# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt35, charmingcypress, phosphorus, ajax security team, tunnelvision, nemesiskitten, ta453

# Note: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-06-12 Charming Kitten waterhole)

jewishjournal.us
deutcshewelle.org
deutcshewelle.com
frostsullivan.org
ns1.deutcshewelle.com
ns2.deutcshewelle.com
mail.jewishjournal.us
mx0.jewishjournal.us
ns1.jewishjournal.us
ns2.jewishjournal.us
win-ptf9aurtg8u.jewishjournal.us

# Reference: https://www.clearskysec.com/charmingkitten/
# Reference: https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
# Reference: https://www.virustotal.com/gui/file/d4375a22c0f3fb36ab788c0a9d6e0479bd19f48349f6e192b10d83047a74c9d7/detection
# Reference: https://www.virustotal.com/gui/file/971c5b5396ee37827635badea90d26d395b08d17cbe9e8027dc87b120f8bc0a2/detection
# Reference: https://www.virustotal.com/gui/file/2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f/detection
# Reference: https://www.virustotal.com/gui/file/734d9639fcfffef1a3c360269ccc1cda4f1d0e9dc857fa438f945e807b022c21/detection
# Reference: https://www.virustotal.com/gui/file/6618051ea0c45d667c9d9594d676bc1f4adadd8cb30e0138489fee05ce91a9cb/detection
# Reference: https://www.virustotal.com/gui/file/a6dea088c9e2c9191e4c2fc4ece7b7b7bd3f034f444362d35c8765f6ec4bd279/detection
# Reference: https://www.virustotal.com/gui/file/2b9c941150206d38a635620f2129660628f9b08dd2f674013cacda39bde7ae56/detection

