# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: chrysalis, warbird, hacked notepad++

# Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/operation-lotus-blossom/unit42-operation-lotus-blossom.pdf

asean-star.com
aseaneco.org
aseansec.dynalias.org
beckhammer.xicp.net
boshman09.com
chris201.net
cpcl2006.dyndns-free.com
cybertunnel.dyndns.info
harryleed.dyndns.org
jackyson.dyndns.info
kid.dyndns.org
kjd.dyndns.org
newinfo32.eicp.net
newshappys.dyndns-blog.com
petto.mooo.com
phil-army.gotdns.org
phil-gov.gotdns.org
scristioned.dyndns-web.com
shotacon.dyndns.info
usa-moon.net
verolalia.dyndns.org
wsi.dyndns.org

aliancesky.com
babysoal.com
boshman09.com
chris201.net
iascas.net
imonju.com
imonju.net
interhero.net
seachers.net
serchers.net
tgecc.org
tintuchoahau.com
vienclp.com
www3.bkav2010.net

# Reference: https://www.accenture.com/t20180131T100734Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf

3qyo4o7.7r7i3.info
dtdf5vu.nt7yq.info
j.4tc3ldw.g9ml.www0.org
38qmk6.0to9.info
ubkv1t.ec0.com
7g91xhp.envuy3.net
l.hovux.eln9wj7.7gpj.org
w.7sytdjc.wroi.cxy.com

# Reference: https://x.com/cyb3rops/status/2018253965645766993
# Reference: https://x.com/cyb3rops/status/2018361184626356411
# Reference: https://x.com/ValidinLLC/status/2018680305364685102
# Reference: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
# Reference: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
# Reference: https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
# Reference: https://securelist.com/notepad-supply-chain-attack/118708/
# Reference: https://www.virustotal.com/gui/ip-address/160.250.93.48/relations
# Reference: https://www.virustotal.com/gui/file/e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda/detection
# Reference: https://www.virustotal.com/gui/file/0755d2dc99c0a44f4e5435c398d9afca0db783e51a9df9ea472ac6936384d0d8/detection
# Reference: https://www.virustotal.com/gui/file/0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd/detection
# Reference: https://www.virustotal.com/gui/file/7f2e0f51e83d6cf9c50922f898126b139f69cc49e8768830042358c1bd336dbc/detection
# Reference: https://www.virustotal.com/gui/file/f365cfbca03a28a7692308c9766f8ae92f74f6c79aaa68458b1facbc74b534f2/detection
# Reference: https://www.virustotal.com/gui/file/b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3/detection
# Reference: https://www.virustotal.com/gui/file/fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a/detection

http://45.32.144.255
http://45.76.155.202
http://95.179.213.0
124.222.137.114:9999
59.110.7.32:8880
59.110.7.32:8999
95.179.213.0:443
95.179.213.0:8080
cloudtrafficservice.com
skycloudcenter.com
wiresguard.com
api.cloudtrafficservice.com
api.skycloudcenter.com
api.wiresguard.com
cdncheck.it.com
# link-dns.it.com
safe-dns.it.com
self-dns.it.com
/ukalDxyz