# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt-04, apt-c-24, apt-q-39

# Reference: https://twitter.com/Sebdraven/status/1052864520522223616
# Reference: https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739
# Reference: https://www.virustotal.com/#/ip-address/185.106.120.43

heartissuehigh.win
webserv-redir.net

# Reference: https://twitter.com/Sebdraven/status/1140597344720830471
# Reference: https://app.any.run/tasks/d7ce191d-c04f-4eff-a13c-02cbe746c256/
# Reference: https://www.virustotal.com/gui/domain/cdn-dl.cn/relations
# Reference: https://pastebin.com/rccqdjNB

cdn-dl.cn
bd-gov.cdn-dl.cn
bdgov-mopa.cdn-dl.cn
biaa-org-bd.cdn-dl.cn
biaa-org.cdn-dl.cn
gov-cn.cdn-dl.cn
gov-pk.cdn-dl.cn
hostmaster.cdn-dl.cn
info-account.cdn-dl.cn
ministry-gov.cdn-dl.cn
ministry-interior-gov-pk.cdn-dl.cn
mod-gov.cdn-dl.cn
moe-gov.cdn-dl.cn
moi-nadra.cdn-dl.cn
mopa-bd.cdn-dl.cn
mopa-bdgov.cdn-dl.cn
mopa-govbd.cdn-dl.cn
nadra-interior.cdn-dl.cn
nadra-moi.cdn-dl.cn
narda-moi.cdn-dl.cn
neteease.cdn-dl.cn
newmake.pw
serve-dropbx-ap-east1.cdn-dl.cn
suodeshui.cdn-dl.cn
tiexue.cdn-dl.cn

# Reference: https://twitter.com/Timele9527/status/1147750939576586244

http://167.86.116.39

# Reference: https://twitter.com/Timele9527/status/1147750939576586244

vidyasagaracademybrg.in/scripts/lnk/
vidyasagaracademybrg.in/scripts/am/

# Reference: https://twitter.com/Timele9527/status/1150597482310619136
# Reference: https://app.any.run/tasks/e15e1cd1-0c38-41b9-aa1e-a29562f17b3d/
# Reference: https://www.freebuf.com/articles/network/196788.html (Chinese)

ap12.ms-update-server.net
cdn-do.net
cdn-edge.net
cdn-list.net
fb-dn.net
google.com.d-dns.co
msftupdate.srv-cdn.com
nadra.gov.pk.d-dns.co
pmo.cdn-load.net
s2.cdn-edge.net
s12.cdn-apn.net
trans-pre.net
webserv-redir.net

# Reference: https://twitter.com/blackorbird/status/1160734383864610816

trans-can.net

# Reference: https://mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA

cdn-ps.net

# Reference: https://twitter.com/blackorbird/status/1189116884626493440

paknavy.gov.pk.ap1-port.net

# Reference: https://twitter.com/Timele9527/status/1195272502135549953
# Reference: https://www.virustotal.com/gui/domain/reawk.net/details

reawk.net

# Reference: https://twitter.com/ccxsaber/status/1195281985335201794

sd1-bin.net

# Reference: https://twitter.com/0xCARNAGE/status/1203882560176218113
# Reference: https://app.any.run/tasks/3abfc241-3ab0-4016-acbb-040b44199d52/

185.225.17.239:443

# Reference: https://twitter.com/RedDrip7/status/1206898954383740929

ap1-acl.net

# Reference: https://twitter.com/Timele9527/status/1211852764688478216
# Reference: https://app.any.run/tasks/c8469e19-96a0-4f2f-9765-72acf72dee05/

fincruitconsulting.in

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/
# Reference: https://otx.alienvault.com/pulse/5e133ac9f5eaf331885e74b4

aws-check.net
deb-cn.net
ms-db.net
ms-ethics.net

# Reference: https://github.com/blackorbird/APT_REPORT/tree/master/sidewinder

gov-pk.org

# Reference: https://mp.weixin.qq.com/s/L3dVwbkfTABtE4ZYtv5r4w
# Reference: https://otx.alienvault.com/pulse/5e206d8b77de0b2690b9946c

110.10.176.193:4443

# Reference: https://twitter.com/Timele9527/status/1247325070520750080
# Reference: https://twitter.com/Timele9527/status/1247327952238284800
# Reference: https://twitter.com/Timele9527/status/1247376905956765697

ap-ms.net
d01fa.net
fdn-en.net
nrots.net

# Reference: https://twitter.com/ShadowChasing1/status/1252547080070914048

link-cdnl.net

# Reference: https://twitter.com/ccxsaber/status/1260775018306236416

au-edu.km01s.net

# Reference: https://twitter.com/Arkbird_SOLG/status/1260727623539404800

kat0x.net

# Reference: https://twitter.com/ShadowChasing1/status/1268214042637684738
# Reference: https://www.virustotal.com/gui/domain/chrom3.net/relations

chrom3.net
r0dps.net

# Reference: https://twitter.com/ccxsaber/status/1281413683013287936

gov-mil.cn

# Reference: https://twitter.com/ShadowChasing1/status/1284319235481538565

cdn-m1l.net
tar-gz.net

# Reference: https://twitter.com/cyber__sloth/status/1293183011916193793
# Reference: https://twitter.com/cyber__sloth/status/1293187616897028098
# Reference: https://twitter.com/Arkbird_SOLG/status/1293221669134372865
# Reference: https://app.any.run/tasks/e3501b33-28a2-4b7c-bc79-d20891c4832e/

http://111.229.73.84
202.58.104.100:81

# Reference: https://twitter.com/ShadowChasing1/status/1296710024643796992
# Reference: https://www.virustotal.com/gui/file/a89189f1c7c101c8d9c2637e571c4f8546df3ea557a576090cde7b75009981a9/detection

fqn-cloud.net

# Reference: https://twitter.com/ShadowChasing1/status/1297902086747598852

asw-edu.net
filesrvr.net

# Reference: https://twitter.com/cyber__sloth/status/1298187291295461376
# Reference: https://www.virustotal.com/gui/ip-address/185.141.25.136/relations

mil-pk.net

# Reference: https://twitter.com/ShadowChasing1/status/1308620752703299585

aws-pk.net
cdn-aws-s2.net

# Reference: https://twitter.com/ShadowChasing1/status/1316680709478604800
# Reference: https://twitter.com/mg2_tracy1/status/1316688407280586752
# Reference: https://www.virustotal.com/gui/file/280fb291d49f277067667838cdf30a940eaed9ed7712448158ea29e1ce6af86f/detection

cdn-sop.net

# Reference: https://twitter.com/ShadowChasing1/status/1324349418162720769
# Reference: https://twitter.com/ShadowChasing1/status/1324349684664528897
# Reference: https://www.virustotal.com/gui/domain/gov-pok.net/detection

gov-pok.net

# Reference: https://twitter.com/RedDrip7/status/1328639418110865409
# Reference: https://www.virustotal.com/gui/file/1cbec920afe2f978b8f84e0a4e6b757d400aeb96e8c0a221130060b196ece010/detection

cdn-edu.net
brep.cdn-edu.net

# Reference: https://twitter.com/mg2_tracy1/status/1331153718931177473
# Reference: https://www.virustotal.com/gui/file/7238f4e5edbe0e5a2242d8780fb58c47e7d32bf2c4f860c88c511c30675d0857/detection

ms-trace.net

# Reference: https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html
# Reference: https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742

185.225.19.46:4589
185.225.19.46:4875
gov-af.org
gov-np.org
mail-apfgavnp.hopto.org
mail-apfgovnp.ddns.net
mail-kmgcom.ddns.net
mail-mfagovcn.hopto.org
mail-mofagovnp.hopto.org
mail-mofagovnp.zapto.org
mail-mofgovnp.hopto.org
mail-ncporgnp.hopto.org
mail-nepalarmymilnp.duckdns.org
mail-nepalgovnp.duckdns.org
mail-nepalpolicegov.hopto.org
mail-nepalpolicegovnp.duckdns.org
mail-nrborg.hopto.org
mail-nscaf.myftp.org
mail-ntcnetnp.serveftp.com