58.158.177.102:5050
85.17.172.180:5050
012mail-net-uwclogin.ml
8ghefkwdvbfdsg3asdf1.com
account-customerservice.com
account-dropbox.net
account-google.co
account-login.net
account-logins.com
account-log-user-verify-mail.com
account-permission-mail-user.com
account-servicerecovery.com
accountservice.support
accounts-googelmail.com
accounts-googelmails.com
account-signin-myaccount-users.ga
accounts-logins.net
accountsrecovery.ddns.net
accounts-service.support
accountsservice-support.com
account-support-user.com
accounts-yahoo.us
accountts-google.com
account-user.com
account-user-permission-account.com
account-users-mail.com
account-user-verify-mail.com
acounts-qooqie-con.ml
addons-mozilla.download
aipak.org
aiqac.org
aol-mail-account.com
apache-utility.com
app-documents.com
app-facebook.co
araamco.com
archive-center.com
asus-support.net
asus-update.com
berozkhodro.com
book-archivecenter.bid
books-archivecenter.bid
books-archivecenter.club
books-google.books-archivecenter.bid
books-view.com
bootstrap.serveftp.com
britishnews.com.co
britishnews.org
broadcastbritishnews.com
brookings-edu.in
change-mail-accounting-register-single.com
change-mail-account-nodes-permision.com
change-permission-mail-user-managment.com
change-user-account-mail-permission.com
codeconfirm-recovery.bid
codeconfirm-recovery.club
com-account-login.com
com-accountrecovery.bid
com-accountsecure-recovery.name
com-accountsrecovery.name
com-archivecenter.work
com-customeradduser.bid
com-customerservice.bid
com-customerservice.name
com-customerservices.name
com-customersuperuser.bid
com-download.ml
com-manage-accountuser.club
com-messagecenter.bid
com-messengerservice.bid
com-messengerservice.work
com-microsoftonline.club
com-mychannel.bid
com-orginal-links.ga
com-recoversessions.bid
com-recoveryadduser.bid
com-recovery.com
com-recoveryidentifier.bid
com-recoveryidentifier.name
com-recoveryidentifiers.bid
com-recoverymail.bid
com-recoverysecureuser.club
com-recoverysecureusers.club
com-recoveryservice.bid
com-recoveryservice.info
com-recoverysessions.bid
com-recoverysubusers.bid
com-recoverysuperuser.bid
com-recoverysuperuser.club
com-recoverysuperuser.name
com-recoverysuperusers.bid
com-recoverysupport.bid
com-recoverysupport.club
com-servicecustomer.bid
com-servicecustomer.name
com-service.gq
com-servicemail.bid
com-service.net
com-servicerecovery.bid
com-servicerecovery.club
com-servicerecovery.info
com-servicerecovery.name
com-servicescustomer.name
com-serviceslogin.com
com-showvideo.ga
com-showvideo.gq
com-statistics.com
com-stats.com
com-video.net
com-videoservice.work
com-viewchannel.club
crcperss.com
cvcreate.org
digitalqlobe.com
display-error-runtime.com
display-ganavaro-abrashimchi.com
docs-google.co
documents-supportsharing.bid
documents-supportsharing.club
documents.sytes.net
document-supportsharing.bid
doc-viewer.com
download-link.top
drive-login.cf
drive-permission-user-account.com
drive-useraccount-signin-mail.ga
drop-box.vip
dropebox.co
embraer.co
emiartas.com
error-exchange.com
eursaia.org
fanderfart22.xyz
fardenfart2017.xyz
fb-login.cf
gle-mail.com
gmail-recovery.ml
gmal.cf
goo-gle.bid
goog-le.bid
goo-gle.cloud
google-mail.com.co
google-mail-recovery.com
googlemails.co
goo-gle.mobi
google-profile.com
google-profiles.com
google-setting.com
google-verification.com
google-verify.com
google-verify.net
group-google.com
help-recovery.com
hot-mail.ml
id-bayan.com
iforget-memail-user-account.com
iranianuknews.com
ir-owa-accountservice.bid
k2intelliqence.com
line-en.me
login-account-mail.com
login-account.net
login-again.ml
login-required.ga
login.loginto.me
mail-account-register-recovery.com
mails-account-signin-users-permssion.com
mailssender.bid
mail-yahoo.com.co
market-account-login.net
mehrnews.info
messageservice.bid
messageservice.club
microsoft-hotfix.com
microsoft-update.bid
microsoft-upgrade.mobi
microsoft-utility.com
msoffice-update.com
myaccount-login.net
mychannel.ddns.net
my-healthequity.com
my-mailcoil.ml
myscreenname.bid
news-onlines.info
nex1music.ml
notification-accountrecovery.com
nsdrive-phone.online
nvidia-support.com
nvidia-update.com
officialswebsites.info
official-uploads.com
onedrive-signin.com
onlinedocument.bid
onlinedocuments.org
onlinedrie-account-permission-verify.com
onlineserver.myftp.biz
online-supportaccount.com
orginal-links.com
outlook-livecom.bid
owa-insss-org-ill-owa-authen.ml
picofile.xyz
policy-facebook.com
privacy-facebook.com
privacy-gmail.com
privacy-yahoomail.com
profile-facebook.co
profiles-facebook.com
profile-verification.com
qet-adobe.com
radio-m.cf
raykiel.net
recoverycodeconfirm.bid
recovery-customerservice.com
recovery-emailcustomer.com
recoverysuperuser.bid
register-multiplay.ml
sadashboard.com
saudiarabiadigitaldashboards.com
saudi-government.com
saudi-haj.com
screen-royall-in-corporate.com
screen-shotuser-trash-green.com
security-supportteams-mail-change.ga
sers-login.com
service-accountrecovery.com
service-broadcast.com
servicecustomer.bid
service-logins.net
servicemailbroadcast.bid
service-recoveryaccount.com
set-ymail-user-account-permission-challenge.com
shared-access.com
shared-login.com
shared-permission.com
shorturlbot.club
show-video.info
slmkhubi.ddns.net
smstagram.com
sprinqer.com
support-aasaam.bid
support-aasaam.com
support-accountsrecovery.com
support-google.co
support-recoverycustomers.com
supports-recoverycustomers.com
support-verify-account-user.com
tadawul.com.co
tai-tr.com
team-speak.cf
teamspeak-download.ml
team-speak.ga
team-speak.ml
teamspeaks.cf
telagram.cf
token-ep.com
uk-service.org
update-checker.net
update-driversonline.bid
update-driversonline.club
update-finder.com
update-microsoft.bid
updater-driversonline.club
update-system-driversonline.bid
uploader.sytes.net
upload-services.com
uri.cab
usersettings.cf
users-facebook.com
users-login.com
users-yahoomail.com
utopaisystems.net
verify-account.services
verify-accounts.info
verify-facebook.com
verify-gmail.tk
video-youtube.cf
w3sch00ls.hopto.org
w3school.hopto.org
w3schools.hopto.org
w3schools-html.com
watch-youtube.org.uk
webmaiil-tau-ac-il.ml
webmail-tidhar-co-il.ml
windows-update.systems
xn--googe-q2e.ml
yahoo-proflles.com
yahoo-verification.net
yahoo-verification.org
yahoo-verify.net
youetube.ga
yourl.bid
youttube.ga
youttube.gq
youtubbe.cf
youtubbe.ml
youtube-com.watch
youtubee-videos.com
youtuebe.co
youtuobe.com.co
youutube.cf
yurl.bid

