# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt35, apt-c-35, donot, stealjob

# Reference: https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/

qwe.drivethrough.top
qwe.sessions4life.pw
aoc.sessions4life.pw
mon.sesions4life.pw
tes.sessions4life.pw

# Reference: https://ti.360.net/blog/articles/analysis-of-donot-andriod-sample/

godspeed.geekgalaxy.com
jasper.drivethrough.top

# Reference: https://asert.arbornetworks.com/donot-team-leverages-new-modular-malware-framework-south-asia/

conf.serviceupdateres.com
upload.cloudsekurity.online
abodeupdater.com
qmails.org
serviceupports.com
thebangladeshtoday.net
sundayobserver.net

# Reference: https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/

databig.akamaihub.stream
bigdata.akamaihub.stream
unique.fontsupdate.com

# Reference: https://twitter.com/blackorbird/status/1111159128775249920
# Reference: https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading

account-sign-in-security.ga
account-update-com.tk
account-updates-team.ga
afd-gov-bd.gq
baf-mil-bd.tk
checkbox.gq
cyber-net-pk.cf
fwo-com.tk
g00gle-com.cf
googlemail-com.gq
live-com.gq
live-com.ml
live-service.cf
login-live-com.cf
login-yah00-com.tk
login-yahoo-com.ga
live-com-owa.gq
mail-account-security-com.cf
mail-accounts-verify-com.cf
mail-intl-ja-mail-about.gq
mail-nepalarmymil-np.gq
mail-ntc-net-pk.tk
mail-outlook-support-team.tk
mail-paf-gov.cf
mail-sign-alert-notification.cf
mail-updates-systems.ga
mail-update-task.ga
mail-update-team.ga
mail-yahoo-com.tk
mail-yahoo-task.tk
micorsoft-outlook-update.ml
mofa-gov-mm.ml
mofagov-np.cf
mofa-gov-np.cf
mofa-gov-pk.tk
molaw-gov-pk.cf
outlook-com.cf
outlook-livecom.cf
outlook-live-com.cf
outlook-live-com.ga
outlooklive-com.ml
outlook-live-com.tk
outlookmail-com.tk
paec-gov-pk.ga
paec-gov-pk-taskmail.tk
paecweb-gov.gq
paecwebmail.gq
paf-gov-pk.cf
paf-gov-pk.ga
paf-gov-pk.tk
paknavy-pk.gq
paecgov-pk.cf
pmo-gov-pk.tk
pnra-org.gq
pof-gov-pk.tk
rab-gov-bd.gq
sharepoint-google.ml
slaf-gov-lk.ml
sco-gov-pk.tk
super-net-pk.cf
super-net-pk.tk
test-updates.ga
yahoo-com.ga
yahoomail.cf
yahoomail-com.cf
yahoo-mail-com.ml

# Reference: https://twitter.com/blackorbird/status/1116263262524362753

unique.fontsupdate.com

# Reference: https://otx.alienvault.com/pulse/5cb620d626b619048ca7b344
# Reference: https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/

139.180.135.59:4233
bike.drivethrough.top
car.drivethrough.top
guide.domainoutlet.site
param.drivethrough.top
justin.drinkeatgood.space
genwar.drivethrough.top
alter.drivethrough.top
qwe.drivethrough.top
digest.drinkeatgood.space
jasper.drivethrough.top
ground.domainoutlet.site
help.domainoutlet.site
guild.domainoutlet.site

# Reference: https://twitter.com/blackorbird/status/1122493860859432960

data-backup.online

# Reference: https://twitter.com/sudosev/status/1123303891062460419

mystrylust.pw
new.listenmusic.pw

# Reference: https://twitter.com/Timele9527/status/1130673924193128448

servicejobs.life

# Reference: https://twitter.com/blackorbird/status/1132951652896350208

rightapps.net/sms//images/files/nbp_request.php

# Reference: https://twitter.com/sudosev/status/1143562610492760064

new.transportfun.pw
strings.guitarshop.space

# Reference: https://twitter.com/RedDrip7/status/1145539943323717632

151.236.11.222:50240

# Reference: https://twitter.com/RedDrip7/status/1170896437229445120

mangasiso.top

# Reference: https://mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA

ezeescan.com

# Reference: https://m.threatbook.cn/detail/1924
# Reference: https://otx.alienvault.com/pulse/5d7f7deb8cdf93013777cbad
# Reference: https://www.secrss.com/articles/13726
# Reference: https://otx.alienvault.com/pulse/5d93295e8526be516a05f369
# Reference: https://twitter.com/ArielJT/status/1183064542869381121

bsodsupport.icu
en-content.com
mscheck.icu
msplugin.icu
windowserver.site
worldupdate.live

