# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: appleworm, apt-c-26, dangerous passwords, hidden cobra, guardians of peace, zinc, nickel academy, manuscrypt, applejeus, citrine sleet, diamond sleet, labyrinth chollima, unc4736, poolrat, pondrat

# Reference: https://cdn.securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf

exbonus.mrbasic.com
movis-es.ignorelist.com
tradeboard.mefound.com
update.toythieves.com
sap.misapor.ch

# Reference: https://securelist.com/operation-applejeus/87553/

celasllc.com
185.142.236.226
185.142.239.173
196.38.48.121
80.82.64.91

# Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea

tpddata.com
itaddnet.com
wifispeedcheck.net
coinoen.org
coinmaketcape.com
bitfiniex.org
apshenyihl.com/include/arc.speclist.class.php
ap8898.com/include/arc.search.class.php
anlway.com/include/arc.search.class.php
tpddata.com/skins/skin-8.thm
tpddata.com/skins/skin-6.thm
168wangpi.com/include/charset.php
ando.co.kr/service/s_top.asp
ansetech.co.kr/smarteditor/common.asp
mileage.krb.co.kr/common/db_conf.asp
028xmz.com/include/common.php
33cow.com/include/control.php
51up.com/ace/main.asp
530hr.com/data/common.php
97nb.net/include/arc.sglistview.php
marmarademo.com/include/extend.php
paulkaren.com/synthpop/main.asp
shieldonline.co.za/sitemap.asp

# Reference: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/
# Reference: https://twitter.com/KevinPerlow/status/1083759627714682880
# Reference: https://twitter.com/Bank_Security/status/1107543887462064128
# Reference: https://www.hybrid-analysis.com/sample/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/5c8a414a0388381b3f329926
# Reference: https://www.virustotal.com/gui/file/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/detection
# Reference: https://twitter.com/ClearskySec/status/1084463729633316864

bodyshoppechiropractic.com
drupdate.club
ecombox.store
/tbl_add.php

# Reference: https://otx.alienvault.com/pulse/5c8b8e19261a7451de02bf60/

http://37.238.135.70/img/anan.jpg

# Reference: https://otx.alienvault.com/pulse/5c9a4d9f90726d0988873a2b
# Reference: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/

dev.microcravate.com
nzssdm.com
bluecreekrobotics.com/wp-includes/common.php
dev.microcravate.com/wp-includes/common.php
dev.whatsyourcrunch.com/wp-includes/common.php
enterpriseheroes.com.ng/wp-includes/common.php
hrgp.asselsolutions.com/wp-includes/common.php
baseballcharlemagnelegardeur.com/wp-content/languages/common.php
bogorcenter.com/wp-content/themes/index2.php
eventum.cwsdev3.bi.com/wp-includes/common.php
streamf.ru/wp-content/index2.php
towingoperations.com/chat/chat.php
vinhsake.com/wp-content/uploads/index2.php
tangowithcolette.com/pages/common.php

# Reference: https://twitter.com/blackorbird/status/1110750919082147842
# Reference: https://blog.alyac.co.kr/2219

alahbabgroup.com
http://47.91.56.21/verify.php
http://103.225.168.159/admin/verify.php

# Reference: https://twitter.com/blackorbird/status/1111449536910680065

wb-bot.org
wb-invest.net

# Reference: https://twitter.com/KevinPerlow/status/1136994848341409792

sbackservice.com

# Reference: https://twitter.com/navSi16/status/1148192534654439426
# Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7

sensationalsecrets.com/js/left.php

# Reference: https://twitter.com/blackorbird/status/1148843702690832385

194.45.8.41:443

# Reference: https://twitter.com/bad_packets/status/1148864469486854144
# Reference: https://pastebin.com/G0Ad5Ut6

http://178.128.253.67/tbl_add.php

# Reference: https://twitter.com/RedDrip7/status/1148887458152472576

byucksanpaint.com/community/com_gon_open.asp

# Reference: https://otx.alienvault.com/pulse/5d2c64b174175b03e7db85cd

http://103.53.176.145:8080/ServiceDeskPlus/products.do
http://111.68.126.155:8080/ServiceDeskPlus/products.do
http://137.117.57.244:8080/ServiceDeskPlus/products.do
chanbang.co.kr/board/check.asp
chanbang.co.kr/family/check.asp
chanbang.co.kr/gonggu/upload.asp
difa.or.kr/common/asp/inc_Comn.asp
edenenc.co.kr/Report/RptMyReport.asp
egreenland.co.kr/cheditor2/example/newpost.asp
hanbook.co.kr/partnershop/hanmail_ep.asp
img.kindermom.co.kr/frameart/print/footer.mov
kgsa1015.co.kr/upload/member/member.asp
rodaxsankyokorea.com/upload/favicon/favicon.asp
sinokor-eng.com/sub/sub01_09.asp

# Reference: https://otx.alienvault.com/pulse/5d2dca0a1c7d00fa07be15e5

byucksanpaint.com/community/com_gon_open.asp
byucksanpaint.com/main/main4.asp
keyang.co.kr/pub/editor/wa_path.asp
upload.childu.co.kr/include/OnlyOne1.asp

# Reference: https://twitter.com/cyberwar_15/status/1152035187196223488

lavaandstone.com/wp-content/plugins/fusion-core/about.php
sales.alitho.com/wp-content/themes/sketch/about.php
amytanathorn.com/wp-admin/includes/about.php

# Reference: https://twitter.com/cyberwar_15/status/1153123863435214848

rhythm86.com/wp-content/themes/twentysixteen/about.php
cabba-cacao.com/wp-content/themes/integral/about.php
3x-tv.com/plugins/editors/about.php

# Reference: https://twitter.com/KorbenD_Intel/status/1158479283549089792
# Reference: https://www.virustotal.com/gui/file/3bba04f277e7f51a5500f7b144fdbd851954e4f94bb0290e49fc63f6fc807321/detection

policyupdates.info

# Reference: https://twitter.com/cyberwar_15/status/1166282138179624960
# Reference: https://twitter.com/navSi16/status/1166287915959214080

youdermoscopy.org/media/fly.avi
youdermoscopy.org/media/fly312.avi

# Reference: https://blog.alyac.co.kr/2500 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d6940cb9e719255258969f5

alnagm-press.com/wp-content/plugins/cloudflare/list.php
elsouq.org/aramex/left.php
swedishmassageamsterdam.nl/wp-content/themes/top.php

# Reference: https://twitter.com/cyberwar_15/status/1175940165425958912

http://158.69.57.135
http://92.222.106.229

# Reference: https://securelist.com/my-name-is-dtrack/93338/
# Reference: https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/
# Reference: https://otx.alienvault.com/pulse/5d88b31dea7f4b9d4701d7e8
# Reference: https://www.virustotal.com/gui/file/fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702/detection
# Reference: https://www.virustotal.com/gui/file/58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb/detection

katawaku.jp/bbs/data/theme/profile2.php
materialindia.in
totalmateria.net
cyberub.com/board/icon/template/template_ro.php
/gallery/profile2.php
/theme/profile2.php
/wp/profile2.php

# Reference: https://twitter.com/KseProso/status/1178580006047539200

heromessi.com/wp-public/career/car_add.php

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-12-lazarus-resurfaces-targets-global-banks-bitcoin-users/lazarus-resurfaces-targets-global-banks-bitcoin-users.csv

deltaemis.com

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-11-20-android-malware-appears-linked-to-lazarus-cybercrime-group/android-malware-appears-linked-to-lazarus-cybercrime-group.csv

vmware-probe.zol.co.zw

# Reference: https://app.any.run/tasks/01497f45-7fba-4356-bbdc-4270e51c2465/
# Reference: https://twitter.com/Rmy_Reserve/status/1181528617374777344
# Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea

gp-core.com
gp-main.com

# Reference: https://twitter.com/VK_Intel/status/1182722604240719872
# Reference: https://objective-see.com/blog/blog_0x49.html (# AppleJeus)

185.228.83.32:443
beastgoc.com
/grepmonux.php

# Reference: https://twitter.com/kyleehmke/status/1184120287199223808
# Reference: https://www.virustotal.com/gui/ip-address/185.228.83.129/relations

dev.jmttrading.org

# Reference: https://twitter.com/RedDrip7/status/1186562944311517184
# Reference: https://blog.alyac.co.kr/2388 (Korean)
# Reference: https://twitter.com/RedDrip7/status/1186562944311517184
# Reference: https://otx.alienvault.com/pulse/5db06ad90686f3bad959d7fc

crabbedly.club
craypot.live
czinfo.club
indagator.club
pegasusco.net
smilekeepers.co

# Reference: https://twitter.com/0xD0CF11E0A1B11/status/1187264570861076481

thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi
juliesoskin.com/includes/common/list.php
necaled.com/modules/applet/list.php
valentinsblog.de/wp-admin/includes/list.php

# Reference: https://twitter.com/blackorbird/status/1187619261612609536
# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html
# Reference: https://www.virustotal.com/gui/ip-address/218.255.24.226/relations

119.18.230.253:443
218.255.24.226:443

# Reference: https://twitter.com/Rmy_Reserve/status/1188235835956551680
# Reference: https://app.any.run/tasks/42c972b1-ec38-4637-9354-9de930ff50b2/

curiofirenze.com

# Reference: https://twitter.com/blackorbird/status/1202177008572092417

unioncrypto.vip

# Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/

107.172.197.175:443
172.93.201.219:443
192.210.213.178:443
198.180.198.6:443
209.90.234.34:443
23.227.196.116:443
23.227.199.53:443
23.254.119.12:443
23.81.246.179:443
37.72.175.179:443
64.188.19.117:443
74.121.190.121:443

# Reference: https://securelist.com/operation-applejeus-sequel/95596/
# Reference: https://otx.alienvault.com/pulse/5e15b526b4f8bc605744ad76

aeroplans.info
beastgoc.com
buckfast-zucht.de
chainfun365.com
cyptian.com
invesuccess.com
jmttrading.org
mydealoman.com
private-kurier.com
unioncrypto.vip
wb-bot.org
wb-invest.net
wfcwallet.com

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-03-08-hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.csv

falcancoin.io

# Reference: https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045d
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045e
# Reference: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045b
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045a
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045f

94.177.123.138:8088
193.56.28.103:88
197.211.212.59:7443
181.39.135.126:7443
112.175.92.57:443
81.94.192.147:443
21.252.107.198:23164
70.224.36.194:59681
113.114.117.122:23397
47.206.4.145:59067
84.49.242.125:17770
26.165.218.44:2248
137.139.135.151:64694
97.90.44.200:37120
128.200.115.228:52884
186.169.2.237:65292
188.165.37.168:80
159.100.250.231:80
159.100.250.231:8080
107.6.12.135:443
210.202.40.35:443

# Reference: https://twitter.com/AffableKraut/status/1234726033930248198

74.121.190.140:8443

# Reference: https://twitter.com/RedDrip7/status/1254678135133442048
# Reference: https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-targeted-attack-against-south-korea-using-new-crown-outbreak-bait/
# Reference: https://www.virustotal.com/gui/domain/teslacontrols.ir/relations

afuocolento.it/wp-admin/network/server_test.php
kingsvc.cc
mbrainingevents.com/wp-admin/network/server_test.php
sofa.rs/wp-admin/network/server_test.php
sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg
teslacontrols.ir/wp-includes/images/detail31.jpg
teslacontrols.ir/wp-includes/images/detail32.jpg
/wp-admin/network/server_test.php

# Reference: https://twitter.com/cyberwar_15/status/1254736896330133504

matteoragazzini.it/wp-content/uploads/2017/06/category.php

# Reference: https://twitter.com/DeadlyLynn/status/1257504361577496576
# Reference: https://twitter.com/ShadowChasing1/status/1257511608189743105

astedams.it/uploads/template/17.dotm
astedams.it/include/inc-elenco-offerter.asp

# Reference: https://twitter.com/spider_girl22/status/1258224278194941953

astedams.it/uploads/frame/61.dotm

# Reference: https://objective-see.com/blog/blog_0x57.html
# Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/
# Reference: https://otx.alienvault.com/pulse/5eb2fabf6c26a287f705ca20

185.62.58.207:443
67.43.239.146:443

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md#IOC
# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/CSV/IOC-Lazarus_2020_05_05.csv
# Reference: https://www.virustotal.com/gui/file/1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f/behavior/VMRay
# Reference: https://www.virustotal.com/gui/file/66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88/behavior/QiAnXin%20RedDrip

51.77.65.154:443
192.169.250.185:443
sanlorenzoyacht.com/newsl/uploads/docs/43.dotm
elite4print.com/admin/order/batchPdfs.asp
od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm

# Reference: https://twitter.com/cyberwar_15/status/1264353716930412544
# Reference: https://www.virustotal.com/gui/file/e637c86ae20a7f36a0ad43618b00c48f47b5591a03af3fb689a16c45afa43733/detection
# Reference: https://www.virustotal.com/gui/file/d3a402458682c4febacc6ae4bc98e15e92142603a97d51316eeee9e8bca77f88/detection

depts.washington.edu/dswkshp/wordpress/wp-content/themes/twentyfifteen/inc/io/

# Reference: https://twitter.com/spider_girl22/status/1265486116393713665

anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg

# Reference: https://twitter.com/cyberwar_15/status/1265266629044080642
# Reference: https://asec.ahnlab.com/1323 (Korean)

mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php
sixbitsmedia.com/wp-content/uploads/wp-logs/category.php

# Reference: https://twitter.com/ShadowChasing1/status/1267431134662541317

fudcitydelivers.com
sctemarkets.com

# Reference: https://twitter.com/IntezerLabs/status/1268158680593313794

threegood.cc

# Reference: https://twitter.com/ccxsaber/status/1268020350605910016

coingotrade.com
kupaywallet.com

# Reference: https://twitter.com/Vishnyak0v/status/1269635930878545922

bluemoonresearch.org
fitnessdirector.net

# Reference: https://twitter.com/RedDrip7/status/1270201358721769475

paghera.com/include/inc-main-default-news.asp

# Reference: https://twitter.com/ShadowChasing1/status/1270728525926944768

ne-ba.org/files/gallery/img/img.asp

# Reference: https://twitter.com/MBThreatIntel/status/1270741821560406019

160.20.147.253:8443
audiopodcasts.co/verify.php
lastedforcast.com/list.php

# Reference: https://twitter.com/spider_girl22/status/1275366600560873473
# Reference: https://www.virustotal.com/gui/file/0fa91cac5712cfc0848af092190fd3d09948f1a7750547f0f16d1867dac6288a/detection

thestreetsmartsalesman.com/wp-content/uploads/wp-logs/category.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1275396942139469824
# Reference: https://app.any.run/tasks/5ddb7e93-bfc8-49a9-bd52-6b70f57c3846/

scertodisha.nic.in/wp-content/plugins/photo-gallery/admin/controllers/Photo.php
haciendasacchich.com/wp-content/plugins/photo-gallery/admin/views/404.php
annafalkenau.com/awstats/data/upload.php

# Reference: https://blog.reversinglabs.com/blog/hidden-cobra
# Reference: https://otx.alienvault.com/pulse/5ef2252af73ae43d92eecd15

1688dsj.com
amytanathorn.com
ccsnbao.com
fmose.com
fudcitydelivers.com
lavaandstone.com
sctemarkets.com
vns1389.com

# Reference: https://twitter.com/ShadowChasing1/status/1276324740878102529

anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg

# Reference: https://twitter.com/JAMESWT_MHT/status/1276471822217891840
# Reference: https://app.any.run/tasks/109752e9-2c7f-4d5c-9c3f-300bddc4c0db/

down.1230578.com

# Reference: https://twitter.com/felixaime/status/1280053007036624896
# Reference: https://sansec.io/research/north-korea-magecart
# Reference: https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/
# Reference: https://www.virustotal.com/gui/file/a6c803d7a185f896a6c90f78891c5dbb904df3535825764e05432641ab059fb1/detection

areac-agr.com
papers0urce.com

# Reference: https://twitter.com/gwillem/status/1281128245052805120

focuscamere.com

# Reference: https://twitter.com/patrickwardle/status/1286109626941845504
# Reference: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/

104.232.71.7:443
107.172.197.175:443
108.170.31.81:443
111.90.146.105:443
111.90.148.132:443
172.81.132.41:443
172.93.184.62:443
172.93.201.219:443
185.62.58.207:443
192.210.239.122:443
198.180.198.6:443
209.90.234.34:443
216.244.71.233:443
23.227.199.53:443
23.227.199.69:443
23.254.119.12:443
67.43.239.146:443
68.168.123.86:443

# Reference: https://twitter.com/cyberwar_15/status/1287291019537473538

nextlevelliving.pro/wp-content/uploads/js_composer/images/8c206b81-f5b1-4242-84d3-237ce728ff35.php

