# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt10, stone panda, gallium

# Reference: http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/

dick.ccfchrist.com
trout.belowto.com
sakai.unhamj.com
zebra.wthelpdesk.com
area.wthelpdesk.com
kawasaki.cloud-maste.com
kawasaki.unhamj.com
fukuoka.cloud-maste.com
scorpion.poulsenv.com
lion.wchildress.com
fbi.sexxxy.biz
cia.toh.info
2014.zzux.com
nttdata.otzo.com
iphone.vizvaz.com
app.lehigtapp.com
jimin.jimindaddy.com
Jepsen.r3u8.com
inspgon.re26.com
nunluck.re26.com
yahoo.incloud-go.com
msn.incloud-go.com
www.mseupdate.ourhobby.com
contractus.qpoe.com
apple.cmdnetview.com
cvnx.zyns.com

# Reference: http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html
# Reference: https://app.any.run/tasks/b5634afb-0d3a-4d0b-97c8-fbbd25b9aa97/

area.wthelpdesk.com
dick.ccfchrist.com
kawasaki.cloud-maste.com
kawasaki.unhamj.com
sakai.unhamj.com
scorpion.poulsenv.com
trout.belowto.com
zebra.wthelpdesk.com
hamiltion.catholicmmb.com
gavin.ccfchrist.com

# Reference: https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

eservake.jetos.com

# Reference: https://github.com/janhenrikdotcom/iocs/blob/master/APT10/cloud-hopper-indicators-of-compromise-v3.pdf
# Reference: https://raw.githubusercontent.com/jonaslejon/apt10/master/apt_apt10.yar