# Reference: https://twitter.com/BaoshengbinCumt/status/1342297125141454848
# Reference: https://www.virustotal.com/gui/file/c59c6c18f529c88cf352883b23af36f829b8ae1d17daa0762f028184cba7199b/detection

cdn-re.net

# Reference: https://twitter.com/ShadowChasing1/status/1345559958796914694

gov-mail.net

# Reference: https://twitter.com/cyber__sloth/status/1346100925199478784

gov-af.net
gov-crt.net
gov-nadra.net
gov-pbs.net
gov-pmo.net

# Reference: https://www.virustotal.com/gui/domain/gov-cn.net/relations

gov-cn.net

# Reference: https://www.virustotal.com/gui/domain/gov-cnn.net/relations

gov-cnn.net

# Reference: https://www.virustotal.com/gui/domain/paknavy-gov.net/detection

paknavy-gov.net

# Reference: https://www.virustotal.com/gui/file/4b5e0ad20a8d143567cc424edf2010146e24a0b729de7ca0f66292141d363e57/detection

cdn-aws.net
cdn-src.net

# Reference: https://twitter.com/BaoshengbinCumt/status/1354270351702691843

del-ivery.net
trans-aws.net

# Reference: https://twitter.com/jfslowik/status/1362782587345727492

cdn-secure.net

# Reference: https://twitter.com/h2jazi/status/1363683531067715584
# Reference: http://hackdig.com/02/hack-280699.htm
# Reference: https://app.any.run/tasks/b88e935c-b17a-4429-acdc-65156804ad1c/
# Reference: https://otx.alienvault.com/pulse/6033e84e6fb8fc369323e8e3/

151.236.11.147:57670
alsalaf.info
gov-pk.info
govt-pk.org
gov-pak.org
pk-gov.org
attachments.gov-pk.info
nhsrcgovpk.servehttp.com
contact.gov-pak.org
onedrives.pk-gov.org
support.govt-pk.org
support.gov-pak.org
support-gov.myftp.org

# Reference: https://twitter.com/DeadlyLynn/status/1367746507974270981
# Reference: https://www.virustotal.com/gui/file/bb58796f79a913a985eb41f0d12446e7ae8fe99fd3f0d432d77d8d82f202bf5f/detection

cdn-pak.net
fqn-mil.net
mailmofagovpk.cdn-pak.net

# Reference: https://twitter.com/BaoshengbinCumt/status/1369916500014821377

afd-bdmil.cdn-pak.net
fmprc.cdn-pak.net
ibn.cdn-pak.net
mofa.cdn-pak.net
oimc.cdn-pak.net
pakbj.cdn-pak.net
poly.cdn-pak.net
trgdte.cdn-pak.net

# Reference: https://www.virustotal.com/gui/domain/www-cdn.net/relations

www-cdn.net

# Reference: https://twitter.com/ShadowChasing1/status/1384743822953877505

afohs.mod-pak.co
fbr.mod-pak.co
shaheenfoundation.mod-pak.co
mod-pak.co

# Reference: https://twitter.com/BaoshengbinCumt/status/1384792855692988416
# Reference: https://www.virustotal.com/gui/ip-address/185.163.45.56/relations
# Reference: https://www.virustotal.com/gui/file/37a3855e05c63fdab773fdd39da021f2daf1961cc8137385db079960bdfa18c7/detection

edu-mil.cn
iugur.live
bmac.iugur.live
mofa.iugur.live

# Reference: https://twitter.com/BaoshengbinCumt/status/1387233200871673856
# Reference: https://mp.weixin.qq.com/s/GWVz02_jGaUt_n9JxB1OwQ

autodiscover.mofagov-pk.online
cpanel.mofagov-pk.online
cpcalendars.mofagov-pk.online
cpcontacts.mofagov-pk.online
dgmi-share-folder-nepalarmy-mil-np-coas-sambodhan-pdf.netlify.app
email-nepalarmy-mil-np-owa.netlify.app
imail.aop.gov.af.egateway.nsc-gov.com
mail-nepalarmy-mil-np-fsdafjsd.herokuapp.com
mail-nepalarmy-mil-np-login-download.netlify.app
mail-nepalarmy-mil-np-view.netlify.app
mail-nepalpolice-gov-np-loginn.herokuapp.com
mail-nscaf.hopto.org
mail-ntmail-ntcnetnp.serveftp.comcnetnp.serveftp.com
mail.mofagov-pk.online
medeclinic.ae
mil-pk.net
mod-cn.trans-del.net
mofagov-pk.naatlibrary.com
mofagov-pk.online
naatlibrary.com
nepalarmy.trans-del.net
nsc-gov.com
nsc-gov.net
polyinc-global.trans-del.net
trans-del.net
webdisk.mofagov-pk.online
webmail.mofagov-pk.online
www-punjabpolice-gov-pk-sopforsecurityofforeignersandchinese.trans-aws.net

# Reference: https://twitter.com/ShadowChasing1/status/1391976060472860675

paf-gov.com
img-google.paf-gov.com

# Reference: https://twitter.com/ShadowChasing1/status/1396809305194590211
# Reference: https://www.virustotal.com/gui/file/caaf44f16dcbee93071887ab6844ed79975ccd20f9008deb93c13bfdb436e0b0/detection

bahariafoundation.org
pmaesa.bahariafoundation.org

# Reference: https://twitter.com/ShadowChasing1/status/1397135889327804417

comsates.org
crisismanagementunit.comsates.org
mofa-gov-pk-wireless.comsates.org

# Reference: https://twitter.com/ShadowChasing1/status/1398171992554053632
# Reference: https://www.virustotal.com/gui/file/ff54e9228b7160f9272d67ad1423600d2cb7aa4d335412a28b11f63a517270fe/detection

cdn-gov.net

# Reference: https://twitter.com/Des00464472/status/1399969790471507968

paknavy-gov-cvic.fbise.org

# Reference: https://twitter.com/BaoshengbinCumt/status/1403292104671916032

cdn-in.net
punjabpolice.gov.pk.standingoperatingprocedureforemergencythreat.cdn-in.net

# Reference: https://twitter.com/ShadowChasing1/status/1412695070659153925
# Reference: https://twitter.com/0xrb/status/1412727167151005703

pakmarines.com
as.pakmarines.com
dsadsa.pakmarines.com
gov.pakmarines.com
jmicc-gov-pk.pakmarines.com
pmaesa.pakmarines.com
pnwc-gov-pk.pakmarines.com
pqa.gov.pakmarines.com

# Reference: https://twitter.com/ShadowChasing1/status/1420762840479109122
# Reference: https://twitter.com/ShadowChasing1/status/1420762846980308999
# Reference: https://www.virustotal.com/gui/file/468351924d611359fb181855331da98359bb1b926b5ce3ee8cd3330986d6e12c/detection
# Reference: https://www.virustotal.com/gui/file/84d5a31227eaa3be1134bb6f5a2f92c2621e738ee0c0c4f84758ae8d79d09526/detection

pak-web.com
fbr.pak-web.com

# Reference: https://twitter.com/malwrhunterteam/status/1109085127290900480

nitb.pk-gov.org

# Reference: https://mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ (Chinese)
# Note: APT-C-48

http://213.227.154.175
http://78.142.29.118
141.136.0.91:443
213.227.154.175:443
91.193.18.248:443
cert.pk-gov.org
dns1.pk-gov.org
nccs.pk-gov.org
ntc-pk.sytes.net
quwa-paf.servehttp.com
/F453457Pl_TMP347923592380/
/pl200_TMP2831474WDF.php

# Reference: https://twitter.com/ShadowChasing1/status/1466001768765018116
# Reference: https://www.virustotal.com/gui/file/38853bf262979313483310502d14a78db147586880d34571edf4d90e4bf05eb1

mofa.live
aitkenspencelogistics.mofa.live
careitservices.mofa.live
dsfvgbh.mofa.live
paknavy.mofa.live

# Reference: https://twitter.com/ShadowChasing1/status/1466686780531363840
# Reference: https://www.virustotal.com/gui/file/92dbd7f4399bce8b75e2c248af855df498bbed7e342c2d98ff6fcf15b611c50e

webarchive-datacenter.herokuapp.com

# Reference: https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/

afghannewsnetwork.com
afrepublic.xyz
amsss.in
appsstore.in
eurekawatersolution.com
maajankidevisevasansthan.org
newsroom247.xyz
republicofaf.xyz
scouttable.xyz
securecheker.in
securedesk.one
scout.fontsplugins.com

# Reference: https://twitter.com/souiten/status/1467674804211777536
# Reference: https://twitter.com/souiten/status/1467689489145339915
# Reference: https://twitter.com/souiten/status/1467693133001486337
# Reference: https://www.virustotal.com/gui/file/04206a2217be8d09e6dc6989d2a2b9aae8623f8fac962e5e07d9fa1a1577998b/detection

173.212.242.43:57149
paryavaranindia.com/css/files/docs/Updated-Leave-Rules-Fourth-Edition/css
paryavaranindia.com/css/files/hulfz/

