# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: apt-c-35, donot, stealjob # Reference: https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/ # Reference: https://community.riskiq.com/article/6f60db72 qwe.drivethrough.top qwe.sessions4life.pw aoc.sessions4life.pw mon.sesions4life.pw tes.sessions4life.pw drivethrough.top trendzs.club sessions4life.club sesions4life.pw sessions4life.pw # Reference: https://ti.360.net/blog/articles/analysis-of-donot-andriod-sample/ godspeed.geekgalaxy.com jasper.drivethrough.top drivethrough.top geekgalaxy.com # Reference: https://asert.arbornetworks.com/donot-team-leverages-new-modular-malware-framework-south-asia/ conf.serviceupdateres.com upload.cloudsekurity.online abodeupdater.com qmails.org serviceupdateres.com serviceupports.com thebangladeshtoday.net sundayobserver.net # Reference: https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/ databig.akamaihub.stream bigdata.akamaihub.stream unique.fontsupdate.com akamaihub.stream fontsupdate.com # Reference: https://twitter.com/blackorbird/status/1111159128775249920 # Reference: https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading account-sign-in-security.ga account-update-com.tk account-updates-team.ga afd-gov-bd.gq baf-mil-bd.tk checkbox.gq cyber-net-pk.cf fwo-com.tk g00gle-com.cf googlemail-com.gq live-com.gq live-com.ml live-service.cf login-live-com.cf login-yah00-com.tk login-yahoo-com.ga live-com-owa.gq mail-account-security-com.cf mail-accounts-verify-com.cf mail-intl-ja-mail-about.gq mail-nepalarmymil-np.gq mail-ntc-net-pk.tk mail-outlook-support-team.tk mail-paf-gov.cf mail-sign-alert-notification.cf mail-updates-systems.ga mail-update-task.ga mail-update-team.ga mail-yahoo-com.tk mail-yahoo-task.tk micorsoft-outlook-update.ml mofa-gov-mm.ml mofagov-np.cf mofa-gov-np.cf mofa-gov-pk.tk molaw-gov-pk.cf outlook-com.cf outlook-livecom.cf outlook-live-com.cf outlook-live-com.ga outlooklive-com.ml outlook-live-com.tk outlookmail-com.tk paec-gov-pk.ga paec-gov-pk-taskmail.tk paecweb-gov.gq paecwebmail.gq paf-gov-pk.cf paf-gov-pk.ga paf-gov-pk.tk paknavy-pk.gq paecgov-pk.cf pmo-gov-pk.tk pnra-org.gq pof-gov-pk.tk rab-gov-bd.gq sharepoint-google.ml slaf-gov-lk.ml sco-gov-pk.tk super-net-pk.cf super-net-pk.tk test-updates.ga yahoo-com.ga yahoomail.cf yahoomail-com.cf yahoo-mail-com.ml # Reference: https://twitter.com/blackorbird/status/1116263262524362753 unique.fontsupdate.com # Reference: https://otx.alienvault.com/pulse/5cb620d626b619048ca7b344 # Reference: https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/ 139.180.135.59:4233 bike.drivethrough.top car.drivethrough.top guide.domainoutlet.site param.drivethrough.top justin.drinkeatgood.space genwar.drivethrough.top alter.drivethrough.top qwe.drivethrough.top digest.drinkeatgood.space jasper.drivethrough.top ground.domainoutlet.site help.domainoutlet.site guild.domainoutlet.site domainoutlet.site drinkeatgood.space drivethrough.top # Reference: https://twitter.com/blackorbird/status/1122493860859432960 data-backup.online # Reference: https://twitter.com/sudosev/status/1123303891062460419 mystrylust.pw new.listenmusic.pw # Reference: https://twitter.com/Timele9527/status/1130673924193128448 servicejobs.life # Reference: https://twitter.com/blackorbird/status/1132951652896350208 rightapps.net/sms//images/files/nbp_request.php # Reference: https://twitter.com/sudosev/status/1143562610492760064 # Reference: https://github.com/faisalusuf/ThreatIntelligence/blob/main/APT%20DONOT%20TEAM/Tracking-DONOT-IOCs.csv new.transportfun.pw strings.guitarshop.space transportfun.pw # Reference: https://twitter.com/RedDrip7/status/1145539943323717632 151.236.11.222:50240 # Reference: https://twitter.com/RedDrip7/status/1170896437229445120 mangasiso.top # Reference: https://mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA ezeescan.com # Reference: https://m.threatbook.cn/detail/1924 # Reference: https://otx.alienvault.com/pulse/5d7f7deb8cdf93013777cbad # Reference: https://www.secrss.com/articles/13726 # Reference: https://otx.alienvault.com/pulse/5d93295e8526be516a05f369 # Reference: https://twitter.com/ArielJT/status/1183064542869381121 bsodsupport.icu en-content.com mscheck.icu msplugin.icu windowserver.site worldupdate.live # Reference: https://twitter.com/RedDrip7/status/1188662662734893056 officeupdater.org # Reference: https://twitter.com/ccxsaber/status/1195175943087616000 stylesheet.xyz # Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/issleduem-aktivnost-kibergruppirovki-donot-team/ (Russian) burningforests.com cloud-storage-service.com skillsnew.top # Reference: https://twitter.com/Rmy_Reserve/status/1206596674920972288 full.newcontest.xyz # Reference: https://twitter.com/ccxsaber/status/1213050724403167238 mimestyle.xyz # Reference: https://twitter.com/Arkbird_SOLG/status/1214146144177197058 comodo.world # Reference: https://twitter.com/Arkbird_SOLG/status/1214146146563698689 # Reference: https://app.any.run/tasks/2907c2bd-a00d-4742-9467-01b8058e734a/ testypoha.top # Reference: https://twitter.com/Timele9527/status/1253165991351119872 supportsession.live # Reference: https://twitter.com/Youngs0xff/status/1254959731338178560 rythemsjoy.club # Reference: https://twitter.com/ShadowChasing1/status/1260881015133753345 spectronet.pw # Reference: https://twitter.com/AnonySecAgency/status/1263046236652728324 mailsession.online # Reference: https://twitter.com/ShadowChasing1/status/1267834418942492672 advancesearch.xyz # Reference: https://twitter.com/Timele9527/status/1271098267590221824 covidpk.uno datasecure.icu filepage.icu meflying.xyz remindme.top yourcontents.xyz # Reference: https://twitter.com/ccxsaber/status/1274978583463649281 dnsresolve.live # Reference: https://twitter.com/ccxsaber/status/1275611268192145408 tampotrust.top # Reference: https://twitter.com/ccxsaber/status/1279958779388297216 securecon.top # Reference: https://twitter.com/ShadowChasing1/status/1287039040038952960 coronotest.xyz filedata.top # Reference: https://twitter.com/ShadowChasing1/status/1289083580514107394 # Reference: https://twitter.com/500mk500/status/1289100860254027776 # Reference: https://www.virustotal.com/gui/file/f5432e3a4184baf3957035ded89916310f3a7f791b3bcf3e2e92c3dba4682d26/detection # Reference: https://www.virustotal.com/gui/file/124f2f71d658fdbeacaf648ec6811589ef01b4154471378839724a79de0edd48/detection sparc.org.in/wp-content/uploads/2020/06/now/rt.rtf http://164.68.108.22 164.68.108.22:4140 164.68.108.22:6102 /cruisers/beacon.php # Reference: https://twitter.com/ShadowChasing1/status/1289198158669443078 apifile.xyz # Reference: https://twitter.com/ShadowChasing1/status/1286504871416360961 filecopying.xyz # Reference: https://threatconnect.com/blog/research-roundup-recent-probable-charming-kitten-infrastructure/ # Reference: https://otx.alienvault.com/pulse/5f2c73733fc6956731644a7d # Reference: https://twitter.com/kyleehmke/status/1290613021992255488 accounts.googel.email app-view-support.club cmailco.xyz cnnnews-app.xyz control-user-activity.club control-view-sharing.club cover-home-page.site email-checker.xyz fatservice.site g-shorturl.com gmail-com.xyz googel.email hinbox-drive.info inbox-drive.info login-gov.info mail-instgram.com mailco.xyz mailerdaemon.me name-file-support.best on-dr.com page-support-view.club preview-control-support.club reload-cover-page.live reload-page-cover.site support-following-page.club support-myservice.com support-viewing-page.club verify-identity-service.best verifychecking.com view-control-page.club view-control-support.club view-external-page.best view-panel-control.club # Reference: https://twitter.com/ShadowChasing1/status/1292286043874455552 # Reference: https://www.virustotal.com/gui/file/addf78fe59b2b0f45c3c448caee35c206ecae5a51a5c0e0f71ef361ea5fae6e0/detection 142.93.12.211:4233 # Reference: https://twitter.com/ShadowChasing1/status/1302882266910253056 