# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: shadowhammer, shadowpad, apt41, apt-c-41, double dragon, earth baku, earth baxia, lowkey, AXIOMATICASYMPTOTE, RedEcho, xianggang, eagerbee, toughprogress, ta415, voldemort

# Reference: https://securelist.com/operation-shadowhammer/89992/

asushotfix.com

# Reference: https://twitter.com/ydklijnsma/status/1110220766778286080
# Reference: https://twitter.com/ydklijnsma/status/1110189880313692160

homeabcd.com
simplexoj.com

# Reference: https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

103.19.3.17:443
103.19.3.43:443
103.19.3.44:443
103.19.3.44:1194
117.16.142.9:443
23.236.77.175:443
23.236.77.177:443
infestexe.com

# Reference: https://content.fireeye.com/apt-41/rpt-apt41
# Reference: https://otx.alienvault.com/pulse/5d4ae9f31ae8a479422a17ab

agegamepay.com
ageofwuxia.com
ageofwuxia.info
ageofwuxia.net
ageofwuxia.org
bugcheck.xigncodeservice.com
byeserver.com
dnsgogle.com
gamewushu.com
gxxservice.com
ibmupdate.com
infestexe.com
kasparsky.net
linux-update.net
macfee.ga
micros0ff.com
micros0tf.com
notped.com
operatingbox.com
paniesx.com
serverbye.com
sexyjapan.ddns.info
symanteclabs.com
techniciantext.com
win7update.net

# Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
# Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations

http://67.229.97.229
67.229.97.229:5985
67.229.97.229:9999

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html
# Reference: https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/
# Reference: https://otx.alienvault.com/pulse/5da5eaab4516e8056a6d59fb

checkin.travelsanignacio.com

# Reference: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
# Reference: https://otx.alienvault.com/pulse/5e7b4a11d552fbcfce6c314d
# Reference: https://twitter.com/sysgoblin/status/1237054973579583489 (# CVE-2020-10189)

http://66.42.98.220
http://91.208.184.78
66.42.98.220:12345
74.82.201.8:12345
91.208.184.78:443
accounts.longmusic.com
dylerays.tk
exchange.dumb1.com

# Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/
# Reference: https://otx.alienvault.com/pulse/5e95c0d3d12068d29f538338
# Reference: https://www.virustotal.com/gui/ip-address/66.42.98.220/relations

http://66.42.98.220
66.42.98.220:12345
119.28.139.20:443
alibaba.zzux.com
exchange.longmusic.com

# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/shadowpad-novaya-aktivnost-gruppirovki-winnti/ (Russian, # ShadowPad IOC)

ertufg.com
filename.onedumb.com
info.kavlabonline.com
ncdle.net
trendupdate.dns05.com
ttareyice.jkub.com
unaecry.zzux.com
yandex2unitedstated.dns04.com

# Reference: https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html
# Reference: https://otx.alienvault.com/pulse/5f650a34fabdf2c7bf7a7616

http://104.233.224.227

# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 2)

ashcrack.freetcp.com
heatidc.com
infrast.ygto.com
notify.serveuser.com
platform.freetcp.com
reply.ygto.com
tripmerry.com

# Reference: https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf

arestc.net
icefirebest.com
mongolv.com
pneword.net

# Reference: https://blog.macnica.net/blog/2020/11/dtrack.html
# Reference: https://otx.alienvault.com/pulse/5fc12f0ec26699f8ccd97838

mail.gietriangle.org/public/src3.png
tastygoodness.net
ussainc.org

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
# Reference: https://otx.alienvault.com/pulse/603d0dcc0a0f44e375d16c62/

escanavupdate.club
indrails.com
ixrails.com
ntpc-co.com
pandorarve.com
ptciocl.com
ubuntumax.com
websencl.com
indianrailway.hopto.org
indrra.ddns.net
inraja.ddns.net
modibest.sytes.net
railway.sytes.net
railways.hopto.org
astudycarsceu.net
indiasunsung.com
shipcardonlinehelp.com
smartdevoe.com

# Reference: https://blog.group-ib.com/colunmtk_apt41
# Reference: https://otx.alienvault.com/pulse/60c34510bd6707ce53355efc

colunm.tk
cs.colunm.tk
ns1.colunm.tk
ns2.colunm.tk
service.dns22.ml
server04.dns04.com
service04.dns04.com

# Reference: https://content.fireeye.com/apt41-jp/rpt-apt41-jp
# Reference: https://otx.alienvault.com/pulse/610cf675620c3a10851e62d0

backdoor.apt.photo

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/BB_APT41.json

isbigfish.xyz

# Reference: https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

dbhubspi.com
glbaitech.com
kinopoisksu.com
necemarket.com
dev.kinopoisksu.com
holdmem.dbhubspi.com
m.necemarket.com
mb.glbaitech.com
ns.glbaitech.com
st.kinopoisksu.com

# Reference: https://www.mandiant.com/resources/apt41-us-state-governments

milli-seconds.com
queryip.cf
time12.cf
viewdns.ml
winsproxy.com
work.viewdns.ml
workers.viewdns.ml
work.queryip.cf
cdn.ns.time12.cf
east.winsproxy.com
afdentry.workstation.eu.org
ns1.entrydns.eu.org
subnet.milli-seconds.com

# Reference: https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41
# Reference: https://otx.alienvault.com/pulse/615da9a8e2c277e1749757c3

assistcustody.xyz
chaindefend.bid
defendchain.xyz
isbigfish.xyz
mircosoftdoc.com
zalofilescdn.com
microsoftbooks.dns-dns.com
ns.mircosoftdoc.com

# Reference: https://www.mandiant.com/resources/apt41-us-state-governments

down-flash.com
microsoftfile.com
libxqagv.ns.dns3.cf

# Reference: https://www.mandiant.com/resources/mobileiron-log4shell-exploitation
# Reference: https://otx.alienvault.com/pulse/6244606893ddbc9a6a5bbdeb
# Reference: https://www.virustotal.com/gui/file/fb091547c42fcd5917283b3a79ee86e7388d57789327289d6d357e71ae28ddff/detection

103.224.80.44:8080
103.242.133.48:44322
103.242.133.48:8085
198.13.40.130:2222
note.down-flash.com
111111.note.down-flash.com
2f2640fb.dns.1433.eu.org
335b5282.dns.1433.eu.org
d5922235.dns.1433.eu.org

# Reference: https://twitter.com/0xrb/status/1509396448387153920
# Reference: https://www.virustotal.com/gui/file/536def339fefa0c259cf34f809393322cdece06fc4f2b37f06136375b073dff3/detection

43.129.188.223:10333
longlifetrump.com

# Reference: https://otx.alienvault.com/pulse/624ff0af271429d152b5a27e

greatsong.soundcast.me
supermarket.ownip.net
supership.dynv6.net

# Reference: https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf
# Reference: https://otx.alienvault.com/pulse/613b110f3e005c40fe57317d

dns224.com
mssetting.com
twitterproxy.com
microsofthelp.dns1.us
ns.cloud01.tk
ns.cloud20.tk
ns1.extrsports.ru

# Reference: https://twitter.com/AltShiftPrtScn/status/1519840040637157378
# Reference: https://www.virustotal.com/gui/file/d2d927e7cdb804c416e70e41290453a7902420894b5cb17fdb688e9ee7943b13/detection

138.68.61.82:444

# Reference: https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/
# Reference: https://otx.alienvault.com/pulse/6270f28cc2cfb0f83fe7b211

farisrezky.com
freewula.strangled.net
gfsg.chickenkiller.com
greenhugeman.dns04.com
pic.farisrezky.com
szuunet.strangled.net
final.staticd.dynamic-dns.net

# Reference: https://blog.group-ib.com/apt41-world-tour-2021
# Reference: https://otx.alienvault.com/pulse/630615f326d4b91e473170fe

delaylink.tk
socialpt2021.club
cs16.dns04.com
newimages.socialpt2021.tk

# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
# Reference: https://otx.alienvault.com/pulse/632082a05037fdffef98dcb4
# Reference: https://www.virustotal.com/gui/file/c48e1ff27b6386dadd7a8b696c00b0b96d27dffc8ee5df393765ba538c272c11/detection

27.124.17.222:443

# Reference: https://blogs.vmware.com/security/2022/10/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html
# Reference: https://github.com/carbonblack/active_c2_ioc_public/blob/main/shadowpad/shadowpad_202210.tsv

http://149.127.176.12
http://149.127.176.14
http://164.155.51.9
http://38.54.4.48
http://45.79.122.225
http://65.21.57.12
103.120.82.243:443
103.133.139.23:443
103.133.139.29:443
103.138.82.202:443
103.138.82.215:443
103.143.73.116:443
103.151.229.130:443
103.151.229.139:443
103.151.229.35:443
103.151.229.74:443
103.209.233.172:443
103.231.14.171:443
103.254.75.140:443
103.27.108.20:443
103.27.109.182:443
103.56.19.113:443
103.56.19.157:443
103.56.19.42:443
103.93.76.135:443
107.155.50.198:443
116.204.134.123:443
120.79.8.23:443
134.122.134.140:443
134.122.188.187:443
137.220.185.203:443
137.220.53.224:443
137.220.55.36:443
139.180.188.58:443
139.180.193.182:443
14.18.191.150:443
149.127.176.12:443
149.127.176.14:443
149.127.176.22:443
149.28.151.244:53
152.32.133.68:443
152.32.139.128:443
154.201.144.60:443
154.215.96.211:443
154.38.118.107:443
156.240.104.115:443
156.240.104.149:443
156.240.107.248:443
158.247.202.188:443
163.197.32.39:443
163.197.34.109:443
167.179.78.160:443
167.179.78.160:53
167.71.236.226:443
172.105.36.249:443
173.254.227.204:443
185.207.155.146:443
188.116.48.62:443
193.239.191.95:443
211.239.213.13:443
213.59.118.124:443
38.54.4.48:443
38.55.223.221:443
43.129.188.223:443
45.134.1.74:443
45.137.10.3:443
45.32.102.50:443
45.32.121.100:443
45.32.248.92:443
45.76.152.71:443
45.76.152.71:53
45.77.169.228:443
45.77.250.209:443
45.77.252.157:443
5.181.4.59:443
61.97.248.72:443
65.21.57.12:443
66.42.60.66:443
8.136.179.117:443
8.208.94.94:443
85.9.26.104:53
92.38.135.71:443
95.85.67.48:443

# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi/IOCs-hack-the-real-box-apt41-new-subgroup-earth-longzhi.txt
# Reference: https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
# Reference: https://otx.alienvault.com/pulse/636d814b3faea55b00ea98b8
# Reference: https://www.virustotal.com/gui/file/f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08/detection
# Reference: https://www.virustotal.com/gui/file/76998c3cef50132d7eb091555b034b03a351bd8639c1c5dc05cf1ea6c19331d9/detection
# Reference: https://www.virustotal.com/gui/file/4bc4d2ad9b608c8564eb5da5d764644cbb088c2f1cb61427d11f7b2ce4733add/detection

http://139.180.138.226
http://47.108.173.88
139.180.138.226:8000
47.108.173.88:8098
47.108.173.88:8099

# Reference: https://community.emergingthreats.net/t/daily-ruleset-update-summary-2022-11-11/149

ymvh8w5.xyz
c.ymvh8w5.xyz

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/APT-hunting/hunting-cobaltstrike-beacons-in-the-dark.pdf
# Reference: https://www.virustotal.com/gui/ip-address/185.14.29.72/relations

schememicrosoft.com
aliyun.com.co
microport.com.cn
microsoftbooks.dynamic-dns.net
microsoftdocs.dns05.com
microsoftonlineupdate.dynamic-dns.net
ns.microsoftdocs.dns05.com

# Reference: https://twitter.com/r3dbU7z/status/1605356770330828802
# Reference: https://twitter.com/jaydinbas/status/1605532948480000002
# Reference: https://www.virustotal.com/gui/file/867e8902612f9e9a390fc667ffd53343e324c8c677c12dcbca4e1b9f14b0e461/detection

43.229.155.42:8000
43.229.155.38:8443
google-au.ga
cdn.google-au.ga

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf

adobe-cdn.org
akamaixed.net
dl-flash.tk
linuxupdate.info
microsoftcontents.com
portomnail.com
tcplog.com
xxe.pw
a.linuxupdate.info
aejava.ddns.net
aejva.ddns.net
aone.ddns.net
back.rooter.tk
box.xxe.pw
chrome.down-flash.com
cloudat.ddns.net
cloudcat.ddns.net
dash.tcplog.com
dns.xxe.pw
down.xxe.pw
down1.linuxupdate.info
down2.linuxupdate.info
exchange.openmd5.com
exchange.portomnail.com
fonts.google-au.ga
gknbm.ddns.net
help.down-flash.com
help.tcplog.com
js.down-flash.com
jsj1.linuxupdate.info
lemonupdate.ddns.net
linux.down-flash.com
linuxupdate.ddns.net
ltupdate.ddns.net
mail.xxe.pw
mirros.microsoftcontents.com
mirros3.linuxupdate.info
mm.portomnail.com
n2.xxe.pw
ns1.xxe.pw
ns2.xxe.pw
officecdn-microsoft-com.akamaixed.net
proxy.xxe.pw
q.xxe.pw
q2.xxe.pw
q4.xxe.pw
qq.xxe.pw
static.adobe-cdn.org
static.tcplog.com
transcom.ddns.net
twnoc.ddns.net
updatenew.servehttp.com
vbnmob.ddns.net
volleyball.ddns.net
vpnmobupdate.ddns.net
x.xxe.pw
xxe.linuxupdate.info
yunchat.ddns.net

# Reference: https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41
# Reference: https://www.virustotal.com/gui/file/38e18d79b83e7c0afbe1ac246a7a5fe6b2783adc085e9aeb2ec610e76f5ccaad/detection

116.205.4.18:33889
121.42.149.52:8002
andropwn.xyz
win10micros0ft.com
alxc.tbtianyan.com
dns.win10micros0ft.com
huaxin-bantian.duckdns.org
smiss.imwork.net

# Reference: https://twitter.com/tiresearch1/status/1688843159265325056

ap.philancourts.com
atomiclampco.com
closeby.coupons
ftp.gulliverwear.com
gulliverwear.com
news.revecontopsy.com
securityhealthservice.com
test.dagnelie.fr
test.securityhealthservice.com

# Reference: https://twitter.com/tiresearch1/status/1689173376487849984

bulkyservice.info
mexicobulk.info
kdalpqwx312dwjbb.leopard2.com
mta0.bulkyservice.info
mta0.mexicobulk.info
ns1.bulkyservice.info
ns2.bulkyservice.info
ns2.mexicobulk.info
server.mexicobulk.info

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/

120.25.0.139:8443
193.36.117.21:443
219.141.161.65:443
47.94.196.131:444

# Reference: https://stairwell.com/resources/security-alert-enrichment-shadowpad-variants/
# Reference: https://www.virustotal.com/gui/file/48ac2ca316e636109524e72c771afc7e4592f0a6c1de827985aa090f17b98879/detection

rtxwen.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2023-10-13)

http://103.113.8.225
http://103.113.8.232
http://104.233.160.81
http://104.233.161.173
http://107.150.124.43
http://107.173.63.250
http://112.213.109.121
http://112.213.109.131
http://112.213.109.141
http://114.29.254.126
http://114.29.254.17
http://114.29.254.201
http://114.29.254.94
http://143.92.52.130
http://143.92.52.133
http://143.92.52.137
http://149.28.25.119
http://154.26.153.129
http://154.84.23.116
http://156.234.169.19
http://158.247.239.102
http://16.162.44.42
http://182.16.60.150
http://185.161.209.2
http://194.37.97.132
http://198.135.48.10
http://20.214.1.160
http://207.148.97.160
http://3.112.45.157
http://38.47.116.103
http://38.47.123.94
http://38.54.50.224
http://43.135.1.200
http://43.242.34.23
http://43.255.28.190
http://45.63.65.123
http://45.77.157.245
http://5.255.88.185
http://54.249.142.61
http://61.238.103.165
http://63.141.237.100
http://63.141.237.208
http://64.44.184.105
http://72.18.215.38
http://8.218.191.58
http://8.218.234.216
http://96.9.211.159
101.99.94.142:443
103.106.202.158:8443
103.106.202.163:8443
103.113.8.225:443
103.113.8.225:53
103.113.8.225:8080
103.113.8.232:443
103.113.8.232:8080
103.146.231.2:443
103.68.193.225:8443
103.94.76.115:81
103.94.76.163:443
104.208.73.38:53
104.233.161.173:53
104.233.161.173:8080
104.37.175.64:443
107.150.124.43:53
107.173.63.250:21
112.213.109.121:443
112.213.109.121:53
112.213.109.131:443
112.213.109.131:53
112.213.109.141:443
112.213.109.141:53
122.254.94.69:8000
124.220.78.199:8443
13.208.47.9:443
139.84.163.79:443
139.84.163.79:8080
139.84.163.79:8443
143.92.52.130:12345
143.92.52.130:21
143.92.52.130:443
143.92.52.130:53
143.92.52.130:8000
143.92.52.133:21
143.92.52.133:443
143.92.52.133:8000
143.92.52.137:21
143.92.52.137:443
143.92.52.137:53
143.92.52.137:8000
143.92.56.71:10000
149.28.145.25:443
154.19.70.222:8000
154.19.70.222:8080
154.19.70.94:65000
154.84.23.116:12345
154.84.23.116:21
154.84.23.116:443
154.84.23.116:8000
156.234.169.19:443
156.234.169.19:8080
156.234.211.149:8080
158.247.222.2:21
158.247.222.2:53
158.247.222.2:8443
158.247.239.102:443
165.84.180.74:443
180.178.42.34:65000
180.178.42.35:65000
180.178.42.38:65000
182.16.60.150:443
182.16.60.150:53
182.16.60.150:8080
185.161.209.2:443
192.236.195.253:443
193.37.59.246:443
194.37.97.132:443
198.135.48.10:443
20.210.134.241:443
202.182.115.238:443
208.72.153.162:8080
208.85.21.210:443
216.83.41.111:443
216.83.41.112:443
216.83.41.113:443
38.45.120.138:12345
38.45.120.139:12345
38.45.120.140:12345
38.45.120.141:12345
38.45.120.142:12345
38.47.116.103:443
38.47.123.94:443
38.47.220.183:65000
38.47.221.162:12345
38.47.221.86:443
38.54.50.224:443
38.54.50.224:53
38.54.50.224:8080
38.60.217.198:443
43.135.1.200:443
43.135.1.200:8080
43.154.29.157:12345
43.242.34.23:443
45.63.65.123:443
45.74.41.38:21
45.74.6.174:443
45.76.110.175:443
45.76.110.175:8080
45.76.213.19:443
45.76.213.19:8080
45.77.157.245:443
5.253.36.199:443
54.249.142.61:8080
64.44.184.105:21
78.141.208.113:443
8.218.234.216:443
8.218.234.216:8080
96.9.211.159:21
96.9.211.159:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2023-10-26)