# Reference: https://twitter.com/AnonySecAgency/status/1290115260116897792
# Reference: https://www.virustotal.com/gui/file/40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13/detection

publishapp.co

# Reference: https://twitter.com/RedDrip7/status/1293462469214531584
# Reference: https://www.virustotal.com/gui/file/b0921142f8d3067c8253931977999a5092470ff3e562586d87af68c28ec66a99/detection

unsunozo.org/include/notes/notes.asp

# Reference: https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html
# Reference: https://otx.alienvault.com/pulse/5f4d20e8d417f271a62e0aeb

gestao.simtelecomrs.com.br/sac/digital/client.jsp
sac.onecenter.com.br/sac/masks/wfr_masks.jsp
mk.bital.com.br/sac/Formule/Manager.jsp

# Reference: https://twitter.com/IntezerLabs/status/1300403461809491969
# Reference: https://analyze.intezer.com/analyses/13d64c6e-6ac7-4888-a682-138a06cbaf16/
# Reference: https://www.virustotal.com/gui/file/390f9aae2dd5f0584106e3aa315bbd28a8c6479f126a4f13c7c3a62e19356634/detection

104.217.163.61:443
107.175.172.129:443
37.72.168.228:443

# Reference: https://twitter.com/ShadowChasing1/status/1302180729174937600

fabianiarte.com/uploads/imgup/21it-23792.jpg

# Reference: https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html
# Reference: https://otx.alienvault.com/pulse/5f7389601681e32d5bf045f6

automercado.co.cr/empleo/css/main.jsp
curiofirenze.com/include/inc-site.asp
ne-ba.org/files/news/thumbs/thumbs.asp
sanlorenzoyacht.com/newsl/include/inc-map.asp

# Reference: https://twitter.com/h2jazi/status/1311644338812792833
# Reference: https://www.virustotal.com/gui/file/d2f1cccfe688c074c3d58ae8f7be7b10dbea5d7ae53320c3f7b6e48cd4f62955/detection

phukien2a.net/images/images.zip.000

# Reference: https://blog.talosintelligence.com/2020/11/crat-and-plugins.html
# Reference: https://otx.alienvault.com/pulse/5faf04431c479940b422288b

teslacontrols.ir/wp-includes/images/detail31.jpg
teslacontrols.ir/wp-includes/images/detail32.jpg
sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg
publishapp.co/update/check.php
sideforum.cc/forum/list.php
freeforum.co/forum/list.php
goodfriend.pro/projects/list.php
friendship.me/users/register.php
threegood.cc/api/manage/customers
Engpro.xyz/images/detail.php
infocop.me/products/list.php
teamspit.pro/adverts/follow.php
dodoi.cc/photos/preview.php
advertapp.me/user/invite.php
insideforum.me/forum/list.php
anyoneforum.cc/forum/list.php
goodproject.xyz/projects/list.php
hellofriend.pro/users/register.php
moonge.cc/wp-content/plugins/google-sitemap-generator/sitemap-builder-embed.php
calculactcal.org/wp-content/themes/twentysixteen/body.php
3cuartos.com/wp-content/plugins/music-press-pro/templates/global/update.php
worldfoodstory.co.uk/wp-includes/register.php
bokkeriejesj.nl/wp-content/plugins/music-press-pro/upload.php
encontrosmaracatu.com.br/wp-content/plugins/music-press-pro/templates/global/topmenu.php
theblackout.fr/wp-content/plugins/music-press-pro/music-pro.php
mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php
tiramisu.it/wp-content/plugins/wp-comment-form.php
kartacnictvi.cz/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/upload.php
dimer-group.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/download.php
ecolerubanvert.com/wp-content/plugins/image-intense/know.php
lwac.com/wp-content/plugins/gallery-plugin/includes/demo-data/images/music/photo.php
copansrl.it/wp-admin/user/invite.php
arar-musique.fr/wp-content/plugins/music-press-pro/includes/admin/upgrade.php
firstalliance.church/wp-content/plugins/music-press/templates/404.php
erickeleo.com.br/wp-content/plugins/music-press-pro/go.php
kingsvc.cc/index.php
sofa.rs/wp-admin/network/server_test.php
afuocolento.it/wp-admin/network/server_test.php
mbrainingevents.com/wp-admin/network/server_test.php
afuocolento.it/wp-includes/process.php

# Reference: https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/
# Reference: https://otx.alienvault.com/pulse/5fb4044fd5f18831c24c6af6

cowp.or.kr/html/board/main.asp
erpmas.co.kr/Member/franchise_modify.asp
fored.or.kr/home/board/view.php
gncaf.or.kr/cafe/cafe_board.asp
gongsinet.kr/comm/comm_gongsi.asp
goojoo.net/board/banner01.asp
hsbutton.co.kr/bbs/bbs_write.asp
hstudymall.co.kr/easypay/web/bottom.asp
ikrea.or.kr/main/main_board.asp
pcdesk.co.kr/Freeboard/mn_board.asp
pgak.net/service/engine/release.asp
quecue.kr/okproj/ex_join.asp
style1.co.kr/main/view.asp
wowpress.co.kr/customer/refuse_05.asp
zndance.com/shop/post.asp

# Reference: https://twitter.com/h2jazi/status/1334353120038678528
# Reference: https://www.virustotal.com/gui/file/c19064733f2a23f09c8b16b3847cceeac8f61488be57911cefceb75425501097/detection

ilhak.co.kr/images/data/upload.asp
ktri.or.kr/upload/mail/upload.asp
warevalley.com/support/orange_open.asp

# Reference: https://twitter.com/BitsOfBinary/status/1321488299932983296
# Reference: https://twitter.com/BitsOfBinary/status/1337330286787518464
# Reference: https://twitter.com/mg2_tracy1/status/1337335098224508928
# Reference: https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=3051

admforte.com.br/wp-content/plugins/top.php
dafnefonseca.com/wp-content/themes/top.php
drei-schneeballen.de/wp-content/plugins/nextgen-gallery/view.php
funny-pictures.picphotos.net/saint-louis-senior-photos-senior-pictures-seniors-st-louis-st-louis/upload.php
greenvideo.nl/wp-content/themes/top.php
haciendadeclarevot.com/wp-content/top.php
justholdfast.com/doodle/wp-content/plugins/top.php
qwerty.creativehonduras.com/wp-includes/class-wp-redirect.php
shahrtdc.com/wp-content/plugins/top.php
tag-cloud-photo.freeware.filetransit.com/login.php
urbankizomba.se/wp-content/plugins/photo-gallery/filemanager/upload.php

# Reference: https://otx.alienvault.com/pulse/5fd8dbfcfed23b6fa1393ea9

yakufreshperu.com/facturacion/public/css/main.php
shikshakibaat.com/classes/detail.jsp
sanlorenzoyacht.com/newsl/include/inc-map.asp
paghera.com/content/view/thumb/info.asp
lyzeum.com/popup/popup.asp
index-consulting.jp/eng/news/index.php
hansolhope.or.kr/welfare/notice/view.jsp
forecareer.com/gdcareer/officetemplate-20nab.asp
fidesarte.it/thumb/multibox/style/common.asp
fabianiarte.com/uploads/imgup/21it-23792.jpg
fabianiarte.com/pdf/thumbs/thumb.asp
emilypress.com/CMWorking/Static/service/center.asp
curiofirenze.com/include/inc-site.asp
calculadoras.mx/themes/pack/pilot.php
automercado.co.cr/empleo/css/main.jsp
astedams.it/photos/image/image.asp
arumdaunresort.com/admin/html/user/contact.asp
apars-surgery.org/bbs/bbs_files/board_photo/menu.php
anca-aste.it/uploads/form/02E319AF73A33547343B71D5CB1064BC.dotm
vega.mh-tec.jp/.well-known/index.php
turnscor.com/ACT/images/slide/view.jsp
prestigein-am.jp/akita/wp-includes/wp-rss1.php
genieaccount.com/images/common/common.asp
acanicjquery.com/slides/style.php
mannpublicwhseltd.com/cservice.asp
hirokawaunso.co.jp/wordpress/wp-includes/review.php
anisweb.org/layout/site/style/preview.jsp
support.medicalinthecloud.com/TechCenter/include/slide.asp
pennontraders.com/assets/slides/view.jsp
indoweb.org/love/data/common/common.php
admin.shcpa.co.kr/_asapro2/formmail/lib.php
http://137.74.114.227/theveniaux/webliotheque/public/css/main.php
http://125.206.177.152/old/viewer.php

# Reference: https://twitter.com/BitsOfBinary/status/1339623925274296323

muzeyyengroup.com/wp-content/help.php
puskesmas-terminal.com/wp-content/help.php
zeandf.com/wp-content/help.php

# Reference: https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
# Reference: https://otx.alienvault.com/pulse/5fe36c30dbe6a83c04783415

bytecortex.com.br/eletronicos/digital.jsp
client.livesistemas.com/Live/posto/system.jsp
cometnet.biz/framework/common/common.asp
gongim.com/board/ajax_Write.asp
iski.silogica.net/events/serial.jsp
k-kiosk.com/bbs/notice_write.asp
kne.co.kr/upload/Customer/BBS.asp
locknlockmall.com/common/popup_left.asp
sac.najatelecom.com.br/sac/Dados/ntlm.jsp
sistema.celllab.com.br/webrun/Navbar/auth.jsp

# Reference: https://twitter.com/ShadowChasing1/status/1349924271791882247
# Reference: https://www.virustotal.com/gui/file/867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36/detection
# Reference: https://www.virustotal.com/gui/file/89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957/detection

aideck.net

# Reference: https://twitter.com/ShadowChasing1/status/1349927630183694339

creaideck.com/update/darwin64.bin

# Reference: https://www.virustotal.com/gui/file/d09041e3d635ddb28540b11cf180a30a28fc04c2ee6e5d994aa0bacc9633e944/detection

hpc.kau.ac.kr/rolling_banner/tmp4c5ae3.p3a
hpc.kau.ac.kr/error2.php

# Reference: https://twitter.com/BushidoToken/status/1353684625382641664
# Reference: https://www.virustotal.com/gui/ip-address/120.138.8.26/relations
# Reference: https://www.virustotal.com/gui/file/cabb45c99ffd8dd189e4e3ed5158fac1d0de4e2782dd704b2b595db5f63e2610/detection
# Reference: https://www.virustotal.com/gui/file/a9b3bc337043c04f529b2c19b3e33df1ad59bce27c074427e7b563db3a83c37b/detection
# Reference: https://www.virustotal.com/gui/file/bdf9fffe1c9ffbeec307c536a2369eefb2a2c5d70f33a1646a15d6d152c2a6fa/detection

advantims.com

# Reference: https://twitter.com/ShadowChasing1/status/1353972356759187456

angeldonationblog.com

# Reference: https://twitter.com/K_N1kolenko/status/1353975032104558592
# Reference: https://twitter.com/500mk500/status/1353992570519609344
# Reference: https://twitter.com/RedDrip7/status/1354038387603197952
# Reference: https://twitter.com/sS55752750/status/1354059524739653633
# Reference: https://twitter.com/vngkv123/status/1357247638228226053
# Reference: https://twitter.com/blackorbird/status/1357259907448229888
# Reference: https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg (Korean)
# Reference: https://enki.co.kr/blog/2021/02/04/ie_0day.html (Korean)
# Reference: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# Reference: https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/
# Reference: https://otx.alienvault.com/pulse/60103a3268891c63b1f24d74
# Reference: https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection
# Reference: https://www.virustotal.com/gui/file/a08d24f74027256c6fd5c5a2fdb15b12889971fbdcfa7a28ffebbfe8b15aaefb/detection
# Reference: https://www.virustotal.com/gui/file/9c906c2f3bfb24883a8784a92515e6337e1767314816d5d9738f9ec182beaf44/detection
# Reference: https://www.virustotal.com/graph/embed/g4784ec032b3f4cb987a616f4b2dbc9aa9a982d9b20494f8980ae611a4ca3a1d8

angeldonationblog.com
codebiogblog.com
codevexillium.org
investbooking.de
krakenfolio.com
opsonew3org.sg
transferwiser.io
transplugin.io
blog.br0vvnn.io
codevexillium.org/image/download/download.asp
colasprint.com/_vti_log/upload.asp
dronerc.it/forum/uploads/index.php
dronerc.it/shop_testbr/Adapter/Adapter_Config.php
dronerc.it/shop_testbr/Core/upload.php
dronerc.it/shop_testbr/upload/upload.php
edujikim.com/intro/blue/insert.asp
fabioluciani.com/ae/include/constant.asp
fabioluciani.com/es/include/include.asp
loonsaloon.com/wp-content/plugins/revslider/hello.php
transplugin.io/upload/upload.asp
trophylab.com/notice/images/renewal/upload.asp

# Reference: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
# Reference: https://otx.alienvault.com/pulse/601052e27a2c451b3ba5ed31

akramportal.org/public/voice/voice.php
commodore.com.tr/mobiquo/appExtt/notdefteri/writenote.php
fabianiarte.com/newsletter/arte/view.asp
hirokawaunso.co.jp/wordpress/wp-includes/ID3/module.audio.mp4.php
index-consulting.jp/eng/news/index.php
inovecommerce.com.br/public/pdf/view.php
ja-fc.or.jp/shop/shopping.php
kenpa.org/yokohama/main.php
leemble.com/5mai-lyon/public/webconf.php
mail.clicktocareers.com/dev_clicktocareers/public/mailview.php
scimpex.com/admin/assets/backup/requisition/requisition.php
tronslog.com/public/appstore.php
vega.mh-tec.jp/.well-known/index.php

# Reference: https://twitter.com/Dashowl/status/1354264740692942848

trophylab.com/design/trophy/product/lmages/logo.png
worldspia.kr/upload_images/inc/LOG.PHP

# Reference: https://twitter.com/mattyb1512/status/1354070629469872129

ctrac.online

# Reference: https://twitter.com/h2jazi/status/1362109944791764993
# Reference: https://www.virustotal.com/gui/file/0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba/detection
# Reference: https://www.virustotal.com/gui/file/91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd/detection
# Reference: https://www.virustotal.com/gui/file/dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61/detection

kupaywallet.com
levelframeblog.com
dorusio.com/dorusio_update.php

# Reference: https://twitter.com/ShadowChasing1/status/1362362744909930496

materialindia.in/wp/wp-main/gallery/profile2.php
totalmateria.net/wp/profile2.php

# Reference: https://securelist.com/lazarus-threatneedle/100803/
# Reference: https://otx.alienvault.com/pulse/6037c3cea83bb963f5be0d51/

http://156.245.16.55/admin/admin.asp
americanhotboats.com/forums/core/cache/index.php
astedams.it/photos/image/image.asp
au-pair.org/admin/Newspaper.asp
au-pair.org/admin/login.asp
automercado.co.cr/empleo/css/main.jsp
cloudarray.com/images/logo/videos/cache.jsp
colasprint.com/_vti_log/upload.asp
curiofirenze.com/include/inc-site.asp
dellarocca.net/it/content/img/img.asp
digitaldowns.us/artman/exec/upload.php
djasw.or.kr/sub/popup/images/upfiles.asp
docentfx.com/wp-admin/includes/upload.php
dronerc.it/forum/uploads/index.php
dronerc.it/shop_testbr/Adapter/Adapter_Config.php
edujikim.com/intro/blue/view.asp
edujikim.com/pay/sample/INIstart.asp
edujikim.com/smarteditor/img/upload.asp
fabioluciani.com/ae/include/constant.asp
fabioluciani.com/es/include/include.asp
forum.iron-maiden.ru/core/cache/index.php
forum.snowreport.gr/cache/template/upload.php
fredrikarnell.com/marocko2014/index.php
geeks-board.com/blog/wp-content/uploads/2017/cache.php
gonnelli.it/uploads/catalogo/thumbs/thumb.asp
juvillage.co.kr/img/upload.asp
kannadagrahakarakoota.org/forums/admincp/upload.php
kbcwainwrightchallenge.org.uk/connections/dbconn.asp
kwwa.org/DR6001/FN6006LS.asp
kwwa.org/popup/160307/popup_160308.asp
lyzeum.com/board/bbs/bbs_read.asp
lyzeum.com/images/board/upload.asp
martiancartel.com/forum/customavatars/avatars.php
mdim.in.ua/core/cache/index.php
newidealupvc.com:443/img/prettyPhoto/jquery.max.php
polyboatowners.com/2010/images/BOTM/upload.php
polyboatowners.com/css/index.php
prototypetrains.com:443/forums/core/cache/index.php
raiestatesandbuilders.com/admin/installer/installer/index.php
roit.co.kr/xyz/mainpage/view.asp
sanatoliacare.com/include/index.asp
sanlorenzoyacht.com/newsl/include/inc-map.asp
shinwonbook.co.kr/basket/pay/open.asp
shinwonbook.co.kr/board/editor/upload.asp
theforceawakenstoys.com/vBulletin/core/cache/upload.php
waterdoblog.com/uploads/index.asp

