# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt44, blackenergy, quedagh, voodoo bear, temp.noble, iron viking

# CERT-UA: UAC-0082

# Reference: https://web.archive.org/web/20120106212034/http://amada.abuse.ch/blocklist.php?download=domainblocklist

abaronaweb.net
ads.ew.com.cn
all-invite.org
aut0mat.info
bka.im
cazino-game.com
cxim.asia
ddumasz.info
globdomain.ru
hackzona.tk
jakkaru.ru
k0x.ru
kandagarka.net
myprodjs.ru
olololo.in
onlinejobsnet.co.cc
prava-servise.ru
sharp.mcdir.ru
webprofiler.cc
write-dream.ru

# Reference: https://www.virustotal.com/gui/ip-address/185.80.53.22/relations

account-googlmail.ml
account-loginserv.com

# Reference: https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf
# Reference: https://www.virustotal.com/gui/file/dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730/detection

95.216.13.196:53
95.216.13.196:8080
hostapp.be

# Reference: https://twitter.com/kyleehmke/status/1267222198588145664

userarea.click
userarea.eu

# Reference: https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure/

fbapp.info
fbapp.link
fbapp.top
myaccount.click
myaccount.one
userarea.click
userarea.eu
userarea.in
userarea.top
userzone.eu
userzone.one
webcache.one

# Reference: https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
# Reference: https://otx.alienvault.com/pulse/623319918d3021c70ec8f396

1.9.85.247:3269
1.9.85.247:636
1.9.85.247:8443
1.9.85.247:989
1.9.85.247:990
1.9.85.247:994
1.9.85.247:995
1.9.85.248:3269
1.9.85.248:636
1.9.85.248:8443
1.9.85.248:989
1.9.85.248:990
1.9.85.248:994
1.9.85.248:995
1.9.85.249:3269
1.9.85.249:636
1.9.85.249:8443
1.9.85.249:989
1.9.85.249:990
1.9.85.249:994
1.9.85.249:995
1.9.85.252:3269
1.9.85.252:636
1.9.85.252:8443
1.9.85.252:989
1.9.85.252:990
1.9.85.252:994
1.9.85.252:995
1.9.85.253:3269
1.9.85.253:636
1.9.85.253:8443
1.9.85.253:989
1.9.85.253:990
1.9.85.253:994
1.9.85.253:995
1.9.85.254:3269
1.9.85.254:636
1.9.85.254:8443
1.9.85.254:989
1.9.85.254:990
1.9.85.254:994
1.9.85.254:995
102.50.244.205:3269
102.50.244.205:636
102.50.244.205:8443
102.50.244.205:989
102.50.244.205:990
102.50.244.205:994
102.50.244.205:995
148.76.89.2:3269
148.76.89.2:636
148.76.89.2:8443
148.76.89.2:989
148.76.89.2:990
148.76.89.2:994
148.76.89.2:995
148.76.89.3:3269
148.76.89.3:636
