# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: BoggySerpens, TEMP.Zagros, Static Kitten, Seedworm, MERCURY, COBALT ULSTER (https://malpedia.caad.fkie.fraunhofer.de/actor/muddywater), TA450, Toneshell, lightphoenix, unc3313, unc5667

# Reference: https://securelist.com/muddywater/88059/

adibf.ae/wp-includes/js/main.php
benangin.com/wp-includes/widgets/main.php
ektamservis.com/includes/main.php
gtme.ae/font-awesome/css/main.php
hubinasia.com/wp-includes/widgets/main.php
www.adfg.ae/wp-includes/widgets/main.php
www.cankayasrc.com/style/js/main.php

# Reference: https://fortiguard.com/resources/threat-brief/2018/10/12/fortiguard-threat-intelligence-brief-october-12-2018

alibabacloud.dynamic-dns.net
alibabacloud.wikaba.com
alibabacloud.zzux.com
microsoftofice.zyns.com
microword.itemdb.com
moffice.mrface.com
muonline.dns04.com
office.otzo.com
offlce.dnset.com
online.ezua.com
muhacirder.com
muteciyar.info

# Reference: https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/

3cbc.net/dropbox/icon.icon
pazazta.com/app/icon.png
ohe.ie/cli/icon.png
ohe.ie/cp/icon.png
andreabelfi.com/main.php
andreasiegl.com/main.php
andresocana.com/main.php
amorenvena.com/main.php
amphira.com/main.php
amphibiblechurch.com/main.php

# Reference: https://twitter.com/360TIC/status/1108616188173520896
# Reference: https://otx.alienvault.com/pulse/5c939fbb22017040b7e47be4/

/serverScript/clientFrontLine/getCommand.php
/serverScript/clientFrontLine/helloServer.php
/serverScript/clientFrontLine/setCommandResult.php

# Reference: https://twitter.com/360TIC/status/1081080752438009856

getgooogle.hopto.org
shopcloths.ddns.net

# Reference: https://twitter.com/blackorbird/status/1072314411849797632
# Reference: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
# Reference: https://twitter.com/blackorbird/status/1070911385368809472

ankara24saatacikcicekci.com

# Reference: https://twitter.com/HONKONE_K/status/1115513990594084864

tfu.ae/readme.txt

# Reference: https://otx.alienvault.com/pulse/5caf93777439561cb57d0e2c

googleads.hopto.org
orbe-fzc.com

# Reference: https://research.checkpoint.com/the-muddy-waters-of-apt-attacks/

http://185.117.75.116/tmp.php

# Reference: https://twitter.com/VK_Intel/status/1117673303332667392

http://185.162.235.182

# Reference: https://otx.alienvault.com/pulse/5cb4b3944f62ba0873339ee1

46.105.84.146:443

# Reference: https://twitter.com/HONKONE_K/status/1118406086925504512
# Reference: https://twitter.com/360TIC/status/1118430258451976192

plet.dk/css/
134.19.215.3:443

# Reference: https://twitter.com/ClearskySec/status/1118511605359304705
# Reference: https://app.any.run/tasks/17706fbe-8ac5-45df-b489-c766514cbe0a
# Reference: https://twitter.com/Arkbird_SOLG/status/1133472942661263362

http://185.185.25.175

# Reference: https://securelist.com/muddywaters-arsenal/90659/

78.129.222.56:8090 # LisfonService RAT
192.64.86.174:8980 # Python RAT
104.237.233.38:8085 # SSH Python script
104.237.233.40:7070 # Other stuff
78.129.139.134:8080

# Reference: https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html
# Reference: https://otx.alienvault.com/pulse/5ce2c36a67a0d63bbf18b120

136.243.87.112:3000
http://38.132.99.167/crf.txt
/serverScript/clientFrontLine/
/bcerrxy.php

# Reference: https://habr.com/ru/company/group-ib/blog/452540/ (Russian)
# Reference: https://app.any.run/tasks/04393751-072b-4753-9ab7-5dab2881dc1c/

gladiyator.tk

# Reference: https://twitter.com/Timele9527/status/1134291981176152064

http://185.244.149.218

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/
# Reference: https://otx.alienvault.com/pulse/5cfe6b9d0ecf65e404ef4f85

amazo0n.serveftp.com
shareliverpoolfc.co.uk
shopcloths.ddns.net
zstoreshoping.ddns.net

# Reference: https://twitter.com/Timele9527/status/1138694954140594176

http://185.82.202.240

# Reference: https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf

104.237.233.38:1022
104.237.233.38:8080
104.237.233.40:8443
104.237.233.38:8080
104.237.255.212:443
78.129.139.134:8864
88.99.17.148:443
ciscoupdate2019.gotdns.ch
getgooogle.hopto.org
googleads.hopto.org
latvia-usa.org/wp-includes/customize/main.php
valis-ti.cl/assets/main.php

# Reference: https://twitter.com/HONKONE_K/status/1144438589230419968

http://104.237.255.195
http://91.132.139.196

# Reference: https://twitter.com/0xffff0800/status/1145408553479483392

iec56w4ibovnb4wc.onion

# Reference: https://twitter.com/Rmy_Reserve/status/1146388355162050561
# Reference: https://mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg

http://185.141.27.14
http://185.185.25.175
http://185.244.149.218
http://185.82.202.240
http://83.171.238.62
/ls.php?TOKEN=Pomy
/trjjmfnnv.php
/ttryeJte76.php

