# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apachestealer, confucius, patchwork, sneepy, droppingelephant, sloppylemming

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/
# Reference: https://twitter.com/shotgunner101/status/1084111296746921986
# Reference: https://otx.alienvault.com/pulse/5c3c8199888d403ecee5e463

kielsoservice.net
frameworksupport.net

# Reference: https://twitter.com/blackorbird/status/1119518720794058752
# Reference: https://www.virustotal.com/gui/file/e94659941847dac6e5483df31d6429c9bfb339a013079f41ea52e7fe86d7f061/detection
# Reference: https://s.tencent.com/research/report/711.html (Chinese)

crowcatcher.net
global-news.center
useraccount.co
188.241.58.60:21
188.241.58.61:21

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/
# Reference: https://brica.de/alerts/alert/public/1215663/new-confucius-malware-campaign-has-links-to-patchwork-cybergang/

errorfeedback.com

# Reference: https://twitter.com/h4ckak/status/1161208604566966272

http://139.28.38.231

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/
# Reference: https://documents.trendmicro.com/assets/appendix-deciphering-confucius-cyberespionage-operations.pdf

http://199.101.187.54
http://45.63.43.29
http://45.76.33.53
http://46.165.207.108
http://5.135.73.109
http://5.135.73.109
http://91.210.107.104
http://94.242.219.205
46.165.249.223:80
5.199.163.51:4343
91.210.107.106:80
91.210.107.109:80
91.210.107.110:80
adhath-learning.com
freeintrnet.com
mfone.net
mofu.tech
simplechatpoint.ddns.net
truth786.com
tweetychat.com
/android_connect/insert_account.php
/android_connect/insert_contacts.php
/android_connect/insert_file_list.php
/android_connect/insert_sms.php
/android_connect/upload_file_content.php

# Reference: https://twitter.com/RedDrip7/status/1184099910892670976

yetwq.twilightparadox.com

# Reference: https://twitter.com/spider_girl22/status/1172044630512164864

192.250.236.76:80

# Reference: https://twitter.com/Rmy_Reserve/status/1172016149971619841

upgrading-office-content.esy.es

# Reference: https://twitter.com/Arkbird_SOLG/status/1225014088755044353

185.193.38.24:443

# Reference: https://www.cymmetria.com/wp-content/uploads/2017/10/Unveiling-Patchwork.pdf

163-cn.org
81-cn.net
aaskmee.com
alfred.ignorelist.com
annchenn.com
asiandefnetwork.com
blingblingg.com
chinastrat.com
chinastrats.com
climaxcn.com
cndailynetwork.info
dailychina.news
epg-cn.com
expatchina.info
extremebolt.com
extrememachine.org
extremerebolt.com
eyescreem.com
greatdexter.com
haiwaipengyou.com
info81.com
junshiyuehui.com
letsgetclose.com
lujunxinxi.com
majidalfuttaiim.com
matrixrevolt.com
militaryworkerscn.com
milresearchcn.com
miltechcn.com
miltechweb.com
modgovcn.com
mozarting.com
nduformation.com
newsnstat.com
nextraload.com
nudtcn.com
numeronez.com
nutcn.com
office-rb-support.com
outlookkz.com
pizzahomez.com
qqgroups.info
revoltmax.com
securematrixx.com
sinodefprog.info
socialfreakzz.com
symantecz.com
telemediaz.com
webworldreq.com
wikifedia.space
xbladezz.com
xmachinez.com
you-yisi.com
yue-lao.info

# Reference: https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/
# Reference: https://www.virustotal.com/gui/file/33c061dcf59d17c950fc450593cb4c3df1ee755f3a6a216eafc9717e76bc0858/behavior/VirusTotal%20Cuckoofork

130dozen.com
adhath-learning.com
avtofrom.us
b3autybab3s.com
bookerstream.com
breachframework.com
breachframework.website
chucknorr.com
com-account-jfnjkr.xyz
cooperednews.info
couchypotatoes.com
cutedazzle.com
didlynews.info
fierybarrels.com
fullhalfempty.com
gallopingroses.com
gomadweb.com
greatleonidas.com
jupanto.com
little-nuts.com
magzinehog.com
mysugarbin.com
neistovo.com
news-letters-4u.com
newsscrapper.com
newstodayreviews.com
nophoz.com
onepickle.com
purple-banana.com
romanrugby.com
roseauster.com
sechshun8.com
softwares-free.com
speedeagles.com
stepontheroof.com
stilletowheels.com
tangyball.com
teens3xweb.com
teensechs.com
templetom.com
transseksualov.com
tumblebin.com
twigreader.com
uchitel-nitsa.com
wetcottonballs.com
wond3rfulworld.com
younghogs.com
your3x.com
zadnitsa.com
znaniye-onlayn.com
http://95.211.38.135/search1.php
/ipimp.txt

# Reference: https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf

nowhatsapp.com
web.nowhatsapp.com
myrocketchat.com
tweetychat.com
secretchatpoint.com
simplechatpoint.ddns.net
android-helper.info
chatit.club
chaton.life
chaton.live
kahmir-n.com
kashmir-n.com
philionschat.com
sync.chatit.club

