# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html

32player.com
appswonder.info
capsnit.com
hiltrox.com
hytechmart.com
ios-update-whatsapp.com
ios-certificate-update.com
metclix.com
nfinx.info
referfile.com
scrollayer.com
techwach.com
twitck.com
wpitcher.com

# Reference: https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf
# Reference: https://otx.alienvault.com/pulse/5f7dd394005536c84adbaf56

account-googie.com
accountvalidate.com
airfitgym.com
ambicluster.com
aspnet.dyndns.info
assurecom.info
bulletinalerts.com
by4mode.com
cdn-icloud.co
celebsnightmares.com
citrusquad.com
classmunch.com
cloud-authorize.com
cocahut.com
cocelebsnightmares.com
cocoka.info
cohealthclubfun.com
crawloofle.com
cyroonline.com
devicesupport-rnicrosoft.com
domforworld.com
electrobric.com
everification-session-load.com
flux2key.com
freepunjab2020.info
frexinq.com
gateway-yahoo.com
ghelp.co
healthclubfun.com
hypforever.com
i3mode.com
imging.site
infoassurecom.info
infocrawloofle.com
inlineirnage.com
justsikhthings.com
kannat.ns01.us
khalistanlehar.com
leastinfo.com
leelee.dnset.com
lizacorner.com
lobertica.info
login-private.com
logon-info-gsupport.com
logstrick.com
m0-rnaiil-siina-chn-reload.everification-session-load.com
mail-incc.com
mail-king.com
mail-validation.info
mail.techsprouts.com
mailinfo-bh.com
me-yahoo.com
medieczema.com
middleeastleaks.com
mideastleaks.com
mindcraftstore.com
musicbandfiles.com
myaccount-googie.com
myappie.com
myggl.ioo-auth.net
netonlinetokenid.com
netstring2me.com
onlinetokenid.com
opticscold.com
opticzstore.com
optusiy.com
orgyes2khalistanis.com
out-look-mail-bh.com
oyesterclub.info
passwordsaverr.com
poiusavid.com
portal549.com
privacylog.info
prontexim.com
regditogo.com
rhc-jo.com
risalaencryptor.com
rnaiill2-rnaill-slna-m0.everification-session-load.com
rnail-appld-oath-varfiction.everification-session-load.com
scan8t.com
secure-useraccount.com
service-authorization.com
setting-secure.com
shiaar-e-islam.com
signtabo.com
sikhforjustice.org
similerwork.net
string2me.com
sync-tokens.com
tansyroof.com
techsprouts.com
techwach.com
thegogl.com
tierradom.com
timesofarab.com
toysforislam.com
trailhinder.com
traxbin.com
treemanic.com
trioganic.com
user-privacy.com
uskhalistanlehar.com
uyghuri.51vip.biz
uyghurie.51vip.biz
uygur.5166.info
uygur.51vip.biz
uygur.eicp.net
uygur.xicp.net
vlprnaiill2-rnaill-slna.m0.everification-session-load.com
weddnest.com
yes2khalistan.org
yes2khalistanis.com
yfoodzone.net
zhqdgk.com

# Reference: https://twitter.com/bl4ckh0l3z/status/1321746458308128769
# Reference: https://www.virustotal.com/gui/file/cef4be533954e5bb901080cbca26976929d55692674f1bb9fefeca0c349c86db/detection
# Reference: https://www.virustotal.com/gui/file/4fd441183ffd576aea2cf50b19d263f6b07b7548ea24725a496a0a929daaf912/detection

procompass.org
voiceofislam.info

# Reference: https://twitter.com/Circuitous__/status/1377767299709550593
# Reference: https://pastebin.com/9U57CHZn

fastfiterzone.com
lobertica.info
memoadvicr.com
zovwelle.com

# Reference: https://twitter.com/m0br3v/status/1413076245152141316
# Reference: https://www.virustotal.com/gui/file/73b516a0a3996ec1c685ad3d8e26a7191e5d7698bfd98970afc27d5356003cac/detection

onlinedomain.link

# Reference: https://www.virustotal.com/gui/file/815466ec21c59f7704f094a0e4cfc4f817c8b98231d10fe01919b6bd60eca64e/detection

lepze.com

# Reference: https://www.virustotal.com/gui/domain/ie-settings.com/detection

ie-settings.com

# Reference: https://twitter.com/m0br3v/status/1502262179390758913
# Reference: https://www.virustotal.com/gui/file/c921363c790c2eb82ab009f94ac0961164690d795c4ae87bed61897cc80fb33f/detection

datahost.click
/jkRt5e/check.php
/jkRt5e/

# Reference: https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=zh-CN
# Reference: https://otx.alienvault.com/pulse/625591f0fdef5bd852d84afe

5iw68rugwfcir37uj8z3r6rfaxwd8g8cdcfcqw62.de
h94xnghlldx6a862moj3.de
freesexvideos.ch
securechatnow.com

# Reference: https://twitter.com/malwrhunterteam/status/1539985809184641024
# Reference: https://twitter.com/malwrhunterteam/status/1540332848577667073
# Reference: https://www.virustotal.com/gui/ip-address/193.23.161.164/relations
# Reference: https://www.virustotal.com/gui/file/1084b7ff4758b5d13dcfc4f9167b16e6b834bfff2032b540e74959ceb18a5b1e/detection

172.64.168.30:2053
172.64.168.30:8443
193.23.161.164:8443
gkcx6ye4t4zafw8ju2xdr5na5.de
iminglechat.de
fjasfjfas89e.gkcx6ye4t4zafw8ju2xdr5na5.de

# Reference: https://twitter.com/Des00464472/status/1552146340515561472
# Reference: https://www.virustotal.com/gui/ip-address/5.249.160.136/relations

ay3a9j7pc3.de
yu27izuchc.de

# Reference: https://twitter.com/Des00464472/status/1567097126999703553
# Reference: https://www.virustotal.com/gui/ip-address/5.249.160.150/relations

32e6dwbbpg.de

# Reference: https://twitter.com/m0br3v/status/1570415612014530562
# Reference: https://www.virustotal.com/gui/file/c5f29fcb69ffaaac4568b0607d94bce55641ab5e7c6279393cd9605d14be0311/detection

newshostpoint.co

# Reference: https://twitter.com/malwrhunterteam/status/1595141450177871872
# Reference: https://twitter.com/midnight_comms/status/1596156830363029504
# Reference: https://twitter.com/midnight_comms/status/1596566303598182401
# Reference: https://www.cyfirma.com/outofband/apt-bahamut-attacks-indian-intelligence-operative-using-android-malware/
# Reference: https://www.virustotal.com/gui/file/45a6a0b2b02a9d288afba1ff41c689be9b9bd40ee862aa4bd6b036e3f0a4c3ab/detection
# Reference: https://www.virustotal.com/gui/file/a2abdf1d3439c9598f76c3732770b98725315efd32db322d926207ed28edf0db/detection

http://45.156.84.129
45.156.84.129:3000
14.16.88.35:5000
194.156.88.235:5000
45.156.85.161:2096
96r1yh643o.de
cdw1ir0dc9g3dwl5oh1y.de

# Reference: https://twitter.com/malwrhunterteam/status/1504892577975259141
# Reference: https://twitter.com/midnight_comms/status/1596563852035903488
# Reference: https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/
# Reference: https://otx.alienvault.com/pulse/63809fb03dacd453ae69d37b
# Reference: https://www.virustotal.com/gui/file/a40c7cabf874517f5d3d069e0377fa9348e10344000e39717c1a6571939ba7c0/detection
# Reference: https://www.virustotal.com/gui/file/a71290070f826292c0ce907f21280e46cb4b800163ca3b81301c75710387ff1b/detection

ft8hua063okwfdcu21pw.de
thesecurevpn.com

# Reference: https://twitter.com/malwrhunterteam/status/1616145101343817750
# Reference: https://twitter.com/dyngnosis/status/1616149602578595846
# Reference: https://www.virustotal.com/gui/file/0d7c1dffbd5abab02c174836cf1075bdc24f125b4084e5ba75e2c8ecccb747a3/detection
# Reference: https://www.virustotal.com/gui/file/38d0804412c47a77f08ecb346df27a9036dc02b83c51f70ab830902a2eab66dc/detection

162.55.103.212:20121
162.55.103.212:20122
162.55.103.212:20123
fvbyavgyea.com
jkiohreh.com
rondwsign.com
tokenmajorp.com
varweregofo.com

# Reference: https://twitter.com/0x6rsk/status/1656554067160702982
# Reference: https://twitter.com/BaoshengbinCumt/status/1656577909224796161
# Reference: https://about.fb.com/wp-content/uploads/2023/05/Meta-Quarterly-Adversarial-Threat-Report-Q1-2023.pdf
# Reference: https://www.virustotal.com/gui/file/0a7a9a3e5915f390e8a0d89c0ec21dd056504b0b759ea57ef68a000ee05b12e9/detection
# Reference: https://www.virustotal.com/gui/file/672d56b13708752b9d5287a8ac5e063174aa0af0c616a3ce8dd0dfbaff13386a/detection

hbx5adg6vk.de
khalsaforum.com
mamoonchat.com
rwzj2nntc3.de
usmimedia.com
play-store-secure-safechat.usmimedia.com
punjab-news18media-tribuneindia-mail.usmimedia.com

# Reference: https://www.welivesecurity.com/en/eset-research/unlucky-kamran-android-malware-spying-urdu-speaking-residents-gilgit-baltistan/
# Reference: https://otx.alienvault.com/pulse/6552657c0e444a423248f10c
# Reference: https://www.virustotal.com/gui/file/8609ce3bd3f395a25f3a2e2e343eb3ee87b0f1375202b5cec8bfcf8579d0472e/detection

hunzanews.net/wp-content/uploads/apk/

# Reference: https://threatfox.abuse.ch/browse/malware/apk.bahamut/

134.255.231.233:8443

# APK

/Kashmir-Youth.apk
/Kashmir.apk
/ChatService_master.apk
/securechatnow_v1_0_6.apk
/securechatnow_v1_0_7.apk
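The list above mixes four indicator shapes: bare domains and hostnames, IP:port pairs (plus one bare URL that reduces to an IP), host-qualified URL paths, and relative URL paths. The Python below is an added example, not Maltrail's own loader or matching code: it parses a constructed excerpt written in the same line format and checks DNS queries, outbound connections and HTTP requests against it. The bucket names, the parent-domain rule in match_dns (a trail on a domain also covers its subdomains, but a trail on a specific subdomain does not cover the parent) and the substring rule for path trails are this example's own policy.

```python
# Added example (not Maltrail code): load a trail list in the format used
# above and match sensor events against it.
import ipaddress
from urllib.parse import urlsplit

# Constructed excerpt in the same format as the list above: a comment line,
# domains, relative URL paths, an IP:port pair, a bare URL and a host + path.
TRAIL_TEXT = """
# Reference: constructed comment line, ignored by the loader
ios-update-whatsapp.com
rnail-appld-oath-varfiction.everification-session-load.com
datahost.click
/jkRt5e/check.php
/jkRt5e/
172.64.168.30:2053
http://45.156.84.129
hunzanews.net/wp-content/uploads/apk/
/Kashmir.apk
"""


def parse_trails(text):
    """Sort each non-comment line into a bucket by its shape."""
    trails = {"domains": set(), "ips": set(), "ipports": set(),
              "paths": set(), "hostpaths": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("/"):                      # relative URL path
            trails["paths"].add(line)
            continue
        if "://" in line:                             # bare URL -> its host
            line = urlsplit(line).netloc
        host, slash, path = line.partition("/")
        if slash:                                     # host + URL path
            trails["hostpaths"].add((host.lower(), "/" + path))
            continue
        host, _, port = line.partition(":")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            trails["domains"].add(host.lower())       # domain or hostname
        else:
            if port:
                trails["ipports"].add((host, int(port)))
            else:
                trails["ips"].add(host)
    return trails


def match_dns(trails, qname):
    """Return the trail covering a queried name. A trail on 'x.com' also
    matches 'a.x.com'; a trail on 'a.x.com' does not match 'x.com'."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):                  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in trails["domains"]:
            return candidate
    return None


def match_connection(trails, ip, port):
    """Match a destination IP:port, falling back to a bare-IP trail."""
    if (ip, port) in trails["ipports"]:
        return f"{ip}:{port}"
    if ip in trails["ips"]:
        return ip
    return None


def match_http(trails, host, path):
    """Match an HTTP request: host-qualified path first, then path trails
    as substrings (longest wins), then the host as a domain trail."""
    host = host.lower()
    for h, p in trails["hostpaths"]:
        if host == h and path.startswith(p):
            return h + p
    hits = [p for p in trails["paths"] if p in path]
    if hits:
        return max(hits, key=len)
    return match_dns(trails, host)


if __name__ == "__main__":
    t = parse_trails(TRAIL_TEXT)
    print(match_dns(t, "update.ios-update-whatsapp.com."))
    print(match_connection(t, "172.64.168.30", 2053))
    print(match_http(t, "hunzanews.net", "/wp-content/uploads/apk/Kashmir.apk"))
```

Two properties of the list follow from running this. A trail that names a specific subdomain (the everification-session-load.com phishing hosts above) only fires on that host or its children, so a query for the parent domain is not flagged unless the parent is listed as well, which is why the list carries both. Relative path trails such as /Kashmir.apk fire on any host, so they trade precision for coverage; the file groups them under the "# APK" comment rather than under a specific reference for that reason.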