# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/malware_traffic/status/1574848307519754242
# Reference: https://github.com/brad-duncan/IOCs/blob/main/2022-09-27-TA569-Soc-Gholish-IOCs.txt

dotimewat.com

# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-October/030770.html

pastukhova.com
profi-stom.com

# Reference: https://isc.sans.edu/diary/rss/29170
# Reference: https://otx.alienvault.com/pulse/6352a4f01abba547918c8a4d

skambio-porte.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond
# Reference: https://otx.alienvault.com/pulse/63fcc40dc61f21260d830fdb

ergpractice.com
luxurycompare.com
neashell1.com
neashell2.com
she32rn2.com
shetrn1.com
shetrn2.com
soendorg.top

# Reference: https://twitter.com/1ZRR4H/status/1637713807345582089
# Reference: https://twitter.com/1ZRR4H/status/1637713810017402880

jqueryj.com
jqueryns.com
jqscr.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-03-27-v10278/415

jsqur.com
jqueryh.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-03-30-v10281/420

xjquery.com

# Reference: https://www.virustotal.com/gui/ip-address/185.251.88.99/relations

devqeury.org
abc.jqueryh.org

# Reference: https://twitter.com/1ZRR4H/status/1646021980854910978

devcodejs.org

# Reference: https://twitter.com/threatcat_ch/status/1646799785423261697
# Reference: https://www.virustotal.com/gui/ip-address/47.90.178.252/relations

aeryqget.org
assistpayout.org
backendjs.org
debquery.org
deeptrickday.org
etaqeryg.org
getquery.org
greenpapers.org
jsviewdev.org
lemonicecold.org
metallife.org
neworderspath.org
quaryget.org
rygesqua.org
squaryge.org
tqeuryge.org
uaqryges.org
waterlinesheet.org
ygequary.org
120.75.backendjs.org
40.120.75.backendjs.org
75.backendjs.org
awmdm.greenpapers.org
client.greenpapers.org
emv1.getquery.org
h.greenpapers.org
ir.devqeury.org
l9j2sm5mxz.jqscr.com
mta-sts.bluegaslamp.org
portal.backendjs.org
topics.jqueryh.org
xkccowcfuqj.jsqur.com

# Reference: https://twitter.com/MBThreatIntel/status/1580283780350504960
# Reference: https://www.virustotal.com/gui/ip-address/62.233.50.75/relations

jquery0.com
jquery01.com

# Reference: https://twitter.com/threatcat_ch/status/1660535867365105666
# Reference: https://www.virustotal.com/gui/ip-address/91.203.193.124/relations

cancelledfirestarter.org
dailytickyclock.org
visionofvivaldi.org
emv1.deeptrickday.org
emv1.jqueryj.com
ep-mimecast.dailytickyclock.org
mcid-6bb27bab-3815-40c3-996b-90b2c3bca7a7.ep-mimecast.dailytickyclock.org

# Reference: https://twitter.com/threatcat_ch/status/1668596702696054785
# Reference: https://www.virustotal.com/gui/ip-address/47.91.94.97/relations

libertader.org
linedgreen.org

# Reference: https://www.virustotal.com/gui/ip-address/91.103.253.14/relations

chestedband.org
drilledgas.org
sevenpunches.org
surelytheme.org
windowlight.org
tracker.drilledgas.org
transfer.drilledgas.org

# Reference: https://bazaar.abuse.ch/sample/f5f167423d31cdd7e742d6ae85d6170f26203ec7496d4e098f9e16f40e864c0a/
# Reference: https://www.virustotal.com/gui/ip-address/178.159.37.73/relations

google-analytiks.com
updateadobeflash.website
deepolis.google-analytiks.com
forexcash.google-analytiks.com
forexfr.google-analytiks.com
forexmax.google-analytiks.com
forexru.google-analytiks.com
forexua.google-analytiks.com
mail.google-analytiks.com
maxi.google-analytiks.com
med17.google-analytiks.com
mmc.google-analytiks.com
poluchit.google-analytiks.com

