# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/
# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-01-06-malicious-document-targets-pyeongchang-olympics/malicious-document-targets-pyeongchang-olympics.csv

200.122.181.63:443
thlsystems.forfirst.cz
ospf1-apac-sg.stickyadstv.com
mafra.go.kr.jeojang.ga
jeojang.ga
nctc.go.kr

# Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/?mid=1
# Reference: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf
# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-12-12-operation-sharpshooter-targets-global-defense-critical-infrastructure/operation-sharpshooter-targets-global-defense-critical-infrastructure.csv

http://208.117.44.112
http://34.214.99.20/view_style.php
137.74.41.56/board.php
kingkoil.com.sg/board.php
kingkoil.com.sg/query.php

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
# Reference: https://twitter.com/bkMSFT/status/1093109336740642816

llpsearch.com
miphomanager.com

# Reference: https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/

071790.000webhostapp.com
7077.000webhostapp.com
881.000webhostapp.com
hanbosston.000webhostapp.com
vnik.000webhostapp.com
a7788.1apps.com
attach10132.1apps.com
bluemountain.1apps.com
filer1.1apps.com
s8877.1apps.com
files.000
ftp.byethost7.com
ftp.byethost10.com
webhost.com
webmail-koryogroup.com
61.14.210.72:7117

# Reference: https://twitter.com/blackorbird/status/1107214927402418176
# Reference: https://twitter.com/blackorbird/status/1107479347013672960

ddlove.kr/bbs/dta/1

# Reference: https://twitter.com/blackorbird/status/1082553543280680962

ago2.co.kr/bbs/data/dir

# Reference: https://twitter.com/blackorbird/status/1100691198346354688

46.29.163.222:9999

# Reference: https://otx.alienvault.com/pulse/5c9a457b3acc7f0eba431c81
# Reference: https://www.recordedfuture.com/scanbox-framework-campaign/

mailshield.ga
mail.mailshield.ga
monlamlt.com
oppo.ml
photogram.ga
tibct.net
tibct.org
tracking.dgip.gov.pk

# Reference: https://twitter.com/ClearskySec/status/1055404788635103232
# Reference: https://www.clearskysec.com/iec/

host-gv.appspot.com
journey-in-israel.com
iecr.co
iec-co-il.com
israelalerts.us
israelalert.us
pokemonisrael.yolasite.com
sourcefarge.net
users-management.com
ynetnewes.com

# Reference: https://twitter.com/ClearskySec/status/971454423548530688

baoin.baotintu.com
chinhtri.tourismas.com
kinhte.baotintu.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-12: Malicious Invoice of Telcel Mexican Telecommunication Company)

bambi.sytes.net

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-06: Iranian Greenbug targeting against Arab Emirates - Invoice-NO48935.doc)

acrobatverify.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-1-1: Campaign targeting Turkey with fake purchase order requests, drops low detection Java malware)

gorevleriyok.com

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (Chinese)

Jospubs.com

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

digi-cert.org
somtelnetworks.com
geotrusts.com
secureclientupdate.com
digicertweb.com
sport-pesa.org
itaxkenya.com
businessdailyafrica.net
infotrak-research.com
nairobiwired.com
k-24tv.com

# Reference: https://twitter.com/blackorbird/status/1132884799310319616
# Reference: http://blogs.360.cn/post/APP_Plugin.html
# Reference: https://securelist.com/whos-who-in-the-zoo/85394/
# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf

http://5.61.27.154
http://5.61.27.157
http://5.61.27.173
http://91.109.23.175
androidupdaters.com
adobeactiveupdates.com
adobeactiveupdate.com
adobeseupdater.com
dlgmail.com
dlstube.com
dlstubes.com
entekhab10.xp3.biz
googleupdators.com
rhubarb2.com
rhubarb3.com
solar64.xp3.biz

# Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

# Aliases: brave prince, gold dragon, ghost419

eodo1.000webhostapp.com
follow_dai.000webhostapp.com
trydai.000webhostapp.com
followgho.byethost7.com
ink.inkboom.co.kr
nid-help-pchange.atwebpages.com

# Reference: https://twitter.com/jq0904/status/1137362044271730694

hellojames.sportsontheweb.net

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/
# Reference: https://otx.alienvault.com/pulse/5d0276b98d2d7d679ed51fa2

tenchier.com
pilutce.com
miniast.com
boreye.com

# Reference: http://www.issuemakerslab.com/research2/index.html

pyeonta.com/board/news/board.asp
sdajunghwa.com/admin/data/admindata.asp
patentmall.net/goods/goods.asp
orentcar.com/rental/sub06.asp

