# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: konni, nokki

# Reference: https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/

/./pds/data/upload.php
/./pds/down/
/common/doc
/common/exe
/de/de_includes/mail/yandex.ru/donwload.php
/weget/upload.php
/weget/uploadtm.php

# Reference: https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/

kmbr1.nitesbr1.org

# Reference: https://twitter.com/bitsofbinary/status/1121356851759734786
# Reference: https://otx.alienvault.com/pulse/5cc2d732b9b05ddae2d59738

upgradesrv.890m.com

# Reference: https://blog.alyac.co.kr/2347 (Korean)

http://202.168.155.156
naiei-aldiel.16mb.com
naoei3-tosma.96.lt
upgradesrv.890m.com

# Reference: https://twitter.com/Timele9527/status/1139805856009035776

stream.nshc.net

# Reference: https://twitter.com/Timele9527/status/1149501545886519296
# Reference: https://otx.alienvault.com/pulse/5d2ca6c5e6be8b07f9099c55

http://194.124.34.62
http://193.148.16.45
attachment-download.net
download-daum.net
downloader-hanmail.net
downloader-naver.com
eazybilldelivery.com
eazybillkorea.com
filer-download.com
karachi-pk.com
karachi-tan.com
naver-download.com
naverservice.com
online-kor.com
standadbankgroup.com

# Reference: https://twitter.com/cyberwar_15/status/1166592637371060226

app-wallet.com

# Reference: https://blog.alyac.co.kr/2486 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d68ffff718c253183ab84f1

163-mail-vertify.com
attach-download.com
attach-download.net
attach-filedown.net
attachment-download.net
change-pw.com
corkmusicstation.com
down-error.com
download-daum.net
downloader-hanmail.net
downloader-naver.com
fighiting1013.org
filer-download.com
files-download.net
grnaeil.com
hanrnaii.net
intercasher.com
interpuber.com
karachi-pk.com
karachi-tan.com
mail-securiety.com
manage-download.com
manage-downloader.com
naerver.com
nidhelpnaver.com
nuaver.com
rnaeil.com
rnaii.com
rnail-163.com
rnail-inbox.com
rnailb.com
rnailm.com
rnailn.com
rnailo.com
rneail.com
seoulhobi.biz
tjustpassby.it
webrnail.com
webrnail.net

# Reference: https://twitter.com/h4ckak/status/1168524544107134977

upsrv.16mb.com

# Reference: https://blog.alyac.co.kr/2486

handicap.eu5.org

# Reference: https://twitter.com/Rmy_Reserve/status/1175989476155215878

panda2019.eu5.org

# Reference: https://asec.ahnlab.com/1251
# Reference: https://otx.alienvault.com/pulse/5d888b2d81bd27e2849f5054

down1-naver.com
filedownload2.com
tomasresult.com

# Reference: https://blog.alyac.co.kr/2535 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d8dd319bff875c7203a4ff1

clean.1apps.com

# Reference: https://blog.alyac.co.kr/2543 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d932f77c1b4106e0abc73e7

pelham-holles.com

# Reference: https://twitter.com/cyberwar_15/status/1205392858829619201

oaass-torrent.com

# Reference: https://twitter.com/cyberwar_15/status/1205393847372484608

http://2.56.151.8

# Reference: https://twitter.com/cyberwar_15/status/1205393076425875456

apksbank.com
ondownloadapk.com
freeapksapps.com
murratto.com

# Reference: https://blog.alyac.co.kr/2660 (Korean)
# Reference: https://asec.ahnlab.com/1277 (Korean)
# Reference: https://otx.alienvault.com/pulse/5df35c9471c37675f77f3d2a

down-error2.com
error-hanmail.net
error-naver.com
kan-smiko.com
mallesr.com
nottingham39483.com

# Reference: https://twitter.com/RedDrip7/status/1217662203022598144

firefox-plug.c1.biz
lookyes.c1.biz

# Reference: https://twitter.com/navSi16/status/1217743676455055360
# Reference: https://twitter.com/Timele9527/status/1217751641136304128
# Reference: https://www.virustotal.com/gui/file/107204043717ef14e2439eb938cd9b1e94b62827f772dbb2005773a9ee746b02/detection

win10-ms.c1.biz

# Reference: https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/
# Reference: https://otx.alienvault.com/pulse/5e29bc82175f51b3a3a75891

downplease.c1.biz
downyes.c1.biz

# Reference: https://twitter.com/WaChinYu1/status/1242394804337676288

docview.mygamesonline.org
phpview.mygamesonline.org

# Reference: https://twitter.com/ShadowChasing1/status/1265263606448324608
# Reference: https://twitter.com/ShadowChasing1/status/1265266076599726080

adobeevent.medianewsonline.com
authadobe.medianewsonline.com

# Reference: https://twitter.com/spider_girl22/status/1270933997900578820

resulview.com

# Reference: https://twitter.com/Xxx_8885/status/1272355090473480192
# Reference: https://www.virustotal.com/gui/file/e4656d6eec6fd339f50db2a01a6ab446903761b274afd3440b6d9bdb44cc226a/detection
# Reference: https://www.virustotal.com/gui/file/589c06f6a258a45501a7f1b9501f0c8113bfe1caf3eb5c502652bc62ee7cd3b0/detection
# Reference: https://www.virustotal.com/gui/ip-address/27.255.77.110/relations

