# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: Black Banshee, Velvet Chollima

# Reference: https://otx.alienvault.com/pulse/5c93c4e48312d159728a9d78
# Reference: https://blog.alyac.co.kr/2209 (Korean)

maii-daum-net.atwebpages.com
nate-on.bug3.com
hanmail.membercp.net
korea.getenjoyment.net
mail.membercp.net
/itsme.daum

# Reference: https://twitter.com/blackorbird/status/1086970613552447489

safe-naver-mail.pe.hu

# Reference: https://twitter.com/blackorbird/status/1113318554563076096
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/aptnote0403
# Reference: https://blog.alyac.co.kr/2234 (Korean)

tcjst.com

# Reference: https://twitter.com/blackorbird/status/1118334122592591872
# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf
# Reference: https://www.virustotal.com/gui/ip-address/192.186.142.74/relations
# Reference: https://otx.alienvault.com/pulse/5cb6e14b2fefc160d9e18b24

http://192.186.142.74
192.186.142.74:81
seoulhobi.biz

# Reference: https://twitter.com/RedDrip7/status/1133268937808859136

lovemoney.mypressonline.com

# Reference: https://blog.alyac.co.kr/2336 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d13373f428cfccd0fa506a6

hellojames.sportsontheweb.net

# Generic trails (also can be met in https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)

/expres.php

# Reference: https://blog.alyac.co.kr/2347 (Korean)
# Reference: https://otx.alienvault.com/pulse/5cffce34469a83ecb23c93db

http://202.168.155.156
carolie-svr-v1.16mb.com
my-homework.890m.com
naver-security-mail.96.lt
oeks39402.890m.com
filer1.1apps.com
filer2.1apps.com
kuku675.site11.com
kuku79.herobo.com

# Reference: https://blog.alyac.co.kr/2389 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d14b11389f0f0ece394fab8

atene.myartsonline.com
hellojames.sportsontheweb.net
nid2-naver-com.medianewsonline.com
smalldeal.mypressonline.com

# Reference: https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks
# Reference: https://otx.alienvault.com/pulse/5d5d6f5c5f0e4d2b7f5f3208
# Reference: https://twitter.com/blackorbird/status/1164370375490228224

alone-service.work
app-support.work
check-up.work
com-main.work
doc-view.work
login-confirm.work
member-service.work
minner.work
short-line.work
sub-state.work
web-line.work

# Reference: https://twitter.com/cyberwar_15/status/1166592637371060226

rnailr.com

# Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf
# Reference: https://otx.alienvault.com/pulse/5d6d754babe6ca295f94cb1b

accounted.top
acounts.work
ahooc.com
alive-user.work
alone-service.work
app-house.online
app-main.site
app-support.site
app-support.work
check-line.site
check-operation.site
check-up.work
client-mobile.work
confirm-main.work
dounn.net
dovvn-mail.com
drog-service.com
eposcard.co
first-state.work
gstaticstorage.com
heehorse.com
hotrnall.co
imap-login.com
inbox-mail.work
inbox-yahoo.com
lh-login.com
lh-logs.com
lh-yahoo.com
local-link.work
log-yahoo.com
login-confirm.site
login-confirm.work
login-history.pw
login-sec.com
login-use.com
login-yahoo.info
logins-yahoo.com
mail-down.com
mail-inc.work
mail-service.win
mailseco.com
main-line.work
main-service.site
main-support.work
matmiho.com
member-service.work
message-inbox.work
minner.work
mobile-device.site
mobile-phone.work
myprivacy.work
net-policies.work
old-version.work
online-support.work
open-auth.work
options.work
page-view.work
phlogin.com
profile-setting.work
protect-com.work
protect-mail.work
protect-main.site
retry-confirm.com
script-main.site
sec-line.work
sec-live.com
set-login.com
setting-main.work
share-check.site
short-line.work
sign-in.work
srnbc-card.com
user-account.link
user-accounts.net
user-service.link
user-service.work
viewetherwallet.com
wallet-vahoo.com
weak-online.work
web-info.work
web-mind.work
web-online.work
web-rain.work
web-state.work
web-store.work
yah00.work
yrnall.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1177115401400016901
# Reference: https://blog.alyac.co.kr/2538 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d8dd05bac456c1dade338df

