# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: appleworm, apt-c-26, apt-q-1, dangerous passwords, hidden cobra, guardians of peace, zinc, nickel academy, manuscrypt, applejeus, citrine sleet, diamond sleet, famous chollima, labyrinth chollima, unc4736, poolrat, pondrat, tradertraitor, ottercookie, golangghost, pychollima, pylangghost, pebbledash, hexeval loader, xorindex loader, alluring pisces, bureau-1121, cl-sta-240, covellite, dark seoul, group-77, hastati group, jade sleet, jumpy pisces, moonstone sleet, newromanic cyberarmy team, operation darkseoul, operation ghostsecret, operation troy, pukchong, ref9135, slow pisces, stardust, unit-121, whois hacking team, diamondsleet, romeogolf, themeforestrat, remotepeloader, gleaming pisces, akdoortea, postnaptea, tropidoor, weaselstore, purplebravo, waterplum, unc5342, cl-sta-0240, deceptivedevelopment, dev#popper, gwisin gang, tenacious pungsan, void dokkaebi

# Reference: https://cdn.securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf

exbonus.mrbasic.com
movis-es.ignorelist.com
tradeboard.mefound.com
update.toythieves.com
sap.misapor.ch

# Reference: https://securelist.com/operation-applejeus/87553/

celasllc.com
185.142.236.226
185.142.239.173
196.38.48.121
80.82.64.91

# Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea

tpddata.com
itaddnet.com
wifispeedcheck.net
coinoen.org
coinmaketcape.com
bitfiniex.org
apshenyihl.com/include/arc.speclist.class.php
ap8898.com/include/arc.search.class.php
anlway.com/include/arc.search.class.php
tpddata.com/skins/skin-8.thm
tpddata.com/skins/skin-6.thm
168wangpi.com/include/charset.php
ando.co.kr/service/s_top.asp
ansetech.co.kr/smarteditor/common.asp
mileage.krb.co.kr/common/db_conf.asp
028xmz.com/include/common.php
33cow.com/include/control.php
51up.com/ace/main.asp
530hr.com/data/common.php
97nb.net/include/arc.sglistview.php
marmarademo.com/include/extend.php
paulkaren.com/synthpop/main.asp
shieldonline.co.za/sitemap.asp

# Reference: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/
# Reference: https://twitter.com/KevinPerlow/status/1083759627714682880
# Reference: https://twitter.com/Bank_Security/status/1107543887462064128
# Reference: https://www.hybrid-analysis.com/sample/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/5c8a414a0388381b3f329926
# Reference: https://www.virustotal.com/gui/file/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/detection
# Reference: https://twitter.com/ClearskySec/status/1084463729633316864

bodyshoppechiropractic.com
drupdate.club
ecombox.store
/tbl_add.php

# Reference: https://otx.alienvault.com/pulse/5c8b8e19261a7451de02bf60/

http://37.238.135.70/img/anan.jpg

# Reference: https://otx.alienvault.com/pulse/5c9a4d9f90726d0988873a2b
# Reference: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/

dev.microcravate.com
nzssdm.com
bluecreekrobotics.com/wp-includes/common.php
dev.microcravate.com/wp-includes/common.php
dev.whatsyourcrunch.com/wp-includes/common.php
enterpriseheroes.com.ng/wp-includes/common.php
hrgp.asselsolutions.com/wp-includes/common.php
baseballcharlemagnelegardeur.com/wp-content/languages/common.php
bogorcenter.com/wp-content/themes/index2.php
eventum.cwsdev3.bi.com/wp-includes/common.php
streamf.ru/wp-content/index2.php
towingoperations.com/chat/chat.php
vinhsake.com/wp-content/uploads/index2.php
tangowithcolette.com/pages/common.php

# Reference: https://twitter.com/blackorbird/status/1110750919082147842
# Reference: https://blog.alyac.co.kr/2219

alahbabgroup.com
http://47.91.56.21/verify.php
http://103.225.168.159/admin/verify.php

# Reference: https://twitter.com/blackorbird/status/1111449536910680065

wb-bot.org
wb-invest.net

# Reference: https://twitter.com/KevinPerlow/status/1136994848341409792

sbackservice.com

# Reference: https://twitter.com/navSi16/status/1148192534654439426
# Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7

sensationalsecrets.com/js/left.php

# Reference: https://twitter.com/blackorbird/status/1148843702690832385

194.45.8.41:443

# Reference: https://twitter.com/bad_packets/status/1148864469486854144
# Reference: https://pastebin.com/G0Ad5Ut6

http://178.128.253.67/tbl_add.php

# Reference: https://twitter.com/RedDrip7/status/1148887458152472576

byucksanpaint.com/community/com_gon_open.asp

# Reference: https://otx.alienvault.com/pulse/5d2c64b174175b03e7db85cd

http://103.53.176.145:8080/ServiceDeskPlus/products.do
http://111.68.126.155:8080/ServiceDeskPlus/products.do
http://137.117.57.244:8080/ServiceDeskPlus/products.do
chanbang.co.kr/board/check.asp
chanbang.co.kr/family/check.asp
chanbang.co.kr/gonggu/upload.asp
difa.or.kr/common/asp/inc_Comn.asp
edenenc.co.kr/Report/RptMyReport.asp
egreenland.co.kr/cheditor2/example/newpost.asp
hanbook.co.kr/partnershop/hanmail_ep.asp
img.kindermom.co.kr/frameart/print/footer.mov
kgsa1015.co.kr/upload/member/member.asp
rodaxsankyokorea.com/upload/favicon/favicon.asp
sinokor-eng.com/sub/sub01_09.asp

# Reference: https://otx.alienvault.com/pulse/5d2dca0a1c7d00fa07be15e5

byucksanpaint.com/community/com_gon_open.asp
byucksanpaint.com/main/main4.asp
keyang.co.kr/pub/editor/wa_path.asp
upload.childu.co.kr/include/OnlyOne1.asp

# Reference: https://twitter.com/cyberwar_15/status/1152035187196223488

lavaandstone.com/wp-content/plugins/fusion-core/about.php
sales.alitho.com/wp-content/themes/sketch/about.php
amytanathorn.com/wp-admin/includes/about.php

# Reference: https://twitter.com/cyberwar_15/status/1153123863435214848

rhythm86.com/wp-content/themes/twentysixteen/about.php
cabba-cacao.com/wp-content/themes/integral/about.php
3x-tv.com/plugins/editors/about.php

# Reference: https://twitter.com/KorbenD_Intel/status/1158479283549089792
# Reference: https://www.virustotal.com/gui/file/3bba04f277e7f51a5500f7b144fdbd851954e4f94bb0290e49fc63f6fc807321/detection

policyupdates.info

# Reference: https://twitter.com/cyberwar_15/status/1166282138179624960
# Reference: https://twitter.com/navSi16/status/1166287915959214080

youdermoscopy.org/media/fly.avi
youdermoscopy.org/media/fly312.avi

# Reference: https://blog.alyac.co.kr/2500 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d6940cb9e719255258969f5

alnagm-press.com/wp-content/plugins/cloudflare/list.php
elsouq.org/aramex/left.php
swedishmassageamsterdam.nl/wp-content/themes/top.php

# Reference: https://twitter.com/cyberwar_15/status/1175940165425958912

http://158.69.57.135
http://92.222.106.229

# Reference: https://securelist.com/my-name-is-dtrack/93338/
# Reference: https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/
# Reference: https://otx.alienvault.com/pulse/5d88b31dea7f4b9d4701d7e8
# Reference: https://www.virustotal.com/gui/file/fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702/detection
# Reference: https://www.virustotal.com/gui/file/58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb/detection

katawaku.jp/bbs/data/theme/profile2.php
materialindia.in
totalmateria.net
cyberub.com/board/icon/template/template_ro.php
/gallery/profile2.php
/theme/profile2.php
/wp/profile2.php

# Reference: https://twitter.com/KseProso/status/1178580006047539200

heromessi.com/wp-public/career/car_add.php

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-12-lazarus-resurfaces-targets-global-banks-bitcoin-users/lazarus-resurfaces-targets-global-banks-bitcoin-users.csv

deltaemis.com

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-11-20-android-malware-appears-linked-to-lazarus-cybercrime-group/android-malware-appears-linked-to-lazarus-cybercrime-group.csv

vmware-probe.zol.co.zw

# Reference: https://app.any.run/tasks/01497f45-7fba-4356-bbdc-4270e51c2465/
# Reference: https://twitter.com/Rmy_Reserve/status/1181528617374777344
# Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea

gp-core.com
gp-main.com

# Reference: https://twitter.com/VK_Intel/status/1182722604240719872
# Reference: https://objective-see.com/blog/blog_0x49.html (# AppleJeus)

185.228.83.32:443
beastgoc.com
/grepmonux.php

# Reference: https://twitter.com/kyleehmke/status/1184120287199223808
# Reference: https://www.virustotal.com/gui/ip-address/185.228.83.129/relations

dev.jmttrading.org

# Reference: https://twitter.com/RedDrip7/status/1186562944311517184
# Reference: https://blog.alyac.co.kr/2388 (Korean)
# Reference: https://twitter.com/RedDrip7/status/1186562944311517184
# Reference: https://otx.alienvault.com/pulse/5db06ad90686f3bad959d7fc

crabbedly.club
craypot.live
czinfo.club
indagator.club
pegasusco.net
smilekeepers.co

# Reference: https://twitter.com/0xD0CF11E0A1B11/status/1187264570861076481

thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi
juliesoskin.com/includes/common/list.php
necaled.com/modules/applet/list.php
valentinsblog.de/wp-admin/includes/list.php

# Reference: https://twitter.com/blackorbird/status/1187619261612609536
# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html
# Reference: https://www.virustotal.com/gui/ip-address/218.255.24.226/relations

119.18.230.253:443
218.255.24.226:443

# Reference: https://twitter.com/Rmy_Reserve/status/1188235835956551680
# Reference: https://app.any.run/tasks/42c972b1-ec38-4637-9354-9de930ff50b2/

curiofirenze.com

# Reference: https://twitter.com/blackorbird/status/1202177008572092417

unioncrypto.vip

# Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/

107.172.197.175:443
172.93.201.219:443
192.210.213.178:443
198.180.198.6:443
209.90.234.34:443
23.227.196.116:443
23.227.199.53:443
23.254.119.12:443
23.81.246.179:443
37.72.175.179:443
64.188.19.117:443
74.121.190.121:443

# Reference: https://securelist.com/operation-applejeus-sequel/95596/
# Reference: https://otx.alienvault.com/pulse/5e15b526b4f8bc605744ad76

aeroplans.info
beastgoc.com
buckfast-zucht.de
chainfun365.com
cyptian.com
invesuccess.com
jmttrading.org
mydealoman.com
private-kurier.com
unioncrypto.vip
wb-bot.org
wb-invest.net
wfcwallet.com

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-03-08-hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.csv

falcancoin.io

# Reference: https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045d
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045e
# Reference: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045b
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045a
# Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045f

94.177.123.138:8088
193.56.28.103:88
197.211.212.59:7443
181.39.135.126:7443
112.175.92.57:443
81.94.192.147:443
21.252.107.198:23164
70.224.36.194:59681
113.114.117.122:23397
47.206.4.145:59067
84.49.242.125:17770
26.165.218.44:2248
137.139.135.151:64694
97.90.44.200:37120
128.200.115.228:52884
186.169.2.237:65292
188.165.37.168:80
159.100.250.231:80
159.100.250.231:8080
107.6.12.135:443
210.202.40.35:443

# Reference: https://twitter.com/AffableKraut/status/1234726033930248198

74.121.190.140:8443

# Reference: https://twitter.com/RedDrip7/status/1254678135133442048
# Reference: https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-targeted-attack-against-south-korea-using-new-crown-outbreak-bait/
# Reference: https://www.virustotal.com/gui/domain/teslacontrols.ir/relations

afuocolento.it/wp-admin/network/server_test.php
kingsvc.cc
mbrainingevents.com/wp-admin/network/server_test.php
sofa.rs/wp-admin/network/server_test.php
sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg
teslacontrols.ir/wp-includes/images/detail31.jpg
teslacontrols.ir/wp-includes/images/detail32.jpg
/wp-admin/network/server_test.php

# Reference: https://twitter.com/cyberwar_15/status/1254736896330133504

matteoragazzini.it/wp-content/uploads/2017/06/category.php

# Reference: https://twitter.com/DeadlyLynn/status/1257504361577496576
# Reference: https://twitter.com/ShadowChasing1/status/1257511608189743105

astedams.it/uploads/template/17.dotm
astedams.it/include/inc-elenco-offerter.asp

# Reference: https://twitter.com/spider_girl22/status/1258224278194941953

astedams.it/uploads/frame/61.dotm

# Reference: https://objective-see.com/blog/blog_0x57.html
# Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/
# Reference: https://otx.alienvault.com/pulse/5eb2fabf6c26a287f705ca20

185.62.58.207:443
67.43.239.146:443

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md#IOC
# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/CSV/IOC-Lazarus_2020_05_05.csv
# Reference: https://www.virustotal.com/gui/file/1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f/behavior/VMRay
# Reference: https://www.virustotal.com/gui/file/66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88/behavior/QiAnXin%20RedDrip

51.77.65.154:443
192.169.250.185:443
sanlorenzoyacht.com/newsl/uploads/docs/43.dotm
elite4print.com/admin/order/batchPdfs.asp
od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm

# Reference: https://twitter.com/cyberwar_15/status/1264353716930412544
# Reference: https://www.virustotal.com/gui/file/e637c86ae20a7f36a0ad43618b00c48f47b5591a03af3fb689a16c45afa43733/detection
# Reference: https://www.virustotal.com/gui/file/d3a402458682c4febacc6ae4bc98e15e92142603a97d51316eeee9e8bca77f88/detection

depts.washington.edu/dswkshp/wordpress/wp-content/themes/twentyfifteen/inc/io/

# Reference: https://twitter.com/spider_girl22/status/1265486116393713665

anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg

# Reference: https://twitter.com/cyberwar_15/status/1265266629044080642
# Reference: https://asec.ahnlab.com/1323 (Korean)

mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php
sixbitsmedia.com/wp-content/uploads/wp-logs/category.php

# Reference: https://twitter.com/ShadowChasing1/status/1267431134662541317

fudcitydelivers.com
sctemarkets.com

# Reference: https://twitter.com/IntezerLabs/status/1268158680593313794

threegood.cc

# Reference: https://twitter.com/ccxsaber/status/1268020350605910016

coingotrade.com
kupaywallet.com

# Reference: https://twitter.com/Vishnyak0v/status/1269635930878545922

bluemoonresearch.org
fitnessdirector.net

# Reference: https://twitter.com/RedDrip7/status/1270201358721769475

paghera.com/include/inc-main-default-news.asp

# Reference: https://twitter.com/ShadowChasing1/status/1270728525926944768

ne-ba.org/files/gallery/img/img.asp

# Reference: https://twitter.com/MBThreatIntel/status/1270741821560406019

160.20.147.253:8443
audiopodcasts.co/verify.php
lastedforcast.com/list.php

# Reference: https://twitter.com/spider_girl22/status/1275366600560873473
# Reference: https://www.virustotal.com/gui/file/0fa91cac5712cfc0848af092190fd3d09948f1a7750547f0f16d1867dac6288a/detection

thestreetsmartsalesman.com/wp-content/uploads/wp-logs/category.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1275396942139469824
# Reference: https://app.any.run/tasks/5ddb7e93-bfc8-49a9-bd52-6b70f57c3846/

scertodisha.nic.in/wp-content/plugins/photo-gallery/admin/controllers/Photo.php
haciendasacchich.com/wp-content/plugins/photo-gallery/admin/views/404.php
annafalkenau.com/awstats/data/upload.php

# Reference: https://blog.reversinglabs.com/blog/hidden-cobra
# Reference: https://otx.alienvault.com/pulse/5ef2252af73ae43d92eecd15

1688dsj.com
amytanathorn.com
ccsnbao.com
fmose.com
fudcitydelivers.com
lavaandstone.com
sctemarkets.com
vns1389.com

# Reference: https://twitter.com/ShadowChasing1/status/1276324740878102529

anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg

# Reference: https://twitter.com/JAMESWT_MHT/status/1276471822217891840
# Reference: https://app.any.run/tasks/109752e9-2c7f-4d5c-9c3f-300bddc4c0db/

down.1230578.com

# Reference: https://twitter.com/felixaime/status/1280053007036624896
# Reference: https://sansec.io/research/north-korea-magecart
# Reference: https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/
# Reference: https://www.virustotal.com/gui/file/a6c803d7a185f896a6c90f78891c5dbb904df3535825764e05432641ab059fb1/detection

areac-agr.com
papers0urce.com

# Reference: https://twitter.com/gwillem/status/1281128245052805120

focuscamere.com

# Reference: https://twitter.com/patrickwardle/status/1286109626941845504
# Reference: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/

104.232.71.7:443
107.172.197.175:443
108.170.31.81:443
111.90.146.105:443
111.90.148.132:443
172.81.132.41:443
172.93.184.62:443
172.93.201.219:443
185.62.58.207:443
192.210.239.122:443
198.180.198.6:443
209.90.234.34:443
216.244.71.233:443
23.227.199.53:443
23.227.199.69:443
23.254.119.12:443
67.43.239.146:443
68.168.123.86:443

# Reference: https://twitter.com/cyberwar_15/status/1287291019537473538

nextlevelliving.pro/wp-content/uploads/js_composer/images/8c206b81-f5b1-4242-84d3-237ce728ff35.php

# Reference: https://twitter.com/AnonySecAgency/status/1290115260116897792
# Reference: https://www.virustotal.com/gui/file/40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13/detection

publishapp.co

# Reference: https://twitter.com/RedDrip7/status/1293462469214531584
# Reference: https://www.virustotal.com/gui/file/b0921142f8d3067c8253931977999a5092470ff3e562586d87af68c28ec66a99/detection

unsunozo.org/include/notes/notes.asp

# Reference: https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html
# Reference: https://otx.alienvault.com/pulse/5f4d20e8d417f271a62e0aeb

gestao.simtelecomrs.com.br/sac/digital/client.jsp
sac.onecenter.com.br/sac/masks/wfr_masks.jsp
mk.bital.com.br/sac/Formule/Manager.jsp

# Reference: https://twitter.com/IntezerLabs/status/1300403461809491969
# Reference: https://analyze.intezer.com/analyses/13d64c6e-6ac7-4888-a682-138a06cbaf16/
# Reference: https://www.virustotal.com/gui/file/390f9aae2dd5f0584106e3aa315bbd28a8c6479f126a4f13c7c3a62e19356634/detection

104.217.163.61:443
107.175.172.129:443
37.72.168.228:443

# Reference: https://twitter.com/ShadowChasing1/status/1302180729174937600

fabianiarte.com/uploads/imgup/21it-23792.jpg

# Reference: https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html
# Reference: https://otx.alienvault.com/pulse/5f7389601681e32d5bf045f6

automercado.co.cr/empleo/css/main.jsp
curiofirenze.com/include/inc-site.asp
ne-ba.org/files/news/thumbs/thumbs.asp
sanlorenzoyacht.com/newsl/include/inc-map.asp

# Reference: https://twitter.com/h2jazi/status/1311644338812792833
# Reference: https://www.virustotal.com/gui/file/d2f1cccfe688c074c3d58ae8f7be7b10dbea5d7ae53320c3f7b6e48cd4f62955/detection

phukien2a.net/images/images.zip.000

# Reference: https://blog.talosintelligence.com/2020/11/crat-and-plugins.html
# Reference: https://otx.alienvault.com/pulse/5faf04431c479940b422288b

teslacontrols.ir/wp-includes/images/detail31.jpg
teslacontrols.ir/wp-includes/images/detail32.jpg
sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg
publishapp.co/update/check.php
sideforum.cc/forum/list.php
freeforum.co/forum/list.php
goodfriend.pro/projects/list.php
friendship.me/users/register.php
threegood.cc/api/manage/customers
Engpro.xyz/images/detail.php
infocop.me/products/list.php
teamspit.pro/adverts/follow.php
dodoi.cc/photos/preview.php
advertapp.me/user/invite.php
insideforum.me/forum/list.php
anyoneforum.cc/forum/list.php
goodproject.xyz/projects/list.php
hellofriend.pro/users/register.php
moonge.cc/wp-content/plugins/google-sitemap-generator/sitemap-builder-embed.php
calculactcal.org/wp-content/themes/twentysixteen/body.php
3cuartos.com/wp-content/plugins/music-press-pro/templates/global/update.php
worldfoodstory.co.uk/wp-includes/register.php
bokkeriejesj.nl/wp-content/plugins/music-press-pro/upload.php
encontrosmaracatu.com.br/wp-content/plugins/music-press-pro/templates/global/topmenu.php
theblackout.fr/wp-content/plugins/music-press-pro/music-pro.php
mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php
tiramisu.it/wp-content/plugins/wp-comment-form.php
kartacnictvi.cz/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/upload.php
dimer-group.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/download.php
ecolerubanvert.com/wp-content/plugins/image-intense/know.php
lwac.com/wp-content/plugins/gallery-plugin/includes/demo-data/images/music/photo.php
copansrl.it/wp-admin/user/invite.php
arar-musique.fr/wp-content/plugins/music-press-pro/includes/admin/upgrade.php
firstalliance.church/wp-content/plugins/music-press/templates/404.php
erickeleo.com.br/wp-content/plugins/music-press-pro/go.php
kingsvc.cc/index.php
sofa.rs/wp-admin/network/server_test.php
afuocolento.it/wp-admin/network/server_test.php
mbrainingevents.com/wp-admin/network/server_test.php
afuocolento.it/wp-includes/process.php

# Reference: https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/
# Reference: https://otx.alienvault.com/pulse/5fb4044fd5f18831c24c6af6

cowp.or.kr/html/board/main.asp
erpmas.co.kr/Member/franchise_modify.asp
fored.or.kr/home/board/view.php
gncaf.or.kr/cafe/cafe_board.asp
gongsinet.kr/comm/comm_gongsi.asp
goojoo.net/board/banner01.asp
hsbutton.co.kr/bbs/bbs_write.asp
hstudymall.co.kr/easypay/web/bottom.asp
ikrea.or.kr/main/main_board.asp
pcdesk.co.kr/Freeboard/mn_board.asp
pgak.net/service/engine/release.asp
quecue.kr/okproj/ex_join.asp
style1.co.kr/main/view.asp
wowpress.co.kr/customer/refuse_05.asp
zndance.com/shop/post.asp

# Reference: https://twitter.com/h2jazi/status/1334353120038678528
# Reference: https://www.virustotal.com/gui/file/c19064733f2a23f09c8b16b3847cceeac8f61488be57911cefceb75425501097/detection

ilhak.co.kr/images/data/upload.asp
ktri.or.kr/upload/mail/upload.asp
warevalley.com/support/orange_open.asp

# Reference: https://twitter.com/BitsOfBinary/status/1321488299932983296
# Reference: https://twitter.com/BitsOfBinary/status/1337330286787518464
# Reference: https://twitter.com/mg2_tracy1/status/1337335098224508928
# Reference: https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=3051

admforte.com.br/wp-content/plugins/top.php
dafnefonseca.com/wp-content/themes/top.php
drei-schneeballen.de/wp-content/plugins/nextgen-gallery/view.php
funny-pictures.picphotos.net/saint-louis-senior-photos-senior-pictures-seniors-st-louis-st-louis/upload.php
greenvideo.nl/wp-content/themes/top.php
haciendadeclarevot.com/wp-content/top.php
justholdfast.com/doodle/wp-content/plugins/top.php
qwerty.creativehonduras.com/wp-includes/class-wp-redirect.php
shahrtdc.com/wp-content/plugins/top.php
tag-cloud-photo.freeware.filetransit.com/login.php
urbankizomba.se/wp-content/plugins/photo-gallery/filemanager/upload.php

# Reference: https://otx.alienvault.com/pulse/5fd8dbfcfed23b6fa1393ea9

yakufreshperu.com/facturacion/public/css/main.php
shikshakibaat.com/classes/detail.jsp
sanlorenzoyacht.com/newsl/include/inc-map.asp
paghera.com/content/view/thumb/info.asp
lyzeum.com/popup/popup.asp
index-consulting.jp/eng/news/index.php
hansolhope.or.kr/welfare/notice/view.jsp
forecareer.com/gdcareer/officetemplate-20nab.asp
fidesarte.it/thumb/multibox/style/common.asp
fabianiarte.com/uploads/imgup/21it-23792.jpg
fabianiarte.com/pdf/thumbs/thumb.asp
emilypress.com/CMWorking/Static/service/center.asp
curiofirenze.com/include/inc-site.asp
calculadoras.mx/themes/pack/pilot.php
automercado.co.cr/empleo/css/main.jsp
astedams.it/photos/image/image.asp
arumdaunresort.com/admin/html/user/contact.asp
apars-surgery.org/bbs/bbs_files/board_photo/menu.php
anca-aste.it/uploads/form/02E319AF73A33547343B71D5CB1064BC.dotm
vega.mh-tec.jp/.well-known/index.php
turnscor.com/ACT/images/slide/view.jsp
prestigein-am.jp/akita/wp-includes/wp-rss1.php
genieaccount.com/images/common/common.asp
acanicjquery.com/slides/style.php
mannpublicwhseltd.com/cservice.asp
hirokawaunso.co.jp/wordpress/wp-includes/review.php
anisweb.org/layout/site/style/preview.jsp
support.medicalinthecloud.com/TechCenter/include/slide.asp
pennontraders.com/assets/slides/view.jsp
indoweb.org/love/data/common/common.php
admin.shcpa.co.kr/_asapro2/formmail/lib.php
http://137.74.114.227/theveniaux/webliotheque/public/css/main.php
http://125.206.177.152/old/viewer.php

# Reference: https://twitter.com/BitsOfBinary/status/1339623925274296323

muzeyyengroup.com/wp-content/help.php
puskesmas-terminal.com/wp-content/help.php
zeandf.com/wp-content/help.php

# Reference: https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
# Reference: https://otx.alienvault.com/pulse/5fe36c30dbe6a83c04783415

bytecortex.com.br/eletronicos/digital.jsp
client.livesistemas.com/Live/posto/system.jsp
cometnet.biz/framework/common/common.asp
gongim.com/board/ajax_Write.asp
iski.silogica.net/events/serial.jsp
k-kiosk.com/bbs/notice_write.asp
kne.co.kr/upload/Customer/BBS.asp
locknlockmall.com/common/popup_left.asp
sac.najatelecom.com.br/sac/Dados/ntlm.jsp
sistema.celllab.com.br/webrun/Navbar/auth.jsp

# Reference: https://twitter.com/ShadowChasing1/status/1349924271791882247
# Reference: https://www.virustotal.com/gui/file/867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36/detection
# Reference: https://www.virustotal.com/gui/file/89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957/detection

aideck.net

# Reference: https://twitter.com/ShadowChasing1/status/1349927630183694339

creaideck.com/update/darwin64.bin

# Reference: https://www.virustotal.com/gui/file/d09041e3d635ddb28540b11cf180a30a28fc04c2ee6e5d994aa0bacc9633e944/detection

hpc.kau.ac.kr/rolling_banner/tmp4c5ae3.p3a
hpc.kau.ac.kr/error2.php

# Reference: https://twitter.com/BushidoToken/status/1353684625382641664
# Reference: https://www.virustotal.com/gui/ip-address/120.138.8.26/relations
# Reference: https://www.virustotal.com/gui/file/cabb45c99ffd8dd189e4e3ed5158fac1d0de4e2782dd704b2b595db5f63e2610/detection
# Reference: https://www.virustotal.com/gui/file/a9b3bc337043c04f529b2c19b3e33df1ad59bce27c074427e7b563db3a83c37b/detection
# Reference: https://www.virustotal.com/gui/file/bdf9fffe1c9ffbeec307c536a2369eefb2a2c5d70f33a1646a15d6d152c2a6fa/detection

advantims.com

# Reference: https://twitter.com/ShadowChasing1/status/1353972356759187456

angeldonationblog.com

# Reference: https://twitter.com/K_N1kolenko/status/1353975032104558592
# Reference: https://twitter.com/500mk500/status/1353992570519609344
# Reference: https://twitter.com/RedDrip7/status/1354038387603197952
# Reference: https://twitter.com/sS55752750/status/1354059524739653633
# Reference: https://twitter.com/vngkv123/status/1357247638228226053
# Reference: https://twitter.com/blackorbird/status/1357259907448229888
# Reference: https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg (Korean)
# Reference: https://enki.co.kr/blog/2021/02/04/ie_0day.html (Korean)
# Reference: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# Reference: https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/
# Reference: https://otx.alienvault.com/pulse/60103a3268891c63b1f24d74
# Reference: https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection
# Reference: https://www.virustotal.com/gui/file/a08d24f74027256c6fd5c5a2fdb15b12889971fbdcfa7a28ffebbfe8b15aaefb/detection
# Reference: https://www.virustotal.com/gui/file/9c906c2f3bfb24883a8784a92515e6337e1767314816d5d9738f9ec182beaf44/detection
# Reference: https://www.virustotal.com/graph/embed/g4784ec032b3f4cb987a616f4b2dbc9aa9a982d9b20494f8980ae611a4ca3a1d8

angeldonationblog.com
codebiogblog.com
codevexillium.org
investbooking.de
krakenfolio.com
opsonew3org.sg
transferwiser.io
transplugin.io
blog.br0vvnn.io
codevexillium.org/image/download/download.asp
colasprint.com/_vti_log/upload.asp
dronerc.it/forum/uploads/index.php
dronerc.it/shop_testbr/Adapter/Adapter_Config.php
dronerc.it/shop_testbr/Core/upload.php
dronerc.it/shop_testbr/upload/upload.php
edujikim.com/intro/blue/insert.asp
fabioluciani.com/ae/include/constant.asp
fabioluciani.com/es/include/include.asp
loonsaloon.com/wp-content/plugins/revslider/hello.php
transplugin.io/upload/upload.asp
trophylab.com/notice/images/renewal/upload.asp