148.76.89.3:8443
148.76.89.3:989
148.76.89.3:990
148.76.89.3:994
148.76.89.3:995
148.76.89.4:3269
148.76.89.4:636
148.76.89.4:8443
148.76.89.4:989
148.76.89.4:990
148.76.89.4:994
148.76.89.4:995
148.76.89.5:3269
148.76.89.5:636
148.76.89.5:8443
148.76.89.5:989
148.76.89.5:990
148.76.89.5:994
148.76.89.5:995
148.76.89.6:3269
148.76.89.6:636
148.76.89.6:8443
148.76.89.6:989
148.76.89.6:990
148.76.89.6:994
148.76.89.6:995
151.0.185.146:3269
151.0.185.146:636
151.0.185.146:8443
151.0.185.146:989
151.0.185.146:990
151.0.185.146:994
151.0.185.146:995
151.0.185.147:3269
151.0.185.147:636
151.0.185.147:8443
151.0.185.147:989
151.0.185.147:990
151.0.185.147:994
151.0.185.147:995
151.0.185.148:3269
151.0.185.148:636
151.0.185.148:8443
151.0.185.148:989
151.0.185.148:990
151.0.185.148:994
151.0.185.148:995
151.0.185.149:3269
151.0.185.149:636
151.0.185.149:8443
151.0.185.149:989
151.0.185.149:990
151.0.185.149:994
151.0.185.149:995
151.0.185.150:3269
151.0.185.150:636
151.0.185.150:8443
151.0.185.150:989
151.0.185.150:990
151.0.185.150:994
151.0.185.150:995
182.73.50.114:3269
182.73.50.114:636
182.73.50.114:8443
182.73.50.114:989
182.73.50.114:990
182.73.50.114:994
182.73.50.114:995
182.73.50.115:3269
182.73.50.115:636
182.73.50.115:8443
182.73.50.115:989
182.73.50.115:990
182.73.50.115:994
182.73.50.115:995
217.57.80.18:3269
217.57.80.18:636
217.57.80.18:8443
217.57.80.18:989
217.57.80.18:990
217.57.80.18:994
217.57.80.18:995
37.71.147.186:3269
37.71.147.186:636
37.71.147.186:8443
37.71.147.186:989
37.71.147.186:990
37.71.147.186:994
37.71.147.186:995
50.192.49.210:3269
50.192.49.210:636
50.192.49.210:8443
50.192.49.210:989
50.192.49.210:990
50.192.49.210:994
50.192.49.210:995
96.80.68.193:3269
96.80.68.193:636
96.80.68.193:8443
96.80.68.193:989
96.80.68.193:990
96.80.68.193:994
96.80.68.193:995
96.80.68.194:3269
96.80.68.194:636
96.80.68.194:8443
96.80.68.194:989
96.80.68.194:990
96.80.68.194:994
96.80.68.194:995
96.80.68.195:3269
96.80.68.195:636
96.80.68.195:8443
96.80.68.195:989
96.80.68.195:990
96.80.68.195:994
96.80.68.195:995
96.80.68.196:3269
96.80.68.196:636
96.80.68.196:8443
96.80.68.196:989
96.80.68.196:990
96.80.68.196:994
96.80.68.196:995
96.80.68.197:3269
96.80.68.197:636
96.80.68.197:8443
96.80.68.197:989
96.80.68.197:990
96.80.68.197:994
96.80.68.197:995