# Reference: https://otx.alienvault.com/pulse/5c9bb407e5a06b014da016e3

account-profile-users.info
accounts-apple.com
account-servicemanagement.info
account-servieemanagement.info
accounts-manager.info
accounts-support.services
accounts-web-maii.com
accounts-web-mail.com
account-verifiy.net
activities-recovery-options.info
activities-servicesnotification.info
activity-confirmationservice.info
activity-session-recovery.info
aeroconf2014.org
aerospace2014.org
appleid.com.co
attacker-domain.com
broadcastnews.pro
com-accountidentifier.info
com-identifier-servicelog.info
com-identifier-servicelog.name
comidentifier-servicelog.name
com-identifier-servlcelog.name
com-mailbox.com
com-microsoftonline.club
com-myaccuants.com
com-privacy-help.info
com-sessionidentifier.info
com-useraccount.info
com-users.net
confirmation-recoveryoptions.info
confirmation-service.info
confirmation-users-service.info
confirmation-users-servlee.info
confirm-identity.info
confirm-session-identification.info
confirm-sessionidentification.info
confirm-session-identifier.info
continue-session-identifier.info
continue-sesslon-identifier.info
customer-certificate.com
customer-recovery.info
customers-activities.info
customers-manager.info
customers-services.info
customize-identity.info
documentofficupdate.info
documentsfilesharing.cloud
documentsharing.info
download-teamspeak.info
elitemaildelivery.info
email-deiivery.info
email-delivery.info
eom-microsoftonline.club
eom-useraccount.info
eustomers-activities.info
giitials.tk
googledomalns.com
identifier-activities.info
identifier-services-sessions.info
identify-user-session.info
intel-update.com
intelupdate.com
login-gov.info
message-serviceprovider.info
microsoft-update.bid
microsoft-upgrade.mobi
mobile-messengerplus.network
mobile-sessionid.customize-identity.info
mobiles-sessionid.customize-identity.info
myaccount-services.net
notification-accountservice.com
notification-accountservice.info
notificationapp.info
notification-manager.info
notification-managers.info
notifications-center.info
notification-signal-agnecy.info
notificatlon-signal-agnecy.info
o5vdb.org
outlook-livecom.bid
outlook-verify.net
packctstormsccurity.com
plugin-adobe.com
privacy-google.com
recognized-activity.info
recover-customers-service.info
recovery-session-change.info
recoveryusercustomer.info
serverbroadcast.info
service-accountrecoverv.com
service-recovery-session.info
service-session-confirm.info
service-session-continue.info
services-issue-notification.info
services-sessionconfirmation.info
session-mail-customers.info
session-management.info
session-manager.info
session-managment.info
session-recovery-options.info
sessions-identifiermemberemailid.network
sessions-notification.info
session-users-activities.com
session-verify-user.info
shop-sellwear.info
supportmailservice.info
support.services
support-servics.com
support-servics.net
terms-service-notification.info
terms-service-notlfication.info
update-microsoft.bid
user-activity-issues.info
useridentity-confirm.info
user-profile-credentials.com
users-facebook.com
users-issue-services.info
verification-live.com
verificationlive.com
verification-llve.com
verifiy-account.net
verifv-linkedin.net
verify-linke.com
verify-linkedin.net
verify-user-session.info
vvincicivj-c-ssenrjais.tk
webemail.info
xn--facebook-06k.com
xn--google-yri.com
yahoomail.com.co
yahoo-verification.net
yahoo-verification.org
yahoo-verify.net

