# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: shadowhammer, shadowpad, apt41, apt-c-41, double dragon, lowkey, AXIOMATICASYMPTOTE, RedEcho

# Reference: https://securelist.com/operation-shadowhammer/89992/

asushotfix.com

# Reference: https://twitter.com/ydklijnsma/status/1110220766778286080
# Reference: https://twitter.com/ydklijnsma/status/1110189880313692160

homeabcd.com
simplexoj.com

# Reference: https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

103.19.3.17:443
103.19.3.43:443
103.19.3.44:443
103.19.3.44:1194
117.16.142.9:443
23.236.77.175:443
23.236.77.177:443
infestexe.com

# Reference: https://content.fireeye.com/apt-41/rpt-apt41
# Reference: https://otx.alienvault.com/pulse/5d4ae9f31ae8a479422a17ab

agegamepay.com
ageofwuxia.com
ageofwuxia.info
ageofwuxia.net
ageofwuxia.org
bugcheck.xigncodeservice.com
byeserver.com
dnsgogle.com
gamewushu.com
gxxservice.com
ibmupdate.com
infestexe.com
kasparsky.net
linux-update.net
macfee.ga
micros0ff.com
micros0tf.com
notped.com
operatingbox.com
paniesx.com
serverbye.com
sexyjapan.ddns.info
symanteclabs.com
techniciantext.com
win7update.net

# Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
# Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations

http://67.229.97.229
67.229.97.229:5985
67.229.97.229:9999

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html
# Reference: https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/
# Reference: https://otx.alienvault.com/pulse/5da5eaab4516e8056a6d59fb

checkin.travelsanignacio.com

# Reference: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
# Reference: https://otx.alienvault.com/pulse/5e7b4a11d552fbcfce6c314d
# Reference: https://twitter.com/sysgoblin/status/1237054973579583489 (# CVE-2020-10189)

http://66.42.98.220
http://91.208.184.78
66.42.98.220:12345
74.82.201.8:12345
91.208.184.78:443
accounts.longmusic.com
dylerays.tk
exchange.dumb1.com

# Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/
# Reference: https://otx.alienvault.com/pulse/5e95c0d3d12068d29f538338
# Reference: https://www.virustotal.com/gui/ip-address/66.42.98.220/relations

http://66.42.98.220
66.42.98.220:12345
119.28.139.20:443
alibaba.zzux.com
exchange.longmusic.com

# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/shadowpad-novaya-aktivnost-gruppirovki-winnti/ (Russian, # ShadowPad IOC)

ertufg.com
filename.onedumb.com
info.kavlabonline.com
ncdle.net
trendupdate.dns05.com
ttareyice.jkub.com
unaecry.zzux.com
yandex2unitedstated.dns04.com

# Reference: https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html
# Reference: https://otx.alienvault.com/pulse/5f650a34fabdf2c7bf7a7616

http://104.233.224.227

# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 2)

ashcrack.freetcp.com
heatidc.com
infrast.ygto.com
notify.serveuser.com
platform.freetcp.com
reply.ygto.com
tripmerry.com

# Reference: https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf

arestc.net
icefirebest.com
mongolv.com
pneword.net

# Reference: https://blog.macnica.net/blog/2020/11/dtrack.html
# Reference: https://otx.alienvault.com/pulse/5fc12f0ec26699f8ccd97838

mail.gietriangle.org/public/src3.png
tastygoodness.net
ussainc.org

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
# Reference: https://otx.alienvault.com/pulse/603d0dcc0a0f44e375d16c62/

escanavupdate.club
indrails.com
ixrails.com
ntpc-co.com
pandorarve.com
ptciocl.com
ubuntumax.com
websencl.com
indianrailway.hopto.org
indrra.ddns.net
inraja.ddns.net
modibest.sytes.net
railway.sytes.net
railways.hopto.org
astudycarsceu.net
indiasunsung.com
shipcardonlinehelp.com
smartdevoe.com