# Reference: https://twitter.com/AnonySecAgency/status/1366971633458548738
# Reference: https://twitter.com/ShadowChasing1/status/1366988046294376450
# Reference: https://www.virustotal.com/gui/file/03cd4ec3defa490e68b1ca2efaf8daea6f89d3cceed51c91f4c4f9e2222d258d/detection

gcloud-share.com
dshellelink.gcloud-share.com

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1225581378840006656 (# DangerousPasswords)
# Reference: https://pastebin.com/raw/cLWvyJ20
# Reference: https://twitter.com/Rmy_Reserve/status/1230881875767377920
# Reference: https://twitter.com/ShadowChasing1/status/1328208737933246464
# Reference: https://www.virustotal.com/gui/file/4c574c1a2b126c8a5ba1ef9560516d0ac9990c0253119f874eb084b57742e3d7/detection

http://84.201.189.216
103.205.179.4:8080
amazonaws1.info
gdrvup.xyz
gmaildrive.site
googleauth.pro
googledriver.info
googleupload.info
liveonedrvshare.xyz
secureshares.online
gdriveupload.info

# Reference: https://twitter.com/Rmy_Reserve/status/1246404220040802309 (# DangerousPassword)

88.204.166.59:8080

# Reference: https://twitter.com/ShadowChasing1/status/1339195498519875585 (# DangerousPassword)

gdocshare.com

# Reference: https://twitter.com/ShadowChasing1/status/1367368069618700291
# Reference: https://twitter.com/_re_fox/status/1260931809103101957
# Reference: https://twitter.com/_re_fox/status/1301564536575733760
# Reference: https://twitter.com/_re_fox/status/1301565785345863689
# Reference: https://twitter.com/mattnotmax/status/1370311682354941954
# Reference: https://twitter.com/cyber__sloth/status/1285510760303656960
# Reference: https://www.virustotal.com/gui/file/d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805/detection
# Reference: https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_302_kodera_jp.pdf (Japanese)
# Reference: https://www.virustotal.com/gui/file/01184a5acb8b3ec56c9e90f2e6cd6673ae83b4fd6982e17329b33da2f77bcf5b/detection

doc.gsheetshare.org
docs.dsharefile.tech
docs.gdriveshare.top
drop.trailads.net
dsharefile.tech
gsheetshare.org
filehost.network
mdown.showprice.xyz
mse.theworkpc.com
name.ownemail.me
newsbtctech.com
ownemail.me
share.onedrvfile.site
shop.newsbtctech.com
trailads.net
up.digifincx.com
up.myemail.works

# Reference: https://twitter.com/ShadowChasing1/status/1339933511973699584 (# DangerousPassword)
# Reference: https://www.virustotal.com/gui/file/c64e2993563345fd497cfc382de27c7791b4f172d2c50d79b6290c2f9c06102c/detection

google-clouds.com

# Reference: https://twitter.com/cyber__sloth/status/1344208175168368641 (# DangerousPassword)
# Reference: https://twitter.com/cyber__sloth/status/1344208380525752321 (# DangerousPassword)

addrcheck.corecheckmailsrv.com
cloud-sheet.net
cloud.optvers.net
corecheckmailsrv.com
digitalcurencygroup.co
down.privatework.buzz
fidelitydigitalsassets.com
gdocshare.com
goglestorage.com
google-clouds.com
googleproduct.org
gsuiteshare.com
msftoffice.com
myemail.works
official.googleproduct.org
presentonline.xyz
privatework.buzz
sharesvr.net

# Reference: https://twitter.com/h2jazi/status/1369305004922855431
# Reference: https://twitter.com/h2jazi/status/1369307165807280135

torgirf.ru/loginhome.css

# Reference: https://twitter.com/h2jazi/status/1370024802791096320
# Reference: https://www.virustotal.com/gui/file/46fcbc170e84d8ad48434251421bd8f6fa49a7e741d2c24d31c170c607c60d51/detection
# Reference: https://www.virustotal.com/gui/file/c8a8d2caa429a8bbe885ef8d59d982b4bfd9c48f1255ff69e3b81c6bbd7b2925/detection

dronerc.it/shop_testbr/localization/dir_photoes/image.php
dronerc.it/shop_testbr/localization/dir_photoes/logo.php

# Reference: https://twitter.com/h2jazi/status/1354880834092859395
# Reference: https://www.virustotal.com/gui/ip-address/104.168.158.103/relations
# Reference: https://www.virustotal.com/gui/file/aec3ced40a3451dc2c6b1704cc50b0e0c8e549faaa8ae42b6d6f421b4fc2ef8a/detection
# Reference: https://www.virustotal.com/gui/file/e7a4d8b80dc653a47440db2a8deaf782109bb710e5d4311bc3d7685dba715865/detection
# Reference: https://www.virustotal.com/gui/file/75d3d96033db529c9ae698ac6de8fba420c2daa5d97614d7118f49e03c2d83d3/detection

documentprotect.live
documentprotect.pro

# Reference: https://twitter.com/h2jazi/status/1373985591814197250
# Reference: https://www.virustotal.com/gui/file/09b83a501b8f919fc4861735097dd50957f21e81209d362b4fa425bd3348a495/detection

cloudshare.jumpshare.vip

# Reference: https://twitter.com/HONKONE_K/status/1374178555634933762
# Reference: https://www.virustotal.com/gui/file/66e96fbd6e977ddef3f0a2924978d92e5d67bd96e68dc4832f5041dbd40bcfc9/detection
# Reference: https://www.virustotal.com/gui/file/e087d06c552aeef36c2ba9fdd14b06fca499f2d37dfea21e480a02a748b19bf1/detection

antcapital.us
document.antcapital.us
protect.antcapital.us

# Reference: https://twitter.com/DrN1ght/status/1374026917343543301

chemistryworld.us
coinbigex.com
innoenergy.info
mclland.com
qooqle.download

# Reference: https://twitter.com/h2jazi/status/1375528365587894272
# Reference: https://www.virustotal.com/gui/file/2fdba1e332203ca0d01992b137ebeaa1f21f7c3daec7230e6b8a4d36182caed4/detection

sanlorenzoyacht.com/newsl/uploads/docs/

# Reference: https://twitter.com/ShadowChasing1/status/1377610488830291973
# Reference: https://twitter.com/ShadowChasing1/status/1377628563000594433
# Reference: https://securelist.com/dtrack-targeting-europe-latin-america/107798/

toysbagonline.com
purewatertokyo.com
pinkgoat.com
purplebear.com
yellowlion.com
salmonrabbit.com
bluecow.com

# Reference: https://twitter.com/darktracer_int/status/1380309710721622016
# Reference: https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/
# Reference: https://otx.alienvault.com/pulse/60739323ef1b2b3a187f0f15

4bjt2rceijktwedi.onion
cwwpxpxuswo7b6tr.onion

# Reference: https://twitter.com/fr0s7_/status/1381328726819020804
# Reference: https://www.virustotal.com/gui/file/e514d83d2aaa1357b34f5f11ecc35afe10b6240796e085977e9d4a56145bb8b3/detection

protectoffice.club

# Reference: https://twitter.com/ShadowChasing1/status/1382514587589742597
# Reference: https://www.virustotal.com/gui/file/f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72/detection

jinjinpig.co.kr/Anyboard/skin/board.php
mail.namusoft.kr/jsp/user/eam/board.jsp

# Reference: https://www.group-ib.com/blog/btc_changer

luxmodelagency.com/wp-incluses/random_compat/zeus/wongs/wongs.php
/random_compat/zeus/wongs/wongs.php
/zeus/wongs/wongs.php

# Reference: https://twitter.com/ShadowChasing1/status/1384016097494507521
# Reference: https://twitter.com/cyberwar_15/status/1384462513249546244
# Reference: https://www.virustotal.com/gui/file/79e15cc02c6359cdb84885f6b84facbf91f6df1254551750dd642ff96998db35/detection

ddjm.co.kr/bbs/icon/skin/skin.php
snum.or.kr/skin_img/skin.php

# Reference: https://www.virustotal.com/gui/file/6d2ecc3b0a43f0c377ea6d9a68aa5ac0d48635a04219264fb0702976efea8ef6/detection

http://121.146.68.233/fileserver/temp/platform.asp
http://121.254.224.218/angkor.ylw.common.fileserviceserver/web/document/netframework.asp
codibest.com/data/geditor/main_1.php
gbflatinamerica.com
myungokhun.co.kr/_proc/member/member_bk.asp
/angkor.ylw.common.fileserviceserver/web/document/netframework.asp
/data/geditor/main_1.php
/fileserver/temp/platform.asp

# Reference: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/
# Reference: https://otx.alienvault.com/pulse/608af383c5be4591c5da02e5

akramportal.org/delv/public/voice/voice.php
apars-surgery.org/bbs/bbs_files/board_blog/write.php
bootcamp-coders.cnm.edu
ctevt.org.np/ctevt/public/frontend/review.php
forecareer.com/gdcareer/officetemplate-20nab.asp
gbflatinamerica.com/file/filelist.php
goldllama4.sakura.ne.jp
hospitality-partners.co.jp/works/performance/consumer.php
inovecommerce.com.br/public/pdf/view.php
mail.clicktocareers.com/public/jobapplications/jdviewer.php
propro.jp/wp-content/documents/docsmgmt.php
vega.mh-tec.jp/.well-known/gallery/siteview.php

# Reference: https://www.virustotal.com/gui/file/610047be0b2360d609baa71be22ddc5814743868886f8d85ab9985d3f01229d6/detection

mappo-on.life
help.mappo-on.life

# Reference: https://www.virustotal.com/gui/file/27bfac11c1f9184b515fbf5fcd946e921c95506f89eb273e148fcf0068e50932/detection

octo-manage.net
help.octo-manage.net

# Reference: https://twitter.com/ShadowChasing1/status/1391981731394187266
# Reference: https://www.virustotal.com/gui/file/a0d070b66408654cdcb84784e77914dc355a23c81e3e6ef36362470619c4de96/detection

http://45.61.136.204
googledocpage.com

# Reference: https://twitter.com/ShadowChasing1/status/1393356174506921985
# Reference: https://www.virustotal.com/gui/file/8e1746829851d28c555c143ce62283bc011bbd2acfa60909566339118c9c5c97/detection

allgraphicart.com

# Reference: https://twitter.com/ShadowChasing1/status/1397768682776895491
# Reference: https://www.virustotal.com/gui/file/8d48a77e7a4b8c824d8c1b890dc3e2b904e6fa8fbe8dae1a22f5870916c01c20/detection

sslsharecloud.net
dev.sslsharecloud.net

# Reference: https://twitter.com/ShadowChasing1/status/1398468263818928136

ewha-ac.ml

# Reference: https://twitter.com/ShadowChasing1/status/1399369260577681426
# Reference: https://www.virustotal.com/gui/file/4059fea324e27cfbd4955f37dc7791709dbf35a800449373c6715bc53b88f7c5/detection

amene.homepc.it

# Reference: https://twitter.com/360CoreSec/status/1402920149754155010
# Reference: https://www.virustotal.com/gui/file/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c/detection
# Reference: https://www.virustotal.com/gui/file/3b33b0739107411b978c3cbafb312a44b7488bd7adabae3e7b02059240b6dc83/detection

shopweblive.com

# Reference: https://twitter.com/h2jazi/status/1406401709157629952
# Reference: https://twitter.com/ShadowChasing1/status/1406592585796177924
# Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
# Reference: https://www.virustotal.com/gui/file/5c2f339362d0cd8e5a8e3105c9c56971087bea2701ea3b7324771b0ea2c26c6c/detection

allamwith.com/home/mobile/list.php
conkorea.com/cshop/banner/list.php
ddjm.co.kr/bbs/icon/skin/skin.php
hivekorea.com/jdboard/member/list.php
jinjinpig.co.kr/Anyboard/skin/board.php
mail.namusoft.kr/jsp/user/eam/board.jsp
mail.neocyon.com/jsp/user/sms/sms_recv.jsp
mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp
snum.or.kr/skin_img/skin.php
/jsp/user/sms/sms_recv.jsp

# Reference: https://twitter.com/360CoreSec/status/1405790277034418177
# Reference: https://www.virustotal.com/gui/file/35a39299c47bc701dbe7cb72fcb695d08eb2095d1a5b8b7942d3034d16435e89/detection
# Reference: https://www.virustotal.com/gui/file/382a209ce5745c85507b0bd80b87496ad92128e6870199d0c33d6ddedc542dd1/detection
# Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection

185.208.158.204:443
193.56.28.251:443

# Reference: https://twitter.com/ShadowChasing1/status/1405515076149284870
# Reference: https://www.virustotal.com/gui/file/4c4cc3abd3ddb15d5306fb647c6d779b18df5b949673bb3f3f87faa2c5f56a6a/detection

authenticate.azure-drive.com

# Reference: https://twitter.com/ShadowChasing1/status/1407993219720224771

elwoodasset.xyz
sharemanage.elwoodasset.xyz

# Reference: https://twitter.com/360CoreSec/status/1410127120177635328

52.202.193.124:443

# Reference: https://twitter.com/fr0s7_/status/1402394083331559431
# Reference: https://twitter.com/Jup1a/status/1402470227292561412
# Reference: https://www.virustotal.com/gui/file/1939d9fdcf831dc4cac001ba193669c75a336258bc99a1775471554229e4a69b/detection

azure-drive.com
download.azure-drive.com
protect.azure-drive.com

# Reference: https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12
# Reference: https://otx.alienvault.com/pulse/60e6d2a6786d43397db19bc7

grandgolf.co.kr/html/facilities/facilities_01_06.asp
kdone.co.kr/Utils/EmailUtil.asp
namchuncheon.co.kr/admin/BookAppl/Search_left.asp

# Reference: https://twitter.com/ShadowChasing1/status/1412934665292316677
# Reference: https://twitter.com/ShadowChasing1/status/1412953330700062726

http://95.179.235.55
sharebusiness.xyz
signverydn.sharebusiness.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1412932935523573760
# Reference: https://www.virustotal.com/gui/file/8afdf8513a6e3bede16187004daccc95e193a29062415d9ba0c29b98a5a927d1/detection

devprocloud.com
share.devprocloud.com

# Reference: https://mp.weixin.qq.com/s/y-SHoh9f5qwAwqml3uf8vw
# Reference: https://otx.alienvault.com/pulse/60f930c9c1a69acdb28adea6

smartaudpor.com

# Reference: https://twitter.com/h2jazi/status/1445596955552272389

gozdeelektronik.net/wp-content/themes/0111/

# Reference: https://twitter.com/s1ckb017/status/1447476954639347712
# Reference: https://www.virustotal.com/gui/file/cf10c1cad090ab31d9e579df3bd22f3d0653792cb010e1d6ac0e2cd1ced52076

digitalguarder.com

# Reference: https://twitter.com/h2jazi/status/1455601350222417926
# Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection

mantis.linkundlink.de
/logs/officetemplate.php

# Reference: https://twitter.com/ESETresearch/status/1458438169502826508
# Reference: https://www.virustotal.com/gui/ip-address/45.147.231.213
# Reference: https://www.virustotal.com/gui/file/fe80e890689b0911d2cd1c29196c1dad92183c40949fe6f8c39deec8e745de7f/detection

devguardmap.org
navercorpservice.com

# Reference: https://twitter.com/ShadowChasing1/status/1455489336850325519
# Reference: https://www.virustotal.com/gui/file/65b5709f67bb0fac31ec977f98cda6f89f4b38703ee5aeef0b633c33669ea88a/detection

thetalkingcanvas.com/jobs/en-gb/jobs/9/details.php

# Reference: https://twitter.com/h2jazi/status/1462832390632583168
# Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096

ditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php

# Reference: https://twitter.com/ShadowChasing1/status/1465998017836707840
# Reference: https://twitter.com/ShadowChasing1/status/1465998020734898176

http://152.89.247.236
silvergatehr.com
ny.silvergatehr.com
/5Ek9724mz8oncul8Zx7E7CVDCdBNxuFFUO6pLk/

