# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: appleworm, apt-c-26, apt-q-1, dangerous passwords, hidden cobra, guardians of peace, zinc, nickel academy, manuscrypt, applejeus, citrine sleet, diamond sleet, famous chollima, labyrinth chollima, unc4736, poolrat, pondrat, tradertraitor, ottercookie, golangghost, pychollima, pylangghost, pebbledash, hexeval loader, xorindex loader, alluring pisces, bureau-1121, cl-sta-240, covellite, dark seoul, group-77, hastati group, jade sleet, jumpy pisces, moonstone sleet, newromanic cyberarmy team, operation darkseoul, operation ghostsecret, operation troy, pukchong, ref9135, slow pisces, stardust, unit-121, whois hacking team, diamondsleet, romeogolf, themeforestrat, remotepeloader, gleaming pisces, akdoortea, postnaptea, tropidoor, weaselstore, purplebravo, waterplum, unc5342, cl-sta-0240, deceptivedevelopment, dev#popper, gwisin gang, tenacious pungsan, void dokkaebi, unc5267, storm-1877, nickel tapestry, purple bravo, beavertail, invisibleferret, tropidoor, wagemole, scoringmathtea, sectora01 # Reference: https://cdn.securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf exbonus.mrbasic.com movis-es.ignorelist.com tradeboard.mefound.com update.toythieves.com sap.misapor.ch # Reference: https://securelist.com/operation-applejeus/87553/ celasllc.com 185.142.236.226 185.142.239.173 196.38.48.121 80.82.64.91 # Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea tpddata.com itaddnet.com wifispeedcheck.net coinoen.org coinmaketcape.com bitfiniex.org apshenyihl.com/include/arc.speclist.class.php ap8898.com/include/arc.search.class.php anlway.com/include/arc.search.class.php tpddata.com/skins/skin-8.thm tpddata.com/skins/skin-6.thm 168wangpi.com/include/charset.php ando.co.kr/service/s_top.asp ansetech.co.kr/smarteditor/common.asp 
mileage.krb.co.kr/common/db_conf.asp 028xmz.com/include/common.php 33cow.com/include/control.php 51up.com/ace/main.asp 530hr.com/data/common.php 97nb.net/include/arc.sglistview.php marmarademo.com/include/extend.php paulkaren.com/synthpop/main.asp shieldonline.co.za/sitemap.asp # Reference: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/ # Reference: https://twitter.com/KevinPerlow/status/1083759627714682880 # Reference: https://twitter.com/Bank_Security/status/1107543887462064128 # Reference: https://www.hybrid-analysis.com/sample/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/5c8a414a0388381b3f329926 # Reference: https://www.virustotal.com/gui/file/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/detection # Reference: https://twitter.com/ClearskySec/status/1084463729633316864 bodyshoppechiropractic.com drupdate.club ecombox.store /tbl_add.php # Reference: https://otx.alienvault.com/pulse/5c8b8e19261a7451de02bf60/ http://37.238.135.70/img/anan.jpg # Reference: https://otx.alienvault.com/pulse/5c9a4d9f90726d0988873a2b # Reference: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/ dev.microcravate.com nzssdm.com bluecreekrobotics.com/wp-includes/common.php dev.microcravate.com/wp-includes/common.php dev.whatsyourcrunch.com/wp-includes/common.php enterpriseheroes.com.ng/wp-includes/common.php hrgp.asselsolutions.com/wp-includes/common.php baseballcharlemagnelegardeur.com/wp-content/languages/common.php bogorcenter.com/wp-content/themes/index2.php eventum.cwsdev3.bi.com/wp-includes/common.php streamf.ru/wp-content/index2.php towingoperations.com/chat/chat.php vinhsake.com/wp-content/uploads/index2.php tangowithcolette.com/pages/common.php # Reference: https://twitter.com/blackorbird/status/1110750919082147842 # Reference: https://blog.alyac.co.kr/2219 alahbabgroup.com http://47.91.56.21/verify.php http://103.225.168.159/admin/verify.php # Reference: 
https://twitter.com/blackorbird/status/1111449536910680065 wb-bot.org wb-invest.net # Reference: https://twitter.com/KevinPerlow/status/1136994848341409792 sbackservice.com # Reference: https://twitter.com/navSi16/status/1148192534654439426 # Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7 sensationalsecrets.com/js/left.php # Reference: https://twitter.com/blackorbird/status/1148843702690832385 194.45.8.41:443 # Reference: https://twitter.com/bad_packets/status/1148864469486854144 # Reference: https://pastebin.com/G0Ad5Ut6 http://178.128.253.67/tbl_add.php # Reference: https://twitter.com/RedDrip7/status/1148887458152472576 byucksanpaint.com/community/com_gon_open.asp # Reference: https://otx.alienvault.com/pulse/5d2c64b174175b03e7db85cd http://103.53.176.145:8080/ServiceDeskPlus/products.do http://111.68.126.155:8080/ServiceDeskPlus/products.do http://137.117.57.244:8080/ServiceDeskPlus/products.do chanbang.co.kr/board/check.asp chanbang.co.kr/family/check.asp chanbang.co.kr/gonggu/upload.asp difa.or.kr/common/asp/inc_Comn.asp edenenc.co.kr/Report/RptMyReport.asp egreenland.co.kr/cheditor2/example/newpost.asp hanbook.co.kr/partnershop/hanmail_ep.asp img.kindermom.co.kr/frameart/print/footer.mov kgsa1015.co.kr/upload/member/member.asp rodaxsankyokorea.com/upload/favicon/favicon.asp sinokor-eng.com/sub/sub01_09.asp # Reference: https://otx.alienvault.com/pulse/5d2dca0a1c7d00fa07be15e5 byucksanpaint.com/community/com_gon_open.asp byucksanpaint.com/main/main4.asp keyang.co.kr/pub/editor/wa_path.asp upload.childu.co.kr/include/OnlyOne1.asp # Reference: https://twitter.com/cyberwar_15/status/1152035187196223488 lavaandstone.com/wp-content/plugins/fusion-core/about.php sales.alitho.com/wp-content/themes/sketch/about.php amytanathorn.com/wp-admin/includes/about.php # Reference: https://twitter.com/cyberwar_15/status/1153123863435214848 rhythm86.com/wp-content/themes/twentysixteen/about.php cabba-cacao.com/wp-content/themes/integral/about.php 
3x-tv.com/plugins/editors/about.php # Reference: https://twitter.com/KorbenD_Intel/status/1158479283549089792 # Reference: https://www.virustotal.com/gui/file/3bba04f277e7f51a5500f7b144fdbd851954e4f94bb0290e49fc63f6fc807321/detection policyupdates.info # Reference: https://twitter.com/cyberwar_15/status/1166282138179624960 # Reference: https://twitter.com/navSi16/status/1166287915959214080 youdermoscopy.org/media/fly.avi youdermoscopy.org/media/fly312.avi # Reference: https://blog.alyac.co.kr/2500 (Korean) # Reference: https://otx.alienvault.com/pulse/5d6940cb9e719255258969f5 alnagm-press.com/wp-content/plugins/cloudflare/list.php elsouq.org/aramex/left.php swedishmassageamsterdam.nl/wp-content/themes/top.php # Reference: https://twitter.com/cyberwar_15/status/1175940165425958912 http://158.69.57.135 http://92.222.106.229 # Reference: https://securelist.com/my-name-is-dtrack/93338/ # Reference: https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/ # Reference: https://otx.alienvault.com/pulse/5d88b31dea7f4b9d4701d7e8 # Reference: https://www.virustotal.com/gui/file/fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702/detection # Reference: https://www.virustotal.com/gui/file/58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb/detection katawaku.jp/bbs/data/theme/profile2.php materialindia.in totalmateria.net cyberub.com/board/icon/template/template_ro.php /gallery/profile2.php /theme/profile2.php /wp/profile2.php # Reference: https://twitter.com/KseProso/status/1178580006047539200 heromessi.com/wp-public/career/car_add.php # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-12-lazarus-resurfaces-targets-global-banks-bitcoin-users/lazarus-resurfaces-targets-global-banks-bitcoin-users.csv deltaemis.com # Reference: 
https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-11-20-android-malware-appears-linked-to-lazarus-cybercrime-group/android-malware-appears-linked-to-lazarus-cybercrime-group.csv vmware-probe.zol.co.zw # Reference: https://app.any.run/tasks/01497f45-7fba-4356-bbdc-4270e51c2465/ # Reference: https://twitter.com/Rmy_Reserve/status/1181528617374777344 # Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea gp-core.com gp-main.com # Reference: https://twitter.com/VK_Intel/status/1182722604240719872 # Reference: https://objective-see.com/blog/blog_0x49.html (# AppleJeus) 185.228.83.32:443 beastgoc.com /grepmonux.php # Reference: https://twitter.com/kyleehmke/status/1184120287199223808 # Reference: https://www.virustotal.com/gui/ip-address/185.228.83.129/relations dev.jmttrading.org # Reference: https://twitter.com/RedDrip7/status/1186562944311517184 # Reference: https://blog.alyac.co.kr/2388 (Korean) # Reference: https://twitter.com/RedDrip7/status/1186562944311517184 # Reference: https://otx.alienvault.com/pulse/5db06ad90686f3bad959d7fc crabbedly.club craypot.live czinfo.club indagator.club pegasusco.net smilekeepers.co # Reference: https://twitter.com/0xD0CF11E0A1B11/status/1187264570861076481 thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi juliesoskin.com/includes/common/list.php necaled.com/modules/applet/list.php valentinsblog.de/wp-admin/includes/list.php # Reference: https://twitter.com/blackorbird/status/1187619261612609536 # Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html # Reference: https://www.virustotal.com/gui/ip-address/218.255.24.226/relations 119.18.230.253:443 218.255.24.226:443 # Reference: https://twitter.com/Rmy_Reserve/status/1188235835956551680 # Reference: https://app.any.run/tasks/42c972b1-ec38-4637-9354-9de930ff50b2/ curiofirenze.com # Reference: https://twitter.com/blackorbird/status/1202177008572092417 
unioncrypto.vip # Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/ 107.172.197.175:443 172.93.201.219:443 192.210.213.178:443 198.180.198.6:443 209.90.234.34:443 23.227.196.116:443 23.227.199.53:443 23.254.119.12:443 23.81.246.179:443 37.72.175.179:443 64.188.19.117:443 74.121.190.121:443 # Reference: https://securelist.com/operation-applejeus-sequel/95596/ # Reference: https://otx.alienvault.com/pulse/5e15b526b4f8bc605744ad76 aeroplans.info beastgoc.com buckfast-zucht.de chainfun365.com cyptian.com invesuccess.com jmttrading.org mydealoman.com private-kurier.com unioncrypto.vip wb-bot.org wb-invest.net wfcwallet.com # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-03-08-hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.csv falcancoin.io # Reference: https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/ # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045d # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045e # Reference: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045b # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045a # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045f 94.177.123.138:8088 193.56.28.103:88 197.211.212.59:7443 181.39.135.126:7443 112.175.92.57:443 81.94.192.147:443 21.252.107.198:23164 70.224.36.194:59681 113.114.117.122:23397 47.206.4.145:59067 84.49.242.125:17770 26.165.218.44:2248 137.139.135.151:64694 97.90.44.200:37120 128.200.115.228:52884 186.169.2.237:65292 188.165.37.168:80 159.100.250.231:80 159.100.250.231:8080 107.6.12.135:443 210.202.40.35:443 # Reference: https://twitter.com/AffableKraut/status/1234726033930248198 74.121.190.140:8443 # Reference: https://twitter.com/RedDrip7/status/1254678135133442048 # Reference: 
https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-targeted-attack-against-south-korea-using-new-crown-outbreak-bait/ # Reference: https://www.virustotal.com/gui/domain/teslacontrols.ir/relations afuocolento.it/wp-admin/network/server_test.php kingsvc.cc mbrainingevents.com/wp-admin/network/server_test.php sofa.rs/wp-admin/network/server_test.php sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg teslacontrols.ir/wp-includes/images/detail31.jpg teslacontrols.ir/wp-includes/images/detail32.jpg /wp-admin/network/server_test.php # Reference: https://twitter.com/cyberwar_15/status/1254736896330133504 matteoragazzini.it/wp-content/uploads/2017/06/category.php # Reference: https://twitter.com/DeadlyLynn/status/1257504361577496576 # Reference: https://twitter.com/ShadowChasing1/status/1257511608189743105 astedams.it/uploads/template/17.dotm astedams.it/include/inc-elenco-offerter.asp # Reference: https://twitter.com/spider_girl22/status/1258224278194941953 astedams.it/uploads/frame/61.dotm # Reference: https://objective-see.com/blog/blog_0x57.html # Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/ # Reference: https://otx.alienvault.com/pulse/5eb2fabf6c26a287f705ca20 185.62.58.207:443 67.43.239.146:443 # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md#IOC # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/CSV/IOC-Lazarus_2020_05_05.csv # Reference: https://www.virustotal.com/gui/file/1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f/behavior/VMRay # Reference: https://www.virustotal.com/gui/file/66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88/behavior/QiAnXin%20RedDrip 51.77.65.154:443 192.169.250.185:443 sanlorenzoyacht.com/newsl/uploads/docs/43.dotm elite4print.com/admin/order/batchPdfs.asp 
od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm # Reference: https://twitter.com/cyberwar_15/status/1264353716930412544 # Reference: https://www.virustotal.com/gui/file/e637c86ae20a7f36a0ad43618b00c48f47b5591a03af3fb689a16c45afa43733/detection # Reference: https://www.virustotal.com/gui/file/d3a402458682c4febacc6ae4bc98e15e92142603a97d51316eeee9e8bca77f88/detection depts.washington.edu/dswkshp/wordpress/wp-content/themes/twentyfifteen/inc/io/ # Reference: https://twitter.com/spider_girl22/status/1265486116393713665 anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg # Reference: https://twitter.com/cyberwar_15/status/1265266629044080642 # Reference: https://asec.ahnlab.com/1323 (Korean) mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php sixbitsmedia.com/wp-content/uploads/wp-logs/category.php # Reference: https://twitter.com/ShadowChasing1/status/1267431134662541317 fudcitydelivers.com sctemarkets.com # Reference: https://twitter.com/IntezerLabs/status/1268158680593313794 threegood.cc # Reference: https://twitter.com/ccxsaber/status/1268020350605910016 coingotrade.com kupaywallet.com # Reference: https://twitter.com/Vishnyak0v/status/1269635930878545922 bluemoonresearch.org fitnessdirector.net # Reference: https://twitter.com/RedDrip7/status/1270201358721769475 paghera.com/include/inc-main-default-news.asp # Reference: https://twitter.com/ShadowChasing1/status/1270728525926944768 ne-ba.org/files/gallery/img/img.asp # Reference: https://twitter.com/MBThreatIntel/status/1270741821560406019 160.20.147.253:8443 audiopodcasts.co/verify.php lastedforcast.com/list.php # Reference: https://twitter.com/spider_girl22/status/1275366600560873473 # Reference: https://www.virustotal.com/gui/file/0fa91cac5712cfc0848af092190fd3d09948f1a7750547f0f16d1867dac6288a/detection thestreetsmartsalesman.com/wp-content/uploads/wp-logs/category.php # Reference: https://twitter.com/JAMESWT_MHT/status/1275396942139469824 # Reference: 
https://app.any.run/tasks/5ddb7e93-bfc8-49a9-bd52-6b70f57c3846/ scertodisha.nic.in/wp-content/plugins/photo-gallery/admin/controllers/Photo.php haciendasacchich.com/wp-content/plugins/photo-gallery/admin/views/404.php annafalkenau.com/awstats/data/upload.php # Reference: https://blog.reversinglabs.com/blog/hidden-cobra # Reference: https://otx.alienvault.com/pulse/5ef2252af73ae43d92eecd15 1688dsj.com amytanathorn.com ccsnbao.com fmose.com fudcitydelivers.com lavaandstone.com sctemarkets.com vns1389.com # Reference: https://twitter.com/ShadowChasing1/status/1276324740878102529 anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg # Reference: https://twitter.com/JAMESWT_MHT/status/1276471822217891840 # Reference: https://app.any.run/tasks/109752e9-2c7f-4d5c-9c3f-300bddc4c0db/ down.1230578.com # Reference: https://twitter.com/felixaime/status/1280053007036624896 # Reference: https://sansec.io/research/north-korea-magecart # Reference: https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/ # Reference: https://www.virustotal.com/gui/file/a6c803d7a185f896a6c90f78891c5dbb904df3535825764e05432641ab059fb1/detection areac-agr.com papers0urce.com # Reference: https://twitter.com/gwillem/status/1281128245052805120 focuscamere.com # Reference: https://twitter.com/patrickwardle/status/1286109626941845504 # Reference: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ 104.232.71.7:443 107.172.197.175:443 108.170.31.81:443 111.90.146.105:443 111.90.148.132:443 172.81.132.41:443 172.93.184.62:443 172.93.201.219:443 185.62.58.207:443 192.210.239.122:443 198.180.198.6:443 209.90.234.34:443 216.244.71.233:443 23.227.199.53:443 23.227.199.69:443 23.254.119.12:443 67.43.239.146:443 68.168.123.86:443 # Reference: https://twitter.com/cyberwar_15/status/1287291019537473538 nextlevelliving.pro/wp-content/uploads/js_composer/images/8c206b81-f5b1-4242-84d3-237ce728ff35.php # Reference: 
https://twitter.com/AnonySecAgency/status/1290115260116897792 # Reference: https://www.virustotal.com/gui/file/40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13/detection publishapp.co # Reference: https://twitter.com/RedDrip7/status/1293462469214531584 # Reference: https://www.virustotal.com/gui/file/b0921142f8d3067c8253931977999a5092470ff3e562586d87af68c28ec66a99/detection unsunozo.org/include/notes/notes.asp # Reference: https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html # Reference: https://otx.alienvault.com/pulse/5f4d20e8d417f271a62e0aeb gestao.simtelecomrs.com.br/sac/digital/client.jsp sac.onecenter.com.br/sac/masks/wfr_masks.jsp mk.bital.com.br/sac/Formule/Manager.jsp # Reference: https://twitter.com/IntezerLabs/status/1300403461809491969 # Reference: https://analyze.intezer.com/analyses/13d64c6e-6ac7-4888-a682-138a06cbaf16/ # Reference: https://www.virustotal.com/gui/file/390f9aae2dd5f0584106e3aa315bbd28a8c6479f126a4f13c7c3a62e19356634/detection 104.217.163.61:443 107.175.172.129:443 37.72.168.228:443 # Reference: https://twitter.com/ShadowChasing1/status/1302180729174937600 fabianiarte.com/uploads/imgup/21it-23792.jpg # Reference: https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html # Reference: https://otx.alienvault.com/pulse/5f7389601681e32d5bf045f6 automercado.co.cr/empleo/css/main.jsp curiofirenze.com/include/inc-site.asp ne-ba.org/files/news/thumbs/thumbs.asp sanlorenzoyacht.com/newsl/include/inc-map.asp # Reference: https://twitter.com/h2jazi/status/1311644338812792833 # Reference: https://www.virustotal.com/gui/file/d2f1cccfe688c074c3d58ae8f7be7b10dbea5d7ae53320c3f7b6e48cd4f62955/detection phukien2a.net/images/images.zip.000 # Reference: https://blog.talosintelligence.com/2020/11/crat-and-plugins.html # Reference: https://otx.alienvault.com/pulse/5faf04431c479940b422288b teslacontrols.ir/wp-includes/images/detail31.jpg teslacontrols.ir/wp-includes/images/detail32.jpg 
sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg publishapp.co/update/check.php sideforum.cc/forum/list.php freeforum.co/forum/list.php goodfriend.pro/projects/list.php friendship.me/users/register.php threegood.cc/api/manage/customers Engpro.xyz/images/detail.php infocop.me/products/list.php teamspit.pro/adverts/follow.php dodoi.cc/photos/preview.php advertapp.me/user/invite.php insideforum.me/forum/list.php anyoneforum.cc/forum/list.php goodproject.xyz/projects/list.php hellofriend.pro/users/register.php moonge.cc/wp-content/plugins/google-sitemap-generator/sitemap-builder-embed.php calculactcal.org/wp-content/themes/twentysixteen/body.php 3cuartos.com/wp-content/plugins/music-press-pro/templates/global/update.php worldfoodstory.co.uk/wp-includes/register.php bokkeriejesj.nl/wp-content/plugins/music-press-pro/upload.php encontrosmaracatu.com.br/wp-content/plugins/music-press-pro/templates/global/topmenu.php theblackout.fr/wp-content/plugins/music-press-pro/music-pro.php mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php tiramisu.it/wp-content/plugins/wp-comment-form.php kartacnictvi.cz/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/upload.php dimer-group.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/download.php ecolerubanvert.com/wp-content/plugins/image-intense/know.php lwac.com/wp-content/plugins/gallery-plugin/includes/demo-data/images/music/photo.php copansrl.it/wp-admin/user/invite.php arar-musique.fr/wp-content/plugins/music-press-pro/includes/admin/upgrade.php firstalliance.church/wp-content/plugins/music-press/templates/404.php erickeleo.com.br/wp-content/plugins/music-press-pro/go.php kingsvc.cc/index.php sofa.rs/wp-admin/network/server_test.php afuocolento.it/wp-admin/network/server_test.php mbrainingevents.com/wp-admin/network/server_test.php afuocolento.it/wp-includes/process.php # Reference: 
https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ # Reference: https://otx.alienvault.com/pulse/5fb4044fd5f18831c24c6af6 cowp.or.kr/html/board/main.asp erpmas.co.kr/Member/franchise_modify.asp fored.or.kr/home/board/view.php gncaf.or.kr/cafe/cafe_board.asp gongsinet.kr/comm/comm_gongsi.asp goojoo.net/board/banner01.asp hsbutton.co.kr/bbs/bbs_write.asp hstudymall.co.kr/easypay/web/bottom.asp ikrea.or.kr/main/main_board.asp pcdesk.co.kr/Freeboard/mn_board.asp pgak.net/service/engine/release.asp quecue.kr/okproj/ex_join.asp style1.co.kr/main/view.asp wowpress.co.kr/customer/refuse_05.asp zndance.com/shop/post.asp # Reference: https://twitter.com/h2jazi/status/1334353120038678528 # Reference: https://www.virustotal.com/gui/file/c19064733f2a23f09c8b16b3847cceeac8f61488be57911cefceb75425501097/detection ilhak.co.kr/images/data/upload.asp ktri.or.kr/upload/mail/upload.asp warevalley.com/support/orange_open.asp # Reference: https://twitter.com/BitsOfBinary/status/1321488299932983296 # Reference: https://twitter.com/BitsOfBinary/status/1337330286787518464 # Reference: https://twitter.com/mg2_tracy1/status/1337335098224508928 # Reference: https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=3051 admforte.com.br/wp-content/plugins/top.php dafnefonseca.com/wp-content/themes/top.php drei-schneeballen.de/wp-content/plugins/nextgen-gallery/view.php funny-pictures.picphotos.net/saint-louis-senior-photos-senior-pictures-seniors-st-louis-st-louis/upload.php greenvideo.nl/wp-content/themes/top.php haciendadeclarevot.com/wp-content/top.php justholdfast.com/doodle/wp-content/plugins/top.php qwerty.creativehonduras.com/wp-includes/class-wp-redirect.php shahrtdc.com/wp-content/plugins/top.php tag-cloud-photo.freeware.filetransit.com/login.php urbankizomba.se/wp-content/plugins/photo-gallery/filemanager/upload.php # Reference: https://otx.alienvault.com/pulse/5fd8dbfcfed23b6fa1393ea9 yakufreshperu.com/facturacion/public/css/main.php 
shikshakibaat.com/classes/detail.jsp sanlorenzoyacht.com/newsl/include/inc-map.asp paghera.com/content/view/thumb/info.asp lyzeum.com/popup/popup.asp index-consulting.jp/eng/news/index.php hansolhope.or.kr/welfare/notice/view.jsp forecareer.com/gdcareer/officetemplate-20nab.asp fidesarte.it/thumb/multibox/style/common.asp fabianiarte.com/uploads/imgup/21it-23792.jpg fabianiarte.com/pdf/thumbs/thumb.asp emilypress.com/CMWorking/Static/service/center.asp curiofirenze.com/include/inc-site.asp calculadoras.mx/themes/pack/pilot.php automercado.co.cr/empleo/css/main.jsp astedams.it/photos/image/image.asp arumdaunresort.com/admin/html/user/contact.asp apars-surgery.org/bbs/bbs_files/board_photo/menu.php anca-aste.it/uploads/form/02E319AF73A33547343B71D5CB1064BC.dotm vega.mh-tec.jp/.well-known/index.php turnscor.com/ACT/images/slide/view.jsp prestigein-am.jp/akita/wp-includes/wp-rss1.php genieaccount.com/images/common/common.asp acanicjquery.com/slides/style.php mannpublicwhseltd.com/cservice.asp hirokawaunso.co.jp/wordpress/wp-includes/review.php anisweb.org/layout/site/style/preview.jsp support.medicalinthecloud.com/TechCenter/include/slide.asp pennontraders.com/assets/slides/view.jsp indoweb.org/love/data/common/common.php admin.shcpa.co.kr/_asapro2/formmail/lib.php http://137.74.114.227/theveniaux/webliotheque/public/css/main.php http://125.206.177.152/old/viewer.php # Reference: https://twitter.com/BitsOfBinary/status/1339623925274296323 muzeyyengroup.com/wp-content/help.php puskesmas-terminal.com/wp-content/help.php zeandf.com/wp-content/help.php # Reference: https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ # Reference: https://otx.alienvault.com/pulse/5fe36c30dbe6a83c04783415 bytecortex.com.br/eletronicos/digital.jsp client.livesistemas.com/Live/posto/system.jsp cometnet.biz/framework/common/common.asp gongim.com/board/ajax_Write.asp iski.silogica.net/events/serial.jsp k-kiosk.com/bbs/notice_write.asp kne.co.kr/upload/Customer/BBS.asp 
locknlockmall.com/common/popup_left.asp sac.najatelecom.com.br/sac/Dados/ntlm.jsp sistema.celllab.com.br/webrun/Navbar/auth.jsp # Reference: https://twitter.com/ShadowChasing1/status/1349924271791882247 # Reference: https://www.virustotal.com/gui/file/867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36/detection # Reference: https://www.virustotal.com/gui/file/89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957/detection aideck.net # Reference: https://twitter.com/ShadowChasing1/status/1349927630183694339 creaideck.com/update/darwin64.bin # Reference: https://www.virustotal.com/gui/file/d09041e3d635ddb28540b11cf180a30a28fc04c2ee6e5d994aa0bacc9633e944/detection hpc.kau.ac.kr/rolling_banner/tmp4c5ae3.p3a hpc.kau.ac.kr/error2.php # Reference: https://twitter.com/BushidoToken/status/1353684625382641664 # Reference: https://www.virustotal.com/gui/ip-address/120.138.8.26/relations # Reference: https://www.virustotal.com/gui/file/cabb45c99ffd8dd189e4e3ed5158fac1d0de4e2782dd704b2b595db5f63e2610/detection # Reference: https://www.virustotal.com/gui/file/a9b3bc337043c04f529b2c19b3e33df1ad59bce27c074427e7b563db3a83c37b/detection # Reference: https://www.virustotal.com/gui/file/bdf9fffe1c9ffbeec307c536a2369eefb2a2c5d70f33a1646a15d6d152c2a6fa/detection advantims.com # Reference: https://twitter.com/ShadowChasing1/status/1353972356759187456 angeldonationblog.com # Reference: https://twitter.com/K_N1kolenko/status/1353975032104558592 # Reference: https://twitter.com/500mk500/status/1353992570519609344 # Reference: https://twitter.com/RedDrip7/status/1354038387603197952 # Reference: https://twitter.com/sS55752750/status/1354059524739653633 # Reference: https://twitter.com/vngkv123/status/1357247638228226053 # Reference: https://twitter.com/blackorbird/status/1357259907448229888 # Reference: https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg (Korean) # Reference: https://enki.co.kr/blog/2021/02/04/ie_0day.html (Korean) # Reference: 
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ # Reference: https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/ # Reference: https://otx.alienvault.com/pulse/60103a3268891c63b1f24d74 # Reference: https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection # Reference: https://www.virustotal.com/gui/file/a08d24f74027256c6fd5c5a2fdb15b12889971fbdcfa7a28ffebbfe8b15aaefb/detection # Reference: https://www.virustotal.com/gui/file/9c906c2f3bfb24883a8784a92515e6337e1767314816d5d9738f9ec182beaf44/detection # Reference: https://www.virustotal.com/graph/embed/g4784ec032b3f4cb987a616f4b2dbc9aa9a982d9b20494f8980ae611a4ca3a1d8 angeldonationblog.com codebiogblog.com codevexillium.org investbooking.de krakenfolio.com opsonew3org.sg transferwiser.io transplugin.io blog.br0vvnn.io codevexillium.org/image/download/download.asp colasprint.com/_vti_log/upload.asp dronerc.it/forum/uploads/index.php dronerc.it/shop_testbr/Adapter/Adapter_Config.php dronerc.it/shop_testbr/Core/upload.php dronerc.it/shop_testbr/upload/upload.php edujikim.com/intro/blue/insert.asp fabioluciani.com/ae/include/constant.asp fabioluciani.com/es/include/include.asp loonsaloon.com/wp-content/plugins/revslider/hello.php transplugin.io/upload/upload.asp trophylab.com/notice/images/renewal/upload.asp # Reference: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html # Reference: https://otx.alienvault.com/pulse/601052e27a2c451b3ba5ed31 akramportal.org/public/voice/voice.php commodore.com.tr/mobiquo/appExtt/notdefteri/writenote.php fabianiarte.com/newsletter/arte/view.asp hirokawaunso.co.jp/wordpress/wp-includes/ID3/module.audio.mp4.php index-consulting.jp/eng/news/index.php inovecommerce.com.br/public/pdf/view.php ja-fc.or.jp/shop/shopping.php kenpa.org/yokohama/main.php leemble.com/5mai-lyon/public/webconf.php mail.clicktocareers.com/dev_clicktocareers/public/mailview.php 