002562066559681.r3u8.com
031168053846049.r3u8.com
0625.have8000.com
1.gadskysun.com
100fanwen.com
11.usyahooapis.com
19518473326.r3u8.com
1960445709311199.r3u8.com
1j.www1.biz
1z.itsaol.com
2012yearleft.com
2014.zzux.com
202017845.r3u8.com
2139465544784.r3u8.com
2789203959848958.r3u8.com
5590428449750026.r3u8.com
5q.niushenghuo.info
6r.suibian2010.info
9gowg.tech
hamiltion.catholicmmb.com
a.wubangtu.info
a1.suibian2010.info
ab.4pu.com
abc.wikaba.com
abcd120719.6600.org
abcd120807.3322.org
acc.emailfound.info
acc.lehigtapp.com
acsocietyy.com
ad.getfond.info
ad.webbooting.com
additional.sexidude.com
af.zyns.com
afc.https443.org
ako.ddns.us
androidmusicapp.onmypc.us
announcements.toythieves.com
anvprn.com
aotuo.9966.org
apec.qtsofta.com
app.lehigtapp.com
apple.cmdnetview.com
apple.defensewar.org
apple.ikwb.com
appledownload.ourhobby.com
appleimages.itemdb.com
appleimages.longmusic.com
applelib120102.9966.org
applemirror.organiccrap.com
applemirror.squirly.info
applemusic.isasecret.com
applemusic.itemdb.com
applemusic.wikaba.com
applemusic.xxuz.com
applemusic.zzux.com
apples.sytes.net
appleupdate.itemdb.com
architectisusa.com
area.wthelpdesk.com
army.xxuz.com
art.p6p6.net
asfzx.x24hr.com
av.ddns.us
availab.wikaba.com
availability.justdied.com
ba.my03.com
baby.macforlinux.net
baby.myie12.com
baby.usmirocomney.net
back.jungleheart.com
back.mofa.dynamic-dns.net
bak.have8000.com
bak.ignorelist.com
bak.un.dnsrd.com
balance1.wikaba.com
balk.n7go.com
banana.cmdnetview.com
barrybaker.6600.org
bbs.jungleheart.com
bdoncloud.com
be.mrslove.com
be.yourtrap.com
belowto.com
bethel.webhop.net
bexm.cleansite.biz
bezu.itemdb.com
bk56.twilightparadox.com
blaaaaaaaaaaaa.windowsupdate.3-a.net
blog.defensewar.org
brand.fartit.com
bridgeluxlightmadness.com
bulletproof.squirly.info
cao.p6p6.net
cata.qtsofta.com
catholicmmb.com
cc.dynamicdns.co.uk
ccfchrist.com
ccupdatedata.authorizeddns.net
cd.usyahooapis.com
cdn.incloud-go.com
center.shenajou.com
cgei493860.r3u8.com
chaindungeons.com
chibashiri.com
childrenstow.com
cia.ezua.com
cia.toh.info
ciaoci.chickenkiller.com
civilwar123.authorizeddns.org
civilwar520.onmypc.org
ckusshani.com
cloud-kingl.com
cloud-maste.com
cloudns.8800.org
cmdnetview.com
cms.sindeali.com
cnnews.mylftv.com
commissioner.shenajou.com
commons.onedumb.com
contactus.myddns.com
contactus.onmypc.us
contract.4mydomain.com
contractus.qpoe.com
contractus.zzux.com
coreck.suayay.com
cpu.4pu.com
cs.lflink.com
ctdl.windowsupdate.itsaol.com
ctdl.windowsupdate.nsatcdns.com
ctldl.appledownload.ourhobby.com
ctldl.applemusic.itemdb.com
ctldl.itunesmusic.jkub.com
ctldl.microsoftmusic.onedumb.com
ctldl.microsoftupdate.qhigh.com
ctldl.windowsupdate.authorizeddns.org
ctldl.windowsupdate.authorizeddns.us
ctldl.windowsupdate.dnset.com
ctldl.windowsupdate.esmtp.biz
ctldl.windowsupdate.ezua.com
ctldl.windowsupdate.gettrials.com
ctldl.windowsupdate.itsaol.com
ctldl.windowsupdate.lflinkup.com
ctldl.windowsupdate.mrface.com
ctldl.windowsupdate.nsatcdns.com
ctldl.windowsupdate.organiccrap.com
ctldl.windowsupdate.x24hr.com
cvnx.zyns.com
cwiinatonal.com
daddy.gostudyantivirus.com
dcc.jimingroup.com
dd.ddns.us
de.onmypc.info
dear.loveddos.com
dec.seyesb.acmetoy.com
dedgesuite.net
dedydns.ns01.us
defensewar.org
demoones.com
department.shenajou.com
details.squirly.info
development.shenajou.com
devilcase.acmetoy.com
dfgwerzc.3322.org
dick.ccfchrist.com
digsby.ourhobby.com
disruptive.https443.net
dlmix.ourdvs.com
dnspoddwg.authorizeddns.org
do.ddns.ms
document.methoder.com
document.shenajou.com
domainnow.yourtrap.com
download.applemusic.itemdb.com
download.microsoftmusic.onedumb.com
download.windowsupdate.authorizeddns.org
download.windowsupdate.dedgesuite.net
download.windowsupdate.dnset.com
download.windowsupdate.itsaol.com
download.windowsupdate.lflinkup.com
download.windowsupdate.nsatcdns.com
download.windowsupdate.x24hr.com
downloadlink.mypicture.info
drives.methoder.com
dst.1dumb.com
duosay.com
dyncojinf.6600.org
dynsbluecheck.7766.org
ea.onmypc.info
ea.rebatesrule.net
edgar.ccfchrist.com
ehshiroshima.mylftv.com
emailfound.info
eric-averyanov.wha.la
essashi.com
eu.acmetoy.com
eu.wha.la
eu.zzux.com
everydayfilmlink.com
ewe.toshste.com
eweek.2waky.com
exprenum.com
express.lflinkup.com
extraordinary.dynamic-dns.net
f068v.site
fabian.ccfchrist.com
fastemail.dnsrd.com
fastmail2.com
fbi.sexxxy.biz
fbi.zyns.com
fcztqbg.zj.r3u8.com
feed.jungleheart.com
fftpoor.com
fg.v4.download.windowsupdates.dnsrd.com
fgipv6.download.windowsupdate.com.mwcname.com
file.zzux.com
files.architectisusa.com
film.everydayfilmlink.com
filmlist.everydayfilmlink.com
findme.epac.to
fire.mrface.com
fish.toh.info
fiveavmersi.websegoo.net
fjs.wikaba.com
flea.poulsenv.com
flynews.edns.biz
fo.mysecondarydns.com
foal.wchildress.com
follow.wha.la
foo.shenajou.com
for.ddns.mobi
fr.wikaba.com
franck.demoones.com
ftp.2014.zzux.com
ftp.additional.sexidude.com
ftp.afc.https443.org
ftp.announcements.toythieves.com
ftp.apple.ikwb.com
ftp.appledownload.ourhobby.com
ftp.appleimages.itemdb.com
ftp.appleimages.longmusic.com
ftp.appleimages.organiccrap.com
ftp.applemirror.organiccrap.com
ftp.applemirror.squirly.info
ftp.applemusic.isasecret.com
ftp.applemusic.itemdb.com
