# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://twitter.com/Timele9527/status/1144069969845481474 # Reference: https://app.any.run/tasks/69351273-5fd3-4590-a5a5-da639f86f9ec/ # Reference: https://www.virustotal.com/gui/file/bf34be94275f5b05d82b3805bccb30f217020d88f501d156324f98b5eda9ba7e/detection # Reference: https://www.virustotal.com/gui/file/071c2ac354452d484a37e7af15dd4685061dd4af93abad4308f41df673132ff0/detection 192.99.241.4:4915 # Reference: https://twitter.com/Timele9527/status/1130670958971215873 # Reference: https://www.virustotal.com/gui/file/386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef/detection # Reference: https://vtbehaviour.commondatastorage.googleapis.com/386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef_Tencent%20HABO.html 95.168.176.141:4864 95.168.176.141:16672 # Reference: https://twitter.com/HONKONE_K/status/1122327639249698816 # Reference: https://www.freebuf.com/articles/network/197398.html bdrive.club bdrive.space cloudserve.online cynqms.com data-backup.online firebasebox.com scan9t.com tprlink.com # Reference: https://twitter.com/Timele9527/status/1121607912676261890 # Reference: https://www.virustotal.com/gui/file/b80635fed8c7fce92385ddb66fb6f58337a8a150c4a1d158888adaa8db0cfebc/detection # Reference: https://vtbehaviour.commondatastorage.googleapis.com/b80635fed8c7fce92385ddb66fb6f58337a8a150c4a1d158888adaa8db0cfebc_Tencent%20HABO.html peechtrees.com # Reference: https://twitter.com/HONKONE_K/status/1104951156730544128 # Reference: https://www.virustotal.com/gui/file/500f8798dd582b22928097f24d8516893beb84d155f5a2a6ebf30bbcf4d91dae/detection # Reference: https://vtbehaviour.commondatastorage.googleapis.com/500f8798dd582b22928097f24d8516893beb84d155f5a2a6ebf30bbcf4d91dae_Tencent%20HABO.html 81.17.56.226:3864 # Reference: https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf 178.238.228.113:7861 178.238.235.143:80 178.238.235.143:9001 193.37.152.28:9990 213.136.87.122:10001 5.189.143.225:11114 5.189.145.248:10032 5.189.145.248:1453 5.189.145.248:6318 62.4.23.46:1500 ad2.admart.tv afgcloud7.com avadhnama.com bbmdroid.com bbmsync2727.com bhai123.no-ip.biz bhai1.ddns.net brooksidebiblefellowship.org cdrfox.xyz intribune.blogspot.com lolxone.com mvssync8767.com ordering-checks.com thefriendsmedia.com sahirlodhi.com sms.totalworthy.com sudhir71nda.no-ip.org winupdatess.no-ip.biz comdtoscc.attachment.biz ceengrmes.attachment.biz email.attachment.biz fileshare.attachment.biz # Reference: https://twitter.com/Timele9527/status/1167626219916972032 kmcodecs.com # Reference: https://twitter.com/Timele9527/status/1186816375857139712 isroddp.com /rEmt1t_pE7o_pe0Ry/ # Reference: https://twitter.com/Arkbird_SOLG/status/1219769450989334528 198.46.177.73:6421 198.46.177.73:4920 198.46.177.73:10422 198.46.177.73:14823 198.46.177.73:16824 # Reference: https://twitter.com/_re_fox/status/1232402275181703169 185.136.163.197:4442 # Reference: https://twitter.com/_re_fox/status/1226344529046929408 awsyscloud.com /E@t!aBbU0le8hiInks/ /H!pT0pNSc3nd/ /eNn!T5eals/ /Pon0N.php /Cor2PoRJSet!On.php /f3dlPr00f.php /pR0T5o-Niums.php /Dev3l2Nmpo7nt.php /xwunThedic@t6.php # Reference: https://twitter.com/spider_girl22/status/1246082462649683968 # Reference: https://twitter.com/teamcymru_S2/status/1382724143444004866 # Reference: https://www.virustotal.com/gui/file/94fc14e5c961c1dd8ff63330f0bdd11c8f5e1563468d7d35127ae486144c3dd2/detection # Reference: https://www.virustotal.com/gui/file/736c9682399885ca1219cb10472b406d381ce66bd3a5cdc919cb28ee59b898fe/detection 107.175.1.103:14686 107.175.1.103:3268 107.175.1.103:5418 107.175.1.103:7646 107.175.1.103:9348 # Reference: https://twitter.com/ShadowChasing1/status/1250303709013147650 # Reference: https://www.virustotal.com/gui/file/3c7eb76db2a503d495d1332dc50acbcf511d56a6ff5a7f1a5f9c16c5efc10b5d/detection 64.188.25.205:3692 # Reference: https://twitter.com/ShadowChasing1/status/1257268847175860224 # Reference: https://twitter.com/KodaES/status/1257265452654497792 # Reference: https://app.any.run/tasks/250c2c2d-fdfb-4f46-8565-a9b2538c1ace/ 107.175.64.251:6286 # Reference: https://twitter.com/_re_fox/status/1286826493335805953 # Reference: https://www.virustotal.com/gui/file/99b24003e4d5a19430653760db6492d920dfda94194ba8aaa9e82d2949aab740/detection 164.68.101.194:3312 # Reference: https://twitter.com/ShadowChasing1/status/1296988003911360516 # Reference: https://www.virustotal.com/gui/file/e91836bbf90b1eafd5cdcf8868408309470d4a06c5239dfee7dd74eca1a7f222/detection 64.188.12.126:4676 # Reference: https://securelist.com/transparent-tribe-part-2/98233/ # Reference: