# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: carbanak, jssloader, odinaff, wemosis, STAC5143, STAC5777, GrayAlpha

# Reference: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

bigred-tours.com
clients12-google.com
clients2-google.com
p3-marketing.com
cdn-googleapi.com
cdn-googleservice.com
acity-lawfirm.com
algew.me
aloqd.pw
amhs.club
anselbakery.com
apvo.club
arctic-west.com
auyk.club
b-bconsult.com
bcleaningservice.com
bigrussianbss.com
bipismol.com
bipovnerlvd.com
blopsadmvdrl.com
blopsdmvdrl.com
bnrnboerxce.com
bpee.pw
bureauofinspections.com
bvyv.club
bwuk.club
bwwrvada.com
cgqy.us
chatterbuzz-media.com
chenstravelconsulting.com
cihr.site
citizentravel.biz
cjsanandreas.com
ckwl.pw
cloo.com
cnkmoh.pw
cnlu.net
cnmah.pw
coec.club
coffee-joy-usa.com
cspg.pw
ctxdns.org
ctxdns.pw
cuuo.us
daskd.me
dbxa.pw
ddmd.pw
deliciouswingsny.com
dlex.pw
dlox.pw
dnstxt.net
dnstxt.org
doof.pw
dosdkd.mo
dpoo.pw
dsud.com
dtxf.pw
duglas-manufacturing.com
dvso.pw
dyiud.com
eady.club
enuv.club
eter.pw
extmachine.biz
facs.pw
fbjz.pw
fhyi.club
firsthotelgroup.com
firstprolvdrec.com
fkij.net
flowerprosv.com
fredbanan.com
futh.pw
gcan.site
ge-stion.com
gjcu.pw
gjuc.pw
glavpojdfde.com
gnoa.pw
gnsn.us
goldman-travel.com
goproders.com
gprw.site
grand-mars.ru
grij.us
gsdg.site
guopksl.com
gxhp.top
hijrnataj.com
hilertonv.com
hilopser.com
hippsjnv.com
hldu.site
hoplessinple.com
hoplessinples.com
hopsl3.com
hvzr.info
idjb.us
ihrs.pw
imyo.site
itstravel-ekb.ru
ivcm.club
jblz.net
jersetl.com
jimw.club
jipdfonte.com
jiposlve.com
jjee.site
johsimsoft.org
jomp.site
josephevinchi.com
just-easy-travel.com
juste-travel.com
jxhv.site
kalavadar.com
kashtanspb.ru
kbep.pw
kiposerd.com
kiprovol.com
kiprovolswe.com
kjke.pw
kjko.pw
koldsdes.com
kshv.site
kuyarr.com
kwoe.us
ldzp.pw
lgdr.com
lhlv.club
lnoy.site
luckystartwith.com
lvrm.pw
lvxf.pw
manchedevs.org
maofmdfd5.com
meli-travel.com
melitravel.ru
mewt.us
mfka.pw
michigan-construction.com
mjet.pw
mjot.pw
mjut.pw
mkwl.pw
molos-2.com
mtgk.site
mtxf.com
muedandubai.com
muhh.us
mut.pw
mvze.pw
mvzo.pw
mxfg.pw
mxtxt.net
myspoernv.com
navigators-travel.com
neartsay.com
nevaudio.com
neverfaii.com
nroq.pw
ntlw.net
nwrr.pw
nxpu.site
oaax.site
odwf.pw
odyr.us
okiq.pw
oknz.club
olckwses.com
olgw.my
oloqd.pw
oneliveforcopser.com
onokder.com
ooep.pw
oof.pw
ooyh.us
orfn.com
otzd.pw
oxrp.info
oyaw.club
p3marketing.org
pafk.us
palj.us
park-travels.com
parktravel-mx.ru
partnersind.biz
pbbk.us
pbsk.site
pdoklbr.com
pdokls3.com
pgnb.net
pinewood-financial.com
pjpi.com
plusmarketingagency.com
ppdx.pw
prideofhume.com
pronvowdecee.com
proslr3.com
prostelap3.com
proverslokv4.com
provnkfexxw.com
pvze.club
qdtn.us
qefg.info
qlpa.club
qsez.club
qznm.pw
rdnautomotiv.biz
redtoursuk.org
reld.info
rescsovwe.com
revital-travel.com
revitaltravel.com
rmbs.club
rnkj.pw
rtopsmve.com
rzzc.pw
sgvt.pw
shield-checker.com
simpelkocsn.com
simplewovmde.com
soru.pw
sprngwaterman.com
strideindastry.biz
strideindustrial.com
strideindustrialusa.com
strikes-withlucky.com
swio.pw
tijm.pw
tnt-media.net
true-deals.com
trustbankinc.com
tsrs.pw
turp.pw
twfl.us
ueox.club
ufyb.club
utca.site
uwqs.club
vdfe.site
viebsdsccscw.com
viebvbiiwcw.com
vikppsod.com
vjro.club
vkpo.us
voievnenibrinw.com
vpua.pw
vpuo.pw
vqba.info
vwcq.us
vxqt.us
vxwy.pw
wein.net
wfsv.us
whily.pw
wider-machinery-usa.com
widermachinery.biz
widermachinery.com
wnzg.us
wqiy.info
wruj.club
wuc.pw
wvzu.pw
xhqd.pw
xnlz.club
xnmy.com
yamd.pw
ybnz.site
ydvd.net
yedq.pw
yodq.pw
yomd.pw
yqox.pw
ysxy.pw
zcnt.pw
zdqp.pw
zjav.us
zjvz.pw
zmyo.club
zody.pw
zrst.com
zugh.us
clients14-google.com
clients18-google.com
clients19-google.com
clients23-google.com
clients31-google.com
clients33-google.com
clients39-google.com
clients46-google.com
clients47-google.com
clients51-google.com
clients52-google.com
clients55-google.com
clients56-google.com
clients57-google.com
clients58-google.com
clients6-google.com
clients62-google.com
clients7-google.com
fda-gov.com
dropbox-security.com
google-sll1.com
google-ssls.com
google-stel.com
google3-ssl.com
google4-ssl.com
google5-ssl.com
ssl-googles4.com
ssl-googlesr5.com
stats10-google.com
stats25-google.com
treasury-government.com
usdepartmentofrevenue.com
bols-googls.com
moopisndvdvr.com
dewifal.com
essentialetimes.com
fisrdteditionps.com
fisrteditionps.com
micro-earth.com
moneyma-r.com
newuniquesolutions.com
wedogreatpurchases.com

# Reference: http://blog.talosintelligence.com/2017/03/dnsmessenger.html

algew.me
aloqd.pw
bpee.pw
bvyv.club
bwuk.club
cgqy.us
cihr.site
ckwl.pw
cnmah.pw
coec.club
cuuo.us
daskd.me
dbxa.pw
dlex.pw
doof.pw
dtxf.pw
dvso.pw
dyiud.com
eady.club
enuv.club
eter.pw
fbjz.pw
fhyi.club
futh.pw
gjcu.pw
gjuc.pw
gnoa.pw
grij.us
gxhp.top
hvzr.info
idjb.us
ihrs.pw
jimw.club
jomp.site
jxhv.site
kjke.pw
kshv.site
kwoe.us
ldzp.pw
lhlv.club
lnoy.site
lvrm.pw
lvxf.pw
mewt.us
mfka.pw
mjet.pw
mjut.pw
mvze.pw
mxfg.pw
nroq.pw
nwrr.pw
nxpu.site
oaax.site
odwf.pw
odyr.us
okiq.pw
oknz.club
ooep.pw
ooyh.us
otzd.pw
oxrp.info
oyaw.club
pafk.us
palj.us
pbbk.us
ppdx.pw
pvze.club
qefg.info
qlpa.club
qznm.pw
reld.info
rnkj.pw
rzzc.pw
sgvt.pw
soru.pw
swio.pw
tijm.pw
tsrs.pw
turp.pw
ueox.club
ufyb.club
utca.site
vdfe.site
vjro.club
vkpo.us
vpua.pw
vqba.info
vwcq.us
vxqt.us
vxwy.pw
wfsv.us
wqiy.info
wvzu.pw
xhqd.pw
yamd.pw
yedq.pw
yqox.pw
ysxy.pw
zcnt.pw
zdqp.pw
zjav.us
zjvz.pw
zmyo.club
zody.pw
zugh.us
cspg.pw

# Reference: https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf

bipovnerlvd.com
blopsadmvdrl.com
bnrnboerxce.com
dewifal.com
essentialetimes.com
fisrteditionps.com
halyk-bank.com
kiprovolswe.com
kiprovol.com
micro-earth.com
moneyma-r.com
privat-bankau.com
privatbank-ua.com
tejara-bank.com
voievnenibrinw.com
wedogreatpurchases.com

