# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://securelist.com/deathstalker-mercenary-triumvirate/98177/
# Reference: https://otx.alienvault.com/pulse/5f43eff7af4508bf663e17ea
# Reference: https://archive.f-secure.com/weblog/archives/00002803.html

# Reference: https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/ (# PowerPepper)
# Reference: https://otx.alienvault.com/pulse/5fc9193078e666899f4cc5a7

# Reference: https://twitter.com/z0ul_/status/1389328825855746051 (# PyVil RAT)

# Reference: https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/
# Reference: https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/