# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: apt-c-26, dangerous passwords, hidden cobra, guardians of peace, zinc, nickel academy, manuscrypt, applejeus # Reference: https://cdn.securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf exbonus.mrbasic.com movis-es.ignorelist.com tradeboard.mefound.com update.toythieves.com sap.misapor.ch # Reference: https://securelist.com/operation-applejeus/87553/ celasllc.com 185.142.236.226 185.142.239.173 196.38.48.121 80.82.64.91 # Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea tpddata.com itaddnet.com wifispeedcheck.net coinoen.org coinmaketcape.com bitfiniex.org apshenyihl.com/include/arc.speclist.class.php ap8898.com/include/arc.search.class.php anlway.com/include/arc.search.class.php tpddata.com/skins/skin-8.thm tpddata.com/skins/skin-6.thm 168wangpi.com/include/charset.php ando.co.kr/service/s_top.asp ansetech.co.kr/smarteditor/common.asp mileage.krb.co.kr/common/db_conf.asp 028xmz.com/include/common.php 33cow.com/include/control.php 51up.com/ace/main.asp 530hr.com/data/common.php 97nb.net/include/arc.sglistview.php marmarademo.com/include/extend.php paulkaren.com/synthpop/main.asp shieldonline.co.za/sitemap.asp # Reference: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/ # Reference: https://twitter.com/KevinPerlow/status/1083759627714682880 # Reference: https://twitter.com/Bank_Security/status/1107543887462064128 # Reference: https://www.hybrid-analysis.com/sample/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/5c8a414a0388381b3f329926 # Reference: https://www.virustotal.com/gui/file/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/detection # Reference: https://twitter.com/ClearskySec/status/1084463729633316864 bodyshoppechiropractic.com drupdate.club ecombox.store 
/tbl_add.php # Reference: https://otx.alienvault.com/pulse/5c8b8e19261a7451de02bf60/ http://37.238.135.70/img/anan.jpg # Reference: https://otx.alienvault.com/pulse/5c9a4d9f90726d0988873a2b # Reference: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/ dev.microcravate.com nzssdm.com bluecreekrobotics.com/wp-includes/common.php dev.microcravate.com/wp-includes/common.php dev.whatsyourcrunch.com/wp-includes/common.php enterpriseheroes.com.ng/wp-includes/common.php hrgp.asselsolutions.com/wp-includes/common.php baseballcharlemagnelegardeur.com/wp-content/languages/common.php bogorcenter.com/wp-content/themes/index2.php eventum.cwsdev3.bi.com/wp-includes/common.php streamf.ru/wp-content/index2.php towingoperations.com/chat/chat.php vinhsake.com/wp-content/uploads/index2.php tangowithcolette.com/pages/common.php # Reference: https://twitter.com/blackorbird/status/1110750919082147842 # Reference: https://blog.alyac.co.kr/2219 alahbabgroup.com http://47.91.56.21/verify.php http://103.225.168.159/admin/verify.php # Reference: https://twitter.com/blackorbird/status/1111449536910680065 wb-bot.org wb-invest.net # Reference: https://twitter.com/KevinPerlow/status/1136994848341409792 sbackservice.com # Reference: https://twitter.com/navSi16/status/1148192534654439426 # Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7 sensationalsecrets.com/js/left.php # Reference: https://twitter.com/blackorbird/status/1148843702690832385 194.45.8.41:443 # Reference: https://twitter.com/bad_packets/status/1148864469486854144 # Reference: https://pastebin.com/G0Ad5Ut6 http://178.128.253.67/tbl_add.php # Reference: https://twitter.com/RedDrip7/status/1148887458152472576 byucksanpaint.com/community/com_gon_open.asp # Reference: https://otx.alienvault.com/pulse/5d2c64b174175b03e7db85cd http://103.53.176.145:8080/ServiceDeskPlus/products.do http://111.68.126.155:8080/ServiceDeskPlus/products.do 
http://137.117.57.244:8080/ServiceDeskPlus/products.do chanbang.co.kr/board/check.asp chanbang.co.kr/family/check.asp chanbang.co.kr/gonggu/upload.asp difa.or.kr/common/asp/inc_Comn.asp edenenc.co.kr/Report/RptMyReport.asp egreenland.co.kr/cheditor2/example/newpost.asp hanbook.co.kr/partnershop/hanmail_ep.asp img.kindermom.co.kr/frameart/print/footer.mov kgsa1015.co.kr/upload/member/member.asp rodaxsankyokorea.com/upload/favicon/favicon.asp sinokor-eng.com/sub/sub01_09.asp # Reference: https://otx.alienvault.com/pulse/5d2dca0a1c7d00fa07be15e5 byucksanpaint.com/community/com_gon_open.asp byucksanpaint.com/main/main4.asp keyang.co.kr/pub/editor/wa_path.asp upload.childu.co.kr/include/OnlyOne1.asp # Reference: https://twitter.com/cyberwar_15/status/1152035187196223488 lavaandstone.com/wp-content/plugins/fusion-core/about.php sales.alitho.com/wp-content/themes/sketch/about.php amytanathorn.com/wp-admin/includes/about.php # Reference: https://twitter.com/cyberwar_15/status/1153123863435214848 rhythm86.com/wp-content/themes/twentysixteen/about.php cabba-cacao.com/wp-content/themes/integral/about.php 3x-tv.com/plugins/editors/about.php # Reference: https://twitter.com/KorbenD_Intel/status/1158479283549089792 # Reference: https://www.virustotal.com/gui/file/3bba04f277e7f51a5500f7b144fdbd851954e4f94bb0290e49fc63f6fc807321/detection policyupdates.info # Reference: https://twitter.com/cyberwar_15/status/1166282138179624960 # Reference: https://twitter.com/navSi16/status/1166287915959214080 youdermoscopy.org/media/fly.avi youdermoscopy.org/media/fly312.avi # Reference: https://blog.alyac.co.kr/2500 (Korean) # Reference: https://otx.alienvault.com/pulse/5d6940cb9e719255258969f5 alnagm-press.com/wp-content/plugins/cloudflare/list.php elsouq.org/aramex/left.php swedishmassageamsterdam.nl/wp-content/themes/top.php # Reference: https://twitter.com/cyberwar_15/status/1175940165425958912 http://158.69.57.135 http://92.222.106.229 # Reference: 
https://securelist.com/my-name-is-dtrack/93338/ # Reference: https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/ # Reference: https://otx.alienvault.com/pulse/5d88b31dea7f4b9d4701d7e8 # Reference: https://www.virustotal.com/gui/file/fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702/detection # Reference: https://www.virustotal.com/gui/file/58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb/detection katawaku.jp/bbs/data/theme/profile2.php materialindia.in totalmateria.net cyberub.com/board/icon/template/template_ro.php /gallery/profile2.php /theme/profile2.php /wp/profile2.php # Reference: https://twitter.com/KseProso/status/1178580006047539200 heromessi.com/wp-public/career/car_add.php # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-12-lazarus-resurfaces-targets-global-banks-bitcoin-users/lazarus-resurfaces-targets-global-banks-bitcoin-users.csv deltaemis.com # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-11-20-android-malware-appears-linked-to-lazarus-cybercrime-group/android-malware-appears-linked-to-lazarus-cybercrime-group.csv vmware-probe.zol.co.zw # Reference: https://app.any.run/tasks/01497f45-7fba-4356-bbdc-4270e51c2465/ # Reference: https://twitter.com/Rmy_Reserve/status/1181528617374777344 # Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea gp-core.com gp-main.com # Reference: https://twitter.com/VK_Intel/status/1182722604240719872 # Reference: https://objective-see.com/blog/blog_0x49.html (# AppleJeus) 185.228.83.32:443 beastgoc.com /grepmonux.php # Reference: https://twitter.com/kyleehmke/status/1184120287199223808 # Reference: https://www.virustotal.com/gui/ip-address/185.228.83.129/relations dev.jmttrading.org # Reference: https://twitter.com/RedDrip7/status/1186562944311517184 # Reference: https://blog.alyac.co.kr/2388 (Korean) # 
Reference: https://twitter.com/RedDrip7/status/1186562944311517184 # Reference: https://otx.alienvault.com/pulse/5db06ad90686f3bad959d7fc crabbedly.club craypot.live czinfo.club indagator.club pegasusco.net smilekeepers.co # Reference: https://twitter.com/0xD0CF11E0A1B11/status/1187264570861076481 thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi juliesoskin.com/includes/common/list.php necaled.com/modules/applet/list.php valentinsblog.de/wp-admin/includes/list.php # Reference: https://twitter.com/blackorbird/status/1187619261612609536 # Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html # Reference: https://www.virustotal.com/gui/ip-address/218.255.24.226/relations 119.18.230.253:443 218.255.24.226:443 # Reference: https://twitter.com/Rmy_Reserve/status/1188235835956551680 # Reference: https://app.any.run/tasks/42c972b1-ec38-4637-9354-9de930ff50b2/ curiofirenze.com # Reference: https://twitter.com/blackorbird/status/1202177008572092417 unioncrypto.vip # Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/ 107.172.197.175:443 172.93.201.219:443 192.210.213.178:443 198.180.198.6:443 209.90.234.34:443 23.227.196.116:443 23.227.199.53:443 23.254.119.12:443 23.81.246.179:443 37.72.175.179:443 64.188.19.117:443 74.121.190.121:443 # Reference: https://securelist.com/operation-applejeus-sequel/95596/ # Reference: https://otx.alienvault.com/pulse/5e15b526b4f8bc605744ad76 aeroplans.info beastgoc.com buckfast-zucht.de chainfun365.com cyptian.com invesuccess.com jmttrading.org mydealoman.com private-kurier.com unioncrypto.vip wb-bot.org wb-invest.net wfcwallet.com # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-03-08-hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.csv falcancoin.io # Reference: https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/ # 
Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045d # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045e # Reference: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045b # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045a # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045f 94.177.123.138:8088 193.56.28.103:88 197.211.212.59:7443 181.39.135.126:7443 112.175.92.57:443 81.94.192.147:443 21.252.107.198:23164 70.224.36.194:59681 113.114.117.122:23397 47.206.4.145:59067 84.49.242.125:17770 26.165.218.44:2248 137.139.135.151:64694 97.90.44.200:37120 128.200.115.228:52884 186.169.2.237:65292 188.165.37.168:80 159.100.250.231:80 159.100.250.231:8080 107.6.12.135:443 210.202.40.35:443 # Reference: https://twitter.com/AffableKraut/status/1234726033930248198 74.121.190.140:8443 # Reference: https://twitter.com/RedDrip7/status/1254678135133442048 # Reference: https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-targeted-attack-against-south-korea-using-new-crown-outbreak-bait/ # Reference: https://www.virustotal.com/gui/domain/teslacontrols.ir/relations afuocolento.it/wp-admin/network/server_test.php kingsvc.cc mbrainingevents.com/wp-admin/network/server_test.php sofa.rs/wp-admin/network/server_test.php sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg teslacontrols.ir/wp-includes/images/detail31.jpg teslacontrols.ir/wp-includes/images/detail32.jpg /wp-admin/network/server_test.php # Reference: https://twitter.com/cyberwar_15/status/1254736896330133504 matteoragazzini.it/wp-content/uploads/2017/06/category.php # Reference: https://twitter.com/DeadlyLynn/status/1257504361577496576 # Reference: https://twitter.com/ShadowChasing1/status/1257511608189743105 astedams.it/uploads/template/17.dotm astedams.it/include/inc-elenco-offerter.asp # Reference: https://twitter.com/spider_girl22/status/1258224278194941953 
astedams.it/uploads/frame/61.dotm # Reference: https://objective-see.com/blog/blog_0x57.html # Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/ # Reference: https://otx.alienvault.com/pulse/5eb2fabf6c26a287f705ca20 185.62.58.207:443 67.43.239.146:443 # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md#IOC # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/CSV/IOC-Lazarus_2020_05_05.csv # Reference: https://www.virustotal.com/gui/file/1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f/behavior/VMRay # Reference: https://www.virustotal.com/gui/file/66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88/behavior/QiAnXin%20RedDrip 51.77.65.154:443 192.169.250.185:443 sanlorenzoyacht.com/newsl/uploads/docs/43.dotm elite4print.com/admin/order/batchPdfs.asp od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm # Reference: https://twitter.com/cyberwar_15/status/1264353716930412544 # Reference: https://www.virustotal.com/gui/file/e637c86ae20a7f36a0ad43618b00c48f47b5591a03af3fb689a16c45afa43733/detection # Reference: https://www.virustotal.com/gui/file/d3a402458682c4febacc6ae4bc98e15e92142603a97d51316eeee9e8bca77f88/detection depts.washington.edu/dswkshp/wordpress/wp-content/themes/twentyfifteen/inc/io/ # Reference: https://twitter.com/spider_girl22/status/1265486116393713665 anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg # Reference: https://twitter.com/cyberwar_15/status/1265266629044080642 # Reference: https://asec.ahnlab.com/1323 (Korean) mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php sixbitsmedia.com/wp-content/uploads/wp-logs/category.php # Reference: https://twitter.com/ShadowChasing1/status/1267431134662541317 fudcitydelivers.com sctemarkets.com # Reference: 
