# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: sparkrat

# Reference: https://twitter.com/r3dbU7z/status/1591314417857466368
# Reference: https://www.virustotal.com/gui/file/ee58e44e285e6838c4172404338305d864969ad19b0d1e40287fc4b1e0443e42/detection

http://139.177.196.67
139.177.196.67:8000

# Reference: https://twitter.com/suyog41/status/1608776330543509505
# Reference: https://twitter.com/suyog41/status/1608779676721504256
# Reference: https://www.virustotal.com/gui/ip-address/141.164.47.246/relations
# Reference: https://www.virustotal.com/gui/file/53ad5aacd50d63623e924042b7e637355f68071ccb267eb51265dd68bef68fa3/detection
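# Reference: https://www.virustotal.com/gui/file/49b8058f80e43f7271a8433ff1f42db5938e1acf083776e9d9d66ffee1212005/detection
# NOTE(review): the port in 193.161.193.99:33373 matches the suffix of hellwoun12-33373.portmap.io, a tunnelling-service hostname; the address is presumably shared with that service's other users, so match on IP and port together rather than on the bare IP.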

134.122.186.155:8000
193.161.193.99:33373
duskland.xyz
sleep.duskland.xyz
ssh.duskland.xyz
hellwoun12-33373.portmap.io

# Reference: https://twitter.com/nahamike01/status/1643587575851126784

103.213.246.4:8000
104.156.149.58:8000
104.168.64.173:8000
120.26.87.12:8000
121.4.140.182:8000
129.152.13.80:8000
129.226.92.121:8000
139.84.138.232:8000
142.93.96.248:8000
164.90.179.76:8000
180.76.143.173:8000
20.187.85.45:8000
20.243.208.23:8000
202.95.1.24:8000
23.94.169.102:8000
47.93.7.75:8000
5.45.83.109:8000
51.91.100.41:8000
8.210.81.164:8000
81.169.241.63:8000

# Reference: https://twitter.com/suyog41/status/1655524692164214784
# Reference: https://www.virustotal.com/gui/file/f252274a873b52ec33625b8f8ddb77dcdf9dfc8781585d22461f11c9d337b39d/detection

130.185.238.251:7777

# Reference: https://twitter.com/r3dbU7z/status/1658465420138123271
# Reference: https://www.virustotal.com/gui/file/80ef5b531e2e8cb19403a8f06cfa1d6743900957ebf24d84f63211ae04d6bc1f/detection

23.108.57.242:443
23.108.57.242:8000

# Reference: https://asec.ahnlab.com/en/52899/

59.22.167.217:34646
webull.day
gwekekccef.webull.day

# Reference: https://twitter.com/malwrhunterteam/status/1681940382798471169
# Reference: https://www.virustotal.com/gui/file/fa4410eb44904c8943cc69bd6aed17aa7c92bb53d9211d37af63f683a62d7247/detection

http://175.27.236.90
175.27.236.90:8081

# Reference: https://twitter.com/suyog41/status/1693563144617206147
# Reference: https://www.virustotal.com/gui/file/56479d0648c051460e0cc6f4daa6d558c346bd5c5b2fab89585255719e4c595e/detection

175.27.190.149:8000

# Reference: https://twitter.com/suyog41/status/1698930626735595614
# Reference: https://www.virustotal.com/gui/file/59188156c4cd7d7bcee7e0ed2df638d76a799012a8faa0b5754a43c29329672f/detection

43.138.103.138:8000

# Reference: https://twitter.com/suyog41/status/1699325964906602576
# Reference: https://www.virustotal.com/gui/file/2943c7dfcff2192243ef29d65e2eed011009c4c3686ba3a4f146217f6a1657c8/detection

43.140.252.169:8000

# Reference: https://x.com/malwrhunterteam/status/1821809688477941832
# Reference: https://www.virustotal.com/gui/file/65f90426e53a0ab33c3c052e26adf5e11775c691fc7909079b6a8016d61654a0/detection
# Reference: https://www.virustotal.com/gui/file/bc326bb6a590f0da6942cd80b922838deb31be11e0c6d0339df1010b89b77c37/detection

185.117.75.3:9610

# Reference: https://x.com/malwrhunterteam/status/1822216943656476779
# Reference: https://www.virustotal.com/gui/file/dd18e5e1d11f80b3b254c800b208d9b9a1dc5503d85ea2a4dee87d695c9939d9/detection
# Reference: https://www.virustotal.com/gui/file/afe431ce8759752483a3ea1d99f0c4f364095debf10a9101b3ea7a2ceca17a21/detection
# Reference: https://www.virustotal.com/gui/file/8427ba4d636802a888e9378dc6cc18b4c932706b9fddf972c77a85314a42a195/detection
# Reference: https://www.virustotal.com/gui/file/5deaca343c0d00ab02bd1588157c598d1844228def14e2bc8077498a2fa59378/detection
# Reference: https://www.virustotal.com/gui/file/328a6608c2ffb96b08a0bab9405fb03a11ccd9cf25496f9b5d3ac9cab2c53b7d/detection
# Reference: https://www.virustotal.com/gui/file/2da4b6ce67b66d177457e42ea7870ac48015d436b3c47dc684482ce2d6206c26/detection

185.56.139.92:63311
185.56.139.92:8000
185.56.139.92:8001
185.56.139.92:8006
185.56.139.92:9998
185.56.139.92:9999
188966347.xyz
microsoft.188966347.xyz

# Reference: https://x.com/malwrhunterteam/status/1846624521253511542
# Reference: https://www.virustotal.com/gui/file/aaff0c76b5f5255aecdcb838d5fcdf3f3e5142e040f00ea6683c0d5535213f5f/detection
# Reference: https://www.virustotal.com/gui/file/43b828ac4517aafead8841d2f8965bceb1204534b95cbacf34c6df3ddd8f6e06/detection

203.3.112.131:8909
jackte.us.kg
c2.jackte.us.kg

# Reference: https://x.com/malwrhunterteam/status/1848621446378987709
# Reference: https://www.virustotal.com/gui/ip-address/154.205.137.66/relations
# Reference: https://www.virustotal.com/gui/file/6c8b6781c895a90a5b114c01381c17fa54cb76e8bf8861ad705ba681542ce109/detection

docker.cab
update-1.docker.cab
update-2.docker.cab
upgrade.docker.cab

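# Reference: https://x.com/SecureSh3ll/status/1849938989370741143
# NOTE(review): the three entries below that begin with '/' are URL path fragments with no host part; presumably they match requests to any host -- confirm that scope is intended.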

149.28.149.218:58888
38.60.221.32:58888
column.mrbasic.com
/zdevzczlrq/qjgiiwqlbb
/zdevzczlrq/
/qjgiiwqlbb

# Reference: https://x.com/malwrhunterteam/status/1859131634642985255
# Reference: https://www.virustotal.com/gui/file/32b8ac4b491b0d1be1f27c4e2531c4117aa928551b2ade3c0152c27808fedb2f/detection

msecnd.cc
vo.msecnd.cc

# Reference: https://x.com/malwrhunterteam/status/1860978864509391339
# Reference: https://www.virustotal.com/gui/ip-address/118.194.249.40/relations
# Reference: https://www.virustotal.com/gui/file/5802d266c6fd8f45323b7d86d670059f1bd98de42a173fbc2ac66399b9783713/detection

37.230.62.73:8000
gholoerkolw.fun
gjioedflkvdfesvd.shop
gjioierasdnvjdfheaxvkde.shop

# Reference: https://x.com/dyingbreeds_/status/1861700273980244435
# Reference: https://app.validin.com/detail?type=ip&find=118.194.248.130#tab=resolutions

ghuioervm.cfd
gmmkioedsa.cyou
gmnmoiupom.sbs
gnmrmons.cfd
hcxcvcxfowrb.cloud
nahopiusw.site
nkolopiop.site
nmoplopeew.cyou

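# Reference: https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections
# NOTE(review): the last two entries of this group disagree on the registrable domain ('henho247.net' vs 'remote.henh247.net'); one is possibly a typo -- verify both against the reference.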

http://15.235.130.160
http://152.32.138.108
67.217.62.106:4443
67.217.62.106:8000
ggnmcomas.site
gmcomamz.site
gmnormails.site
gmonmle.sbs
gmoocsoom.site
gmoonsom.site
gmoosomnoem.site
gnmoommle.space
gomncomow.site
gooczmmnc.site
goomlnme.cyou
gsoonmann.site
mncomgom.site
namerowem.site
nasanecesoi.site
one68.top
updatetiker.net
henho247.net
remote.henh247.net

# Reference: https://x.com/malwrhunterteam/status/1886879783377605078
# Reference: https://www.virustotal.com/gui/file/149a7273a9717ae1cd80bc6aa5ae6c4412b43bc0f5349e93a5c308342df1cd20/detection

kkuczewski.xyz
files.kkuczewski.xyz
openwebui.kkuczewski.xyz
trolaz.kkuczewski.xyz

# Reference: https://x.com/malwrhunterteam/status/1904142516540100900
# Reference: https://www.virustotal.com/gui/file/5c3193488ce4d3b01dc3a7b12af4830102933defe51b7f8e35bfe68994f39ef7/detection

104.245.240.20:8000
mexalzregele.hopto.org