# Reference: https://www.clearskysec.com/the-kittens-are-back-in-town/
# Reference: https://otx.alienvault.com/pulse/5d7e61f9aa517862e977cbad

acconut-verify.com
drive-accounts.com
exnovin.org
isis-online.net
islamicemojimaker.com
leslettrespersanes.net
niaconucil.org
seisolarpros.org
skynevvs.com
unrisd.com
w3-schools.org

# gnldp.live
# Note: regular trackers
# gnldr.club
# gnldr.live
# gnldr.website
# gnldrp.live
# sgnl.live
# sgnl.network
# sgnldp.live
# sgnldr.live

# Reference: https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2.pdf
# Reference: https://otx.alienvault.com/pulse/5d9b7a71f31df0e33eefab04

bahaius.info
bailment.org
com-activities.site
com-identifier.site
com-session.site
com-verifications.site
customers-activities.site
customers-recovery.site
customers-reminder.info
document-sharing.online
documentsfilesharing.cloud
gomyfiles.info
home-access.online
identifier-activities.info
identifier-activities.online
identity-verification-service.info
inbox-drive.info
inbox-sharif.info
magic-delivery.info
microsoftinternetsafety.net
mobile-messengerplus.network
mobilecontinue.network
notification-accountservice.com
recovery-services.info
recoverysuperuser.info
see-us.info
sessions-identifier-memberemailid.network
smarttradingfast.com
system-services.site
telagram.net
uploaddata.info
verification-services.info

# Reference: https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/
# Reference: https://otx.alienvault.com/pulse/5e3acf325495b5e504f82abc

acconut-verify.com
accounts-drive.com
bahaius.info
cpanel-services.site
customers-activities.site
customers-service.ddns.net
drive-accounts.com
finance-usbnc.info
instagram-com.site
inztaqram.ga
isis-online.net
leslettrespersanes.net
malcolmrifkind.site
niaconucil.org
phonechallenges-submit.site
recovery-options.site
seisolarpros.org
service-activity-checkup.site
service-issues.site
skynevvs.com
software-updating-managers.site
system-services.site
two-step-checkup.site
unirsd.com
w3-schools.org
yah00.site

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#
# Reference: https://otx.alienvault.com/pulse/5e6ff05783c525e779904d69

myconnect-support.com

# Reference: https://twitter.com/ClearskySec/status/1258432745891680256

com-recovery.site
com-sessions.site
customer-identifier.site
customer-reminder.info
customers-activity.site
identifier-services-session.site
mobile-airbnb.site
mobile-uber.site
newspedia.ddns.net
radiofarda.site
recovery-option.site
safe-solution.site
scribdinc.site
travel-airbnb.site

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/
# Reference: https://www.virustotal.com/gui/domain/kia-customerservice.ddns.net/detection
# Reference: https://www.virustotal.com/gui/domain/recovery-service.site/detection

document-share.info
kia-customerservice.ddns.net
login-users-account.site
manage-accounts.info
recovery-service.site
us2-mail-login-profile.site

# Reference: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
# Reference: https://otx.alienvault.com/pulse/5f99808638696999cf7b109c

de-ma.online
g20saudi.000webhostapp.com
ksat20.000webhostapp.com

# Reference: https://twitter.com/kyleehmke/status/1328374352602144770

check-panel-account.icu
cover-home-panel.xyz
it-service.men
student-rank-number.icu

# Reference: https://twitter.com/kyleehmke/status/1334170023968051200

cover-home-page.xyz

# Reference: https://twitter.com/kyleehmke/status/1339602993814102016

home-reload-page.xyz

# Reference: https://twitter.com/kyleehmke/status/1346154845221384194

check-panel-live.icu
check-reload-page.xyz
front-cover-panel.xyz
front-home-panel.xyz
office-live-activity.icu
page-home-reload.xyz