https://twitter.com/IntezerLabs/status/1268158680593313794 threegood.cc # Reference: https://twitter.com/ccxsaber/status/1268020350605910016 coingotrade.com kupaywallet.com # Reference: https://twitter.com/Vishnyak0v/status/1269635930878545922 bluemoonresearch.org fitnessdirector.net # Reference: https://twitter.com/RedDrip7/status/1270201358721769475 paghera.com/include/inc-main-default-news.asp # Reference: https://twitter.com/ShadowChasing1/status/1270728525926944768 ne-ba.org/files/gallery/img/img.asp # Reference: https://twitter.com/MBThreatIntel/status/1270741821560406019 160.20.147.253:8443 audiopodcasts.co/verify.php lastedforcast.com/list.php # Reference: https://twitter.com/spider_girl22/status/1275366600560873473 # Reference: https://www.virustotal.com/gui/file/0fa91cac5712cfc0848af092190fd3d09948f1a7750547f0f16d1867dac6288a/detection thestreetsmartsalesman.com/wp-content/uploads/wp-logs/category.php # Reference: https://twitter.com/JAMESWT_MHT/status/1275396942139469824 # Reference: https://app.any.run/tasks/5ddb7e93-bfc8-49a9-bd52-6b70f57c3846/ scertodisha.nic.in/wp-content/plugins/photo-gallery/admin/controllers/Photo.php haciendasacchich.com/wp-content/plugins/photo-gallery/admin/views/404.php annafalkenau.com/awstats/data/upload.php # Reference: https://blog.reversinglabs.com/blog/hidden-cobra # Reference: https://otx.alienvault.com/pulse/5ef2252af73ae43d92eecd15 1688dsj.com amytanathorn.com ccsnbao.com fmose.com fudcitydelivers.com lavaandstone.com sctemarkets.com vns1389.com # Reference: https://twitter.com/ShadowChasing1/status/1276324740878102529 anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg # Reference: https://twitter.com/JAMESWT_MHT/status/1276471822217891840 # Reference: https://app.any.run/tasks/109752e9-2c7f-4d5c-9c3f-300bddc4c0db/ down.1230578.com # Reference: https://twitter.com/felixaime/status/1280053007036624896 # Reference: https://sansec.io/research/north-korea-magecart # Reference: 
https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/ # Reference: https://www.virustotal.com/gui/file/a6c803d7a185f896a6c90f78891c5dbb904df3535825764e05432641ab059fb1/detection areac-agr.com papers0urce.com # Reference: https://twitter.com/gwillem/status/1281128245052805120 focuscamere.com # Reference: https://twitter.com/patrickwardle/status/1286109626941845504 # Reference: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ 104.232.71.7:443 107.172.197.175:443 108.170.31.81:443 111.90.146.105:443 111.90.148.132:443 172.81.132.41:443 172.93.184.62:443 172.93.201.219:443 185.62.58.207:443 192.210.239.122:443 198.180.198.6:443 209.90.234.34:443 216.244.71.233:443 23.227.199.53:443 23.227.199.69:443 23.254.119.12:443 67.43.239.146:443 68.168.123.86:443 # Reference: https://twitter.com/cyberwar_15/status/1287291019537473538 nextlevelliving.pro/wp-content/uploads/js_composer/images/8c206b81-f5b1-4242-84d3-237ce728ff35.php # Reference: https://twitter.com/AnonySecAgency/status/1290115260116897792 # Reference: https://www.virustotal.com/gui/file/40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13/detection publishapp.co # Reference: https://twitter.com/RedDrip7/status/1293462469214531584 # Reference: https://www.virustotal.com/gui/file/b0921142f8d3067c8253931977999a5092470ff3e562586d87af68c28ec66a99/detection unsunozo.org/include/notes/notes.asp # Reference: https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html # Reference: https://otx.alienvault.com/pulse/5f4d20e8d417f271a62e0aeb gestao.simtelecomrs.com.br/sac/digital/client.jsp sac.onecenter.com.br/sac/masks/wfr_masks.jsp mk.bital.com.br/sac/Formule/Manager.jsp # Reference: https://twitter.com/IntezerLabs/status/1300403461809491969 # Reference: https://analyze.intezer.com/analyses/13d64c6e-6ac7-4888-a682-138a06cbaf16/ # Reference: 
https://www.virustotal.com/gui/file/390f9aae2dd5f0584106e3aa315bbd28a8c6479f126a4f13c7c3a62e19356634/detection 104.217.163.61:443 107.175.172.129:443 37.72.168.228:443 # Reference: https://twitter.com/ShadowChasing1/status/1302180729174937600 fabianiarte.com/uploads/imgup/21it-23792.jpg # Reference: https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html # Reference: https://otx.alienvault.com/pulse/5f7389601681e32d5bf045f6 automercado.co.cr/empleo/css/main.jsp curiofirenze.com/include/inc-site.asp ne-ba.org/files/news/thumbs/thumbs.asp sanlorenzoyacht.com/newsl/include/inc-map.asp # Reference: https://twitter.com/h2jazi/status/1311644338812792833 # Reference: https://www.virustotal.com/gui/file/d2f1cccfe688c074c3d58ae8f7be7b10dbea5d7ae53320c3f7b6e48cd4f62955/detection phukien2a.net/images/images.zip.000 # Reference: https://blog.talosintelligence.com/2020/11/crat-and-plugins.html # Reference: https://otx.alienvault.com/pulse/5faf04431c479940b422288b teslacontrols.ir/wp-includes/images/detail31.jpg teslacontrols.ir/wp-includes/images/detail32.jpg sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg publishapp.co/update/check.php sideforum.cc/forum/list.php freeforum.co/forum/list.php goodfriend.pro/projects/list.php friendship.me/users/register.php threegood.cc/api/manage/customers Engpro.xyz/images/detail.php infocop.me/products/list.php teamspit.pro/adverts/follow.php dodoi.cc/photos/preview.php advertapp.me/user/invite.php insideforum.me/forum/list.php anyoneforum.cc/forum/list.php goodproject.xyz/projects/list.php hellofriend.pro/users/register.php moonge.cc/wp-content/plugins/google-sitemap-generator/sitemap-builder-embed.php calculactcal.org/wp-content/themes/twentysixteen/body.php 3cuartos.com/wp-content/plugins/music-press-pro/templates/global/update.php worldfoodstory.co.uk/wp-includes/register.php bokkeriejesj.nl/wp-content/plugins/music-press-pro/upload.php encontrosmaracatu.com.br/wp-content/plugins/music-press-pro/templates/global/topmenu.php 
theblackout.fr/wp-content/plugins/music-press-pro/music-pro.php mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php tiramisu.it/wp-content/plugins/wp-comment-form.php kartacnictvi.cz/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/upload.php dimer-group.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/download.php ecolerubanvert.com/wp-content/plugins/image-intense/know.php lwac.com/wp-content/plugins/gallery-plugin/includes/demo-data/images/music/photo.php copansrl.it/wp-admin/user/invite.php arar-musique.fr/wp-content/plugins/music-press-pro/includes/admin/upgrade.php firstalliance.church/wp-content/plugins/music-press/templates/404.php erickeleo.com.br/wp-content/plugins/music-press-pro/go.php kingsvc.cc/index.php sofa.rs/wp-admin/network/server_test.php afuocolento.it/wp-admin/network/server_test.php mbrainingevents.com/wp-admin/network/server_test.php afuocolento.it/wp-includes/process.php # Reference: https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ # Reference: https://otx.alienvault.com/pulse/5fb4044fd5f18831c24c6af6 cowp.or.kr/html/board/main.asp erpmas.co.kr/Member/franchise_modify.asp fored.or.kr/home/board/view.php gncaf.or.kr/cafe/cafe_board.asp gongsinet.kr/comm/comm_gongsi.asp goojoo.net/board/banner01.asp hsbutton.co.kr/bbs/bbs_write.asp hstudymall.co.kr/easypay/web/bottom.asp ikrea.or.kr/main/main_board.asp pcdesk.co.kr/Freeboard/mn_board.asp pgak.net/service/engine/release.asp quecue.kr/okproj/ex_join.asp style1.co.kr/main/view.asp wowpress.co.kr/customer/refuse_05.asp zndance.com/shop/post.asp # Reference: https://twitter.com/h2jazi/status/1334353120038678528 # Reference: https://www.virustotal.com/gui/file/c19064733f2a23f09c8b16b3847cceeac8f61488be57911cefceb75425501097/detection ilhak.co.kr/images/data/upload.asp ktri.or.kr/upload/mail/upload.asp warevalley.com/support/orange_open.asp # Reference: 
https://twitter.com/BitsOfBinary/status/1321488299932983296 # Reference: https://twitter.com/BitsOfBinary/status/1337330286787518464 # Reference: https://twitter.com/mg2_tracy1/status/1337335098224508928 # Reference: https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=3051 admforte.com.br/wp-content/plugins/top.php dafnefonseca.com/wp-content/themes/top.php drei-schneeballen.de/wp-content/plugins/nextgen-gallery/view.php funny-pictures.picphotos.net/saint-louis-senior-photos-senior-pictures-seniors-st-louis-st-louis/upload.php greenvideo.nl/wp-content/themes/top.php haciendadeclarevot.com/wp-content/top.php justholdfast.com/doodle/wp-content/plugins/top.php qwerty.creativehonduras.com/wp-includes/class-wp-redirect.php shahrtdc.com/wp-content/plugins/top.php tag-cloud-photo.freeware.filetransit.com/login.php urbankizomba.se/wp-content/plugins/photo-gallery/filemanager/upload.php # Reference: https://otx.alienvault.com/pulse/5fd8dbfcfed23b6fa1393ea9 yakufreshperu.com/facturacion/public/css/main.php shikshakibaat.com/classes/detail.jsp sanlorenzoyacht.com/newsl/include/inc-map.asp paghera.com/content/view/thumb/info.asp lyzeum.com/popup/popup.asp index-consulting.jp/eng/news/index.php hansolhope.or.kr/welfare/notice/view.jsp forecareer.com/gdcareer/officetemplate-20nab.asp fidesarte.it/thumb/multibox/style/common.asp fabianiarte.com/uploads/imgup/21it-23792.jpg fabianiarte.com/pdf/thumbs/thumb.asp emilypress.com/CMWorking/Static/service/center.asp curiofirenze.com/include/inc-site.asp calculadoras.mx/themes/pack/pilot.php automercado.co.cr/empleo/css/main.jsp astedams.it/photos/image/image.asp arumdaunresort.com/admin/html/user/contact.asp apars-surgery.org/bbs/bbs_files/board_photo/menu.php anca-aste.it/uploads/form/02E319AF73A33547343B71D5CB1064BC.dotm vega.mh-tec.jp/.well-known/index.php turnscor.com/ACT/images/slide/view.jsp prestigein-am.jp/akita/wp-includes/wp-rss1.php genieaccount.com/images/common/common.asp acanicjquery.com/slides/style.php 
mannpublicwhseltd.com/cservice.asp hirokawaunso.co.jp/wordpress/wp-includes/review.php anisweb.org/layout/site/style/preview.jsp support.medicalinthecloud.com/TechCenter/include/slide.asp pennontraders.com/assets/slides/view.jsp indoweb.org/love/data/common/common.php admin.shcpa.co.kr/_asapro2/formmail/lib.php http://137.74.114.227/theveniaux/webliotheque/public/css/main.php http://125.206.177.152/old/viewer.php # Reference: https://twitter.com/BitsOfBinary/status/1339623925274296323 muzeyyengroup.com/wp-content/help.php puskesmas-terminal.com/wp-content/help.php zeandf.com/wp-content/help.php # Reference: https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ # Reference: https://otx.alienvault.com/pulse/5fe36c30dbe6a83c04783415 bytecortex.com.br/eletronicos/digital.jsp client.livesistemas.com/Live/posto/system.jsp cometnet.biz/framework/common/common.asp gongim.com/board/ajax_Write.asp iski.silogica.net/events/serial.jsp k-kiosk.com/bbs/notice_write.asp kne.co.kr/upload/Customer/BBS.asp locknlockmall.com/common/popup_left.asp sac.najatelecom.com.br/sac/Dados/ntlm.jsp sistema.celllab.com.br/webrun/Navbar/auth.jsp # Reference: https://twitter.com/ShadowChasing1/status/1349924271791882247 # Reference: https://www.virustotal.com/gui/file/867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36/detection # Reference: https://www.virustotal.com/gui/file/89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957/detection aideck.net # Reference: https://twitter.com/ShadowChasing1/status/1349927630183694339 creaideck.com/update/darwin64.bin # Reference: https://www.virustotal.com/gui/file/d09041e3d635ddb28540b11cf180a30a28fc04c2ee6e5d994aa0bacc9633e944/detection hpc.kau.ac.kr/rolling_banner/tmp4c5ae3.p3a hpc.kau.ac.kr/error2.php # Reference: https://twitter.com/BushidoToken/status/1353684625382641664 # Reference: https://www.virustotal.com/gui/ip-address/120.138.8.26/relations # Reference: 
https://www.virustotal.com/gui/file/cabb45c99ffd8dd189e4e3ed5158fac1d0de4e2782dd704b2b595db5f63e2610/detection # Reference: https://www.virustotal.com/gui/file/a9b3bc337043c04f529b2c19b3e33df1ad59bce27c074427e7b563db3a83c37b/detection # Reference: https://www.virustotal.com/gui/file/bdf9fffe1c9ffbeec307c536a2369eefb2a2c5d70f33a1646a15d6d152c2a6fa/detection advantims.com # Reference: https://twitter.com/ShadowChasing1/status/1353972356759187456 angeldonationblog.com # Reference: https://twitter.com/K_N1kolenko/status/1353975032104558592 # Reference: https://twitter.com/500mk500/status/1353992570519609344 # Reference: https://twitter.com/RedDrip7/status/1354038387603197952 # Reference: https://twitter.com/sS55752750/status/1354059524739653633 # Reference: https://twitter.com/vngkv123/status/1357247638228226053 # Reference: https://twitter.com/blackorbird/status/1357259907448229888 # Reference: https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg (Korean) # Reference: https://enki.co.kr/blog/2021/02/04/ie_0day.html (Korean) # Reference: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ # Reference: https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/ # Reference: https://otx.alienvault.com/pulse/60103a3268891c63b1f24d74 # Reference: https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection # Reference: https://www.virustotal.com/gui/file/a08d24f74027256c6fd5c5a2fdb15b12889971fbdcfa7a28ffebbfe8b15aaefb/detection # Reference: https://www.virustotal.com/gui/file/9c906c2f3bfb24883a8784a92515e6337e1767314816d5d9738f9ec182beaf44/detection # Reference: https://www.virustotal.com/graph/embed/g4784ec032b3f4cb987a616f4b2dbc9aa9a982d9b20494f8980ae611a4ca3a1d8 angeldonationblog.com codebiogblog.com codevexillium.org investbooking.de krakenfolio.com opsonew3org.sg transferwiser.io transplugin.io blog.br0vvnn.io 