# Reference: https://threatfox.abuse.ch/ioc/1149035/

gstatick.com

# Reference: https://threatfox.abuse.ch/browse/tag/KeitaroTDS/ (# 2023-08-09)

biggreenlimes.org
bluegaslamp.org
deeplakes.org
greedyfines.org
limonpart.org
linedloop.org
slurpslimes.org
zdmserver.greedyfines.org

# Reference: https://twitter.com/0x6rss/status/1698615609234206994
# Reference: https://www.virustotal.com/gui/ip-address/178.159.37.25/relations

http://178.159.37.25
gctatick.com
googlestates.com

# Reference: https://www.virustotal.com/gui/ip-address/178.159.37.73/relations

analytics-google-x91.com
visionproject.website

# Reference: https://www.virustotal.com/gui/ip-address/194.169.175.229/relations

darkmansion.org
draggedline.org
machinetext.org
myowndpp.com
newcres.com
onsepp.com
redsnowynose.org
throatpills.org
biggreenlimes.surelytheme.org
emv1.draggedline.org
mail.jsviewdev.org
mta-sts.myowndpp.com
mta-sts.onsepp.com
sub.throatpills.org
t.throatpills.org
website.newcres.com
www2.throatpills.org

# Reference: https://www.virustotal.com/gui/ip-address/95.214.26.35/relations

climedballon.org
greedyclowns.org
whitedrill.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-10-30-v10452/1080

bigbricks.org
frightysever.org

# Reference: https://threatfox.abuse.ch/ioc/1197494/
# Reference: https://www.virustotal.com/gui/ip-address/162.55.189.218/relations

telemetry.africa

# Reference: https://www.virustotal.com/gui/ip-address/95.214.26.19/relations
# Reference: https://app.validin.com/axon?find=95.214.26.19&type=ip

confirmapply.org
daddygarages.org
froggysnow.org
limeerror.org
risenpeaches.org
socksboxes.org
treegreeny.org
vibedroom.org

# Reference: https://www.virustotal.com/gui/ip-address/193.37.197.24/relations

avto.throatpills.org
moda.throatpills.org
plant.linedgreen.org
ru.throatpills.org
seo.linedgreen.org
store.throatpills.org

# Reference: https://www.virustotal.com/gui/ip-address/107.191.98.93/relations

emperorplan.org

# Reference: https://www.virustotal.com/gui/ip-address/193.37.197.24/relations
# Reference: https://www.virustotal.com/gui/ip-address/80.66.64.220/relations

coajuneteenth.org
cosfjuneteenth.com
juneteenthcosf.com
juneteenthsf.org
modernneuropathy.org
onejuneteenth.org

# Reference: https://www.virustotal.com/gui/ip-address/193.106.174.174/relations
# Reference: https://app.validin.com/axon?source=DNS&type=ip&find=193.106.174.174

biggerfun.org
catsndogz.org
circuspride.org
frenchpies.org
nowordshere.org

# Reference: https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
# Reference: https://www.virustotal.com/gui/ip-address/74.208.41.177/relations

kairoscounselingmi.com
nathumvida.org

# Reference: https://www.virustotal.com/gui/ip-address/82.97.241.207/relations

cloudwebhub.pro

# Reference: https://www.virustotal.com/gui/ip-address/45.11.27.62/relations

codecruncher.pro
searchgear.pro
elk3xlxj.circuspride.org
it.whitedrill.org
ku1720.whitedrill.org
server.whitedrill.org