joelwisian.com
reunionhomesok.com

# Reference: https://twitter.com/blackorbird/status/1178497550938034177

eoplus.co.kr/board/pressed/
eoplus.co.kr/board/presset/

# Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf
# Reference: https://otx.alienvault.com/pulse/5d9f541a43c2babf60994786

c-naver.com
daum-center.net
rrnaver.com
udaum.net
account-google.member-authorize.com
user-manage-center.hol.es
user-daum-center.pe.hu
user-protect-center.pe.hu
naiei-aldiel.16mb.com
nid-protect-team.pe.hu
nid-management-team.890m.com
oeks39402.890m.com
vkcxvkweo.96.lt

# Reference: https://otx.alienvault.com/pulse/5dac36de0d5134df36b16666

clouds.scienceontheweb.net

# Reference: https://twitter.com/spider_girl22/status/1191306963369353216

online---shop.atwebpages.com

# Reference: https://blog.alyac.co.kr/2645 (Korean)
# Reference: https://otx.alienvault.com/pulse/5de68f93fc4d8a6303a7598b

member-view-center.esy.es
primary-help.esy.es
ago2.co.kr/bbs/data/dir/F.php
antichrist.or.kr/data/cheditor/dir1/F.php
gyjmc.com/board/data/cheditor/dir1/F.php

# Reference: https://otx.alienvault.com/pulse/5e257c8c189e48e8e053e75b

antichrist.or.kr/data/cheditor/dir1/lyric64
batgalim.org.il/facebook/Facebook/Entities/ppp/encoding.png
jonashartley.com/hilaryolsen/wp-includes/images/crystal/1122/upload.php
jonashartley.com/hilaryolsen/wp-admin/network/run.php
jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/res.php
jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/expres.php
jonashartley.com/hilaryolsen/wp-includes/customize/1111/res.php
jonashartley.com/hilaryolsen/wp-includes/customize/1111/expres.php
happy-new-year.esy.es
safe-naver-mail.pe.hu

# Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf
# Reference: https://otx.alienvault.com/pulse/5e42fd9c9fa37be52610c5c5

accounting-microsofft.epizy.com
csdaum-help.esy.es
daum-account-login.esy.es
daum-account-login.esy.esoeks39402.890m.com
daum-account-signin.pe.hu
daum-login-protect.hol.es
daum-setting.hol.es
daum-stting.hol.es
daumlogin.esy.es
gyjmc.com
mail-customer-safety-center.hol.es
mail-kinu.hol.es
mail-naver-protect.hol.es
mail.naver.comuf.com
member-authorize.com
member-daum-regist.hol.es
member-view-center.esy.es
memver-view-center.esy.es
nager-relogin-security.96.lt
naiei-ldel.16mb.com
naver-password.esy.es
naver-security-mail.96.lt
naverhelp.esy.es
naverkorea.esy.es
naverlogin.esy.es
nid-mail.pe.hu
nid-management-team.890m.com
nid-protect-team.pe.hu
primary-help.esy.es
protect-yahoo-teeam.000webhostapp.com
security-mail-daum.000webhostapp.com
snu-mail-ac-kr.esy.es
suppcrt-seourity.esy.es
uefa2018.000webhostapp.com
user-daum-center.pe.hu
user-management-center.hol.es
user-protect-center.pe.hu
vkcxvkweo.96.lt
webrnail-kinu.hol.es

# Reference: https://twitter.com/anyrun_app/status/1115513990711521280
# Reference: https://www.virustotal.com/gui/file/540336c5e61d589776e267eed14eac835720b4484312434ce4f27adfec8bf817/detection

185.224.137.164:21

# Reference: https://twitter.com/cyberwar_15/status/1227709181605613569

happy-boy.pe.hu

# Reference: https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html
# Reference: https://otx.alienvault.com/pulse/5e4c19894aad216887c8cb3d

ago2.co.kr/bbs/data/tmp
aiyac-updaite.hol.es
daum-center.net
embed-helper.esy.es
er-manage-center.hol.es
finale-jack.esy.es
kakao-check.esy.es
my-homework.890m.com
naver-mail-com.hol.es
nid-protect-team.pe.hu
nid-yyanagemeniteam.890m.com
nortice-centre.esy.es
oeks39402.890m.com
rrnaver.com
simple-hick.esy.es
suppcrt-seourity.esy.es
udaum.net
upgradesrv.890m.com
user-daum-center.pe.hu
user-manage-cenier.nol.es
user-protect-center.pe.hu

