# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Static trail list for the Evilnum APT (aliases below). One indicator per line:
# a domain, host:port pair, URL or bare URL path. Lines starting with '#' are
# comments; each "# Reference:" block names the public source the entries that
# follow were taken from.

# Aliases: jointworm, phantomocx, phantomc2, phantomcorea

# Reference: https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/

wikipeldia.org
# NOTE(review): lookalike of wikipedia.org

# Reference: https://twitter.com/_re_fox/status/1298268175927140353
# Reference: https://twitter.com/James_inthe_box/status/1298274439151251456
# Reference: https://app.any.run/tasks/e0845226-ee73-4e37-ab47-740cf0d3b757/

corpxtech.com
extrasectr.com
quotingtrx.com
trquotesys.com
veritechx.com
vvxtech.net

# Reference: https://app.any.run/tasks/42a70971-d057-4763-8541-5ebe9b842fcb/
# Reference: https://twitter.com/James_inthe_box/status/1280616037185024000
# Reference: https://twitter.com/_re_fox/status/1285579050241667078
# Reference: https://twitter.com/_re_fox/status/1280548111828561922
# Reference: https://twitter.com/Vishnyak0v/status/1300747696073039873

telefx.net
voipasst.com
voipreq12.com
voipssupport.com

# Reference: https://www.cybereason.com/hubfs/Evilnum%20IOCs.pdf
# Reference: https://otx.alienvault.com/pulse/5f5118e86e2b24d86310cd6d
# Reference: https://twitter.com/_re_fox/status/1273655899073187840

crm-domain.net
fxmt4x.com
leads-management.net
telecomwl.com
xlmfx.com

# Reference: https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf
# Reference: https://otx.alienvault.com/pulse/5f6b7988a48d50ae3e26381a

coinzre.website

# Reference: https://twitter.com/_re_fox/status/1316815091212390400
# Reference: https://app.any.run/tasks/5904a168-b4e4-45e6-bd6f-50ff80665bf9/
# Reference: https://www.virustotal.com/gui/file/da7d3ad1dc2f17b2d2387781e6486682f85d9980c115a10c7f38b3729e0fa273/detection

adsmachineio.com
api-pixtools.com
api-printer-spool.com
msft-cdn.cloud
windows-accs.live
windows-ddnl.com

# Reference: https://twitter.com/ShadowChasing1/status/1341358733817856000
# Reference: https://twitter.com/_pr4gma/status/1341439247384014849
# Reference: https://www.virustotal.com/gui/ip-address/185.161.209.8/relations
# Reference: https://www.virustotal.com/gui/file/3c7def980dfdebc0e03d8a3d3e2ee8367268ea676050e767e3c6ad77b8f9219e/detection

afftrackmedia.com
apple-cdrp.com
cdr-soft.com
community-approch.com
microsft-community.com
msftld.com
# NOTE(review): several hosts in this and later blocks imitate vendor names
# (microsft-*, *-mcrosoft, apple-*, azure-*, amzn-*, oauth-azure, esetsed);
# do not allow-list any of them on a brand-name match.

# Reference: https://twitter.com/_pr4gma/status/1343630971661332484
# Reference: https://www.virustotal.com/gui/ip-address/185.161.211.219/relations

driver-wds.com
flowerads.cloud
globaladdressbook.cloud

# Reference: https://twitter.com/ESETresearch/status/1360178612201218051
# Reference: https://otx.alienvault.com/pulse/6026ccc95d3a8be27100f687/

api-printsvc.co.in
appronto.in
canopustr.com
cloud-cdn.co.in
corpxtech.com
dn-mcrosoft.com
ecodll.com
eu-mcrosoft.com
extrasectr.com
freepbxs.com
hp-prints.com
imgncdn.online
mediadv.org
myhomelap.com
procyonstr.com
quotingtrx.com
sirius-market.com
ssl-certinfo.eu
trquotesys.com
trvol.com
trvolume.net
veritechx.com
vvxtech.net
# NOTE(review): corpxtech.com, extrasectr.com, quotingtrx.com, trquotesys.com,
# veritechx.com and vvxtech.net already appear in the any.run block above; the
# repeat is harmless if the loader dedups, otherwise consolidate — verify.

