# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/MichalKoczwara/status/1601324821614194688

165.22.30.136:3000
165.22.30.136:4000
165.227.198.201:3000
165.227.198.201:4000
20.172.22.144:3000
20.172.22.144:4000
23.99.193.156:3000
23.99.193.156:4000
46.101.184.179:3000
46.101.184.179:4000

# Reference: https://twitter.com/MichalKoczwara/status/1602582437648908289

78.141.195.16:1337

# Reference: https://twitter.com/MichalKoczwara/status/1634155939585482754

143.198.32.165:4000
167.71.190.181:4000

# Reference: https://www.virustotal.com/gui/ip-address/209.97.137.33/relations

evilginx-test.ddns.net
okta.evilginx-test.ddns.net
login.okta.evilginx-test.ddns.net

# Reference: https://twitter.com/banthisguy9349/status/1736660660405039482

13.56.179.221:4000
143.198.43.83:4000
178.62.209.220:4000
54.219.177.74:4000
67.207.82.103:4000
foofficel.com
microssofttonline.nl

# Reference: https://threatfox.abuse.ch/browse/tag/EvilGinx/

143.198.138.173:4000
159.65.47.249:4000
185.224.139.32:2053
195.74.86.44:8443
20.98.48.148:2002
45.56.92.137:443
5.42.64.70:2096
68.219.200.71:4000
aa.aeromexico.foundation
account.avenueconsulting.co
account.trabede.com
ads.customerportalverify.store
adsmanager-graph.eyardimgov.org
adsmanager.eyardimgov.org
api.qantas.aeromexico.foundation
apis.customerportalverify.store
autologon.huenumilla.cl
avenueconsulting.co
b.stats.paypal.secureapp.tools
bank.customerportalverify.store
bfp.usaa.website
bitcdemo-com.huenumilla.cl
blogger.customerportalverify.store
book.qantas.aeromexico.foundation
brannptonbrick.com
browser.huenumilla.cl
business.eyardimgov.org
c6.customerportalverify.store
cdn.aa.aeromexico.foundation
clix.usaa.website
collector.logins.services
content.customerportalverify.store
customerportalverify.store
documentsigningonline.com
drive.google.secureapp.tools
employees.carlsberg.site
fc.customerportalverify.store
foremostsgroup.com
fusion.os.gov.aisp.ps
fusion.ps.gov.aisp.ps
gettymefondeploy.online
github.logins.services
global.customerportalverify.store
graph.eyardimgov.org
isf.gov.lb.gov.aisp.ps
jebmefals.com
live.huenumilla.cl
lms.usaa.website
login-us.huenumilla.cl
login.avenueconsulting.co
login.factset.company
login.microsoft.fom-dev1.bloemer-net.de
login.recruiterteams.com
login.trabede.com
logs.customerportalverify.store
m.customerportalverify.store
mail.carlsberg.site
mail.mod.gov.eg.gov.aisp.ps
mail10.email.gov.aisp.ps
mcasproxy.huenumilla.cl
microsoft.huenumilla.cl
mobile2.usaa.website
myaccount.customerportalverify.store
myaccount.google.secureapp.tools
notifications.google.secureapp.tools
objects.usaa.website
office365.huenumilla.cl
ogs.customerportalverify.store
okta.outlook.nerdwriter.com
omns.customerportalverify.store
outlook-1.huenumilla.cl
outlook-us.huenumilla.cl
outlook.avenueconsulting.co
outlook.trabede.com
passwords.dordaa.at
paxful.usaa.website
play.customerportalverify.store
portal.carlsberg.site
potomac-clickstream.usaa.website
qantas.aeromexico.foundation
recruiterteams.com
secure.duevolostore.com
secure07c.usaa.website
sensors.usaa.website
sessions.usaa.website
smetrics.aa.aeromexico.foundation
smetrics.customerportalverify.store
smtc.qantas.aeromexico.foundation
ssl.google.secureapp.tools
sso.drivevvyze.com
sso.outlook.nerdwriter.com
static.customerportalverify.store
static.facebook.secureapp.tools
static.qantas.aeromexico.foundation
stats.customerportalverify.store
sts.securedocumentservices.ca
t.customerportalverify.store
us.azureauth-duo.factset.company
w1.avenueconsulting.co
webdisk.avenueconsulting.co

# Reference: https://threatfox.abuse.ch/browse/tag/EvilGinx/ (# 2024-01-23)

http://192.119.110.233
143.198.64.151:4000
15.207.223.179:443
188.166.209.186:4000
192.119.110.233:5000
account.deenpel.com
cpanel.dnl-l.ooguy.com
cpcalendars.dnl-l.ooguy.com
cpcontacts.dnl-l.ooguy.com
dnl-l.ooguy.com
expedia-realtime.expeida.net
expedia-rest.expeida.net
expeida.net
hwsrv-1125909.hostwindsdns.com
login.deenpel.com
mediaim.expeida.net
oms.expeida.net
onboarding.expeida.net
outlook.deenpel.com
pay.expeida.net
redirect-r1.pay.expeida.net
static.pay.expeida.net
vap.expeida.net
webmail.dnl-l.ooguy.com

# Reference: https://twitter.com/MichalKoczwara/status/1752446013359403109

miicrossofftonline.nl

# Reference: https://x.com/AvastThreatLabs/status/1806720963205107787

xpfdoc0365090.com
apps.xpfdoc0365090.com

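# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-09-22)
# Note: the feed path marks these entries as unverified; corroborate IP:port hits against the collection date above before acting on them, since hosting addresses can be reassigned.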

103.47.226.152:3333
134.209.32.59:3333
137.184.38.108:3333
137.184.53.6:3333
138.197.133.22:4000
147.182.133.204:3333
161.35.232.141:4000
167.71.81.157:3333
170.64.224.234:4000
212.111.43.6:3333

# Reference: https://threatfox.abuse.ch/browse/tag/EvilGinx/ (# 2024-09-22)

account.driddex.shop
amazon.testfish.dosoos.com
apis.accountonline.live
events.api.georgicaautoholding.com
jobsprogress.pro
login.monmt.com
mailsession.com
monmt.com
mrdiy.diy
mrdyi.store
newscom.today
o365.zicar.info
outlook.adminstream.org
outlook.mailsession.com
perfectogruop.net
session.mailsession.com

# Reference: https://threatfox.abuse.ch/browse/tag/EvilGinx/ (# 2024-10-13)

134.209.32.140:3333
134.209.40.17:3333
137.184.83.183:4000
161.35.11.78:4000
161.35.4.145:4000
165.22.185.225:3333
167.99.145.60:3333
46.105.63.11:3333
62.84.102.226:3333
85.119.82.36:3333

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-01-02)

142.93.165.129:3333
143.110.149.242:4000
146.19.254.74:3333
154.213.187.9:4444
159.223.245.31:3333
161.35.67.226:3333
163.5.160.51:443
18.117.79.177:4444
192.34.59.54:3333
194.62.167.248:3333
209.127.255.68:3333
23.94.148.18:443
34.71.33.30:3333
45.56.69.210:3333
93.95.228.242:3333

# Reference: https://x.com/MichalKoczwara/status/1926722005199470620

mlcrosofft.com
ads.mlcrosofft.com
sso.mlcrosofft.com
ssoo.mlcrosofft.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-06-14)

101.32.60.83:4000
104.248.117.30:3333
104.248.167.114:3333
107.161.24.157:3000
119.28.223.139:4000
123.57.143.3:3333
13.60.69.8:3333
137.184.89.150:3333
138.197.25.162:3333
139.59.170.92:3333
143.110.253.93:9000
143.198.105.117:3333
144.172.104.45:3333
146.70.158.214:4000
148.163.80.27:3333
154.58.204.91:9000
156.238.230.148:3333
156.238.230.224:3333
158.160.18.227:3333
159.100.6.112:9000
159.100.9.105:3333
159.65.128.86:3333
159.65.130.32:3333
160.119.251.40:8443
161.35.194.66:3333
164.92.72.96:4000
167.88.164.138:3333
167.99.42.160:4000
172.245.152.21:4000
174.136.229.54:3333
176.111.216.82:3333
176.123.1.151:9000
176.123.2.185:9000
176.126.103.125:4000
176.126.103.251:4000
176.126.103.64:4000
178.62.29.13:3333
18.177.125.151:9000
18.217.106.242:4444
185.101.23.248:3333
185.101.23.252:3333
185.146.232.235:4000
185.193.125.249:4000
185.238.2.142:9000
188.166.199.174:3333
193.56.23.80:3333
194.180.158.14:80
194.195.251.227:4000
194.233.76.207:443
194.62.166.165:3333
194.62.167.215:3333
196.251.114.4:4000
20.83.181.241:443
209.38.202.104:4000
209.38.96.47:4000
209.74.88.128:4000
212.224.86.224:9000
216.176.190.164:3333
217.114.43.122:4000
217.114.43.234:4000
217.114.43.53:4000
23.137.104.78:4000
23.137.105.217:4000
23.227.199.88:443
3.141.231.53:3333
3.145.74.158:3333
31.172.87.193:4000
35.87.129.75:443
37.221.111.94:3333
38.146.27.131:4000
38.146.28.166:4000
43.160.207.83:3333
45.61.160.127:3333
45.86.86.49:9000
52.62.100.83:3333
52.78.43.89:9000
57.182.91.111:4000
62.60.187.68:3333
63.133.220.145:3333
64.23.243.220:3333
77.92.145.20:9000
79.133.51.132:8443
81.0.247.170:143
81.0.247.170:25
81.0.247.170:443
81.0.247.170:993
81.0.247.170:995
84.200.17.247:4000
84.200.24.88:443
84.32.131.104:3333
84.32.131.163:3333
85.239.33.253:9000
87.251.78.217:4000
87.251.78.239:4000
87.251.78.30:4000
87.251.78.37:4000
88.216.68.32:3333
91.209.135.198:4000
91.209.135.199:4000
91.209.135.202:4000
91.209.135.229:4000
91.209.135.231:4000
91.209.135.233:4000
91.209.135.252:4000
91.209.135.71:4000
91.209.135.84:4000
91.209.135.88:4000
93.177.109.20:3333

# Reference: https://x.com/solostalking/status/1946069612090495059
# Reference: https://app.validin.com/detail?find=Login%20%C2%B7%20OXF%20Panel&type=raw&ref_id=72f38ae3a48#tab=host_pairs (# 2025-07-18)

176.65.134.138:4000
176.65.140.81:4000
194.195.122.86:4000
20.200.144.201:4000
206.123.145.218:4000
40.89.209.119:4000
45.74.16.75:4000
45.74.16.91:4000
45.83.28.66:4000
45.83.28.67:4000
51.89.242.47:4000

# Reference: https://x.com/BlinkzSec/status/1948015815501938851

164.92.199.192:4000
43.162.116.186:4000
43.162.122.245:4000
43.162.123.118:4000

# Reference: https://app.validin.com/detail?find=Evilginx%20Super-Evil%20Root%20CA&type=raw&ref_id=bbf2b37b491#tab=host_pairs (# 2025-07-23)

4.fbads.store
acc.fbads.store
acc.teams.m365.acenm.com
access.accessingdiba.posteid-a365.com
account.authlitemathhk.ru
account.miicrosofts.org
account.offfec.me
account.quarles.exploreainow.com
account.teams.m365.acenm.com
account.viber.posteid-a365.com
account.zalopay.site
accounts.appauthservice.online
accounts.identity-zillow.cam
accounts.upsite.up-edu-mx.shop
accountyahoo.posteid-a365.com
acctcdn.miicrosofts.org
acount.support
adfs.fbads.store
ads.login.posteid-a365.com
ads.miicrosofts.org
ads.posteid-a365.com
ads.yahoorecovery.posteid-a365.com
advath.appauthservice.online
advath.miicrosofts.org
aircraftspartsstore.com
allied-constructionllc.online
amazingshinenail.org
ap.appauthservice.online
api-aa1a6aea.offfec.me
api.login.appauthservice.online
api.loginpaxful.posteid-a365.com
api.phish.bejkfkje.store
api2.usaa.com.broadpli.com
apm.vpce.gdw55e.quarles.exploreainow.com
apm.vpce.gdw55e.teams.m365.acenm.com
appauthservice.online
apple.posteid-a365.com
appleid.apple.posteid-a365.com
auth.ebanking.posteid-a365.com
auth.miicrosofts.org
authh.miicrosofts.org
authlitemathhk.ru
authserv-misciosoft.net
b.stats.paypal.posteid-a365.com
baker221.co.uk
bli.su
bqztzw.postfinancelogin.posteid-a365.com
browser.miicrosofts.org
burnsmcd.co
c.paypal.posteid-a365.com
c6.paypal.posteid-a365.com
c6.postfinancelogin.posteid-a365.com
canvvapro.com
cdn.apple.posteid-a365.com
cdn.livee.publicvm.com
cdn.miicrosofts.org
chuongvn.space
cloudflare.posteid-a365.com
cloudviewer-dashboardclearinghouse.art
cloumi.website
comet.appauthservice.online
consent.appauthservice.online
consent.cmp.appauthservice.online
csp.fbads.store
csp.login.posteid-a365.com
csp.miicrosofts.org
csp.teams.m365.acenm.com
dealerhub.ebanking.posteid-a365.com
deskschoolpro.com
dhl.posteid-a365.com
dotfoods.miicrosofts.org
dreamhome.lat
ebanking.posteid-a365.com
edge-chat-fb.cloumi.website
exchangeodds.live
exploreainow.com
familysparents.site
fbads.store
fbsvm.cam
fbwatch.live
fc.login.posteid-a365.com
fc.posteid-a365.com
feedbackws.apple.posteid-a365.com
feedbackws.icloud.posteid-a365.com
fpt2.miicrosofts.org
frenchfluencys.club
ftp.miicrosofts.org
g.sst.quarles.exploreainow.com
g.sst.teams.m365.acenm.com
geo.appauthservice.online
google.posteid-a365.com
graph.cloumi.website
guce.login.posteid-a365.com
guce.yahoorecovery.posteid-a365.com
gui.miicrosofts.org
gui.teams.m365.acenm.com
hagtr.com
help.miicrosofts.org
hnd.stats.paypal.posteid-a365.com
hypstarcdn.service-tiktok.cam
id.appauthservice.online
id.miicrosofts.org
idd.miicrosofts.org
identity-zillow.cam
img1.miicrosofts.org
img6.miicrosofts.org
iwannatest.site
jigpgt4.yatebyaviyebu.shop
js.loginpaxful.posteid-a365.com
js.miicrosofts.org
kakao.service-tiktok.cam
kliknlbmontenegro.posteid-a365.com
link1url.help
live.teams.m365.acenm.com
livee.publicvm.com
livelogin.posteid-a365.com
login-yahoo.posteid-a365.com
login.baker221.co.uk
login.d.benzeta.com
login.livee.publicvm.com
login.livelogin.posteid-a365.com
login.login.posteid-a365.com
login.microsoftonline.login.posteid-a365.com
login.miicrosofts.org
login.notrust.es
login.office.safelogins.su
login.outlook.secprojectapptest.xyz
login.portal-github.com
login.posteid-a365.com
login.quarles.exploreainow.com
login.secprojectapptest.xyz
login.teams.m365.acenm.com
login.thecrabsterchief.work
login.usersettings.gianteaglepharmacy.it.com
login.zalopay.site
login1-sow.com
login1.miicrosofts.org
login4.fbads.store
logincdn.miicrosofts.org
loginpaxful.posteid-a365.com
m.identity-zillow.cam
m.instasec.nl
m.paypal.posteid-a365.com
m.service-tiktok.cam
m365.office.safelogins.su
magnificent-goods-catch-and-sons.com
mail-googlservice.site
mail.cadescorretora.com.br
mail.login.posteid-a365.com
mail.posteid-a365.com
mail.yahoorecovery.posteid-a365.com
microsoft-onedrive.trunetkings.xyz
microsoft-onedrive.trunetkings.xyz.trunetkings.xyz
microsoft.suvorovaart.ru
microsoft.upgrade1.zip
microsoftonline.login.posteid-a365.com
miicrosofts.org
mmcapi.miicrosofts.org
mon-va.instasec.nl
mon-va.service-tiktok.cam
mrdiy.diy
msalaunch.miicrosofts.org
msf-mfa.cam
msfed.appauthservice.online
msfed.miicrosofts.org
myaccount.appauthservice.online
myaccount.google.posteid-a365.com
nipponindiaim.co.in
ns1.chuongvn.space
ns2.chuongvn.space
ns2.magnificent-goods-catch-and-sons.com
ns2.skinsgonewild.com
o.appauthservice.online
o.miicrosofts.org
o365.zicar.info
offauth0.com
offfec.me
office.miicrosofts.org
office.safelogins.su
ogs.mail-googlservice.site
oidc.mail.appauthservice.online
ok.teams.m365.acenm.com
okta.teams.m365.acenm.com
onlyfame.icu
outlook.appauthservice.online
outlook.livee.publicvm.com
outlook.livelogin.posteid-a365.com
outlook.login.secprojectapptest.xyz
outlook.microsoft.upgrade1.zip
outlook.miicrosofts.org
outlook.notrust.es
outlook.offfec.me
outlook.secprojectapptest.xyz
paypal.posteid-a365.com
pbnj.site
play.focusv.ru
play.google.posteid-a365.com
play.up-edu-mx.shop
polyfill.service-tiktok.cam
portal.zalopay.site
posteid-a365.com
postfinancelogin.posteid-a365.com
privacynotice.hengxaingltd.com
query.appauthservice.online
react.appauthservice.online
react.miicrosofts.org
rengine.zalopay.site
res.miicrosofts.org
sbbe.loginpaxful.posteid-a365.com
sci.miicrosofts.org
sci.offfec.me
search.appauthservice.online
secprojectapptest.xyz
secure.appauthservice.online
secure.miicrosofts.org
secureee.miicrosofts.org
securitytestpasskey.ru
sensors.login1-sow.com
service-tiktok.cam
setup.apple.posteid-a365.com
shhwwerfa.com
signin.miicrosofts.org
smusxath.miicrosofts.org
sofianeyaya.fr
southwesternconstructiongroup.site
sp.authpoint.usa.miicrosofts.org
sp.authpoint.usa.offauth0.com
sp.authpoint.usa1.miicrosofts.org
ssl.accountgoogle.posteid-a365.com
ssl.link1url.help
ssl.securitytestpasskey.ru
ssl.up-edu-mx.shop
sso.appauthservice.online
sso.miicrosofts.org
sso.offfec.me
sso.office.safelogins.su
sso.teams.m365.acenm.com
sso.zalopay.site
sso3.miicrosofts.org
sso4.miicrosofts.org
ssoo.miicrosofts.org
stake.moi
static-cdn.cloumi.website
static.fbsvm.cam
static.fbwatch.live
static.login1-sow.com
static.service-tiktok.cam
stats.paypal.posteid-a365.com
stats.postfinancelogin.posteid-a365.com
sub.item516115614531821.fbads.store
sub.item516885621531826.fbads.store
sub.item518475621531819.fbads.store
sub.item519985621531817.fbads.store
t.paypal.posteid-a365.com
team-endurancecom.sofianeyaya.fr
the-inconsulting.net
thecrabsterchief.work
thexfil.site
trunetkings.xyz
turiagaa.ru
udc.yahoorecovery.posteid-a365.com
ui.miicrosofts.org
ulgroup.miicrosofts.org
up-edu-mx.shop
upgrade1.zip
upsite.up-edu-mx.shop
usa.appauthservice.online
usa.miicrosofts.org
usaa.miicrosofts.org
usersettings.gianteaglepharmacy.it.com
video.appauthservice.online
vn3hg.miicrosofts.org
vn3hg.offfec.me
wcpstatic.miicrosofts.org
wmw-o365.cam
wmw-tik-tok.cam
yahoo.posteid-a365.com
yahoorecovery.posteid-a365.com
ycom.appauthservice.online
ywnjb.appauthservice.online
ywnjb.offfec.me
zalopay.site
zdassets.loginpaxful.posteid-a365.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-07-26)

http://13.61.105.64
http://194.180.158.14
103.124.105.76:4000
104.193.69.173:443
13.210.249.235:3333
144.172.117.108:443
159.223.109.10:3333
18.221.91.216:3333
196.251.72.3:4000
3.106.188.239:3333
35.228.18.60:3333
45.9.149.15:4000
8.218.222.240:443
82.29.72.11:4000
95.217.15.168:3333

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-10-05)

http://35.171.186.126
104.218.50.250:4000
104.234.36.60:4000
104.234.37.139:4000
104.234.37.156:4000
111.90.151.129:2850
111.90.151.72:2850
124.198.132.121:4000
146.103.119.187:4000
146.190.135.251:3333
146.190.68.5:3333
162.213.249.133:4000
164.92.178.59:3333
168.231.124.24:3333
172.237.131.251:3333
185.161.209.117:443
185.230.161.155:2850
194.180.158.22:8443
195.77.8.140:4444
20.199.83.166:6666
208.113.131.209:3333
208.73.203.229:443
38.146.28.85:4000
4.216.156.191:3333
40.160.2.204:3333
43.162.108.133:4000
43.162.114.107:4000
43.162.114.240:4000
46.101.93.233:3333
62.60.226.57:4000
65.108.80.194:3333
66.45.248.205:4000
77.223.214.71:8443
83.229.112.185:3333
91.241.93.244:4000

# Generic (URL-path indicator, not tied to a specific host: file name of the Evilginx Linux release archive)

/evilginx-linux-amd64.tar.gz
