# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.mandiant.com/resources/seo-poisoning-batloader-atera
# Reference: https://www.virustotal.com/gui/file/e3d7f1af2bc790cf143827d2335b594dc3d54a0f49cb61e0b8d6a2d1f0ad27cb/detection
# Reference: https://www.virustotal.com/gui/file/0c3b0dda9f006860a3dfa7be0adb0194a5dfd5a4a1377933e7fb3681b8aadef7/detection

bartmaaz.com
cloudfiletehnology.com
clouds222.com
cmdadminu.com
commandaadmin.com
firsone1.online
kdsjdsadas.online
pornofilmspremium.com
sweepcakesoffers.com
team-viewer.site
websekir.com
zoomvideo-s.com
zoomvideo.site

# Reference: https://assets.sentinelone.com/sentinellabs/SentinelLabs-Zloader
# Reference: https://otx.alienvault.com/pulse/614056687e876ee92b3f7a1e

teamviewerdownload.fastforbusinessandpersonaluserourserviceaugust.alightindarkplacesbook.com

# Reference: https://tracker.viriback.com/ (# Batloader)
# Reference: https://twitter.com/1ZRR4H/status/1575364101148114944

a1a2a3b4.com
/013x1s/index/login
/01ex93/index/login
/g5i0nq/index/login
/p01kpc/index/login
/p3dr01/index/login
/sh1z01/index/login
/t1mw0r/index/login
/tyr4i1/index/login
/013x1s/index/
/01ex93/index/
/g5i0nq/index/
/p01kpc/index/
/p3dr01/index/
/sh1z01/index/
/t1mw0r/index/
/tyr4i1/index/

# Reference: https://twitter.com/1ZRR4H/status/1575364113542389762

anydeskos.com
logmein-cloud.com
teamcloudcomputing.com
teamviewclouds.com
zoomcloudcomputing.tech

# Reference: https://twitter.com/AlbertPriego/status/1575494025875927041

adueledem.online
appszik.com
/amzccadvadmin

# Reference: https://twitter.com/r3dbU7z/status/1579235837833011201

hank2004.kr
hkmts.kr

# Reference: https://twitter.com/nosecurething/status/1584674460577124352

externalchecksso.com

# Reference: https://twitter.com/SquiblydooBlog/status/1584927323916500993

zoomyclouds.com

# Reference: https://twitter.com/nosecurething/status/1585442441175482368

internalchecksso.com

# Reference: https://twitter.com/th3_protoCOL/status/1587823143854698497

cloudanydesk.com
cloudsintheslack.com
cloudsteamview.com
zoomyinclouds.com

# Reference: https://twitter.com/th3_protoCOL/status/1590469424804663297

photo-editor-mark.com

# Reference: https://twitter.com/nosecurething/status/1593037461915303938
# Reference: https://twitter.com/nosecurething/status/1593037467858644992

24xpixeladvertising.com

# Reference: https://twitter.com/mojoesec/status/1593351287835222016

t1pixel.com
t1pixelsite.com

# Reference: https://twitter.com/1ZRR4H/status/1596563151956619265

clodtechnology.com

# Reference: https://twitter.com/ian_kenefick/status/1596604099524726786

grammarlycheck2.com

# Reference: https://twitter.com/ViriBack/status/1597693963649323008

installationupgrade6.com
/0ssdt1/index/login

# Reference: https://twitter.com/nosecurething/status/1598394820665524224

installationsoftware1.com

# Reference: https://twitter.com/mojoesec/status/1598415404036128769

updatecloudservice1.com

# Reference: https://twitter.com/AdamTheAnalyst/status/1599798656886247424

installationsoftware2.com
installationupgrade20.com
slackoffercloud.com
teamoffercloud.com

# Reference: https://twitter.com/mojoesec/status/1599854170692935680

anydeskinvestingo.com
updateclientssoftware.com
zoominvestingoffer.com

# Reference: https://twitter.com/1ZRR4H/status/1600002894207803394

anydeskofferblackfriday.com
logmeinofferblackfriday.com
zoomofferblackfriday.com

# Reference: https://twitter.com/nosecurething/status/1603560949511774208

ads-check.com

# Reference: https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
# Reference: https://otx.alienvault.com/pulse/63c9447eb94ba08faec4307d

105105105015.com
internalcheckssso.com
slackcloudservices.com

# Reference: https://twitter.com/ian_kenefick/status/1616929484879368192

statisticpixels.com