# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: TEMP.Zagros, Static Kitten, Seedworm, MERCURY, COBALT ULSTER (# https://malpedia.caad.fkie.fraunhofer.de/actor/muddywater) # Reference: https://securelist.com/muddywater/88059/ adibf.ae/wp-includes/js/main.php benangin.com/wp-includes/widgets/main.php ektamservis.com/includes/main.php gtme.ae/font-awesome/css/main.php hubinasia.com/wp-includes/widgets/main.php www.adfg.ae/wp-includes/widgets/main.php www.cankayasrc.com/style/js/main.php # Reference: https://fortiguard.com/resources/threat-brief/2018/10/12/fortiguard-threat-intelligence-brief-october-12-2018 alibabacloud.dynamic-dns.net alibabacloud.wikaba.com alibabacloud.zzux.com microsoftofice.zyns.com microword.itemdb.com moffice.mrface.com muonline.dns04.com office.otzo.com offlce.dnset.com online.ezua.com muhacirder.com muteciyar.info # Reference: https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/ 3cbc.net/dropbox/icon.icon pazazta.com/app/icon.png ohe.ie/cli/icon.png ohe.ie/cp/icon.png andreabelfi.com/main.php andreasiegl.com/main.php andresocana.com/main.php amorenvena.com/main.php amphira.com/main.php amphibiblechurch.com/main.php # Reference: https://twitter.com/360TIC/status/1108616188173520896 # Reference: https://otx.alienvault.com/pulse/5c939fbb22017040b7e47be4/ /serverScript/clientFrontLine/getCommand.php /serverScript/clientFrontLine/helloServer.php /serverScript/clientFrontLine/setCommandResult.php # Reference: https://twitter.com/360TIC/status/1081080752438009856 getgooogle.hopto.org shopcloths.ddns.net # Reference: https://twitter.com/blackorbird/status/1072314411849797632 # Reference: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group # Reference: https://twitter.com/blackorbird/status/1070911385368809472 ankara24saatacikcicekci.com # Reference: https://twitter.com/HONKONE_K/status/1115513990594084864 tfu.ae/readme.txt # Reference: https://otx.alienvault.com/pulse/5caf93777439561cb57d0e2c googleads.hopto.org orbe-fzc.com # Reference: https://research.checkpoint.com/the-muddy-waters-of-apt-attacks/ http://185.117.75.116/tmp.php # Reference: https://twitter.com/VK_Intel/status/1117673303332667392 http://185.162.235.182 # Reference: https://otx.alienvault.com/pulse/5cb4b3944f62ba0873339ee1 46.105.84.146:443 # Reference: https://twitter.com/HONKONE_K/status/1118406086925504512 # Reference: https://twitter.com/360TIC/status/1118430258451976192 plet.dk/css/ 134.19.215.3:443 # Reference: https://twitter.com/ClearskySec/status/1118511605359304705 # Reference: https://app.any.run/tasks/17706fbe-8ac5-45df-b489-c766514cbe0a # Reference: https://twitter.com/Arkbird_SOLG/status/1133472942661263362 http://185.185.25.175 # Reference: https://securelist.com/muddywaters-arsenal/90659/ 78.129.222.56:8090 # LisfonService RAT 192.64.86.174:8980 # Python RAT 104.237.233.38:8085 # SSH Python script 104.237.233.40:7070 # Other stuff 78.129.139.134:8080 # Reference: https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html # Reference: https://otx.alienvault.com/pulse/5ce2c36a67a0d63bbf18b120 136.243.87.112:3000 http://38.132.99.167/crf.txt /serverScript/clientFrontLine/ /bcerrxy.php # Reference: https://habr.com/ru/company/group-ib/blog/452540/ (Russian) # Reference: https://app.any.run/tasks/04393751-072b-4753-9ab7-5dab2881dc1c/ gladiyator.tk # Reference: https://twitter.com/Timele9527/status/1134291981176152064 http://185.244.149.218 # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/ # Reference: https://otx.alienvault.com/pulse/5cfe6b9d0ecf65e404ef4f85 