# Reference: https://twitter.com/malwrhunterteam/status/1273581262750593030
# Reference: https://twitter.com/JAMESWT_MHT/status/1273583949646893056
# Reference: https://twitter.com/Arkbird_SOLG/status/1273627959170121734
# Reference: https://www.virustotal.com/gui/file/977c81bfab432eaeb119167b5342468918645636aa3dc94bdb993667c2e96693/detection
# Reference: https://www.virustotal.com/gui/file/628172ab0dc7360ebc49ec15f6197d7f26f6e06c370aad9c55e5e87542bcb4ec/detection
# Reference: https://app.any.run/tasks/21e6efb4-751f-4135-9f8d-e3f4a9624c5b/
# Reference: https://app.any.run/tasks/0901274f-49ff-41a4-919d-759a68e79685/

http://185.29.10.117
http://94.156.35.204
185.29.10.117:443
altered.twilightparadox.com

# Reference: https://twitter.com/ShadowChasing1/status/1346747278279643137
# Reference: https://www.virustotal.com/gui/file/b9b5a9fa0ad7f802899e82e103a6c2c699c09390b1a79ae2b357cacc68f1ca8e/detection

msoffice.user-assist.site
user-assist.site

# Reference: https://twitter.com/ShadowChasing1/status/1351201320670285836
# Reference: https://www.virustotal.com/gui/file/7fb7944fb452d8588194ea746910ed782865efb991fa02479e429f8fba677d3b/detection

http://176.107.181.213

# Reference: https://twitter.com/mg2_tracy1/status/1358246040302850055

http://108.62.12.210
mlservices.online

# Reference: https://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict
# Reference: https://otx.alienvault.com/pulse/6025716ad1074318fbe5b3c8/

cucuchat.com
pieupdate.online
samaatv.online
tea-time.link

# Reference: https://twitter.com/ShadowChasing1/status/1360806740367876105
# Reference: https://www.virustotal.com/gui/file/f615bb459a91d76ee8a56661666fc450297dd9f9736dbe5b3efda7fb2f2ade70/detection

sunshinereal.000webhostapp.com

# Reference: https://0xthreatintel.medium.com/internals-of-ave-maria-malware-cb0f63bcce8d
# Reference: https://www.virustotal.com/gui/file/a6e56c81c88fdaa28cbd3bf72635c5becb164f75f51ff0aabd46ee7723d4ac23/detection

108.62.12.210:4251

# Reference: https://twitter.com/ShadowChasing1/status/1364925537651617794
# Reference: https://www.virustotal.com/gui/domain/moe-cn.org/relations
# Reference: https://www.virustotal.com/gui/file/153d5941a73f9600046ad859e819db33b323908a99712cd224d454cd5e3ba004/detection
# Reference: https://www.virustotal.com/gui/file/4a4238e7d8c2b0950165fd1d4c6c9e43c20848028cbe1e52945c87bb921cfba8/detection

185.61.148.223:8080
208.91.197.91:8080
moe-cn.org

# Reference: https://twitter.com/AnonySecAgency/status/1371648062460887040
# Reference: https://www.virustotal.com/gui/file/c3f0c89e7cddfe0a130a58c3e9edcae06579ee6d88787d5222368a8f57cc899e/detection

185.157.78.135:4040

# Reference: https://twitter.com/h2jazi/status/1415347869318537220

http://142.202.191.236

# Reference: https://twitter.com/ShadowChasing1/status/1422180936632860677
# Reference: https://www.virustotal.com/gui/file/6ddf7b13312987ed7d85ff6795f279d4c09ef67e7895a84254e53776a7ea9873/detection

142.202.191.234:2022

# Reference: https://twitter.com/ShadowChasing1/status/1449172597816455170

http://23.81.246.170
/doodle14/UploadToServer.php
/doodle14/createDirecotory.php
/doodle14/save_file_str.php
/doodle14/save_target_applist.php
/doodle14/savetargetdeviceinfo.php

# Reference: https://twitter.com/souiten/status/1473142851798114312
# Reference: https://www.virustotal.com/gui/file/3ddbd2f9d4194aaebaffda1417b34aa1c2a5ec948e01b7ef0a1c9e035e78721e/detection

http://104.143.36.19

# Reference: https://twitter.com/ShadowChasing1/status/1491954861402771456

webinstaller.online

# Reference: https://twitter.com/RedDrip7/status/1529403598165004289
# Reference: https://www.virustotal.com/gui/file/9153c0618803e8799472060ac508135933f551581ede827265c78d644aba08b1/detection

dayspringdesk.xyz
/wfgkl/cvrkaf/xkj/test.php
/wfgkl/cvrkaf/

# Reference: https://twitter.com/__0XYC__/status/1540211206211772416
# Reference: https://www.virustotal.com/gui/file/2d5afc95d620bed1ba631a34e6ad7c490da58d931045e1294dcf739326ad053d/detection

taxofill.info

# Reference: https://twitter.com/__0XYC__/status/1535107137441251328

t7g5c.app.link

# Reference: https://twitter.com/__0XYC__/status/1540212682271236096
# Reference: https://twitter.com/__0XYC__/status/1540214103733522432

