# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html

32player.com
appswonder.info
capsnit.com
hiltrox.com
hytechmart.com
ios-update-whatsapp.com
ios-certificate-update.com
metclix.com
nfinx.info
referfile.com
scrollayer.com
techwach.com
twitck.com
wpitcher.com

# Reference: https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf
# Reference: https://otx.alienvault.com/pulse/5f7dd394005536c84adbaf56

account-googie.com
accountvalidate.com
airfitgym.com
ambicluster.com
aspnet.dyndns.info
assurecom.info
bulletinalerts.com
by4mode.com
cdn-icloud.co
celebsnightmares.com
citrusquad.com
classmunch.com
cloud-authorize.com
cocahut.com
cocelebsnightmares.com
cocoka.info
cohealthclubfun.com
crawloofle.com
cyroonline.com
devicesupport-rnicrosoft.com
domforworld.com
electrobric.com
everification-session-load.com
flux2key.com
freepunjab2020.info
frexinq.com
gateway-yahoo.com
ghelp.co
healthclubfun.com
hypforever.com
i3mode.com
imging.site
infoassurecom.info
infocrawloofle.com
inlineirnage.com
justsikhthings.com
kannat.ns01.us
khalistanlehar.com
leastinfo.com
leelee.dnset.com
lizacorner.com
lobertica.info
login-private.com
logon-info-gsupport.com
logstrick.com
m0-rnaiil-siina-chn-reload.everification-session-load.com
mail-incc.com
mail-king.com
mail-validation.info
mail.techsprouts.com
mailinfo-bh.com
me-yahoo.com
medieczema.com
middleeastleaks.com
mideastleaks.com
mindcraftstore.com
musicbandfiles.com
myaccount-googie.com
myappie.com
myggl.ioo-auth.net
netonlinetokenid.com
netstring2me.com
onlinetokenid.com
opticscold.com
opticzstore.com
optusiy.com
orgyes2khalistanis.com
out-look-mail-bh.com
oyesterclub.info
passwordsaverr.com
poiusavid.com
portal549.com
privacylog.info
prontexim.com
regditogo.com
rhc-jo.com
risalaencryptor.com
rnaiill2-rnaill-slna-m0.everification-session-load.com
rnail-appld-oath-varfiction.everification-session-load.com
scan8t.comsecure-useraccount.com
service-authorization.com
setting-secure.com
shiaar-e-islam.com
signtabo.com
sikhforjustice.org
similerwork.net
string2me.com
sync-tokens.com
tansyroof.com
techsprouts.com
techwach.com
thegogl.com
tierradom.com
timesofarab.com
toysforislam.com
trailhinder.com
traxbin.com
treemanic.com
trioganic.com
user-privacy.com
uskhalistanlehar.com
uyghuri.51vip.biz
uyghurie.51vip.biz
uygur.5166.info
uygur.51vip.biz
uygur.eicp.net
uygur.xicp.net
vlprnaiill2-rnaill-slna.m0.everification-session-load.com
weddnest.com
yes2khalistan.org
yes2khalistanis.com
yfoodzone.net
zhqdgk.com

# Reference: https://twitter.com/bl4ckh0l3z/status/1321746458308128769
# Reference: https://www.virustotal.com/gui/file/cef4be533954e5bb901080cbca26976929d55692674f1bb9fefeca0c349c86db/detection
# Reference: https://www.virustotal.com/gui/file/4fd441183ffd576aea2cf50b19d263f6b07b7548ea24725a496a0a929daaf912/detection

procompass.org
voiceofislam.info

# Reference: https://twitter.com/Circuitous__/status/1377767299709550593
# Reference: https://pastebin.com/9U57CHZn

fastfiterzone.com
lobertica.info
memoadvicr.com
zovwelle.com

# Reference: https://twitter.com/m0br3v/status/1413076245152141316
# Reference: https://www.virustotal.com/gui/file/73b516a0a3996ec1c685ad3d8e26a7191e5d7698bfd98970afc27d5356003cac/detection

onlinedomain.link

# Reference: https://www.virustotal.com/gui/file/815466ec21c59f7704f094a0e4cfc4f817c8b98231d10fe01919b6bd60eca64e/detection

lepze.com

# Reference: https://www.virustotal.com/gui/domain/ie-settings.com/detection

ie-settings.com

# Reference: https://twitter.com/m0br3v/status/1502262179390758913
# Reference: https://www.virustotal.com/gui/file/c921363c790c2eb82ab009f94ac0961164690d795c4ae87bed61897cc80fb33f/detection

datahost.click
/jkRt5e/check.php
/jkRt5e/

# Reference: https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=zh-CN
# Reference: https://otx.alienvault.com/pulse/625591f0fdef5bd852d84afe

5iw68rugwfcir37uj8z3r6rfaxwd8g8cdcfcqw62.de
h94xnghlldx6a862moj3.de
freesexvideos.ch
securechatnow.com

# Reference: https://twitter.com/malwrhunterteam/status/1539985809184641024
# Reference: https://twitter.com/malwrhunterteam/status/1540332848577667073
# Reference: https://www.virustotal.com/gui/ip-address/193.23.161.164/relations
# Reference: https://www.virustotal.com/gui/file/1084b7ff4758b5d13dcfc4f9167b16e6b834bfff2032b540e74959ceb18a5b1e/detection