# Reference: https://twitter.com/RedDrip7/status/1115873829035835392
# Reference: https://twitter.com/RedDrip7/status/1108617989308309504

46.105.84.146:80
94.23.148.194:80

# Reference: https://twitter.com/blackorbird/status/1156778469960769536

http://46.166.176.242/main.php
instmech.uz/meryem.php

# Reference: https://twitter.com/Timele9527/status/1156762307965231104

http://89.33.246.82

# Reference: https://twitter.com/Rmy_Reserve/status/1170187955412992000
# Reference: https://app.any.run/tasks/150759b8-44c7-4fa8-b518-4e2562964663/

http://graphixo.net/wp-includes/utf8.php

# Reference: https://twitter.com/cyb3rops/status/1184759564656402432
# Reference: https://app.any.run/tasks/46cc133c-f3c6-4834-b139-0020ebed1c1e/

assignmenthelptoday.com

# Reference: https://twitter.com/HONKONE_K/status/1115117276565360641

cms.qa

# Reference: https://otx.alienvault.com/pulse/5dd691c33a60512b0675ee35

annapolisfirstlimo.com/editob.nvd
assignmenthelptoday.com/wp-includes/utf8.php
graphixo.net/wp-includes/utf8.php
ksahosting.net/wp-includes/utf8.php

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1198400038629781505

ampacindustries.com

# Reference: https://blog.prevailion.com/2020/01/summer-mirage.html
# Reference: https://otx.alienvault.com/pulse/5e1747ff614f5a153bbc1c08

accesemailaccount.tk
accounts-login.ga
accounts-login.gq
accountslogin.ga
apikeyallervice.business
apikeyallervice.com
login-accounts.gq
login-dc2-verifyaccounts.ga
login-dc2-verifyaccounts.tk
login-secure-account.cf
login-secure-account.gq
login-secure-account.ml
loginaccounts.cf
logind2-secure.tk
reauth92-services.sytes.net
roadtosultan1.org
secure-login-accounts.gq
service0auht-center.ddns.net
signin-secure.tk

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1218958514124722176

advanceorthocenter.com/wp-includes/editor.php

# Reference: https://app.any.run/tasks/733ad416-1e4d-455f-9236-b8cf2196f18b/

http://lalindustries.com/wp-content/upgrade/editor.php

# Reference: https://twitter.com/r00tten/status/1219900503032811520

foura.biz/js/elevatezoom-master/editor.php

# Reference: https://twitter.com/blackorbird/status/1248103015862525953
# Reference: https://docs.google.com/document/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub

http://185.24.233.19
robusted1020.chickenkiller.com

# Reference: https://twitter.com/xiaocaiccc/status/1249586935275778048
# Reference: https://www.virustotal.com/gui/file/bf696397784b22f8e891dd0627dce731f288d14d4791ac5d0a906bc1cbe10de6/detection