pmogov.online
pmo.app.link

# Reference: https://twitter.com/__0XYC__/status/1543806683092340737
# Reference: https://twitter.com/__0XYC__/status/1543807380269432832
# Reference: https://twitter.com/jaydinbas/status/1543952789491040257
# Reference: https://twitter.com/jaydinbas/status/1543952905925005314
# Reference: https://twitter.com/h2jazi/status/1543965665526255617
# Reference: https://www.virustotal.com/gui/file/041aa41948f654f8813b0a411f449e91ba84cdd5c0b08040bcdd9592df63a245/detection
# Reference: https://www.virustotal.com/gui/file/9a42cdfe611f7e50cafc33da9e8dc5bd51abf1d16e31d324d28842d0cfef4170/detection
# Reference: https://www.virustotal.com/gui/file/041aa41948f654f8813b0a411f449e91ba84cdd5c0b08040bcdd9592df63a245/detection
# Reference: https://www.virustotal.com/gui/file/8adad3cb57e851c7daefe2e2f61c578c63bffaf61afbda23815ecc3c6eabf902/detection
# Reference: https://www.virustotal.com/gui/file/4e19ca405e8caef23a677609b4fde2cf1c482cc08ea39d72dc89ccddc0d96c79/detection

blingin.shop
blingin.xyz
jizyajan.shop
jusmine.xyz
mamba.live
taxofill.info

# Reference: https://twitter.com/Des00464472/status/1549615287846453248

pankilo.xyz

# Reference: https://twitter.com/h2jazi/status/1558130495891857408
# Reference: https://www.virustotal.com/gui/file/1dd1c52e5eb1b1e5c4abc7c327b63687528118e612e9a42f01b97955676f4ff0/detection

support-office-us.herokuapp.com

# Reference: https://twitter.com/StopMalvertisin/status/1560213184535199749
# Reference: https://www.virustotal.com/gui/file/d732bc4f7bd2951cedef03a3a3235cce4f33602c858e0c5caceeb98f5bf1a4bf/detection

office-fonts.herokuapp.com

# Reference: https://twitter.com/__0XYC__/status/1561917066482966528
# Reference: https://twitter.com/h2jazi/status/1562079407853953024
# Reference: https://www.virustotal.com/gui/file/0e30b6e1b05279aac4c0b3b1d8b6d250fec0999cc72d0506e617fde53bc4f6e9/detection

bonimoni.xyz
viterwin.club

# Reference: https://twitter.com/souiten/status/1565597424013365249
# Reference: https://www.virustotal.com/gui/file/c795a13148b13b6c293c11099fbe06aed8b478e1713d5c3c849fa7acabc215cc/detection
# Reference: https://www.virustotal.com/gui/file/9268c46f5ed8b2f00cf3ef4d14e5bc327907b776a97b466a52bc9fbfea002e5b/detection

http://125.209.76.62
http://192.227.174.165

# Reference: https://twitter.com/t3ft3lb/status/1567947765132435459
# Reference: https://www.virustotal.com/gui/file/aa6b4f8948d8524835dee9064ab54dc8f9f410eae7cbc502b1baf21cca5f8b20/detection

51.89.251.8:443

# Reference: https://twitter.com/SethKingHi/status/1570608984348053508
# Reference: https://www.virustotal.com/gui/file/2592a0b60b5902a5cbdfa19d5612546a53e6f1bf6ead33d1d86d392c5e281263/detection

http://74.119.193.145

# Reference: https://twitter.com/ShadowChasing1/status/1576854577483157504
# Reference: https://www.virustotal.com/gui/file/449b4cee4b9df09777891a70248e000e3bb13f33d579603f69e444d4d175d022/detection

en-us-office.herokuapp.com

# Reference: https://twitter.com/StopMalvertisin/status/1578405262209142785
# Reference: https://www.virustotal.com/gui/file/bba3303974f9b4b0bc2e0b0c52e8b656992b6f18ee6321ff49d87ce1e448c69d/

office-templates.herokuapp.com

# Reference: https://twitter.com/RedDrip7/status/1578687322291593216
# Reference: https://twitter.com/blackorbird/status/1585555349939314688
# Reference: https://mp.weixin.qq.com/s/IwcxY3TqkmyY-pBxnXuM1A
# Reference: https://www.virustotal.com/gui/file/a9175491a108645ba2f0f906d639bd94e895e41370e6c23c59b95ab4a927a6fa/detection

162.216.240.173:1991
housingpanel.info
zaim.pkwebs.com/wp-includes/c
/vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/x8jb9g97kkexor5ihnbq/d91ng62l00hc4vgaxkf.php
/vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/x8jb9g97kkexor5ihnbq/
/vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/
/vwykzjzy2si478c7a2w/
/terncpx8yr2ufvisgd2j/
/x8jb9g97kkexor5ihnbq/
/d91ng62l00hc4vgaxkf.php

# Reference: https://www.virustotal.com/gui/file/2b8194a93c17d82a1814c094768c1fb728c105fd6e89661c9af51370a31dbb17/detection

http://172.81.62.200

# Reference: https://twitter.com/SethKingHi/status/1588054655623659520
# Reference: https://www.virustotal.com/gui/file/115ddd20884fcf42f8937287e2b2cbb52e4d1420c000953ab8945f724c6c2f93/detection

webinstall2.ddns.net

# Reference: https://twitter.com/__0XYC__/status/1593088165556150272
# Reference: https://twitter.com/BaoshengbinCumt/status/1593108148646449152

mail-paf-documents-download-pk.herokuapp.com

# Reference: https://twitter.com/malwrhunterteam/status/1593021085997420544
# Reference: https://www.virustotal.com/gui/file/41e561168a4a26f7d4bc14186c2d7fc2232e12fd1aa44ef77b4a9d45e14fc763/detection

en-officeupdate.herokuapp.com

# Reference: https://twitter.com/souiten/status/1597943643582902273
# Reference: https://twitter.com/souiten/status/1597944825340305408
# Reference: https://www.virustotal.com/gui/file/66d366fcdc0cef9a6af89a46909c9710bab0192a473f5ac583940093b990c86c/detection
# Reference: https://www.virustotal.com/gui/file/ef76d11453a632920dd5835c0f0f8a317fb187972b0a51cdf8d78560f653d35f/detection
# Reference: https://www.virustotal.com/gui/file/d345a80e349b79c78faa9bf10922416b0d5cfb1b805e0bfb2f675d83f63c7e47/detection

