# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: Black Banshee, Velvet Chollima

# Reference: https://otx.alienvault.com/pulse/5c93c4e48312d159728a9d78
# Reference: https://blog.alyac.co.kr/2209 (Korean)

maii-daum-net.atwebpages.com
nate-on.bug3.com
hanmail.membercp.net
korea.getenjoyment.net
mail.membercp.net
/itsme.daum

# Reference: https://twitter.com/blackorbird/status/1086970613552447489

safe-naver-mail.pe.hu

# Reference: https://twitter.com/blackorbird/status/1113318554563076096
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/aptnote0403
# Reference: https://blog.alyac.co.kr/2234 (Korean)

tcjst.com

# Reference: https://twitter.com/blackorbird/status/1118334122592591872
# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf
# Reference: https://www.virustotal.com/gui/ip-address/192.186.142.74/relations
# Reference: https://otx.alienvault.com/pulse/5cb6e14b2fefc160d9e18b24

http://192.186.142.74
192.186.142.74:81
seoulhobi.biz

# Reference: https://twitter.com/RedDrip7/status/1133268937808859136

lovemoney.mypressonline.com

# Reference: https://blog.alyac.co.kr/2336 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d13373f428cfccd0fa506a6

hellojames.sportsontheweb.net

# Generic trails (also can be met in https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)

/expres.php

# Reference: https://blog.alyac.co.kr/2347 (Korean)
# Reference: https://otx.alienvault.com/pulse/5cffce34469a83ecb23c93db

http://202.168.155.156
carolie-svr-v1.16mb.com
my-homework.890m.com
naver-security-mail.96.lt
oeks39402.890m.com
filer1.1apps.com
filer2.1apps.com
kuku675.site11.com
kuku79.herobo.com

# Reference: https://blog.alyac.co.kr/2389 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d14b11389f0f0ece394fab8

atene.myartsonline.com
hellojames.sportsontheweb.net
nid2-naver-com.medianewsonline.com
smalldeal.mypressonline.com

# Reference: https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks
# Reference: https://otx.alienvault.com/pulse/5d5d6f5c5f0e4d2b7f5f3208
# Reference: https://twitter.com/blackorbird/status/1164370375490228224

alone-service.work
app-support.work
check-up.work
com-main.work
doc-view.work
login-confirm.work
member-service.work
minner.work
short-line.work
sub-state.work
web-line.work

# Reference: https://twitter.com/cyberwar_15/status/1166592637371060226

rnailr.com

# Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf
# Reference: https://otx.alienvault.com/pulse/5d6d754babe6ca295f94cb1b

accounted.top
acounts.work
ahooc.com
alive-user.work
alone-service.work
app-house.online
app-main.site
app-support.site
app-support.work
check-line.site
check-operation.site
check-up.work
client-mobile.work
confirm-main.work
dounn.net
dovvn-mail.com
drog-service.com
eposcard.co
first-state.work
gstaticstorage.com
heehorse.com
hotrnall.co
imap-login.com
inbox-mail.work
inbox-yahoo.com
lh-login.com
lh-logs.com
lh-yahoo.com
local-link.work
log-yahoo.com
login-confirm.site
login-confirm.work
login-history.pw
login-sec.com
login-use.com
login-yahoo.info
logins-yahoo.com
mail-down.com
mail-inc.work
mail-service.win
mailseco.com
main-line.work
main-service.site
main-support.work
matmiho.com
member-service.work
message-inbox.work
minner.work
mobile-device.site
mobile-phone.work
myprivacy.work
net-policies.work
old-version.work
online-support.work
open-auth.work
options.work
page-view.work
phlogin.com
profile-setting.work
protect-com.work
protect-mail.work
protect-main.site
retry-confirm.com
script-main.site
sec-line.work
sec-live.com
set-login.com
setting-main.work
share-check.site
short-line.work
sign-in.work
srnbc-card.com
user-account.link
user-accounts.net
user-service.link
user-service.work
viewetherwallet.com
wallet-vahoo.com
weak-online.work
web-info.work
web-mind.work
web-online.work
web-rain.work
web-state.work
web-store.work
yah00.work
yrnall.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1177115401400016901
# Reference: https://blog.alyac.co.kr/2538 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d8dd05bac456c1dade338df

joelwisian.com
reunionhomesok.com

# Reference: https://twitter.com/blackorbird/status/1178497550938034177

eoplus.co.kr/board/pressed/
eoplus.co.kr/board/presset/

# Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf
# Reference: https://otx.alienvault.com/pulse/5d9f541a43c2babf60994786

c-naver.com
daum-center.net
rrnaver.com
udaum.net
account-google.member-authorize.com
user-manage-center.hol.es
user-daum-center.pe.hu
user-protect-center.pe.hu
naiei-aldiel.16mb.com
nid-protect-team.pe.hu
nid-management-team.890m.com
oeks39402.890m.com
vkcxvkweo.96.lt

