# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: apt-c-35, donot, stealjob # Reference: https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/ # Reference: https://community.riskiq.com/article/6f60db72 qwe.drivethrough.top qwe.sessions4life.pw aoc.sessions4life.pw mon.sesions4life.pw tes.sessions4life.pw drivethrough.top trendzs.club sessions4life.club sesions4life.pw sessions4life.pw # Reference: https://ti.360.net/blog/articles/analysis-of-donot-andriod-sample/ godspeed.geekgalaxy.com jasper.drivethrough.top drivethrough.top geekgalaxy.com # Reference: https://asert.arbornetworks.com/donot-team-leverages-new-modular-malware-framework-south-asia/ conf.serviceupdateres.com upload.cloudsekurity.online abodeupdater.com qmails.org serviceupdateres.com serviceupports.com thebangladeshtoday.net sundayobserver.net # Reference: https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/ databig.akamaihub.stream bigdata.akamaihub.stream unique.fontsupdate.com akamaihub.stream fontsupdate.com # Reference: https://twitter.com/blackorbird/status/1111159128775249920 # Reference: https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading account-sign-in-security.ga account-update-com.tk account-updates-team.ga afd-gov-bd.gq baf-mil-bd.tk checkbox.gq cyber-net-pk.cf fwo-com.tk g00gle-com.cf googlemail-com.gq live-com.gq live-com.ml live-service.cf login-live-com.cf login-yah00-com.tk login-yahoo-com.ga live-com-owa.gq mail-account-security-com.cf mail-accounts-verify-com.cf mail-intl-ja-mail-about.gq mail-nepalarmymil-np.gq mail-ntc-net-pk.tk mail-outlook-support-team.tk mail-paf-gov.cf mail-sign-alert-notification.cf mail-updates-systems.ga mail-update-task.ga mail-update-team.ga mail-yahoo-com.tk mail-yahoo-task.tk micorsoft-outlook-update.ml mofa-gov-mm.ml mofagov-np.cf mofa-gov-np.cf mofa-gov-pk.tk molaw-gov-pk.cf 
outlook-com.cf outlook-livecom.cf outlook-live-com.cf outlook-live-com.ga outlooklive-com.ml outlook-live-com.tk outlookmail-com.tk paec-gov-pk.ga paec-gov-pk-taskmail.tk paecweb-gov.gq paecwebmail.gq paf-gov-pk.cf paf-gov-pk.ga paf-gov-pk.tk paknavy-pk.gq paecgov-pk.cf pmo-gov-pk.tk pnra-org.gq pof-gov-pk.tk rab-gov-bd.gq sharepoint-google.ml slaf-gov-lk.ml sco-gov-pk.tk super-net-pk.cf super-net-pk.tk test-updates.ga yahoo-com.ga yahoomail.cf yahoomail-com.cf yahoo-mail-com.ml # Reference: https://twitter.com/blackorbird/status/1116263262524362753 unique.fontsupdate.com # Reference: https://otx.alienvault.com/pulse/5cb620d626b619048ca7b344 # Reference: https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/ 139.180.135.59:4233 bike.drivethrough.top car.drivethrough.top guide.domainoutlet.site param.drivethrough.top justin.drinkeatgood.space genwar.drivethrough.top alter.drivethrough.top qwe.drivethrough.top digest.drinkeatgood.space jasper.drivethrough.top ground.domainoutlet.site help.domainoutlet.site guild.domainoutlet.site domainoutlet.site drinkeatgood.space drivethrough.top # Reference: https://twitter.com/blackorbird/status/1122493860859432960 data-backup.online # Reference: https://twitter.com/sudosev/status/1123303891062460419 mystrylust.pw new.listenmusic.pw # Reference: https://twitter.com/Timele9527/status/1130673924193128448 servicejobs.life # Reference: https://twitter.com/blackorbird/status/1132951652896350208 rightapps.net/sms//images/files/nbp_request.php # Reference: https://twitter.com/h2jazi/status/1414062099756634113 # Reference: https://twitter.com/h2jazi/status/1414062101384007683 # Reference: https://www.virustotal.com/gui/file/c1923226d58186c7e0735e058be80022a57e7e819e1e41b4c6e03065252be11f/detection rightapps.net/web/images/adobe.pdf # Reference: https://twitter.com/sudosev/status/1143562610492760064 # Reference: 
https://github.com/faisalusuf/ThreatIntelligence/blob/main/APT%20DONOT%20TEAM/Tracking-DONOT-IOCs.csv new.transportfun.pw strings.guitarshop.space guitarshop.space transportfun.pw # Reference: https://twitter.com/RedDrip7/status/1145539943323717632 151.236.11.222:50240 # Reference: https://twitter.com/RedDrip7/status/1170896437229445120 mangasiso.top # Reference: https://mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA ezeescan.com # Reference: https://m.threatbook.cn/detail/1924 # Reference: https://otx.alienvault.com/pulse/5d7f7deb8cdf93013777cbad # Reference: https://www.secrss.com/articles/13726 # Reference: https://otx.alienvault.com/pulse/5d93295e8526be516a05f369 # Reference: https://twitter.com/ArielJT/status/1183064542869381121 bsodsupport.icu en-content.com mscheck.icu msplugin.icu windowserver.site worldupdate.live # Reference: https://twitter.com/RedDrip7/status/1188662662734893056 officeupdater.org # Reference: https://twitter.com/ccxsaber/status/1195175943087616000 stylesheet.xyz # Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/issleduem-aktivnost-kibergruppirovki-donot-team/ (Russian) burningforests.com cloud-storage-service.com skillsnew.top # Reference: https://twitter.com/Rmy_Reserve/status/1206596674920972288 full.newcontest.xyz # Reference: https://twitter.com/ccxsaber/status/1213050724403167238 mimestyle.xyz # Reference: https://twitter.com/Arkbird_SOLG/status/1214146144177197058 comodo.world # Reference: https://twitter.com/Arkbird_SOLG/status/1214146146563698689 # Reference: https://app.any.run/tasks/2907c2bd-a00d-4742-9467-01b8058e734a/ testypoha.top # Reference: https://twitter.com/Timele9527/status/1253165991351119872 supportsession.live # Reference: https://twitter.com/Youngs0xff/status/1254959731338178560 rythemsjoy.club # Reference: https://twitter.com/ShadowChasing1/status/1260881015133753345 spectronet.pw # Reference: https://twitter.com/AnonySecAgency/status/1263046236652728324 mailsession.online # Reference: 
https://twitter.com/ShadowChasing1/status/1267834418942492672 advancesearch.xyz # Reference: https://twitter.com/Timele9527/status/1271098267590221824 covidpk.uno datasecure.icu filepage.icu meflying.xyz remindme.top yourcontents.xyz # Reference: https://twitter.com/ccxsaber/status/1274978583463649281 dnsresolve.live # Reference: https://twitter.com/ccxsaber/status/1275611268192145408 tampotrust.top # Reference: https://twitter.com/ccxsaber/status/1279958779388297216 securecon.top # Reference: https://twitter.com/ShadowChasing1/status/1287039040038952960 coronotest.xyz filedata.top # Reference: https://twitter.com/ShadowChasing1/status/1289083580514107394 # Reference: https://twitter.com/500mk500/status/1289100860254027776 # Reference: https://www.virustotal.com/gui/file/f5432e3a4184baf3957035ded89916310f3a7f791b3bcf3e2e92c3dba4682d26/detection # Reference: https://www.virustotal.com/gui/file/124f2f71d658fdbeacaf648ec6811589ef01b4154471378839724a79de0edd48/detection sparc.org.in/wp-content/uploads/2020/06/now/rt.rtf http://164.68.108.22 164.68.108.22:4140 164.68.108.22:6102 /cruisers/beacon.php # Reference: https://twitter.com/ShadowChasing1/status/1289198158669443078 apifile.xyz # Reference: https://twitter.com/ShadowChasing1/status/1286504871416360961 filecopying.xyz # Reference: https://threatconnect.com/blog/research-roundup-recent-probable-charming-kitten-infrastructure/ # Reference: https://otx.alienvault.com/pulse/5f2c73733fc6956731644a7d # Reference: https://twitter.com/kyleehmke/status/1290613021992255488 accounts.googel.email app-view-support.club cmailco.xyz cnnnews-app.xyz control-user-activity.club control-view-sharing.club cover-home-page.site email-checker.xyz fatservice.site g-shorturl.com gmail-com.xyz googel.email hinbox-drive.info inbox-drive.info login-gov.info mail-instgram.com mailco.xyz mailerdaemon.me name-file-support.best on-dr.com page-support-view.club preview-control-support.club reload-cover-page.live reload-page-cover.site 
support-following-page.club support-myservice.com support-viewing-page.club verify-identity-service.best verifychecking.com view-control-page.club view-control-support.club view-external-page.best view-panel-control.club # Reference: https://twitter.com/ShadowChasing1/status/1292286043874455552 # Reference: https://www.virustotal.com/gui/file/addf78fe59b2b0f45c3c448caee35c206ecae5a51a5c0e0f71ef361ea5fae6e0/detection 142.93.12.211:4233 # Reference: https://twitter.com/ShadowChasing1/status/1302882266910253056 checkinternet.icu # Reference: https://twitter.com/ShadowChasing1/status/1304968566114975745 msfonts.live word-dnld.com # Reference: https://s.tencent.com/research/report/951.html # Reference: https://community.riskiq.com/article/6f60db72 # Reference: https://twitter.com/voodoodahl1/status/1267571622732578816 # Reference: https://otx.alienvault.com/pulse/5f74ce39f8419e27addbd726 advancesearch.xyz apkfreeware.xyz appie.host bitiy.info brightnew.xyz bulk.fun carefile.icu covidapp.icu dnsrevanche.xyz domainoutlet.site drivethrough.top fiddaz.club inapfirst.top inapscnd.top inapturst.top lowlilght.xyz mangasiso.top