# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Note: Trail for non-classified data stealers

# Reference: https://twitter.com/petikvx/status/1591465219666153474
# Reference: https://tria.ge/221112-tmcqqagf37
# Reference: https://www.joesandbox.com/analysis/744589?idtype=analysisid#iocs
# Reference: https://app.any.run/tasks/481b8157-1049-4145-9a84-978cd7814575/
# Reference: https://www.virustotal.com/gui/file/6663b11dcecaa8077560752dd22f1a801c7aa92c0dc691d6d2cb709be55ba5b5/detection

onsapay.com/loader

# Reference: https://www.virustotal.com/gui/file/3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab/detection

tds-packages-update.com

# Reference: https://twitter.com/ULTRAFRAUD/status/1678849977336954880
# Reference: https://twitter.com/josh_penny/status/1679092742666825731
# Reference: https://www.virustotal.com/gui/file/d6aee63ffe429ddb9340090bff2127efad340240954364f1c996a8da6b711374/detection

download-desktop-capcut.com
avatarcloud.top
cloudimages.net
editorimage.info
getavatar.top
hahaimage.info
hahaimage.top
hahaimage.xyz
heheimage.info
heheimage.top
heheimage.xyz
heyavatar.info
heyavatar.top
heyimage.info
ip-ptr.tech
justjobsnow.com
nametoimage.com
partressure.org.uk
toimageai.top
svs00.ip-ptr.tech
vs1-2_2.ip-ptr.tech

# Reference: https://www.virustotal.com/gui/file/25ed22baa1216bddb7c0588cabe791452adc9f7f668837cafe00537ff85aea82/detection

lorealis.vip

# Reference: https://twitter.com/1ZRR4H/status/1682268170168532992

managedkv.com

# Reference: https://twitter.com/hiramcoop/status/1688616244042412041

/365-stealer.py

# Reference: https://twitter.com/idclickthat/status/1692210489663905972
# Reference: https://twitter.com/fr0s7_/status/1695775953505402985
# Reference: https://tria.ge/230817-tm14bacc7s/behavioral2

kholapqua.com
shoppingvideo247.com

# Reference: https://twitter.com/k3yp0d/status/1693598087556505763
# Reference: https://www.virustotal.com/gui/file/b27d5f5a85c251ea6c603a86087233ce015f012062bf5f023e3e9a1d4b09707f/detection
# Reference: https://www.virustotal.com/gui/file/9e217a0d9a6b44b195f5ee70d38e82507c02e480430bf2508bd8afdea886d846/detection

http://34.89.79.160

# Reference: https://twitter.com/karol_paciorek/status/1696175997513564658

/stealer/Auth/Login

# Reference: https://twitter.com/idclickthat/status/1697772164831944884

secure-update-portal.com

# Reference: https://checkmarx.com/blog/an-ongoing-open-source-attack-reveals-roots-dating-back-to-2021/
# Reference: https://otx.alienvault.com/pulse/64f09d12f52704036d29d312

bind9-or-callback-server.com
cczk46g2vtc0000k68dgggx31deyyyyyb.oast.fun
ck0r1hp2vtc00007c0zggjocy3ryyyyyb.oast.fun

# Reference: https://www.virustotal.com/gui/file/65bfda9a772c6c5eab6a610446b4bf58d43bd025062a1d482cffbf9b2351fa5c/detection
# Reference: https://www.virustotal.com/gui/file/0f6e6c43df42a007f9b70482671b2fea79353e069f6260b04ed6f599abef7a5a/detection

185.130.44.113:8080
185.130.44.113:8443
93.95.229.246:8080
93.95.229.246:8443
microsoft.dynnamn.ru
mswindows.hldns.ru
rckl.hldns.ru
rcnkl.dynnamn.ru
simantec.hldns.ru
simantec.mooo.com
windowsdefender.freemyip.com
windowstelemetry.theworkpc.com

# Reference: https://twitter.com/THProfiler/status/1702136008584900636

red-hacks.com

# Reference: https://twitter.com/ULTRAFRAUD/status/1705209115000070206
# Reference: https://www.virustotal.com/gui/file/60ba10a5bdafa65987f36aa9ba884f686e36788bea22a7f6a7026fa18cbbab1d/detection

http://46.151.29.182
46.151.29.182:443

# Reference: https://twitter.com/1ZRR4H/status/1709421805880877346
# Reference: https://www.virustotal.com/gui/file/759f68868414e8e7bf602a631d34740a125a7d8821b313330ad2469a96616e0c/detection
# Reference: https://www.virustotal.com/gui/file/51574e9dc00eca75a025fe34e729a487624e1f2f77100618ff67cffb80a36686/detection

/oisn38dfs/
/oisn38dfs/logger.php
/oisn38dfs/loggerbad.php

# Reference: https://twitter.com/r3dbU7z/status/1710590656597352560
# Reference: https://twitter.com/Gi7w0rm/status/1711030015016505609

http://3.68.185.165
hackdev.ciaffa.net
/IP-Grabber.ps1
/Steal%20BrowserPassword.ps1
/Steal%20BrowserPasswords.ps1
/Steal%20Doc-v1.ps1
/Steal%20Doc.ps1
# Note: '/Steal%Key.ps1' and '/Steal%Keys.ps1' are not valid percent-encodings (a '%' in a URL path must be
# followed by two hex digits), so they will only match requests that carry this exact malformed string;
# they look like variants of the '%20' entries above - verify against the referenced samples.
/Steal%Key.ps1
/Steal%Keys.ps1
/Steal_BrowserPassword.ps1
/Steal_BrowserPasswords.ps1
/Steal_Doc-v1.ps1
/Steal_Doc.ps1
/Steal_Key.ps1
/Steal_Keys.ps1

# Reference: https://www.virustotal.com/gui/file/a21b406dd4f152c0831201585a21da8e60bd1da218e801e2d7c29076dc6c2be0/detection

http://81.161.229.12

# Reference: https://twitter.com/suyog41/status/1718890969951842554
# Reference: https://www.virustotal.com/gui/ip-address/77.105.146.90/relations
# Reference: https://www.virustotal.com/gui/file/1fbeca1cd511cf894d080d7100a05c5fff0a5f4c6c3fd214f98f28c5dcb866fb/detection
# Reference: https://www.virustotal.com/gui/file/5836eec5ff95e74e21fed63519793f61dea7661a7b555d4e971074f8ab242cf8/detection

http://77.105.146.90
/Up/bistAndAuditAlarmByHandle
/Up/bounterAndPerformanceCounterdll
/Up/bounterAndPerformanceCounteral
/bistAndAuditAlarmByHandle
/bounterAndPerformanceCounteral
/bounterAndPerformanceCounterdll

# Reference: https://www.bleepingcomputer.com/news/security/fake-ledger-live-app-in-microsoft-store-steals-768-000-in-crypto/
# Reference: https://otx.alienvault.com/pulse/654b98775dad45e59c2c2b44

ladgerlivlugio.gitbook.io

# Reference: https://www.virustotal.com/gui/file/fc596cd42b7f1237bd2686059918cbe23b752546dd820b77f91acfc99e2065a1/detection

fhaduasd.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1727754734876913736
# Reference: https://www.virustotal.com/gui/file/f7e56674caa3c0c39d0a177ce6da1063bb7ff83f0acccb5da02527ab6250826c/detection
# Reference: https://www.virustotal.com/gui/file/cc1061c7d42e18a4f987fe2563a0934e1e77322856d4d1f000e1311f1f21ef1c/detection
# Reference: https://www.virustotal.com/gui/file/90ffb9eade13d75f95e25c0b0aaa9a1f9171849cb81f1e2e9494c1fa801deee1/detection

torrecomando.com
peg3z.app.goo.gl

# Reference: https://checkmarx.com/blog/attacker-hidden-in-plain-sight-for-nearly-six-months-targeting-python-developers/
# Reference: https://otx.alienvault.com/pulse/65577803bd352de4281ac497

