# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/
# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-01-06-malicious-document-targets-pyeongchang-olympics/malicious-document-targets-pyeongchang-olympics.csv

200.122.181.63:443
thlsystems.forfirst.cz
ospf1-apac-sg.stickyadstv.com
mafra.go.kr.jeojang.ga
jeojang.ga
nctc.go.kr

# Reference: https://twitter.com/h2jazi/status/1361091982433660928
# Reference: https://www.virustotal.com/gui/file/e834ae4132f28ecbbd3b292a94c071c5aaff2c126034fb44069b125c6c2e2484/detection
# Reference: https://www.virustotal.com/gui/file/f9658261912aec9d26f8faf8f8ec37bed6dd28c3cb3d569e5c014d3ee838c57b/detection

fiori-da.azureedge.net

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
# Reference: https://twitter.com/bkMSFT/status/1093109336740642816

llpsearch.com
miphomanager.com

# Reference: https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/

071790.000webhostapp.com
7077.000webhostapp.com
881.000webhostapp.com
hanbosston.000webhostapp.com
vnik.000webhostapp.com
a7788.1apps.com
attach10132.1apps.com
bluemountain.1apps.com
filer1.1apps.com
s8877.1apps.com
files.000
ftp.byethost7.com
ftp.byethost10.com
webhost.com
webmail-koryogroup.com
61.14.210.72:7117

# Reference: https://twitter.com/blackorbird/status/1100691198346354688

46.29.163.222:9999

# Reference: https://otx.alienvault.com/pulse/5c9a457b3acc7f0eba431c81
# Reference: https://www.recordedfuture.com/scanbox-framework-campaign/

mailshield.ga
mail.mailshield.ga
monlamlt.com
oppo.ml
photogram.ga
tibct.net
tibct.org
tracking.dgip.gov.pk

# Reference: https://twitter.com/ClearskySec/status/1055404788635103232
# Reference: https://www.clearskysec.com/iec/

host-gv.appspot.com
journey-in-israel.com
iecr.co
iec-co-il.com
israelalerts.us
israelalert.us
pokemonisrael.yolasite.com
sourcefarge.net
users-management.com
ynetnewes.com

# Reference: https://twitter.com/ClearskySec/status/971454423548530688

baotintu.com
baoin.baotintu.com
chinhtri.tourismas.com
kinhte.baotintu.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-12: Malicious Invoice of Telcel Mexican Telecommunication Company)

bambi.sytes.net

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-06: Iranian Greenbug targeting against Arab Emirates - Invoice-NO48935.doc)

acrobatverify.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-1-1: Campaign targeting Turkey with fake purchase order requests, drops low detection Java malware)

gorevleriyok.com

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (Chinese)

Jospubs.com

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

digi-cert.org
somtelnetworks.com
geotrusts.com
secureclientupdate.com
digicertweb.com
sport-pesa.org
itaxkenya.com
businessdailyafrica.net
infotrak-research.com
nairobiwired.com
k-24tv.com

# Reference: https://twitter.com/blackorbird/status/1132884799310319616
# Reference: http://blogs.360.cn/post/APP_Plugin.html
# Reference: https://securelist.com/whos-who-in-the-zoo/85394/
# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf

http://5.61.27.154
http://5.61.27.157
http://5.61.27.173
http://91.109.23.175
androidupdaters.com
adobeactiveupdates.com
adobeactiveupdate.com
adobeseupdater.com
dlgmail.com
dlstube.com
dlstubes.com
entekhab10.xp3.biz
googleupdators.com
rhubarb2.com
rhubarb3.com
solar64.xp3.biz

# Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

# Aliases: brave prince, gold dragon, ghost419

eodo1.000webhostapp.com
follow_dai.000webhostapp.com
trydai.000webhostapp.com
followgho.byethost7.com
ink.inkboom.co.kr
nid-help-pchange.atwebpages.com

# Reference: https://twitter.com/jq0904/status/1137362044271730694

hellojames.sportsontheweb.net

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/
# Reference: https://otx.alienvault.com/pulse/5d0276b98d2d7d679ed51fa2

tenchier.com
pilutce.com
miniast.com
boreye.com

# Reference: http://www.issuemakerslab.com/research2/index.html

pyeonta.com/board/news/board.asp
sdajunghwa.com/admin/data/admindata.asp
patentmall.net/goods/goods.asp
orentcar.com/rental/sub06.asp

# Reference: https://twitter.com/blackorbird/status/1141302473623105536

soportearus.com.co
/arus_collect.php

# Reference: https://twitter.com/DbgShell/status/1146012416968417280
# Reference: https://research.checkpoint.com/operation-tripoli/ (# Operation Tripoli)

aarasid.com/libya/index.html
clientstats.epss.org.ly
dexter-ly.com
dexter-ly.space
drpc.duckdns.org
forum.myvnc.com
kalifhaftar.blogspot.com
libyanews111.blogspot.com
libya-10.com.ly
sirtggp.com/libyanew/index.html

# Reference: https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018
# Reference: https://otx.alienvault.com/pulse/5d1e0531908ea7d506ce9839

loge.otzo.com
vvcxvsdvx.dynamic-dns.net

# Reference: https://otx.alienvault.com/pulse/5d23054ff45f6eb94e824460
# Reference: http://blog.ptsecurity.com/2019/07/ironpython-darkly-how-we-uncovered.html
# Reference: https://static.ptsecurity.com/phdays/presentations/phdays-9-ironpython-on-the-dark-side-the-silent-trio-from-croatia.pdf
# Reference: https://app.any.run/tasks/11c30ef5-3297-4a3e-b85f-f9291aac910a/

http://198.46.182.158
176.105.255.59:8089
konzum.win
postahr.online
postahr.vip
posteitaliane.live

# Reference: https://news.sophos.com/en-us/2019/07/11/oto-gonderici-excel-formula-injections-target-turkish-victims/
# Reference: https://github.com/sophoslabs/IoCs/blob/master/Malspam-OtoGonderici
# Reference: https://otx.alienvault.com/pulse/5d276b688642da33ba698260

2073.mobi
25665.club
25665.me
33016.club
60431.club
75735.club
77444.club
80001.me
82813.club
Jdokdo.ml
aetye.ml
aghkf.ml
atessan.online
avrupagoz.online
ayanw.ml
banage.live
basaso.mobi
burcutekstil.online
cinarterlik.online
cnfh.mobi
cpaneh.tk
ekqff.ml
ewouif.gq
fazilet.club
gelovosaja.club
ghtc.mobi
gyqey.ml
hcsscj.ga
hfik.mobi
hocoso.mobi
hvaycz.cf
inssanayi.mobi
iquqy.ml
jahlq.ml
jekarebege.online
jjsiu.ml
jodaje.mobi
johaca.mobi
jurugq.host
kartalescort.mobi
kayaya.mobi
kojero.mobi
lca.mobi
mgw.mobi
nafaro.mobi
nefal.mobi
nehabe.mobi
nejoja.mobi
nvmdv.ml
peindikescort.mobi
pqoyruw.ga
professional.mobi
pvrdn.ml
qoloa.ml
qyhhy.ml
qzitt.ml
rimaw.ml
rlg.mobi
rtrzd.ml
selcukecza.online
specforce.space
supkh.mobi
swtaegs.ml
tamor.mobi
taneketevo.online
tgmml.ml
turkcall.mobi
tzlss.mobi
urdnz.cf
vazawoweso.online
vecoha.mobi
vgplb.ml
vpewqz.tk
walatecaqa.club
wdplf.ml
whyog.ml
wpf.mobi
wqplw.ml
yepeyowora.online
yerago.mobi
yklud.ml
ynngon.ml
yolecafeha.club
yomka.ml
yuktu.ml
zavayo.mobi
zayero.mobi
zororo.mobi

# Reference: https://www.zsis.hr/default.aspx?id=415

176.105.255.59:8089
postahr.vip
posteitaliane.live

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/
# Reference: https://otx.alienvault.com/pulse/5d3091d8a6d3522c9d5dcaff

http://144.202.19.31
http://95.179.168.23
diangovcomuiscia.com
eltiempocomco.com
medicosempresa.com