# Reference: https://twitter.com/cyberwar_15/status/1230093739554557953

pingball.mygamesonline.org

# Reference: https://twitter.com/spider_girl22/status/1233198285747154944
# Reference: https://twitter.com/cyberwar_15/status/1241591674255446016
# Reference: https://app.any.run/tasks/f4172853-90e6-49ad-be7b-bf6efa771448/

nagoya.datastore.pe.hu
suzuki.datastore.pe.hu
toyota.datastore.pe.hu

# Reference: https://blog.alyac.co.kr/2737 (Korean)

mernberinfo.tech

# Reference: https://twitter.com/cyberwar_15/status/1232989735011794945
# Reference: https://www.virustotal.com/gui/file/2cd5f1852ac6d3ed481394ea0abc49f16789c12fb81bcdf9988762730fb0aa8f/detection
# Reference: https://twitter.com/spider_girl22/status/1234761655214493697
# Reference: https://twitter.com/cyberwar_15/status/1240677656451899394
# Reference: https://twitter.com/Timele9527/status/1240620534468997125

all200.mireene.com
crphone.mireene.com
jmable.mireene.com
jmdesign.mireene.com
nhpurumy.mireene.com
orblog.mireene.com
sgmedia.mireene.com
vnext.mireene.com

# Reference: https://twitter.com/Timele9527/status/1240123132419223554

mybobo.mygamesonline.org

# Reference: https://twitter.com/DeadlyLynn/status/1245264426321600513

saemaeul.mireene.com

# Reference: https://twitter.com/AnonySecAgency/status/1250605504520318977

rolls-royce-love.890m.com

# Reference: https://twitter.com/VK_Intel/status/1257243399742251010

upload.bigfile.hol.es

# Reference: https://twitter.com/AnonySecAgency/status/1263047043150299136

gotoclean.com.co
ricefarm.kr/bbs/st/expres.php

# Reference: https://twitter.com/cyberwar_15/status/1266553918454067201
# Reference: https://www.rfa.org/korean/in_focus/nkhacking-05292020160533.html (Korean)

com-download.work

# Reference: https://twitter.com/cyberwar_15/status/1268073043365990401

part.bigfile.pe.hu

# Reference: https://blog.alyac.co.kr/3033 (Korean)
# Reference: https://otx.alienvault.com/pulse/5ed7c80f673c40df00c52fa6

boaz.kr/skin/member/basic/css/cross.php
boaz.kr/skin/member/basic/css/report.php
boaz.kr/skin/member/log/cross.php
boaz.kr/skin/member/log/pre.hta
boaz.kr/skin/member/log/report.php
boaz.kr/skin/member/log/suf.hta

# Reference: https://twitter.com/XOR_Hex/status/1273023258535886848

dept-dp.lab.hol.es

# Reference: https://twitter.com/cyberwar_15/status/1273435333430935552

gbxhd.org-help.com

# Reference: https://twitter.com/ccxsaber/status/1273804166612135940

security-confirm.bmail-org.com

# Reference: https://twitter.com/ShadowChasing1/status/1274724519803043852

finalist.org-help.com

# Reference: https://twitter.com/cyberwar_15/status/1275368364819410950

foxhunter.getenjoyment.net
korea.getenjoyment.net
pootball.getenjoyment.net

# Reference: https://twitter.com/DeadlyLynn/status/1275998401524424704

attachchosun.atwebpages.com

# Reference: https://twitter.com/ccxsaber/status/1278941222166380545

lovelovelove.atwebpages.com

# Reference: https://twitter.com/DeadlyLynn/status/1281840956170317824

bascetball.atwebpages.com

# Reference: https://twitter.com/cyberoverdrive/status/1285955528770891776
# Reference: https://www.virustotal.com/gui/file/4fae9a942aafddc8ee21a753302cec3c5273d3f71e132f176cb799dd922e30ac/detection

