# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: Raspberry Robin, QNAPWorm, Roshtyak, hacked qnapnas

# Reference: https://blog.netlab.360.com/in-the-wild-qnap-nas-attacks-en/
# Reference: https://www.qnap.com/en-us/security-advisories/
# Reference: https://otx.alienvault.com/pulse/5f4d3b803650ae87f911b28c

165.227.39.105:1234
165.227.39.105:3730
165.227.39.105:5678
165.227.39.105:80
165.227.39.105:8096
165.227.39.105:9393

# Reference: https://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices
# Reference: https://www.virustotal.com/gui/ip-address/179.60.150.126/relations
# Reference: https://www.virustotal.com/gui/ip-address/195.158.67.252/relations

179.60.150.126:8080
195.158.67.252:8080
0e.si
4q.pm
5qw.pw
6w.re
6y.re
c7.lc
f0.tel
i6n.xyz
j2.gy
j4z.co
jjl.one
k5m.co
k6c.org
kr4.xyz
lwip.re
mirw.wf
mwgq.net
mzjc.is
omzk.org
p9.tel
q2.rs
r6.nz
ri7.biz
rx3.xyz
s8.cx
t7.nz
tz6.org
u0.pm
uoej.net
uz3.me
xjam.hk
zbs.is
zk.qa
/80wOpGuotSU/
/5CBniie70Rw/

# Reference: https://twitter.com/x3ph1/status/1572228866789502977
# Reference: https://www.virustotal.com/gui/ip-address/61.244.156.107/relations
# Reference: https://www.virustotal.com/gui/file/9af18d0a651daf5fc264150ac1e2d1c3522caa3e603108d4211488c0587ea25b/detection
# Reference: https://www.virustotal.com/gui/file/04fe16cada29101117cc454d956a9231959b10d7e896c3c54cc8df63965216a7/detection

1h3.me
2i.nu
5kj.xyz
5s.pm
5v0.nl
6t.nz
6wr9.com
7yfb.com
8t.pm
8t.wf
9r.re
c0.wf
cb3u.com
e9.wf
ejk.bz
fnx.wf
i0.wf
j5m.biz
jrx.tw
k6j.me
m0.yt
mn1.biz
mz3.biz
n54.me
n5k.me
rn9v.com
t0.wf
u0.rs
u8wp.com
vs.gy
w0.pm
w4.nz
xz4.biz
zjc.bz

# Reference: https://twitter.com/1ZRR4H/status/1588766861612617728
# Reference: https://www.joesandbox.com/analysis/738633/2/html

85.56.236.45:49845
85.56.236.45:8080

# Reference: https://redcanary.com/blog/raspberry-robin/
# Reference: https://otx.alienvault.com/pulse/6274f50b11f1e83fe900d4bf

3h.wf
v0.cx
ivuoq6si2a.com

# Reference: https://twitter.com/felixaime/status/1524406445978136576

77.99.129.181:8080

# Reference: https://github.com/avast/ioc/tree/master/RaspberryRobin
# Reference: https://www.virustotal.com/gui/ip-address/185.55.243.109/relations

