# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: apt-04, apt-c-24, apt-q-39 # Reference: https://twitter.com/Sebdraven/status/1052864520522223616 # Reference: https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739 # Reference: https://www.virustotal.com/#/ip-address/185.106.120.43 heartissuehigh.win webserv-redir.net # Reference: https://twitter.com/Sebdraven/status/1140597344720830471 # Reference: https://app.any.run/tasks/d7ce191d-c04f-4eff-a13c-02cbe746c256/ # Reference: https://www.virustotal.com/gui/domain/cdn-dl.cn/relations # Reference: https://pastebin.com/rccqdjNB cdn-dl.cn bd-gov.cdn-dl.cn bdgov-mopa.cdn-dl.cn biaa-org-bd.cdn-dl.cn biaa-org.cdn-dl.cn gov-cn.cdn-dl.cn gov-pk.cdn-dl.cn hostmaster.cdn-dl.cn info-account.cdn-dl.cn ministry-gov.cdn-dl.cn ministry-interior-gov-pk.cdn-dl.cn mod-gov.cdn-dl.cn moe-gov.cdn-dl.cn moi-nadra.cdn-dl.cn mopa-bd.cdn-dl.cn mopa-bdgov.cdn-dl.cn mopa-govbd.cdn-dl.cn nadra-interior.cdn-dl.cn nadra-moi.cdn-dl.cn narda-moi.cdn-dl.cn neteease.cdn-dl.cn newmake.pw serve-dropbx-ap-east1.cdn-dl.cn suodeshui.cdn-dl.cn tiexue.cdn-dl.cn # Reference: https://twitter.com/Timele9527/status/1147750939576586244 http://167.86.116.39 # Reference: https://twitter.com/Timele9527/status/1147750939576586244 vidyasagaracademybrg.in/scripts/lnk/ vidyasagaracademybrg.in/scripts/am/ # Reference: https://twitter.com/Timele9527/status/1150597482310619136 # Reference: https://app.any.run/tasks/e15e1cd1-0c38-41b9-aa1e-a29562f17b3d/ # Reference: https://www.freebuf.com/articles/network/196788.html (Chinese) ap12.ms-update-server.net cdn-do.net cdn-edge.net cdn-list.net fb-dn.net google.com.d-dns.co msftupdate.srv-cdn.com nadra.gov.pk.d-dns.co pmo.cdn-load.net s2.cdn-edge.net s12.cdn-apn.net trans-pre.net webserv-redir.net # Reference: https://twitter.com/blackorbird/status/1160734383864610816 trans-can.net # 
Reference: https://mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA cdn-ps.net # Reference: https://twitter.com/blackorbird/status/1189116884626493440 paknavy.gov.pk.ap1-port.net # Reference: https://twitter.com/Timele9527/status/1195272502135549953 # Reference: https://www.virustotal.com/gui/domain/reawk.net/details reawk.net # Reference: https://twitter.com/ccxsaber/status/1195281985335201794 sd1-bin.net # Reference: https://twitter.com/0xCARNAGE/status/1203882560176218113 # Reference: https://app.any.run/tasks/3abfc241-3ab0-4016-acbb-040b44199d52/ 185.225.17.239:443 # Reference: https://twitter.com/RedDrip7/status/1206898954383740929 ap1-acl.net # Reference: https://twitter.com/Timele9527/status/1211852764688478216 # Reference: https://app.any.run/tasks/c8469e19-96a0-4f2f-9765-72acf72dee05/ fincruitconsulting.in # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/ # Reference: https://otx.alienvault.com/pulse/5e133ac9f5eaf331885e74b4 aws-check.net deb-cn.net ms-db.net ms-ethics.net # Reference: https://github.com/blackorbird/APT_REPORT/tree/master/sidewinder gov-pk.org # Reference: https://mp.weixin.qq.com/s/L3dVwbkfTABtE4ZYtv5r4w # Reference: https://otx.alienvault.com/pulse/5e206d8b77de0b2690b9946c 110.10.176.193:4443 # Reference: https://twitter.com/Timele9527/status/1247325070520750080 # Reference: https://twitter.com/Timele9527/status/1247327952238284800 # Reference: https://twitter.com/Timele9527/status/1247376905956765697 ap-ms.net d01fa.net fdn-en.net nrots.net # Reference: https://twitter.com/ShadowChasing1/status/1252547080070914048 link-cdnl.net # Reference: https://twitter.com/ccxsaber/status/1260775018306236416 au-edu.km01s.net # Reference: https://twitter.com/Arkbird_SOLG/status/1260727623539404800 kat0x.net # Reference: https://twitter.com/ShadowChasing1/status/1268214042637684738 # Reference: 
https://www.virustotal.com/gui/domain/chrom3.net/relations chrom3.net r0dps.net # Reference: https://twitter.com/ccxsaber/status/1281413683013287936 gov-mil.cn # Reference: https://twitter.com/ShadowChasing1/status/1284319235481538565 cdn-m1l.net tar-gz.net # Reference: https://twitter.com/cyber__sloth/status/1293183011916193793 # Reference: https://twitter.com/cyber__sloth/status/1293187616897028098 # Reference: https://twitter.com/Arkbird_SOLG/status/1293221669134372865 # Reference: https://app.any.run/tasks/e3501b33-28a2-4b7c-bc79-d20891c4832e/ http://111.229.73.84 202.58.104.100:81 # Reference: https://twitter.com/ShadowChasing1/status/1296710024643796992 # Reference: https://www.virustotal.com/gui/file/a89189f1c7c101c8d9c2637e571c4f8546df3ea557a576090cde7b75009981a9/detection fqn-cloud.net # Reference: https://twitter.com/ShadowChasing1/status/1297902086747598852 asw-edu.net filesrvr.net # Reference: https://twitter.com/cyber__sloth/status/1298187291295461376 # Reference: https://www.virustotal.com/gui/ip-address/185.141.25.136/relations mil-pk.net # Reference: https://twitter.com/ShadowChasing1/status/1308620752703299585 aws-pk.net cdn-aws-s2.net # Reference: https://twitter.com/ShadowChasing1/status/1316680709478604800 # Reference: https://twitter.com/mg2_tracy1/status/1316688407280586752 # Reference: https://www.virustotal.com/gui/file/280fb291d49f277067667838cdf30a940eaed9ed7712448158ea29e1ce6af86f/detection cdn-sop.net # Reference: https://twitter.com/ShadowChasing1/status/1324349418162720769 # Reference: https://twitter.com/ShadowChasing1/status/1324349684664528897 # Reference: https://www.virustotal.com/gui/domain/gov-pok.net/detection gov-pok.net # Reference: https://twitter.com/RedDrip7/status/1328639418110865409 # Reference: https://www.virustotal.com/gui/file/1cbec920afe2f978b8f84e0a4e6b757d400aeb96e8c0a221130060b196ece010/detection cdn-edu.net brep.cdn-edu.net # Reference: https://twitter.com/mg2_tracy1/status/1331153718931177473 # Reference: 