# Reference: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
# Reference: https://otx.alienvault.com/pulse/601052e27a2c451b3ba5ed31

akramportal.org/public/voice/voice.php
commodore.com.tr/mobiquo/appExtt/notdefteri/writenote.php
fabianiarte.com/newsletter/arte/view.asp
hirokawaunso.co.jp/wordpress/wp-includes/ID3/module.audio.mp4.php
index-consulting.jp/eng/news/index.php
inovecommerce.com.br/public/pdf/view.php
ja-fc.or.jp/shop/shopping.php
kenpa.org/yokohama/main.php
leemble.com/5mai-lyon/public/webconf.php
mail.clicktocareers.com/dev_clicktocareers/public/mailview.php
scimpex.com/admin/assets/backup/requisition/requisition.php
tronslog.com/public/appstore.php
vega.mh-tec.jp/.well-known/index.php

# Reference: https://twitter.com/Dashowl/status/1354264740692942848

trophylab.com/design/trophy/product/lmages/logo.png
worldspia.kr/upload_images/inc/LOG.PHP

# Reference: https://twitter.com/mattyb1512/status/1354070629469872129

ctrac.online

# Reference: https://twitter.com/h2jazi/status/1362109944791764993
# Reference: https://www.virustotal.com/gui/file/0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba/detection
# Reference: https://www.virustotal.com/gui/file/91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd/detection
# Reference: https://www.virustotal.com/gui/file/dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61/detection

kupaywallet.com
levelframeblog.com
dorusio.com/dorusio_update.php

# Reference: https://twitter.com/ShadowChasing1/status/1362362744909930496

materialindia.in/wp/wp-main/gallery/profile2.php
totalmateria.net/wp/profile2.php

# Reference: https://securelist.com/lazarus-threatneedle/100803/
# Reference: https://otx.alienvault.com/pulse/6037c3cea83bb963f5be0d51/

http://156.245.16.55/admin/admin.asp
americanhotboats.com/forums/core/cache/index.php
astedams.it/photos/image/image.asp
au-pair.org/admin/Newspaper.asp
au-pair.org/admin/login.asp
automercado.co.cr/empleo/css/main.jsp
cloudarray.com/images/logo/videos/cache.jsp
colasprint.com/_vti_log/upload.asp
curiofirenze.com/include/inc-site.asp
dellarocca.net/it/content/img/img.asp
digitaldowns.us/artman/exec/upload.php
djasw.or.kr/sub/popup/images/upfiles.asp
docentfx.com/wp-admin/includes/upload.php
dronerc.it/forum/uploads/index.php
dronerc.it/shop_testbr/Adapter/Adapter_Config.php
edujikim.com/intro/blue/view.asp
edujikim.com/pay/sample/INIstart.asp
edujikim.com/smarteditor/img/upload.asp
fabioluciani.com/ae/include/constant.asp
fabioluciani.com/es/include/include.asp
forum.iron-maiden.ru/core/cache/index.php
forum.snowreport.gr/cache/template/upload.php
fredrikarnell.com/marocko2014/index.php
geeks-board.com/blog/wp-content/uploads/2017/cache.php
gonnelli.it/uploads/catalogo/thumbs/thumb.asp
juvillage.co.kr/img/upload.asp
kannadagrahakarakoota.org/forums/admincp/upload.php
kbcwainwrightchallenge.org.uk/connections/dbconn.asp
kwwa.org/DR6001/FN6006LS.asp
kwwa.org/popup/160307/popup_160308.asp
lyzeum.com/board/bbs/bbs_read.asp
lyzeum.com/images/board/upload.asp
martiancartel.com/forum/customavatars/avatars.php
mdim.in.ua/core/cache/index.php
newidealupvc.com:443/img/prettyPhoto/jquery.max.php
polyboatowners.com/2010/images/BOTM/upload.php
polyboatowners.com/css/index.php
prototypetrains.com:443/forums/core/cache/index.php
raiestatesandbuilders.com/admin/installer/installer/index.php
roit.co.kr/xyz/mainpage/view.asp
sanatoliacare.com/include/index.asp
sanlorenzoyacht.com/newsl/include/inc-map.asp
shinwonbook.co.kr/basket/pay/open.asp
shinwonbook.co.kr/board/editor/upload.asp
theforceawakenstoys.com/vBulletin/core/cache/upload.php
waterdoblog.com/uploads/index.asp

# Reference: https://twitter.com/AnonySecAgency/status/1366971633458548738
# Reference: https://twitter.com/ShadowChasing1/status/1366988046294376450
# Reference: https://www.virustotal.com/gui/file/03cd4ec3defa490e68b1ca2efaf8daea6f89d3cceed51c91f4c4f9e2222d258d/detection

gcloud-share.com
dshellelink.gcloud-share.com

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1225581378840006656 (# DangerousPasswords)
# Reference: https://pastebin.com/raw/cLWvyJ20
# Reference: https://twitter.com/Rmy_Reserve/status/1230881875767377920
# Reference: https://twitter.com/ShadowChasing1/status/1328208737933246464
# Reference: https://www.virustotal.com/gui/file/4c574c1a2b126c8a5ba1ef9560516d0ac9990c0253119f874eb084b57742e3d7/detection

http://84.201.189.216
103.205.179.4:8080
amazonaws1.info
gdrvup.xyz
gmaildrive.site
googleauth.pro
googledriver.info
googleupload.info
liveonedrvshare.xyz
secureshares.online
gdriveupload.info

# Reference: https://twitter.com/Rmy_Reserve/status/1246404220040802309 (# DangerousPassword)

88.204.166.59:8080

# Reference: https://twitter.com/ShadowChasing1/status/1339195498519875585 (# DangerousPassword)

gdocshare.com

# Reference: https://twitter.com/ShadowChasing1/status/1367368069618700291
# Reference: https://twitter.com/_re_fox/status/1260931809103101957
# Reference: https://twitter.com/_re_fox/status/1301564536575733760
# Reference: https://twitter.com/_re_fox/status/1301565785345863689
# Reference: https://twitter.com/mattnotmax/status/1370311682354941954
# Reference: https://twitter.com/cyber__sloth/status/1285510760303656960
# Reference: https://www.virustotal.com/gui/file/d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805/detection
# Reference: https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_302_kodera_jp.pdf (Japanese)
# Reference: https://www.virustotal.com/gui/file/01184a5acb8b3ec56c9e90f2e6cd6673ae83b4fd6982e17329b33da2f77bcf5b/detection

doc.gsheetshare.org
docs.dsharefile.tech
docs.gdriveshare.top
drop.trailads.net
dsharefile.tech
gsheetshare.org
filehost.network
mdown.showprice.xyz
mse.theworkpc.com
name.ownemail.me
newsbtctech.com
ownemail.me
share.onedrvfile.site
shop.newsbtctech.com
trailads.net
up.digifincx.com
up.myemail.works

# Reference: https://twitter.com/ShadowChasing1/status/1339933511973699584 (# DangerousPassword)
# Reference: https://www.virustotal.com/gui/file/c64e2993563345fd497cfc382de27c7791b4f172d2c50d79b6290c2f9c06102c/detection

google-clouds.com

# Reference: https://twitter.com/cyber__sloth/status/1344208175168368641 (# DangerousPassword)
# Reference: https://twitter.com/cyber__sloth/status/1344208380525752321 (# DangerousPassword)

addrcheck.corecheckmailsrv.com
cloud-sheet.net
cloud.optvers.net
corecheckmailsrv.com
digitalcurencygroup.co
down.privatework.buzz
fidelitydigitalsassets.com
gdocshare.com
goglestorage.com
google-clouds.com
googleproduct.org
gsuiteshare.com
msftoffice.com
myemail.works
official.googleproduct.org
presentonline.xyz
privatework.buzz
sharesvr.net

# Reference: https://twitter.com/h2jazi/status/1369305004922855431
# Reference: https://twitter.com/h2jazi/status/1369307165807280135

torgirf.ru/loginhome.css

# Reference: https://twitter.com/h2jazi/status/1370024802791096320
# Reference: https://www.virustotal.com/gui/file/46fcbc170e84d8ad48434251421bd8f6fa49a7e741d2c24d31c170c607c60d51/detection
# Reference: https://www.virustotal.com/gui/file/c8a8d2caa429a8bbe885ef8d59d982b4bfd9c48f1255ff69e3b81c6bbd7b2925/detection

dronerc.it/shop_testbr/localization/dir_photoes/image.php
dronerc.it/shop_testbr/localization/dir_photoes/logo.php

# Reference: https://twitter.com/h2jazi/status/1354880834092859395
# Reference: https://www.virustotal.com/gui/ip-address/104.168.158.103/relations
# Reference: https://www.virustotal.com/gui/file/aec3ced40a3451dc2c6b1704cc50b0e0c8e549faaa8ae42b6d6f421b4fc2ef8a/detection
# Reference: https://www.virustotal.com/gui/file/e7a4d8b80dc653a47440db2a8deaf782109bb710e5d4311bc3d7685dba715865/detection
# Reference: https://www.virustotal.com/gui/file/75d3d96033db529c9ae698ac6de8fba420c2daa5d97614d7118f49e03c2d83d3/detection

documentprotect.live
documentprotect.pro

# Reference: https://twitter.com/h2jazi/status/1373985591814197250
# Reference: https://www.virustotal.com/gui/file/09b83a501b8f919fc4861735097dd50957f21e81209d362b4fa425bd3348a495/detection

cloudshare.jumpshare.vip

# Reference: https://twitter.com/HONKONE_K/status/1374178555634933762
# Reference: https://www.virustotal.com/gui/file/66e96fbd6e977ddef3f0a2924978d92e5d67bd96e68dc4832f5041dbd40bcfc9/detection
# Reference: https://www.virustotal.com/gui/file/e087d06c552aeef36c2ba9fdd14b06fca499f2d37dfea21e480a02a748b19bf1/detection

antcapital.us
document.antcapital.us
protect.antcapital.us

# Reference: https://twitter.com/DrN1ght/status/1374026917343543301

chemistryworld.us
coinbigex.com
innoenergy.info
mclland.com
qooqle.download

# Reference: https://twitter.com/h2jazi/status/1375528365587894272
# Reference: https://www.virustotal.com/gui/file/2fdba1e332203ca0d01992b137ebeaa1f21f7c3daec7230e6b8a4d36182caed4/detection

sanlorenzoyacht.com/newsl/uploads/docs/

# Reference: https://twitter.com/ShadowChasing1/status/1377610488830291973
# Reference: https://twitter.com/ShadowChasing1/status/1377628563000594433
# Reference: https://securelist.com/dtrack-targeting-europe-latin-america/107798/

toysbagonline.com
purewatertokyo.com
pinkgoat.com
purplebear.com
yellowlion.com
salmonrabbit.com
bluecow.com

# Reference: https://twitter.com/darktracer_int/status/1380309710721622016
# Reference: https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/
# Reference: https://otx.alienvault.com/pulse/60739323ef1b2b3a187f0f15

4bjt2rceijktwedi.onion
cwwpxpxuswo7b6tr.onion

# Reference: https://twitter.com/fr0s7_/status/1381328726819020804
# Reference: https://www.virustotal.com/gui/file/e514d83d2aaa1357b34f5f11ecc35afe10b6240796e085977e9d4a56145bb8b3/detection

protectoffice.club

# Reference: https://twitter.com/ShadowChasing1/status/1382514587589742597
# Reference: https://www.virustotal.com/gui/file/f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72/detection

jinjinpig.co.kr/Anyboard/skin/board.php
mail.namusoft.kr/jsp/user/eam/board.jsp

# Reference: https://www.group-ib.com/blog/btc_changer

luxmodelagency.com/wp-incluses/random_compat/zeus/wongs/wongs.php
/random_compat/zeus/wongs/wongs.php
/zeus/wongs/wongs.php

# Reference: https://twitter.com/ShadowChasing1/status/1384016097494507521
# Reference: https://twitter.com/cyberwar_15/status/1384462513249546244
# Reference: https://www.virustotal.com/gui/file/79e15cc02c6359cdb84885f6b84facbf91f6df1254551750dd642ff96998db35/detection

ddjm.co.kr/bbs/icon/skin/skin.php
snum.or.kr/skin_img/skin.php

# Reference: https://www.virustotal.com/gui/file/6d2ecc3b0a43f0c377ea6d9a68aa5ac0d48635a04219264fb0702976efea8ef6/detection

http://121.146.68.233/fileserver/temp/platform.asp
http://121.254.224.218/angkor.ylw.common.fileserviceserver/web/document/netframework.asp
codibest.com/data/geditor/main_1.php
gbflatinamerica.com
myungokhun.co.kr/_proc/member/member_bk.asp
/angkor.ylw.common.fileserviceserver/web/document/netframework.asp
/data/geditor/main_1.php
/fileserver/temp/platform.asp

# Reference: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/
# Reference: https://otx.alienvault.com/pulse/608af383c5be4591c5da02e5

akramportal.org/delv/public/voice/voice.php
apars-surgery.org/bbs/bbs_files/board_blog/write.php
bootcamp-coders.cnm.edu
ctevt.org.np/ctevt/public/frontend/review.php
forecareer.com/gdcareer/officetemplate-20nab.asp
gbflatinamerica.com/file/filelist.php
goldllama4.sakura.ne.jp
hospitality-partners.co.jp/works/performance/consumer.php
inovecommerce.com.br/public/pdf/view.php
mail.clicktocareers.com/public/jobapplications/jdviewer.php
propro.jp/wp-content/documents/docsmgmt.php
vega.mh-tec.jp/.well-known/gallery/siteview.php

# Reference: https://www.virustotal.com/gui/file/610047be0b2360d609baa71be22ddc5814743868886f8d85ab9985d3f01229d6/detection

mappo-on.life
help.mappo-on.life

# Reference: https://www.virustotal.com/gui/file/27bfac11c1f9184b515fbf5fcd946e921c95506f89eb273e148fcf0068e50932/detection

octo-manage.net
help.octo-manage.net

# Reference: https://twitter.com/ShadowChasing1/status/1391981731394187266
# Reference: https://www.virustotal.com/gui/file/a0d070b66408654cdcb84784e77914dc355a23c81e3e6ef36362470619c4de96/detection

http://45.61.136.204
googledocpage.com

# Reference: https://twitter.com/ShadowChasing1/status/1393356174506921985
# Reference: https://www.virustotal.com/gui/file/8e1746829851d28c555c143ce62283bc011bbd2acfa60909566339118c9c5c97/detection

allgraphicart.com

# Reference: https://twitter.com/ShadowChasing1/status/1397768682776895491
# Reference: https://www.virustotal.com/gui/file/8d48a77e7a4b8c824d8c1b890dc3e2b904e6fa8fbe8dae1a22f5870916c01c20/detection

sslsharecloud.net
dev.sslsharecloud.net

# Reference: https://twitter.com/ShadowChasing1/status/1398468263818928136

ewha-ac.ml

# Reference: https://twitter.com/ShadowChasing1/status/1399369260577681426
# Reference: https://www.virustotal.com/gui/file/4059fea324e27cfbd4955f37dc7791709dbf35a800449373c6715bc53b88f7c5/detection

amene.homepc.it

# Reference: https://twitter.com/360CoreSec/status/1402920149754155010
# Reference: https://www.virustotal.com/gui/file/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c/detection
# Reference: https://www.virustotal.com/gui/file/3b33b0739107411b978c3cbafb312a44b7488bd7adabae3e7b02059240b6dc83/detection

shopweblive.com

# Reference: https://twitter.com/h2jazi/status/1406401709157629952
# Reference: https://twitter.com/ShadowChasing1/status/1406592585796177924
# Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
# Reference: https://www.virustotal.com/gui/file/5c2f339362d0cd8e5a8e3105c9c56971087bea2701ea3b7324771b0ea2c26c6c/detection

allamwith.com/home/mobile/list.php
conkorea.com/cshop/banner/list.php
ddjm.co.kr/bbs/icon/skin/skin.php
hivekorea.com/jdboard/member/list.php
jinjinpig.co.kr/Anyboard/skin/board.php
mail.namusoft.kr/jsp/user/eam/board.jsp
mail.neocyon.com/jsp/user/sms/sms_recv.jsp
mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp
snum.or.kr/skin_img/skin.php
/jsp/user/sms/sms_recv.jsp

# Reference: https://twitter.com/360CoreSec/status/1405790277034418177
# Reference: https://www.virustotal.com/gui/file/35a39299c47bc701dbe7cb72fcb695d08eb2095d1a5b8b7942d3034d16435e89/detection
# Reference: https://www.virustotal.com/gui/file/382a209ce5745c85507b0bd80b87496ad92128e6870199d0c33d6ddedc542dd1/detection
# Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection

185.208.158.204:443
193.56.28.251:443

# Reference: https://twitter.com/ShadowChasing1/status/1405515076149284870
# Reference: https://www.virustotal.com/gui/file/4c4cc3abd3ddb15d5306fb647c6d779b18df5b949673bb3f3f87faa2c5f56a6a/detection

authenticate.azure-drive.com

# Reference: https://twitter.com/ShadowChasing1/status/1407993219720224771

elwoodasset.xyz
sharemanage.elwoodasset.xyz

# Reference: https://twitter.com/360CoreSec/status/1410127120177635328

52.202.193.124:443

# Reference: https://twitter.com/fr0s7_/status/1402394083331559431
# Reference: https://twitter.com/Jup1a/status/1402470227292561412
# Reference: https://www.virustotal.com/gui/file/1939d9fdcf831dc4cac001ba193669c75a336258bc99a1775471554229e4a69b/detection

azure-drive.com
download.azure-drive.com
protect.azure-drive.com

# Reference: https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12
# Reference: https://otx.alienvault.com/pulse/60e6d2a6786d43397db19bc7

grandgolf.co.kr/html/facilities/facilities_01_06.asp
kdone.co.kr/Utils/EmailUtil.asp
namchuncheon.co.kr/admin/BookAppl/Search_left.asp

# Reference: https://twitter.com/ShadowChasing1/status/1412934665292316677
# Reference: https://twitter.com/ShadowChasing1/status/1412953330700062726

http://95.179.235.55
sharebusiness.xyz
signverydn.sharebusiness.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1412932935523573760
# Reference: https://www.virustotal.com/gui/file/8afdf8513a6e3bede16187004daccc95e193a29062415d9ba0c29b98a5a927d1/detection

devprocloud.com
share.devprocloud.com

# Reference: https://mp.weixin.qq.com/s/y-SHoh9f5qwAwqml3uf8vw
# Reference: https://otx.alienvault.com/pulse/60f930c9c1a69acdb28adea6

smartaudpor.com

# Reference: https://twitter.com/h2jazi/status/1445596955552272389

gozdeelektronik.net/wp-content/themes/0111/

# Reference: https://twitter.com/s1ckb017/status/1447476954639347712
# Reference: https://www.virustotal.com/gui/file/cf10c1cad090ab31d9e579df3bd22f3d0653792cb010e1d6ac0e2cd1ced52076

digitalguarder.com

# Reference: https://twitter.com/h2jazi/status/1455601350222417926
# Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection

mantis.linkundlink.de
/logs/officetemplate.php

# Reference: https://twitter.com/ESETresearch/status/1458438169502826508
# Reference: https://www.virustotal.com/gui/ip-address/45.147.231.213
# Reference: https://www.virustotal.com/gui/file/fe80e890689b0911d2cd1c29196c1dad92183c40949fe6f8c39deec8e745de7f/detection

devguardmap.org
navercorpservice.com

# Reference: https://twitter.com/ShadowChasing1/status/1455489336850325519
# Reference: https://www.virustotal.com/gui/file/65b5709f67bb0fac31ec977f98cda6f89f4b38703ee5aeef0b633c33669ea88a/detection

thetalkingcanvas.com/jobs/en-gb/jobs/9/details.php

# Reference: https://twitter.com/h2jazi/status/1462832390632583168
# Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096

ditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php

# Reference: https://twitter.com/ShadowChasing1/status/1465998017836707840
# Reference: https://twitter.com/ShadowChasing1/status/1465998020734898176

http://152.89.247.236
silvergatehr.com
ny.silvergatehr.com
/5Ek9724mz8oncul8Zx7E7CVDCdBNxuFFUO6pLk/

# Reference: https://twitter.com/k3yp0d/status/1468485748269662208
# Reference: https://app.any.run/tasks/ff306f89-64d4-4d30-8b72-7c0be0b1f9fb/

cloudplus.one
drive.cloudplus.one

# Reference: https://twitter.com/h2jazi/status/1462832390632583168
# Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096/detection

aditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus_APT_Related.json
# Reference: https://www.virustotal.com/gui/ip-address/149.28.162.113/relations

dubbedfinally.link
filesaves.cloud
fsdriveshare.org
googlesheetpage.org
gsheetpage.com
help-optus.com
onedocshare.com
onlinedoc.dev
pilotview.cloud
retrots.net
tresordocs.com
trollinguneaten.org
database.retrots.net
doc.filesaves.cloud
docs.gsheetpage.com
license.cloudplus.one
product.onlinedoc.dev
sheet.tresordocs.com
support.pilotview.cloud

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus.json

autodiscover.vin
banner-counter.com
clarionhpdu.top
craptioerne.com
fhewkhwjehwekjfhwehfwe.com
lif0.top
smartscreenfilter.com
statcounters.net
vz206llb19o.com
2ab9.watashinonegai.ru
b.watashinonegai.ru
d.watashinonegai.ru
apkv3.clarionhpdu.top
cltpk.doomdns.org
down.mykings.pw

# Reference: https://twitter.com/souiten/status/1468818352156020737
# Reference: https://www.virustotal.com/gui/file/b3646d8cbadc7620ca7782f2525cc019740a3088f32e2ea9a6c97cc1432537b0/detection

fsdriveshare.org
dmarc.fsdriveshare.org
file.fsdriveshare.org
share.fsdriveshare.org

# Reference: https://twitter.com/ffforward/status/1456239300593524741
# Reference: https://www.virustotal.com/gui/file/0b8d7a851920d4584777505f9fb484b226a8457d4049885a87c847f7d3532d28/detection

stablemarket.org
share.stablemarket.org

# Reference: https://twitter.com/k3yp0d/status/1448552868907204612
# Reference: https://www.virustotal.com/gui/domain/cloudmgmt.org/relations

cloudmgmt.org
share.cloudmgmt.org

# Reference: https://threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/
# Reference: https://otx.alienvault.com/pulse/61c9aff8d72c2a4731021bee

allamwith.com/home/mobile/list.php
conkorea.com/cshop/banner/list.php
ddjm.co.kr/bbs/icon/skin/skin.php
jinjinpig.co.kr/Anyboard/skin/board.php
mail.namusoft.kr/jsp/user/eam/board.jsp
mail.neocyon.com/jsp/user/sms/sms_recv.jsp
mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp
snum.or.kr/skin_img/skin.php
/jsp/user/sms/sms_recv.jsp

# Reference: https://twitter.com/h2jazi/status/1483521532433473536
# Reference: https://twitter.com/h2jazi/status/1483521535268769793
# Reference: https://www.virustotal.com/gui/file/0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b/detection

lm-career.com

# Reference: https://twitter.com/s1ckb017/status/1484451637653614592
# Reference: https://twitter.com/h2jazi/status/1486448926081302536
# Reference: https://www.virustotal.com/gui/file/0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1/detection

allinfostudio.com
markettrendingcenter.com
yourblogcenter.com

# Reference: https://twitter.com/czy_1116/status/1485813878550597632
# Reference: https://www.virustotal.com/gui/file/3542078fd524e3cb141d5bebf96aea73467505a07ae72fc58395afa14f22e8a3/detection

gfinanzen.net
portal.gfinanzen.net

# Reference: https://twitter.com/ShadowChasing1/status/1486530954382348290
# Reference: https://www.virustotal.com/gui/file/ac7b6ca73207db6ec6d4af2632a7c842c32af6658e3214753e589b567d809125/detection

docusign.agency

# Reference: https://twitter.com/h2jazi/status/1487070198955978753

loneeaglerecords.com/wp-content/uploads/2020/01/images.tgz.001
/update_coingotrade.php

# Reference: https://twitter.com/h2jazi/status/1490057626134192136
# Reference: https://www.virustotal.com/gui/file/08c3aaeec3da9a106536ad1beff4d2ed23d1e31c9481be60f5dbd5eb1a01d2e5/detection

sportsblogweb.com

# Reference: https://twitter.com/s1ckb017/status/1489591023030448129
# Reference: https://www.virustotal.com/gui/file/29de2289a2b111a4873e49402c310b2ad0e3de51b5562ee1422a37c514910c71/detection

designautocad.org

# Reference: https://twitter.com/cyberoverdrive/status/1490839283803951106
# Reference: https://www.virustotal.com/gui/file/353f82475fcfad5b3f06ed85a931bda46ec34279793b5d70085aa8c603e8ebec/detection

datacentre.center

# Reference: https://twitter.com/ShadowChasing1/status/1490958579930517504
# Reference: https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f/detection

shopapppro.com
shopapptech.com

# Reference: https://twitter.com/pkalnai/status/1489269982814949382
# Reference: http://report.threatbook.cn/LS.pdf (Chinese)
# Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection

bmanal.com
canyonzcc.com
devguardmap.org
industryinfostructure.com
linkundlink.de
mante.li
shopandtravelusa.com
mantis.linkundlink.de

# Reference: https://twitter.com/jaydinbas/status/1468521246862233603
# Reference: https://www.virustotal.com/gui/file/ef2d3e488b781a7c6144afa8fc8ba2b6d085ca671100d04686097f3b4dd2ed42/detection

mantis-gewa.technisat-digital.de

# Reference: https://twitter.com/czy_1116/status/1498190652412203008
# Reference: https://www.virustotal.com/gui/file/4cbad835586faf1d91431d5421b58b4acda0bd280cfbaf8a5d4820aec486b0e6/detection

bloomcloud.org
share.bloomcloud.org

# Reference: https://twitter.com/ShadowChasing1/status/1502240130702065664

open.googlesheetpage.org
/KcyRbGDJKRZoaLq8lHh8/C0sHwcGMH2/
/C0sHwcGMH2/
/KcyRbGDJKRZoaLq8lHh8/

# Reference: https://twitter.com/malwrhunterteam/status/1503640289810038786
# Reference: https://twitter.com/malwrhunterteam/status/1504573045750571010
# Reference: https://twitter.com/malwrhunterteam/status/1506008938197643266
# Reference: https://twitter.com/h2jazi/status/1503826030812925962
# Reference: https://twitter.com/h2jazi/status/1503826034923388929
# Reference: https://www.virustotal.com/gui/file/8672acfb06258f5b6dec3700cd7f91a0c013a70a9664dbc6cf33a4c6406756ed/detection
# Reference: https://www.virustotal.com/gui/file/e62a7d9184a841e2b53e41f2d85aa278b427e2e427dbfd8f4be072108e3089c1/detection
# Reference: https://www.virustotal.com/gui/file/689d5513ad52ad5e7a631a9147049c4cc494ad514b81cf41e841fb244c766b8b/detection
# Reference: https://www.virustotal.com/gui/file/a51cad94475e0af91d270146379574b5a8ae70a03098318ddf9912784ace3cba/detection

encorpost.com
foxiebed.com
hillokay.com
nhn-games.com
sktelecom.help
want-helper.com

# Reference: https://twitter.com/h2jazi/status/1505965580075114498
# Reference: https://www.virustotal.com/gui/file/e3a4e97e27bcfb6126ebfe92827cfb6b7e0c04eb7f5426bf17dd366e4723d1ef/detection

pvacek.cz/wp-content/plugins/akismet/control/en/en.jpg

# Reference: https://twitter.com/h2jazi/status/1505983796897894401
# Reference: https://www.virustotal.com/gui/file/d0cf9c1f87eac9b8879684a041dd6a2e1a0c15e185d4814a51adda19f9399a9b/detection

webhosttech.org

# Reference: https://twitter.com/blackorbird/status/1507040337097027584
# Reference: https://blog.google/threat-analysis-group/countering-threats-north-korea/

disneycareers.net
find-dreamjob.com
indeedus.org
varietyjob.com
ziprecruiters.org
blockchainnews.vip
chainnews-star.com
financialtimes365.com
fireblocks.vip
gatexpiring.com
gbclabs.com
giantblock.org
humingbot.io
onlynova.org
teenbeanjs.com
colasprint.com/about/about.asp
varietyjob.com/sitemap/sitemap.asp
financialtimes365.com/user/finance.asp
gatexpiring.com/gate/index.asp
humingbot.io/cdn/js.asp
teenbeanjs.com/cloud/javascript.asp