ftp.applemusic.wikaba.com
ftp.applemusic.xxuz.com
ftp.applemusic.zzux.com
ftp.appleupdate.itemdb.com
ftp.architectisusa.com
ftp.asfzx.x24hr.com
ftp.availab.wikaba.com
ftp.availability.justdied.com
ftp.back.jungleheart.com
ftp.balance1.wikaba.com
ftp.be.mrslove.com
ftp.brand.fartit.com
ftp.bulletproof.squirly.info
ftp.cia.ezua.com
ftp.cia.toh.info
ftp.civilwar123.authorizeddns.org
ftp.civilwar520.onmypc.org
ftp.cloudfileserverbs.dynamicdns.co.uk
ftp.cnnews.mylftv.com
ftp.commons.onedumb.com
ftp.contractus.qpoe.com
ftp.cvnx.zyns.com
ftp.de.onmypc.info
ftp.details.squirly.info
ftp.devilcase.acmetoy.com
ftp.disruptive.https443.net
ftp.domainnow.yourtrap.com
ftp.ea.onmypc.info
ftp.ehshiroshima.mylftv.com
ftp.eric-averyanov.wha.la
ftp.eu.acmetoy.com
ftp.eu.wha.la
ftp.eu.zzux.com
ftp.fbi.sexxxy.biz
ftp.file.zzux.com
ftp.findme.epac.to
ftp.fire.mrface.com
ftp.fjs.wikaba.com
ftp.fr.wikaba.com
ftp.fuck.ikwb.com
ftp.fuckmm.dns-dns.com
ftp.generat.almostmy.com
ftp.goldtoyota.com
ftp.goodmusic.justdied.com
ftp.helpus.ddns.info
ftp.hii.qhigh.com
ftp.innocent-isayev.sexidude.com
ftp.invoices.sexxxy.biz
ftp.iphone.vizvaz.com
ftp.itlans.isasecret.com
ftp.itunesdownload.jkub.com
ftp.itunesdownload.wikaba.com
ftp.itunesimages.itemdb.com
ftp.itunesimages.itsaol.com
ftp.itunesimages.qpoe.com
ftp.itunesmirror.fartit.com
ftp.itunesmirror.itsaol.com
ftp.itunesmusic.ikwb.com
ftp.itunesmusic.jetos.com
ftp.itunesmusic.jkub.com
ftp.itunesmusic.zzux.com
ftp.itunesupdate.itsaol.com
ftp.itunesupdates.organiccrap.com
ftp.japanfilmsite.ikwb.com
ftp.jimin.mymom.info
ftp.jp.serveuser.com
ftp.key.zzux.com
ftp.knowledge.sellclassics.com
ftp.lan.dynssl.com
ftp.latestnews.epac.to
ftp.latestnews.organiccrap.com
ftp.leedong.longmusic.com
ftp.macfee.mrface.com
ftp.maffc.mrface.com
ftp.malware.dsmtp.com
ftp.manager.jetos.com
ftp.martin.sellclassics.com
ftp.mason.vizvaz.com
ftp.mediapath.organiccrap.com
ftp.microsoft.got-game.org
ftp.microsoft.mrface.com
ftp.microsoftimages.organiccrap.com
ftp.microsoftmusic.mrbasic.com
ftp.microsoftqckmanager.pcanywhere.net
ftp.microsoftupdate.mrbasic.com
ftp.microsoftupdate.qhigh.com
ftp.micrsoftware.dsmtp.com
ftp.mircsoft.compress.to
ftp.mmy.ddns.us
ftp.mod.jetos.com
ftp.mofa.dynamic-dns.net
ftp.mofa.ns01.info
ftp.moscowdic.trickip.org
ftp.msg.ezua.com
ftp.musicfile.ikwb.com
ftp.musicjj.zzux.com
ftp.mymusicbox.vizvaz.com
ftp.myphpwebsite.itsaol.com
ftp.myrestroomimage.isasecret.com
ftp.na.americanunfinished.com
ftp.na.onmypc.org
ftp.newsdata.jkub.com
ftp.newsroom.cleansite.info
ftp.no.authorizeddns.org
ftp.nsa.mefound.com
ftp.nt.mynumber.org
ftp.nttdata.otzo.com
ftp.nz.compress.to
ftp.ol.almostmy.com
ftp.oracleupdate.dns04.com
ftp.portal.mrface.com
ftp.portal.sendsmtp.com
ftp.portalser.dynamic-dns.net
ftp.praskovya-matveyeva.mefound.com
ftp.praskovya-ulyanova.dumb1.com
ftp.products.almostmy.com
ftp.products.cleansite.us
ftp.products.serveuser.com
ftp.purchase.lflinkup.org
ftp.recent.dns-stuff.com
ftp.recent.fartit.com
ftp.referred.gr8domain.biz
ftp.referred.yourtrap.com
ftp.register.ourhobby.com
ftp.registration2.instanthq.com
ftp.registrations.4pu.com
ftp.registrations.organiccrap.com
ftp.remeberdata.iownyour.org
ftp.reserveds.onedumb.com
ftp.rethem.almostmy.com
ftp.sdmsg.onmypc.org
ftp.se.toythieves.com
ftp.secertnews.mrbasic.com
ftp.senseye.ikwb.com
ftp.senseye.mrbonus.com
ftp.septdlluckysystem.jungleheart.com
ftp.seraphim-yurieva.justdied.com
ftp.serv.justdied.com
ftp.server1.proxydns.com
ftp.seyesb.acmetoy.com
ftp.shugiin.jkub.com
ftp.singed.otzo.com
ftp.sstday.jkub.com
ftp.support1.mrface.com
ftp.supportus.mefound.com
ftp.svc.dynssl.com
ftp.synssl.dnset.com
ftp.tamraj.fartit.com
ftp.tfa.longmusic.com
ftp.thunder.wikaba.com
ftp.ticket.instanthq.com
ftp.ticket.serveuser.com
ftp.tokyofile.2waky.com
ftp.tophost.dynamicdns.co.uk
ftp.transfer.lflinkup.org
ftp.transfer.mrbasic.com
ftp.transfer.vizvaz.com
ftp.ugreen.itemdb.com
ftp.uk.dynamicdns.org.uk
ftp.un.ddns.info
ftp.un.dnsrd.com
ftp.usa.itsaol.com
ftp.well.itsaol.com
ftp.well.mrbasic.com
ftp.wike.wikaba.com
ftp.windowfile.itemdb.com
ftp.windowsimages.itemdb.com
ftp.windowsimages.qhigh.com
ftp.windowsmirrors.vizvaz.com
ftp.windowsupdate.2waky.com
ftp.windowsupdate.3-a.net
ftp.windowsupdate.authorizeddns.us
ftp.windowsupdate.dns05.com
ftp.windowsupdate.esmtp.biz
ftp.windowsupdate.ezua.com
ftp.windowsupdate.fartit.com
ftp.windowsupdate.gettrials.com
ftp.windowsupdate.instanthq.com
ftp.windowsupdate.jungleheart.com
ftp.windowsupdate.lflink.com
ftp.windowsupdate.mrface.com
ftp.windowsupdate.mylftv.com
ftp.windowsupdate.rebatesrule.net
ftp.windowsupdate.sellclassics.com
ftp.windowsupdate.serveusers.com
ftp.yandexr.sellclassics.com
fu.epac.to
fuck.ikwb.com
fuckanti.com
fuckdd.8800.org
fuckmm.8800.org
fuckmm.dns-dns.com
fukuoka.cloud-maste.com
g3ypf.online
gadskysun.com
gavin.ccfchrist.com
generat.almostmy.com
generousd.hopto.org
gensuzuki.6600.org
getfond.info
gh.mysecondarydns.com
gifuonlineshopping.mynumber.org
glicense.shenajou.com
globalnews.wikaba.com
gmail.com.mailsserver.com
gmpcw.com
gold.polopurple.com
goldtoyota.com
goodmusic.justdied.com
goodsampjp.com
gooesdataios.instanthq.com
google.macforlinux.net
google.usrobothome.com
googlemeail.com
gostudyantivirus.com
