# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt-c-26, dangerous passwords, hidden cobra, guardians of peace, zinc, nickel academy, manuscrypt

# Reference: https://cdn.securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf

exbonus.mrbasic.com
movis-es.ignorelist.com
tradeboard.mefound.com
update.toythieves.com
sap.misapor.ch

# Reference: https://securelist.com/operation-applejeus/87553/

celasllc.com
185.142.236.226
185.142.239.173
196.38.48.121
80.82.64.91

# Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea

tpddata.com
itaddnet.com
wifispeedcheck.net
coinoen.org                          
coinmaketcape.com
bitfiniex.org
apshenyihl.com/include/arc.speclist.class.php                                   
ap8898.com/include/arc.search.class.php                              
anlway.com/include/arc.search.class.php                              
tpddata.com/skins/skin-8.thm                                   
tpddata.com/skins/skin-6.thm
168wangpi.com/include/charset.php
ando.co.kr/service/s_top.asp
ansetech.co.kr/smarteditor/common.asp
mileage.krb.co.kr/common/db_conf.asp
028xmz.com/include/common.php
33cow.com/include/control.php
51up.com/ace/main.asp
530hr.com/data/common.php
97nb.net/include/arc.sglistview.php
marmarademo.com/include/extend.php
paulkaren.com/synthpop/main.asp
shieldonline.co.za/sitemap.asp

# Reference: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/
# Reference: https://twitter.com/KevinPerlow/status/1083759627714682880
# Reference: https://twitter.com/Bank_Security/status/1107543887462064128
# Reference: https://www.hybrid-analysis.com/sample/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/5c8a414a0388381b3f329926
# Reference: https://www.virustotal.com/gui/file/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/detection
# Reference: https://twitter.com/ClearskySec/status/1084463729633316864

bodyshoppechiropractic.com
drupdate.club
ecombox.store
/tbl_add.php

# Reference: https://otx.alienvault.com/pulse/5c8b8e19261a7451de02bf60/

http://37.238.135.70/img/anan.jpg

# Reference: https://otx.alienvault.com/pulse/5c9a4d9f90726d0988873a2b
# Reference: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/

dev.microcravate.com
nzssdm.com
bluecreekrobotics.com/wp-includes/common.php
dev.microcravate.com/wp-includes/common.php
dev.whatsyourcrunch.com/wp-includes/common.php
enterpriseheroes.com.ng/wp-includes/common.php
hrgp.asselsolutions.com/wp-includes/common.php
baseballcharlemagnelegardeur.com/wp-content/languages/common.php
bogorcenter.com/wp-content/themes/index2.php
eventum.cwsdev3.bi.com/wp-includes/common.php
streamf.ru/wp-content/index2.php
towingoperations.com/chat/chat.php
vinhsake.com/wp-content/uploads/index2.php
tangowithcolette.com/pages/common.php

# Reference: https://twitter.com/blackorbird/status/1110750919082147842
# Reference: https://blog.alyac.co.kr/2219

alahbabgroup.com
http://47.91.56.21/verify.php
http://103.225.168.159/admin/verify.php

# Reference: https://twitter.com/blackorbird/status/1111449536910680065

wb-bot.org
wb-invest.net

# Reference: https://twitter.com/KevinPerlow/status/1136994848341409792

sbackservice.com

# Reference: https://twitter.com/navSi16/status/1148192534654439426
# Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7

sensationalsecrets.com/js/left.php

# Reference: https://twitter.com/blackorbird/status/1148843702690832385

194.45.8.41:443

# Reference: https://twitter.com/bad_packets/status/1148864469486854144
# Reference: https://pastebin.com/G0Ad5Ut6

http://178.128.253.67/tbl_add.php

# Reference: https://twitter.com/RedDrip7/status/1148887458152472576

byucksanpaint.com/community/com_gon_open.asp

# Reference: https://otx.alienvault.com/pulse/5d2c64b174175b03e7db85cd

http://103.53.176.145:8080/ServiceDeskPlus/products.do
http://111.68.126.155:8080/ServiceDeskPlus/products.do
http://137.117.57.244:8080/ServiceDeskPlus/products.do
chanbang.co.kr/board/check.asp
chanbang.co.kr/family/check.asp
chanbang.co.kr/gonggu/upload.asp
difa.or.kr/common/asp/inc_Comn.asp
edenenc.co.kr/Report/RptMyReport.asp
egreenland.co.kr/cheditor2/example/newpost.asp
hanbook.co.kr/partnershop/hanmail_ep.asp
img.kindermom.co.kr/frameart/print/footer.mov
kgsa1015.co.kr/upload/member/member.asp
rodaxsankyokorea.com/upload/favicon/favicon.asp
sinokor-eng.com/sub/sub01_09.asp

# Reference: https://otx.alienvault.com/pulse/5d2dca0a1c7d00fa07be15e5

byucksanpaint.com/community/com_gon_open.asp
byucksanpaint.com/main/main4.asp
keyang.co.kr/pub/editor/wa_path.asp
upload.childu.co.kr/include/OnlyOne1.asp

# Reference: https://twitter.com/cyberwar_15/status/1152035187196223488

lavaandstone.com/wp-content/plugins/fusion-core/about.php
sales.alitho.com/wp-content/themes/sketch/about.php
amytanathorn.com/wp-admin/includes/about.php

# Reference: https://twitter.com/cyberwar_15/status/1153123863435214848

rhythm86.com/wp-content/themes/twentysixteen/about.php
cabba-cacao.com/wp-content/themes/integral/about.php
3x-tv.com/plugins/editors/about.php

# Reference: https://twitter.com/KorbenD_Intel/status/1158479283549089792
# Reference: https://www.virustotal.com/gui/file/3bba04f277e7f51a5500f7b144fdbd851954e4f94bb0290e49fc63f6fc807321/detection

policyupdates.info

# Reference: https://twitter.com/cyberwar_15/status/1166282138179624960
# Reference: https://twitter.com/navSi16/status/1166287915959214080

youdermoscopy.org/media/fly.avi
youdermoscopy.org/media/fly312.avi

# Reference: https://blog.alyac.co.kr/2500 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d6940cb9e719255258969f5

alnagm-press.com/wp-content/plugins/cloudflare/list.php
elsouq.org/aramex/left.php
swedishmassageamsterdam.nl/wp-content/themes/top.php

# Reference: https://twitter.com/cyberwar_15/status/1175940165425958912

http://158.69.57.135
http://92.222.106.229

# Reference: https://securelist.com/my-name-is-dtrack/93338/
# Reference: https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/
# Reference: https://otx.alienvault.com/pulse/5d88b31dea7f4b9d4701d7e8
# Reference: https://www.virustotal.com/gui/file/fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702/detection
# Reference: https://www.virustotal.com/gui/file/58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb/detection

katawaku.jp/bbs/data/theme/profile2.php
materialindia.in
totalmateria.net
cyberub.com/board/icon/template/template_ro.php
/gallery/profile2.php
/theme/profile2.php
/wp/profile2.php

# Reference: https://twitter.com/KseProso/status/1178580006047539200

heromessi.com/wp-public/career/car_add.php

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-12-lazarus-resurfaces-targets-global-banks-bitcoin-users/lazarus-resurfaces-targets-global-banks-bitcoin-users.csv

deltaemis.com

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-11-20-android-malware-appears-linked-to-lazarus-cybercrime-group/android-malware-appears-linked-to-lazarus-cybercrime-group.csv

vmware-probe.zol.co.zw

# Reference: https://app.any.run/tasks/01497f45-7fba-4356-bbdc-4270e51c2465/
# Reference: https://twitter.com/Rmy_Reserve/status/1181528617374777344
# Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea

gp-core.com
gp-main.com

# Reference: https://twitter.com/VK_Intel/status/1182722604240719872
# Reference: https://objective-see.com/blog/blog_0x49.html (# AppleJeus)

185.228.83.32:443
beastgoc.com
/grepmonux.php

# Reference: https://twitter.com/kyleehmke/status/1184120287199223808
# Reference: https://www.virustotal.com/gui/ip-address/185.228.83.129/relations

dev.jmttrading.org

# Reference: https://twitter.com/RedDrip7/status/1186562944311517184
# Reference: https://blog.alyac.co.kr/2388 (Korean)
# Reference: https://twitter.com/RedDrip7/status/1186562944311517184
# Reference: https://otx.alienvault.com/pulse/5db06ad90686f3bad959d7fc

crabbedly.club
craypot.live
czinfo.club
indagator.club
pegasusco.net
smilekeepers.co

# Reference: https://twitter.com/0xD0CF11E0A1B11/status/1187264570861076481

thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi
juliesoskin.com/includes/common/list.php
necaled.com/modules/applet/list.php
valentinsblog.de/wp-admin/includes/list.php

# Reference: https://twitter.com/blackorbird/status/1187619261612609536
# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html
# Reference: https://www.virustotal.com/gui/ip-address/218.255.24.226/relations

119.18.230.253:443
218.255.24.226:443

# Reference: https://twitter.com/Rmy_Reserve/status/1188235835956551680
# Reference: https://app.any.run/tasks/42c972b1-ec38-4637-9354-9de930ff50b2/

curiofirenze.com

# Reference: https://twitter.com/blackorbird/status/1202177008572092417

unioncrypto.vip

# Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/

107.172.197.175:443
172.93.201.219:443
192.210.213.178:443
198.180.198.6:443
209.90.234.34:443
23.227.196.116:443
23.227.199.53:443
23.254.119.12:443
23.81.246.179:443
37.72.175.179:443
64.188.19.117:443
74.121.190.121:443

# Reference: https://securelist.com/operation-applejeus-sequel/95596/
# Reference: https://otx.alienvault.com/pulse/5e15b526b4f8bc605744ad76

aeroplans.info
beastgoc.com
buckfast-zucht.de
chainfun365.com
cyptian.com
invesuccess.com
jmttrading.org
mydealoman.com
private-kurier.com
unioncrypto.vip
wb-bot.org
wb-invest.net
wfcwallet.com