# Reference: https://www.virustotal.com/gui/ip-address/8.208.89.9/relations

shiningmoons.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2024-01-25-v10514/1322

mwasro.com

# Reference: https://www.virustotal.com/gui/ip-address/193.106.175.40/relations

debasesingle.life
eeatgoodx.com
gspiceyl.com
snackfunp.com
16.jsqur.com
1fxdddhkyn.biggerfun.org
212.jsqur.com
4m.jsqur.com
91.jsqur.com
9mvrlhjf.biggerfun.org
account.admin.backendjs.org
apps.jqueryj.com
arehn.jsqur.com
asims-rdck1.jsqur.com
b10.jsqur.com
babbar.jsqur.com
basenetgear.world
beal.jsqur.com
best-funny-quotes.jsqur.com
billtieleman.jsqur.com
carpinteros-aluminio.jsqur.com
cassandre.jsqur.com
castlerea.jsqur.com
cdn.jsqur.com
cfg.circuspride.org
cgxdave.jsqur.com
cmu-cc-vma.jsqur.com
cn.circuspride.org
comtenc.jsqur.com
cpfm.jsqur.com
cprat.jsqur.com
currier.jsqur.com
dannyfilm.jsqur.com
dashtiha.jsqur.com
daws-43-5.jsqur.com
daws-512.jsqur.com
daws91-3.jsqur.com
derby.jsqur.com
descarte.jsqur.com
dkline.jsqur.com
dooly.jsqur.com
download.windowlight.org
dvan.jsqur.com
eggert.jsqur.com
emv1.vibedroom.org
facman.jsqur.com
florida.jsqur.com
forms.admin.backendjs.org
frente-a-camaras.jsqur.com
fserver.jsqur.com
gazeta.jsqur.com
gdsz.jsqur.com
gmailblog.jsqur.com
gorki.jsqur.com
hoytek-gw4.jsqur.com
indiajobscircle.jsqur.com
interlock.jsqur.com
ip90.jsqur.com
ivbdimir.surelytheme.org
ivladimir.surelytheme.org
ivtorlypqfyi.greedyclowns.org
ivtortypqfyi.greedyclowns.org
jeanm.jsqur.com
jkelley.jsqur.com
kb.windowlight.org
khtrnb0wv8.biggerfun.org
liorida.surelytheme.org
longtail.jsqur.com
m88z2iier.biggerfun.org
macgo.jsqur.com
marcusdesigninc.jsqur.com
mdm.backendjs.org
melpar-emh1.jsqur.com
mntc.jsqur.com
mrbotn.jsqur.com
mtf-misawa.jsqur.com
mytabletpcuk.jsqur.com
njnr8mkm.biggerfun.org
norman.jsqur.com
nuvoleparlanti.jsqur.com
office.backendjs.org
oily.jsqur.com
olympics.jsqur.com
pay.circuspride.org
permisdeconduire.jsqur.com
physiology.jsqur.com
powerful.jsqur.com
rota-sts.climedballon.org
routetest.jsqur.com
secure-ite2-origin.jsqur.com
shems.jsqur.com
si.jsqur.com
sn007.jsqur.com
sorteios-e-promocoes.jsqur.com
ssl.circuspride.org
store.debasesingle.life
stream.jsqur.com
survey.backendjs.org
sws.jsqur.com
tamarack.jsqur.com
tnoodlezy.com
u.admin.backendjs.org
uhost.jsqur.com
unix3.jsqur.com
user179.jsqur.com
v.circuspride.org
vigen.jsqur.com
vitkutin.jsqur.com
wallah.jsqur.com
web18332.jsqur.com
web3449.jsqur.com
web3933.jsqur.com
web5422.jsqur.com
web6201.jsqur.com
whitney.jsqur.com
win24.jsqur.com
wp.admin.backendjs.org
x.circuspride.org
xxxl80.jsqur.com

# Reference: https://www.virustotal.com/gui/ip-address/45.15.159.95/relations

361renti.com
hafkus.com
osruv.com
pocbv.com
ronreznick.com

# Reference: https://www.virustotal.com/gui/ip-address/83.69.236.143/relations

asyncfunctionapi.com
creativecore.shop
fromatodor.com
funcallback.com
gitbrancher.com
pportnoy-secureportal.com
varinspector.com