# Reference: https://twitter.com/jaydinbas/status/1506970733997604867
# Reference: https://twitter.com/ShadowChasing1/status/1508637858927587328
# Reference: https://twitter.com/ShadowChasing1/status/1509520460974723072
# Reference: https://twitter.com/ShadowChasing1/status/1511144288830119941
# Reference: https://asec.ahnlab.com/ko/33034/ (Korean)
# Reference: https://www.virustotal.com/gui/ip-address/2.57.90.16/relations
# Reference: https://www.virustotal.com/gui/ip-address/209.126.83.186/relations
# Reference: https://www.virustotal.com/gui/file/2fc71184be22ed1b504b75d7bde6e46caac0bf63a913e7a74c3b65157f9bf1df/detection
# Reference: https://www.virustotal.com/gui/file/392aba0070375051d7bc3cc478c4bb66c5f55be87ad797800f50a338c3e2479b/detection
# Reference: https://www.virustotal.com/gui/file/a7c17e5fa55bcc60d4cff64dd37d0a1f0cc93f4f44b3cebd5633ca5af413e5cc/detection
# Reference: https://www.virustotal.com/gui/file/ae7275988753fffb29bdb254babdf46773daf935b2721006fe66a1747af3d1d4/detection

naveicoipf.online
naveicoipg.online
naveicoiph.online
naveicoiph.online
naveicoipa.tech
naveicoipc.tech
naveicoipd.tech
naveicoipe.tech
navermailteam.online
123fisd.naveicoipg.online
aat1pbil.naveicoipg.online
adzjvazj.naveicoipg.online
aosm8cts.naveicoipg.online
buiweggajhqwj.naveicoipg.online
cecomtp3.naveicoipg.online
edfeiyql.naveicoipg.online
eoinlslsf.naveicoipg.online
fwpoyktt.naveicoipg.online
hytrycnc.naveicoipg.online
jbmnqpwp.naveicoipg.online
jvnquetbon.naveicoipg.online
kdzdm1rq.naveicoipg.online
kygfkdum.naveicoipg.online
l1tog1iv.naveicoipg.online
lbmwbnbieo.naveicoipg.online
olsnvolqwe.naveicoipg.online
pv5pnwlx.naveicoipg.online
qogngnslel.naveicoipg.online
tp0rw6ie.naveicoipg.online
twlekqnwl.naveicoipg.online
urm1o6h0.naveicoipg.online
vm2rjonq.naveicoipg.online
vnwoei.naveicoipg.online
6la0cwds.naveicoiph.online
9yxqida1b.naveicoiph.online
d4yp8bphj3.naveicoiph.online
dtdgwgfvr.naveicoiph.online
gkins2p3i.naveicoiph.online
kashaccn4.naveicoiph.online
lkpiedozd.naveicoiph.online
rxpz7z2yi8.naveicoiph.online
gowelknx.naveicoipf.online
xjowihgnxcvb.naveicoipf.online
xuau0b2i.naveicoipf.online
4w9h8ps9.naveicoipa.tech
4w9h8ps9.naveicoipc.tech
momls4ii.naveicoipa.tech
momls4ii.naveicoipc.tech
tofysz6a.naveicoipa.tech
tofysz6a.naveicoipc.tech
uzzmuqwv.naveicoipa.tech
uzzmuqwv.naveicoipc.tech
zvc1ijau.naveicoipa.tech
zvc1ijau.naveicoipc.tech
bcvbert.naveicoipe.tech
mhf8huuo.naveicoipe.tech
msldkopw.naveicoipe.tech
tyidrtu.naveicoipe.tech
uktyukb.naveicoipe.tech
vkqrwl00.naveicoipe.tech
wrhehdfg.naveicoipe.tech
nredial.navermailteam.online
/1uFnvppj/1uFnvppj32.acm
/1uFnvppj/1uFnvppj64.acm
/1uFnvppj/
/1uFnvppj32.acm
/1uFnvppj64.acm
/018ueCdS/018ueCdS32.acm
/018ueCdS/
/018ueCdS32.acm
/0lvNAK1t/0lvNAK1t32.acm
/0lvNAK1t/
/0lvNAK1t32.acm

# Reference: https://www.virustotal.com/gui/ip-address/15.235.132.77/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.81.246.131/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.82.19.179/relations

mailcontactteam.online
mailcustomerservice.site
mailhelp.online
mailmanagecorp.online
mailsecurity.email
mailservicecorp.online
mailserviceteam.email
navcopcenter.tech
navcorpmanager.site
naveeocorp.xyz
navenida.live
navenida.site
navenidb.live
navenidb.site
navenidc.live
navenidc.site
navenidd.site
navenide.site
navenidf.site
naveorseccorp.link
naveracom.link
naveradmin01.link
naveranid.link
naveranid.live
naveranid.online
naverbcom.link
naverbnid.live
naverbnid.online
naverccom.link
navercert.live
navercert.online
navercnid.link
navercnid.online
navercoa.store
navercob.store
navercoc.store
navercod.store
navercoe.store
navercoma.link
navercoma.online
navercomb.link
navercomb.online
navercomb.tech
navercomc.link
navercomc.online
navercomc.tech
navercomd.link
navercomd.online
navercome.link
navercome.online
navercome.tech
navercomf.link
navercomf.online
navercomg.link
navercomh.link
navercop.link
navercop.online
navercorp.email
navercorp.live
navercorpl.tech
navercorpr.online
navercorpservice.com
navercorpteam.com
navercscorp.com
naverenid.online
naverfnid.online
navergnid.online
naverhnid.online
naverhost.live
naverinid.com
naverinid.online
naverjnid.online
naverlogn.live
navermailcorp.com
navermailmanage.com
navermailservice.com
navermailservice.online
navermailteam.online
navermanage.com
navermanage.live
navermanage.space
navermanageteam.com
navermcorp.com
navernida.link
navernida.online
navernida.tech
navernidb.link
navernidb.online
navernidb.tech
navernidc.link
navernidc.online
navernidc.tech
navernidd.live
navernidd.online
navernide.online
navernidlog.live
navernidmail.com
naverorteam.link
naverreda.xyz
naverredc.xyz
naverredd.xyz
naverrede.xyz
naverredirect.live
naversecurityservice.online
naversecurityteam.com
naverservice.email
naverservice.host
naverservice.link
naverserviceteam.com
naverserviceteam.email
naverteam.live
naverteamcorp.live
navreplya.live
navreplya.online
navreplyb.live
navreplyd.live
navreplye.live
navreplyf.site
navreplyg.site
navreplyh.site
navreplyi.site
navreplyj.site
navreplyk.site
navteamcorp.link
nidbnaver.tech
nidcnaver.tech
niddnaver.tech
nidnavera.online
nidnavere.online
noreplya.xyz
noreplyb.xyz
nvrcopa.link
nvrcopb.link
nvrcopc.link
nvrcope.site
nvrcopf.site
nvricop.online
nvrjcop.online
portalcorpteam.com
help.navreplya.live
logn.navermanagecorp.site
logn.noreplya.website
mail.naveradmina.tech
mail.navercomf.link
nav.cloudcentre.space
nav.naveracom.link
nav.naveradmin06.online
nav.noreplyb.xyz
nav.portalcorpteam.com
nin.navercop.link
nlog.noreplyb.space
red.naveradmin07.site
red.nidnavere.online
sec.naveralert.link
sub.naverbcom.link

# Reference: https://twitter.com/ShadowChasing1/status/1508706298640052225
# Reference: https://www.virustotal.com/gui/ip-address/44.227.65.245/relations

cloudscare.xyz
onlinedocview.biz
cdn.onlinedocview.biz
edit.onlinedocview.biz

# Reference: https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/
# Reference: https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/
# Reference: https://otx.alienvault.com/pulse/61bca21cf212a6842e17c00b

diragame.com
diregame.live
mygametoa.com
d.diragame.com
google.diragame.com
jom.diregame.live
toa.mygametoa.com
tob.mygametoa.com

# Reference: https://twitter.com/h2jazi/status/1509206625701220356
# Reference: https://www.virustotal.com/gui/file/e9894893a8a1f74d7d6a8768dda9ef5ddaf8aac18634a1110e9a79652c9f13ee/detection

aixstore.info
app.aixstore.info

# Reference: https://securelist.com/lazarus-trojanized-defi-app/106195/
# Reference: https://otx.alienvault.com/pulse/6246c2c9082f5d1a7c15ffba

bn-cosmo.com/customer/board_replay.asp
edujikim.com/pay_sample/INIstart.asp
emsystec.com/include/inc.asp
gyro3d.com/common/faq.asp
gyro3d.com/mypage/faq.asp
ilovesvc.com/HomePage1/Inquiry/privacy.asp
newbusantour.co.kr/gallery/left.asp
roit.co.kr/xyz/adminer/edit_fail_decoded.asp
softapp.co.kr/sub/cscenter/privacy.asp
syadplus.com/search/search_00.asp

# Reference: https://twitter.com/ShadowChasing1/status/1514899414367694851
# Reference: https://www.virustotal.com/gui/file/f78b85fc5c9a5f6c8d735f13180d318bf8f5639e71556e2ae0f2c6b9b4181a6c/detection

http://15.235.33.14

# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
# Reference: https://otx.alienvault.com/pulse/625d3bb7b78be557e145d2c7

aumentarelevisite.com
juneprint.com
jungfrau.co.kr
mariamchurch.com
happy.nanoace.co.kr
ric-camid.re.kr

# Reference: https://twitter.com/blackorbird/status/1516300076523548674
# Reference: https://mp.weixin.qq.com/s/Xs54_RDKU5MvkvsPPCGKEw (Chinese)

beenos.biz
zvc.capital
cloud.beenos.biz
it.zvc.capital

# Reference: https://www.cisa.gov/uscert/ncas/alerts/aa22-108a
# Reference: https://otx.alienvault.com/pulse/625e65bf6aa1f7977a316d65

alticgo.com
cryptais.com
dafom.dev
esilet.com
tokenais.com

# Reference: https://asec.ahnlab.com/ko/33706/
# Reference: https://otx.alienvault.com/pulse/625e688f46dbcbce7ac0668d

gaonwell.com/data/base/mail/login.asp
h-cube.co.kr/main/image/gellery/gallery.asp
materic.or.kr/include/main/main_top.asp
materic.or.kr/include/main/main_top.xn--asp
namchoncc.co.kr/include/?ind=
okkids.kr/html/program/display/?re=
shoppingbagsdirect.com/media/images/?ui=

# Reference: https://twitter.com/blackorbird/status/1519504288849874944
# Reference: https://www.virustotal.com/gui/file/672ec8899b8ee513dbfc4590440a61023846ddc2ca94c88ae637144305c497e7/detection

http://109.248.144.155
http://155.94.210.11
http://193.56.28.32
http://45.57.245.17
109.248.144.136:8443
109.248.144.155:8080
109.248.144.155:8443
usengineergroup.com
mail.usengineergroup.com

# Reference: https://twitter.com/ESETresearch/status/1521735320852643840
# Reference: https://twitter.com/ESETresearch/status/1521735343497695232
# Reference: https://www.virustotal.com/gui/file/55571ac52e1f02f18af77e2f3314382c982a37744b58732dfc15faac9d66619f/detection
# Reference: https://www.virustotal.com/gui/file/a0bf5af3f931a428b905fd14d43b61af47b7f272425ae4ff4d78b5cb139b8276/detection
# Reference: https://www.virustotal.com/gui/file/315503862cb7ebb0a731483827016015e355bad51f872db5c650a822de744937/detection

onlinestockwatch.net

# Reference: https://www.virustotal.com/gui/file/5081f54761947bc9ce4aa2a259a0bd60b4ec03d32605f8e3635c4d4edaf48894/detection

66.154.102.91:9090

# Reference: https://blogs.jpcert.or.jp/en/2022/07/vsingle.html

bluedragon.com/login
crm.vncgroup.com/cats/scripts/sphinxview.php
mantis.westlinks.net/api/soap/mc_enum.php
ougreen.com/zone
semiconductboard.com/xcror
shipshorejob.com/ckeditor/samples/samples.php
tecnojournals.com/general
tecnojournals.com/prest

# Reference: https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
# Reference: https://www.virustotal.com/gui/file/f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb/detection

http://213.180.180.154
karin-store.com/recaptcha.php
yoshinorihirano.net/wp-includes/feed-xml.php
/editor/session/aaa000/support.php
/aaa000/support.php

# Reference: https://mp.weixin.qq.com/s/USitU4jAg9y2XkQxbwcAPQ
# Reference: https://otx.alienvault.com/pulse/62d153ef7d6fbe552403bc90

namchuncheon.co.kr/html/notice/list.asp
stracarrara.org/public/photos/image/image.asp
stracarrara.org/public/photos/image/image.xn--asp

# Reference: https://twitter.com/h2jazi/status/1549780561551675393
# Reference: https://www.virustotal.com/gui/ip-address/155.138.219.140/relations
# Reference: https://www.virustotal.com/gui/file/f7170b70a89f4b5d196e3a09c1d6135d36320548f66cdc2c55bf725b0f8d4ab8/detection

documentworkspace.io
fclouddown.co
cdn.documentworkspace.io
file.fclouddown.co

# Reference: https://twitter.com/cyberoverdrive/status/1550175620927299584
# Reference: https://www.virustotal.com/gui/file/1e154b2976cc00d457c0dc2b83ebe81911294c8276691617085c03a3304fd87f/detection

googlesheet.info

# Reference: https://twitter.com/h2jazi/status/1553024107989635073
# Reference: https://www.virustotal.com/gui/file/0fe69e67286203ca2dcd080b4c25ab76fc4ca925e6207b193d47f02da1481843/detection

shconstmarket.com
dps.shconstmarket.com
inst.shconstmarket.com
web.shconstmarket.com

# Reference: https://twitter.com/Des00464472/status/1546403794871001093

http://52.79.92.249/bbs/bbs_post.asp

# Reference: https://twitter.com/h2jazi/status/1555205042331947011
# Reference: https://www.virustotal.com/gui/file/a3ef9fd758bca1c94054a43995a99069abaef672495c1bd3ee831217c1f5e498/detection

mktrending.com
docs.mktrending.com

# Reference: https://twitter.com/ShadowChasing1/status/1557034048345997312
# Reference: https://www.virustotal.com/gui/file/57959c2be2ac6349aa37edb73cd8a88fe8d3e69678cac4b38fac401bd3141fdf/detection

documentshare.info
doc.documentshare.info
ww16.documentshare.info
/DmJMFYpwLPP3ygS/

# Reference: https://twitter.com/malwrhunterteam/status/1557077792075829249
# Reference: https://www.virustotal.com/gui/file/f1ade73b9c61f2f4b774a1b5003a5d70d7a12e0872abe98c52fbf9e9e3a90fc5/detection

wordonline.cloud
cdn.wordonline.cloud
gdoc.wordonline.cloud

# Reference: https://twitter.com/ESETresearch/status/1559553324998955010
# Reference: https://www.virustotal.com/gui/file/49046dfeaefc59747e45e013f3ab5a2895b4245cfaa218dd2863d86451104506/detection
# Reference: https://www.virustotal.com/gui/file/8b427c47a43e6c357d8439fefa7f0ff34b72a2abdaf0461193fb9e6086807e17/detection
# Reference: https://www.virustotal.com/gui/file/94a669041ef572e3fb089179f5c29e2811e2e82613290e39a2ce1b6c273727c9/detection
# Reference: https://www.virustotal.com/gui/file/dae9f37ae5c2a030c0fb3f55d5731cdb37a4f68560a6f2ba38bb54c9533f8805/detection
# Reference: https://www.virustotal.com/gui/file/e29d0db8c013e7eb5820a6f40aae92a085d9550f2f0b2ebc10c8c2c08d14f6d5/detection
# Reference: https://www.virustotal.com/gui/file/fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853/detection

concrecapital.com

# Reference: https://twitter.com/h2jazi/status/1559259261665943553
# Reference: https://www.virustotal.com/gui/file/03f6c8f173413302d9c22a44a593fc9a5203fbb7652d3a36b3ace79f3cdc39a3/detection

1drvmicrosoft.com
hare.1drvmicrosoft.com
share.1drvmicrosoft.com

# Reference: https://twitter.com/malwrhunterteam/status/1560563222624710656
# Reference: https://www.virustotal.com/gui/file/c9b4893bdb85d67c13826814ef0cf392648089f416aed40078907054624fba72/detection

cooporatestock.com
doc.cooporatestock.com
docs.cooporatestock.com

# Reference: https://www.virustotal.com/gui/ip-address/45.76.77.197/relations
# Reference: https://www.virustotal.com/gui/file/0f6b6c1596e38e840fb03420317db224739a18dbef0b98285637f5887e90a191/detection

drivegoogle.info
docs.drivegoogle.info

# Reference: https://twitter.com/ShadowChasing1/status/1564980900785373185
# Reference: https://www.virustotal.com/gui/file/51d53ca36a662b4aad5878987548f0f22f2a53545790577d8043373b6bf7eb75/detection

wpsonline.co
edit.wpsonline.co
wps.wpsonline.co

# Reference: https://www.virustotal.com/gui/file/f42c637db03edf83a08e944bc190265167ecea84d77508f37fc1269d267fe5a8/detection

stablehouses.info
app.stablehouses.info

# Reference: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html
# Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
# Reference: https://www.virustotal.com/gui/file/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332/detection
# Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection
# Reference: https://www.virustotal.com/gui/file/eb73c57c6f4ce8bf197ddc689b7e0afd3703a9bf9a78212c9cb838528441df7a/detection
# Reference: https://www.virustotal.com/gui/file/bffe910904efd1f69544daa9b72f2a70fb29f73c51070bde4ea563de862ce4b1/detection
# Reference: https://www.virustotal.com/gui/file/afb2d4d88f59e528f0e388705113ae54b7b97db4f03a35ae43cc386a48f263a0/detection
# Reference: https://www.virustotal.com/gui/file/196fb1b6eff4e7a049cea323459cfd6c0e3900d8d69e1d80bffbaabd24c06eba/detection

http://151.106.2.139
http://193.56.28.251
http://52.202.193.124
http://64.188.27.73
http://66.154.102.91
151.106.2.139:8080
151.106.2.139:8443
66.154.102.91:9090
gendoraduragonkgp126.com
/adm_bord/login_new_check.php

# Reference: https://twitter.com/Des00464472/status/1569331099305918465

techdesignshop.com

# Reference: https://twitter.com/h2jazi/status/1570501870954905600
# Reference: https://www.virustotal.com/gui/file/5816eb32cbaadfc3477c823293a8c49cdf690b443c8fa3c19f98399c143df2b3/detection

azure-protect.online
verify.azure-protect.online

# Reference: https://twitter.com/BaoshengbinCumt/status/1570579732399558656

jbic.us
mufg.tokyo
salt1ending.com
wpic.ink
cloud.jbic.us
cloud.mufg.tokyo

# Reference: https://twitter.com/HaoZhixiang/status/1572434427942432772
# Reference: https://www.virustotal.com/gui/file/0b79e1194644431c2e28c48aa3654e658a2907e1003cd0484cd00a0796ebe6bb/detection

onlineshares.cloud
ms.onlineshares.cloud

# Reference: https://twitter.com/malwrhunterteam/status/1573305740252663809
# Reference: https://www.virustotal.com/gui/file/48bd1c5cf9ccc3d454ab80d7284abaf39028a228607d132bfa92ab2ceca47ca2/detection

azure-protection.cloud
docs.azure-protection.cloud
secure.azure-protection.cloud

# Reference: https://twitter.com/StopMalvertisin/status/1574329188793733120
# Reference: https://www.virustotal.com/gui/file/3b70c3ebffcfd6a97859f8d9e5a31f6902756e23fd6688ca7c7446d24ec76d9d/detection

digiboxes.us
fs.digiboxes.us

# Reference: https://twitter.com/StopMalvertisin/status/1574749887203143680
# Reference: https://www.virustotal.com/gui/file/f00fe4e6da3aaad25d1ac8b268ffeebc98bda184e3df224905626908be24d415/detection

sunlin.org/info/style?title=

# Reference: https://twitter.com/StopMalvertisin/status/1575055809104334848
# Reference: https://twitter.com/ScarletSharkSec/status/1575130042627244038
# Reference: https://twitter.com/malwrhunterteam/status/1593744606172168195
# Reference: https://www.virustotal.com/gui/ip-address/155.138.159.45/relations
# Reference: https://www.virustotal.com/gui/file/99eae95f3271fe7cd2b25aca9a2b69ca8f5cc034f3416b554a4af38903f14233/detection
# Reference: https://www.virustotal.com/gui/file/8f05021071c4bfd4cfce3d02bd30bf16f1322170515d796e13f75eb25b09d533/detection

docuprivacy.com
gdocshare.one
msteam.biz
onlinecloud.cloud
privacysign.org
dmarc.onlineshares.cloud
ms.msteam.biz
team.msteam.biz
open.onlinecloud.cloud

# Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/

137.184.15.189:22
172.93.201.253:22
44.238.74.84:22
44.238.74.84:5900

# Reference: https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/
# Reference: https://otx.alienvault.com/pulse/6336cd77cbc019c475aa2034

contradecapital.com
m.contradecapital.com
market.contradecapital.com
stage.contradecapital.com
vpn.contradecapital.com

# Reference: https://github.com/eset/malware-ioc/tree/master/nukesped_lazarus

cowp.or.kr/html/board/main.asp
erpmas.co.kr/Member/franchise_modify.asp
fored.or.kr/home/board/view.php
gncaf.or.kr/cafe/cafe_board.asp
gongsinet.kr/comm/comm_gongsi.asp
goojoo.net/board/banner01.asp
hsbutton.co.kr/bbs/bbs_write.asp
hstudymall.co.kr/easypay/web/bottom.asp
ikrea.or.kr/main/main_board.asp
pcdesk.co.kr/Freeboard/mn_board.asp
pgak.net/service/engine/release.asp
quecue.kr/okproj/ex_join.asp
style1.co.kr/main/view.asp
wowpress.co.kr/customer/refuse_05.asp
zndance.com/shop/post.asp

# Reference: https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
# Reference: https://otx.alienvault.com/pulse/633c7f2703c1f6dec01555e5

aquaprographix.com/patterns/Map/maps.php
stracarrara.org/images/img.asp
thetalkingcanvas.com/thetalking/globalcareers/us/5/careers/jobinfo.php
turnscor.com/wp-includes/feedback.php

# Reference: https://twitter.com/Des00464472/status/1580021488433831936

propertys-shop.com

# Reference: https://twitter.com/h2jazi/status/1582809597051826177
# Reference: https://twitter.com/h2jazi/status/1582809599023124481
# Reference: https://www.virustotal.com/gui/file/c114b73da17eb5c8aff5a7b5509ffe26b9770e28c7123f038e98d42f8a065632/detection

bbcnewsagency.com

# Reference: https://twitter.com/h2jazi/status/1582919568384663552

bloombergnewsagency.com

# Reference: https://www.virustotal.com/gui/file/500ae0f1ab40a254f81c73331c9848bada4c26adad613d53d339d14ca3599a32/detection
# Reference: https://www.virustotal.com/gui/file/442c2b7b8e7ec13306bfb6c1332bd87e4d9cac242fd86555df355a606b895c46/detection

11.23.33.44:8050
66.85.157.67:8050
drivetools.xyz
filesspace.xyz
theboxart.xyz

# Reference: https://twitter.com/imp0rtp3/status/1589263364274155520
# Reference: https://twitter.com/imp0rtp3/status/1589263367650578434
# Reference: https://www.virustotal.com/gui/file/06ea41ee563f0ecb884d0640344a1e0006a9e8b1b3d4cda9a769a896f18c4b6d/detection
# Reference: https://www.virustotal.com/gui/file/e1ecf0f7bd90553baaa83dcdc177e1d2b20d6ee5520f5d9b44cdf59389432b10/detection
# Reference: https://www.virustotal.com/gui/file/dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031/detection

leadsblue.com/wp-content/wp-utility/index.php

# Reference: https://twitter.com/Des00464472/status/1590966132596695040

olidhealth.com
dc-ba6f51b553e0.olidhealth.com

# Reference: https://twitter.com/souiten/status/1593449165349978113
# Reference: https://www.virustotal.com/gui/file/0937cbb980cb898eacd8458366fc4de3510266b8fbcd68010aa04e58bf72df28/detection
# Reference: https://www.virustotal.com/gui/file/a3f087c83453cde2bc845122c05ebeb60e8891e395b45823c192869ec1b72ea6/detection

capmarketreport.com

# Reference: https://explore.avertium.com/resource/an-in-depth-look-at-north-korean-threat-actor-zinc
# Reference: https://otx.alienvault.com/pulse/637f670d45a399f00e8aea3c

cats.runtimerec.com/db/dbconn.php
elite4print.com/support/support.asp
hurricanepub.com/include/include.php
olidhealth.com/wp-includes/php-compat/compat.php
recruitment.raystechserv.com/lib/artichow/BarPlotDashboard.object.php
turnscor.com/wp-includes/contacts.php

# Reference: https://twitter.com/jaydinbas/status/1598660262751604738
# Reference: https://www.virustotal.com/gui/file/f14c5bad5219b1ed5166eb02f5ff08a890a181cef2af565f3fe7bcea9c870e22/detection

key.sharedrive.ink

# Reference: https://twitter.com/malwrhunterteam/status/1598405604317442048
# Reference: https://twitter.com/jaydinbas/status/1598722899556577280
# Reference: https://www.virustotal.com/gui/file/741be5e53a5dc7cebaa63d6ff624c5eff1a0e1817ede1e7fc0473a28b1ed7a33/detection

dsx-app.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-12-02-v10187/190

bloxholder.com
oilycargo.com
rebelthumb.net
strainservice.com
telloo.io

# Reference: https://twitter.com/h2jazi/status/1602302208325947394
# Reference: https://www.virustotal.com/gui/file/69e5cc9d865301f7e8dd7d4dbf5624db2859c614112d339b2fc07ea6176c776d/detection

microshare.cloud
one.microshare.cloud

# Reference: https://twitter.com/h2jazi/status/1602314597926576131
# Reference: https://twitter.com/h2jazi/status/1602314600753598465
# Reference: https://www.virustotal.com/gui/file/bdd109cba8346548dd6fe5110180aa23eb9f5805c90733025344a5881c15c985/detection

thecloudnet.org

# Reference: https://twitter.com/jaydinbas/status/1608077663532449792
# Reference: https://www.virustotal.com/gui/file/c52028b494c37505cbe073e3b0fcdeb6b7b48636c6fd00a41108e6dc1a66a4ce/detection

professiondesc.com

# Reference: https://twitter.com/Des00464472/status/1610535596262580230
# Reference: https://www.virustotal.com/gui/ip-address/172.86.121.130/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.153.242.37/relations
# Reference: https://www.virustotal.com/gui/file/e04848c1e2908335975dd52793c94624d06a598fdd75d5d3eb6ea8c5d569b8bc/detection

auto-protection.cloud
auto-protection.services
azure-protect.cloud
azure-protection.online
auto-secure.cloud
beyondnextventures.us
doc-protection.cloud
docs-view.cloud
mizuhogroup.uk
offerings.cloud
online-protection.cloud
protection-service.cloud
smbcgroup.uk
tptf.cloud
tptf.ltd
azure.auto-protection.cloud
azure.auto-protection.services
azure.auto-secure.cloud
azure.doc-protection.cloud
azure.doc-protection.online
azure.docs-view.cloud
azure.online-protection.cloud
azure.protection-service.cloud
cloud.beyondnextventures.us
cloud.mizuhogroup.uk
cloud.smbcgroup.uk
docs.tptf.cloud
secure.azure-protection.online
secure.azure-protect.cloud
secure.azure-protection.online

# Reference: https://twitter.com/Des00464472/status/1613893230004965381
# Reference: https://www.virustotal.com/gui/file/9dc04153455d054d7e04d46bcd8c13dd1ca16ab2995e518ba9bf33b43008d592/detection

easyview.kr/board/mb_admin.php
mudeungsan.or.kr/gbbs/bbs/template/g_botton.php
neohr.co.kr/bbs/data/notice/notice.php

# Reference: https://twitter.com/h2jazi/status/1618630926891913217

blurbshop.com
cloudfly.org
dailynewsagent.com
oneweb-host.com
shopwebstudio.com
turacodi.com

