# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: jointworm, phantomocx, phantomc2, phantomcorea

# Reference: https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/

wikipeldia.org

# Reference: https://twitter.com/_re_fox/status/1298268175927140353
# Reference: https://twitter.com/James_inthe_box/status/1298274439151251456
# Reference: https://app.any.run/tasks/e0845226-ee73-4e37-ab47-740cf0d3b757/

corpxtech.com
extrasectr.com
quotingtrx.com
trquotesys.com
veritechx.com
vvxtech.net

# Reference: https://app.any.run/tasks/42a70971-d057-4763-8541-5ebe9b842fcb/
# Reference: https://twitter.com/James_inthe_box/status/1280616037185024000
# Reference: https://twitter.com/_re_fox/status/1285579050241667078
# Reference: https://twitter.com/_re_fox/status/1280548111828561922
# Reference: https://twitter.com/Vishnyak0v/status/1300747696073039873

telefx.net
voipasst.com
voipreq12.com
voipssupport.com

# Reference: https://www.cybereason.com/hubfs/Evilnum%20IOCs.pdf
# Reference: https://otx.alienvault.com/pulse/5f5118e86e2b24d86310cd6d
# Reference: https://twitter.com/_re_fox/status/1273655899073187840

crm-domain.net
fxmt4x.com
leads-management.net
telecomwl.com
xlmfx.com

# Reference: https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf
# Reference: https://otx.alienvault.com/pulse/5f6b7988a48d50ae3e26381a

coinzre.website

# Reference: https://twitter.com/_re_fox/status/1316815091212390400
# Reference: https://app.any.run/tasks/5904a168-b4e4-45e6-bd6f-50ff80665bf9/
# Reference: https://www.virustotal.com/gui/file/da7d3ad1dc2f17b2d2387781e6486682f85d9980c115a10c7f38b3729e0fa273/detection

adsmachineio.com
api-pixtools.com
api-printer-spool.com
msft-cdn.cloud
windows-accs.live
windows-ddnl.com

# Reference: https://twitter.com/ShadowChasing1/status/1341358733817856000
# Reference: https://twitter.com/_pr4gma/status/1341439247384014849
# Reference: https://www.virustotal.com/gui/ip-address/185.161.209.8/relations
# Reference: https://www.virustotal.com/gui/file/3c7def980dfdebc0e03d8a3d3e2ee8367268ea676050e767e3c6ad77b8f9219e/detection

afftrackmedia.com
apple-cdrp.com
cdr-soft.com
community-approch.com
microsft-community.com
msftld.com

# Reference: https://twitter.com/_pr4gma/status/1343630971661332484
# Reference: https://www.virustotal.com/gui/ip-address/185.161.211.219/relations

driver-wds.com
flowerads.cloud
globaladdressbook.cloud

# Reference: https://twitter.com/ESETresearch/status/1360178612201218051
# Reference: https://otx.alienvault.com/pulse/6026ccc95d3a8be27100f687/

api-printsvc.co.in
appronto.in
canopustr.com
cloud-cdn.co.in
corpxtech.com
dn-mcrosoft.com
ecodll.com
eu-mcrosoft.com
extrasectr.com
freepbxs.com
hp-prints.com
imgncdn.online
mediadv.org
myhomelap.com
procyonstr.com
quotingtrx.com
sirius-market.com
ssl-certinfo.eu
trquotesys.com
trvol.com
trvolume.net
veritechx.com
vvxtech.net