# Reference: https://otx.alienvault.com/pulse/5dac36de0d5134df36b16666

clouds.scienceontheweb.net

# Reference: https://twitter.com/spider_girl22/status/1191306963369353216

online---shop.atwebpages.com

# Reference: https://blog.alyac.co.kr/2645 (Korean)
# Reference: https://otx.alienvault.com/pulse/5de68f93fc4d8a6303a7598b

member-view-center.esy.es
primary-help.esy.es
ago2.co.kr/bbs/data/dir/F.php
antichrist.or.kr/data/cheditor/dir1/F.php
gyjmc.com/board/data/cheditor/dir1/F.php

# Reference: https://otx.alienvault.com/pulse/5e257c8c189e48e8e053e75b

antichrist.or.kr/data/cheditor/dir1/lyric64
batgalim.org.il/facebook/Facebook/Entities/ppp/encoding.png
jonashartley.com/hilaryolsen/wp-includes/images/crystal/1122/upload.php
jonashartley.com/hilaryolsen/wp-admin/network/run.php
jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/res.php
jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/expres.php
jonashartley.com/hilaryolsen/wp-includes/customize/1111/res.php
jonashartley.com/hilaryolsen/wp-includes/customize/1111/expres.php
happy-new-year.esy.es
safe-naver-mail.pe.hu

# Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf
# Reference: https://otx.alienvault.com/pulse/5e42fd9c9fa37be52610c5c5

accounting-microsofft.epizy.com
csdaum-help.esy.es
daum-account-login.esy.es
daum-account-login.esy.esoeks39402.890m.com
daum-account-signin.pe.hu
daum-login-protect.hol.es
daum-setting.hol.es
daum-stting.hol.es
daumlogin.esy.es
gyjmc.com
mail-customer-safety-center.hol.es
mail-kinu.hol.es
mail-naver-protect.hol.es
mail.naver.comuf.com
member-authorize.com
member-daum-regist.hol.es
member-view-center.esy.es
memver-view-center.esy.es
nager-relogin-security.96.lt
naiei-ldel.16mb.com
naver-password.esy.es
naver-security-mail.96.lt
naverhelp.esy.es
naverkorea.esy.es
naverlogin.esy.es
nid-mail.pe.hu
nid-management-team.890m.com
nid-protect-team.pe.hu
primary-help.esy.es
protect-yahoo-teeam.000webhostapp.com
security-mail-daum.000webhostapp.com
snu-mail-ac-kr.esy.es
suppcrt-seourity.esy.es
uefa2018.000webhostapp.com
user-daum-center.pe.hu
user-management-center.hol.es
user-protect-center.pe.hu
vkcxvkweo.96.lt
webrnail-kinu.hol.es

# Reference: https://twitter.com/anyrun_app/status/1115513990711521280
# Reference: https://www.virustotal.com/gui/file/540336c5e61d589776e267eed14eac835720b4484312434ce4f27adfec8bf817/detection

185.224.137.164:21

# Reference: https://twitter.com/cyberwar_15/status/1227709181605613569

happy-boy.pe.hu

# Reference: https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html
# Reference: https://otx.alienvault.com/pulse/5e4c19894aad216887c8cb3d

ago2.co.kr/bbs/data/tmp
aiyac-updaite.hol.es
daum-center.net
embed-helper.esy.es
er-manage-center.hol.es
finale-jack.esy.es
kakao-check.esy.es
my-homework.890m.com
naver-mail-com.hol.es
nid-protect-team.pe.hu
nid-yyanagemeniteam.890m.com
nortice-centre.esy.es
oeks39402.890m.com
rrnaver.com
simple-hick.esy.es
suppcrt-seourity.esy.es
udaum.net
upgradesrv.890m.com
user-daum-center.pe.hu
user-manage-cenier.nol.es
user-protect-center.pe.hu

# Reference: https://twitter.com/cyberwar_15/status/1230093739554557953

pingball.mygamesonline.org

# Reference: https://twitter.com/spider_girl22/status/1233198285747154944
# Reference: https://twitter.com/cyberwar_15/status/1241591674255446016
# Reference: https://app.any.run/tasks/f4172853-90e6-49ad-be7b-bf6efa771448/

nagoya.datastore.pe.hu
suzuki.datastore.pe.hu
toyota.datastore.pe.hu

# Reference: https://blog.alyac.co.kr/2737 (Korean)

mernberinfo.tech

# Reference: https://twitter.com/cyberwar_15/status/1232989735011794945
# Reference: https://www.virustotal.com/gui/file/2cd5f1852ac6d3ed481394ea0abc49f16789c12fb81bcdf9988762730fb0aa8f/detection
# Reference: https://twitter.com/spider_girl22/status/1234761655214493697
# Reference: https://twitter.com/cyberwar_15/status/1240677656451899394
# Reference: https://twitter.com/Timele9527/status/1240620534468997125

all200.mireene.com
crphone.mireene.com
jmable.mireene.com
jmdesign.mireene.com
nhpurumy.mireene.com
orblog.mireene.com
sgmedia.mireene.com
vnext.mireene.com