# Reference: https://twitter.com/blackorbird/status/1141302473623105536

soportearus.com.co
/arus_collect.php

# Reference: https://twitter.com/DbgShell/status/1146012416968417280
# Reference: https://research.checkpoint.com/operation-tripoli/ (# Operation Tripoli)

aarasid.com/libya/index.html
clientstats.epss.org.ly
dexter-ly.com
dexter-ly.space
drpc.duckdns.org
forum.myvnc.com
kalifhaftar.blogspot.com
libyanews111.blogspot.com
libya-10.com.ly
sirtggp.com/libyanew/index.html

# Reference: https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018
# Reference: https://otx.alienvault.com/pulse/5d1e0531908ea7d506ce9839

loge.otzo.com
vvcxvsdvx.dynamic-dns.net

# Reference: https://otx.alienvault.com/pulse/5d23054ff45f6eb94e824460
# Reference: http://blog.ptsecurity.com/2019/07/ironpython-darkly-how-we-uncovered.html
# Reference: https://static.ptsecurity.com/phdays/presentations/phdays-9-ironpython-on-the-dark-side-the-silent-trio-from-croatia.pdf
# Reference: https://app.any.run/tasks/11c30ef5-3297-4a3e-b85f-f9291aac910a/

http://198.46.182.158
176.105.255.59:8089
konzum.win
postahr.online
postahr.vip
posteitaliane.live

# Reference: https://news.sophos.com/en-us/2019/07/11/oto-gonderici-excel-formula-injections-target-turkish-victims/
# Reference: https://github.com/sophoslabs/IoCs/blob/master/Malspam-OtoGonderici
# Reference: https://otx.alienvault.com/pulse/5d276b688642da33ba698260

2073.mobi
25665.club
25665.me
33016.club
60431.club
75735.club
77444.club
80001.me
82813.club
Jdokdo.ml
aetye.ml
aghkf.ml
atessan.online
avrupagoz.online
ayanw.ml
banage.live
basaso.mobi
burcutekstil.online
cinarterlik.online
cnfh.mobi
cpaneh.tk
ekqff.ml
ewouif.gq
fazilet.club
gelovosaja.club
ghtc.mobi
gyqey.ml
hcsscj.ga
hfik.mobi
hocoso.mobi
hvaycz.cf
inssanayi.mobi
iquqy.ml
jahlq.ml
jekarebege.online
jjsiu.ml
jodaje.mobi
johaca.mobi
jurugq.host
kartalescort.mobi
kayaya.mobi
kojero.mobi
lca.mobi
mgw.mobi
nafaro.mobi
nefal.mobi
nehabe.mobi
nejoja.mobi
nvmdv.ml
peindikescort.mobi
pqoyruw.ga
professional.mobi
pvrdn.ml
qoloa.ml
qyhhy.ml
qzitt.ml
rimaw.ml
rlg.mobi
rtrzd.ml
selcukecza.online
specforce.space
supkh.mobi
swtaegs.ml
tamor.mobi
taneketevo.online
tgmml.ml
turkcall.mobi
tzlss.mobi
urdnz.cf
vazawoweso.online
vecoha.mobi
vgplb.ml
vpewqz.tk
walatecaqa.club
wdplf.ml
whyog.ml
wpf.mobi
wqplw.ml
yepeyowora.online
yerago.mobi
yklud.ml
ynngon.ml
yolecafeha.club
yomka.ml
yuktu.ml
zavayo.mobi
zayero.mobi
zororo.mobi

# Reference: https://www.zsis.hr/default.aspx?id=415

176.105.255.59:8089
postahr.vip
posteitaliane.live

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/
# Reference: https://otx.alienvault.com/pulse/5d3091d8a6d3522c9d5dcaff

http://144.202.19.31
http://95.179.168.23
diangovcomuiscia.com
eltiempocomco.com
medicosempresa.com

# Reference: https://twitter.com/cyberwar_15/status/1156091180293206016

http://51.254.60.208

# Reference: https://twitter.com/KevinPerlow/status/1156406115472760835 (# tcpihlp)

f1.vr.wincloud.com
d1.link.outbox.com

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware%20analysis%2020-08-19.md
# Reference: https://www.virustotal.com/gui/ip-address/167.88.180.148/relations

http://167.88.180.148
247up.org
apple-net.com
mediadomainservice.org
renewyourclicks.org
siteup-365.org

# Reference: https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/
# Reference: https://otx.alienvault.com/pulse/5d5d7094114b8af4a377f676

gmailusercontent.site
protect-outlook.com
srf-goolge.site

# Reference: https://twitter.com/Timele9527/status/1166188375109296128

mmksba.dyndns.org

# Reference: https://research.checkpoint.com/the-eye-on-the-nile/
# Reference: https://otx.alienvault.com/pulse/5d95e00256c29a9623c3cc97

arabindex.info
drivebackup.co
indexmasr.com
indexy.org
maillogin.live
mailsecure.live
servegates.com
txtips.com
weblogin.live