# Reference: https://twitter.com/jaydinbas/status/1623295609703636993
# Reference: https://www.virustotal.com/gui/file/3a4aed5b9ad0827696a1bb5f3497a6a2aa26b453d27bfacbe3c8c47673aac98d/detection

doc-share.cloud
safe.doc-share.cloud

# Reference: https://asec.ahnlab.com/ko/48416/
# Reference: https://otx.alienvault.com/pulse/63ff76797371033cf70b2df3

ctmnews.kr
dalbinews.co.kr
kfcjn.com
lightingmart.co.kr
studyholic.co.kr

# Reference: https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware

wirexpro.com

# Reference: https://twitter.com/souiten/status/1653999722477268992
# Reference: https://www.virustotal.com/gui/file/69ef7c4cb3849283c03eaa593b02ebbfd1d08d25ef9a58355d2a9909678d6c6d/detection

share.googlefiledrive.com

# Reference: https://twitter.com/ESETresearch/status/1656385173968019456
# Reference: https://twitter.com/ESETresearch/status/1656386549594857472
# Reference: https://www.virustotal.com/gui/ip-address/104.168.138.7/relations
# Reference: https://www.virustotal.com/gui/file/c28e4031129f3e6e5c6fbd7b1cebd8dd21b6f87a8564b0fb9ee741a9b8bc0197/detection
# Reference: https://www.virustotal.com/gui/file/5f00106f7f15e0ca00df4dbb0eeccd57930b4b81bc9aa3fca0c5af4eda339ab7/detection

coto.live
cryptyk.cloud
cryptyk.info
gumicryptos.com
hyperchaincapital.online
parallaxdigital.online
prosec.ink
autoprotect.com.se
cloud.cryptyk.info
cloud.prosec.ink
cloudprotect.us.org
cryptyk.ddns.net
cryptyk.hopto.org
cryptyk.sytes.net
cryptyk.webredirect.org
document.coto.live
document.sharedrive.ink
docusend.coto.live
hostings.webredirect.org

# Reference: https://www.virustotal.com/gui/ip-address/104.168.214.151/relations

azure-defender.cloud
azuredefender.online
bico-news.blog
blockchainworld.info
blockfi.loans
box-docsend.cloud
box-docsend.online
companydetail.online
crypto-ecosystem.world
cryptofundsresearch.com
daiwa.ventures
doc-send.cloud
doc-send.com
docs-send.com
doc-send.online
docs-send.online
docsend-host.cloud
drop-box.cloud
dropbox-docsend.cloud
dropbox-docsend.online
gumi-cryptos.loan
job-description.online
jobdescription.online
nextera.capital
online-meeting.xyz
panteracapital.ventures
private-meeting.online
privatenetwork.online
smart-contracts.blog
swissborg.blog
tokentracking.info
usncet.org
verifydocument.online
video-meet.online
video-meeting.xyz
additional.work.gd
additionalpublic.work.gd
abs.twitter.expublic.linkpc.net
arbor.companydetail.online
asset.crypto-ecosystem.world
autoprotect.gb.net
bico.tokentracking.info
boa.azuredefender.online
boa.job-description.online
boa.jobdescription.online
cloud.daiwa.ventures
cnbc.crypto-ecosystem.world
coinbase.expublic.linkpc.net
crypto.blockchainworld.info
daiwa.azure-defender.cloud
defi.smart-contracts.blog
docs.panteracapital.ventures
draper.online-meeting.xyz
dynamic.expublic.linkpc.net
exceptions.coinbase.expublic.linkpc.net
exceptions.expublic.linkpc.net
expublic.linkpc.net
github.expublic.linkpc.net
google.coinbase.expublic.linkpc.net
hashkey.online-meeting.xyz
hwsrv-1033810.hostwindsdns.com
internal-server.nextera.capital
internal.daiwa.ventures
internal.usncet.org
interview.private-meeting.online
meet.ubi-safemeeting.online
onedrive.azure-defender.cloud
recent.bico-news.blog
shared.box-docsend.cloud
shared.box-docsend.online
shared.doc-send.cloud
shared.drop-box.cloud
shared.dropbox-docsend.cloud
shared.dropbox-docsend.online
support.private-meeting.online
support.trustmeeting.online
support.ubi-safemeeting.live
support.video-meeting.online
support.video-meeting.xyz

# Reference: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499

http://3.89.226.234
http://40.121.90.194
eflow.co.kr/member_image/about.php
projectcell.niv.co.in/non_scientific/service.php
sora.bz/xoops_root_path/templates_c/login.php 
sora.bz/xoops_root_path/uploads/information/about.php

# Reference: https://twitter.com/blackorbird/status/1675803174551314432
# Reference: https://www.elastic.co/cn/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
# Reference: https://www.virustotal.com/gui/ip-address/64.44.141.15/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.195.240.123/relations

amazoncojp.one
dropbx-doc.online
hondchain.com
jaicvc.com
previewaccess-doc.online
starbucls.xyz
thefifodoc.online
crypto.hondchain.com
docsend.linkpc.net
docsend.publicvm.com

# Reference: https://www.virustotal.com/gui/ip-address/64.44.141.13/relations

blackleopard.world
docsend.apple.linkpc.net
docsend.apple.work.gd
docsend.camdvr.org
docsend.theworkpc.com
floriventures.linkpc.net
floriventures.publicvm.com
floriventuresfund.com
forest.groundwolf.sbs
groundwolf.sbs
info.floriventuresfund.com
info.racondog.shop
kingstar.publicvm.com
lightkingstar.com
net.lightkingstar.com
nomanstone.shop
origin.blackleopard.world
racondog.shop
sabrpartner.com
starbocks.yachts
xyz.nomanstone.shop
xyz.racondog.shop

# Reference: https://twitter.com/h2jazi/status/1681426768597778440
# Reference: https://twitter.com/ShadowChasing1/status/1681947062471098368
# Reference: https://www.virustotal.com/gui/file/6f11c52f01e5696b1ac0faf6c19b0b439ba6f48f1f9851e34f0fa582b09dfa48/detection

jkmusic.co.kr/shop/data/theme/
notebooksell.kr/mall/m_schema.php

# Reference: https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html

checkdevinc.com
git-hub.me
pkginstall.net

# Reference: https://asec.ahnlab.com/en/54195/
# Reference: https://otx.alienvault.com/pulse/6490761db8416aad20dd9404

bcdm.or.kr/board/type3_D/edit.asp
coupontreezero.com/include/bottom.asp
daehang.com/member/logout.asp
gongsilbox.com/board/bbs.asp
hmedical.co.kr/include/edit.php
ksmarathon.com/admin/excel2.asp
materic.or.kr/files/board/equip/equip_ok.asp
sinae.or.kr/sub01/index.asp

# Reference: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247492789&idx=1&sn=a991e6c5ed7388515d75f02e9c33428f
# Reference: https://otx.alienvault.com/pulse/64a2f58febf38755c4240c34

rowdensurname.org/slideshow/slides/show.asp

# Reference: https://blog.talosintelligence.com/lazarus-collectionrat/
# Reference: https://www.virustotal.com/gui/file/ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6/detection (# QuiteRAT)
# Reference: https://www.virustotal.com/gui/file/db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984/detection (# CollectionRAT)
# Reference: https://www.virustotal.com/gui/file/773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df/detection (# CollectionRAT)
# Reference: https://www.virustotal.com/gui/file/e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe/detection (# Trojanized Plink)

http://109.248.150.13
http://146.4.21.94
109.248.150.13:443
ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php

# Reference: https://twitter.com/fr0s7_/status/1695001873604903348
# Reference: https://twitter.com/fr0s7_/status/1695012385705148748
# Reference: https://twitter.com/fr0s7_/status/1695012576600498679
# Reference: https://www.virustotal.com/gui/ip-address/144.202.17.28/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.63.1.46/relations
# Reference: https://www.virustotal.com/gui/ip-address/66.42.86.109/detection
# Reference: https://www.virustotal.com/gui/file/8e271b07ad050b648321af5aa98ae9f9057342a6c4d3de40ee07a4fbec1ef2b9/detection
# Reference: https://www.virustotal.com/gui/file/7c2721b4beedcff6f8d7af585516af86287a9bab703e8050e97365aa9fd849cb/detection

dliklone.online
sourljsourhs.cfd
ajileuowl.dliklone.online
huweisge.dliklone.online
tales.dliklone.online
tonses.dliklone.online
magmow.sourljsourhs.cfd

# Reference: https://twitter.com/tiresearch1/status/1695342915281965409

online-meeting.pro
private-meeting.xyz
trustmeeting.online
ubi-safemeeting.live
video-meeting.online

# Reference: https://twitter.com/tiresearch1/status/1696067977463087376

safe-meeting.online
trustmeeting.live
ubi-safemeeting.online

# Reference: https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues
# Reference: https://www.virustotal.com/gui/ip-address/45.61.136.133/relations

tableditermanaging.pro

# Reference: https://asec.ahnlab.com/en/56405/
# Reference: https://otx.alienvault.com/pulse/64f0a87de1d155ccb31c3561

chinesekungfu.org
ipservice.kro.kr
privatemake.bounceme.net
bbs.topigsnorsvin.com.ec

# Reference: https://twitter.com/blackorbird/status/1700047882441908674
# Reference: https://twitter.com/felixaime/status/1699865970041348506
# Reference: https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/
# Reference: https://otx.alienvault.com/pulse/64fa0325f88b5109856801c8

bitsvertise.com
blgbeach.com
dbgsymbol.com
ecordillos.com
ismartrium.com
rapisigns.com

# Reference: https://twitter.com/tiresearch1/status/1701155845608964391

alwayswait.online
alwayswait.site
antifirmware.online
antifirmware.site
antifirmware.store
antiviruscheck.site
antiviruscheck.store
auditprovidre.online
auditprovidre.site
auditprovidre.store
newcoming.cfd
remoteproweb.cfd
systemupdate.site
systemupdate.store
unbelievableresult.site
unbelievableresult.store
updatecheck.site
updatecheck.store
waitingfor.cfd

# Reference: https://twitter.com/h2jazi/status/1702726275012382747
# Reference: https://www.virustotal.com/gui/file/c83c7b000a955f2b8cb92bb112ed606ffd9fbebbe3422f80d90d06b167f2f37b/detection

brianrep.com
/dnquery.phpinteger

# Reference: https://twitter.com/asdasd13asbz/status/1705140120222105777

http://91.206.178.125

# Reference: https://twitter.com/tiresearch1/status/1706312971054412039

datasend.linkpc.net
docsenddata.linkpc.net
docsendinfo.linkpc.net
open-sc.xyz
opensend.linkpc.net
opensend.online
video-meet.team

# Reference: https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/

barsaji.com.mx/src/recaptcha/index.php
bug.restoroad.com/admin/view_status.php
kapata-arkeologi.kemdikbud.go.id/pages/payment/payment.php
kerstpakketten.horesca-meppel.nl/wp-content/plugins/woocommerce/lib.php
kittimasszazs.hu/images/virag.php
nrfm.lk/wp-includes/simplepie/content.php
radiographers.org/aboutus/aboutus.php

# Reference: https://twitter.com/tiresearch1/status/1708141542261809360

bitscrunch.linkpc.net
bitscrunch.publicvm.com
bitscrunnch.linkpc.net
bitscrunnch.run.place
coupang-network.pics
exodus.linkpc.net
jobdescription.linkpc.net

# Reference: https://twitter.com/tiresearch1/status/1708539447908958382

starbocks.shop
starbuck-coffee.cfd
starbuckex.beauty
starbucls.top

# Reference: https://twitter.com/k3yp0d/status/1709851707427975382
# Reference: https://twitter.com/greglesnewich/status/1742926817827422712
# Reference: https://g-les.github.io/yara/2024/01/04/100DaysofYARA-CosmicRust.html
# Reference: https://www.virustotal.com/gui/file/979ef0f43f25a6707fd98f6f0cb6e8452c24f41216ff53486781f487803d69c4/detection
# Reference: https://www.virustotal.com/gui/file/dbe48dc08216850e93082b4d27868a7ca51656d9e55366f2642fc5106e3af980/detection
# Reference: https://www.virustotal.com/gui/file/a8cc70bcd0ef98e3eea54f953166f518a2cf1d898e4eb9e85cf70861f8ec7578/detection
# Reference: https://www.virustotal.com/gui/file/5f4063e3a5583e62ddec2f84ca88eb97fbcfbee31d9269742ab438f441f0cd58/detection
# Reference: https://www.virustotal.com/gui/file/576d1688f744a9f6ae4c1fb4cec1cda3daecabf3a13cb3bafabf083c54d1fcb6/detection
# Reference: https://www.virustotal.com/gui/file/5115be816d0cd579915d079573bfa384d78ac0bd33cc845b7a83a488b0fc1b99/detection
# Reference: https://www.virustotal.com/gui/file/3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a/detection

104.168.136.24:8080
104.168.172.20:8080
commoncome.online
web.commoncome.online
welcome.newcoming.cfd

# Reference: https://twitter.com/tiresearch1/status/1709900227241758810

automatic.antifirmware.store
autoserverupdate.line.pm
huanying.remoteproweb.cfd
real.unbelievableresult.store
stress.antiviruscheck.site
successfulconnection.linkpc.net
sys.antiviruscheck.store
sys.updatecheck.site
web.auditprovidre.site

# Reference: https://twitter.com/asdasd13asbz/status/1711617213944492293
# Reference: https://www.virustotal.com/gui/ip-address/103.179.142.171/relations
# Reference: https://www.virustotal.com/gui/file/f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58/detection
# Reference: https://www.virustotal.com/gui/file/00433ebf3b21c1c055d4ab8a599d3e84f03b328496236b54e56042cef2146b1c/detection

blockchain-newtech.com

# Reference: https://twitter.com/tiresearch1/status/1712004829978190112

docs-protection.cloud
docs-protection.online
docs-protection.top
azure.docs-protection.cloud
azure.docs-protection.online
azure.docs-protection.top
docs.smbc-vc.com
meeting.work.gd
orangecake.work.gd
transactions.publicvm.com
updatecheck.publicvm.com

# Reference: https://twitter.com/malwrhunterteam/status/1710379117869150506
# Reference: https://twitter.com/h2jazi/status/1712115378933977444
# Reference: https://www.virustotal.com/gui/file/f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58/detection

chiark.greenend.org.uk/~sgtatham/putty/

# Reference: https://twitter.com/tiresearch1/status/1712839519366795733

15248636.site
activity-179384736.site
activity-permission.online
allow-permission.online
book-download.shop
chat-services.online
files-archive.online
mail-roundcube.site
online-meeting.site
online-video-services.site
share-meeting.online
un-call.services
videocallservice.live
webmailaccount.cloud

# Reference: https://twitter.com/tiresearch1/status/1713828674750017852
# Reference: https://twitter.com/tiresearch1/status/1714149818753507596

book.tomming.us
cloud.bdcc.bio
enimvzud.mouradvps8hostwin.online
floriventuresend.linkpc.net
forservercon.run.place
jobintro.linkpc.net
mouradvps8hostwin.online
protectli.online
web3.auditprovidre.store
xjba.linkpc.net
xjbb.linkpc.net
xjbd.linkpc.net

# Reference: https://twitter.com/tiresearch1/status/1714283158588600641

crtypk.run.place
cryptykhost.work.gd
share.prosec.ink
singlelink.work.gd

# Reference: https://securelist.com/updated-mata-attacks-industrial-companies-in-eastern-europe/110829/
# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf

beeztrend.com
mbafleet.com
prajeshpatel.com
zawajonly.com
icimp.swarkul.com

# Reference: https://twitter.com/malwrhunterteam/status/1715075131175751740
# Reference: https://www.virustotal.com/gui/ip-address/68.170.2.240/relations
# Reference: https://www.virustotal.com/gui/file/5e523ba395d7b92001d14d0d0e607410af9acb61d724a4a7651c3d80a79fb532/detection

coingecko.bond

# Reference: https://twitter.com/tiresearch1/status/1717496437985128862

bitscrunch.co
bitscrunch.deck.linkpc.net
bitscrunch.im.linkpc.net
deck.linkpc.net
doc.global-link.run.place
global-link.run.place

# Reference: https://twitter.com/tiresearch1/status/1717554754023526564
# Reference: https://twitter.com/KSeznec/status/1717542794942660771
# Reference: https://www.virustotal.com/gui/file/47b8b4d55d75505d617e53afcb6c32dd817024be209116f98cbbc3d88e57b4d1/detection

co.intneral-document-he-gr-me.run.place
group.link-net.publicvm.com
internal.group.link-net.publicvm.com
intneral-document-he-gr-me.run.place
j-ic.co.intneral-document-he-gr-me.run.place
link-net.publicvm.com
on-global.xyz

# Reference: https://twitter.com/tiresearch1/status/1717922111749288043

bitscrunch.pd.linkpc.net
bitscrunch.presentations.life
col-link.linkpc.net
docshared.col-link.linkpc.net
pd.linkpc.net
presentations.life

# Reference: https://securelist.com/unveiling-lazarus-new-campaign/110888/
# Reference: https://otx.alienvault.com/pulse/653c0681ae38ba0d7d84e538

admin.esangedu.kr/XPaySample/submit.php
api.shw.kr/login_admin/member/login_fail.php
blastedlevels.com/levels4SqR8/measure.asp
droof.kr/Board/htmlEdit/PopupWin/Editor.asp
friendmc.com/upload/board/asp20062107.asp
hankooktop.com/ko/company/info.asp
hanlasangjo.com/editor/pages/page.asp
happinesscc.com/mobile/include/func.asp
healthpro.or.kr/upload/naver_editor/subview/view.inc
hicar.kalo.kr/data/rental/Coupon/include/inc.asp
hspje.com/menu6/teacher_qna.asp
ictm.or.kr/UPLOAD_file/board/free/edit/index.php
khmcpharm.com/Lib/Modules/HtmlEditor/Util/read.cer
kscmfs.or.kr/member/handle/log_proc.php
kstr.radiology.or.kr/upload/schedule/29431_1687715624.inc
little-pet.com/web/board/skin/default/read.php
mainbiz.or.kr/SmartEditor2/photo_uploader/popup/edit.asp
mainbiz.or.kr/include/common.asp
medric.or.kr/Controls/Board/certificate.cer
muijae.com/daumeditor/pages/template/simple.asp
muijae.com/daumeditor/pages/template/template.asp
muijae.com/daumeditor/pages/template/
new-q-cells.com/upload/newsletter/cn/frame.php
nonstopexpress.com/community/include/index.asp
pediatrics.or.kr/PubReader/build_css.php
pms.nninc.co.kr/app/content/board/inc_list.asp
safemotors.co.kr/daumeditor/pages/template/template.asp
samwoosystem.co.kr/board/list/write.asp
seoulanesthesia.or.kr/mail/mail_211230.html
seouldementia.or.kr/_manage/inc/bbs/jiyeuk1_ok.asp
siriuskorea.co.kr/mall/community/bbs_read.asp
swt-keystonevalve.com/data/editor/index.php
theorigin.co.kr:443/admin/management/index.php
ucware.net/skins/PHPMailer-master/index.php
vietjetairkorea.com/INFO/info.asp
vnfmal2022.com/niabbs5/upload/gongji/index.php
warevalley.com/en/common/include/page_tab.asp
yoohannet.kr/min/tmp/process/proc.php

# Reference: https://twitter.com/tiresearch1/status/1718902558922834192

cisco-webex.online
pdf.cisco-webex.online
support.cisco-webex.online

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-10-30-v10452/1080

bitscrunch.ddns.net
bitscrunch.serveirc.com
bitscrunch.tech.linkpc.net
bitscrunch.zapto.org
bitscrunchtech.linkpc.net
document.shared-link.line.pm
indaddy.xyz
internalpdfviewer.ddns.net
nor-health.xyz
shared-link.line.pm
tech.linkpc.net
voldemort.myvnc.com

# Reference: https://www.virustotal.com/gui/ip-address/192.236.194.152/relations

coupang-networks.pics
ronaldo-nftprojects.shop

# Reference: https://twitter.com/tiresearch1/status/1719979579170009130

cloud.doc-shared.linkpc.net
doc-shared.linkpc.net
dubai.network.cloud.doc-shared.linkpc.net
group.evalaskatours.com
internal.bounceme.net
mclearoptical.com
network.cloud.doc-shared.linkpc.net

# Reference: https://twitter.com/tiresearch1/status/1721811568814624831
# Reference: https://app.validin.com/axon?find=62.133.61.204&type=ip

online-meeting.team
safemeeting.online
team-meet.online
video-meeting.team
videomeethub.online

# Reference: https://twitter.com/tiresearch1/status/1722534103751540999

syncmeet.online
team-meeting.xyz

# Reference: https://twitter.com/tiresearch1/status/1725052270910538103
# Reference: https://www.virustotal.com/gui/ip-address/216.107.136.10/relations

bitscrunch.myvnc.com
blackleopard.myvnc.com
naverk.myvnc.com

# Reference: https://twitter.com/tiresearch1/status/1727306536522043677

privymeet.com

# Reference: https://twitter.com/tiresearch1/status/1727956853794250850

group-meeting.online
group-meeting.team

# Reference: https://asec.ahnlab.com/en/59073/
# Reference: https://otx.alienvault.com/pulse/655e254bda9c2bd236bc188f

109.248.150.147:8585
185.29.8.108:8585
27.102.118.204:6099
27.102.128.152:8098
84.38.132.67:9479
primez.online
song.th

# Reference: https://twitter.com/tiresearch1/status/1729392929612218731

france24.live
meeting-online.site
online-processing.online
ovcloud.online

# Reference: https://twitter.com/tiresearch1/status/1729754195903844484
# Reference: https://www.virustotal.com/gui/ip-address/104.168.137.21/relations

alwayswait.online
audiocheck.store
auditprovidre.online
cryptowave.capital
group-meeting.online
group-meeting.team
internal-meeting.online
kkvps.buzz
meetcentralhub.online
meetingverse.app
online-meeting.team
privymeet.com
safe-meeting.online
safemeeting.online
skyboxdrive.cloud
syncmeet.online
team-meet.online
team-meeting.xyz
trustmeeting.live
trustmeeting.online
ubi-safemeeting.live
ubi-safemeeting.online
video-meet.online
video-meet.team
video-meet.xyz
video-meeting.team
archax.privymeet.com
archax.skyboxdrive.cloud
archax.trustmeeting.live
bitfinex.internal-meeting.online
bitfinex.video-meet.online
cryptowave.internal-meeting.online
cryptowave.video-meet.online
d1.skyboxdrive.cloud
drop.skyboxdrive.cloud
dun.audiocheck.store
dun.auditprovidre.online
email.alwayswait.online
emv1.meetingverse.app
emv1.ubi-safemeeting.live
gumi-cryptos.group-meeting.online
gumi-cryptos.group-meeting.team
gumi-cryptos.team-meet.online
gumi-cryptos.team-meeting.xyz
gumi-cryptos.video-meet.team
hashkey.group-meeting.online
hashkey.group-meeting.team
hashkey.internal-meeting.online
hashkey.online-meeting.team
hashkey.team-meet.online
hashkey.team-meeting.xyz
hashkey.video-meet.online
hashkey.video-meet.team
hashkey.video-meeting.team
help.group-meeting.online
help.team-meet.online
help.video-meet.team
help.video-meeting.team
hwsrv-1093408.hostwindsdns.com
ihsgpnsj.meetingverse.app
internal-meeting.online
kraken.group-meeting.online
kraken.group-meeting.team
kraken.team-meet.online
kraken.video-meeting.team
meet.cryptowave.capital
meet.ubi-safemeeting.online
mta-sts.meetingverse.app
mta-sts.ubi-safemeeting.live
okx.internal-meeting.online
okx.video-meet.online
okx.video-meeting.team
pdf.cisco-webex.online
ryze.privymeet.com
shared.dropbox-docsend.online
support.cisco-webex.online
support.cryptowave.capital
support.group-meeting.online
support.group-meeting.team
support.internal-meeting.online
support.meetcentralhub.online
support.privymeet.com
support.safe-meeting.online
support.skyboxdrive.cloud
support.syncmeet.online
support.team-meet.online
support.team-meeting.xyz
support.trustmeeting.live
support.trustmeeting.online
support.ubi-safemeeting.live
support.ubi-safemeeting.online
support.video-meet.online
support.video-meet.team
support.video-meet.xyz
support.video-meeting.team
technical-support.group-meeting.team
technical-support.internal-meeting.online
technical-support.team-meet.online
technical-support.video-meet.online
troubleshoot.group-meeting.team
troubleshoot.internal-meeting.online
troubleshoot.team-meeting.xyz
ubisoft.group-meeting.online
ubisoft.internal-meeting.online
ubisoft.safe-meeting.online
ubisoft.trustmeeting.live

# Reference: https://www.virustotal.com/gui/file/60674602836323647634016774ea123232160c1b4dfcf3fcd2d2c28c652aa00e/detection

104.168.151.34:8080
audiocheck.store
autoupdate.xyz
botsc.autoupdate.xyz
dun.audiocheck.store

# Reference: https://twitter.com/tiresearch1/status/1730114476786229304

einei.line.pm
onelao.line.pm
tiena.einei.line.pm

# Reference: https://twitter.com/tiresearch1/status/1731600500259524993

team-meet.xyz
team-meeting.pro
archax.meetingverse.app
archax.team-meeting.pro
hashkey.team-meeting.pro
lrakkiqr.team-meeting.pro
mail.privymeet.com
technical-support.safe-meeting.online

# Reference: https://twitter.com/tiresearch1/status/1733020053426282778

wndlwndmfe.xyz

# Reference: https://mp.weixin.qq.com/s/f5YE12w3x3wad5EO0EB53Q

http://103.179.142.171
http://156.236.76.9
chaingrown.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-12-06-v10480/1183

manchestercity.work.gd
myself.hopto.org

# Reference: https://slowmist.medium.com/analysis-of-north-korean-hackers-targeted-phishing-scams-on-telegram-872db3f7392b
# Reference: https://otx.alienvault.com/pulse/65773dc2466c7161e66b3d07

archax.team-meeting.xyz
archax.videomeethub.online
emv1.group-meeting.team
emv1.team-meet.xyz

# Reference: https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
# Reference: https://www.virustotal.com/gui/file/000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee/detection
# Reference: https://www.virustotal.com/gui/file/0e416e3cc1673d8fc3e7b2469e491c005152b9328515ea9bbd7cf96f1d23a99f/detection
# Reference: https://www.virustotal.com/gui/file/e615ea30dd37644526060689544c1a1d263b6bb77fe3084aa7883669c1fde12f/detection
# Reference: https://www.virustotal.com/gui/file/9a48357c06758217b3a99cdf4ab83263c04bdea98c347dd14b254cab6c81b13a/detection
# Reference: https://www.virustotal.com/gui/file/534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433/detection
# Reference: https://www.virustotal.com/gui/file/ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4/detection
# Reference: https://www.virustotal.com/gui/file/47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30/detection
# Reference: https://www.virustotal.com/gui/file/f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59/detection
# Reference: https://www.virustotal.com/gui/file/5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541/detection
# Reference: https://www.virustotal.com/gui/file/82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def/detection

http://155.94.208.209
http://185.29.8.53
http://27.102.113.93
201.77.179.66:8082
micrsofts.tech
tech.micrsofts.com
tech.micrsofts.tech

# Reference: https://www.virustotal.com/gui/ip-address/23.254.129.6/relations
# Reference: https://app.validin.com/axon?source=DNS&type=ip&find=23.254.129.6

commoncome.site
good.commoncome.site
wideocean.run.place

# Reference: https://twitter.com/karol_paciorek/status/1749376208477786172

http://173.249.5.112

# Reference: https://twitter.com/malwrhunterteam/status/1750492037936222291
# Reference: https://twitter.com/greglesnewich/status/1750500025346445609
# Reference: https://www.virustotal.com/gui/file/e05142f8375070d1ea25ed3a31404ca37b4e1ac88c26832682d8d2f9f4f6d0ae/detection

fasttet.com

# Reference: https://twitter.com/tiresearch1/status/1755176085610721337
# Reference: https://www.virustotal.com/gui/ip-address/217.20.117.39/relations

continue-meeting.site
drive-access.site
home-continue.online
home-proceed.online
pannel-get-data.us
ushrt.us
join-room.meeting-online.site

# Reference: https://twitter.com/h2jazi/status/1757798585611997236
# Reference: https://www.virustotal.com/gui/file/b557fa6a92e1ecd768aa723258cb453beb6597c583dbe76d8e82ffdf392f5932/detection

franksweeklycall.com/wp-includes/html-api/class-wp-html-user.php

# Reference: https://twitter.com/asdasd13asbz/status/1758054481957450034
# Reference: https://www.virustotal.com/gui/ip-address/35.167.150.110/relations

elshaik.com/wp-content/plugins/elementor/core/editor/editor-ui.php
ssoc.cl/wp-content/plugins/webmention/libraries/emoji-detector/src/Detector.php

# Reference: https://twitter.com/malwrhunterteam/status/1764037492812943550
# Reference: https://www.virustotal.com/gui/file/0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7/detection
# Reference: https://www.virustotal.com/gui/file/bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b/detection

jdkgradle.com

# Reference: https://twitter.com/malwrhunterteam/status/1769840338745659896
# Reference: https://www.virustotal.com/gui/file/09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38/detection

mingeloem.com

# Reference: https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/

http://145.232.235.222

# Reference: https://asec.ahnlab.com/en/63192/

84.38.129.21:2222
84.38.129.21:5443
ourhome.o-r.kr
mssrv.kro.kr
privacy.hopto.org
panda.ourhome.o-r.kr

# Reference: https://asec.ahnlab.com/en/85400/

http://45.61.148.153

# Reference: https://twitter.com/1ZRR4H/status/1771912721031663841
# Reference: https://www.virustotal.com/gui/file/02d55193310ea19a4ce4c8a7f095c84b0511946d11a647e12758569292014882/detection

http://91.92.248.50
91.92.248.50:445
the.earth.li/~sgtatham/putty/0.80/w64/

# Reference: https://twitter.com/dimitribest/status/1782609281897902426
# Reference: https://twitter.com/Cyberteam008/status/1782983614701162993

