# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: Yellow Cockatoo RAT, Polazert, solarmarker

# Reference: https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf
# Reference: https://redcanary.com/blog/yellow-cockatoo/
# Reference: https://otx.alienvault.com/pulse/5faf00679c90b876019cc653
# Reference: https://otx.alienvault.com/pulse/5fcab7a1accb28c015a5717d

blackl1vesmatter.org
gogohid.com
mixblazerteam.com
spacetruck.biz
vincentolife.com

# Reference: https://www.virustotal.com/gui/file/dbba731937d435681ed98af6e42ab52d53af4f9ebe8db955a2b4b9ab63b4b06c/detection

http://5.254.118.226

# Reference: https://www.virustotal.com/gui/file/38508585ab7911fa8c6475b14086e11db6e829c541b392634bcc921ae6cdda35/detection

http://216.230.232.134

# Reference: https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer
# Reference: https://www.virustotal.com/gui/file/e3680602deb66e1196bcffe531cdeeab32663efc62c5e16178a0f9f4df745007/detection
# Reference: https://www.virustotal.com/gui/file/8447b77cc4b708ed9f68d0d71dd79f5e66fe27fedd081dcc1339b6d35c387725/detection

http://37.120.237.251
http://45.42.201.248

# Reference: https://www.virustotal.com/gui/file/60c570bd5f5f0d8ea3760317f9becaa78a9be16b2fb2dc7399bf270ca855c0a1/detection

http://45.146.166.186

# Reference: https://twitter.com/th3_protoCOL/status/1488508291642626057
# Reference: https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/

http://104.223.123.7
http://146.70.24.173
http://146.70.41.157
http://149.255.35.179
http://167.88.15.115
http://185.244.213.64
http://188.241.83.61
http://192.121.87.53
http://216.230.232.134
http://23.29.115.175
http://37.120.237.251
http://37.221.114.23
http://45.146.165.221
http://45.42.201.248
http://46.102.152.102
http://5.254.118.226
http://69.46.15.151
http://91.241.19.110
http://92.204.160.110
http://92.204.160.233
abocomteamsd.site
chargraman.ml
passesleeson.site
pdfdocdownloadspanel.site
sseiatca.site
triplegnuise.site

# Reference: http://lists.emergingthreats.net/pipermail/emerging-sigs/2021-November/030492.html

noelfpar.com

# Reference: https://www.virustotal.com/gui/file/e2ee962de73184eb406a9b403a87b4a8b2d8dc2a2b048977748a0273d1f90ab6/detection

http://146.70.88.119

# Reference: https://unit42.paloaltonetworks.com/solarmarker-malware/

http://146.70.101.97
http://146.70.53.153
http://37.120.247.199
http://37.221.113.115
http://84.252.95.225
http://89.44.9.108
http://92.204.160.101
http://92.204.160.114

# Reference: https://twitter.com/SquiblydooBlog/status/1515345814314373123
# Reference: https://www.virustotal.com/gui/file/8aaf2a9920c23cbccf4ee9686679ad605ed3943685e80855192cdaf27913d9b7/detection

http://86.106.20.155

# Reference: https://tria.ge/220421-q74hdsbaan

http://37.120.247.120

# Reference: https://www.virustotal.com/gui/file/c884f80accda415c39632e495f11e1d143649d0439d6eecd8a9d4851d041c444/detection

http://146.70.71.174

# Reference: https://tria.ge/220706-15rqxshffj/behavioral2

http://146.70.124.83

# Reference: https://twitter.com/embee_research/status/1546735163996254208

http://194.15.216.126

# Reference: https://twitter.com/SquiblydooBlog/status/1552736298024243201
# Reference: https://tria.ge/220728-vv9k4ahfc8/behavioral1

http://37.120.198.209

# Reference: https://twitter.com/embee_research/status/1567905607943950341

http://85.17.9.107

# Reference: https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2_FgRr3aN.pdf

http://176.113.115.125
http://45.135.232.131
http://45.155.204.139
digitalagencylks.com
hosthotelsshtus.com