1nationnews.com/wp-admin/includes/wp-config-ini.php
24newstube.com/wp-config-ini.php
2mseng.com/wp-config-ini.php
3axis.co/wp-admin/includes/wp-config-ini.php
3darch.net/modules/wp-config-ini.php
92pizza.pk/wp-content/plugins/wp-config-ini.php
9newshd.com/wp-config-ini.php
aahung.org/assets/wp-config-ini.php
aboutbodybuildingworkout.com/wp-config-ini.php
aboutduvetcovers.com/Seller/wp-config-ini.php
addictdkp.com/wp-config-ini.php
advcadsys.com/wp-config-ini.php
afikapower.com/wp-config-ini.php
afikaquadpro.com/wp-config-ini.php
afrogeo.com/wp-config-ini.php
ahsanfarooqui.xyz/wp/wp-config-ini.php
ahsfoundation.co.uk/wp-config-ini.php
ahworld.com.pk/wp-config-ini.php
aimalproduction.com/wp-admin/wp-config-ini.php
aimsagro.com/wp-admin/includes/wp-config-ini.php
aimswelfare.org/wp-admin/includes/wp-config-ini.php
albedogida.com/Eski_web/wp-config-ini.php
alessioborzuola.com/downloads/wp-config-ini.php
allsporthealthandfitness.com/wp-config-ini.php
almaqsd.com/wp-includes/wp-config-ini.php
amazingtour.pk/wp-config-ini.php
ancoeng.co.za/wp-config-ini.php
andrebruton.com/wp-config-ini.php
andrew-snyder.net/TemplateData/wp-config-ini.php
anubandh.in/wp-config-ini.php
arabelaholdings.com/wp-config-ini.php
aresebetseng.co.za/wp-config-ini.php
astrumtechnologies.co.za/templates/wp-config-ini.php
azadpattanhpp.com/wp-config-ini.php
balaateen.co.za/less/wp-config-ini.php
bartabee.com/wp-config-ini.php
batthiqbal.com/sagenda/webroot/wp-config-ini.php
bestencouragementwords.com/wp-config-ini.php
bhg-tech.com/wp-config-ini.php
bhsmusic.net/wp-config-ini.php
biglickentertainment.com/wp-config-ini.php
biljum.com/wp/wp-includes/wp-config-ini.php
billielaw.com/wp-config-ini.php
biondi.co/wp-config-ini.php
bitsym.com/wp-content/plugins/duplicate-page/wp-config-ini.php
bitteeth.com/docbank/wp-config-ini.php
blackgoldoilserv.com/wp-config-ini.php
blackstar.com.pk/wp-includes/wp-config-ini.php
blackwolfco.com/wp-config-ini.php
blattoamsterdam.com/wp-config-ini.php
bluefor.com/magento/wp-config-ini.php
blushagency.com/wp-config-ini.php
bmasokaprojects.co.za/wp-config-ini.php
bntlaminates.com/wp-config-ini.php
boardaffairs.com/wp-config-ini.php
breathehope4maira.com/wp-config-ini.php
bridgepakistan.org/wp-config-ini.php
britishofficefitout.com/wp-config-ini.php
broadstone.com.pk/wp-config-ini.php
buhlebayoacademy.com/wp-config-ini.php
burgeystikihut.com/wp-config-ini.php
burlesonlelas.com/wp-config-ini.php
buttarandbuttars.com/wp-config-ini.php
buzzfeedhealth.com/wp-config-ini.php
cafeliquiteria.pk/wp-config-ini.php
cafeperrin.com/wp-config-ini.php
cazochem.co.za/cazochem/wp-config-ini.php
cemsolutions.org/wp-config-ini.php
centuriongsd.co.za/wp-config-ini.php
centuryacademy.co.za/css/wp-config-ini.php
chrishanicdc.org/wpimages/wp-config-ini.php
constructionsolutions.info/wp-includes/wp-config-ini.php
cosmeticsurgeryisb.pk/wp-includes/wp-config-ini.php
coverpixs.com/wp-config-ini.php
craigslistadsposting.com/wp-includes/wp-config-ini.php
createch.solutions/wp-includes/wp-config-ini.php
creativenex.com/wp-includes/wp-config-ini.php
creativetiers.com/wp-config-ini.php
crystaltidings.co.za/wp-config-ini.php
cybercraft.biz/dist/wp-config-ini.php
debnoch.com/image/wp-config-ini.php
diegemmerkat.co.za/wp-config-ini.php
duotonedigital.co.za/wp-config-ini.php
ecs-consult.com/wp-config-ini.php
edgeforensic.co.za/wp-config-ini.php
elemech.com.pk/wp-config-ini.php
evansmokaba.com/evansmokaba.com/thabiso/wp-config-ini.php
fgpcw-kr.edu.pk/wp-admin/includes/wp-config-ini.php
funeralbusinesssolution.com/email_template/wp-config-ini.php
getcord.co.za/wp-config-ini.php
gilforsenate.com/wp-config-ini.php
h-u-i.co.za/heiren/wp-config-ini.php
habibtextiles.pk/wp-config-ini.php
heritagetravelmw.com/wp-config-ini.php
hisandherskennels.co.za/php/wp-config-ini.php
hmholdings360.co.za/wp-config-ini.php
humorcarbons.com/wp-config-ini.php
iancullen.co.za/wp-config-ini.php
icsswaziland.com/wp-config-ini.php
ihlosiqs-pm.co.za/wp-config-ini.php
indiba-africa.co.za/wp-config-ini.php
laraibgroup.com/plugins/system/redirect/wp-config-ini.php
loansonhomes.co.za/wp-config-ini.php
luxconprojects.co.za/wp-config-ini.php
mgamule.co.za/oldweb/wp-config-ini.php
mukhtarfeeds.com/wp-config-ini.php
mumtazandbrohi.com/coughingdish/93grahammiller/wp-config-ini.php
mumtazandbrohi.com/wp-includes/wp-config-ini.php
myhealthmedical.ae/old/includes/wp-config-ini.php
mzansicompanies.co.za/wp-config-ini.php
nbscorporation.co.za/wp-config-ini.php
neomfarming.com/wp-config-ini.php
oc.tsfengineering.com/wp-config-ini.php
odcpkintranet.org/wp-admin/includes/wp-config-ini.php
organisejournalise.co.za/wp-config-ini.php
oursort.co.za/timothyowenauthor/wp-config-ini.php
pamudzi.co.za/wp-config-ini.php
penisdevelopmentcentre.co.za/wp-config-ini.php
pgkhi.com/css/wp-config-ini.php
phoenix.zar.cc/wp-config-ini.php
pkproud.com/roshitrust/wp-config-ini.php
plantconsultants.co.za/wp-config-ini.php
prestbusiness.co.za/wp-config-ini.php
promechtransport.co.za/scripts/wp-config-ini.php
quikteam.com/scripts/contrib/wp-config-ini.php
rashidalinawabshahi.com/ranwp/db-config-ini.php
saacma.co.za/wp-admin/wp-config-ini.php
seismicfactory.co.za/wp-config-ini.php
servicebox.co.za/wp-config-ini.php
shullen.co.za/wp-config-ini.php
sikanderajam.com/wp-config-ini.php
sinebar.co.za/wp-config-ini.php
sirketcv.com/admin/_islemler/wp-config-ini.php
sonafoundation.org.pk/wp-config-ini.php
tanati.co.za/wp-config-ini.php
thebedspace.com/wp-includes/pomo/wp-config-ini.php
theguitarstudio.co.za/wp-includes/wp-config-ini.php
themotoringcalendar.co.za/wp-config-ini.php
ventronics.co.za/wp-config-ini.php
vhupo-tours.com/wp-config-ini.php
waohost.com/wp-includes/wp-config-ini.php
wicloud.pk/store/wp-config-ini.php
willpowerpos.co.za/wp-config-ini.php
winagainstebola.com/wp-config-ini.php
wmcpk.org/wp/wp-config-ini.php

