# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission
# Aliases: waterbug, snake, whitebear, venomous bear, krypton
# Reference: https://github.com/eset/malware-ioc/blob/master/turla/README.adoc
shoppingexpert.it/wp-content/gallery/
soheylistore.ir/modules/mod_feed/feed.php
tazohor.com/wp-includes/feed-rss-comments.php
jucheafrica.com/wp-includes/class-wp-edit.php
61paris.fr/wp-includes/ms-set.php
doctorshand.org/wp-content/about/
lasac.eu/credit_payment/url/
# Reference: https://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/
smallcloud.ga
fleetwood.tk
adstore.twilightparadox.com
bigpen.ga
ebay-global.publicvm.com
psychology-blog.ezua.com
agony.compress.to
gallop.mefound.com
auberdine.etowns.net
skyrim.3d-game.com
officebuild.4irc.com
sendmessage.mooo.com
robot.wikaba.com
tellmemore.4irc.com
# Reference: http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf
arctic-zone.bbsindex.com
cars-online.zapto.org
eunews-online.zapto.org
fifa-rules.25u.com
forum.sytes.net
franceonline.sytes.net
freeutils.3utilities.com
health-everyday.faqserv.com
nhl-blog.servegame.com
olympik-blog.4dq.com
pockerroom.servebeer.com
pressforum.serveblog.net
scandinavia-facts.sytes.net
sportmusic.servemp3.com
stockholm-blog.hopto.org
supernews.sytes.net
sweeden-history.zapto.org
tiger.got-game.org
top-facts.sytes.net
weather-online.hopto.org
wintersport.sytes.net
x-files.zapto.org
forum.4dq.com
forum.acmetoy.com
marketplace.servehttp.com
music-world.servemp3.com
newutils.3utilities.com
interesting-news.zapto.org
academyawards.effers.com
cheapflights.etowns.net
toolsthem.xp3.biz
softprog.freeoda.com
euassociate.6te.net
euland.freevar.com
communityeu.xp3.biz
swim.onlinewebshop.net
july.mypressonline.com
eu-sciffi.99k.org
# Reference: https://www.symantec.com/security-center/writeup/2014-011316-1921-99?tabid=2
nightday.comxa.com
sanky.sportsontheweb.net
tiger.netii.net north-area.bbsindex.com # Reference: http://artemonsecurity.com/snake_whitepaper.pdf academyawards.effers.com arctic-zone.bbsindex.com cars-online.zapto.org cheapflights.etowns.net communityeu.xp3.biz eu-sciffi.99k.org euassociate.6te.net euland.freevar.com eunews-online.zapto.org fifa-rules.25u.com forum.4dq.com forum.acmetoy.com forum.sytes.net franceonline.sytes.net freeutils.3utilities.com health-everyday.faqserv.com interesting-news.zapto.org july.mypressonline.com marketplace.servehttp.com music-world.servemp3.com newutils.3utilities.com nhl-blog.servegame.com north-area.bbsindex.com olympik-blog.4dq.com pockerroom.servebeer.com pressforum.serveblog.net scandinavia-facts.sytes.net softprog.freeoda.com sportmusic.servemp3.com stockholm-blog.hopto.org supernews.sytes.net sweeden-history.zapto.org swim.onlinewebshop.net tiger.got-game.org toolsthem.xp3.biz top-facts.sytes.net weather-online.hopto.org winter.site11.com wintersport.sytes.net x-files.zapto.org # Reference: https://github.com/eset/malware-ioc/tree/master/turla shoppingexpert.it/wp-content/gallery/ soheylistore.ir/modules/mod_feed/feed.php tazohor.com/wp-includes/feed-rss-comments.php jucheafrica.com/wp-includes/class-wp-edit.php 61paris.fr/wp-includes/ms-set.php doctorshand.org/wp-content/about/ lasac.eu/credit_payment/url/ daybreakhealthcare.co.uk/wp-includes/themees.php simplecreative.design/wp-content/plugins/calculated-fields-form/single.php http://169.255.137.203/rss_0.php outletpiumini.springwaterfeatures.com/wp-includes/pomo/settings.php zerogov.com/wp-content/plugins.deactivate/paypal-donations/src/PaypalDonations/SimpleSubsribe.php ales.ball-mill.es/ckfinder/core/connector/php/php4/CommandHandler/CommandHandler.php dyskurs.com.ua/wp-admin/includes/map-menu.php warrixmalaysia.com.my/wp-content/plugins/jetpack/modules/contact-form/grunion-table-form.php http://217.171.86.137/config.php http://217.171.86.137/rss_0.php 