51.178.25.148:8081

# Reference: https://www.virustotal.com/gui/file/f75c5b809e07fe2bdcc52fba4ebed26c82b703acf60d1b6a725189c496ad4753/detection

webvideoshareonline.com

# Reference: https://twitter.com/banthisguy9349/status/1740371850067058701
# Reference: https://twitter.com/malwrhunterteam/status/1753511219594444907

http://5.42.65.115
http://91.92.241.168
http://91.92.241.172
/batushka/twointe

# Reference: https://twitter.com/naumovax/status/1740701521736802556
# Reference: https://tria.ge/231206-mfkz7adg22/behavioral1
# Reference: https://app.any.run/tasks/0de95728-53f5-4027-9655-28d15f129718/

107.148.61.219:8080

# Reference: https://twitter.com/AnFam17/status/1748426722377146822
# Reference: https://blog.phylum.io/npm-package-found-delivering-sophisticated-rat/
# Reference: https://www.virustotal.com/gui/file/631f221da41e5f837a2b0fd44d07ae64640114b803d462688ada3efb88c98403/detection

cookieplay252511.s3.amazonaws.com
devwork9.com
kdark1.com

# Reference: https://www.virustotal.com/gui/file/062404e023a81c9be5959bb78ff149daad5be544017afb765198e8e49caf89cd/detection

http://95.163.241.63
chatgptencoder.site
millionjobs.work
moneyz.fun

# Reference: https://twitter.com/banthisguy9349/status/1753014923796308372
# Reference: https://www.virustotal.com/gui/file/7f97aec4b235fc0fb0e404a95ea49629aaa141054d20e5d43786c210b35baaf1/detection

http://45.81.22.67

# Reference: https://twitter.com/Cuser07/status/1753027958636519425
# Reference: https://www.virustotal.com/gui/file/1cf34e9bee29c171c6a3b5cd073d02d42bd9db2bdbe0f8f9a0d1211b3b4291b7/detection
# Reference: https://www.virustotal.com/gui/file/038fe128a1b7bf6ef427ab3ce8962ebac66b7d355568d593c7d4e384b379df16/detection
# Reference: https://www.virustotal.com/gui/file/c2fa1070ed3827f96501969506926fca40e0393b0b842c62e6b4d7fce5c22135/detection

browsettings.com
desktop-tradingwiew.com
security-update.net

# Reference: https://g0njxa.medium.com/privateloader-installskey-rewind-2023-c1ce027cbe65
# Reference: https://twitter.com/ShanHolo/status/1752631749589234120

/StealerClient_Cpp.exe
/StealerClient_Cpp_1_3.exe
/StealerClient_Cpp_1_3_1.exe
/StealerClient_Cpp_1_4.exe
/StealerClient_Sharp.exe
/StealerClient_Sharp_1_3.exe
/StealerClient_Sharp_1_4.exe

# Reference: https://twitter.com/banthisguy9349/status/1754138045681385857
# Reference: https://twitter.com/banthisguy9349/status/1754135708636176601

http://91.92.241.172
http://91.92.246.98
http://94.156.66.186

# Reference: https://twitter.com/naumovax/status/1763518716027826284
# Reference: https://hybrid-analysis.com/sample/3242399d46cf45cab47cd48fd67ab27f20dcc8808364fee494ccbeed60826d23/65dd29b15367b2f8a0091dd0
# Reference: https://www.virustotal.com/gui/file/3242399d46cf45cab47cd48fd67ab27f20dcc8808364fee494ccbeed60826d23/detection

http://67.218.111.202

# Reference: https://twitter.com/DmitriyMelikov/status/1772661332904468851
# Reference: https://tria.ge/240326-rg9gdsbh74/behavioral2
# Reference: https://www.virustotal.com/gui/file/bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea/detection

http://209.182.225.225
adfhjiuyqnmahdfiuad.com

# Reference: https://twitter.com/r3dbU7z/status/1775260364084810193
# Reference: https://twitter.com/r3dbU7z/status/1775458644869435669
# Reference: https://twitter.com/r3dbU7z/status/1776981277989580899

biz.xn--yo-ska.co
deamenop.com
doggie-services.com
getmoss-go.com
getmossc.com
jobs-servers.com
miles-and-more-kreditkartes.com
miles-and-more-kredtikaret.com
reality4ukcit.com
tehnokonsts.com
van-debo.com
xn--fund-qqa.com
xn--getmos-8lc.com
xn--getplant-61a.com
xn--gtmss-lua6v.com
xn--kntist-wxa.com
xn--managr-fva.com
xn--yo-ska.co

# Reference: https://twitter.com/pollo290987/status/1776039471600877598
# Reference: https://www.virustotal.com/gui/file/bacd549a9fb3a1453738f170df3f9ca68c1b9e0a10387d4c116f3e86fe54da30/detection

fileupdatesdrive.com
zozobangpin.com

# Reference: https://twitter.com/pmelson/status/1780045394627428390

enginedaemonwal.site

# Reference: https://twitter.com/biffbiffbiff/status/1779949115822223733

andaclesrealty.com

# Reference: https://twitter.com/banthisguy9349/status/1787461959958294588
# Reference: https://www.virustotal.com/gui/file/523569940c424e1f222df0219f82cbee3e45c5588728f988d82886df765669aa/detection

mm6695.icu

# Reference: https://twitter.com/r3dbU7z/status/1789237495088984225
# Reference: https://www.virustotal.com/gui/file/0e8e895d3c900ba43314b56de3d625609c73cfc5b32c166064275669605829e1/detection

tehnikaldomestos.com
xn--getmss-zxa.com

# Reference: https://x.com/ShanHolo/status/1791371254353613008
# Reference: https://x.com/r3dbU7z/status/1791429395887910965

tehnocorreos1.online
tehnocorreos2.online
tehnoyoubiz1.online
tehnoyoubiz2.online
texnodomainmoss.com
xn--weststeincrd-pcb.com

# Reference: https://x.com/Threat_Down/status/1792953041487900737
# Reference: https://www.threatdown.com/blog/threat-actors-ride-the-hype-for-newly-released-arc-browser/
# Reference: https://www.virustotal.com/gui/file/c2c8a50c5d813970854ace64ed0f430fccd858066daf9bef379d340a2800ccd3/detection
# Reference: https://www.virustotal.com/gui/file/5d32e38d928887077efeb73c6686edf6dbc7c7693623913b043bb7b32bbd3f9d/detection

