# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: shadowhammer, shadowpad, apt41, apt-c-41, double dragon, lowkey

# Reference: https://securelist.com/operation-shadowhammer/89992/

asushotfix.com

# Reference: https://twitter.com/ydklijnsma/status/1110220766778286080
# Reference: https://twitter.com/ydklijnsma/status/1110189880313692160

homeabcd.com
simplexoj.com

# Reference: https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

103.19.3.17:443
103.19.3.43:443
103.19.3.44:443
103.19.3.44:1194
117.16.142.9:443
23.236.77.175:443
23.236.77.177:443
infestexe.com

# Reference: https://content.fireeye.com/apt-41/rpt-apt41
# Reference: https://otx.alienvault.com/pulse/5d4ae9f31ae8a479422a17ab

agegamepay.com
ageofwuxia.com
ageofwuxia.info
ageofwuxia.net
ageofwuxia.org
bugcheck.xigncodeservice.com
byeserver.com
dnsgogle.com
gamewushu.com
gxxservice.com
ibmupdate.com
infestexe.com
kasparsky.net
linux-update.net
macfee.ga
micros0ff.com
micros0tf.com
notped.com
operatingbox.com
paniesx.com
serverbye.com
sexyjapan.ddns.info
symanteclabs.com
techniciantext.com
win7update.net

# Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
# Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations

http://67.229.97.229
67.229.97.229:5985
67.229.97.229:9999

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html
# Reference: https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/
# Reference: https://otx.alienvault.com/pulse/5da5eaab4516e8056a6d59fb

checkin.travelsanignacio.com

# Reference: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
# Reference: https://otx.alienvault.com/pulse/5e7b4a11d552fbcfce6c314d
# Reference: https://twitter.com/sysgoblin/status/1237054973579583489 (# CVE-2020-10189)

http://66.42.98.220
http://91.208.184.78
66.42.98.220:12345
74.82.201.8:12345
91.208.184.78:443
accounts.longmusic.com
dylerays.tk
exchange.dumb1.com

# Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/
# Reference: https://otx.alienvault.com/pulse/5e95c0d3d12068d29f538338
# Reference: https://www.virustotal.com/gui/ip-address/66.42.98.220/relations

http://66.42.98.220
66.42.98.220:12345
119.28.139.20:443
alibaba.zzux.com
exchange.longmusic.com

# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/shadowpad-novaya-aktivnost-gruppirovki-winnti/ (Russian, # ShadowPad IOC)

ertufg.com
filename.onedumb.com
info.kavlabonline.com
ncdle.net
trendupdate.dns05.com
ttareyice.jkub.com
unaecry.zzux.com
yandex2unitedstated.dns04.com

# Reference: https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html
# Reference: https://otx.alienvault.com/pulse/5f650a34fabdf2c7bf7a7616

http://104.233.224.227

# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 2)

ashcrack.freetcp.com
heatidc.com
infrast.ygto.com
notify.serveuser.com
platform.freetcp.com
reply.ygto.com
tripmerry.com

# Reference: https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf

arestc.net
icefirebest.com
mongolv.com
pneword.net

# Reference: https://blog.macnica.net/blog/2020/11/dtrack.html
# Reference: https://otx.alienvault.com/pulse/5fc12f0ec26699f8ccd97838

mail.gietriangle.org/public/src3.png
tastygoodness.net
ussainc.org

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
# Reference: https://otx.alienvault.com/pulse/603d0dcc0a0f44e375d16c62/

escanavupdate.club
indrails.com
ixrails.com
ntpc-co.com
pandorarve.com
ptciocl.com
ubuntumax.com
websencl.com
indianrailway.hopto.org
indrra.ddns.net
inraja.ddns.net
modibest.sytes.net
railway.sytes.net
railways.hopto.org
astudycarsceu.net
indiasunsung.com
shipcardonlinehelp.com
smartdevoe.com

# Reference: https://blog.group-ib.com/colunmtk_apt41
# Reference: https://otx.alienvault.com/pulse/60c34510bd6707ce53355efc

colunm.tk
cs.colunm.tk
ns1.colunm.tk
ns2.colunm.tk
service.dns22.ml
server04.dns04.com
service04.dns04.com

# Reference: https://content.fireeye.com/apt41-jp/rpt-apt41-jp
# Reference: https://otx.alienvault.com/pulse/610cf675620c3a10851e62d0

backdoor.apt.photo