# Reference: https://blog.certfa.com/posts/charming-kitten-christmas-gift/
# Reference: https://otx.alienvault.com/pulse/5fff52390820519347e5f2d3

agentappservice.ddns.net
archiverepositories.xyz
basementofdarkness.ddns.net
benefitsredington.ddns.net
bulk-approach.site
challengechampions.ddns.net
com-254514785965.site
com-3654623478192.site
com-5464825879854.site
com-apk-6712qw123asd8awf7.site
com-archive.site
com-posts6712qw12387.site
confirm-identity.site
customer-session.site
deepthinkingroom.ddns.net
differentintegrated.ddns.net
dynamiceventmanager.ddns.net
enhanceservicchecke.hopto.org
heisonhisway.ddns.net
hello-planet.com
homedirections.ddns.net
homeinspections.ddns.net
identifier-service-verify.site
identifier-session-recovery.site
identity-session-recovery.site
lonelymanshadow.ddns.net
mail-newyorker.com
minimumservicechek.ddns.net
mobile-activity-session.site
mobile-check-activity.site
patchtheschool.ddns.net
planet-labs.site
profilechangeruser.ddns.net
randomworldcity.ddns.net
recover-identity.site
recover-session-service.site
recovery-customer-service.site
recovery-session-service.site
recovery-session.site
reset-account.com
schoolofculture.ddns.net
securelogicalrepository.com
service-recovery.site
service-session-recovery.site
service-support.site
service-verification.site
session-confirmation.site
session-customer-activity.site
uniquethinksession.ddns.net
verify-session-service.site
wearefirefighters.ddns.net

# Reference: https://twitter.com/jfslowik/status/1347905935654539267

dhs-us.org
csm-group.org
procurement-inl-gov.us
procurements-inl-gov.us
ukborderhomeoffice-gov.org

# Reference: https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential
# Reference: https://otx.alienvault.com/pulse/6065f293e16c3e4e72044475

1drv.casa
1drv.cyou
1drv.icu
1drv.live
1drv.online
1drv.surf
1drv.xyz

# Reference: https://twitter.com/ChicagoCyber/status/1391819499872137225

log-in-dropbox.com

# Reference: https://twitter.com/BaoshengbinCumt/status/1423577884615081992
# Reference: https://mp.weixin.qq.com/s/oD1VQZBxgjL3rNeN72MJqg

jamaat-ul-islam.com
jamatapplication.com
jamaatforummah.com
jamaatforallah.com

# Reference: https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/

144.217.139.155:4444
54.38.49.6:21
0standavalue0.xyz
0storageatools0.xyz
0brandaeyes0.xyz

# Reference: https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
# Reference: https://www.virustotal.com/gui/ip-address/91.214.124.143/relations
# Reference: https://www.virustotal.com/gui/file/ca4217b9d188cbe5fc6f4c7d5d696f93cc611dff1ffd323941f2a8b5e77284de/detection

http://162.55.136.233
http://162.55.137.20
169.51.60.221:1331
45.77.76.158:23643
onedriver-srv.ml
windows-driver.ml
google.onedriver-srv.ml
update.windows-driver.ml
/gadfTs55sghsSSS/phppost.php
/gadfTs55sghsSSS

# Reference: https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/
# Reference: https://otx.alienvault.com/pulse/620f76b08f1d06ea8646c0d3

microsoft-updateserver.cf
service-management.tk

# Reference: https://twitter.com/BaoshengbinCumt/status/1494478437960286208
# Reference: https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf

http://182.54.217.2
51.89.181.64:443
us-nation-ny.cf

# Reference: https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/

http://148.251.71.182
/ecp/auth/aspx_wkggiyvttmu.aspx
/aspx_wkggiyvttmu.aspx
/dhvqx.aspx

# Reference: https://twitter.com/ChicagoCyber/status/1562047469126656001
# Reference: https://www.shodan.io/host/173.209.51.54
# Reference: https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/ (# HYPERSCRAPE)

http://136.243.108.14
http://173.209.51.54
173.209.51.54:5985

# Reference: https://twitter.com/IronNetTR/status/1562913025350303744
# Reference: https://twitter.com/IronNetTR/status/1562913027951042561
# Reference: https://twitter.com/IronNetTR/status/1562913029620203520
# Reference: https://www.shodan.io/host/136.243.108.10
# Reference: https://www.shodan.io/host/136.243.108.11
# Reference: https://www.shodan.io/host/136.243.108.12
# Reference: https://www.shodan.io/host/136.243.108.13
# Reference: https://www.shodan.io/host/136.243.108.14
# Reference: https://www.shodan.io/host/136.243.108.9
# Reference: https://www.shodan.io/host/78.47.90.60

