# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/ # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-01-06-malicious-document-targets-pyeongchang-olympics/malicious-document-targets-pyeongchang-olympics.csv 200.122.181.63:443 thlsystems.forfirst.cz ospf1-apac-sg.stickyadstv.com mafra.go.kr.jeojang.ga jeojang.ga nctc.go.kr # Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/?mid=1 # Reference: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-12-12-operation-sharpshooter-targets-global-defense-critical-infrastructure/operation-sharpshooter-targets-global-defense-critical-infrastructure.csv http://208.117.44.112 http://34.214.99.20/view_style.php 137.74.41.56/board.php kingkoil.com.sg/board.php kingkoil.com.sg/query.php # Reference: https://twitter.com/h2jazi/status/1361091982433660928 # Reference: https://www.virustotal.com/gui/file/e834ae4132f28ecbbd3b292a94c071c5aaff2c126034fb44069b125c6c2e2484/detection # Reference: https://www.virustotal.com/gui/file/f9658261912aec9d26f8faf8f8ec37bed6dd28c3cb3d569e5c014d3ee838c57b/detection fiori-da.azureedge.net # Reference: https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf # Reference: https://twitter.com/bkMSFT/status/1093109336740642816 llpsearch.com miphomanager.com # Reference: https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/ 071790.000webhostapp.com 7077.000webhostapp.com 881.000webhostapp.com hanbosston.000webhostapp.com vnik.000webhostapp.com a7788.1apps.com attach10132.1apps.com bluemountain.1apps.com filer1.1apps.com s8877.1apps.com files.000 ftp.byethost7.com ftp.byethost10.com webhost.com webmail-koryogroup.com 61.14.210.72:7117 # Reference: https://twitter.com/blackorbird/status/1107214927402418176 # Reference: https://twitter.com/blackorbird/status/1107479347013672960 ddlove.kr/bbs/dta/1 # Reference: https://twitter.com/blackorbird/status/1082553543280680962 ago2.co.kr/bbs/data/dir # Reference: https://twitter.com/blackorbird/status/1100691198346354688 46.29.163.222:9999 # Reference: https://otx.alienvault.com/pulse/5c9a457b3acc7f0eba431c81 # Reference: https://www.recordedfuture.com/scanbox-framework-campaign/ mailshield.ga mail.mailshield.ga monlamlt.com oppo.ml photogram.ga tibct.net tibct.org tracking.dgip.gov.pk # Reference: https://twitter.com/ClearskySec/status/1055404788635103232 # Reference: https://www.clearskysec.com/iec/ host-gv.appspot.com journey-in-israel.com iecr.co iec-co-il.com israelalerts.us israelalert.us pokemonisrael.yolasite.com sourcefarge.net users-management.com ynetnewes.com # Reference: https://twitter.com/ClearskySec/status/971454423548530688 baoin.baotintu.com chinhtri.tourismas.com kinhte.baotintu.com # Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-12: Malicious Invoice of Telcel Mexican Telecommunication Company) bambi.sytes.net # Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-06: Iranian Greenbug targeting against Arab Emirates - Invoice-NO48935.doc) acrobatverify.com # Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-1-1: Campaign targeting Turkey with fake purchase order requests, drops low detection Java malware) gorevleriyok.com # Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (Chinese) Jospubs.com # Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ digi-cert.org somtelnetworks.com geotrusts.com secureclientupdate.com digicertweb.com sport-pesa.org itaxkenya.com businessdailyafrica.net infotrak-research.com nairobiwired.com k-24tv.com # Reference: https://twitter.com/blackorbird/status/1132884799310319616 # Reference: http://blogs.360.cn/post/APP_Plugin.html # Reference: https://securelist.com/whos-who-in-the-zoo/85394/ # Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf http://5.61.27.154 http://5.61.27.157 http://5.61.27.173 http://91.109.23.175 androidupdaters.com adobeactiveupdates.com adobeactiveupdate.com adobeseupdater.com dlgmail.com dlstube.com dlstubes.com entekhab10.xp3.biz googleupdators.com rhubarb2.com rhubarb3.com solar64.xp3.biz # Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ # Aliases: brave prince, gold dragon, ghost419 eodo1.000webhostapp.com follow_dai.000webhostapp.com