# Reference: https://twitter.com/k3yp0d/status/1468485748269662208
# Reference: https://app.any.run/tasks/ff306f89-64d4-4d30-8b72-7c0be0b1f9fb/

cloudplus.one
drive.cloudplus.one

# Reference: https://twitter.com/h2jazi/status/1462832390632583168
# Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096/detection

aditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus_APT_Related.json
# Reference: https://www.virustotal.com/gui/ip-address/149.28.162.113/relations

dubbedfinally.link
filesaves.cloud
fsdriveshare.org
googlesheetpage.org
gsheetpage.com
help-optus.com
onedocshare.com
onlinedoc.dev
pilotview.cloud
retrots.net
tresordocs.com
trollinguneaten.org
database.retrots.net
doc.filesaves.cloud
docs.gsheetpage.com
license.cloudplus.one
product.onlinedoc.dev
sheet.tresordocs.com
support.pilotview.cloud

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus.json

autodiscover.vin
banner-counter.com
clarionhpdu.top
craptioerne.com
fhewkhwjehwekjfhwehfwe.com
lif0.top
smartscreenfilter.com
statcounters.net
vz206llb19o.com
2ab9.watashinonegai.ru
b.watashinonegai.ru
d.watashinonegai.ru
apkv3.clarionhpdu.top
cltpk.doomdns.org
down.mykings.pw

# Reference: https://twitter.com/souiten/status/1468818352156020737
# Reference: https://www.virustotal.com/gui/file/b3646d8cbadc7620ca7782f2525cc019740a3088f32e2ea9a6c97cc1432537b0/detection

fsdriveshare.org
dmarc.fsdriveshare.org
file.fsdriveshare.org
share.fsdriveshare.org

# Reference: https://twitter.com/ffforward/status/1456239300593524741
# Reference: https://www.virustotal.com/gui/file/0b8d7a851920d4584777505f9fb484b226a8457d4049885a87c847f7d3532d28/detection

stablemarket.org
share.stablemarket.org

# Reference: https://twitter.com/k3yp0d/status/1448552868907204612
# Reference: https://www.virustotal.com/gui/domain/cloudmgmt.org/relations

cloudmgmt.org
share.cloudmgmt.org

# Reference: https://threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/
# Reference: https://otx.alienvault.com/pulse/61c9aff8d72c2a4731021bee

allamwith.com/home/mobile/list.php
conkorea.com/cshop/banner/list.php
ddjm.co.kr/bbs/icon/skin/skin.php
jinjinpig.co.kr/Anyboard/skin/board.php
mail.namusoft.kr/jsp/user/eam/board.jsp
mail.neocyon.com/jsp/user/sms/sms_recv.jsp
mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp
snum.or.kr/skin_img/skin.php
/jsp/user/sms/sms_recv.jsp

# Reference: https://twitter.com/h2jazi/status/1483521532433473536
# Reference: https://twitter.com/h2jazi/status/1483521535268769793
# Reference: https://www.virustotal.com/gui/file/0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b/detection

lm-career.com

# Reference: https://twitter.com/s1ckb017/status/1484451637653614592
# Reference: https://twitter.com/h2jazi/status/1486448926081302536
# Reference: https://www.virustotal.com/gui/file/0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1/detection

allinfostudio.com
markettrendingcenter.com
yourblogcenter.com

# Reference: https://twitter.com/czy_1116/status/1485813878550597632
# Reference: https://www.virustotal.com/gui/file/3542078fd524e3cb141d5bebf96aea73467505a07ae72fc58395afa14f22e8a3/detection

gfinanzen.net
portal.gfinanzen.net

# Reference: https://twitter.com/ShadowChasing1/status/1486530954382348290
# Reference: https://www.virustotal.com/gui/file/ac7b6ca73207db6ec6d4af2632a7c842c32af6658e3214753e589b567d809125/detection

docusign.agency

# Reference: https://twitter.com/h2jazi/status/1487070198955978753

loneeaglerecords.com/wp-content/uploads/2020/01/images.tgz.001
/update_coingotrade.php

# Reference: https://twitter.com/h2jazi/status/1490057626134192136
# Reference: https://www.virustotal.com/gui/file/08c3aaeec3da9a106536ad1beff4d2ed23d1e31c9481be60f5dbd5eb1a01d2e5/detection

sportsblogweb.com

# Reference: https://twitter.com/s1ckb017/status/1489591023030448129
# Reference: https://www.virustotal.com/gui/file/29de2289a2b111a4873e49402c310b2ad0e3de51b5562ee1422a37c514910c71/detection

designautocad.org

# Reference: https://twitter.com/cyberoverdrive/status/1490839283803951106
# Reference: https://www.virustotal.com/gui/file/353f82475fcfad5b3f06ed85a931bda46ec34279793b5d70085aa8c603e8ebec/detection

datacentre.center

# Reference: https://twitter.com/ShadowChasing1/status/1490958579930517504
# Reference: https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f/detection

shopapppro.com
shopapptech.com

# Reference: https://twitter.com/pkalnai/status/1489269982814949382
# Reference: http://report.threatbook.cn/LS.pdf (Chinese)
# Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection

bmanal.com
canyonzcc.com
devguardmap.org
industryinfostructure.com
linkundlink.de
mante.li
shopandtravelusa.com
mantis.linkundlink.de

# Reference: https://twitter.com/jaydinbas/status/1468521246862233603
# Reference: https://www.virustotal.com/gui/file/ef2d3e488b781a7c6144afa8fc8ba2b6d085ca671100d04686097f3b4dd2ed42/detection

mantis-gewa.technisat-digital.de

# Reference: https://twitter.com/czy_1116/status/1498190652412203008
# Reference: https://www.virustotal.com/gui/file/4cbad835586faf1d91431d5421b58b4acda0bd280cfbaf8a5d4820aec486b0e6/detection

bloomcloud.org
share.bloomcloud.org

# Reference: https://twitter.com/ShadowChasing1/status/1502240130702065664

open.googlesheetpage.org
/KcyRbGDJKRZoaLq8lHh8/C0sHwcGMH2/
/C0sHwcGMH2/
/KcyRbGDJKRZoaLq8lHh8/

# Reference: https://twitter.com/malwrhunterteam/status/1503640289810038786
# Reference: https://twitter.com/malwrhunterteam/status/1504573045750571010
# Reference: https://twitter.com/malwrhunterteam/status/1506008938197643266
# Reference: https://twitter.com/h2jazi/status/1503826030812925962
# Reference: https://twitter.com/h2jazi/status/1503826034923388929
# Reference: https://www.virustotal.com/gui/file/8672acfb06258f5b6dec3700cd7f91a0c013a70a9664dbc6cf33a4c6406756ed/detection
# Reference: https://www.virustotal.com/gui/file/e62a7d9184a841e2b53e41f2d85aa278b427e2e427dbfd8f4be072108e3089c1/detection
# Reference: https://www.virustotal.com/gui/file/689d5513ad52ad5e7a631a9147049c4cc494ad514b81cf41e841fb244c766b8b/detection
# Reference: https://www.virustotal.com/gui/file/a51cad94475e0af91d270146379574b5a8ae70a03098318ddf9912784ace3cba/detection

encorpost.com
foxiebed.com
hillokay.com
nhn-games.com
sktelecom.help
want-helper.com

# Reference: https://twitter.com/h2jazi/status/1505965580075114498
# Reference: https://www.virustotal.com/gui/file/e3a4e97e27bcfb6126ebfe92827cfb6b7e0c04eb7f5426bf17dd366e4723d1ef/detection

pvacek.cz/wp-content/plugins/akismet/control/en/en.jpg

# Reference: https://twitter.com/h2jazi/status/1505983796897894401
# Reference: https://www.virustotal.com/gui/file/d0cf9c1f87eac9b8879684a041dd6a2e1a0c15e185d4814a51adda19f9399a9b/detection

webhosttech.org

# Reference: https://twitter.com/blackorbird/status/1507040337097027584
# Reference: https://blog.google/threat-analysis-group/countering-threats-north-korea/

disneycareers.net
find-dreamjob.com
indeedus.org
varietyjob.com
ziprecruiters.org
blockchainnews.vip
chainnews-star.com
financialtimes365.com
fireblocks.vip
gatexpiring.com
gbclabs.com
giantblock.org
humingbot.io
onlynova.org
teenbeanjs.com
colasprint.com/about/about.asp
varietyjob.com/sitemap/sitemap.asp
financialtimes365.com/user/finance.asp
gatexpiring.com/gate/index.asp
humingbot.io/cdn/js.asp
teenbeanjs.com/cloud/javascript.asp

# Reference: https://twitter.com/jaydinbas/status/1506970733997604867
# Reference: https://twitter.com/ShadowChasing1/status/1508637858927587328
# Reference: https://twitter.com/ShadowChasing1/status/1509520460974723072
# Reference: https://twitter.com/ShadowChasing1/status/1511144288830119941
# Reference: https://asec.ahnlab.com/ko/33034/ (Korean)
# Reference: https://www.virustotal.com/gui/ip-address/2.57.90.16/relations
# Reference: https://www.virustotal.com/gui/ip-address/209.126.83.186/relations
# Reference: https://www.virustotal.com/gui/file/2fc71184be22ed1b504b75d7bde6e46caac0bf63a913e7a74c3b65157f9bf1df/detection
# Reference: https://www.virustotal.com/gui/file/392aba0070375051d7bc3cc478c4bb66c5f55be87ad797800f50a338c3e2479b/detection
# Reference: https://www.virustotal.com/gui/file/a7c17e5fa55bcc60d4cff64dd37d0a1f0cc93f4f44b3cebd5633ca5af413e5cc/detection
# Reference: https://www.virustotal.com/gui/file/ae7275988753fffb29bdb254babdf46773daf935b2721006fe66a1747af3d1d4/detection

naveicoipf.online
naveicoipg.online
naveicoiph.online
naveicoiph.online
naveicoipa.tech
naveicoipc.tech
naveicoipd.tech
naveicoipe.tech
navermailteam.online
123fisd.naveicoipg.online
aat1pbil.naveicoipg.online
adzjvazj.naveicoipg.online
aosm8cts.naveicoipg.online
buiweggajhqwj.naveicoipg.online
cecomtp3.naveicoipg.online
edfeiyql.naveicoipg.online
eoinlslsf.naveicoipg.online
fwpoyktt.naveicoipg.online
hytrycnc.naveicoipg.online
jbmnqpwp.naveicoipg.online
jvnquetbon.naveicoipg.online
kdzdm1rq.naveicoipg.online
kygfkdum.naveicoipg.online
l1tog1iv.naveicoipg.online
lbmwbnbieo.naveicoipg.online
olsnvolqwe.naveicoipg.online
pv5pnwlx.naveicoipg.online
qogngnslel.naveicoipg.online
tp0rw6ie.naveicoipg.online
twlekqnwl.naveicoipg.online
urm1o6h0.naveicoipg.online
vm2rjonq.naveicoipg.online
vnwoei.naveicoipg.online
6la0cwds.naveicoiph.online
9yxqida1b.naveicoiph.online
d4yp8bphj3.naveicoiph.online
dtdgwgfvr.naveicoiph.online
gkins2p3i.naveicoiph.online
kashaccn4.naveicoiph.online
lkpiedozd.naveicoiph.online
rxpz7z2yi8.naveicoiph.online
gowelknx.naveicoipf.online
xjowihgnxcvb.naveicoipf.online
xuau0b2i.naveicoipf.online
4w9h8ps9.naveicoipa.tech
4w9h8ps9.naveicoipc.tech
momls4ii.naveicoipa.tech
momls4ii.naveicoipc.tech
tofysz6a.naveicoipa.tech
tofysz6a.naveicoipc.tech
uzzmuqwv.naveicoipa.tech
uzzmuqwv.naveicoipc.tech
zvc1ijau.naveicoipa.tech
zvc1ijau.naveicoipc.tech
bcvbert.naveicoipe.tech
mhf8huuo.naveicoipe.tech
msldkopw.naveicoipe.tech
tyidrtu.naveicoipe.tech
uktyukb.naveicoipe.tech
vkqrwl00.naveicoipe.tech
wrhehdfg.naveicoipe.tech
nredial.navermailteam.online
/1uFnvppj/1uFnvppj32.acm
/1uFnvppj/1uFnvppj64.acm
/1uFnvppj/
/1uFnvppj32.acm
/1uFnvppj64.acm
/018ueCdS/018ueCdS32.acm
/018ueCdS/
/018ueCdS32.acm
/0lvNAK1t/0lvNAK1t32.acm
/0lvNAK1t/
/0lvNAK1t32.acm

# Reference: https://www.virustotal.com/gui/ip-address/15.235.132.77/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.81.246.131/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.82.19.179/relations

mailcontactteam.online
mailcustomerservice.site
mailhelp.online
mailmanagecorp.online
mailsecurity.email
mailservicecorp.online
mailserviceteam.email
navcopcenter.tech
navcorpmanager.site
naveeocorp.xyz
navenida.live
navenida.site
navenidb.live
navenidb.site
navenidc.live
navenidc.site
navenidd.site
navenide.site
navenidf.site
naveorseccorp.link
naveracom.link
naveradmin01.link
naveranid.link
naveranid.live
naveranid.online
naverbcom.link
naverbnid.live
naverbnid.online
naverccom.link
navercert.live
navercert.online
navercnid.link
navercnid.online
navercoa.store
navercob.store
navercoc.store
navercod.store
navercoe.store
navercoma.link
navercoma.online
navercomb.link
navercomb.online
navercomb.tech
navercomc.link
navercomc.online
navercomc.tech
navercomd.link
navercomd.online
navercome.link
navercome.online
navercome.tech
navercomf.link
navercomf.online
navercomg.link
navercomh.link
navercop.link
navercop.online
navercorp.email
navercorp.live
navercorpl.tech
navercorpr.online
navercorpservice.com
navercorpteam.com
navercscorp.com
naverenid.online
naverfnid.online
navergnid.online
naverhnid.online
naverhost.live
naverinid.com
naverinid.online
naverjnid.online
naverlogn.live
navermailcorp.com
navermailmanage.com
navermailservice.com
navermailservice.online
navermailteam.online
navermanage.com
navermanage.live
navermanage.space
navermanageteam.com
navermcorp.com
navernida.link
navernida.online
navernida.tech
navernidb.link
navernidb.online
navernidb.tech
navernidc.link
navernidc.online
navernidc.tech
navernidd.live
navernidd.online
navernide.online
navernidlog.live
navernidmail.com
naverorteam.link
naverreda.xyz
naverredc.xyz
naverredd.xyz
naverrede.xyz
naverredirect.live
naversecurityservice.online
naversecurityteam.com
naverservice.email
naverservice.host
naverservice.link
naverserviceteam.com
naverserviceteam.email
naverteam.live
naverteamcorp.live
navreplya.live
navreplya.online
navreplyb.live
navreplyd.live
navreplye.live
navreplyf.site
navreplyg.site
navreplyh.site
navreplyi.site
navreplyj.site
navreplyk.site
navteamcorp.link
nidbnaver.tech
nidcnaver.tech
niddnaver.tech
nidnavera.online
nidnavere.online
noreplya.xyz
noreplyb.xyz
nvrcopa.link
nvrcopb.link
nvrcopc.link
nvrcope.site
nvrcopf.site
nvricop.online
nvrjcop.online
portalcorpteam.com
help.navreplya.live
logn.navermanagecorp.site
logn.noreplya.website
mail.naveradmina.tech
mail.navercomf.link
nav.cloudcentre.space
nav.naveracom.link
nav.naveradmin06.online
nav.noreplyb.xyz
nav.portalcorpteam.com
nin.navercop.link
nlog.noreplyb.space
red.naveradmin07.site
red.nidnavere.online
sec.naveralert.link
sub.naverbcom.link

# Reference: https://twitter.com/ShadowChasing1/status/1508706298640052225
# Reference: https://www.virustotal.com/gui/ip-address/44.227.65.245/relations

cloudscare.xyz
onlinedocview.biz
cdn.onlinedocview.biz
edit.onlinedocview.biz

# Reference: https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/
# Reference: https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/
# Reference: https://otx.alienvault.com/pulse/61bca21cf212a6842e17c00b

diragame.com
diregame.live
mygametoa.com
d.diragame.com
google.diragame.com
jom.diregame.live
toa.mygametoa.com
tob.mygametoa.com

# Reference: https://twitter.com/h2jazi/status/1509206625701220356
# Reference: https://www.virustotal.com/gui/file/e9894893a8a1f74d7d6a8768dda9ef5ddaf8aac18634a1110e9a79652c9f13ee/detection

aixstore.info
app.aixstore.info

# Reference: https://securelist.com/lazarus-trojanized-defi-app/106195/
# Reference: https://otx.alienvault.com/pulse/6246c2c9082f5d1a7c15ffba

bn-cosmo.com/customer/board_replay.asp
edujikim.com/pay_sample/INIstart.asp
emsystec.com/include/inc.asp
gyro3d.com/common/faq.asp
gyro3d.com/mypage/faq.asp
ilovesvc.com/HomePage1/Inquiry/privacy.asp
newbusantour.co.kr/gallery/left.asp
roit.co.kr/xyz/adminer/edit_fail_decoded.asp
softapp.co.kr/sub/cscenter/privacy.asp
syadplus.com/search/search_00.asp