codevexillium.org/image/download/download.asp colasprint.com/_vti_log/upload.asp dronerc.it/forum/uploads/index.php dronerc.it/shop_testbr/Adapter/Adapter_Config.php dronerc.it/shop_testbr/Core/upload.php dronerc.it/shop_testbr/upload/upload.php edujikim.com/intro/blue/insert.asp fabioluciani.com/ae/include/constant.asp fabioluciani.com/es/include/include.asp loonsaloon.com/wp-content/plugins/revslider/hello.php transplugin.io/upload/upload.asp trophylab.com/notice/images/renewal/upload.asp # Reference: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html # Reference: https://otx.alienvault.com/pulse/601052e27a2c451b3ba5ed31 akramportal.org/public/voice/voice.php commodore.com.tr/mobiquo/appExtt/notdefteri/writenote.php fabianiarte.com/newsletter/arte/view.asp hirokawaunso.co.jp/wordpress/wp-includes/ID3/module.audio.mp4.php index-consulting.jp/eng/news/index.php inovecommerce.com.br/public/pdf/view.php ja-fc.or.jp/shop/shopping.php kenpa.org/yokohama/main.php leemble.com/5mai-lyon/public/webconf.php mail.clicktocareers.com/dev_clicktocareers/public/mailview.php scimpex.com/admin/assets/backup/requisition/requisition.php tronslog.com/public/appstore.php vega.mh-tec.jp/.well-known/index.php # Reference: https://twitter.com/Dashowl/status/1354264740692942848 trophylab.com/design/trophy/product/lmages/logo.png worldspia.kr/upload_images/inc/LOG.PHP # Reference: https://twitter.com/mattyb1512/status/1354070629469872129 ctrac.online # Reference: https://twitter.com/h2jazi/status/1362109944791764993 # Reference: https://www.virustotal.com/gui/file/0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba/detection # Reference: https://www.virustotal.com/gui/file/91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd/detection # Reference: https://www.virustotal.com/gui/file/dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61/detection kupaywallet.com levelframeblog.com dorusio.com/dorusio_update.php # Reference: 
https://twitter.com/ShadowChasing1/status/1362362744909930496 materialindia.in/wp/wp-main/gallery/profile2.php totalmateria.net/wp/profile2.php # Reference: https://securelist.com/lazarus-threatneedle/100803/ # Reference: https://otx.alienvault.com/pulse/6037c3cea83bb963f5be0d51/ http://156.245.16.55/admin/admin.asp americanhotboats.com/forums/core/cache/index.php astedams.it/photos/image/image.asp au-pair.org/admin/Newspaper.asp au-pair.org/admin/login.asp automercado.co.cr/empleo/css/main.jsp cloudarray.com/images/logo/videos/cache.jsp colasprint.com/_vti_log/upload.asp curiofirenze.com/include/inc-site.asp dellarocca.net/it/content/img/img.asp digitaldowns.us/artman/exec/upload.php djasw.or.kr/sub/popup/images/upfiles.asp docentfx.com/wp-admin/includes/upload.php dronerc.it/forum/uploads/index.php dronerc.it/shop_testbr/Adapter/Adapter_Config.php edujikim.com/intro/blue/view.asp edujikim.com/pay/sample/INIstart.asp edujikim.com/smarteditor/img/upload.asp fabioluciani.com/ae/include/constant.asp fabioluciani.com/es/include/include.asp forum.iron-maiden.ru/core/cache/index.php forum.snowreport.gr/cache/template/upload.php fredrikarnell.com/marocko2014/index.php geeks-board.com/blog/wp-content/uploads/2017/cache.php gonnelli.it/uploads/catalogo/thumbs/thumb.asp juvillage.co.kr/img/upload.asp kannadagrahakarakoota.org/forums/admincp/upload.php kbcwainwrightchallenge.org.uk/connections/dbconn.asp kwwa.org/DR6001/FN6006LS.asp kwwa.org/popup/160307/popup_160308.asp lyzeum.com/board/bbs/bbs_read.asp lyzeum.com/images/board/upload.asp martiancartel.com/forum/customavatars/avatars.php mdim.in.ua/core/cache/index.php newidealupvc.com:443/img/prettyPhoto/jquery.max.php polyboatowners.com/2010/images/BOTM/upload.php polyboatowners.com/css/index.php prototypetrains.com:443/forums/core/cache/index.php raiestatesandbuilders.com/admin/installer/installer/index.php roit.co.kr/xyz/mainpage/view.asp sanatoliacare.com/include/index.asp sanlorenzoyacht.com/newsl/include/inc-map.asp 
shinwonbook.co.kr/basket/pay/open.asp shinwonbook.co.kr/board/editor/upload.asp theforceawakenstoys.com/vBulletin/core/cache/upload.php waterdoblog.com/uploads/index.asp # Reference: https://twitter.com/AnonySecAgency/status/1366971633458548738 # Reference: https://twitter.com/ShadowChasing1/status/1366988046294376450 # Reference: https://www.virustotal.com/gui/file/03cd4ec3defa490e68b1ca2efaf8daea6f89d3cceed51c91f4c4f9e2222d258d/detection gcloud-share.com dshellelink.gcloud-share.com # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1225581378840006656 (# DangerousPasswords) # Reference: https://pastebin.com/raw/cLWvyJ20 # Reference: https://twitter.com/Rmy_Reserve/status/1230881875767377920 # Reference: https://twitter.com/ShadowChasing1/status/1328208737933246464 # Reference: https://www.virustotal.com/gui/file/4c574c1a2b126c8a5ba1ef9560516d0ac9990c0253119f874eb084b57742e3d7/detection http://84.201.189.216 103.205.179.4:8080 amazonaws1.info gdrvup.xyz gmaildrive.site googleauth.pro googledriver.info googleupload.info liveonedrvshare.xyz secureshares.online gdriveupload.info # Reference: https://twitter.com/Rmy_Reserve/status/1246404220040802309 (# DangerousPassword) 88.204.166.59:8080 # Reference: https://twitter.com/ShadowChasing1/status/1339195498519875585 (# DangerousPassword) gdocshare.com # Reference: https://twitter.com/ShadowChasing1/status/1367368069618700291 # Reference: https://twitter.com/_re_fox/status/1260931809103101957 # Reference: https://twitter.com/_re_fox/status/1301564536575733760 # Reference: https://twitter.com/_re_fox/status/1301565785345863689 # Reference: https://twitter.com/mattnotmax/status/1370311682354941954 # Reference: https://twitter.com/cyber__sloth/status/1285510760303656960 # Reference: https://www.virustotal.com/gui/file/d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805/detection # Reference: https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_302_kodera_jp.pdf (Japanese) # Reference: 
https://www.virustotal.com/gui/file/01184a5acb8b3ec56c9e90f2e6cd6673ae83b4fd6982e17329b33da2f77bcf5b/detection doc.gsheetshare.org docs.dsharefile.tech docs.gdriveshare.top drop.trailads.net dsharefile.tech gsheetshare.org filehost.network mdown.showprice.xyz mse.theworkpc.com name.ownemail.me newsbtctech.com ownemail.me share.onedrvfile.site shop.newsbtctech.com trailads.net up.digifincx.com up.myemail.works # Reference: https://twitter.com/ShadowChasing1/status/1339933511973699584 (# DangerousPassword) # Reference: https://www.virustotal.com/gui/file/c64e2993563345fd497cfc382de27c7791b4f172d2c50d79b6290c2f9c06102c/detection google-clouds.com # Reference: https://twitter.com/cyber__sloth/status/1344208175168368641 (# DangerousPassword) # Reference: https://twitter.com/cyber__sloth/status/1344208380525752321 (# DangerousPassword) addrcheck.corecheckmailsrv.com cloud-sheet.net cloud.optvers.net corecheckmailsrv.com digitalcurencygroup.co down.privatework.buzz fidelitydigitalsassets.com gdocshare.com goglestorage.com google-clouds.com googleproduct.org gsuiteshare.com msftoffice.com myemail.works official.googleproduct.org presentonline.xyz privatework.buzz sharesvr.net # Reference: https://twitter.com/h2jazi/status/1369305004922855431 # Reference: https://twitter.com/h2jazi/status/1369307165807280135 torgirf.ru/loginhome.css # Reference: https://twitter.com/h2jazi/status/1370024802791096320 # Reference: https://www.virustotal.com/gui/file/46fcbc170e84d8ad48434251421bd8f6fa49a7e741d2c24d31c170c607c60d51/detection # Reference: https://www.virustotal.com/gui/file/c8a8d2caa429a8bbe885ef8d59d982b4bfd9c48f1255ff69e3b81c6bbd7b2925/detection dronerc.it/shop_testbr/localization/dir_photoes/image.php dronerc.it/shop_testbr/localization/dir_photoes/logo.php # Reference: https://twitter.com/h2jazi/status/1354880834092859395 # Reference: https://www.virustotal.com/gui/ip-address/104.168.158.103/relations # Reference: 
https://www.virustotal.com/gui/file/aec3ced40a3451dc2c6b1704cc50b0e0c8e549faaa8ae42b6d6f421b4fc2ef8a/detection # Reference: https://www.virustotal.com/gui/file/e7a4d8b80dc653a47440db2a8deaf782109bb710e5d4311bc3d7685dba715865/detection # Reference: https://www.virustotal.com/gui/file/75d3d96033db529c9ae698ac6de8fba420c2daa5d97614d7118f49e03c2d83d3/detection documentprotect.live documentprotect.pro # Reference: https://twitter.com/h2jazi/status/1373985591814197250 # Reference: https://www.virustotal.com/gui/file/09b83a501b8f919fc4861735097dd50957f21e81209d362b4fa425bd3348a495/detection cloudshare.jumpshare.vip # Reference: https://twitter.com/HONKONE_K/status/1374178555634933762 # Reference: https://www.virustotal.com/gui/file/66e96fbd6e977ddef3f0a2924978d92e5d67bd96e68dc4832f5041dbd40bcfc9/detection # Reference: https://www.virustotal.com/gui/file/e087d06c552aeef36c2ba9fdd14b06fca499f2d37dfea21e480a02a748b19bf1/detection antcapital.us document.antcapital.us protect.antcapital.us # Reference: https://twitter.com/DrN1ght/status/1374026917343543301 chemistryworld.us coinbigex.com innoenergy.info mclland.com qooqle.download # Reference: https://twitter.com/h2jazi/status/1375528365587894272 # Reference: https://www.virustotal.com/gui/file/2fdba1e332203ca0d01992b137ebeaa1f21f7c3daec7230e6b8a4d36182caed4/detection sanlorenzoyacht.com/newsl/uploads/docs/ # Reference: https://twitter.com/ShadowChasing1/status/1377610488830291973 # Reference: https://twitter.com/ShadowChasing1/status/1377628563000594433 # Reference: https://securelist.com/dtrack-targeting-europe-latin-america/107798/ toysbagonline.com purewatertokyo.com pinkgoat.com purplebear.com yellowlion.com salmonrabbit.com bluecow.com # Reference: https://twitter.com/darktracer_int/status/1380309710721622016 # Reference: https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/ # Reference: https://otx.alienvault.com/pulse/60739323ef1b2b3a187f0f15 4bjt2rceijktwedi.onion 
cwwpxpxuswo7b6tr.onion # Reference: https://twitter.com/fr0s7_/status/1381328726819020804 # Reference: https://www.virustotal.com/gui/file/e514d83d2aaa1357b34f5f11ecc35afe10b6240796e085977e9d4a56145bb8b3/detection protectoffice.club # Reference: https://twitter.com/ShadowChasing1/status/1382514587589742597 # Reference: https://www.virustotal.com/gui/file/f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72/detection jinjinpig.co.kr/Anyboard/skin/board.php mail.namusoft.kr/jsp/user/eam/board.jsp # Reference: https://www.group-ib.com/blog/btc_changer luxmodelagency.com/wp-incluses/random_compat/zeus/wongs/wongs.php /random_compat/zeus/wongs/wongs.php /zeus/wongs/wongs.php # Reference: https://twitter.com/ShadowChasing1/status/1384016097494507521 # Reference: https://twitter.com/cyberwar_15/status/1384462513249546244 # Reference: https://www.virustotal.com/gui/file/79e15cc02c6359cdb84885f6b84facbf91f6df1254551750dd642ff96998db35/detection ddjm.co.kr/bbs/icon/skin/skin.php snum.or.kr/skin_img/skin.php # Reference: https://www.virustotal.com/gui/file/6d2ecc3b0a43f0c377ea6d9a68aa5ac0d48635a04219264fb0702976efea8ef6/detection http://121.146.68.233/fileserver/temp/platform.asp http://121.254.224.218/angkor.ylw.common.fileserviceserver/web/document/netframework.asp codibest.com/data/geditor/main_1.php gbflatinamerica.com myungokhun.co.kr/_proc/member/member_bk.asp /angkor.ylw.common.fileserviceserver/web/document/netframework.asp /data/geditor/main_1.php /fileserver/temp/platform.asp # Reference: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/ # Reference: https://otx.alienvault.com/pulse/608af383c5be4591c5da02e5 akramportal.org/delv/public/voice/voice.php apars-surgery.org/bbs/bbs_files/board_blog/write.php bootcamp-coders.cnm.edu ctevt.org.np/ctevt/public/frontend/review.php forecareer.com/gdcareer/officetemplate-20nab.asp gbflatinamerica.com/file/filelist.php goldllama4.sakura.ne.jp 
hospitality-partners.co.jp/works/performance/consumer.php inovecommerce.com.br/public/pdf/view.php mail.clicktocareers.com/public/jobapplications/jdviewer.php propro.jp/wp-content/documents/docsmgmt.php vega.mh-tec.jp/.well-known/gallery/siteview.php # Reference: https://www.virustotal.com/gui/file/610047be0b2360d609baa71be22ddc5814743868886f8d85ab9985d3f01229d6/detection mappo-on.life help.mappo-on.life # Reference: https://www.virustotal.com/gui/file/27bfac11c1f9184b515fbf5fcd946e921c95506f89eb273e148fcf0068e50932/detection octo-manage.net help.octo-manage.net # Reference: https://twitter.com/ShadowChasing1/status/1391981731394187266 # Reference: https://www.virustotal.com/gui/file/a0d070b66408654cdcb84784e77914dc355a23c81e3e6ef36362470619c4de96/detection http://45.61.136.204 googledocpage.com # Reference: https://twitter.com/ShadowChasing1/status/1393356174506921985 # Reference: https://www.virustotal.com/gui/file/8e1746829851d28c555c143ce62283bc011bbd2acfa60909566339118c9c5c97/detection allgraphicart.com # Reference: https://twitter.com/ShadowChasing1/status/1397768682776895491 # Reference: https://www.virustotal.com/gui/file/8d48a77e7a4b8c824d8c1b890dc3e2b904e6fa8fbe8dae1a22f5870916c01c20/detection sslsharecloud.net dev.sslsharecloud.net # Reference: https://twitter.com/ShadowChasing1/status/1398468263818928136 ewha-ac.ml # Reference: https://twitter.com/ShadowChasing1/status/1399369260577681426 # Reference: https://www.virustotal.com/gui/file/4059fea324e27cfbd4955f37dc7791709dbf35a800449373c6715bc53b88f7c5/detection amene.homepc.it # Reference: https://twitter.com/360CoreSec/status/1402920149754155010 # Reference: https://www.virustotal.com/gui/file/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c/detection # Reference: https://www.virustotal.com/gui/file/3b33b0739107411b978c3cbafb312a44b7488bd7adabae3e7b02059240b6dc83/detection shopweblive.com # Reference: https://twitter.com/h2jazi/status/1406401709157629952 # Reference: 
