# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/
# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-01-06-malicious-document-targets-pyeongchang-olympics/malicious-document-targets-pyeongchang-olympics.csv

200.122.181.63:443
thlsystems.forfirst.cz
ospf1-apac-sg.stickyadstv.com
mafra.go.kr.jeojang.ga
jeojang.ga
nctc.go.kr

# Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/?mid=1
# Reference: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf
# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-12-12-operation-sharpshooter-targets-global-defense-critical-infrastructure/operation-sharpshooter-targets-global-defense-critical-infrastructure.csv

http://208.117.44.112
http://34.214.99.20/view_style.php
137.74.41.56/board.php
kingkoil.com.sg/board.php
kingkoil.com.sg/query.php

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
# Reference: https://twitter.com/bkMSFT/status/1093109336740642816

llpsearch.com
miphomanager.com

# Reference: https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/

071790.000webhostapp.com
7077.000webhostapp.com
881.000webhostapp.com
hanbosston.000webhostapp.com
vnik.000webhostapp.com
a7788.1apps.com
attach10132.1apps.com
bluemountain.1apps.com
filer1.1apps.com
s8877.1apps.com
files.000
ftp.byethost7.com
ftp.byethost10.com
webhost.com
webmail-koryogroup.com
61.14.210.72:7117

# Reference: https://twitter.com/blackorbird/status/1107214927402418176
# Reference: https://twitter.com/blackorbird/status/1107479347013672960

ddlove.kr/bbs/dta/1

# Reference: https://twitter.com/blackorbird/status/1082553543280680962

ago2.co.kr/bbs/data/dir

# Reference: https://twitter.com/blackorbird/status/1100691198346354688

46.29.163.222:9999

# Reference: https://otx.alienvault.com/pulse/5c9a457b3acc7f0eba431c81
# Reference: https://www.recordedfuture.com/scanbox-framework-campaign/

mailshield.ga
mail.mailshield.ga
monlamlt.com
oppo.ml
photogram.ga
tibct.net
tibct.org
tracking.dgip.gov.pk

# Reference: https://twitter.com/ClearskySec/status/1055404788635103232
# Reference: https://www.clearskysec.com/iec/

host-gv.appspot.com
journey-in-israel.com
iecr.co
iec-co-il.com
israelalerts.us
israelalert.us
pokemonisrael.yolasite.com
sourcefarge.net
users-management.com
ynetnewes.com

# Reference: https://twitter.com/ClearskySec/status/971454423548530688

baoin.baotintu.com
chinhtri.tourismas.com
kinhte.baotintu.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-12: Malicious Invoice of Telcel Mexican Telecommunication Company)

bambi.sytes.net

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-06: Iranian Greenbug targeting against Arab Emirates - Invoice-NO48935.doc)

acrobatverify.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-1-1: Campaign targeting Turkey with fake purchase order requests, drops low detection Java malware)

gorevleriyok.com

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (Chinese)

Jospubs.com

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

digi-cert.org
somtelnetworks.com
geotrusts.com
secureclientupdate.com
digicertweb.com
sport-pesa.org
itaxkenya.com
businessdailyafrica.net
infotrak-research.com
nairobiwired.com
k-24tv.com

# Reference: https://twitter.com/blackorbird/status/1132884799310319616
# Reference: http://blogs.360.cn/post/APP_Plugin.html
# Reference: https://securelist.com/whos-who-in-the-zoo/85394/
# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf

http://5.61.27.154
http://5.61.27.157
http://5.61.27.173
http://91.109.23.175
androidupdaters.com
adobeactiveupdates.com
adobeactiveupdate.com
adobeseupdater.com
dlgmail.com
dlstube.com
dlstubes.com
entekhab10.xp3.biz
googleupdators.com
rhubarb2.com
rhubarb3.com
solar64.xp3.biz

# Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

# Aliases: brave prince, gold dragon, ghost419

eodo1.000webhostapp.com
follow_dai.000webhostapp.com
trydai.000webhostapp.com
followgho.byethost7.com
ink.inkboom.co.kr
nid-help-pchange.atwebpages.com