# Reference: https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
# Reference: https://www.fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf
# Reference: https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf

adguard.name
beefeewhewhush-eelu.biz
blizko.net
blizko.org
comixed.org
coral-trevel.com
datsun-auto.com
di-led.com
financialnewson-line.pw
financialwiki.pw
flowindaho.info
freemsk-dns.com
gjhhghjg6798.com
glonass-map.com
great-codes.com
icafyfootsinso.ru
idedroatyxoaxi.ru
vaserivaseeer.biz
microloule461soft-c1pol361.com
microsoftc1pol361.com
mind-finder.com
operatemesscont.net
paradise-plaza.com
public-dns.us
publics-dns.com
systemsvc.net
system-svc.net
traider-pro.com
travel-maps.info
update-java.net
veslike.com
wefwe3223wfdsf.com
worldnews24.pw
worldnewsonline.pw

# Reference: https://www.tr1adx.net/intel/public/TIB-00002_IOC_Domain.txt

ai0ha.com
atlantis-bahamas.com
bentley-systems-ltd.com
bols-googls.com
dhl-service-au.com
esb-energy-int.com
fda-gov.com
google2-ssl.com
google3-ssl.com
google4-ssl.com
google5-ssl.com
google-ssls.com
google-stel.com
iris-woridwide.com
microfocus-official.com
ornuafood.com
perrigointernational.com
prsnewwire.com
sizzier.com
ssl-googles4.com
ssl-googlesr5.com
strideindustrialusa.com
syngenta-usa.com
taskretaiitechnology.com
treasury-government.com
waldorfs-astoria.com
zynga-ltd.com

# Reference: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf
# Reference: https://otx.alienvault.com/pulse/5a16a16d3477580fcf4e359a

1povkjbdw87kgf518nl361.com
adguard.name
adventureseller.com
advetureseller.com
akamai-technologies.org
akkso-dob.in
akkso-dob.xyz
androidn.ne
androidn.net
ass-pussy-fucking.net
baltazar-btc.com
brazilian-love.org
btcshop.cc
c1pol361.com
cameron-archibald.com
casas-curckos.com
castello-casta.com
casting-cortell.com
chugumshimusona.com
comixed.org
coral-travel.com
coral-trevel.com
critical-damage333.org
datsun-auto.com
di-led.com
dimeline.eu
dragonn-force.com
financialnewsonline.pw
freemsk-dns.com
gendelf.com
glonass-map.com
gooip-kumar.com
great-codes.com
ihave5kbtc.biz
ihave5kbtc.org
java-update.co.uk
jhecwhb7832873.com
klyferyinsoxbabesy.biz
levetas-marin.com
maorkkk-grot.xyz
marcello-bascioni.com
mind-finder.com
my-amateur-gals.com
namorushinoshi.com
narko-cartel.com
narko-dispanser.com
ngx.net
nikaka-ost.in
nikaka-ost.xyz
nyugorta.com
oerne.com
onlineoffice.pw
oplesandroxgeoflax.org
paradise-plaza.com
pasteronixca.com
pasteronixus.com
ppc-club.org
public-dns.com
public-dns.us
publics-dns.com
road-to-dominikana.biz
shfdhghghfg.com
skaoow-loyal.net
skaoow-loyal.xyz
strangeerglassingpbx.org
systemsvc.net
travel-maps.info
updateserver.info
vincenzo-bardelli.com
wascodogamel.com
weekend-service.com
worldnewsonline.pw
zaydo.co
zaydo.space
zaydo.website

# Reference: https://twitter.com/VK_Intel/status/1102754053774290946

tw32-cdn.com

# Reference: https://twitter.com/VK_Intel/status/1096515532558340099

logitech-cdn.com

# Reference: https://twitter.com/HONKONE_K/status/1105351576384749568

cdn-skype.com

# Reference: https://twitter.com/MalwareCantFly/status/1059831561498095617

googleapi-cdn.com

# Reference: https://twitter.com/VK_Intel/status/1072716050259681280

cisco-cdn.com

# Reference: https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/
# Reference: https://www.flashpoint-intel.com/wp-content/uploads/2019/03/iocs_astra_sqlrat_dnsbot_flashpoint_March2019.csv

bigmoneyforus.com
magicsoundmusic.com

# Reference: https://twitter.com/VK_Intel/status/1112961058812186624

combisecurity.net

# Reference: https://twitter.com/HONKONE_K/status/1117696735973761025
# Reference: https://otx.alienvault.com/pulse/5cb46aba498cfc2a71bb2936

booking-cdn.com
hpservice-cdn.com
jquery-ca-cdn.com
jquery-us-cdn.com
mse-cdn.com
norton-cdn.com

# Reference: https://twitter.com/kyleehmke/status/1123629309539885058

cdn-akamai.net

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ (# FIN7/GRIFFON)
# Reference: https://twitter.com/malz_intel/status/1144295975999221760

hpservice-cdn.com
realtek-cdn.com
logitech-cdn.com
pci-cdn.com
appleservice-cdn.com
servicebing-cdn.com
cisco-cdn.com
facebook77-cdn.com
yahooservices-cdn.com
globaltech-cdn.com
infosys-cdn.com
google-services-s5.com
instagram-cdn.com
mse-cdn.com
akamaiservice-cdn.com
booking-cdn.com
live-cdn2.com
cloudflare-cdn-r5.com
cdnj-cloudflare.com
bing-cdn.com
servicebing-cdn.com
cdn-yahooapi.com
cdn-googleapi.com
googl-analytic.com
mse-cdn.com
tw32-cdn.com
gmail-cdn3.com
digicert-cdn.com
vmware-cdn.com
exchange-cdn.com
cdn-skype.com
windowsupdatemicrosoft.com
msdn-cdn.com
testing-cdn.com
msdn-update.com
185.162.131.25:222

# Reference: https://twitter.com/kyleehmke/status/1127966783284101120

jquery-cdn-us2.com

# Reference: https://twitter.com/kyleehmke/status/1126663210340372480

jquery-cdn-cn.com
jquery-cdn-us1.com
jquery-update2.com

# Reference: https://twitter.com/HONKONE_K/status/1131432019940917248

bindupdate.com

# Reference: https://twitter.com/HONKONE_K/status/1136489932938072064

comodosec.com

# Reference: https://twitter.com/HONKONE_K/status/1138301293636677632

https://185.159.82.237/odrivers/update-9367.php

# Reference: https://hyas.com/news/magecart-group-4-a-link-with-cobalt-group/

aoreestr.com
aoreestr.online
aoreestr.site
curacao-egaming.online
curacaoegaming.online
curacaoegaming.site
my-1xbet.com
my1xbet.online
my1xbet.top
newreg.host
newreg.online
newreg.site
oracle-business.com
orkreestr.com
orkreestr.host
orkreestr.press
sbeibank.com
sbeibank.online
sbelbank.com
sbelbank.online
sbepbank.com
sbepbank.online
sbersafe.top

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html
# Reference: https://otx.alienvault.com/pulse/5d9f3036acdd17b6b5db4d3d

http://109.230.199.227

# Reference: https://twitter.com/Rmy_Reserve/status/1184142117284667393

moviedvdpower.com

# Reference: https://twitter.com/ps66uk/status/1189890438938988544
# Reference: https://app.any.run/tasks/fbad12cf-e3cd-4e27-a554-46c038ba70ff/
# Reference: https://www.virustotal.com/gui/file/9feddbc1e2b90685e444504804670b5f6db9db07f3a2d3d29dafe67540e27c91/detection
# Reference: https://www.virustotal.com/gui/file/08cdc3abc328ab032ed407399926f1d42e2a7fec38e203ab372a9501e5937573/detection
# Reference: https://www.virustotal.com/gui/file/08cdc3abc328ab032ed407399926f1d42e2a7fec38e203ab372a9501e5937573/detection
# Reference: https://www.virustotal.com/gui/file/09720515998190d47bd1e019d7077b0c2996942e269ab8499cfd969f0492415f/detection
# Reference: https://twitter.com/500mk500/status/1189912497102446597

185.156.177.132:443
insta-pulse.ca
insta-pulse.com

# Reference: https://www.endgame.com/blog/technical-blog/protecting-financial-sector-early-detection-trojanodinaff
# Reference: https://www.virustotal.com/gui/ip-address/162.243.45.200/relations