https://www.virustotal.com/gui/file/7238f4e5edbe0e5a2242d8780fb58c47e7d32bf2c4f860c88c511c30675d0857/detection ms-trace.net # Reference: https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html # Reference: https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742 185.225.19.46:4589 185.225.19.46:4875 gov-af.org gov-np.org mail-apfgavnp.hopto.org mail-apfgovnp.ddns.net mail-kmgcom.ddns.net mail-mfagovcn.hopto.org mail-mofagovnp.hopto.org mail-mofagovnp.zapto.org mail-mofgovnp.hopto.org mail-ncporgnp.hopto.org mail-nepalarmymilnp.duckdns.org mail-nepalgovnp.duckdns.org mail-nepalpolicegov.hopto.org mail-nepalpolicegovnp.duckdns.org mail-nrborg.hopto.org mail-nscaf.myftp.org mail-ntcnetnp.serveftp.com # Reference: https://twitter.com/BaoshengbinCumt/status/1342297125141454848 # Reference: https://www.virustotal.com/gui/file/c59c6c18f529c88cf352883b23af36f829b8ae1d17daa0762f028184cba7199b/detection cdn-re.net # Reference: https://twitter.com/ShadowChasing1/status/1345559958796914694 gov-mail.net # Reference: https://twitter.com/cyber__sloth/status/1346100925199478784 gov-af.net gov-crt.net gov-nadra.net gov-pbs.net gov-pmo.net # Reference: https://www.virustotal.com/gui/domain/gov-cn.net/relations gov-cn.net # Reference: https://www.virustotal.com/gui/domain/gov-cnn.net/relations gov-cnn.net # Reference: https://www.virustotal.com/gui/domain/paknavy-gov.net/detection paknavy-gov.net # Reference: https://www.virustotal.com/gui/file/4b5e0ad20a8d143567cc424edf2010146e24a0b729de7ca0f66292141d363e57/detection cdn-aws.net cdn-src.net # Reference: https://twitter.com/BaoshengbinCumt/status/1354270351702691843 del-ivery.net trans-aws.net # Reference: https://twitter.com/jfslowik/status/1362782587345727492 cdn-secure.net # Reference: https://twitter.com/h2jazi/status/1363683531067715584 # Reference: http://hackdig.com/02/hack-280699.htm # Reference: https://app.any.run/tasks/b88e935c-b17a-4429-acdc-65156804ad1c/ # 
Reference: https://otx.alienvault.com/pulse/6033e84e6fb8fc369323e8e3/ 151.236.11.147:57670 alsalaf.info gov-pk.info govt-pk.org gov-pak.org pk-gov.org attachments.gov-pk.info nhsrcgovpk.servehttp.com contact.gov-pak.org onedrives.pk-gov.org support.govt-pk.org support.gov-pak.org support-gov.myftp.org # Reference: https://twitter.com/DeadlyLynn/status/1367746507974270981 # Reference: https://www.virustotal.com/gui/file/bb58796f79a913a985eb41f0d12446e7ae8fe99fd3f0d432d77d8d82f202bf5f/detection cdn-pak.net fqn-mil.net mailmofagovpk.cdn-pak.net # Reference: https://twitter.com/BaoshengbinCumt/status/1369916500014821377 afd-bdmil.cdn-pak.net fmprc.cdn-pak.net ibn.cdn-pak.net mofa.cdn-pak.net oimc.cdn-pak.net pakbj.cdn-pak.net poly.cdn-pak.net trgdte.cdn-pak.net # Reference: https://www.virustotal.com/gui/domain/www-cdn.net/relations www-cdn.net # Reference: https://twitter.com/ShadowChasing1/status/1384743822953877505 afohs.mod-pak.co fbr.mod-pak.co shaheenfoundation.mod-pak.co mod-pak.co # Reference: https://twitter.com/BaoshengbinCumt/status/1384792855692988416 # Reference: https://www.virustotal.com/gui/ip-address/185.163.45.56/relations # Reference: https://www.virustotal.com/gui/file/37a3855e05c63fdab773fdd39da021f2daf1961cc8137385db079960bdfa18c7/detection edu-mil.cn iugur.live bmac.iugur.live mofa.iugur.live # Reference: https://twitter.com/BaoshengbinCumt/status/1387233200871673856 # Reference: https://mp.weixin.qq.com/s/GWVz02_jGaUt_n9JxB1OwQ autodiscover.mofagov-pk.online cpanel.mofagov-pk.online cpcalendars.mofagov-pk.online cpcontacts.mofagov-pk.online dgmi-share-folder-nepalarmy-mil-np-coas-sambodhan-pdf.netlify.app email-nepalarmy-mil-np-owa.netlify.app imail.aop.gov.af.egateway.nsc-gov.com mail-nepalarmy-mil-np-fsdafjsd.herokuapp.com mail-nepalarmy-mil-np-login-download.netlify.app mail-nepalarmy-mil-np-view.netlify.app mail-nepalpolice-gov-np-loginn.herokuapp.com mail-nscaf.hopto.org mail-ntmail-ntcnetnp.serveftp.comcnetnp.serveftp.com 
