# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: dangerous passwords, hidden cobra, guardians of peace, zinc, nickel academy, manuscrypt

# Reference: https://cdn.securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf

exbonus.mrbasic.com
movis-es.ignorelist.com
tradeboard.mefound.com
update.toythieves.com
sap.misapor.ch

# Reference: https://securelist.com/operation-applejeus/87553/

celasllc.com
185.142.236.226
185.142.239.173
196.38.48.121
80.82.64.91

# Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea

tpddata.com
itaddnet.com
wifispeedcheck.net
coinoen.org                          
coinmaketcape.com
bitfiniex.org
apshenyihl.com/include/arc.speclist.class.php                                   
ap8898.com/include/arc.search.class.php                              
anlway.com/include/arc.search.class.php                              
tpddata.com/skins/skin-8.thm                                   
tpddata.com/skins/skin-6.thm
168wangpi.com/include/charset.php
ando.co.kr/service/s_top.asp
ansetech.co.kr/smarteditor/common.asp
mileage.krb.co.kr/common/db_conf.asp
028xmz.com/include/common.php
33cow.com/include/control.php
51up.com/ace/main.asp
530hr.com/data/common.php
97nb.net/include/arc.sglistview.php
marmarademo.com/include/extend.php
paulkaren.com/synthpop/main.asp
shieldonline.co.za/sitemap.asp

# Reference: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/
# Reference: https://twitter.com/KevinPerlow/status/1083759627714682880
# Reference: https://twitter.com/Bank_Security/status/1107543887462064128
# Reference: https://www.hybrid-analysis.com/sample/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/5c8a414a0388381b3f329926
# Reference: https://www.virustotal.com/gui/file/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/detection
# Reference: https://twitter.com/ClearskySec/status/1084463729633316864

bodyshoppechiropractic.com
drupdate.club
ecombox.store
/tbl_add.php

# Reference: https://otx.alienvault.com/pulse/5c8b8e19261a7451de02bf60/

http://37.238.135.70/img/anan.jpg

# Reference: https://otx.alienvault.com/pulse/5c9a4d9f90726d0988873a2b
# Reference: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/

dev.microcravate.com
nzssdm.com
bluecreekrobotics.com/wp-includes/common.php
dev.microcravate.com/wp-includes/common.php
dev.whatsyourcrunch.com/wp-includes/common.php
enterpriseheroes.com.ng/wp-includes/common.php
hrgp.asselsolutions.com/wp-includes/common.php
baseballcharlemagnelegardeur.com/wp-content/languages/common.php
bogorcenter.com/wp-content/themes/index2.php
eventum.cwsdev3.bi.com/wp-includes/common.php
streamf.ru/wp-content/index2.php
towingoperations.com/chat/chat.php
vinhsake.com/wp-content/uploads/index2.php
tangowithcolette.com/pages/common.php

# Reference: https://twitter.com/blackorbird/status/1110750919082147842
# Reference: https://blog.alyac.co.kr/2219

alahbabgroup.com
http://47.91.56.21/verify.php
http://103.225.168.159/admin/verify.php

# Reference: https://twitter.com/blackorbird/status/1111449536910680065

wb-bot.org
wb-invest.net

# Reference: https://twitter.com/KevinPerlow/status/1136994848341409792

sbackservice.com

# Reference: https://twitter.com/navSi16/status/1148192534654439426
# Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7

sensationalsecrets.com/js/left.php

# Reference: https://twitter.com/blackorbird/status/1148843702690832385

194.45.8.41:443

# Reference: https://twitter.com/bad_packets/status/1148864469486854144
# Reference: https://pastebin.com/G0Ad5Ut6

http://178.128.253.67/tbl_add.php

# Reference: https://twitter.com/RedDrip7/status/1148887458152472576

byucksanpaint.com/community/com_gon_open.asp

# Reference: https://otx.alienvault.com/pulse/5d2c64b174175b03e7db85cd

http://103.53.176.145:8080/ServiceDeskPlus/products.do
http://111.68.126.155:8080/ServiceDeskPlus/products.do
http://137.117.57.244:8080/ServiceDeskPlus/products.do
chanbang.co.kr/board/check.asp
chanbang.co.kr/family/check.asp
chanbang.co.kr/gonggu/upload.asp
difa.or.kr/common/asp/inc_Comn.asp
edenenc.co.kr/Report/RptMyReport.asp
egreenland.co.kr/cheditor2/example/newpost.asp
hanbook.co.kr/partnershop/hanmail_ep.asp
img.kindermom.co.kr/frameart/print/footer.mov
kgsa1015.co.kr/upload/member/member.asp
rodaxsankyokorea.com/upload/favicon/favicon.asp
sinokor-eng.com/sub/sub01_09.asp

# Reference: https://otx.alienvault.com/pulse/5d2dca0a1c7d00fa07be15e5

byucksanpaint.com/community/com_gon_open.asp
byucksanpaint.com/main/main4.asp
keyang.co.kr/pub/editor/wa_path.asp
upload.childu.co.kr/include/OnlyOne1.asp

# Reference: https://twitter.com/cyberwar_15/status/1152035187196223488

lavaandstone.com/wp-content/plugins/fusion-core/about.php
sales.alitho.com/wp-content/themes/sketch/about.php
amytanathorn.com/wp-admin/includes/about.php

# Reference: https://twitter.com/cyberwar_15/status/1153123863435214848

rhythm86.com/wp-content/themes/twentysixteen/about.php
cabba-cacao.com/wp-content/themes/integral/about.php
3x-tv.com/plugins/editors/about.php

# Reference: https://twitter.com/KorbenD_Intel/status/1158479283549089792
# Reference: https://www.virustotal.com/gui/file/3bba04f277e7f51a5500f7b144fdbd851954e4f94bb0290e49fc63f6fc807321/detection

policyupdates.info

# Reference: https://twitter.com/cyberwar_15/status/1166282138179624960
# Reference: https://twitter.com/navSi16/status/1166287915959214080

youdermoscopy.org/media/fly.avi
youdermoscopy.org/media/fly312.avi

# Reference: https://blog.alyac.co.kr/2500 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d6940cb9e719255258969f5

alnagm-press.com/wp-content/plugins/cloudflare/list.php
elsouq.org/aramex/left.php
swedishmassageamsterdam.nl/wp-content/themes/top.php