scimpex.com/admin/assets/backup/requisition/requisition.php tronslog.com/public/appstore.php vega.mh-tec.jp/.well-known/index.php # Reference: https://twitter.com/Dashowl/status/1354264740692942848 trophylab.com/design/trophy/product/lmages/logo.png worldspia.kr/upload_images/inc/LOG.PHP # Reference: https://twitter.com/mattyb1512/status/1354070629469872129 ctrac.online # Reference: https://twitter.com/h2jazi/status/1362109944791764993 # Reference: https://www.virustotal.com/gui/file/0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba/detection # Reference: https://www.virustotal.com/gui/file/91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd/detection # Reference: https://www.virustotal.com/gui/file/dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61/detection kupaywallet.com levelframeblog.com dorusio.com/dorusio_update.php # Reference: https://twitter.com/ShadowChasing1/status/1362362744909930496 materialindia.in/wp/wp-main/gallery/profile2.php totalmateria.net/wp/profile2.php # Reference: https://securelist.com/lazarus-threatneedle/100803/ # Reference: https://otx.alienvault.com/pulse/6037c3cea83bb963f5be0d51/ http://156.245.16.55/admin/admin.asp americanhotboats.com/forums/core/cache/index.php astedams.it/photos/image/image.asp au-pair.org/admin/Newspaper.asp au-pair.org/admin/login.asp automercado.co.cr/empleo/css/main.jsp cloudarray.com/images/logo/videos/cache.jsp colasprint.com/_vti_log/upload.asp curiofirenze.com/include/inc-site.asp dellarocca.net/it/content/img/img.asp digitaldowns.us/artman/exec/upload.php djasw.or.kr/sub/popup/images/upfiles.asp docentfx.com/wp-admin/includes/upload.php dronerc.it/forum/uploads/index.php dronerc.it/shop_testbr/Adapter/Adapter_Config.php edujikim.com/intro/blue/view.asp edujikim.com/pay/sample/INIstart.asp edujikim.com/smarteditor/img/upload.asp fabioluciani.com/ae/include/constant.asp fabioluciani.com/es/include/include.asp forum.iron-maiden.ru/core/cache/index.php 
forum.snowreport.gr/cache/template/upload.php fredrikarnell.com/marocko2014/index.php geeks-board.com/blog/wp-content/uploads/2017/cache.php gonnelli.it/uploads/catalogo/thumbs/thumb.asp juvillage.co.kr/img/upload.asp kannadagrahakarakoota.org/forums/admincp/upload.php kbcwainwrightchallenge.org.uk/connections/dbconn.asp kwwa.org/DR6001/FN6006LS.asp kwwa.org/popup/160307/popup_160308.asp lyzeum.com/board/bbs/bbs_read.asp lyzeum.com/images/board/upload.asp martiancartel.com/forum/customavatars/avatars.php mdim.in.ua/core/cache/index.php newidealupvc.com:443/img/prettyPhoto/jquery.max.php polyboatowners.com/2010/images/BOTM/upload.php polyboatowners.com/css/index.php prototypetrains.com:443/forums/core/cache/index.php raiestatesandbuilders.com/admin/installer/installer/index.php roit.co.kr/xyz/mainpage/view.asp sanatoliacare.com/include/index.asp sanlorenzoyacht.com/newsl/include/inc-map.asp shinwonbook.co.kr/basket/pay/open.asp shinwonbook.co.kr/board/editor/upload.asp theforceawakenstoys.com/vBulletin/core/cache/upload.php waterdoblog.com/uploads/index.asp # Reference: https://twitter.com/AnonySecAgency/status/1366971633458548738 # Reference: https://twitter.com/ShadowChasing1/status/1366988046294376450 # Reference: https://www.virustotal.com/gui/file/03cd4ec3defa490e68b1ca2efaf8daea6f89d3cceed51c91f4c4f9e2222d258d/detection gcloud-share.com dshellelink.gcloud-share.com # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1225581378840006656 (# DangerousPasswords) # Reference: https://pastebin.com/raw/cLWvyJ20 # Reference: https://twitter.com/Rmy_Reserve/status/1230881875767377920 # Reference: https://twitter.com/ShadowChasing1/status/1328208737933246464 # Reference: https://www.virustotal.com/gui/file/4c574c1a2b126c8a5ba1ef9560516d0ac9990c0253119f874eb084b57742e3d7/detection http://84.201.189.216 103.205.179.4:8080 amazonaws1.info gdrvup.xyz gmaildrive.site googleauth.pro googledriver.info googleupload.info liveonedrvshare.xyz secureshares.online 
gdriveupload.info # Reference: https://twitter.com/Rmy_Reserve/status/1246404220040802309 (# DangerousPassword) 88.204.166.59:8080 # Reference: https://twitter.com/ShadowChasing1/status/1339195498519875585 (# DangerousPassword) gdocshare.com # Reference: https://twitter.com/ShadowChasing1/status/1367368069618700291 # Reference: https://twitter.com/_re_fox/status/1260931809103101957 # Reference: https://twitter.com/_re_fox/status/1301564536575733760 # Reference: https://twitter.com/_re_fox/status/1301565785345863689 # Reference: https://twitter.com/mattnotmax/status/1370311682354941954 # Reference: https://twitter.com/cyber__sloth/status/1285510760303656960 # Reference: https://www.virustotal.com/gui/file/d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805/detection # Reference: https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_302_kodera_jp.pdf (Japanese) # Reference: https://www.virustotal.com/gui/file/01184a5acb8b3ec56c9e90f2e6cd6673ae83b4fd6982e17329b33da2f77bcf5b/detection doc.gsheetshare.org docs.dsharefile.tech docs.gdriveshare.top drop.trailads.net dsharefile.tech gsheetshare.org filehost.network mdown.showprice.xyz mse.theworkpc.com name.ownemail.me newsbtctech.com ownemail.me share.onedrvfile.site shop.newsbtctech.com trailads.net up.digifincx.com up.myemail.works # Reference: https://twitter.com/ShadowChasing1/status/1339933511973699584 (# DangerousPassword) # Reference: https://www.virustotal.com/gui/file/c64e2993563345fd497cfc382de27c7791b4f172d2c50d79b6290c2f9c06102c/detection google-clouds.com # Reference: https://twitter.com/cyber__sloth/status/1344208175168368641 (# DangerousPassword) # Reference: https://twitter.com/cyber__sloth/status/1344208380525752321 (# DangerousPassword) addrcheck.corecheckmailsrv.com cloud-sheet.net cloud.optvers.net corecheckmailsrv.com digitalcurencygroup.co down.privatework.buzz fidelitydigitalsassets.com gdocshare.com goglestorage.com google-clouds.com googleproduct.org gsuiteshare.com msftoffice.com 
myemail.works official.googleproduct.org presentonline.xyz privatework.buzz sharesvr.net # Reference: https://twitter.com/h2jazi/status/1369305004922855431 # Reference: https://twitter.com/h2jazi/status/1369307165807280135 torgirf.ru/loginhome.css # Reference: https://twitter.com/h2jazi/status/1370024802791096320 # Reference: https://www.virustotal.com/gui/file/46fcbc170e84d8ad48434251421bd8f6fa49a7e741d2c24d31c170c607c60d51/detection # Reference: https://www.virustotal.com/gui/file/c8a8d2caa429a8bbe885ef8d59d982b4bfd9c48f1255ff69e3b81c6bbd7b2925/detection dronerc.it/shop_testbr/localization/dir_photoes/image.php dronerc.it/shop_testbr/localization/dir_photoes/logo.php # Reference: https://twitter.com/h2jazi/status/1354880834092859395 # Reference: https://www.virustotal.com/gui/ip-address/104.168.158.103/relations # Reference: https://www.virustotal.com/gui/file/aec3ced40a3451dc2c6b1704cc50b0e0c8e549faaa8ae42b6d6f421b4fc2ef8a/detection # Reference: https://www.virustotal.com/gui/file/e7a4d8b80dc653a47440db2a8deaf782109bb710e5d4311bc3d7685dba715865/detection # Reference: https://www.virustotal.com/gui/file/75d3d96033db529c9ae698ac6de8fba420c2daa5d97614d7118f49e03c2d83d3/detection documentprotect.live documentprotect.pro # Reference: https://twitter.com/h2jazi/status/1373985591814197250 # Reference: https://www.virustotal.com/gui/file/09b83a501b8f919fc4861735097dd50957f21e81209d362b4fa425bd3348a495/detection cloudshare.jumpshare.vip # Reference: https://twitter.com/HONKONE_K/status/1374178555634933762 # Reference: https://www.virustotal.com/gui/file/66e96fbd6e977ddef3f0a2924978d92e5d67bd96e68dc4832f5041dbd40bcfc9/detection # Reference: https://www.virustotal.com/gui/file/e087d06c552aeef36c2ba9fdd14b06fca499f2d37dfea21e480a02a748b19bf1/detection antcapital.us document.antcapital.us protect.antcapital.us # Reference: https://twitter.com/DrN1ght/status/1374026917343543301 chemistryworld.us coinbigex.com innoenergy.info mclland.com qooqle.download # Reference: 
https://twitter.com/h2jazi/status/1375528365587894272 # Reference: https://www.virustotal.com/gui/file/2fdba1e332203ca0d01992b137ebeaa1f21f7c3daec7230e6b8a4d36182caed4/detection sanlorenzoyacht.com/newsl/uploads/docs/ # Reference: https://twitter.com/ShadowChasing1/status/1377610488830291973 # Reference: https://twitter.com/ShadowChasing1/status/1377628563000594433 # Reference: https://securelist.com/dtrack-targeting-europe-latin-america/107798/ toysbagonline.com purewatertokyo.com pinkgoat.com purplebear.com yellowlion.com salmonrabbit.com bluecow.com # Reference: https://twitter.com/darktracer_int/status/1380309710721622016 # Reference: https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/ # Reference: https://otx.alienvault.com/pulse/60739323ef1b2b3a187f0f15 4bjt2rceijktwedi.onion cwwpxpxuswo7b6tr.onion # Reference: https://twitter.com/fr0s7_/status/1381328726819020804 # Reference: https://www.virustotal.com/gui/file/e514d83d2aaa1357b34f5f11ecc35afe10b6240796e085977e9d4a56145bb8b3/detection protectoffice.club # Reference: https://twitter.com/ShadowChasing1/status/1382514587589742597 # Reference: https://www.virustotal.com/gui/file/f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72/detection jinjinpig.co.kr/Anyboard/skin/board.php mail.namusoft.kr/jsp/user/eam/board.jsp # Reference: https://www.group-ib.com/blog/btc_changer luxmodelagency.com/wp-incluses/random_compat/zeus/wongs/wongs.php /random_compat/zeus/wongs/wongs.php /zeus/wongs/wongs.php # Reference: https://twitter.com/ShadowChasing1/status/1384016097494507521 # Reference: https://twitter.com/cyberwar_15/status/1384462513249546244 # Reference: https://www.virustotal.com/gui/file/79e15cc02c6359cdb84885f6b84facbf91f6df1254551750dd642ff96998db35/detection ddjm.co.kr/bbs/icon/skin/skin.php snum.or.kr/skin_img/skin.php # Reference: https://www.virustotal.com/gui/file/6d2ecc3b0a43f0c377ea6d9a68aa5ac0d48635a04219264fb0702976efea8ef6/detection 
http://121.146.68.233/fileserver/temp/platform.asp http://121.254.224.218/angkor.ylw.common.fileserviceserver/web/document/netframework.asp codibest.com/data/geditor/main_1.php gbflatinamerica.com myungokhun.co.kr/_proc/member/member_bk.asp /angkor.ylw.common.fileserviceserver/web/document/netframework.asp /data/geditor/main_1.php /fileserver/temp/platform.asp # Reference: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/ # Reference: https://otx.alienvault.com/pulse/608af383c5be4591c5da02e5 akramportal.org/delv/public/voice/voice.php apars-surgery.org/bbs/bbs_files/board_blog/write.php bootcamp-coders.cnm.edu ctevt.org.np/ctevt/public/frontend/review.php forecareer.com/gdcareer/officetemplate-20nab.asp gbflatinamerica.com/file/filelist.php goldllama4.sakura.ne.jp hospitality-partners.co.jp/works/performance/consumer.php inovecommerce.com.br/public/pdf/view.php mail.clicktocareers.com/public/jobapplications/jdviewer.php propro.jp/wp-content/documents/docsmgmt.php vega.mh-tec.jp/.well-known/gallery/siteview.php # Reference: https://www.virustotal.com/gui/file/610047be0b2360d609baa71be22ddc5814743868886f8d85ab9985d3f01229d6/detection mappo-on.life help.mappo-on.life # Reference: https://www.virustotal.com/gui/file/27bfac11c1f9184b515fbf5fcd946e921c95506f89eb273e148fcf0068e50932/detection octo-manage.net help.octo-manage.net # Reference: https://twitter.com/ShadowChasing1/status/1391981731394187266 # Reference: https://www.virustotal.com/gui/file/a0d070b66408654cdcb84784e77914dc355a23c81e3e6ef36362470619c4de96/detection http://45.61.136.204 googledocpage.com # Reference: https://twitter.com/ShadowChasing1/status/1393356174506921985 # Reference: https://www.virustotal.com/gui/file/8e1746829851d28c555c143ce62283bc011bbd2acfa60909566339118c9c5c97/detection allgraphicart.com # Reference: https://twitter.com/ShadowChasing1/status/1397768682776895491 # Reference: 
https://www.virustotal.com/gui/file/8d48a77e7a4b8c824d8c1b890dc3e2b904e6fa8fbe8dae1a22f5870916c01c20/detection sslsharecloud.net dev.sslsharecloud.net # Reference: https://twitter.com/ShadowChasing1/status/1398468263818928136 ewha-ac.ml # Reference: https://twitter.com/ShadowChasing1/status/1399369260577681426 # Reference: https://www.virustotal.com/gui/file/4059fea324e27cfbd4955f37dc7791709dbf35a800449373c6715bc53b88f7c5/detection amene.homepc.it # Reference: https://twitter.com/360CoreSec/status/1402920149754155010 # Reference: https://www.virustotal.com/gui/file/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c/detection # Reference: https://www.virustotal.com/gui/file/3b33b0739107411b978c3cbafb312a44b7488bd7adabae3e7b02059240b6dc83/detection shopweblive.com # Reference: https://twitter.com/h2jazi/status/1406401709157629952 # Reference: https://twitter.com/ShadowChasing1/status/1406592585796177924 # Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ # Reference: https://www.virustotal.com/gui/file/5c2f339362d0cd8e5a8e3105c9c56971087bea2701ea3b7324771b0ea2c26c6c/detection allamwith.com/home/mobile/list.php conkorea.com/cshop/banner/list.php ddjm.co.kr/bbs/icon/skin/skin.php hivekorea.com/jdboard/member/list.php jinjinpig.co.kr/Anyboard/skin/board.php mail.namusoft.kr/jsp/user/eam/board.jsp mail.neocyon.com/jsp/user/sms/sms_recv.jsp mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp snum.or.kr/skin_img/skin.php /jsp/user/sms/sms_recv.jsp # Reference: https://twitter.com/360CoreSec/status/1405790277034418177 # Reference: https://www.virustotal.com/gui/file/35a39299c47bc701dbe7cb72fcb695d08eb2095d1a5b8b7942d3034d16435e89/detection # Reference: https://www.virustotal.com/gui/file/382a209ce5745c85507b0bd80b87496ad92128e6870199d0c33d6ddedc542dd1/detection # Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection 185.208.158.204:443 193.56.28.251:443 # 
Reference: https://twitter.com/ShadowChasing1/status/1405515076149284870 # Reference: https://www.virustotal.com/gui/file/4c4cc3abd3ddb15d5306fb647c6d779b18df5b949673bb3f3f87faa2c5f56a6a/detection authenticate.azure-drive.com # Reference: https://twitter.com/ShadowChasing1/status/1407993219720224771 elwoodasset.xyz sharemanage.elwoodasset.xyz # Reference: https://twitter.com/360CoreSec/status/1410127120177635328 52.202.193.124:443 # Reference: https://twitter.com/fr0s7_/status/1402394083331559431 # Reference: https://twitter.com/Jup1a/status/1402470227292561412 # Reference: https://www.virustotal.com/gui/file/1939d9fdcf831dc4cac001ba193669c75a336258bc99a1775471554229e4a69b/detection azure-drive.com download.azure-drive.com protect.azure-drive.com # Reference: https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12 # Reference: https://otx.alienvault.com/pulse/60e6d2a6786d43397db19bc7 grandgolf.co.kr/html/facilities/facilities_01_06.asp kdone.co.kr/Utils/EmailUtil.asp namchuncheon.co.kr/admin/BookAppl/Search_left.asp # Reference: https://twitter.com/ShadowChasing1/status/1412934665292316677 # Reference: https://twitter.com/ShadowChasing1/status/1412953330700062726 http://95.179.235.55 sharebusiness.xyz signverydn.sharebusiness.xyz # Reference: https://twitter.com/ShadowChasing1/status/1412932935523573760 # Reference: https://www.virustotal.com/gui/file/8afdf8513a6e3bede16187004daccc95e193a29062415d9ba0c29b98a5a927d1/detection devprocloud.com share.devprocloud.com # Reference: https://mp.weixin.qq.com/s/y-SHoh9f5qwAwqml3uf8vw # Reference: https://otx.alienvault.com/pulse/60f930c9c1a69acdb28adea6 smartaudpor.com # Reference: https://twitter.com/h2jazi/status/1445596955552272389 gozdeelektronik.net/wp-content/themes/0111/ # Reference: https://twitter.com/s1ckb017/status/1447476954639347712 # Reference: https://www.virustotal.com/gui/file/cf10c1cad090ab31d9e579df3bd22f3d0653792cb010e1d6ac0e2cd1ced52076 
digitalguarder.com # Reference: https://twitter.com/h2jazi/status/1455601350222417926 # Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection mantis.linkundlink.de /logs/officetemplate.php # Reference: https://twitter.com/ESETresearch/status/1458438169502826508 # Reference: https://www.virustotal.com/gui/ip-address/45.147.231.213 # Reference: https://www.virustotal.com/gui/file/fe80e890689b0911d2cd1c29196c1dad92183c40949fe6f8c39deec8e745de7f/detection devguardmap.org navercorpservice.com # Reference: https://twitter.com/ShadowChasing1/status/1455489336850325519 # Reference: https://www.virustotal.com/gui/file/65b5709f67bb0fac31ec977f98cda6f89f4b38703ee5aeef0b633c33669ea88a/detection thetalkingcanvas.com/jobs/en-gb/jobs/9/details.php # Reference: https://twitter.com/h2jazi/status/1462832390632583168 # Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096 ditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php # Reference: https://twitter.com/ShadowChasing1/status/1465998017836707840 # Reference: https://twitter.com/ShadowChasing1/status/1465998020734898176 http://152.89.247.236 silvergatehr.com ny.silvergatehr.com /5Ek9724mz8oncul8Zx7E7CVDCdBNxuFFUO6pLk/ # Reference: https://twitter.com/k3yp0d/status/1468485748269662208 # Reference: https://app.any.run/tasks/ff306f89-64d4-4d30-8b72-7c0be0b1f9fb/ cloudplus.one drive.cloudplus.one # Reference: https://twitter.com/h2jazi/status/1462832390632583168 # Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096/detection aditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php # Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus_APT_Related.json # Reference: https://www.virustotal.com/gui/ip-address/149.28.162.113/relations dubbedfinally.link filesaves.cloud 
fsdriveshare.org googlesheetpage.org gsheetpage.com help-optus.com onedocshare.com onlinedoc.dev pilotview.cloud retrots.net tresordocs.com trollinguneaten.org database.retrots.net doc.filesaves.cloud docs.gsheetpage.com license.cloudplus.one product.onlinedoc.dev sheet.tresordocs.com support.pilotview.cloud # Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus.json autodiscover.vin banner-counter.com clarionhpdu.top craptioerne.com fhewkhwjehwekjfhwehfwe.com lif0.top smartscreenfilter.com statcounters.net vz206llb19o.com 2ab9.watashinonegai.ru b.watashinonegai.ru d.watashinonegai.ru apkv3.clarionhpdu.top cltpk.doomdns.org down.mykings.pw # Reference: https://twitter.com/souiten/status/1468818352156020737 # Reference: https://www.virustotal.com/gui/file/b3646d8cbadc7620ca7782f2525cc019740a3088f32e2ea9a6c97cc1432537b0/detection fsdriveshare.org dmarc.fsdriveshare.org file.fsdriveshare.org share.fsdriveshare.org # Reference: https://twitter.com/ffforward/status/1456239300593524741 # Reference: https://www.virustotal.com/gui/file/0b8d7a851920d4584777505f9fb484b226a8457d4049885a87c847f7d3532d28/detection stablemarket.org share.stablemarket.org # Reference: https://twitter.com/k3yp0d/status/1448552868907204612 # Reference: https://www.virustotal.com/gui/domain/cloudmgmt.org/relations cloudmgmt.org share.cloudmgmt.org # Reference: https://threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/ # Reference: https://otx.alienvault.com/pulse/61c9aff8d72c2a4731021bee allamwith.com/home/mobile/list.php conkorea.com/cshop/banner/list.php ddjm.co.kr/bbs/icon/skin/skin.php jinjinpig.co.kr/Anyboard/skin/board.php mail.namusoft.kr/jsp/user/eam/board.jsp mail.neocyon.com/jsp/user/sms/sms_recv.jsp mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp snum.or.kr/skin_img/skin.php /jsp/user/sms/sms_recv.jsp # Reference: https://twitter.com/h2jazi/status/1483521532433473536 # Reference: https://twitter.com/h2jazi/status/1483521535268769793 
# Reference: https://www.virustotal.com/gui/file/0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b/detection lm-career.com # Reference: https://twitter.com/s1ckb017/status/1484451637653614592 # Reference: https://twitter.com/h2jazi/status/1486448926081302536 # Reference: https://www.virustotal.com/gui/file/0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1/detection allinfostudio.com markettrendingcenter.com yourblogcenter.com # Reference: https://twitter.com/czy_1116/status/1485813878550597632 # Reference: https://www.virustotal.com/gui/file/3542078fd524e3cb141d5bebf96aea73467505a07ae72fc58395afa14f22e8a3/detection gfinanzen.net portal.gfinanzen.net # Reference: https://twitter.com/ShadowChasing1/status/1486530954382348290 # Reference: https://www.virustotal.com/gui/file/ac7b6ca73207db6ec6d4af2632a7c842c32af6658e3214753e589b567d809125/detection docusign.agency # Reference: https://twitter.com/h2jazi/status/1487070198955978753 loneeaglerecords.com/wp-content/uploads/2020/01/images.tgz.001 /update_coingotrade.php # Reference: https://twitter.com/h2jazi/status/1490057626134192136 # Reference: https://www.virustotal.com/gui/file/08c3aaeec3da9a106536ad1beff4d2ed23d1e31c9481be60f5dbd5eb1a01d2e5/detection sportsblogweb.com # Reference: https://twitter.com/s1ckb017/status/1489591023030448129 # Reference: https://www.virustotal.com/gui/file/29de2289a2b111a4873e49402c310b2ad0e3de51b5562ee1422a37c514910c71/detection designautocad.org # Reference: https://twitter.com/cyberoverdrive/status/1490839283803951106 # Reference: https://www.virustotal.com/gui/file/353f82475fcfad5b3f06ed85a931bda46ec34279793b5d70085aa8c603e8ebec/detection datacentre.center # Reference: https://twitter.com/ShadowChasing1/status/1490958579930517504 # Reference: https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f/detection shopapppro.com shopapptech.com # Reference: https://twitter.com/pkalnai/status/1489269982814949382 # 
Reference: http://report.threatbook.cn/LS.pdf (Chinese) # Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection bmanal.com canyonzcc.com devguardmap.org industryinfostructure.com linkundlink.de mante.li shopandtravelusa.com mantis.linkundlink.de # Reference: https://twitter.com/jaydinbas/status/1468521246862233603 # Reference: https://www.virustotal.com/gui/file/ef2d3e488b781a7c6144afa8fc8ba2b6d085ca671100d04686097f3b4dd2ed42/detection mantis-gewa.technisat-digital.de # Reference: https://twitter.com/czy_1116/status/1498190652412203008 # Reference: https://www.virustotal.com/gui/file/4cbad835586faf1d91431d5421b58b4acda0bd280cfbaf8a5d4820aec486b0e6/detection bloomcloud.org share.bloomcloud.org # Reference: https://twitter.com/ShadowChasing1/status/1502240130702065664 open.googlesheetpage.org /KcyRbGDJKRZoaLq8lHh8/C0sHwcGMH2/ /C0sHwcGMH2/ /KcyRbGDJKRZoaLq8lHh8/ # Reference: https://twitter.com/malwrhunterteam/status/1503640289810038786 # Reference: https://twitter.com/malwrhunterteam/status/1504573045750571010 # Reference: https://twitter.com/malwrhunterteam/status/1506008938197643266 # Reference: https://twitter.com/h2jazi/status/1503826030812925962 # Reference: https://twitter.com/h2jazi/status/1503826034923388929 # Reference: https://www.virustotal.com/gui/file/8672acfb06258f5b6dec3700cd7f91a0c013a70a9664dbc6cf33a4c6406756ed/detection # Reference: https://www.virustotal.com/gui/file/e62a7d9184a841e2b53e41f2d85aa278b427e2e427dbfd8f4be072108e3089c1/detection # Reference: https://www.virustotal.com/gui/file/689d5513ad52ad5e7a631a9147049c4cc494ad514b81cf41e841fb244c766b8b/detection # Reference: https://www.virustotal.com/gui/file/a51cad94475e0af91d270146379574b5a8ae70a03098318ddf9912784ace3cba/detection encorpost.com foxiebed.com hillokay.com nhn-games.com sktelecom.help want-helper.com # Reference: https://twitter.com/h2jazi/status/1505965580075114498 # Reference: 
https://www.virustotal.com/gui/file/e3a4e97e27bcfb6126ebfe92827cfb6b7e0c04eb7f5426bf17dd366e4723d1ef/detection pvacek.cz/wp-content/plugins/akismet/control/en/en.jpg # Reference: https://twitter.com/h2jazi/status/1505983796897894401 # Reference: https://www.virustotal.com/gui/file/d0cf9c1f87eac9b8879684a041dd6a2e1a0c15e185d4814a51adda19f9399a9b/detection webhosttech.org # Reference: https://twitter.com/blackorbird/status/1507040337097027584 # Reference: https://blog.google/threat-analysis-group/countering-threats-north-korea/ disneycareers.net find-dreamjob.com indeedus.org varietyjob.com ziprecruiters.org blockchainnews.vip chainnews-star.com financialtimes365.com fireblocks.vip gatexpiring.com gbclabs.com giantblock.org humingbot.io onlynova.org teenbeanjs.com colasprint.com/about/about.asp varietyjob.com/sitemap/sitemap.asp financialtimes365.com/user/finance.asp gatexpiring.com/gate/index.asp humingbot.io/cdn/js.asp teenbeanjs.com/cloud/javascript.asp # Reference: https://twitter.com/jaydinbas/status/1506970733997604867 # Reference: https://twitter.com/ShadowChasing1/status/1508637858927587328 # Reference: https://twitter.com/ShadowChasing1/status/1509520460974723072 # Reference: https://twitter.com/ShadowChasing1/status/1511144288830119941 # Reference: https://asec.ahnlab.com/ko/33034/ (Korean) # Reference: https://www.virustotal.com/gui/ip-address/2.57.90.16/relations # Reference: https://www.virustotal.com/gui/ip-address/209.126.83.186/relations # Reference: https://www.virustotal.com/gui/file/2fc71184be22ed1b504b75d7bde6e46caac0bf63a913e7a74c3b65157f9bf1df/detection # Reference: https://www.virustotal.com/gui/file/392aba0070375051d7bc3cc478c4bb66c5f55be87ad797800f50a338c3e2479b/detection # Reference: https://www.virustotal.com/gui/file/a7c17e5fa55bcc60d4cff64dd37d0a1f0cc93f4f44b3cebd5633ca5af413e5cc/detection # Reference: https://www.virustotal.com/gui/file/ae7275988753fffb29bdb254babdf46773daf935b2721006fe66a1747af3d1d4/detection naveicoipf.online 
naveicoipg.online naveicoiph.online naveicoiph.online naveicoipa.tech naveicoipc.tech naveicoipd.tech naveicoipe.tech navermailteam.online 123fisd.naveicoipg.online aat1pbil.naveicoipg.online adzjvazj.naveicoipg.online aosm8cts.naveicoipg.online buiweggajhqwj.naveicoipg.online cecomtp3.naveicoipg.online edfeiyql.naveicoipg.online eoinlslsf.naveicoipg.online fwpoyktt.naveicoipg.online hytrycnc.naveicoipg.online jbmnqpwp.naveicoipg.online jvnquetbon.naveicoipg.online kdzdm1rq.naveicoipg.online kygfkdum.naveicoipg.online l1tog1iv.naveicoipg.online lbmwbnbieo.naveicoipg.online olsnvolqwe.naveicoipg.online pv5pnwlx.naveicoipg.online qogngnslel.naveicoipg.online tp0rw6ie.naveicoipg.online twlekqnwl.naveicoipg.online urm1o6h0.naveicoipg.online vm2rjonq.naveicoipg.online vnwoei.naveicoipg.online 6la0cwds.naveicoiph.online 9yxqida1b.naveicoiph.online d4yp8bphj3.naveicoiph.online dtdgwgfvr.naveicoiph.online gkins2p3i.naveicoiph.online kashaccn4.naveicoiph.online lkpiedozd.naveicoiph.online rxpz7z2yi8.naveicoiph.online gowelknx.naveicoipf.online xjowihgnxcvb.naveicoipf.online xuau0b2i.naveicoipf.online 4w9h8ps9.naveicoipa.tech 4w9h8ps9.naveicoipc.tech momls4ii.naveicoipa.tech momls4ii.naveicoipc.tech tofysz6a.naveicoipa.tech tofysz6a.naveicoipc.tech uzzmuqwv.naveicoipa.tech uzzmuqwv.naveicoipc.tech zvc1ijau.naveicoipa.tech zvc1ijau.naveicoipc.tech bcvbert.naveicoipe.tech mhf8huuo.naveicoipe.tech msldkopw.naveicoipe.tech tyidrtu.naveicoipe.tech uktyukb.naveicoipe.tech vkqrwl00.naveicoipe.tech wrhehdfg.naveicoipe.tech nredial.navermailteam.online /1uFnvppj/1uFnvppj32.acm /1uFnvppj/1uFnvppj64.acm /1uFnvppj/ /1uFnvppj32.acm /1uFnvppj64.acm /018ueCdS/018ueCdS32.acm /018ueCdS/ /018ueCdS32.acm /0lvNAK1t/0lvNAK1t32.acm /0lvNAK1t/ /0lvNAK1t32.acm # Reference: https://www.virustotal.com/gui/ip-address/15.235.132.77/relations # Reference: https://www.virustotal.com/gui/ip-address/23.81.246.131/relations # Reference: https://www.virustotal.com/gui/ip-address/23.82.19.179/relations 
