# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: mirrorstealer, lodeinfo

# Reference: https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
# Reference: https://otx.alienvault.com/pulse/639b01a88df8698311dc2b43
# Reference: https://www.virustotal.com/gui/ip-address/167.179.116.56/relations
# Reference: https://www.virustotal.com/gui/ip-address/172.105.217.233/relations
# Reference: https://www.virustotal.com/gui/file/f53c5fd78000755ccfff11d2f1b7d659f4a71c887083697d54b8fe8cf905ef6a/detection
# Reference: https://www.virustotal.com/gui/file/a8ec766eee6cc3c6416519f8407ac534f088637ed1a6bc05ed0596d8a0237548/detection

http://167.179.116.56
http://172.105.217.233
http://45.32.13.180
aesorunwe.com
ninesmn.com

# Reference: https://x.com/780thC/status/1856027964112044127
# Reference: https://x.com/pancak3lullz/status/1862959850180804935
# Reference: https://x.com/pancak3lullz/status/1863005095375319345
# Reference: https://therecord.media/china-linked-hackers-tasked-with-japanese-targets-pursue-through-europe
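# Reference: https://search.censys.io/search?q=services.tls.certificates.leaf_data.subject_dn%3D%22CN%3DDESKTOP-QKVE59Z%22&resource=hosts
# Note: the ip:3389 entries below presumably come from the Censys query above (hosts whose TLS certificate on 3389 has subject CN=DESKTOP-QKVE59Z). Treat them as point-in-time observations and re-verify the certificate match before alerting or blocking, since addresses can be reassigned.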

104.238.149.37:3389
108.160.138.20:3389
139.180.197.13:3389
149.28.31.17:3389
167.179.105.29:3389
198.13.51.211:3389
198.13.55.8:3389
207.148.104.176:3389
43.224.34.61:3389
45.32.14.107:3389
45.32.18.42:3389
45.76.193.104:3389
45.76.202.254:3389
45.76.202.98:3389
45.76.97.113:3389
45.77.28.195:3389
45.77.29.108:3389