# Reference: https://twitter.com/cyberwar_15/status/1175940165425958912

http://158.69.57.135
http://92.222.106.229

# Reference: https://securelist.com/my-name-is-dtrack/93338/
# Reference: https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/
# Reference: https://otx.alienvault.com/pulse/5d88b31dea7f4b9d4701d7e8
# Reference: https://www.virustotal.com/gui/file/fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702/detection
# Reference: https://www.virustotal.com/gui/file/58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb/detection

katawaku.jp/bbs/data/theme/profile2.php
materialindia.in
totalmateria.net
cyberub.com/board/icon/template/template_ro.php
/gallery/profile2.php
/theme/profile2.php
/wp/profile2.php

# Reference: https://twitter.com/KseProso/status/1178580006047539200

heromessi.com/wp-public/career/car_add.php

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-12-lazarus-resurfaces-targets-global-banks-bitcoin-users/lazarus-resurfaces-targets-global-banks-bitcoin-users.csv

deltaemis.com

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-11-20-android-malware-appears-linked-to-lazarus-cybercrime-group/android-malware-appears-linked-to-lazarus-cybercrime-group.csv

vmware-probe.zol.co.zw

# Reference: https://app.any.run/tasks/01497f45-7fba-4356-bbdc-4270e51c2465/
# Reference: https://twitter.com/Rmy_Reserve/status/1181528617374777344
# Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea

gp-core.com
gp-main.com

# Reference: https://twitter.com/VK_Intel/status/1182722604240719872
# Reference: https://objective-see.com/blog/blog_0x49.html (# AppleJeus)

185.228.83.32:443
beastgoc.com
/grepmonux.php

# Reference: https://twitter.com/kyleehmke/status/1184120287199223808
# Reference: https://www.virustotal.com/gui/ip-address/185.228.83.129/relations

dev.jmttrading.org

# Reference: https://twitter.com/RedDrip7/status/1186562944311517184
# Reference: https://blog.alyac.co.kr/2388 (Korean)
# Reference: https://twitter.com/RedDrip7/status/1186562944311517184
# Reference: https://otx.alienvault.com/pulse/5db06ad90686f3bad959d7fc

crabbedly.club
craypot.live
czinfo.club
indagator.club
pegasusco.net
smilekeepers.co

# Reference: https://twitter.com/0xD0CF11E0A1B11/status/1187264570861076481

thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi
juliesoskin.com/includes/common/list.php
necaled.com/modules/applet/list.php
valentinsblog.de/wp-admin/includes/list.php

# Reference: https://twitter.com/blackorbird/status/1187619261612609536
# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html
# Reference: https://www.virustotal.com/gui/ip-address/218.255.24.226/relations

119.18.230.253:443
218.255.24.226:443

# Reference: https://twitter.com/Rmy_Reserve/status/1188235835956551680
# Reference: https://app.any.run/tasks/42c972b1-ec38-4637-9354-9de930ff50b2/

curiofirenze.com

# Reference: https://twitter.com/blackorbird/status/1202177008572092417

unioncrypto.vip

# Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/

107.172.197.175:443
172.93.201.219:443
192.210.213.178:443
198.180.198.6:443
209.90.234.34:443
23.227.196.116:443
23.227.199.53:443
23.254.119.12:443
23.81.246.179:443
37.72.175.179:443
64.188.19.117:443
74.121.190.121:443

# Reference: https://securelist.com/operation-applejeus-sequel/95596/
# Reference: https://otx.alienvault.com/pulse/5e15b526b4f8bc605744ad76

aeroplans.info
beastgoc.com
buckfast-zucht.de
chainfun365.com
cyptian.com
invesuccess.com
jmttrading.org
mydealoman.com
private-kurier.com
unioncrypto.vip
wb-bot.org
wb-invest.net
wfcwallet.com

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-03-08-hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.csv

falcancoin.io

# Reference: https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045d
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045e
# Reference: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045b
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045a
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045f

94.177.123.138:8088
193.56.28.103:88
197.211.212.59:7443
181.39.135.126:7443
112.175.92.57:443
81.94.192.147:443
21.252.107.198:23164
70.224.36.194:59681
113.114.117.122:23397
47.206.4.145:59067
84.49.242.125:17770
26.165.218.44:2248
137.139.135.151:64694
97.90.44.200:37120
128.200.115.228:52884
186.169.2.237:65292
188.165.37.168:80
159.100.250.231:80
159.100.250.231:8080
107.6.12.135:443
210.202.40.35:443

# Reference: https://twitter.com/AffableKraut/status/1234726033930248198

74.121.190.140:8443

# Reference: https://twitter.com/RedDrip7/status/1254678135133442048
# Reference: https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-targeted-attack-against-south-korea-using-new-crown-outbreak-bait/
# Reference: https://www.virustotal.com/gui/domain/teslacontrols.ir/relations

afuocolento.it/wp-admin/network/server_test.php
kingsvc.cc
mbrainingevents.com/wp-admin/network/server_test.php
sofa.rs/wp-admin/network/server_test.php
sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg
teslacontrols.ir/wp-includes/images/detail31.jpg
teslacontrols.ir/wp-includes/images/detail32.jpg
/wp-admin/network/server_test.php

# Reference: https://twitter.com/cyberwar_15/status/1254736896330133504

matteoragazzini.it/wp-content/uploads/2017/06/category.php

# Reference: https://twitter.com/DeadlyLynn/status/1257504361577496576
# Reference: https://twitter.com/ShadowChasing1/status/1257511608189743105

astedams.it/uploads/template/17.dotm
astedams.it/include/inc-elenco-offerter.asp

# Reference: https://twitter.com/spider_girl22/status/1258224278194941953

astedams.it/uploads/frame/61.dotm

# Reference: https://objective-see.com/blog/blog_0x57.html
# Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/
# Reference: https://otx.alienvault.com/pulse/5eb2fabf6c26a287f705ca20