https://twitter.com/ShadowChasing1/status/1406592585796177924 # Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ # Reference: https://www.virustotal.com/gui/file/5c2f339362d0cd8e5a8e3105c9c56971087bea2701ea3b7324771b0ea2c26c6c/detection allamwith.com/home/mobile/list.php conkorea.com/cshop/banner/list.php ddjm.co.kr/bbs/icon/skin/skin.php hivekorea.com/jdboard/member/list.php jinjinpig.co.kr/Anyboard/skin/board.php mail.namusoft.kr/jsp/user/eam/board.jsp mail.neocyon.com/jsp/user/sms/sms_recv.jsp mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp snum.or.kr/skin_img/skin.php /jsp/user/sms/sms_recv.jsp # Reference: https://twitter.com/360CoreSec/status/1405790277034418177 # Reference: https://www.virustotal.com/gui/file/35a39299c47bc701dbe7cb72fcb695d08eb2095d1a5b8b7942d3034d16435e89/detection # Reference: https://www.virustotal.com/gui/file/382a209ce5745c85507b0bd80b87496ad92128e6870199d0c33d6ddedc542dd1/detection # Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection 185.208.158.204:443 193.56.28.251:443 # Reference: https://twitter.com/ShadowChasing1/status/1405515076149284870 # Reference: https://www.virustotal.com/gui/file/4c4cc3abd3ddb15d5306fb647c6d779b18df5b949673bb3f3f87faa2c5f56a6a/detection authenticate.azure-drive.com # Reference: https://twitter.com/ShadowChasing1/status/1407993219720224771 elwoodasset.xyz sharemanage.elwoodasset.xyz # Reference: https://twitter.com/360CoreSec/status/1410127120177635328 52.202.193.124:443 # Reference: https://twitter.com/fr0s7_/status/1402394083331559431 # Reference: https://twitter.com/Jup1a/status/1402470227292561412 # Reference: https://www.virustotal.com/gui/file/1939d9fdcf831dc4cac001ba193669c75a336258bc99a1775471554229e4a69b/detection azure-drive.com download.azure-drive.com protect.azure-drive.com # Reference: 
https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12 # Reference: https://otx.alienvault.com/pulse/60e6d2a6786d43397db19bc7 grandgolf.co.kr/html/facilities/facilities_01_06.asp kdone.co.kr/Utils/EmailUtil.asp namchuncheon.co.kr/admin/BookAppl/Search_left.asp # Reference: https://twitter.com/ShadowChasing1/status/1412934665292316677 # Reference: https://twitter.com/ShadowChasing1/status/1412953330700062726 http://95.179.235.55 sharebusiness.xyz signverydn.sharebusiness.xyz # Reference: https://twitter.com/ShadowChasing1/status/1412932935523573760 # Reference: https://www.virustotal.com/gui/file/8afdf8513a6e3bede16187004daccc95e193a29062415d9ba0c29b98a5a927d1/detection devprocloud.com share.devprocloud.com # Reference: https://mp.weixin.qq.com/s/y-SHoh9f5qwAwqml3uf8vw # Reference: https://otx.alienvault.com/pulse/60f930c9c1a69acdb28adea6 smartaudpor.com # Reference: https://twitter.com/h2jazi/status/1445596955552272389 gozdeelektronik.net/wp-content/themes/0111/ # Reference: https://twitter.com/s1ckb017/status/1447476954639347712 # Reference: https://www.virustotal.com/gui/file/cf10c1cad090ab31d9e579df3bd22f3d0653792cb010e1d6ac0e2cd1ced52076 digitalguarder.com # Reference: https://twitter.com/h2jazi/status/1455601350222417926 # Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection mantis.linkundlink.de /logs/officetemplate.php # Reference: https://twitter.com/ESETresearch/status/1458438169502826508 # Reference: https://www.virustotal.com/gui/ip-address/45.147.231.213 # Reference: https://www.virustotal.com/gui/file/fe80e890689b0911d2cd1c29196c1dad92183c40949fe6f8c39deec8e745de7f/detection devguardmap.org navercorpservice.com # Reference: https://twitter.com/ShadowChasing1/status/1455489336850325519 # Reference: https://www.virustotal.com/gui/file/65b5709f67bb0fac31ec977f98cda6f89f4b38703ee5aeef0b633c33669ea88a/detection 
thetalkingcanvas.com/jobs/en-gb/jobs/9/details.php # Reference: https://twitter.com/h2jazi/status/1462832390632583168 # Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096 ditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php # Reference: https://twitter.com/ShadowChasing1/status/1465998017836707840 # Reference: https://twitter.com/ShadowChasing1/status/1465998020734898176 http://152.89.247.236 silvergatehr.com ny.silvergatehr.com /5Ek9724mz8oncul8Zx7E7CVDCdBNxuFFUO6pLk/ # Reference: https://twitter.com/k3yp0d/status/1468485748269662208 # Reference: https://app.any.run/tasks/ff306f89-64d4-4d30-8b72-7c0be0b1f9fb/ cloudplus.one drive.cloudplus.one # Reference: https://twitter.com/h2jazi/status/1462832390632583168 # Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096/detection aditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php # Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus_APT_Related.json # Reference: https://www.virustotal.com/gui/ip-address/149.28.162.113/relations dubbedfinally.link filesaves.cloud fsdriveshare.org googlesheetpage.org gsheetpage.com help-optus.com onedocshare.com onlinedoc.dev pilotview.cloud retrots.net tresordocs.com trollinguneaten.org database.retrots.net doc.filesaves.cloud docs.gsheetpage.com license.cloudplus.one product.onlinedoc.dev sheet.tresordocs.com support.pilotview.cloud # Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus.json autodiscover.vin banner-counter.com clarionhpdu.top craptioerne.com fhewkhwjehwekjfhwehfwe.com lif0.top smartscreenfilter.com statcounters.net vz206llb19o.com 2ab9.watashinonegai.ru b.watashinonegai.ru d.watashinonegai.ru apkv3.clarionhpdu.top cltpk.doomdns.org down.mykings.pw # Reference: https://twitter.com/souiten/status/1468818352156020737 # Reference: 
https://www.virustotal.com/gui/file/b3646d8cbadc7620ca7782f2525cc019740a3088f32e2ea9a6c97cc1432537b0/detection fsdriveshare.org dmarc.fsdriveshare.org file.fsdriveshare.org share.fsdriveshare.org # Reference: https://twitter.com/ffforward/status/1456239300593524741 # Reference: https://www.virustotal.com/gui/file/0b8d7a851920d4584777505f9fb484b226a8457d4049885a87c847f7d3532d28/detection stablemarket.org share.stablemarket.org # Reference: https://twitter.com/k3yp0d/status/1448552868907204612 # Reference: https://www.virustotal.com/gui/domain/cloudmgmt.org/relations cloudmgmt.org share.cloudmgmt.org # Reference: https://threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/ # Reference: https://otx.alienvault.com/pulse/61c9aff8d72c2a4731021bee allamwith.com/home/mobile/list.php conkorea.com/cshop/banner/list.php ddjm.co.kr/bbs/icon/skin/skin.php jinjinpig.co.kr/Anyboard/skin/board.php mail.namusoft.kr/jsp/user/eam/board.jsp mail.neocyon.com/jsp/user/sms/sms_recv.jsp mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp snum.or.kr/skin_img/skin.php /jsp/user/sms/sms_recv.jsp # Reference: https://twitter.com/h2jazi/status/1483521532433473536 # Reference: https://twitter.com/h2jazi/status/1483521535268769793 # Reference: https://www.virustotal.com/gui/file/0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b/detection lm-career.com # Reference: https://twitter.com/s1ckb017/status/1484451637653614592 # Reference: https://twitter.com/h2jazi/status/1486448926081302536 # Reference: https://www.virustotal.com/gui/file/0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1/detection allinfostudio.com markettrendingcenter.com yourblogcenter.com # Reference: https://twitter.com/czy_1116/status/1485813878550597632 # Reference: https://www.virustotal.com/gui/file/3542078fd524e3cb141d5bebf96aea73467505a07ae72fc58395afa14f22e8a3/detection gfinanzen.net portal.gfinanzen.net # Reference: 
https://twitter.com/ShadowChasing1/status/1486530954382348290 # Reference: https://www.virustotal.com/gui/file/ac7b6ca73207db6ec6d4af2632a7c842c32af6658e3214753e589b567d809125/detection docusign.agency # Reference: https://twitter.com/h2jazi/status/1487070198955978753 loneeaglerecords.com/wp-content/uploads/2020/01/images.tgz.001 /update_coingotrade.php # Reference: https://twitter.com/h2jazi/status/1490057626134192136 # Reference: https://www.virustotal.com/gui/file/08c3aaeec3da9a106536ad1beff4d2ed23d1e31c9481be60f5dbd5eb1a01d2e5/detection sportsblogweb.com # Reference: https://twitter.com/s1ckb017/status/1489591023030448129 # Reference: https://www.virustotal.com/gui/file/29de2289a2b111a4873e49402c310b2ad0e3de51b5562ee1422a37c514910c71/detection designautocad.org # Reference: https://twitter.com/cyberoverdrive/status/1490839283803951106 # Reference: https://www.virustotal.com/gui/file/353f82475fcfad5b3f06ed85a931bda46ec34279793b5d70085aa8c603e8ebec/detection datacentre.center # Reference: https://twitter.com/ShadowChasing1/status/1490958579930517504 # Reference: https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f/detection shopapppro.com shopapptech.com # Reference: https://twitter.com/pkalnai/status/1489269982814949382 # Reference: http://report.threatbook.cn/LS.pdf (Chinese) # Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection bmanal.com canyonzcc.com devguardmap.org industryinfostructure.com linkundlink.de mante.li shopandtravelusa.com mantis.linkundlink.de # Reference: https://twitter.com/jaydinbas/status/1468521246862233603 # Reference: https://www.virustotal.com/gui/file/ef2d3e488b781a7c6144afa8fc8ba2b6d085ca671100d04686097f3b4dd2ed42/detection mantis-gewa.technisat-digital.de # Reference: https://twitter.com/czy_1116/status/1498190652412203008 # Reference: 
https://www.virustotal.com/gui/file/4cbad835586faf1d91431d5421b58b4acda0bd280cfbaf8a5d4820aec486b0e6/detection bloomcloud.org share.bloomcloud.org # Reference: https://twitter.com/ShadowChasing1/status/1502240130702065664 open.googlesheetpage.org /KcyRbGDJKRZoaLq8lHh8/C0sHwcGMH2/ /C0sHwcGMH2/ /KcyRbGDJKRZoaLq8lHh8/ # Reference: https://twitter.com/malwrhunterteam/status/1503640289810038786 # Reference: https://twitter.com/malwrhunterteam/status/1504573045750571010 # Reference: https://twitter.com/malwrhunterteam/status/1506008938197643266 # Reference: https://twitter.com/h2jazi/status/1503826030812925962 # Reference: https://twitter.com/h2jazi/status/1503826034923388929 # Reference: https://www.virustotal.com/gui/file/8672acfb06258f5b6dec3700cd7f91a0c013a70a9664dbc6cf33a4c6406756ed/detection # Reference: https://www.virustotal.com/gui/file/e62a7d9184a841e2b53e41f2d85aa278b427e2e427dbfd8f4be072108e3089c1/detection # Reference: https://www.virustotal.com/gui/file/689d5513ad52ad5e7a631a9147049c4cc494ad514b81cf41e841fb244c766b8b/detection # Reference: https://www.virustotal.com/gui/file/a51cad94475e0af91d270146379574b5a8ae70a03098318ddf9912784ace3cba/detection encorpost.com foxiebed.com hillokay.com nhn-games.com sktelecom.help want-helper.com # Reference: https://twitter.com/h2jazi/status/1505965580075114498 # Reference: https://www.virustotal.com/gui/file/e3a4e97e27bcfb6126ebfe92827cfb6b7e0c04eb7f5426bf17dd366e4723d1ef/detection pvacek.cz/wp-content/plugins/akismet/control/en/en.jpg # Reference: https://twitter.com/h2jazi/status/1505983796897894401 # Reference: https://www.virustotal.com/gui/file/d0cf9c1f87eac9b8879684a041dd6a2e1a0c15e185d4814a51adda19f9399a9b/detection webhosttech.org # Reference: https://twitter.com/blackorbird/status/1507040337097027584 # Reference: https://blog.google/threat-analysis-group/countering-threats-north-korea/ disneycareers.net find-dreamjob.com indeedus.org varietyjob.com ziprecruiters.org blockchainnews.vip chainnews-star.com 
financialtimes365.com fireblocks.vip gatexpiring.com gbclabs.com giantblock.org humingbot.io onlynova.org teenbeanjs.com colasprint.com/about/about.asp varietyjob.com/sitemap/sitemap.asp financialtimes365.com/user/finance.asp gatexpiring.com/gate/index.asp humingbot.io/cdn/js.asp teenbeanjs.com/cloud/javascript.asp # Reference: https://twitter.com/jaydinbas/status/1506970733997604867 # Reference: https://twitter.com/ShadowChasing1/status/1508637858927587328 # Reference: https://twitter.com/ShadowChasing1/status/1509520460974723072 # Reference: https://twitter.com/ShadowChasing1/status/1511144288830119941 # Reference: https://asec.ahnlab.com/ko/33034/ (Korean) # Reference: https://www.virustotal.com/gui/ip-address/2.57.90.16/relations # Reference: https://www.virustotal.com/gui/ip-address/209.126.83.186/relations # Reference: https://www.virustotal.com/gui/file/2fc71184be22ed1b504b75d7bde6e46caac0bf63a913e7a74c3b65157f9bf1df/detection # Reference: https://www.virustotal.com/gui/file/392aba0070375051d7bc3cc478c4bb66c5f55be87ad797800f50a338c3e2479b/detection # Reference: https://www.virustotal.com/gui/file/a7c17e5fa55bcc60d4cff64dd37d0a1f0cc93f4f44b3cebd5633ca5af413e5cc/detection # Reference: https://www.virustotal.com/gui/file/ae7275988753fffb29bdb254babdf46773daf935b2721006fe66a1747af3d1d4/detection naveicoipf.online naveicoipg.online naveicoiph.online naveicoiph.online naveicoipa.tech naveicoipc.tech naveicoipd.tech naveicoipe.tech navermailteam.online 123fisd.naveicoipg.online aat1pbil.naveicoipg.online adzjvazj.naveicoipg.online aosm8cts.naveicoipg.online buiweggajhqwj.naveicoipg.online cecomtp3.naveicoipg.online edfeiyql.naveicoipg.online eoinlslsf.naveicoipg.online fwpoyktt.naveicoipg.online hytrycnc.naveicoipg.online jbmnqpwp.naveicoipg.online jvnquetbon.naveicoipg.online kdzdm1rq.naveicoipg.online kygfkdum.naveicoipg.online l1tog1iv.naveicoipg.online lbmwbnbieo.naveicoipg.online olsnvolqwe.naveicoipg.online pv5pnwlx.naveicoipg.online 