# Reference: https://twitter.com/jq0904/status/1137362044271730694

hellojames.sportsontheweb.net

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/
# Reference: https://otx.alienvault.com/pulse/5d0276b98d2d7d679ed51fa2

tenchier.com
pilutce.com
miniast.com
boreye.com

# Reference: http://www.issuemakerslab.com/research2/index.html

pyeonta.com/board/news/board.asp
sdajunghwa.com/admin/data/admindata.asp
patentmall.net/goods/goods.asp
orentcar.com/rental/sub06.asp

# Reference: https://twitter.com/blackorbird/status/1141302473623105536

soportearus.com.co
/arus_collect.php

# Reference: https://twitter.com/DbgShell/status/1146012416968417280
# Reference: https://research.checkpoint.com/operation-tripoli/ (# Operation Tripoli)

aarasid.com/libya/index.html
clientstats.epss.org.ly
dexter-ly.com
dexter-ly.space
drpc.duckdns.org
forum.myvnc.com
kalifhaftar.blogspot.com
libyanews111.blogspot.com
libya-10.com.ly
sirtggp.com/libyanew/index.html

# Reference: https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018
# Reference: https://otx.alienvault.com/pulse/5d1e0531908ea7d506ce9839

loge.otzo.com
vvcxvsdvx.dynamic-dns.net

# Reference: https://otx.alienvault.com/pulse/5d23054ff45f6eb94e824460
# Reference: http://blog.ptsecurity.com/2019/07/ironpython-darkly-how-we-uncovered.html
# Reference: https://static.ptsecurity.com/phdays/presentations/phdays-9-ironpython-on-the-dark-side-the-silent-trio-from-croatia.pdf

http://198.46.182.158
176.105.255.59:8089
konzum.win
postahr.online
postahr.vip
posteitaliane.live

# Reference: https://news.sophos.com/en-us/2019/07/11/oto-gonderici-excel-formula-injections-target-turkish-victims/
# Reference: https://github.com/sophoslabs/IoCs/blob/master/Malspam-OtoGonderici
# Reference: https://otx.alienvault.com/pulse/5d276b688642da33ba698260

2073.mobi
25665.club
25665.me
33016.club
60431.club
75735.club
77444.club
80001.me
82813.club
Jdokdo.ml
aetye.ml
aghkf.ml
atessan.online
avrupagoz.online
ayanw.ml
banage.live
basaso.mobi
burcutekstil.online
cinarterlik.online
cnfh.mobi
cpaneh.tk
ekqff.ml
ewouif.gq
fazilet.club
gelovosaja.club
ghtc.mobi
gyqey.ml
hcsscj.ga
hfik.mobi
hocoso.mobi
hvaycz.cf
inssanayi.mobi
iquqy.ml
jahlq.ml
jekarebege.online
jjsiu.ml
jodaje.mobi
johaca.mobi
jurugq.host
kartalescort.mobi
kayaya.mobi
kojero.mobi
lca.mobi
mgw.mobi
nafaro.mobi
nefal.mobi
nehabe.mobi
nejoja.mobi
nvmdv.ml
peindikescort.mobi
pqoyruw.ga
professional.mobi
pvrdn.ml
qoloa.ml
qyhhy.ml
qzitt.ml
rimaw.ml
rlg.mobi
rtrzd.ml
selcukecza.online
specforce.space
supkh.mobi
swtaegs.ml
tamor.mobi
taneketevo.online
tgmml.ml
turkcall.mobi
tzlss.mobi
urdnz.cf
vazawoweso.online
vecoha.mobi
vgplb.ml
vpewqz.tk
walatecaqa.club
wdplf.ml
whyog.ml
wpf.mobi
wqplw.ml
yepeyowora.online
yerago.mobi
yklud.ml
ynngon.ml
yolecafeha.club
yomka.ml
yuktu.ml
zavayo.mobi
zayero.mobi
zororo.mobi

# Reference: https://www.zsis.hr/default.aspx?id=415

176.105.255.59:8089
postahr.vip
posteitaliane.live

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/
# Reference: https://otx.alienvault.com/pulse/5d3091d8a6d3522c9d5dcaff

http://144.202.19.31
http://95.179.168.23
diangovcomuiscia.com
eltiempocomco.com
medicosempresa.com