162.243.45.200:443
162.243.45.200:80
beardczaoffr.com
bigtrackrbvo.com
bravotkr.com
bravotrakrday.com
czaroffnow.com
datewomseek.com
extraczaroff.com
getrackroffr.com
goinhancemind.com
gotrackrdeal.com
inteligenbrainoff.com
libertyautogroup.com
livewomensek.com
nerverenewoff.com
newczaroff.online
newoffbravo.com
official-alert.com
savetrackroff.com
seniorwsm.com
staminanoon.com
staminonoffr.com
staminonus.com
trackrealoff.com
trackroffdeal.com
trackroffshop.com
trackrpromoday.com
urtrakrnowoff.com

# Reference: https://twitter.com/ps66uk/status/1190320112894664705

cigpcl.com

# Reference: https://twitter.com/VK_Intel/status/1205205015427727360

hawrickday.com

# Reference: https://twitter.com/VK_Intel/status/1226370026770509824

landscapesboxdesign9.com

# Reference: https://twitter.com/felixaime/status/1243544929281945602
# Reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/
# Reference: https://otx.alienvault.com/pulse/5e7e18b31f7f5e7279c15455

milkmovemoney.com

# Reference: https://twitter.com/VK_Intel/status/1250189247895744517
# Reference: https://otx.alienvault.com/pulse/5e973b9172c3f4e1a4153960

domenuscdm.com
environmentalist.com

# Reference: https://twitter.com/TweeterCyber/status/1268956628746813440
# Reference: https://www.virustotal.com/gui/file/967882624ba26c4fcd6806791aa4994b5bf64ca4b1e66dd8d24f1fa54b3a43f0/detection

spacemetic.com

# Reference: https://twitter.com/bryceabdo/status/1271063097722183681

colorpickerdesk.com
expressdesign9.com
softowii.com

# Reference: https://twitter.com/IntezerLabs/status/1291355808811409408 (# GOSH, Carbanak-related ELF malware)
# Reference: https://www.virustotal.com/gui/file/2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46/detection

45.35.41.12:443

# Reference: https://twitter.com/Bank_Security/status/1301129840754556928
# Reference: https://threatintel.blog/OPBlueRaven-Part1/
# Reference: https://threatintel.blog/OPBlueRaven-Part2/
# Reference: https://pastebin.com/CKNYfMBG
# Reference: https://otx.alienvault.com/pulse/5f4fd46ac0f4e7ee5448bd40

http://172.86.75.175
http://193.187.175.213
digitalsoundmaker99.com
fgfotr.com
hong-security.com
mozillaupdate.com
nattplot.com
tableofcolorize.com
untypicaldesign9.com
uoplotr.com

# Reference: https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/
# Reference: https://www.virustotal.com/gui/file/452315d33f6c0a9fb77e0e6d88a8cfbbe3a778461e90178d26267215522d2ab2/detection
# Reference: https://www.virustotal.com/gui/file/51060b4e21864f229b5945b24d66cb29c727641c36639de395ebc4c83b0860a9/detection
# Reference: https://www.virustotal.com/gui/file/9a00f0edc87a44d10369fdb9f35ebe1b1df57e01719a5b48ac3eddc068f77f87/detection
# Reference: https://www.virustotal.com/gui/file/de5f89ffa034281a20cbcc5d7482c78b0b5b9b249538e1947034166d68cd21ac/detection

104.232.32.61:443
104.232.32.62:443
141.255.167.28:443
162.221.183.109:443
162.221.183.11:443
162.221.183.11:80
178.209.50.245:443
185.29.9.28:443
192.52.166.66:443
193.203.48.41:700
194.146.180.58:80
216.170.116.120:443
216.170.116.120:700
216.170.116.120:80
31.3.155.123:443
50.62.171.62:700
82.163.78.188:443
84.200.4.226:443
87.98.217.9:443
89.144.14.65:80
91.207.60.68:80
adobe-dns-3-adobe.com
clients4-google.com
in-travelusa.com
seven-sky.org

# Reference: https://www.virustotal.com/gui/file/46c551fed052f3f8857709df900e33d1dbfe9b10f55ff597a1986dc108c6a4f4/detection
# Reference: https://www.virustotal.com/gui/file/d8661896d83427642d3fa2b108752691c90e98a9327f9550e24928ac90504a63/detection
# Reference: https://www.virustotal.com/gui/file/3881f459301b073073bfb2befb4545197af1c8c2160b8e583e46fa769b78289f/detection

79.134.225.126:8596
configsamg.bounceme.net
/fasthamid.php?pwdws=
/systeme.php?pwdws=

# Reference: https://twitter.com/Arkbird_SOLG/status/1310966874352635907
# Reference: https://bazaar.abuse.ch/sample/003645e2686bf863585f95532e847dfe8f3b791c5b36f1a02ea2060f97b12125/
# Reference: https://tria.ge/200929-cywpm51vcj/behavioral1
# Reference: https://tria.ge/200929-cywpm51vcj/behavioral2

195.123.227.40:1433
195.123.227.40:443
195.123.227.40:49725
195.123.227.40:53
195.123.227.40:80

# Reference: https://twitter.com/malwrhunterteam/status/1313191441431232522

sec-apps-verify.com

# Reference: https://twitter.com/malwrhunterteam/status/1313191441431232522
# Reference: https://twitter.com/bl4ckh0l3z/status/1316389511182647297
# Reference: https://www.virustotal.com/gui/file/9c8bf89d043ba3ed802d6d4f9b290747d12822402d61065adfbcb48a740a47b8/detection

http://192.236.176.214

# Reference: https://twitter.com/Arkbird_SOLG/status/1319289563404103680
# Reference: https://www.virustotal.com/gui/ip-address/51.210.135.2/relations
# Reference: https://www.virustotal.com/gui/file/da725957d24a193350af135631ab7b286983caeaa1619b61c2535aa1794575c2/detection
# Reference: https://www.virustotal.com/gui/file/c81c1c53b66cdb4d9310bed5e70cec0cd4fa5b6b22f8ae1012b5a9fdcfb218a2/detection

51.210.135.2:443

# Reference: https://twitter.com/ShadowChasing1/status/1339399145933524993
# Reference: https://www.virustotal.com/gui/file/44e95a6a78a80e7ef6f4d92d9708bc04568385304d7a405fa201dfd50be8e172/detection

githubstore.site

# Reference: https://twitter.com/ShadowChasing1/status/1342631173508349952
# Reference: https://www.virustotal.com/gui/file/5a948a8d417c114f13e471cce4141131a496638d0e888564ad9ca74a1170320b/detection (# OSX.Bella)

159.65.147.28:4545

# Reference: https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
# Reference: https://www.virustotal.com/gui/file/662124b0c998fd0826c192514b1f57f8002f2ab031996aa6dd7832f561679779/detection

170.130.55.85:443
besaintegration.com
sephardimension.com

# Reference: https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader
# Reference: https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf
# Reference: https://otx.alienvault.com/pulse/5ff37057aba1bd56afb7e0cb
# Reference: https://app.any.run/tasks/9ce5148e-531b-415b-9cf4-a047c493ab06/
# Reference: https://www.virustotal.com/gui/file/49895428f1a30131308022dd3aa56eab6a1aa49b08a978ebc1520e289d3d6744/detection

alexisdanger.com
attractivology.com
bungalowphotographyblog.com
culturehiphopcafe.com
dempoloka.com
freshenvironmentaldesigns.com
huskerblackshirts.com
medinamarina.com
mekanuum.com
monusorge.com
petshopbook.com
sdidrichsen.com
skedoilltd.com
spacemetic.com
theelitevailcollection.com

# Reference: https://twitter.com/BushidoToken/status/1346555464931303424

teamgrouppcl-my.sharepoint.com

# Reference: https://twitter.com/z0ul_/status/1361698529228578816
# Reference: https://www.virustotal.com/gui/file/34218554f4469a6c8c5d68fd6c4c90d6e9789d3bf2935704f81897352b3a1627/detection

civilizationidium.com

# Reference: https://twitter.com/kyleehmke/status/1362030909676015618

conglomeratoid.com
cooperativology.com
inspirationizable.com
refrigeratoraholic.com

# Reference: https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control

http://138.201.44.4/informs.jsp
aaa.stage.15594901.en.onokder.com
aaa.stage.4710846.ns3.kiposerd.com

# Reference: https://twitter.com/kyleehmke/status/1363845965208297472

vmwarize.com

# Reference: https://twitter.com/kyleehmke/status/1366366163089956872

shareholderma.com

# Reference: https://twitter.com/kyleehmke/status/1375414387415072768

foundationious.com

# Reference: https://twitter.com/kyleehmke/status/1374696986369216517

eyebrowaholic.com

# Reference: https://twitter.com/kyleehmke/status/1374310441036419075

associationable.com
coincidencious.com
offspringance.com
uncertaintology.com

# Reference: https://twitter.com/kyleehmke/status/1381183857916010498

shareholderery.com

# Reference: https://twitter.com/kyleehmke/status/1381514483126927360

occasionent.com

# Reference: https://twitter.com/z0ul_/status/1381590862300377089
# Reference: https://www.virustotal.com/gui/file/0f083aac77fb734a8e81fb9dff218f0414ac6c4c9a23b2832837fbc2c7e2031d/detection

