# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: castlebot

# Reference: https://x.com/PRODAFT/status/1948382357725024565
# Reference: https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview
# Reference: https://github.com/prodaft/malware-ioc/tree/master/CastleLoader
# Reference: https://www.virustotal.com/gui/file/05ecf871c7382b0c74e5bac267bb5d12446f52368bb1bfe5d2a4200d0f43c1d8/detection
# Reference: https://www.virustotal.com/gui/file/31493e6366d3e7275a1e01937a4a18b27db8e5ef21bc21df666690d455f2acaf/detection
# Reference: https://www.virustotal.com/gui/file/0d7a46cedeb866930ebe808a596b44c5cf8941e448b4f8012018283ea55ec309/detection
# Reference: https://www.virustotal.com/gui/file/6e11ec22fd31d9eb4bd6060711dbd5d3c7c05bd7dfaa20daaee2c2c8a4dcf524/detection
# Reference: https://www.virustotal.com/gui/file/3329d3011f8f4c3df16230a1e6ed3ffe3c3cffaa7dadf0238eb6b011a659c84f/detection

# Reference: https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation
# Reference: https://www.virustotal.com/gui/file/3329d3011f8f4c3df16230a1e6ed3ffe3c3cffaa7dadf0238eb6b011a659c84f/detection
# Reference: https://www.virustotal.com/gui/file/f31e9ef8a59bacda22d8310750b91841878e1f398270676718d3a0b4949880a2/detection
# Reference: https://www.virustotal.com/gui/file/4cd0a2eb8662b5bdacf7f5db62827dd29a0c75d2b3b3f28eefb584e44a1ef2a5/detection

