# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: cageychameleon, cryptocore, cryptomimic, ta444, wslink

# Reference: https://twitter.com/e_kaspersky/status/1481665686351106053
# Reference: https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/

http://163.25.24.44
http://45.238.25.2
163.25.24.44:443
45.238.25.2:443
118.70.116.154:8080
186.183.185.94:8080
66.181.166.15:8080
163qiye.top
abiesvc.com
abiesvc.info
abiesvc.jp.net
antcapital.us
atom.publicvm.com
att.gdrvupload.xyz
authenticate.azure-drive.com
azure-drive.com
azureprotect.xyz
azure-service.com
azureword.com
backup.163qiye.top
beenos.biz
bhomes.cc
bitcoinnews.mefound.com
bitflyer.team
blog.cloudsecure.space
bloomcloud.org
buidihub.com
chemistryworld.us
circlecapital.us
client.googleapis.online
cloud.azure-service.com
cloud.globalbrains.co
cloud.jumpshare.vip
cloudsecure.space
cloudshare.jumpshare.vip
cloud.venturelabo.co
coinbig.dev
coinbigex.com
coin-squad.co
deepmind.fund
dekryptcap.digital
devprocloud.com
dllhost.xyz
doconline.top
docs.azureword.com
docs.coinbigex.com
docs.gdriveshare.top
docs.goglesheet.com
docs.securedigitalmarkets.co
docstream.online
document.antcapital.us
document.bhomes.cc
document.fastercapital.cc
document.kraken-dev.com
document.lundbergs.cc
documentprotect.live
documentprotect.pro
documents.antcapital.us
document.skandiafastigheter.cc
docuserver.xyz
doc.venturelabo.co
doc.youbicapital.cc
domainhost.dynamic-dns.net
download.azure-safe.com
download.azure-service.com
download.gdriveupload.site
drives.googldrive.xyz
drives.googlecloud.live
driveshare.googldrive.xyz
dronefund.icu
drw.capital
eii.world
etherscan.mrslove.com
faq78.faqserv.com
fastdown.site
fastercapital.cc
filestream.download
file.venturelabo.co
foundico.mefound.com
galaxydigital.cc
galaxydigital.cloud
gdocsdown.com
gdriveshare.top
gdriveupload.info
gdrvupload.xyz
globalbrains.co
gmaildrive.site
goglesheet.com
googldrive.xyz
googleapis.online
googleauth.pro
googlecloud.live
googledocpage.com
googledrive.download
googledrive.email
googledrive.online
googledrive.publicvm.com
googleexplore.net
googleservice.icu
googleservice.xyz
googlesheetpage.org
googleupload.info
gsheet.gdocsdown.com
hiccup.shop
innoenergy.info
isosecurity.xyz
jack710.club
jumpshare.vip
kraken-dev.com
ledgerservice.itsaol.com
lemniscap.cc
lundbergs.cc
mail.gdriveupload.info
mail.gmaildrive.site
mail.googleupload.info
mclland.com
microstratgey.com
miss.outletalertsdaily.com
msoffice.qooqle.download
note.onedocshare.com
onlinedoc.dev
onlinedocpage.org
outletalertsdaily.com
page.googledocpage.com
product.onlinedoc.dev
protect.antcapital.us
protect.azure-drive.com
protectoffice.club
protect.venturelabo.co
pvset.itsaol.com
qooqle.download
qoqle.online
regcnlab.com
reit.live
securedigitalmarkets.ca
securedigitalmarkets.co
share.bloomcloud.org
sharebusiness.xyz
share.devprocloud.com
sharedocs.xyz
share.docuserver.xyz
share.stablemarket.org
signverydn.sharebusiness.xyz
sinovationventures.co
skandiafastigheter.cc
slot0.regcnlab.com
stablemarket.org
svr04.faqserv.com
tokenhub.mefound.com
tokentrack.mrbasic.com
twosigma.publicvm.com
updatepool.online
up.digifincx.com
upload.gdrives.best
venturelabo.co
verify.googleauth.pro
word.azureword.com
youbicapital.cc
devstar.dnsrd.com
fxbet.linkpc.net
lservs.linkpc.net
mmsreceive.linkpc.net
msservices.hxxps443.org
onlineshoping.publicvm.com
palconshop.linkpc.net
pokersonic.publicvm.com
press.linkpc.net
rubbishshop.linkpc.net
rubbishshop.publicvm.com
socins.publicvm.com
vpsfree.linkpc.net

