# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: hidden cobra, guardians of peace, zinc, nickel academy

# Reference: https://cdn.securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf

exbonus.mrbasic.com
movis-es.ignorelist.com
tradeboard.mefound.com
update.toythieves.com
sap.misapor.ch

# Reference: https://securelist.com/operation-applejeus/87553/

celasllc.com
185.142.236.226
185.142.239.173
196.38.48.121
80.82.64.91

# Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea

tpddata.com
itaddnet.com
wifispeedcheck.net
coinoen.org                          
coinmaketcape.com
bitfiniex.org
apshenyihl.com/include/arc.speclist.class.php                                   
ap8898.com/include/arc.search.class.php                              
anlway.com/include/arc.search.class.php                              
tpddata.com/skins/skin-8.thm                                   
tpddata.com/skins/skin-6.thm
168wangpi.com/include/charset.php
ando.co.kr/service/s_top.asp
ansetech.co.kr/smarteditor/common.asp
mileage.krb.co.kr/common/db_conf.asp
028xmz.com/include/common.php
33cow.com/include/control.php
51up.com/ace/main.asp
530hr.com/data/common.php
97nb.net/include/arc.sglistview.php
marmarademo.com/include/extend.php
paulkaren.com/synthpop/main.asp
shieldonline.co.za/sitemap.asp

# Reference: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/
# Reference: https://twitter.com/KevinPerlow/status/1083759627714682880
# Reference: https://twitter.com/Bank_Security/status/1107543887462064128
# Reference: https://www.hybrid-analysis.com/sample/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/5c8a414a0388381b3f329926
# Reference: https://www.virustotal.com/gui/file/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/detection
# Reference: https://twitter.com/ClearskySec/status/1084463729633316864

bodyshoppechiropractic.com
drupdate.club
ecombox.store
/tbl_add.php

# Reference: https://otx.alienvault.com/pulse/5c8b8e19261a7451de02bf60/

http://37.238.135.70/img/anan.jpg

# Reference: https://otx.alienvault.com/pulse/5c9a4d9f90726d0988873a2b
# Reference: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/

dev.microcravate.com
nzssdm.com
bluecreekrobotics.com/wp-includes/common.php
dev.microcravate.com/wp-includes/common.php
dev.whatsyourcrunch.com/wp-includes/common.php
enterpriseheroes.com.ng/wp-includes/common.php
hrgp.asselsolutions.com/wp-includes/common.php
baseballcharlemagnelegardeur.com/wp-content/languages/common.php
bogorcenter.com/wp-content/themes/index2.php
eventum.cwsdev3.bi.com/wp-includes/common.php
streamf.ru/wp-content/index2.php
towingoperations.com/chat/chat.php
vinhsake.com/wp-content/uploads/index2.php
tangowithcolette.com/pages/common.php

# Reference: https://twitter.com/blackorbird/status/1110750919082147842
# Reference: https://blog.alyac.co.kr/2219

alahbabgroup.com
http://47.91.56.21/verify.php
http://103.225.168.159/admin/verify.php

# Reference: https://twitter.com/blackorbird/status/1111449536910680065

wb-bot.org
wb-invest.net

# Reference: https://twitter.com/KevinPerlow/status/1136994848341409792

sbackservice.com

# Reference: https://twitter.com/navSi16/status/1148192534654439426
# Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7

sensationalsecrets.com/js/left.php

# Reference: https://twitter.com/blackorbird/status/1148843702690832385

194.45.8.41:443

# Reference: https://twitter.com/bad_packets/status/1148864469486854144
# Reference: https://pastebin.com/G0Ad5Ut6

http://178.128.253.67/tbl_add.php

# Reference: https://twitter.com/RedDrip7/status/1148887458152472576

byucksanpaint.com/community/com_gon_open.asp

# Reference: https://otx.alienvault.com/pulse/5d2c64b174175b03e7db85cd

http://103.53.176.145:8080/ServiceDeskPlus/products.do
http://111.68.126.155:8080/ServiceDeskPlus/products.do
http://137.117.57.244:8080/ServiceDeskPlus/products.do
chanbang.co.kr/board/check.asp
chanbang.co.kr/family/check.asp
chanbang.co.kr/gonggu/upload.asp
difa.or.kr/common/asp/inc_Comn.asp
edenenc.co.kr/Report/RptMyReport.asp
egreenland.co.kr/cheditor2/example/newpost.asp
hanbook.co.kr/partnershop/hanmail_ep.asp
img.kindermom.co.kr/frameart/print/footer.mov
kgsa1015.co.kr/upload/member/member.asp
rodaxsankyokorea.com/upload/favicon/favicon.asp
sinokor-eng.com/sub/sub01_09.asp