amazo0n.serveftp.com shareliverpoolfc.co.uk shopcloths.ddns.net zstoreshoping.ddns.net # Reference: https://twitter.com/Timele9527/status/1138694954140594176 http://185.82.202.240 # Reference: https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf 104.237.233.38:1022 104.237.233.38:8080 104.237.233.40:8443 104.237.233.38:8080 104.237.255.212:443 78.129.139.134:8864 88.99.17.148:443 ciscoupdate2019.gotdns.ch getgooogle.hopto.org googleads.hopto.org latvia-usa.org/wp-includes/customize/main.php valis-ti.cl/assets/main.php # Reference: https://twitter.com/HONKONE_K/status/1144438589230419968 http://104.237.255.195 http://91.132.139.196 # Reference: https://twitter.com/0xffff0800/status/1145408553479483392 iec56w4ibovnb4wc.onion # Reference: https://twitter.com/Rmy_Reserve/status/1146388355162050561 # Reference: https://mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg http://185.141.27.14 http://185.185.25.175 http://185.244.149.218 http://185.82.202.240 http://83.171.238.62 /ls.php?TOKEN=Pomy /trjjmfnnv.php /ttryeJte76.php # Reference: https://twitter.com/RedDrip7/status/1115873829035835392 # Reference: https://twitter.com/RedDrip7/status/1108617989308309504 46.105.84.146:80 94.23.148.194:80 # Reference: https://twitter.com/blackorbird/status/1156778469960769536 http://46.166.176.242/main.php instmech.uz/meryem.php # Reference: https://twitter.com/Timele9527/status/1156762307965231104 http://89.33.246.82 # Reference: https://twitter.com/Rmy_Reserve/status/1170187955412992000 # Reference: https://app.any.run/tasks/150759b8-44c7-4fa8-b518-4e2562964663/ http://graphixo.net/wp-includes/utf8.php # Reference: https://twitter.com/cyb3rops/status/1184759564656402432 # Reference: https://app.any.run/tasks/46cc133c-f3c6-4834-b139-0020ebed1c1e/ assignmenthelptoday.com # Reference: https://twitter.com/HONKONE_K/status/1115117276565360641 cms.qa # Reference: https://otx.alienvault.com/pulse/5dd691c33a60512b0675ee35 annapolisfirstlimo.com/editob.nvd assignmenthelptoday.com/wp-includes/utf8.php graphixo.net/wp-includes/utf8.php ksahosting.net/wp-includes/utf8.php # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1198400038629781505 ampacindustries.com # Reference: https://blog.prevailion.com/2020/01/summer-mirage.html # Reference: https://otx.alienvault.com/pulse/5e1747ff614f5a153bbc1c08 accesemailaccount.tk accounts-login.ga accounts-login.gq accountslogin.ga apikeyallervice.business apikeyallervice.com login-accounts.gq login-dc2-verifyaccounts.ga login-dc2-verifyaccounts.tk login-secure-account.cf login-secure-account.gq login-secure-account.ml loginaccounts.cf logind2-secure.tk reauth92-services.sytes.net roadtosultan1.org secure-login-accounts.gq service0auht-center.ddns.net signin-secure.tk # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1218958514124722176 advanceorthocenter.com/wp-includes/editor.php # Reference: https://app.any.run/tasks/733ad416-1e4d-455f-9236-b8cf2196f18b/ http://lalindustries.com/wp-content/upgrade/editor.php # Reference: https://twitter.com/r00tten/status/1219900503032811520 foura.biz/js/elevatezoom-master/editor.php # Reference: https://twitter.com/blackorbird/status/1248103015862525953 # Reference: https://docs.google.com/document/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub http://185.24.233.19 robusted1020.chickenkiller.com # Reference: https://twitter.com/xiaocaiccc/status/1249586935275778048 # Reference: https://www.virustotal.com/gui/file/bf696397784b22f8e891dd0627dce731f288d14d4791ac5d0a906bc1cbe10de6/detection 