# Reference: https://blog.group-ib.com/colunmtk_apt41
# Reference: https://otx.alienvault.com/pulse/60c34510bd6707ce53355efc

colunm.tk
cs.colunm.tk
ns1.colunm.tk
ns2.colunm.tk
service.dns22.ml
server04.dns04.com
service04.dns04.com

# Reference: https://content.fireeye.com/apt41-jp/rpt-apt41-jp
# Reference: https://otx.alienvault.com/pulse/610cf675620c3a10851e62d0

backdoor.apt.photo

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/BB_APT41.json

isbigfish.xyz

# Reference: https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

dbhubspi.com
glbaitech.com
kinopoisksu.com
necemarket.com
dev.kinopoisksu.com
holdmem.dbhubspi.com
m.necemarket.com
mb.glbaitech.com
ns.glbaitech.com
st.kinopoisksu.com

# Reference: https://www.mandiant.com/resources/apt41-us-state-governments

milli-seconds.com
queryip.cf
time12.cf
viewdns.ml
winsproxy.com
work.viewdns.ml
workers.viewdns.ml
work.queryip.cf
cdn.ns.time12.cf
east.winsproxy.com
afdentry.workstation.eu.org
ns1.entrydns.eu.org
subnet.milli-seconds.com

# Reference: https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41
# Reference: https://otx.alienvault.com/pulse/615da9a8e2c277e1749757c3

assistcustody.xyz
chaindefend.bid
defendchain.xyz
isbigfish.xyz
mircosoftdoc.com
zalofilescdn.com
microsoftbooks.dns-dns.com
ns.mircosoftdoc.com

# Reference: https://www.mandiant.com/resources/apt41-us-state-governments

down-flash.com
microsoftfile.com
libxqagv.ns.dns3.cf

# Reference: https://www.mandiant.com/resources/mobileiron-log4shell-exploitation
# Reference: https://otx.alienvault.com/pulse/6244606893ddbc9a6a5bbdeb
# Reference: https://www.virustotal.com/gui/file/fb091547c42fcd5917283b3a79ee86e7388d57789327289d6d357e71ae28ddff/detection

103.224.80.44:8080
103.242.133.48:44322
103.242.133.48:8085
198.13.40.130:2222
note.down-flash.com
111111.note.down-flash.com
2f2640fb.dns.1433.eu.org
335b5282.dns.1433.eu.org
d5922235.dns.1433.eu.org

# Reference: https://twitter.com/0xrb/status/1509396448387153920
# Reference: https://www.virustotal.com/gui/file/536def339fefa0c259cf34f809393322cdece06fc4f2b37f06136375b073dff3/detection

43.129.188.223:10333
longlifetrump.com

# Reference: https://otx.alienvault.com/pulse/624ff0af271429d152b5a27e

greatsong.soundcast.me
supermarket.ownip.net
supership.dynv6.net

# Reference: https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf
# Reference: https://otx.alienvault.com/pulse/613b110f3e005c40fe57317d

dns224.com
mssetting.com
twitterproxy.com
microsofthelp.dns1.us
ns.cloud01.tk
ns.cloud20.tk
ns1.extrsports.ru

# Reference: https://twitter.com/AltShiftPrtScn/status/1519840040637157378
# Reference: https://www.virustotal.com/gui/file/d2d927e7cdb804c416e70e41290453a7902420894b5cb17fdb688e9ee7943b13/detection

138.68.61.82:444

# Reference: https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/
# Reference: https://otx.alienvault.com/pulse/6270f28cc2cfb0f83fe7b211

farisrezky.com
freewula.strangled.net
gfsg.chickenkiller.com
greenhugeman.dns04.com
pic.farisrezky.com
szuunet.strangled.net
final.staticd.dynamic-dns.net

