# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: gulpix, dragonrank
# Note: https://securelist.com/plugx-malware-a-good-hacker-is-an-apologetic-hacker/74150/

# Reference: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/plugx-goes-to-the-registry-and-india.pdf?la=en

freetimes.dns05.com
lucas1.dnset.com
supercat.strangled.net
nusteachers.no-ip.org
ruchi.mysq1.net
lucas1.freetcp.com
unisers.com
freemoney.ignorelist.com
sumy2012.jkub.com
dheeraj_gaurav.mooo.com
notebookhk.net
togolaga.com

# Reference: https://www.threatcrowd.org/listMalware.php?antivirus=plugx

hpservice.homepc.it
facebook.controlliamo.com
twititier.com
peaceful.linkpc.net
mongolia.regionfocus.com
shuimengluosuo.freetcp.com
ria-ru.xicp.net
itar-tass.xicp.net

# Reference: https://citizenlab.ca/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/

dnsupdate.dynamic-dns.net
good.wha.la

# Reference: https://citizenlab.ca/2015/10/targeted-attacks-ngo-burma/
# Reference: https://www.virustotal.com/#/file/365eeb1d5d8282188e5bbfadfda184e612eef61c2398b7c18cad4c31ce7225d1/detection

t1.mailsecurityservice.com
t2.mailsecurityservice.com
client.mailsecurityservice.com

# Reference: https://twitter.com/h4ckak/status/1163328926573137922

apple-net.com

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/plugx-rat-with-time-bomb-abuses-dropbox-for-command-and-control-settings/

bakup.firefox-sync.com
immi.firefox-sync.com
imm.heritageblog.org

# Reference: https://twitter.com/ClearskySec/status/968145266451894278

cisco-ipv4.com

# Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

dicemention.com
micrnet.net
rumiany.com
yandcx.com

# Reference: https://twitter.com/killamjr/status/1190019855434563600
# Reference: https://app.any.run/tasks/8286e7e1-710a-4570-805d-8a03395caa31/

wouderfulu.impresstravel.ga

# Reference: https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html
# Reference: https://otx.alienvault.com/pulse/5dd2b17f1b7dcef51f0ed38d

steam.suspendedio.com
steams.microsoftdepot.com
update.google.com.updatesrvers.org

# Reference: https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
# Reference: https://otx.alienvault.com/pulse/5e42e25df089cc9cfb28d1d0

apple-net.com
freesmadav.com
infosecvn.com
lameers.com
mmfhlele.com
olk4.com

# Reference: https://app.any.run/tasks/d4e14bc3-7adb-41db-9998-ee6b7e2c21b3/
# Reference: https://www.circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

help.yahoo-upgrade.com
support.yahoo-upgrade.com
update.ayuisyahooapis.com
support.ayuisyahooapis.com
update.trendmicrosoft.co.in

# Reference: https://github.com/silence-is-best/c2db#plugx

185.239.226.61:8080

# Reference: https://twitter.com/kienbigmummy/status/1240559063479402497
# Reference: https://www.virustotal.com/gui/file/6a4224517d66e07707f5a18793dfb3dcecd79bf0e913f9571850637c22b13fe8/detection
# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html

vietnam.zing.photos

# Reference: https://app.any.run/tasks/136824e2-885e-4b70-8b6b-20e982f82003/

hou.phimnoi.org

# Reference: https://twitter.com/pancak3lullz/status/1250158700909731845
# Reference: https://twitter.com/pancak3lullz/status/1250386060611391490
# Reference: https://pastebin.com/KdKsaAqV