142.234.157.195:8989
142.234.157.195:8080
45.56.165.100:8080
microsoftonedriver.com
info-updates.ddns.net

# Reference: https://twitter.com/malwrhunterteam/status/1567483040317816833
# Reference: https://twitter.com/h2jazi/status/1567512391289544704
# Reference: https://www.virustotal.com/gui/file/40831538e59700fd86081130af597623d0779a93cde6f76b86d52174522d8ad4/detection
# Reference: https://www.virustotal.com/gui/file/e2b7181d67ab4a4de5600d7f0f68190894db4d007aa66db94be0ee94631bc701/detection

gov-cloud.herokuapp.com

# Reference: https://twitter.com/RedDrip7/status/1608383205664780289
# Reference: https://www.virustotal.com/gui/ip-address/5.2.77.109/relations
# Reference: https://www.virustotal.com/gui/file/79bde77f2295dbf272b4138db3b42a8e40e67201da5f7a70de1600c15ebfc81e/detection
# Reference: https://www.virustotal.com/gui/file/2be095b201379123f11fd66b382aee0ca9542e3061fa129bc53c1eddd9b895c3/detection

bingoplant.live

# Reference: https://twitter.com/SethKingHi/status/1612377098777133057
# Reference: https://www.virustotal.com/gui/file/e89e0a56fad8e7232015f18bc4fd0287b98d7697e24c66820a0d4d2d501cd444/detection

vlc-updates.ddns.net

# Reference: https://twitter.com/souiten/status/1627613531586834432
# Reference: https://www.virustotal.com/gui/file/716298589ab48b187c127e9dbe47dd78487d0e4fd1841bf09d7e45027a23ac06/detection

23.163.0.133:443

# Reference: https://twitter.com/SethKingHi/status/1628601980682932224
# Reference: https://twitter.com/liqingjia1989/status/1640273312692727809
# Reference: https://www.virustotal.com/gui/file/6a3624f7022bf5797cb4a2bc633c383f4c59e0b6c277dea292657d56d66e29ae/detection
# Reference: https://www.virustotal.com/gui/file/038da443e2ffc69b0c3d6bba7eab229166d1340ff07754fd51019d74a89b0c0b/detection

http://162.216.243.187
/S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php
/foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php
/3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php
/S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/
/S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/
/S8hmr7lxi7n4ceD2g93yz/
/Ztrt1DyB3tTXbjG.php

# Reference: https://twitter.com/ThreatBookLabs/status/1631134841923325958
# Reference: https://www.virustotal.com/gui/ip-address/82.180.172.13/relations
# Reference: https://www.virustotal.com/gui/file/9b3d01dd457b4eeae6712df54c7ef96312f56cd0115612d0d5aece654fc6bc61/detection

officedocuments.info

# Reference: https://twitter.com/ThreatBookLabs/status/1640397245882437632

pitbmail.000webhostapp.com
webmail-pitb-gov-pk.netlify.app

# Reference: https://twitter.com/blackorbird/status/1649005925947310080
# Reference: https://mp.weixin.qq.com/s/Nk2zml2d0HtK0hszyKW2Dw (Chinese)

charliezard.shop
msit5214.b-cdn.net
shhh2564.b-cdn.net

# Reference: https://twitter.com/ThreatBookLabs/status/1650906402792304641

douyni.info

# Reference: https://twitter.com/ThreatBookLabs/status/1651052933142937600

ctg36512.b-cdn.net

# Reference: https://about.fb.com/wp-content/uploads/2023/05/Meta-Quarterly-Adversarial-Threat-Report-Q1-2023.pdf

104.27.172.22:9371
104.27.173.22:9371
106.215.68.174:9371
172.94.99.215:4040
185.82.216.57:2125
195.20.54.105:4040
appplace.life
bayanat.co.nf
beautifullimages.co.nf
chirrups-download.ml
downloader-file.cf
downloadvpn.comli.com
drive-sharefiles-downloads.ga
drive-sharefiles-downloads.gq
faridun.com
file-downloader.ga
file-star.buzz
fileshares.online
fun.socialyte.site
islamicbayanat.ddns.net
kashmirundergroundnews.ml
newice.hopto.org
securemessagingapps.blogspot.com
socialyte.site
stockapp-fresh.com
thenewsnation.ml
videvideocaller.ml
vpndl.co.nf
vpndownload.co.nf
vpndownload.webutu.com
vpndownloads.co.nf
vpndownloads.ddns.net
webmails-authentication.tk
/gdgtgdt1245435/chirrups.apk
/poahbcyskdh/cable.apk
/vdfogrglj/YoTalk.apk
/gdgtgdt1245435/
/poahbcyskdh/
/vdfogrglj/

