# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: elephantrat, gh0st, pcrat, smanagerrat, winos4

# Reference: https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html

bj6po.a1free9bird.com
beiyeye.401hk.com

# Reference: https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant
# Reference: https://otx.alienvault.com/pulse/5c9900511d123a6d16e75561/
# Reference: https://www.virustotal.com/gui/file/54f62979c8c7637af238093fbf204b1edb16e9ce7ca371f9f62c4039f934cede/detection
# Reference: https://www.virustotal.com/gui/file/d3dfa0f0582818e24caaccdda78c0b0833d30aa97a8ca9c43cacc7fe3bebab67/detection
# Reference: https://www.virustotal.com/gui/file/23414344a6c2afdec92a4679f7947b44498db151dff2822ca7c72d704c6e28e0/detection
# Reference: https://www.virustotal.com/gui/file/beade05902c2bd59b1aafe77e0a043766f5e507ac4024640f17ad1fe7c890d6c/detection
# Reference: https://www.virustotal.com/gui/file/cbd875b7f9516d4662526457c2132f17e4ac4596380202aac105bc3c146ea93a/detection
# Reference: https://www.virustotal.com/gui/file/d4dec64053fa6de0aa85fefd692ce71fb71d3cdd295e7169c8b9b9bd4210b023/detection
# Reference: https://www.virustotal.com/gui/file/ea49fbabc6f69ffc9f93993e3d7d5fe47f743fbdc1cc031557a8595fb1594d94/detection
# Reference: https://www.virustotal.com/gui/file/d4a21390dd9c85fe6f3b41038a4b270de055a30ad6f9500699775e3ae78d7fd1/detection
# Reference: https://www.virustotal.com/gui/file/77722a09b3cc0b17159e27433945548b3e6bd9160d4de4919b02ea6eea671111/detection
# Reference: https://www.virustotal.com/gui/file/8e1c369e8b470c9bad0aee715da300dda9a50db153a025b3c797c219d537bb68/detection
# Reference: https://www.virustotal.com/gui/file/6d79053611e0d0e2f586061636f337d27de51325b24070edefe08af7d9c5006d/detection
# Reference: https://www.virustotal.com/gui/file/88df6448d091acba48dfea761e5360d111f4f50acaf15b4bd2734d81a79ab21b/detection
# Reference: https://www.virustotal.com/gui/file/1f824c7b70667072964e4c08a372305cc78a0833beacad52b3e0d24a84e89065/detection
# Reference: https://www.virustotal.com/gui/file/0caf2987bca2ca7f644c2cb33099950eb8a5aebe03244ddf8de5e6f3fc8bf1cf/detection
# Reference: https://www.virustotal.com/gui/file/45a84d5bb8ce67685504a4409bf4604a500628e454e80ef3f3b832507a4cf855/detection
# Reference: https://www.virustotal.com/gui/file/af8f6c9a5a588e4d61913d54c2ae4fb3de2e50b43f57290b0657b11466a18779/detection
# Reference: https://www.virustotal.com/gui/file/dfe0e061279f0d67ba84bb4f945b0115b20759f6c48a91dd6c09782cb232266e/detection
# Reference: https://www.virustotal.com/gui/file/3b925244721054a15cbb845ba4b617e5c7c46d80ea1c78e7fa5d02bb2069553b/detection
# Reference: https://www.virustotal.com/gui/file/258b70d70b856484b65bdaaf4a5c23efb200b160af0babfb21ccd0679bd09749/detection
# Reference: https://www.virustotal.com/gui/file/d19bf8ad35b8d494e68ca817a324a4eac3d456a527c8963145e438db9c1e6924/detection

106.14.45.61:15963
106.14.45.61:18566
106.14.45.61:19637
106.14.45.61:19931
106.14.45.61:19932
106.14.45.61:19934
106.14.45.61:25553
106.14.45.61:25563
106.14.45.61:29931
106.14.45.61:3654
113.28.187.169:15963
113.28.187.169:18566
113.28.187.169:19931
113.28.187.169:3654
123.129.224.185:15963
123.129.224.185:18882
123.129.224.185:18883
123.129.224.185:19931
123.129.224.185:19932
123.129.224.185:3654
129.28.23.76:81
221.229.207.145:19931
221.229.207.145:3654
221.7.12.156:19637
221.7.12.156:19931
221.7.12.156:19932
221.7.12.156:19934
221.7.12.156:25553
221.7.12.156:25563
221.7.12.156:29931
221.7.12.156:3654
23.101.115.41:18566
23.101.115.41:19931
23.101.115.41:3654
43.229.153.122:19931
43.229.153.122:3654
58.218.66.180:19931
58.218.66.180:3654
60.169.10.86:15963
60.169.10.86:19637
60.169.10.86:19931
60.169.10.86:19934
60.169.10.86:25553
60.169.10.86:25563
60.169.10.86:29931
60.169.10.86:3654
61.147.125.184:19931
61.147.125.184:3654
95.211.102.25:19931
95.211.102.25:3654
mdzz2019.noip.cn
yuankong.info

# Reference: https://twitter.com/lazyactivist192/status/1112449219653193736
# Reference: https://www.virustotal.com/gui/file/f1cd38bbb504b38d115b5c127afa913572cef4233395416b5b08aff5f718cfea/relations

z-hacker-y.win

# Reference: https://twitter.com/Jan0fficial/status/1102912998975434752
# Reference: https://twitter.com/lazyactivist192/status/1168582672752566279
# Reference: https://pastebin.com/D2pUSzcS
# Reference: https://app.any.run/tasks/1837b1d1-a62c-4e1b-9223-b6d40dc32d9f
# Reference: https://www.virustotal.com/gui/file/2fcc9c48d5d8a5c6889ca3302fcaa9f6296a9e36b167526033a0371172ab1693/detection

haohai.hopto.org
ip.yototoo.com
116.196.18.237:8082
122.114.192.241:8082
139.196.209.127:923
183.104.6.120:923

# Reference: https://twitter.com/malware_traffic/status/949057588250865665
# Reference: http://www.malware-traffic-analysis.net/2018/01/04/index.html

etybh.com

# Reference: https://twitter.com/JAMESWT_MHT/status/843829412370046977

45.125.17.15:443

# Reference: https://medium.com/@Sebdraven/chineses-actor-apt-target-ministry-of-justice-vietnamese-14f13cc1c906

nicetiss54.lflink.com

# Reference: https://blog.talosintelligence.com/2019/06/threat-roundup-0607-0614.html (# Win.Trojan.Gh0stRAT-6993126-0)
# Reference: https://otx.alienvault.com/pulse/5d074c94248332bdb80099af

278267882.f3322.org
850967012.f3322.org
a3328657.f3322.org
a678157.oicp.net
cfhx.f3322.org
ddos-cc.vicp.cc
guduyinan.gnway.com
guduyinan.gnway.net
jie0109.hackxd.net
linchen1.3322.org
q727446006.gicp.net
touzi1616.com
xm974192128.3322.org
xueyang22.gicp.net
y927.f3322.org
zy520.f3322.org
sweety2001.dating4you.cn
paleb.no-ip.org
honeypus.rusladies.cn
marina99.ruladies.cn
youwave932.no-ip.biz
x.93ne.com
ns1.helpchecks.at
ns1.helpchecks.by
ns1.helpchecks.com
ns1.helpchecks.eu
ns1.helpchecks.info
ns1.helpcheck1.com
ns1.helpcheck1.net
ns1.helpcheck1.org
mskgh.ddns.net
yeswecan.duckdns.org
sabridz.no-ip.biz
mskhe.ddns.net
karem.no-ip.org
cdn.zry97.com
dmar-ksa.ddns.net
alkhorsan2016.no-ip.biz
amiramir.noip.me
katarinasw.date4you.cn

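# Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0712-0719.html (# Win.Trojan.Gh0stRAT-7059563-0)
# NOTE(review): the bare 'e2.luyouxia.net' entry in this group is the parent of per-host entries elsewhere in this list (e.g. 'labixiaoxin.e2.luyouxia.net'); confirm the parent-level entry is intended, since it is broader than the per-host trails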

79575465.f3322.net
chhacke.win
cx820329965.f3322.net
e2.luyouxia.net
guxiaosen.f3322.net
labixiaoxin.e2.luyouxia.net
mf123.f3322.net
mingyemo.3322.org
yaoyao.f3322.net

# Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0719-0726.html (# Win.Dropper.Gh0stRAT-7073937-0)

1321.f3322.org
254143.f3322.net
53ca.meibu.net
feng12763.3322.org
jwl520.xicp.net
pass.5sfox.com
pzss.f3322.org
pzss.foxdos.cc
separa.f3322.org
wfs2015.f3322.net

# Reference: https://twitter.com/P3pperP0tts/status/1157179581348163584

haohai.ddns.net

# Reference: https://twitter.com/dcTavvy/status/1168906154602373122

154.221.22.25:8080

# Reference: https://twitter.com/killamjr/status/1196089316986032128
# Reference: https://app.any.run/tasks/3d38cda0-3987-49e4-aa1c-d72ecd82e997/

106.54.57.80:8080

# Reference: https://www.virustotal.com/gui/file/89e9b8338dcf5e6fedee17b76dd2416dc83f3e2476f0cea77de9f0fa56754f2c/detection
# Reference: https://www.virustotal.com/gui/file/80b01aa49dd4812b5a4b9d15bc8800c4ee1eeaea6897f6475e00d680771ae703/detection

106.54.57.80:80
106.54.57.80:94

# Reference: https://blog.talosintelligence.com/2019/12/threat-roundup-1129-1206.html (# Win.Dropper.Gh0stRAT-7414189-0)

107.163.241.193:6520
107.163.56.251:6658
host123.zz.am

# Reference: https://twitter.com/pancak3lullz/status/743123575146586112

183.61.165.228:8000
243145432.f3322.org

# Reference: https://twitter.com/securiteoff/status/739622863485931520

qqqq374281.f3322.org

# Reference: https://twitter.com/pancak3lullz/status/739619999334031360

115.239.229.196:8090

# Reference: https://twitter.com/lazyactivist192/status/1214302017981702144

1j5p551644.iok.la

# Reference: https://www.virustotal.com/gui/file/b8d20eeb7bc3ec8451c72b69b4d2defd9c3981be6cc8b6ba6935a1a724e6d041/detection

218.94.148.242:2015
218.94.148.242:2554

# Reference: https://www.virustotal.com/gui/file/c29621bf50fb69d65de52b6e41a590eb6f804359008324936b94b4e7ec59d812/detection

61.142.176.23:2014

# Reference: https://app.any.run/tasks/2624d66e-c37e-4f50-a199-c5eddd8a1cf1/

xilongxi.net
45.138.209.61:8080

# Reference: https://blog.talosintelligence.com/2020/02/threat-roundup-0131-0207.html (# Win.Worm.Gh0stRAT-7571319-1)
# Reference: https://www.virustotal.com/gui/file/c3d1a51bc8f0bd2dca95900d274d575d3d2fd50cdb128f78877d25a5beba7fc9/detection

67.198.149.218:6720
67.198.149.220:8590

# Reference: https://twitter.com/Vishnyak0v/status/1226873846504075264
# Reference: https://www.virustotal.com/gui/file/f96adc9e046ecc6f22d3ba9cfea47a4af75bcba369f454b7a9c8d7ca3d423ac4/detection

192.225.226.217:80

# Reference: https://www.virustotal.com/gui/file/4a7cf906c8cc871176d0702245953eeee5065f9651186cd8ae594e6835b8a8eb/detection

192.225.226.217:8443

# Reference: https://www.virustotal.com/gui/file/ade0514ccb90c39a61ab8a4c16818fbcd352984e2a26b2ffcd92165975e07fd5/detection

192.225.226.217:443
192.225.226.217:53

# Reference: https://app.any.run/tasks/3987798b-6cbe-4236-955e-2413166ef9f9/

137.220.135.36:8000

# Reference: https://app.any.run/tasks/0611a18e-76be-468a-bfc3-d9491b8f9003/

vip38000a.com
30.554205.com

# Reference: https://app.any.run/tasks/12956eb4-d209-4449-9e63-09ee83a64714/

183.236.2.18:8888
haidishijie.3322.org

# Reference: https://twitter.com/wwp96/status/1232326236636090370
# Reference: https://otx.alienvault.com/pulse/5e526a70e6dc03c41340eceb

425rt.rapiddns.ru
ref.tbfull.com

# Reference: https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf
# Reference: https://otx.alienvault.com/pulse/5e5542330b83d1a8b5dc1f27

cloud.newsofnp.com
load.collegesmooch.com
ssl.newsofnp.com

# Reference: https://www.threatcrowd.org/malware.php?md5=55d149450d27b69d3ad00287a9164c02

chdvks88.dns0755.net

# Reference: https://www.virustotal.com/gui/file/60d7cae08475fb78cab77e09df43468cc0f6d2f01f847fc7582f56731672b0e8/detection

101.200.58.177:16233

# Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html (# Win.Trojan.Gh0stRAT-7603864-1)
# Reference: https://www.virustotal.com/gui/ip-address/210.222.25.223/relations
# Reference: https://www.virustotal.com/gui/ip-address/113.214.1.34/relations

113.214.1.34:52
117.78.50.197:333
210.222.25.223:7718
210.222.25.223:7748
cq52.top
w1464642840.f3322.org
xiaoxinzadan.gicp.net

# Reference: https://www.virustotal.com/gui/file/fe4625e54603f5c382ab06f0ed1b231e23cbf5bd84f5c30d62e7978217ccea84/detection

210.222.25.223:8562

# Reference: https://www.virustotal.com/gui/file/a67acdaf14970b6fc528707c959554dc76e3869d4d63001fe4f3862e1ad21a05/detection

107.163.56.243:18963
107.163.56.246:18530

# Reference: https://www.virustotal.com/gui/file/370b81561ce4692c46baaa8f64c06d65dad9f816fdda51261a69bedcf93586b7/detection

107.163.56.250:18963

# Reference: https://www.virustotal.com/gui/file/a0eca39b75b4d86e2d363c3200c5b8e0542da3a94ca0e06294c356fab5a5d1c9/detection

107.163.56.245:18963

# Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0320-0327.html (# Win.Keylogger.Gh0stRAT-7639975-0)
# Reference: https://www.virustotal.com/gui/file/0349a3917f7f5a79f7edb0b0573acefcda39e51db6ff44456e339e88f422c129/detection
# Reference: https://www.virustotal.com/gui/file/4228b03f92fecdd4333d791397ea6dcf109b78ebd518165e5c424028511434da/detection
# Reference: https://www.virustotal.com/gui/file/64e9703811f78071523f5f493b2ea39435dcd405a20f6bc1ee644cb83dfd8917/detection
# Reference: https://www.virustotal.com/gui/file/89346a8fbd4d9fd02887a508c02e4d3a0b1f45dfa43672cf8dff84efef316a3c/detection
# Reference: https://www.virustotal.com/gui/file/5789ece7e834c45289e85ec65358f422b4562635a3a918b18e22ed4a64daddf3/detection
# Reference: https://www.virustotal.com/gui/file/5789ece7e834c45289e85ec65358f422b4562635a3a918b18e22ed4a64daddf3/detection
# Reference: https://www.virustotal.com/gui/file/0f1efaaa2da0908afd3582e9bac7e9542f3acaac422f4d22c0145cd6a7748a73/detection
# Reference: https://www.virustotal.com/gui/file/e7502dfbc56b998b54e0944758b3fe7b2dd55b06043764b1ebf36f280cb92344/detection
# Reference: https://www.virustotal.com/gui/file/c1d7a774961bd01b96e4d8161632af09b97e3a6f85325dfcd08173282cc819b1/detection

106.9.144.132:7777
106.9.146.161:7777
116.62.168.250:24649
123.207.217.39:90
129.28.191.60:8000
129.28.191.60:99
174.128.255.252:8000
183.131.80.101:90
43.248.201.209:27268
49.232.147.19:8080
8686.f3322.net
ccidc.f3322.net
qqqqdddd.e2.luyouxia.net
qyefeng.vicp.net
wzbbk.com

# Reference: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html (# Win.Trojan.Gh0stRAT-7737919-0)

1.93.49.73:2012
104.143.150.115:2012
142.4.97.105:2012
155604.f3322.org
182.91.107.168:2012
192.210.63.230:2012
198.74.98.230:2012
aa7899.f3322.org
j8666.f3322.org
jiuyin.f3322.org
kingsir.6600.org
linlinwoaini.f3322.org
q1299771210.f3322.org
qq0104.gicp.net
songkeliang.eicp.net
vves.3322.org
wuer1985.9966.org
xiaoxiannv.gnway.net
xiaozijun.f3322.org
xyllz.com
yangman520.f3322.net
youlanxiangyin.vicp.cc
yzc110110.meibu.net
zuoyi5201314.5166.info

# Reference: https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html
# Reference: https://otx.alienvault.com/pulse/5edfe5c18832f5af1aaf33e3

45.76.6.149:443
comcleanner.info
mlcrosoft.site

# Reference: https://www.virustotal.com/gui/file/3179a8de034c4547ed9b45898cf60a73816e8b6363e53c7e8aeda0fe17499f1d/detection

103.133.177.250:4563
quasa.ddns.net

# Reference: https://www.virustotal.com/gui/file/68844c9403b2b7357050755b9729b21fd22bb4986b5cbf627685a59413c0e1ab/detection

103.40.101.68:4563

# Reference: https://www.virustotal.com/gui/file/42ee8000ef9f2084b5ecffb1d2ca8889615ec58856785eccab3c8f87c53178ae/detection

43.248.11.151:4243
pclient.ddns.net

# Reference: https://app.any.run/tasks/b584a05c-2f6d-47cf-83e7-657b2e0cf4b1/

http://118.107.47.110
118.107.47.104:8000
118.107.47.104:8001

# Reference: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html (# Win.Packed.Gh0stRAT-9776529-0)
# Reference: https://www.virustotal.com/gui/file/086a43e783b6301d5758f43bce59a71908c7beb9f31afd3c88bde7d89081db6b/detection

122.114.28.118:3522
xmrminer.f3322.net

# Reference: https://app.any.run/tasks/be0fe876-bcf2-4de7-9ff0-9df1935d0e3b/

103.74.173.145:6688
pc.8686dy.com

# Reference: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html (# Win.Dropper.Gh0stRAT-9786931-0)

1x1elma7.xiaomy.net
22i5b37672.51mypc.cn
2313u080t2.imwork.net
232mr66094.iok.la
26k4593i06.51vip.biz
273o4d5660.wicp.vip
27ow345733.wicp.vip
2z213948z7.iask.in
a731940742.gicp.net
y2291815a1.51mypc.cn

# Reference: https://app.any.run/tasks/4d47550f-cc3b-4b49-8af8-0ccad1760a9e/

27.124.10.245:4753
syy.skt-one.com

# Reference: https://twitter.com/wwp96/status/1327897784213794816
# Reference: https://app.any.run/tasks/e5baf985-6f1d-48ac-bcf2-1302d4a3086d/

143.92.57.83:8001
143.92.57.83:8080

# Reference: https://www.virustotal.com/gui/file/99d47a61b580eedd39efa6d6c7fb9d13fa1fca3c9fe628cee0f49f1c8f97e8db/detection

xiaohai2013.f3322.org

# Reference: https://otx.alienvault.com/pulse/5fc0eb77569dc57d9686fb39

graceland777.ddns.net
mitty1.freemyip.com
williamz20.ddns.net

# Reference: https://otx.alienvault.com/pulse/5fc8d47bae040ead5cfc4767

cloudbase-init.pw
compprotect.com

# Reference: https://twitter.com/lazyactivist192/status/1216814092725506049

zjq1993.meibu.com

# Reference: https://twitter.com/_re_fox/status/1238188943587377155
# Reference: https://app.any.run/tasks/f2118744-26c3-4523-8e82-d7203e3bb1e4/

193.203.215.52:2011
online.update--microsoft.com

# Reference: https://www.virustotal.com/gui/file/12d847b384f2aa42db19236178ccd18cf39feb4f18477e48b957816c537d854c/detection

104.149.136.66:2011
mail.update--microsoft.com

# Reference: https://www.virustotal.com/gui/file/b739076d107965600dfdb92536faa8638deb6d0dcfba5fc6e653ec12853c215c/detection

live.korearac.com

# Reference: https://www.virustotal.com/gui/file/4c652657944ba7f09a4dbeff95ea66d69f7d82c3bea44808e0428935c513273b/detection
# Reference: https://www.virustotal.com/gui/file/4ecc8864e91febef66a6efc6538749e29af715f1a61807b78cd25efebe372449/detection

107.175.137.138:59170
211.149.209.11:59170
lijiejie.nat123.cc

# Reference: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html (# Win.Dropper.Gh0stRAT-9800485-0)

53074960.nat123.cc
bqcyyx.com
lht1361828085.3322.org
mingyemo.3322.org
seo.kfj.cc

# Reference: https://www.virustotal.com/gui/file/9b757b63b31061e0b77a31b5706911f223376283ace22140a415203cbe8040e3/detection

35084ea6.nat123.cc

# Reference: https://blog.talosintelligence.com/2020/12/threat-roundup-1204-1211.html (# Win.Dropper.Gh0stRAT-9802375-0)
# Reference: https://www.virustotal.com/gui/file/e347ced607de94a87801a27edc9b3faec0551829dbd78294748d93460e28346c/detection

118.193.233.10:7360
a13932873816.f3322.org
cescmouad.zapto.org

# Reference: https://twitter.com/wwp96/status/1337849110536347650
# Reference: https://app.any.run/tasks/8edcf322-5fba-49ea-a98e-dec554b3d9d0/

202.58.105.174:8000

# Reference: https://twitter.com/wato_dn/status/1356965355650863106
# Reference: https://twitter.com/kienbigmummy/status/1361965176451264517
# Reference: https://app.any.run/tasks/b91747ae-ea86-4875-9cbf-8a2b78487cc1/
# Reference: https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html

103.255.177.138:8080

# Reference: https://www.virustotal.com/gui/file/2fadd1cb04e54811ca3d3538b9833c254a31db8b875a96794d44aa49db3faa60/detection

43.248.201.209:21922
yg484698405.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/dba5987cbe9958bb86bd08eeccdb72999e0327b032821c0b2df4ea5b537c4072/detection

43.248.201.209:29719
xiaok66.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/429cd23868b064297dd5c536ea420152394b2b5210d8b1f6f1802d353759e7a6/detection

43.248.201.209:32520
xiaoren234.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/e407517a144c10e6946082afded7cf7f6afbf4beb4808894fd6b7ac170830a85/detection

43.248.201.209:27140
mmp224460.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/f711c717473bb221b7f39a6f13d2c1aaa9403f7fcc5791dc53c38468efead20d/detection

43.248.201.133:28672
hax0fdafda.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/9eed6ad63fd1688c0e906ef294a1c6f0489cb6356c3736584c12a34ceea0ff0d/detection

43.248.201.133:27731
damm25969.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/09291140c7cd8b73219fa7a95564ec75c54bbfea92dd92cbccfb47c6a7699736/detection

222.186.170.35:29802
zhangjian123.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/23ad910aadc455b38b41446ba7425cb891d00f3791d64c7cf8b2c7b47ddf1fe7/detection

43.248.201.133:2021
yindixiang.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/130a026be6e1c01d23c3a94052db892950dd00cf2195cc7e54d7e3add19f6278/detection

43.248.201.133:21727
fxd9988019.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/0a80a258c199b864b1de65ed260b2cfed02934eb1e51a45e89ae192fb3afa787/detection

43.248.201.133:28316
q3088429300.e1.luyouxia.net

# Reference: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html (# Win.Trojan.Gh0stRAT-9831483-1)

aka.f3322.net
gyxin1314.xicp.net
god_xinghe.f3322.org
ljwser.xicp.net
nt520.f3322.org

# Reference: https://app.any.run/tasks/67e24e08-584b-4cca-a8a1-b1ca12f70e95/

125.65.79.5:5522
103.119.1.139:1987

# Reference: https://twitter.com/wwp96/status/1368417388543180800
# Reference: https://app.any.run/tasks/39d974b3-6fe0-4278-8695-98684eb35c1f/

113.212.91.178:4753
six.skt-one.com

# Reference: https://www.virustotal.com/gui/file/32f2fe76ed68ffaa93baaf3e05ab0cabb058c48a431974e2f8312e2661849a93/detection

45.154.198.168:4753
sy.skt-one.com

# Reference: https://www.virustotal.com/gui/file/91c422b4d9d826ff83ba875f46091c5907b61dcac8a7829ad25aebe181bdc359/detection

45.154.198.160:4753
mm.skt-one.com

# Reference: https://www.virustotal.com/gui/file/fd77950eb7f104dfef6eb7f535a5d324069e8f7fb7cca7057e67e427d248f1ff/detection

202.5.23.125:4753
ss.skt-one.com

# Reference: https://www.virustotal.com/gui/file/90085f7de94a2ca42f3f534d628318854d7dea91d97a4527ca5b3545fe75094b/detection

27.124.10.245:4753
syy.skt-one.com

# Reference: https://www.virustotal.com/gui/file/a99f4c0c9653bb121c9d6875b756203adf3e4d9086f2111e0fe0243355f26e36/detection

73.23.200.124:44579

# Reference: https://www.virustotal.com/gui/file/7f8742297042b4da3914c65c79bec5608eb166fe2034fa054f3d108f7d4f8131/detection
# Reference: https://www.virustotal.com/gui/file/2d26ef7b55e8345369b4e6c184441197304532dcf0557022431e5689fd2e9552/detection

113.212.90.152:4753
113.212.91.215:4753
tmh.skt-one.com

# Reference: https://www.virustotal.com/gui/file/4359b20a9570083d6126fc013d74d5fb65de09a628a287ae291cd3b7335eb5e3/detection
# Reference: https://www.virustotal.com/gui/file/ad101c55122b9bd5be2d5a64d27de50b1826b5908741355e1a28cf38cde79b79/detection
# Reference: https://www.virustotal.com/gui/file/ae90ea48bb6a9501de26f6d2763ead816047dab1bed91e5565c477113c63ddef/detection

103.135.101.189:4753
ax.skt-one.com

# Reference: https://www.virustotal.com/gui/file/2d3d7817dfaf66265cf2db4a3b8a1806394b74530ae36e7d6d3ad0ba95a0606e/detection

27.124.10.245:4753
ssy.skt-one.com

# Reference: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html (# Win.Keylogger.Gh0stRAT-9847918-1)

36ho560717.wicp.vip
cn-xz-bgp.sakurafrp.com
lolsb.cn

# Reference: https://twitter.com/wwp96/status/1385603503998095361
# Reference: https://app.any.run/tasks/8b366bb8-90d3-422c-bf28-c20fad648817/

122.114.68.46:1990
39.103.200.111:14996
qjy888.f3322.net
ref.tbfull.com

# Reference: https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html
# Reference: https://www.virustotal.com/gui/file/55ade218a34f3e727186c9e9c645265f161d7a9b7f55a721ba29e6ef5c3a12da/detection

download.adobe-air.com

# Reference: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html (# Win.Dropper.Gh0stRAT-9871236-0)

gaoshouzaimimang.f3322.org

# Reference: https://twitter.com/wwp96/status/1409713019802710029
# Reference: https://app.any.run/tasks/9de5a384-d5aa-4e56-9ead-6a6e63a3731b/

192.250.240.130:8000

# Reference: https://twitter.com/wwp96/status/1410328605389905923

103.194.104.94:8080

# Reference: https://www.virustotal.com/gui/file/156673535edad847a0bfaa2e3ed0d641b912b7c9704a576c458a968c9d64bb35/detection

160.20.147.36:2019
23.82.19.11:2019
cc.nainainainainainainainainainainai.com

# Reference: https://www.virustotal.com/gui/file/4c244d5aa5e534df85e0e56f4b7816029a9d03f26bbff03c1dbb4fec5366b8a4/detection

160.20.147.36:8888

# Reference: https://blog.talosintelligence.com/2021/07/threat-roundup-0716-0723.html (# Win.Malware.Gh0stRAT-9880225-1)

aaas0000.codns.com
adobeservice.codns.com
gkgk5421.codns.com
gkgk5544.codns.com
gmdals87.codns.com
guswns740.codns.com
sex5844.ddns.net
tmal44.codns.com
wldhr15.codns.com

# Reference: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html (# Win.Trojan.Gh0stRAT-9882928-1)

zxl520.f3322.org

# Reference: https://www.virustotal.com/gui/file/f942f8d6fdc97692ed7f864732f4ef0a91f13116f85b56a651eab059f51e3fca/detection

bodyres.f3322.net
dahuilianglaile.f3322.net

# Reference: https://otx.alienvault.com/pulse/61c708f7de699b6b1d490dcd
# Reference: https://www.virustotal.com/gui/file/b70da60888ac5237fb74c6dd5fcbb4c4c1c0b26ab0ff5709339c629e54167a9a/detection

106.13.228.81:2025

# Reference: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html (# Win.Dropper.Gh0stRAT-9892254-0)

107.183.41.149:3204

# Reference: https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html (# Win.Malware.Gh0stRAT-9893485-1)

qc4.pw
qqqzxc.win
tak9.win
tzzpt.win
wyx146.top

# Reference: https://www.virustotal.com/gui/file/85e4be57ce216b2123ba6ded2d65696bd7d6040ccf63fa7593fe4e2f64869e7a/detection

anonymousdzss.no-ip.biz
anonymousso.no-ip.biz
anonymousuhytsa.no-ip.biz
anonymusblack12.no-ip.biz
anthonycamis.no-ip.biz

# Reference: https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html (# Win.Dropper.Gh0stRAT-9899606-0)

110.34.174.66:8000

# Reference: https://blog.talosintelligence.com/2022/01/threat-roundup-1231-0107.html (# Win.Trojan.Gh0stRAT-9928675-1)

67.198.215.213:3204

# Reference: https://www.virustotal.com/gui/file/000a2ceaa0c6a10dadcece38e9b37f0b4e7adc0bb26936801f330ca1b7b56b1a/detection

107.163.241.197:12354
107.163.241.198:6520

# Reference: https://www.virustotal.com/gui/file/aeba2bd0382eb3e80387fdc5a0182175a50208922d6aab56f090968676e3b32f/detection
# Reference: https://www.virustotal.com/gui/file/c11430593fe348d7d2c6c2b5c38004af815e63c2ac87b1bcc09707499de5c160/detection

107.163.241.194:6520
107.163.241.195:12354

# Reference: https://www.virustotal.com/gui/file/a80c87e032a84b4a1df56f5a882b2da1f1f392208258648748277ddbe2749410/detection

107.163.241.191:16300
107.163.241.192:12354

# Reference: https://www.virustotal.com/gui/file/c2769cf66869f1207b0e1d498f541e66d47ba373306b8ff6728ed5ddaddd83d6/detection

107.163.241.189:12354
107.163.241.190:16300

# Reference: https://www.virustotal.com/gui/file/0debc35d129e03a8c856b14fba71671de04906b2de1546754396c63944a8ef00/detection

107.163.241.187:16300
107.163.241.188:12354

# Reference: https://www.virustotal.com/gui/file/09d56d1c1070532b70d5ea512849d432affe85e7e7a5d120e3c8a308e243b243/detection

107.163.241.185:16300
107.163.241.186:12354

# Reference: https://www.virustotal.com/gui/file/4f131307faa566c5780630e2f58beec65fef4f6e068d0834cdb0f6b99991ff9c/detection

107.163.241.183:16300
107.163.241.184:12354

# Reference: https://www.virustotal.com/gui/file/2b11428f8477dc1ab6e3aeafc8e8a4a749df748225ead91bcba07f946c8eae62/detection

107.163.43.143:12388
107.163.241.181:16300
107.163.241.182:12354

# Reference: https://www.virustotal.com/gui/file/72f947ca4affb5dc522b08c079fec7757412a3616abf333c73295f26e843ceeb/detection

107.163.241.179:16300
107.163.241.180:12354
107.163.56.110:18530

# Reference: https://www.virustotal.com/gui/file/c133d06d32d03a0a315455ecbc5845f242ee244068162fba160b63d614b6fc1c/detection

107.163.241.175:16300
107.163.241.176:12354

# Reference: https://www.virustotal.com/gui/file/04370baf78b59a171007f518b3eb4d5854637f8c036ad7022d078af4abef8980/detection

107.163.241.202:12354
krnaver.com

# Reference: https://twitter.com/honeymoon_ioc/status/1487546093911085070
# Reference: https://twitter.com/vinopaljiri/status/1487653340699844610
# Reference: https://tria.ge/220129-1rwgysaabj/behavioral1
# Reference: https://www.virustotal.com/gui/file/5c07770e22f6b69b150d3b43f2ef2145020f73738d3ba4610932189a0b62927e/detection

185.199.224.169:8145
185.199.224.169:9090
exiles.site

# Reference: http://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html (# Win.Packed.Gh0stRAT-9937867-1)

98.126.40.18:3204

# Reference: https://www.virustotal.com/gui/file/004744315ef2277a8bd1078173fe88080a97a91dbe0e37ff9fdea7701151f191/detection

107.163.56.241:18530
107.163.56.240:18963

# Reference: https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html
# Reference: https://otx.alienvault.com/pulse/615c2a13c152c6c325889282

tftpupdate.ftpserver.biz

# Reference: https://www.virustotal.com/gui/file/4cf08b61835581ebafacd5913eba5d5c743d500c005fe23238650e011ce180f7/detection
# Reference: https://www.virustotal.com/gui/file/7d080b7bcd89791afd112738c5d40af4d41a0ef84dde15a906cad764df8ef20b/detection

http://45.125.218.178
http://45.125.218.179
45.125.218.178:8000
45.125.218.179:8000

# Reference: https://blog.talosintelligence.com/2022/04/threat-roundup-0422-0429.html (# Win.Trojan.Gh0stRAT-9946565-1)

1sf.8800.org
black123.gnway.net
ddos.zhanglianlian.com
hao.2sqj.com
l.emp666.org
one2ada.f3322.org
senlin1996.3322.org
shiyong.8866.org
sszhuan.3322.org
vip.523sew.com
yangzihouyuanhui.6600.org
yplinfo.gnway.net

# Reference: https://twitter.com/1ZRR4H/status/1523791593278345217

154.23.191.157:5896
nishabii.live

# Reference: https://www.virustotal.com/gui/file/28114eb0261850e8d744be4605b506cd2058ca3acd7c2da7387464f038f4c438/detection

223.171.55.127:1999

# Reference: https://tria.ge/220423-hdggrsaha2/behavioral2

144.202.74.176:2012
asd1738402137.f3322.org

# Reference: https://tria.ge/220425-z1573sddd3/behavioral2

3.13.191.225:14136

# Reference: https://tria.ge/220427-bncs1afad6/behavioral2

171.38.77.97:42419
171.38.77.97:42420
171.38.77.97:42421
chaofeng1.f3322.org

# Reference: https://www.virustotal.com/gui/file/d9d1d2c440fffc40d5ac6abeb16bb83cc98267b0130637e54b8e79e22dce87e4/behavior/Microsoft%20Sysinternals

154.23.182.128:8089

# Reference: https://www.virustotal.com/gui/file/cec8082b581df5a734ff3d6c6582c94fa1cb12f08c3bd3390a4c58960dd1de8f/behavior/VirusTotal%20Jujubox

23.224.97.111:5555

# Reference: https://www.virustotal.com/gui/file/f563029f4a88368711eed2b7acbdf244cc865027945407098c3bc7e2e504d2c6/behavior/VirusTotal%20Jujubox

134.175.141.126:2022

# Reference: https://www.virustotal.com/gui/file/39af9d875717c9a93fbe97fdd5f5b5da1d7dbb76cae14fdeeae4556da9827813/behavior/C2AE

216.83.45.203:7500

# Reference: https://www.virustotal.com/gui/file/f75d645400b91e9b1ea1f1f3f4806c1f59b378399684e1a499061b79724a0a68/behavior/Microsoft%20Sysinternals

110.186.58.114:9797

# Reference: https://www.virustotal.com/gui/file/a09ff60f0acaef699dc08ee06aac0bdc9a6ab4c1427b15dace33752ab753f92c/behavior/Microsoft%20Sysinternals

193.218.38.158:8080

# Reference: https://www.virustotal.com/gui/file/95e5988e40f7655cd95b70b5ae927ca25ac8ceb486117bd933fbfabe5456bf3e/behavior/VirusTotal%20Jujubox

43.248.201.133:21328
a798370668.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/a120d80235eccb05e995c3f6d72acf3c89e5b8809a72f366bc01171e40d69608/behavior/Dr.Web%20vxCube

103.194.104.10:8089

# Reference: https://blog.talosintelligence.com/2022/05/threat-roundup-0506-0513.html (# Win.Malware.Gh0stRAT-9949686-0)

1.15.252.63:3339

# Reference: https://blog.talosintelligence.com/2022/05/threat-roundup-0520-0527.html (# Win.Dropper.Gh0stRAT-9950358-1)
# Reference: https://www.virustotal.com/gui/file/05a9987be765d374c21143d6aa92ed0b6405e28bd96291375cf0d28f21a165ec/detection
# Reference: https://www.virustotal.com/gui/file/188328a03eafa8a5ab8e1fcd971e10eacb6fe4428741fb72e8a965cdda850f0d/detection
# Reference: https://www.virustotal.com/gui/file/388d77e4fa716c49dde738b8897b7ed13313a6800155de7d388e59cd23eebab7/detection

154.221.21.125:65004
nianqing.xyz
yckz.5453.top

# Reference: https://www.virustotal.com/gui/file/999e537d3fe2789a074121cee8f83d6858ca7d0baf7b54e6e24ed5f91a231444/detection

47.97.103.217:2012

# Reference: https://twitter.com/r3dbU7z/status/1624977660735528962
# Reference: https://www.virustotal.com/gui/file/12b71b648d7b07fcd01b954e2615e21548e7c818effa5748dfa20fbba08d2ef2/detection

182.92.235.68:1990

# Reference: https://otx.alienvault.com/pulse/63f361ef1a12fc11df419438

lanzuanpay.xyz

# Reference: https://twitter.com/wwp96/status/1627448220182872064
# Reference: https://app.any.run/tasks/33efb5a3-5668-44bb-a98d-e24ee0510a54/

114.96.97.0:1997

# Reference: https://twitter.com/wwp96/status/1630019574816182272
# Reference: https://app.any.run/tasks/8fb9ad39-57dc-444d-88d8-d71ac942cddc/

47.94.241.76:43

# Reference: https://twitter.com/wwp96/status/1630343778367344640
# Reference: https://app.any.run/tasks/93bad3ed-b2d5-4e2a-9c02-f1b8c9c3d889/

58.221.57.142:7777

# Reference: https://twitter.com/wwp96/status/1632152368178659328
# Reference: https://app.any.run/tasks/3bbe3ab0-33d4-4248-bd12-d52d368f804a/

39.109.113.141:7777

# Reference: https://twitter.com/0xToxin/status/1633009525530800131
# Reference: https://app.any.run/tasks/2d6ac745-bdbe-401b-9099-f5d1d5ee63d5/

http://124.220.35.63
103.127.83.43:8225

# Reference: https://twitter.com/JAMESWT_MHT/status/1633019264675241984
# Reference: https://www.virustotal.com/gui/file/05974133505a3e988edff7e6f12db30b978a7b1f222aa180bc37cae4fa235633/detection

124.220.35.63:8880

# Reference: https://www.virustotal.com/gui/file/79a46b45d026b26a52c76fd5729a7dbd43a3c3233300c0624122cd578dd6c0b8/detection

124.220.35.63:8081

# Reference: https://www.virustotal.com/gui/file/cb321addb3a80115ca704ce53d3d395ab9ff994863c8e04ad4e6082def455113/detection

124.220.35.63:8001

# Reference: https://twitter.com/pollo290987/status/1654581586342338560
# Reference: https://www.virustotal.com/gui/file/f1b2416eafb95e5e027569b21e575c5c19c8994b26c5be785c833d18c77488ed/detection

111.92.242.184:2200

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/

http://2.58.64.219
101.132.125.131:8000
101.43.124.250:16823
103.145.86.39:7777
103.145.86.6:7777
103.145.87.50:7777
103.163.46.120:10086
103.193.188.98:8000
103.193.192.90:8000
103.20.193.166:2015
103.21.117.137:7375
103.25.19.32:9735
103.37.1.131:443
103.45.138.180:1369
103.46.128.46:26098
103.99.63.138:8900
104.232.98.28:2222
107.175.50.207:20327
110.249.156.50:9522
110.76.158.75:11024
114.110.198.107:8886
114.110.198.107:8889
114.110.208.215:7747
115.231.218.18:12611
115.236.153.170:11302
115.28.142.7:2433
116.62.165.107:5555
118.121.184.235:8023
118.184.169.48:80
121.4.122.206:37936
123.160.10.39:60756
123.57.186.60:8088
123.99.198.201:12611
125.240.117.220:2221
125.65.79.5:7777
129.211.208.176:8000
13.58.157.220:16180
139.155.178.173:19060
150.242.98.19:29514
154.204.209.197:8008
154.221.18.47:7777
154.221.30.106:7777
154.39.66.37:18443
156.234.127.6:8000
171.38.76.144:42421
175.107.89.72:8287
18.189.106.45:10874
183.105.164.105:10798
183.236.2.18:1031
183.236.2.18:1212
183.236.2.18:12588
183.236.2.18:1300
183.236.2.18:1415
183.236.2.18:17
183.236.2.18:1980
183.236.2.18:1989
183.236.2.18:1994
183.236.2.18:1997
183.236.2.18:2007
183.236.2.18:2011
183.236.2.18:2222
183.236.2.18:2223
183.236.2.18:3565
183.236.2.18:44
183.236.2.18:4821
183.236.2.18:512
183.236.2.18:5408
183.236.2.18:6000
183.236.2.18:61
183.236.2.18:6666
183.236.2.18:7001
183.236.2.18:7308
183.236.2.18:7732
183.236.2.18:7740
183.236.2.18:800
183.236.2.18:8000
183.236.2.18:8001
183.236.2.18:8084
183.236.2.18:81
183.236.2.18:8181
183.236.2.18:83
183.236.2.18:8312
183.236.2.18:8686
183.236.2.18:8786
183.236.2.18:8787
183.236.2.18:9820
202.163.158.147:9735
210.97.234.97:13966
211.173.73.165:2333
219.153.12.4:8786
23.106.215.217:1017
23.225.73.110:8000
23.251.41.162:7777
3.134.125.175:14136
3.134.39.220:14136
3.14.182.203:14136
3.141.177.1:10874
3.142.81.166:16180
3.17.7.232:14136
3.22.30.40:14136
38.181.58.21:8000
38.47.204.154:7777
43.129.192.59:7777
43.142.38.153:8520
43.249.195.178:9595
43.255.241.176:1337
45.153.241.207:1016
47.112.163.50:8086
47.114.98.223:8888
58.138.234.82:9065
58.138.247.121:7745
58.138.247.121:8286
58.138.247.121:8287
58.138.247.121:8288
58.158.177.102:4116
58.221.72.142:7777
61.160.236.44:9015
188s.co
s7.188s.co

# Reference: https://twitter.com/sicehice/status/1689863652122255360
# Reference: https://www.virustotal.com/gui/file/21c3b30041dc16f6fb0fe758c4cd1767e272133ff45dd21aee22506e6d9199aa/detection

193.142.58.208:443
193.142.58.208:8888

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-08-23)

103.145.86.153:6000
88.218.195.109:60601

# Reference: https://threatfox.abuse.ch/ioc/1151937/

82.157.254.217:8000

# Reference: https://threatfox.abuse.ch/ioc/1151949/

123.99.198.201:20973

# Reference: https://threatfox.abuse.ch/ioc/1152213/

115.236.153.170:58669

# Reference: https://threatfox.abuse.ch/ioc/1152289/

115.236.153.181:41719

# Reference: https://threatfox.abuse.ch/ioc/1152321/

60.247.148.188:2023

# Reference: https://threatfox.abuse.ch/ioc/1155822/

115.236.153.170:41719

# Reference: https://twitter.com/naumovax/status/1703765086014152778
# Reference: https://twitter.com/naumovax/status/1704062570510877176
# Reference: https://www.virustotal.com/gui/file/e7eb91b0994a94a22d4a27f9cd85997d4570ffe2e1c02a690930e78486b7d43e/detection
# Reference: https://www.virustotal.com/gui/file/c161bedddebc92c399f6bd8edf0005e3e594c635a2ac6d072a46d4a0232251ec/detection

103.218.0.125:6000
124.222.139.41:6000
163.197.241.150:6000
27.124.3.48:6000
34.92.223.98:6000
38.55.186.235:6000
8.218.169.130:6000

# Reference: https://threatfox.abuse.ch/ioc/1164419/

47.111.82.157:53637

# Reference: https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape
# Reference: https://www.virustotal.com/gui/ip-address/103.59.103.99/relations
# Reference: https://www.virustotal.com/gui/file/2fd76b7c461cfa5d1cbc0a753cc408e9787df2f176407ac4ab7ad99733b44f06/detection
# Reference: https://www.virustotal.com/gui/file/1e792148cee06743f14b0e96d3cc3c2cc81353af5344b61294b64bd56dc35489/detection
# Reference: https://www.virustotal.com/gui/file/43e21ba4a2290cfedfce1acff67f6a14b8020a6a8672165bb8c235ccb8f81e1a/detection
# Reference: https://www.virustotal.com/gui/file/0ac2f42a2e07a6c5fd6e4f1272e714ef98f85ee8150ee705092df4a338aef24a/detection

http://103.145.22.215
http://178.236.42.11
http://27.124.12.21
http://45.119.52.243
103.105.23.34:3368
103.59.103.99:3366
27.124.12.2:3367
bitoke.top
bitokex.top
haoyun2.top
fakaka16.top
kakasone.top
rus3rcqtp.hn-bkt.clouddn.com
/5555/cdyxf.png
/5555/ty.txt
/6700/cdyxf.png
/6700/ty.txt
/7788/cdyxf.png
/7788/ty.txt

# Reference: https://app.any.run/tasks/a7d9af4e-7c0e-4bc1-844a-cef9b3ac3617/

bensonman-1318879887.cos.accelerate.myqcloud.com

# Reference: https://twitter.com/naumovax/status/1711430493822976216
# Reference: https://twitter.com/Jane_0sint/status/1711716833970020835
# Reference: https://app.any.run/tasks/38e0a2e7-fb09-4e3b-8c6a-081821e24a0d/

122.10.15.8:7060
164.88.140.82:7000
27.124.6.64:7700
38.165.9.247:7000
38.6.160.10:7000

# Reference: https://twitter.com/naumovax/status/1712461549494014420
# Reference: https://app.any.run/tasks/4f50dd6b-99a6-4b46-b0ee-40c9eb82ab07/
# Reference: https://www.virustotal.com/gui/file/9ee6e44f1d3444f3d17614273d11cd9e373f7bec152be4de262da9e8a3a07d07/detection

http://134.122.138.2
134.122.138.2:2023

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-10-13)

1.13.249.49:7070
103.148.245.125:999
106.52.216.65:999
106.55.28.59:5688
115.236.153.170:32592
116.63.35.42:12000
121.5.136.143:2012
123.99.198.130:12323
123.99.198.130:12611
124.222.227.63:12345
124.223.199.81:8808
124.248.67.83:12323
124.248.67.83:12611
125.229.22.79:3456
125.229.22.79:3458
144.202.74.176:81
180.97.238.254:8000
202.63.172.122:47779
202.95.8.183:8888
211.101.247.155:8000
222.222.106.47:8008
38.181.20.78:6000
47.111.82.157:42090
51.222.230.191:443
61.147.199.238:8000
85.214.255.25:53

# Reference: https://twitter.com/g0njxa/status/1715081804649046128
# Reference: https://app.any.run/tasks/1246e115-7cd2-4b91-8723-f61bd9bd5b8a/
# Reference: https://www.virustotal.com/gui/file/d565948a3b1b0d86166b62553864a7739284a292cc9c832fddf696bb274f8166/detection

195.130.202.155:450
195.130.202.232:8004

# Reference: https://threatfox.abuse.ch/ioc/1195820/

106.12.126.136:8086

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-11-01)

103.71.154.163:6000
121.22.243.241:47779
121.62.16.112:8000
156.224.27.167:8000
61.147.93.153:999
10-10.telecgram.com
10.cmananan.com
15.cmananan.com
17.cmananan.com
30.cmananan.com
3005.qmananan.com
3009.qmananan.com
3010.qmananan.com
3011.qmananan.com
3012.qmananan.com
3013.qmananan.com
3015.qmananan.com
3016.qmananan.com
4.cmananan.com
482e6192z0.goho.co
6.cmananan.com
6x514937w5.goho.co
6xj.telegramh.net
7001.aadaa1.cc
7002.aadaa1.cc
7003.aadaa1.cc
792c682w73.goho.co
a2.aadaa1.cc
aadaa1.cc
chao1323301.e1.luyouxia.net
cmananan.com
hdalulnc.e3.luyouxia.net
hei.xjbtv.com
hk.yunpingbao.com
kekn.asselst.com
knight114.e1.luyouxia.net
kyy1010.e1.luyouxia.net
lfh520.e1.luyouxia.net
lfh521.e1.luyouxia.net
lyh111.e3.luyouxia.net
nmslcnmsb1.e2.luyouxia.net
nzh995188.e2.luyouxia.net
op114514.e1.luyouxia.net
player1.e3.luyouxia.net
qmananan.com
rere.e3.luyouxia.net
sccwangluo.asselst.com
shaoshuai3.top
shengfutong-pay.com
t1492261251.e1.luyouxia.net
telecgram.com
telegramh.net
vb147258.e1.luyouxia.net
wangchenchao.e1.luyouxia.net
xy1.youjucan.com
zhj08.e2.luyouxia.net
zhodaji.com

# Reference: https://threatfox.abuse.ch/ioc/1198075/
# Reference: https://www.virustotal.com/gui/ip-address/20.96.151.88/detection

http://20.96.151.88

# Reference: https://www.virustotal.com/gui/ip-address/51.222.230.191/relations

http://51.222.230.191
51.222.230.191:443

# Reference: https://www.virustotal.com/gui/ip-address/146.59.220.235/relations

http://146.59.220.235
146.59.220.235:443

# Reference: https://www.virustotal.com/gui/ip-address/54.38.116.47/relations

http://54.38.116.47
54.38.116.47:443

# Reference: https://threatfox.abuse.ch/ioc/1199251/

http://211.149.226.68

# Reference: https://www.virustotal.com/gui/ip-address/184.73.185.248/detection

184.73.185.248:443

# Reference: https://www.virustotal.com/gui/ip-address/94.191.187.105/detection

http://94.191.187.105

# Reference: https://www.virustotal.com/gui/ip-address/46.32.37.132/detection

http://46.32.37.132

# Reference: https://www.virustotal.com/gui/ip-address/213.179.32.9/detection

http://213.179.32.9

# Reference: https://www.virustotal.com/gui/ip-address/222.190.108.207/detection

222.190.108.207:443

# Reference: https://www.virustotal.com/gui/ip-address/109.190.79.33/detection

http://109.190.79.33

# Reference: https://www.virustotal.com/gui/ip-address/149.210.20.118/detection

149.210.20.118:443

# Reference: https://www.virustotal.com/gui/ip-address/163.44.43.131/detection

http://163.44.43.131
163.44.43.131:443

# Reference: https://www.virustotal.com/gui/ip-address/180.184.71.135/detection

http://180.184.71.135

# Reference: https://www.virustotal.com/gui/ip-address/180.184.71.135/community

http://180.184.71.135
180.184.71.135:443

# Reference: https://www.virustotal.com/gui/ip-address/52.61.168.199/community

http://52.61.168.199

# Reference: https://www.virustotal.com/gui/ip-address/87.26.121.156/community

http://87.26.121.156

# Reference: https://www.virustotal.com/gui/ip-address/37.255.148.139/detection

http://37.255.148.139
37.255.148.139:443

# Reference: https://www.virustotal.com/gui/ip-address/149.210.4.170/community

149.210.4.170:443

# Reference: https://www.virustotal.com/gui/ip-address/220.90.135.156/community

220.90.135.156:443

# Reference: https://www.virustotal.com/gui/ip-address/149.210.74.229/community

149.210.74.229:443

# Reference: https://www.virustotal.com/gui/ip-address/114.35.162.47/community

http://114.35.162.47

# Reference: https://www.virustotal.com/gui/ip-address/54.233.162.122/community

http://54.233.162.122

# Reference: https://threatfox.abuse.ch/ioc/1204672/

43.248.137.153:8000

# Reference: https://threatfox.abuse.ch/ioc/1206321/

47.92.53.65:13155

# Reference: https://threatfox.abuse.ch/ioc/1206537/

yy3088429300.e2.luyouxia.net

# Reference: https://twitter.com/naumovax/status/1730567945862995981
# Reference: https://tria.ge/231125-paex4aba7y/behavioral1
# Reference: https://tria.ge/231127-snxxlshd37/behavioral1

103.216.155.149:44156
192.252.181.27:13150
xingxing.asselst.com

# Reference: https://www.virustotal.com/gui/ip-address/100.20.96.2/relations

http://100.20.96.2

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-12-10)

103.165.81.82:10086
103.45.128.143:8000
104.37.185.125:6543
107.151.244.80:6000
134.122.135.75:8000
134.122.135.81:8000
143.92.40.173:6108
149.88.73.191:8000
154.23.141.34:8000
154.55.135.102:6666
154.55.135.102:8888
163.181.92.82:1688
206.233.128.72:8899
43.136.78.18:8000
dlink.host
gettimi.top
book.cookielive.top
new.gettimi.top
q3472884397.e2.luyouxia.net

# Reference: https://twitter.com/naumovax/status/1734225709994803206
# Reference: https://tria.ge/231204-mefdbaae3w
# Reference: https://www.virustotal.com/gui/file/e847385dc200a5a101344a0912de4766cbd97aedfd7f4fa3a0c69e39025fd2fa/detection
# Reference: https://www.virustotal.com/gui/file/e1e94dd9014aa9707605fbde38d2e3753dc8b23da507344d45416ba9583da31e/detection
# Reference: https://www.virustotal.com/gui/file/9883f7808137667b448dbb4ce94c7202af626f4e34e021b581173e666ac6d8c8/detection

http://1.14.71.246
1.14.25.37:1443
1.14.25.37:1444
139.186.228.218:443

# Reference: https://www.virustotal.com/gui/ip-address/89.247.50.50/community

http://89.247.50.50

# Reference: https://www.virustotal.com/gui/ip-address/89.247.50.206/community

http://89.247.50.206

# Reference: https://twitter.com/naumovax/status/1738198104996774145
# Reference: https://www.virustotal.com/gui/ip-address/202.63.172.17/relations
# Reference: https://tria.ge/231212-kwqjhaabgj/behavioral2
# Reference: https://www.virustotal.com/gui/file/bf5a41c08bbc65bac437d651c7334a8ea6c2113a6fa20c817a1c5623124da047/detection

202.63.172.17:27100

# Reference: https://tria.ge/231205-qkdnfsbe87/behavioral1
# Reference: https://twitter.com/naumovax/status/1740305905990971642

http://38.54.25.23
http://49.129.12.59
1.14.70.108:8668
103.207.166.117:13842
206.238.199.226:8668
206.238.221.105:8668
38.60.204.65:53261
45.112.206.130:18496

# Reference: https://www.virustotal.com/gui/ip-address/18.136.0.29/community

http://18.136.0.29

# Reference: https://www.virustotal.com/gui/ip-address/106.38.221.252/relations

http://106.38.221.252

# Reference: https://www.virustotal.com/gui/ip-address/18.170.11.119/relations

http://18.170.11.119

# Reference: https://www.virustotal.com/gui/ip-address/34.211.241.194/community

http://34.211.241.194

# Reference: https://www.virustotal.com/gui/ip-address/83.22.228.184/community

http://83.22.228.184

# Reference: https://twitter.com/ShanHolo/status/1746848612120744282
# Reference: https://www.virustotal.com/gui/file/3a33ee8017eeb09a4e9d416370172d49691ddf1d2e2c9388de53a4816b78d25a/detection

http://45.150.67.155
http://64.176.37.64
http://8.219.91.175
http://80.92.205.55
45.150.67.155:443
64.176.37.64:443
8.219.91.175:443
80.92.205.55:443

# Reference: https://www.virustotal.com/gui/ip-address/54.200.228.98/community

http://54.200.228.98

# Reference: https://threatfox.abuse.ch/ioc/1231443/

129.204.53.10:8081

# Reference: https://www.virustotal.com/gui/ip-address/89.247.50.125/community

http://89.247.50.125

# Reference: https://www.virustotal.com/gui/ip-address/217.31.202.98/community

http://217.31.202.98

# Reference: https://www.virustotal.com/gui/ip-address/13.245.184.253/community

http://13.245.184.253

# Reference: https://www.virustotal.com/gui/ip-address/188.127.24.220/community

http://188.127.24.220

# Reference: https://www.virustotal.com/gui/ip-address/89.247.50.191/community

http://89.247.50.191

# Reference: https://www.virustotal.com/gui/ip-address/100.21.141.96/community

http://100.21.141.96

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2024-03-24)

http://175.203.14.166
http://221.159.15.231
1.92.90.232:8000
110.42.102.82:6688
111.67.195.90:6000
115.231.218.42:14363
123.99.198.201:20064
124.248.69.29:14363
156.236.72.163:8000
175.24.197.196:8001
18.158.249.75:14210
18.192.31.165:14210
198.44.174.170:10086
198.44.174.232:10086
216.83.40.187:7777
3.124.142.205:14210
3.125.223.134:14210
42.237.24.42:7899
42.237.25.52:7899
43.248.129.152:8000
8.130.11.62:8000
54412.e3.luyouxia.net
66ddjkr.e3.luyouxia.net
ad2916985983.e2.luyouxia.net
asjidoaiosdjo.e3.luyouxia.net
cn-he-plc-2.openfrp.top
fdsfhkjf.e3.luyouxia.net
gx121.e1.luyouxia.net
hfs666.top
i.wanna.see.20242525.xyz
kx5555.e3.luyouxia.net
latiao.ddns.net
996m2m2.top
xc091221.e2.luyouxia.net
xiaoyuwudi.e3.luyouxia.net
zxyhwww.top

# Reference: https://twitter.com/RacWatchin8872/status/1787150297049027027
# Reference: https://www.virustotal.com/gui/file/0b997cf73baa61d852212bd26044cbaaf5e7e366553043bc10b6d17f20d2df96/detection

http://60.204.249.34
60.204.249.34:8000

# Reference: https://twitter.com/naumovax/status/1787433507536384139
# Reference: https://tria.ge/240402-bd4hzaca7x/behavioral2
# Reference: https://www.virustotal.com/gui/file/fdf08d6b2e7283f7317a2a32a6ef8665d9e0f7c346c59867be407892bb165cb6/detection

154.12.85.161:3020

# Reference: https://x.com/ShanHolo/status/1792835827464282545
# Reference: https://www.virustotal.com/gui/file/677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f/detection

103.214.23.195:42534
119.81.27.109:42534
se1f.cc
dgz.se1f.cc

# Reference: https://www.virustotal.com/gui/file/6c01c1ddc969faaede15958721a1eab7cd4f79009235bde37b4087968be805f7/detection
# Reference: https://www.virustotal.com/gui/file/7e239cdc3d9598732c711475fb81f9ec40668668b9f20db60e4a7f5a68f723c3/detection

119.81.125.20:2082
148.66.129.146:2082
211.20.120.161:2082
51.79.160.233:2082
serv.se1f.cc
serv1.se1f.cc

# Reference: https://www.virustotal.com/gui/file/68fc0e714bd7982ac3e2cbfd00a4362f6a4daffe1be6a0efaa632064b7981a20/detection

103.147.186.4:2082
148.66.129.146:2082
works01.se1f.cc
works02.se1f.cc

# Reference: https://www.virustotal.com/gui/file/651fe4b8be23c8c42db4b85e69cef5a7bd5694476a49ea88d9c9ec93575ab398/detection

dl.se1f.cc
dow.se1f.cc
downer.se1f.cc

# Reference: https://x.com/SBousseaden/status/1795166821030543649
# Reference: https://www.virustotal.com/gui/file/8b24e43d325a556c6797cc7753f6a555d47b0c7f24bad99b2009baf8a0796065/detection
# Reference: https://www.virustotal.com/gui/file/7d5961b64d45bd62968eca15f2811c7aa1df243dcc57e5aafdf4de2f4f47c9c3/detection
# Reference: https://www.virustotal.com/gui/file/5d6539defb2a24752445dd1c4a3698253f7199e1a0c27af7c4feb7130809d6a9/detection

http://198.176.59.144
154.19.70.72:443
195.130.202.48:449
195.130.202.52:35
206.119.117.209:8001

# Reference: https://x.com/burp_heart/status/1799455219543404633
# Reference: https://www.virustotal.com/gui/file/a4b25c7a464cabbedef80a704ec8c7cd84a98073b055ddc42f2fb5b7d81ff250/detection

146.19.100.7:8000
154.201.91.59:44557

# Reference: https://www.virustotal.com/gui/file/39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc/detection

123.249.25.73:5653

# Reference: https://www.virustotal.com/gui/file/4997ad5623cd3aba8ad80c894482b69a3b5d51669bf6d02e5f393e4e1ecb6da1/detection

123.249.25.73:7830

# Reference: https://asec.ahnlab.com/ko/67509/

http://121.204.249.123
121.204.249.123:8077
154.201.87.185:999
164.155.205.99:999

# Reference: https://x.com/lontze7/status/1808764061288395023

http://122.51.183.116
122.51.183.116:443

# Reference: https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure

147.50.253.109:44119

# Reference: https://x.com/malwrhunterteam/status/1813892619170418949
# Reference: https://www.virustotal.com/gui/file/8fe382f79d4834a4dbc9abda1681a77187c08c087b704f9a5ad8af50f128c2ce/detection

http://206.238.196.148
206.238.196.148:6666

# Reference: https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat
# Reference: https://github.com/esThreatIntelligence/iocs/blob/main/Gh0stGambit_Gh0stRAT/Gh0stGambit_Gh0stRAT.txt

http://104.143.46.143
http://104.143.47.226
http://154.23.179.113
http://38.181.34.153
http://38.181.34.182
http://38.181.34.219
http://38.181.34.72
http://38.181.35.129
http://38.181.35.71
1683.org
asj658g.cyou
bb6575.cyou
bbnhh.icu
bngcp.icu
hzj66.vip
mk65yui45876.cyou
mm6695.cyou
nnnjkj.bond
pplilv.top
pplilvbest.cyou

# Reference: https://www.virustotal.com/gui/file/db4d47190376d2bd3f2a00c7433ddba94a3a09db4148a99aa920b92642f0aee9/detection

156.247.32.199:6666
156.247.32.199:8080
fadale.cc

# Reference: https://x.com/malwrhunterteam/status/1820498954104209643
# Reference: https://www.virustotal.com/gui/file/f0c3c3aff910d8790469b522a37c27a8bf084c70003aa94e4d4e153f9a9f47e3/detection
# Reference: https://www.virustotal.com/gui/file/38d506ff86e4fa113a7cfce2d8834be9769e5c6ec1c68bdc29428a052058cc69/detection

http://206.119.117.61
103.145.86.153:6666
43.156.96.21:8080
qaqbba.com
qaqbba.top

# Reference: https://www.virustotal.com/gui/file/a7bdd967748664c18c128920641d73669af8f9ad81c013f64d7709deeae6a78f/detection

benson-1318162842.cos.accelerate.myqcloud.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2024-08-18)

http://122.51.35.39
http://122.9.69.40
http://60.204.235.186
1.92.90.232:8080
103.158.37.147:443
103.44.246.66:8000
103.71.152.68:1000
115.231.218.42:10299
117.24.12.243:8888
12123das.f3322.net
122.199.186.108:6215
122.9.69.40:8000
123.99.198.130:10299
124.222.81.240:81
124.248.69.14:14363
12512.e3.luyouxia.net
137.220.137.85:24818
154.12.93.14:1153
154.12.93.14:13855
154.91.90.216:6666
171.38.43.209:42421
183.131.85.64:14363
202.63.172.119:47779
202.63.172.120:47779
206.233.240.70:5808
206.238.199.35:6000
206.238.220.206:7777
206.238.43.211:6666
24365426.e3.luyouxia.net
27.25.156.47:8000
36.212.238.69:8000
43.139.48.143:1450
47.111.82.157:14352
47.115.207.251:8006
47.120.59.37:6161
60.205.132.75:13155
62.234.90.4:8000
8.210.206.52:1725
8.210.22.92:6000
8.217.223.172:6000
U22.zgwl.eu.org
aiac.f3322.net
bj.caobibibi.com
honchengkeji.f3322.net
jjjj7371.e1.luyouxia.net
kinh.xmcxmr.com
microsoftel.com
newyk5.e3.luyouxia.net
nnmz.e3.luyouxia.net
q596110.3322.org
sy12311.e3.luyouxia.net
twrata.com
xisafjasfjip.u1.luyouxia.net
zhangkedong.u1.luyouxia.net
zxww.e3.luyouxia.net

# Reference: https://x.com/malwrhunterteam/status/1829810337350025447
# Reference: https://www.virustotal.com/gui/file/e05826b2375f069043fa220f92b8ae2dafa2f798930bfb56ca86251b6cbb7fc6/detection
# Reference: https://www.virustotal.com/gui/file/d1f4e345dbdb06016b682f5dd2ff9dc4f2206059e4b8b7baa9d7745b1ff2a5ae/detection
# Reference: https://www.virustotal.com/gui/file/c8d76cbe86dcbe77f983e85107c2a6f7367e3d0e82c8bf2b8fd1801da67d675c/detection
# Reference: https://www.virustotal.com/gui/file/2eee70c3f0da076439e680bd576302e073f71e9175952c1d8259b216762fc627/detection

103.158.36.181:8000
104.233.187.200:3000

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2024-09-22)

http://124.221.28.167
http://140.143.203.107
http://143.92.58.218
101.17.46.79:11631
103.199.101.81:1000
103.73.161.186:8080
115.230.124.27:7317
115.230.124.27:9026
116.62.193.113:222
221.10.93.196:2499
221.10.93.196:2500
27.155.132.108:23801
27.156.64.174:23801
27.156.64.88:23801
27.25.148.152:8080
8.146.204.76:8000

# Reference: https://x.com/RakeshKrish12/status/1851147705600315772
# Reference: https://www.virustotal.com/gui/file/d202ed020ed8e36bd8a0f5b571a19d386c12abecb2a28c989d50bbf92c78f54e/detection

121.182.174.27:3000
121.196.49.217:12358

# Reference: https://x.com/malwrhunterteam/status/1834902728633446807
# Reference: https://www.fortinet.com/blog/threat-research/threat-campaign-spreads-winos4-through-game-application
# Reference: https://www.virustotal.com/gui/file/c9817d415d34ea3ae07094dae818ffe8e3fb1d5bcb13eb0e65fd361b7859eda7/detection

ad59t82g.com

# Reference: https://x.com/malwrhunterteam/status/1859303181760557356
# Reference: https://www.virustotal.com/gui/file/9ce9057feff7a9e9c750eae2ab2e50a004e5a7beff471de7b2dc28a41b34bf6b/detection

8.210.144.166:443
boss.google.tw.cn

# Reference: https://x.com/banthisguy9349/status/1869370981737025813

aadww3.cc
nbdsnb2.top
qqdcc4.cc
yydsnb1.top
26.cmananan.com
a11.nbdsnb2.top
a11.yydsnb1.top
a15.nbdsnb2.top
a15.yydsnb1.top
a16.nbdsnb2.top
a16.yydsnb1.top
a17.aadww3.cc
a18.nbdsnb2.top
a18.yydsnb1.top
a3.nbdsnb2.top
a3.yydsnb1.top
a31.aadww3.cc
a31.qqdcc4.cc
a34.aadww3.cc
a34.qqdcc4.cc
a37.aadww3.cc
a37.qqdcc4.cc
a4.nbdsnb2.top
a4.yydsnb1.top
a40.aadww3.cc
a40.qqdcc4.cc
a5.aadww3.cc
a5.qqdcc4.cc
a11xxx1.oss-cn-hongkong.aliyuncs.com
a12xxx1.oss-cn-hongkong.aliyuncs.com
a15aaa1.oss-cn-hongkong.aliyuncs.com
a16eea1.oss-cn-hongkong.aliyuncs.com
a17rrr1.oss-cn-hongkong.aliyuncs.com
a18qqq1.oss-cn-hongkong.aliyuncs.com
a19ccc1.oss-cn-hongkong.aliyuncs.com
a23uuu1.oss-cn-hongkong.aliyuncs.com
a26bbb1.oss-cn-hongkong.aliyuncs.com
bbbitcoin.oss-cn-hongkong.aliyuncs.com

# Reference: https://x.com/x86rax/status/1871305149525938305
# Reference: https://www.virustotal.com/gui/file/2e8018f36f3e682f8c8f407448cb2c41e639707c251ae5877090d61286143ba4/detection

http://122.130.170.45
119.91.100.85:3510
us2.host.skybad.top

# Reference: https://x.com/James_inthe_box/status/1882526324834939379
# Reference: https://app.any.run/tasks/365f8969-106d-4fa0-8587-7d2593731a67

zlonline.oss-cn-shenzhen.aliyuncs.com

# Reference: https://x.com/skocherhan/status/1883288235507609768
# Reference: https://www.virustotal.com/gui/file/933d328fc61efbcf04430715d2c746c6a59290c8834d2eb40c40de7e448fa7b6/detection
# Reference: https://www.virustotal.com/gui/file/791d966495c683a455b24217ff94cab0dc3aeeb75ebffb5bfd134129e14550bb/detection
# Reference: https://www.virustotal.com/gui/file/f5674b7c5d6cc7fd5461ae27dbd573b428bac7cecb241b91d7271e42a11be9bd/detection

47.243.63.150:45
8.217.47.21:45
shunlilaicai.com
star1ine.com
wenxincehua.top
asi.wenxincehua.top
zhlc.star1ine.com

# Reference: https://x.com/skocherhan/status/1883296818718810416
# Reference: https://app.validin.com/detail?find=Telegram%E4%B8%AD%E6%96%87%E7%89%88-telegram%E4%B8%8B%E8%BD%BD-%E7%BA%B8%E9%A3%9E%E6%9C%BA%E4%B8%AD%E6%96%87%E7%89%88-Telegram%E5%AE%98%E7%BD%91%E4%B8%8B%E8%BD%BD&type=raw&ref_id=9efa793ea0a#tab=host_pairs (# 2025-01-26)
# Reference: https://www.virustotal.com/gui/file/12c887d191db87b8afd9dd3eb433b389b01ff8e0ba1b3a113ff25a2fae0ca61c/detection
# Reference: https://www.virustotal.com/gui/file/00a6efec3220a1d05cdff01e1d1c93efb03302863142d2b23b883bb47541adc4/detection

154.19.85.71:54
dirtelegram.com
telegrai.com
telegram-zh.cn
telegram0.com
telegram2.com
telegrames.org
telegramla.com
telegramo.cn
telegramrcn.org
telegramrm.org
telegramsit.com
telegramtee.com
telegramvs.com
telegramxx.com
telegramxx.org
telegramza.org
telegramzi.org
telegrarcn.com
telegrarm.org
telegrarnm.org
telegrasm.com
telegrm.net
telegrmce.org
telegrmea.org
telegrom.net
telegrpm.org
telegrrem.org
telegrrram.org
tnlegram.org
tplegram.org
adminuser.telegrm.net
bossex.app.tw.cn
free.down.tw
s1.star1ine.com
web.telegrpm.org
ww1.telegram0.com

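# Reference: https://app.validin.com/detail?type=ip&find=38.55.144.167#tab=resolutions (# 2025-01-25)
# Note: the entries below come from the passive-DNS resolution history of a single IP address as of the date above, and no sample reference is listed for this group. Domains that have since moved, or that only shared the host, can produce false positives, so re-validate them before using them for blocking rather than alerting.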

0ray.cn
0xvpn.com
21vpn.com
29vpn.com
365vpn.net
520vpn.com
91ajs.vip
91vpn.net
92ajs.com
aiduo.cc
aiduotv.cc
aijiasu.me
ajs91.cn
ajs91.com
ajsapp.net
ajsk.net
ajsvpn.cc
ajsvpn.cn
aladdinvpn.com
androvpn.com
bestvpnsfor.com
cccvpn.com
cdnzj.com
cpjackvpn.com
cppotentvpn.com
cpvpnish.com
cxvpn.com
d-quick.com
divpn.com
downquick.com
exepressvpn.com
expressovpn.com
fesvpn.com
fjvpn.com
fkvpn.com
fqvpn.com
fxvpn.org
got-vpn.net
grammassecret.com
hidedown.com
hotelegram.com
htavpn.com
hxvpn.com
ipv6vpn.cn
isvpn.net
jackvpn.com
jdjsq.com
jisuvpn.com
jsgvpn.com
jsqfgs.com
juavpn.com
koproxy.com
kris.r2vpn.com
krvpn.com
kuailianvpns.com
lavpn.com
letsiovpn.com
letssvpn.icu
mayivpn.com
mvvpn.cn
neekvpn.com
nodeskvpn.com
notracevpn.com
okwallet.cn
opnevpn.com
opnvpn.org
opvpn.icu
potatoz.cn
potentvpn.com
poxyvpn.com
protonvvpn.com
q-vpn.com
qqvpn.com
quickqvpn.cyou
quickqvpn.icu
quickqvpn.me
quickqvpn.org
quickqvpn.top
quickqvpn.vip
quickvpn.net
r2vpn.com
sbvpn.com
starlinkvpn.cn
starlinkvpn.org
stylevpn.com
sulianvpn.com
surfsharkvpnapp.com
szquick.com
t-elegram.org
te-legram.org
telegra.vip
telegramle.com
telegramreg.net
telegran.org.cn
telegrp.com
telegrzm.com
teolegram.org
ticvpn.com
tipvpn.com
tntvpn.com
top10vpnservices.com
top2vpn.com
topcvpn.com
traneasy.org
trc.tw
trelegram.com
tzvpn.com
udunclod.com
umsvpn.com
unixvpn.com
v4vpn.com
visvpn.com
vitevpn.com
vpn-web.com
vpn11.cn
vpn169.com
vpn6.cn
vpncc.com
vpndoor.com
vpne.net
vpngg.com
vpngogogo.com
vpngrade.com
vpnh.cn
vpnhike.com
vpnic.com
vpnier.com
vpnint.com
vpnish.com
vpnkkk.com
vpnla.com
vpnlily.com
vpnnvs.cn
vpnprotego.com
vpnr.net
vpntx.com
vpnwc.com
vpnzh.com
vvvvpn.com
vxsvpn.com
weixiaovpn.com
whasapp.cn
whatsappd.com
whm.odvpn.com
whovpn.net
whstsaapp.com
whsvpn.com
wthasapp.cn
xhj-vpn.cn
xhj-vpn.com
xhjvpn.net
xiaohuojianvpn.org
xnvpn.com
xpvpn.net
xxnet.org
yaklang.org
yasvpn.net
yesvpn.net
yfcdn.com

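# Reference: https://app.validin.com/detail?find=38.55.144.81&type=ip4&ref_id=9d1bcc0d7a3#tab=resolutions
# Note: the entries below come from the passive-DNS resolution history of a single IP address; no snapshot date or sample reference is recorded for this group. Treat them as infrastructure-association indicators and re-validate them before using them for blocking rather than alerting.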

88vpn.com
app.tw.cn
chvpn.com
obaby.net
odvpn.com
rsvpn.com

# Reference: https://x.com/skocherhan/status/1891381443399455029

http://69.165.65.24
69.165.65.24:8888

# Reference: https://x.com/malwrhunterteam/status/1892634169131356453
# Reference: https://www.virustotal.com/gui/file/b415eb69ca677ae41546bc7ff4b854ddc7b016cec1cc48b06b8669d5bc68d0bd/detection

27.124.17.49:4433
palaeentomology.s3.ap-east-1.amazonaws.com

# Reference: https://x.com/malwrhunterteam/status/1894137699990126853
# Reference: https://www.virustotal.com/gui/file/d29ba6bda577edd6a77e4c5e1c416b06d0c5e853af9a9c47c667f7ac2489ed12/detection

103.214.172.100:6745
td49t43g.com

# Reference: https://www.virustotal.com/gui/file/d025ce0fb9c6da7a80fa56cac8814f5a2c2a91fa208d38de86cf81b9eec4ad1b/detection
# Reference: https://www.virustotal.com/gui/file/bf201c1e5cd4898342b13f9adb4445ca10e0327376621ca1ac87bebbcb01a87a/detection
# Reference: https://www.virustotal.com/gui/file/4acf6fb040a622ed812ef184d965fe47395b57b85c2e566803a9c3a1ec5ed94b/detection

27.124.17.74:45
mi.ai89.me

# Reference: https://x.com/malwrhunterteam/status/1894518639035908148
# Reference: https://www.virustotal.com/gui/file/12ab07d75352c3c9d6b37175201b718fa8d754b6835f4692192559c811d39c98/detection

202.95.14.88:45
xcrsiss.icu
xcr.xcrsiss.icu

# Reference: https://x.com/malwrhunterteam/status/1905747239148122288
# Reference: https://www.virustotal.com/gui/file/455b4ba2fd6cee2144dd48a10a76c4bfd09a16de45033c512c2bcb9fab16c1c8/detection

154.82.85.30:45
mlcrosoft.cyou
xtssiss.icu
xt.xtssiss.icu
zhxt.mlcrosoft.cyou

# Reference: https://x.com/malwrhunterteam/status/1894810293357752435
# Reference: https://www.virustotal.com/gui/file/f471453cb4e6ff3ac0008cb15968e90caad2669bc107aa125034bd13ec33f634/detection

118.107.44.62:45
tuiguang168.top

# Reference: https://x.com/malwrhunterteam/status/1895416061178290521
# Reference: https://www.virustotal.com/gui/file/1f846658ba4a5328ca5c40d4d2018153e5a0c22612699b1f494e73773126cdf6/detection

154.82.84.154:45
xyssiss.icu
xy.xyssiss.icu

# Reference: https://x.com/malwrhunterteam/status/1895900110602846333
# Reference: https://www.virustotal.com/gui/file/c32554488f4f8bec19e32dd0d4e99ba2f0b8b36f7b7a51f07dc2b45c702d70f7/detection

206.238.115.18:6666
206.238.115.18:8888

# Reference: https://x.com/malwrhunterteam/status/1896558624509710803
# Reference: https://www.virustotal.com/gui/ip-address/47.243.64.137/relations
# Reference: https://www.virustotal.com/gui/file/82b44f0050e56f53f97bb95aa4ad9135422ca8948ff6b42b16ddac0bdfc0a6ce/detection

http://23.226.57.52
23.226.57.52:45
jinpaikeji338.top
jinpaisere.buzz
jksrszzx.top

# Reference: https://x.com/skocherhan/status/1896828031609741508
# Reference: https://www.virustotal.com/gui/file/fb54f1b9742bc5822b05437cc0b2dc64ddfa13a7546007621094d089d6fe96f2/detection

134.122.207.6:1080

# Reference: https://x.com/malwrhunterteam/status/1896864217460052352
# Reference: https://www.virustotal.com/gui/file/696a183a93ed8385b22afc8f428f8bf3eae535b085449d5603cef71658cfa491/detection

121.43.60.1:5252

# Reference: https://x.com/malwrhunterteam/status/1898084767830065500
# Reference: https://www.virustotal.com/gui/file/27704918683ead37ff245087d68d92c68a7a6228aa30b25c92ea4f9d23319713/detection
# Reference: https://www.virustotal.com/gui/file/4ca8ad80a83623177db3e8ed40ef7a8fe7371a764f1a3110745251d8ee60009a/detection

47.86.104.84:45
yossiss.icu
yo.yossiss.icu
googge1-1335747301.cos.ap-hongkong.myqcloud.com

# Reference: https://x.com/malwrhunterteam/status/1900590487431455025
# Reference: https://www.virustotal.com/gui/file/f34d4205c53455854899f755ad75e3014e57b9c5221e687494f7403d30bc9f4c/detection

206.238.115.224:4433
telegram--www.com

# Reference: https://x.com/malwrhunterteam/status/1900648279899029945
# Reference: https://www.virustotal.com/gui/file/d391016b69bd9b8f23412c16538e1527948375212014af88eb0be28738b5d6cb/detection

192.238.134.101:7777
8010.helloqu.com
homekitchenthings.com
matearestobar.com
iahdixoc.homekitchenthings.com

# Reference: https://x.com/malwrhunterteam/status/1901591934709232117
# Reference: https://www.virustotal.com/gui/file/7d02195796b79bbc59f0e1ba543f31df2cfbd40cc171bc29a0289d579fc0c200/detection

8.217.85.20:27955

# Reference: https://x.com/malwrhunterteam/status/1903079916150620405
# Reference: https://x.com/malwrhunterteam/status/1921900948001083765
# Reference: https://www.virustotal.com/gui/file/349b54f136e63904ed5a1b3921d8744d3815592690f9167aedd3ead075ced9a4/detection
# Reference: https://www.virustotal.com/gui/file/d8655cb920dff79d3fc2006247925cf66c198595ed3e496218a5b24c2bb1080f/detection

103.156.24.15:9918
43.224.224.15:9918
micro-windows.info
ggt-9918.micro-windows.info

# Reference: https://x.com/Unit42_Intel/status/1902754112988471537
# Reference: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-19-IOCs-for-Chinese-Language-trojanized-installers.txt

103.181.134.138:8080
deep-seek.app
deep-seek.art
deep-seek.asia
deep-seek.band
deep-seek.bar
deep-seek.bio
deep-seek.biz
deep-seek.blog
deep-seek.bond
deep-seek.bot
deep-seek.cfd
deep-seek.chat
deep-seek.click
deep-seek.cloud
deep-seek.club
deep-seek.cyou
deep-seek.dev
deep-seek.fan
deep-seek.fit
deep-seek.fun
deep-seek.fyi
deep-seek.group
deep-seek.help
deep-seek.icu
deep-seek.info
deep-seek.ink
deep-seek.lat
deep-seek.life
deep-seek.link
deep-seek.live
deep-seek.love
deep-seek.ltd
deep-seek.net
deep-seek.one
deep-seek.org
deep-seek.plus
deep-seek.pro
deep-seek.qpon
deep-seek.rest
deep-seek.run
deep-seek.sale
deep-seek.sbs
deep-seek.shop
deep-seek.site
deep-seek.store
deep-seek.team
deep-seek.tech
deep-seek.top
deep-seek.uno
deep-seek.video
deep-seek.wang
deep-seek.wiki
deep-seek.work
deep-seek.world
deep-seek.xin
deep-seek.xyz
i4toolsearch.vip
i4toolssaana.top
i4toolssaand.top
i4toolssaanf.top
i4toolssaang.top
i4toolssaanh.top
i4toolssaanj.top
i4toolssaank.top
i4toolssaanl.top
i4toolssaanq.top
i4toolssaans.top
i4toolssaasa.top
i4toolssaasd.top
i4toolssaasf.top
i4toolssaasg.top
i4toolssaash.top
i4toolssaasj.top
i4toolssaask.top
i4toolssaasl.top
i4toolssaasm.top
i4toolssaasn.top
i4toolssaave.top
i4toolssaavi.top
i4toolssaavo.top
i4toolssaavp.top
i4toolssaavq.top
i4toolssaavr.top
i4toolssaavt.top
i4toolssaavu.top
i4toolssaavw.top
i4toolssaavy.top
i4toolssaaxa.top
i4toolssaaxd.top
i4toolssaaxf.top
i4toolssaaxg.top
i4toolssaaxh.top
i4toolssaaxj.top
i4toolssaaxk.top
i4toolssaaxl.top
i4toolssaaxs.top
i4toolssaaxz.top
i4toolssaaze.top
i4toolssaazi.top
i4toolssaazo.top
i4toolssaazp.top
i4toolssaazq.top
i4toolssaazr.top
i4toolssaazt.top
i4toolssaazu.top
i4toolssaazw.top
i4toolssaazy.top
i4toolssddna.top
i4toolssddnd.top
i4toolssddnf.top
i4toolssddng.top
i4toolssddnh.top
i4toolssddnj.top
i4toolssddnk.top
i4toolssddnl.top
i4toolssddnq.top
i4toolssddns.top
i4toolssddsa.top
i4toolssddsd.top
i4toolssddsf.top
i4toolssddsg.top
i4toolssddsh.top
i4toolssddsj.top
i4toolssddsk.top
i4toolssddsl.top
i4toolssddsm.top
i4toolssddsn.top
i4toolssddve.top
i4toolssddvi.top
i4toolssddvo.top
i4toolssddvp.top
i4toolssddvq.top
i4toolssddvr.top
i4toolssddvt.top
i4toolssddvu.top
i4toolssddvw.top
i4toolssddvy.top
i4toolssddxa.top
i4toolssddxd.top
i4toolssddxf.top
i4toolssddxg.top
i4toolssddxh.top
i4toolssddxj.top
i4toolssddxk.top
i4toolssddxl.top
i4toolssddxs.top
i4toolssddxz.top
i4toolssddze.top
i4toolssddzi.top
i4toolssddzo.top
i4toolssddzp.top
i4toolssddzq.top
i4toolssddzr.top
i4toolssddzt.top
i4toolssddzu.top
i4toolssddzw.top
i4toolssddzy.top
i4toolssffna.top
i4toolssffnd.top
i4toolssffnf.top
i4toolssffng.top
i4toolssffnh.top
i4toolssffnj.top
i4toolssffnk.top
i4toolssffnl.top
i4toolssffnq.top
i4toolssffns.top
i4toolssffsa.top
i4toolssffsd.top
i4toolssffsf.top
i4toolssffsg.top
i4toolssffsh.top
i4toolssffsj.top
i4toolssffsk.top
i4toolssffsl.top
i4toolssffsm.top
i4toolssffsn.top
i4toolssffve.top
i4toolssffvi.top
i4toolssffvo.top
i4toolssffvp.top
i4toolssffvq.top
i4toolssffvr.top
i4toolssffvt.top
i4toolssffvu.top
i4toolssffvw.top
i4toolssffvy.top
i4toolssffxa.top
i4toolssffxd.top
i4toolssffxf.top
i4toolssffxg.top
i4toolssffxh.top
i4toolssffxj.top
i4toolssffxk.top
i4toolssffxl.top
i4toolssffxs.top
i4toolssffxz.top
i4toolssffze.top
i4toolssffzi.top
i4toolssffzo.top
i4toolssffzp.top
i4toolssffzq.top
i4toolssffzr.top
i4toolssffzt.top
i4toolssffzu.top
i4toolssffzw.top
i4toolssffzy.top
i4toolssggna.top
i4toolssggnd.top
i4toolssggnf.top
i4toolssggng.top
i4toolssggnh.top
i4toolssggnj.top
i4toolssggnk.top
i4toolssggnl.top
i4toolssggnq.top
i4toolssggns.top
i4toolssggsa.top
i4toolssggsd.top
i4toolssggsf.top
i4toolssggsg.top
i4toolssggsh.top
i4toolssggsj.top
i4toolssggsk.top
i4toolssggsl.top
i4toolssggsm.top
i4toolssggsn.top
i4toolssggve.top
i4toolssggvi.top
i4toolssggvo.top
i4toolssggvp.top
i4toolssggvq.top
i4toolssggvr.top
i4toolssggvt.top
i4toolssggvu.top
i4toolssggvw.top
i4toolssggvy.top
i4toolssggxa.top
i4toolssggxd.top
i4toolssggxf.top
i4toolssggxg.top
i4toolssggxh.top
i4toolssggxj.top
i4toolssggxk.top
i4toolssggxl.top
i4toolssggxs.top
i4toolssggxz.top
i4toolssggze.top
i4toolssggzi.top
i4toolssggzo.top
i4toolssggzp.top
i4toolssggzq.top
i4toolssggzr.top
i4toolssggzt.top
i4toolssggzu.top
i4toolssggzw.top
i4toolssggzy.top
i4toolsshhna.top
i4toolsshhnd.top
i4toolsshhnf.top
i4toolsshhng.top
i4toolsshhnh.top
i4toolsshhnj.top
i4toolsshhnk.top
i4toolsshhnl.top
i4toolsshhnq.top
i4toolsshhns.top
i4toolsshhsa.top
i4toolsshhsd.top
i4toolsshhsf.top
i4toolsshhsg.top
i4toolsshhsh.top
i4toolsshhsj.top
i4toolsshhsk.top
i4toolsshhsl.top
i4toolsshhsm.top
i4toolsshhsn.top
i4toolsshhve.top
i4toolsshhvi.top
i4toolsshhvo.top
i4toolsshhvp.top
i4toolsshhvq.top
i4toolsshhvr.top
i4toolsshhvt.top
i4toolsshhvu.top
i4toolsshhvw.top
i4toolsshhvy.top
i4toolsshhxa.top
i4toolsshhxd.top
i4toolsshhxf.top
i4toolsshhxg.top
i4toolsshhxh.top
i4toolsshhxj.top
i4toolsshhxk.top
i4toolsshhxl.top
i4toolsshhxs.top
i4toolsshhxz.top
i4toolsshhze.top
i4toolsshhzi.top
i4toolsshhzo.top
i4toolsshhzp.top
i4toolsshhzq.top
i4toolsshhzr.top
i4toolsshhzt.top
i4toolsshhzu.top
i4toolsshhzw.top
i4toolsshhzy.top
i4toolssjjna.top
i4toolssjjnd.top
i4toolssjjnf.top
i4toolssjjng.top
i4toolssjjnh.top
i4toolssjjnj.top
i4toolssjjnk.top
i4toolssjjnl.top
i4toolssjjnq.top
i4toolssjjns.top
i4toolssjjsa.top
i4toolssjjsd.top
i4toolssjjsf.top
i4toolssjjsg.top
i4toolssjjsh.top
i4toolssjjsj.top
i4toolssjjsk.top
i4toolssjjsl.top
i4toolssjjsm.top
i4toolssjjsn.top
i4toolssjjve.top
i4toolssjjvi.top
i4toolssjjvo.top
i4toolssjjvp.top
i4toolssjjvq.top
i4toolssjjvr.top
i4toolssjjvt.top
i4toolssjjvu.top
i4toolssjjvw.top
i4toolssjjvy.top
i4toolssjjxa.top
i4toolssjjxd.top
i4toolssjjxf.top
i4toolssjjxg.top
i4toolssjjxh.top
i4toolssjjxj.top
i4toolssjjxk.top
i4toolssjjxl.top
i4toolssjjxs.top
i4toolssjjxz.top
i4toolssjjze.top
i4toolssjjzi.top
i4toolssjjzo.top
i4toolssjjzp.top
i4toolssjjzq.top
i4toolssjjzr.top
i4toolssjjzt.top
i4toolssjjzu.top
i4toolssjjzw.top
i4toolssjjzy.top
xiaobaituziha.com
xiazailianjieoss.com
youdaohhna.top
youdaohhnd.top
youdaohhnf.top
youdaohhng.top
youdaohhnh.top
youdaohhnj.top
youdaohhnk.top
youdaohhsa.top
youdaohhsd.top
youdaohhsf.top
youdaohhsg.top
youdaohhsh.top
youdaohhsj.top
youdaohhsk.top
youdaohhve.top
youdaohhvi.top
youdaohhxa.top
youdaohhxd.top
youdaohhxf.top
youdaohhxg.top
youdaohhxh.top
youdaohhxj.top
youdaohhxk.top
youdaohhze.top
youdaohhzi.top
fs-im-kefu.7moor-fs1.com

# Reference: https://x.com/malwrhunterteam/status/1904143434098557373
# Reference: https://www.virustotal.com/gui/file/779ca615925a9a6a4db8f9b0f7b50c149ffbbb60a7832520b2f4257a5a7d6199/detection
# Reference: https://www.virustotal.com/gui/file/fac8d4e726208cb64b70e61a538c4567c4c1e467d4d1fc329a109315594c9004/detection

47.86.28.28:10861
47.86.28.28:10862
47.86.28.28:18852
47.86.28.28:18853
47.86.28.28:8852

# Reference: https://x.com/malwrhunterteam/status/1905736742168326303
# Reference: https://www.virustotal.com/gui/file/b560f76f7603e3ec88a874085f15499ec043917d93e306b3b0fb7a913b54f287/detection

118.107.46.162:5650
liuddiase1li.com
mee333.com
zhanas1fa32.com
a87.mee333.com
a88.mee333.com
a99.mee333.com
api.mee333.com
lc.liuddiase1li.com
lc.zhanas1fa32.com

# Reference: https://x.com/Jane_0sint/status/1907491246341501368
# Reference: https://www.virustotal.com/gui/file/528049345279a58dc71a5c3aca9cfdb3b9d4b92dd998979f9e631bb0681e1b2a/detection
# Reference: https://www.virustotal.com/gui/file/c00b5e1626215154c153fb4fe6c9ddf89cbd34528ad9e63cf032ed9763a62dc6/detection

http://103.148.186.142
http://195.130.202.44
http://206.119.117.165
103.148.186.142:16660
195.130.202.44:16123
206.119.117.165:16123
haoandwei.xyz
apiv3.haoandwei.xyz
bloges.haoandwei.xyz
info.haoandwei.xyz

# Reference: https://x.com/malwrhunterteam/status/1907156909800448265
# Reference: https://www.virustotal.com/gui/file/ca05f31b3e84f5607514d50e78e50a2af90a6b745b1466879031475c1c9bfdc6/detection

104.143.33.39:45
mlcrosoft.bond
telegramzw.org
boss.telegramzw.org
zzhy.mlcrosoft.bond

# Reference: https://www.virustotal.com/gui/file/946e6e1b31fa15a9d1bec79aa9d2b525536c6d2f8fad48dc8685cb915e96eea0/detection

47.238.66.85:7777
helloqu.com
8008.helloqu.com

# Reference: https://www.virustotal.com/gui/file/782da477d93b6be61b926b97ad2eeaf025718ab762962be3d3a7ef01c3bd01eb/detection

206.238.115.149:7777
8009.helloqu.com

# Reference: https://x.com/malwrhunterteam/status/1909601624969855075
# Reference: https://www.virustotal.com/gui/file/f81b621991e38e4c33bb0b2dc966d3c45c806b38686730f79cc270e245c89da5/detection

202.95.8.53:45
kksiss.icu
ku.kksiss.icu
lets-1348336590.cos.ap-hongkong.myqcloud.com
zhkunk.mlcrosoft.cyou

# Reference: https://x.com/malwrhunterteam/status/1909883117713707305
# Reference: https://www.virustotal.com/gui/file/bbd68e2e5e172b7ab3131fab87eb3c25542a935f99279bf05f1d35a7214ba04a/detection

43.230.171.42:45
cassiss.icu
ca.cassiss.icu
zhca.mlcrosoft.cyou

# Reference: https://x.com/malwrhunterteam/status/1910078946525225390
# Reference: https://www.virustotal.com/gui/file/db15f45f69f863510986fb2198a8a6b3d55d8ccc8a2ed4bb30bc27bdd1bf151c/detection
# Reference: https://www.virustotal.com/gui/file/748a23a108733fcaddf6f0ce646cbd44ea229c6bd7358410aba8557e3649416c/detection
# Reference: https://www.virustotal.com/gui/file/2cc26e957de0679d49066d03672b2a03bf672125df5fe0bdb10628731b163b7c/detection

206.238.115.207:16888
206.238.115.207:18088
206.238.115.207:443
sanyww10.com
no207.sanyww10.com

# Reference: https://x.com/AzakaSekai_/status/1910908257759367241
# Reference: https://github.com/Still34/malware-lab/tree/main/reworkshop/2025-04-12

line-china.com
tendernesss.com
ucsenta.com
yythender.com
api.tendernesss.com
api.ucsenta.com
api.yythender.com

# Reference: https://x.com/malwrhunterteam/status/1912059681930948747
# Reference: https://www.virustotal.com/gui/file/8a0b1bf8ef261c836a4aff04beffd1f74c8d54f7d7c92eb994f573b73d8dded0/detection

8.210.169.221:45
lpnsiss.icu
lpn.lpnsiss.icu
kuailian0001.cdn.bcebos.com

# Reference: https://x.com/malwrhunterteam/status/1912416512452727124
# Reference: https://www.virustotal.com/gui/file/bcb3a39d7339370a539ad601944eec205515df3411f6a38654ccdf257f87d45c/detection

192.238.129.9:7777
ldxwpedf.cn
td.ldxwpedf.cn

# Reference: https://x.com/malwrhunterteam/status/1912803759383588964
# Reference: https://www.virustotal.com/gui/file/087a4d732b26237cdf561bc1148162209739074fd47e2465831b68d3fa15fd2c/detection

8.217.221.239:45
t7a8t1xr.com
am.t7a8t1xr.com
pub-cde06bcbe3a3479296fa21daf4bb5af3.r2.dev
zham.mlcrosoft.cyou

# Reference: https://x.com/malwrhunterteam/status/1912840893205275102
# Reference: https://www.virustotal.com/gui/file/6b73b97249d860414a6974ac7496d734bf9b58076d5b0f2d91a59dd619284d7a/detection

154.55.135.69:45
xcfsiss.icu
xxfc.xcfsiss.icu
zhxfc.mlcrosoft.cyou

# Reference: https://x.com/malwrhunterteam/status/1912920263118745678
# Reference: https://www.virustotal.com/gui/file/6fb67dee97abfe8fdac607b64f5c660000f37b938f1cd1a844b81c7d478b827d/detection

118.107.40.62:45
dz7.mlcrosoft.bond

# Reference: https://x.com/malwrhunterteam/status/1913357644494000161
# Reference: https://www.virustotal.com/gui/file/a6dcb1ed5ae73227811a88e26db992f13fbc95aa2e94b6a35fa97071ba440f8a/detection

ksdcks.org
xk1.ksdcks.org

# Reference: https://x.com/anylink20240604/status/1913319908274037213
# Reference: https://www.virustotal.com/gui/ip-address/143.92.32.224/relations
# Reference: https://www.virustotal.com/gui/file/3d70d7c48fc0254fdd1b43be74bbd6a30f681803f4a81d84bf200cd02ccbe1b7/detection
# Reference: https://www.virustotal.com/gui/file/3a8d9826d898938c91867af2b389fb7108d4c685001d7a365f662b633c24149c/detection
# Reference: https://www.virustotal.com/gui/file/d616ca15bdb81ab90f1a93e09767eb254a2a264adc81d23eecf6d5f68d7bb0f1/detection

143.92.32.224:45
202.79.173.107:45
2015baofu.top
msksxym.top
yulanfan.top
chrome.yulanfan.top
hk.msksxym.top
hr.2015baofu.top
nmw.2015baofu.top

# Reference: https://x.com/malwrhunterteam/status/1914257799330099468
# Reference: https://www.virustotal.com/gui/file/b0fa846e8dfc50a7557a55ad8a65f8263927467b7111c49d56e47eaf403ace42/detection

38.46.10.130:54
bossex.trc.tw
s1.mlcrosoft.bond

# Reference: https://x.com/malwrhunterteam/status/1914405186686345265
# Reference: https://www.virustotal.com/gui/file/7d7c2c4e0db8b36c944e13607243fece8dfd6c6ae437c8eda9a91a632f3408ec/detection

192.238.128.204:45
gtrsiss.icu
gtr.gtrsiss.icu
gtrx.mlcrosoft.cyou

# Reference: https://x.com/malwrhunterteam/status/1914403113802387921
# Reference: https://www.virustotal.com/gui/file/98b20d90bd1366766b2f8c0d7334fcfb67e7a14456c595ce6e268a824dd3b533/detection

189.1.243.84:45
gah566w6wefbhawo.top
tuiguang168.top
tl2.mlcrosoft.bond

# Reference: https://x.com/malwrhunterteam/status/1914605676417974357
# Reference: https://www.virustotal.com/gui/file/b317d54c684f06347b97475a41e2ba64cc98b3b8571109169c30d40c3f3a3929/detection
# Reference: https://www.virustotal.com/gui/file/8f76e210f1a41698b08767d4a2c867edb8c5bd748fb55886c6fc5d7a2d184336/detection
# Reference: https://www.virustotal.com/gui/file/276d223fc902039f0ee24160c846c7a30b4894beebe0a8cbb36712a216ce1edf/detection

23.133.4.98:10443
23.133.4.98:4433

# Reference: https://x.com/malwrhunterteam/status/1915030381683773696
# Reference: https://www.virustotal.com/gui/file/f5e6efaae52ab1650d92d5f7ac9dbbf76b43f5fabef5171663ec817d4ec53899/detection
# Reference: https://www.virustotal.com/gui/file/b40e66fb3cf48d9ddbad2a98eff614da3be5cf83f3272130332ad90583c0eacb/detection

154.82.92.185:33360
154.82.92.185:442
/api/d/e58948

# Reference: https://x.com/malwrhunterteam/status/1915345171606065318
# Reference: https://www.virustotal.com/gui/file/c7e6a88d4fddc3cc873a1ebd6ed37199a0a41e031b9b80e98a1ac990c4416467/detection

8.213.213.32:6010
8.213.213.32:6020
601019.xyz
10.601019.xyz

# Reference: https://x.com/malwrhunterteam/status/1915431720314171533
# Reference: https://www.virustotal.com/gui/file/57dc5c86afdc7864ea3725e8b41ef02519a160fe2312d4fefbbc42bb1323b84e/detection

156.251.16.74:442
/api/d/vfkakr

# Reference: https://x.com/malwrhunterteam/status/1915866710747582508
# Reference: https://www.virustotal.com/gui/file/5757cd3364e6efd97c21e0d903c16f010d1d594d5a712dd383efbec596296ce6/detection

154.91.64.236:442

# Reference: https://x.com/malwrhunterteam/status/1915866258391941261
# Reference: https://www.virustotal.com/gui/ip-address/47.76.121.113/relations
# Reference: https://www.virustotal.com/gui/file/3b9bb6e7a819e1a1c1f944a414becd049cdbdedaad6b77e3fa4a2cf07cdfa05d/detection

43.154.105.244:442
ajsdg.com
klasdg.com
pasdhx.com
pgryd.group
ppashdg.com

# Reference: https://x.com/malwrhunterteam/status/1916239542417330646
# Reference: https://www.virustotal.com/gui/file/a565b9d60415fdaf100044c7cddb232a5422003c7edf656e6314c3e934c56b07/detection

23.133.4.4:6666
23.133.4.4:7777

# Reference: https://x.com/malwrhunterteam/status/1917178513322320288
# Reference: https://www.virustotal.com/gui/file/87ba75fa5bf4e0e8df441e1252ca66c42cde87741aae212095395befcde063cc/detection

154.91.90.72:45
xcsiss.icu
xc.xcsiss.icu
zhxc.mlcrosoft.cyou

# Reference: https://x.com/malwrhunterteam/status/1917546155535393062
# Reference: https://www.virustotal.com/gui/ip-address/216.250.105.98/relations
# Reference: https://www.virustotal.com/gui/file/336f12dc8d280cb9e860daf51ee661f3dcaa0826e4d7d09e35014dc0b64d8466/detection

154.211.90.30:442
swcx001.cn
swcxoas.cn
swleoas.cn

# Reference: https://x.com/malwrhunterteam/status/1917682539835122064
# Reference: https://www.virustotal.com/gui/file/a00da4373d0607eea9cd3008a8284ff31b38f8ae4751778db0666f2ad8667f9e/detection
# Reference: https://www.virustotal.com/gui/file/2ed53b3936a60537abce947d3f6e2e058579a57ef834c29097e62f6843de4f12/detection
# Reference: https://www.virustotal.com/gui/file/2e9837cdac825f524dce0ae37db418e7c537f0f382c6804e25acf4a05c869793/detection

45.192.217.152:10443
45.192.217.152:4433

# Reference: https://x.com/malwrhunterteam/status/1918419478536167670
# Reference: https://www.virustotal.com/gui/file/bca88b1473cf1524a4facea3ba7f5e6d33653d98dadc9408a9734785fe15f7cd/detection
# Reference: https://www.virustotal.com/gui/file/9a1bcac81e4501f71c6781ff7e7025a637f7d0948c98ce27e5d24d9d4398ef7a/detection

154.91.90.224:6688
uuulai.icu

# Reference: https://x.com/malwrhunterteam/status/1919380522809036949
# Reference: https://www.virustotal.com/gui/file/1ef2d5cce9011e45574e9f9acab4d4bedd2c0dbcab40d65c62dad2b6a5f642ac/detection

http://110.173.50.42
110.173.50.42:443
bbd333.s3.ap-southeast-1.amazonaws.com

# Reference: https://x.com/malwrhunterteam/status/1920051665442419177
# Reference: https://www.virustotal.com/gui/file/18332eb2631bdc0d2f1c3636da1458c7bcb3b56cdff4b19b13c772983bc90bd8/detection

43.99.244.219:443
xk2.ksdcks.org

# Reference: https://x.com/malwrhunterteam/status/1920081092226306311
# Reference: https://www.virustotal.com/gui/file/fce03ce264669a264220d2bc0101b64773225fce363be5534efe79cf22f0aa8b/detection

206.238.115.163:954
ghergfdg-1352644795.cos.ap-shanghai.myqcloud.com

# Reference: https://x.com/malwrhunterteam/status/1920057943665283284
# Reference: https://www.virustotal.com/gui/file/3adb80969574bcab2511b3b1632fc4dfa41b90c6c2fb4acea6c944c80218df63/detection

47.86.161.22:45
aotssiss.icu
apt.aotssiss.icu
zhatm.mlcrosoft.cyou

# Reference: https://x.com/malwrhunterteam/status/1920056940840751611
# Reference: https://www.virustotal.com/gui/file/c740d973b33f6c7e9fe570f27f4a55b2f72da4584c0e1dd7a80c52f3300d5951/detection

43.132.216.81:635

# Reference: https://x.com/skocherhan/status/1920875472298102876
# Reference: https://www.virustotal.com/gui/file/af8b6ac45918bc87d2a164fae888dab6e623327cba7c2409e4d0ef1dde8d1793/detection

27.124.45.228:45
fcssiss.icu
xfc.fcssiss.icu

# Reference: https://x.com/malwrhunterteam/status/1921895566927081583
# Reference: https://www.virustotal.com/gui/file/b9af67d7123d30401ffdcb7c7c2b60a180806523dfed0501611728504d9bf4a7/detection

23.133.4.102:27982
flyingforest.sbs

# Reference: https://x.com/malwrhunterteam/status/1921929648637718807

jobkorea.3gaofax.com

# Reference: https://x.com/smica83/status/1922256883340963993
# Reference: https://www.joesandbox.com/analysis/1688869#iocs

202.79.172.16:8880

# Reference: https://www.virustotal.com/gui/file/20ac793388397dc77290a489a76b7ebe295beee954d1e1ae2588674d488f4186/detection

38.46.13.82:27997

# Reference: https://x.com/malwrhunterteam/status/1921898499622248531
# Reference: https://www.virustotal.com/gui/file/1e2a4152efe0d82eb31f95097d77e60f60458f87e01d6abdf99bbc83ff71b19d/detection

118.107.46.23:27979

# Reference: https://x.com/malwrhunterteam/status/1922758554882027699
# Reference: https://x.com/malwrhunterteam/status/1927352162125832236
# Reference: https://www.virustotal.com/gui/file/f210615ed4dbc36a530a82fb76d074c7e61e9cebd0c887dde85fddd0b49cc3fb/detection
# Reference: https://www.virustotal.com/gui/file/5e4aa8db1fb8cf7462a91f5d606de0dd72ada74864e51e16ee904101d902c9e4/detection

preech.top
hm.preech.top
masike.preech.top
masike2.preech.top

# Reference: https://x.com/malwrhunterteam/status/1923292905424179672
# Reference: https://www.virustotal.com/gui/file/139466a8596fe3e2f172b28e5a7437a400fba6c5b6d85d83359101ed68e95a5f/detection

8.210.193.196:7777
fvsrchps.cn
dsh.fvsrchps.cn

# Reference: https://www.virustotal.com/gui/file/a231625c0dd26c9a28cc1ffd3aa3b62472a56b261f55efe2c0cac70afb73b651/detection

47.83.164.89:7777
nbpmmkrb.cn
wps.nbpmmkrb.cn

# Reference: https://x.com/malwrhunterteam/status/1924568228069589476
# Reference: https://www.virustotal.com/gui/file/a46b53ba2a6ece79628fd5e5bc401b21a13d01b30eb33bc31319a4a06b086282/detection
# Reference: https://www.virustotal.com/gui/file/543e3044bda967e91175cfdf925c8f6e7907999b62af1b7e0c4f3b32a7b81bff/detection

156.245.27.224:443

# Reference: https://x.com/malwrhunterteam/status/1925147096207810972
# Reference: https://www.virustotal.com/gui/file/e5aa061d3a3f2ccfd348e7b67889c776ce062657999bd4edb9386379e1f4f60c/detection

23.133.4.5:10443
23.133.4.5:4433

# Reference: https://x.com/skocherhan/status/1926556842492150221
# Reference: https://www.virustotal.com/gui/file/a5c6338b23af21cdcf5d04c6fc30d29983abcb8111ed8c9729ce36e09a8ad81f/detection

http://27.124.21.204
27.124.21.204:443

# Reference: https://app.validin.com/detail?find=%7B%7Btitle%7D%7D-%E5%85%8D%E8%B4%B9%E7%94%B5%E8%84%91%E8%BD%AF%E4%BB%B6%E4%B8%8B%E8%BD%BD%20&type=raw&ref_id=e2b7b0c08f4#tab=host_pairs (# 2025-05-25)

acmdkr.cn
aidahai.wenxinwl.top
bmga.fgttdf.cn
bmgg.fgttdf.cn
bmgs.fgttdf.cn
cdhove.cn
chrome.gxfclb.xin
chsr.podlwf.cn
dfys.djkfkv.cn
djkfkv.cn
dkhf.yjkkld.cn
dkhn.ghyufo.cn
dkkd.ejfiwf.cn
efwreh.cn
ehfhnc.cn
ejfiwf.cn
fgttdf.cn
fy1.wenxinwl.top
fy2.wenxinwl.top
fy3.wenxinwl.top
fy4.wenxinwl.top
fy5.wenxinwl.top
fyf.wenxincehua.top
fyf1.wenxincehua.top
fyx1.wenxinwl.top
ggux.wenxinwl.top
ghyb.ghyufo.cn
gikd.ejfiwf.cn
goo.yexinch.top
gool.yuelangjs.top
gxfclb.xin
gxy2.wenxinwl.top
gzas.efwreh.cn
gzsg.efwreh.cn
gzwl.iufdgi.cn
hjjy.ehfhnc.cn
hsjdye.cn
htdlxx.cn
iufdgi.cn
jieya.space
keukj.xyz
klny.efjfio.cn
kualian.fun
lcwa.sdjfsg.cn
lcwb.sdjfsg.cn
lcwd.sdjfsg.cn
lcwe.sdjfsg.cn
lcwf.sdjfsg.cn
mqwa.iufdgi.cn
mqwc.iufdgi.cn
mqwd.iufdgi.cn
mqwe.iufdgi.cn
mqwf.iufdgi.cn
msfa.ejfiwf.cn
njrm.yjkkld.cn
podlwf.cn
sdjfsg.cn
sogg.keukj.xyz
tjqmdjnydt10.icu
todesk.fun
tzkj.cdhove.cn
tzwl.cdhove.cn
ujskdr.cn
wenxinwl.top
wgbh.ehfhnc.cn
whffjf.top
wingdsdf.top
wlke.sdjfsg.cn
wlkj.sdjfsg.cn
wlkk.sdjfsg.cn
wlks.sdjfsg.cn
xgkj.hsjdye.cn
xhua.acmdkr.cn
xiazaiaa.top
xygz.sliwpf.cn
xyht.htdlxx.cn
yasu.nunbae.cn
yd.wenxincehua.top
yexinch.top
yjkkld.cn
ymfy.ehfhnc.cn
ymss.ehfhnc.cn
ymyd.ehfhnc.cn
youdada.wenxinwl.top
youdaolwfa.top
youdaorgyww.icu
youdaoruun.icu
youdaosunwi.top
youdaouakw.icu
yuelangjs.top
yukm.ehfhnc.cn
yx.wenxincehua.top
yx1.wenxincehua.top

# Reference: https://x.com/malwrhunterteam/status/1927410721031111085
# Reference: https://www.virustotal.com/gui/file/59705a69a421900734a8653fbf1e0a3bdfeaa3ec3b831ba7135166c91757df75/detection

202.162.100.6:53618

# Reference: https://x.com/malwrhunterteam/status/1928742687953297695
# Reference: https://www.virustotal.com/gui/file/5c253bc5b53ab7bfa7d60ce90d9562b73c74876dec40d8c7a1842096be5f1357/detection

103.68.181.196:6000
c0mcom.com
oneihmdo.com
quickqnew.com

# Reference: https://x.com/malwrhunterteam/status/1929892737945354246
# Reference: https://www.virustotal.com/gui/file/f3b68f39cbb3250b5f3c5db458cc46e5a6287d11e1708176f553a7734f7ab55f/detection
# Reference: https://www.virustotal.com/gui/file/d57452081e3b8a818f160646a238a26ea7608acdf2ffcc3c5b712b618b550c5e/detection

23.94.40.171:8081

# Reference: https://x.com/malwrhunterteam/status/1929993935356596460
# Reference: https://www.virustotal.com/gui/file/21d8662707c7faddc28a041489d01fbda9253ac13494d99491e3a5d285d50903/detection

moneycome.me

# Reference: https://x.com/malwrhunterteam/status/1930502628804301155
# Reference: https://www.virustotal.com/gui/file/9adb94bfd1232c1d15ae7a2c2c48a2650a8f2fc78c90493b88d33d7471d5fdeb/detection
# Reference: https://www.virustotal.com/gui/file/c0df924c1d71b02152da6f58121cd349129b3504e3ac91253d46f3a0ab011784/detection

14.18.180.112:18000
156.234.228.112:6666
156.234.228.112:8852
156.234.228.112:18853
43.154.240.161:8080

# Reference: https://x.com/malwrhunterteam/status/1931254532689785229
# Reference: https://www.virustotal.com/gui/file/42c7f4f0aef68e7de2b06dd7c8409b9248550419c2330a8097cc35c006722f2c/detection

23.235.165.126:443

# Reference: https://x.com/skocherhan/status/1941006498592969099

154.82.85.102:8083
154.82.85.160:8083
xiaoshihou1.top
xiaoshihou13.top
ffsup-s42.oduuu.com

# Reference: https://x.com/1nt3l_hunt/status/1941886322995556520
# Reference: https://app.validin.com/detail?find=45.204.215.42&type=ip4&ref_id=39357d17357#tab=resolutions
# Reference: https://www.virustotal.com/gui/file/57f0888ec2f3eb3643c91761e5ca62fd9cad22ea3f029826c935e07ff3aa8344/detection

chromebot.top
i4cotr.top
siguapov.top
youdaopll.top
youdaopot.top
youdaopota.top
youdaopotc.top
youdaopotd.top
youdaopote.top
youdaopotg.top
youdaopoth.top
youdaopoti.top
youdaopotk.top
youdaopotl.top
youdaopotn.top
youdaopoto.top
youdaopotp.top
youdaopotq.top
youdaopotr.top
youdaopots.top
youdaopotu.top
youdaopotv.top
youdaopotw.top
youdaopotx.top
youdaopoty.top
youdaopotz.top
youdaoptya.top
youdaoptyb.top
youdaoptyc.top
youdaoptyd.top
youdaoptye.top
youdaoptyg.top
youdaoptyh.top
youdaoptyi.top
youdaoptyj.top
youdaoptyk.top
youdaoptyl.top
youdaoptyo.top
youdaoptyp.top
youdaoptyq.top
youdaoptyqw.top
youdaoptyr.top
youdaoptyv.top
youdaoptyx.top
youdaoptyy.top
youdaoptyz.top
youdaovoka.top
youdaovokb.top
youdaovokc.top
youdaovokd.top
youdaovoke.top
youdaovokg.top
youdaovokh.top
youdaovoki.top
youdaovokj.top
youdaovokk.top
youdaovokl.top
youdaovokm.top
youdaovokn.top
youdaovoko.top
youdaovokp.top
youdaovokq.top
youdaovokr.top
youdaovoks.top
youdaovokt.top
youdaovoku.top
youdaovokv.top
youdaovokw.top
youdaovokx.top
youdaovoky.top
youdaovokz.top
youdaovra.top
youdaovre.top
youdaovri.top
youdaovro.top
youdaovroxb.top
youdaovroxc.top
youdaovroxd.top
youdaovroxj.top
youdaovroxk.top
youdaovroxl.top
youdaovroxm.top
youdaovroxn.top
youdaovroxp.top
youdaovroxt.top
youdaovroxv.top
youdaovroxw.top
youdaovroxx.top
youdaovroxz.top
youdaovrp.top
youdaovrq.top
youdaovrr.top
youdaovrs.top
youdaovrt.top
youdaovru.top
youdaovrw.top
youdaovry.top
youdayybplot.top
youdayylopt.top
zwbvosy.top

# Reference: https://www.virustotal.com/gui/file/0211c040edcbe0bfcc4b021e1a6304c359e46540e2a1ca53e6a30f6e3ed2d52a/detection

http://45.204.199.40
43.199.235.160:6628

# Reference: https://x.com/skocherhan/status/1942414925764165899
# Reference: https://www.virustotal.com/gui/file/fdb8c01abb486b1119b4b28164129b223d8d1e7cd1fcabe5dd012478b583d3b6/detection

148.66.11.10:5555
fi0xl05.top
roykdw53.top
wss.fi0xl05.top
wss.roykdw53.top

# Reference: https://x.com/skocherhan/status/1942421506165813271
# Reference: https://www.virustotal.com/gui/ip-address/156.251.30.116/relations

waeokxw456.icu
waxoemis3.icu
wbcueajx50v.icu
wcakeolx3.icu
wcneuaokz7.icu
wcneuxkaoc.icu
wcoameikx6.shop
wcuaowkx6.icu
whaiqpae1x0.icu
whamxiokl.shop
wharuom1.icu
whasoxpem.shop
whaspopm.icu
whatsjpwjr236.shop
whatspkoel1.icu
whatsplepp.shop
whatsplms.shop
whatwpps5.icu
whaueiks85.icu
whaueonxa2.icu
whaueoslx6.shop
whaueoxk2.icu
whaueoxka8.icu
whaueqkxz5.icu
whaueyn25.icu
whauiso2.shop
whauoeklnn.shop
whauoxok8.shop
whaxokel.shop
whsuaolx2.shop
whsueoakx1.icu
whsueoamx8.shop
whuaeksx.shop
wnaienxo6.icu
wnaozle93.icu
wnauehklx582.icu
wnaueoqk3.icu
wnaueoqlx365.icu
wnaueoxka6.icu
wnaueoxkaz4.icu
wnciolkkis40.icu
wncoaplx78.icu
wncueoam2.icu
wncueoaz4x.icu
wnqiaopl9.icu
wnqiaoxkek6.icu
wnqoamei7.icu
wnquaozw8.icu
wnuwoajx75.icu
wnxeokpps28.icu
wnxuekak8x.icu
wnxueoakx9.icu
wnxueoanm35.icu
wnxueom85k.icu
wqnaiomzw9.icu
wsuxoam0.icu
wsxnumi8.shop
wuaieolx8.shop
wuaoemxz12.icu
wuwanueaivou.qpon
wvvuwkopp1.icu
wwqnai1m0.icu
wxniklmxsp.shop
wxnkosl23x.icu
wxuoklmxaq.icu
uaa.whaiqpae1x0.icu
uaa.wnciolkkis40.icu
waa.whatwpps5.icu
waa.whauiso2.shop
waa.whuaeksx.shop
wat.wbcueajx50v.icu
wat.wnxueoanm35.icu
wkk.whaxokel.shop
wkk.wnauehklx582.icu
wkk.wnaueoxkaz4.icu
wkk.wqnaiomzw9.icu
wks.wnxueom85k.icu
wll.whatsplms.shop
wsk.wuaoemxz12.icu
wss.whaspopm.icu
wss.whaueqkxz5.icu
wvv.wvvuwkopp1.icu
wwa.wcneuxkaoc.icu
wwa.whatspkoel1.icu
wwa.whatsplepp.shop
wwa.whaueonxa2.icu
wwa.whsueoamx8.shop
wwa.wnaueoqlx365.icu
wwa.wnquaozw8.icu
wwa.wsuxoam0.icu
wwa.wsxnumi8.shop
wwa.wxuoklmxaq.icu
wwb.whamxiokl.shop
wwb.wncueoaz4x.icu
wwb.wnxeokpps28.icu
wwc.wnaozle93.icu
wwd.wnqoamei7.icu
wwg.wnxuekak8x.icu
wwi.waeokxw456.icu
wwi.wnaienxo6.icu
wwi.wnaueoxka6.icu
wwk.wcoameikx6.shop
wwk.wcuaowkx6.icu
wwk.whasoxpem.shop
wwk.whatsjpwjr236.shop
wwk.whaueoslx6.shop
wwk.whaueoxka8.icu
wwk.whsuaolx2.shop
wwk.whsueoakx1.icu
wwk.wncueoam2.icu
wwk.wnqiaoxkek6.icu
wwk.wnuwoajx75.icu
wwm.whauoxok8.shop
wwo.wncoaplx78.icu
wwq.waxoemis3.icu
wws.wcakeolx3.icu
wws.wharuom1.icu
wws.whaueiks85.icu
wws.whaueoxk2.icu
wws.whauoeklnn.shop
wws.wnqiaopl9.icu
wws.wxnkosl23x.icu
wwt.wcneuaokz7.icu
wwt.whaueyn25.icu
wwt.wnxueoakx9.icu
wwt.wuaieolx8.shop
wwt.wxniklmxsp.shop
wwu.wnaueoqk3.icu
wwu.wwqnai1m0.icu
wxw.wuwanueaivou.qpon

# Reference: https://x.com/skocherhan/status/1942760237167202457
# Reference: https://www.virustotal.com/gui/file/fdd0c56781c81e423b8af358596636afa72333d948113718650f48f163c7834f/detection

latesclsnitr.com

# Reference: https://x.com/smica83/status/1952730422212727181
# Reference: https://www.virustotal.com/gui/file/e104c98fe9b9fc4473018a88b37d9c1029aa444ff74315d5e469aa6db964eb94/detection

47.83.171.202:9650
47.83.171.202:9750
47.83.171.202:9850

# Reference: https://x.com/smica83/status/1953392224219111867
# Reference: https://x.com/skocherhan/status/1953399063354728558

47.239.99.114:8379
8.210.41.205:7036
feetifu.net
iualef.net
osuyet.net
poaeur.net
uyahcn.net
yuwesq.net
2025so.oss-cn-beijing.aliyuncs.com
25nm.oss-cn-hangzhou.aliyuncs.com
2ao2my.oss-cn-beijing.aliyuncs.com
5oss.oss-cn-hangzhou.aliyuncs.com
67yao4.oss-cn-qingdao.aliyuncs.com
6yuyyh.oss-cn-beijing.aliyuncs.com
755owo.oss-cn-beijing.aliyuncs.com
7997cs.oss-cn-shenzhen.aliyuncs.com
8ae6tt.oss-cn-shenzhen.aliyuncs.com
ae86dr.oss-cn-shenzhen.aliyuncs.com
bbyy44.oss-cn-shenzhen.aliyuncs.com
eg9eg9.oss-cn-beijing.aliyuncs.com
er1er1.oss-cn-beijing.aliyuncs.com
ewewbl.oss-cn-shenzhen.aliyuncs.com
ewewbs.oss-cn-shenzhen.aliyuncs.com
f11uw9.oss-cn-beijing.aliyuncs.com
f3rf3r.oss-cn-beijing.aliyuncs.com
fay5oh.oss-cn-shenzhen.aliyuncs.com
he99eh.oss-cn-beijing.aliyuncs.com
id29tg.oss-cn-beijing.aliyuncs.com
ll6yy6.oss-cn-beijing.aliyuncs.com
lldwt-oss.oss-cn-beijing.aliyuncs.com
nm25.oss-cn-hangzhou.aliyuncs.com
oss3333.oss-cn-shanghai.aliyuncs.com
qqssll.oss-cn-shenzhen.aliyuncs.com
qqyyss.oss-cn-shenzhen.aliyuncs.com
qs1qs1.oss-cn-shenzhen.aliyuncs.com
s13s13.oss-cn-beijing.aliyuncs.com
sc-2k7t.cn-hangzhou.oss-adns.aliyuncs.com
sd2h2p.oss-cn-beijing.aliyuncs.com
shi5ce.oss-cn-shenzhen.aliyuncs.com
upitem.oss-cn-hangzhou.aliyuncs.com
w4geu2.oss-cn-beijing.aliyuncs.com
w5u9yy.oss-cn-beijing.aliyuncs.com
wjkk59.oss-cn-beijing.aliyuncs.com
wu3wu3.oss-cn-beijing.aliyuncs.com
wuy535.oss-cn-beijing.aliyuncs.com
wywwyw.oss-cn-beijing.aliyuncs.com
xho7x7.oss-cn-shenzhen.aliyuncs.com
xy8xy8.oss-cn-beijing.aliyuncs.com
yr22ry.oss-cn-beijing.aliyuncs.com

# Reference: https://x.com/smica83/status/1957150632093057227

103.204.79.114:448
103.204.79.118:448
5201314999.com

# Reference: https://x.com/1ZRR4H/status/1960776566432256081
# Reference: https://www.virustotal.com/gui/file/adc570474b594eb4323605c804e4a7a875763895f56d00b571d9ebc4e0fc3f0e/detection

kingmi2.ag.ink
pub-86da01ef5dcc48a5835da89640b8232a.r2.dev

# Reference: https://www.virustotal.com/gui/file/feda1267241d2399297681e81cfd04f9e418989f0d198c9c11dbb4574d59fb42/detection
# Reference: https://www.virustotal.com/gui/file/d0349507c9d95b5ddc447406eb80d77d3fb450ba6af05aa0668fdab7acb8ffb8/detection
# Reference: https://www.virustotal.com/gui/file/cf368705c5cd6cd0f824d5ca8b5f187488fbd4d436a93a60f57f8cfd6a004398/detection

27.124.43.13:27956
symptomatic.quest

# Reference: https://x.com/zoomeye_team/status/1964997872937771343
# Reference: https://app.validin.com/detail?type=raw&find=Facebook+%E6%A1%8C%E9%9D%A2%E7%89%88#tab=host_pairs (# 2025-09-08)

badzhmr.cn
bqyd.opghfy.cn
cbd.qefodim.cn
cdsfewf.cn
cfya.idshia.cn
cgwc.ohvhfe.cn
cqo.zhsnw.cn
dmymbva.cn
faseboko.life
fbls.ytynjx.cn
fbvv.yzjiy.cn
fdodgp.cn
fengyiyewl.cn
hzaa.sfyurv.cn
idshia.cn
jbb.badzhmr.cn
junyiw.cn
key.whjiayide.cn
kpxd.fdodgp.cn
lpk.junyiw.cn
ohvhfe.cn
opghfy.cn
qefodim.cn
sfyurv.cn
tgb.ziywl.top
whjiayide.cn
wpkf.cdsfewf.cn
xci.dmymbva.cn
xhs.fengyiyewl.cn
ytynjx.cn
yzjiy.cn
zhsnw.cn
ziywl.top
zzs.whjiayide.cn

# Reference: https://www.virustotal.com/gui/file/0ce9d0a4fa6044c11ae72beece8b9aedc35b0fdb28eba1997216831aee490c4b/detection

http://47.242.144.180
47.242.144.180:4433
dftuchu.oss-cn-beijing.aliyuncs.com

# Reference: https://x.com/malwrhunterteam/status/1969292383809400865
# Reference: https://www.virustotal.com/gui/file/117919943eda9082aaf4ba89b0a32411c1959d46b01484406ecb07766b5c200c/detection

microsoft001.oss-cn-hangzhou.aliyuncs.com

# Reference: https://x.com/malwrhunterteam/status/1969296139791798358
# Reference: https://www.virustotal.com/gui/file/28c1575ef28fc5e3b5eb4a63327bec10b399ce17bd65ea1b2e53562cfcd7e8a4/detection

150.5.145.84:443

# Reference: https://www.huntress.com/blog/nezha-china-nexus-threat-actor-tool
# Reference: https://www.virustotal.com/gui/file/7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958/detection
# TITLE-IP=默认页面-最美诗词提示
# CLASS_0_HASH-IP=d47b8ca005d031689e03014b62769945
# CLASS_0_HASH-HOST=d47b8ca005d031689e03014b62769945

107.172.234.17:53762
124.221.113.254:53762
156.226.172.249:53762
157.254.178.135:53762
45.207.220.12:53762
47.79.92.244:53762
74.48.213.222:53762
bj2.xyz
cx0.cc
np-prob.xyz
okoka.icu
coal.np-prob.xyz
gd.bj2.xyz
hkg-v1.cx0.cc
w.okoka.icu