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-03-08-hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.csv

falcancoin.io

# Reference: https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045d
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045e
# Reference: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045b
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045a
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045f

94.177.123.138:8088
193.56.28.103:88
197.211.212.59:7443
181.39.135.126:7443
112.175.92.57:443
81.94.192.147:443
21.252.107.198:23164
70.224.36.194:59681
113.114.117.122:23397
47.206.4.145:59067
84.49.242.125:17770
26.165.218.44:2248
137.139.135.151:64694
97.90.44.200:37120
128.200.115.228:52884
186.169.2.237:65292
188.165.37.168:80
159.100.250.231:80
159.100.250.231:8080
107.6.12.135:443
210.202.40.35:443

# Reference: https://twitter.com/AffableKraut/status/1234726033930248198

74.121.190.140:8443

# Reference: https://twitter.com/RedDrip7/status/1254678135133442048
# Reference: https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-targeted-attack-against-south-korea-using-new-crown-outbreak-bait/
# Reference: https://www.virustotal.com/gui/domain/teslacontrols.ir/relations

afuocolento.it/wp-admin/network/server_test.php
kingsvc.cc
mbrainingevents.com/wp-admin/network/server_test.php
sofa.rs/wp-admin/network/server_test.php
sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg
teslacontrols.ir/wp-includes/images/detail31.jpg
teslacontrols.ir/wp-includes/images/detail32.jpg
/wp-admin/network/server_test.php

# Reference: https://twitter.com/cyberwar_15/status/1254736896330133504

matteoragazzini.it/wp-content/uploads/2017/06/category.php

# Reference: https://twitter.com/DeadlyLynn/status/1257504361577496576
# Reference: https://twitter.com/ShadowChasing1/status/1257511608189743105

astedams.it/uploads/template/17.dotm
astedams.it/include/inc-elenco-offerter.asp

# Reference: https://twitter.com/spider_girl22/status/1258224278194941953

astedams.it/uploads/frame/61.dotm

# Reference: https://objective-see.com/blog/blog_0x57.html
# Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/
# Reference: https://otx.alienvault.com/pulse/5eb2fabf6c26a287f705ca20

185.62.58.207:443
67.43.239.146:443

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md#IOC
# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/CSV/IOC-Lazarus_2020_05_05.csv
# Reference: https://www.virustotal.com/gui/file/1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f/behavior/VMRay
# Reference: https://www.virustotal.com/gui/file/66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88/behavior/QiAnXin%20RedDrip

51.77.65.154:443
192.169.250.185:443
sanlorenzoyacht.com/newsl/uploads/docs/43.dotm
elite4print.com/admin/order/batchPdfs.asp
od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm

# Reference: https://twitter.com/cyberwar_15/status/1264353716930412544
# Reference: https://www.virustotal.com/gui/file/e637c86ae20a7f36a0ad43618b00c48f47b5591a03af3fb689a16c45afa43733/detection
# Reference: https://www.virustotal.com/gui/file/d3a402458682c4febacc6ae4bc98e15e92142603a97d51316eeee9e8bca77f88/detection

depts.washington.edu/dswkshp/wordpress/wp-content/themes/twentyfifteen/inc/io/

# Reference: https://twitter.com/spider_girl22/status/1265486116393713665

anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg

# Reference: https://twitter.com/cyberwar_15/status/1265266629044080642
# Reference: https://asec.ahnlab.com/1323 (Korean)

mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php
sixbitsmedia.com/wp-content/uploads/wp-logs/category.php

# Reference: https://twitter.com/ShadowChasing1/status/1267431134662541317

fudcitydelivers.com
sctemarkets.com

# Reference: https://twitter.com/IntezerLabs/status/1268158680593313794

threegood.cc

# Reference: https://twitter.com/ccxsaber/status/1268020350605910016

coingotrade.com
kupaywallet.com

# Reference: https://twitter.com/Vishnyak0v/status/1269635930878545922

bluemoonresearch.org
fitnessdirector.net

# Reference: https://twitter.com/RedDrip7/status/1270201358721769475

paghera.com/include/inc-main-default-news.asp

# Reference: https://twitter.com/ShadowChasing1/status/1270728525926944768

ne-ba.org/files/gallery/img/img.asp

# Reference: https://twitter.com/MBThreatIntel/status/1270741821560406019

160.20.147.253:8443
audiopodcasts.co/verify.php
lastedforcast.com/list.php

# Reference: https://twitter.com/spider_girl22/status/1275366600560873473
# Reference: https://www.virustotal.com/gui/file/0fa91cac5712cfc0848af092190fd3d09948f1a7750547f0f16d1867dac6288a/detection

thestreetsmartsalesman.com/wp-content/uploads/wp-logs/category.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1275396942139469824
# Reference: https://app.any.run/tasks/5ddb7e93-bfc8-49a9-bd52-6b70f57c3846/

scertodisha.nic.in/wp-content/plugins/photo-gallery/admin/controllers/Photo.php
haciendasacchich.com/wp-content/plugins/photo-gallery/admin/views/404.php
annafalkenau.com/awstats/data/upload.php

# Reference: https://blog.reversinglabs.com/blog/hidden-cobra
# Reference: https://otx.alienvault.com/pulse/5ef2252af73ae43d92eecd15

1688dsj.com
amytanathorn.com
ccsnbao.com
fmose.com
fudcitydelivers.com
lavaandstone.com
sctemarkets.com
vns1389.com

# Reference: https://twitter.com/ShadowChasing1/status/1276324740878102529

anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg

# Reference: https://twitter.com/JAMESWT_MHT/status/1276471822217891840
# Reference: https://app.any.run/tasks/109752e9-2c7f-4d5c-9c3f-300bddc4c0db/

down.1230578.com

# Reference: https://twitter.com/felixaime/status/1280053007036624896
# Reference: https://sansec.io/research/north-korea-magecart
# Reference: https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/
# Reference: https://www.virustotal.com/gui/file/a6c803d7a185f896a6c90f78891c5dbb904df3535825764e05432641ab059fb1/detection

areac-agr.com
papers0urce.com

# Reference: https://twitter.com/gwillem/status/1281128245052805120

focuscamere.com

# Reference: https://twitter.com/patrickwardle/status/1286109626941845504
# Reference: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/

104.232.71.7:443
107.172.197.175:443
108.170.31.81:443
111.90.146.105:443
111.90.148.132:443
172.81.132.41:443
172.93.184.62:443
172.93.201.219:443
185.62.58.207:443
192.210.239.122:443
198.180.198.6:443
209.90.234.34:443
216.244.71.233:443
23.227.199.53:443
23.227.199.69:443
23.254.119.12:443
67.43.239.146:443
68.168.123.86:443

# Reference: https://twitter.com/cyberwar_15/status/1287291019537473538

nextlevelliving.pro/wp-content/uploads/js_composer/images/8c206b81-f5b1-4242-84d3-237ce728ff35.php

# Reference: https://twitter.com/AnonySecAgency/status/1290115260116897792
# Reference: https://www.virustotal.com/gui/file/40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13/detection

publishapp.co

# Reference: https://twitter.com/RedDrip7/status/1293462469214531584
# Reference: https://www.virustotal.com/gui/file/b0921142f8d3067c8253931977999a5092470ff3e562586d87af68c28ec66a99/detection

unsunozo.org/include/notes/notes.asp

# Reference: https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html
# Reference: https://otx.alienvault.com/pulse/5f4d20e8d417f271a62e0aeb

gestao.simtelecomrs.com.br/sac/digital/client.jsp
sac.onecenter.com.br/sac/masks/wfr_masks.jsp
mk.bital.com.br/sac/Formule/Manager.jsp

# Reference: https://twitter.com/IntezerLabs/status/1300403461809491969
# Reference: https://analyze.intezer.com/analyses/13d64c6e-6ac7-4888-a682-138a06cbaf16/
# Reference: https://www.virustotal.com/gui/file/390f9aae2dd5f0584106e3aa315bbd28a8c6479f126a4f13c7c3a62e19356634/detection

104.217.163.61:443
107.175.172.129:443
37.72.168.228:443

# Reference: https://twitter.com/ShadowChasing1/status/1302180729174937600

fabianiarte.com/uploads/imgup/21it-23792.jpg

# Reference: https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html
# Reference: https://otx.alienvault.com/pulse/5f7389601681e32d5bf045f6

automercado.co.cr/empleo/css/main.jsp
curiofirenze.com/include/inc-site.asp
ne-ba.org/files/news/thumbs/thumbs.asp
sanlorenzoyacht.com/newsl/include/inc-map.asp