# Reference: https://twitter.com/ShadowChasing1/status/1514899414367694851
# Reference: https://www.virustotal.com/gui/file/f78b85fc5c9a5f6c8d735f13180d318bf8f5639e71556e2ae0f2c6b9b4181a6c/detection

http://15.235.33.14

# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
# Reference: https://otx.alienvault.com/pulse/625d3bb7b78be557e145d2c7

aumentarelevisite.com
juneprint.com
jungfrau.co.kr
mariamchurch.com
happy.nanoace.co.kr
ric-camid.re.kr

# Reference: https://twitter.com/blackorbird/status/1516300076523548674
# Reference: https://mp.weixin.qq.com/s/Xs54_RDKU5MvkvsPPCGKEw (Chinese)

beenos.biz
zvc.capital
cloud.beenos.biz
it.zvc.capital

# Reference: https://www.cisa.gov/uscert/ncas/alerts/aa22-108a
# Reference: https://otx.alienvault.com/pulse/625e65bf6aa1f7977a316d65

alticgo.com
cryptais.com
dafom.dev
esilet.com
tokenais.com

# Reference: https://asec.ahnlab.com/ko/33706/
# Reference: https://otx.alienvault.com/pulse/625e688f46dbcbce7ac0668d

gaonwell.com/data/base/mail/login.asp
h-cube.co.kr/main/image/gellery/gallery.asp
materic.or.kr/include/main/main_top.asp
materic.or.kr/include/main/main_top.xn--asp
namchoncc.co.kr/include/?ind=
okkids.kr/html/program/display/?re=
shoppingbagsdirect.com/media/images/?ui=

# Reference: https://twitter.com/blackorbird/status/1519504288849874944
# Reference: https://www.virustotal.com/gui/file/672ec8899b8ee513dbfc4590440a61023846ddc2ca94c88ae637144305c497e7/detection

http://109.248.144.155
http://155.94.210.11
http://193.56.28.32
http://45.57.245.17
109.248.144.136:8443
109.248.144.155:8080
109.248.144.155:8443
usengineergroup.com
mail.usengineergroup.com

# Reference: https://twitter.com/ESETresearch/status/1521735320852643840
# Reference: https://twitter.com/ESETresearch/status/1521735343497695232
# Reference: https://www.virustotal.com/gui/file/55571ac52e1f02f18af77e2f3314382c982a37744b58732dfc15faac9d66619f/detection
# Reference: https://www.virustotal.com/gui/file/a0bf5af3f931a428b905fd14d43b61af47b7f272425ae4ff4d78b5cb139b8276/detection
# Reference: https://www.virustotal.com/gui/file/315503862cb7ebb0a731483827016015e355bad51f872db5c650a822de744937/detection

onlinestockwatch.net

# Reference: https://www.virustotal.com/gui/file/5081f54761947bc9ce4aa2a259a0bd60b4ec03d32605f8e3635c4d4edaf48894/detection

66.154.102.91:9090

# Reference: https://blogs.jpcert.or.jp/en/2022/07/vsingle.html

bluedragon.com/login
crm.vncgroup.com/cats/scripts/sphinxview.php
mantis.westlinks.net/api/soap/mc_enum.php
ougreen.com/zone
semiconductboard.com/xcror
shipshorejob.com/ckeditor/samples/samples.php
tecnojournals.com/general
tecnojournals.com/prest

# Reference: https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
# Reference: https://www.virustotal.com/gui/file/f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb/detection

http://213.180.180.154
karin-store.com/recaptcha.php
yoshinorihirano.net/wp-includes/feed-xml.php
/editor/session/aaa000/support.php
/aaa000/support.php

# Reference: https://mp.weixin.qq.com/s/USitU4jAg9y2XkQxbwcAPQ
# Reference: https://otx.alienvault.com/pulse/62d153ef7d6fbe552403bc90

namchuncheon.co.kr/html/notice/list.asp
stracarrara.org/public/photos/image/image.asp
stracarrara.org/public/photos/image/image.xn--asp

# Reference: https://twitter.com/h2jazi/status/1549780561551675393
# Reference: https://www.virustotal.com/gui/ip-address/155.138.219.140/relations
# Reference: https://www.virustotal.com/gui/file/f7170b70a89f4b5d196e3a09c1d6135d36320548f66cdc2c55bf725b0f8d4ab8/detection

documentworkspace.io
fclouddown.co
cdn.documentworkspace.io
file.fclouddown.co

# Reference: https://twitter.com/cyberoverdrive/status/1550175620927299584
# Reference: https://www.virustotal.com/gui/file/1e154b2976cc00d457c0dc2b83ebe81911294c8276691617085c03a3304fd87f/detection

googlesheet.info

# Reference: https://twitter.com/h2jazi/status/1553024107989635073
# Reference: https://www.virustotal.com/gui/file/0fe69e67286203ca2dcd080b4c25ab76fc4ca925e6207b193d47f02da1481843/detection

shconstmarket.com
dps.shconstmarket.com
inst.shconstmarket.com
web.shconstmarket.com

# Reference: https://twitter.com/Des00464472/status/1546403794871001093

http://52.79.92.249/bbs/bbs_post.asp

# Reference: https://twitter.com/h2jazi/status/1555205042331947011
# Reference: https://www.virustotal.com/gui/file/a3ef9fd758bca1c94054a43995a99069abaef672495c1bd3ee831217c1f5e498/detection

mktrending.com
docs.mktrending.com

# Reference: https://twitter.com/ShadowChasing1/status/1557034048345997312
# Reference: https://www.virustotal.com/gui/file/57959c2be2ac6349aa37edb73cd8a88fe8d3e69678cac4b38fac401bd3141fdf/detection

documentshare.info
doc.documentshare.info
ww16.documentshare.info
/DmJMFYpwLPP3ygS/

# Reference: https://twitter.com/malwrhunterteam/status/1557077792075829249
# Reference: https://www.virustotal.com/gui/file/f1ade73b9c61f2f4b774a1b5003a5d70d7a12e0872abe98c52fbf9e9e3a90fc5/detection

wordonline.cloud
cdn.wordonline.cloud
gdoc.wordonline.cloud

# Reference: https://twitter.com/ESETresearch/status/1559553324998955010
# Reference: https://www.virustotal.com/gui/file/49046dfeaefc59747e45e013f3ab5a2895b4245cfaa218dd2863d86451104506/detection
# Reference: https://www.virustotal.com/gui/file/8b427c47a43e6c357d8439fefa7f0ff34b72a2abdaf0461193fb9e6086807e17/detection
# Reference: https://www.virustotal.com/gui/file/94a669041ef572e3fb089179f5c29e2811e2e82613290e39a2ce1b6c273727c9/detection
# Reference: https://www.virustotal.com/gui/file/dae9f37ae5c2a030c0fb3f55d5731cdb37a4f68560a6f2ba38bb54c9533f8805/detection
# Reference: https://www.virustotal.com/gui/file/e29d0db8c013e7eb5820a6f40aae92a085d9550f2f0b2ebc10c8c2c08d14f6d5/detection
# Reference: https://www.virustotal.com/gui/file/fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853/detection

concrecapital.com

# Reference: https://twitter.com/h2jazi/status/1559259261665943553
# Reference: https://www.virustotal.com/gui/file/03f6c8f173413302d9c22a44a593fc9a5203fbb7652d3a36b3ace79f3cdc39a3/detection

1drvmicrosoft.com
hare.1drvmicrosoft.com
share.1drvmicrosoft.com

# Reference: https://twitter.com/malwrhunterteam/status/1560563222624710656
# Reference: https://www.virustotal.com/gui/file/c9b4893bdb85d67c13826814ef0cf392648089f416aed40078907054624fba72/detection

cooporatestock.com
doc.cooporatestock.com
docs.cooporatestock.com

# Reference: https://www.virustotal.com/gui/ip-address/45.76.77.197/relations
# Reference: https://www.virustotal.com/gui/file/0f6b6c1596e38e840fb03420317db224739a18dbef0b98285637f5887e90a191/detection

drivegoogle.info
docs.drivegoogle.info

# Reference: https://twitter.com/ShadowChasing1/status/1564980900785373185
# Reference: https://www.virustotal.com/gui/file/51d53ca36a662b4aad5878987548f0f22f2a53545790577d8043373b6bf7eb75/detection

wpsonline.co
edit.wpsonline.co
wps.wpsonline.co

# Reference: https://www.virustotal.com/gui/file/f42c637db03edf83a08e944bc190265167ecea84d77508f37fc1269d267fe5a8/detection

stablehouses.info
app.stablehouses.info

# Reference: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html
# Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
# Reference: https://www.virustotal.com/gui/file/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332/detection
# Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection
# Reference: https://www.virustotal.com/gui/file/eb73c57c6f4ce8bf197ddc689b7e0afd3703a9bf9a78212c9cb838528441df7a/detection
# Reference: https://www.virustotal.com/gui/file/bffe910904efd1f69544daa9b72f2a70fb29f73c51070bde4ea563de862ce4b1/detection
# Reference: https://www.virustotal.com/gui/file/afb2d4d88f59e528f0e388705113ae54b7b97db4f03a35ae43cc386a48f263a0/detection
# Reference: https://www.virustotal.com/gui/file/196fb1b6eff4e7a049cea323459cfd6c0e3900d8d69e1d80bffbaabd24c06eba/detection

http://151.106.2.139
http://193.56.28.251
http://52.202.193.124
http://64.188.27.73
http://66.154.102.91
151.106.2.139:8080
151.106.2.139:8443
66.154.102.91:9090
gendoraduragonkgp126.com
/adm_bord/login_new_check.php

# Reference: https://twitter.com/Des00464472/status/1569331099305918465

techdesignshop.com

# Reference: https://twitter.com/h2jazi/status/1570501870954905600
# Reference: https://www.virustotal.com/gui/file/5816eb32cbaadfc3477c823293a8c49cdf690b443c8fa3c19f98399c143df2b3/detection

azure-protect.online
verify.azure-protect.online

# Reference: https://twitter.com/BaoshengbinCumt/status/1570579732399558656

jbic.us
mufg.tokyo
salt1ending.com
wpic.ink
cloud.jbic.us
cloud.mufg.tokyo

# Reference: https://twitter.com/HaoZhixiang/status/1572434427942432772
# Reference: https://www.virustotal.com/gui/file/0b79e1194644431c2e28c48aa3654e658a2907e1003cd0484cd00a0796ebe6bb/detection

onlineshares.cloud
ms.onlineshares.cloud

# Reference: https://twitter.com/malwrhunterteam/status/1573305740252663809
# Reference: https://www.virustotal.com/gui/file/48bd1c5cf9ccc3d454ab80d7284abaf39028a228607d132bfa92ab2ceca47ca2/detection

azure-protection.cloud
docs.azure-protection.cloud
secure.azure-protection.cloud

# Reference: https://twitter.com/StopMalvertisin/status/1574329188793733120
# Reference: https://www.virustotal.com/gui/file/3b70c3ebffcfd6a97859f8d9e5a31f6902756e23fd6688ca7c7446d24ec76d9d/detection

digiboxes.us
fs.digiboxes.us

# Reference: https://twitter.com/StopMalvertisin/status/1574749887203143680
# Reference: https://www.virustotal.com/gui/file/f00fe4e6da3aaad25d1ac8b268ffeebc98bda184e3df224905626908be24d415/detection

sunlin.org/info/style?title=

# Reference: https://twitter.com/StopMalvertisin/status/1575055809104334848
# Reference: https://twitter.com/ScarletSharkSec/status/1575130042627244038
# Reference: https://twitter.com/malwrhunterteam/status/1593744606172168195
# Reference: https://www.virustotal.com/gui/ip-address/155.138.159.45/relations
# Reference: https://www.virustotal.com/gui/file/99eae95f3271fe7cd2b25aca9a2b69ca8f5cc034f3416b554a4af38903f14233/detection
# Reference: https://www.virustotal.com/gui/file/8f05021071c4bfd4cfce3d02bd30bf16f1322170515d796e13f75eb25b09d533/detection

docuprivacy.com
gdocshare.one
msteam.biz
onlinecloud.cloud
privacysign.org
dmarc.onlineshares.cloud
ms.msteam.biz
team.msteam.biz
open.onlinecloud.cloud

# Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/

137.184.15.189:22
172.93.201.253:22
44.238.74.84:22
44.238.74.84:5900

# Reference: https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/
# Reference: https://otx.alienvault.com/pulse/6336cd77cbc019c475aa2034

contradecapital.com
m.contradecapital.com
market.contradecapital.com
stage.contradecapital.com
vpn.contradecapital.com

# Reference: https://github.com/eset/malware-ioc/tree/master/nukesped_lazarus

cowp.or.kr/html/board/main.asp
erpmas.co.kr/Member/franchise_modify.asp
fored.or.kr/home/board/view.php
gncaf.or.kr/cafe/cafe_board.asp
gongsinet.kr/comm/comm_gongsi.asp
goojoo.net/board/banner01.asp
hsbutton.co.kr/bbs/bbs_write.asp
hstudymall.co.kr/easypay/web/bottom.asp
ikrea.or.kr/main/main_board.asp
pcdesk.co.kr/Freeboard/mn_board.asp
pgak.net/service/engine/release.asp
quecue.kr/okproj/ex_join.asp
style1.co.kr/main/view.asp
wowpress.co.kr/customer/refuse_05.asp
zndance.com/shop/post.asp

# Reference: https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
# Reference: https://otx.alienvault.com/pulse/633c7f2703c1f6dec01555e5

aquaprographix.com/patterns/Map/maps.php
stracarrara.org/images/img.asp
thetalkingcanvas.com/thetalking/globalcareers/us/5/careers/jobinfo.php
turnscor.com/wp-includes/feedback.php

# Reference: https://twitter.com/Des00464472/status/1580021488433831936

propertys-shop.com

# Reference: https://twitter.com/h2jazi/status/1582809597051826177
# Reference: https://twitter.com/h2jazi/status/1582809599023124481
# Reference: https://www.virustotal.com/gui/file/c114b73da17eb5c8aff5a7b5509ffe26b9770e28c7123f038e98d42f8a065632/detection

bbcnewsagency.com

# Reference: https://twitter.com/h2jazi/status/1582919568384663552

bloombergnewsagency.com

# Reference: https://www.virustotal.com/gui/file/500ae0f1ab40a254f81c73331c9848bada4c26adad613d53d339d14ca3599a32/detection
# Reference: https://www.virustotal.com/gui/file/442c2b7b8e7ec13306bfb6c1332bd87e4d9cac242fd86555df355a606b895c46/detection

11.23.33.44:8050
66.85.157.67:8050
drivetools.xyz
filesspace.xyz
theboxart.xyz

# Reference: https://twitter.com/imp0rtp3/status/1589263364274155520
# Reference: https://twitter.com/imp0rtp3/status/1589263367650578434
# Reference: https://www.virustotal.com/gui/file/06ea41ee563f0ecb884d0640344a1e0006a9e8b1b3d4cda9a769a896f18c4b6d/detection
# Reference: https://www.virustotal.com/gui/file/e1ecf0f7bd90553baaa83dcdc177e1d2b20d6ee5520f5d9b44cdf59389432b10/detection
# Reference: https://www.virustotal.com/gui/file/dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031/detection

leadsblue.com/wp-content/wp-utility/index.php

# Reference: https://twitter.com/Des00464472/status/1590966132596695040

olidhealth.com
dc-ba6f51b553e0.olidhealth.com

# Reference: https://twitter.com/souiten/status/1593449165349978113
# Reference: https://www.virustotal.com/gui/file/0937cbb980cb898eacd8458366fc4de3510266b8fbcd68010aa04e58bf72df28/detection
# Reference: https://www.virustotal.com/gui/file/a3f087c83453cde2bc845122c05ebeb60e8891e395b45823c192869ec1b72ea6/detection

capmarketreport.com

# Reference: https://explore.avertium.com/resource/an-in-depth-look-at-north-korean-threat-actor-zinc
# Reference: https://otx.alienvault.com/pulse/637f670d45a399f00e8aea3c

cats.runtimerec.com/db/dbconn.php
elite4print.com/support/support.asp
hurricanepub.com/include/include.php
olidhealth.com/wp-includes/php-compat/compat.php
recruitment.raystechserv.com/lib/artichow/BarPlotDashboard.object.php
turnscor.com/wp-includes/contacts.php