# Reference: https://twitter.com/cyberwar_15/status/1156091180293206016

http://51.254.60.208

# Reference: https://twitter.com/KevinPerlow/status/1156406115472760835 (# tcpihlp)

f1.vr.wincloud.com
d1.link.outbox.com

# Reference: https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/
# Reference: https://otx.alienvault.com/pulse/5d5d7094114b8af4a377f676

gmailusercontent.site
protect-outlook.com
srf-goolge.site

# Reference: https://twitter.com/Timele9527/status/1166188375109296128

mmksba.dyndns.org

# Reference: https://research.checkpoint.com/the-eye-on-the-nile/
# Reference: https://otx.alienvault.com/pulse/5d95e00256c29a9623c3cc97

arabindex.info
drivebackup.co
indexmasr.com
indexy.org
maillogin.live
mailsecure.live
servegates.com
txtips.com
weblogin.live

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2014/2014-07-15-targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities.csv

asdf.avstore.com.tw
asdf.skypetm.com.tw
avast.avstore.com.tw
avstore.com.tw
bluer.avstore.com.tw
bz.kimoo.com.tw
chanxe.avstore.com.tw
gmail.skypetm.com.tw
jamessmith.avstore.com.tw
mca.avstore.com.tw
skypetm.com.tw
sophos.skypetm.com.tw
star.yamn.net
vbnm.skypetm.com.tw
zeng.skypetm.com.tw

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-02-gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems.csv

braveprince.com
followgho.byethost7.com
nid-help-pchange.atwebpages.com

# Reference: https://cyberwarzone.com/massive-collection-rat-backdoors-iraq-syria-free-2-share/

aaaaaaaahmad.no-ip.biz
abdillahzraibi.no-ip.biz
abdou36.noip.me
abevahack123.no-ip.biz
ahmad83t.no-ip.biz
alaa170.no-ip.org
alialzainabe.mooo.com
alkator.dns53.biz
allal.x64.me
anroideex1.noip.me
attackerman.ddns.net
avg99.does-it.net
avira2015.no-ip.biz
az4511lon.ddns.net
bacoussama.no-ip.biz
badboy02.no-ip.biz
badrop2ch.zapto.org
basel123.no-ip.org
bctnra.zapto.org
beddass.no-ip.biz
bilallchefa.zapto.org
cat85.no-ip.org
charisma1996.linkpc.net
codehacker.no-ip.biz
cyberyassine.no-ip.org
deekay123.linkpc.net
djou233.zapto.org
drogbaaa.zapto.org
druxyhere.ddns.net
een21.hopto.org
eliadz.no-ip.biz
eshta.linkpc.net
facebookchanel.servehalflife.com
ferkhwazumar.no-ip.biz
fifaorigin123.no-ip.biz
firas12345.ddns.net
freekali1.no-ip.biz
gardien.myq-see.com
gmlbooter.no-ip.biz
gohakeing.no-ip.org
hack-c4.zapto.org
hacker.syr.linkpc.net
hacker963.myq-see.com
hoppyhoppy.ddns.net
hoxor121.no-ip.org
hussienkahoul.no-ip.biz
ibrahem1010.no-ip.biz
iibbrr.zapto.org
isuero.no-ip.info
jado7alassad.ddns.net
jaziremanoto.no-ip.org
joke2014.no-ip.biz
kaikun.mooo.com
kakalaw25.ddns.net
kakar5.ddns.net
kakgwl.no-ip.biz
kano.ddns.net
khaleeel.no-ip.biz
khouyatte.duckdns.org
kiim.no-ip.biz
killerah.no-ip.biz
kimou3939.no-ip.biz
king-enutroof.no-ip.biz
kingoof.ddns.net
koknjkoke.myq-see.com
kokopopo2.no-ip.biz
kurdboy.zapto.org
kurdboy666.noip.me
kurdish-hacker.no-ip.org
kurdish2000.ddns.net
kurdustan.no-ip.biz
laid0404.ddns.net
loki2.linkpc.net
lov3black.no-ip.biz
lulzpedia.ddns.net
m7tagk.zapto.org
mahmoudelmassry.no-ip.biz
makarov123.no-ip.org
max2015.ddns.net
mazamoza.no-ip.biz
medknass.ddns.net
medoblack.no-ip.biz
mghool.no-ip.biz
mhamedhc.no-ip.org
mi3283.ddns.net
mo7trf0.no-ip.biz
mohchaiba.no-ip.biz
momo321.dnsd.info
mozilla.myq-see.com
mrman.no-ip.biz
mth3protn.ddns.net
muhanned.myq-see.com
mynjrathost.no-ip.biz
n5z.no-ip.biz
nabard81.ddns.net
nada00.no-ip.biz
nash2t.linkpc.net
nasreen123.no-ip.biz
nilolack.zapto.org
nj88.no-ip.biz
njrat-dz2.no-ip.biz
nmb007.no-ip.biz
now-see.publicvm.com
ooolll.ddns.net
optera.hopto.org
rami7733.no-ip.org
ramisy.ddns.net
raoufraouf.ddns.net
rapmorix.no-ip.org
roma1996.no-ip.org
roy5150.no-ip.biz
salmanvegeta.no-ip.biz
samermax.no-ip.biz
sara31.ddns.net
sat2014.zapto.org
scorpionjo.linkpc.net
sfeer55.no-ip.biz
sharazoori.zapto.org
sifebuissines.noip.us
silent404tmd.no-ip.biz
silver13.ddns.net
sneakking.myq-see.com
syria2016.ddns.net
syriano.hack.dnsd.info
theblack2015.no-ip.biz
thejoe.publicvm.com
thekingh.linkpc.net
tplinkdbk.ddns.net
unknownman13.mooo.com
vergilalasad.no-ip.biz
vip.all4syrian.com
vk1000250.no-ip.biz
webmaxot.publicvm.com
wejden2014.ddns.net
wepspacet.publicvm.com
x3rbx.ddns.net
xhxh1988.no-ip.org
yg4h.no-ip.biz
younesmer.myq-see.com
zasosna.myq-see.com
zasosna.no-ip.org
zinebzina.ddns.net
zoro2015.ddns.net

# Reference: https://twitter.com/blackorbird/status/1194824371904237568

pahealth.info

# Reference: https://blog.ptsecurity.com/2019/12/turkish-tricks-with-worms-rats-and.html

http://192.95.3.137
http://192.95.3.140
http://5.255.63.12
bcorp.fun
bkorp.xyz
buhar.us
definebilimi.com
husan.ddns.net
husan2.ddns.net
husan3.ddns.net
i36-imgur.com
i37-imgur.com
i38-imgur.com
i39-imgur.com
prntsrcn.com
qqww.eu

# Reference: https://twitter.com/cyber__sloth/status/1216769444829179904
# Reference: https://otx.alienvault.com/pulse/5e1cde40219fa7e9f40164e7
# Reference: https://www.virustotal.com/gui/ip-address/160.20.147.84/relations

domain-lk.sytes.net
foreign-mv.sytes.net
ncit-gov.sytes.net
windefupdate.sytes.net

