# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: kinsing

# Reference: https://www.lacework.com/h2miner-botnet/
# Reference: https://zhuanlan.zhihu.com/p/101220054

http://45.10.88.102
http://91.215.169.111
http://46.243.253.167
http://195.123.220.193

# Reference: https://www.lacework.com/h2miner-botnet/
# Reference: https://github.com/lacework/lacework-labs/blob/master/blog/h2miner.csv
# Reference: https://otx.alienvault.com/pulse/5e7baacc3c7b8864552f6774

http://142.44.191.122
http://217.12.221.12
http://217.12.221.244
http://45.10.88.102
http://46.243.253.167
http://82.118.17.133
http://91.215.169.111

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining/
# Reference: https://otx.alienvault.com/pulse/5ea068474577163bf614eb39

http://193.33.87.220

# Reference: https://labs.f-secure.com/advisories/saltstack-authorization-bypass
# Reference: https://twitter.com/blackorbird/status/1256944563668672513

http://206.189.92.32
http://217.12.210.192

# Reference: https://www.virustotal.com/gui/file/96589ba7818fae9282b7f69920b7e42b9847e24b7eadc76d6702cbfa293aa43e/detection
# Reference: https://www.virustotal.com/gui/file/20343854b8c348146bf17fe739ce9028a620f93116438291f1b0b89345e18520/detection

http://217.12.221.12
359328.selcdn.ru

# Reference: https://twitter.com/IntezerLabs/status/1298992385041473547

http://93.189.43.3

# Reference: https://twitter.com/r3dbU7z/status/1361235377869185024

http://92.242.40.225

# Reference: https://twitter.com/r3dbU7z/status/1361237420067422208

http://194.40.243.167

# Reference: https://twitter.com/r3dbU7z/status/1361978671310000129

http://194.38.20.199

# Reference: https://twitter.com/r3dbU7z/status/1374715716323188743

http://192.153.76.184
479.bf.run

# Reference: https://www.lacework.com/carbine-loader-cryptojacking-campaign/
# Reference: https://github.com/lacework/lacework-labs/blob/master/blog/carbine_loader_iocs.csv
# Reference: https://otx.alienvault.com/pulse/607e03d9ebfec697172c4b07
# Reference: https://www.virustotal.com/gui/file/4ae513b6f46132aec7d1c268e6ee981af1ac0ab6d92c448c7c9bdedd63e3c303/detection
# Reference: https://www.virustotal.com/gui/file/5f19a959b36c2696ef95873017b48ab03c3ae83ecae2ea5092a30fb6179f5c7c/detection

185.183.84.197:8080
jquery-dns-07.dns05.com
sslcer.justdied.com

# Reference: https://www.virustotal.com/gui/file/0dc0d5e9d127c8027c0a5ed0ce237ab07d3ef86706d1f8d032bc8f140869c5ea/detection

http://45.9.148.85

# Reference: https://www.virustotal.com/gui/file/39ac019520a278e350065d12ebc0c24201584390724f3d8e0dc828664fee6cae/detection

http://85.214.149.236
85.214.149.236:443
zzhreceive.top
oracle.zzhreceive.top
/b2f628/idcheck/uid=

# Reference: https://twitter.com/GelosSnake/status/1469341429541576715
# Reference: https://twitter.com/GelosSnake/status/1469341664477167619

http://185.154.53.140
http://185.191.32.198
http://44.240.146.137
http://45.137.155.55

# Reference: https://twitter.com/Cystrat_GmbH/status/1469296353276801029
# Reference: https://twitter.com/1ZRR4H/status/1469333475476094986
# Reference: https://twitter.com/eromang/status/1469362650534625282
# Reference: https://twitter.com/alphasoc/status/1469463599844192256
# Reference: https://twitter.com/craiu/status/1469994278986424327
# Reference: https://pastebin.com/raw/R8WDSNtE
# Reference: https://github.com/eromang/researches/tree/main/CVE-2021-44228

http://62.181.147.15
http://80.71.158.12
http://80.71.158.44
45.155.205.233:12344
45.155.205.233:5874
45.155.205.233:9999
45.155.205.233:12344
45.155.205.233:33602
80.71.158.12:5557
80.71.158.44:1534