103.127.157.9:443
103.127.157.9:80
103.136.40.141:443
103.136.40.141:80
103.148.244.59:443
103.148.244.59:80
103.192.226.44:443
103.192.226.44:80
103.193.149.26:443
103.193.149.26:80
103.200.97.150:443
103.200.97.150:80
103.212.223.125:443
103.212.223.125:80
103.213.244.203:443
103.213.244.203:80
103.230.15.155:443
103.230.15.155:80
103.51.147.227:443
103.51.147.227:80
103.56.16.231:443
103.56.16.231:80
103.56.55.69:443
103.56.55.69:80
103.59.165.87:443
103.59.165.87:80
103.79.76.205:443
103.79.76.205:80
104.148.13.252:443
104.148.13.252:80
104.192.80.102:443
104.192.80.102:80
104.199.131.72:443
104.199.131.72:80
104.238.188.213:443
104.238.188.213:80
107.150.112.250:443
107.150.112.250:80
107.179.8.66:443
107.179.8.66:80
112.121.187.178:443
112.121.187.178:80
112.121.187.179:443
112.121.187.179:80
112.121.187.180:443
112.121.187.180:80
112.121.187.181:443
112.121.187.181:80
112.121.187.182:443
112.121.187.182:80
112.196.204.151:443
112.196.204.151:80
112.213.109.32:443
112.213.109.32:80
114.29.253.26:443
114.29.253.26:80
121.127.232.67:443
121.127.232.67:80
13.234.145.7:443
13.234.145.7:80
136.244.102.157:443
136.244.102.157:80
137.59.18.183:443
137.59.18.183:80
139.28.37.102:443
139.28.37.102:80
144.202.50.219:443
144.202.50.219:80
149.248.62.83:443
149.248.62.83:80
149.28.137.203:443
149.28.137.203:80
149.28.150.210:443
149.28.150.210:80
149.28.239.88:443
149.28.239.88:80
149.28.93.163:443
149.28.93.163:80
15.164.104.227:443
15.164.104.227:80
152.32.162.250:443
152.32.162.250:80
152.32.211.67:443
152.32.211.67:80
154.210.12.8:443
154.210.12.8:80
154.215.13.149:443
154.215.13.149:80
154.223.167.105:443
154.223.167.105:80
154.83.13.105:443
154.83.13.105:80
167.179.86.140:443
167.179.86.140:80
167.88.177.191:443
167.88.177.191:80
167.88.178.4:443
167.88.178.4:80
167.88.180.151:443
167.88.180.151:80
167.88.180.32:443
167.88.180.32:80
167.88.180.5:443
167.88.180.5:80
172.245.86.123:443
172.245.86.123:80
172.93.220.201:443
172.93.220.201:80
178.236.44.58:443
178.236.44.58:80
18.138.29.108:443
18.138.29.108:80
185.133.40.223:443
185.133.40.223:80
185.133.42.6:443
185.133.42.6:80
185.161.209.234:443
185.161.209.234:80
185.172.112.212:443
185.172.112.212:80
185.211.246.203:443
185.211.246.203:80
185.225.19.115:443
185.225.19.115:80
185.231.245.119:443
185.231.245.119:80
185.239.226.28:443
185.239.226.28:80
185.239.226.38:443
185.239.226.38:80
185.239.226.53:443
185.239.226.53:80
185.239.226.65:443
185.239.226.65:80
185.243.114.68:443
185.243.114.68:80
185.243.41.200:443
185.243.41.200:80
192.169.7.189:443
192.169.7.189:80
207.148.68.124:443
207.148.68.124:80
211.62.228.141:443
211.62.228.141:80
213.159.202.41:443
213.159.202.41:80
213.252.246.141:443
213.252.246.141:80
27.102.101.52:443
27.102.101.52:80
27.102.130.30:443
27.102.130.30:80
27.255.64.75:443
27.255.64.75:80
3.6.50.223:443
3.6.50.223:80
34.80.27.200:443
34.80.27.200:80
34.92.251.135:443
34.92.251.135:80
35.229.151.34:443
35.229.151.34:80
37.157.245.38:443
37.157.245.38:80
42.99.117.95:443
42.99.117.95:80
43.228.125.9:443
43.228.125.9:80
43.251.118.79:443
43.251.118.79:80
45.115.236.22:443
45.115.236.22:80
45.147.228.131:443
45.147.228.131:80
45.248.87.217:443
45.248.87.217:80
45.251.241.25:443
45.251.241.25:80
45.32.149.253:443
45.32.149.253:80
45.76.153.250:443
45.76.153.250:80
45.76.53.241:443
45.76.53.241:80
45.77.34.128:443
45.77.34.128:80
45.77.60.116:443
45.77.60.116:80
45.81.10.9:443
45.81.10.9:80
45.91.26.140:443
45.91.26.140:80
60.169.81.26:443
60.169.81.26:80
66.42.38.60:443
66.42.38.60:80
66.42.41.140:443
66.42.41.140:80
66.42.48.186:443
66.42.48.186:80
69.171.72.232:443
69.171.72.232:80
91.229.79.226:443
91.229.79.226:80

# Reference: https://twitter.com/KorbenD_Intel/status/1275542304351109120
# Reference: https://www.virustotal.com/gui/domain/subupdata.com/relations
# Reference: https://www.virustotal.com/gui/file/b2c6474f27c1beab3ba9a3e956c5e65d96db8aad686a99a6cc1f9c66bee82b29/detection

185.231.245.119:443
subupdata.com

# Reference: https://twitter.com/cyber__sloth/status/1304042505604861952

http://103.85.24.158

# Reference: https://twitter.com/XOR_Hex/status/1307233839425695744

103.56.53.46:80
103.56.53.46:110
103.56.53.46:443
103.56.53.46:5938

# Reference: https://twitter.com/XOR_Hex/status/1315367371268386817

45.251.240.55:443
45.251.240.55:8000
45.251.240.55:8080

# Reference: https://twitter.com/XOR_Hex/status/1333832546589749249
# Reference: https://twitter.com/noottrak/status/1334165739423608834
# Reference: https://otx.alienvault.com/pulse/5fcaa5df270f075f05c34204
# Reference: https://www.virustotal.com/gui/file/9699c3f5dd99345b04aaf5e7dc5002de7dbabf922e43125a10eb3f5fc574e51e/detection

43.254.217.165:110
43.254.217.165:80
45.248.87.217:8080
http://43.254.217.165

# Reference: https://twitter.com/James_inthe_box/status/1341422354589573120
# Reference: https://twitter.com/Arkbird_SOLG/status/1341479376035168256

caonimade.11i.me

# Reference: https://www.virustotal.com/gui/file/eb649c114f5e0edaf3dda0d4cb97dc06c3b0f437dca8803c0d315d997e273178/detection

