# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt35, apt42, apt-c-51, charmingcypress, phosphorus, ajax security team, tunnelvision, nemesiskitten, ta453, ta455, greencharlie, great rift, unc1549, unc4453, unc788, plaid rain, snailresin, wezrat, emennet pasargad, bellaciao, educated manticore, subtlesnail, magichound, nimbus manticore, subtle snail, smudgedserpent

# Note: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-06-12 Charming Kitten waterhole)

jewishjournal.us
deutcshewelle.org
deutcshewelle.com
frostsullivan.org
ns1.deutcshewelle.com
ns2.deutcshewelle.com
mail.jewishjournal.us
mx0.jewishjournal.us
ns1.jewishjournal.us
ns2.jewishjournal.us
win-ptf9aurtg8u.jewishjournal.us

# Reference: https://www.clearskysec.com/charmingkitten/
# Reference: https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
# Reference: https://www.virustotal.com/gui/file/d4375a22c0f3fb36ab788c0a9d6e0479bd19f48349f6e192b10d83047a74c9d7/detection
# Reference: https://www.virustotal.com/gui/file/971c5b5396ee37827635badea90d26d395b08d17cbe9e8027dc87b120f8bc0a2/detection
# Reference: https://www.virustotal.com/gui/file/2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f/detection
# Reference: https://www.virustotal.com/gui/file/734d9639fcfffef1a3c360269ccc1cda4f1d0e9dc857fa438f945e807b022c21/detection
# Reference: https://www.virustotal.com/gui/file/6618051ea0c45d667c9d9594d676bc1f4adadd8cb30e0138489fee05ce91a9cb/detection
# Reference: https://www.virustotal.com/gui/file/a6dea088c9e2c9191e4c2fc4ece7b7b7bd3f034f444362d35c8765f6ec4bd279/detection
# Reference: https://www.virustotal.com/gui/file/2b9c941150206d38a635620f2129660628f9b08dd2f674013cacda39bde7ae56/detection

58.158.177.102:5050
85.17.172.180:5050
012mail-net-uwclogin.ml
8ghefkwdvbfdsg3asdf1.com
account-customerservice.com
account-dropbox.net
account-google.co
account-login.net
account-logins.com
account-log-user-verify-mail.com
account-permission-mail-user.com
account-servicerecovery.com
accountservice.support
accounts-googelmail.com
accounts-googelmails.com
account-signin-myaccount-users.ga
accounts-logins.net
accountsrecovery.ddns.net
accounts-service.support
accountsservice-support.com
account-support-user.com
accounts-yahoo.us
accountts-google.com
account-user.com
account-user-permission-account.com
account-users-mail.com
account-user-verify-mail.com
acounts-qooqie-con.ml
addons-mozilla.download
aipak.org
aiqac.org
aol-mail-account.com
apache-utility.com
app-documents.com
app-facebook.co
araamco.com
archive-center.com
asus-support.net
asus-update.com
berozkhodro.com
book-archivecenter.bid
books-archivecenter.bid
books-archivecenter.club
books-google.books-archivecenter.bid
books-view.com
bootstrap.serveftp.com
britishnews.com.co
britishnews.org
broadcastbritishnews.com
brookings-edu.in
change-mail-accounting-register-single.com
change-mail-account-nodes-permision.com
change-permission-mail-user-managment.com
change-user-account-mail-permission.com
codeconfirm-recovery.bid
codeconfirm-recovery.club
com-account-login.com
com-accountrecovery.bid
com-accountsecure-recovery.name
com-accountsrecovery.name
com-archivecenter.work
com-customeradduser.bid
com-customerservice.bid
com-customerservice.name
com-customerservices.name
com-customersuperuser.bid
com-download.ml
com-manage-accountuser.club
com-messagecenter.bid
com-messengerservice.bid
com-messengerservice.work
com-microsoftonline.club
com-mychannel.bid
com-orginal-links.ga
com-recoversessions.bid
com-recoveryadduser.bid
com-recovery.com
com-recoveryidentifier.bid
com-recoveryidentifier.name
com-recoveryidentifiers.bid
com-recoverymail.bid
com-recoverysecureuser.club
com-recoverysecureusers.club
com-recoveryservice.bid
com-recoveryservice.info
com-recoverysessions.bid
com-recoverysubusers.bid
com-recoverysuperuser.bid
com-recoverysuperuser.club
com-recoverysuperuser.name
com-recoverysuperusers.bid
com-recoverysupport.bid
com-recoverysupport.club
com-servicecustomer.bid
com-servicecustomer.name
com-service.gq
com-servicemail.bid
com-service.net
com-servicerecovery.bid
com-servicerecovery.club
com-servicerecovery.info
com-servicerecovery.name
com-servicescustomer.name
com-serviceslogin.com
com-showvideo.ga
com-showvideo.gq
com-statistics.com
com-stats.com
com-video.net
com-videoservice.work
com-viewchannel.club
crcperss.com
cvcreate.org
digitalqlobe.com
display-error-runtime.com
display-ganavaro-abrashimchi.com
docs-google.co
documents-supportsharing.bid
documents-supportsharing.club
documents.sytes.net
document-supportsharing.bid
doc-viewer.com
download-link.top
drive-login.cf
drive-permission-user-account.com
drive-useraccount-signin-mail.ga
drop-box.vip
dropebox.co
embraer.co
emiartas.com
error-exchange.com
eursaia.org
fanderfart22.xyz
fardenfart2017.xyz
fb-login.cf
gle-mail.com
gmail-recovery.ml
gmal.cf
goo-gle.bid
goog-le.bid
goo-gle.cloud
google-mail.com.co
google-mail-recovery.com
googlemails.co
goo-gle.mobi
google-profile.com
google-profiles.com
google-setting.com
google-verification.com
google-verify.com
google-verify.net
group-google.com
help-recovery.com
hot-mail.ml
id-bayan.com
iforget-memail-user-account.com
iranianuknews.com
ir-owa-accountservice.bid
k2intelliqence.com
line-en.me
login-account-mail.com
login-account.net
login-again.ml
login-required.ga
login.loginto.me
mail-account-register-recovery.com
mails-account-signin-users-permssion.com
mailssender.bid
mail-yahoo.com.co
market-account-login.net
mehrnews.info
messageservice.bid
messageservice.club
microsoft-hotfix.com
microsoft-update.bid
microsoft-upgrade.mobi
microsoft-utility.com
msoffice-update.com
myaccount-login.net
mychannel.ddns.net
my-healthequity.com
my-mailcoil.ml
myscreenname.bid
news-onlines.info
nex1music.ml
notification-accountrecovery.com
nsdrive-phone.online
nvidia-support.com
nvidia-update.com
officialswebsites.info
official-uploads.com
onedrive-signin.com
onlinedocument.bid
onlinedocuments.org
onlinedrie-account-permission-verify.com
onlineserver.myftp.biz
online-supportaccount.com
orginal-links.com
outlook-livecom.bid
owa-insss-org-ill-owa-authen.ml
picofile.xyz
policy-facebook.com
privacy-facebook.com
privacy-gmail.com
privacy-yahoomail.com
profile-facebook.co
profiles-facebook.com
profile-verification.com
qet-adobe.com
radio-m.cf
raykiel.net
recoverycodeconfirm.bid
recovery-customerservice.com
recovery-emailcustomer.com
recoverysuperuser.bid
register-multiplay.ml
sadashboard.com
saudiarabiadigitaldashboards.com
saudi-government.com
saudi-haj.com
screen-royall-in-corporate.com
screen-shotuser-trash-green.com
security-supportteams-mail-change.ga
sers-login.com
service-accountrecovery.com
service-broadcast.com
servicecustomer.bid
service-logins.net
servicemailbroadcast.bid
service-recoveryaccount.com
set-ymail-user-account-permission-challenge.com
shared-access.com
shared-login.com
shared-permission.com
shorturlbot.club
show-video.info
slmkhubi.ddns.net
smstagram.com
sprinqer.com
support-aasaam.bid
support-aasaam.com
support-accountsrecovery.com
support-google.co
support-recoverycustomers.com
supports-recoverycustomers.com
support-verify-account-user.com
tadawul.com.co
tai-tr.com
team-speak.cf
teamspeak-download.ml
team-speak.ga
team-speak.ml
teamspeaks.cf
telagram.cf
token-ep.com
uk-service.org
update-checker.net
update-driversonline.bid
update-driversonline.club
update-finder.com
update-microsoft.bid
updater-driversonline.club
update-system-driversonline.bid
uploader.sytes.net
upload-services.com
uri.cab
usersettings.cf
users-facebook.com
users-login.com
users-yahoomail.com
utopaisystems.net
verify-account.services
verify-accounts.info
verify-facebook.com
verify-gmail.tk
video-youtube.cf
w3sch00ls.hopto.org
w3school.hopto.org
w3schools.hopto.org
w3schools-html.com
watch-youtube.org.uk
webmaiil-tau-ac-il.ml
webmail-tidhar-co-il.ml
windows-update.systems
xn--googe-q2e.ml
yahoo-proflles.com
yahoo-verification.net
yahoo-verification.org
yahoo-verify.net
youetube.ga
yourl.bid
youttube.ga
youttube.gq
youtubbe.cf
youtubbe.ml
youtube-com.watch
youtubee-videos.com
youtuebe.co
youtuobe.com.co
youutube.cf
yurl.bid