0dz.me
0i.pm
0t.yt
0v.wf
0w.pm
0x9.biz
13j.me
1i.pm
1j.pm
1j4.xyz
1k4.xyz
1n4.xyz
1u.pm
21k.website
2i.pm
2j4.xyz
2um.xyz
2yd.eu
3e.pm
3h1.xyz
4c.pm
4j.pm
4j1.xyz
4j5.xyz
4k1.xyz
4kx.xyz
4m.wf
4s.pm
4s3.me
4w.rs
4w.wf
5j8.xyz
5jb.me
5jk.club
5kx.me
5qe8.com
5z.wf
66j.me
6id.xyz
6qo.at
6t.re
6xj.xyz
7d.rs
9r.sk
aij.hk
as3.biz
b3vv.com
b8x.org
b9.pm
bpyo.in
c4z.pl
d4j.club
dj2.biz
doem.re
dsi.mk
egso.net
ej3.xyz
ejk.li
euya.cn
fxb.tw
fz.ms
g3.rs
g4.tel
g4.wf
getmyfile.eu
glnj.nl
gz3.nl
h0.wf
i0up.com
i49.xyz
i4x.xyz
iz.gy
j1n.me
j3n.xyz
j4r.xyz
j4z.xyz
j5n.xyz
j68.info
j8.si
jrtz.re
jrx.fr
jzm.pw
k0.pm
k1n.club
k5j.one
k5x.xyz
k6j.pw
kglo.link
kj1.xyz
kjaj.top
krrz.pm
l5k.xyz
l6nk.com
l9b.org
lgf.pw
lwxa.eu
m0.wf
m5n.biz
mnem.wf
msix.pm
n3.wf
n5.ms
n51.biz
nk0.club
nwz.li
nz4.xyz
nzm.one
oj8.eu
p3.ms
pjz.one
q0.pm
qji6.com
qmpo.art
r0.pm
r0.wf
r4e.pl
s0.pm
skqv.eu
tiua.uk
trzx.eu
ue2.eu
uqw.futbol
vn6.co
w4.rs
w4.wf
w6.nz
wak.rocks
y0.wf
y3x.biz
ynns.uk
yuiw.xyz
z7s.org
zie5.com
zk4.me
zk5.co
zxn.fyi

# Reference: https://twitter.com/malwrhunterteam/status/1572968889197150209
# Reference: https://www.virustotal.com/gui/file/dc0d4c35716a41be5c19f274fbba881505071cc206ac1e843b99ac9228e2c9e2/detection

220.135.222.186:8080
0j.re
0p.rs
2i.wf
2t.pm
2t.wf
3z.nu
4n.wf
5z.pm
6t.pm
7d.wf
q0.wf
g4.nu
gz.qa
h6.re
m0.nu
u0.nz
/AkBIoJY1ou07oX/celS6c2LNQal0iQ/
/ymANLl6ViZl/0s96yYaFStRcmPx4vffZTOqpvtdo/
/0s96yYaFStRcmPx4vffZTOqpvtdo/
/AkBIoJY1ou07oX/
/Aly5NW5lm/
/BlAcepWx9xjNwCtQOGKeQ/
/BNBH26SDSNM6upvcKpKobq9h6LM8S/
/BXB6pgOgqT1sCWK7Yms/
/celS6c2LNQal0iQ/
/mbhlMpvzllz/
/OxjYaLnal1V/
/rpT5w9Nr8d8H17tjt/
/ymANLl6ViZl/

# Reference: https://www.virustotal.com/gui/file/f7b9e262f52af04086b26988ce980dd28cae38f36ca16cc896418dbc0b8f2714/detection

82.46.34.46:8080
3y.nu
/yxyhTBLSNaVBSMBY/kF/Y2R8p/
/yxyhTBLSNaVBSMBY/

# Reference: https://www.virustotal.com/gui/file/d6463d8191fcb7850703ecef692aaa40634c80b9958400a9fafaa9624e38a9cf/detection
# Reference: https://www.virustotal.com/gui/file/b31629e423c4fabf8d9734b9c23bcc77cd0cd41d6fd69a3ca01041ea8d8c133c/detection
# Reference: https://www.virustotal.com/gui/file/a8602aaf11458f826659e44b3bb47d99058228866242361af76439b46267faa4/detection
# Reference: https://www.virustotal.com/gui/file/5da9e410971f68b2447cee61a1e22da60217c7eb744e6eacaf4b14f1988f41da/detection
# Reference: https://www.virustotal.com/gui/file/532cfcc07c32a774d546681cc8032c0cf4ec0bbaed382eb3e699bd5918c4bec1/detection

14.200.211.18:8080
213.22.1.225:8080
/AMB/U98GXRx5IdwBdEs/
/yMyVqr74TqZsCeDTs4jpLXDMR/x8O/596ac/
/yMy3gcw0EH3gJUwBUG9VJld0y76MWmWm/
/yAyWywwnv0Dxx4W2XVo7N4ayKF1haZb8AQA/
/yDASWuZoFaLmiSl3XmbhlMpvzluWuxXpE4w7/e/
/yDASWuZoFaLmiSl3XmbhlMpvzluWuxXpE4w7/
/yMyVqr74TqZsCeDTs4jpLXDMR/
/U98GXRx5IdwBdEs/