trydai.000webhostapp.com followgho.byethost7.com ink.inkboom.co.kr nid-help-pchange.atwebpages.com # Reference: https://twitter.com/jq0904/status/1137362044271730694 hellojames.sportsontheweb.net # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/ # Reference: https://otx.alienvault.com/pulse/5d0276b98d2d7d679ed51fa2 tenchier.com pilutce.com miniast.com boreye.com # Reference: http://www.issuemakerslab.com/research2/index.html pyeonta.com/board/news/board.asp sdajunghwa.com/admin/data/admindata.asp patentmall.net/goods/goods.asp orentcar.com/rental/sub06.asp # Reference: https://twitter.com/blackorbird/status/1141302473623105536 soportearus.com.co /arus_collect.php # Reference: https://twitter.com/DbgShell/status/1146012416968417280 # Reference: https://research.checkpoint.com/operation-tripoli/ (# Operation Tripoli) aarasid.com/libya/index.html clientstats.epss.org.ly dexter-ly.com dexter-ly.space drpc.duckdns.org forum.myvnc.com kalifhaftar.blogspot.com libyanews111.blogspot.com libya-10.com.ly sirtggp.com/libyanew/index.html # Reference: https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018 # Reference: https://otx.alienvault.com/pulse/5d1e0531908ea7d506ce9839 loge.otzo.com vvcxvsdvx.dynamic-dns.net # Reference: https://otx.alienvault.com/pulse/5d23054ff45f6eb94e824460 # Reference: http://blog.ptsecurity.com/2019/07/ironpython-darkly-how-we-uncovered.html # Reference: https://static.ptsecurity.com/phdays/presentations/phdays-9-ironpython-on-the-dark-side-the-silent-trio-from-croatia.pdf # Reference: https://app.any.run/tasks/11c30ef5-3297-4a3e-b85f-f9291aac910a/ http://198.46.182.158 176.105.255.59:8089 konzum.win postahr.online postahr.vip posteitaliane.live # Reference: https://news.sophos.com/en-us/2019/07/11/oto-gonderici-excel-formula-injections-target-turkish-victims/ # Reference: https://github.com/sophoslabs/IoCs/blob/master/Malspam-OtoGonderici # Reference: https://otx.alienvault.com/pulse/5d276b688642da33ba698260 2073.mobi 25665.club 25665.me 33016.club 60431.club 75735.club 77444.club 80001.me 82813.club Jdokdo.ml aetye.ml aghkf.ml atessan.online avrupagoz.online ayanw.ml banage.live basaso.mobi burcutekstil.online cinarterlik.online cnfh.mobi cpaneh.tk ekqff.ml ewouif.gq fazilet.club gelovosaja.club ghtc.mobi gyqey.ml hcsscj.ga hfik.mobi hocoso.mobi hvaycz.cf inssanayi.mobi iquqy.ml jahlq.ml jekarebege.online jjsiu.ml jodaje.mobi johaca.mobi jurugq.host kartalescort.mobi kayaya.mobi kojero.mobi lca.mobi mgw.mobi nafaro.mobi nefal.mobi nehabe.mobi nejoja.mobi nvmdv.ml peindikescort.mobi pqoyruw.ga professional.mobi pvrdn.ml qoloa.ml qyhhy.ml qzitt.ml rimaw.ml rlg.mobi rtrzd.ml selcukecza.online specforce.space supkh.mobi swtaegs.ml tamor.mobi taneketevo.online tgmml.ml turkcall.mobi tzlss.mobi urdnz.cf vazawoweso.online vecoha.mobi vgplb.ml vpewqz.tk walatecaqa.club wdplf.ml whyog.ml wpf.mobi wqplw.ml yepeyowora.online yerago.mobi yklud.ml ynngon.ml yolecafeha.club yomka.ml yuktu.ml zavayo.mobi zayero.mobi zororo.mobi # Reference: https://www.zsis.hr/default.aspx?id=415 176.105.255.59:8089 postahr.vip posteitaliane.live # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/ # Reference: https://otx.alienvault.com/pulse/5d3091d8a6d3522c9d5dcaff http://144.202.19.31 http://95.179.168.23 diangovcomuiscia.com eltiempocomco.com medicosempresa.com # Reference: https://twitter.com/cyberwar_15/status/1156091180293206016 http://51.254.60.208 # Reference: https://twitter.com/KevinPerlow/status/1156406115472760835 (# tcpihlp) f1.vr.wincloud.com d1.link.outbox.com # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware%20analysis%2020-08-19.md # Reference: https://www.virustotal.com/gui/ip-address/167.88.180.148/relations http://167.88.180.148 247up.org apple-net.com mediadomainservice.org renewyourclicks.org siteup-365.org # Reference: https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/ # Reference: https://otx.alienvault.com/pulse/5d5d7094114b8af4a377f676 gmailusercontent.site protect-outlook.com srf-goolge.site # Reference: https://twitter.com/Timele9527/status/1166188375109296128 mmksba.dyndns.org # Reference: https://research.checkpoint.com/the-eye-on-the-nile/ # Reference: https://otx.alienvault.com/pulse/5d95e00256c29a9623c3cc97 arabindex.info drivebackup.co indexmasr.com indexy.org maillogin.live mailsecure.live servegates.com txtips.com weblogin.live # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2014/2014-07-15-targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities.csv asdf.avstore.com.tw asdf.skypetm.com.tw avast.avstore.com.tw avstore.com.tw bluer.avstore.com.tw bz.kimoo.com.tw chanxe.avstore.com.tw gmail.skypetm.com.tw jamessmith.avstore.com.tw mca.avstore.com.tw skypetm.com.tw sophos.skypetm.com.tw star.yamn.net vbnm.skypetm.com.tw zeng.skypetm.com.tw # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-02-gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems.csv braveprince.com followgho.byethost7.com nid-help-pchange.atwebpages.com # Reference: https://cyberwarzone.com/massive-collection-rat-backdoors-iraq-syria-free-2-share/ aaaaaaaahmad.no-ip.biz abdillahzraibi.no-ip.biz abdou36.noip.me abevahack123.no-ip.biz ahmad83t.no-ip.biz alaa170.no-ip.org alialzainabe.mooo.com alkator.dns53.biz allal.x64.me anroideex1.noip.me attackerman.ddns.net avg99.does-it.net avira2015.no-ip.biz az4511lon.ddns.net bacoussama.no-ip.biz badboy02.no-ip.biz badrop2ch.zapto.org basel123.no-ip.org bctnra.zapto.org beddass.no-ip.biz bilallchefa.zapto.org cat85.no-ip.org charisma1996.linkpc.net codehacker.no-ip.biz cyberyassine.no-ip.org deekay123.linkpc.net djou233.zapto.org drogbaaa.zapto.org druxyhere.ddns.net een21.hopto.org eliadz.no-ip.biz eshta.linkpc.net facebookchanel.servehalflife.com ferkhwazumar.no-ip.biz fifaorigin123.no-ip.biz firas12345.ddns.net freekali1.no-ip.biz gardien.myq-see.com gmlbooter.no-ip.biz gohakeing.no-ip.org hack-c4.zapto.org hacker.syr.linkpc.net hacker963.myq-see.com hoppyhoppy.ddns.net hoxor121.no-ip.org hussienkahoul.no-ip.biz ibrahem1010.no-ip.biz iibbrr.zapto.org isuero.no-ip.info jado7alassad.ddns.net jaziremanoto.no-ip.org joke2014.no-ip.biz kaikun.mooo.com kakalaw25.ddns.net kakar5.ddns.net kakgwl.no-ip.biz kano.ddns.net khaleeel.no-ip.biz khouyatte.duckdns.org kiim.no-ip.biz killerah.no-ip.biz kimou3939.no-ip.biz king-enutroof.no-ip.biz kingoof.ddns.net koknjkoke.myq-see.com kokopopo2.no-ip.biz kurdboy.zapto.org kurdboy666.noip.me kurdish-hacker.no-ip.org kurdish2000.ddns.net kurdustan.no-ip.biz laid0404.ddns.net loki2.linkpc.net lov3black.no-ip.biz lulzpedia.ddns.net m7tagk.zapto.org mahmoudelmassry.no-ip.biz makarov123.no-ip.org max2015.ddns.net mazamoza.no-ip.biz medknass.ddns.net medoblack.no-ip.biz mghool.no-ip.biz mhamedhc.no-ip.org mi3283.ddns.net mo7trf0.no-ip.biz mohchaiba.no-ip.biz momo321.dnsd.info mozilla.myq-see.com mrman.no-ip.biz mth3protn.ddns.net muhanned.myq-see.com mynjrathost.no-ip.biz n5z.no-ip.biz nabard81.ddns.net nada00.no-ip.biz nash2t.linkpc.net nasreen123.no-ip.biz nilolack.zapto.org nj88.no-ip.biz njrat-dz2.no-ip.biz nmb007.no-ip.biz now-see.publicvm.com ooolll.ddns.net optera.hopto.org rami7733.no-ip.org ramisy.ddns.net raoufraouf.ddns.net rapmorix.no-ip.org roma1996.no-ip.org roy5150.no-ip.biz salmanvegeta.no-ip.biz samermax.no-ip.biz sara31.ddns.net sat2014.zapto.org scorpionjo.linkpc.net sfeer55.no-ip.biz sharazoori.zapto.org sifebuissines.noip.us silent404tmd.no-ip.biz silver13.ddns.net sneakking.myq-see.com syria2016.ddns.net syriano.hack.dnsd.info theblack2015.no-ip.biz thejoe.publicvm.com thekingh.linkpc.net tplinkdbk.ddns.net unknownman13.mooo.com vergilalasad.no-ip.biz vip.all4syrian.com vk1000250.no-ip.biz webmaxot.publicvm.com wejden2014.ddns.net wepspacet.publicvm.com x3rbx.ddns.net xhxh1988.no-ip.org yg4h.no-ip.biz younesmer.myq-see.com zasosna.myq-see.com zasosna.no-ip.org zinebzina.ddns.net zoro2015.ddns.net # Reference: https://twitter.com/blackorbird/status/1194824371904237568 pahealth.info # Reference: https://blog.ptsecurity.com/2019/12/turkish-tricks-with-worms-rats-and.html http://192.95.3.137 http://192.95.3.140 http://5.255.63.12 bcorp.fun bkorp.xyz buhar.us definebilimi.com husan.ddns.net husan2.ddns.net husan3.ddns.net i36-imgur.com i37-imgur.com i38-imgur.com i39-imgur.com