# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: artradownloader, splinter, TurtlePower # Reference: https://github.com/pan-unit42/iocs/blob/master/bitter/iocs.csv a.churchill91.com aday.primeservices.mobi aroundtheworld123.net chinatel90.com churchill91.com confirm97.com destiny91.com font.jiangsuhost.com frameworksupport.net healthnewsone.com hewle.kielsoservice.net johnywalter.webatu.com mappservworldvide.16mb.com marvel89.com marvellighter.com medzone71.com mob.wirelesssolutions.mobi muzicwonder.com nethosttalk.com newmysticvision.com nsiagenthoster.net red5big.com sound.muzicwonder.com spring.tulipnetworks.net sterling66.com stingray91.com styl.crrerc.com styl.hairparker.com thematrix.esy.es thepandaservices.nsiagenthoster.net tulipnetworks.net victory1983.ddns.net wills.hairparker.com wingames2015.com wirelesssolutions.mobi woodwind71.com xiovo416.net zmwardrobe.com # Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (Chinese) khurram.com.pk traxbin.com wcnchost.ddns.net # Reference: https://twitter.com/h4ckak/status/1147710998817542145 healthdevicetracker.co # Reference: https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations # Reference: https://cert.360.cn/report/detail?id=137867e159331b7a968aa45050502d13 # Reference: https://otx.alienvault.com/pulse/5d4d82f21a9bb34d2b0e65f7 btappclientsvc.net cdaxpropsvc.net v3solutions4all.com v3solutions4all.org wangluojiumingjingli.org winmanagerservice.net winmanagerservice.org # Generic trails from https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/ # Reference: https://www.virustotal.com/gui/file/aecfa3879cd68b3a2ab0771638c0d649b007cbb6f28dddb56af4fb740b8e25a5/detection /ergdfbd/ /healthne/ /ourtyaz/ /RguhsT/ 
/ergdfbd/wscspl /healthne/accept.php /healthne/regdl /ourtyaz/dwnack.php /ourtyaz/qwe.php /ourtyaz/qwf.php # Reference: https://twitter.com/Timele9527/status/1169430987832344576 gongzuosousuo.net # Reference: https://twitter.com/blackorbird/status/1169925232255090689 aroundtheworld123.net # Reference: https://twitter.com/James_inthe_box/status/1166128688175300608 # Reference: https://twitter.com/MeltX0R/status/1170183286712340482 # Reference: https://meltx0r.github.io/tech/2019/09/06/bitter-apt-not-so-sweet.html # Reference: https://twitter.com/Timele9527/status/1169785910881218560 biocons.pk gandharaart.org maq.com.pk netnsiservice.net onlinejohnline99.org sartetextile.com zhongwenchuantongqiye.com /kvs06v.php /lax05u.php /Mcx2svc.php /ms2u1p.php # Reference: https://twitter.com/RedDrip7/status/1170988245561294850 # Reference: https://twitter.com/MeltX0R/status/1171245112082481153 blth32serv.net w32infinitisupports.net # Reference: https://twitter.com/blackorbird/status/1182479754965876737 wangluojiumingjingli.org # Reference: https://twitter.com/James_inthe_box/status/1183927764778274816 lmhostsvc.net # Reference: https://twitter.com/blackorbird/status/1187662590224191489 nethostsupport.ddns.net sysintservice.ddns.net # Reference: https://twitter.com/ccxsaber/status/1192326844529422337 tvnservereventlog.net # Reference: https://twitter.com/Timele9527/status/1201477767352553472 # Reference: https://twitter.com/Timele9527/status/1201477848852090881 # Reference: https://twitter.com/Timele9527/status/1201477876236701696 cloud-storage-service.com kerbosim.com noitfication-office-client.890m.com office360-pub.16mb.com quartzu.hol.es # Reference: https://twitter.com/Rmy_Reserve/status/1224289465872502789 wbclientservice.ddns.net # Reference: https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf activemobistore.ddns.net cbyxhuxo663.ddns.net flashnewsservice.org wdibitmapservice.net # Reference: 