gostudymbaa.com
gotourisma.com
gt4study.com
gtsofta.com
haoyujd.info
happy.workerisgood.com
have8000.com
helpus.ddns.info
helshellfucde.8866.org
hg8fmv.racing
hii.qhigh.com
hk.2012yearleft.com
hk.cmdnetview.com
hk.have8000.com
hk.loveddos.com
home.trickip.org
hostport9.net
hotmai.info
hotmail.com.mailsserver.com
hukuoka.cloud-maste.com
iamges.itunesmusic.jkub.com
ibmmsg.strangled.net
icfeds.cf
idpmus.hostport9.net
ijica.in
im.suibian2010.info
image.websago.info
images.itunesmusic.jkub.com
images.thedomais.info
images.tyoto-go-jp.com
images.windowsupdate.organiccrap.com
imap.architectisusa.com
imap.dnset.com
imap.lflink.com
imap.onmypc.net
imap.ygto.com
img.station155.com
improvejpese.com
incloud-go.com
incloud-obert.com
ingemar.catholicmmb.com
innocent-isayev.sexidude.com
innov-tec.com.ua
inspgon.re26.com
interpreter.shenajou.com
invoices.sexxxy.biz
io.jkub.com
iphone.vizvaz.com
ipv4.applemusic.itemdb.com
ipv4.itunesmusic.jkub.com
ipv4.japanenvnews.qpoe.com
ipv4.microsoftmusic.onedumb.com
ipv4.microsoftupdate.mrbasic.com
ipv4.microsoftupdate.qhigh.com
ipv4.windowsupdate.3-a.net
ipv4.windowsupdate.authorizeddns.org
ipv4.windowsupdate.authorizeddns.us
ipv4.windowsupdate.dnset.com
ipv4.windowsupdate.esmtp.biz
ipv4.windowsupdate.ezua.com
ipv4.windowsupdate.fartit.com
ipv4.windowsupdate.gettrials.com
ipv4.windowsupdate.itsaol.com
ipv4.windowsupdate.lflink.com
ipv4.windowsupdate.lflinkup.com
ipv4.windowsupdate.mrface.com
ipv4.windowsupdate.mylftv.com
ipv4.windowsupdate.nsatcdns.com
ipv4.windowsupdate.x24hr.com
ipv6microsoft.dlmix.ourdvs.com
itlans.isasecret.com
itunesdownload.jkub.com
itunesdownload.vizvaz.com
itunesdownload.wikaba.com
itunesimages.itemdb.com
itunesimages.itsaol.com
itunesimages.qpoe.com
itunesmirror.fartit.com
itunesmirror.itsaol.com
itunesmusic.ikwb.com
itunesmusic.jetos.com
itunesmusic.jkub.com
itunesmusic.zzux.com
itunesupdate.itsaol.com
itunesupdates.organiccrap.com
iw.mrslove.com
ixrayeye.com
james.tffghelth.com
janpan.bigmoney.biz
janpun.americanunfinished.com
jap.japanmusicinfo.com
japan.fuckanti.com
japan.linuxforover.com
japan.loveddos.com
japanenvnews.qpoe.com
japanfilmsite.ikwb.com
japanfst.japanteam.org
japanmusicinfo.com
japanteam.org
jcie.mofa.ns01.info
jepsen.r3u8.com
jica-go-jp.bike
jica-go-jp.biz
jimin-jp.biz
jimin.jimindaddy.com
jimin.mymom.info
jimindaddy.com
jimingroup.com
jimintokoy.com
jj.mysecondarydns.com
jmuroran.com
jp.rakutenmusic.com
jp.serveuser.com
jpcert.org
jpn.longmusic.com
jpnxzshopdata.authorizeddns.org
jpstarmarket.serveusers.com
kaka.lehigtapp.com
kawasaki.cloud-maste.com
kawasaki.unhamj.com
kennedy.tffghelth.com
key.zzux.com
kikimusic.sellclassics.com
kmd.crabdance.com
knowledge.sellclassics.com
ktgmktanxgvn.r3u8.com
kxsbwappupdate.dhcp.biz
kztmusiclnk.dnsrd.com
lan.dynssl.com
last.p6p6.net
latestnews.epac.to
latestnews.organiccrap.com
leedong.longmusic.com
lehigtapp.com
lennon.fftpoor.com
license.shenajou.com
lie.jetos.com
linuxforover.com
linuxsofta.com
lion.wchildress.com
lizard.poulsenv.com
logon-live.com
lottedfstravel.webbooting.com
loveddos.com
lzf550.r3u8.com
ma.vizvaz.com
mac.goldtoyota.com
mac.methoder.com
macfee.mrface.com
macforlinux.net
maffc.mrface.com
mail.architectisusa.com
mail.macforlinux.net
mailcarriage.co.uk
mailj.hostport9.net
mailserever.com
mailsserver.com
mailvserver.com
malcolm.fftpoor.com
malware.dsmtp.com
manager.architectisusa.com
manager.jetos.com
markabcinfo.dynamicdns.me.uk
martin.sellclassics.com
mason.vizvaz.com
mbaby.macforlinux.net
medexplor.thedomais.info
mediapath.organiccrap.com
meiji-ac-jp.com
mesjm.emailfound.info
message.emailfound.info
message.p6p6.net
messagea.emailfound.info
methoder.com
mf.ddns.info
microcnmlgb.3322.org
microdef.2288.org
microhome.wikaba.com
microsoft.got-game.org
microsoft.mrface.com
microsoftdownload.zzux.com
microsoftempowering.sendsmtp.com
microsoften.com
microsoftgame.mrface.com
microsoftgetstarted.sexidude.com
microsoftimages.organiccrap.com
microsoftmirror.mrbasic.com
microsoftmusic.itemdb.com
microsoftmusic.mrbasic.com
microsoftmusic.onedumb.com
microsoftqckmanager.pcanywhere.net
microsoftstore.jetos.com
microsoftstores.itemdb.com
microsoftupdate.mrbasic.com
microsoftupdate.qhigh.com
microsoftupdates.vizvaz.com
micrsoftware.dsmtp.com
mircsoft.compress.to
mivsee.website0012.net
mmofoojap.2288.org
mmy.ddns.us
mobile.2waky.com
mocha.100fanwen.com
mod.jetos.com
mofa-go-jp.com
mofa.dynamic-dns.net
mofa.ns01.info
mofa.strangled.net
mofaess.com
mongoles.3322.org
monkey.2012yearleft.com
moscowstdsupdate.toythieves.com
mrsloveaqx.mrslove.com
ms.ecc.u-tokyo-ac-jp.com
mseupdate.ourhobby.com
msg.ezua.com
msn.incloud-go.com
muller.exprenum.com
music.applemusic.itemdb.com
music.cleansite.us
music.websegoo.net
musicfile.ikwb.com
musicinfo.everydayfilmlink.com
musiclinker.jkub.com
musicsecph.squirly.info
mx.yetrula.eu
myie12.com
mymusicbox.lflinkup.org
mymusicbox.vizvaz.com
myphpwebsite.itsaol.com
myrestroomimage.isasecret.com
mytwhomeinst.sendsmtp.com
myurinikoreaaps.ninth.biz
na.americanunfinished.com
na.onmypc.org
nasa.xxuz.com
nec.website0012.net
news.100fanwen.com
newsdata.jkub.com
newsfile.toythieves.com
newsreport.justdied.com
newsroom.cleansite.info
nezwq.ezua.com
ngcc.8800.org