http://103.158.190.167
http://103.255.118.149
http://103.255.118.150
http://103.51.110.5
http://104.194.129.178
http://104.233.167.99
http://118.193.56.234
http://124.126.116.7
http://139.180.193.182
http://149.202.45.103
http://149.28.157.235
http://149.88.75.49
http://156.236.114.202
http://158.247.202.188
http://158.247.203.58
http://158.247.213.14
http://165.154.227.192
http://167.179.108.149
http://173.199.123.205
http://198.13.42.128
http://216.128.177.23
http://38.60.217.40
http://45.76.189.91
http://45.77.244.237
http://46.17.103.152
http://5.252.178.38
http://64.176.47.148
http://95.174.24.213
http://95.85.91.50
101.99.88.70:4443
103.146.231.40:44444
103.146.231.40:55555
103.22.255.14:8002
103.43.19.239:443
103.51.110.5:443
104.194.129.178:443
104.194.129.178:44444
104.194.129.178:53
111.203.154.198:8002
111.203.154.199:8002
112.94.221.4:8002
112.95.159.90:443
113.98.238.83:443
114.255.80.175:8002
120.236.186.153:8002
121.201.64.100:38002
121.32.27.111:8002
124.126.116.6:8002
124.126.116.7:8002
124.133.230.153:8002
128.14.105.245:443
134.122.189.25:443
134.122.189.25:53
134.122.189.32:443
139.180.193.182:8080
139.180.217.229:443
139.59.29.27:443
141.164.62.87:8443
144.202.27.95:8443
146.185.219.33:443
146.185.219.33:8443
146.70.157.115:8080
146.70.157.115:8081
146.70.157.115:8443
148.66.50.42:4443
148.66.50.43:4443
149.202.45.103:443
149.202.45.103:8080
149.202.45.103:88
149.88.75.49:443
149.88.75.49:53
152.32.133.68:8088
154.7.64.133:44444
154.7.64.169:44444
156.236.114.202:443
156.236.114.202:53
158.247.202.188:53
158.247.202.188:995
158.247.241.217:18443
158.247.241.217:443
158.247.241.217:8443
16.163.146.134:8443
165.154.227.192:443
165.154.227.192:8080
173.199.123.205:443
18.193.11.42:8083
183.162.222.8:8002
183.236.220.4:8002
192.71.26.55:443
194.165.59.120:443
207.148.120.140:993
216.128.177.23:443
217.12.206.194:443
218.3.254.252:44444
220.248.252.114:8002
220.248.252.114:8012
3.19.1.60:8083
3.219.38.25:8083
3.84.66.152:8083
36.255.221.118:44444
36.255.221.118:58443
38.54.20.187:443
39.96.58.23:8084
39.96.58.23:8883
45.76.217.11:443
45.77.244.237:443
45.77.244.237:8080
46.17.103.152:443
46.17.103.152:8080
46.17.103.152:8081
46.17.103.152:88
46.246.98.47:443
47.242.188.74:4443
5.252.178.38:443
5.252.178.38:8080
5.252.178.38:8081
5.78.83.190:443
64.176.37.149:443
64.176.37.149:8080
64.176.58.84:443
77.72.85.16:443
77.72.85.16:8080
77.72.85.16:8081
77.72.85.16:88
8.218.212.77:8080
8.219.186.164:443
88.119.169.116:443
88.218.192.21:443
95.179.217.17:443
95.85.91.50:443
95.85.91.50:53

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2023-11-20)

http://103.97.176.121
http://109.123.230.56
http://16.163.142.128
http://167.179.98.155
http://175.27.191.226
http://203.69.170.86
http://207.148.120.140
http://38.54.84.31
http://45.67.230.185
http://45.86.162.190
103.56.19.158:993
103.97.176.121:443
103.97.176.121:8080
112.121.187.179:12345
13.115.129.191:8080
13.208.47.9:53
154.204.24.244:65000
154.7.64.210:44444
158.247.202.188:993
158.247.253.206:443
165.154.233.32:1024
175.27.191.226:21
175.27.191.226:443
185.189.241.155:53
185.189.241.155:8080
185.189.241.159:443
185.189.241.159:53
185.189.241.186:443
185.189.241.186:53
185.189.241.208:53
185.189.241.208:8080
203.69.170.86:21
203.69.170.86:443
207.148.120.140:443
207.148.120.140:995
209.58.190.167:32443
34.92.77.165:443
43.230.161.205:12345
45.67.230.185:443
45.74.6.148:8443
45.74.6.188:21
95.174.24.213:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2023-11-23)

http://37.120.247.29
101.132.147.163:8002
106.52.128.236:12340
106.52.128.236:8443
106.52.243.150:12340
118.126.107.95:12340
119.29.143.243:12340
119.29.143.243:8443
119.29.165.74:12340
119.29.165.74:8443
119.29.249.227:12340
119.29.249.227:8443
119.29.73.94:12340
119.29.73.94:8443
119.29.8.235:12340
119.29.8.235:8443
119.29.84.169:12340
120.233.114.145:22000
120.233.114.145:22001
120.233.114.145:22002
120.233.114.145:22003
120.233.114.145:22004
120.233.114.145:22005
120.233.114.145:22006
120.233.114.145:22007
120.233.114.212:22000
120.233.114.212:22001
120.233.114.212:22002
120.233.114.212:22003
120.233.114.212:22004
120.233.114.212:22005
120.233.114.212:22006
120.233.114.212:22007
122.114.18.100:12340
122.114.18.103:12340
122.114.18.103:22350
122.114.18.104:12340
122.114.18.106:12340
122.114.18.106:22350
122.114.18.107:12340
122.114.18.107:22350
122.114.18.108:12340
122.114.18.108:22350
122.114.18.109:12340
122.114.18.109:22350
122.114.18.111:12340
122.114.18.111:22350
122.114.18.112:12340
122.114.18.112:22350
122.114.18.113:12340
122.114.18.113:22350
122.114.18.114:12340
122.114.18.115:12340
122.114.18.115:22350
122.114.18.116:12340
122.114.18.116:22350
122.114.18.119:12340
122.114.18.119:22350
122.114.18.120:12340
122.114.18.120:22350
122.114.18.123:12340
122.114.18.123:22350
122.114.18.124:12340
122.114.18.124:22350
122.114.18.19:12340
122.114.18.19:22350
122.114.18.22:12340
122.114.18.22:22350
122.114.18.25:12340
122.114.18.25:22350
122.114.18.26:12340
122.114.18.26:22350
122.114.18.27:12340
122.114.18.27:22350
122.114.18.30:12340
122.114.18.30:22350
122.114.18.31:12340
122.114.18.31:22350
122.114.18.32:12340
122.114.18.32:22350
122.114.18.35:12340
122.114.18.35:22350
122.114.18.38:12340
122.114.18.38:22350
122.114.18.39:12340
122.114.18.39:22350
122.114.18.42:22350
122.114.18.43:12340
122.114.18.43:22350
122.114.18.44:12340
122.114.18.44:22350
122.114.18.46:12340
122.114.18.46:22350
122.114.18.47:12340
122.114.18.47:22350
122.114.18.49:12340
122.114.18.49:22350
122.114.18.50:12340
122.114.18.50:22350
122.114.18.52:12340
122.114.18.52:22350
122.114.18.53:12340
122.114.18.53:22350
122.114.18.54:12340
122.114.18.54:22350
122.114.18.55:12340
122.114.18.55:22350
122.114.18.57:12340
122.114.18.57:22350
122.114.18.58:12340
122.114.18.58:22350
122.114.18.59:12340
122.114.18.59:22350
122.114.18.62:12340
122.114.18.62:22350
122.114.18.64:12340
122.114.18.64:22350
122.114.18.65:12340
122.114.18.65:22350
122.114.18.66:12340
122.114.18.66:22350
122.114.18.68:12340
122.114.18.68:22350
122.114.18.74:12340
122.114.18.74:22350
122.114.18.75:12340
122.114.18.75:22350
122.114.18.76:12340
122.114.18.76:22350
122.114.18.77:12340
122.114.18.77:22350
122.114.18.78:12340
122.114.18.78:22350
122.114.18.79:12340
122.114.18.79:22350
122.114.18.7:12340
122.114.18.7:22350
122.114.18.83:12340
122.114.18.83:22350
122.114.18.85:12340
122.114.18.85:22350
122.114.18.87:12340
122.114.18.87:22350
122.114.18.88:12340
122.114.18.88:22350
122.114.18.89:12340
122.114.18.89:22350
122.114.18.90:12340
122.114.18.90:22350
122.114.18.91:12340
122.114.18.91:22350
122.114.18.94:12340
122.114.18.94:22350
122.114.18.96:12340
122.114.18.96:22350
122.114.18.97:12340
122.114.18.97:22350
122.114.18.98:12340
122.114.18.98:22350
122.9.125.150:8000
122.9.125.150:8001
122.9.125.150:8002
122.9.125.150:8003
122.9.125.150:8004
122.9.125.150:8005
122.9.125.150:8006
122.9.125.150:8007
123.207.16.103:12340
129.204.202.169:12340
139.199.155.188:1235
139.199.166.208:12340
139.199.166.208:8443
139.199.72.163:12340
139.199.72.163:8443
139.199.83.96:12340
192.109.119.100:443
193.200.16.184:443
37.120.247.29:443
37.120.247.29:8080
43.153.63.174:12340

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2023-11-25)