https://twitter.com/ShadowChasing1/status/1256036038331387904 # Reference: https://twitter.com/ShadowChasing1/status/1305879886473474048 # Reference: https://twitter.com/_re_fox/status/1305925337004601345 http://162.0.229.203 camncryptsvc.net /RguhsT/ /RguhsT/accept.php # Reference: https://twitter.com/MeltX0R/status/1258870289066319872 # Reference: https://www.virustotal.com/gui/ip-address/63.250.38.240/relations http://63.250.38.240 # Reference: https://twitter.com/ccxsaber/status/1273442309816770560 usmservice.net # Reference: https://twitter.com/Timele9527/status/1280315854094123008 liveways.pk # Reference: https://twitter.com/Timele9527/status/1277843761318354944 mia.alkhaleejpk.info tusdec.org.pk/ee uniengrisb.com/img/rt.msi # Reference: https://twitter.com/blackorbird/status/1295265067173163010 # Reference: https://twitter.com/ShadowChasing1/status/1303628547366350848 # Reference: https://twitter.com/ShadowChasing1/status/1306422911972958210 # Reference: https://twitter.com/Des00464472/status/1348964050076540928 # Reference: https://www.virustotal.com/gui/file/f45590dbb07e6a506c19f62b3f23b17a1aefbb6d8287f94a74c3ea707e6f4736/detection # Reference: https://www.virustotal.com/gui/file/2ba30469c3cbe13aa02073ae6c48114d2902450c3745857946b30d811eff6e6d/detection livevideosonlinepk.com box.livevideosonlinepk.com /RsdvgiMincSnyYu/ /tstRsdvgiMincSnyYutsphp/ /tstRsdvgiMincSnyYutspph/ /PerHyPfilbmiw1.php /PerHyPfilbmiw2.php /tstPerHyPfilbmiw1.php /tstPerHyPfilbmiwts2t.php /RsdvgiMincSnyYu/PerHyPfilbmiw1.php /RsdvgiMincSnyYu/PerHyPfilbmiw2.php /tstRsdvgiMincSnyYutsphp/tstPerHyPfilbmiw1.php /tstRsdvgiMincSnyYutsphp/tstPerHyPfilbmiwts2t.php /tstRsdvgiMincSnyYutspph/tstPerHyPfilbmiw1.php /tstRsdvgiMincSnyYutspph/tstPerHyPfilbmiwts2t.php # Reference: https://twitter.com/HONKONE_K/status/1297829657568407554 # Reference: https://www.virustotal.com/gui/file/0ce047bb77073990a8810f8d6f178dc0d4fc5257603790f80d3d84b0b2405a6c/detection # Reference: 
https://www.virustotal.com/gui/file/ced29451faed4f5dfa9ce80e35469e3573a89f848d5a7f5b087ee62a62f5f89a/detection oppak.com/one/opa oppak.com/one/eths # Reference: https://twitter.com/_re_fox/status/1301887287765225477 # Reference: https://twitter.com/ShadowChasing1/status/1304017919655858177 # Reference: https://app.any.run/tasks/383a15aa-63b0-48ee-9a90-2cb64da9134f/ jgcest.com/css/ # Reference: https://twitter.com/ShadowChasing1/status/1306858164277526528 alkhaleejpk.info /PsehestyvuPw/F1l3estPhPInf1.php /PsehestyvuPw/ /F1l3estPhPInf1.php /F1l3estPhPInf2.php # Reference: https://ti.qianxin.com/blog/articles/Blocking-APT:-Qianxin's-QOWL-Engine-Defeats-Bitter's-Targeted-Attack-on-Domestic-Government-and-Enterprises/ # Reference: https://otx.alienvault.com/pulse/5fd7a716e178ff014c630ecb # Reference: https://www.virustotal.com/gui/file/6cb0c0a2f89d1e82653d2b0dd1389007543616d11f0709ff194a4db2d36865f7/detection # Reference: https://www.virustotal.com/gui/file/820ab2458839688369906cee2a4c08b4694e2bddcb187358ce575e5d2063515e/behavior # Reference: https://www.virustotal.com/gui/file/efeaadaa53ec033d224b58be109c0f5fde12c8775fc5603f51efa8e23bcd6fb2/detection http://162.0.229.203 http://72.11.134.216 http://82.221.136.27 107.173.63.218:58370 pichostfrm.net # Reference: https://twitter.com/ShadowChasing1/status/1356412596430233603 # Reference: https://twitter.com/_re_fox/status/1301887287765225477 # Reference: https://app.any.run/tasks/383a15aa-63b0-48ee-9a90-2cb64da9134f/ # Reference: https://www.virustotal.com/gui/file/c2131a3906d97b5d7d697d16de15a8f704db1e6e4a8d3d7316c784d45716cffc/detection vdsappauthservice.net /taskshandlers/DBhandle/primary_main.php /taskshandlers/DBhandle/secondary.php # Reference: https://twitter.com/ShadowChasing1/status/1375227175226368006 # Reference: https://www.virustotal.com/gui/file/e07e8cbeeddc60697cc6fdb5314bd3abb748e3ac5347ff108fef9eab2f5c89b8/detection snsrsvchost.com # Reference: https://twitter.com/ShadowChasing1/status/1408579870230126592 
# Reference: https://twitter.com/malwrhunterteam/status/1408491293207154696 mail-mfa-gov-cn-login.netlify.app # Reference: https://twitter.com/ShadowChasing1/status/1408579947417927687 yuruhjforonjoigrvnbnrgoigoigoisannvmvnfnmkfd7.000webhostapp.com # Reference: https://cloud.tencent.com/developer/article/1826900 # Reference: https://twitter.com/AnonySecAgency/status/1423510463212523521 # Reference: https://www.virustotal.com/gui/file/1ac7f4cee8b614359cb0997c1934e8b2e4cab0bbfddfa84bedb6d1b2f55e26f3/detection gxwxtvonline.com otx.gxwxtvonline.com /OtPefhePbvw/datarcvoninfile.php /OtPefhePbvw/nnodata3inf.php /OtPefhePbvw/onlinedata1inf.php /OtPefhePbvw/ /datarcvoninfile.php /nnodata3inf.php /onlinedata1inf.php # Reference: https://ti.qianxin.com/blog/articles/%22operation-magichm%22:CHM-file-release-and-subsequent-operation-of-BITTER-organization/ (Chinese) http://193.142.58.186 45.11.19.170:34318 bheragreens.com