# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apachestealer, confucius, patchwork, protego, protegorat, sneepy, droppingelephant, sloppylemming, chinastrats, monsoon, sarit, quilted tiger, apt-c-09, zinc emerson

# Reference: https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/
# Reference: https://otx.alienvault.com/pulse/5d68fa5d04b58d378df39abf

http://123.57.158.115
http://146.185.234.71
http://149.56.80.64
http://176.107.182.24
http://185.203.116.58
http://185.82.217.200
http://188.165.124.30
http://43.249.37.165
http://46.183.216.222
http://81.17.30.28
http://91.229.79.183
http://94.156.35.204
/byuehf8af.php
/dfae43rsfdgq4e.php
/dqvabs.php
/f3af3fasf32.php
/ghsnls.php
/j8fiandfuesmg.php
/sadk9f043ejf.php
/sg4gasdnjf984.php
/u5a3ewfasdk9.php

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/
# Reference: https://twitter.com/shotgunner101/status/1084111296746921986
# Reference: https://otx.alienvault.com/pulse/5c3c8199888d403ecee5e463

kielsoservice.net
frameworksupport.net

# Reference: https://twitter.com/blackorbird/status/1119518720794058752
# Reference: https://www.virustotal.com/gui/file/e94659941847dac6e5483df31d6429c9bfb339a013079f41ea52e7fe86d7f061/detection
# Reference: https://s.tencent.com/research/report/711.html (Chinese)

crowcatcher.net
global-news.center
useraccount.co
188.241.58.60:21
188.241.58.61:21

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/
# Reference: https://brica.de/alerts/alert/public/1215663/new-confucius-malware-campaign-has-links-to-patchwork-cybergang/

errorfeedback.com

# Reference: https://twitter.com/h4ckak/status/1161208604566966272

http://139.28.38.231

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/
# Reference: https://documents.trendmicro.com/assets/appendix-deciphering-confucius-cyberespionage-operations.pdf

http://199.101.187.54
http://45.63.43.29
http://45.76.33.53
http://46.165.207.108
http://5.135.73.109
http://5.135.73.109
http://91.210.107.104
http://94.242.219.205
46.165.249.223:80
5.199.163.51:4343
91.210.107.106:80
91.210.107.109:80
91.210.107.110:80
adhath-learning.com
freeintrnet.com
mfone.net
mofu.tech
simplechatpoint.ddns.net
truth786.com
tweetychat.com
/android_connect/insert_account.php
/android_connect/insert_contacts.php
/android_connect/insert_file_list.php
/android_connect/insert_sms.php
/android_connect/upload_file_content.php

# Reference: https://twitter.com/RedDrip7/status/1184099910892670976

yetwq.twilightparadox.com

# Reference: https://twitter.com/spider_girl22/status/1172044630512164864

192.250.236.76:80

# Reference: https://twitter.com/Rmy_Reserve/status/1172016149971619841

upgrading-office-content.esy.es

# Reference: https://twitter.com/Arkbird_SOLG/status/1225014088755044353

185.193.38.24:443

# Reference: https://www.cymmetria.com/wp-content/uploads/2017/10/Unveiling-Patchwork.pdf

163-cn.org
81-cn.net
aaskmee.com
alfred.ignorelist.com
annchenn.com
asiandefnetwork.com
blingblingg.com
chinastrat.com
chinastrats.com
climaxcn.com
cndailynetwork.info
dailychina.news
epg-cn.com
expatchina.info
extremebolt.com
extrememachine.org
extremerebolt.com
eyescreem.com
greatdexter.com
haiwaipengyou.com
info81.com
junshiyuehui.com
letsgetclose.com
lujunxinxi.com
majidalfuttaiim.com
matrixrevolt.com
militaryworkerscn.com
milresearchcn.com
miltechcn.com
miltechweb.com
modgovcn.com
mozarting.com
nduformation.com
newsnstat.com
nextraload.com
nudtcn.com
numeronez.com
nutcn.com
office-rb-support.com
outlookkz.com
pizzahomez.com
qqgroups.info
revoltmax.com
securematrixx.com
sinodefprog.info
socialfreakzz.com
symantecz.com
telemediaz.com
webworldreq.com
wikifedia.space
xbladezz.com
xmachinez.com
you-yisi.com
yue-lao.info

# Reference: https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/
# Reference: https://www.virustotal.com/gui/file/33c061dcf59d17c950fc450593cb4c3df1ee755f3a6a216eafc9717e76bc0858/behavior/VirusTotal%20Cuckoofork

130dozen.com
adhath-learning.com
avtofrom.us
b3autybab3s.com
bookerstream.com
breachframework.com
breachframework.website
chucknorr.com
com-account-jfnjkr.xyz
cooperednews.info
couchypotatoes.com
cutedazzle.com
didlynews.info
fierybarrels.com
fullhalfempty.com
gallopingroses.com
gomadweb.com
greatleonidas.com
jupanto.com
little-nuts.com
magzinehog.com
mysugarbin.com
neistovo.com
news-letters-4u.com
newsscrapper.com
newstodayreviews.com
nophoz.com
onepickle.com
purple-banana.com
romanrugby.com
roseauster.com
sechshun8.com
softwares-free.com
speedeagles.com
stepontheroof.com
stilletowheels.com
tangyball.com
teens3xweb.com
teensechs.com
templetom.com
transseksualov.com
tumblebin.com
twigreader.com
uchitel-nitsa.com
wetcottonballs.com
wond3rfulworld.com
younghogs.com
your3x.com
zadnitsa.com
znaniye-onlayn.com
http://95.211.38.135/search1.php
/ipimp.txt

# Reference: https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf

nowhatsapp.com
web.nowhatsapp.com
myrocketchat.com
tweetychat.com
secretchatpoint.com
simplechatpoint.ddns.net
android-helper.info
chatit.club
chaton.life
chaton.live
kahmir-n.com
kashmir-n.com
philionschat.com
sync.chatit.club

# Reference: https://twitter.com/malwrhunterteam/status/1273581262750593030
# Reference: https://twitter.com/JAMESWT_MHT/status/1273583949646893056
# Reference: https://twitter.com/Arkbird_SOLG/status/1273627959170121734
# Reference: https://www.virustotal.com/gui/file/977c81bfab432eaeb119167b5342468918645636aa3dc94bdb993667c2e96693/detection
# Reference: https://www.virustotal.com/gui/file/628172ab0dc7360ebc49ec15f6197d7f26f6e06c370aad9c55e5e87542bcb4ec/detection
# Reference: https://app.any.run/tasks/21e6efb4-751f-4135-9f8d-e3f4a9624c5b/
# Reference: https://app.any.run/tasks/0901274f-49ff-41a4-919d-759a68e79685/

http://185.29.10.117
http://94.156.35.204
185.29.10.117:443
altered.twilightparadox.com

# Reference: https://twitter.com/ShadowChasing1/status/1346747278279643137
# Reference: https://www.virustotal.com/gui/file/b9b5a9fa0ad7f802899e82e103a6c2c699c09390b1a79ae2b357cacc68f1ca8e/detection

msoffice.user-assist.site
user-assist.site

# Reference: https://twitter.com/ShadowChasing1/status/1351201320670285836
# Reference: https://www.virustotal.com/gui/file/7fb7944fb452d8588194ea746910ed782865efb991fa02479e429f8fba677d3b/detection

http://176.107.181.213

# Reference: https://twitter.com/mg2_tracy1/status/1358246040302850055

http://108.62.12.210
mlservices.online

# Reference: https://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict
# Reference: https://otx.alienvault.com/pulse/6025716ad1074318fbe5b3c8/

cucuchat.com
pieupdate.online
samaatv.online
tea-time.link

# Reference: https://twitter.com/ShadowChasing1/status/1360806740367876105
# Reference: https://www.virustotal.com/gui/file/f615bb459a91d76ee8a56661666fc450297dd9f9736dbe5b3efda7fb2f2ade70/detection

sunshinereal.000webhostapp.com

# Reference: https://0xthreatintel.medium.com/internals-of-ave-maria-malware-cb0f63bcce8d
# Reference: https://www.virustotal.com/gui/file/a6e56c81c88fdaa28cbd3bf72635c5becb164f75f51ff0aabd46ee7723d4ac23/detection

108.62.12.210:4251

# Reference: https://twitter.com/ShadowChasing1/status/1364925537651617794
# Reference: https://www.virustotal.com/gui/domain/moe-cn.org/relations
# Reference: https://www.virustotal.com/gui/file/153d5941a73f9600046ad859e819db33b323908a99712cd224d454cd5e3ba004/detection
# Reference: https://www.virustotal.com/gui/file/4a4238e7d8c2b0950165fd1d4c6c9e43c20848028cbe1e52945c87bb921cfba8/detection

185.61.148.223:8080
208.91.197.91:8080
moe-cn.org

# Reference: https://twitter.com/AnonySecAgency/status/1371648062460887040
# Reference: https://www.virustotal.com/gui/file/c3f0c89e7cddfe0a130a58c3e9edcae06579ee6d88787d5222368a8f57cc899e/detection