# Reference: https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/

http://145.232.235.222

# Reference: https://blog.group-ib.com/apt41-world-tour-2021
# Reference: https://otx.alienvault.com/pulse/630615f326d4b91e473170fe

delaylink.tk
socialpt2021.club
cs16.dns04.com
newimages.socialpt2021.tk

# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
# Reference: https://otx.alienvault.com/pulse/632082a05037fdffef98dcb4
# Reference: https://www.virustotal.com/gui/file/c48e1ff27b6386dadd7a8b696c00b0b96d27dffc8ee5df393765ba538c272c11/detection

27.124.17.222:443

# Reference: https://blogs.vmware.com/security/2022/10/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html
# Reference: https://github.com/carbonblack/active_c2_ioc_public/blob/main/shadowpad/shadowpad_202210.tsv

http://149.127.176.12
http://149.127.176.14
http://164.155.51.9
http://38.54.4.48
http://45.79.122.225
http://65.21.57.12
103.120.82.243:443
103.133.139.23:443
103.133.139.29:443
103.138.82.202:443
103.138.82.215:443
103.143.73.116:443
103.151.229.130:443
103.151.229.139:443
103.151.229.35:443
103.151.229.74:443
103.209.233.172:443
103.231.14.171:443
103.254.75.140:443
103.27.108.20:443
103.27.109.182:443
103.56.19.113:443
103.56.19.157:443
103.56.19.42:443
103.93.76.135:443
107.155.50.198:443
116.204.134.123:443
120.79.8.23:443
134.122.134.140:443
134.122.188.187:443
137.220.185.203:443
137.220.53.224:443
137.220.55.36:443
139.180.188.58:443
139.180.193.182:443
14.18.191.150:443
149.127.176.12:443
149.127.176.14:443
149.127.176.22:443
149.28.151.244:53
152.32.133.68:443
152.32.139.128:443
154.201.144.60:443
154.215.96.211:443
154.38.118.107:443
156.240.104.115:443
156.240.104.149:443
156.240.107.248:443
158.247.202.188:443
163.197.32.39:443
163.197.34.109:443
167.179.78.160:443
167.179.78.160:53
167.71.236.226:443
172.105.36.249:443
173.254.227.204:443
185.207.155.146:443
188.116.48.62:443
193.239.191.95:443
211.239.213.13:443
213.59.118.124:443
38.54.4.48:443
38.55.223.221:443
43.129.188.223:443
45.134.1.74:443
45.137.10.3:443
45.32.102.50:443
45.32.121.100:443
45.32.248.92:443
45.76.152.71:443
45.76.152.71:53
45.77.169.228:443
45.77.250.209:443
45.77.252.157:443
5.181.4.59:443
61.97.248.72:443
65.21.57.12:443
66.42.60.66:443
8.136.179.117:443
8.208.94.94:443
85.9.26.104:53
92.38.135.71:443
95.85.67.48:443

# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi/IOCs-hack-the-real-box-apt41-new-subgroup-earth-longzhi.txt
# Reference: https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
# Reference: https://otx.alienvault.com/pulse/636d814b3faea55b00ea98b8
# Reference: https://www.virustotal.com/gui/file/f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08/detection
# Reference: https://www.virustotal.com/gui/file/76998c3cef50132d7eb091555b034b03a351bd8639c1c5dc05cf1ea6c19331d9/detection
# Reference: https://www.virustotal.com/gui/file/4bc4d2ad9b608c8564eb5da5d764644cbb088c2f1cb61427d11f7b2ce4733add/detection

http://139.180.138.226
http://47.108.173.88
139.180.138.226:8000
47.108.173.88:8098
47.108.173.88:8099

# Reference: https://community.emergingthreats.net/t/daily-ruleset-update-summary-2022-11-11/149

ymvh8w5.xyz
c.ymvh8w5.xyz

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/APT-hunting/hunting-cobaltstrike-beacons-in-the-dark.pdf
# Reference: https://www.virustotal.com/gui/ip-address/185.14.29.72/relations

schememicrosoft.com
aliyun.com.co
microport.com.cn
microsoftbooks.dynamic-dns.net
microsoftdocs.dns05.com
microsoftonlineupdate.dynamic-dns.net
ns.microsoftdocs.dns05.com