# Reference: https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf

100.43.220.234:3269
100.43.220.234:636
100.43.220.234:8443
100.43.220.234:989
100.43.220.234:990
100.43.220.234:994
100.43.220.234:995
100.43.220.234:996
105.159.248.137:3269
105.159.248.137:636
105.159.248.137:8443
105.159.248.137:989
105.159.248.137:990
105.159.248.137:994
105.159.248.137:995
105.159.248.137:996
109.192.30.125:3269
109.192.30.125:636
109.192.30.125:8443
109.192.30.125:989
109.192.30.125:990
109.192.30.125:994
109.192.30.125:995
109.192.30.125:996
151.0.169.250:3269
151.0.169.250:636
151.0.169.250:8443
151.0.169.250:989
151.0.169.250:990
151.0.169.250:994
151.0.169.250:995
151.0.169.250:996
185.82.169.99:3269
185.82.169.99:636
185.82.169.99:8443
185.82.169.99:989
185.82.169.99:990
185.82.169.99:994
185.82.169.99:995
185.82.169.99:996
188.152.254.170:3269
188.152.254.170:636
188.152.254.170:8443
188.152.254.170:989
188.152.254.170:990
188.152.254.170:994
188.152.254.170:995
188.152.254.170:996
2.230.110.137:3269
2.230.110.137:636
2.230.110.137:8443
2.230.110.137:989
2.230.110.137:990
2.230.110.137:994
2.230.110.137:995
2.230.110.137:996
208.81.37.50:3269
208.81.37.50:636
208.81.37.50:8443
208.81.37.50:989
208.81.37.50:990
208.81.37.50:994
208.81.37.50:995
208.81.37.50:996
212.103.208.182:3269
212.103.208.182:636
212.103.208.182:8443
212.103.208.182:989
212.103.208.182:990
212.103.208.182:994
212.103.208.182:995
212.103.208.182:996
212.202.147.10:3269
212.202.147.10:636
212.202.147.10:8443
212.202.147.10:989
212.202.147.10:990
212.202.147.10:994
212.202.147.10:995
212.202.147.10:996
212.234.179.113:3269
212.234.179.113:636
212.234.179.113:8443
212.234.179.113:989
212.234.179.113:990
212.234.179.113:994
212.234.179.113:995
212.234.179.113:996
24.199.247.222:3269
24.199.247.222:636
24.199.247.222:8443
24.199.247.222:989
24.199.247.222:990
24.199.247.222:994
24.199.247.222:995
24.199.247.222:996
37.99.163.162:3269
37.99.163.162:636
37.99.163.162:8443
37.99.163.162:989
37.99.163.162:990
37.99.163.162:994
37.99.163.162:995
37.99.163.162:996
50.255.126.65:3269
50.255.126.65:636
50.255.126.65:8443
50.255.126.65:989
50.255.126.65:990
50.255.126.65:994
50.255.126.65:995
50.255.126.65:996
70.62.153.174:3269
70.62.153.174:636
70.62.153.174:8443
70.62.153.174:989
70.62.153.174:990
70.62.153.174:994
70.62.153.174:995
70.62.153.174:996
78.134.89.167:3269
78.134.89.167:636
78.134.89.167:8443
78.134.89.167:989
78.134.89.167:990
78.134.89.167:994
78.134.89.167:995
78.134.89.167:996
80.15.113.188:3269
80.15.113.188:636
80.15.113.188:8443
80.15.113.188:989
80.15.113.188:990
80.15.113.188:994
80.15.113.188:995
80.15.113.188:996
80.153.75.103:3269
80.153.75.103:636
80.153.75.103:8443
80.153.75.103:989
80.153.75.103:990
80.153.75.103:994
80.153.75.103:995
80.153.75.103:996
80.155.38.210:3269
80.155.38.210:636
80.155.38.210:8443
80.155.38.210:989
80.155.38.210:990
80.155.38.210:994
80.155.38.210:995
80.155.38.210:996
81.4.177.118:3269
81.4.177.118:636
81.4.177.118:8443
81.4.177.118:989
81.4.177.118:990
81.4.177.118:994
81.4.177.118:995
81.4.177.118:996
90.63.245.175:3269
90.63.245.175:636
90.63.245.175:8443
90.63.245.175:989
90.63.245.175:990
90.63.245.175:994
90.63.245.175:995
90.63.245.175:996
93.51.177.66:3269
93.51.177.66:636
93.51.177.66:8443
93.51.177.66:989
93.51.177.66:990
93.51.177.66:994
93.51.177.66:995
93.51.177.66:996

# Reference: https://cert.gov.ua/article/39518 (Ukrainian)
# Reference: https://otx.alienvault.com/pulse/62552abdd7e44d9aba08636d

http://195.230.23.19
http://91.245.255.243
195.230.23.19:443
91.245.255.243:443

# Reference: https://cert.gov.ua/article/160530 (Ukrainian)
# CERT-UA: CrescentImp, UAC-0113

185.80.92.143:8998
87.236.161.43:443

# Reference: https://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/
# Reference: https://www.virustotal.com/gui/ip-address/193.239.152.131/relations
# Reference: https://www.virustotal.com/gui/file/43b69a81693488905ef655d22e395c3f8dee2486aba976d571d3b12433d10c93/detection
# Reference: https://www.virustotal.com/gui/file/0bb5e98f77e69d85bf5068bcbc5b5876f8e5855d34d9201d1caffbf83460cccc/detection

