# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt44, blackenergy, quedagh, voodoo bear, temp.noble, iron viking, seashell blizzard, KALAMBUR backdoor

# CERT-UA: UAC-0082

# Reference: https://web.archive.org/web/20120106212034/http://amada.abuse.ch/blocklist.php?download=domainblocklist (# archived 2012 abuse.ch AMaDa domain blocklist snapshot; the snapshot itself carries no actor attribution and these domains are over a decade old, so treat them as legacy/low-confidence and verify before relying on them for attribution)

abaronaweb.net
ads.ew.com.cn
all-invite.org
aut0mat.info
bka.im
cazino-game.com
cxim.asia
ddumasz.info
globdomain.ru
hackzona.tk
jakkaru.ru
k0x.ru
kandagarka.net
myprodjs.ru
olololo.in
onlinejobsnet.co.cc
prava-servise.ru
sharp.mcdir.ru
webprofiler.cc
write-dream.ru

# Reference: https://www.virustotal.com/gui/ip-address/185.80.53.22/relations

account-googlmail.ml
account-loginserv.com

# Reference: https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf
# Reference: https://www.virustotal.com/gui/file/dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730/detection

95.216.13.196:53
95.216.13.196:8080
hostapp.be

# Reference: https://twitter.com/kyleehmke/status/1267222198588145664

userarea.click
userarea.eu

# Reference: https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure/

fbapp.info
fbapp.link
fbapp.top
myaccount.click
myaccount.one
userarea.click
userarea.eu
userarea.in
userarea.top
userzone.eu
userzone.one
webcache.one

# Reference: https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
# Reference: https://otx.alienvault.com/pulse/623319918d3021c70ec8f396

