# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: apt-04 # Reference: https://twitter.com/Sebdraven/status/1052864520522223616 # Reference: https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739 # Reference: https://www.virustotal.com/#/ip-address/185.106.120.43 heartissuehigh.win webserv-redir.net # Reference: https://twitter.com/Sebdraven/status/1140597344720830471 # Reference: https://app.any.run/tasks/d7ce191d-c04f-4eff-a13c-02cbe746c256/ # Reference: https://www.virustotal.com/gui/domain/cdn-dl.cn/relations # Reference: https://pastebin.com/rccqdjNB cdn-dl.cn bd-gov.cdn-dl.cn bdgov-mopa.cdn-dl.cn biaa-org-bd.cdn-dl.cn biaa-org.cdn-dl.cn gov-cn.cdn-dl.cn gov-pk.cdn-dl.cn hostmaster.cdn-dl.cn info-account.cdn-dl.cn ministry-gov.cdn-dl.cn ministry-interior-gov-pk.cdn-dl.cn mod-gov.cdn-dl.cn moe-gov.cdn-dl.cn moi-nadra.cdn-dl.cn mopa-bd.cdn-dl.cn mopa-bdgov.cdn-dl.cn mopa-govbd.cdn-dl.cn nadra-interior.cdn-dl.cn nadra-moi.cdn-dl.cn narda-moi.cdn-dl.cn neteease.cdn-dl.cn newmake.pw serve-dropbx-ap-east1.cdn-dl.cn suodeshui.cdn-dl.cn tiexue.cdn-dl.cn # Reference: https://twitter.com/Timele9527/status/1147750939576586244 http://167.86.116.39 # Reference: https://twitter.com/Timele9527/status/1147750939576586244 vidyasagaracademybrg.in/scripts/lnk/ vidyasagaracademybrg.in/scripts/am/ # Reference: https://twitter.com/Timele9527/status/1150597482310619136 # Reference: https://app.any.run/tasks/e15e1cd1-0c38-41b9-aa1e-a29562f17b3d/ # Reference: https://www.freebuf.com/articles/network/196788.html (Chinese) ap12.ms-update-server.net cdn-do.net cdn-edge.net cdn-list.net fb-dn.net google.com.d-dns.co msftupdate.srv-cdn.com nadra.gov.pk.d-dns.co pmo.cdn-load.net s2.cdn-edge.net s12.cdn-apn.net trans-pre.net webserv-redir.net # Reference: https://twitter.com/blackorbird/status/1160734383864610816 trans-can.net # Reference: https://mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA cdn-ps.net # Reference: https://twitter.com/blackorbird/status/1189116884626493440 paknavy.gov.pk.ap1-port.net # Reference: https://twitter.com/Timele9527/status/1195272502135549953 # Reference: https://www.virustotal.com/gui/domain/reawk.net/details reawk.net # Reference: https://twitter.com/ccxsaber/status/1195281985335201794 sd1-bin.net # Reference: https://twitter.com/0xCARNAGE/status/1203882560176218113 # Reference: https://app.any.run/tasks/3abfc241-3ab0-4016-acbb-040b44199d52/ 185.225.17.239:443 # Reference: https://twitter.com/RedDrip7/status/1206898954383740929 ap1-acl.net # Reference: https://twitter.com/Timele9527/status/1211852764688478216 # Reference: https://app.any.run/tasks/c8469e19-96a0-4f2f-9765-72acf72dee05/ fincruitconsulting.in # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/ # Reference: https://otx.alienvault.com/pulse/5e133ac9f5eaf331885e74b4 aws-check.net deb-cn.net ms-db.net ms-ethics.net # Reference: https://github.com/blackorbird/APT_REPORT/tree/master/sidewinder gov-pk.org # Reference: https://mp.weixin.qq.com/s/L3dVwbkfTABtE4ZYtv5r4w # Reference: https://otx.alienvault.com/pulse/5e206d8b77de0b2690b9946c 110.10.176.193:4443 # Reference: https://twitter.com/Timele9527/status/1247325070520750080 # Reference: https://twitter.com/Timele9527/status/1247327952238284800 # Reference: https://twitter.com/Timele9527/status/1247376905956765697 ap-ms.net d01fa.net fdn-en.net nrots.net # Reference: https://twitter.com/ShadowChasing1/status/1252547080070914048 link-cdnl.net # Reference: https://twitter.com/ccxsaber/status/1260775018306236416 au-edu.km01s.net # Reference: https://twitter.com/Arkbird_SOLG/status/1260727623539404800 kat0x.net # Reference: https://twitter.com/ShadowChasing1/status/1268214042637684738 # Reference: https://www.virustotal.com/gui/domain/chrom3.net/relations chrom3.net r0dps.net # Reference: https://twitter.com/ccxsaber/status/1281413683013287936 gov-mil.cn # Reference: https://twitter.com/ShadowChasing1/status/1284319235481538565 cdn-m1l.net tar-gz.net # Reference: https://twitter.com/cyber__sloth/status/1293183011916193793 # Reference: https://twitter.com/cyber__sloth/status/1293187616897028098 # Reference: https://twitter.com/Arkbird_SOLG/status/1293221669134372865 # Reference: https://app.any.run/tasks/e3501b33-28a2-4b7c-bc79-d20891c4832e/ http://111.229.73.84 202.58.104.100:81 # Reference: https://twitter.com/ShadowChasing1/status/1296710024643796992 # Reference: https://www.virustotal.com/gui/file/a89189f1c7c101c8d9c2637e571c4f8546df3ea557a576090cde7b75009981a9/detection fqn-cloud.net # Reference: https://twitter.com/ShadowChasing1/status/1297902086747598852 asw-edu.net filesrvr.net # Reference: https://twitter.com/cyber__sloth/status/1298187291295461376 # Reference: https://www.virustotal.com/gui/ip-address/185.141.25.136/relations mil-pk.net # Reference: https://twitter.com/ShadowChasing1/status/1308620752703299585 aws-pk.net cdn-aws-s2.net # Reference: https://twitter.com/ShadowChasing1/status/1316680709478604800 # Reference: https://twitter.com/mg2_tracy1/status/1316688407280586752 # Reference: https://www.virustotal.com/gui/file/280fb291d49f277067667838cdf30a940eaed9ed7712448158ea29e1ce6af86f/detection cdn-sop.net # Reference: https://twitter.com/ShadowChasing1/status/1324349418162720769 # Reference: https://twitter.com/ShadowChasing1/status/1324349684664528897 # Reference: https://www.virustotal.com/gui/domain/gov-pok.net/detection gov-pok.net # Reference: https://twitter.com/RedDrip7/status/1328639418110865409 # Reference: https://www.virustotal.com/gui/file/1cbec920afe2f978b8f84e0a4e6b757d400aeb96e8c0a221130060b196ece010/detection cdn-edu.net brep.cdn-edu.net # Reference: https://twitter.com/mg2_tracy1/status/1331153718931177473 # Reference: https://www.virustotal.com/gui/file/7238f4e5edbe0e5a2242d8780fb58c47e7d32bf2c4f860c88c511c30675d0857/detection ms-trace.net # Reference: https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html # Reference: https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742 185.225.19.46:4589 185.225.19.46:4875 gov-af.org gov-np.org mail-apfgavnp.hopto.org mail-apfgovnp.ddns.net mail-kmgcom.ddns.net mail-mfagovcn.hopto.org mail-mofagovnp.hopto.org mail-mofagovnp.zapto.org mail-mofgovnp.hopto.org mail-ncporgnp.hopto.org mail-nepalarmymilnp.duckdns.org mail-nepalgovnp.duckdns.org