# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: MQsTTang, RedDelta, StatelyTaurus, Earth Preta

# Reference: https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
# Reference: https://otx.alienvault.com/pulse/5d9c72d7e2efa3b5aa799b41

http://144.202.54.8
http://154.221.24.47
adobephotostage.com
airdndvn.com
apple-net.com
infosecvn.com
officeproduces.com
wbemsystem.com
yahoorealtors.com
update.olk4.com

# Reference: https://twitter.com/cyber__sloth/status/1229080836487540736

149.28.156.153:443

# Reference: https://twitter.com/hackingump1/status/1241760059543244805
# Reference: https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/
# Reference: https://www.virustotal.com/gui/ip-address/123.51.185.75/relations

http://123.51.185.75

# Reference: https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/
# Reference: https://otx.alienvault.com/pulse/5ed7c36c21ae174ca3acfaee

destroy2013.com
fitehook.com
miandfish.store

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf
# Reference: https://otx.alienvault.com/pulse/5f219067fd875a905691df22

cabsecnow.com
hostareas.com
jsquerys.net
ipsoftwarelabs.com
lameers.com
miscrosaft.com
systeminfor.com

# Reference: https://twitter.com/cyber__sloth/status/1296722004964409349

http://103.85.24.161

# Reference: https://twitter.com/IntezerLabs/status/1316384526323638274
# Reference: https://www.virustotal.com/gui/file/c0331d4dee56ef0a8bb8e3d31bdfd3381bafc6ee80b85b338cee4001f7fb3d8c/detection
# Reference: https://www.virustotal.com/gui/file/d0dd9c624bb2b33de96c29b0ccb5aa5b43ce83a54e2842f1643247811487f8d9/detection

flach.cn

# Reference: https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/

103.200.97.189:965
103.200.97.189:110
185.239.226.17:965
185.239.226.17:110

# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html
# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html
# Reference: https://drive.google.com/file/d/1OpPiT6ieub3_q0sLIxGt8iI85tInqjoU/view
# Reference: https://any.run/report/bbbeb1a937274825b0434414fa2d9ec629ba846b1e3e33a59c613b54d375e4d2/dd877b4d-8b36-48c0-af07-ce37fd9fee7b

vietnam.zing.photos

# Reference: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf
# Reference: https://otx.alienvault.com/pulse/6050e65d389812e02dfca3c3

159.138.84.217:81
buyonebuy.top
careerhuawei.net
huaweiyuncdn.com
cdn.update.huaweiyuncdn.com
cdn1.update.huaweiyuncdn.com
flash-update.buyonebuy.top
hr.careerhuawei.net
info.careerhuawei.net
infoadmin.update.huaweiyuncdn.com
update.careerhuawei.net
update.huaweiyuncdn.com
download.flach.cn
forum.flach.cn
info.flach.cn
m.flach.cn
mobile.flach.cn
terminal.flach.cn
update.flach.cn
/c0c00c0c/

# Reference: https://twitter.com/s1ckb017/status/1475621967160123395
# Reference: https://www.virustotal.com/gui/file/df84d6c284dd39c2bfed6f8eb26149a4154396c27de50595ed5d80b428930dcd/detection

http://103.15.28.208

# Reference: https://twitter.com/s1ckb017/status/1492069505803116546

http://202.58.105.38

# Reference: https://twitter.com/StillAzureH/status/1505823479945625604
# Reference: https://www.virustotal.com/gui/file/bb2990a1bbc417cfec40d5f1a6a8b22cac0ef21aed869dd8503e28573cf84401/detection

http://155.94.200.206
155.94.200.206:5008

# Reference: https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
# Reference: https://www.virustotal.com/gui/file/0d154e036b4de53059b5a24a1677fb546e1c136d6d0aa37c21a878c24891ee2c/detection
# Reference: https://www.virustotal.com/gui/file/9170169ae732c3a843c871be73875ea1bc8081876db5f9bcfd5f05d792bcaef0/detection
# Reference: https://www.virustotal.com/gui/file/effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1/detection

http://103.56.53.120
http://154.204.27.181
http://185.207.153.208
http://43.254.218.42
http://45.131.179.179
http://92.118.188.78
103.56.53.120:8080
154.204.27.181:110
45.131.179.179:110
45.131.179.179:5938
92.118.188.78:443
coolboxpc.com
locvnpt.com
snova-tech.com
urmsec.com

# Reference: https://twitter.com/G60930953/status/1507031738282909698
# Reference: https://www.virustotal.com/gui/file/887345540f1bf31c40755edcda2e3dd9fe640122fc9020f3873c895daa2378bf/detection

http://155.94.200.209
http://155.94.200.211
155.94.200.211:5008
155.94.200.212:443

# Reference: https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/
# Reference: https://otx.alienvault.com/pulse/6144875da41b403380a06521
# Reference: https://www.virustotal.com/gui/file/0198949a02fc4dcd65c29c028ba5f20365dc629d764f9e0a95721300b9fadbad/detection
# Reference: https://www.virustotal.com/gui/file/ab9324028bcc347040a058d41c079c0205398d200a63a6ed6cbe1df973634b2d/detection

http://103.231.14.134

# Reference: https://otx.alienvault.com/pulse/613914361364535ed5d60bc4

dodefoh.com
hidusi.com
joxinu.com
macuwuf.com
/e32c8df2cf6b7a16/
/e8c76295a5f9acb7/