http://136.243.108.10
http://136.243.108.11
http://136.243.108.12
http://136.243.108.13
http://136.243.108.14
http://136.243.108.9
http://159.69.105.181
http://195.201.46.42
http://78.47.90.60
136.243.108.10:10000
136.243.108.10:22
136.243.108.10:25
136.243.108.10:4040
136.243.108.10:443
136.243.108.10:465
136.243.108.10:587
136.243.108.10:993
136.243.108.10:995
136.243.108.11:10000
136.243.108.11:22
136.243.108.11:25
136.243.108.11:4040
136.243.108.11:443
136.243.108.11:465
136.243.108.11:587
136.243.108.11:993
136.243.108.11:995
136.243.108.12:10000
136.243.108.12:22
136.243.108.12:25
136.243.108.12:4040
136.243.108.12:443
136.243.108.12:465
136.243.108.12:587
136.243.108.12:993
136.243.108.12:995
136.243.108.13:10000
136.243.108.13:22
136.243.108.13:25
136.243.108.13:4040
136.243.108.13:443
136.243.108.13:465
136.243.108.13:587
136.243.108.13:993
136.243.108.13:995
136.243.108.14:10000
136.243.108.14:22
136.243.108.14:25
136.243.108.14:4040
136.243.108.14:443
136.243.108.14:465
136.243.108.14:587
136.243.108.14:993
136.243.108.14:995
136.243.108.9:10000
136.243.108.9:22
136.243.108.9:25
136.243.108.9:4040
136.243.108.9:443
136.243.108.9:465
136.243.108.9:587
136.243.108.9:993
136.243.108.9:995
159.69.105.181:2082
159.69.105.181:2083
159.69.105.181:2086
159.69.105.181:2087
159.69.105.181:21
159.69.105.181:22
159.69.105.181:443
159.69.105.181:53
195.201.46.42:10000
195.201.46.42:22
195.201.46.42:25
195.201.46.42:443
195.201.46.42:465
195.201.46.42:587
195.201.46.42:993
195.201.46.42:995
78.47.90.60:10000
78.47.90.60:110
78.47.90.60:143
78.47.90.60:2082
78.47.90.60:2083
78.47.90.60:2086
78.47.90.60:2087
78.47.90.60:21
78.47.90.60:25
78.47.90.60:443
78.47.90.60:465
78.47.90.60:53
78.47.90.60:587
78.47.90.60:993
78.47.90.60:995

# Reference: https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives/

litby.us

# Reference: https://twitter.com/LukasStefanko/status/1569258418283905026
# Reference: https://www.mandiant.com/media/17826 (# apt42, crookedcharms)
# Reference: https://www.virustotal.com/gui/file/5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5/detection
# Reference: https://www.virustotal.com/gui/file/c2c1d804aeed1913f858df48bf89a58b1f9819d7276a70b50785cf91c9d34083/detection
# Reference: https://www.virustotal.com/gui/file/a8c062846411d3fb8ceb0b2fe34389c4910a4887cd39552d30e6a03a02f4cc78/detection
# Reference: https://www.virustotal.com/gui/file/90e5fa3f382c5b15a85484c17c15338a6c8dbc2b0ca4fb73c521892bd853f226/detection

137.184.212.205:4373
51.38.87.253:3535
cdsa.xyz
developer-app.xyz
hardship-management.com
office-updates.info