# Reference: https://otx.alienvault.com/pulse/5c9bb407e5a06b014da016e3

account-profile-users.info
accounts-apple.com
account-servicemanagement.info
account-servieemanagement.info
accounts-manager.info
accounts-support.services
accounts-web-maii.com
accounts-web-mail.com
account-verifiy.net
activities-recovery-options.info
activities-servicesnotification.info
activity-confirmationservice.info
activity-session-recovery.info
aeroconf2014.org
aerospace2014.org
appleid.com.co
attacker-domain.com
broadcastnews.pro
com-accountidentifier.info
com-identifier-servicelog.info
com-identifier-servicelog.name
comidentifier-servicelog.name
com-identifier-servlcelog.name
com-mailbox.com
com-microsoftonline.club
com-myaccuants.com
com-privacy-help.info
com-sessionidentifier.info
com-useraccount.info
com-users.net
confirmation-recoveryoptions.info
confirmation-service.info
confirmation-users-service.info
confirmation-users-servlee.info
confirm-identity.info
confirm-session-identification.info
confirm-sessionidentification.info
confirm-session-identifier.info
continue-session-identifier.info
continue-sesslon-identifier.info
customer-certificate.com
customer-recovery.info
customers-activities.info
customers-manager.info
customers-services.info
customize-identity.info
documentofficupdate.info
documentsfilesharing.cloud
documentsharing.info
download-teamspeak.info
elitemaildelivery.info
email-deiivery.info
email-delivery.info
eom-microsoftonline.club
eom-useraccount.info
eustomers-activities.info
giitials.tk
googledomalns.com
identifier-activities.info
identifier-services-sessions.info
identify-user-session.info
intel-update.com
intelupdate.com
login-gov.info
message-serviceprovider.info
microsoft-update.bid
microsoft-upgrade.mobi
mobile-messengerplus.network
mobile-sessionid.customize-identity.info
mobiles-sessionid.customize-identity.info
myaccount-services.net
notification-accountservice.com
notification-accountservice.info
notificationapp.info
notification-manager.info
notification-managers.info
notifications-center.info
notification-signal-agnecy.info
notificatlon-signal-agnecy.info
o5vdb.org
outlook-livecom.bid
outlook-verify.net
packctstormsccurity.com
plugin-adobe.com
privacy-google.com
recognized-activity.info
recover-customers-service.info
recovery-session-change.info
recoveryusercustomer.info
serverbroadcast.info
service-accountrecoverv.com
service-recovery-session.info
service-session-confirm.info
service-session-continue.info
services-issue-notification.info
services-sessionconfirmation.info
session-mail-customers.info
session-management.info
session-manager.info
session-managment.info
session-recovery-options.info
sessions-identifiermemberemailid.network
sessions-notification.info
session-users-activities.com
session-verify-user.info
shop-sellwear.info
supportmailservice.info
support.services
support-servics.com
support-servics.net
terms-service-notification.info
terms-service-notlfication.info
update-microsoft.bid
user-activity-issues.info
useridentity-confirm.info
user-profile-credentials.com
users-facebook.com
users-issue-services.info
verification-live.com
verificationlive.com
verification-llve.com
verifiy-account.net
verifv-linkedin.net
verify-linke.com
verify-linkedin.net
verify-user-session.info
vvincicivj-c-ssenrjais.tk
webemail.info
xn--facebook-06k.com
xn--google-yri.com
yahoomail.com.co
yahoo-verification.net
yahoo-verification.org
yahoo-verify.net

# Reference: https://www.clearskysec.com/the-kittens-are-back-in-town/
# Reference: https://otx.alienvault.com/pulse/5d7e61f9aa517862e977cbad

acconut-verify.com
drive-accounts.com
exnovin.org
isis-online.net
islamicemojimaker.com
leslettrespersanes.net
niaconucil.org
seisolarpros.org
skynevvs.com
unrisd.com
w3-schools.org
# gnldp.live        # Note: regular trackers
# gnldr.club
# gnldr.live
# gnldr.website
# gnldrp.live
# sgnl.live
# sgnl.network
# sgnldp.live
# sgnldr.live

# Reference: https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2.pdf
# Reference: https://otx.alienvault.com/pulse/5d9b7a71f31df0e33eefab04

bahaius.info
bailment.org
com-activities.site
com-identifier.site
com-session.site
com-verifications.site
customers-activities.site
customers-recovery.site
customers-reminder.info
document-sharing.online
documentsfilesharing.cloud
gomyfiles.info
home-access.online
identifier-activities.info
identifier-activities.online
identity-verification-service.info
inbox-drive.info
inbox-sharif.info
magic-delivery.info
microsoftinternetsafety.net
mobile-messengerplus.network
mobilecontinue.network
notification-accountservice.com
recovery-services.info
recoverysuperuser.info
see-us.info
sessions-identifier-memberemailid.network
smarttradingfast.com
system-services.site
telagram.net
uploaddata.info
verification-services.info

# Reference: https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/
# Reference: https://otx.alienvault.com/pulse/5e3acf325495b5e504f82abc
# Reference: https://www.virustotal.com/gui/ip-address/144.202.123.86/relations

acconut-verify.com
accounts-drive.com
apple-ads-metric.com
bahaius.info
cpanel-services.site
customers-activities.site
customers-service.ddns.net
drive-accounts.com
finance-usbnc.info
instagram-com.site
inztaqram.ga
isis-online.net
leslettrespersanes.net
malcolmrifkind.site
niaconucil.org
phonechallenges-submit.site
recovery-options.site
seisolarpros.org
service-activity-checkup.site
service-issues.site
skynevvs.com
software-updating-managers.site
system-services.site
two-step-checkup.site
unirsd.com
w3-schools.org
yah00.site

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#
# Reference: https://otx.alienvault.com/pulse/5e6ff05783c525e779904d69

myconnect-support.com

# Reference: https://twitter.com/ClearskySec/status/1258432745891680256

com-recovery.site
com-sessions.site
customer-identifier.site
customer-reminder.info
customers-activity.site
identifier-services-session.site
mobile-airbnb.site
mobile-uber.site
newspedia.ddns.net
radiofarda.site
recovery-option.site
safe-solution.site
scribdinc.site
travel-airbnb.site

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/
# Reference: https://www.virustotal.com/gui/domain/kia-customerservice.ddns.net/detection
# Reference: https://www.virustotal.com/gui/domain/recovery-service.site/detection

document-share.info
kia-customerservice.ddns.net
login-users-account.site
manage-accounts.info
recovery-service.site
us2-mail-login-profile.site

# Reference: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
# Reference: https://otx.alienvault.com/pulse/5f99808638696999cf7b109c

de-ma.online
g20saudi.000webhostapp.com
ksat20.000webhostapp.com

# Reference: https://twitter.com/kyleehmke/status/1328374352602144770

check-panel-account.icu
cover-home-panel.xyz
it-service.men
student-rank-number.icu

# Reference: https://twitter.com/kyleehmke/status/1334170023968051200

cover-home-page.xyz

# Reference: https://twitter.com/kyleehmke/status/1339602993814102016

home-reload-page.xyz

# Reference: https://twitter.com/kyleehmke/status/1346154845221384194

check-panel-live.icu
check-reload-page.xyz
front-cover-panel.xyz
front-home-panel.xyz
office-live-activity.icu
page-home-reload.xyz

# Reference: https://blog.certfa.com/posts/charming-kitten-christmas-gift/
# Reference: https://otx.alienvault.com/pulse/5fff52390820519347e5f2d3

agentappservice.ddns.net
archiverepositories.xyz
basementofdarkness.ddns.net
benefitsredington.ddns.net
bulk-approach.site
challengechampions.ddns.net
com-254514785965.site
com-3654623478192.site
com-5464825879854.site
com-apk-6712qw123asd8awf7.site
com-archive.site
com-posts6712qw12387.site
confirm-identity.site
customer-session.site
deepthinkingroom.ddns.net
differentintegrated.ddns.net
dynamiceventmanager.ddns.net
enhanceservicchecke.hopto.org
heisonhisway.ddns.net
hello-planet.com
homedirections.ddns.net
homeinspections.ddns.net
identifier-service-verify.site
identifier-session-recovery.site
identity-session-recovery.site
lonelymanshadow.ddns.net
mail-newyorker.com
minimumservicechek.ddns.net
mobile-activity-session.site
mobile-check-activity.site
patchtheschool.ddns.net
planet-labs.site
profilechangeruser.ddns.net
randomworldcity.ddns.net
recover-identity.site
recover-session-service.site
recovery-customer-service.site
recovery-session-service.site
recovery-session.site
reset-account.com
schoolofculture.ddns.net
securelogicalrepository.com
service-recovery.site
service-session-recovery.site
service-support.site
service-verification.site
session-confirmation.site
session-customer-activity.site
uniquethinksession.ddns.net
verify-session-service.site
wearefirefighters.ddns.net

# Reference: https://twitter.com/jfslowik/status/1347905935654539267

dhs-us.org
csm-group.org
procurement-inl-gov.us
procurements-inl-gov.us
ukborderhomeoffice-gov.org

# Reference: https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential
# Reference: https://otx.alienvault.com/pulse/6065f293e16c3e4e72044475

1drv.casa
1drv.cyou
1drv.icu
1drv.live
1drv.online
1drv.surf
1drv.xyz

# Reference: https://twitter.com/ChicagoCyber/status/1391819499872137225

log-in-dropbox.com

# Reference: https://twitter.com/BaoshengbinCumt/status/1423577884615081992
# Reference: https://mp.weixin.qq.com/s/oD1VQZBxgjL3rNeN72MJqg

jamaat-ul-islam.com
jamatapplication.com
jamaatforummah.com
jamaatforallah.com

# Reference: https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/

144.217.139.155:4444
54.38.49.6:21
0standavalue0.xyz
0storageatools0.xyz
0brandaeyes0.xyz

# Reference: https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
# Reference: https://www.virustotal.com/gui/ip-address/91.214.124.143/relations
# Reference: https://www.virustotal.com/gui/file/ca4217b9d188cbe5fc6f4c7d5d696f93cc611dff1ffd323941f2a8b5e77284de/detection

http://162.55.136.233
http://162.55.137.20
169.51.60.221:1331
45.77.76.158:23643
onedriver-srv.ml
windows-driver.ml
google.onedriver-srv.ml
update.windows-driver.ml
/gadfTs55sghsSSS/phppost.php
/gadfTs55sghsSSS

# Reference: https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/
# Reference: https://otx.alienvault.com/pulse/620f76b08f1d06ea8646c0d3

microsoft-updateserver.cf
service-management.tk

# Reference: https://twitter.com/BaoshengbinCumt/status/1494478437960286208
# Reference: https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf

http://182.54.217.2
51.89.181.64:443
us‐nation‐ny.cf

# Reference: https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/

http://148.251.71.182
/ecp/auth/aspx_wkggiyvttmu.aspx
/aspx_wkggiyvttmu.aspx
/dhvqx.aspx