mail.mofagov-pk.online medeclinic.ae mil-pk.net mod-cn.trans-del.net mofagov-pk.naatlibrary.com mofagov-pk.online naatlibrary.com nepalarmy.trans-del.net nsc-gov.com nsc-gov.net polyinc-global.trans-del.net trans-del.net webdisk.mofagov-pk.online webmail.mofagov-pk.online www-punjabpolice-gov-pk-sopforsecurityofforeignersandchinese.trans-aws.net # Reference: https://twitter.com/ShadowChasing1/status/1391976060472860675 paf-gov.com img-google.paf-gov.com # Reference: https://twitter.com/ShadowChasing1/status/1396809305194590211 # Reference: https://www.virustotal.com/gui/file/caaf44f16dcbee93071887ab6844ed79975ccd20f9008deb93c13bfdb436e0b0/detection bahariafoundation.org pmaesa.bahariafoundation.org # Reference: https://twitter.com/ShadowChasing1/status/1397135889327804417 comsates.org crisismanagementunit.comsates.org mofa-gov-pk-wireless.comsates.org # Reference: https://twitter.com/ShadowChasing1/status/1398171992554053632 # Reference: https://www.virustotal.com/gui/file/ff54e9228b7160f9272d67ad1423600d2cb7aa4d335412a28b11f63a517270fe/detection cdn-gov.net # Reference: https://twitter.com/Des00464472/status/1399969790471507968 paknavy-gov-cvic.fbise.org # Reference: https://twitter.com/BaoshengbinCumt/status/1403292104671916032 cdn-in.net punjabpolice.gov.pk.standingoperatingprocedureforemergencythreat.cdn-in.net # Reference: https://twitter.com/ShadowChasing1/status/1412695070659153925 # Reference: https://twitter.com/0xrb/status/1412727167151005703 pakmarines.com as.pakmarines.com dsadsa.pakmarines.com gov.pakmarines.com jmicc-gov-pk.pakmarines.com pmaesa.pakmarines.com pnwc-gov-pk.pakmarines.com pqa.gov.pakmarines.com # Reference: https://twitter.com/ShadowChasing1/status/1420762840479109122 # Reference: https://twitter.com/ShadowChasing1/status/1420762846980308999 # Reference: https://www.virustotal.com/gui/file/468351924d611359fb181855331da98359bb1b926b5ce3ee8cd3330986d6e12c/detection # Reference: 
https://www.virustotal.com/gui/file/84d5a31227eaa3be1134bb6f5a2f92c2621e738ee0c0c4f84758ae8d79d09526/detection pak-web.com fbr.pak-web.com # Reference: https://twitter.com/malwrhunterteam/status/1109085127290900480 nitb.pk-gov.org # Reference: https://mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ (Chinese) # Note: APT-C-48 http://213.227.154.175 http://78.142.29.118 141.136.0.91:443 213.227.154.175:443 91.193.18.248:443 cert.pk-gov.org dns1.pk-gov.org nccs.pk-gov.org ntc-pk.sytes.net quwa-paf.servehttp.com /F453457Pl_TMP347923592380/ /pl200_TMP2831474WDF.php # Reference: https://twitter.com/ShadowChasing1/status/1466001768765018116 # Reference: https://www.virustotal.com/gui/file/38853bf262979313483310502d14a78db147586880d34571edf4d90e4bf05eb1 mofa.live aitkenspencelogistics.mofa.live careitservices.mofa.live dsfvgbh.mofa.live paknavy.mofa.live # Reference: https://twitter.com/ShadowChasing1/status/1466686780531363840 # Reference: https://www.virustotal.com/gui/file/92dbd7f4399bce8b75e2c248af855df498bbed7e342c2d98ff6fcf15b611c50e webarchive-datacenter.herokuapp.com # Reference: https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/ afghannewsnetwork.com afrepublic.xyz amsss.in appsstore.in eurekawatersolution.com maajankidevisevasansthan.org newsroom247.xyz republicofaf.xyz scouttable.xyz securecheker.in securedesk.one scout.fontsplugins.com # Reference: https://twitter.com/souiten/status/1467674804211777536 # Reference: https://twitter.com/souiten/status/1467689489145339915 # Reference: https://twitter.com/souiten/status/1467693133001486337 # Reference: https://www.virustotal.com/gui/file/04206a2217be8d09e6dc6989d2a2b9aae8623f8fac962e5e07d9fa1a1577998b/detection 173.212.242.43:57149 paryavaranindia.com/css/files/docs/Updated-Leave-Rules-Fourth-Edition/css paryavaranindia.com/css/files/hulfz/ # Reference: https://twitter.com/h2jazi/status/1469399194435735553 # Reference: 
https://twitter.com/h2jazi/status/1469399196369313792 # Reference: https://www.virustotal.com/gui/file/2cf842ec2bac099d200c079375a4be7a4d0b3b5869dd739582b7df168e6c4fb6 # Reference: https://www.virustotal.com/gui/file/a7b52acc18ce7fd14b4a410019a1f0042a6743dcbe887e82d498130848ce195c/detection # Reference: https://www.virustotal.com/gui/file/c02108f0b413ecdcb8fe48ff445cb75d45324bfd06734011409de57c7cfdeb73/detection # Reference: https://www.virustotal.com/gui/file/4219de40e65c89ecba9bd392f744fa26b867cad82d1b994e1e9266482089d8f9/detection # Reference: https://www.virustotal.com/gui/file/16467586cb1a11ce2e1ca81ae6fb490fbc8f5602245f883c14e940189dfd2b79/detection http://62.171.172.199 62.171.172.199:443 62.171.172.199:81 # Reference: https://twitter.com/GGGGh0st/status/1471323446713864193 # Reference: https://www.virustotal.com/gui/file/1bf584616477e16b54d6be7ce4d69f7ea26ee7841ec9a17ed162f4d560ab125a/detection 62.171.187.53:43 62.171.187.53:44 62.171.187.53:45 # Reference: https://twitter.com/ShadowChasing1/status/1474901903418949636 # Reference: https://twitter.com/ShadowChasing1/status/1474901905474129922 # Reference: https://www.virustotal.com/gui/file/d3a0b7c5a1eafbf7d381b6ee064083496476163da5dfed53096fac36c2b30738/detection bahariafoundation.live compress.bahariafoundation.live invitation.bahariafoundation.live mohgovsg.bahariafoundation.live pnwc.bahariafoundation.live # Reference: https://twitter.com/ShadowChasing1/status/1435546349856907268 # Reference: https://www.virustotal.com/gui/file/da08044373bc9bd54fd2ead9705446917e8f6e53d32f0885854e720e601cdbef/detection asw-sns.link edu-cx.org afd.edu-cx.org f.edu-cx.org fsfdsf.edu-cx.org go.edu-cx.org mofagovpk.edu-cx.org paknavy.edu-cx.org rkvisa200de.edu-cx.org rrkvisa200de.edu-cx.org yahoo.edu-cx.org # Reference: https://twitter.com/ShadowChasing1/status/1433038639961804800 # Reference: https://www.virustotal.com/gui/file/8a1c9a28ba0c74bafd71705aa12128831d66bbae06536a81d680cd207e740a65/detection ppra.live 
