# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: hidden cobra, guardians of peace, zinc, nickel academy, manuscrypt # Reference: https://cdn.securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf exbonus.mrbasic.com movis-es.ignorelist.com tradeboard.mefound.com update.toythieves.com sap.misapor.ch # Reference: https://securelist.com/operation-applejeus/87553/ celasllc.com 185.142.236.226 185.142.239.173 196.38.48.121 80.82.64.91 # Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea tpddata.com itaddnet.com wifispeedcheck.net coinoen.org coinmaketcape.com bitfiniex.org apshenyihl.com/include/arc.speclist.class.php ap8898.com/include/arc.search.class.php anlway.com/include/arc.search.class.php tpddata.com/skins/skin-8.thm tpddata.com/skins/skin-6.thm 168wangpi.com/include/charset.php ando.co.kr/service/s_top.asp ansetech.co.kr/smarteditor/common.asp mileage.krb.co.kr/common/db_conf.asp 028xmz.com/include/common.php 33cow.com/include/control.php 51up.com/ace/main.asp 530hr.com/data/common.php 97nb.net/include/arc.sglistview.php marmarademo.com/include/extend.php paulkaren.com/synthpop/main.asp shieldonline.co.za/sitemap.asp # Reference: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/ # Reference: https://twitter.com/KevinPerlow/status/1083759627714682880 # Reference: https://twitter.com/Bank_Security/status/1107543887462064128 # Reference: https://www.hybrid-analysis.com/sample/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/5c8a414a0388381b3f329926 # Reference: https://www.virustotal.com/gui/file/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/detection # Reference: https://twitter.com/ClearskySec/status/1084463729633316864 bodyshoppechiropractic.com drupdate.club ecombox.store /tbl_add.php # Reference: https://otx.alienvault.com/pulse/5c8b8e19261a7451de02bf60/ http://37.238.135.70/img/anan.jpg # Reference: https://otx.alienvault.com/pulse/5c9a4d9f90726d0988873a2b # Reference: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/ dev.microcravate.com nzssdm.com bluecreekrobotics.com/wp-includes/common.php dev.microcravate.com/wp-includes/common.php dev.whatsyourcrunch.com/wp-includes/common.php enterpriseheroes.com.ng/wp-includes/common.php hrgp.asselsolutions.com/wp-includes/common.php baseballcharlemagnelegardeur.com/wp-content/languages/common.php bogorcenter.com/wp-content/themes/index2.php eventum.cwsdev3.bi.com/wp-includes/common.php streamf.ru/wp-content/index2.php towingoperations.com/chat/chat.php vinhsake.com/wp-content/uploads/index2.php tangowithcolette.com/pages/common.php # Reference: https://twitter.com/blackorbird/status/1110750919082147842 # Reference: https://blog.alyac.co.kr/2219 alahbabgroup.com http://47.91.56.21/verify.php http://103.225.168.159/admin/verify.php # Reference: https://twitter.com/blackorbird/status/1111449536910680065 wb-bot.org wb-invest.net # Reference: https://twitter.com/KevinPerlow/status/1136994848341409792 sbackservice.com # Reference: https://twitter.com/navSi16/status/1148192534654439426 # Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7 sensationalsecrets.com/js/left.php # Reference: https://twitter.com/blackorbird/status/1148843702690832385 194.45.8.41:443 # Reference: https://twitter.com/bad_packets/status/1148864469486854144 # Reference: https://pastebin.com/G0Ad5Ut6 http://178.128.253.67/tbl_add.php # Reference: https://twitter.com/RedDrip7/status/1148887458152472576 byucksanpaint.com/community/com_gon_open.asp # Reference: https://otx.alienvault.com/pulse/5d2c64b174175b03e7db85cd http://103.53.176.145:8080/ServiceDeskPlus/products.do http://111.68.126.155:8080/ServiceDeskPlus/products.do http://137.117.57.244:8080/ServiceDeskPlus/products.do chanbang.co.kr/board/check.asp chanbang.co.kr/family/check.asp chanbang.co.kr/gonggu/upload.asp difa.or.kr/common/asp/inc_Comn.asp edenenc.co.kr/Report/RptMyReport.asp egreenland.co.kr/cheditor2/example/newpost.asp hanbook.co.kr/partnershop/hanmail_ep.asp img.kindermom.co.kr/frameart/print/footer.mov