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2014/2014-07-15-targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities.csv

asdf.avstore.com.tw
asdf.skypetm.com.tw
avast.avstore.com.tw
avstore.com.tw
bluer.avstore.com.tw
bz.kimoo.com.tw
chanxe.avstore.com.tw
gmail.skypetm.com.tw
jamessmith.avstore.com.tw
mca.avstore.com.tw
skypetm.com.tw
sophos.skypetm.com.tw
star.yamn.net
vbnm.skypetm.com.tw
zeng.skypetm.com.tw

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-02-gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems.csv

braveprince.com
followgho.byethost7.com
nid-help-pchange.atwebpages.com

# Reference: https://cyberwarzone.com/massive-collection-rat-backdoors-iraq-syria-free-2-share/

aaaaaaaahmad.no-ip.biz
abdillahzraibi.no-ip.biz
abdou36.noip.me
abevahack123.no-ip.biz
ahmad83t.no-ip.biz
alaa170.no-ip.org
alialzainabe.mooo.com
alkator.dns53.biz
allal.x64.me
anroideex1.noip.me
attackerman.ddns.net
avg99.does-it.net
avira2015.no-ip.biz
az4511lon.ddns.net
bacoussama.no-ip.biz
badboy02.no-ip.biz
badrop2ch.zapto.org
basel123.no-ip.org
bctnra.zapto.org
beddass.no-ip.biz
bilallchefa.zapto.org
cat85.no-ip.org
charisma1996.linkpc.net
codehacker.no-ip.biz
cyberyassine.no-ip.org
deekay123.linkpc.net
djou233.zapto.org
drogbaaa.zapto.org
druxyhere.ddns.net
een21.hopto.org
eliadz.no-ip.biz
eshta.linkpc.net
facebookchanel.servehalflife.com
ferkhwazumar.no-ip.biz
fifaorigin123.no-ip.biz
firas12345.ddns.net
freekali1.no-ip.biz
gardien.myq-see.com
gmlbooter.no-ip.biz
gohakeing.no-ip.org
hack-c4.zapto.org
hacker.syr.linkpc.net
hacker963.myq-see.com
hoppyhoppy.ddns.net
hoxor121.no-ip.org
hussienkahoul.no-ip.biz
ibrahem1010.no-ip.biz
iibbrr.zapto.org
isuero.no-ip.info
jado7alassad.ddns.net
jaziremanoto.no-ip.org
joke2014.no-ip.biz
kaikun.mooo.com
kakalaw25.ddns.net
kakar5.ddns.net
kakgwl.no-ip.biz
kano.ddns.net
khaleeel.no-ip.biz
khouyatte.duckdns.org
kiim.no-ip.biz
killerah.no-ip.biz
kimou3939.no-ip.biz
king-enutroof.no-ip.biz
kingoof.ddns.net
koknjkoke.myq-see.com
kokopopo2.no-ip.biz
kurdboy.zapto.org
kurdboy666.noip.me
kurdish-hacker.no-ip.org
kurdish2000.ddns.net
kurdustan.no-ip.biz
laid0404.ddns.net
loki2.linkpc.net
lov3black.no-ip.biz
lulzpedia.ddns.net
m7tagk.zapto.org
mahmoudelmassry.no-ip.biz
makarov123.no-ip.org
max2015.ddns.net
mazamoza.no-ip.biz
medknass.ddns.net
medoblack.no-ip.biz
mghool.no-ip.biz
mhamedhc.no-ip.org
mi3283.ddns.net
mo7trf0.no-ip.biz
mohchaiba.no-ip.biz
momo321.dnsd.info
mozilla.myq-see.com
mrman.no-ip.biz
mth3protn.ddns.net
muhanned.myq-see.com
mynjrathost.no-ip.biz
n5z.no-ip.biz
nabard81.ddns.net
nada00.no-ip.biz
nash2t.linkpc.net
nasreen123.no-ip.biz
nilolack.zapto.org
nj88.no-ip.biz
njrat-dz2.no-ip.biz
nmb007.no-ip.biz
now-see.publicvm.com
ooolll.ddns.net
optera.hopto.org
rami7733.no-ip.org
ramisy.ddns.net
raoufraouf.ddns.net
rapmorix.no-ip.org
roma1996.no-ip.org
roy5150.no-ip.biz
salmanvegeta.no-ip.biz
samermax.no-ip.biz
sara31.ddns.net
sat2014.zapto.org
scorpionjo.linkpc.net
sfeer55.no-ip.biz
sharazoori.zapto.org
sifebuissines.noip.us
silent404tmd.no-ip.biz
silver13.ddns.net
sneakking.myq-see.com
syria2016.ddns.net
syriano.hack.dnsd.info
theblack2015.no-ip.biz
thejoe.publicvm.com
thekingh.linkpc.net
tplinkdbk.ddns.net
unknownman13.mooo.com
vergilalasad.no-ip.biz
vip.all4syrian.com
vk1000250.no-ip.biz
webmaxot.publicvm.com
wejden2014.ddns.net
wepspacet.publicvm.com
x3rbx.ddns.net
xhxh1988.no-ip.org
yg4h.no-ip.biz
younesmer.myq-see.com
zasosna.myq-see.com
zasosna.no-ip.org
zinebzina.ddns.net
zoro2015.ddns.net