# Reference: https://twitter.com/ChicagoCyber/status/1562047469126656001
# Reference: https://www.shodan.io/host/173.209.51.54
# Reference: https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/ (# HYPERSCRAPE)

http://136.243.108.14
http://173.209.51.54
173.209.51.54:5985

# Reference: https://twitter.com/IronNetTR/status/1562913025350303744
# Reference: https://twitter.com/IronNetTR/status/1562913027951042561
# Reference: https://twitter.com/IronNetTR/status/1562913029620203520
# Reference: https://www.shodan.io/host/136.243.108.10
# Reference: https://www.shodan.io/host/136.243.108.11
# Reference: https://www.shodan.io/host/136.243.108.12
# Reference: https://www.shodan.io/host/136.243.108.13
# Reference: https://www.shodan.io/host/136.243.108.14
# Reference: https://www.shodan.io/host/136.243.108.9
# Reference: https://www.shodan.io/host/78.47.90.60

http://136.243.108.10
http://136.243.108.11
http://136.243.108.12
http://136.243.108.13
http://136.243.108.14
http://136.243.108.9
http://159.69.105.181
http://195.201.46.42
http://78.47.90.60
136.243.108.10:10000
136.243.108.10:22
136.243.108.10:25
136.243.108.10:4040
136.243.108.10:443
136.243.108.10:465
136.243.108.10:587
136.243.108.10:993
136.243.108.10:995
136.243.108.11:10000
136.243.108.11:22
136.243.108.11:25
136.243.108.11:4040
136.243.108.11:443
136.243.108.11:465
136.243.108.11:587
136.243.108.11:993
136.243.108.11:995
136.243.108.12:10000
136.243.108.12:22
136.243.108.12:25
136.243.108.12:4040
136.243.108.12:443
136.243.108.12:465
136.243.108.12:587
136.243.108.12:993
136.243.108.12:995
136.243.108.13:10000
136.243.108.13:22
136.243.108.13:25
136.243.108.13:4040
136.243.108.13:443
136.243.108.13:465
136.243.108.13:587
136.243.108.13:993
136.243.108.13:995
136.243.108.14:10000
136.243.108.14:22
136.243.108.14:25
136.243.108.14:4040
136.243.108.14:443
136.243.108.14:465
136.243.108.14:587
136.243.108.14:993
136.243.108.14:995
136.243.108.9:10000
136.243.108.9:22
136.243.108.9:25
136.243.108.9:4040
136.243.108.9:443
136.243.108.9:465
136.243.108.9:587
136.243.108.9:993
136.243.108.9:995
159.69.105.181:2082
159.69.105.181:2083
159.69.105.181:2086
159.69.105.181:2087
159.69.105.181:21
159.69.105.181:22
159.69.105.181:443
159.69.105.181:53
195.201.46.42:10000
195.201.46.42:22
195.201.46.42:25
195.201.46.42:443
195.201.46.42:465
195.201.46.42:587
195.201.46.42:993
195.201.46.42:995
78.47.90.60:10000
78.47.90.60:110
78.47.90.60:143
78.47.90.60:2082
78.47.90.60:2083
78.47.90.60:2086
78.47.90.60:2087
78.47.90.60:21
78.47.90.60:25
78.47.90.60:443
78.47.90.60:465
78.47.90.60:53
78.47.90.60:587
78.47.90.60:993
78.47.90.60:995

# Reference: https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives/

litby.us

# Reference: https://twitter.com/LukasStefanko/status/1569258418283905026
# Reference: https://www.mandiant.com/media/17826 (# apt42, crookedcharms)
# Reference: https://www.virustotal.com/gui/file/5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5/detection
# Reference: https://www.virustotal.com/gui/file/c2c1d804aeed1913f858df48bf89a58b1f9819d7276a70b50785cf91c9d34083/detection
# Reference: https://www.virustotal.com/gui/file/a8c062846411d3fb8ceb0b2fe34389c4910a4887cd39552d30e6a03a02f4cc78/detection
# Reference: https://www.virustotal.com/gui/file/90e5fa3f382c5b15a85484c17c15338a6c8dbc2b0ca4fb73c521892bd853f226/detection

137.184.212.205:4373
51.38.87.253:3535
cdsa.xyz
developer-app.xyz
hardship-management.com
office-updates.info

# Reference: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations

acconut-signin.com
account-signin.com
accounts-mails.com
accredit-validity.online
accurate-sprout-porpoise.glitch.me
admin-stable-right.top
admiscion.online
admit-roar-frame.top
advission.online
affect-fist-ton.online
aspenlnstitute.org
avid-striking-eagerness.online
azadlliq.info
beaviews.online
besvision.top
bloom-flatter-affably.top
bq-ledmagic.online
briview.online
businesslnsider.org
check-online-panel.live
check-pabnel-status.live
check-panel-status.live
check-short-panel.live
confirmation-process.top
connection-view.online
continue-recognized.online
coordinate.icu
cvisiion.online
d75.site
daemon-mailer.info
dloffice.buzz
dloffice.top
ecomonist.org
email-daemon.biz
email-daemon.biz.tinurls.com
email-daemon.online
email-daemon.online.tinurls.com
email-daemon.site
endorsement-services.online
eocnomist.com
foreiqnaffairs.com
foreiqnaffairs.org
forieqnaffairs.com
fortune-retire-home.top
g-online.org
geaviews.site
glory-uplift-vouch.online
go-conversation.lol
go-forward.quest
gview.site
identifier-direction.site
indication-service.online
israelhayum.com
join-paneling.online
jpost.press
jpostpress.com
khaleejtimes.org
khalejtimes.org
last-check-leave.buzz
live-project-online.live
live-projects-online.top
loriginal.online
m85.online
maariv.net
mailer-daemon.info
mailer-daemon.us
mccainlnstitute.org
mterview.site
myaccount-signin.com
nterview.site
online-access.live
panel-check-short.live
panel-live-check.online
panel-short-check.live
panel-view-short.online
panel-view.live
panel-view.online
panel-views-cheking.live
panelchecking.live
paneling-viewing.live
panels-views-ckeck.live
quomodocunquize.site
recognize-validation.online
reconsider.site
revive-project-live.online
s20.site
s51.online
s59.site
short-url.live
short-view.online
shortenurl.online
shorting-ce.live
shortingurling.live
shortlinkview.live
shortulonline.live
shoting-urls.live
signin-acconut.com
signin-accounts.com
signin-mail.com
signin-mails.com
signin-myaccounts.com
simple-process-static.top
status-short.live
stellar-roar-right.buzz
support-account.xyz
sweet-pinnacle-readily.online
tcvision.online
themedealine.org
timesfisrael.com
title-flow-store.online
tnt200.mywire.org
twision.top
vanityfaire.org
verify-person-entry.top
view-cope-flow.online
view-panel.live
view-pool-cope.online
view-total-step.online
viewstand.online
viewtop.online
virtue-regular-ready.online
washinqtonpost.press
we-transfer.shop
ynetnews.press
youronlineregister.com
youtransfer.live

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-11-22-v10179/172

dnx.capital
sharedrive.ink
washingtonlnstitute.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-11-30-v10185/185
# Reference: https://twitter.com/ThreatBookLabs/status/1613825659582959617

cutly.biz
mailer-daemon.live
mailer-daemon.me
mailer-daemon.net
mailer-daemon.online
mailer-daemon.org
tinyurl.ink

# Reference: https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank
# Reference: https://otx.alienvault.com/pulse/638e5648107623c3429e8c21

continuetogo.me
mailer-daemon-message.co

# Reference: https://twitter.com/ET_Labs/status/1629278117071147008

compact-miracle-abounds.top
funeral-engineering-expression.top
node-dashboard.site
node-panel.site
stellar-stable-faith.top

# Reference: https://www.secureworks.com/blog/cobalt-illusion-masquerades-as-atlantic-council-employee

bonny-marvels-authentic.top
live-redirect-system.top
progress-captivate-amply.top
review-status-plan.online
sincerely-sensation-outdo.top

# Reference: https://twitter.com/k3yp0d/status/1650513653802708996
# Reference: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation

azadijobs.me
beparas.com
bilal1com.com
damavand-hr.me
damkahill.com
darakeh.me
dream-jobs.org
dream-jobs.vip
dreamy-job.com
dreamy-jobs.com
dreamycareer.com
golanjobs.me
hat-cast.com
irnjobs.me
joinoptimahr.com
jomehjob.com
kandovani.org
opthrltd.me
optima-hr.com
optimac-hr.com
optimax-hr.com
parasil.me
radabala.com
rostam-hr.vip
salamjobs.me
shirazicom.com
syrtime.me
titanium-hr.com
topiranjobs.me
topwor4u.com
trnjobs.me
vipjobsglobal.com
wazayif-halima.com
wazayif-halima.org
wehatcast.com
youna101.me
younamesh.com

# Reference: https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/

deersharpfork.info
subinfralab.info
blackturtle.hopto.org

# Reference: https://x.com/salmanvsf/status/1930185668560597209
# Reference: https://www.virustotal.com/gui/ip-address/185.132.176.240/relations
# Reference: https://www.virustotal.com/gui/file/f54dc4b91383d84e0a51fee2e232916da8899a7b7b39f91a782af8ef17f15d02/detection

http://185.132.176.240
mywebdout.ddns.net

# Reference: https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware
# Reference: https://otx.alienvault.com/pulse/64499283c56cf14e277f9063

mail-updateservice.info
maill-support.com
mailupdate.com
mailupdate.info
msn-center.uk
msn-service.co
twittsupport.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware
# Reference: https://www.virustotal.com/gui/ip-address/144.217.129.176/relations

checkup.webredirect.org
filemanager.theworkpc.com
fuschia-rhinestone.cleverapps.io
library-store.camdvr.org

# Reference: https://twitter.com/blackorbird/status/1690994786415874048
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/Charming%20Kitten/2023-08-10-cyber-brief-no-01-2023.pdf

beape.live
beasze.live
beeasaze.top
check-control-panel.live
check-reload-page.live
direct-view-check.live
direct-view-panel.xyz
ksview.top
load-panel.online
panel-review-check.live
view-direct-panel.live
view-direct-panel.xyz
view-home-panel.xyz

# Reference: https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/

http://37.120.222.168

# Reference: https://app.validin.com/axon?find=58.158.177.102&type=ip

canvas-life.me
flash-adobe.org
lgupluscdn.com
manage-tech.club
channel-shop.manage-tech.club
helper.canvas-life.me

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-12-04-v10478/1178

igsecurity.email
metaemailsecurity.com
metaemailsecurity.net
metahelpservice.net
metasecurityemail.org
metasupportmail.co
metasupportmail.com
xn–metaspport-v43e.com

