# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: MQsTTang, RedDelta, Stately Taurus, Earth Preta, ceranakeeper, toneshell, UTG-Q-011, hive0154, pubload, BASIN, HoneyMyte, Red Lich, TEMP.Hex, Twill Typhoon, UNC6384, Yokai

# Reference: https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
# Reference: https://otx.alienvault.com/pulse/5d9c72d7e2efa3b5aa799b41

http://144.202.54.8
http://154.221.24.47
adobephotostage.com
airdndvn.com
apple-net.com
infosecvn.com
officeproduces.com
wbemsystem.com
yahoorealtors.com
update.olk4.com

# Reference: https://twitter.com/cyber__sloth/status/1229080836487540736

149.28.156.153:443

# Reference: https://twitter.com/hackingump1/status/1241760059543244805
# Reference: https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/
# Reference: https://www.virustotal.com/gui/ip-address/123.51.185.75/relations

http://123.51.185.75

# Reference: https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/
# Reference: https://otx.alienvault.com/pulse/5ed7c36c21ae174ca3acfaee

destroy2013.com
fitehook.com
miandfish.store

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf
# Reference: https://otx.alienvault.com/pulse/5f219067fd875a905691df22

cabsecnow.com
hostareas.com
jsquerys.net
ipsoftwarelabs.com
lameers.com
miscrosaft.com
systeminfor.com

# Reference: https://twitter.com/cyber__sloth/status/1296722004964409349

http://103.85.24.161

# Reference: https://twitter.com/IntezerLabs/status/1316384526323638274
# Reference: https://www.virustotal.com/gui/file/c0331d4dee56ef0a8bb8e3d31bdfd3381bafc6ee80b85b338cee4001f7fb3d8c/detection
# Reference: https://www.virustotal.com/gui/file/d0dd9c624bb2b33de96c29b0ccb5aa5b43ce83a54e2842f1643247811487f8d9/detection

flach.cn

# Reference: https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/

103.200.97.189:965
103.200.97.189:110
185.239.226.17:965
185.239.226.17:110

# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html
# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html
# Reference: https://drive.google.com/file/d/1OpPiT6ieub3_q0sLIxGt8iI85tInqjoU/view
# Reference: https://any.run/report/bbbeb1a937274825b0434414fa2d9ec629ba846b1e3e33a59c613b54d375e4d2/dd877b4d-8b36-48c0-af07-ce37fd9fee7b

vietnam.zing.photos

# Reference: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf
# Reference: https://otx.alienvault.com/pulse/6050e65d389812e02dfca3c3

159.138.84.217:81
buyonebuy.top
careerhuawei.net
huaweiyuncdn.com
cdn.update.huaweiyuncdn.com
cdn1.update.huaweiyuncdn.com
flash-update.buyonebuy.top
hr.careerhuawei.net
info.careerhuawei.net
infoadmin.update.huaweiyuncdn.com
update.careerhuawei.net
update.huaweiyuncdn.com
download.flach.cn
forum.flach.cn
info.flach.cn
m.flach.cn
mobile.flach.cn
terminal.flach.cn
update.flach.cn
/c0c00c0c/

# Reference: https://twitter.com/s1ckb017/status/1475621967160123395
# Reference: https://www.virustotal.com/gui/file/df84d6c284dd39c2bfed6f8eb26149a4154396c27de50595ed5d80b428930dcd/detection

http://103.15.28.208

# Reference: https://twitter.com/s1ckb017/status/1492069505803116546

http://202.58.105.38

# Reference: https://twitter.com/StillAzureH/status/1505823479945625604
# Reference: https://www.virustotal.com/gui/file/bb2990a1bbc417cfec40d5f1a6a8b22cac0ef21aed869dd8503e28573cf84401/detection

http://155.94.200.206
155.94.200.206:5008

# Reference: https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
# Reference: https://www.virustotal.com/gui/file/0d154e036b4de53059b5a24a1677fb546e1c136d6d0aa37c21a878c24891ee2c/detection
# Reference: https://www.virustotal.com/gui/file/9170169ae732c3a843c871be73875ea1bc8081876db5f9bcfd5f05d792bcaef0/detection
# Reference: https://www.virustotal.com/gui/file/effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1/detection

http://103.56.53.120
http://154.204.27.181
http://185.207.153.208
http://43.254.218.42
http://45.131.179.179
http://92.118.188.78
103.56.53.120:8080
154.204.27.181:110
45.131.179.179:110
45.131.179.179:5938
92.118.188.78:443
coolboxpc.com
locvnpt.com
snova-tech.com
urmsec.com

