# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: beavertail, invisibleferret, tropidoor (DPRK "Contagious Interview" job-lure campaign tooling; see the Unit42 and Socket references below)

# Reference: https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/
# Reference: https://otx.alienvault.com/pulse/655dd802326b4dba522c9d84

blocktestingto.com

# Reference: https://x.com/1ZRR4H/status/1814476691911090466
# Reference: https://www.virustotal.com/gui/ip-address/77.37.37.81/relations
# Reference: https://www.virustotal.com/gui/file/6156127355d8016c8e741de98ee4ef2a4cb5cb02cd44f22fd3c8fef033b69830/detection

hirog.io
files.hirog.io

# Reference: https://x.com/500mk500/status/1814696344272986483
# Reference: https://www.virustotal.com/gui/ip-address/206.206.123.151/relations

greenhouselc.com

# Reference: https://x.com/malwrhunterteam/status/1820385406002872541
# Reference: https://www.virustotal.com/gui/ip-address/82.197.80.64/relations
# Reference: https://www.virustotal.com/gui/file/456b3100d6e0364c036a33ca2d1c68f9e237520ab26da2b78d9dd55f1a2eec09/detection

cestlaviewellnessretreat.com
usconsultinghub.blog
usconsultinghub.cloud
file.cestlaviewellnessretreat.com
files.cestlaviewellnessretreat.com

# Reference: https://x.com/StrikeReadyLabs/status/1826432976894189825
# Reference: https://www.virustotal.com/gui/file/b8e69d6a766b9088d650e850a638d7ab7c9f59f4e24e2bc8eac41c380876b0d8/detection

185.235.241.208:1244

# Reference: https://www.sentinelone.com/labs/dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china/
# NOTE(review): per the report title, the domains below are DPRK IT-worker front-company domains rather than implant C2 — a hit most likely reflects contact with a front company (e-mail, hiring, web visit) rather than a beacon; triage accordingly

hopanatech.com
huguotechltd.com
inditechlab.com
tonywangtech.com
wkjllc.com

# Reference: https://x.com/TomHegel/status/1859663831510942204

sunlotustech.com

# Reference: https://asec.ahnlab.com/en/87299/
# NOTE(review): the royalsevres.com entries below are deliberately path-scoped (payloads under bbs_img/ and javascript/, presumably a compromised legitimate site) — match on the full URL path and do not widen to the bare domain unless the host is confirmed attacker-controlled
# Reference: https://www.virustotal.com/gui/file/e967097a02185995ae58cded08f57e8984152124a3a34adc9543bd4ca1569e5e/detection
# Reference: https://www.virustotal.com/gui/file/cdadeb1e8358a00ea6f74a42a2f536acc53981762aa1c01b53c62f8b4e278fb7/detection
# Reference: https://www.virustotal.com/gui/file/b5ed9eb0073ba18e5aee28ff3bc41923ed7e9dbc14c9175c8f2d9bfc58f47402/detection
# Reference: https://www.virustotal.com/gui/file/1fd921159de8ccf3c33c7ad3d52a4186c2695b858435e8e327c4d95a8d1b048a/detection

http://103.35.190.170
http://135.181.242.24
http://191.96.31.38
http://45.12.134.206
http://45.8.146.93
http://86.104.72.247
45.8.146.93:443
86.104.72.247:443
royalsevres.com/bbs/bbs_img/btn_list.psd
royalsevres.com/javascript/activex_patch.hwp

# Reference: https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages

http://144.217.86.88

# Reference: https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/
# NOTE(review): nvidiasdk.fly.dev is presumably an attacker-registered app on shared fly.dev hosting — the entry is intentionally the full hostname; do not widen to the fly.dev parent domain

172.86.93.139:3000
businesshire.top
nvidiasdk.fly.dev

# Reference: https://blog.talosintelligence.com/beavertail-and-ottercookie/

http://144.172.112.50
http://172.86.113.12
http://172.86.73.46
http://172.86.88.188
138.201.50.5:5961
172.86.88.188:1418
172.86.88.188:1476