# Reference: https://twitter.com/malwrhunterteam/status/1602997656468754432
# Reference: https://www.virustotal.com/gui/file/41c83c80fa348d56ccb10fa48114bac52691c9778812547290d13b3214d98e8c/detection

gdriveshare.com
googledrive.services
wirexapp.app

# Reference: https://securelist.com/bluenoroff-methods-bypass-motw/108383/
# Reference: https://otx.alienvault.com/pulse/63ac10d2a4d29d94a7766d7a

abf-cap.co
abf-cap.com
angelbridge.capital
angelbridge.jp
anobaka.info
anobaka.jp
bankofamerica.nyc
bankofamerica.tel
bankofamerica.us.org
beyondnextventures.co
beyondnextventures.com
lno-prima.lol
mizuhogroup.us
offerings.cloud
perseus.bond
smbc-vc.com
smbc.ltd
smbcgroup.us
tptf.co
tptf.ltd
tptf.us
avid.lno-prima.lol
careers.mizuhogroup.us
cloud.beyondnextventures.co
vote.anobaka.info

# Reference: https://twitter.com/StopMalvertisin/status/1625402506737250304
# Reference: https://www.virustotal.com/gui/file/26e376fc80b090b2ee04e7d3104d308a150e58538580109a74f4ac49bf362423/detection

espcapital.pro
cloud.espcapital.pro

# Reference: https://twitter.com/craiu/status/1625408594886762496
# Reference: https://twitter.com/craiu/status/1625408647508402176

cloud.anobaka.info
cloud.dnx.capital
cloud.gpmtreit.co
cloud.j-ic.co
cloud.j-ic.com
cloud.mekongcapital.net
down.gpmtreit.co
down.gpmtreit.us
down.j-ic.com
down.tomming.us
gpmtreit.co
gpmtreit.us
internal.j-ic.co
j-ic.co
j-ic.com
mekongcapital.net
tet.dnx.capital
tomming.us

# Reference: https://twitter.com/StopMalvertisin/status/1625710611425554434
# Reference: https://www.virustotal.com/gui/file/864f2a624a58cf460689d805e271fbffe24266933cc10166f4342e65143e019f/detection

autoprotect.com.de

# Reference: https://twitter.com/souiten/status/1635210162805018624
# Reference: https://www.virustotal.com/gui/file/2c0a66c6370b4aa88ab3805d520e868cbc513b43119958257a72c9ff58ef241c/detection

share.dedesignanddev.com

# Reference: https://twitter.com/StopMalvertisin/status/1642450636875898880
# Reference: https://twitter.com/StopMalvertisin/status/1642450639618973696
# Reference: https://www.virustotal.com/gui/file/4d5efd08e66c394b025a57995a7065fcda45a982a16ded4cdfc4ed42bd142ea5/detection

jdshare.com.de
mufg.us.com

# Reference: https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/

31ventures.info
deck.31ventures.info

# Reference: https://twitter.com/k3yp0d/status/1650071119074844673
# Reference: https://www.virustotal.com/gui/file/ff8832355ae99ffd66d0fe9eda2d74efdf3ed87bb2a4c215b93ade93165f7c0b/detection
# Reference: https://www.virustotal.com/gui/file/3b6f30369a4ee8bf9409d141b6d1b3fb4286c34984b5de005ed7431df549b17e/detection

hedgehogvc.us
cloud.hedgehogvc.us
down.hedgehogvc.us
laos.hedgehogvc.us
pet.hedgehogvc.us
thai.hedgehogvc.us

# Reference: https://twitter.com/KSeznec/status/1678319191110082560

decentryk.online
protectsh.online
raizerverify.online
association.linkpc.net
c-money.linkpc.net
dma.linkpc.net
docsend.com-proapple.cloud.line.pm
longjourneycapital.publicvm.com
longjourneyfund.publicvm.com
longjourneyventure.publicvm.com
world.linkpc.net

