# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: cageychameleon, cryptocore, cryptomimic, ta444, wslink, RTV4, CoreKit, netchk, upl/tlgrm, NimDoor

# Reference: https://twitter.com/e_kaspersky/status/1481665686351106053
# Reference: https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/

http://163.25.24.44
http://45.238.25.2
163.25.24.44:443
45.238.25.2:443
118.70.116.154:8080
186.183.185.94:8080
66.181.166.15:8080
163qiye.top
abiesvc.com
abiesvc.info
abiesvc.jp.net
antcapital.us
atom.publicvm.com
att.gdrvupload.xyz
authenticate.azure-drive.com
azure-drive.com
azureprotect.xyz
azure-service.com
azureword.com
backup.163qiye.top
beenos.biz
bhomes.cc
bitcoinnews.mefound.com
bitflyer.team
blog.cloudsecure.space
bloomcloud.org
buidihub.com
chemistryworld.us
circlecapital.us
client.googleapis.online
cloud.azure-service.com
cloud.globalbrains.co
cloud.jumpshare.vip
cloudsecure.space
cloudshare.jumpshare.vip
cloud.venturelabo.co
coinbig.dev
coinbigex.com
coin-squad.co
deepmind.fund
dekryptcap.digital
devprocloud.com
dllhost.xyz
doconline.top
docs.azureword.com
docs.coinbigex.com
docs.gdriveshare.top
docs.goglesheet.com
docs.securedigitalmarkets.co
docstream.online
document.antcapital.us
document.bhomes.cc
document.fastercapital.cc
document.kraken-dev.com
document.lundbergs.cc
documentprotect.live
documentprotect.pro
documents.antcapital.us
document.skandiafastigheter.cc
docuserver.xyz
doc.venturelabo.co
doc.youbicapital.cc
domainhost.dynamic-dns.net
download.azure-safe.com
download.azure-service.com
download.gdriveupload.site
drives.googldrive.xyz
drives.googlecloud.live
driveshare.googldrive.xyz
dronefund.icu
drw.capital
eii.world
etherscan.mrslove.com
faq78.faqserv.com
fastdown.site
fastercapital.cc
filestream.download
file.venturelabo.co
foundico.mefound.com
galaxydigital.cc
galaxydigital.cloud
gdocsdown.com
gdriveshare.top
gdriveupload.info
gdrvupload.xyz
globalbrains.co
gmaildrive.site
goglesheet.com
googldrive.xyz
googleapis.online
googleauth.pro
googlecloud.live
googledocpage.com
googledrive.download
googledrive.email
googledrive.online
googledrive.publicvm.com
googleexplore.net
googleservice.icu
googleservice.xyz
googlesheetpage.org
googleupload.info
gsheet.gdocsdown.com
hiccup.shop
innoenergy.info
isosecurity.xyz
jack710.club
jumpshare.vip
kraken-dev.com
ledgerservice.itsaol.com
lemniscap.cc
lundbergs.cc
mail.gdriveupload.info
mail.gmaildrive.site
mail.googleupload.info
mclland.com
microstratgey.com
miss.outletalertsdaily.com
msoffice.qooqle.download
note.onedocshare.com
onlinedoc.dev
onlinedocpage.org
outletalertsdaily.com
page.googledocpage.com
product.onlinedoc.dev
protect.antcapital.us
protect.azure-drive.com
protectoffice.club
protect.venturelabo.co
pvset.itsaol.com
qooqle.download
qoqle.online
regcnlab.com
reit.live
securedigitalmarkets.ca
securedigitalmarkets.co
share.bloomcloud.org
sharebusiness.xyz
share.devprocloud.com
sharedocs.xyz
share.docuserver.xyz
share.stablemarket.org
signverydn.sharebusiness.xyz
sinovationventures.co
skandiafastigheter.cc
slot0.regcnlab.com
stablemarket.org
svr04.faqserv.com
tokenhub.mefound.com
tokentrack.mrbasic.com
twosigma.publicvm.com
updatepool.online
up.digifincx.com
upload.gdrives.best
venturelabo.co
verify.googleauth.pro
word.azureword.com
youbicapital.cc
devstar.dnsrd.com
fxbet.linkpc.net
lservs.linkpc.net
mmsreceive.linkpc.net
msservices.hxxps443.org
onlineshoping.publicvm.com
palconshop.linkpc.net
pokersonic.publicvm.com
press.linkpc.net
rubbishshop.linkpc.net
rubbishshop.publicvm.com
socins.publicvm.com
vpsfree.linkpc.net

