# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: RADIOSTAR, VIDEOKILLER, HALFSHELL, UNC1151, Ghostwriter, Influence Activity, TA445
# CERT-UA: 4109

# Reference: https://content.fireeye.com/web-assets/rpt-unc1151-ghostwriter-update
# Reference: https://www.fireeye.com/blog/threat-research/2021/04/espionage-group-unc1151-likely-conducts-ghostwriter-influence-activity.html
# Reference: https://otx.alienvault.com/pulse/6089a10aa27c23fdd4ee928e

account-inbox.online
accounts-inbox.ml
accounts-telekom.online
com-account.website
credentials-telekom.online
google-com.online
inbox-admin.site
interia-pl.site
interia-pl.website
login-inbox.online
login-mail.online
login-telekom.online
login-verify.online
logowanie-pl.site
meta-ua.online
net-account.online
net-account.space
net-accounts-mail.ru
net-support.site
net-verification.online
net-verify.site
net-verify.website
no-replay-notification.ga
onet-pl.online
passport-yandex.ru
ron-mil-pl.site
ron-mil-pl.space
ru-passport.online
secured-auth.cf
signin-telekom.online
ua-agreements.online
ua-login.site
ua-passport.online
ukroboronprom-com.site
ukroboronprom.online
verify-ua.online
verify-ua.site
wp-agreements.online
wp-pl-potwierdz-dostep.site
wp-pl.eu
account.no-replay-notification.ga
accounts-support.com-account.website
accounts-support.net-account.space
accounts-ukr.net-account.space
accounts-ukr.net-verification.online
accounts-verification.net-account.space
acounts.net-verification.online
api.passport-yandex.ru
bezpieczenstwo.wp-pl.eu
content.google-com.online
csp.google-com.online
dc-f87c0aa063b8.ron-mil-pl.space
drive.google-com.online
e.mail.ru.net-accounts-mail.ru
facebook.com-account.website
fc.google-com.online
fonts.google-com.online
gmx.net-account.online
google.com-account.website
i.ua-passport.online
idsso.ukroboronprom-com.site
konto.onet-pl.online
mail.passport-yandex.ru
mail.ru.net-accounts-mail.ru
mail.secured-auth.cf
microsoft.com-account.website
net.ru-passport.online
passport.inbox.lt.accounts-inbox.ml
passport.inbox.lv.accounts-inbox.ml
poczta.interia-pl.site
poczta.ron-mil-pl.site
poczta.ron-mil-pl.space
poczta.wp-agreements.online
poczta.wp-pl-potwierdz-dostep.site
poczta.wp-pl.eu
postmilgov.ua-login.site
potwierdzenia.net-support.site
potwierdzenie.wp-pl.eu
ru.net-accounts-mail.ru
shpsale.ukroboronprom.online
verify.account-inbox.online
verify.login-mail.online
verify.login-telekom.online
verify.signin-telekom.online
vilni-ludi.ukroboronprom.online
webmail.login-verify.online
webmail.meta-ua.online
yandex.ru-passport.online
zashita.ukroboronprom.online

# Reference: https://twitter.com/siedlmarpl/status/971593279224537088
# Reference: https://www.hybrid-analysis.com/sample/fa48cd1fd8aab4a43e9ff1f7985c549040389036a03f9117f675d8737e1b34b5?environmentId=100
# Reference: https://www.virustotal.com/gui/file/fa48cd1fd8aab4a43e9ff1f7985c549040389036a03f9117f675d8737e1b34b5/detection
# Reference: https://github.com/stamparm/maltrail/pull/9325/commits/9feaaeddd717efdf2d6dab8b51d17cc5dd6157b6
# Reference: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/unc1151-ghostwriter-update-report.pdf

88.99.104.179:1985
88.99.132.118:1985

# Reference: https://twitter.com/kyleehmke/status/1390243290826563591

op-pl.site

# Reference: https://twitter.com/kyleehmke/status/1390368185455677440

verify-ua.space

# Reference: https://twitter.com/kyleehmke/status/1392825232826802181

com-validate.site
com-verify.site

# Reference: https://twitter.com/kyleehmke/status/1397746852213186561

mil-secure.site

# Reference: https://twitter.com/kyleehmke/status/1403278668445720579

secure-firewall.site

# Reference: https://twitter.com/James_inthe_box/status/1231247315672809473
# Reference: https://www.virustotal.com/gui/file/3b701eac4e3a73aec109120c97102c17edf88a20d1883dd5eef6db60d52b8d92/detection
# Reference: https://app.any.run/tasks/844d5358-bf5d-4a4a-89b2-d3bf06df79e3/
# Reference: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/unc1151-ghostwriter-update-report.pdf

ggpht.ml
socis.cf
tk99.gq
cloud-security.ggpht.ml

# Reference: https://twitter.com/sekoia_io/status/1497239319295279106

creditals-email.space
meta-ua.space
mil-gov.space
mirrohost.space
verify-email.space
verify-mail.space