http://103.146.230.153
103.146.230.153:443
106.14.196.21:8000
106.14.196.21:8001
106.14.196.21:8002
106.14.196.21:8003
111.230.31.215:1235
114.116.237.206:8000
114.116.237.206:8001
114.116.237.206:8002
114.116.237.206:8003
114.116.237.206:8004
114.116.237.206:8005
114.116.237.206:8006
114.116.237.206:8007
117.78.9.251:8000
117.78.9.251:8001
117.78.9.251:8002
117.78.9.251:8003
117.78.9.251:8004
117.78.9.251:8005
117.78.9.251:8006
117.78.9.251:8007
118.89.62.61:12340
119.29.170.82:1235
119.3.157.2:8000
119.3.157.2:8001
119.3.157.2:8002
119.3.157.2:8003
119.3.157.2:8004
119.3.157.2:8005
119.3.157.2:8006
119.3.157.2:8007
119.3.164.101:8000
119.3.164.101:8001
119.3.164.101:8002
119.3.164.101:8003
119.3.164.101:8004
119.3.164.101:8005
119.3.164.101:8006
119.3.164.101:8007
120.233.114.141:22000
120.233.114.141:22002
120.233.114.141:22003
120.233.114.141:22004
120.233.114.141:22005
120.233.114.141:22006
120.233.114.141:22007
120.233.114.144:22000
120.233.114.144:22001
120.233.114.144:22002
120.233.114.144:22003
120.233.114.144:22004
120.233.114.144:22006
120.233.114.144:22007
120.233.114.146:22000
120.233.114.146:22001
120.233.114.146:22002
120.233.114.146:22003
120.233.114.146:22004
120.233.114.146:22005
120.233.114.146:22007
120.233.114.156:22000
120.233.114.156:22001
120.233.114.156:22002
120.233.114.156:22003
120.233.114.156:22004
120.233.114.156:22005
120.233.114.156:22006
120.233.114.156:22007
120.233.114.161:22000
120.233.114.161:22001
120.233.114.161:22002
120.233.114.161:22003
120.233.114.161:22004
120.233.114.161:22006
120.233.114.161:22007
120.233.114.167:22000
120.233.114.167:22001
120.233.114.167:22002
120.233.114.167:22003
120.233.114.167:22004
120.233.114.167:22005
120.233.114.167:22006
120.233.114.167:22007
120.233.114.169:22000
120.233.114.169:22001
120.233.114.169:22002
120.233.114.169:22003
120.233.114.169:22004
120.233.114.169:22005
120.233.114.169:22007
120.233.114.171:22000
120.233.114.171:22001
120.233.114.171:22002
120.233.114.171:22003
120.233.114.171:22004
120.233.114.171:22005
120.233.114.171:22006
120.233.114.171:22007
120.233.114.177:22000
120.233.114.177:22001
120.233.114.177:22002
120.233.114.177:22003
120.233.114.177:22004
120.233.114.177:22005
120.233.114.177:22006
120.233.114.177:22007
120.233.114.182:22001
120.233.114.182:22002
120.233.114.182:22004
120.233.114.182:22005
120.233.114.182:22006
120.233.114.182:22007
120.233.114.187:22001
120.233.114.187:22002
120.233.114.187:22003
120.233.114.187:22004
120.233.114.187:22005
120.233.114.187:22006
120.233.114.187:22007
120.233.114.190:22000
120.233.114.190:22001
120.233.114.190:22002
120.233.114.190:22003
120.233.114.190:22004
120.233.114.190:22005
120.233.114.190:22006
120.233.114.190:22007
120.233.114.204:22000
120.233.114.204:22001
120.233.114.204:22003
120.233.114.204:22004
120.233.114.204:22005
120.233.114.204:22007
120.233.114.210:22000
120.233.114.210:22001
120.233.114.210:22002
120.233.114.210:22003
120.233.114.210:22004
120.233.114.210:22005
120.233.114.210:22006
120.233.114.210:22007
120.233.114.214:22000
120.233.114.214:22001
120.233.114.214:22002
120.233.114.214:22003
120.233.114.214:22004
120.233.114.214:22005
120.233.114.214:22006
120.233.114.214:22007
120.233.114.215:22000
120.233.114.215:22001
120.233.114.215:22002
120.233.114.215:22003
120.233.114.215:22004
120.233.114.215:22005
120.233.114.215:22007
120.233.114.218:22001
120.233.114.218:22002
120.233.114.218:22003
120.233.114.218:22004
120.233.114.218:22005
120.233.114.218:22006
120.233.114.218:22007
120.233.114.225:22000
120.233.114.225:22001
120.233.114.225:22002
120.233.114.225:22003
120.233.114.225:22004
120.233.114.225:22005
120.233.114.225:22006
120.233.114.225:22007
120.233.114.226:22000
120.233.114.226:22001
120.233.114.226:22002
120.233.114.226:22004
120.233.114.226:22005
120.233.114.226:22006
120.233.114.226:22007
120.233.114.235:22000
120.233.114.235:22001
120.233.114.235:22002
120.233.114.235:22003
120.233.114.235:22004
120.233.114.235:22005
120.233.114.235:22006
120.233.114.235:22007
120.233.114.237:22001
120.233.114.237:22003
120.233.114.237:22004
120.233.114.237:22006
120.233.114.237:22007
120.233.114.242:22000
120.233.114.242:22001
120.233.114.242:22003
120.233.114.242:22004
120.233.114.242:22005
120.233.114.242:22006
120.233.114.242:22007
120.233.114.243:22000
120.233.114.243:22001
120.233.114.243:22003
120.233.114.243:22004
120.233.114.243:22005
120.233.114.243:22006
120.233.114.243:22007
120.233.114.244:22000
120.233.114.244:22002
120.233.114.244:22003
120.233.114.244:22004
120.233.114.244:22005
120.233.114.244:22006
120.233.114.244:22007
120.46.141.88:8000
120.46.141.88:8001
120.46.141.88:8002
120.46.141.88:8003
120.46.141.88:8004
120.46.141.88:8005
120.46.141.88:8006
120.46.141.88:8007
120.46.152.197:8000
120.46.152.197:8001
120.46.152.197:8002
120.46.152.197:8003
120.46.152.197:8004
120.46.152.197:8005
120.46.152.197:8006
120.46.152.197:8007
120.46.157.112:8000
120.46.157.112:8001
120.46.157.112:8002
120.46.157.112:8003
120.46.157.112:8004
120.46.157.112:8005
120.46.157.112:8006
120.46.157.112:8007
121.36.200.164:8000
121.36.200.164:8001
121.36.200.164:8002
121.36.200.164:8003
121.36.200.164:8004
121.36.200.164:8005
121.36.200.164:8006
121.36.200.164:8007
121.36.203.169:8000
121.36.203.169:8001
121.36.203.169:8002
121.36.203.169:8003
121.36.203.169:8004
121.36.203.169:8005
121.36.203.169:8006
121.36.203.169:8007
121.36.205.81:8000
121.36.205.81:8001
121.36.205.81:8002
121.36.205.81:8003
121.36.205.81:8004
121.36.205.81:8005
121.36.205.81:8006
121.36.205.81:8007
121.36.21.47:8000
121.36.21.47:8001
121.36.21.47:8002
121.36.21.47:8003
121.36.21.47:8004
121.36.21.47:8005
121.36.21.47:8006
121.36.21.47:8007
121.36.212.187:8000
121.36.212.187:8001
121.36.212.187:8002
121.36.212.187:8003
121.36.212.187:8004
121.36.212.187:8005
121.36.212.187:8006
121.36.212.187:8007
121.36.22.58:8000
121.36.22.58:8001
121.36.22.58:8002
121.36.22.58:8003
121.36.22.58:8004
121.36.22.58:8005
121.36.22.58:8006
121.36.22.58:8007
121.36.223.91:8000
121.36.223.91:8001
121.36.223.91:8002
121.36.223.91:8003
121.36.223.91:8004
121.36.223.91:8005
121.36.223.91:8006
121.36.223.91:8007
121.36.241.218:8000
121.36.241.218:8001
121.36.241.218:8002
121.36.241.218:8003
121.36.241.218:8004
121.36.241.218:8005
121.36.241.218:8006
121.36.241.218:8007
121.36.43.95:8000
121.36.43.95:8001
121.36.43.95:8002
121.36.43.95:8003
121.36.43.95:8004
121.36.43.95:8005
121.36.43.95:8006
121.36.43.95:8007
121.36.64.43:8000
121.36.64.43:8001
121.36.64.43:8002
121.36.64.43:8003
121.36.64.43:8004
121.36.64.43:8005
121.36.64.43:8006
121.36.64.43:8007
121.37.136.145:8000
121.37.136.145:8001
121.37.136.145:8002
121.37.136.145:8003
121.37.136.145:8004
121.37.136.145:8005
121.37.136.145:8006
121.37.136.145:8007
121.37.161.136:8000
121.37.161.136:8001
121.37.161.136:8002
121.37.161.136:8003
121.37.161.136:8004
121.37.161.136:8005
121.37.161.136:8006
121.37.161.136:8007
121.37.179.2:8000
121.37.179.2:8001
121.37.179.2:8002
121.37.179.2:8003
121.37.179.2:8004
121.37.179.2:8005
121.37.179.2:8006
121.37.179.2:8007
121.37.184.68:8000
121.37.184.68:8001
121.37.184.68:8002
121.37.184.68:8003
121.37.184.68:8004
121.37.184.68:8005
121.37.184.68:8006
121.37.184.68:8007
122.114.18.13:12340
122.114.18.13:22350
122.114.18.86:22350
122.114.18.92:12340
122.114.18.92:22350
122.9.111.24:8000
122.9.111.24:8001
122.9.111.24:8002
122.9.111.24:8003
122.9.111.24:8004
122.9.111.24:8005
122.9.111.24:8006
122.9.111.24:8007
122.9.112.171:8000
122.9.112.171:8001
122.9.112.171:8002
122.9.112.171:8003
122.9.112.171:8004
122.9.112.171:8005
122.9.112.171:8006
122.9.112.171:8007
122.9.121.124:8000
122.9.121.124:8001
122.9.121.124:8002
122.9.121.124:8003
122.9.121.124:8004
122.9.121.124:8005
122.9.121.124:8006
122.9.121.124:8007
122.9.122.105:8000
122.9.122.105:8001
122.9.122.105:8002
122.9.122.105:8003
122.9.122.105:8004
122.9.122.105:8005
122.9.122.105:8006
122.9.122.105:8007
122.9.122.166:8000
122.9.122.166:8001
122.9.122.166:8002
122.9.122.166:8003
122.9.122.166:8004
122.9.122.166:8005
122.9.122.166:8006
122.9.122.166:8007
122.9.123.90:8000
122.9.123.90:8001
122.9.123.90:8002
122.9.123.90:8003
122.9.123.90:8004
122.9.123.90:8005
122.9.123.90:8006
122.9.123.90:8007
122.9.124.131:8000
122.9.124.131:8001
122.9.124.131:8002
122.9.124.131:8003
122.9.124.131:8004
122.9.124.131:8005
122.9.124.131:8006
122.9.124.131:8007
122.9.124.96:8000
122.9.124.96:8001
122.9.124.96:8002
122.9.124.96:8003
122.9.124.96:8004
122.9.124.96:8005
122.9.124.96:8006
122.9.124.96:8007
122.9.125.139:8000
122.9.125.139:8001
122.9.125.139:8002
122.9.125.139:8003
122.9.125.139:8004
122.9.125.139:8005
122.9.125.139:8006
122.9.125.139:8007
122.9.125.184:8000
122.9.125.184:8001
122.9.125.184:8002
122.9.125.184:8003
122.9.125.184:8004
122.9.125.184:8005
122.9.125.184:8006
122.9.125.184:8007
122.9.125.26:8000
122.9.125.26:8001
122.9.125.26:8002
122.9.125.26:8003
122.9.125.26:8004
122.9.125.26:8005
122.9.125.26:8006
122.9.125.26:8007
122.9.126.138:8000
122.9.126.138:8001
122.9.126.138:8002
122.9.126.138:8003
122.9.126.138:8004
122.9.126.138:8005
122.9.126.138:8006
122.9.126.138:8007
122.9.126.21:8000
122.9.126.21:8001
122.9.126.21:8002
122.9.126.21:8003
122.9.126.21:8004
122.9.126.21:8005
122.9.126.21:8006
122.9.126.21:8007
122.9.126.235:8000
122.9.126.235:8001
122.9.126.235:8002
122.9.126.235:8003
122.9.126.235:8004
122.9.126.235:8005
122.9.126.235:8006
122.9.126.235:8007
122.9.126.59:8000
122.9.126.59:8001
122.9.126.59:8002
122.9.126.59:8003
122.9.126.59:8004
122.9.126.59:8005
122.9.126.59:8006
122.9.126.59:8007
122.9.126.74:8000
122.9.126.74:8001
122.9.126.74:8002
122.9.126.74:8003
122.9.126.74:8004
122.9.126.74:8005
122.9.126.74:8006
122.9.126.74:8007
122.9.96.62:8000
122.9.96.62:8001
122.9.96.62:8002
122.9.96.62:8003
122.9.96.62:8004
122.9.96.62:8005
122.9.96.62:8006
122.9.96.62:8007
122.9.98.121:8000
122.9.98.121:8001
122.9.98.121:8002
122.9.98.121:8003
122.9.98.121:8004
122.9.98.121:8005
122.9.98.121:8006
122.9.98.121:8007
123.207.12.142:1235
123.207.16.103:8443
123.207.18.157:12340
123.207.18.157:8443
123.60.12.32:8000
123.60.12.32:8001
123.60.12.32:8002
123.60.12.32:8003
123.60.12.32:8004
123.60.12.32:8005
123.60.12.32:8006
123.60.12.32:8007
123.60.218.46:8000
123.60.218.46:8001
123.60.218.46:8002
123.60.218.46:8003
123.60.218.46:8004
123.60.218.46:8005
123.60.218.46:8006
123.60.218.46:8007
123.60.221.78:8000
123.60.221.78:8001
123.60.221.78:8002
123.60.221.78:8003
123.60.221.78:8004
123.60.221.78:8005
123.60.221.78:8006
123.60.221.78:8007
123.60.31.114:8000
123.60.31.114:8001
123.60.31.114:8002
123.60.31.114:8003
123.60.31.114:8004
123.60.31.114:8005
123.60.31.114:8006
123.60.31.114:8007
123.60.31.166:8000
123.60.31.166:8001
123.60.31.166:8002
123.60.31.166:8003
123.60.31.166:8004
123.60.31.166:8005
123.60.31.166:8006
123.60.31.166:8007
123.60.92.210:8000
123.60.92.210:8001
123.60.92.210:8002
123.60.92.210:8003
123.60.92.210:8004
123.60.92.210:8005
123.60.92.210:8006
123.60.92.210:8007
123.60.94.121:8000
123.60.94.121:8001
123.60.94.121:8002
123.60.94.121:8003
123.60.94.121:8004
123.60.94.121:8005
123.60.94.121:8006
123.60.94.121:8007
124.70.128.38:8000
124.70.128.38:8001
124.70.128.38:8002
124.70.128.38:8003
124.70.128.38:8004
124.70.128.38:8005
124.70.128.38:8006
124.70.128.38:8007
124.70.186.208:8000
124.70.186.208:8001
124.70.186.208:8002
124.70.186.208:8003
124.70.186.208:8004
124.70.186.208:8005
124.70.186.208:8006
124.70.186.208:8007
124.70.204.39:8000
124.70.204.39:8001
124.70.204.39:8002
124.70.204.39:8003
124.70.204.39:8004
124.70.204.39:8005
124.70.204.39:8006
124.70.204.39:8007
124.70.21.77:8000
124.70.21.77:8001
124.70.21.77:8002
124.70.21.77:8003
124.70.21.77:8004
124.70.21.77:8005
124.70.21.77:8006
124.70.21.77:8007
124.70.29.43:8000
124.70.29.43:8001
124.70.29.43:8002
124.70.29.43:8003
124.70.29.43:8004
124.70.29.43:8005
124.70.29.43:8006
124.70.29.43:8007
124.70.87.2:8000
124.70.87.2:8001
124.70.87.2:8002
124.70.87.2:8003
124.70.87.2:8004
124.70.87.2:8005
124.70.87.2:8006
124.70.87.2:8007
124.71.10.22:8000
124.71.10.22:8001
124.71.10.22:8002
124.71.10.22:8003
124.71.10.22:8004
124.71.10.22:8005
124.71.10.22:8006
124.71.10.22:8007
124.71.14.157:8000
124.71.14.157:8001
124.71.14.157:8002
124.71.14.157:8003
124.71.14.157:8004
124.71.14.157:8005
124.71.14.157:8006
124.71.14.157:8007
124.71.186.151:8000
124.71.186.151:8001
124.71.186.151:8002
124.71.186.151:8003
124.71.186.151:8004
124.71.186.151:8005
124.71.186.151:8006
124.71.186.151:8007
124.71.192.182:8000
124.71.192.182:8001
124.71.192.182:8002
124.71.192.182:8003
124.71.192.182:8004
124.71.192.182:8005
124.71.192.182:8006
124.71.192.182:8007
124.71.193.201:8000
124.71.193.201:8001
124.71.193.201:8002
124.71.193.201:8003
124.71.193.201:8004
124.71.193.201:8005
124.71.193.201:8006
124.71.193.201:8007
124.71.205.70:8000
124.71.205.70:8001
124.71.205.70:8002
124.71.205.70:8003
124.71.205.70:8004
124.71.205.70:8005
124.71.205.70:8006
124.71.205.70:8007
124.71.228.182:8000
124.71.228.182:8001
124.71.228.182:8002
124.71.228.182:8003
124.71.228.182:8004
124.71.228.182:8005
124.71.228.182:8006
124.71.228.182:8007
124.71.63.158:8000
124.71.63.158:8001
124.71.63.158:8002
124.71.63.158:8003
124.71.63.158:8004
124.71.63.158:8005
124.71.63.158:8006
124.71.63.158:8007
124.71.99.215:8000
124.71.99.215:8001
124.71.99.215:8002
124.71.99.215:8003
124.71.99.215:8004
124.71.99.215:8005
124.71.99.215:8006
124.71.99.215:8007
139.159.152.195:8000
139.159.152.195:8001
139.159.152.195:8002
139.159.152.195:8003
139.159.152.195:8004
139.159.152.195:8005
139.159.152.195:8006
139.159.152.195:8007
139.9.119.173:8000
139.9.119.173:8001
139.9.119.173:8002
139.9.119.173:8003
139.9.119.173:8004
139.9.119.173:8005
139.9.119.173:8006
139.9.119.173:8007
139.9.135.156:8000
139.9.135.156:8001
139.9.135.156:8002
139.9.135.156:8003
139.9.135.156:8004
139.9.135.156:8005
139.9.135.156:8006
139.9.135.156:8007
139.9.138.15:8000
139.9.138.15:8001
139.9.138.15:8002
139.9.138.15:8003
139.9.138.15:8004
139.9.138.15:8005
139.9.138.15:8006
139.9.138.15:8007
139.9.221.228:8000
139.9.221.228:8001
139.9.221.228:8002
139.9.221.228:8003
139.9.221.228:8004
139.9.221.228:8005
139.9.221.228:8006
139.9.221.228:8007
139.9.36.241:8000
139.9.36.241:8001
139.9.36.241:8002
139.9.36.241:8003
139.9.36.241:8004
139.9.36.241:8005
139.9.36.241:8006
139.9.36.241:8007
139.9.37.126:8000
139.9.37.126:8001
139.9.37.126:8002
139.9.37.126:8003
139.9.37.126:8004
139.9.37.126:8005
139.9.37.126:8006
139.9.37.126:8007
139.9.80.84:8000
139.9.80.84:8001
139.9.80.84:8002
139.9.80.84:8003
139.9.80.84:8004
139.9.80.84:8005
139.9.80.84:8006
139.9.80.84:8007
139.9.86.92:8000
139.9.86.92:8001
139.9.86.92:8002
139.9.86.92:8003
139.9.86.92:8004
139.9.86.92:8005
139.9.86.92:8006
139.9.86.92:8007
141.164.54.104:443
185.126.237.57:443
193.112.241.118:12340
218.64.122.107:8081
37.120.247.29:8443
38.54.32.114:443
38.54.84.31:443
45.77.174.203:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2023-12-03)