185.62.58.207:443
67.43.239.146:443

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md#IOC
# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/CSV/IOC-Lazarus_2020_05_05.csv
# Reference: https://www.virustotal.com/gui/file/1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f/behavior/VMRay
# Reference: https://www.virustotal.com/gui/file/66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88/behavior/QiAnXin%20RedDrip

51.77.65.154:443
192.169.250.185:443
sanlorenzoyacht.com/newsl/uploads/docs/43.dotm
elite4print.com/admin/order/batchPdfs.asp
od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm

# Reference: https://twitter.com/cyberwar_15/status/1264353716930412544
# Reference: https://www.virustotal.com/gui/file/e637c86ae20a7f36a0ad43618b00c48f47b5591a03af3fb689a16c45afa43733/detection
# Reference: https://www.virustotal.com/gui/file/d3a402458682c4febacc6ae4bc98e15e92142603a97d51316eeee9e8bca77f88/detection

depts.washington.edu/dswkshp/wordpress/wp-content/themes/twentyfifteen/inc/io/

# Reference: https://twitter.com/spider_girl22/status/1265486116393713665

anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg

# Reference: https://twitter.com/cyberwar_15/status/1265266629044080642
# Reference: https://asec.ahnlab.com/1323 (Korean)

mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php
sixbitsmedia.com/wp-content/uploads/wp-logs/category.php

# Reference: https://twitter.com/ShadowChasing1/status/1267431134662541317

fudcitydelivers.com
sctemarkets.com

# Reference: https://twitter.com/IntezerLabs/status/1268158680593313794

threegood.cc

# Reference: https://twitter.com/ccxsaber/status/1268020350605910016

coingotrade.com
kupaywallet.com

# Reference: https://twitter.com/Vishnyak0v/status/1269635930878545922

bluemoonresearch.org
fitnessdirector.net

# Reference: https://twitter.com/RedDrip7/status/1270201358721769475

paghera.com/include/inc-main-default-news.asp

# Reference: https://twitter.com/ShadowChasing1/status/1270728525926944768

ne-ba.org/files/gallery/img/img.asp

# Reference: https://twitter.com/MBThreatIntel/status/1270741821560406019

160.20.147.253:8443
audiopodcasts.co/verify.php
lastedforcast.com/list.php

# Reference: https://twitter.com/spider_girl22/status/1275366600560873473
# Reference: https://www.virustotal.com/gui/file/0fa91cac5712cfc0848af092190fd3d09948f1a7750547f0f16d1867dac6288a/detection

thestreetsmartsalesman.com/wp-content/uploads/wp-logs/category.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1275396942139469824
# Reference: https://app.any.run/tasks/5ddb7e93-bfc8-49a9-bd52-6b70f57c3846/

scertodisha.nic.in/wp-content/plugins/photo-gallery/admin/controllers/Photo.php
haciendasacchich.com/wp-content/plugins/photo-gallery/admin/views/404.php
annafalkenau.com/awstats/data/upload.php

# Reference: https://blog.reversinglabs.com/blog/hidden-cobra
# Reference: https://otx.alienvault.com/pulse/5ef2252af73ae43d92eecd15

1688dsj.com
amytanathorn.com
ccsnbao.com
fmose.com
fudcitydelivers.com
lavaandstone.com
sctemarkets.com
vns1389.com

# Reference: https://twitter.com/ShadowChasing1/status/1276324740878102529

anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg

# Reference: https://twitter.com/JAMESWT_MHT/status/1276471822217891840
# Reference: https://app.any.run/tasks/109752e9-2c7f-4d5c-9c3f-300bddc4c0db/

down.1230578.com

# Reference: https://twitter.com/felixaime/status/1280053007036624896
# Reference: https://sansec.io/research/north-korea-magecart
# Reference: https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/
# Reference: https://www.virustotal.com/gui/file/a6c803d7a185f896a6c90f78891c5dbb904df3535825764e05432641ab059fb1/detection

areac-agr.com
papers0urce.com

# Reference: https://twitter.com/gwillem/status/1281128245052805120

focuscamere.com

# Reference: https://twitter.com/patrickwardle/status/1286109626941845504
# Reference: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/

104.232.71.7:443
107.172.197.175:443
108.170.31.81:443
111.90.146.105:443
111.90.148.132:443
172.81.132.41:443
172.93.184.62:443
172.93.201.219:443
185.62.58.207:443
192.210.239.122:443
198.180.198.6:443
209.90.234.34:443
216.244.71.233:443
23.227.199.53:443
23.227.199.69:443
23.254.119.12:443
67.43.239.146:443
68.168.123.86:443

# Reference: https://twitter.com/cyberwar_15/status/1287291019537473538

nextlevelliving.pro/wp-content/uploads/js_composer/images/8c206b81-f5b1-4242-84d3-237ce728ff35.php

# Reference: https://twitter.com/AnonySecAgency/status/1290115260116897792
# Reference: https://www.virustotal.com/gui/file/40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13/detection

publishapp.co

# Reference: https://twitter.com/RedDrip7/status/1293462469214531584
# Reference: https://www.virustotal.com/gui/file/b0921142f8d3067c8253931977999a5092470ff3e562586d87af68c28ec66a99/detection

unsunozo.org/include/notes/notes.asp

# Reference: https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html
# Reference: https://otx.alienvault.com/pulse/5f4d20e8d417f271a62e0aeb

gestao.simtelecomrs.com.br/sac/digital/client.jsp
sac.onecenter.com.br/sac/masks/wfr_masks.jsp
mk.bital.com.br/sac/Formule/Manager.jsp

# Reference: https://twitter.com/IntezerLabs/status/1300403461809491969
# Reference: https://analyze.intezer.com/analyses/13d64c6e-6ac7-4888-a682-138a06cbaf16/
# Reference: https://www.virustotal.com/gui/file/390f9aae2dd5f0584106e3aa315bbd28a8c6479f126a4f13c7c3a62e19356634/detection