http://193.239.152.131

# Reference: https://cys-centrum.com/ru/news/black_energy_2_3 (Russian)

http://146.0.74.7
http://148.251.82.21
http://188.40.8.72
http://31.210.111.154
http://41.77.136.250
http://5.149.254.114
http://5.9.32.230
http://88.198.25.92
http://95.211.122.36
146.0.74.7:443
148.251.82.21:443
188.40.8.72:443
31.210.111.154:443
41.77.136.250:443
5.149.254.114:443
5.9.32.230:443
88.198.25.92:443
/Microsoft/Update/KS4567890.php
/Microsoft/Update/KS081274.php
/Microsoft/Update/KS081274.php
/Microsoft/Update/KC074913.php
/Microsoft/Update/KS1945777.php
/fHKfvEhleQ/maincraft/derstatus.php
/fHKfvEhleQ/maincraft/
/fHKfvEhleQ/
/l7vogLG/BVZ99/rt170v/solocVI/eegL7p.php
/l7vogLG/BVZ99/rt170v/solocVI/
/l7vogLG/BVZ99/rt170v/
/l7vogLG/BVZ99/
/eegL7p.php

# Reference: https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/

http://46.165.222.28
http://94.185.85.122
46.165.222.28:443

# Reference: https://twitter.com/RecordedFuture/status/1571946803427414016
# Reference: https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine

kievstar.online
ett.ddns.net
ett.hopto.org
darkett.ddns.net
kyiv-star.ddns.net
star-cz.ddns.net
star-link.ddns.net

# Reference: https://twitter.com/Des00464472/status/1590213508423352320

124.115.171.103:443

# Reference: https://twitter.com/RakeshKrish12/status/1687344650963804160 (Cyclops ransomware group discontinued its operations and rebranded as the "Knight" group / Knight ransomware)

knight3xppu263m7g4ag3xlit2qxpryjwueobh7vjdc3zrscqlfu3pqd.onion
nt3rrzq5hcyznvdkpslvqbbc2jqecqrinhi5jtwoae2x7psqtcb6dcad.onion

# Reference: https://twitter.com/felixw3000/status/1689541933062868992
# Reference: https://www.virustotal.com/gui/file/5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe/detection

dvjbn4sg4p1ck.cloudfront.net

# Reference: https://twitter.com/fr0s7_/status/1696485604630970879
# Reference: https://www.virustotal.com/gui/file/25497816b84a44be526c4cf048b53fe64118dbda5fdde45bdffe5ce3e2fe259f/detection

knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion

# Reference: https://cert.gov.ua/article/2698320 (Ukrainian, UAC-0133)

185.225.114.108:48765

# Reference: https://cert.gov.ua/article/6278706 (UAC-0133)

http://178.250.188.114
http://185.225.114.90
http://194.61.121.211
http://195.154.182.165
http://196.245.156.154
http://91.92.137.164
165.231.34.106:443
178.250.188.114:443
185.225.114.90:443
194.61.121.211:443
195.154.182.165:443
196.245.156.154:443
91.92.137.164:443

# Reference: https://x.com/DailyDarkWeb/status/1802234656039051511
# Reference: https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf

account-check.hostapp.link
account.adfs.kyivstar.online
accounts.google-account-settings.spdup.art
adfs.kyivstar.online
claud.in
cloue.link
darksea.ddns.net
drive.google.com.filepreview.auth.userarea.click
filepreview.auth.userarea.click
google-account-settings.spdup.art
i.ua.account-check.hostapp.link
kyivstar.me
kyivstar.online
login.adfs.kyivstar.online
login.kyivstar.online
me-cloud.link
nalog.in
outlook.adfs.kyivstar.online
solntsepek.com
spdup.art
telegramweb.us
tgcloud.link
tgeo.link
tgme.contact
tgset.click
ua.account-check.hostapp.link
ukrnet24.com
xaknet.team
yanoo.com.userarea.eu
