# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission
# Aliases: shadowhammer, shadowpad, apt41, apt-c-41, double dragon, lowkey, AXIOMATICASYMPTOTE, RedEcho