104.217.163.61:443
107.175.172.129:443
37.72.168.228:443

# Reference: https://twitter.com/ShadowChasing1/status/1302180729174937600

fabianiarte.com/uploads/imgup/21it-23792.jpg

# Reference: https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html
# Reference: https://otx.alienvault.com/pulse/5f7389601681e32d5bf045f6

automercado.co.cr/empleo/css/main.jsp
curiofirenze.com/include/inc-site.asp
ne-ba.org/files/news/thumbs/thumbs.asp
sanlorenzoyacht.com/newsl/include/inc-map.asp

# Reference: https://twitter.com/h2jazi/status/1311644338812792833
# Reference: https://www.virustotal.com/gui/file/d2f1cccfe688c074c3d58ae8f7be7b10dbea5d7ae53320c3f7b6e48cd4f62955/detection

phukien2a.net/images/images.zip.000

# Reference: https://blog.talosintelligence.com/2020/11/crat-and-plugins.html
# Reference: https://otx.alienvault.com/pulse/5faf04431c479940b422288b

teslacontrols.ir/wp-includes/images/detail31.jpg
teslacontrols.ir/wp-includes/images/detail32.jpg
sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg
publishapp.co/update/check.php
sideforum.cc/forum/list.php
freeforum.co/forum/list.php
goodfriend.pro/projects/list.php
friendship.me/users/register.php
threegood.cc/api/manage/customers
Engpro.xyz/images/detail.php
infocop.me/products/list.php
teamspit.pro/adverts/follow.php
dodoi.cc/photos/preview.php
advertapp.me/user/invite.php
insideforum.me/forum/list.php
anyoneforum.cc/forum/list.php
goodproject.xyz/projects/list.php
hellofriend.pro/users/register.php
moonge.cc/wp-content/plugins/google-sitemap-generator/sitemap-builder-embed.php
calculactcal.org/wp-content/themes/twentysixteen/body.php
3cuartos.com/wp-content/plugins/music-press-pro/templates/global/update.php
worldfoodstory.co.uk/wp-includes/register.php
bokkeriejesj.nl/wp-content/plugins/music-press-pro/upload.php
encontrosmaracatu.com.br/wp-content/plugins/music-press-pro/templates/global/topmenu.php
theblackout.fr/wp-content/plugins/music-press-pro/music-pro.php
mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php
tiramisu.it/wp-content/plugins/wp-comment-form.php
kartacnictvi.cz/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/upload.php
dimer-group.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/download.php
ecolerubanvert.com/wp-content/plugins/image-intense/know.php
lwac.com/wp-content/plugins/gallery-plugin/includes/demo-data/images/music/photo.php
copansrl.it/wp-admin/user/invite.php
arar-musique.fr/wp-content/plugins/music-press-pro/includes/admin/upgrade.php
firstalliance.church/wp-content/plugins/music-press/templates/404.php
erickeleo.com.br/wp-content/plugins/music-press-pro/go.php
kingsvc.cc/index.php
sofa.rs/wp-admin/network/server_test.php
afuocolento.it/wp-admin/network/server_test.php
mbrainingevents.com/wp-admin/network/server_test.php
afuocolento.it/wp-includes/process.php

# Reference: https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/
# Reference: https://otx.alienvault.com/pulse/5fb4044fd5f18831c24c6af6

cowp.or.kr/html/board/main.asp
erpmas.co.kr/Member/franchise_modify.asp
fored.or.kr/home/board/view.php
gncaf.or.kr/cafe/cafe_board.asp
gongsinet.kr/comm/comm_gongsi.asp
goojoo.net/board/banner01.asp
hsbutton.co.kr/bbs/bbs_write.asp
hstudymall.co.kr/easypay/web/bottom.asp
ikrea.or.kr/main/main_board.asp
pcdesk.co.kr/Freeboard/mn_board.asp
pgak.net/service/engine/release.asp
quecue.kr/okproj/ex_join.asp
style1.co.kr/main/view.asp
wowpress.co.kr/customer/refuse_05.asp
zndance.com/shop/post.asp

# Reference: https://twitter.com/h2jazi/status/1334353120038678528
# Reference: https://www.virustotal.com/gui/file/c19064733f2a23f09c8b16b3847cceeac8f61488be57911cefceb75425501097/detection

ilhak.co.kr/images/data/upload.asp
ktri.or.kr/upload/mail/upload.asp
warevalley.com/support/orange_open.asp

# Reference: https://twitter.com/BitsOfBinary/status/1321488299932983296
# Reference: https://twitter.com/BitsOfBinary/status/1337330286787518464
# Reference: https://twitter.com/mg2_tracy1/status/1337335098224508928
# Reference: https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=3051

admforte.com.br/wp-content/plugins/top.php
dafnefonseca.com/wp-content/themes/top.php
drei-schneeballen.de/wp-content/plugins/nextgen-gallery/view.php
funny-pictures.picphotos.net/saint-louis-senior-photos-senior-pictures-seniors-st-louis-st-louis/upload.php
greenvideo.nl/wp-content/themes/top.php
haciendadeclarevot.com/wp-content/top.php
justholdfast.com/doodle/wp-content/plugins/top.php
qwerty.creativehonduras.com/wp-includes/class-wp-redirect.php
shahrtdc.com/wp-content/plugins/top.php
tag-cloud-photo.freeware.filetransit.com/login.php
urbankizomba.se/wp-content/plugins/photo-gallery/filemanager/upload.php