# Reference: https://www.virustotal.com/gui/file/d34e8779799f74938b2f3756f6440bcdc697a7ecb077ee90e246813b89d65b47/detection
# Reference: https://www.virustotal.com/gui/file/9eade2054d3efd2ec2fe81612f26f43c8838d6bbbbf79e4206fbfb0dc19ea61a/detection
# Reference: https://www.virustotal.com/gui/file/947b2ba998bc8e123a94993db359e1746de7ca57633f4def39bd9266f15015c3/detection
# Reference: https://www.virustotal.com/gui/file/432f3f264d7fef16dd303412c4259c0b9367998adfe31c44d130c64b4741daff/detection

124.168.120.117:8080
/AZA0qrMiHcVdS/tR/cmPx4vffonl/
/AdAel/L7uIfp3f98W1Rc0BspXUdorvydVeBqqfAEkQbx/v/
/ySy/BL9sC7GM9Ljp5kAPDRK15QeRDZw/Zp5i9/qrDx/
/AZA0qrMiHcVdS/
/BL9sC7GM9Ljp5kAPDRK15QeRDZw/
/BSArv8u89akrL69jep9wyoHJ/
/cmPx4vffonl/
/L7uIfp3f98W1Rc0BspXUdorvydVeBqqfAEkQbx/

# Reference: https://github.com/SEKOIA-IO/Community/blob/main/IOCs/20220704_QNAP_Worm_Infrastructure

03s30.com
0i.wf
0j.wf
1u.wf
27o.nl
4aw.ro
4xq.nl
5ap.nl
5g7.at
5qy.ro
60i.nl
6ax.nl
6t4.nl
6uy.at
bcomb.net
bo2sv.com
d0.wf
e0.wf
eznb.net
g0.pm
getmyfile.click
getmyfile.link
h0.pm
ldnr.net
li1iv.com
n9fz.com
o7car.com
u7u.ro
vqdn.net
xtabr.com
y0.pm

# Reference: https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html
# NOTE(review): the entries below are 16-character (v2) .onion names, which the Tor network stopped serving in 2021, and several look like public services by name (e.g. njalladnspotetti, torwikignoueupfm, archivecaslytosk); keep them for retrospective matching, but a hit is not on its own evidence of live C2 - confirm against the reference before treating it as one

2qlvvvnhqyda2ahd.onion
3bbaaaccczcbdddz.onion
5j7saze5byfqccf3.onion
76qugh5bey5gum7l.onion
answerstedhctbek.onion
archivecaslytosk.onion
bcwpy5wca456u7tz.onion
bitmailendavkbec.onion
clgs64523yi2bkhz.onion
cmgvqnxjoiqthvrc.onion
cyphdbyhiddenbhs.onion
expressobutiolem.onion
fncuwbiisyh6ak3i.onion
gl3n4wtekbfaubye.onion
habaivdfcyamjhkk.onion
hd37oiauf5uoz7gg.onion
ihdhoeoovbtgutfm.onion
kyk55bof3hzdiwrm.onion
njalladnspotetti.onion
pornhubthbh7ap3u.onion
psychonaut3z5aoz.onion
qqvyib4j3fz66nuc.onion
sejnfjrq6szgca7v.onion
sgvtcaew4bxjd7ln.onion
tapeucwutvne7l5o.onion
torwikignoueupfm.onion
ugw3zjsayleoamaz.onion
ynvs3km32u33agwq.onion
zdfsyv3rubuhpql3.onion

# Reference: https://blog.sekoia.io/raspberry-robins-botnet-second-life/
# Reference: https://otx.alienvault.com/pulse/63bd98efc676e4b6c7858e1c
# Reference: https://www.virustotal.com/gui/file/12f05d82487b9cee35476d8b8de81daf118014f195dd81d4219352fa08f0513e/detection

