# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: apachestealer, confucius, patchwork, sneepy, droppingelephant # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/ # Reference: https://twitter.com/shotgunner101/status/1084111296746921986 # Reference: https://otx.alienvault.com/pulse/5c3c8199888d403ecee5e463 kielsoservice.net frameworksupport.net # Reference: https://twitter.com/blackorbird/status/1119518720794058752 # Reference: https://www.virustotal.com/gui/file/e94659941847dac6e5483df31d6429c9bfb339a013079f41ea52e7fe86d7f061/detection # Reference: https://s.tencent.com/research/report/711.html (Chinese) crowcatcher.net global-news.center useraccount.co 188.241.58.60:21 188.241.58.61:21 # Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ # Reference: https://brica.de/alerts/alert/public/1215663/new-confucius-malware-campaign-has-links-to-patchwork-cybergang/ errorfeedback.com # Reference: https://twitter.com/h4ckak/status/1161208604566966272 http://139.28.38.231 # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/ # Reference: https://documents.trendmicro.com/assets/appendix-deciphering-confucius-cyberespionage-operations.pdf http://199.101.187.54 http://45.63.43.29 http://45.76.33.53 http://46.165.207.108 http://5.135.73.109 http://5.135.73.109 http://91.210.107.104 http://94.242.219.205 46.165.249.223:80 5.199.163.51:4343 91.210.107.106:80 91.210.107.109:80 91.210.107.110:80 adhath-learning.com freeintrnet.com mfone.net mofu.tech simplechatpoint.ddns.net truth786.com tweetychat.com /android_connect/insert_account.php /android_connect/insert_contacts.php /android_connect/insert_file_list.php /android_connect/insert_sms.php /android_connect/upload_file_content.php # Reference: https://twitter.com/RedDrip7/status/1184099910892670976 yetwq.twilightparadox.com # Reference: https://twitter.com/spider_girl22/status/1172044630512164864 192.250.236.76:80 # Reference: https://twitter.com/Rmy_Reserve/status/1172016149971619841 upgrading-office-content.esy.es # Reference: https://twitter.com/Arkbird_SOLG/status/1225014088755044353 185.193.38.24:443 # Reference: https://www.cymmetria.com/wp-content/uploads/2017/10/Unveiling-Patchwork.pdf 163-cn.org 81-cn.net aaskmee.com alfred.ignorelist.com annchenn.com asiandefnetwork.com blingblingg.com chinastrat.com chinastrats.com climaxcn.com cndailynetwork.info dailychina.news epg-cn.com expatchina.info extremebolt.com extrememachine.org extremerebolt.com eyescreem.com greatdexter.com haiwaipengyou.com info81.com junshiyuehui.com letsgetclose.com lujunxinxi.com majidalfuttaiim.com matrixrevolt.com militaryworkerscn.com milresearchcn.com miltechcn.com miltechweb.com modgovcn.com mozarting.com nduformation.com newsnstat.com nextraload.com nudtcn.com numeronez.com nutcn.com office-rb-support.com outlookkz.com pizzahomez.com qqgroups.info revoltmax.com securematrixx.com sinodefprog.info socialfreakzz.com symantecz.com telemediaz.com webworldreq.com wikifedia.space xbladezz.com xmachinez.com you-yisi.com yue-lao.info # Reference: https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/ # Reference: https://www.virustotal.com/gui/file/33c061dcf59d17c950fc450593cb4c3df1ee755f3a6a216eafc9717e76bc0858/behavior/VirusTotal%20Cuckoofork 130dozen.com adhath-learning.com avtofrom.us b3autybab3s.com