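# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: keyboy, famoussparrow, pirate panda, tropic trooper, usbferry

# Format: one indicator (domain, IP, IP:port or URL) per line; lines starting with '#' are comments.
# Keep entries on separate lines: when a reference comment and the indicators that follow it are
# joined onto one physical line, the indicators end up inside the comment and are not loaded.

# Reference: https://citizenlab.ca/2016/11/parliament-keyboy/

tibetvoices.com
about.jkub.com
eleven.mypop3.org
backus.myftp.name

# Reference: https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf
# Reference: https://otx.alienvault.com/pulse/5ebd510bcf2617c25c082fb3

dpponline.trickip.org
jupiter.qpoe.com
mila1314.25u.com
mila1314.4dq.com
mila1314.ddns.info
myinfo.ocry.com
myzinfo.myz.info
oldape.25u.com
oldape.4dq.com

# Reference: https://twitter.com/r0ny_123/status/1410537058418888705

185.20.187.10:443

# Reference: https://www.virustotal.com/gui/file/77bcebc65a7ac66da8ad8689b437b0cffecb2247dc58ade041cefe7ed2d46b5e/detection
# Reference: https://www.virustotal.com/gui/file/6acc9ece44d4458a43851bd6ee11a9d2b33ba095ad288f7f9140d33d25d25fbc/detection
# Reference: https://www.virustotal.com/gui/file/74593e081b0b9ab8683d77895035b424ba6e0f31c24ae7c270b18818b56a0d1d/detection
# Reference: https://www.virustotal.com/gui/file/7150761f1767b3c25858925f867a226645bfe9cabcc6fb8e06f284e020489ae6/detection
# Reference: https://www.virustotal.com/gui/file/446a393266d27961c09217054182bb4003346cc402e62c700ac3e334f9bfa035/detection
# Reference: https://www.virustotal.com/gui/file/9fdc678b76cec3189f1d0ad32f838de1c3a5ec1b0aca4ee9df4aa1c65ebe6c94/detection
# Reference: https://www.virustotal.com/gui/file/b15a3e0ca13cc21dace58ffb517b9f2b24ac6684ef823fa7a51a20ab7e7f69dd/detection
# NOTE(review): the 7150761f... reference below repeats the fourth reference of this group.
# Reference: https://www.virustotal.com/gui/file/7150761f1767b3c25858925f867a226645bfe9cabcc6fb8e06f284e020489ae6/detection
# Reference: https://www.virustotal.com/gui/file/7e1e16086e90cff8a33fdf0222410dd32773d7821ddd1b92a2ddb84eda573eb0/detection
# Reference: https://www.virustotal.com/gui/file/2f6cb063966125e0a9f2aa72e471c05657f95a3ddd9f65329071b7ee4acedce6/detection

# NOTE(review): the two URL-form entries cover hosts that are also listed below as IP:443 entries
# (159.75.83.212:443 and 45.76.218.247:443); both forms are kept so that plain-HTTP and port-based
# matching each have an entry.
http://159.75.83.212
http://45.76.218.247
101.32.36.76:443
106.53.120.204:443
114.251.216.125:1234
118.195.161.141:443
118.195.161.141:8443
132.232.92.218:443
134.175.197.144:443
150.109.114.190:443
155.138.155.181:443
159.75.144.13:443
159.75.81.151:443
159.75.83.212:443
212.182.121.97:443
219.225.109.246:1234
43.129.177.152:443
43.134.194.237:443
43.154.74.7:443
43.154.85.5:443
43.154.88.192:443
45.76.218.247:443
45.77.178.47:1234
49.232.142.8:443
82.156.178.135:443
82.156.178.135:8443
82.157.51.214:443
82.157.62.199:8443
buycheap.cn
cnicchina.com
ak.buycheap.cn
api.cnicchina.com
laishi.ddns.net

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_APT-FamousSparrow.json
# Reference: https://www.virustotal.com/gui/ip-address/103.15.28.228/relations

awsdns-531.com
offices-analytics.com
redcrossco.com
credits.offices-analytics.com
resource.offices-analytics.com
services.offices-analytics.com
soffice.offices-analytics.com
c11r.awsdns-531.com
cdn181.awsdns-531.com
llnw-dd.awsdns-531.com
rdmail.redcrossco.com
redsquare.redcrossco.com
tranning.redcrossco.com

# Reference: https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/
# Reference: https://otx.alienvault.com/pulse/614d9d97468b5d59e66efeec

kkxx888666.com
cdn.kkxx888666.com

# Reference: https://twitter.com/0x680x610x6A/status/1761993166780330420
# Reference: https://www.virustotal.com/gui/file/8937e8dd520dc6555c5b2cd62897b8eb5352e43a12af488bd8594449ed114fd5/detection
# Reference: https://www.virustotal.com/gui/file/98af7888655b8bcac49b76c074fc08877807ac074fb4e81a6cacfd1566d52f12/detection
# Reference: https://www.virustotal.com/gui/file/9dff4c8f403338875d009508c64a0e4d4a5eeac191d7654a7793c823fb8e3018/detection

techmersion.com
blog.techmersion.com

# Reference: https://securelist.com/new-tropic-trooper-web-shell-infection/113737/
# Reference: https://www.virustotal.com/gui/ip-address/162.19.135.182/relations
# Reference: https://www.virustotal.com/gui/ip-address/51.195.37.155/relations

adobehomework.com
athenatechlabs.com
helpdesk.athenatechlabs.com

# Reference: https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-operations/iocs-breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-operations.txt

# NOTE(review): this group is the vendor IoC list as published; awsdns-531.com and techmersion.com
# are repeated from the groups above. globalnetzone.b-cdn.net and
# kidshomeworkabc.global.ssl.fastly.net look like customer hostnames on shared CDN providers, so
# match them by hostname rather than by the IP they resolve to, which is shared with other tenants.
amazoncdns.com
ap.missmichiko.com
auth.boxlibraries.com
awsdns-531.com
broadmediacloud.com
cache10.newsfreecloud.com
cachecloud.cloudflaresrv.com
cas04.awsdns-531.com
cdglobalclouds.com
cdn101.cloudflaresrv.com
cloudflaresrv.com
cloudshappen.com
cloudsrv.cloudfrontsrv.com
dbacloudsupport.com
de.huseinhbz.click
emv1.cdglobalclouds.com
emv1.techmersion.com
euphemismscase.site
flarecastdns.com
ftp.techmersion.com
ge.huseinhbz.click
global.techmersion.com
globalnetzone.b-cdn.net
helpdesk.cloudshappen.com
huseinhbz.click
images.dbacloudsupport.com
johannesburghotel.net
kidshomeworkabc.global.ssl.fastly.net
lync.realtxholdem.com
mail.euphemismscase.site
mail2-0da8aa1c.oxcdntech.com
missmichiko.com
ms119.newsfreecloud.com
newsfreecloud.com
nodtecloud.com
ns.starkaero.com
ns101.awsdns-531.com
ns108.cloudshappen.com
opengl.cloudshappen.com
oxcdntech.com
pay.johannesburghotel.net
portal.cdglobalclouds.com
portal.sppokemon.com
portal.techmersion.com
realtxholdem.com
sppokemon.com
ssl3.awsdns-531.com
starkaero.com
supports.dbacloudsupport.com
supports.flarecastdns.com
svn.truecdnnetwork.com
techmersion.com
truecdnnetwork.com
zmail.broadmediacloud.com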