185.157.78.135:4040

# Reference: https://twitter.com/h2jazi/status/1415347869318537220

http://142.202.191.236

# Reference: https://twitter.com/ShadowChasing1/status/1422180936632860677
# Reference: https://www.virustotal.com/gui/file/6ddf7b13312987ed7d85ff6795f279d4c09ef67e7895a84254e53776a7ea9873/detection

142.202.191.234:2022

# Reference: https://twitter.com/ShadowChasing1/status/1449172597816455170

http://23.81.246.170
/doodle14/UploadToServer.php
/doodle14/createDirecotory.php
/doodle14/save_file_str.php
/doodle14/save_target_applist.php
/doodle14/savetargetdeviceinfo.php

# Reference: https://twitter.com/souiten/status/1473142851798114312
# Reference: https://www.virustotal.com/gui/file/3ddbd2f9d4194aaebaffda1417b34aa1c2a5ec948e01b7ef0a1c9e035e78721e/detection

http://104.143.36.19

# Reference: https://twitter.com/ShadowChasing1/status/1491954861402771456

webinstaller.online

# Reference: https://twitter.com/RedDrip7/status/1529403598165004289
# Reference: https://www.virustotal.com/gui/file/9153c0618803e8799472060ac508135933f551581ede827265c78d644aba08b1/detection

dayspringdesk.xyz
/wfgkl/cvrkaf/xkj/test.php
/wfgkl/cvrkaf/

# Reference: https://twitter.com/__0XYC__/status/1540211206211772416
# Reference: https://www.virustotal.com/gui/file/2d5afc95d620bed1ba631a34e6ad7c490da58d931045e1294dcf739326ad053d/detection

taxofill.info

# Reference: https://twitter.com/__0XYC__/status/1535107137441251328

t7g5c.app.link

# Reference: https://twitter.com/__0XYC__/status/1540212682271236096
# Reference: https://twitter.com/__0XYC__/status/1540214103733522432

pmogov.online
pmo.app.link

# Reference: https://twitter.com/__0XYC__/status/1543806683092340737
# Reference: https://twitter.com/__0XYC__/status/1543807380269432832
# Reference: https://twitter.com/jaydinbas/status/1543952789491040257
# Reference: https://twitter.com/jaydinbas/status/1543952905925005314
# Reference: https://twitter.com/h2jazi/status/1543965665526255617
# Reference: https://www.virustotal.com/gui/file/041aa41948f654f8813b0a411f449e91ba84cdd5c0b08040bcdd9592df63a245/detection
# Reference: https://www.virustotal.com/gui/file/9a42cdfe611f7e50cafc33da9e8dc5bd51abf1d16e31d324d28842d0cfef4170/detection
# Reference: https://www.virustotal.com/gui/file/041aa41948f654f8813b0a411f449e91ba84cdd5c0b08040bcdd9592df63a245/detection
# Reference: https://www.virustotal.com/gui/file/8adad3cb57e851c7daefe2e2f61c578c63bffaf61afbda23815ecc3c6eabf902/detection
# Reference: https://www.virustotal.com/gui/file/4e19ca405e8caef23a677609b4fde2cf1c482cc08ea39d72dc89ccddc0d96c79/detection

blingin.shop
blingin.xyz
jizyajan.shop
jusmine.xyz
mamba.live
taxofill.info

# Reference: https://twitter.com/Des00464472/status/1549615287846453248

pankilo.xyz

# Reference: https://twitter.com/h2jazi/status/1558130495891857408
# Reference: https://www.virustotal.com/gui/file/1dd1c52e5eb1b1e5c4abc7c327b63687528118e612e9a42f01b97955676f4ff0/detection

support-office-us.herokuapp.com

# Reference: https://twitter.com/StopMalvertisin/status/1560213184535199749
# Reference: https://www.virustotal.com/gui/file/d732bc4f7bd2951cedef03a3a3235cce4f33602c858e0c5caceeb98f5bf1a4bf/detection

office-fonts.herokuapp.com

# Reference: https://twitter.com/__0XYC__/status/1561917066482966528
# Reference: https://twitter.com/h2jazi/status/1562079407853953024
# Reference: https://www.virustotal.com/gui/file/0e30b6e1b05279aac4c0b3b1d8b6d250fec0999cc72d0506e617fde53bc4f6e9/detection

bonimoni.xyz
viterwin.club

# Reference: https://twitter.com/souiten/status/1565597424013365249
# Reference: https://www.virustotal.com/gui/file/c795a13148b13b6c293c11099fbe06aed8b478e1713d5c3c849fa7acabc215cc/detection
# Reference: https://www.virustotal.com/gui/file/9268c46f5ed8b2f00cf3ef4d14e5bc327907b776a97b466a52bc9fbfea002e5b/detection

http://125.209.76.62
http://192.227.174.165

# Reference: https://twitter.com/t3ft3lb/status/1567947765132435459
# Reference: https://www.virustotal.com/gui/file/aa6b4f8948d8524835dee9064ab54dc8f9f410eae7cbc502b1baf21cca5f8b20/detection

51.89.251.8:443

# Reference: https://twitter.com/SethKingHi/status/1570608984348053508
# Reference: https://www.virustotal.com/gui/file/2592a0b60b5902a5cbdfa19d5612546a53e6f1bf6ead33d1d86d392c5e281263/detection

http://74.119.193.145

# Reference: https://twitter.com/ShadowChasing1/status/1576854577483157504
# Reference: https://www.virustotal.com/gui/file/449b4cee4b9df09777891a70248e000e3bb13f33d579603f69e444d4d175d022/detection

en-us-office.herokuapp.com

# Reference: https://twitter.com/StopMalvertisin/status/1578405262209142785
# Reference: https://www.virustotal.com/gui/file/bba3303974f9b4b0bc2e0b0c52e8b656992b6f18ee6321ff49d87ce1e448c69d/

office-templates.herokuapp.com

# Reference: https://twitter.com/RedDrip7/status/1578687322291593216
# Reference: https://twitter.com/blackorbird/status/1585555349939314688
# Reference: https://mp.weixin.qq.com/s/IwcxY3TqkmyY-pBxnXuM1A
# Reference: https://www.virustotal.com/gui/file/a9175491a108645ba2f0f906d639bd94e895e41370e6c23c59b95ab4a927a6fa/detection

162.216.240.173:1991
housingpanel.info
zaim.pkwebs.com/wp-includes/c
/vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/x8jb9g97kkexor5ihnbq/d91ng62l00hc4vgaxkf.php
/vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/x8jb9g97kkexor5ihnbq/
/vwykzjzy2si478c7a2w/terncpx8yr2ufvisgd2j/
/vwykzjzy2si478c7a2w/
/terncpx8yr2ufvisgd2j/
/x8jb9g97kkexor5ihnbq/
/d91ng62l00hc4vgaxkf.php

# Reference: https://www.virustotal.com/gui/file/2b8194a93c17d82a1814c094768c1fb728c105fd6e89661c9af51370a31dbb17/detection

http://172.81.62.200

# Reference: https://twitter.com/SethKingHi/status/1588054655623659520
# Reference: https://www.virustotal.com/gui/file/115ddd20884fcf42f8937287e2b2cbb52e4d1420c000953ab8945f724c6c2f93/detection

webinstall2.ddns.net

# Reference: https://twitter.com/__0XYC__/status/1593088165556150272
# Reference: https://twitter.com/BaoshengbinCumt/status/1593108148646449152

mail-paf-documents-download-pk.herokuapp.com

# Reference: https://twitter.com/malwrhunterteam/status/1593021085997420544
# Reference: https://www.virustotal.com/gui/file/41e561168a4a26f7d4bc14186c2d7fc2232e12fd1aa44ef77b4a9d45e14fc763/detection

en-officeupdate.herokuapp.com

# Reference: https://twitter.com/souiten/status/1597943643582902273
# Reference: https://twitter.com/souiten/status/1597944825340305408
# Reference: https://www.virustotal.com/gui/file/66d366fcdc0cef9a6af89a46909c9710bab0192a473f5ac583940093b990c86c/detection
# Reference: https://www.virustotal.com/gui/file/ef76d11453a632920dd5835c0f0f8a317fb187972b0a51cdf8d78560f653d35f/detection
# Reference: https://www.virustotal.com/gui/file/d345a80e349b79c78faa9bf10922416b0d5cfb1b805e0bfb2f675d83f63c7e47/detection

142.234.157.195:8989
142.234.157.195:8080
45.56.165.100:8080
microsoftonedriver.com
info-updates.ddns.net

