# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: APT29, Cozy Bear, The Dukes, WellMess, WellMail, SoreFang, PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke, CloudDuke

# Reference: https://otx.alienvault.com/pulse/55fae83567db8c6fb3518bcd/
# Reference: https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

nasdaqblog.net
nytunion.com
overpict.com
greencastleadvantage.com
sixsquare.net
oilnewsblog.com
grouptumbler.com
airtravelabroad.com
beijingnewsblog.net
ustradecomp.com
nestedmail.com
leveldelta.com
nostressjob.com
natureinhome.com
deervalleyassociation.com

# Reference: https://www.f-secure.com/weblog/archives/00002822.html

portal.sbn.co.th

# Reference: https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
# Reference: https://otx.alienvault.com/pulse/5da83c7c104ff3553f418443

acciaio.com.br
bandabonga.fr
busseylawoffice.com
ceycarb.com
coachandcook.at
ecolesndmessines.org
fairfieldsch.org
fisioterapiabb.it
lorriratzlaff.com
ministernetwork.org
motherlodebulldogclub.com
powerpolymerindustry.com
publiccouncil.org
rulourialuminiu.co.uk
salesappliances.com
sistemikan.com
skagenyoga.com
varuhusmc.org
westmedicalgroup.net

# Reference: https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
# Reference: https://otx.alienvault.com/pulse/5f107c022dfb7a7c8fec7903

http://103.13.240.46
http://103.205.8.72
http://103.216.221.19
http://103.253.41.102
http://103.253.41.68
http://103.253.41.82
http://103.253.41.90
http://103.73.188.101
http://111.90.146.143
http://111.90.150.176
http://119.160.234.163
http://119.160.234.194
http://119.81.173.130
http://119.81.178.105
http://119.81.184.11
http://120.53.12.132
http://122.114.197.185
http://122.114.226.172
http://141.255.164.29
http://141.98.212.55
http://145.249.107.73
http://146.0.76.37
http://149.202.12.210
http://169.239.128.110
http://176.119.29.37
http://178.211.39.6
http://185.145.128.35
http://185.225.226.16
http://185.99.133.112
http://188.241.68.137
http://191.101.180.78
http://192.48.88.107
http://202.59.9.59
http://209.58.186.196
http://209.58.186.197
http://209.58.186.240
http://220.158.216.130
http://27.102.130.115
http://31.170.107.186
http://31.7.63.141
http://45.120.156.69
http://45.123.190.167
http://45.123.190.168
http://45.129.229.48
http://45.152.84.57
http://46.19.143.69
http://5.199.174.164
http://66.70.247.215
http://79.141.168.109
http://81.17.17.213
http://85.93.2.116

# Reference: https://twitter.com/IntezerLabs/status/1285487000091598863
# Reference: https://www.virustotal.com/gui/file/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2/detection

111.90.150.140:25

# Reference: https://twitter.com/ShadowChasing1/status/1288403929462530049
# Reference: https://www.virustotal.com/gui/file/95193266e37a3401a0becace6d41171ab2968ed5289d666043251d05552d02fc/detection

http://178.211.39.6
141.98.212.55:121

# Reference: https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/

monitor.syn.cn

# Reference: https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html

103.216.221.18:50031

# Reference: https://twitter.com/joakimkennedy/status/1303626343830167552
# Reference: https://www.virustotal.com/gui/file/ebfe9cc39dfdc1d1abe7fd4b1e248b16238234c5261610456de0317c2045555d/detection

103.253.41.102:8081

# Reference: https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
# Reference: https://www.virustotal.com/gui/file/7c20ef1547da114c15da8dd617d22dfd5c7fb08bb9eb07e30df35834619b915a/detection

45.91.93.89:443
d1d66buv7blf1z.cloudfront.net
myrric-uses.singlejets.com
sendbits.m2stor4ge.xyz

# Reference: https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/
# Reference: https://otx.alienvault.com/pulse/60b689c652cd41240e77cfbe

74d6b7b2.app.giftbox4u.com
content.pcmsar.net
doggroomingnews.com
hanproud.com

# Reference: https://www.riskiq.com/blog/external-threat-management/apt29-bear-tracks/
# Reference: https://otx.alienvault.com/pulse/61090c601d7bda90aed534df
# Reference: https://www.virustotal.com/gui/file/775eff1087c9e134a370cc767aa8fee128ed0ede436a1860119bb1a5ea91111f/detection

http://103.193.4.101
http://111.90.147.248
http://111.90.151.120
http://116.202.251.49
http://116.202.251.5
http://141.255.164.11
http://141.98.214.14
http://152.44.45.10
http://152.89.160.81
http://178.157.13.168
http://185.140.55.35
http://185.207.205.174
http://193.36.116.119
http://193.36.119.162
http://193.36.119.184
http://31.13.195.210
http://37.120.247.163
http://45.124.132.10
http://45.124.132.106
http://91.132.139.195