# Reference: https://twitter.com/malwrhunterteam/status/1676228569263996930
# Reference: https://www.virustotal.com/gui/ip-address/185.225.69.181/detection
# Reference: https://www.virustotal.com/gui/file/1648cc664ab332c446d89a5406cc6adcfa357b2883d44f059c54012a4401b4f2/detection
# Reference: https://www.virustotal.com/gui/file/8cd0ad4572e1f0b71ed8e8e84d4e75942393617afac3962c164ff04a3ab87ea4/detection
# Reference: https://www.virustotal.com/gui/file/a3fc903bf6bf49f8c6e3bd5633433cfcae80be54eeefbb7345764b0059491371/detection
# Reference: https://www.virustotal.com/gui/file/d4fdd37f4aaa486a9ca32d083ba2900f237eb0a186f3a6f4418d63ccdf7d69ca/detection

http://185.225.69.181
onedriver.cloud
toptaskrabbitgroup.com

# Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1681921960731897856
# Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1681924794701455361
# Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1681925487080378368
# Reference: https://twitter.com/Des00464472/status/1687394684652695553
# Reference: https://mp-weixin-qq-com.translate.goog/s/9cqXdFn7erJupk9QPRhqpg?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=zh-CN&_x_tr_pto=wapp (# APT-K-47, ORPCBackdoor)
# Reference: https://www.virustotal.com/gui/file/a7acb7fa69f218475e06fb27dceac3f199b9cb7cbea07d01c0cfb220b465cbc4/detection
# Reference: https://www.virustotal.com/gui/file/556f51b7bd03b9be121f4a35916bef331d1ac82f3a00ed014975c12986d6c1e9/detection
# Reference: https://www.virustotal.com/gui/file/dd53768eb7d5724adeb58796f986ded3c9b469157a1a1757d80ccd7956a3dbda/detection

msdocs.ddns.net
msoutllook.ddns.net
outlook-services.ddns.net
outlook-updates.ddns.net

# Reference: https://twitter.com/binlmmhc/status/1682284911506636800
# Reference: https://www.virustotal.com/gui/file/e43d53c505e0944e6a8ce9f613a1ce5ef2b845fd04b9a777e1515b787206a03c/detection

kdrm201.b-cdn.net

# Reference: https://twitter.com/binlmmhc/status/1684521661926973440

cftn6129.b-cdn.net
johu91837.b-cdn.net
nthb041.b-cdn.net

# Reference: https://twitter.com/StopMalvertisin/status/1691469917475000320

dgdg8675.b-cdn.net

# Reference: https://twitter.com/StopMalvertisin/status/1692879603977908224
# Reference: https://www.virustotal.com/gui/file/709298c36dcc4afedc1ef5725890f119d117df1ad5776cdeecda9c1a7380a33b/detection

ppzo3687.b-cdn.net

# Reference: https://twitter.com/ginkgo_g/status/1694544752350486732

kdrm201.b-cdn.net

# Reference: https://mp.weixin.qq.com/s/nMTQww-jHkdKBWFPYdfprA (Chinese)
# Reference: https://www.virustotal.com/gui/file/1e2b343eb7948ed225dc192e53dfe8d1d587c9b88ef17b910dc48810dccb4f28/detection

http://149.102.225.98
/sun2/UploadToServer.php
/sun2/UploadToServer_gb.php
/sun2/createDirecotory.php
/sun2/save_file_str.php
/sun2/save_target_applist.php
/sun2/save_whats_chat.php
/sun2/savetargetdeviceinfo.php

# Reference: https://twitter.com/malwrhunterteam/status/1704236578053210488
# Reference: https://x.com/malwrhunterteam/status/1831273968000479422
# Reference: https://twitter.com/RexorVc0/status/1715246574748549581
# Reference: https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247495700&idx=1&sn=5f39caf4d5fafef490ff1ad18f072a16&chksm=f9ed9cabce9a15bd1a5c94d19de5c927bdd0983b55b6183159a40034129bc78b2355aab38d85&scene=178&cur_album_id=1375769135073951745#rd (# RiverStealer)
# Reference: https://www.virustotal.com/gui/file/1f3590c97efdbaff2fff55a9f420863ca543f6ae35d1510f65da8984cb35bba1/detection
# Reference: https://www.virustotal.com/gui/file/5bdd87417c5dc17a994b9880caf54de759c46614f2b16e63d9dcebcf251cc9cf/detection

http://39.104.22.215
http://39.104.65.77
http://45.159.250.181
bluechillyboo.site
redcrocodilepuppet.online
riverelephant.site
riverelephent.site
/JSdfjweuisdfjhg/
/HprodXprnvlm1.php
/VueWsxpogcjwq1.php

# Reference: https://twitter.com/malwrhunterteam/status/1725275794711126259
# Reference: https://twitter.com/RedDrip7/status/1734110428685570139
# Reference: https://www.virustotal.com/gui/file/e8a519d735c3356b10a94f39923a10b76b644e68b74029fe7ec8e060a4345750/detection
# Reference: https://www.virustotal.com/gui/file/13c1cde8ded82f73c5b0ca483c2b2f2ea693ebc9dad6d30b90fcd03ff80795d6/detection

arabcomputersupportgroup.com
firebasebackups.com
/hailo/block.php
/hailo/cert.php
/hailo/load_img.php
/hailo/pakart.php