# Reference: https://www.isc2peruchapter.org/pdfs/2019-04-24-Eric.pdf

personanddog.info

# Reference: https://lab52.io/blog/intelligence-operation-against-targets-in-indonesia/
# Reference: https://otx.alienvault.com/pulse/5e441513dbb6d26fca51ee52

musicstore.global.ssl.fastly.net

# Reference: https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/
# Reference: https://otx.alienvault.com/pulse/5e6a5d43825f9463366799c6

acccountsgoog1e.com
account-mail.info
accountapp.xyz
accountsgoog1e.com
alexandr01299.xyz
auth-google.site
auth-mail.email
badoo-account-security.com
check-activity.com.ru
chrome-redirect.top
com-auth.site
com-enter.site
com-gm.site
com-google.site
comericac.com
desktest1.xyz
desktest5.xyz
desktest9.xyz
dokerest.xyz
dokertest.xyz
droinjoin.xyz
emails-support.site
fedortest.xyz
freekremlin.com
frosdank.com
frostdank.com
garant-help.com
gmail-warning.top
google-activity.pw
gvoice8765.online
hpphhpph.com
id-support-email.com
joindroin.xyz
lamatrest.xyz
mail-auth.email
mail-auth.online
mail-google.email
my-short.com
myaccount-support.top
mycabinet.xyz
mynavvfedera1.org
mynavyfedera1.org
mynavyfedral.org
mynevyfedera1.org
navyfedara1.org
navyfedera1.com
navyfedera1.org
navyfederai.org
nayfedera1.org
nevyfedera1.org
nitroqensports.eu
nsdns.xyz
poxypoxy.xyz
rc-room.com
support-emails.host
t1bank.xyz
testdhome1.xyz
testdhome4.xyz
testdom1.xyz
testdom3.xyz
testfor7.xyz
vkontak1e.com
voice98765.online
xn--avyfedera-yubm.org
xn--bckchain-v3a30f.com
xn--blckchain-17c.com
xn--blockcain-lmb.com
xn--mynavyfedera-occ.org
xn--navyfderal-36a.com
xn--navyfedera-j0b.org
yandex-account-security.com

# Reference: https://twitter.com/ximo_lcg/status/1242298741140250624
# Reference: https://app.any.run/tasks/642a1b8c-6232-41c0-8c74-0f4513a44599/
# Reference: https://www.virustotal.com/gui/ip-address/34.247.80.95/relations

javacon.eu
cdn.javacon.eu

# Reference: https://twitter.com/Rmy_Reserve/status/1244817235211739141

cloudfiles.club

# Reference: https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/
# Reference: https://otx.alienvault.com/pulse/5e9f5eb5352e6287ee4c0e67

api.doubles.click
cdn.doublesclick.me
start.apiforssl.com
static.doublesclick.info
status.search-sslkey-flush.com
status.verifyingbycf.com

# Reference: https://twitter.com/ximo_lcg/status/1252771553365782528

a.00-online.com

# Reference: https://blog.alyac.co.kr/242 (Korean)

122.10.93.136:6687

# Reference: https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf (Chimera, Semiconductors)
# Reference: https://medium.com/@cycraft_corp/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730
# Reference: https://otx.alienvault.com/pulse/5ea073a3c14dae77c07976d3

chrome-applatnohp.appspot.com
78276.ussdns01.heketwe.com
78276.ussdns02.heketwe.com
ussdns01.heketwe.com
ussdns02.heketwe.com
ussdns04.heketwe.com

# Reference: https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ (Chimera)
# Reference: https://otx.alienvault.com/pulse/5ffde53573457b19cacf41be

EuDbSyncUp.com
MsCupDb.com
UsMobileSos.com
europe-s03213.appspot.com
eustylejssync.appspot.com
fsdafdsfdsaflkjkxvzcuifsad.azureedge.net
ictsyncserver.appspot.com
officeeuropupd.appspot.com
officeeuupdate.appspot.com
platform-appses.appspot.com
sowfksiw38f2aflwfif.azureedge.net
watson-telemetry.azureedge.net

# Reference: https://twitter.com/w3ndige/status/1265745221419229187

86wts86a8j.com
update.86wts86a8j.com

# Reference: https://twitter.com/cyber__sloth/status/1271580177521414145

mofa-gov-pk.com

# Reference: https://twitter.com/cyber__sloth/status/1271577668752998405

def.support

# Reference: https://twitter.com/MBThreatIntel/status/1273309450992930817
# Reference: https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/

updateeset.com
yenile.asia

# Reference: https://app.any.run/tasks/db1be70f-b51f-4994-95f8-0af911335193/

137.220.180.39:8082

# Reference: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf
# Reference: https://otx.alienvault.com/pulse/5eea47f6776f5e41c8346a31

http://205.210.162.36/start.html
http://205.210.162.36/www2default/css1/style.xsl
cwjamaica.biz/images/logo.png
sbsserv.camdvr.org/top.swf
km.wu.ac.th/image/office.jpg
safebrowsing.gleeze.com
markham.ca/css1/Mar.xsl
markham.ca/css1/style.swf
markham.ca/css1/style.jpg
markham.ca/css1/style.xsl
markham.ca/css1/style.css
markham.ca/view_center.asp
markham.ca/css/first.css
markham.ca/first.jpeg
markham.ca/politicia.asp
markham.ca/taxing-churc.asp
markham.ca/exports-to-Turkey.asp
markham.ca/Climate.asp
markham.ca/discoveries.asp
markham.ca/pay-talks-fai.asp
markham.ca/Nouvelles.asp
markham.ca/News.asp
markham.ca/Noticias.asp
markham.ca/EU-nominee.asp
markham.ca/Business.asp
markham.ca/Culture.asp
markham.ca/Life-Work.asp
markham.ca/Comercio.asp
markham.ca/Links.asp
markham.ca/churc.asp
markham.ca/products.asp
markham.ca/exports.asp
online.verzatec.com/banner.asp
nic.mywire.org
chuta.jp/jtool/dic.css
chuta.jp/jtool/dic.png
chuta.jp/jtool/politicia.asp
chuta.jp/jtool/taxing-churc.asp
chuta.jp/jtool/exports-to-Turkey.asp
chuta.jp/jtool/Climate.asp
chuta.jp/jtool/discoveries.asp
chuta.jp/jtool/pay-talks-fai.asp
chuta.jp/jtool/Nouvelles.asp
chuta.jp/jtool/News.asp
chuta.jp/jtool/Noticias.asp
chuta.jp/jtool/EU-nominee.asp
chuta.jp/jtool/Business.asp
chuta.jp/jtool/Culture.asp
chuta.jp/jtool/Life-Work.asp
chuta.jp/jtool/Comercio.asp
chuta.jp/jtool/Links.asp
chuta.jp/jtool/churc.asp
chuta.jp/jtool/products.asp
chuta.jp/jtool/exports.asp
comnet.aev.com/wik.xsl
servicediscovery.kozow.com
w3.casacam.net

# Reference: https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities
# Reference: https://otx.alienvault.com/pulse/5efccb42e70b867e18ff1825

http://193.29.59.130
http://23.106.122.234

# Reference: https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf
# Reference: https://otx.alienvault.com/pulse/5f04d03c68918d97811bda03

cloud-front-gateway.cc
confidential-privileged.com
email-gateway-host.cc
encrypted-gateway.cc
encrypted-host.cc
encrypted-mail-gateway.cc
encrypted-mail-server.com
encrypted-network.cc
encrypted-smtp-transport.cc
eu-1-host-protection.cc
fortinet-gateway.cc
fortinet-host-protection.cc
fortinet-host.cc
fortinet-protection.cc
fortinet-server.cc
mail-transport-agent.cc
mail-transport-gateway.cc
mail-transport-host.cc
mail-transport-protection.cc
mx-gateway-host.cc
mx-secure-email-host.cc
mx-secure-email-server.cc
mx-secure-net.com
node-protection.cc
privileged-secured.com
relay-secure-smtp.com
secure-email-delivery.cc
secure-email-gateway.cc
secure-email-host.cc
secure-email-host.com
secure-email-net.cc
secure-email-provider.cc
secure-email-provider.com
secure-email-server.cc
secure-email-server.net
secure-email-service.com
secure-mail-cast.com
secure-mail-gateway.cc
secure-mail-host.cc
secure-mail-host.com
secure-mail-net.cc
secure-mail-net.com
secure-mail-provider.cc
secure-mail-provider.com
secure-mail-server.cc
secure-mx-gateway.cc
secure-mx-host.com
secure-mx-provider.cc
secure-mx-server.cc
secure-mx-service.cc
secure-server-smtp.cc
secure-smtp-delivery.cc
secure-smtp-gateway.cc
secure-smtp-host.cc
secure-smtp-host.com
secure-smtp-provider.cc
secure-smtp-server.cc
secure-smtp-server.com
secure-smtp-service.cc
secure-smtp-service.com
secure-ssl-sec.com
smtp-gateway-host.cc
smtp-secure-gateway.cc
smtp-secure-service.cc
smtp-server-relay.com