# Reference: https://twitter.com/blackorbird/status/1194824371904237568

pahealth.info

# Reference: https://blog.ptsecurity.com/2019/12/turkish-tricks-with-worms-rats-and.html

http://192.95.3.137
http://192.95.3.140
http://5.255.63.12
bcorp.fun
bkorp.xyz
buhar.us
definebilimi.com
husan.ddns.net
husan2.ddns.net
husan3.ddns.net
i36-imgur.com
i37-imgur.com
i38-imgur.com
i39-imgur.com
prntsrcn.com
qqww.eu

# Reference: https://www.secureworks.com/research/bronze-president-targets-ngos
# Reference: https://otx.alienvault.com/pulse/5e0a1aa2617f951d88c9d891

apple-net.com
forexdualsystem.com
ipsoftwarelabs.com
lionforcesystems.com
oshibadrive.com
strust.club
svchosts.com
svrhosts.com
wbemsystem.com

# Reference: https://twitter.com/cyber__sloth/status/1216769444829179904
# Reference: https://otx.alienvault.com/pulse/5e1cde40219fa7e9f40164e7
# Reference: https://www.virustotal.com/gui/ip-address/160.20.147.84/relations

domain-lk.sytes.net
foreign-mv.sytes.net
ncit-gov.sytes.net
windefupdate.sytes.net

# Reference: https://www.isc2peruchapter.org/pdfs/2019-04-24-Eric.pdf

personanddog.info

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1225581378840006656 (# DangerousPasswords)
# Reference: https://pastebin.com/raw/cLWvyJ20
# Reference: https://twitter.com/Rmy_Reserve/status/1230881875767377920
# Reference: https://twitter.com/ShadowChasing1/status/1328208737933246464
# Reference: https://www.virustotal.com/gui/file/4c574c1a2b126c8a5ba1ef9560516d0ac9990c0253119f874eb084b57742e3d7/detection

http://84.201.189.216
103.205.179.4:8080
amazonaws1.info
gdrvup.xyz
gmaildrive.site
googleauth.pro
googledriver.info
googleupload.info
liveonedrvshare.xyz
secureshares.online
gdriveupload.info

# Reference: https://lab52.io/blog/intelligence-operation-against-targets-in-indonesia/
# Reference: https://otx.alienvault.com/pulse/5e441513dbb6d26fca51ee52

musicstore.global.ssl.fastly.net

# Reference: https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/
# Reference: https://otx.alienvault.com/pulse/5e6a5d43825f9463366799c6

acccountsgoog1e.com
account-mail.info
accountapp.xyz
accountsgoog1e.com
alexandr01299.xyz
auth-google.site
auth-mail.email
badoo-account-security.com
check-activity.com.ru
chrome-redirect.top
com-auth.site
com-enter.site
com-gm.site
com-google.site
comericac.com
desktest1.xyz
desktest5.xyz
desktest9.xyz
dokerest.xyz
dokertest.xyz
droinjoin.xyz
emails-support.site
fedortest.xyz
freekremlin.com
frosdank.com
frostdank.com
garant-help.com
gmail-warning.top
google-activity.pw
gvoice8765.online
hpphhpph.com
id-support-email.com
joindroin.xyz
lamatrest.xyz
mail-auth.email
mail-auth.online
mail-google.email
my-short.com
myaccount-support.top
mycabinet.xyz
mynavvfedera1.org
mynavyfedera1.org
mynavyfedral.org
mynevyfedera1.org
navyfedara1.org
navyfedera1.com
navyfedera1.org
navyfederai.org
nayfedera1.org
nevyfedera1.org
nitroqensports.eu
nsdns.xyz
poxypoxy.xyz
rc-room.com
support-emails.host
t1bank.xyz
testdhome1.xyz
testdhome4.xyz
testdom1.xyz
testdom3.xyz
testfor7.xyz
vkontak1e.com
voice98765.online
xn--avyfedera-yubm.org
xn--bckchain-v3a30f.com
xn--blckchain-17c.com
xn--blockcain-lmb.com
xn--mynavyfedera-occ.org
xn--navyfderal-36a.com
xn--navyfedera-j0b.org
yandex-account-security.com

