# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/

thlsystems.forfirst.cz
mafra.go.kr.jeojang.ga

# Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/?mid=1
# Reference: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf

34.214.99.20/view_style.php
137.74.41.56/board.php
kingkoil.com.sg/board.php
kingkoil.com.sg/query.php

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
# Reference: https://twitter.com/bkMSFT/status/1093109336740642816

llpsearch.com
miphomanager.com

# Reference: https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/

071790.000webhostapp.com
7077.000webhostapp.com
881.000webhostapp.com
hanbosston.000webhostapp.com
vnik.000webhostapp.com
a7788.1apps.com
attach10132.1apps.com
bluemountain.1apps.com
filer1.1apps.com
s8877.1apps.com
files.000
ftp.byethost7.com
ftp.byethost10.com
webhost.com
webmail-koryogroup.com
61.14.210.72:7117

# Reference: https://twitter.com/blackorbird/status/1107214927402418176
# Reference: https://twitter.com/blackorbird/status/1107479347013672960

ddlove.kr/bbs/dta/1

# Reference: https://twitter.com/blackorbird/status/1082553543280680962

ago2.co.kr/bbs/data/dir

# Reference: https://twitter.com/blackorbird/status/1100691198346354688

46.29.163.222:9999

# Reference: https://otx.alienvault.com/pulse/5c9a457b3acc7f0eba431c81
# Reference: https://www.recordedfuture.com/scanbox-framework-campaign/

mailshield.ga
mail.mailshield.ga
monlamlt.com
oppo.ml
photogram.ga
tibct.net
tibct.org
tracking.dgip.gov.pk

# Reference: https://twitter.com/ClearskySec/status/1055404788635103232
# Reference: https://www.clearskysec.com/iec/

host-gv.appspot.com
journey-in-israel.com
iecr.co
iec-co-il.com
israelalerts.us
israelalert.us
pokemonisrael.yolasite.com
sourcefarge.net
users-management.com
ynetnewes.com

# Reference: https://twitter.com/ClearskySec/status/971454423548530688

baoin.baotintu.com
chinhtri.tourismas.com
kinhte.baotintu.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-12: Malicious Invoice of Telcel Mexican Telecommunication Company)

bambi.sytes.net

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-06: Iranian Greenbug targeting against Arab Emirates - Invoice-NO48935.doc)

acrobatverify.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-1-1: Campaign targeting Turkey with fake purchase order requests, drops low detection Java malware)

gorevleriyok.com

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (Chinese)

Jospubs.com

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

digi-cert.org
somtelnetworks.com
geotrusts.com
secureclientupdate.com
digicertweb.com
sport-pesa.org
itaxkenya.com
businessdailyafrica.net
infotrak-research.com
nairobiwired.com
k-24tv.com

# Reference: https://twitter.com/blackorbird/status/1132884799310319616
# Reference: http://blogs.360.cn/post/APP_Plugin.html
# Reference: https://securelist.com/whos-who-in-the-zoo/85394/
# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf

http://5.61.27.154
http://5.61.27.157
http://5.61.27.173
http://91.109.23.175
androidupdaters.com
adobeactiveupdates.com
adobeactiveupdate.com
adobeseupdater.com
dlgmail.com
dlstube.com
dlstubes.com
entekhab10.xp3.biz
googleupdators.com
rhubarb2.com
rhubarb3.com
solar64.xp3.biz

# Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

# Aliases: brave prince, gold dragon, ghost419

eodo1.000webhostapp.com
follow_dai.000webhostapp.com
trydai.000webhostapp.com
followgho.byethost7.com
ink.inkboom.co.kr
nid-help-pchange.atwebpages.com

# Reference: https://twitter.com/jq0904/status/1137362044271730694

hellojames.sportsontheweb.net

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/
# Reference: https://otx.alienvault.com/pulse/5d0276b98d2d7d679ed51fa2

tenchier.com
pilutce.com
miniast.com
boreye.com

# Reference: http://www.issuemakerslab.com/research2/index.html

pyeonta.com/board/news/board.asp
sdajunghwa.com/admin/data/admindata.asp
patentmall.net/goods/goods.asp
orentcar.com/rental/sub06.asp