# Reference: https://twitter.com/h2jazi/status/1469399194435735553
# Reference: https://twitter.com/h2jazi/status/1469399196369313792
# Reference: https://www.virustotal.com/gui/file/2cf842ec2bac099d200c079375a4be7a4d0b3b5869dd739582b7df168e6c4fb6
# Reference: https://www.virustotal.com/gui/file/a7b52acc18ce7fd14b4a410019a1f0042a6743dcbe887e82d498130848ce195c/detection
# Reference: https://www.virustotal.com/gui/file/c02108f0b413ecdcb8fe48ff445cb75d45324bfd06734011409de57c7cfdeb73/detection
# Reference: https://www.virustotal.com/gui/file/4219de40e65c89ecba9bd392f744fa26b867cad82d1b994e1e9266482089d8f9/detection
# Reference: https://www.virustotal.com/gui/file/16467586cb1a11ce2e1ca81ae6fb490fbc8f5602245f883c14e940189dfd2b79/detection

http://62.171.172.199
62.171.172.199:443
62.171.172.199:81

# Reference: https://twitter.com/GGGGh0st/status/1471323446713864193
# Reference: https://www.virustotal.com/gui/file/1bf584616477e16b54d6be7ce4d69f7ea26ee7841ec9a17ed162f4d560ab125a/detection

62.171.187.53:43
62.171.187.53:44
62.171.187.53:45

# Reference: https://twitter.com/ShadowChasing1/status/1474901903418949636
# Reference: https://twitter.com/ShadowChasing1/status/1474901905474129922
# Reference: https://www.virustotal.com/gui/file/d3a0b7c5a1eafbf7d381b6ee064083496476163da5dfed53096fac36c2b30738/detection

bahariafoundation.live
compress.bahariafoundation.live
invitation.bahariafoundation.live
mohgovsg.bahariafoundation.live
pnwc.bahariafoundation.live

# Reference: https://twitter.com/ShadowChasing1/status/1435546349856907268
# Reference: https://www.virustotal.com/gui/file/da08044373bc9bd54fd2ead9705446917e8f6e53d32f0885854e720e601cdbef/detection

asw-sns.link
edu-cx.org
afd.edu-cx.org
f.edu-cx.org
fsfdsf.edu-cx.org
go.edu-cx.org
mofagovpk.edu-cx.org
paknavy.edu-cx.org
rkvisa200de.edu-cx.org
rrkvisa200de.edu-cx.org
yahoo.edu-cx.org

# Reference: https://twitter.com/ShadowChasing1/status/1433038639961804800
# Reference: https://www.virustotal.com/gui/file/8a1c9a28ba0c74bafd71705aa12128831d66bbae06536a81d680cd207e740a65/detection

ppra.live
nima.ppra.live

# Reference: https://twitter.com/ShadowChasing1/status/1427258373532119044
# Reference: https://www.virustotal.com/gui/file/66ddbdfe9328d6a3f49abbb814252617fce0e05934ceeef9813e8bd30385fe50/detection

ppinewsagency.live
behr.ppinewsagency.live

# Reference: https://twitter.com/h2jazi/status/1478496217789341698
# Reference: https://www.virustotal.com/gui/file/df0b09c9f359f2e086e5e6b78f6fc6f63c9be1c6023cc6ee1e698d6e0daba31b/detection

teckblog.live
ms.teckblog.live

# Reference: https://twitter.com/s1ckb017/status/1478750005594927109
# Reference: https://twitter.com/s1ckb017/status/1478750907827429380
# Reference: https://twitter.com/500mk500/status/1478758092611407876
# Reference: https://www.virustotal.com/gui/ip-address/164.68.108.153/relations
# Reference: https://www.virustotal.com/gui/file/88a174855020c69d7719779a09c9b1058ec6732aa0fb04343c1d82fe13ca2e6e/detection
# Reference: https://www.virustotal.com/gui/file/f4777f8751ed6818a693817513a5685f13a249803658d1f12190d7b1aa26079e/detection
# Reference: https://www.virustotal.com/gui/file/9abd42a9f2cc147db47d4bb9598870eab96a2094964e97a6cb231f58d4d4ada2/detection
# Reference: https://www.virustotal.com/gui/file/c401fc82d3ffdf118aac1bc247838fcd554b7faa3fd10aaa00ed83d80d00b87b/detection

164.68.108.153:4142
164.68.108.153:5000
164.68.108.153:8062
digitalworldonline.net

# Reference: https://twitter.com/uslss_etr/status/1478784684452720646
# Reference: https://www.virustotal.com/gui/domain/paknvay-pk.net/relations
# Reference: https://www.virustotal.com/gui/ip-address/94.158.245.67/relations
# Reference: https://www.virustotal.com/gui/file/146e2c51cd7c904e0eeb641daa6ee956e80b48b198b9d2a9fd9b92b68399f9d1/detection
# Reference: https://www.virustotal.com/gui/file/e74be8bbad2fa8577b7383e6ad4dffd5d0cd44e75c0a7148a971c417d38d8ee7/detection

paknvay-pk.net
careitservices.paknvay-pk.net
dgpr.paknvay-pk.net
mofa.paknvay-pk.net

# Reference: https://www.virustotal.com/gui/domain/cdn-noc.net/relations

cdn-noc.net

# Reference: https://twitter.com/souiten/status/1474200802344386560
# Reference: https://www.virustotal.com/gui/file/ed4912f09e212479a319de1e95dd3e7d0e3574658be60782369c0e7a19ae0173/detection

62.171.172.199:88

# Reference: https://twitter.com/h2jazi/status/1479502335328112645
# Reference: https://www.virustotal.com/gui/ip-address/144.126.141.41/relations
# Reference: https://www.virustotal.com/gui/file/d15f76acb846b237956a6373bd6646ef804419dd9a9fd3c9501acc241fcddff9/detection
# Reference: https://www.virustotal.com/gui/file/947b81c1ecdb34533f7bc9c41d6678fa525c17eae5b8f383e89c6c66db0743c1/detection

afcat.xyz

# Reference: https://twitter.com/alex_lanstein/status/1479569375971713029
# Reference: https://pastebin.com/9HwieuS2

moma-pk.org
dfgrthy.moma-pk.org
mofa.moma-pk.org
sppc.moma-pk.org

# Reference: https://www.virustotal.com/gui/domain/cvix.live/relations

cvix.live
cn.cvix.live
cosmic.cvix.live
defencelk.cvix.live
mailaplf.cvix.live
mailmfagovnp.cvix.live
mailmofagoug.cvix.live
mailmofagovpk.cvix.live
mailoutlookcom.cvix.live
mailyahoocom.cvix.live

# Reference: https://twitter.com/ShadowChasing1/status/1481583143735808001
# Reference: https://www.virustotal.com/gui/file/cb933361cd6c26ca61c441a40da394a505086f572fd7e9bd425bf086adf50edc/detection

ministry-pk.net
cabinet-gov-pk.ministry-pk.net

# Reference: https://twitter.com/cyber__sloth/status/1485361081329631236

email-gov-in.digital
mailnic.info
indianarmy.mailnic.info
kavach.mailnic.info
mod.mailnic.info
passapp.mailnic.info

# Reference: https://twitter.com/uslss_etr/status/1489274205917044736
# Reference: https://www.virustotal.com/gui/file/85ab1c3ee01c5456eb45bf13c69dda88fa014a1dc5e832bdaa3e801a29d84ccd/detection

aeltron.xyz
incometaxreturn.aeltron.xyz
instructions.aeltron.xyz
rgdtyt.aeltron.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1490984172797984770
# Reference: https://www.virustotal.com/gui/file/eeeb99f94029fd366dcde7da2a75a849833c5f5932d8f1412a89ca15b9e9ebb7/detection

mod-pk.com
dgmp-paknavy.mod-pk.com

# Reference: http://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html
# Reference: https://www.virustotal.com/gui/ip-address/45.153.240.66/relations

changeworld.hopto.org
mail-argaf.myftp.org
mail-meagovmv.hopto.org
mail-modaf.hopto.org
mail-modgav.hopto.org
mail-mofa.hopto.org
mail-mofagovpk.myftp.org
mail-mopitgovnp.hopto.org
mail-nepalpolgavnp.hopto.org
mail-nepalpolice.hopto.org
mail-opmcmgavnp.hopto.org
microsoft-winupdate.servehttp.com
teamchat.hopto.org
webmail-accbt.hopto.org
webmail-morrgovaf.hopto.org

# Reference: https://twitter.com/souiten/status/1491681294391992325
# Reference: https://www.virustotal.com/gui/file/44c720bc1adde78e11c202615260fb9e2e4301cf06edfefe06cde09a373a6c0e/detection

asianetnews.xyz
awww.asianetnews.xyz
mofa-gov-pk.asianetnews.xyz
ofa-gov-pk.asianetnews.xyz

# Reference: https://assets.sentinelone.com/sentinellabs-apt/modified-elephant-apt

bbcworld-news.net
newsinbbc.com

# Reference: https://twitter.com/uslss_etr/status/1496118824944697345
# Reference: https://www.virustotal.com/gui/file/94214e83441e3a6a5cde971f6abe0d4bf226fd0750a0ad26d2241c085de9b604/detection

crclab-bahria.org
dbms.crclab-bahria.org

# Reference: https://twitter.com/__0XYC__/status/1502593457201811459

nationalhelpdesk.pk
pkgov.org
sngpl.org.pk
bok.pkgov.org
bop.pkgov.org
csd.pkgov.org
cybernet.pkgov.org
dawn.pkgov.org
energy.pkgov.org
fauji.pkgov.org
mail.pkgov.org
mofa.pkgov.org
myth.pkgov.org
nespak.pkgov.org
nitb.pkgov.org
nlc.pkgov.org
np.pkgov.org
nrlpak.pkgov.org
ns1.pkgov.org
ns2.pkgov.org
ntc.pkgov.org
ntdc.pkgov.org
ogdcl.pkgov.org
pakoil.pkgov.org
parco.pkgov.org
pmo.nationalhelpdesk.pk
pmsa.pkgov.org
ptcl.pkgov.org
ptv.pkgov.org
radio.pkgov.org
sco.pkgov.org
ssgc.pkgov.org
sui.nationalhelpdesk.pk
wapda.pkgov.org
web.sngpl.org.pk
whale.pkgov.org
email.nespak.pkgov.org
email.nitb.pkgov.org
email.nlc.pkgov.org
lotussrv01.fauji.pkgov.org
mail-corp.cybernet.pkgov.org
mail.bok.pkgov.org
mail.bop.pkgov.org
mail.csd.pkgov.org
mail.dawn.pkgov.org
mail.mofa.pkgov.org
mail.nrlpak.pkgov.org
mail.ntc.pkgov.org
mail.ntdc.pkgov.org
mail.ogdcl.pkgov.org
mail.pakoil.pkgov.org
mail.pkgov.org
mail.pmsa.pkgov.org
mail.ptv.pkgov.org
mail.radio.pkgov.org
mail.sco.pkgov.org
parchqwebmail.parco.pkgov.org
webmail.cybernet.pkgov.org
webmail.ssgc.pkgov.org
webmail.wapda.pkgov.org
zmail.ptcl.pkgov.org

# Reference: https://twitter.com/ShadowChasing1/status/1504347312838959106
# Reference: https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
# Reference: https://www.virustotal.com/gui/domain/kpt-pk.net/relations
# Reference: https://otx.alienvault.com/pulse/624c29baad734a210134b02c
# Reference: https://www.virustotal.com/gui/file/f765b0b6e4a34eb95c6f0ddf058bc88d5ef9ec2b11a5f3504d1673f4f69aceca/detection

kpt-pk.net
awww.kpt-pk.net
job.kpt-pk.net
maritimepakistan.kpt-pk.net

# Reference: https://twitter.com/ShadowChasing1/status/1512011407838961664
# Reference: https://www.virustotal.com/gui/file/37baf7415c755688e1e89679130b5cfd713d662330734eb310089d1f2afd82b8/detection

ksew.org
srilankanavy.ksew.org

# Reference: https://twitter.com/ShadowChasing1/status/1518594904393355264
# Reference: https://www.virustotal.com/gui/file/5dfe303f04e3432101b676fa0f230667eb6c9bc1715d5b4042f99d9522aa00fe/detection

ksewpk.com
defrgthyj.ksewpk.com
mofabn.ksewpk.com

# Reference: https://twitter.com/botlabsDev/status/1522500574956109825
# Reference: https://www.virustotal.com/gui/file/b3caa7ce9a8de209d5a63ab95485c1181f7fca03346330fe92ff3c0a0a9c1040/detection

paknavy.live
awww.paknavy.live
dxfgbdfh.paknavy.live
pmsa.paknavy.live
yfghvjb.paknavy.live

# Reference: https://twitter.com/blackorbird/status/1526840629010894848
# Reference: https://mp.weixin.qq.com/s/qsGxZIiTsuI7o-_XmiHLHg
# Reference: https://otx.alienvault.com/pulse/6285048d921d21c8d9beaf1f
# Reference: https://www.virustotal.com/gui/domain/cssc.info/relations

cssc.info
job.cssc.info
mailcantonfair.cssc.info
mailcitifs.cssc.info
mailgu.cssc.info
mailmofa.cssc.info
mailturkmenembassy.cssc.info
mofa.cssc.info
rancher.cssc.info
sdgsfg.cssc.info

# Reference: https://twitter.com/__0XYC__/status/1528616671103131649
# Reference: https://www.virustotal.com/gui/ip-address/92.118.190.165/relations
# Reference: https://www.virustotal.com/gui/file/fedc3b7cdb07f7b6f5a6bc85720528057297282bfae7960b3d33001ab34a51d6/detection

govpk-mail.net
csd.govpk-mail.net
finance.govpk-mail.net

# Reference: https://twitter.com/__0XYC__/status/1529707301979947009
# Reference: https://twitter.com/0xrb/status/1529709439808602113
# Reference: https://www.virustotal.com/gui/domain/interior-pk.org/relations
# Reference: https://www.virustotal.com/gui/file/6f4e89fce6a490d619cad9078079c6f6694b2798fc875288faa92b721f25d3cb/detection

comsats.xyz
interior-pk.org
awww.interior-pk.org
mofa-gov.interior-pk.org
punjab.interior-pk.org
paknavy.comsats.xyz

# Reference: https://twitter.com/virqdroid/status/1532094635170238464
# Reference: https://twitter.com/ReBensk/status/1532245757322924032
# Reference: https://www.virustotal.com/gui/ip-address/2.56.245.21/relations

pakgov.net
covid.pakgov.net
csd.pakgov.net
dvdbhjk.pakgov.net
finance.pakgov.net
financial.pakgov.net
flix.pakgov.net
hajj.pakgov.net
ji.pakgov.net
nadra.pakgov.net
ncoc.pakgov.net
nhsrc.pakgov.net
pt.pakgov.net
vpn.pakgov.net
wsde.pakgov.net
ww2.pakgov.net

# Reference: https://blog.group-ib.com/sidewinder-antibot
# Reference: https://otx.alienvault.com/pulse/62987c8eafd38f2088986035

bahariafoundation.org
bbcnew.cn
bitlyy.me
cdn-pak.net
cloud-apt.net
cr20g.org
csd-pk.co
cvix.live
dawnpk.org
docuserve.ltd
edu-cx.org
fdn-trace.net
fileserve.work
gov-mail.net
gov.pakmarines
govpk-mail.net
iugur.live
kdf-mail.com
kpt-pk.net
krlwin.org
ksew.org
mod-pk.com
mohp-gov.org
moma-pk.org
paf-gov.net
pafwa.info
pak-gov.com
pak-web.com
pakgov.net
pakgov.org
pakmarines.com
paknvay-pk.net
pkrepublic.org
ppinewsagency.live
tin-url.com
vpn-secure.co
api.vpn-secure.co
as.pakmarines.com
askari.bitlyy.me
askaribank.bitlyy.me
bangladeshmarineacademylibrary.ppinewsagency.live
bb.kdf-mail.com
china.bbcnew.cn
covid.bbcnew.cn
covid.pakgov.net
covid.pkrepublic.org
covid19.mohp-gov.org
csd.bitlyy.me
csd.pakgov.net
dasds.pak-gov.com
dasdsadsa.pak-gov.com
dawn.pakgov.org
defencelk.cvix.live
dgmp-paknavy.mod-pk.com
dgpr.paknvay-pk.net
dha.pakgov.org
dsadsa.pakmarines.com
dsasa.cr20g.org
faujifoundation.bitlyy.me
fbr.pak-web.com
fdscv.tin-url.com
finance.govpk-mail.net
finance.pakgov.net
financial.pakgov.net
flix.pakgov.net
hajj.pakgov.net
hajjplanner.bitlyy.me
hajjplanner.tin-url.com
hbl.pakgov.org
hpupdate.csd-pk.co
ibn.cdn-pak.net
independenceday.pafwa.info
islamabadclub.docuserve.ltd
islamicfinder.bitlyy.me
ji.pakgov.net
jp.pkrepublic.org
karachishipyard.krlwin.org
ltd.cdn-pak.net
luckydraw.csd-pk.co
mail.paf-gov.net
mail.pak-gov.com
mailmofagovpk.cdn-pak.net
mailoutlookcom.cvix.live
maritimepakistan.kpt-pk.net
meet.kdf-mail.com
min.tin-url.com
ministryofinterior.fileserve.work
mofa-gov-pk.fdn-trace.net
mofa.iugur.live
mofa.paknvay-pk.net
nadra.pakgov.net
ncoc.pakgov.net
news.bitlyy.me
news.dawnpk.org
news.kdf-mail.com
news.pakgov.org
news.pkrepublic.org
nhsrc.pakgov.net
niims.pakgov.org
paf.gov-mail.net
pafroa.pak-gov.com
paknavy.edu-cx.org
pk.kdf-mail.com
pkflix.bitlyy.me
pkflix.tin-url.com
pmaesa.bahariafoundation.org
pqa.gov.pakmarines.com
pt.pakgov.net
sbp.pakgov.org
sec-vpn.bitlyy.me
secp.pakgov.org
secure.tin-url.com
shoprex.bitlyy.me
smstest.kdf-mail.com
sppc.moma-pk.org
srilankanavy.ksew.org
t.bitlyy.me
telemart.bitlyy.me
ubl.pakgov.org
vim.kdf-mail.com
vpn.pakgov.net
vpn.tin-url.com
wsde.pakgov.net
wsed.pkrepublic.org
ww2.pakgov.net
xyz.kdf-mail.com