# Reference: https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2024-01-17-v10508/1292

cloud-document-edit.onrender.com
coral-polydactyl-dragonfruit.glitch.me
east-healthy-dress.glitch.me
epibvgvoszemkwjnplyc.supabase.co
kwhfibejjyxregxmnpcs.supabase.co
ndrrftqrlblfecpupppp.supabase.co

# Reference: https://twitter.com/MsftSecIntel/status/1747666342897963362
# Reference: https://twitter.com/G60930953/status/1747821766074863690
# Reference: https://www.virustotal.com/gui/file/e0ba0cedd8a8624c75af29965e5fa7ab754fc0fcddbb330bb548dab4f2be333f/detection

prism-west-candy.glitch.me

# Reference: https://twitter.com/billyleonard/status/1757556382176313624
# Reference: https://blog.google/technology/safety-security/tool-of-first-resort-israel-hamas-war-in-cyber/
# Reference: https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf
# Reference: https://github.com/google/threat-team/blob/main/2024/2024-02-14-tool-of-first-resort-israel-hamas-war-cyber/indicators.csv

bitly.org.il
cyberflood.io
daemon-mailer.co
fbmro.com
glorynewstoday.com
ifstate.page.link
isra-help.org
latest-tools.store
mailer-daemon.co
mailerdaemon.online
myprofileface.page.link
ncgrassfed.com
pasmoiapp.com
ppmataro.com
shebacenter.online
shebacenter.org
solofansapp.page.link
stromectolonline.com

# Reference: https://twitter.com/k3yp0d/status/1764938541203612004
# Reference: https://twitter.com/k3yp0d/status/1764940785345089940
# Reference: https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
# Reference: https://www.virustotal.com/gui/file/3226b3e7d7fdaebfe7d7f06bdaf0cad08ea9792cd32843d01e6023f67cd0c889/detection
# Reference: https://www.virustotal.com/gui/file/0e51029ba28243b0a6a071713c17357a8eb024aa4298d1ccc9e2c4ac8916df4d/detection

drive-file-share.site
worried-eastern-salto.glitch.me

# Reference: https://www.validin.com/blog/expanding-apt42-intelligence-with-validin/
# CERT_FINGERPRINT_SHA256-HOST=fc6b8570bf7f77380959a1314d2d8ded69f0e22c7faad781c984ca3da8021497

3dauth.live
acconut-mail.com
account-drive.com
account-siqnin.com
accredit-validity.ddns.net
accredit.network
africanblackwidow.ddns.net
atlanticconucil.org
atlanticcuoncil.com
businessinssider.org
centrallibrary.info
clarification.network
conferencecall.live
confirm-direction.ddns.net
confirm-integrity.ddns.net
confirm-validation.ddns.net
confirm-validation.mywire.org
confirm-validity.hopto.org
confirm-verify.servepics.com
confirmation-verify.hopto.org
continue-recognized.ddns.net
continue-recognized.hopto.org
digitalpufferfish.ddns.net
direction-check.online
direction-session-verify.site
direction-veracity.ddns.net
drive-acconut.com
drive-acconuts.com
drive-account.com
eatonthehotground.ddns.net
elated-supportive-exultation.top
entrpreneur.org
flowerskindergarten.ddns.net
gatestonelnstitute.org
identifier-direct.ddns.net
identifier-service.ddns.net
identifier-verify.ddns.net
identity-session.ddns.net
jubilatesee.site
meeting-share.online
modification-check.online
modification-verify.ddns.net
oceanofinformation.ddns.net
ourredbucket.ddns.net
panel-status-join.live
paneling-check-live.live
paneling-cheking-df.live
pay.entrpreneur.org
permission-data.online
pnael-checking.live
products-services.network
recognize-validation.theworkpc.com
responsiblestatcraft.org
review-session.hopto.org
safeshortl.ink
schoolofpinkmice.ddns.net
session-review.hopto.org
short-modification.site
short-urling.live
shorting-urling.live
shortoni.live
shorturling.live
signin-identifi.com
strainitiatives.ddns.net
thefireisburnt.ddns.net
validation-confirm.ddns.net
validity-accredit.ddns.net
verify-corroborate.ddns.net
web-getdata.site

# Reference: https://www.virustotal.com/gui/file/9146f8c1e0a88d961e5d1b6ac4633506c6e904e4cdf4c36ac5c1b5bd44867628/detection

94.156.128.60:5252

https://community.emergingthreats.net/t/ruleset-update-summary-2024-05-06-v10590/1615

decorous-super-blender.glitch.me
wulpfsrqupnuqorhexiw.supabase.co

# Reference: https://twitter.com/k3yp0d/status/1572561485376950274
# Reference: https://www.mandiant.com/media/17826
# Reference: https://www.virustotal.com/gui/file/2be8c9591d9aab6d81e4dd4a7e04371c7b1577404fa9ead11372251afcd13059/detection

technical-updates.info

# Reference: https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/
# Reference: https://app.validin.com/detail?find=135.181.203.1&type=ip4&ref_id=7bb26af05d1#tab=resolutions
# Reference: https://app.validin.com/detail?find=212.162.152.151&type=ip4&ref_id=ea7526bb584#tab=resolutions
# Reference: https://app.validin.com/detail?find=38.180.121.133&type=ip4&ref_id=f79dde040dd#tab=resolutions
# Reference: https://app.validin.com/detail?find=66.151.40.83&type=ip4&ref_id=45cc7c174db#tab=resolutions
# Reference: https://app.validin.com/detail?find=66.151.40.84&type=ip4&ref_id=d413894d497#tab=resolutions
# Reference: https://www.virustotal.com/gui/file/f83e2b3be2e6db20806a4b9b216edc7508fa81ce60bf59436d53d3ae435b6060/detection
# Reference: https://www.virustotal.com/gui/file/f1819b6aed24b81e6432a6d738206a388c266f72dbde4a8f4a4b9b6e3c55e609/detection
# Reference: https://www.virustotal.com/gui/file/89c1d1b61d7f863f8a651726e29f2ae3de7958f36b49a756069021817947d06c/detection
# Reference: https://www.virustotal.com/gui/file/0180f4f29c550aa1ffaa21af51711b29de99fb1d7c932d008a0e9356ae8a7d60/detection

http://91.107.150.184
accredit-navigation.online
accredit.validity.werifcattion.info
app-engage-station.help
boundary.cfd
brookings.email
cdn-workspacestudio.redirectme.net
check-fa-pane.live
checking-paneling.live
click-choose-figured.cfd
click-manage-room.cfd
complete-telecom-operation.top
confirrnation.info
continueworkflow.onthewifi.com
correction.verify.rsession.site
duuuumpy.click
dynamicroute.serveirc.com
essential-guide.serveirc.com
essentialeditor.serveirc.com
expandprocess.serveblog.net
filecloudmanager.site
flow-exulltation-uplift.top
green-light.bond
happened.fun
host-bulk-stack.cfd
house-server-digital.xyz
interconnected-equipment-buildings.buzz
make-host-solution.buzz
makeit.lat
meetroomonlin1925.w3spaces.com
modification-control.online
nail-forward-valid.lol
overviewstatus.redirectme.net
panel-check-live.live
panel-status-joining.live
paneling-checke.live
program-indipendent-system.buzz
re-brandly.store
real-vision.redirectme.net
recognize.site
rectification.info
recursivedns.site
rendercomponents.site
request-human-received.xyz
review-continue-entered.cfd
review.validation.recognize.site
rsession.site
s3api.shop
s4api.shop
sharedrive.webredirect.org
shooort.site
shooourt.click
shoring-live.live
short-ion-per.live
short-jg934hw.live
short-rigf.live
smaaaal.cfd
submissiveness.online
taskprocess.viewdns.net
teams.webredirect.org
umberella.icu
understandingthewar.org
validation.recognize.site
validity.werifcattion.info
verify.rsession.site
visioneditor.loseyourip.com
webdirecthost.site
werifcattion.info
wysebeyond.gotdns.ch
youtransfer.online
/Gallery/Ref/FSaEM5gG
/Gcollection/Ref/CkliPwaM
/Ref/CkliPwaM
/CkliPwaM
/Lcollection/Ref/F53OQQkE
/Ref/F53OQQkE
/F53OQQkE
/aliasauthG/autoref/vNSX6c2m
/autoref/vNSX6c2m
/vNSX6c2m

# Reference: https://x.com/RecordedFuture/status/1825867926043312398
# Reference: https://go.recordedfuture.com/hubfs/reports/cta-ir-2024-0820.pdf

activeeditor.info
admin.cheap-case.site
api.cheap-case.site
api.overall-continuing.site
app.cheap-case.site
backend.cheap-case.site
callfeedback.duia.ro
carservices.dns-dynamic.net
chatsynctransfer.info
cheap-case.site
cloudarchive.info
cloudregionpages.info
cloudtools.duia.eu
coldwarehexahash.dns-dynamic.net
configtools.linkpc.net
contentpreview.redirectme.net
continue.duia.eu
continueresource.forumz.info
currentpageeditor.dns-dynamic.net
demo.cheap-case.site
destinationzone.duia.eu
dev.cheap-case.site
directfileinternal.info
doceditor.duckdns.org
documentcloudeditor.ddnsgeek.com
dynamicrender.line.pm
dynamictranslator.ddnsgeek.com
editioncloudfiles.dns-dynamic.net
entryconfirmation.duckdns.org
fileeditiontools.linkpc.net
filereader.dns-dynamic.net
finaledition.redirectme.net
highlightsreview.line.pm
hugmefirstddd.ddns.net
icegelato.ddns.net
icenotebook.ddns.net
itemselectionmode.info
joincloud.duckdns.org
joincloud.mypi.co
lineeditor.001www.com
lineeditor.32-b.it
lineeditor.mypi.co
linereview.duia.eu
longlivefreedom.ddns.net
messagepending.info
minascs.ddns.net
mobiletoolssdk.dns-dynamic.net
nextbox.line.pm
nextcloud.duia.us
nextcloudzone.dns-dynamic.net
onetimestorage.info
onlinecalendar.ddnsgeek.com
onlinecloudzone.info
onlinereader.linkpc.net
overall-continuing.site
overflow.duia.eu
pagerender.duckdns.org
pagerendercloud.linkpc.net
pageviewer.linkpc.net
personalcloudparent.info
personalstoragebox.linkpc.net
personalwebview.info
pkglessplans.xyz
preparingdestination.fixip.org
proceeddestination.dns-dynamic.net
projectdrivevirtualcloud.co.uk
readquickarticle.dns-dynamic.net
realcloud.info
realpage.redirectme.net
researchdocument.info
reviewedition.duia.eu
rozetka.dyndns.org
s1vega.dyndns.org
searchstatistics.duckdns.org
selfpackage.info
servicesfiledrop.theworkpc.com
sharestoredocs.theworkpc.com
smartview.dns-dynamic.net
softservicetel.ddns.net
sourceusedirection.mypi.co
splitviewer.linkpc.net
storageprovider.duia.eu
streaml23.duia.eu
synctimezone.dns-dynamic.net
termsstatement.duckdns.org
testecs48.ddns.net
thisismyapp.accesscam.org
thisismydomain.chickenkiller.com
timelinepage.dns-dynamic.net
timezone-update.duckdns.org
towerreseller.dns-dynamic.net
tracedestination.duia.eu
translatorupdater.dns-dynamic.net
uptime-timezone.dns-dynamic.net
uptimezonemetadta.run.place
vector.kozow.com
vegas777.dyndns.org
viewdestination.vpndns.net
webviewerpage.info
worldstate.duia.us