https://otx.alienvault.com/pulse/5f46861db7f081f8c83140dc http://212.8.240.221 212.8.240.221:5987 sharemydrives.com sharingmymedia.com tryanotherhorse.com # Reference: https://twitter.com/ShadowChasing1/status/1311590568674291712 servicesmail.site # Reference: https://twitter.com/DeadlyLynn/status/1318006847949819912 # Reference: https://www.virustotal.com/gui/file/d4b36731cb37ad05b0b9678b568c10a56f2e84967b393b626afb19d2df41c9b9/detection 173.249.14.104:6630 # Reference: https://twitter.com/ShadowChasing1/status/1337000347810729984 # Reference: https://www.virustotal.com/gui/file/6257ab26547f390bfd67d60766a708a95998452eb487d6d7208a52dc3e9840e0/detection 198.12.90.116:3691 # Reference: https://twitter.com/ShadowChasing1/status/1338077086896963584 # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1338177112059088903 # Reference: https://www.virustotal.com/gui/file/2714b12d0c65cb6fe783571a2d103866c4059f40b2905f58a6cd5de80eefeb73/detection # Reference: https://www.virustotal.com/gui/file/26a4d9bd2961d724ef07aaec5cbbd120891c600ab7932e5e4ddef38aa3ee9700/detection 89.249.65.206:4816 89.249.65.206:49483 # Reference: https://twitter.com/ShadowChasing1/status/1338507666373558273 # Reference: https://www.virustotal.com/gui/file/48f662986a80c5c73a878b0f46cd7e3a548e556ad9c3f76c4eb867968b240eaf/detection 172.217.15.110:4876 # Reference: https://twitter.com/ShadowChasing1/status/1360018043703762945 # Reference: https://www.virustotal.com/gui/file/86d43578ba26f02cf845f16a38ab29a48ad86c17f4a2ec3b69fc0d5fe82b4af7/detection 64.188.25.143:4586 # Reference: https://twitter.com/h2jazi/status/1367102521400053767 # Reference: https://twitter.com/h2jazi/status/1367105848544284676 # Reference: https://twitter.com/teamcymru_S2/status/1367436864941150208 # Reference: https://www.virustotal.com/gui/file/f6bec3c2d0503978f88734c6d52f2a01552c1d24b8e014ab835827ba3c9cc548/detection 23.254.119.118:11214 23.254.119.118:15822 23.254.119.118:17443 23.254.119.118:6128 23.254.119.118:8761 # Reference: https://twitter.com/InQuest/status/1368879546695618561 # Reference: https://twitter.com/ShadowChasing1/status/1368902119051325447 # Reference: https://www.virustotal.com/gui/file/d0a5ffa3b9c40eb1e4277e7c41a100b0836c9424b36fb9bbe281711c0b116883/detection 173.249.14.104:4568 templatesmanagersync.info # Reference: https://twitter.com/modubyk/status/1215690858131066881 # Reference: https://www.virustotal.com/gui/file/3cbb07af5c85a539ba970bd831de6ad53473afe6d99b3cdbb963711e2b1ee9c3/detection # Reference: https://www.virustotal.com/gui/file/fde8b0e2ce949e09070d6788194f63131070afab0ebd479bedd545091e7cc8aa/detection cfrbackup.com /P0urWa1t3_r!es/ /P0urWa1t3_r!es/iptonps.php # Reference: https://twitter.com/h2jazi/status/1374754308676280323 # Reference: https://www.virustotal.com/gui/file/8bd2a1aa58cd9fb15ce499be7131e810abbdcc7770806ebfbd83b8e8f701c5e4/detection 75.119.139.169:4568 # Reference: https://twitter.com/ShadowChasing1/status/1374713010472685569 185.136.169.155:8761 # Reference: https://twitter.com/h2jazi/status/1385577616606961664 # Reference: https://www.virustotal.com/gui/file/f87d8b4376bdb341964801a836bb7ae4843351ded70801d401e951cbbe05d613/detection 167.160.166.177:4698 # Reference: https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/ 134.119.181.15:6818 134.119.181.15:8561 134.119.181.15:8861 151.106.14.125:14618 151.106.14.125:16418 151.106.14.125:3468 151.106.14.125:8722 151.106.19.220:2682 172.245.247.112:11824 172.245.247.112:14624 172.245.247.112:8666 172.245.87.12:12447 172.245.87.12:18856 172.245.87.12:4586 172.245.87.12:8443 173.212.192.229:16564 173.249.22.30:10864 173.249.22.30:16582 173.249.22.30:4228 173.249.14.104:3312 173.249.14.104:9808 173.249.42.113:8148 185.136.169.155:11214 185.136.169.155:15882 185.136.169.155:17443 185.136.169.155:6128 185.174.102.105:54131 198.12.90.116:3691 198.12.90.116:4684 198.12.90.116:6582 23.254.119.11:3163 23.254.119.11:4828 23.254.119.11:5661 23.254.119.11:6614 45.32.151.155:11427 45.32.151.155:12835 45.77.246.69:16185 5.189.134.216:5156 64.188.12.126:12824 64.188.12.126:49747 64.188.12.126:9666 64.188.25.206:11422 64.188.25.206:16621 64.188.25.206:4125 64.188.25.206:6522 66.154.113.38:3878 66.154.113.38:8666 # Reference: https://twitter.com/ShadowChasing1/status/1385561727559864321 # Reference: https://www.virustotal.com/gui/file/fafcbb35db7cd2725d2f3f4268ffb32390f0e7602263841914fae72f37baca5b/detection 109.236.85.16:5987 myabcxyz1.ddns.net # Reference: https://twitter.com/ShadowChasing1/status/1387357625013080064 167.86.89.53:1443 167.86.89.53:16688 167.86.89.53:24619 167.86.89.53:6118 167.86.89.53:8843