msisspsvc.net myprivatehostsvc.com sartetextile.com svc2mcxwave.net w32timeslicesvc.net wdisvcnotifyhost.com webmailcgwip.com windiagnosticsvc.net youxiangxiezhu.com /n9brCs21/ /n9brCs21/apprun /UihbywscTZ/45Ugty845nv7rt.php /UihbywscTZ/ /45Ugty845nv7rt.php # Reference: https://twitter.com/ShadowChasing1/status/1438706652522303489 # Reference: https://www.virustotal.com/gui/file/a169156b0d307ca978d722cafbd3bc1d04c94e55f71bc9d16ba6fabb8140be83/detection olmajhnservice.com # Reference: https://twitter.com/HONKONE_K/status/1464090084349669382 # Reference: https://www.virustotal.com/gui/file/528c6bf7c0c32be26bc1e32df73fed73ca7312e1b6fdb2ca20d5f0c157b02256/detection # Reference: https://www.virustotal.com/gui/file/499bf98bef84eeff781828932b16747a5aa03d3f70e15aabf4718cccd20a51a5/detection snsrsvchost.net # Reference: https://twitter.com/RedDrip7/status/1468420250245136390 # Reference: https://twitter.com/kyleehmke/status/1510958302800318467 # Reference: https://www.virustotal.com/gui/ip-address/172.93.201.143/relations # Reference: 
https://www.virustotal.com/gui/file/25aeec4c58f740c62664c757987902981c9676d0f58f9337f852fa9dd8a874d9 msofficeupdates.ddns.net windowtemplates.info # Reference: https://twitter.com/ShadowChasing1/status/1474005551818313729 # Reference: https://www.virustotal.com/gui/file/6b475078aca28ef7c8b162065b562e61670aceea1602715f53d64d81e7023a2a/detection epapbuizhost.net # Reference: https://twitter.com/ShadowChasing1/status/1478259210110775297 # Reference: https://www.virustotal.com/gui/file/9a8b201eb2bebe309d15c7b0ab5a6dcde460b84b035bb3575d4a0ec6af51a37e/detection tomcruefrshsvc.com sbss.com.pk cpcalendars.tomcruefrshsvc.com cpcontacts.tomcruefrshsvc.com mail.tomcruefrshsvc.com subscribe.tomcruefrshsvc.com viewz.tomcruefrshsvc.com webdisk.tomcruefrshsvc.com webmail.tomcruefrshsvc.com /VcvNbtgRrPopqSD/SzWvcxuer/userlog.php /VcvNbtgRrPopqSD/SzWvcxuer/ /VcvNbtgRrPopqSD/ /SzWvcxuer/ # Reference: https://twitter.com/ShadowChasing1/status/1479641732169932801 # Reference: https://www.virustotal.com/gui/file/f7ed5eec6d1869498f2fca8f989125326b2d8cee8dcacf3bc9315ae7566963db/detection slrpnlcontrlintrface.com # Reference: https://twitter.com/ShadowChasing1/status/1480193191299084288 autodefragapp.com care.autodefragapp.com evert.autodefragapp.com helpdesk.autodefragapp.com mail.autodefragapp.com newdesk.autodefragapp.com support.autodefragapp.com # Reference: https://twitter.com/ShadowChasing1/status/1480853604609126403 # Reference: https://www.virustotal.com/gui/file/4e0824b6c9c4e53a7caeda78c8b60bf1dc20670e58955ad1e2e9f89fdf22029c/detection gpcpsvclog.net # Reference: https://www.virustotal.com/gui/file/1b60ef6900dc790f2565e4fd27b14742ed6bec53252e3b142f0af6a246d94837/detection comnmsgwrapsvc.net /jsprc.php?h= # Reference: https://twitter.com/k3yp0d/status/1490994886338027527 # Reference: https://www.virustotal.com/gui/file/15a58d7223761f8386c902ae2d55a1313b4744e543f8f228851d0376dce721fe/detection /dFFrt3856ByutTs/xnb/data1.php /dFFrt3856ByutTs/ # Reference: 
https://twitter.com/RedDrip7/status/1493905786354892801 # Reference: https://www.virustotal.com/gui/file/a4afaa41383f447d96d0ebb1e2e50721af080e951d40754a836215fb2c3f0660/detection 45.86.163.212:49920 snapsvcvirtual.net # Reference: https://twitter.com/h2jazi/status/1499501002743062539 # Reference: https://www.virustotal.com/gui/file/eaa013b863bda3bd76c6f6073cc304002d1a9f317c8fba9c362534aff7dd1b0b/detection diyefosterfeeds.com # Reference: https://www.virustotal.com/gui/file/34182232200718be91a1b683112f8e44c1ee75bf3b11e2c055de68d990e0dd92/detection http://45.11.19.170 # Reference: https://twitter.com/h2jazi/status/1509636768504717313 # Reference: https://www.virustotal.com/gui/file/9fca7eeb6a7c3591492ddb7693b9d7b2349acc3240cc46710f91fb79d8a8deb6/detection coerciondigital.com # Reference: https://twitter.com/GGGGh0st/status/1512002541370097664 # Reference: https://www.virustotal.com/gui/file/195682cc8a6318d3eb2af83faaff76dc925e3e382b13729b9e03cf6d8f5435b0/detection lltdifslogsvc.net # Reference: https://twitter.com/blackorbird/status/1520688352286052352 zhaodaolajiankang.com # Reference: https://twitter.com/ShadowChasing1/status/1521401317360513025 # Reference: https://www.virustotal.com/gui/file/a979c76afd0e9d2e135ca64a215e1af270222d059d806e7028022060e8cbe72c/detection 