# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: raindrop, solorigate, sunburst, supernova, teardrop, stellarparticle, dark halo, goldfinder, goldmax, NOBELIUM, sibot, sunshuttle, SilverFish, BlueBravo

# Reference: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
# Reference: https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html
# Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
# Reference: https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/
# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds
# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
# Reference: https://twitter.com/_CPResearch_/status/1339952318717063168
# Reference: https://otx.alienvault.com/pulse/5fd6df943558e0b56eaf3da8
# Reference: https://otx.alienvault.com/pulse/5fdce61ef056eff2ce0a90de
# Reference: https://otx.alienvault.com/pulse/6007149a5ff246c7c18229c1

avsvmcloud.com
bigtopweb.com
databasegalore.com
deftsecurity.com
digitalcollege.org
ervsystem.com
freescanonline.com
globalnetworkissues.com
highdatabase.com
incomeupdate.com
infinitysoftwares.com
kubecloud.com
lcomputers.com
panhardware.com
seobundlekit.com
solartrackingsystem.net
thedoccloud.com
virtualdataserver.com
virtualwebdata.com
webcodez.com
websitetheme.com
zupertech.com
appsync-api.eu-west-1.avsvmcloud.com
appsync-api.us-east-1.avsvmcloud.com
appsync-api.us-east-2.avsvmcloud.com
appsync-api.us-west-2.avsvmcloud.com
6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com
7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com
ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com
k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com
mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com

# Reference: https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
# Reference: https://otx.alienvault.com/pulse/60088b53da5e673bc2825ce8

aimsecurity.net
datazr.com
financialmarket.org
gallerycenter.org
mobilnweb.com
olapdatabase.com
swipeservice.com
techiefly.com

# Reference: https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/
# Reference: https://otx.alienvault.com/pulse/601da173ed7d3e7e31c67c3d/
# Reference: https://www.virustotal.com/gui/file/a25fc5af86296dcd5bb41668443a36947bccd17a1687f9b118675f1503b3e376/detection
# Reference: https://www.virustotal.com/gui/file/f39dc0dfd43477d65c1380a7cff89296ad72bfa7fc3afcfd8e294f195632030e/detection

216.243.39.167:8090
98.225.248.37:8090

# Reference: https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html
# Reference: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
# Reference: https://www.virustotal.com/gui/file/b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8/detection
# Reference: https://twitter.com/cyb3rops/status/1367794498965766144

185.225.69.69:443
onetechcompany.com
reyweb.com/assets/index.php
srfnetwork.org

# Reference: https://twitter.com/ShadowChasing1/status/1368831762114093059
# Reference: https://www.virustotal.com/gui/file/2375da7528de541b7e60eae80ab14bb88e39f30b798869b26ad67c6cc46af765/detection

example.com/assets/index.php

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SunBurst/SilverFish_Solarwinds.pdf

179.43.141.188:81
179.43.141.188:82
179.43.141.188:83
185.189.151.182:443
185.189.151.182:443
91.219.239.43:143
91.219.239.54:81
91.219.239.54:82

adsprofitnetwork.com
d3ser9acyt7cdp.cloudfront.net
secureconnectiongroup.com
securesearchnow.com
twimg-us.azureedge.net
coloradospringsroofing.info
lamarfish.com
robotvice.com
roofingspecialists.info
signup-now.com


# Traffic Distribution Servers

champions.gdtc.org
flowers.netplusplans.com
flowers.thegardnerco.com
pointers.ecostratas.com
popcorn.net-zerodesign.com
test.news.pocketstay.com

# JavaScript Injection Points

jenkins.findfwd.com
test.directfwd.com
securesearchnow.com
alertmeter.info
/sk-jspark_init.php

# C&C Proxies

40ort.750.credit
adagio.betterworldshopping.com
admirer.onehourcfo.com
backup.awarfaregaming.com
bmlor.750.credit
builder.visionarybusiness.net
combat.strategyforgood.com
context.septemberyears.org
daddy.stlouisdemoday.com
defender5.coachwithak.com
fanta.swofficefurniture.com
freespace.givingprofits.net
gallery.wineadam.com
group3.pulsedesigngroup.us
inferno.bigpurposebigimpact.com
inspirer.cartsandmowers.com
joke.webproduct.info
joomla.lifepath.site
lion.vipjoyeria.com
method.nonprofitsustainability.com
phpmyadmin.xsunx.com
pixelapn2.adsprofitnetwork.com
pixelapn.adsprofitnetwork.com
plkiu.daniyalmedicaltech.com
printing.laminatesandthings.com
promo9.promossupply.com
prompt.powerofpartnerships.net
q.promossupply.com
rock.core-thought.com
snuff.mybabyrose.com
standart.sdtranspo.com
time.suehyatt.com
zombie.susan-hyatt.com

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1383113919405903873
# Reference: https://www.virustotal.com/gui/file/4e8f24fb50a08c12636f3d50c94772f355d5229e58110cccb3b4835cb2371aec/detection

megatoolkit.com

# Reference: https://twitter.com/kyleehmke/status/1341107219673341954
# Reference: https://twitter.com/kyleehmke/status/1351617582340694025
# Reference: https://twitter.com/blackorbird/status/1385433029938614274
# Reference: https://community.riskiq.com/article/9a515637/description