94.10.67.162:8080
gloa.in
/Qvt3YjpXH4k/

# Reference: https://www.virustotal.com/gui/file/f0dbd45e60816b6193ce17e15c74124bfd522f1a11333b95a917ebee46f39ea7/detection

73.84.232.188:8080
77.20.37.151:8080
/KmJo8so8904/

# Reference: https://www.virustotal.com/gui/file/e24a094c5e9ae8cb79c7575e07f60016425f7222efabaa89e2ae456095d2df7e/detection

173.54.51.210:8080
176.25.167.244:8080
77.20.37.151:8080
84.231.5.50:8080
/U81FxNWIdSB/

# Reference: https://www.virustotal.com/gui/file/ae33a1ebee017279112a029a33e771bb63a1780f7bf1ddc96d1f45d0fd30ff2a/detection

24.150.220.32:8080
/Su4WNNlh9N0/

# Reference: https://www.virustotal.com/gui/file/a090b38024ae69a32d0869bb28fd6d9d849c68968ff0fd9a648acc7cccca7dab/detection

109.250.7.127:8080
/TM9vBlPS2WX/

# Reference: https://www.virustotal.com/gui/file/96ff8e9a493b5d43010d6682960a7c9f3e6b4f3adc392bda4b8b80be722851aa/detection

172.124.74.77:8080
/JRfdc66PdMP/

# Reference: https://www.virustotal.com/gui/file/334863561713b7c59dd9f87348d3f4453ec2045166cb6d9afe82fcb0ddd5b7c3/detection
# Reference: https://www.virustotal.com/gui/file/83a69c1c951863a84d27749f5a0936ec436ee01867de291a413f642340e38051/detection

179.60.150.126:8080
216.48.162.99:8080
77.20.37.151:8080
/IzVtNTfU2xD/

# Reference: https://www.virustotal.com/gui/file/81183d996bf7ad22961480facd4865c523daedf4747dc2bfbdccd342d1dc84c9/detection

76.184.196.154:8080
/VSYQQV5alFZ/

# Reference: https://www.virustotal.com/gui/file/0a78ec57f50462d29f50319eb194b4294d386f561dbeae0bf633e5b0ad536b92/detection

/NRAMSGu6Xsk/

# Reference: https://twitter.com/1ZRR4H/status/1613068335104626690

2ipn.com
4w.pm
a5az.com
a7k.ro
c43p.com
hlv1.com
ubv5.com
v4a3.com

# Reference: https://twitter.com/BushidoToken/status/1616386734928928770
# Reference: https://www.virustotal.com/gui/file/e74cf1c88298d16af252c0ef6ce81fdbff4adae0226d5f962de4744016f1fcb6/detection

76.95.39.48:8080

# Reference: https://twitter.com/BushidoToken/status/1618611195266887683
# Reference: https://www.virustotal.com/gui/file/c8ff8a9793a99c0f6ac19a1a3bdcf6b34862a6e38a4130c7e1390752a20579a9/detection

61.244.156.107:8080
fgcz.net

# Reference: https://twitter.com/malwrhunterteam/status/1562081732983128064
# Reference: https://www.virustotal.com/gui/ip-address/58.177.98.79/relations
# Reference: https://www.virustotal.com/gui/file/5867549d009fbecef49d924ff55fe7e809583b7d72decf6bd49ef453e1366680/detection
# Reference: https://www.virustotal.com/gui/file/03f63afedfd4126975418147a2450ba510c7173f3cc1faf966dfd7ebfb2c81f2/detection

220.135.222.186:8080
37.103.169.218:8080
58.177.98.79:8080
3p.ms
6c.nz
7k.rs
a0.pm
/B/ZyqCiaZCij2tRl1yWkrtqckK1x/
/BNBH26SDSNM6upvcKpKobq9h6LM8S/
/ZyqCiaZCij2tRl1yWkrtqckK1x/