39.98.228.46:2653
sdd34dfgfg.xyzs666.xyz

# Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
# Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz

microsoftsp3.com
java.ns1.name
wm1.ns01.us

# Reference: https://app.any.run/tasks/34ef8d2b-6e2c-4da6-9c34-1d73ecd4b040/

krmai1s.servehttp.com

# Reference: https://www.virustotal.com/gui/file/642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d/detection
# Reference: https://app.any.run/tasks/b0d1f612-e69e-4e0b-9b4c-84e067ffd19a/

www2.molnews.net

# Reference: https://twitter.com/wwp96/status/1372553920942379014
# Reference: https://app.any.run/tasks/e001e6f3-0098-4c23-87d7-da31a7015528/

asmlbigip.com
sec.asmlbigip.com

# Reference: https://twitter.com/KorbenD_Intel/status/1374128386130522118
# Reference: https://www.virustotal.com/gui/file/bb0a3d73169882cc9f70a16692d67cc359ef5fee62f3719f819723cc677903f0/detection
# Reference: https://www.virustotal.com/gui/file/264f0a6d47f8c4578be602be1ea01dd634eace574afd7d44d854431721ffcabf/detection

cdn.6c18.com

# Reference: https://www.virustotal.com/gui/file/93d33626886e97abf4087f5445b2a02738ea21d8624b3f015625cd646e9d986e/detection

154.211.14.156:443
154.211.14.156:53
154.211.14.156:8080
rainydaysweb.com

# Reference: https://twitter.com/KorbenD_Intel/status/1398309439573315584
# Reference: https://twitter.com/James_inthe_box/status/1398310426832637956
# Reference: https://www.virustotal.com/gui/file/2cd18c340d412d1c09215c828190621ce558d8ea43ba0ad28e3365ff0619fe8b/detection

chromeserver-dns.com

# Reference: https://tria.ge/210615-gx3w14v8xn/behavioral1

gamegame.info
email.yg9.me
iw.gamegame.info

# Reference: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html (# Win.Packed.Zusy-9878432-0)

vrthcobj.com
ol.gamegame.info
google.vrthcobj.com

# Reference: https://unit42.paloaltonetworks.com/thor-plugx-variant/
# Reference: https://otx.alienvault.com/pulse/61012d6562eb005d61c4a457

apple-net.com
cabsecnow.com
cqpeizi.com
destroy2013.com
emicrosoftinterview.com
fitehook.com
flashplayerup.com
indonesiaport.info
ixiaoyver.com
manager2013.com
mmfhlele.com
msdntoolkit.com
petalossccaf.com
quochoice.com
rainydaysweb.com
scbbgroup.com
systeminfor.com
tv-vn.com
ukbbcnews.com
detail.misecure.com
down.emicrosoftinterview.com
downloads.flashplayerup.com
hdviet.tv-vn.com
help.flashplayerup.com
index.flashplayerup.com
news.cqpeizi.com
news.petalossccaf.com
tools.scbbgroup.com
upload.ukbbcnews.com
web.flashplayerup.com

# Reference: https://www.virustotal.com/gui/file/cae7469e7f5dc88962b9993f4b415a46f60fcaeea494abb53d19b7d05f28525b/detection

dirfgame.com
by.dirfgame.com

# Reference: https://www.virustotal.com/gui/file/071231d29a8548be8cb0a8f48a4b23d12e08139fd8dba842781912a11dc7c5f6/detection

goatgame.co
goatgame.live
a.goatgame.co
live.goatgame.live

# Reference: https://twitter.com/xorhex/status/1422815329684758537
# Reference: https://www.virustotal.com/gui/file/e6ba5de3a9b0287291def0317789b871fa1984a11021d55d3a0371c6d65a872b/detection

http://45.134.83.41
45.134.83.41:443
45.134.83.41:8080

# Reference: https://twitter.com/BitsOfBinary/status/1422823721170087941
# Reference: https://twitter.com/BitsOfBinary/status/1422828937500037121

101.36.125.203:110
101.36.125.203:197
veitdannews.com

# Reference: https://www.virustotal.com/gui/file/34f907b9f543ecf0f4f99adb7e55963ab5bc1c8e6e64081a8fef9a06043828b7/detection

185.231.245.119:8080
brushupdata.com
sery.brushupdata.com

# Reference: https://www.virustotal.com/gui/file/986d19d75880a23917127bab92cd3a92cfec42b31be51e20718da761b1747cbc/detection

mirsoftcheckie.com
sery.mirsoftcheckie.com

# Reference: https://twitter.com/0xrb/status/1465558631454105603

blobimgybag.com
brushupdata.com
copaininfo.com
globnewsline.com
microsoftlab.club
nvidialab.us
twwtteer.com
user-update.com
apicon.nvidialab.us
apis.microsoftlab.club
cbn.copaininfo.com
dark.twwtteer.com
mail.globnewsline.com
sery.brushupdata.com
testmmm.blobimgybag.com

# Reference: https://twitter.com/0xrb/status/1468146226835034113

time4update.com
ns3.time4update.com

# Reference: https://twitter.com/0xrb/status/1469184108030955529

11i.me
daj8.me
fbi.am
nmb.bet
wy01.com
fuckeryoumm.nmb.bet
helloword.daj8.me
nitamade.11i.me
tcp.wy01.com
udp.wy01.com
windows.fbi.am