185.156.72.18:443
185.156.72.56:443
ailrc.net
aircl.net

# Reference: https://x.com/Threat_Down/status/1792992252307865893

windirstatt.com

# Reference: https://x.com/Threat_Down/status/1793033861225456125

webetnex.com

# Reference: https://www.virustotal.com/gui/file/ef1dea9884255955e28f2bb38975b56b3de3e6abb1f427375a64c69c8d364452/detection
# Reference: https://www.virustotal.com/gui/file/0da1da4e5ec6650654f2114f8fcbbfe196085414c9768a6b72ee0ca546da13f8/detection

storagedsolutions.azurefd.net

# Reference: https://x.com/raghav127001/status/1795203991443284188
# Reference: https://www.virustotal.com/gui/file/e9632a585421432d4e228ec224093a828124c00e8ea87c0a37ed4efe5a2374a4/detection
# Reference: https://www.virustotal.com/gui/file/213d9a5442003f99273523206a023170eecdee1616d44f274f5945af57127428/detection
# Reference: https://www.virustotal.com/gui/file/1f900f090b7bba83e3d96bf64ce81375c278a19ba2f9f1f90a6595508ecbd230/detection

http://195.10.205.162
195.10.205.162:6000
195.10.205.162:9002

# Reference: https://x.com/banthisguy9349/status/1795454820108628205
# Reference: https://www.virustotal.com/gui/file/f39e8229f8deb8e945965ce4ec051ce04bd231ebcc30e4db781e92a745047724/detection

http://94.156.66.220

# Reference: https://x.com/banthisguy9349/status/1799777047969231237
# Reference: https://x.com/banthisguy9349/status/1799777813945634946

http://185.172.128.69
http://5.42.64.56
http://5.42.67.23
http://5.42.65.64

# Reference: https://x.com/morimolymoly2/status/1800422805294719405
# Reference: https://app.any.run/tasks/6752fe18-2357-458e-905f-baa254dfad17/
# Reference: https://app.any.run/tasks/9493f89b-aa5d-4edc-9e2d-7bf5bbe0da42/

http://45.77.20.249

# Reference: https://asec.ahnlab.com/ko/67509/
# Reference: https://www.virustotal.com/gui/file/f13061bcc8b0e607f463ba557130e49ef07ce7c3d749d145197554a226d75d9c/detection
# Reference: https://www.virustotal.com/gui/file/cbb265cfae15aa0f39bc67447aa82fc3ac40be6f9239a111e21e1532295eb4ed/detection

188.116.22.65:5000
imgdev.s3.eu-west-3.amazonaws.com

# Reference: https://www.virustotal.com/gui/file/10a418f349f66ed9d3ace0cf8c419724100af7cf1e2318f03977dd99186dac42/detection

46.166.160.173:5000
spy.top

# Reference: https://x.com/r3dbU7z/status/1810725087064011116
# Reference: https://www.virustotal.com/gui/file/c0c528c02762933bea32d2f01c48761e797f231d05fed3e91fdf4b05a6f845dd/detection
# Reference: https://www.virustotal.com/gui/file/57740d3e8111071bb228548c49bb1f2438f05e4f66f90015c439415da078867e/detection

http://37.114.42.89
37.114.42.89:7723
37.114.42.89:7763

# Reference: https://x.com/johnk3r/status/1811507356380840061
# Reference: https://www.virustotal.com/gui/file/09352f4a540694828f687233d5daa72e7809d49b25fc659b52e79a644c0c9430/detection

codeprotectiongroup.com.au
kdarkplay.online

# Reference: https://x.com/malwrhunterteam/status/1814370019800711223
# Reference: https://www.virustotal.com/gui/file/22156f918e1777fdd502556582331118f63618cce7a16b24d2ba91eed09e85ff/detection
# Reference: https://www.virustotal.com/gui/file/832113e18b31afb0718112b130bfb301719785b1cf175c6737321ab50c62a6f5/detection

http://5.8.38.130
5.8.38.130:8000

# Reference: https://x.com/RacWatchin8872/status/1815685905325191270

http://198.46.178.229

# Reference: https://www.virustotal.com/gui/file/7043433a6cdd317c99eb1bfc68d5d56b7e55e73358f9cc5a1c9c89d710abeb54/detection

http://45.9.74.189

# Reference: https://www.virustotal.com/gui/file/604ea692ed8e041b45cf1961fb7439e269720de29f9052bf081b71767506a92e/detection

impersuasiblyredeliveranceunspleened.com
/v5/ehsq.php?amnf=

# Reference: https://x.com/malwrhunterteam/status/1818912801873637575
# Reference: https://tria.ge/240801-j4dz1a1arj/behavioral1
# Reference: https://www.virustotal.com/gui/file/5bfb6fa39e146a1ac1780c4bc8bdfa1f820e7b61bc2c60c6c13b440fb26616f5/detection
# Reference: https://www.virustotal.com/gui/file/bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40/detection

http://91.92.255.73
/v9/qlmz.php?mfgb=

# Reference: https://x.com/EncapsulateJ/status/1823063698220646760

/HELPFUL_STEAL
/HELPFUL_STEALER

# Reference: https://x.com/r3dbU7z/status/1827916313995485488
# Reference: https://app.validin.com/detail?type=dom&find=maintenance.exe
# Reference: https://www.virustotal.com/gui/file/1dda45d4075ff24afb934506c6b554c1f1db725daeb5974883183c6844b59a2a/detection

109.234.165.215:21
109.234.165.215:54430
109.234.165.215:61457
109.234.165.215:64815
qiza8384.odns.fr
addon-scarlet-analytics.com.qiza8384.odns.fr
ftp.qiza8384.odns.fr
mail.qiza8384.odns.fr
mail.scarlet-analytics.com
scarlet-analytics.com

# Reference: https://x.com/ShanHolo/status/1828371581707387242
# Reference: https://www.virustotal.com/gui/file/05ded1c8dda1a6773fdf0fb455ebf60cf45fcd46d9728a6392ee44cdbf5c9c08/detection

/kabeleblan591c

# Reference: https://www.virustotal.com/gui/file/51d9264e591df98e96eb17cc0fc735cbcd32a4448c2c5497d51924ad95fc9a6d/detection

spy-ware-dudu.squareweb.app

# Reference: https://x.com/0Dayhta/status/1828461255784378562
# Reference: https://search.censys.io/search?q=services.ssh.server_host_key.fingerprint_sha256%3A+0d09ffc6b420774fabce1148e90d9e0d0f1ca5ead4a1bdb0e754341b6826c401&resource=hosts

104.200.16.74:8090
158.140.133.56:8090
186.7.118.9:8090
50.207.70.160:8090

# Reference: https://x.com/iam_rajhans/status/1830957234660032815
# Reference: https://search.censys.io/search?q=services.http.response.html_title%3D%22Stealer%22&resource=hosts

http://91.227.62.102
http://91.227.62.103
52.208.202.196:3000

# Reference: https://x.com/SquiblydooBlog/status/1831323335306953164
# Reference: https://www.virustotal.com/gui/file/0b5fe211d558daa7d54207d2869f53d0a91ae16397343fd2605fd3a0f292dd21/detection
# Reference: https://www.virustotal.com/gui/file/269c3b26b215d397f012a20e241c54b2c693667d4f64243ebf8dba1a5872c02d/detection
# Reference: https://www.virustotal.com/gui/file/b761e91e77b67661db51d6b498ea39ccb6f143e51eeee18925a2dc4aab20adfa/detection

analfucker.lol

# Reference: https://x.com/malwrhunterteam/status/1833429879569760417
# Reference: https://www.virustotal.com/gui/file/ed5b0e8df751ad94212b080f4c94275f333c2aee169bd10c8341579923a88cb3/detection
# Reference: https://www.virustotal.com/gui/file/16d2e5a617f5ab0170c869dbfe68087d21d4e6923d60e0ea58cc6cabe353da0c/detection
# Reference: https://www.virustotal.com/gui/file/0f4824bc494dc0898196f7ff2b775a35b25a34bc1758501b8f8f6f56f19829a3/detection

