# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: disdroth, mercurial, phext

# Reference: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts
# Reference: https://www.virustotal.com/gui/file/05d9012f987b135416cc2982164c65fdc299474dba2e981d5dd87c40edee3212/detection
# Reference: https://www.virustotal.com/gui/file/14db03939100ff535d410324140e95db8e3c8b11c18b4d588d6d80457ce5cfa8/detection
# Reference: https://www.virustotal.com/gui/file/dd5c77163d87fcaa1f141273a4681e6db4a7050f3a73b6e31073afc2d4531689/detection

# Reference: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf
# Reference: https://github.com/WithSecureLabs/iocs/blob/master/DUCKTAIL/iocs.csv
# Reference: https://otx.alienvault.com/pulse/6380b7df615a70ddb2369653

# Reference: https://twitter.com/500mk500/status/1610733449836630016
# Reference: https://twitter.com/James_inthe_box/status/1610739773622325248
# Reference: https://twitter.com/jw4lsec/status/1613631976015073293
# Reference: https://www.virustotal.com/gui/file/ad1f8f94c4e36ee0b8f34668c0b684327891457668c3ea3f36fd14cb4e9d8d8f/detection
# Reference: https://www.virustotal.com/gui/file/b6f3588b0d8f974470047ce81dbeb0f7ade42a66b1489c92c87ee14a2f8042b6/detection

# Generic

/ads_optimize_result/cext