# Reference: https://twitter.com/malwrhunterteam/status/1567483040317816833
# Reference: https://twitter.com/h2jazi/status/1567512391289544704
# Reference: https://www.virustotal.com/gui/file/40831538e59700fd86081130af597623d0779a93cde6f76b86d52174522d8ad4/detection
# Reference: https://www.virustotal.com/gui/file/e2b7181d67ab4a4de5600d7f0f68190894db4d007aa66db94be0ee94631bc701/detection

gov-cloud.herokuapp.com

# Reference: https://twitter.com/RedDrip7/status/1608383205664780289
# Reference: https://www.virustotal.com/gui/ip-address/5.2.77.109/relations
# Reference: https://www.virustotal.com/gui/file/79bde77f2295dbf272b4138db3b42a8e40e67201da5f7a70de1600c15ebfc81e/detection
# Reference: https://www.virustotal.com/gui/file/2be095b201379123f11fd66b382aee0ca9542e3061fa129bc53c1eddd9b895c3/detection

bingoplant.live

# Reference: https://twitter.com/SethKingHi/status/1612377098777133057
# Reference: https://www.virustotal.com/gui/file/e89e0a56fad8e7232015f18bc4fd0287b98d7697e24c66820a0d4d2d501cd444/detection

vlc-updates.ddns.net

# Reference: https://twitter.com/souiten/status/1627613531586834432
# Reference: https://www.virustotal.com/gui/file/716298589ab48b187c127e9dbe47dd78487d0e4fd1841bf09d7e45027a23ac06/detection

23.163.0.133:443

# Reference: https://twitter.com/SethKingHi/status/1628601980682932224
# Reference: https://twitter.com/liqingjia1989/status/1640273312692727809
# Reference: https://www.virustotal.com/gui/file/6a3624f7022bf5797cb4a2bc633c383f4c59e0b6c277dea292657d56d66e29ae/detection
# Reference: https://www.virustotal.com/gui/file/038da443e2ffc69b0c3d6bba7eab229166d1340ff07754fd51019d74a89b0c0b/detection

http://162.216.243.187
/S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php
/foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php
/3H5StvwrQGeWkYSFbM5qY/Ztrt1DyB3tTXbjG.php
/S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/3H5StvwrQGeWkYSFbM5qY/
/S8hmr7lxi7n4ceD2g93yz/foGpgvbzeYpJx6UeJcBq6/
/S8hmr7lxi7n4ceD2g93yz/
/Ztrt1DyB3tTXbjG.php

# Reference: https://twitter.com/ThreatBookLabs/status/1631134841923325958
# Reference: https://www.virustotal.com/gui/ip-address/82.180.172.13/relations
# Reference: https://www.virustotal.com/gui/file/9b3d01dd457b4eeae6712df54c7ef96312f56cd0115612d0d5aece654fc6bc61/detection

officedocuments.info

# Reference: https://twitter.com/ThreatBookLabs/status/1640397245882437632

pitbmail.000webhostapp.com
webmail-pitb-gov-pk.netlify.app

# Reference: https://twitter.com/blackorbird/status/1649005925947310080
# Reference: https://mp.weixin.qq.com/s/Nk2zml2d0HtK0hszyKW2Dw (Chinese)

charliezard.shop
msit5214.b-cdn.net
shhh2564.b-cdn.net

# Reference: https://twitter.com/ThreatBookLabs/status/1650906402792304641

douyni.info

# Reference: https://twitter.com/ThreatBookLabs/status/1651052933142937600

ctg36512.b-cdn.net

# Reference: https://about.fb.com/wp-content/uploads/2023/05/Meta-Quarterly-Adversarial-Threat-Report-Q1-2023.pdf

104.27.172.22:9371
104.27.173.22:9371
106.215.68.174:9371
172.94.99.215:4040
185.82.216.57:2125
195.20.54.105:4040
appplace.life
bayanat.co.nf
beautifullimages.co.nf
chirrups-download.ml
downloader-file.cf
downloadvpn.comli.com
drive-sharefiles-downloads.ga
drive-sharefiles-downloads.gq
faridun.com
file-downloader.ga
file-star.buzz
fileshares.online
fun.socialyte.site
islamicbayanat.ddns.net
kashmirundergroundnews.ml
newice.hopto.org
securemessagingapps.blogspot.com
socialyte.site
stockapp-fresh.com
thenewsnation.ml
videvideocaller.ml
vpndl.co.nf
vpndownload.co.nf
vpndownload.webutu.com
vpndownloads.co.nf
vpndownloads.ddns.net
webmails-authentication.tk
/gdgtgdt1245435/chirrups.apk
/poahbcyskdh/cable.apk
/vdfogrglj/YoTalk.apk
/gdgtgdt1245435/
/poahbcyskdh/
/vdfogrglj/

# Reference: https://twitter.com/malwrhunterteam/status/1676228569263996930
# Reference: https://www.virustotal.com/gui/ip-address/185.225.69.181/detection
# Reference: https://www.virustotal.com/gui/file/1648cc664ab332c446d89a5406cc6adcfa357b2883d44f059c54012a4401b4f2/detection
# Reference: https://www.virustotal.com/gui/file/8cd0ad4572e1f0b71ed8e8e84d4e75942393617afac3962c164ff04a3ab87ea4/detection
# Reference: https://www.virustotal.com/gui/file/a3fc903bf6bf49f8c6e3bd5633433cfcae80be54eeefbb7345764b0059491371/detection
# Reference: https://www.virustotal.com/gui/file/d4fdd37f4aaa486a9ca32d083ba2900f237eb0a186f3a6f4418d63ccdf7d69ca/detection

http://185.225.69.181
onedriver.cloud
toptaskrabbitgroup.com

# Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1681921960731897856
# Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1681924794701455361
# Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1681925487080378368
# Reference: https://twitter.com/Des00464472/status/1687394684652695553
# Reference: https://mp-weixin-qq-com.translate.goog/s/9cqXdFn7erJupk9QPRhqpg?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=zh-CN&_x_tr_pto=wapp (# APT-K-47, ORPCBackdoor)
# Reference: https://www.virustotal.com/gui/file/a7acb7fa69f218475e06fb27dceac3f199b9cb7cbea07d01c0cfb220b465cbc4/detection
# Reference: https://www.virustotal.com/gui/file/556f51b7bd03b9be121f4a35916bef331d1ac82f3a00ed014975c12986d6c1e9/detection
# Reference: https://www.virustotal.com/gui/file/dd53768eb7d5724adeb58796f986ded3c9b469157a1a1757d80ccd7956a3dbda/detection

msdocs.ddns.net
msoutllook.ddns.net
outlook-services.ddns.net
outlook-updates.ddns.net

# Reference: https://twitter.com/binlmmhc/status/1682284911506636800
# Reference: https://www.virustotal.com/gui/file/e43d53c505e0944e6a8ce9f613a1ce5ef2b845fd04b9a777e1515b787206a03c/detection

kdrm201.b-cdn.net

# Reference: https://twitter.com/binlmmhc/status/1684521661926973440

cftn6129.b-cdn.net
johu91837.b-cdn.net
nthb041.b-cdn.net

# Reference: https://twitter.com/StopMalvertisin/status/1691469917475000320

dgdg8675.b-cdn.net

# Reference: https://twitter.com/StopMalvertisin/status/1692879603977908224
# Reference: https://www.virustotal.com/gui/file/709298c36dcc4afedc1ef5725890f119d117df1ad5776cdeecda9c1a7380a33b/detection

ppzo3687.b-cdn.net

# Reference: https://twitter.com/ginkgo_g/status/1694544752350486732

kdrm201.b-cdn.net

# Reference: https://mp.weixin.qq.com/s/nMTQww-jHkdKBWFPYdfprA (Chinese)
# Reference: https://www.virustotal.com/gui/file/1e2b343eb7948ed225dc192e53dfe8d1d587c9b88ef17b910dc48810dccb4f28/detection

http://149.102.225.98
/sun2/UploadToServer.php
/sun2/UploadToServer_gb.php
/sun2/createDirecotory.php
/sun2/save_file_str.php
/sun2/save_target_applist.php
/sun2/save_whats_chat.php
/sun2/savetargetdeviceinfo.php

# Reference: https://twitter.com/malwrhunterteam/status/1704236578053210488
# Reference: https://x.com/malwrhunterteam/status/1831273968000479422
# Reference: https://twitter.com/RexorVc0/status/1715246574748549581
# Reference: https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247495700&idx=1&sn=5f39caf4d5fafef490ff1ad18f072a16&chksm=f9ed9cabce9a15bd1a5c94d19de5c927bdd0983b55b6183159a40034129bc78b2355aab38d85&scene=178&cur_album_id=1375769135073951745#rd (# RiverStealer)
# Reference: https://www.virustotal.com/gui/file/1f3590c97efdbaff2fff55a9f420863ca543f6ae35d1510f65da8984cb35bba1/detection
# Reference: https://www.virustotal.com/gui/file/5bdd87417c5dc17a994b9880caf54de759c46614f2b16e63d9dcebcf251cc9cf/detection

http://39.104.22.215
http://39.104.65.77
http://45.159.250.181
bluechillyboo.site
redcrocodilepuppet.online
riverelephant.site
riverelephent.site
/JSdfjweuisdfjhg/
/HprodXprnvlm1.php
/VueWsxpogcjwq1.php