kgsa1015.co.kr/upload/member/member.asp rodaxsankyokorea.com/upload/favicon/favicon.asp sinokor-eng.com/sub/sub01_09.asp # Reference: https://otx.alienvault.com/pulse/5d2dca0a1c7d00fa07be15e5 byucksanpaint.com/community/com_gon_open.asp byucksanpaint.com/main/main4.asp keyang.co.kr/pub/editor/wa_path.asp upload.childu.co.kr/include/OnlyOne1.asp # Reference: https://twitter.com/cyberwar_15/status/1152035187196223488 lavaandstone.com/wp-content/plugins/fusion-core/about.php sales.alitho.com/wp-content/themes/sketch/about.php amytanathorn.com/wp-admin/includes/about.php # Reference: https://twitter.com/cyberwar_15/status/1153123863435214848 rhythm86.com/wp-content/themes/twentysixteen/about.php cabba-cacao.com/wp-content/themes/integral/about.php 3x-tv.com/plugins/editors/about.php # Reference: https://twitter.com/KorbenD_Intel/status/1158479283549089792 # Reference: https://www.virustotal.com/gui/file/3bba04f277e7f51a5500f7b144fdbd851954e4f94bb0290e49fc63f6fc807321/detection policyupdates.info # Reference: https://twitter.com/cyberwar_15/status/1166282138179624960 # Reference: https://twitter.com/navSi16/status/1166287915959214080 youdermoscopy.org/media/fly.avi youdermoscopy.org/media/fly312.avi # Reference: https://blog.alyac.co.kr/2500 (Korean) # Reference: https://otx.alienvault.com/pulse/5d6940cb9e719255258969f5 alnagm-press.com/wp-content/plugins/cloudflare/list.php elsouq.org/aramex/left.php swedishmassageamsterdam.nl/wp-content/themes/top.php # Reference: https://twitter.com/cyberwar_15/status/1175940165425958912 http://158.69.57.135 http://92.222.106.229 # Reference: https://securelist.com/my-name-is-dtrack/93338/ # Reference: https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/ # Reference: https://otx.alienvault.com/pulse/5d88b31dea7f4b9d4701d7e8 # Reference: https://www.virustotal.com/gui/file/fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702/detection # Reference: https://www.virustotal.com/gui/file/58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb/detection katawaku.jp/bbs/data/theme/profile2.php materialindia.in totalmateria.net cyberub.com/board/icon/template/template_ro.php /gallery/profile2.php /theme/profile2.php /wp/profile2.php # Reference: https://twitter.com/KseProso/status/1178580006047539200 heromessi.com/wp-public/career/car_add.php # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-12-lazarus-resurfaces-targets-global-banks-bitcoin-users/lazarus-resurfaces-targets-global-banks-bitcoin-users.csv deltaemis.com # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-11-20-android-malware-appears-linked-to-lazarus-cybercrime-group/android-malware-appears-linked-to-lazarus-cybercrime-group.csv vmware-probe.zol.co.zw # Reference: https://app.any.run/tasks/01497f45-7fba-4356-bbdc-4270e51c2465/ # Reference: https://twitter.com/Rmy_Reserve/status/1181528617374777344 # Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea gp-core.com gp-main.com # Reference: https://twitter.com/VK_Intel/status/1182722604240719872 # Reference: https://objective-see.com/blog/blog_0x49.html (# AppleJeus) 185.228.83.32:443 beastgoc.com /grepmonux.php # Reference: https://twitter.com/kyleehmke/status/1184120287199223808 # Reference: https://www.virustotal.com/gui/ip-address/185.228.83.129/relations dev.jmttrading.org # Reference: https://twitter.com/RedDrip7/status/1186562944311517184 # Reference: https://blog.alyac.co.kr/2388 (Korean) # Reference: https://twitter.com/RedDrip7/status/1186562944311517184 # Reference: https://otx.alienvault.com/pulse/5db06ad90686f3bad959d7fc crabbedly.club craypot.live czinfo.club indagator.club pegasusco.net smilekeepers.co # Reference: https://twitter.com/0xD0CF11E0A1B11/status/1187264570861076481 thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi juliesoskin.com/includes/common/list.php necaled.com/modules/applet/list.php valentinsblog.de/wp-admin/includes/list.php # Reference: https://twitter.com/blackorbird/status/1187619261612609536 # Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html # Reference: https://www.virustotal.com/gui/ip-address/218.255.24.226/relations 119.18.230.253:443 218.255.24.226:443 # Reference: https://twitter.com/Rmy_Reserve/status/1188235835956551680 # Reference: https://app.any.run/tasks/42c972b1-ec38-4637-9354-9de930ff50b2/ curiofirenze.com # Reference: https://twitter.com/blackorbird/status/1202177008572092417 unioncrypto.vip # Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/ 107.172.197.175:443 172.93.201.219:443 192.210.213.178:443 198.180.198.6:443 209.90.234.34:443 23.227.196.116:443 23.227.199.53:443 23.254.119.12:443 23.81.246.179:443 37.72.175.179:443 64.188.19.117:443 74.121.190.121:443 # Reference: https://securelist.com/operation-applejeus-sequel/95596/ # Reference: https://otx.alienvault.com/pulse/5e15b526b4f8bc605744ad76 aeroplans.info beastgoc.com buckfast-zucht.de chainfun365.com cyptian.com invesuccess.com jmttrading.org mydealoman.com private-kurier.com unioncrypto.vip wb-bot.org wb-invest.net wfcwallet.com # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-03-08-hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.csv falcancoin.io # Reference: https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/ # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045d # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045e # Reference: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045b # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045a # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045f 94.177.123.138:8088 193.56.28.103:88 197.211.212.59:7443 181.39.135.126:7443 112.175.92.57:443 81.94.192.147:443 21.252.107.198:23164 70.224.36.194:59681 113.114.117.122:23397 47.206.4.145:59067 84.49.242.125:17770 26.165.218.44:2248 137.139.135.151:64694 97.90.44.200:37120 128.200.115.228:52884 186.169.2.237:65292 188.165.37.168:80 159.100.250.231:80 159.100.250.231:8080 107.6.12.135:443 210.202.40.35:443 # Reference: https://twitter.com/AffableKraut/status/1234726033930248198 74.121.190.140:8443 # Reference: https://twitter.com/RedDrip7/status/1254678135133442048 # Reference: https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-targeted-attack-against-south-korea-using-new-crown-outbreak-bait/ # Reference: https://www.virustotal.com/gui/domain/teslacontrols.ir/relations afuocolento.it/wp-admin/network/server_test.php kingsvc.cc mbrainingevents.com/wp-admin/network/server_test.php sofa.rs/wp-admin/network/server_test.php sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg teslacontrols.ir/wp-includes/images/detail31.jpg teslacontrols.ir/wp-includes/images/detail32.jpg /wp-admin/network/server_test.php # Reference: https://twitter.com/cyberwar_15/status/1254736896330133504 matteoragazzini.it/wp-content/uploads/2017/06/category.php # Reference: https://twitter.com/DeadlyLynn/status/1257504361577496576 # Reference: https://twitter.com/ShadowChasing1/status/1257511608189743105 astedams.it/uploads/template/17.dotm astedams.it/include/inc-elenco-offerter.asp # Reference: https://twitter.com/spider_girl22/status/1258224278194941953 astedams.it/uploads/frame/61.dotm # Reference: https://objective-see.com/blog/blog_0x57.html # Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/ # Reference: https://otx.alienvault.com/pulse/5eb2fabf6c26a287f705ca20 185.62.58.207:443 67.43.239.146:443 # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md#IOC # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/CSV/IOC-Lazarus_2020_05_05.csv # Reference: https://www.virustotal.com/gui/file/1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f/behavior/VMRay # Reference: https://www.virustotal.com/gui/file/66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88/behavior/QiAnXin%20RedDrip 51.77.65.154:443 192.169.250.185:443 sanlorenzoyacht.com/newsl/uploads/docs/43.dotm elite4print.com/admin/order/batchPdfs.asp od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm # Reference: https://twitter.com/cyberwar_15/status/1264353716930412544 # Reference: https://www.virustotal.com/gui/file/e637c86ae20a7f36a0ad43618b00c48f47b5591a03af3fb689a16c45afa43733/detection # Reference: https://www.virustotal.com/gui/file/d3a402458682c4febacc6ae4bc98e15e92142603a97d51316eeee9e8bca77f88/detection depts.washington.edu/dswkshp/wordpress/wp-content/themes/twentyfifteen/inc/io/ # Reference: https://twitter.com/spider_girl22/status/1265486116393713665 anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg # Reference: https://twitter.com/cyberwar_15/status/1265266629044080642 # Reference: https://asec.ahnlab.com/1323 (Korean) mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php sixbitsmedia.com/wp-content/uploads/wp-logs/category.php # Reference: https://twitter.com/ShadowChasing1/status/1267431134662541317 fudcitydelivers.com sctemarkets.com # Reference: https://twitter.com/IntezerLabs/status/1268158680593313794 threegood.cc # Reference: https://twitter.com/ccxsaber/status/1268020350605910016 coingotrade.com kupaywallet.com # Reference: https://twitter.com/Vishnyak0v/status/1269635930878545922 bluemoonresearch.org fitnessdirector.net # Reference: https://twitter.com/RedDrip7/status/1270201358721769475 paghera.com/include/inc-main-default-news.asp # Reference: https://twitter.com/ShadowChasing1/status/1270728525926944768 ne-ba.org/files/gallery/img/img.asp # Reference: https://twitter.com/MBThreatIntel/status/1270741821560406019 160.20.147.253:8443 audiopodcasts.co/verify.php lastedforcast.com/list.php # Reference: https://twitter.com/spider_girl22/status/1275366600560873473 # Reference: https://www.virustotal.com/gui/file/0fa91cac5712cfc0848af092190fd3d09948f1a7750547f0f16d1867dac6288a/detection thestreetsmartsalesman.com/wp-content/uploads/wp-logs/category.php # Reference: https://twitter.com/JAMESWT_MHT/status/1275396942139469824 # Reference: https://app.any.run/tasks/5ddb7e93-bfc8-49a9-bd52-6b70f57c3846/ scertodisha.nic.in/wp-content/plugins/photo-gallery/admin/controllers/Photo.php haciendasacchich.com/wp-content/plugins/photo-gallery/admin/views/404.php annafalkenau.com/awstats/data/upload.php # Reference: https://blog.reversinglabs.com/blog/hidden-cobra # Reference: https://otx.alienvault.com/pulse/5ef2252af73ae43d92eecd15 1688dsj.com amytanathorn.com ccsnbao.com fmose.com fudcitydelivers.com lavaandstone.com sctemarkets.com vns1389.com # Reference: https://twitter.com/ShadowChasing1/status/1276324740878102529 anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg # Reference: https://twitter.com/JAMESWT_MHT/status/1276471822217891840 # Reference: https://app.any.run/tasks/109752e9-2c7f-4d5c-9c3f-300bddc4c0db/ down.1230578.com # Reference: https://twitter.com/felixaime/status/1280053007036624896 # Reference: https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/ areac-agr.com papers0urce.com # Reference: https://twitter.com/gwillem/status/1281128245052805120 focuscamere.com # Reference: https://twitter.com/patrickwardle/status/1286109626941845504 # Reference: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ 104.232.71.7:443 107.172.197.175:443 108.170.31.81:443 111.90.146.105:443 111.90.148.132:443 172.81.132.41:443 172.93.184.62:443 172.93.201.219:443 185.62.58.207:443 192.210.239.122:443 198.180.198.6:443 209.90.234.34:443 216.244.71.233:443 23.227.199.53:443 23.227.199.69:443 23.254.119.12:443 67.43.239.146:443 68.168.123.86:443 # Reference: https://twitter.com/cyberwar_15/status/1287291019537473538 nextlevelliving.pro/wp-content/uploads/js_composer/images/8c206b81-f5b1-4242-84d3-237ce728ff35.php # Reference: https://twitter.com/AnonySecAgency/status/1290115260116897792 # Reference: https://www.virustotal.com/gui/file/40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13/detection publishapp.co # Reference: https://twitter.com/RedDrip7/status/1293462469214531584 # Reference: https://www.virustotal.com/gui/file/b0921142f8d3067c8253931977999a5092470ff3e562586d87af68c28ec66a99/detection