# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt37, apt-c-37, geumseong121, group123, inkysquid, redeyes, scarcruft, Red Eyes, Venus 121, Thallium, TA-RedAnt, ta406, Temp.Reaper, RokRAT

# Reference: https://otx.alienvault.com/pulse/5d4456d289603cc548ddbc92
# Reference: https://blog.alyac.co.kr/2453 (Korean)
# Reference: https://fortiguard.com/resources/threat-brief/2019/08/09/fortiguard-threat-intelligence-brief-august-09-2019

price365.co.kr/abbi/head0.jpg
price365.co.kr/abbi/json/openssl.php
price365.co.kr/abbi/tail0.jpg
darvishkhan.net/wp-content/uploads/2017/06/update3.dat
darvishkhan.net/wp-content/uploads/2017/06/update6.dat

# Reference: http://blogs.360.cn/post/analysis-of-apt-c-37.html
# Reference: https://otx.alienvault.com/pulse/5d7916e3f619df83fd65778e

adamnews.for.ug
btcaes2.duckdns.org
da3da3.duckdns.org
israanews.zz.com.ve
mmksba.dyndns.org
mmksba.simple-url.com
samd1.duckdns.org
samd2.duckdns.org
sorry.duckdns.org
webhoptest.webhop.info

# Reference: https://twitter.com/blackorbird/status/1188726162928758784
# Reference: https://mp.weixin.qq.com/s/Wnb-r7SWbGGN-XuQ8fW_jw

artmuseums.or.kr/swfupload/fla/1.jpg
casaabadia.es/wp-content/uploads/2018/06/null/
fjtlephare.fr/wp-content/uploads/2018/05/null/

# Reference: https://twitter.com/blackorbird/status/1112904229495042049
# Reference: https://blog.alyac.co.kr/2226 (Korean)

/skin15/include/bin/forlab.php
/ct/data/icon/files/goal.php

# Reference: https://twitter.com/navSi16/status/1066296138498629637

padosori.co.kr
/_controller/admin/upload_sec/down.php

# Reference: https://twitter.com/cyberwar_15/status/1122692430262706178
# Reference: https://blog.alyac.co.kr/2281 (Korean)

youngs.dgweb.kr
/skin15/include/bin/home.php

# Reference: https://ti.qianxin.com/blog/articles/anatomy-of-moonLight-attack-on-the-middle-east/ (Chinese)

http://72.21.245.117
martnews.aba.ae
mslove.mypressonline.com

# Reference: https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU
# Reference: https://malpedia.caad.fkie.fraunhofer.de/actor/apt37
# Reference: https://twitter.com/jfslowik/status/1212097943550873600
# Reference: https://x.com/TIntel2255/status/1840825662925652152
# Reference: https://otx.alienvault.com/pulse/5e0b9895c5ed003a85210202 (# Thallium)
# Reference: https://pastebin.com/ScaPd18W

ahooc.com
app-wallet.com
bigwnet.com
bitwoll.com
cexrout.com
change-pw.com
checkprofie.com
cloudwebappservice.com
com-change.pw
com-serviceround.info
ctquast.com
dataviewering.com
dauurn.net
day-post.com
dialy-post.com
doc-view.work
documentviewingcom.com
dounn.net
dovvn-mail.com
down-error.com
drivecheckingcom.com
drog-service.com
encodingmail.com
files-download.net
filinvestment.com
fixcool.net
foldershareing.com
golangapis.com
graphwin.com
grnaeil.com
gstaticstorage.com
hanrnaii.net
helpnaver.com
hotrnall.com
iinaver.com
imap-login.com
inbox-yahoo.com
lh-logins.com
lh-logs.com
login-sec.com
login-use.com
mai1.info
mail-down.com
maingoogie.com
maingoogle.com
matmiho.com
mihomat.com
mofako.com
naerver.com
natwpersonal-online.com
navuor.com
nid-login.com
nidlogon.com
office356-us.org
office365-us.org
phlogin.com
pieceview.club
pw-change.com
reader.cash
reviewer.mobi
rnaii.com
rnailm.com
rnicrosoft.com
sec-live.com
secrityprocessing.com
securitedmode.com
security-lnfo.com
securytingmail.com
seoulhobi.biz
set-login.com
smtper.org
usrchecking.com
wallet-vahoo.com
yalnoo.com
yrnall.com
http-accounts.maingoogie.com
https-accounts.maingoogie.com