# Reference: https://twitter.com/ximo_lcg/status/1242298741140250624
# Reference: https://app.any.run/tasks/642a1b8c-6232-41c0-8c74-0f4513a44599/
# Reference: https://www.virustotal.com/gui/ip-address/34.247.80.95/relations

javacon.eu
cdn.javacon.eu

# Reference: https://twitter.com/Rmy_Reserve/status/1244817235211739141

cloudfiles.club

# Reference: https://twitter.com/Rmy_Reserve/status/1246404220040802309 (# DangerousPassword)

88.204.166.59:8080

# Reference: https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/
# Reference: https://otx.alienvault.com/pulse/5e9f5eb5352e6287ee4c0e67

api.doubles.click
cdn.doublesclick.me
start.apiforssl.com
static.doublesclick.info
status.search-sslkey-flush.com
status.verifyingbycf.com

# Reference: https://twitter.com/ximo_lcg/status/1252771553365782528

a.00-online.com

# Reference: https://blog.alyac.co.kr/242 (Korean)

122.10.93.136:6687

# Reference: https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf (Chimera, Semiconductors)
# Reference: https://medium.com/@cycraft_corp/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730
# Reference: https://otx.alienvault.com/pulse/5ea073a3c14dae77c07976d3

chrome-applatnohp.appspot.com
78276.ussdns01.heketwe.com
78276.ussdns02.heketwe.com
ussdns01.heketwe.com
ussdns02.heketwe.com
ussdns04.heketwe.com

# Reference: https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ (Chimera)
# Reference: https://otx.alienvault.com/pulse/5ffde53573457b19cacf41be

EuDbSyncUp.com
MsCupDb.com
UsMobileSos.com
europe-s03213.appspot.com
eustylejssync.appspot.com
fsdafdsfdsaflkjkxvzcuifsad.azureedge.net
ictsyncserver.appspot.com
officeeuropupd.appspot.com
officeeuupdate.appspot.com
platform-appses.appspot.com
sowfksiw38f2aflwfif.azureedge.net
watson-telemetry.azureedge.net

# Reference: https://www.cib.gov.tw/News/BulletinDetail/8294
# Reference: https://otx.alienvault.com/pulse/5ec7ff4ec67d6aca23b7c350

outlook-offices.com
phonectrl.com
tibet-office.com

# Reference: https://twitter.com/w3ndige/status/1265745221419229187

86wts86a8j.com
update.86wts86a8j.com

# Reference: https://twitter.com/cyber__sloth/status/1271580177521414145

mofa-gov-pk.com

# Reference: https://twitter.com/cyber__sloth/status/1271577668752998405

def.support

# Reference: https://twitter.com/MBThreatIntel/status/1273309450992930817
# Reference: https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/

updateeset.com
yenile.asia

# Reference: https://app.any.run/tasks/db1be70f-b51f-4994-95f8-0af911335193/

137.220.180.39:8082

# Reference: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf
# Reference: https://otx.alienvault.com/pulse/5eea47f6776f5e41c8346a31

http://205.210.162.36/start.html
http://205.210.162.36/www2default/css1/style.xsl
cwjamaica.biz/images/logo.png
sbsserv.camdvr.org/top.swf
km.wu.ac.th/image/office.jpg
safebrowsing.gleeze.com
markham.ca/css1/Mar.xsl
markham.ca/css1/style.swf
markham.ca/css1/style.jpg
markham.ca/css1/style.xsl
markham.ca/css1/style.css
markham.ca/view_center.asp
markham.ca/css/first.css
markham.ca/first.jpeg
markham.ca/politicia.asp
markham.ca/taxing-churc.asp
markham.ca/exports-to-Turkey.asp
markham.ca/Climate.asp
markham.ca/discoveries.asp
markham.ca/pay-talks-fai.asp
markham.ca/Nouvelles.asp
markham.ca/News.asp
markham.ca/Noticias.asp
markham.ca/EU-nominee.asp
markham.ca/Business.asp
markham.ca/Culture.asp
markham.ca/Life-Work.asp
markham.ca/Comercio.asp
markham.ca/Links.asp
markham.ca/churc.asp
markham.ca/products.asp
markham.ca/exports.asp
online.verzatec.com/banner.asp
nic.mywire.org
chuta.jp/jtool/dic.css
chuta.jp/jtool/dic.png
chuta.jp/jtool/politicia.asp
chuta.jp/jtool/taxing-churc.asp
chuta.jp/jtool/exports-to-Turkey.asp
chuta.jp/jtool/Climate.asp
chuta.jp/jtool/discoveries.asp
chuta.jp/jtool/pay-talks-fai.asp
chuta.jp/jtool/Nouvelles.asp
chuta.jp/jtool/News.asp
chuta.jp/jtool/Noticias.asp
chuta.jp/jtool/EU-nominee.asp
chuta.jp/jtool/Business.asp
chuta.jp/jtool/Culture.asp
chuta.jp/jtool/Life-Work.asp
chuta.jp/jtool/Comercio.asp
chuta.jp/jtool/Links.asp
chuta.jp/jtool/churc.asp
chuta.jp/jtool/products.asp
chuta.jp/jtool/exports.asp
comnet.aev.com/wik.xsl
servicediscovery.kozow.com
w3.casacam.net