# Reference: https://twitter.com/Timele9527/status/1240123132419223554

mybobo.mygamesonline.org

# Reference: https://twitter.com/DeadlyLynn/status/1245264426321600513

saemaeul.mireene.com

# Reference: https://twitter.com/AnonySecAgency/status/1250605504520318977

rolls-royce-love.890m.com

# Reference: https://twitter.com/VK_Intel/status/1257243399742251010

upload.bigfile.hol.es

# Reference: https://twitter.com/AnonySecAgency/status/1263047043150299136

gotoclean.com.co
ricefarm.kr/bbs/st/expres.php

# Reference: https://twitter.com/cyberwar_15/status/1266553918454067201
# Reference: https://www.rfa.org/korean/in_focus/nkhacking-05292020160533.html (Korean)

com-download.work

# Reference: https://twitter.com/cyberwar_15/status/1268073043365990401

part.bigfile.pe.hu

# Reference: https://blog.alyac.co.kr/3033 (Korean)
# Reference: https://otx.alienvault.com/pulse/5ed7c80f673c40df00c52fa6

boaz.kr/skin/member/basic/css/cross.php
boaz.kr/skin/member/basic/css/report.php
boaz.kr/skin/member/log/cross.php
boaz.kr/skin/member/log/pre.hta
boaz.kr/skin/member/log/report.php
boaz.kr/skin/member/log/suf.hta

# Reference: https://twitter.com/XOR_Hex/status/1273023258535886848

dept-dp.lab.hol.es

# Reference: https://twitter.com/cyberwar_15/status/1273435333430935552

gbxhd.org-help.com

# Reference: https://twitter.com/ccxsaber/status/1273804166612135940

security-confirm.bmail-org.com

# Reference: https://twitter.com/ShadowChasing1/status/1274724519803043852

finalist.org-help.com

# Reference: https://twitter.com/cyberwar_15/status/1275368364819410950

foxhunter.getenjoyment.net
korea.getenjoyment.net
pootball.getenjoyment.net

# Reference: https://twitter.com/DeadlyLynn/status/1275998401524424704

attachchosun.atwebpages.com

# Reference: https://twitter.com/ccxsaber/status/1278941222166380545

lovelovelove.atwebpages.com

# Reference: https://twitter.com/DeadlyLynn/status/1281840956170317824

bascetball.atwebpages.com

# Reference: https://twitter.com/cyberoverdrive/status/1285955528770891776
# Reference: https://www.virustotal.com/gui/file/4fae9a942aafddc8ee21a753302cec3c5273d3f71e132f176cb799dd922e30ac/detection

pingguo5.atwebpages.com

# Reference: https://app.any.run/tasks/74d55d02-7bbd-444c-a01b-30ac52a7e576/

foxonline123.atwebpages.com

# Reference: https://twitter.com/cyberwar_15/status/1296301860312084482

jongjin.000webhostapp.com

# Reference: https://twitter.com/DeadlyLynn/status/1299970605043707905
# Reference: https://www.virustotal.com/gui/file/4ff2a67b094bcc56df1aec016191465be4e7de348360fd307d1929dc9cbab39f/detection

portable.epizy.com

# Reference: https://otx.alienvault.com/pulse/5f737caa710907613c4d2773

account-protect.work
account-viewer.work
com-active.work
com-download.work
com-option.work
com-ssl.work
com-sslnet.work
com-vps.work
default.tokyo
desk-top.work
doc-view.pw
dorey.work
dutaley.work
exiweng.work
idiolos.work
intemet.work
jp-sec.pw
jp-ssl.work
kinac.work
net-sec.pw
org-view.pw
org-view.work
org-vip.work
org-vps.work
poulsen.work
robezo.work
rtyuio.work
sslport.work
sslserver.work
ssltop.work
taplist.work
tlsmain.work
unrepong.work
verdall.xyz
vpstop.work
webmain.work

# Reference: https://twitter.com/cyberwar_15/status/1313175039307476993

daumcleaner.mywebcommunity.org
naver.mywebcommunity.org
workcrafter.mywebcommunity.org

# Reference: https://twitter.com/DeadlyLynn/status/1314181830162083841
# Reference: https://www.virustotal.com/gui/file/363386c4caa5a995d3ca9345520c90942d5d3e1aaf8056831348f92eb73c15db/detection

goldbin.myartsonline.com

# Reference: https://twitter.com/vigilantbeluga/status/1315720089316941824
# Reference: https://twitter.com/vigilantbeluga/status/1315722308703543297

hdac-wallet.com
kasse-v1.hdac-wallet.com
update.hdac-tech.com
wallet.hdac-tech.com

# Reference: https://twitter.com/vigilantbeluga/status/1255002262256025600
# Reference: https://www.virustotal.com/gui/file/3110f00c1c48bbba24931042657a21c55e9a07d2ef315c2eae0a422234623194/detection

general-second.org-help.com