# Reference: https://www.virustotal.com/gui/ip-address/170.130.55.124/relations

egisela.com

# Reference: https://www.virustotal.com/gui/ip-address/87.251.79.15/relations

apiasyncpromise.com
apieventemitter.com
apifetchmethod.com
apiframeworknode.com
apifunctioncall.com
apijsonparserkit.com
apistoragecache.com
asyncawaitapi.com
45.eeatgoodx.com
ep-mimecast.eeatgoodx.com
stage.asyncawaitapi.com
web.asyncawaitapi.com

# Reference: https://www.virustotal.com/gui/file/8db746785b95abb0aae35b95365334064a361a033b62e55703fafa10072fdc0d/detection

lyddemper.com

# Reference: https://www.virustotal.com/gui/ip-address/91.212.166.21/relations

admin-heteml.com
app-falconx.io
apps-falconx.io
client-mysau.com
falconx.tech
letmespellmoons.com
login-liquidweb.com
login-rackspace.com
marvin-occentus.net
my-kinsta.com
my-kinsta.net
my-nexcecs.net
my-nexecss.com
my-nexecss.net
mykinsta-cloud.com
mynexecss.com
nexen-bnynellom.com
orion-managewp.com
panel-descom-es.com
platform-copper.co
seacraftsgallery.com
secure1-imnotionhosting.com
web-etrade.pro
web-kinsta.com
web-order-london-lmaxdigital.com
wp-umbrelia.com
wpmanager-orion.com
wpumdev.net
wpundev.com
www-kinsta.com
www-mysau.com

# Reference: https://www.virustotal.com/gui/ip-address/141.8.193.79/relations

apidevst.com

# Reference: https://twitter.com/ValidinLLC/status/1788278762863243483

apidevwa.com

# Reference: https://twitter.com/GroupIB_TI/status/1790230873285242992

elamoto.com
kongtuke.com

# Reference: https://www.virustotal.com/gui/ip-address/213.226.112.82/relations

advancedapiintegrations.com
asyncprogramminghub.com
modularfunctiondev.com

# Reference: https://www.virustotal.com/gui/ip-address/158.160.167.238/relations

cssanimationtools.com
frontenddeveloperhub.com
modernwebframework.com
responsiveuikit.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2024-05-29-v10605/1672
# Reference: https://www.virustotal.com/gui/file/c8e4df16ee7e3c21644e6785934a54a8dc428fdda77af3a30d97a288de807069/detection

cdnjscloudnetwork.co

# Reference: https://x.com/threatcat_ch/status/1798333648099582316
# Reference: https://www.virustotal.com/gui/ip-address/84.38.182.217/relations

frontendcodingtips.com
interactiveuidevelopment.com
moderncssframeworks.com
progressivewebappsdev.com
webapidevelopment.com
airwatch.webapidevelopment.com
app.webapidevelopment.com
au.webapidevelopment.com
awds.webapidevelopment.com
awmdm.webapidevelopment.com
balmbagent.webapidevelopment.com
data.webapidevelopment.com
devops.apidevwa.com
dhcp.webapidevelopment.com
elastic.webapidevelopment.com
enterpriseenrollment.webapidevelopment.com
learn.webapidevelopment.com
mag.webapidevelopment.com
mam.webapidevelopment.com
mdm-ds.webapidevelopment.com
onjira.webapidevelopment.com
rack.webapidevelopment.com
rcvltemv1.modularfunctiondev.com
s2.webapidevelopment.com
stream.webapidevelopment.com
touch.webapidevelopment.com
transfer.webapidevelopment.com

# Reference: https://x.com/banthisguy9349/status/1799771706330087549
# Reference: https://x.com/ViriBack/status/1799777041900023877
# Reference: https://tracker.viriback.com/index.php?q=keitaro

http://109.248.206.101
http://109.248.206.118
http://109.248.206.138
http://109.248.206.49
http://109.248.206.83
http://159.69.234.10
http://185.172.128.68
http://31.41.244.55