# Reference: https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/
# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-08-10-v10391/855

autodynamics.work.gd

# Reference: https://twitter.com/philofishal/status/1767951302607151351
# Reference: https://www.virustotal.com/gui/file/083f949e4708098b624dca017e2c0294a18e9a581f92baa8348836d7d9ba06c7/detection

atajerefoods.com

# Reference: https://twitter.com/MichalKoczwara/status/1783136320166023648

adiclas-nft.quest
datauploader.online
datauploader.site
dropepe.cfd
koreaair.tattoo
stabucksiren.fun
star-bucks.life
starbucksevent.pics
system-update.cloud
system-update.xyz
thefirststore.bond
appleupdate.datauploader.site
first.system-update.xyz
metamask.awaitingfor.site
root.system-update.cloud

# Reference: https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf

buy2x.com
/OcMySY5QNkY/ABcTDInKWw/4SqSYtx%2B/EKfP7saoiP/BcA%3D%3D
/OcMySY5QNkY/ABcTDInKWw/4SqSYtx%2B/EKfP7saoiP/
/4SqSYtx%2B/
/ABcTDInKWw/
/EKfP7saoiP/
/OcMySY5QNkY/

# Reference: https://x.com/TLP_R3D/status/1826545317229015078
# Reference: https://www.virustotal.com/gui/ip-address/23.254.253.75/relations
# Reference: https://app.validin.com/detail?type=dom&find=panda95sg.asia#tab=host_pairs_v2

cmt.ventures
dourolab.xyz
maelstromfund.org
panda95sg.asia
pixelmonmmo.net
pixleon.net
prismlab.xyz
sendmailed.com
tvdhoenn.net
yoannturp.xyz
mc.tvdhoenn.net

# Reference: https://x.com/Cyberteam008/status/1826585708376850744
# Reference: https://app.validin.com/detail?type=ip&find=45.61.140.26#tab=resolutions

45.61.140.26:3389
versionupdate.dns.army

# Reference: https://twitter.com/behindbreach/status/1287961015506927616
# Reference: https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf
# Reference: https://otx.alienvault.com/pulse/5ef36f8f63a7d8a11972ca54
# Reference: https://vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/
# Reference: https://vblocalhost.com/uploads/VB2020-Takai-etal.pdf
# Reference: https://vblocalhost.com/uploads/VB2020-18.pdf
# Reference: https://otx.alienvault.com/pulse/5f74bcb0be4abfe12d93d2bf

140.136.134.201:8080
41.85.145.164:8080
1driv.org
1drv.email
1drvmail.work
amazonaws1.info
amzonnews.club
blockchaintransparency.institute
bugscrowd.com
cloudfiles.club
cloudocs.space
cloudsecure.space
decurret.site
digifincx.com
drivegmail.top
drivegoogle.org
drivegooglshare.xyz
euprotect.net
fcloudshare.xyz
filecloud.website
financialmarketing.live
gdriverfileshare.com
gdrives.best
gdrives.top
gdriveshare.top
gdriveshareslink.xyz
gdriveupload.info
gdriveupload.site
gdrvauth.cloud
gdrvcheck.co
gdrvshare.site
gdrvup.xyz
gdrvupload.xyz
gmaildrive.info
gmaildrive.site
gmaildriver.info
gogleshare.xyz
goglesheet.com
googldocs.org
googldrive.xyz
googleapis.online
googleauth.pro
googlecloud.live
googleclouddrive.com
googlecstorage.com
googledrive.download
googledrive.email
googledrive.network
googledrive.online
googledriver.info
googledriver.net
googledriver.xyz
googledriveshare.com
googledrv.com
googleexplore.net
googlefiledrive.com
googlefileshare.com
googleshare.org
googleupload.info
krypitalvc.com
liveonedrvshare.xyz
microsoftapp.life
msupdatepms.xyz
navicheck.xyz
onedrivecloud.store
onedriveglobal.com
onedrivems.online
onedrivrshares.xyz
onedrvdn.co
onedrvfile.site
ownemail.me
privacyshield.services
provemail.net
secureshares.online
sendspace.buzz
sharedrivegght.xyz
sharegoogldrive.online
sharesdown.xyz
showprice.xyz
uploadsfiles.xyz
wechart.org
armzon.onmypc.org
blackwell.tekstar.us
btcprime.itsaol.com
chromeupdate.publicvm.com
coindeck.onmypc.org
coinnews.onmypc.org
coinomic.itsaol.com
connsec.publicvm.com
ddsvr.itsaol.com
drive.sharegoogldrive.online
drivegoogle.publicvm.com
drivegooogle.publicvm.com
esosv.itemdb.com
europegdprsec.onmypc.org
eusharesrv.onmypc.org
excinfo.itemdb.com
gdrive.onmypc.org
googledrive.dynu.net
googledrive.linkpc.net
googledrive.publicvm.com
googleupdate.publicvm.com
ledgerservice.itsaol.com
matrixpartners.theworkpc.com
mpksl.publicvm.com
mskpupdate.publicvm.com
msupdate.publicvm.com
onedriveupdate.publicvm.com
sevicebill.itemdb.com
termsofservice.onmypc.org
tokenomic.itsaol.com
twosigma.publicvm.com
vpset.onmypc.org
vpsfree.linkpc.net
windrvupdate.kozow.com