193.142.58.38:34905 # Reference: https://twitter.com/SethKingHi/status/1522867750481408001 # Reference: https://www.virustotal.com/gui/file/14986da600df26fdb4e435cf01b6be4e5fffcc001059609070a2de701496bdde/detection wmbwowxsvc.com # Reference: https://twitter.com/SethKingHi/status/1523592393249136640 # Reference: https://www.virustotal.com/gui/file/471b384ca81a9d804992d4e4693ab3d42d419a2e2690ebb146671407fe0809d8/detection levarisnetqlsvc.net # Reference: https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html 185.141.25.244:33324 urocakpmpanel.com /updateReqServ10893x.php # Reference: https://twitter.com/k3yp0d/status/1525508775980957698 # Reference: 
https://www.virustotal.com/gui/file/dbd72490ce2642721ba8919b27a5f4854d2a8199132e9c4bb08f54b48282febc/detection nymedsvcsystems.com # Reference: https://twitter.com/k3yp0d/status/1527656133837594624 # Reference: https://www.virustotal.com/gui/file/91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42/detection emshedulersvc.com huandocimama.com han.huandocimama.com log.huandocimama.com m.huandocimama.com # Reference: https://twitter.com/__0XYC__/status/1501847173864083458 # Reference: https://twitter.com/__0XYC__/status/1501852899491852288 # Reference: https://twitter.com/blackorbird/status/1534373342446202881 # Reference: https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg (Chinese) botanoolifeapp.net deliverymailserver.com ekoconect.com epapbuizhost.net maildataserver.com pnptrafcroutsvc.net rurushophoogtypnl.com svc2mcxwave.net # Reference: https://twitter.com/RedDrip7/status/1536987661939773440 # Reference: https://twitter.com/RedDrip7/status/1536989979229835265 # Reference: https://www.virustotal.com/gui/file/6f5ce57dce03d9456657ad872766ee8f78b1b6c258a8b99c7658bc0590813d4d/detection # Reference: https://www.virustotal.com/gui/file/55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396/detection 64.44.131.109:33638 wizbizkidshow.biz # Reference: https://twitter.com/binlmmhc/status/1539094292064784384 # Reference: https://www.virustotal.com/gui/file/cfd883237a56a1a59c2882b9c7e11272ab32b76b35bbf69358c1168e82aae278/detection mynewellowstore.com login.mynewellowstore.com star.mynewellowstore.com /OibytDsERt.php # Reference: https://twitter.com/binlmmhc/status/1529782539199868928 # Reference: https://www.virustotal.com/gui/file/3037f41f422033a11ed86871ea7f6dbba8b910dbee3212eb33165e488eecde14/detection 51.255.3.62:48152 # Reference: https://twitter.com/binlmmhc/status/1485545135882784768 # Reference: https://www.virustotal.com/gui/file/9ca64c2672258e72d297dbf0d2d7a57d92d6011e75ac08ba4feb01e8a975cf09/detection 185.117.73.195:59600 plprasvchost.net # 
Reference: https://twitter.com/binlmmhc/status/1437704326789488642 # Reference: https://www.virustotal.com/gui/file/73f3a0d2d93c36276e1ecc7ebe64bede9c5adcfd01c5bebc89be75dc5b70111e/detection fdcx32hostlaunchsvc.com # Reference: https://twitter.com/binlmmhc/status/1377080167881924608 # Reference: https://www.virustotal.com/gui/file/fdc7cff892b890cb46c3c6d9fd3e8a62bb3059caaf034d63ba7d615342f17f70/detection vercplsupport.net /taskshandlers/DBhandle/primary_main.php # Reference: https://twitter.com/h2jazi/status/1551980359990104064 # Reference: https://www.virustotal.com/gui/file/fec00455734451b722f3037e0a668c280c5ddbec1d905c647bf1a7f153856860/detection novaoutletclub.com # Reference: https://twitter.com/Richard_S81/status/1557419346078666752 # Reference: https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/ # Reference: https://www.bleepingcomputer.com/news/security/hackers-install-dracarys-android-malware-using-modified-signal-app/ # Reference: https://www.virustotal.com/gui/file/220fcfa47a11e7e3f179a96258a5bb69914c17e8ca7d0fdce44d13f1f3229548/detection (# Dracarys) 94.140.114.22:41322 signal-premium-app.org signalpremium.com youtubepremiumapp.com # Reference: https://github.com/blackorbird/APT_REPORT/tree/master/bitter/2022 appbriar.com appprotonvpn.com briarapppro.org converse-app.org gosignal.org islam-360-plus.com linphone-app.com play-protect.com signal-premium.org signalpro.org sikhsiyasatapp.net telegram-app.tech telegram-pro.org telegramapppro.org app2.appvlc.com gallery.play-protect.com pflix.camdvr.org weather.play-protect.com # Reference: https://about.fb.com/wp-content/uploads/2022/08/Quarterly-Adversarial-Threat-Report-Q2-2022.pdf # Reference: https://otx.alienvault.com/pulse/62f2344533e6cfe5e975f573 1drivestorage.com appsupdate.net archiverst.com createasocialcard.top hatvax.com playapps.ga shareflx.com social-card-share.top socialpreviews.top storeupdates.net theambix.org yoursdrive.com whatsapp.playapps.ga 
