# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt35, apt-c-35, donot, stealjob

# Reference: https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/

qwe.drivethrough.top
qwe.sessions4life.pw
aoc.sessions4life.pw
mon.sesions4life.pw
tes.sessions4life.pw

# Reference: https://ti.360.net/blog/articles/analysis-of-donot-andriod-sample/

godspeed.geekgalaxy.com
jasper.drivethrough.top

# Reference: https://asert.arbornetworks.com/donot-team-leverages-new-modular-malware-framework-south-asia/

conf.serviceupdateres.com
upload.cloudsekurity.online
abodeupdater.com
qmails.org
serviceupports.com
thebangladeshtoday.net
sundayobserver.net

# Reference: https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/

databig.akamaihub.stream
bigdata.akamaihub.stream
unique.fontsupdate.com

# Reference: https://twitter.com/blackorbird/status/1111159128775249920
# Reference: https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading

account-sign-in-security.ga
account-update-com.tk
account-updates-team.ga
afd-gov-bd.gq
baf-mil-bd.tk
checkbox.gq
cyber-net-pk.cf
fwo-com.tk
g00gle-com.cf
googlemail-com.gq
live-com.gq
live-com.ml
live-service.cf
login-live-com.cf
login-yah00-com.tk
login-yahoo-com.ga
live-com-owa.gq
mail-account-security-com.cf
mail-accounts-verify-com.cf
mail-intl-ja-mail-about.gq
mail-nepalarmymil-np.gq
mail-ntc-net-pk.tk
mail-outlook-support-team.tk
mail-paf-gov.cf
mail-sign-alert-notification.cf
mail-updates-systems.ga
mail-update-task.ga
mail-update-team.ga
mail-yahoo-com.tk
mail-yahoo-task.tk
micorsoft-outlook-update.ml
mofa-gov-mm.ml
mofagov-np.cf
mofa-gov-np.cf
mofa-gov-pk.tk
molaw-gov-pk.cf
outlook-com.cf
outlook-livecom.cf
outlook-live-com.cf
outlook-live-com.ga
outlooklive-com.ml
outlook-live-com.tk
outlookmail-com.tk
paec-gov-pk.ga
paec-gov-pk-taskmail.tk
paecweb-gov.gq
paecwebmail.gq
paf-gov-pk.cf
paf-gov-pk.ga
paf-gov-pk.tk
paknavy-pk.gq
paecgov-pk.cf
pmo-gov-pk.tk
pnra-org.gq
pof-gov-pk.tk
rab-gov-bd.gq
sharepoint-google.ml
slaf-gov-lk.ml
sco-gov-pk.tk
super-net-pk.cf
super-net-pk.tk
test-updates.ga
yahoo-com.ga
yahoomail.cf
yahoomail-com.cf
yahoo-mail-com.ml

# Reference: https://twitter.com/blackorbird/status/1116263262524362753

unique.fontsupdate.com

# Reference: https://otx.alienvault.com/pulse/5cb620d626b619048ca7b344
# Reference: https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/

139.180.135.59:4233
bike.drivethrough.top
car.drivethrough.top
guide.domainoutlet.site
param.drivethrough.top
justin.drinkeatgood.space
genwar.drivethrough.top
alter.drivethrough.top
qwe.drivethrough.top
digest.drinkeatgood.space
jasper.drivethrough.top
ground.domainoutlet.site
help.domainoutlet.site
guild.domainoutlet.site

# Reference: https://twitter.com/blackorbird/status/1122493860859432960

data-backup.online

# Reference: https://twitter.com/sudosev/status/1123303891062460419

mystrylust.pw
new.listenmusic.pw

# Reference: https://twitter.com/Timele9527/status/1130673924193128448

servicejobs.life

# Reference: https://twitter.com/blackorbird/status/1132951652896350208

rightapps.net/sms//images/files/nbp_request.php

# Reference: https://twitter.com/sudosev/status/1143562610492760064

new.transportfun.pw
strings.guitarshop.space

# Reference: https://twitter.com/RedDrip7/status/1145539943323717632

151.236.11.222:50240

# Reference: https://twitter.com/RedDrip7/status/1170896437229445120

mangasiso.top

# Reference: https://mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA

ezeescan.com

# Reference: https://m.threatbook.cn/detail/1924
# Reference: https://otx.alienvault.com/pulse/5d7f7deb8cdf93013777cbad
# Reference: https://www.secrss.com/articles/13726
# Reference: https://otx.alienvault.com/pulse/5d93295e8526be516a05f369
# Reference: https://twitter.com/ArielJT/status/1183064542869381121

bsodsupport.icu
en-content.com
mscheck.icu
msplugin.icu
windowserver.site
worldupdate.live

# Reference: https://twitter.com/RedDrip7/status/1188662662734893056

officeupdater.org

# Reference: https://twitter.com/ccxsaber/status/1195175943087616000

stylesheet.xyz

# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/issleduem-aktivnost-kibergruppirovki-donot-team/ (Russian)

burningforests.com
cloud-storage-service.com
skillsnew.top

# Reference: https://twitter.com/Rmy_Reserve/status/1206596674920972288

full.newcontest.xyz

# Reference: https://twitter.com/ccxsaber/status/1213050724403167238

mimestyle.xyz

# Reference: https://twitter.com/Arkbird_SOLG/status/1214146144177197058

comodo.world

# Reference: https://twitter.com/Arkbird_SOLG/status/1214146146563698689
# Reference: https://app.any.run/tasks/2907c2bd-a00d-4742-9467-01b8058e734a/

testypoha.top

# Reference: https://twitter.com/Timele9527/status/1253165991351119872

supportsession.live

# Reference: https://twitter.com/Youngs0xff/status/1254959731338178560

rythemsjoy.club

# Reference: https://twitter.com/ShadowChasing1/status/1260881015133753345

spectronet.pw

# Reference: https://twitter.com/AnonySecAgency/status/1263046236652728324

mailsession.online

# Reference: https://twitter.com/ShadowChasing1/status/1267834418942492672

advancesearch.xyz

# Reference: https://twitter.com/Timele9527/status/1271098267590221824

covidpk.uno
datasecure.icu
filepage.icu
meflying.xyz
remindme.top
yourcontents.xyz

# Reference: https://twitter.com/ccxsaber/status/1274978583463649281

dnsresolve.live

# Reference: https://twitter.com/ccxsaber/status/1275611268192145408

tampotrust.top