# Reference: https://twitter.com/G60930953/status/1507031738282909698
# Reference: https://www.virustotal.com/gui/file/887345540f1bf31c40755edcda2e3dd9fe640122fc9020f3873c895daa2378bf/detection

http://155.94.200.209
http://155.94.200.211
155.94.200.211:5008
155.94.200.212:443

# Reference: https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/
# Reference: https://otx.alienvault.com/pulse/6144875da41b403380a06521
# Reference: https://www.virustotal.com/gui/file/0198949a02fc4dcd65c29c028ba5f20365dc629d764f9e0a95721300b9fadbad/detection
# Reference: https://www.virustotal.com/gui/file/ab9324028bcc347040a058d41c079c0205398d200a63a6ed6cbe1df973634b2d/detection

http://103.231.14.134

# Reference: https://otx.alienvault.com/pulse/613914361364535ed5d60bc4

dodefoh.com
hidusi.com
joxinu.com
macuwuf.com
/e32c8df2cf6b7a16/
/e8c76295a5f9acb7/

# Reference: https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html

103.15.28.145:6666
110.42.64.64:24680
president-office.gov.mm

# Reference: https://twitter.com/kienbigmummy/status/1532305081676464128
# Reference: https://www.virustotal.com/gui/file/843709a59f12ff7aa06a5837be7a1a93fdf6f02f99936af6658c166e8abcaa2d/detection
# Reference: https://www.virustotal.com/gui/file/60ee19bb558d20c2591569ddb73fc90787dd47a07453e252a3afcaa222dde125/detection
# Reference: https://www.virustotal.com/gui/file/558cbbcb969fe2fa3f1c74c376e307efcdbe3bad7497095619927edd5762363a/detection

154.204.26.120:22
45.134.83.4:22
154.204.26.120:443
154.204.27.130:443
45.134.83.4:443
hilifimyanmar.com
myanmarnewsonline.org
download.hilifimyanmar.com
update.hilifimyanmar.com
images.myanmarnewsonline.org

# Reference: https://twitter.com/kienbigmummy/status/1544537348670881792
# Reference: https://www.virustotal.com/gui/file/8f32bebce3a4f35531de592ed57af7b63906d64565f36abe91298acc8ea3e93d/detection

64.34.205.41:443

# Reference: https://twitter.com/malwrhunterteam/status/1546857896755044358
# Reference: https://twitter.com/h2jazi/status/1546861105678524418
# Reference: https://www.virustotal.com/gui/file/a693b9f9ffc5f4900e094b1d1360f7e7b907c9c8680abfeace34e1a8e380f405/detection

http://98.142.251.29

# Reference: https://twitter.com/kienbigmummy/status/1549058500806197248
# Reference: https://www.virustotal.com/gui/file/1de88a2ad4fd1b16005558591fa2a385f2fe343162bbca328384600c167df721/detection
# Reference: https://www.virustotal.com/gui/file/563611caf1787441dcc12c5a77427224b5f1ac0d18efac4032ab67eed3a99928/detection

103.192.226.46:443
45.131.179.179:22
45.131.179.179:443
45.131.179.179:5938
/uVdjpZ

# Reference: https://twitter.com/kienbigmummy/status/1553737903398072320
# Reference: https://www.virustotal.com/gui/file/00fbfaf36114d3ff9e2c43885341f1c02fade82b49d1cf451bc756d992c84b06/detection

http://45.142.166.112
45.142.166.112:110
45.142.166.112:443

# Reference: https://twitter.com/kienbigmummy/status/1582217448731729920
# Reference: https://twitter.com/kienbigmummy/status/1582217473499140097
# Reference: https://www.virustotal.com/gui/file/becdb31a669676dac3e797fb6db482f9fd644853e73fc28eb0031bd58487d081/detection

