# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/MichalKoczwara/status/1601324821614194688

165.22.30.136:3000
165.22.30.136:4000
165.227.198.201:3000
165.227.198.201:4000
20.172.22.144:3000
20.172.22.144:4000
23.99.193.156:3000
23.99.193.156:4000
46.101.184.179:3000
46.101.184.179:4000

# Reference: https://twitter.com/MichalKoczwara/status/1602582437648908289

78.141.195.16:1337

# Reference: https://twitter.com/MichalKoczwara/status/1634155939585482754

143.198.32.165:4000
167.71.190.181:4000

# Reference: https://www.virustotal.com/gui/ip-address/209.97.137.33/relations

evilginx-test.ddns.net
okta.evilginx-test.ddns.net
login.okta.evilginx-test.ddns.net

# Reference: https://twitter.com/banthisguy9349/status/1736660660405039482

13.56.179.221:4000
143.198.43.83:4000
178.62.209.220:4000
54.219.177.74:4000
67.207.82.103:4000
foofficel.com
microssofttonline.nl

# Reference: https://threatfox.abuse.ch/browse/tag/EvilGinx/

143.198.138.173:4000
159.65.47.249:4000
185.224.139.32:2053
195.74.86.44:8443
20.98.48.148:2002
45.56.92.137:443
5.42.64.70:2096
68.219.200.71:4000
aa.aeromexico.foundation
account.avenueconsulting.co
account.trabede.com
ads.customerportalverify.store
adsmanager-graph.eyardimgov.org
adsmanager.eyardimgov.org
api.qantas.aeromexico.foundation
apis.customerportalverify.store
autologon.huenumilla.cl
avenueconsulting.co
b.stats.paypal.secureapp.tools
bank.customerportalverify.store
bfp.usaa.website
bitcdemo-com.huenumilla.cl
blogger.customerportalverify.store
book.qantas.aeromexico.foundation
brannptonbrick.com
browser.huenumilla.cl
business.eyardimgov.org
c6.customerportalverify.store
cdn.aa.aeromexico.foundation
clix.usaa.website
collector.logins.services
content.customerportalverify.store
customerportalverify.store
documentsigningonline.com
drive.google.secureapp.tools
employees.carlsberg.site
fc.customerportalverify.store
foremostsgroup.com
fusion.os.gov.aisp.ps
fusion.ps.gov.aisp.ps
gettymefondeploy.online
github.logins.services
global.customerportalverify.store
graph.eyardimgov.org
isf.gov.lb.gov.aisp.ps
jebmefals.com
live.huenumilla.cl
lms.usaa.website
login-us.huenumilla.cl
login.avenueconsulting.co
login.factset.company
login.microsoft.fom-dev1.bloemer-net.de
login.recruiterteams.com
login.trabede.com
logs.customerportalverify.store
m.customerportalverify.store
mail.carlsberg.site
mail.mod.gov.eg.gov.aisp.ps
mail10.email.gov.aisp.ps
mcasproxy.huenumilla.cl
microsoft.huenumilla.cl
mobile2.usaa.website
myaccount.customerportalverify.store
myaccount.google.secureapp.tools
notifications.google.secureapp.tools
objects.usaa.website
office365.huenumilla.cl
ogs.customerportalverify.store
okta.outlook.nerdwriter.com
omns.customerportalverify.store
outlook-1.huenumilla.cl
outlook-us.huenumilla.cl
outlook.avenueconsulting.co
outlook.trabede.com
passwords.dordaa.at
paxful.usaa.website
play.customerportalverify.store
portal.carlsberg.site
potomac-clickstream.usaa.website
qantas.aeromexico.foundation
recruiterteams.com
secure.duevolostore.com
secure07c.usaa.website
sensors.usaa.website
sessions.usaa.website
smetrics.aa.aeromexico.foundation
smetrics.customerportalverify.store
smtc.qantas.aeromexico.foundation
ssl.google.secureapp.tools
sso.drivevvyze.com
sso.outlook.nerdwriter.com
static.customerportalverify.store
static.facebook.secureapp.tools
static.qantas.aeromexico.foundation
stats.customerportalverify.store
sts.securedocumentservices.ca
t.customerportalverify.store
us.azureauth-duo.factset.company
w1.avenueconsulting.co
webdisk.avenueconsulting.co

# Reference: https://threatfox.abuse.ch/browse/tag/EvilGinx/ (# 2024-01-23)

http://192.119.110.233
143.198.64.151:4000
15.207.223.179:443
188.166.209.186:4000
192.119.110.233:5000
account.deenpel.com
cpanel.dnl-l.ooguy.com
cpcalendars.dnl-l.ooguy.com
cpcontacts.dnl-l.ooguy.com
dnl-l.ooguy.com
expedia-realtime.expeida.net
expedia-rest.expeida.net
expeida.net
hwsrv-1125909.hostwindsdns.com
login.deenpel.com
mediaim.expeida.net
oms.expeida.net
onboarding.expeida.net
outlook.deenpel.com
pay.expeida.net
redirect-r1.pay.expeida.net
static.pay.expeida.net
vap.expeida.net
webmail.dnl-l.ooguy.com

# Reference: https://twitter.com/MichalKoczwara/status/1752446013359403109

miicrossofftonline.nl

# Reference: https://x.com/AvastThreatLabs/status/1806720963205107787

xpfdoc0365090.com
apps.xpfdoc0365090.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-09-22)

103.47.226.152:3333
134.209.32.59:3333
137.184.38.108:3333
137.184.53.6:3333
138.197.133.22:4000
147.182.133.204:3333
161.35.232.141:4000
167.71.81.157:3333
170.64.224.234:4000
212.111.43.6:3333

# Reference: https://threatfox.abuse.ch/browse/tag/EvilGinx/ (# 2024-09-22)

account.driddex.shop
amazon.testfish.dosoos.com
apis.accountonline.live
events.api.georgicaautoholding.com
jobsprogress.pro
login.monmt.com
mailsession.com
monmt.com
mrdiy.diy
mrdyi.store
newscom.today
o365.zicar.info
outlook.adminstream.org
outlook.mailsession.com
perfectogruop.net
session.mailsession.com

# Generic (host-independent indicator: URL path of the evilginx Linux amd64 release archive)

/evilginx-linux-amd64.tar.gz