# Reference: https://otx.alienvault.com/pulse/5fd8dbfcfed23b6fa1393ea9

yakufreshperu.com/facturacion/public/css/main.php
shikshakibaat.com/classes/detail.jsp
sanlorenzoyacht.com/newsl/include/inc-map.asp
paghera.com/content/view/thumb/info.asp
lyzeum.com/popup/popup.asp
index-consulting.jp/eng/news/index.php
hansolhope.or.kr/welfare/notice/view.jsp
forecareer.com/gdcareer/officetemplate-20nab.asp
fidesarte.it/thumb/multibox/style/common.asp
fabianiarte.com/uploads/imgup/21it-23792.jpg
fabianiarte.com/pdf/thumbs/thumb.asp
emilypress.com/CMWorking/Static/service/center.asp
curiofirenze.com/include/inc-site.asp
calculadoras.mx/themes/pack/pilot.php
automercado.co.cr/empleo/css/main.jsp
astedams.it/photos/image/image.asp
arumdaunresort.com/admin/html/user/contact.asp
apars-surgery.org/bbs/bbs_files/board_photo/menu.php
anca-aste.it/uploads/form/02E319AF73A33547343B71D5CB1064BC.dotm
vega.mh-tec.jp/.well-known/index.php
turnscor.com/ACT/images/slide/view.jsp
prestigein-am.jp/akita/wp-includes/wp-rss1.php
genieaccount.com/images/common/common.asp
acanicjquery.com/slides/style.php
mannpublicwhseltd.com/cservice.asp
hirokawaunso.co.jp/wordpress/wp-includes/review.php
anisweb.org/layout/site/style/preview.jsp
support.medicalinthecloud.com/TechCenter/include/slide.asp
pennontraders.com/assets/slides/view.jsp
indoweb.org/love/data/common/common.php
admin.shcpa.co.kr/_asapro2/formmail/lib.php
http://137.74.114.227/theveniaux/webliotheque/public/css/main.php
http://125.206.177.152/old/viewer.php

# Reference: https://twitter.com/BitsOfBinary/status/1339623925274296323

muzeyyengroup.com/wp-content/help.php
puskesmas-terminal.com/wp-content/help.php
zeandf.com/wp-content/help.php

# Reference: https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
# Reference: https://otx.alienvault.com/pulse/5fe36c30dbe6a83c04783415

bytecortex.com.br/eletronicos/digital.jsp
client.livesistemas.com/Live/posto/system.jsp
cometnet.biz/framework/common/common.asp
gongim.com/board/ajax_Write.asp
iski.silogica.net/events/serial.jsp
k-kiosk.com/bbs/notice_write.asp
kne.co.kr/upload/Customer/BBS.asp
locknlockmall.com/common/popup_left.asp
sac.najatelecom.com.br/sac/Dados/ntlm.jsp
sistema.celllab.com.br/webrun/Navbar/auth.jsp

# Reference: https://twitter.com/ShadowChasing1/status/1349924271791882247
# Reference: https://www.virustotal.com/gui/file/867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36/detection
# Reference: https://www.virustotal.com/gui/file/89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957/detection

aideck.net

# Reference: https://twitter.com/ShadowChasing1/status/1349927630183694339

creaideck.com/update/darwin64.bin

# Reference: https://www.virustotal.com/gui/file/d09041e3d635ddb28540b11cf180a30a28fc04c2ee6e5d994aa0bacc9633e944/detection

hpc.kau.ac.kr/rolling_banner/tmp4c5ae3.p3a
hpc.kau.ac.kr/error2.php

# Reference: https://twitter.com/BushidoToken/status/1353684625382641664
# Reference: https://www.virustotal.com/gui/ip-address/120.138.8.26/relations
# Reference: https://www.virustotal.com/gui/file/cabb45c99ffd8dd189e4e3ed5158fac1d0de4e2782dd704b2b595db5f63e2610/detection
# Reference: https://www.virustotal.com/gui/file/a9b3bc337043c04f529b2c19b3e33df1ad59bce27c074427e7b563db3a83c37b/detection
# Reference: https://www.virustotal.com/gui/file/bdf9fffe1c9ffbeec307c536a2369eefb2a2c5d70f33a1646a15d6d152c2a6fa/detection

advantims.com

# Reference: https://twitter.com/ShadowChasing1/status/1353972356759187456

angeldonationblog.com

# Reference: https://twitter.com/K_N1kolenko/status/1353975032104558592
# Reference: https://twitter.com/500mk500/status/1353992570519609344
# Reference: https://twitter.com/RedDrip7/status/1354038387603197952
# Reference: https://twitter.com/sS55752750/status/1354059524739653633
# Reference: https://twitter.com/vngkv123/status/1357247638228226053
# Reference: https://twitter.com/blackorbird/status/1357259907448229888
# Reference: https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg (Korean)
# Reference: https://enki.co.kr/blog/2021/02/04/ie_0day.html (Korean)
# Reference: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# Reference: https://otx.alienvault.com/pulse/60103a3268891c63b1f24d74
# Reference: https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection
# Reference: https://www.virustotal.com/gui/file/a08d24f74027256c6fd5c5a2fdb15b12889971fbdcfa7a28ffebbfe8b15aaefb/detection
# Reference: https://www.virustotal.com/gui/file/9c906c2f3bfb24883a8784a92515e6337e1767314816d5d9738f9ec182beaf44/detection
# Reference: https://www.virustotal.com/graph/embed/g4784ec032b3f4cb987a616f4b2dbc9aa9a982d9b20494f8980ae611a4ca3a1d8

angeldonationblog.com
codebiogblog.com
codevexillium.org
investbooking.de
krakenfolio.com
opsonew3org.sg
transferwiser.io
transplugin.io
blog.br0vvnn.io
codevexillium.org/image/download/download.asp
colasprint.com/_vti_log/upload.asp
dronerc.it/forum/uploads/index.php
dronerc.it/shop_testbr/Adapter/Adapter_Config.php
dronerc.it/shop_testbr/Core/upload.php
dronerc.it/shop_testbr/upload/upload.php
edujikim.com/intro/blue/insert.asp
fabioluciani.com/ae/include/constant.asp
fabioluciani.com/es/include/include.asp
loonsaloon.com/wp-content/plugins/revslider/hello.php
transplugin.io/upload/upload.asp
trophylab.com/notice/images/renewal/upload.asp

# Reference: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
# Reference: https://otx.alienvault.com/pulse/601052e27a2c451b3ba5ed31

akramportal.org/public/voice/voice.php
commodore.com.tr/mobiquo/appExtt/notdefteri/writenote.php
fabianiarte.com/newsletter/arte/view.asp
hirokawaunso.co.jp/wordpress/wp-includes/ID3/module.audio.mp4.php
index-consulting.jp/eng/news/index.php
inovecommerce.com.br/public/pdf/view.php
ja-fc.or.jp/shop/shopping.php
kenpa.org/yokohama/main.php
leemble.com/5mai-lyon/public/webconf.php
mail.clicktocareers.com/dev_clicktocareers/public/mailview.php
scimpex.com/admin/assets/backup/requisition/requisition.php
tronslog.com/public/appstore.php
vega.mh-tec.jp/.well-known/index.php