qogngnslel.naveicoipg.online tp0rw6ie.naveicoipg.online twlekqnwl.naveicoipg.online urm1o6h0.naveicoipg.online vm2rjonq.naveicoipg.online vnwoei.naveicoipg.online 6la0cwds.naveicoiph.online 9yxqida1b.naveicoiph.online d4yp8bphj3.naveicoiph.online dtdgwgfvr.naveicoiph.online gkins2p3i.naveicoiph.online kashaccn4.naveicoiph.online lkpiedozd.naveicoiph.online rxpz7z2yi8.naveicoiph.online gowelknx.naveicoipf.online xjowihgnxcvb.naveicoipf.online xuau0b2i.naveicoipf.online 4w9h8ps9.naveicoipa.tech 4w9h8ps9.naveicoipc.tech momls4ii.naveicoipa.tech momls4ii.naveicoipc.tech tofysz6a.naveicoipa.tech tofysz6a.naveicoipc.tech uzzmuqwv.naveicoipa.tech uzzmuqwv.naveicoipc.tech zvc1ijau.naveicoipa.tech zvc1ijau.naveicoipc.tech bcvbert.naveicoipe.tech mhf8huuo.naveicoipe.tech msldkopw.naveicoipe.tech tyidrtu.naveicoipe.tech uktyukb.naveicoipe.tech vkqrwl00.naveicoipe.tech wrhehdfg.naveicoipe.tech nredial.navermailteam.online /1uFnvppj/1uFnvppj32.acm /1uFnvppj/1uFnvppj64.acm /1uFnvppj/ /1uFnvppj32.acm /1uFnvppj64.acm /018ueCdS/018ueCdS32.acm /018ueCdS/ /018ueCdS32.acm /0lvNAK1t/0lvNAK1t32.acm /0lvNAK1t/ /0lvNAK1t32.acm # Reference: https://www.virustotal.com/gui/ip-address/15.235.132.77/relations # Reference: https://www.virustotal.com/gui/ip-address/23.81.246.131/relations # Reference: https://www.virustotal.com/gui/ip-address/23.82.19.179/relations mailcontactteam.online mailcustomerservice.site mailhelp.online mailmanagecorp.online mailsecurity.email mailservicecorp.online mailserviceteam.email navcopcenter.tech navcorpmanager.site naveeocorp.xyz navenida.live navenida.site navenidb.live navenidb.site navenidc.live navenidc.site navenidd.site navenide.site navenidf.site naveorseccorp.link naveracom.link naveradmin01.link naveranid.link naveranid.live naveranid.online naverbcom.link naverbnid.live naverbnid.online naverccom.link navercert.live navercert.online navercnid.link navercnid.online navercoa.store navercob.store navercoc.store navercod.store navercoe.store 
navercoma.link navercoma.online navercomb.link navercomb.online navercomb.tech navercomc.link navercomc.online navercomc.tech navercomd.link navercomd.online navercome.link navercome.online navercome.tech navercomf.link navercomf.online navercomg.link navercomh.link navercop.link navercop.online navercorp.email navercorp.live navercorpl.tech navercorpr.online navercorpservice.com navercorpteam.com navercscorp.com naverenid.online naverfnid.online navergnid.online naverhnid.online naverhost.live naverinid.com naverinid.online naverjnid.online naverlogn.live navermailcorp.com navermailmanage.com navermailservice.com navermailservice.online navermailteam.online navermanage.com navermanage.live navermanage.space navermanageteam.com navermcorp.com navernida.link navernida.online navernida.tech navernidb.link navernidb.online navernidb.tech navernidc.link navernidc.online navernidc.tech navernidd.live navernidd.online navernide.online navernidlog.live navernidmail.com naverorteam.link naverreda.xyz naverredc.xyz naverredd.xyz naverrede.xyz naverredirect.live naversecurityservice.online naversecurityteam.com naverservice.email naverservice.host naverservice.link naverserviceteam.com naverserviceteam.email naverteam.live naverteamcorp.live navreplya.live navreplya.online navreplyb.live navreplyd.live navreplye.live navreplyf.site navreplyg.site navreplyh.site navreplyi.site navreplyj.site navreplyk.site navteamcorp.link nidbnaver.tech nidcnaver.tech niddnaver.tech nidnavera.online nidnavere.online noreplya.xyz noreplyb.xyz nvrcopa.link nvrcopb.link nvrcopc.link nvrcope.site nvrcopf.site nvricop.online nvrjcop.online portalcorpteam.com help.navreplya.live logn.navermanagecorp.site logn.noreplya.website mail.naveradmina.tech mail.navercomf.link nav.cloudcentre.space nav.naveracom.link nav.naveradmin06.online nav.noreplyb.xyz nav.portalcorpteam.com nin.navercop.link nlog.noreplyb.space red.naveradmin07.site red.nidnavere.online sec.naveralert.link sub.naverbcom.link # 
Reference: https://twitter.com/ShadowChasing1/status/1508706298640052225 # Reference: https://www.virustotal.com/gui/ip-address/44.227.65.245/relations cloudscare.xyz onlinedocview.biz cdn.onlinedocview.biz edit.onlinedocview.biz # Reference: https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/ # Reference: https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/ # Reference: https://otx.alienvault.com/pulse/61bca21cf212a6842e17c00b diragame.com diregame.live mygametoa.com d.diragame.com google.diragame.com jom.diregame.live toa.mygametoa.com tob.mygametoa.com # Reference: https://twitter.com/h2jazi/status/1509206625701220356 # Reference: https://www.virustotal.com/gui/file/e9894893a8a1f74d7d6a8768dda9ef5ddaf8aac18634a1110e9a79652c9f13ee/detection aixstore.info app.aixstore.info # Reference: https://securelist.com/lazarus-trojanized-defi-app/106195/ # Reference: https://otx.alienvault.com/pulse/6246c2c9082f5d1a7c15ffba bn-cosmo.com/customer/board_replay.asp edujikim.com/pay_sample/INIstart.asp emsystec.com/include/inc.asp gyro3d.com/common/faq.asp gyro3d.com/mypage/faq.asp ilovesvc.com/HomePage1/Inquiry/privacy.asp newbusantour.co.kr/gallery/left.asp roit.co.kr/xyz/adminer/edit_fail_decoded.asp softapp.co.kr/sub/cscenter/privacy.asp syadplus.com/search/search_00.asp # Reference: https://twitter.com/ShadowChasing1/status/1514899414367694851 # Reference: https://www.virustotal.com/gui/file/f78b85fc5c9a5f6c8d735f13180d318bf8f5639e71556e2ae0f2c6b9b4181a6c/detection http://15.235.33.14 # Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical # Reference: https://otx.alienvault.com/pulse/625d3bb7b78be557e145d2c7 aumentarelevisite.com juneprint.com jungfrau.co.kr mariamchurch.com happy.nanoace.co.kr ric-camid.re.kr # Reference: https://twitter.com/blackorbird/status/1516300076523548674 # Reference: 
https://mp.weixin.qq.com/s/Xs54_RDKU5MvkvsPPCGKEw (Chinese) beenos.biz zvc.capital cloud.beenos.biz it.zvc.capital # Reference: https://www.cisa.gov/uscert/ncas/alerts/aa22-108a # Reference: https://otx.alienvault.com/pulse/625e65bf6aa1f7977a316d65 alticgo.com cryptais.com dafom.dev esilet.com tokenais.com # Reference: https://asec.ahnlab.com/ko/33706/ # Reference: https://otx.alienvault.com/pulse/625e688f46dbcbce7ac0668d gaonwell.com/data/base/mail/login.asp h-cube.co.kr/main/image/gellery/gallery.asp materic.or.kr/include/main/main_top.asp materic.or.kr/include/main/main_top.xn--asp namchoncc.co.kr/include/?ind= okkids.kr/html/program/display/?re= shoppingbagsdirect.com/media/images/?ui= # Reference: https://twitter.com/blackorbird/status/1519504288849874944 # Reference: https://www.virustotal.com/gui/file/672ec8899b8ee513dbfc4590440a61023846ddc2ca94c88ae637144305c497e7/detection http://109.248.144.155 http://155.94.210.11 http://193.56.28.32 http://45.57.245.17 109.248.144.136:8443 109.248.144.155:8080 109.248.144.155:8443 usengineergroup.com mail.usengineergroup.com # Reference: https://twitter.com/ESETresearch/status/1521735320852643840 # Reference: https://twitter.com/ESETresearch/status/1521735343497695232 # Reference: https://www.virustotal.com/gui/file/55571ac52e1f02f18af77e2f3314382c982a37744b58732dfc15faac9d66619f/detection # Reference: https://www.virustotal.com/gui/file/a0bf5af3f931a428b905fd14d43b61af47b7f272425ae4ff4d78b5cb139b8276/detection # Reference: https://www.virustotal.com/gui/file/315503862cb7ebb0a731483827016015e355bad51f872db5c650a822de744937/detection onlinestockwatch.net # Reference: https://www.virustotal.com/gui/file/5081f54761947bc9ce4aa2a259a0bd60b4ec03d32605f8e3635c4d4edaf48894/detection 66.154.102.91:9090 # Reference: https://blogs.jpcert.or.jp/en/2022/07/vsingle.html bluedragon.com/login crm.vncgroup.com/cats/scripts/sphinxview.php mantis.westlinks.net/api/soap/mc_enum.php ougreen.com/zone semiconductboard.com/xcror 
shipshorejob.com/ckeditor/samples/samples.php tecnojournals.com/general tecnojournals.com/prest # Reference: https://blogs.jpcert.or.jp/en/2022/07/yamabot.html # Reference: https://www.virustotal.com/gui/file/f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb/detection http://213.180.180.154 karin-store.com/recaptcha.php yoshinorihirano.net/wp-includes/feed-xml.php /editor/session/aaa000/support.php /aaa000/support.php # Reference: https://mp.weixin.qq.com/s/USitU4jAg9y2XkQxbwcAPQ # Reference: https://otx.alienvault.com/pulse/62d153ef7d6fbe552403bc90 namchuncheon.co.kr/html/notice/list.asp stracarrara.org/public/photos/image/image.asp stracarrara.org/public/photos/image/image.xn--asp # Reference: https://twitter.com/h2jazi/status/1549780561551675393 # Reference: https://www.virustotal.com/gui/ip-address/155.138.219.140/relations # Reference: https://www.virustotal.com/gui/file/f7170b70a89f4b5d196e3a09c1d6135d36320548f66cdc2c55bf725b0f8d4ab8/detection documentworkspace.io fclouddown.co cdn.documentworkspace.io file.fclouddown.co # Reference: https://twitter.com/cyberoverdrive/status/1550175620927299584 # Reference: https://www.virustotal.com/gui/file/1e154b2976cc00d457c0dc2b83ebe81911294c8276691617085c03a3304fd87f/detection googlesheet.info # Reference: https://twitter.com/h2jazi/status/1553024107989635073 # Reference: https://www.virustotal.com/gui/file/0fe69e67286203ca2dcd080b4c25ab76fc4ca925e6207b193d47f02da1481843/detection shconstmarket.com dps.shconstmarket.com inst.shconstmarket.com web.shconstmarket.com # Reference: https://twitter.com/Des00464472/status/1546403794871001093 http://52.79.92.249/bbs/bbs_post.asp # Reference: https://twitter.com/h2jazi/status/1555205042331947011 # Reference: https://www.virustotal.com/gui/file/a3ef9fd758bca1c94054a43995a99069abaef672495c1bd3ee831217c1f5e498/detection mktrending.com docs.mktrending.com # Reference: https://twitter.com/ShadowChasing1/status/1557034048345997312 # Reference: 
https://www.virustotal.com/gui/file/57959c2be2ac6349aa37edb73cd8a88fe8d3e69678cac4b38fac401bd3141fdf/detection documentshare.info doc.documentshare.info ww16.documentshare.info /DmJMFYpwLPP3ygS/ # Reference: https://twitter.com/malwrhunterteam/status/1557077792075829249 # Reference: https://www.virustotal.com/gui/file/f1ade73b9c61f2f4b774a1b5003a5d70d7a12e0872abe98c52fbf9e9e3a90fc5/detection wordonline.cloud cdn.wordonline.cloud gdoc.wordonline.cloud # Reference: https://twitter.com/ESETresearch/status/1559553324998955010 # Reference: https://www.virustotal.com/gui/file/49046dfeaefc59747e45e013f3ab5a2895b4245cfaa218dd2863d86451104506/detection # Reference: https://www.virustotal.com/gui/file/8b427c47a43e6c357d8439fefa7f0ff34b72a2abdaf0461193fb9e6086807e17/detection # Reference: https://www.virustotal.com/gui/file/94a669041ef572e3fb089179f5c29e2811e2e82613290e39a2ce1b6c273727c9/detection # Reference: https://www.virustotal.com/gui/file/dae9f37ae5c2a030c0fb3f55d5731cdb37a4f68560a6f2ba38bb54c9533f8805/detection # Reference: https://www.virustotal.com/gui/file/e29d0db8c013e7eb5820a6f40aae92a085d9550f2f0b2ebc10c8c2c08d14f6d5/detection # Reference: https://www.virustotal.com/gui/file/fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853/detection concrecapital.com # Reference: https://twitter.com/h2jazi/status/1559259261665943553 # Reference: https://www.virustotal.com/gui/file/03f6c8f173413302d9c22a44a593fc9a5203fbb7652d3a36b3ace79f3cdc39a3/detection 1drvmicrosoft.com hare.1drvmicrosoft.com share.1drvmicrosoft.com # Reference: https://twitter.com/malwrhunterteam/status/1560563222624710656 # Reference: https://www.virustotal.com/gui/file/c9b4893bdb85d67c13826814ef0cf392648089f416aed40078907054624fba72/detection cooporatestock.com doc.cooporatestock.com docs.cooporatestock.com # Reference: https://www.virustotal.com/gui/ip-address/45.76.77.197/relations # Reference: 
https://www.virustotal.com/gui/file/0f6b6c1596e38e840fb03420317db224739a18dbef0b98285637f5887e90a191/detection drivegoogle.info docs.drivegoogle.info # Reference: https://twitter.com/ShadowChasing1/status/1564980900785373185 # Reference: https://www.virustotal.com/gui/file/51d53ca36a662b4aad5878987548f0f22f2a53545790577d8043373b6bf7eb75/detection wpsonline.co edit.wpsonline.co wps.wpsonline.co # Reference: https://www.virustotal.com/gui/file/f42c637db03edf83a08e944bc190265167ecea84d77508f37fc1269d267fe5a8/detection stablehouses.info app.stablehouses.info # Reference: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html # Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ # Reference: https://www.virustotal.com/gui/file/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332/detection # Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection # Reference: https://www.virustotal.com/gui/file/eb73c57c6f4ce8bf197ddc689b7e0afd3703a9bf9a78212c9cb838528441df7a/detection # Reference: https://www.virustotal.com/gui/file/bffe910904efd1f69544daa9b72f2a70fb29f73c51070bde4ea563de862ce4b1/detection # Reference: https://www.virustotal.com/gui/file/afb2d4d88f59e528f0e388705113ae54b7b97db4f03a35ae43cc386a48f263a0/detection # Reference: https://www.virustotal.com/gui/file/196fb1b6eff4e7a049cea323459cfd6c0e3900d8d69e1d80bffbaabd24c06eba/detection http://151.106.2.139 http://193.56.28.251 http://52.202.193.124 http://64.188.27.73 http://66.154.102.91 151.106.2.139:8080 151.106.2.139:8443 66.154.102.91:9090 gendoraduragonkgp126.com /adm_bord/login_new_check.php # Reference: https://twitter.com/Des00464472/status/1569331099305918465 techdesignshop.com # Reference: https://twitter.com/h2jazi/status/1570501870954905600 # Reference: https://www.virustotal.com/gui/file/5816eb32cbaadfc3477c823293a8c49cdf690b443c8fa3c19f98399c143df2b3/detection 