# Reference: https://twitter.com/jaydinbas/status/1598660262751604738
# Reference: https://www.virustotal.com/gui/file/f14c5bad5219b1ed5166eb02f5ff08a890a181cef2af565f3fe7bcea9c870e22/detection

key.sharedrive.ink

# Reference: https://twitter.com/malwrhunterteam/status/1598405604317442048
# Reference: https://twitter.com/jaydinbas/status/1598722899556577280
# Reference: https://www.virustotal.com/gui/file/741be5e53a5dc7cebaa63d6ff624c5eff1a0e1817ede1e7fc0473a28b1ed7a33/detection

dsx-app.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-12-02-v10187/190

bloxholder.com
oilycargo.com
rebelthumb.net
strainservice.com
telloo.io

# Reference: https://twitter.com/h2jazi/status/1602302208325947394
# Reference: https://www.virustotal.com/gui/file/69e5cc9d865301f7e8dd7d4dbf5624db2859c614112d339b2fc07ea6176c776d/detection

microshare.cloud
one.microshare.cloud

# Reference: https://twitter.com/h2jazi/status/1602314597926576131
# Reference: https://twitter.com/h2jazi/status/1602314600753598465
# Reference: https://www.virustotal.com/gui/file/bdd109cba8346548dd6fe5110180aa23eb9f5805c90733025344a5881c15c985/detection

thecloudnet.org

# Reference: https://twitter.com/jaydinbas/status/1608077663532449792
# Reference: https://www.virustotal.com/gui/file/c52028b494c37505cbe073e3b0fcdeb6b7b48636c6fd00a41108e6dc1a66a4ce/detection

professiondesc.com

# Reference: https://twitter.com/Des00464472/status/1610535596262580230
# Reference: https://www.virustotal.com/gui/ip-address/172.86.121.130/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.153.242.37/relations
# Reference: https://www.virustotal.com/gui/file/e04848c1e2908335975dd52793c94624d06a598fdd75d5d3eb6ea8c5d569b8bc/detection

auto-protection.cloud
auto-protection.services
azure-protect.cloud
azure-protection.online
auto-secure.cloud
beyondnextventures.us
doc-protection.cloud
docs-view.cloud
mizuhogroup.uk
offerings.cloud
online-protection.cloud
protection-service.cloud
smbcgroup.uk
tptf.cloud
tptf.ltd
azure.auto-protection.cloud
azure.auto-protection.services
azure.auto-secure.cloud
azure.doc-protection.cloud
azure.doc-protection.online
azure.docs-view.cloud
azure.online-protection.cloud
azure.protection-service.cloud
cloud.beyondnextventures.us
cloud.mizuhogroup.uk
cloud.smbcgroup.uk
docs.tptf.cloud
secure.azure-protection.online
secure.azure-protect.cloud
secure.azure-protection.online

# Reference: https://twitter.com/Des00464472/status/1613893230004965381
# Reference: https://www.virustotal.com/gui/file/9dc04153455d054d7e04d46bcd8c13dd1ca16ab2995e518ba9bf33b43008d592/detection

easyview.kr/board/mb_admin.php
mudeungsan.or.kr/gbbs/bbs/template/g_botton.php
neohr.co.kr/bbs/data/notice/notice.php

# Reference: https://twitter.com/h2jazi/status/1618630926891913217

blurbshop.com
cloudfly.org
dailynewsagent.com
oneweb-host.com
shopwebstudio.com
turacodi.com

# Reference: https://twitter.com/jaydinbas/status/1623295609703636993
# Reference: https://www.virustotal.com/gui/file/3a4aed5b9ad0827696a1bb5f3497a6a2aa26b453d27bfacbe3c8c47673aac98d/detection

doc-share.cloud
safe.doc-share.cloud

# Reference: https://asec.ahnlab.com/ko/48416/
# Reference: https://otx.alienvault.com/pulse/63ff76797371033cf70b2df3

ctmnews.kr
dalbinews.co.kr
kfcjn.com
lightingmart.co.kr
studyholic.co.kr

# Reference: https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware

wirexpro.com

# Reference: https://twitter.com/souiten/status/1653999722477268992
# Reference: https://www.virustotal.com/gui/file/69ef7c4cb3849283c03eaa593b02ebbfd1d08d25ef9a58355d2a9909678d6c6d/detection

share.googlefiledrive.com

# Reference: https://twitter.com/ESETresearch/status/1656385173968019456
# Reference: https://twitter.com/ESETresearch/status/1656386549594857472
# Reference: https://www.virustotal.com/gui/ip-address/104.168.138.7/relations
# Reference: https://www.virustotal.com/gui/file/c28e4031129f3e6e5c6fbd7b1cebd8dd21b6f87a8564b0fb9ee741a9b8bc0197/detection
# Reference: https://www.virustotal.com/gui/file/5f00106f7f15e0ca00df4dbb0eeccd57930b4b81bc9aa3fca0c5af4eda339ab7/detection

coto.live
cryptyk.cloud
cryptyk.info
gumicryptos.com
hyperchaincapital.online
parallaxdigital.online
prosec.ink
autoprotect.com.se
cloud.cryptyk.info
cloud.prosec.ink
cloudprotect.us.org
cryptyk.ddns.net
cryptyk.hopto.org
cryptyk.sytes.net
cryptyk.webredirect.org
document.coto.live
document.sharedrive.ink
docusend.coto.live
hostings.webredirect.org

# Reference: https://www.virustotal.com/gui/ip-address/104.168.214.151/relations

azure-defender.cloud
azuredefender.online
bico-news.blog
blockchainworld.info
blockfi.loans
box-docsend.cloud
box-docsend.online
companydetail.online
crypto-ecosystem.world
cryptofundsresearch.com
daiwa.ventures
doc-send.cloud
doc-send.com
docs-send.com
doc-send.online
docs-send.online
docsend-host.cloud
drop-box.cloud
dropbox-docsend.cloud
dropbox-docsend.online
gumi-cryptos.loan
job-description.online
jobdescription.online
nextera.capital
online-meeting.xyz
panteracapital.ventures
private-meeting.online
privatenetwork.online
smart-contracts.blog
swissborg.blog
tokentracking.info
usncet.org
verifydocument.online
video-meet.online
video-meeting.xyz
additional.work.gd
additionalpublic.work.gd
abs.twitter.expublic.linkpc.net
arbor.companydetail.online
asset.crypto-ecosystem.world
autoprotect.gb.net
bico.tokentracking.info
boa.azuredefender.online
boa.job-description.online
boa.jobdescription.online
cloud.daiwa.ventures
cnbc.crypto-ecosystem.world
coinbase.expublic.linkpc.net
crypto.blockchainworld.info
daiwa.azure-defender.cloud
defi.smart-contracts.blog
docs.panteracapital.ventures
draper.online-meeting.xyz
dynamic.expublic.linkpc.net
exceptions.coinbase.expublic.linkpc.net
exceptions.expublic.linkpc.net
expublic.linkpc.net
github.expublic.linkpc.net
google.coinbase.expublic.linkpc.net
hashkey.online-meeting.xyz
hwsrv-1033810.hostwindsdns.com
internal-server.nextera.capital
internal.daiwa.ventures
internal.usncet.org
interview.private-meeting.online
meet.ubi-safemeeting.online
onedrive.azure-defender.cloud
recent.bico-news.blog
shared.box-docsend.cloud
shared.box-docsend.online
shared.doc-send.cloud
shared.drop-box.cloud
shared.dropbox-docsend.cloud
shared.dropbox-docsend.online
support.private-meeting.online
support.trustmeeting.online
support.ubi-safemeeting.live
support.video-meeting.online
support.video-meeting.xyz

# Reference: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499

http://3.89.226.234
http://40.121.90.194
eflow.co.kr/member_image/about.php
projectcell.niv.co.in/non_scientific/service.php
sora.bz/xoops_root_path/templates_c/login.php
sora.bz/xoops_root_path/uploads/information/about.php

# Reference: https://twitter.com/blackorbird/status/1675803174551314432
# Reference: https://www.elastic.co/cn/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
# Reference: https://www.virustotal.com/gui/ip-address/64.44.141.15/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.195.240.123/relations

amazoncojp.one
dropbx-doc.online
hondchain.com
jaicvc.com
previewaccess-doc.online
starbucls.xyz
thefifodoc.online
crypto.hondchain.com
docsend.linkpc.net
docsend.publicvm.com

# Reference: https://www.virustotal.com/gui/ip-address/64.44.141.13/relations

blackleopard.world
docsend.apple.linkpc.net
docsend.apple.work.gd
docsend.camdvr.org
docsend.theworkpc.com
floriventures.linkpc.net
floriventures.publicvm.com
floriventuresfund.com
forest.groundwolf.sbs
groundwolf.sbs
info.floriventuresfund.com
info.racondog.shop
kingstar.publicvm.com
lightkingstar.com
net.lightkingstar.com
nomanstone.shop
origin.blackleopard.world
racondog.shop
sabrpartner.com
starbocks.yachts
xyz.nomanstone.shop
xyz.racondog.shop

# Reference: https://twitter.com/h2jazi/status/1681426768597778440
# Reference: https://twitter.com/ShadowChasing1/status/1681947062471098368
# Reference: https://www.virustotal.com/gui/file/6f11c52f01e5696b1ac0faf6c19b0b439ba6f48f1f9851e34f0fa582b09dfa48/detection

jkmusic.co.kr/shop/data/theme/
notebooksell.kr/mall/m_schema.php

# Reference: https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html

checkdevinc.com
git-hub.me
pkginstall.net

# Reference: https://asec.ahnlab.com/en/54195/
# Reference: https://otx.alienvault.com/pulse/6490761db8416aad20dd9404

bcdm.or.kr/board/type3_D/edit.asp
coupontreezero.com/include/bottom.asp
daehang.com/member/logout.asp
gongsilbox.com/board/bbs.asp
hmedical.co.kr/include/edit.php
ksmarathon.com/admin/excel2.asp
materic.or.kr/files/board/equip/equip_ok.asp
sinae.or.kr/sub01/index.asp

# Reference: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247492789&idx=1&sn=a991e6c5ed7388515d75f02e9c33428f
# Reference: https://otx.alienvault.com/pulse/64a2f58febf38755c4240c34

rowdensurname.org/slideshow/slides/show.asp

# Reference: https://blog.talosintelligence.com/lazarus-collectionrat/
# Reference: https://www.virustotal.com/gui/file/ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6/detection (# QuiteRAT)
# Reference: https://www.virustotal.com/gui/file/db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984/detection (# CollectionRAT)
# Reference: https://www.virustotal.com/gui/file/773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df/detection (# CollectionRAT)
# Reference: https://www.virustotal.com/gui/file/e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe/detection (# Trojanized Plink)

http://109.248.150.13
http://146.4.21.94
109.248.150.13:443
ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php

# Reference: https://twitter.com/fr0s7_/status/1695001873604903348
# Reference: https://twitter.com/fr0s7_/status/1695012385705148748
# Reference: https://twitter.com/fr0s7_/status/1695012576600498679
# Reference: https://www.virustotal.com/gui/ip-address/144.202.17.28/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.63.1.46/relations
# Reference: https://www.virustotal.com/gui/ip-address/66.42.86.109/detection
# Reference: https://www.virustotal.com/gui/file/8e271b07ad050b648321af5aa98ae9f9057342a6c4d3de40ee07a4fbec1ef2b9/detection
# Reference: https://www.virustotal.com/gui/file/7c2721b4beedcff6f8d7af585516af86287a9bab703e8050e97365aa9fd849cb/detection

dliklone.online
sourljsourhs.cfd
ajileuowl.dliklone.online
huweisge.dliklone.online
tales.dliklone.online
tonses.dliklone.online
magmow.sourljsourhs.cfd

# Reference: https://twitter.com/tiresearch1/status/1695342915281965409

online-meeting.pro
private-meeting.xyz
trustmeeting.online
ubi-safemeeting.live
video-meeting.online

# Reference: https://twitter.com/tiresearch1/status/1696067977463087376

safe-meeting.online
trustmeeting.live
ubi-safemeeting.online

# Reference: https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues
# Reference: https://www.virustotal.com/gui/ip-address/45.61.136.133/relations

tableditermanaging.pro

# Reference: https://asec.ahnlab.com/en/56405/
# Reference: https://otx.alienvault.com/pulse/64f0a87de1d155ccb31c3561

chinesekungfu.org
ipservice.kro.kr
privatemake.bounceme.net
bbs.topigsnorsvin.com.ec

# Reference: https://twitter.com/blackorbird/status/1700047882441908674
# Reference: https://twitter.com/felixaime/status/1699865970041348506
# Reference: https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/
# Reference: https://otx.alienvault.com/pulse/64fa0325f88b5109856801c8

bitsvertise.com
blgbeach.com
dbgsymbol.com
ecordillos.com
ismartrium.com
rapisigns.com

# Reference: https://twitter.com/tiresearch1/status/1701155845608964391

alwayswait.online
alwayswait.site
antifirmware.online
antifirmware.site
antifirmware.store
antiviruscheck.site
antiviruscheck.store
auditprovidre.online
auditprovidre.site
auditprovidre.store
newcoming.cfd
remoteproweb.cfd
systemupdate.site
systemupdate.store
unbelievableresult.site
unbelievableresult.store
updatecheck.site
updatecheck.store
waitingfor.cfd

# Reference: https://twitter.com/h2jazi/status/1702726275012382747
# Reference: https://www.virustotal.com/gui/file/c83c7b000a955f2b8cb92bb112ed606ffd9fbebbe3422f80d90d06b167f2f37b/detection

brianrep.com
/dnquery.phpinteger

# Reference: https://twitter.com/asdasd13asbz/status/1705140120222105777

http://91.206.178.125

# Reference: https://twitter.com/tiresearch1/status/1706312971054412039

datasend.linkpc.net
docsenddata.linkpc.net
docsendinfo.linkpc.net
open-sc.xyz
opensend.linkpc.net
opensend.online
video-meet.team

# Reference: https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/

barsaji.com.mx/src/recaptcha/index.php
bug.restoroad.com/admin/view_status.php
kapata-arkeologi.kemdikbud.go.id/pages/payment/payment.php
kerstpakketten.horesca-meppel.nl/wp-content/plugins/woocommerce/lib.php
kittimasszazs.hu/images/virag.php
nrfm.lk/wp-includes/simplepie/content.php
radiographers.org/aboutus/aboutus.php

# Reference: https://twitter.com/tiresearch1/status/1708141542261809360

bitscrunch.linkpc.net
bitscrunch.publicvm.com
bitscrunnch.linkpc.net
bitscrunnch.run.place
coupang-network.pics
exodus.linkpc.net
jobdescription.linkpc.net

# Reference: https://twitter.com/tiresearch1/status/1708539447908958382

starbocks.shop
starbuck-coffee.cfd
starbuckex.beauty
starbucls.top

# Reference: https://twitter.com/k3yp0d/status/1709851707427975382
# Reference: https://twitter.com/greglesnewich/status/1742926817827422712
# Reference: https://g-les.github.io/yara/2024/01/04/100DaysofYARA-CosmicRust.html
# Reference: https://www.virustotal.com/gui/file/979ef0f43f25a6707fd98f6f0cb6e8452c24f41216ff53486781f487803d69c4/detection
# Reference: https://www.virustotal.com/gui/file/dbe48dc08216850e93082b4d27868a7ca51656d9e55366f2642fc5106e3af980/detection
# Reference: https://www.virustotal.com/gui/file/a8cc70bcd0ef98e3eea54f953166f518a2cf1d898e4eb9e85cf70861f8ec7578/detection
# Reference: https://www.virustotal.com/gui/file/5f4063e3a5583e62ddec2f84ca88eb97fbcfbee31d9269742ab438f441f0cd58/detection
# Reference: https://www.virustotal.com/gui/file/576d1688f744a9f6ae4c1fb4cec1cda3daecabf3a13cb3bafabf083c54d1fcb6/detection
# Reference: https://www.virustotal.com/gui/file/5115be816d0cd579915d079573bfa384d78ac0bd33cc845b7a83a488b0fc1b99/detection
# Reference: https://www.virustotal.com/gui/file/3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a/detection

104.168.136.24:8080
104.168.172.20:8080
commoncome.online
web.commoncome.online
welcome.newcoming.cfd

# Reference: https://twitter.com/tiresearch1/status/1709900227241758810

automatic.antifirmware.store
autoserverupdate.line.pm
huanying.remoteproweb.cfd
real.unbelievableresult.store
stress.antiviruscheck.site
successfulconnection.linkpc.net
sys.antiviruscheck.store
sys.updatecheck.site
web.auditprovidre.site