http://103.56.55.153
http://141.164.54.104
http://154.84.23.110
http://165.154.64.215
http://40.74.70.136
http://45.74.6.169
http://45.74.6.251
http://45.77.174.203
http://5.183.95.202
http://54.219.223.239
http://96.9.210.77
101.132.147.163:8000
101.132.147.163:8001
101.132.147.163:8003
101.200.77.210:6051
116.72.78.89:8443
118.249.189.96:13702
118.69.225.164:1433
118.89.52.171:8000
118.89.52.171:8001
118.89.52.171:8002
118.89.52.171:8003
119.3.188.193:8000
119.3.188.193:8001
119.3.188.193:8002
119.3.188.193:8003
119.3.188.193:8004
119.3.188.193:8005
119.3.188.193:8006
119.3.188.193:8007
119.3.227.189:8000
119.3.227.189:8001
119.3.227.189:8002
119.3.227.189:8003
119.3.227.189:8004
119.3.227.189:8005
119.3.227.189:8006
119.3.227.189:8007
120.233.114.141:22001
120.233.114.144:22005
120.233.114.146:22006
120.233.114.161:22005
120.233.114.169:22006
120.233.114.182:22000
120.233.114.182:22003
120.233.114.184:22000
120.233.114.184:22001
120.233.114.184:22002
120.233.114.184:22003
120.233.114.184:22004
120.233.114.184:22005
120.233.114.184:22006
120.233.114.184:22007
120.233.114.186:22000
120.233.114.186:22001
120.233.114.186:22002
120.233.114.186:22003
120.233.114.186:22004
120.233.114.186:22005
120.233.114.186:22006
120.233.114.186:22007
120.233.114.187:22000
120.233.114.204:22002
120.233.114.204:22006
120.233.114.215:22006
120.233.114.218:22000
120.233.114.226:22003
120.233.114.229:22000
120.233.114.229:22001
120.233.114.229:22002
120.233.114.229:22003
120.233.114.229:22004
120.233.114.229:22005
120.233.114.229:22006
120.233.114.229:22007
120.233.114.237:22000
120.233.114.237:22002
120.233.114.237:22005
120.233.114.242:22002
120.233.114.243:22002
120.233.114.244:22001
120.233.50.14:22000
120.233.50.14:22001
120.233.50.14:22002
120.233.50.14:22003
120.233.50.14:22004
120.233.50.14:22005
120.233.50.14:22006
120.233.50.14:22007
120.46.142.56:8000
120.46.142.56:8001
120.46.142.56:8002
120.46.142.56:8003
120.46.142.56:8004
120.46.142.56:8005
120.46.142.56:8006
120.46.142.56:8007
121.36.106.89:8000
121.36.106.89:8001
121.36.106.89:8002
121.36.106.89:8003
121.36.106.89:8004
121.36.106.89:8005
121.36.106.89:8006
121.36.106.89:8007
121.36.83.144:8000
121.36.83.144:8001
121.36.83.144:8002
121.36.83.144:8003
121.36.83.144:8004
121.36.83.144:8005
121.36.83.144:8006
121.36.83.144:8007
122.114.18.100:22350
122.114.18.42:12340
122.254.94.69:443
123.60.55.205:8000
123.60.55.205:8001
123.60.55.205:8002
123.60.55.205:8003
123.60.55.205:8004
123.60.55.205:8005
123.60.55.205:8006
123.60.55.205:8007
124.223.102.72:8443
124.70.200.238:8000
124.70.200.238:8001
124.70.200.238:8002
124.70.200.238:8003
124.70.200.238:8004
124.70.200.238:8005
124.70.200.238:8006
124.70.200.238:8007
124.70.202.122:8000
124.70.202.122:8001
124.70.202.122:8002
124.70.202.122:8003
124.70.202.122:8004
124.70.202.122:8005
124.70.202.122:8006
124.70.202.122:8007
124.70.38.91:8000
124.70.38.91:8001
124.70.38.91:8002
124.70.38.91:8003
124.70.38.91:8004
124.70.38.91:8005
124.70.38.91:8006
124.70.38.91:8007
124.70.56.41:8000
124.70.56.41:8001
124.70.56.41:8002
124.70.56.41:8003
124.70.56.41:8004
124.70.56.41:8005
124.70.56.41:8006
124.70.56.41:8007
124.70.63.174:8000
124.70.63.174:8001
124.70.63.174:8002
124.70.63.174:8003
124.70.63.174:8004
124.70.63.174:8005
124.70.63.174:8006
124.70.63.174:8007
13.115.194.155:53
14.225.192.198:443
148.66.22.106:443
148.66.22.106:8443
148.66.22.107:443
148.66.22.107:8443
148.66.22.108:443
148.66.22.108:8443
148.66.22.109:443
148.66.22.109:8443
148.66.22.110:443
148.66.22.110:8443
149.202.45.103:8081
149.28.23.65:12345
154.84.23.116:53
156.59.39.106:443
165.154.64.215:443
208.76.222.168:443
211.75.116.27:443
216.83.40.84:443
3.91.231.34:8083
35.77.99.82:53
38.180.54.6:443
38.181.24.48:8000
38.181.24.48:8080
38.60.221.150:443
43.128.40.28:8080
43.229.112.203:65000
45.195.76.26:443
45.74.6.77:8443
45.76.110.175:53
45.77.183.245:8080
45.86.162.190:443
52.128.229.100:443
52.128.229.98:443
52.128.229.99:443
54.219.223.239:53
64.176.59.90:443
96.9.210.77:21
96.9.210.77:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2023-12-24)