185.16.40.108:443

# Reference: https://twitter.com/z0ul_/status/1383076948293808129
# Reference: https://www.virustotal.com/gui/file/d41ee5bfeda26eedef14b23efb42497f096c5faf34882d8ff427b66b5afdbc16/detection

192.248.188.166:443

# Reference: https://twitter.com/kyleehmke/status/1384149754045624327
# Reference: https://twitter.com/kyleehmke/status/1384149758613155840

migrationable.com
refrigeratored.com
safarienzo.com

# Reference: https://habr.com/ru/company/bizone/blog/553136/ (Russian)
# Reference: https://www.virustotal.com/gui/file/fbd2d816147112bd408e26b1300775bbaa482342f9b33924d93fd71a5c312cce/detection

108.61.148.97:443
136.244.81.250:443
185.33.84.43:443
195.123.214.181:443
31.192.108.133:443
45.133.203.121:443

# Reference: https://twitter.com/U039b/status/1387487404160860166
# Reference: https://twitter.com/U039b/status/1387495127401308162
# Reference: https://beta.pithus.org/report/ae05bbd31820c566543addbb0ddc7b19b05be3c098d0f7aa658ab83d6f6cd5c8

78.46.120.20:443

# Reference: https://twitter.com/kyleehmke/status/1396803284359319560

halfious.com
jurisdictionious.com

# Reference: https://twitter.com/kyleehmke/status/1398190859137470466
# Reference: https://twitter.com/kyleehmke/status/1399316036957179905
# Reference: https://twitter.com/Nzc2ZjZjNjY/status/1399116019743010816

curriculumance.com
deprivationant.com
dullism.com
hemispherious.com
injuryless.com
myofibrilliance.com

# Reference: https://twitter.com/z0ul_/status/1400099980250058753
# Reference: https://www.virustotal.com/gui/file/2609c6ec5d4fdde28d29c272484da66e0995e529cf302ed46f94c68cd99352e3/detection

legislationient.com

# Reference: https://twitter.com/Arkbird_SOLG/status/1400845444889120783
# Reference: https://twitter.com/Arkbird_SOLG/status/1400845453101522947

bank4america.com
opposedent.com

# Reference: https://twitter.com/kyleehmke/status/1401480321779052547

indulgology.com
trenchize.com

# Reference: https://twitter.com/kyleehmke/status/1401851062592720898
# Reference: https://twitter.com/Nzc2ZjZjNjY/status/1402008850690154504

boldhamia.com
jurisdictionient.com
landownerable.com
perespectable.com
unitious.com
uprestrice.com

# Reference: https://twitter.com/ViriBack/status/1209650095626575872
# Reference: https://www.virustotal.com/gui/file/c1e7d6ec47169ffb1118c4be5ecb492cd1ea34f3f3dd124500d337af3e980436/detection

107.189.11.206:443
huskerblackshirts.com

# Reference: http://tracker.viriback.com/dump.php (# 2020-022-29, JSSLoader)

grepodesk.com

# Reference: https://twitter.com/ShadowChasing1/status/1402533794352025602
# Reference: https://www.virustotal.com/gui/file/5ccf66192ea9d2b6395fbb4a058d0af8409040d6d38b82b7fa1bf120371e9538/detection
# Reference: https://www.virustotal.com/gui/file/fad295cf65552061dc553c21d89d8bbd0b02783c01f5e696232df6a14381c206/detection

http://108.170.20.89
http://195.123.234.24
108.170.20.89:443
195.123.234.24:443

# Reference: https://twitter.com/ShadowChasing1/status/1402291088740675586
# Reference: https://www.virustotal.com/gui/file/944e1871cecddd5c18a8939f246e5f552cb24f0b0179f4902c0559b2ad3d336b/detection

185.203.118.54:443

# Reference: https://twitter.com/z0ul_/status/1401795117678219267
# Reference: https://twitter.com/z0ul_/status/1401795127601991682
# Reference: https://otx.alienvault.com/pulse/60be3e3f6ba2c7d1bec747a2

capermission.com
hidrofilms.com
primeautorecon.com

# Reference: https://twitter.com/z0ul_/status/1401795123294441475
# Reference: https://www.virustotal.com/gui/file/944e47dc9da19b753beba173214cdebea2aa3651c402dfacae2dde82c4fdaa43/detection
# Reference: https://www.virustotal.com/gui/file/fada67a9f89429d6c191cd6fef5d75cd7b49eebaa2e40d1dd1f9884b3038a23b/detection

185.225.17.78:443
185.33.87.24:443
37.1.210.119:443

# Reference: https://twitter.com/z0ul_/status/1401795124556861441
# Reference: https://www.virustotal.com/gui/file/0f083aac77fb734a8e81fb9dff218f0414ac6c4c9a23b2832837fbc2c7e2031d/detection

185.16.40.108:443
195.123.243.169:443

# Reference: https://twitter.com/z0ul_/status/1401795126314344453
# Reference: https://www.virustotal.com/gui/file/5ccf66192ea9d2b6395fbb4a058d0af8409040d6d38b82b7fa1bf120371e9538/detection

108.170.20.89:443
195.123.240.46:443
37.252.4.131:443

# Reference: https://twitter.com/kyleehmke/status/1405822067191300100
# Reference: https://www.virustotal.com/gui/ip-address/85.217.171.64/relations

hooferry.com

# Reference: https://twitter.com/kyleehmke/status/1408000343410085889

blankance.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded

bikweb.com

# Reference: https://twitter.com/Nzc2ZjZjNjY/status/1410227748140990469

laccolumn.com

# Reference: https://threatpost.com/fin7s-liquor-lure-law-firm-backdoor/168086/

browm-forman.com
brown-formam.com
pigeonious.com

# Reference: https://twitter.com/_brettfitz/status/1433661555632222251

amusient.com
revokeodoe.com

# Reference: https://www.virustotal.com/gui/file/2ef7d22b9a04e88f3ab84904aa24f05979c37dc7b9ef12194c73fa718dc30415/detection

185.130.104.174:443

# Reference: https://twitter.com/quack_hack/status/1468364640191225864
# Reference: https://twitter.com/quack_hack/status/1468365029229608960
# Reference: https://twitter.com/quack_hack/status/1468366237613031428
# Reference: https://www.virustotal.com/gui/ip-address/45.61.188.31/relations
# Reference: https://www.virustotal.com/gui/file/ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0/detection
# Reference: https://www.virustotal.com/gui/file/154186b5e0f5fae753a1f90c93a7150927bd03017e55f44abf21a5a08b7ec4ba/detection
# Reference: https://www.virustotal.com/gui/file/a29c97cb43cd16fad9276e161017ae654eb9cc989081c7584f8f14a3795deb0e/detection
# Reference: https://www.virustotal.com/gui/file/78d3d78f6bd90fee7bbd25a15bab36b89072dc738183442d9a6a2d9622835840/detection
# Reference: https://www.virustotal.com/gui/file/92a9fec37bc8e92e3d5ef9344c2d997d3ff02b369b9a040df52f513782940046/detection

myhobbyjapan.com
mosondra.com
sumenghong.com

# Reference: https://www.virustotal.com/gui/file/8640c59f4276a0a764d5c9deec1268ebb5c4225b73074f3b707780fdf89ae4a7/detection
# Reference: https://www.virustotal.com/gui/file/96fa0a49b5e15a83914cff5f5d742802055ebb4ce9f8ddd3993b883259d7c158/detection

pwr4life.com

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/BB_FIN7.json

consolidatology.com
hilariousology.com
keywordsance.com
wisecrackism.com
online.versatravel.ru

# Reference: https://geminiadvisory.io/fin7-flash-drives-spread-remote-access-trojan/
# Reference: https://otx.alienvault.com/pulse/61e683b7d020b229a3c12849

http://138.124.180.127
http://185.232.170.24
http://185.233.80.149
http://185.250.151.126
http://185.53.46.100
http://199.80.55.66
http://206.54.190.230
http://206.54.191.37
http://207.246.92.213
http://37.1.213.194
http://45.142.215.148
http://5.252.177.215
138.124.180.127:443
185.232.170.24:443
185.233.80.149:443
185.250.151.126:443
185.53.46.100:443
199.80.55.66:443
206.54.190.230:443
206.54.191.37:443
207.246.92.213:443
37.1.213.194:443
45.142.215.148:443
5.252.177.215:443