# Reference: https://twitter.com/z0ul_/status/1388174332325662720
# Reference: https://www.virustotal.com/gui/file/d4b064c13bff1533a339bf6278ca7564577b7f8598be9caafb0ec3b41ea6d1eb/detection

jobsout.com
mail.jobsout.com

# Reference: https://twitter.com/ShadowChasing1/status/1396406910241316866
# Reference: https://www.virustotal.com/gui/ip-address/184.22.121.8/relations
# Reference: https://www.virustotal.com/gui/file/a7051dce028722fbadd198a9fd0481dd800f19b8ea35892d16f5d126d85d7e41/detection

ad-click.org
advclick.org
advuniverse.org
advworld.org

# Reference: https://twitter.com/ShadowChasing1/status/1396814490964873217
# Reference: https://www.virustotal.com/gui/file/8398b5f4654ca42b096d97e7151cf0c37ace65ea1584896218b49c99ef2910d4/detection

afflaf.com
azure-cld.com
azure-ns.com
ibm-hqr.com
microsft-ds.com
office-msf.com
printer-msdc.com
quanatomedia.com
steam-gaming.com

# Reference: https://twitter.com/ShadowChasing1/status/1399697694491254798
# Reference: https://twitter.com/z0ul_/status/1399717925834088462
# Reference: https://www.virustotal.com/gui/file/bc203f44b48c9136786891be153311c37ce74ceb7eb540d515032c152f5eb2fb/detection

amzn-services.com
applecloudnz.com
oauth-azure.com
oautho.com
orbiz.me

# Reference: https://twitter.com/ShadowChasing1/status/1414859581591719937
# Reference: https://www.virustotal.com/gui/ip-address/185.161.208.231/relations
# Reference: https://www.virustotal.com/gui/file/355cb89d112806bc58bfcd3a7631357f97506788125252ff835bbac9fe47b9ad/detection
# Reference: https://www.virustotal.com/gui/file/b60ae30ba90f852f886bb4e9aaabe910add2b70278e3a88a3b7968f644e10554/detection

antiwbz.com
azure-imedia.com
esetsed.com
geolockiz.com
inxout.org
konyork.com
ostoutlook.com
safeiorg.com

# Reference: https://twitter.com/ShadowChasing1/status/1417294960890585088
# Reference: https://www.virustotal.com/gui/ip-address/185.161.208.160/relations
# Reference: https://www.virustotal.com/gui/file/98e20febc7795f7445a2a225027da6177ed5db49577efeb85d3992654546290a/detection

azcloudazure.com
searchvpics.com
yorkccity.com

# Reference: https://twitter.com/Circuitous__/status/1456366694029484039
# Reference: https://www.virustotal.com/gui/file/d8ed85071f9b7a2bb66ad3e65e539e1804f7751843128480fa21503ce97385cf/detection

wazalpne.com

# Reference: https://twitter.com/souiten/status/1473951597986123777
# Reference: https://www.virustotal.com/gui/file/c35e76cbd4b2f6c8869566b2a7ea181dbd98dce251a611e03bb5a2fe1ee8708a/detection

avbcloud.com
jsanalys.com
cdn.avbcloud.com
cdn.jsanalys.com

# Reference: https://twitter.com/souiten/status/1466917520934256646
# Reference: https://www.virustotal.com/gui/file/0e760e5a7fa21627d83c9a9f5f68d0c5f6ecfade4d6c89d84b8680f67b33262c/detection

cjsassets.com
cdn.cjsassets.com

# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-April/030634.html

allmyad.com
am-reader.com
ananoka.com
gvgnci.com
informaxima.org
jmarrycs.com
liongracem.com
msfbckupsc.com
netpixelds.com
polanicia.com
showsvc.com
upservicemc.com
wicommerece.com
worldchangeos.com

# Reference: https://twitter.com/souiten/status/1524322313411325953

storangefilecloud.vip
puccino.altervista.org/wp-content/uploads/2022/05/6h.txt
# NOTE(review): the altervista.org entry is scoped to the full path rather than
# the host; keep it path-scoped unless the whole host is confirmed malicious,
# since a bare-host trail there would be far broader.