mimestyle.xyz mimeversion.top myappshare.xyz mypersonaldrive.icu n9cl.xyz newbulb.xyz phovonel.icu ppadaolnwod.xyz qwertykeypad.host rythemsjoy.club seahome.top spectronet.pw trakfind.buzz verisign.monster whynotworkonit.top # Reference: https://twitter.com/malwrhunterteam/status/1314236986018988035 # Reference: https://twitter.com/bl4ckh0l3z/status/1314252380867899393 # Reference: https://www.virustotal.com/gui/file/70df22a25cbb8715f1d3dd693123ac92203b3a27dfc6c7fa0e48239cf15cbf02/detection 45.147.229.93:4233 joy-trends.xyz qwertykeypad.host trendsjoy.biz webchat.life # Reference: https://twitter.com/_re_fox/status/1315388450414227467 # Reference: https://twitter.com/RedDrip7/status/1320568526730477571 # Reference: https://www.virustotal.com/gui/file/19321da02763a73eda1cdff7d073f7da18b5f32121fbddcee8eab60ac13d418a/detection # Reference: 
https://www.virustotal.com/gui/file/c9c2f68074bafb0885c8f3ace3e3188f38471e0710caefa50192ecd05edecac2/detection soundvista.club # Reference: https://blog.talosintelligence.com/2020/10/donot-firestarter.html # Reference: https://otx.alienvault.com/pulse/5f9ad41f97b945d0a6797baa apkv6.endurecif.top bulk.fun fif0.top inapturst.top seahome.top # Reference: https://twitter.com/ShadowChasing1/status/1324694029620006913 # Reference: https://www.virustotal.com/gui/file/ab6c34abe0d42dc0b93213661e24257b504b8d8973f4f5993d64e6631bd1358d/detection createlist.xyz # Reference: https://twitter.com/malwrhunterteam/status/1325782688062693376 # Reference: https://www.virustotal.com/gui/file/449979f1b1a9db98dad92de3f3af7045f0dc470085b9640b77f27675feaeefd8/detection 167.99.190.44:8090 latertime.icu # Reference: https://twitter.com/ShadowChasing1/status/1328980811102654465 # Reference: https://twitter.com/midnight_comms/status/1329043473635307522 # Reference: https://www.virustotal.com/gui/file/8885752384e54f65c7bd94982fadfa016f906960e9a53492a908eda12335f5aa/detection 45.138.172.7:4233 pvtchat.live # Reference: https://twitter.com/cyberwar_15/status/1331490166473519106 hometaxcenter.web.app # Reference: https://twitter.com/malwrhunterteam/status/1336980863272308742 namearch.xyz yourlsd.xyz # Reference: https://twitter.com/ShadowChasing1/status/1336997657865175040 sportfunk.xyz # Reference: https://twitter.com/ShadowChasing1/status/1337256313831604225 instantinfo.buzz # Reference: https://twitter.com/malwrhunterteam/status/1348575001109286913 # Reference: https://twitter.com/bl4ckh0l3z/status/1348575976196866048 # Reference: https://www.virustotal.com/gui/file/f1772de5062571ab63518595a36daf12203bcbc13f530a10ebc382e89220c840/detection 167.99.130.191:8090 transp.link # Reference: https://twitter.com/_re_fox/status/1315467764656726017 # Reference: https://twitter.com/ShadowChasing1/status/1359479141146365952 # Reference: https://www.virustotal.com/gui/ip-address/5.135.199.23/detection # 
Reference: https://www.virustotal.com/gui/file/18cfe54cf4a92d1757ee471cd09c20b5aea8578b9db660239de5ba8208cc8be8/detection # Reference: https://www.virustotal.com/gui/file/9d216202b7718a9a8b99ead16685790283992c1f41981c1b862762abda17b4cd/detection # Reference: https://www.virustotal.com/gui/file/36b8af9e7eade60304cce874c383c6c68f37ea4fa69fcf36095f993b69c8786f/detection networkspeed.live resolverequest.live # Reference: https://twitter.com/malwrhunterteam/status/1359512197911699457 # Reference: https://twitter.com/bl4ckh0l3z/status/1360157297734004739 # Reference: https://www.virustotal.com/gui/file/c5c50a2a600c6372e8757f9371fe475a7041d448a96f7361c0eda1b9951301d2/detection 135.181.198.146:8099 fatchinfo.xyz mobilelink.buzz # Reference: https://twitter.com/ShadowChasing1/status/1364448144323342338 # Reference: https://twitter.com/ShadowChasing1/status/1368945187230257154 # Reference: https://twitter.com/ShadowChasing1/status/1369944378584690688 # Reference: https://www.virustotal.com/gui/file/dc1bd94c1941dcfa69c5561959cec64c3f5b1c3c0738f66a33c320c0c4217030/detection # Reference: https://www.virustotal.com/gui/file/03730cdc23a3d10c8752ad1464ff2e68a64c69f8310b0ceea4d52b1db0215dfc/detection # Reference: https://www.virustotal.com/gui/file/e82a17c9c0936de0c50267a296b801d1d7073293ad93b444eb63f336ebb46330/detection tplinkupdates.space firm.tplinkupdates.space /8ujdfuyer8d8f7d98jreerje /8ujdfuyer8d8f7d98jreerje.doc /8ujdfuyer8d8f7d98jreerje.dot /bikuyteftgyheujdike11ygeyg /bikuyteftgyheujdike11ygeyg.doc /bikuyteftgyheujdike11ygeyg.dot /ujhsygdhgtsygbuehdthd /ujhsygdhgtsygbuehdthd.doc /ujhsygdhgtsygbuehdthd.dot # Reference: https://twitter.com/ShadowChasing1/status/1364536619353575429 # Reference: https://www.virustotal.com/gui/file/79b6fd53fc676089d691ddbbf54da0855abd23d91c2325555d258eaca2c1dfb6/detection flickry.xyz # Reference: https://twitter.com/ShadowChasing1/status/1365304023775989761 # Reference: 