# Reference: https://twitter.com/iamwinstonm/status/1276804076534034433
# Reference: https://www.virustotal.com/gui/file/1f38eea8caf63ff911fa97f2a20328796a62fc760f24c7e6347753e8112bf92d/detection
# Reference: https://www.virustotal.com/gui/file/92cb75c15da69fd6ef9368c03fd5001778d5fa1f7b024d63c84c13f501d5acd5/detection

http://185.244.149.202
enreji.gov.tr

# Reference: https://www.virustotal.com/gui/file/2ad0c8e29a364005f3aa0aaab770f919f8a65202b06721143e2d19dc6b75f323/detection

linkupdate.org

# Reference: https://twitter.com/BushidoToken/status/1298572507914670080

windowsupdate.me

# Reference: https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf
# Reference: https://otx.alienvault.com/pulse/5f886761020a5e059b24dd74
# Reference: https://www.virustotal.com/gui/file/a1282dde503e911d5653e1d9d1214e4780e61c96d1530c3a1be22d88a81dcf5f/detection

http://185.117.75.101
http://185.183.96.28
http://185.183.96.61
http://185.183.98.242
http://185.244.149.215
http://185.82.202.66
http://185.82.202.70
http://212.143.154.158
http://46.4.105.116
server.lax.co.il
webmail.lax.co.il

# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
# Reference: https://otx.alienvault.com/pulse/5fa1deab84fa772abb100f92

104.168.44.16:443
http://23.95.220.166

# Reference: https://twitter.com/ShadowChasing1/status/1329247256122322944
# Reference: https://twitter.com/h2jazi/status/1329188203178373120
# Reference: https://otx.alienvault.com/pulse/5fb6cd8f40663e290766fdff
# Reference: https://www.virustotal.com/gui/file/4e8a2b592ed90ed13eb604ea2c29bfb3fbc771c799b3615ac84267b85dd26d1c/detection

107.175.196.104:443

# Reference: https://twitter.com/Arkbird_SOLG/status/1343001491121065984
# Reference: https://www.virustotal.com/gui/file/d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81/detection

193.161.193.99:44451
mazzion1234-44451.portmap.host

# Reference: https://twitter.com/ShadowChasing1/status/1354232892323373057

oauth-services.live

# Reference: https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
# Reference: https://otx.alienvault.com/pulse/60243229fdc9a2c67990218b/

instance-sy9at2-relay.screenconnect.com
instance-uwct38-relay.screenconnect.com

# Reference: https://www.virustotal.com/gui/file/6497a723c3ef7d7bae5a2cd1b109a14e457f2e69d85be2e4a26d01c89ca21345/detection

instance-s6p2r4-relay.screenconnect.com

# Reference: https://twitter.com/Marco_Ramilli/status/1390556742262665216

/api/add_rat_permission
/api/add_rat_permissions
/add_rat_permission
/add_rat_permissions

# Reference: https://twitter.com/silv0123/status/1404295902202793985
# Reference: https://www.virustotal.com/gui/file/48e75909520f1a19a8a2cfc34ed5938c69750af7966f40bdf3a2d340a0ca98ad/detection
# Reference: https://www.virustotal.com/gui/file/c13cb1c9277324534075f807a3fcd24d0d3c024197c7437bf65db78f6a987f7a/detection

instance-n3e3x9-relay.screenconnect.com

# Reference: https://twitter.com/ShadowChasing1/status/1475819281648553986
# Reference: https://www.virustotal.com/gui/file/2f2492b7bb55f7a12f7530c9973c9b81fdd5e24001e4a21528ff1d5b47e3446e/detection

http://107.174.68.60
http://192.227.147.152
t7170-d.de

# Reference: https://twitter.com/czy_1116/status/1476048626313056257
# Reference: https://www.virustotal.com/gui/file/cab75e26febd111dd5483666c215bb6b56059f806f83384f864c51ceddd0b1cf/detection
# Reference: https://www.virustotal.com/gui/file/84d523833db6cc74a079b12312da775d4281bf1034b2af0203c9d14c098e6f29/detection

http://185.117.73.74

# Reference: https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/

http://185.247.137.89
http://51.255.219.222

# Reference: https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
# Reference: https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html
# Reference: https://www.virustotal.com/gui/file/f6569039513e261ba9c70640e6eb8f59a0c72471889d3c0eaba51bdebb91d285/detection
# Reference: https://www.virustotal.com/gui/file/c13cb1c9277324534075f807a3fcd24d0d3c024197c7437bf65db78f6a987f7a/detection

http://185.118.167.120
http://185.118.164.195
137.74.131.16:443
149.202.242.84:443
185.141.27.211:443
172.245.81.135:10196
/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/