unsunozo.org/include/notes/notes.asp # Reference: https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html # Reference: https://otx.alienvault.com/pulse/5f4d20e8d417f271a62e0aeb gestao.simtelecomrs.com.br/sac/digital/client.jsp sac.onecenter.com.br/sac/masks/wfr_masks.jsp mk.bital.com.br/sac/Formule/Manager.jsp # Reference: https://twitter.com/IntezerLabs/status/1300403461809491969 # Reference: https://analyze.intezer.com/analyses/13d64c6e-6ac7-4888-a682-138a06cbaf16/ # Reference: https://www.virustotal.com/gui/file/390f9aae2dd5f0584106e3aa315bbd28a8c6479f126a4f13c7c3a62e19356634/detection 104.217.163.61:443 107.175.172.129:443 37.72.168.228:443 # Reference: https://twitter.com/ShadowChasing1/status/1302180729174937600 fabianiarte.com/uploads/imgup/21it-23792.jpg # Reference: https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html # Reference: https://otx.alienvault.com/pulse/5f7389601681e32d5bf045f6 automercado.co.cr/empleo/css/main.jsp curiofirenze.com/include/inc-site.asp ne-ba.org/files/news/thumbs/thumbs.asp sanlorenzoyacht.com/newsl/include/inc-map.asp # Reference: https://twitter.com/h2jazi/status/1311644338812792833 # Reference: https://www.virustotal.com/gui/file/d2f1cccfe688c074c3d58ae8f7be7b10dbea5d7ae53320c3f7b6e48cd4f62955/detection phukien2a.net/images/images.zip.000 # Reference: https://blog.talosintelligence.com/2020/11/crat-and-plugins.html # Reference: https://otx.alienvault.com/pulse/5faf04431c479940b422288b teslacontrols.ir/wp-includes/images/detail31.jpg teslacontrols.ir/wp-includes/images/detail32.jpg sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg publishapp.co/update/check.php sideforum.cc/forum/list.php freeforum.co/forum/list.php goodfriend.pro/projects/list.php friendship.me/users/register.php threegood.cc/api/manage/customers Engpro.xyz/images/detail.php infocop.me/products/list.php teamspit.pro/adverts/follow.php dodoi.cc/photos/preview.php advertapp.me/user/invite.php insideforum.me/forum/list.php anyoneforum.cc/forum/list.php goodproject.xyz/projects/list.php hellofriend.pro/users/register.php moonge.cc/wp-content/plugins/google-sitemap-generator/sitemap-builder-embed.php calculactcal.org/wp-content/themes/twentysixteen/body.php 3cuartos.com/wp-content/plugins/music-press-pro/templates/global/update.php worldfoodstory.co.uk/wp-includes/register.php bokkeriejesj.nl/wp-content/plugins/music-press-pro/upload.php encontrosmaracatu.com.br/wp-content/plugins/music-press-pro/templates/global/topmenu.php theblackout.fr/wp-content/plugins/music-press-pro/music-pro.php mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php tiramisu.it/wp-content/plugins/wp-comment-form.php kartacnictvi.cz/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/upload.php dimer-group.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/download.php ecolerubanvert.com/wp-content/plugins/image-intense/know.php lwac.com/wp-content/plugins/gallery-plugin/includes/demo-data/images/music/photo.php copansrl.it/wp-admin/user/invite.php arar-musique.fr/wp-content/plugins/music-press-pro/includes/admin/upgrade.php firstalliance.church/wp-content/plugins/music-press/templates/404.php erickeleo.com.br/wp-content/plugins/music-press-pro/go.php kingsvc.cc/index.php sofa.rs/wp-admin/network/server_test.php afuocolento.it/wp-admin/network/server_test.php mbrainingevents.com/wp-admin/network/server_test.php afuocolento.it/wp-includes/process.php # Reference: https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ # Reference: https://otx.alienvault.com/pulse/5fb4044fd5f18831c24c6af6 cowp.or.kr/html/board/main.asp erpmas.co.kr/Member/franchise_modify.asp fored.or.kr/home/board/view.php gncaf.or.kr/cafe/cafe_board.asp gongsinet.kr/comm/comm_gongsi.asp goojoo.net/board/banner01.asp hsbutton.co.kr/bbs/bbs_write.asp hstudymall.co.kr/easypay/web/bottom.asp ikrea.or.kr/main/main_board.asp pcdesk.co.kr/Freeboard/mn_board.asp pgak.net/service/engine/release.asp quecue.kr/okproj/ex_join.asp