# Reference: https://twitter.com/malwrhunterteam/status/1725275794711126259
# Reference: https://twitter.com/RedDrip7/status/1734110428685570139
# Reference: https://www.virustotal.com/gui/file/e8a519d735c3356b10a94f39923a10b76b644e68b74029fe7ec8e060a4345750/detection
# Reference: https://www.virustotal.com/gui/file/13c1cde8ded82f73c5b0ca483c2b2f2ea693ebc9dad6d30b90fcd03ff80795d6/detection

arabcomputersupportgroup.com
firebasebackups.com
/hailo/block.php
/hailo/cert.php
/hailo/load_img.php
/hailo/pakart.php

# Reference: https://twitter.com/ginkgo_g/status/1725445679072587993
# Reference: https://www.virustotal.com/gui/file/b019ed0bb09bda78af75f941ba1bb88f3b3e3604a202309d8661fdaacb04d02e/detection

pd560.b-cdn.net
pld956.b-cdn.net

# Reference: https://otx.alienvault.com/pulse/6566312bddcfb0e7f0991687

grand123099ggcarnivol.com
mfaturk.com
morimocanab.com
omeri12oncloudd.com

# Reference: https://twitter.com/blackorbird/status/1729327114187587854

cflayerprotection.com
cloudlflares.com

# Reference: https://twitter.com/ginkgo_g/status/1731870687562752375
# Reference: https://www.virustotal.com/gui/file/90e7df73e769bf0bde48294c38004341778e6ed2a6cd8db9d20fe57524607607/detection

tyfk1.b-cdn.net

# Reference: https://twitter.com/ginkgo_g/status/1732652858804486614
# Reference: https://www.virustotal.com/gui/ip-address/185.74.222.34/relations
# Reference: https://www.virustotal.com/gui/file/ca24347d80aed81df2a0e89075c645bfd6081a8e66103ea680f3a8758999b32b/detection

wingpao.info
pd35.b-cdn.net
pl335.b-cdn.net

# Reference: https://twitter.com/liqingjia1989/status/1639072245648883712
# Reference: https://www.virustotal.com/gui/file/cb0fe57e84a705a6e6d5d40f621c60095aaf73ba87c424029d2e2813210e09b9/detection

triptrans.info

# Reference: https://twitter.com/Joseliyo_Jstnk/status/1749719852623802384
# Reference: https://www.virustotal.com/gui/ip-address/152.89.247.23/relations
# Reference: https://www.virustotal.com/gui/ip-address/51.79.217.72/relations
# Reference: https://www.virustotal.com/gui/file/8734a8a71c27712f17d08e758a251665e1c81e91ea6482c0045facca5b777e4d/detection

classcentral-drive.ddns.net
deltabook.ddns.net
msdesigns.site
officecloud.store

# Reference: https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/
# Reference: https://www.virustotal.com/gui/file/ba9aeb87025ba26e7a54fe38f97bf28b72b1dac069e9fa6624a195a599c4b0ae/detection

chatapp-6b96e-default-rtdb.firebaseio.com
chit-chat-e9053-default-rtdb.firebaseio.com
glowchat-33103-default-rtdb.firebaseio.com
hello-chat-c47ad-default-rtdb.firebaseio.com
letschat-5d5e3-default-rtdb.firebaseio.com
meetme-abc03-default-rtdb.firebaseio.com
privchat-6cc58-default-rtdb.firebaseio.com
quick-chat-1d242-default-rtdb.firebaseio.com
rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase.app
tiktalk-2fc98-default-rtdb.firebaseio.com
wave-chat-e52fe-default-rtdb.firebaseio.com
yooho-c3345-default-rtdb.firebaseio.com

# Reference: https://twitter.com/ginkgo_g/status/1753339086709100633
# Reference: https://www.virustotal.com/gui/file/a4c16bcdf5db8d29688e1112434fe8f7f15e9e4dc78828ba2890bade62b9c7cc/detection

hu51.b-cdn.net

# Reference: https://twitter.com/malwrhunterteam/status/1758395825103798760
# Reference: https://www.virustotal.com/gui/file/e68c9aedfd080fe8e54b005482fcedb16f97caa6f7dcfb932c83b29597c6d957/detection
# Reference: https://www.virustotal.com/gui/file/e89305bd8e01769d024916fb5e286b951382409a5106e31c8bea2e3400ebf603/detection

denv-1.b-cdn.net
denv-2.b-cdn.net

# Reference: https://twitter.com/suyog41/status/1765725837041824121
# Reference: https://www.virustotal.com/gui/file/01ea7197094b9acd50605bda611111eaa822230f81a3cac4b47a2f9d01e146c1/detection
# Reference: https://www.virustotal.com/gui/file/749942726963f0a55380123dff8238cdf54d6b98d3fb083528a41ba287002bad/detection

espncrics.info
ruz98.b-cdn.net

# Reference: https://twitter.com/__0XYC__/status/1770684464470872294
# Reference: https://twitter.com/mal_analysis136/status/1770693119463326144
# Reference: https://twitter.com/suyog41/status/1771135469327417684
# Reference: https://www.virustotal.com/gui/file/8f4cf379ee2bef6b60fec792d36895dce3929bf26d0533fbb1fdb41988df7301/detection

daily-mashriq.org
t-cdn.org
doc.t-cdn.org
quranchapter.t-cdn.org
/javascript/juicesdafekohioshfoshfhiofh/
/juicesdafekohioshfoshfhiofh/
/goyxdrkhjilchyigflztv

# Reference: https://twitter.com/h2jazi/status/1773468430013727186
# Reference: https://twitter.com/PrakkiSathwik/status/1773763707744489594
# Reference: https://www.virustotal.com/gui/file/88558ef568b3c775b2d79499b74dc3ecde7c049440c8872573fc6622433eec17/detection
# Reference: https://www.virustotal.com/gui/file/aaaae5f5d7f58eb8c970c4e5407fb2f4597bc81674d006c5e2d1462a3b133d74/detection

176.56.237.126:443

# Reference: https://twitter.com/k3yp0d/status/1780928811195887973
# Reference: https://twitter.com/k3yp0d/status/1780929118034362708
# Reference: https://twitter.com/k3yp0d/status/1780929459689758926
# Reference: https://www.virustotal.com/gui/ip-address/38.180.94.120/relations
# Reference: https://www.virustotal.com/gui/file/6d6dc50e8e73053763f9b85b7c1f1b532ec3023b5b89b3546f0330b4956e75a9/detection
# Reference: https://www.virustotal.com/gui/file/d0ccad2452cc0124d95214f9a9c5e4df9d842f97c6389c6e01baa0916306ad87/detection

15731.org
c-cdn77.com
dugayqwh.c-cdn77.com
huanetdw.c-cdn77.com
pijaung.c-cdn77.com

# Reference: https://twitter.com/liqingjia1989/status/1790677262146388398
# Reference: https://x.com/PrakkiSathwik/status/1823316607453577258
# Reference: https://www.virustotal.com/gui/file/cd2bd2e66a903c10e90023fc73c993a3bf8a009dd09b03930f3c40ee4e7c35fd/detection

dezhongcn.org
sdfsecs.org
/akwj2iycjeh5347
/fsdhwerui4358vxfg13hgu/
/gtyggfj4ytqej35f/buldgy4ujedhk
/qaloh42bsk093cag41vb/
/qaloh42bsk093cag41vb/stwv32jj197jl1hbfy
/stwv32jj197jl1hbfy
/tueyixahgdw3u265dfer/
/tueyixahgdw3u265dfer/akwj2iycjeh5347

# Reference: https://x.com/StrikeReadyLabs/status/1798687665987989691
# Reference: https://www.virustotal.com/gui/file/ff28cff64b2e37e852e778202b57400f508b94770980b2788914bd3bcbcda627/detection
# Reference: https://www.virustotal.com/gui/file/29420ee792d63aa7d5658f971ba3c62d776615aa56b96b7f055dc7833eef1af0/detection
# Reference: https://www.virustotal.com/gui/file/1a47c99d3167d26b1ac7c7bbf0ca05c5ba53ec50aad3278355a43a5091ac85e8/detection

nihaoucloud.org
guangzhou.nihaoucloud.org
/gsdgsd89iop/sdfger23ty
/gsdgsd89iop/
/sdfger23ty

# Reference: https://x.com/suyog41/status/1810268207241982376
# Reference: https://www.virustotal.com/gui/ip-address/172.81.60.40/relations
# Reference: https://www.virustotal.com/gui/file/f6d171e79e2fb38b3919011835c8117a1c56788bcf634e69ae67a5e255fb9d58/detection
# Reference: https://www.virustotal.com/gui/file/14bbe421abe496531f4c63b16881eee23fb2c92b2938335dca1668206882201a/detection

beijingtv.org
cartmizer.info
hometogeljaya.xyz
icreativez.org
/ogQas32xzsy6/fRgt9azswq1e
/fRgt9azswq1e
/lkqnzntawldqjlwdxivsnemw
/ogQas32xzsy6