# Reference: https://twitter.com/z0ul_/status/1388174332325662720
# Reference: https://www.virustotal.com/gui/file/d4b064c13bff1533a339bf6278ca7564577b7f8598be9caafb0ec3b41ea6d1eb/detection

jobsout.com
mail.jobsout.com

# Reference: https://twitter.com/ShadowChasing1/status/1396406910241316866
# Reference: https://www.virustotal.com/gui/ip-address/184.22.121.8/relations
# Reference: https://www.virustotal.com/gui/file/a7051dce028722fbadd198a9fd0481dd800f19b8ea35892d16f5d126d85d7e41/detection

ad-click.org
advclick.org
advuniverse.org
advworld.org

# Reference: https://twitter.com/ShadowChasing1/status/1396814490964873217
# Reference: https://www.virustotal.com/gui/file/8398b5f4654ca42b096d97e7151cf0c37ace65ea1584896218b49c99ef2910d4/detection

afflaf.com
azure-cld.com
azure-ns.com
ibm-hqr.com
microsft-ds.com
office-msf.com
printer-msdc.com
quanatomedia.com
steam-gaming.com

# Reference: https://twitter.com/ShadowChasing1/status/1399697694491254798
# Reference: https://twitter.com/z0ul_/status/1399717925834088462
# Reference: https://www.virustotal.com/gui/file/bc203f44b48c9136786891be153311c37ce74ceb7eb540d515032c152f5eb2fb/detection

amzn-services.com
applecloudnz.com
oauth-azure.com
oautho.com
orbiz.me

# Reference: https://twitter.com/ShadowChasing1/status/1414859581591719937
# Reference: https://www.virustotal.com/gui/ip-address/185.161.208.231/relations
# Reference: https://www.virustotal.com/gui/file/355cb89d112806bc58bfcd3a7631357f97506788125252ff835bbac9fe47b9ad/detection
# Reference: https://www.virustotal.com/gui/file/b60ae30ba90f852f886bb4e9aaabe910add2b70278e3a88a3b7968f644e10554/detection

antiwbz.com
azure-imedia.com
esetsed.com
geolockiz.com
inxout.org
konyork.com
ostoutlook.com
safeiorg.com

# Reference: https://twitter.com/ShadowChasing1/status/1417294960890585088
# Reference: https://www.virustotal.com/gui/ip-address/185.161.208.160/relations
# Reference: https://www.virustotal.com/gui/file/98e20febc7795f7445a2a225027da6177ed5db49577efeb85d3992654546290a/detection

azcloudazure.com
searchvpics.com
yorkccity.com

# Reference: https://twitter.com/Circuitous__/status/1456366694029484039
# Reference: https://www.virustotal.com/gui/file/d8ed85071f9b7a2bb66ad3e65e539e1804f7751843128480fa21503ce97385cf/detection

wazalpne.com

# Reference: https://twitter.com/souiten/status/1473951597986123777
# Reference: https://www.virustotal.com/gui/file/c35e76cbd4b2f6c8869566b2a7ea181dbd98dce251a611e03bb5a2fe1ee8708a/detection

avbcloud.com
jsanalys.com
cdn.avbcloud.com
cdn.jsanalys.com

# Reference: https://twitter.com/souiten/status/1466917520934256646
# Reference: https://www.virustotal.com/gui/file/0e760e5a7fa21627d83c9a9f5f68d0c5f6ecfade4d6c89d84b8680f67b33262c/detection

cjsassets.com
cdn.cjsassets.com

# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-April/030634.html

allmyad.com
am-reader.com
ananoka.com
gvgnci.com
informaxima.org
jmarrycs.com
liongracem.com
msfbckupsc.com
netpixelds.com
polanicia.com
showsvc.com
upservicemc.com
wicommerece.com
worldchangeos.com

# Reference: https://twitter.com/souiten/status/1524322313411325953

storangefilecloud.vip
puccino.altervista.org/wp-content/uploads/2022/05/6h.txt

# Reference: https://twitter.com/souiten/status/1524325331863171072
# Reference: https://www.virustotal.com/gui/file/d0899cb4b94e66cb8623e823887d87aa7561db0e9cf4028ae3f46a7b599692b9/detection

51.195.57.227:1222
cspapop110.com

# Reference: https://twitter.com/fuyinglab/status/1532318041974837248
# Reference: http://blog.nsfocus.net/darkcasino-apt-evilnum/
# Reference: http://lists.emergingthreats.net/pipermail/emerging-sigs/2022-June/030676.html
# Reference: https://www.virustotal.com/gui/file/ae0102721dd4f8072bf244348847bee547433f61182c20d63a23def4fb74bdf7/detection