pingguo5.atwebpages.com

# Reference: https://app.any.run/tasks/74d55d02-7bbd-444c-a01b-30ac52a7e576/

foxonline123.atwebpages.com

# Reference: https://twitter.com/cyberwar_15/status/1296301860312084482

jongjin.000webhostapp.com

# Reference: https://twitter.com/DeadlyLynn/status/1299970605043707905
# Reference: https://www.virustotal.com/gui/file/4ff2a67b094bcc56df1aec016191465be4e7de348360fd307d1929dc9cbab39f/detection

portable.epizy.com

# Reference: https://otx.alienvault.com/pulse/5f737caa710907613c4d2773

account-protect.work
account-viewer.work
com-active.work
com-download.work
com-option.work
com-ssl.work
com-sslnet.work
com-vps.work
default.tokyo
desk-top.work
doc-view.pw
dorey.work
dutaley.work
exiweng.work
idiolos.work
intemet.work
jp-sec.pw
jp-ssl.work
kinac.work
net-sec.pw
org-view.pw
org-view.work
org-vip.work
org-vps.work
poulsen.work
robezo.work
rtyuio.work
sslport.work
sslserver.work
ssltop.work
taplist.work
tlsmain.work
unrepong.work
verdall.xyz
vpstop.work
webmain.work

# Reference: https://twitter.com/cyberwar_15/status/1313175039307476993

daumcleaner.mywebcommunity.org
naver.mywebcommunity.org
workcrafter.mywebcommunity.org

# Reference: https://twitter.com/DeadlyLynn/status/1314181830162083841
# Reference: https://www.virustotal.com/gui/file/363386c4caa5a995d3ca9345520c90942d5d3e1aaf8056831348f92eb73c15db/detection

goldbin.myartsonline.com

# Reference: https://twitter.com/vigilantbeluga/status/1315720089316941824
# Reference: https://twitter.com/vigilantbeluga/status/1315722308703543297

hdac-wallet.com
kasse-v1.hdac-wallet.com
update.hdac-tech.com
wallet.hdac-tech.com

# Reference: https://twitter.com/vigilantbeluga/status/1255002262256025600
# Reference: https://www.virustotal.com/gui/file/3110f00c1c48bbba24931042657a21c55e9a07d2ef315c2eae0a422234623194/detection

general-second.org-help.com

# Reference: https://us-cert.cisa.gov/ncas/alerts/aa20-301a
# Reference: https://otx.alienvault.com/pulse/5f9856f8655cfd07338c8e83

account.daum.unikftc.kr
account.daum.unikortv.com
account.daurn.pe.hu
amberalexander.ghtdev.com
beyondparallel.sslport.work
bigfile.pe.hu
cdaum.pe.hu
cloudmail.cloud
cloudnaver.com
coinone.co.in
com-download.work
com-option.work
com-ssl.work
com-sslnet.work
com-vps.work
comment.poulsen.work
cooper.center
csnaver.com
daum.net.pl
daum.unikortv.com
daurn.org
daurn.pe.hu
demand.poulsen.work
dept-dr.lab.hol.es
downloadman06.com
dubai-1.com
eastsea.or.kr
gloole.net
help-navers.com
help.unikoreas.kr
helpnaver.com
hogy.desk-top.work
impression.poulsen.work
intemet.work
intranet.ohchr.account-protect.work
jonga.ml
jp-ssl.work
kooo.gq
loadmanager07.com
login.bignaver.com
login.daum.kcrct.ml
login.daum.net-accounts.info
login.daum.unikortv.com
login.outlook.kcrct.ml
mail.unifsc.com
mailsnaver.com
member-authorize.com
member.daum.uniex.kr
member.daum.unikortv.com
member.navier.pe.hu
msdatl3.inc
msolui80.inc
myaccount.nkaac.net
myaccounts.gmail.kr-infos.com
myetherwallet.co.in
myetherwallet.com.mx
naver.co.in
naver.com.cm
naver.com.de
naver.com.ec
naver.com.mx
naver.com.pl
naver.com.se
naver.cx
naver.hol.es
naver.koreagov.com
naver.onegov.com
naver.pw
naver.unibok.kr
naverdns.co
net.tm.ro
nid.naver.com.se
nid.naver.corper.be
nid.naver.onektx.com
nid.naver.unibok.kr
nid.naver.unicrefia.com
nidlogin.naver.corper.be
nidnaver.email
nidnaver.net
ns.onekorea.me
nytimes.onekma.com
org-vip.work
preview.manage.org-view.work
pro-navor.com
read-hanmail.net
read-naver.com
read.tongilmoney.com
resetprofile.com
resultview.com
riaver.site
sankei.sslport.work
securetymail.com
servicenidnaver.com
smtper.cz
smtper.org
sslserver.work
ssltop.work
statement.poulsen.work
sts.desk-top.work
taplist.work
tiosuaking.com
top.naver.onekda.com
usernaver.com
view-hanmail.net
view-naver.com
vilene.desk-top.work
vpstop.work
webmain.work
webuserinfo.com
ww-naver.com