# Reference: https://twitter.com/GroupIB_GIB/status/1532651046111023104
# Reference: https://www.virustotal.com/gui/file/e089dc65af44ff334304e52c29755c96460691d93cfd4e4ab75f75bc6078993e/detection
# Reference: https://www.virustotal.com/gui/file/42b828e187e4b7f1ca5d774553c8b85c1fed204a2a5a8c50fd4c7e9a491fb118/detection

almighty-allah.com
supremeallah.world
api.almighty-allah.com
api.supremeallah.world

# Reference: https://twitter.com/GroupIB_GIB/status/1532651049776865280
# Reference: https://www.virustotal.com/gui/domain/srvapp.co/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.225.19.142/relations
# Reference: https://www.virustotal.com/gui/file/c17cbe229e743df8993b96f2887393b2565ae355f3ba61d09c901e552e7ee4d1/detection

srvapp.co
awww.srvapp.co
discount.srvapp.co
localhost.srvapp.co
register.srvapp.co

# Reference: https://twitter.com/blackorbird/status/1534373342446202881
# Reference: https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg (Chinese)
# Reference: https://www.virustotal.com/gui/file/d74900bf7418f3ad39a5ab27326ad6591f792d1dfdfe44deb89f1b319b7d83b4/detection

afg-refugee.net
brwse.co
civix.live
crclab-bahria.org
cssc.info
cvix.live
dawnpk.org
docusserve.cc
docusserve.ltd
doken.xyz
fdn-mac.net
filedownload.work
gov-pk.net
kpt-pk.net
ministry-pk.net
mod-pk.com
mofa-pk.co
nationpk.org
norter.xyz
paf-gov.net
paf-mail.com
pak-gov.net
pakgov.net
pakgov.org
paknavy.live
pkrepublic.org
slap-games.club
trik.live
watch-earn.live
api.watch-earn.live

# Reference: https://twitter.com/h2jazi/status/1536330475656171520
# Reference: https://www.virustotal.com/gui/file/cf79ecafd3e1ae354fcf9cf33acdb06b6b64dc9a8128656a9d27ff94e154f9c4/detection

bahriafoundation.live
pnwc.bahriafoundation.live

# Reference: https://otx.alienvault.com/pulse/62a864daa688835ed774c449

srvapp.co
register.srvapp.co

# Reference: https://twitter.com/h2jazi/status/1536707820799807489
# Reference: https://www.virustotal.com/gui/ip-address/5.230.71.95/relations
# Reference: https://www.virustotal.com/gui/file/4bad3e34a192a8f305e188538b4370ea835446cc6ba32fe046d9a5f2bc3df172/detection

jmicc.xyz
navy.jmicc.xyz
navy-mil-bd.jmicc.xyz

# Reference: https://twitter.com/malwareforme/status/1540037682314629120
# Reference: https://www.virustotal.com/gui/ip-address/5.230.69.153/relations
# Reference: https://www.virustotal.com/gui/file/ee77e136f7df758c2ab9092529dc5c6b64b35bc9f4d2c16c65bcd05965ccd92a/detection

alit.live
bdmil.alit.live
mailmofa.alit.live
mailh.alit.live

# Reference: https://twitter.com/BaoshengbinCumt/status/1545247231938244610

mail-mofa-gov-pk-satellite-proposal-for-pakistan-files-ops.netlify.app

# Reference: https://twitter.com/Malwar3Ninja/status/1545376308196147200

mofa-pk.org
br.mofa-pk.org
mofa.g0v.cq.cn

# Reference: https://blog.checkpoint.com/2022/07/13/a-hit-is-made-suspected-india-based-sidewinder-apt-successfully-cyber-attacks-pakistan-military-focused-targets/
# Reference: https://otx.alienvault.com/pulse/62cffda72568807d4e9a9f2e
# Reference: https://www.virustotal.com/gui/ip-address/5.230.67.73/relations
# Reference: https://www.virustotal.com/gui/file/898513123f0f0342b1c47a4a65c88a60f895f90a9d0fa5fc5928c26dfab622b0/detection

bgevin.live
eterplicity.live
polvcrit.info
cdn.bgevin.live
cdn.polvcrit.info
/W6taHcwqKwhgzWGWr7ElpRAfWA7JcsXC0A2a4eFv/

# Reference: https://twitter.com/h2jazi/status/1549762807624880128
# Reference: https://www.virustotal.com/gui/file/cd1a9ae4a3968643a6fb41b36b67838d952dac83ad63c63ce4ad3c672fac31b8/detection

kpt-gov.org
discount.kpt-gov.org
ksew.kpt-gov.org

# Reference: https://twitter.com/h2jazi/status/1550524741202726919
# Reference: https://www.virustotal.com/gui/file/a28a5417d707ecae61313bd5b7c53736d40afba2280cd7ae673963075ae37072/detection

paf-gov.org
awww.paf-gov.org
summer.paf-gov.org
finance.paf-gov.org

# Reference: https://twitter.com/Des00464472/status/1550064523964338176
# Reference: https://www.virustotal.com/gui/ip-address/5.230.72.15/relations

ghaflah.top
cdn.ghaflah.top

# Reference: https://twitter.com/Des00464472/status/1548924681008590853

mawazna.info

# Reference: https://twitter.com/Des00464472/status/1531519247293513728

bluket.live

# Reference: https://twitter.com/Des00464472/status/1528935733888970753
# Reference: https://www.virustotal.com/gui/ip-address/185.234.72.188/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.138.172.23/relations

balcon.live
greploc.live
cdn.greploc.live
tray.balcon.live
treaty.balcon.live

# Reference: https://twitter.com/Des00464472/status/1555024895020769280

paf-media.com

# Reference: https://twitter.com/Des00464472/status/1553931751852244992
# Reference: https://www.virustotal.com/gui/ip-address/192.71.166.139/relations

ubrig.live
cdn.ubrig.live

# Reference: https://twitter.com/Des00464472/status/1559010528013729792

fritor.xyz
cdn.fritor.xyz

# Reference: https://twitter.com/Des00464472/status/1559395659559899136
# Reference: https://www.virustotal.com/gui/ip-address/151.236.21.26/relations

nelpec.top
cdn.nelpec.top

# Reference: https://twitter.com/uslss_etr/status/1562641328055336960
# Reference: https://www.virustotal.com/gui/ip-address/103.149.46.237/relations
# Reference: https://www.virustotal.com/gui/file/efac11fcecbceb4e6273852207a3875ac1edd69158415c3a0bba704e58adeb2c/detection

office-drive.live
dsfbgnh.office-drive.live
sl-navy.office-drive.live

# Reference: https://twitter.com/Des00464472/status/1567657961887252480
# Reference: https://www.virustotal.com/gui/ip-address/5.255.104.124/relations

cssc.live
mailarmy.cssc.live
mailoutlook.cssc.live

# Reference: https://twitter.com/Des00464472/status/1569818563657224193

gov-pknet.org

# Reference: https://twitter.com/malwrhunterteam/status/1570061932706635781
# Reference: https://twitter.com/h2jazi/status/1570070185620512768
# Reference: https://www.virustotal.com/gui/file/719cbc3e08d90d557d464f1a27498626c1b76d6e8db302cb53cb3013a1c35dee/detection

d2klia4zfdp2mg.cloudfront.net

# Reference: https://twitter.com/uslss_etr/status/1570487402694590464
# Reference: https://www.virustotal.com/gui/file/53cc8f46f10e4b3958834d75b15db3aa0d8c86a63b8bd3e6ac180c05ce27d748/detection

ptcl-gov.com
mofadividion.ptcl-gov.com

# Reference: https://twitter.com/Des00464472/status/1571639928483885056

hare-ap.live

# Reference: https://twitter.com/RedDrip7/status/1575745702021705728
# Reference: https://www.virustotal.com/gui/file/e6a6066594160a053fe7d68d688b95920936d5880a37a2c91872fb2fc128adf6/detection
# Reference: https://www.virustotal.com/gui/file/5eec9df0c62b8a0d8c922d366e38ac91907d2a7f5cd13a717d7714015ae362c1/detection
# Reference: https://www.virustotal.com/gui/file/37eca58386fbf9c1e381f88776435565623e3d2d1e2b01218f7717b963449735/detection

comsats-net.com
lforvk.com
moma.comsats-net.com
promotionlist.comsats-net.com
srilanka-navy.lforvk.com