# Reference: https://twitter.com/kyleehmke/status/1212119523077349378

lnfo-master.com

# Reference: https://twitter.com/kyleehmke/status/1217486993871056899

security-acount.info

# Reference: https://otx.alienvault.com/pulse/5e206c7aef589acc3f96cb79
# Reference: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/

blockochain.info
files-downloader.net
webmail-googie.com
webmail-gooqle.com

# Reference: https://twitter.com/cyberwar_15/status/1313379907926335489 (Korean)

busyday.atwebpages.com

# Reference: https://twitter.com/ShadowChasing1/status/1344266120413384705
# Reference: https://www.virustotal.com/gui/file/7820bc1aa19ed61d035a2b7efb315ddb8b73cdf4df6ca41c365ce60ec160e713/detection
# Reference: https://www.virustotal.com/gui/file/9d58a6920db59a06e513cf077597a8e1848892ad2cf0ec9e3de8fd677efbfedd/detection

hz11.cn/jquery-ui-1.10.4/tests/unit/widget/doc/pu.php

# Reference: https://blog.alyac.co.kr/3489 (Korean)

frog.smtper.co/frog/
park.smtper.co/frogstock/

# Reference: https://blog.alyac.co.kr/3536 (Korean)
# Reference: https://www.virustotal.com/gui/ip-address/23.106.160.32/relations

factorgpu.com
greenulz.com

# Reference: https://twitter.com/cyberwar_15/status/1362413268472655877

klsa.onlinewebshop.net

# Reference: https://twitter.com/C0ryInTheHous3/status/1364275034638942210

down-drive.me

# Reference: https://twitter.com/cyberwar_15/status/1392459596069961734

nid-naver.servepics.com

# Reference: https://twitter.com/cyberwar_15/status/1392488563309105155
# Reference: https://www.virustotal.com/gui/file/1136ba6837a18a39b430cd8d2a7ff276dbaddf813060c47725c7c629dbab7ce5/detection

ahnlab.check.pe.hu

# Reference: https://twitter.com/cyberwar_15/status/1392469490592411651

daum.sytes.net
enolja.com
naver.servemp3.com
nid-naver.servehttp.com

# Reference: https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48
# Reference: https://otx.alienvault.com/pulse/60eeb8b1f8a87529ba8d6d8c

mobile-analytics-d0558.web.app

# Reference: https://twitter.com/cyberwar_15/status/1422376991907450886
# Reference: https://www.boannews.com/media/view.asp?idx=99543 (Korean)
# Reference: https://otx.alienvault.com/pulse/610a5db8cefc6068865ae665