prntsrcn.com qqww.eu # Reference: https://www.secureworks.com/research/bronze-president-targets-ngos # Reference: https://otx.alienvault.com/pulse/5e0a1aa2617f951d88c9d891 apple-net.com forexdualsystem.com ipsoftwarelabs.com lionforcesystems.com oshibadrive.com strust.club svchosts.com svrhosts.com wbemsystem.com # Reference: https://twitter.com/cyber__sloth/status/1216769444829179904 # Reference: https://otx.alienvault.com/pulse/5e1cde40219fa7e9f40164e7 # Reference: https://www.virustotal.com/gui/ip-address/160.20.147.84/relations domain-lk.sytes.net foreign-mv.sytes.net ncit-gov.sytes.net windefupdate.sytes.net # Reference: https://www.isc2peruchapter.org/pdfs/2019-04-24-Eric.pdf personanddog.info # Reference: https://lab52.io/blog/intelligence-operation-against-targets-in-indonesia/ # Reference: https://otx.alienvault.com/pulse/5e441513dbb6d26fca51ee52 musicstore.global.ssl.fastly.net # Reference: https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/ # Reference: https://otx.alienvault.com/pulse/5e6a5d43825f9463366799c6 acccountsgoog1e.com account-mail.info accountapp.xyz accountsgoog1e.com alexandr01299.xyz auth-google.site auth-mail.email badoo-account-security.com check-activity.com.ru chrome-redirect.top com-auth.site com-enter.site com-gm.site com-google.site comericac.com desktest1.xyz desktest5.xyz desktest9.xyz dokerest.xyz dokertest.xyz droinjoin.xyz emails-support.site fedortest.xyz freekremlin.com frosdank.com frostdank.com garant-help.com gmail-warning.top google-activity.pw gvoice8765.online hpphhpph.com id-support-email.com joindroin.xyz lamatrest.xyz mail-auth.email mail-auth.online mail-google.email my-short.com myaccount-support.top mycabinet.xyz mynavvfedera1.org mynavyfedera1.org mynavyfedral.org mynevyfedera1.org navyfedara1.org navyfedera1.com navyfedera1.org navyfederai.org nayfedera1.org nevyfedera1.org nitroqensports.eu nsdns.xyz poxypoxy.xyz rc-room.com support-emails.host t1bank.xyz testdhome1.xyz testdhome4.xyz testdom1.xyz testdom3.xyz testfor7.xyz vkontak1e.com voice98765.online xn--avyfedera-yubm.org xn--bckchain-v3a30f.com xn--blckchain-17c.com xn--blockcain-lmb.com xn--mynavyfedera-occ.org xn--navyfderal-36a.com xn--navyfedera-j0b.org yandex-account-security.com # Reference: https://twitter.com/ximo_lcg/status/1242298741140250624 # Reference: https://app.any.run/tasks/642a1b8c-6232-41c0-8c74-0f4513a44599/ # Reference: https://www.virustotal.com/gui/ip-address/34.247.80.95/relations javacon.eu cdn.javacon.eu # Reference: https://twitter.com/Rmy_Reserve/status/1244817235211739141 cloudfiles.club # Reference: https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/ # Reference: https://otx.alienvault.com/pulse/5e9f5eb5352e6287ee4c0e67 api.doubles.click cdn.doublesclick.me start.apiforssl.com static.doublesclick.info status.search-sslkey-flush.com status.verifyingbycf.com # Reference: https://twitter.com/ximo_lcg/status/1252771553365782528 a.00-online.com # Reference: https://blog.alyac.co.kr/242 (Korean) 122.10.93.136:6687 # Reference: https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf (Chimera, Semiconductors) # Reference: https://medium.com/@cycraft_corp/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730 # Reference: https://otx.alienvault.com/pulse/5ea073a3c14dae77c07976d3 chrome-applatnohp.appspot.com 78276.ussdns01.heketwe.com 78276.ussdns02.heketwe.com ussdns01.heketwe.com ussdns02.heketwe.com ussdns04.heketwe.com # Reference: https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ (Chimera) # Reference: https://otx.alienvault.com/pulse/5ffde53573457b19cacf41be EuDbSyncUp.com MsCupDb.com UsMobileSos.com europe-s03213.appspot.com eustylejssync.appspot.com fsdafdsfdsaflkjkxvzcuifsad.azureedge.net ictsyncserver.appspot.com officeeuropupd.appspot.com officeeuupdate.appspot.com platform-appses.appspot.com sowfksiw38f2aflwfif.azureedge.net watson-telemetry.azureedge.net # Reference: https://www.cib.gov.tw/News/BulletinDetail/8294 # Reference: https://otx.alienvault.com/pulse/5ec7ff4ec67d6aca23b7c350 outlook-offices.com phonectrl.com tibet-office.com # Reference: https://twitter.com/w3ndige/status/1265745221419229187 