mailcontactteam.online mailcustomerservice.site mailhelp.online mailmanagecorp.online mailsecurity.email mailservicecorp.online mailserviceteam.email navcopcenter.tech navcorpmanager.site naveeocorp.xyz navenida.live navenida.site navenidb.live navenidb.site navenidc.live navenidc.site navenidd.site navenide.site navenidf.site naveorseccorp.link naveracom.link naveradmin01.link naveranid.link naveranid.live naveranid.online naverbcom.link naverbnid.live naverbnid.online naverccom.link navercert.live navercert.online navercnid.link navercnid.online navercoa.store navercob.store navercoc.store navercod.store navercoe.store navercoma.link navercoma.online navercomb.link navercomb.online navercomb.tech navercomc.link navercomc.online navercomc.tech navercomd.link navercomd.online navercome.link navercome.online navercome.tech navercomf.link navercomf.online navercomg.link navercomh.link navercop.link navercop.online navercorp.email navercorp.live navercorpl.tech navercorpr.online navercorpservice.com navercorpteam.com navercscorp.com naverenid.online naverfnid.online navergnid.online naverhnid.online naverhost.live naverinid.com naverinid.online naverjnid.online naverlogn.live navermailcorp.com navermailmanage.com navermailservice.com navermailservice.online navermailteam.online navermanage.com navermanage.live navermanage.space navermanageteam.com navermcorp.com navernida.link navernida.online navernida.tech navernidb.link navernidb.online navernidb.tech navernidc.link navernidc.online navernidc.tech navernidd.live navernidd.online navernide.online navernidlog.live navernidmail.com naverorteam.link naverreda.xyz naverredc.xyz naverredd.xyz naverrede.xyz naverredirect.live naversecurityservice.online naversecurityteam.com naverservice.email naverservice.host naverservice.link naverserviceteam.com naverserviceteam.email naverteam.live naverteamcorp.live navreplya.live navreplya.online navreplyb.live navreplyd.live navreplye.live navreplyf.site navreplyg.site 
navreplyh.site navreplyi.site navreplyj.site navreplyk.site navteamcorp.link nidbnaver.tech nidcnaver.tech niddnaver.tech nidnavera.online nidnavere.online noreplya.xyz noreplyb.xyz nvrcopa.link nvrcopb.link nvrcopc.link nvrcope.site nvrcopf.site nvricop.online nvrjcop.online portalcorpteam.com help.navreplya.live logn.navermanagecorp.site logn.noreplya.website mail.naveradmina.tech mail.navercomf.link nav.cloudcentre.space nav.naveracom.link nav.naveradmin06.online nav.noreplyb.xyz nav.portalcorpteam.com nin.navercop.link nlog.noreplyb.space red.naveradmin07.site red.nidnavere.online sec.naveralert.link sub.naverbcom.link # Reference: https://twitter.com/ShadowChasing1/status/1508706298640052225 # Reference: https://www.virustotal.com/gui/ip-address/44.227.65.245/relations cloudscare.xyz onlinedocview.biz cdn.onlinedocview.biz edit.onlinedocview.biz # Reference: https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/ # Reference: https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/ # Reference: https://otx.alienvault.com/pulse/61bca21cf212a6842e17c00b diragame.com diregame.live mygametoa.com d.diragame.com google.diragame.com jom.diregame.live toa.mygametoa.com tob.mygametoa.com # Reference: https://twitter.com/h2jazi/status/1509206625701220356 # Reference: https://www.virustotal.com/gui/file/e9894893a8a1f74d7d6a8768dda9ef5ddaf8aac18634a1110e9a79652c9f13ee/detection aixstore.info app.aixstore.info # Reference: https://securelist.com/lazarus-trojanized-defi-app/106195/ # Reference: https://otx.alienvault.com/pulse/6246c2c9082f5d1a7c15ffba bn-cosmo.com/customer/board_replay.asp edujikim.com/pay_sample/INIstart.asp emsystec.com/include/inc.asp gyro3d.com/common/faq.asp gyro3d.com/mypage/faq.asp ilovesvc.com/HomePage1/Inquiry/privacy.asp newbusantour.co.kr/gallery/left.asp roit.co.kr/xyz/adminer/edit_fail_decoded.asp softapp.co.kr/sub/cscenter/privacy.asp 
syadplus.com/search/search_00.asp # Reference: https://twitter.com/ShadowChasing1/status/1514899414367694851 # Reference: https://www.virustotal.com/gui/file/f78b85fc5c9a5f6c8d735f13180d318bf8f5639e71556e2ae0f2c6b9b4181a6c/detection http://15.235.33.14 # Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical # Reference: https://otx.alienvault.com/pulse/625d3bb7b78be557e145d2c7 aumentarelevisite.com juneprint.com jungfrau.co.kr mariamchurch.com happy.nanoace.co.kr ric-camid.re.kr # Reference: https://twitter.com/blackorbird/status/1516300076523548674 # Reference: https://mp.weixin.qq.com/s/Xs54_RDKU5MvkvsPPCGKEw (Chinese) beenos.biz zvc.capital cloud.beenos.biz it.zvc.capital # Reference: https://www.cisa.gov/uscert/ncas/alerts/aa22-108a # Reference: https://otx.alienvault.com/pulse/625e65bf6aa1f7977a316d65 alticgo.com cryptais.com dafom.dev esilet.com tokenais.com # Reference: https://asec.ahnlab.com/ko/33706/ # Reference: https://otx.alienvault.com/pulse/625e688f46dbcbce7ac0668d gaonwell.com/data/base/mail/login.asp h-cube.co.kr/main/image/gellery/gallery.asp materic.or.kr/include/main/main_top.asp materic.or.kr/include/main/main_top.xn--asp namchoncc.co.kr/include/?ind= okkids.kr/html/program/display/?re= shoppingbagsdirect.com/media/images/?ui= # Reference: https://twitter.com/blackorbird/status/1519504288849874944 # Reference: https://www.virustotal.com/gui/file/672ec8899b8ee513dbfc4590440a61023846ddc2ca94c88ae637144305c497e7/detection http://109.248.144.155 http://155.94.210.11 http://193.56.28.32 http://45.57.245.17 109.248.144.136:8443 109.248.144.155:8080 109.248.144.155:8443 usengineergroup.com mail.usengineergroup.com # Reference: https://twitter.com/ESETresearch/status/1521735320852643840 # Reference: https://twitter.com/ESETresearch/status/1521735343497695232 # Reference: https://www.virustotal.com/gui/file/55571ac52e1f02f18af77e2f3314382c982a37744b58732dfc15faac9d66619f/detection # Reference: 
https://www.virustotal.com/gui/file/a0bf5af3f931a428b905fd14d43b61af47b7f272425ae4ff4d78b5cb139b8276/detection # Reference: https://www.virustotal.com/gui/file/315503862cb7ebb0a731483827016015e355bad51f872db5c650a822de744937/detection onlinestockwatch.net # Reference: https://www.virustotal.com/gui/file/5081f54761947bc9ce4aa2a259a0bd60b4ec03d32605f8e3635c4d4edaf48894/detection 66.154.102.91:9090 # Reference: https://blogs.jpcert.or.jp/en/2022/07/vsingle.html bluedragon.com/login crm.vncgroup.com/cats/scripts/sphinxview.php mantis.westlinks.net/api/soap/mc_enum.php ougreen.com/zone semiconductboard.com/xcror shipshorejob.com/ckeditor/samples/samples.php tecnojournals.com/general tecnojournals.com/prest # Reference: https://blogs.jpcert.or.jp/en/2022/07/yamabot.html # Reference: https://www.virustotal.com/gui/file/f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb/detection http://213.180.180.154 karin-store.com/recaptcha.php yoshinorihirano.net/wp-includes/feed-xml.php /editor/session/aaa000/support.php /aaa000/support.php # Reference: https://mp.weixin.qq.com/s/USitU4jAg9y2XkQxbwcAPQ # Reference: https://otx.alienvault.com/pulse/62d153ef7d6fbe552403bc90 namchuncheon.co.kr/html/notice/list.asp stracarrara.org/public/photos/image/image.asp stracarrara.org/public/photos/image/image.xn--asp # Reference: https://twitter.com/h2jazi/status/1549780561551675393 # Reference: https://www.virustotal.com/gui/ip-address/155.138.219.140/relations # Reference: https://www.virustotal.com/gui/file/f7170b70a89f4b5d196e3a09c1d6135d36320548f66cdc2c55bf725b0f8d4ab8/detection documentworkspace.io fclouddown.co cdn.documentworkspace.io file.fclouddown.co # Reference: https://twitter.com/cyberoverdrive/status/1550175620927299584 # Reference: https://www.virustotal.com/gui/file/1e154b2976cc00d457c0dc2b83ebe81911294c8276691617085c03a3304fd87f/detection googlesheet.info # Reference: https://twitter.com/h2jazi/status/1553024107989635073 # Reference: 
https://www.virustotal.com/gui/file/0fe69e67286203ca2dcd080b4c25ab76fc4ca925e6207b193d47f02da1481843/detection shconstmarket.com dps.shconstmarket.com inst.shconstmarket.com web.shconstmarket.com # Reference: https://twitter.com/Des00464472/status/1546403794871001093 http://52.79.92.249/bbs/bbs_post.asp # Reference: https://twitter.com/h2jazi/status/1555205042331947011 # Reference: https://www.virustotal.com/gui/file/a3ef9fd758bca1c94054a43995a99069abaef672495c1bd3ee831217c1f5e498/detection mktrending.com docs.mktrending.com # Reference: https://twitter.com/ShadowChasing1/status/1557034048345997312 # Reference: https://www.virustotal.com/gui/file/57959c2be2ac6349aa37edb73cd8a88fe8d3e69678cac4b38fac401bd3141fdf/detection documentshare.info doc.documentshare.info ww16.documentshare.info /DmJMFYpwLPP3ygS/ # Reference: https://twitter.com/malwrhunterteam/status/1557077792075829249 # Reference: https://www.virustotal.com/gui/file/f1ade73b9c61f2f4b774a1b5003a5d70d7a12e0872abe98c52fbf9e9e3a90fc5/detection wordonline.cloud cdn.wordonline.cloud gdoc.wordonline.cloud # Reference: https://twitter.com/ESETresearch/status/1559553324998955010 # Reference: https://www.virustotal.com/gui/file/49046dfeaefc59747e45e013f3ab5a2895b4245cfaa218dd2863d86451104506/detection # Reference: https://www.virustotal.com/gui/file/8b427c47a43e6c357d8439fefa7f0ff34b72a2abdaf0461193fb9e6086807e17/detection # Reference: https://www.virustotal.com/gui/file/94a669041ef572e3fb089179f5c29e2811e2e82613290e39a2ce1b6c273727c9/detection # Reference: https://www.virustotal.com/gui/file/dae9f37ae5c2a030c0fb3f55d5731cdb37a4f68560a6f2ba38bb54c9533f8805/detection # Reference: https://www.virustotal.com/gui/file/e29d0db8c013e7eb5820a6f40aae92a085d9550f2f0b2ebc10c8c2c08d14f6d5/detection # Reference: https://www.virustotal.com/gui/file/fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853/detection concrecapital.com # Reference: https://twitter.com/h2jazi/status/1559259261665943553 # Reference: 
https://www.virustotal.com/gui/file/03f6c8f173413302d9c22a44a593fc9a5203fbb7652d3a36b3ace79f3cdc39a3/detection 1drvmicrosoft.com hare.1drvmicrosoft.com share.1drvmicrosoft.com # Reference: https://twitter.com/malwrhunterteam/status/1560563222624710656 # Reference: https://www.virustotal.com/gui/file/c9b4893bdb85d67c13826814ef0cf392648089f416aed40078907054624fba72/detection cooporatestock.com doc.cooporatestock.com docs.cooporatestock.com # Reference: https://www.virustotal.com/gui/ip-address/45.76.77.197/relations # Reference: https://www.virustotal.com/gui/file/0f6b6c1596e38e840fb03420317db224739a18dbef0b98285637f5887e90a191/detection drivegoogle.info docs.drivegoogle.info # Reference: https://twitter.com/ShadowChasing1/status/1564980900785373185 # Reference: https://www.virustotal.com/gui/file/51d53ca36a662b4aad5878987548f0f22f2a53545790577d8043373b6bf7eb75/detection wpsonline.co edit.wpsonline.co wps.wpsonline.co # Reference: https://www.virustotal.com/gui/file/f42c637db03edf83a08e944bc190265167ecea84d77508f37fc1269d267fe5a8/detection stablehouses.info app.stablehouses.info # Reference: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html # Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ # Reference: https://www.virustotal.com/gui/file/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332/detection # Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection # Reference: https://www.virustotal.com/gui/file/eb73c57c6f4ce8bf197ddc689b7e0afd3703a9bf9a78212c9cb838528441df7a/detection # Reference: https://www.virustotal.com/gui/file/bffe910904efd1f69544daa9b72f2a70fb29f73c51070bde4ea563de862ce4b1/detection # Reference: https://www.virustotal.com/gui/file/afb2d4d88f59e528f0e388705113ae54b7b97db4f03a35ae43cc386a48f263a0/detection # Reference: 
https://www.virustotal.com/gui/file/196fb1b6eff4e7a049cea323459cfd6c0e3900d8d69e1d80bffbaabd24c06eba/detection http://151.106.2.139 http://193.56.28.251 http://52.202.193.124 http://64.188.27.73 http://66.154.102.91 151.106.2.139:8080 151.106.2.139:8443 66.154.102.91:9090 gendoraduragonkgp126.com /adm_bord/login_new_check.php # Reference: https://twitter.com/Des00464472/status/1569331099305918465 techdesignshop.com # Reference: https://twitter.com/h2jazi/status/1570501870954905600 # Reference: https://www.virustotal.com/gui/file/5816eb32cbaadfc3477c823293a8c49cdf690b443c8fa3c19f98399c143df2b3/detection azure-protect.online verify.azure-protect.online # Reference: https://twitter.com/BaoshengbinCumt/status/1570579732399558656 jbic.us mufg.tokyo salt1ending.com wpic.ink cloud.jbic.us cloud.mufg.tokyo # Reference: https://twitter.com/HaoZhixiang/status/1572434427942432772 # Reference: https://www.virustotal.com/gui/file/0b79e1194644431c2e28c48aa3654e658a2907e1003cd0484cd00a0796ebe6bb/detection onlineshares.cloud ms.onlineshares.cloud # Reference: https://twitter.com/malwrhunterteam/status/1573305740252663809 # Reference: https://www.virustotal.com/gui/file/48bd1c5cf9ccc3d454ab80d7284abaf39028a228607d132bfa92ab2ceca47ca2/detection azure-protection.cloud docs.azure-protection.cloud secure.azure-protection.cloud # Reference: https://twitter.com/StopMalvertisin/status/1574329188793733120 # Reference: https://www.virustotal.com/gui/file/3b70c3ebffcfd6a97859f8d9e5a31f6902756e23fd6688ca7c7446d24ec76d9d/detection digiboxes.us fs.digiboxes.us # Reference: https://twitter.com/StopMalvertisin/status/1574749887203143680 # Reference: https://www.virustotal.com/gui/file/f00fe4e6da3aaad25d1ac8b268ffeebc98bda184e3df224905626908be24d415/detection sunlin.org/info/style?title= # Reference: https://twitter.com/StopMalvertisin/status/1575055809104334848 # Reference: https://twitter.com/ScarletSharkSec/status/1575130042627244038 # Reference: 
https://twitter.com/malwrhunterteam/status/1593744606172168195 # Reference: https://www.virustotal.com/gui/ip-address/155.138.159.45/relations # Reference: https://www.virustotal.com/gui/file/99eae95f3271fe7cd2b25aca9a2b69ca8f5cc034f3416b554a4af38903f14233/detection # Reference: https://www.virustotal.com/gui/file/8f05021071c4bfd4cfce3d02bd30bf16f1322170515d796e13f75eb25b09d533/detection docuprivacy.com gdocshare.one msteam.biz onlinecloud.cloud privacysign.org dmarc.onlineshares.cloud ms.msteam.biz team.msteam.biz open.onlinecloud.cloud # Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ 137.184.15.189:22 172.93.201.253:22 44.238.74.84:22 44.238.74.84:5900 # Reference: https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/ # Reference: https://otx.alienvault.com/pulse/6336cd77cbc019c475aa2034 contradecapital.com m.contradecapital.com market.contradecapital.com stage.contradecapital.com vpn.contradecapital.com # Reference: https://github.com/eset/malware-ioc/tree/master/nukesped_lazarus cowp.or.kr/html/board/main.asp erpmas.co.kr/Member/franchise_modify.asp fored.or.kr/home/board/view.php gncaf.or.kr/cafe/cafe_board.asp gongsinet.kr/comm/comm_gongsi.asp goojoo.net/board/banner01.asp hsbutton.co.kr/bbs/bbs_write.asp hstudymall.co.kr/easypay/web/bottom.asp ikrea.or.kr/main/main_board.asp pcdesk.co.kr/Freeboard/mn_board.asp pgak.net/service/engine/release.asp quecue.kr/okproj/ex_join.asp style1.co.kr/main/view.asp wowpress.co.kr/customer/refuse_05.asp zndance.com/shop/post.asp # Reference: https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/ # Reference: https://otx.alienvault.com/pulse/633c7f2703c1f6dec01555e5 aquaprographix.com/patterns/Map/maps.php stracarrara.org/images/img.asp thetalkingcanvas.com/thetalking/globalcareers/us/5/careers/jobinfo.php turnscor.com/wp-includes/feedback.php # Reference: 
https://twitter.com/Des00464472/status/1580021488433831936 propertys-shop.com # Reference: https://twitter.com/h2jazi/status/1582809597051826177 # Reference: https://twitter.com/h2jazi/status/1582809599023124481 # Reference: https://www.virustotal.com/gui/file/c114b73da17eb5c8aff5a7b5509ffe26b9770e28c7123f038e98d42f8a065632/detection bbcnewsagency.com # Reference: https://twitter.com/h2jazi/status/1582919568384663552 bloombergnewsagency.com # Reference: https://www.virustotal.com/gui/file/500ae0f1ab40a254f81c73331c9848bada4c26adad613d53d339d14ca3599a32/detection # Reference: https://www.virustotal.com/gui/file/442c2b7b8e7ec13306bfb6c1332bd87e4d9cac242fd86555df355a606b895c46/detection 11.23.33.44:8050 66.85.157.67:8050 drivetools.xyz filesspace.xyz theboxart.xyz # Reference: https://twitter.com/imp0rtp3/status/1589263364274155520 # Reference: https://twitter.com/imp0rtp3/status/1589263367650578434 # Reference: https://www.virustotal.com/gui/file/06ea41ee563f0ecb884d0640344a1e0006a9e8b1b3d4cda9a769a896f18c4b6d/detection # Reference: https://www.virustotal.com/gui/file/e1ecf0f7bd90553baaa83dcdc177e1d2b20d6ee5520f5d9b44cdf59389432b10/detection # Reference: https://www.virustotal.com/gui/file/dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031/detection leadsblue.com/wp-content/wp-utility/index.php # Reference: https://twitter.com/Des00464472/status/1590966132596695040 olidhealth.com dc-ba6f51b553e0.olidhealth.com # Reference: https://twitter.com/souiten/status/1593449165349978113 # Reference: https://www.virustotal.com/gui/file/0937cbb980cb898eacd8458366fc4de3510266b8fbcd68010aa04e58bf72df28/detection # Reference: https://www.virustotal.com/gui/file/a3f087c83453cde2bc845122c05ebeb60e8891e395b45823c192869ec1b72ea6/detection capmarketreport.com # Reference: https://explore.avertium.com/resource/an-in-depth-look-at-north-korean-threat-actor-zinc # Reference: https://otx.alienvault.com/pulse/637f670d45a399f00e8aea3c cats.runtimerec.com/db/dbconn.php 
elite4print.com/support/support.asp hurricanepub.com/include/include.php olidhealth.com/wp-includes/php-compat/compat.php recruitment.raystechserv.com/lib/artichow/BarPlotDashboard.object.php turnscor.com/wp-includes/contacts.php # Reference: https://twitter.com/jaydinbas/status/1598660262751604738 # Reference: https://www.virustotal.com/gui/file/f14c5bad5219b1ed5166eb02f5ff08a890a181cef2af565f3fe7bcea9c870e22/detection key.sharedrive.ink # Reference: https://twitter.com/malwrhunterteam/status/1598405604317442048 # Reference: https://twitter.com/jaydinbas/status/1598722899556577280 # Reference: https://www.virustotal.com/gui/file/741be5e53a5dc7cebaa63d6ff624c5eff1a0e1817ede1e7fc0473a28b1ed7a33/detection dsx-app.com # Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-12-02-v10187/190 bloxholder.com oilycargo.com rebelthumb.net strainservice.com telloo.io # Reference: https://twitter.com/h2jazi/status/1602302208325947394 # Reference: https://www.virustotal.com/gui/file/69e5cc9d865301f7e8dd7d4dbf5624db2859c614112d339b2fc07ea6176c776d/detection microshare.cloud one.microshare.cloud # Reference: https://twitter.com/h2jazi/status/1602314597926576131 # Reference: https://twitter.com/h2jazi/status/1602314600753598465 # Reference: https://www.virustotal.com/gui/file/bdd109cba8346548dd6fe5110180aa23eb9f5805c90733025344a5881c15c985/detection thecloudnet.org # Reference: https://twitter.com/jaydinbas/status/1608077663532449792 # Reference: https://www.virustotal.com/gui/file/c52028b494c37505cbe073e3b0fcdeb6b7b48636c6fd00a41108e6dc1a66a4ce/detection professiondesc.com # Reference: https://twitter.com/Des00464472/status/1610535596262580230 # Reference: https://www.virustotal.com/gui/ip-address/172.86.121.130/relations # Reference: https://www.virustotal.com/gui/ip-address/45.153.242.37/relations # Reference: https://www.virustotal.com/gui/file/e04848c1e2908335975dd52793c94624d06a598fdd75d5d3eb6ea8c5d569b8bc/detection auto-protection.cloud 
auto-protection.services azure-protect.cloud azure-protection.online auto-secure.cloud beyondnextventures.us doc-protection.cloud docs-view.cloud mizuhogroup.uk offerings.cloud online-protection.cloud protection-service.cloud smbcgroup.uk tptf.cloud tptf.ltd azure.auto-protection.cloud azure.auto-protection.services azure.auto-secure.cloud azure.doc-protection.cloud azure.doc-protection.online azure.docs-view.cloud azure.online-protection.cloud azure.protection-service.cloud cloud.beyondnextventures.us cloud.mizuhogroup.uk cloud.smbcgroup.uk docs.tptf.cloud secure.azure-protection.online secure.azure-protect.cloud secure.azure-protection.online # Reference: https://twitter.com/Des00464472/status/1613893230004965381 # Reference: https://www.virustotal.com/gui/file/9dc04153455d054d7e04d46bcd8c13dd1ca16ab2995e518ba9bf33b43008d592/detection easyview.kr/board/mb_admin.php mudeungsan.or.kr/gbbs/bbs/template/g_botton.php neohr.co.kr/bbs/data/notice/notice.php # Reference: https://twitter.com/h2jazi/status/1618630926891913217 blurbshop.com cloudfly.org dailynewsagent.com oneweb-host.com shopwebstudio.com turacodi.com # Reference: https://twitter.com/jaydinbas/status/1623295609703636993 # Reference: https://www.virustotal.com/gui/file/3a4aed5b9ad0827696a1bb5f3497a6a2aa26b453d27bfacbe3c8c47673aac98d/detection doc-share.cloud safe.doc-share.cloud # Reference: https://asec.ahnlab.com/ko/48416/ # Reference: https://otx.alienvault.com/pulse/63ff76797371033cf70b2df3 ctmnews.kr dalbinews.co.kr kfcjn.com lightingmart.co.kr studyholic.co.kr # Reference: https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware wirexpro.com # Reference: https://twitter.com/souiten/status/1653999722477268992 # Reference: https://www.virustotal.com/gui/file/69ef7c4cb3849283c03eaa593b02ebbfd1d08d25ef9a58355d2a9909678d6c6d/detection share.googlefiledrive.com # Reference: https://twitter.com/ESETresearch/status/1656385173968019456 # Reference: 
https://twitter.com/ESETresearch/status/1656386549594857472 # Reference: https://www.virustotal.com/gui/ip-address/104.168.138.7/relations # Reference: https://www.virustotal.com/gui/file/c28e4031129f3e6e5c6fbd7b1cebd8dd21b6f87a8564b0fb9ee741a9b8bc0197/detection # Reference: https://www.virustotal.com/gui/file/5f00106f7f15e0ca00df4dbb0eeccd57930b4b81bc9aa3fca0c5af4eda339ab7/detection coto.live cryptyk.cloud cryptyk.info gumicryptos.com hyperchaincapital.online parallaxdigital.online prosec.ink autoprotect.com.se cloud.cryptyk.info cloud.prosec.ink cloudprotect.us.org cryptyk.ddns.net cryptyk.hopto.org cryptyk.sytes.net cryptyk.webredirect.org document.coto.live document.sharedrive.ink docusend.coto.live hostings.webredirect.org # Reference: https://www.virustotal.com/gui/ip-address/104.168.214.151/relations azure-defender.cloud azuredefender.online bico-news.blog blockchainworld.info blockfi.loans box-docsend.cloud box-docsend.online companydetail.online crypto-ecosystem.world cryptofundsresearch.com daiwa.ventures doc-send.cloud doc-send.com docs-send.com doc-send.online docs-send.online docsend-host.cloud drop-box.cloud dropbox-docsend.cloud dropbox-docsend.online gumi-cryptos.loan job-description.online jobdescription.online nextera.capital online-meeting.xyz panteracapital.ventures private-meeting.online privatenetwork.online smart-contracts.blog swissborg.blog tokentracking.info usncet.org verifydocument.online video-meet.online video-meeting.xyz additional.work.gd additionalpublic.work.gd abs.twitter.expublic.linkpc.net arbor.companydetail.online asset.crypto-ecosystem.world autoprotect.gb.net bico.tokentracking.info boa.azuredefender.online boa.job-description.online boa.jobdescription.online cloud.daiwa.ventures cnbc.crypto-ecosystem.world coinbase.expublic.linkpc.net crypto.blockchainworld.info daiwa.azure-defender.cloud defi.smart-contracts.blog docs.panteracapital.ventures draper.online-meeting.xyz dynamic.expublic.linkpc.net 
exceptions.coinbase.expublic.linkpc.net exceptions.expublic.linkpc.net expublic.linkpc.net github.expublic.linkpc.net google.coinbase.expublic.linkpc.net hashkey.online-meeting.xyz hwsrv-1033810.hostwindsdns.com internal-server.nextera.capital internal.daiwa.ventures internal.usncet.org interview.private-meeting.online meet.ubi-safemeeting.online onedrive.azure-defender.cloud recent.bico-news.blog shared.box-docsend.cloud shared.box-docsend.online shared.doc-send.cloud shared.drop-box.cloud shared.dropbox-docsend.cloud shared.dropbox-docsend.online support.private-meeting.online support.trustmeeting.online support.ubi-safemeeting.live support.video-meeting.online support.video-meeting.xyz # Reference: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499 http://3.89.226.234 http://40.121.90.194 eflow.co.kr/member_image/about.php projectcell.niv.co.in/non_scientific/service.php sora.bz/xoops_root_path/templates_c/login.php sora.bz/xoops_root_path/uploads/information/about.php # Reference: https://twitter.com/blackorbird/status/1675803174551314432 # Reference: https://www.elastic.co/cn/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket # Reference: https://www.virustotal.com/gui/ip-address/64.44.141.15/relations # Reference: https://www.virustotal.com/gui/ip-address/91.195.240.123/relations amazoncojp.one dropbx-doc.online hondchain.com jaicvc.com previewaccess-doc.online starbucls.xyz thefifodoc.online crypto.hondchain.com docsend.linkpc.net docsend.publicvm.com # Reference: https://www.virustotal.com/gui/ip-address/64.44.141.13/relations blackleopard.world docsend.apple.linkpc.net docsend.apple.work.gd docsend.camdvr.org docsend.theworkpc.com floriventures.linkpc.net floriventures.publicvm.com floriventuresfund.com forest.groundwolf.sbs groundwolf.sbs info.floriventuresfund.com info.racondog.shop kingstar.publicvm.com lightkingstar.com net.lightkingstar.com nomanstone.shop origin.blackleopard.world 
racondog.shop sabrpartner.com starbocks.yachts xyz.nomanstone.shop xyz.racondog.shop # Reference: https://twitter.com/h2jazi/status/1681426768597778440 # Reference: https://twitter.com/ShadowChasing1/status/1681947062471098368 # Reference: https://www.virustotal.com/gui/file/6f11c52f01e5696b1ac0faf6c19b0b439ba6f48f1f9851e34f0fa582b09dfa48/detection jkmusic.co.kr/shop/data/theme/ notebooksell.kr/mall/m_schema.php # Reference: https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html checkdevinc.com git-hub.me pkginstall.net # Reference: https://asec.ahnlab.com/en/54195/ # Reference: https://otx.alienvault.com/pulse/6490761db8416aad20dd9404 bcdm.or.kr/board/type3_D/edit.asp coupontreezero.com/include/bottom.asp daehang.com/member/logout.asp gongsilbox.com/board/bbs.asp hmedical.co.kr/include/edit.php ksmarathon.com/admin/excel2.asp materic.or.kr/files/board/equip/equip_ok.asp sinae.or.kr/sub01/index.asp # Reference: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247492789&idx=1&sn=a991e6c5ed7388515d75f02e9c33428f # Reference: https://otx.alienvault.com/pulse/64a2f58febf38755c4240c34 rowdensurname.org/slideshow/slides/show.asp # Reference: https://blog.talosintelligence.com/lazarus-collectionrat/ # Reference: https://www.virustotal.com/gui/file/ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6/detection (# QietRAT) # Reference: https://www.virustotal.com/gui/file/db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984/detection (# CollectionRAT) # Reference: https://www.virustotal.com/gui/file/773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df/detection (# CollectionRAT) # Reference: https://www.virustotal.com/gui/file/e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe/detection (# Trojanized Plink) http://109.248.150.13 http://146.4.21.94 109.248.150.13:443 ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php # Reference: 
https://twitter.com/fr0s7_/status/1695001873604903348 # Reference: https://twitter.com/fr0s7_/status/1695012385705148748 # Reference: https://twitter.com/fr0s7_/status/1695012576600498679 # Reference: https://www.virustotal.com/gui/ip-address/144.202.17.28/relations # Reference: https://www.virustotal.com/gui/ip-address/45.63.1.46/relations # Reference: https://www.virustotal.com/gui/ip-address/66.42.86.109/detection # Reference: https://www.virustotal.com/gui/file/8e271b07ad050b648321af5aa98ae9f9057342a6c4d3de40ee07a4fbec1ef2b9/detection # Reference: https://www.virustotal.com/gui/file/7c2721b4beedcff6f8d7af585516af86287a9bab703e8050e97365aa9fd849cb/detection dliklone.online sourljsourhs.cfd ajileuowl.dliklone.online huweisge.dliklone.online tales.dliklone.online tonses.dliklone.online magmow.sourljsourhs.cfd # Reference: https://twitter.com/tiresearch1/status/1695342915281965409 online-meeting.pro private-meeting.xyz trustmeeting.online ubi-safemeeting.live video-meeting.online # Reference: https://twitter.com/tiresearch1/status/1696067977463087376 safe-meeting.online trustmeeting.live ubi-safemeeting.online # Reference: https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues # Reference: https://www.virustotal.com/gui/ip-address/45.61.136.133/relations tableditermanaging.pro # Reference: https://asec.ahnlab.com/en/56405/ # Reference: https://otx.alienvault.com/pulse/64f0a87de1d155ccb31c3561 chinesekungfu.org ipservice.kro.kr privatemake.bounceme.net bbs.topigsnorsvin.com.ec # Reference: https://twitter.com/blackorbird/status/1700047882441908674 # Reference: https://twitter.com/felixaime/status/1699865970041348506 # Reference: https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/ # Reference: https://otx.alienvault.com/pulse/64fa0325f88b5109856801c8 bitsvertise.com blgbeach.com dbgsymbol.com ecordillos.com ismartrium.com rapisigns.com # Reference: 