nima.ppra.live # Reference: https://twitter.com/ShadowChasing1/status/1427258373532119044 # Reference: https://www.virustotal.com/gui/file/66ddbdfe9328d6a3f49abbb814252617fce0e05934ceeef9813e8bd30385fe50/detection ppinewsagency.live behr.ppinewsagency.live # Reference: https://twitter.com/h2jazi/status/1478496217789341698 # Reference: https://www.virustotal.com/gui/file/df0b09c9f359f2e086e5e6b78f6fc6f63c9be1c6023cc6ee1e698d6e0daba31b/detection teckblog.live ms.teckblog.live # Reference: https://twitter.com/s1ckb017/status/1478750005594927109 # Reference: https://twitter.com/s1ckb017/status/1478750907827429380 # Reference: https://twitter.com/500mk500/status/1478758092611407876 # Reference: https://www.virustotal.com/gui/ip-address/164.68.108.153/relations # Reference: https://www.virustotal.com/gui/file/88a174855020c69d7719779a09c9b1058ec6732aa0fb04343c1d82fe13ca2e6e/detection # Reference: https://www.virustotal.com/gui/file/f4777f8751ed6818a693817513a5685f13a249803658d1f12190d7b1aa26079e/detection # Reference: https://www.virustotal.com/gui/file/9abd42a9f2cc147db47d4bb9598870eab96a2094964e97a6cb231f58d4d4ada2/detection # Reference: https://www.virustotal.com/gui/file/c401fc82d3ffdf118aac1bc247838fcd554b7faa3fd10aaa00ed83d80d00b87b/detection 164.68.108.153:4142 164.68.108.153:5000 164.68.108.153:8062 digitalworldonline.net # Reference: https://twitter.com/uslss_etr/status/1478784684452720646 # Reference: https://www.virustotal.com/gui/domain/paknvay-pk.net/relations # Reference: https://www.virustotal.com/gui/ip-address/94.158.245.67/relations # Reference: https://www.virustotal.com/gui/file/146e2c51cd7c904e0eeb641daa6ee956e80b48b198b9d2a9fd9b92b68399f9d1/detection # Reference: https://www.virustotal.com/gui/file/e74be8bbad2fa8577b7383e6ad4dffd5d0cd44e75c0a7148a971c417d38d8ee7/detection paknvay-pk.net careitservices.paknvay-pk.net dgpr.paknvay-pk.net mofa.paknvay-pk.net # Reference: https://www.virustotal.com/gui/domain/cdn-noc.net/relations cdn-noc.net # 
Reference: https://twitter.com/souiten/status/1474200802344386560 # Reference: https://www.virustotal.com/gui/file/ed4912f09e212479a319de1e95dd3e7d0e3574658be60782369c0e7a19ae0173/detection 62.171.172.199:88 # Reference: https://twitter.com/h2jazi/status/1479502335328112645 # Reference: https://www.virustotal.com/gui/ip-address/144.126.141.41/relations # Reference: https://www.virustotal.com/gui/file/d15f76acb846b237956a6373bd6646ef804419dd9a9fd3c9501acc241fcddff9/detection # Reference: https://www.virustotal.com/gui/file/947b81c1ecdb34533f7bc9c41d6678fa525c17eae5b8f383e89c6c66db0743c1/detection afcat.xyz # Reference: https://twitter.com/alex_lanstein/status/1479569375971713029 # Reference: https://pastebin.com/9HwieuS2 moma-pk.org dfgrthy.moma-pk.org mofa.moma-pk.org sppc.moma-pk.org # Reference: https://www.virustotal.com/gui/domain/cvix.live/relations cvix.live cn.cvix.live cosmic.cvix.live defencelk.cvix.live mailaplf.cvix.live mailmfagovnp.cvix.live mailmofagoug.cvix.live mailmofagovpk.cvix.live mailoutlookcom.cvix.live mailyahoocom.cvix.live # Reference: https://twitter.com/ShadowChasing1/status/1481583143735808001 # Reference: https://www.virustotal.com/gui/file/cb933361cd6c26ca61c441a40da394a505086f572fd7e9bd425bf086adf50edc/detection ministry-pk.net cabinet-gov-pk.ministry-pk.net # Reference: https://twitter.com/cyber__sloth/status/1485361081329631236 email-gov-in.digital mailnic.info indianarmy.mailnic.info kavach.mailnic.info mod.mailnic.info passapp.mailnic.info # Reference: https://twitter.com/uslss_etr/status/1489274205917044736 # Reference: https://www.virustotal.com/gui/file/85ab1c3ee01c5456eb45bf13c69dda88fa014a1dc5e832bdaa3e801a29d84ccd/detection aeltron.xyz incometaxreturn.aeltron.xyz instructions.aeltron.xyz rgdtyt.aeltron.xyz # Reference: https://twitter.com/ShadowChasing1/status/1490984172797984770 # Reference: https://www.virustotal.com/gui/file/eeeb99f94029fd366dcde7da2a75a849833c5f5932d8f1412a89ca15b9e9ebb7/detection mod-pk.com 