# Reference: https://twitter.com/James_inthe_box/status/1491550200007065603
# Reference: https://app.any.run/tasks/ed2c009a-df98-4bcb-8e03-5c2b9e0570ed/

205.185.117.138:443
divorceradio.com

# Reference: https://twitter.com/0xhido/status/1506672594526822404
# Reference: https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files

physiciansofficenews.com
thechinastyle.com

# Reference: https://www.mandiant.com/resources/evolution-of-fin7
# Reference: https://otx.alienvault.com/pulse/624c4e2fe492d9e618422ffc

chyprediction.com
estetictrance.com
fashionableeder.com
incongruousance.com
internethabit.com
modestoobgyn.com
myshortbio.com

# Reference: https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor
# Reference: https://otx.alienvault.com/pulse/6131dd8772536483ad294965

bypassociation.com
tnskvggujjqfcskwk.com

# Reference: https://www.joesandbox.com/analysis/1019077#iocs

idontgetitpodcast.com

# Reference: https://twitter.com/jtrombley90/status/1552504158397337600

bamadora.com
essentialsmassageanddayspa.com
whiteheadscanesyrup.com

# Reference: https://twitter.com/Des00464472/status/1552492184922116096

tuschbrothersbrewery.com

# Reference: https://twitter.com/Des00464472/status/1590548647053524992

pannamoon.com

# Reference: https://twitter.com/Des00464472/status/1593499379322982400

bullerdix.com

# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/APT-hunting/hunting-cobaltstrike-beacons-in-the-dark.pdf (# Page 103)

http://188.120.248.114
http://195.2.93.160
http://213.202.211.246
http://85.217.171.12
http://89.163.214.57
188.120.248.114:443
195.2.93.160:443
213.202.211.246:443
85.217.171.12:443
89.163.214.57:443
cdnoid.com
techniquesaholic.com

# Reference: https://twitter.com/ThreatBookLabs/status/1600010809031028736
# Reference: https://www.virustotal.com/gui/file/898f75562187c0d4b4d542c7fabf6cf75b7a88f348b817d9a3de9c852dfddeeb/detection

bamadora.com
marioterno.com

# Reference: https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang
# Reference: https://otx.alienvault.com/pulse/63a5a3d0765aef678afbc794

colormiagi.com
225ppqutwykx2or3.onion
4ktbtv54flfhs6ea.onion
4r7hlqzkxl5xtjxn.onion
ba2xy52xrtagkrh3.onion
bgumuduxnkkecg3b.onion
dppnmjep33rf6ct3.onion
fndqgtdkj4v6g4aq.onion
red6djrs7fbkchy3.onion
2cedhihsepjtcpwuwes77cle5wb6ml7e5ys6ivsb4a4ivlrw2vc4wwad.onion
xft6kit4fj5mnzsdt75ejf2spriszgaqpujclwimvfz7gtangi72suad.onion

# Reference: https://github.com/WithSecureLabs/iocs/blob/master/FIN7VEEAM/iocs.csv

http://162.248.225.115
http://194.87.148.41
http://195.123.244.162
http://217.12.206.176
http://45.136.199.128
http://77.75.230.112
http://91.149.243.181
http://91.199.147.152
http://95.217.49.123
162.248.225.115:443
194.87.148.41:443
195.123.244.162:443
217.12.206.176:443
45.136.199.128:443
77.75.230.112:443
91.149.243.181:443
91.199.147.152:443
95.217.49.123:443
/icsnd16_64refl.ps1

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2024-04-11-v10573/1563

cdn31.space
cdn32.space
cdn33.space
cdn34.space
cdn35.space
cdn36.space
cdn37.space
cdn38.space

# Reference: https://twitter.com/JAMESWT_MHT/status/1784900827930349915
# Reference: https://app.any.run/tasks/a7482c6d-5f77-47ce-b1a9-3f981df5d990/

5.8.63.140:443
86.104.72.157:443

# Reference: https://twitter.com/rewscel/status/1785407518522401223
# Reference: https://twitter.com/RussianPanda9xx/status/1785682585315647526
# Reference: https://app.validin.com/detail?find=89.105.198.190&type=ip4&ref_id=eda9f1500aa#tab=resolutions
# Reference: https://app.validin.com/detail?type=dom&find=adik33338.gmail.com#tab=dns

acdinf.com
airdrop-claim-web3.eu
airtables.net
app-trello.com
binance-give.us
bitwarden.in.net
bloomberg-t.com
bloomberg-terminal.net
catandpetshouse.com
communityofmatcha.com
d8h37sh29ds.biz
depemsersniziks.com
dkefuj33r8jdwa2.com
dyrnension.xyz
gingersoftware.info
glngersoftware.com
glowwell.eu
jd83hnsy6wbdwds9wjms.biz
keepess.info
keeqess.info
lexisnexis.day
matchablogtime.online
medidenaodmewnx.com
nmap.re
notlon.eu
pepe20.eu
quicken-install.com
trackvar.com
tradingview-softs.com
userfriendlyblogs.com
usuallyfornow.com
varizanantarprisae.com
varizanenterpize.com
verizonbusinesspage.com
verizonenterpriseaccount.com
verizonenterpriselogin.com
verizonenterpriseloginpage.com
vitalityhub.nl
webex-download.pics
webex-install.com
wellbeinghub.nl
wellful.nl
wen-airdrop.net
wen-airdrop.network
wincsp.net
wlncsp.net
workable.uk.com
youngtube.in
yt-panel-1488.com
zabblx.com
zabinewblogofcats.com
zabnewblogofcats.com
zbdemi.com

# Reference: https://twitter.com/ValidinLLC/status/1785973800661594460
# Reference: https://www.virustotal.com/gui/ip-address/94.131.107.181/relations

docusjgn.com
dsui38js2.com
gramrnarly.com
loadsoft.net
sluok.com
account.docusjgn.com

# Reference: https://twitter.com/NDA0E/status/1785729767548797079
# Reference: https://www.virustotal.com/gui/ip-address/94.131.101.65/relations

asana.pm
asana.tel
asana.wf
blackrock.re
blackrock.wf

# Reference: https://twitter.com/RussianPanda9xx/status/1786185148121174450
# Reference: https://urlscan.io/search/#filename%3A%229e4e27b7-bcfb-4298-bf8f-2cf4a6bdb3bf-9b6b40d6-3f8e-4755-9063-562658ebdb95%22

http://94.131.101.65
7-zip.cfd
7-zip.day
advanced-ip-scanner.link
advancedipscannerapp.com
aimp.day
any-connectcisco.com
autodesk.pm
bikejogot.com
bloornberg.org
business-directories.com
cdn1701.com
cdn25.space
cdn2828.com
cdn48f.space
ciscoconnecctt.com
concur.pm
concur.re
concur.skin
hubspot.pm
investing.wf
meet-go.click
meet-go.day
meet-go.link
pdfreader.link
pgadmin.link
rawafedgold.com
sapconcur.pro
storage.cdn48f.space
tendergram.com
thefoxtech.com
vkontakte.in
wall-street-journal.link
winscp-install.com
workday.pm
wsj.re
wsj.wales
wsj.wf
wwwlegals.com

# Reference: https://twitter.com/cyber_ra1/status/1786288753377718639

http://103.113.70.134
http://103.113.70.142
http://103.113.70.37
http://103.35.191.28
http://103.35.191.53
http://138.124.183.95
http://138.124.184.64
concur.cfd
hubspot.wf
stream-mix.com

# Reference: https://twitter.com/crep1x/status/1786150734121120075
# Reference: https://gist.github.com/qbourgue/62ceee8edf1159452778a8750dd43116

138.124.183.91:3000
138.124.184.247:3000
138.124.184.249:3000
138.124.184.250:3000
45.142.212.150:3000
45.67.229.73:3000
45.89.53.244:3000
86.104.72.155:3000
86.104.72.157:3000
86.104.72.158:3000
91.149.239.120:3000
138.124.183.79.sslip.io
advanced-ip-scanner.cfd
aimp.pm
cdn1102.com
cdn1124.net
cdn1168.net
cdn1702.click
cdn1704.com
cdn2525.com
cdn27.space
cdn30.space
cdn40.click
cdn41.space
cdn42.space
cdn43.space
cdn44.space
cdn45.space
cdn46.space
cdn47.space
eprst251.boo
eprst281.boo
eprst431.boo
hidifypro.turkalphapro.ir
meet-go.org
msq2323232300000.online
static.cdn40.click
statistic.cdn47.space