# Reference: https://twitter.com/Dashowl/status/1354264740692942848

trophylab.com/design/trophy/product/lmages/logo.png
worldspia.kr/upload_images/inc/LOG.PHP

# Reference: https://twitter.com/mattyb1512/status/1354070629469872129

ctrac.online

# Reference: https://twitter.com/h2jazi/status/1362109944791764993
# Reference: https://www.virustotal.com/gui/file/0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba/detection
# Reference: https://www.virustotal.com/gui/file/91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd/detection
# Reference: https://www.virustotal.com/gui/file/dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61/detection

kupaywallet.com
levelframeblog.com
dorusio.com/dorusio_update.php

# Reference: https://twitter.com/ShadowChasing1/status/1362362744909930496

materialindia.in/wp/wp-main/gallery/profile2.php
totalmateria.net/wp/profile2.php

# Reference: https://securelist.com/lazarus-threatneedle/100803/
# Reference: https://otx.alienvault.com/pulse/6037c3cea83bb963f5be0d51/

http://156.245.16.55/admin/admin.asp
americanhotboats.com/forums/core/cache/index.php
astedams.it/photos/image/image.asp
au-pair.org/admin/Newspaper.asp
au-pair.org/admin/login.asp
automercado.co.cr/empleo/css/main.jsp
cloudarray.com/images/logo/videos/cache.jsp
colasprint.com/_vti_log/upload.asp
curiofirenze.com/include/inc-site.asp
dellarocca.net/it/content/img/img.asp
digitaldowns.us/artman/exec/upload.php
djasw.or.kr/sub/popup/images/upfiles.asp
docentfx.com/wp-admin/includes/upload.php
dronerc.it/forum/uploads/index.php
dronerc.it/shop_testbr/Adapter/Adapter_Config.php
edujikim.com/intro/blue/view.asp
edujikim.com/pay/sample/INIstart.asp
edujikim.com/smarteditor/img/upload.asp
fabioluciani.com/ae/include/constant.asp
fabioluciani.com/es/include/include.asp
forum.iron-maiden.ru/core/cache/index.php
forum.snowreport.gr/cache/template/upload.php
fredrikarnell.com/marocko2014/index.php
geeks-board.com/blog/wp-content/uploads/2017/cache.php
gonnelli.it/uploads/catalogo/thumbs/thumb.asp
juvillage.co.kr/img/upload.asp
kannadagrahakarakoota.org/forums/admincp/upload.php
kbcwainwrightchallenge.org.uk/connections/dbconn.asp
kwwa.org/DR6001/FN6006LS.asp
kwwa.org/popup/160307/popup_160308.asp
lyzeum.com/board/bbs/bbs_read.asp
lyzeum.com/images/board/upload.asp
martiancartel.com/forum/customavatars/avatars.php
mdim.in.ua/core/cache/index.php
newidealupvc.com:443/img/prettyPhoto/jquery.max.php
polyboatowners.com/2010/images/BOTM/upload.php
polyboatowners.com/css/index.php
prototypetrains.com:443/forums/core/cache/index.php
raiestatesandbuilders.com/admin/installer/installer/index.php
roit.co.kr/xyz/mainpage/view.asp
sanatoliacare.com/include/index.asp
sanlorenzoyacht.com/newsl/include/inc-map.asp
shinwonbook.co.kr/basket/pay/open.asp
shinwonbook.co.kr/board/editor/upload.asp
theforceawakenstoys.com/vBulletin/core/cache/upload.php
waterdoblog.com/uploads/index.asp

# Reference: https://twitter.com/AnonySecAgency/status/1366971633458548738
# Reference: https://twitter.com/ShadowChasing1/status/1366988046294376450
# Reference: https://www.virustotal.com/gui/file/03cd4ec3defa490e68b1ca2efaf8daea6f89d3cceed51c91f4c4f9e2222d258d/detection

gcloud-share.com
dshellelink.gcloud-share.com

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1225581378840006656 (# DangerousPasswords)
# Reference: https://pastebin.com/raw/cLWvyJ20
# Reference: https://twitter.com/Rmy_Reserve/status/1230881875767377920
# Reference: https://twitter.com/ShadowChasing1/status/1328208737933246464
# Reference: https://www.virustotal.com/gui/file/4c574c1a2b126c8a5ba1ef9560516d0ac9990c0253119f874eb084b57742e3d7/detection

http://84.201.189.216
103.205.179.4:8080
amazonaws1.info
gdrvup.xyz
gmaildrive.site
googleauth.pro
googledriver.info
googleupload.info
liveonedrvshare.xyz
secureshares.online
gdriveupload.info

# Reference: https://twitter.com/Rmy_Reserve/status/1246404220040802309 (# DangerousPassword)

88.204.166.59:8080

# Reference: https://twitter.com/ShadowChasing1/status/1339195498519875585 (# DangerousPassword)

gdocshare.com

# Reference: https://twitter.com/ShadowChasing1/status/1367368069618700291
# Reference: https://twitter.com/_re_fox/status/1260931809103101957
# Reference: https://twitter.com/_re_fox/status/1301564536575733760
# Reference: https://twitter.com/_re_fox/status/1301565785345863689
# Reference: https://twitter.com/mattnotmax/status/1370311682354941954
# Reference: https://twitter.com/cyber__sloth/status/1285510760303656960
# Reference: https://www.virustotal.com/gui/file/d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805/detection
# Reference: https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_302_kodera_jp.pdf (Japanese)
# Reference: https://www.virustotal.com/gui/file/01184a5acb8b3ec56c9e90f2e6cd6673ae83b4fd6982e17329b33da2f77bcf5b/detection

doc.gsheetshare.org
docs.dsharefile.tech
docs.gdriveshare.top
drop.trailads.net
dsharefile.tech
gsheetshare.org
filehost.network
mdown.showprice.xyz
mse.theworkpc.com
name.ownemail.me
newsbtctech.com
ownemail.me
share.onedrvfile.site
shop.newsbtctech.com
trailads.net
up.digifincx.com
up.myemail.works