# Reference: https://twitter.com/malwrhunterteam/status/1602997656468754432
# Reference: https://www.virustotal.com/gui/file/41c83c80fa348d56ccb10fa48114bac52691c9778812547290d13b3214d98e8c/detection

gdriveshare.com
googledrive.services
wirexapp.app

# Reference: https://securelist.com/bluenoroff-methods-bypass-motw/108383/
# Reference: https://otx.alienvault.com/pulse/63ac10d2a4d29d94a7766d7a

abf-cap.co
abf-cap.com
angelbridge.capital
angelbridge.jp
anobaka.info
anobaka.jp
bankofamerica.nyc
bankofamerica.tel
bankofamerica.us.org
beyondnextventures.co
beyondnextventures.com
jp-aprime.info
lno-prima.lol
mizuhogroup.us
offerings.cloud
perseus.bond
smbc-vc.com
smbc.ltd
smbcgroup.us
tptf.co
tptf.ltd
tptf.us
avid.lno-prima.lol
careers.mizuhogroup.us
cloud.beyondnextventures.co
info.anobaka.info
vote.anobaka.info
word.anobaka.info
ww25.amazon.co.jp-aprime.info
ww25.co.jp-aprime.info
ww25.jp-aprime.info
ww25.login-service.amazon.co.jp-aprime.info
ww25.mail.jp-aprime.info
ww25.webmail.jp-aprime.info
ww38.jp-aprime.info

# Reference: https://twitter.com/StopMalvertisin/status/1625402506737250304
# Reference: https://www.virustotal.com/gui/file/26e376fc80b090b2ee04e7d3104d308a150e58538580109a74f4ac49bf362423/detection

espcapital.pro
cloud.espcapital.pro

# Reference: https://twitter.com/craiu/status/1625408594886762496
# Reference: https://twitter.com/craiu/status/1625408647508402176

cloud.anobaka.info
cloud.dnx.capital
cloud.gpmtreit.co
cloud.j-ic.co
cloud.j-ic.com
cloud.mekongcapital.net
down.gpmtreit.co
down.gpmtreit.us
down.j-ic.com
down.tomming.us
gpmtreit.co
gpmtreit.us
internal.j-ic.co
j-ic.co
j-ic.com
mekongcapital.net
tet.dnx.capital
tomming.us

# Reference: https://twitter.com/StopMalvertisin/status/1625710611425554434
# Reference: https://www.virustotal.com/gui/file/864f2a624a58cf460689d805e271fbffe24266933cc10166f4342e65143e019f/detection

autoprotect.com.de

# Reference: https://twitter.com/souiten/status/1635210162805018624
# Reference: https://www.virustotal.com/gui/file/2c0a66c6370b4aa88ab3805d520e868cbc513b43119958257a72c9ff58ef241c/detection

share.dedesignanddev.com

# Reference: https://twitter.com/StopMalvertisin/status/1642450636875898880
# Reference: https://twitter.com/StopMalvertisin/status/1642450639618973696
# Reference: https://www.virustotal.com/gui/file/4d5efd08e66c394b025a57995a7065fcda45a982a16ded4cdfc4ed42bd142ea5/detection

jdshare.com.de
mufg.us.com

# Reference: https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/

31ventures.info
deck.31ventures.info

# Reference: https://twitter.com/k3yp0d/status/1650071119074844673
# Reference: https://www.virustotal.com/gui/file/ff8832355ae99ffd66d0fe9eda2d74efdf3ed87bb2a4c215b93ade93165f7c0b/detection
# Reference: https://www.virustotal.com/gui/file/3b6f30369a4ee8bf9409d141b6d1b3fb4286c34984b5de005ed7431df549b17e/detection

hedgehogvc.us
cloud.hedgehogvc.us
down.hedgehogvc.us
laos.hedgehogvc.us
pet.hedgehogvc.us
thai.hedgehogvc.us