# Reference: https://infosec.exchange/@jeromesegura/112531661509144906
# Reference: https://x.com/1ZRR4H/status/1799589362251809058
# Reference: https://x.com/ValidinLLC/status/1799776587367510508
# Reference: https://www.virustotal.com/gui/ip-address/86.104.72.208/relations
# Reference: https://www.virustotal.com/gui/file/96dfb6337647d890875919334a8dfc1f8f6e887f4b9ff6afedfb3574c7b444a3/detection

c0ncuur.com
c0oncur.com
concur2024.com
concuur.com
concuur.net
concuur.org
sapconcur.one
sapconcur.team
sapconcur.top

# Reference: https://x.com/r3dbU7z/status/1825446480213135418
# Reference: https://www.virustotal.com/gui/ip-address/2.58.14.10/relations

concoursec.com

# Reference: https://www.linkedin.com/feed/update/urn:li:activity:7216688084350889984/
# Reference: https://www.virustotal.com/gui/ip-address/86.104.72.19/relations
# Reference: https://www.virustotal.com/gui/ip-address/86.104.72.23/relations
# Reference: https://urlscan.io/search/#2024-7zip.info%20OR%202024-aimp.info

2024-7zip.info
2024-7zip.pw
2024-aimp.info
2024aimp.live
2024-aimp.pw
2024aimp.info
2024mycase.com
2024mycase.win
7zip2024.info
antispam-ms.pw
c24digital.com
ms-antispam.live
nellasecurities.com
overstockads.com
proneet.online
sustainableprofitgrowth.com
successfulportfolioadvisor.com
thomsonreuter.info
thomsonreuter.pro
westlaw.top
wilandsabim.info
workinhome.pro

# Reference: https://x.com/malwrhunterteam/status/1817959103282692598
# Reference: https://www.virustotal.com/gui/ip-address/45.89.53.60/relations

2024aimp.top
aimp2024.pw
gogogononono.top

# Reference: https://www.virustotal.com/gui/ip-address/103.35.190.215/relations

20247zip.one

# Reference: https://www.silentpush.com/blog/fin7/

accountverify.business-helpcase718372649.click
app.rmscloud.pro
book.louvre-ticketing.com
business-helpcase718372649.click
cybercloudsec.com
cybercloudsecure.com
dr1ve.xyz
driv3.net
driv7.com
escueladeletrados.com
go-ia.info
go-ia.site
hotnotepad.com
identity-wpengine.com
kun-quang-api.lordofscan.pro
lordofscan.pro
louvre-event.com
louvrebil.click
miidjourney.net
nexuslink.click
paris-journey.com
paybx.world
quang.business-helpcase718372649.click
techevolveproservice.com
themetasupporrtbusiness.nexuslink.click
tivi2.com
womansvitamin.com
wpenglneweb.com

# Reference: https://x.com/IronNetTR/status/1811454800803799077
# Reference: https://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/

109.107.170.57:443
193.233.22.99:443
38.180.62.115:443
77.105.162.254:443

# Reference: https://x.com/splinter_code/status/1813560986852569185
# Reference: https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/
# Reference: https://www.virustotal.com/gui/file/489ae594906d54b0d52235641595fb2c369ac91117665c045bdc45d56dffc950/detection

http://104.193.255.99
http://146.59.217.154
http://15.235.156.105
http://162.248.225.148
http://176.97.75.244
http://184.95.51.185
http://185.117.119.108
http://185.117.88.245
http://185.16.40.108
http://185.161.208.45
http://185.161.210.11
http://185.172.129.70
http://185.232.170.205
http://185.232.170.83
http://185.234.247.62
http://185.244.151.114
http://185.250.151.141
http://185.250.151.33
http://185.250.151.60
http://192.248.188.166
http://193.109.120.69
http://193.178.210.227
http://193.233.22.68
http://193.233.23.158
http://193.233.23.45
http://193.233.23.59
http://193.42.36.231
http://194.104.136.113
http://194.180.174.86
http://194.180.191.85
http://194.87.191.198
http://194.87.82.7
http://195.123.218.99
http://195.123.240.46
http://195.123.246.20
http://195.123.246.46
http://198.15.119.69
http://208.88.226.158
http://213.109.192.116
http://213.109.192.198
http://37.1.210.119
http://37.157.254.8
http://45.66.249.75
http://45.82.13.64
http://45.87.154.208
http://46.17.107.32
http://46.17.107.7
http://5.161.41.51
http://62.233.57.163
http://62.233.57.19
http://62.233.57.241
http://62.233.57.31
http://65.108.20.101
http://65.108.20.165
http://79.141.162.131
http://80.71.157.173
http://85.239.54.214
http://91.149.221.195
http://91.149.243.129
http://91.149.253.184
http://91.193.19.163
http://91.199.147.60
http://94.140.114.173
http://94.158.244.107
http://94.158.244.23
http://95.123.243.169
http://95.216.251.213
http://95.217.102.49
http://95.217.82.121
104.193.255.99:443
146.59.217.154:443
15.235.156.105:443
162.248.225.148:443
176.97.75.244:443
184.95.51.185:443
185.117.119.108:443
185.117.88.245:443
185.161.208.45:443
185.161.210.11:443
185.172.129.70:443
185.232.170.205:443
185.232.170.83:443
185.234.247.62:443
185.244.151.114:443
185.250.151.141:443
185.250.151.33:443
185.250.151.60:443
193.109.120.69:443
193.178.210.227:443
193.233.22.68:443
193.233.23.158:443
193.233.23.45:443
193.233.23.59:443
193.42.36.231:443
194.104.136.113:443
194.180.174.86:443
194.180.191.85:443
194.87.191.198:443
194.87.82.7:443
195.123.246.20:443
195.123.246.46:443
198.15.119.69:443
213.109.192.116:443
213.109.192.198:443
37.157.254.8:443
45.66.249.75:443
45.82.13.64:443
45.87.154.208:443
46.17.107.32:443
46.17.107.7:443
5.161.41.51:443
5.252.177.7:443
62.233.57.163:443
62.233.57.19:443
62.233.57.241:443
62.233.57.31:443
65.108.20.101:443
65.108.20.165:443
79.141.162.131:443
80.71.157.173:443
85.239.54.214:443
91.149.221.195:443
91.149.243.129:443
91.149.253.184:443
91.193.19.163:443
91.199.147.60:443
94.140.114.173:443
94.158.244.107:443
94.158.244.23:443
95.216.251.213:443
95.217.102.49:443
95.217.82.121:443

# Reference: https://www.team-cymru.com/post/fin7-the-truth-doesn-t-need-to-be-so-stark

2024clio.one
2024clio.top
2024sage.win
2024xero.com
2bonmai.buzz
antispam-ms.pro
ariba.lat
blackrock-alladin.pro
clio.lat
clio.pw
clio2024.info
clio2024.one
clio2024.top
dhlpost.lat
dhlpost.nl
dhlpost.sbs
edankhk.top
gl-meet2024.com
gogogogogotests.xyz
gogogononono.xyz
law2024.info
law2024.top
law360.one
lexis2024.info
lexis2024.pro
lexisnex.pro
lexisnex.team
lexisnex.top
lexisnexis.lat
lexisnexis.one
lexisnexis.pro
lexisnexis.top
meet-gl.com
meet-goo.net
meet-goo.org
meet.com.de
meet2024.com
miles-and-mroe.com
otpdank24.top
ttlpcs.lat
unicrebitdank.top
unicredibank.top
wuriye.com

# Reference: https://x.com/silentpush_labs/status/1825904688274854148
# Reference: https://www.virustotal.com/gui/ip-address/154.216.20.106/relations

1kartkesbek.com
7zip-1508.one
7zip-1508.top
7zip-2024.info
7zip-2024.pro
akart-bonus.com
ucardaz.com

# Reference: https://x.com/ValidinLLC/status/1826271041015935099
# Reference: https://app.validin.com/detail?type=ip&find=103.35.191.222#tab=resolutions
# Reference: https://app.validin.com/detail?find=38.180.80.124&type=ip4&ref_id=a85aa4ccd5d#tab=resolutions
# Reference: https://app.validin.com/detail?type=ip&find=45.88.91.8#tab=resolutions
# Reference: https://app.validin.com/detail?find=85.209.134.137&type=ip4&ref_id=b7fd6a1ef44#tab=resolutions

concur-cloud.net
concur-sap.info
concur-sap.life
concur-sap.one
concur-sap.pro
concur.life
concur24news.one
concurnews.one
newsconcur.one
newsconcur2024.life
newsconcur2024.world
newsconcur24.one
sapc0ncur24.one
sapconcur-2024.info
sapconcur2-24.pro

# Reference: https://www.virustotal.com/gui/ip-address/86.104.72.101/relations

sebblv.com

# Reference: https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/

85.209.134.137:443
ai-nude.adult
ai-nude.click
ai-nude.click
ai-nude.cloud
ai-nude.pro
ainude.site
aipornsites.ai
easynude.website
nude-ai.pro