# Reference: https://twitter.com/bofheaded/status/1577197626852003840
# Reference: https://www.virustotal.com/gui/ip-address/173.249.18.251/relations
# Reference: https://www.virustotal.com/gui/file/e5ca4a6c4d2dbd0343cf59d7eb7fb034f45b86c13c8d80b92f289b464828d3bf/detection
# Reference: https://www.virustotal.com/gui/file/7034fd95d764429b5b4b84fc7e63fa259879c10a7c0786fa47e86f911970614e/detection

http://173.249.18.251
drivebrox.xyz

# Reference: https://twitter.com/__0XYC__/status/1580083623717658624
# Reference: https://twitter.com/__0XYC__/status/1580796395052670976
# Reference: https://www.virustotal.com/gui/file/cd592c969a3a940e43888a1902ec9e4605ed28676d3945ab84d72175fbc87253/detection
# Reference: https://www.virustotal.com/gui/file/bbcca0dc10b700c01e557612f009c050ca618f227e0b8be3d4f471dd9d887a18/detection

comsats-mail.pk
ntc-gov.com
paf-pk-gov.org
finance.gov.pk.ntc-gov.com

# Reference: https://twitter.com/Des00464472/status/1582922779707703297

bentec.tech
front.bentec.tech

# Reference: https://twitter.com/t3ft3lb/status/1582838910857932802
# Reference: https://www.virustotal.com/gui/file/808058f4e1c47b91cacfc032f348a617961a463d19ee5389f472d29c65197438/detection

tsinghua.institute
awww.tsinghua.institute
fdgnyt.tsinghua.institute
mail.tsinghua.institute

# Reference: https://twitter.com/ShadowChasing1/status/1583063616667799552
# Reference: https://www.virustotal.com/gui/file/b27968c0d0f55a06cbf424cacf62d0b22e64f021c72d51d4adb0c1771709fe70/detection

gov-net.co
finance.gov-net.co

# Reference: https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0 (# WarHawk)
# Reference: https://www.virustotal.com/gui/ip-address/3.239.29.103/relations
# Reference: https://www.virustotal.com/gui/file/58b3686e4255d32dbcf7dee9dac1d5be6d4692d086cde167da1e1a5e0e1b315a/detection
# Reference: https://www.virustotal.com/gui/file/624c6b56ee3865f4a5792ad1946a8e86b876440a5af3bac22ac1dee92f1b7372/detection
# Reference: https://www.virustotal.com/gui/file/7d3574c62df44b74337fc74ec7877792b4ffa1486a49bb19668433c3ca8836b5/detection
# Reference: https://www.virustotal.com/gui/file/f97d5d3e1c2ceb3e9d23ae5b5d4e7c9857155df5acf7f67fee995cb041c797dc/detection

http://146.190.235.137
74.125.196.113:53
customs-lk.org
fia-gov.org
nadra-pk.org
1c1157fa.caa.update.customs-lk.org
1d06bfb2.check.update.fia-gov.org
1d06bfb2.local.update.fia-gov.org
1d06bfb2.scan.update.fia-gov.org
64115cb6.check.update.fia-gov.org
753fa5b2.check.update.fia-gov.org
a.bc.1d06bfb2.check.update.fia-gov.org
a.bc.1d06bfb2.local.update.fia-gov.org
a.bc.1d06bfb2.scan.update.fia-gov.org
a.bc.64115cb6.check.update.fia-gov.org
bc.1d06bfb2.local.update.fia-gov.org
bc.1d06bfb2.scan.update.fia-gov.org
bc.753fa5b2.check.update.fia-gov.org
caa.update.customs-lk.org
check.update.fia-gov.org
generic.update.fia-gov.org
lms.update.fia-gov.org
local.update.fia-gov.org
microsoft.update.fia-gov.org
nadra.update.customs-lk.org
scan.update.fia-gov.org
update.customs-lk.org
update.fia-gov.org
nepra.org.pk/css/32-Advisory-No-32.iso
/wh/glass.php

# Reference: https://twitter.com/Des00464472/status/1585171289261891585

plokin.top
count.plokin.top

# Reference: https://twitter.com/Timele9527/status/1585824832842653696
# Reference: https://twitter.com/Timele9527/status/1585824983598538752

alit.info
civix.site
direct88.org
fenctor.top
file-server.co
gov-netpk.net
hblbank.co
marksafe.org
net-pk.org
outlookk.co
paf-govt.com
paf-govt.org
pak-navy.co
paknavy.net
paknavygov.org
playstore.cloud
reas.tech
supportgovpk.co
tinlly.co
tinly.org
vopler.tech

# Reference: https://twitter.com/Des00464472/status/1586959212596563968

tonse.info
rock.tonse.info

# Reference: https://twitter.com/jaydinbas/status/1591096310870179840
# Reference: https://www.virustotal.com/gui/ip-address/5.230.74.58/relations
# Reference: https://www.virustotal.com/gui/file/ee2018f7b42ed56fb8b272c9662bf9ddd01f6058abd756019a857a33e54d8faf/detection

mofagov.com
mailnepalarmy.mofagov.com

# Reference: https://twitter.com/Des00464472/status/1592039315823276032

play-store.co
google.play-store.co
hostmaster.play-store.co

# Reference: https://twitter.com/Des00464472/status/1592393354138259457
# Reference: https://www.virustotal.com/gui/ip-address/192.36.41.43/relations

fbr.net-pk.org

# Reference: https://twitter.com/Des00464472/status/1597099850075901957
# Reference: https://www.virustotal.com/gui/ip-address/158.255.211.188/relations
# Reference: https://www.virustotal.com/gui/file/023a9b64f4a97bebca72cbfa58553cf7ab3f6b80beba908447a441ef4870f284/detection

mofs-gov.org
mailpakbj.mofs-gov.org
mailv.mofs-gov.org

# Reference: https://twitter.com/Des00464472/status/1597474158367379456

graty.tech
guide.graty.tech

# Reference: https://twitter.com/RedDrip7/status/1598252489866121216
# Reference: https://www.virustotal.com/gui/ip-address/5.230.73.106/relations
# Reference: https://www.virustotal.com/gui/file/cd09bf437f46210521ad5c21891414f236e29aa6869906820c7c9dc2b565d8be/detection

bol-north.com
abc.bol-north.com
cdsve.bol-north.com
dgdfvdf.bol-north.com
dger.bol-north.com
dvdf.bol-north.com
fyujv.bol-north.com
pnwc.bol-north.com

# Reference: https://twitter.com/Des00464472/status/1599652629403299840

appsrv.live

# Reference: https://twitter.com/malwareforme/status/1600150609616949248
# Reference: https://www.virustotal.com/gui/file/bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f/detection

downld.net
paknavy-gov-pk.downld.net

# Reference: https://twitter.com/t3ft3lb/status/1605501885531553797
# Reference: https://www.virustotal.com/gui/file/46cc2e14b7daeadc9f7e5be5cb2004f1370620c93ac97a31cd9a7d329211fd9e/detection

paf-govt.net
csd.paf-govt.net

# Reference: https://twitter.com/fr0s7_/status/1605917826711048193
# Reference: https://www.virustotal.com/gui/file/a2faee1e5fe8717d6360458f1fd6d83902a2c9c6bb2e84f9ea5e4b67ffafbebd/detection

foodies.alit.info
mail.alit.info
maildefence.alit.info
mailmofa.alit.info

# Reference: https://twitter.com/Des00464472/status/1621434286816759808
# Reference: https://www.virustotal.com/gui/ip-address/5.255.105.243/relations

pmdu-gov.org
dsfgb.pmdu-gov.org
elchxdnj.pmdu-gov.org
ghj.pmdu-gov.org
qhacgeao.pmdu-gov.org