# Reference: https://twitter.com/KSeznec/status/1678319191110082560

decentryk.online
protectsh.online
raizerverify.online
association.linkpc.net
c-money.linkpc.net
dma.linkpc.net
docsend.com-proapple.cloud.line.pm
longjourneycapital.publicvm.com
longjourneyfund.publicvm.com
longjourneyventure.publicvm.com
world.linkpc.net

# Reference: https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/
# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-08-10-v10391/855

autodynamics.work.gd

# Reference: https://twitter.com/philofishal/status/1767951302607151351
# Reference: https://www.virustotal.com/gui/file/083f949e4708098b624dca017e2c0294a18e9a581f92baa8348836d7d9ba06c7/detection

atajerefoods.com

# Reference: https://twitter.com/MichalKoczwara/status/1783136320166023648
# Reference: https://www.virustotal.com/gui/ip-address/104.168.198.145/relations
# Reference: https://app.validin.com/detail?type=raw&find=herblin1112%40gmail.com#tab=host_pairs (# 2025-05-20)
# Reference: https://app.validin.com/detail?find=1d398e3b572e906ecca28cc6fadc0fa6dcb0bd20&type=hash&ref_id=575dd0e9111#tab=host_pairs (# 2025-05-23)
# Reference: https://www.virustotal.com/gui/file/c24bb2b28d322faee5a0162675c0c579a5224149874742acdd0bdf0157359756/detection

104.168.145.52:8080
104.168.151.70:8080
104.168.198.145:8080
23.254.202.223:8080
adiclas-nft.quest
automatic-update.online
autoupdate.store
checkdata.wiki
datauploader.online
datauploader.site
dropepe.cfd
firstfromsep.online
instant-update.online
koreaair.tattoo
longlastfor.online
ovalln.top
safeup.online
stabucksiren.fun
star-bucks.life
starbucksevent.pics
system-update.cloud
system-update.xyz
thefirststore.bond
appleupdate.datauploader.site
first.longlastfor.online
first.system-update.xyz
metamask.awaitingfor.site
real.automatic-update.online
root.system-update.cloud

# Reference: https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf

buy2x.com
/OcMySY5QNkY/ABcTDInKWw/4SqSYtx%2B/EKfP7saoiP/BcA%3D%3D
/OcMySY5QNkY/ABcTDInKWw/4SqSYtx%2B/EKfP7saoiP/
/4SqSYtx%2B/
/ABcTDInKWw/
/EKfP7saoiP/
/OcMySY5QNkY/

# Reference: https://x.com/TLP_R3D/status/1826545317229015078
# Reference: https://www.virustotal.com/gui/ip-address/23.254.253.75/relations
# Reference: https://app.validin.com/detail?type=dom&find=panda95sg.asia#tab=host_pairs_v2

cmt.ventures
dourolab.xyz
maelstromfund.org
panda95sg.asia
pixelmonmmo.net
pixleon.net
prismlab.xyz
sendmailed.com
tvdhoenn.net
yoannturp.xyz
mc.tvdhoenn.net

# Reference: https://x.com/Cyberteam008/status/1826585708376850744
# Reference: https://app.validin.com/detail?type=ip&find=45.61.140.26#tab=resolutions

45.61.140.26:3389
versionupdate.dns.army

# Reference: https://twitter.com/behindbreach/status/1287961015506927616
# Reference: https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf
# Reference: https://otx.alienvault.com/pulse/5ef36f8f63a7d8a11972ca54
# Reference: https://vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/
# Reference: https://vblocalhost.com/uploads/VB2020-Takai-etal.pdf
# Reference: https://vblocalhost.com/uploads/VB2020-18.pdf
# Reference: https://otx.alienvault.com/pulse/5f74bcb0be4abfe12d93d2bf