https://www.virustotal.com/gui/file/c1aa62da6cbb8656741d88a4c30c9620188b7045d0b0d271065464fdfbcab76f/detection printerupdates.online info.printerupdates.online # Reference: https://twitter.com/ShadowChasing1/status/1366672088241606658 # Reference: https://twitter.com/ShadowChasing1/status/1366688956088131584 requireplugin.xyz worxbox.xyz /AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo /AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo.dat /AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo.doc /AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo.dot # Reference: https://twitter.com/malwrhunterteam/status/1366839536890900482 # Reference: https://twitter.com/bl4ckh0l3z/status/1366866811455684612 # Reference: https://www.virustotal.com/gui/file/80151e5971821b1f0abb13b049efb0eeb9b1626b2f5501fc9ac21918935a6c3e/detection shortler.xyz # Reference: https://twitter.com/malwrhunterteam/status/1370400639155589132 # Reference: https://www.virustotal.com/gui/file/680681423d5007030bd3fe577b88f4c5df6dc423cdaa6aa415ecae01bd83b0d7/detection 178.63.172.2:4233 bismi.club # Reference: https://twitter.com/ShadowChasing1/status/1379048935969316871 paperflies.buzz worldfronts.xyz /h9i341lDMiztxAqrWsaOwHfUkSrAFWuI /h9i341lDMiztxAqrWsaOwHfUkSrAFWuI.dat /h9i341lDMiztxAqrWsaOwHfUkSrAFWuI.doc /h9i341lDMiztxAqrWsaOwHfUkSrAFWuI.dot # Reference: https://twitter.com/ShadowChasing1/status/1380555450433728513 # Reference: https://www.virustotal.com/gui/file/f18aba837e86025dfb9bd3fd2c4bf161f679ff1f3d10e7a480d682178051a9b9/detection instadownload.buzz # Reference: https://twitter.com/ShadowChasing1/status/1384825247061331980 # Reference: https://www.virustotal.com/gui/file/81b4a8f6ff2489e01f6b09126583673d3df922a0bbf7ff2cbcef2bcf6102b951/detection loadingmessage.info # Reference: https://twitter.com/ShadowChasing1/status/1387026581453893635 # Reference: https://www.virustotal.com/gui/file/e82d1f4f2960aef4142c32d7920b97700f2b5957bb4807bfcd59e586e71a33c0/detection nextra.buzz # Reference: https://twitter.com/ShadowChasing1/status/1387309759217365000 # Reference: 
https://twitter.com/ShadowChasing1/status/1387309762132336647 # Reference: https://www.virustotal.com/gui/file/694d433a729b65993dae758e862077c2d82c92018e8e310e121e1fa051567dba/detection idmquick.xyz wserves.xyz /IvGRnMiDzgderQQteqNjNgKoIYqaLW6C /IvGRnMiDzgderQQteqNjNgKoIYqaLW6C.dat /IvGRnMiDzgderQQteqNjNgKoIYqaLW6C.doc /IvGRnMiDzgderQQteqNjNgKoIYqaLW6C.dot # Reference: https://twitter.com/fuuuing_/status/1387958339569479683 # Reference: https://www.virustotal.com/gui/file/edd590c343570f7576aca83da58967e058585c6ba861682dca2fc987c713ee3a/detection edgevista.live files.edgevista.live /abjhdueuhkuclli78jfkdfj /abjhdueuhkuclli78jfkdfj.dat /abjhdueuhkuclli78jfkdfj.doc /abjhdueuhkuclli78jfkdfj.dot # Reference: https://twitter.com/r3dbU7z/status/1388510523579305988 # Reference: https://twitter.com/r3dbU7z/status/1388937495677743104 # Reference: https://www.virustotal.com/gui/file/08d7ec323925fa1de26d49c0dc414acb8ef3f876fd4b173673895465a27eda46/detection 66.23.225.108:8001 # Reference: https://twitter.com/Circuitous__/status/1390290226090754058 # Reference: https://www.virustotal.com/gui/file/3d63156060c7568b2c3065820f698fdadb6e48910ec82593a61c306c13f5692c/detection venturelabo.co cloud.venturelabo.co # Reference: https://twitter.com/ShadowChasing1/status/1391383866347331590 # Reference: https://www.virustotal.com/gui/file/89d357d9731a046d4ba671e67bf0b4b300302a137a76e1e7ab3675fcd5b922ac/detection icuttly.buzz # Reference: https://twitter.com/ShadowChasing1/status/1393718569507069953 # Reference: https://www.virustotal.com/gui/file/7e8a0f71d52ce23e2ac0bb23795df7bc56d9166eb39f042d75226f01b4203749/detection imageview.xyz # Reference: https://twitter.com/ShadowChasing1/status/1397892294599081988 # Reference: https://www.virustotal.com/gui/file/ea5cff131dda16855a4a6f89e25728ac970ee342df9f496ab616c646f8e7b433/detection webservice.buzz # Reference: https://twitter.com/malwrhunterteam/status/1398672382626304006 # Reference: 