# Reference: https://twitter.com/bread08/status/1497200607282798601

bigmir.space
ua-passport.space
i.ua-passport.space
id.bigmir.space

# Reference: https://twitter.com/jaimeblascob/status/1497258705984835591

akademia-mil.space
authorization-inbox.site
bigmir-net.site
command-email.online
konto-verify.space
kontrola-poczty.space
mirohost-creditals.space
mirohost.site
ron-mil.space
sign-in-inbox.site
sprawdzanie-konta.space
ua-passport.site
walidacja-poczty.space
walidacja-uzytkownika.space
walidacja-uzytkownika.website
weryfikacja-konta.space
weryfikacja-poczty.space
weryfikacja-uzytkownika.website
passport.command-email.online

# Reference: https://twitter.com/Arkbird_SOLG/status/1497602147084644362
# Reference: https://twitter.com/threatinsight/status/1497355737844133895
# Reference: https://twitter.com/threatinsight/status/1497355994543779844
# Reference: https://twitter.com/cybercdh/status/1497486233743863812
# Reference: https://www.virustotal.com/gui/ip-address/84.32.188.80/relations
# Reference: https://www.virustotal.com/gui/ip-address/84.32.188.141/relations
# Reference: https://www.virustotal.com/gui/file/d7ce7d6de1aa23c9f54a11a84238ec07281745e4ba67ad1b548c71cc18158891/detection
# Reference: https://www.virustotal.com/gui/file/31d765deae26fb5cb506635754c700c57f9bd0fc643a622dc0911c42bf93d18f/detection

http://84.32.188.141
http://84.32.188.96
canada-deposit-gst.com
canada-gst-deposit.com
financial-gst-canada.com
gst-canada-gov.com
onlinereactivation-service.com
wirelessequixtranscan247.com
aplikacje.ron-mil.space

# Reference: https://www.virustotal.com/gui/ip-address/208.91.197.91/relations
# Note: the domains below come from an IP co-hosting / passive-DNS pivot rather than a direct attribution in a published report; treat them as lower confidence and corroborate a hit before acting on it

croasian-connection.com
demo009.space
demo002.space
demo006.space
demo004.space
demo008.space
demo007.space
demo005.space
demo000.space
demo001.space
demo003.space
emsun-mobile.online
nowar44.site
nowar66.site
nowar22.site
nowar88.site
nowar00.site
stopwar77.site
stopwar55.site
stopwar11.site
stopwar33.site
stopwar99.site
ua-email.press
us-news.online
web-camera.live

# Reference: https://community.riskiq.com/article/e3a7ceea/description
# Reference: https://otx.alienvault.com/pulse/621cce4e2752128dbfe537ed

creditals-mirohost.space
kontrola-poczty.site
mirohost.online
mod-mil.online
mod-mil.site
secure-ua.space
verification-email.space

# Reference: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails (note: the cited report does not firmly attribute this campaign to UNC1151/TA445; treat the IPs below as lower confidence for this actor)
# Reference: https://otx.alienvault.com/pulse/621f7303abae83b8f3814de0
# Reference: https://www.virustotal.com/gui/file/de270380565fcf45aa6a18091fd75f0bbe22993ae6d7f225f1b088d06efe68d7/detection

http://157.230.104.79
http://45.61.137.231

# Reference: https://cert.gov.ua/article/37626 (Ukrainian)
# Reference: https://twitter.com/h2jazi/status/1500607147989684224
# Reference: https://www.virustotal.com/gui/ip-address/185.175.158.27/relations
# Reference: https://www.virustotal.com/gui/file/7f0511b09b1ab3a64c8827dd8af017acbf7d2688db31a5d98fea8a5029a89d56/detection

185.175.158.27:8443
xbeta.online

# Reference: https://twitter.com/JAMESWT_MHT/status/1501197380225490949
# Reference: https://app.any.run/tasks/4d96f03e-317e-498d-a9d7-e2d719a70b5b/
# Reference: https://www.virustotal.com/gui/file/a7b7a7bfc7d0a41436596795bf7da8b9b9ed571e592b5b4770b70271d4fcadff/detection

109.237.111.251:8880
91.142.77.157:8880
tvasahi.online

# Reference: https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/

rambler-profile.site
secure-ua.website
ua-passport.top
accounts.secure-ua.website
i.ua-passport.top
login.creditals-email.space
post.mil-gov.space
verify.rambler-profile.site

# Reference: https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/
# Reference: https://otx.alienvault.com/pulse/622f3ca087e68a2746132fc8

gov-ua.net
vuxner.com

# Reference: https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/

login-verify.top
login-verification.top
secure-ua.top
ua-login.top

# Reference: https://otx.alienvault.com/pulse/6272996039678903e0b73dd5

accountsverify.top
com-validation.top
com-verification.top
email-verify.top
serure-email.online
facebook.com-validation.top
lt-facebook.com-verification.top
lt-meta.com-verification.top
lt-microsoftgroup.serure-email.online
microsoftonline.email-verify.top
noreply.accountsverify.top

# Generic (URL-path patterns rather than hosts; a hit on one of these alone is weaker evidence than the domain/IP trails above, so corroborate with the destination host/IP and payload before treating it as UNC1151 activity)

/update/microsoft_corp
/update/microsoft_corpsh
/update/microsoft_corpshd
/update/microsoft_crp
/update/microsoft_crpn
/win_update/upgrade