194.135.104.214:443

# Reference: https://x.com/cyberfeeddigest/status/1834203974498496743
# Reference: https://www.virustotal.com/gui/file/10722f907c8382a48cbcc2ddda289db6e890280adc953f44091ea12877625e25/detection

data1.mlinkplanner.com

# Reference: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-09-19-IOCs-for-file-downloader-to-Lumma-Stealer.txt

gzipdot.com
/api/machine/injections?uuid=
/machine/injections?uuid=
/injections?uuid=

# Reference: https://sansec.io/research/cosmicsting

http://89.110.84.168
89.110.84.168:21

# Reference: https://x.com/iam_rajhans/status/1846166461061972022

http://139.59.26.181

# Reference: https://cert.gov.ua/article/6281095 (# UAC-0218)
# Reference: https://www.virustotal.com/gui/file/f541d5c6338d65afba2245685ac1189b44c90393d7e67b70289e1f28b6da6c52/detection

109.205.195.233:443

# Reference: https://x.com/malwrhunterteam/status/1850837296859209944
# Reference: https://x.com/ShanHolo/status/1851528395315630273
# Reference: https://www.virustotal.com/gui/file/2c96f2a04b9f113d91f75de79c73f57a570b995098013368432a917fa14c7a45/detection

http://45.151.62.250
unvdwl.com
/un2/botprnt.dat

# Reference: https://x.com/malwrhunterteam/status/1857898166261264844
# Reference: https://www.virustotal.com/gui/file/7c126aee7eff07bcfcdbf417ae47b8ac3aa9bef4bf0b4683dc396e6bac82ffa9/detection

blacksmatter.live

# Reference: https://x.com/StrikeReadyLabs/status/1858522290926784721
# Reference: https://www.virustotal.com/gui/file/88aa1bd65a6ff5d92ac7041e9685c20e08286709971881660df9c0f4a04c06db/detection

http://185.22.153.91
185.22.153.91:443
media-storage.myftp.info
ftp.media-storage.myftp.info

# Reference: https://x.com/DaveLikesMalwre/status/1859031448725938422
# Reference: https://x.com/RussianPanda9xx/status/1859033237143908612
# Reference: https://www.virustotal.com/gui/file/c199f476a2f4d17651073967936c1a572425813a064058393ba216accc872c7f/detection

217.144.186.19:12345

# Reference: https://x.com/r_cky0/status/1859656430888026524
# Reference: https://x.com/1ZRR4H/status/1860223101167968547

nativesolutionsstorage.xyz
primeapis.com
solanaapis.com
solanaapis.net
api.primeapis.com
api.solanaapis.com
docs.primeapis.com
docs.solanaapis.com
pf.solanaapis.com
portal.primeapis.com
roadmap.primeapis.com
server.solanaapis.com
storage.primeapis.com
test.solanaapis.com

# Reference: https://x.com/marsomx_/status/1864330082673647835
# Reference: https://bazaar.abuse.ch/sample/510dfc251b49c6c6eec46441605ce50ed88cf25ebafaa65da4784c139826b654/

46.226.166.190:8080

# Reference: https://x.com/solostalking/status/1864946940288565524
# Reference: https://search.censys.io/hosts/35.197.39.115/data/table#3003-TCP-HTTP

35.197.39.115:3002
35.197.39.115:3003

# Reference: https://x.com/solostalking/status/1864532060896924136

/365-Stealer-master.zip

# Reference: https://x.com/banthisguy9349/status/1865388712827208165
# Reference: https://www.virustotal.com/gui/file/b8984d3efe64ecb87995951b02406dcf6211d5fd36654ca16f771fc3e46f3fe5/detection

211.204.100.20:1234
49.236.184.62:1234

# Reference: https://x.com/banthisguy9349/status/1865376313260794286

truewebmedia.com/dl/downloads/

# Reference: https://x.com/naumovax/status/1880265629992898956
# Reference: https://tria.ge/250116-sx28paxnhq/
# Reference: https://www.joesandbox.com/analysis/1584233/0/html
# Reference: https://www.virustotal.com/gui/file/0d764405a0f82824062292da14bb60dd94c3f5d3a82b2fdc0b9062a89862be19/detection
# Reference: https://www.virustotal.com/gui/file/19b883fd205513f2c8d7933a35ff86c63194312a75a6ff9a83a1c649b55603da/detection

http://107.170.37.196
http://159.223.117.23
http://162.243.39.100
http://162.243.76.72
http://174.138.90.75

# Reference: https://x.com/Merlax_/status/1884375721054728316
# Reference: https://www.virustotal.com/gui/file/db871ccf4cced277c89d82b06d0568f72e4533a94c39f77fac4b9f79d766f9aa/detection
# Reference: https://www.virustotal.com/gui/file/8e5f3bcaa1cbdb7ecd0bb9d52b773cf5879b58b72787880d96779ecaec033dcd/detection

http://172.86.115.125

# Reference: https://x.com/JAMESWT_MHT/status/1884873684411699463

publicity-jenny-paintball-gilbert.trycloudflare.com
spokesman-disagree-comparing-feeling.trycloudflare.com

# Reference: https://x.com/JAMESWT_MHT/status/1887767853140414718
# Reference: https://www.virustotal.com/gui/file/01c98bf4996afe3d974b785d667aa91f118a0351b6c5290db526183548775151/detection

http://46.8.232.106
http://46.8.236.61
http://91.212.166.91
http://93.185.159.253

# Reference: https://x.com/ShanHolo/status/1887509244468945356

orderpo.organiccrap.com

# Reference: https://x.com/malwrhunterteam/status/1889674610842501294
# Reference: https://www.virustotal.com/gui/file/f1fd4dc8a35fa586ea2f3ccd8217f4e46d87bfdaeb3c36fdd07dd7cac416763c/detection

http://194.87.31.68

# Reference: https://x.com/malwrhunterteam/status/1889675648119001467
# Reference: https://www.virustotal.com/gui/file/a1706ec6772daa7a54c67117d5ce7b5fd5285f6245ad08f46b3b4176a7f1e021/detection

http://88.151.192.165

# Reference: https://threatfox.abuse.ch/browse/malware/unknown_stealer/ (# 2025-02-15)
# Reference: https://www.virustotal.com/gui/file/2cb48362e8e925d42fc863e5a19f374719d2d57c8fd0c7393be43e61dae8a7d3/detection

accessbullx.com
ai-helper.xyz
bhju.daowsistem.com
btee.geontrigame.com
bullx.network
cipherinvest.xyz
cryptocompass.dev
cta.berlmember.com
cxmp.scortma.com
greenblock.me
igow.scortma.com
impresacostruire.it
iq-insitute.org
leme.daowsistem.com
lgfd.daowsistem.com
llue.geontrigame.com
marketscan.me
marketsearch.me
nexustrade.club
pumpingpulls.pw
qfab.geontrigame.com
qmnw.daowsistem.com
quit.scortma.com
rtcrypsm.pages.dev
rtcrypsm.xyz
searchesdex.me
skeletonwatcher.rest
stakesol.pro
tbet.geontrigame.com
tokenscan.info
tokentrove.dev
wipeout.pages.dev
xrxw.scortma.com
yezh.geontrigame.com
youarewatched.fun
arrudaalves.arq.br/wp-admin/cc/inspecionando.php