bookerstream.com breachframework.com breachframework.website chucknorr.com com-account-jfnjkr.xyz cooperednews.info couchypotatoes.com cutedazzle.com didlynews.info fierybarrels.com fullhalfempty.com gallopingroses.com gomadweb.com greatleonidas.com jupanto.com little-nuts.com magzinehog.com mysugarbin.com neistovo.com news-letters-4u.com newsscrapper.com newstodayreviews.com nophoz.com onepickle.com purple-banana.com romanrugby.com roseauster.com sechshun8.com softwares-free.com speedeagles.com stepontheroof.com stilletowheels.com tangyball.com teens3xweb.com teensechs.com templetom.com transseksualov.com tumblebin.com twigreader.com uchitel-nitsa.com wetcottonballs.com wond3rfulworld.com younghogs.com your3x.com zadnitsa.com znaniye-onlayn.com http://95.211.38.135/search1.php /ipimp.txt # Reference: https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf nowhatsapp.com web.nowhatsapp.com myrocketchat.com tweetychat.com secretchatpoint.com simplechatpoint.ddns.net android-helper.info chatit.club chaton.life chaton.live kahmir-n.com kashmir-n.com philionschat.com sync.chatit.club # Reference: https://twitter.com/malwrhunterteam/status/1273581262750593030 # Reference: https://twitter.com/JAMESWT_MHT/status/1273583949646893056 # Reference: https://twitter.com/Arkbird_SOLG/status/1273627959170121734 # Reference: https://www.virustotal.com/gui/file/977c81bfab432eaeb119167b5342468918645636aa3dc94bdb993667c2e96693/detection # Reference: https://www.virustotal.com/gui/file/628172ab0dc7360ebc49ec15f6197d7f26f6e06c370aad9c55e5e87542bcb4ec/detection # Reference: https://app.any.run/tasks/21e6efb4-751f-4135-9f8d-e3f4a9624c5b/ # Reference: https://app.any.run/tasks/0901274f-49ff-41a4-919d-759a68e79685/ http://185.29.10.117 http://94.156.35.204 185.29.10.117:443 altered.twilightparadox.com # Reference: https://twitter.com/ShadowChasing1/status/1346747278279643137 # Reference: https://www.virustotal.com/gui/file/b9b5a9fa0ad7f802899e82e103a6c2c699c09390b1a79ae2b357cacc68f1ca8e/detection msoffice.user-assist.site user-assist.site # Reference: https://twitter.com/ShadowChasing1/status/1351201320670285836 # Reference: https://www.virustotal.com/gui/file/7fb7944fb452d8588194ea746910ed782865efb991fa02479e429f8fba677d3b/detection http://176.107.181.213 # Reference: https://twitter.com/mg2_tracy1/status/1358246040302850055 http://108.62.12.210 mlservices.online # Reference: https://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict # Reference: https://otx.alienvault.com/pulse/6025716ad1074318fbe5b3c8/ cucuchat.com pieupdate.online samaatv.online tea-time.link # Reference: https://twitter.com/ShadowChasing1/status/1360806740367876105 # Reference: https://www.virustotal.com/gui/file/f615bb459a91d76ee8a56661666fc450297dd9f9736dbe5b3efda7fb2f2ade70/detection sunshinereal.000webhostapp.com # Reference: https://0xthreatintel.medium.com/internals-of-ave-maria-malware-cb0f63bcce8d # Reference: https://www.virustotal.com/gui/file/a6e56c81c88fdaa28cbd3bf72635c5becb164f75f51ff0aabd46ee7723d4ac23/detection 108.62.12.210:4251 # Reference: https://twitter.com/ShadowChasing1/status/1364925537651617794 # Reference: https://www.virustotal.com/gui/domain/moe-cn.org/relations # Reference: https://www.virustotal.com/gui/file/153d5941a73f9600046ad859e819db33b323908a99712cd224d454cd5e3ba004/detection # Reference: https://www.virustotal.com/gui/file/4a4238e7d8c2b0950165fd1d4c6c9e43c20848028cbe1e52945c87bb921cfba8/detection 185.61.148.223:8080 208.91.197.91:8080 moe-cn.org # Reference: https://twitter.com/AnonySecAgency/status/1371648062460887040 # Reference: https://www.virustotal.com/gui/file/c3f0c89e7cddfe0a130a58c3e9edcae06579ee6d88787d5222368a8f57cc899e/detection 185.157.78.135:4040 # Reference: https://twitter.com/h2jazi/status/1415347869318537220 http://142.202.191.236 # Reference: https://twitter.com/ShadowChasing1/status/1422180936632860677 # Reference: https://www.virustotal.com/gui/file/6ddf7b13312987ed7d85ff6795f279d4c09ef67e7895a84254e53776a7ea9873/detection 142.202.191.234:2022 # Reference: https://twitter.com/ShadowChasing1/status/1449172597816455170 http://23.81.246.170 /doodle14/UploadToServer.php /doodle14/createDirecotory.php /doodle14/save_file_str.php /doodle14/save_target_applist.php /doodle14/savetargetdeviceinfo.php # Reference: https://twitter.com/souiten/status/1473142851798114312 # Reference: https://www.virustotal.com/gui/file/3ddbd2f9d4194aaebaffda1417b34aa1c2a5ec948e01b7ef0a1c9e035e78721e/detection http://104.143.36.19 # Reference: https://twitter.com/ShadowChasing1/status/1491954861402771456 webinstaller.online # Reference: https://twitter.com/RedDrip7/status/1529403598165004289 # Reference: https://www.virustotal.com/gui/file/9153c0618803e8799472060ac508135933f551581ede827265c78d644aba08b1/detection dayspringdesk.xyz /wfgkl/cvrkaf/xkj/test.php /wfgkl/cvrkaf/ # Reference: https://twitter.com/__0XYC__/status/1540211206211772416 # Reference: https://www.virustotal.com/gui/file/2d5afc95d620bed1ba631a34e6ad7c490da58d931045e1294dcf739326ad053d/detection taxofill.info # Reference: https://twitter.com/__0XYC__/status/1535107137441251328 t7g5c.app.link # Reference: https://twitter.com/__0XYC__/status/1540212682271236096 # Reference: https://twitter.com/__0XYC__/status/1540214103733522432 pmogov.online pmo.app.link # Reference: https://twitter.com/__0XYC__/status/1543806683092340737 # Reference: https://twitter.com/__0XYC__/status/1543807380269432832 # Reference: https://twitter.com/jaydinbas/status/1543952789491040257 # Reference: https://twitter.com/jaydinbas/status/1543952905925005314 # Reference: https://twitter.com/h2jazi/status/1543965665526255617 # Reference: https://www.virustotal.com/gui/file/041aa41948f654f8813b0a411f449e91ba84cdd5c0b08040bcdd9592df63a245/detection # Reference: https://www.virustotal.com/gui/file/9a42cdfe611f7e50cafc33da9e8dc5bd51abf1d16e31d324d28842d0cfef4170/detection # Reference: https://www.virustotal.com/gui/file/041aa41948f654f8813b0a411f449e91ba84cdd5c0b08040bcdd9592df63a245/detection # Reference: https://www.virustotal.com/gui/file/8adad3cb57e851c7daefe2e2f61c578c63bffaf61afbda23815ecc3c6eabf902/detection # Reference: https://www.virustotal.com/gui/file/4e19ca405e8caef23a677609b4fde2cf1c482cc08ea39d72dc89ccddc0d96c79/detection blingin.shop blingin.xyz jizyajan.shop jusmine.xyz mamba.live taxofill.info # Reference: https://twitter.com/Des00464472/status/1549615287846453248 pankilo.xyz # Reference: https://twitter.com/h2jazi/status/1558130495891857408 # Reference: https://www.virustotal.com/gui/file/1dd1c52e5eb1b1e5c4abc7c327b63687528118e612e9a42f01b97955676f4ff0/detection