# Reference: https://twitter.com/h2jazi/status/1311644338812792833
# Reference: https://www.virustotal.com/gui/file/d2f1cccfe688c074c3d58ae8f7be7b10dbea5d7ae53320c3f7b6e48cd4f62955/detection

phukien2a.net/images/images.zip.000

# Reference: https://blog.talosintelligence.com/2020/11/crat-and-plugins.html
# Reference: https://otx.alienvault.com/pulse/5faf04431c479940b422288b

teslacontrols.ir/wp-includes/images/detail31.jpg
teslacontrols.ir/wp-includes/images/detail32.jpg
sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg
publishapp.co/update/check.php
sideforum.cc/forum/list.php
freeforum.co/forum/list.php
goodfriend.pro/projects/list.php
friendship.me/users/register.php
threegood.cc/api/manage/customers
Engpro.xyz/images/detail.php
infocop.me/products/list.php
teamspit.pro/adverts/follow.php
dodoi.cc/photos/preview.php
advertapp.me/user/invite.php
insideforum.me/forum/list.php
anyoneforum.cc/forum/list.php
goodproject.xyz/projects/list.php
hellofriend.pro/users/register.php
moonge.cc/wp-content/plugins/google-sitemap-generator/sitemap-builder-embed.php
calculactcal.org/wp-content/themes/twentysixteen/body.php
3cuartos.com/wp-content/plugins/music-press-pro/templates/global/update.php
worldfoodstory.co.uk/wp-includes/register.php
bokkeriejesj.nl/wp-content/plugins/music-press-pro/upload.php
encontrosmaracatu.com.br/wp-content/plugins/music-press-pro/templates/global/topmenu.php
theblackout.fr/wp-content/plugins/music-press-pro/music-pro.php
mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php
tiramisu.it/wp-content/plugins/wp-comment-form.php
kartacnictvi.cz/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/upload.php
dimer-group.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/download.php
ecolerubanvert.com/wp-content/plugins/image-intense/know.php
lwac.com/wp-content/plugins/gallery-plugin/includes/demo-data/images/music/photo.php
copansrl.it/wp-admin/user/invite.php
arar-musique.fr/wp-content/plugins/music-press-pro/includes/admin/upgrade.php
firstalliance.church/wp-content/plugins/music-press/templates/404.php
erickeleo.com.br/wp-content/plugins/music-press-pro/go.php
kingsvc.cc/index.php
sofa.rs/wp-admin/network/server_test.php
afuocolento.it/wp-admin/network/server_test.php
mbrainingevents.com/wp-admin/network/server_test.php
afuocolento.it/wp-includes/process.php

# Reference: https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/
# Reference: https://otx.alienvault.com/pulse/5fb4044fd5f18831c24c6af6

cowp.or.kr/html/board/main.asp
erpmas.co.kr/Member/franchise_modify.asp
fored.or.kr/home/board/view.php
gncaf.or.kr/cafe/cafe_board.asp
gongsinet.kr/comm/comm_gongsi.asp
goojoo.net/board/banner01.asp
hsbutton.co.kr/bbs/bbs_write.asp
hstudymall.co.kr/easypay/web/bottom.asp
ikrea.or.kr/main/main_board.asp
pcdesk.co.kr/Freeboard/mn_board.asp
pgak.net/service/engine/release.asp
quecue.kr/okproj/ex_join.asp
style1.co.kr/main/view.asp
wowpress.co.kr/customer/refuse_05.asp
zndance.com/shop/post.asp

# Reference: https://twitter.com/h2jazi/status/1334353120038678528
# Reference: https://www.virustotal.com/gui/file/c19064733f2a23f09c8b16b3847cceeac8f61488be57911cefceb75425501097/detection

ilhak.co.kr/images/data/upload.asp
ktri.or.kr/upload/mail/upload.asp
warevalley.com/support/orange_open.asp

# Reference: https://twitter.com/BitsOfBinary/status/1321488299932983296
# Reference: https://twitter.com/BitsOfBinary/status/1337330286787518464
# Reference: https://twitter.com/mg2_tracy1/status/1337335098224508928
# Reference: https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=3051

admforte.com.br/wp-content/plugins/top.php
dafnefonseca.com/wp-content/themes/top.php
drei-schneeballen.de/wp-content/plugins/nextgen-gallery/view.php
funny-pictures.picphotos.net/saint-louis-senior-photos-senior-pictures-seniors-st-louis-st-louis/upload.php
greenvideo.nl/wp-content/themes/top.php
haciendadeclarevot.com/wp-content/top.php
justholdfast.com/doodle/wp-content/plugins/top.php
qwerty.creativehonduras.com/wp-includes/class-wp-redirect.php
shahrtdc.com/wp-content/plugins/top.php
tag-cloud-photo.freeware.filetransit.com/login.php
urbankizomba.se/wp-content/plugins/photo-gallery/filemanager/upload.php

# Reference: https://otx.alienvault.com/pulse/5fd8dbfcfed23b6fa1393ea9

yakufreshperu.com/facturacion/public/css/main.php
shikshakibaat.com/classes/detail.jsp
sanlorenzoyacht.com/newsl/include/inc-map.asp
paghera.com/content/view/thumb/info.asp
lyzeum.com/popup/popup.asp
index-consulting.jp/eng/news/index.php
hansolhope.or.kr/welfare/notice/view.jsp
forecareer.com/gdcareer/officetemplate-20nab.asp
fidesarte.it/thumb/multibox/style/common.asp
fabianiarte.com/uploads/imgup/21it-23792.jpg
fabianiarte.com/pdf/thumbs/thumb.asp
emilypress.com/CMWorking/Static/service/center.asp
curiofirenze.com/include/inc-site.asp
calculadoras.mx/themes/pack/pilot.php
automercado.co.cr/empleo/css/main.jsp
astedams.it/photos/image/image.asp
arumdaunresort.com/admin/html/user/contact.asp
apars-surgery.org/bbs/bbs_files/board_photo/menu.php
anca-aste.it/uploads/form/02E319AF73A33547343B71D5CB1064BC.dotm
vega.mh-tec.jp/.well-known/index.php
turnscor.com/ACT/images/slide/view.jsp
prestigein-am.jp/akita/wp-includes/wp-rss1.php
genieaccount.com/images/common/common.asp
acanicjquery.com/slides/style.php
mannpublicwhseltd.com/cservice.asp
hirokawaunso.co.jp/wordpress/wp-includes/review.php
anisweb.org/layout/site/style/preview.jsp
support.medicalinthecloud.com/TechCenter/include/slide.asp
pennontraders.com/assets/slides/view.jsp
indoweb.org/love/data/common/common.php
admin.shcpa.co.kr/_asapro2/formmail/lib.php
http://137.74.114.227/theveniaux/webliotheque/public/css/main.php
http://125.206.177.152/old/viewer.php

# Reference: https://twitter.com/BitsOfBinary/status/1339623925274296323

muzeyyengroup.com/wp-content/help.php
puskesmas-terminal.com/wp-content/help.php
zeandf.com/wp-content/help.php

# Reference: https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
# Reference: https://otx.alienvault.com/pulse/5fe36c30dbe6a83c04783415

bytecortex.com.br/eletronicos/digital.jsp
client.livesistemas.com/Live/posto/system.jsp
cometnet.biz/framework/common/common.asp
gongim.com/board/ajax_Write.asp
iski.silogica.net/events/serial.jsp
k-kiosk.com/bbs/notice_write.asp
kne.co.kr/upload/Customer/BBS.asp
locknlockmall.com/common/popup_left.asp
sac.najatelecom.com.br/sac/Dados/ntlm.jsp
sistema.celllab.com.br/webrun/Navbar/auth.jsp

# Reference: https://twitter.com/ShadowChasing1/status/1349924271791882247
# Reference: https://www.virustotal.com/gui/file/867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36/detection
# Reference: https://www.virustotal.com/gui/file/89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957/detection

aideck.net

# Reference: https://twitter.com/ShadowChasing1/status/1349927630183694339

creaideck.com/update/darwin64.bin

# Reference: https://www.virustotal.com/gui/file/d09041e3d635ddb28540b11cf180a30a28fc04c2ee6e5d994aa0bacc9633e944/detection

hpc.kau.ac.kr/rolling_banner/tmp4c5ae3.p3a
hpc.kau.ac.kr/error2.php

# Reference: https://twitter.com/BushidoToken/status/1353684625382641664
# Reference: https://www.virustotal.com/gui/ip-address/120.138.8.26/relations
# Reference: https://www.virustotal.com/gui/file/cabb45c99ffd8dd189e4e3ed5158fac1d0de4e2782dd704b2b595db5f63e2610/detection
# Reference: https://www.virustotal.com/gui/file/a9b3bc337043c04f529b2c19b3e33df1ad59bce27c074427e7b563db3a83c37b/detection
# Reference: https://www.virustotal.com/gui/file/bdf9fffe1c9ffbeec307c536a2369eefb2a2c5d70f33a1646a15d6d152c2a6fa/detection

advantims.com

# Reference: https://twitter.com/ShadowChasing1/status/1353972356759187456

angeldonationblog.com

# Reference: https://twitter.com/K_N1kolenko/status/1353975032104558592
# Reference: https://twitter.com/500mk500/status/1353992570519609344
# Reference: https://twitter.com/RedDrip7/status/1354038387603197952
# Reference: https://twitter.com/sS55752750/status/1354059524739653633
# Reference: https://twitter.com/vngkv123/status/1357247638228226053
# Reference: https://twitter.com/blackorbird/status/1357259907448229888
# Reference: https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg (Korean)
# Reference: https://enki.co.kr/blog/2021/02/04/ie_0day.html (Korean)
# Reference: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# Reference: https://otx.alienvault.com/pulse/60103a3268891c63b1f24d74
# Reference: https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection
# Reference: https://www.virustotal.com/gui/file/a08d24f74027256c6fd5c5a2fdb15b12889971fbdcfa7a28ffebbfe8b15aaefb/detection
# Reference: https://www.virustotal.com/gui/file/9c906c2f3bfb24883a8784a92515e6337e1767314816d5d9738f9ec182beaf44/detection
# Reference: https://www.virustotal.com/graph/embed/g4784ec032b3f4cb987a616f4b2dbc9aa9a982d9b20494f8980ae611a4ca3a1d8

angeldonationblog.com
codebiogblog.com
codevexillium.org
investbooking.de
krakenfolio.com
opsonew3org.sg
transferwiser.io
transplugin.io
blog.br0vvnn.io
codevexillium.org/image/download/download.asp
colasprint.com/_vti_log/upload.asp
dronerc.it/forum/uploads/index.php
dronerc.it/shop_testbr/Adapter/Adapter_Config.php
dronerc.it/shop_testbr/Core/upload.php
dronerc.it/shop_testbr/upload/upload.php
edujikim.com/intro/blue/insert.asp
fabioluciani.com/ae/include/constant.asp
fabioluciani.com/es/include/include.asp
loonsaloon.com/wp-content/plugins/revslider/hello.php
transplugin.io/upload/upload.asp
trophylab.com/notice/images/renewal/upload.asp