107.181.160.16:443

# Reference: https://twitter.com/barberousse_bin/status/1594791243489345537
# Reference: https://www.virustotal.com/gui/file/e8357cacdccdb4670f6ae427a781f36a9c4b268907f83c1ce3502a0fd9ce2606/detection

http://158.255.2.63

# Reference: https://twitter.com/katechondic/status/1556940169483264000
# Reference: https://twitter.com/katechondic/status/1557031529141964801
# Reference: https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/IOCs-earth-preta-spear-phishing-since-march.txt
# Reference: https://www.virustotal.com/gui/file/c52828dbf62fc52ae750ada43c505c934f1faeb9c58d71c76bdb398a3fbbe1e2/detection

http://103.15.29.179
http://103.75.190.224
http://202.53.148.24
http://202.53.148.26
http://89.38.225.151

# Reference: https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
# Reference: https://www.virustotal.com/gui/file/f70d3601fb456a18ed7e7ed599d10783447016da78234f5dca61b8bd3a084a15/detection

http://103.192.226.87
http://104.42.43.178
http://185.80.201.4
http://194.124.227.90
http://43.254.218.128
http://45.147.26.45
http://45.32.101.7
http://62.233.57.49
http://64.34.216.44
http://64.34.216.50
5.34.178.156:443

# Reference: https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/
# Reference: https://www.virustotal.com/gui/file/ab62e351a56e0f749d36dc6ec6b1211f1becc52305478fa5653c6236a221a85e/detection

45.90.59.153:443

# Reference: https://twitter.com/StopMalvertisin/status/1610961056163311619
# Reference: https://www.virustotal.com/gui/ip-address/142.250.178.4/relations
# Reference: https://www.virustotal.com/gui/ip-address/5.34.182.68/relations
# Reference: https://www.virustotal.com/gui/file/0ac93ddc58e7666eae677812d3be93fe8f922ffc32baeee0f803109341dc1ea7/detection
# Reference: https://www.virustotal.com/gui/file/8964dce6ae40681a51226b7912728c589c33febba1a1547c351353fea6a6571c/detection

blogdirve.com
mashupdatabase.com
microsite-manager.com

# Reference: https://twitter.com/t3ft3lb/status/1620848769607806976
# Reference: https://www.virustotal.com/gui/file/48e2ebee3f8de80c4a50f1dd948e8e9a41509f4847a574f67a453c154d21ce60/detection

195.123.218.78:443

# Reference: https://twitter.com/Unit42_Intel/status/1626613722700472320
# Reference: https://www.virustotal.com/gui/file/e2a6a2b7a55d0d5cfb406a9ba941558a4b10a998f232e945ceaa79261aa05086/detection

3.228.54.173:1883
54.87.92.106:1883

# Reference: https://twitter.com/StopMalvertisin/status/1635620870214352901
# Reference: https://www.virustotal.com/gui/file/6d18906c49e213ca0db7b2ce28f1a20066c521367fc61caae0710bf0e10cfc9e/detection

45.90.59.39:443
midasconsilium.com

# Reference: https://twitter.com/t3ft3lb/status/1656194831830401024
# Reference: https://twitter.com/t3ft3lb/status/1656297883048505346
# Reference: https://www.virustotal.com/gui/file/3489955d23e66d6f34b3ada70b4d228547dbb3ccb0f6c7282553cbbdeaf168cb/detection
# Reference: https://www.virustotal.com/gui/file/ce308b538ff3a0be0dbcee753db7e556a54b4aeddbddd0c03db7126b08911fe2/detection

62.233.57.136:443
jcswcd.com

# Reference: https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
# Reference: https://otx.alienvault.com/pulse/64a5960b230e2e9a1bf9ec66

newsmailnet.com

# Reference: https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/
# Reference: https://www.virustotal.com/gui/file/c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1/detection

ivibers.com
meetvibersapi.com

# Reference: https://twitter.com/Cuser07/status/1748000699122958665
# Reference: https://www.virustotal.com/gui/file/a00673e35eaccf494977f4e9a957d5820a20fe6b589c796f9085a0271e8c380c/detection
# Reference: https://www.virustotal.com/gui/file/b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18/detection

openservername.com

# Reference: https://twitter.com/Jane_0sint/status/1750537878420295808
# Reference: https://www.virustotal.com/gui/file/dd261a5db199b32414c33136aed44c3ebe2ae55f18991ae3dc341fc43a1ef7f4/detection
# Reference: https://www.virustotal.com/gui/file/5afe21142999659a4050f6e038a6dab96cf4827f332497049a91cdb1a4d4828b/detection
# Reference: https://www.virustotal.com/gui/file/2a00d95b658e11ca71a8de532999dd33ddee7f80432653427eaa885b611ddd87/detection
# Reference: https://www.virustotal.com/gui/file/51d89afe0a49a3abf88ed6f032e4f0a83949fc44489fc7b45c860020f905c9d7/detection