# Reference: https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
# Reference: https://app.validin.com/detail?find=6d7b0b16f0cbad033ee08e6b414f02fd&type=hash&ref_id=015842d48f4#tab=host_pairs_v2
# Reference: https://www.virustotal.com/gui/ip-address/54.39.143.120/relations

deepspaceocean.info
pinnaclegen.com
hoticecream.ddns.net
pencilbrush.ddns.net

# Reference: https://www.virustotal.com/gui/file/c67cd544a112cab1bb75b3c44df4caf2045ef0af51de9ece11261d6c504add32/detection

http://190.2.150.50
190.2.150.50:443

# Reference: https://x.com/k3yp0d/status/1828699405056180664
# Reference: https://www.virustotal.com/gui/ip-address/38.180.111.244/relations
# Reference: https://app.validin.com/detail?find=38.180.111.244&type=ip4&ref_id=86db3c91efa#tab=resolutions

cspvpn.duckdns.org
em-payments-bot.duckdns.org
empaymentsbot.duckdns.org
vpncsp.duckdns.org

# Reference: https://app.validin.com/detail?find=38.180.111.246&type=ip4&ref_id=c6b5b76ecdb#tab=resolutions

zedisdead.duckdns.org

# Reference: https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/

autoupdate.uk
mail-update.info
servicepackupdate.info
systemupdate.info
servicesupdate.info
servicechecker.top
ns2.servicechecker.top
freeheadlines.top
ns2.freeheadlines.top

# Reference: https://x.com/blackorbird/status/1840667306583572653
# Reference: https://www.ic3.gov/Media/News/2024/240927.pdf
# Reference: https://www.resecurity.com/blog/article/iranian-cyber-actors-irgc-targeting-the-2024-us-presidential-election

3dconfirrnation.com
accesscheckout.online
accessverification.online
accunt-loqin.ml
accurateprivacy.online
atlantic-council.com
boom-boom.ga
bytli.us
continue-to-your-account.000webhostapp.com
covi19questionaire.000webhostapp.com
covid19questionnaire.freesite.vip
css-ethz.ch
cutly.vip
daemon-mailer.com
direct-access.info
discovery-protocol.ml
docfileview.org
doctransfer.online
dr-sup.live
email-protection.online
file-access.com
filetransfer.club
freahman.online
freshconnect.live
gdrive-files.com
gettogether.quest
gl-sup.online
gm-sup.com
idccovid19questionaire.000webhostapp.com
ipsss.000webhostapp.com
linkauthenticator.online
lovetoflight.com
lst-accurate.com
ltf.world
mailer-daemon.site
mailer-support.online
mailerdaemon.info
mfa-ic.ae
mofa-ic.ae
private-file-sharing.000webhostapp.com
qmaiil.ml
reactivate-disabled-accuonts.000webhostapp.com
redirect-drive.online
shared-files-access.live
sharefilesonline.live
summit-files.com
tinyurl.co.il
tinyurl.live
uani.us
verificationservice.online
workstation2020.000webhostapp.com
www-myaccounts-support.000webhostapp.com

# Reference: https://x.com/k3yp0d/status/1840762048826728893
# Reference: https://app.validin.com/detail?type=ip&find=38.180.91.211#tab=resolutions
# Reference: https://www.gov.il/BlobFolder/reports/alert_1803/he/ALERT-CERT-IL-W-1803.pdf

cloudviewer.site
directpathfellow.zapto.org
formcloud.redirectme.net
launchmeetprofile.servehttp.com

# Reference: https://app.validin.com/detail?find=38.180.91.195&type=ip4&ref_id=96da503d30d#tab=resolutions

cloudcomputing.webredirect.org
matchtomeet.ddns.net
mycloudhosting.redirectme.net
zoomcloud.redirectme.net

# Reference: https://app.validin.com/detail?find=38.180.91.193&type=ip4&ref_id=96da503d30d#tab=resolutions

navigationtools.site
flashpointfarm.gotdns.ch
main-packages.strangled.net

# Reference: https://app.validin.com/detail?find=38.180.91.206&type=ip4&ref_id=96da503d30d#tab=resolutions

entrydirect.ddns.net

# Reference: https://app.validin.com/detail?find=38.180.91.175&type=ip4&ref_id=96da503d30d#tab=resolutions

sublimetxtcontent.serveblog.net
virtual-notes.gotdns.ch
workspaceconsole.servehttp.com

# Reference: https://app.validin.com/detail?find=38.180.91.195&type=ip4&ref_id=96da503d30d#tab=resolutions

cloudcomputing.webredirect.org
matchtomeet.ddns.net
mycloudhosting.redirectme.net
zoomcloud.redirectme.net

# Reference: https://app.validin.com/detail?find=38.180.91.193&type=ip4&ref_id=96da503d30d#tab=resolutions

navigationtools.site
flashpointfarm.gotdns.ch
main-packages.strangled.net

# Reference: https://app.validin.com/detail?find=38.180.91.190&type=ip4&ref_id=96da503d30d#tab=resolutions

pagerenderstatus.info
destinationreferrer.serveirc.com
essential-overview.sytes.net
featurespace.ooguy.com
featurespace.serveblog.net
usabilitystatus.servehttp.com

# Reference: https://app.validin.com/detail?find=38.180.91.184&type=ip4&ref_id=96da503d30d#tab=resolutions

realcdnworker.site
hardbookshelf.ooguy.com
myselfdatahistory.serveirc.com

# Reference: https://x.com/HostileSpectrum/status/1722628312013660665
# Reference: https://x.com/k3yp0d/status/1852051018181452143
# Reference: https://www.virustotal.com/gui/ip-address/45.143.167.87/relations
# Reference: https://www.ic3.gov/CSA/2024/241030.pdf
# Reference: https://research.checkpoint.com/2024/wezrat-malware-deep-dive/
# Reference: https://www.virustotal.com/gui/file/4431b2a4d7758907f81fb1a0c1e36b2ce03e08d43123b1c398487770afd20727/detection
# Reference: https://www.virustotal.com/gui/file/e37b95bb9bee64cc0313eaad8a0269493745f89413bd78b58bb3b479b36084ae/detection
# Reference: https://www.virustotal.com/gui/file/a624768f28ca66e82cb5d157e5ddd427644e903476099ef0d155ab1f426da8a3/detection
# Reference: https://www.virustotal.com/gui/file/84366a894120d4a8c83411925ef04de52fa56da6fad0023a71f71a9bf21259ad/detection

http://45.143.167.87
http://194.11.226.9
http://194.4.49.175
194.11.226.9:443
194.4.49.175:443
45.143.167.87:443
46.249.58.136:4444
46.249.58.136:8080
cybercourt.io
gamershotel.pro
il-cert.net
onlinelive.info
pro-today.org
rgud-group.com
rgud-group.net
zeusistalking.com
zeusistalking.io
zeusistalking.net

# Reference: https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf
# Reference: https://otx.alienvault.com/pulse/624f0d6039be61f29b5f463c
# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-April/030630.html

alharbitelecom.co
apply-jobs.com
applytalents.com
appslocallogin.online
archery.dedyn.io
bnt2.live
careers-finder.com
cloudgoogle.co
cortanaservice.com
cortanaupdate.co
defenderupdate.ddns.net
edge-cloudservices.com
elecresearch.org
enerflex.ddns.net
enerflex.org
etisalatonline.com
exprogroup.org
freechess.live
funnychess.online
getadobe.ddns.net
getadobe.net
globaltalent.in
googleservices.co
googleupdate.co
helpdesk-product.com
kavkazru.press
khaleejtimes.co
latinoamericareporta.com
librarycollection.org
linkedinz.me
listen-books.com
localadmin.online
localadmin.ru
lukoil.in
market.dedyn.io
market.vinam.me
mastergatevpn.com
microsoftcdn.co
microsoftdefender.info
microsoftedgesh.info
mideasthiring.com
monitor-ua.com
office-shop.me
onedrivelive.me
onedriveupdate.net
online-audible.com
online-chess.live
outlookde.live
outlookdelivery.com
politica.in.ua
remgrogroup.com
revistadcr.com
saipem.org
sauditourismguide.com
savemoneytrick.com
sharepointnotify.com
signin.dedyn.io
sparrowsgroup.org
supportskype.com
talent-recruitment.org
talktalky.azurewebsites.net
thefreemovies.net
ukraine2day.com
updateddns.ddns.net
updatedefender.net
updatedns.ddns.net
updateservices.co

# Reference: https://x.com/StrikeReadyLabs/status/1851438224834433154
# Reference: https://x.com/ClearskySec/status/1856268257734410647
# Reference: https://x.com/asdasd13asbz/status/1851513587967078410
# Reference: https://www.clearskysec.com/wp-content/uploads/2024/11/Iranian-Dream-Job-ver1.pdf
# Reference: https://www.virustotal.com/gui/file/4e27556432464375a9016a410b6eef586f3a27377424ffc09f40eb252af144a2/detection
# Reference: https://www.virustotal.com/gui/file/918e70e3f5fdafad28effd512b2f2d21c86cb3d3f14ec14f7ff9e7f0760fd760/detection

careers2find.com
xboxapicenter.com
cdn.careers2find.com
quiz.careers2find.com

# Reference: https://twitter.com/malwrhunterteam/status/1762813636001570980
# Reference: https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
# Reference: https://www.virustotal.com/gui/file/5aa317d3682ff127e1e92d2016c08f94be60937a1b8a210876d931d072386336/detection