# Reference: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
# Reference: https://otx.alienvault.com/pulse/601052e27a2c451b3ba5ed31

akramportal.org/public/voice/voice.php
commodore.com.tr/mobiquo/appExtt/notdefteri/writenote.php
fabianiarte.com/newsletter/arte/view.asp
hirokawaunso.co.jp/wordpress/wp-includes/ID3/module.audio.mp4.php
index-consulting.jp/eng/news/index.php
inovecommerce.com.br/public/pdf/view.php
ja-fc.or.jp/shop/shopping.php
kenpa.org/yokohama/main.php
leemble.com/5mai-lyon/public/webconf.php
mail.clicktocareers.com/dev_clicktocareers/public/mailview.php
scimpex.com/admin/assets/backup/requisition/requisition.php
tronslog.com/public/appstore.php
vega.mh-tec.jp/.well-known/index.php

# Reference: https://twitter.com/Dashowl/status/1354264740692942848

trophylab.com/design/trophy/product/lmages/logo.png
worldspia.kr/upload_images/inc/LOG.PHP

# Reference: https://twitter.com/mattyb1512/status/1354070629469872129

ctrac.online

# Reference: https://twitter.com/h2jazi/status/1362109944791764993
# Reference: https://www.virustotal.com/gui/file/0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba/detection
# Reference: https://www.virustotal.com/gui/file/91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd/detection
# Reference: https://www.virustotal.com/gui/file/dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61/detection

kupaywallet.com
levelframeblog.com
dorusio.com/dorusio_update.php

# Reference: https://twitter.com/ShadowChasing1/status/1362362744909930496

materialindia.in/wp/wp-main/gallery/profile2.php
totalmateria.net/wp/profile2.php

# Reference: https://securelist.com/lazarus-threatneedle/100803/
# Reference: https://otx.alienvault.com/pulse/6037c3cea83bb963f5be0d51/

http://156.245.16.55/admin/admin.asp
americanhotboats.com/forums/core/cache/index.php
astedams.it/photos/image/image.asp
au-pair.org/admin/Newspaper.asp
au-pair.org/admin/login.asp
automercado.co.cr/empleo/css/main.jsp
cloudarray.com/images/logo/videos/cache.jsp
colasprint.com/_vti_log/upload.asp
curiofirenze.com/include/inc-site.asp
dellarocca.net/it/content/img/img.asp
digitaldowns.us/artman/exec/upload.php
djasw.or.kr/sub/popup/images/upfiles.asp
docentfx.com/wp-admin/includes/upload.php
dronerc.it/forum/uploads/index.php
dronerc.it/shop_testbr/Adapter/Adapter_Config.php
edujikim.com/intro/blue/view.asp
edujikim.com/pay/sample/INIstart.asp
edujikim.com/smarteditor/img/upload.asp
fabioluciani.com/ae/include/constant.asp
fabioluciani.com/es/include/include.asp
forum.iron-maiden.ru/core/cache/index.php
forum.snowreport.gr/cache/template/upload.php
fredrikarnell.com/marocko2014/index.php
geeks-board.com/blog/wp-content/uploads/2017/cache.php
gonnelli.it/uploads/catalogo/thumbs/thumb.asp
juvillage.co.kr/img/upload.asp
kannadagrahakarakoota.org/forums/admincp/upload.php
kbcwainwrightchallenge.org.uk/connections/dbconn.asp
kwwa.org/DR6001/FN6006LS.asp
kwwa.org/popup/160307/popup_160308.asp
lyzeum.com/board/bbs/bbs_read.asp
lyzeum.com/images/board/upload.asp
martiancartel.com/forum/customavatars/avatars.php
mdim.in.ua/core/cache/index.php
newidealupvc.com:443/img/prettyPhoto/jquery.max.php
polyboatowners.com/2010/images/BOTM/upload.php
polyboatowners.com/css/index.php
prototypetrains.com:443/forums/core/cache/index.php
raiestatesandbuilders.com/admin/installer/installer/index.php
roit.co.kr/xyz/mainpage/view.asp
sanatoliacare.com/include/index.asp
sanlorenzoyacht.com/newsl/include/inc-map.asp
shinwonbook.co.kr/basket/pay/open.asp
shinwonbook.co.kr/board/editor/upload.asp
theforceawakenstoys.com/vBulletin/core/cache/upload.php
waterdoblog.com/uploads/index.asp

# Reference: https://twitter.com/AnonySecAgency/status/1366971633458548738
# Reference: https://twitter.com/ShadowChasing1/status/1366988046294376450
# Reference: https://www.virustotal.com/gui/file/03cd4ec3defa490e68b1ca2efaf8daea6f89d3cceed51c91f4c4f9e2222d258d/detection

gcloud-share.com
dshellelink.gcloud-share.com

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1225581378840006656 (# DangerousPasswords)
# Reference: https://pastebin.com/raw/cLWvyJ20
# Reference: https://twitter.com/Rmy_Reserve/status/1230881875767377920
# Reference: https://twitter.com/ShadowChasing1/status/1328208737933246464
# Reference: https://www.virustotal.com/gui/file/4c574c1a2b126c8a5ba1ef9560516d0ac9990c0253119f874eb084b57742e3d7/detection

http://84.201.189.216
103.205.179.4:8080
amazonaws1.info
gdrvup.xyz
gmaildrive.site
googleauth.pro
googledriver.info
googleupload.info
liveonedrvshare.xyz
secureshares.online
gdriveupload.info

# Reference: https://twitter.com/Rmy_Reserve/status/1246404220040802309 (# DangerousPassword)

88.204.166.59:8080

# Reference: https://twitter.com/ShadowChasing1/status/1339195498519875585 (# DangerousPassword)

gdocshare.com

# Reference: https://twitter.com/ShadowChasing1/status/1367368069618700291
# Reference: https://twitter.com/_re_fox/status/1260931809103101957
# Reference: https://twitter.com/_re_fox/status/1301564536575733760
# Reference: https://twitter.com/_re_fox/status/1301565785345863689
# Reference: https://twitter.com/mattnotmax/status/1370311682354941954
# Reference: https://twitter.com/cyber__sloth/status/1285510760303656960
# Reference: https://www.virustotal.com/gui/file/d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805/detection
# Reference: https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_302_kodera_jp.pdf (Japanese)
# Reference: https://www.virustotal.com/gui/file/01184a5acb8b3ec56c9e90f2e6cd6673ae83b4fd6982e17329b33da2f77bcf5b/detection

doc.gsheetshare.org
docs.dsharefile.tech
docs.gdriveshare.top
drop.trailads.net
dsharefile.tech
gsheetshare.org
filehost.network
mdown.showprice.xyz
mse.theworkpc.com
name.ownemail.me
newsbtctech.com
ownemail.me
share.onedrvfile.site
shop.newsbtctech.com
trailads.net
up.digifincx.com
up.myemail.works

# Reference: https://twitter.com/ShadowChasing1/status/1339933511973699584 (# DangerousPassword)
# Reference: https://www.virustotal.com/gui/file/c64e2993563345fd497cfc382de27c7791b4f172d2c50d79b6290c2f9c06102c/detection

google-clouds.com

# Reference: https://twitter.com/cyber__sloth/status/1344208175168368641 (# DangerousPassword)
# Reference: https://twitter.com/cyber__sloth/status/1344208380525752321 (# DangerousPassword)

addrcheck.corecheckmailsrv.com
cloud-sheet.net
cloud.optvers.net
corecheckmailsrv.com
digitalcurencygroup.co
down.privatework.buzz
fidelitydigitalsassets.com
gdocshare.com
goglestorage.com
google-clouds.com
googleproduct.org
gsuiteshare.com
msftoffice.com
myemail.works
official.googleproduct.org
presentonline.xyz
privatework.buzz
sharesvr.net

# Reference: https://twitter.com/h2jazi/status/1369305004922855431
# Reference: https://twitter.com/h2jazi/status/1369307165807280135

torgirf.ru/loginhome.css

# Reference: https://twitter.com/h2jazi/status/1370024802791096320
# Reference: https://www.virustotal.com/gui/file/46fcbc170e84d8ad48434251421bd8f6fa49a7e741d2c24d31c170c607c60d51/detection
# Reference: https://www.virustotal.com/gui/file/c8a8d2caa429a8bbe885ef8d59d982b4bfd9c48f1255ff69e3b81c6bbd7b2925/detection

dronerc.it/shop_testbr/localization/dir_photoes/image.php
dronerc.it/shop_testbr/localization/dir_photoes/logo.php

# Reference: https://twitter.com/h2jazi/status/1354880834092859395
# Reference: https://www.virustotal.com/gui/ip-address/104.168.158.103/relations
# Reference: https://www.virustotal.com/gui/file/aec3ced40a3451dc2c6b1704cc50b0e0c8e549faaa8ae42b6d6f421b4fc2ef8a/detection
# Reference: https://www.virustotal.com/gui/file/e7a4d8b80dc653a47440db2a8deaf782109bb710e5d4311bc3d7685dba715865/detection
# Reference: https://www.virustotal.com/gui/file/75d3d96033db529c9ae698ac6de8fba420c2daa5d97614d7118f49e03c2d83d3/detection

documentprotect.live
documentprotect.pro

# Reference: https://twitter.com/h2jazi/status/1373985591814197250
# Reference: https://www.virustotal.com/gui/file/09b83a501b8f919fc4861735097dd50957f21e81209d362b4fa425bd3348a495/detection

cloudshare.jumpshare.vip

# Reference: https://twitter.com/HONKONE_K/status/1374178555634933762
# Reference: https://www.virustotal.com/gui/file/66e96fbd6e977ddef3f0a2924978d92e5d67bd96e68dc4832f5041dbd40bcfc9/detection
# Reference: https://www.virustotal.com/gui/file/e087d06c552aeef36c2ba9fdd14b06fca499f2d37dfea21e480a02a748b19bf1/detection

antcapital.us
document.antcapital.us
protect.antcapital.us

# Reference: https://twitter.com/DrN1ght/status/1374026917343543301

chemistryworld.us
coinbigex.com
innoenergy.info
mclland.com
qooqle.download

# Reference: https://twitter.com/h2jazi/status/1375528365587894272
# Reference: https://www.virustotal.com/gui/file/2fdba1e332203ca0d01992b137ebeaa1f21f7c3daec7230e6b8a4d36182caed4/detection

sanlorenzoyacht.com/newsl/uploads/docs/

# Reference: https://twitter.com/ShadowChasing1/status/1377610488830291973
# Reference: https://twitter.com/ShadowChasing1/status/1377628563000594433

toysbagonline.com
purewatertokyo.com
pinkgoat.com
yellowlion.com
salmonrabbit.com
bluecow.com