http://192.109.119.100
http://45.32.106.247
http://46.246.98.47
1.12.224.214:12340
192.109.119.100:8080
45.129.199.38:443
45.129.199.38:8080
45.76.83.253:443
89.38.131.70:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2024-01-03)

http://107.148.73.109
http://110.173.53.162
http://141.98.212.38
http://143.92.60.54
http://155.138.142.176
http://185.189.241.209
http://194.246.114.4
http://34.96.231.241
http://45.117.102.174
http://45.67.34.151
http://45.74.6.14
http://45.74.6.175
http://8.130.26.42
http://8.212.157.140
1.94.125.189:8000
1.94.125.189:8001
103.86.45.200:2096
103.86.45.200:53
107.148.45.172:443
107.148.73.109:443
110.173.53.162:443
121.37.164.60:8000
121.37.164.60:8001
121.37.164.60:8002
121.37.164.60:8003
121.37.164.60:8004
121.37.164.60:8005
121.37.164.60:8007
122.114.18.86:12340
122.254.94.69:8080
123.60.174.4:8000
123.60.174.4:8001
124.71.188.124:8000
124.71.188.124:8001
124.71.188.124:8002
124.71.188.124:8004
124.71.188.124:8005
124.71.188.124:8007
141.98.212.38:8080
149.28.136.218:443
151.236.18.179:443
156.255.3.7:443
156.59.168.116:1688
156.59.168.116:443
175.27.191.226:53
185.130.214.116:443
185.189.241.209:443
185.189.241.254:443
185.189.241.254:53
192.71.26.172:443
194.116.191.150:443
194.116.191.150:8081
194.116.191.150:88
194.246.114.4:21
194.246.114.4:443
20.6.82.79:443
23.225.71.115:12345
23.225.71.115:8888
34.81.45.231:443
34.96.231.241:53
37.1.193.156:443
43.132.173.7:12345
43.135.1.200:53
45.32.106.247:443
45.67.34.151:443
45.67.34.151:8080
45.74.6.175:21
52.128.229.100:12345
52.128.229.101:443
52.128.229.102:12345
52.128.229.102:443
52.128.229.98:12345
52.128.229.99:12345
58.20.44.195:13702
60.204.211.54:8000
60.204.211.54:8001
8.130.26.42:12345
8.130.26.42:443
8.212.157.140:443
94.131.119.167:8080
sdfsj3h1s54-yh.foy9dong.com
stationarycell.xyz

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2024-01-16)

http://155.138.154.203
1.92.75.200:8000
1.92.75.200:8001
1.92.75.200:8002
1.92.75.200:8003
1.92.75.200:8004
1.92.75.200:8005
1.92.75.200:8006
1.92.75.200:8007
1.92.91.219:8000
1.92.91.219:8001
1.92.91.219:8002
1.92.91.219:8003
1.92.91.219:8004
1.92.91.219:8005
1.92.91.219:8006
1.92.91.219:8007
1.94.125.189:8002
1.94.125.189:8003
1.94.125.189:8004
1.94.125.189:8005
1.94.125.189:8006
1.94.125.189:8007
103.91.64.204:443
103.91.64.204:80
120.46.66.113:8000
120.46.66.113:8001
120.46.66.113:8002
120.46.66.113:8003
120.46.66.113:8004
120.46.66.113:8005
120.46.66.113:8006
120.46.66.113:8007
121.37.164.60:8006
123.60.174.4:8002
123.60.174.4:8003
123.60.174.4:8004
123.60.174.4:8005
123.60.174.4:8006
123.60.174.4:8007
124.70.0.94:8000
124.70.0.94:8001
124.70.0.94:8002
124.70.0.94:8003
124.70.0.94:8004
124.70.0.94:8005
124.70.0.94:8006
124.70.0.94:8007
124.70.98.249:8000
124.70.98.249:8001
124.70.98.249:8002
124.70.98.249:8003
124.70.98.249:8004
124.70.98.249:8005
124.70.98.249:8006
124.70.98.249:8007
124.71.188.124:8003
124.71.188.124:8006
124.71.218.160:8000
124.71.218.160:8001
124.71.218.160:8002
124.71.218.160:8003
124.71.218.160:8004
124.71.218.160:8005
124.71.218.160:8006
124.71.218.160:8007
124.71.222.120:8000
124.71.222.120:8001
124.71.222.120:8002
124.71.222.120:8003
124.71.222.120:8004
124.71.222.120:8005
124.71.222.120:8006
124.71.222.120:8007
139.159.146.137:8000
139.159.146.137:8001
139.159.146.137:8002
139.159.146.137:8003
139.159.146.137:8004
139.159.146.137:8005
139.159.146.137:8006
139.159.146.137:8007
139.9.180.3:8000
139.9.180.3:8001
139.9.180.3:8002
139.9.180.3:8003
139.9.180.3:8004
139.9.180.3:8005
139.9.180.3:8006
139.9.180.3:8007
139.9.41.174:8000
139.9.41.174:8001
139.9.41.174:8002
139.9.41.174:8003
139.9.41.174:8004
139.9.41.174:8005
139.9.41.174:8006
139.9.41.174:8007
194.116.191.150:8080
45.77.183.245:443
5.252.178.189:443
5.252.178.189:8080
60.204.211.54:8002
60.204.211.54:8003
60.204.211.54:8004
60.204.211.54:8005
60.204.211.54:8006
60.204.211.54:8007

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2024-01-23)

http://103.91.64.204
http://38.55.204.19
http://5.252.178.189
155.138.154.203:443
195.123.217.139:443
20.2.219.165:3389
27.44.204.144:22000
27.44.204.144:22002
27.44.204.144:22003
27.44.204.144:22004
27.44.204.144:22005
27.44.204.144:22007
27.44.204.161:22000
27.44.204.161:22001
27.44.204.161:22002
27.44.204.161:22003
27.44.204.161:22004
27.44.204.161:22005
27.44.204.161:22006
27.44.204.161:22007
27.44.204.219:22000
27.44.204.219:22001
27.44.204.219:22003
27.44.204.219:22004
27.44.204.219:22007
27.44.204.229:22000
27.44.204.233:22001
27.44.204.233:22002
45.32.106.247:8080
5.252.178.189:8443

# Reference: https://twitter.com/nahamike01/status/1755183472677924879

supermirco.us
micro.supermirco.us
mircoo.supermirco.us
ns.supermirco.us

# Reference: https://twitter.com/luc4m/status/1778110699870310840

165.154.227.192:6005
165.154.227.192:7000

# Reference: https://twitter.com/Cyberteam008/status/1779763262722355512

173.199.71.210:443
185.174.172.41:443
194.156.99.115:443
194.156.99.115:8443
195.85.250.254:443
45.77.65.219:443
65.20.98.31:443

# Reference: https://twitter.com/ValidinLLC/status/1779916377039495523

80.92.204.66:3306
80.92.204.66:443

# Reference: https://twitter.com/1ZRR4H/status/1783528366194196585
# Reference: https://app.validin.com/detail?type=raw&find=AndroidControl+v1.0.4#tab=host_pairs

http://120.78.223.152
http://47.241.218.217
http://8.219.55.216
120.78.223.152:443
47.241.218.217:443
8.219.55.216:443
vmess.xhhzs.cn

# Reference: https://x.com/SBousseaden/status/1794484811064586632
# Reference: https://www.virustotal.com/gui/file/deecc7fa56d74dcf87ddf728261a1fe9a4f7a0e0d187111ab60e5b8051e59ae3/detection

prod.microsoftdirect.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2024-06-09)

