# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: RedDelta

# Reference: https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
# Reference: https://otx.alienvault.com/pulse/5d9c72d7e2efa3b5aa799b41

http://144.202.54.8
http://154.221.24.47
adobephotostage.com
airdndvn.com
apple-net.com
infosecvn.com
officeproduces.com
wbemsystem.com
yahoorealtors.com
update.olk4.com

# Reference: https://twitter.com/cyber__sloth/status/1229080836487540736

149.28.156.153:443

# Reference: https://twitter.com/hackingump1/status/1241760059543244805
# Reference: https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/
# Reference: https://www.virustotal.com/gui/ip-address/123.51.185.75/relations

http://123.51.185.75

# Reference: https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/
# Reference: https://otx.alienvault.com/pulse/5ed7c36c21ae174ca3acfaee

destroy2013.com
fitehook.com
miandfish.store

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf
# Reference: https://otx.alienvault.com/pulse/5f219067fd875a905691df22

cabsecnow.com
hostareas.com
jsquerys.net
ipsoftwarelabs.com
lameers.com
miscrosaft.com
systeminfor.com

# Reference: https://twitter.com/cyber__sloth/status/1296722004964409349

http://103.85.24.161

# Reference: https://twitter.com/IntezerLabs/status/1316384526323638274
# Reference: https://www.virustotal.com/gui/file/c0331d4dee56ef0a8bb8e3d31bdfd3381bafc6ee80b85b338cee4001f7fb3d8c/detection
# Reference: https://www.virustotal.com/gui/file/d0dd9c624bb2b33de96c29b0ccb5aa5b43ce83a54e2842f1643247811487f8d9/detection

flach.cn

# Reference: https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/

103.200.97.189:965
103.200.97.189:110
185.239.226.17:965
185.239.226.17:110

# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html
# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html
# Reference: https://drive.google.com/file/d/1OpPiT6ieub3_q0sLIxGt8iI85tInqjoU/view
# Reference: https://any.run/report/bbbeb1a937274825b0434414fa2d9ec629ba846b1e3e33a59c613b54d375e4d2/dd877b4d-8b36-48c0-af07-ce37fd9fee7b

vietnam.zing.photos

# Reference: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf
# Reference: https://otx.alienvault.com/pulse/6050e65d389812e02dfca3c3

159.138.84.217:81
buyonebuy.top
careerhuawei.net
huaweiyuncdn.com
cdn.update.huaweiyuncdn.com
cdn1.update.huaweiyuncdn.com
flash-update.buyonebuy.top
hr.careerhuawei.net
info.careerhuawei.net
infoadmin.update.huaweiyuncdn.com
update.careerhuawei.net
update.huaweiyuncdn.com
download.flach.cn
forum.flach.cn
info.flach.cn
m.flach.cn
mobile.flach.cn
terminal.flach.cn
update.flach.cn
/c0c00c0c/

# Reference: https://twitter.com/s1ckb017/status/1475621967160123395
# Reference: https://www.virustotal.com/gui/file/df84d6c284dd39c2bfed6f8eb26149a4154396c27de50595ed5d80b428930dcd/detection

http://103.15.28.208

# Reference: https://twitter.com/s1ckb017/status/1492069505803116546

http://202.58.105.38

# Reference: https://twitter.com/StillAzureH/status/1505823479945625604
# Reference: https://www.virustotal.com/gui/file/bb2990a1bbc417cfec40d5f1a6a8b22cac0ef21aed869dd8503e28573cf84401/detection

http://155.94.200.206
155.94.200.206:5008

# Reference: https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
# Reference: https://www.virustotal.com/gui/file/0d154e036b4de53059b5a24a1677fb546e1c136d6d0aa37c21a878c24891ee2c/detection
# Reference: https://www.virustotal.com/gui/file/9170169ae732c3a843c871be73875ea1bc8081876db5f9bcfd5f05d792bcaef0/detection
# Reference: https://www.virustotal.com/gui/file/effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1/detection

http://103.56.53.120
http://154.204.27.181
http://185.207.153.208
http://43.254.218.42
http://45.131.179.179
http://92.118.188.78
103.56.53.120:8080
154.204.27.181:110
45.131.179.179:110
45.131.179.179:5938
92.118.188.78:443
coolboxpc.com
locvnpt.com
snova-tech.com
urmsec.com

# Reference: https://twitter.com/G60930953/status/1507031738282909698
# Reference: https://www.virustotal.com/gui/file/887345540f1bf31c40755edcda2e3dd9fe640122fc9020f3873c895daa2378bf/detection

http://155.94.200.209
http://155.94.200.211
155.94.200.211:5008
155.94.200.212:443

# Reference: https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/
# Reference: https://otx.alienvault.com/pulse/6144875da41b403380a06521
# Reference: https://www.virustotal.com/gui/file/0198949a02fc4dcd65c29c028ba5f20365dc629d764f9e0a95721300b9fadbad/detection
# Reference: https://www.virustotal.com/gui/file/ab9324028bcc347040a058d41c079c0205398d200a63a6ed6cbe1df973634b2d/detection

http://103.231.14.134

# Reference: https://otx.alienvault.com/pulse/613914361364535ed5d60bc4

dodefoh.com
hidusi.com
joxinu.com
macuwuf.com
/e32c8df2cf6b7a16/
/e8c76295a5f9acb7/

# Reference: https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html

103.15.28.145:6666
110.42.64.64:24680
president-office.gov.mm

# Reference: https://twitter.com/kienbigmummy/status/1532305081676464128
# Reference: https://www.virustotal.com/gui/file/843709a59f12ff7aa06a5837be7a1a93fdf6f02f99936af6658c166e8abcaa2d/detection
# Reference: https://www.virustotal.com/gui/file/60ee19bb558d20c2591569ddb73fc90787dd47a07453e252a3afcaa222dde125/detection
# Reference: https://www.virustotal.com/gui/file/558cbbcb969fe2fa3f1c74c376e307efcdbe3bad7497095619927edd5762363a/detection

154.204.26.120:22
45.134.83.4:22
154.204.26.120:443
154.204.27.130:443
45.134.83.4:443
hilifimyanmar.com
myanmarnewsonline.org
download.hilifimyanmar.com
update.hilifimyanmar.com
images.myanmarnewsonline.org