# Reference: https://twitter.com/darktracer_int/status/1380309710721622016
# Reference: https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/
# Reference: https://otx.alienvault.com/pulse/60739323ef1b2b3a187f0f15

4bjt2rceijktwedi.onion
cwwpxpxuswo7b6tr.onion

# Reference: https://twitter.com/fr0s7_/status/1381328726819020804
# Reference: https://www.virustotal.com/gui/file/e514d83d2aaa1357b34f5f11ecc35afe10b6240796e085977e9d4a56145bb8b3/detection

protectoffice.club

# Reference: https://twitter.com/ShadowChasing1/status/1382514587589742597
# Reference: https://www.virustotal.com/gui/file/f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72/detection

jinjinpig.co.kr/Anyboard/skin/board.php
mail.namusoft.kr/jsp/user/eam/board.jsp

# Reference: https://www.group-ib.com/blog/btc_changer

luxmodelagency.com/wp-incluses/random_compat/zeus/wongs/wongs.php
/random_compat/zeus/wongs/wongs.php
/zeus/wongs/wongs.php

# Reference: https://twitter.com/ShadowChasing1/status/1384016097494507521
# Reference: https://twitter.com/cyberwar_15/status/1384462513249546244
# Reference: https://www.virustotal.com/gui/file/79e15cc02c6359cdb84885f6b84facbf91f6df1254551750dd642ff96998db35/detection

ddjm.co.kr/bbs/icon/skin/skin.php
snum.or.kr/skin_img/skin.php

# Reference: https://www.virustotal.com/gui/file/6d2ecc3b0a43f0c377ea6d9a68aa5ac0d48635a04219264fb0702976efea8ef6/detection

http://121.146.68.233/fileserver/temp/platform.asp
http://121.254.224.218/angkor.ylw.common.fileserviceserver/web/document/netframework.asp
codibest.com/data/geditor/main_1.php
gbflatinamerica.com
myungokhun.co.kr/_proc/member/member_bk.asp
/angkor.ylw.common.fileserviceserver/web/document/netframework.asp
/data/geditor/main_1.php
/fileserver/temp/platform.asp

# Reference: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/
# Reference: https://otx.alienvault.com/pulse/608af383c5be4591c5da02e5

akramportal.org/delv/public/voice/voice.php
apars-surgery.org/bbs/bbs_files/board_blog/write.php
bootcamp-coders.cnm.edu
ctevt.org.np/ctevt/public/frontend/review.php
forecareer.com/gdcareer/officetemplate-20nab.asp
gbflatinamerica.com/file/filelist.php
goldllama4.sakura.ne.jp
hospitality-partners.co.jp/works/performance/consumer.php
inovecommerce.com.br/public/pdf/view.php
mail.clicktocareers.com/public/jobapplications/jdviewer.php
propro.jp/wp-content/documents/docsmgmt.php
vega.mh-tec.jp/.well-known/gallery/siteview.php

# Reference: https://www.virustotal.com/gui/file/610047be0b2360d609baa71be22ddc5814743868886f8d85ab9985d3f01229d6/detection

mappo-on.life
help.mappo-on.life

# Reference: https://www.virustotal.com/gui/file/27bfac11c1f9184b515fbf5fcd946e921c95506f89eb273e148fcf0068e50932/detection

octo-manage.net
help.octo-manage.net

# Reference: https://twitter.com/ShadowChasing1/status/1391981731394187266
# Reference: https://www.virustotal.com/gui/file/a0d070b66408654cdcb84784e77914dc355a23c81e3e6ef36362470619c4de96/detection

http://45.61.136.204
googledocpage.com

# Reference: https://twitter.com/ShadowChasing1/status/1393356174506921985
# Reference: https://www.virustotal.com/gui/file/8e1746829851d28c555c143ce62283bc011bbd2acfa60909566339118c9c5c97/detection

allgraphicart.com

# Reference: https://twitter.com/ShadowChasing1/status/1397768682776895491
# Reference: https://www.virustotal.com/gui/file/8d48a77e7a4b8c824d8c1b890dc3e2b904e6fa8fbe8dae1a22f5870916c01c20/detection

sslsharecloud.net
dev.sslsharecloud.net

# Reference: https://twitter.com/ShadowChasing1/status/1398468263818928136

ewha-ac.ml

# Reference: https://twitter.com/ShadowChasing1/status/1399369260577681426
# Reference: https://www.virustotal.com/gui/file/4059fea324e27cfbd4955f37dc7791709dbf35a800449373c6715bc53b88f7c5/detection

amene.homepc.it

# Reference: https://twitter.com/360CoreSec/status/1402920149754155010
# Reference: https://www.virustotal.com/gui/file/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c/detection
# Reference: https://www.virustotal.com/gui/file/3b33b0739107411b978c3cbafb312a44b7488bd7adabae3e7b02059240b6dc83/detection

shopweblive.com

# Reference: https://twitter.com/h2jazi/status/1406401709157629952
# Reference: https://twitter.com/ShadowChasing1/status/1406592585796177924
# Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
# Reference: https://www.virustotal.com/gui/file/5c2f339362d0cd8e5a8e3105c9c56971087bea2701ea3b7324771b0ea2c26c6c/detection

allamwith.com/home/mobile/list.php
conkorea.com/cshop/banner/list.php
ddjm.co.kr/bbs/icon/skin/skin.php
hivekorea.com/jdboard/member/list.php
jinjinpig.co.kr/Anyboard/skin/board.php
mail.namusoft.kr/jsp/user/eam/board.jsp
mail.neocyon.com/jsp/user/sms/sms_recv.jsp
mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp
snum.or.kr/skin_img/skin.php
/jsp/user/sms/sms_recv.jsp

# Reference: https://twitter.com/360CoreSec/status/1405790277034418177
# Reference: https://www.virustotal.com/gui/file/35a39299c47bc701dbe7cb72fcb695d08eb2095d1a5b8b7942d3034d16435e89/detection
# Reference: https://www.virustotal.com/gui/file/382a209ce5745c85507b0bd80b87496ad92128e6870199d0c33d6ddedc542dd1/detection
# Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection

185.208.158.204:443
193.56.28.251:443

# Reference: https://twitter.com/ShadowChasing1/status/1405515076149284870
# Reference: https://www.virustotal.com/gui/file/4c4cc3abd3ddb15d5306fb647c6d779b18df5b949673bb3f3f87faa2c5f56a6a/detection

authenticate.azure-drive.com

# Reference: https://twitter.com/ShadowChasing1/status/1407993219720224771

elwoodasset.xyz
sharemanage.elwoodasset.xyz

# Reference: https://twitter.com/360CoreSec/status/1410127120177635328

52.202.193.124:443

# Reference: https://twitter.com/fr0s7_/status/1402394083331559431
# Reference: https://twitter.com/Jup1a/status/1402470227292561412
# Reference: https://www.virustotal.com/gui/file/1939d9fdcf831dc4cac001ba193669c75a336258bc99a1775471554229e4a69b/detection

azure-drive.com
download.azure-drive.com
protect.azure-drive.com

# Reference: https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12
# Reference: https://otx.alienvault.com/pulse/60e6d2a6786d43397db19bc7

grandgolf.co.kr/html/facilities/facilities_01_06.asp
kdone.co.kr/Utils/EmailUtil.asp
namchuncheon.co.kr/admin/BookAppl/Search_left.asp

# Reference: https://twitter.com/ShadowChasing1/status/1412934665292316677
# Reference: https://twitter.com/ShadowChasing1/status/1412953330700062726

http://95.179.235.55
sharebusiness.xyz
signverydn.sharebusiness.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1412932935523573760
# Reference: https://www.virustotal.com/gui/file/8afdf8513a6e3bede16187004daccc95e193a29062415d9ba0c29b98a5a927d1/detection

devprocloud.com
share.devprocloud.com

# Reference: https://mp.weixin.qq.com/s/y-SHoh9f5qwAwqml3uf8vw
# Reference: https://otx.alienvault.com/pulse/60f930c9c1a69acdb28adea6

smartaudpor.com

# Reference: https://twitter.com/h2jazi/status/1445596955552272389

gozdeelektronik.net/wp-content/themes/0111/

# Reference: https://twitter.com/s1ckb017/status/1447476954639347712
# Reference: https://www.virustotal.com/gui/file/cf10c1cad090ab31d9e579df3bd22f3d0653792cb010e1d6ac0e2cd1ced52076

digitalguarder.com

# Reference: https://twitter.com/h2jazi/status/1455601350222417926
# Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection

mantis.linkundlink.de
/logs/officetemplate.php

# Reference: https://twitter.com/ESETresearch/status/1458438169502826508
# Reference: https://www.virustotal.com/gui/ip-address/45.147.231.213
# Reference: https://www.virustotal.com/gui/file/fe80e890689b0911d2cd1c29196c1dad92183c40949fe6f8c39deec8e745de7f/detection

devguardmap.org
navercorpservice.com

# Reference: https://twitter.com/ShadowChasing1/status/1455489336850325519
# Reference: https://www.virustotal.com/gui/file/65b5709f67bb0fac31ec977f98cda6f89f4b38703ee5aeef0b633c33669ea88a/detection

thetalkingcanvas.com/jobs/en-gb/jobs/9/details.php

# Reference: https://twitter.com/h2jazi/status/1462832390632583168
# Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096

ditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php

# Reference: https://twitter.com/ShadowChasing1/status/1465998017836707840
# Reference: https://twitter.com/ShadowChasing1/status/1465998020734898176

http://152.89.247.236
silvergatehr.com
ny.silvergatehr.com
/5Ek9724mz8oncul8Zx7E7CVDCdBNxuFFUO6pLk/