# Reference: https://twitter.com/RedDrip7/status/1188662662734893056

officeupdater.org

# Reference: https://twitter.com/ccxsaber/status/1195175943087616000

stylesheet.xyz

# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/issleduem-aktivnost-kibergruppirovki-donot-team/ (Russian)

burningforests.com
cloud-storage-service.com
skillsnew.top

# Reference: https://twitter.com/Rmy_Reserve/status/1206596674920972288

full.newcontest.xyz

# Reference: https://twitter.com/ccxsaber/status/1213050724403167238

mimestyle.xyz

# Reference: https://twitter.com/Arkbird_SOLG/status/1214146144177197058

comodo.world

# Reference: https://twitter.com/Arkbird_SOLG/status/1214146146563698689
# Reference: https://app.any.run/tasks/2907c2bd-a00d-4742-9467-01b8058e734a/

testypoha.top

# Reference: https://twitter.com/Timele9527/status/1253165991351119872

supportsession.live

# Reference: https://twitter.com/Youngs0xff/status/1254959731338178560

rythemsjoy.club

# Reference: https://twitter.com/ShadowChasing1/status/1260881015133753345

spectronet.pw

# Reference: https://twitter.com/AnonySecAgency/status/1263046236652728324

mailsession.online

# Reference: https://twitter.com/ShadowChasing1/status/1267834418942492672

advancesearch.xyz

# Reference: https://twitter.com/Timele9527/status/1271098267590221824

covidpk.uno
datasecure.icu
filepage.icu
meflying.xyz
remindme.top
yourcontents.xyz

# Reference: https://twitter.com/ccxsaber/status/1274978583463649281

dnsresolve.live

# Reference: https://twitter.com/ccxsaber/status/1275611268192145408

tampotrust.top

# Reference: https://twitter.com/ccxsaber/status/1279958779388297216

securecon.top

# Reference: https://twitter.com/ShadowChasing1/status/1287039040038952960

coronotest.xyz
filedata.top

# Reference: https://twitter.com/ShadowChasing1/status/1289083580514107394
# Reference: https://twitter.com/500mk500/status/1289100860254027776
# Reference: https://www.virustotal.com/gui/file/f5432e3a4184baf3957035ded89916310f3a7f791b3bcf3e2e92c3dba4682d26/detection
# Reference: https://www.virustotal.com/gui/file/124f2f71d658fdbeacaf648ec6811589ef01b4154471378839724a79de0edd48/detection

sparc.org.in/wp-content/uploads/2020/06/now/rt.rtf
http://164.68.108.22
164.68.108.22:4140
164.68.108.22:6102
/cruisers/beacon.php

# Reference: https://twitter.com/ShadowChasing1/status/1289198158669443078

apifile.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1286504871416360961

filecopying.xyz

# Reference: https://threatconnect.com/blog/research-roundup-recent-probable-charming-kitten-infrastructure/
# Reference: https://otx.alienvault.com/pulse/5f2c73733fc6956731644a7d
# Reference: https://twitter.com/kyleehmke/status/1290613021992255488

accounts.googel.email
app-view-support.club
cmailco.xyz
cnnnews-app.xyz
control-user-activity.club
control-view-sharing.club
cover-home-page.site
email-checker.xyz
fatservice.site
g-shorturl.com
gmail-com.xyz
googel.email
hinbox-drive.info
inbox-drive.info
login-gov.info
mail-instgram.com
mailco.xyz
mailerdaemon.me
name-file-support.best
on-dr.com
page-support-view.club
preview-control-support.club
reload-cover-page.live
reload-page-cover.site
support-following-page.club
support-myservice.com
support-viewing-page.club
verify-identity-service.best
verifychecking.com
view-control-page.club
view-control-support.club
view-external-page.best
view-panel-control.club

# Reference: https://twitter.com/ShadowChasing1/status/1292286043874455552
# Reference: https://www.virustotal.com/gui/file/addf78fe59b2b0f45c3c448caee35c206ecae5a51a5c0e0f71ef361ea5fae6e0/detection

142.93.12.211:4233

# Reference: https://twitter.com/ShadowChasing1/status/1302882266910253056

checkinternet.icu

# Reference: https://twitter.com/ShadowChasing1/status/1304968566114975745

msfonts.live
word-dnld.com