# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: apachestealer, confucius, patchwork, sneepy, droppingelephant # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/ # Reference: https://twitter.com/shotgunner101/status/1084111296746921986 # Reference: https://otx.alienvault.com/pulse/5c3c8199888d403ecee5e463 kielsoservice.net frameworksupport.net # Reference: https://twitter.com/blackorbird/status/1119518720794058752 # Reference: https://www.virustotal.com/gui/file/e94659941847dac6e5483df31d6429c9bfb339a013079f41ea52e7fe86d7f061/detection # Reference: https://s.tencent.com/research/report/711.html (Chinese) crowcatcher.net global-news.center useraccount.co 188.241.58.60:21 188.241.58.61:21 # Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ # Reference: https://brica.de/alerts/alert/public/1215663/new-confucius-malware-campaign-has-links-to-patchwork-cybergang/ errorfeedback.com # Reference: https://twitter.com/h4ckak/status/1161208604566966272 http://139.28.38.231 # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/ # Reference: https://documents.trendmicro.com/assets/appendix-deciphering-confucius-cyberespionage-operations.pdf http://199.101.187.54 http://45.63.43.29 http://45.76.33.53 http://46.165.207.108 http://5.135.73.109 http://5.135.73.109 http://91.210.107.104 http://94.242.219.205 46.165.249.223:80 5.199.163.51:4343 91.210.107.106:80 91.210.107.109:80 91.210.107.110:80 adhath-learning.com freeintrnet.com mfone.net mofu.tech simplechatpoint.ddns.net truth786.com tweetychat.com /android_connect/insert_account.php /android_connect/insert_contacts.php /android_connect/insert_file_list.php /android_connect/insert_sms.php /android_connect/upload_file_content.php # Reference: https://twitter.com/RedDrip7/status/1184099910892670976 yetwq.twilightparadox.com # Reference: https://twitter.com/spider_girl22/status/1172044630512164864 192.250.236.76:80 # Reference: https://twitter.com/Rmy_Reserve/status/1172016149971619841 upgrading-office-content.esy.es # Reference: https://twitter.com/Arkbird_SOLG/status/1225014088755044353 185.193.38.24:443 # Reference: https://www.cymmetria.com/wp-content/uploads/2017/10/Unveiling-Patchwork.pdf 163-cn.org 81-cn.net aaskmee.com alfred.ignorelist.com annchenn.com asiandefnetwork.com blingblingg.com chinastrat.com chinastrats.com climaxcn.com cndailynetwork.info dailychina.news epg-cn.com expatchina.info extremebolt.com extrememachine.org extremerebolt.com eyescreem.com greatdexter.com haiwaipengyou.com info81.com junshiyuehui.com letsgetclose.com lujunxinxi.com majidalfuttaiim.com matrixrevolt.com militaryworkerscn.com milresearchcn.com miltechcn.com miltechweb.com modgovcn.com mozarting.com nduformation.com newsnstat.com nextraload.com nudtcn.com numeronez.com nutcn.com office-rb-support.com outlookkz.com pizzahomez.com qqgroups.info revoltmax.com securematrixx.com sinodefprog.info socialfreakzz.com symantecz.com telemediaz.com webworldreq.com wikifedia.space xbladezz.com xmachinez.com you-yisi.com yue-lao.info # Reference: https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/ # Reference: https://www.virustotal.com/gui/file/33c061dcf59d17c950fc450593cb4c3df1ee755f3a6a216eafc9717e76bc0858/behavior/VirusTotal%20Cuckoofork 130dozen.com adhath-learning.com avtofrom.us b3autybab3s.com bookerstream.com breachframework.com breachframework.website chucknorr.com com-account-jfnjkr.xyz cooperednews.info couchypotatoes.com cutedazzle.com didlynews.info fierybarrels.com fullhalfempty.com gallopingroses.com gomadweb.com