# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://otx.alienvault.com/pulse/5c93c4e48312d159728a9d78
# Reference: https://blog.alyac.co.kr/2209 (Korean)

maii-daum-net.atwebpages.com
nate-on.bug3.com
hanmail.membercp.net
korea.getenjoyment.net
mail.membercp.net
/itsme.daum

# Reference: https://twitter.com/blackorbird/status/1086970613552447489

safe-naver-mail.pe.hu

# Reference: https://twitter.com/blackorbird/status/1113318554563076096
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/aptnote0403
# Reference: https://blog.alyac.co.kr/2234 (Korean)

tcjst.com

# Reference: https://twitter.com/blackorbird/status/1118334122592591872
# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf
# Reference: https://www.virustotal.com/gui/ip-address/192.186.142.74/relations
# Reference: https://otx.alienvault.com/pulse/5cb6e14b2fefc160d9e18b24

http://192.186.142.74
192.186.142.74:81
seoulhobi.biz

# Reference: https://twitter.com/RedDrip7/status/1133268937808859136

lovemoney.mypressonline.com

# Reference: https://blog.alyac.co.kr/2336 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d13373f428cfccd0fa506a6

hellojames.sportsontheweb.net

# Generic trails (also can be met in https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)

/expres.php

# Reference: https://blog.alyac.co.kr/2347 (Korean)
# Reference: https://otx.alienvault.com/pulse/5cffce34469a83ecb23c93db

http://202.168.155.156
carolie-svr-v1.16mb.com
my-homework.890m.com
naver-security-mail.96.lt
oeks39402.890m.com
filer1.1apps.com
filer2.1apps.com
kuku675.site11.com
kuku79.herobo.com

# Reference: https://blog.alyac.co.kr/2389 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d14b11389f0f0ece394fab8

atene.myartsonline.com
hellojames.sportsontheweb.net
nid2-naver-com.medianewsonline.com
smalldeal.mypressonline.com

# Reference: https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks
# Reference: https://otx.alienvault.com/pulse/5d5d6f5c5f0e4d2b7f5f3208
# Reference: https://twitter.com/blackorbird/status/1164370375490228224

alone-service.work
app-support.work
check-up.work
com-main.work
doc-view.work
login-confirm.work
member-service.work
minner.work
short-line.work
sub-state.work
web-line.work

# Reference: https://twitter.com/cyberwar_15/status/1166592637371060226

rnailr.com

# Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf
# Reference: https://otx.alienvault.com/pulse/5d6d754babe6ca295f94cb1b

accounted.top
acounts.work
ahooc.com
alive-user.work
alone-service.work
app-house.online
app-main.site
app-support.site
app-support.work
check-line.site
check-operation.site
check-up.work
client-mobile.work
confirm-main.work
dounn.net
dovvn-mail.com
drog-service.com
eposcard.co
first-state.work
gstaticstorage.com
heehorse.com
hotrnall.co
imap-login.com
inbox-mail.work
inbox-yahoo.com
lh-login.com
lh-logs.com
lh-yahoo.com
local-link.work
log-yahoo.com
login-confirm.site
login-confirm.work
login-history.pw
login-sec.com
login-use.com
login-yahoo.info
logins-yahoo.com
mail-down.com
mail-inc.work
mail-service.win
mailseco.com
main-line.work
main-service.site
main-support.work
matmiho.com
member-service.work
message-inbox.work
minner.work
mobile-device.site
mobile-phone.work
myprivacy.work
net-policies.work
old-version.work
online-support.work
open-auth.work
options.work
page-view.work
phlogin.com
profile-setting.work
protect-com.work
protect-mail.work
protect-main.site
retry-confirm.com
script-main.site
sec-line.work
sec-live.com
set-login.com
setting-main.work
share-check.site
short-line.work
sign-in.work
srnbc-card.com
user-account.link
user-accounts.net
user-service.link
user-service.work
viewetherwallet.com
wallet-vahoo.com
weak-online.work
web-info.work
web-mind.work
web-online.work
web-rain.work
web-state.work
web-store.work
yah00.work
yrnall.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1177115401400016901
# Reference: https://blog.alyac.co.kr/2538 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d8dd05bac456c1dade338df

joelwisian.com
reunionhomesok.com

# Reference: https://twitter.com/blackorbird/status/1178497550938034177

eoplus.co.kr/board/pressed/
eoplus.co.kr/board/presset/

# Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf
# Reference: https://otx.alienvault.com/pulse/5d9f541a43c2babf60994786

c-naver.com
daum-center.net
rrnaver.com
udaum.net
account-google.member-authorize.com
user-manage-center.hol.es
user-daum-center.pe.hu
user-protect-center.pe.hu
naiei-aldiel.16mb.com
nid-protect-team.pe.hu
nid-management-team.890m.com
oeks39402.890m.com
vkcxvkweo.96.lt

# Reference: https://otx.alienvault.com/pulse/5dac36de0d5134df36b16666

clouds.scienceontheweb.net

# Reference: https://twitter.com/spider_girl22/status/1191306963369353216

online---shop.atwebpages.com

# Reference: https://blog.alyac.co.kr/2645 (Korean)
# Reference: https://otx.alienvault.com/pulse/5de68f93fc4d8a6303a7598b

member-view-center.esy.es
primary-help.esy.es
ago2.co.kr/bbs/data/dir/F.php
antichrist.or.kr/data/cheditor/dir1/F.php
gyjmc.com/board/data/cheditor/dir1/F.php

# Reference: https://otx.alienvault.com/pulse/5e257c8c189e48e8e053e75b

antichrist.or.kr/data/cheditor/dir1/lyric64
batgalim.org.il/facebook/Facebook/Entities/ppp/encoding.png
jonashartley.com/hilaryolsen/wp-includes/images/crystal/1122/upload.php
jonashartley.com/hilaryolsen/wp-admin/network/run.php
jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/res.php
jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/expres.php
jonashartley.com/hilaryolsen/wp-includes/customize/1111/res.php
jonashartley.com/hilaryolsen/wp-includes/customize/1111/expres.php
happy-new-year.esy.es
safe-naver-mail.pe.hu