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_APT-C-23_MICROPSIA_Variant.json

freesmadav.com
update.freesmadav.com

# Reference: https://twitter.com/0xrb/status/1495646507110133761
# Reference: https://www.virustotal.com/gui/file/9857e40be1fb5b9b6db93dc03f96f6b3ff0ffab85af7944dddcac0e37775ab02/detection

103.26.79.150:9019

# Reference: https://twitter.com/0xrb/status/1496747426505531398
# Reference: https://www.virustotal.com/gui/file/0a2a64a36997777d3655b879aa6983bed02c1324cd5b243c014224f7f8c8a8af/detection
# Reference: https://www.virustotal.com/gui/file/4833fa5f75c3d8f76693b20eb90aa572d6d385640f88bc79b6ed9530450d0736/detection
# Reference: https://www.virustotal.com/gui/file/0bc0016dc58dc01276639b80392cc98f9910872ac6be1d6a6288df69b547814c/detection

45.195.67.64:8000
45.195.67.64:49000
c1c.ren
qq.c1c.ren

# Reference: https://twitter.com/0xrb/status/1499287458500194304

aoisudoisadn.kkb.tv

# Reference: https://twitter.com/0xrb/status/1499294678830960642
# Reference: https://twitter.com/0xrb/status/1499296288466436098
# Reference: https://www.virustotal.com/gui/file/8aacb0fd6ea3143d0e7a6b56f7b90c3be760bcc8abbbb29c4334b50f06e822f6/detection
# Reference: https://www.virustotal.com/gui/file/5a9468a87997f2363995e264505105f6a235b66543bb28635fb74f78704e9111/detection

202.182.115.238:13111
202.182.115.238:8080
apps.imangolm.com

# Reference: https://twitter.com/nao_sec/status/1501126308771733505
# Reference: https://www.virustotal.com/gui/file/bee9c438aced1fb1ca7402ef8665ebe42cab6f5167204933eaa07b11d44641bb/detection

http://107.178.71.211

# Reference: https://twitter.com/0xrb/status/1503983616321552384
# Reference: https://www.virustotal.com/gui/file/28d2fef9323884cc81b1a39f3c17734606a79e79786496c5a556e25e00bdf10a/detection

fuckeryoumm.nmb.bet

# Reference: https://www.virustotal.com/gui/ip-address/18.138.107.235/relations
# Reference: https://www.virustotal.com/gui/file/68feab7ef7a2bd4754620b3a5a511988d18384bbd42d100e528cc5b876a1d771/detection

47.242.146.213:8080
fuckyou.fbi.am
windows.fbi.am

# Reference: https://www.virustotal.com/gui/file/2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e/detection

182.255.60.82:81
whoamis.info
list.whoamis.info
mail.whoamis.info
poer.whoamis.info

# Reference: https://www.virustotal.com/gui/file/1d8cef17a8588c216a9e69f3b4acd55dad1b9c69b25b344452ade112eaa96cb5/detection

mmr.whoamis.info

# Reference: https://twitter.com/0xrb/status/1508330395250868229
# Reference: https://www.virustotal.com/gui/file/eeadacdfb1d0c571362ff86b34cd736a80531e635ad46f20b2e90ec862af36af/detection

45.249.245.35:8008
ntpserver.xyz

# Reference: https://tria.ge/220329-llf3rahafr/behavioral2

http://104.110.191.133

# Reference: https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/

http://45.86.162.135
45.86.162.135:443

# Reference: https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/
# Reference: https://otx.alienvault.com/pulse/61430c5741b154348534ae3f

http://185.161.211.97
center.asmlbigip.com
dnssery.brushupdata.com

# Reference: https://twitter.com/0xrb/status/1522474101826551809

http://156.247.10.118
http://34.92.30.54
http://43.230.161.70
http://43.230.161.71
http://43.230.161.83
http://43.242.34.12
http://43.242.34.30
http://45.76.153.100
http://47.75.177.15
http://52.203.216.120
http://66.154.111.63
http://92.38.178.133
http://94.198.40.21
156.247.10.118:443
34.92.30.54:443
43.230.161.70:443
43.230.161.71:443
43.230.161.83:443
43.242.34.12:443
43.242.34.30:443
45.76.153.100:443
47.75.177.15:443
52.203.216.120:443
66.154.111.63:443
92.38.178.133:443
94.198.40.21:443
156.247.10.118:8080
34.92.30.54:8080
43.230.161.70:8080
43.230.161.71:8080
43.230.161.83:8080
43.242.34.12:8080
43.242.34.30:8080
45.76.153.100:8080
47.75.177.15:8080
52.203.216.120:8080
66.154.111.63:8080
92.38.178.133:8080
94.198.40.21:8080

# Reference: https://twitter.com/0xrb/status/1524642728663187456
# Reference: https://www.virustotal.com/gui/file/e374c396735e4202dee76916d74d211a9e21f4956be6f6ef613e70b0489ba95c/detection

47.243.49.249:5050
qwer.asdf.zxcv.88tech.org

# Reference: https://twitter.com/kienbigmummy/status/1539550403465220096

http://69.90.190.110
69.90.190.110:443
69.90.190.110:8080

# Reference: https://twitter.com/kienbigmummy/status/1542454625781321728
# Reference: https://twitter.com/kienbigmummy/status/1542454634618437635
# Reference: https://www.virustotal.com/gui/file/c9f7248e64b531031822e3cda468bf52fcfe169ad15d7d8ddf379cb27ad8b63b/detection
# Reference: https://www.virustotal.com/gui/file/e99ce4fc9697335549cab26717d75abbaf75895c3cd0e77a844769fe9674e3bc/detection