support-office-us.herokuapp.com # Reference: https://twitter.com/StopMalvertisin/status/1560213184535199749 # Reference: https://www.virustotal.com/gui/file/d732bc4f7bd2951cedef03a3a3235cce4f33602c858e0c5caceeb98f5bf1a4bf/detection office-fonts.herokuapp.com # Reference: https://twitter.com/__0XYC__/status/1561917066482966528 # Reference: https://twitter.com/h2jazi/status/1562079407853953024 # Reference: https://www.virustotal.com/gui/file/0e30b6e1b05279aac4c0b3b1d8b6d250fec0999cc72d0506e617fde53bc4f6e9/detection bonimoni.xyz viterwin.club # Reference: https://twitter.com/souiten/status/1565597424013365249 # Reference: https://www.virustotal.com/gui/file/c795a13148b13b6c293c11099fbe06aed8b478e1713d5c3c849fa7acabc215cc/detection # Reference: https://www.virustotal.com/gui/file/9268c46f5ed8b2f00cf3ef4d14e5bc327907b776a97b466a52bc9fbfea002e5b/detection http://125.209.76.62 http://192.227.174.165 # Reference: https://twitter.com/t3ft3lb/status/1567947765132435459 # Reference: https://www.virustotal.com/gui/file/aa6b4f8948d8524835dee9064ab54dc8f9f410eae7cbc502b1baf21cca5f8b20/detection 51.89.251.8:443 # Reference: https://twitter.com/SethKingHi/status/1570608984348053508 # Reference: https://www.virustotal.com/gui/file/2592a0b60b5902a5cbdfa19d5612546a53e6f1bf6ead33d1d86d392c5e281263/detection http://74.119.193.145 # Reference: https://twitter.com/ShadowChasing1/status/1576854577483157504 # Reference: https://www.virustotal.com/gui/file/449b4cee4b9df09777891a70248e000e3bb13f33d579603f69e444d4d175d022/detection en-us-office.herokuapp.com # Reference: https://twitter.com/StopMalvertisin/status/1578405262209142785 # Reference: https://www.virustotal.com/gui/file/bba3303974f9b4b0bc2e0b0c52e8b656992b6f18ee6321ff49d87ce1e448c69d/ office-templates.herokuapp.com # Reference: https://twitter.com/RedDrip7/status/1578687322291593216 # Reference: https://twitter.com/blackorbird/status/1585555349939314688 # Reference: https://mp.weixin.qq.com/s/IwcxY3TqkmyY-pBxnXuM1A # Reference: https://www.virustotal.com/gui/file/a9175491a108645ba2f0f906d639bd94e895e41370e6c23c59b95ab4a927a6fa/detection 162.216.240.173:1991 housingpanel.info zaim.pkwebs.com/wp-includes/c /vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/x8jb9g97kkexor5ihnbq/d91ng62l00hc4vgaxkf.php /vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/x8jb9g97kkexor5ihnbq/ /vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/ /vwykzjzy2si478c7a2w/ /terncpx8yr2ufvisgd2j/ /x8jb9g97kkexor5ihnbq/ /d91ng62l00hc4vgaxkf.php # Reference: https://www.virustotal.com/gui/file/2b8194a93c17d82a1814c094768c1fb728c105fd6e89661c9af51370a31dbb17/detection http://172.81.62.200 # Reference: https://twitter.com/SethKingHi/status/1588054655623659520 # Reference: https://www.virustotal.com/gui/file/115ddd20884fcf42f8937287e2b2cbb52e4d1420c000953ab8945f724c6c2f93/detection webinstall2.ddns.net # Reference: https://twitter.com/__0XYC__/status/1593088165556150272 # Reference: https://twitter.com/BaoshengbinCumt/status/1593108148646449152 mail-paf-documents-download-pk.herokuapp.com # Reference: https://twitter.com/malwrhunterteam/status/1593021085997420544 # Reference: https://www.virustotal.com/gui/file/41e561168a4a26f7d4bc14186c2d7fc2232e12fd1aa44ef77b4a9d45e14fc763/detection en-officeupdate.herokuapp.com # Reference: https://twitter.com/souiten/status/1597943643582902273 # Reference: https://twitter.com/souiten/status/1597944825340305408 # Reference: https://www.virustotal.com/gui/file/66d366fcdc0cef9a6af89a46909c9710bab0192a473f5ac583940093b990c86c/detection # Reference: https://www.virustotal.com/gui/file/ef76d11453a632920dd5835c0f0f8a317fb187972b0a51cdf8d78560f653d35f/detection # Reference: https://www.virustotal.com/gui/file/d345a80e349b79c78faa9bf10922416b0d5cfb1b805e0bfb2f675d83f63c7e47/detection 142.234.157.195:8989 142.234.157.195:8080 45.56.165.100:8080 microsoftonedriver.com info-updates.ddns.net # Reference: https://twitter.com/malwrhunterteam/status/1567483040317816833 # Reference: https://twitter.com/h2jazi/status/1567512391289544704 # Reference: https://www.virustotal.com/gui/file/40831538e59700fd86081130af597623d0779a93cde6f76b86d52174522d8ad4/detection # Reference: https://www.virustotal.com/gui/file/e2b7181d67ab4a4de5600d7f0f68190894db4d007aa66db94be0ee94631bc701/detection gov-cloud.herokuapp.com # Reference: https://twitter.com/RedDrip7/status/1608383205664780289 # Reference: https://www.virustotal.com/gui/ip-address/5.2.77.109/relations # Reference: https://www.virustotal.com/gui/file/79bde77f2295dbf272b4138db3b42a8e40e67201da5f7a70de1600c15ebfc81e/detection # Reference: https://www.virustotal.com/gui/file/2be095b201379123f11fd66b382aee0ca9542e3061fa129bc53c1eddd9b895c3/detection bingoplant.live # Reference: https://twitter.com/SethKingHi/status/1612377098777133057 # Reference: https://www.virustotal.com/gui/file/e89e0a56fad8e7232015f18bc4fd0287b98d7697e24c66820a0d4d2d501cd444/detection vlc-updates.ddns.net # Reference: https://twitter.com/souiten/status/1627613531586834432 # Reference: https://www.virustotal.com/gui/file/716298589ab48b187c127e9dbe47dd78487d0e4fd1841bf09d7e45027a23ac06/detection 23.163.0.133:443 # Reference: https://twitter.com/SethKingHi/status/1628601980682932224 # Reference: https://twitter.com/liqingjia1989/status/1640273312692727809 # Reference: https://www.virustotal.com/gui/file/6a3624f7022bf5797cb4a2bc633c383f4c59e0b6c277dea292657d56d66e29ae/detection # Reference: https://www.virustotal.com/gui/file/038da443e2ffc69b0c3d6bba7eab229166d1340ff07754fd51019d74a89b0c0b/detection http://162.216.243.187 /S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php /foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php /3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php /S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/ /S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/ /S8hmr7lxi7n4ceD2g93yz/ /Ztrt1DyB3tTXbjG.php # Reference: https://twitter.com/ThreatBookLabs/status/1631134841923325958 # Reference: https://www.virustotal.com/gui/ip-address/82.180.172.13/relations # Reference: https://www.virustotal.com/gui/file/9b3d01dd457b4eeae6712df54c7ef96312f56cd0115612d0d5aece654fc6bc61/detection officedocuments.info # Reference: https://twitter.com/ThreatBookLabs/status/1640397245882437632 pitbmail.000webhostapp.com webmail-pitb-gov-pk.netlify.app # Reference: https://twitter.com/blackorbird/status/1649005925947310080 # Reference: https://mp.weixin.qq.com/s/Nk2zml2d0HtK0hszyKW2Dw (Chinese) charliezard.shop msit5214.b-cdn.net shhh2564.b-cdn.net # Reference: https://twitter.com/ThreatBookLabs/status/1650906402792304641 