# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: xarcen

# Reference: http://bartblaze.blogspot.hr/2015/09/notes-on-linuxxorddos.html
# Reference: https://otx.alienvault.com/pulse/560559844637f21ecf297f9a/

dsaj2a.com
hcxiaoao.com
hostasa.org
dsaj2a1.org
wangzongfacai.com
dsaj2a.org

# Reference: http://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection_23.html

hostasa.org

# Reference: https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf

gggatat456.com
xxxatat456.com
aaa.gggatat456.com
aaa.xxxatat456.com
www1.gggatat456.com
jq.cfdddos.com
gh.dsaj2a1.org
ndns.dsaj2a1.org
ndns.dsaj2a.org
ndns.hcxiaoao.com
ndns.dsaj2a.com
linux.bc5j.com
uc.f1122.org
navert0p.com
wangzongfacai.com
ns1.hostasa.org
ns2.hostasa.org
ns3.hostasa.org
ns4.hostasa.org
zhegege.3322.org

# Reference: https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/

193.201.224.238:8852
7mfsdfasdmkgmrk.com
8masaxsssaqrk.com
9fdmasaxsssaqrk.com
efbthmoiuykmkjkjgt.com
zxcvbmnnfjjfwq.com
/RTEGFN01

# Reference: https://www.virustotal.com/gui/file/e99b77c5a469018e9543bff5bf3b1798ae62146b5763979659d951451d7ef77f/detection

222.186.128.172:5535
syn4.f3322.org

# Reference: https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/
# Reference: https://otx.alienvault.com/pulse/6011e0e8fe4caceec3d71f63/

112.213.127.156:9393
222.186.128.172:5523
2017fly.com
2018fly.com
2019fly.com
3000uc.com
8uc.linux1.cc
911ddos.com
aa.finance1num.org
aa.hostasa.org
aaa.dsaj2a.org
aaa.gggatat456.com
aaa.xxxatat456.com
assword.xyz
baidu.gddos.com
bc5j.com
benniao.date
benniaogg.benniao.date
caiyundaifu.top
cdn.cloud2cdn.com
cdn.finance1num.com
cdn.netflix2cdn.com
cdn.search2c.com
cloud2cdn.com
ddd.dddgata789.com
dddgata789.com
dnstells.com
dsaj2a.com
dsaj2a.org
dsaj2a1.org
finance1num.com
finance1num.org
fly1989.com
gddos.com
gggatat456.com
gh.dsaj2a1.org
gzcfr5axf6.com
gzcfr5axf7.com
hcxiaoao.com
hostasa.org
info.3000uc.com
k1.2018fly.com
kill.2019fly.com
linux.bc5j.com
linux1.cc
lpjulidny7.com
lzjxn.me
myserv012.com
ndns.dsaj2a.com
ndns.dsaj2a.org
ndns.dsaj2a1.org
ndns.hcxiaoao.com
netflix2cdn.com
ns1.hostasa.org
ns2.hostasa.org
ns3.hostasa.org
ns4.hostasa.org
p.assword.xyz
p10.2017fly.com
p10.2018fly.com
p10.sb1024.net
p12.2017fly.com
p12.2018fly.com
p12.sb1024.net
p2.2019fly.com
p2.fly1989.com
p2.sb1024.net
p4.2019fly.com
p4.fly1989.com
p4.sb1024.net
p5.2017fly.com
p5.2018fly.com
p5.dddgata789.com
p5.lpjulidny7.com
p5.sb1024.net
p6.2017fly.com
p6.2018fly.com
p6.2019fly.com
p6.fly1989.com
p6.sb1024.net
pcdown.gddos.com
pincco.cn
ppp.gggatat456.com
ppp.xxxatat456.com
qq360bidu.me
rouji.pincco.cn
sb1024.net
search2c.com
shaoqian.f3322.org
soft8.gddos.com
suc80.linux1.cc
suc80.twjiasu.com
syn4.f3322.org
twjiasu.com
uc.twjiasu.com
w.qq360bidu.me
wnegerf.com
ww.dnstells.com
ww.gzcfr5axf6.com
ww.gzcfr5axf7.com
ww.myserv012.com
ww.search2c.com
xo.lzjxn.me
xxxatat456.com

# Reference: https://twitter.com/honeymoon_ioc/status/1480003904616210436
# Reference: https://www.virustotal.com/gui/ip-address/23.228.113.246/relations

enoan2107.com
gzcfr5axf6.com
imagetw0.com
myserv012.com
s9xk32c.com

# Reference: https://www.virustotal.com/gui/file/474893179caa590fbbf3da828ebed1715a7591f9b7c259b52d641c436fd29a4a/detection

linux.jum2.com

# Reference: https://www.virustotal.com/gui/file/125abfa4bc8fcacb07016ad093c4e992d42e5c6960acaa7e4faef7eca18f5a8f/detection
# Reference: https://www.virustotal.com/gui/file/80f35b3e6694e8b4ffb297b52cb9001cd53afdd1edbd2df5c2adb94074b04871/detection

118.24.26.156:999
re67das.com
aaaaaaaaaa.re67das.com

# Reference: https://www.virustotal.com/gui/file/0001735cf6c4957497af12437ae6f9762a7152b608041547efb74e1d9160d5b1/detection

103.223.120.131:8809

# Reference: https://www.virustotal.com/gui/file/b7596ec8533098af77fd3b2915f102ed3286c437140cc49ba60fbad80b466cbe/detection

googtg.com
a.googtg.com

# Reference: https://www.virustotal.com/gui/file/00013dbdf0e7e5654f31942bfaed21b5c1436c6518b23107a5b87c240805c582/detection
# Reference: https://www.virustotal.com/gui/file/0001735cf6c4957497af12437ae6f9762a7152b608041547efb74e1d9160d5b1/detection

a-dns-google.com
dns-google.org

# Reference: https://www.virustotal.com/gui/file/004a00c222adcabc72bbb4650219273adbfa8bb61f960a31ef5a8aa3e951051f/detection

103.213.247.92:3307

# Reference: https://www.virustotal.com/gui/file/0000c4d3da732d5d47827d4e85557e8f701bd881d6855a6b8e84f9c0da52583b/detection

34.98.99.30:60000

# Reference: https://tria.ge/220602-vewz3aghc6/behavioral1

221.58.22.55:5993
topbannersun.com
wowapplecar.com

# Reference: https://elfdigest.com/brief/848e332e6cdb89a577c665bb79ff87c369379cfdc3b7f3db86590cca9401128a

b12.dddgata789.com
b12.xxxatat456.com

# Reference: https://elfdigest.com/brief/b84cf164fde12dd07192aa44f1b943044610539fd979e0f9359d44062f21a612

54.36.15.96:6003

# Reference: https://elfdigest.com/brief/5a7d7f1d53f039e7b69cf8d040cc043d1264b14107a8a73034e6b90d8e81f87a

54.36.145.104:1523

# Reference: https://www.virustotal.com/gui/file/ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73/detection

http://203.205.254.157

# Reference: https://www.virustotal.com/gui/file/002edfb7593a624139251b08eb986b7a84559dde12b95d1172800b49f27a7c54/detection

54.36.145.106:1523
54.36.15.98:1523
54.36.15.99:1523

# Reference: https://www.virustotal.com/gui/file/0004812beeb3e07a834488a8683b10a9f53ba28f7fdf4565ffd83d839d3a1b3d/detection

23.248.237.29:8000
47.91.170.222:8000
s9xk32a.com
s9xk32b.com
ww.s9xk32a.com
ww.s9xk32b.com
ww.s9xk32c.com

# Reference: https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-delivers-malware/
# Reference: https://otx.alienvault.com/pulse/652d705e2bb9be9c8d9bdc7c

0o557.com
2w5.mc150.cn
604418589.xyz
8uc.gwd58.com
98syn.com
a381422.f3322.net
aldz.xyz
b12.gggatat456.com
bb.wordpressau.com
bbb.wordpressau.com
d14.dddgata789.com
g14.gggatat456.com
nishabud.com
p0.lpjulidny7.com
p2.lpjulidny7.com
p3.lpjulidny7.com
p4.lpjulidny7.com
ssh.upx.wang
syn.aldz.xyz
wordpressau.com
x14.xxxatat456.com
xran.xyz
zryl.online

# Reference: https://x.com/redrabytes/status/1882765875994066961

http://169.239.130.10
107.149.213.17:1525
107.149.213.20:1525
107.149.213.21:1525
137.175.90.209:1525
prismpulse.xyz
aass654.com
vvbb321.com
xxcc789.com
hh.aass654.com
hh.vvbb321.com
hh.xxcc789.com

# Reference: https://x.com/redrabytes/status/1883836831776788920

103.254.75.120:112
43.249.172.195:888
markerbio.com
api.enoan2107.com
api.markerbio.com

# Reference: https://x.com/redrabytes/status/1884290770561286337

45.95.146.8:1919

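# Reference: https://blog.talosintelligence.com/unmasking-the-new-xorddos-controller-and-infrastructure/
# Reference: https://github.com/Cisco-Talos/IOCs/blob/main/2025/04/new_XorDDoS_controller_and_infrastructure.txt
# NOTE(review): every entry in this block uses port 1520, and a number of the addresses sit in /8 ranges
# (e.g. 6.x, 11.x, 21.x, 28.x-30.x, 33.x, 55.x) that are unusual for internet-facing hosting - TODO confirm
# against the referenced IOC list which entries are live infrastructure before using them for blocking
# rather than alerting.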

100.186.28.101:1520
101.19.17.63:1520
102.102.40.93:1520
102.104.20.163:1520
103.233.139.67:1520
103.67.204.12:1520
105.154.197.21:1520
105.204.157.116:1520
105.82.165.229:1520
108.6.121.201:1520
11.120.253.147:1520
11.90.157.105:1520
11.94.220.78:1520
110.198.221.255:1520
112.82.170.116:1520
113.39.108.38:1520
113.4.120.133:1520
114.93.129.252:1520
115.47.150.194:1520
115.54.123.68:1520
117.211.25.159:1520
122.253.213.233:1520
126.131.151.182:1520
128.201.165.117:1520
128.213.58.181:1520
130.13.170.191:1520
130.149.28.49:1520
130.220.81.136:1520
130.92.41.45:1520
132.210.208.126:1520
132.22.130.182:1520
134.179.122.20:1520
135.215.42.239:1520
135.80.130.171:1520
136.21.19.226:1520
138.223.171.81:1520
139.5.72.243:1520
141.56.191.234:1520
142.128.90.47:1520
142.147.137.57:1520
142.53.46.88:1520
145.148.78.213:1520
145.231.225.189:1520
148.130.188.55:1520
152.53.201.191:1520
153.135.4.100:1520
155.121.26.72:1520
158.90.0.57:1520
16.245.213.94:1520
160.66.194.46:1520
163.111.174.25:1520
164.65.179.249:1520
169.19.44.236:1520
171.141.101.142:1520
172.164.145.39:1520
177.60.27.182:1520
181.180.191.184:1520
181.74.116.236:1520
182.250.145.200:1520
184.207.146.227:1520
187.196.123.241:1520
189.202.168.57:1520
189.47.95.188:1520
19.29.200.49:1520
19.3.185.48:1520
19.54.27.231:1520
19.92.109.169:1520
193.72.100.178:1520
196.173.160.72:1520
197.138.181.205:1520
197.147.63.205:1520
198.210.156.184:1520
199.255.31.187:1520
199.75.66.7:1520
2.36.134.24:1520
2.77.15.250:1520
20.150.29.7:1520
20.52.55.108:1520
200.41.207.138:1520
201.37.105.118:1520
202.254.97.111:1520
202.40.100.109:1520
204.228.249.108:1520
205.166.57.152:1520
206.87.16.148:1520
206.97.241.198:1520
208.160.103.78:1520
209.142.199.108:1520
21.109.28.217:1520
211.185.232.213:1520
215.169.69.253:1520
216.111.225.121:1520
217.69.177.221:1520
217.69.203.76:1520
218.131.25.110:1520
221.137.188.10:1520
221.205.226.233:1520
223.39.125.83:1520
24.114.63.133:1520
28.155.77.80:1520
28.201.96.131:1520
29.180.243.229:1520
30.242.210.74:1520
32.103.199.94:1520
32.113.253.123:1520
33.110.9.107:1520
4.111.141.150:1520
42.189.51.36:1520
43.220.64.255:1520
44.236.83.193:1520
45.220.152.136:1520
46.102.78.38:1520
46.242.77.170:1520
47.42.59.162:1520
47.77.88.203:1520
48.138.207.203:1520
49.14.187.47:1520
5.209.26.204:1520
51.183.72.67:1520
52.152.113.213:1520
52.178.131.251:1520
53.137.188.173:1520
53.87.218.39:1520
54.59.0.130:1520
55.26.131.230:1520
56.160.63.29:1520
56.80.128.46:1520
59.117.62.235:1520
6.187.63.174:1520
60.156.128.82:1520
60.255.204.219:1520
61.7.67.243:1520
62.170.108.36:1520
63.142.154.110:1520
66.152.9.129:1520
66.79.176.61:1520
67.111.174.34:1520
69.170.30.33:1520
69.61.83.248:1520
69.69.2.11:1520
70.109.15.46:1520
70.174.94.91:1520
70.189.186.116:1520
71.130.126.169:1520
71.136.118.192:1520
72.251.246.128:1520
73.95.47.244:1520
74.1.137.255:1520
74.77.87.71:1520
76.12.154.30:1520
76.169.112.216:1520
78.66.242.133:1520
79.75.239.146:1520
8.133.158.119:1520
80.84.123.83:1520
81.205.6.128:1520
83.179.130.214:1520
83.222.159.154:1520
83.50.5.138:1520
85.57.171.146:1520
85.67.160.134:1520
88.57.63.244:1520
89.106.211.21:1520
89.54.90.113:1520
91.54.10.57:1520
92.118.168.196:1520
94.249.26.200:1520
96.222.90.160:1520
98.2.205.78:1520
99.222.161.114:1520

# Reference: https://x.com/UNP4CK/status/1913652184081731719
# Reference: https://x.com/redrabytes/status/1913896265777115484

http://172.82.91.106
107.149.213.17:1430
107.149.213.18:1430
107.149.213.20:1430
137.175.86.215:1430
137.175.86.216:1430
137.175.86.217:1430
137.175.86.219:1430
137.175.90.209:1430
137.175.90.210:1430
137.175.90.211:1430
137.175.90.212:1430
137.175.90.213:1430
198.2.208.57:1430
198.2.208.59:1430
198.2.208.60:1430
198.2.208.61:1430
dd.vvbb321.com