1cloudserver.com
actualityworld.com
aimsecurity.net
apexwebtech.com
appsprovider.com
armrvrholo.com
assetdata.net
autonetonline.com
bigdataanalysts.com
bigtopweb.com
computerrepublic.com
databasegalore.com
datatidy.com
datazr.com
deftsecurity.com
diamondglobalnetwork.com
digitalcollege.org
digitalphotohub.com
domainingdirectory.com
ebbcloud.com
ebookstorelive.com
ervsystem.com
eyetechltd.com
financialmarket.org
fqtel.com
freescanonline.com
gallerycenter.org
gdbcloud.com
globalnetworkissues.com
globalsection.org
globesoftwares.com
gnadptech.com
graphicscodex.net
highdatabase.com
incomeupdate.com
infinitysoftwares.com
ioxmesh.com
ipadsreview.org
kubecloud.com
lcomputers.com
limoservicecompany.com
mappsglobal.com
megatoolkit.com
microtransito.com
mobilnweb.com
nikeoutletinc.org
olapdatabase.com
onetechcompany.com
panhardware.com
productpitfalls.com
reyweb.com
rollver.com
ryaxtech.com
securitysystemnews.com
sense4baby.fr
seobundlekit.com
softwarelaunches.com
softweblinks.com
solartrackingsystem.net
srfnetwork.org
storagewithoutborders.com
swipeservice.com
techforefront.com
techiefly.com
thedoccloud.com
topwebservers.com
virtualdataserver.com
virtualwebdata.com
vmdisk.com
webcodez.com
webpp.com
websitesline.com
websitetheme.com
xrlinks.com
zupertech.com

# Reference: https://twitter.com/MalwareRE/status/1399407960368025609
# Reference: https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
# Reference: https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv

cityloss.com
cross-checking.com
dailydews.com
doggroomingnews.com
emergencystreet.com
enpport.com
giftbox4u.com
hanproud.com
holescontracting.com
newsplacec.com
newstepsco.com
pcmsar.net
stockmarketon.com
stsnews.com
tacomanewspaper.com
theadminforum.com
trendignews.com
74d6b7b2.app.giftbox4u.com
cdnappservice.firebaseio.com
content.pcmsar.net
dataplane.theyardservice.com
email.theyardservice.com
eventbrite-com-default-rtdb.firebaseio.com
humanitarian-forum-default-rtdb.firebaseio.com
security-updater-default-rtdb.firebaseio.com
smtp2.theyardservice.com
supportcdn-default-rtdb.firebaseio.com
usaid.theyardservice.com

# Reference: https://www.mandiant.com/resources/russian-targeting-gov-business

http://23.106.123.15
nordicmademedia.com
stonecrestnews.com
theandersonco.com/wp_info.php
tomasubiera.com/wp_getcontent.php

# Reference: https://twitter.com/s1ckb017/status/1468160915883315204
# Reference: https://www.telsy.com/nobelium-again-or-ecrime-operation/

camogit.com
kaceloj.com
kirute.com
muyipep.com
pahohu.com
vuvalog.com

# Reference: https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/

bfilmnews.com
crochetnews.com
dom-news.com
galatinonews.com
midcitylanews.com
muslimnewsdaily.com
pharaosjournal.com
readnewshot.com
theanalyticsnews.com

# Reference: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ (# GoldMax)

vm-srv-1.gel.ulaval.ca

# Reference: https://twitter.com/h2jazi/status/1506439550968676360
# Reference: https://www.virustotal.com/gui/file/34e7482d689429745dd3866caf5ddd5de52a179db7068f6b545ff51542abb76c/detection
# Reference: https://www.virustotal.com/gui/file/e5de12f16af0b174537bbdf779b34a7c66287591323c2ec86845cecdd9d57f53/detection
# Reference: https://www.virustotal.com/gui/file/e8da0c4416f4353aad4620b5a83ff84d6d8b9b8a748fdbe96d8a4d02a4a1a03c/detection

ernesttheskoolie.com
theskoolieblog.com

# Reference: https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/
# Reference: https://otx.alienvault.com/pulse/61558f3021612e32de83311f

http://185.193.126.172
http://51.195.68.217
softhouse.store
update.softhouse.store

# Reference: https://www.menlosecurity.com/blog/ta551-targeted-malicious-campaign-breakdown/
# Reference: https://otx.alienvault.com/pulse/62bdd4f0a8d82702782ea614

bacionera.top
nopogew.com
sobolpand.top

# Reference: https://twitter.com/RedDrip7/status/1545245625662418945
# Reference: https://twitter.com/JAMESWT_MHT/status/1545303433959411714

agencijazaregistraciju.rs/i.html
agencijazaregistraciju.rs/t.php

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf (# GraphicalNeutrino)
# Reference: https://otx.alienvault.com/pulse/63d95dd289e5b68a19e9c791

totalmassasje.no/schedule.php

# Reference: https://twitter.com/BushidoToken/status/1633459935697838081
# Reference: https://www.shodan.io/host/5.75.159.186

http://5.75.159.186
5.75.159.186:22
5.75.159.186:3306
5.75.159.186:3389
5.75.159.186:443
5.75.159.186:5800
5.75.159.186:5900

# Reference: https://twitter.com/malwrhunterteam/status/1677023534294487049
# Reference: https://twitter.com/h2jazi/status/1677027834890469376
# Reference: https://www.virustotal.com/gui/file/966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281/detection
# Reference: https://www.virustotal.com/gui/file/4875a9c4af3044db281c5dc02e5386c77f331e3b92e5ae79ff9961d8cd1f7c4f/detection
# Reference: https://www.virustotal.com/gui/file/af1922c665e9be6b29a5e3d0d3ac5916ae1fc74ac2fe9931e5273f3c4043f395/detection
# Reference: https://www.virustotal.com/gui/file/7fc9e830756e23aa4b050f4ceaeb2a83cd71cfc0145392a0bc03037af373066b/detection

kefas.id

# Scripts

/46tt83y6.ps1
/buildus9_3.ps1
/build_eu.ps1
/p0fd798.ps1
/pwrvw.ps1