140.136.134.201:8080
41.85.145.164:8080
1driv.org
1drv.email
1drvmail.work
amazonaws1.info
amzonnews.club
blockchaintransparency.institute
bugscrowd.com
cloudfiles.club
cloudocs.space
cloudsecure.space
decurret.site
digifincx.com
drivegmail.top
drivegoogle.org
drivegooglshare.xyz
euprotect.net
fcloudshare.xyz
filecloud.website
financialmarketing.live
gdriverfileshare.com
gdrives.best
gdrives.top
gdriveshare.top
gdriveshareslink.xyz
gdriveupload.info
gdriveupload.site
gdrvauth.cloud
gdrvcheck.co
gdrvshare.site
gdrvup.xyz
gdrvupload.xyz
gmaildrive.info
gmaildrive.site
gmaildriver.info
gogleshare.xyz
goglesheet.com
googldocs.org
googldrive.xyz
googleapis.online
googleauth.pro
googlecloud.live
googleclouddrive.com
googlecstorage.com
googledrive.download
googledrive.email
googledrive.network
googledrive.online
googledriver.info
googledriver.net
googledriver.xyz
googledriveshare.com
googledrv.com
googleexplore.net
googlefiledrive.com
googlefileshare.com
googleshare.org
googleupload.info
krypitalvc.com
liveonedrvshare.xyz
microsoftapp.life
msupdatepms.xyz
navicheck.xyz
onedrivecloud.store
onedriveglobal.com
onedrivems.online
onedrivrshares.xyz
onedrvdn.co
onedrvfile.site
ownemail.me
privacyshield.services
provemail.net
secureshares.online
sendspace.buzz
sharedrivegght.xyz
sharegoogldrive.online
sharesdown.xyz
showprice.xyz
uploadsfiles.xyz
wechart.org
armzon.onmypc.org
blackwell.tekstar.us
btcprime.itsaol.com
chromeupdate.publicvm.com
coindeck.onmypc.org
coinnews.onmypc.org
coinomic.itsaol.com
connsec.publicvm.com
ddsvr.itsaol.com
drive.sharegoogldrive.online
drivegoogle.publicvm.com
drivegooogle.publicvm.com
esosv.itemdb.com
europegdprsec.onmypc.org
eusharesrv.onmypc.org
excinfo.itemdb.com
gdrive.onmypc.org
googledrive.dynu.net
googledrive.linkpc.net
googledrive.publicvm.com
googleupdate.publicvm.com
ledgerservice.itsaol.com
matrixpartners.theworkpc.com
mpksl.publicvm.com
mskpupdate.publicvm.com
msupdate.publicvm.com
onedriveupdate.publicvm.com
sevicebill.itemdb.com
termsofservice.onmypc.org
tokenomic.itsaol.com
twosigma.publicvm.com
vpset.onmypc.org
vpsfree.linkpc.net
windrvupdate.kozow.com

# Reference: https://twitter.com/_re_fox/status/1280138335214804995

twosigmateam.info

# Reference: https://twitter.com/_re_fox/status/1298281770597654529

drivegoogles.com

# Reference: https://twitter.com/_re_fox/status/1232320036834025472
# Reference: https://app.any.run/tasks/8d5e66c9-3942-4e00-bfdf-8f2c24054a92/

140.117.91.22:8080
blog.cloudsecure.space

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-12-19-v10199/212

prosec.ink
cloud.prosec.ink
cloudprotect.us.org

# Reference: https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds

autoprotect.com.de
autoprotect.gb.net
azurehosting.co
azureprotect.online
azureprotection.cloud
azuresecurity.online
azuresecurity.site
bankofamerica.offerings.cloud
careers.bankofamerica.nyc
careersbankofamerica.us
cloud.globiscapital.co
cloud.mufg.uk
cloud.tptf.ltd
cloud.wpic.ink
docs.azurehosting.co
globiscapital.co
hoststudio.org
ledgercloud.com
mufg.ink
mufg.uk
mufg.us.org
share.anobaka.info
tptf.fund
unchainedcapital.co
updatezone.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-02-09-v10240/306