tksrpdl.atwebpages.com

# Reference: https://github.com/EmergingThreats/threatresearch/blob/master/ta406/ta406_ioclist.csv

acount-pro.club
acount-pro.live
anlysis-info.xyz
asia-studies.net
bignaver.com
carnegieinsider.com
change-pw.com
clonesec.us
cloudnaver.com
cloudocument.com
cloudsecurityservice.net
dailycloudservice.com
daumhelp.net
daum-protect.com
deioncube.biz
delivernaver.com
delivers-security.com
delivers-security.net
diplomatictraining.com
document-package.online
documentpackages.link
documentpackages.online
documentpackage.space
documentpackages.space
documentpackages.store
documentserver.site
down-error.com
download-apks.com
downloader-hanmail.net
download-live.com
emailnaver.com
globalcloudservices.org
gooapi.online
google-acount.com
goolg-e.com
goolge.space
govermentweb.site
help-master.online
helpnaver.host
helpnaver.link
helpnaver.online
help-naver.site
helpnaver.site
help-secure.info
hpronto-login.com
itamaraty.net
knowledgeofworld.org
lnfo-master.com
login-protect.club
login-protect.online
mail-master.online
microsoft-pro.host
microsoft-pro.live
microsoft-pro.site
microsoft-pro.space
midsecurity.org
mid-service.com
mid-service.org
myethrvvallet.com
mysoftazure.com
naverhelp.com
navermain.com
naversecurity.us
nicnaver.com
nidnaver.host
nidnaver.press
nidnaver.site
nidnaver.store
noreply-cc.online
noreply-goolge.com
noreply-sec.online
noreply-yahoo.com
oaass-torrent.com
proattachfile.com
pronto-login.info
pw-change.com
resetpolicy.com
resetprofile.com
rfa.news
rnaii.com
rnail-inbox.com
rnailm.com
rnail-suport.site
rneail.com
secureaction.ru
securelevel.site
security-acount.info
securitycounci1report.org
security-delivers.com
securityforcastreport.com
security-lnfo.com
security-nid.space
security-pro.me
security-pro.online
securitysettings.info
seoulhobi.biz
servicenaver.com
servicenidnaver.com
sinoforecast.com
softfilemanage.com
ssidnaver.com
stategov.biz
support-info.network
unosa.org
voakorea.news
voakoreas.com
voipgoogle.com
vpsino.org
webofknowledg.com
xfindphoneloc.com
xn--mcrosoft-online-hic.com
0member-services.hol.es
1006ieudneu.atwebpages.com
1995ieudneu.atwebpages.com
attachdown.000webhostapp.com
attachdownload.000webhostapp.com
attachdownload.99on.com
dnsservice.esy.es
emailru.99on.com
firefox-plug.c1.biz
koryogroup.1apps.com
lookyes.c1.biz
north-korea.medianewsonline.com
online-manual.c1.biz
romanovawillkillyou.c1.biz
securitydownload.99on.com
silverlog.hol.es
softlay-ware.c1.biz
takemetoyouheart.c1.biz
taketodjnfnei898.c1.biz
taketodjnfnei898.ueuo.com
u13448720.ct.sendgrid.net
u19402039.ct.sendgrid.net
u7747409.ct.sendgrid.net
u8253848.ct.sendgrid.net
u9810308.ct.sendgrid.net
upsrv.16mb.com
vscode-plug.c1.biz
win10-ms.c1.biz

# Reference: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/

acddesigns.com.au
buttyfly.000webhostapp.com
kmbr1.nitesbr1.org
planar-progress.000webhostapp.com
stjohns-burscough.org

# Reference: https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/

djsm.co.kr/js/20170805.hwp
doseoul.com/bbs/data/hnc/update.php
haeundaejugong.com/data/jugong/do.php
haeundaejugong.com/editor/chinotto/do.php
hz11.cn/jquery-ui-1.10.4/tests/unit/widget/doc/pu.php
kjdnc.gp114.net/data/log/do.php
kumdo.org/admin/cont/do.php
luminix.kr/bbs/data/proc/proc.php
luminix.openhaja.com/bbs/data/proc1/proc.php

# Reference: https://0xthreatintel.medium.com/apt37-targets-journalists-security-researchers-4d18c559767c

js5950.cafe24.com
kjdnc.gp114.net

# Reference: https://twitter.com/midnight_comms/status/1467886870226952199
# Reference: https://www.virustotal.com/gui/file/3f3d492fe284569abb0ee60595e63ca5220ca8206c62df2a1f0ccfb8b9060405/detection

annstyle.ru

# Reference: https://twitter.com/midnight_comms/status/1467887093561053188
# Reference: https://www.virustotal.com/gui/file/facb0525447439cb402c1808e5a3a2436b887f8aa01af63201b1ca5350bee34e/detection

iblcor.cafe24.com

# Reference: https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf
# Reference: https://otx.alienvault.com/pulse/61978976fed1a4a1794586e7

acl-medias.fr
christinadudley.com
fd-com.fr
kswebdesign.eu
oaass.co.kr
rabadaun.com
influencer.jvproduccionessv.com
mail.apm.co.kr
mail.summitz.com
securitydownload.99on.com
simple.kswebdesign.eu