# Reference: https://twitter.com/spider_girl22/status/1287952503280082944
# Reference: https://www.virustotal.com/gui/file/126986d2789c932a473e606ba936d97dbef87ba64659f4515e95237de1701b3b/detection

techimplement.com/wp-content/uploads/wp-logs/mailchimp.php

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/water-nue-campaign-targets-c-suites-office-365-accounts/

highstreetmuch.xyz
takeusall.online

# Reference: https://www.bitdefender.com/files/News/CaseStudies/study/365/Bitdefender-PR-Whitepaper-APTHackers-creat4740-en-EN-GenericUse.pdf
# Reference: https://otx.alienvault.com/pulse/5f475fecd47f88519e3140e2

175.197.40.61:3445

# Reference: https://www.threatcrowd.org/domain.php?domain=abc69696969.vicp.net
# Reference: https://www.virustotal.com/gui/domain/abc69696969.vicp.net/detection
# Reference: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-blond.pdf
# Reference: https://www.virustotal.com/gui/ip-address/103.105.59.104/relations

abc69696969.vicp.net
googleimg.top

# Reference: https://twitter.com/h2jazi/status/1304492241898090496
# Reference: https://www.virustotal.com/gui/file/60399bf2cc5bd28a39f2498adcc6113fc86327872dbaa0f0b280d333c5675908/detection
# Reference: https://www.virustotal.com/gui/domain/storagecdn.eu/relations

storagecdn.eu

# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a
# Reference: https://otx.alienvault.com/pulse/5f6d08b2d10722175748a71e

185.193.127.18
185.86.151.223
207.220.1.3
78.27.70.237
91.219.236.166

# Reference: https://github.com/DoctorWebLtd/malware-iocs/blob/master/APT_news2020/README.adoc
# Reference: https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf
# Reference: https://otx.alienvault.com/pulse/5f7a0e9cd535606ddee04448
# Reference: https://www.virustotal.com/gui/file/c9de1dad018236049ed88be9ccab28e75a04609466288451c4c1971b27e5e3eb/detection
# Reference: https://www.virustotal.com/gui/file/01118e56a1c5dafc2d82f154eb1a67d39a19f131ca1dc5e0f356a017b1932611/detection
# Reference: https://www.virustotal.com/gui/file/845198a33ca50860688cac016323302cf33054e1b52a3bff1b66f15a625a0b66/detection
# Reference: https://www.virustotal.com/gui/file/dfbec38959eae893dfa13c7ce526862f9306f5fb95102e0885debeec4a063d45/detection

122.10.82.65:8080
176.10.118.154:8443
185.158.249.120:8080
http://176.10.118.154
download.inklingpaper.com
duck.manhajnews.com
gova.manhajnews.com
john.newss.nl
news.microotf.com
news.newss.nl
news.zannews.com
newsfor.newss.nl
newsinfo.newss.nl
nissen.newss.nl
sports.manhajnews.com
webnews.newss.nl
inklingpaper.com
microotf.com
newss.nl
zannews.com

# Reference: https://twitter.com/Rajer_arthur/status/1313099977141481474
# Reference: https://app.any.run/tasks/25c9ee95-f8b8-4124-9e27-82a348ba3301/
# Reference: https://www.virustotal.com/gui/file/7007f35df3292a4ecd741839fc2dafde471538041e54cfc24207d9f49016dc77/detection

cannabispropertybrokers.com

# Reference: https://securelist.com/olympic-destroyer-is-still-alive/86169/
# Reference: https://systemtek.co.uk/2018/06/olympic-destroyer-malware/

http://79.142.76.40/news.php
http://159.148.186.116/admin/get.php
http://159.148.186.116/login/process.php
http://159.148.186.116/news.php
ppgca.ufob.edu.br/components/com_finder/helpers/access.log
ppgca.ufob.edu.br/components/com_finder/views/default.php
narpaninew.linuxuatwebspiders.com
mysent.org
79.142.76.40:8989
5.133.12.224:333

# Reference: https://www.proofpoint.com/us/blog/threat-insight/persistent-actor-targets-ledger-cryptocurrency-wallets
# Reference: https://otx.alienvault.com/pulse/5fa472e97ef9fd555c12347d

au-ledger.com
ca-ledger.com
com-client.email
de-ledger.com
dogcat.space
dogcowbat.com
fr-ledger.com
funnerhere.com
homeandfamilyuniverse.com
it-ledger.com
ledger-chain.com
ledger-chain.info
ledger-live.io
ledger-support.io
ledger.buzz
ledger.deals
ledger.legal
ledger.org.pl
ledger.report
ledgermailer.io
ledgersupport.io
legder-support.io
legder.com
lmao.money
loldevs.com
nl-ledger.com
numisconsult.com
nz-ledger.com
quikview-update.com
quikview.work
t-mobile-sq.com
theironshop.net
tmobile.digital
us-ledger.com
usa-ledger.com
xn--ldger-6za.com
xn--ldger-n51b.com
xn--ldgr-vvac.com
xn--ledge-xbb.com
xn--ledgr-9za.com
xn--ledgr-q51b.com
ledger.uk.com
ledger.us.org
secure.hbccing.com

# Reference: https://twitter.com/0xthreatintel/status/1330027963157508096
# Reference: https://mp.weixin.qq.com/s/aMj_EDmTYyAouHWFbY64-A (Chinese)
# Reference: https://www.virustotal.com/gui/ip-address/176.119.2.122/relations
# Reference: https://www.virustotal.com/gui/ip-address/78.140.162.22/relations
# Reference: https://www.virustotal.com/gui/ip-address/87.251.77.19/relations
# Reference: https://otx.alienvault.com/pulse/5fb83d70906bd27194456779
# Note: Potentially could be related to APT Gamaredon campaign, but currently there're no evidences on it.

176.119.2.122:443
87.251.77.19:443
24ua.website
bukovel.host
d0t.host
depo.host
glavpost.site
inforesist.press
inforesist.site
kharkiv.host
mytv.host
obozrevatel.press
rttv.host
tribun.site
uanews.press
ukrnet.press
unian.pw
vgolos.press
w0x.host

# Reference: https://securityintelligence.com/posts/ibm-uncovers-global-phishing-covid-19-vaccine-cold-chain/
# Reference: https://otx.alienvault.com/pulse/5fc923119243821757b02f15

e-mailer.cf
e-mailer.ga
mailerdeamon.cf
mailerdeamon.ga
mailerdeamon.gq
mailerdeamon.ml
mailerdeamon.tk
nwa-oma.ml
nwa-oma2.ml
routermanager.ga
routermanager.gq
routermanager.ml
routermanager.tk
routermanagers.cf
routermanagers.ga
routermanagers.gq
routermanagers.ml
routermanagers.tk
serverrouter.cf
serverrouter.ga
serverrouter.tk
serversrouter.cf
serversrouter.gq

# Reference: https://twitter.com/ClearskySec/status/1311291935685070848
# Reference: https://www.clearskysec.com/operation-kremlin/

http://185.243.112.18
http://185.243.112.57
http://5.9.242.126
bibigreen.ru/wp-content/energia/wp/
bibigreen.ru/up/up.php
hesheflowershop.ru/wp/up.php

# Reference: https://blog.malwarebytes.com/threat-analysis/2021/03/new-steganography-attack-targets-azerbaijan/
# Reference: https://www.virustotal.com/gui/file/69e880b0545330b8e6d1543c47d89b4907fb79899b40c2478c591225ffc551ce/detection

vnedoprym.kozow.com

# Reference: https://blog.malwarebytes.com/threat-analysis/2021/04/aurora-campaign-attacking-azerbaijan-using-multiple-rats/
# Reference: https://otx.alienvault.com/pulse/606dfd9079e30b337044cdaf