style1.co.kr/main/view.asp wowpress.co.kr/customer/refuse_05.asp zndance.com/shop/post.asp # Reference: https://twitter.com/h2jazi/status/1334353120038678528 # Reference: https://www.virustotal.com/gui/file/c19064733f2a23f09c8b16b3847cceeac8f61488be57911cefceb75425501097/detection ilhak.co.kr/images/data/upload.asp ktri.or.kr/upload/mail/upload.asp warevalley.com/support/orange_open.asp # Reference: https://twitter.com/BitsOfBinary/status/1321488299932983296 # Reference: https://twitter.com/BitsOfBinary/status/1337330286787518464 # Reference: https://twitter.com/mg2_tracy1/status/1337335098224508928 # Reference: https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=3051 admforte.com.br/wp-content/plugins/top.php dafnefonseca.com/wp-content/themes/top.php drei-schneeballen.de/wp-content/plugins/nextgen-gallery/view.php funny-pictures.picphotos.net/saint-louis-senior-photos-senior-pictures-seniors-st-louis-st-louis/upload.php greenvideo.nl/wp-content/themes/top.php haciendadeclarevot.com/wp-content/top.php justholdfast.com/doodle/wp-content/plugins/top.php qwerty.creativehonduras.com/wp-includes/class-wp-redirect.php shahrtdc.com/wp-content/plugins/top.php tag-cloud-photo.freeware.filetransit.com/login.php urbankizomba.se/wp-content/plugins/photo-gallery/filemanager/upload.php # Reference: https://otx.alienvault.com/pulse/5fd8dbfcfed23b6fa1393ea9 yakufreshperu.com/facturacion/public/css/main.php shikshakibaat.com/classes/detail.jsp sanlorenzoyacht.com/newsl/include/inc-map.asp paghera.com/content/view/thumb/info.asp lyzeum.com/popup/popup.asp index-consulting.jp/eng/news/index.php hansolhope.or.kr/welfare/notice/view.jsp forecareer.com/gdcareer/officetemplate-20nab.asp?iqxml=NVcareer183991 fidesarte.it/thumb/multibox/style/common.asp fabianiarte.com/uploads/imgup/21it-23792.jpg fabianiarte.com/pdf/thumbs/thumb.asp emilypress.com/CMWorking/Static/service/center.asp curiofirenze.com/include/inc-site.asp calculadoras.mx/themes/pack/pilot.php automercado.co.cr/empleo/css/main.jsp astedams.it/photos/image/image.asp arumdaunresort.com/admin/html/user/contact.asp apars-surgery.org/bbs/bbs_files/board_photo/menu.php anca-aste.it/uploads/form/02E319AF73A33547343B71D5CB1064BC.dotm vega.mh-tec.jp/.well-known/index.php turnscor.com/ACT/images/slide/view.jsp prestigein-am.jp/akita/wp-includes/wp-rss1.php genieaccount.com/images/common/common.asp acanicjquery.com/slides/style.php mannpublicwhseltd.com/cservice.asp hirokawaunso.co.jp/wordpress/wp-includes/review.php anisweb.org/layout/site/style/preview.jsp support.medicalinthecloud.com/TechCenter/include/slide.asp pennontraders.com/assets/slides/view.jsp indoweb.org/love/data/common/common.php admin.shcpa.co.kr/_asapro2/formmail/lib.php http://137.74.114.227/theveniaux/webliotheque/public/css/main.php http://125.206.177.152/old/viewer.php # Reference: https://twitter.com/BitsOfBinary/status/1339623925274296323 muzeyyengroup.com/wp-content/help.php puskesmas-terminal.com/wp-content/help.php zeandf.com/wp-content/help.php # Reference: https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ # Reference: https://otx.alienvault.com/pulse/5fe36c30dbe6a83c04783415 bytecortex.com.br/eletronicos/digital.jsp client.livesistemas.com/Live/posto/system.jsp cometnet.biz/framework/common/common.asp gongim.com/board/ajax_Write.asp iski.silogica.net/events/serial.jsp k-kiosk.com/bbs/notice_write.asp kne.co.kr/upload/Customer/BBS.asp locknlockmall.com/common/popup_left.asp sac.najatelecom.com.br/sac/Dados/ntlm.jsp sistema.celllab.com.br/webrun/Navbar/auth.jsp # Reference: https://twitter.com/ShadowChasing1/status/1349924271791882247 # Reference: https://www.virustotal.com/gui/file/867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36/detection # Reference: https://www.virustotal.com/gui/file/89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957/detection aideck.net # Reference: https://twitter.com/ShadowChasing1/status/1349927630183694339 creaideck.com/update/darwin64.bin