# Reference: https://twitter.com/asdasd13asbz/status/1711617213944492293
# Reference: https://www.virustotal.com/gui/ip-address/103.179.142.171/relations
# Reference: https://www.virustotal.com/gui/file/f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58/detection
# Reference: https://www.virustotal.com/gui/file/00433ebf3b21c1c055d4ab8a599d3e84f03b328496236b54e56042cef2146b1c/detection

blockchain-newtech.com

# Reference: https://twitter.com/tiresearch1/status/1712004829978190112

docs-protection.cloud
docs-protection.online
docs-protection.top
azure.docs-protection.cloud
azure.docs-protection.online
azure.docs-protection.top
docs.smbc-vc.com
meeting.work.gd
orangecake.work.gd
transactions.publicvm.com
updatecheck.publicvm.com

# Reference: https://twitter.com/malwrhunterteam/status/1710379117869150506
# Reference: https://twitter.com/h2jazi/status/1712115378933977444
# Reference: https://www.virustotal.com/gui/file/f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58/detection

chiark.greenend.org.uk/~sgtatham/putty/

# Reference: https://twitter.com/tiresearch1/status/1712839519366795733

15248636.site
activity-179384736.site
activity-permission.online
allow-permission.online
book-download.shop
chat-services.online
files-archive.online
mail-roundcube.site
online-meeting.site
online-video-services.site
share-meeting.online
un-call.services
videocallservice.live
webmailaccount.cloud

# Reference: https://twitter.com/tiresearch1/status/1713828674750017852
# Reference: https://twitter.com/tiresearch1/status/1714149818753507596

book.tomming.us
cloud.bdcc.bio
enimvzud.mouradvps8hostwin.online
floriventuresend.linkpc.net
forservercon.run.place
jobintro.linkpc.net
mouradvps8hostwin.online
protectli.online
web3.auditprovidre.store
xjba.linkpc.net
xjbb.linkpc.net
xjbd.linkpc.net

# Reference: https://twitter.com/tiresearch1/status/1714283158588600641

crtypk.run.place
cryptykhost.work.gd
share.prosec.ink
singlelink.work.gd

# Reference: https://securelist.com/updated-mata-attacks-industrial-companies-in-eastern-europe/110829/
# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf

beeztrend.com
mbafleet.com
prajeshpatel.com
zawajonly.com
icimp.swarkul.com

# Reference: https://twitter.com/malwrhunterteam/status/1715075131175751740
# Reference: https://www.virustotal.com/gui/ip-address/68.170.2.240/relations
# Reference: https://www.virustotal.com/gui/file/5e523ba395d7b92001d14d0d0e607410af9acb61d724a4a7651c3d80a79fb532/detection

coingecko.bond

# Reference: https://twitter.com/tiresearch1/status/1717496437985128862

bitscrunch.co
bitscrunch.deck.linkpc.net
bitscrunch.im.linkpc.net
deck.linkpc.net
doc.global-link.run.place
global-link.run.place

# Reference: https://twitter.com/tiresearch1/status/1717554754023526564
# Reference: https://twitter.com/KSeznec/status/1717542794942660771
# Reference: https://www.virustotal.com/gui/file/47b8b4d55d75505d617e53afcb6c32dd817024be209116f98cbbc3d88e57b4d1/detection

co.intneral-document-he-gr-me.run.place
group.link-net.publicvm.com
internal.group.link-net.publicvm.com
intneral-document-he-gr-me.run.place
j-ic.co.intneral-document-he-gr-me.run.place
link-net.publicvm.com
on-global.xyz

# Reference: https://twitter.com/tiresearch1/status/1717922111749288043

bitscrunch.pd.linkpc.net
bitscrunch.presentations.life
col-link.linkpc.net
docshared.col-link.linkpc.net
pd.linkpc.net
presentations.life

# Reference: https://securelist.com/unveiling-lazarus-new-campaign/110888/
# Reference: https://otx.alienvault.com/pulse/653c0681ae38ba0d7d84e538

admin.esangedu.kr/XPaySample/submit.php
api.shw.kr/login_admin/member/login_fail.php
blastedlevels.com/levels4SqR8/measure.asp
droof.kr/Board/htmlEdit/PopupWin/Editor.asp
friendmc.com/upload/board/asp20062107.asp
hankooktop.com/ko/company/info.asp
hanlasangjo.com/editor/pages/page.asp
happinesscc.com/mobile/include/func.asp
healthpro.or.kr/upload/naver_editor/subview/view.inc
hicar.kalo.kr/data/rental/Coupon/include/inc.asp
hspje.com/menu6/teacher_qna.asp
ictm.or.kr/UPLOAD_file/board/free/edit/index.php
khmcpharm.com/Lib/Modules/HtmlEditor/Util/read.cer
kscmfs.or.kr/member/handle/log_proc.php
kstr.radiology.or.kr/upload/schedule/29431_1687715624.inc
little-pet.com/web/board/skin/default/read.php
mainbiz.or.kr/SmartEditor2/photo_uploader/popup/edit.asp
mainbiz.or.kr/include/common.asp
medric.or.kr/Controls/Board/certificate.cer
muijae.com/daumeditor/pages/template/simple.asp
muijae.com/daumeditor/pages/template/template.asp
muijae.com/daumeditor/pages/template/
new-q-cells.com/upload/newsletter/cn/frame.php
nonstopexpress.com/community/include/index.asp
pediatrics.or.kr/PubReader/build_css.php
pms.nninc.co.kr/app/content/board/inc_list.asp
safemotors.co.kr/daumeditor/pages/template/template.asp
samwoosystem.co.kr/board/list/write.asp
seoulanesthesia.or.kr/mail/mail_211230.html
seouldementia.or.kr/_manage/inc/bbs/jiyeuk1_ok.asp
siriuskorea.co.kr/mall/community/bbs_read.asp
swt-keystonevalve.com/data/editor/index.php
theorigin.co.kr:443/admin/management/index.php
ucware.net/skins/PHPMailer-master/index.php
vietjetairkorea.com/INFO/info.asp
vnfmal2022.com/niabbs5/upload/gongji/index.php
warevalley.com/en/common/include/page_tab.asp
yoohannet.kr/min/tmp/process/proc.php

# Reference: https://twitter.com/tiresearch1/status/1718902558922834192

cisco-webex.online
pdf.cisco-webex.online
support.cisco-webex.online

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-10-30-v10452/1080

bitscrunch.ddns.net
bitscrunch.serveirc.com
bitscrunch.tech.linkpc.net
bitscrunch.zapto.org
bitscrunchtech.linkpc.net
document.shared-link.line.pm
indaddy.xyz
internalpdfviewer.ddns.net
nor-health.xyz
shared-link.line.pm
tech.linkpc.net
voldemort.myvnc.com

# Reference: https://www.virustotal.com/gui/ip-address/192.236.194.152/relations

coupang-networks.pics
ronaldo-nftprojects.shop

# Reference: https://twitter.com/tiresearch1/status/1719979579170009130

cloud.doc-shared.linkpc.net
doc-shared.linkpc.net
dubai.network.cloud.doc-shared.linkpc.net
group.evalaskatours.com
internal.bounceme.net
mclearoptical.com
network.cloud.doc-shared.linkpc.net

# Reference: https://twitter.com/tiresearch1/status/1721811568814624831
# Reference: https://app.validin.com/axon?find=62.133.61.204&type=ip

online-meeting.team
safemeeting.online
team-meet.online
video-meeting.team
videomeethub.online

# Reference: https://twitter.com/tiresearch1/status/1722534103751540999

syncmeet.online
team-meeting.xyz

# Reference: https://twitter.com/tiresearch1/status/1725052270910538103
# Reference: https://www.virustotal.com/gui/ip-address/216.107.136.10/relations

bitscrunch.myvnc.com
blackleopard.myvnc.com
naverk.myvnc.com

# Reference: https://twitter.com/tiresearch1/status/1727306536522043677

privymeet.com

# Reference: https://twitter.com/tiresearch1/status/1727956853794250850

group-meeting.online
group-meeting.team

# Reference: https://asec.ahnlab.com/en/59073/
# Reference: https://otx.alienvault.com/pulse/655e254bda9c2bd236bc188f

109.248.150.147:8585
185.29.8.108:8585
27.102.118.204:6099
27.102.128.152:8098
84.38.132.67:9479
primez.online
song.th

# Reference: https://twitter.com/tiresearch1/status/1729392929612218731

france24.live
meeting-online.site
online-processing.online
ovcloud.online

# Reference: https://twitter.com/tiresearch1/status/1729754195903844484
# Reference: https://www.virustotal.com/gui/ip-address/104.168.137.21/relations

alwayswait.online
audiocheck.store
auditprovidre.online
cryptowave.capital
group-meeting.online
group-meeting.team
internal-meeting.online
kkvps.buzz
meetcentralhub.online
meetingverse.app
online-meeting.team
privymeet.com
safe-meeting.online
safemeeting.online
skyboxdrive.cloud
syncmeet.online
team-meet.online
team-meeting.xyz
trustmeeting.live
trustmeeting.online
ubi-safemeeting.live
ubi-safemeeting.online
video-meet.online
video-meet.team
video-meet.xyz
video-meeting.team
archax.privymeet.com
archax.skyboxdrive.cloud
archax.trustmeeting.live
bitfinex.internal-meeting.online
bitfinex.video-meet.online
cryptowave.internal-meeting.online
cryptowave.video-meet.online
d1.skyboxdrive.cloud
drop.skyboxdrive.cloud
dun.audiocheck.store
dun.auditprovidre.online
email.alwayswait.online
emv1.meetingverse.app
emv1.ubi-safemeeting.live
gumi-cryptos.group-meeting.online
gumi-cryptos.group-meeting.team
gumi-cryptos.team-meet.online
gumi-cryptos.team-meeting.xyz
gumi-cryptos.video-meet.team
hashkey.group-meeting.online
hashkey.group-meeting.team
hashkey.internal-meeting.online
hashkey.online-meeting.team
hashkey.team-meet.online
hashkey.team-meeting.xyz
hashkey.video-meet.online
hashkey.video-meet.team
hashkey.video-meeting.team
help.group-meeting.online
help.team-meet.online
help.video-meet.team
help.video-meeting.team
hwsrv-1093408.hostwindsdns.com
ihsgpnsj.meetingverse.app
internal-meeting.online
kraken.group-meeting.online
kraken.group-meeting.team
kraken.team-meet.online
kraken.video-meeting.team
meet.cryptowave.capital
meet.ubi-safemeeting.online
mta-sts.meetingverse.app
mta-sts.ubi-safemeeting.live
okx.internal-meeting.online
okx.video-meet.online
okx.video-meeting.team
pdf.cisco-webex.online
ryze.privymeet.com
shared.dropbox-docsend.online
support.cisco-webex.online
support.cryptowave.capital
support.group-meeting.online
support.group-meeting.team
support.internal-meeting.online
support.meetcentralhub.online
support.privymeet.com
support.safe-meeting.online
support.skyboxdrive.cloud
support.syncmeet.online
support.team-meet.online
support.team-meeting.xyz
support.trustmeeting.live
support.trustmeeting.online
support.ubi-safemeeting.live
support.ubi-safemeeting.online
support.video-meet.online
support.video-meet.team
support.video-meet.xyz
support.video-meeting.team
technical-support.group-meeting.team
technical-support.internal-meeting.online
technical-support.team-meet.online
technical-support.video-meet.online
troubleshoot.group-meeting.team
troubleshoot.internal-meeting.online
troubleshoot.team-meeting.xyz
ubisoft.group-meeting.online
ubisoft.internal-meeting.online
ubisoft.safe-meeting.online
ubisoft.trustmeeting.live

# Reference: https://www.virustotal.com/gui/file/60674602836323647634016774ea123232160c1b4dfcf3fcd2d2c28c652aa00e/detection

104.168.151.34:8080
audiocheck.store
autoupdate.xyz
botsc.autoupdate.xyz
dun.audiocheck.store

# Reference: https://twitter.com/tiresearch1/status/1730114476786229304

einei.line.pm
onelao.line.pm
tiena.einei.line.pm

# Reference: https://twitter.com/tiresearch1/status/1731600500259524993

team-meet.xyz
team-meeting.pro
archax.meetingverse.app
archax.team-meeting.pro
hashkey.team-meeting.pro
lrakkiqr.team-meeting.pro
mail.privymeet.com
technical-support.safe-meeting.online

# Reference: https://twitter.com/tiresearch1/status/1733020053426282778

wndlwndmfe.xyz

# Reference: https://mp.weixin.qq.com/s/f5YE12w3x3wad5EO0EB53Q

http://103.179.142.171
http://156.236.76.9
chaingrown.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-12-06-v10480/1183

manchestercity.work.gd
myself.hopto.org

# Reference: https://slowmist.medium.com/analysis-of-north-korean-hackers-targeted-phishing-scams-on-telegram-872db3f7392b
# Reference: https://otx.alienvault.com/pulse/65773dc2466c7161e66b3d07

archax.team-meeting.xyz
archax.videomeethub.online
emv1.group-meeting.team
emv1.team-meet.xyz

# Reference: https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
# Reference: https://www.virustotal.com/gui/file/000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee/detection
# Reference: https://www.virustotal.com/gui/file/0e416e3cc1673d8fc3e7b2469e491c005152b9328515ea9bbd7cf96f1d23a99f/detection
# Reference: https://www.virustotal.com/gui/file/e615ea30dd37644526060689544c1a1d263b6bb77fe3084aa7883669c1fde12f/detection
# Reference: https://www.virustotal.com/gui/file/9a48357c06758217b3a99cdf4ab83263c04bdea98c347dd14b254cab6c81b13a/detection
# Reference: https://www.virustotal.com/gui/file/534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433/detection
# Reference: https://www.virustotal.com/gui/file/ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4/detection
# Reference: https://www.virustotal.com/gui/file/47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30/detection
# Reference: https://www.virustotal.com/gui/file/f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59/detection
# Reference: https://www.virustotal.com/gui/file/5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541/detection
# Reference: https://www.virustotal.com/gui/file/82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def/detection

http://155.94.208.209
http://185.29.8.53
http://27.102.113.93
201.77.179.66:8082
micrsofts.tech
tech.micrsofts.com
tech.micrsofts.tech

# Reference: https://www.virustotal.com/gui/ip-address/23.254.129.6/relations
# Reference: https://app.validin.com/axon?source=DNS&type=ip&find=23.254.129.6

commoncome.site
good.commoncome.site
wideocean.run.place

# Reference: https://twitter.com/karol_paciorek/status/1749376208477786172

http://173.249.5.112

# Reference: https://twitter.com/malwrhunterteam/status/1750492037936222291
# Reference: https://twitter.com/greglesnewich/status/1750500025346445609
# Reference: https://www.virustotal.com/gui/file/e05142f8375070d1ea25ed3a31404ca37b4e1ac88c26832682d8d2f9f4f6d0ae/detection

fasttet.com

# Reference: https://twitter.com/tiresearch1/status/1755176085610721337
# Reference: https://www.virustotal.com/gui/ip-address/217.20.117.39/relations

continue-meeting.site
drive-access.site
home-continue.online
home-proceed.online
pannel-get-data.us
ushrt.us
join-room.meeting-online.site

# Reference: https://twitter.com/h2jazi/status/1757798585611997236
# Reference: https://www.virustotal.com/gui/file/b557fa6a92e1ecd768aa723258cb453beb6597c583dbe76d8e82ffdf392f5932/detection

franksweeklycall.com/wp-includes/html-api/class-wp-html-user.php

# Reference: https://twitter.com/asdasd13asbz/status/1758054481957450034
# Reference: https://www.virustotal.com/gui/ip-address/35.167.150.110/relations

elshaik.com/wp-content/plugins/elementor/core/editor/editor-ui.php
ssoc.cl/wp-content/plugins/webmention/libraries/emoji-detector/src/Detector.php

# Reference: https://twitter.com/malwrhunterteam/status/1764037492812943550
# Reference: https://www.virustotal.com/gui/file/0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7/detection
# Reference: https://www.virustotal.com/gui/file/bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b/detection

jdkgradle.com

# Reference: https://twitter.com/malwrhunterteam/status/1769840338745659896
# Reference: https://www.virustotal.com/gui/file/09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38/detection

mingeloem.com

# Reference: https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/

http://145.232.235.222

# Reference: https://asec.ahnlab.com/en/63192/

84.38.129.21:2222
84.38.129.21:5443
ourhome.o-r.kr
mssrv.kro.kr
privacy.hopto.org
panda.ourhome.o-r.kr