azure-protect.online verify.azure-protect.online # Reference: https://twitter.com/BaoshengbinCumt/status/1570579732399558656 jbic.us mufg.tokyo salt1ending.com wpic.ink cloud.jbic.us cloud.mufg.tokyo # Reference: https://twitter.com/HaoZhixiang/status/1572434427942432772 # Reference: https://www.virustotal.com/gui/file/0b79e1194644431c2e28c48aa3654e658a2907e1003cd0484cd00a0796ebe6bb/detection onlineshares.cloud ms.onlineshares.cloud # Reference: https://twitter.com/malwrhunterteam/status/1573305740252663809 # Reference: https://www.virustotal.com/gui/file/48bd1c5cf9ccc3d454ab80d7284abaf39028a228607d132bfa92ab2ceca47ca2/detection azure-protection.cloud docs.azure-protection.cloud secure.azure-protection.cloud # Reference: https://twitter.com/StopMalvertisin/status/1574329188793733120 # Reference: https://www.virustotal.com/gui/file/3b70c3ebffcfd6a97859f8d9e5a31f6902756e23fd6688ca7c7446d24ec76d9d/detection digiboxes.us fs.digiboxes.us # Reference: https://twitter.com/StopMalvertisin/status/1574749887203143680 # Reference: https://www.virustotal.com/gui/file/f00fe4e6da3aaad25d1ac8b268ffeebc98bda184e3df224905626908be24d415/detection sunlin.org/info/style?title= # Reference: https://twitter.com/StopMalvertisin/status/1575055809104334848 # Reference: https://twitter.com/ScarletSharkSec/status/1575130042627244038 # Reference: https://twitter.com/malwrhunterteam/status/1593744606172168195 # Reference: https://www.virustotal.com/gui/ip-address/155.138.159.45/relations # Reference: https://www.virustotal.com/gui/file/99eae95f3271fe7cd2b25aca9a2b69ca8f5cc034f3416b554a4af38903f14233/detection # Reference: https://www.virustotal.com/gui/file/8f05021071c4bfd4cfce3d02bd30bf16f1322170515d796e13f75eb25b09d533/detection docuprivacy.com gdocshare.one msteam.biz onlinecloud.cloud privacysign.org _dmarc.onlineshares.cloud dmarc.onlineshares.cloud ms.msteam.biz team.msteam.biz open.onlinecloud.cloud # Reference: 
https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ 137.184.15.189:22 172.93.201.253:22 44.238.74.84:22 44.238.74.84:5900 # Reference: https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/ # Reference: https://otx.alienvault.com/pulse/6336cd77cbc019c475aa2034 contradecapital.com m.contradecapital.com market.contradecapital.com stage.contradecapital.com vpn.contradecapital.com # Reference: https://github.com/eset/malware-ioc/tree/master/nukesped_lazarus cowp.or.kr/html/board/main.asp erpmas.co.kr/Member/franchise_modify.asp fored.or.kr/home/board/view.php gncaf.or.kr/cafe/cafe_board.asp gongsinet.kr/comm/comm_gongsi.asp goojoo.net/board/banner01.asp hsbutton.co.kr/bbs/bbs_write.asp hstudymall.co.kr/easypay/web/bottom.asp ikrea.or.kr/main/main_board.asp pcdesk.co.kr/Freeboard/mn_board.asp pgak.net/service/engine/release.asp quecue.kr/okproj/ex_join.asp style1.co.kr/main/view.asp wowpress.co.kr/customer/refuse_05.asp zndance.com/shop/post.asp # Reference: https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/ # Reference: https://otx.alienvault.com/pulse/633c7f2703c1f6dec01555e5 aquaprographix.com/patterns/Map/maps.php stracarrara.org/images/img.asp thetalkingcanvas.com/thetalking/globalcareers/us/5/careers/jobinfo.php turnscor.com/wp-includes/feedback.php # Reference: https://twitter.com/Des00464472/status/1580021488433831936 propertys-shop.com # Reference: https://twitter.com/h2jazi/status/1582809597051826177 # Reference: https://twitter.com/h2jazi/status/1582809599023124481 # Reference: https://www.virustotal.com/gui/file/c114b73da17eb5c8aff5a7b5509ffe26b9770e28c7123f038e98d42f8a065632/detection bbcnewsagency.com # Reference: https://twitter.com/h2jazi/status/1582919568384663552 bloombergnewsagency.com # Reference: https://www.virustotal.com/gui/file/500ae0f1ab40a254f81c73331c9848bada4c26adad613d53d339d14ca3599a32/detection # 
Reference: https://www.virustotal.com/gui/file/442c2b7b8e7ec13306bfb6c1332bd87e4d9cac242fd86555df355a606b895c46/detection 11.23.33.44:8050 66.85.157.67:8050 drivetools.xyz filesspace.xyz theboxart.xyz # Reference: https://twitter.com/imp0rtp3/status/1589263364274155520 # Reference: https://twitter.com/imp0rtp3/status/1589263367650578434 # Reference: https://www.virustotal.com/gui/file/06ea41ee563f0ecb884d0640344a1e0006a9e8b1b3d4cda9a769a896f18c4b6d/detection # Reference: https://www.virustotal.com/gui/file/e1ecf0f7bd90553baaa83dcdc177e1d2b20d6ee5520f5d9b44cdf59389432b10/detection # Reference: https://www.virustotal.com/gui/file/dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031/detection leadsblue.com/wp-content/wp-utility/index.php # Reference: https://twitter.com/Des00464472/status/1590966132596695040 olidhealth.com dc-ba6f51b553e0.olidhealth.com # Reference: https://twitter.com/souiten/status/1593449165349978113 # Reference: https://www.virustotal.com/gui/file/0937cbb980cb898eacd8458366fc4de3510266b8fbcd68010aa04e58bf72df28/detection # Reference: https://www.virustotal.com/gui/file/a3f087c83453cde2bc845122c05ebeb60e8891e395b45823c192869ec1b72ea6/detection capmarketreport.com # Reference: https://explore.avertium.com/resource/an-in-depth-look-at-north-korean-threat-actor-zinc # Reference: https://otx.alienvault.com/pulse/637f670d45a399f00e8aea3c cats.runtimerec.com/db/dbconn.php elite4print.com/support/support.asp hurricanepub.com/include/include.php olidhealth.com/wp-includes/php-compat/compat.php recruitment.raystechserv.com/lib/artichow/BarPlotDashboard.object.php turnscor.com/wp-includes/contacts.php # Reference: https://twitter.com/jaydinbas/status/1598660262751604738 # Reference: https://www.virustotal.com/gui/file/f14c5bad5219b1ed5166eb02f5ff08a890a181cef2af565f3fe7bcea9c870e22/detection key.sharedrive.ink # Reference: https://twitter.com/malwrhunterteam/status/1598405604317442048 # Reference: 
https://twitter.com/jaydinbas/status/1598722899556577280 # Reference: https://www.virustotal.com/gui/file/741be5e53a5dc7cebaa63d6ff624c5eff1a0e1817ede1e7fc0473a28b1ed7a33/detection dsx-app.com # Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-12-02-v10187/190 bloxholder.com oilycargo.com rebelthumb.net strainservice.com telloo.io # Reference: https://twitter.com/h2jazi/status/1602302208325947394 # Reference: https://www.virustotal.com/gui/file/69e5cc9d865301f7e8dd7d4dbf5624db2859c614112d339b2fc07ea6176c776d/detection microshare.cloud one.microshare.cloud # Reference: https://twitter.com/h2jazi/status/1602314597926576131 # Reference: https://twitter.com/h2jazi/status/1602314600753598465 # Reference: https://www.virustotal.com/gui/file/bdd109cba8346548dd6fe5110180aa23eb9f5805c90733025344a5881c15c985/detection thecloudnet.org # Reference: https://twitter.com/jaydinbas/status/1608077663532449792 # Reference: https://www.virustotal.com/gui/file/c52028b494c37505cbe073e3b0fcdeb6b7b48636c6fd00a41108e6dc1a66a4ce/detection professiondesc.com # Reference: https://twitter.com/Des00464472/status/1610535596262580230 # Reference: https://www.virustotal.com/gui/ip-address/172.86.121.130/relations # Reference: https://www.virustotal.com/gui/ip-address/45.153.242.37/relations # Reference: https://www.virustotal.com/gui/file/e04848c1e2908335975dd52793c94624d06a598fdd75d5d3eb6ea8c5d569b8bc/detection auto-protection.cloud auto-protection.services azure-protect.cloud azure-protection.online auto-secure.cloud beyondnextventures.us doc-protection.cloud docs-view.cloud mizuhogroup.uk offerings.cloud online-protection.cloud protection-service.cloud smbcgroup.uk tptf.cloud tptf.ltd azure.auto-protection.cloud azure.auto-protection.services azure.auto-secure.cloud azure.doc-protection.cloud azure.doc-protection.online azure.docs-view.cloud azure.online-protection.cloud azure.protection-service.cloud cloud.beyondnextventures.us cloud.mizuhogroup.uk 
cloud.smbcgroup.uk docs.tptf.cloud secure.azure-protection.online secure.azure-protect.cloud secure.azure-protection.online # Reference: https://twitter.com/Des00464472/status/1613893230004965381 # Reference: https://www.virustotal.com/gui/file/9dc04153455d054d7e04d46bcd8c13dd1ca16ab2995e518ba9bf33b43008d592/detection easyview.kr/board/mb_admin.php mudeungsan.or.kr/gbbs/bbs/template/g_botton.php neohr.co.kr/bbs/data/notice/notice.php # Reference: https://twitter.com/h2jazi/status/1618630926891913217 blurbshop.com cloudfly.org dailynewsagent.com oneweb-host.com shopwebstudio.com turacodi.com # Reference: https://twitter.com/jaydinbas/status/1623295609703636993 # Reference: https://www.virustotal.com/gui/file/3a4aed5b9ad0827696a1bb5f3497a6a2aa26b453d27bfacbe3c8c47673aac98d/detection doc-share.cloud safe.doc-share.cloud # Reference: https://asec.ahnlab.com/ko/48416/ # Reference: https://otx.alienvault.com/pulse/63ff76797371033cf70b2df3 ctmnews.kr dalbinews.co.kr kfcjn.com lightingmart.co.kr studyholic.co.kr # Reference: https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware wirexpro.com # Reference: https://twitter.com/souiten/status/1653999722477268992 # Reference: https://www.virustotal.com/gui/file/69ef7c4cb3849283c03eaa593b02ebbfd1d08d25ef9a58355d2a9909678d6c6d/detection share.googlefiledrive.com # Reference: https://twitter.com/ESETresearch/status/1656385173968019456 # Reference: https://twitter.com/ESETresearch/status/1656386549594857472 # Reference: https://www.virustotal.com/gui/ip-address/104.168.138.7/relations # Reference: https://www.virustotal.com/gui/file/c28e4031129f3e6e5c6fbd7b1cebd8dd21b6f87a8564b0fb9ee741a9b8bc0197/detection # Reference: https://www.virustotal.com/gui/file/5f00106f7f15e0ca00df4dbb0eeccd57930b4b81bc9aa3fca0c5af4eda339ab7/detection coto.live cryptyk.cloud cryptyk.info gumicryptos.com hyperchaincapital.online parallaxdigital.online prosec.ink autoprotect.com.se 
cloud.cryptyk.info cloud.prosec.ink cloudprotect.us.org cryptyk.ddns.net cryptyk.hopto.org cryptyk.sytes.net cryptyk.webredirect.org document.coto.live document.sharedrive.ink docusend.coto.live hostings.webredirect.org # Reference: https://www.virustotal.com/gui/ip-address/104.168.214.151/relations azure-defender.cloud azuredefender.online bico-news.blog blockchainworld.info blockfi.loans box-docsend.cloud box-docsend.online companydetail.online crypto-ecosystem.world cryptofundsresearch.com daiwa.ventures doc-send.cloud doc-send.com docs-send.com doc-send.online docs-send.online docsend-host.cloud drop-box.cloud dropbox-docsend.cloud dropbox-docsend.online gumi-cryptos.loan job-description.online jobdescription.online nextera.capital online-meeting.xyz panteracapital.ventures private-meeting.online privatenetwork.online smart-contracts.blog swissborg.blog tokentracking.info usncet.org verifydocument.online video-meet.online video-meeting.xyz additional.work.gd additionalpublic.work.gd abs.twitter.expublic.linkpc.net arbor.companydetail.online asset.crypto-ecosystem.world autoprotect.gb.net bico.tokentracking.info boa.azuredefender.online boa.job-description.online boa.jobdescription.online cloud.daiwa.ventures cnbc.crypto-ecosystem.world coinbase.expublic.linkpc.net crypto.blockchainworld.info daiwa.azure-defender.cloud defi.smart-contracts.blog docs.panteracapital.ventures draper.online-meeting.xyz dynamic.expublic.linkpc.net exceptions.coinbase.expublic.linkpc.net exceptions.expublic.linkpc.net expublic.linkpc.net github.expublic.linkpc.net google.coinbase.expublic.linkpc.net hashkey.online-meeting.xyz hwsrv-1033810.hostwindsdns.com internal-server.nextera.capital internal.daiwa.ventures internal.usncet.org interview.private-meeting.online meet.ubi-safemeeting.online onedrive.azure-defender.cloud recent.bico-news.blog shared.box-docsend.cloud shared.box-docsend.online shared.doc-send.cloud shared.drop-box.cloud shared.dropbox-docsend.cloud 
shared.dropbox-docsend.online support.private-meeting.online support.trustmeeting.online support.ubi-safemeeting.live support.video-meeting.online support.video-meeting.xyz # Reference: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499 http://3.89.226.234 http://40.121.90.194 eflow.co.kr/member_image/about.php projectcell.niv.co.in/non_scientific/service.php sora.bz/xoops_root_path/templates_c/login.php sora.bz/xoops_root_path/uploads/information/about.php # Reference: https://twitter.com/blackorbird/status/1675803174551314432 # Reference: https://www.elastic.co/cn/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket # Reference: https://www.virustotal.com/gui/ip-address/64.44.141.15/relations # Reference: https://www.virustotal.com/gui/ip-address/91.195.240.123/relations amazoncojp.one dropbx-doc.online hondchain.com jaicvc.com previewaccess-doc.online starbucls.xyz thefifodoc.online crypto.hondchain.com docsend.linkpc.net docsend.publicvm.com # Reference: https://www.virustotal.com/gui/ip-address/64.44.141.13/relations blackleopard.world docsend.apple.linkpc.net docsend.apple.work.gd docsend.camdvr.org docsend.theworkpc.com floriventures.linkpc.net floriventures.publicvm.com floriventuresfund.com forest.groundwolf.sbs groundwolf.sbs info.floriventuresfund.com info.racondog.shop kingstar.publicvm.com lightkingstar.com net.lightkingstar.com nomanstone.shop origin.blackleopard.world racondog.shop sabrpartner.com starbocks.yachts xyz.nomanstone.shop xyz.racondog.shop # Reference: https://twitter.com/h2jazi/status/1681426768597778440 # Reference: https://twitter.com/ShadowChasing1/status/1681947062471098368 # Reference: https://www.virustotal.com/gui/file/6f11c52f01e5696b1ac0faf6c19b0b439ba6f48f1f9851e34f0fa582b09dfa48/detection jkmusic.co.kr/shop/data/theme/ notebooksell.kr/mall/m_schema.php # Reference: https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html checkdevinc.com git-hub.me pkginstall.net 