# Reference: https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report_-The-ink-stained-trail-of-GOLDBACKDOOR.pdf
# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-April/030646.html
# Reference: https://otx.alienvault.com/pulse/6261887e15fc527fe850e657

dailynk.us
lit-peak-25706.herokuapp.com
mail.dailynk.us
main.dailynk.us

# Reference: https://twitter.com/cyberwar_15/status/1481430358629707776
# Reference: https://twitter.com/cyberwar_15/status/1528619208183287809
# Reference: https://twitter.com/ShadowChasing1/status/1529451994532167682

bigfilemail.net
work3.b4a.app

# Reference: https://otx.alienvault.com/pulse/62e127f6ae973b499899ff9b
# Reference: https://www.virustotal.com/gui/file/0675443b6438e3a7e910d591aaefcf616a65e55856aa0aea58305f23035818f8/detection

http://185.176.43.106

# Reference: https://twitter.com/Timele9527/status/1600690222685032448
# Reference: https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/

free-xmlformat.com
ms-office.services
ms-offices.com
openxmlformat.org
template-openxml.com
word-template.net

# Reference: https://www.cib.gov.tw/News/BulletinDetail/8294
# Reference: https://otx.alienvault.com/pulse/5ec7ff4ec67d6aca23b7c350
# Reference: https://www.virustotal.com/gui/file/926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f/detection
# Reference: https://www.virustotal.com/gui/file/af5fb99d3ff18bc625fb63f792ed7cd955171ab509c2f8e7c7ee44515e09cebf/detection

outlook-offices.com
phonectrl.com
tibet-office.com
conference.outlook-offices.com
file.outlook-offices.com
mofa.outlook-offices.com
nds1.outlook-offices.com
office.phonectrl.com
file-sharing.tibet-office.com

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/group123/ScarCruft%20(APT37)%20active%20in%20South%20Korea.pdf

/bbs/data/cjdc/proc.php
/bbs/data/comb/price.php

# Reference: https://asec.ahnlab.com/en/48063/
# Reference: https://otx.alienvault.com/pulse/63f67cceee1cc80ed9497ecf

elearning.or.kr

# Reference: https://asec-ahnlab-com.translate.goog/ko/48764/?_x_tr_sl=auto&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp
# Reference: https://otx.alienvault.com/pulse/6408a4922f014d07a51f1f77

shacc.kr/skin/product/mid.xn--php

# Reference: https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/

http://141.105.65.165
attiferstudio.com/install.bak/sony/
clovery-shapes.000webhostapp.com/defcon/
hk-law.co.kr/data/file/joomla/
jdwanxiang.com/win/shenti/
koaagj.co.kr/files/2014/12/fix/
ri-guard.com/download/temp/cn-var/

# Reference: https://twitter.com/fmc_nan/status/1638528180947668993
# Reference: https://twitter.com/malwrhunterteam/status/1638661235146104832
# Reference: https://www.virustotal.com/gui/file/40cb1016a2d962482f40f1ce712403fbd8e23ce3d24b08241a6d5102306ecbc0/detection

yangak.com/data/cheditor4/pro/mid.php
yangak.com/data/cheditor4/pro/temp/7.html
yangak.com/data/cheditor4/pro/

# Reference: https://twitter.com/malwrhunterteam/status/1646612420683526146
# Reference: https://www.virustotal.com/gui/ip-address/194.165.16.93/relations
# Reference: https://www.virustotal.com/gui/file/1f3d808d89ea6c78d0fb0ff7e7d4be2115d231289c8dabd1663c4ffa19c56c26/detection

sharefiles-betterbusinessbureau-upload.com
sharefiles-betterbusinessbureau-us1.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-05-01-v10312/521

daum-store.com
docx1.b4a.app
link.b4a.app
nate-download.com
naver-file.com
naver-storage.com