mail-nepalpolicegov.hopto.org mail-nepalpolicegovnp.duckdns.org mail-nrborg.hopto.org mail-nscaf.myftp.org mail-ntcnetnp.serveftp.com # Reference: https://twitter.com/BaoshengbinCumt/status/1342297125141454848 # Reference: https://www.virustotal.com/gui/file/c59c6c18f529c88cf352883b23af36f829b8ae1d17daa0762f028184cba7199b/detection cdn-re.net # Reference: https://twitter.com/ShadowChasing1/status/1345559958796914694 gov-mail.net # Reference: https://twitter.com/cyber__sloth/status/1346100925199478784 gov-af.net gov-crt.net gov-nadra.net gov-pbs.net gov-pmo.net # Reference: https://www.virustotal.com/gui/domain/gov-cn.net/relations gov-cn.net # Reference: https://www.virustotal.com/gui/domain/gov-cnn.net/relations gov-cnn.net # Reference: https://www.virustotal.com/gui/domain/paknavy-gov.net/detection paknavy-gov.net # Reference: https://www.virustotal.com/gui/file/4b5e0ad20a8d143567cc424edf2010146e24a0b729de7ca0f66292141d363e57/detection cdn-aws.net cdn-src.net # Reference: https://twitter.com/BaoshengbinCumt/status/1354270351702691843 del-ivery.net trans-aws.net # Reference: https://twitter.com/jfslowik/status/1362782587345727492 cdn-secure.net # Reference: https://twitter.com/h2jazi/status/1363683531067715584 # Reference: http://hackdig.com/02/hack-280699.htm # Reference: https://app.any.run/tasks/b88e935c-b17a-4429-acdc-65156804ad1c/ # Reference: https://otx.alienvault.com/pulse/6033e84e6fb8fc369323e8e3/ 151.236.11.147:57670 alsalaf.info gov-pk.info govt-pk.org gov-pak.org pk-gov.org attachments.gov-pk.info nhsrcgovpk.servehttp.com contact.gov-pak.org onedrives.pk-gov.org support.govt-pk.org support.gov-pak.org support-gov.myftp.org # Reference: https://twitter.com/DeadlyLynn/status/1367746507974270981 # Reference: https://www.virustotal.com/gui/file/bb58796f79a913a985eb41f0d12446e7ae8fe99fd3f0d432d77d8d82f202bf5f/detection cdn-pak.net fqn-mil.net mailmofagovpk.cdn-pak.net # Refereence: https://twitter.com/BaoshengbinCumt/status/1369916500014821377 afd-bdmil.cdn-pak.net fmprc.cdn-pak.net ibn.cdn-pak.net mofa.cdn-pak.net oimc.cdn-pak.net pakbj.cdn-pak.net poly.cdn-pak.net trgdte.cdn-pak.net # Reference: https://www.virustotal.com/gui/domain/www-cdn.net/relations www-cdn.net # Reference: https://twitter.com/ShadowChasing1/status/1384743822953877505 afohs.mod-pak.co fbr.mod-pak.co shaheenfoundation.mod-pak.co mod-pak.co # Reference: https://twitter.com/BaoshengbinCumt/status/1384792855692988416 # Reference: https://www.virustotal.com/gui/ip-address/185.163.45.56/relations # Reference: https://www.virustotal.com/gui/file/37a3855e05c63fdab773fdd39da021f2daf1961cc8137385db079960bdfa18c7/detection edu-mil.cn iugur.live bmac.iugur.live mofa.iugur.live # Reference: https://twitter.com/BaoshengbinCumt/status/1387233200871673856 # Reference: https://mp.weixin.qq.com/s/GWVz02_jGaUt_n9JxB1OwQ autodiscover.mofagov-pk.online cpanel.mofagov-pk.online cpcalendars.mofagov-pk.online cpcontacts.mofagov-pk.online dgmi-share-folder-nepalarmy-mil-np-coas-sambodhan-pdf.netlify.app email-nepalarmy-mil-np-owa.netlify.app imail.aop.gov.af.egateway.nsc-gov.com mail-nepalarmy-mil-np-fsdafjsd.herokuapp.com