shinestars-lifestyle.com/old_shinstar/includes/old/front_footer.old.php aviasiya.com/murad.by/life/wp-content/plugins/wp-accounting/inc/pages/page-search.php baby.greenweb.co.il/wp-content/themes/san-kloud/admin.php soligro.com/wp-includes/pomo/db.php giadinhvabe.net/wp-content/themes/viettemp/out/css/class.php tekfordummies.com/wp-content/plugins/social-auto-poster/includes/libraries/delicious/Delicious.php kennynguyen.esy.es/wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/tests/MaxMind/Db/test/Reader/BuildTest.php sonneteck.com/wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/licence/templates/panel/activation/activation.php chagiocaxuanson.esy.es/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/templates/manage_gallery/gallery_preview_page_field.old.php hotnews.16mb.com/wp-content/themes/twentysixteen/template-parts/content-header.php zszinhyosz.pe.hu/wp-content/themes/twentyfourteen/page-templates/full-hight.php weandcats.com/wp-content/plugins/broken-link-checker/modules/checkers/http-module.php smallcloud.ga fleetwood.tk adstore.twilightparadox.com bigpen.ga ebay-global.publicvm.com psychology-blog.ezua.com agony.compress.to gallop.mefound.com auberdine.etowns.net skyrim.3d-game.com officebuild.4irc.com sendmessage.mooo.com robot.wikaba.com tellmemore.4irc.com # Reference: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf eu-sciffi.99k.org fifa-rules.25u.com franceonline.sytes.net greece-travel.servepics.com hockey-news.servehttp.com marketplace.servehttp.com musicplanet.servemp3.com music-world.servemp3.com newutils.3utilities.com nightday.comxa.com north-area.bbsindex.com olympik-blog.4dq.com pokerface.servegame.com pressforum.serveblog.net sanky.sportsontheweb.net softprog.freeoda.com tiger.got-game.org tiger.netii.net toolsthem.xp3.biz top-facts.sytes.net weather-online.hopto.org wintersport.sytes.net world-weather.zapto.org 
x-files.zapto.org booking.etowns.org easports.3d-game.com cheapflights.etowns.net academyawards.effers.com te4step.tripod.com scifi.pages.at support4u.5u.com eu-sciffi.99k.org swim.onlinewebshop.net winter.site11.com july.mypressonline.com soheylistore.ir tazohor.com jucheafrica.com 61paris.fr # Reference: https://twitter.com/VK_Intel/status/1089959988116799491 northviewcanada.com/wp-content/galler/slider/ zycie-chotomowa.pl/wp-content/languages/index.php # Reference: https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments codewizard.ml dubaiexpo2020.cf markham-travel.com microsoft.updatemeltdownkb7234.com updatenodes.site vision2030.cf vision2030.tk zebra.wikaba.com # Reference: https://www.virustotal.com/gui/ip-address/94.249.192.182/relations dropbox12.com moscow.stransgroup.com # Reference: https://www.virustotal.com/gui/ip-address/185.141.62.32/relations http://185.141.62.32 # Reference: https://twitter.com/daphiel/status/1174324244127322115 dsme.info # Reference: https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/ accessdest.strangled.net bookstore.strangled.net bug.ignorelist.com cars-online.zapto.org chinafood.chickenkiller.com coldriver.strangled.net developarea.mooo.com downtown.crabdance.com easport-news.publicvm.com eurovision.chickenkiller.com fifa-rules.25u.com forum.sytes.net goldenroade.strangled.net greateplan.ocry.com health-everyday.faqserv.com highhills.ignorelist.com hockey-news.servehttp.com industrywork.mooo.com leagueoflegends.servequake.com marketplace.servehttp.com mediahistory.linkpc.net music-world.servemp3.com new-book.linkpc.net newgame.2waky.com newutils.3utilities.com nhl-blog.servegame.com nightstreet.toh.info olympik-blog.4dq.com onlineshop.sellclassics.com pressforum.serveblog.net radiobutton.mooo.com sealand.publicvm.com securesource.strangled.net softstream.strangled.net sportacademy.my03.com sportnewspaper.strangled.net supercar.ignorelist.com supernews.instanthq.com 