86wts86a8j.com update.86wts86a8j.com # Reference: https://twitter.com/cyber__sloth/status/1271580177521414145 mofa-gov-pk.com # Reference: https://twitter.com/cyber__sloth/status/1271577668752998405 def.support # Reference: https://twitter.com/MBThreatIntel/status/1273309450992930817 # Reference: https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/ updateeset.com yenile.asia # Reference: https://app.any.run/tasks/db1be70f-b51f-4994-95f8-0af911335193/ 137.220.180.39:8082 # Reference: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf # Reference: https://otx.alienvault.com/pulse/5eea47f6776f5e41c8346a31 http://205.210.162.36/start.html http://205.210.162.36/www2default/css1/style.xsl cwjamaica.biz/images/logo.png sbsserv.camdvr.org/top.swf km.wu.ac.th/image/office.jpg safebrowsing.gleeze.com markham.ca/css1/Mar.xsl markham.ca/css1/style.swf markham.ca/css1/style.jpg markham.ca/css1/style.xsl markham.ca/css1/style.css markham.ca/view_center.asp markham.ca/css/first.css markham.ca/first.jpeg markham.ca/politicia.asp markham.ca/taxing-churc.asp markham.ca/exports-to-Turkey.asp markham.ca/Climate.asp markham.ca/discoveries.asp markham.ca/pay-talks-fai.asp markham.ca/Nouvelles.asp markham.ca/News.asp markham.ca/Noticias.asp markham.ca/EU-nominee.asp markham.ca/Business.asp markham.ca/Culture.asp markham.ca/Life-Work.asp markham.ca/Comercio.asp markham.ca/Links.asp markham.ca/churc.asp markham.ca/products.asp markham.ca/exports.asp online.verzatec.com/banner.asp nic.mywire.org chuta.jp/jtool/dic.css chuta.jp/jtool/dic.png chuta.jp/jtool/politicia.asp chuta.jp/jtool/taxing-churc.asp chuta.jp/jtool/exports-to-Turkey.asp chuta.jp/jtool/Climate.asp chuta.jp/jtool/discoveries.asp chuta.jp/jtool/pay-talks-fai.asp chuta.jp/jtool/Nouvelles.asp chuta.jp/jtool/News.asp chuta.jp/jtool/Noticias.asp chuta.jp/jtool/EU-nominee.asp chuta.jp/jtool/Business.asp chuta.jp/jtool/Culture.asp chuta.jp/jtool/Life-Work.asp chuta.jp/jtool/Comercio.asp chuta.jp/jtool/Links.asp chuta.jp/jtool/churc.asp chuta.jp/jtool/products.asp chuta.jp/jtool/exports.asp comnet.aev.com/wik.xsl servicediscovery.kozow.com w3.casacam.net # Reference: https://blog.lookout.com/multiyear-surveillance-campaigns-discovered-targeting-uyghurs # Reference: https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf # Reference: https://otx.alienvault.com/pulse/5efca5ec3da9c1ceace695fc androidsapps.ml babyedu-online.com googleanalyseservice.net googlleservice.com symantecupdate.net vipappdownload.com wephone.top 6006.secpert.com 6006.upupdate.cn amote-366.vicp.cc android.apps.us.to androidapps.duia.in androidapps.fvk.cc androidapps.home.hn.org androidapps.jetos.com androidapps.linkpc.net androidapps.myfirewall.org androidapps.nerdpol.ovh androidapps.npff.co androidapps.nsupdate.info androidapps.spdns.eu androidapps.spdns.org androidapps.tempors.com coco.wikaba.com cookedu-online.com englishedu-online.com heartsys.dnsapi.info joke.upupdate.cn nortonservice.net phpyahoo.mrbasic.com s101.secpert.com s2.upupdate.cn ss903.w3.ezua.com ss904.w3.ezua.com sz.secpert.com tree.ddns.us turknews-online.com turkyedu-online.com umare.zyns.com vipapkdownload.com youtube.dynamicdns.org.uk # Reference: https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities # Reference: https://otx.alienvault.com/pulse/5efccb42e70b867e18ff1825 http://193.29.59.130 http://23.106.122.234 # Reference: https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf # Reference: https://otx.alienvault.com/pulse/5f04d03c68918d97811bda03 cloud-front-gateway.cc confidential-privileged.com email-gateway-host.cc encrypted-gateway.cc encrypted-host.cc encrypted-mail-gateway.cc encrypted-mail-server.com encrypted-network.cc encrypted-smtp-transport.cc eu-1-host-protection.cc fortinet-gateway.cc fortinet-host-protection.cc fortinet-host.cc fortinet-protection.cc fortinet-server.cc mail-transport-agent.cc mail-transport-gateway.cc mail-transport-host.cc mail-transport-protection.cc mx-gateway-host.cc mx-secure-email-host.cc mx-secure-email-server.cc mx-secure-net.com node-protection.cc privileged-secured.com relay-secure-smtp.com