185.239.226.5:108
185.239.226.5:111
185.239.226.5:236
185.239.226.5:438

# Reference: https://twitter.com/0xrb/status/1559764331612364801

103.27.108.77:443
118.107.45.21:443
118.107.45.31:443
118.107.45.33:443
118.194.239.178:443
139.5.200.6:443
152.32.153.134:443
158.247.222.2:443
159.65.188.162:443
198.13.56.122:443
http://103.27.108.77
http://118.107.45.21
http://118.107.45.31
http://118.107.45.33
http://118.194.239.178
http://139.5.200.6
http://152.32.153.134
http://152.32.211.67
http://158.247.222.2
http://159.65.188.162
http://185.243.41.200
http://198.13.56.122

# Reference: https://twitter.com/Metemcyber/status/1561570370993668096
# Reference: https://www.virustotal.com/gui/file/27b8e572902ffbdc746766e1d315721e282cfc470e98bc9218bec78f1046214c/detection

miscrosofts.gq
defender.miscrosofts.gq
windows.defender.miscrosofts.gq

# Reference: https://twitter.com/kienbigmummy/status/1610535062889717763
# Reference: https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware
# Reference: https://otx.alienvault.com/pulse/63dd6a44b4f337a53baa56fb

217.12.206.116:443
217.12.206.116:8088
45.134.83.29:443

# Reference: https://twitter.com/WhichbufferArda/status/1611006137112961027
# Reference: https://www.virustotal.com/gui/file/a9f7d06b9929be61853910876129318ef56efd1eaef168e9ac412a090a6f09da/detection

195.211.97.117:443

# Reference: https://www.virustotal.com/gui/file/2bf3e8bac1f5ecfb8f8ec07952e39608ca5567a9adcd4a651e71b6b1dcea663b/detection

auraann.p-e.kr
versioncheck.p-e.kr

# Reference: https://www.virustotal.com/gui/file/057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7/detection

45.116.161.95:8080
luckfafa.com
googleupdate.luckfafa.com

# Reference: https://www.virustotal.com/gui/file/c5402f8882960bb73a0fd7b1b4badcb12ca96791c189b430cc234fbd2965aa34/detection

216.83.59.185:15858
microsoftdefender.luckfafa.com

# Reference: https://www.virustotal.com/gui/file/7fa8231dc167ec6aa87874a10d3daf798407a37c11bb921efb05664dfafdb38f/detection

wpsupdate.luckfafa.com

# Reference: https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/ (#AmericanUSA, #HELLO_USA_PRISIDENT, #KilllSomeOne)
# Reference: https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html
# Reference: https://www.virustotal.com/gui/file/446a9176ab41fe9be895d1a34481ea3e0bb70a2d86bb9b6f0347efc9425302f7/detection

http://160.20.147.254
160.20.147.254:9999

# Reference: https://www.virustotal.com/gui/file/5307dac6f70b86c669c46741e5953a13db6920542fd81ce37650971511367ee6/detection