# Reference: https://www.virustotal.com/gui/file/450de6b332452b8c7387b48071126448da53289cda03fdbcf0fc66514b554afb/detection

elonmusk.zip

# Reference: https://x.com/malwrhunterteam/status/1894368575449698671
# Reference: https://x.com/malwrhunterteam/status/1918622181849751893
# Reference: https://www.virustotal.com/gui/file/9a369fa04d882bae7a93d8b940a7e0021110d787528922ecb869084632d52c99/detection
# Reference: https://www.virustotal.com/gui/file/73792053ed597677b370f380f19e6d9959f2b665eefb9cd21f3a142e1c483136/detection
# Reference: https://www.virustotal.com/gui/file/b11005923c12dcb5e7f5a84ca99891a4c7e5b4c9080c5de14ffc6c6a42c4fafd/detection

157.230.108.102:8880
157.230.111.164:8888

# Reference: https://x.com/suyog41/status/1895099286200918193
# Reference: https://www.virustotal.com/gui/file/f77f2206a5e72f702a0da2ca29bcdb91bee47ef9de3b0bc30810b3c55100c2f3/detection

civet-lucky-bug.ngrok-free.app

# Reference: https://x.com/malwrhunterteam/status/1895762548701741529
# Reference: https://www.virustotal.com/gui/file/987cf8826d30986abaed09e37b90a5da4d4756eb21be007fa73346bb158dc8eb/detection

http://151.243.200.62

# Reference: https://x.com/TuringAlex/status/1896172610008047705
# Reference: https://www.virustotal.com/gui/ip-address/47.76.118.67/relations
# Reference: https://app.validin.com/detail?type=dom&find=webtechnovelty.com#tab=host_pairs
# Reference: https://app.validin.com/detail?find=KAP320%20Login&type=raw&ref_id=d70241f666b#tab=host_pairs (# 2025-03-02)
# Reference: https://www.virustotal.com/gui/file/a73e50c83e9e7f791af4130ff1295b876f7389e8da90a23dff57d60ce33e1819/detection

0a597f79d876441d.xyz
9da8e16d88.nl
9da8e16d88.xyz
aaaql1f9b52c4aec.top
acduca43726a4038.top
aeasz691c8434a71.top
aexub45f1089f8a7.top
amxzw5df0c7148ed.top
aqbdgbaf54dc4e1d.top
aqvbzfeb8fdc46db.top
asckz874464640c7.top
auudqd07d6514ad6.top
auxjvce5b61612c9.top
awtig44c044140f3.top
ayaof0505db5416c.top
aydqk983efd4db82.top
ayxjf49ddc7fa566.top
bbwqp1be5dbe7169.top
bdyrvf84c5588983.top
bftnnad35d0945f1.top
bhyyldb850925538.top
bjtte29790e1b497.top
bjvtj65ab9f84042.top
bjwyqc03ddba48a5.top
bnbcc90f26cc4c25.top
bnwxt2b85da44f6b.top
brdmbdde7e15405d.top
bttcm0ca23204f2e.top
bvxle3ab12446bac.top
ccxtxb55928d5da7.top
cgawof55137d48fe.top
ciusf3bfb9a54bd0.top
cmcil93f183459c8.top
cmgfg406d0344ce8.top
cmxdbfe729eb24a4.top
cmyxn36f7dff4799.top
cmzcx3ad83f04d04.top
cozel9f2896233f6.top
cqdkt91a841b4738.top
cqxin18f99fc4f0f.top
csxfnc0d0dec4f9e.top
cwemdf92aaa8debe.top
cwzmie8a229e46c1.top
cyyqnf9da0714551.top
dbzqreb1bbc3f30b.top
ddfet0eeb5a6b934.top
ddlx555.com
dfgyk4b0f14f478d.top
dhdbs88c8d724acd.top
dhhap923cbaf4d33.top
djeax040faca4f2e.top
djzxneadfdb948a8.top
dlegm5564da94fd6.top
doj1amghl1f8.com
dradode8de114e82.top
dtfod5362f067478.top
dvylx49c6ed34236.top
dxhww45d9b414092.top
dxzrpe4e1e5427f8.top
dzhcn6efee36479f.top
dzxic9c784cbd549.top
eezxdd2e17d8aa7e.top
egymining.com
ekbaw38a26874780.top
embjm6405186be91.top
emdmz71cd874071e.top
emgovf8a4a120f40.top
esdnb1eb80f617ae.top
eshvq014d1965680.top
eswagb3151e825bf.top
eugmjd9f43439330.top
ewcqt98052034ec3.top
eydss08250fb41eb.top
fbarr6758d205659.top
fbawk8099b9f4e3b.top
fbcqrbaa07bc0fee.top
fbedn8afc1c0ba2e.top
fbfsae2b4ba5e546.top
fbiziae133684d22.top
fdban74c3b6241e9.top
fdhxia9dfb57a92d.top
fotarftrial.net
fradlb0bcaf8040c.top
frektc673aa601f0.top
ftcia06bb2600555.top
fthpfd55d1d9f5bb.top
fvcjw37d6b2c2dd4.top
fxguz6d7bdb84e72.top
fxjevf64b29d3bc3.top
fzbmie2b03f45b87.top
fzbml8f02b7c5699.top
fzgym63d1a5547c9.top
fzhsud863de0126a.top
gagtac2d844c0eec.top
gahwjc4ccc9a4348.top
gcecm88a4eb1f5e0.top
ggaty405b1c1b620.top
ggecs16a614e680c.top
ggibx304981b4ca7.top
gkzwq84aa7ad2385.top
gmedbaf889dc40a3.top
gobjp97c1e084576.top
gscmy6b9b81efc47.top
gsiqi6d9778f46fb.top
gwhbga207f755426.top
gybvx6af4f296933.top
gybxba9f68a54354.top
gycyk69ba5c84f35.top
gyiuz5c5d5fc2c4c.top
gykerb9dd5b8c3bc.top
hbgwd51dce49b7ec.top
hbhxi118af4e4625.top
hbkjc1b8fdc04e64.top
hdcziea687211b74.top
hdhzg974c945fd0e.top
hhzvh70cbfa191ea.top
hjkqnmxymqwec.xyz
hnilrc15367b4930.top
hpdpga2d1b514ccd.top
iahxd891466c0dd9.top
ialbobfc77854bcb.top
icjai7080f7b5238.top
igkmtfdfccb84e13.top
iilio5e1d4d7946b.top
ikfeae481044b4b4.top
ikkms64452f634da.top
imbeaf798f024fd9.top
iqdjx2b5560f5ebf.top
iqflb08f579d4756.top
isjrn17ca7209e3d.top
iugqpdc1efa162ab.top
iuiajf79d876441d.top
iwjvz18cdaaa4c2d.top
iydqtbf9cd38043e.top
iyetud9ae7de4c11.top
iykxab825924a6cb.top
jbmle84ea85c4fe5.top
jbnhb82c38594a17.top
jdhau4cd4dd2b968.top
jdkeu4ac4c14a675.top
jdnol7e7e6e0430a.top
jfidw6ef6a1840cc.top
jfmie56025bafe82.top
jfnmkc1f291676ff.top
jngjmc702dda4ac8.top
jniso79e54604932.top
jnkvk1e5444f4c8a.top
jnmui0a0e94c48b3.top
jnnrheefcc5ecd70.top
jrjrj74d40fe82b8.top
jrnuu3dfb7c30362.top
jtblzd7e394fa72d.top
jtend43d0f17cea3.top
jtirm81911f40026.top
kclfve16378fbe09.top
kegcqcbc368872b9.top
keokd3b72f1b7171.top
kgkhic3aeb66e61d.top
kifev313a3da4019.top
kintg1e24fab4efa.top
kkegm83970a7415e.top
knshubsazvytuszbzsinasz.xyz
ksfoef9b4a773f51.top
kwdrra918a2b96e2.top
kyixd993eeb0e617.top
lbgezd7d10273451.top
ldpkl2793f634059.top
lhgif777f7e72fa7.top
ljdki897cc184833.top
llalr2987b3521e4.top
lnhrhc97cd684dfd.top
lxeuuef1cbb9423c.top
lzmdne2ad0434ec5.top
mclgx6d074d17a4e.top
menke7bd632eabf6.top
mmkqeb8eb8641092.top
momuj45f97bb9005.top
myldpba4527b1f1a.top
nbmihc2f08204ae6.top
ndifc06ea0da4608.top
njkob93f8ed94945.top
njmqae2131e74892.top
npnxu1a7f035ebc7.top
nrjuq57c92be79fe.top
ntgup3e65f197570.top
ntmaea30bcdb62fe.top
nxmfff5d77d85bd0.top
oklrxe1f819c271c.top
oknsb14470014550.top
okoti05eb2fca7c0.top
onwatchpercontact.org
oogrc512a29a4dc2.top
oowoo.cc
oqrceee632efc3cf.top
osnab3ad02794605.top
pbihxa61c2a04406.top
pjhny8e97de16d0b.top
plkrae21a4449b56.top
privatemeris.net
ptshy00e4f0f42f7.top
pxkdm5354d286b39.top
pxoit5a1da562f02.top
pzieu4ebfe5d1076.top
qcpovbb3fff646e4.top
qilqxfc975904fc9.top
qqjwq0fd984a4ad1.top
qsodhc512ead4fee.top
qvdfugoagjl.com
qynidd0fd22f8f9b.top
rbkja7d872b7eb6a.top
rdhff496d8de9044.top
rloxqd68e4bc39d1.top
ry58j8eutglu.com
tftkgbf9f26f14e2.top
tnxwod00372b459a.top
tplmv9fc788ed799.top
uuqwac911437455c.top
uvdfugoagjl.com
uyqbj8d8a1444e4a.top
vpsvp2ccae6baa8a.top
vrorheaa1306430e.top
vrosi9c20a840321.top
vrqvpcfadb312dd2.top
vrvzz3ddb3b85df2.top
vtsya09d790049c5.top
vtyeo9462cff2d45.top
vxakqf75bk0j.com
vxpah8fd6a8ac449.top
vxtdi2bee66ecea9.top
wgoie06bfc3de90d.top
wqqvqb1042a7c82c.top
wssyc15153bf96cd.top
wsyft2d490aa4112.top
wwwetbb5ac944271.top
wytfped4f94443a0.top
xjytd883fae1447a.top
xltum77cbbbc3f26.top
xpuvkfe42a7541ab.top
xpvzv0aff4b8a5c9.top
xrrxbb3601042986.top
xrrxs10dfa1945df.top
xrtwte0d676a4e94.top
xruab74b04f7ed50.top
xruaiae6f9974314.top
xtsbe1616ebbd0fe.top
xvuej3f404114fed.top
xxrbhf51ab4c4d9d.top
yczrp203542f73bf.top
ymobr60b33d7929a.com
yovxw5b08cbe4dce.top
yqcjr23de6a5d416.top
yqqwu81d73326513.top
yqwdibfeace1439a.top
ysqwsa7a5bd9474c.top
ysrabad17165aab7.top
ystab407f5784411.top
ysudfe841aadf6ee.top
ysvcbf06948f4322.top
yuvgme2b6d52b62b.top
yuxhr0dabe572575.top
yyshwdf9629b3b9b.top
yytfuf3b7d264d53.top
zdytg4bcd02b4e39.top
zfwprf035c3bd0b8.top
zjxxn31bc7eaabfd.top
zntxqadaedc01ee2.top
zpruo502eda1419f.top
zraiq91f02aab2e0.top
zrchw2e4182f459f.top
ztzjtd18a40bfb55.top
zvboi0aac1dc4165.top
zvrdl8c831472e33.top
zvxjyd982fda0dd0.top
zvxkz4c43bc24585.top
zxapo1a47ee04b27.top
zxigz2940637fafa.com
zxigz2940637fafa.top
zxrfsa808e0a0020.top
zzsft66e80474075.top
zzvmk81a3b0553ee.top