# Reference: https://x.com/StrikeReadyLabs/status/1811339489136066615
# Reference: https://www.virustotal.com/gui/file/0f0ed90e3a825e86ce4fe46c065f60f01f22fd878cb02e7ee5eb9d103a80b156/detection

mato3.b-cdn.net
matozip1.b-cdn.net

# Reference: https://mp.weixin.qq.com/s/Bf4ZN7Hr124vi3H3k-v3Bg
# Reference: https://www.virustotal.com/gui/file/da10810b38385f2c674c8f5aba08c04a0b30c7b3ac828c6a86da927839b80b48/detection

longwang.b-cdn.net

# Reference: https://x.com/naumovax/status/1813151432419254656
# Reference: https://www.ctfiot.com/193014.html
# Reference: https://tria.ge/240715-lrfzyazfmm/behavioral2
# Reference: https://www.virustotal.com/gui/file/6afdf4a3088bff045e1998d2dc2863b90d06765abb2dc35c7b93c456b9818e55/detection

shrilongu.info
yw56.info
centling.nihaoucloud.org
hengtian.nihaoucloud.org
weibo.nihaoucloud.org
xinhuanet.nihaoucloud.org
/akowutbuu753dtRWq21jk/odiworukdjo2375kjkl1lk87hl0
/akowutbuu753dtRWq21jk/
/koqiiwyekj5458bj32uoiWQ21/kjtw83nkQ
/koqiiwyekj5458bj32uoiWQ21/
/kjtw83nkQ
/odiworukdjo2375kjkl1lk87hl0
/ymybisvimqjoknhmgryit/getocmskdmsm/
/getocmskdmsm/
/ymybisvimqjoknhmgryit/
/gtw2jh43/css.txt
/gtw2jh43/

# Reference: https://x.com/malwrhunterteam/status/1816424803022057883
# Reference: https://x.com/RexorVc0/status/1818517432467706147
# Reference: https://www.virustotal.com/gui/file/6795dac9944b17ba82d40cf18ad5c57b8c4363bc5634d525bdbff3dfa18762d8/detection

ghshijie.com
telsiairegion.xyz
yuxuan.ghshijie.com
/1WrCVzW4kSDNbNTt/cqWf4vQlofzqFkc7.php
/1WrCVzW4kSDNbNTt/
/cqWf4vQlofzqFkc7.php

# Reference: https://x.com/PrakkiSathwik/status/1822328733610430860
# Reference: https://www.virustotal.com/gui/file/c3805b8b37eb1ba34057cd6c882dc9bedcebc01ec90a6d4be8d0f6fc82859ecb/detection
# Reference: https://www.virustotal.com/gui/file/1e977b2ea2421b9ee3878e21550533e765ea8bb54f11383893a9b3772bc76dc5/detection
# Reference: https://www.virustotal.com/gui/file/0954c455576ff84efe67a3b2a2fd5de64aaa5540af648116e6b9d716be77240b/detection

bhutanembassynepal.com
apcas.bhutanembassynepal.com
docdailyupdate.bhutanembassynepal.com
energynews.bhutanembassynepal.com
/aqoqi43bjdewsfgTg4/iq2387skl844xWq1
/bgTAqwhPaYvtrkwu5445jkj4n/koaquwd73hkd
/latehtu454fh4/setwcx328nvy4.bin
/aqoqi43bjdewsfgTg4/
/bgTAqwhPaYvtrkwu5445jkj4n/
/sqalopej47gkjuiczdWreq2/
/PswqaDyeh6Fs2g12-g34fyu/
/latehtu454fh4/
/iq2387skl844xWq1
/koaquwd73hkd
/setwcx328nvy4.bin

# Reference: https://x.com/RexorVc0/status/1833389801162023417
# Reference: https://x.com/JAMESWT_MHT/status/1842213101011108237
# Reference: https://www.ctfiot.com/204087.html
# Reference: https://www.virustotal.com/gui/file/83e4962419f2d4e99c5aa02ed6a077c9fc19e15d6427c79c6cdef2df4530fb53/detection
# Reference: https://www.virustotal.com/gui/file/2fc76a42fb7af2fbe480c0cf3d63e2eaf8d2b904a38b962261887f163ad6b4a2/detection

172.81.62.199:6606
172.81.62.199:7707
172.81.62.199:8808
194.156.99.229:443
74.119.193.8:1005
dasiqueiros.info
mdridefys.info
socialrg.info
parkways.info
rootranger.info
anabel.rootranger.info
biwef.rootranger.info
hangei.rootranger.info
hidescw.dasiqueiros.info
kinomei.rootranger.info
rebgyuxi.rootranger.info
siang.rootranger.info
viang.rootranger.info
xiahong.rootranger.info
xiam.dasiqueiros.info
xiamo.dasiqueiros.info
zhiming.ghshijie.com
/bIHTfcVHegEoMrv/WCcod7JY3zwUpDH.php
/eruksfjg/wruiowu
/kjwgdjg/euitug
/latexcb71ni/vtyu89ni.bin
/latexcb71ni/
/qwytjhcey/aocmnvfnd
/aocmnvfnd
/euitug
/wruiowu
/eruksfjg/
/kjwgdjg/
/qwytjhcey/
/bIHTfcVHegEoMrv/
/vtyu89ni.bin
/WCcod7JY3zwUpDH.php

# Reference: https://x.com/ginkgo_g/status/1834859844261577158
# Reference: https://x.com/Timele9527/status/1834875792872161613
# Reference: https://www.virustotal.com/gui/ip-address/172.81.62.40/relations
# Reference: https://www.virustotal.com/gui/file/ba262c587f1f5df7c2ab763434ef80785c5b51cac861774bf66d579368b56e31/detection
# Reference: https://www.virustotal.com/gui/file/d7b278d20f47203da07c33f646844e74cb690ed802f2ba27a74e216368df7db9/detection

iceandfire.xyz
kartenkauf.info
scapematic.info
jihang.scapematic.info
shianchi.scapematic.info
/cDiCQddlQr
/chBXgPelzd
/peCDMAFXQN

# Reference: https://x.com/StrikeReadyLabs/status/1836724951941882101
# Reference: https://www.virustotal.com/gui/file/1ee756cd6608235454f0877c51881803d52c0887479838925b3caf4a976a17f0/detection
# Reference: https://www.virustotal.com/gui/file/fd96ac431474ce6ba502f89a1d4f3bdaa182428a22aab15dd05483dd0b46de2d/detection

coldchikenshop29.info
greenearthtreeh.info
whitemissycorp.info

# Reference: https://x.com/k3yp0d/status/1836877748708552958
# Reference: https://www.virustotal.com/gui/file/136221a89f1042aea42ef4ba78f0c4d7244e78607deb4cc619aa9d6f19f0fbca/detection

http://121.199.0.104
http://39.100.91.201

# Reference: https://x.com/k3yp0d/status/1836875647865528508
# Reference: https://www.virustotal.com/gui/file/b5e6f8e2203f086d85e64b0687f0c000407a1fa0563eb4cb19c184ffb85d63fd/detection

http://89.47.160.244
/HSfuywrhjerfsd.txt

# Reference: https://www.virustotal.com/gui/file/14bbe421abe496531f4c63b16881eee23fb2c92b2938335dca1668206882201a/detection
# Reference: https://www.virustotal.com/gui/file/f6d171e79e2fb38b3919011835c8117a1c56788bcf634e69ae67a5e255fb9d58/detection

adaptation-funds.org

# Reference: https://blog.cloudflare.com/unraveling-sloppylemming-operations/

adobefileshare.com
maldevfudding.com
accounts.opensecurity-legacy.com
api.opensecurity-legacy.com
bin.opensecurity-legacy.com
cloud.adobefileshare.com
cloud.cflayerprotection.com
data.cloudlflares.com
frontend-m.opensecurity-legacy.com
m.opensecurity-legacy.com
monitor.opensecurity-legacy.com
secure.cflayerprotection.com
secure.cloudlflares.com
sensors.opensecurity-legacy.com
static.opensecurity-legacy.com

# Reference: https://x.com/SquiblydooBlog/status/1842535888938729871
# Reference: https://www.virustotal.com/gui/file/e6071ae0da3289eb87edf67b2b198b0a3f0cf9da8eb35a8a2b5aa8989b6c0ef5/detection

winfileshare.com

# Reference: https://x.com/SquiblydooBlog/status/1842535888938729871
# Reference: https://www.virustotal.com/gui/file/bf9445ded122ee5853bb45d69b390ed5a0b36baa0c48adc7a8fa65e526116720/detection
# Reference: https://www.virustotal.com/gui/file/1753abbd3a79ff9db264b3e05bbbd2fa6f0b983de1a66c341a8a4cc71b4d6429/detection

nodejsupdates.com
/ticket_line/afa.php
/ticket_line/certificate.php
/ticket_line/llb.php
/ticket_line/lockdown.php

# Reference: https://x.com/jaydinbas/status/1797968559668400536
# Reference: https://x.com/HaCkyWang/status/1824384420574634214
# Reference: https://mp.weixin.qq.com/s/M6xoCfqMCSDsv32S0vrGEw
# Reference: https://www.virustotal.com/gui/file/e5b332d6f860d00d5d2d94cb6d9e07b0c9ba3f204bdcc77a7765272cf8d9feae/detection

http://89.147.109.143
http://93.95.230.16
l0p1.shop
firebaseupdater.com
onlinecsstutorials.com