douyni.info # Reference: https://twitter.com/ThreatBookLabs/status/1651052933142937600 ctg36512.b-cdn.net # Reference: https://about.fb.com/wp-content/uploads/2023/05/Meta-Quarterly-Adversarial-Threat-Report-Q1-2023.pdf 104.27.172.22:9371 104.27.173.22:9371 106.215.68.174:9371 172.94.99.215:4040 185.82.216.57:2125 195.20.54.105:4040 appplace.life bayanat.co.nf beautifullimages.co.nf chirrups-download.ml downloader-file.cf downloadvpn.comli.com drive-sharefiles-downloads.ga drive-sharefiles-downloads.gq faridun.com file-downloader.ga file-star.buzz fileshares.online fun.socialyte.site islamicbayanat.ddns.net kashmirundergroundnews.ml newice.hopto.org securemessagingapps.blogspot.com socialyte.site stockapp-fresh.com thenewsnation.ml videvideocaller.ml vpndl.co.nf vpndownload.co.nf vpndownload.webutu.com vpndownloads.co.nf vpndownloads.ddns.net webmails-authentication.tk /gdgtgdt1245435/chirrups.apk /poahbcyskdh/cable.apk /vdfogrglj/YoTalk.apk /gdgtgdt1245435/ /poahbcyskdh/ /vdfogrglj/ # Reference: https://twitter.com/malwrhunterteam/status/1676228569263996930 # Reference: https://www.virustotal.com/gui/ip-address/185.225.69.181/detection # Reference: https://www.virustotal.com/gui/file/1648cc664ab332c446d89a5406cc6adcfa357b2883d44f059c54012a4401b4f2/detection # Reference: https://www.virustotal.com/gui/file/8cd0ad4572e1f0b71ed8e8e84d4e75942393617afac3962c164ff04a3ab87ea4/detection # Reference: https://www.virustotal.com/gui/file/a3fc903bf6bf49f8c6e3bd5633433cfcae80be54eeefbb7345764b0059491371/detection # Reference: https://www.virustotal.com/gui/file/d4fdd37f4aaa486a9ca32d083ba2900f237eb0a186f3a6f4418d63ccdf7d69ca/detection http://185.225.69.181 onedriver.cloud toptaskrabbitgroup.com # Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1681921960731897856 # Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1681924794701455361 # Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1681925487080378368 # Reference: https://twitter.com/Des00464472/status/1687394684652695553 # Reference: https://mp-weixin-qq-com.translate.goog/s/9cqXdFn7erJupk9QPRhqpg?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=zh-CN&_x_tr_pto=wapp (# APT-K-47, ORPCBackdoor) # Reference: https://www.virustotal.com/gui/file/a7acb7fa69f218475e06fb27dceac3f199b9cb7cbea07d01c0cfb220b465cbc4/detection # Reference: https://www.virustotal.com/gui/file/556f51b7bd03b9be121f4a35916bef331d1ac82f3a00ed014975c12986d6c1e9/detection # Reference: https://www.virustotal.com/gui/file/dd53768eb7d5724adeb58796f986ded3c9b469157a1a1757d80ccd7956a3dbda/detection msdocs.ddns.net msoutllook.ddns.net outlook-services.ddns.net outlook-updates.ddns.net # Reference: https://twitter.com/binlmmhc/status/1682284911506636800 # Reference: https://www.virustotal.com/gui/file/e43d53c505e0944e6a8ce9f613a1ce5ef2b845fd04b9a777e1515b787206a03c/detection kdrm201.b-cdn.net # Reference: https://twitter.com/binlmmhc/status/1684521661926973440 cftn6129.b-cdn.net johu91837.b-cdn.net nthb041.b-cdn.net # Reference: https://twitter.com/StopMalvertisin/status/1691469917475000320 dgdg8675.b-cdn.net # Reference: https://twitter.com/StopMalvertisin/status/1692879603977908224 # Reference: https://www.virustotal.com/gui/file/709298c36dcc4afedc1ef5725890f119d117df1ad5776cdeecda9c1a7380a33b/detection ppzo3687.b-cdn.net # Reference: https://twitter.com/ginkgo_g/status/1694544752350486732 kdrm201.b-cdn.net # Reference: https://mp.weixin.qq.com/s/nMTQww-jHkdKBWFPYdfprA (Chinese) # Reference: https://www.virustotal.com/gui/file/1e2b343eb7948ed225dc192e53dfe8d1d587c9b88ef17b910dc48810dccb4f28/detection http://149.102.225.98 /sun2/UploadToServer.php /sun2/UploadToServer_gb.php /sun2/createDirecotory.php /sun2/save_file_str.php /sun2/save_target_applist.php /sun2/save_whats_chat.php /sun2/savetargetdeviceinfo.php # Reference: https://twitter.com/malwrhunterteam/status/1704236578053210488 # Reference: https://twitter.com/RexorVc0/status/1715246574748549581 # Reference: https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247495700&idx=1&sn=5f39caf4d5fafef490ff1ad18f072a16&chksm=f9ed9cabce9a15bd1a5c94d19de5c927bdd0983b55b6183159a40034129bc78b2355aab38d85&scene=178&cur_album_id=1375769135073951745#rd (# RiverStealer) # Reference: https://www.virustotal.com/gui/file/1f3590c97efdbaff2fff55a9f420863ca543f6ae35d1510f65da8984cb35bba1/detection bluechillyboo.site redcrocodilepuppet.online riverelephant.site riverelephent.site /JSdfjweuisdfjhg/ /HprodXprnvlm1.php /VueWsxpogcjwq1.php # Reference: https://twitter.com/malwrhunterteam/status/1725275794711126259 # Reference: https://twitter.com/RedDrip7/status/1734110428685570139 # Reference: https://www.virustotal.com/gui/file/e8a519d735c3356b10a94f39923a10b76b644e68b74029fe7ec8e060a4345750/detection # Reference: https://www.virustotal.com/gui/file/13c1cde8ded82f73c5b0ca483c2b2f2ea693ebc9dad6d30b90fcd03ff80795d6/detection arabcomputersupportgroup.com firebasebackups.com /hailo/block.php /hailo/cert.php /hailo/load_img.php /hailo/pakart.php # Reference: https://twitter.com/ginkgo_g/status/1725445679072587993 # Reference: https://www.virustotal.com/gui/file/b019ed0bb09bda78af75f941ba1bb88f3b3e3604a202309d8661fdaacb04d02e/detection pd560.b-cdn.net pld956.b-cdn.net # Reference: https://otx.alienvault.com/pulse/6566312bddcfb0e7f0991687 grand123099ggcarnivol.com mfaturk.com morimocanab.com omeri12oncloudd.com # Reference: https://twitter.com/blackorbird/status/1729327114187587854 cflayerprotection.com cloudlflares.com # Reference: https://twitter.com/ginkgo_g/status/1731870687562752375 # Reference: https://www.virustotal.com/gui/file/90e7df73e769bf0bde48294c38004341778e6ed2a6cd8db9d20fe57524607607/detection tyfk1.b-cdn.net # Reference: https://twitter.com/ginkgo_g/status/1732652858804486614 # Reference: https://www.virustotal.com/gui/ip-address/185.74.222.34/relations # Reference: https://www.virustotal.com/gui/file/ca24347d80aed81df2a0e89075c645bfd6081a8e66103ea680f3a8758999b32b/detection wingpao.info pd35.b-cdn.net pl335.b-cdn.net # Reference: https://twitter.com/liqingjia1989/status/1639072245648883712 # Reference: https://www.virustotal.com/gui/file/cb0fe57e84a705a6e6d5d40f621c60095aaf73ba87c424029d2e2813210e09b9/detection triptrans.info # Reference: https://twitter.com/Joseliyo_Jstnk/status/1749719852623802384 # Reference: https://www.virustotal.com/gui/ip-address/152.89.247.23/relations # Reference: https://www.virustotal.com/gui/ip-address/51.79.217.72/relations # Reference: https://www.virustotal.com/gui/file/8734a8a71c27712f17d08e758a251665e1c81e91ea6482c0045facca5b777e4d/detection classcentral-drive.ddns.net deltabook.ddns.net