# Reference: https://twitter.com/ShadowChasing1/status/1339933511973699584 (# DangerousPassword)
# Reference: https://www.virustotal.com/gui/file/c64e2993563345fd497cfc382de27c7791b4f172d2c50d79b6290c2f9c06102c/detection

google-clouds.com

# Reference: https://twitter.com/cyber__sloth/status/1344208175168368641 (# DangerousPassword)
# Reference: https://twitter.com/cyber__sloth/status/1344208380525752321 (# DangerousPassword)

addrcheck.corecheckmailsrv.com
cloud-sheet.net
cloud.optvers.net
corecheckmailsrv.com
digitalcurencygroup.co
down.privatework.buzz
fidelitydigitalsassets.com
gdocshare.com
goglestorage.com
google-clouds.com
googleproduct.org
gsuiteshare.com
msftoffice.com
myemail.works
official.googleproduct.org
presentonline.xyz
privatework.buzz
sharesvr.net

# Reference: https://twitter.com/h2jazi/status/1369305004922855431
# Reference: https://twitter.com/h2jazi/status/1369307165807280135

torgirf.ru/loginhome.css

# Reference: https://twitter.com/h2jazi/status/1370024802791096320
# Reference: https://www.virustotal.com/gui/file/46fcbc170e84d8ad48434251421bd8f6fa49a7e741d2c24d31c170c607c60d51/detection
# Reference: https://www.virustotal.com/gui/file/c8a8d2caa429a8bbe885ef8d59d982b4bfd9c48f1255ff69e3b81c6bbd7b2925/detection

dronerc.it/shop_testbr/localization/dir_photoes/image.php
dronerc.it/shop_testbr/localization/dir_photoes/logo.php

# Reference: https://twitter.com/h2jazi/status/1354880834092859395
# Reference: https://www.virustotal.com/gui/ip-address/104.168.158.103/relations
# Reference: https://www.virustotal.com/gui/file/aec3ced40a3451dc2c6b1704cc50b0e0c8e549faaa8ae42b6d6f421b4fc2ef8a/detection
# Reference: https://www.virustotal.com/gui/file/e7a4d8b80dc653a47440db2a8deaf782109bb710e5d4311bc3d7685dba715865/detection
# Reference: https://www.virustotal.com/gui/file/75d3d96033db529c9ae698ac6de8fba420c2daa5d97614d7118f49e03c2d83d3/detection

documentprotect.live
documentprotect.pro

# Reference: https://twitter.com/h2jazi/status/1373985591814197250
# Reference: https://www.virustotal.com/gui/file/09b83a501b8f919fc4861735097dd50957f21e81209d362b4fa425bd3348a495/detection

cloudshare.jumpshare.vip

# Reference: https://twitter.com/HONKONE_K/status/1374178555634933762
# Reference: https://www.virustotal.com/gui/file/66e96fbd6e977ddef3f0a2924978d92e5d67bd96e68dc4832f5041dbd40bcfc9/detection
# Reference: https://www.virustotal.com/gui/file/e087d06c552aeef36c2ba9fdd14b06fca499f2d37dfea21e480a02a748b19bf1/detection

antcapital.us
document.antcapital.us
protect.antcapital.us

# Reference: https://twitter.com/DrN1ght/status/1374026917343543301

chemistryworld.us
coinbigex.com
innoenergy.info
mclland.com
qooqle.download

# Reference: https://twitter.com/h2jazi/status/1375528365587894272
# Reference: https://www.virustotal.com/gui/file/2fdba1e332203ca0d01992b137ebeaa1f21f7c3daec7230e6b8a4d36182caed4/detection

sanlorenzoyacht.com/newsl/uploads/docs/

# Reference: https://twitter.com/ShadowChasing1/status/1377610488830291973
# Reference: https://twitter.com/ShadowChasing1/status/1377628563000594433

toysbagonline.com
purewatertokyo.com
pinkgoat.com
yellowlion.com
salmonrabbit.com
bluecow.com

# Reference: https://twitter.com/darktracer_int/status/1380309710721622016
# Reference: https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/
# Reference: https://otx.alienvault.com/pulse/60739323ef1b2b3a187f0f15

4bjt2rceijktwedi.onion
cwwpxpxuswo7b6tr.onion

# Reference: https://twitter.com/fr0s7_/status/1381328726819020804
# Reference: https://www.virustotal.com/gui/file/e514d83d2aaa1357b34f5f11ecc35afe10b6240796e085977e9d4a56145bb8b3/detection

protectoffice.club

# Reference: https://twitter.com/ShadowChasing1/status/1382514587589742597
# Reference: https://www.virustotal.com/gui/file/f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72/detection

jinjinpig.co.kr/Anyboard/skin/board.php
mail.namusoft.kr/jsp/user/eam/board.jsp

# Reference: https://www.group-ib.com/blog/btc_changer

luxmodelagency.com/wp-incluses/random_compat/zeus/wongs/wongs.php
/random_compat/zeus/wongs/wongs.php
/zeus/wongs/wongs.php

# Reference: https://twitter.com/ShadowChasing1/status/1384016097494507521
# Reference: https://twitter.com/cyberwar_15/status/1384462513249546244
# Reference: https://www.virustotal.com/gui/file/79e15cc02c6359cdb84885f6b84facbf91f6df1254551750dd642ff96998db35/detection

ddjm.co.kr/bbs/icon/skin/skin.php
snum.or.kr/skin_img/skin.php

# Reference: https://www.virustotal.com/gui/file/6d2ecc3b0a43f0c377ea6d9a68aa5ac0d48635a04219264fb0702976efea8ef6/detection

http://121.146.68.233/fileserver/temp/platform.asp
http://121.254.224.218/angkor.ylw.common.fileserviceserver/web/document/netframework.asp
codibest.com/data/geditor/main_1.php
gbflatinamerica.com
myungokhun.co.kr/_proc/member/member_bk.asp
/angkor.ylw.common.fileserviceserver/web/document/netframework.asp
/data/geditor/main_1.php
/fileserver/temp/platform.asp

