# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: shadowhammer, shadowpad, apt41, apt-c-41, double dragon, lowkey, AXIOMATICASYMPTOTE, RedEcho

# Reference: https://securelist.com/operation-shadowhammer/89992/

asushotfix.com

# Reference: https://twitter.com/ydklijnsma/status/1110220766778286080
# Reference: https://twitter.com/ydklijnsma/status/1110189880313692160

homeabcd.com
simplexoj.com

# Reference: https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

103.19.3.17:443
103.19.3.43:443
103.19.3.44:443
103.19.3.44:1194
117.16.142.9:443
23.236.77.175:443
23.236.77.177:443
infestexe.com

# Reference: https://content.fireeye.com/apt-41/rpt-apt41
# Reference: https://otx.alienvault.com/pulse/5d4ae9f31ae8a479422a17ab

agegamepay.com
ageofwuxia.com
ageofwuxia.info
ageofwuxia.net
ageofwuxia.org
bugcheck.xigncodeservice.com
byeserver.com
dnsgogle.com
gamewushu.com
gxxservice.com
ibmupdate.com
infestexe.com
kasparsky.net
linux-update.net
macfee.ga
micros0ff.com
micros0tf.com
notped.com
operatingbox.com
paniesx.com
serverbye.com
sexyjapan.ddns.info
symanteclabs.com
techniciantext.com
win7update.net

# Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
# Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations

http://67.229.97.229
67.229.97.229:5985
67.229.97.229:9999

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html
# Reference: https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/
# Reference: https://otx.alienvault.com/pulse/5da5eaab4516e8056a6d59fb

checkin.travelsanignacio.com

# Reference: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
# Reference: https://otx.alienvault.com/pulse/5e7b4a11d552fbcfce6c314d
# Reference: https://twitter.com/sysgoblin/status/1237054973579583489 (# CVE-2020-10189)

http://66.42.98.220
http://91.208.184.78
66.42.98.220:12345
74.82.201.8:12345
91.208.184.78:443
accounts.longmusic.com
dylerays.tk
exchange.dumb1.com

# Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/
# Reference: https://otx.alienvault.com/pulse/5e95c0d3d12068d29f538338
# Reference: https://www.virustotal.com/gui/ip-address/66.42.98.220/relations

http://66.42.98.220
66.42.98.220:12345
119.28.139.20:443
alibaba.zzux.com
exchange.longmusic.com

# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/shadowpad-novaya-aktivnost-gruppirovki-winnti/ (Russian, # ShadowPad IOC)

ertufg.com
filename.onedumb.com
info.kavlabonline.com
ncdle.net
trendupdate.dns05.com
ttareyice.jkub.com
unaecry.zzux.com
yandex2unitedstated.dns04.com

# Reference: https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html
# Reference: https://otx.alienvault.com/pulse/5f650a34fabdf2c7bf7a7616

http://104.233.224.227

# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 2)

ashcrack.freetcp.com
heatidc.com
infrast.ygto.com
notify.serveuser.com
platform.freetcp.com
reply.ygto.com
tripmerry.com

# Reference: https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf

arestc.net
icefirebest.com
mongolv.com
pneword.net

# Reference: https://blog.macnica.net/blog/2020/11/dtrack.html
# Reference: https://otx.alienvault.com/pulse/5fc12f0ec26699f8ccd97838

mail.gietriangle.org/public/src3.png
tastygoodness.net
ussainc.org

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
# Reference: https://otx.alienvault.com/pulse/603d0dcc0a0f44e375d16c62/

escanavupdate.club
indrails.com
ixrails.com
ntpc-co.com
pandorarve.com
ptciocl.com
ubuntumax.com
websencl.com
indianrailway.hopto.org
indrra.ddns.net
inraja.ddns.net
modibest.sytes.net
railway.sytes.net
railways.hopto.org
astudycarsceu.net
indiasunsung.com
shipcardonlinehelp.com
smartdevoe.com

# Reference: https://blog.group-ib.com/colunmtk_apt41
# Reference: https://otx.alienvault.com/pulse/60c34510bd6707ce53355efc

colunm.tk
cs.colunm.tk
ns1.colunm.tk
ns2.colunm.tk
service.dns22.ml
server04.dns04.com
service04.dns04.com

# Reference: https://content.fireeye.com/apt41-jp/rpt-apt41-jp
# Reference: https://otx.alienvault.com/pulse/610cf675620c3a10851e62d0

backdoor.apt.photo

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/BB_APT41.json

isbigfish.xyz

# Reference: https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

dbhubspi.com
glbaitech.com
kinopoisksu.com
necemarket.com
dev.kinopoisksu.com
holdmem.dbhubspi.com
m.necemarket.com
mb.glbaitech.com
ns.glbaitech.com
st.kinopoisksu.com

# Reference: https://www.mandiant.com/resources/apt41-us-state-governments

milli-seconds.com
queryip.cf
time12.cf
viewdns.ml
winsproxy.com
work.viewdns.ml
workers.viewdns.ml
work.queryip.cf
cdn.ns.time12.cf
east.winsproxy.com
afdentry.workstation.eu.org
ns1.entrydns.eu.org
subnet.milli-seconds.com

# Reference: https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41
# Reference: https://otx.alienvault.com/pulse/615da9a8e2c277e1749757c3

assistcustody.xyz
chaindefend.bid
defendchain.xyz
isbigfish.xyz
mircosoftdoc.com
zalofilescdn.com
microsoftbooks.dns-dns.com
ns.mircosoftdoc.com

# Reference: https://www.mandiant.com/resources/apt41-us-state-governments

down-flash.com
microsoftfile.com
libxqagv.ns.dns3.cf

# Reference: https://www.mandiant.com/resources/mobileiron-log4shell-exploitation
# Reference: https://otx.alienvault.com/pulse/6244606893ddbc9a6a5bbdeb
# Reference: https://www.virustotal.com/gui/file/fb091547c42fcd5917283b3a79ee86e7388d57789327289d6d357e71ae28ddff/detection

103.224.80.44:8080
103.242.133.48:44322
103.242.133.48:8085
198.13.40.130:2222
note.down-flash.com
111111.note.down-flash.com
2f2640fb.dns.1433.eu.org
335b5282.dns.1433.eu.org
d5922235.dns.1433.eu.org

# Reference: https://twitter.com/0xrb/status/1509396448387153920
# Reference: https://www.virustotal.com/gui/file/536def339fefa0c259cf34f809393322cdece06fc4f2b37f06136375b073dff3/detection

43.129.188.223:10333
longlifetrump.com

# Reference: https://otx.alienvault.com/pulse/624ff0af271429d152b5a27e

greatsong.soundcast.me
supermarket.ownip.net
supership.dynv6.net

# Reference: https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf
# Reference: https://otx.alienvault.com/pulse/613b110f3e005c40fe57317d

dns224.com
mssetting.com
twitterproxy.com
microsofthelp.dns1.us
ns.cloud01.tk
ns.cloud20.tk
ns1.extrsports.ru

# Reference: https://twitter.com/AltShiftPrtScn/status/1519840040637157378
# Reference: https://www.virustotal.com/gui/file/d2d927e7cdb804c416e70e41290453a7902420894b5cb17fdb688e9ee7943b13/detection

138.68.61.82:444

# Reference: https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/
# Reference: https://otx.alienvault.com/pulse/6270f28cc2cfb0f83fe7b211

farisrezky.com
freewula.strangled.net
gfsg.chickenkiller.com
greenhugeman.dns04.com
pic.farisrezky.com
szuunet.strangled.net
final.staticd.dynamic-dns.net
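The list above mixes four kinds of indicator in Maltrail's plain-text trails convention: bare domains, `ip:port` pairs, `http://` URLs and host/path entries, each block preceded by the `# Reference:` lines that sourced it. The following is an added example, not Maltrail's own parser or matching engine: it reads a constructed excerpt of this file, keeps the references attached to each indicator, and checks a handful of made-up DNS, connection and HTTP log lines (the `dns`/`conn`/`http` key=value log format is an assumption for the example, not a real product format). Listed domains are treated as covering their subdomains, and a bare `http://IP` trail is treated as covering that IP on any port; both are design choices of the example, not rules stated by the file.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the trails file above (entries copied from it).
TRAILS_EXCERPT = """\
# Aliases: shadowhammer, shadowpad, apt41

# Reference: https://content.fireeye.com/apt-41/rpt-apt41

ageofwuxia.com
ibmupdate.com

# Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/

http://66.42.98.220
66.42.98.220:12345
alibaba.zzux.com

# Reference: https://blog.macnica.net/blog/2020/11/dtrack.html

mail.gietriangle.org/public/src3.png
"""

IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")

@dataclass(frozen=True)
class Trail:
    value: str
    kind: str          # "domain" | "ip_port" | "url" | "url_path"
    references: tuple  # the "# Reference:" URLs preceding this entry

def classify(value: str) -> str:
    if "://" in value:
        return "url"        # e.g. http://66.42.98.220
    if "/" in value:
        return "url_path"   # e.g. mail.gietriangle.org/public/src3.png
    if IP_PORT_RE.match(value):
        return "ip_port"    # e.g. 66.42.98.220:12345
    return "domain"

def parse_trails(text: str) -> list:
    """One indicator per line; '#' lines are comments. A run of '# Reference:'
    lines applies to every indicator up to the next reference block."""
    trails, refs, seen_indicator = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# Reference:"):
                if seen_indicator:  # new block: previous references no longer apply
                    refs, seen_indicator = [], False
                refs.append(line[len("# Reference:"):].strip())
            continue  # copyright / alias comments carry no indicator
        trails.append(Trail(line, classify(line), tuple(refs)))
        seen_indicator = True
    return trails

class TrailIndex:
    def __init__(self, trails):
        self.domains, self.ip_ports, self.url_hosts, self.url_paths = {}, {}, {}, {}
        for t in trails:
            if t.kind == "domain":
                self.domains[t.value.lower()] = t
            elif t.kind == "ip_port":
                self.ip_ports[t.value] = t
            elif t.kind == "url":
                self.url_hosts[t.value.split("://", 1)[1].split("/", 1)[0].lower()] = t
            else:
                self.url_paths[t.value.lower()] = t

    def match_dns(self, qname: str) -> Optional[Trail]:
        # Walk up the labels so a listed domain also covers its subdomains
        # (example's own choice); never test the bare TLD.
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            hit = self.domains.get(".".join(labels[i:]))
            if hit:
                return hit
        return None

    def match_conn(self, ip: str, port: int) -> Optional[Trail]:
        # Exact ip:port first; a bare http://IP trail covers the IP on any port.
        return self.ip_ports.get(f"{ip}:{port}") or self.url_hosts.get(ip)

    def match_http(self, host: str, path: str) -> Optional[Trail]:
        return self.url_paths.get(host.lower() + path) or self.url_hosts.get(host.lower())

# Constructed log lines in an assumed "<ts> <kind> src=<ip> key=value..." format.
SAMPLE_LOG = [
    "2022-05-01T10:00:00Z dns src=10.0.0.5 qname=update.ageofwuxia.com",
    "2022-05-01T10:00:01Z conn src=10.0.0.5 dst=66.42.98.220:12345",
    "2022-05-01T10:00:02Z dns src=10.0.0.6 qname=www.example.com",
    "2022-05-01T10:00:03Z http src=10.0.0.6 host=mail.gietriangle.org path=/public/src3.png",
    "2022-05-01T10:00:04Z conn src=10.0.0.7 dst=8.8.8.8:53",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|conn|http) src=(?P<src>\S+) (?P<rest>.*)$")

def scan_log(lines, index: TrailIndex) -> list:
    """Return (source, matched trail, references) for every line that hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        f = dict(kv.split("=", 1) for kv in m["rest"].split())
        if m["kind"] == "dns":
            t = index.match_dns(f["qname"])
        elif m["kind"] == "conn":
            ip, port = f["dst"].rsplit(":", 1)
            t = index.match_conn(ip, int(port))
        else:
            t = index.match_http(f["host"], f["path"])
        if t is not None:
            hits.append((m["src"], t.value, t.references))
    return hits

if __name__ == "__main__":
    for src, value, refs in scan_log(SAMPLE_LOG, TrailIndex(parse_trails(TRAILS_EXCERPT))):
        print(f"{src} -> {value}  (refs: {', '.join(refs)})")
```

Keeping the references attached to each hit is the point of the `# Reference:` convention: an alert on `update.ageofwuxia.com` should carry the FireEye APT41 report that sourced the indicator, not just the bare string. Note that a trail listed only as a host/path (such as `mail.gietriangle.org/public/src3.png`) deliberately does not fire on a DNS query for the host alone; the file lists the path, not the domain, and the example honours that distinction.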