imango.ink
api.imango.ink
cdn.imango.ink
update.imango.ink

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/

http://103.244.3.107
http://103.244.3.109
http://104.233.173.53
http://108.61.163.91
http://112.213.125.75
http://185.101.139.99
http://27.102.106.153
http://54.250.239.189
101.200.59.103:443
103.113.11.78:443
103.127.124.226:443
103.135.33.253:443
103.140.238.92:443
103.149.48.56:443
103.149.48.57:443
103.164.203.164:443
103.186.214.216:443
103.186.214.216:8080
103.194.187.147:443
103.194.187.148:443
103.194.187.148:8080
103.194.187.149:443
103.194.187.149:8080
103.218.243.167:443
103.244.3.107:8443
103.244.3.109:443
103.244.3.109:8443
103.27.108.158:443
103.27.109.130:443
103.27.109.130:8080
103.86.44.198:443
103.94.76.158:443
103.94.76.169:443
103.94.76.183:443
104.199.159.226:443
104.233.160.81:443
104.233.160.81:53
104.233.173.53:53
106.55.60.126:443
106.55.60.126:8080
107.148.14.49:443
107.150.124.43:443
107.150.124.43:8080
107.155.55.15:443
107.155.55.15:8080
107.155.56.134:8080
107.173.63.250:443
108.61.163.91:443
109.123.230.56:443
109.123.230.56:8080
110.50.48.222:8443
112.121.187.178:12345
112.196.204.141:443
112.196.204.141:8080
112.196.204.151:8080
112.213.109.35:443
112.213.109.47:443
114.29.254.126:443
114.29.254.126:8080
114.29.254.17:443
114.29.254.17:8080
114.29.254.201:443
114.29.254.201:8080
114.29.254.94:443
114.29.254.94:8080
124.223.102.72:8080
128.14.227.104:443
128.14.227.104:8080
139.180.215.111:443
139.180.215.111:8080
139.84.137.183:443
139.84.138.129:443
139.84.167.181:443
139.84.171.4:443
143.92.52.133:12345
143.92.52.133:53
143.92.52.137:12345
143.92.60.54:8088
143.92.60.75:8088
143.92.60.77:8088
149.28.130.206:443
149.28.25.119:443
150.129.52.95:443
152.32.164.67:443
152.32.164.67:8080
152.32.211.67:53
152.32.211.67:8080
154.204.24.243:65000
154.31.172.86:443
154.39.239.155:443
154.39.239.205:443
154.91.84.128:443
158.247.213.215:8443
158.247.222.2:8080
158.247.238.22:443
167.172.76.129:443
167.172.76.129:8080
167.179.109.96:443
172.111.244.164:21
172.93.167.211:443
172.93.167.227:443
18.179.5.105:443
18.179.5.105:8080
180.178.42.37:65000
180.235.137.85:443
180.235.137.85:8080
185.101.139.99:443
185.135.77.199:443
185.239.87.173:443
185.243.41.247:443
185.243.41.247:8080
193.22.152.56:443
198.13.36.205:443
202.182.115.238:53
206.119.75.253:443
207.148.103.108:443
207.148.103.108:53
207.148.105.154:443
207.148.97.160:443
209.250.241.189:443
210.68.108.46:443
23.224.239.44:12345
23.224.239.44:8000
27.102.118.76:446
3.112.45.157:443
3.112.45.157:53
3.112.45.157:8080
34.150.33.252:443
34.96.231.241:443
35.229.246.12:443
38.47.123.94:53
38.47.220.85:8000
38.54.40.60:443
38.54.76.128:443
43.135.1.200:21
43.154.29.157:443
43.248.133.54:443
43.255.28.190:443
43.255.28.201:443
45.120.55.154:443
45.120.55.162:443
45.134.82.191:443
45.142.166.65:443
45.32.119.152:443
45.32.34.154:443
45.63.41.197:443
45.64.184.248:443
45.76.213.19:53
45.76.80.13:443
45.77.157.245:53
45.77.172.61:443
45.77.172.61:8080
45.77.177.209:443
45.87.43.60:443
47.57.118.245:53
47.57.118.245:8443
5.255.88.185:443
54.249.142.61:443
54.249.142.61:53
54.250.239.189:443
54.250.239.189:8080
61.238.103.165:443
61.238.103.170:443
63.141.237.100:443
63.141.237.208:443
64.44.184.105:443
65.20.112.193:443
72.18.215.38:443
8.217.48.154:443
8.218.191.58:443
8.218.191.58:53
8.218.191.58:8080
8.218.201.52:443
8.218.234.216:53
8.218.242.93:443
8.218.37.29:443
8.218.37.29:8080
85.206.160.121:8080
87.121.52.23:443
87.121.52.23:8080
92.223.85.90:443
92.38.132.128:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/ (# 2023-10-26)

103.106.202.158:443
103.106.202.163:443
103.135.33.250:443
103.135.33.251:443
103.135.33.252:443
103.169.90.98:443
103.244.3.107:443
103.254.73.20:443
103.254.73.21:443
103.254.73.22:443
103.45.68.125:443
103.56.55.153:443
103.68.193.225:443
103.94.76.115:443
103.94.76.135:443
104.208.73.38:443
104.233.161.173:443
104.233.173.53:443
107.148.0.190:443
107.155.56.134:443
107.175.69.184:443
109.94.209.44:443
110.50.48.222:443
112.213.125.75:443
118.99.29.173:443
124.220.78.199:443
124.223.102.72:443
13.229.153.26:443
139.180.212.205:443
14.161.4.152:443
141.164.37.94:443
143.92.56.71:443
143.92.60.54:443
143.92.60.75:443
143.92.60.76:443
143.92.60.77:443
149.104.22.138:443
154.19.70.222:443
154.26.153.129:443
156.234.211.149:443
158.247.213.215:443
159.65.157.64:443
16.162.44.42:443
167.179.98.155:443
172.111.233.204:443
172.111.244.178:443
172.111.245.162:443
185.135.77.239:443
20.214.1.160:443
202.162.108.48:443
206.189.80.15:443
207.148.118.170:443
208.72.153.162:443
216.238.115.148:443
217.197.160.235:443
23.224.239.44:443
27.102.106.146:443
27.102.106.153:443
38.47.220.85:443
38.47.221.162:443
38.54.79.103:443
38.60.254.243:443
45.32.100.40:443
45.32.103.109:443
45.32.39.15:443
45.74.41.38:443
45.74.6.122:443
45.74.6.163:443
45.74.6.197:443
45.74.6.228:443
45.74.6.245:443
45.74.6.24:443
45.74.6.253:443
45.76.219.71:443
45.77.174.174:443
45.77.43.75:443
45.86.163.230:443
47.57.118.245:443
8.212.149.44:443
80.240.28.192:443
a-white.vn
americafirst3d.com
cahayashop.shop
cctv.liveonlin.com
google-inc.ltd
img.cdn.jsdblog.com
liveonlin.com
main.liveonlin.com
npgsql.liveonlin.com
public.liveonlin.com
tech.liveonlin.com
windows-sns2.dns-microsoft.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/ (# 2023-10-30)

http://103.192.226.100
http://103.56.53.106
101.36.106.114:8443
103.192.226.100:110
103.192.226.100:5938
103.192.226.100:8000
103.192.226.100:8080
103.56.53.106:110
103.56.53.106:443
103.56.53.106:5938

