# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/
# Reference: https://blog.sicehice.com/2023/03/androxgh0st-stealing-your-aws-key-pairs.html
# Reference: https://otx.alienvault.com/pulse/63d43565fa3638d6d936705e

http://109.237.97.180
http://185.83.146.154

# Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
# Reference: https://otx.alienvault.com/pulse/65a7d3eed9b9cc8a7ed724cd

rockylinux.si
mc.rockylinux.si

# Reference: https://x.com/banthisguy9349/status/1855870231861715197
# Reference: https://search.censys.io/search?q=services.http.response.body%3D%220x%255B%255D%3Dandroxgh0st%22&resource=hosts&cursor=eyJhbGciOiJFZERTQSJ9.eyJub25jZSI6InhxVFIySXdiRkFZYk1FZXVWRDZHU2hQWHFJTUgxK3NXL2lUQk5ERFRFZUkiLCJwYWdlIjozLCJyZXZlcnNlZCI6ZmFsc2UsInNlYXJjaF9hZnRlciI6WzEuMCwxNzMxMzI2NTU0MDc3LCIzNy44Mi43LjUzIixudWxsXSwic29ydCI6W3siX3Njb3JlIjp7Im9yZGVyIjoiZGVzYyJ9fSx7Imxhc3RfdXBkYXRlZF9hdCI6eyJtaXNzaW5nIjoiX2xhc3QiLCJtb2RlIjoibWluIiwib3JkZXIiOiJkZXNjIn19LHsiaXAiOnsibWlzc2luZyI6Il9sYXN0IiwibW9kZSI6Im1pbiIsIm9yZGVyIjoiYXNjIn19LHsibmFtZS5fX3JhdyI6eyJtaXNzaW5nIjoiX2xhc3QiLCJtb2RlIjoibWluIiwib3JkZXIiOiJhc2MifX1dLCJ2ZXJzaW9uIjoxfQ.6Mr8RmlYVp5R5_Yw_ZR1WLWpxD-OKQcjrlfGrSdp4HyZAH01-pOvz-RMiz5RJPlwA7DsFXojRmwPtnX4k3DDAg

http://136.255.200.154
http://14.0.131.117
http://178.115.252.206
http://188.5.35.227
http://193.105.228.36
http://213.158.146.148
http://213.158.146.226
http://217.245.68.118
http://217.91.39.102
http://34.199.68.218
http://34.202.222.133
http://37.189.61.33
http://5.26.129.52
http://77.239.46.106
http://79.205.123.185
http://81.200.163.186
http://84.169.35.14
http://89.123.194.20
http://94.168.56.100
http://94.227.42.150
176.30.202.242:40080
178.242.0.119:40080
178.242.103.252:82
178.242.156.191:11082
178.242.44.226:83
178.242.5.231:82
178.242.82.62:10080
188.38.122.169:81
188.59.107.168:85
188.59.134.105:85
188.59.2.169:82
213.200.229.12:8000
213.233.116.106:1025
213.233.116.106:1026
213.233.116.106:502
213.43.160.13:82
31.177.41.57:9004
31.177.41.57:9005
37.80.81.108:8089
37.80.9.207:86
37.82.64.78:8089
37.84.163.238:120
37.84.170.135:85
37.85.48.170:83
45.79.69.171:60402
46.104.88.51:40080
46.104.89.21:40080
46.97.202.150:83
5.11.151.151:40080
5.11.240.244:90
5.11.241.48:40080
5.26.117.32:81
5.26.165.2:84
5.26.178.232:81
5.26.198.55:40080
5.26.213.203:85
5.26.228.111:81
5.26.229.220:10082
5.26.60.144:83
5.26.64.201:81
77.129.105.125:82
77.130.118.223:82
8.136.7.221:8000
86.71.99.76:82
87.139.197.249:82
92.95.255.227:82

# Reference: https://x.com/AndreGironda/status/1937704608476074329
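# Reference: https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
# NOTE(review): the *.oast.* entries below look like per-session callback hostnames under public OAST (out-of-band interaction) domains,
# which legitimate security testing also uses. Match the full hostnames listed here, not the parent domains, and expect them to age out quickly.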

cgim5hrh18vvdb38d1905iah3br5dyhji.oast.pro
cgim5hrh18vvdb38d190nnkcjrgc11cns.oast.pro
ch14vjilcoecm8580ft0bhwxm3yjaacyo.oast.live
ch14vjilcoecm8580ft0g6xsmrkewgwro.oast.live
ch14vjilcoecm8580ft0owzy7e9c7hu36.oast.live
chcmp35oujaubpa7e86g1wz9dypg9oc67.oast.site
chcmp35oujaubpa7e86g7mnzmqr9qadow.oast.site
chcmp35oujaubpa7e86gke4ba4r5iwxwz.oast.site
chcmp35oujaubpa7e86gkmmxw6tzhz5s6.oast.site
chi2p4r4bcdfd791dh50af56ny6e5p6e3.oast.fun
chi2p4r4bcdfd791dh50c6dpgu4h9rdhc.oast.fun
chi2p4r4bcdfd791dh50e76q1is16rh83.oast.fun
chi2p4r4bcdfd791dh50tp6ptaa1syixo.oast.fun
chke3769l5m6jbj8hq90cjcau8b594eu.oast.fun
chke3769l5m6jbj8hq90d4dhb4nx4zagt.oast.fun
chke3769l5m6jbj8hq90dzxqghnrfe6x6.oast.fun
chke3769l5m6jbj8hq90fu71kckky5x63.oast.fun
chke3769l5m6jbj8hq90grzqgusyh11ep.oast.fun
chke3769l5m6jbj8hq90kumuzndndpokb.oast.fun
chke3769l5m6jbj8hq90mrpez639ppnhj.oast.fun
chke3769l5m6jbj8hq90q5hqbd8rq5gkk.oast.fun
chke3769l5m6jbj8hq90tyrybjrzu9d1x.oast.fun
chke3769l5m6jbj8hq90up1kyouqdf7hx.oast.fun
chke3769l5m6jbj8hq90wc79578iwhft1.oast.fun
chke3769l5m6jbj8hq90y47n3ayz4uryc.oast.fun
cj7409i4t88ukb0publgakedcbwnz7nzy.oast.live
cj7409i4t88ukb0publgep4f3ii11ogdk.oast.live
cj7409i4t88ukb0publgjtkyt534mnrby.oast.live
cj7409i4t88ukb0publgtphu9h34f9bpn.oast.live
cv032vemsb87jtt2p11g5h8xztka6kruj.oast.me
cv032vemsb87jtt2p11g5y63nwb1ekujx.oast.me
cv032vemsb87jtt2p11g9n8d9kmxqhq6q.oast.me
cv032vemsb87jtt2p11ger6hddhzm5j4p.oast.me
cv032vemsb87jtt2p11getfd9zd4tpqqs.oast.me
cv032vemsb87jtt2p11gnn3nghfxgd3bt.oast.me
cv032vemsb87jtt2p11gwf68p1xw7rgtk.oast.me
cv032vemsb87jtt2p11gxzy7j9ziaf4j3.oast.me
cv032vemsb87jtt2p11gybdoc66nuxxxh.oast.me
cv032vemsb87jtt2p11gz8mdcbnsokgf6.oast.me
cv032vemsb87jtt2p11gzhoc81cijqymg.oast.me
cv032vemsb87jtt2p11gzs4xhcki44oof.oast.me
d0i0taritt4c9dh9hln06thpknw9dcqhu.oast.today
d0i0taritt4c9dh9hln0h7xsu7h88cxfr.oast.today
d0i0taritt4c9dh9hln0rhrdyu5ds8frk.oast.today
d0i0taritt4c9dh9hln0w8mzbmxi5bu96.oast.today
i-sh.detectors-testing.com

# Generic: the pattern below is the URL-encoded form of 0x[]=androxgh0st (%5B%5D decodes to [])

/data="0x%5B%5D=androxgh0st"