185.236.231.74:1111
8as1s2.com
938jss.com
aka7newmalp23.com
bukjut11.com
csmmmsp099q.com
cspapop110.com
kalpoipolpmi.net
muasaashishaj.com
muasaashshaj.com
pallomnareraebrazo.com

# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-June/030694.html
# Reference: https://www.virustotal.com/gui/file/f0e89639e3796a7b7d5ced50e84d770753e72885df7413cd5204a41b1fd6cfbe/detection
# Reference: https://www.virustotal.com/gui/file/adf4f76ef4132610a79512a607b518a60544790d72238633f55d82403a5590d7/detection
# Reference: https://www.virustotal.com/gui/file/bb975fed53a9fa18a4234b90ffbd489429ea03a91245dad030fe4053f465ec28/detection
# Reference: https://www.virustotal.com/gui/file/598a2a4ca29cfefad69ea02d465c8ce5254b99ed59f90e1924d210b0772dc2c0/detection
# Reference: https://www.virustotal.com/gui/file/3c10a943b28f6322049e5ecea2013a7f4af4d35100fcfcc2f07c420f5f03b7f0/detection

bookaustriavisit.com
estimefm.org
imageztun.com
/G7RJ1u/Z7gN7gNNVAC/
/Z7gN7gNNVAC/
/G7RJ1u/

# Reference: https://www.virustotal.com/gui/ip-address/185.236.76.34/relations

azueracademy.com
booknerfix.com
cyphschool.com
imagegyne.com
netoode.com
olymacademy.com

# Reference: https://www.virustotal.com/gui/ip-address/185.161.208.20/relations

advideoc.org
auzebook.com
enigmadah.com
hubflash.co
kgcharles.com
mstreamvc.com
planetjib.com
plantgrn.com
qeliabhat.com
qnmarry.com
streamsrvc.com
walltoncse.org
wldbooks.com

# Reference: https://www.virustotal.com/gui/ip-address/185.161.208.209/relations

bookingitnow.org
estoniaforall.com
moreofestonia.com
moretraveladv.com
traveladvnow.com
travelbooknow.org
tripadvit.com
visitaustriaislands.com

# Reference: https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets
# Reference: https://otx.alienvault.com/pulse/62bbfdd6093ddc04c95bdf1a

advertbart.com
bgamifieder.com
bingapianalytics.com
book-advp.com
bunflun.com
covdd.org
inetp-service.com
infcloudnet.com
khnga.com
mailservice-ns.com
meetomoves.com
netrcmapi.com
netwebsoc.com
refinance-ltd.com
roblexmeet.com
travinfor.com
webinfors.com
windnetap.com
yomangaw.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities
# Reference: https://otx.alienvault.com/pulse/62da79e8ce00d5eb8497f01c

advflat.com
azuredllservices.com
elitefocuc.com
goalrom.com
infntio.com
mailgunltd.com
officelivecloud.com
outlookfnd.com
pngdoma.com

# Reference: https://twitter.com/souiten/status/1554056423843045376
# Reference: https://www.virustotal.com/gui/file/29d75b3b0f509dfd3150edc06be9cbe4053ce41a892403ec94b9187f44dda643/detection
# Reference: https://www.virustotal.com/gui/file/74329f3585df9b4ac4a0bc4476369dc08975201d7fc326d2b0f7b7a4c1eab22b/detection