1nationnews.com/wp-admin/includes/wp-config-ini.php 24newstube.com/wp-config-ini.php 2mseng.com/wp-config-ini.php 3axis.co/wp-admin/includes/wp-config-ini.php 3darch.net/modules/wp-config-ini.php 92pizza.pk/wp-content/plugins/wp-config-ini.php 9newshd.com/wp-config-ini.php aahung.org/assets/wp-config-ini.php aboutbodybuildingworkout.com/wp-config-ini.php aboutduvetcovers.com/Seller/wp-config-ini.php addictdkp.com/wp-config-ini.php advcadsys.com/wp-config-ini.php afikapower.com/wp-config-ini.php afikaquadpro.com/wp-config-ini.php afrogeo.com/wp-config-ini.php ahsanfarooqui.xyz/wp/wp-config-ini.php ahsfoundation.co.uk/wp-config-ini.php ahworld.com.pk/wp-config-ini.php aimalproduction.com/wp-admin/wp-config-ini.php aimsagro.com/wp-admin/includes/wp-config-ini.php aimswelfare.org/wp-admin/includes/wp-config-ini.php albedogida.com/Eski_web/wp-config-ini.php alessioborzuola.com/downloads/wp-config-ini.php allsporthealthandfitness.com/wp-config-ini.php almaqsd.com/wp-includes/wp-config-ini.php amazingtour.pk/wp-config-ini.php ancoeng.co.za/wp-config-ini.php andrebruton.com/wp-config-ini.php andrew-snyder.net/TemplateData/wp-config-ini.php anubandh.in/wp-config-ini.php arabelaholdings.com/wp-config-ini.php aresebetseng.co.za/wp-config-ini.php astrumtechnologies.co.za/templates/wp-config-ini.php azadpattanhpp.com/wp-config-ini.php balaateen.co.za/less/wp-config-ini.php bartabee.com/wp-config-ini.php batthiqbal.com/sagenda/webroot/wp-config-ini.php bestencouragementwords.com/wp-config-ini.php bhg-tech.com/wp-config-ini.php bhsmusic.net/wp-config-ini.php biglickentertainment.com/wp-config-ini.php biljum.com/wp/wp-includes/wp-config-ini.php billielaw.com/wp-config-ini.php biondi.co/wp-config-ini.php bitsym.com/wp-content/plugins/duplicate-page/wp-config-ini.php bitteeth.com/docbank/wp-config-ini.php blackgoldoilserv.com/wp-config-ini.php blackstar.com.pk/wp-includes/wp-config-ini.php blackwolfco.com/wp-config-ini.php blattoamsterdam.com/wp-config-ini.php bluefor.com/magento/wp-config-ini.php blushagency.com/wp-config-ini.php bmasokaprojects.co.za/wp-config-ini.php bntlaminates.com/wp-config-ini.php boardaffairs.com/wp-config-ini.php breathehope4maira.com/wp-config-ini.php bridgepakistan.org/wp-config-ini.php britishofficefitout.com/wp-config-ini.php broadstone.com.pk/wp-config-ini.php buhlebayoacademy.com/wp-config-ini.php burgeystikihut.com/wp-config-ini.php burlesonlelas.com/wp-config-ini.php buttarandbuttars.com/wp-config-ini.php buzzfeedhealth.com/wp-config-ini.php cafeliquiteria.pk/wp-config-ini.php cafeperrin.com/wp-config-ini.php cazochem.co.za/cazochem/wp-config-ini.php cemsolutions.org/wp-config-ini.php centuriongsd.co.za/wp-config-ini.php centuryacademy.co.za/css/wp-config-ini.php chrishanicdc.org/wpimages/wp-config-ini.php constructionsolutions.info/wp-includes/wp-config-ini.php cosmeticsurgeryisb.pk/wp-includes/wp-config-ini.php coverpixs.com/wp-config-ini.php craigslistadsposting.com/wp-includes/wp-config-ini.php createch.solutions/wp-includes/wp-config-ini.php creativenex.com/wp-includes/wp-config-ini.php creativetiers.com/wp-config-ini.php crystaltidings.co.za/wp-config-ini.php cybercraft.biz/dist/wp-config-ini.php debnoch.com/image/wp-config-ini.php diegemmerkat.co.za/wp-config-ini.php duotonedigital.co.za/wp-config-ini.php ecs-consult.com/wp-config-ini.php edgeforensic.co.za/wp-config-ini.php elemech.com.pk/wp-config-ini.php evansmokaba.com/evansmokaba.com/thabiso/wp-config-ini.php fgpcw-kr.edu.pk/wp-admin/includes/wp-config-ini.php