147.124.212.89:1244
147.124.214.129:1244
147.124.214.131:1244
147.124.214.237:1244
67.203.7.171:1244
67.203.7.245:1244

# Reference: https://twitter.com/tiresearch1/status/1784118099278741797

star-bucks.autos
star-bucks.beauty
star-bucks.boats
star-bucks.bond
star-bucks.cam
star-bucks.cfd
star-bucks.click
star-bucks.com
star-bucks.fun
star-bucks.gay
star-bucks.guru
star-bucks.homes
star-bucks.lol
star-bucks.makeup
star-bucks.mom
star-bucks.motorcycles
star-bucks.net
star-bucks.pics
star-bucks.quest
star-bucks.rest
star-bucks.sbs
star-bucks.shop
star-bucks.skin
star-bucks.store
star-bucks.tattoo
star-bucks.today
star-bucks.top
star-bucks.xyz
star-bucks.yachts
starbuckscenter.autos
starbuckscenter.beauty
starbuckscenter.boats
starbuckscenter.bond
starbuckscenter.cam
starbuckscenter.cfd
starbuckscenter.click
starbuckscenter.com
starbuckscenter.fun
starbuckscenter.gay
starbuckscenter.guru
starbuckscenter.homes
starbuckscenter.life
starbuckscenter.lol
starbuckscenter.makeup
starbuckscenter.mom
starbuckscenter.motorcycles
starbuckscenter.net
starbuckscenter.pics
starbuckscenter.quest
starbuckscenter.rest
starbuckscenter.sbs
starbuckscenter.shop
starbuckscenter.skin
starbuckscenter.store
starbuckscenter.tattoo
starbuckscenter.today
starbuckscenter.top
starbuckscenter.xyz
starbuckscenter.yachts
starbucksevent.autos
starbucksevent.beauty
starbucksevent.boats
starbucksevent.bond
starbucksevent.cam
starbucksevent.cfd
starbucksevent.click
starbucksevent.com
starbucksevent.fun
starbucksevent.gay
starbucksevent.guru
starbucksevent.homes
starbucksevent.life
starbucksevent.lol
starbucksevent.makeup
starbucksevent.mom
starbucksevent.motorcycles
starbucksevent.net
starbucksevent.quest
starbucksevent.rest
starbucksevent.sbs
starbucksevent.shop
starbucksevent.skin
starbucksevent.store
starbucksevent.tattoo
starbucksevent.today
starbucksevent.top
starbucksevent.xyz
starbucksevent.yachts

# Reference: https://app.validin.com/detail?type=ip&find=194.59.183.241#tab=resolutions

starbucks-goodsitem.cfd
starbucks-greenapron.lol
starbucks-greenapronnft.click
starbucks-odyssey.shop
starbucks-support.store
starbucksnft-service.xyz

# Reference: https://app.validin.com/detail?find=45.86.230.189&type=ip4&ref_id=2dd37ed5db5#tab=resolutions

11stnft.click
starbucks-greenapron.rest
starbucks-greenaprons.cfd
starbucks-newtech.bond
starbucks-newtech.cfd
starbucksgoodsnft.click
starbucksgreenapron.bond
starbucksnftservice.homes

# Reference: https://twitter.com/MichalKoczwara/status/1785379113517154732

private-meet.online
fenbushi.private-meet.online

# Reference: https://twitter.com/MichalKoczwara/status/1787783113742885332

letsmeetnow.site
regular-meeting.team
ngc.regular-meeting.team
fenbushi.regular-meeting.team

# Reference: https://twitter.com/KseProso/status/1788114018722595188
# Reference: https://twitter.com/ValidinLLC/status/1788128803698450591
# Reference: https://x.com/tayvano_/status/1848785112101691511
# Reference: https://www.virustotal.com/gui/ip-address/104.168.157.45/relations

biz-meeting.site
cloudstore.business
group-meeting.pro
instant-patch.online
online-meet.team
online-meet.xyz
online-meeting.co
preconnection.online
sky-meeting.com
team-meeting.net
voov-meeting.site
abc.preconnection.online
alpha.preconnection.online
casteisland.sky-meeting.com
casteisland.team-meeting.net
support.cloudstore.business
email.instant-patch.online
emv1.group-meeting.pro
emv1.preconnection.online
emv1.private-meet.online
hashkey.online-meet.team
hashkey.online-meet.xyz
liwoeson.online-meet.team
ok.preconnection.online
signum.group-meeting.pro
support.group-meeting.pro
support.online-meet.xyz
waterdrip.group-meeting.pro

# Reference: https://twitter.com/ValidinLLC/status/1788134423273034033
# Reference: https://www.virustotal.com/gui/ip-address/104.168.203.159/relations

general-meeting.team
private-meet.team
private-meet.xyz
emv1.general-meeting.team
fenbushi.general-meeting.team
fenbushi.private-meet.team
ngc.private-meet.xyz
support.general-meeting.team

# Reference: https://mp.weixin.qq.com/s/84lUaNSGo4lhQlpnCVUHfQ
# Reference: https://www.cert.si/tz016/

147.124.212.146:1244
147.124.213.11:1244
147.124.213.29:1244
172.86.123.35:1244
172.86.97.80:1224
173.211.106.101:1244
173.211.106.101:1245
45.61.131.218:1245
91.92.120.135:3000

# Reference: https://x.com/dimitribest/status/1796191215626440908
# Reference: https://www.virustotal.com/gui/file/6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0/detection
# Reference: https://www.virustotal.com/gui/file/01611aa9fe649335a7d813fa1693b9421d8585155351f3a696e8bfdcf45440d3/detection
# Reference: https://www.virustotal.com/gui/file/70db987e2545cbc3e22bac0503f89f46a441cc9f206d0aa41d66b54f511638d6/detection

172.86.98.240:1224

# Reference: https://twitter.com/asdasd13asbz/status/1788848468947296398

67.203.7.245:21

# Reference: https://twitter.com/MichalKoczwara/status/1788980517812994267
# Reference: https://app.validin.com/detail?type=ip&find=104.168.203.161

regular-meeting.site
regular-meeting.xyz
ngc.regular-meeting.site

# Reference: https://app.validin.com/detail?find=regular-meeting.online&type=dom#tab=resolutions

regular-meeting.online

# Reference: https://app.validin.com/detail?find=regular-meeting.pro&type=dom#tab=resolutions

regular-meeting.pro

# Reference: https://x.com/banthisguy9349/status/1795545335164490137
# Reference: https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/

bestonlinefilmstudio.org
ccwaterfall.com
defitankzone.com
detankwar.com
freenet-zhilly.org
matrixane.com
pointdnt.com
starglowventures.com

# Reference: https://raw.githubusercontent.com/0xKoda/ioc-public/main/ioc.json

ld-digitaal.com
tiktoks.bio
yayachuhai.top
long.waitingfor.cfd
us13.yayachuhai.top

# Reference: https://checkmarx.com/blog/a-new-north-korean-group-emerges-disrupting-the-open-source-ecosystem/

cryptopriceoffer.com

# Reference: https://x.com/MichalKoczwara/status/1812580245645766928
# Reference: https://www.validin.com/blog/hunting-lazarus-dns-history-host-responses/
# Reference: https://www.virustotal.com/gui/ip-address/104.168.157.45/relations

alwayswelcome.online
docsend.online
docsend.site
docsend.store
dropfile.cloud
dropfile.online
general-meet.online
general-meet.site
general-meet.team
group-meet.online
group-meet.site
group-meet.team
internal-meet.online
internal-meet.team
internal-meet.xyz
live-meeting.world
meet-safe.online
meeting-central.online
meeting-hub.online
meeting-pro.online
meetup-zone.online
online-meeting.community
online-meeting.social
regular-meet.online
regular-meet.site
regular-meet.team
room-connect.online
roomconnect.online
video-meet.site
virtual-collab.online
7xvc.roomconnect.online
abc.roomconnect.online
beta.preconnection.online
http-qjhndbrw.roomconnect.online
https-qjhndbrw.roomconnect.online
xkbaaalpha.preconnection.online

# Reference: https://x.com/malwrhunterteam/status/1812792291876119034
# Reference: https://objective-see.org/blog/blog_0x7A.html
# Reference: https://www.virustotal.com/gui/file/9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c/detection

95.164.17.24:1224
mirotalk.net

# Reference: https://x.com/dimitribest/status/1815789250656301211
# Reference: https://search.censys.io/search?q=services.http.response.headers%3A+%28key%3A+%60ETag%60+and+value.headers%3A+%60W%2F%2286b-1886de13223%22%60%29&resource=hosts

67.203.7.163:1244

# Reference: https://www.virustotal.com/gui/ip-address/23.254.244.242/relations
# Reference: https://search.censys.io/search?q=services.http.response.headers%3A+%28key%3A+%60ETag%60+and+value.headers%3A+%60W%2F%22841-18e75d61ccb%22%60%29&resource=hosts

23.254.244.242:3000
coupang-marketing.rest
coupang-sales.rest
starbucks-services.cyou

# Reference: https://www.virustotal.com/gui/ip-address/192.236.233.51/relations

starbucksservice.homes
yourstabrucks.monster

# Reference: https://www.virustotal.com/gui/ip-address/192.119.81.146/relations

starbucksfirst.icu

# Reference: https://www.virustotal.com/gui/ip-address/104.168.237.182/relations

coca-cola.bond
starbucks-corp.art

# Reference: https://search.censys.io/search?q=services.http.response.html_tags%3D%22%3Ctitle%3ENode.js+upload+multiple+files%3C%2Ftitle%3E%22&resource=hosts

http://143.198.48.95
143.198.48.95:22
143.198.48.95:443

# Reference: https://x.com/h2jazi/status/1818715043800006982
# Reference: https://www.virustotal.com/gui/file/f7559f6d4346f412c2c4ea18363efba3075345b7533af9964298803ffe75f919/detection
# Reference: https://www.virustotal.com/gui/file/dd038040283793c67cd50252fb9ef20eb07e2f36d284f70cb2340e501dcb99d7/detection

honehsn.com

# Reference: https://x.com/JangPr0/status/1818787100130787428
# Reference: https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/

166.88.132.114:8000
77.37.37.81:1244
77.37.37.81:8000
ztec.store
de.ztec.store

# Reference: https://www.virustotal.com/gui/file/e90cedfce785b0f1ed30661914a0c169edf8ccb039cd722fec7fd5a85a3e99ad/detection

185.208.158.203:5555

# Reference: https://x.com/malwrhunterteam/status/1820375076312604830
# Reference: https://www.virustotal.com/gui/file/1ab4af3bb2a343e9bc29e177aebe7d175a6b8af317ee3a8527271ed41148212e/detection
# Reference: https://www.virustotal.com/gui/file/3ac93cd715dc191464703b988ba1d72d4bd97836bcddea9a653232fd57facf00/detection

185.208.158.203:8080

# Reference: https://x.com/MichalKoczwara/status/1826162083332829323
# Reference: https://www.virustotal.com/gui/ip-address/104.168.165.173/relations

cloud-storage.world
ryzelabs.net
meet.ryzelabs.net
7xvc.virtual-collab.online
dragonfly.virtual-collab.online
support.virtual-collab.online
technical-support.virtual-collab.online

# Reference: https://x.com/Merlax_/status/1826417594766651777
# Reference: https://www.virustotal.com/gui/file/8a23dd86da0aff9b460b8ebc9dd3e891d44ea0183ace4f5d28a7e4ddab47664a/detection
# Reference: https://www.virustotal.com/gui/file/a87b6664b718a9985267f9670e10339372419b320aa3d3da350f9f71dff35dd1/detection

http://45.140.147.208
45.140.147.208:53421
45.140.147.208:53422

# Reference: https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/
# Reference: https://app.validin.com/detail?find=167.88.36.13&type=ip4&ref_id=545b0c93f1c#tab=resolutions
# Reference: https://app.validin.com/detail?type=ip&find=45.61.158.14#tab=resolutions

ipcheck.cloud
regioncheck.net
repohost.online
support-pishgam.site

# Reference: https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/
# Reference: https://app.validin.com/detail?find=185.135.84.58&type=ip4&ref_id=5a6b4dd9f9e#tab=resolutions

voyagorclub.space
weinsteinfrog.com

# Reference: https://www.group-ib.com/blog/apt-lazarus-python-scripts/
# Reference: https://www.virustotal.com/gui/file/7165aa2157b7cb4e20a0ed68b26a2b9c6957ae370d6bcb58918efb47b595744f/detection
# Reference: https://www.virustotal.com/gui/file/1ef484513c027ccc747a88777559f96018e2b5cad830025911f0786e24d491f3/detection

23.106.253.194:1244
freeconference.io
/brow/N3RFYU07
/payload/N3RFYU07
/N3RFYU07

# Reference: https://x.com/MichalKoczwara/status/1833241777374900497
# Reference: https://x.com/MichalKoczwara/status/1853481507848908950
# Reference: https://www.virustotal.com/gui/ip-address/104.168.165.165/relations

7xvc.meeting-central.online
7xvc.meeting-zone.online
abc.meeting-central.online
abc.meeting-zone.online
access.support.general-meet.site
admin.alwayswelcome.online
admin.general-meet.site
admin.meeting-central.online
admin.meeting-zone.online
admin.support.general-meet.site
affiliate.support.general-meet.site
ann.support.general-meet.site
api.alwayswelcome.online
api.general-meet.site
api.meeting-zone.online
apollo.support.general-meet.site
app.alwayswelcome.online
app.meeting-zone.online
backed.general-meet.site
backend.alwayswelcome.online
backend.meeting-zone.online
demo.alwayswelcome.online
dev.alwayswelcome.online
dev.general-meet.site
dev.meeting-zone.online
emv1.alwayswelcome.online
emv1.group-meet.online
emv1.group-meet.site
foundationcap.regular-meet.team
hack-vc.video-meets.site
hack-vc.video-meets.xyz
invoicez.xyz
longhash.general-meet.site
longhash.video-meets.online
mail1.fuchuangonline.com
meeting-zone.online
metaschool.video-meets.online
newfromjune.xyz
ngc.regular-meet.site
online-meets.site
online-meets.xyz
staging.alwayswelcome.online
staging.meeting-zone.online
support.general-meet.site
support.meeting-zone.online
support.regular-meet.online
support.regular-meet.team
support.video-meet.site
support.video-meets.online
support.video-meets.site
video-meets.online
video-meets.pro
video-meets.site
video-meets.team
video-meets.xyz

# Reference: https://www.elastic.co/security-labs/dprk-code-of-conduct
# Reference: https://app.validin.com/detail?find=92e6a5d3a7f7f2cf909fa50522b44b4d33719202db005383be611a2e68a3d5b3&type=hash&ref_id=77a108e8213#tab=host_pairs_v2
# Reference: https://www.virustotal.com/gui/file/6779f9b40beaf172950372303d89452358403189d236c5856d305ded2e82a15f/detection

akamaitechnologies.online
ceinbase.com
cienbase.com
ceionbase.com
coinblase.com
coinbrase.com
login.ceionbase.com
loading-coinbase.com
accounts.ceinbase.com
links.ceinbase.com
login.ceinbase.com
login.coinblase.com
login.coinbrase.com

# Reference: https://app.validin.com/detail?find=45.32.90.176&type=ip4&ref_id=d162d0bbffd#tab=resolutions

cicoinbase.com
cobinase.com
cobinbase.com
coinbalse.com
coinibrase.com
coininbase.com
eoinbase.com
login.cicoinbase.com
login.cobinase.com
login.cobinbase.com
login.coinbalse.com
login.coinibrase.com
login.coininbase.com
mail.eoinbase.com

# Reference: https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/
# Reference: https://www.virustotal.com/gui/file/f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703/detection

rgedist.com
talesseries.com

# Reference: https://x.com/eastside_nci/status/1836605224020033548
# Reference: https://search.censys.io/hosts/45.61.128.122

caladangroup.xyz
selinicapital.online
selinicapital.xyz
sellinicapital.com
meet.caladangroup.xyz
meet.selinicapital.online
meet.selinicapital.xyz
meeting.sellinicapital.com

# Reference: https://x.com/P4nd3m1cb0y/status/1841829124404343223

23.106.253.221:1224

# Reference: https://x.com/MichalKoczwara/status/1843725315664912877
# Reference: https://www.virustotal.com/gui/ip-address/104.168.165.203/relations

2daojnjnp666jla6.dropfile.online
8190ocvswfyd57v5.docsend.online
ade.dropfile.online
admin.chrome-browser.cloud
admin.docsend.online
admin.docsend.site
admin.dropfile.online
analytic.dropfile.online
api.chrome-browser.cloud
api.docsend.site
api.docsend.store
api.dropfile.cloud
api.dropfile.online
app.docsend.site
app.dropfile.cloud
app.dropfile.online
argoworkflow.chrome-browser.cloud
asl.dropfile.online
auth.dropfile.online
authsmtp.dropfile.online
ayr.dropfile.online
bac.dropfile.online
backed.docsend.site
backend.chrome-browser.cloud
backend.docsend.site
backend.dropfile.cloud
backend.dropfile.online
blo.dropfile.online
bon.dropfile.online
bot.dropfile.online
bqersape.dropfile.online
chrome-browser.cloud
coz.dropfile.online
cro.dropfile.online
dag.dropfile.online
day.dropfile.online
dc-aeea9bdbc87b.dropfile.online
demo.chrome-browser.cloud
demo.docsend.site
demo.docsend.store
demo.dropfile.online
dev.chrome-browser.cloud
dev.docsend.site
dev.docsend.store
dev.dropfile.online
dip.dropfile.online
drive.chrome-browser.cloud
eli.dropfile.online
elm.dropfile.online
email.dropfile.online
emv1.chrome-browser.cloud
emv1.dropfile.cloud
emv1.dropfile.online
eon.dropfile.online
exchange.dropfile.online
flow.dropfile.online
fob.dropfile.online
fog.dropfile.online
ftp.dropfile.online
fw.docsend.online
gen.dropfile.online
iao.dropfile.online
iba.dropfile.online
ice.dropfile.online
ich.dropfile.online
imap.dropfile.online
imap1.dropfile.online
kuadyhfnejh.meeting-hub.online
lad.dropfile.online
lam.dropfile.online
lei.dropfile.online
liymgdc-aeea9bdbc87b.dropfile.online
liz.dropfile.online
llm.docsend.online
login.docsend.online
m.docsend.online
m.dropfile.online
mail.dropfile.online
mail1.dropfile.online
mail2.dropfile.online
mailer.dropfile.online
mailgate.dropfile.online
mailgw.dropfile.online
mailhost.dropfile.online
mailin.dropfile.online
mailout.dropfile.online
mailserver.dropfile.online
mailx.dropfile.online
mx.dropfile.online
mx2.dropfile.online
ns.dropfile.online
ns1.dropfile.online
ns2.dropfile.online
pop.dropfile.online
pop3.dropfile.online
post.dropfile.online
postmaster.dropfile.online
qeiukdemo.docsend.store
relay.dropfile.online
remote.dropfile.online
secure.dropfile.online
server.dropfile.online
smtp.dropfile.online
smtp1.dropfile.online
smtp2.dropfile.online
smtpauth.dropfile.online
smtps.dropfile.online
spam.dropfile.online
staging.chrome-browser.cloud
staging.docsend.site
staging.docsend.store
staging.dropfile.online
support.docsend.site
upport.docsend.site
web-conference.xyz
webmail.dropfile.online
ww25.ann.dropfile.online
ww25.dit.dropfile.online
ww25.dropfile.online
ww25.eli.dropfile.online
ww25.lad.dropfile.online
ww38.asl.dropfile.online
ww38.bed.dropfile.online
ww38.dropfile.online
ww38.gen.dropfile.online
ww38.lei.dropfile.online
www1.docsend.online
www1.dropfile.online
www2.dropfile.online
xyy.dropfile.online
ygpsabacked.docsend.site

# Reference: https://x.com/MichalKoczwara/status/1844302222911476079
# Reference: https://x.com/ishivtripathi/status/1844313316241645886

185.235.241.208:1224
23.106.253.215:1244
23.106.253.221:1244
23.106.253.242:1244
23.106.70.154:1244
45.137.213.30:1224

# Reference: https://x.com/80vul/status/1844345021627236578
# Reference: https://www.zoomeye.hk/searchResult?q=%22%3Ctitle%3ENode.js+upload+multiple+files%3C%2Ftitle%3E%22&page=1&pageSize=50

123.21.4.30:3000
13.126.148.192:3000
13.76.169.115:3000
142.11.210.175:3000
149.28.137.173:7001
149.40.62.82:3000
159.93.36.174:8444
159.93.36.84:8444
195.154.173.4:3000
23.106.253.209:1244
35.188.212.32:3000
35.219.62.75:3001
45.61.169.99:3000
45.76.154.181:3000
52.187.130.188:3000

# Reference: https://x.com/blackorbird/status/1848262847689887757
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/lazarus/2024-10-14%20Lazarus%20InvisibleFerret.pdf
# Reference: https://search.censys.io/hosts/95.164.7.171

95.164.17.24:2249
95.164.7.171:1244
95.164.7.171:2249
95.164.7.171:445
privatepool.store
ba5827bf4e00.privatepool.store

# Reference: https://x.com/blackorbird/status/1848563899064586701
# Reference: https://www.esentire.com/blog/bored-beavertail-yacht-club-a-lazarus-lure
# Reference: https://github.com/eSentire/iocs/blob/main/Lazarus/lazarus_iocs_10-15-2024.txt

167.88.168.152:1224
69.43.130.141:3000
69.43.130.153:3000

# Reference: https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/
# Reference: https://www.virustotal.com/gui/ip-address/45.61.132.114/relations

detankzone.com
api.detankzone.com
app.detankzone.com

# Reference: https://x.com/blackorbird/status/1853724721520775677
# Reference: https://github.com/ThreatLabz/iocs/blob/main/contagiousinterview/c2s.txt

w3capi.marketing
payloadrpc.com

# Reference: https://x.com/P4nd3m1cb0y/status/1856123619417428061
# Reference: https://x.com/P4nd3m1cb0y/status/1856520422583353696
# Reference: https://x.com/DaveLikesMalwre/status/1866981595111895209

147.124.197.138:1244
147.124.197.149:1244
165.140.86.227:1244
38.92.47.151:1244
38.92.47.85:1244
38.92.47.91:1244
45.43.11.201:1244
66.235.168.232:1244
66.235.168.238:1244
86.104.74.51:1224

# Reference: https://x.com/TLP_R3D/status/1856645765185110265
# Reference: https://x.com/TLP_R3D/status/1856648392295797009
# Reference: https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/
# Reference: https://hunt.io/blog/suspected-north-korean-hackers-target-blockchain-community-via-telegram

big-typl.online
civ.team-meeting.net
dun.wndlwndmfe.xyz
eosszzc.hateoo.space
hateoo.space
internal-meeting.site
mail.big-typl.online
mouradvps43hostwin.online
ns1.big-typl.online
paycount.webbs-information.login.udaviemayas.com
private-meeting.site
ryzelabs.private-meeting.site
secure.paycount.webbs-information.login.udaviemayas.com
suntcijm.mouradvps43hostwin.online
support.internal-meeting.site
udaviemayas.com
webbs-information.login.udaviemayas.com

# Reference: https://x.com/lontze7/status/1856611739166470347
# Reference: https://x.com/MichalKoczwara/status/1856633769668616614
# Reference: https://x.com/LPX_404/status/1860977091690615172
# Reference: https://x.com/_eremit4/status/1856707514936492089
# Reference: https://x.com/ValidinLLC/status/1861021649522348124
# Reference: https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.jarm.fingerprint%3A+2ad2ad0002ad2ad00042d42d00000000f78d2dc0ce6e5bbc5b8149a4872356+AND+%22hwc-hwp-7982830%22

104.168.157.45:3389
104.168.157.45:443
104.168.165.165:3389
104.168.165.165:443
104.168.165.173:3389
104.168.165.173:443
104.168.165.203:3389
104.168.165.203:443
104.168.203.159:3389
104.168.203.159:443
23.254.244.248:3389
23.254.244.248:443
23.254.247.32:3389
23.254.247.32:443
23.254.247.53:3389
23.254.247.53:443
a.videotalks.site
admin.drop-box.store
app.drop-box.store
b.videotalks.site
backend.drop-box.store
comma3.videotalks.online
conference-go.online
demo.drop-box.store
drop-box.info
drop-box.store
emv1.videotalks.online
leavetecs.online
meet-client.online
ns2.videotalks.online
ollie.videotalks.online
online-meets.online
online-meets.pro
room-meeting.xyz
support.videotalks.online
videotalks.online
videotalks.site
web-meet.online
insights.online-meets.pro

# Reference: https://x.com/1ZRR4H/status/1856985633153053060

castleisland.sky-meeting.com
comma3.biz-meeting.site
dragonfly.cloudstore.business

# Reference: https://x.com/asdasd13asbz/status/1859467358013895092
# Reference: https://x.com/asdasd13asbz/status/1859512243471446165
# Reference: https://www.nccgroup.com/es/research-blog/north-korea-s-lazarus-their-initial-access-trade-craft-using-social-media-and-social-engineering/

global-job.org
ics-kr.com/video/player.php
manhotline.or.kr/data/member/search.php

# Reference: https://x.com/malwrhunterteam/status/1860965771242864867
# Reference: https://app.validin.com/detail?find=51.79.133.76&type=ip4&ref_id=e843c726398#tab=resolutions
# Reference: https://app.validin.com/detail?find=%3A%3A%22og%3Atitle%22%3A%3A%22SITUS%20SLOT%20DEPO%2010K%20%F0%9F%92%8E%20Situs%20Viral%20Minimal%20DP%2010.000%20Gampang%20Menang%22&type=raw&ref_id=92eff97ba42#tab=host_pairs
# Reference: https://www.virustotal.com/gui/file/2727e1775588fee0f9e6d69460338cb526a8d0bb34c5d9df6e4609d1b3d56386/detection

internal-meeting.cyou
safe-meeting.site
situsslotdepo10k.org

# Reference: https://app.validin.com/detail?find=195.133.88.31&type=ip4&ref_id=24685dca12a#tab=resolutions

h34fdfbm.store
essendantdock.online

# Reference: https://app.validin.com/detail?type=ip&find=45.11.181.47#tab=resolutions

m-omeets.online
m-teams.live
mo-events.online

# Reference: https://app.validin.com/detail?type=ip&find=67.43.234.98#tab=resolutions

salessgroupss.live
ns1.salessgroupss.live
ns2.salessgroupss.live

# Reference: https://app.validin.com/detail?type=ip&find=94.247.42.70#tab=resolutions

247l.net
dldoc.net
fmi-link.info
greenroad.top
greenways.shop
racksuphde.xyz
rtupdates.net

# Reference: https://app.validin.com/detail?find=wassmestaazh.pro&type=raw&ref_id=22540801568#tab=host_pairs (# 2024-12-10)

avillionrabbitry.com
bizsupport365.com
bobshields.com
contentverge.com
etoffcoinbase.com
gnxcepro.com
gwmspacegpt.com
haifeizhang.com
luosongs.shop
marketplacepcai.com
momentumspace.top
nd6u0.asia
ns2.bizsupport365.com
ns2.contentverge.com
quonexa.com
reddish-dawn.store
sandwich-factory.buzz
sdhsdfhsd.com
serversnoti.com
soar.vip
sssaaaafdafa.top
wassmestaazh.pro
yayun88.one

# Reference: https://x.com/dimitribest/status/1869572308178010492
# Reference: https://www.virustotal.com/gui/file/56a666601e66a01cc8dcb53a470d9ea092633c76197cd13919c7749e51ebccbc/detection

atokyonews.com

# Reference: https://x.com/AzakaSekai_/status/1871118429501128863
# Reference: https://search.censys.io/hosts/67.203.7.209/data/table#1244-TCP-HTTP
# Reference: https://search.censys.io/search?q=services.http.response.html_title%3D%22Node.js+upload+multiple+files%22&resource=hosts (# 2024-12-23)

147.124.212.125:1244
67.203.7.200:1244
67.203.7.209:1244
66.235.175.109:1244
/bro/gbNsNg6
/payl/gbNsNg6
/gbNsNg6

# Reference: https://x.com/AzakaSekai_/status/1871960523698545069
# Reference: https://www.virustotal.com/gui/file/672757d8ead192ea797570b0bc25a07cd0e6424af7819bd6bab33f49a304f6bf/detection
# Reference: https://www.virustotal.com/gui/file/8637fb723054087f42c0ba93b4528588adc4954a077dc0860912bbfbcbdd8013/detection

http://108.181.185.2
108.181.185.2:23
108.181.185.2:443
108.181.185.2:5001
/adc/empOQO
/payload/empOQO

# Reference: https://jp.security.ntt/tech_blog/contagious-interview-ottercookie
# Reference: https://app.validin.com/detail?find=135.181.163.182&type=ip4&ref_id=9058ba7500b#tab=resolutions
# Reference: https://app.validin.com/detail?find=65.21.19.33&type=ip4&ref_id=9058ba7500b#tab=resolutions