dgmp-paknavy.mod-pk.com # Reference: http://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html # Reference: https://www.virustotal.com/gui/ip-address/45.153.240.66/relations changeworld.hopto.org mail-argaf.myftp.org mail-meagovmv.hopto.org mail-modaf.hopto.org mail-modgav.hopto.org mail-mofa.hopto.org mail-mofagovpk.myftp.org mail-mopitgovnp.hopto.org mail-nepalpolgavnp.hopto.org mail-nepalpolice.hopto.org mail-opmcmgavnp.hopto.org microsoft-winupdate.servehttp.com teamchat.hopto.org webmail-accbt.hopto.org webmail-morrgovaf.hopto.org # Reference: https://twitter.com/souiten/status/1491681294391992325 # Reference: https://www.virustotal.com/gui/file/44c720bc1adde78e11c202615260fb9e2e4301cf06edfefe06cde09a373a6c0e/detection asianetnews.xyz awww.asianetnews.xyz mofa-gov-pk.asianetnews.xyz ofa-gov-pk.asianetnews.xyz # Reference: https://assets.sentinelone.com/sentinellabs-apt/modified-elephant-apt bbcworld-news.net newsinbbc.com # Reference: https://twitter.com/uslss_etr/status/1496118824944697345 # Reference: https://www.virustotal.com/gui/file/94214e83441e3a6a5cde971f6abe0d4bf226fd0750a0ad26d2241c085de9b604/detection crclab-bahria.org dbms.crclab-bahria.org # Reference: https://twitter.com/__0XYC__/status/1502593457201811459 nationalhelpdesk.pk pkgov.org sngpl.org.pk bok.pkgov.org bop.pkgov.org csd.pkgov.org cybernet.pkgov.org dawn.pkgov.org energy.pkgov.org fauji.pkgov.org mail.pkgov.org mofa.pkgov.org myth.pkgov.org nespak.pkgov.org nitb.pkgov.org nlc.pkgov.org np.pkgov.org nrlpak.pkgov.org ns1.pkgov.org ns2.pkgov.org ntc.pkgov.org ntdc.pkgov.org ogdcl.pkgov.org pakoil.pkgov.org parco.pkgov.org pmo.nationalhelpdesk.pk pmsa.pkgov.org ptcl.pkgov.org ptv.pkgov.org radio.pkgov.org sco.pkgov.org ssgc.pkgov.org sui.nationalhelpdesk.pk wapda.pkgov.org web.sngpl.org.pk whale.pkgov.org email.nespak.pkgov.org email.nitb.pkgov.org email.nlc.pkgov.org lotussrv01.fauji.pkgov.org mail-corp.cybernet.pkgov.org mail.bok.pkgov.org mail.bop.pkgov.org 
mail.csd.pkgov.org mail.dawn.pkgov.org mail.mofa.pkgov.org mail.nrlpak.pkgov.org mail.ntc.pkgov.org mail.ntdc.pkgov.org mail.ogdcl.pkgov.org mail.pakoil.pkgov.org mail.pkgov.org mail.pmsa.pkgov.org mail.ptv.pkgov.org mail.radio.pkgov.org mail.sco.pkgov.org parchqwebmail.parco.pkgov.org webmail.cybernet.pkgov.org webmail.ssgc.pkgov.org webmail.wapda.pkgov.org zmail.ptcl.pkgov.org # Reference: https://twitter.com/ShadowChasing1/status/1504347312838959106 # Reference: https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/ # Reference: https://www.virustotal.com/gui/domain/kpt-pk.net/relations # Reference: https://otx.alienvault.com/pulse/624c29baad734a210134b02c # Reference: https://www.virustotal.com/gui/file/f765b0b6e4a34eb95c6f0ddf058bc88d5ef9ec2b11a5f3504d1673f4f69aceca/detection kpt-pk.net awww.kpt-pk.net job.kpt-pk.net maritimepakistan.kpt-pk.net # Reference: https://twitter.com/ShadowChasing1/status/1512011407838961664 # Reference: https://www.virustotal.com/gui/file/37baf7415c755688e1e89679130b5cfd713d662330734eb310089d1f2afd82b8/detection ksew.org srilankanavy.ksew.org # Reference: https://twitter.com/ShadowChasing1/status/1518594904393355264 # Reference: https://www.virustotal.com/gui/file/5dfe303f04e3432101b676fa0f230667eb6c9bc1715d5b4042f99d9522aa00fe/detection ksewpk.com defrgthyj.ksewpk.com mofabn.ksewpk.com # Reference: https://twitter.com/botlabsDev/status/1522500574956109825 # Reference: https://www.virustotal.com/gui/file/b3caa7ce9a8de209d5a63ab95485c1181f7fca03346330fe92ff3c0a0a9c1040/detection paknavy.live awww.paknavy.live dxfgbdfh.paknavy.live pmsa.paknavy.live yfghvjb.paknavy.live # Reference: https://twitter.com/blackorbird/status/1526840629010894848 # Reference: https://mp.weixin.qq.com/s/qsGxZIiTsuI7o-_XmiHLHg # Reference: https://otx.alienvault.com/pulse/6285048d921d21c8d9beaf1f # Reference: https://www.virustotal.com/gui/domain/cssc.info/relations cssc.info job.cssc.info 
mailcantonfair.cssc.info mailcitifs.cssc.info mailgu.cssc.info mailmofa.cssc.info mailturkmenembassy.cssc.info mofa.cssc.info rancher.cssc.info sdgsfg.cssc.info # Reference: https://twitter.com/__0XYC__/status/1528616671103131649 # Reference: https://www.virustotal.com/gui/ip-address/92.118.190.165/relations # Reference: https://www.virustotal.com/gui/file/fedc3b7cdb07f7b6f5a6bc85720528057297282bfae7960b3d33001ab34a51d6/detection govpk-mail.net csd.govpk-mail.net finance.govpk-mail.net # Reference: https://twitter.com/__0XYC__/status/1529707301979947009 # Reference: https://twitter.com/0xrb/status/1529709439808602113 # Reference: https://www.virustotal.com/gui/domain/interior-pk.org/relations # Reference: https://www.virustotal.com/gui/file/6f4e89fce6a490d619cad9078079c6f6694b2798fc875288faa92b721f25d3cb/detection comsats.xyz interior-pk.org awww.interior-pk.org mofa-gov.interior-pk.org punjab.interior-pk.org paknavy.comsats.xyz # Reference: https://twitter.com/virqdroid/status/1532094635170238464 # Reference: https://twitter.com/ReBensk/status/1532245757322924032 # Reference: https://www.virustotal.com/gui/ip-address/2.56.245.21/relations pakgov.net covid.pakgov.net csd.pakgov.net dvdbhjk.pakgov.net finance.pakgov.net financial.pakgov.net flix.pakgov.net hajj.pakgov.net ji.pakgov.net nadra.pakgov.net ncoc.pakgov.net nhsrc.pakgov.net pt.pakgov.net vpn.pakgov.net wsde.pakgov.net ww2.pakgov.net # Reference: https://blog.group-ib.com/sidewinder-antibot # Reference: https://otx.alienvault.com/pulse/62987c8eafd38f2088986035 bahariafoundation.org bbcnew.cn bitlyy.me cdn-pak.net cloud-apt.net cr20g.org csd-pk.co cvix.live dawnpk.org docuserve.ltd edu-cx.org fdn-trace.net fileserve.work gov-mail.net gov.pakmarines govpk-mail.net iugur.live kdf-mail.com kpt-pk.net krlwin.org ksew.org mod-pk.com mohp-gov.org moma-pk.org paf-gov.net pafwa.info pak-gov.com pak-web.com pakgov.net pakgov.org pakmarines.com paknvay-pk.net pkrepublic.org ppinewsagency.live tin-url.com 