# Reference: https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html

103.15.28.145:6666
110.42.64.64:24680
president-office.gov.mm

# Reference: https://twitter.com/kienbigmummy/status/1532305081676464128
# Reference: https://www.virustotal.com/gui/file/843709a59f12ff7aa06a5837be7a1a93fdf6f02f99936af6658c166e8abcaa2d/detection
# Reference: https://www.virustotal.com/gui/file/60ee19bb558d20c2591569ddb73fc90787dd47a07453e252a3afcaa222dde125/detection
# Reference: https://www.virustotal.com/gui/file/558cbbcb969fe2fa3f1c74c376e307efcdbe3bad7497095619927edd5762363a/detection

154.204.26.120:22
45.134.83.4:22
154.204.26.120:443
154.204.27.130:443
45.134.83.4:443
hilifimyanmar.com
myanmarnewsonline.org
download.hilifimyanmar.com
update.hilifimyanmar.com
images.myanmarnewsonline.org

# Reference: https://twitter.com/kienbigmummy/status/1544537348670881792
# Reference: https://www.virustotal.com/gui/file/8f32bebce3a4f35531de592ed57af7b63906d64565f36abe91298acc8ea3e93d/detection

64.34.205.41:443

# Reference: https://twitter.com/malwrhunterteam/status/1546857896755044358
# Reference: https://twitter.com/h2jazi/status/1546861105678524418
# Reference: https://www.virustotal.com/gui/file/a693b9f9ffc5f4900e094b1d1360f7e7b907c9c8680abfeace34e1a8e380f405/detection

http://98.142.251.29

# Reference: https://twitter.com/kienbigmummy/status/1549058500806197248
# Reference: https://www.virustotal.com/gui/file/1de88a2ad4fd1b16005558591fa2a385f2fe343162bbca328384600c167df721/detection
# Reference: https://www.virustotal.com/gui/file/563611caf1787441dcc12c5a77427224b5f1ac0d18efac4032ab67eed3a99928/detection

103.192.226.46:443
45.131.179.179:22
45.131.179.179:443
45.131.179.179:5938
/uVdjpZ

# Reference: https://twitter.com/kienbigmummy/status/1553737903398072320
# Reference: https://www.virustotal.com/gui/file/00fbfaf36114d3ff9e2c43885341f1c02fade82b49d1cf451bc756d992c84b06/detection

http://45.142.166.112
45.142.166.112:110
45.142.166.112:443

# Reference: https://twitter.com/kienbigmummy/status/1582217448731729920
# Reference: https://twitter.com/kienbigmummy/status/1582217473499140097
# Reference: https://www.virustotal.com/gui/file/becdb31a669676dac3e797fb6db482f9fd644853e73fc28eb0031bd58487d081/detection

107.181.160.16:443

# Reference: https://twitter.com/barberousse_bin/status/1594791243489345537
# Reference: https://www.virustotal.com/gui/file/e8357cacdccdb4670f6ae427a781f36a9c4b268907f83c1ce3502a0fd9ce2606/detection

http://158.255.2.63

# Reference: https://twitter.com/katechondic/status/1556940169483264000
# Reference: https://twitter.com/katechondic/status/1557031529141964801
# Reference: https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/IOCs-earth-preta-spear-phishing-since-march.txt
# Reference: https://www.virustotal.com/gui/file/c52828dbf62fc52ae750ada43c505c934f1faeb9c58d71c76bdb398a3fbbe1e2/detection

http://103.15.29.179
http://103.75.190.224
http://202.53.148.24
http://202.53.148.26
http://89.38.225.151

# Reference: https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
# Reference: https://www.virustotal.com/gui/file/f70d3601fb456a18ed7e7ed599d10783447016da78234f5dca61b8bd3a084a15/detection

http://103.192.226.87
http://104.42.43.178
http://185.80.201.4
http://194.124.227.90
http://43.254.218.128
http://45.147.26.45
http://45.32.101.7
http://62.233.57.49
http://64.34.216.44
http://64.34.216.50
5.34.178.156:443

# Reference: https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/
# Reference: https://www.virustotal.com/gui/file/ab62e351a56e0f749d36dc6ec6b1211f1becc52305478fa5653c6236a221a85e/detection

45.90.59.153:443

# Reference: https://twitter.com/StopMalvertisin/status/1610961056163311619
# Reference: https://www.virustotal.com/gui/ip-address/142.250.178.4/relations
# Reference: https://www.virustotal.com/gui/ip-address/5.34.182.68/relations
# Reference: https://www.virustotal.com/gui/file/0ac93ddc58e7666eae677812d3be93fe8f922ffc32baeee0f803109341dc1ea7/detection
# Reference: https://www.virustotal.com/gui/file/8964dce6ae40681a51226b7912728c589c33febba1a1547c351353fea6a6571c/detection

blogdirve.com
mashupdatabase.com
microsite-manager.com

# Reference: https://twitter.com/t3ft3lb/status/1620848769607806976
# Reference: https://www.virustotal.com/gui/file/48e2ebee3f8de80c4a50f1dd948e8e9a41509f4847a574f67a453c154d21ce60/detection