1.9.85.247:3269
1.9.85.247:636
1.9.85.247:8443
1.9.85.247:989
1.9.85.247:990
1.9.85.247:994
1.9.85.247:995
1.9.85.248:3269
1.9.85.248:636
1.9.85.248:8443
1.9.85.248:989
1.9.85.248:990
1.9.85.248:994
1.9.85.248:995
1.9.85.249:3269
1.9.85.249:636
1.9.85.249:8443
1.9.85.249:989
1.9.85.249:990
1.9.85.249:994
1.9.85.249:995
1.9.85.252:3269
1.9.85.252:636
1.9.85.252:8443
1.9.85.252:989
1.9.85.252:990
1.9.85.252:994
1.9.85.252:995
1.9.85.253:3269
1.9.85.253:636
1.9.85.253:8443
1.9.85.253:989
1.9.85.253:990
1.9.85.253:994
1.9.85.253:995
1.9.85.254:3269
1.9.85.254:636
1.9.85.254:8443
1.9.85.254:989
1.9.85.254:990
1.9.85.254:994
1.9.85.254:995
102.50.244.205:3269
102.50.244.205:636
102.50.244.205:8443
102.50.244.205:989
102.50.244.205:990
102.50.244.205:994
102.50.244.205:995
148.76.89.2:3269
148.76.89.2:636
148.76.89.2:8443
148.76.89.2:989
148.76.89.2:990
148.76.89.2:994
148.76.89.2:995
148.76.89.3:3269
148.76.89.3:636
148.76.89.3:8443
148.76.89.3:989
148.76.89.3:990
148.76.89.3:994
148.76.89.3:995
148.76.89.4:3269
148.76.89.4:636
148.76.89.4:8443
148.76.89.4:989
148.76.89.4:990
148.76.89.4:994
148.76.89.4:995
148.76.89.5:3269
148.76.89.5:636
148.76.89.5:8443
148.76.89.5:989
148.76.89.5:990
148.76.89.5:994
148.76.89.5:995
148.76.89.6:3269
148.76.89.6:636
148.76.89.6:8443
148.76.89.6:989
148.76.89.6:990
148.76.89.6:994
148.76.89.6:995
151.0.185.146:3269
151.0.185.146:636
151.0.185.146:8443
151.0.185.146:989
151.0.185.146:990
151.0.185.146:994
151.0.185.146:995
151.0.185.147:3269
151.0.185.147:636
151.0.185.147:8443
151.0.185.147:989
151.0.185.147:990
151.0.185.147:994
151.0.185.147:995
151.0.185.148:3269
151.0.185.148:636
151.0.185.148:8443
151.0.185.148:989
151.0.185.148:990
151.0.185.148:994
151.0.185.148:995
151.0.185.149:3269
151.0.185.149:636
151.0.185.149:8443
151.0.185.149:989
151.0.185.149:990
151.0.185.149:994
151.0.185.149:995
151.0.185.150:3269
151.0.185.150:636
151.0.185.150:8443
151.0.185.150:989
151.0.185.150:990
151.0.185.150:994
151.0.185.150:995
182.73.50.114:3269
182.73.50.114:636
182.73.50.114:8443
182.73.50.114:989
182.73.50.114:990
182.73.50.114:994
182.73.50.114:995
182.73.50.115:3269
182.73.50.115:636
182.73.50.115:8443
182.73.50.115:989
182.73.50.115:990
182.73.50.115:994
182.73.50.115:995
217.57.80.18:3269
217.57.80.18:636
217.57.80.18:8443
217.57.80.18:989
217.57.80.18:990
217.57.80.18:994
217.57.80.18:995
37.71.147.186:3269
37.71.147.186:636
37.71.147.186:8443
37.71.147.186:989
37.71.147.186:990
37.71.147.186:994
37.71.147.186:995
50.192.49.210:3269
50.192.49.210:636
50.192.49.210:8443
50.192.49.210:989
50.192.49.210:990
50.192.49.210:994
50.192.49.210:995
96.80.68.193:3269
96.80.68.193:636
96.80.68.193:8443
96.80.68.193:989
96.80.68.193:990
96.80.68.193:994
96.80.68.193:995
96.80.68.194:3269
96.80.68.194:636
96.80.68.194:8443
96.80.68.194:989
96.80.68.194:990
96.80.68.194:994
96.80.68.194:995
96.80.68.195:3269
96.80.68.195:636
96.80.68.195:8443
96.80.68.195:989
96.80.68.195:990
96.80.68.195:994
96.80.68.195:995
96.80.68.196:3269
96.80.68.196:636
96.80.68.196:8443
96.80.68.196:989
96.80.68.196:990
96.80.68.196:994
96.80.68.196:995
96.80.68.197:3269
96.80.68.197:636
96.80.68.197:8443
96.80.68.197:989
96.80.68.197:990
96.80.68.197:994
96.80.68.197:995