https://twitter.com/ShadowChasing1/status/1398800211988803586 # Reference: https://www.virustotal.com/gui/file/41322bfef851e2ff973be411fa8cb5360a95b1dbc9004d96c19b62419810d138/detection yoururl.icu # Reference: https://twitter.com/360CoreSec/status/1400726492389146625 # Reference: https://twitter.com/ShadowChasing1/status/1402417052426522626 credmg.xyz frontcheck.buzz getsr.xyz nelog.buzz plugindownload.buzz solutionsroof.xyz /YsiNqNecL9cNFZv144OWCjioAQukPtyy /YsiNqNecL9cNFZv144OWCjioAQukPtyy.dat /YsiNqNecL9cNFZv144OWCjioAQukPtyy.doc /YsiNqNecL9cNFZv144OWCjioAQukPtyy.dot # Reference: https://twitter.com/ShadowChasing1/status/1404610201194360832 # Reference: https://www.virustotal.com/gui/file/a3c020bf50d39a58f5345b671c43d790cba0e2a3f631c5182437976adf970633/detection microsoft-updates.servehttp.com # Reference: http://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html # Reference: https://www.virustotal.com/gui/ip-address/46.30.188.222/relations linux-stable.sytes.net microsoft-docs.myftp.org nucleusvision.sytes.net webmail-org.servehttp.com # Reference: https://twitter.com/ShadowChasing1/status/1407636259367899138 # Reference: https://www.virustotal.com/gui/file/0a456bd773d6eb0a479f3bb43fe88e7b781dae310e56dbe001eaa68273e326ee/detection winxpo.live # Reference: https://twitter.com/fuuuing_/status/1409327487985745920 # Reference: https://www.virustotal.com/gui/ip-address/51.195.211.91/relations # Reference: https://www.virustotal.com/gui/file/a59195a5a87b6d6e4275e01a2360003bf55bcc72772e92b07f22e59aaa7b3cad/detection biteupdates.site dataupdates.live /BcX21DKixeXs44skdqqD /BcX21DKixeXs44skdqqD.dat /BcX21DKixeXs44skdqqD.doc /BcX21DKixeXs44skdqqD.dot # Reference: https://twitter.com/ShadowChasing1/status/1410030175362850818 # Reference: https://www.virustotal.com/gui/file/aadaf88e315592aae5c2255ad9acbc175a6b5eec5c69ab0c81099b84e66e04f8/detection nextgent.top # Reference: https://twitter.com/ShadowChasing1/status/1410930643446353924 # Reference: 
https://www.virustotal.com/gui/file/b7b3a3a9274541246e8a3f330b8a2e594fadf5281652c4490b68f4e5f77e8858/detection domhub.live # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1413500787502706691 # Reference: https://twitter.com/h2jazi/status/1412819829925593089 # Reference: https://www.virustotal.com/gui/file/4678c0e3a563119790dc1f77dee974af8151c833bfbaf1ae86ebc74569fa1f47/detection akamaifast.club submitonline.club request.submitonline.club update.akamaifast.club # Reference: https://twitter.com/blackorbird/status/1416963499658338304 # Reference: https://mp.weixin.qq.com/s/v62AeG6vNcQTm1-zc4nXBQ (Chinese) designerzebra.com realworld.sytes.net # Reference: https://twitter.com/ShadowChasing1/status/1417296126852567049 tinyshort.icu # Reference: https://twitter.com/ShadowChasing1/status/1419299952069464065 # Reference: https://www.virustotal.com/gui/file/a38cce6ee4ab232f259d98818fa1cd06d7784dac21d42fc41eac4ad26f5bd63e/detection # Reference: https://www.virustotal.com/gui/file/3a7e30efd0a283ef764dfa5762fcb1aacca031b18084b49b993ae7b20ec31dd0/detection picarts.xyz # Reference: https://twitter.com/h2jazi/status/1420414156155596804 # Reference: https://www.virustotal.com/gui/file/8cb4ed2d3f3f466f2417b95856ac0eb268a578e6bfd26c615b2a4adc0094ecd2/detection # Reference: https://www.virustotal.com/gui/file/3bbae53fc00449166fd9255b3f3192deba0b81b41b6e173d454c398a857b5094/detection microsoft-patches.servehttp.com # Reference: https://twitter.com/ShadowChasing1/status/1420768191505002501 # Reference: https://www.virustotal.com/gui/file/5948c9539e1f843a350fda27bd97bb9dd1c6427a3f9b45ac95032319f844bb32/detection bitdo.xyz # Reference: https://twitter.com/ShadowChasing1/status/1421481147389812736 # Reference: https://www.virustotal.com/gui/file/75fcff78f5c71315fb54cf244f681e27b3480510042b3dd406b88ca65d6ccce4/detection 88.150.227.96:4233 omegas.site # Reference: https://www.virustotal.com/gui/file/07ebe38795cfe0388975fd1a07c179a5f8abe8539de2ee575c55fb2d38c03e87/detection 