# Reference: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations

acconut-signin.com
account-signin.com
accounts-mails.com
accredit-validity.online
accurate-sprout-porpoise.glitch.me
admin-stable-right.top
admiscion.online
admit-roar-frame.top
advission.online
affect-fist-ton.online
aspenlnstitute.org
avid-striking-eagerness.online
azadlliq.info
beaviews.online
besvision.top
bloom-flatter-affably.top
bq-ledmagic.online
briview.online
businesslnsider.org
check-online-panel.live
check-pabnel-status.live
check-panel-status.live
check-short-panel.live
confirmation-process.top
connection-view.online
continue-recognized.online
coordinate.icu
cvisiion.online
d75.site
daemon-mailer.info
dloffice.buzz
dloffice.top
ecomonist.org
email-daemon.biz
email-daemon.biz.tinurls.com
email-daemon.online
email-daemon.online.tinurls.com
email-daemon.site
endorsement-services.online
eocnomist.com
foreiqnaffairs.com
foreiqnaffairs.org
forieqnaffairs.com
fortune-retire-home.top
g-online.org
geaviews.site
glory-uplift-vouch.online
go-conversation.lol
go-forward.quest
gview.site
identifier-direction.site
indication-service.online
israelhayum.com
join-paneling.online
jpost.press
jpostpress.com
khaleejtimes.org
khalejtimes.org
last-check-leave.buzz
live-project-online.live
live-projects-online.top
loriginal.online
m85.online
maariv.net
mailer-daemon.info
mailer-daemon.us
mccainlnstitute.org
mterview.site
myaccount-signin.com
nterview.site
online-access.live
panel-check-short.live
panel-live-check.online
panel-short-check.live
panel-view-short.online
panel-view.live
panel-view.online
panel-views-cheking.live
panelchecking.live
paneling-viewing.live
panels-views-ckeck.live
quomodocunquize.site
recognize-validation.online
reconsider.site
revive-project-live.online
s20.site
s51.online
s59.site
short-url.live
short-view.online
shortenurl.online
shorting-ce.live
shortingurling.live
shortlinkview.live
shortulonline.live
shoting-urls.live
signin-acconut.com
signin-accounts.com
signin-mail.com
signin-mails.com
signin-myaccounts.com
simple-process-static.top
status-short.live
stellar-roar-right.buzz
support-account.xyz
sweet-pinnacle-readily.online
tcvision.online
themedealine.org
timesfisrael.com
title-flow-store.online
tnt200.mywire.org
twision.top
vanityfaire.org
verify-person-entry.top
view-cope-flow.online
view-panel.live
view-pool-cope.online
view-total-step.online
viewstand.online
viewtop.online
virtue-regular-ready.online
washinqtonpost.press
we-transfer.shop
ynetnews.press
youronlineregister.com
youtransfer.live

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-11-22-v10179/172

dnx.capital
sharedrive.ink
washingtonlnstitute.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-11-30-v10185/185
# Reference: https://twitter.com/ThreatBookLabs/status/1613825659582959617

cutly.biz
mailer-daemon.live
mailer-daemon.me
mailer-daemon.net
mailer-daemon.online
mailer-daemon.org
tinyurl.ink

# Reference: https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank
# Reference: https://otx.alienvault.com/pulse/638e5648107623c3429e8c21

continuetogo.me
mailer-daemon-message.co

# Reference: https://twitter.com/ET_Labs/status/1629278117071147008

compact-miracle-abounds.top
funeral-engineering-expression.top
node-dashboard.site
node-panel.site
stellar-stable-faith.top

# Reference: https://www.secureworks.com/blog/cobalt-illusion-masquerades-as-atlantic-council-employee

bonny-marvels-authentic.top
live-redirect-system.top
progress-captivate-amply.top
review-status-plan.online
sincerely-sensation-outdo.top

# Reference: https://twitter.com/k3yp0d/status/1650513653802708996

optimac-hr.com
optimax-hr.com

# Reference: https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/

deersharpfork.info
subinfralab.info
blackturtle.hopto.org

# Reference: https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware
# Reference: https://otx.alienvault.com/pulse/64499283c56cf14e277f9063

mail-updateservice.info
maill-support.com
mailupdate.com
mailupdate.info
msn-center.uk
msn-service.co
twittsupport.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware
# Reference: https://www.virustotal.com/gui/ip-address/144.217.129.176/relations

checkup.webredirect.org
filemanager.theworkpc.com
fuschia-rhinestone.cleverapps.io
library-store.camdvr.org

# Reference: https://twitter.com/blackorbird/status/1690994786415874048
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/Charming%20Kitten/2023-08-10-cyber-brief-no-01-2023.pdf

beape.live
beasze.live
beeasaze.top
check-control-panel.live
check-reload-page.live
direct-view-check.live
direct-view-panel.xyz
ksview.top
load-panel.online
panel-review-check.live
view-direct-panel.live
view-direct-panel.xyz
view-home-panel.xyz

# Reference: https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/

http://37.120.222.168

# Reference: https://app.validin.com/axon?find=58.158.177.102&type=ip

canvas-life.me
flash-adobe.org
lgupluscdn.com
manage-tech.club
channel-shop.manage-tech.club
helper.canvas-life.me

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-12-04-v10478/1178

igsecurity.email
metaemailsecurity.com
metaemailsecurity.net
metahelpservice.net
metasecurityemail.org
metasupportmail.co
metasupportmail.com
xn--metaspport-v43e.com