# Reference: https://twitter.com/k3yp0d/status/1468485748269662208
# Reference: https://app.any.run/tasks/ff306f89-64d4-4d30-8b72-7c0be0b1f9fb/

cloudplus.one
drive.cloudplus.one

# Reference: https://twitter.com/h2jazi/status/1462832390632583168
# Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096/detection

aditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus_APT_Related.json
# Reference: https://www.virustotal.com/gui/ip-address/149.28.162.113/relations

dubbedfinally.link
filesaves.cloud
fsdriveshare.org
googlesheetpage.org
gsheetpage.com
help-optus.com
onedocshare.com
onlinedoc.dev
pilotview.cloud
retrots.net
tresordocs.com
trollinguneaten.org
database.retrots.net
doc.filesaves.cloud
docs.gsheetpage.com
license.cloudplus.one
product.onlinedoc.dev
sheet.tresordocs.com
support.pilotview.cloud

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus.json

autodiscover.vin
banner-counter.com
clarionhpdu.top
craptioerne.com
fhewkhwjehwekjfhwehfwe.com
lif0.top
smartscreenfilter.com
statcounters.net
vz206llb19o.com
2ab9.watashinonegai.ru
b.watashinonegai.ru
d.watashinonegai.ru
apkv3.clarionhpdu.top
cltpk.doomdns.org
down.mykings.pw

# Reference: https://twitter.com/souiten/status/1468818352156020737
# Reference: https://www.virustotal.com/gui/file/b3646d8cbadc7620ca7782f2525cc019740a3088f32e2ea9a6c97cc1432537b0/detection

fsdriveshare.org
dmarc.fsdriveshare.org
file.fsdriveshare.org
share.fsdriveshare.org

# Reference: https://twitter.com/ffforward/status/1456239300593524741
# Reference: https://www.virustotal.com/gui/file/0b8d7a851920d4584777505f9fb484b226a8457d4049885a87c847f7d3532d28/detection

stablemarket.org
share.stablemarket.org

# Reference: https://twitter.com/k3yp0d/status/1448552868907204612
# Reference: https://www.virustotal.com/gui/domain/cloudmgmt.org/relations

cloudmgmt.org
share.cloudmgmt.org

# Reference: https://threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/
# Reference: https://otx.alienvault.com/pulse/61c9aff8d72c2a4731021bee

allamwith.com/home/mobile/list.php
conkorea.com/cshop/banner/list.php
ddjm.co.kr/bbs/icon/skin/skin.php
jinjinpig.co.kr/Anyboard/skin/board.php
mail.namusoft.kr/jsp/user/eam/board.jsp
mail.neocyon.com/jsp/user/sms/sms_recv.jsp
mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp
snum.or.kr/skin_img/skin.php
/jsp/user/sms/sms_recv.jsp

# Reference: https://twitter.com/h2jazi/status/1483521532433473536
# Reference: https://twitter.com/h2jazi/status/1483521535268769793
# Reference: https://www.virustotal.com/gui/file/0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b/detection

lm-career.com

# Reference: https://twitter.com/s1ckb017/status/1484451637653614592
# Reference: https://twitter.com/h2jazi/status/1486448926081302536
# Reference: https://www.virustotal.com/gui/file/0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1/detection

allinfostudio.com
markettrendingcenter.com
yourblogcenter.com

# Reference: https://twitter.com/czy_1116/status/1485813878550597632
# Reference: https://www.virustotal.com/gui/file/3542078fd524e3cb141d5bebf96aea73467505a07ae72fc58395afa14f22e8a3/detection

gfinanzen.net
portal.gfinanzen.net

# Reference: https://twitter.com/ShadowChasing1/status/1486530954382348290
# Reference: https://www.virustotal.com/gui/file/ac7b6ca73207db6ec6d4af2632a7c842c32af6658e3214753e589b567d809125/detection

docusign.agency

# Reference: https://twitter.com/h2jazi/status/1487070198955978753

loneeaglerecords.com/wp-content/uploads/2020/01/images.tgz.001
/update_coingotrade.php

# Reference: https://twitter.com/h2jazi/status/1490057626134192136
# Reference: https://www.virustotal.com/gui/file/08c3aaeec3da9a106536ad1beff4d2ed23d1e31c9481be60f5dbd5eb1a01d2e5/detection

sportsblogweb.com

# Reference: https://twitter.com/s1ckb017/status/1489591023030448129
# Reference: https://www.virustotal.com/gui/file/29de2289a2b111a4873e49402c310b2ad0e3de51b5562ee1422a37c514910c71/detection

designautocad.org

# Reference: https://twitter.com/cyberoverdrive/status/1490839283803951106
# Reference: https://www.virustotal.com/gui/file/353f82475fcfad5b3f06ed85a931bda46ec34279793b5d70085aa8c603e8ebec/detection

datacentre.center

# Reference: https://twitter.com/ShadowChasing1/status/1490958579930517504
# Reference: https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f/detection

shopapppro.com
shopapptech.com

# Reference: https://twitter.com/pkalnai/status/1489269982814949382
# Reference: http://report.threatbook.cn/LS.pdf (Chinese)
# Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection

bmanal.com
canyonzcc.com
devguardmap.org
industryinfostructure.com
linkundlink.de
mante.li
shopandtravelusa.com
mantis.linkundlink.de

# Reference: https://twitter.com/jaydinbas/status/1468521246862233603
# Reference: https://www.virustotal.com/gui/file/ef2d3e488b781a7c6144afa8fc8ba2b6d085ca671100d04686097f3b4dd2ed42/detection

mantis-gewa.technisat-digital.de

# Reference: https://twitter.com/czy_1116/status/1498190652412203008
# Reference: https://www.virustotal.com/gui/file/4cbad835586faf1d91431d5421b58b4acda0bd280cfbaf8a5d4820aec486b0e6/detection

bloomcloud.org
share.bloomcloud.org

# Reference: https://twitter.com/ShadowChasing1/status/1502240130702065664

open.googlesheetpage.org
/KcyRbGDJKRZoaLq8lHh8/C0sHwcGMH2/
/C0sHwcGMH2/
/KcyRbGDJKRZoaLq8lHh8/

# Reference: https://twitter.com/malwrhunterteam/status/1503640289810038786
# Reference: https://twitter.com/malwrhunterteam/status/1504573045750571010
# Reference: https://twitter.com/malwrhunterteam/status/1506008938197643266
# Reference: https://twitter.com/h2jazi/status/1503826030812925962
# Reference: https://twitter.com/h2jazi/status/1503826034923388929
# Reference: https://www.virustotal.com/gui/file/8672acfb06258f5b6dec3700cd7f91a0c013a70a9664dbc6cf33a4c6406756ed/detection
# Reference: https://www.virustotal.com/gui/file/e62a7d9184a841e2b53e41f2d85aa278b427e2e427dbfd8f4be072108e3089c1/detection
# Reference: https://www.virustotal.com/gui/file/689d5513ad52ad5e7a631a9147049c4cc494ad514b81cf41e841fb244c766b8b/detection
# Reference: https://www.virustotal.com/gui/file/a51cad94475e0af91d270146379574b5a8ae70a03098318ddf9912784ace3cba/detection

encorpost.com
foxiebed.com
hillokay.com
nhn-games.com
sktelecom.help
want-helper.com

# Reference: https://twitter.com/h2jazi/status/1505965580075114498
# Reference: https://www.virustotal.com/gui/file/e3a4e97e27bcfb6126ebfe92827cfb6b7e0c04eb7f5426bf17dd366e4723d1ef/detection

pvacek.cz/wp-content/plugins/akismet/control/en/en.jpg

# Reference: https://twitter.com/h2jazi/status/1505983796897894401
# Reference: https://www.virustotal.com/gui/file/d0cf9c1f87eac9b8879684a041dd6a2e1a0c15e185d4814a51adda19f9399a9b/detection

webhosttech.org

# Reference: https://twitter.com/blackorbird/status/1507040337097027584
# Reference: https://blog.google/threat-analysis-group/countering-threats-north-korea/

disneycareers.net
find-dreamjob.com
indeedus.org
varietyjob.com
ziprecruiters.org
blockchainnews.vip
chainnews-star.com
financialtimes365.com
fireblocks.vip
gatexpiring.com
gbclabs.com
giantblock.org
humingbot.io
onlynova.org
teenbeanjs.com
colasprint.com/about/about.asp
varietyjob.com/sitemap/sitemap.asp
financialtimes365.com/user/finance.asp
gatexpiring.com/gate/index.asp
humingbot.io/cdn/js.asp
teenbeanjs.com/cloud/javascript.asp