# Reference: https://blog.lookout.com/multiyear-surveillance-campaigns-discovered-targeting-uyghurs
# Reference: https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf
# Reference: https://otx.alienvault.com/pulse/5efca5ec3da9c1ceace695fc

androidsapps.ml
babyedu-online.com
googleanalyseservice.net
googlleservice.com
symantecupdate.net
vipappdownload.com
wephone.top
6006.secpert.com
6006.upupdate.cn
amote-366.vicp.cc
android.apps.us.to
androidapps.duia.in
androidapps.fvk.cc
androidapps.home.hn.org
androidapps.jetos.com
androidapps.linkpc.net
androidapps.myfirewall.org
androidapps.nerdpol.ovh
androidapps.npff.co
androidapps.nsupdate.info
androidapps.spdns.eu
androidapps.spdns.org
androidapps.tempors.com
coco.wikaba.com
cookedu-online.com
englishedu-online.com
heartsys.dnsapi.info
joke.upupdate.cn
nortonservice.net
phpyahoo.mrbasic.com
s101.secpert.com
s2.upupdate.cn
ss903.w3.ezua.com
ss904.w3.ezua.com
sz.secpert.com
tree.ddns.us
turknews-online.com
turkyedu-online.com
umare.zyns.com
vipapkdownload.com
youtube.dynamicdns.org.uk

# Reference: https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities
# Reference: https://otx.alienvault.com/pulse/5efccb42e70b867e18ff1825

http://193.29.59.130
http://23.106.122.234

# Reference: https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf
# Reference: https://otx.alienvault.com/pulse/5f04d03c68918d97811bda03

cloud-front-gateway.cc
confidential-privileged.com
email-gateway-host.cc
encrypted-gateway.cc
encrypted-host.cc
encrypted-mail-gateway.cc
encrypted-mail-server.com
encrypted-network.cc
encrypted-smtp-transport.cc
eu-1-host-protection.cc
fortinet-gateway.cc
fortinet-host-protection.cc
fortinet-host.cc
fortinet-protection.cc
fortinet-server.cc
mail-transport-agent.cc
mail-transport-gateway.cc
mail-transport-host.cc
mail-transport-protection.cc
mx-gateway-host.cc
mx-secure-email-host.cc
mx-secure-email-server.cc
mx-secure-net.com
node-protection.cc
privileged-secured.com
relay-secure-smtp.com
secure-email-delivery.cc
secure-email-gateway.cc
secure-email-host.cc
secure-email-host.com
secure-email-net.cc
secure-email-provider.cc
secure-email-provider.com
secure-email-server.cc
secure-email-server.net
secure-email-service.com
secure-mail-cast.com
secure-mail-gateway.cc
secure-mail-host.cc
secure-mail-host.com
secure-mail-net.cc
secure-mail-net.com
secure-mail-provider.cc
secure-mail-provider.com
secure-mail-server.cc
secure-mx-gateway.cc
secure-mx-host.com
secure-mx-provider.cc
secure-mx-server.cc
secure-mx-service.cc
secure-server-smtp.cc
secure-smtp-delivery.cc
secure-smtp-gateway.cc
secure-smtp-host.cc
secure-smtp-host.com
secure-smtp-provider.cc
secure-smtp-server.cc
secure-smtp-server.com
secure-smtp-service.cc
secure-smtp-service.com
secure-ssl-sec.com
smtp-gateway-host.cc
smtp-secure-gateway.cc
smtp-secure-service.cc
smtp-server-relay.com