111.90.150.37:220
pook.mywire.org

# Reference: https://twitter.com/ShadowChasing1/status/1387602989033017346
# Reference: https://www.virustotal.com/gui/file/5bd954c9f91f65e2ac270703ef0595c6385432bcfda2572af28fade2f6474135/detection

archive.org/download/hbankers-latest/HBankers_Latest.hta
ia601400.us.archive.org/31/items/bypass_20210428_0905/bypass.txt
ia601408.us.archive.org/18/items/server_20210428_0903/Server.txt
ia801402.us.archive.org/6/items/bat_20210331/bat.txt

# Reference: https://twitter.com/petrovic082/status/1406910865518075904
# Reference: https://www.virustotal.com/gui/file/8445c0189735766edf0e3d01b91f6f98563fef272ac5c92d3701a1174ad072dd/detection
# Reference: https://s.threatbook.cn/report/file/8445c0189735766edf0e3d01b91f6f98563fef272ac5c92d3701a1174ad072dd/?env=win7_sp1_enx64_office2013

flashdownloadserver.oss-cn-hongkong.aliyuncs.com

# Reference: https://www.facebook.com/UACERT/posts/4321920377829335 (Ukrainian)

gov-ua.info
president.gov.ua.administration.vakansiyi.administration.president.gov-ua.info

# Reference: https://twitter.com/ShadowChasing1/status/1415292150258880513
# Reference: https://www.virustotal.com/gui/file/654393966ff2c352c5b0a1286fa78c2a54410068ea1d7b1f60ab4924bfa5e36e/detection

http://81.27.243.51

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2021-0715.pdf
# Reference: https://otx.alienvault.com/pulse/60f1412406464b3eb5e00c85

2021olympic.cn
2021olympics.jp
2021olympicupdates.com
2021olympicupdates.live
2021olympicupdateslive.com
cancel-olympic.tokyo
cxaolympicgames2021.org
lost-olympic.tokyo
no-olympic.tokyo
olympic2020.in
olympic2020in.tokyo
olympic2021.in
olympicgames2021.cn
olympicgames2021.co.za
olympicnewstokyo.com
olympics2020.icu
olympics2020.in
olympics2020.vip
olympics2021.in
olympicvirtual2021.com
perrigoselfcareolympics2021.com
stop-olympic.tokyo
summerolympics-2020.org
teamnl2020-olympic-paralympic.games
the2021olympicgames.com
the2021olympicgames.org
the2021olympicstokyo.com
theolympicstokyo2021.com
tokyo----olympics.org
tokyo---olympics.org
tokyo--olympics.org
tokyo-olympicslive.com
tokyoolympicplay.com
tokyoolympics.org
tokyoolympicsfootballlive.com
tokyoolympicsolympics.com
tokyoolympicsport.com
tokyoolympicswaterpololive.com
tokyotokyoolympics.com
usolympics2020.com
usolympics2021.com
tokyoolympicplay.blogspot.com
tokyoolympicsplay.blogspot.com

# Reference: https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/ (# CVE-2021-1844, CVE-2021-21166, CVE-2021-30551, CVE-2021-33742)
# Reference: https://otx.alienvault.com/pulse/60ef0c90a9b787a794c38975

armenpress.org
armlur.org
armradio.org
armtimes.net
armtimes.org
asbares.com
hetq.org
hraparak.org
lragir.org
db-control-uplink.com
kidone.xyz
lioiamcount.com
wordzmncount.com
workaj.com

# Reference: https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/ (# CVE-2021-1879)
# Reference: https://otx.alienvault.com/pulse/60ef0ec9c0275001c7314643

vegmobile.com
supportcdn.web.app

# Reference: https://twitter.com/Legen78695928/status/1417394224639582215
# Reference: https://www.virustotal.com/gui/file/66882db537a3166f60b45f65a56705d5e838b750cb45a0a54a0645d3793b572a/detection

66.42.43.177:443
nationalcollege.edu.np/admin/assets/js/jquery/tiny/plugins/anchor/.anchor/sysWow64-e1.exe

# Reference: https://us-cert.cisa.gov/ncas/alerts/aa21-201a
# Reference: https://otx.alienvault.com/pulse/60f7f55ab4b22e92326a3f0e

18center.com
arrowservice.net
businessconsults.net
fni.itgamezone.net
fpso.bigish.net
un.linuxd.org

# Reference: https://twitter.com/ShadowChasing1/status/1420900093683666945
# Reference: https://www.virustotal.com/gui/file/4db59d3e610a4c80db60741e8d27fc983d4febbda9df507b47594ae1d84dbff1/detection

prince.g0v.org.cn

# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-south-east-asia-espionage
# Reference: https://otx.alienvault.com/pulse/610cebdae529d35878dd99b9

espnnews.org
tv.espnnews.org
uuu.espnnews.org

# Reference: https://twitter.com/k3yp0d/status/1432957515248062464
# Reference: https://www.virustotal.com/gui/file/3c527783024730f43841e1015061d3a85000e862fc6f238c60b41570da468146/detection

gosusylugi.ru
s.gosusylugi.ru

# Reference: https://twitter.com/ShadowChasing1/status/1438126675565244417
# Reference: https://www.virustotal.com/gui/file/d793193c2d0c31bc23639725b097a6a0ffbe9f60a46eabfe0128e006f0492a08/detection

hr.dedyn.io

# Reference: https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf
# Reference: https://www.welivesecurity.com/2021/08/06/iistealer-server-side-threat-ecommerce-transactions/
# Reference: https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/
# Reference: https://www.welivesecurity.com/2021/08/11/iiserpent-malware-driven-seo-fraud-service/
# Reference: https://otx.alienvault.com/pulse/6110fb1735fb2fb876d0cb89

http://143.92.48.38
008php.com
0660sf.com
300bt.com
3323sf.com
allsoulu.com
asmkpo.com
b1174.com
breakavs.com
chunj1m.xyz
cmdxb.com
csdsx.com
e652.com
g666.org
goudie.in
nmnsw.com
pz8.in
pz9.in
qiu6j2.xyz
qrfy.net
sf2223.com
whtjz.com
wlaspsd.com
wzrpx.com
ycfhx.com
yyphw.com
20.3323sf.com
bj.whtjz.com
bj2.wzrpx.com
center.g666.org
cs.whtjz.com
df.e652.com
dfcp.yyphw.com
ee.allsoulu.com
es.csdsx.com
haha.chunj1m.xyz
hehe.qiu6j2.xyz
hz.wzrpx.com
id.3323sf.com
js.breakavs.com
m.goudie.in
m.pz8.in
now.asmkpo.com
qp.008php.com
qp.nmnsw.com
sb.qrfy.net
sc.300bt.com
sc.wzrpx.com
speed.wlaspsd.com
sx.cmdxb.com
sz.ycfhx.com
tz.allsoulu.com
xinxx.allsoulu.com
xpq.0660sf.com
xsc.b1174.com
zz.allsoulu.com

# Reference: https://twitter.com/cluster25_io/status/1463880206167556098

musicalopps.cc

# Reference: https://twitter.com/h2jazi/status/1440418522950107140
# Reference: https://twitter.com/h2jazi/status/1440418525714079750
# Reference: https://www.virustotal.com/gui/file/ce27c2a9d54c9c2de777c735d5be6a532878591455082468251ace96adb276cf/detection

aljazeera.cc
ibs.significantbyte.com
r.significantbyte.com

# Reference: https://twitter.com/s1ckb017/status/1480847085167648768
# Reference: https://www.virustotal.com/gui/file/41b37de3256a5d1577bbed4a04a61bd7bc119258266d2b8f10a9bb7ae7c0d4ec/detection

official-updates.info

# Reference: https://twitter.com/malwrhunterteam/status/1484966581620949005
# Reference: https://twitter.com/malwrhunterteam/status/1487437084759572483
# Reference: https://twitter.com/malwrhunterteam/status/1489247821236617224
# Reference: https://twitter.com/m0br3v/status/1538835454606336001
# Reference: https://twitter.com/m0br3v/status/1582371353570574336
# Reference: https://twitter.com/m0br3v/status/1605193202960588804
# Reference: https://www.virustotal.com/gui/file/80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0/detection
# Reference: https://www.virustotal.com/gui/file/c0a3a2401b966c1fb73453c5675ff7da2ef777ab040ff9af5ffdbb79dbeb425c/detection
# Reference: https://www.virustotal.com/gui/file/f7e67e5bd0bd08b99821eee2ee2f9121bb75ff7e91396a1828f25035e1f81ec4/detection
# Reference: https://www.virustotal.com/gui/file/1e31e3dc6428bec9b8c41185619c2e68f4bd56d69bc6ab44e47b82561654f9c1/detection
# Reference: https://www.virustotal.com/gui/file/aa13c6cbd1caec145d06f1ac8568dbe460fa50b1f4025825ef54e5f32c184e07/detection