https://twitter.com/tiresearch1/status/1701155845608964391 alwayswait.online alwayswait.site antifirmware.online antifirmware.site antifirmware.store antiviruscheck.site antiviruscheck.store auditprovidre.online auditprovidre.site auditprovidre.store newcoming.cfd remoteproweb.cfd systemupdate.site systemupdate.store unbelievableresult.site unbelievableresult.store updatecheck.site updatecheck.store waitingfor.cfd system.updatecheck.store # Reference: https://twitter.com/h2jazi/status/1702726275012382747 # Reference: https://www.virustotal.com/gui/file/c83c7b000a955f2b8cb92bb112ed606ffd9fbebbe3422f80d90d06b167f2f37b/detection brianrep.com /dnquery.phpinteger # Reference: https://twitter.com/asdasd13asbz/status/1705140120222105777 http://91.206.178.125 # Reference: https://twitter.com/tiresearch1/status/1706312971054412039 datasend.linkpc.net docsenddata.linkpc.net docsendinfo.linkpc.net open-sc.xyz opensend.linkpc.net opensend.online video-meet.team # Reference: https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ barsaji.com.mx/src/recaptcha/index.php bug.restoroad.com/admin/view_status.php kapata-arkeologi.kemdikbud.go.id/pages/payment/payment.php kerstpakketten.horesca-meppel.nl/wp-content/plugins/woocommerce/lib.php kittimasszazs.hu/images/virag.php nrfm.lk/wp-includes/simplepie/content.php radiographers.org/aboutus/aboutus.php # Reference: https://twitter.com/tiresearch1/status/1708141542261809360 bitscrunch.linkpc.net bitscrunch.publicvm.com bitscrunnch.linkpc.net bitscrunnch.run.place coupang-network.pics exodus.linkpc.net jobdescription.linkpc.net # Reference: https://twitter.com/tiresearch1/status/1708539447908958382 starbocks.shop starbuck-coffee.cfd starbuckex.beauty starbucls.top # Reference: https://twitter.com/k3yp0d/status/1709851707427975382 # Reference: https://twitter.com/greglesnewich/status/1742926817827422712 # Reference: 
https://g-les.github.io/yara/2024/01/04/100DaysofYARA-CosmicRust.html # Reference: https://www.virustotal.com/gui/file/979ef0f43f25a6707fd98f6f0cb6e8452c24f41216ff53486781f487803d69c4/detection # Reference: https://www.virustotal.com/gui/file/dbe48dc08216850e93082b4d27868a7ca51656d9e55366f2642fc5106e3af980/detection # Reference: https://www.virustotal.com/gui/file/a8cc70bcd0ef98e3eea54f953166f518a2cf1d898e4eb9e85cf70861f8ec7578/detection # Reference: https://www.virustotal.com/gui/file/5f4063e3a5583e62ddec2f84ca88eb97fbcfbee31d9269742ab438f441f0cd58/detection # Reference: https://www.virustotal.com/gui/file/576d1688f744a9f6ae4c1fb4cec1cda3daecabf3a13cb3bafabf083c54d1fcb6/detection # Reference: https://www.virustotal.com/gui/file/5115be816d0cd579915d079573bfa384d78ac0bd33cc845b7a83a488b0fc1b99/detection # Reference: https://www.virustotal.com/gui/file/3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a/detection 104.168.136.24:8080 104.168.172.20:8080 commoncome.online web.commoncome.online welcome.newcoming.cfd # Reference: https://twitter.com/tiresearch1/status/1709900227241758810 automatic.antifirmware.store autoserverupdate.line.pm huanying.remoteproweb.cfd real.unbelievableresult.store stress.antiviruscheck.site successfulconnection.linkpc.net sys.antiviruscheck.store sys.updatecheck.site web.auditprovidre.site # Reference: https://twitter.com/asdasd13asbz/status/1711617213944492293 # Reference: https://www.virustotal.com/gui/ip-address/103.179.142.171/relations # Reference: https://www.virustotal.com/gui/file/f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58/detection # Reference: https://www.virustotal.com/gui/file/00433ebf3b21c1c055d4ab8a599d3e84f03b328496236b54e56042cef2146b1c/detection blockchain-newtech.com # Reference: https://twitter.com/tiresearch1/status/1712004829978190112 docs-protection.cloud docs-protection.online docs-protection.top azure.docs-protection.cloud azure.docs-protection.online azure.docs-protection.top 
docs.smbc-vc.com meeting.work.gd orangecake.work.gd transactions.publicvm.com updatecheck.publicvm.com # Reference: https://twitter.com/malwrhunterteam/status/1710379117869150506 # Reference: https://twitter.com/h2jazi/status/1712115378933977444 # Reference: https://www.virustotal.com/gui/file/f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58/detection chiark.greenend.org.uk/~sgtatham/putty/ # Reference: https://twitter.com/tiresearch1/status/1712839519366795733 15248636.site activity-179384736.site activity-permission.online allow-permission.online book-download.shop chat-services.online files-archive.online mail-roundcube.site online-meeting.site online-video-services.site share-meeting.online un-call.services videocallservice.live webmailaccount.cloud # Reference: https://twitter.com/tiresearch1/status/1713828674750017852 # Reference: https://twitter.com/tiresearch1/status/1714149818753507596 book.tomming.us cloud.bdcc.bio enimvzud.mouradvps8hostwin.online floriventuresend.linkpc.net forservercon.run.place jobintro.linkpc.net mouradvps8hostwin.online protectli.online web3.auditprovidre.store xjba.linkpc.net xjbb.linkpc.net xjbd.linkpc.net # Reference: https://twitter.com/tiresearch1/status/1714283158588600641 crtypk.run.place cryptykhost.work.gd share.prosec.ink singlelink.work.gd # Reference: https://securelist.com/updated-mata-attacks-industrial-companies-in-eastern-europe/110829/ # Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf beeztrend.com mbafleet.com prajeshpatel.com zawajonly.com icimp.swarkul.com # Reference: https://twitter.com/malwrhunterteam/status/1715075131175751740 # Reference: https://www.virustotal.com/gui/ip-address/68.170.2.240/relations # Reference: https://www.virustotal.com/gui/file/5e523ba395d7b92001d14d0d0e607410af9acb61d724a4a7651c3d80a79fb532/detection coingecko.bond # Reference: 
https://twitter.com/tiresearch1/status/1717496437985128862 bitscrunch.co bitscrunch.deck.linkpc.net bitscrunch.im.linkpc.net deck.linkpc.net doc.global-link.run.place global-link.run.place # Reference: https://twitter.com/tiresearch1/status/1717554754023526564 # Reference: https://twitter.com/KSeznec/status/1717542794942660771 # Reference: https://www.virustotal.com/gui/file/47b8b4d55d75505d617e53afcb6c32dd817024be209116f98cbbc3d88e57b4d1/detection co.intneral-document-he-gr-me.run.place group.link-net.publicvm.com internal.group.link-net.publicvm.com intneral-document-he-gr-me.run.place j-ic.co.intneral-document-he-gr-me.run.place link-net.publicvm.com on-global.xyz # Reference: https://twitter.com/tiresearch1/status/1717922111749288043 bitscrunch.pd.linkpc.net bitscrunch.presentations.life col-link.linkpc.net docshared.col-link.linkpc.net pd.linkpc.net presentations.life # Reference: https://securelist.com/unveiling-lazarus-new-campaign/110888/ # Reference: https://otx.alienvault.com/pulse/653c0681ae38ba0d7d84e538 admin.esangedu.kr/XPaySample/submit.php api.shw.kr/login_admin/member/login_fail.php blastedlevels.com/levels4SqR8/measure.asp droof.kr/Board/htmlEdit/PopupWin/Editor.asp friendmc.com/upload/board/asp20062107.asp hankooktop.com/ko/company/info.asp hanlasangjo.com/editor/pages/page.asp happinesscc.com/mobile/include/func.asp healthpro.or.kr/upload/naver_editor/subview/view.inc hicar.kalo.kr/data/rental/Coupon/include/inc.asp hspje.com/menu6/teacher_qna.asp ictm.or.kr/UPLOAD_file/board/free/edit/index.php khmcpharm.com/Lib/Modules/HtmlEditor/Util/read.cer kscmfs.or.kr/member/handle/log_proc.php kstr.radiology.or.kr/upload/schedule/29431_1687715624.inc little-pet.com/web/board/skin/default/read.php mainbiz.or.kr/SmartEditor2/photo_uploader/popup/edit.asp mainbiz.or.kr/include/common.asp medric.or.kr/Controls/Board/certificate.cer muijae.com/daumeditor/pages/template/simple.asp muijae.com/daumeditor/pages/template/template.asp 
muijae.com/daumeditor/pages/template/ new-q-cells.com/upload/newsletter/cn/frame.php nonstopexpress.com/community/include/index.asp pediatrics.or.kr/PubReader/build_css.php pms.nninc.co.kr/app/content/board/inc_list.asp safemotors.co.kr/daumeditor/pages/template/template.asp samwoosystem.co.kr/board/list/write.asp seoulanesthesia.or.kr/mail/mail_211230.html seouldementia.or.kr/_manage/inc/bbs/jiyeuk1_ok.asp siriuskorea.co.kr/mall/community/bbs_read.asp swt-keystonevalve.com/data/editor/index.php theorigin.co.kr:443/admin/management/index.php ucware.net/skins/PHPMailer-master/index.php vietjetairkorea.com/INFO/info.asp vnfmal2022.com/niabbs5/upload/gongji/index.php warevalley.com/en/common/include/page_tab.asp yoohannet.kr/min/tmp/process/proc.php # Reference: https://twitter.com/tiresearch1/status/1718902558922834192 cisco-webex.online pdf.cisco-webex.online support.cisco-webex.online # Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-10-30-v10452/1080 bitscrunch.ddns.net bitscrunch.serveirc.com bitscrunch.tech.linkpc.net bitscrunch.zapto.org bitscrunchtech.linkpc.net document.shared-link.line.pm indaddy.xyz internalpdfviewer.ddns.net nor-health.xyz shared-link.line.pm tech.linkpc.net voldemort.myvnc.com # Reference: https://www.virustotal.com/gui/ip-address/192.236.194.152/relations coupang-networks.pics ronaldo-nftprojects.shop # Reference: https://twitter.com/tiresearch1/status/1719979579170009130 cloud.doc-shared.linkpc.net doc-shared.linkpc.net dubai.network.cloud.doc-shared.linkpc.net group.evalaskatours.com internal.bounceme.net mclearoptical.com network.cloud.doc-shared.linkpc.net # Reference: https://twitter.com/tiresearch1/status/1721811568814624831 # Reference: https://app.validin.com/axon?find=62.133.61.204&type=ip online-meeting.team safemeeting.online team-meet.online video-meeting.team videomeethub.online # Reference: https://twitter.com/tiresearch1/status/1722534103751540999 syncmeet.online team-meeting.xyz # Reference: 
https://twitter.com/tiresearch1/status/1725052270910538103 # Reference: https://www.virustotal.com/gui/ip-address/216.107.136.10/relations bitscrunch.myvnc.com blackleopard.myvnc.com naverk.myvnc.com # Reference: https://twitter.com/tiresearch1/status/1727306536522043677 privymeet.com # Reference: https://twitter.com/tiresearch1/status/1727956853794250850 group-meeting.online group-meeting.team # Reference: https://asec.ahnlab.com/en/59073/ # Reference: https://otx.alienvault.com/pulse/655e254bda9c2bd236bc188f 109.248.150.147:8585 185.29.8.108:8585 27.102.118.204:6099 27.102.128.152:8098 84.38.132.67:9479 primez.online song.th # Reference: https://twitter.com/tiresearch1/status/1729392929612218731 france24.live meeting-online.site online-processing.online ovcloud.online # Reference: https://twitter.com/tiresearch1/status/1729754195903844484 # Reference: https://www.virustotal.com/gui/ip-address/104.168.137.21/relations alwayswait.online audiocheck.store auditprovidre.online cryptowave.capital group-meeting.online group-meeting.team internal-meeting.online kkvps.buzz meetcentralhub.online meetingverse.app online-meeting.team privymeet.com safe-meeting.online safemeeting.online skyboxdrive.cloud syncmeet.online team-meet.online team-meeting.xyz trustmeeting.live trustmeeting.online ubi-safemeeting.live ubi-safemeeting.online video-meet.online video-meet.team video-meet.xyz video-meeting.team archax.privymeet.com archax.skyboxdrive.cloud archax.trustmeeting.live bitfinex.internal-meeting.online bitfinex.video-meet.online cryptowave.internal-meeting.online cryptowave.video-meet.online d1.skyboxdrive.cloud drop.skyboxdrive.cloud dun.audiocheck.store dun.auditprovidre.online email.alwayswait.online emv1.meetingverse.app emv1.ubi-safemeeting.live gumi-cryptos.group-meeting.online gumi-cryptos.group-meeting.team gumi-cryptos.team-meet.online gumi-cryptos.team-meeting.xyz gumi-cryptos.video-meet.team hashkey.group-meeting.online hashkey.group-meeting.team 
hashkey.internal-meeting.online hashkey.online-meeting.team hashkey.team-meet.online hashkey.team-meeting.xyz hashkey.video-meet.online hashkey.video-meet.team hashkey.video-meeting.team help.group-meeting.online help.team-meet.online help.video-meet.team help.video-meeting.team hwsrv-1093408.hostwindsdns.com ihsgpnsj.meetingverse.app internal-meeting.online kraken.group-meeting.online kraken.group-meeting.team kraken.team-meet.online kraken.video-meeting.team meet.cryptowave.capital meet.ubi-safemeeting.online mta-sts.meetingverse.app mta-sts.ubi-safemeeting.live okx.internal-meeting.online okx.video-meet.online okx.video-meeting.team pdf.cisco-webex.online ryze.privymeet.com shared.dropbox-docsend.online support.cisco-webex.online support.cryptowave.capital support.group-meeting.online support.group-meeting.team support.internal-meeting.online support.meetcentralhub.online support.privymeet.com support.safe-meeting.online support.skyboxdrive.cloud support.syncmeet.online support.team-meet.online support.team-meeting.xyz support.trustmeeting.live support.trustmeeting.online support.ubi-safemeeting.live support.ubi-safemeeting.online support.video-meet.online support.video-meet.team support.video-meet.xyz support.video-meeting.team technical-support.group-meeting.team technical-support.internal-meeting.online technical-support.team-meet.online technical-support.video-meet.online troubleshoot.group-meeting.team troubleshoot.internal-meeting.online troubleshoot.team-meeting.xyz ubisoft.group-meeting.online ubisoft.internal-meeting.online ubisoft.safe-meeting.online ubisoft.trustmeeting.live # Reference: https://www.virustotal.com/gui/file/60674602836323647634016774ea123232160c1b4dfcf3fcd2d2c28c652aa00e/detection 104.168.151.34:8080 audiocheck.store autoupdate.xyz botsc.autoupdate.xyz dun.audiocheck.store # Reference: https://twitter.com/tiresearch1/status/1730114476786229304 einei.line.pm onelao.line.pm tiena.einei.line.pm # Reference: 
https://twitter.com/tiresearch1/status/1731600500259524993 team-meet.xyz team-meeting.pro archax.meetingverse.app archax.team-meeting.pro hashkey.team-meeting.pro lrakkiqr.team-meeting.pro mail.privymeet.com technical-support.safe-meeting.online # Reference: https://twitter.com/tiresearch1/status/1733020053426282778 wndlwndmfe.xyz # Reference: https://mp.weixin.qq.com/s/f5YE12w3x3wad5EO0EB53Q http://103.179.142.171 http://156.236.76.9 chaingrown.com # Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-12-06-v10480/1183 manchestercity.work.gd myself.hopto.org # Reference: https://slowmist.medium.com/analysis-of-north-korean-hackers-targeted-phishing-scams-on-telegram-872db3f7392b # Reference: https://otx.alienvault.com/pulse/65773dc2466c7161e66b3d07 archax.team-meeting.xyz archax.videomeethub.online emv1.group-meeting.team emv1.team-meet.xyz # Reference: https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/ # Reference: https://www.virustotal.com/gui/file/000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee/detection # Reference: https://www.virustotal.com/gui/file/0e416e3cc1673d8fc3e7b2469e491c005152b9328515ea9bbd7cf96f1d23a99f/detection # Reference: https://www.virustotal.com/gui/file/e615ea30dd37644526060689544c1a1d263b6bb77fe3084aa7883669c1fde12f/detection # Reference: https://www.virustotal.com/gui/file/9a48357c06758217b3a99cdf4ab83263c04bdea98c347dd14b254cab6c81b13a/detection # Reference: https://www.virustotal.com/gui/file/534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433/detection # Reference: https://www.virustotal.com/gui/file/ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4/detection # Reference: https://www.virustotal.com/gui/file/47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30/detection # Reference: https://www.virustotal.com/gui/file/f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59/detection # Reference: 
https://www.virustotal.com/gui/file/5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541/detection # Reference: https://www.virustotal.com/gui/file/82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def/detection http://155.94.208.209 http://185.29.8.53 http://27.102.113.93 201.77.179.66:8082 micrsofts.tech tech.micrsofts.com tech.micrsofts.tech # Reference: https://www.virustotal.com/gui/ip-address/23.254.129.6/relations # Reference: https://app.validin.com/axon?source=DNS&type=ip&find=23.254.129.6 commoncome.site good.commoncome.site wideocean.run.place # Reference: https://twitter.com/karol_paciorek/status/1749376208477786172 http://173.249.5.112 # Reference: https://twitter.com/malwrhunterteam/status/1750492037936222291 # Reference: https://twitter.com/greglesnewich/status/1750500025346445609 # Reference: https://www.virustotal.com/gui/file/e05142f8375070d1ea25ed3a31404ca37b4e1ac88c26832682d8d2f9f4f6d0ae/detection fasttet.com # Reference: https://twitter.com/tiresearch1/status/1755176085610721337 # Reference: https://www.virustotal.com/gui/ip-address/217.20.117.39/relations continue-meeting.site drive-access.site home-continue.online home-proceed.online pannel-get-data.us ushrt.us join-room.meeting-online.site # Reference: https://twitter.com/h2jazi/status/1757798585611997236 # Reference: https://www.virustotal.com/gui/file/b557fa6a92e1ecd768aa723258cb453beb6597c583dbe76d8e82ffdf392f5932/detection franksweeklycall.com/wp-includes/html-api/class-wp-html-user.php # Reference: https://twitter.com/asdasd13asbz/status/1758054481957450034 # Reference: https://www.virustotal.com/gui/ip-address/35.167.150.110/relations elshaik.com/wp-content/plugins/elementor/core/editor/editor-ui.php ssoc.cl/wp-content/plugins/webmention/libraries/emoji-detector/src/Detector.php # Reference: https://twitter.com/malwrhunterteam/status/1764037492812943550 # Reference: 
https://www.virustotal.com/gui/file/0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7/detection # Reference: https://www.virustotal.com/gui/file/bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b/detection jdkgradle.com # Reference: https://twitter.com/malwrhunterteam/status/1769840338745659896 # Reference: https://www.virustotal.com/gui/file/09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38/detection mingeloem.com # Reference: https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/ http://145.232.235.222 # Reference: https://asec.ahnlab.com/en/63192/ 84.38.129.21:2222 84.38.129.21:5443 ourhome.o-r.kr mssrv.kro.kr privacy.hopto.org panda.ourhome.o-r.kr # Reference: https://asec.ahnlab.com/en/85400/ http://45.61.148.153 # Reference: https://twitter.com/1ZRR4H/status/1771912721031663841 # Reference: https://www.virustotal.com/gui/file/02d55193310ea19a4ce4c8a7f095c84b0511946d11a647e12758569292014882/detection http://91.92.248.50 91.92.248.50:445 the.earth.li/~sgtatham/putty/0.80/w64/ # Reference: https://twitter.com/dimitribest/status/1782609281897902426 # Reference: https://twitter.com/Cyberteam008/status/1782983614701162993 147.124.212.89:1244 147.124.214.129:1244 147.124.214.131:1244 147.124.214.237:1244 67.203.7.171:1244 67.203.7.245:1244 # Reference: https://twitter.com/tiresearch1/status/1784118099278741797 star-bucks.autos star-bucks.beauty star-bucks.boats star-bucks.bond star-bucks.cam star-bucks.cfd star-bucks.click star-bucks.com star-bucks.fun star-bucks.gay star-bucks.guru star-bucks.homes star-bucks.lol star-bucks.makeup star-bucks.mom star-bucks.motorcycles star-bucks.net star-bucks.pics star-bucks.quest star-bucks.rest star-bucks.sbs star-bucks.shop star-bucks.skin star-bucks.store star-bucks.tattoo star-bucks.today star-bucks.top star-bucks.xyz star-bucks.yachts starbuckscenter.autos starbuckscenter.beauty starbuckscenter.boats starbuckscenter.bond starbuckscenter.cam starbuckscenter.cfd 
starbuckscenter.click starbuckscenter.com starbuckscenter.fun starbuckscenter.gay starbuckscenter.guru starbuckscenter.homes starbuckscenter.life starbuckscenter.lol starbuckscenter.makeup starbuckscenter.mom starbuckscenter.motorcycles starbuckscenter.net starbuckscenter.pics starbuckscenter.quest starbuckscenter.rest starbuckscenter.sbs starbuckscenter.shop starbuckscenter.skin starbuckscenter.store starbuckscenter.tattoo starbuckscenter.today starbuckscenter.top starbuckscenter.xyz starbuckscenter.yachts starbucksevent.autos starbucksevent.beauty starbucksevent.boats starbucksevent.bond starbucksevent.cam starbucksevent.cfd starbucksevent.click starbucksevent.com starbucksevent.fun starbucksevent.gay starbucksevent.guru starbucksevent.homes starbucksevent.life starbucksevent.lol starbucksevent.makeup starbucksevent.mom starbucksevent.motorcycles starbucksevent.net starbucksevent.quest starbucksevent.rest starbucksevent.sbs starbucksevent.shop starbucksevent.skin starbucksevent.store starbucksevent.tattoo starbucksevent.today starbucksevent.top starbucksevent.xyz starbucksevent.yachts # Reference: https://app.validin.com/detail?type=ip&find=194.59.183.241#tab=resolutions starbucks-goodsitem.cfd starbucks-greenapron.lol starbucks-greenapronnft.click starbucks-odyssey.shop starbucks-support.store starbucksnft-service.xyz # Reference: https://app.validin.com/detail?find=45.86.230.189&type=ip4&ref_id=2dd37ed5db5#tab=resolutions 11stnft.click starbucks-greenapron.rest starbucks-greenaprons.cfd starbucks-newtech.bond starbucks-newtech.cfd starbucksgoodsnft.click starbucksgreenapron.bond starbucksnftservice.homes # Reference: https://twitter.com/MichalKoczwara/status/1785379113517154732 private-meet.online fenbushi.private-meet.online # Reference: https://twitter.com/MichalKoczwara/status/1787783113742885332 letsmeetnow.site regular-meeting.team ngc.regular-meeting.team fenbushi.regular-meeting.team # Reference: https://twitter.com/KseProso/status/1788114018722595188 # 
Reference: https://twitter.com/ValidinLLC/status/1788128803698450591 # Reference: https://x.com/tayvano_/status/1848785112101691511 # Reference: https://www.virustotal.com/gui/ip-address/104.168.157.45/relations biz-meeting.site cloudstore.business group-meeting.pro instant-patch.online online-meet.team online-meet.xyz online-meeting.co preconnection.online sky-meeting.com team-meeting.net voov-meeting.site abc.preconnection.online alpha.preconnection.online casteisland.sky-meeting.com casteisland.team-meeting.net support.cloudstore.business email.instant-patch.online emv1.group-meeting.pro emv1.preconnection.online emv1.private-meet.online hashkey.online-meet.team hashkey.online-meet.xyz liwoeson.online-meet.team ok.preconnection.online signum.group-meeting.pro support.group-meeting.pro support.online-meet.xyz waterdrip.group-meeting.pro # Reference: https://twitter.com/ValidinLLC/status/1788134423273034033 # Reference: https://www.virustotal.com/gui/ip-address/104.168.203.159/relations general-meeting.team private-meet.team private-meet.xyz emv1.general-meeting.team fenbushi.general-meeting.team fenbushi.private-meet.team ngc.private-meet.xyz support.general-meeting.team # Reference: https://mp.weixin.qq.com/s/84lUaNSGo4lhQlpnCVUHfQ # Reference: https://www.cert.si/tz016/ 147.124.212.146:1244 147.124.213.11:1244 147.124.213.29:1244 172.86.123.35:1244 172.86.97.80:1224 173.211.106.101:1244 173.211.106.101:1245 45.61.131.218:1245 91.92.120.135:3000 # Reference: https://x.com/dimitribest/status/1796191215626440908 # Reference: https://www.virustotal.com/gui/file/6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0/detection # Reference: https://www.virustotal.com/gui/file/01611aa9fe649335a7d813fa1693b9421d8585155351f3a696e8bfdcf45440d3/detection # Reference: https://www.virustotal.com/gui/file/70db987e2545cbc3e22bac0503f89f46a441cc9f206d0aa41d66b54f511638d6/detection 172.86.98.240:1224 # Reference: 
https://twitter.com/asdasd13asbz/status/1788848468947296398 67.203.7.245:21 # Reference: https://twitter.com/MichalKoczwara/status/1788980517812994267 # Reference: https://app.validin.com/detail?type=ip&find=104.168.203.161 regular-meeting.site regular-meeting.xyz ngc.regular-meeting.site # Reference: https://app.validin.com/detail?find=regular-meeting.online&type=dom#tab=resolutions regular-meeting.online # Reference: https://app.validin.com/detail?find=regular-meeting.pro&type=dom#tab=resolutions regular-meeting.pro # Reference: https://x.com/banthisguy9349/status/1795545335164490137 # Reference: https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/ bestonlinefilmstudio.org ccwaterfall.com defitankzone.com detankwar.com freenet-zhilly.org matrixane.com pointdnt.com starglowventures.com # Reference: https://raw.githubusercontent.com/0xKoda/ioc-public/main/ioc.json ld-digitaal.com tiktoks.bio yayachuhai.top long.waitingfor.cfd us13.yayachuhai.top # Reference: https://checkmarx.com/blog/a-new-north-korean-group-emerges-disrupting-the-open-source-ecosystem/ cryptopriceoffer.com # Reference: https://x.com/MichalKoczwara/status/1812580245645766928 # Reference: https://www.validin.com/blog/hunting-lazarus-dns-history-host-responses/ # Reference: https://www.virustotal.com/gui/ip-address/104.168.157.45/relations alwayswelcome.online docsend.online docsend.site docsend.store dropfile.cloud dropfile.online general-meet.online general-meet.site general-meet.team group-meet.online group-meet.site group-meet.team internal-meet.online internal-meet.team internal-meet.xyz live-meeting.world meet-safe.online meeting-central.online meeting-hub.online meeting-pro.online meetup-zone.online online-meeting.community online-meeting.social regular-meet.online regular-meet.site regular-meet.team room-connect.online roomconnect.online video-meet.site virtual-collab.online 7xvc.roomconnect.online 
abc.roomconnect.online beta.preconnection.online http-qjhndbrw.roomconnect.online https-qjhndbrw.roomconnect.online xkbaaalpha.preconnection.online # Reference: https://x.com/malwrhunterteam/status/1812792291876119034 # Reference: https://objective-see.org/blog/blog_0x7A.html # Reference: https://www.virustotal.com/gui/file/9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c/detection 95.164.17.24:1224 mirotalk.net # Reference: https://x.com/dimitribest/status/1815789250656301211 # Reference: https://search.censys.io/search?q=services.http.response.headers%3A+%28key%3A+%60ETag%60+and+value.headers%3A+%60W%2F%2286b-1886de13223%22%60%29&resource=hosts 67.203.7.163:1244 # Reference: https://www.virustotal.com/gui/ip-address/23.254.244.242/relations # Reference: https://search.censys.io/search?q=services.http.response.headers%3A+%28key%3A+%60ETag%60+and+value.headers%3A+%60W%2F%22841-18e75d61ccb%22%60%29&resource=hosts 23.254.244.242:3000 coupang-marketing.rest coupang-sales.rest starbucks-services.cyou # Reference: https://www.virustotal.com/gui/ip-address/192.236.233.51/relations starbucksservice.homes yourstabrucks.monster # Reference: https://www.virustotal.com/gui/ip-address/192.119.81.146/relations starbucksfirst.icu # Reference: https://www.virustotal.com/gui/ip-address/104.168.237.182/relations coca-cola.bond starbucks-corp.art # Reference: https://search.censys.io/search?q=services.http.response.html_tags%3D%22%3Ctitle%3ENode.js+upload+multiple+files%3C%2Ftitle%3E%22&resource=hosts http://143.198.48.95 143.198.48.95:22 143.198.48.95:443 # Reference: https://x.com/h2jazi/status/1818715043800006982 # Reference: https://www.virustotal.com/gui/file/f7559f6d4346f412c2c4ea18363efba3075345b7533af9964298803ffe75f919/detection # Reference: https://www.virustotal.com/gui/file/dd038040283793c67cd50252fb9ef20eb07e2f36d284f70cb2340e501dcb99d7/detection honehsn.com # Reference: https://x.com/JangPr0/status/1818787100130787428 # Reference: 
