# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: noodlerat

# Note: network indicators collected from the reports cited below (the references name the
# family Rekoobe / Noodle RAT). Entry forms used in this file: bare domain, ip:port,
# http:// URL, host/path, and one path-only entry.
# Note: the VirusTotal reference URLs embed the hash of the analysed sample, which can be used
# for host-side lookups alongside these network indicators.
# NOTE(review): entries carry no first-seen/last-seen date. Addresses on rented or cloud
# hosting can be reassigned over time, so confirm an ip:port entry is still current before
# using it for blocking rather than alerting.
# NOTE(review): ip:port entries pin one port each (40.74.77.165 and 8.218.92.123 are listed
# with several). Whether traffic to other ports on the same address is flagged depends on the
# consumer - confirm.

# Reference: https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples
# Reference: https://otx.alienvault.com/pulse/5e25cfbcd7e22ce9b7d4ea71

huawel.site
7xin.bitscan.win

# Reference: https://twitter.com/r3dbU7z/status/1569027881715523585
# Reference: https://www.virustotal.com/gui/file/92efa48191c1bb2e925d29220e38acfda0f014ff7e5486a04f12e87eab708887/detection
# Reference: https://elfdigest.com/brief/92efa48191c1bb2e925d29220e38acfda0f014ff7e5486a04f12e87eab708887

43.140.251.218:8080

# Reference: https://www.virustotal.com/gui/file/50b73742726b0b7e00856e288e758412c74371ea2f0eaf75b957d73dfb396fd7/detection

45.32.106.94:443

# Reference: https://twitter.com/BaoshengbinCumt/status/1747190760917930074
# Reference: https://www.virustotal.com/gui/file/bf1b88385aebb37182421e967749f057fbefb4e4386bb47b5098abac7c70c476/detection
# Reference: https://www.virustotal.com/gui/file/ada011bd870ea06c381651c319f22030cc0f0360b3270d0d709a44049b394cc5/detection

http://103.140.186.42
kkuac.org
niupilao.vip
b.niupilao.vip
vip.niupilao.vip
# NOTE(review): the next entry is scoped to a single file on its host rather than to the whole
# domain. Presumably the host as a whole is not treated as malicious - verify before widening it.
hadecon.com.vn/pki.rar

# Reference: https://x.com/banthisguy9349/status/1795416436602450049

# NOTE(review): path-only entry with no host. How broadly it matches depends on the consumer -
# check for false positives on unrelated hosts serving a file of the same name.
/03-23-x64.bin

# Reference: https://www.trendmicro.com/en_no/research/24/f/noodle-rat-reviewing-the-new-backdoor-used-by-chinese-speaking-g.html
# Reference: https://www.virustotal.com/gui/file/2a9636c108b33d32231f53cb7d06c51b4f5b0f64a5100c37b87a84fef9ffd1d3/detection
# Reference: https://www.virustotal.com/gui/file/22e3b2dd513930ff35c03abb6d0818391b072d595a97d192751d0ff79dc43103/detection
# Reference: https://www.virustotal.com/gui/file/2bc26a4f1156d6a115a78a65f554105d8621dbc31440b90caf489ca9cb24b694/detection
# Reference: https://www.virustotal.com/gui/file/5cda94180b245de8421f226eb516d0aa1d3fd8167ebed4fa06070dd38344cec0/detection

40.74.77.165:443
40.74.77.165:8080
40.74.77.165:81

# Reference: https://x.com/naumovax/status/1803788216924877090
# Reference: https://tria.ge/240408-nqp8bsgb46/

http://195.123.228.73
103.41.106.131:8080
103.60.148.186:10021
202.61.85.80:12345

# Reference: https://x.com/malwrhunterteam/status/1831765106533003400
# Reference: https://www.virustotal.com/gui/file/430b75daecc412e3d7c9fc66428a440e64fddd4e66a99a78842ca743eb4ee17e/detection
# Reference: https://www.virustotal.com/gui/file/4e2efb5dddc21dcb40fde667ae2b960148ac9ec7e55c4034bc49f401133685a7/detection

16.163.146.131:44568

# Reference: https://x.com/malwrhunterteam/status/1837458772794470726
# Reference: https://www.virustotal.com/gui/file/0b3f1982d1f460f59fce8dd77c860b2cc9df18758523b7cbe13b8844275c996d/detection
# Reference: https://www.virustotal.com/gui/file/00ec7c7fa996162c18dacd72ee5b1a73c93e08ed530a6793be9e547b4948bf96/detection

107.172.214.214:30012
107.172.214.214:44401

# Reference: https://x.com/malwrhunterteam/status/1846608857407029582
# Reference: https://www.virustotal.com/gui/file/fa69c05b78784ebe7ebc0d1219db0ce8aee0c9c047b1342a0dac67fb44294c50/detection

134.122.129.15:9601
134.122.129.38:8899

# Reference: https://x.com/malwrhunterteam/status/1847199035188220068
# Reference: https://www.virustotal.com/gui/file/d1e5f12f83e5f428642708beef887892aed7527ca7cd5ddda6285fcef32e3e4d/detection
# Reference: https://www.virustotal.com/gui/file/a3eeba38c4ecdd0e346fdaef051c3d5fbf435d373e631ca6ca5290b983354d20/detection
# Reference: https://www.virustotal.com/gui/file/a330d63e261b6f9808ef6a441a6434a18b89661e80630b78c24aa538aff38bf7/detection
# Reference: https://www.virustotal.com/gui/file/4ca6d77d9a3bf6d09b1c8c8ccd31e7452255ac322510424618b312b1a425ab0b/detection
# Reference: https://www.virustotal.com/gui/file/307359081e5f025009163dae77f132595e52114888c933d7c740dd22f4f888e2/detection

8.218.92.123:11234
8.218.92.123:4005
8.218.92.123:9797
8.218.92.123:9911
8.218.92.123:9987

# Reference: https://x.com/naumovax/status/1851289664205828335
# Reference: https://app.any.run/tasks/f0dc332a-ffa6-4450-963b-fa4adcd4c30a

112.121.174.66:1234
47.242.13.213:8000

# Reference: https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users

# Note: tradingviewll.com and tradingviewlll.com differ from the TradingView brand name only by
# extra trailing 'l' characters, and the report cited above is titled as possibly targeting
# TradingView users. The admin.* entries are subdomains of the same two names.
390698.ru
49246.sx
56204.sx
70332.club
734439.com
836833.cc
94783.club
953388.cc
963388.cc
tradingviewll.com
tradingviewlll.com
admin.tradingviewll.com
admin.tradingviewlll.com

# Reference: https://x.com/malwrhunterteam/status/1861113555396723026
# Reference: https://www.virustotal.com/gui/file/8fb306db295b985327e2f9b15f5560a36c5ed244da6fe0103ef08dea52b8f69a/detection

198.46.177.114:18080