45.128.52.14:1224
blastapi.org
zkservice.cloud
ethereum.blastapi.org

# Reference: https://x.com/dimitribest/status/1872743641166606737
# Reference: https://x.com/dimitribest/status/1873003988536230241
# Reference: https://www.virustotal.com/gui/file/1fa62f29313e55ee1bca18820d2f1ca3aaecf438a137a67106d413c655004f0e/detection
# Reference: https://www.virustotal.com/gui/file/aee26c1ac2cbb598bd2ed4747e58efe68de20cb4c6cf5863c1a9dcf33dc6aae9/detection

5.253.43.122:1224
5.253.43.122:5346
95.164.17.24:5346

# Reference: https://x.com/tayvano_/status/1872980013542457802
# Reference: https://x.com/dimitribest/status/1873024742690857009
# Reference: https://x.com/StrikeReadyLabs/status/1873182889128673422
# Reference: https://x.com/StrikeReadyLabs/status/1873388149566747069
# Reference: https://x.com/banthisguy9349/status/1873329177312875005
# Reference: https://x.com/G60930953/status/1876050261023875128
# Reference: https://dmpdump.github.io/posts/NorthKorea_Backdoor_Stealer/
# Reference: https://www.virustotal.com/gui/ip-address/162.254.39.9/relations
# Reference: https://www.virustotal.com/gui/file/a803c043e12a5dac467fae092b75aa08b461b8e9dd4c769cea375ff87287a361/detection

camera-drive.cloud
imoda.site
nvidia-cloud.online
nvidia-drive.cloud
nvidia-release.cloud
nvidia-release.org
nvidia-release.us
api.camera-drive.cloud
api.imoda.site
api.nvidia-cloud.online
api.nvidia-drive.cloud
api.nvidia-release.cloud
api.nvidia-release.org
api.nvidia-release.us

# Reference: https://x.com/banthisguy9349/status/1873348678540493273

hyphen-connect.com

# Reference: https://x.com/banthisguy9349/status/1873338361928466759
# Reference: https://x.com/dimitribest/status/1873367811822903765
# Reference: https://www.virustotal.com/gui/file/d05f805d172583f1436eac2cfddcc5413ef6be0b37eda98ebca0cb0cfae8ad9e/detection

216.74.123.191:22
216.74.123.191:3001
216.74.123.191:8080
jz-aws.info
api.jz-aws.info

# Reference: https://x.com/tayvano_/status/1872980013542457802
# Reference: https://x.com/MichalKoczwara/status/1878451947734204660
# Reference: https://app.validin.com/detail?find=190.97.166.164&type=ip4&ref_id=ce0a2dc7d44#tab=resolutions
# Reference: https://www.virustotal.com/gui/ip-address/193.242.184.2/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.222.173.30/relations
# Reference: https://app.validin.com/detail?find=%3A%3A%22og%3Adescription%22%3A%22description%22%3A%22Willo%20is%20a%20platform%20for%20structured%2C%20asynchronous%2C%20video%20creation%20and%20sharing.%20We%20help%20organisations%20everywhere%20discover%20and%20connect%20with%20more%20people.%22&type=raw&ref_id=a33de82ac6e#tab=host_pairs (# 2024-12-28)

atdfinancial.com
blockchain-assess.com
blockchain-checkup.com
blockchain-talent-search.com
blockchainrecruitment360.com
careerinterview360.com
complexassess.com
complexassessment.com
crypto-assess.com
crypto-assessment.com
decentscrippts.com
digitpotalent.com
distscrippts.com
elitewholetalent.com
easyinterview360.com
fundcandidates.com
gethirednow.org
helpdeskassistance.org
hiring-interview.com
hiringinterview.org
hiringtalent.pro
insight-interview.com
insightquestion.com
interview-talent.com
interviewhub.org
interviewnest.org
intervu-talent.pro
intro-crypto-assess.com
jobinterview360.com
jobinterviewguide.org
primestacks.org
questionnairehq.com
quickhire360.com
quickhiretest.com
quickinterview360.com
quickskillup.us
skilluplifestylehub.com
quickvidintro.com
screenquestion.com
screenquestions.com
skill-share.org
skillmasteryhub.org
smarthiretop.online
talentassesspro.com
talentcompetency.com
talentvideopro.com
talentview360.com
test29292.com
topinnomastertech.com
videoforrecruitment.com
videorecruitpro.com
videoscreening.org
vidintroexam.com
vinterview.org
wholecryptoloom.com
wiilotalent.com
wilio-talent.net
willo-interview.us
willo-video.com
willoassess.com
willoassess.net
willoassess.org
willoassessment.com
willocandidate.com
willohire.com
willohiring.com
willointerview.com
willomexcvip.us
willorecruit.com
willotalant.com
willotalent.pro
willotalent.us
willotalent.xyz
willotalentes.com
willotalents.org
wilo-talent.com
winterviews.net
winyourrole.com
workwizards.org
wtalents.in
wtalents.info
wtalents.us
api.willoassessment.com
app.blockchain-assess.com
app.blockchain-checkup.com
app.crypto-assessment.com
app.hiring-interview.com
app.hiringinterview.org
app.hiringtalent.pro
app.interviewnest.org
app.quickvidintro.com
app.skill-share.org
app.videoforrecruitment.com
app.videoscreening.org
app.vidintroexam.com
app.vinterview.org
app.willo-interview.us
app.willoassess.com
app.willoassessment.com
app.willocandidate.com
app.willohiring.com
app.willomexcvip.us
app.willorecruit.com
app.willotalant.com
app.willotalent.pro
app.willotalent.us
app.willotalent.xyz
app.willotalentes.com
app.willotalents.org
app.wilo-talent.com
app.wtalents.us
consensys.willoassessment.com
final.hiringtalent.pro
frontend-dev-bnp.pages.dev
frontend-eu1.pages.dev
frontend-staging-egw.pages.dev
frontend-us1.pages.dev
gemini.crypto-assessment.com
gemini.willoassess.com
gemini.willohiring.com
geminiskill.willoassessment.com
hiring.willoassessment.com
holi.intervu-talent.pro
mail.crypto-assess.com
mail.digitpotalent.com
mail.gethirednow.org
mail.interviewhub.org
robinhood.interview.org
robinhood.intro-crypto-assess.com
talent.willo-interview.us
vid.blockchain-assess.com
vid.intro-crypto-assess.com
vid.willoassess.com
web.videoscreening.org
werhiring.willomexcvip.us

# Reference: https://x.com/banthisguy9349/status/1873358841053949966
# Reference: https://urlscan.io/search/#hash%3A6b7038bab8c410aeb6714e1d98d609a61b6dc3e418a6b5c74a17f2d6d6cb4aaf

willohiringtalent.org
app.willohiringtalent.org
cpanel.wtalents.us
d12rlkj8v5mwse.cloudfront.net
d1yzmjg018adwf.cloudfront.net
d20zx0lguyxj2p.cloudfront.net
d3o9p0hkd7eul5.cloudfront.net
dal-shared-22.hostwindsdns.com
dal-shared-25.hostwindsdns.com
dal-shared-37.hostwindsdns.com
gemini.willohiringtalent.org
mail.willomexcvip.us
mail.wtalents.us
sea-shared-10.hostwindsdns.com

# Reference: https://x.com/lazarusholic/status/1873360845939621945
# Reference: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505438&idx=1&sn=cf1947c7af6581f4a66460ae6d14dc2f
# Reference: https://www.virustotal.com/gui/file/33be1a646e5ed46aa707455637e2116715592d1ef63feafb0fd2f66c872a634d/detection

cryptocopedia.com

# Reference: https://www.virustotal.com/gui/file/78b845050c78daf92ed44f7928d8755cc6b4773bd774409a21b09b5a4dd7ddf1/detection
# Reference: https://www.virustotal.com/gui/file/76cb3de448bdbd761beb917eed0d71c058db643fca6a37f7bbf00afbcec9d22d/detection
# Reference: https://www.virustotal.com/gui/file/68725d4cbc05d8e344addd27c3d831a62faa7860042ed5dbef55b12ad6fbe4b8/detection

37.221.126.117:5000
lianxinxiao.com

# Reference: https://search.censys.io/hosts/216.173.115.200/data/table#1244-TCP-UNKNOWN

216.173.115.200:1244

# Reference: https://search.censys.io/hosts/95.179.135.133

95.179.135.133:1244

# Reference: https://x.com/banthisguy9349/status/1873358841053949966
# Reference: https://urlscan.io/search/#hash%3A6b7038bab8c410aeb6714e1d98d609a61b6dc3e418a6b5c74a17f2d6d6cb4aaf

/video-questions/create/531fbaedf67046d6904478f15d3e7142

# Reference: https://x.com/StrikeReadyLabs/status/1878822875081372108
# Reference: https://www.virustotal.com/gui/ip-address/54.39.128.125/relations

digitptalent.com
camera-drive.org
api.camera-drive.org

# Reference: https://x.com/cyber__sloth/status/1879848914230374457
# Reference: https://search.censys.io/hosts/185.153.182.241/data/table#1224-TCP-HTTP

185.153.182.241:1224

# Reference: https://x.com/ValidinLLC/status/1879884999652229588
# Reference: https://www.validin.com/blog/inoculating_contagious_interview_with_validin/
# Reference: https://app.validin.com/detail?find=23.254.244.74&type=ip4&ref_id=263630d721d#tab=resolutions

willocandidates.com
willovideorec.com

# Reference: https://x.com/StrikeReadyLabs/status/1880368325047521678
# Reference: https://www.virustotal.com/gui/ip-address/199.188.200.35/relations

drive-release.cloud
api.drive-release.cloud

# Reference: https://x.com/TLP_R3D/status/1881385663897231704
# Reference: https://www.virustotal.com/gui/ip-address/91.222.173.108/relations
# Reference: https://app.validin.com/detail?find=Crypto%20Ledger&type=raw&ref_id=fb1de658046#tab=host_pairs (# 2025-01-20)

ledgep.net
ledgemail.net
support-ledger.net
mail.support-ledger.net

# Reference: https://x.com/RexorVc0/status/1881973724712452577
# Reference: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505519&idx=1&sn=594229f2c0123673d1fa9c6cf729858b&chksm=f9c1e566ceb66c701d875de8481fe02d89654d4b56cfc51088de6e421cb701437cdab52a0851&scene=178&cur_album_id=1955835290309230595

138.201.199.46:1224

# Reference: https://x.com/dyingbreeds_/status/1881986240020709401

94.131.9.32:1224
94.232.247.192:1224

# Reference: https://x.com/smica83/status/1883855708963442892
# Reference: https://www.virustotal.com/gui/file/6744ca5d49833c9b90aee0f3be39d28dec94579b028b05c647354ec5e1ab53e1/detection
# Reference: https://www.virustotal.com/gui/file/875b0cbad25e04a255b13f86ba361b58453b6f3c5cc11aca2db573c656e64e24/detection
# Reference: https://www.virustotal.com/gui/file/d0a41dfe8f5b5c8ba6a5d0bdc3754543210ec2d36290564d9a774e9d22e3ad97/detection
# Reference: https://www.virustotal.com/gui/file/dd9607913e9c422d6dcf2e8d11be71afbc76f761c8208f76f6ed80a0efa75255/detection

addfriend.kr/board/userfiles/temp/index.html

# Reference: https://x.com/eastside_nci/status/1884354415387365458
# Reference: https://www.virustotal.com/gui/file/efd555e779a25e1be16e594866d4cb758b078ae336b589421c3b9f676cd2ef5d/detection
# Reference: https://www.virustotal.com/gui/file/c4b8ac6b919c61315a3ed47ee5e2839813a6e87888e4bb518f916d4582bbf6b4/detection
# Reference: https://www.virustotal.com/gui/file/4b2b157041e8bbeace43320ec93a4206daa9818a6406279999636b2fbc3d08c9/detection
# Reference: https://www.virustotal.com/gui/file/4a6b7409d79e51113e88c1e62c7f5bad55e5c27a19d0b986b9347c4869233893/detection
# Reference: https://www.virustotal.com/gui/file/3fb46ed9876d5f3a0aaa57a3726a574fa7e3626f16c86dea685cbf63d721f3ce/detection
# Reference: https://www.virustotal.com/gui/file/05d7113cd17ee12b26c772716d3370dc0f0fa3c7f996d25d516d22b45b68a43e/detection
# Reference: https://www.virustotal.com/gui/file/0e3b1ad900604f0f27bcf718592beb50a7ace9af6b7d9c1439a416647e47dd7b/detection

45.59.163.56:1244
5.135.5.48:1244
95.179.135.133:1245
/bro/ugDtMe1
/payl/ugDtMe1
/bro/ZU1RIOk9
/payl/ZU1RIOk9
/bro/ZU1WJVq1
/payl/ZU1WJVq1

# Reference: https://x.com/lazarusholic/status/1885289504401142011
# Reference: https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package

http://91.92.120.132

# Reference: https://sourcecodered.com/malicious-arcus-npm-package/
# Reference: https://www.linkedin.com/feed/update/urn:li:activity:7290126497732837378/
# Reference: https://www.virustotal.com/gui/ip-address/195.250.29.94/relations
# Reference: https://tria.ge/250124-1k3bxs1paj/behavioral2
# Reference: https://www.virustotal.com/gui/file/d390d23d6d96f105de24e85ecd4d2d2d2379bb565ca7cc3923c604518b6a97fa/detection
# Reference: https://www.virustotal.com/gui/file/9efd70e4bbf658dc374594d8c1251810a954ffa7ccc7155abc1a831c77f9fb6b/detection
# Reference: https://www.virustotal.com/gui/file/7b5843c32b8ee8ac3a54b6c09bff6d67140e74e548b4b31e7c3c5e35ba4341dc/detection
# Reference: https://www.virustotal.com/gui/file/6a0ed1976dd871000ab3dad9228e7e8df01df77d17ba4f50fa210d409200d437/detection
# Reference: https://www.virustotal.com/gui/file/56655ea5ba27f14b860bac62c37e4c45940908e8a45d7c2a6117ce9951baf10d/detection
# Reference: https://www.virustotal.com/gui/file/0463351dc7858ac1f9038c4c2bf27a1977f462ac0e4a494b7c51f1c8005e0587/detection

http://195.250.29.94
195.250.29.94:1337
195.250.29.94:3001

# Reference: https://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/
# Reference: https://www.virustotal.com/gui/file/cd6e548b085eaaee31b260489c932088f1ea58390bccce54b546cba9e8dca228/detection

bsc-dash.us
callapp.us
callservice.us
infuy.us
linkedinservice.us
versus-dash.us
versus-x.us
versusx.us
zoom.callservice.us

# Reference: https://x.com/_notdodo_/status/1888867769006850395
# Reference: https://www.virustotal.com/gui/file/1cd0ce9ce247b8cabe491515dcd70f5b23209ec08c1a7f80ee9663c946e6365c/detection

67.203.7.205:1244
45.59.163.55:1244

# Reference: https://x.com/solostalking/status/1889307324453625988
# Reference: https://www.virustotal.com/gui/ip-address/147.45.167.128/relations

candy-pdf.com
myqr-generator.com
pdf-candy.com
pdftool25.com

# Reference: https://x.com/abuse_ch/status/1889398273376424103
# Reference: https://app.validin.com/detail?find=d590539b3bdf826ec5f7ce7be46d7dcb&type=hash&ref_id=8e7c052fd41#tab=host_pairs (# 2025-02-11)

checknewversion.com
express--vpn.com
hwsrv-1091010.hostwindsdns.com
meetingzoom.org
nv-onlines.info
runningcloudx.com
secfilecert.com
sunbutterfly.meme
wallpaper-flare.com

# Reference: https://x.com/morimolymoly2/status/1889722965459181881
# Reference: https://app.validin.com/detail?find=Node.js%20upload%20multiple%20files&type=raw&ref_id=02496d38d39#tab=host_pairs (# 2025-04-30)
# Reference: https://www.virustotal.com/gui/file/c4399052e5801f4947edf3bf634c43a77870ca46ec0c27ded50062f8219aef28/detection

http://144.172.98.23
http://172.86.109.49
http://172.86.114.141
http://172.86.70.173
http://185.231.205.75
45.59.163.23:1244
172-86-114-141.dal.priv.octovpn.net
ns1.coponde.com
pepeartly-foundry.net
redirect-smartwallet.com
/bro/ahNjWa2
/payl/ahNjWa2

# Reference: https://hackernoon.com/cybercrooks-are-using-fake-job-listings-to-steal-crypto
# Reference: https://search.censys.io/hosts/95.169.180.146

95.169.180.146:3389
95.169.180.146:4444
95.169.180.146:8080

# Reference: https://securityscorecard.com/wp-content/uploads/2025/02/Operation-Marstech-Mayhem-Report_021025_03.pdf
# Reference: https://search.censys.io/hosts/74.119.194.129/
# Reference: https://search.censys.io/hosts/95.164.45.239/

74.119.194.129:3000
74.119.194.129:3001
95.164.45.239:3000
95.164.45.239:3001
/client/marstech1
/j/marstech1
/marstech1

# Reference: https://x.com/Cybercyberbp04/status/1892039442157666815
# Reference: https://app.validin.com/detail?find=Interview&type=raw&ref_id=64a8ed2f563#tab=host_pairs

hiringinterview360.com
talenthiring360.com
okx.hiringinterview360.com
okx.talenthiring360.com

# Reference: https://app.validin.com/detail?find=SkillMaster&type=raw&ref_id=04a9609e38c#tab=host_pairs (# 2025-03-05)

deepmindschematic.com
devchallengehq.com
skillmasteryhub.us
zenspiretech.com

# Reference: https://www.virustotal.com/gui/ip-address/13.248.213.45/relations
# Reference: https://www.virustotal.com/gui/ip-address/3.33.130.190/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.195.240.123/relations

ayrshire360.com
elitetalent360.com
fetchtalent360.com
findhelptalent360.com
inst.fetchtalent360.com

# Reference: https://app.validin.com/detail?find=8452ce8ad04afa240e1e8b65d4b3343a&type=hash&ref_id=e867567f0d8#tab=host_pairs (# 2025-02-24)
# Reference: https://app.validin.com/detail?find=Video%20Recruting%20-%20Find%2C%20Interview&type=raw&ref_id=6b735d3d78d#tab=host_pairs (# 2025-02-24)
# Reference: https://app.validin.com/detail?find=3934696b4640069f357c788ff3508f4f&type=hash&ref_id=029fac138c3#tab=host_pairs (# 2025-02-27)

livehirehub.com
quickskill-review.com
test-wolf.com
vid-crypto-assess.com
vidcruiterinterview.com
app.vid-crypto-assess.com
inter.vid-crypto-assess.com
inter.quickskill-review.com
intro.vid-crypto-assess.com
intro.quickskill-review.com
rec.vid-crypto-assess.com
robinhood.quickskill-review.com
skill.vidcruiterinterview.com

# Reference: https://www.virustotal.com/gui/ip-address/168.231.70.177/relations
# Reference: https://app.validin.com/detail?find=195.35.38.215&type=ip4&ref_id=25087bf71b4#tab=resolutions (# 2025-03-01)
# Reference: https://app.validin.com/detail?find=6c38526ceb115206329131fc840bb881&type=hash&ref_id=04d59776778#tab=host_pairs
# Reference: https://app.validin.com/detail?find=TalentCheck&type=raw#tab=host_pairs
# Reference: https://app.validin.com/detail?find=c35874ba204e503c8e96bd275956e0cb&type=hash&ref_id=f5e249222ea#tab=host_pairs (# 2025-07-22)

blockassess.com
careerquestion.com
driverpool.online
rastreojerezexpress.com
skillcheck.pro
talentcheck.pro
testwolf-assessment.com
testwolfpro.com
doodles.careerquestion.com
etoro.careerquestion.com

# Reference: https://app.validin.com/detail?find=45.89.245.88&type=ip4&ref_id=49b32a66a80#tab=resolutions (# 2025-02-26)

ecareerscan.com
evalvidz.com
gethiring360.com
hotstreamx.stream
intervwolf.com
paxosassessments.com
robinhood.evalvidz.com
robinhood.intervwolf.com

# Reference: https://app.validin.com/detail?find=91.222.173.30&type=ip4&ref_id=8b2f0b868b7#tab=resolutions (# 2025-02-24)

blockchainjobhub.com
bybit-assessment.com
evalassesso.com
skillprops.com
talentsnaptest.com
vidassesspro.com

# Reference: https://x.com/lazarusholic/status/1893684791406715003
# Reference: https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
# Reference: https://www.virustotal.com/gui/ip-address/131.226.2.120/relations
# Reference: https://www.virustotal.com/gui/ip-address/5.206.227.51/relations
# Reference: https://www.virustotal.com/gui/file/b9f6a9d4f837f5b8a5dc9987a91ba44bc7ae7f39aa692b5b21dba460f935a0ae/detection

clubinfo.io
coreladao.com
eclairdomain.com
getstockprice.info
gossipsnare.com
replaydreary.com
showmanroast.com
cdn.clubinfo.io

# Reference: https://x.com/malwrhunterteam/status/1894301990286471388
# Reference: https://app.validin.com/detail?find=954d80b823db3724aa3936475f9a7505&type=hash&ref_id=8ae40870ea8#tab=host_pairs
# Reference: https://www.virustotal.com/gui/file/bf1986ecd37dbc9917b31077615c48fb5d64b904b95e789f9e73be47b1573c0d/detection

72.5.42.93:8080
camdriversupport.com
cameradriverx.cloud
camtechdrivers.com
drivercams.cloud
releasedrive.live
stockdata.tech
api.camdriversupport.com
api.cameradriverx.cloud
api.camtechdrivers.com
api.drivercams.cloud
api.releasedrive.live
api.stockdata.tech

# Reference: https://cybersecuritynews.com/lazarus-group-infostealer-malwares-attacking-developers/

http://41.208.185.235
41.208.185.235:443

# Reference: https://x.com/RakeshKrish12/status/1894626162061840605

assessiohq.com

# Reference: https://x.com/lontze7/status/1894676242349048110

blockchainjobassessment.com

# Reference: https://x.com/CreateFileInt_/status/1894739132678599091

http://91.222.173.110
http://91.222.173.138
http://91.222.173.168
91.222.173.110:443
91.222.173.138:443
91.222.173.168:443
bonusdali.com
btcblender.live
chipmixer.live
ido-epargne.com
stream-football.org
safefinanceltd.com
vngpubgm.com

# Reference: https://x.com/CreateFileInt_/status/1894741888743223449

http://152.89.61.240
http://152.89.61.96
152.89.61.240:443
152.89.61.96:443
acoustickoala.com
acroadovw.com
app-solaxy.world
binancestransfers.com
boofparadise.com
carllamb4judge.com
cdpll-couk.top
nadlan-dubai.com
pitisalot.site
reliableservers.org
sumy.fun
turkishmob.com

# Reference: https://x.com/0xmh1/status/1894951955333865918
# Reference: https://search.censys.io/hosts/185.53.46.38
# Reference: https://www.virustotal.com/gui/file/a1171ffade3d147e54fab021bc4d56f30645aeb401a88517e9df93d852b78c73/detection

185.53.46.38:1244
185.53.46.38:3000
185.53.46.38:3389

# Reference: https://x.com/lontze7/status/1895044097129496782
# Reference: https://x.com/lontze7/status/1896131895223841044
# Reference: https://x.com/lontze7/status/1897214445107175780
# Reference: https://app.validin.com/detail?find=66.29.141.73&type=ip4&ref_id=5db4210a5c4#tab=resolutions
# Reference: https://app.validin.com/detail?find=f002a88cbb7b49e66036&type=hash&ref_id=a4d0e878c1e#tab=host_pairs (# 2025-06-05)
# Reference: https://www.virustotal.com/gui/file/ff1d5ee6dbf77b79eec7e7405d864eb2445213aa0f5b5b665d322c4565d5b6a5/detection

africamall.chat
autodriverfix.online
auto-fixer.online
autofixer.online
camallupdate.cloud
camdriverhelp.club
camdriverhub.cloud
camdrivers.cloud
camdriverstore.cloud
camtuneup.online
deepdriverupdate.online
devicefixer.online
drivercamhub.cloud
driversnap.cloud
driversofthub.online
driverstream.cloud
drivfixer.online
drivhost.store
drvfixer.online
fix-drivers.online
fixdiskpro.online
olaestudiocreativo.com
provideodrivers.cloud
quickdriverupdate.online
rapiddrivers.cloud
release-driver.online
release-drivers.online
retailpackagingpartner.xyz
smartchecker.online
smartdriverfix.cloud
smartdrvupdate.online
soft-dev.online
updatecall.live
updatewebcamnow.live
vblimitedgroup.com
vcamfixer.online
vcamdriverupdate.cloud
vcamsupport.cloud
videocarddrivers.cloud
videodriverzone.cloud
videotechdrivers.cloud
vidtechdrv.online
vidtechdrivers.com
vidtechhub.cloud
web-cam.cloud
webcamdrivers.cloud
webcamfix.cloud
webcamfixer.cloud
webcamfixer.online
webcamwizard.cloud
west-app.online
wikahmart.com
yourdomainhost.store
api.africamall.chat
api.autodriverfix.online
api.auto-fixer.online
api.autofixer.online
api.camallupdate.cloud
api.camdriverhelp.club
api.camdriverhub.cloud
api.camdrivers.cloud
api.camdriverstore.cloud
api.camtuneup.online
api.deepdriverupdate.online
api.devicefixer.online
api.drivercamhub.cloud
api.driversnap.cloud
api.driversofthub.online
api.driverstream.cloud
api.drivfixer.online
api.drivhost.store
api.drvfixer.online
api.fix-drivers.online
api.fixdiskpro.online
api.olaestudiocreativo.com
api.provideodrivers.cloud
api.quickdriverupdate.online
api.rapiddrivers.cloud
api.release-driver.online
api.release-drivers.online
api.retailpackagingpartner.xyz
api.smartchecker.online
api.smartdriverfix.cloud
api.smartdrvupdate.online
api.updatecall.live
api.updatewebcamnow.live
api.vblimitedgroup.com
api.vcamdriverupdate.cloud
api.vcamfixer.online
api.vcamsupport.cloud
api.videocarddrivers.cloud
api.videodriverzone.cloud
api.videotechdrivers.cloud
api.vidtechdrivers.com
api.vidtechdrv.online
api.vidtechhub.cloud
api.web-cam.cloud
api.webcamdrivers.cloud
api.webcamfix.cloud
api.webcamfixer.cloud
api.webcamfixer.online
api.webcamwizard.cloud
api.wikahmart.com
api.yourdomainhost.store
fix.soft-dev.online

# Reference: https://app.validin.com/detail?find=138.128.165.91&type=ip4&ref_id=d07daaf12d1#tab=resolutions (# 2025-02-27)

skillhiretrack.com

# Reference: https://x.com/im23pds/status/1895284359911088358

enrollcrux.com
postedviral.com
speeduneasy.com
viperpager.com

# Reference: https://app.validin.com/detail?find=78.110.166.82&type=ip4&ref_id=3862e914a67#tab=resolutions (# 2025-03-01)

aiagentnow.online
biomedsurgcial.com
carandcclasic.com
citce-group.com
competency-core.com
digitaltalent.review
evalvideo.com
febintllc.com
ftutech.store
gamesmasterbb.com
grainituae.com
j-rl.com
jumping-mechellen.com
kirschneigroup.com
livehirepro.com
livesnotnumbers.org
livetalentpro.com
lucas-gaming.com
massmedia24.com
medcialbiotop.com
notaiospuglisi.com
online-globaleurope.com
panelcvedata.com
paxosvideointerviewassesment.com
phubauto.space
prohirevideo.com
quickassessio.com
skill-bridges.com
smartvirtual-assessment.com
smartwalletfinder.com
stratosshipping.com
superdocsoff.com
talent-hiring-step.com
talent-hiringstep.com
thelightstower.com
treelifeups.com
vidcruitermaster.com
videomaxgreece.com
videoplayermaxgr.com
vidhirehub.com
vidintermaster.com
web3remotework.com
xchangetrump.com
mail.massmedia24.com
skill.vidcruitermaster.com

# Reference: https://app.validin.com/detail?find=0a4bb3c47c527ff1cd8b53fbe0dcd159&type=hash#tab=host_pairs (# 2025-03-05)
# Reference: https://app.validin.com/detail?find=51.210.235.36&type=ip4&ref_id=9c0bb8dc123#tab=host_pairs (# 2025-04-13)
# Reference: https://app.validin.com/detail?find=51.210.235.45&type=ip4&ref_id=d5055d61a61#tab=resolutions (# 2025-03-07)
# Reference: https://app.validin.com/detail?find=rockhoster.gmail.com&type=dom&ref_id=b801936350f#tab=dns (# 2025-05-29)

assessbay.com
bofhintl.com
careerscreeners.com
coinhouse360.com
crypto-briefings.com
diamondhilllaw.com
eskillfolio.com
eskillpilot.com
expertssavingai.com
greendottb.com
greendtb.com
heritagetbk.com
hireqora.com
hireskillhub.com
insight-hire.com
job-career-portal.com
jobskillmatch360.com
krakenhire.com
livehiringhub.com
livehiringpro.com
onchainhiringtool.com
onlinesearchlic.com
quiz-nest.com
smartdriverfixer.com
smartvideoassess.com
smartvideohire.com
stdheritb.com
sunflowbikes.com
talentelevate360.com
talentvidintro.com
ugethired360.com
unionminerscorp.com
vidassess360.com
vidassessmentmaster.com
vidinterviewmaster.com
web3neptune.com
alchemy.onchainhiringtool.com
ai.coinhouse360.com
api.smartdriverfixer.com
app.coinhouse360.com
app.expertssavingai.com
archblock.careerscreeners.com
bitgo.talentelevate360.com
coinbase.onchainhiringtool.com
coinbase.talentelevate360.com
crosstheages.talentelevate360.com
kraken.livehiringpro.com
mail.archblock.careerscreeners.com
mail.careerscreeners.com
online.stdheritb.com
robinhood.eskillfolio.com
robinhood.eskillpilot.com
secure.greendtb.com
secure.greendottb.com
skill.vidassessmentmaster.com
video.coinhouse360.com