# Reference: https://twitter.com/GroupIB_TI/status/1625762101758140416

http://160.20.147.84
http://185.163.47.226
http://185.243.112.186
http://185.248.101.231
http://185.248.102.15
http://194.32.76.244
http://45.153.240.66
http://45.92.156.114
http://46.30.188.222
http://5.2.79.135
http://83.171.236.49
akamai.servehttp.com
bankofceylon.sytes.net
expolanka.serveftp.com
gavaf.org
gavnp.org
lankabelltd.myftp.org
mail-mohs.ddns.net
mail.gavaf.org
mail.nepal.gavnp.org
nepal.gavnp.org
nic-share.myftp.org
nucleusvision.co
outlook.gavaf.org
sltelecom.servehttp.com
sltmobitel.hopto.org
srilankanairlines.redirectme.net
webmail.gavaf.org
windowupdate.myftp.org
/@/@/h31l0

# Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1626044765874814977
# Reference: https://www.virustotal.com/gui/ip-address/62.113.255.80/relations
# Reference: https://www.virustotal.com/gui/file/0ad752520774efca09add91df67ec72d2b1a8b503975569b077e43f40fc7a599/detection

mod-gov.org
_domainkey.mod-gov.org
gysdj.mod-gov.org
iididbiy.mod-gov.org
service.mod-gov.org
slpa.mod-gov.org
_._domainkey.mod-gov.org
_._domainkey.service.mod-gov.org
_.service.mod-gov.org
_domainkey.service.mod-gov.org

# Reference: https://twitter.com/ThreatBookLabs/status/1628764544331059201

sinacn.co

# Reference: https://twitter.com/jaydinbas/status/1629149185806069761
# Reference: https://www.virustotal.com/gui/file/f81d1c47a666d4ec32e69b3e1312dda62c932298e32cc42d5c0c6543589d96be/detection
# Reference: https://www.virustotal.com/gui/file/3ed1dc92e8399f062e5e62e5483a87736e51ad4ce651f0628abf98d5e10aee27/detection

kcps.edu.in/css/fonts/files/jquery/
kcps.edu.in/css/fonts/files/ntsfonts/
kcps.edu.in/css/fonts/files/docs/graentsodocumentso/ganeshostwoso/
/graentsodocumentso/ganeshostwoso/
/graentsodocumentso/
/ganeshostwoso/

# Reference: https://twitter.com/StopMalvertisin/status/1630934296113577984
# Reference: https://www.virustotal.com/gui/file/cdcc1e6e62df117cc40103c3b2821c10fd5f0372cf06e238663e634a05741764/detection

hpuniversity.in

# Reference: https://twitter.com/suyog41/status/1633822870601363457
# Reference: https://twitter.com/bofheaded/status/1634309581705715712
# Reference: https://twitter.com/fmc_nan/status/1634096201577660416
# Reference: https://www.virustotal.com/gui/file/9aed0c5a047959ef38ec0555ccb647688c67557a6f8f60f691ab0ec096833cce/detection

144.91.72.17:8080
cornerstonebeverly.org/js/files/DRDO-K4-Missile-Clean-room
cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso/pantomime.hta
cornerstonebeverly.org/js/files/ntfonts/
cornerstonebeverly.org/js/files/ntfonts/avena

# Reference: https://twitter.com/StopMalvertisin/status/1634084568608264192
# Reference: https://www.virustotal.com/gui/ip-address/79.141.174.208/relations
# Reference: https://www.virustotal.com/gui/file/a45258389a3c0d4615f3414472c390a0aabe77315663398ebdea270b59b82a5c/detection

bol-south.org
mtss.bol-south.org

# Reference: https://twitter.com/StopMalvertisin/status/1634084573620604934
# Reference: https://www.virustotal.com/gui/ip-address/5.255.106.249/relations
# Reference: https://www.virustotal.com/gui/file/8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad/detection

dowmload.net
cstc-spares-vip-163.dowmload.net

# Reference: https://twitter.com/bofheaded/status/1634290081627271168

connectiiest.com
goinfinity.tech

# Reference: https://twitter.com/StopMalvertisin/status/1638194026162827265
# Reference: https://www.virustotal.com/gui/file/7dcf935a24039dff2d084f41ab8ca318b28c53c01f9de069f087b3be15457ba9/detection

defpak.org
paknavy.defpak.org

# Reference: https://twitter.com/ThreatBookLabs/status/1644346009198395392

awrah.live
blesico.site

# Reference: https://twitter.com/ThreatBookLabs/status/1645269421873840129

mod-gov.com

# Reference: https://twitter.com/__0XYC__/status/1648577567840952321
# Reference: https://www.virustotal.com/gui/ip-address/2.58.14.249/relations

fia-gov.com
cabinet-division-pk.fia-gov.com
dad.fia-gov.com
desk.fia-gov.com
foooders.fia-gov.com
ghckjxvo.fia-gov.com
m.fia-gov.com
plbulcbo.fia-gov.com
test.fia-gov.com
tmlbxveb.fia-gov.com
wndro.fia-gov.com

# Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1648890379943706625

halterarks.co.uk

# Reference: https://twitter.com/jaydinbas/status/1653361390491430915
# Reference: https://www.virustotal.com/gui/ip-address/39.104.50.12/relations
# Reference: https://www.virustotal.com/gui/file/88c10674bb6a53791bfe08497948699bf57ea9980a878a3a5fc1afb160d1d234/detection

alibababackupcloud.com
portal.alibababackupcloud.com
secure.alibababackupcloud.com
vpn.alibababackupcloud.com

# Reference: https://twitter.com/500mk500/status/1653860821020049410
# Reference: https://www.virustotal.com/gui/file/d236df798c56b2a32ff744f16d93c6a0412b4caaf2ea35b171a3953b19609074/detection

nadra-gov-pk.com

# Reference: https://twitter.com/ThreatBookLabs/status/1655769610116038657
# Reference: https://threatbook.io/domain/ntc-pk.org

ntc-pk.org

# Reference: https://twitter.com/ThreatBookLabs/status/1656499255056687104
# Reference: https://www.virustotal.com/gui/ip-address/5.230.72.98/relations

aliit.org
cxvdfg.aliit.org

# Reference: https://twitter.com/t3ft3lb/status/1656554005491859456
# Reference: https://www.virustotal.com/gui/ip-address/5.230.73.198/relations
# Reference: https://www.virustotal.com/gui/file/a703c6772e8bcf7cd0aef05ecbee4c7f7f39371d45b42bf1030df2be5261717c/detection

dytt88.org
mail-dmp-navy-pk.dytt88.org
ministryofforeignaffairs-mofa-gov-pk.dytt88.org

# Reference: https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan

govpk.net
paknavy-gov.com
dgms.paknavy-gov.com
forecast.comsats-net.com
mailnavybd.govpk.net
mailnavymilbd.govpk.net
paknavy-gov-pkp.downld.net
paknavy.jmicc.xyz
paknavy.paknavy.live