# Reference: https://twitter.com/ginkgo_g/status/1725445679072587993
# Reference: https://www.virustotal.com/gui/file/b019ed0bb09bda78af75f941ba1bb88f3b3e3604a202309d8661fdaacb04d02e/detection

pd560.b-cdn.net
pld956.b-cdn.net

# Reference: https://otx.alienvault.com/pulse/6566312bddcfb0e7f0991687

grand123099ggcarnivol.com
mfaturk.com
morimocanab.com
omeri12oncloudd.com

# Reference: https://twitter.com/blackorbird/status/1729327114187587854

cflayerprotection.com
cloudlflares.com

# Reference: https://twitter.com/ginkgo_g/status/1731870687562752375
# Reference: https://www.virustotal.com/gui/file/90e7df73e769bf0bde48294c38004341778e6ed2a6cd8db9d20fe57524607607/detection

tyfk1.b-cdn.net

# Reference: https://twitter.com/ginkgo_g/status/1732652858804486614
# Reference: https://www.virustotal.com/gui/ip-address/185.74.222.34/relations
# Reference: https://www.virustotal.com/gui/file/ca24347d80aed81df2a0e89075c645bfd6081a8e66103ea680f3a8758999b32b/detection

wingpao.info
pd35.b-cdn.net
pl335.b-cdn.net

# Reference: https://twitter.com/liqingjia1989/status/1639072245648883712
# Reference: https://www.virustotal.com/gui/file/cb0fe57e84a705a6e6d5d40f621c60095aaf73ba87c424029d2e2813210e09b9/detection

triptrans.info

# Reference: https://twitter.com/Joseliyo_Jstnk/status/1749719852623802384
# Reference: https://www.virustotal.com/gui/ip-address/152.89.247.23/relations
# Reference: https://www.virustotal.com/gui/ip-address/51.79.217.72/relations
# Reference: https://www.virustotal.com/gui/file/8734a8a71c27712f17d08e758a251665e1c81e91ea6482c0045facca5b777e4d/detection

classcentral-drive.ddns.net
deltabook.ddns.net
msdesigns.site
officecloud.store

# Reference: https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/
# Reference: https://www.virustotal.com/gui/file/ba9aeb87025ba26e7a54fe38f97bf28b72b1dac069e9fa6624a195a599c4b0ae/detection

chatapp-6b96e-default-rtdb.firebaseio.com
chit-chat-e9053-default-rtdb.firebaseio.com
glowchat-33103-default-rtdb.firebaseio.com
hello-chat-c47ad-default-rtdb.firebaseio.com
letschat-5d5e3-default-rtdb.firebaseio.com
meetme-abc03-default-rtdb.firebaseio.com
privchat-6cc58-default-rtdb.firebaseio.com
quick-chat-1d242-default-rtdb.firebaseio.com
rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase.app
tiktalk-2fc98-default-rtdb.firebaseio.com
wave-chat-e52fe-default-rtdb.firebaseio.com
yooho-c3345-default-rtdb.firebaseio.com

# Reference: https://twitter.com/ginkgo_g/status/1753339086709100633
# Reference: https://www.virustotal.com/gui/file/a4c16bcdf5db8d29688e1112434fe8f7f15e9e4dc78828ba2890bade62b9c7cc/detection

hu51.b-cdn.net

# Reference: https://twitter.com/malwrhunterteam/status/1758395825103798760
# Reference: https://www.virustotal.com/gui/file/e68c9aedfd080fe8e54b005482fcedb16f97caa6f7dcfb932c83b29597c6d957/detection
# Reference: https://www.virustotal.com/gui/file/e89305bd8e01769d024916fb5e286b951382409a5106e31c8bea2e3400ebf603/detection

denv-1.b-cdn.net
denv-2.b-cdn.net

# Reference: https://twitter.com/suyog41/status/1765725837041824121
# Reference: https://www.virustotal.com/gui/file/01ea7197094b9acd50605bda611111eaa822230f81a3cac4b47a2f9d01e146c1/detection
# Reference: https://www.virustotal.com/gui/file/749942726963f0a55380123dff8238cdf54d6b98d3fb083528a41ba287002bad/detection

espncrics.info
ruz98.b-cdn.net

# Reference: https://twitter.com/__0XYC__/status/1770684464470872294
# Reference: https://twitter.com/mal_analysis136/status/1770693119463326144
# Reference: https://twitter.com/suyog41/status/1771135469327417684
# Reference: https://www.virustotal.com/gui/file/8f4cf379ee2bef6b60fec792d36895dce3929bf26d0533fbb1fdb41988df7301/detection

daily-mashriq.org
t-cdn.org
doc.t-cdn.org
quranchapter.t-cdn.org
/javascript/juicesdafekohioshfoshfhiofh/
/juicesdafekohioshfoshfhiofh/
/goyxdrkhjilchyigflztv

# Reference: https://twitter.com/h2jazi/status/1773468430013727186
# Reference: https://twitter.com/PrakkiSathwik/status/1773763707744489594
# Reference: https://www.virustotal.com/gui/file/88558ef568b3c775b2d79499b74dc3ecde7c049440c8872573fc6622433eec17/detection
# Reference: https://www.virustotal.com/gui/file/aaaae5f5d7f58eb8c970c4e5407fb2f4597bc81674d006c5e2d1462a3b133d74/detection