# Reference: https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf

100.43.220.234:3269
100.43.220.234:636
100.43.220.234:8443
100.43.220.234:989
100.43.220.234:990
100.43.220.234:994
100.43.220.234:995
100.43.220.234:996
105.159.248.137:3269
105.159.248.137:636
105.159.248.137:8443
105.159.248.137:989
105.159.248.137:990
105.159.248.137:994
105.159.248.137:995
105.159.248.137:996
109.192.30.125:3269
109.192.30.125:636
109.192.30.125:8443
109.192.30.125:989
109.192.30.125:990
109.192.30.125:994
109.192.30.125:995
109.192.30.125:996
151.0.169.250:3269
151.0.169.250:636
151.0.169.250:8443
151.0.169.250:989
151.0.169.250:990
151.0.169.250:994
151.0.169.250:995
151.0.169.250:996
185.82.169.99:3269
185.82.169.99:636
185.82.169.99:8443
185.82.169.99:989
185.82.169.99:990
185.82.169.99:994
185.82.169.99:995
185.82.169.99:996
188.152.254.170:3269
188.152.254.170:636
188.152.254.170:8443
188.152.254.170:989
188.152.254.170:990
188.152.254.170:994
188.152.254.170:995
188.152.254.170:996
2.230.110.137:3269
2.230.110.137:636
2.230.110.137:8443
2.230.110.137:989
2.230.110.137:990
2.230.110.137:994
2.230.110.137:995
2.230.110.137:996
208.81.37.50:3269
208.81.37.50:636
208.81.37.50:8443
208.81.37.50:989
208.81.37.50:990
208.81.37.50:994
208.81.37.50:995
208.81.37.50:996
212.103.208.182:3269
212.103.208.182:636
212.103.208.182:8443
212.103.208.182:989
212.103.208.182:990
212.103.208.182:994
212.103.208.182:995
212.103.208.182:996
212.202.147.10:3269
212.202.147.10:636
212.202.147.10:8443
212.202.147.10:989
212.202.147.10:990
212.202.147.10:994
212.202.147.10:995
212.202.147.10:996
212.234.179.113:3269
212.234.179.113:636
212.234.179.113:8443
212.234.179.113:989
212.234.179.113:990
212.234.179.113:994
212.234.179.113:995
212.234.179.113:996
24.199.247.222:3269
24.199.247.222:636
24.199.247.222:8443
24.199.247.222:989
24.199.247.222:990
24.199.247.222:994
24.199.247.222:995
24.199.247.222:996
37.99.163.162:3269
37.99.163.162:636
37.99.163.162:8443
37.99.163.162:989
37.99.163.162:990
37.99.163.162:994
37.99.163.162:995
37.99.163.162:996
50.255.126.65:3269
50.255.126.65:636
50.255.126.65:8443
50.255.126.65:989
50.255.126.65:990
50.255.126.65:994
50.255.126.65:995
50.255.126.65:996
70.62.153.174:3269
70.62.153.174:636
70.62.153.174:8443
70.62.153.174:989
70.62.153.174:990
70.62.153.174:994
70.62.153.174:995
70.62.153.174:996
78.134.89.167:3269
78.134.89.167:636
78.134.89.167:8443
78.134.89.167:989
78.134.89.167:990
78.134.89.167:994
78.134.89.167:995
78.134.89.167:996
80.15.113.188:3269
80.15.113.188:636
80.15.113.188:8443
80.15.113.188:989
80.15.113.188:990
80.15.113.188:994
80.15.113.188:995
80.15.113.188:996
80.153.75.103:3269
80.153.75.103:636
80.153.75.103:8443
80.153.75.103:989
80.153.75.103:990
80.153.75.103:994
80.153.75.103:995
80.153.75.103:996
80.155.38.210:3269
80.155.38.210:636
80.155.38.210:8443
80.155.38.210:989
80.155.38.210:990
80.155.38.210:994
80.155.38.210:995
80.155.38.210:996
81.4.177.118:3269
81.4.177.118:636
81.4.177.118:8443
81.4.177.118:989
81.4.177.118:990
81.4.177.118:994
81.4.177.118:995
81.4.177.118:996
90.63.245.175:3269
90.63.245.175:636
90.63.245.175:8443
90.63.245.175:989
90.63.245.175:990
90.63.245.175:994
90.63.245.175:995
90.63.245.175:996
93.51.177.66:3269
93.51.177.66:636
93.51.177.66:8443
93.51.177.66:989
93.51.177.66:990
93.51.177.66:994
93.51.177.66:995
93.51.177.66:996

# Reference: https://cert.gov.ua/article/39518 (Ukrainian)
# Reference: https://otx.alienvault.com/pulse/62552abdd7e44d9aba08636d

http://195.230.23.19
http://91.245.255.243
195.230.23.19:443
91.245.255.243:443

# Reference: https://cert.gov.ua/article/160530 (Ukrainian)
# CERT-UA: CrescentImp, UAC-0113

185.80.92.143:8998
87.236.161.43:443

# Reference: https://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/
# Reference: https://www.virustotal.com/gui/ip-address/193.239.152.131/relations
# Reference: https://www.virustotal.com/gui/file/43b69a81693488905ef655d22e395c3f8dee2486aba976d571d3b12433d10c93/detection
# Reference: https://www.virustotal.com/gui/file/0bb5e98f77e69d85bf5068bcbc5b5876f8e5855d34d9201d1caffbf83460cccc/detection