https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/ 166.88.132.114:8000 77.37.37.81:1244 77.37.37.81:8000 ztec.store de.ztec.store # Reference: https://www.virustotal.com/gui/file/e90cedfce785b0f1ed30661914a0c169edf8ccb039cd722fec7fd5a85a3e99ad/detection 185.208.158.203:5555 # Reference: https://x.com/malwrhunterteam/status/1820375076312604830 # Reference: https://www.virustotal.com/gui/file/1ab4af3bb2a343e9bc29e177aebe7d175a6b8af317ee3a8527271ed41148212e/detection # Reference: https://www.virustotal.com/gui/file/3ac93cd715dc191464703b988ba1d72d4bd97836bcddea9a653232fd57facf00/detection 185.208.158.203:8080 # Reference: https://x.com/MichalKoczwara/status/1826162083332829323 # Reference: https://www.virustotal.com/gui/ip-address/104.168.165.173/relations cloud-storage.world ryzelabs.net meet.ryzelabs.net 7xvc.virtual-collab.online dragonfly.virtual-collab.online support.virtual-collab.online technical-support.virtual-collab.online # Reference: https://x.com/Merlax_/status/1826417594766651777 # Reference: https://www.virustotal.com/gui/file/8a23dd86da0aff9b460b8ebc9dd3e891d44ea0183ace4f5d28a7e4ddab47664a/detection # Reference: https://www.virustotal.com/gui/file/a87b6664b718a9985267f9670e10339372419b320aa3d3da350f9f71dff35dd1/detection http://45.140.147.208 45.140.147.208:53421 45.140.147.208:53422 # Reference: https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/ # Reference: https://app.validin.com/detail?find=167.88.36.13&type=ip4&ref_id=545b0c93f1c#tab=resolutions # Reference: https://app.validin.com/detail?type=ip&find=45.61.158.14#tab=resolutions ipcheck.cloud regioncheck.net repohost.online support-pishgam.site # Reference: https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/ # Reference: 
https://app.validin.com/detail?find=185.135.84.58&type=ip4&ref_id=5a6b4dd9f9e#tab=resolutions voyagorclub.space weinsteinfrog.com # Reference: https://www.group-ib.com/blog/apt-lazarus-python-scripts/ # Reference: https://www.virustotal.com/gui/file/7165aa2157b7cb4e20a0ed68b26a2b9c6957ae370d6bcb58918efb47b595744f/detection # Reference: https://www.virustotal.com/gui/file/1ef484513c027ccc747a88777559f96018e2b5cad830025911f0786e24d491f3/detection 23.106.253.194:1244 freeconference.io /brow/N3RFYU07 /payload/N3RFYU07 /N3RFYU07 # Reference: https://x.com/MichalKoczwara/status/1833241777374900497 # Reference: https://x.com/MichalKoczwara/status/1853481507848908950 # Reference: https://www.virustotal.com/gui/ip-address/104.168.165.165/relations 7xvc.meeting-central.online 7xvc.meeting-zone.online abc.meeting-central.online abc.meeting-zone.online access.support.general-meet.site admin.alwayswelcome.online admin.general-meet.site admin.meeting-central.online admin.meeting-zone.online admin.support.general-meet.site affiliate.support.general-meet.site ann.support.general-meet.site api.alwayswelcome.online api.general-meet.site api.meeting-zone.online apollo.support.general-meet.site app.alwayswelcome.online app.meeting-zone.online backed.general-meet.site backend.alwayswelcome.online backend.meeting-zone.online demo.alwayswelcome.online dev.alwayswelcome.online dev.general-meet.site dev.meeting-zone.online emv1.alwayswelcome.online emv1.group-meet.online emv1.group-meet.site foundationcap.regular-meet.team hack-vc.video-meets.site hack-vc.video-meets.xyz invoicez.xyz longhash.general-meet.site longhash.video-meets.online mail1.fuchuangonline.com meeting-zone.online metaschool.video-meets.online newfromjune.xyz ngc.regular-meet.site online-meets.site online-meets.xyz staging.alwayswelcome.online staging.meeting-zone.online support.general-meet.site support.meeting-zone.online support.regular-meet.online support.regular-meet.team support.video-meet.site 
support.video-meets.online support.video-meets.site video-meets.online video-meets.pro video-meets.site video-meets.team video-meets.xyz # Reference: https://www.elastic.co/security-labs/dprk-code-of-conduct # Reference: https://app.validin.com/detail?find=92e6a5d3a7f7f2cf909fa50522b44b4d33719202db005383be611a2e68a3d5b3&type=hash&ref_id=77a108e8213#tab=host_pairs_v2 # Reference: https://www.virustotal.com/gui/file/6779f9b40beaf172950372303d89452358403189d236c5856d305ded2e82a15f/detection akamaitechnologies.online ceinbase.com cienbase.com ceionbase.com coinblase.com coinbrase.com login.ceionbase.com loading-coinbase.com accounts.ceinbase.com links.ceinbase.com login.ceinbase.com login.coinblase.com login.coinbrase.com # Reference: https://app.validin.com/detail?find=45.32.90.176&type=ip4&ref_id=d162d0bbffd#tab=resolutions cicoinbase.com cobinase.com cobinbase.com coinbalse.com coinibrase.com coininbase.com eoinbase.com login.cicoinbase.com login.cobinase.com login.cobinbase.com login.coinbalse.com login.coinibrase.com login.coininbase.com mail.eoinbase.com # Reference: https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/ # Reference: https://www.virustotal.com/gui/file/f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703/detection rgedist.com talesseries.com # Reference: https://x.com/eastside_nci/status/1836605224020033548 # Reference: https://search.censys.io/hosts/45.61.128.122 caladangroup.xyz selinicapital.online selinicapital.xyz sellinicapital.com meet.caladangroup.xyz meet.selinicapital.online meet.selinicapital.xyz meeting.sellinicapital.com # Reference: https://x.com/P4nd3m1cb0y/status/1841829124404343223 23.106.253.221:1224 # Reference: https://x.com/MichalKoczwara/status/1843725315664912877 # Reference: https://www.virustotal.com/gui/ip-address/104.168.165.203/relations 2daojnjnp666jla6.dropfile.online 8190ocvswfyd57v5.docsend.online ade.dropfile.online admin.chrome-browser.cloud admin.docsend.online 
admin.docsend.site admin.dropfile.online analytic.dropfile.online api.chrome-browser.cloud api.docsend.site api.docsend.store api.dropfile.cloud api.dropfile.online app.docsend.site app.dropfile.cloud app.dropfile.online argoworkflow.chrome-browser.cloud asl.dropfile.online auth.dropfile.online authsmtp.dropfile.online ayr.dropfile.online bac.dropfile.online backed.docsend.site backend.chrome-browser.cloud backend.docsend.site backend.dropfile.cloud backend.dropfile.online blo.dropfile.online bon.dropfile.online bot.dropfile.online bqersape.dropfile.online chrome-browser.cloud coz.dropfile.online cro.dropfile.online dag.dropfile.online day.dropfile.online dc-aeea9bdbc87b.dropfile.online demo.chrome-browser.cloud demo.docsend.site demo.docsend.store demo.dropfile.online dev.chrome-browser.cloud dev.docsend.site dev.docsend.store dev.dropfile.online dip.dropfile.online drive.chrome-browser.cloud eli.dropfile.online elm.dropfile.online email.dropfile.online emv1.chrome-browser.cloud emv1.dropfile.cloud emv1.dropfile.online eon.dropfile.online exchange.dropfile.online flow.dropfile.online fob.dropfile.online fog.dropfile.online ftp.dropfile.online fw.docsend.online gen.dropfile.online iao.dropfile.online iba.dropfile.online ice.dropfile.online ich.dropfile.online imap.dropfile.online imap1.dropfile.online kuadyhfnejh.meeting-hub.online lad.dropfile.online lam.dropfile.online lei.dropfile.online liymgdc-aeea9bdbc87b.dropfile.online liz.dropfile.online llm.docsend.online login.docsend.online m.docsend.online m.dropfile.online mail.dropfile.online mail1.dropfile.online mail2.dropfile.online mailer.dropfile.online mailgate.dropfile.online mailgw.dropfile.online mailhost.dropfile.online mailin.dropfile.online mailout.dropfile.online mailserver.dropfile.online mailx.dropfile.online mx.dropfile.online mx2.dropfile.online ns.dropfile.online ns1.dropfile.online ns2.dropfile.online pop.dropfile.online pop3.dropfile.online post.dropfile.online postmaster.dropfile.online 
qeiukdemo.docsend.store relay.dropfile.online remote.dropfile.online secure.dropfile.online server.dropfile.online smtp.dropfile.online smtp1.dropfile.online smtp2.dropfile.online smtpauth.dropfile.online smtps.dropfile.online spam.dropfile.online staging.chrome-browser.cloud staging.docsend.site staging.docsend.store staging.dropfile.online support.docsend.site upport.docsend.site web-conference.xyz webmail.dropfile.online ww25.ann.dropfile.online ww25.dit.dropfile.online ww25.dropfile.online ww25.eli.dropfile.online ww25.lad.dropfile.online ww38.asl.dropfile.online ww38.bed.dropfile.online ww38.dropfile.online ww38.gen.dropfile.online ww38.lei.dropfile.online www1.docsend.online www1.dropfile.online www2.dropfile.online xyy.dropfile.online ygpsabacked.docsend.site # Reference: https://x.com/MichalKoczwara/status/1844302222911476079 # Reference: https://x.com/ishivtripathi/status/1844313316241645886 185.235.241.208:1224 23.106.253.215:1244 23.106.253.221:1244 23.106.253.242:1244 23.106.70.154:1244 45.137.213.30:1224 # Reference: https://x.com/80vul/status/1844345021627236578 # Reference: https://www.zoomeye.hk/searchResult?q=%22%3Ctitle%3ENode.js+upload+multiple+files%3C%2Ftitle%3E%22&page=1&pageSize=50 123.21.4.30:3000 13.126.148.192:3000 13.76.169.115:3000 142.11.210.175:3000 149.28.137.173:7001 149.40.62.82:3000 159.93.36.174:8444 159.93.36.84:8444 195.154.173.4:3000 23.106.253.209:1244 35.188.212.32:3000 35.219.62.75:3001 45.61.169.99:3000 45.76.154.181:3000 52.187.130.188:3000 # Reference: https://x.com/blackorbird/status/1848262847689887757 # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/lazarus/2024-10-14%20Lazarus%20InvisibleFerret.pdf # Reference: https://search.censys.io/hosts/95.164.7.171 95.164.17.24:2249 95.164.7.171:1244 95.164.7.171:2249 95.164.7.171:445 privatepool.store ba5827bf4e00.privatepool.store # Reference: https://x.com/blackorbird/status/1848563899064586701 # Reference: 
https://www.esentire.com/blog/bored-beavertail-yacht-club-a-lazarus-lure # Reference: https://github.com/eSentire/iocs/blob/main/Lazarus/lazarus_iocs_10-15-2024.txt 167.88.168.152:1224 69.43.130.141:3000 69.43.130.153:3000 # Reference: https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/ # Reference: https://www.virustotal.com/gui/ip-address/45.61.132.114/relations detankzone.com api.detankzone.com app.detankzone.com # Reference: https://x.com/blackorbird/status/1853724721520775677 # Reference: https://github.com/ThreatLabz/iocs/blob/main/contagiousinterview/c2s.txt w3capi.marketing payloadrpc.com # Reference: https://x.com/P4nd3m1cb0y/status/1856123619417428061 # Reference: https://x.com/P4nd3m1cb0y/status/1856520422583353696 # Reference: https://x.com/DaveLikesMalwre/status/1866981595111895209 147.124.197.138:1244 147.124.197.149:1244 165.140.86.227:1244 38.92.47.151:1244 38.92.47.85:1244 38.92.47.91:1244 45.43.11.201:1244 66.235.168.232:1244 66.235.168.238:1244 86.104.74.51:1224 # Reference: https://x.com/TLP_R3D/status/1856645765185110265 # Reference: https://x.com/TLP_R3D/status/1856648392295797009 # Reference: https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/ # Reference: https://hunt.io/blog/suspected-north-korean-hackers-target-blockchain-community-via-telegram big-typl.online civ.team-meeting.net dun.wndlwndmfe.xyz eosszzc.hateoo.space hateoo.space internal-meeting.site mail.big-typl.online mouradvps43hostwin.online ns1.big-typl.online paycount.webbs-information.login.udaviemayas.com private-meeting.site ryzelabs.private-meeting.site secure.paycount.webbs-information.login.udaviemayas.com suntcijm.mouradvps43hostwin.online support.internal-meeting.site udaviemayas.com webbs-information.login.udaviemayas.com # Reference: https://x.com/lontze7/status/1856611739166470347 # Reference: https://x.com/MichalKoczwara/status/1856633769668616614 # Reference: https://x.com/LPX_404/status/1860977091690615172 # Reference: 
https://x.com/_eremit4/status/1856707514936492089 # Reference: https://x.com/ValidinLLC/status/1861021649522348124 # Reference: https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.jarm.fingerprint%3A+2ad2ad0002ad2ad00042d42d00000000f78d2dc0ce6e5bbc5b8149a4872356+AND+%22hwc-hwp-7982830%22 104.168.157.45:3389 104.168.157.45:443 104.168.165.165:3389 104.168.165.165:443 104.168.165.173:3389 104.168.165.173:443 104.168.165.203:3389 104.168.165.203:443 104.168.203.159:3389 104.168.203.159:443 23.254.244.248:3389 23.254.244.248:443 23.254.247.32:3389 23.254.247.32:443 23.254.247.53:3389 23.254.247.53:443 a.videotalks.site admin.drop-box.store app.drop-box.store b.videotalks.site backend.drop-box.store comma3.videotalks.online conference-go.online demo.drop-box.store drop-box.info drop-box.store emv1.videotalks.online leavetecs.online meet-client.online ns2.videotalks.online ollie.videotalks.online online-meets.online online-meets.pro room-meeting.xyz support.videotalks.online videotalks.online videotalks.site web-meet.online insights.online-meets.pro # Reference: https://x.com/1ZRR4H/status/1856985633153053060 castleisland.sky-meeting.com comma3.biz-meeting.site dragonfly.cloudstore.business # Reference: https://x.com/asdasd13asbz/status/1859467358013895092 # Reference: https://x.com/asdasd13asbz/status/1859512243471446165 # Reference: https://www.nccgroup.com/es/research-blog/north-korea-s-lazarus-their-initial-access-trade-craft-using-social-media-and-social-engineering/ global-job.org ics-kr.com/video/player.php manhotline.or.kr/data/member/search.php # Reference: https://x.com/malwrhunterteam/status/1860965771242864867 # Reference: https://app.validin.com/detail?find=51.79.133.76&type=ip4&ref_id=e843c726398#tab=resolutions # Reference: 
https://app.validin.com/detail?find=%3A%3A%22og%3Atitle%22%3A%3A%22SITUS%20SLOT%20DEPO%2010K%20%F0%9F%92%8E%20Situs%20Viral%20Minimal%20DP%2010.000%20Gampang%20Menang%22&type=raw&ref_id=92eff97ba42#tab=host_pairs # Reference: https://www.virustotal.com/gui/file/2727e1775588fee0f9e6d69460338cb526a8d0bb34c5d9df6e4609d1b3d56386/detection internal-meeting.cyou safe-meeting.site situsslotdepo10k.org # Reference: https://app.validin.com/detail?find=195.133.88.31&type=ip4&ref_id=24685dca12a#tab=resolutions h34fdfbm.store essendantdock.online # Reference: https://app.validin.com/detail?type=ip&find=45.11.181.47#tab=resolutions m-omeets.online m-teams.live mo-events.online # Reference: https://app.validin.com/detail?type=ip&find=67.43.234.98#tab=resolutions salessgroupss.live ns1.salessgroupss.live ns2.salessgroupss.live # Reference: https://app.validin.com/detail?type=ip&find=94.247.42.70#tab=resolutions 247l.net dldoc.net fmi-link.info greenroad.top greenways.shop racksuphde.xyz rtupdates.net # Reference: https://app.validin.com/detail?find=wassmestaazh.pro&type=raw&ref_id=22540801568#tab=host_pairs (# 2024-12-10) avillionrabbitry.com bizsupport365.com bobshields.com contentverge.com etoffcoinbase.com gnxcepro.com gwmspacegpt.com haifeizhang.com luosongs.shop marketplacepcai.com momentumspace.top nd6u0.asia ns2.bizsupport365.com ns2.contentverge.com quonexa.com reddish-dawn.store sandwich-factory.buzz sdhsdfhsd.com serversnoti.com soar.vip sssaaaafdafa.top wassmestaazh.pro yayun88.one # Reference: https://x.com/dimitribest/status/1869572308178010492 # Reference: https://www.virustotal.com/gui/file/56a666601e66a01cc8dcb53a470d9ea092633c76197cd13919c7749e51ebccbc/detection atokyonews.com # Reference: https://x.com/AzakaSekai_/status/1871118429501128863 # Reference: https://search.censys.io/hosts/67.203.7.209/data/table#1244-TCP-HTTP # Reference: https://search.censys.io/search?q=services.http.response.html_title%3D%22Node.js+upload+multiple+files%22&resource=hosts (# 
2024-12-23) 147.124.212.125:1244 67.203.7.200:1244 67.203.7.209:1244 66.235.175.109:1244 /bro/gbNsNg6 /payl/gbNsNg6 /gbNsNg6 # Reference: https://x.com/AzakaSekai_/status/1871960523698545069 # Reference: https://www.virustotal.com/gui/file/672757d8ead192ea797570b0bc25a07cd0e6424af7819bd6bab33f49a304f6bf/detection # Reference: https://www.virustotal.com/gui/file/8637fb723054087f42c0ba93b4528588adc4954a077dc0860912bbfbcbdd8013/detection http://108.181.185.2 108.181.185.2:23 108.181.185.2:443 108.181.185.2:5001 /adc/empOQO /payload/empOQO # Reference: https://jp.security.ntt/tech_blog/contagious-interview-ottercookie # Reference: https://app.validin.com/detail?find=135.181.163.182&type=ip4&ref_id=9058ba7500b#tab=resolutions # Reference: https://app.validin.com/detail?find=65.21.19.33&type=ip4&ref_id=9058ba7500b#tab=resolutions 45.128.52.14:1224 blastapi.org zkservice.cloud ethereum.blastapi.org # Reference: https://x.com/dimitribest/status/1872743641166606737 # Reference: https://x.com/dimitribest/status/1873003988536230241 # Reference: https://www.virustotal.com/gui/file/1fa62f29313e55ee1bca18820d2f1ca3aaecf438a137a67106d413c655004f0e/detection # Reference: https://www.virustotal.com/gui/file/aee26c1ac2cbb598bd2ed4747e58efe68de20cb4c6cf5863c1a9dcf33dc6aae9/detection 5.253.43.122:1224 5.253.43.122:5346 95.164.17.24:5346 # Reference: https://x.com/tayvano_/status/1872980013542457802 # Reference: https://x.com/dimitribest/status/1873024742690857009 # Reference: https://x.com/StrikeReadyLabs/status/1873182889128673422 # Reference: https://x.com/StrikeReadyLabs/status/1873388149566747069 # Reference: https://x.com/banthisguy9349/status/1873329177312875005 # Reference: https://x.com/G60930953/status/1876050261023875128 # Reference: https://dmpdump.github.io/posts/NorthKorea_Backdoor_Stealer/ # Reference: https://www.virustotal.com/gui/ip-address/162.254.39.9/relations # Reference: 
https://www.virustotal.com/gui/file/a803c043e12a5dac467fae092b75aa08b461b8e9dd4c769cea375ff87287a361/detection camera-drive.cloud imoda.site nvidia-cloud.online nvidia-drive.cloud nvidia-release.cloud nvidia-release.org nvidia-release.us api.camera-drive.cloud api.imoda.site api.nvidia-cloud.online api.nvidia-drive.cloud api.nvidia-release.cloud api.nvidia-release.org api.nvidia-release.us # Reference: https://x.com/banthisguy9349/status/1873348678540493273 hyphen-connect.com # Reference: https://x.com/banthisguy9349/status/1873338361928466759 # Reference: https://x.com/dimitribest/status/1873367811822903765 # Reference: https://x.com/L0Psec/status/2020850377801781319 # Reference: https://www.virustotal.com/gui/file/d05f805d172583f1436eac2cfddcc5413ef6be0b37eda98ebca0cb0cfae8ad9e/detection # Reference: https://www.virustotal.com/gui/file/bdad5b5e2f92a70036958b9ba27705231c0d22f2dc0b7ffcf1bc1006902b791c/detection 173.211.46.37:8080 216.74.123.191:22 216.74.123.191:3001 216.74.123.191:8080 cleverbiz.us jz-aws.info api.cleverbiz.us api.jz-aws.info # Reference: https://x.com/tayvano_/status/1872980013542457802 # Reference: https://x.com/MichalKoczwara/status/1878451947734204660 # Reference: https://app.validin.com/detail?find=190.97.166.164&type=ip4&ref_id=ce0a2dc7d44#tab=resolutions # Reference: https://www.virustotal.com/gui/ip-address/193.242.184.2/relations # Reference: https://www.virustotal.com/gui/ip-address/91.222.173.30/relations # Reference: https://app.validin.com/detail?find=%3A%3A%22og%3Adescription%22%3A%22description%22%3A%22Willo%20is%20a%20platform%20for%20structured%2C%20asynchronous%2C%20video%20creation%20and%20sharing.%20We%20help%20organisations%20everywhere%20discover%20and%20connect%20with%20more%20people.%22&type=raw&ref_id=a33de82ac6e#tab=host_pairs (# 2024-12-28) atdfinancial.com blockchain-assess.com blockchain-checkup.com blockchain-talent-search.com blockchainrecruitment360.com careerinterview360.com complexassess.com complexassessment.com 
crypto-assess.com crypto-assessment.com decentscrippts.com digitpotalent.com distscrippts.com elitewholetalent.com easyinterview360.com fundcandidates.com gethirednow.org helpdeskassistance.org hiring-interview.com hiringinterview.org hiringtalent.pro insight-interview.com insightquestion.com interview-talent.com interviewhub.org interviewnest.org intervu-talent.pro intro-crypto-assess.com jobinterview360.com jobinterviewguide.org primestacks.org questionnairehq.com quickhire360.com quickhiretest.com quickinterview360.com quickskillup.us skilluplifestylehub.com quickvidintro.com screenquestion.com screenquestions.com skill-share.org skillmasteryhub.org smarthiretop.online talentassesspro.com talentcompetency.com talentvideopro.com talentview360.com test29292.com topinnomastertech.com videoforrecruitment.com videorecruitpro.com videoscreening.org vidintroexam.com vinterview.org wholecryptoloom.com wiilotalent.com wilio-talent.net willo-interview.us willo-video.com willoassess.com willoassess.net willoassess.org willoassessment.com willocandidate.com willohire.com willohiring.com willointerview.com willomexcvip.us willorecruit.com willotalant.com willotalent.pro willotalent.us willotalent.xyz willotalentes.com willotalents.org wilo-talent.com winterviews.net winyourrole.com workwizards.org wtalents.in wtalents.info wtalents.us api.willoassessment.com app.blockchain-assess.com app.blockchain-checkup.com app.crypto-assessment.com app.hiring-interview.com app.hiringinterview.org app.hiringtalent.pro app.interviewnest.org app.quickvidintro.com app.skill-share.org app.videoforrecruitment.com app.videoscreening.org app.vidintroexam.com app.vinterview.org app.willo-interview.us app.willoassess.com app.willoassessment.com app.willocandidate.com app.willohiring.com app.willomexcvip.us app.willorecruit.com app.willotalant.com app.willotalent.pro app.willotalent.us app.willotalent.xyz app.willotalentes.com app.willotalents.org app.wilo-talent.com app.wtalents.us 
consensys.willoassessment.com final.hiringtalent.pro frontend-dev-bnp.pages.dev frontend-eu1.pages.dev frontend-staging-egw.pages.dev frontend-us1.pages.dev gemini.crypto-assessment.com gemini.willoassess.com gemini.willohiring.com geminiskill.willoassessment.com hiring.willoassessment.com holi.intervu-talent.pro mail.crypto-assess.com mail.digitpotalent.com mail.gethirednow.org mail.interviewhub.org robinhood.interview.org robinhood.intro-crypto-assess.com talent.willo-interview.us vid.blockchain-assess.com vid.intro-crypto-assess.com vid.willoassess.com web.videoscreening.org werhiring.willomexcvip.us # Reference: https://x.com/banthisguy9349/status/1873358841053949966 # Reference: https://urlscan.io/search/#hash%3A6b7038bab8c410aeb6714e1d98d609a61b6dc3e418a6b5c74a17f2d6d6cb4aaf willohiringtalent.org app.willohiringtalent.org cpanel.wtalents.us d12rlkj8v5mwse.cloudfront.net d1yzmjg018adwf.cloudfront.net d20zx0lguyxj2p.cloudfront.net d3o9p0hkd7eul5.cloudfront.net dal-shared-22.hostwindsdns.com dal-shared-25.hostwindsdns.com dal-shared-37.hostwindsdns.com gemini.willohiringtalent.org mail.willomexcvip.us mail.wtalents.us sea-shared-10.hostwindsdns.com # Reference: https://x.com/lazarusholic/status/1873360845939621945 # Reference: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505438&idx=1&sn=cf1947c7af6581f4a66460ae6d14dc2f # Reference: https://www.virustotal.com/gui/file/33be1a646e5ed46aa707455637e2116715592d1ef63feafb0fd2f66c872a634d/detection cryptocopedia.com # Reference: https://www.virustotal.com/gui/file/78b845050c78daf92ed44f7928d8755cc6b4773bd774409a21b09b5a4dd7ddf1/detection # Reference: https://www.virustotal.com/gui/file/76cb3de448bdbd761beb917eed0d71c058db643fca6a37f7bbf00afbcec9d22d/detection # Reference: https://www.virustotal.com/gui/file/68725d4cbc05d8e344addd27c3d831a62faa7860042ed5dbef55b12ad6fbe4b8/detection 37.221.126.117:5000 lianxinxiao.com # Reference: https://search.censys.io/hosts/216.173.115.200/data/table#1244-TCP-UNKNOWN 
216.173.115.200:1244 # Reference: https://search.censys.io/hosts/95.179.135.133 95.179.135.133:1244 # Reference: https://x.com/banthisguy9349/status/1873358841053949966 # Reference: https://urlscan.io/search/#hash%3A6b7038bab8c410aeb6714e1d98d609a61b6dc3e418a6b5c74a17f2d6d6cb4aaf /video-questions/create/531fbaedf67046d6904478f15d3e7142 # Reference: https://x.com/StrikeReadyLabs/status/1878822875081372108 # Reference: https://www.virustotal.com/gui/ip-address/54.39.128.125/relations digitptalent.com camera-drive.org api.camera-drive.org # Reference: https://x.com/cyber__sloth/status/1879848914230374457 # Reference: https://search.censys.io/hosts/185.153.182.241/data/table#1224-TCP-HTTP 185.153.182.241:1224 # Reference: https://x.com/ValidinLLC/status/1879884999652229588 # Reference: https://www.validin.com/blog/inoculating_contagious_interview_with_validin/ # Reference: https://app.validin.com/detail?find=23.254.244.74&type=ip4&ref_id=263630d721d#tab=resolutions willocandidates.com willovideorec.com # Reference: https://x.com/StrikeReadyLabs/status/1880368325047521678 # Reference: https://www.virustotal.com/gui/ip-address/199.188.200.35/relations drive-release.cloud api.drive-release.cloud # Reference: https://x.com/TLP_R3D/status/1881385663897231704 # Reference: https://www.virustotal.com/gui/ip-address/91.222.173.108/relations # Reference: https://app.validin.com/detail?find=Crypto%20Ledger&type=raw&ref_id=fb1de658046#tab=host_pairs (# 2025-01-20) ledgep.net ledgemail.net support-ledger.net mail.support-ledger.net # Reference: https://x.com/RexorVc0/status/1881973724712452577 # Reference: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505519&idx=1&sn=594229f2c0123673d1fa9c6cf729858b&chksm=f9c1e566ceb66c701d875de8481fe02d89654d4b56cfc51088de6e421cb701437cdab52a0851&scene=178&cur_album_id=1955835290309230595 138.201.199.46:1224 # Reference: https://x.com/dyingbreeds_/status/1881986240020709401 94.131.9.32:1224 94.232.247.192:1224 # Reference: 
https://x.com/smica83/status/1883855708963442892 # Reference: https://www.virustotal.com/gui/file/6744ca5d49833c9b90aee0f3be39d28dec94579b028b05c647354ec5e1ab53e1/detection # Reference: https://www.virustotal.com/gui/file/875b0cbad25e04a255b13f86ba361b58453b6f3c5cc11aca2db573c656e64e24/detection # Reference: https://www.virustotal.com/gui/file/d0a41dfe8f5b5c8ba6a5d0bdc3754543210ec2d36290564d9a774e9d22e3ad97/detection # Reference: https://www.virustotal.com/gui/file/dd9607913e9c422d6dcf2e8d11be71afbc76f761c8208f76f6ed80a0efa75255/detection addfriend.kr/board/userfiles/temp/index.html # Reference: https://x.com/eastside_nci/status/1884354415387365458 # Reference: https://www.virustotal.com/gui/file/efd555e779a25e1be16e594866d4cb758b078ae336b589421c3b9f676cd2ef5d/detection # Reference: https://www.virustotal.com/gui/file/c4b8ac6b919c61315a3ed47ee5e2839813a6e87888e4bb518f916d4582bbf6b4/detection # Reference: https://www.virustotal.com/gui/file/4b2b157041e8bbeace43320ec93a4206daa9818a6406279999636b2fbc3d08c9/detection # Reference: https://www.virustotal.com/gui/file/4a6b7409d79e51113e88c1e62c7f5bad55e5c27a19d0b986b9347c4869233893/detection # Reference: https://www.virustotal.com/gui/file/3fb46ed9876d5f3a0aaa57a3726a574fa7e3626f16c86dea685cbf63d721f3ce/detection # Reference: https://www.virustotal.com/gui/file/05d7113cd17ee12b26c772716d3370dc0f0fa3c7f996d25d516d22b45b68a43e/detection # Reference: https://www.virustotal.com/gui/file/0e3b1ad900604f0f27bcf718592beb50a7ace9af6b7d9c1439a416647e47dd7b/detection 45.59.163.56:1244 5.135.5.48:1244 95.179.135.133:1245 /bro/ugDtMe1 /payl/ugDtMe1 /bro/ZU1RIOk9 /payl/ZU1RIOk9 /bro/ZU1WJVq1 /payl/ZU1WJVq1 # Reference: https://x.com/lazarusholic/status/1885289504401142011 # Reference: https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package http://91.92.120.132 # Reference: https://sourcecodered.com/malicious-arcus-npm-package/ # Reference: 
https://www.linkedin.com/feed/update/urn:li:activity:7290126497732837378/ # Reference: https://www.virustotal.com/gui/ip-address/195.250.29.94/relations # Reference: https://tria.ge/250124-1k3bxs1paj/behavioral2 # Reference: https://www.virustotal.com/gui/file/d390d23d6d96f105de24e85ecd4d2d2d2379bb565ca7cc3923c604518b6a97fa/detection # Reference: https://www.virustotal.com/gui/file/9efd70e4bbf658dc374594d8c1251810a954ffa7ccc7155abc1a831c77f9fb6b/detection # Reference: https://www.virustotal.com/gui/file/7b5843c32b8ee8ac3a54b6c09bff6d67140e74e548b4b31e7c3c5e35ba4341dc/detection # Reference: https://www.virustotal.com/gui/file/6a0ed1976dd871000ab3dad9228e7e8df01df77d17ba4f50fa210d409200d437/detection # Reference: https://www.virustotal.com/gui/file/56655ea5ba27f14b860bac62c37e4c45940908e8a45d7c2a6117ce9951baf10d/detection # Reference: https://www.virustotal.com/gui/file/0463351dc7858ac1f9038c4c2bf27a1977f462ac0e4a494b7c51f1c8005e0587/detection http://195.250.29.94 195.250.29.94:1337 195.250.29.94:3001 # Reference: https://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/ # Reference: https://www.virustotal.com/gui/file/cd6e548b085eaaee31b260489c932088f1ea58390bccce54b546cba9e8dca228/detection bsc-dash.us callapp.us callservice.us infuy.us linkedinservice.us versus-dash.us versus-x.us versusx.us zoom.callapp.us zoom.callservice.us # Reference: https://x.com/_notdodo_/status/1888867769006850395 # Reference: https://www.virustotal.com/gui/file/1cd0ce9ce247b8cabe491515dcd70f5b23209ec08c1a7f80ee9663c946e6365c/detection 67.203.7.205:1244 45.59.163.55:1244 # Reference: https://x.com/solostalking/status/1889307324453625988 # Reference: https://www.virustotal.com/gui/ip-address/147.45.167.128/relations candy-pdf.com myqr-generator.com pdf-candy.com pdftool25.com # Reference: https://x.com/abuse_ch/status/1889398273376424103 # Reference: 