# Reference: https://otx.alienvault.com/pulse/5d2dca0a1c7d00fa07be15e5

byucksanpaint.com/community/com_gon_open.asp
byucksanpaint.com/main/main4.asp
keyang.co.kr/pub/editor/wa_path.asp
upload.childu.co.kr/include/OnlyOne1.asp

# Reference: https://twitter.com/cyberwar_15/status/1152035187196223488

lavaandstone.com/wp-content/plugins/fusion-core/about.php
sales.alitho.com/wp-content/themes/sketch/about.php
amytanathorn.com/wp-admin/includes/about.php

# Reference: https://twitter.com/cyberwar_15/status/1153123863435214848

rhythm86.com/wp-content/themes/twentysixteen/about.php
cabba-cacao.com/wp-content/themes/integral/about.php
3x-tv.com/plugins/editors/about.php

# Reference: https://twitter.com/KorbenD_Intel/status/1158479283549089792
# Reference: https://www.virustotal.com/gui/file/3bba04f277e7f51a5500f7b144fdbd851954e4f94bb0290e49fc63f6fc807321/detection

policyupdates.info

# Reference: https://twitter.com/cyberwar_15/status/1166282138179624960
# Reference: https://twitter.com/navSi16/status/1166287915959214080

youdermoscopy.org/media/fly.avi
youdermoscopy.org/media/fly312.avi

# Reference: https://blog.alyac.co.kr/2500 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d6940cb9e719255258969f5

alnagm-press.com/wp-content/plugins/cloudflare/list.php
elsouq.org/aramex/left.php
swedishmassageamsterdam.nl/wp-content/themes/top.php

# Reference: https://twitter.com/cyberwar_15/status/1175940165425958912

http://158.69.57.135
http://92.222.106.229

# Reference: https://securelist.com/my-name-is-dtrack/93338/
# Reference: https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/
# Reference: https://otx.alienvault.com/pulse/5d88b31dea7f4b9d4701d7e8
# Reference: https://www.virustotal.com/gui/file/fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702/detection
# Reference: https://www.virustotal.com/gui/file/58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb/detection

katawaku.jp/bbs/data/theme/profile2.php
materialindia.in
totalmateria.net
cyberub.com/board/icon/template/template_ro.php
/gallery/profile2.php
/theme/profile2.php
/wp/profile2.php

# Reference: https://twitter.com/KseProso/status/1178580006047539200

heromessi.com/wp-public/career/car_add.php

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-12-lazarus-resurfaces-targets-global-banks-bitcoin-users/lazarus-resurfaces-targets-global-banks-bitcoin-users.csv

deltaemis.com

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-11-20-android-malware-appears-linked-to-lazarus-cybercrime-group/android-malware-appears-linked-to-lazarus-cybercrime-group.csv

vmware-probe.zol.co.zw

# Reference: https://app.any.run/tasks/01497f45-7fba-4356-bbdc-4270e51c2465/
# Reference: https://twitter.com/Rmy_Reserve/status/1181528617374777344
# Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea

gp-core.com
gp-main.com

# Reference: https://twitter.com/VK_Intel/status/1182722604240719872
# Reference: https://objective-see.com/blog/blog_0x49.html (# AppleJeus)

185.228.83.32:443
beastgoc.com
/grepmonux.php

# Reference: https://twitter.com/kyleehmke/status/1184120287199223808
# Reference: https://www.virustotal.com/gui/ip-address/185.228.83.129/relations

dev.jmttrading.org

# Reference: https://twitter.com/RedDrip7/status/1186562944311517184
# Reference: https://blog.alyac.co.kr/2388 (Korean)
# Reference: https://twitter.com/RedDrip7/status/1186562944311517184
# Reference: https://otx.alienvault.com/pulse/5db06ad90686f3bad959d7fc

crabbedly.club
craypot.live
czinfo.club
indagator.club
pegasusco.net
smilekeepers.co