# Reference: https://twitter.com/_re_fox/status/1280138335214804995

twosigmateam.info

# Reference: https://twitter.com/_re_fox/status/1298281770597654529

drivegoogles.com

# Reference: https://twitter.com/_re_fox/status/1232320036834025472
# Reference: https://app.any.run/tasks/8d5e66c9-3942-4e00-bfdf-8f2c24054a92/

140.117.91.22:8080
blog.cloudsecure.space

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-12-19-v10199/212

prosec.ink
cloud.prosec.ink
cloudprotect.us.org

# Reference: https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds

autoprotect.com.de
autoprotect.gb.net
azurehosting.co
azureprotect.online
azureprotection.cloud
azuresecurity.online
azuresecurity.site
bankofamerica.offerings.cloud
careers.bankofamerica.nyc
careersbankofamerica.us
cloud.globiscapital.co
cloud.mufg.uk
cloud.tptf.ltd
cloud.wpic.ink
docs.azurehosting.co
globiscapital.co
hoststudio.org
ledgercloud.com
mufg.ink
mufg.uk
mufg.us.org
share.anobaka.info
tptf.fund
unchainedcapital.co
updatezone.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-02-09-v10240/306

autoprotect.com.se

# Reference: https://twitter.com/C0ryInTheHous3/status/1630551018084737027

mufg.yokohama

# Reference: https://twitter.com/C0ryInTheHous3/status/1630991590176030738

doc-view.cloud
azure.doc-view.cloud

# Reference: https://twitter.com/C0ryInTheHous3/status/1633897592806408192

daiwa.ventures
cloud.daiwa.ventures

# Reference: https://twitter.com/C0ryInTheHous3/status/1646159776177324044
# Reference: https://twitter.com/C0ryInTheHous3/status/1646161233458999297
# Reference: https://www.virustotal.com/gui/ip-address/104.168.167.88/relations

arbordeck.co.in
shared-document.cloud
spirtblockchain.com
deck.arbordeck.co.in
safe.shared-document.cloud
arborventures.capital
autoupdatecheck.work.gd
companydeck.cloud
companydeck.online
contract-research.blog
contractresearch.blog
crypto.contract-research.blog
crypto.contractresearch.blog
deck.arbordeck.online
docs-send.cloud
docupload.site
file.docupload.site
file.myfirmdocument.cloud
file.myfirmdocument.online
gunosis.global
interalliancemediagroups.cloud
mx.interalliancemediagroups.cloud
myfirmdocument.cloud
myfirmdocument.online
safe.arborventures.capital
safe.gunosis.global
safe.job-description.online
safe.nextera.capital
safe.smart-contracts.blog
securesmtp.interalliancemediagroups.cloud
smtps.interalliancemediagroups.cloud
webhostwatto.work.gd