# Reference: https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
# Reference: https://www.cyberscoop.com/north-korea-espionage-kimsuky-cybereason/
# Reference: https://otx.alienvault.com/pulse/5fa029ed2e8d9de384c74f26

csv.posadadesantiago.com/home/up.php?id=
csv.posadadesantiago.com/home?act=news&id=
csv.posadadesantiago.com/home?id=
myaccounts.posadadesantiago.com/test/Update.php?wShell=
wave.posadadesantiago.com/home/dwn.php?van=

# Reference: https://blog.alyac.co.kr/3352
# Reference: https://otx.alienvault.com/pulse/5fa1bb282c5efd7327b229a6

xeoskin.co.kr/wp/wp-includes/SimplePie/Net/

# Reference: https://twitter.com/cyberwar_15/status/1327040440189607936
# Reference: https://twitter.com/cyberwar_15/status/1327045373781635072
# Reference: https://twitter.com/cyberwar_15/status/1327403605825970176
# Reference: https://twitter.com/cyberwar_15/status/1327403626118094848

accountcheck.net
app.veryton.ml
appmedicine.whoint.cf
astrozeneca.ml
bidmc.accountcheck.net
daumi.club
daurn.ga
dup.photo.oiiio.ga
email-hanwha.pe.hu
genexine.member-info.net
jnj.accountcheck.net
kaist.r-naver.com
kari.gq
kimm.r-naver.com
krnvc.ga
logins.daumi.club
logins.daurn.ga
love.krnvc.ga
mail.astrozeneca.ml
member-info.net
oiiio.ga
on.color.oiiio.ga
r-naver.com
shinpoong.accountcheck.net
shinpoong.r-naver.com
shkj.hol.es
veryton.ml
webmail.kari.gq
whoint.cf

# Reference: https://twitter.com/RedDrip7/status/1329628989699235840
# Reference: https://otx.alienvault.com/pulse/5fb804ac581df7fe4f35bfd6
# Reference: https://www.virustotal.com/gui/file/9365ce79a51768a398cc22ec701d5f256de827fbefed283c933dea4052d66027/detection

pelebra.atwebpages.com

# Reference: https://twitter.com/jfslowik/status/1330611004456067073

asia-studies.net
itamaraty.net
midsecurity.org
netsecurityservice.com
securitycounci1report.org

# Reference: https://twitter.com/cyberwar_15/status/1332300116179312640

bidmc.accountcheck.net
genexine.member-info.net
jnj.accountcheck.net
shinpoong.accountcheck.net
shinpoong.r-naver.com

# Reference: https://twitter.com/cyberwar_15/status/1333181928606814211

daumusercenter.web.app

# Reference: https://twitter.com/cyberwar_15/status/1333767468473487363

autoway.huyndai.ml
huyndai.ml

# Reference: https://twitter.com/Timele9527/status/1333971180290592769

documentserver.site

# Reference: https://twitter.com/h2jazi/status/1339226171272286209
# Reference: https://blog.alyac.co.kr/3458 (Korean)
# Reference: https://otx.alienvault.com/pulse/5fdbc57a744937101f4f9adc

hahae.co.kr/new3/ISAF/Libs/php/cross.php

# Reference: https://twitter.com/RedDrip7/status/1336258913323216896
# Reference: https://www.virustotal.com/gui/file/1909010c264328edaf24cc2804d4f046aabd3c59de45e1d295d4155eb466d753/detection

