# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: sidecopy, falseflag # Reference: https://twitter.com/Timele9527/status/1144069969845481474 # Reference: https://app.any.run/tasks/69351273-5fd3-4590-a5a5-da639f86f9ec/ # Reference: https://www.virustotal.com/gui/file/bf34be94275f5b05d82b3805bccb30f217020d88f501d156324f98b5eda9ba7e/detection # Reference: https://www.virustotal.com/gui/file/071c2ac354452d484a37e7af15dd4685061dd4af93abad4308f41df673132ff0/detection 192.99.241.4:4915 # Reference: https://twitter.com/Timele9527/status/1130670958971215873 # Reference: https://www.virustotal.com/gui/file/386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef/detection # Reference: https://vtbehaviour.commondatastorage.googleapis.com/386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef_Tencent%20HABO.html 95.168.176.141:4864 95.168.176.141:16672 # Reference: https://twitter.com/HONKONE_K/status/1122327639249698816 # Reference: https://www.freebuf.com/articles/network/197398.html bdrive.club bdrive.space cloudserve.online cynqms.com data-backup.online firebasebox.com scan9t.com tprlink.com # Reference: https://twitter.com/Timele9527/status/1121607912676261890 # Reference: https://www.virustotal.com/gui/file/b80635fed8c7fce92385ddb66fb6f58337a8a150c4a1d158888adaa8db0cfebc/detection # Reference: https://vtbehaviour.commondatastorage.googleapis.com/b80635fed8c7fce92385ddb66fb6f58337a8a150c4a1d158888adaa8db0cfebc_Tencent%20HABO.html peechtrees.com # Reference: https://twitter.com/HONKONE_K/status/1104951156730544128 # Reference: https://www.virustotal.com/gui/file/500f8798dd582b22928097f24d8516893beb84d155f5a2a6ebf30bbcf4d91dae/detection # Reference: https://vtbehaviour.commondatastorage.googleapis.com/500f8798dd582b22928097f24d8516893beb84d155f5a2a6ebf30bbcf4d91dae_Tencent%20HABO.html 81.17.56.226:3864 # Reference: https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf 178.238.228.113:7861 178.238.235.143:80 178.238.235.143:9001 193.37.152.28:9990 213.136.87.122:10001 5.189.143.225:11114 5.189.145.248:10032 5.189.145.248:1453 5.189.145.248:6318 62.4.23.46:1500 ad2.admart.tv afgcloud7.com avadhnama.com bbmdroid.com bbmsync2727.com bhai123.no-ip.biz bhai1.ddns.net brooksidebiblefellowship.org cdrfox.xyz intribune.blogspot.com lolxone.com mvssync8767.com ordering-checks.com thefriendsmedia.com sahirlodhi.com sms.totalworthy.com sudhir71nda.no-ip.org winupdatess.no-ip.biz comdtoscc.attachment.biz ceengrmes.attachment.biz email.attachment.biz fileshare.attachment.biz # Reference: https://twitter.com/Timele9527/status/1167626219916972032 kmcodecs.com # Reference: https://twitter.com/Timele9527/status/1186816375857139712 isroddp.com /rEmt1t_pE7o_pe0Ry/ # Reference: https://twitter.com/Arkbird_SOLG/status/1219769450989334528 198.46.177.73:6421 198.46.177.73:4920 198.46.177.73:10422 198.46.177.73:14823 198.46.177.73:16824 # Reference: https://twitter.com/_re_fox/status/1232402275181703169 185.136.163.197:4442 # Reference: https://twitter.com/_re_fox/status/1226344529046929408 awsyscloud.com /E@t!aBbU0le8hiInks/ /H!pT0pNSc3nd/ /eNn!T5eals/ /Pon0N.php /Cor2PoRJSet!On.php /f3dlPr00f.php /pR0T5o-Niums.php /Dev3l2Nmpo7nt.php /xwunThedic@t6.php # Reference: https://twitter.com/spider_girl22/status/1246082462649683968 # Reference: https://twitter.com/teamcymru_S2/status/1382724143444004866 # Reference: https://www.virustotal.com/gui/file/94fc14e5c961c1dd8ff63330f0bdd11c8f5e1563468d7d35127ae486144c3dd2/detection # Reference: https://www.virustotal.com/gui/file/736c9682399885ca1219cb10472b406d381ce66bd3a5cdc919cb28ee59b898fe/detection 107.175.1.103:14686 107.175.1.103:3268 107.175.1.103:5418 107.175.1.103:7646 107.175.1.103:9348 # Reference: https://twitter.com/ShadowChasing1/status/1250303709013147650 # Reference: https://www.virustotal.com/gui/file/3c7eb76db2a503d495d1332dc50acbcf511d56a6ff5a7f1a5f9c16c5efc10b5d/detection 64.188.25.205:3692 # Reference: https://twitter.com/ShadowChasing1/status/1257268847175860224 # Reference: https://twitter.com/KodaES/status/1257265452654497792 # Reference: https://app.any.run/tasks/250c2c2d-fdfb-4f46-8565-a9b2538c1ace/ 107.175.64.251:6286 # Reference: https://twitter.com/_re_fox/status/1286826493335805953 # Reference: https://www.virustotal.com/gui/file/99b24003e4d5a19430653760db6492d920dfda94194ba8aaa9e82d2949aab740/detection 164.68.101.194:3312 # Reference: https://twitter.com/ShadowChasing1/status/1296988003911360516 # Reference: https://www.virustotal.com/gui/file/e91836bbf90b1eafd5cdcf8868408309470d4a06c5239dfee7dd74eca1a7f222/detection 64.188.12.126:4676 # Reference: https://securelist.com/transparent-tribe-part-2/98233/ # Reference: https://otx.alienvault.com/pulse/5f46861db7f081f8c83140dc http://212.8.240.221 212.8.240.221:5987 sharemydrives.com sharingmymedia.com tryanotherhorse.com # Reference: https://twitter.com/ShadowChasing1/status/1311590568674291712 servicesmail.site # Reference: https://twitter.com/DeadlyLynn/status/1318006847949819912 # Reference: https://www.virustotal.com/gui/file/d4b36731cb37ad05b0b9678b568c10a56f2e84967b393b626afb19d2df41c9b9/detection 173.249.14.104:6630 # Reference: https://twitter.com/ShadowChasing1/status/1337000347810729984 # Reference: https://www.virustotal.com/gui/file/6257ab26547f390bfd67d60766a708a95998452eb487d6d7208a52dc3e9840e0/detection 198.12.90.116:3691 # Reference: https://twitter.com/ShadowChasing1/status/1338077086896963584 # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1338177112059088903 # Reference: https://www.virustotal.com/gui/file/2714b12d0c65cb6fe783571a2d103866c4059f40b2905f58a6cd5de80eefeb73/detection # Reference: https://www.virustotal.com/gui/file/26a4d9bd2961d724ef07aaec5cbbd120891c600ab7932e5e4ddef38aa3ee9700/detection 89.249.65.206:4816 89.249.65.206:49483 # Reference: https://twitter.com/ShadowChasing1/status/1338507666373558273 # Reference: https://www.virustotal.com/gui/file/48f662986a80c5c73a878b0f46cd7e3a548e556ad9c3f76c4eb867968b240eaf/detection 172.217.15.110:4876 # Reference: https://twitter.com/ShadowChasing1/status/1360018043703762945 # Reference: https://www.virustotal.com/gui/file/86d43578ba26f02cf845f16a38ab29a48ad86c17f4a2ec3b69fc0d5fe82b4af7/detection 64.188.25.143:4586 # Reference: https://twitter.com/h2jazi/status/1367102521400053767 # Reference: https://twitter.com/h2jazi/status/1367105848544284676 # Reference: https://twitter.com/teamcymru_S2/status/1367436864941150208 # Reference: https://www.virustotal.com/gui/file/f6bec3c2d0503978f88734c6d52f2a01552c1d24b8e014ab835827ba3c9cc548/detection 23.254.119.118:11214 23.254.119.118:15822 23.254.119.118:17443 23.254.119.118:6128 23.254.119.118:8761 # Reference: https://twitter.com/InQuest/status/1368879546695618561 # Reference: https://twitter.com/ShadowChasing1/status/1368902119051325447 # Reference: https://www.virustotal.com/gui/file/d0a5ffa3b9c40eb1e4277e7c41a100b0836c9424b36fb9bbe281711c0b116883/detection 173.249.14.104:4568 templatesmanagersync.info # Reference: https://twitter.com/modubyk/status/1215690858131066881 # Reference: https://www.virustotal.com/gui/file/3cbb07af5c85a539ba970bd831de6ad53473afe6d99b3cdbb963711e2b1ee9c3/detection # Reference: https://www.virustotal.com/gui/file/fde8b0e2ce949e09070d6788194f63131070afab0ebd479bedd545091e7cc8aa/detection cfrbackup.com /P0urWa1t3_r!es/ /P0urWa1t3_r!es/iptonps.php # Reference: https://twitter.com/h2jazi/status/1374754308676280323 # Reference: https://www.virustotal.com/gui/file/8bd2a1aa58cd9fb15ce499be7131e810abbdcc7770806ebfbd83b8e8f701c5e4/detection 75.119.139.169:4568 # Reference: https://twitter.com/ShadowChasing1/status/1374713010472685569 185.136.169.155:8761 # Reference: https://twitter.com/h2jazi/status/1385577616606961664 # Reference: https://www.virustotal.com/gui/file/f87d8b4376bdb341964801a836bb7ae4843351ded70801d401e951cbbe05d613/detection 167.160.166.177:4698 # Reference: https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/ 134.119.181.15:6818 134.119.181.15:8561 134.119.181.15:8861 151.106.14.125:14618 151.106.14.125:16418 151.106.14.125:3468 151.106.14.125:8722 151.106.19.220:2682 172.245.247.112:11824 172.245.247.112:14624 172.245.247.112:8666 172.245.87.12:12447 172.245.87.12:18856 172.245.87.12:4586 172.245.87.12:8443 173.212.192.229:16564 173.249.22.30:10864 173.249.22.30:16582 173.249.22.30:4228 173.249.14.104:3312 173.249.14.104:9808 173.249.42.113:8148 185.136.169.155:11214 185.136.169.155:15882 185.136.169.155:17443 185.136.169.155:6128 185.174.102.105:54131 198.12.90.116:3691 198.12.90.116:4684 198.12.90.116:6582 23.254.119.11:3163 23.254.119.11:4828 23.254.119.11:5661 23.254.119.11:6614 45.32.151.155:11427 45.32.151.155:12835 45.77.246.69:16185 5.189.134.216:5156 64.188.12.126:12824 64.188.12.126:49747 64.188.12.126:9666 64.188.25.206:11422 64.188.25.206:16621 64.188.25.206:4125 64.188.25.206:6522 66.154.113.38:3878 66.154.113.38:8666 # Reference: https://twitter.com/ShadowChasing1/status/1385561727559864321 # Reference: https://www.virustotal.com/gui/file/fafcbb35db7cd2725d2f3f4268ffb32390f0e7602263841914fae72f37baca5b/detection 109.236.85.16:5987 myabcxyz1.ddns.net # Reference: https://twitter.com/ShadowChasing1/status/1387357625013080064 167.86.89.53:1443 167.86.89.53:16688 167.86.89.53:24619 167.86.89.53:6118 167.86.89.53:8843 # Reference: https://twitter.com/cyber__sloth/status/1383394061965348867 # Reference: https://twitter.com/ShadowChasing1/status/1383217637853831169 # Reference: https://twitter.com/_re_fox/status/1383207625874083841 # Reference: https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf # Reference: https://www.virustotal.com/gui/file/54759951089f44a3918e164b8bf29c8f388cfd41f9930f81b8103852947fed93/detection http://161.97.142.96/htt_p http://173.212.224.110/h_ttp 144.91.65.100:6102 144.91.91.236:6102 164.68.108.22:6102 173.212.224.110:6102 173.249.50.230:3245 drivetoshare.com mailfourms.com iiieyehealth.com socialistfourm.com updatedportal.com mfahost.ddns.net newsindia.ddns.net tor-relay2.innonetlife.com vmi192147.contaboserver.net vmi268056.contaboserver.net vmi296708.contaboserver.net vmi312537.contaboserver.net vmi314646.contaboserver.net demo.smart-hospital.in/uploads/staff_documents/18/html/ demo.smart-hospital.in/uploads/staff_documents/18/h-xmlhttp/ demo.smart-hospital.in/uploads/staff_documents/19/Armed-Forces-Spl-Allowance-Order/html/ demo.smart-hospital.in/uploads/staff_documents/19/Defence-Production-Policy-2020/html/ demo.smart-hospital.in/uploads/staff_documents/19/Images/8534 demo.smart-hospital.in/uploads/staff_documents/19/IncidentReport/html/ demo.smart-hospital.in/uploads/staff_documents/19/ParaMil-Forces-Spl-Allowance-Order/html/ demo.smart-hospital.in/uploads/staff_documents/19/Req-Data/html demo.smart-hospital.in/uploads/staff_documents/19/Sheet_Roll/html demo.smart-school.in/uploads/staff_documents/9/Sheet_Roll/html demo.smart-school.in/uploads/student_documents/12/css/ drivetoshare.com/mod.gov.in_dod_sites_default_files_Revisedrates/html sparc.org.in/wp-content/uploads/2020/06/now/rt.rtf # Reference: https://twitter.com/ShadowChasing1/status/1391680709207609347 londonkids.in/preschool/video/Emergency_Vaccination/css/ # Reference: https://twitter.com/KseProso/status/1392063980961734657 # Reference: https://www.virustotal.com/gui/file/2491caddf4445d9297404493c7707b54591c989b94fd4634a7afdf54c0d22e9c/detection vmi433658.contaboserver.net # Reference: https://twitter.com/KseProso/status/1392063980961734657 # Reference: https://www.virustotal.com/gui/file/871cab3256acdbc3c27650adde878658568a85b87e85d3e3c137bdeb4592fb2c/detection 173.249.14.104:6140 # Reference: https://twitter.com/KseProso/status/1392064101103378437 # Reference: https://www.virustotal.com/gui/file/c7dbca435039a6148dc25208f04b734465e8b7c92010ede1401d88f5f8003f2d/detection 173.249.14.104:5670 # Reference: https://twitter.com/pollo290987/status/1564886555306692608 # Reference: https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html # Reference: https://otx.alienvault.com/pulse/609d7a98443a742cd63c2784 # Reference: https://www.virustotal.com/gui/file/ee4615ba6097bde423549aadac4caea4e74493f93c91ad6cfa3372f2d1fae04d/detection 139.28.36.141:6922 7thcpcupdates.info armypostalservice.com clawsindia.com isroddp.com larsentobro.com millitarytocorp.com pmayindia.com tprlink.com awsyscloud.com cloudsbox.net datacyncorize.com digiphotostudio.live drivestransfer.com emailhost.network file-attachment.com filelinks.live filestudios.net hostflix.live maildrive.email mediabox.live mediaclouds.live mediadrive.cc mediafiles.live mediaflix.net medialinks.cc mediashare.cc onedrives.cc servicesmail.site shareboxs.net shareflix.co sharemydrives.com shareone.live sharingmymedia.com studioflix.net templatesmanagersync.info urservices.net bjorn111.duckdns.org micrsoft.ddns.net newsupdates.myftp.org share.medialinks.cc social.medialinks.cc systemsupdated.duckdns.org tgservermax.duckdns.org vmd41059.contaboserver.net vmi433658.contaboserver.net email.gov.in.attachment.drive.servicesmail.site email.gov.in.maildrive.email india.gov.in.attachments.downloads.7thcpcupdates.info mail.clawsindia.com mail.isroddp.com mailer.pmayindia.com mailout.pmayindia.com # Reference: https://tria.ge/210514-fsd2fkks9a/behavioral1 5.189.134.216:12538 5.189.134.216:7218 5.189.134.216:9686 # Reference: https://twitter.com/ShadowChasing1/status/1394229310911762434 # Reference: https://www.virustotal.com/gui/file/7f800784b00354dd15eee129317a63bd3f7bb25622e898c873603e5b142cbb09/detection 5-135-125-106.cinfuserver.com # Reference: https://twitter.com/ShadowChasing1/status/1399012433520324617 # Reference: https://www.virustotal.com/gui/file/71a8e488b3d142bfdfcc4092ac35cf32e7d5e55b68acd262d16707f6a09f9321/detection 134.119.181.142:6672 # Reference: https://twitter.com/bofheaded/status/1399384209353969667 # Reference: https://www.virustotal.com/gui/file/cad6dcfe6942bb5ac648fb25b8aa3359f1d30b6671c132ce8c7c8c3cd08e8825/detection 178.238.229.192:11884 178.238.229.192:15285 