supernews.sytes.net telesport.mooo.com tiger.got-game.org top-facts.sytes.net track.strangled.net wargame.ignorelist.com weather-online.hopto.org wintersport.mrbasic.com x-files.zapto.org # Reference: https://otx.alienvault.com/pulse/57b4ad5cd19e030139028e28 knowledgetime.slyip.net treesofter.mooo.com archive-articles.linkpc.net sendmessage.mooo.com forumgeek.zzux.com psychology-blog.ezua.com priceline.publicvm.com officebuild.4irc.com bestfunc.slyip.net newforum.chickenkiller.com tellmemore.4irc.com priceline.publicvm.com trytowin.ignorelist.com booking.strangled.net ebay-global.publicvm.com blackerror.ignorelist.com ceremon.2waky.com patherror.publicvm.com tellmemore.4irc.com worldlist.linkpc.net ebay-global.publicvm.com top100news.my-wan.de patherror.publicvm.com dellservice.publicvm.com papperbell.effers.com onlineshop.sellclassics.com climbent.mooo.com bestfunc.slyip.net knowledgetime.slyip.net badget.ignorelist.com highhills.ignorelist.com psychology-blog.ezua.com wordlisten.mooo.com dellservice.publicvm.com profound.zzux.com forumgeek.zzux.com kersachi.ignorelist.com worldlist.linkpc.net # Reference: https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/ # Reference: https://otx.alienvault.com/pulse/5e6a1997e4301d0827885c98 http://37.59.60.199 134.209.222.206:15363 85.222.235.156:8000 adgf.am aiisa.am/js/chatem/js_rA9bo8_O3Pnw_5wJXExNhtkUMdfBYCifTJctEJ8C_Mg.js armconsul.ru/user/themes/ayeps/dist/js/bundle.0eb0f2cb2808b4b35a94.js mnp.nkr.am/wp-includes/js/jquery/jquery-migrate.min.js skategirlchina.com/wp-includes/data_from_db_top.php skategirlchina.com/wp-includes/ms-locale.php # Reference: https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/ # Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a # Reference: https://github.com/eset/malware-ioc/tree/master/turla#turla-comrat-v4-indicators-of-compromise arinas.tk bedrost.com branter.tk bronerg.tk celestyna.tk crusider.tk 
davilta.tk deme.ml dixito.ml duke6.tk elizabi.tk foods.jkub.com hofa.tk hunvin.tk lakify.ml lindaztert.net misters.ml pewyth.ga progress.zyns.com sameera.gq sanitar.ml scrabble.ikwb.com sumefu.gq umefu.gq vefogy.cf vylys.com wekanda.tk # Reference: https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/ # Reference: https://otx.alienvault.com/pulse/5f0e0247a1f88359cebcccb2 newshealthsport.com # Reference: https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity # Reference: https://otx.alienvault.com/pulse/5f99a34fe3c5a08a4093e54d balletmaniacs.com/wp-includes/fonts/icons/ berlinguas.com/wp-content/languages/index.php polishpod101.com/forum/language/en/sign/ bombheros.com/wp-content/languages/index.php simplifiedhomesales.com/wp-includes/images/index.php mtsoft.hol.es/wp-content/gallery/ # Reference: https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ # Reference: https://otx.alienvault.com/pulse/5fc7b28bd5c07b0b777106b9 ethdns.mywire.org highcolumn.webredirect.org hotspot.accesscam.org theguardian.webredirect.org # Reference: https://twitter.com/rnaksyrn/status/1097522490111418368 # Reference: https://www.virustotal.com/gui/file/5b4ed1dc85f5551f070693cf1faf801f76a92b7b624bd402e7a6ca42bc8486fa/detection worldnews.ath.cx # Reference: https://lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server/ # Reference: https://thehackernews.com/2022/04/researchers-uncover-new-android-spyware.html # Reference: https://otx.alienvault.com/pulse/624c2c7f9f25362f604a9606 # Reference: https://www.virustotal.com/gui/file/e0eacd72afe39de3b327a164f9c69a78c9c0f672d3ad202271772d816db4fad8/detection http://82.146.35.240 da.anythinktech.com d3hdbjtb1686tn.cloudfront.net # Reference: https://otx.alienvault.com/pulse/6272996039678903e0b73dd5 jadlactnato.webredirect.org wkoinfo.webredirect.org # Reference: 