pvttchat.live # Reference: https://twitter.com/malwrhunterteam/status/1446115320087801862 # Reference: https://www.virustotal.com/gui/file/b184aaf786ed7e9e1fa2fc9fc77a574c8b6d8e3ea431bb5bd76fab5e949731e2 jarshare.live # Reference: https://twitter.com/s1ckb017/status/1461610955587178500 # Reference: https://www.virustotal.com/gui/ip-address/81.17.30.41/relations # Reference: https://www.virustotal.com/gui/file/091cde4c9a8e7dd2bfcb6d1854f724f5ec4e47159ec04b8311f44d30a996e5a3 digitalresolve.live printersolutions.live /ekcvilsrkjiasfjkikiakik # Reference: https://twitter.com/GGGGh0st/status/1461632762721542146 # Reference: https://www.virustotal.com/gui/file/268fa6131f57de67d554cedf7f1abbd7cba1660a30fddfb07ebf3e1b5d650205/detection # Reference: https://www.virustotal.com/gui/file/b0af54f01f4c3157d4ef5ff72a628574ed4f4aa9ada89eff319715765e175765/detection svhservice.xyz wordfile.live # Reference: https://twitter.com/GGGGh0st/status/1439120967612002309 # Reference: https://www.virustotal.com/gui/ip-address/54.38.212.184/relations # Reference: https://www.virustotal.com/gui/file/32dbb7c9afde7e9acd3a13ac97a09ae8cacde69c4a51c38e6ea4a61d301c54eb/detection edgevista.live soundedge.live files.edgevista.live request.edgevista.live request.soundedge.live /access/vicosijoxsdf # Reference: https://twitter.com/HONKONE_K/status/1462653781485576194 # Reference: https://twitter.com/GGGGh0st/status/1463033122665213953 # Reference: https://www.virustotal.com/gui/file/cf0bc5361919e166253c35e4efb3c6288fd5bec4211b4bb31a0a7b4d1fd54de5 getzarvis.xyz /9zxd7eXLBiMT6m4w/U7h25bSTybOFjNe1.php /9zxd7eXLBiMT6m4w/ /U7h25bSTybOFjNe1.php # Reference: https://twitter.com/ShadowChasing1/status/1463498326481932289 /BXRi3EE06i5IES2k/rns63jefark0bRQf.php /BXRi3EE06i5IES2k/ /rns63jefark0bRQfxxc6qM8l5tmR16vi2pTahsP7MWVZAOl8 /rns63jefark0bRQfxxc6qM8l5tmR16vi2pTahsP7MWVZAOl8.rtf /rns63jefark0bRQf.php # Reference: 
https://www.virustotal.com/gui/file/2db9c7a14de6c58b46f41b9519f56b813baa05d825b09a1c7096101c44670076/detection /goHULMS9jXVytbJi/LUPQwf50wsIPdiei.php /goHULMS9jXVytbJi/ /LUPQwf50wsIPdieiJjMb9nV4g5WlDRTzL00cZ3y7PXsdRdQN /LUPQwf50wsIPdieiJjMb9nV4g5WlDRTzL00cZ3y7PXsdRdQN.rtf /LUPQwf50wsIPdiei.php # Reference: https://twitter.com/h2jazi/status/1463937730036051975 # Reference: https://www.virustotal.com/gui/file/5cff3f8205d5d6991185a1650b9fb1ff31dea5e750be2e62e59e1c96701c47c8 /AuC8S7jmqLYSYHyb/8MSN6hJJJ4tyVbDz.php /AuC8S7jmqLYSYHyb/ /8MSN6hJJJ4tyVbDz.php # Reference: https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread # Reference: https://www.virustotal.com/gui/file/df203b04288af9e0081cd18c7c2daec2bc4686e2e21dcaf415bb70bbd12169a0/detection traveltriangle.cc # Reference: https://twitter.com/HONKONE_K/status/1469175567228760067 # Reference: https://www.virustotal.com/gui/ip-address/146.70.80.105/relations # Reference: https://www.virustotal.com/gui/file/2d55cf612a33672948fdd7ea027fcd5ab065123dda7baefb01fbb1ec80a45aeb/detection stickme.live # Reference: https://twitter.com/BaoshengbinCumt/status/1470661161129766914 # Reference: https://www.virustotal.com/gui/file/bbb8f961bf36d702f7ed494576481c70fd09bda7f6daf9085130482a17e00f45/detection appview.buzz # Reference: https://www.virustotal.com/gui/file/a6b5dac9b67da3c2b96c13f3513ca1463f3d05096bf3a8083efea4eee0e11266/detection app-palace.live # Reference: https://twitter.com/malwrhunterteam/status/1478069767810527235 # Reference: https://twitter.com/bl4ckh0l3z/status/1478365182653042693 # Reference: https://www.virustotal.com/gui/file/e1c24030653d15ee673627bf28f165d1a30be5027b8cd4186ac6bfd9809e8cb8/detection appstringfy.xyz # Reference: https://twitter.com/malwrhunterteam/status/1483433924986650626 # Reference: https://twitter.com/midnight_comms/status/1483511201543995397 # Reference: 
https://www.virustotal.com/gui/file/e180e607ece9b29674ded20b9948fb512c1f953f58c1124bb0251c35d6771e59/detection trialdocs.xyz # Reference: https://twitter.com/ShadowChasing1/status/1485599591873810434 # Reference: https://www.virustotal.com/gui/file/715ea2906434f021110515606a941d72315b8997384c1fa3e93e176f1e90886c/detection # Reference: https://www.virustotal.com/gui/file/773a4aa92659e30f1ffd89f74968876dc258783f55d4bf5128bd620fa4993f94/detection worldfile.xyz /269LPtq84u4pLqye/jnj3GFBTIGohYrCQ.php /269LPtq84u4pLqye/ /jnj3GFBTIGohYrCQ.php # Reference: https://twitter.com/ShadowChasing1/status/1485599594306469903 easycldshare.xyz files.easycldshare.xyz /jnj3GFBTIGohYrCQHMzQ9gJ3sHXFBrlgU5sHI6scYl86Xm4W /jnj3GFBTIGohYrCQHMzQ9gJ3sHXFBrlgU5sHI6scYl86Xm4W.rtf # Reference: https://twitter.com/malwrhunterteam/status/1489591376840957952 # Reference: https://www.virustotal.com/gui/file/5588f6fab387133c21b06f6248259c64260435898edd61866fad50312c2d3b25/detection pam-beesly.site /J2FWAHfmgH573SUB/CbvktaN6f8qTMJ26/CbvktaN6f8qTMJ26 /J2FWAHfmgH573SUB/tJhhBk8Cb5DLmBBq /CbvktaN6f8qTMJ26 /tJhhBk8Cb5DLmBBq # Reference: https://twitter.com/ShadowChasing1/status/1489732370093654016 # Reference: https://www.virustotal.com/gui/file/49ede2937a565ffe13f1212c8c67a8a7828b4ce7ede51b7753d597ec21855d6e/detection 131.153.22.218:4233 zaqxswcdevfrbgtnhymjukilop.online chat.zaqxswcdevfrbgtnhymjukilop.online # Reference: https://twitter.com/__0XYC__/status/1494639713361268740 # Reference: https://twitter.com/ShadowChasing1/status/1494670929116295176 # Reference: https://twitter.com/GGGGh0st/status/1497057272354451456 # Reference: https://www.virustotal.com/gui/ip-address/158.69.30.207/relations # Reference: https://www.virustotal.com/gui/file/e18609f62b9f420474ac4543d326455a5dfb0e95da7c3e88b388c9244490f150/detection # Reference: https://www.virustotal.com/gui/file/2f9174eff646bc08557b2f05cdc149e87c9b5c83f23c3a7a34db061a81280a2a/detection latestsyn.xyz backup.latestsyn.xyz /smtpmail/mnijuakurjhjajbcakjd 
/dcneikirki1290534lo /mnijuakurjhjajbcakjd # Reference: https://twitter.com/malwrhunterteam/status/1494602480948236288 # Reference: https://twitter.com/bl4ckh0l3z/status/1494771703209201674 # Reference: https://www.virustotal.com/gui/file/ae3342fca635f2e8ad3e4222b319e742eafb0b74df2a531424350a60806b7232/detection energyr.xyz # Reference: https://twitter.com/ShadowChasing1/status/1496054996177240068 # Reference: https://twitter.com/ShadowChasing1/status/1496055001159983108 # Reference: https://twitter.com/ShadowChasing1/status/1497125739568660481 # Reference: https://twitter.com/ShadowChasing1/status/1497125743125413892 # Reference: https://www.virustotal.com/gui/file/e010ca233178440ae92c7e3bd045fd1d5724ee865748322c3125cd7dc6f96871/detection # Reference: https://www.virustotal.com/gui/file/1deea32da9923887482d6950ffffbb490d92e3dcbe4a39152b92da74285d1277/detection beetelson.xyz tobaccosafe.xyz /NreAZyhcftItfyH6/tDM1PLu22kdd47p9.php /NxbFhYGLXQ1DhZYY/Bt0CmBR6dVoWhbYd.php /NreAZyhcftItfyH6/ /NxbFhYGLXQ1DhZYY/ /Bt0CmBR6dVoWhbYd.php /tDM1PLu22kdd47p9.php /Bt0CmBR6dVoWhbYd0MysWuV5LKOmpypn8E01oi16ES4qOo3d /Bt0CmBR6dVoWhbYd0MysWuV5LKOmpypn8E01oi16ES4qOo3d.rtf /tDM1PLu22kdd47p9KkHr26X5ZHWA0svGK6lctkM1SzxHZk90 /tDM1PLu22kdd47p9KkHr26X5ZHWA0svGK6lctkM1SzxHZk90.rtf # Reference: https://twitter.com/malwrhunterteam/status/1496129802239201289 # Reference: https://www.virustotal.com/gui/file/38f4b6dd84e5e31fc5b84fe8098ee180a64725af8c716a015c8b7a99c7994005/detection # Reference: https://www.virustotal.com/gui/file/a49bb6f6be5b597cd7ac592faa01f857060f3694c1bed69f8c8c0cc029b70069/detection # Reference: https://www.virustotal.com/gui/file/541575054a7c0b48bc364444ed5402426dd934f777f05e8e22fabe302a190e15/detection backuplogs.xyz srvrfontsdrive.xyz font.backuplogs.xyz /jiuTeOjl3XBvhWzc/sERtJRTb9aBbiGe3KmbZpxYParKXhzKqxc1KzKGU6aTAoGcC.ico /jiuTeOjl3XBvhWzc/sERtJRTb9aBbiGe3KmbZpxYParKXhzKqxc1KzKGU6aTAoGcC.mp3 /jiuTeOjl3XBvhWzc/ /sERtJRTb9aBbiGe3KmbZpxYParKXhzKqxc1KzKGU6aTAoGcC.ico 
/sERtJRTb9aBbiGe3KmbZpxYParKXhzKqxc1KzKGU6aTAoGcC.mp3 # Reference: https://twitter.com/s1ckb017/status/1499688182794829827 # Reference: https://www.virustotal.com/gui/file/16f7cf28fdb412147a818ba21f70200c7230432a8b929d208e06b93590ee961a/detection # Reference: https://www.virustotal.com/gui/file/69d3b199547198bbbc397a0980274df00c1eda6b631a19552324ec37ccb36718/detection computerupdates.digital # Reference: https://twitter.com/ShadowChasing1/status/1504412533989396481 # Reference: https://www.virustotal.com/gui/file/2d6ced810b45358b89ee180f69697569723f54d28872e4d4451766407295d59b/detection deathstroke.xyz /WRLm4mYD0p6iWCta/CoETln2BYtPHtY9W.php /WRLm4mYD0p6iWCta/ /CoETln2BYtPHtY9W.php # Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-January/030557.html oceansurvey.club printerjobs.xyz seasonsbackup.xyz # Reference: https://twitter.com/GGGGh0st/status/1514516619699306501 # Reference: https://www.virustotal.com/gui/file/a9c7c187202e8b08c00a73f95c15735b2571a962e3c76d1f43e07ef07e994c36/detection request.resolverequest.live # Reference: https://twitter.com/_re_fox/status/1517173649568149504 # Reference: https://www.virustotal.com/gui/file/5b6c10c35cab002750ba16aa8eba4f46d8e7267ae7c40c9e610add6da01ba3fd/detection hibiscus.live records.hibiscus.live /NDnD7RdekyhSrhPE/KOighzucGWiCq6hR.php /NDnD7RdekyhSrhPE/ /KOighzucGWiCq6hR.php # Reference: https://twitter.com/ShadowChasing1/status/1517445025788956673 # Reference: https://twitter.com/ShadowChasing1/status/1517445027923824640 # Reference: https://www.virustotal.com/gui/file/8eb9e93adb4e5e6bf5fac0d0b9de5897aa7274ef451b84854a0da38db61a502a/detection worldbook65.xyz wrldfronts.xyz /SLsLNcQ54gVvWOAV/9Qmq09QX0CYns496.php /SLsLNcQ54gVvWOAV/ /9Qmq09QX0CYns496.php /SLsLNcQ54gVvWOAV/9Qmq09QX0CYns496Y8xnO41X7QOnMxNTj0Ng2KahqH9ua6Cc /9Qmq09QX0CYns496Y8xnO41X7QOnMxNTj0Ng2KahqH9ua6Cc /9Qmq09QX0CYns496Y8xnO41X7QOnMxNTj0Ng2KahqH9ua6Cc.rtf # Reference: https://twitter.com/ShadowChasing1/status/1522217116937596929 # 
