# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://twitter.com/malwaremustd1e/status/1256977666084761602 # Reference: https://www.virustotal.com/gui/domain/1.versionday.xyz/relations 1.versionday.xyz # Reference: https://intezer.com/blog/research/kaiji-chinese-iot-malware-turning-to-golang/ # Reference: https://otx.alienvault.com/pulse/5eb19b29d53d234ac978f51b aresboot.xyz cu.versiondat.xyz # Reference: https://twitter.com/albertzsigovits/status/1264909051227451395 45.138.81.176:35565 0.versiondat.xyz # Reference: https://twitter.com/albertzsigovits/status/1265196913067991040 2s11.com 6x66.com cocoserver.xyz # Reference: https://twitter.com/r3dbU7z/status/1271053327242014721 136.243.18.221:808 # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/ # Reference: https://otx.alienvault.com/pulse/5ef223cce7849b037b7614a5 122.51.133.49:10086 # Reference: https://twitter.com/r3dbU7z/status/1328650015842197506 173.230.150.166:37301 # Reference: https://twitter.com/CujoaiLabs/status/1423258390583812102 # Reference: https://www.virustotal.com/gui/file/e666735eb6c10a27617aac9ffbf1bf29435fa0d1e3d099787d6ce28e079c8768/detection 103.59.113.150:8989 luoyefeihua.site # Reference: https://www.virustotal.com/gui/file/ee310139ba31770b69650d464c999c3526aa5cc4ab924ddcc53cf3cb06727c37/detection 20.187.127.241:11000 20.239.179.30:11001 20.247.3.55:11001 myjiaduobao.xyz myjianlibao.xyz # Reference: https://www.virustotal.com/gui/ip-address/20.247.3.55/relations # Reference: https://www.virustotal.com/gui/file/d5f8e4fac3b005c15a8e5a440d411cb7513f18ab627c49e883e0d40c5f16c57e/detection # Reference: https://www.virustotal.com/gui/file/ca3830454c715c79d8bdafc083d9108d139b155ab87f8cbf0f33ff515cb813de/detection 20.247.3.55:808 20.247.3.55:8567 kivspace.top kivspace.xyz # Reference: https://www.virustotal.com/gui/file/c07c45348a74ff71179a13ec1be8a398fc49183ab04e3f9b0c436c55f1bde423/detection # Reference: https://www.virustotal.com/gui/file/420223e8f59e78148b21b2a90b2ffc080e0bb8084ffceca3f7e26b215eb09a0c/detection 103.254.72.193:10099 103.254.72.193:808 tomca1.com # Reference: https://elfdigest.com/brief/0683b2d2bca6a69bca5f8ac1d9c98a0627514a08d86b2a5602480c10872511e9 23.225.194.65:8080 # Reference: https://twitter.com/0xrb/status/1575354022298411009 115.126.74.37:808 154.12.42.195:808 155.94.141.226:808 195.178.120.201:808 # Reference: https://twitter.com/r3dbU7z/status/1583293071524958208 67.198.237.116:808 ars1.wemix.cc # Reference: https://www.virustotal.com/gui/file/b9728070aabe0442bc58d759c354cdcc93e35dbd6a9d99706ee0b8ff51edf644/detection 156.254.126.18:8080 156.254.126.18:9090 ars.wemix.cc # Reference: https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ 20.90.110.121:808 # Reference: https://elfdigest.com/brief/ec0c849db557051d2f6cdef6973ccc04b246fc58dca933cbb9fa1a7c7c01e71f xn--9kqv03dn4b.xyz tf.xn--9kqv03dn4b.xyz # Reference: https://elfdigest.com/brief/dc4cbafeee9342ff237bf6e8c22a8ca8b687d26a1e9eaa8d7fbd8ee165ae9768 43.249.9.245:888 # Reference: https://twitter.com/suyog41/status/1630172084079939587 http://107.189.13.143 # Reference: https://ti.qianxin.com/blog/articles/Kaiji-Botnet-Resurfaces-Unmasking-Ares-Hacking-Group-EN/ # Reference: https://otx.alienvault.com/pulse/63ffa1fdf2b44bd91fdedeff llkh.net rawrgaming.icu testapiss.online 998n.f3322.net adsl.testapiss.online control.rawrgaming.icu # Reference: https://elfdigest.com/brief/d3965aeab57d429b0cb28a2853e941a0710294b2159755ea354bf32a723fef3a 23.94.57.167:2023 # Reference: https://threatfox.abuse.ch/browse/malware/elf.kaiji/ http://107.189.13.89 http://45.125.238.68 103.254.72.193:10099 104.207.149.94:10099 117.158.206.150:9876 119.6.239.18:888 119.6.239.68:888 119.6.239.80:888 119.6.239.81:888 119.6.239.82:888 119.6.239.83:888 123.249.86.77:8089 123.99.201.37:808 137.175.17.80:8080 137.175.17.80:81 149.115.234.35:9999 149.115.234.54:9999 149.115.234.80:9999 154.19.243.107:808 154.37.152.123:998 154.55.139.35:8080 154.55.139.35:8081 154.7.10.30:808 158.101.74.227:8080 173.249.198.97:8888 175.24.197.196:808 182.43.6.129:6565 183.249.20.106:8090 192.227.146.253:8080 20.239.156.147:8080 209.141.35.151:888 219.128.25.2:8088 223.87.225.90:8080 23.224.143.170:888 23.224.85.39:8888 23.94.57.167:808 36.152.201.67:65535 39.134.69.79:17080 45.113.1.126:808 45.32.166.73:8080 52.140.208.75:9527 98.159.100.118:8080 # Reference: https://twitter.com/0xrb/status/1635901959420121088 154.19.243.107:8868 154.7.10.30:89 # Reference: https://twitter.com/SecureSh3ll/status/1710788954239193376 # Reference: https://www.virustotal.com/gui/file/95c4343841b314420110ba70ba480a284a42736b701da9cdec68ef2dcc9d89c4/detection 154.82.85.42:9528 179527.com # Reference: https://www.virustotal.com/gui/file/41409bc3d3ac6561f4be718a47295e4c36bbe37686e7af671bce5f7b1e3fb569/detection 211.101.247.80:1997 xiaozhuddos.co tf.xiaozhuddos.co # Reference: https://www.virustotal.com/gui/file/41409bc3d3ac6561f4be718a47295e4c36bbe37686e7af671bce5f7b1e3fb569/detection 156.96.155.233:19370 # Reference: https://twitter.com/banthisguy9349/status/1780546149918589090 http://205.234.200.26 103.42.31.29:808 # Reference: https://urlhaus.abuse.ch/browse/tag/Kaiji/ (# 2024-04-18) http://137.220.202.168 http://154.12.42.230 http://175.24.197.196 http://198.98.61.160 http://20.187.67.224 http://20.187.86.47 http://20.239.193.47 http://209.141.42.90 http://209.141.52.195 http://23.224.95.13 http://62.171.160.189 156.96.155.237:808 goodl1.com gouzapay.cn ares.goodl1.com zf.gouzapay.cn # Reference: https://twitter.com/banthisguy9349/status/1780978526658670683 # Reference: https://www.virustotal.com/gui/file/3fd83cc93718799c19670c69ba7dd44596defdd2adff3709c4a24d14d13a0334/detection http://136.244.98.80 136.244.98.80:443 # Reference: https://twitter.com/banthisguy9349/status/1783104262882382323 # Reference: https://www.virustotal.com/gui/file/4dc8ceeec5f723882a6162a9fbed9f82b3a42d22f6dac6103a9107e30a22d5ea/detection http://154.12.83.216 154.12.83.216:808 # Reference: https://twitter.com/banthisguy9349/status/1783102073191489701 # Reference: https://www.virustotal.com/gui/file/fbf3a16ce086471e1ad1462f21a536fb0331372f45e2d8b7f68785a747462103/detection 23.224.176.68:8081 23.224.176.68:8082