1stemployer.com
airconnectionapi.azurewebsites.net
airconnectionsapi.azurewebsites.net
airconnectionsapijson.azurewebsites.net
airgadgetsolution.azurewebsites.net
airgadgetsolutions.azurewebsites.net
altnametestapi.azurewebsites.net
answerssurveytest.azurewebsites.net
apphrquestion.azurewebsites.net
apphrquestions.azurewebsites.net
apphrquizapi.azurewebsites.net
arquestions.azurewebsites.net
arquestionsapi.azurewebsites.net
audiomanagerapi.azurewebsites.net
audioservicetestapi.azurewebsites.net
birngthemhomenow.co.il
blognewsalphaapijson.azurewebsites.net
blogvolleyballstatus.azurewebsites.net
blogvolleyballstatusapi.azurewebsites.net
boeisurveyapplications.azurewebsites.net
browsercheckap.azurewebsites.net
browsercheckingapi.azurewebsites.net
browsercheckjson.azurewebsites.net
cashcloudservices.com
changequestionstypeapi.azurewebsites.net
changequestionstypejsonapi.azurewebsites.net
changequestiontypes.azurewebsites.net
changequestiontypesapi.azurewebsites.net
checkapicountryquestions.azurewebsites.net
checkapicountryquestionsjson.azurewebsites.net
checkservicecustomerapi.azurewebsites.net
coffeeonlineshop.azurewebsites.net
coffeeonlineshoping.azurewebsites.net
connectairapijson.azurewebsites.net
connectionhandlerapi.azurewebsites.net
countrybasedquestions.azurewebsites.net
customercareservice.azurewebsites.net
customercareserviceapi.azurewebsites.net
emiratescheckapi.azurewebsites.net
emiratescheckapijson.azurewebsites.net
engineeringrssfeed.azurewebsites.net
engineeringssfeed.azurewebsites.net
exchtestcheckingapi.azurewebsites.net
exchtestcheckingapihealth.azurewebsites.net
flighthelicopterahtest.azurewebsites.net
helicopterahtest.azurewebsites.net
helicopterahtests.azurewebsites.net
helicoptersahtests.azurewebsites.net
hiringarabicregion.azurewebsites.net
homefurniture.azurewebsites.net
hrapplicationtest.azurewebsites.net
humanresourcesapi.azurewebsites.net
humanresourcesapijson.azurewebsites.net
humanresourcesapiquiz.azurewebsites.net
iaidevrssfeed.centralus.cloudapp.azure.com
iaidevrssfeed.centrualus.cloudapp.azure.com
iaidevrssfeed.cloudapp.azure.com
iaidevrssfeedp.cloudapp.azure.com
identifycheckapplication.azurewebsites.net
identifycheckapplications.azurewebsites.net
identifycheckingapplications.azurewebsites.net
ilengineeringrssfeed.azurewebsites.net
integratedblognewfeed.azurewebsites.net
integratedblognews.azurewebsites.net
integratedblognewsapi.azurewebsites.com
integratedblognewsapi.azurewebsites.net
intengineeringrssfeed.azurewebsites.net
intergratedblognewsapi.azurewebsites.net
javaruntime.azurewebsites.net
javaruntimestestapi.azurewebsites.net
javaruntimetestapi.azurewebsites.net
javaruntimeversionchecking.azurewebsites.net
javaruntimeversioncheckingapi.azurewebsites.net
jupyternotebookcollection.azurewebsites.net
jupyternotebookcollections.azurewebsites.net
jupyternotebookcollections.com
jupyternotebookscollection.azurewebsites.net
logsapimanagement.azurewebsites.net
logsapimanagements.azurewebsites.net
logupdatemanagementapi.azurewebsites.net
logupdatemanagementapijson.azurewebsites.net
manpowerfeedapi.azurewebsites.net
manpowerfeedapijson.azurewebsites.net
marineblogapi.azurewebsites.net
notebooktextchecking.azurewebsites.net
notebooktextcheckings.azurewebsites.net
notebooktextcheckings.com
notebooktexts.azurewebsites.net
onequestions.azurewebsites.net
onequestionsapi.azurewebsites.net
onequestionsapicheck.azurewebsites.net
openapplicationcheck.azurewebsites.net
optionalapplication.azurewebsites.net
personalitytestquestionapi.azurewebsites.net
personalizationsurvey.azurewebsites.net
qaquestionapi.azurewebsites.net
qaquestions.azurewebsites.net
qaquestionsapi.azurewebsites.net
qaquestionsapijson.azurewebsites.net
queryfindquestions.azurewebsites.net
queryquestions.azurewebsites.net
questionsapplicationapi.azurewebsites.net
questionsapplicationapijson.azurewebsites.net
questionsapplicationbackup.azurewebsites.net
questionsdatabases.azurewebsites.net
questionsurveyapp.azurewebsites.net
questionsurveyappserver.azurewebsites.net
quiztestapplication.azurewebsites.net
refaeldevrssfeed.centralus.cloudapp.azure.com
regionuaequestions.azurewebsites.net
registerinsurance.azurewebsites.net
roadmapselector.azurewebsites.net
roadmapselectorapi.azurewebsites.net
sportblogs.azurewebsites.net
surveyappquery.azurewebsites.net
surveyonlinetest.azurewebsites.net
surveyonlinetestapi.azurewebsites.net
technewsblogapi.azurewebsites.net
teledyneflir.com.de
testmanagementapi1.azurewebsites.net
testmanagementapis.azurewebsites.net
testmanagementapisjson.azurewebsites.net
testquestionapplicationapi.azurewebsites.net
testtesttes.azurewebsites.net
tiappschecktest.azurewebsites.net
tnlsowki.westus3.cloudapp.azure.com
tnlsowkis.westus3.cloudapp.azure.com
turkairline.azurewebsites.net
uaeaircheckon.azurewebsites.net
uaeairchecks.azurewebsites.net
vscodeupdater.azurewebsites.net
vsliveagent.com
workersquestions.azurewebsites.net
workersquestionsapi.azurewebsites.net
workersquestionsjson.azurewebsites.net
xboxplayservice.com

# Reference: https://x.com/Cyberteam008/status/1866677248587337914
# Reference: https://x.com/ValidinLLC/status/1867193831612985822
# Reference: https://en.fofa.info/result?qbase64=dGl0bGU9PSJVUkwgU2hvcnRlbmVyIiAmJiBpY29uX2hhc2g9IjE5MDgxNDcxMjEi

allocationwithour.info
conveniente-sharefile.info
filterfiletransfer.hopto.org
filtertransferfile.online
loss-modification.site
recognizedshare.site
transfer-filterless.ddns.net
viewfileitems.info
emv1.allocationwithour.info
ns2.allocationwithour.info
transfer.loss-modification.site

# Reference: https://x.com/Cyberteam008/status/1868875414510485876

dash.shortoni.live
emv1.short-jg934hw.live
emv1.short-rigf.live
emv1.statuss-short-join.live
fazadi.info
ftur-sher.online
live-join-short.online
mrz.fazadi.info
redirect-b.online
redirect-c.live
redirect-d.online
redirect-k.online
redirect-l.online
redirect-m.live
redirect-o.online
redirect-p.online
redirect-q.online
redirect-r.online
redirect-s.online
redirect-t.online
redirect-u.online
room-meet-url.live
sh-tro.live
sho-flu.live
shor-erier-f.xyz
shor-fg.live
shor-trv.live
short-join-live.online
short-redirect.online
short-view-url.online
shr-r4yr93d.live
sht-rgtio9.live
statuss-short-join.live
url-room-meet.live
visit-site-online.online

# Reference: https://www.bitdefender.com/en-us/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware

http://88.80.148.162
188.165.174.199:18080

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2025-03-12-v10877/2511

googles.site
drives.googles.site

# Reference: https://x.com/Cyberteam008/status/1919571782983356563

agm-rto-ewi.com
brannew-home.info
dazedebtor.com
emv1.brannew-home.info
emv1.newsaboutecology.info
get-ready.blog
ismywhs.com.de
mail.brannew-home.info
meet-online.site
meet-room.site
meetime.info
meeting-invite.live
meeting-room.live
meeting-time.info
meetingonline.live
meetingzone.info
meetland.info
meetonline.pro
meot-roem.online
newsaboutecology.info
ns2.brannew-home.info
ns2.newsaboutecology.info
populationnote.com
room-online.one
sejoinu.cc
shrtlink.space
shrtlnk.info
snap-short.online
stablis.online
verifymeet.live
wwwlmeetic.com

# Reference: https://x.com/blackorbird/status/1920061952459518406
# Reference: https://mp.weixin.qq.com/s/nY2Hyg6ZsM7ViXW1lhO2Ag
# Reference: https://app.validin.com/detail?find=2c2951f9c795c19412bf900f8e0ea00e&type=hash#tab=host_pairs (# 2025-04-25)
# Reference: https://app.validin.com/detail?find=Thoughts%20and%20Reflections%20-%20A%20Personal%20Blog&type=raw&ref_id=b7e5679da39#tab=host_pairs (# 2025-05-07)
# Reference: https://www.virustotal.com/gui/ip-address/185.182.194.175/relations
# Reference: https://www.virustotal.com/gui/ip-address/31.42.176.171/relations
# Reference: https://www.virustotal.com/gui/ip-address/78.159.117.177/relations
# Reference: https://www.virustotal.com/gui/ip-address/78.159.117.175/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.107.155.179/relations

http://185.153.197.236
academy-update.com
bookstoragestore.com
cloudtransferfile.info
commercialstudio.ddns.net
computerlearning.ddns.net
creating-loceer.ddns.net
holyicker.ddns.net
lastfilterfile.info
publicreservoir.info
research-storage.com
searchfilterapp.info
starmanblind.ddns.net
tepbit.site
timtechlab.duckdns.org