# Reference: https://twitter.com/0xD0CF11E0A1B11/status/1187264570861076481

thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi
juliesoskin.com/includes/common/list.php
necaled.com/modules/applet/list.php
valentinsblog.de/wp-admin/includes/list.php

# Reference: https://twitter.com/blackorbird/status/1187619261612609536
# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html
# Reference: https://www.virustotal.com/gui/ip-address/218.255.24.226/relations

119.18.230.253:443
218.255.24.226:443

# Reference: https://twitter.com/Rmy_Reserve/status/1188235835956551680
# Reference: https://app.any.run/tasks/42c972b1-ec38-4637-9354-9de930ff50b2/

curiofirenze.com

# Reference: https://twitter.com/blackorbird/status/1202177008572092417

unioncrypto.vip

# Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/

107.172.197.175:443
172.93.201.219:443
192.210.213.178:443
198.180.198.6:443
209.90.234.34:443
23.227.196.116:443
23.227.199.53:443
23.254.119.12:443
23.81.246.179:443
37.72.175.179:443
64.188.19.117:443
74.121.190.121:443

# Reference: https://securelist.com/operation-applejeus-sequel/95596/
# Reference: https://otx.alienvault.com/pulse/5e15b526b4f8bc605744ad76

aeroplans.info
beastgoc.com
buckfast-zucht.de
chainfun365.com
cyptian.com
invesuccess.com
jmttrading.org
mydealoman.com
private-kurier.com
unioncrypto.vip
wb-bot.org
wb-invest.net
wfcwallet.com

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-03-08-hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.csv

falcancoin.io

# Reference: https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045d
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045e
# Reference: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045b
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045a
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045f

94.177.123.138:8088
193.56.28.103:88
197.211.212.59:7443
181.39.135.126:7443
112.175.92.57:443
81.94.192.147:443
21.252.107.198:23164
70.224.36.194:59681
113.114.117.122:23397
47.206.4.145:59067
84.49.242.125:17770
26.165.218.44:2248
137.139.135.151:64694
97.90.44.200:37120
128.200.115.228:52884
186.169.2.237:65292
188.165.37.168:80
159.100.250.231:80
159.100.250.231:8080
107.6.12.135:443
210.202.40.35:443

# Reference: https://twitter.com/AffableKraut/status/1234726033930248198

74.121.190.140:8443

# Reference: https://twitter.com/RedDrip7/status/1254678135133442048
# Reference: https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-targeted-attack-against-south-korea-using-new-crown-outbreak-bait/
# Reference: https://www.virustotal.com/gui/domain/teslacontrols.ir/relations

afuocolento.it/wp-admin/network/server_test.php
kingsvc.cc
mbrainingevents.com/wp-admin/network/server_test.php
sofa.rs/wp-admin/network/server_test.php
sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg
teslacontrols.ir/wp-includes/images/detail31.jpg
teslacontrols.ir/wp-includes/images/detail32.jpg
/wp-admin/network/server_test.php

# Reference: https://twitter.com/cyberwar_15/status/1254736896330133504

matteoragazzini.it/wp-content/uploads/2017/06/category.php

# Reference: https://twitter.com/DeadlyLynn/status/1257504361577496576
# Reference: https://twitter.com/ShadowChasing1/status/1257511608189743105

astedams.it/uploads/template/17.dotm
astedams.it/include/inc-elenco-offerter.asp

# Reference: https://twitter.com/spider_girl22/status/1258224278194941953

astedams.it/uploads/frame/61.dotm

# Reference: https://objective-see.com/blog/blog_0x57.html
# Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/
# Reference: https://otx.alienvault.com/pulse/5eb2fabf6c26a287f705ca20

185.62.58.207:443
67.43.239.146:443

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md#IOC
# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/CSV/IOC-Lazarus_2020_05_05.csv
# Reference: https://www.virustotal.com/gui/file/1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f/behavior/VMRay
# Reference: https://www.virustotal.com/gui/file/66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88/behavior/QiAnXin%20RedDrip

51.77.65.154:443
192.169.250.185:443
sanlorenzoyacht.com/newsl/uploads/docs/43.dotm
elite4print.com/admin/order/batchPdfs.asp
od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm

# Reference: https://twitter.com/cyberwar_15/status/1264353716930412544
# Reference: https://www.virustotal.com/gui/file/e637c86ae20a7f36a0ad43618b00c48f47b5591a03af3fb689a16c45afa43733/detection
# Reference: https://www.virustotal.com/gui/file/d3a402458682c4febacc6ae4bc98e15e92142603a97d51316eeee9e8bca77f88/detection

depts.washington.edu/dswkshp/wordpress/wp-content/themes/twentyfifteen/inc/io/

# Reference: https://twitter.com/spider_girl22/status/1265486116393713665

anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg

# Reference: https://twitter.com/cyberwar_15/status/1265266629044080642
# Reference: https://asec.ahnlab.com/1323 (Korean)

mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php
sixbitsmedia.com/wp-content/uploads/wp-logs/category.php

# Reference: https://twitter.com/ShadowChasing1/status/1267431134662541317

fudcitydelivers.com
sctemarkets.com

# Reference: https://twitter.com/IntezerLabs/status/1268158680593313794

threegood.cc

# Reference: https://twitter.com/ccxsaber/status/1268020350605910016

coingotrade.com
kupaywallet.com

# Reference: https://twitter.com/Vishnyak0v/status/1269635930878545922

bluemoonresearch.org
fitnessdirector.net

# Reference: https://twitter.com/RedDrip7/status/1270201358721769475

paghera.com/include/inc-main-default-news.asp

# Reference: https://twitter.com/ShadowChasing1/status/1270728525926944768

ne-ba.org/files/gallery/img/img.asp

# Reference: https://twitter.com/MBThreatIntel/status/1270741821560406019

160.20.147.253:8443
audiopodcasts.co/verify.php
lastedforcast.com/list.php

# Reference: https://twitter.com/spider_girl22/status/1275366600560873473
# Reference: https://www.virustotal.com/gui/file/0fa91cac5712cfc0848af092190fd3d09948f1a7750547f0f16d1867dac6288a/detection

thestreetsmartsalesman.com/wp-content/uploads/wp-logs/category.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1275396942139469824
# Reference: https://app.any.run/tasks/5ddb7e93-bfc8-49a9-bd52-6b70f57c3846/

annafalkenau.com
bonjourben.com
diversityuk.org
haciendasacchich.com

# Reference: https://blog.reversinglabs.com/blog/hidden-cobra
# Reference: https://otx.alienvault.com/pulse/5ef2252af73ae43d92eecd15

1688dsj.com
amytanathorn.com
ccsnbao.com
fmose.com
fudcitydelivers.com
lavaandstone.com
sctemarkets.com
vns1389.com

# Reference: https://twitter.com/ShadowChasing1/status/1276324740878102529

anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg

# Reference: https://twitter.com/JAMESWT_MHT/status/1276471822217891840
# Reference: https://app.any.run/tasks/109752e9-2c7f-4d5c-9c3f-300bddc4c0db/

down.1230578.com

# Reference: https://twitter.com/felixaime/status/1280053007036624896
# Reference: https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/

areac-agr.com
papers0urce.com

# Reference: https://twitter.com/gwillem/status/1281128245052805120

focuscamere.com

# Reference: https://twitter.com/patrickwardle/status/1286109626941845504
# Reference: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/

104.232.71.7:443
107.172.197.175:443
108.170.31.81:443
111.90.146.105:443
111.90.148.132:443
172.81.132.41:443
172.93.184.62:443
172.93.201.219:443
185.62.58.207:443
192.210.239.122:443
198.180.198.6:443
209.90.234.34:443
216.244.71.233:443
23.227.199.53:443
23.227.199.69:443
23.254.119.12:443
67.43.239.146:443
68.168.123.86:443

# Reference: https://twitter.com/cyberwar_15/status/1287291019537473538

nextlevelliving.pro/wp-content/uploads/js_composer/images/8c206b81-f5b1-4242-84d3-237ce728ff35.php

# Reference: https://twitter.com/AnonySecAgency/status/1290115260116897792
# Reference: https://www.virustotal.com/gui/file/40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13/detection

publishapp.co

# Reference: https://twitter.com/RedDrip7/status/1293462469214531584
# Reference: https://www.virustotal.com/gui/file/b0921142f8d3067c8253931977999a5092470ff3e562586d87af68c28ec66a99/detection

unsunozo.org/include/notes/notes.asp