195.123.218.78:443

# Reference: https://twitter.com/Unit42_Intel/status/1626613722700472320
# Reference: https://www.virustotal.com/gui/file/e2a6a2b7a55d0d5cfb406a9ba941558a4b10a998f232e945ceaa79261aa05086/detection

3.228.54.173:1883
54.87.92.106:1883

# Reference: https://twitter.com/StopMalvertisin/status/1635620870214352901
# Reference: https://www.virustotal.com/gui/file/6d18906c49e213ca0db7b2ce28f1a20066c521367fc61caae0710bf0e10cfc9e/detection

45.90.59.39:443
midasconsilium.com

# Reference: https://twitter.com/t3ft3lb/status/1656194831830401024
# Reference: https://twitter.com/t3ft3lb/status/1656297883048505346
# Reference: https://www.virustotal.com/gui/file/3489955d23e66d6f34b3ada70b4d228547dbb3ccb0f6c7282553cbbdeaf168cb/detection
# Reference: https://www.virustotal.com/gui/file/ce308b538ff3a0be0dbcee753db7e556a54b4aeddbddd0c03db7126b08911fe2/detection

62.233.57.136:443
jcswcd.com

# Reference: https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
# Reference: https://otx.alienvault.com/pulse/64a5960b230e2e9a1bf9ec66

newsmailnet.com

# Reference: https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/
# Reference: https://www.virustotal.com/gui/file/c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1/detection

ivibers.com
meetvibersapi.com

# Reference: https://twitter.com/Cuser07/status/1748000699122958665
# Reference: https://www.virustotal.com/gui/file/a00673e35eaccf494977f4e9a957d5820a20fe6b589c796f9085a0271e8c380c/detection
# Reference: https://www.virustotal.com/gui/file/b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18/detection

openservername.com

# Reference: https://twitter.com/Jane_0sint/status/1750537878420295808
# Reference: https://www.virustotal.com/gui/file/dd261a5db199b32414c33136aed44c3ebe2ae55f18991ae3dc341fc43a1ef7f4/detection
# Reference: https://www.virustotal.com/gui/file/5afe21142999659a4050f6e038a6dab96cf4827f332497049a91cdb1a4d4828b/detection
# Reference: https://www.virustotal.com/gui/file/2a00d95b658e11ca71a8de532999dd33ddee7f80432653427eaa885b611ddd87/detection
# Reference: https://www.virustotal.com/gui/file/51d89afe0a49a3abf88ed6f032e4f0a83949fc44489fc7b45c860020f905c9d7/detection

103.159.132.80:443
103.249.84.137:443
123.253.32.15:443
91.245.253.46:443
militarytc.com

# Reference: https://www.secureworks.com/research/bronze-president-targets-ngos
# Reference: https://otx.alienvault.com/pulse/5e0a1aa2617f951d88c9d891

apple-net.com
forexdualsystem.com
ipsoftwarelabs.com
lionforcesystems.com
oshibadrive.com
strust.club
svchosts.com
svrhosts.com
wbemsystem.com

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware%20analysis%2020-08-19.md
# Reference: https://www.virustotal.com/gui/ip-address/167.88.180.148/relations

http://167.88.180.148
247up.org
apple-net.com
mediadomainservice.org
renewyourclicks.org
siteup-365.org

# Reference: https://www.trendmicro.com/en_za/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html

http://103.159.132.91
http://185.144.31.86
http://80.85.156.151
http://80.85.156.232
http://80.85.156.240
http://80.85.157.3
139.180.217.142:5000
80.85.156.151:8000
johnsimde.xyz
myanmarfreedomwork.org
em2in.johnsimde.xyz
iot.johnsimde.xyz
rewards.roshan.af
sa2il.johnsimde.xyz
taiwallace.pserver.space
/ewfuck
/ewfuck00000

# Reference: https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/earth-preta-campaign-uses-doplugs-to-target-asia/ioc-earth-preta-doplugs.txt

103.107.104.37:443
149.104.11.29:443
149.104.12.64:443
185.82.216.184:443
195.123.246.26:22
195.211.96.99:443
45.83.236.105:443
bonuscave.com
electrictulsa.com
getfiledown.com
getfilefox.com
iamc2c2.com
images.kiidcloud.com
images.markplay.net
markplay.net
meetviberapi.com
news.comsnews.com
thisistestc2.com
web.bonuscave.com

# Reference: https://twitter.com/8th_grey_owl/status/1767860327369298026

103.27.109.157:443

# Reference: https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/

http://139.59.46.88
http://65.20.103.231
139.59.46.88:443
139.59.46.88:8080
139.59.46.88:8443
139.59.46.88:9443
192.153.57.98:8080
193.149.129.93:8443
65.20.103.231:81