# Reference: https://twitter.com/ThreatBookLabs/status/1657207787397718018

daraz-pk.com

# Reference: https://twitter.com/ThreatBookLabs/status/1657941419401805824

ntc-pk.com

# Reference: https://twitter.com/ThreatBookLabs/status/1658323281420881926

govpk.org

# Reference: https://www.bridewell.com/insights/news/detail/the-distinctive-rattle-of-apt-sidewinder

aa173.bank-ok.com
active.roteh.site
aeryple.xyz
agarg.tech
ailyun.live
amuck.scoler.tech
article-viewer.com
assbutt.xyz
ausib-edu.org
avail.freay.tech
axis.heplor.biz
bank-ok.com
basic.gruh.site
basis.agarg.tech
blesis.live
bless.agarg.tech
bluedoor.click
brac.tech
brave.agarg.tech
breat.info
cater.sphery.live
cdn.torsey.xyz
ceiling.kalpo.xyz
cert.repta.live
climb.kalpo.xyz
cluster.jotse.info
confluence.assbutt.xyz
countpro.info
cpec.site
csdstore.app
cssc-net.co
cvix.cc
dirctt88.org
directt88.org
dolper.top
dr-doom.xyz
dsmes.xyz
e-tohfa.net
elopter.top
enclose.info
endure.sphery.live
estate.ovil.tech
fdrek.live
file-download.co
focus.mectel.tech
focus.semain.tech
found.neger.site
found.troks.site
freay.tech
freedom.olerpic.info
ftp.true-islam.org
fujit.info
gearfill.biz
geoloc.top
georgion.info
gitlab.enclose.info
glorec.tech
gretic.info
groove.olipy.info
gruve.site
hakimiya.live
handle.proey.tech
helpdesk-gov.info
heplor.biz
hertic.tech
hldren.info
hostmaster.enclose.info
hread.live
hyat.tech
inkly.net
insert.roteh.site
islamic-path.com
jester.hyat.tech
jotse.info
kalpo.xyz
kito.countpro.info
krontec.info
leron.info
leyra.tech
lines.aeryple.xyz
livo.silvon.site
lucas.hertic.tech
mat.trelin.tech
mectel.tech
mfagov.org
moon.tfrend.org
mopiler.top
msoft-updt.net
neger.site
nelcec.info
normal.aeryple.xyz
offshore.leron.info
olerpic.info
olipy.info
oprad.top
opt.freay.tech
ortra.tech
ovil.tech
paf-govt.info
pak-gov.info
pak-govt.net
pak-news.info
pastlet.live
plors.tech
portal.breat.info
preag.info
preat.fujit.info
preat.info
privacy.olerpic.info
private.hldren.info
proey.tech
prol.info
ptcl-gov.org
rack.nelcec.info
reay.tech
repta.live
reth.cvix.cc
reveal.troks.site
ridlay.live
roof.wsink.live
rugby.wsink.live
sbp-pk.org
sdfsdg.enclose.info
semain.tech
service.true-islam.org
shortney.org
shrtny.co
shrtny.live
silk.freat.site
silvon.site
sindhpolice-govpk.org
sk.krontec.info
spec.trelin.tech
sphery.live
split.tyoin.biz
square.oprad.top
srv-app.co
storeapp.site
straight.hldren.info
support-twitter.com
tab.gruve.site
telemart-pk.com
tfrend.org
tiinly.co
tinurl.click
torsey.xyz
treat.fraty.info
trelin.tech
troks.site
true-islam.org
tyoin.biz
utilize.elopter.top
verocal.info
view.proey.tech
vtray.tech
wsink.live
yrak.info
zed.shrtny.live
zolosy.top
zone.vtray.tech
zretw.xyz

# Reference: https://twitter.com/ThreatBookLabs/status/1658669939010715653
# Reference: https://www.virustotal.com/gui/ip-address/192.36.27.97/relations

_._domainkey.pak-ntc.org
_._domainkey.service.pak-ntc.org
_.service.pak-ntc.org
_domainkey.pak-ntc.org
_domainkey.service.pak-ntc.org
efrgfh.pak-ntc.org
emv1.pak-ntc.org
service.pak-ntc.org

# Reference: https://twitter.com/ThreatBookLabs/status/1659021576841601026
# Reference: https://www.virustotal.com/gui/ip-address/5.255.99.99/relations

ntc-net.co
_._domainkey.ntc-net.co
_._domainkey.service.ntc-net.co
_.service.ntc-net.co
_domainkey.ntc-net.co
_domainkey.service.ntc-net.co
emv1.ntc-net.co
service.ntc-net.co

# Reference: https://twitter.com/ThreatBookLabs/status/1660854037149884417
# Reference: https://www.virustotal.com/gui/ip-address/5.230.78.184/relations

mofss.co
_._domainkey.mofss.co
_._domainkey.service.mofss.co
_.service.mofss.co
_domainkey.mofss.co
_domainkey.service.mofss.co
drtgfhj.mofss.co
emv1.mofss.co
service.mofss.co

# Reference: https://twitter.com/__0XYC__/status/1664581189766610944
# Reference: https://twitter.com/uslss_etr/status/1664705054069215252
# Reference: https://www.virustotal.com/gui/ip-address/8.208.90.73/relations
# Reference: https://www.virustotal.com/gui/file/e7d2d26cc056b607b7af96cc08d66a168555afc38cf29b37729f4b90141fa5db/detection

http://149.129.237.253
ebill-ptclnetpk.servehttp.com
flysmart-piaccompk.servehttp.com
nlc-govpk.servehttp.com
offers-ptclnetpk.servehttp.com
online-csdgovpk.servehttp.com

# Reference: https://www.virustotal.com/gui/ip-address/146.70.161.36/relations

pkgov-mail.com
_._domainkey.pkgov-mail.com
_._domainkey.service.pkgov-mail.com
_.service.pkgov-mail.com
_domainkey.pkgov-mail.com
_domainkey.service.pkgov-mail.com
emv1.pkgov-mail.com
service.pkgov-mail.com

# Reference: https://twitter.com/ThreatBookLabs/status/1663729069811458048
# Reference: https://www.virustotal.com/gui/ip-address/5.230.78.76/relations

ruve.live
cgate.ruve.live
volt.ruve.live

# Reference: https://twitter.com/ThreatBookLabs/status/1663400816907272192
# Reference: https://www.virustotal.com/gui/ip-address/5.255.124.203/relations

pargue.tech

# Reference: https://twitter.com/ThreatBookLabs/status/1661558607857717248

data-protect.tech

# Reference: https://twitter.com/StopMalvertisin/status/1668668882108940288
# Reference: https://www.virustotal.com/gui/ip-address/13.213.47.21/relations
# Reference: https://www.virustotal.com/gui/file/8a431314696e82f994dd7fd32e6151232a9bbdc948c64cc6ee8a6e3dc67bb4f6/detection

csd-govpk.servehttp.com
finance-govpk.servehttp.com
ntc-govpk.servehttp.com

# Reference: https://twitter.com/TLP_R3D/status/1672174181935464448

pk-co.info

# Reference: https://www.group-ib.com/blog/hunting-sidewinder/

bol-south.com
ishd.directt88.org
microsoft-365.directt88.org
punjabpolice-gov-pk.fia-gov.com

# Reference: https://twitter.com/ThreatBookLabs/status/1675852641874632705

fssp.tech

# Reference: https://twitter.com/TLP_R3D/status/1676537779574931457
# Reference: https://www.virustotal.com/gui/ip-address/98.142.254.52/relations

mofagov.live

# Reference: https://twitter.com/t3ft3lb/status/1676511378117648386
# Reference: https://www.virustotal.com/gui/file/4e86f36820d5e96739fa6ed192d410eeca975c3a2ec48e13eb98d3486c9262b0/detection

mailsiis.alit.info

# Reference: https://twitter.com/TLP_R3D/status/1676680838774136832
# Reference: https://www.virustotal.com/gui/ip-address/193.42.39.133/relations

ptcl-gov.info

# Reference: https://twitter.com/__0XYC__/status/1676905915885187073
# Reference: https://www.virustotal.com/gui/file/3ef7b9a872dc1247edb0f3947d0db681ff14be81cb46be22ce4f896f2d2dc7f0/detection

pakistanarmy.xyz

# Reference: https://twitter.com/ThreatBookLabs/status/1678384704679182336
# Reference: https://www.virustotal.com/gui/ip-address/5.230.74.80/relations

mofa-gov.info

# Reference: https://twitter.com/ThreatBookLabs/status/1678934448186728448

cylit.info

# Reference: https://twitter.com/ThreatBookLabs/status/1679132754842390529

nbcot.info

# Reference: https://twitter.com/ThreatBookLabs/status/1680766347255611394

mofagov.info

# Reference: https://twitter.com/ThreatBookLabs/status/1680943216114253825

tref.tech

# Reference: https://twitter.com/ThreatBookLabs/status/1681132716534923267
# Reference: https://www.virustotal.com/gui/ip-address/85.113.70.48/relations

mod-pkgov.org
mailafdbd.mod-pkgov.org

# Reference: https://twitter.com/Axel_F5/status/1681354510642429982
# Reference: https://www.virustotal.com/gui/file/61a839aaba4807e492922a3ba0000b98568669626638acf5e5ed0b597fdd5e40/detection

libreofficeupdates.com

# Reference: https://twitter.com/Axel_F5/status/1669794530592170001
# Reference: https://www.virustotal.com/gui/file/b41d54a9686b312f9e114f62e6bf11e21c8e97dda477d488ca19e2afa45efc9e/detection

plainboardssixty.com

# Reference: https://twitter.com/Axel_F5/status/1597978238542057473
# Reference: https://www.virustotal.com/gui/file/f946663a780806693ea3fb034215bd6da25971eb07d28fe9c209594c90ec3225/detection

sinacn.co
mailtsinghua.sinacn.co
mailstinghua.sinacn.co