# Reference: https://twitter.com/1ZRR4H/status/1469698559775846403
# Reference: https://threatfox.abuse.ch/browse/tag/log4j/

http://82.118.18.201
http://92.242.40.2
194.40.243.149:1534
82.118.18.201:1534
92.242.40.21:5557

# Reference: https://twitter.com/smii_mondher/status/1469945271031316485
# Reference: https://twitter.com/bad_packets/status/1469859064809025538
# Reference: https://twitter.com/bad_packets/status/1469958646431838210
# Reference: https://threatfox.abuse.ch/browse/tag/log4j/

103.104.73.155:8080
185.250.148.157:47324
185.250.148.157:8005
77.88.196.86:8085
/skziyb

# Reference: https://twitter.com/0xDanielLopez/status/1470029308152487940

http://93.189.42.8

# Reference: https://twitter.com/bad_packets/status/1470237945177141249

45.146.164.160:8081

# Reference: https://twitter.com/bad_packets/status/1470230763022917633

193.3.19.159:53

# Reference: https://twitter.com/bad_packets/status/1470166113526829056

http://155.94.154.170

# Reference: https://twitter.com/bad_packets/status/1470291496532332545

67.205.191.102:1099

# Reference: https://twitter.com/bad_packets/status/1470639403546472449

167.172.44.255:1099

# Reference: https://twitter.com/entropyqueen_/status/1470285561638313986

195.54.160.149:12344

# Reference: https://twitter.com/bad_packets/status/1469504458925117441

http://62.210.130.250

# Reference: https://twitter.com/1ZRR4H/status/1470652195678965764

45.146.164.160:8085

# Reference: https://twitter.com/Max_Mal_/status/1472354457920974852

http://194.40.243.149

# Reference: https://twitter.com/bad_packets/status/1470914982405545986

167.99.32.139:9999

# Reference: https://twitter.com/r3dbU7z/status/1474906645704675329

106.12.40.198:22222
116.62.203.85:12222
139.9.77.204:12345
139.9.77.204:26573

# Reference: https://blog.netlab.360.com/public-cloud-threat-intelligence-202112/
# Reference: https://otx.alienvault.com/pulse/61ea977759cc28216fa93688

http://194.40.243.24
en2an.top

# Reference: https://twitter.com/ankit_anubhav/status/1486984894953648131

http://185.191.32.198
http://82.117.252.83

# Reference: https://twitter.com/tolisec/status/1507854421618839564

http://178.20.40.227

# Reference: http://lists.emergingthreats.net/pipermail/emerging-sigs/2022-October/030777.html
# Reference: https://twitter.com/abuse_ch/status/1633512881726660625
# Reference: https://www.virustotal.com/gui/domain/a-dog.top/relations
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/j/teamtnt-returns-or-does-it/IOCs-WatchDog-TeamTNT-returns-or-does-it.txt

http://107.189.3.150
http://205.185.118.246
194.36.190.30:1414
222.175.244.226:1414
a-dog.top
kiss.a-dog.top
lova.a-dog.top
touch.a-dog.top
/b2f628/
/bWVkaWEK/
/s3f815/

# Reference: https://twitter.com/suyog41/status/1615643102001369089
# Reference: https://www.virustotal.com/gui/file/10317d5ec2be002836ca945c5de4a29c2dd78f5e2c06e7d4e9e31cfa250ec985/detection

http://194.40.243.206

# Reference: https://twitter.com/luc4m/status/1622707694414037016
# Reference: https://search.censys.io/hosts/185.122.204.197/data/table

http://185.122.204.197

# Reference: https://twitter.com/suyog41/status/1638078294733012994
# Reference: https://www.virustotal.com/gui/ip-address/140.99.32.48/relations
# Reference: https://www.virustotal.com/gui/file/c06ce616069db5f71680efea46ebdf70649068e1f485587a4aa8b66acc8dd59f/detection
# Reference: https://www.virustotal.com/gui/file/279a488ce2534a77c0b38389604285828659d499da2d2a3c562c32b77dddb965/detection
# Reference: https://www.virustotal.com/gui/file/16c03a6aaa9d2d8747a73d4b6d0f8b983f9bb64612cec492439229f9ed984042/detection