# Reference: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ (# TrailBlazer)

satkas.waw.pl
/rainloop/forecast

# Reference: https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/

porodicno.ba/wp-content/Agenda.html
wethe6and9.ca/wp-content/Agenda.html

# Reference: https://tria.ge/220721-s7pqcageb5

141.98.212.55:53
209.58.186.196:443

# Reference: https://twitter.com/WhichbufferArda/status/1581688188938358785
# Reference: https://www.virustotal.com/gui/file/56ddc93f0555b4934eef3c5ccd3cf09291240465aaccf373c28e2a0d1eb292a5/detection
# Reference: https://www.virustotal.com/gui/file/05d8b678bc3f14295fe6e8089e144b8adc622d5510e3a8fd7d0dda8f15c4bd13/detection
# Reference: https://www.virustotal.com/gui/file/6ee1e629494d7b5138386d98bd718b010ee774fe4a4c9d0e069525408bb7b1f7/detection

sinitude.com

# Reference: https://twitter.com/felixaime/status/1632448523995103232
# Reference: https://github.com/pan-unit42/tweets/blob/master/2023-03-10-IOCs-for-CloakedUrsa-APT29-Activity.txt

literaturaelsalvador.com/Instructions.html
literaturaelsalvador.com/Schedule.html
signitivelogics.com/BMW.html
signitivelogics.com/Schedule.html

# Reference: https://twitter.com/WhichbufferArda/status/1659254174620557314
# Reference: https://www.virustotal.com/gui/file/6e3b557b1a9c1ecd89eb3be978f8c1b775ee4822262aae9c1ee6c08399a37f73/detection

poetpages.com/pp/l4.php

# Reference: https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/

gtjas.site
info.gtjas.site
1597ebba.info.gtjas.site
3bcc1bba.info.gtjas.site
7c291bbe.info.gtjas.site

# Reference: https://twitter.com/doc_guard/status/1683971701023932416
# Reference: https://twitter.com/StopMalvertisin/status/1684084388546633728
# Reference: https://www.virustotal.com/gui/file/302c0d553c9e7f2561864d79022b780a53ec0a5927e8962d883b88dde249d044/detection

sgrhf.org.pk

# Reference: https://twitter.com/RexorVc0/status/1684820825998774272
# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf
# Reference: https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
# Reference: https://otx.alienvault.com/pulse/64aed22c405b3e8f605125e8

easym6.com/Information.php
fondoftravel.com/contact.php
mightystake.com/sponsorship.php
reidao.com/dashboard.php
resetlocations.com/bmw.htm
sharpledge.com/login.php
simplesalsamix.com/e-yazi.html
sylvio.com.br/form.php
te-as.no/wine.php
willyminiatures.com/e-yazi.html

# Reference: https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
# Reference: https://otx.alienvault.com/pulse/6511f107da5fed8d065d9477

inovaoftalmologia.com.br
kegas.id
kitaeri.com
gavice.ng/event_program.php
parquesanrafael.cl/note.html
sgrfh.org.pk/wp-content/idx.php

# Reference: https://twitter.com/h2jazi/status/1714986809229251067
# Reference: https://www.virustotal.com/gui/file/f78ee3005ca9f0e78a9dd136fc69afe7c06d69d1fc6218bc9e7eb3adec045977/detection

d287-206-123-149-139.ngrok-free.app

# Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
# Reference: https://otx.alienvault.com/pulse/657a2c924ea0e3e9e95e9433

matclick.com

# Reference: https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793

103.76.128.34:8080
bringthenoiseappnew.s3.amazonaws.com
fisheries-states-codes-camps.trycloudflare.com
/ujwphtigdcokr

# Reference: https://twitter.com/SinghSoodeep/status/1763808104221737156 (# SPIKEDWINE)
# Reference: https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
# Reference: https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
# Reference: https://www.virustotal.com/gui/file/a0f183ea54cb25dd8bdba586935a258f0ecd3cba0d94657985bb1ea02af8d42c/detection

siestakeying.com/auth.php
waterforvoiceless.org/invite.php
waterforvoiceless.org/util.php