# Reference: https://twitter.com/jaydinbas/status/1506970733997604867
# Reference: https://twitter.com/ShadowChasing1/status/1508637858927587328
# Reference: https://twitter.com/ShadowChasing1/status/1509520460974723072
# Reference: https://twitter.com/ShadowChasing1/status/1511144288830119941
# Reference: https://asec.ahnlab.com/ko/33034/ (Korean)
# Reference: https://www.virustotal.com/gui/ip-address/2.57.90.16/relations
# Reference: https://www.virustotal.com/gui/ip-address/209.126.83.186/relations
# Reference: https://www.virustotal.com/gui/file/2fc71184be22ed1b504b75d7bde6e46caac0bf63a913e7a74c3b65157f9bf1df/detection
# Reference: https://www.virustotal.com/gui/file/392aba0070375051d7bc3cc478c4bb66c5f55be87ad797800f50a338c3e2479b/detection
# Reference: https://www.virustotal.com/gui/file/a7c17e5fa55bcc60d4cff64dd37d0a1f0cc93f4f44b3cebd5633ca5af413e5cc/detection
# Reference: https://www.virustotal.com/gui/file/ae7275988753fffb29bdb254babdf46773daf935b2721006fe66a1747af3d1d4/detection

naveicoipf.online
naveicoipg.online
naveicoiph.online
naveicoiph.online
naveicoipa.tech
naveicoipc.tech
naveicoipd.tech
naveicoipe.tech
navermailteam.online
123fisd.naveicoipg.online
aat1pbil.naveicoipg.online
adzjvazj.naveicoipg.online
aosm8cts.naveicoipg.online
buiweggajhqwj.naveicoipg.online
cecomtp3.naveicoipg.online
edfeiyql.naveicoipg.online
eoinlslsf.naveicoipg.online
fwpoyktt.naveicoipg.online
hytrycnc.naveicoipg.online
jbmnqpwp.naveicoipg.online
jvnquetbon.naveicoipg.online
kdzdm1rq.naveicoipg.online
kygfkdum.naveicoipg.online
l1tog1iv.naveicoipg.online
lbmwbnbieo.naveicoipg.online
olsnvolqwe.naveicoipg.online
pv5pnwlx.naveicoipg.online
qogngnslel.naveicoipg.online
tp0rw6ie.naveicoipg.online
twlekqnwl.naveicoipg.online
urm1o6h0.naveicoipg.online
vm2rjonq.naveicoipg.online
vnwoei.naveicoipg.online
6la0cwds.naveicoiph.online
9yxqida1b.naveicoiph.online
d4yp8bphj3.naveicoiph.online
dtdgwgfvr.naveicoiph.online
gkins2p3i.naveicoiph.online
kashaccn4.naveicoiph.online
lkpiedozd.naveicoiph.online
rxpz7z2yi8.naveicoiph.online
gowelknx.naveicoipf.online
xjowihgnxcvb.naveicoipf.online
xuau0b2i.naveicoipf.online
4w9h8ps9.naveicoipa.tech
4w9h8ps9.naveicoipc.tech
momls4ii.naveicoipa.tech
momls4ii.naveicoipc.tech
tofysz6a.naveicoipa.tech
tofysz6a.naveicoipc.tech
uzzmuqwv.naveicoipa.tech
uzzmuqwv.naveicoipc.tech
zvc1ijau.naveicoipa.tech
zvc1ijau.naveicoipc.tech
bcvbert.naveicoipe.tech
mhf8huuo.naveicoipe.tech
msldkopw.naveicoipe.tech
tyidrtu.naveicoipe.tech
uktyukb.naveicoipe.tech
vkqrwl00.naveicoipe.tech
wrhehdfg.naveicoipe.tech
nredial.navermailteam.online
/1uFnvppj/1uFnvppj32.acm
/1uFnvppj/1uFnvppj64.acm
/1uFnvppj/
/1uFnvppj32.acm
/1uFnvppj64.acm
/018ueCdS/018ueCdS32.acm
/018ueCdS/
/018ueCdS32.acm
/0lvNAK1t/0lvNAK1t32.acm
/0lvNAK1t/
/0lvNAK1t32.acm

# Reference: https://www.virustotal.com/gui/ip-address/15.235.132.77/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.81.246.131/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.82.19.179/relations

mailcontactteam.online
mailcustomerservice.site
mailhelp.online
mailmanagecorp.online
mailsecurity.email
mailservicecorp.online
mailserviceteam.email
navcopcenter.tech
navcorpmanager.site
naveeocorp.xyz
navenida.live
navenida.site
navenidb.live
navenidb.site
navenidc.live
navenidc.site
navenidd.site
navenide.site
navenidf.site
naveorseccorp.link
naveracom.link
naveradmin01.link
naveranid.link
naveranid.live
naveranid.online
naverbcom.link
naverbnid.live
naverbnid.online
naverccom.link
navercert.live
navercert.online
navercnid.link
navercnid.online
navercoa.store
navercob.store
navercoc.store
navercod.store
navercoe.store
navercoma.link
navercoma.online
navercomb.link
navercomb.online
navercomb.tech
navercomc.link
navercomc.online
navercomc.tech
navercomd.link
navercomd.online
navercome.link
navercome.online
navercome.tech
navercomf.link
navercomf.online
navercomg.link
navercomh.link
navercop.link
navercop.online
navercorp.email
navercorp.live
navercorpl.tech
navercorpr.online
navercorpservice.com
navercorpteam.com
navercscorp.com
naverenid.online
naverfnid.online
navergnid.online
naverhnid.online
naverhost.live
naverinid.com
naverinid.online
naverjnid.online
naverlogn.live
navermailcorp.com
navermailmanage.com
navermailservice.com
navermailservice.online
navermailteam.online
navermanage.com
navermanage.live
navermanage.space
navermanageteam.com
navermcorp.com
navernida.link
navernida.online
navernida.tech
navernidb.link
navernidb.online
navernidb.tech
navernidc.link
navernidc.online
navernidc.tech
navernidd.live
navernidd.online
navernide.online
navernidlog.live
navernidmail.com
naverorteam.link
naverreda.xyz
naverredc.xyz
naverredd.xyz
naverrede.xyz
naverredirect.live
naversecurityservice.online
naversecurityteam.com
naverservice.email
naverservice.host
naverservice.link
naverserviceteam.com
naverserviceteam.email
naverteam.live
naverteamcorp.live
navreplya.live
navreplya.online
navreplyb.live
navreplyd.live
navreplye.live
navreplyf.site
navreplyg.site
navreplyh.site
navreplyi.site
navreplyj.site
navreplyk.site
navteamcorp.link
nidbnaver.tech
nidcnaver.tech
niddnaver.tech
nidnavera.online
nidnavere.online
noreplya.xyz
noreplyb.xyz
nvrcopa.link
nvrcopb.link
nvrcopc.link
nvrcope.site
nvrcopf.site
nvricop.online
nvrjcop.online
portalcorpteam.com
help.navreplya.live
logn.navermanagecorp.site
logn.noreplya.website
mail.naveradmina.tech
mail.navercomf.link
nav.cloudcentre.space
nav.naveracom.link
nav.naveradmin06.online
nav.noreplyb.xyz
nav.portalcorpteam.com
nin.navercop.link
nlog.noreplyb.space
red.naveradmin07.site
red.nidnavere.online
sec.naveralert.link
sub.naverbcom.link

# Reference: https://twitter.com/ShadowChasing1/status/1508706298640052225
# Reference: https://www.virustotal.com/gui/ip-address/44.227.65.245/relations

cloudscare.xyz
onlinedocview.biz
cdn.onlinedocview.biz
edit.onlinedocview.biz

# Reference: https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/
# Reference: https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/
# Reference: https://otx.alienvault.com/pulse/61bca21cf212a6842e17c00b

diragame.com
diregame.live
mygametoa.com
d.diragame.com
google.diragame.com
jom.diregame.live
toa.mygametoa.com
tob.mygametoa.com

# Reference: https://twitter.com/h2jazi/status/1509206625701220356
# Reference: https://www.virustotal.com/gui/file/e9894893a8a1f74d7d6a8768dda9ef5ddaf8aac18634a1110e9a79652c9f13ee/detection

aixstore.info
app.aixstore.info

# Reference: https://securelist.com/lazarus-trojanized-defi-app/106195/
# Reference: https://otx.alienvault.com/pulse/6246c2c9082f5d1a7c15ffba

bn-cosmo.com/customer/board_replay.asp
edujikim.com/pay_sample/INIstart.asp
emsystec.com/include/inc.asp
gyro3d.com/common/faq.asp
gyro3d.com/mypage/faq.asp
ilovesvc.com/HomePage1/Inquiry/privacy.asp
newbusantour.co.kr/gallery/left.asp
roit.co.kr/xyz/adminer/edit_fail_decoded.asp
softapp.co.kr/sub/cscenter/privacy.asp
syadplus.com/search/search_00.asp

# Reference: https://twitter.com/ShadowChasing1/status/1514899414367694851
# Reference: https://www.virustotal.com/gui/file/f78b85fc5c9a5f6c8d735f13180d318bf8f5639e71556e2ae0f2c6b9b4181a6c/detection

http://15.235.33.14

# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
# Reference: https://otx.alienvault.com/pulse/625d3bb7b78be557e145d2c7

aumentarelevisite.com
juneprint.com
jungfrau.co.kr
mariamchurch.com
happy.nanoace.co.kr
ric-camid.re.kr

# Reference: https://twitter.com/blackorbird/status/1516300076523548674
# Reference: https://mp.weixin.qq.com/s/Xs54_RDKU5MvkvsPPCGKEw (Chinese)

beenos.biz
zvc.capital
cloud.beenos.biz
it.zvc.capital

# Reference: https://www.cisa.gov/uscert/ncas/alerts/aa22-108a
# Reference: https://otx.alienvault.com/pulse/625e65bf6aa1f7977a316d65

alticgo.com
cryptais.com
dafom.dev
esilet.com
tokenais.com

# Reference: https://asec.ahnlab.com/ko/33706/
# Reference: https://otx.alienvault.com/pulse/625e688f46dbcbce7ac0668d

gaonwell.com/data/base/mail/login.asp
h-cube.co.kr/main/image/gellery/gallery.asp
materic.or.kr/include/main/main_top.asp
materic.or.kr/include/main/main_top.xn--asp
namchoncc.co.kr/include/?ind=
okkids.kr/html/program/display/?re=
shoppingbagsdirect.com/media/images/?ui=