autoprotect.com.se

# Reference: https://twitter.com/C0ryInTheHous3/status/1630551018084737027

mufg.yokohama

# Reference: https://twitter.com/C0ryInTheHous3/status/1630991590176030738

doc-view.cloud
azure.doc-view.cloud

# Reference: https://twitter.com/C0ryInTheHous3/status/1633897592806408192

daiwa.ventures
cloud.daiwa.ventures

# Reference: https://twitter.com/C0ryInTheHous3/status/1646159776177324044
# Reference: https://twitter.com/C0ryInTheHous3/status/1646161233458999297
# Reference: https://www.virustotal.com/gui/ip-address/104.168.167.88/relations

arbordeck.co.in
shared-document.cloud
spirtblockchain.com
deck.arbordeck.co.in
safe.shared-document.cloud
arborventures.capital
autoupdatecheck.work.gd
companydeck.cloud
companydeck.online
contract-research.blog
contractresearch.blog
crypto.contract-research.blog
crypto.contractresearch.blog
deck.arbordeck.online
docs-send.cloud
docupload.site
file.docupload.site
file.myfirmdocument.cloud
file.myfirmdocument.online
gunosis.global
interalliancemediagroups.cloud
mx.interalliancemediagroups.cloud
myfirmdocument.cloud
myfirmdocument.online
safe.arborventures.capital
safe.gunosis.global
safe.job-description.online
safe.nextera.capital
safe.smart-contracts.blog
securesmtp.interalliancemediagroups.cloud
smtps.interalliancemediagroups.cloud
webhostwatto.work.gd

# Reference: https://storage.pardot.com/838563/1676629189Mljyft19/CTI_Advisory_Undetected_North_Korean_Malware_A_Looming_Threat_to_Finan.pdf

http://104.255.172.56
cloud.azurehosting.co
doc.gdocshare.one
down.espcapital.co
nbright.best
ns1.trytiponlineresult.com
ns2.trytiponlineresult.com
safe.doc-share.pro
safe.doc-share.top
site.siteshare.me
siteshare.me
trytiponlineresult.com

# Reference: https://twitter.com/TLP_R3D/status/1649147042680172571
# Reference: https://www.virustotal.com/gui/ip-address/104.255.172.52/relations

256ventures.us
aidpartners.org
altair-vc.co.uk
altair-vc.com
altair.linkpc.net
deck.altair-vc.co.uk
deck.altair-vc.com
deck.toyota-ai.org
deepcore.v.entures
doc.256ventures.us
docsend.me
down.aidpartners.org
down.protectedviewer.co
inter.gpmtreit.co
partner.deepcore.v.entures
protectedviewer.co
sarahbeery.docsend.me
toyota-ai.org

# Reference: https://twitter.com/C0ryInTheHous3/status/1661076239614918660

docupload.lat
docupload.store
getwebconnection.buzz
last-report.online
latest-report.cloud
deck.latest-report.cloud
file.docupload.lat
file.docupload.store
news.last-report.online
ok.docupload.store

# Reference: https://twitter.com/C0ryInTheHous3/status/1661075436783259649

docupload.bond
els.docupload.bond

# Reference: https://twitter.com/C0ryInTheHous3/status/1661756717355483137
# Reference: https://www.virustotal.com/gui/ip-address/104.168.167.88/relations

dontdie.cfd
getwebconnection.cfd
latest-report.online
file.latest-report.online
sts.interalliancemediagroups.cloud

# Reference: https://twitter.com/TLP_R3D/status/1664980484219084801
# Reference: https://www.virustotal.com/gui/ip-address/172.93.193.219/relations

developcore.org
gdrvcloud.com
app.developcore.org

# Reference: https://twitter.com/C0ryInTheHous3/status/1669422415309418496

downloadfile.icu
getfilefrom.site
getfilefrom.store
interalliancemediagroups.cloud

# Reference: https://twitter.com/TLP_R3D/status/1677617586349981696
# Reference: https://www.virustotal.com/gui/ip-address/192.119.64.43/relations

floriventurescapital.linkpc.net
floriventuresfinance.linkpc.net
floriventuresfund.linkpc.net