secure-email-delivery.cc secure-email-gateway.cc secure-email-host.cc secure-email-host.com secure-email-net.cc secure-email-provider.cc secure-email-provider.com secure-email-server.cc secure-email-server.net secure-email-service.com secure-mail-cast.com secure-mail-gateway.cc secure-mail-host.cc secure-mail-host.com secure-mail-net.cc secure-mail-net.com secure-mail-provider.cc secure-mail-provider.com secure-mail-server.cc secure-mx-gateway.cc secure-mx-host.com secure-mx-provider.cc secure-mx-server.cc secure-mx-service.cc secure-server-smtp.cc secure-smtp-delivery.cc secure-smtp-gateway.cc secure-smtp-host.cc secure-smtp-host.com secure-smtp-provider.cc secure-smtp-server.cc secure-smtp-server.com secure-smtp-service.cc secure-smtp-service.com secure-ssl-sec.com smtp-gateway-host.cc smtp-secure-gateway.cc smtp-secure-service.cc smtp-server-relay.com # Reference: https://twitter.com/spider_girl22/status/1287952503280082944 # Reference: https://www.virustotal.com/gui/file/126986d2789c932a473e606ba936d97dbef87ba64659f4515e95237de1701b3b/detection techimplement.com/wp-content/uploads/wp-logs/mailchimp.php # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/water-nue-campaign-targets-c-suites-office-365-accounts/ highstreetmuch.xyz takeusall.online # Reference: https://www.bitdefender.com/files/News/CaseStudies/study/365/Bitdefender-PR-Whitepaper-APTHackers-creat4740-en-EN-GenericUse.pdf # Reference: https://otx.alienvault.com/pulse/5f475fecd47f88519e3140e2 175.197.40.61:3445 # Reference: https://www.threatcrowd.org/domain.php?domain=abc69696969.vicp.net # Reference: https://www.virustotal.com/gui/domain/abc69696969.vicp.net/detection # Reference: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-blond.pdf # Reference: https://www.virustotal.com/gui/ip-address/103.105.59.104/relations abc69696969.vicp.net googleimg.top # Reference: https://twitter.com/h2jazi/status/1304492241898090496 # Reference: https://www.virustotal.com/gui/file/60399bf2cc5bd28a39f2498adcc6113fc86327872dbaa0f0b280d333c5675908/detection # Reference: https://www.virustotal.com/gui/domain/storagecdn.eu/relations storagecdn.eu # Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a # Reference: https://otx.alienvault.com/pulse/5f6d08b2d10722175748a71e 185.193.127.18 185.86.151.223 207.220.1.3 78.27.70.237 91.219.236.166 # Reference: https://github.com/DoctorWebLtd/malware-iocs/blob/master/APT_news2020/README.adoc # Reference: https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf # Reference: https://otx.alienvault.com/pulse/5f7a0e9cd535606ddee04448 # Reference: https://www.virustotal.com/gui/file/c9de1dad018236049ed88be9ccab28e75a04609466288451c4c1971b27e5e3eb/detection # Reference: https://www.virustotal.com/gui/file/01118e56a1c5dafc2d82f154eb1a67d39a19f131ca1dc5e0f356a017b1932611/detection # Reference: https://www.virustotal.com/gui/file/845198a33ca50860688cac016323302cf33054e1b52a3bff1b66f15a625a0b66/detection # Reference: https://www.virustotal.com/gui/file/dfbec38959eae893dfa13c7ce526862f9306f5fb95102e0885debeec4a063d45/detection 122.10.82.65:8080 176.10.118.154:8443 185.158.249.120:8080 http://176.10.118.154 download.inklingpaper.com duck.manhajnews.com gova.manhajnews.com john.newss.nl news.microotf.com news.newss.nl news.zannews.com newsfor.newss.nl newsinfo.newss.nl nissen.newss.nl sports.manhajnews.com webnews.newss.nl inklingpaper.com microotf.com newss.nl zannews.com # Reference: https://twitter.com/Rajer_arthur/status/1313099977141481474 # Reference: https://app.any.run/tasks/25c9ee95-f8b8-4124-9e27-82a348ba3301/ # Reference: https://www.virustotal.com/gui/file/7007f35df3292a4ecd741839fc2dafde471538041e54cfc24207d9f49016dc77/detection cannabispropertybrokers.com # Reference: https://securelist.com/olympic-destroyer-is-still-alive/86169/ # Reference: https://systemtek.co.uk/2018/06/olympic-destroyer-malware/ http://79.142.76.40/news.php http://159.148.186.116/admin/get.php http://159.148.186.116/login/process.php http://159.148.186.116/news.php ppgca.ufob.edu.br/components/com_finder/helpers/access.log ppgca.ufob.edu.br/components/com_finder/views/default.php