103.159.132.80:443
103.249.84.137:443
123.253.32.15:443
91.245.253.46:443
militarytc.com

# Reference: https://www.secureworks.com/research/bronze-president-targets-ngos
# Reference: https://otx.alienvault.com/pulse/5e0a1aa2617f951d88c9d891

apple-net.com
forexdualsystem.com
ipsoftwarelabs.com
lionforcesystems.com
oshibadrive.com
strust.club
svchosts.com
svrhosts.com
wbemsystem.com

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware%20analysis%2020-08-19.md
# Reference: https://www.virustotal.com/gui/ip-address/167.88.180.148/relations

http://167.88.180.148
247up.org
apple-net.com
mediadomainservice.org
renewyourclicks.org
siteup-365.org

# Reference: https://www.trendmicro.com/en_za/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html

http://103.159.132.91
http://185.144.31.86
http://80.85.156.151
http://80.85.156.232
http://80.85.156.240
http://80.85.157.3
139.180.217.142:5000
80.85.156.151:8000
johnsimde.xyz
myanmarfreedomwork.org
em2in.johnsimde.xyz
iot.johnsimde.xyz
rewards.roshan.af
sa2il.johnsimde.xyz
taiwallace.pserver.space
/ewfuck
/ewfuck00000

# Reference: https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/earth-preta-campaign-uses-doplugs-to-target-asia/ioc-earth-preta-doplugs.txt

103.107.104.37:443
149.104.11.29:443
149.104.12.64:443
185.82.216.184:443
195.123.246.26:22
195.211.96.99:443
45.83.236.105:443
bonuscave.com
electrictulsa.com
getfiledown.com
getfilefox.com
iamc2c2.com
images.kiidcloud.com
images.markplay.net
markplay.net
meetviberapi.com
news.comsnews.com
thisistestc2.com
web.bonuscave.com

# Reference: https://twitter.com/8th_grey_owl/status/1767860327369298026

103.27.109.157:443

# Reference: https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/
# Reference: https://www.virustotal.com/gui/file/02f4186b532b3e33a5cd6d9a39d9469b8d9c12df7cb45dba6dcab912b03e3cb8/detection

http://123.253.32.71
http://139.59.46.88
http://65.20.103.231
139.59.46.88:443
139.59.46.88:8080
139.59.46.88:8443
139.59.46.88:9443
146.70.149.36:443
192.153.57.98:8080
193.149.129.93:8443
65.20.103.231:81
daydreamdew.net
nerdnooks.com
ai.nerdnooks.com
web.daydreamdew.net

# Reference: https://twitter.com/h2jazi/status/1775911374821941432
# Reference: https://www.virustotal.com/gui/file/f1f6024579e7c3475f5182aa177f791d1bdffc2e8ceb1e71758d02c2bdf3715a/detection

45.76.132.25:443

# Reference: https://x.com/StrikeReadyLabs/status/1795091326398009447
# Reference: https://www.virustotal.com/gui/file/e0e0f2af3af10b09951983badd05b48be1bc0530381e0fd369ebc5a1c86e39ed/detection
# Reference: https://www.virustotal.com/gui/file/d4b9f7c167bc69471baf9e18afd924cf9583b12eee0f088c98abfc55efd77617/detection

shreyaninfotech.com

# Reference: https://x.com/h2jazi/status/1796201393415418282
# Reference: https://www.virustotal.com/gui/file/47eb43acdd342d3975000f650cf656d9f0f759780d85f16d806d6b9a70f1be46/detection

tripadviso.online
vlvlvlvl.site
back.vlvlvlvl.site
mega.vlvlvlvl.site
deleted.tripadviso.online
payment.tripadviso.online

# Reference: https://x.com/4rchib4ld/status/1805514091240296879
# Reference: https://www.virustotal.com/gui/file/736036bc0069eaec6c489e95553111cd235adb07bc19ddbdd2c63ec41a90d0dd/detection
# Reference: https://www.virustotal.com/gui/file/3adf6df9bfc377a762f4cebe9e5b5e7d7a823de03f6bfe8efa8ed5473ce10bc1/detection

61.4.102.75:443

# Reference: https://www.macnica.co.jp/business/security/security-reports/pdf/cyberespionage_report_2023.pdf
# Reference: https://www.virustotal.com/gui/file/505f0409d896d34be04565609fd3484d78dd93469e9c338c365b106a802c1082/detection