funeralbusinesssolution.com/email_template/wp-config-ini.php getcord.co.za/wp-config-ini.php gilforsenate.com/wp-config-ini.php h-u-i.co.za/heiren/wp-config-ini.php habibtextiles.pk/wp-config-ini.php heritagetravelmw.com/wp-config-ini.php hisandherskennels.co.za/php/wp-config-ini.php hmholdings360.co.za/wp-config-ini.php humorcarbons.com/wp-config-ini.php iancullen.co.za/wp-config-ini.php icsswaziland.com/wp-config-ini.php ihlosiqs-pm.co.za/wp-config-ini.php indiba-africa.co.za/wp-config-ini.php laraibgroup.com/plugins/system/redirect/wp-config-ini.php loansonhomes.co.za/wp-config-ini.php luxconprojects.co.za/wp-config-ini.php mgamule.co.za/oldweb/wp-config-ini.php mukhtarfeeds.com/wp-config-ini.php mumtazandbrohi.com/coughingdish/93grahammiller/wp-config-ini.php mumtazandbrohi.com/wp-includes/wp-config-ini.php myhealthmedical.ae/old/includes/wp-config-ini.php mzansicompanies.co.za/wp-config-ini.php nbscorporation.co.za/wp-config-ini.php neomfarming.com/wp-config-ini.php oc.tsfengineering.com/wp-config-ini.php odcpkintranet.org/wp-admin/includes/wp-config-ini.php organisejournalise.co.za/wp-config-ini.php oursort.co.za/timothyowenauthor/wp-config-ini.php pamudzi.co.za/wp-config-ini.php penisdevelopmentcentre.co.za/wp-config-ini.php pgkhi.com/css/wp-config-ini.php phoenix.zar.cc/wp-config-ini.php pkproud.com/roshitrust/wp-config-ini.php plantconsultants.co.za/wp-config-ini.php prestbusiness.co.za/wp-config-ini.php promechtransport.co.za/scripts/wp-config-ini.php quikteam.com/scripts/contrib/wp-config-ini.php rashidalinawabshahi.com/ranwp/db-config-ini.php saacma.co.za/wp-admin/wp-config-ini.php seismicfactory.co.za/wp-config-ini.php servicebox.co.za/wp-config-ini.php shullen.co.za/wp-config-ini.php sikanderajam.com/wp-config-ini.php sinebar.co.za/wp-config-ini.php sirketcv.com/admin/_islemler/wp-config-ini.php sonafoundation.org.pk/wp-config-ini.php tanati.co.za/wp-config-ini.php thebedspace.com/wp-includes/pomo/wp-config-ini.php theguitarstudio.co.za/wp-includes/wp-config-ini.php themotoringcalendar.co.za/wp-config-ini.php ventronics.co.za/wp-config-ini.php vhupo-tours.com/wp-config-ini.php waohost.com/wp-includes/wp-config-ini.php wicloud.pk/store/wp-config-ini.php willpowerpos.co.za/wp-config-ini.php winagainstebola.com/wp-config-ini.php wmcpk.org/wp/wp-config-ini.php # Reference: https://twitter.com/iamwinstonm/status/1276804076534034433 # Reference: https://www.virustotal.com/gui/file/1f38eea8caf63ff911fa97f2a20328796a62fc760f24c7e6347753e8112bf92d/detection # Reference: https://www.virustotal.com/gui/file/92cb75c15da69fd6ef9368c03fd5001778d5fa1f7b024d63c84c13f501d5acd5/detection http://185.244.149.202 enreji.gov.tr # Reference: https://www.virustotal.com/gui/file/2ad0c8e29a364005f3aa0aaab770f919f8a65202b06721143e2d19dc6b75f323/detection linkupdate.org # Reference: https://twitter.com/BushidoToken/status/1298572507914670080 windowsupdate.me # Reference: https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf # Reference: https://otx.alienvault.com/pulse/5f886761020a5e059b24dd74 # Reference: https://www.virustotal.com/gui/file/a1282dde503e911d5653e1d9d1214e4780e61c96d1530c3a1be22d88a81dcf5f/detection http://185.117.75.101 http://185.183.96.28 http://185.183.96.61 http://185.183.98.242 http://185.244.149.215 http://185.82.202.66 http://185.82.202.70 http://212.143.154.158 http://46.4.105.116 server.lax.co.il webmail.lax.co.il # Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east # Reference: https://otx.alienvault.com/pulse/5fa1deab84fa772abb100f92 