vpn-secure.co api.vpn-secure.co as.pakmarines.com askari.bitlyy.me askaribank.bitlyy.me bangladeshmarineacademylibrary.ppinewsagency.live bb.kdf-mail.com china.bbcnew.cn covid.bbcnew.cn covid.pakgov.net covid.pkrepublic.org covid19.mohp-gov.org csd.bitlyy.me csd.pakgov.net dasds.pak-gov.com dasdsadsa.pak-gov.com dawn.pakgov.org defencelk.cvix.live dgmp-paknavy.mod-pk.com dgpr.paknvay-pk.net dha.pakgov.org dsadsa.pakmarines.com dsasa.cr20g.org faujifoundation.bitlyy.me fbr.pak-web.com fdscv.tin-url.com finance.govpk-mail.net finance.pakgov.net financial.pakgov.net flix.pakgov.net hajj.pakgov.net hajjplanner.bitlyy.me hajjplanner.tin-url.com hbl.pakgov.org hpupdate.csd-pk.co ibn.cdn-pak.net independenceday.pafwa.info islamabadclub.docuserve.ltd islamicfinder.bitlyy.me ji.pakgov.net jp.pkrepublic.org karachishipyard.krlwin.org ltd.cdn-pak.net luckydraw.csd-pk.co mail.paf-gov.net mail.pak-gov.com mailmofagovpk.cdn-pak.net mailoutlookcom.cvix.live maritimepakistan.kpt-pk.net meet.kdf-mail.com min.tin-url.com ministryofinterior.fileserve.work mofa-gov-pk.fdn-trace.net mofa.iugur.live mofa.paknvay-pk.net nadra.pakgov.net ncoc.pakgov.net news.bitlyy.me news.dawnpk.org news.kdf-mail.com news.pakgov.org news.pkrepublic.org nhsrc.pakgov.net niims.pakgov.org paf.gov-mail.net pafroa.pak-gov.com paknavy.edu-cx.org pk.kdf-mail.com pkflix.bitlyy.me pkflix.tin-url.com pmaesa.bahariafoundation.org pqa.gov.pakmarines.com pt.pakgov.net sbp.pakgov.org sec-vpn.bitlyy.me secp.pakgov.org secure.tin-url.com shoprex.bitlyy.me smstest.kdf-mail.com sppc.moma-pk.org srilankanavy.ksew.org t.bitlyy.me telemart.bitlyy.me ubl.pakgov.org vim.kdf-mail.com vpn.pakgov.net vpn.tin-url.com wsde.pakgov.net wsed.pkrepublic.org ww2.pakgov.net xyz.kdf-mail.com # Reference: https://twitter.com/GroupIB_GIB/status/1532651046111023104 # Reference: https://www.virustotal.com/gui/file/e089dc65af44ff334304e52c29755c96460691d93cfd4e4ab75f75bc6078993e/detection # Reference: 
https://www.virustotal.com/gui/file/42b828e187e4b7f1ca5d774553c8b85c1fed204a2a5a8c50fd4c7e9a491fb118/detection almighty-allah.com supremeallah.world api.almighty-allah.com api.supremeallah.world # Reference: https://twitter.com/GroupIB_GIB/status/1532651049776865280 # Reference: https://www.virustotal.com/gui/domain/srvapp.co/relations # Reference: https://www.virustotal.com/gui/ip-address/185.225.19.142/relations # Reference: https://www.virustotal.com/gui/file/c17cbe229e743df8993b96f2887393b2565ae355f3ba61d09c901e552e7ee4d1/detection srvapp.co awww.srvapp.co discount.srvapp.co localhost.srvapp.co register.srvapp.co # Reference: https://twitter.com/blackorbird/status/1534373342446202881 # Reference: https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg (Chinese) # Reference: https://www.virustotal.com/gui/file/d74900bf7418f3ad39a5ab27326ad6591f792d1dfdfe44deb89f1b319b7d83b4/detection afg-refugee.net brwse.co civix.live crclab-bahria.org cssc.info cvix.live dawnpk.org docusserve.cc docusserve.ltd doken.xyz fdn-mac.net filedownload.work gov-pk.net kpt-pk.net ministry-pk.net mod-pk.com mofa-pk.co nationpk.org norter.xyz paf-gov.net paf-mail.com pak-gov.net pakgov.net pakgov.org paknavy.live pkrepublic.org slap-games.club trik.live watch-earn.live api.watch-earn.live # Reference: https://twitter.com/h2jazi/status/1536330475656171520 # Reference: https://www.virustotal.com/gui/file/cf79ecafd3e1ae354fcf9cf33acdb06b6b64dc9a8128656a9d27ff94e154f9c4/detection bahriafoundation.live pnwc.bahriafoundation.live # Reference: https://otx.alienvault.com/pulse/62a864daa688835ed774c449 srvapp.co register.srvapp.co # Reference: https://twitter.com/h2jazi/status/1536707820799807489 # Reference: https://www.virustotal.com/gui/ip-address/5.230.71.95/relations # Reference: https://www.virustotal.com/gui/file/4bad3e34a192a8f305e188538b4370ea835446cc6ba32fe046d9a5f2bc3df172/detection jmicc.xyz navy.jmicc.xyz navy-mil-bd.jmicc.xyz # Reference: 