103.158.190.167:443
128.14.105.154:443
139.180.208.107:443
146.70.157.115:443
164.215.103.248:443
173.199.71.24:443
185.167.61.21:443
185.81.114.45:443
193.56.255.142:443
207.148.95.161:443
38.55.204.19:80
38.60.193.62:443
45.116.78.250:443
45.159.250.235:443
45.32.115.37:443
47.242.52.22:443
47.243.60.4:443
64.176.8.105:443
8.210.134.47:443
8.210.167.64:443
8.210.168.192:443
8.210.174.168:443
8.210.221.119:443
8.210.4.242:443
8.210.74.92:443
8.217.0.193:443
8.217.107.25:443
8.217.122.135:443
8.217.84.192:443
8.217.96.167:443
8.218.128.35:443
8.218.163.77:443
8.218.17.11:443
8.218.193.197:443
8.218.213.245:443
8.218.217.76:443
8.218.244.117:443
8.218.248.158:443
8.218.56.204:443
94.131.110.28:443

# Reference: https://x.com/nahamike01/status/1799730688725508290

http://158.247.199.185
158.247.199.185:3389
158.247.199.185:443
158.247.199.185:53

# Reference: https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
# Reference: https://www.virustotal.com/gui/ip-address/95.164.16.231/relations

http://152.89.244.185
akacur.tk
eloples.com
ns1.akacur.tk
ns2.akacur.tk
orange-breeze-66bb.tezsfsoikdvd.workers.dev

# Reference: https://x.com/Cyberteam008/status/1818119578204934582
# Reference: https://pastebin.com/AYzCKMsf

amazonlivenews.com
gmail.verifypay.shop
google.pythonpplus.org
googleaccount.org
microsoftbackups.com
microsoftremotehelps.com
micsoftonedrive.com
pishgaman.pw
pythonpplus.org
verifypay.shop
youtubedownloading.com
qw05.liaoqazqq.com
s.pishgaman.pw
voiptelsolutions.splynx.app

# Reference: https://x.com/Huntio/status/1824654200955080733
# Reference: https://x.com/_langly/status/1824768675548672100

bingsearches.com
buildhosting.club
cargobussi.org
googlelivenews.com
mail-pk.xyz
microsoftcode.com
microsoftdaily.com
microsoftdesktop.com
pk-information.com
solarwindsaf.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2024-08-18)

http://167.179.103.75
http://207.246.119.197
http://46.29.163.195
http://64.176.179.67
http://64.176.44.238
http://95.179.235.165
http://96.30.196.210
108.61.208.146:443
149.28.146.215:443
152.32.201.190:443
167.179.106.174:443
173.199.122.23:53
185.76.78.78:443
198.13.51.5:443
199.247.10.114:443
199.247.23.228:443
202.182.118.85:443
207.246.106.76:443
207.246.119.197:443
207.246.119.197:8080
38.54.79.213:443
38.60.134.143:443
45.77.170.31:443
45.77.36.13:443
89.38.128.94:443
95.179.163.123:443
95.179.242.107:443
95.179.249.161:443
96.30.196.210:443
app.kaspersky-scan.com
auth.microsoftsservice.com
bold-hamilton.207-246-119-197.plesk.page
cloud.kaspersky-scan.com
cloud.microsoftsservice.com
db.microsoftsservice.com
gov.jmjejij.otzo.com
hb.kaspersky-scan.com
id2.microsoftsservice.com
img.shaduruanjian8.com
it.jmjejij.otzo.com
jmjejij.otzo.com
kaspersky-scan.com
micro.gay
microsoftsservice.com
randzalo.com
shaduruanjian8.com
stdhgd.com
tc.microsoftsservice.com
top.microsoftsservice.com
update.micro.gay
weblink.microsoftsservice.com

# Reference: https://www.trendmicro.com/en_sg/research/24/h/earth-baku-latest-campaign.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/h/earth-baku/ioc-a-dive-into-earth-baku-latest-campaign.txt
# Reference: https://www.virustotal.com/gui/file/7f24bc080281d250ec88493e5803e488721a17c9382cd54ba8dfbcb785f23a88/detection

cdn7854.workers.dev
icy-bar-c375.microsoft-updates.workers.dev
microsoft-updates.workers.dev
mircoupdate.https443.net
realgodad.workers.dev
shrill-tooth-b557.vgfjuic.workers.dev
track.cdn78544.ru
vgfjuic.workers.dev
update-chrome.realgodad.workers.dev

# Reference: https://x.com/Cyberteam008/status/1826126334919082085
# Reference: https://www.virustotal.com/gui/ip-address/154.90.58.189/relations
# Reference: https://www.virustotal.com/gui/ip-address/38.54.50.46/relations
# Reference: https://www.virustotal.com/gui/file/b2d2380ec8001acfacbba10305c5dd4fe8bd153bfb00377bb6c6a0f94b29e804/detection
# Reference: https://www.virustotal.com/gui/file/f16faa26f8871692c49c5bc4a047b33aad0dcffdba5c6d8f08ad636b94859cf7/detection

http://38.60.198.164
91newai.com
new-openai.com
ngo.91newai.com
tw.new-openai.com

# Reference: https://x.com/Cyberteam008/status/1826433189012730325
# Reference: https://www.virustotal.com/gui/ip-address/89.38.128.94/relations
# Reference: https://www.virustotal.com/gui/ip-address/94.231.205.25/relations

netbill.pk
admin.netbill.pk
mail.netbill.pk
random.netbill.pk

# Reference: https://x.com/Cyberteam008/status/1828624431117181112
# Reference: https://en.fofa.info/result?qbase64=Y2VydD0iMTgyMDk2NTM3Njc1ODE0NDk5NDEi

152.32.139.23:443
45.112.53.130:8080

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2024-09-08)

http://103.27.111.247
http://103.87.10.214
112.120.226.125:5006
121.229.58.86:3306
123.56.0.80:10000
139.180.223.116:443
141.164.50.114:443
144.202.1.189:21
144.202.1.189:443
154.205.145.210:443
156.244.2.26:443
159.69.83.16:443
165.22.117.169:443
167.179.112.116:443
192.71.213.155:443
194.5.212.218:443
194.5.212.218:53
199.247.2.134:443
199.247.23.86:443
207.148.120.98:443
207.148.66.49:443
208.85.16.252:443
219.78.165.215:5006
31.192.107.196:443
35.181.55.11:443
38.60.217.161:443
38.60.250.74:443
45.32.151.219:443
45.32.32.252:443
45.76.189.33:443
45.77.133.154:443
45.77.9.96:443
66.42.37.139:443
80.240.16.246:443
82.67.49.76:63601
95.179.145.120:443
95.179.220.191:443
95.179.221.218:443
95.179.240.31:443

# Reference: https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

185.132.125.72:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2024-09-09)

158.247.243.186:443
206.189.224.6:443
5.42.74.254:2083

# Reference: https://x.com/malwrhunterteam/status/1815256468431528370
# Reference: https://x.com/nao_sec/status/1826977609328325111
# Reference: https://jp.security.ntt/tech_blog/appdomainmanager-injection
# Reference: https://www.virustotal.com/gui/file/1d40ac126547b1523a3fb7d584deec907315c5ef7f44ffa96ef4bd18702101f6/detection

krislab.site
msn-microsoft.org
s3-microsoft.com
s3bucket-azure.online
trendmicrotech.com
visualstudio-microsoft.com
xtools.lol
static.krislab.site

# Reference: https://x.com/StrikeReadyLabs/status/1819460764517683658
# Reference: https://x.com/dez_/status/1825896855466565963
# Reference: https://www.virustotal.com/gui/file/4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54/detection

s3cloud-azure.com
status.s3cloud-azure.com
360photo.oss-cn-hongkong.aliyuncs.com
s3-r-w.me-south-1.amazonaws.com
wordpresss-data.s3.me-south-1.amazonaws.com

# Reference: https://x.com/suyog41/status/1835557924443509029
# Reference: https://www.virustotal.com/gui/file/7d8894520e26755e0f191078df140898882837c90d338174487c1e2d17a72756/detection

http://103.214.173.55
103.214.173.55:443
xiang1234.oss-cn-hongkong.aliyuncs.com

# Reference: https://x.com/StrikeReadyLabs/status/1826969590494064789
# Reference: https://www.virustotal.com/gui/file/0ba468400dd88b6dbe96407cb104f28876adb62805689d97de5d2650770ff39c/detection

proradead.s3.sa-east-1.amazonaws.com

# Reference: https://x.com/Cyberteam008/status/1836967191893176652
# Reference: https://www.virustotal.com/gui/ip-address/139.84.133.219/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.76.165.217/relations

microsoftdnshelp.com
techsupport-microsoft.co.in
ns1.microsoftdnshelp.com
ns2.microsoftdnshelp.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2024-09-22)

http://47.242.52.22
http://8.210.174.168
http://8.217.122.135
109.207.171.191:443
121.162.13.25:21
121.162.13.25:8022
139.84.236.159:443
141.164.35.65:443
149.28.186.14:443
149.28.28.9:443
151.236.23.49:443
155.138.195.85:443
167.179.70.58:443
217.69.6.191:443
38.60.199.119:443
45.80.215.133:443
47.242.52.22:53
64.176.229.94:443
8.217.107.25:44444
8.217.107.25:53
8.217.122.135:53
8.218.163.77:53
8.218.193.197:44444
8.218.193.197:53
95.179.134.240:53
95.179.176.94:8443

# Reference: https://x.com/r0ny_123/status/1837896240865923072
# Reference: https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt

http://152.42.243.170
http://167.172.84.142
http://167.172.89.142
http://188.166.252.85
152.42.243.170:22
152.42.243.170:443
167.172.84.142:443
167.172.89.142:443
188.166.252.85:443
browser-events-data-microsoft.com
hinet.ink
hinet.lat
islot.ink
oca.pics
s3-azure.com
bobs8.oss-cn-hongkong.aliyuncs.com
cooltours.s3.sa-east-1.amazonaws.com
doare-assets.s3.sa-east-1.amazonaws.com
ecgglass-arq.s3.sa-east-1.amazonaws.com
homologacao-sisp.s3.sa-east-1.amazonaws.com
kcalmoments.s3.me-south-1.amazonaws.com
ms1.hinet.lat
msa.hinet.ink
recordar-simmco.s3.sa-east-1.amazonaws.com
rocean.oca.pics
s3-contemp.s3.sa-east-1.amazonaws.com
souzacambos.s3.sa-east-1.amazonaws.com
static.trendmicrotech.com
us2.s3bucket-azure.online
xiiltrionsoledadprod.s3.sa-east-1.amazonaws.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2024-09-29)

http://8.210.134.47
http://8.210.167.64
http://8.210.221.119
http://8.210.74.92
http://8.218.17.11
http://8.218.56.204
136.244.119.156:443
198.13.39.189:443
202.162.108.45:443
38.60.196.212:443
45.76.191.59:443
46.246.98.47:8080