http://193.239.152.131

# Reference: https://cys-centrum.com/ru/news/black_energy_2_3 (Russian)

http://146.0.74.7
http://148.251.82.21
http://188.40.8.72
http://31.210.111.154
http://41.77.136.250
http://5.149.254.114
http://5.9.32.230
http://88.198.25.92
http://95.211.122.36
146.0.74.7:443
148.251.82.21:443
188.40.8.72:443
31.210.111.154:443
41.77.136.250:443
5.149.254.114:443
5.9.32.230:443
88.198.25.92:443
/Microsoft/Update/KS4567890.php
/Microsoft/Update/KS081274.php
/Microsoft/Update/KS081274.php
/Microsoft/Update/KC074913.php
/Microsoft/Update/KS1945777.php
/fHKfvEhleQ/maincraft/derstatus.php
/fHKfvEhleQ/maincraft/
/fHKfvEhleQ/
/l7vogLG/BVZ99/rt170v/solocVI/eegL7p.php
/l7vogLG/BVZ99/rt170v/solocVI/
/l7vogLG/BVZ99/rt170v/
/l7vogLG/BVZ99/
/eegL7p.php

# Reference: https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/

http://46.165.222.28
http://94.185.85.122
46.165.222.28:443

# Reference: https://twitter.com/RecordedFuture/status/1571946803427414016
# Reference: https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine

kievstar.online
ett.ddns.net
ett.hopto.org
darkett.ddns.net
kyiv-star.ddns.net
star-cz.ddns.net
star-link.ddns.net

# Reference: https://twitter.com/Des00464472/status/1590213508423352320

124.115.171.103:443

# Reference: https://twitter.com/RakeshKrish12/status/1687344650963804160 (# the Cyclops ransomware group has discontinued its operations and rebranded as the "Knight" group (Knight ransomware); note this refers to the Cyclops ransomware operation, not the Cyclops Blink malware referenced above — confirm attribution against the source before relying on these entries)

knight3xppu263m7g4ag3xlit2qxpryjwueobh7vjdc3zrscqlfu3pqd.onion
nt3rrzq5hcyznvdkpslvqbbc2jqecqrinhi5jtwoae2x7psqtcb6dcad.onion

# Reference: https://twitter.com/felixw3000/status/1689541933062868992
# Reference: https://www.virustotal.com/gui/file/5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe/detection

dvjbn4sg4p1ck.cloudfront.net

# Reference: https://twitter.com/fr0s7_/status/1696485604630970879
# Reference: https://www.virustotal.com/gui/file/25497816b84a44be526c4cf048b53fe64118dbda5fdde45bdffe5ce3e2fe259f/detection

knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion

# Reference: https://cert.gov.ua/article/2698320 (Ukrainian, UAC-0133)

185.225.114.108:48765

# Reference: https://cert.gov.ua/article/6278706 (# UAC-0133)

http://178.250.188.114
http://185.225.114.90
http://194.61.121.211
http://195.154.182.165
http://196.245.156.154
http://91.92.137.164
165.231.34.106:443
178.250.188.114:443
185.225.114.90:443
194.61.121.211:443
195.154.182.165:443
196.245.156.154:443
91.92.137.164:443

# Reference: https://x.com/DailyDarkWeb/status/1802234656039051511
# Reference: https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf

account-check.hostapp.link
account.adfs.kyivstar.online
accounts.google-account-settings.spdup.art
adfs.kyivstar.online
claud.in
cloue.link
darksea.ddns.net
drive.google.com.filepreview.auth.userarea.click
filepreview.auth.userarea.click
google-account-settings.spdup.art
i.ua.account-check.hostapp.link
kyivstar.me
kyivstar.online
login.adfs.kyivstar.online
login.kyivstar.online
me-cloud.link
nalog.in
outlook.adfs.kyivstar.online
solntsepek.com
spdup.art
telegramweb.us
tgcloud.link
tgeo.link
tgme.contact
tgset.click
ua.account-check.hostapp.link
ukrnet24.com
xaknet.team
yanoo.com.userarea.eu