# Reference: https://github.com/hagezi/dns-blocklists/issues/5455

guildmerger.me

# Reference: https://x.com/Jane_0sint/status/1899063529015046241
# Reference: https://app.any.run/tasks/dc8ba6e2-8cb7-448f-a241-d63167e66041

datagayo.batch33.xyz

# Reference: https://socket.dev/blog/new-pypi-malware-exfiltrates-ethereum-private-keys

rpc-amoy.polygon.technology

# Reference: https://x.com/malwrhunterteam/status/1902290970718224638
# Reference: https://www.virustotal.com/gui/file/ed296039c2cc5a8339eaf3346ca178ca67d728fb44a4311e5649354df3f465e5/detection

iwannaeatcats.com
leetb.iwannaeatcats.com

# Reference: https://x.com/malwrhunterteam/status/1903146810237128802
# Reference: https://www.virustotal.com/gui/ip-address/8.218.124.102/relations
# Reference: https://www.virustotal.com/gui/file/776b4fb58d76105a60bccfbc09abad82330b8ee5138b93b826deaa7689030bbf/detection
# Reference: https://www.virustotal.com/gui/file/f3d1778d95a4d159dd79684dee33d1d2a3952ebedb1e567c448ff64140fe14b9/detection

http://8.218.50.207
185.198.166.41:9999
myrnicrosoft.com
center.myrnicrosoft.com
cloud.myrnicrosoft.com
profile.myrnicrosoft.com
proxyx.myrnicrosoft.com
update.myrnicrosoft.com
/aasdasdqrunshkkkkkkk
/asdqsadsdahhhhhtxt

# Reference: https://www.virustotal.com/gui/file/0d88fa985329594a69447766a3f475041ddfff777b0edaba6795e633944847c9/detection
# Reference: https://www.virustotal.com/gui/file/b9ced50dac1fd85ac9846541d74543f85ba75e02d30ff96b6ba9f10f8c4ff953/detection

mssysupdate.com
sssupdate.pw
stat.mssysupdate.com
stat2.mssysupdate.com
stat.sssupdate.pw
stat2.sssupdate.pw