# Reference: https://asec.ahnlab.com/en/54195/ # Reference: https://otx.alienvault.com/pulse/6490761db8416aad20dd9404 bcdm.or.kr/board/type3_D/edit.asp coupontreezero.com/include/bottom.asp daehang.com/member/logout.asp gongsilbox.com/board/bbs.asp hmedical.co.kr/include/edit.php ksmarathon.com/admin/excel2.asp materic.or.kr/files/board/equip/equip_ok.asp sinae.or.kr/sub01/index.asp # Reference: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247492789&idx=1&sn=a991e6c5ed7388515d75f02e9c33428f # Reference: https://otx.alienvault.com/pulse/64a2f58febf38755c4240c34 rowdensurname.org/slideshow/slides/show.asp # Reference: https://blog.talosintelligence.com/lazarus-collectionrat/ # Reference: https://www.virustotal.com/gui/file/ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6/detection (# QietRAT) # Reference: https://www.virustotal.com/gui/file/db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984/detection (# CollectionRAT) # Reference: https://www.virustotal.com/gui/file/773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df/detection (# CollectionRAT) # Reference: https://www.virustotal.com/gui/file/e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe/detection (# Trojanized Plink) http://109.248.150.13 http://146.4.21.94 109.248.150.13:443 ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php # Reference: https://twitter.com/fr0s7_/status/1695001873604903348 # Reference: https://twitter.com/fr0s7_/status/1695012385705148748 # Reference: https://twitter.com/fr0s7_/status/1695012576600498679 # Reference: https://www.virustotal.com/gui/ip-address/144.202.17.28/relations # Reference: https://www.virustotal.com/gui/ip-address/45.63.1.46/relations # Reference: https://www.virustotal.com/gui/ip-address/66.42.86.109/detection # Reference: https://www.virustotal.com/gui/file/8e271b07ad050b648321af5aa98ae9f9057342a6c4d3de40ee07a4fbec1ef2b9/detection # Reference: 
https://www.virustotal.com/gui/file/7c2721b4beedcff6f8d7af585516af86287a9bab703e8050e97365aa9fd849cb/detection dliklone.online sourljsourhs.cfd ajileuowl.dliklone.online huweisge.dliklone.online tales.dliklone.online tonses.dliklone.online magmow.sourljsourhs.cfd # Reference: https://twitter.com/tiresearch1/status/1695342915281965409 online-meeting.pro private-meeting.xyz trustmeeting.online ubi-safemeeting.live video-meeting.online # Reference: https://twitter.com/tiresearch1/status/1696067977463087376 safe-meeting.online trustmeeting.live ubi-safemeeting.online # Reference: https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues # Reference: https://www.virustotal.com/gui/ip-address/45.61.136.133/relations tableditermanaging.pro # Reference: https://asec.ahnlab.com/en/56405/ # Reference: https://otx.alienvault.com/pulse/64f0a87de1d155ccb31c3561 chinesekungfu.org ipservice.kro.kr privatemake.bounceme.net bbs.topigsnorsvin.com.ec # Reference: https://twitter.com/blackorbird/status/1700047882441908674 # Reference: https://twitter.com/felixaime/status/1699865970041348506 # Reference: https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/ # Reference: https://otx.alienvault.com/pulse/64fa0325f88b5109856801c8 bitsvertise.com blgbeach.com dbgsymbol.com ecordillos.com ismartrium.com rapisigns.com # Reference: https://twitter.com/tiresearch1/status/1701155845608964391 alwayswait.online alwayswait.site antifirmware.online antifirmware.site antifirmware.store antiviruscheck.site antiviruscheck.store auditprovidre.online auditprovidre.site auditprovidre.store newcoming.cfd remoteproweb.cfd systemupdate.site systemupdate.store unbelievableresult.site unbelievableresult.store updatecheck.site updatecheck.store waitingfor.cfd # Reference: https://twitter.com/h2jazi/status/1702726275012382747 # Reference: 
https://www.virustotal.com/gui/file/c83c7b000a955f2b8cb92bb112ed606ffd9fbebbe3422f80d90d06b167f2f37b/detection brianrep.com /dnquery.phpinteger # Reference: https://twitter.com/asdasd13asbz/status/1705140120222105777 http://91.206.178.125 # Reference: https://twitter.com/tiresearch1/status/1706312971054412039 datasend.linkpc.net docsenddata.linkpc.net docsendinfo.linkpc.net open-sc.xyz opensend.linkpc.net opensend.online video-meet.team # Reference: https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ barsaji.com.mx/src/recaptcha/index.php bug.restoroad.com/admin/view_status.php kapata-arkeologi.kemdikbud.go.id/pages/payment/payment.php kerstpakketten.horesca-meppel.nl/wp-content/plugins/woocommerce/lib.php kittimasszazs.hu/images/virag.php nrfm.lk/wp-includes/simplepie/content.php radiographers.org/aboutus/aboutus.php # Reference: https://twitter.com/tiresearch1/status/1708141542261809360 bitscrunch.linkpc.net bitscrunch.publicvm.com bitscrunnch.linkpc.net bitscrunnch.run.place coupang-network.pics exodus.linkpc.net jobdescription.linkpc.net # Reference: https://twitter.com/tiresearch1/status/1708539447908958382 starbocks.shop starbuck-coffee.cfd starbuckex.beauty starbucls.top # Reference: https://twitter.com/k3yp0d/status/1709851707427975382 # Reference: https://twitter.com/greglesnewich/status/1742926817827422712 # Reference: https://g-les.github.io/yara/2024/01/04/100DaysofYARA-CosmicRust.html # Reference: https://www.virustotal.com/gui/file/979ef0f43f25a6707fd98f6f0cb6e8452c24f41216ff53486781f487803d69c4/detection # Reference: https://www.virustotal.com/gui/file/dbe48dc08216850e93082b4d27868a7ca51656d9e55366f2642fc5106e3af980/detection # Reference: https://www.virustotal.com/gui/file/a8cc70bcd0ef98e3eea54f953166f518a2cf1d898e4eb9e85cf70861f8ec7578/detection # Reference: https://www.virustotal.com/gui/file/5f4063e3a5583e62ddec2f84ca88eb97fbcfbee31d9269742ab438f441f0cd58/detection 
# Reference: https://www.virustotal.com/gui/file/576d1688f744a9f6ae4c1fb4cec1cda3daecabf3a13cb3bafabf083c54d1fcb6/detection # Reference: https://www.virustotal.com/gui/file/5115be816d0cd579915d079573bfa384d78ac0bd33cc845b7a83a488b0fc1b99/detection # Reference: https://www.virustotal.com/gui/file/3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a/detection 104.168.136.24:8080 104.168.172.20:8080 commoncome.online web.commoncome.online welcome.newcoming.cfd # Reference: https://twitter.com/tiresearch1/status/1709900227241758810 automatic.antifirmware.store autoserverupdate.line.pm huanying.remoteproweb.cfd real.unbelievableresult.store stress.antiviruscheck.site successfulconnection.linkpc.net sys.antiviruscheck.store sys.updatecheck.site web.auditprovidre.site # Reference: https://twitter.com/asdasd13asbz/status/1711617213944492293 # Reference: https://www.virustotal.com/gui/ip-address/103.179.142.171/relations # Reference: https://www.virustotal.com/gui/file/f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58/detection # Reference: https://www.virustotal.com/gui/file/00433ebf3b21c1c055d4ab8a599d3e84f03b328496236b54e56042cef2146b1c/detection blockchain-newtech.com # Reference: https://twitter.com/tiresearch1/status/1712004829978190112 docs-protection.cloud docs-protection.online docs-protection.top azure.docs-protection.cloud azure.docs-protection.online azure.docs-protection.top docs.smbc-vc.com meeting.work.gd orangecake.work.gd transactions.publicvm.com updatecheck.publicvm.com # Reference: https://twitter.com/malwrhunterteam/status/1710379117869150506 # Reference: https://twitter.com/h2jazi/status/1712115378933977444 # Reference: https://www.virustotal.com/gui/file/f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58/detection chiark.greenend.org.uk/~sgtatham/putty/ # Reference: https://twitter.com/tiresearch1/status/1712839519366795733 15248636.site activity-179384736.site activity-permission.online allow-permission.online 
book-download.shop chat-services.online files-archive.online mail-roundcube.site online-meeting.site online-video-services.site share-meeting.online un-call.services videocallservice.live webmailaccount.cloud # Reference: https://twitter.com/tiresearch1/status/1713828674750017852 # Reference: https://twitter.com/tiresearch1/status/1714149818753507596 book.tomming.us cloud.bdcc.bio enimvzud.mouradvps8hostwin.online floriventuresend.linkpc.net forservercon.run.place jobintro.linkpc.net mouradvps8hostwin.online protectli.online web3.auditprovidre.store xjba.linkpc.net xjbb.linkpc.net xjbd.linkpc.net # Reference: https://twitter.com/tiresearch1/status/1714283158588600641 crtypk.run.place cryptykhost.work.gd share.prosec.ink singlelink.work.gd # Reference: https://securelist.com/updated-mata-attacks-industrial-companies-in-eastern-europe/110829/ # Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf beeztrend.com mbafleet.com prajeshpatel.com zawajonly.com icimp.swarkul.com # Reference: https://twitter.com/malwrhunterteam/status/1715075131175751740 # Reference: https://www.virustotal.com/gui/ip-address/68.170.2.240/relations # Reference: https://www.virustotal.com/gui/file/5e523ba395d7b92001d14d0d0e607410af9acb61d724a4a7651c3d80a79fb532/detection coingecko.bond # Reference: https://twitter.com/tiresearch1/status/1717496437985128862 bitscrunch.co bitscrunch.deck.linkpc.net bitscrunch.im.linkpc.net deck.linkpc.net doc.global-link.run.place global-link.run.place # Reference: https://twitter.com/tiresearch1/status/1717554754023526564 # Reference: https://twitter.com/KSeznec/status/1717542794942660771 # Reference: https://www.virustotal.com/gui/file/47b8b4d55d75505d617e53afcb6c32dd817024be209116f98cbbc3d88e57b4d1/detection co.intneral-document-he-gr-me.run.place group.link-net.publicvm.com internal.group.link-net.publicvm.com intneral-document-he-gr-me.run.place 
j-ic.co.intneral-document-he-gr-me.run.place link-net.publicvm.com on-global.xyz # Reference: https://twitter.com/tiresearch1/status/1717922111749288043 bitscrunch.pd.linkpc.net bitscrunch.presentations.life col-link.linkpc.net docshared.col-link.linkpc.net pd.linkpc.net presentations.life # Reference: https://securelist.com/unveiling-lazarus-new-campaign/110888/ # Reference: https://otx.alienvault.com/pulse/653c0681ae38ba0d7d84e538 admin.esangedu.kr/XPaySample/submit.php api.shw.kr/login_admin/member/login_fail.php blastedlevels.com/levels4SqR8/measure.asp droof.kr/Board/htmlEdit/PopupWin/Editor.asp friendmc.com/upload/board/asp20062107.asp hankooktop.com/ko/company/info.asp hanlasangjo.com/editor/pages/page.asp happinesscc.com/mobile/include/func.asp healthpro.or.kr/upload/naver_editor/subview/view.inc hicar.kalo.kr/data/rental/Coupon/include/inc.asp hspje.com/menu6/teacher_qna.asp ictm.or.kr/UPLOAD_file/board/free/edit/index.php khmcpharm.com/Lib/Modules/HtmlEditor/Util/read.cer kscmfs.or.kr/member/handle/log_proc.php kstr.radiology.or.kr/upload/schedule/29431_1687715624.inc little-pet.com/web/board/skin/default/read.php mainbiz.or.kr/SmartEditor2/photo_uploader/popup/edit.asp mainbiz.or.kr/include/common.asp medric.or.kr/Controls/Board/certificate.cer muijae.com/daumeditor/pages/template/simple.asp muijae.com/daumeditor/pages/template/template.asp muijae.com/daumeditor/pages/template/ new-q-cells.com/upload/newsletter/cn/frame.php nonstopexpress.com/community/include/index.asp pediatrics.or.kr/PubReader/build_css.php pms.nninc.co.kr/app/content/board/inc_list.asp safemotors.co.kr/daumeditor/pages/template/template.asp samwoosystem.co.kr/board/list/write.asp seoulanesthesia.or.kr/mail/mail_211230.html seouldementia.or.kr/_manage/inc/bbs/jiyeuk1_ok.asp siriuskorea.co.kr/mall/community/bbs_read.asp swt-keystonevalve.com/data/editor/index.php theorigin.co.kr:443/admin/management/index.php ucware.net/skins/PHPMailer-master/index.php vietjetairkorea.com/INFO/info.asp 
vnfmal2022.com/niabbs5/upload/gongji/index.php warevalley.com/en/common/include/page_tab.asp yoohannet.kr/min/tmp/process/proc.php # Reference: https://twitter.com/tiresearch1/status/1718902558922834192 cisco-webex.online pdf.cisco-webex.online support.cisco-webex.online # Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-10-30-v10452/1080 bitscrunch.ddns.net bitscrunch.serveirc.com bitscrunch.tech.linkpc.net bitscrunch.zapto.org bitscrunchtech.linkpc.net document.shared-link.line.pm indaddy.xyz internalpdfviewer.ddns.net nor-health.xyz shared-link.line.pm tech.linkpc.net voldemort.myvnc.com # Reference: https://www.virustotal.com/gui/ip-address/192.236.194.152/relations coupang-networks.pics ronaldo-nftprojects.shop # Reference: https://twitter.com/tiresearch1/status/1719979579170009130 cloud.doc-shared.linkpc.net doc-shared.linkpc.net dubai.network.cloud.doc-shared.linkpc.net group.evalaskatours.com internal.bounceme.net mclearoptical.com network.cloud.doc-shared.linkpc.net # Reference: https://twitter.com/tiresearch1/status/1721811568814624831 # Reference: https://app.validin.com/axon?find=62.133.61.204&type=ip online-meeting.team safemeeting.online team-meet.online video-meeting.team videomeethub.online # Reference: https://twitter.com/tiresearch1/status/1722534103751540999 syncmeet.online team-meeting.xyz # Reference: https://twitter.com/tiresearch1/status/1725052270910538103 # Reference: https://www.virustotal.com/gui/ip-address/216.107.136.10/relations bitscrunch.myvnc.com blackleopard.myvnc.com naverk.myvnc.com # Reference: https://twitter.com/tiresearch1/status/1727306536522043677 privymeet.com # Reference: https://twitter.com/tiresearch1/status/1727956853794250850 group-meeting.online group-meeting.team # Reference: https://asec.ahnlab.com/en/59073/ # Reference: https://otx.alienvault.com/pulse/655e254bda9c2bd236bc188f 109.248.150.147:8585 185.29.8.108:8585 27.102.118.204:6099 27.102.128.152:8098 84.38.132.67:9479 
primez.online
song.th