104.168.44.16:443 http://23.95.220.166 # Reference: https://twitter.com/ShadowChasing1/status/1329247256122322944 # Reference: https://twitter.com/h2jazi/status/1329188203178373120 # Reference: https://otx.alienvault.com/pulse/5fb6cd8f40663e290766fdff # Reference: https://www.virustotal.com/gui/file/4e8a2b592ed90ed13eb604ea2c29bfb3fbc771c799b3615ac84267b85dd26d1c/detection 107.175.196.104:443 # Reference: https://twitter.com/Arkbird_SOLG/status/1343001491121065984 # Reference: https://www.virustotal.com/gui/file/d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81/detection 193.161.193.99:44451 mazzion1234-44451.portmap.host # Reference: https://twitter.com/ShadowChasing1/status/1354232892323373057 oauth-services.live # Reference: https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies # Reference: https://otx.alienvault.com/pulse/60243229fdc9a2c67990218b/ instance-sy9at2-relay.screenconnect.com instance-uwct38-relay.screenconnect.com # Reference: https://www.virustotal.com/gui/file/6497a723c3ef7d7bae5a2cd1b109a14e457f2e69d85be2e4a26d01c89ca21345/detection instance-s6p2r4-relay.screenconnect.com # Reference: https://twitter.com/Marco_Ramilli/status/1390556742262665216 /api/add_rat_permission /api/add_rat_permissions /add_rat_permission /add_rat_permissions # Reference: https://twitter.com/silv0123/status/1404295902202793985 # Reference: https://www.virustotal.com/gui/file/48e75909520f1a19a8a2cfc34ed5938c69750af7966f40bdf3a2d340a0ca98ad/detection # Reference: https://www.virustotal.com/gui/file/c13cb1c9277324534075f807a3fcd24d0d3c024197c7437bf65db78f6a987f7a/detection instance-n3e3x9-relay.screenconnect.com # Reference: https://twitter.com/ShadowChasing1/status/1475819281648553986 # Reference: https://www.virustotal.com/gui/file/2f2492b7bb55f7a12f7530c9973c9b81fdd5e24001e4a21528ff1d5b47e3446e/detection http://107.174.68.60 http://192.227.147.152 t7170-d.de # Reference: https://twitter.com/czy_1116/status/1476048626313056257 # Reference: https://www.virustotal.com/gui/file/cab75e26febd111dd5483666c215bb6b56059f806f83384f864c51ceddd0b1cf/detection # Reference: https://www.virustotal.com/gui/file/84d523833db6cc74a079b12312da775d4281bf1034b2af0203c9d14c098e6f29/detection http://185.117.73.74 # Reference: https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/ http://185.247.137.89 http://51.255.219.222 # Reference: https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html # Reference: https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html # Reference: https://www.virustotal.com/gui/file/f6569039513e261ba9c70640e6eb8f59a0c72471889d3c0eaba51bdebb91d285/detection # Reference: https://www.virustotal.com/gui/file/c13cb1c9277324534075f807a3fcd24d0d3c024197c7437bf65db78f6a987f7a/detection http://185.118.167.120 http://185.118.164.195 137.74.131.16:443 149.202.242.84:443 185.141.27.211:443 172.245.81.135:10196 /Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/ # Reference: https://www.virustotal.com/gui/file/4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c/detection http://5.199.133.149 /jznkmustntblvmdvgcwbvqb /oeajgyxyxclqmfqayv # Reference: https://www.cisa.gov/uscert/ncas/alerts/aa22-055a # Reference: https://otx.alienvault.com/pulse/621cf48c69b2caf2c2f4bb3e/ http://164.132.237.65 http://185.118.164.21 http://185.141.27.143 http://185.141.27.248 http://185.183.96.7 http://185.25.51.108 http://192.210.191.188 http://192.210.226.128 http://45.142.212.61 http://45.142.213.17 http://46.166.129.159 