https://app.validin.com/detail?find=d590539b3bdf826ec5f7ce7be46d7dcb&type=hash&ref_id=8e7c052fd41#tab=host_pairs (# 2025-02-11) checknewversion.com express--vpn.com hwsrv-1091010.hostwindsdns.com meetingzoom.org nv-onlines.info runningcloudx.com secfilecert.com sunbutterfly.meme wallpaper-flare.com # Reference: https://x.com/morimolymoly2/status/1889722965459181881 # Reference: https://app.validin.com/detail?find=Node.js%20upload%20multiple%20files&type=raw&ref_id=02496d38d39#tab=host_pairs (# 2025-04-30) # Reference: https://www.virustotal.com/gui/file/c4399052e5801f4947edf3bf634c43a77870ca46ec0c27ded50062f8219aef28/detection http://144.172.98.23 http://172.86.109.49 http://172.86.114.141 http://172.86.70.173 http://185.231.205.75 45.59.163.23:1244 172-86-114-141.dal.priv.octovpn.net ns1.coponde.com pepeartly-foundry.net redirect-smartwallet.com /bro/ahNjWa2 /payl/ahNjWa2 # Reference: https://hackernoon.com/cybercrooks-are-using-fake-job-listings-to-steal-crypto # Reference: https://search.censys.io/hosts/95.169.180.146 95.169.180.146:3389 95.169.180.146:4444 95.169.180.146:8080 # Reference: https://securityscorecard.com/wp-content/uploads/2025/02/Operation-Marstech-Mayhem-Report_021025_03.pdf # Reference: https://search.censys.io/hosts/74.119.194.129/ # Reference: https://search.censys.io/hosts/95.164.45.239/ 74.119.194.129:3000 74.119.194.129:3001 95.164.45.239:3000 95.164.45.239:3001 /client/marstech1 /j/marstech1 /marstech1 # Reference: https://x.com/Cybercyberbp04/status/1892039442157666815 # Reference: https://app.validin.com/detail?find=Interview&type=raw&ref_id=64a8ed2f563#tab=host_pairs hiringinterview360.com talenthiring360.com okx.hiringinterview360.com okx.talenthiring360.com # Reference: https://app.validin.com/detail?find=SkillMaster&type=raw&ref_id=04a9609e38c#tab=host_pairs (# 2025-03-05) deepmindschematic.com devchallengehq.com skillmasteryhub.us zenspiretech.com # Reference: https://www.virustotal.com/gui/ip-address/13.248.213.45/relations # 
Reference: https://www.virustotal.com/gui/ip-address/3.33.130.190/relations # Reference: https://www.virustotal.com/gui/ip-address/91.195.240.123/relations ayrshire360.com elitetalent360.com fetchtalent360.com findhelptalent360.com inst.fetchtalent360.com # Reference: https://app.validin.com/detail?find=8452ce8ad04afa240e1e8b65d4b3343a&type=hash&ref_id=e867567f0d8#tab=host_pairs (# 2025-02-24) # Reference: https://app.validin.com/detail?find=Video%20Recruting%20-%20Find%2C%20Interview&type=raw&ref_id=6b735d3d78d#tab=host_pairs (# 2025-02-24) # Reference: https://app.validin.com/detail?find=3934696b4640069f357c788ff3508f4f&type=hash&ref_id=029fac138c3#tab=host_pairs (# 2025-02-27) livehirehub.com quickskill-review.com test-wolf.com vid-crypto-assess.com vidcruiterinterview.com app.vid-crypto-assess.com inter.vid-crypto-assess.com inter.quickskill-review.com intro.vid-crypto-assess.com intro.quickskill-review.com rec.vid-crypto-assess.com robinhood.quickskill-review.com skill.vidcruiterinterview.com # Reference: https://www.virustotal.com/gui/ip-address/168.231.70.177/relations # Reference: https://app.validin.com/detail?find=195.35.38.215&type=ip4&ref_id=25087bf71b4#tab=resolutions (# 2025-03-01) # Reference: https://app.validin.com/detail?find=6c38526ceb115206329131fc840bb881&type=hash&ref_id=04d59776778#tab=host_pairs # Reference: https://app.validin.com/detail?find=TalentCheck&type=raw#tab=host_pairs # Reference: https://app.validin.com/detail?find=c35874ba204e503c8e96bd275956e0cb&type=hash&ref_id=f5e249222ea#tab=host_pairs (# 2025-07-22) blockassess.com careerquestion.com driverpool.online rastreojerezexpress.com skillcheck.pro talentcheck.pro testwolf-assessment.com testwolfpro.com doodles.careerquestion.com etoro.careerquestion.com # Reference: https://app.validin.com/detail?find=45.89.245.88&type=ip4&ref_id=49b32a66a80#tab=resolutions (# 2025-02-26) ecareerscan.com evalvidz.com gethiring360.com hotstreamx.stream intervwolf.com paxosassessments.com 
robinhood.evalvidz.com robinhood.intervwolf.com # Reference: https://app.validin.com/detail?find=91.222.173.30&type=ip4&ref_id=8b2f0b868b7#tab=resolutions (# 2025-02-24) blockchainjobhub.com bybit-assessment.com evalassesso.com skillprops.com talentsnaptest.com vidassesspro.com # Reference: https://x.com/lazarusholic/status/1893684791406715003 # Reference: https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34 # Reference: https://www.virustotal.com/gui/ip-address/131.226.2.120/relations # Reference: https://www.virustotal.com/gui/ip-address/5.206.227.51/relations # Reference: https://www.virustotal.com/gui/file/b9f6a9d4f837f5b8a5dc9987a91ba44bc7ae7f39aa692b5b21dba460f935a0ae/detection clubinfo.io coreladao.com eclairdomain.com getstockprice.info gossipsnare.com replaydreary.com showmanroast.com cdn.clubinfo.io # Reference: https://x.com/malwrhunterteam/status/1894301990286471388 # Reference: https://app.validin.com/detail?find=954d80b823db3724aa3936475f9a7505&type=hash&ref_id=8ae40870ea8#tab=host_pairs # Reference: https://www.virustotal.com/gui/file/bf1986ecd37dbc9917b31077615c48fb5d64b904b95e789f9e73be47b1573c0d/detection 72.5.42.93:8080 camdriversupport.com cameradriverx.cloud camtechdrivers.com drivercams.cloud releasedrive.live stockdata.tech api.camdriversupport.com api.cameradriverx.cloud api.camtechdrivers.com api.drivercams.cloud api.releasedrive.live api.stockdata.tech # Reference: https://cybersecuritynews.com/lazarus-group-infostealer-malwares-attacking-developers/ http://41.208.185.235 41.208.185.235:443 # Reference: https://x.com/RakeshKrish12/status/1894626162061840605 assessiohq.com # Reference: https://x.com/lontze7/status/1894676242349048110 blockchainjobassessment.com # Reference: https://x.com/CreateFileInt_/status/1894739132678599091 http://91.222.173.110 http://91.222.173.138 http://91.222.173.168 91.222.173.110:443 91.222.173.138:443 91.222.173.168:443 bonusdali.com 
btcblender.live chipmixer.live ido-epargne.com stream-football.org safefinanceltd.com vngpubgm.com # Reference: https://x.com/CreateFileInt_/status/1894741888743223449 http://152.89.61.240 http://152.89.61.96 152.89.61.240:443 152.89.61.96:443 acoustickoala.com acroadovw.com app-solaxy.world binancestransfers.com boofparadise.com carllamb4judge.com cdpll-couk.top nadlan-dubai.com pitisalot.site reliableservers.org sumy.fun turkishmob.com # Reference: https://x.com/0xmh1/status/1894951955333865918 # Reference: https://search.censys.io/hosts/185.53.46.38 # Reference: https://www.virustotal.com/gui/file/a1171ffade3d147e54fab021bc4d56f30645aeb401a88517e9df93d852b78c73/detection 185.53.46.38:1244 185.53.46.38:3000 185.53.46.38:3389 # Reference: https://x.com/lontze7/status/1895044097129496782 # Reference: https://x.com/lontze7/status/1896131895223841044 # Reference: https://x.com/lontze7/status/1897214445107175780 # Reference: https://app.validin.com/detail?find=66.29.141.73&type=ip4&ref_id=5db4210a5c4#tab=resolutions # Reference: https://app.validin.com/detail?find=f002a88cbb7b49e66036&type=hash&ref_id=a4d0e878c1e#tab=host_pairs (# 2025-06-05) # Reference: https://www.virustotal.com/gui/file/ff1d5ee6dbf77b79eec7e7405d864eb2445213aa0f5b5b665d322c4565d5b6a5/detection africamall.chat autodriverfix.online auto-fixer.online autofixer.online camallupdate.cloud camdriverhelp.club camdriverhub.cloud camdrivers.cloud camdriverstore.cloud camtuneup.online deepdriverupdate.online devicefixer.online drivercamhub.cloud driversnap.cloud driversofthub.online driverstream.cloud drivfixer.online drivhost.store drvfixer.online fix-drivers.online fixdiskpro.online olaestudiocreativo.com provideodrivers.cloud quickdriverupdate.online rapiddrivers.cloud release-driver.online release-drivers.online retailpackagingpartner.xyz smartchecker.online smartdriverfix.cloud smartdrvupdate.online soft-dev.online updatecall.live updatewebcamnow.live vblimitedgroup.com vcamfixer.online 
vcamdriverupdate.cloud vcamsupport.cloud videocarddrivers.cloud videodriverzone.cloud videotechdrivers.cloud vidtechdrv.online vidtechdrivers.com vidtechhub.cloud web-cam.cloud webcamdrivers.cloud webcamfix.cloud webcamfixer.cloud webcamfixer.online webcamwizard.cloud west-app.online wikahmart.com yourdomainhost.store api.africamall.chat api.autodriverfix.online api.auto-fixer.online api.autofixer.online api.camallupdate.cloud api.camdriverhelp.club api.camdriverhub.cloud api.camdrivers.cloud api.camdriverstore.cloud api.camtuneup.online api.deepdriverupdate.online api.devicefixer.online api.drivercamhub.cloud api.driversnap.cloud api.driversofthub.online api.driverstream.cloud api.drivfixer.online api.drivhost.store api.drvfixer.online api.fix-drivers.online api.fixdiskpro.online api.olaestudiocreativo.com api.provideodrivers.cloud api.quickdriverupdate.online api.rapiddrivers.cloud api.release-driver.online api.release-drivers.online api.retailpackagingpartner.xyz api.smartchecker.online api.smartdriverfix.cloud api.smartdrvupdate.online api.updatecall.live api.updatewebcamnow.live api.vblimitedgroup.com api.vcamdriverupdate.cloud api.vcamfixer.online api.vcamsupport.cloud api.videocarddrivers.cloud api.videodriverzone.cloud api.videotechdrivers.cloud api.vidtechdrivers.com api.vidtechdrv.online api.vidtechhub.cloud api.web-cam.cloud api.webcamdrivers.cloud api.webcamfix.cloud api.webcamfixer.cloud api.webcamfixer.online api.webcamwizard.cloud api.wikahmart.com api.yourdomainhost.store fix.soft-dev.online # Reference: https://app.validin.com/detail?find=138.128.165.91&type=ip4&ref_id=d07daaf12d1#tab=resolutions (# 2025-02-27) skillhiretrack.com # Reference: https://x.com/im23pds/status/1895284359911088358 enrollcrux.com postedviral.com speeduneasy.com viperpager.com # Reference: https://app.validin.com/detail?find=78.110.166.82&type=ip4&ref_id=3862e914a67#tab=resolutions (# 2025-03-01) aiagentnow.online biomedsurgcial.com carandcclasic.com citce-group.com 
competency-core.com digitaltalent.review evalvideo.com febintllc.com ftutech.store gamesmasterbb.com grainituae.com j-rl.com jumping-mechellen.com kirschneigroup.com livehirepro.com livesnotnumbers.org livetalentpro.com lucas-gaming.com massmedia24.com medcialbiotop.com notaiospuglisi.com online-globaleurope.com panelcvedata.com paxosvideointerviewassesment.com phubauto.space prohirevideo.com quickassessio.com skill-bridges.com smartvirtual-assessment.com smartwalletfinder.com stratosshipping.com superdocsoff.com talent-hiring-step.com talent-hiringstep.com thelightstower.com treelifeups.com vidcruitermaster.com videomaxgreece.com videoplayermaxgr.com vidhirehub.com vidintermaster.com web3remotework.com xchangetrump.com mail.massmedia24.com skill.vidcruitermaster.com # Reference: https://app.validin.com/detail?find=0a4bb3c47c527ff1cd8b53fbe0dcd159&type=hash#tab=host_pairs (# 2025-03-05) # Reference: https://app.validin.com/detail?find=51.210.235.36&type=ip4&ref_id=9c0bb8dc123#tab=host_pairs (# 2025-04-13) # Reference: https://app.validin.com/detail?find=51.210.235.45&type=ip4&ref_id=d5055d61a61#tab=resolutions (# 2025-03-07) # Reference: https://app.validin.com/detail?find=rockhoster.gmail.com&type=dom&ref_id=b801936350f#tab=dns (# 2025-05-29) assessbay.com bofhintl.com careerscreeners.com coinhouse360.com crypto-briefings.com diamondhilllaw.com eskillfolio.com eskillpilot.com expertssavingai.com greendottb.com greendtb.com heritagetbk.com hireqora.com hireskillhub.com insight-hire.com job-career-portal.com jobskillmatch360.com krakenhire.com livehiringhub.com livehiringpro.com onchainhiringtool.com onlinesearchlic.com quiz-nest.com smartdriverfixer.com smartvideoassess.com smartvideohire.com stdheritb.com sunflowbikes.com talentelevate360.com talentvidintro.com ugethired360.com unionminerscorp.com vidassess360.com vidassessmentmaster.com vidinterviewmaster.com web3neptune.com alchemy.onchainhiringtool.com ai.coinhouse360.com api.smartdriverfixer.com 
app.coinhouse360.com app.expertssavingai.com archblock.careerscreeners.com bitgo.talentelevate360.com coinbase.onchainhiringtool.com coinbase.talentelevate360.com crosstheages.talentelevate360.com kraken.livehiringpro.com mail.archblock.careerscreeners.com mail.careerscreeners.com online.stdheritb.com robinhood.eskillfolio.com robinhood.eskillpilot.com secure.greendtb.com secure.greendottb.com skill.vidassessmentmaster.com video.coinhouse360.com # Reference: https://x.com/safe/status/1897663514975649938 # Reference: https://x.com/0xKoda/status/1897787501592617160 # Reference: https://x.com/MichalKoczwara/status/1898074044274294948 # Reference: https://www.validin.com/blog/crawl_history_artifact_upgrade/ # Reference: https://app.validin.com/detail?find=f4407a84d90c5ecc1025&type=hash&ref_id=297005cc469#tab=host_pairs (# 2025-07-22) anglerstatic.com blockfi-krollra.com electoralvictory.site financecap.io getstockprice.com goingladies.com stocksitem.org trashcrease.com truthwillsetyoufree.online verification-blockfi.com api.financecap.io en.stocksitem.org # Reference: https://app.validin.com/detail?find=a142257525e31628ead74927c88695f8&type=hash#tab=host_pairs (# 2025-03-08) candidateinsightinfo.com eskillprof.com skillprooflab.com toptalentassess.com robinhood.eskillprof.com # Reference: https://x.com/ValidinLLC/status/1899512759965868072 # Reference: https://www.validin.com/blog/bybit_hack_infrastructure_hunt/ firexch.com getcoinprice.info stockinfo.io stocksindex.org wfinance.org api.stockinfo.io # Reference: https://x.com/dazhengzhang/status/1899776299725680975 # Reference: https://x.com/tayvano_/status/1899896814536712334 # Reference: https://www.virustotal.com/gui/ip-address/5.230.252.157/relations # Reference: https://app.validin.com/detail?find=528ab116aa10f63a5156ed906744fcc9&type=hash#tab=host_pairs (# 2025-03-24) # Reference: https://app.validin.com/detail?find=Zoom%20Meeting&type=raw&ref_id=af1604aa97f#tab=host_pairs 118274-zoomid.com ae-zoom.us 
ae-zooom-hegne-meetingsfromf6758s.pages.dev alejandro.uefa-meeting.com api-zoom.com api.zoom-sdk.us app-center.download app-zoom.website as-zoom.us baincapitalcrypto.zm-meeting.com biz-zoom.us bizmeet.online bizmeet.org bizmeet.pro bizmeeting.org bizmeeting.video boolnetwork.xyz bu-zoom.us business-zoom.us businessmeet.xyz calystiabusiness.com capitalviabtc.com capitalviabtc.comhollow-jordan-narrow.on-fleek.app communicationhub.us cr-zoom.us downloadcenter.website dunamu.jp-zoom.com ecosystem.openfort.video en-zoom.us er-zoom.us extrazoom.us fronterixbusiness.com gcp.webzoom.video globiscapital.co globiscapitals.com group.superstatefund.co hanagroup.live hanagroup.video hartmanmcapital.com hk05web.us hwsrv-1275416.hostwindsdns.com ignite.bizmeeting.org ignite.bizmeeting.video innerteams.us interzoom.us jp-zoom.com justbuiltprojects.com.au kourosh.uefa-meeting.com krakenmeetings.com lido.web05zoom.us lostdungeon.openfort.xyz luc.uefa-meeting.com mail.web021zoom.us matias.uefa-meeting.com mediaprime.team meet.capitalviabtc.com meet.capitalviabtc.comhollow-jordan-narrow.on-fleek.app meet.globiscapital.co meet.globiscapitals.com meet.hanagroup.video meet.mythicaigames.foundation meet.mythicalgames.foundation meet.openfort-team.xyz meet.picwe-team.com meet.re7.network meet.rwa-team.video meet.str8fire-team.network meet.superstatefund.co meet.synternetlab.com meet.twosigma-vc.com meeting-zoom-witcam-tests-meet-id-5u83-82f3-8h39-83h9-d9e3.pages.dev meeting-zoom-witcam-tests-meet-id-5u83-82f3-8h39-83h9-n9e3.pages.dev meetwithhealthyh2o.com mythicaigames.foundation mythicalgames.foundation mzweb3.bu-zoom.us mzweb3.er-zoom.us mzweb3.jp-zoom.com officezoom.us openfort-team.xyz openfort.businessmeet.xyz openfort.video openfort.xyz partner.hartmanmcapital.com partners.boolnetwork.xyz picwe-team.com pre-zoom.us re7.network republic.biz-zoom.us republic.bu-zoom.us republic.cr-zoom.us republic.er-zoom.us republic.extrazoom.us republic.innerteams.us republic.officezoom.us 
republic.pre-zoom.us republic.usweb-zoom.us republic.web021zoom.us riccardo.uefa-meeting.com rwa-team.video rwa.business-zoom.us rwa.businessmeet.xyz sammy.uefa-meeting.com silencio.webzoom.video silvermine.web05zoom.us skalelabs.as-zoom.us skalelabs.bu-zoom.us skalelabs.cr-zoom.us skalelabs.en-zoom.us skalelabs.mediaprime.team skalelabs.pre-zoom.us skalelabs.usweb-zoom.us stage.bizmeet.online stage.bizmeet.org stage.bizmeet.pro str8fire-team.network str8fire.businessmeet.xyz su05web.us superstatefund.co synternetlab.com tom.uefa-meeting.com twosigma-vc.com uefa-meeting.com uk03web.us uk06web.us uk07web.us ukweb05.us ukweb06.us ukweb07.us us04office.us us04we.us usweb-zoom.us usweb02.us viabtc.webmeet.video viabtc.webmeet.vip web.interzoom.us web.zoomhub.us web001-zoom.us web001zoom.us web011zoom.us web021zoom.us web05zoom.us web3fund.as-zoom.us web3fund.en-zoom.us web3fund.io webmeet.icu webmeet.video webmeet.vip webus02.us webus07.us webus08.us webus09.us webzoom.video xn--rxamia.com zach.uefa-meeting.com zm-meeting.com zoom-sdk.us zoommeetspace.com zoom.app-center.download zoom.communicationhub.us zoom.downloadcenter.website zoom.hanagroup.live zoom.hk05web.us zoom.personifyio.com zoom.su05web.us zoom.uk03web.us zoom.uk06web.us zoom.uk07web.us zoom.ukweb05.us zoom.ukweb06.us zoom.ukweb07.us zoom.us04office.us zoom.us04we.us zoom.usweb02.us zoom.webus02.us zoom.webus07.us zoom.webus08.us zoom.webus09.us zoomapp.downloadcenter.website zoomhub.us zoomtomeet.pposbc.org zoomzipdrop.pages.dev zooom.in zooom.pages.dev zooommeeting.pages.dev # Reference: https://x.com/zoomeye_team/status/1901822378348568825 # Reference: https://x.com/blackorbird/status/1993135605623218560 # Reference: https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages # Reference: https://www.gendigital.com/blog/insights/research/apt-cyber-alliances-2025 # Reference: https://app.validin.com/detail?find=L-Administrator&type=raw&ref_id=7c876e7935a#tab=host_pairs # 
Reference: https://www.virustotal.com/gui/file/c6edbb0d733798e5e8168a9df2bccaad7834e40f3c30d09816cc9a8ecc431376/detection http://144.172.112.106 104.194.133.88:1224 104.194.133.88:1245 107.189.16.122:1224 107.189.16.122:1245 107.189.16.176:1224 107.189.16.176:1245 107.189.20.152:1224 107.189.20.152:1245 107.189.24.80:1224 107.189.24.80:1245 107.189.25.109:1224 107.189.25.109:1245 144.172.100.124:1224 144.172.100.124:1245 144.172.100.142:1224 144.172.100.142:1245 144.172.101.45:1224 144.172.101.45:1245 144.172.102.148:1224 144.172.102.148:1245 144.172.102.21:1224 144.172.102.21:1245 144.172.103.97:1224 144.172.103.97:1245 144.172.104.10:1224 144.172.104.10:1245 144.172.104.113:1224 144.172.104.113:1245 144.172.105.189:1224 144.172.105.189:1245 144.172.105.235:1224 144.172.105.235:1245 144.172.106.133:1224 144.172.106.133:1245 144.172.106.7:1224 144.172.106.7:1245 144.172.109.98:1224 144.172.109.98:1245 144.172.112.106:1224 144.172.112.106:1245 144.172.86.27:1224 144.172.86.27:1245 144.172.95.226:1224 144.172.95.226:1245 144.172.96.80:1224 144.172.96.80:1245 144.172.97.7:1224 144.172.97.7:1245 146.70.253.107:1224 146.70.253.107:1245 146.70.41.188:1224 146.70.41.188:1245 172.86.113.115:1244 172.86.113.115:1245 172.86.113.18:1224 172.86.113.18:1245 172.86.116.90:1224 172.86.116.90:1245 172.86.123.55:1224 172.86.123.55:1245 172.86.73.198:1224 172.86.73.198:1245 172.86.84.38:1224 172.86.84.38:1245 185.153.182.251:1224 185.153.182.251:1245 214.75.112.56:1224 214.75.112.56:1244 214.75.112.56:1245 216.126.229.166:1224 216.126.229.166:1245 217.148.142.113:1224 217.148.142.113:1245 23.227.202.244:1224 23.227.202.244:1245 23.227.202.51:1224 23.227.202.51:1245 23.227.202.52:1224 23.227.202.52:1245 23.227.203.18:1224 23.227.203.18:1245 23.227.203.192:1224 23.227.203.192:1245 23.227.203.204:1224 23.227.203.204:1245 45.61.128.110:1224 45.61.128.110:1245 45.61.128.61:1224 45.61.128.61:1245 45.61.133.110:1224 45.61.133.110:1245 45.61.135.4:1224 45.61.135.4:1245 45.61.149.222:1224 
45.61.149.222:1245 45.61.150.30:1224 45.61.150.30:1245 45.61.150.31:1224 45.61.150.31:1245 45.61.150.67:1224 45.61.150.67:1245 45.61.151.71:1244 45.61.151.71:1245 45.61.160.28:1224 45.61.160.28:1245 45.61.165.45:1224 45.61.165.45:1245 88.218.0.78:1224 88.218.0.78:1245 94.131.97.195:1224 94.131.97.195:1245 /payload/99/81 /payload/99/root # Reference: https://x.com/blackorbird/status/1924832471621030031 mayonestore.online ofo-home.top # Reference: https://x.com/TLP_R3D/status/1900511506518970638 onlinemeet.pro zincnetwork.tk zoom-client.xyz ignite.onlinemeet.pro # Reference: https://x.com/TLP_R3D/status/1900528743732367865 # Reference: https://www.validin.com/blog/zooming_through_bluenoroff_pivots/ # Reference: https://app.validin.com/detail?find=%2Fzoom%2Fjoin&type=raw&ref_id=cca7f8289eb#tab=host_pairs (# 2025-03-14) # Reference: https://app.validin.com/detail?find=%2Fzoom%2Ferror&type=raw&ref_id=cca7f8289eb#tab=host_pairs (# 2025-03-14) # Reference: https://app.validin.com/detail?find=38.110.228.112&type=ip4&ref_id=7b554bab928#tab=resolutions (# 2025-03-14) http://144.76.201.229 http://216.107.137.53 http://23.254.164.232 http://23.254.204.184 http://38.110.228.112 http://45.42.40.200 http://45.42.40.208 http://45.84.226.239 http://5.230.251.49 http://5.230.252.157 http://5.230.44.79 zmwebsdk.com zoomsdk.us zoomwebapi.com api.zoomsdk.us # Reference: https://x.com/capodieci/status/1903075585414533144 # Reference: https://x.com/lontze7/status/1903091260216189306 # Reference: https://app.validin.com/detail?find=31.220.40.22&type=ip4&ref_id=e4480ae66af#tab=resolutions provevidskillcheck.com quantumnodespro.com # Reference: https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/ # Reference: https://app.validin.com/detail?find=Coinbase%20-%20Buy%20and%20Sell%20Bitcoin%2C%20Ethereum%2C%20and%20more%20with%20trust&type=raw&ref_id=c888fcffa16#tab=host_pairs (# 2025-03-31) # Reference: 
https://www.virustotal.com/gui/file/e79e28865cfa4b31030133b62d26367ceb06a49b3f449fdd85e136d4f6443edf/detection 154.62.226.22:8080 38.134.148.218:8080 coinbase-walet.biz coinbase-walet.me # Reference: https://x.com/0xmh1/status/1907245404766531772 # Reference: https://platform.censys.io/search?q=b86140ad75113e930e40228d3e1d7ba1f9e48abb0e02ee293bdd40d6cde8c061 91.198.66.112:3000 91.198.66.158:3000 # Reference: https://x.com/malwrhunterteam/status/1908069353796292714 # Reference: https://www.virustotal.com/gui/file/a45b34c97e45d73fd60b683e8543a1bb50d73eb30823b9e933fe2436edc35f2b/detection # Reference: https://www.virustotal.com/gui/file/d78fe3bd46a1fddddaee98634a4fb082dd47d84bf6a24c3d9b422efef1a01a03/detection # Reference: https://www.virustotal.com/gui/file/f5a24d157881801fd13c5e6b6e870dea2873010e75765c231c1437b42fa82dd2/detection 158.62.198.177:8080 # Reference: https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket 144.172.87.27:1224 ip-api-server.vercel.app ip-check-api.vercel.app m21gk.wiremockapi.cloud mocki.io/v1/32f16c80-602a-4c80-80af-32a9b8220a6b # Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2025-03-05-v10872/2497 alchemy-api-v3.cloud # Reference: https://x.com/malwrhunterteam/status/1910604983201902976 # Reference: https://www.virustotal.com/gui/file/c0682c72db57aae7c05d08e79f2d82825be2c2cdcb162c19e4c8bf5a737dcb20/detection cryptomn.vercel.app # Reference: https://x.com/malwrhunterteam/status/1910818212834353408 # Reference: https://app.validin.com/detail?find=dd5bd7746a6f5cbc843f54ecfc7ed780&type=hash&ref_id=056495bef48#tab=host_pairs (# 2025-06-24) aduresi.com cpromoter.com dabacof.com digipairx.com growzy.tech koliinfotech.company macamhelp.online unimeta.biz updatemycam.online api.crm.koliinfotech.company api.digipairx.com api.growzy.tech api.macamhelp.online api.unimeta.biz api.updatemycam.online development-server.aduresi.com elitedrivva-app.dabacof.com 
gatuga-api.cpromoter.com # Reference: https://x.com/jamieantisocial/status/1911968062062166078 # Reference: https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/ bitzone.io blockprices.io chainanalyser.com clublogos.io coinhar.io coinpricehub.io ethzone.io fivebit.io indobit.io jquery-release.com jquerycloud.io jqueryversion.net leaguehub.net logoeye.net logosports.net mavenradar.com skypredict.org soccerlab.io stockslab.org thaibit.io weatherdatahub.org api.bitzone.io api.coinhar.io api.coinpricehub.io api.ethzone.io api.fivebit.io api.jquery-release.com api.thaibit.io cdn.clublogos.io cdn.jqueryversion.net cdn.leaguehub.net cdn.logoeye.net cdn.logosports.net cdn.soccerlab.io en.stocksindex.org en.stockslab.org en.wfinance.org update.jquerycloud.io # Reference: https://app.validin.com/detail?find=23.254.253.148&type=ip4&ref_id=5af70a4c3a0#tab=resolutions (# 2025-04-17) phantom-phantomwallet.us phantomwallet-us.us rabbywallet-app.us wallet-trustwallet.us # Reference: https://socket.dev/blog/npm-malware-targets-telegram-bot-developers validator.blog solana.validator.blog # Reference: https://x.com/BaoshengbinCumt/status/1914881621226033430 # Reference: https://x.com/malwrhunterteam/status/1915157662733394036 # Reference: https://www.virustotal.com/gui/file/75699cc6d3cfc2e4d0f2fe920e45f559f084acc65f2df48c117016d2642b154b/detection http://159.100.18.177 173.211.70.210:8080 173.211.70.246:8080 212.81.47.217:8080 # Reference: https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/ smartmanagerex.com bluekostec.com/eng/community/write.asp builsf.com/inc/left.php dream.bluit.gethompy.com/mobile/skin/board/gallery/index.skin.php htns.com/eng/skin/member/basic/skin.php kadsm.org/skin/board/basic/write_comment_skin.php rsdf.kr/wp-content/uploads/2024/01/index.php shcpump.com/admin/form/skin/formBasic/style.php thek-portal.com/eng/career/index.asp # Reference: https://www.silentpush.com/blog/contagious-interview-front-companies/ 
angeloper.com angeloperonline.online apply-blocknovas.site attisscmo.com bigrocks918.com blocknovas.com camdriversupport.com easydriver.cloud insomnianwin.site softglide.co wonthegame.site xn--12c5eglc5bd7i.site apply.blocknovas.com chat.blocknovas.com # Reference: https://x.com/TLP_R3D/status/1915851139301708283 # Reference: https://app.validin.com/detail?find=1da7c4f8368cdc8cf054e3f3ef560ec8&type=hash&ref_id=c4a2719f1ec#tab=host_pairs (# 2025-04-25) 171.22.127.221:5000 88.119.169.226:5000 # Reference: https://app.validin.com/detail?type=raw&find=BlockNovas+LLC#tab=host_pairs (# 2025-04-25) # Reference: https://app.validin.com/detail?find=Alphanomics%20Racer&type=raw&ref_id=48da85c573d#tab=host_responses (# 2025-04-26) # Reference: https://app.validin.com/detail?find=Team%20Monitor&type=raw&ref_id=48da85c573d#tab=host_responses (# 2025-04-26) # Reference: https://app.validin.com/detail?find=2e8498a098fd04d28ee900521de053b3&type=hash&ref_id=4d03061f4ff#tab=host_pairs (# 2025-04-27) 167.88.39.55:3000 167.88.39.55:4000 172.86.114.170:4000 172.86.114.170:5000 172-86-114-170.dal.priv.octovpn.net alpcoin.anomgaming.online anomgaming.online blocknovasllc.com dprk-it.pages.dev easyvps.net srv587993.hstgr.cloud apply.blocknovasllc.com facial.anomgaming.online # Reference: https://x.com/teamcymru_S2/status/1915827990774063179 167.88.39.141:5000 171.22.127.221:8000 188.43.33.250:3389 188.43.33.250:5000 188.43.33.250:8080 188.43.33.251:12323 188.43.33.251:12324 188.43.33.251:5000 188.43.33.251:8000 188.43.33.251:8080 37.221.126.117:3011 37.221.126.117:4000 86.104.74.169:27017 worldenterprise-beta.com # Reference: https://app.validin.com/detail?type=raw&find=BlockNovas#tab=host_pairs (# 2025-04-26) # Reference: https://app.validin.com/detail?find=b68075c8f2aaef80fa70d7c562804f25&type=hash&ref_id=799956bbc73#tab=host_pairs (# 2025-04-26) # Reference: https://app.validin.com/detail?find=b99acd5a518e05c1adbb592ad4192334&type=hash&ref_id=05f30f00222#tab=host_pairs (# 2025-04-26) # 