checkinternet.icu # Reference: https://twitter.com/ShadowChasing1/status/1304968566114975745 msfonts.live word-dnld.com # Reference: https://s.tencent.com/research/report/951.html # Reference: https://community.riskiq.com/article/6f60db72 # Reference: https://twitter.com/voodoodahl1/status/1267571622732578816 # Reference: https://otx.alienvault.com/pulse/5f74ce39f8419e27addbd726 advancesearch.xyz apkfreeware.xyz appie.host bitiy.info brightnew.xyz bulk.fun carefile.icu covidapp.icu dnsrevanche.xyz domainoutlet.site drivethrough.top fiddaz.club inapfirst.top inapscnd.top inapturst.top lowlilght.xyz mangasiso.top mimestyle.xyz mimeversion.top myappshare.xyz mypersonaldrive.icu n9cl.xyz newbulb.xyz phovonel.icu ppadaolnwod.xyz qwertykeypad.host rythemsjoy.club seahome.top spectronet.pw trakfind.buzz verisign.monster whynotworkonit.top # Reference: https://twitter.com/malwrhunterteam/status/1314236986018988035 # Reference: https://twitter.com/bl4ckh0l3z/status/1314252380867899393 # Reference: https://www.virustotal.com/gui/file/70df22a25cbb8715f1d3dd693123ac92203b3a27dfc6c7fa0e48239cf15cbf02/detection 45.147.229.93:4233 joy-trends.xyz qwertykeypad.host trendsjoy.biz webchat.life # Reference: https://twitter.com/_re_fox/status/1315388450414227467 # Reference: https://twitter.com/RedDrip7/status/1320568526730477571 # Reference: https://www.virustotal.com/gui/file/19321da02763a73eda1cdff7d073f7da18b5f32121fbddcee8eab60ac13d418a/detection # Reference: https://www.virustotal.com/gui/file/c9c2f68074bafb0885c8f3ace3e3188f38471e0710caefa50192ecd05edecac2/detection soundvista.club # Reference: https://blog.talosintelligence.com/2020/10/donot-firestarter.html # Reference: https://otx.alienvault.com/pulse/5f9ad41f97b945d0a6797baa apkv6.endurecif.top bulk.fun fif0.top inapturst.top seahome.top # Reference: https://twitter.com/ShadowChasing1/status/1324694029620006913 # Reference: https://www.virustotal.com/gui/file/ab6c34abe0d42dc0b93213661e24257b504b8d8973f4f5993d64e6631bd1358d/detection createlist.xyz # Reference: https://twitter.com/malwrhunterteam/status/1325782688062693376 # Reference: https://www.virustotal.com/gui/file/449979f1b1a9db98dad92de3f3af7045f0dc470085b9640b77f27675feaeefd8/detection 167.99.190.44:8090 latertime.icu # Reference: https://twitter.com/ShadowChasing1/status/1328980811102654465 # Reference: https://twitter.com/midnight_comms/status/1329043473635307522 # Reference: https://www.virustotal.com/gui/file/8885752384e54f65c7bd94982fadfa016f906960e9a53492a908eda12335f5aa/detection 45.138.172.7:4233 pvtchat.live # Reference: https://twitter.com/cyberwar_15/status/1331490166473519106 hometaxcenter.web.app # Reference: https://twitter.com/malwrhunterteam/status/1336980863272308742 namearch.xyz yourlsd.xyz # Reference: https://twitter.com/ShadowChasing1/status/1336997657865175040 sportfunk.xyz # Reference: https://twitter.com/ShadowChasing1/status/1337256313831604225 instantinfo.buzz # Reference: https://twitter.com/malwrhunterteam/status/1348575001109286913 # Reference: https://twitter.com/bl4ckh0l3z/status/1348575976196866048 # Reference: https://www.virustotal.com/gui/file/f1772de5062571ab63518595a36daf12203bcbc13f530a10ebc382e89220c840/detection 167.99.130.191:8090 transp.link # Reference: https://twitter.com/ShadowChasing1/status/1359479141146365952 # Reference: https://www.virustotal.com/gui/ip-address/5.135.199.23/detection # Reference: https://www.virustotal.com/gui/file/18cfe54cf4a92d1757ee471cd09c20b5aea8578b9db660239de5ba8208cc8be8/detection networkspeed.live resolverequest.live # Reference: https://twitter.com/malwrhunterteam/status/1359512197911699457 # Reference: https://twitter.com/bl4ckh0l3z/status/1360157297734004739 # Reference: https://www.virustotal.com/gui/file/c5c50a2a600c6372e8757f9371fe475a7041d448a96f7361c0eda1b9951301d2/detection 135.181.198.146:8099 fatchinfo.xyz mobilelink.buzz # Reference: https://twitter.com/ShadowChasing1/status/1364448144323342338 # Reference: https://twitter.com/ShadowChasing1/status/1368945187230257154 # Reference: https://twitter.com/ShadowChasing1/status/1369944378584690688 # Reference: https://www.virustotal.com/gui/file/dc1bd94c1941dcfa69c5561959cec64c3f5b1c3c0738f66a33c320c0c4217030/detection # Reference: https://www.virustotal.com/gui/file/03730cdc23a3d10c8752ad1464ff2e68a64c69f8310b0ceea4d52b1db0215dfc/detection # Reference: https://www.virustotal.com/gui/file/e82a17c9c0936de0c50267a296b801d1d7073293ad93b444eb63f336ebb46330/detection tplinkupdates.space firm.tplinkupdates.space /8ujdfuyer8d8f7d98jreerje /bikuyteftgyheujdike11ygeyg /ujhsygdhgtsygbuehdthd # Reference: https://twitter.com/ShadowChasing1/status/1364536619353575429 # Reference: https://www.virustotal.com/gui/file/79b6fd53fc676089d691ddbbf54da0855abd23d91c2325555d258eaca2c1dfb6/detection flickry.xyz # Reference: https://twitter.com/ShadowChasing1/status/1365304023775989761 # Reference: https://www.virustotal.com/gui/file/c1aa62da6cbb8656741d88a4c30c9620188b7045d0b0d271065464fdfbcab76f/detection printerupdates.online info.printerupdates.online # Reference: https://twitter.com/ShadowChasing1/status/1366672088241606658 # Reference: https://twitter.com/ShadowChasing1/status/1366688956088131584 requireplugin.xyz worxbox.xyz /AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo /AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo.dat /AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo.doc /AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo.dot # Reference: https://twitter.com/malwrhunterteam/status/1366839536890900482 # Reference: https://twitter.com/bl4ckh0l3z/status/1366866811455684612 # Reference: https://www.virustotal.com/gui/file/80151e5971821b1f0abb13b049efb0eeb9b1626b2f5501fc9ac21918935a6c3e/detection shortler.xyz # Reference: https://twitter.com/malwrhunterteam/status/1370400639155589132 # Reference: https://www.virustotal.com/gui/file/680681423d5007030bd3fe577b88f4c5df6dc423cdaa6aa415ecae01bd83b0d7/detection 178.63.172.2:4233 bismi.club # Reference: https://twitter.com/ShadowChasing1/status/1379048935969316871 paperflies.buzz worldfronts.xyz /h9i341lDMiztxAqrWsaOwHfUkSrAFWuI /h9i341lDMiztxAqrWsaOwHfUkSrAFWuI.dat /h9i341lDMiztxAqrWsaOwHfUkSrAFWuI.doc /h9i341lDMiztxAqrWsaOwHfUkSrAFWuI.dot # Reference: https://twitter.com/ShadowChasing1/status/1380555450433728513 # Reference: https://www.virustotal.com/gui/file/f18aba837e86025dfb9bd3fd2c4bf161f679ff1f3d10e7a480d682178051a9b9/detection instadownload.buzz # Reference: https://twitter.com/ShadowChasing1/status/1384825247061331980 # Reference: https://www.virustotal.com/gui/file/81b4a8f6ff2489e01f6b09126583673d3df922a0bbf7ff2cbcef2bcf6102b951/detection loadingmessage.info # Reference: https://twitter.com/ShadowChasing1/status/1387026581453893635 # Reference: https://www.virustotal.com/gui/file/e82d1f4f2960aef4142c32d7920b97700f2b5957bb4807bfcd59e586e71a33c0/detection nextra.buzz # Reference: https://twitter.com/ShadowChasing1/status/1387309759217365000 # Reference: https://twitter.com/ShadowChasing1/status/1387309762132336647 # Reference: https://www.virustotal.com/gui/file/694d433a729b65993dae758e862077c2d82c92018e8e310e121e1fa051567dba/detection idmquick.xyz wserves.xyz /IvGRnMiDzgderQQteqNjNgKoIYqaLW6C /IvGRnMiDzgderQQteqNjNgKoIYqaLW6C.dat /IvGRnMiDzgderQQteqNjNgKoIYqaLW6C.dot # Referenc: https://twitter.com/fuuuing_/status/1387958339569479683 # Reference: https://www.virustotal.com/gui/file/edd590c343570f7576aca83da58967e058585c6ba861682dca2fc987c713ee3a/detection edgevista.live files.edgevista.live /abjhdueuhkuclli78jfkdfj /abjhdueuhkuclli78jfkdfj.dat /abjhdueuhkuclli78jfkdfj.doc # Reference: https://twitter.com/r3dbU7z/status/1388510523579305988 # Reference: https://twitter.com/r3dbU7z/status/1388937495677743104 # Reference: https://www.virustotal.com/gui/file/08d7ec323925fa1de26d49c0dc414acb8ef3f876fd4b173673895465a27eda46/detection 66.23.225.108:8001 # APK /Conion_Pro_V2q.apk /Zak_m.apk