mail-nepalarmy-mil-np-login-download.netlify.app mail-nepalarmy-mil-np-view.netlify.app mail-nepalpolice-gov-np-loginn.herokuapp.com mail-nscaf.hopto.org mail-ntmail-ntcnetnp.serveftp.comcnetnp.serveftp.com mail.mofagov-pk.online medeclinic.ae mil-pk.net mod-cn.trans-del.net mofagov-pk.naatlibrary.com mofagov-pk.online naatlibrary.com nepalarmy.trans-del.net nsc-gov.com nsc-gov.net polyinc-global.trans-del.net trans-del.net webdisk.mofagov-pk.online webmail.mofagov-pk.online www-punjabpolice-gov-pk-sopforsecurityofforeignersandchinese.trans-aws.net # Reference: https://twitter.com/ShadowChasing1/status/1391976060472860675 paf-gov.com img-google.paf-gov.com # Reference: https://twitter.com/ShadowChasing1/status/1396809305194590211 # Reference: https://www.virustotal.com/gui/file/caaf44f16dcbee93071887ab6844ed79975ccd20f9008deb93c13bfdb436e0b0/detection bahariafoundation.org pmaesa.bahariafoundation.org # Reference: https://twitter.com/ShadowChasing1/status/1397135889327804417 comsates.org crisismanagementunit.comsates.org mofa-gov-pk-wireless.comsates.org # Reference: https://twitter.com/ShadowChasing1/status/1398171992554053632 # Reference: https://www.virustotal.com/gui/file/ff54e9228b7160f9272d67ad1423600d2cb7aa4d335412a28b11f63a517270fe/detection cdn-gov.net # Reference: https://twitter.com/Des00464472/status/1399969790471507968 paknavy-gov-cvic.fbise.org # Reference: https://twitter.com/BaoshengbinCumt/status/1403292104671916032 cdn-in.net punjabpolice.gov.pk.standingoperatingprocedureforemergencythreat.cdn-in.net # Reference: https://twitter.com/ShadowChasing1/status/1412695070659153925 # Reference: https://twitter.com/0xrb/status/1412727167151005703 pakmarines.com as.pakmarines.com dsadsa.pakmarines.com gov.pakmarines.com jmicc-gov-pk.pakmarines.com pmaesa.pakmarines.com pnwc-gov-pk.pakmarines.com pqa.gov.pakmarines.com # Reference: https://twitter.com/ShadowChasing1/status/1420762840479109122 # Reference: https://twitter.com/ShadowChasing1/status/1420762846980308999 # Reference: https://www.virustotal.com/gui/file/468351924d611359fb181855331da98359bb1b926b5ce3ee8cd3330986d6e12c/detection # Reference: https://www.virustotal.com/gui/file/84d5a31227eaa3be1134bb6f5a2f92c2621e738ee0c0c4f84758ae8d79d09526/detection pak-web.com fbr.pak-web.com # Reference: https://twitter.com/malwrhunterteam/status/1109085127290900480 nitb.pk-gov.org # Reference: https://mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ (Chinese) # Note: APT-C-48 http://213.227.154.175 http://78.142.29.118 141.136.0.91:443 213.227.154.175:443 91.193.18.248:443 cert.pk-gov.org dns1.pk-gov.org nccs.pk-gov.org ntc-pk.sytes.net quwa-paf.servehttp.com /F453457Pl_TMP347923592380/ /pl200_TMP2831474WDF.php # Reference: https://twitter.com/ShadowChasing1/status/1466001768765018116 # Reference: https://www.virustotal.com/gui/file/38853bf262979313483310502d14a78db147586880d34571edf4d90e4bf05eb1 mofa.live aitkenspencelogistics.mofa.live careitservices.mofa.live dsfvgbh.mofa.live paknavy.mofa.live # Reference: https://twitter.com/ShadowChasing1/status/1466686780531363840 # Reference: https://www.virustotal.com/gui/file/92dbd7f4399bce8b75e2c248af855df498bbed7e342c2d98ff6fcf15b611c50e