# Reference: https://www.virustotal.com/gui/file/4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c/detection

http://5.199.133.149
/jznkmustntblvmdvgcwbvqb
/oeajgyxyxclqmfqayv

# Reference: https://www.cisa.gov/uscert/ncas/alerts/aa22-055a
# Reference: https://otx.alienvault.com/pulse/621cf48c69b2caf2c2f4bb3e/

http://164.132.237.65
http://185.118.164.21
http://185.141.27.143
http://185.141.27.248
http://185.183.96.7
http://185.25.51.108
http://192.210.191.188
http://192.210.226.128
http://45.142.212.61
http://45.142.213.17
http://46.166.129.159
http://80.85.158.49
http://87.236.212.22
http://88.119.170.124
http://88.119.171.213
http://89.163.252.232
http://95.181.161.49
http://95.181.161.50

# Reference: https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/
# Reference: https://otx.alienvault.com/pulse/62b1bfcf88e55b6f69deb3bc
# Reference: https://www.virustotal.com/gui/file/ddd9eb1f6c58517bf58cc20ab820113ca137221fb2330589f3fd1ce5df4c8c1c/detection

http://185.183.96.34
http://185.198.57.75

# Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
# Reference: https://otx.alienvault.com/pulse/6308c120cac2d8874c250093

sygateway.com

# Reference: https://twitter.com/Des00464472/status/1564541906381864960

3.129.246.94:443

# Reference: https://twitter.com/Des00464472/status/1587279425200336896

18.229.88.34:443

# Reference: https://twitter.com/suyog41/status/1601225014715461632

admin.syncroapi.com

# Reference: https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/
# Reference: https://otx.alienvault.com/pulse/643423acc27e303808a2c523

http://104.194.222.219
http://141.95.22.153
http://146.70.106.89
http://192.169.6.88
http://192.52.166.191
http://192.52.167.209
http://193.200.16.3
http://194.61.121.86
http://45.56.162.111
http://45.86.230.20
http://46.249.35.243
104.194.222.219:443
141.95.22.153:443
146.70.106.89:443
192.169.6.88:443
192.52.166.191:443
192.52.167.209:443
193.200.16.3:443
194.61.121.86:443
45.56.162.111:443
45.86.230.20:443
46.249.35.243:443
vatacloud.com
webstore4tech.uaenorth.cloudapp.azure.com

# Reference: https://www.group-ib.com/blog/muddywater-infrastructure/
# Reference: https://twitter.com/malwrhunterteam/status/1708931063693689196
# Reference: https://twitter.com/1ZRR4H/status/1709215529532002551
# Reference: https://www.virustotal.com/gui/file/3c41bd2befcb1f890d6f9751f22ca78080bc477fdac5dcc312604428e4b2b8f2/detection
# Reference: https://www.virustotal.com/gui/file/3d82e013aa638344d2fb1c80da0121e244648b691a784dbed28e2b6b5e6c58cc/detection
# Reference: https://www.virustotal.com/gui/file/3f9db7bf1c9d897d46f669854e7ecc945778024f04cac9cd1585140d0d73a34f/detection
# Reference: https://www.virustotal.com/gui/file/5366c1937b22c377843a04b716cd62fb57b3ed36042f6af11a403dcfc63608e0/detection
# Reference: https://www.virustotal.com/gui/file/fb69c821f14cb0d89d3df9eef2af2d87625f333535eb1552b0fcd1caba38281f/detection
# Reference: https://www.virustotal.com/gui/file/42f4ee20087893d8e7f3b5fa49d96b095e7d124df914e77c61cd3aa6b53d859e/detection

http://137.74.131.24
http://149.202.242.80
http://178.32.30.3
http://51.254.25.36
http://91.121.240.104
http://91.121.240.108
http://91.121.240.96
149.202.242.80:22
149.202.242.80:443
149.202.242.85:22
149.202.242.86:22
164.132.237.64:22
164.132.237.65:22
164.132.237.66:22
51.254.25.36:443
51.255.19.178:443
51.255.19.179:443
51.255.19.183:22
91.121.240.104:443
91.121.240.108:443
94.131.98.34:443
/gcvvPu2KXdqEbDpJQ33
/rrvvPu2KXdqEbDpJQ33
/kz10n2f9d5c4pkz10n2f9s2vhkz10n2f9
/ln8mykyrd5c4pln8mykyrs2vhln8mykyr
/kz10n2f9d5c4pkz10n2f9s2vhkz10n2f9/gcvvPu2KXdqEbDpJQ33/
/ln8mykyrd5c4pln8mykyrs2vhln8mykyr/gcvvPu2KXdqEbDpJQ33/
/ln8mykyrd5c4pln8mykyrs2vhln8mykyr/rrvvPu2KXdqEbDpJQ33/

# Reference: https://twitter.com/josh_penny/status/1655256615774302215

6nc110821hdb.co
nc6jan20pol.co

# Reference: https://twitter.com/k3yp0d/status/1719269176101990574
# Reference: https://www.virustotal.com/gui/file/a2ae5e994c0b515cadd425cfda4d4ae33b71893c45b702e1f8c1a495dc1b440f/detection

146.70.149.61:8008
/access/JWrapper-JWrapper-version.txt
/access/JWrapper-Remote%20Access-00089360998-archive.p2.l2