play.google.com.whatsapp.playapps.ga shareflx.createasocialcard.top shareflx.social-card-share.top shareflx.socialpreviews.top # Reference: https://twitter.com/malwrhunterteam/status/1577401341768568854 # Reference: https://twitter.com/LukasStefanko/status/1577553669700083714 # Reference: https://www.virustotal.com/gui/ip-address/74.119.239.234/relations # Reference: https://www.virustotal.com/gui/file/cbfa2aa73ea8bdc126c6767efd61a822786f4b48479859a6d14246a25d8ebd1a/detection currweather.com weather-latest.com # Reference: https://www.virustotal.com/gui/file/510b3de50c8dfc20a3085166f373a5f12475c7915984de0afa3cc0bff0c2580d/detection dnldsalecraze.com # Reference: https://twitter.com/SethKingHi/status/1583039595524259841 # Reference: https://www.virustotal.com/gui/file/07504fcef717e6b74ed381e94eab5a9140171572b5572cda87b275e3873c8a88/detection qwavemediaservice.net # Reference: https://twitter.com/HONKONE_K/status/1533694370805063680 # Reference: https://www.virustotal.com/gui/file/d07b4487348de35df5e4cfa7c26c8cc6432230c1df220d2379fc702e25850909/detection 110.42.64.137:9527 # Reference: https://twitter.com/h2jazi/status/1594688392314474502 # Reference: https://www.virustotal.com/gui/file/4baf42e448120bd26fd0198c1b3382296fa3cb47f6c882fd5a9f4693d88847e5/detection vividworld.net # Reference: https://twitter.com/ginkgo_g/status/1598138502017085440 # Reference: https://www.virustotal.com/gui/file/8cfc803459682619e97f172e9cca33458fdf38b0b9ca09f8ccbc7df16f09240f/detection # Reference: https://www.virustotal.com/gui/file/b514635f569791316e1c55057f63f596847e23c0fa1ca0f751c5a2135f72b8ff/detection mobisharestock.com updnangelgroup.com # Reference: https://twitter.com/ThreatBookLabs/status/1602611437326991360 rusjamystarapp.com # Reference: https://twitter.com/ThreatBookLabs/status/1603675610504499200 supunitysharehost.net # Reference: https://twitter.com/Des00464472/status/1607962294222454784 # Reference: 
https://www.virustotal.com/gui/file/caf871247b7256945598816e9c5461d64b6bdb68a15ff9f8742ca31dc00865f8/detection devqrytoprar.net # Reference: https://twitter.com/Des00464472/status/1608357353589735425 mabizstockholm.com # Reference: https://twitter.com/binlmmhc/status/1610969202722242561 deriksystemspartens.com guppu.pk herbsbrunabuiz.net mirzadihatti.com # Reference: https://twitter.com/binlmmhc/status/1555002494593679361 # Reference: https://www.virustotal.com/gui/file/5374d2b9c9802d3b04735134960be84033c390b9279aea5b8ff7cbca8eaf9a4c/detection 147.124.223.140:41320 # Reference: https://twitter.com/ThreatBookLabs/status/1611260753151164417 # Reference: https://www.virustotal.com/gui/file/b7a9407b47baf7442e0baf94a3b4cc8b7420cb01364fc8e6a3c622b7ae39301f/detection 23.106.122.149:31174 kryoblockbind.net # Reference: https://www.virustotal.com/gui/file/06dd9a7aebe0995b23526f04eabc85db3d2d98def9be58c1012a1280f5aa63f1/detection ellearningstore.com # Reference: https://twitter.com/RedDrip7/status/1613474917038837764 # Reference: https://www.virustotal.com/gui/file/5b90d4c397e575965ed49082981fd34272b5e1da010057f6ebcdd4f53a409ad0/detection wcnsappword.com /wmis/wave.php?xas= # Reference: https://twitter.com/StopMalvertisin/status/1613833615984721922 # Reference: https://www.virustotal.com/gui/file/2fe49d93b5dcf19a2b60e91756246b051adc89303151c9e0b875c3f21c698be9/detection onlinehealthmatters.info # Reference: https://twitter.com/StopMalvertisin/status/1614460800680472579 # Reference: https://www.virustotal.com/gui/file/95990cac90d19e6fe48bff85a72148c35facbb2e61b1f326d85e82603240a741/detection bensnewfashionstyles.com # Reference: https://twitter.com/StopMalvertisin/status/1618434887220105216 # Reference: https://www.virustotal.com/gui/file/561ace43f77de135d5b3286bd2ef270b185d0abdba15d442551211068f8bbf11/detection wbfashionshow.com # Reference: https://twitter.com/StopMalvertisin/status/1622200643787309056 # Reference: 