greatleonidas.com jupanto.com little-nuts.com magzinehog.com mysugarbin.com neistovo.com news-letters-4u.com newsscrapper.com newstodayreviews.com nophoz.com onepickle.com purple-banana.com romanrugby.com roseauster.com sechshun8.com softwares-free.com speedeagles.com stepontheroof.com stilletowheels.com tangyball.com teens3xweb.com teensechs.com templetom.com transseksualov.com tumblebin.com twigreader.com uchitel-nitsa.com wetcottonballs.com wond3rfulworld.com younghogs.com your3x.com zadnitsa.com znaniye-onlayn.com http://95.211.38.135/search1.php /ipimp.txt # Reference: https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf nowhatsapp.com web.nowhatsapp.com myrocketchat.com tweetychat.com secretchatpoint.com simplechatpoint.ddns.net android-helper.info chatit.club chaton.life chaton.live kahmir-n.com kashmir-n.com philionschat.com sync.chatit.club # Reference: https://twitter.com/malwrhunterteam/status/1273581262750593030 # Reference: https://twitter.com/JAMESWT_MHT/status/1273583949646893056 # Reference: https://twitter.com/Arkbird_SOLG/status/1273627959170121734 # Reference: https://www.virustotal.com/gui/file/977c81bfab432eaeb119167b5342468918645636aa3dc94bdb993667c2e96693/detection # Reference: https://www.virustotal.com/gui/file/628172ab0dc7360ebc49ec15f6197d7f26f6e06c370aad9c55e5e87542bcb4ec/detection # Reference: https://app.any.run/tasks/21e6efb4-751f-4135-9f8d-e3f4a9624c5b/ # Reference: https://app.any.run/tasks/0901274f-49ff-41a4-919d-759a68e79685/ http://185.29.10.117 http://94.156.35.204 185.29.10.117:443 altered.twilightparadox.com # Reference: https://twitter.com/ShadowChasing1/status/1346747278279643137 # Reference: https://www.virustotal.com/gui/file/b9b5a9fa0ad7f802899e82e103a6c2c699c09390b1a79ae2b357cacc68f1ca8e/detection msoffice.user-assist.site user-assist.site # Reference: https://twitter.com/ShadowChasing1/status/1351201320670285836 # Reference: https://www.virustotal.com/gui/file/7fb7944fb452d8588194ea746910ed782865efb991fa02479e429f8fba677d3b/detection http://176.107.181.213 # Reference: https://twitter.com/mg2_tracy1/status/1358246040302850055 http://108.62.12.210 mlservices.online # Reference: https://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict # Reference: https://otx.alienvault.com/pulse/6025716ad1074318fbe5b3c8/ cucuchat.com pieupdate.online samaatv.online tea-time.link # Reference: https://twitter.com/ShadowChasing1/status/1360806740367876105 # Reference: https://www.virustotal.com/gui/file/f615bb459a91d76ee8a56661666fc450297dd9f9736dbe5b3efda7fb2f2ade70/detection sunshinereal.000webhostapp.com # Reference: https://0xthreatintel.medium.com/internals-of-ave-maria-malware-cb0f63bcce8d # Reference: https://www.virustotal.com/gui/file/a6e56c81c88fdaa28cbd3bf72635c5becb164f75f51ff0aabd46ee7723d4ac23/detection 108.62.12.210:4251 # Reference: https://twitter.com/ShadowChasing1/status/1364925537651617794 # Reference: https://www.virustotal.com/gui/domain/moe-cn.org/relations # Reference: https://www.virustotal.com/gui/file/153d5941a73f9600046ad859e819db33b323908a99712cd224d454cd5e3ba004/detection # Reference: https://www.virustotal.com/gui/file/4a4238e7d8c2b0950165fd1d4c6c9e43c20848028cbe1e52945c87bb921cfba8/detection 185.61.148.223:8080 208.91.197.91:8080 moe-cn.org # Reference: https://twitter.com/AnonySecAgency/status/1371648062460887040 # Reference: https://www.virustotal.com/gui/file/c3f0c89e7cddfe0a130a58c3e9edcae06579ee6d88787d5222368a8f57cc899e/detection 185.157.78.135:4040 # Reference: https://twitter.com/h2jazi/status/1415347869318537220 http://142.202.191.236 # Reference: https://twitter.com/ShadowChasing1/status/1422180936632860677 # Reference: https://www.virustotal.com/gui/file/6ddf7b13312987ed7d85ff6795f279d4c09ef67e7895a84254e53776a7ea9873/detection 142.202.191.234:2022 # Reference: https://twitter.com/ShadowChasing1/status/1449172597816455170 http://23.81.246.170 /doodle14/UploadToServer.php /doodle14/createDirecotory.php /doodle14/save_file_str.php /doodle14/save_target_applist.php /doodle14/savetargetdeviceinfo.php # Reference: https://twitter.com/souiten/status/1473142851798114312 # Reference: https://www.virustotal.com/gui/file/3ddbd2f9d4194aaebaffda1417b34aa1c2a5ec948e01b7ef0a1c9e035e78721e/detection http://104.143.36.19 # Reference: https://twitter.com/ShadowChasing1/status/1491954861402771456 webinstaller.online # Reference: https://twitter.com/RedDrip7/status/1529403598165004289 # Reference: https://www.virustotal.com/gui/file/9153c0618803e8799472060ac508135933f551581ede827265c78d644aba08b1/detection dayspringdesk.xyz /wfgkl/cvrkaf/xkj/test.php /wfgkl/cvrkaf/ # Reference: https://twitter.com/__0XYC__/status/1540211206211772416 # Reference: https://www.virustotal.com/gui/file/2d5afc95d620bed1ba631a34e6ad7c490da58d931045e1294dcf739326ad053d/detection taxofill.info # Reference: https://twitter.com/__0XYC__/status/1535107137441251328 t7g5c.app.link # Reference: https://twitter.com/__0XYC__/status/1540212682271236096 # Reference: https://twitter.com/__0XYC__/status/1540214103733522432 pmogov.online pmo.app.link # Reference: https://twitter.com/__0XYC__/status/1543806683092340737 # Reference: https://twitter.com/__0XYC__/status/1543807380269432832 # Reference: https://twitter.com/jaydinbas/status/1543952789491040257 # Reference: https://twitter.com/jaydinbas/status/1543952905925005314 # Reference: https://twitter.com/h2jazi/status/1543965665526255617 # Reference: https://www.virustotal.com/gui/file/041aa41948f654f8813b0a411f449e91ba84cdd5c0b08040bcdd9592df63a245/detection # Reference: https://www.virustotal.com/gui/file/9a42cdfe611f7e50cafc33da9e8dc5bd51abf1d16e31d324d28842d0cfef4170/detection # Reference: https://www.virustotal.com/gui/file/041aa41948f654f8813b0a411f449e91ba84cdd5c0b08040bcdd9592df63a245/detection # Reference: https://www.virustotal.com/gui/file/8adad3cb57e851c7daefe2e2f61c578c63bffaf61afbda23815ecc3c6eabf902/detection # Reference: https://www.virustotal.com/gui/file/4e19ca405e8caef23a677609b4fde2cf1c482cc08ea39d72dc89ccddc0d96c79/detection blingin.shop blingin.xyz jizyajan.shop jusmine.xyz mamba.live taxofill.info # Reference: https://twitter.com/Des00464472/status/1549615287846453248 pankilo.xyz # Reference: https://twitter.com/h2jazi/status/1558130495891857408 # Reference: https://www.virustotal.com/gui/file/1dd1c52e5eb1b1e5c4abc7c327b63687528118e612e9a42f01b97955676f4ff0/detection support-office-us.herokuapp.com # Reference: https://twitter.com/StopMalvertisin/status/1560213184535199749 # Reference: https://www.virustotal.com/gui/file/d732bc4f7bd2951cedef03a3a3235cce4f33602c858e0c5caceeb98f5bf1a4bf/detection office-fonts.herokuapp.com # Reference: https://twitter.com/__0XYC__/status/1561917066482966528 # Reference: https://twitter.com/h2jazi/status/1562079407853953024 # Reference: https://www.virustotal.com/gui/file/0e30b6e1b05279aac4c0b3b1d8b6d250fec0999cc72d0506e617fde53bc4f6e9/detection bonimoni.xyz viterwin.club # Reference: https://twitter.com/souiten/status/1565597424013365249 # Reference: https://www.virustotal.com/gui/file/c795a13148b13b6c293c11099fbe06aed8b478e1713d5c3c849fa7acabc215cc/detection # Reference: https://www.virustotal.com/gui/file/9268c46f5ed8b2f00cf3ef4d14e5bc327907b776a97b466a52bc9fbfea002e5b/detection http://125.209.76.62 http://192.227.174.165 # Reference: https://twitter.com/t3ft3lb/status/1567947765132435459 # Reference: https://www.virustotal.com/gui/file/aa6b4f8948d8524835dee9064ab54dc8f9f410eae7cbc502b1baf21cca5f8b20/detection 51.89.251.8:443 # Reference: https://twitter.com/SethKingHi/status/1570608984348053508 # Reference: https://www.virustotal.com/gui/file/2592a0b60b5902a5cbdfa19d5612546a53e6f1bf6ead33d1d86d392c5e281263/detection http://74.119.193.145 # Reference: https://twitter.com/ShadowChasing1/status/1576854577483157504 # Reference: https://www.virustotal.com/gui/file/449b4cee4b9df09777891a70248e000e3bb13f33d579603f69e444d4d175d022/detection en-us-office.herokuapp.com # Reference: https://twitter.com/StopMalvertisin/status/1578405262209142785 # Reference: https://www.virustotal.com/gui/file/bba3303974f9b4b0bc2e0b0c52e8b656992b6f18ee6321ff49d87ce1e448c69d/ office-templates.herokuapp.com # Reference: https://twitter.com/RedDrip7/status/1578687322291593216 # Reference: https://twitter.com/blackorbird/status/1585555349939314688 # Reference: https://mp.weixin.qq.com/s/IwcxY3TqkmyY-pBxnXuM1A # Reference: https://www.virustotal.com/gui/file/a9175491a108645ba2f0f906d639bd94e895e41370e6c23c59b95ab4a927a6fa/detection 162.216.240.173:1991 housingpanel.info zaim.pkwebs.com/wp-includes/c /vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/x8jb9g97kkexor5ihnbq/d91ng62l00hc4vgaxkf.php /vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/x8jb9g97kkexor5ihnbq/ /vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/ /vwykzjzy2si478c7a2w/ /terncpx8yr2ufvisgd2j/ /x8jb9g97kkexor5ihnbq/ /d91ng62l00hc4vgaxkf.php # Reference: https://www.virustotal.com/gui/file/2b8194a93c17d82a1814c094768c1fb728c105fd6e89661c9af51370a31dbb17/detection http://172.81.62.200 # Reference: https://twitter.com/SethKingHi/status/1588054655623659520 # Reference: https://www.virustotal.com/gui/file/115ddd20884fcf42f8937287e2b2cbb52e4d1420c000953ab8945f724c6c2f93/detection webinstall2.ddns.net # Reference: https://twitter.com/__0XYC__/status/1593088165556150272 # Reference: https://twitter.com/BaoshengbinCumt/status/1593108148646449152 mail-paf-documents-download-pk.herokuapp.com # Reference: https://twitter.com/malwrhunterteam/status/1593021085997420544 # Reference: https://www.virustotal.com/gui/file/41e561168a4a26f7d4bc14186c2d7fc2232e12fd1aa44ef77b4a9d45e14fc763/detection en-officeupdate.herokuapp.com # Reference: https://twitter.com/souiten/status/1597943643582902273 # Reference: https://twitter.com/souiten/status/1597944825340305408 # Reference: https://www.virustotal.com/gui/file/66d366fcdc0cef9a6af89a46909c9710bab0192a473f5ac583940093b990c86c/detection # Reference: https://www.virustotal.com/gui/file/ef76d11453a632920dd5835c0f0f8a317fb187972b0a51cdf8d78560f653d35f/detection # Reference: https://www.virustotal.com/gui/file/d345a80e349b79c78faa9bf10922416b0d5cfb1b805e0bfb2f675d83f63c7e47/detection 142.234.157.195:8989 142.234.157.195:8080 45.56.165.100:8080 microsoftonedriver.com info-updates.ddns.net # Reference: https://twitter.com/malwrhunterteam/status/1567483040317816833 # Reference: https://twitter.com/h2jazi/status/1567512391289544704 # Reference: https://www.virustotal.com/gui/file/40831538e59700fd86081130af597623d0779a93cde6f76b86d52174522d8ad4/detection # Reference: https://www.virustotal.com/gui/file/e2b7181d67ab4a4de5600d7f0f68190894db4d007aa66db94be0ee94631bc701/detection gov-cloud.herokuapp.com # Reference: https://twitter.com/RedDrip7/status/1608383205664780289 # Reference: https://www.virustotal.com/gui/ip-address/5.2.77.109/relations # Reference: https://www.virustotal.com/gui/file/79bde77f2295dbf272b4138db3b42a8e40e67201da5f7a70de1600c15ebfc81e/detection # Reference: https://www.virustotal.com/gui/file/2be095b201379123f11fd66b382aee0ca9542e3061fa129bc53c1eddd9b895c3/detection bingoplant.live # Reference: https://twitter.com/SethKingHi/status/1612377098777133057 # Reference: https://www.virustotal.com/gui/file/e89e0a56fad8e7232015f18bc4fd0287b98d7697e24c66820a0d4d2d501cd444/detection vlc-updates.ddns.net # Reference: https://twitter.com/souiten/status/1627613531586834432 # Reference: https://www.virustotal.com/gui/file/716298589ab48b187c127e9dbe47dd78487d0e4fd1841bf09d7e45027a23ac06/detection 23.163.0.133:443 # Reference: https://twitter.com/SethKingHi/status/1628601980682932224 # Reference: https://twitter.com/liqingjia1989/status/1640273312692727809 # Reference: https://www.virustotal.com/gui/file/6a3624f7022bf5797cb4a2bc633c383f4c59e0b6c277dea292657d56d66e29ae/detection # Reference: https://www.virustotal.com/gui/file/038da443e2ffc69b0c3d6bba7eab229166d1340ff07754fd51019d74a89b0c0b/detection http://162.216.243.187 /S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php /foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php /3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php /S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/ /S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/ /S8hmr7lxi7n4ceD2g93yz/ /Ztrt1DyB3tTXbjG.php # Reference: https://twitter.com/ThreatBookLabs/status/1631134841923325958 # Reference: https://www.virustotal.com/gui/ip-address/82.180.172.13/relations # Reference: https://www.virustotal.com/gui/file/9b3d01dd457b4eeae6712df54c7ef96312f56cd0115612d0d5aece654fc6bc61/detection officedocuments.info # Reference: https://twitter.com/ThreatBookLabs/status/1640397245882437632 pitbmail.000webhostapp.com webmail-pitb-gov-pk.netlify.app # Reference: https://twitter.com/blackorbird/status/1649005925947310080 # Reference: https://mp.weixin.qq.com/s/Nk2zml2d0HtK0hszyKW2Dw (Chinese) charliezard.shop msit5214.b-cdn.net shhh2564.b-cdn.net # Reference: https://twitter.com/ThreatBookLabs/status/1650906402792304641 douyni.info # Reference: https://twitter.com/ThreatBookLabs/status/1651052933142937600 ctg36512.b-cdn.net # Reference: https://about.fb.com/wp-content/uploads/2023/05/Meta-Quarterly-Adversarial-Threat-Report-Q1-2023.pdf 104.27.172.22:9371 104.27.173.22:9371 106.215.68.174:9371 172.94.99.215:4040 185.82.216.57:2125 195.20.54.105:4040 appplace.life bayanat.co.nf beautifullimages.co.nf chirrups-download.ml downloader-file.cf downloadvpn.comli.com drive-sharefiles-downloads.ga drive-sharefiles-downloads.gq faridun.com file-downloader.ga file-star.buzz fileshares.online fun.socialyte.site islamicbayanat.ddns.net kashmirundergroundnews.ml newice.hopto.org securemessagingapps.blogspot.com socialyte.site stockapp-fresh.com thenewsnation.ml videvideocaller.ml vpndl.co.nf vpndownload.co.nf vpndownload.webutu.com vpndownloads.co.nf vpndownloads.ddns.net webmails-authentication.tk /gdgtgdt1245435/chirrups.apk /poahbcyskdh/cable.apk /vdfogrglj/YoTalk.apk /gdgtgdt1245435/ /poahbcyskdh/ /vdfogrglj/ # Generic /4sVKAOvu3D/ /e3e7e71a0b28b5e96cc492e636722f73/ /ABDYot0NxyG.php /BDYot0NxyG.php /UYEfgEpXAOE.php