176.56.237.126:443

# Reference: https://twitter.com/k3yp0d/status/1780928811195887973
# Reference: https://twitter.com/k3yp0d/status/1780929118034362708
# Reference: https://twitter.com/k3yp0d/status/1780929459689758926
# Reference: https://www.virustotal.com/gui/ip-address/38.180.94.120/relations
# Reference: https://www.virustotal.com/gui/file/6d6dc50e8e73053763f9b85b7c1f1b532ec3023b5b89b3546f0330b4956e75a9/detection
# Reference: https://www.virustotal.com/gui/file/d0ccad2452cc0124d95214f9a9c5e4df9d842f97c6389c6e01baa0916306ad87/detection

15731.org
c-cdn77.com
dugayqwh.c-cdn77.com
huanetdw.c-cdn77.com
pijaung.c-cdn77.com

# Reference: https://twitter.com/liqingjia1989/status/1790677262146388398
# Reference: https://x.com/PrakkiSathwik/status/1823316607453577258
# Reference: https://www.virustotal.com/gui/file/cd2bd2e66a903c10e90023fc73c993a3bf8a009dd09b03930f3c40ee4e7c35fd/detection

dezhongcn.org
sdfsecs.org
/akwj2iycjeh5347
/fsdhwerui4358vxfg13hgu/
/gtyggfj4ytqej35f/buldgy4ujedhk
/qaloh42bsk093cag41vb/
/qaloh42bsk093cag41vb/stwv32jj197jl1hbfy
/stwv32jj197jl1hbfy
/tueyixahgdw3u265dfer/
/tueyixahgdw3u265dfer/akwj2iycjeh5347

# Reference: https://x.com/StrikeReadyLabs/status/1798687665987989691
# Reference: https://www.virustotal.com/gui/file/ff28cff64b2e37e852e778202b57400f508b94770980b2788914bd3bcbcda627/detection
# Reference: https://www.virustotal.com/gui/file/29420ee792d63aa7d5658f971ba3c62d776615aa56b96b7f055dc7833eef1af0/detection
# Reference: https://www.virustotal.com/gui/file/1a47c99d3167d26b1ac7c7bbf0ca05c5ba53ec50aad3278355a43a5091ac85e8/detection

nihaoucloud.org
guangzhou.nihaoucloud.org
/gsdgsd89iop/sdfger23ty
/gsdgsd89iop/
/sdfger23ty

# Reference: https://x.com/suyog41/status/1810268207241982376
# Reference: https://www.virustotal.com/gui/ip-address/172.81.60.40/relations
# Reference: https://www.virustotal.com/gui/file/f6d171e79e2fb38b3919011835c8117a1c56788bcf634e69ae67a5e255fb9d58/detection
# Reference: https://www.virustotal.com/gui/file/14bbe421abe496531f4c63b16881eee23fb2c92b2938335dca1668206882201a/detection

beijingtv.org
cartmizer.info
hometogeljaya.xyz
icreativez.org
/ogQas32xzsy6/fRgt9azswq1e
/fRgt9azswq1e
/lkqnzntawldqjlwdxivsnemw
/ogQas32xzsy6

# Reference: https://x.com/StrikeReadyLabs/status/1811339489136066615
# Reference: https://www.virustotal.com/gui/file/0f0ed90e3a825e86ce4fe46c065f60f01f22fd878cb02e7ee5eb9d103a80b156/detection

mato3.b-cdn.net
matozip1.b-cdn.net

# Reference: https://mp.weixin.qq.com/s/Bf4ZN7Hr124vi3H3k-v3Bg
# Reference: https://www.virustotal.com/gui/file/da10810b38385f2c674c8f5aba08c04a0b30c7b3ac828c6a86da927839b80b48/detection

longwang.b-cdn.net

# Reference: https://x.com/naumovax/status/1813151432419254656
# Reference: https://www.ctfiot.com/193014.html
# Reference: https://tria.ge/240715-lrfzyazfmm/behavioral2
# Reference: https://www.virustotal.com/gui/file/6afdf4a3088bff045e1998d2dc2863b90d06765abb2dc35c7b93c456b9818e55/detection

shrilongu.info
yw56.info
centling.nihaoucloud.org
hengtian.nihaoucloud.org
weibo.nihaoucloud.org
xinhuanet.nihaoucloud.org
/akowutbuu753dtRWq21jk/odiworukdjo2375kjkl1lk87hl0
/akowutbuu753dtRWq21jk/
/koqiiwyekj5458bj32uoiWQ21/kjtw83nkQ
/koqiiwyekj5458bj32uoiWQ21/
/kjtw83nkQ
/odiworukdjo2375kjkl1lk87hl0
/ymybisvimqjoknhmgryit/getocmskdmsm/
/getocmskdmsm/
/ymybisvimqjoknhmgryit/
/gtw2jh43/css.txt
/gtw2jh43/

# Reference: https://x.com/malwrhunterteam/status/1816424803022057883
# Reference: https://x.com/RexorVc0/status/1818517432467706147
# Reference: https://www.virustotal.com/gui/file/6795dac9944b17ba82d40cf18ad5c57b8c4363bc5634d525bdbff3dfa18762d8/detection

ghshijie.com
telsiairegion.xyz
yuxuan.ghshijie.com
/1WrCVzW4kSDNbNTt/cqWf4vQlofzqFkc7.php
/1WrCVzW4kSDNbNTt/
/cqWf4vQlofzqFkc7.php

