# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: entryshell, sparrowdoor, xiangoop

# Reference: https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/

# Indicators listed under the Securelist write-up cited above.
# Order: registered domains, then subdomains, then IP:port endpoints.
aftercould.com
datacentreonline.com
freedecrease.com
newfreepre.com
newlylab.com
reclubpress.com
webdignusdata.com
# NOTE(review): each subdomain below has its parent domain listed above as well;
# presumably both are kept to mirror the source report - confirm whether the
# matcher needs the subdomain entries separately.
game.newfreepre.com
imap.newlylab.com
imap.webdignusdata.com
mail.reclubpress.com
# Every address below appears twice, once for port 443 and once for port 80.
# NOTE(review): IP:port entries are point-in-time observations; check that an
# address is still attributed to this activity before relying on it.
27.102.113.57:443
27.102.113.57:80
27.102.114.55:443
27.102.114.55:80
27.102.115.51:443
27.102.115.51:80
27.102.113.240:443
27.102.113.240:80
27.102.129.120:443
27.102.129.120:80
107.148.165.158:443
107.148.165.158:80
154.223.135.214:443
154.223.135.214:80

# Reference: https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/
# Reference: https://www.virustotal.com/gui/ip-address/193.239.86.168/relations
# Reference: https://www.virustotal.com/gui/file/f81a2e8a2a272e0bdae4e267fa220d6d40e23214087f33bdcdab6c7ad10b60b8/detection

# One registered domain and its imap. subdomain, listed under the Sygnia and
# VirusTotal links cited above.
# NOTE(review): the VirusTotal relations page cited above is for 193.239.86.168,
# which is not itself listed here - presumably it was only the pivot used to
# find these names; confirm whether the address should also be a trail.
dateupdata.com
imap.dateupdata.com

# Reference: https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/
# Reference: https://www.virustotal.com/gui/ip-address/45.131.179.24/relations
# Reference: https://www.virustotal.com/gui/ip-address/43.254.216.195/relations
# Reference: https://www.virustotal.com/gui/file/b696fe2f31279af1e006d89beb0ff0c1915df4f8a6d3a201ccda54505688840c/detection

# One IP:port endpoint (port 8444) and one registered domain, listed under the
# ESET and VirusTotal links cited above.
# NOTE(review): the VirusTotal relations pages cited above are for 45.131.179.24
# and 43.254.216.195, neither of which is listed here - presumably they were
# only pivots; confirm whether either address should also be a trail.
103.85.25.166:8444
amelicen.com