# Reference: https://x.com/safe/status/1897663514975649938
# Reference: https://x.com/0xKoda/status/1897787501592617160
# Reference: https://x.com/MichalKoczwara/status/1898074044274294948
# Reference: https://www.validin.com/blog/crawl_history_artifact_upgrade/
# Reference: https://app.validin.com/detail?find=f4407a84d90c5ecc1025&type=hash&ref_id=297005cc469#tab=host_pairs (# 2025-07-22)

anglerstatic.com
blockfi-krollra.com
electoralvictory.site
financecap.io
getstockprice.com
goingladies.com
stocksitem.org
trashcrease.com
truthwillsetyoufree.online
verification-blockfi.com
api.financecap.io
en.stocksitem.org

# Reference: https://app.validin.com/detail?find=a142257525e31628ead74927c88695f8&type=hash#tab=host_pairs (# 2025-03-08)

candidateinsightinfo.com
eskillprof.com
skillprooflab.com
toptalentassess.com
robinhood.eskillprof.com

# Reference: https://x.com/ValidinLLC/status/1899512759965868072
# Reference: https://www.validin.com/blog/bybit_hack_infrastructure_hunt/

firexch.com
getcoinprice.info
stockinfo.io
stocksindex.org
wfinance.org
api.stockinfo.io

# Reference: https://x.com/dazhengzhang/status/1899776299725680975
# Reference: https://x.com/tayvano_/status/1899896814536712334
# Reference: https://www.virustotal.com/gui/ip-address/5.230.252.157/relations
# Reference: https://app.validin.com/detail?find=528ab116aa10f63a5156ed906744fcc9&type=hash#tab=host_pairs (# 2025-03-24)
# Reference: https://app.validin.com/detail?find=Zoom%20Meeting&type=raw&ref_id=af1604aa97f#tab=host_pairs

118274-zoomid.com
ae-zoom.us
ae-zooom-hegne-meetingsfromf6758s.pages.dev
alejandro.uefa-meeting.com
api-zoom.com
api.zoom-sdk.us
app-center.download
app-zoom.website
as-zoom.us
baincapitalcrypto.zm-meeting.com
biz-zoom.us
bizmeet.online
bizmeet.org
bizmeet.pro
bizmeeting.org
bizmeeting.video
boolnetwork.xyz
bu-zoom.us
business-zoom.us
businessmeet.xyz
calystiabusiness.com
capitalviabtc.com
capitalviabtc.comhollow-jordan-narrow.on-fleek.app
communicationhub.us
cr-zoom.us
downloadcenter.website
dunamu.jp-zoom.com
ecosystem.openfort.video
en-zoom.us
er-zoom.us
extrazoom.us
fronterixbusiness.com
gcp.webzoom.video
globiscapital.co
globiscapitals.com
group.superstatefund.co
hanagroup.live
hanagroup.video
hartmanmcapital.com
hk05web.us
hwsrv-1275416.hostwindsdns.com
ignite.bizmeeting.org
ignite.bizmeeting.video
innerteams.us
interzoom.us
jp-zoom.com
justbuiltprojects.com.au
kourosh.uefa-meeting.com
krakenmeetings.com
lido.web05zoom.us
lostdungeon.openfort.xyz
luc.uefa-meeting.com
mail.web021zoom.us
matias.uefa-meeting.com
mediaprime.team
meet.capitalviabtc.com
meet.capitalviabtc.comhollow-jordan-narrow.on-fleek.app
meet.globiscapital.co
meet.globiscapitals.com
meet.hanagroup.video
meet.mythicaigames.foundation
meet.mythicalgames.foundation
meet.openfort-team.xyz
meet.picwe-team.com
meet.re7.network
meet.rwa-team.video
meet.str8fire-team.network
meet.superstatefund.co
meet.synternetlab.com
meet.twosigma-vc.com
meeting-zoom-witcam-tests-meet-id-5u83-82f3-8h39-83h9-d9e3.pages.dev
meeting-zoom-witcam-tests-meet-id-5u83-82f3-8h39-83h9-n9e3.pages.dev
meetwithhealthyh2o.com
mythicaigames.foundation
mythicalgames.foundation
mzweb3.bu-zoom.us
mzweb3.er-zoom.us
mzweb3.jp-zoom.com
officezoom.us
openfort-team.xyz
openfort.businessmeet.xyz
openfort.video
openfort.xyz
partner.hartmanmcapital.com
partners.boolnetwork.xyz
picwe-team.com
pre-zoom.us
re7.network
republic.biz-zoom.us
republic.bu-zoom.us
republic.cr-zoom.us
republic.er-zoom.us
republic.extrazoom.us
republic.innerteams.us
republic.officezoom.us
republic.pre-zoom.us
republic.usweb-zoom.us
republic.web021zoom.us
riccardo.uefa-meeting.com
rwa-team.video
rwa.business-zoom.us
rwa.businessmeet.xyz
sammy.uefa-meeting.com
silencio.webzoom.video
silvermine.web05zoom.us
skalelabs.as-zoom.us
skalelabs.bu-zoom.us
skalelabs.cr-zoom.us
skalelabs.en-zoom.us
skalelabs.mediaprime.team
skalelabs.pre-zoom.us
skalelabs.usweb-zoom.us
stage.bizmeet.online
stage.bizmeet.org
stage.bizmeet.pro
str8fire-team.network
str8fire.businessmeet.xyz
su05web.us
superstatefund.co
synternetlab.com
tom.uefa-meeting.com
twosigma-vc.com
uefa-meeting.com
uk03web.us
uk06web.us
uk07web.us
ukweb05.us
ukweb06.us
ukweb07.us
us04office.us
us04we.us
usweb-zoom.us
usweb02.us
viabtc.webmeet.video
viabtc.webmeet.vip
web.interzoom.us
web.zoomhub.us
web001-zoom.us
web001zoom.us
web011zoom.us
web021zoom.us
web05zoom.us
web3fund.as-zoom.us
web3fund.en-zoom.us
web3fund.io
webmeet.icu
webmeet.video
webmeet.vip
webus02.us
webus07.us
webus08.us
webus09.us
webzoom.video
xn--rxamia.com
zach.uefa-meeting.com
zm-meeting.com
zoom-sdk.us
zoommeetspace.com
zoom.app-center.download
zoom.communicationhub.us
zoom.downloadcenter.website
zoom.hanagroup.live
zoom.hk05web.us
zoom.personifyio.com
zoom.su05web.us
zoom.uk03web.us
zoom.uk06web.us
zoom.uk07web.us
zoom.ukweb05.us
zoom.ukweb06.us
zoom.ukweb07.us
zoom.us04office.us
zoom.us04we.us
zoom.usweb02.us
zoom.webus02.us
zoom.webus07.us
zoom.webus08.us
zoom.webus09.us
zoomapp.downloadcenter.website
zoomhub.us
zoomtomeet.pposbc.org
zoomzipdrop.pages.dev
zooom.in
zooom.pages.dev
zooommeeting.pages.dev

# Reference: https://x.com/zoomeye_team/status/1901822378348568825
# Reference: https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages
# Reference: https://app.validin.com/detail?find=L-Administrator&type=raw&ref_id=7c876e7935a#tab=host_pairs

104.194.133.88:1224
104.194.133.88:1245
107.189.16.122:1224
107.189.16.122:1245
107.189.16.176:1224
107.189.16.176:1245
107.189.20.152:1224
107.189.20.152:1245
107.189.24.80:1224
107.189.24.80:1245
107.189.25.109:1224
107.189.25.109:1245
144.172.100.124:1224
144.172.100.124:1245
144.172.100.142:1224
144.172.100.142:1245
144.172.101.45:1224
144.172.101.45:1245
144.172.102.148:1224
144.172.102.148:1245
144.172.102.21:1224
144.172.102.21:1245
144.172.103.97:1224
144.172.103.97:1245
144.172.104.10:1224
144.172.104.10:1245
144.172.104.113:1224
144.172.104.113:1245
144.172.105.189:1224
144.172.105.189:1245
144.172.105.235:1224
144.172.105.235:1245
144.172.106.133:1224
144.172.106.133:1245
144.172.106.7:1224
144.172.106.7:1245
144.172.109.98:1224
144.172.109.98:1245
144.172.112.106:1224
144.172.112.106:1245
144.172.86.27:1224
144.172.86.27:1245
144.172.95.226:1224
144.172.95.226:1245
144.172.96.80:1224
144.172.96.80:1245
144.172.97.7:1224
144.172.97.7:1245
146.70.253.107:1224
146.70.253.107:1245
172.86.113.115:1244
172.86.113.115:1245
172.86.113.18:1224
172.86.113.18:1245
172.86.116.90:1224
172.86.116.90:1245
172.86.123.55:1224
172.86.123.55:1245
172.86.73.198:1224
172.86.73.198:1245
172.86.84.38:1224
172.86.84.38:1245
185.153.182.251:1224
185.153.182.251:1245
214.75.112.56:1224
214.75.112.56:1244
214.75.112.56:1245
216.126.229.166:1224
216.126.229.166:1245
23.227.202.244:1224
23.227.202.244:1245
23.227.203.204:1224
23.227.203.204:1245
45.61.128.110:1224
45.61.128.110:1245
45.61.128.61:1224
45.61.128.61:1245
45.61.133.110:1224
45.61.133.110:1245
45.61.135.4:1224
45.61.135.4:1245
45.61.149.222:1224
45.61.149.222:1245
45.61.150.30:1224
45.61.150.30:1245
45.61.150.31:1224
45.61.150.31:1245
45.61.150.67:1224
45.61.150.67:1245
45.61.151.71:1244
45.61.151.71:1245
45.61.160.28:1224
45.61.160.28:1245
45.61.165.45:1224
45.61.165.45:1245
88.218.0.78:1224
88.218.0.78:1245
94.131.97.195:1224
94.131.97.195:1245

# Reference: https://x.com/blackorbird/status/1924832471621030031

mayonestore.online
ofo-home.top

# Reference: https://x.com/TLP_R3D/status/1900511506518970638

onlinemeet.pro
zincnetwork.tk
zoom-client.xyz
ignite.onlinemeet.pro

# Reference: https://x.com/TLP_R3D/status/1900528743732367865
# Reference: https://www.validin.com/blog/zooming_through_bluenoroff_pivots/
# Reference: https://app.validin.com/detail?find=%2Fzoom%2Fjoin&type=raw&ref_id=cca7f8289eb#tab=host_pairs (# 2025-03-14)
# Reference: https://app.validin.com/detail?find=%2Fzoom%2Ferror&type=raw&ref_id=cca7f8289eb#tab=host_pairs (# 2025-03-14)
# Reference: https://app.validin.com/detail?find=38.110.228.112&type=ip4&ref_id=7b554bab928#tab=resolutions (# 2025-03-14)

http://144.76.201.229
http://216.107.137.53
http://23.254.164.232
http://23.254.204.184
http://38.110.228.112
http://45.42.40.200
http://45.42.40.208
http://45.84.226.239
http://5.230.251.49
http://5.230.252.157
http://5.230.44.79
zmwebsdk.com
zoomsdk.us
api.zoomsdk.us

# Reference: https://x.com/capodieci/status/1903075585414533144
# Reference: https://x.com/lontze7/status/1903091260216189306
# Reference: https://app.validin.com/detail?find=31.220.40.22&type=ip4&ref_id=e4480ae66af#tab=resolutions

provevidskillcheck.com
quantumnodespro.com

# Reference: https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
# Reference: https://app.validin.com/detail?find=Coinbase%20-%20Buy%20and%20Sell%20Bitcoin%2C%20Ethereum%2C%20and%20more%20with%20trust&type=raw&ref_id=c888fcffa16#tab=host_pairs (# 2025-03-31)
# Reference: https://www.virustotal.com/gui/file/e79e28865cfa4b31030133b62d26367ceb06a49b3f449fdd85e136d4f6443edf/detection

154.62.226.22:8080
38.134.148.218:8080
coinbase-walet.biz
coinbase-walet.me

# Reference: https://x.com/0xmh1/status/1907245404766531772
# Reference: https://platform.censys.io/search?q=b86140ad75113e930e40228d3e1d7ba1f9e48abb0e02ee293bdd40d6cde8c061

91.198.66.112:3000
91.198.66.158:3000

# Reference: https://x.com/malwrhunterteam/status/1908069353796292714
# Reference: https://www.virustotal.com/gui/file/a45b34c97e45d73fd60b683e8543a1bb50d73eb30823b9e933fe2436edc35f2b/detection
# Reference: https://www.virustotal.com/gui/file/d78fe3bd46a1fddddaee98634a4fb082dd47d84bf6a24c3d9b422efef1a01a03/detection
# Reference: https://www.virustotal.com/gui/file/f5a24d157881801fd13c5e6b6e870dea2873010e75765c231c1437b42fa82dd2/detection

158.62.198.177:8080

# Reference: https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket

144.172.87.27:1224
ip-api-server.vercel.app
ip-check-api.vercel.app
m21gk.wiremockapi.cloud
mocki.io/v1/32f16c80-602a-4c80-80af-32a9b8220a6b

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2025-03-05-v10872/2497

alchemy-api-v3.cloud

# Reference: https://x.com/malwrhunterteam/status/1910604983201902976
# Reference: https://www.virustotal.com/gui/file/c0682c72db57aae7c05d08e79f2d82825be2c2cdcb162c19e4c8bf5a737dcb20/detection

cryptomn.vercel.app

# Reference: https://x.com/malwrhunterteam/status/1910818212834353408
# Reference: https://app.validin.com/detail?find=dd5bd7746a6f5cbc843f54ecfc7ed780&type=hash&ref_id=056495bef48#tab=host_pairs (# 2025-06-24)

aduresi.com
cpromoter.com
dabacof.com
digipairx.com
growzy.tech
koliinfotech.company
macamhelp.online
unimeta.biz
updatemycam.online
api.crm.koliinfotech.company
api.digipairx.com
api.growzy.tech
api.macamhelp.online
api.unimeta.biz
api.updatemycam.online
development-server.aduresi.com
elitedrivva-app.dabacof.com
gatuga-api.cpromoter.com

# Reference: https://x.com/jamieantisocial/status/1911968062062166078
# Reference: https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/

bitzone.io
blockprices.io
chainanalyser.com
clublogos.io
coinhar.io
coinpricehub.io
ethzone.io
fivebit.io
indobit.io
jquery-release.com
jquerycloud.io
jqueryversion.net
leaguehub.net
logoeye.net
logosports.net
mavenradar.com
skypredict.org
soccerlab.io
stockslab.org
thaibit.io
weatherdatahub.org
api.bitzone.io
api.coinhar.io
api.coinpricehub.io
api.ethzone.io
api.fivebit.io
api.jquery-release.com
api.thaibit.io
cdn.clublogos.io
cdn.jqueryversion.net
cdn.leaguehub.net
cdn.logoeye.net
cdn.logosports.net
cdn.soccerlab.io
en.stocksindex.org
en.stockslab.org
en.wfinance.org
update.jquerycloud.io

# Reference: https://app.validin.com/detail?find=23.254.253.148&type=ip4&ref_id=5af70a4c3a0#tab=resolutions (# 2025-04-17)

phantom-phantomwallet.us
phantomwallet-us.us
rabbywallet-app.us
wallet-trustwallet.us

# Reference: https://socket.dev/blog/npm-malware-targets-telegram-bot-developers

validator.blog
solana.validator.blog

# Reference: https://x.com/BaoshengbinCumt/status/1914881621226033430
# Reference: https://x.com/malwrhunterteam/status/1915157662733394036
# Reference: https://www.virustotal.com/gui/file/75699cc6d3cfc2e4d0f2fe920e45f559f084acc65f2df48c117016d2642b154b/detection

http://159.100.18.177
173.211.70.210:8080
173.211.70.246:8080
212.81.47.217:8080

# Reference: https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/
# Note: the path entries below point at presumably compromised legitimate South Korean sites used as watering holes / staging; the full URL path is the indicator, not the apex domain, so keep the paths intact rather than shortening them to hostnames (which would block the victim sites themselves)

smartmanagerex.com
bluekostec.com/eng/community/write.asp
builsf.com/inc/left.php
dream.bluit.gethompy.com/mobile/skin/board/gallery/index.skin.php
htns.com/eng/skin/member/basic/skin.php
kadsm.org/skin/board/basic/write_comment_skin.php
rsdf.kr/wp-content/uploads/2024/01/index.php
shcpump.com/admin/form/skin/formBasic/style.php
thek-portal.com/eng/career/index.asp

# Reference: https://www.silentpush.com/blog/contagious-interview-front-companies/

angeloper.com
angeloperonline.online
apply-blocknovas.site
attisscmo.com
bigrocks918.com
blocknovas.com
camdriversupport.com
easydriver.cloud
insomnianwin.site
softglide.co
wonthegame.site
xn--12c5eglc5bd7i.site
apply.blocknovas.com
chat.blocknovas.com

# Reference: https://x.com/TLP_R3D/status/1915851139301708283
# Reference: https://app.validin.com/detail?find=1da7c4f8368cdc8cf054e3f3ef560ec8&type=hash&ref_id=c4a2719f1ec#tab=host_pairs (# 2025-04-25)

171.22.127.221:5000
88.119.169.226:5000

# Reference: https://app.validin.com/detail?type=raw&find=BlockNovas+LLC#tab=host_pairs (# 2025-04-25)
# Reference: https://app.validin.com/detail?find=Alphanomics%20Racer&type=raw&ref_id=48da85c573d#tab=host_responses (# 2025-04-26)
# Reference: https://app.validin.com/detail?find=Team%20Monitor&type=raw&ref_id=48da85c573d#tab=host_responses (# 2025-04-26)
# Reference: https://app.validin.com/detail?find=2e8498a098fd04d28ee900521de053b3&type=hash&ref_id=4d03061f4ff#tab=host_pairs (# 2025-04-27)

167.88.39.55:3000
167.88.39.55:4000
172.86.114.170:4000
172.86.114.170:5000
172-86-114-170.dal.priv.octovpn.net
alpcoin.anomgaming.online
anomgaming.online
blocknovasllc.com
dprk-it.pages.dev
easyvps.net
srv587993.hstgr.cloud
apply.blocknovasllc.com
facial.anomgaming.online

# Reference: https://x.com/teamcymru_S2/status/1915827990774063179

167.88.39.141:5000
171.22.127.221:8000
188.43.33.250:3389
188.43.33.250:5000
188.43.33.250:8080
188.43.33.251:12323
188.43.33.251:12324
188.43.33.251:5000
188.43.33.251:8000
188.43.33.251:8080
37.221.126.117:3011
37.221.126.117:4000
86.104.74.169:27017
worldenterprise-beta.com

# Reference: https://app.validin.com/detail?type=raw&find=BlockNovas#tab=host_pairs (# 2025-04-26)
# Reference: https://app.validin.com/detail?find=b68075c8f2aaef80fa70d7c562804f25&type=hash&ref_id=799956bbc73#tab=host_pairs (# 2025-04-26)
# Reference: https://app.validin.com/detail?find=b99acd5a518e05c1adbb592ad4192334&type=hash&ref_id=05f30f00222#tab=host_pairs (# 2025-04-26)
# Reference: https://app.validin.com/detail?type=hash&find=b68075c8f2aaef80fa70d7c562804f25#tab=host_pairs (# 2025-04-27)

203.161.52.90:3000
203.161.52.90:4000
203.161.52.90:8090
effectiveengineeringleader.com
lunoxbet77--yes.site
lunoxbet77rain.baby
lunoxbet77rain.online
lunoxbet77rain.store
lunoxbet77speed.site
sadborgroup.site
talenthiringexpert.com
theeffectiveengineeringleader.com
blocknovas.talenthiringexpert.com

# Reference: https://www.virustotal.com/gui/ip-address/50.6.4.97/relations

gladneyocivpsdedinvme4.com
mail.gladneyocivpsdedinvme4.com

# Reference: https://x.com/malwrhunterteam/status/1925298281329901682
# Reference: https://gbhackers.com/lazarus-group-malware-with-ottercookie/
# Reference: https://app.validin.com/detail?find=Coinlend%20DeFi&type=raw&ref_id=af6318fa6e3#tab=host_pairs (# 2025-05-22)
# Reference: https://www.virustotal.com/gui/file/b2a203b9391987049ad60c826e6d7a76554f38dfc8b9ce88fea083ca1b106800/detection

http://135.181.123.177
http://144.172.96.35
135.181.123.177:8080
135.181.123.177:8081
135.181.123.177:9000
135.181.123.177:9001
144.172.96.35:3000
144.172.96.35:8000
144.172.96.35:8080
31.97.218.133:6168
77.37.74.86:6168
bujey.store
coinlenddefi.com
coinlendefi.com
fashdefi.store
cdn-static-server.vercel.app

# Reference: https://x.com/morimolymoly2/status/1926877622350279117

144.172.109.155:1224
bs-production.up.railway.app

# Reference: https://any.run/cybersecurity-blog/ottercookie-malware-analysis/
# Reference: https://www.virustotal.com/gui/ip-address/135.181.123.177/relations

chainlink-api-v3.cloud

# Reference: https://app.validin.com/detail?find=contato.impreza.email&type=dom&ref_id=63a84babf20#tab=dns (# 2025-06-13)
# Reference: https://app.validin.com/detail?find=d7434f80ddd2395783c6f935cab65a6c&type=hash&ref_id=85f9a34e59c#tab=host_pairs (# 2025-06-16)

assessforhire.com
quizterview.com
speakure.com
testforhire.com
mail.testforhire.com
ripple.quizterview.com
ripple.speakure.com
uniswap.assessforhire.com
uniswap.speakure.com
uniswap.quizterview.com

# Reference: https://x.com/AlvieriD/status/1933822421007847594

prehireiq.com
uniswap.prehireiq.com

# Reference: https://www.aikido.dev/blog/malicious-package-web3

http://74.119.194.244

# Reference: https://x.com/lazarusholic/status/1935329204020855066
# Reference: https://blog.talosintelligence.com/python-version-of-golangghost-rat/ (# pychollima)
# Reference: https://app.validin.com/detail?find=91.90.121.28&type=ip4&ref_id=8c1f7873b55#tab=resolutions

154.58.204.15:8080
31.57.243.190:8080
31.57.243.29:8080
autocamfixer.online
quickcamfix.online
api.autocamfixer.online
api.quickcamfix.online
assesstrack.com
drivertools.org
eskillora.com
eskillprov.com
evalswift.com
fast-video-recording.com
hireviavideo.com
skillence360.com
skillquestions.com
talent-hiringtalk.com
talenthiringtool.com
talentmonitoringtool.com
talentscreeningtool.com
alchemy.talentscreeningtool.com
coinbase.talenthiringtool.com
coinbase.talentmonitoringtool.com
coinbase.talentscreeningtool.com
crosstheages.skillence360.com
doodles.skillquestions.com
mail.hireviavideo.com
parallel.eskillora.com
parallel.eskillprov.com
thorequities.skillence360.com
yuga.skillquestions.com
/cam-v-ri69.fix
/mac-v-ri69.fixer

# Reference: https://x.com/ThreatBookLabs/status/1935542389793341808

hiremployee.com
office-theme.com

# Reference: https://app.validin.com/detail?find=Zoom%20Meeting&type=raw#tab=host_pairs (# 2025-06-19)
# Note: raw page-title pivot with no second discriminator; several hosts (e.g. the eventx.* / eventxtra.com entries, the *.esdinfra.com login-instruction pages, zoom.qa.retrocubedev.com) look like legitimate Zoom-integration or staging pages that merely share the lure's title rather than attacker infrastructure — treat hits from this block as low-confidence until each host is individually verified

conferenceauth.coffeebrain.co
demo.techsaeein.com
document-content.online
emeetings.zoominvites.com
gbmaudiologininstructions.esdinfra.com
getdonald.xyz
hollow-jordan-narrow.on-fleek.app
hysf6-baaaa-aaaag-algfa-cai.icp0.io
joinustoday.online
ksrtcaudiologininstructions.esdinfra.com
ksrtceccsgbmaudiologininstructions.esdinfra.com
live.bankdost.in
live.econceptual.com
meeting.document-content.online
register-meeting.pages.dev
stagging-apiresources.caspiansr.kz
tdlgzoom.com
us.meeting.document-content.online
v2ray.gelithagithmal.workers.dev
z8048w4.caspiansr.kz
zoominvites.com
zoom-meeting-web-static.eventx.com.cn
zoom.2vanx.com
zoom.eventx.io
zoom.eventxtra.com
zoom.petersen.ai
zoom.qa.retrocubedev.com
zoomfiledrop.pages.dev
zoommetting.dev.retrocubedevs.com
zoomworkspace.us.meeting.document-content.online

# Reference: https://app.validin.com/detail?find=185.100.87.82&type=ip4&ref_id=2c13cb80e43#tab=resolutions

cyptoconnections.com
easywalletconnect.com

# Reference: https://x.com/lazarusholic/status/1937865917289168970
# Reference: https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages

172.86.80.145:1224
ip-check-server.vercel.app
log-server-lovat.vercel.app

# Reference: https://app.validin.com/detail?find=Talent%20Hire%20Flow&type=raw&ref_id=060cb05f4b2#tab=host_pairs (# 2025-07-15)
# Reference: https://app.validin.com/detail?find=%3A%3A%3A%22twitter%3Acard%22%3A%22MotionAssess%20Card%22&type=raw&ref_id=060cb05f4b2#tab=host_pairs (# 2025-07-16)
# Reference: https://app.validin.com/detail?find=%3A%3A%3A%22twitter%3Acreator%22%3A%22%40skillvisions%22&type=raw&ref_id=91cf464b398#tab=host_pairs (# 2025-07-16)

abilityscan360.com
easyhiringtool.com
joblitic.com
motionassess.com
professionalsnapshot.com
skillvisions.com
talentcatchingtool360.com
talenthireflow.com
talentmatchingtools.com
talentmatchingtools.net
alchemy.motionassess.com
chaoslabs.abilityscan360.com
chaoslabs.motionassess.com
chaoslabs.professionalsnapshot.com
circle.talentmonitoringtool.com
coinbase.abilityscan360.com
coinbase.motionassess.com
coinbase.professionalsnapshot.com
defianceanalytics.abilityscan360.com
defianceanalytics.easyhiringtool.com
shimacapital.abilityscan360.com
shimacapital.easyhiringtool.com

# Reference: https://app.validin.com/detail?find=%3A%3A%3A%22keywords%22%3A%22hiring%2C%20recruitment%2C%20assessment%2C%20talent%20evaluation%2C%20interview%20platform%2C%20employee%20skills%22&type=raw&ref_id=b6a09e2884b#tab=host_pairs (# 2025-07-16)

apply-camera.com
assessalign.com
assessdome.com
carrervision.com
eliteshire.com
eskillence.com
evalonboard.com
hirehatch360.com
hirelytics360.com
hirequestion.com
interviews360.com
ixcareer.com
jobinterviews360.com
mat-techcore.org
roleassessor.com
rolematches.com
skillquestion.com
workquestion.com
aveva.roleassessor.com
axieinfinity.assessalign.com
axieinfinity.hirelytics360.com
blog.evalonboard.com
cex.apply-camera.com
crosstheages.eskillence.com
crosstheages.hirehatch360.com
crosstheages.hirelytics360.com
doodles.carrervision.com
doodles.hirequestion.com
doodles.interviews360.com
doodles.skillquestion.com
doodles.workquestion.com
finnt.evalonboard.com
tellus.evalonboard.com
theta.apply-camera.com
theta.evalonboard.com
thorequities.eskillence.com
wintermute.workquestion.com
workiva.roleassessor.com
yuga.hirequestion.com
yuga.ixcareer.com
yuga.jobinterviews360.com
yuga.workquestion.com

# Reference: https://x.com/byrne_emmy12099/status/1945890954604605497
# Reference: https://x.com/byrne_emmy12099/status/1946062275183575474
# Reference: https://www.virustotal.com/gui/file/760bbec57ef20807abebecfbc6fa345b5ac83483de0cb26dcf0306806e98f317/detection

bizzyclub.org
unmannedsystemstechnology.org

# Reference: https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages (# hexeval loader, xorindex loader)

1215.vercel.app
log-writter.vercel.app
process-log-update.vercel.app
soc-log.vercel.app
api.npoint.io/1f901a22daea7694face