# Reference: https://x.com/malwrhunterteam/status/1904483090086367467
# Reference: https://www.virustotal.com/gui/file/da2a28b696269f41d2b3300298a455b67889ed3223930ece69d12dc288b43931/detection
# Reference: https://www.virustotal.com/gui/file/68938329576be32f84babff5afb770dac8cc3b13e2e5e114a3ec13b0bba8771f/detection
# Reference: https://www.virustotal.com/gui/file/4ef943f0de2e811f1e57fdb5a7fc8040c75e4ce446a0838a1847bcdf58775490/detection
# Reference: https://www.virustotal.com/gui/file/4ec41afc275e281584f046a65ed5b1e04ea1a5033d5b10ea15e16b0f7b02a1a0/detection
# Reference: https://www.virustotal.com/gui/file/00cb74eb8c6e502955474e7e4ef26ee0c86fd5ad712d0f4721b30662c631234c/detection

86.92.186.238:3000

# Reference: https://x.com/malwrhunterteam/status/1905270488680542413
# Reference: https://www.virustotal.com/gui/file/16451074c8122178d3b20aca1727119552d8709d06da75f7d059a8c2f24057f9/detection
# Reference: https://www.virustotal.com/gui/file/d60964e96e5252cc062fff7b0ab9b62fe08566d1d2c7d40d988dfb8801d0701e/detection

45.138.16.209:6382
45.138.16.209:7719
dat-voip-sit-cio.trycloudflare.com
endurancefloorferqecrace.de
qed245t3kreiscryoz-gueterslohewr33w.de
teamvontaxi-koblenz.it.com
right-championships-junior-pubs.trycloudflare.com

# Reference: https://x.com/malwrhunterteam/status/1906091446077382997
# Reference: https://www.virustotal.com/gui/file/d80f23bc6fe3b83e9d62745afc34e5762e1a83bbca724ec7f8969569f5432bc5/detection
# Reference: https://www.virustotal.com/gui/file/d651584b219c46b1710546cb8d2a9899a09ac180a0f20cdb3981df2fe88b1c78/detection
# Reference: https://www.virustotal.com/gui/file/bd84d6ff599401f7a627d823dceb1c46eaca3038cf500f6702001e6109dc63be/detection
# Reference: https://www.virustotal.com/gui/file/83c209ff95e7561a37aac3788a25a20f0e531bb8efc6062b5ecf2ed088040957/detection
# Reference: https://www.virustotal.com/gui/file/c788eaf9b6b7fb6a8483a9c58569f5407bdfc07c9e5ffcc9c2c480de08060608/detection
# Reference: https://www.virustotal.com/gui/file/3e84f1476ba94cf7ade7ffb8e1bd067806c58eee373fa92cef249976191f13ae/detection

141.98.7.127:1337
83.168.110.38:1337
/dqw3udn9uwhfu?xaowdo0adm=
/e9fd219aidi3
/ed8972dsiocm?sakjd818djn=
/dqw3udn9uwhfu
/ed8972dsiocm

# Reference: https://www.virustotal.com/gui/file/f7272b7a51058ca34b65fe6fa97ab0d3dc25cd08a23a3bb2570a0447e581ec10/detection

cloudbridgebetweenworlds.com

# Reference: https://cert.gov.ua/article/6282902 (# UAC-0219)

http://144.172.98.178
http://167.88.167.254
http://172.86.104.17
http://172.86.114.149
http://172.86.88.15
http://172.86.88.186
http://45.61.159.252
drobbox.cloud
eschool-ua.online
iocreestr.tech
mfashara.com
rrrt.website

# Reference: https://x.com/malwrhunterteam/status/1907683448304660795
# Reference: https://www.virustotal.com/gui/file/f11cec17a37fd445aa0b8e848a5a2df28d440feb01cc932b250c49fb567e1d4d/detection
# Reference: https://www.virustotal.com/gui/file/b0c565a109b36c712e0b34b5134cf66c0f9169af877f25453933f95a63b05f20/detection

connect.paul-stein.com
lkilljl.paul-stein.com
/dbuiqo

# Reference: https://x.com/G60930953/status/1908444570335007052
# Reference: https://app.validin.com/detail?find=a7c5a1ba0d8a18716218aeca55b11bdf&type=hash&ref_id=ac8ae8a53df#tab=host_pairs (# 2025-04-05)
# Reference: https://www.virustotal.com/gui/file/300fafb0adfe9fc702834361f4cdcc57f2bbac1ed20a0e8f820ce3ab83d042bd/detection
# Reference: https://www.virustotal.com/gui/file/c323361c072c13a15bacb14ab61d2d4d581bbd5a551421140deab80e88b68cd9/detection

http://145.224.94.134
http://185.105.188.13
http://185.120.16.53
http://185.126.117.97
http://45.10.90.95
http://45.128.153.140
http://45.128.153.145
http://5.183.179.119
http://5.183.179.120
http://5.183.179.243
http://5.183.179.97
http://5.183.179.99
http://62.16.0.50

# Reference: https://www.fortinet.com/blog/threat-research/rolandskimmer-silent-credit-card-thief-uncovered

bg3dsec.com
exmkleo.com
invsetmx.com
fzhivka-001-site1.btempurl.com
kleoti-001-site1.htempurl.com
mgproperties-001-site1.itempurl.com
rinootracebg-001-site1.etempurl.com
topclima-001-site1.itempurl.com
zzigi20-001-site1.atempurl.com

# Reference: https://x.com/malwrhunterteam/status/1915693958333714459
# Reference: https://www.virustotal.com/gui/file/27db3aa51165039daa27af441eebad180b89085415cf33ef42bfac42eae1b0f4/detection
# Reference: https://www.virustotal.com/gui/file/19a1a9bb5891f8dd370b7062a026c5b32ed1c49a9393756791915868be6e280a/detection

185.147.124.90:7001

# Reference: https://x.com/JAMESWT_WT/status/1922185649056100727
# Reference: https://github.com/km3dg3/IOCs/blob/main/2025-05-12%20%7C%20UNK%20Stealer%20%7C%20Booking%20ClickFix
# Reference: https://www.virustotal.com/gui/file/5c02bfe719c33a92eeb98c5e871f109b9b0f47b16b37969149f7e8bf052487aa/detection

avegoldenbrhpe.blogspot.com
blackprinceoxy.blogspot.com
bridgundefinedbelltbtws.blogspot.com
desodgucdyy.blogspot.com
gutsyheartscy.blogspot.com
hopundefinedevbeag.blogspot.com
modhopmdoroteaucq.blogspot.com
powerbladethax.blogspot.com
russianboypdo.blogspot.com
stafnigetvpgdm.blogspot.com
undercloudxatabubkgpwrd.blogspot.com
upleamrzadrotppv.blogspot.com
wertyimrproperbyxiwo.blogspot.com

# Reference: https://x.com/skocherhan/status/1921905749061480463
# Reference: https://www.virustotal.com/gui/ip-address/146.0.73.28/relations
# Reference: https://www.virustotal.com/gui/file/cbd6ff8f7b5c3ac598eb73d457320ddda121afd84cf90134d47e5a8307e7882b/detection

45fgdfg.store
arganoilbio.com
astrocore.rest
astroglow.makeup
boldforge.info
brighthaven.help
cloudlynx.work
cloudorbit.pro
das45fg.website
digiloom.info
dolsdf.space
ds445.store
dsde4.art
dsde4.asia
dsde4.autos
dsde4.baby
dsde4.beauty
dsde4.cfd
dsde4.christmas
dsde4.click
dsde4.cyou
elamnh.com
espero.uk
greencortex.work
instafarm.live
lsdf.online
lsdfsd3e4.store
lsdfsdf.online
lumanest.hair
lumanest.help
lunawave.rest
mindloom.space
pixelhive.beauty
plugdepot.com
primehaven.help
quantumnest.wiki
quantumpulse.help
sadfsdf.store
skyloomer.help
turbocore.ink
turbosphere.help
weekas.com
zdse.xyz
zuckerloh.live
mail.dsde4.cfd
otkrut.instafarm.live
/zuckerloh