# Reference: https://www.virustotal.com/gui/file/0be79614938541a4cd85de1b6103f0fdeb3808aaba5856ba5bbd8ef6976cf8c3/detection

obituary2.redirectme.net
yorst.linkpc.net

# Reference: https://twitter.com/TLP_R3D/status/1685581711139102720
# Reference: https://www.virustotal.com/gui/ip-address/23.254.204.173/relations
# Reference: https://www.virustotal.com/gui/file/8949207761f3d09734aa716da1e6c182425bcde2a95dacb3320085f1fe66069c/detection

espcap.fun
pro-tokyo.top
docsend-cloud.espcap.fun
docsend.com-pro.apple.cloud.line.pm
group.pro-tokyo.top

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-09-05-v10410/921

cryptowave.capital
datasend.fun
internal-meeting.online
video-meet.xyz

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-09-20-v10421/970

tp-globa.xyz
pre.alwayswait.site
doc.apple.com.premienoe.aidl.eonw.line.pm

# Reference: https://twitter.com/TLP_R3D/status/1705211957941240212
# Reference: https://www.virustotal.com/gui/ip-address/172.86.121.198/relations

techopscentral.com

# Reference: https://twitter.com/greglesnewich/status/1717963704828915988

internal-document-he-gr-me.run.place
j-ic.co.internal-document-he-gr-me.run.place

# Reference: https://x.com/StrikeReadyLabs/status/1834588185835286571
# Reference: https://www.virustotal.com/gui/file/5eb788aa33050c19c614a189949fd02ecf22656809f3c8e3ceffab5a0679ae8e/detection

imp-docs.digital
microsoft-rage.world
show-pdf-document.com
uploadfiles.website
uploadmefiles.site
uploadmefiles.space
uploadmefiles.tech
uploadmefiles.xyz
uploadmyfile.space
uploadmyfile.tech

# Reference: https://x.com/LabsSentinel/status/1854550940243702083
# Reference: https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/

analysis.arkinvst.com
ankanimatoka.com
appleaccess.pro
arkinvst.com
caladan.video
calendly.caladan.video
cardiagnostic.net
community.edwardcaputo.shop
community.kevinaraujo.shop
community.selincapital.com
customer-app.xyz
delphidigital.org
doc.solanalab.org
drogueriasanjose.net
edwardcaputo.shop
email.sellinicapital.com
frameworks.ventures
hananetwork.video
happyz.one
huspot.blog
hwsrv-1225327.hostwindsdns.com
info.ankanimatoka.com
info.customer-app.xyz
kevinaraujo.shop
maelstroms.fund
matuaner.com
meet.caladan.video
meet.hananetwork.video
meet.selinicapital.info
meet.sellinicapital.com
meeting.zoom-client.com
mg21.1056.uk
nodnote.com
online.selinicapital.info
online.zoom-client.com
selincapital.com
selinicapital.info
selinicapital.network
sendmailer.org
shh5.baranftw.xyz
solanalab.org
verify.selinicapital.info
xu10.1056.uk
zoom-client.com

# Reference: https://www.virustotal.com/gui/ip-address/45.61.157.78/relations

hanagroup.video
meet.hanagroup.video

# Reference: https://x.com/TLP_R3D/status/1665014879151960065
# Reference: https://www.virustotal.com/gui/file/66916b0dfd9956b4b74640a4feb9459ea7986b056b2cecd361e4402d44a445a1/detection

werfaultserver.com

# Reference: https://x.com/JRehbergCSK/status/1877800515871936822
# Reference: https://x.com/cosmonaut_joon/status/1879435681547858086
# Reference: https://x.com/tayvano_/status/1879611039953924592
# Reference: https://www.virustotal.com/gui/ip-address/216.107.136.11/relations

twosigmavc.capital
twosigmaventures.us
zoom-sdk.com
jobs.twosigmavc.capital
jobs.twosigmaventures.us
meet.twosigmavc.capital
meet.twosigmaventures.us
api.zoom-sdk.com

# Reference: https://x.com/cyberoverdrive/status/1879616942040125648
# Reference: https://www.virustotal.com/gui/ip-address/5.230.44.79/relations

baiduweb.pro
daiwa-v.com
dunamuventures.com
in-zoom.us
mzweb3.fund
playgroundvc.capital
playgroundventures.capital
saisoncapital.net
app.baiduweb.pro
daiwa.in-zoom.us
dunamu.in-zoom.us
meet.baiduweb.pro
meet.daiwa-v.com
meet.dunamuventures.com
meet.mzweb3.fund
meet.playgroundvc.capital
meet.playgroundventures.capital
meet.saisoncapital.net
newtribe.in-zoom.us
updatecheck.v6.rocks

