# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Kaiji botnet (Linux/IoT malware; reported as Go-based in the Intezer and Lumen references below) command-and-control and payload-hosting indicators.
# Trail forms used in this file: bare domain (matches the host and its subdomains), IP:port pair (matches only that port), and http://IP URL prefix.
# Each block cites the sighting it was taken from; IP:port entries are tied to hosting that gets reassigned, so treat older IP entries as lower-confidence than the domain entries and check the cited source date before acting on a hit.
# Reference: https://twitter.com/malwaremustd1e/status/1256977666084761602
# Reference: https://www.virustotal.com/gui/domain/1.versionday.xyz/relations

1.versionday.xyz

# Reference: https://intezer.com/blog/research/kaiji-chinese-iot-malware-turning-to-golang/
# Reference: https://otx.alienvault.com/pulse/5eb19b29d53d234ac978f51b

aresboot.xyz
cu.versiondat.xyz

# Reference: https://twitter.com/albertzsigovits/status/1264909051227451395

45.138.81.176:35565
0.versiondat.xyz

# Reference: https://twitter.com/albertzsigovits/status/1265196913067991040

2s11.com
6x66.com
cocoserver.xyz

# Reference: https://twitter.com/r3dbU7z/status/1271053327242014721

136.243.18.221:808

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/
# Reference: https://otx.alienvault.com/pulse/5ef223cce7849b037b7614a5

122.51.133.49:10086

# Reference: https://twitter.com/r3dbU7z/status/1328650015842197506

173.230.150.166:37301

# Reference: https://twitter.com/CujoaiLabs/status/1423258390583812102
# Reference: https://www.virustotal.com/gui/file/e666735eb6c10a27617aac9ffbf1bf29435fa0d1e3d099787d6ce28e079c8768/detection

103.59.113.150:8989
luoyefeihua.site

# Reference: https://www.virustotal.com/gui/file/ee310139ba31770b69650d464c999c3526aa5cc4ab924ddcc53cf3cb06727c37/detection

20.187.127.241:11000
20.239.179.30:11001
20.247.3.55:11001
myjiaduobao.xyz
myjianlibao.xyz

# Reference: https://www.virustotal.com/gui/ip-address/20.247.3.55/relations
# Reference: https://www.virustotal.com/gui/file/d5f8e4fac3b005c15a8e5a440d411cb7513f18ab627c49e883e0d40c5f16c57e/detection
# Reference: https://www.virustotal.com/gui/file/ca3830454c715c79d8bdafc083d9108d139b155ab87f8cbf0f33ff515cb813de/detection

20.247.3.55:808
20.247.3.55:8567
kivspace.top
kivspace.xyz

# Reference: https://www.virustotal.com/gui/file/c07c45348a74ff71179a13ec1be8a398fc49183ab04e3f9b0c436c55f1bde423/detection
# Reference: https://www.virustotal.com/gui/file/420223e8f59e78148b21b2a90b2ffc080e0bb8084ffceca3f7e26b215eb09a0c/detection

103.254.72.193:10099
103.254.72.193:808
tomca1.com

# Reference: https://elfdigest.com/brief/0683b2d2bca6a69bca5f8ac1d9c98a0627514a08d86b2a5602480c10872511e9

23.225.194.65:8080

# Reference: https://twitter.com/0xrb/status/1575354022298411009

115.126.74.37:808
154.12.42.195:808
155.94.141.226:808
195.178.120.201:808

# Reference: https://twitter.com/r3dbU7z/status/1583293071524958208

67.198.237.116:808
ars1.wemix.cc

# Reference: https://www.virustotal.com/gui/file/b9728070aabe0442bc58d759c354cdcc93e35dbd6a9d99706ee0b8ff51edf644/detection

156.254.126.18:8080
156.254.126.18:9090
ars.wemix.cc

# Reference: https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/

20.90.110.121:808

# Reference: https://elfdigest.com/brief/ec0c849db557051d2f6cdef6973ccc04b246fc58dca933cbb9fa1a7c7c01e71f

xn--9kqv03dn4b.xyz
tf.xn--9kqv03dn4b.xyz

# Reference: https://elfdigest.com/brief/dc4cbafeee9342ff237bf6e8c22a8ca8b687d26a1e9eaa8d7fbd8ee165ae9768

43.249.9.245:888

# Reference: https://twitter.com/suyog41/status/1630172084079939587

http://107.189.13.143

# Reference: https://ti.qianxin.com/blog/articles/Kaiji-Botnet-Resurfaces-Unmasking-Ares-Hacking-Group-EN/
# Reference: https://otx.alienvault.com/pulse/63ffa1fdf2b44bd91fdedeff

llkh.net
rawrgaming.icu
testapiss.online
998n.f3322.net
adsl.testapiss.online
control.rawrgaming.icu

# Reference: https://elfdigest.com/brief/d3965aeab57d429b0cb28a2853e941a0710294b2159755ea354bf32a723fef3a

23.94.57.167:2023

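# Reference: https://threatfox.abuse.ch/browse/malware/elf.kaiji/
# NOTE: 103.254.72.193:10099 also appears in this ThreatFox pull but is already listed above
# (VirusTotal references for that host), so it is intentionally not repeated here.

http://107.189.13.89
http://45.125.238.68
104.207.149.94:10099
117.158.206.150:9876
119.6.239.18:888
119.6.239.68:888
119.6.239.80:888
119.6.239.81:888
119.6.239.82:888
119.6.239.83:888
123.249.86.77:8089
123.99.201.37:808
137.175.17.80:8080
137.175.17.80:81
149.115.234.35:9999
149.115.234.54:9999
149.115.234.80:9999
154.19.243.107:808
154.37.152.123:998
154.55.139.35:8080
154.55.139.35:8081
154.7.10.30:808
158.101.74.227:8080
173.249.198.97:8888
175.24.197.196:808
182.43.6.129:6565
183.249.20.106:8090
192.227.146.253:8080
20.239.156.147:8080
209.141.35.151:888
219.128.25.2:8088
223.87.225.90:8080
23.224.143.170:888
23.224.85.39:8888
23.94.57.167:808
36.152.201.67:65535
39.134.69.79:17080
45.113.1.126:808
45.32.166.73:8080
52.140.208.75:9527
98.159.100.118:8080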

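# Reference: https://twitter.com/0xrb/status/1635901959420121088
# Additional ports seen on two hosts already listed in the ThreatFox block above (154.19.243.107:808, 154.7.10.30:808).

154.19.243.107:8868
154.7.10.30:89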

# Reference: https://twitter.com/SecureSh3ll/status/1710788954239193376
# Reference: https://www.virustotal.com/gui/file/95c4343841b314420110ba70ba480a284a42736b701da9cdec68ef2dcc9d89c4/detection

154.82.85.42:9528
179527.com

# Reference: https://www.virustotal.com/gui/file/41409bc3d3ac6561f4be718a47295e4c36bbe37686e7af671bce5f7b1e3fb569/detection

211.101.247.80:1997
xiaozhuddos.co
tf.xiaozhuddos.co

# Reference: https://www.virustotal.com/gui/file/41409bc3d3ac6561f4be718a47295e4c36bbe37686e7af671bce5f7b1e3fb569/detection (same sample as the preceding block)

156.96.155.233:19370

# Reference: https://twitter.com/banthisguy9349/status/1780546149918589090

http://205.234.200.26
103.42.31.29:808

# Reference: https://urlhaus.abuse.ch/browse/tag/Kaiji/ (# 2024-04-18)

http://137.220.202.168
http://154.12.42.230
http://175.24.197.196
http://198.98.61.160
http://20.187.67.224
http://20.187.86.47
http://20.239.193.47
http://209.141.42.90
http://209.141.52.195
http://23.224.95.13
http://62.171.160.189
156.96.155.237:808
goodl1.com
gouzapay.cn
ares.goodl1.com
zf.gouzapay.cn

# Reference: https://twitter.com/banthisguy9349/status/1780978526658670683
# Reference: https://www.virustotal.com/gui/file/3fd83cc93718799c19670c69ba7dd44596defdd2adff3709c4a24d14d13a0334/detection

http://136.244.98.80
136.244.98.80:443

# Reference: https://twitter.com/banthisguy9349/status/1783104262882382323
# Reference: https://www.virustotal.com/gui/file/4dc8ceeec5f723882a6162a9fbed9f82b3a42d22f6dac6103a9107e30a22d5ea/detection

http://154.12.83.216
154.12.83.216:808

# Reference: https://twitter.com/banthisguy9349/status/1783102073191489701
# Reference: https://www.virustotal.com/gui/file/fbf3a16ce086471e1ad1462f21a536fb0331372f45e2d8b7f68785a747462103/detection

23.224.176.68:8081
23.224.176.68:8082

# Reference: https://www.virustotal.com/gui/ip-address/154.9.26.118/detection

http://154.9.26.118

# Reference: https://www.virustotal.com/gui/ip-address/91.92.241.101/detection

http://91.92.241.101

# Reference: https://www.virustotal.com/gui/ip-address/91.92.241.82/detection

http://91.92.241.82

# Reference: https://x.com/banthisguy9349/status/1801596571160559923
# Reference: https://urlhaus.abuse.ch/host/103.116.246.38/

103.116.246.38:8088

# Reference: https://x.com/banthisguy9349/status/1795397594006556768
# Reference: https://www.virustotal.com/gui/file/c33491b6462bc94c3882376bdb87057f340e05a4c36fc74e0b90e2964f8589ce/detection
# Reference: https://www.virustotal.com/gui/file/2eb2eeac77fa2a33b8429f9351d277fe53b9b3b4c8ec931a64513f70fa9e09d6/detection

http://51.81.135.251
http://77.68.37.125
51.81.138.208:8080
77.68.37.125:8080

# Reference: https://threatfox.abuse.ch/browse/malware/elf.kaiji/ (# 2024-08-25)

13.228.173.120:808
172.247.44.218:808
182.106.149.83:808
198.98.60.49:8080
38.150.13.6:808
42.194.196.162:8080

# Reference: https://threatfox.abuse.ch/browse/malware/elf.kaiji (# 2024-09-09)

108.181.228.101:808
123.249.104.74:808
154.213.192.24:808
154.82.95.210:808
207.211.144.153:8088
83.229.120.164:808

# Reference: https://threatfox.abuse.ch/browse/malware/elf.kaiji (# 2024-09-22)

172.247.194.228:23812
199.119.138.85:8087
20.2.144.116:8081
23.224.121.29:60888
ava9527.cc
cc.ava9527.cc