# Reference: https://twitter.com/souiten/status/1524325331863171072
# Reference: https://www.virustotal.com/gui/file/d0899cb4b94e66cb8623e823887d87aa7561db0e9cf4028ae3f46a7b599692b9/detection

51.195.57.227:1222
cspapop110.com

# Reference: https://twitter.com/fuyinglab/status/1532318041974837248
# Reference: http://blog.nsfocus.net/darkcasino-apt-evilnum/
# Reference: http://lists.emergingthreats.net/pipermail/emerging-sigs/2022-June/030676.html
# Reference: https://www.virustotal.com/gui/file/ae0102721dd4f8072bf244348847bee547433f61182c20d63a23def4fb74bdf7/detection

185.236.231.74:1111
8as1s2.com
938jss.com
aka7newmalp23.com
bukjut11.com
csmmmsp099q.com
cspapop110.com
kalpoipolpmi.net
muasaashishaj.com
muasaashshaj.com
pallomnareraebrazo.com
# NOTE(review): cspapop110.com repeats the previous block (same caveat as above).

# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-June/030694.html
# Reference: https://www.virustotal.com/gui/file/f0e89639e3796a7b7d5ced50e84d770753e72885df7413cd5204a41b1fd6cfbe/detection
# Reference: https://www.virustotal.com/gui/file/adf4f76ef4132610a79512a607b518a60544790d72238633f55d82403a5590d7/detection
# Reference: https://www.virustotal.com/gui/file/bb975fed53a9fa18a4234b90ffbd489429ea03a91245dad030fe4053f465ec28/detection
# Reference: https://www.virustotal.com/gui/file/598a2a4ca29cfefad69ea02d465c8ce5254b99ed59f90e1924d210b0772dc2c0/detection
# Reference: https://www.virustotal.com/gui/file/3c10a943b28f6322049e5ecea2013a7f4af4d35100fcfcc2f07c420f5f03b7f0/detection

bookaustriavisit.com
estimefm.org
imageztun.com
/G7RJ1u/Z7gN7gNNVAC/
/Z7gN7gNNVAC/
/G7RJ1u/
# NOTE(review): host-less path trails match on any server; /G7RJ1u/ on its own
# is short enough to warrant a false-positive check before acting on a hit.

# Reference: https://www.virustotal.com/gui/ip-address/185.236.76.34/relations

azueracademy.com
booknerfix.com
cyphschool.com
imagegyne.com
netoode.com
olymacademy.com

# Reference: https://www.virustotal.com/gui/ip-address/185.161.208.20/relations

advideoc.org
auzebook.com
enigmadah.com
hubflash.co
kgcharles.com
mstreamvc.com
planetjib.com
plantgrn.com
qeliabhat.com
qnmarry.com
streamsrvc.com
walltoncse.org
wldbooks.com

# Reference: https://www.virustotal.com/gui/ip-address/185.161.208.209/relations

bookingitnow.org
estoniaforall.com
moreofestonia.com
moretraveladv.com
traveladvnow.com
travelbooknow.org
tripadvit.com
visitaustriaislands.com

# Reference: https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets
# Reference: https://otx.alienvault.com/pulse/62bbfdd6093ddc04c95bdf1a

advertbart.com
bgamifieder.com
bingapianalytics.com
book-advp.com
bunflun.com
covdd.org
inetp-service.com
infcloudnet.com
khnga.com
mailservice-ns.com
meetomoves.com
netrcmapi.com
netwebsoc.com
refinance-ltd.com
roblexmeet.com
travinfor.com
webinfors.com
windnetap.com
yomangaw.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities
# Reference: https://otx.alienvault.com/pulse/62da79e8ce00d5eb8497f01c

advflat.com
azuredllservices.com
elitefocuc.com
goalrom.com
infntio.com
mailgunltd.com
officelivecloud.com
outlookfnd.com
pngdoma.com