# Reference: https://x.com/PrakkiSathwik/status/1822328733610430860
# Reference: https://www.virustotal.com/gui/file/c3805b8b37eb1ba34057cd6c882dc9bedcebc01ec90a6d4be8d0f6fc82859ecb/detection
# Reference: https://www.virustotal.com/gui/file/1e977b2ea2421b9ee3878e21550533e765ea8bb54f11383893a9b3772bc76dc5/detection
# Reference: https://www.virustotal.com/gui/file/0954c455576ff84efe67a3b2a2fd5de64aaa5540af648116e6b9d716be77240b/detection

bhutanembassynepal.com
apcas.bhutanembassynepal.com
docdailyupdate.bhutanembassynepal.com
energynews.bhutanembassynepal.com
/aqoqi43bjdewsfgTg4/iq2387skl844xWq1
/bgTAqwhPaYvtrkwu5445jkj4n/koaquwd73hkd
/latehtu454fh4/setwcx328nvy4.bin
/aqoqi43bjdewsfgTg4/
/bgTAqwhPaYvtrkwu5445jkj4n/
/sqalopej47gkjuiczdWreq2/
/PswqaDyeh6Fs2g12-g34fyu/
/latehtu454fh4/
/iq2387skl844xWq1
/koaquwd73hkd
/setwcx328nvy4.bin

# Reference: https://x.com/RexorVc0/status/1833389801162023417
# Reference: https://www.ctfiot.com/204087.html
# Reference: https://www.virustotal.com/gui/file/83e4962419f2d4e99c5aa02ed6a077c9fc19e15d6427c79c6cdef2df4530fb53/detection
# Reference: https://www.virustotal.com/gui/file/2fc76a42fb7af2fbe480c0cf3d63e2eaf8d2b904a38b962261887f163ad6b4a2/detection

194.156.99.229:443
74.119.193.8:1005
mdridefys.info
socialrg.info
/bIHTfcVHegEoMrv/WCcod7JY3zwUpDH.php
/bIHTfcVHegEoMrv/
/WCcod7JY3zwUpDH.php

# Reference: https://x.com/ginkgo_g/status/1834859844261577158
# Reference: https://x.com/Timele9527/status/1834875792872161613
# Reference: https://www.virustotal.com/gui/ip-address/172.81.62.40/relations
# Reference: https://www.virustotal.com/gui/file/ba262c587f1f5df7c2ab763434ef80785c5b51cac861774bf66d579368b56e31/detection
# Reference: https://www.virustotal.com/gui/file/d7b278d20f47203da07c33f646844e74cb690ed802f2ba27a74e216368df7db9/detection

iceandfire.xyz
kartenkauf.info
scapematic.info
jihang.scapematic.info
shianchi.scapematic.info
/cDiCQddlQr
/chBXgPelzd
/peCDMAFXQN

# Reference: https://x.com/StrikeReadyLabs/status/1836724951941882101
# Reference: https://www.virustotal.com/gui/file/1ee756cd6608235454f0877c51881803d52c0887479838925b3caf4a976a17f0/detection
# Reference: https://www.virustotal.com/gui/file/fd96ac431474ce6ba502f89a1d4f3bdaa182428a22aab15dd05483dd0b46de2d/detection

coldchikenshop29.info
greenearthtreeh.info
whitemissycorp.info

# Reference: https://x.com/k3yp0d/status/1836877748708552958
# Reference: https://www.virustotal.com/gui/file/136221a89f1042aea42ef4ba78f0c4d7244e78607deb4cc619aa9d6f19f0fbca/detection

http://121.199.0.104
http://39.100.91.201

# Reference: https://x.com/k3yp0d/status/1836875647865528508
# Reference: https://www.virustotal.com/gui/file/b5e6f8e2203f086d85e64b0687f0c000407a1fa0563eb4cb19c184ffb85d63fd/detection

http://89.47.160.244
/HSfuywrhjerfsd.txt

# Reference: https://www.virustotal.com/gui/file/14bbe421abe496531f4c63b16881eee23fb2c92b2938335dca1668206882201a/detection
# Reference: https://www.virustotal.com/gui/file/f6d171e79e2fb38b3919011835c8117a1c56788bcf634e69ae67a5e255fb9d58/detection

adaptation-funds.org

# Reference: https://blog.cloudflare.com/unraveling-sloppylemming-operations/

adobefileshare.com
maldevfudding.com
accounts.opensecurity-legacy.com
api.opensecurity-legacy.com
bin.opensecurity-legacy.com
cloud.adobefileshare.com
cloud.cflayerprotection.com
data.cloudlflares.com
frontend-m.opensecurity-legacy.com
m.opensecurity-legacy.com
monitor.opensecurity-legacy.com
secure.cflayerprotection.com
secure.cloudlflares.com
sensors.opensecurity-legacy.com
static.opensecurity-legacy.com

# Generic

/4sVKAOvu3D/
/e3e7e71a0b28b5e96cc492e636722f73/
/ABDYot0NxyG.php
/BDYot0NxyG.php
/UYEfgEpXAOE.php
