# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: monti

# Reference: https://twitter.com/hatching_io/status/1318213481213165570
# Reference: https://tria.ge/201019-52sls692an

contirecovery.info
m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

# Reference: https://www.hackplayers.com/2021/02/sitios-cibercriminales-deepweb.html

fylszpcqfel7joif.onion
htcltkjqoitnez5slo7fvhiou5lbno5bwczu7il2hmfpkowwdpj3q2yd.onion

# Reference: https://twitter.com/GossiTheDog/status/1426114648609337344
# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows
# Reference: https://otx.alienvault.com/pulse/612365feb824f7976425bb2e

209.14.0.234:443

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/BB_Conti.json

belatedconstructs.com
clublatino.xyz
fanyglo.com
groupmentro.com
intensewarer.com
saferoiworks.com
todevelopskills.com
zanzibor.com

# Reference: https://github.com/thetanz/ransomwatch/blob/main/docs/INDEX.md

continews.click
continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion

# Reference: https://twitter.com/Dashowl/status/1498169213168586752

http://185.14.28.109
185.14.28.109:443

# Reference: https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b

contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion
l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion
q3mcco35auwcstmt.onion
/zeh7dkwfdxw99tdk/

# Reference: https://twitter.com/pollo290987/status/1499313323564806147

43oxsnqlub6aydymkwpn3agaaj7u2qexx4wybgrwug46c6cyldhuheid.onion

# Reference: https://twitter.com/silentpush/status/1514637523426885635

juhazigeza.com

# Reference: https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
# Reference: https://otx.alienvault.com/pulse/61a4fea45999d467dfe004e7

perdefue.fr

# Reference: https://us-cert.cisa.gov/ncas/alerts/aa21-265a
# Reference: https://otx.alienvault.com/pulse/614c2c93689f6ced6333d91b
# Reference: https://www.virustotal.com/gui/file/4ff6499f7b73579748b2bf0fe9db201d1f722d989b4712e77fd8e216e31a104a/detection

http://82.118.21.1
162.244.80.235:443
185.141.63.120:443

# Reference: https://twitter.com/marvinkklyvo/status/1517952097936883712
# Reference: https://www.virustotal.com/gui/ip-address/146.70.71.184/relations
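# Reference: https://www.virustotal.com/gui/ip-address/37.120.222.242/relations
# Note: "wildcard-in-use.continews.bz" reads like a wildcard-DNS probe label picked up from passive DNS relations rather than an operator-chosen hostname (unconfirmed); the parent domain is listed on its own line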

continews.bz
wildcard-in-use.continews.bz

# Reference: https://www.virustotal.com/gui/ip-address/89.45.4.98/relations

continews.club
continews.xyz

# Reference: https://www.virustotal.com/gui/file/904e0855772f56721cc157641a26bb7963651e5a45c3bb90764328b17081abd5/behavior/Zenbox

contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion

# Reference: https://twitter.com/1ZRR4H/status/1555627392563118081
# Reference: https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g

80.209.241.3:8888

# Reference: https://twitter.com/Unit42_Intel/status/1600179579272024068
# Reference: https://1275.ru/ioc/2459/monti-ransomware-iocs/
# Reference: https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html
# Reference: https://www.virustotal.com/gui/file/edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1/detection

mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion
monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid.onion

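# Reference: https://www.fortiguard.com/threat-signal-report/4736/new-conti-ransomware-campaign-observed-in-the-wild-1
# Note: the entry below is not a well-formed v2 (16-character) or v3 (56-character) onion name; it looks like a shortened or placeholder value taken from the report - confirm against the source before relying on it for detection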

contirec.poc.onion

# Reference: https://unit42.paloaltonetworks.com/royal-ransomware/
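# Reference: https://otx.alienvault.com/pulse/645ba0f99be16ee5437ba95d
# Note: the reference and the onion name below point to Royal ransomware; a match on it will presumably still be reported under this file's Conti/Monti label, so triage hits on this entry accordingly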

royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion