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/ (# 2023-11-06)

http://13.229.238.49
http://156.234.211.149
http://18.163.46.232
http://185.189.241.155
http://185.189.241.208
http://43.136.245.27
http://45.76.219.71
http://47.242.189.104
http://8.212.149.44
http://80.240.28.192
101.36.106.114:12345
103.135.33.254:443
107.173.63.250:53
112.121.187.182:12345
113.160.186.153:8080
118.69.111.118:8080
118.99.29.173:65000
119.29.225.72:8080
13.229.238.49:443
149.104.22.138:21
149.104.22.138:8080
149.28.130.206:53
154.204.24.242:65000
154.204.24.246:65000
156.234.169.19:53
172.111.233.249:8443
18.163.46.232:443
18.163.46.232:53
185.189.241.155:443
185.189.241.208:443
20.2.65.28:443
23.225.71.115:8000
23.225.71.115:8080
38.47.116.103:53
38.47.220.85:12345
38.54.23.192:443
43.132.173.7:443
43.229.112.202:65000
43.229.112.205:65000
43.229.112.206:65000
43.231.113.62:443
45.32.148.180:443
45.74.6.240:21
45.74.6.9:443
47.117.177.231:443
47.242.189.104:443
47.242.189.104:8080
65.20.107.216:8080
78.141.208.113:8080
8.130.46.30:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/ (# 2023-11-16)

http://103.45.68.125
http://13.115.129.191
http://13.115.194.155
http://34.92.77.165
http://35.77.99.82
http://43.153.162.95
http://45.74.6.203
118.193.35.61:8443
13.115.129.191:443
13.115.194.155:443
13.115.194.155:8080
13.229.238.49:53
14.161.32.142:8443
154.204.24.245:65000
194.37.97.132:21
195.133.11.98:8080
216.83.41.111:53
216.83.41.113:53
217.197.160.235:8080
23.224.239.44:8080
23.225.71.115:443
35.77.99.82:443
35.77.99.82:8080
43.155.95.97:443
43.229.112.204:65000
45.74.6.168:8443
45.74.6.203:21
47.117.177.231:21
5.255.88.185:53
70.34.198.203:443

# Reference: https://www.virustotal.com/gui/ip-address/45.121.146.113/relations
# Reference: https://www.virustotal.com/gui/file/bebde82e636e27aa91e2e60c6768f30beb590871ea3a3e8fb6aedbd9f5c154c5/detection
# Reference: https://www.virustotal.com/gui/file/54be4a5e76bdca2012db45b1c5a8d1a9345839b91cc2984ca80ae2377ca48f51/detection
# Reference: https://www.virustotal.com/gui/file/3a6887963920c8bc1ae35fdca69af2c0865f8b5c6ef90b4db91fa152bc56050d/detection

http://45.121.146.113
45.121.146.113:443

# Reference: https://any.run/malware-trends/plugx (# 2024-02-02)

http://103.143.209.16
/poMdDDxDkOkkML/update.php
/poMdDDxDkOkkML/

# Reference: https://asec.ahnlab.com/ko/64073/

http://45.32.16.248

# Reference: https://twitter.com/Cyberteam008/status/1790951752528724122

1.94.50.14:800
119.3.126.15:800
121.36.203.84:800
123.60.48.78:800
123.60.80.229:800
47.104.14.198:800

# Reference: https://x.com/SBousseaden/status/1796167554592805257
# Reference: https://www.virustotal.com/gui/file/65f4208e7335b4a3c5f091a7801420b3e7b3fe5d774357dec2198200f369bc2a/detection
# Reference: https://www.virustotal.com/gui/file/51d38688ae91d2f1dd91a042861073491989b2cbcd4a85ab6ff92948c2d1ddf9/detection

buyinginfo.org

# Reference: https://x.com/nao_sec/status/1798697869106668011
# Reference: https://x.com/r0ny_123/status/1798739751815753869
# Reference: https://jp.security.ntt/tech_blog/controlplug
# Reference: https://threatfox.abuse.ch/browse/tag/OperationControlPlug/

7gzi.com
ankokunews.com
bkller.com
bramjtop.com
calgarycarfinancing.com
comparetextbook.com
dmfarmnews.com
epsross.com
flaworkcomp.com
glassdoog.org
goodrapp.com
gulfesolutions.com
indiinfo.com
iplanforamerica.com
jorzineonline.com
lebohdc.com
lifeyomi.com
londonisthereason.com
onmnews.com
profilepimpz.com
starlightstar.com
unixhonpo.com
versaillesinfo.com

# Reference: https://asec.ahnlab.com/ko/67509/

104.233.173.53:8080
185.173.93.167:13306
support.firewallsupportservers.com

# Reference: https://x.com/Huntio/status/1822923743410168113
# Reference: https://www.virustotal.com/gui/ip-address/156.245.13.9/relations
# Reference: https://www.virustotal.com/gui/ip-address/156.245.13.12/relations

googlewired.com
kasperskye.com
skypeinc.com
cf.kasperskye.com
cloud.google-inc.ltd
dns.skypeinc.com
update.googlewired.com
update.kasperskye.com