# Reference: https://twitter.com/r3dbU7z/status/1605356770330828802
# Reference: https://twitter.com/jaydinbas/status/1605532948480000002
# Reference: https://www.virustotal.com/gui/file/867e8902612f9e9a390fc667ffd53343e324c8c677c12dcbca4e1b9f14b0e461/detection

43.229.155.42:8000
43.229.155.38:8443
google-au.ga
cdn.google-au.ga

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf 

adobe-cdn.org
akamaixed.net
dl-flash.tk
linuxupdate.info
microsoftcontents.com
portomnail.com
tcplog.com
xxe.pw
a.linuxupdate.info
aejava.ddns.net
aejva.ddns.net
aone.ddns.net
back.rooter.tk
box.xxe.pw
chrome.down-flash.com
cloudat.ddns.net
cloudcat.ddns.net
dash.tcplog.com
dns.xxe.pw
down.xxe.pw
down1.linuxupdate.info
down2.linuxupdate.info
exchange.openmd5.com
exchange.portomnail.com
fonts.google-au.ga
gknbm.ddns.net
help.down-flash.com
help.tcplog.com
js.down-flash.com
jsj1.linuxupdate.info
lemonupdate.ddns.net
linux.down-flash.com
linuxupdate.ddns.net
ltupdate.ddns.net
mail.xxe.pw
mirros.microsoftcontents.com
mirros3.linuxupdate.info
mm.portomnail.com
n2.xxe.pw
ns1.xxe.pw
ns2.xxe.pw
officecdn-microsoft-com.akamaixed.net
proxy.xxe.pw
q.xxe.pw
q2.xxe.pw
q4.xxe.pw
qq.xxe.pw
static.adobe-cdn.org
static.tcplog.com
transcom.ddns.net
twnoc.ddns.net
updatenew.servehttp.com
vbnmob.ddns.net
volleyball.ddns.net
vpnmobupdate.ddns.net
x.xxe.pw
xxe.linuxupdate.info
yunchat.ddns.net

# Reference: https://twitter.com/sneakymonk3y/status/1679970286467268609
# Reference: https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html

http://158.247.230.255

# Reference: https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41
# Reference: https://www.virustotal.com/gui/file/38e18d79b83e7c0afbe1ac246a7a5fe6b2783adc085e9aeb2ec610e76f5ccaad/detection

116.205.4.18:33889
121.42.149.52:8002
andropwn.xyz
win10micros0ft.com
alxc.tbtianyan.com
dns.win10micros0ft.com
huaxin-bantian.duckdns.org
smiss.imwork.net

# Reference: https://twitter.com/tiresearch1/status/1688843159265325056

ap.philancourts.com
atomiclampco.com
closeby.coupons
ftp.gulliverwear.com
gulliverwear.com
news.revecontopsy.com
securityhealthservice.com
test.dagnelie.fr
test.securityhealthservice.com

# Reference: https://twitter.com/tiresearch1/status/1689173376487849984

bulkyservice.info
mexicobulk.info
kdalpqwx312dwjbb.leopard2.com
mta0.bulkyservice.info
mta0.mexicobulk.info
ns1.bulkyservice.info
ns2.bulkyservice.info
ns2.mexicobulk.info
server.mexicobulk.info

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/

120.25.0.139:8443
193.36.117.21:443
47.94.196.131:444

# Reference: https://stairwell.com/resources/security-alert-enrichment-shadowpad-variants/
# Reference: https://www.virustotal.com/gui/file/48ac2ca316e636109524e72c771afc7e4592f0a6c1de827985aa090f17b98879/detection

rtxwen.com