Reference: https://www.virustotal.com/gui/file/635ad590116dc390141f58b4dded72d9d6d51d83c10cb60ca6e0d7e00b1ef4d4/detection 23.83.133.141:4233 uniqueupdatesfrtetheupdateing.live # Reference: https://twitter.com/__0XYC__/status/1522183055703687171 # Reference: https://twitter.com/h2jazi/status/1522233728306712576 # Reference: https://twitter.com/_re_fox/status/1526997863611486210 # Reference: https://www.virustotal.com/gui/file/e793f991f7efc2dc49a1e43165bd64a01e0ce35f0f529171f7fefff3cf994f54/detection # Reference: https://www.virustotal.com/gui/file/15e2a10772575e77d1041394191a4db7a665da96889346da0d2e7b6a3aa455b3/detection # Reference: https://www.virustotal.com/gui/file/e793f991f7efc2dc49a1e43165bd64a01e0ce35f0f529171f7fefff3cf994f54/detection bookservices.xyz hplservices.xyz log.bookservices.xyz pre.hplservices.xyz /Ods9Z6420zj7Y9H3/OsVoOaari3CP2x4i.php /Ods9Z6420zj7Y9H3/ /OsVoOaari3CP2x4i.php # Reference: https://twitter.com/ShadowChasing1/status/1522454663735382016 # Reference: https://www.virustotal.com/gui/file/7952c02ea6c90e29370ee0e80b754156a2e5b1f473b2a469fdde3426a20e9356/detection kokoo.live /D7yrtjdcjjd3jjw2jdj7vvNsso0oR/5trT0o0oOO0retnRKKLmM /D7yrtjdcjjd3jjw2jdj7vvNsso0oR/ /5trT0o0oOO0retnRKKLmM # Reference: https://twitter.com/ShadowChasing1/status/1526783834410598400 # Reference: https://twitter.com/ShadowChasing1/status/1526783836507754496 # Reference: https://www.virustotal.com/gui/file/3342d74ec2b0c7324d6cc94a6e9989f002ec02b43927fe6b0951e160829843be/detection intector.xyz suppservices.xyz esr.suppservices.xyz wrd.intector.xyz /39Hq4vSPhlIwdUP9/naLhrcrCK8cV8Imf.php /39Hq4vSPhlIwdUP9/ /naLhrcrCK8cV8Imf.php # Reference: https://twitter.com/ShadowChasing1/status/1532619301437734912 # Reference: https://twitter.com/__0XYC__/status/1532618235647885312 # Reference: https://www.virustotal.com/gui/ip-address/64.190.113.91/relations # Reference: https://www.virustotal.com/gui/file/e55fd48dcfc37f5f810b4d16c1b6498ba5501c9beb80fe0a475badad9834e525/detection 
househomess.xyz # Reference: https://twitter.com/Jirehlov/status/1535110745649983488 # Reference: https://www.virustotal.com/gui/file/28a0f79c1c18a9cf6beb8d93ac9cb523ee83c92aeb2bc83e69e87a1d6e3df748/detection http://42.192.53.5 42.192.53.5:443 # Reference: https://twitter.com/RedDrip7/status/1539556990183100416 # Reference: https://www.virustotal.com/gui/file/ba60ae1347a7e4f385177fc92aaa21eef0682ed52b6359c4be58036e5d74c291/detection # Reference: https://www.virustotal.com/gui/file/486f772d81a3b90ba76617fd5f49d9ca99dac1051a9918222cfa25117888a1d5/detection feedpolicy.xyz logupdates.xyz mak.logupdates.xyz rus.feedpolicy.xyz /DWqYVVzQLc0xrqvt/HG5HlDPqsnr3HBwO.php /gDAr2QJr4cw1BSZe/GigPXrnLQs173vv9.php /DWqYVVzQLc0xrqvt/ /gDAr2QJr4cw1BSZe/ /GigPXrnLQs173vv9.php /HG5HlDPqsnr3HBwO.php # Reference: https://twitter.com/malwrhunterteam/status/1540335442922446848 # Reference: https://twitter.com/midnight_comms/status/1540339283751346176 # Reference: https://www.virustotal.com/gui/file/80b4141c007a5b9ea87388bb29744d7473572784819423e5d77b9dce8370fe88/detection flashnotederby.xyz gamz.flashnotederby.xyz /xoboleyncs # Reference: https://twitter.com/h2jazi/status/1540402245866377216 # Reference: https://www.virustotal.com/gui/file/58856004b837e45898e3621439ce69dc6f562c4f4c72867a66faad030a4c237a/detection rebutuoy.xyz # Reference: https://twitter.com/ShadowChasing1/status/1541354249246089216 # Reference: https://www.virustotal.com/gui/file/41c221c4f14a5f93039de577d0a76e918c915862986a8b9870df1c679469895c/detection worksolution.buzz who.worksolution.buzz /pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3YtjSkvyumPAsnckh5SZGE7nlj7WSghAI.rtf /pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3YtjSkvyumPAsnckh5SZGE7nlj7WSghAI /pq7uzPUMBBQpn8ub/HZNnKZmaMsQMFGX3.php /pq7uzPUMBBQpn8ub/ /HZNnKZmaMsQMFGX3YtjSkvyumPAsnckh5SZGE7nlj7WSghAI /HZNnKZmaMsQMFGX3YtjSkvyumPAsnckh5SZGE7nlj7WSghAI.rtf /HZNnKZmaMsQMFGX3.php # APK /Bride-Fun.apk /Conion_Pro_V2q.apk /Embassy_Info_v23m1221ppmm.apk /Fire_chat_07.apk /Go_chat_notf.apk 
/Zak_m.apk