196.196.57.73:333
91.192.100.9:3479
c9spus.com

# Reference: https://twitter.com/Des00464472/status/1554648175876907008
# Reference: https://www.virustotal.com/gui/file/00a253287ebfe7cd44ff4510ebc8dc92cd26b9ccd6d94f371a090a1a76b1ee80/detection
# Reference: https://www.virustotal.com/gui/file/bbbdfa627d119bb7761fbcaeb1c090405f27237bbf9645bacc4064572ca65eac/detection

eroeurovc.com

# Reference: https://twitter.com/souiten/status/1555484652143403010
# Reference: https://www.virustotal.com/gui/file/fd8b80db189d9ffff96d8aed16d55406fd94b72c1cad092c782342036c0b01d2/detection
# Reference: https://www.virustotal.com/gui/file/c2a3958006dd5cb31ce7c7e4e145616aa0dd6734ebe0065f1daf810d630d391c/detection

165.231.200.201:333
aacfdhr34wgr.com

# Reference: https://twitter.com/h2jazi/status/1565721319047630849
# Reference: https://twitter.com/h2jazi/status/1565721321513914373
# Reference: https://www.virustotal.com/gui/file/fa6c26e9e0bc269937b94637c407f8b0a1ffb19d3fc2df580633aaa6708e5e69/detection

image.jamespage.net

# Reference: https://twitter.com/Des00464472/status/1572202986881044480

morgansho.com

# Reference: https://twitter.com/h2jazi/status/1572578230607183874
# Reference: https://www.virustotal.com/gui/file/46ee8dd4c1a6205983c1317b021e6bcbaf7c1545fc56433cdde099f331fc7dab/detection

marywisker.com/skgnbrkfgryogjs

# Reference: https://twitter.com/souiten/status/1587021264807337984

01cs1sp.com
bajnmd45cfstyg.com
bujhsp9.com
k2nysp1.com
loboo33.com
lodo3.com
namfdsjg32kjsd.net
tgsp2121.com

# Reference: https://twitter.com/jaydinbas/status/1633063201607675909

http://172.86.75.75
telemistry.net

# Reference: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-smartscreen-zero-day/ioc-list-water-hydra-cve-2024-21412.txt

http://179.43.172.127
http://179.43.172.191
http://64.31.63.194
http://64.31.63.70
http://84.32.189.74
179.43.172.127:445
179.43.172.191:445
64.31.63.194:445
64.31.63.70:445
84.32.189.74:445
87iavv.com
fxbulls.ru
p2oaviwt39ui.com
unfawjelesst322.com

# Reference: https://blog.talosintelligence.com/threat-actors-using-macropack/
# Reference: https://www.virustotal.com/gui/file/80731db97c33b50cd3d8727decec7e6a12bbf5f671527648c4cbb559fabc3074/detection
# Reference: https://www.virustotal.com/gui/file/89ada20be17c37d143ae33a0114d6f6dc95bde5318e9e2f5e165361caf0b02de/detection
# Reference: https://www.virustotal.com/gui/file/98de5c66a439e4d261d09cd62a968b8faad959593203702691b929c4474223bb/detection
# Reference: https://www.virustotal.com/gui/file/ba980c51559e97ca3f59c41f44cdd1b6bbab606d916408a231a5ce99604211e9/detection
# Reference: https://www.virustotal.com/gui/file/d3458c7369cb7d8d7320b3376aa722100b143728aa55bed7ffb61ceb92321ee8/detection
# Reference: https://www.virustotal.com/gui/file/e1ee389b2af2d3a0eff4aa14f2ac3de6cdd4a73de80b5d450a44ec69cd332dbf/detection

http://151.248.122.143
wilbderreis.ru
api.wilbderreis.ru
td.tula-steel.ru

# Reference: https://x.com/malwrhunterteam/status/1846651730190389520
# Reference: https://www.virustotal.com/gui/file/8aad7f80f0120d1455320489ff1f807222c02c8703bd46250dd7c3868164ab70/detection

http://45.87.245.53

# Generic (URL path fragments; short patterns like these can also match benign traffic, so verify hits before acting on them)

/c?v=1&u=
/c?v=2&u=
/c?v=3&u=
/c?v=4&u=
/c?v=5&u=
/c?v=6&u=
/c?v=7&u=
/c?v=8&u=
/c?v=9&u=