# Reference: https://twitter.com/spider_girl22/status/1287952503280082944
# Reference: https://www.virustotal.com/gui/file/126986d2789c932a473e606ba936d97dbef87ba64659f4515e95237de1701b3b/detection

techimplement.com/wp-content/uploads/wp-logs/mailchimp.php

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/water-nue-campaign-targets-c-suites-office-365-accounts/

highstreetmuch.xyz
takeusall.online

# Reference: https://www.bitdefender.com/files/News/CaseStudies/study/365/Bitdefender-PR-Whitepaper-APTHackers-creat4740-en-EN-GenericUse.pdf
# Reference: https://otx.alienvault.com/pulse/5f475fecd47f88519e3140e2

175.197.40.61:3445

# Reference: https://www.threatcrowd.org/domain.php?domain=abc69696969.vicp.net
# Reference: https://www.virustotal.com/gui/domain/abc69696969.vicp.net/detection
# Reference: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-blond.pdf
# Reference: https://www.virustotal.com/gui/ip-address/103.105.59.104/relations

abc69696969.vicp.net
googleimg.top

# Reference: https://twitter.com/h2jazi/status/1304492241898090496
# Reference: https://www.virustotal.com/gui/file/60399bf2cc5bd28a39f2498adcc6113fc86327872dbaa0f0b280d333c5675908/detection
# Reference: https://www.virustotal.com/gui/domain/storagecdn.eu/relations

storagecdn.eu

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a
# Reference: https://otx.alienvault.com/pulse/5f6d08b2d10722175748a71e

185.193.127.18
185.86.151.223
207.220.1.3
78.27.70.237
91.219.236.166

# Reference: https://github.com/DoctorWebLtd/malware-iocs/blob/master/APT_news2020/README.adoc
# Reference: https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf
# Reference: https://otx.alienvault.com/pulse/5f7a0e9cd535606ddee04448
# Reference: https://www.virustotal.com/gui/file/c9de1dad018236049ed88be9ccab28e75a04609466288451c4c1971b27e5e3eb/detection
# Reference: https://www.virustotal.com/gui/file/01118e56a1c5dafc2d82f154eb1a67d39a19f131ca1dc5e0f356a017b1932611/detection
# Reference: https://www.virustotal.com/gui/file/845198a33ca50860688cac016323302cf33054e1b52a3bff1b66f15a625a0b66/detection
# Reference: https://www.virustotal.com/gui/file/dfbec38959eae893dfa13c7ce526862f9306f5fb95102e0885debeec4a063d45/detection

122.10.82.65:8080
176.10.118.154:8443
185.158.249.120:8080
http://176.10.118.154
download.inklingpaper.com
duck.manhajnews.com
gova.manhajnews.com
john.newss.nl
news.microotf.com
news.newss.nl
news.zannews.com
newsfor.newss.nl
newsinfo.newss.nl
nissen.newss.nl
sports.manhajnews.com
webnews.newss.nl
inklingpaper.com
microotf.com
newss.nl
zannews.com

# Reference: https://twitter.com/Rajer_arthur/status/1313099977141481474
# Reference: https://app.any.run/tasks/25c9ee95-f8b8-4124-9e27-82a348ba3301/
# Reference: https://www.virustotal.com/gui/file/7007f35df3292a4ecd741839fc2dafde471538041e54cfc24207d9f49016dc77/detection

cannabispropertybrokers.com

# Reference: https://securelist.com/olympic-destroyer-is-still-alive/86169/
# Reference: https://systemtek.co.uk/2018/06/olympic-destroyer-malware/

http://79.142.76.40/news.php
http://159.148.186.116/admin/get.php
http://159.148.186.116/login/process.php
http://159.148.186.116/news.php
ppgca.ufob.edu.br/components/com_finder/helpers/access.log
ppgca.ufob.edu.br/components/com_finder/views/default.php
narpaninew.linuxuatwebspiders.com
mysent.org
79.142.76.40:8989
5.133.12.224:333

# Reference: https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/ (#AmericanUSA, #HELLO_USA_PRISIDENT, #KilllSomeOne)

160.20.147.254:9999

# Reference: https://www.proofpoint.com/us/blog/threat-insight/persistent-actor-targets-ledger-cryptocurrency-wallets
# Reference: https://otx.alienvault.com/pulse/5fa472e97ef9fd555c12347d

au-ledger.com
ca-ledger.com
com-client.email
de-ledger.com
dogcat.space
dogcowbat.com
fr-ledger.com
funnerhere.com
homeandfamilyuniverse.com
it-ledger.com
ledger-chain.com
ledger-chain.info
ledger-live.io
ledger-support.io
ledger.buzz
ledger.deals
ledger.legal
ledger.org.pl
ledger.report
ledgermailer.io
ledgersupport.io
legder-support.io
legder.com
lmao.money
loldevs.com
nl-ledger.com
numisconsult.com
nz-ledger.com
quikview-update.com
quikview.work
t-mobile-sq.com
theironshop.net
tmobile.digital
us-ledger.com
usa-ledger.com
xn--ldger-6za.com
xn--ldger-n51b.com
xn--ldgr-vvac.com
xn--ledge-xbb.com
xn--ledgr-9za.com
xn--ledgr-q51b.com
ledger.uk.com
ledger.us.org
secure.hbccing.com