# Reference: https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2024-01-17-v10508/1292

cloud-document-edit.onrender.com
coral-polydactyl-dragonfruit.glitch.me
east-healthy-dress.glitch.me
epibvgvoszemkwjnplyc.supabase.co
kwhfibejjyxregxmnpcs.supabase.co
ndrrftqrlblfecpupppp.supabase.co

# Reference: https://twitter.com/MsftSecIntel/status/1747666342897963362
# Reference: https://twitter.com/G60930953/status/1747821766074863690
# Reference: https://www.virustotal.com/gui/file/e0ba0cedd8a8624c75af29965e5fa7ab754fc0fcddbb330bb548dab4f2be333f/detection

prism-west-candy.glitch.me

# Reference: https://twitter.com/billyleonard/status/1757556382176313624
# Reference: https://blog.google/technology/safety-security/tool-of-first-resort-israel-hamas-war-in-cyber/
# Reference: https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf
# Reference: https://github.com/google/threat-team/blob/main/2024/2024-02-14-tool-of-first-resort-israel-hamas-war-cyber/indicators.csv

bitly.org.il
businessservicesinc.net
cyberflood.io
daemon-mailer.co
fbmro.com
gamerocker.net
glorynewstoday.com
ifstate.page.link
isra-help.org
jennifercanti.com
kathleenhumphreystore.com
latest-tools.store
mailer-daemon.co
mailerdaemon.online
morecoreservises.com
myprofileface.page.link
ncgrassfed.com
pasmoiapp.com
ppmataro.com
shebacenter.online
shebacenter.org
solofansapp.page.link
stromectolonline.com

# Reference: https://twitter.com/k3yp0d/status/1764938541203612004
# Reference: https://twitter.com/k3yp0d/status/1764940785345089940
# Reference: https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
# Reference: https://www.virustotal.com/gui/file/3226b3e7d7fdaebfe7d7f06bdaf0cad08ea9792cd32843d01e6023f67cd0c889/detection
# Reference: https://www.virustotal.com/gui/file/0e51029ba28243b0a6a071713c17357a8eb024aa4298d1ccc9e2c4ac8916df4d/detection

drive-file-share.site
worried-eastern-salto.glitch.me

# Reference: https://www.validin.com/blog/expanding-apt42-intelligence-with-validin/

3dauth.live
account-drive.com
account-siqnin.com
accredit-validity.ddns.net
accredit.network
africanblackwidow.ddns.net
atlanticconucil.org
atlanticcuoncil.com
businessinssider.org
centrallibrary.info
clarification.network
conferencecall.live
confirm-direction.ddns.net
confirm-integrity.ddns.net
confirm-validation.ddns.net
confirm-validation.mywire.org
confirm-validity.hopto.org
confirm-verify.servepics.com
confirmation-verify.hopto.org
continue-recognized.ddns.net
continue-recognized.hopto.org
digitalpufferfish.ddns.net
direction-check.online
direction-session-verify.site
direction-veracity.ddns.net
drive-acconut.com
drive-acconuts.com
drive-account.com
eatonthehotground.ddns.net
elated-supportive-exultation.top
flowerskindergarten.ddns.net
gatestonelnstitute.org
identifier-direct.ddns.net
identifier-service.ddns.net
identifier-verify.ddns.net
identity-session.ddns.net
jubilatesee.site
meeting-share.online
modification-check.online
modification-verify.ddns.net
oceanofinformation.ddns.net
ourredbucket.ddns.net
panel-status-join.live
paneling-check-live.live
paneling-cheking-df.live
permission-data.online
pnael-checking.live
products-services.network
recognize-validation.theworkpc.com
responsiblestatcraft.org
review-session.hopto.org
safeshortl.ink
schoolofpinkmice.ddns.net
session-review.hopto.org
short-modification.site
short-urling.live
shorting-urling.live
shortoni.live
shorturling.live
strainitiatives.ddns.net
thefireisburnt.ddns.net
validation-confirm.ddns.net
validity-accredit.ddns.net
verify-corroborate.ddns.net
web-getdata.site

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2024-05-06-v10590/1615

decorous-super-blender.glitch.me
wulpfsrqupnuqorhexiw.supabase.co