# Reference: https://x.com/StrikeReadyLabs/status/1869210151439253673
# Reference: https://x.com/StrikeReadyLabs/status/1869359670290468993
# Reference: https://www.virustotal.com/gui/file/d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2/detection

aplusdesktop.workers.dev
aplusmodgovua.workers.dev
armylpus.workers.dev
armyplus-desktop.workers.dev
desktopaplus.workers.dev
desktopapluscom.workers.dev
beta-0-110.armyplus-desktop.workers.dev
beta-0-2237.desktopapluscom.workers.dev
old-lab-1001.armyplus-desktop.workers.dev
yellow-butterfly-6fcd.armyplus-desktop.workers.dev
wvtmsouaa2gt6jmcuxj5hkfrqdss5lhecoqijt5dl7gfruueu3i5mkad.onion

# Reference: https://x.com/TLP_R3D/status/1889627590970757502
# Reference: https://app.validin.com/detail?find=a78dda24e41edb22c214a4d5db1caf2671b5dff7&type=hash&ref_id=4c558f1ca34#tab=host_pairs (# 2025-02-12)
# Reference: https://app.validin.com/detail?find=dca40e790cd76198c6748dc8d5c90ee58d3f0f84&type=hash&ref_id=6ad15c0868a#tab=host_pairs (# 2025-02-12)
# Reference: https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns

http://5.255.119.183
http://5.255.119.195
http://5.255.114.16
http://5.255.99.169
http://5.255.121.218
http://5.255.122.118
http://5.255.101.146
activationsmicrosoft.com
kalambur.net
kms-win11-update.net
kmsupdate2023.com
onedrivestandaloneupdater.com
ratiborus2023.com
windowsdrivepack.com
windowsupdatesystem.org
2zilmiystfbjib2k4hvhpnv2uhni4ax5ce4xlpb7swkjimfnszxbkaid.onion

# Reference: https://x.com/Now_on_VT/status/1889750562230407235
# Reference: https://x.com/BaoshengbinCumt/status/1889865641223659527
# Reference: https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/

http://103.201.129.130
103.201.129.130:443
cloud-sync.org
hwupdates.com

# Reference: https://x.com/TLP_R3D/status/1892221224094445666
# Reference: https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger

150.107.31.194:18000

# Reference: https://x.com/StrikeReadyLabs/status/1847329950443184313
# Reference: https://strikeready.com/blog/ru-apt-targeting-energy-infrastructure-unknown-unknowns-part-3/
# Reference: https://www.virustotal.com/gui/file/b8d97d29e99e1f96e06836468db56855dc09305e3ed663c720fe700ea4bf6e73/detection
# Reference: https://www.virustotal.com/gui/file/806b5269e7aa9c2c82ce247b30a3e92a4f7285b21e2bcf54c8ffad86bd92ea68/detection

adobeprotectcheck.com
annualgieconferenceinmunich2024.com
antimailspam.com
gieannualconferenceinmunich.com
protectconnections.com
protectraid.com
login.antimailspam.com
afi-ukraine.org/wp-includes/bestone.php
calendar.stib.com.ua/bestone.php
ertel-audit.com/wp-includes/caramel.php
helpdesk.katolik.bydgoszcz.pl/bydgoszcz.php
gurt.duna.ua/programy-nauczania/GIEAnnualConferenceStage2
gurt.duna.ua/programy-nauczania/GTSvitikgasuStage5
gurt.duna.ua/programy-nauczania/ssowoface.dll
gurt.duna.ua/programy-nauczania/