172.64.168.30:2053
172.64.168.30:8443
193.23.161.164:8443
gkcx6ye4t4zafw8ju2xdr5na5.de
iminglechat.de
fjasfjfas89e.gkcx6ye4t4zafw8ju2xdr5na5.de

# Reference: https://twitter.com/Des00464472/status/1552146340515561472
# Reference: https://www.virustotal.com/gui/ip-address/5.249.160.136/relations

ay3a9j7pc3.de
yu27izuchc.de

# Reference: https://twitter.com/Des00464472/status/1567097126999703553
# Reference: https://www.virustotal.com/gui/ip-address/5.249.160.150/relations

32e6dwbbpg.de

# Reference: https://twitter.com/m0br3v/status/1570415612014530562
# Reference: https://www.virustotal.com/gui/file/c5f29fcb69ffaaac4568b0607d94bce55641ab5e7c6279393cd9605d14be0311/detection

newshostpoint.co

# Reference: https://twitter.com/malwrhunterteam/status/1595141450177871872
# Reference: https://twitter.com/midnight_comms/status/1596156830363029504
# Reference: https://twitter.com/midnight_comms/status/1596566303598182401
# Reference: https://www.cyfirma.com/outofband/apt-bahamut-attacks-indian-intelligence-operative-using-android-malware/
# Reference: https://www.virustotal.com/gui/file/45a6a0b2b02a9d288afba1ff41c689be9b9bd40ee862aa4bd6b036e3f0a4c3ab/detection
# Reference: https://www.virustotal.com/gui/file/a2abdf1d3439c9598f76c3732770b98725315efd32db322d926207ed28edf0db/detection

http://45.156.84.129
45.156.84.129:3000
14.16.88.35:5000
194.156.88.235:5000
45.156.85.161:2096
96r1yh643o.de
cdw1ir0dc9g3dwl5oh1y.de

# Reference: https://twitter.com/malwrhunterteam/status/1504892577975259141
# Reference: https://twitter.com/midnight_comms/status/1596563852035903488
# Reference: https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/
# Reference: https://otx.alienvault.com/pulse/63809fb03dacd453ae69d37b
# Reference: https://www.virustotal.com/gui/file/a40c7cabf874517f5d3d069e0377fa9348e10344000e39717c1a6571939ba7c0/detection
# Reference: https://www.virustotal.com/gui/file/a71290070f826292c0ce907f21280e46cb4b800163ca3b81301c75710387ff1b/detection

ft8hua063okwfdcu21pw.de
thesecurevpn.com

# Reference: https://twitter.com/malwrhunterteam/status/1616145101343817750
# Reference: https://twitter.com/dyngnosis/status/1616149602578595846
# Reference: https://www.virustotal.com/gui/file/0d7c1dffbd5abab02c174836cf1075bdc24f125b4084e5ba75e2c8ecccb747a3/detection
# Reference: https://www.virustotal.com/gui/file/38d0804412c47a77f08ecb346df27a9036dc02b83c51f70ab830902a2eab66dc/detection

162.55.103.212:20121
162.55.103.212:20122
162.55.103.212:20123
fvbyavgyea.com
jkiohreh.com
rondwsign.com
tokenmajorp.com
varweregofo.com

# Reference: https://twitter.com/0x6rsk/status/1656554067160702982
# Reference: https://twitter.com/BaoshengbinCumt/status/1656577909224796161
# Reference: https://about.fb.com/wp-content/uploads/2023/05/Meta-Quarterly-Adversarial-Threat-Report-Q1-2023.pdf
# Reference: https://www.virustotal.com/gui/file/0a7a9a3e5915f390e8a0d89c0ec21dd056504b0b759ea57ef68a000ee05b12e9/detection
# Reference: https://www.virustotal.com/gui/file/672d56b13708752b9d5287a8ac5e063174aa0af0c616a3ce8dd0dfbaff13386a/detection

hbx5adg6vk.de
khalsaforum.com
mamoonchat.com
rwzj2nntc3.de
usmimedia.com
play-store-secure-safechat.usmimedia.com
punjab-news18media-tribuneindia-mail.usmimedia.com

# Reference: https://www.welivesecurity.com/en/eset-research/unlucky-kamran-android-malware-spying-urdu-speaking-residents-gilgit-baltistan/
# Reference: https://otx.alienvault.com/pulse/6552657c0e444a423248f10c
# Reference: https://www.virustotal.com/gui/file/8609ce3bd3f395a25f3a2e2e343eb3ee87b0f1375202b5cec8bfcf8579d0472e/detection

hunzanews.net/wp-content/uploads/apk/

# Reference: https://threatfox.abuse.ch/browse/malware/apk.bahamut/

134.255.231.233:8443

# Reference: https://x.com/malwrhunterteam/status/1826580072645431357
# Reference: https://www.virustotal.com/gui/file/701016a39ff5656b6a7e6cf17a6ae0e7c3442b65c2f9b1d609c78b483b5cfe26/detection
# Reference: https://www.virustotal.com/gui/file/b8e797526a4d22ddfe0d9cf97a24264c305f5c09aa5cf63b56b067d92a1ad66e/detection

162.55.103.211:20121
162.55.103.211:20122
162.55.103.211:20123
oha.alpinemap.net
srv.psyberia.org
xyz.psyberia.org

# APK

/Kashmir-Youth.apk
/Kashmir.apk
/ChatService_master.apk
/securechatnow_v1_0_6.apk
/securechatnow_v1_0_7.apk
