# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://otx.alienvault.com/pulse/5c93c4e48312d159728a9d78
# Reference: https://blog.alyac.co.kr/2209 (Korean)

maii-daum-net.atwebpages.com
nate-on.bug3.com
hanmail.membercp.net
korea.getenjoyment.net
mail.membercp.net
/itsme.daum

# Reference: https://twitter.com/blackorbird/status/1086970613552447489

safe-naver-mail.pe.hu

# Reference: https://twitter.com/blackorbird/status/1113318554563076096
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/aptnote0403
# Reference: https://blog.alyac.co.kr/2234 (Korean)

tcjst.com

# Reference: https://twitter.com/blackorbird/status/1118334122592591872
# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf
# Reference: https://www.virustotal.com/gui/ip-address/192.186.142.74/relations
# Reference: https://otx.alienvault.com/pulse/5cb6e14b2fefc160d9e18b24

http://192.186.142.74
192.186.142.74:81
seoulhobi.biz

# Reference: https://twitter.com/RedDrip7/status/1133268937808859136

lovemoney.mypressonline.com

# Reference: https://blog.alyac.co.kr/2336 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d13373f428cfccd0fa506a6

hellojames.sportsontheweb.net

# Generic trails (also can be met in https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)

/expres.php

# Reference: https://blog.alyac.co.kr/2347 (Korean)
# Reference: https://otx.alienvault.com/pulse/5cffce34469a83ecb23c93db

http://202.168.155.156
carolie-svr-v1.16mb.com
my-homework.890m.com
naver-security-mail.96.lt
oeks39402.890m.com
filer1.1apps.com
filer2.1apps.com
kuku675.site11.com
kuku79.herobo.com

# Reference: https://blog.alyac.co.kr/2389 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d14b11389f0f0ece394fab8

atene.myartsonline.com
hellojames.sportsontheweb.net
nid2-naver-com.medianewsonline.com
smalldeal.mypressonline.com

# Reference: https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks
# Reference: https://otx.alienvault.com/pulse/5d5d6f5c5f0e4d2b7f5f3208
# Reference: https://twitter.com/blackorbird/status/1164370375490228224

alone-service.work
app-support.work
check-up.work
com-main.work
doc-view.work
login-confirm.work
member-service.work
minner.work
short-line.work
sub-state.work
web-line.work