161.97.167.88:3617
167.86.98.190:3617
173.212.220.230:3617
173.212.254.151:3617
173.249.38.99:3617
armaanapp.in

# Reference: https://twitter.com/GaborSzappanos/status/1489253021804494858
# Reference: https://www.virustotal.com/gui/file/391fdbe672177aeff9e5413036e59bec6a21d5552f07756478132105dff7da62/detection
# Reference: https://www.virustotal.com/gui/file/e02369c0d9fde27eee8471102e7f58c28c5460d07fd46f83c076a241fef46827/detection

http://188.214.134.116

# Reference: https://twitter.com/James_inthe_box/status/1501604645759709186
# Reference: https://app.any.run/tasks/33c91888-00ea-4d04-bb2c-57d0f8527dd2/

80.99.133.161:25565

# Reference: https://twitter.com/cyberwar_15/status/1503942567192576004

samsungairb2b.co.kr

# Reference: https://twitter.com/__0XYC__/status/1503943578741006339
# Reference: https://twitter.com/__0XYC__/status/1509492778337718277
# Reference: https://www.virustotal.com/gui/file/cebd3337d414e5dc140600cee22685da521d699cc79461ce90167aa3e0798d89/detection
# Reference: https://www.virustotal.com/gui/file/08334f25d72a312b962555d710cd8e7d60f28e75a85b2b15b9bed5c71bcf8c45/detection

moitt-auditform.app.link
ncoc-update.app.link

# Reference: https://www.virustotal.com/gui/file/cffb65fb95b85a0d4e8fcc82d923d38ddf960bf7e3343517e16e2e112e92ff21/detection

aldimarche.eu

# Reference: https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/
# Reference: https://www.hybrid-analysis.com/sample/8f435accbb65d3786a28f016e856465440a5c41dc679cc9fd3b1da323b160bc9/6216d3cc5357607d8a4d1c42

gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion
gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion.ws

# Reference: https://twitter.com/h2jazi/status/1508544917420843013
# Reference: https://www.virustotal.com/gui/file/48fc39e20e00e2b09d29614dc4935367c31411fe87857b03e692378909f63885/detection

windowscer.shop

# Reference: https://asec.ahnlab.com/ko/33141/ (Korean)
# Reference: https://otx.alienvault.com/pulse/62443548be47f35370309b43

cmaildowninvoice.webcindario.com
fserverone.webcindario.com
/contri/sqlite/msgbugGlog.php
/contri/sqlite/msgbugPlog.php
/msgbugGlog.php
/msgbugPlog.php

# Reference: https://twitter.com/ShadowChasing1/status/1509143612746993669
# Reference: https://www.virustotal.com/gui/file/e91167ff17ccdffaf7a81a640b85efc1bacc9333c5ba56e988d6b58370c3aaf6/detection

mckeaguee.com
mclartyc.com

# Reference: https://twitter.com/h2jazi/status/1511036268825751553
# Reference: https://www.virustotal.com/gui/file/75a131a79c2d7d130d327253488c37211f08e889e1d76f1825512d7e0ae19524/detection
# Reference: https://www.virustotal.com/gui/file/c59afba3f20006c146145d129ff5327255b25451ca7c39af68af749356061050/detection

globalinfosta.com
ibcloudtech.com

# Reference: https://twitter.com/malwrhunterteam/status/1511709938447491075
# Reference: https://www.virustotal.com/gui/file/3299c43eb07892d1e63c69ddaad7bcc848c3b685830d6cc384ce4919408090e9/detection

816e-182-227-90-53.ngrok.io

# Reference: https://twitter.com/malwrhunterteam/status/1484169625935888385
# Reference: https://www.virustotal.com/gui/file/78e877a478770d3f01152b89b946b81dae60c00d40ebba82883bf3ecf24142bf/detection
# Reference: https://www.virustotal.com/gui/file/78e877a478770d3f01152b89b946b81dae60c00d40ebba82883bf3ecf24142bf/detection

185.233.202.133:890
185.233.202.133:90

# Reference: https://twitter.com/fr0s7_/status/1520706128153395205
# Reference: https://www.virustotal.com/gui/file/efbdff790ee1549acd693e727633e4baa4272f76e8e4a84c0d47af572c989f48/detection

8.142.13.143:44444

# Reference: https://twitter.com/ShadowChasing1/status/1522172808763101184
# Reference: https://www.virustotal.com/gui/file/74499ea86f7973388a5854946aae79a4c6e539282a6b1c89d84005516fae998c/detection

http://91.247.36.29

# Reference: https://twitter.com/h2jazi/status/1522302380406153219
# Reference: https://www.virustotal.com/gui/file/d118f2c99400e773b8cfd3e08a5bcf6ecaa6a644cb58ef8fd5b8aa6c29af4cf1/detection

http://141.98.215.99

# Reference: https://twitter.com/ShadowChasing1/status/1525101999033032707
# Reference: https://www.virustotal.com/gui/file/09cc7d0af801e5a3bebaa46a5b61bcc4eb133e2fe5159c65d47073c6a8163d80/detection

msdefender.xyz
av.msdefender.xyz
bk.msdefender.xyz
tm.msdefender.xyz
msd.msdefender.xyz

# Reference: https://twitter.com/fr0s7_/status/1526823177028087810
# Reference: https://www.virustotal.com/gui/ip-address/18.117.194.96/relations
# Reference: https://www.virustotal.com/gui/file/5b1ad8bf1cebaaa1b570e36c7f2552ae3d5e5a6c51e3c969414954eb2fc9a11d/detection

boundaryfence.link
southdakota.cloud

# Reference: https://twitter.com/h2jazi/status/1531312666987347968
# Reference: https://www.virustotal.com/gui/file/49e2accd92278074a39800afacac74472782a1577bb91b3434fe5cd0e89c8531/detection

gridnetworking.net

# Reference: https://twitter.com/h2jazi/status/1540018662568083456
# Reference: https://www.virustotal.com/gui/file/7fe6db9438e5dadfd2b333f77fab14c956d57ddfded2aa58c3b13cad94b16bfa/detection

http://45.148.120.76

# Reference: https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf

moregeek.xyz

# Reference: https://twitter.com/__0XYC__/status/1543919186346385409
# Reference: https://www.virustotal.com/gui/file/0ae8707820a5d268fc8eb12391a7f97b87e79f13559b63bcfc8d4e01993b7e04/detection

zimbra-server.org
o.zimbra-server.org
r.zimbra-server.org

# Reference: https://twitter.com/malwrhunterteam/status/1546559398113320960
# Reference: https://twitter.com/h2jazi/status/1546566120878100480
# Reference: https://www.virustotal.com/gui/file/2485af3bfb6211fbb62df75578bc833bdc6a4388a253f356b1430e8b892225e8/detection

ru-file.info
check.ru-file.info
cloud-mail.ru-file.info
download-mail.ru-file.info
fileapi.ru-file.info
linkapi.ru-file.info
yandex.ru-file.info