# Reference: https://x.com/malwrhunterteam/status/1826308741400273233
# Reference: https://x.com/smica83/status/1826315908014329996
# Reference: https://www.virustotal.com/gui/file/ee6febf6f1a088dd965ba800989fcf27e2392454c15370f3231a8cefd7934969/detection
# Reference: https://www.virustotal.com/gui/file/fbce6d143fac667ebbcd1c80102252f7baf678de7f575be76d4639acfeeef134/detection

http://85.90.196.19
85.90.196.19:443

# Reference: https://x.com/Cyberteam008/status/1830421848527409162
# Reference: https://www.virustotal.com/gui/ip-address/38.60.171.133/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.133.239.183/relations

bssn-gov.id

# Reference: https://x.com/Cyberteam008/status/1833338188808786059
# Reference: https://www.virustotal.com/gui/file/5f7c5c2f76ef97b94fd77d13fd03bf210a158ebf722d6371368f6e858a7b26ff/detection

http://23.227.203.181

# Reference: https://x.com/malwrhunterteam/status/1833579645528121742
# Reference: https://www.virustotal.com/gui/file/6c420bfa9f6b40ccc371a68df0a7f3e5d32ac2cf432696c338a9b4ace915004c/detection

http://23.227.196.31

# Reference: https://blog.talosintelligence.com/dragon-rank-seo-poisoning/
# Reference: https://github.com/Cisco-Talos/IOCs/blob/main/2024/09/DragonRank%2C%20a%20Chinese-speaking%20SEO%20manipulator%20service%20provider.txt

http://35.247.175.184
134.122.204.174:53
154.23.179.133:443
154.23.179.133:888
35.247.175.184:443
a.googie.pw
admin1.tttseo.com
b.googie.pw
ddos.tttseo.com
googie.pw
ig26.com
mail.tttseo.com
web.googie.pw
yx52.pw

# Reference: https://app.validin.com/detail?find=moxing1&type=raw&ref_id=c155934b2f9#tab=host_pairs_v2

2pt.me
367z.vip
421.vc
976.vc
autofirst.cn
nf235.com
oxfam-th.cc
oxfam-th.com
oxfam-th.top
testnewline.com
tk315e47xu2w2bsn6.com
ad.oxfam-th.top
fn300mhk002.testnewline.com
mamnon.nguyendinhanh.com
vd.nguyendinhanh.com

# Reference: https://x.com/r0ny_123/status/1833949268291584249

govamazon.com

# Reference: https://x.com/r0ny_123/status/1835980018008080489
# Reference: https://www.virustotal.com/gui/file/c9c81a2a4866e858060fe91cda6085c8ea01295ef3e7dbe813d62ea48434195b/detection

103.238.225.248:443

# Reference: https://x.com/suyog41/status/1838192182378770546
# Reference: https://www.virustotal.com/gui/file/976ffe00ca06a4e3d2482815c2770086e7283025eeecad0a750001dedaa2d16a/detection
# Reference: https://www.virustotal.com/gui/file/397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c/detection

loginge.com
vabercoach.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/ (# 2024-09-24)

103.107.104.57:443
107.148.32.206:443
107.155.56.87:443
146.66.215.206:443
147.78.12.202:443
154.205.136.105:443
155.138.203.78:443
185.120.16.133:443
202.91.39.201:443
365officemail.com
38.180.75.197:443
45.133.239.183:443
45.135.119.132:443
abecopiers.com
abeparanormal.com
alphadawgrecords.com
alvinclayman.com
armzrace.com
atasensors.com
bangnightclub.com
bonuscuk.com
cloudsafeuae.com
cuanhuaanbinh.com
expertoenexcel.com
finasterideanswers.com
flfprlkgpppg.shop
getupdates.net
homeimageidea.com
instalaymantiene.com
irprofiles.com
kelownahomerenovations.com
myynzl.com
normalverkehr.com
nymsportsmen.com
pgfabrics.com
pinaylizzie.com
richwoodgrill.com
rpcgenetics.com
somlwebtactics.com
spencerinfo.net
tigermm.com
tophooks.org
trafikexperten.com
truckingaccidentattorneyblog.com
webdisk.psd2.info.87-121-52-23.cprapid.com
webmail.psd2.info.87-121-52-23.cprapid.com

# Reference: https://www.virustotal.com/gui/file/369e74a8e1f686896f82d92ee2467ca6736bc44b06faab9db9ea6473aef4c397/detection

103.43.18.19:433
103.43.18.19:53
117.18.14.20:443
117.18.14.20:53

# Reference: https://www.virustotal.com/gui/file/356ce79cd2da57824586ab26c4af440e21ea380f9ab1bcc880e060f4879d0a05/detection
# Reference: https://www.virustotal.com/gui/file/ac98f9e40966561c581bb7c79bdb617feba8daf323e9acdcf1c75f53431e91ad/detection

103.43.18.220:443
103.43.18.220:53

# Reference: https://www.virustotal.com/gui/file/81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9/detection

120.89.69.3:443
120.89.69.3:53

# Reference: https://www.virustotal.com/gui/file/354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379/detection

203.86.234.16:443
203.86.234.16:53

# Reference: https://www.virustotal.com/gui/file/cee3f10cff54cbc96abb17ceac88e69a00c3c2ef9267ccce7fc79ed59997d0b7/detection

117.18.14.22:443
117.18.14.22:53