https://twitter.com/malwareforme/status/1540037682314629120 # Reference: https://www.virustotal.com/gui/ip-address/5.230.69.153/relations # Reference: https://www.virustotal.com/gui/file/ee77e136f7df758c2ab9092529dc5c6b64b35bc9f4d2c16c65bcd05965ccd92a/detection alit.live bdmil.alit.live mailmofa.alit.live mailh.alit.live # Reference: https://twitter.com/BaoshengbinCumt/status/1545247231938244610 mail-mofa-gov-pk-satellite-proposal-for-pakistan-files-ops.netlify.app # Reference: https://twitter.com/Malwar3Ninja/status/1545376308196147200 mofa-pk.org br.mofa-pk.org mofa.g0v.cq.cn # Reference: https://blog.checkpoint.com/2022/07/13/a-hit-is-made-suspected-india-based-sidewinder-apt-successfully-cyber-attacks-pakistan-military-focused-targets/ # Reference: https://otx.alienvault.com/pulse/62cffda72568807d4e9a9f2e # Reference: https://www.virustotal.com/gui/ip-address/5.230.67.73/relations # Reference: https://www.virustotal.com/gui/file/898513123f0f0342b1c47a4a65c88a60f895f90a9d0fa5fc5928c26dfab622b0/detection bgevin.live eterplicity.live polvcrit.info cdn.bgevin.live cdn.polvcrit.info /W6taHcwqKwhgzWGWr7ElpRAfWA7JcsXC0A2a4eFv/ # Reference: https://twitter.com/h2jazi/status/1549762807624880128 # Reference: https://www.virustotal.com/gui/file/cd1a9ae4a3968643a6fb41b36b67838d952dac83ad63c63ce4ad3c672fac31b8/detection kpt-gov.org discount.kpt-gov.org ksew.kpt-gov.org # Reference: https://twitter.com/h2jazi/status/1550524741202726919 # Reference: https://www.virustotal.com/gui/file/a28a5417d707ecae61313bd5b7c53736d40afba2280cd7ae673963075ae37072/detection paf-gov.org awww.paf-gov.org summer.paf-gov.org finance.paf-gov.org # Reference: https://twitter.com/Des00464472/status/1550064523964338176 # Reference: https://www.virustotal.com/gui/ip-address/5.230.72.15/relations ghaflah.top cdn.ghaflah.top # Reference: https://twitter.com/Des00464472/status/1548924681008590853 mawazna.info # Reference: https://twitter.com/Des00464472/status/1531519247293513728 bluket.live # 
Reference: https://twitter.com/Des00464472/status/1528935733888970753 # Reference: https://www.virustotal.com/gui/ip-address/185.234.72.188/relations # Reference: https://www.virustotal.com/gui/ip-address/45.138.172.23/relations balcon.live greploc.live cdn.greploc.live tray.balcon.live treaty.balcon.live # Reference: https://twitter.com/Des00464472/status/1555024895020769280 paf-media.com # Reference: https://twitter.com/Des00464472/status/1553931751852244992 # Reference: https://www.virustotal.com/gui/ip-address/192.71.166.139/relations ubrig.live cdn.ubrig.live # Reference: https://twitter.com/Des00464472/status/1559010528013729792 fritor.xyz cdn.fritor.xyz # Reference: https://twitter.com/Des00464472/status/1559395659559899136 # Reference: https://www.virustotal.com/gui/ip-address/151.236.21.26/relations nelpec.top cdn.nelpec.top # Reference: https://twitter.com/uslss_etr/status/1562641328055336960 # Reference: https://www.virustotal.com/gui/ip-address/103.149.46.237/relations # Reference: https://www.virustotal.com/gui/file/efac11fcecbceb4e6273852207a3875ac1edd69158415c3a0bba704e58adeb2c/detection office-drive.live dsfbgnh.office-drive.live sl-navy.office-drive.live # Reference: https://twitter.com/Des00464472/status/1567657961887252480 # Reference: https://www.virustotal.com/gui/ip-address/5.255.104.124/relations cssc.live mailarmy.cssc.live mailoutlook.cssc.live # Reference: https://twitter.com/Des00464472/status/1569818563657224193 gov-pknet.org # Reference: https://twitter.com/malwrhunterteam/status/1570061932706635781 # Reference: https://twitter.com/h2jazi/status/1570070185620512768 # Reference: https://www.virustotal.com/gui/file/719cbc3e08d90d557d464f1a27498626c1b76d6e8db302cb53cb3013a1c35dee/detection d2klia4zfdp2mg.cloudfront.net # Reference: https://twitter.com/uslss_etr/status/1570487402694590464 # Reference: https://www.virustotal.com/gui/file/53cc8f46f10e4b3958834d75b15db3aa0d8c86a63b8bd3e6ac180c05ce27d748/detection ptcl-gov.com 
mofadividion.ptcl-gov.com # Reference: https://twitter.com/Des00464472/status/1571639928483885056 hare-ap.live # Reference: https://twitter.com/RedDrip7/status/1575745702021705728 # Reference: https://www.virustotal.com/gui/file/e6a6066594160a053fe7d68d688b95920936d5880a37a2c91872fb2fc128adf6/detection # Reference: https://www.virustotal.com/gui/file/5eec9df0c62b8a0d8c922d366e38ac91907d2a7f5cd13a717d7714015ae362c1/detection # Reference: https://www.virustotal.com/gui/file/37eca58386fbf9c1e381f88776435565623e3d2d1e2b01218f7717b963449735/detection comsats-net.com lforvk.com moma.comsats-net.com promotionlist.comsats-net.com srilanka-navy.lforvk.com # Reference: https://twitter.com/bofheaded/status/1577197626852003840 # Reference: https://www.virustotal.com/gui/ip-address/173.249.18.251/relations # Reference: https://www.virustotal.com/gui/file/e5ca4a6c4d2dbd0343cf59d7eb7fb034f45b86c13c8d80b92f289b464828d3bf/detection # Reference: https://www.virustotal.com/gui/file/7034fd95d764429b5b4b84fc7e63fa259879c10a7c0786fa47e86f911970614e/detection http://173.249.18.251 drivebrox.xyz # Reference: https://twitter.com/__0XYC__/status/1580083623717658624 # Reference: https://twitter.com/__0XYC__/status/1580796395052670976 # Reference: https://www.virustotal.com/gui/file/cd592c969a3a940e43888a1902ec9e4605ed28676d3945ab84d72175fbc87253/detection # Reference: https://www.virustotal.com/gui/file/bbcca0dc10b700c01e557612f009c050ca618f227e0b8be3d4f471dd9d887a18/detection comsats-mail.pk ntc-gov.com paf-pk-gov.org finance.gov.pk.ntc-gov.com # Reference: https://twitter.com/Des00464472/status/1582922779707703297 bentec.tech front.bentec.tech # Reference: https://twitter.com/t3ft3lb/status/1582838910857932802 # Reference: https://www.virustotal.com/gui/file/808058f4e1c47b91cacfc032f348a617961a463d19ee5389f472d29c65197438/detection tsinghua.institute awww.tsinghua.institute fdgnyt.tsinghua.institute mail.tsinghua.institute # Reference: 