# Reference: https://twitter.com/souiten/status/1548963032574767104
# Reference: https://www.virustotal.com/gui/file/712c1138fe72447bd18938903add184ede957c4b6056176a98261586145d06e7/detection
# Reference: https://www.virustotal.com/gui/file/a69cb1abec0ca809deaa03bd70300948692d9a024d45ebfea980ad57ea5aa528/detection

my-zo.org
am.my-zo.org

# Reference: https://twitter.com/h2jazi/status/1549102722732986368
# Reference: https://www.virustotal.com/gui/file/65d1928316dfb8130c2bf2a301ce375ca0c0938af17ffe7b43e003aa366f0515/detection
# Reference: https://www.virustotal.com/gui/file/c07a332b932a211c5477d3a9941c5ee308aa3463eb3ed3dd1ddba09987261aba/detection

watchcartoon-live.org

# Reference: https://twitter.com/ShadowChasing1/status/1556966731373232129
# Reference: https://twitter.com/StopMalvertisin/status/1557319722194337792
# Reference: https://tria.ge/220809-nqkmvahfbn/behavioral1
# Reference: https://www.virustotal.com/gui/file/131209d5e752300d4af86375abd81d244467b50238e2ffecf62239efaec6e361/detection

64.34.205.178:443

# Reference: https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

137.184.67.33:443
206.188.196.77:8080

# Reference: https://twitter.com/souiten/status/1590217739251363840
# Reference: https://twitter.com/WhichbufferArda/status/1590238518441566209
# Reference: https://www.virustotal.com/gui/ip-address/172.86.75.220/detection
# Reference: https://www.virustotal.com/gui/file/f3d8916b99d7e6301a885b2ec4aaf9635f1713464c53b1604d3b4e1abd673c36/detection

http://172.86.75.220
az-link.email
doc.az-link.email
doca.az-link.email
docs.az-link.email
download.az-link.email
mfa.az-link.email
redirect.az-link.email
redirects.az-link.email
mail.mfa.az-link.email

# Reference: https://cert.gov.ua/article/3192088 (Ukrainian, DolphinCape, UAC-0140)

http://195.123.237.147
http://202.157.187.190
dsns.com.ua

# Reference: https://cert.gov.ua/article/3349703 (Ukrainian, FateGrab/StealDeal, UAC-0142)

46.249.49.109:21
46.249.49.109:4444
delta-storages.com
hexactor.com
ua.delta-storages.com
gov.ua.delta-storages.com
mil.gov.ua.delta-storages.com
delta.mil.gov.ua.delta-storages.com

# Reference: https://twitter.com/Cyber0verload/status/1622857089503690752
# Reference: https://twitter.com/Cyber0verload/status/1622857222282682368
# Reference: https://twitter.com/Cyber0verload/status/1661779923713896467

exchange-gov-tm.online
exchange-gov-tm.ru
id-get-ua.site
id-send-ua.site
mfa-gov-tm.online
mfa-gov-tm.ru
saglykministriligi.online
saglykministriligi.ru
saylanan-com.ru
tdh-gov-tm.online
tdh-gov-tm.ru
tizkomek.online
turkmentel22-gov.online
turkmentel22-gov.ru

# Reference: https://twitter.com/Cyber0verload/status/1641817410217947136

ahalteke-gov.ru
avaza-gov.ru
cbt-tm.ru
cci-gov.ru
exchange-gov.ru
lalezar-apteka-com.ru
mfa-gov.ru
tizkomek.ga
turkmenairlines.ru
turkmentel-gov.ru

# Reference: https://twitter.com/malwrhunterteam/status/1628161092282208258
# Reference: https://www.virustotal.com/gui/file/671fdd73aac6e7cf5571bfe7930e438f3fab00867962a66a2ac34f1f96cb8140/detection

167.179.66.121:1337

# Reference: https://twitter.com/WaChinYu1/status/1644240227433586689
# Reference: https://app.any.run/tasks/53fa4193-0f28-4da5-abef-033051aeaaae/
# Reference: https://www.virustotal.com/gui/file/f2549c623eeabcedd54cf476abe347cd827c117298842d015d099c2f3a75f1dc/detection

download-update-msword.com
tovaryvsem.com
lb2.download-update-msword.com

# Reference: https://twitter.com/souiten/status/1644245259482980354
# Reference: https://www.virustotal.com/gui/file/ee10a5f9fbde7c394f5251908fe1fc39f9b7091c4ee9a800fa275b101d61d2b1/detection

http://194.135.91.60
http://62.77.156.188

# Reference: https://ddanchev.blogspot.com/2019/09/massive-portfolio-of-apt-advanced.html  (Note: removed trails already appearing in other files)

amana1.duckdns.org
casinonono.ddns.net
daisy101.ddns.net
ezelogs.ddns.net
glendyling.ddns.net
gujulio.duckdns.org
hykedscams.ddns.net
jaaav.ddns.net
koutafa.ddns.net
ldouab.ddns.net
lilop.ddns.net
mogofockerdu94.chickenkiller.com
oryano.ddns.net
probityjrat5.duckdns.org
projecttestingforedu.chickenkiller.com
ramadan.mywire.org
servicepcinfo.myddns.rocks
stanley10.linkpc.net
sugesu.ddns.net
thefuturisus.ddns.net
trasatlis.sytes.net
xfxf.ddns.net
yurmaufat.ddns.net
abbaass313.hopto.org
an.droidsuper.su
android.no-ip.org
droidcraftismelmao.ddns.net
droidjack.hopto.org
droidjack1.sytes.net
ehsanmaali.ddns.net
hacker-81.no-ip.biz
haker-2119.ddns.net
jackdroid.systes.net
jnkey.ddns.net
opt91.ddns.net
pplweb.pplmotorhomes.com
ratforandroid.ddns.net
s.leas.im
test.pagez.kr
usa.myftp.biz

# Reference: https://twitter.com/h2jazi/status/1681046977562148865
# Reference: https://www.virustotal.com/gui/file/8b51824d968a95c4d6212265b0702a98785e97013a3cb543aacc9c3dd304ab6b/detection
# Reference: https://www.virustotal.com/gui/file/420f37c2d25ed5a31f18c34b5a8c5ac8045e530200f947fb3ba930e506095a03/detection

ticanews.com

# Reference: https://twitter.com/k3yp0d/status/1683811748871122944
# Reference: https://www.virustotal.com/gui/file/a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129/detection
# Reference: https://www.virustotal.com/gui/file/471e61015ff18349f4bf357447597a54579839336188d98d299b14cff458d132/detection

estmongolia.com
mongolianshipregistrar.com

# Reference: https://cert.gov.ua/article/5391805 (# UAC-0154)
# Reference: https://twitter.com/malwrhunterteam/status/1687790506363768832
# Reference: https://twitter.com/lightC07379408/status/1734389267701670249
# Reference: https://www.virustotal.com/gui/file/0acd4a9ef18f3fd1ccf440879e768089d4dd2107e1ce19d2a17a59ebed8c7f5d/detection
# Reference: https://www.virustotal.com/gui/file/6f5f265110490158df91ca8ad429a96f8af69ca30b9e3b0d9c11d4fef74091e8/detection
# Reference: https://www.virustotal.com/gui/file/87291b918218e01cac58ea55472d809d8cdd79266c372aebe9ee593c0f4e3b77/detection

147.78.46.40:37662
147.78.46.40:43891
listen.servemp3.com
/RcebKRvainvQnoeS/
/xsSpQbSOGHyzMLxZ/
/RcebKRvainvQnoeS/page311/upgrade.txt
/RcebKRvainvQnoeS/page311/
/xsSpQbSOGHyzMLxZ/page164/upgrade.txt
/xsSpQbSOGHyzMLxZ/page164/

# Reference: https://twitter.com/malwrhunterteam/status/1689533484597952514
# Reference: https://twitter.com/jaydinbas/status/1689558903774736384
# Reference: https://www.virustotal.com/gui/ip-address/211.62.228.157/relations
# Reference: https://www.virustotal.com/gui/file/94b8a01ad4b53d202984afb6781d7f88cb5cd329349791516e985ea88e08ad66/detection

email--page.mrbasic.com
makeup.dynamic-dns.net
yurtumawat.wwwhost.us
ftp.email--page.mrbasic.com
ftp.makeup.dynamic-dns.net
ftp.yurtumawat.wwwhost.us