45.43.63.219:111
45.43.63.219:236

# Reference: https://x.com/StrikeReadyLabs/status/1811711337313042845
# Reference: https://www.virustotal.com/gui/file/cb42d6a839d2cb81479fb04c9fb3bd9264b2f0ea08d96549c8c8f0a0d6567346/detection

104.194.154.150:443

# Reference: https://x.com/nao_sec/status/1819021807602782522
# Reference: https://www.virustotal.com/gui/file/ca0dfda9a329f5729b3ca07c6578b3b6560e7cfaeff8d988d1fe8c9ca6896da5/detection

cdn7s65.z13.web.core.windows.net

# Reference: https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-preta-evolves-its-attacks-with-new-malware-and-strategies/IOC%20List%20-%20Earth%20Preta%20Evolves%20its%20Attacks%20with%20New%20Malware%20and%20Strategies.txt

103.15.29.17:443
154.90.32.88:443
18.163.112.181:443
47.253.106.177:443
47.76.87.55:443
aihkstore.com
bcller.com
ynsins.com

# Reference: https://x.com/VirITeXplorer/status/1829426003103363123
# Reference: https://x.com/Thisism23567356/status/1834216409787674754
# Reference: https://www.virustotal.com/gui/file/79d3481bac60ac1ecc7e2d1a4b86bde8a6b2c66f4e9c755f28512f7717f7badd/detection
# Reference: https://www.virustotal.com/gui/file/0b152012c1deab39c6ed7fe75a27168eaaec43ae025ee74d35c2fee2651b8902/detection
# Reference: https://www.virustotal.com/gui/file/00619a5312d6957248bac777c44c0e9dd871950c6785830695c51184217a1437/detection

conflictaslesson.com
goclamdep.net
kxmmcdmnb.online
lokjopppkuimlpo.shop
/eciwrnjnx
/eufzyzhd
/kjuehbit

# Reference: https://x.com/ESETresearch/status/1841466248367915019
# Reference: https://x.com/ESETresearch/status/1841466250469261374
# Reference: https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/
# Reference: https://github.com/eset/malware-ioc/tree/master/ceranakeeper
# Reference: https://www.virustotal.com/gui/ip-address/103.245.165.237/relations
# Reference: https://www.virustotal.com/gui/ip-address/103.27.202.185/relations
# Reference: https://www.virustotal.com/gui/file/b25c79ba507a256c9ca12a9bd34def6a33f9c087578c03d083d7863c708eca21/detection
# Reference: https://www.virustotal.com/gui/file/dafad19900fff383c2790e017c958a1e92e84f7bb159a2a7136923b715a4c94f/detection
# Reference: https://www.virustotal.com/gui/file/451ee465675e674cebe3c42ed41356ae2c972703e1dc7800a187426a6b34efdc/detection
# Reference: https://www.virustotal.com/gui/file/6655c5686b9b0292cf5121fc6346341bb888704b421a85a15011456a9a2c192a/detection

dl6yfsl.com
dljmp2p.com
inly5sf.com
toptipvideo.com
uvfr4ep.com

# Reference: https://x.com/frdfzi/status/1849616996222349674
# Reference: https://www.virustotal.com/gui/file/f00e5ff2dc47a7625c86ac89784d5aa26b210a8437b9fb150b66eb3798b3c1d6/detection

lyjxq3.com

# Reference: https://x.com/frdfzi/status/1858524001947279652
# Reference: https://www.virustotal.com/gui/ip-address/188.208.141.218/relations
# Reference: https://www.virustotal.com/gui/file/035d1f670b5e9d29d65fbb2b309ae042d6ee6807300162be9e3f6046ea27113f/detection

formainservercheap.com
preperlanguageserver.com

# Reference: https://x.com/Thisism23567356/status/1858518325346574666

openai-cheapagent.com

# Reference: https://x.com/Thisism23567356/status/1863490595550883976
# Reference: https://www.virustotal.com/gui/file/065585a379615b6bec23d1c9c414542c34c93ac269b6971b46e37007dd331da1/detection