# Reference: https://twitter.com/AnonySecAgency/status/1316292983508013056
# Reference: https://www.virustotal.com/gui/file/c88d0f7d623b2a2c066dd6b15597d1f4c44d89e7a8e660e28c3494f441826ea5/detection

103.139.2.93:1702

# Reference: https://twitter.com/0xthreatintel/status/1330027963157508096
# Reference: https://mp.weixin.qq.com/s/aMj_EDmTYyAouHWFbY64-A (Chinese)
# Reference: https://www.virustotal.com/gui/ip-address/176.119.2.122/relations
# Reference: https://www.virustotal.com/gui/ip-address/78.140.162.22/relations
# Reference: https://www.virustotal.com/gui/ip-address/87.251.77.19/relations
# Reference: https://otx.alienvault.com/pulse/5fb83d70906bd27194456779
# Note: Potentially could be related to APT Gamaredon campaign, but currently there're no evidences on it.

176.119.2.122:443
87.251.77.19:443
24ua.website
bukovel.host
d0t.host
depo.host
glavpost.site
inforesist.press
inforesist.site
kharkiv.host
mytv.host
obozrevatel.press
rttv.host
tribun.site
uanews.press
ukrnet.press
unian.pw
vgolos.press
w0x.host

# Reference: https://www.domaintools.com/resources/blog/current-events-to-widespread-campaigns-pivoting-from-samples-to-identify
# Reference: https://otx.alienvault.com/pulse/5fb8172cdb6535bd6935bfd6

2020-windows.com
azureblog.info
brexitimpact.com
doc-fid.com
e-government-pk.com
e-govoffice.com
get-news-online.com
gmocloudhosting.com
interior-gov.com
iphoneupdatecheck.com
live-media.org
liveinfo.org
log1inbox.com
ms-check-new-update.com
msofficeupdate.com
msofficeupdate.org
msupdatecheck.com
netserviceupdater.com
new-office.org
newoffice-template.com
newoffice-update.com
newupdate.org
officeupgrade.org
petronas-me.com
rarnbler.com
rneil.ru
srv3-serveup-ads.net
template-new.com
template-office.org
tls-login.com
update-office.com
upgrade-office.com
upgrade-office.org
user-twitter.com
weather-server.net

# Reference: https://securityintelligence.com/posts/ibm-uncovers-global-phishing-covid-19-vaccine-cold-chain/
# Reference: https://otx.alienvault.com/pulse/5fc923119243821757b02f15

e-mailer.cf
e-mailer.ga
mailerdeamon.cf
mailerdeamon.ga
mailerdeamon.gq
mailerdeamon.ml
mailerdeamon.tk
nwa-oma.ml
nwa-oma2.ml
routermanager.ga
routermanager.gq
routermanager.ml
routermanager.tk
routermanagers.cf
routermanagers.ga
routermanagers.gq
routermanagers.ml
routermanagers.tk
serverrouter.cf
serverrouter.ga
serverrouter.tk
serversrouter.cf
serversrouter.gq

# Reference: https://twitter.com/ShadowChasing1/status/1339195498519875585 (# DangerousPassword)

gdocshare.com

# Reference: https://twitter.com/ShadowChasing1/status/1339933511973699584 (# DangerousPassword)
# Reference: https://www.virustotal.com/gui/file/c64e2993563345fd497cfc382de27c7791b4f172d2c50d79b6290c2f9c06102c/detection

google-clouds.com

# Reference: https://twitter.com/cyber__sloth/status/1344208175168368641 (# DangerousPassword)
# Reference: https://twitter.com/cyber__sloth/status/1344208380525752321 (# DangerousPassword)

addrcheck.corecheckmailsrv.com
cloud-sheet.net
cloud.optvers.net
corecheckmailsrv.com
digitalcurencygroup.co
down.privatework.buzz
fidelitydigitalsassets.com
gdocshare.com
goglestorage.com
google-clouds.com
googleproduct.org
gsuiteshare.com
msftoffice.com
myemail.works
official.googleproduct.org
presentonline.xyz
privatework.buzz
sharesvr.net

# Reference: https://twitter.com/ClearskySec/status/1311291935685070848
# Reference: https://www.clearskysec.com/operation-kremlin/

http://185.243.112.18
http://185.243.112.57
http://5.9.242.126
bibigreen.ru/wp-content/energia/wp/
bibigreen.ru/up/up.php
hesheflowershop.ru/wp/up.php