# Reference: https://asec.ahnlab.com/en/54375/
# Reference: https://otx.alienvault.com/pulse/649062a8bb28df7b6697767e

pita1.sportsontheweb.net

# Reference: https://twitter.com/souiten/status/1716388138493632836
# Reference: https://www.virustotal.com/gui/file/987bc934bf99021763399808d9a24bc5cd4ba351edf5addd6e4a16aa6cbeb68a/detection
# Reference: https://www.virustotal.com/gui/file/4a86e70b48b1de3725cf2262377c139a3d440909d015b25e7a488a9e51e4ad7c/detection
# Reference: https://www.virustotal.com/gui/file/03edccc606b54bed98c3eba3cf3a2d46539c82e2b166ceb3878926227fe89085/detection
# Reference: https://www.virustotal.com/gui/file/4ddae23da7181ed5e7d290080f2117e7e52e0003b12ef87c04bb5d95a212ba3d/detection

http://13.211.167.218
13.211.167.218:4444
3.106.196.145:4433
bssnonline.ddns.net

# Reference: https://twitter.com/souiten/status/1716389261421977727
# Reference: https://www.virustotal.com/gui/file/abed5ead9c0bf7b23cf41a3cac841658943dd4059af3287c87e577471ecefd43/detection

g119847.hostde20.fornex.host

# Reference: https://cert.gov.ua/article/6123309 (# UAC-0165)
# Reference: https://otx.alienvault.com/pulse/652e95bde547f6e590a6fad2

eurotelle.com

# Reference: https://unit42.paloaltonetworks.com/chinese-apt-linked-to-cambodia-government-attacks/
# Reference: https://otx.alienvault.com/pulse/654c01e3816f8a6abc840b4d
# Reference: https://www.virustotal.com/gui/ip-address/161.35.85.243/relations
# Reference: https://www.virustotal.com/gui/ip-address/192.153.57.222/relations

http://165.232.186.197
http://167.71.226.171
104.248.153.204:443
104.248.153.204:82
143.110.189.141:443
165.232.186.197:443
165.232.186.197:4433
167.71.226.171:443
167.71.226.171:4433
167.71.226.171:769
167.71.226.171:8086
167.71.226.171:8089
167.71.226.171:81
167.71.226.171:82
172.105.34.34:8081
172.105.34.34:8087
172.105.34.34:8443
172.105.34.34:8888
194.195.114.199:8080
194.195.114.199:8443
194.195.114.199:9200
ammopak.site
cakici.cloud
clinkvl.com
infinitybackup.net
infinitycloud.info
teleryanhart.com
wonderbackup.com
workflowit.website
ads.teleryanhart.com
api.infinitycloud.info
c.cakici.cloud
committed.cakici.cloud
connect.clinkvl.com
connect.infinitybackup.net
connect.infinitycloud.info
dfg.ammopak.site
file.wonderbackup.com
fwg.ammopak.site
jlp.ammopak.site
kwe.ammopak.site
login.wonderbackup.com
lxo.ammopak.site
mfi.teleryanhart.com
mtenerji.cakici.cloud
ns.infinitycloud.info
ns1.cakici.cloud
ns1.infinitybackup.net
ns2.cakici.cloud
odoo.cakici.cloud
share.infinitybackup.net
stok.cakici.cloud
sync.wonderbackup.com
update.wonderbackup.com
vpn.cakici.cloud
wer.ammopak.site

# Reference: https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
# Reference: https://otx.alienvault.com/pulse/656a4d9ef3793676ba2c304e

geoinfocdn.com
geostatcdn.com
telemetry.geoinfocdn.com
telemetry.geostatcdn.com
dlbh.telemetry.geostatcdn.com
fdsb.telemetry.geostatcdn.com
g1sw.telemetry.geoinfocdn.com
hfhs.telemetry.geostatcdn.com
lc3w.telemetry.geostatcdn.com

# Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
# Reference: https://otx.alienvault.com/pulse/656de9ae8d88a6c091f68c3c

http://178.162.227.180
http://185.162.235.206
178.162.227.180:443
185.162.235.206:443

# Reference: https://twitter.com/SI_FalconTeam/status/1737480275674710221
# Reference: https://twitter.com/k3yp0d/status/1737125808907387248
# Reference: https://twitter.com/Nevermore_cyber/status/1737114306209255561
# Reference: https://www.gov.il/he/Departments/publications/reports/alert_1687
# Reference: https://www.virustotal.com/gui/file/6f79c0e0e1aab63c3aba0b781e0e46c95b5798b2d4f7b6ecac474b5c40b840ad/detection
# Reference: https://www.virustotal.com/gui/file/64c5fd791ee369082273b685f724d5916bd4cad756750a5fe953c4005bb5428c/detection
# Reference: https://www.virustotal.com/gui/file/454e6d3782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567/detection
# Reference: https://www.virustotal.com/gui/file/ca9bf13897af109cb354f2629c10803966eb757ee4b2e468abc04e7681d0d74a/detection

31.192.237.207:2515

# Reference: https://cert.gov.ua/article/6276799 (# UAC-0177)

authcheck.in
authssl.in
authssl.link
authssl.online
authssl.org
authssl.site
certifiedauth.in
connectssl.in
exmo.day
getssl.click
getssl.ink
goaccount.link
hsts.online
passport2.zip
personlog.in
ssl1.online
ssl1.site
ssl2.in
ssl2.link
ssl2.online
ssl2.site
ssl3.online
ssl3.site
ssl4.online
ssl4.site

# Reference: https://twitter.com/DmitriyMelikov/status/1752270530126741920
# Reference: https://www.virustotal.com/gui/ip-address/142.93.233.186/relations
# Reference: https://www.virustotal.com/gui/file/5509ec26758c3c0dcf2bf1b0d7d8600da08cdcfb73cd6b90d46f84ea61c71094/detection

mistressally.com

# Reference: https://twitter.com/__0XYC__/status/1753000391770317099

zimbrauser.me

# Reference: https://cert.gov.ua/article/6277849 (# UAC-0149)

array.myftp.biz
bom02.gotdns.ch
worker-test-6f41.idv64828.workers.dev

# Reference: https://twitter.com/Cyber0verload/status/1764400497312608652

govua.bar
govua.one
my.govua.bar
my.govua.one

# Reference: https://twitter.com/jaydinbas/status/1766121403625963801
# Reference: https://www.virustotal.com/gui/file/ba42b13fafb9b38cc905b0764c8953cd0888c203d17dfd37f491de1793cc7c0a/detection

89.116.233.57:8090

# Reference: https://twitter.com/suyog41/status/1768558626929860749
# Reference: https://www.virustotal.com/gui/ip-address/146.70.157.120/detection
# Reference: https://www.virustotal.com/gui/ip-address/146.70.80.58/detection
# Reference: https://www.virustotal.com/gui/file/92145633823ed4a4c56915ab81f6bc0582fd27700d8515400edd0a153d39829f/detection
# Reference: https://www.virustotal.com/gui/file/736315462b91943de9df6210db3bb52564982dd6c758d06ea79e3a404548569b/detection
# Reference: https://www.virustotal.com/gui/file/6e4a4d25c2e8f5bacc7e0f1c8b538b8ad61571266f271cfdfc14725b3be02613/detection
# Reference: https://www.virustotal.com/gui/file/316e01b962bf844c3483fce26ff3b2d188338034b1dbd41f15767b06c6e56041/detection
# Reference: https://www.virustotal.com/gui/file/2f5f44863048243c1bbec6e16b1c0902f8c61d61fdb8277f5c514b2f04ce8993/detection
# Reference: https://www.virustotal.com/gui/file/2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3/detection

syncscheduler.com
/r3diRecT/redirector/
/r3diRecT/redirector/proxy.php