# Reference: https://blog.avast.com/fakecrack-campaign

14redirect.cfd
aeddkiu6745q.cfd
asud28cv.cfd
baed92all.cfd
bny734uy.cfd
dert1mku.cfd
er67ilky.cfd
fr56cvfi.cfd
freefiles33.xyz
freefiles34.xyz
freefilesxx.xyz
goes12by.cfd
kohuy31ng.cfd
lixn62ft.cfd
mihatrt34er.cfd
oliy67sd.cfd
uzas871iu.cfd
wae23iku.cfd
wrtgh56mh.cfd
xzctn14il.cfd
yhf78aq.cfd

# Reference: https://app.validin.com/detail?type=hash&find=a4161ee18a72e85440751fdc66cbc561#tab=host_pairs_v2

13landing.cfd
14redirect.cfd
185-216-143-74.cprapid.com
261githubfiles.shop
4-9.261githubfiles.shop
5vgy7.pro
ak19c.click
akale4.pro
as1sw.pro
as2w3.pro
as7yh.pro
ascas.click
ased48u.pro
ax5g.pro
bazi78.pro
bg6y7.pro
bitch12.pro
bnf8.pro
cfr4res.top
civik78.pro
ck9px.pro
cvt6v.pro
cwiaswe.pro
de4rf.pro
de4rv.pro
dewihfa.online
dewihfa.online.matona.online
dexsoftzfile.shop
dfty6tfghu87.click
dick56.pro
dispensewith.xyz
doulbesofts.cfd
download-rarsfree.com
downloadlinkworld.cfd
dutre.cfd
eu9n.pro
ex4redirect.cfd
exe2redirectbox.pro
exe3redirects.pro
fbdhurke.shop
fejirose234.click
fg7y.pro
fileblaze.click
filecr.click
filecr.one
filesarchive1.261githubfiles.shop
filesarchive2.261githubfiles.shop
filesarchive3.261githubfiles.shop
filesarchive4.261githubfiles.shop
freeredirect.top
freesetup.sbs
ftp.efektbielskopl.puter.site
fukir4.pro
fukk7en.pro
fulldownloadpro.top
fullfreesetup.top
fullredirect.top
fvgy7.pro
generatorx.art
generatorx.bar
generatorx.boats
generatorx.click
get-file.click
getlabs.lol
getpcintopc.pro
gfbmdsnr6.pro
hbg6.pro
hfhnvoelw.pro
hgfgbvjd9.pro
ia34r.pro
ijbh45.pro
ijj8by0.pro
installerz.top
installpp.com
installppi.xyz
iptvbites.buzz
jojoiu.cfd
keep-tech.cfd
kmil1.pro
ku8in.pro
lioytyr.cfd
loadingrars-free.com
lq2w3.pro
lummafine.fejirose234.click
m7yi.pro
mail.185-216-143-74.cprapid.com
mail.dewihfa.online
mail.doulbesofts.cfd
mail.filecr.click
mail.filecr.one
mail.iptvbites.buzz
matona.online
meta.fejirose234.click
mfjoaloek.pro
mino45.pro
molpiu.cfd
mrrsi8.pro
mysite1.fejirose234.click
nbb7.pro
nfjienks.pro
nh72w.pro
nik8.pro
nmh7y.pro
nolpf.cfd
noltd.cfd
nu3d5.pro
nvrikxme.click
olk8c.pro
olkout.cfd
olp0v.pro
online.matona.online
plo9j.pro
processhub.beauty
puter.site
qa2dc.pro
qa2s2.pro
qli90.pro
qn5ty.pro
rar-freeload.com
rars-freeload.com
rdrwsf.cfd
redirectbox.pro
redirectnewnetwork.click
rf83c.click
rhfiems4j.pro
rncskod.pro
rover5t.pro
rtrsoftfile.cfd
rtuecf.click
rutchem.puter.site
sat7.pro
sdnb40.pro
sdrb9.pro
setupdownload.top
stage.credittransfer.tcu.puter.site
thvnjd5bd1.pro
trial-uploader.store
tryget.store
tyye.shop
uyryte.click
vbne4.pro
vdbhjvb0h.pro
vf4fg.pro
vg6y7.click
vgh2t6.pro
vurjkxsik4.pro
vvt7y.pro
vxr8n.pro
ws3ed.pro
ws4rt6.pro
xc5f6.pro
xcvzdstry.cfd
xerv6.pro
xh7tyh98ik.world
xhgtoi.click
xxlim67.pro
yhein8.pro
zjwndi5ka.pro

# Reference: https://app.validin.com/detail?type=dom&find=installsppi.com#tab=host_pairs_v2

acvsoftzfile.shop
alinasoftzfile.shop
aloesoftzfile.shop
alxsoftzfile.shop
asdffdsa.cfd
asdffgfc.cfd
asdfgmaalalk.cfd
asdfsam.cfd
asdsoftzfile.shop
ashgrsoftz.shop
aswrwp.cfd
awehre8o8.click
bcmcsamn.shop
bfiies.shop
bhiui.shop
bhslfueion.click
bjosoftzfile.shop
bkout.cfd
bncbvhisofh.click
bolire.shop
bsoftzfile.click
cdert.cfd
cjusoftzfile.shop
cjviereureo.click
cloprw.cfd
coler.cfd
comeandgetfile.xyz
ddsoftzfile.shop
dhfgdk.click
dkolr.cfd
dolpiyu.cfd
doposoftzfile.shop
downldabsari.online
downldbsecdr.online
downldfsli.site
downldharipr.site
downldharon.online
downldjknn.shop
downldkcbcs.online
downldmac.shop
downldmunire.shop
downldsaki.site
downldsakif.shop
downldsamn.shop
downldsamni.shop
downldsamni.site
downldshmsi.click
downldtayb.shop
downldwrsi.shop
downloadabsr.click
downloadahmd.shop
downloadasi.click
downloadejaz.shop
downloadhfsa.click
downloadkasi.click
downloadonlypc.click
downloadonlysoftz.shop
downloadshad.click
downloadsofts.click
downloadsoftz.xyz
downloadsundi.site
downloadtaskn.click
downloadtkn.shop
dowrtjiw.cfd
dowsen7844.click
dsasoftzfile.shop
dxcsoftzfile.shop
easygetup.xyz
efilecom.shop
ejazasdf.cfd
eolsoftzfile.shop
eorihdli37.click
ergehilehi.click
eroenfod.click
exesetps.click
fgiurhho22.click
fgsoftfile.click
fhe9oif79.click
fhjsoftzfile.shop
fhlop.shop
filedriveo.xyz
filegethere.click
filesfreedownld.shop
filesinhand.click
filesonlydownld.xyz
filespcdownld.click
filessoftz.shop
fleokr.shop
fosoftzfile.shop
freehostinghub.click
freepremiumhost.click
fsgdifu22.click
geirugdf.cfd
geiruhg79er.cfd
gejhljey.click
gerhgfhl.click
gerkeypro.xyz
getpre44fre.click
getprosetup.click
harondownload.shop
haronkcbc.click
hfsfis99.cfd
hhsoftzfile.shop
highkey33.click
hihum.shop
hikeypro1.xyz
hnadsda99.click
holputy.shop
hosoftfile.cfd
hsmsan82.click
hsumjad9.click
hsuojel9e.click
hsuosefel8.click
huieroige.click
huiosoftzfile.shop
huysoftzfile.shop
hyenkghw.pro
infosjhk.cfd
infossz-tech.cfd
infossz979.cfd
infossztech.cfd
intopctech.pro
iuyur.click
jknesoftzfile.shop
jknsoftzfiles.shop
johnsoftz.xyz
joisoftzfile.cfd
jrealgames.site
jsdsoftz.shop
keyprehere.xyz
khilsoftzfile.shop
khosoftzfile.shop
kolsoftzfile.shop
kposoftzfile.shop
kpoug.cfd
licte733.cfd
lictechmj.cfd
lkodfre.click
lksoftzfile.shop
logosoftzfile.shop
lopid.cfd
lsdkjh.xyz
megapremium.click
megaupload.click
misssoftzfile.shop
misswowsoftzfile.shop
molted.shop
mplopop.shop
nkjir.shop
nolhyr.shop
noorsoftzfile.shop
ns189.mukhost.uk
ns190.mukhost.uk
nussoftzfile.shop
okelae.click
okhgew.cfd
oknela.pro
olesoftzfile.shop
olvhe.click
olxcrs.cfd
onlysoftzdownload.xyz
oplree.cfd
oposoftfile.cfd
ouiy.shop
ouiyh.click
ouiyh.shop
ovbsoftzfile.shop
pafilehrere.shop
plnyrtwfile.click
ploiu.cfd
ploiyt.shop
pouit.click
pre-infoss.cfd
prekeyoyh.pro
prelicense878.cfd
premiuas.cfd
premiumfile.click
premiumfiles.click
princeupload.xyz
prizcan.pro
prkeyher.click
prosetupupgrade.xyz
prosrikei.pro
prossdownloads.pro
proz-infoz.pro
prtechoidd.cfd
pzcsoftzfile.shop
qolop.shop
realhostfile.xyz
realprekeyt.click
redyr.cfd
ressoftzfile.shop
rtuef.cfd
rtysoftzfile.shop
runhostfile.click
samnibcmc.shop
scvsoftzfile.shop
sdred.cfd
sevetokey.click
sheoifoi.click
shfuoejf.click
sifusfsdf.click
sikoip.cfd
sodfile.click
softsreal.click
softzdownld.xyz
softzdownload.click
softzdownload.xyz
sokolp.shop
splolp.cfd
sreogiwqdh.click
stftr.shop
stryjihe.pro
sutrrre.cfd
taybsamn.shop
teach-info.cfd
tecpre8776.cfd
tghsoftzfile.shop
tkgsoftzfile.shop
tkgsoftzfiles.shop
tkndownload.click
trtsoftzfile.shop
trydrivefree.click
ucbsoftzfile.shop
ufgdfg.click
uoltyr.shop
usoftzfile.cfd
utrr.shop
uyuydfyte.shop
valuekeyget.click
vgcsoftzfile.shop
vhgsoftzfile.shop
vhopl.shop
vhuop.shop
vlkfile.click
volopi.cfd
walsoftzfile.shop
weuros88.cfd
wfilecom.shop
wokoli.shop
wokolop.shop
wordpressz.cfd
wosoftzfile.shop
wqsoftzfile.shop
xgsoftfile.click
xhgyty.shop
xsoftzfile.click
yerdwnfile.click
yfgsoftzfile.shop
yobnilbjho.click
yoiergeh55.click
youcangethare.click
ysoftzfile.cfd
ytdtrs.cfd
ytfrytsoftzfile.cfd
yureoig88.click
zdtsoftzfile.shop