# Reference: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/
# Reference: https://otx.alienvault.com/pulse/608af383c5be4591c5da02e5

akramportal.org/delv/public/voice/voice.php
apars-surgery.org/bbs/bbs_files/board_blog/write.php
bootcamp-coders.cnm.edu
ctevt.org.np/ctevt/public/frontend/review.php
forecareer.com/gdcareer/officetemplate-20nab.asp
gbflatinamerica.com/file/filelist.php
goldllama4.sakura.ne.jp
hospitality-partners.co.jp/works/performance/consumer.php
inovecommerce.com.br/public/pdf/view.php
mail.clicktocareers.com/public/jobapplications/jdviewer.php
propro.jp/wp-content/documents/docsmgmt.php
vega.mh-tec.jp/.well-known/gallery/siteview.php

# Reference: https://www.virustotal.com/gui/file/610047be0b2360d609baa71be22ddc5814743868886f8d85ab9985d3f01229d6/detection

mappo-on.life
help.mappo-on.life

# Reference: https://www.virustotal.com/gui/file/27bfac11c1f9184b515fbf5fcd946e921c95506f89eb273e148fcf0068e50932/detection

octo-manage.net
help.octo-manage.net

# Reference: https://twitter.com/ShadowChasing1/status/1391981731394187266
# Reference: https://www.virustotal.com/gui/file/a0d070b66408654cdcb84784e77914dc355a23c81e3e6ef36362470619c4de96/detection

http://45.61.136.204
googledocpage.com

# Reference: https://twitter.com/ShadowChasing1/status/1393356174506921985
# Reference: https://www.virustotal.com/gui/file/8e1746829851d28c555c143ce62283bc011bbd2acfa60909566339118c9c5c97/detection

allgraphicart.com

# Reference: https://twitter.com/ShadowChasing1/status/1397768682776895491
# Reference: https://www.virustotal.com/gui/file/8d48a77e7a4b8c824d8c1b890dc3e2b904e6fa8fbe8dae1a22f5870916c01c20/detection

sslsharecloud.net
dev.sslsharecloud.net

# Reference: https://twitter.com/ShadowChasing1/status/1398468263818928136

ewha-ac.ml

# Reference: https://twitter.com/ShadowChasing1/status/1399369260577681426
# Reference: https://www.virustotal.com/gui/file/4059fea324e27cfbd4955f37dc7791709dbf35a800449373c6715bc53b88f7c5/detection

amene.homepc.it

# Reference: https://twitter.com/360CoreSec/status/1402920149754155010
# Reference: https://www.virustotal.com/gui/file/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c/detection
# Reference: https://www.virustotal.com/gui/file/3b33b0739107411b978c3cbafb312a44b7488bd7adabae3e7b02059240b6dc83/detection

shopweblive.com

# Reference: https://twitter.com/h2jazi/status/1406401709157629952
# Reference: https://twitter.com/ShadowChasing1/status/1406592585796177924
# Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
# Reference: https://www.virustotal.com/gui/file/5c2f339362d0cd8e5a8e3105c9c56971087bea2701ea3b7324771b0ea2c26c6c/detection

allamwith.com/home/mobile/list.php
conkorea.com/cshop/banner/list.php
ddjm.co.kr/bbs/icon/skin/skin.php
hivekorea.com/jdboard/member/list.php
jinjinpig.co.kr/Anyboard/skin/board.php
mail.namusoft.kr/jsp/user/eam/board.jsp
mail.neocyon.com/jsp/user/sms/sms_recv.jsp
mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp
snum.or.kr/skin_img/skin.php
/jsp/user/sms/sms_recv.jsp

# Reference: https://twitter.com/360CoreSec/status/1405790277034418177
# Reference: https://www.virustotal.com/gui/file/35a39299c47bc701dbe7cb72fcb695d08eb2095d1a5b8b7942d3034d16435e89/detection
# Reference: https://www.virustotal.com/gui/file/382a209ce5745c85507b0bd80b87496ad92128e6870199d0c33d6ddedc542dd1/detection
# Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection

185.208.158.204:443
193.56.28.251:443

# Reference: https://twitter.com/ShadowChasing1/status/1405515076149284870
# Reference: https://www.virustotal.com/gui/file/4c4cc3abd3ddb15d5306fb647c6d779b18df5b949673bb3f3f87faa2c5f56a6a/detection

authenticate.azure-drive.com

# Reference: https://twitter.com/ShadowChasing1/status/1407993219720224771

elwoodasset.xyz
sharemanage.elwoodasset.xyz

# Reference: https://twitter.com/360CoreSec/status/1410127120177635328

52.202.193.124:443

# Reference: https://twitter.com/fr0s7_/status/1402394083331559431
# Reference: https://twitter.com/Jup1a/status/1402470227292561412
# Reference: https://www.virustotal.com/gui/file/1939d9fdcf831dc4cac001ba193669c75a336258bc99a1775471554229e4a69b/detection

azure-drive.com
download.azure-drive.com
protect.azure-drive.com

# Reference: https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12
# Reference: https://otx.alienvault.com/pulse/60e6d2a6786d43397db19bc7

grandgolf.co.kr/html/facilities/facilities_01_06.asp
kdone.co.kr/Utils/EmailUtil.asp
namchuncheon.co.kr/admin/BookAppl/Search_left.asp

# Reference: https://twitter.com/ShadowChasing1/status/1412934665292316677
# Reference: https://twitter.com/ShadowChasing1/status/1412953330700062726

http://95.179.235.55
sharebusiness.xyz
signverydn.sharebusiness.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1412932935523573760
# Reference: https://www.virustotal.com/gui/file/8afdf8513a6e3bede16187004daccc95e193a29062415d9ba0c29b98a5a927d1/detection

devprocloud.com
share.devprocloud.com

# Reference: https://mp.weixin.qq.com/s/y-SHoh9f5qwAwqml3uf8vw
# Reference: https://otx.alienvault.com/pulse/60f930c9c1a69acdb28adea6

smartaudpor.com