# Reference: https://storage.pardot.com/838563/1676629189Mljyft19/CTI_Advisory_Undetected_North_Korean_Malware_A_Looming_Threat_to_Finan.pdf

http://104.255.172.56
cloud.azurehosting.co
doc.gdocshare.one
down.espcapital.co
nbright.best
ns1.trytiponlineresult.com
ns2.trytiponlineresult.com
safe.doc-share.pro
safe.doc-share.top
site.siteshare.me
siteshare.me
trytiponlineresult.com

# Reference: https://twitter.com/TLP_R3D/status/1649147042680172571
# Reference: https://www.virustotal.com/gui/ip-address/104.255.172.52/relations

256ventures.us
aidpartners.org
altair-vc.co.uk
altair-vc.com
altair.linkpc.net
deck.altair-vc.co.uk
deck.altair-vc.com
deck.toyota-ai.org
deepcore.v.entures
doc.256ventures.us
docsend.me
down.aidpartners.org
down.protectedviewer.co
inter.gpmtreit.co
partner.deepcore.v.entures
protectedviewer.co
sarahbeery.docsend.me
toyota-ai.org

# Reference: https://twitter.com/C0ryInTheHous3/status/1661076239614918660

docupload.lat
docupload.store
getwebconnection.buzz
last-report.online
latest-report.cloud
deck.latest-report.cloud
file.docupload.lat
file.docupload.store
news.last-report.online
ok.docupload.store

# Reference: https://twitter.com/C0ryInTheHous3/status/1661075436783259649

docupload.bond
els.docupload.bond

# Reference: https://twitter.com/C0ryInTheHous3/status/1661756717355483137
# Reference: https://www.virustotal.com/gui/ip-address/104.168.167.88/relations

dontdie.cfd
getwebconnection.cfd
latest-report.online
file.latest-report.online
sts.interalliancemediagroups.cloud

# Reference: https://twitter.com/TLP_R3D/status/1664980484219084801
# Reference: https://www.virustotal.com/gui/ip-address/172.93.193.219/relations

developcore.org
gdrvcloud.com
app.developcore.org

# Reference: https://twitter.com/C0ryInTheHous3/status/1669422415309418496

downloadfile.icu
getfilefrom.site
getfilefrom.store
interalliancemediagroups.cloud

# Reference: https://twitter.com/TLP_R3D/status/1677617586349981696
# Reference: https://www.virustotal.com/gui/ip-address/192.119.64.43/relations

floriventurescapital.linkpc.net
floriventuresfinance.linkpc.net
floriventuresfund.linkpc.net

# Reference: https://www.virustotal.com/gui/file/0be79614938541a4cd85de1b6103f0fdeb3808aaba5856ba5bbd8ef6976cf8c3/detection

obituary2.redirectme.net
yorst.linkpc.net

# Reference: https://twitter.com/TLP_R3D/status/1685581711139102720
# Reference: https://www.virustotal.com/gui/ip-address/23.254.204.173/relations
# Reference: https://www.virustotal.com/gui/file/8949207761f3d09734aa716da1e6c182425bcde2a95dacb3320085f1fe66069c/detection

espcap.fun
pro-tokyo.top
docsend-cloud.espcap.fun
docsend.com-pro.apple.cloud.line.pm
group.pro-tokyo.top

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-09-05-v10410/921

cryptowave.capital
datasend.fun
internal-meeting.online
video-meet.xyz

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-09-20-v10421/970

tp-globa.xyz
pre.alwayswait.site
doc.apple.com.premienoe.aidl.eonw.line.pm

# Reference: https://twitter.com/TLP_R3D/status/1705211957941240212
# Reference: https://www.virustotal.com/gui/ip-address/172.86.121.198/relations

techopscentral.com

# Reference: https://twitter.com/greglesnewich/status/1717963704828915988

internal-document-he-gr-me.run.place
j-ic.co.internal-document-he-gr-me.run.place

# Reference: https://x.com/StrikeReadyLabs/status/1834588185835286571
# Reference: https://www.virustotal.com/gui/file/5eb788aa33050c19c614a189949fd02ecf22656809f3c8e3ceffab5a0679ae8e/detection

imp-docs.digital
microsoft-rage.world
show-pdf-document.com
uploadfiles.website
uploadmefiles.site
uploadmefiles.space
uploadmefiles.tech
uploadmefiles.xyz
uploadmyfile.space
uploadmyfile.tech
