# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: shadowhammer, shadowpad, apt41, apt-c-41, double dragon, lowkey # Reference: https://securelist.com/operation-shadowhammer/89992/ asushotfix.com # Reference: https://twitter.com/ydklijnsma/status/1110220766778286080 # Reference: https://twitter.com/ydklijnsma/status/1110189880313692160 homeabcd.com simplexoj.com # Reference: https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/ 103.19.3.17:443 103.19.3.43:443 103.19.3.44:443 103.19.3.44:1194 117.16.142.9:443 23.236.77.175:443 23.236.77.177:443 infestexe.com # Reference: https://content.fireeye.com/apt-41/rpt-apt41 # Reference: https://otx.alienvault.com/pulse/5d4ae9f31ae8a479422a17ab agegamepay.com ageofwuxia.com ageofwuxia.info ageofwuxia.net ageofwuxia.org bugcheck.xigncodeservice.com byeserver.com dnsgogle.com gamewushu.com gxxservice.com ibmupdate.com infestexe.com kasparsky.net linux-update.net macfee.ga micros0ff.com micros0tf.com notped.com operatingbox.com paniesx.com serverbye.com sexyjapan.ddns.info symanteclabs.com techniciantext.com win7update.net # Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html # Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations http://67.229.97.229 67.229.97.229:5985 67.229.97.229:9999 # Reference: https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html # Reference: https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/ # Reference: https://otx.alienvault.com/pulse/5da5eaab4516e8056a6d59fb checkin.travelsanignacio.com # Reference: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html # Reference: https://otx.alienvault.com/pulse/5e7b4a11d552fbcfce6c314d # Reference: https://twitter.com/sysgoblin/status/1237054973579583489 (# CVE-2020-10189) http://66.42.98.220 http://91.208.184.78 66.42.98.220:12345 74.82.201.8:12345 91.208.184.78:443 accounts.longmusic.com dylerays.tk exchange.dumb1.com # Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/ # Reference: https://otx.alienvault.com/pulse/5e95c0d3d12068d29f538338 # Reference: https://www.virustotal.com/gui/ip-address/66.42.98.220/relations http://66.42.98.220 66.42.98.220:12345 119.28.139.20:443 alibaba.zzux.com exchange.longmusic.com # Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/shadowpad-novaya-aktivnost-gruppirovki-winnti/ (Russian, # ShadowPad IOC) ertufg.com filename.onedumb.com info.kavlabonline.com ncdle.net trendupdate.dns05.com ttareyice.jkub.com unaecry.zzux.com yandex2unitedstated.dns04.com # Reference: https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html # Reference: https://otx.alienvault.com/pulse/5f650a34fabdf2c7bf7a7616 http://104.233.224.227 # Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 2) ashcrack.freetcp.com heatidc.com infrast.ygto.com notify.serveuser.com platform.freetcp.com reply.ygto.com tripmerry.com # Reference: https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf arestc.net icefirebest.com mongolv.com pneword.net # Reference: https://blog.macnica.net/blog/2020/11/dtrack.html # Reference: https://otx.alienvault.com/pulse/5fc12f0ec26699f8ccd97838 mail.gietriangle.org/public/src3.png tastygoodness.net ussainc.org # Reference: https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf # Reference: https://otx.alienvault.com/pulse/603d0dcc0a0f44e375d16c62/ escanavupdate.club indrails.com ixrails.com ntpc-co.com pandorarve.com ptciocl.com ubuntumax.com websencl.com indianrailway.hopto.org indrra.ddns.net inraja.ddns.net modibest.sytes.net railway.sytes.net railways.hopto.org astudycarsceu.net indiasunsung.com shipcardonlinehelp.com smartdevoe.com # Reference: https://blog.group-ib.com/colunmtk_apt41 # Reference: https://otx.alienvault.com/pulse/60c34510bd6707ce53355efc colunm.tk cs.colunm.tk ns1.colunm.tk ns2.colunm.tk service.dns22.ml server04.dns04.com service04.dns04.com