# Reference: https://twitter.com/MichalKoczwara/status/1719294254206288001
# Reference: https://www.virustotal.com/gui/file/7fddecd93c277db31ec0755faac087c3f3d4af735df0ffad704c9f3b954283e5/detection
# Reference: https://www.virustotal.com/gui/file/52e625ca4e9af0848749f3134c23103595e8a5c4f0951155f5d966b89b805bf1/detection
# Reference: https://www.virustotal.com/gui/file/7e82615194d58f3a6ab5abe130ac841195ffb744eb437092879c81d0fb0891b7/detection

http://146.70.124.102
http://37.120.237.204
http://37.120.237.248
146.70.124.102:443
37.120.237.204:443
37.120.237.248:443
/access/JWrapper-Windows64JRE-00084000053-archive.p2.l2
/access/JWrapper-Windows64JRE-version.txt?time=
/access/JWrapper-Windows64JRE-version.txt

# Reference: https://twitter.com/k3yp0d/status/1720008194016133619
# Reference: https://www.virustotal.com/gui/file/8a6226b02af996e06d956b000630271f23b82235c36c22afc9da36a3f043e00b/detection
# Reference: https://www.virustotal.com/gui/file/500a7c4e89e02f972da68946496b66b3204690f209858df6637bde0d4ef03f18/detection
# Reference: https://www.virustotal.com/gui/file/111f9e2228a6b6f663cda85f8211ee6cfcbcab5d9fa8c6c5aa38a808ccf671ba/detection
# Reference: https://www.virustotal.com/gui/file/1b5604d023673b07f16af8404657637c3077100abd8d81b8db946d653ce032df/detection

http://94.131.9.239
/access/JWrapper-Remote%20Access-version.txt
/access/JWrapper-Remote%20Access_os_jwwin-version.txt
/access/JWrapper-Windows64JRE-00084000053-archive.p2.l2
/access/JWrapper-Remote%20Access_winutils64-00091670477-archive.p2.l2
/access/jwdyna_sg_scripttruejwdyna_force_spawntruejwdyna_install_typeperm_alljwdy
/access/jwdyna_sg_scripttruejwdyna_install_typeperm_alljwdyna_sg_reconnectfalsejw

# Reference: https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel
# Reference: https://otx.alienvault.com/pulse/654cebe5f4bb9281496a1b4b
# Reference: https://app.any.run/tasks/9190151a-739e-41c0-b89d-71bf74414ab4/
# Reference: https://www.virustotal.com/gui/ip-address/94.131.109.65/relations
# Reference: https://www.virustotal.com/gui/file/63e404011aeabb964ce63f467be29d678d0576bddb72124d491ab5565e1044cf/detection
# Reference: https://www.virustotal.com/gui/file/ffbcafc28eb2e83603479882a17f04c4df0a9a2cbe952724c4279fc347906df0/detection
# Reference: https://www.virustotal.com/gui/file/5e871ae33537e7e98c81ef55e662d7052ead20195212bf16ebd6fe0a506c9638/detection

http://109.201.140.103
http://137.74.131.18
http://137.74.131.20
http://141.95.177.130
http://162.223.89.11
http://164.132.237.65
http://185.248.144.158
http://45.150.64.23
http://45.150.64.239
http://45.150.64.39
http://45.67.230.91
http://91.121.240.108
http://91.121.61.76
http://94.131.109.65
http://94.131.98.14
http://95.164.38.99
http://95.164.46.199
http://95.164.46.35
6nc051221c.co
googlechromeupdate.ga
googlechromeupdate.ml
nc1310022a.biz
ghostrider.serveirc.com
jbf1.nc1310022a.biz
mbcaction.hopto.org
microsoftfice.ddns.net
mirosoftcloud.ddns.net
qjk2.6nc051221c.co
/Q8s1qzzUdDhaPaRm

# Reference: https://twitter.com/1ZRR4H/status/1743683396369273219
# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms

45.150.64.39:443
45.67.230.91:443
94.131.109.65:443
94.131.98.14:443
95.164.38.99:443
95.164.46.199:443
/HJ3ytbqpne2tsJTEJi2D8s0hWo172A0aT
/HR5rOv8enEKonD4a0UdeGXD3xtxWix2Nf

# Reference: https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater

6nc051221a.co
6nc220721.co

# Reference: https://twitter.com/k3yp0d/status/1768102580142432694

kinneretacil.egnyte.com

# Reference: https://twitter.com/MichalKoczwara/status/1786833922426310802
# Reference: https://app.validin.com/detail?type=dom&find=mason.burton.onionmail.org
# Reference: https://www.virustotal.com/gui/file/d7588487206137cbdc95d990bc5266af6a0538653862665534c14bb8f56b76c6/detection

appsharecloud.com
asure-onlinee.com
aurasync2.com
googleonlinee.com
jetscaler.com
microsoft-corp.com
microsofthosting.com
softwaree-cloud.com
webapicloud.com
webftpcloud.com
websiteapicloud.com
websiteftpcloud.com
webhook.site/39cc8972-28eb-4721-b77d-12287d038f67