# Reference: https://twitter.com/tiresearch1/status/1729392929612218731

france24.live
meeting-online.site
online-processing.online
ovcloud.online

# Reference: https://twitter.com/tiresearch1/status/1729754195903844484
# Reference: https://www.virustotal.com/gui/ip-address/104.168.137.21/relations

alwayswait.online
audiocheck.store
auditprovidre.online
cryptowave.capital
group-meeting.online
group-meeting.team
internal-meeting.online
kkvps.buzz
meetcentralhub.online
meetingverse.app
online-meeting.team
privymeet.com
safe-meeting.online
safemeeting.online
skyboxdrive.cloud
syncmeet.online
team-meet.online
team-meeting.xyz
trustmeeting.live
trustmeeting.online
ubi-safemeeting.live
ubi-safemeeting.online
video-meet.online
video-meet.team
video-meet.xyz
video-meeting.team
archax.privymeet.com
archax.skyboxdrive.cloud
archax.trustmeeting.live
bitfinex.internal-meeting.online
bitfinex.video-meet.online
cryptowave.internal-meeting.online
cryptowave.video-meet.online
d1.skyboxdrive.cloud
drop.skyboxdrive.cloud
dun.audiocheck.store
dun.auditprovidre.online
email.alwayswait.online
emv1.meetingverse.app
emv1.ubi-safemeeting.live
gumi-cryptos.group-meeting.online
gumi-cryptos.group-meeting.team
gumi-cryptos.team-meet.online
gumi-cryptos.team-meeting.xyz
gumi-cryptos.video-meet.team
hashkey.group-meeting.online
hashkey.group-meeting.team
hashkey.internal-meeting.online
hashkey.online-meeting.team
hashkey.team-meet.online
hashkey.team-meeting.xyz
hashkey.video-meet.online
hashkey.video-meet.team
hashkey.video-meeting.team
help.group-meeting.online
help.team-meet.online
help.video-meet.team
help.video-meeting.team
hwsrv-1093408.hostwindsdns.com
ihsgpnsj.meetingverse.app
internal-meeting.online
kraken.group-meeting.online
kraken.group-meeting.team
kraken.team-meet.online
kraken.video-meeting.team
meet.cryptowave.capital
meet.ubi-safemeeting.online
mta-sts.meetingverse.app
mta-sts.ubi-safemeeting.live
okx.internal-meeting.online
okx.video-meet.online
okx.video-meeting.team
pdf.cisco-webex.online
ryze.privymeet.com
shared.dropbox-docsend.online
support.cisco-webex.online
support.cryptowave.capital
support.group-meeting.online
support.group-meeting.team
support.internal-meeting.online
support.meetcentralhub.online
support.privymeet.com
support.safe-meeting.online
support.skyboxdrive.cloud
support.syncmeet.online
support.team-meet.online
support.team-meeting.xyz
support.trustmeeting.live
support.trustmeeting.online
support.ubi-safemeeting.live
support.ubi-safemeeting.online
support.video-meet.online
support.video-meet.team
support.video-meet.xyz
support.video-meeting.team
technical-support.group-meeting.team
technical-support.internal-meeting.online
technical-support.team-meet.online
technical-support.video-meet.online
troubleshoot.group-meeting.team
troubleshoot.internal-meeting.online
troubleshoot.team-meeting.xyz
ubisoft.group-meeting.online
ubisoft.internal-meeting.online
ubisoft.safe-meeting.online
ubisoft.trustmeeting.live

# Reference: https://www.virustotal.com/gui/file/60674602836323647634016774ea123232160c1b4dfcf3fcd2d2c28c652aa00e/detection

104.168.151.34:8080
audiocheck.store
autoupdate.xyz
botsc.autoupdate.xyz
dun.audiocheck.store

# Reference: https://twitter.com/tiresearch1/status/1730114476786229304

einei.line.pm
onelao.line.pm
tiena.einei.line.pm

# Reference: https://twitter.com/tiresearch1/status/1731600500259524993

team-meet.xyz
team-meeting.pro
archax.meetingverse.app
archax.team-meeting.pro
hashkey.team-meeting.pro
lrakkiqr.team-meeting.pro
mail.privymeet.com
technical-support.safe-meeting.online

# Reference: https://twitter.com/tiresearch1/status/1733020053426282778

wndlwndmfe.xyz

# Reference: https://mp.weixin.qq.com/s/f5YE12w3x3wad5EO0EB53Q

http://103.179.142.171
http://156.236.76.9
chaingrown.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-12-06-v10480/1183

manchestercity.work.gd
myself.hopto.org

# Reference: https://slowmist.medium.com/analysis-of-north-korean-hackers-targeted-phishing-scams-on-telegram-872db3f7392b
# Reference: https://otx.alienvault.com/pulse/65773dc2466c7161e66b3d07

archax.team-meeting.xyz
archax.videomeethub.online
emv1.group-meeting.team
emv1.team-meet.xyz

# Reference: https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
# Reference: https://www.virustotal.com/gui/file/000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee/detection
# Reference: https://www.virustotal.com/gui/file/0e416e3cc1673d8fc3e7b2469e491c005152b9328515ea9bbd7cf96f1d23a99f/detection
# Reference: https://www.virustotal.com/gui/file/e615ea30dd37644526060689544c1a1d263b6bb77fe3084aa7883669c1fde12f/detection
# Reference: https://www.virustotal.com/gui/file/9a48357c06758217b3a99cdf4ab83263c04bdea98c347dd14b254cab6c81b13a/detection
# Reference: https://www.virustotal.com/gui/file/534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433/detection
# Reference: https://www.virustotal.com/gui/file/ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4/detection
# Reference: https://www.virustotal.com/gui/file/47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30/detection
# Reference: https://www.virustotal.com/gui/file/f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59/detection
# Reference: https://www.virustotal.com/gui/file/5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541/detection
# Reference: https://www.virustotal.com/gui/file/82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def/detection

http://155.94.208.209
http://185.29.8.53
http://27.102.113.93
201.77.179.66:8082
micrsofts.tech
tech.micrsofts.com
tech.micrsofts.tech

# Reference: https://www.virustotal.com/gui/ip-address/23.254.129.6/relations
# Reference: https://app.validin.com/axon?source=DNS&type=ip&find=23.254.129.6

commoncome.site
good.commoncome.site
wideocean.run.place

# Reference: https://twitter.com/karol_paciorek/status/1749376208477786172

http://173.249.5.112

# Reference: https://twitter.com/malwrhunterteam/status/1750492037936222291
# Reference: https://twitter.com/greglesnewich/status/1750500025346445609
# Reference: https://www.virustotal.com/gui/file/e05142f8375070d1ea25ed3a31404ca37b4e1ac88c26832682d8d2f9f4f6d0ae/detection

fasttet.com

# Reference: https://twitter.com/tiresearch1/status/1755176085610721337
# Reference: https://www.virustotal.com/gui/ip-address/217.20.117.39/relations

continue-meeting.site
drive-access.site
home-continue.online
home-proceed.online
pannel-get-data.us
ushrt.us
join-room.meeting-online.site

# Reference: https://twitter.com/h2jazi/status/1757798585611997236
# Reference: https://www.virustotal.com/gui/file/b557fa6a92e1ecd768aa723258cb453beb6597c583dbe76d8e82ffdf392f5932/detection

franksweeklycall.com/wp-includes/html-api/class-wp-html-user.php

# Reference: https://twitter.com/asdasd13asbz/status/1758054481957450034
# Reference: https://www.virustotal.com/gui/ip-address/35.167.150.110/relations

elshaik.com/wp-content/plugins/elementor/core/editor/editor-ui.php
ssoc.cl/wp-content/plugins/webmention/libraries/emoji-detector/src/Detector.php

# Reference: https://twitter.com/malwrhunterteam/status/1764037492812943550
# Reference: https://www.virustotal.com/gui/file/0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7/detection
# Reference: https://www.virustotal.com/gui/file/bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b/detection

jdkgradle.com

# Reference: https://twitter.com/malwrhunterteam/status/1769840338745659896
# Reference: https://www.virustotal.com/gui/file/09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38/detection

mingeloem.com

# Reference: https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/

http://145.232.235.222

# Reference: https://asec.ahnlab.com/en/63192/

84.38.129.21:2222
84.38.129.21:5443
ourhome.o-r.kr
mssrv.kro.kr
privacy.hopto.org
panda.ourhome.o-r.kr

# Reference: https://twitter.com/1ZRR4H/status/1771912721031663841
# Reference: https://www.virustotal.com/gui/file/02d55193310ea19a4ce4c8a7f095c84b0511946d11a647e12758569292014882/detection

http://91.92.248.50
91.92.248.50:445
the.earth.li/~sgtatham/putty/0.80/w64/

# Generic

/daumeditor/pages/template/
/daumeditor/pages/template/simple.asp
/daumeditor/pages/template/template.asp
/levels4SqR8/measure.asp
/mall/community/bbs_read.asp
/niabbs5/upload/gongji/index.php
/niabbs5/upload/gongji/
/_manage/inc/bbs/jiyeuk1_ok.asp
/inc/bbs/jiyeuk1_ok.asp
/asdfghjkl
/qwertyuiop
/qwertyuiop/asdfghjkl
/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/
/Of56cYsfVV8/
/OJITWH2WFx/
/Jy5S7hSx0K/
/fP7saoiPBc/