narpaninew.linuxuatwebspiders.com mysent.org 79.142.76.40:8989 5.133.12.224:333 # Reference: https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/ (#AmericanUSA, #HELLO_USA_PRISIDENT, #KilllSomeOne) 160.20.147.254:9999 # Reference: https://www.proofpoint.com/us/blog/threat-insight/persistent-actor-targets-ledger-cryptocurrency-wallets # Reference: https://otx.alienvault.com/pulse/5fa472e97ef9fd555c12347d au-ledger.com ca-ledger.com com-client.email de-ledger.com dogcat.space dogcowbat.com fr-ledger.com funnerhere.com homeandfamilyuniverse.com it-ledger.com ledger-chain.com ledger-chain.info ledger-live.io ledger-support.io ledger.buzz ledger.deals ledger.legal ledger.org.pl ledger.report ledgermailer.io ledgersupport.io legder-support.io legder.com lmao.money loldevs.com nl-ledger.com numisconsult.com nz-ledger.com quikview-update.com quikview.work t-mobile-sq.com theironshop.net tmobile.digital us-ledger.com usa-ledger.com xn--ldger-6za.com xn--ldger-n51b.com xn--ldgr-vvac.com xn--ledge-xbb.com xn--ledgr-9za.com xn--ledgr-q51b.com ledger.uk.com ledger.us.org secure.hbccing.com # Reference: https://twitter.com/AnonySecAgency/status/1316292983508013056 # Reference: https://www.virustotal.com/gui/file/c88d0f7d623b2a2c066dd6b15597d1f4c44d89e7a8e660e28c3494f441826ea5/detection 103.139.2.93:1702 # Reference: https://twitter.com/0xthreatintel/status/1330027963157508096 # Reference: https://mp.weixin.qq.com/s/aMj_EDmTYyAouHWFbY64-A (Chinese) # Reference: https://www.virustotal.com/gui/ip-address/176.119.2.122/relations # Reference: https://www.virustotal.com/gui/ip-address/78.140.162.22/relations # Reference: https://www.virustotal.com/gui/ip-address/87.251.77.19/relations # Reference: https://otx.alienvault.com/pulse/5fb83d70906bd27194456779 # Note: Potentially could be related to APT Gamaredon campaign, but currently there're no evidences on it. 176.119.2.122:443 87.251.77.19:443 24ua.website bukovel.host d0t.host depo.host glavpost.site inforesist.press inforesist.site kharkiv.host mytv.host obozrevatel.press rttv.host tribun.site uanews.press ukrnet.press unian.pw vgolos.press w0x.host # Reference: https://securityintelligence.com/posts/ibm-uncovers-global-phishing-covid-19-vaccine-cold-chain/ # Reference: https://otx.alienvault.com/pulse/5fc923119243821757b02f15 e-mailer.cf e-mailer.ga mailerdeamon.cf mailerdeamon.ga mailerdeamon.gq mailerdeamon.ml mailerdeamon.tk nwa-oma.ml nwa-oma2.ml routermanager.ga routermanager.gq routermanager.ml routermanager.tk routermanagers.cf routermanagers.ga routermanagers.gq routermanagers.ml routermanagers.tk serverrouter.cf serverrouter.ga serverrouter.tk serversrouter.cf serversrouter.gq # Reference: https://twitter.com/ClearskySec/status/1311291935685070848 # Reference: https://www.clearskysec.com/operation-kremlin/ http://185.243.112.18 http://185.243.112.57 http://5.9.242.126 bibigreen.ru/wp-content/energia/wp/ bibigreen.ru/up/up.php hesheflowershop.ru/wp/up.php # Reference: https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/ # Reference: https://otx.alienvault.com/pulse/6019b7d8f25640334bd72d00/ boshiamys.com cloudfronte.com cloudfronter.com cloudistcdn.com # Reference: https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf # Reference: https://otx.alienvault.com/pulse/603693b42a32d06720efad59/ # Reference: https://twitter.com/h2jazi/status/1366759252757512194 # Reference: https://www.virustotal.com/gui/file/0652962c5dace16ed170a932e3ce7eb3097b34bc809343fbb96b27cf3d22a5c7/detection iatassl-telechargementsecurity.duckdns.org varifsecuripass.duckdns.org # Reference: https://blog.malwarebytes.com/threat-analysis/2021/03/new-steganography-attack-targets-azerbaijan/ # Reference: https://www.virustotal.com/gui/file/69e880b0545330b8e6d1543c47d89b4907fb79899b40c2478c591225ffc551ce/detection vnedoprym.kozow.com # Reference: https://blog.malwarebytes.com/threat-analysis/2021/04/aurora-campaign-attacking-azerbaijan-using-multiple-rats/ # Reference: https://otx.alienvault.com/pulse/606dfd9079e30b337044cdaf 111.90.150.37:220 pook.mywire.org # Reference: https://twitter.com/ShadowChasing1/status/1387602989033017346 # Reference: https://www.virustotal.com/gui/file/5bd954c9f91f65e2ac270703ef0595c6385432bcfda2572af28fade2f6474135/detection archive.org/download/hbankers-latest/HBankers_Latest.hta ia601400.us.archive.org/31/items/bypass_20210428_0905/bypass.txt ia601408.us.archive.org/18/items/server_20210428_0903/Server.txt ia801402.us.archive.org/6/items/bat_20210331/bat.txt # Reference: https://twitter.com/petrovic082/status/1406910865518075904 # Reference: https://www.virustotal.com/gui/file/8445c0189735766edf0e3d01b91f6f98563fef272ac5c92d3701a1174ad072dd/detection # Reference: https://s.threatbook.cn/report/file/8445c0189735766edf0e3d01b91f6f98563fef272ac5c92d3701a1174ad072dd/?env=win7_sp1_enx64_office2013 flashdownloadserver.oss-cn-hongkong.aliyuncs.com # Reference: https://www.facebook.com/UACERT/posts/4321920377829335 (Ukrainian) gov-ua.info president.gov.ua.administration.vakansiyi.administration.president.gov-ua.info # Reference: https://twitter.com/ShadowChasing1/status/1415292150258880513 # Reference: https://www.virustotal.com/gui/file/654393966ff2c352c5b0a1286fa78c2a54410068ea1d7b1f60ab4924bfa5e36e/detection http://81.27.243.51 # Reference: https://go.recordedfuture.com/hubfs/reports/cta-2021-0715.pdf # Reference: https://otx.alienvault.com/pulse/60f1412406464b3eb5e00c85 2021olympic.cn 2021olympics.jp 2021olympicupdates.com 2021olympicupdates.live 2021olympicupdateslive.com cancel-olympic.tokyo cxaolympicgames2021.org lost-olympic.tokyo no-olympic.tokyo olympic2020.in olympic2020in.tokyo olympic2021.in olympicgames2021.cn olympicgames2021.co.za olympicnewstokyo.com olympics2020.icu olympics2020.in olympics2020.vip olympics2021.in olympicvirtual2021.com perrigoselfcareolympics2021.com stop-olympic.tokyo summerolympics-2020.org teamnl2020-olympic-paralympic.games the2021olympicgames.com the2021olympicgames.org the2021olympicstokyo.com theolympicstokyo2021.com tokyo----olympics.org tokyo---olympics.org tokyo--olympics.org tokyo-olympicslive.com tokyoolympicplay.com tokyoolympics.org tokyoolympicsfootballlive.com tokyoolympicsolympics.com tokyoolympicsport.com tokyoolympicswaterpololive.com tokyotokyoolympics.com usolympics2020.com usolympics2021.com tokyoolympicplay.blogspot.com tokyoolympicsplay.blogspot.com # Reference: https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/ (# CVE-2021-1844, CVE-2021-21166, CVE-2021-30551, CVE-2021-33742) # Reference: https://otx.alienvault.com/pulse/60ef0c90a9b787a794c38975 armenpress.org armlur.org armradio.org armtimes.net armtimes.org asbares.com hetq.org hraparak.org lragir.org db-control-uplink.com kidone.xyz lioiamcount.com wordzmncount.com workaj.com # Reference: https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/ (# CVE-2021-1879) # Reference: https://otx.alienvault.com/pulse/60ef0ec9c0275001c7314643 vegmobile.com supportcdn.web.app # Reference: https://twitter.com/Legen78695928/status/1417394224639582215 # Reference: https://www.virustotal.com/gui/file/66882db537a3166f60b45f65a56705d5e838b750cb45a0a54a0645d3793b572a/detection 66.42.43.177:443 nationalcollege.edu.np/admin/assets/js/jquery/tiny/plugins/anchor/.anchor/sysWow64-e1.exe # Reference: https://us-cert.cisa.gov/ncas/alerts/aa21-201a # Reference: https://otx.alienvault.com/pulse/60f7f55ab4b22e92326a3f0e 18center.com arrowservice.net businessconsults.net fni.itgamezone.net fpso.bigish.net un.linuxd.org # Reference: https://twitter.com/ShadowChasing1/status/1420900093683666945 # Reference: https://www.virustotal.com/gui/file/4db59d3e610a4c80db60741e8d27fc983d4febbda9df507b47594ae1d84dbff1/detection prince.g0v.org.cn # Reference: https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/ # Reference: https://otx.alienvault.com/pulse/6103af154ae2e3373990e70c # Reference: https://www.virustotal.com/gui/ip-address/75.126.173.133/relations # Reference: https://www.virustotal.com/gui/file/0661fc4eb09e99ba4d8e28a2d5fae6bb243f6acc0289870f9414f9328721010a/detection # Reference: https://www.virustotal.com/gui/file/03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac/detection cloud-documents.com cloud-documents.net cloud-documents.org