# Reference: https://www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/

coolbrowsering.xyz
alfapromo.info
archivepoisk-zone.info
onlinemobsoft.ru
anyaaplanet.info
decentsite.xyz
archivepoisk.info
sympleplace.info
adsmeneger.club

# Reference: https://twitter.com/cyberwar_15/status/1156091180293206016

http://51.254.60.208

# Reference: https://twitter.com/KevinPerlow/status/1156406115472760835 (# tcpihlp)

f1.vr.wincloud.com
d1.link.outbox.com

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware%20analysis%2020-08-19.md
# Reference: https://www.virustotal.com/gui/ip-address/167.88.180.148/relations

http://167.88.180.148
247up.org
apple-net.com
mediadomainservice.org
renewyourclicks.org
siteup-365.org

# Reference: https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/
# Reference: https://otx.alienvault.com/pulse/5d5d7094114b8af4a377f676

gmailusercontent.site
protect-outlook.com
srf-goolge.site

# Reference: https://twitter.com/Timele9527/status/1166188375109296128

mmksba.dyndns.org

# Reference: https://research.checkpoint.com/the-eye-on-the-nile/
# Reference: https://otx.alienvault.com/pulse/5d95e00256c29a9623c3cc97

arabindex.info
drivebackup.co
indexmasr.com
indexy.org
maillogin.live
mailsecure.live
servegates.com
txtips.com
weblogin.live

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2014/2014-07-15-targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities.csv

asdf.avstore.com.tw
asdf.skypetm.com.tw
avast.avstore.com.tw
avstore.com.tw
bluer.avstore.com.tw
bz.kimoo.com.tw
chanxe.avstore.com.tw
gmail.skypetm.com.tw
jamessmith.avstore.com.tw
mca.avstore.com.tw
skypetm.com.tw
sophos.skypetm.com.tw
star.yamn.net
vbnm.skypetm.com.tw
zeng.skypetm.com.tw

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-02-gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems.csv