msdesigns.site officecloud.store # Reference: https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/ # Reference: https://www.virustotal.com/gui/file/ba9aeb87025ba26e7a54fe38f97bf28b72b1dac069e9fa6624a195a599c4b0ae/detection chatapp-6b96e-default-rtdb.firebaseio.com chit-chat-e9053-default-rtdb.firebaseio.com glowchat-33103-default-rtdb.firebaseio.com hello-chat-c47ad-default-rtdb.firebaseio.com letschat-5d5e3-default-rtdb.firebaseio.com meetme-abc03-default-rtdb.firebaseio.com privchat-6cc58-default-rtdb.firebaseio.com quick-chat-1d242-default-rtdb.firebaseio.com rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase.app tiktalk-2fc98-default-rtdb.firebaseio.com wave-chat-e52fe-default-rtdb.firebaseio.com yooho-c3345-default-rtdb.firebaseio.com # Reference: https://twitter.com/ginkgo_g/status/1753339086709100633 # Reference: https://www.virustotal.com/gui/file/a4c16bcdf5db8d29688e1112434fe8f7f15e9e4dc78828ba2890bade62b9c7cc/detection hu51.b-cdn.net # Reference: https://twitter.com/malwrhunterteam/status/1758395825103798760 # Reference: https://www.virustotal.com/gui/file/e68c9aedfd080fe8e54b005482fcedb16f97caa6f7dcfb932c83b29597c6d957/detection # Reference: https://www.virustotal.com/gui/file/e89305bd8e01769d024916fb5e286b951382409a5106e31c8bea2e3400ebf603/detection denv-1.b-cdn.net denv-2.b-cdn.net # Reference: https://twitter.com/suyog41/status/1765725837041824121 # Reference: https://www.virustotal.com/gui/file/01ea7197094b9acd50605bda611111eaa822230f81a3cac4b47a2f9d01e146c1/detection # Reference: https://www.virustotal.com/gui/file/749942726963f0a55380123dff8238cdf54d6b98d3fb083528a41ba287002bad/detection espncrics.info ruz98.b-cdn.net # Reference: https://twitter.com/__0XYC__/status/1770684464470872294 # Reference: https://twitter.com/mal_analysis136/status/1770693119463326144 # Reference: https://twitter.com/suyog41/status/1771135469327417684 # Reference: https://www.virustotal.com/gui/file/8f4cf379ee2bef6b60fec792d36895dce3929bf26d0533fbb1fdb41988df7301/detection daily-mashriq.org t-cdn.org doc.t-cdn.org quranchapter.t-cdn.org /javascript/juicesdafekohioshfoshfhiofh/ /juicesdafekohioshfoshfhiofh/ /goyxdrkhjilchyigflztv # Reference: https://twitter.com/h2jazi/status/1773468430013727186 # Reference: https://twitter.com/PrakkiSathwik/status/1773763707744489594 # Reference: https://www.virustotal.com/gui/file/88558ef568b3c775b2d79499b74dc3ecde7c049440c8872573fc6622433eec17/detection # Reference: https://www.virustotal.com/gui/file/aaaae5f5d7f58eb8c970c4e5407fb2f4597bc81674d006c5e2d1462a3b133d74/detection 176.56.237.126:443 # Reference: https://twitter.com/k3yp0d/status/1780928811195887973 # Reference: https://twitter.com/k3yp0d/status/1780929118034362708 # Reference: https://twitter.com/k3yp0d/status/1780929459689758926 # Reference: https://www.virustotal.com/gui/ip-address/38.180.94.120/relations # Reference: https://www.virustotal.com/gui/file/6d6dc50e8e73053763f9b85b7c1f1b532ec3023b5b89b3546f0330b4956e75a9/detection # Reference: https://www.virustotal.com/gui/file/d0ccad2452cc0124d95214f9a9c5e4df9d842f97c6389c6e01baa0916306ad87/detection 15731.org c-cdn77.com dugayqwh.c-cdn77.com huanetdw.c-cdn77.com pijaung.c-cdn77.com # Generic /4sVKAOvu3D/ /e3e7e71a0b28b5e96cc492e636722f73/ /ABDYot0NxyG.php /BDYot0NxyG.php /UYEfgEpXAOE.php