price365.co.kr/abbi/json/ps/aa.php

# Reference: https://twitter.com/cyberwar_15/status/1343610577894088704
# Reference: https://www.virustotal.com/gui/ip-address/27.255.79.204/relations

bkl-co.ml
conm.ga
covision.tk
dongguk.ml
edongwon.ml
edongyang.ml
ejnuac.ml
ekecc.ml
ekoreapetroleum.ml
eland.ml
enepa.cf
esmec.ml
gwdeuac.ml
gwpancon.ml
imperial.fit
kangwon.ml
kccworld.ml
kyungnam.ml
kyungnam.tk
kyungshin.ml
leeko.ml
maeil.ml
miraeasset.ml
naver.srl
nexaemc.ml
nh-amundi.ml
onestorecorp.ml
s-food.ml
samyang.ml
sejonggroup.ml
slworld.cf
sogang.ml
tlbu.ml
webnaver.srl
wonik.ml
yncc.ml
zdnet.ga
email.dongwon.ml
email.dongyang.ml
email.jnuac.ml
email.kecc.ml
email.koreapetroleum.ml
email.nepa.cf
ext.imperial.fit
gwmail.deuac.ml
gwmail.pancon.ml
mail.bkl-co.ml
mail.conm.ga
mail.covision.tk
mail.dongguk.ml
mail.eland.ml
mail.esmec.ml
mail.kangwon.ml
mail.kccworld.ml
mail.kyungnam.ml
mail.kyungnam.tk
mail.kyungshin.ml
mail.leeko.ml
mail.maeil.ml
mail.miraeasset.ml
mail.naver.srl
mail.nh-amundi.ml
mail.onestorecorp.ml
mail.s-food.ml
mail.samyang.ml
mail.sejonggroup.ml
mail.slworld.cf
mail.sogang.ml
mail.tlbu.ml
mail.wonik.ml
mail.yncc.ml
mail.zdnet.ga
nidlogin.naver.srl
nmail.exaemc.ml
webmail.naver.srl

# Reference: https://twitter.com/cyberwar_15/status/1345704290069876736

karist.cf
kaist-ac.xyz
krfa.ml
veryton.ml
kaist.krfa.ml
kaist-ac.xyz
mail.kaist-ac.xyz
vpn.karist.cf
app.veryton.ml

# Reference: https://twitter.com/h2jazi/status/1347225069890789376
# Reference: https://www.virustotal.com/gui/file/18ee06625f7bddadafa8c256d63a123f4e69d5488f88828052fd7803b3aa8b3b/detection

cwda.co.kr/theme/basic/skin/new/basic/update/

# Reference: https://twitter.com/AnonySecAgency/status/1350988738973884418
# Reference: https://www.virustotal.com/gui/file/fd740b70649f06269bf8fe2d0d4fdd87d99606a7a666c4f6a2fc89bee70b6649/detection

connectter.atwebpages.com

# Reference: https://twitter.com/cyberwar_15/status/1352117474943135745
# Reference: https://twitter.com/cyberwar_15/status/1352117964527423490
# Reference: https://www.virustotal.com/gui/ip-address/121.78.88.85/relations

attach.ddns.net
bigfile-naver.servepics.com
cafe-daum.ddns.net
naver.serveblog.net
naver.servehttp.com

# Reference: https://twitter.com/ShadowChasing1/status/1358713278390673408
# Reference: https://www.virustotal.com/gui/file/39bd6b689b02d6dee329131a51aa09301889faf5698eeac0d02aef0ba47cf024/detection
# Reference: https://www.virustotal.com/gui/file/a8820cc75cd580c8eda747931eb36f5943cece48ba720af9771cf16490a78aa6/detection

reform-ouen.com/wp-includes/css/dist/nux/dotm/dwn.php

# Reference: https://twitter.com/ShadowChasing1/status/1362575412539183115
# Reference: https://www.virustotal.com/gui/file/115b9bf1c6f6040248dfa1a77044143dc318e3712ad613a022b4cced6007906f/detection

