# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt19, codoso, c0d0so0, codoso team, deep panda, sunshop group

# Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html (Network Based Indicators (NBI))

http://104.236.77.169
http://138.68.45.9
http://162.243.143.145
autodiscover.2bunny.com
lyncdiscover.2bunny.com
tk-in-f156.2bunny.com
sfo02s01-in-f2.cloudsend.net

# Reference: https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/
# Reference: https://www.domaintools.com/resources/blog/domaintools-101-the-art-of-tracking-threat-actors

http://210.181.184.64
http://218.54.139.20
http://42.200.18.194
microsoft-cache.com
supermanbox.org
jbossas.org

# Reference: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf

ameteksen.com
asconline.we11point.com
assso.net
capstoneturbine.cechire.com
caref1rst.com
careflrst.com
EmpireB1ue.com
extcitrix.we11point.com
facefuture.us
gifas.blogsite.org
gifas.cechire.com
healthslie.com
hrsolutions.we11point.com
icbcqsz.com
kaspersyk.com
me.we11point.com
mycitrix.we11point.com
myhr.we11point.com
oa.ameteksen.com
oa.technical-requre.com
oa.trustneser.com
polarroute.com
prennera.com
savmpet.com
sharepoint-vaeit.com
sinmoung.com
ssl-vaeit.com
ssl-vait.com
topsec2014.com
vipreclod.com
vpn.we11point.com
we11point.com
webmail.kaspersyk.com
webmail.vipreclod.com
wiki-vaeit.com
ysims.com

# Reference: https://attack.mitre.org/wiki/Group/G0009
# Reference: https://krebsonsecurity.com/wp-content/uploads/2015/02/FBI-Flash-Warning-Deep-Panda.pdf

googlewebcache.com
outlookssl.com
images.googlewebcache.com
smtp.outlookssl.com

# Reference: https://twitter.com/unpacker/status/1343143954007482369
# Reference: https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/
# Reference: https://www.virustotal.com/gui/file/8b0877209594dada522e606ebac60ce82ceaa31978e71e7772fd8ae0065d53de/detection

http://106.185.43.96/user/atv.html
google-dash.com
microsoft-cache.com

# Reference: https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits
# Reference: https://otx.alienvault.com/pulse/6245655996f5a1a01e2b5d94
# Reference: https://www.virustotal.com/gui/file/c0a2a3708516a321ad2fd68400bef6a3b302af54d6533b5cce6c67b4e13b87d3/detection

http://104.223.34.198
192.95.36.61:443
gnisoft.com
smi1egate.com
b.gnisoft.com
client.gnisoft.com
giga.gnisoft.com
svn1.smi1egate.com
vpn2.smi1egate.com

# Reference: https://www.cisa.gov/uscert/ncas/alerts/aa22-174a
# Reference: https://otx.alienvault.com/pulse/62b5767285717d7d3a45b2b8

104.223.34.198:443

# Generic

/example/McAltLib.dll
/lifeandstyle/marmalade-paddington-sales-up-making-drinking
/money/ofcom-fines-nuisance-calls
/world/video/shrien-dewani-arrives-uk-murder-trial-collapses-video