webarchive-datacenter.herokuapp.com # Reference: https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/ afghannewsnetwork.com afrepublic.xyz amsss.in appsstore.in eurekawatersolution.com maajankidevisevasansthan.org newsroom247.xyz republicofaf.xyz scouttable.xyz securecheker.in securedesk.one scout.fontsplugins.com # Reference: https://twitter.com/souiten/status/1467674804211777536 # Reference: https://twitter.com/souiten/status/1467689489145339915 # Reference: https://twitter.com/souiten/status/1467693133001486337 # Reference: https://www.virustotal.com/gui/file/04206a2217be8d09e6dc6989d2a2b9aae8623f8fac962e5e07d9fa1a1577998b/detection 173.212.242.43:57149 paryavaranindia.com/css/files/docs/Updated-Leave-Rules-Fourth-Edition/css paryavaranindia.com/css/files/hulfz/ # Reference: https://twitter.com/h2jazi/status/1469399194435735553 # Reference: https://twitter.com/h2jazi/status/1469399196369313792 # Reference: https://www.virustotal.com/gui/file/2cf842ec2bac099d200c079375a4be7a4d0b3b5869dd739582b7df168e6c4fb6 # Reference: https://www.virustotal.com/gui/file/a7b52acc18ce7fd14b4a410019a1f0042a6743dcbe887e82d498130848ce195c/detection # Reference: https://www.virustotal.com/gui/file/c02108f0b413ecdcb8fe48ff445cb75d45324bfd06734011409de57c7cfdeb73/detection # Reference: https://www.virustotal.com/gui/file/4219de40e65c89ecba9bd392f744fa26b867cad82d1b994e1e9266482089d8f9/detection # Reference: https://www.virustotal.com/gui/file/16467586cb1a11ce2e1ca81ae6fb490fbc8f5602245f883c14e940189dfd2b79/detection http://62.171.172.199 62.171.172.199:443 62.171.172.199:81 # Reference: https://twitter.com/GGGGh0st/status/1471323446713864193 # Reference: https://www.virustotal.com/gui/file/1bf584616477e16b54d6be7ce4d69f7ea26ee7841ec9a17ed162f4d560ab125a/detection 62.171.187.53:43 62.171.187.53:44 62.171.187.53:45 # Reference: https://twitter.com/ShadowChasing1/status/1474901903418949636 # Reference: https://twitter.com/ShadowChasing1/status/1474901905474129922 # Reference: https://www.virustotal.com/gui/file/d3a0b7c5a1eafbf7d381b6ee064083496476163da5dfed53096fac36c2b30738/detection bahariafoundation.live compress.bahariafoundation.live invitation.bahariafoundation.live mohgovsg.bahariafoundation.live pnwc.bahariafoundation.live # Reference: https://twitter.com/ShadowChasing1/status/1435546349856907268 # Reference: https://www.virustotal.com/gui/file/da08044373bc9bd54fd2ead9705446917e8f6e53d32f0885854e720e601cdbef/detection asw-sns.link edu-cx.org afd.edu-cx.org f.edu-cx.org fsfdsf.edu-cx.org go.edu-cx.org mofagovpk.edu-cx.org paknavy.edu-cx.org rkvisa200de.edu-cx.org rrkvisa200de.edu-cx.org yahoo.edu-cx.org # Reference: https://twitter.com/ShadowChasing1/status/1433038639961804800 # Reference: https://www.virustotal.com/gui/file/8a1c9a28ba0c74bafd71705aa12128831d66bbae06536a81d680cd207e740a65/detection ppra.live nima.ppra.live # Reference: https://twitter.com/ShadowChasing1/status/1427258373532119044 # Reference: https://www.virustotal.com/gui/file/66ddbdfe9328d6a3f49abbb814252617fce0e05934ceeef9813e8bd30385fe50/detection ppinewsagency.live behr.ppinewsagency.live # Reference: https://twitter.com/h2jazi/status/1478496217789341698 # Reference: https://www.virustotal.com/gui/file/df0b09c9f359f2e086e5e6b78f6fc6f63c9be1c6023cc6ee1e698d6e0daba31b/detection teckblog.live ms.teckblog.live # Reference: https://twitter.com/s1ckb017/status/1478750005594927109 # Reference: https://twitter.com/s1ckb017/status/1478750907827429380 # Reference: https://twitter.com/500mk500/status/1478758092611407876 # Reference: https://www.virustotal.com/gui/ip-address/164.68.108.153/relations # Reference: https://www.virustotal.com/gui/file/88a174855020c69d7719779a09c9b1058ec6732aa0fb04343c1d82fe13ca2e6e/detection # Reference: https://www.virustotal.com/gui/file/f4777f8751ed6818a693817513a5685f13a249803658d1f12190d7b1aa26079e/detection # Reference: https://www.virustotal.com/gui/file/9abd42a9f2cc147db47d4bb9598870eab96a2094964e97a6cb231f58d4d4ada2/detection # Reference: https://www.virustotal.com/gui/file/c401fc82d3ffdf118aac1bc247838fcd554b7faa3fd10aaa00ed83d80d00b87b/detection 164.68.108.153:4142 164.68.108.153:5000 164.68.108.153:8062 digitalworldonline.net # Reference: https://twitter.com/uslss_etr/status/1478784684452720646 # Reference: https://www.virustotal.com/gui/domain/paknvay-pk.net/relations # Reference: https://www.virustotal.com/gui/ip-address/94.158.245.67/relations # Reference: https://www.virustotal.com/gui/file/146e2c51cd7c904e0eeb641daa6ee956e80b48b198b9d2a9fd9b92b68399f9d1/detection # Reference: https://www.virustotal.com/gui/file/e74be8bbad2fa8577b7383e6ad4dffd5d0cd44e75c0a7148a971c417d38d8ee7/detection paknvay-pk.net careitservices.paknvay-pk.net dgpr.paknvay-pk.net mofa.paknvay-pk.net # Reference: https://www.virustotal.com/gui/domain/cdn-noc.net/relations cdn-noc.net # Reference: https://twitter.com/souiten/status/1474200802344386560 # Reference: https://www.virustotal.com/gui/file/ed4912f09e212479a319de1e95dd3e7d0e3574658be60782369c0e7a19ae0173/detection 62.171.172.199:88 # Reference: https://twitter.com/h2jazi/status/1479502335328112645 # Reference: https://www.virustotal.com/gui/ip-address/144.126.141.41/relations # Reference: https://www.virustotal.com/gui/file/d15f76acb846b237956a6373bd6646ef804419dd9a9fd3c9501acc241fcddff9/detection # Reference: https://www.virustotal.com/gui/file/947b81c1ecdb34533f7bc9c41d6678fa525c17eae5b8f383e89c6c66db0743c1/detection afcat.xyz # Reference: https://twitter.com/alex_lanstein/status/1479569375971713029 # Reference: https://pastebin.com/9HwieuS2 moma-pk.org dfgrthy.moma-pk.org mofa.moma-pk.org sppc.moma-pk.org # Reference: https://www.virustotal.com/gui/domain/cvix.live/relations cvix.live cn.cvix.live cosmic.cvix.live defencelk.cvix.live mailaplf.cvix.live mailmfagovnp.cvix.live mailmofagoug.cvix.live mailmofagovpk.cvix.live mailoutlookcom.cvix.live mailyahoocom.cvix.live # Reference: https://twitter.com/ShadowChasing1/status/1481583143735808001 # Reference: https://www.virustotal.com/gui/file/cb933361cd6c26ca61c441a40da394a505086f572fd7e9bd425bf086adf50edc/detection ministry-pk.net cabinet-gov-pk.ministry-pk.net # Reference: https://twitter.com/cyber__sloth/status/1485361081329631236 email-gov-in.digital mailnic.info