anpcb.co.kr/plugin/sns/facebook/src/update/normal.dotm

# Reference: https://twitter.com/AnonySecAgency/status/1366948179762024449
# Reference: https://www.virustotal.com/gui/file/73476d8ed35d6bbdaab3e7a17de7668af3860e994ac59107ecbe1aba7e40ace1/detection
# Reference: https://www.virustotal.com/gui/file/412baf955c1e256c4e8bf7e07ce0f1fbf14c03d11ed98932be45a58a14d55690/detection

monkey.funnystory.tech
seoul.lastpark.life

# Reference: https://twitter.com/ShadowChasing1/status/1368827485253627907
# Reference: https://www.virustotal.com/gui/file/e46887db62f3ee5583587531358e1b70cc8a171067fa4e1ae3e6693f7f9fc938/detection

koreacit.co.kr/skin/

# Reference: https://twitter.com/ShadowChasing1/status/1372464570183208961
# Reference: https://www.virustotal.com/gui/file/50d826640cc9ba66b789f0823f04308178b435f7eb39021bf7861061849f7efd/detection

inonix.co.kr/kor/board/widgets/mcontent/skins/tmp

# Reference: https://twitter.com/ShadowChasing1/status/1372537353311449091

waels.onlinewebshop.net/st/

# Reference: https://twitter.com/Xxx_8885/status/1373888922179170305
# Reference: https://twitter.com/Xxx_8885/status/1373889297414123521
# Reference: https://www.virustotal.com/gui/file/a030873cf5a9b8c76740a1ba9a4d28fc7acf4ce71ebebbe33a46be372f551004/detection
# Reference: https://www.virustotal.com/gui/file/a56163d758cd4a0a00e0991b7a4aecab35fdecb59df6d1821488826f8b37d7b9/detection
# Reference: https://www.virustotal.com/gui/file/e532685d362475dd3dec1aacedff87c7b32ec3573714a9f56ac87905fa13d66c/detection
# Reference: https://www.virustotal.com/gui/file/00bbab408dbc5c1a95143f75c282a74dddd5a87df533d7d198c1fc7eb2138269/detection
# Reference: https://www.virustotal.com/gui/file/a2465f753ff409cbd036cc0235704e3f49d9a52b8e4e2bc812428d7c8ea6f32b/detection

http://200.200.200.200/test/v.php
eucie091.myartsonline.com
eucie09111.myartsonline.com
ftcpark59.getenjoyment.net

# Reference: https://twitter.com/blackorbird/status/1377218251344633856
# Reference: https://twitter.com/RedDrip7/status/1377217232573321220

policy.webofknowledg.com
usamilitarysavings.webofknowledg.com
webofknowledg.com

# Reference: https://twitter.com/ShadowChasing1/status/1377841916948082689
# Reference: https://www.virustotal.com/gui/file/873b8fb97b4b0c6d7992f6af15653295788526def41f337c651dc64e8e4aeebd/detection
# Reference: https://www.virustotal.com/gui/file/4a1c43258fe0e3b75afc4e020b904910c94d9ba08fc1e3f3a99d188b56675211/detection

pcsecucheck.scienceontheweb.net

# Reference: https://twitter.com/ShadowChasing1/status/1377900770629099530
# Reference: https://www.virustotal.com/gui/file/3dd9628b3f92a1f8c340e546343c1c1448de94212a9c19e83cae661eba2d1b37/detection

beilksa.scienceontheweb.net

# Reference: https://twitter.com/mg2_tracy1/status/1379269472926638081
# Reference: https://www.virustotal.com/gui/file/b89e79ee9c4834177cbabba9b265910a6a55c7defd2863cc1699753dbfa342b8/detection

baboivan.scienceontheweb.net

# Reference: https://twitter.com/h2jazi/status/1380510153397637127
# Reference: https://www.virustotal.com/gui/file/e6f0d7e114c04017b07f321ba4df440ff55718ef451b1a3cb0f1c0856bd1c86e/detection

pc.ac-kr.esy.es

# Reference: https://twitter.com/ShadowChasing1/status/1382509560179531782
# Reference: https://www.virustotal.com/gui/file/e7fae41c0bd8d3d95253bd75dce99015599ecc404bd8d737cec305fc3e4dd018/detection

wbg0909.scienceontheweb.net