# Reference: https://threatfox.abuse.ch/browse/tag/raspberryrobin

118.167.131.52:8080
118.167.144.103:8080
218.221.150.148:8080
61.68.74.170:8080
naskk.myqnapcloud.com

# Reference: https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html

2jks.com
2kbq.com
3fvz.com
3lzj.com
6gcr.com
79r.nl
i1.pm
iyw5.com
j0.wf
l0.wf
p0.wf
v0.wf
w0iq.com
x1vl.com
yt6.ro
zf0.ro
zi9f.com

# Reference: https://twitter.com/1ZRR4H/status/1653873318510952448

13i6.com
4osq.com
7r6.nl
9b.nu
c4x.at
hv9.at
l45w.com
tu6p.com
z19.ro

# Reference: https://twitter.com/BushidoToken/status/1656293067064836096
# Reference: https://www.virustotal.com/gui/file/14d488d94656f25cec3a1011b37e352da9c8df1a46dfd419d7b529fd48b350f8/detection

80.78.24.30:8080

# Reference: https://threatfox.abuse.ch/browse/malware/win.raspberry_robin/

1.163.239.22:8080
1.175.125.217:8080
1.175.137.191:8080
1.175.153.226:8080
1.175.74.58:8080
101.109.242.118:8080
101.109.242.88:8080
119.237.136.30:8080
121.171.184.22:8080
122.213.27.148:8080
125.191.5.20:8080
179.60.150.120:8080
2.11.150.174:8081
31.17.3.210:8080
58.136.1.101:8080
58.136.239.28:8080
61.69.195.109:8080
67.171.80.255:8080
70.124.238.72:8080
77.183.5.151:8080
77.191.244.198:8080
78.55.212.34:8080
79.19.192.68:8080
79.21.111.16:8080
79.26.16.93:8080
79.27.61.23:8080
79.46.2.104:8080
82.124.243.57:8081
82.125.202.251:8080
82.53.94.232:8080
84.3.114.216:8080
86.101.164.105:8080
86.146.133.125:8080
86.146.133.44:8080
89.14.204.241:8080
94.11.86.46:8080
94.5.200.190:8080
c7.ic

# Reference: https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
# NOTE(review): the 56-character (v3) .onion names below appear, by name, to be the public onion services of well-known sites (facebook, duckduckgo, nytimes, protonmail, bbcnews, reddit, ciadotgov); a hit on one of them may reflect a Tor connectivity check or ordinary Tor use rather than C2 - confirm against the reference before alerting on it as a compromise

4inahjbeyrmqzhvqbsgtcmoibz47joueo3f44rgidig6xdzmljue7uyd.onion
archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion
bbcnewsd73hkzno2ini43t4gblxvycyac5aw4gnv7t2rccijh7745uqd.onion
blkchairbknpn73cfjhevhla7rkp4ed5gg2knctvv7it4lioy22defid.onion
brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion
ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion
darkfailenbsdla5mal2mxn2uz66od5vtzd5qozslagrfzachha3f3id.onion
duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion
facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion
fpfjxcrmw437h6z2xl3w4czl55kvkmxpapg37bbopsafdu7q454byxid.onion
guardian2zotagl6tmjucg3lrhxdk4dw3lhbqnkvvkywawy3oqfoprid.onion
hctxrvjzfpvmzh2jllqhgvvkoepxb4kfzdjm6h7egcwlumggtktiftid.onion
juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion
ncidetfs7banpz2d7vpndev5somwoki5vwdpfty2k7javniujekit6ad.onion
nytimesn7cgmftshazwhfgzm37qxb44r64ytbb2dj3x62d2lljsciiyd.onion
onionamev33r7w4zckyttobq3vrt725iuyr6xessihxifhxrhupixqad.onion
p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion
protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion
reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqnwfj4ooad.onion
torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion
vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion
wasabiukrxmkdgve5kynjztuovbg43uxcbcxn6y2okcrsg7gb6jdmbad.onion
zerobinftagjpeeebbvyzjcqyjpmjvynj5qlexwyxe7l3vqejxnqv5qd.onion
zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion

# Reference: https://twitter.com/suyog41/status/1772156091897348258
# Reference: https://www.virustotal.com/gui/file/4e70dbccf82cee8adc9d4662d2fe027ca5995a6c9b253147ac91172266387a69/detection

46.142.175.40:8080
/AVBe3HzAI/eZLyiwCY/W4VhP/dV399hGIrV/
/AVBe3HzAI/eZLyiwCY/W4VhP/
/AVBe3HzAI/eZLyiwCY/
/eZLyiwCY/W4VhP/dV399hGIrV/
/eZLyiwCY/W4VhP/
/W4VhP/dV399hGIrV/

# Reference: https://twitter.com/suyog41/status/1772157302512275503
# Reference: https://www.virustotal.com/gui/file/ad910ee2804a608edde23d0a8c7420a9bf7912f519089a8724ce93097b3ef11d/detection

93.195.137.99:8080
/yhyz01YOOpOS0rk/q2v2m/sabWa/
/yhyz01YOOpOS0rk/q2v2m/
/yhyz01YOOpOS0rk/
/q2v2m/sabWa/

# Reference: https://www.virustotal.com/gui/file/537dce2b6bc454c42574575271fdc3d61ea6d031b32d8613986d485262a349bd/detection

210.3.92.122:8080
/SDJeyGvOEf7/

# Reference: https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/
# Reference: https://github.com/hpthreatresearch/iocs/blob/main/raspberryrobin/domains.txt

1v.nz
7t.nz
9y.si
294anacamptometer.sbs
294unmendaciously.sbs
acid-fastlindbom.sbs
anguilliform.sbs
annuelertimes.sbs
arctiidkwatumaindwelt.sbs
audiovisuals.sbs
axiologies.sbs
azoospermia.sbs
biltongpumpsiecrumrod.sbs
bootedpindusvalenba.sbs
brittlebush.sbs
buxbaumiaceae.sbs
chroococcoid.sbs
contretemps.sbs
counterboring.sbs
craighleserapic.sbs
cunyguddlefrodina.sbs
curricular.sbs
dechlorinatingdermatropic.sbs
dominieunflaming.sbs
dundeelieflydeflect.sbs
freamingrafttwoway.sbs
glubeulaufuggy.sbs
halsalkalindivvies.sbs
hemimetabolism.sbs
hockersmixtecsquier.sbs
indulgement.sbs
ingressfloor-walker.sbs
jossesdialykreamer.sbs
juniorstwosometogt.sbs
kepfoipnjw.sbs
mammaterijekasumy.sbs
metriconetimeagley.sbs
misalienate.sbs
nametagsweatseyelike.sbs
noematachograph.sbs
oilproofing.sbs
okruzihealdsburg.sbs
ophthalmomyositis.sbs
perrputtnomi.sbs
polyideism.sbs
proconsulships.sbs
quarrelers.sbs
refractorily.sbs
rockerstalbertcerate.sbs
semantical.sbs
smartville.sbs
spendthriftiness.sbs
sphere-born.sbs
squeezably.sbs
subextensibleness.sbs
syllabication.sbs
unconstrainedness.sbs
undefinitely.sbs
uninsolvent.sbs
unthematically.sbs
urvkwwqhjb.sbs
viandelarkishness.sbs

# Reference: https://x.com/suyog41/status/1810645879033856081
# Reference: https://www.virustotal.com/gui/file/6e0fe38664019cf3f1fbbb58689e8f12cb8bc512d29fb1cc4fec7c18a22ba3cd/detection

93.205.171.151:8080
/BiBSx9boKo4/b1Lc0s/HRF8aioRAjCDviO/
/BiBSx9boKo4/b1Lc0s/HRF8aioRAjCDviO/
/BiBSx9boKo4/b1Lc0s/HRF8aioRAjCDviO/
/BiBSx9boKo4/b1Lc0s/
/b1Lc0s/HRF8aioRAjCDviO/
/b1Lc0s/
/BiBSx9boKo4/
/HRF8aioRAjCDviO/