# Reference: https://twitter.com/1ZRR4H/status/1771912721031663841
# Reference: https://www.virustotal.com/gui/file/02d55193310ea19a4ce4c8a7f095c84b0511946d11a647e12758569292014882/detection
# Note: the.earth.li/~sgtatham/putty/ is the official PuTTY download host; the path trail below reflects this sample's download activity, so hits on it can also come from legitimate PuTTY 0.80 downloads and should be triaged together with the 91.92.248.50 trails rather than treated as malicious on their own.

http://91.92.248.50
91.92.248.50:445
the.earth.li/~sgtatham/putty/0.80/w64/

# Reference: https://twitter.com/dimitribest/status/1782609281897902426
# Reference: https://twitter.com/Cyberteam008/status/1782983614701162993

147.124.212.89:1244
147.124.214.129:1244
147.124.214.131:1244
147.124.214.237:1244
67.203.7.171:1244
67.203.7.245:1244

# Reference: https://twitter.com/tiresearch1/status/1784118099278741797

star-bucks.autos
star-bucks.beauty
star-bucks.boats
star-bucks.bond
star-bucks.cam
star-bucks.cfd
star-bucks.click
star-bucks.com
star-bucks.fun
star-bucks.gay
star-bucks.guru
star-bucks.homes
star-bucks.lol
star-bucks.makeup
star-bucks.mom
star-bucks.motorcycles
star-bucks.net
star-bucks.pics
star-bucks.quest
star-bucks.rest
star-bucks.sbs
star-bucks.shop
star-bucks.skin
star-bucks.store
star-bucks.tattoo
star-bucks.today
star-bucks.top
star-bucks.xyz
star-bucks.yachts
starbuckscenter.autos
starbuckscenter.beauty
starbuckscenter.boats
starbuckscenter.bond
starbuckscenter.cam
starbuckscenter.cfd
starbuckscenter.click
starbuckscenter.com
starbuckscenter.fun
starbuckscenter.gay
starbuckscenter.guru
starbuckscenter.homes
starbuckscenter.life
starbuckscenter.lol
starbuckscenter.makeup
starbuckscenter.mom
starbuckscenter.motorcycles
starbuckscenter.net
starbuckscenter.pics
starbuckscenter.quest
starbuckscenter.rest
starbuckscenter.sbs
starbuckscenter.shop
starbuckscenter.skin
starbuckscenter.store
starbuckscenter.tattoo
starbuckscenter.today
starbuckscenter.top
starbuckscenter.xyz
starbuckscenter.yachts
starbucksevent.autos
starbucksevent.beauty
starbucksevent.boats
starbucksevent.bond
starbucksevent.cam
starbucksevent.cfd
starbucksevent.click
starbucksevent.com
starbucksevent.fun
starbucksevent.gay
starbucksevent.guru
starbucksevent.homes
starbucksevent.life
starbucksevent.lol
starbucksevent.makeup
starbucksevent.mom
starbucksevent.motorcycles
starbucksevent.net
starbucksevent.quest
starbucksevent.rest
starbucksevent.sbs
starbucksevent.shop
starbucksevent.skin
starbucksevent.store
starbucksevent.tattoo
starbucksevent.today
starbucksevent.top
starbucksevent.xyz
starbucksevent.yachts

# Reference: https://app.validin.com/detail?type=ip&find=194.59.183.241#tab=resolutions

starbucks-goodsitem.cfd
starbucks-greenapron.lol
starbucks-greenapronnft.click
starbucks-odyssey.shop
starbucks-support.store
starbucksnft-service.xyz

# Reference: https://app.validin.com/detail?find=45.86.230.189&type=ip4&ref_id=2dd37ed5db5#tab=resolutions

11stnft.click
starbucks-greenapron.rest
starbucks-greenaprons.cfd
starbucks-newtech.bond
starbucks-newtech.cfd
starbucksgoodsnft.click
starbucksgreenapron.bond
starbucksnftservice.homes

# Reference: https://twitter.com/MichalKoczwara/status/1785379113517154732

private-meet.online
fenbushi.private-meet.online

# Reference: https://twitter.com/MichalKoczwara/status/1787783113742885332

letsmeetnow.site
regular-meeting.team
ngc.regular-meeting.team
fenbushi.regular-meeting.team

# Reference: https://twitter.com/KseProso/status/1788114018722595188
# Reference: https://twitter.com/ValidinLLC/status/1788128803698450591
# Reference: https://www.virustotal.com/gui/ip-address/104.168.157.45/relations

cloudstore.business
group-meeting.pro
instant-patch.online
online-meet.team
online-meet.xyz
online-meeting.co
preconnection.online
team-meeting.net
voov-meeting.site
abc.preconnection.online
alpha.preconnection.online
email.instant-patch.online
emv1.group-meeting.pro
emv1.preconnection.online
emv1.private-meet.online
hashkey.online-meet.team
hashkey.online-meet.xyz
liwoeson.online-meet.team
ok.preconnection.online
signum.group-meeting.pro
support.group-meeting.pro
support.online-meet.xyz
waterdrip.group-meeting.pro

# Reference: https://twitter.com/ValidinLLC/status/1788134423273034033
# Reference: https://www.virustotal.com/gui/ip-address/104.168.203.159/relations

general-meeting.team
private-meet.team
private-meet.xyz
emv1.general-meeting.team
fenbushi.general-meeting.team
fenbushi.private-meet.team
ngc.private-meet.xyz
support.general-meeting.team

# Reference: https://mp.weixin.qq.com/s/84lUaNSGo4lhQlpnCVUHfQ

147.124.212.146:1244
147.124.213.11:1244
147.124.213.29:1244
172.86.123.35:1244
172.86.97.80:1224
173.211.106.101:1245
45.61.131.218:1245
91.92.120.135:3000

# Reference: https://x.com/dimitribest/status/1796191215626440908
# Reference: https://www.virustotal.com/gui/file/6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0/detection
# Reference: https://www.virustotal.com/gui/file/01611aa9fe649335a7d813fa1693b9421d8585155351f3a696e8bfdcf45440d3/detection
# Reference: https://www.virustotal.com/gui/file/70db987e2545cbc3e22bac0503f89f46a441cc9f206d0aa41d66b54f511638d6/detection

172.86.98.240:1224

# Reference: https://twitter.com/asdasd13asbz/status/1788848468947296398

67.203.7.245:21

# Reference: https://twitter.com/MichalKoczwara/status/1788980517812994267
# Reference: https://app.validin.com/detail?type=ip&find=104.168.203.161

regular-meeting.site
regular-meeting.xyz
ngc.regular-meeting.site

# Reference: https://app.validin.com/detail?find=regular-meeting.online&type=dom#tab=resolutions

regular-meeting.online

# Reference: https://app.validin.com/detail?find=regular-meeting.pro&type=dom#tab=resolutions

regular-meeting.pro

# Reference: https://x.com/banthisguy9349/status/1795545335164490137
# Reference: https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/

bestonlinefilmstudio.org
ccwaterfall.com
defitankzone.com
detankwar.com
freenet-zhilly.org
matrixane.com
pointdnt.com
starglowventures.com

# Reference: https://raw.githubusercontent.com/0xKoda/ioc-public/main/ioc.json

ld-digitaal.com
tiktoks.bio
yayachuhai.top
long.waitingfor.cfd
us13.yayachuhai.top

# Reference: https://checkmarx.com/blog/a-new-north-korean-group-emerges-disrupting-the-open-source-ecosystem/

cryptopriceoffer.com

# Reference: https://x.com/MichalKoczwara/status/1812580245645766928
# Reference: https://www.validin.com/blog/hunting-lazarus-dns-history-host-responses/
# Reference: https://www.virustotal.com/gui/ip-address/104.168.157.45/relations

alwayswelcome.online
docsend.online
docsend.site
docsend.store
dropfile.cloud
dropfile.online
general-meet.online
general-meet.site
general-meet.team
group-meet.online
group-meet.site
group-meet.team
internal-meet.online
internal-meet.team
internal-meet.xyz
live-meeting.world
meet-safe.online
meeting-central.online
meeting-hub.online
meeting-pro.online
meetup-zone.online
online-meeting.community
online-meeting.social
regular-meet.online
regular-meet.site
regular-meet.team
room-connect.online
roomconnect.online
video-meet.site
virtual-collab.online
7xvc.roomconnect.online
abc.roomconnect.online
beta.preconnection.online
http-qjhndbrw.roomconnect.online
https-qjhndbrw.roomconnect.online
xkbaaalpha.preconnection.online

# Reference: https://x.com/malwrhunterteam/status/1812792291876119034
# Reference: https://objective-see.org/blog/blog_0x7A.html
# Reference: https://www.virustotal.com/gui/file/9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c/detection

95.164.17.24:1224
mirotalk.net

# Reference: https://x.com/dimitribest/status/1815789250656301211
# Reference: https://search.censys.io/search?q=services.http.response.headers%3A+%28key%3A+%60ETag%60+and+value.headers%3A+%60W%2F%2286b-1886de13223%22%60%29&resource=hosts

67.203.7.163:1244

# Reference: https://www.virustotal.com/gui/ip-address/23.254.244.242/relations
# Reference: https://search.censys.io/search?q=services.http.response.headers%3A+%28key%3A+%60ETag%60+and+value.headers%3A+%60W%2F%22841-18e75d61ccb%22%60%29&resource=hosts

23.254.244.242:3000
coupang-marketing.rest
coupang-sales.rest
starbucks-services.cyou

# Reference: https://www.virustotal.com/gui/ip-address/192.236.233.51/relations

starbucksservice.homes
yourstabrucks.monster

# Reference: https://www.virustotal.com/gui/ip-address/192.119.81.146/relations

starbucksfirst.icu

# Reference: https://www.virustotal.com/gui/ip-address/104.168.237.182/relations

coca-cola.bond
starbucks-corp.art

# Reference: https://search.censys.io/search?q=services.http.response.html_tags%3D%22%3Ctitle%3ENode.js+upload+multiple+files%3C%2Ftitle%3E%22&resource=hosts

http://143.198.48.95
143.198.48.95:22
143.198.48.95:443

# Reference: https://x.com/h2jazi/status/1818715043800006982
# Reference: https://www.virustotal.com/gui/file/f7559f6d4346f412c2c4ea18363efba3075345b7533af9964298803ffe75f919/detection
# Reference: https://www.virustotal.com/gui/file/dd038040283793c67cd50252fb9ef20eb07e2f36d284f70cb2340e501dcb99d7/detection

honehsn.com

# Reference: https://x.com/JangPr0/status/1818787100130787428
# Reference: https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/

166.88.132.114:8000
77.37.37.81:1244
77.37.37.81:8000
ztec.store
de.ztec.store

# Reference: https://www.virustotal.com/gui/file/e90cedfce785b0f1ed30661914a0c169edf8ccb039cd722fec7fd5a85a3e99ad/detection

185.208.158.203:5555

# Reference: https://x.com/malwrhunterteam/status/1820375076312604830
# Reference: https://www.virustotal.com/gui/file/1ab4af3bb2a343e9bc29e177aebe7d175a6b8af317ee3a8527271ed41148212e/detection
# Reference: https://www.virustotal.com/gui/file/3ac93cd715dc191464703b988ba1d72d4bd97836bcddea9a653232fd57facf00/detection

185.208.158.203:8080

# Reference: https://x.com/MichalKoczwara/status/1826162083332829323
# Reference: https://www.virustotal.com/gui/ip-address/104.168.165.173/relations

cloud-storage.world
ryzelabs.net
meet.ryzelabs.net
7xvc.virtual-collab.online
dragonfly.virtual-collab.online
support.virtual-collab.online
technical-support.virtual-collab.online

# Reference: https://x.com/Merlax_/status/1826417594766651777
# Reference: https://www.virustotal.com/gui/file/8a23dd86da0aff9b460b8ebc9dd3e891d44ea0183ace4f5d28a7e4ddab47664a/detection
# Reference: https://www.virustotal.com/gui/file/a87b6664b718a9985267f9670e10339372419b320aa3d3da350f9f71dff35dd1/detection

http://45.140.147.208
45.140.147.208:53421
45.140.147.208:53422

# Reference: https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/
# Reference: https://app.validin.com/detail?find=167.88.36.13&type=ip4&ref_id=545b0c93f1c#tab=resolutions
# Reference: https://app.validin.com/detail?type=ip&find=45.61.158.14#tab=resolutions

ipcheck.cloud
regioncheck.net
repohost.online
support-pishgam.site

# Reference: https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/
# Reference: https://app.validin.com/detail?find=185.135.84.58&type=ip4&ref_id=5a6b4dd9f9e#tab=resolutions

voyagorclub.space
weinsteinfrog.com

# Reference: https://www.group-ib.com/blog/apt-lazarus-python-scripts/
# Reference: https://www.virustotal.com/gui/file/7165aa2157b7cb4e20a0ed68b26a2b9c6957ae370d6bcb58918efb47b595744f/detection
# Reference: https://www.virustotal.com/gui/file/1ef484513c027ccc747a88777559f96018e2b5cad830025911f0786e24d491f3/detection

23.106.253.194:1244
freeconference.io
/brow/N3RFYU07
/payload/N3RFYU07
/N3RFYU07

# Reference: https://x.com/MichalKoczwara/status/1833241777374900497
# Reference: https://www.virustotal.com/gui/ip-address/104.168.165.165/relations

meeting-zone.online
video-meets.online
7xvc.meeting-central.online
7xvc.meeting-zone.online
abc.meeting-central.online
abc.meeting-zone.online
access.support.general-meet.site
admin.alwayswelcome.online
admin.general-meet.site
admin.meeting-central.online
admin.meeting-zone.online
admin.support.general-meet.site
affiliate.support.general-meet.site
ann.support.general-meet.site
api.alwayswelcome.online
api.general-meet.site
api.meeting-zone.online
apollo.support.general-meet.site
app.alwayswelcome.online
app.meeting-zone.online
backed.general-meet.site
backend.alwayswelcome.online
backend.meeting-zone.online
demo.alwayswelcome.online
dev.alwayswelcome.online
dev.general-meet.site
dev.meeting-zone.online
emv1.alwayswelcome.online
emv1.group-meet.online
emv1.group-meet.site
foundationcap.regular-meet.team
longhash.general-meet.site
longhash.video-meets.online
mail1.fuchuangonline.com
meeting-zone.online
metaschool.video-meets.online
ngc.regular-meet.site
staging.alwayswelcome.online
staging.meeting-zone.online
support.general-meet.site
support.meeting-zone.online
support.regular-meet.online
support.regular-meet.team
support.video-meet.site
support.video-meets.online

# Reference: https://www.elastic.co/security-labs/dprk-code-of-conduct
# Reference: https://app.validin.com/detail?find=92e6a5d3a7f7f2cf909fa50522b44b4d33719202db005383be611a2e68a3d5b3&type=hash&ref_id=77a108e8213#tab=host_pairs_v2
# Reference: https://www.virustotal.com/gui/file/6779f9b40beaf172950372303d89452358403189d236c5856d305ded2e82a15f/detection

akamaitechnologies.online
ceinbase.com
cienbase.com
ceionbase.com
coinblase.com
coinbrase.com
login.ceionbase.com
loading-coinbase.com
accounts.ceinbase.com
links.ceinbase.com
login.ceinbase.com
login.coinblase.com
login.coinbrase.com

# Reference: https://app.validin.com/detail?find=45.32.90.176&type=ip4&ref_id=d162d0bbffd#tab=resolutions

cicoinbase.com
cobinase.com
cobinbase.com
coinbalse.com
coinibrase.com
coininbase.com
eoinbase.com
login.cicoinbase.com
login.cobinase.com
login.cobinbase.com
login.coinbalse.com
login.coinibrase.com
login.coininbase.com
mail.eoinbase.com

# Reference: https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/
# Reference: https://www.virustotal.com/gui/file/f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703/detection

rgedist.com
talesseries.com

# Reference: https://x.com/eastside_nci/status/1836605224020033548
# Reference: https://search.censys.io/hosts/45.61.128.122

caladangroup.xyz
selinicapital.online
selinicapital.xyz
sellinicapital.com
meet.caladangroup.xyz
meet.selinicapital.online
meet.selinicapital.xyz
meeting.sellinicapital.com

# Generic

/daumeditor/pages/template/
/daumeditor/pages/template/simple.asp
/daumeditor/pages/template/template.asp
/levels4SqR8/measure.asp
/mall/community/bbs_read.asp
/niabbs5/upload/gongji/index.php
/niabbs5/upload/gongji/
/_manage/inc/bbs/jiyeuk1_ok.asp
/inc/bbs/jiyeuk1_ok.asp
/asdfghjkl
/qwertyuiop
/qwertyuiop/asdfghjkl
/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/
/Of56cYsfVV8/
/OJITWH2WFx/
/Jy5S7hSx0K/
/fP7saoiPBc/