https://www.virustotal.com/gui/file/f598f3bd60a39ad5861f145e82b33acde146b6ed5c2ffd9c6862ca1ea635afbf/detection dracjohnsupport.com # Reference: https://twitter.com/ThreatBookLabs/status/1622884433945829376 # Reference: https://www.virustotal.com/gui/file/a447a890c7738c259ae0fc03958fbd6a96abd350a5acb9cc39fd8b3e7d450147/detection zingstockpicks.com # Reference: https://twitter.com/StopMalvertisin/status/1623199772810301447 # Reference: https://www.virustotal.com/gui/file/636c2a16f94b5e30e725527a1bd2215399f98f17cc08580bc7358751b9eb2944/detection jlmusiklearn.com # Reference: https://twitter.com/StopMalvertisin/status/1623199776476131328 # Reference: https://www.virustotal.com/gui/file/35952afc1c9f5597348373cee4611bc37287076606ca1b912d6a73aeee26602a/detection rxnovelapps.info # Reference: https://twitter.com/StopMalvertisin/status/1628694986140311552 # Reference: https://www.virustotal.com/gui/file/ded0635c5ef9c3d63543abc36a69b1176875dba84ca005999986bd655da3a446/detection coauthcn.com # Reference: https://twitter.com/StopMalvertisin/status/1633398160843485185 # Reference: https://www.virustotal.com/gui/file/9da7bb7065b91ec4634c080955d7ab086f7bc6f5391d1db10751812c38bcff19/detection lbhandlesystem.com # Reference: https://twitter.com/fmc_nan/status/1639175633019478017 # Reference: https://twitter.com/StopMalvertisin/status/1639339836225253377 # Reference: https://twitter.com/StopMalvertisin/status/1639340323200733184 # Reference: https://www.virustotal.com/gui/file/43c8ada7cb7c046893dd96aef195856ec94f62823ca1a2987adf31899788c92d/detection # Reference: https://www.virustotal.com/gui/file/cd3effd25629ab9c440ed8bedb9bfb312c73a022cad5078684784ea07eff2c68/detection # Reference: https://www.virustotal.com/gui/file/8aeb7dd31c764b0cf08b38030a73ac1d22b29522fbcf512e0d24544b3d01d8b3/detection mail-gdrive.com bluelotus.mail-gdrive.com msdata.ddns.net # Reference: https://twitter.com/fmc_nan/status/1638874363335409667 # Reference: 
https://www.virustotal.com/gui/file/117ae7b2d08c8f11be7e4c4f27e54fa1d3a816073502241f1bb6277c89c67d85/detection # Reference: https://www.virustotal.com/gui/file/f5e066da37fc9da2ca68678aa1e001c4428e9476dde8a927cb76fa9389038b06/detection # Reference: https://www.virustotal.com/gui/file/2eca2f7a1fb4654dd73bf4a999ce155b2303e47340b26a49623f5b32948060c3/detection 46.30.188.43:51683 # Reference: https://twitter.com/suyog41/status/1640346154205343747 # Reference: https://www.virustotal.com/gui/file/6ac16df25b0faead1d019f73edd9b12bac9f356d8250b5637f3f6a0b94e73c75/detection erswuniconsharing.com # Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1654318267002163202 # Reference: https://www.virustotal.com/gui/file/4e3e4d476810c95c34b6f2aa9c735f8e57e85e3b7a97c709adc5d6ee4a5f6ccc/detection 46.30.190.160:60099 uxmesysconsole.com # Reference: https://twitter.com/suyog41/status/1663857230616186881 # Reference: https://www.virustotal.com/gui/file/4f94e7bd1515e0025293fb5a041bc41c20a7dd15a6dd0bc7076145a69d5238c0/detection folkmusicstreams.com # Reference: https://twitter.com/StopMalvertisin/status/1666834231983767558 # Reference: https://www.virustotal.com/gui/file/490eccbb2712e7752a0ba193f783de9d333f67ba1fde5bb130280c5abf77555a/detection novasapothecary.com # Reference: https://twitter.com/ThreatBookLabs/status/1662266116247552001 greenspowerpanel.com # Reference: https://twitter.com/suyog41/status/1671452383879081984 # Reference: https://www.virustotal.com/gui/file/a2e3f464e1c39909f47f0b837b04e1256061f4a9698678e097b4dd09aa4de9c1/detection daveonenewtestpanel.com # Reference: https://twitter.com/ThreatBookLabs/status/1676953190913433607 netmansrvdns.com # Reference: https://twitter.com/ThreatBookLabs/status/1681656384071376897 # Reference: https://www.virustotal.com/gui/file/e8149ba0e8ce1a48142df2009688d5aa657286d56638b36da1c5ea2376ba6f9f/detection webcarewellclinic.com # Reference: https://twitter.com/suyog41/status/1684892151316955136 # Reference: 