# Reference: https://twitter.com/SquiblydooBlog/status/1574669745651163137
# Reference: https://tria.ge/220926-xqpq8schej/behavioral2

http://146.70.53.146

# Reference: https://twitter.com/SquiblydooBlog/status/1578083067893252108
# Reference: https://www.virustotal.com/gui/file/e0f268e1bff8974b728315707386b2b2fe70fa1701047976f0911bc2622e8de0/detection

http://176.223.140.177

# Reference: https://twitter.com/SquiblydooBlog/status/1588965633752199168
# Reference: https://tria.ge/221105-wcz5dabbgj/behavioral2

http://146.70.147.41

# Reference: https://twitter.com/luke92881/status/1591149451472941058
# Reference: https://app.any.run/tasks/eb4e5142-4d0d-4a2f-86b2-4228410922d8/

http://85.17.9.32

# Reference: https://twitter.com/SquiblydooBlog/status/1598942566170652673

http://78.135.73.155

# Reference: https://twitter.com/SquiblydooBlog/status/1604494175956869122
# Reference: https://www.virustotal.com/gui/file/d5d9368aa2419cdecd951091cddfc9227ab49fb554e53099378a2ef7aae5a012/detection

http://185.73.202.88

# Reference: https://twitter.com/AnFam17/status/1613586031328071707

http://67.43.233.154

# Reference: https://twitter.com/SquiblydooBlog/status/1618570847719149568
# Reference: https://www.virustotal.com/gui/file/2bf0a64fe7aea262c96fc7d52b1e28486ff607caa9513fd88583e19454f9c500/detection

http://146.70.161.126

# Reference: https://www.virustotal.com/gui/file/a13278be27e4b0c38d7102496f3d4fcfb31cf710389edee244a4c5dd40055c4f/detection

http://91.206.178.144

# Reference: https://twitter.com/AnFam17/status/1679592168514637825

http://78.135.73.180

# Reference: https://twitter.com/SquiblydooBlog/status/1688885798890860544

http://193.29.56.179
http://91.206.178.106

# Reference: https://twitter.com/SquiblydooBlog/status/1690139830984814594

http://212.237.217.133
http://78.135.73.160

# Reference: https://twitter.com/SquiblydooBlog/status/1692485583250260204
# Reference: https://tria.ge/230818-lcavdaaa9w/behavioral2

http://146.70.40.228

# Reference: https://twitter.com/SquiblydooBlog/status/1695193593365877084

http://146.70.125.68
http://46.30.188.221

# Reference: https://threatfox.abuse.ch/browse/malware/win.solarmarker/

http://146.70.149.55
http://146.70.86.142
http://185.94.191.54
http://217.138.215.105
drumlinsecurity.com
fzthemes.site
nakamurav.com

# Reference: https://twitter.com/SquiblydooBlog/status/1699475399363657912
# Reference: https://tria.ge/230906-t5rycshg24/behavioral2

http://185.236.203.159
http://78.135.73.148

# Reference: https://twitter.com/SquiblydooBlog/status/1701636445977317474

http://37.120.198.226

# Reference: https://twitter.com/SquiblydooBlog/status/1703115443181863325
# Reference: https://tria.ge/230916-wmkgnsce5z/behavioral2
# Reference: https://www.virustotal.com/gui/file/13a1bead1187cbc6072c410501a417b812e82f1bbbf6a93deaab26ae5ea67628/detection

http://185.243.115.88
http://91.206.178.109

# Reference: https://twitter.com/SquiblydooBlog/status/1704903699863142748
# Reference: https://tria.ge/230921-tjd5dabc25/behavioral2

http://146.0.79.28

# Reference: https://twitter.com/SquiblydooBlog/status/1707428017906090325
# Reference: https://tria.ge/230928-r1yh8scb2t/behavioral2

http://146.70.92.153
http://2.58.14.246

# Reference: https://twitter.com/SquiblydooBlog/status/1709843190511980791
# Reference: https://www.virustotal.com/gui/file/b55b93ec2e7b962840adfacb4e6007c620f6e7fc9a1289825b44b1376a5cc081/detection