# Reference: https://www.virustotal.com/gui/ip-address/5.188.88.218/relations

speedchaoptimise.com

# Reference: https://www.virustotal.com/gui/ip-address/185.68.93.221/relations

approvewidget.com
speedcashoptimise.com

# Reference: https://www.virustotal.com/gui/ip-address/45.143.94.2/detection

01wsecue3n2n.com
0n1au2hm0b1.com
0n1c1b2s3ccess.com
0n1n54b5m04.com
10g1n2w43554.com
2accon4l0ginclb.com
4clbl0gineas3y.com
5clbl0gineas3sy.com
8accon7l0gclb.com
8clbeas7yl0gicanada.com
a1h1ock8c0nd.com
a1t0h3h8c0nd.com
accesd1-authentification9.com
acct0reset08938.com
acct0reset896075.com
acct0reset95187.com
acct0support038291.com
atw2b1ogsecc1u.com
au2t1hm8bc0nd.com
b6193cj782n9163.com
bioc4remi2be.com
c1b3w2ba2h.com
c6182h728tw184.com
c7ech4ct6nh1in.com
desj1-auth9-securite.com
desjardins-online-auth.com
e2758gt321c6743.com
g9299c83j38.com
j9m6vri8n5c4w5.com
k0m7f4ds3m96v4.com
k8538yt1592a582.com
kcl8clv7ioginow.com
kwclbcinstantlogn.com
l0g1n0m54655.com
l0gaccwbauh.com
m0b1atw3s1ytm.com
m3271vt1358j734.com
m3bion1i3ath.com
m3h45ha1h.com
m8b4f8a3hw2s.com
m8g6s3hs63g6.com
m9l4d3s2j7b4m8.com
mb4m3c2m3c3lb.com
n6297v738yc2381.com
p810h628ydh72.com
personal1accmsg.com
prefs2us1ci.com
private-737473-access.com
q0r4ch1in8yz3ux.com
q735hv8919b912.com
r5m9c4l9m5d3y7.com
r618ut1749wk737.com
r637cs2753df533.com
r8ts62c89190.com
rbc-secureonline2024.com
reship-coliscan01.com
s1yt1cn5d3h3aut.com
s3t1m0n1i3a2h.com
setup1acct1139.com
survey-canada.com
syst1n0tifatws.com
syst2ldentityseccu.com
t295y729ck3442j2.com
t4172h718vc331.com
v2729b821ad1337.com
v417tp8318h502.com
v4f87b9m98.com
verifyacesspagebmo1.com
w0sm3b6h1t.com
w2ba1h3m8b.com
w562h2682gw828.com
w5b-lntr.com
w8b-sec-auuth.com
www1cibcinforequest202406.com
y7120bk472r4185.com

# Reference: https://www.virustotal.com/gui/ip-address/84.38.182.16/relations

canpost-avislivraison.com
canpostresh.com
cdnjulyrevagnt.com
cdnjulyrevnuagnt.com
delivery-update-postecanada-canadapost.com
etransfercaiponline.com
nr3-anth00.com
paydirectnowetrsfr.com
quebecfinances.com
quebecsolution.com
rbconline-app.info
revcanadaagency.ca
scotiabankresetlogin.com
scotiabankresetonline.com
intrc.quebecsolution.com

# Reference: https://www.virustotal.com/gui/ip-address/45.131.41.57/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.132.19.137/relations
# Reference: https://www.virustotal.com/gui/ip-address/80.249.145.207/relations

blacksaltys.com
brickedpack.com
losttwister.com
packedbrick.com
upsadministration.com

# Reference: https://app.validin.com/detail?type=ip&find=78.128.112.217#tab=resolutions

tayhodloeces.com
yotpo-static.com

# Reference: https://app.validin.com/detail?find=5.188.89.16&type=ip4&ref_id=5fa7f6bcf86#tab=resolutions

benefiit2024.site
canadapost-support-exception.com
canadapost-update-postecanada-support.com
cdnrevenue2024.com
etrsfpaydirectgiga.com
interac1.com
loginsupportscotiabank.com
trillium-mm-int.online