niushenghuo.info
nk10.belowto.com
nk20.belowto.com
nlddnsinfo.https443.org
nmrx.mrbonus.com
nn.dynssl.com
no.authorizeddns.org
node.mofaess.com
nodns2.qipian.org
nposnewsinfo.qhigh.com
ns1.belowto.com
ns1.tlchs2.ml
ns2.belowto.com
ns21.belowto.com
ns22.belowto.com
ns4.belowto.com
ns5.belowto.com
nsa.mefound.com
nsatcdns.com
nt.mynumber.org
nttdata.otzo.com
nunluck.re26.com
nz.compress.to
oipbl.com
ol.almostmy.com
oldbmwy.com
oms.sindeali.com
openmofa.8866.org
oracleupdate.dns04.com
osaka-jpgo.com
outlook.otzo.com
owlmedia.mefound.com
p6p6.net
peopleinfodata.3-a.net
phptecinfohelp.itemdb.com
pictures.everydayfilmlink.com
pj.qpoe.com
points.mofaess.com
polopurple.com
pop.architectisusa.com
pop.loveddos.com
portal.mrface.com
portal.sendsmtp.com
portalser.dynamic-dns.net
poulsenv.com
praskovya-matveyeva.mefound.com
praskovya-ulyanova.dumb1.com
premium.redforlinux.com
products.almostmy.com
products.cleansite.us
products.serveuser.com
program.acmetoy.com
prrmes4019.r3u8.com
purchase.lflinkup.org
q6.niushenghuo.info
qtsofta.com
quick.oldbmwy.com
r3u8.com
radiorig.com
rain.orctldl.windowsupdate.authorizeddns.us
rakutenmusic.com
rdns-4.infoproduto1.tk
re26.com
read.xxuz.com
recent.dns-stuff.com
recent.fartit.com
record.hostport9.net
record.webssl9.info
record.wschandler.com
redforlinux.com
referred.gr8domain.biz
referred.yourtrap.com
register.ourhobby.com
registration2.instanthq.com
registrations.4pu.com
registrations.organiccrap.com
reports.tomorrowforgood.com
reserveds.onedumb.com
resources.applemusic.itemdb.com
rethem.almostmy.com
rg197.win
rlbeiydn.hi.r3u8.com
saiyo.exprenum.com
sakai.unhamj.com
salvaiona.com
sappore.cloud-maste.com
sapporo.cloud-maste.com
sapporot.com
sat.suayay.com
saverd.re26.com
sbuudd.webssl9.info
sc.weboot.info
scholz-versand.com
scorpion.poulsenv.com
scrlk.exprenum.com
sdmsg.onmypc.org
se.toythieves.com
sea.websegoo.net
secertnews.mrbasic.com
secmicrosooo.6600.org
secnetshit.com
secserverupdate.toh.info
sell.mofaess.com
sema.linuxsofta.com
send.have8000.com
send.mofa.ns01.info
sendmsg.jumpingcrab.com
senseye.ikwb.com
senseye.mrbonus.com
septdlluckysystem.jungleheart.com
seraphim-yurieva.justdied.com
serv.justdied.com
server1.proxydns.com
seyesb.acmetoy.com
sha.25u.com
sha.ikwb.com
shenajou.com
shoppingcentre.station155.com
shrimp.usffunicef.com
shrimp.bdoncloud.com
shugiin.jkub.com
sindeali.com
singed.otzo.com
siteinit.info
sky.oldbmwy.com
sma.jimindaddy.com
smo.gadskysun.com
smtp.architectisusa.com
smtp.macforlinux.net
smtp230.toldweb.com
somthing.re26.com
sstday.jkub.com
start.usrobothome.com
station155.com
stevenlf.com
stone.jumpingcrab.com
style.u-tokyo-ac-jp.com
suayay.com
suibian2010.info
support1.mrface.com
supportus.mefound.com
suzukigooogle.8866.org
svc.dynssl.com
synssl.dnset.com
sz.thedomais.info
taipei.yourtrap.com
taipeifoodsite.ocry.com
tamraj.fartit.com
telegraph.mefound.com
test.usyahooapis.com
tfa.longmusic.com
tffghelth.com
thedomais.info
ticket.instanthq.com
ticket.jetos.com
ticket.serveuser.com
tidatacenter.shenajou.com
tisdatacenter.shenajou.com
tisupdateinfo.faqserv.com
tokyo-gojp.com
tokyofile.2waky.com
tomorrowforgood.com
tophost.dynamicdns.co.uk
toshste.com
toya.7766.org
transfer.lflinkup.org
transfer.mrbasic.com
transfer.vizvaz.com
trasul.mypicture.info
travelyokogawafz.fartit.com
trendmicroupdate.shenajou.com
trendsecurity.shenajou.com
trout.belowto.com
tv.goldtoyota.com
tw.2012yearleft.com
twmusic.proxydns.com
twpeoplemusicsite.my03.com
twtravelinfomation.toythieves.com
twx.mynumber.org
tyoto-go-jp.com
u-tokyo-ac-jp.com
u1.fartit.com
u1.haoyujd.info
ubuntusofta.com
ugreen.itemdb.com
ui.hdcdui.com
uk.dynamicdns.org.uk
ukuoka.cloud-maste.com
ultimedia.vmmini.com
un.ddns.info
un.dnsrd.com
unhamj.com
update.yourtrap.com
updatemirrors.fartit.com
updates.itsaol.com
ups.improvejpese.com
urearapetsu.com
usa.got-game.org
usa.itsaol.com
usa.japanteam.org
usffunicef.com
usmirocomney.net
usrobothome.com
usyahooapis.com
uu.logon-live.com
uu.niushenghuo.info
ux.niushenghuo.info
v4.appledownload.ourhobby.com
v4.itunesmusic.jkub.com
v4.microsoftmusic.onedumb.com
v4.microsoftupdate.mrbasic.com
v4.windowsupdate.dedgesuite.net
v4.windowsupdate.authorizeddns.org
v4.windowsupdate.dnset.com
v4.windowsupdate.itsaol.com
v4.windowsupdate.lflinkup.com
v4.windowsupdate.mrface.com
v4.windowsupdate.nsatcdns.com
v4.windowsupdate.x24hr.com
v4.windowsupdates.dnsrd.com
veryhuai.info
video.vmdnsup.org
vmdnsup.org
vmmini.com
vmyiersend.websago.info
vmyisan.website0012.net
vscue.com
wchildress.com
wcwname.com
wcxh.mynetav.net
wdsupdates.com
webbooting.com
webdirectnews.dynamicdns.biz
webinfoseco.ygto.com
webmailentry.jetos.com
weboot.info
websago.info
websegoo.net
website0012.net
websiteboo.website0012.net
websqlnewsmanager.ninth.biz
webssl9.info
well.itsaol.com
well.mrbasic.com
whale.toshste.com
whellbuy.wschandler.com
whyis.haoyujd.info
wike.wikaba.com
windowfile.itemdb.com
windowsimages.itemdb.com
windowsimages.qhigh.com
windowsmirrors.vizvaz.com
windowsstores.gettrials.com
windowsstores.organiccrap.com
windowsupdate.2waky.com
windowsupdate.3-a.net
windowsupdate.acmetoy.com
windowsupdate.authorizeddns.net
windowsupdate.authorizeddns.org
windowsupdate.authorizeddns.us