# Reference: https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/
# Reference: https://otx.alienvault.com/pulse/628ba3b7c4e0efc200be0582
# Reference: https://www.virustotal.com/gui/ip-address/45.153.241.162/relations
# Reference: https://www.virustotal.com/gui/ip-address/79.110.52.218/relations
baltdefcol.webredirect.org
jadlactnato.webredirect.org
wkoinfo.webredirect.org
# Reference: https://twitter.com/billyleonard/status/1545461166377508865
# Reference: https://twitter.com/billyleonard/status/1545461171456729090
# Reference: https://www.virustotal.com/gui/file/3c62b24594ec3cacc14bdca068a0277e855967210e92c2c17bcf7c7d0d6b782a/
# Reference: https://www.virustotal.com/gui/file/745e8c90a8e76f81021ff491cbc275bc134cdd7d23826b8dd23e58297fd0dd33/detection
cyberazov.com
/CyberAzov.apk
# Reference: https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/
stopwar.pro
# Reference: https://twitter.com/sekoia_io/status/1554086468104196096
cyberazov.tk
# Reference: https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/
# Reference: https://otx.alienvault.com/pulse/64469f924625bdef62b1debc
crane.mn/wp-content/plugins/jetpack/modules/photon-cdn/
telegram.akipress.news/lsasss.rar
mail.mfa.uz.webmails.info
# Reference: https://cert.gov.ua/article/5213167 (UAC-0024, UAC-0003)
adelaida.ua/plugins/vmsearch/wp-config-plugins.php
adelaida.ua/plugins/vmsearch/wp-config-themes.php
adelaida.ua/plugins/vmsearch/wp-file-script.js
atomydoc.kg/src/open_center/
aleimportadora.net/images/slides_logo/
octoberoctopus.co.za/wp-includes/sitemaps/web/
sansaispa.com/wp-includes/images/gallery/
pierreagencement.fr/wp-content/languages/index.php
mail.aet.in.ua/outlook/api/logon.aspx
mail.kzp.bg/outlook/api/logon.aspx
mail.numina.md/owa/scripts/logon.aspx
mail.aet.in.ua/outlook/api/logoff.aspx
mail.arlingtonhousing.us/outlook/api/logoff.aspx
mail.kzp.bg/outlook/api/logoff.aspx
mail.lechateaudelatour.fr/microsoft.exchange.mailboxreplicationservice.proxyservice/rpcwithcert/sync
mail.lebsack.de/microsoft.exchange.mailboxreplicationservice.proxyservice/rpcwithcert/sync
# NOTE(review): the next three entries carry no hostname, so they are path-only trails and
# will match that path on any host. /microsoft.exchange.mailboxreplicationservice.proxyservice/
# is also the regular Exchange Mailbox Replication Service proxy endpoint, so expect hits on
# benign Exchange traffic in environments that run it; if that is noisy, keep only the
# host-qualified entries above or pin the path to the hosts named in the CERT-UA reference.
/microsoft.exchange.mailboxreplicationservice.proxyservice/rpcwithcert/sync
/microsoft.exchange.mailboxreplicationservice.proxyservice/rpcwithcert/
/microsoft.exchange.mailboxreplicationservice.proxyservice/
# Reference: https://blog.talosintelligence.com/tinyturla-next-generation/
# Reference: https://www.virustotal.com/gui/file/267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b/detection
# Reference: https://www.virustotal.com/gui/file/d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40/detection
caduff-sa.ch/wordpress/wp-includes/rss.old.php
hanagram.jp/wp/wp-content/themes/hanagram/rss-old.php
jeepcarlease.com/wp-includes/blocks/rss.old.php
thefinetreats.com/wp-content/themes/twentyseventeen/rss-old.php
# Reference: https://blog.talosintelligence.com/tinyturla-full-kill-chain/
buy-new-car.com
carleasingguru.com
# NOTE(review): the four entries below look like adjacent hostnames from the reference run
# together (caduff-sa.ch + jeepcarlease.com, hanagram.jp + thefinetreats.com) — verify them
# against the Talos post before relying on them as indicators.
chjeepcarlease.com
jpthefinetreats.com
caduff-sa.chjeepcarlease.com
hanagram.jpthefinetreats.com