# Reference: https://x.com/solostalking/status/1922183568207311300

194.102.104.47:3000

# Reference: https://x.com/malwrhunterteam/status/1926390382432026817
# Reference: https://www.virustotal.com/gui/file/121bf2a99533e1591c22725ab769b3c26776f09b29585f7c3148ed2a7cc459bf/detection

http://146.185.233.170

# Reference: https://x.com/malwrhunterteam/status/1927319321987977698
# Reference: https://www.virustotal.com/gui/file/6e116ef59d775f252828c0b58dcacf7f8d3500d19a35224e9ef4dc7fabaf9a89/detection
# Reference: https://www.virustotal.com/gui/file/30890f2e20243d6ea815c88de1f9fd0ff9ce4f4f4a0737d4a964e875de74bfba/detection

sellyourniggersfor.me

# Reference: https://x.com/suyog41/status/1928305661810544856
# Reference: https://www.virustotal.com/gui/file/46ea7ea00376add887f39f1992bca8dd98770b8369c109c9d9bd05dbf182cc9e/detection

4hteocibnkyarcsawup7sa7hv43w6rw6ziw3tx3uf45d6wokvihl3vid.onion

# Reference: https://x.com/malwrhunterteam/status/1929823042072346877
# Reference: https://www.virustotal.com/gui/file/e889e7e99b71dbdaa9b939f4c0e4730e62761759f4d932ea2fc92f1498905928/detection
# Reference: https://www.virustotal.com/gui/file/12ccaa0b9eb15a5e0d4e7d9d370a31fb90442d82af6c53c0ec7ec68baf89e212/detection
# Reference: https://www.virustotal.com/gui/file/0559f003151aaf2bbc115fae13802d098f0c4b2401b1c40cf2b81f7807ea889a/detection

http://80.94.95.141

# Reference: https://x.com/Dkavalanche/status/1930645057587081640
# Reference: https://x.com/JAMESWT_WT/status/1930842539843600518

lubovtolkunova.ru

# Reference: https://x.com/JAMESWT_WT/status/1930826646749151384

reconve.io

# Reference: https://x.com/malwrhunterteam/status/1931464477171437955
# Reference: https://www.virustotal.com/gui/file/6416beda6b4273788d3b2197534573a0dfd43a8fde07038ec0776e1b4eccae84/detection
# Reference: https://www.virustotal.com/gui/file/08a7e858c7006883c8609555d42d107abeb7385e7ea889e6a7a14e2bc65b889e/detection
# Reference: https://www.virustotal.com/gui/file/55625060998fa49ff778b6fc10d4401dca3182baa634761bb8be045660ae56e0/detection

http://195.154.176.101
195.154.176.101:5635

# Reference: https://x.com/dez_/status/1932966046119408056
# Reference: https://x.com/SquiblydooBlog/status/1957577434041315440
# Reference: https://app.validin.com/detail?find=pythonmemorymodule.zip&type=dom&ref_id=3c22fa8fa6c#tab=host_pairs (# 2025-06-14)
# Reference: https://app.validin.com/detail?find=crypto.exe&type=dom&ref_id=3c22fa8fa6c#tab=host_pairs (# 2025-08-20)
# Reference: https://www.virustotal.com/gui/file/3fd6f78600d58c88f734b01fff2e605087d1c2957cc1d6c2867df575816c9dd4/detection

http://104.194.11.212
http://109.232.250.39
http://176.124.198.168
http://95.170.139.18
104.194.11.212:81
104.194.11.212:82
walkthroudshareoldgroup.cfd

# Reference: https://www.virustotal.com/gui/file/62715da608f7bb4bdf158669c2af610048a9e77f3adf4b86db7eb8dccc9f7e94/detection

http://45.141.233.90

# Reference: https://x.com/Fact_Finder03/status/1942435828958916716

stealer.gg

# Reference: https://x.com/anyrun_app/status/1942905210294124892
# Reference: https://app.any.run/tasks/7f03cd5b-ad02-4b3a-871f-c31ac0f5dc15/
# Reference: https://www.virustotal.com/gui/file/409947e013b06cd8adc9f34b9f2a0ba11cca37ffc7c476740c73b1d91e6fd00c/detection
# Reference: https://www.virustotal.com/gui/file/03035f1afe0c276243997e4de1c80188208a7d98393c1e6dcbc9800214e5de8f/detection

192.76.28.19:139
192.76.28.19:445

# Reference: https://x.com/ElementalX2/status/1955654890664927343
# Reference: https://app.validin.com/detail?find=9571ade7b5e2bead9f65d946c3627aea&type=hash&ref_id=9916aa2e2ad#tab=host_pairs
# Reference: https://www.virustotal.com/gui/file/2bf42a1d3430586fa3893060685c5dc5053c35f74d9df236fde81085ce7a63ce/detection
# Reference: https://www.virustotal.com/gui/file/aed6529bc656f8efff82a8d10edae738bb62a84cc0aa332ac63367b23b6e3c7f/detection

140.82.16.230:445
140-82-16-230.cprapid.com
bmidrive.pro
integration.click
nkbada.online

# Reference: https://x.com/Fact_Finder03/status/1960946706272432315

keylogger.hicominfo.com

# Reference: https://x.com/suyog41/status/1962425261825130647
# Reference: https://www.virustotal.com/gui/file/6b4f6f922ac903659b7e224f1f422f36914b67ee2f60104e6fa7018a3ec66e47/detection

114.116.227.117:7777

# Reference: https://x.com/malwrhunterteam/status/1965020671165202704
# Reference: https://www.virustotal.com/gui/file/6adc16d1082326285b771f52eb9128089b9cc260b77e45972ec46656244ce7d6/detection

http://107.173.181.149
islacolabs.com
/ahD4pa13ox96/bzuQa84la.php
/ahD4pa13ox96/
/bzuQa84la.php

# Reference: https://x.com/G60930953/status/1965613344834171135
# Reference: https://dmpdump.github.io/posts/AzureFunctionsMalware/
# Reference: https://www.virustotal.com/gui/file/28e85fd3546c8ad6fb2aef37b4372cc4775ea8435687b4e6879e96da5009d60a/detection
# Reference: https://www.virustotal.com/gui/file/184f2a9b1f53cd00e1ea780707fb7ffcffafc2c7df84d11cfdb14f50a89e9f4b/detection

logsapi.azurewebsites.net
hosts.logsapi.azurewebsites.net

# Reference: https://x.com/BlinkzSec/status/1967195702515449967

/cookie_stealer.py
/cookie_stealert.py

# Reference: https://x.com/Officialwhyte22/status/1972537070301360192

193.34.167.88:22
193.34.167.88:2222
cache-logs.ru
cdn.cache-logs.ru

# Generic

/inject-keylogger.exe
/loader0AA004BA90B
/loadermeLMEM8
/loaderrogram
/Stealer/
/StealerLogs/
/stealer_php/
/.steal/
/Token_Stealer.bat
/FormGrabber/
/HistoryStealer/
/rust-stealer-public.exe
/rust-stealer-xss.exe
/Stealer.php
/StealerRegistration.php