# Reference: https://twitter.com/k3yp0d/status/1781235018037137554
# Reference: https://twitter.com/N3wbound/status/1781416864158990536
# Reference: https://www.virustotal.com/gui/ip-address/193.109.120.59/relations
# Reference: https://www.virustotal.com/gui/ip-address/194.4.50.133/relations
# Reference: https://www.virustotal.com/gui/ip-address/5.252.23.52/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.235.234.202/relations
# Reference: https://www.virustotal.com/gui/ip-address/95.164.32.69/relations
# Reference: https://www.virustotal.com/gui/file/4f839eac8204930ecc21a35476069daabbd40c14ef5af4db0e66de9b6a2e62fb/detection

193.109.120.59:8008
onlinemailerservices.com
smtpcloudapp.com
smartcloudcompany.com
softwarehosts.com

# Reference: https://twitter.com/MichalKoczwara/status/1789731234844749991
# Reference: https://www.virustotal.com/gui/ip-address/185.234.67.49/relations

suppcloudtech.com
supptechcloud.com

# Reference: https://twitter.com/MichalKoczwara/status/1790072660984029583
# Reference: https://twitter.com/dimitribest/status/1790089941856170152

bing-google-soft.com
google-softnet.com
softnewdomain.com

# Reference: https://x.com/suyog41/status/1793935723961143625
# Reference: https://x.com/IronNetTR/status/1793665413898977363
# Reference: https://x.com/beacon_exe/status/1793683124494438490
# Reference: https://www.virustotal.com/gui/file/d2809e3e60e5d9671be8644750ad1b385aaa6b4ff01fef8fc594d81c69275a33/detection
# Reference: https://www.virustotal.com/gui/file/7b1b332c653d62effffffd27a8da5bf78c0a5e5c1fb04191e0943333671c46c3/detection

http://45.140.147.81
bing-google-soft.com
domainsoftcloud.com
google-softnet.com
google-word.com
googlelinks.net
googlevalues.com
softnewdomain.com

# Reference: https://app.validin.com/detail?find=hosterdaddy.mars.orderbox-dns.com&type=dom&ref_id=7cd5a407820#tab=dns

administratie.in
bevestig.in
binden.in
hoofgroup.com
logincheck.in
metamask-zendesk.in
pagevalid.in
protocol-security.in
secureportal.in
security-verification.in
securitycloud.in
supportstaff.in
updateaccount.in
valiantservicesltd.com
validsignature.in
veiligheid-gebruikers.com
verbinden.in
verfypage.in
virtualscopemedia.com
wallet-confirmation.in
wallet-sign.in
web3secureapp.com

# Reference: https://x.com/ClearskySec/status/1799829814011994120
# Reference: https://www.virustotal.com/gui/file/b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca/detection
# Reference: https://www.virustotal.com/gui/file/960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809/detection
# Reference: https://www.virustotal.com/gui/file/94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472/detection
# Reference: https://www.virustotal.com/gui/file/73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e/detection

146.19.143.14:443
91.235.234.202:443
alkan.egnyte.com
cnsmportal.egnyte.com

# Reference: https://x.com/ClearskySec/status/1801195517763789103
# Reference: https://x.com/k3yp0d/status/1801216991379718151
# Reference: https://x.com/k3yp0d/status/1801219587544846764
# Reference: https://x.com/k3yp0d/status/1801218600398627185
# Reference: https://www.virustotal.com/gui/file/9fa005b02525c2b654f32faf842c440339b23bd20723708b2414e278cabb9989/detection
# Reference: https://www.virustotal.com/gui/file/c23f17b92b13464a570f737a86c0960d5106868aaa5eac2f2bac573c3314eb0f/detection

fbcsoft.egnyte.com
gcare.egnyte.com
ksa1.egnyte.com
nour.egnyte.com

# Reference: https://x.com/ClearskySec/status/1804888199535194312

cairoairport.egnyte.com

# Reference: https://x.com/ClearskySec/status/1808059886237782423

airpaz.egnyte.com

# Reference: https://x.com/k3yp0d/status/1808479675808731632
# Reference: https://www.virustotal.com/gui/file/8fbd374d4659efdc5b5a57ff4168236aeaab6dae4af6b92d99ac28e05f04e5c1/detection

d25btwd9wax8gu.cloudfront.net
silbermintz1.egnyte.com

# Reference: https://x.com/ClearskySec/status/1811386859844444296
# Reference: https://www.virustotal.com/gui/file/a0c86b0a16fe8e491da3cd01e76ce9ed26c0d4ecd13ebaea6e26b8a7c1c8b90c/detection
# Reference: https://www.virustotal.com/gui/file/5df724c220aed7b4878a2a557502a5cefee736406e25ca48ca11a70608f3a1c0/detection
# Reference: https://www.virustotal.com/gui/file/94b5c49eda9868d53fe8c3b7622eabde2c452d60d0c6bc881b1e79f709b81b16/detection

downloadfile.egnyte.com
fileuploadcloud.egnyte.com

# Reference: https://x.com/k3yp0d/status/1812434712800960718
# Reference: https://www.virustotal.com/gui/file/5df724c220aed7b4878a2a557502a5cefee736406e25ca48ca11a70608f3a1c0/detection