windowsupdate.com.mwcname.com
windowsupdate.dedgesuite.net
windowsupdate.dns05.com
windowsupdate.dnset.com
windowsupdate.esmtp.biz
windowsupdate.ezua.com
windowsupdate.fartit.com
windowsupdate.gettrials.com
windowsupdate.instanthq.com
windowsupdate.itsaol.com
windowsupdate.jungleheart.com
windowsupdate.lflink.com
windowsupdate.mrface.com
windowsupdate.mylftv.com
windowsupdate.nsatcdns.com
windowsupdate.organiccrap.com
windowsupdate.rebatesrule.net
windowsupdate.sellclassics.com
windowsupdate.serveusers.com
windowsupdate.vizvaz.com
windowsupdate.wcwname.com
windowsupdate.x24hr.com
windowsupdate.ygto.com
windowsupdates.dnset.com
windowsupdates.ezua.com
windowsupdates.ikwb.com
windowsupdates.itemdb.com
windowsupdates.proxydns.com
workerisgood.com
woyaofanwen.com
wschandler.com
wthelpdesk.com
wubangtu.info
www-meti-go-jp.tyoto-go-jp.com
www.2014.zzux.com
www.97sm.com
www.9gowg.tech
www.abdominal.faqserv.com
www.additional.sexidude.com
www.afc.https443.org
www.androidmusicapp.onmypc.us
www.announcements.toythieves.com
www.anx-own-334.mrbasic.com
www.apple.ikwb.com
www.appledownload.ourhobby.com
www.appleimages.itemdb.com
www.appleimages.longmusic.com
www.appleimages.organiccrap.com
www.applejuice.itemdb.com
www.applemirror.organiccrap.com
www.applemirror.squirly.info
www.applemusic.isasecret.com
www.applemusic.itemdb.com
www.applemusic.wikaba.com
www.applemusic.xxuz.com
www.applemusic.zzux.com
www.appleupdate.itemdb.com
www.appleupdateurl.2waky.com
www.architectisusa.com
www.army.xxuz.com
www.art.p6p6.net
www.asfzx.x24hr.com
www.availab.wikaba.com
www.availability.justdied.com
www.babymusicsitetr.mymom.info
www.back.jungleheart.com
www.balance1.wikaba.com
www.be.mrslove.com
www.belowto.com
www.billing.organiccrap.com
www.blaaaaaaaaaaaa.windowsupdate.3-a.net
www.brand.fartit.com
www.bulletproof.squirly.info
www.cabbage.iownyour.biz
www.ccupdatedata.authorizeddns.net
www.cdn.incloud-go.com
www.center.shenajou.com
www.chaindungeons.com
www.cia.ezua.com
www.cia.toh.info
www.civilwar123.authorizeddns.org
www.civilwar520.onmypc.org
www.cloud-maste.com
www.cnnews.mylftv.com
www.commissioner.shenajou.com
www.commons.onedumb.com
www.contractus.qpoe.com
www.corp-dnsonline.itsaol.com
www.courier.jetos.com
www.cress.mynetav.net
www.ctdl.windowsupdate.nsatcdns.com
www.ctldl.microsoftupdate.qhigh.com
www.ctldl.windowsupdate.authorizeddns.us
www.ctldl.windowsupdate.esmtp.biz
www.ctldl.windowsupdate.mrface.com
www.cwiinatonal.com
www.dasoftactivemodule.toythieves.com
www.dasonews.youdontcare.com
www.daughter.vizvaz.com
www.de.onmypc.info
www.details.squirly.info
www.development.shenajou.com
www.devilcase.acmetoy.com
www.disruptive.https443.net
www.dns-hinettw.25u.com
www.document.shenajou.com
www.domainnow.yourtrap.com
www.download.windowsupdate.nsatcdns.com
www.ea.onmypc.info
www.eddo.qpoe.com
www.ehshiroshima.mylftv.com
www.eric-averyanov.wha.la
www.eu.acmetoy.com
www.eu.wha.la
www.express.lflinkup.com
www.extraordinary.dynamic-dns.net
www.f068v.site
www.facefile.fartit.com
www.fertile.authorizeddns.net
www.file.zzux.com
www.findme.epac.to
www.fire.mrface.com
www.firstnews.jkub.com
www.fjs.wikaba.com
www.foal.wchildress.com
www.fr.wikaba.com
www.freegamecenter.onedumb.com
www.fruit.qhigh.com
www.fuck.ikwb.com
www.fuckmm.dns-dns.com
www.fukuoka.cloud-maste.com
www.g3ypf.online
www.garlic.dyndns.pro
www.generat.almostmy.com
www.glicense.shenajou.com
www.goldtoyota.com
www.goodmusic.justdied.com
www.gooesdataios.instanthq.com
www.grammar.jkub.com
www.helpus.ddns.info
www.hii.qhigh.com
www.hinetonlinedns.dns05.com
www.incloud-go.com
www.innocent-isayev.sexidude.com
www.interpreter.shenajou.com
www.invoices.sexxxy.biz
www.iphone.vizvaz.com
www.ipv4.microsoftupdate.mrbasic.com
www.ipv4.windowsupdate.3-a.net
www.ipv4.windowsupdate.esmtp.biz
www.ipv4.windowsupdate.fartit.com
www.ipv4.windowsupdate.lflink.com
www.ipv4.windowsupdate.mrface.com
www.ipv4.windowsupdate.mylftv.com
www.ipv4.windowsupdate.nsatcdns.com
www.itlans.isasecret.com
www.itunesdownload.jkub.com
www.itunesdownload.vizvaz.com
www.itunesdownload.wikaba.com
www.itunesimages.itemdb.com
www.itunesimages.itsaol.com
www.itunesimages.qpoe.com
www.itunesmirror.fartit.com
www.itunesmirror.itsaol.com
www.itunesmusic.ikwb.com
www.itunesmusic.jetos.com
www.itunesmusic.jkub.com
www.itunesmusic.zzux.com
www.itunesupdate.itsaol.com
www.itunesupdates.organiccrap.com
www.japanenvnews.qpoe.com
www.jd978.com
www.jimin.jimindaddy.com
www.jimin.mymom.info
www.jp.serveuser.com
www.jpnappstore.ourhobby.com
www.jpnewslogs.sendsmtp.com
www.jpnxzshopdata.authorizeddns.org
www.kawasaki.cloud-maste.com
www.kawasaki.unhamj.com
www.key.zzux.com
www.knowledge.sellclassics.com
www.lan.dynssl.com
www.last.p6p6.net
www.latestnews.epac.to
www.latestnews.organiccrap.com
www.leedong.longmusic.com
www.leeks.mrbonus.com
www.liberty.acmetoy.com
www.license.shenajou.com
www.lion.wchildress.com
www.loveddos.com
www.macfee.mrface.com
www.macforlinux.net
www.maffc.mrface.com
www.malware.dsmtp.com
www.manager.jetos.com
www.markabcinfo.dynamicdns.me.uk
www.mason.vizvaz.com
www.mediapath.organiccrap.com
www.meiji-ac-jp.com
www.messagea.emailfound.info
www.microsoft.got-game.org
www.microsoft.mrface.com