# Reference: https://app.validin.com/detail?find=BlockOvas&type=raw#tab=host_pairs (# 2025-07-21)

103.35.189.107:3000
103.35.189.107:4000
74.119.194.205:3000
74.119.194.205:4000
crostox.com
waventic.com
apply.waventic.com
contract.waventic.com
hiring.crostox.com
hiring.waventic.com
support.waventic.com

# Reference: https://www.virustotal.com/gui/ip-address/194.164.64.90/relations

globalelitehire.com

# Reference: https://www.virustotal.com/gui/ip-address/52.223.13.41/relations

softshare.online
api.softshare.online

# Reference: https://www.virustotal.com/gui/ip-address/198.251.81.14/relations

vidfastinterviewmaster.com

# Reference: https://www.virustotal.com/gui/ip-address/78.110.166.82/relations

interviewskillmaster.com

# Reference: https://www.virustotal.com/gui/ip-address/104.243.33.214/relations
# Reference: https://www.virustotal.com/gui/ip-address/198.251.84.129/relations

paxos-video-interview.com
paxos-video-talk.com

# Reference: https://www.virustotal.com/gui/ip-address/145.223.77.219/relations

wegrowup.us
geocollab.wegrowup.us
silverrabbit.wegrowup.us
younginvest.wegrowup.us

# Reference: https://www.virustotal.com/gui/ip-address/194.164.64.193/relations

certifyedge360.com
axieinfinity.certifyedge360.com

# Reference: https://www.virustotal.com/gui/ip-address/212.85.29.40/relations

skillpilothq.com

# Reference: https://www.virustotal.com/gui/ip-address/212.85.28.229/relations

evaluateiq.com

# Reference: https://www.virustotal.com/gui/ip-address/51.210.235.45/relations

fireblocksinsight.com

# Reference: https://www.virustotal.com/gui/ip-address/82.29.199.129/relations

hirefeedbacker.com
hiringtestpro.com
quickproassess.com
rolefit360.com
archblock.quickproassess.com
archblock.rolefit360.com
zora.quickproassess.com
zora.rolefit360.com

# Reference: https://www.virustotal.com/gui/ip-address/147.93.44.252/relations

edividy.pro

# Reference: https://www.virustotal.com/gui/ip-address/104.21.32.1/relations
# Note: 104.21.32.1 is a shared Cloudflare edge address, so its VT relations mix in many unrelated sites; only the curated hostname below is a trail and the IP itself must not be added

wavelyhire.com

# Reference: https://www.virustotal.com/gui/ip-address/82.29.81.1/relations

candidatescope.com
archblock.candidatescope.com
deadfellaz.candidatescope.com

# Reference: https://www.virustotal.com/gui/ip-address/193.242.184.2/relations

360share.pro
applylens.com
assessmentbay.com
assesstoday.com
backupwizard.net
digitaltalentassess.com
drivercamsupport.com
eskillforge.com
eskillmetric.com
glitchmedic.com
hiresyncer.us
hiretestzone.com
kryptoneer.com
meetingjoin.us
patchpal.pro
paxosinterview.com
prehighiq.com
quizpathway.com
rolltojoin.com
skillsquestions.com
smrtassess.com
softdebugnest.pro
talenttracker.us
web3talentreview.com
api.drivercamsupport.com

# Reference: https://app.validin.com/detail?find=IT%20Company%20Website&type=raw&ref_id=3511f31a488#tab=host_pairs (# 2025-07-26)
# Note: very broad pivot on a generic page title, presumably aimed at DPRK IT-worker front-company sites; it also sweeps in auto-generated cPanel service hosts (cpanel./webmail./webdisk./cpcalendars./cpcontacts.*.inashtech.com) and may include unrelated small businesses built from the same site template — treat hits as low-confidence and verify a host before blocking it outright

4caddie.com
8cap.inashtech.com
aa2akhtech.in
aarnaitsolution.in
abiyz.com
acom.capital
adg-japan.com
admin.nexcloudinfo.com
admireservices.in
adrinfinitiniaga.com
ads.inashtech.com
afriinnovativetech.co.za
agree-business.com
ai.uoon.com.cn
aidcore.co.uk
aitc.vn
ajaforensicsol.com
alkamdevelopers.com.ng
alphabet-in.com
alphalabs.consulting
alphatechenterprises.in
ampreh.com.ng
andrewmuz.ddns.net
andrewmuz.direct.quickconnect.to
ankly.net
ankly.net.bytelinker.net
annovate.tech
aooaoollc.com
apiarc.net
apnsolution.in
apply-oneof.com
apply.blockforgex.com
apply.dappspire.com
apply.softcloudnet.co
arcaoffice.com
aria.halfpower.top
artifactsbd.com
artzoneservices.freewebhostmost.com
artzoneservicesllc.freewebhostmost.com
ashlyasoftwares.ashlya.com
aunix.run.place
aunix.work.gd
avisoltechnologies.com
babyqlimited.com
bearcatalog.info
beekayprecision.com
biraj-karki.com.np
bitnewly.com
blackmatrix.in
blockforgex.com
brands.kavishala.com
broussardinnovations.com
busy-bee-design.com
busybee.vercel.app
butikplus.com
buttgas.vsoltech.com
bytelinker.net
c365.tech
cadancecove.com
cadresol.com
caj.bli.mybluehost.me
campus2career.in
care-covid19.inashtech.com
celestikon.com
cieosglobal.com
cieosglobal.com.131-153-147-50.cpanel.site
cimakcimento.online
ckite.in
cloudhub24.in
cloudsforge.in
code-lab.website
codefusion.it.com
codekrew.decrypt4.me
codesharkstudiowebsite.pages.dev
cognitosparkinnovations.com
com.fixnap.com
completehomenetworks.com
confiableindia.com
consult.aesthera.ninja
coreit.com.pk
corp.cherniuk.ca
cpanel.inashtech.com
cpcalendars.inashtech.com
cpcontacts.inashtech.com
creaciontechnologies.com
cta.inashtech.com
cta2020.inashtech.com
cyberconfidential.co.za
cybernonics.in
cybertreeindia.com
cybervstacks.in
cybervstacks.work.gd
dappspire.com
dcprob.com
delta-diving.com
demo.nacos.org.ng
demo2.wzcare.in
demo3.wzcare.in
demo6-mmitsg.pages.dev
dev.devanshibeverages.in
devlineinnovations.co.ke
dhruvatech.in
digicyber.org
dinotik.pages.dev
ditlousolutions.co.za
ditlousolutions.co.za.154-0-174-246.cpanel.site
doorsteptech.online
download-device-files.pages.dev
downloader-of-files.pages.dev
dropke.org
dtgm.ovh
earthtechnologis.co.za
ecomm-git-main-tparfum.vercel.app
edoble.in
eftoll.info
engedzanitechnologies.co.za
envy-labs.com
epicms.com.pk
epicms.com.pk.confido360.com
eventorg.online
evoford.com
fb1.a71.myftpupload.com
file-downloader-and-warranty-checker.pages.dev
files-download-manager.pages.dev
files-download.pages.dev
files-downloader-and-warrenty-checker-0618.pages.dev
files-downloader-and-warrenty-checker-downloade-diagnois.pages.dev
files-downloader-and-warrenty-checker-downloader-diagnois.pages.dev
files-downloader-and-warrenty-checker-pricing-page.pages.dev
files-downloader-and-warrenty-checker-pricing-pages-ads.pages.dev
files-downloader-and-warrenty-checker-pricing-pages.pages.dev
files-downloader-and-warrenty-checker-update-0614.pages.dev
files-downloader-and-warrenty-checker.pages.dev
files0uuplaod.pages.dev
fixnap.com
food.inovetta.com
freezologi.com
freezologi.com.staycalm.in
ftp.artifactsbd.com
fxprimus.inashtech.com
gadgetproteam.com
gangaaramtechnologies.in
gaurisoft.com
gemperts.com
getursoft.in
golendusformacion.com
golite.vn
goqua.org.in
greyspireinnovation.com
groutmix.co.za
grtclean.ai
grtcleanai.com
grupogolendus.com
gtreksolution.co.ke
gulf-byte-it.com
haazlo.com
hanumantainfotech.com
harsudhtechnologies.site
heart-blossom.org
heart-blossom.pages.dev
hfginternalsite.pages.dev
hfgsite.pages.dev
hhzhu.com
hitechpune.co.in
hly.shplh.com
home.codesharkstudio.com
hugconsulting.s3-website-us-east-1.amazonaws.com
hyacinth.cloud
hybrid.nairobiskates.com
iboyotech.com
idioctis.com
ignitexsolutions.com
imediaafrica.com
inashtech.com
industrysolutiongroup.com
infinitech.co.in
infinity4it.com
inflecto.pro
innoventumtech.com
inoozar.com
insightboosts.com
invored.com
irymia.pl
isatinfotech.com
isgranada.com
it-company-website-1v7.pages.dev
it-company-website-44k.pages.dev
it-company-website-5cv.pages.dev
it-company-website.pages.dev
itcompany.ikramprofile.com
itcompanywebsite.pages.dev
itfebsolutions.co.za
itsofttech.org
itsupportzoran.com
itworldinternational.com
itwsolrizeindia.com
jade-clafoutis-26e6ab.netlify.app
jaston.serv00.net
josephcleaningservicesllc.com
june.it.com
kas-technology.com
katztechgroup.com
kenzou.co.in
kmsignite.dev
kodecamp.org
langitinfo.com
laravel.wzshop.in
layen.co
lebamfinancials.com
linforthsolutions.com
linquana.com
lspmaestro.com
luckywatermelon.xyz
m-rna.com.tr
maaetech.in
mail.afriinnovativetech.co.za
mail.alphabet-in.com
mail.ampreh.com.ng
mail.ankly.net
mail.apiarc.net
mail.artifactsbd.com
mail.bytelinker.net
mail.caj.bli.mybluehost.me
mail.cieosglobal.com
mail.coreit.com.pk
mail.cyberconfidential.co.za
mail.dhruvatech.in
mail.ditlousolutions.co.za
mail.dropke.org
mail.earthtechnologis.co.za
mail.engedzanitechnologies.co.za
mail.epicms.com.pk
mail.gangaaramtechnologies.in
mail.greyspireinnovation.com
mail.imediaafrica.com
mail.itfebsolutions.co.za
mail.kodecamp.org
mail.langitinfo.com
mail.layen.co
mail.lebamfinancials.com
mail.linquana.com
mail.melakutamiruauditing.com
mail.micronlab.com
mail.milancyber.com
mail.mojuko.co.za
mail.nexcloudinfo.com
mail.phygitaltech.in
mail.preyfoxtechnology.com
mail.qubemindz.com
mail.robosolutionsbd.com
mail.server1.vitesol.net
mail.shivanshitsolutions.com
mail.signalhands.co.bw
mail.smartdevcloud.sbs
mail.tamilnadusoftwaresolutions.com
mail.techspheresolution.in
mail.thedevsaar.com
mail.thewebecho.com
mail.trustwavecybersecurity.info
mail.undangandigital.cyou
mail.vidcraft.co.in
mail.whoisraihan.com
mail.wtcglobalsolutions.com
mail.zacmaa.net
mail.zephyrits.com
mail.zootiz.in
main-website-domail-temp-soon0update.pages.dev
makerzonelanka.com.lk
mamta-electronics.com
maruapps.inashtech.com
maruday.inashtech.com
maruteam.inashtech.com
masilaresidency.com.fixnap.com
melakutamiruauditing.com
mgwastemanagement.com
microfinance.work
micronlab.com
milancyber.com
mmg3033-health-care-covid19.inashtech.com
mmg3033-health.care-covid19.inashtech.com
mojait.co.za
mojuko.co.za
moonsys.co
mulvara.co.za
muyunqichen.com
my3website.pages.dev
myrareaesthetics.com
nawar.site
ncode.neoays.com
neoays.com
neoays.com.ymcgroups.com
nettemsoftware.in
netzenix.co.in
neuralisitsolutions.com
nexcloudinfo.com
nextlinktechnologies.net
nexvergetech.com
ngkore.com
ngkore.org
nibsbridge.com
nibsbridge.in
nilmangkorncyber.com
nobaton.ltd
nomadzsolutions.com
norg-abc.com
novasmart.in
nprservices.in
numantrainfotech.com
nuwan-softgroup.com
olenaunhurianu.com
onrtech.fr
oyatsu.org
patternsinfotech.in
peacockengr.com
pepperstone.inashtech.com
phoenixaircraft.com.au
php.wzshop.in
phygitaltech.in
pkppl.com
plasiohomeautomation.com
platosweb.com
preyfoxtechnology.com
primaryweb1.pages.dev
project-files-downlaoder.pages.dev
prominenttrades.in
prosaham.inashtech.com
pttpa.com
qasaralbahar.com
quantumdev.online
qubemindz.com
quintlogic.com
radianttechnosft.in
raibsinfotech.com
rajmatienterprises.in
ratanpolyelastomers.com
remote.envy-labs.com
robosolutionsbd.com
robosolutionsbd.com.jamiatulabrargouripur.com
rvprconsultancy.com
saibersys.com
saldymosistemos.eu
scuretech.com
securityanddatasolutions.com
server1.vitesol.net
servintec.net
servodev.in
seyoo.net
shahnaz.inashtech.com
shimonitservices.com
shivanshitsolutions.com
shplh.com
shrikhatushyamjidigital.com
signalhands.co.bw
signinbd.com
skeey.in
skylinetechsinc.com
smartdevcloud.sbs
sniper.inashtech.com
sobatrinjani.net
softcloudnet.co
softcps.co.in
softwaresphereit.com
sonear-sports.com.cn
sonetic-ae.com
spbtech.site
sshsoftwares.in
sssss-company-website-c71dc7dc1f12.herokuapp.com
sssss.co.in
sssuppport.pages.dev
staffordlaboratories.com
staging.vhilv.com
starkcloudie.netlify.app
stepwebtech.com
sunahromeoenterprise.online
swifttechnology.tech
syncgrass.com
syneritesystems.co.ke
taditafrica.com
takinsite.ir
tamilnadusoftwaresolutions.com
tamizhiautomatetechnology.in
techfellow.in
techflixo.com
techspheresolution.in
techspheresolution.in.junctionarts.in
temp.cybertouch.tech
tensormesh.ai
terrawizz.com
test.yourhelp247.com
test22233.pages.dev
thesurepass.com
thesurepass.pages.dev
theusaseries.com
thewebecho.com
thilinasakuna.com
titaniums.de
toapply.me
touhid.tech
tricodeblog.abiyz.com
truesouthstl.com
trustwavecybersecurity.cxstocktrade.com
trustwavecybersecurity.info
tsf8.com
tskautomations.com
ubsrcr.zugy.online
ui.gcp.po.ateme.ninja
ukcarservice.in
umtechnologies.de
undangandigital.cyou
unnaturalai.com
uoon.com.cn
upland.toapply.me
venvietech.co.ke
vfconsults.com
vhilv.com
vidcraft.co.in
vidyagoyal.com
visindosinergy.com
vitaminurse.com
vsservices.in
w.wzshop.in
web.halfpower.top
webcodetech.in
webdisk.inashtech.com
webli-bd.com
webmail.inashtech.com
whoisraihan.com
whoisraihan.com.bytelinker.net
window-update-and-warrenty-check-updated-0522.pages.dev
winwinsolutionway.com
wisemindtech.com
wizard.inashtech.com
wondoro.site
wtcglobal.pages.dev
wtcglobalsolutions.com
x5k.c7d.mywebsitetransfer.com
xtreamdigitech.in
ykvinfotech.in
yourhelp247.com
zacmaa.net
zaozaozao.tech
zephyrits.com
zootiz.in
zyperfect.com
zzyzxz.net

# Reference: https://www.virustotal.com/gui/ip-address/82.198.232.148/relations

assessintel.com
agora.assessintel.com
axieinfinity.assessintel.com

# Reference: https://x.com/lazarusholic/status/1950911891498488244
# Reference: https://www.sonatype.com/hubfs/White_Papers/How-North-Korea-Backed-Lazarus-Group-is-Weaponizing-Open-Source-Whitepaper.pdf

http://144.172.94.226
144.172.94.226:5961
144.172.94.226:5974
0927.vercel.app

# Reference: https://www.virustotal.com/gui/ip-address/82.29.80.153/relations

greennovadigital.com

# Reference: https://www.virustotal.com/gui/ip-address/84.32.84.32/relations

icareerc.com
ixscreen.com
frameworkvc.icareerc.com
frameworkvc.ixscreen.com
sfdfsdf.icareerc.com
yugalabs.icareerc.com
yugalabs.ixscreen.com

# Reference: https://www.virustotal.com/gui/ip-address/82.197.83.216/relations

ixcareers.com
frameworkvc.ixcareers.com
yugalabs.ixcareers.com

# Reference: https://app.validin.com/detail?find=Node.js%20upload%20multiple%20files&type=raw&ref_id=02496d38d39#tab=host_pairs (# 2025-08-02)

147.124.213.19:1244
147.124.213.232:1244
165.140.86.154:1244
165.140.86.160:1244
207.189.164.137:1244
38.92.47.152:1244
66.235.175.117:1244

# Reference: https://www.veracode.com/blog/north-korean-crypto-stealing-campaign-again/

http://95.216.46.218
api.npoint.io/e5a5e32cdf9bfe7d2386

# Reference: https://x.com/lazarusholic/status/1953086237193150753
# Reference: https://any.run/cybersecurity-blog/pylangghost-malware-analysis/

151.243.101.229:8080
360scanner.store

# Reference: https://x.com/RedDrip7/status/1954801591938170935
# Reference: https://www.virustotal.com/gui/file/93f11750014fa65066ffa7f7896c3a5b127ef8e68a4062a38610931057fe3dae/detection
# Reference: https://www.virustotal.com/gui/file/c67e8f51c086ce3c7f6fbd3e0d6d29212def08c321197449afbaecdd799173f1/detection
# Reference: https://www.virustotal.com/gui/file/259e8845176a665765f488e136931b2aca27be30eb27eb1074606213473d0446/detection
# Reference: https://www.virustotal.com/gui/file/bc229eca6d7a46acd195a7364c1caa97db96ea8c6c1f0bec10d3929930e89457/detection
# Reference: https://www.virustotal.com/gui/file/d39f0e201762e5eb4c335371abf29b3192367808f95815123bb58a4f59436476/detection

http://45.159.248.110
103.231.75.101:8888
driverservices.store

# Reference: https://www.virustotal.com/gui/ip-address/198.54.116.86/relations

fix-driver.online

# Reference: https://www.virustotal.com/gui/ip-address/76.76.21.21/relations

block-digital.fit
block-digital.site
block-digital.store

# Reference: https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
# Reference: https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/
# Reference: https://otx.alienvault.com/pulse/65534130052d1800f62e7ba2
# Reference: https://otx.alienvault.com/pulse/655f0ab585a20bff0cac8b7c

aeon-petro.com/wcms/plugins/addition_contents/cfg.png
aeon-petro.com/wcms/plugins/addition_contents/user64.png
bandarpowder.com/public/assets/img/cfg.png
bandarpowder.com/public/assets/img/user64.png
commune-fraita.ma/wp-content/plugins/wp-contact/contact.php
mantis.jancom.pl/bluemantis/image/addon/addin.php
mge.sn/themes/classic/modules/ps_rssfeed/feed.zip
mge.sn/themes/classic/modules/ps_rssfeed/feedmd.zip
vadtalmandir.org/admin/ckeditor/plugins/icontact/about.php
zeduzeventos.busqueabuse.com/wpadmin/js/widgets/sub/wids.php

# Reference: https://slowmist.medium.com/threat-intelligence-uncovering-a-web3-interview-scam-bb366694b7f3

http://172.86.64.67
172.86.64.67:4181
172.86.64.67:4186
172.86.64.67:4187
172.86.64.67:4188
api.npoint.io/96979650f5739bcbaebb

# Reference: https://x.com/SttyK/status/1956180410104471917

0xraiseup.com
ascendrix.us
ballroller.fun
corebiz.fun
donmuzzi.site
funnyboy0719.fun
greenservice.tech
gsoftcompany.com
innovateinc.fun
limitlesstechltd.com
litslink.online
memecoinmania.net
resumegenie.us
thediversityandinclusionteam.com
pay.resumegenie.us

# Reference: https://www.virustotal.com/gui/ip-address/51.210.235.45/relations

superstarscanner.com

# Reference: https://www.virustotal.com/gui/ip-address/72.60.32.153/relations

toolshare.cloud

# Reference: https://www.virustotal.com/gui/ip-address/148.230.98.183/relations

open-src.org

# Reference: https://www.virustotal.com/gui/ip-address/212.85.29.150/relations

assesspro360.com
parallel.assesspro360.com

# Reference: https://www.virustotal.com/gui/ip-address/84.32.84.32/relations

careerboard.video
framework.careerboard.video
yugalabs.careerboard.video

# Reference: https://app.validin.com/detail?find=IT%20Company%20Website&type=raw#tab=host_pairs (# 2025-08-26)

anifintech.xyz
echelonfnd.io
admin.echelonfnd.io
apply.echelonfnd.io
support.echelonfnd.io
authnsecuresystems.com
finovec.co.ke
ipv6.srv755058.hstgr.cloud
mail.anifintech.xyz
mediajourney.digital
precisioncoderss.com
srv755058.hstgr.cloud
tenspick.shop
thehubservice.cloud
vern.thehubservice.cloud

# Reference: https://www.ctfiot.com/267223.html

http://45.89.53.54
block-digital.online

# Reference: https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/
# Reference: https://www.virustotal.com/gui/file/d8de31bcaf5b9ebb99bef36244b0ab3c21367821947a789dff69c33d49aaffc9/detection

144.172.74.120:3389
aes-secure.net
arcashop.org
azuredeploypackages.net
azureglobalaccelerator.com
calendly.live
dpkgrepo.com
ftxstock.com
go.oncehub.co
keondigital.com
latamics.org
lmaxtrd.com
nansenpro.org
natefi.org
oncehub.co
paxosfuture.com
picktime.live
plexisco.com
pypilibrary.com
pypistorage.com

# Reference: https://www.virustotal.com/gui/ip-address/82.29.157.117/relations
# Reference: https://app.validin.com/detail?find=%3A%3A%3A%22keywords%22%3A%22hiring%20platform%2C%20recruitment%20software%2C%20candidate%20screening%2C%20talent%20evaluation%2C%20skills-based%20hiring%2C%20interview%20tools%2C%20tech%20hiring%2C%20remote%20hiring%2C%20hiring%20automation%2C%20team%20building%22&type=raw#tab=host_pairs (# 2025-09-08)

answerpanel.org
avalabs-digital.online
avalabs-digital.space
avalabs-network.live
avalabs-network.online
elitehireaxis360.com
free-loader.org
queryyard.com
recruitboard.video
skillstandard360.com
softcaredesk.pro
standard-ai.org
base-cei.pages.dev
career-8hp.pages.dev
recruitboard-base.pages.dev
sub-recruitboard.pages.dev
stage-framework.recruitboard.video
stage-yuga.recruitboard.video

# Reference: https://www.virustotal.com/gui/ip-address/157.173.209.152/relations

auto-ai.online
auto-patch.tech
insighthire360.com
talentgauge360.com
talentpreview360.com
talentradar360.com
talentverge360.com
web3elitesmint.com
web3elitesmint.pages.dev
web3globalmint.com
web3globalmint.pages.dev
web3talentmint.com

# Reference: https://x.com/volrant136/status/1965126588745613721
# Reference: https://www.virustotal.com/gui/file/15e2d1390aff1c4b83607152cb75ecf5c9b5a20cb732780379265a7b8df80f6b/detection

avalabs-digital.store
avalabs-hiring.online
avalabs-hiring.site
avalabs-hiring.space
avalabs-hiring.store
avalabs-hiring.world
avalabs-io.online
avalabs-io.space
avalabs-io.store
avalabs-network.space
avalabs-org.online
avalabs-talent.online
avalabs-talent.space
avalabs-talent.store
avalabs-tech.online
avalabs-tech.space
avalabs-tech.store

# Reference: https://www.virustotal.com/gui/ip-address/82.25.83.175/relations

globalskillconnect360.com

# Reference: https://www.virustotal.com/gui/ip-address/82.25.87.27/relations

assesscrew.com
hiremodozone.com
staffingedges.com
talentedstarmodo.com
bitmart.hiremodozone.com
mythicalgames.hiremodozone.com
paradigm.hiremodozone.com
solulab.hiremodozone.com
stake.assesscrew.com
stake.hiremodozone.com
stake.staffingedges.com
stake.talentedstarmodo.com

# Reference: https://x.com/RedDrip7/status/1968500301377458222
# Reference: https://www.virustotal.com/gui/file/c105f8c14f3903af3051ae1811ea4ba8898c49b45687f20e22e13a40685c7521/detection
# Reference: https://www.virustotal.com/gui/file/0c78a1c0809a6a8bcd9e857272817ceafd20c49051fbb8540c4bc1777c7356e6/detection

http://141.98.168.79
http://69.10.53.86

# Reference: https://x.com/RedDrip7/status/1970391207051436538
# Reference: https://www.virustotal.com/gui/file/24326e187f082c73f1aa8952696dc1b0b47f8cf205c518194c2c4bb20d8e36b7/detection
# Reference: https://www.virustotal.com/gui/file/914ebde62460fa8daf6dd57fa91f88000314c8aeb48e2de41576d3c15899cf98/detection
# Reference: https://www.virustotal.com/gui/file/a3bb64de9782d000a1fb50401a8c26a65ea99cb2698cccbb3916dc546761587f/detection
# Reference: https://www.virustotal.com/gui/file/cba0189ba9f6ef80ce03948c07a8e85fffb41a835d90502903a6f306927f5653/detection

165.140.85.106:1243
165.140.85.106:1244
165.140.85.106:1245
165.140.85.106:1248
165.140.85.106:3389

# Reference: https://www.virustotal.com/gui/ip-address/191.101.15.48/relations

radarsync.pro

# Reference: https://www.virustotal.com/gui/ip-address/72.60.28.66/relations

softmedic.pro

# Reference: https://www.virustotal.com/gui/ip-address/72.60.71.89/relations

softsquashers.pro

# Reference: https://x.com/tayvano_/status/1971206871076991302

advisoryfit.com
advisoryfit.pages.dev
api.ixcareer.video
app.eboardcareer.com
app.evalixhub.com
app.ixcareer.video
candidatesnap.com
eboardcareer.com
eboardcareer.pages.dev
evalixhub.com
ixcareer-video.pages.dev
ixcareer.video
proficientmint.com
proficientmint.pages.dev

# BANNER_0_HASH-HOST=fda47416f397bac31d80d8e73d01fe0c

introon.com
onchainassess.com
skilllens360.com
skillview360.com
api.introon.com
api.onchainassess.com
api.skilllens360.com
ftp.skillview360.com
parallel.skillview360.com

# BANNER_0_HASH-HOST=bdce8fdf1bf366047ba5479342c64b07

axionara.com
snap-screening.com
api.snap-screening.com
app.axionara.com

# Reference: https://www.virustotal.com/gui/ip-address/82.29.199.206/relations

talentevaluate.com
ftp.talentevaluate.com

# Reference: https://www.virustotal.com/gui/ip-address/82.29.87.223/relations

anchoragedigitalhireflow.com
anchoragehireflow.com
anchoragehiring.com
fireblocks-assessment.com
fireblockshireflow.com
fireblockshiring.com
ftp.anchoragehireflow.com

# Reference: https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages

http://138.201.50.5
http://23.127.202.249
json-project-hazel.vercel.app
process-log.vercel.app
/apikey/QWERTYU890T12HML
/QWERTYU890T12HML

# Reference: https://jp.security.ntt/insights_resources/tech_blog/ottercandy_malware_e/

139.60.163.206:4000
172.86.114.31:3000
54.146.239.83:8080
80.209.243.85:4000
80.209.243.85:5000

# Reference: https://www.virustotal.com/gui/ip-address/216.24.57.1/relations

businesshire.cv
ehireflex.com
ehireflix.com
hirebest.cv
hirefiix.pro
hireflix.pro
hireflix360.com
hireone.top
hireproflix.online
hirevision360.com
onehire.pro

# Reference: https://www.picussecurity.com/resource/blog/lazarus-group-apt38-explained-timeline-ttps-and-major-attacks
# Reference: https://www.virustotal.com/gui/file/0a472fdc188c9da6b8610e9eabed467b4a76457fb01ab16cf3a887d24adb9065/detection

palgong-cc.co.kr

# Generic

/daumeditor/pages/template/
/daumeditor/pages/template/simple.asp
/daumeditor/pages/template/template.asp
/levels4SqR8/measure.asp
/mall/community/bbs_read.asp
/niabbs5/upload/gongji/index.php
/niabbs5/upload/gongji/
/_manage/inc/bbs/jiyeuk1_ok.asp
/inc/bbs/jiyeuk1_ok.asp
/asdfghjkl
/qwertyuiop
/qwertyuiop/asdfghjkl
/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/
/Of56cYsfVV8/
/OJITWH2WFx/
/Jy5S7hSx0K/
/fP7saoiPBc/