178.238.229.192:3687 178.238.229.192:6782 178.238.229.192:8529 # Reference: https://twitter.com/ShadowChasing1/status/1402526383293624323 http://167.86.75.119 selforder.in/wp-content/uploads/wp-commerce/04/05/ # Reference: https://www.virustotal.com/gui/file/d228c1186003ae37e6c9e26222782291fa97580a254e77f290b46c2376b712e4/detection 185.136.169.155:15822 # Reference: https://twitter.com/ShadowChasing1/status/1406962468010614785 # Reference: https://www.virustotal.com/gui/file/907f594f49e498f0526684e03afd76e953b46b2c4947dd260f90f2665b7ff875/detection afghannewsnetwork.com dadsasoa.in/font/js/images/files/My-CV/css # Reference: https://www.virustotal.com/gui/ip-address/144.91.65.100/relations # Reference: https://www.virustotal.com/gui/file/1ac0288aaebbe07b6145f20dc3ba2c0107ab00b47a4fe90215a784c887bad35d/detection mmfaa.ddns.net # Reference: https://www.virustotal.com/gui/file/149b121b8f5755bc841ddd38f8dbcb6f857b00c8943b446ab85e1706e2216bde/detection http://144.91.65.100 # Reference: https://blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/ # Reference: https://otx.alienvault.com/pulse/60d2f18dfd693f4314446f84 # Reference: https://twitter.com/0xrb/status/1409729774956597250 ankaraembassy.hopto.org certindia.chickenkiller.com certindia.ignorelist.com coronavirusupdate.ddns.net coronavirusupdate.ddnsking.com defencecyberorg.myddns.me frankooxyz2.ddns.net minofdefence.mooo.com minofdefenceindia.ddns.net pmreference.ddnsking.com iiieyehealth.com/fonts/times/files/Call-for-Proposal-DGSP-COAS-Chair-Excellance/css/ ikiranastore.com/images/files/ist/doc/i.php londonkids.in/echoolz/assets/css/front/hwo/DATE-OF-NEXT-INCREMENT-ON-UP-GRADATION-OF-PAY-ON-01-JAN-AND-01-JUL/css londonkids.in/preschool/video/Emergency_Vaccination/css/ minervacollege.co.in/fonts/plugins/mrt/Image-7563/css2 # Reference: https://twitter.com/h2jazi/status/1407788867260923908 # Reference: https://www.virustotal.com/gui/file/aadaa8d23cc2e49f9f3624038566c3ebb38f5d955b031d47b79dcfc94864ce40/detection 5.189.170.84:3901 # Reference: https://www.virustotal.com/gui/file/2bb2a640376a52b1dc9c2b7560a027f07829ae9c5398506dc506063a3e334c3a/detection # Reference: https://www.virustotal.com/gui/file/d2113b820db894f08c47aa905b6f643b1e6f38cce7adf7bf7b14d8308c3eaf6e/detection 5.189.170.84:3312 iwestcloud.com /Pick@Whatsoever/Mac.php /Pick@Whatsoever/Qu33nRocQCl!mbing.php /Pick@Whatsoever/S3r&eryvUed.php /Pick@Whatsoever/ /Qu33nRocQCl!mbing.php /S3r&eryvUed.php # Reference: https://twitter.com/ShadowChasing1/status/1410157094343364609 # Reference: https://www.virustotal.com/gui/file/af5dec1a8eed98bbab9c03dd76a980edc987347c43798d726b0ca538376f27be/detection drigablockszip.sytes.net medizz.co/wp-content/base/phr/shareddocuments/Agenda # Reference: https://twitter.com/BaoshengbinCumt/status/1411963177626046467 # Reference: https://www.virustotal.com/gui/file/c3e56af0c0a13e8ab4e6f2269d1c15586e72f9b7a90c22980f976e6786388a03/detection 185.233.202.230:44567 templateworkshop.site /template_storage/normal_template/template48.dot # Reference: https://twitter.com/ShadowChasing1/status/1411991006489112582 # Reference: https://www.virustotal.com/gui/file/49387b1a799944bb19f5b83cd5a05e421bcaff8ddc59750aba800ec03c447245/detection 167.86.105.43:6588 # Reference: https://twitter.com/teamcymru_S2/status/1412397642286522368 # Reference: https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/ 107.173.204.38:6576 107.173.204.38:8586 # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt digitalfilestores.com filehubspot.com freewindowssoftware.com mailupdater.net mfahost.ddns.net mffatool.ddns.net nscinfo.ddns.net vmi240582.contaboserver.net vmi281634.contaboserver.net vmi312537.contaboserver.net vmi369553.contaboserver.net vmi388643.contaboserver.net vmi420862.contaboserver.net vmi475662.contaboserver.net vmi489177.contaboserver.net vmi512038.contaboserver.net vmi532529.contaboserver.net # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt # Reference: https://www.virustotal.com/gui/file/132870a1ae6a0bdecaa52c03cfe97a47df8786f148fa8ca113ac2a8d59e3624a/detection 173.249.50.230:1238 muzicmirchi.000webhostapp.com # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt # Reference: https://www.virustotal.com/gui/file/71bbf2394fe4909a6ce0f7085ca41f21cf5e05e3d761620e4d7f307183fb1e1b/detection 167.86.70.194:9091 # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt # Reference: https://www.virustotal.com/gui/file/852612666095aec2e9f3456ec4f8a9566be2c690c8583aff6055d180507d5476/detection 167.86.70.194:9092 # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt # Reference: https://www.virustotal.com/gui/file/956f0f369082068ef24b76ec162cfc2119adbffda94e33e41b40f39d2f192ffe/detection 161.97.90.175:8080 # Reference: https://twitter.com/bofheaded/status/1420466901466030083 # Reference: https://twitter.com/teamcymru_S2/status/1423281518034575363 # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt # Reference: https://www.virustotal.com/gui/file/57466da1095f6c28d5d7c56d171417bb796b153f1c545e846fee1743cacc15fc/detection # Reference: https://www.virustotal.com/gui/file/772bc22f6238eb368c47f4d34fb98db9124a44b8443cee92d73c6086609fd2f1/detection http://149.248.52.61 /vpn-update/vpn-update.php /weisenborn/aziroboro.php # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt 144.91.65.100:3245 144.91.65.100:4145 144.91.91.236:4140 144.91.91.236:4145 149.248.52.61:2323 149.248.52.61:5656 149.248.52.61:87 149.248.52.61:89 149.248.52.61:8989 161.97.90.175:6666 164.68.104.126:3245 164.68.104.126:4140 173.212.224.110:4140 173.212.224.110:4145 173.249.50.230:1144 173.249.50.230:1244 173.249.50.230:1245 173.249.50.230:1289 173.249.50.230:3245 173.249.50.230:4145 # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt http://109.236.85.152 http://164.68.104.126 http://161.97.142.96 http://167.86.75.119 http://173.249.41.175 # Reference: https://twitter.com/Timele9527/status/1419853559860920320 # Reference: https://twitter.com/Timele9527/status/1419853918293544967 # Reference: https://www.virustotal.com/gui/file/8b20b81f05c0acebb97200b5cfa3bec23ddeb9f7307e47c9b942c6f9bee91b44/detection # Reference: https://www.virustotal.com/gui/file/70fab64895bcfaf7e9bd713e3b3b4c354e19ff9d083285b791d43bb39c5d3253/detection # Reference: https://www.virustotal.com/gui/file/670bf2bad23645b731a67e3299f4f1692da3bdaa711c588b17024ed916e55438/detection 122.166.149.57:8888 161.97.164.143:20121 161.97.164.143:2121 161.97.164.143:2123 161.97.164.143:2124 161.97.164.143:2122 161.97.164.143:2125 161.97.164.143:8011 161.97.164.143:9512 161.97.164.143:9515 182.188.181.224:2255 certindia.ignorelist.com certindia.chickenkiller.com defencecyberorg.myddns.me email-govin.duia.eu emailgov-in.sytes.net kavachhost.ddns.net nicindia.mywire.org /005056A0A34C-X-061544/ /005056A052CF-X-445817/ /005056A05902-X-088753/ /005056A0A34C-X-061544/file.pdf /005056A052CF-X-445817/fastag.jpg /005056A05902-X-088753/fastag.jpg # Reference: https://twitter.com/teamcymru_S2/status/1420446957961625602 # Reference: https://www.virustotal.com/gui/file/67a225feedc5ce4adf75acb41e8b0e746e7daaec779225cd72f860a263b92a6e/detection 191.101.172.44:11422 191.101.172.44:14624 191.101.172.44:16621 191.101.172.44:4125 191.101.172.44:6522 64.188.25.206:3389 # Reference: https://www.virustotal.com/gui/ip-address/104.227.146.200/relations http://104.227.146.200 /KingEfulefu/ /KingEfulefu/login.php # Reference: https://twitter.com/ShadowChasing1/status/1422452244079779841 # Reference: https://twitter.com/360CoreSec/status/1422403743354482692 # Reference: https://www.virustotal.com/gui/file/8554b5cace52a0fdf0fd3378e4df6606efb45b8ee686ed5b3c1657633405eb85/detection # Reference: https://www.virustotal.com/gui/file/f5e7b8dddd4137ac008186a4c5e9cb644dc1bbddb61612c29c2087b1efe48974/detection # Reference: https://www.virustotal.com/gui/file/bc3ff3fb73736649a9aad6ccb811819a912c03aaa9ec81c6fa733f1459e66af9/detection # Reference: https://www.virustotal.com/gui/file/640ffa981ef531f5ceb98c59cfa1c65a9da9a088dc3157f78ffa0fa6cd5e8e02/detection # Reference: https://www.virustotal.com/gui/file/72950c1a7d26f9bb6acc0e33d1cd65310db31f5b03c3b3e722ce216bb20f12fe/detection # Reference: https://www.virustotal.com/gui/file/bc3ff3fb73736649a9aad6ccb811819a912c03aaa9ec81c6fa733f1459e66af9/detection 66.154.112.206:6188 # Reference: https://twitter.com/ShadowChasing1/status/1422914152381616134 # Reference: https://otx.alienvault.com/pulse/610baec1825b7a6f14ae8c21 # Reference: https://www.virustotal.com/gui/file/dc9002bc8fec5e678ae60285dd9fc303e87a9ea15b037be76285e41b50f62f8b/detection 149.248.52.61:91 149.248.52.61:92 149.248.52.61:93 bsnlplots.com/css/css/ # Reference: https://twitter.com/ShadowChasing1/status/1423194120512688133 # Reference: https://www.virustotal.com/gui/file/460c098565a7f5866bb96281ebada37d8e3a7f9e4112de663a05bba470e27929/detection pafwa.info independenceday.pafwa.info # Reference: https://twitter.com/ShadowChasing1/status/1460614611200217093 # Reference: https://www.virustotal.com/gui/file/f79445105ab2dc3c3be899c1e1fd1adca60723f613c242ce4e0b95ee835ac82a/detection isteandhrapradesh.in/NewSite/Admin/try/b/ # Reference: https://twitter.com/h2jazi/status/1460744936635224064 # Reference: https://twitter.com/h2jazi/status/1460744939105669132 # Reference: https://www.virustotal.com/gui/file/9836cfb7c54febcbbf2b252414dbdc95784ed429c228a363b65b7586ffcc3b0c/detection 194.233.67.90:6785 securedesk.one # Reference: https://twitter.com/0xrb/status/1460900779175276550 # Reference: https://www.virustotal.com/gui/file/df87afed0b9bef37d4ff79b0065e95b65cb3ffd320dc258548a229720e4bf99f/detection # Reference: https://www.virustotal.com/gui/file/ac80eb10f16f3da1651b8fcb7dbc714255f4ec9719e922baeeb3499d9bd89e23/detection mojochamps.com assessment.mojochamps.com # Reference: https://twitter.com/RedDrip7/status/1486656925320183809 # Reference: https://www.virustotal.com/gui/file/476c183a7ac3435b0085d652c816b07910d081a92c83b85dfda7ba630cd4957f/detection 45.138.172.222:3691 # Reference: https://twitter.com/ShadowChasing1/status/1490988027354648576 # Reference: https://twitter.com/ShadowChasing1/status/1491261131800780810 # Reference: https://twitter.com/0xrb/status/1491021258741653511 # Reference: https://www.virustotal.com/gui/file/d15f76acb846b237956a6373bd6646ef804419dd9a9fd3c9501acc241fcddff9/detection # Reference: https://www.virustotal.com/gui/file/46828fb51abae8b9ca21090f56d90d63270464318cd81235872a8fba35ce3064/detection http://144.91.87.179 144.91.87.179:6659 softwiz.xyz singleseller.blueappsoftware.com # Reference: https://twitter.com/bofheaded/status/1491350274937868291 # Reference: https://www.virustotal.com/gui/file/14f4fe625daf1ac498d8557a4fddc67f8183f6a097e84b52f311bf436640d7cc/detection 5.189.182.93:6659 # Reference: https://twitter.com/0xrb/status/1491344919155589124 # Reference: https://www.virustotal.com/gui/file/0d7fdeea6cd1f7732db11f78c2dfd2c4bc5053b6f1bc590d3963705b4a256f22/detection kokotech.xyz # Reference: https://twitter.com/0xrb/status/1493801814005022723 161.97.85.89:12786 173.249.50.34:12182 198.12.91.240:18876 198.23.213.22:7776 198.23.213.22:7778 207.180.245.93:12184 209.127.19.241:10284 # Reference: https://blog.lumen.com/reverserat-reemerges-with-a-nightfury-new-campaign-and-new-developments-same-familiar-side-actor/ (# preBotHta) # Reference: https://github.com/blacklotuslabs/IOCs/blob/main/ReverseRat2.0_NightFury_IoCs.txt http://62.171.191.230 62.171.191.230:5310 zimbrasoft.ddns.net # Reference: https://twitter.com/malwrhunterteam/status/1494655193002266625 # Reference: https://twitter.com/malwrhunterteam/status/1494655193002266625 # Reference: https://twitter.com/JAMESWT_MHT/status/1494664440175865865 # Reference: https://app.any.run/tasks/5dc8d5eb-b9c0-4c08-b2b1-ae80cd25da62/ 160.20.147.202:7421 highexpresspass.zapto.org /softwaredailyupdate # Reference: https://twitter.com/h2jazi/status/1495825063299403785 # Reference: https://www.virustotal.com/gui/file/656124b7148dd8c72add0bfcc1a1ec856232c9e6dd13d8ea9d0f1d0a148889a4/detection # Reference: https://www.virustotal.com/gui/file/7d834e9caaaadd4f7e43777873550dd195d552038e7bd7ce4319f5cd51ed5c9d/detection 107.150.18.166:6849 # Reference: https://twitter.com/s1ckb017/status/1499312004426870788 # Reference: https://www.virustotal.com/gui/file/f66c2e249931b4dfab9b79beb69b84b5c7c4a4e885da458bc10759c11a97108f/detection # Reference: https://www.virustotal.com/gui/file/d9037f637566d20416c37bad76416328920997f22ffec9340610f2ea871522d8/detection 45.147.228.195:5524 # Reference: https://twitter.com/ShadowChasing1/status/1499704398284345345 # Reference: https://www.virustotal.com/gui/file/ec9b9a711f81df91d3b243c4e90d2f33abe2dffe4ebb2ed284bd6d0e11cdfb6c/detection gdcrvpm.ac.in # Reference: https://twitter.com/0xrb/status/1501061897604730881 # Reference: https://twitter.com/GGGGh0st/status/1513477203828559876 # Reference: https://www.virustotal.com/gui/file/d10e90484ebdeea8a5d2b15820d067f99139a76302e3cc558d942d77fe7fb9f3/detection # Reference: https://www.virustotal.com/gui/file/bdeb9d019a02eb49c21f7c04169406ac586d630032a059f63c497951303b8d00/detection 161.97.176.42:10019 161.97.176.42:33009 161.97.176.42:47834 161.97.176.42:57000 161.97.176.42:35010 161.97.176.52:10015 161.97.176.52:47822 sunjaydut.ddns.net swissaccount.ddns.net # Reference: https://twitter.com/teamcymru_S2/status/1501955807499403270 194.163.139.250:3389 # Reference: https://twitter.com/ShadowChasing1/status/1505893006070583301 # Reference: https://www.virustotal.com/gui/file/94f50d46f72e533ffceb464f2824ef1e0bb2b6638de918ced25123e741339e40/detection inapharma.in # Reference: https://twitter.com/0xrb/status/1506155286289326085 # Reference: https://www.virustotal.com/gui/file/2e1ebb72b3b483797564fe541e4b0bb23ec57373a825a927407c17dc107c1888/detection # Reference: https://www.virustotal.com/gui/file/2ace3b4ea7ecacb6ef8b4da7f5c315a31663523808a685d3600bc57571c1eb83/detection 209.145.55.95:3676 # Reference: https://www.virustotal.com/gui/file/7778f344aae32175751c4f3ec2c43abe637ff6aa67d2731dfa072fd86a9c9b47/detection 209.145.55.95:6659 # Reference: https://www.virustotal.com/gui/file/94f50d46f72e533ffceb464f2824ef1e0bb2b6638de918ced25123e741339e40/detection 209.145.55.95:443 # Reference: https://twitter.com/malwareforme/status/1505935361234677760 209.145.55.95:3285 # Reference: https://twitter.com/0xrb/status/1506879902146269184 # Reference: https://www.virustotal.com/gui/file/868b3d9c6431e57b5a10b04c2c385ee4e507395224e431fdef8012c1351d5325/detection # Reference: https://www.virustotal.com/gui/file/694e9f128904c4e456c76cff2d7534d43afb53384999fd32e4f0b72dd078385e/detection 95.111.230.252:3349 95.111.230.252:4098 # Reference: https://ti.qianxin.com/blog/articles/transparent-tribe-and-sidecopy-share-infrastructure/ (Chinese) # Reference: https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html # Reference: https://www.virustotal.com/gui/file/a0f6963845d7aeae328048da66059059fdbcb6cc30712fd10a34018caf0bd28a/detection # Reference: https://www.virustotal.com/gui/file/45ed0b23cc90fbe8eade520bdc230e4103435c6e0d64f779b12da90bc1f1596f/detection 144.91.79.40:12427 194.163.129.89:14427 directfileshare.net dsoi.info kavach-app.in otbmail.com secure256.net zoneflare.com download.kavach-app.in /C2L!Dem0&PeN/A@llPack3Ts/ /A@llPack3Ts/ /C2L!Dem0&PeN/ /C2L!Dem0&PeN/A@llPack3Ts/Cor2PoRJSet!On.php /C2L!Dem0&PeN/A@llPack3Ts/Dev3l2Nmpo7nt.php /C2L!Dem0&PeN/A@llPack3Ts/f3dlPr00f.php /C2L!Dem0&PeN/A@llPack3Ts/xwunThedic@t6.php /Pick@Whatsoever/Qu33nRocQCl!mbing.php /Pick@Whatsoever/S3r&eryvUed.php /R!bB0nBr3@k3r/FunBreaker.php /R!bB0nBr3@k3r/tallerthanhills.php /Pick@Whatsoever/ /R!bB0nBr3@k3r/ # Reference: https://twitter.com/h2jazi/status/1509887066204745743 # Reference: https://www.virustotal.com/gui/file/388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622/detection # Reference: https://www.virustotal.com/gui/file/e2cf71c78d198fdc0017b7bfd6ce8115301174302b3eaaf50cfc384db96bc573/detection sunnyleone.ddns.net # Reference: https://twitter.com/h2jazi/status/1513360845807534081 # Reference: https://www.virustotal.com/gui/file/bdeb9d019a02eb49c21f7c04169406ac586d630032a059f63c497951303b8d00/detection studentsportal.live # Reference: https://twitter.com/0xrb/status/1515979150515122178 # Reference: https://www.virustotal.com/gui/file/477147271a54e32ef184030393f17c30d68d4aeb8bd6202a225e354f1800b279/detection 66.154.112.251:5235 # Reference: https://twitter.com/0xrb/status/1517052777167732736 # Reference: https://www.virustotal.com/gui/file/4342dd4999d1247fc9032003bafb7d3d58d2cbefe1705d5d91e258d0ed1fef86/detection # Reference: https://www.virustotal.com/gui/file/bc3441864f2e9276261733b35e2473b7beed0e6ed14ad8fa13d99d15ee5477b6/detection 185.197.249.247:16252 185.197.249.247:18696 185.197.249.247:20862 185.197.249.247:4858 # Reference: https://twitter.com/h2jazi/status/1518382259228844033 # Reference: https://www.virustotal.com/gui/file/b3f8e026f39056ec5e66700e03eeaf57454ee9c0bc1c719d74e10f5702957305/detection sunnyleone.hopto.org # Reference: https://www.virustotal.com/gui/file/4841e73697c846f33ffa09d38c0ce58e978b06e32c6807cd21c22dfeadbfd0fa/detection 206.189.185.75:8000 66.63.162.16:4788 # Reference: https://twitter.com/0xrb/status/1523929430238035968 # Reference: https://www.virustotal.com/gui/file/1e0fe0c057163e5cc1a2598b7de1adf06db8bfe814e172557383eea3acbf9a2b/detection # Reference: https://www.virustotal.com/gui/file/5091ca8bcfee8d3980700de91d3b1f6286420f85be9069bde944ffceac2b02fd/detection # Reference: https://www.virustotal.com/gui/file/b53e73189ad4db83a5891d0dd73fd86d290fb7de8ab9378a1b9f29cddfc14d8c/detection # Reference: https://www.virustotal.com/gui/file/b9e1c9e0e8a169b7055d39720b862782922090f0a08cf73de730e2e6ce73eac8/detection 104.129.42.102:16862 104.129.42.102:21584 104.129.42.102:28184 104.129.42.102:6276 104.129.42.102:8891 # Reference: https://twitter.com/ShadowChasing1/status/1526583480867758084 # Reference: https://twitter.com/ShadowChasing1/status/1526583490732781568 indianblog.xyz indiantrainer.in dns1.indianblog.xyz # Reference: https://twitter.com/RedDrip7/status/1533659387277221888 # Reference: https://www.virustotal.com/gui/file/0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2/detection # Reference: https://www.virustotal.com/gui/file/f3a1ac021941b481ac7e2335b74ebf1e44728e8917381728f1f5b390c6f34706/detection # Reference: https://www.virustotal.com/gui/file/fc34f9087ab199d0bac22aa97de48e5592dbf0784342b9ecd01b4a429272ab5b/detection 192.3.99.68:10268 192.3.99.68:16098 192.3.99.68:25822 192.3.99.68:28441 192.3.99.68:7514 # Reference: https://twitter.com/RedDrip7/status/1545363738991403009 # Reference: https://www.virustotal.com/gui/file/21721fe37e170ac53bcfe9dde528dad341dcce6df4abacbaacf50ba804108f2f/detection # Reference: https://www.virustotal.com/gui/file/fa8c21188ab5a2425f7909d720c54fb1a86be418d1f69e92f5c7ee61af32cb6e/detection 38.74.14.137:12267 38.74.14.137:18197 38.74.14.137:25821 38.74.14.137:26442 38.74.14.137:7516 # Reference: https://www.virustotal.com/gui/file/2dd0416a1a530a56357887709cd37d691a32a30326b75218c5e92b34773d00f3/detection http://167.86.97.221 # Reference: http://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html cloud-drive.store drive-phone.online geo-news.tv studentsportal.co studentsportal.website user-onedrive.live cloud-drive.geo-news.tv drive-phone.geo-news.tv studentsportal.geo-news.tv user-onedrive.geo-news.tv # Reference: https://twitter.com/bofheaded/status/1547801705198518272 # Reference: https://www.virustotal.com/gui/file/085f9bfbb1ff54afe4a562824470aeff4d69b1ce3eeeedd4dbef537d2015f627/detection 209.126.80.23:3281 209.126.80.23:6391 # Reference: https://twitter.com/souiten/status/1548952536257679361 # Reference: https://www.virustotal.com/gui/file/1db3adc06f4dccee2cc936333367f1e611092396a21102d9a54296c5a67c89af/detection # Reference: https://www.virustotal.com/gui/file/ee4615ba6097bde423549aadac4caea4e74493f93c91ad6cfa3372f2d1fae04d/detection 207.180.221.51:5731 test1480.000webhostapp.com # Reference: https://twitter.com/ShadowChasing1/status/1562072883580764165 ryanglobalschools.com/js/files/IMPL_OF_SPL_ALLCE_ORDER # Reference: https://twitter.com/InQuest/status/1561659933808119810 # Reference: https://twitter.com/InQuest/status/1561999463933157377 # Reference: https://twitter.com/InQuest/status/1562019017879175169 # Reference: https://twitter.com/InQuest/status/1562043288860991489 # Reference: https://www.virustotal.com/gui/file/bc32040a1ebb05c38e9d564b576b158c71390011c4812aa8ba810e462f62d4d6/detection # Reference: https://www.virustotal.com/gui/file/6cac8225634748e673e5ae53a14c3c8d403d7e979280874663cea129b0ee5849/detection http://192.3.108.11 /https/www_a/ /https/www_b/ /https/www_c/ /https/www_d/ /https/www_e/ /https/www_f/ /https/www_g/ /https/www_h/ /https/www_i/ /https/www_j/ /https/www_k/ /https/www_l/ /https/www_m/ /https/www_n/ /https/www_o/ /https/www_p/ /https/www_q/ /https/www_r/ /https/www_s/ /https/www_t/ /https/www_u/ /https/www_v/ /https/www_w/ /https/www_x/ /https/www_y/ /https/www_z/ /www/https_a/ /www/https_b/ /www/https_c/ /www/https_d/ /www/https_e/ /www/https_f/ /www/https_g/ /www/https_h/ /www/https_i/ /www/https_j/ /www/https_k/ /www/https_l/ /www/https_m/ /www/https_n/ /www/https_o/ /www/https_p/ /www/https_q/ /www/https_r/ /www/https_s/ /www/https_t/ /www/https_u/ /www/https_v/ /www/https_w/ /www/https_x/ /www/https_y/ /www/https_z/ # Reference: https://twitter.com/0xrb/status/1577981859287293952 # Reference: https://www.virustotal.com/gui/file/ca74472613129855bd7fc79c4a245a2f27de85086cfd191506f1c9906b9ae460/detection 164.68.96.32:3468 164.68.96.32:8169 # Reference: https://twitter.com/h2jazi/status/1580302226597478401 # Reference: https://www.virustotal.com/gui/file/7658cc15e65b9000860658e8d2c7e6c305d972254d21072dfb4955e79649d1f9/detection # Reference: https://www.virustotal.com/gui/file/0d865bdcd75c4ec6fc1e182c4e68fc34db36cde8467988221d742413609da8c3/detection # Reference: https://www.virustotal.com/gui/file/77259c0d236c96450663fcf1d0837ebf4d10e024293cc89de1082a76e3e9ce10/detection 23.254.119.234:6178 23.254.119.234:8989 # Reference: https://twitter.com/Des00464472/status/1581873684478046208 161.97.119.238:7778 # Reference: https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations http://139.59.23.88 http://139.59.79.86 acmarketsapp.com gcloudsvc.com kavach.mail.gov.in kavach.mail.nic-updates.in kavachauthentication.blogspot.com kavachmail-govin.rf.gd ncloudup.com nic-updates.in wzxdao.com # Reference: https://twitter.com/0xrb/status/1589502482786713600 # Reference: https://www.virustotal.com/gui/file/5d2b37c02e60bbed036c9bb6e4f2c75de6e42c03b69c713c33d3b9325ed1b1ea/detection 154.127.54.168:35010 154.127.54.168:47834 # Reference: https://twitter.com/Des00464472/status/1597845527168970752 # Reference: https://www.virustotal.com/gui/file/46262d79b7e21b5536dc1910a78a6db2b11789503e44a6a89d22a1c169220426/detection 185.225.19.165:4862 185.225.19.165:5350 185.225.19.165:8419 # Generic /h_ttp /h_tt_p /htt_p /h_t_t_p /h-xmlhttp/ /classics/abnormal.php /classifieds/classifieds.php /classification/updatecs.php /Armed-Forces-Spl-Allowance-Order/ /Defence-Production-Policy-2020/ /IMPL_OF_SPL_ALLCE_ORDER/ /ParaMil-Forces-Spl-Allowance-Order/ /mod.gov.in_dod_sites_default_files_Revisedrates/