http://80.85.158.49 http://87.236.212.22 http://88.119.170.124 http://88.119.171.213 http://89.163.252.232 http://95.181.161.49 http://95.181.161.50 # Reference: https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/ # Reference: https://otx.alienvault.com/pulse/62b1bfcf88e55b6f69deb3bc # Reference: https://www.virustotal.com/gui/file/ddd9eb1f6c58517bf58cc20ab820113ca137221fb2330589f3fd1ce5df4c8c1c/detection http://185.183.96.34 http://185.198.57.75 # Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/ # Reference: https://otx.alienvault.com/pulse/6308c120cac2d8874c250093 sygateway.com # Reference: https://twitter.com/Des00464472/status/1564541906381864960 3.129.246.94:443 # Reference: https://twitter.com/Des00464472/status/1587279425200336896 18.229.88.34:443 # Reference: https://twitter.com/suyog41/status/1601225014715461632 admin.syncroapi.com # Reference: https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/ # Reference: https://otx.alienvault.com/pulse/643423acc27e303808a2c523 http://104.194.222.219 http://141.95.22.153 http://146.70.106.89 http://192.169.6.88 http://192.52.166.191 http://192.52.167.209 http://193.200.16.3 http://194.61.121.86 http://45.56.162.111 http://45.86.230.20 http://46.249.35.243 104.194.222.219:443 141.95.22.153:443 146.70.106.89:443 192.169.6.88:443 192.52.166.191:443 192.52.167.209:443 193.200.16.3:443 194.61.121.86:443 45.56.162.111:443 45.86.230.20:443 46.249.35.243:443 vatacloud.com webstore4tech.uaenorth.cloudapp.azure.com # Reference: https://www.group-ib.com/blog/muddywater-infrastructure/ # Reference: https://twitter.com/malwrhunterteam/status/1708931063693689196 # Reference: https://twitter.com/1ZRR4H/status/1709215529532002551 # Reference: https://www.virustotal.com/gui/file/3c41bd2befcb1f890d6f9751f22ca78080bc477fdac5dcc312604428e4b2b8f2/detection # Reference: https://www.virustotal.com/gui/file/3d82e013aa638344d2fb1c80da0121e244648b691a784dbed28e2b6b5e6c58cc/detection # Reference: https://www.virustotal.com/gui/file/3f9db7bf1c9d897d46f669854e7ecc945778024f04cac9cd1585140d0d73a34f/detection # Reference: https://www.virustotal.com/gui/file/5366c1937b22c377843a04b716cd62fb57b3ed36042f6af11a403dcfc63608e0/detection # Reference: https://www.virustotal.com/gui/file/fb69c821f14cb0d89d3df9eef2af2d87625f333535eb1552b0fcd1caba38281f/detection # Reference: https://www.virustotal.com/gui/file/42f4ee20087893d8e7f3b5fa49d96b095e7d124df914e77c61cd3aa6b53d859e/detection http://137.74.131.24 http://149.202.242.80 http://178.32.30.3 http://51.254.25.36 http://91.121.240.104 http://91.121.240.108 http://91.121.240.96 149.202.242.80:22 149.202.242.80:443 149.202.242.85:22 149.202.242.86:22 164.132.237.64:22 164.132.237.65:22 164.132.237.66:22 51.254.25.36:443 51.255.19.178:443 51.255.19.179:443 51.255.19.183:22 91.121.240.104:443 91.121.240.108:443 94.131.98.34:443 /gcvvPu2KXdqEbDpJQ33 /rrvvPu2KXdqEbDpJQ33 /kz10n2f9d5c4pkz10n2f9s2vhkz10n2f9 /ln8mykyrd5c4pln8mykyrs2vhln8mykyr /kz10n2f9d5c4pkz10n2f9s2vhkz10n2f9/gcvvPu2KXdqEbDpJQ33/ /ln8mykyrd5c4pln8mykyrs2vhln8mykyr/gcvvPu2KXdqEbDpJQ33/ /ln8mykyrd5c4pln8mykyrs2vhln8mykyr/rrvvPu2KXdqEbDpJQ33/ # Reference: https://twitter.com/josh_penny/status/1655256615774302215 6nc110821hdb.co nc6jan20pol.co # Reference: https://twitter.com/k3yp0d/status/1719269176101990574 # Reference: https://www.virustotal.com/gui/file/a2ae5e994c0b515cadd425cfda4d4ae33b71893c45b702e1f8c1a495dc1b440f/detection 146.70.149.61:8008 /access/JWrapper-JWrapper-version.txt /access/JWrapper-Remote%20Access-00089360998-archive.p2.l2 # Reference: https://twitter.com/MichalKoczwara/status/1719294254206288001 # Reference: https://www.virustotal.com/gui/file/7fddecd93c277db31ec0755faac087c3f3d4af735df0ffad704c9f3b954283e5/detection # Reference: https://www.virustotal.com/gui/file/52e625ca4e9af0848749f3134c23103595e8a5c4f0951155f5d966b89b805bf1/detection # Reference: https://www.virustotal.com/gui/file/7e82615194d58f3a6ab5abe130ac841195ffb744eb437092879c81d0fb0891b7/detection http://146.70.124.102 http://37.120.237.204 http://37.120.237.248 146.70.124.102:443 37.120.237.204:443 37.120.237.248:443 /access/JWrapper-Windows64JRE-00084000053-archive.p2.l2 /access/JWrapper-Windows64JRE-version.txt?time= /access/JWrapper-Windows64JRE-version.txt # Reference: https://twitter.com/k3yp0d/status/1720008194016133619 # Reference: https://www.virustotal.com/gui/file/8a6226b02af996e06d956b000630271f23b82235c36c22afc9da36a3f043e00b/detection # Reference: https://www.virustotal.com/gui/file/500a7c4e89e02f972da68946496b66b3204690f209858df6637bde0d4ef03f18/detection # Reference: https://www.virustotal.com/gui/file/111f9e2228a6b6f663cda85f8211ee6cfcbcab5d9fa8c6c5aa38a808ccf671ba/detection # Reference: https://www.virustotal.com/gui/file/1b5604d023673b07f16af8404657637c3077100abd8d81b8db946d653ce032df/detection http://94.131.9.239 /access/JWrapper-Remote%20Access-version.txt /access/JWrapper-Remote%20Access_os_jwwin-version.txt /access/JWrapper-Windows64JRE-00084000053-archive.p2.l2 /access/JWrapper-Remote%20Access_winutils64-00091670477-archive.p2.l2 /access/jwdyna_sg_scripttruejwdyna_force_spawntruejwdyna_install_typeperm_alljwdy /access/jwdyna_sg_scripttruejwdyna_install_typeperm_alljwdyna_sg_reconnectfalsejw # Reference: https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel # Reference: https://otx.alienvault.com/pulse/654cebe5f4bb9281496a1b4b # Reference: https://app.any.run/tasks/9190151a-739e-41c0-b89d-71bf74414ab4/ # Reference: https://www.virustotal.com/gui/ip-address/94.131.109.65/relations # Reference: https://www.virustotal.com/gui/file/63e404011aeabb964ce63f467be29d678d0576bddb72124d491ab5565e1044cf/detection # Reference: https://www.virustotal.com/gui/file/ffbcafc28eb2e83603479882a17f04c4df0a9a2cbe952724c4279fc347906df0/detection # Reference: https://www.virustotal.com/gui/file/5e871ae33537e7e98c81ef55e662d7052ead20195212bf16ebd6fe0a506c9638/detection http://109.201.140.103 http://137.74.131.18 http://137.74.131.20 http://141.95.177.130 http://162.223.89.11 http://164.132.237.65 http://185.248.144.158 http://45.150.64.23 http://45.150.64.239 http://45.150.64.39 http://45.67.230.91 http://91.121.240.108 http://91.121.61.76 http://94.131.109.65 http://94.131.98.14 http://95.164.38.99 http://95.164.46.199 http://95.164.46.35 6nc051221c.co googlechromeupdate.ga googlechromeupdate.ml nc1310022a.biz ghostrider.serveirc.com jbf1.nc1310022a.biz mbcaction.hopto.org microsoftfice.ddns.net mirosoftcloud.ddns.net qjk2.6nc051221c.co /Q8s1qzzUdDhaPaRm # Reference: https://twitter.com/1ZRR4H/status/1743683396369273219 # Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms 45.150.64.39:443 45.67.230.91:443 94.131.109.65:443 94.131.98.14:443 95.164.38.99:443 95.164.46.199:443 /HJ3ytbqpne2tsJTEJi2D8s0hWo172A0aT /HR5rOv8enEKonD4a0UdeGXD3xtxWix2Nf # Reference: https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater 6nc051221a.co 6nc220721.co # Reference: https://twitter.com/k3yp0d/status/1768102580142432694 kinneretacil.egnyte.com # Generic /getCommand?guid= /getTargetInfo?guid=