# Reference: https://twitter.com/StopMalvertisin/status/1662733487768739842

http://128.199.133.121

# Reference: https://twitter.com/fmc_nan/status/1664179152331866112
# Reference: https://www.virustotal.com/gui/file/c26746a7a3e474e2c4915b4e05042a0ca53c195ac32f440bda73382008519793/detection

http://172.93.181.249

# Reference: https://twitter.com/h2jazi/status/1681122432000618499
# Reference: https://www.virustotal.com/gui/file/012063e0b7b4f7f3ce50574797112f95492772a9b75fc3d0934a91cc60faa240/detection
# Reference: https://www.virustotal.com/gui/file/01e7405ddd5545ffb4a57040acc4b6f8b8a5cc328fa8172e1800a1cb49bdf15c/detection

atusay.lat
tosals.ink

# Reference: https://twitter.com/malwrhunterteam/status/1681595936991064064
# Reference: https://www.virustotal.com/gui/file/eb21cf8e6f64340216e9c326fb58956d5408d6f2c0c5126ff8af9a4aac39e1a2/detection

ppangz.mom
/mjifi

# Reference: https://twitter.com/h2jazi/status/1688977725279600648
# Reference: https://www.virustotal.com/gui/file/d42ef12b6b40c1e3d0132a4be8954bb44d4019b7b82061651604895feb3ab016/detection

jutise.fun

# Reference: https://twitter.com/StopMalvertisin/status/1690399427255758848
# Reference: https://www.virustotal.com/gui/file/5071a29f42689c6d83de6fc16bbc6272b50ff06a53c721f34b0d94a29112bba6/detection

drimby.top

# Reference: https://twitter.com/StopMalvertisin/status/1690399430405734400
# Reference: https://www.virustotal.com/gui/file/f5e46e18facc6f8fde6658b96dcd379b82cc6ae2e676fb47f08cbeccd307b1b4/detection
# Reference: https://www.virustotal.com/gui/file/fcfb0398eb0216332bb3ce25e5e353e59a2f7af84e0b96fa04b65666276f5785/detection

crilts.cfd
labimy.ink

# Reference: https://twitter.com/StopMalvertisin/status/1690422578509479936
# Reference: https://www.virustotal.com/gui/file/7dd84cc7d8271a88063ce1ff1f1abe74c8e5b33301cb957b951161e6fe1b73fc/detection

http://75.119.136.207
ableinfo.co.kr/member/
bian0151.cafe24.com
vmi810830.contaboserver.net

# Reference: https://twitter.com/suyog41/status/1691027132254986240
# Reference: https://www.virustotal.com/gui/file/ee08d70c66ce95755b6936d59290eca71ebacce3efeae075e1454bb0f577a5d7/detection

nobuay.ink

# Reference: https://twitter.com/blackorbird/status/1694912623299674230
# Reference: https://mp.weixin.qq.com/s/pIdyesArvoXaD-lLYVvXiw

bajut.pro
giath.xyz
oebil.lat

# Reference: https://twitter.com/suyog41/status/1697536913610314016
# Reference: https://www.virustotal.com/gui/file/b31b89e646de6e9c5cbe21798e0157fef4d8e612d181085377348c974540760a/detection

navercorp.ru

# Reference: https://twitter.com/suyog41/status/1704025925187473638
# Reference: https://twitter.com/suyog41/status/1704098124762132790
# Reference: https://www.virustotal.com/gui/file/02489e283a347299152394ca9ef82812808501ab8a5b458bebc5a658644d2799/detection

teishin.org/img/Updater.zip
teishin.org/treasury/wp_asist.php
teishin.org/treasury/resources/admin/wp-admin/attack.php

