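# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: 8ucares

# Reference: https://twitter.com/malwaremustd1e/status/1256977666084761602
# Reference: https://www.virustotal.com/gui/domain/1.versionday.xyz/relations

1.versionday.xyz

# Reference: https://intezer.com/blog/research/kaiji-chinese-iot-malware-turning-to-golang/
# Reference: https://otx.alienvault.com/pulse/5eb19b29d53d234ac978f51b

aresboot.xyz
cu.versiondat.xyz

# Reference: https://twitter.com/albertzsigovits/status/1264909051227451395

45.138.81.176:35565
0.versiondat.xyz

# Reference: https://twitter.com/albertzsigovits/status/1265196913067991040

2s11.com
6x66.com
cocoserver.xyz

# Reference: https://twitter.com/r3dbU7z/status/1271053327242014721

136.243.18.221:808

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/
# Reference: https://otx.alienvault.com/pulse/5ef223cce7849b037b7614a5

122.51.133.49:10086

# Reference: https://twitter.com/r3dbU7z/status/1328650015842197506

173.230.150.166:37301

# Reference: https://twitter.com/CujoaiLabs/status/1423258390583812102
# Reference: https://www.virustotal.com/gui/file/e666735eb6c10a27617aac9ffbf1bf29435fa0d1e3d099787d6ce28e079c8768/detection

103.59.113.150:8989
luoyefeihua.site

# Reference: https://www.virustotal.com/gui/file/ee310139ba31770b69650d464c999c3526aa5cc4ab924ddcc53cf3cb06727c37/detection

20.187.127.241:11000
20.239.179.30:11001
20.247.3.55:11001
myjiaduobao.xyz
myjianlibao.xyz

# Reference: https://www.virustotal.com/gui/ip-address/20.247.3.55/relations
# Reference: https://www.virustotal.com/gui/file/d5f8e4fac3b005c15a8e5a440d411cb7513f18ab627c49e883e0d40c5f16c57e/detection
# Reference: https://www.virustotal.com/gui/file/ca3830454c715c79d8bdafc083d9108d139b155ab87f8cbf0f33ff515cb813de/detection

20.247.3.55:808
20.247.3.55:8567
kivspace.top
kivspace.xyz

# Reference: https://www.virustotal.com/gui/file/c07c45348a74ff71179a13ec1be8a398fc49183ab04e3f9b0c436c55f1bde423/detection
# Reference: https://www.virustotal.com/gui/file/420223e8f59e78148b21b2a90b2ffc080e0bb8084ffceca3f7e26b215eb09a0c/detection

103.254.72.193:10099
103.254.72.193:808
tomca1.com

# Reference: https://elfdigest.com/brief/0683b2d2bca6a69bca5f8ac1d9c98a0627514a08d86b2a5602480c10872511e9

23.225.194.65:8080

# Reference: https://twitter.com/0xrb/status/1575354022298411009

115.126.74.37:808
154.12.42.195:808
155.94.141.226:808
195.178.120.201:808

# Reference: https://twitter.com/r3dbU7z/status/1583293071524958208

67.198.237.116:808
ars1.wemix.cc

# Reference: https://www.virustotal.com/gui/file/b9728070aabe0442bc58d759c354cdcc93e35dbd6a9d99706ee0b8ff51edf644/detection

156.254.126.18:8080
156.254.126.18:9090
ars.wemix.cc

# Reference: https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/

20.90.110.121:808

# Reference: https://elfdigest.com/brief/ec0c849db557051d2f6cdef6973ccc04b246fc58dca933cbb9fa1a7c7c01e71f

xn--9kqv03dn4b.xyz
tf.xn--9kqv03dn4b.xyz

# Reference: https://elfdigest.com/brief/dc4cbafeee9342ff237bf6e8c22a8ca8b687d26a1e9eaa8d7fbd8ee165ae9768

43.249.9.245:888

# Reference: https://twitter.com/suyog41/status/1630172084079939587

http://107.189.13.143

# Reference: https://ti.qianxin.com/blog/articles/Kaiji-Botnet-Resurfaces-Unmasking-Ares-Hacking-Group-EN/
# Reference: https://otx.alienvault.com/pulse/63ffa1fdf2b44bd91fdedeff

llkh.net
rawrgaming.icu
testapiss.online
998n.f3322.net
adsl.testapiss.online
control.rawrgaming.icu

# Reference: https://elfdigest.com/brief/d3965aeab57d429b0cb28a2853e941a0710294b2159755ea354bf32a723fef3a

23.94.57.167:2023

# Reference: https://threatfox.abuse.ch/browse/malware/elf.kaiji/

http://107.189.13.89
http://45.125.238.68
103.254.72.193:10099
104.207.149.94:10099
117.158.206.150:9876
119.6.239.18:888
119.6.239.68:888
119.6.239.80:888
119.6.239.81:888
119.6.239.82:888
119.6.239.83:888
123.249.86.77:8089
123.99.201.37:808
137.175.17.80:8080
137.175.17.80:81
149.115.234.35:9999
149.115.234.54:9999
149.115.234.80:9999
154.19.243.107:808
154.37.152.123:998
154.55.139.35:8080
154.55.139.35:8081
154.7.10.30:808
158.101.74.227:8080
173.249.198.97:8888
175.24.197.196:808
182.43.6.129:6565
183.249.20.106:8090
192.227.146.253:8080
20.239.156.147:8080
209.141.35.151:888
219.128.25.2:8088
223.87.225.90:8080
23.224.143.170:888
23.224.85.39:8888
23.94.57.167:808
36.152.201.67:65535
39.134.69.79:17080
45.113.1.126:808
45.32.166.73:8080
52.140.208.75:9527
98.159.100.118:8080

# Reference: https://twitter.com/0xrb/status/1635901959420121088

154.19.243.107:8868
154.7.10.30:89

# Reference: https://twitter.com/SecureSh3ll/status/1710788954239193376
# Reference: https://www.virustotal.com/gui/file/95c4343841b314420110ba70ba480a284a42736b701da9cdec68ef2dcc9d89c4/detection

154.82.85.42:9528
179527.com

# Reference: https://www.virustotal.com/gui/file/41409bc3d3ac6561f4be718a47295e4c36bbe37686e7af671bce5f7b1e3fb569/detection

211.101.247.80:1997
xiaozhuddos.co
tf.xiaozhuddos.co

# Reference: https://www.virustotal.com/gui/file/41409bc3d3ac6561f4be718a47295e4c36bbe37686e7af671bce5f7b1e3fb569/detection

156.96.155.233:19370

# Reference: https://twitter.com/banthisguy9349/status/1780546149918589090

http://205.234.200.26
103.42.31.29:808

# Reference: https://urlhaus.abuse.ch/browse/tag/Kaiji/ (# 2024-04-18)

http://137.220.202.168
http://154.12.42.230
http://175.24.197.196
http://198.98.61.160
http://20.187.67.224
http://20.187.86.47
http://20.239.193.47
http://209.141.42.90
http://209.141.52.195
http://23.224.95.13
http://62.171.160.189
156.96.155.237:808
goodl1.com
gouzapay.cn
ares.goodl1.com
zf.gouzapay.cn

# Reference: https://twitter.com/banthisguy9349/status/1780978526658670683
# Reference: https://www.virustotal.com/gui/file/3fd83cc93718799c19670c69ba7dd44596defdd2adff3709c4a24d14d13a0334/detection

http://136.244.98.80
136.244.98.80:443

# Reference: https://twitter.com/banthisguy9349/status/1783104262882382323
# Reference: https://www.virustotal.com/gui/file/4dc8ceeec5f723882a6162a9fbed9f82b3a42d22f6dac6103a9107e30a22d5ea/detection

http://154.12.83.216
154.12.83.216:808

# Reference: https://twitter.com/banthisguy9349/status/1783102073191489701
# Reference: https://www.virustotal.com/gui/file/fbf3a16ce086471e1ad1462f21a536fb0331372f45e2d8b7f68785a747462103/detection

23.224.176.68:8081
23.224.176.68:8082

# Reference: https://www.virustotal.com/gui/ip-address/154.9.26.118/detection

http://154.9.26.118

# Reference: https://www.virustotal.com/gui/ip-address/91.92.241.101/detection

http://91.92.241.101

# Reference: https://www.virustotal.com/gui/ip-address/91.92.241.82/detection

http://91.92.241.82

# Reference: https://x.com/banthisguy9349/status/1801596571160559923
# Reference: https://urlhaus.abuse.ch/host/103.116.246.38/

103.116.246.38:8088

# Reference: https://x.com/banthisguy9349/status/1795397594006556768
# Reference: https://www.virustotal.com/gui/file/c33491b6462bc94c3882376bdb87057f340e05a4c36fc74e0b90e2964f8589ce/detection
# Reference: https://www.virustotal.com/gui/file/2eb2eeac77fa2a33b8429f9351d277fe53b9b3b4c8ec931a64513f70fa9e09d6/detection

http://51.81.135.251
http://77.68.37.125
51.81.138.208:8080
77.68.37.125:8080

# Reference: https://threatfox.abuse.ch/browse/malware/elf.kaiji/ (# 2024-08-25)

13.228.173.120:808
172.247.44.218:808
182.106.149.83:808
198.98.60.49:8080
38.150.13.6:808
42.194.196.162:8080

# Reference: https://threatfox.abuse.ch/browse/malware/elf.kaiji (# 2024-09-09)

108.181.228.101:808
123.249.104.74:808
154.213.192.24:808
154.82.95.210:808
207.211.144.153:8088
83.229.120.164:808

# Reference: https://threatfox.abuse.ch/browse/malware/elf.kaiji (# 2024-09-22)

172.247.194.228:23812
199.119.138.85:8087
20.2.144.116:8081
23.224.121.29:60888
ava9527.cc
cc.ava9527.cc

# Reference: https://threatfox.abuse.ch/browse/malware/elf.kaiji (# 2024-10-20)

103.135.101.188:8087
154.12.95.219:606
172.247.194.226:23812
172.247.194.227:23812
172.247.194.229:23812
172.247.194.230:23812
209.141.58.104:808

# Reference: https://x.com/banthisguy9349/status/1854809251731915065
# Reference: https://www.virustotal.com/gui/file/ff466605516a4e2b5b2baf5f98efff8178892a96d9043a77b29088953ea3f12a/detection

154.201.84.237:7850
154.201.84.237:888
/linux_arc_softfloat
/linux_arm_softfloat
/linux_arm4_softfloat
/linux_arm4l_softfloat
/linux_arm4t_softfloat
/linux_arm4tl_softfloat
/linux_arm4tll_softfloat
/linux_arm5_softfloat
/linux_arm5l_softfloat
/linux_arm5n_softfloat
/linux_arm6_softfloat
/linux_arm64_softfloat
/linux_arm6l_softfloat
/linux_arm7_softfloat
/linux_arm7l_softfloat
/linux_arm8_softfloat
/linux_armv4_softfloat
/linux_armv4l_softfloat
/linux_armv5l_softfloat
/linux_armv6_softfloat
/linux_armv61_softfloat
/linux_armv6l_softfloat
/linux_armv7l_softfloat
/linux_dbg_softfloat
/linux_exploit_softfloat
/linux_i4_softfloat
/linux_i486_softfloat
/linux_i586_softfloat
/linux_i6_softfloat
/linux_i686_softfloat
/linux_kill_softfloat
/linux_m68_softfloat
/linux_m68k_softfloat
/linux_mips_softfloat
/linux_mips64_softfloat
/linux_mipseb_softfloat
/linux_mipsel_softfloat
/linux_mpsl_softfloat
/linux_pcc_softfloat
/linux_powerpc_softfloat
/linux_powerpc-440fp_softfloat
/linux_powerppc_softfloat
/linux_ppc_softfloat
/linux_ppc2_softfloat
/linux_ppc440_softfloat
/linux_ppc440fp_softfloat
/linux_root_softfloat
/linux_root32_softfloat
/linux_sh_softfloat
/linux_sh4_softfloat
/linux_sparc_softfloat
/linux_spc_softfloat
/linux_ssh4_softfloat
/linux_x32_softfloat
/linux_x64_softfloat
/linux_x86_softfloat
/linux_x86_32_softfloat
/linux_x86_64_softfloat

# Reference: https://threatfox.abuse.ch/browse/malware/elf.kaiji/ (# 2025-07-13)

http://115.120.241.43
http://45.60.28.19
http://62.216.93.113
1.94.234.116:808
103.119.15.163:808
103.178.57.159:808
103.45.68.160:808
110.40.80.89:88
111.180.147.145:808
111.67.206.166:808
114.80.124.67:808
115.120.241.43:808
120.48.34.233:808
129.150.32.120:8888
129.158.232.239:808
138.2.110.186:8888
144.48.8.243:808
15.197.85.250:10081
154.201.90.76:8520
154.201.91.52:808
154.204.177.59:808
154.213.187.27:808
154.37.219.142:60000
154.37.219.249:60000
154.40.47.248:888
154.44.26.214:8080
154.44.30.160:808
154.64.249.169:8085
154.7.10.30:888
156.238.224.101:808
156.238.224.205:808
156.238.253.27:808
156.238.253.44:808
158.178.235.53:808
158.178.235.53:8088
160.202.251.191:808
172.247.194.226:26352
172.247.194.227:26352
172.247.194.228:26352
172.247.194.229:26352
172.247.194.230:26352
176.100.37.158:4031
182.106.149.84:808
185.92.182.246:808
192.140.163.10:60000
192.140.166.53:808
192.140.188.34:808
192.238.206.9:808
194.147.98.238:10081
198.98.53.199:808
198.98.59.117:8080
198.98.61.69:1234
199.195.252.200:808
209.141.54.49:8080
213.35.108.193:808
23.146.40.48:2095
23.146.40.48:8087
23.94.247.46:8080
45.131.65.11:808
45.142.115.211:808
45.192.102.5:808
45.192.215.195:808
45.196.239.74:808
45.207.199.11:808
45.207.207.195:808
45.207.207.222:808
45.207.207.97:808
45.61.187.202:808
5.255.111.128:54741
51.79.160.146:808
51.79.160.209:808
65.75.211.232:10081
65.75.211.237:10081
69.165.70.241:808
76.223.125.223:10081
77.90.7.86:8080
89.117.94.224:8080

# Reference: https://x.com/Xlab_qax/status/1980932756537528614

61.147.247.41:44442

# Reference: https://tlpblack.net/blog/20251209-the-anatomy-of-a-react2shell-compromise
# Reference: https://www.virustotal.com/gui/file/e76f54b7b98ba3a08f39392e6886a9cb3e97d57b8a076e6b948968d0be392ed8/detection

192.238.204.149:808
47.84.113.198:8000
ldbot.top

# Reference: https://bi-zone.medium.com/adversaries-exploit-cve-2025-55182-to-attack-russian-companies-1b4e98ca5804
# Reference: https://www.virustotal.com/gui/file/013041d5a4a13a5b2703b28dce68920fd00f078fa02a09b7e293485c0fb16ab8/detection

103.135.101.15:12348
kds3s.oks0418.com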