# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt32, apt-c-32, oceanlotus, SectorF01

# Reference: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

# Reference: https://github.com/eset/malware-ioc/tree/master/oceanlotus

# Reference: https://www.cybereason.com/blog/operation-cobalt-kitty-apt

food.letsmiles.org

# Reference: https://ti.360.net/blog/articles/oceanlotus-targets-chinese-university/

# Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html (Network Based Indicators (NBI))

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
# Reference: https://www.virustotal.com/#/file/673ee7a57ba3c5a2384aeb17a66058e59f0a4d0cddc4f01fe32f369f6a845c8f/relations

ssl.arkouthrie.com
s3.hiahornber.com
widget.shoreoa.com

# Reference: https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

# Reference: https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
# Reference: https://otx.alienvault.com/pulse/5c9255f84d2d890341e7f6a1
# Reference: https://twitter.com/vxsh4d0w/status/1109030685090680832
# Reference: https://pastebin.com/BiQKjQaK

# Reference: https://twitter.com/blackorbird/status/1108687601475555328

office.allsafebrowsing.com

# Reference: https://twitter.com/blackorbird/status/1086186184768815104

outlook.officebetas.com

# Reference: https://twitter.com/blackorbird/status/1086188558413586432

outlook.betamedias.com

# Reference: https://twitter.com/blackorbird/status/1113328823947264001
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/aptnote0402
# Reference: https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html

# Reference: https://twitter.com/blackorbird/status/1113737430501212161

att.illagedrivestralia.xyz
clipboard.christienoll.xyz
snort.lauradesnoyers.com

# Reference: https://twitter.com/blackorbird/status/1115617606218727425
# Reference: https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/

# Reference: https://twitter.com/blackorbird/status/1118396419595837440

load.updatetag.com

# Reference: https://twitter.com/blackorbird/status/1119232980801785856

nvidia.benjamiilliams.club
365.urielcallum.com

# Reference: https://twitter.com/Timele9527/status/1125941317689925632

load.newappssystems.com

# Reference: https://ti.qianxin.com/blog/articles/oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure/

# Reference: https://otx.alienvault.com/pulse/5cd5446ba9324bd2a35b3bd4

copy.byronorenstein.com
suricata.radeordaunt.com

# Reference: https://twitter.com/blackorbird/status/1128534704825618432

ps.andreagahuvrauvin.com

# Reference: https://twitter.com/RedDrip7/status/1130780807318999040

139.59.30.109:8090

# Reference: https://twitter.com/blackorbird/status/1131862769500737538
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/Oceanlotus-APK-sample.TXT

ckoen.dmkatti.com
jang.goongnam.com
mtk.baimind.com

# Reference: https://otx.alienvault.com/pulse/5cff85da279bf2ae275592c5

# Reference: https://twitter.com/RedDrip7/status/1141598356113780737
# Reference: https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/

udt.sophiahoule.com

# Reference: https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html

# Reference: https://twitter.com/ThreatBookLabs/status/1155815604332273666

get.freelicenses.net

# Reference: https://twitter.com/Arkbird_SOLG/status/1157319751238131717

195.12.50.172:46405

# Reference: https://twitter.com/RedDrip7/status/1162253139631730689

cloud.doomdns.org

# Reference: https://twitter.com/ccxsaber/status/1185104546332213248

cloud.chinatel.org
oa.chinarailways.net

# Reference: https://twitter.com/ItsReallyNick/status/1188639544528248832

# Reference: https://twitter.com/h4ckak/status/1115511637979553792

ls.andreagbridge.com

# Reference: https://twitter.com/spider_girl22/status/1192276923784691712

api.myddns.me

# Reference: https://twitter.com/ccxsaber/status/1187199752145752064

cdn.redirectme.net

# Reference: https://twitter.com/Rmy_Reserve/status/1200089355307536384
# Reference: https://www.google.com/search?q=%22jessicajoshua.com%22

jessicajoshua.com

# Reference: https://otx.alienvault.com/pulse/5de9067483d85294ef9e77b4

# Reference: https://twitter.com/pancak3lullz/status/1204059496005488642

# Reference: https://twitter.com/pancak3lullz/status/1204065037448613889

auth.lineage2ez.com