www.microsoftempowering.sendsmtp.com
www.microsoftgame.mrface.com
www.microsoftgetstarted.sexidude.com
www.microsoftimages.organiccrap.com
www.microsoftmirror.mrbasic.com
www.microsoftmusic.itemdb.com
www.microsoftmusic.mrbasic.com
www.microsoftqckmanager.pcanywhere.net
www.microsoftupdate.mrbasic.com
www.microsoftupdate.qhigh.com
www.micrsoftware.dsmtp.com
www.mircsoft.compress.to
www.mmy.ddns.us
www.mod.jetos.com
www.mofa.dynamic-dns.net
www.mofa.ns01.info
www.moonnightthse.zyns.com
www.moscowdic.trickip.org
www.moscowstdsupdate.toythieves.com
www.mseupdate.ourhobby.com
www.msg.ezua.com
www.msn.incloud-go.com
www.musicfile.ikwb.com
www.musicjj.zzux.com
www.musicsecph.squirly.info
www.mymusicbox.lflinkup.org
www.mymusicbox.vizvaz.com
www.myrestroomimage.isasecret.com
www.mytwhomeinst.sendsmtp.com
www.myurinikoreaaps.ninth.biz
www.na.americanunfinished.com
www.na.onmypc.org
www.networkjpnzee.mynetav.org
www.newcityoforward.rebatesrule.net
www.newdnssec-info.4mydomain.com
www.newsdata.jkub.com
www.newsfile.toythieves.com
www.newsroom.cleansite.info
www.nlddnsinfo.https443.org
www.no.authorizeddns.org
www.nposnewsinfo.qhigh.com
www.nsa.mefound.com
www.nt.mynumber.org
www.nttdata.otzo.com
www.nuisance.serveusers.com
www.nz.compress.to
www.ol.almostmy.com
www.oldbmwy.com
www.onion.jkub.com
www.onlinednsserver.sendsmtp.com
www.oracleupdate.dns04.com
www.oyster.jkub.com
www.p6p6.net
www.packetsdsquery.dns05.com
www.pepper.sexxxy.biz
www.phptecinfohelp.itemdb.com
www.pickled.myddns.com
www.polopurple.com
www.portal.mrface.com
www.portal.sendsmtp.com
www.portalser.dynamic-dns.net
www.praskovya-matveyeva.mefound.com
www.praskovya-ulyanova.dumb1.com
www.products.almostmy.com
www.products.cleansite.us
www.products.serveuser.com
www.purchase.lflinkup.org
www.rainbow.mypop3.org
www.re26.com
www.read.xxuz.com
www.recent.dns-stuff.com
www.recent.fartit.com
www.redflower.isasecret.com
www.referred.gr8domain.biz
www.referred.yourtrap.com
www.register.ourhobby.com
www.registration2.instanthq.com
www.registrations.4pu.com
www.registrations.organiccrap.com
www.remeberdata.iownyour.org
www.reserveds.onedumb.com
www.rethem.almostmy.com
www.rg197.win
www.sakai.unhamj.com
www.sapporo.cloud-maste.com
www.sauerkraut.sellclassics.com
www.saverd.re26.com
www.sbuudd.webssl9.info
www.sdmsg.onmypc.org
www.se.toythieves.com
www.secertnews.mrbasic.com
www.secnetshit.com
www.secserverupdate.toh.info
www.senseye.ikwb.com
www.senseye.mrbonus.com
www.septdlluckysystem.jungleheart.com
www.seraphim-yurieva.justdied.com
www.serv.justdied.com
www.server1.proxydns.com
www.seyesb.acmetoy.com
www.showy.almostmy.com
www.shugiin.jkub.com
www.sindeali.com
www.singed.otzo.com
www.sojourner.mypicture.info
www.sstday.jkub.com
www.support1.mrface.com
www.supportus.mefound.com
www.svc.dynssl.com
www.sweetheart.sexxxy.biz
www.synssl.dnset.com
www.tamraj.fartit.com
www.telegraph.mefound.com
www.tfa.longmusic.com
www.thunder.wikaba.com
www.ticket.instanthq.com
www.ticket.serveuser.com
www.tisupdateinfo.faqserv.com
www.tokyofile.2waky.com
www.tophost.dynamicdns.co.uk
www.transfer.lflinkup.org
www.transfer.mrbasic.com
www.transfer.vizvaz.com
www.twgovernmentinfo.acmetoy.com
www.twsslpopservupro.dynssl.com
www.ugreen.itemdb.com
www.uk.dynamicdns.org.uk
www.un.ddns.info
www.un.dnsrd.com
www.unhamj.com
www.usa.itsaol.com
www.usffunicef.com
www.usliveupdateonline.ygto.com
www.ut-portal-u-tokyo-ac-jp.tyoto-go-jp.com
www.v4.windowsupdate.mrface.com
www.v4.windowsupdate.nsatcdns.com
www.vmmini.com
www.wchildress.com
www.webdirectnews.dynamicdns.biz
www.webmailentry.jetos.com
www.websqlnewsmanager.ninth.biz
www.well.itsaol.com
www.well.mrbasic.com
www.windowfile.itemdb.com
www.windowsimages.itemdb.com
www.windowsimages.qhigh.com
www.windowsmirrors.vizvaz.com
www.windowsupdate.2waky.com
www.windowsupdate.3-a.net
www.windowsupdate.acmetoy.com
www.windowsupdate.authorizeddns.net
www.windowsupdate.authorizeddns.org
www.windowsupdate.authorizeddns.us
www.windowsupdate.dns05.com
www.windowsupdate.dnset.com
www.windowsupdate.esmtp.biz
www.windowsupdate.ezua.com
www.windowsupdate.fartit.com
www.windowsupdate.gettrials.com
www.windowsupdate.instanthq.com
www.windowsupdate.itsaol.com
www.windowsupdate.jungleheart.com
www.windowsupdate.lflink.com
www.windowsupdate.mrface.com
www.windowsupdate.mylftv.com
www.windowsupdate.nsatcdns.com
www.windowsupdate.organiccrap.com
www.windowsupdate.rebatesrule.net
www.windowsupdate.sellclassics.com
www.windowsupdate.serveusers.com
www.windowsupdate.x24hr.com
www.yahoo.incloud-go.com
www.yandexr.sellclassics.com
www.yeahyeahyeahs.3322.org
www.yokohamajpinstaz.mrbonus.com
www.zaigawebinfo.rebatesrule.net
www.zebra.incloud-go.com
www2.qpoe.com
www2.zyns.com
www2.zzux.com
x7.usyahooapis.com
xi.dyndns.pro
xi.sexxxy.biz
xread10821.9966.org
xsince.tk
xt.dnset.com
xyrn998754.2288.org
yahoo.incloud-go.com
yallago.cu.cc
yandexr.sellclassics.com
yeahyeahyeahs.3322.org
yeap1.jumpingcrab.com
yfrfyhf.youdontcare.com
yo.acmetoy.com
za.myftp.info
zabbix.servercontrols.pw
zaigawebinfo.rebatesrule.net
zccw.cc
zebra.usffunicef.com
zebra.bdoncloud.com
zebra.incloud-go.com
zebra.unhamj.com
zebra.wthelpdesk.com
zero.pcanywhere.net
zg.ns02.biz
zone.demoones.com