# Reference: https://twitter.com/malwrhunterteam/status/1510919695423184896
# Reference: https://www.virustotal.com/gui/file/e6091e6bf8135e09f46b6a230873a6cacc6f7fc2fa4d8c3d5899b210eed1a5a9/detection
# Reference: https://www.virustotal.com/gui/file/e4ff04fe1aa1f28a993ac57cac277cd1e4bd8777d57644eb9e22d891194a90bf/detection
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/20231016_threat_inteligence_report_DarkHorse.pdf

successgoo.com
vhostnetwork.com

# Reference: https://twitter.com/malwrhunterteam/status/1523754342402052097
# Reference: https://www.virustotal.com/gui/file/ce1a5653444eb9902dd98365b1e2fd1bfee4ceb4e8d6746078d557bbaa764fe7/detection
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/20231016_threat_inteligence_report_DarkHorse.pdf

cerebrovascular.net

# Reference: https://twitter.com/blackorbird/status/1714576304279032023
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/20231016_threat_inteligence_report_DarkHorse.pdf

cheth.lol
honess.fun
plifty.lat
sgibn.cam

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/20231016_threat_inteligence_report_DarkHorse.pdf
# Reference: https://www.virustotal.com/gui/file/fd25c643565fdd42bb9a9af7d965b2dcfd80a889b50526abc5e9a4fd1bab6542/detection

shoru.net

# Reference: https://twitter.com/StopMalvertisin/status/1722227919634981372
# Reference: https://www.virustotal.com/gui/file/7387d00194adf8a8f15e12e191bfaa8dbd6c7af227ddc14d7fec742b30adc245/detection

ebpp.airport.kr

# Reference: https://twitter.com/fmc_nan/status/1729428966967271693
# Reference: https://www.virustotal.com/gui/file/194354cae93878dc3ba6ca2f71b70452ea0f1ac9d62f95431e5d3483b4f83074/detection

goodmarket.or.kr

# Reference: https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/

alireza.traderfree.online
bellissues.live
benefitinfo.live
benefitinfo.pro
benefiturl.pro
careagency.online
cra-receivenow.online
crareceive.site
depositurl.co
depositurl.lat
direct.traderfree.online
faguo.namecentless.top
forex.traderfree.online
groceryrebate.online
groceryrebate.site
gstcreceive.online
hl.namecentless.top
instantreceive.org
li.namecentless.top
lin.namecentless.top
namecentless.top
receive.bio
receiveinstant.online
rentsubsidy.help
rentsubsidy.online
shate.namecentless.top
tes.namecentless.top
tes1.namecentless.top
tes2.namecentless.top
tes3.namecentless.top
tes4.namecentless.top
tinyurlinstant.co
traderfree.online
ttt.namecentless.top
urldepost.co
verifyca.online
visiononline.store

# Reference: https://twitter.com/suyog41/status/1772149859698524630
# Reference: https://www.virustotal.com/gui/file/fb55f221a1c382eaaea943c9c4c3bc35f512f0ae515d9f33693bff9ccd1b7483/detection

sklims.lat
ems.nps.or.kr

# Reference: https://www.virustotal.com/gui/file/2ede67e3953d9d8519f450c6be70f2b8f4826e17b2b5f43fa1144a3a5d15973f/detection

urbiusla.homes

# Reference: https://x.com/JangPr0/status/1793945744577364344
# Reference: https://www.virustotal.com/gui/file/2222f1d7ccd05655f0492769bc54ec016679d59da258affa9b8686021fada59d/detection

sharingdocument.one
host.sharingdocument.one

# Reference: https://x.com/JAMESWT_MHT/status/1836784273191297442
# Reference: https://x.com/JAMESWT_MHT/status/1836847390638362767
# Reference: https://www.virustotal.com/gui/file/9d0807210b0615870545a18ab8eae8cecf324e89ab8d3b39a461d45cab9ef957/detection
# Reference: https://www.virustotal.com/gui/file/133359336ed60b94e9cd500fb518a72fe8711c4a8f8fc83ef2cc242173d8cb96/detection

http://208.85.16.88
208.85.16.88:5555

# Reference: https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/
# Reference: https://otx.alienvault.com/pulse/611ce45950765f93f688ba00

jquery.services
api.jquery.services
cdns.jquery.services
gallery.jquery.services
image.jquery.services
module.jquery.services
slider.jquery.services
stock.jquery.services
storage.jquery.services
svg.jquery.services
table.jquery.services
treeview.jquery.services
ui.jquery.services
dailynk.com/wp-includes/js/jquery/jquery.min.js
dailynk.com/wp-includes/js/jquery/jquery-migrate.min.js