https://twitter.com/ShadowChasing1/status/1583063616667799552 # Reference: https://www.virustotal.com/gui/file/b27968c0d0f55a06cbf424cacf62d0b22e64f021c72d51d4adb0c1771709fe70/detection gov-net.co finance.gov-net.co # Reference: https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0 (# WarHawk) # Reference: https://www.virustotal.com/gui/ip-address/3.239.29.103/relations # Reference: https://www.virustotal.com/gui/file/58b3686e4255d32dbcf7dee9dac1d5be6d4692d086cde167da1e1a5e0e1b315a/detection # Reference: https://www.virustotal.com/gui/file/624c6b56ee3865f4a5792ad1946a8e86b876440a5af3bac22ac1dee92f1b7372/detection # Reference: https://www.virustotal.com/gui/file/7d3574c62df44b74337fc74ec7877792b4ffa1486a49bb19668433c3ca8836b5/detection # Reference: https://www.virustotal.com/gui/file/f97d5d3e1c2ceb3e9d23ae5b5d4e7c9857155df5acf7f67fee995cb041c797dc/detection http://146.190.235.137 74.125.196.113:53 customs-lk.org fia-gov.org nadra-pk.org 1c1157fa.caa.update.customs-lk.org 1d06bfb2.check.update.fia-gov.org 1d06bfb2.local.update.fia-gov.org 1d06bfb2.scan.update.fia-gov.org 64115cb6.check.update.fia-gov.org 753fa5b2.check.update.fia-gov.org a.bc.1d06bfb2.check.update.fia-gov.org a.bc.1d06bfb2.local.update.fia-gov.org a.bc.1d06bfb2.scan.update.fia-gov.org a.bc.64115cb6.check.update.fia-gov.org bc.1d06bfb2.local.update.fia-gov.org bc.1d06bfb2.scan.update.fia-gov.org bc.753fa5b2.check.update.fia-gov.org caa.update.customs-lk.org check.update.fia-gov.org generic.update.fia-gov.org lms.update.fia-gov.org local.update.fia-gov.org microsoft.update.fia-gov.org nadra.update.customs-lk.org scan.update.fia-gov.org update.customs-lk.org update.fia-gov.org nepra.org.pk/css/32-Advisory-No-32.iso /wh/glass.php # Reference: https://twitter.com/Des00464472/status/1585171289261891585 plokin.top count.plokin.top # Reference: https://twitter.com/Timele9527/status/1585824832842653696 # Reference: 
https://twitter.com/Timele9527/status/1585824983598538752 alit.info civix.site direct88.org fenctor.top file-server.co gov-netpk.net hblbank.co marksafe.org net-pk.org outlookk.co paf-govt.com paf-govt.org pak-navy.co paknavy.net paknavygov.org playstore.cloud reas.tech supportgovpk.co tinlly.co tinly.org vopler.tech # Reference: https://twitter.com/Des00464472/status/1586959212596563968 tonse.info rock.tonse.info # Reference: https://twitter.com/jaydinbas/status/1591096310870179840 # Reference: https://www.virustotal.com/gui/ip-address/5.230.74.58/relations # Reference: https://www.virustotal.com/gui/file/ee2018f7b42ed56fb8b272c9662bf9ddd01f6058abd756019a857a33e54d8faf/detection mofagov.com mailnepalarmy.mofagov.com # Reference: https://twitter.com/Des00464472/status/1592039315823276032 play-store.co google.play-store.co hostmaster.play-store.co # Reference: https://twitter.com/Des00464472/status/1592393354138259457 # Reference: https://www.virustotal.com/gui/ip-address/192.36.41.43/relations fbr.net-pk.org # Reference: https://twitter.com/Des00464472/status/1597099850075901957 # Reference: https://www.virustotal.com/gui/ip-address/158.255.211.188/relations # Reference: https://www.virustotal.com/gui/file/023a9b64f4a97bebca72cbfa58553cf7ab3f6b80beba908447a441ef4870f284/detection mofs-gov.org mailpakbj.mofs-gov.org mailv.mofs-gov.org # Reference: https://twitter.com/Des00464472/status/1597474158367379456 graty.tech guide.graty.tech # Reference: https://twitter.com/RedDrip7/status/1598252489866121216 # Reference: https://www.virustotal.com/gui/ip-address/5.230.73.106/relations # Reference: https://www.virustotal.com/gui/file/cd09bf437f46210521ad5c21891414f236e29aa6869906820c7c9dc2b565d8be/detection bol-north.com abc.bol-north.com cdsve.bol-north.com dgdfvdf.bol-north.com dger.bol-north.com dvdf.bol-north.com fyujv.bol-north.com pnwc.bol-north.com pnwc.bol-north.com # Reference: https://twitter.com/Des00464472/status/1599652629403299840 appsrv.live # Reference: 
https://twitter.com/malwareforme/status/1600150609616949248 # Reference: https://www.virustotal.com/gui/file/bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f/detection downld.net paknavy-gov-pk.downld.net # Reference: https://twitter.com/t3ft3lb/status/1605501885531553797 # Reference: https://www.virustotal.com/gui/file/46cc2e14b7daeadc9f7e5be5cb2004f1370620c93ac97a31cd9a7d329211fd9e/detection paf-govt.net csd.paf-govt.net # Reference: https://twitter.com/fr0s7_/status/1605917826711048193 # Reference: https://www.virustotal.com/gui/file/a2faee1e5fe8717d6360458f1fd6d83902a2c9c6bb2e84f9ea5e4b67ffafbebd/detection foodies.alit.info mail.alit.info maildefence.alit.info mailmofa.alit.info