# Reference: https://twitter.com/blackorbird/status/1141302473623105536

soportearus.com.co
/arus_collect.php

# Reference: https://twitter.com/DbgShell/status/1146012416968417280
# Reference: https://research.checkpoint.com/operation-tripoli/ (# Operation Tripoli)

aarasid.com/libya/index.html
clientstats.epss.org.ly
dexter-ly.com
dexter-ly.space
drpc.duckdns.org
forum.myvnc.com
kalifhaftar.blogspot.com
libyanews111.blogspot.com
libya-10.com.ly
sirtggp.com/libyanew/index.html

# Reference: https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018
# Reference: https://otx.alienvault.com/pulse/5d1e0531908ea7d506ce9839

loge.otzo.com
vvcxvsdvx.dynamic-dns.net

# Reference: https://otx.alienvault.com/pulse/5d23054ff45f6eb94e824460
# Reference: http://blog.ptsecurity.com/2019/07/ironpython-darkly-how-we-uncovered.html
# Reference: https://static.ptsecurity.com/phdays/presentations/phdays-9-ironpython-on-the-dark-side-the-silent-trio-from-croatia.pdf

http://198.46.182.158
176.105.255.59:8089
konzum.win
postahr.online
postahr.vip
posteitaliane.live

# Reference: https://news.sophos.com/en-us/2019/07/11/oto-gonderici-excel-formula-injections-target-turkish-victims/
# Reference: https://github.com/sophoslabs/IoCs/blob/master/Malspam-OtoGonderici
# Reference: https://otx.alienvault.com/pulse/5d276b688642da33ba698260

2073.mobi
25665.club
25665.me
33016.club
60431.club
75735.club
77444.club
80001.me
82813.club
Jdokdo.ml
aetye.ml
aghkf.ml
atessan.online
avrupagoz.online
ayanw.ml
banage.live
basaso.mobi
burcutekstil.online
cinarterlik.online
cnfh.mobi
cpaneh.tk
ekqff.ml
ewouif.gq
fazilet.club
gelovosaja.club
ghtc.mobi
gyqey.ml
hcsscj.ga
hfik.mobi
hocoso.mobi
hvaycz.cf
inssanayi.mobi
iquqy.ml
jahlq.ml
jekarebege.online
jjsiu.ml
jodaje.mobi
johaca.mobi
jurugq.host
kartalescort.mobi
kayaya.mobi
kojero.mobi
lca.mobi
mgw.mobi
nafaro.mobi
nefal.mobi
nehabe.mobi
nejoja.mobi
nvmdv.ml
peindikescort.mobi
pqoyruw.ga
professional.mobi
pvrdn.ml
qoloa.ml
qyhhy.ml
qzitt.ml
rimaw.ml
rlg.mobi
rtrzd.ml
selcukecza.online
specforce.space
supkh.mobi
swtaegs.ml
tamor.mobi
taneketevo.online
tgmml.ml
turkcall.mobi
tzlss.mobi
urdnz.cf
vazawoweso.online
vecoha.mobi
vgplb.ml
vpewqz.tk
walatecaqa.club
wdplf.ml
whyog.ml
wpf.mobi
wqplw.ml
yepeyowora.online
yerago.mobi
yklud.ml
ynngon.ml
yolecafeha.club
yomka.ml
yuktu.ml
zavayo.mobi
zayero.mobi
zororo.mobi

# Reference: https://www.zsis.hr/default.aspx?id=415

176.105.255.59:8089
postahr.vip
posteitaliane.live

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/
# Reference: https://otx.alienvault.com/pulse/5d3091d8a6d3522c9d5dcaff

http://144.202.19.31
http://95.179.168.23
diangovcomuiscia.com
eltiempocomco.com
medicosempresa.com

# Reference: https://www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/

coolbrowsering.xyz
alfapromo.info
archivepoisk-zone.info
onlinemobsoft.ru
anyaaplanet.info
decentsite.xyz
archivepoisk.info
sympleplace.info
adsmeneger.club

# Reference: https://twitter.com/cyberwar_15/status/1156091180293206016

http://51.254.60.208

# Reference: https://twitter.com/KevinPerlow/status/1156406115472760835 (# tcpihlp)

f1.vr.wincloud.com
d1.link.outbox.com

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware%20analysis%2020-08-19.md
# Reference: https://www.virustotal.com/gui/ip-address/167.88.180.148/relations

http://167.88.180.148
247up.org
apple-net.com
mediadomainservice.org
renewyourclicks.org
siteup-365.org

# Reference: https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/
# Reference: https://otx.alienvault.com/pulse/5d5d7094114b8af4a377f676

gmailusercontent.site
protect-outlook.com
srf-goolge.site