https://www.virustotal.com/gui/file/1ea9e9ecd0e5b0ac4aedc1b5515484a372dd8aefb1dbeb00f243a0a3ce40fab9/detection farleysmxpph.com # Reference: https://twitter.com/suyog41/status/1686298387455283200 # Reference: https://www.virustotal.com/gui/file/c3fc4d145ce3cee06782753be269cad6632751fb9b824e1917b0de6e597ee2ee/detection mercifulnearyou.com # Reference: https://twitter.com/binlmmhc/status/1686659755622924288 # Reference: https://twitter.com/binlmmhc/status/1686661719261958144 kaatsonlinesupport.com thenewmusictunes.com /WVKA/qbv.php # Reference: https://twitter.com/ThreatBookLabs/status/1688902207566196736 emmacloudsystem.com # Reference: https://twitter.com/ginkgo_g/status/1696470343979012600 # Reference: https://www.virustotal.com/gui/file/cc1c7e53ea567509a4bcfda2df95cb8f6ed7eed7cb2ae8786b736cd4d858173a/detection shzjwxsns.qqcloud.coauthcn.com # Reference: https://twitter.com/suyog41/status/1698568505535414578 # Reference: https://www.virustotal.com/gui/ip-address/82.221.129.39/relations # Reference: https://www.virustotal.com/gui/file/413d0aacddad41105f9f04de12cae9420919083796ed856df47ee2c7b3767fda/detection dashonlineclub.com /CVBN/mzx.php # Reference: https://twitter.com/ThreatBookLabs/status/1677666593982271488 xiuxonlinehost.com # Reference: https://twitter.com/lightC07379408/status/1706965936098390431 # Reference: https://www.virustotal.com/gui/file/e61e41d73682c166e7cf8c8a1db169f0f689fa2b70e19cfb0033e4c9211d9de6/detection mxsiclienteventlog.com neozelappconsole.com /ROAM/gret.php /WORK/info.php?cve= # Reference: https://twitter.com/suyog41/status/1717061493068640648 # Reference: https://www.virustotal.com/gui/file/8bb36cb759cada50695ae3b5156b6f603c92081147400db544ac75ece8ce7129/detection webandersondesign.com /dozq/jkl.php /dozq/jkl.php?pi= # Reference: https://twitter.com/StopMalvertisin/status/1722944218015179147 # Reference: https://www.virustotal.com/gui/file/445c801e857329e1740745b4949349a02971530c4f5d28a8e9e5489c3516933a/detection farlookclinic.com 
/DMMA/hfo.php /DMMA/hfo.php?pi= # Reference: https://twitter.com/RexorVc0/status/1727230322855833657 # Reference: https://mp.weixin.qq.com/s/HVhXyIB4sKuG6dDwwe4Pcw # Reference: https://www.virustotal.com/gui/ip-address/91.236.230.44/relations # Reference: https://www.virustotal.com/gui/file/2b25469b0e23fc024f5ca147948292cd4175a18625cb8a5b67ab04300082866f/detection 91.236.230.44:59310 olivershikerhelp.com sportsaccessstore.com cjcjegb9k5vg46vkns5g.sportsaccessstore.com gspcfdqtloe.sportsaccessstore.com # Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1729760374960927051 # Reference: https://twitter.com/doc_guard/status/1729861690613989781 # Reference: https://app.docguard.io/fc72bd3e21cddcb3c181d7bdf1cacd2886701cdf9cc12be63061c2eeeda47ce9/results/dashboard # Reference: https://www.virustotal.com/gui/file/fc72bd3e21cddcb3c181d7bdf1cacd2886701cdf9cc12be63061c2eeeda47ce9/detection newsaxfluteclub.com # Reference: https://twitter.com/suyog41/status/1730172467094983083 # Reference: https://www.virustotal.com/gui/file/83ca53918af3ea659d767e489a1e42ea97879e3e534f68c4edc7d0eb77f44204/detection newlbfashions.com /kna.php?ka= # Reference: https://twitter.com/ginkgo_g/status/1729698368987787591 # Reference: https://www.virustotal.com/gui/file/132098213b5923463611e6fc77bfce0cfad3d727566ce0e87e9723456c698ae6/detection 89.40.206.85:52529 maxdimservice.com # Reference: https://twitter.com/suyog41/status/1731632299618525471 # Reference: https://www.virustotal.com/gui/file/62e42d3e778fd79b7989966b057c24c141531f871a7c73703b35858ab3d13f47/detection paulalesiastyles.com # Reference: https://twitter.com/suyog41/status/1732637340299104556 # Reference: https://www.virustotal.com/gui/file/22dd82c94cadf5cf31b3e9519e8149d4a68fe13bac13eaef91bf283a4beb8101/detection lroliviapanel.com /frst.php?ys= # Reference: https://twitter.com/liqingjia1989/status/1734459198245867732 # Reference: 
https://www.virustotal.com/gui/file/ab26ffe31e0c6b247781b20eba4f405ade35ebe6d87d49e7780a65ea7bd870dc/detection # Reference: https://www.virustotal.com/gui/file/be6be16175f523214ce49f765245ea38b4c5ecb24b15d08180232df0eb728e23/detection 46.249.38.18:41426 loganwcshost.com # Reference: https://twitter.com/liqingjia1989/status/1724011550825136526 # Reference: https://www.virustotal.com/gui/file/fc9f84bad598c057b595efbca7ae0ae9a1678de7f2185275953424b3ec47a00e/detection # Reference: https://www.virustotal.com/gui/file/813c67414723ea162e789b1fc4b269839351863050f27a2f906426dac3a86f39/detection # Reference: https://www.virustotal.com/gui/file/14e43110cc3c40bf56d95df0079cc744055b1568dbceac05b50a2c0159bef872/detection 45.66.248.66:59142 