# Reference: https://x.com/Cyberteam008/status/1927915406288695626

accounts.google.live-meet.blog
accounts.google.live-meet.cfd
accounts.google.live-meet.cloud
accounts.google.live-meet.info
accounts.google.network-show.online
actor.rap-art.info
albert-company.online
all-for-city.info
amg-car-ger.info
anna-blog.info
apple.beta-man.info
april.spring-club.info
arizonaclub.me
arrow-click.info
backback.info
best85best.online
beta-man.info
bmw.amg-car-ger.info
book.anna-blog.info
bvio85.info
cc-newton.info
chapter1.cc-newton.info
cnt-worth.online
connect-room.online
crysus-h.info
data.live-meet.blog
dmn-for-car.online
exir-juice.online
friends.lizza-blog.info
friends.thomas-mark.xyz
good-student.online
goods-companies.online
google.live-meet.blog
google.live-meet.cfd
google.live-meet.cloud
google.live-meet.info
google.network-show
google.network-show.online
hrd-dmn.info
human-fly900.online
intelligence.live-meet.blog
ip-194-11-226-29.rockhoster.net
isftyviliam.platinum-cnt.info
live-coaching.online
live-conn.online
live-gml.online
live-meet.blog
live-meet.cfd
live-meet.cloud
live-meet.info
live-meet.live
live.connect-room.online
live.goods-companies.online
live.live-coaching.online
live.live-gml.online
live.live-meet
live.live-meet.cloud
live.live-meet.info
live.online-room.online
live.platinum-cnt.info
live.white-life-bl.info
live.yamal-group.online
lizza-blog.info
lynda-tricks.online
mail.bvio85.info
meet-work.info
message-live.online
mickel.connect-room.online
mickel.goods-companies.online
mickel.live-coaching.online
mickel.platinum-cnt.info
mickel.white-life-bl.info
mickel.yamal-group.online
mikel.yamal-group.online
network-show.online
nsim-ph.info
ntp-clock-h.info
online-room.online
oranus.albert-company.online
oranus.connect-room.online
oranus.human-fly900.online
oranus.live-coaching.online
oranus.platinum-cnt.info
oranus.white-life-bl.info
oranus.yamal-group.online
outlook.live.live-meet.cloud
outlook.live.live-meet.info
panel.live-meet.blog
panel.live-meet.cfd
panel.live-meet.cloud
panel.live-meet.info
panel.live-meet.live
panel.network-show.online
pfl.redirect-review.online
ph-crtdomain.info
platinum-cnt.info
prj-ph.info
profile.arizonaclub.me
profile.best85best.online
prt-max.online
rap-art.info
rbconline-support.info
redirect-review.online
richard-3th.online
right.arrow-click.info
rockhoster.net
roland-cc.online
sandbox.live-meet.blog
shadow-network.best
smtp.amg-car-ger.info
spring-club.info
stats.live-meet.blog
steve-brown.info
superset.sandbox.live-meet.blog
thomas-mark.xyz
viliam.albert-company.online
viliam.cnt-worth.online
viliam.connect-room.online
viliam.crysus-h.info
viliam.dmn-for-car.online
viliam.exir-juice.online
viliam.goods-companies.online
viliam.hrd-dmn.info
viliam.human-fly900.online
viliam.live-coaching.online
viliam.live-conn.online
viliam.lynda-tricks.online
viliam.meet-work.info
viliam.message-live.online
viliam.nsim-ph.info
viliam.ntp-clock-h.info
viliam.online-room.online
viliam.ph-crtdomain.info
viliam.platinum-cnt.info
viliam.prj-ph.info
viliam.prt-max.online
viliam.richard-3th.online
viliam.roland-cc.online
viliam.steve-brown.info
viliam.warning-d.info
viliam.wer-d.info
viliam.white-life-bl.info
viliam.work-meeting.info
viliam.yamal-group.online
violet.backback.info
warning-d.info
wer-d.info
white-life-bl.info
work-meeting.info
yamal-group.online

# Reference: https://x.com/skocherhan/status/1932952171122737290

cacademy-update.com
ccreservoir.info
cholyicker.ddns.net
cresearch-storage.com
csearchfilterapp.info

# Reference: https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/

adams-cooling.online
alex-mendez-fire.info
alison624.online
alpha-man.info
becker624.online
bestshopu.online
black-friday-store.online
book-handwrite.online
bracs-lion.online
city-splash.online
clame-rade.online
cloth-model.blog
clothes-show.online
conn-ectionor.cfd
cook-tips.info
course-math.info
crysus-p.info
cyberlattice.pro
dmn-for-hall.online
door-black-meter.online
encryption-redirect.online
est5090.online
everything-here.info
expressmarket.online
first-course.online
food-tips-blog.online
gallery-shop.online
good-news.cfd
good-news.fashion
healthy-lifestyle.fit
idea-home.online
infinit-world.info
lenan-rex.online
lesson-first.info
live-content.online
live-message.online
loads-ideas.online
make-house.online
master-club.info
network-game.xyz
network-review.xyz
network-show-a.online
nice-goods.online
normal-dmn.info
nsim-pa.info
ntp-clock-p.info
optio-nalynk.online
pa-crtdomain.info
panel-meeting.info
panel-network.online
panel-redirect.online
ph-work.info
pnl-worth.online
prj-pa.info
ptr-cc.online
ques-tion-ing.xyz
reading-course.online
reg-d.info
ricardo-mell.online
royalsoul.online
sendly-ink.shop
shaer-likn.store
show-verify.xyz
sky-writer.online
socks.beauty
stadium-fresh.online
storm-wave.online
suite-moral.info
teammate-live.online
tomas-company.online
top-game.online
ude-final.online
warplogic.pro
wash-less.online
white-car.online
white-life.info
wood-house.online
word-course.online
world-shop.online
zra-roll.online

# Reference: https://catalyst.prodaft.com/public/report/subtle-snail-expands-espionage-campaign-to-european-telecom-organizations
# Reference: https://github.com/prodaft/malware-ioc/tree/master/SubtleSnail

safrangroup-careers.com
telespazio-careers.com
auto-updater.azurewebsites.net
background-update.azurewebsites.net
cache-cleaner-check-111.azurewebsites.net
cache-cleaner-check-805.azurewebsites.net
cache-cleaner-check-926.azurewebsites.net
cache-cleaner-check.azurewebsites.net
cache-managment.northeurope.cloudapp.azure.com
check-security-update.azurewebsites.net
group-policy-update.azurewebsites.net
hyperv-heartbeat-service.azurewebsites.net
patch-provider-247.azurewebsites.net
patch-provider-597.azurewebsites.net
patch-provider-745.azurewebsites.net
patch-provider.azurewebsites.net
send-feedback-296.azurewebsites.net
send-feedback-413.azurewebsites.net
send-feedback-838.azurewebsites.net
send-feedback.azurewebsites.net
services-update-check.azurewebsites.net
update-health-service.azurewebsites.net
verify-publisher.azurewebsites.net

# Reference: http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/
# Reference: https://github.com/pan-unit42/iocs/blob/master/iran_linked_operators/MagicHound.csv

servicesystem.serveirc.com
chrome-up.date
timezone.live
analytics-google.org
microsoftsubsystem.com-adm.in
microsoftexplorerservices.cloud

# Reference: https://x.com/ThreatBookLabs/status/1957276288944918620
# Reference: https://app.validin.com/detail?find=WIN-46MPMA44ISV&type=raw&ref_id=777b5254d85#tab=host_pairs
# Reference: https://app.validin.com/detail?find=185.132.176.236&type=ip4&ref_id=1013ff6b648#tab=resolutions
# Reference: https://app.validin.com/detail?find=185.132.176.27&type=ip4&ref_id=1013ff6b648#tab=resolutions
# META-HOST=::"og:title":"title":"ShortURL - URL Shortener"

1stl.ink
beetly.online
bytli.ink
electrons-residingonthemoon.info
eventer.ink
filevisitresult.site
msnl.ink
proctor-custodian.site
revstoragefile.site
short-abbreviate.info
shorten-abbreviate.site
shortlycc.site
supervisor-protector.online
mobile.proctor-custodian.site
mobile.shorten-abbreviate.site
outstanding.revstoragefile.site
reproduce.outstanding.revstoragefile.site
ace-capitalpartners.ddns.net
centrallibrary.bounceme.net
consistent-provisioned.accesscam.org
enovation-affirm.theworkpc.com
implemen-tmeasures.myftp.org
internationalbester.ddns.net
revstoragefil.ddns.net
revstoragefile.ddns.net

# Reference: https://app.validin.com/detail?find=URL%20Shortener&type=raw&ref_id=7eee58f2849#tab=host_pairs (# 2025-08-18)

bdroyer.webredirect.org
bouncer.qc.to
cloud.qc.to
continue-short.ddns.net
db.qc.to
fdns1.duckdns.org
gc.n-e.kr
i-love-tux.qc.to
miniurl.duckdns.org
my.abrdns.com
rb1chesid8.ocry.com
rb2chesid8.otzo.com
shortener.ddns.net
shorter.kozow.com
sites.bounceme.net
tinygo.duckdns.org
tracking.ns02.info
updatedisplacement.ddns.net
viewfileitems.myftp.org
websites.freemyip.com

# Reference: https://x.com/ThreatBookLabs/status/1968132855827181901
# Reference: https://www.virustotal.com/gui/ip-address/185.132.176.27/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.182.194.50/relations
# Reference: https://app.validin.com/detail?find=%3A%3A%22og%3Atitle%22%3A%22title%22%3A%22ShortURL%20-%20URL%20Shortener%22&type=raw&ref_id=9b9c611b5fd#tab=host_pairs (# 2025-09-17)

file-review.hopto.org
fileviewitems.myftp.org
first-myshortel.ddns.net
interactive-view.myftp.org
javedpension.is-a-good.dev
licentiegegevens.ddns.net
onwards-gerencia.ddns.net
rb4chesid8.serveuser.com
shorten-abbreviate.ddns.net
shortfile-interactive.webredirect.org
videozoom.ddns.net