146.70.149.186:443
srv1.blackberrygame.com

# Reference: https://x.com/smica83/status/1870033683547111614
# Reference: https://x.com/frdfzi/status/1870018996717924829
# Reference: https://www.virustotal.com/gui/file/5b18f8b379cb32945ef7722b7ec175f5d24e7c468f6f5d593c51610f6b87f21f/detection
# Reference: https://www.virustotal.com/gui/file/62087a1226c5433d6f6184d627c4874c347c1de1cb1c1fdbdc1b0cac1e354201/detection

http://185.62.57.118
http://45.144.165.66
185.62.57.118:443
45.144.165.66:443

# Reference: https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/

b8pjmgd6.com
fjke5oe.com
ggrdl4.com
gm4rys.com
hbsanews.com
i5y3dl.com
zimbra.page
update.fjke5oe.com

# Reference: https://ti.qianxin.com/blog/articles/operation-sea-elephant-the-dying-walrus-wandering-the-indian-ocean-en/
# Reference: https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247514297&idx=1&sn=976e0be3763db78860ce88dc76342a54&chksm=ea664fcedd11c6d8388a94c786a447613fd762176ae1bc0e3db9392494e787a019d71b37d415&scene=178&cur_album_id=1539799351089283075

185.140.12.224:443
185.243.112.79:52736
192.52.166.252:443
2.58.15.28:8090
45.86.162.125:52736
45.86.162.79:443
66.85.26.161:443
aliyunconsole.com
/cgyusdft/whfgujfg/
/csgdyhfywhefdj/gdydfhasc/
/cgyusdft/
/csgdyhfywhefdj/
/gdydfhasc/
/whfgujfg/

# Reference: https://x.com/Cyberteam008/status/1901817451274539274
# Reference: https://www.virustotal.com/gui/file/080386f5dc89d42d7c1e684ca371b57ea4f7df85a6ea05acaa364247e3f8d390/detection

103.56.18.101:443
103.56.18.101:53

# Reference: https://www.validin.com/blog/hunting_pandas/
# Reference: https://x.com/Thisism23567356/status/1904855651936776202
# Reference: https://app.validin.com/detail?find=b9dceb7aa7369a63f1c64648a3b8d0fa&type=hash&ref_id=98fc0b0493f#tab=host_pairs (# 2025-04-04)

103.107.104.61:443
103.107.104.61:8088
103.79.120.70:443
103.79.120.70:8088
103.79.120.71:443
103.79.120.71:8088
103.79.120.73:443
103.79.120.73:8088
103.79.120.74:443
103.79.120.74:8088
103.79.120.81:443
103.79.120.81:8088
103.79.120.85:443
103.79.120.89:443
136.0.141.189:443
136.0.141.189:5000
136.0.141.189:8088
139.180.192.163:443
139.180.192.163:8088
173.199.71.152:443
173.199.71.152:8443
223.26.52.245:443
223.26.52.245:5000
223.26.52.245:8090
38.89.72.133:443
45.152.65.213:443
45.195.69.111:443
45.195.69.111:5000
45.195.69.111:8088
83.229.127.115:443
83.229.127.115:5000
gclm.name
haberciinternational.com
jpkinki.com
renxinguo.com

# Reference: https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1
# Reference: https://www.virustotal.com/gui/ip-address/181.215.246.155/relations
# Reference: https://www.virustotal.com/gui/file/0d0296e94f6117ac0852b5c11a4caba09c4653a4927e62df0b7ec06c34f33354/detection

http://103.13.31.75
103.13.31.75:443
43.229.79.163:443
43.254.132.217:443
dest-working.com
profile-keybord.com
/heugojhgriuhn78867jhkbjkdgfhuie78/jhegiokj7889seghjegh786jkhegfukj/
/heugojhgriuhn78867jhkbjkdgfhuie78/
/jhegiokj7889seghjegh786jkhegfukj/