# Reference: https://brica.de/alerts/alert/public/1214983/apt10-using-cobalt-strike-confirm-new-attack-with-apt-attacker-group-menupass-apt10/
# Reference: https://otx.alienvault.com/pulse/5b02d669f283a83d0cc4e7b5

jadl-or.com

# Reference: https://unit42.paloaltonetworks.com/menupass-playbook-and-iocs/

belowto.com
keyscratch.com

# Reference: https://otx.alienvault.com/pulse/5ce7e40de8145f2cd9272a4e
# Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10

caibi379.com
kaspresksy.com
miscrosofts.com
microsofts.org
tencentchat.net

# Reference: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
# Reference: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
# Reference: https://otx.alienvault.com/pulse/5d120d47d09d67b4d8dc5241

asyspy256.ddns.net
cvdfhjh1231.ddns.net
cvdfhjh1231.myftp.biz
cvdfhjh12311.ddns.net
dffwescwer4325.myftp.biz
hotkillmail9sddcc.ddns.net
rosaf112.ddns.net
sz2016rose.ddns.net

# Reference: https://github.com/pan-unit42/iocs/blob/master/menuPass

1j.www1.biz
2014.zzux.com
abcd100621.3322.org
abcd120719.6600.org
algorithm.ddnsgeek.com
amsidgoo.thedomais.info
aotuo.9966.org
app.lehigtapp.com
apple.cmdnetview.com
apple.ikwb.com
applelib120102.9966.org
area.wthelpdesk.com
arkouowi.com
army.xxuz.com
art.p6p6.net
av.ddns.us
baby.macforlinux.net
babyprintf.2288.org
bak.have8000.com
bak.ignorelist.com
be.yourtrap.com
belowto.com
bk56.twilightparadox.com
bulk.tmpxctl.com
cao.p6p6.net
ccfchrist.com
cia.toh.info
cloud-maste.com
cmdnetview.com
contacts.rvenee.com
cpu.4pu.com
creatos.kozow.com
cvnx.zyns.com
davidgagnon.org
dedydns.ns01.us
diamond.ninth.biz
dick.ccfchrist.com
document.methoder.com
domain.casacam.net
drives.methoder.com
ducksow.ddnsgeek.com
emailfound.info
fbi.sexxxy.biz
firefoxcomt.arkouowi.com
firtstdata.kozow.com
fiveavmersi.websegoo.net
forward.davidgagnon.org
friendlysupport.giize.com
fuckanti.com
fukuoka.cloud-maste.com
gadskysun.com
gold.polopurple.com
goldtoyota.com
google.macforlinux.net
google.usrobothome.com
grandeur.kozow.com
have8000.com
herring.kozow.com
hk.cmdnetview.com
hk.have8000.com
hostport9.net
idpmus.hostport9.net
im.suibian2010.info
img.microtoo.info
info.uroljp.com
inspgon.re26.com
iphone.vizvaz.com
iu.niushenghuo.info
jadl-or.com
janpan.bigmoney.biz
japan.fuckanti.com
jepsen.r3u8.com
jimin.jimindaddy.com
jimindaddy.com
jpn.longmusic.com
js001.3322.org
kawasaki.cloud-maste.com
kawasaki.unhamj.com
keyscratch.com
kmd.crabdance.com
last.p6p6.net
lehigtapp.com
lion.wchildress.com
macforlinux.net
mailj.hostport9.net
malware.DSMTP.COM
meibubaker.3322.org
messagea.emailfound.info
microcnmlgb.3322.org
microtoo.info
music.websegoo.net
nttdata.otzo.com
nunluck.re26.com
oldbmwy.com
p6p6.net
polopurple.com
poulsenv.com
quick.oldbmwy.com
r3u8.com
radiorig.com
re26.com
record.hostport9.net
record.wschandler.com
resource.arkouowi.com
rvenee.com
sakai.unhamj.com
sbuudd.webssl9.info
scorpion.poulsenv.com
sdmsg.onmypc.org
send.have8000.com
send.mofa.ns01.info
sendmsg.jumpingcrab.com
services.arkouowi.com
sh.chromeenter.com
sky.oldbmwy.com
smo.gadskysun.com
sstday.Jkub.com
sstday.jkub.com
start.usrobothome.com
stone.jumpingcrab.com
suibian2010.info
support1.mrface.com
synssl.dnset.com
sz.thedomais.info
taipei.yourtrap.com
thedomais.info
tmpxctl.com
trasul.myPicture.info
trems.rvenee.com
tv.goldtoyota.com
un.dnsrd.com
unhamj.com
unspa.hostport9.net
uroljp.com
usa.radiorig.com
usrobothome.com
video.vmdnsup.org
vm.vmdnsup.org
vmyiersend.websago.info
voov.2288.org
wchildress.com
web.casacam.net
websago.info
websegoo.net
webssl9.info
weile3322a.3322.org
weile3322b.3322.org
whellbuy.wschandler.com
wike.wikaba.com
wschandler.com
wthelpdesk.com
yz.chromeenter.com
zebra.wthelpdesk.com
zone.usrobothome.com

# Reference: https://twitter.com/Vishnyak0v/status/1239908264831311872
# Reference: https://twitter.com/Vishnyak0v/status/1239908305117552644
# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/shadowpad-novaya-aktivnost-gruppirovki-winnti/ (# Related Domains chapter)

g00gle_jp.dynamic-dns.net
g00gle_kr.dns05.com
g00gle_mn.dynamic-dns.net
g0ogle_mn.dynamic-dns.net
oseupdate.dns-dns.com
yandex2unitedstated.dns05.com
yandex2unitedstated.dynamic-dns.net

# Reference: https://twitter.com/KorbenD_Intel/status/1243668874102321152
# Reference: https://otx.alienvault.com/indicator/ip/185.117.88.80

185.117.88.80:8088

# Reference: https://app.any.run/tasks/875fe058-ade2-4d26-86fc-411417e33dff/

zebra.wthelpdesk.com

# Reference: http://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf
# Reference: https://otx.alienvault.com/pulse/601832343e90a9658287a666/

rare-coisns.com

# Reference: https://unit42.paloaltonetworks.com/pingpull-gallium/
# Reference: https://www.virustotal.com/gui/file/861abfc3ca4e8b450afdc33af689219505ad9bb9fbc6f4b6ed9c3c036e25cbda/detection

61.221.66.85:8080
hinitial.com
micfkbeljacob.com
df.micfkbeljacob.com
jack.micfkbeljacob.com
goodjob36.publicvm.com
goodluck23.jp.us
helpinfo.publicvm.com
mailedc.publicvm.com
t1.hinitial.com
v2.hinitial.com
v3.hinitial.com
v4.hinitial.com
v5.hinitial.com

# Reference: https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/

cargobussiness.site
defineyourid.site
grandfoodtony.com
kankuedu.org
musicweb.xyz
obj.services
videocenter.org
documents.kankuedu.org
houwags.defineyourid.site
live.musicweb.xyz
noub.crabdance.com
obo.videocenter.org
order.cargobussiness.site
tech.obj.services

# Reference: https://unit42.paloaltonetworks.com/alloy-taurus/
# Reference: https://www.virustotal.com/gui/file/5ba043c074818fdd06ae1d3939ddfe7d3d35bab5d53445bc1f2f689859a87507/detection
# Reference: https://www.virustotal.com/gui/file/cb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae/detection

204.79.197.200:8443
5.181.25.99:8443
saspecialforces.co.za
vpn729380678.softether.net
yrhsywu2009.zapto.org

# Reference: https://twitter.com/malwrhunterteam/status/1659534793124593665
# Reference: https://www.virustotal.com/gui/file/70c4600d6920dadc1899603b131119427784fcd83d04da5c886bcad5a7af913b/detection

info.publicvm.com

# Reference: https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/
# Reference: https://otx.alienvault.com/pulse/651aca1636127242b4dd6af9

cdn-sina.twы
images.cdn-sina.tw
shell.cdn-sina.tw