# Reference: https://x.com/byrne_emmy12099/status/1856178461515362623
# Reference: https://x.com/DaveLikesMalwre/status/1893691921995878762
# Reference: https://x.com/Cyber0verload/status/1893952471342428182
# Reference: https://cert.gov.ua/article/6282517
# Reference: https://www.virustotal.com/gui/file/36db27f5eb3343cfc72d261d78da44957a49cb6731acb50a96ea5694f4d616c5/detection
# Reference: https://www.virustotal.com/gui/file/d0a6c1f647ae9f21789bc12f88f00e44f0e92c77cb901f3f80da08b033aa9f36/detection
# Reference: https://www.virustotal.com/gui/file/baa76590f0917782ca070401feb83cf11ee001b644a4ef44219df81d4eb1ecb5/detection
# Reference: https://www.virustotal.com/gui/file/9507beb5f00ae19cbd3fc3ac74d761fd497d5e999abf5f6d4e2b3af30706389d/detection
# Reference: https://www.virustotal.com/gui/file/05285298ae543665503ab8880204607078f63fd87c10f966838aa6ee0325f222/detection
# Reference: https://www.virustotal.com/gui/file/0a2a18aac9f5683d4a65e402e22503d1b20a736d12ac71d0f1eff2f9bc0788a8/detection
# Reference: https://www.virustotal.com/gui/file/4a302c0ed3c47231bc7c34cf2d41bc0ceb60d9c7b0023df015f75a58853f43d2/detection

http://212.237.217.78
http://51.222.43.200
http://66.63.187.79
http://91.232.31.178
91.232.31.178:873
cdnauthsoft.com
documents-reader.com
documentreader.net
object-storage-service.com
afi-ukraine.org/wp-includes/bestone.php
calendar.stib.com.ua/bestone.php
gieannualconferenceinmunich.com/Downloads/
annualgieconferenceinmunich2024.com/Downloads/
gurt.duna.ua/programy-nauczania/arst.dll
protectraid.com/Downloads/
protectraid.com/Downloads/Resume.lnk
protectraid.com/Downloads/Resume.pdf.lnk
protectraid.com/Downloads/VASY.lnk
# NOTE(review): "dobeprotectcheck.com" looks like a typo of adobeprotectcheck.com (listed above and on the next line); confirm against the referenced reports before correcting
dobeprotectcheck.com/Downloads/
adobeprotectcheck.com/Downloads/zayavka.lnk
furqaanenergy.com/wp-includes/b1tuZmhqZXJbaGZkYmdhbmFkZmhyZmEK.php
furqaanenergy.com/wp-includes/b1tuZmhqZXJbaGZkYmdhbmFkZmhyZmEKb1.php
furqaanenergy.com/wp-includes/Text/November/
furqaanenergy.com/wp-includes/Text/November2/
ertel-audit.com/wp-includes/caramel.php
ertel-audit.com/wp-includes/b1tuZmhqZXJbaGZkYmdhbmFkZmhyZmEK.php
ertel-audit.com/wp-includes/b1tuZmhqZXJbaGZkYmdhbmFkZmhyZmEKb1.php
ertel-audit.com/wp-includes/GIE_Annual_Conference_2024_Participant_Form.pdf
ertel-audit.com/wp-includes/Zayava_pro_vitik_gasu.pdf
helpdesk.katolik.bydgoszcz.pl/bydgoszcz.php
helpdesk.katolik.bydgoszcz.pl/eliot.php
/wp-includes/b1tuZmhqZXJbaGZkYmdhbmFkZmhyZmEK.php
/wp-includes/b1tuZmhqZXJbaGZkYmdhbmFkZmhyZmEKb1.php
/b1tuZmhqZXJbaGZkYmdhbmFkZmhyZmEK.php
/b1tuZmhqZXJbaGZkYmdhbmFkZmhyZmEKb1.php

# Reference: https://x.com/WhichbufferArda/status/1972012355983720623
# Reference: https://www.virustotal.com/gui/file/6472d2f027e25639b98381affdeb6932a82a530aa593198d6d85f99a1d74c114/detection
# Reference: https://www.virustotal.com/gui/file/a1b41f7ee862ee9703afda7793d22728e4f8fa571241520b97d523875d81333e/detection

esetpremium.com