Reference: https://app.validin.com/detail?type=hash&find=b68075c8f2aaef80fa70d7c562804f25#tab=host_pairs (# 2025-04-27) 203.161.52.90:3000 203.161.52.90:4000 203.161.52.90:8090 effectiveengineeringleader.com lunoxbet77--yes.site lunoxbet77rain.baby lunoxbet77rain.online lunoxbet77rain.store lunoxbet77speed.site sadborgroup.site talenthiringexpert.com theeffectiveengineeringleader.com blocknovas.talenthiringexpert.com # Reference: https://www.virustotal.com/gui/ip-address/50.6.4.97/relations gladneyocivpsdedinvme4.com mail.gladneyocivpsdedinvme4.com # Reference: https://x.com/malwrhunterteam/status/1925298281329901682 # Reference: https://gbhackers.com/lazarus-group-malware-with-ottercookie/ # Reference: https://app.validin.com/detail?find=Coinlend%20DeFi&type=raw&ref_id=af6318fa6e3#tab=host_pairs (# 2025-05-22) # Reference: https://www.virustotal.com/gui/file/b2a203b9391987049ad60c826e6d7a76554f38dfc8b9ce88fea083ca1b106800/detection http://135.181.123.177 http://144.172.96.35 135.181.123.177:8080 135.181.123.177:8081 135.181.123.177:9000 135.181.123.177:9001 144.172.96.35:3000 144.172.96.35:8000 144.172.96.35:8080 31.97.218.133:6168 77.37.74.86:6168 bujey.store coinlenddefi.com coinlendefi.com fashdefi.store cdn-static-server.vercel.app # Reference: https://x.com/morimolymoly2/status/1926877622350279117 144.172.109.155:1224 bs-production.up.railway.app # Reference: https://any.run/cybersecurity-blog/ottercookie-malware-analysis/ # Reference: https://www.virustotal.com/gui/ip-address/135.181.123.177/relations chainlink-api-v3.cloud # Reference: https://app.validin.com/detail?find=contato.impreza.email&type=dom&ref_id=63a84babf20#tab=dns (# 2025-06-13) # Reference: https://app.validin.com/detail?find=d7434f80ddd2395783c6f935cab65a6c&type=hash&ref_id=85f9a34e59c#tab=host_pairs (# 2025-06-16) assessforhire.com quizterview.com speakure.com testforhire.com mail.testforhire.com ripple.quizterview.com ripple.speakure.com uniswap.assessforhire.com uniswap.speakure.com 
uniswap.quizterview.com # Reference: https://x.com/AlvieriD/status/1933822421007847594 prehireiq.com uniswap.prehireiq.com # Reference: https://www.aikido.dev/blog/malicious-package-web3 http://74.119.194.244 # Reference: https://x.com/lazarusholic/status/1935329204020855066 # Reference: https://blog.talosintelligence.com/python-version-of-golangghost-rat/ (# pychollima) # Reference: https://app.validin.com/detail?find=91.90.121.28&type=ip4&ref_id=8c1f7873b55#tab=resolutions 154.58.204.15:8080 31.57.243.190:8080 31.57.243.29:8080 autocamfixer.online quickcamfix.online api.autocamfixer.online api.quickcamfix.online assesstrack.com drivertools.org eskillora.com eskillprov.com evalswift.com fast-video-recording.com hireviavideo.com skillence360.com skillquestions.com talent-hiringtalk.com talenthiringtool.com talentmonitoringtool.com talentscreeningtool.com alchemy.talentscreeningtool.com coinbase.talenthiringtool.com coinbase.talentmonitoringtool.com coinbase.talentscreeningtool.com crosstheages.skillence360.com doodles.skillquestions.com mail.hireviavideo.com parallel.eskillora.com parallel.eskillprov.com thorequities.skillence360.com yuga.skillquestions.com /cam-v-ri69.fix /mac-v-ri69.fixer # Reference: https://x.com/ThreatBookLabs/status/1935542389793341808 hiremployee.com office-theme.com # Reference: https://app.validin.com/detail?find=Zoom%20Meeting&type=raw#tab=host_pairs (# 2025-06-19) conferenceauth.coffeebrain.co demo.techsaeein.com document-content.online emeetings.zoominvites.com gbmaudiologininstructions.esdinfra.com getdonald.xyz hollow-jordan-narrow.on-fleek.app hysf6-baaaa-aaaag-algfa-cai.icp0.io joinustoday.online ksrtcaudiologininstructions.esdinfra.com ksrtceccsgbmaudiologininstructions.esdinfra.com live.bankdost.in live.econceptual.com meeting.document-content.online register-meeting.pages.dev stagging-apiresources.caspiansr.kz tdlgzoom.com us.meeting.document-content.online v2ray.gelithagithmal.workers.dev z8048w4.caspiansr.kz zoominvites.com 
zoom-meeting-web-static.eventx.com.cn zoom.2vanx.com zoom.eventx.io zoom.eventxtra.com zoom.petersen.ai zoom.qa.retrocubedev.com zoomfiledrop.pages.dev zoommetting.dev.retrocubedevs.com zoomworkspace.us.meeting.document-content.online # Reference: https://app.validin.com/detail?find=185.100.87.82&type=ip4&ref_id=2c13cb80e43#tab=resolutions cyptoconnections.com easywalletconnect.com # Reference: https://x.com/lazarusholic/status/1937865917289168970 # Reference: https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages 172.86.80.145:1224 ip-check-server.vercel.app log-server-lovat.vercel.app # Reference: https://app.validin.com/detail?find=Talent%20Hire%20Flow&type=raw&ref_id=060cb05f4b2#tab=host_pairs (# 2025-07-15) # Reference: https://app.validin.com/detail?find=%3A%3A%3A%22twitter%3Acard%22%3A%22MotionAssess%20Card%22&type=raw&ref_id=060cb05f4b2#tab=host_pairs (# 2025-07-16) # Reference: https://app.validin.com/detail?find=%3A%3A%3A%22twitter%3Acreator%22%3A%22%40skillvisions%22&type=raw&ref_id=91cf464b398#tab=host_pairs (# 2025-07-16) abilityscan360.com easyhiringtool.com joblitic.com motionassess.com professionalsnapshot.com skillvisions.com talentcatchingtool360.com talenthireflow.com talentmatchingtools.com talentmatchingtools.net alchemy.motionassess.com chaoslabs.abilityscan360.com chaoslabs.motionassess.com chaoslabs.professionalsnapshot.com circle.talentmonitoringtool.com coinbase.abilityscan360.com coinbase.motionassess.com coinbase.professionalsnapshot.com defianceanalytics.abilityscan360.com defianceanalytics.easyhiringtool.com shimacapital.abilityscan360.com shimacapital.easyhiringtool.com # Reference: https://app.validin.com/detail?find=%3A%3A%3A%22keywords%22%3A%22hiring%2C%20recruitment%2C%20assessment%2C%20talent%20evaluation%2C%20interview%20platform%2C%20employee%20skills%22&type=raw&ref_id=b6a09e2884b#tab=host_pairs (# 2025-07-16) apply-camera.com assessalign.com assessdome.com carrervision.com 
eliteshire.com eskillence.com evalonboard.com hirehatch360.com hirelytics360.com hirequestion.com interviews360.com ixcareer.com jobinterviews360.com mat-techcore.org roleassessor.com rolematches.com skillquestion.com workquestion.com aveva.roleassessor.com axieinfinity.assessalign.com axieinfinity.hirelytics360.com blog.evalonboard.com cex.apply-camera.com crosstheages.eskillence.com crosstheages.hirehatch360.com crosstheages.hirelytics360.com doodles.carrervision.com doodles.hirequestion.com doodles.interviews360.com doodles.skillquestion.com doodles.workquestion.com finnt.evalonboard.com tellus.evalonboard.com theta.apply-camera.com theta.evalonboard.com thorequities.eskillence.com wintermute.workquestion.com workiva.roleassessor.com yuga.hirequestion.com yuga.ixcareer.com yuga.jobinterviews360.com yuga.workquestion.com # Reference: https://x.com/byrne_emmy12099/status/1945890954604605497 # Reference: https://x.com/byrne_emmy12099/status/1946062275183575474 # Reference: https://www.virustotal.com/gui/file/760bbec57ef20807abebecfbc6fa345b5ac83483de0cb26dcf0306806e98f317/detection bizzyclub.org unmannedsystemstechnology.org # Reference: https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages (# hexeval loader, xorindex loader) 1215.vercel.app log-writter.vercel.app process-log-update.vercel.app soc-log.vercel.app api.npoint.io/1f901a22daea7694face # Reference: https://app.validin.com/detail?find=BlockOvas&type=raw#tab=host_pairs (# 2025-07-21) 103.35.189.107:3000 103.35.189.107:4000 74.119.194.205:3000 74.119.194.205:4000 crostox.com waventic.com apply.waventic.com contract.waventic.com hiring.crostox.com hiring.waventic.com support.waventic.com # Reference: https://www.virustotal.com/gui/ip-address/194.164.64.90/relations globalelitehire.com # Reference: https://www.virustotal.com/gui/ip-address/52.223.13.41/relations softshare.online api.softshare.online # Reference: 
https://www.virustotal.com/gui/ip-address/198.251.81.14/relations vidfastinterviewmaster.com # Reference: https://www.virustotal.com/gui/ip-address/78.110.166.82/relations interviewskillmaster.com # Reference: https://www.virustotal.com/gui/ip-address/104.243.33.214/relations # Reference: https://www.virustotal.com/gui/ip-address/198.251.84.129/relations paxos-video-interview.com paxos-video-talk.com # Reference: https://www.virustotal.com/gui/ip-address/145.223.77.219/relations wegrowup.us geocollab.wegrowup.us silverrabbit.wegrowup.us younginvest.wegrowup.us # Reference: https://www.virustotal.com/gui/ip-address/194.164.64.193/relations certifyedge360.com axieinfinity.certifyedge360.com # Reference: https://www.virustotal.com/gui/ip-address/212.85.29.40/relations skillpilothq.com # Reference: https://www.virustotal.com/gui/ip-address/212.85.28.229/relations evaluateiq.com # Reference: https://www.virustotal.com/gui/ip-address/51.210.235.45/relations fireblocksinsight.com # Reference: https://www.virustotal.com/gui/ip-address/82.29.199.129/relations hirefeedbacker.com hiringtestpro.com quickproassess.com rolefit360.com archblock.quickproassess.com archblock.rolefit360.com zora.quickproassess.com zora.rolefit360.com # Reference: https://www.virustotal.com/gui/ip-address/147.93.44.252/relations edividy.pro # Reference: https://www.virustotal.com/gui/ip-address/104.21.32.1/relations wavelyhire.com # Reference: https://www.virustotal.com/gui/ip-address/82.29.81.1/relations candidatescope.com archblock.candidatescope.com deadfellaz.candidatescope.com # Reference: https://www.virustotal.com/gui/ip-address/193.242.184.2/relations 360share.pro applylens.com assessmentbay.com assesstoday.com backupwizard.net digitaltalentassess.com drivercamsupport.com eskillforge.com eskillmetric.com glitchmedic.com hiresyncer.us hiretestzone.com kryptoneer.com meetingjoin.us patchpal.pro paxosinterview.com prehighiq.com quizpathway.com rolltojoin.com skillsquestions.com smrtassess.com 
softdebugnest.pro talenttracker.us web3talentreview.com api.drivercamsupport.com # Reference: https://app.validin.com/detail?find=IT%20Company%20Website&type=raw&ref_id=3511f31a488#tab=host_pairs (# 2025-07-26) 4caddie.com 8cap.inashtech.com aa2akhtech.in aarnaitsolution.in abiyz.com acom.capital adg-japan.com admin.nexcloudinfo.com admireservices.in adrinfinitiniaga.com ads.inashtech.com afriinnovativetech.co.za agree-business.com ai.uoon.com.cn aidcore.co.uk aitc.vn ajaforensicsol.com alkamdevelopers.com.ng alphabet-in.com alphalabs.consulting alphatechenterprises.in ampreh.com.ng andrewmuz.ddns.net andrewmuz.direct.quickconnect.to ankly.net ankly.net.bytelinker.net annovate.tech aooaoollc.com apiarc.net apnsolution.in apply-oneof.com apply.blockforgex.com apply.dappspire.com apply.softcloudnet.co arcaoffice.com aria.halfpower.top artifactsbd.com artzoneservices.freewebhostmost.com artzoneservicesllc.freewebhostmost.com ashlyasoftwares.ashlya.com aunix.run.place aunix.work.gd avisoltechnologies.com babyqlimited.com bearcatalog.info beekayprecision.com biraj-karki.com.np bitnewly.com blackmatrix.in blockforgex.com brands.kavishala.com broussardinnovations.com busy-bee-design.com busybee.vercel.app butikplus.com buttgas.vsoltech.com bytelinker.net c365.tech cadancecove.com cadresol.com caj.bli.mybluehost.me campus2career.in care-covid19.inashtech.com celestikon.com cieosglobal.com cieosglobal.com.131-153-147-50.cpanel.site cimakcimento.online ckite.in cloudhub24.in cloudsforge.in code-lab.website codefusion.it.com codekrew.decrypt4.me codesharkstudiowebsite.pages.dev cognitosparkinnovations.com com.fixnap.com completehomenetworks.com confiableindia.com consult.aesthera.ninja coreit.com.pk corp.cherniuk.ca cpanel.inashtech.com cpcalendars.inashtech.com cpcontacts.inashtech.com creaciontechnologies.com cta.inashtech.com cta2020.inashtech.com cyberconfidential.co.za cybernonics.in cybertreeindia.com cybervstacks.in cybervstacks.work.gd dappspire.com dcprob.com 
delta-diving.com demo.nacos.org.ng demo2.wzcare.in demo3.wzcare.in demo6-mmitsg.pages.dev dev.devanshibeverages.in devlineinnovations.co.ke dhruvatech.in digicyber.org dinotik.pages.dev ditlousolutions.co.za ditlousolutions.co.za.154-0-174-246.cpanel.site doorsteptech.online download-device-files.pages.dev downloader-of-files.pages.dev dropke.org dtgm.ovh earthtechnologis.co.za ecomm-git-main-tparfum.vercel.app edoble.in eftoll.info engedzanitechnologies.co.za envy-labs.com epicms.com.pk epicms.com.pk.confido360.com eventorg.online evoford.com fb1.a71.myftpupload.com file-downloader-and-warranty-checker.pages.dev files-download-manager.pages.dev files-download.pages.dev files-downloader-and-warrenty-checker-0618.pages.dev files-downloader-and-warrenty-checker-downloade-diagnois.pages.dev files-downloader-and-warrenty-checker-downloader-diagnois.pages.dev files-downloader-and-warrenty-checker-pricing-page.pages.dev files-downloader-and-warrenty-checker-pricing-pages-ads.pages.dev files-downloader-and-warrenty-checker-pricing-pages.pages.dev files-downloader-and-warrenty-checker-update-0614.pages.dev files-downloader-and-warrenty-checker.pages.dev files0uuplaod.pages.dev fixnap.com food.inovetta.com freezologi.com freezologi.com.staycalm.in ftp.artifactsbd.com fxprimus.inashtech.com gadgetproteam.com gangaaramtechnologies.in gaurisoft.com gemperts.com getursoft.in golendusformacion.com golite.vn goqua.org.in greyspireinnovation.com groutmix.co.za grtclean.ai grtcleanai.com grupogolendus.com gtreksolution.co.ke gulf-byte-it.com haazlo.com hanumantainfotech.com harsudhtechnologies.site heart-blossom.org heart-blossom.pages.dev hfginternalsite.pages.dev hfgsite.pages.dev hhzhu.com hitechpune.co.in hly.shplh.com home.codesharkstudio.com hugconsulting.s3-website-us-east-1.amazonaws.com hyacinth.cloud hybrid.nairobiskates.com iboyotech.com idioctis.com ignitexsolutions.com imediaafrica.com inashtech.com industrysolutiongroup.com infinitech.co.in infinity4it.com 
inflecto.pro innoventumtech.com inoozar.com insightboosts.com invored.com irymia.pl isatinfotech.com isgranada.com it-company-website-1v7.pages.dev it-company-website-44k.pages.dev it-company-website-5cv.pages.dev it-company-website.pages.dev itcompany.ikramprofile.com itcompanywebsite.pages.dev itfebsolutions.co.za itsofttech.org itsupportzoran.com itworldinternational.com itwsolrizeindia.com jade-clafoutis-26e6ab.netlify.app jaston.serv00.net josephcleaningservicesllc.com june.it.com kas-technology.com katztechgroup.com kenzou.co.in kmsignite.dev kodecamp.org langitinfo.com laravel.wzshop.in layen.co lebamfinancials.com linforthsolutions.com linquana.com lspmaestro.com luckywatermelon.xyz m-rna.com.tr maaetech.in mail.afriinnovativetech.co.za mail.alphabet-in.com mail.ampreh.com.ng mail.ankly.net mail.apiarc.net mail.artifactsbd.com mail.bytelinker.net mail.caj.bli.mybluehost.me mail.cieosglobal.com mail.coreit.com.pk mail.cyberconfidential.co.za mail.dhruvatech.in mail.ditlousolutions.co.za mail.dropke.org mail.earthtechnologis.co.za mail.engedzanitechnologies.co.za mail.epicms.com.pk mail.gangaaramtechnologies.in mail.greyspireinnovation.com mail.imediaafrica.com mail.itfebsolutions.co.za mail.kodecamp.org mail.langitinfo.com mail.layen.co mail.lebamfinancials.com mail.linquana.com mail.melakutamiruauditing.com mail.micronlab.com mail.milancyber.com mail.mojuko.co.za mail.nexcloudinfo.com mail.phygitaltech.in mail.preyfoxtechnology.com mail.qubemindz.com mail.robosolutionsbd.com mail.server1.vitesol.net mail.shivanshitsolutions.com mail.signalhands.co.bw mail.smartdevcloud.sbs mail.tamilnadusoftwaresolutions.com mail.techspheresolution.in mail.thedevsaar.com mail.thewebecho.com mail.trustwavecybersecurity.info mail.undangandigital.cyou mail.vidcraft.co.in mail.whoisraihan.com mail.wtcglobalsolutions.com mail.zacmaa.net mail.zephyrits.com mail.zootiz.in main-website-domail-temp-soon0update.pages.dev makerzonelanka.com.lk mamta-electronics.com 
maruapps.inashtech.com maruday.inashtech.com maruteam.inashtech.com masilaresidency.com.fixnap.com melakutamiruauditing.com mgwastemanagement.com microfinance.work micronlab.com milancyber.com mmg3033-health-care-covid19.inashtech.com mmg3033-health.care-covid19.inashtech.com mojait.co.za mojuko.co.za moonsys.co mulvara.co.za muyunqichen.com my3website.pages.dev myrareaesthetics.com nawar.site ncode.neoays.com neoays.com neoays.com.ymcgroups.com nettemsoftware.in netzenix.co.in neuralisitsolutions.com nexcloudinfo.com nextlinktechnologies.net nexvergetech.com ngkore.com ngkore.org nibsbridge.com nibsbridge.in nilmangkorncyber.com nobaton.ltd nomadzsolutions.com norg-abc.com novasmart.in nprservices.in numantrainfotech.com nuwan-softgroup.com olenaunhurianu.com onrtech.fr oyatsu.org patternsinfotech.in peacockengr.com pepperstone.inashtech.com phoenixaircraft.com.au php.wzshop.in phygitaltech.in pkppl.com plasiohomeautomation.com platosweb.com preyfoxtechnology.com primaryweb1.pages.dev project-files-downlaoder.pages.dev prominenttrades.in prosaham.inashtech.com pttpa.com qasaralbahar.com quantumdev.online qubemindz.com quintlogic.com radianttechnosft.in raibsinfotech.com rajmatienterprises.in ratanpolyelastomers.com remote.envy-labs.com robosolutionsbd.com robosolutionsbd.com.jamiatulabrargouripur.com rvprconsultancy.com saibersys.com saldymosistemos.eu scuretech.com securityanddatasolutions.com server1.vitesol.net servintec.net servodev.in seyoo.net shahnaz.inashtech.com shimonitservices.com shivanshitsolutions.com shplh.com shrikhatushyamjidigital.com signalhands.co.bw signinbd.com skeey.in skylinetechsinc.com smartdevcloud.sbs sniper.inashtech.com sobatrinjani.net softcloudnet.co softcps.co.in softwaresphereit.com sonear-sports.com.cn sonetic-ae.com spbtech.site sshsoftwares.in sssss-company-website-c71dc7dc1f12.herokuapp.com sssss.co.in sssuppport.pages.dev staffordlaboratories.com staging.vhilv.com starkcloudie.netlify.app stepwebtech.com 
sunahromeoenterprise.online swifttechnology.tech syncgrass.com syneritesystems.co.ke taditafrica.com takinsite.ir tamilnadusoftwaresolutions.com tamizhiautomatetechnology.in techfellow.in techflixo.com techspheresolution.in techspheresolution.in.junctionarts.in temp.cybertouch.tech tensormesh.ai terrawizz.com test.yourhelp247.com test22233.pages.dev thesurepass.com thesurepass.pages.dev theusaseries.com thewebecho.com thilinasakuna.com titaniums.de toapply.me touhid.tech tricodeblog.abiyz.com truesouthstl.com trustwavecybersecurity.cxstocktrade.com trustwavecybersecurity.info tsf8.com tskautomations.com ubsrcr.zugy.online ui.gcp.po.ateme.ninja ukcarservice.in umtechnologies.de undangandigital.cyou unnaturalai.com uoon.com.cn upland.toapply.me venvietech.co.ke vfconsults.com vhilv.com vidcraft.co.in vidyagoyal.com visindosinergy.com vitaminurse.com vsservices.in w.wzshop.in web.halfpower.top webcodetech.in webdisk.inashtech.com webli-bd.com webmail.inashtech.com whoisraihan.com whoisraihan.com.bytelinker.net window-update-and-warrenty-check-updated-0522.pages.dev winwinsolutionway.com wisemindtech.com wizard.inashtech.com wondoro.site wtcglobal.pages.dev wtcglobalsolutions.com x5k.c7d.mywebsitetransfer.com xtreamdigitech.in ykvinfotech.in yourhelp247.com zacmaa.net zaozaozao.tech zephyrits.com zootiz.in zyperfect.com zzyzxz.net # Reference: https://www.virustotal.com/gui/ip-address/82.198.232.148/relations assessintel.com agora.assessintel.com axieinfinity.assessintel.com # Reference: https://x.com/lazarusholic/status/1950911891498488244 # Reference: https://www.sonatype.com/hubfs/White_Papers/How-North-Korea-Backed-Lazarus-Group-is-Weaponizing-Open-Source-Whitepaper.pdf http://144.172.94.226 144.172.94.226:5961 144.172.94.226:5974 0927.vercel.app # Reference: https://www.virustotal.com/gui/ip-address/82.29.80.153/relations greennovadigital.com # Reference: https://www.virustotal.com/gui/ip-address/84.32.84.32/relations icareerc.com ixscreen.com 
frameworkvc.icareerc.com frameworkvc.ixscreen.com sfdfsdf.icareerc.com yugalabs.icareerc.com yugalabs.ixscreen.com # Reference: https://www.virustotal.com/gui/ip-address/82.197.83.216/relations ixcareers.com frameworkvc.ixcareers.com yugalabs.ixcareers.com # Reference: https://app.validin.com/detail?find=Node.js%20upload%20multiple%20files&type=raw&ref_id=02496d38d39#tab=host_pairs (# 2025-08-02) 103.65.230.100:1244 147.124.202.225:1244 147.124.212.234:1244 147.124.213.19:1244 147.124.213.232:1244 147.124.215.131:1244 165.140.86.154:1244 165.140.86.160:1244 173.211.106.164:1244 207.189.164.137:1244 216.250.251.211:1244 216.250.252.163:1244 38.92.47.152:1244 66.235.175.117:1244 93.88.74.112:1244 # Reference: https://www.veracode.com/blog/north-korean-crypto-stealing-campaign-again/ http://95.216.46.218 api.npoint.io/e5a5e32cdf9bfe7d2386 # Reference: https://x.com/lazarusholic/status/1953086237193150753 # Reference: https://any.run/cybersecurity-blog/pylangghost-malware-analysis/ 151.243.101.229:8080 360scanner.store # Reference: https://x.com/RedDrip7/status/1954801591938170935 # Reference: https://www.virustotal.com/gui/file/93f11750014fa65066ffa7f7896c3a5b127ef8e68a4062a38610931057fe3dae/detection # Reference: https://www.virustotal.com/gui/file/c67e8f51c086ce3c7f6fbd3e0d6d29212def08c321197449afbaecdd799173f1/detection # Reference: https://www.virustotal.com/gui/file/259e8845176a665765f488e136931b2aca27be30eb27eb1074606213473d0446/detection # Reference: https://www.virustotal.com/gui/file/bc229eca6d7a46acd195a7364c1caa97db96ea8c6c1f0bec10d3929930e89457/detection # Reference: https://www.virustotal.com/gui/file/d39f0e201762e5eb4c335371abf29b3192367808f95815123bb58a4f59436476/detection http://45.159.248.110 103.231.75.101:8888 driverservices.store # Reference: https://www.virustotal.com/gui/ip-address/198.54.116.86/relations fix-driver.online # Reference: https://www.virustotal.com/gui/ip-address/76.76.21.21/relations block-digital.fit block-digital.site 
block-digital.store # Reference: https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ # Reference: https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/ # Reference: https://otx.alienvault.com/pulse/65534130052d1800f62e7ba2 # Reference: https://otx.alienvault.com/pulse/655f0ab585a20bff0cac8b7c aeon-petro.com/wcms/plugins/addition_contents/cfg.png aeon-petro.com/wcms/plugins/addition_contents/user64.png bandarpowder.com/public/assets/img/cfg.png bandarpowder.com/public/assets/img/user64.png commune-fraita.ma/wp-content/plugins/wp-contact/contact.php mantis.jancom.pl/bluemantis/image/addon/addin.php mge.sn/themes/classic/modules/ps_rssfeed/feed.zip mge.sn/themes/classic/modules/ps_rssfeed/feedmd.zip vadtalmandir.org/admin/ckeditor/plugins/icontact/about.php zeduzeventos.busqueabuse.com/wpadmin/js/widgets/sub/wids.php # Reference: https://slowmist.medium.com/threat-intelligence-uncovering-a-web3-interview-scam-bb366694b7f3 http://172.86.64.67 172.86.64.67:4181 172.86.64.67:4186 172.86.64.67:4187 172.86.64.67:4188 api.npoint.io/96979650f5739bcbaebb # Reference: https://x.com/SttyK/status/1956180410104471917 0xraiseup.com ascendrix.us ballroller.fun corebiz.fun donmuzzi.site funnyboy0719.fun greenservice.tech gsoftcompany.com innovateinc.fun limitlesstechltd.com litslink.online memecoinmania.net resumegenie.us thediversityandinclusionteam.com pay.resumegenie.us # Reference: https://www.virustotal.com/gui/ip-address/51.210.235.45/relations superstarscanner.com # Reference: https://www.virustotal.com/gui/ip-address/72.60.32.153/relations toolshare.cloud # Reference: https://www.virustotal.com/gui/ip-address/148.230.98.183/relations open-src.org # Reference: https://www.virustotal.com/gui/ip-address/212.85.29.150/relations assesspro360.com parallel.assesspro360.com # Reference: 
https://www.virustotal.com/gui/ip-address/84.32.84.32/relations careerboard.video framework.careerboard.video yugalabs.careerboard.video # Reference: https://app.validin.com/detail?find=IT%20Company%20Website&type=raw#tab=host_pairs (# 2025-08-26) anifintech.xyz echelonfnd.io admin.echelonfnd.io apply.echelonfnd.io support.echelonfnd.io authnsecuresystems.com finovec.co.ke ipv6.srv755058.hstgr.cloud mail.anifintech.xyz mediajourney.digital precisioncoderss.com srv755058.hstgr.cloud tenspick.shop thehubservice.cloud vern.thehubservice.cloud # Reference: https://www.ctfiot.com/267223.html http://45.89.53.54 block-digital.online # Reference: https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/ # Reference: https://www.virustotal.com/gui/file/d8de31bcaf5b9ebb99bef36244b0ab3c21367821947a789dff69c33d49aaffc9/detection 144.172.74.120:3389 aes-secure.net arcashop.org azuredeploypackages.net azureglobalaccelerator.com calendly.live dpkgrepo.com ftxstock.com go.oncehub.co keondigital.com latamics.org lmaxtrd.com nansenpro.org natefi.org oncehub.co paxosfuture.com picktime.live plexisco.com pypilibrary.com pypistorage.com # Reference: https://www.virustotal.com/gui/ip-address/82.29.157.117/relations # Reference: https://app.validin.com/detail?find=%3A%3A%3A%22keywords%22%3A%22hiring%20platform%2C%20recruitment%20software%2C%20candidate%20screening%2C%20talent%20evaluation%2C%20skills-based%20hiring%2C%20interview%20tools%2C%20tech%20hiring%2C%20remote%20hiring%2C%20hiring%20automation%2C%20team%20building%22&type=raw#tab=host_pairs (# 2025-09-08) answerpanel.org avalabs-digital.online avalabs-digital.space avalabs-network.live avalabs-network.online avalabs-talent.site elitehireaxis360.com free-loader.org queryyard.com recruitboard.video skillstandard360.com softcaredesk.pro standard-ai.org base-cei.pages.dev career-8hp.pages.dev recruitboard-base.pages.dev sub-recruitboard.pages.dev stage-framework.recruitboard.video stage-yuga.recruitboard.video # 
Reference: https://www.virustotal.com/gui/ip-address/157.173.209.152/relations auto-ai.online auto-patch.tech insighthire360.com talentgauge360.com talentpreview360.com talentradar360.com talentverge360.com web3elitesmint.com web3elitesmint.pages.dev web3globalmint.com web3globalmint.pages.dev web3talentmint.com # Reference: https://x.com/volrant136/status/1965126588745613721 # Reference: https://www.virustotal.com/gui/file/15e2d1390aff1c4b83607152cb75ecf5c9b5a20cb732780379265a7b8df80f6b/detection avalabs-digital.store avalabs-hiring.online avalabs-hiring.site avalabs-hiring.space avalabs-hiring.store avalabs-hiring.world avalabs-io.online avalabs-io.space avalabs-io.store avalabs-network.space avalabs-org.online avalabs-talent.online avalabs-talent.space avalabs-talent.store avalabs-tech.online avalabs-tech.space avalabs-tech.store # Reference: https://www.virustotal.com/gui/ip-address/82.25.83.175/relations globalskillconnect360.com # Reference: https://www.virustotal.com/gui/ip-address/82.25.87.27/relations assesscrew.com hiremodozone.com staffingedges.com talentedstarmodo.com bitmart.hiremodozone.com mythicalgames.hiremodozone.com paradigm.hiremodozone.com solulab.hiremodozone.com stake.assesscrew.com stake.hiremodozone.com stake.staffingedges.com stake.talentedstarmodo.com # Reference: https://x.com/RedDrip7/status/1968500301377458222 # Reference: https://www.virustotal.com/gui/file/c105f8c14f3903af3051ae1811ea4ba8898c49b45687f20e22e13a40685c7521/detection # Reference: https://www.virustotal.com/gui/file/0c78a1c0809a6a8bcd9e857272817ceafd20c49051fbb8540c4bc1777c7356e6/detection http://141.98.168.79 http://69.10.53.86 # Reference: https://x.com/RedDrip7/status/1970391207051436538 # Reference: https://x.com/RedDrip7/status/1970391207051436538 # Reference: https://www.virustotal.com/gui/file/24326e187f082c73f1aa8952696dc1b0b47f8cf205c518194c2c4bb20d8e36b7/detection # Reference: 
