# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: anatsa, teabot, toddler

# Reference: https://www.cleafy.com/documents/teabot
# Reference: https://twitter.com/malwrhunterteam/status/1376502472462770176
# Reference: https://twitter.com/malwrhunterteam/status/1353816938892423169
# Reference: https://twitter.com/bl4ckh0l3z/status/1354323713907372033
# Reference: https://www.virustotal.com/gui/ip-address/45.128.150.34/relations
# Reference: https://www.virustotal.com/gui/file/6cc2421b86392072fece2d63e9731eb902001f2d812e56d26553e8ad0dac4b8e/detection
# Reference: https://www.virustotal.com/gui/file/89e5746d0903777ef68582733c777b9ee53c42dc4d64187398e1131cccfc0599/detection

http://178.32.130.170
http://185.215.113.31
bookreader.fun
kopozkapalo.xyz
oinregoinroseg.xyz
pokymase.xyz
shavac.xyz
sepoloskotop.xyz

# Reference: https://twitter.com/illegalFawn/status/1387719591619665921
# Reference: https://twitter.com/_icebre4ker_/status/1387721989524185092
# Reference: https://www.virustotal.com/gui/file/5c7d2f8deb230594e8b61f4cb896eb49eb076dd22119861adef43c0fdb37bd39/detection

185.215.113.31:82

# Reference: https://twitter.com/alberto__segura/status/1408806004968542212
# Reference: https://www.virustotal.com/gui/file/fb00adb4c51834b5d37f5881b4baa6153b07cf44b6fe523fbedf7c2943d4f661/detection

178.32.130.175:84
185.215.113.31:84

# Reference: https://twitter.com/BushidoToken/status/1392189145250996226

akilomansoanap.xyz
batroslunk.top
buleworis.top
caramelcorp.cc
firsttechfed.top
fraud-world.top
gaweawgeaweg232.top
ghslitvomuurepj.top
gotxest.top
jamelal.xyz
terulinaor.top

# Reference: https://www.virustotal.com/gui/ip-address/104.154.230.245/relations

aloloksaop20a.top
kotlovina20a2a.top
pomidoaproko222a.top

# Reference: https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/
# Reference: https://www.virustotal.com/gui/file/d6f9197d9b452cb0c13f9dca40d47e8ea11d382cfbadb1f353d43b54dad5af58/detection
# Reference: https://www.virustotal.com/gui/file/1d8ffa729c0decd436624669e8ff65076ab567cd2b5b52f703b7d5528db8c67e/detection

http://185.215.113.39
biomakein202best.top
foreannul.top
forunkulosko2122.top
losh190sup29asp.top
peskoleonido9201.top

# Reference: https://www.virustotal.com/gui/file/5e549d4c10cc23f499e13f14ba678aa3e4af9986b9748d74a8c785fee48a9efe/detection
# Reference: https://www.virustotal.com/gui/file/d558bf125f8446078d2fda390e7e22b1e4dcdf449585db7b01462bc35930baa9/detection

http://37.1.218.149
awehsjslpjanoad.top
kolaosmaoiamal.top
ohk4ose4on4npserho.top
zoposoekaoejn.top

# Reference: https://threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html
# Reference: https://www.virustotal.com/gui/file/2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb/detection

http://178.63.27.179
http://195.201.70.88
http://195.201.70.89
http://91.242.229.85

# Reference: https://twitter.com/LukasStefanko/status/1498958659174514691
# Reference: https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe

185.215.113.31:83
195.201.70.80:8000

# Reference: https://twitter.com/cleafylabs/status/1759549014540705825
# Reference: https://twitter.com/cleafylabs/status/1759549001672618436
# Reference: https://www.virustotal.com/gui/ip-address/178.250.189.164/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.215.85.220/relations
# Reference: https://www.virustotal.com/gui/file/418c72cc6908f1689a0aabf028ad72f4836116f4431c2c23bcd008d2d634fe3a/detection

befukiv.com
mazuxan.com
/muchaspuchas

# Reference: https://twitter.com/0x6rss/status/1759581146038603973
# Reference: https://www.virustotal.com/gui/file/fc0f6196cf75ed858d908c73dafde912b53acca49c11a75870201e74196809d9/detection

http://185.215.113.31
http://91.215.85.55
185.215.113.31:85
91.215.85.55:85
mexenoma.com
mirugan.com
zompras.com

# Reference: https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google

becorist.com
menusand.com

# Reference: https://x.com/banthisguy9349/status/1868676261436178488

185.215.113.31:85
185.76.79.112:85
91.215.85.55:85

# Reference: https://www.zscaler.com/blogs/security-research/android-document-readers-and-deception-tracking-latest-updates-anatsa

http://37.235.54.59
185.215.113.108:85
162.252.173.37:85
193.24.123.18:85
91.215.85.55:85
docsresearchgroup.com
saurkanot.com

# Generic

/api/botupdate
/api/getbotinjects
/api/getkeyloggers