# Reference: https://x.com/blackorbird/status/1846828667718234555
# Reference: https://medium.com/s2wblog/unmasking-cve-2024-38178-the-silent-threat-of-windows-scripting-engine-91ad954dbf83

js.ad4949.co.kr
mini.gomlab.com/player/html/toast/toast_KR_N.html

# Reference: https://x.com/the_yellow_fall/status/1846484897495699929
# Reference: https://x.com/k3yp0d/status/1848277967387963582
# Reference: https://www.virustotal.com/gui/ip-address/84.32.131.214/relations
# Reference: https://securityonline.info/north-korean-hackers-exploit-zero-day-flaw-cve-2024-38178-in-operation-code-on-toast/

mobonad.com
admin.mobonad.com
img.mobonad.com

# Reference: https://www.genians.co.kr/blog/threat_intelligence/apt37_recon

filedownloadserve.com
kakaofilestorage.com
navarar.com

# Reference: https://x.com/byrne_emmy12099/status/1864880849277325376
# Reference: https://www.virustotal.com/gui/file/d9e3eba6067eec0aa32214b2a9811f4b579b66b34fe4e5bff4d754102dffdb91/detection

uploader1j.disk.yandex.net
uploader77j.disk.yandex.net

# Reference: https://x.com/SwitHak/status/1922259600113328605
# Reference: https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front

pokijhgcfsdfghnj.mywebcommunity.org
qweasdzxc.mygamesonline.org
wersdfxcv.mygamesonline.org

# Reference: https://x.com/Cyberteam008/status/1940265872402403341

admin.primgs.lol
grip-cdns.space
img.responsive.pstatic.autos
img.smartnords.site
img.worksongo.store
primgs.lol
pstatic.autos
responsive.pstatic.autos
show.grip-cdns.space
smartnords.site
worksongo.store

# Reference: https://x.com/volrant136/status/1944429848807530870

cleanos.online
darklights.store
monderhouse.space
socialteams.store
app.cleanos.online
img.darklights.store
img.monderhouse.space
img.socialteams.store

# Reference: https://x.com/lazarusholic/status/1947650364825866590
# Reference: https://asec.ahnlab.com/ko/89116/
# Reference: https://www.virustotal.com/gui/file/e27467f7fdfa721e917384542ce10cc6108dfd78df14e23872cf8df916e0b8c6/detection
# Reference: https://www.virustotal.com/gui/file/41d9b6d8cf0fff85bf35327d4b94db629cd9f754c487672911b7f701fe8c5539/detection
# Reference: https://www.virustotal.com/gui/file/6a2d984ef3fa0de9b9feb5f558381201e6dff42ef5efe4867fb24e47c6a2aade/detection

uploader10klg.disk.yandex.net

# Reference: https://x.com/byrne_emmy12099/status/1951675987198173489
# Reference: https://www.seqrite.com/blog/operation-hankook-phantom-north-korean-apt37-targeting-south-korea/
# Reference: https://www.virustotal.com/gui/file/d8d86b15e68889bf76b3cf8e335f43afe0287b9b20aeb18b136b90a516695989/detection

daily.alltop.asia/blog/article/d2.php
daily.alltop.asia/blog/article/del2.php
daily.alltop.asia/blog/article/up2.php

# Reference: https://x.com/Threatlabz/status/1965060646405574786
# Reference: https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader
# Reference: https://www.virustotal.com/gui/file/738a31e7a0d96fe1b0ad6778db39425160835a80ac33ce8a84f26b71c00c26b9/detection

hnkoaa.co.kr/files/2023/12/01/win.php