# Reference: https://x.com/JAMESWT_MHT/status/1842217911680741377
# Reference: https://app.any.run/tasks/c58bddb9-7664-41da-9886-55cb3f60c440
# Reference: https://www.virustotal.com/gui/file/132e3a98848543509737db7e75fe09ef34772dc9a39c2798c205cb271d4684fd/detection

9780pk.com
logo-base.com
mlq-p.net

# Reference: https://app.validin.com/detail?type=ip&find=116.202.55.91

12setupfree.xyz
1lv8n.pro
adrt6.pro
as76b.pro
ckue35nc.click
cnaiv4vd.click
dcvbji876yuj.xyz
dfrtx7.pro
drt78iol.xyz
eyfcb3s.click
ft678ik.xyz
hy65rews.click
jvknujm4.click
m876yu98i.world
macredirect.click
mvn2cj0.click
n76yuio9.world
newbutton.click
newcode.click
oki0l.pro
qtr6us0old.world
reufkao6.click
ser678uikl.xyz

# Reference: https://x.com/crep1x/status/1850965395114508452
# Reference: https://x.com/crep1x/status/1850965399619453170
# Reference: https://www.virustotal.com/gui/ip-address/38.180.141.203/relations
# Reference: https://www.virustotal.com/gui/ip-address/85.209.134.106/relations
# Reference: https://www.virustotal.com/gui/ip-address/85.209.134.186/relations
# Reference: https://www.virustotal.com/gui/ip-address/85.209.134.188/relations
# Reference: https://www.virustotal.com/gui/ip-address/85.209.134.45/relations
# Reference: https://app.validin.com/lookalikes?limit=1000&lookback=90&depth=2&find=%2F7zip%3F%3F-%5Cw%2B%5C.%5Cw%2B%24%2F

7zip-2024.cfd
7zip10-2024.life
7zip10-2024.live
7zip10-2024.top
7zip2024.one
7zip2024.top
cdn251.lol
meetgo2024.life
meetgo2024.top
public7zip-1508.top
public7zip-2024.info

# Reference: https://www.virustotal.com/gui/ip-address/82.112.229.217/relations

meesho2024.shop

# Misc.

accutecfilestoragedev.blob.core.windows.net
adv-pardorudy.site
avr-energie.com
bastobbd.com
batimadenas.com
bccilive.com
beta3alpha.com
betagolfgame.pro
bhattiexclusiive.com
c-upd.online
chromeupdate.tech
ds-workbench-msix-amer.choreograph.com.edgekey.net
dwaacart.com
emobileo.com
exposeghboard.com
file.safe-guard.online
geeksroot.net
guiamedico.info
hub2shop.online
ia-creativa.com
icecreampdf.com
info.revenera.com
int.hub2shop.online
intrigi.net
kratomdc.com
lmc.geeksroot.net
paisahero.com
pkudzuformsstorage.blob.core.windows.net
prezemp.com
qfyus.com
riofficial.com
safe-guard.online
shahenterprisenj.com
sharedhostdist.blob.core.windows.net
sigean.info
sivaspastane.com
teknoware.ae
w6trw.com
weirdmodels.com

# Reference: https://x.com/TRACLabs_/status/1862019189331968155
# Reference: https://app.validin.com/detail?find=94.159.96.222&type=ip4&ref_id=8ed40c928c7#tab=resolutions

7zip2024.pro
7zip2024.shop
7zip2024.store
7zipx.site
7zlp112024.top
7zlp2024.shop
7zlp2024.top

# Reference: https://x.com/TRACLabs_/status/1862019189331968155
# Reference: https://app.validin.com/detail?find=85.209.134.64&type=ip4&ref_id=61eec879521#tab=resolutions

2024-7zip-10.top
7zip1024.life

# Reference: https://x.com/TRACLabs_/status/1862019189331968155
# Reference: https://app.validin.com/detail?find=85.209.134.209&type=ip4&ref_id=c92b1c6e334#tab=resolutions

2024-7zip-10.shop
7zip1024.top

# Reference: https://x.com/TRACLabs_/status/1862019189331968155
# Reference: https://app.validin.com/detail?find=85.209.134.118&type=ip4&ref_id=a2a5acd2cf7#tab=resolutions

2024-7zip-10.life
7zip1024.live

# Reference: https://app.validin.com/detail?find=94.159.100.111&type=ip4&ref_id=1252b305998#tab=resolutions

7-z1p.top
7-zip.shop
7zip.sbs

# Reference: https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/ (# STAC5143, STAC5777)
# Reference: https://www.virustotal.com/gui/ip-address/89.185.80.86/relations
# Reference: https://www.virustotal.com/gui/file/2667be2dc4e52e1a753551bb77672804d842264659b17b23a1c47243c43ca515/detection
# Reference: https://www.virustotal.com/gui/file/293b389124c083680b33fbc6264bc10bdfcd6bab2aa6dd5b9fab72944589c63a/detection

185.190.251.16:443
207.90.238.52:443
89.185.80.86:443
isrnmd.org
pinnockinvestment.com

# Reference: https://x.com/PRODAFT/status/1899475407977759008
# Reference: https://catalyst.prodaft.com/public/report/anubis-backdoor
# Reference: https://github.com/prodaft/malware-ioc/blob/master/SavageLadybug/AnubisBackdoor.md
# Reference: https://www.virustotal.com/gui/file/96b9f84cc7bf11bdc3ce56c81cca550753790b3021aa70ec63b38d84b0b50f89/detection
# Reference: https://www.virustotal.com/gui/file/e5255d5f476784fcef97f9c41b12665004c1b961e35ad445ed41e0d6dbbc4f8e/detection

195.133.67.35:443
212.224.107.203:443
38.134.148.20:443
5.252.177.249:443

# Reference: https://catalyst.prodaft.com/public/report/anubis-backdoor/overview

166.1.190.133:443
5.252.177.249:443

# Reference: https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat
# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf (# GrayAlpha)

2024concur.com
2024lexisnexis.com
7zip-archiver.click
7zip-archiver.shop
7zip-org.live
a-asana.com
advanced-ip-scanner.xyz
aimp.link
aimp.xyz
as-a-n4.com
as-an-a.org
as4na.com
asaana.net
asanaa.net
assana.monster
assana.vip
cnn-news.org
h2.den4ik440.ru
lexis-nexis.site
lexisnexis2024.com
lexisnexises.net
meet-go.info
news-cnn.net
seven-zip.click
sevenzip.shop
sevenzip.today