# Reference: https://app.validin.com/detail?find=%3A%3A%22og%3Atitle%22%3A%22title%22%3A%22ShortURL%20-%20URL%20Shortener%22&type=raw&ref_id=9b9c611b5fd#tab=host_pairs (# 2025-09-17)

shortener-abbreviate.info
veracity-revision.info
share.veracity-revision.info

# Reference: https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/

activehealthlab.azurewebsites.net
activespiritluth.eastus.cloudapp.azure.com
acupuncturebentonville.com
aeroclinicit.azurewebsites.net
airbus.careers-portal.org
airbus.careersworld.org
airbus.germanywork.org
airbus.global-careers.com
airbus.usa-careers.com
airmdsolutions.azurewebsites.net
airtravellog.com
arabiccountriestalent.azurewebsites.net
arabiccountriestalent.com
arabiccountriestalenthr.azurewebsites.net
arabiccountriestalents.azurewebsites.net
arabiccountriestalentshr.azurewebsites.net
asylimed.azurewebsites.net
backsrv66.azurewebsites.net
backsrv74.azurewebsites.net
biolinksystems.azurewebsites.net
boeing-careers.com
cardiomedspecialists.azurewebsites.net
carebytesolutions.azurewebsites.net
careers-hub.org
careers-portal.org
careersworld.org
check-backup-service-179.azurewebsites.net
check-backup-service-288.azurewebsites.net
check-backup-service-736.azurewebsites.net
check-backup-service.azurewebsites.net
clinichaven.azurewebsites.net
cloudaskingquestioning.azurewebsites.net
cloudaskingquestioning.azurewebsites.net.net
cloudaskingquestions.azurewebsites.net.net
cloudaskingquestions.eastus.cloudapp.azure.com
cloudaskingquestions.eastus.cloudapp.azure.com.net
cloudaskquestionanswers.azurewebsites.net
cloudaskquestionanswers.azurewebsites.net.net
cloudaskquestionanswers.com
cloudaskquestionanswers.com.net
cloudaskquestioning.eastus.cloudapp.azure.com
cloudaskquestioning.eastus.cloudapp.azure.com.net
collaboromarketing.com
createformquestionshelper.com
createformquestionshelper.com.net
datasheet96.azurewebsites.net
digicura.azurewebsites.net
digithealthplatform.azurewebsites.net
doctorconsult-app.azurewebsites.net
ehealthpsuluth.com
exchtestchecking.azurewebsites.net
exchtestcheckingapihealth.com
exchtestcheckingapijson.azurewebsites.net
flydubaicareers.ae.org
focusfusion.eastus.cloudapp.azure.com
frameforward.azurewebsites.net
germanywork.org
global-careers.com
gocareers.org
grownehealth.eastus.cloudapp.azure.com
healsanctum.azurewebsites.net
healthbodymonitoring.azurewebsites.net
healthcare-azureapi.azurewebsites.net
healthcarefluent.com
healthdataanalyticsrecord.azurewebsites.net
hivemedtech.azurewebsites.net
lensvisionary.azurewebsites.net
mainrepo10.azurewebsites.net
managetools-platform.azurewebsites.net
marsoxygen.azurewebsites.net
masterflexiblecloud.azurewebsites.net
maydaymed.azurewebsites.net
mediasylum.azurewebsites.net
medical-deepresearch.azurewebsites.net
medicalit-imaging.azurewebsites.net
medicoreit.azurewebsites.net
medicpathsolutions.azurewebsites.net
mentalhealth-support-portal.azurewebsites.net
mojavemassageandwellness.com
msnotetask-insights.azurewebsites.net
mstrakcer-tools.azurewebsites.net
nanobreathe.azurewebsites.net
neurocloudhq.azurewebsites.net
nextgenhealthtrack.azurewebsites.net
olemanage-dashboard.azurewebsites.net
oletask-tracker.azurewebsites.net
patient-azureportal.azurewebsites.net
patientcare-portal.azurewebsites.net
pharmainfo.azurewebsites.net
rheinmetall.careers-hub.org
rheinmetall.careersworld.org
rheinmetall.gocareers.org
rheinmetall.theworldcareers.com
rheinmetallcareer.com
rheinmetallcareer.org
rpcconnection.azurewebsites.net
smartapptools.azurewebsites.net
smartmediq.azurewebsites.net
storagewiz.co.azurewebsites.net
sulumorbusinessservices.com
symptom-recordchecker.azurewebsites.net
systemmedicaleducation.azurewebsites.net
tacticalsnap.eastus.cloudapp.azure.com
talenthumanresourcestalent.com
telehealthconnectpro.azurewebsites.net
thecloudappbox.azurewebsites.net
therashelter.azurewebsites.net
thetacticstore.com
theworldcareers.com
totalcaremedcenter.azurewebsites.net
traveltipspage.com
trustedcarehub360.azurewebsites.net
turbulencemd.azurewebsites.net
usa-careers.com
ventilateainest.azurewebsites.net
virgomarketingsolutions.com
virgomarketingsolutions.comtions.com
virtualcliniczone.azurewebsites.net
vitatechlink.azurewebsites.net
vitatechlinks.azurewebsites.net
wellnessfirstgroup.azurewebsites.net
wellnessglowluth.azurewebsites.net
yourfamilymdclinic.azurewebsites.net
zerogmed.azurewebsites.net

# Reference: https://x.com/volrant136/status/1971653625274683671
# Reference: https://x.com/volrant136/status/1971654091656122835

hotchichenfly.info

# Reference: https://x.com/4rchib4ld/status/1972582381275275498
# Reference: https://www.stormshield.com/news/apt35-plays-same-music-again/
# Reference: https://www.virustotal.com/gui/ip-address/79.132.131.184/relations
# Reference: https://www.virustotal.com/gui/ip-address/84.200.193.20/relations

alpha-meet.online
alpha-met.online
arcanet.online
azdava.online
besatoo.online
cppsg.online
dmn-inter.online
ell-safe.online
go0gle.online
into-support.online
kuret-live.online
live-board.online
look-together-online.online
online-speak.online
owner-rate.online
p-safe.online
proof-video.online
robinthing123.online
rohand63.xyz
safe-lord.online
superlite.online
tensore.online
teslator.online
toolfare.online
video-connect.online
viliam-live-identity.online
go0gle.online
look-together-online.online
owner-rate.online
p-safe.online
rohand63.xyz
toolfare.online
video-connect.online
book.kuret-live.online
live.besatoo.online
meet.azdava.online
meet.ell-safe.online
meet.go0gle.online
meet.proof-video.online
meet.video-connect.online
mickel.besatoo.online
oranus.besatoo.online
viliam.alpha-meet.online
viliam.alpha-met.online
viliam.arcanet.online
viliam.azdava.online
viliam.besatoo.online
viliam.cppsg.online
viliam.dmn-inter.online
viliam.into-support.online
viliam.kuret-live.online
viliam.kuret-met.online
viliam.live-board.online
viliam.look-together-online.online
viliam.online-speak.online
viliam.owner-rate.online
viliam.p-safe.online
viliam.robinthing123.online
viliam.rohand63.xyz
viliam.safe-lord.online
viliam.superlite.online
viliam.tensore.online
viliam.teslator.online
viliam.toolfare.online
viliam.viliam-live-identity.online
villiam.online-speak.online

# Reference: https://x.com/skocherhan/status/1973278284906635640
# Reference: https://www.virustotal.com/gui/file/0596554b58c644d42d44ba24c7b6c31a7b8999f77672cb430e6f6a006c022bdc/detection
# Reference: https://www.virustotal.com/gui/file/48883dcbac14e1f57613f482ec69b1a50458c8fd59e78a5ce66b988bf4a06347/detection
# Reference: https://www.virustotal.com/gui/file/5b1b7d9c5f08d67834dcb8d15a25941363441b235dd82bface19588ece8a9841/detection
# Reference: https://www.virustotal.com/gui/file/c8baf145f2f586167ed108eca143ce4d2b86af8df050a226959fcb172462cd0a/detection

179.43.177.130:3333
ameen-alkhalij.org
ameen-alkhalij.is
ameen-alkhalij.nu
ameen-alkhalij.com
ameen-alkhalij.se
musalas.se
shopleta.ru

# CERT_CN-HOST=WIN-GT7DSJ6SLAI

quickmath-solver.site
redfoxteeth.site

# Reference: https://www.proofpoint.com/us/blog/threat-insight/crossed-wires-case-study-iranian-espionage-and-attribution

accountroyal.com
airbus-careers.onlyoffice.com
airbus-survay.onlyoffice.com
airbusaerodefence.com
airbusaerodefence.nl
airbusgroup-careers.com
airbushiring.com
alwayslivehealthy.com
anteromarketing.com
asiandefenses.com
bodywellnessbycynthia.com
boeinginformation.onlyoffice.com
boeingspace.com
chakracleansetherapy.com
clearmindhealthandwellness.com
droneflywell.com
dronetechasia.org
easymarketing101.com
emiratescareers.org
emiratesgroup-careers.com
flydubai-careers.com
healthcarefluent.com
healthiestmama.com
healthinfusiontherapy.com
jadehealthcenter.com
joinboeing.com
kibanacore.com
malebachhew2506090936.onlyoffice.com
marketinglw.com
msnapp.help
msnapp.live
msnclouds.com
opportunities2get.com
palaerospace.careers
randcorp.onlyoffice.com
rhealthylivingsolutions.com
rheinmetallcareer.onlyoffice.com
rheinmetallcareers.com
thecareershub.org
uavnodes.com
worldcareers.org
zytonhealth.com

# Reference: https://x.com/blackorbird/status/1992075483836744154
# Reference: https://dti.domaintools.com/threat-intelligence-report-apt35-internal-leak-of-hacking-campaigns-against-lebanon-kuwait-turkey-saudi-arabia-korea-and-domestic-iranian-targets/

http://212.175.168.58
103.57.251.153:2000
103.57.251.153:443
212.175.168.58:443

# Reference: https://dti.domaintools.com/the-apt35-dump-episode-4-leaking-the-backstage-pass-to-an-iranian-intelligence-operation/

bbmovements.com
cavinet.org
israel-talent.com
israel-talent.xyz
kanplus.org
moses-staff.io
moses-staff.to
secnetdc.com
tecret.com
termite.nu

# Reference: https://x.com/ThreatBookLabs/status/2010540242932269492
# Reference: https://www.virustotal.com/gui/file/e7b2cc236af9edbe44307d293a7d7fcbb199a286f7eec864f363fcb725c7ef70/detection
# Reference: https://www.virustotal.com/gui/file/a6b0c63b2aa25d5fe8ff5b9bd4d28636fbfa7f7af5db7c34d82459738243163a/detection

baochinhphu.org