http://146.70.145.224

# Reference: https://threatfox.abuse.ch/browse/malware/win.solarmarker/ (# 2023-10-15)

http://146.70.104.173
http://146.70.157.224
http://146.70.86.140

# Reference: https://twitter.com/SquiblydooBlog/status/1717464614403735562

http://146.70.71.135

# Reference: https://twitter.com/SquiblydooBlog/status/1719319531305206184

http://146.70.121.88

# Reference: https://twitter.com/SquiblydooBlog/status/1720425728171192445
# Reference: https://tria.ge/231103-nhx8zabe67/behavioral2

http://146.70.80.79
http://212.237.217.136
http://91.206.178.109

# Reference: https://twitter.com/SquiblydooBlog/status/1721960346468958442
# Reference: https://www.virustotal.com/gui/file/5abc14737cb65a1e645bd5a2e3301b0e3e1e861a184034a6cc67ce57ee38f448/detection

http://78.135.73.176

# Reference: https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
# Reference: https://otx.alienvault.com/pulse/654a4773d937d004abd51d9a

http://146.70.101.83
http://185.243.112.60

# Reference: https://twitter.com/SquiblydooBlog/status/1724534553350398338

http://146.70.104.176
http://146.70.80.66

# Reference: https://twitter.com/SquiblydooBlog/status/1727439342627607028
# Reference: https://tria.ge/231122-t1eggadf67/behavioral1

http://185.73.202.68
http://2.58.14.183
http://91.206.178.109

# Reference: https://www.esentire.com/blog/solarmarker-to-jupyter-and-back
# Reference: https://otx.alienvault.com/pulse/655e0d4bc019edf8513f0b15
# Reference: https://www.virustotal.com/gui/file/e4a5e529975f1beb46b2d6d30fc4bc52f77ce3dfdec1186aca45b2c8e3e50251/detection

http://146.70.169.170
http://23.29.115.186

# Reference: https://www.virustotal.com/gui/file/a07b1cf78a54dae125dd8a0bde61dd58f4efcf7a798172613e951ba3a180f2e9/detection

http://217.138.215.85

# Reference: https://twitter.com/SquiblydooBlog/status/1730602235824836815
# Reference: https://tria.ge/231201-q923caac6v/behavioral2

http://193.29.104.25

# Reference: https://twitter.com/SquiblydooBlog/status/1736449300870176925

http://2.58.15.214
http://67.43.234.48

# Reference: https://twitter.com/SquiblydooBlog/status/1740129178190778571
# Reference: https://www.virustotal.com/gui/file/a31d955304360eade30679137269659a9c7b1e53aecb2eb7e616a4ad0f91c655/detection

http://146.70.145.242
http://78.135.73.165

# Reference: https://twitter.com/luke92881/status/1747241778883748186
# Reference: https://www.virustotal.com/gui/file/6c89c09213a79a917a97f4531b9ef01da8feee805d2d3b7de92a831dbec9a7e6/detection
# Reference: https://www.virustotal.com/gui/file/c34b7f29d9f7b8031d8dd86730473753e616644323a634167fbf853a6e5fc704/detection

http://146.70.92.187

# Reference: https://twitter.com/luke92881/status/1751968350689771966
# Reference: https://www.virustotal.com/gui/file/5a2fb6d7bc028fc8d4cd5933acb8f85bffe7358372171a9f1598b478e65673e8/detection
# Reference: https://www.virustotal.com/gui/file/59b22f656ce9285f837706d3a2ca952c6008524d8f26c16cfdc36a06ddfe1368/detection

http://146.70.161.15

# Reference: https://twitter.com/SquiblydooBlog/status/1765169390369046597
# Reference: https://tria.ge/240305-3hsqtace5s/behavioral1

http://52.142.223.178

# Reference: https://x.com/SquiblydooBlog/status/1792955144516121099
# Reference: https://x.com/RussianPanda9xx/status/1793497137465938430
# Reference: https://www.virustotal.com/gui/file/9fcdb329122b918110be82e8040386798f1a0c28ad1d103bf06e5df6ec820aca/detection

http://139.60.161.78
http://146.70.80.83
http://2.58.15.118