140.99.32.48:3355
cc-ccbim.com
c-px.com
na-cs.com
cc.cc-ccbim.com
ct.c-px.com
s.na-cs.com
xccwp.a-dog.top

# Reference: https://threatfox.abuse.ch/ioc/1150857/

http://45.15.158.124

# Reference: https://threatfox.abuse.ch/ioc/1150855/

83.97.73.87:9000

# Reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-enterprise-applications-honeypot-unveiling-findings-from-six-worldwide-locations/
# Reference: https://otx.alienvault.com/pulse/64a59ca7b59439d7c6e3a019

http://109.248.59.253
http://185.122.204.196
http://185.17.0.226
http://185.209.29.94
http://185.221.154.208
http://185.224.212.104
http://185.237.224.182
http://185.246.90.203
http://185.246.90.205
http://185.246.90.206
http://193.187.173.76
http://194.169.160.157
http://194.38.20.196
http://194.38.20.225
http://194.38.20.27
http://194.38.23.2
http://194.40.243.205
http://31.184.240.34
http://62.113.113.60
http://62.113.115.166
http://91.240.87.98
http://93.185.166.75
http://93.189.42.217
http://93.189.46.81
rolibztiz3zfysof5q2rja6airtmbw74am4oc4rgqsh3ktir6zwdmzid.onion

# Reference: https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability
# Reference: https://otx.alienvault.com/pulse/64ef41c91baab11a7cb2d16a

http://103.164.138.183
http://109.237.96.124
http://109.237.96.251
http://152.89.198.113
http://162.142.125.215
http://167.248.133.36
http://194.87.252.159
http://5.35.101.62
http://51.222.154.100
http://65.21.151.9
http://83.97.73.87

# Reference: https://blog.aquasec.com/loony-tunables-vulnerability-exploited-by-kinsing
# Reference: https://otx.alienvault.com/pulse/654ac58a27e7d638a81bbbbd
# Reference: https://www.virustotal.com/gui/file/a01fe8c1bff66ff8258089d27ac947ca127d89fc3bcee4f95a25221689e1f6dd/detection

http://194.233.65.92
194.233.65.92:1337
haxx.in

# Reference: https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq

http://185.122.204.197
http://194.38.22.53

# Reference: https://twitter.com/banthisguy9349/status/1782694612815012287
# Reference: https://urlhaus.abuse.ch/host/93.183.94.157/

http://93.183.94.157

# Reference: https://twitter.com/banthisguy9349/status/1785933389947646374

http://83.97.73.245
83.97.73.245:3333
83.97.73.245:9000

# Reference: https://x.com/banthisguy9349/status/1850482884219425226

cat.dashabi.in
cat.xiaojiji.nl
cat.xiaoshabi.nl
sec.dashabi.in
sec.xiaojiji.nl
sec.xiaoshabi.nl
shangmei-test.oss-cn-beijing.aliyuncs.com
soc.xiaoshabi.nl

# Reference: https://x.com/banthisguy9349/status/1865705579429179595
# Reference: https://www.virustotal.com/gui/file/6de6bf5c97c8c78d61a9c8e1424c6fd29217f32f52f411c34a2ebb573e416ef5/detection

pyats.top

# Reference: https://x.com/BlinkzSec/status/1951344597398950175
# Reference: https://urlhaus.abuse.ch/host/matrix.masscan.cloud/

masscan.cloud
matrix.masscan.cloud

# Reference: https://x.com/BlinkzSec/status/1969107023791878384

145.223.69.175:8000

# Generic (URL path fragments, not tied to a single reference above)

/kinsing
/kinsing2
/kinsing_aarch64