# Reference: https://x.com/liqingjia1989/status/1843206630428823889
# Reference: https://www.virustotal.com/gui/file/97ba91d1208f7726a794a919fc8a5623d43d26f0b645f4d35ed1c2967421901d/detection

cloudcdn-storage.org
henghi.cloudcdn-storage.org
tiangfu.cloudcdn-storage.org
/azmil93p/bhnl41mp
/qzxnmpl/zplqmw
/azmil93p/
/bhnl41mp
/qzxnmpl/
/zplqmw

# Reference: https://x.com/k3yp0d/status/1845725805940179239
# Reference: https://x.com/k3yp0d/status/1845726834786197674
# Reference: https://www.virustotal.com/gui/ip-address/193.149.176.131/relations
# Reference: https://www.virustotal.com/gui/file/516c1f3d7dceb9c257b30ac3c10e53a5798beb3cf6ddb2e7cdb11cce2960a1e4/detection
# Reference: https://www.virustotal.com/gui/file/986c6ff539eeb1d1692ca5b9498422b546c3e1513dd6c9b5003cbdf3d1e967fb/detection
# Reference: https://www.virustotal.com/gui/file/a2768e6bb920bc9224662c08c7da7d0c09fb2101662a8265a20a27b90140122d/detection

pinshare.net
shareboostfile.com
springbring.info

# Reference: https://x.com/blackorbird/status/1846741250076213514
# Reference: https://app.validin.com/detail?type=ip&find=79.132.130.231#tab=resolutions

anglerrscovey.com
nationalsecuritysolutions.com.co
stjets.com
microsftonline-sharpoint.nationalsecuritysolutions.com.co
microsftonline-sharpoint.stjets.com

# Reference: https://x.com/ThreatBookLabs/status/1846916072441778474

kirdycorp.com

# Reference: https://x.com/ginkgo_g/status/1848197886988972154
# Reference: https://www.virustotal.com/gui/file/0a88cea0c0daf56cfed74b734177fceda7e107bf24f8ec45da47ebcd215454c0/detection

dajeneats.xyz

# Reference: https://x.com/k3yp0d/status/1848263969225458043
# Reference: https://www.virustotal.com/gui/ip-address/103.106.2.35/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.74.222.233/relations

igcontest.xyz
provoxil.live

# Reference: https://x.com/mal_analysis136/status/1848407166186885486
# Reference: https://pastebin.com/qY9jicQh

103.106.2.35:443
146.70.79.15:443
172.67.180.160:443
185.74.222.165:443
185.74.222.169:443
185.74.222.233:443
185.74.222.34:443
194.156.98.121:443
194.156.98.141:443
194.156.98.21:443
194.156.98.51:443
194.156.99.203:443
194.156.99.239:443
38.180.95.185:443
43.241.73.185:443
45.125.64.219:443
45.125.67.102:443
45.125.67.215:443
47.92.162.135:443
74.119.193.154:443
74.119.193.246:443
74.119.193.254:443
74.119.193.29:443
91.245.255.122:443
arkiverat.info
daricaspot.info
eldpathy.hk
flexmade.org
guardianofgalaxy.live
infinityink.xyz
nicolehertz.info
radixsand.org
remitmetahk.org
sfpay.online
shenyeng.org
sibedgee.org
solidfiles.cloud
wazsy.info
zprodigital.org

# Reference: https://x.com/k3yp0d/status/1848454682974265361

reconge.info
shenzhan.org

# Reference: https://x.com/blackorbird/status/1848658633179205742
# Reference: https://x.com/ginkgo_g/status/1864486667375239561
# Reference: https://www.virustotal.com/gui/ip-address/172.81.60.76/relations
# Reference: https://www.virustotal.com/gui/file/c417fb3008a6180fc6099d5e4d3d8849b3b12477dfa7008af1fdd356f0840622/detection
# Reference: https://www.virustotal.com/gui/file/a4fd69efc6fbd8b69e45924f4bbd577a6b7630e1ca2189ceee5da58f6fa09ac1/detection
# Reference: https://www.virustotal.com/gui/file/5f0c2aa0f02167aa4f94c30fecce629c9de7095173e811181e0f388792f9764d/detection

avangrid.info
dagros.live
jiansmst.info
zanderz.me
zscaller.live
/YcKOjLMxiwCZfSS//comrCVPEffFiPvF.php
/YcKOjLMxiwCZfSS/comrCVPEffFiPvF.php
/YcKOjLMxiwCZfSS/
/comrCVPEffFiPvF.php

# Reference: https://x.com/blackorbird/status/1851211200635543912

alieanmote.live
aquilei.live
bovnle.info
masatex.info
novasphere.live
ragonrise.info
renovaragora.info
sanping.info

# Reference: https://x.com/blackorbird/status/1853800938739241342
# Reference: https://threatbook.io/domain/gyyun.xyz

gyyun.xyz
a.gyyun.xyz

# Reference: https://x.com/blackorbird/status/1857061171456782341

aurorafoss.xyz

# Reference: https://x.com/wa1Ile/status/1859510826627105274
# Reference: https://x.com/blackorbird/status/1859598390193160630
# Reference: https://x.com/wa1Ile/status/1859961890593735100
# Reference: https://app.validin.com/detail?find=MIT%20Technology%20Review&type=raw&ref_id=824eb1886b9#tab=host_pairs
# Reference: https://www.virustotal.com/gui/file/12cf713242ae7eb11eceddbcc535f562f16e5be645f07a87e805e7f4f81b362a/detection
# Reference: https://www.virustotal.com/gui/file/7250c63c0035065eeae6757854fa2ac3357bab9672c93b77672abf7b6f45920a/detection
# Reference: https://www.virustotal.com/gui/file/30024cadaf9aead441d926132c2a83aa478aa153e02a5b248b4c0dec33fcab94/detection
# Reference: https://www.virustotal.com/gui/file/36c3aa180b8466d94b34397d786c913cc83bb33dbb1d6cc3bda0c83bd2392122/detection
# Reference: https://www.virustotal.com/gui/file/74ce1c5bfdfd095a974b5457aa13cb2912fd2f3fe00558793bdb02907dbfd3ce/detection

mingyn.org
stealthcomm.org
toproid.xyz
weixein.info
zdnets.top
atus.toproid.xyz
plete.toproid.xyz
tected.toproid.xyz
zon.toproid.xyz
/aewbf_jsd_td/
/aewbf_jsd_td/ktrgdysvt
/jyuecvdgt
/klhju_rdf_gd/
/klhju_rdf_gd/ktdfersfr
/ktdfersfr
/ktrgdysvt
/pfetc_ksr_lo/
/pfetc_ksr_lo/jyuecvdgt

# Reference: https://x.com/suyog41/status/1864271210739323023
# Reference: https://www.virustotal.com/gui/ip-address/185.74.222.242/relations
# Reference: https://www.virustotal.com/gui/file/d60e979ee44c9dc16e36657ec3a41016627cc685965befed018058986dd5d45e/detection
# Reference: https://www.virustotal.com/gui/file/9057de3409fcceaa7fd91ce3e0a692181e2dac028cc70f9fc370576925c7698d/detection

vormliebe.club
vorm.vormliebe.club
/djk_mdf81JH_jdJK_j999hf_kf/fdjhfd_dj81_kmdjk99999jfJHG_skl
/djk_mdf81JH_jdJK_j999hf_kf/
/fdjhfd_dj81_kmdjk99999jfJHG_skl
/mfjHJJK_jkfdjkfd999JKLLH_81_kfj_fdk/fdkfd_kdfjh81_djhndjJSjfjHdd_djfdj9999_djdJdk_jkf
/mfjHJJK_jkfdjkfd999JKLLH_81_kfj_fdk/
/fdkfd_kdfjh81_djhndjJSjfjHdd_djfdj9999_djdJdk_jkf
/SeEcdjJsdkKGFH_djm9_jfk_81_jkKSfj/JShJS_9jsGR_81FKSiaISH_jfhJS999hfISK
/SeEcdjJsdkKGFH_djm9_jfk_81_jkKSfj/
/JShJS_9jsGR_81FKSiaISH_jfhJS999hfISK

# Reference: https://x.com/SecAI_AI/status/1866441205715755518

wanghk.org

# Reference: https://x.com/blackorbird/status/1867205766307807405
# Reference: https://app.validin.com/detail?find=Flysas.com%20-%20Scandinavian%20Airlines%20Official%20Website%20%7C%20SAS&type=raw&ref_id=d6843ce3510#tab=host_pairs (# 2024-12-14)

instantindustri.live
sheicen.info
youdoa.info

# Reference: https://x.com/blackorbird/status/1869019971424313688

aquileia.live
dartshoppe.info
queretero.xyz

# Reference: https://x.com/blackorbird/status/1869740211481227541
# Reference: https://x.com/ThreatBookLabs/status/1869754057893855561
# Reference: https://x.com/StrikeReadyLabs/status/1869720899345318182
# Reference: https://www.virustotal.com/gui/file/784558045434404fff48c4599cbac24b079b45dcfdf94ceac488a33ce312f98d/detection

insightglobel.info
skyconect.org
tribunepk.org
biaonton.insightglobel.info
domran.insightglobel.info
documentsrequire.insightglobel.info
docs.tribunepk.org

# Reference: https://x.com/Cyberteam008/status/1871394361935819179
# Reference: https://pastebin.com/QfYTkXWY

bilibil.info
bolizhi.info
cialiseight.info
clomidtab.info
douhin.org
elsiver.info
huashan.info
overtures.info
retinoa.info
sjtu-edu-cn.org
welsends.live
youdianx.info

# Reference: https://x.com/ThreatBookLabs/status/1876637665875132770

amelaits.info
evolutiondebt.info

# Reference: https://x.com/ginkgo_g/status/1877602843106095567
# Reference: https://www.virustotal.com/gui/file/6faccd85e9c1cbeb7d12131fd55b551e4e1d86accbe53751214600664efdd106/detection
# Reference: https://www.virustotal.com/gui/file/49e2ca78803e0a903bf898a8c8332b3e0bb4661f74057b4553e19fe76ac443fe/detection

fyicompsol.xyz
metformina.live
ados.fyicompsol.xyz
auth.fyicompsol.xyz
kens.fyicompsol.xyz
kila.fyicompsol.xyz
omai.fyicompsol.xyz
rkde.fyicompsol.xyz
wg.fyicompsol.xyz
/aloetdg_74dfs/asgdneu9_lfd2
/bFIbN_sj9/ksJ9_Ks9J.bin
/jsgdevdw_3ed/hdbdewsq1_sc3
/kfdgbcws_rf4/dcsxwer32khd_esf
/lkasedb_4edsw/hsvdcxsew-3dsw
/aloetdg_74dfs/
/bFIbN_sj9/
/jsgdevdw_3ed/
/kfdgbcws_rf4/
/lkasedb_4edsw/
/asgdneu9_lfd2
/dcsxwer32khd_esf
/hdbdewsq1_sc3
/hsvdcxsew-3dsw
/ksJ9_Ks9J.bin

# Reference: https://x.com/blackorbird/status/1879155994036785155

emodigital.info
tingding.info

# Reference: https://x.com/blackorbird/status/1879894088562213070
# Reference: https://app.validin.com/detail?find=45.125.67.78&type=ip4&ref_id=0e5127cb794#tab=resolutions

haolaoshi.info

# Reference: https://x.com/suyog41/status/1881662594119024808
# Reference: https://app.validin.com/detail?find=%E5%85%89%E6%98%8E%E7%BD%91_%E6%96%B0%E9%97%BB%E8%A7%86%E9%87%8E%E3%80%81%E6%96%87%E5%8C%96%E8%A7%86%E8%A7%92%E3%80%81%E6%80%9D%E6%83%B3%E6%B7%B1%E5%BA%A6%E3%80%81%E7%90%86%E8%AE%BA%E9%AB%98%E5%BA%A6&type=raw#tab=host_pairs (# 2025-03-17)
# Reference: https://www.virustotal.com/gui/file/9f27d7b82a70ba3d8ff1ad9f26acf8245a45cf80fbe0c3cf9f026814167e8dc6/detection

hongbaow.info
neectar.info
sphereinc.info
liuyi.neectar.info
tian.neectar.info
/hsdverd_3ed5d/mdswsourt_4rfs
/lksderdd_4dferd/jhdfer3s_jh3de
/hsdverd_3ed5d/
/lksderdd_4dferd/
/jhdfer3s_jh3de
/mdswsourt_4rfs

# Reference: https://www.virustotal.com/gui/file/657357e43cdc0f83cf73658cfef160b020f72c08f41ce11d4f6b2da481f8c5e2/detection
# Reference: https://www.virustotal.com/gui/file/b976462859c61ae29f6509f980641f59f27e968072edc78fa4bf0f74caff634d/detection

pxcauto.info

# Reference: https://x.com/skocherhan/status/1885165347826758052/history
# Reference: https://app.validin.com/detail?find=193.239.86.136&type=ip4&ref_id=0cce4f3356d#tab=resolutions

bolizy.info
ritamorenodoc.com
sapdf.org
hk-ping.virtono.com

# Reference: https://x.com/RedDrip7/status/1897535706416996662
# Reference: https://www.virustotal.com/gui/file/34e260c301ee81b228d35ac721b06a3aa41fb5b07835078b5b4e2941fef8aa85/detection

myprivatedrives.com
/ticket_line/certificate.php
/ticket_line/openai.php

# Reference: https://x.com/suyog41/status/1908125176442622354
# Reference: https://www.virustotal.com/gui/file/8c233e13a0bc27bce7555b9a89f63c0eadaa5c618fe7301eebd7a32e2bd79bcf/detection

apps-house.com
playst0re.com

# Reference: https://app.validin.com/detail?find=146.70.161.26&type=ip4&ref_id=7975039e594#tab=resolutions (# 2025-04-04)

bluefileshare.com
muqaddasquran.com

# Reference: https://x.com/ginkgo_g/status/1915332815308403152
# Reference: https://www.virustotal.com/gui/file/4a626d128f00ed616e9eb3ba098920fd1d830c92cb8bdc8944e8bd9521a165ef/detection

breatlee.org
bonfo.breatlee.org
feng.breatlee.org
fimong.breatlee.org
giamon.breatlee.org
gioamo.breatlee.org
gomong.breatlee.org
hiaki.breatlee.org
hibnao.breatlee.org
jiamjo.breatlee.org
jiamo.breatlee.org
jiamon.breatlee.org
jianom.breatlee.org
kiamo.breatlee.org
kiamon.breatlee.org
kiamoz.breatlee.org
kimaho.breatlee.org
kmong.breatlee.org
komonnv.breatlee.org
loma.breatlee.org
lomong.breatlee.org
mianyo.breatlee.org
mingo.breatlee.org
mingom.breatlee.org
minsaz.breatlee.org
miqasn.breatlee.org
mkiang.breatlee.org
nimon.breatlee.org
nomon.breatlee.org
olama.breatlee.org
viamo.breatlee.org
xiamo.breatlee.org
xuang.breatlee.org

# Reference: https://app.validin.com/detail?find=051ff0b41b082ef28e65c17d5787cb30&type=hash&ref_id=f17897a12eb#tab=host_pairs (# 2025-05-09)
# Reference: https://www.virustotal.com/gui/file/a264edcd1845fde6af17ea935a4f7da82a96d4f93b0d7f563907255aa3e05918/detection

mrnextnewfeso.co

# Reference: https://x.com/volrant136/status/1921476422452789578

fredcounting.org
geochebrew.org
zithropak.org

# Reference: https://x.com/blackorbird/status/1926844187430789520
# Reference: https://mp.weixin.qq.com/s/pJTPeK1Cam5n4RUElWzb2Q
# Reference: https://www.virustotal.com/gui/ip-address/45.77.43.128/relations

viperdenx.info

# Reference: https://x.com/ginkgo_g/status/1926915716793413749
# Reference: https://app.validin.com/detail?find=29b09458486f130ead14f1143f4a2b72&type=hash&ref_id=05ab0d824fc#tab=host_pairs (# 2025-05-26)
# Reference: https://www.virustotal.com/gui/file/8f845267623cb3b8dbc99fcb374afcd695778addcc57c098714610c8f854e58a/detection

foundersthub.org
musickeepers.org

# Reference: https://x.com/malwrhunterteam/status/1928036337292132790
# Reference: https://app.validin.com/detail?find=b0a0f886d1efaa5802076ac21043632186b5a781&type=hash&ref_id=15af9f26bc4#tab=host_pairs (# 2025-05-29)
# Reference: https://www.virustotal.com/gui/file/2b24fe48628fe0405db4fa3534d31c305947a7eed8ff5e42724ab4d8117fb8ab/detection
# Reference: https://www.virustotal.com/gui/file/abefd29c85d69f35f3cf8f5e6a2be76834416cc43d87d1f6643470b359ed4b1b/detection

applepicker.info
asftbngh.top
blackmoo.info
bloomwpp.info
blueberrytree.info
brightpathos.eu
buzzstack.org
crownmedicals.com
evendarkness.info
fideline.info
flyinfishwater.info
fusionnook.info
goooglecloud.site
govpak.cloud
govpak.info
greenhippo.info
greenpop.info
hreatlittleheaven.info
ksecure.bio
martkartout.info
pineappleworld.info
pinkoceanbees.info
plumpinr.info
popcornstudy.info
purpleyh.info
redcardboard.info
sohbettr.info
sunmelonontheway.info
vibrantforest.info
mail.asftbngh.top
ns1.buzzstack.org
ns2.buzzstack.org
/Cljfdghdjhndklh_ommjhfdgj/cfnbgjfghom_mun_jkghdfjkghdjklgfk_ication.php
/reckjfhgjkRETldfhger/ljhgs563ERWHY3fkdhynkykntn_auto.php
/reckjfhgjkRETldfhger/rkgjdfDRRdfYklhjdlghecived.php
/cfnbgjfghom_mun_jkghdfjkghdjklgfk_ication.php
/ljhgs563ERWHY3fkdhynkykntn_auto.php
/rkgjdfDRRdfYklhjdlghecived.php
/Cljfdghdjhndklh_ommjhfdgj/
/reckjfhgjkRETldfhger/
/modjghdjkhnlkdnhkdhn/