braveprince.com
followgho.byethost7.com
nid-help-pchange.atwebpages.com

# Reference: https://cyberwarzone.com/massive-collection-rat-backdoors-iraq-syria-free-2-share/

aaaaaaaahmad.no-ip.biz
abdillahzraibi.no-ip.biz
abdou36.noip.me
abevahack123.no-ip.biz
ahmad83t.no-ip.biz
alaa170.no-ip.org
alialzainabe.mooo.com
alkator.dns53.biz
allal.x64.me
anroideex1.noip.me
attackerman.ddns.net
avg99.does-it.net
avira2015.no-ip.biz
az4511lon.ddns.net
bacoussama.no-ip.biz
badboy02.no-ip.biz
badrop2ch.zapto.org
basel123.no-ip.org
bctnra.zapto.org
beddass.no-ip.biz
bilallchefa.zapto.org
cat85.no-ip.org
charisma1996.linkpc.net
codehacker.no-ip.biz
cyberyassine.no-ip.org
deekay123.linkpc.net
djou233.zapto.org
drogbaaa.zapto.org
druxyhere.ddns.net
een21.hopto.org
eliadz.no-ip.biz
eshta.linkpc.net
facebookchanel.servehalflife.com
ferkhwazumar.no-ip.biz
fifaorigin123.no-ip.biz
firas12345.ddns.net
freekali1.no-ip.biz
gardien.myq-see.com
gmlbooter.no-ip.biz
gohakeing.no-ip.org
hack-c4.zapto.org
hacker.syr.linkpc.net
hacker963.myq-see.com
hoppyhoppy.ddns.net
hoxor121.no-ip.org
hussienkahoul.no-ip.biz
ibrahem1010.no-ip.biz
iibbrr.zapto.org
isuero.no-ip.info
jado7alassad.ddns.net
jaziremanoto.no-ip.org
joke2014.no-ip.biz
kaikun.mooo.com
kakalaw25.ddns.net
kakar5.ddns.net
kakgwl.no-ip.biz
kano.ddns.net
khaleeel.no-ip.biz
khouyatte.duckdns.org
kiim.no-ip.biz
killerah.no-ip.biz
kimou3939.no-ip.biz
king-enutroof.no-ip.biz
kingoof.ddns.net
koknjkoke.myq-see.com
kokopopo2.no-ip.biz
kurdboy.zapto.org
kurdboy666.noip.me
kurdish-hacker.no-ip.org
kurdish2000.ddns.net
kurdustan.no-ip.biz
laid0404.ddns.net
loki2.linkpc.net
lov3black.no-ip.biz
lulzpedia.ddns.net
m7tagk.zapto.org
mahmoudelmassry.no-ip.biz
makarov123.no-ip.org
max2015.ddns.net
mazamoza.no-ip.biz
medknass.ddns.net
medoblack.no-ip.biz
mghool.no-ip.biz
mhamedhc.no-ip.org
mi3283.ddns.net
mo7trf0.no-ip.biz
mohchaiba.no-ip.biz
momo321.dnsd.info
mozilla.myq-see.com
mrman.no-ip.biz
mth3protn.ddns.net
muhanned.myq-see.com
mynjrathost.no-ip.biz
n5z.no-ip.biz
nabard81.ddns.net
nada00.no-ip.biz
nash2t.linkpc.net
nasreen123.no-ip.biz
nilolack.zapto.org
nj88.no-ip.biz
njrat-dz2.no-ip.biz
nmb007.no-ip.biz
now-see.publicvm.com
ooolll.ddns.net
optera.hopto.org
rami7733.no-ip.org
ramisy.ddns.net
raoufraouf.ddns.net
rapmorix.no-ip.org
roma1996.no-ip.org
roy5150.no-ip.biz
salmanvegeta.no-ip.biz
samermax.no-ip.biz
sara31.ddns.net
sat2014.zapto.org
scorpionjo.linkpc.net
sfeer55.no-ip.biz
sharazoori.zapto.org
sifebuissines.noip.us
silent404tmd.no-ip.biz
silver13.ddns.net
sneakking.myq-see.com
syria2016.ddns.net
syriano.hack.dnsd.info
theblack2015.no-ip.biz
thejoe.publicvm.com
thekingh.linkpc.net
tplinkdbk.ddns.net
unknownman13.mooo.com
vergilalasad.no-ip.biz
vip.all4syrian.com
vk1000250.no-ip.biz
webmaxot.publicvm.com
wejden2014.ddns.net
wepspacet.publicvm.com
x3rbx.ddns.net
xhxh1988.no-ip.org
yg4h.no-ip.biz
younesmer.myq-see.com
zasosna.myq-see.com
zasosna.no-ip.org
zinebzina.ddns.net
zoro2015.ddns.net

# Reference: https://twitter.com/blackorbird/status/1194824371904237568

pahealth.info

# Reference: https://blog.ptsecurity.com/2019/12/turkish-tricks-with-worms-rats-and.html

http://192.95.3.137
http://192.95.3.140
http://5.255.63.12
bcorp.fun
bkorp.xyz
buhar.us
definebilimi.com
husan.ddns.net
husan2.ddns.net
husan3.ddns.net
i36-imgur.com
i37-imgur.com
i38-imgur.com
i39-imgur.com
prntsrcn.com
qqww.eu

# Reference: https://www.secureworks.com/research/bronze-president-targets-ngos
# Reference: https://otx.alienvault.com/pulse/5e0a1aa2617f951d88c9d891

apple-net.com
forexdualsystem.com
ipsoftwarelabs.com
lionforcesystems.com
oshibadrive.com
strust.club
svchosts.com
svrhosts.com
wbemsystem.com

# Reference: https://twitter.com/cyber__sloth/status/1216769444829179904
# Reference: https://otx.alienvault.com/pulse/5e1cde40219fa7e9f40164e7
# Reference: https://www.virustotal.com/gui/ip-address/160.20.147.84/relations

domain-lk.sytes.net
foreign-mv.sytes.net
ncit-gov.sytes.net
windefupdate.sytes.net