# Reference: https://x.com/birchb0y/status/1935436678602055682
# Reference: https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis

productnews.online
readysafe.xyz
safefor.xyz
safeupload.online
us05web-zoom.biz
us05web-zoom.space
support.us05web-zoom.biz

# Reference: https://x.com/TLP_R3D/status/1935782157454078277
# Reference: https://x.com/TLP_R3D/status/1935782161757749475
# Reference: https://x.com/IstaPee/status/1935788234468213130

autoupdate.online
awaitingfor.online
check-address.xyz
clearit.sbs
flashstore.sbs
image-support.xyz
safefor.xyz
safeup.store
secondshop.online
signsafe.site
signsafe.xyz
update-assist.org
upload-test.xyz
usecrowdpay.xyz
web3-support.xyz
zerodev.pro
api.zerodev.pro
bots.autoupdate.online
cron-stage.usecrowdpay.xyz

# Reference: https://x.com/ValidinLLC/status/1943648048401244489
# Reference: https://www.validin.com/blog/zooming_through_bluenoroff_pivots/

aleslosev.workers.dev
bizmeeting.online
bizwebmeet.com
businesstalks.site
cn-zoom.us
communicationhub.vip
datatabletemplate.shop
deliverypost.cloud
doc-bridge.com
em-oujuit78ytserve.com
em-oujuit78ytserve.net
laserdigital.xyz
mediazoom.us
meet-client.xyz
meeting-hub.team
meeting-zone.team
meetup-room.online
meetuphub.online
mylingocoin.com
newfromjune.shop
newfromjune.site
newwebapi.us
nexologin.xyz
online-conference.online
online-conference.pro
online-conference.site
online-conference.store
online-conference.xyz
online-meets.cloud
online-meets.store
onlinemeet.video
republicrypto.vc
room-meeting.online
rxamia.com
secure-meeting.cloud
secure-meeting.xyz
sg05web.us
sidezoom.us
support-gmeet.com
support-google.co.im
support-google.co.in
support-google.us
support-google.ws
support-zoom.us
team-meets.cloud
team-meets.online
team-meets.site
team-meets.store
team-meets.xyz
techevent.us
twosigmacap.com
ukweb08.us
us-playground.vc
us001web.us
us004web.us
us02web-zoom.com
us02www-zoom.us
us03web-zoom.cc
us03web-zoom.com
us03www-zoom.us
us05-zoom.com
us05-zoom.uk
us05biz-zoom.us
us05web-zoom.click
us05web-zoom.cloud
us05web-zoom.forum
us05web-zoom.info
us05web-zoom.ink
us05web-zoom.pro
us05web-zoom.site
us05web-zoom.store
us05web-zoom.uk
us05web-zoom.xyz
us05www-zoom.us
us05zoom.com
us05zoom.us.com
us06web-zoom.cc
us06web-zoom.xyz
us07web-zoom.cc
usweb005.us
usweb01.us
usweb08.us
usweb09.us
venture-meeting.online
video-conference.cloud
video-conference.pro
video-conference.site
video-conference.store
video-conference.xyz
video-meeting.store
videotalks.xyz
vipocapital.com
web01zoom.com
web02zoom.us
web031zoom.us
web041zoom.us
web06zoom.us
web071zoom.us
web082zoom.us
web091zoom.us
web21zoom.us
web3fund.us
webmeetapi.us
webmeetoffice.us
webus05.us
zm-meeting.com
zoom-support.com
zoom-tech.us
app.republicrypto.vc