https://www.virustotal.com/gui/file/914ebde62460fa8daf6dd57fa91f88000314c8aeb48e2de41576d3c15899cf98/detection # Reference: https://www.virustotal.com/gui/file/a3bb64de9782d000a1fb50401a8c26a65ea99cb2698cccbb3916dc546761587f/detection # Reference: https://www.virustotal.com/gui/file/cba0189ba9f6ef80ce03948c07a8e85fffb41a835d90502903a6f306927f5653/detection 165.140.85.106:1243 165.140.85.106:1244 165.140.85.106:1245 165.140.85.106:1248 165.140.85.106:3389 # Reference: https://www.virustotal.com/gui/ip-address/191.101.15.48/relations radarsync.pro # Reference: https://www.virustotal.com/gui/ip-address/72.60.28.66/relations softmedic.pro # Reference: https://www.virustotal.com/gui/ip-address/72.60.71.89/relations softsquashers.pro # Reference: https://x.com/tayvano_/status/1971206871076991302 advisoryfit.com advisoryfit.pages.dev api.ixcareer.video app.eboardcareer.com app.evalixhub.com app.ixcareer.video candidatesnap.com eboardcareer.com eboardcareer.pages.dev evalixhub.com ixcareer-video.pages.dev ixcareer.video proficientmint.com proficientmint.pages.dev speedvice.com app.speedvice.com speedvice.pages.dev # BANNER_0_HASH-HOST=fda47416f397bac31d80d8e73d01fe0c introon.com onchainassess.com skilllens360.com skillview360.com api.introon.com api.onchainassess.com api.skilllens360.com ftp.skillview360.com parallel.skillview360.com # BANNER_0_HASH-HOST=bdce8fdf1bf366047ba5479342c64b07 axionara.com snap-screening.com api.snap-screening.com app.axionara.com # Reference: https://www.virustotal.com/gui/ip-address/82.29.199.206/relations talentevaluate.com ftp.talentevaluate.com # Reference: https://www.virustotal.com/gui/ip-address/82.29.87.223/relations anchoragedigitalhireflow.com anchoragehireflow.com anchoragehiring.com fireblocks-assessment.com fireblockshireflow.com fireblockshiring.com ftp.anchoragehireflow.com # Reference: https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages http://138.201.50.5 http://23.127.202.249 
json-project-hazel.vercel.app process-log.vercel.app /apikey/QWERTYU890T12HML /QWERTYU890T12HML # Reference: https://jp.security.ntt/insights_resources/tech_blog/ottercandy_malware_e/ 139.60.163.206:4000 172.86.114.31:3000 54.146.239.83:8080 80.209.243.85:4000 80.209.243.85:5000 # Reference: https://www.virustotal.com/gui/ip-address/216.24.57.1/relations businesshire.cv ehireflex.com ehireflix.com hirebest.cv hirefiix.pro hireflix.pro hireflix360.com hireone.top hireproflix.online hirevision360.com onehire.pro # Reference: https://www.picussecurity.com/resource/blog/lazarus-group-apt38-explained-timeline-ttps-and-major-attacks # Reference: https://www.virustotal.com/gui/file/0a472fdc188c9da6b8610e9eabed467b4a76457fb01ab16cf3a887d24adb9065/detection palgong-cc.co.kr # Reference: https://kl4r10n.tech/blog/dprk-new-malware http://172.86.116.178 172.86.116.178:3000 172.86.116.178:5918 172.86.116.178:5976 chainlink-api-v3.com # Reference: https://x.com/moonlock_lab/status/1980683916571996312 # Reference: https://x.com/moonlock_lab/status/1980685980895236162 # Reference: https://www.virustotal.com/gui/file/6149bacfb02eb3db6f95947bc57d89bfb92b90f16f92a61266ea6fbec81d10b7/detection # Reference: https://www.virustotal.com/gui/file/5db4182efcfd449078b1b9e96b68cf3be05bbc42543a0b11ed6d50ed951cb576/detection # Reference: https://www.virustotal.com/gui/file/cf2e793eac702b70865c79d550cea3f2e1c43966565aa05f2a82d0d19b5873eb/detection # ETAG-HOST="25e-63aa45dfa5b80-gzip" customizetions.com endesway.life microsoft.customizetions.com office.microsoft.customizetions.com # Reference: https://medium.com/deriv-tech/how-a-fake-ai-recruiter-delivers-five-staged-malware-disguised-as-a-dream-job-64cc68fec263 # Reference: https://www.virustotal.com/gui/ip-address/31.97.218.133/relations 172.86.89.10:4382 88.218.0.78:2243 loopsoft.tech top-king.store # Reference: https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat daniel-ayala.netlify.app # Reference: 
https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/ # Reference: https://otx.alienvault.com/pulse/655dd802326b4dba522c9d84 blocktestingto.com # Reference: https://x.com/1ZRR4H/status/1814476691911090466 # Reference: https://www.virustotal.com/gui/ip-address/77.37.37.81/relations # Reference: https://www.virustotal.com/gui/file/6156127355d8016c8e741de98ee4ef2a4cb5cb02cd44f22fd3c8fef033b69830/detection hirog.io files.hirog.io # Reference: https://x.com/500mk500/status/1814696344272986483 # Reference: https://www.virustotal.com/gui/ip-address/206.206.123.151/relations greenhouselc.com # Reference: https://x.com/malwrhunterteam/status/1820385406002872541 # Reference: https://www.virustotal.com/gui/ip-address/82.197.80.64/relations # Reference: https://www.virustotal.com/gui/file/456b3100d6e0364c036a33ca2d1c68f9e237520ab26da2b78d9dd55f1a2eec09/detection cestlaviewellnessretreat.com usconsultinghub.blog usconsultinghub.cloud file.cestlaviewellnessretreat.com files.cestlaviewellnessretreat.com # Reference: https://x.com/StrikeReadyLabs/status/1826432976894189825 # Reference: https://www.virustotal.com/gui/file/b8e69d6a766b9088d650e850a638d7ab7c9f59f4e24e2bc8eac41c380876b0d8/detection 185.235.241.208:1244 # Reference: https://www.sentinelone.com/labs/dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china/ hopanatech.com huguotechltd.com inditechlab.com tonywangtech.com wkjllc.com # Reference: https://x.com/TomHegel/status/1859663831510942204 sunlotustech.com # Reference: https://asec.ahnlab.com/en/87299/ # Reference: https://www.virustotal.com/gui/file/e967097a02185995ae58cded08f57e8984152124a3a34adc9543bd4ca1569e5e/detection # Reference: https://www.virustotal.com/gui/file/cdadeb1e8358a00ea6f74a42a2f536acc53981762aa1c01b53c62f8b4e278fb7/detection # Reference: https://www.virustotal.com/gui/file/b5ed9eb0073ba18e5aee28ff3bc41923ed7e9dbc14c9175c8f2d9bfc58f47402/detection # Reference: 
https://www.virustotal.com/gui/file/1fd921159de8ccf3c33c7ad3d52a4186c2695b858435e8e327c4d95a8d1b048a/detection http://103.35.190.170 http://135.181.242.24 http://191.96.31.38 http://45.12.134.206 http://45.8.146.93 http://86.104.72.247 45.8.146.93:443 86.104.72.247:443 royalsevres.com/bbs/bbs_img/btn_list.psd royalsevres.com/javascript/activex_patch.hwp # Reference: https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages http://144.217.86.88 # Reference: https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/ 172.86.93.139:3000 businesshire.top nvidiasdk.fly.dev # Reference: https://blog.talosintelligence.com/beavertail-and-ottercookie/ http://144.172.112.50 http://172.86.113.12 http://172.86.73.46 http://172.86.88.188 138.201.50.5:5961 172.86.88.188:1418 172.86.88.188:1476 # Reference: https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/ # Reference: https://www.virustotal.com/gui/file/aefc12b500b58fbc09ebbf34fe64b34cb32a27513478f4769447280ad23af4d2/detection anvil.org.ph/list/images/index.php bandarpowder.com/public/assets/buttons/bootstrap.php coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php ecudecode.mx/redsocial/wp-content/themes/buddyx/inc/Customizer/usercomp.php galaterrace.com/wp-content/themes/hello-elementor/includes/functions.php kazitradebd.com/wp-content/themes/hello-elementor/includes/customizer/customizer-hand.php mediostresbarbas.com.ar/php_scrip/banahosting/index.php mnmathleague.org/ckeditor/adapters/index.php oldlinewoodwork.com/wp-content/themes/zubin/inc/index.php partnerls.pl/wp-content/themes/public/index.php pierregems.com/wp-content/themes/woodmart/inc/configs/js-hand.php scgestor.com.br/wp-content/themes/vantage/inc/template-headers.php spaincaramoon.com/realestate/wp-content/plugins/gravityforms/forward.php trainingpharmacist.co.uk/bootstrap/bootstrap.php # Reference: 
https://x.com/TuringAlex/status/1986746682084839459 http://23.27.177.183 23.27.177.183:443 # Reference: https://x.com/lazarusholic/status/1988962619659886724 # Reference: https://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery/ http://146.70.253.10 http://23.227.202.242 http://23.254.164.156 http://45.76.160.53 n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion # Reference: https://x.com/lazarusholic/status/1990925548269568447 # Reference: https://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/ mnmathleague.com/ckeditor/adapters/index.php # Reference: https://www.validin.com/blog/inside_dprk_fake_job_platform/ advisorflux.com advisorflux.pages.dev assureeval.com carrerlilla.com consulturbo.com consulturbo.pages.dev lenvny.com pathsummitx.com pathsummitx.pages.dev app.carrerlilla.com app.lenvny.com # Reference: https://x.com/L0Psec/status/1992348070101791152 # Reference: https://x.com/__pberba__/status/1992762008069161317 # Reference: https://www.virustotal.com/gui/file/0048b92365f3ab21540b20a00a306c20ad016b334bce1dbb4fd85999278d5b54/detection # TITLE-HOST=LevinPros # TITLE-HOST=ZynoraCreative 147.93.40.224:3000 217.15.168.86:3000 31.220.62.190:3000 31.97.211.52:3000 72.60.174.178:3000 95.169.180.140:8080 levinpros.com limesurvey.us merreo.org qwary.org sloneek.us zynoracreative.com api.zynoracreative.com app.limesurvey.us app.merreo.org app.qwary.org app.sloneek.us app.zynoracreative.com patch.levinpros.com patch.zynoracreative.com # Reference: https://www.jamf.com/blog/flexibleferret-malware-continues-to-adapt/ 185.164.111.104:3000 31.220.48.106:3000 72.60.117.70:3000 72.60.173.32:3000 compassidea.org evaluino.com evaluza.com proficiencycert.com app.compassidea.org app.evaluino.com app.evaluza.com app.proficiencycert.com my-n8n-76.duckdns.org # Reference: https://socket.dev/blog/north-korea-contagious-interview-npm-attacks 144.172.104.117:5918 
knightsbridge-dex.vercel.app tetrismic.vercel.app # Reference: https://x.com/ValidinLLC/status/1994006209284788529 advisorygrid.com answerpart.com answerpart.pages.dev equisphirep.com skillroar.com stafnex.com app.answerpart.com # Reference: https://github.com/motuariki/IOCs/blob/main/DPRK%20Tracking/04-12-2025-DPRK-Fake-Meeting-Infrastructure businessgoogledoc.com mircosoftclouddocment.com sharefilesdocment.com superstate-team.xyz # Reference: https://urlscan.io/result/019ae9c9-3021-722e-a3db-20cc2005fc0f/ videohirepro.com # Reference: https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered 118.123.54.71:9999 119.6.121.143:9999 119.6.56.194:9999 125.65.88.195:9999 125.67.171.158:9999 149.28.139.62:8080 154.216.177.215:8080 182.136.120.52:9999 182.136.123.102:9999 207.254.22.248:8800 61.139.89.11:9999 # Reference: https://x.com/smica83/status/2007012261744030069 # Reference: https://www.virustotal.com/gui/file/5f9c4af7ac12197fb8df152d27f9aa6cc1add0613eb3ecfd7699807b0d35e577/detection # Reference: https://www.virustotal.com/gui/file/adeeff8fc41d1ba4922e92a5907f430122b9edc3b6dbe51f3d104fbee464b8ae/detection 144.172.114.238:8085 144.172.114.238:8086 144.172.114.238:8087 # Reference: https://x.com/malwrhunterteam/status/2008866701707038749 # Reference: https://www.virustotal.com/gui/file/ede27865d869f073d2bcafd7c633eee87e3fbfb6dcf115a9a8f39be9840fa6cd/detection 144.172.105.122:8085 144.172.105.122:8086 144.172.105.122:8087 # Reference: https://x.com/blackorbird/status/2011064658212634920 # Reference: https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure 216.250.251.87:1244 216.250.251.87:1245 216.250.251.87:1249 216.250.251.87:3389 45.43.11.199:1244 45.43.11.199:1249 45.43.11.199:3389 66.235.63.55:1244 66.235.63.55:1249 66.235.63.55:3389 brantwork.vercel.app kb102531x.vercel.app task-hrec.vercel.app /DAhkMrMq7/ # Reference: https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain 14.37.47.13:1244 
14.37.47.13:1245 165.140.85.105:1244 165.140.86.181:1244 165.140.86.181:1245 176.222.52.77:1244 176.222.52.77:1245 206.206.127.135:8080 206.206.127.80:8080 31.57.243.55:8080 38.146.28.177:8080 38.92.47.118:1244 38.92.47.155:1244 63.176.219.134:8080 66.235.168.17:1244 66.235.168.17:1245 # Reference: https://x.com/KfishNFT/status/2014379828787494923 # Reference: https://x.com/g0njxa/status/2014800328105894004 # Reference: https://radar.securityalliance.org/vs-code-tasks-abuse-by-contagious-interview-dprk/ # Reference: https://www.abstract.security/blog/contagious-interview-tracking-the-vs-code-tasks-infection-vector # Reference: https://www.virustotal.com/gui/file/60914b8df5b5d64070f71ef13817499b3a85de98433ae5c01bd235abec9464f6/detection # Reference: https://www.virustotal.com/gui/file/6be45e165de60b61e9b7cb9e1f9b72c652c388a04c02d2068de6188cc88fc3fe/detection # Reference: https://www.virustotal.com/gui/file/c226eb59cf696a85ed7134b57f12d82cb392d42b908dd6a463cd4d8c980ee5e8/detection # FAVICON_HASH-HOST=984ef72031945f19ce5cce5cb7d41be5 144.172.116.80:8085 144.172.116.80:8086 144.172.116.80:8087 147.124.202.194:1244 147.124.202.194:3000 api-server-mocha.vercel.app brantwork.vercel.app codeviewer-fawn.vercel.app codeviewer-three.vercel.app coreviewer.vercel.app editorsettings.vercel.app isvalid-region.vercel.app isvalid-regions.vercel.app jerryfox-platform.vercel.app regioncheck.xyz tailwind-version-four.vercel.app task-hrec.vercel.app thopywork.vercel.app tsukan.online vscode-bootstrapper.vercel.app vscode-config-setting.vercel.app vscode-config-settings.vercel.app vscode-config.vercel.app vscode-helper-132.vercel.app vscode-helper171-ruby.vercel.app vscode-helper171.vercel.app vscode-lnc.vercel.app vscode-load-config.vercel.app vscode-load.onrender.com vscode-project-setting.vercel.app vscode-settings-bootstrap.vercel.app vscode-settings-config.vercel.app vscode-toolkit-bootstrap.vercel.app vscodeconfig.com vscodesettingstask.vercel.app # Reference: 
https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/ anvil.org.ph/list/images/index.php bandarpowder.com/public/assets/buttons/bootstrap.php coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php ecudecode.mx/redsocial/wp-content/themes/buddyx/inc/Customizer/usercomp.php galaterrace.com/wp-content/themes/hello-elementor/includes/functions.php kazitradebd.com/wp-content/themes/hello-elementor/includes/customizer/customizer-hand.php mediostresbarbas.com.ar/php_scrip/banahosting/index.php mnmathleague.org/ckeditor/adapters/index.php oldlinewoodwork.com/wp-content/themes/zubin/inc/index.php partnerls.pl/wp-content/themes/public/index.php pierregems.com/wp-content/themes/woodmart/inc/configs/js-hand.php scgestor.com.br/wp-content/themes/vantage/inc/template-headers.php spaincaramoon.com/realestate/wp-content/plugins/gravityforms/forward.php trainingpharmacist.co.uk/bootstrap/bootstrap.php # Reference: https://redasgard.com/blog/hunting-lazarus-part2-blockchain-dead-drop 87.236.177.9:3000 # Reference: https://redasgard.com/blog/hunting-lazarus-part4-real-blood-on-the-wire 172.86.105.40:5918 216.250.251.87:1247 66.235.168.238:22411 66.235.168.238:22413 86.106.85.234:4558 # Reference: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-02-04-IOCs-for-December-2025-Contagious-Interview-activity.txt /michalcaladanxyz/caladanecomvp /michalcaladanxyz/ # Reference: https://x.com/L0Psec/status/2020850377801781319 # Reference: https://www.virustotal.com/gui/ip-address/95.169.180.198/relations # Reference: https://www.virustotal.com/gui/file/41c24510d95fcafc4cc3c31bebccc0c45afad114eb1c9bc6b49a69afc549d574/detection # Reference: https://www.virustotal.com/gui/file/867dd37ad635536cd9396c15944b9bca4b1fa9a9858171e164e73b9fc6be0d55/detection # Reference: https://www.virustotal.com/gui/file/cf33cc4237492b0660698f25548d6738ed1ff24d485dda9654a7fa0b476a953e/detection # 
BANNER_0_HASH-HOST=214d27afb3775896a143153135921994 # BANNER_0_HASH-HOST=46b8be35ecc4df1fa76c9471832384bd # BANNER_0_HASH-HOST=62930f9fb61101f55d4afcf5c9ab3b44 # BANNER_0_HASH-HOST=7cb10905be3d719e4ddbe860f8765ae4 # BANNER_0_HASH-HOST=9e61cf012c0627128cd97aa23613d894 # BANNER_0_HASH-HOST=c5f71956d0cb013b3138ed0ee96d8a80 # CERT_FINGERPRINT_SHA256-HOST=869357a8800692e5d7c9154a22cd240b19399c92748b9405df0355580e0dfb58 # CLASS_0_HASH-HOST=2a9aa943943423c1a6cac06ad610025f # CLASS_0_HASH-HOST=e177c0c822d74e6c25af8def1c966960 # ETAG-HOST=W/"2e-h4S+tZ8z8BZ5XI7+Vj1GJMeW3fA" # FAVICON_HASH-HOST=623b321cf1ae6f152ae4c9714ea8b402 # FAVICON_HASH-HOST=6503e00d4d2d9d31e422442c442c2aed # FAVICON_HASH-HOST=ce75376e80f2e8e1cb516c43fdb136f7 109.205.195.98:3000 144.172.115.189:8080 95.169.180.198:8080 1-73g.pages.dev 129react.pages.dev 1winfans.com adnoc.sbs advisor-ecareerflare.pages.dev advisornetic.com agafilime.com animoca.finance api.betterevaluation.us api.cincopa.org api.elemize.us api.entergenix.com api.equisphire.com api.evalium-expertises.us api.evaluateproficiency.com api.gappeo.us api.info-job.org api.jobecam.org api.jobecam.us api.keenest.org api.medincahub.com api.pre-screen.net api.pre-screen.online api.quant-screen.com api.softechsoftwares.co.ke api.tailora.org api.talentacq.pro api.viasto.us app.advisornetic.com app.animoca.finance app.aptitudespro.com app.askillo.online app.avasup.com app.betterevaluation.us app.cammio.org app.ecareerflare.com app.ehiremeasure.com app.eskillion.com app.evalcrew.com app.evalium-expertises.us app.evaliuminsights.com app.evalsuit.com app.gappeo.us app.getevalor.com app.gumlet.us app.harqen.us app.hirvexo.com app.insighboard.com app.keenest.org app.pancakeswap.studio app.poweem.com app.powerwize.org app.pre-screen.net app.prontoquiz.org app.quick-view.org app.recroya.com app.rev-prot.org app.rolevia.us app.scoret.net app.speedvice.com app.spiralboard.com app.survicate.us app.toptiercrew.com app.vervoe.org app.vervoe.us app.viasto.us 
app.vidcruiter.us app.visionaryte.org app.weboardtals.com app.wonderlic.net apply.ecareerflare.com apps.gappeo.us aptitudespro.com askillo.online atlas.small-forest-2b0b.workers.dev avasup.com aviamastersnetwork.com backend.pre-screen.net bapi.evalsuit.com belgiumchickenroad.com betterevaluation.us camdriver.pro cammio.org ccuk.edu.ng chickenbaloonsgame.com chickenfrroad.com chickenroad.chickenbaloonsgame.com chickenroad.chickenkitchengame.org chickenroad.eggfactorygame.es chickenroad.greatchickenescape.com chickenroad.happychickenmrs.com chickenroad.playskatepark.com chickenroad.plushtoytumama.com chickenroad.toadegged.com chickenroadbike.com chickenroadblast.com chickenroadcase.com chickenroadde.org chickenroadjump.org chickenroadjumping.com chickenroadpixel.com chickenroadrecipe.com chickenroadrocky.com chickenroadshow.com chickenroadsquad.com chickenroadstack.com chickenroadventures.com cincopa.org coinme.hiring-one.com copia.vin dataxo.net dev.copia.vin download.factrina.com download.getevalor.com download.inspach.com download.kooverly.org download.prontoquiz.org ecareerflare.com ecareerflare.pages.dev ehiremeasure.com elemize.us entergenix.com equisphire.com eskillion.com evalcrew.com evalium-expertise1.pages.dev evalium-expertise360.com evalium-expertises.us evaliuminsights.com evalsuit.com evaluateproficiency.com factrina.com fastwise.org file-secure-sharing.com filehosting.store fix.measureaptitudes.com front-bzi.pages.dev frontend-5e7.pages.dev ftp.ccuk.edu.ng ftp.dataxo.net ftp.kaltura.studio gappeo.us getevalor.com gumlet.us happychickenmrs.com harqen.us hiring-one.com hiring-you.com hirvexo.com info-job.org insighboard.com inspach.com jamesbillion.com jobecam.org jobecam.us kaltura.studio keenest.org koover.org kooverly.org mail.ccuk.edu.ng mail.kooverly.org main-aptitudespro.pages.dev main-az8.pages.dev measureaptitudes.com medincahub.com memo.ccuk.edu.ng mlischagori.pro moxtern.com mx.hiring-you.com my-c0m.pages.dev mypatchauto.com mypatchfree.com 
myproject-f8d.pages.dev new.hirvexo.com ns1.dataxo.net ns2.dataxo.net online.advisornetic.com online.betterevaluation.us online.evalium-expertises.us online.prontoquiz.org online.rev-prot.org online.spiralboard.com online.weboink.com pancakeswap.studio paxos-video-interviews.com paxos-video-recording.com paxos.video-hiring.com playskatepark.com plushtoytumama.com pop.dataxo.net portal.ccuk.edu.ng poweem.com powerwize.org powerwize.pages.dev pre-screen.net pre-screen.online prontoquiz.org quant-screen.com quick-view.org recroya.com recruit.vervoe.us rev-prot.org rolevia.us scoret.net server.pre-screen.net sightalent.org sightalent.pages.dev small-forest-2b0b.workers.dev softechsoftwares.co.ke speedvice.com spiralboard.com srv1283254.hstgr.cloud srv833039.hstgr.cloud staff.ccuk.edu.ng stake.trueskilltest.com stn.equisphire.com survicate.us tailora.org tailora.pages.dev talentacq.pro talentestpro.com tazmim.com techaipactch.com test.ccuk.edu.ng tether.trueskilltest.com toadegged.com toptiercrew.com tracking.toptiercrew.com trappuzzle.com trueskilltest.com update.koover.org us.evalium-expertises.us veeki.org vek.equisphire.com venceos.pages.dev vervoe.org vervoe.us viasto.us vidcruiter.us video-hiring.com videointerviewrecording.com vifort.org visionaryte.org weboardtals.com weboink.com wonderlic.net zoom.vervoe.us /realtekwin.update # Reference: https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs # Reference: https://www.virustotal.com/gui/file/2aaf4c62372fb1c84178d258576561d35d2a437341905db0c7c7a3d75219333f/detection # BANNER_0_HASH-HOST=21351a944fed5dcb776c0195c34eb8d2 angeldrop.cloud aurevian.cloud codepool.cloud # Reference: https://x.com/unpacker/status/2022669422411043001 # Reference: https://sp4rk.medium.com/beyond-the-backdoor-how-contagious-interview-is-surgically-tampering-with-metamask-wallets-0314ae901d85 145.59.1.45:1244 147.124.202.163:1243 202.163.147.124:1248 45.43.11.200:1244 45.43.11.248:1244 66.235.28.238:1244 66.235.28.238:1249 # 
Reference: https://x.com/phatomcandle/status/2023457365660704806 # Reference: https://www.virustotal.com/gui/file/8ff100ca86cb62117f1290e71d5f9c0519661d6c955d9fcfb71f0bbdf75b51b3/detection # Reference: https://www.virustotal.com/gui/file/972b598d709b66b35900dc21c5225e5f0d474f241fefa890b381089afd7d44ee/detection # Reference: https://www.virustotal.com/gui/file/d4c7dba741ee2eb888de9e3117fb2b1a759586b84e67b176d891c6811754ef3f/detection energydonate.com m.energydonate.com # Reference: https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/ # BANNER_0_HASH-HOST=74282cd1d17af9e4d46dd10700e4dc02 185.92.220.208:5000 185.92.220.208:5173 185.92.220.208:8080 admin-8jy8o7jbg.vercel.sh analytics-script-git-main.vercel.sh api-agent-2pqjsxiut.vercel.sh api-git-main.vercel.sh api-www-avatar-25fcc9rbk.vercel.sh astraluck-vercel.vercel.app barjobslasvegas-2f0akudpg-superbwebsolutions-e260a2eb.vercel.app beta-reactjs-org-1c98ufhjb-fbopensource.vercel.app binshtok-cowan-test-pwjs2ggdx.vercel.sh bot-protection-3bhbcw8wm.vercel.sh catalog-editorial-qdoii4smx-clg.vercel.app conf-2025-fcwpato0v.vercel.sh control-plane-default-ehybkouwd.vercel.sh coop-shop-next-jld7wvrxk-co-op-food-customer-experience.vercel.app coop-shop-next-philwolstenholme-co-op-food-customer-experience.vercel.app copper-fv73l6e9m.vercel.sh crawl-analysis-git-main.vercel.sh crawled-sitemap-git-main.vercel.sh curiosity-works-opschudding.vercel.app cv-8zz57gksb-simons-projects-486531f7.vercel.app dawiteewnetu-uxgr-ig97x97wa-dawite-ewnetus-projects.vercel.app dawiteewnetu-uxgr-l5fvt75j7-dawite-ewnetus-projects.vercel.app deng-labs-6ts0pz3vm.vercel.sh derek-site-2026-6g03r9taz-derek-martins-projects.vercel.app docs-git-fix-issue-330-driveclub.vercel.app docs-payload-dgwy6heek.vercel.sh edge-runtime-git-main.vercel.sh examples-basic-web.vercel.sh expert-mode-1c2u0v83b-chainlinklabs.vercel.app expert-mode-1ruzfeq6x-chainlinklabs.vercel.app expert-mode-iebahb8mh-chainlinklabs.vercel.app 
expert-mode-ifa37strm-chainlinklabs.vercel.app expert-mode-ilj8udtti-chainlinklabs.vercel.app expert-mode-j12s18yqd-chainlinklabs.vercel.app expert-mode-kpwcznf9q-chainlinklabs.vercel.app expert-mode-n0lcsjlju-chainlinklabs.vercel.app expert-mode-omc4wsgd7-chainlinklabs.vercel.app expert-mode-otcucejsn-chainlinklabs.vercel.app expert-mode-retiqr6xk-chainlinklabs.vercel.app expert-mode-rr4zcmoka-chainlinklabs.vercel.app flag-git-main.vercel.sh geist-docs-n03iy9wgb.vercel.sh geist-storybook-kbjruqxe3.vercel.sh geist-storybook-nyf9kazrs.vercel.sh getapilatency.onrender.com getpngdata.vercel.app githero-dev7uf163-gimenetes-projects.vercel.app googlezauthtoken.vercel.app instant-preview-site-9w675nmgg.vercel.sh internal-engineering-documentation-site-mrj1hhs06.vercel.sh ip-api-test.vercel.app jwt-alpha-woad.vercel.app marketplace-neut52jgl.vercel.sh maverick-njkr6h6me-sohybes-projects.vercel.app metric-analytics.vercel.app metrics-dashboard-7lgdhdfot-peter1.vercel.app my-3d-portfolio-1o6x-j8oobuufq-hadi-arabis-projects.vercel.app my-3d-portfolio-598x-c8nb68kta-hadi-arabis-projects.vercel.app my-3d-portfolio-598x-git-main-hadi-arabis-projects.vercel.app next-master-pwg93975l-now-examples.vercel.app nextjs-conf-2024-jwokq4e6s.vercel.sh nextjs-stripe-template.vercel.sh now-examples-3ok9tvp04.zeit.sh now-examples-5onkajpkx.zeit.sh now-examples-6pn2lr1ir.zeit.sh now-examples-7v52p79xj.zeit.sh now-examples-7voymifaz.zeit.sh now-examples-7xu2100yl.zeit.sh now-examples-9zv8bcocf.zeit.sh now-examples-bd1jwqxdf.zeit.sh now-examples-crsku8zyd.zeit.sh now-examples-d8gbron9h.zeit.sh now-examples-dge5dpeg6.zeit.sh now-examples-dhev9x619.zeit.sh now-examples-enprlx5lm.zeit.sh now-examples-j447nc3bq.zeit.sh now-examples-nqk5yw2f2.zeit.sh now-examples-oiceysajh.zeit.sh now-examples-rnwbzp2r8.zeit.sh now-tgxhacluff.now.sh og-examples-4gnvoge9a.vercel.sh oidc-issuer-8pba9g3rc.vercel.sh openmodules.org peninsulaparking-5ubyvdtqb-om-sanghvis-projects.vercel.app 
picolink-jorisjgriffioen.vercel.app playingwithcodex-git-codex-implement-en-954ce6-shnurps-projects.vercel.app pngconvert-p0kl4fodi-jhones-projects-f8ddbcbe.vercel.app portfolio-naylinmyats-projects.vercel.app pronoia-kkeeland-4878s-projects.vercel.app pyra-docs-git-main.vercel.sh pyra-docs.vercel.sh rocket-resume.vercel.app sakuramedia-git-cognito-sakura-media.vercel.app ship-ai-2025-gguq0jdwo.vercel.sh site-git-fix-issue-330-driveclub.vercel.app solutions-subdomains-auth.vercel.sh testserver-l0hpvjw5b.vercel.sh upstash-docs-upstash.vercel.app v0-frame-render-engine-4vo9x0236.vercel.sh v0-frame-render-engine-ayk1sm54x.vercel.sh v0-frame-render-engine-git-iansbrash-promo-page.vercel.sh v0-frame-render-engine-git-ido-01-16-xwol1.vercel.sh v0-frame-render-engine-git-ma-fix-integration-layout.vercel.sh v0-frame-render-engine-git-max-01-15-update.vercel.sh v0-frame-render-engine-git-tz-chatzipupload0115.vercel.sh v0-frame.vercel.sh v0-vercel-webhook-automation-fp90rr464.vercel.sh vercel-academy-lhaqud9fg.vercel.sh vercel-agent-bvszyn2w5.vercel.sh vercel-agent-code-review-2l2w1466s.vercel.sh vercel-agent-code-review-f2jv6t9a5.vercel.sh vercel-alerts-n4q8h9gnw.vercel.sh vercel-dash-3cr0qiedg.vercel.sh vercel-dash-hw9r7f35s.vercel.sh vercel-dash-keh9xf79l.vercel.sh vercel-dashboard-7epa04yyk.vercel.sh vercel-dashboard-nc6g2xtna.vercel.sh vercel-dashboard-q42jpk16z.vercel.sh vercel-docs-proxy-5ovwbe3iw.vercel.sh vercel-docs-proxy-5xb0awnoq.vercel.sh vercel-marketing-gkaxe8vec.vercel.sh vercel-marketing-n6pm8fju2.vercel.sh vercel-marketing-obv54w0jf.vercel.sh vercel-ship-f9ny6po6t.vercel.sh vercel-site-1ddnejsfa.vercel.sh vercel-site-33i0im1gu.vercel.sh vercel-site-git-main.vercel.sh vercel-site-gow03hmpw.vercel.sh vercel-site-ivfjv5dp5.vercel.sh vercel-site-r50pzdsjo.vercel.sh vercel-site.vercel.sh vercel-tmdb-wangsy1007s-projects.vercel.app vscode-load.vercel.app wealth-94t6wfs93-wealthcom.vercel.app wealth-lm7yyddh8-wealthcom.vercel.app 
wealth-web-courtneyoconnell-wealth-wealthcom.vercel.app wealth-web-git-apfot-612-implement-unique-urls-5bb992-wealthcom.vercel.app wealth-web-git-auth0-poc-wealthcom.vercel.app wealth-web-git-decouple-extraction-loading-states-wealthcom.vercel.app wealth-web-git-dev-vito-docx-wealthcom.vercel.app wealth-web-git-feature-advyzon-fe-update-wealthcom.vercel.app wealth-web-git-feature-tp-baseline-stretch-wealthcom.vercel.app wealth-web-git-fos-463-cetera-fix-wealthcom.vercel.app wealth-web-git-niece-nephew-parent-save-fix-wealthcom.vercel.app wealth-web-git-quickactionsmodal2-wealthcom.vercel.app web3-metric-analytics.vercel.app wedding-fkdp77wwj-gianclaudiocarellas-projects.vercel.app wot-design-qn1zw7qfc-moonofweisheng.vercel.app zksync-blog-git-adding-to-prividium-the-tm-matter-labs-651a8986.vercel.app zksync-enterprise-df1wkzlnd-matter-labs-651a8986.vercel.app zksync-enterprise-pxn6m30gh-matter-labs-651a8986.vercel.app zone-api-navy.vercel.app # Generic /daumeditor/pages/template/ /daumeditor/pages/template/simple.asp /daumeditor/pages/template/template.asp /levels4SqR8/measure.asp /mall/community/bbs_read.asp /niabbs5/upload/gongji/index.php /niabbs5/upload/gongji/ /_manage/inc/bbs/jiyeuk1_ok.asp /inc/bbs/jiyeuk1_ok.asp /asdfghjkl /qwertyuiop /qwertyuiop/asdfghjkl /Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/ /Of56cYsfVV8/ /OJITWH2WFx/ /Jy5S7hSx0K/ /fP7saoiPBc/