# Reference: https://twitter.com/souiten/status/1554056423843045376
# Reference: https://www.virustotal.com/gui/file/29d75b3b0f509dfd3150edc06be9cbe4053ce41a892403ec94b9187f44dda643/detection
# Reference: https://www.virustotal.com/gui/file/74329f3585df9b4ac4a0bc4476369dc08975201d7fc326d2b0f7b7a4c1eab22b/detection

196.196.57.73:333
91.192.100.9:3479
c9spus.com

# Reference: https://twitter.com/Des00464472/status/1554648175876907008
# Reference: https://www.virustotal.com/gui/file/00a253287ebfe7cd44ff4510ebc8dc92cd26b9ccd6d94f371a090a1a76b1ee80/detection
# Reference: https://www.virustotal.com/gui/file/bbbdfa627d119bb7761fbcaeb1c090405f27237bbf9645bacc4064572ca65eac/detection

eroeurovc.com

# Reference: https://twitter.com/souiten/status/1555484652143403010
# Reference: https://www.virustotal.com/gui/file/fd8b80db189d9ffff96d8aed16d55406fd94b72c1cad092c782342036c0b01d2/detection
# Reference: https://www.virustotal.com/gui/file/c2a3958006dd5cb31ce7c7e4e145616aa0dd6734ebe0065f1daf810d630d391c/detection

165.231.200.201:333
aacfdhr34wgr.com

# Reference: https://twitter.com/h2jazi/status/1565721319047630849
# Reference: https://twitter.com/h2jazi/status/1565721321513914373
# Reference: https://www.virustotal.com/gui/file/fa6c26e9e0bc269937b94637c407f8b0a1ffb19d3fc2df580633aaa6708e5e69/detection

image.jamespage.net

# Reference: https://twitter.com/Des00464472/status/1572202986881044480

morgansho.com

# Reference: https://twitter.com/h2jazi/status/1572578230607183874
# Reference: https://www.virustotal.com/gui/file/46ee8dd4c1a6205983c1317b021e6bcbaf7c1545fc56433cdde099f331fc7dab/detection

marywisker.com/skgnbrkfgryogjs

# Reference: https://twitter.com/souiten/status/1587021264807337984

01cs1sp.com
bajnmd45cfstyg.com
bujhsp9.com
k2nysp1.com
loboo33.com
lodo3.com
namfdsjg32kjsd.net
tgsp2121.com

# Reference: https://twitter.com/jaydinbas/status/1633063201607675909

http://172.86.75.75
telemistry.net

# Reference: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-smartscreen-zero-day/ioc-list-water-hydra-cve-2024-21412.txt

http://179.43.172.127
http://179.43.172.191
http://64.31.63.194
http://64.31.63.70
http://84.32.189.74
179.43.172.127:445
179.43.172.191:445
64.31.63.194:445
64.31.63.70:445
84.32.189.74:445
87iavv.com
fxbulls.ru
p2oaviwt39ui.com
unfawjelesst322.com
# NOTE(review): the host:445 entries pair each IP with TCP/445 (SMB) as given in
# the Trend Micro IOC list, while the http:// forms of the same IPs cover the
# web side. Presumably the CVE-2024-21412 lure staging — confirm against the
# reference before extending these hosts to other ports.

# Generic

/c?v=1&u=
/c?v=2&u=
/c?v=3&u=
/c?v=4&u=
/c?v=5&u=
/c?v=6&u=
/c?v=7&u=
/c?v=8&u=
/c?v=9&u=
# NOTE(review): "/c?v=N&u=" is a short, generic path-plus-query pattern that can
# also occur in benign tracking or redirect URLs; treat a hit on it alone as
# low-confidence and corroborate with one of the hosts above.