# Reference: https://x.com/Cyberteam008/status/1914501911241228629

aadcdn.msauth.document-invoiceviewer.online
aadcdn.msauth.document-viewer.xyz
aadcdn.msauth.documentpdfviewer.xyz
account.live.document-invoiceviewer.online
account.live.document-viewer.xyz
account.live.office-docs.online
accounts.documentpdfviewer.xyz
accounts.hmailevma5.documentpdfviewer.xyz
api.document-invoiceviewer.online
api.document-viewer.xyz
api.office-docs.online
b.document-viewer.xyz
csp.document-invoiceviewer.online
csp.document-viewer.xyz
csp.documentpdfviewer.xyz
csp.office-docs.online
document-invoiceviewer.online
document-viewer.xyz
documentinvoice-viewer.top
documentpdfviewer.xyz
events.api.document-invoiceviewer.online
events.api.document-viewer.xyz
events.api.office-docs.online
files.document-invoiceviewer.online
files.document-viewer.xyz
files.documentpdfviewer.xyz
files.office-docs.online
files.office3-docviewer.com
flowise.document-viewer.xyz
gui.document-invoiceviewer.online
gui.documentpdfviewer.xyz
gui.office-docs.online
hmailevma5.documentpdfviewer.xyz
img1.document-invoiceviewer.online
img1.documentpdfviewer.xyz
img1.office-docs.online
img6.document-invoiceviewer.online
img6.document-viewer.xyz
img6.documentpdfviewer.xyz
img6.office-docs.online
live.document-invoiceviewer.online
live.document-viewer.xyz
live.documentpdfviewer.xyz
live.office-docs.online
login-us.document-viewer.xyz
login.document-invoiceviewer.online
login.document-viewer.xyz
login.documentpdfviewer.xyz
login.live.document-invoiceviewer.online
login.live.documentpdfviewer.xyz
login.live.office-docs.online
login.office-docs.online
logincdn.document-invoiceviewer.online
logincdn.documentpdfviewer.xyz
logincdn.office-docs.online
m365.office-docs.online
msauth.document-invoiceviewer.online
msauth.document-viewer.xyz
msauth.documentpdfviewer.xyz
myaccount.documentpdfviewer.xyz
myaccount.hmailevma5.documentpdfviewer.xyz
myanmarclouddrive.ru
office-docs.online
office.document-invoiceviewer.online
office.document-viewer.xyz
office.documentpdfviewer.xyz
office.office-docs.online
office3-docviewer.com
pdf.document-viewer.xyz
pdf.documentpdfviewer.xyz
portal.document-invoiceviewer.online
portal.document-viewer.xyz
portal.office-docs.online
qa.flowise.document-viewer.xyz
sajjadsmziranir.iransmz.tech
share.office-docs.online
smz4.iransmz.tech
sso.document-invoiceviewer.online
webmail.documentpdfviewer.xyz

# Reference: https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor
# Reference: https://www.virustotal.com/gui/file/d99e33878e23582308b1e217aff4a5f8f0836735338b4a4dff80ee85989d22a8/detection
# Reference: https://www.virustotal.com/gui/file/98c1527d4b064fcf4a95488c34576e5f443585cb6e385c7b8765e63fa9e83ccc/detection
# Reference: https://www.virustotal.com/gui/file/9335e9ec308de135651bec4b3f2f4f43324e7ab40329796e6d4343698c8a0d2a/detection
# Reference: https://www.virustotal.com/gui/file/6e408aada775eaf19c524792344cabca0b406247154e2b03ed03a929e0feee5a/detection

218.255.96.245:443

# Reference: https://twitter.com/k3yp0d/status/1683811748871122944
# Reference: https://go.recordedfuture.com/hubfs/reports/cta-cn-2025-0109.pdf
# Reference: https://www.virustotal.com/gui/file/a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129/detection
# Reference: https://www.virustotal.com/gui/file/471e61015ff18349f4bf357447597a54579839336188d98d299b14cff458d132/detection

estmongolia.com
mongolianshipregistrar.com
tasensors.com

# Reference: http://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats/

166.88.2.90:443
mediareleaseupdates.com

# Reference: https://x.com/felixaime/status/1674724194976776194
# Reference: https://www.virustotal.com/gui/file/1ea6fe1028f14b75dcacc7ec4ffab5fcea9fd3322ae8f790a4804f764883983d/detection

107.155.56.87:443
107.155.56.87:53
152.32.130.139:443
152.32.130.139:5000
86.0.0.13:8080

# Reference: https://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor
# Reference: https://www.virustotal.com/gui/file/564a03763879aaed4da8a8c1d6067f4112d8e13bb46c2f80e0fcb9ffdd40384c/detection
# Reference: https://www.virustotal.com/gui/file/c6e2d561b20fa38f79a28350cb397ae0863008585190b6857faabda6cb9b9d7c/detection

http://118.174.183.89
146.70.29.229:443
sclickvpn.com
/kptinfo/import/index.php

# Reference: https://x.com/SinghSoodeep/status/1974780785782837632

mydownload.z29.web.core.windows.net