# Reference: https://twitter.com/blackorbird/status/1519504288849874944
# Reference: https://www.virustotal.com/gui/file/672ec8899b8ee513dbfc4590440a61023846ddc2ca94c88ae637144305c497e7/detection

http://109.248.144.155
http://155.94.210.11
http://193.56.28.32
http://45.57.245.17
109.248.144.136:8443
109.248.144.155:8080
109.248.144.155:8443
usengineergroup.com
mail.usengineergroup.com

# Reference: https://twitter.com/ESETresearch/status/1521735320852643840
# Reference: https://twitter.com/ESETresearch/status/1521735343497695232
# Reference: https://www.virustotal.com/gui/file/55571ac52e1f02f18af77e2f3314382c982a37744b58732dfc15faac9d66619f/detection
# Reference: https://www.virustotal.com/gui/file/a0bf5af3f931a428b905fd14d43b61af47b7f272425ae4ff4d78b5cb139b8276/detection
# Reference: https://www.virustotal.com/gui/file/315503862cb7ebb0a731483827016015e355bad51f872db5c650a822de744937/detection

onlinestockwatch.net

# Reference: https://www.virustotal.com/gui/file/5081f54761947bc9ce4aa2a259a0bd60b4ec03d32605f8e3635c4d4edaf48894/detection

66.154.102.91:9090

# Reference: https://blogs.jpcert.or.jp/en/2022/07/vsingle.html

bluedragon.com/login
crm.vncgroup.com/cats/scripts/sphinxview.php
mantis.westlinks.net/api/soap/mc_enum.php
ougreen.com/zone
semiconductboard.com/xcror
shipshorejob.com/ckeditor/samples/samples.php
tecnojournals.com/general
tecnojournals.com/prest

# Reference: https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
# Reference: https://www.virustotal.com/gui/file/f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb/detection

http://213.180.180.154
karin-store.com/recaptcha.php
yoshinorihirano.net/wp-includes/feed-xml.php
/editor/session/aaa000/support.php
/aaa000/support.php

# Reference: https://mp.weixin.qq.com/s/USitU4jAg9y2XkQxbwcAPQ
# Reference: https://otx.alienvault.com/pulse/62d153ef7d6fbe552403bc90

namchuncheon.co.kr/html/notice/list.asp
stracarrara.org/public/photos/image/image.asp
stracarrara.org/public/photos/image/image.xn--asp

# Reference: https://twitter.com/h2jazi/status/1549780561551675393
# Reference: https://www.virustotal.com/gui/ip-address/155.138.219.140/relations
# Reference: https://www.virustotal.com/gui/file/f7170b70a89f4b5d196e3a09c1d6135d36320548f66cdc2c55bf725b0f8d4ab8/detection

documentworkspace.io
fclouddown.co
cdn.documentworkspace.io
file.fclouddown.co

# Reference: https://twitter.com/cyberoverdrive/status/1550175620927299584
# Reference: https://www.virustotal.com/gui/file/1e154b2976cc00d457c0dc2b83ebe81911294c8276691617085c03a3304fd87f/detection

googlesheet.info

# Reference: https://twitter.com/h2jazi/status/1553024107989635073
# Reference: https://www.virustotal.com/gui/file/0fe69e67286203ca2dcd080b4c25ab76fc4ca925e6207b193d47f02da1481843/detection

shconstmarket.com
dps.shconstmarket.com
inst.shconstmarket.com
web.shconstmarket.com

# Reference: https://twitter.com/Des00464472/status/1546403794871001093

http://52.79.92.249/bbs/bbs_post.asp

# Reference: https://twitter.com/h2jazi/status/1555205042331947011
# Reference: https://www.virustotal.com/gui/file/a3ef9fd758bca1c94054a43995a99069abaef672495c1bd3ee831217c1f5e498/detection

mktrending.com
docs.mktrending.com

# Reference: https://twitter.com/ShadowChasing1/status/1557034048345997312
# Reference: https://www.virustotal.com/gui/file/57959c2be2ac6349aa37edb73cd8a88fe8d3e69678cac4b38fac401bd3141fdf/detection

documentshare.info
doc.documentshare.info
ww16.documentshare.info
/DmJMFYpwLPP3ygS/

# Reference: https://twitter.com/malwrhunterteam/status/1557077792075829249
# Reference: https://www.virustotal.com/gui/file/f1ade73b9c61f2f4b774a1b5003a5d70d7a12e0872abe98c52fbf9e9e3a90fc5/detection

wordonline.cloud
cdn.wordonline.cloud
gdoc.wordonline.cloud

# Reference: https://twitter.com/ESETresearch/status/1559553324998955010
# Reference: https://www.virustotal.com/gui/file/49046dfeaefc59747e45e013f3ab5a2895b4245cfaa218dd2863d86451104506/detection
# Reference: https://www.virustotal.com/gui/file/8b427c47a43e6c357d8439fefa7f0ff34b72a2abdaf0461193fb9e6086807e17/detection
# Reference: https://www.virustotal.com/gui/file/94a669041ef572e3fb089179f5c29e2811e2e82613290e39a2ce1b6c273727c9/detection
# Reference: https://www.virustotal.com/gui/file/dae9f37ae5c2a030c0fb3f55d5731cdb37a4f68560a6f2ba38bb54c9533f8805/detection
# Reference: https://www.virustotal.com/gui/file/e29d0db8c013e7eb5820a6f40aae92a085d9550f2f0b2ebc10c8c2c08d14f6d5/detection
# Reference: https://www.virustotal.com/gui/file/fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853/detection

concrecapital.com

# Reference: https://twitter.com/h2jazi/status/1559259261665943553
# Reference: https://www.virustotal.com/gui/file/03f6c8f173413302d9c22a44a593fc9a5203fbb7652d3a36b3ace79f3cdc39a3/detection

1drvmicrosoft.com
hare.1drvmicrosoft.com
share.1drvmicrosoft.com

# Reference: https://twitter.com/malwrhunterteam/status/1560563222624710656
# Reference: https://www.virustotal.com/gui/file/c9b4893bdb85d67c13826814ef0cf392648089f416aed40078907054624fba72/detection

cooporatestock.com
doc.cooporatestock.com
docs.cooporatestock.com

# Reference: https://www.virustotal.com/gui/ip-address/45.76.77.197/relations
# Reference: https://www.virustotal.com/gui/file/0f6b6c1596e38e840fb03420317db224739a18dbef0b98285637f5887e90a191/detection

drivegoogle.info
docs.drivegoogle.info

# Reference: https://twitter.com/ShadowChasing1/status/1564980900785373185
# Reference: https://www.virustotal.com/gui/file/51d53ca36a662b4aad5878987548f0f22f2a53545790577d8043373b6bf7eb75/detection

wpsonline.co
edit.wpsonline.co
wps.wpsonline.co

# Reference: https://www.virustotal.com/gui/file/f42c637db03edf83a08e944bc190265167ecea84d77508f37fc1269d267fe5a8/detection

stablehouses.info
app.stablehouses.info

# Reference: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html
# Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
# Reference: https://www.virustotal.com/gui/file/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332/detection
# Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection
# Reference: https://www.virustotal.com/gui/file/eb73c57c6f4ce8bf197ddc689b7e0afd3703a9bf9a78212c9cb838528441df7a/detection
# Reference: https://www.virustotal.com/gui/file/bffe910904efd1f69544daa9b72f2a70fb29f73c51070bde4ea563de862ce4b1/detection
# Reference: https://www.virustotal.com/gui/file/afb2d4d88f59e528f0e388705113ae54b7b97db4f03a35ae43cc386a48f263a0/detection
# Reference: https://www.virustotal.com/gui/file/196fb1b6eff4e7a049cea323459cfd6c0e3900d8d69e1d80bffbaabd24c06eba/detection

http://151.106.2.139
http://193.56.28.251
http://52.202.193.124
http://64.188.27.73
http://66.154.102.91
151.106.2.139:8080
151.106.2.139:8443
66.154.102.91:9090
gendoraduragonkgp126.com
/adm_bord/login_new_check.php

# Reference: https://twitter.com/Des00464472/status/1569331099305918465

techdesignshop.com

# Reference: https://twitter.com/h2jazi/status/1570501870954905600
# Reference: https://www.virustotal.com/gui/file/5816eb32cbaadfc3477c823293a8c49cdf690b443c8fa3c19f98399c143df2b3/detection

azure-protect.online
verify.azure-protect.online

# Reference: https://twitter.com/BaoshengbinCumt/status/1570579732399558656

jbic.us
mufg.tokyo
salt1ending.com
wpic.ink
cloud.jbic.us
cloud.mufg.tokyo

# Reference: https://twitter.com/HaoZhixiang/status/1572434427942432772
# Reference: https://www.virustotal.com/gui/file/0b79e1194644431c2e28c48aa3654e658a2907e1003cd0484cd00a0796ebe6bb/detection

onlineshares.cloud
ms.onlineshares.cloud

# Reference: https://twitter.com/malwrhunterteam/status/1573305740252663809
# Reference: https://www.virustotal.com/gui/file/48bd1c5cf9ccc3d454ab80d7284abaf39028a228607d132bfa92ab2ceca47ca2/detection

azure-protection.cloud
docs.azure-protection.cloud
secure.azure-protection.cloud

# Reference: https://twitter.com/StopMalvertisin/status/1574329188793733120
# Reference: https://www.virustotal.com/gui/file/3b70c3ebffcfd6a97859f8d9e5a31f6902756e23fd6688ca7c7446d24ec76d9d/detection

digiboxes.us
fs.digiboxes.us