# Reference: https://x.com/pancak3lullz/status/1853452698919555575
# Reference: https://www.virustotal.com/gui/ip-address/136.244.116.245/relations
# Reference: https://www.virustotal.com/gui/ip-address/64.176.69.95/relations

kasperskyupdate.com
paloaltonetworkhelp.com

# Reference: https://x.com/DmitriyMelikov/status/1856721308802793496
# Reference: https://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign

103.255.176.176:28992
119.147.213.48:28992
202.43.239.13:28992

# Reference: https://x.com/Cyberteam008/status/1858703453981450712
# Reference: https://www.virustotal.com/gui/file/79c2c656eac34f628406855c9fafe36161ac423c071d9b20b64f4f511c9ec241/detection

http://37.120.222.37
37.120.222.37:443

# Reference: https://x.com/Cyberteam008/status/1861596387625890122

103.96.130.107:443
139.180.129.136:443
139.84.168.41:443
158.247.214.28:443
165.154.201.115:443
188.208.141.207:443
45.125.67.58:443

# Reference: https://securelist.com/eagerbee-backdoor/115175/
# Reference: https://www.virustotal.com/gui/ip-address/151.236.16.167/relations
# Reference: https://www.virustotal.com/gui/ip-address/194.71.107.215/relations
# Reference: https://www.virustotal.com/gui/ip-address/62.233.57.94/relations
# Reference: https://www.virustotal.com/gui/ip-address/82.118.21.230/relations

http://195.123.242.120
http://5.34.176.46
195.123.242.120:443
5.34.176.46:443
carruthersfredericklawyers.com
carruthersfredericklegals.com
ellisonpeterslaws.com
ellisonpeterslawyer.com
feedfoodconcerning.info
feedfoodconcerning.org
gnel.feedfoodconcerning.org
goldmanrichardlegal.com
goldmanrichardlegals.com
oldfriendsnetwork.com
rambiler.com
socialentertainments.store

# Reference: https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set
# Reference: https://www.virustotal.com/gui/file/e9cb02690d987de8d392d0e24b3ccbb294c751dff73962135913c7ec0d8a8064/detection

185.195.237.123:443
185.82.217.164:443
195.123.245.79:443
45.90.58.103:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.shadowpad/ (# 2025-01-05)

http://104.167.16.95
http://185.117.89.125
http://185.22.153.161
http://185.22.154.64
http://45.140.168.49
http://46.17.41.15
http://46.17.41.154
http://47.242.0.122
http://47.242.16.105
http://5.252.178.185
http://8.210.30.189
http://8.210.6.230
http://8.217.0.193
http://8.217.84.192
http://8.218.163.77
http://8.218.193.197
http://8.218.213.245
http://8.218.217.76
http://8.218.244.117
http://8.218.25.58
103.215.216.72:443
103.27.109.72:443
103.87.8.199:443
104.167.16.95:443
107.191.62.206:443
117.50.213.101:443
118.194.249.212:8080
136.244.116.245:443
136.244.80.115:443
139.84.214.241:443
139.84.214.241:53
141.164.49.53:8443
149.28.128.65:443
149.28.159.61:443
158.247.252.152:443
166.1.22.41:443
176.126.83.225:443
185.186.76.151:443
185.213.20.117:443
185.81.115.126:443
199.247.22.187:443
212.192.215.143:443
217.69.15.243:443
27.124.53.33:443
38.60.211.116:443
43.246.208.207:443
43.246.210.196:443
45.32.121.197:8080
45.32.51.228:8080
45.76.209.205:443
45.77.16.161:443
45.77.170.188:443
47.242.0.122:443
47.242.16.105:443
47.242.16.105:53
5.189.221.41:443
5.252.178.185:443
64.176.59.232:443
64.176.65.49:443
64.176.69.95:443
65.20.76.134:443
65.20.78.130:443
8.210.30.189:443
8.210.6.230:443
8.218.25.58:443
8.218.25.58:53
91.149.240.153:443
91.149.241.103:443
95.179.179.83:443
95.179.244.134:443
64-176-59-232.ipv4.staticdns3.io
64.176.65.49.sslip.io
app.microsoftstaticapi.com
asdasw21.icu
cdn.withrental.com
hopeful-jang.207-246-119-197.plesk.page
micheeasodh.top
microsoftstaticapi.com
node5.cnaidun.net
sapress.help
silly-swirles.207-246-119-197.plesk.page

# Reference: https://app.validin.com/detail?type=hash&find=e760bb9ce1e83e274def380574509c7b9e9088ff#tab=host_pairs (# 2025-02-27)

139.180.205.23:443
45.32.115.128:443
64.176.226.182:443
95.179.156.122:443
gomyhalf.com
microsoftasps.com
symence.org

# Reference: https://www.scrible.com/view/source/R2IO1C0L20LQG2MG3443K8O48P4CM20E:1424161239/

139.84.137.63:443
192.142.18.42:443
193.56.255.214:443
37.120.239.33:443
boopainc.com
chtq.net
dsqurey.com
emazemedia.com
oossafe.com
superdasqe.me
api.emazemedia.com
caba.superdasqe.me
czs.superdasqe.me
dscriy.chtq.net
home.boopainc.com
network.oossafe.com
notes.oossafe.com
updata.dsqurey.com

# Reference: https://x.com/Cyberteam008/status/1899314534999019567

101.99.93.140:443
139.84.137.60:443
89.38.225.202:443
89.38.225.208:443
91.245.253.79:443

# Reference: https://x.com/smica83/status/1904134295087718450
# Reference: https://www.welivesecurity.com/en/eset-research/operation-fishmedley/

162.33.178.23:443
168.100.10.136:443
192.46.223.211:443
78.141.202.70:443
googleauthenticatoronline.com
api.googleauthenticatoronline.com

# Reference: https://x.com/Cyberteam008/status/1909432343976091981
# Reference: https://www.virustotal.com/gui/file/7ad3331be038b43c1a19066f1e4edbe85dfb08596d70774a5e15480394626d39/detection

45.77.33.174:443
updatemic.com
update.updatemic.com

# Reference: https://hunt.io/blog/state-sponsored-activity-gamaredon-shadowpad

developers-cloudfare.us
gjbopwmail.kozow.com
gssllxqxqzyo.giize.com
opwmail.kozow.com
static.developers-cloudfare.us
zngb.kozow.com

# Reference: https://x.com/Cyberteam008/status/1910171025137934629

139.84.168.246:443
158.247.253.66:443
172.235.10.225:443
172.235.10.252:443
206.71.149.117:443
23.227.199.38:443
38.132.122.152:443
38.180.82.106:443
43.255.158.158:443
43.255.158.97:443
45.32.172.203:443
64.190.113.165:443
64.227.185.216:443
65.20.66.77:443

# Reference: https://x.com/Jane_0sint/status/1910650292342862257
# Reference: https://app.any.run/tasks/2c3b303a-b412-449e-b380-f1e7de76d452

154.31.217.200:443

# Reference: https://hunt.io/blog/keyplug-infrastructure-tls-certificates-ghostwolf-activity

103.146.230.130:443
103.146.230.165:443
103.146.230.183:443
103.226.155.96:443
103.226.155.98:443
103.234.96.167:443
103.244.148.80:443
108.61.159.145:443
111.180.200.74:443
114.55.6.216:443
13.124.47.148:443
13.209.204.54:443
13.214.160.122:443
13.214.172.25:443
13.214.203.53:443
13.228.200.171:443
13.250.182.175:443
139.180.145.193:443
139.180.153.109:443
139.180.188.174:443
139.180.189.81:443
139.180.211.30:443
139.180.213.58:443
139.84.175.197:443
149.28.130.130:443
149.28.131.126:443
15.168.60.114:443
154.12.87.168:443
154.92.16.198:443
158.247.203.247:443
158.247.234.25:443
158.247.245.229:443
158.247.251.91:443
158.247.253.114:443
173.209.62.187:443
173.209.62.189:443
173.209.62.190:443
18.142.113.169:443
18.142.162.202:443
18.143.183.217:443
18.163.6.115:443
202.182.121.16:443
202.79.173.211:443
202.79.173.220:443
202.79.173.228:443
205.185.121.28:443
207.148.71.45:443
209.141.36.195:443
3.0.139.139:443
3.1.206.135:443
3.38.151.172:443
36.255.220.179:443
38.55.24.53:443
39.106.32.186:443
43.130.61.252:443
43.201.51.16:443
43.249.36.84:443
45.137.10.166:443
45.137.10.37:443
45.148.244.220:443
45.32.101.56:443
45.32.125.90:443
45.76.150.120:443
45.77.34.88:443
47.245.60.81:443
47.245.99.137:443
47.92.204.81:443
5.188.34.87:443
51.79.177.23:443
54.151.200.128:443
64.176.50.30:443
64.176.51.12:443
64.176.83.46:443
65.20.69.6:443
65.20.70.52:443
65.20.78.204:443
65.20.78.223:443
65.20.79.14:443
65.20.79.156:443
65.20.84.44:443
66.42.49.65:443
67.43.228.18:443
67.43.228.19:443
67.43.228.20:443
67.43.228.21:443
67.43.228.22:443
67.43.234.149:443
67.43.234.150:443
8.209.255.168:443
8.213.131.120:443
8.218.156.56:443
8.219.191.81:443
8.222.220.3:443
8.222.243.185:443
88.218.192.22:443

# Reference: https://x.com/Tac_Mangusta/status/1828077441925157172
# Reference: https://www.virustotal.com/gui/file/3e8f51ec601e6e9c3aaafd3d156721fc85911544417d43f6b6c0b029a009c584/detection
# Reference: https://www.virustotal.com/gui/file/9ed37a790ed5d90511d5b88140e531d789357e6fd745efba6a1ec0d42f20aeec/detection

resource.infinityfreeapp.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
# Reference: https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics

cloud.msapp.workers.dev
invasion-prisoners-inns-aging.trycloudflare.com
pants-graphs-optics-worse.trycloudflare.com
pubs.infinityfreeapp.com
recall-addressed-who-collector.trycloudflare.com
term-restore-satisfied-hence.trycloudflare.com
ways-sms-pmc-shareholders.trycloudflare.com
word.msapp.workers.dev