# Reference: https://x.com/ginkgo_g/status/1933447492668174785
# Reference: https://www.virustotal.com/gui/file/bca3cd5be5def46264b2a2e2170954b5829659f7527be1549d55821e290facf5/detection
# Reference: https://www.virustotal.com/gui/file/cf89a287a5c2397d52fe3c3e8dded1a7bd2804be38ecdaa5d87cea9530ed8264/detection

bizzshared.com
/gandalf/cane.php

# Reference: https://x.com/ginkgo_g/status/1943201717580972343
# Reference: https://www.virustotal.com/gui/file/4466995be863ec4405fc053296cfe74d0098f94e61aa89c95fa2cc80c8ad6cb9/detection
# Reference: https://www.virustotal.com/gui/file/755f6c8ed6aacfd51915b0732815bce26db82484a205ef333a7ee96760e44c32/detection

arpawebdom.org
jlu-edu.org

# Reference: https://x.com/suyog41/status/1943231579699970405
# Reference: https://www.virustotal.com/gui/file/341f27419becc456b52d6fbe2d223e8598065ac596fa8dec23cc722726a28f62/detection

expouav.org

# Reference: https://x.com/blackorbird/status/1943536808438173973
# Reference: https://mp.weixin.qq.com/s/xn313WWNi7rln-WfwFgE5w

aonepiece.org

# Reference: https://x.com/volrant136/status/1943953485982314988

dawnnewstv.news

# Reference: https://x.com/teamcymru_S2/status/1948448626323099733

cypowertech.org
techzcore.org

# Reference: https://x.com/volrant136/status/1948762052010365403
# Reference: https://www.virustotal.com/gui/file/36830efbbf2999d50758b55b2a3140af749ab08a8ede1ac9e75801eeedc7ea08/detection

globalsoler.org

# Reference: https://x.com/volrant136/status/1948796460675297464
# Reference: https://www.virustotal.com/gui/file/e7472e7c75533cb6f548742d9e945b36a11e985788304b8f10572d1d08f28185/detection

zebydigital.org

# Reference: https://arcticwolf.com/resources/blog/dropping-elephant-apt-group-targets-turkish-defense-industry/
# Reference: https://www.virustotal.com/gui/file/a328280618fc09c9f3dd50e5aa4d85fa5063a6073306069a451bc9da816365e6/detection
# Reference: https://www.virustotal.com/gui/file/969fb3e705ba8afe757ba7617e75d1096d4793d14796e2734613cfcc50675652/detection
# Reference: https://www.virustotal.com/gui/file/8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2/detection

roseserve.org

# Reference: https://x.com/WhichbufferArda/status/1933300356370325981
# Reference: https://x.com/volrant136/status/1933769135931981969
# Reference: https://arcticwolf.com/resources/blog/dropping-elephant-apt-group-targets-turkish-defense-industry/
# Reference: https://www.virustotal.com/gui/file/a3ba53a0d59bda812b01a1864358f0561ed844c5b58c0132d5a2582aee8d221b/detection
# Reference: https://www.virustotal.com/gui/file/21270aab75e9e552db617885bcb10621d0de92a293ab5579df31309945a61eab/detection

caapakistaan.com
datamero.org
d11d6t6zp1jvtm.cloudfront.net

# Reference: https://x.com/ginkgo_g/status/1951229859616661766
# Reference: https://www.virustotal.com/gui/file/d1a9ad4186abdb66340dcad87833d30ea8ecc977f530163ad10e053e9e37cf5a/detection
# Reference: https://www.virustotal.com/gui/file/998c270a5fea8645a7b9c6e45d310f23eb757a23ea0408d05bf42fd211da5557/detection

cas-cn.org

# Reference: https://x.com/ginkgo_g/status/1954803958637056198

xydzaim.org

# Reference: https://x.com/RedDrip7/status/1963425314815840568
# Reference: https://www.virustotal.com/gui/file/2410f2fe2067aba972d9f255530499fbce40664308cf55c220f382256ab09b54/detection

baidunetdisk.info
sinopakgateway.info
/MRTP28ZW7DH.tut
/NR44PZXRWND8A.tut

# Reference: https://x.com/ThreatBookLabs/status/1963799261180830133
# Reference: https://www.virustotal.com/gui/ip-address/5.252.177.34/relations
# BODY_SHA1-HOST=301bfc79cdbc67aa7ae2a9f6ae31a8c8a394dac6
# CERT_FINGERPRINT_SHA256-HOST=157e79283f5c5326dc6d671d537db91f59e612937d4998626e82d0a1801c61ea

nlc-pk.org
nrtc-com-pk.org
pnra-pk.org
ptv-news.org
socialback.org
stm-tr.org
doc.nrtc-com-pk.org
documents.nrtc-com-pk.org
propriated.co.in

# Reference: https://app.validin.com/detail?find=301bfc79cdbc67aa7ae2a9f6ae31a8c8a394dac6&type=hash&ref_id=f339ccf85bf#tab=host_pairs (# 2025-09-05)

delpenzy.org
jlu-edu-cn.org
tsinghua-edu.org

# Reference: https://x.com/RedDrip7/status/1966329373927288941
# Reference: https://app.validin.com/detail?find=7d70e351fecf88c99b1db4c14b2b393e&type=hash&ref_id=92fece9cefb#tab=host_pairs (# 2025-09-12)
# Reference: https://www.virustotal.com/gui/file/b7c1a2f05b74613f8ff47d40c0a8562121bfb97482421c4475355b9ccd53c866/detection
# Reference: https://www.virustotal.com/gui/file/d20d4e90de355c90f4d9a0b7b80cf1aa32fe8b9b7aba5db730cfdde16df43021/detection
# Reference: https://www.virustotal.com/gui/file/2f329a1171d2c6b1471604bf76157b6487c3e59d21bf4a0856e29dc4ba8753cb/detection
# CLASS_1_HASH-HOST=3c6d096f3309de27c7ef2ad0f3dbb749
# HEADER_HASH-HOST=e4e0a0c81e9231d671c3

anchorsoft.org
civihr.org
codendigital.org
driftlance.org
empirecu.org
inboundhealthcare.us
laddervector.org
lamusicawards.org
learnroots.org
nr3cgovpk.org
plasnes.org
st-wcde.org
stubblers.org
ternuimert.org
thelifeafter.org
verbaleryer.org
vespalabs.org
whywouldwe.org
abcvip.us.org
api.inboundhealthcare.us
dev.lamusicawards.org
stmu-edu-pk-localhost.pages.dev

# Reference: https://x.com/__0XYC__/status/1970083613636251836
# Reference: https://www.virustotal.com/gui/file/29b0fcf9aa01e87255bf9941e01c22b3cb103607bfccbdc52d933df48dc98639/detection

cloudexchangeshare.center

# Reference: https://x.com/volrant136/status/1973762443009794065
# Reference: https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor
# BANNER_0_HASH-HOST=2d8e60ff8c0529182772d2e51cb738cd
# BANNER_0_HASH-HOST=2ef615a690c27dc9bb0a63c24c885ab9
# BANNER_0_HASH-HOST=379e17ffbbdcb62714366cfadb3ff7d8
# BANNER_0_HASH-HOST=459b2cdb1d4f71de7f87fa387d17a5ce
# BANNER_0_HASH-HOST=00842f351f17093154183ac20158003f
# BANNER_0_HASH-HOST=26d70c1f84b7de0a95a4302004b176a2
# BANNER_0_HASH-HOST=42dc94be6acb8d310d5570da53880f6d

cornfieldblue.info
dropmicis.info
food-madeness.info
greenxeonsr.info
govpak.digital
hauntedfishtree.info
indomax138slot.org
marshmellowflowerscar.info
nayatelmediashare.info
petricgreen.info
redbanana36.info
/Jsdfwejhrg.rko

# Reference: https://x.com/RedDrip7/status/1977641871532077238
# Reference: https://www.virustotal.com/gui/file/01b7a6cccfa1d596e75e997fe2bd2063af3c264f169df60a0c8723818f22b39f/detection
# Reference: https://www.virustotal.com/gui/file/582f4c583086a67f8942777b7a65a054b020a6732abd954a92ff525d9d0a3dba/detection

adskochbus.org
theserveunity.org

# Reference: https://x.com/suyog41/status/1978396001778999417
# Reference: https://www.virustotal.com/gui/file/9f5b34ee5a5cd2eebc8923a961de8bc7b67c3048f7b6ebc1287fa8be613b9d83/detection

snugluxe.org

# Generic

/4sVKAOvu3D/
/e3e7e71a0b28b5e96cc492e636722f73/
/ABDYot0NxyG.php
/BDYot0NxyG.php
/UYEfgEpXAOE.php