85.239.61.97:443
airpazflys.egnyte.com

# Reference: https://x.com/k3yp0d/status/1820078443075141969

offtecportal.egnyte.com

# Reference: https://x.com/k3yp0d/status/1825168139169964466
# Reference: https://www.virustotal.com/gui/file/bb3f5b0faa1b98be3881ae2d59c7f42a8696a96b3e56e19c9cc2f22cd2e1ebec/detection

michlalah.egnyte.com

# Reference: https://x.com/k3yp0d/status/1826614306592739732
# Reference: https://www.virustotal.com/gui/file/ac5489796f759fbb23fe2ed60ec7a48855ee24a4e8bd2d33391617f1a69c029d/detection

http://5.196.249.163

# Reference: https://x.com/k3yp0d/status/1826552421956399176
# Reference: https://aksk.gov.al/wp-content/uploads/2024/04/Spear-Phishing_Malware-analysis-kurs-trajnimi.zip-ScreenConnectWindows.pdf
# Reference: https://www.virustotal.com/gui/file/7863a1d2d90b2b739663843f977876640a10760896e74f15655fbbefa444ccc2/detection
# Reference: https://www.virustotal.com/gui/file/ac34e44a897a626c34db1c18efcf707fc1d5473a46117586649f31f53c28496a/detection

instance-s1t9su-relay.screenconnect.com

# Reference: https://x.com/Huntio/status/1827587808225325130
# Reference: https://hunt.io/blog/toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit
# Reference: https://tria.ge/240816-pn7j9sydlj/behavioral5
# Reference: https://app.any.run/tasks/afe95446-ef52-4acb-a4fb-a76b636e8b8b/

http://103.27.108.14
103.27.108.14:3389
103.27.108.14:443

# Reference: https://hunt.io/blog/toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit

http://103.27.109.206
http://103.27.109.52
http://103.43.16.65
http://137.220.251.44
http://43.246.209.139
http://45.115.236.142
http://45.115.236.143
103.27.109.206:3389
103.27.109.52:3389
103.43.16.65:3389
137.220.251.44:3389
43.246.209.139:3389
45.115.236.142:3389
45.115.236.143:3389
103.27.109.206:443
103.27.109.52:443
103.43.16.65:443
137.220.251.44:443
43.246.209.139:443
45.115.236.142:443
45.115.236.143:443

# Reference: https://x.com/k3yp0d/status/1838916882067271948
# Reference: https://www.virustotal.com/gui/file/4133ba05e42f4f302652f79ae65c4f81a6a0d617a7d36752a4be14abe3aee502/detection

pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com

# Reference: https://x.com/StrikeReadyLabs/status/1848534955724357771
# Reference: https://app.validin.com/detail?type=ip&find=192.3.95.152#tab=resolutions
# Reference: https://www.virustotal.com/gui/file/c3b7cb3b81fecd98d3c5be37034b0f81e99ecf31cbbfb45e3e5fcb75842587ac/detection
# Reference: https://www.virustotal.com/gui/file/74daa75b074f404016b480c2b63ddd1b02e1181ce8a6b564b61008f47251cce3/detection

my-sharepoint-inc.com
safelinks-microsoftonline.com
secure-cloudnow.com

# Reference: https://news.sophos.com/en-us/2024/11/20/sophos-mdr-blocks-and-tracks-activity-from-probable-iranian-state-actor-muddywater/

51.16.209.105:22

# Reference: https://x.com/k3yp0d/status/1933859019443057057
# Reference: https://www.virustotal.com/gui/file/b99edfb9ef9e1fb4a587e4a4a66d1947739036887dd22e24602c877b0045f070/detection
# Reference: https://www.virustotal.com/gui/file/c3afd5ce1ca50a38438bb5026cca27bfbf2d8e786e03f323adceb8ad17517eca/detection

46.101.36.39:443

# Reference: https://x.com/k3yp0d/status/1938251405585785188
# Reference: https://x.com/k3yp0d/status/1938251408244945128
# Reference: https://www.virustotal.com/gui/file/40dead1e1d83107698ff96bce9ea52236803b15b63fb0002e0b55af71a9b5e05/detection
# Reference: https://www.virustotal.com/gui/file/e9a59bbb4e2c28130d4daae12219f7ec2876c66ca9ab7e051cbf587770afab94/detection

netivtech.org

# Reference: https://x.com/hiphoponelove_/status/1947284227956904441
# Reference: https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware
# Reference: https://www.virustotal.com/gui/file/aa656a243d2008327e06fd5bbad919eea99aa271132dbaeabb146e22effbfd1b/detection
# Reference: https://www.virustotal.com/gui/file/524ae76c16a38476e9a4d1721d2f0144ee1c93e6d01261af958a0043488b68d4/detection

http://185.203.119.134
http://192.121.113.60
http://194.26.213.176
http://45.86.163.10
http://46.30.188.243
http://77.75.230.135
http://79.132.128.81
45.86.163.44:1254
hs1.iphide.net
hs2.iphide.net
hs3.iphide.net
hs4.iphide.net
it1.comodo-vpn.com
n14mit69company.top
r1.earthvpn.org
r2.earthvpn.org

# Reference: https://hunt.io/blog/apt-muddywater-deploys-multi-stage-phishing-to-target-cfos

cloud-233f9.firebaseapp.com
cloud-233f9.web.app
cloud-ed980.web.app
googl-165a0.web.app
googl-6c11f.web.app
my1cloudlive.com
my2cloudlive.com

# Generic

/getCommand?guid=
/getTargetInfo?guid=