# Reference: https://app.validin.com/lookalikes?lookback=90&depth=2&find=%2Fus%5B0-9%5D%7B2%7D%5Ba-z%5D%7B3%7D-zoom%5C.%5Ba-z%5D%7B2%2C5%7D%2F (# 2025-06-20)

us00web-zoom.us
us01web-zoom.cloud
us01web-zoom.com
us01web-zoom.info
us01web-zoom.org
us01web-zoom.site
us01web-zoom.store
us01web-zoom.xyz
us02biz-zoom.us
us02cam-zoom.us
us02web-zoom.info
us02web-zoom.live
us02web-zoom.org
us02web-zoom.xyz
us03biz-zoom.us
us03web-zoom.biz
us03web-zoom.info
us03web-zoom.org
us03web-zoom.site
us03web-zoom.store
us03web-zoom.top
us03web-zoom.xyz
us04web-zoom.info
us04web-zoom.live
us04web-zoom.org
us04web-zoom.xyz
us04www-zoom.us
us05ad-zoom.us
us05cc-zoom.us
us05pro-zoom.us
us05vip-zoom.us
us05web-zoom.cc
us05web-zoom.fun
us05web-zoom.guru
us05web-zoom.help
us05web-zoom.live
us05web-zoom.org
us05web-zoom.top
us05web-zoom.watch
us05web-zoom.work
us06web-zoom.info
us06web-zoom.live
us06web-zoom.org
us06web-zoom.space
us06www-zoom.us
us07biz-zoom.us
us07web-zoom.biz
us07web-zoom.com
us07web-zoom.live
us08web-zoom.cc
us08web-zoom.online
us08www-zoom.us
us09web-zoom.live
us09www-zoom.us
us12web-zoom.us
us17web-zoom.us

# Reference: https://github.com/hagezi/dns-blocklists/issues/6545

cdnkit.io
static.cdnkit.io

# Reference: https://fieldeffect.com/blog/zoom-doom-bluenoroff-call-opens-the-door
# Reference: https://www.virustotal.com/gui/ip-address/191.96.235.88/relations

ajayplamingo.com
app-wechat.xyz
bluewhale7.xyz
devlab.locker
doc-secure.it.com
doc-secure.me
hanaconference.xyz
honavolae.xyz
pacificyouth.club
rentyourmac.xyz
securetech.fun

# Reference: https://x.com/ValidinLLC/status/1937089880439329047
# Reference: https://app.validin.com/detail?type=hash&find=23c501daff7991f82a93d94a4f14bd68fb5f61d9#tab=host_pairs (# 2025-06-23)

join-meets.com
suweb05.us
us01web.com
us07office.us
us007web.us
web08zoom.us
refogevc.web08zoom.us
reforgevc.web08zoom.us
silver.web08zoom.us
zoom.join-meets.com
zoom.suweb05.us
zoom.us01web.com
zoom.us07office.us
zoom.us007web.us

# Reference: https://app.validin.com/detail?find=One%20platform%20to%20connect%20%7C%20Zoom&type=raw&ref_id=ea83c6e2c8d#tab=host_pairs

us4web.us
usweb5.us
zoom.us4web.us

# Reference: https://x.com/AlvieriD/status/1938253401868976404

us05-zoom.forum
us05-zoom.us
us06-zoom.forum
us06-zoom.uk
us06-zoom.us
us06www-zoom.com

# Reference: https://darkatlas.io/blog/bluenoroff-apt38-live-infrastructure-hunting

gost.run
nicrft.site
socialsuport.com

# Reference: https://huntability.tech/threat-note-2025-04-23-nk-zoom/
# Reference: https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/

dataupload.store
us06web-zoom.online
writeup.live
gumi-cryptos.us05web-zoom.pro
support.us05web-zoom.cloud
support.us05web-zoom.forum
support.us05web-zoom.pro
support.us06web-zoom.online

# Reference: https://app.validin.com/detail?find=%3A%3A%22twitter%3Asite%22%3A%3A%22%40zoom%22&type=raw&ref_id=1a212fb7b37#tab=host_pairs (# 2025-07-07)

us05webzoom.link

# Reference: https://www.validin.com/blog/pivots_revisited/#bluenoroff

app.thorwsap.finance
teams-meet.us
thorwsap.finance
us004zoom.com
us005zoom.com
us04web.com
web3insider.forum
web3journal.io
web3journal.xyz
web3signal.xyz
webthreefinance.club
whisperroom.forum
ww1.us04web.com
ww12.web3journal.io