dtzappaccount.com # Reference: https://twitter.com/liqingjia1989/status/1706835231536525805 # Reference: https://www.virustotal.com/gui/file/20bf58300532c55c46c19ff9c634bd8f3d48c577b1d8414cb6d4d2fbb1716087/detection 95.174.71.139:39006 umsmssvc.com # Reference: https://twitter.com/liqingjia1989/status/1694531703505813618 # Reference: https://www.virustotal.com/gui/file/4664dc63b2faaa69ee7440980da0b9894a5267f06cfe3948b0f762196c0b50b7/detection 91.236.230.54:46056 # Reference: https://twitter.com/liqingjia1989/status/1672787159424835585 # Reference: https://twitter.com/liqingjia1989/status/1672792060007714816 alfiehealthcareservice.com # Reference: https://twitter.com/liqingjia1989/status/1656105672365477888 # Reference: https://www.virustotal.com/gui/file/c24efc7c4dafd4f0b39e7ae7e84627fbd0fb766019b820cb11edbb8dda54de66/detection # Reference: https://www.virustotal.com/gui/file/66a73b1b3b51a1c6a56db2d20cff9af3d1362b989989b5d9543d2e9b92ac9a3d/detection 23.254.128.22:22812 51.178.206.76:22812 jjwappconsole.com # Reference: https://twitter.com/suyog41/status/1737375533250511276 # Reference: https://www.virustotal.com/gui/file/c77ae7c9533eddbb5f2b80889590436aac7df6166abefc51d5a65f775e6258dc/detection mikeyourevents.com /CP/tre.php?pi= # Reference: 
https://twitter.com/liqingjia1989/status/1742010387481121156 # Reference: https://www.virustotal.com/gui/file/f6afa3080c4f69eaaeb4d43c723672031b4a5b7130b1db8361786180e6bba380/detection 46.249.38.18:52993 lcpcstudiover.com # Reference: https://twitter.com/malwrhunterteam/status/1742941632922624097 # Reference: https://www.virustotal.com/gui/file/15161231be575991c70252cc33cdd2c41b5c3b255d6510790bef32be9b6ff5a2/detection # Reference: https://www.virustotal.com/gui/file/408292710999abc4d37f23a6672ef407d70ffb4dc2e3e030a5ec705735c1f8bd/detection adamsresearchshare.com /textcmd/cmd1.php /textcmd/text.php?id1= # Reference: https://twitter.com/liqingjia1989/status/1743080624196661436 # Reference: https://www.virustotal.com/gui/file/89e609cc48e0926b8121ed943bf9561d0ed0ac682d811618d56d0602ccca847c/detection 185.117.73.209:49725 gotiktikweb.com # Reference: https://twitter.com/RexorVc0/status/1744276666782716098 # Reference: https://mp.weixin.qq.com/s/0iiCwpxNnd8akoT8RjU84A?ref=www.ctfiot.com alfiehealtcareservice.com nesiallservice.net # Reference: https://twitter.com/liqingjia1989/status/1745729324349825131 # Reference: https://www.virustotal.com/gui/ip-address/135.125.242.211/relations # Reference: https://www.virustotal.com/gui/file/c492bdf749b0a229cb256e1ee04e1c48b7472a351f04605415c11d40063cd14a/detection 135.125.242.211:52112 hallanskylarks.com # Reference: https://twitter.com/ginkgo_g/status/1746827915306909954 upulllogistics.com /wipe/ret.php?eer= # Reference: https://twitter.com/ginkgo_g/status/1753259443675156855 # Reference: https://www.virustotal.com/gui/file/876122fcc9e0d5ebd42df9e93d37ad23d9f521e6077e9cb8b05862ae157757e3/detection northgenstudios.com /ML/vbn.php?pi= # Reference: https://twitter.com/liqingjia1989/status/1760112384071606393 # Reference: https://www.virustotal.com/gui/file/c0d926b33ae2351a9a528ba4d7ca13be7d55ba3455d52c5a69c8b381ade28ed0/detection # Reference: 
https://www.virustotal.com/gui/file/f2f783a72e955ecbcddc448764921a753bd1ac4dd14128200bb4866021287ae7/detection 91.192.81.102:22981 kaatmusiclab.com # Reference: https://twitter.com/alex_lanstein/status/1765088371108639175 # Reference: https://www.virustotal.com/gui/file/414d6ed63baaaa69a555068e91e1ee89dbcf38cac7ac4918f6e50fb82d039485/detection demolaservices.com # Reference: https://twitter.com/h2jazi/status/1765117935469658451 # Reference: https://www.virustotal.com/gui/file/c0120c1f458497602ae3068e7e755d5056f7a0b2c28c9e6ba9a3bfe12b27ad56/detection clairsvanieclub.com # Reference: https://twitter.com/suyog41/status/1765296640028774450 # Reference: https://www.virustotal.com/gui/file/8b79f6b2061e3231da4ef75799ad9754d64c336ce34fbc9a4538b0b3020fff8a/detection whitelilyshop.com # Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1765651279093612644 bartelemarks.com # Reference: https://twitter.com/__0XYC__/status/1770689612031164671 # Reference: https://www.virustotal.com/gui/file/7525cecb3d45097db48ee08410ba2b2ae1f9db84f887098557b09e7f8fa79a81/detection libraofficeweb.com