http://27.255.77.110

# Reference: https://twitter.com/malwrhunterteam/status/1315978165446213634
# Reference: https://twitter.com/bl4ckh0l3z/status/1316763769582780418
# Reference: https://twitter.com/ShadowChasing1/status/1327102015395151873
# Reference: https://otx.alienvault.com/pulse/5fac5eb0940a159fcf19e139
# Reference: https://www.virustotal.com/gui/file/926eef860f8634c64496eaa6588242d87a81476f82c42d79e5fa2ee0d76a6ebb/detection
# Reference: https://www.virustotal.com/gui/file/87d54226eb67fef0a1e85f18c0ae3865e2184553eb564be3f5d0dbe694754811/detection

http://211.104.160.79
bignaver.com
cloudnaver.com
cloudsecurityservice.net
corper.be
dailycloudservice.com
daum-protect.com
delivernaver.com
delivers-security.com
delivers-security.net
down-error.com
midsecurity.org
naverdns.co
netsecurityservice.com
resetpolicy.com
resetprofile.com
rnaii.com
rneail.com
security-delivers.com
securitycounci1report.org
servicenaver.com
servicenidnaver.com
xfindphoneloc.com
zubamail.com

# Reference: https://twitter.com/m0br3v/status/1343567170027069441
# Reference: https://www.virustotal.com/gui/file/0a95154943ae08be64a564c61d1f64f31ca4b9c32d69c2871cdaeb883694cf45/detection

naversecurity.us

# Reference: https://twitter.com/ShadowChasing1/status/1374750091001491458
# Reference: https://twitter.com/ShadowChasing1/status/1376034727824531463
# Reference: https://www.virustotal.com/gui/file/fa3a2714d00dfde82f071f12099845a2e3dafa1c2b60b48ae0ede771783568f1/detection
# Reference: https://www.virustotal.com/gui/file/288c18e7ee88fbfa28ddb840333e787ef1146763c89e0f3e5a80c3dc4c1a5c4c/detection

222.118.183.131:8080
pronto-login.info
mid.pronto-login.info
statedept.pronto-login.info

# Reference: https://twitter.com/blackorbird/status/1375404040012492800
# Reference: https://mp.weixin.qq.com/s/pkCK1ryXvGWFuoHQk9Rahg

assuredshippings.com/wp-admin/css/colors/coffee/alive.php
assuredshippings.com/wp-admin/includes/1015/d.php
assuredshippings.com/wp-admin/includes/1023c/d.php
assuredshippings.com/wp-admin/includes/1023k/c.php
assuredshippings.com/wp-admin/includes/1023k/d.php
newspeers.com/000/wjb/cow.php
newspeers.com/000/wjb/expres.php
newspeers.com/000/wjb/upload.php
newwebsearcher.com/winmm/winmmnew.php
okbus.or.kr/libs/phpmailer/his.php

# Reference: https://twitter.com/Timele9527/status/1378196004097286147
# Reference: https://www.virustotal.com/gui/file/879b5fca0f4e3d1769e37e738f3b89ba6de81d0f5f34b8bba6267f905b85318a/detection

dragon-pig.onlinewebshop.net
little-dragon.mypressonline.com

# Reference: https://twitter.com/mg2_tracy1/status/1400009435817254913
# Reference: https://twitter.com/ShadowChasing1/status/1400013574257319936
# Reference: https://www.virustotal.com/gui/file/733632a89d65104631d0e4dbe98a36f62fbbbf24761626141d86d9b121a2480b/detection
# Reference: https://www.virustotal.com/gui/file/4fd43773079d146d31e2365ea76629d122b3b655131256fe530100e3721dab2f/detection

howwiki.1apps.com
knowhow.c1.biz
mywiky.c1.biz

# Reference: https://twitter.com/h2jazi/status/1420809029643812864
# Reference: https://www.virustotal.com/gui/file/d283a0d5cfed4d212cd76497920cf820472c5f138fd061f25e3cddf65190283f/detection

takemetoyouheart.c1.biz
taketodjnfnei898.ueuo.com

# Reference: https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

lookplease.c1.biz

# Reference: https://twitter.com/360CoreSec/status/1421021172876025866
# Reference: https://www.virustotal.com/gui/file/fccad2fea7371ad24a1256b78165bceffc5d01a850f6e2ff576a2d8801ef94fa/detection

romanovawillkillyou.c1.biz

# Reference: https://twitter.com/360CoreSec/status/1455432285507883011
# Reference: https://www.virustotal.com/gui/file/2e40728c594ec81e4dada47fc7853799f71f74d716c0c076139ba3526209f8f3/detection

footballs.sportsontheweb.net

# Reference: https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf

455686.c1.biz
h378576.atwebpages.com
i758769.atwebpages.com

# Reference: https://www.virustotal.com/gui/file/01917368cfadc1122850df248ef2af67f818d88c0950617a6bb531048a04989f/detection
# Reference: https://www.virustotal.com/gui/file/0935706ab647637f2789fa7adbe4151f9e8bf479d43841b167a2f8956daa78f2/detection
# Reference: https://www.virustotal.com/gui/file/4e3f6f08966b264a096fdf137388b6c259aa72a9a151431955bfc5dc0cab5b68/detection

193.161.193.99:24933
h6466waygy.52http.tech
superboss.atwebpages.com

# Reference: https://blog.bushidotoken.net/2022/01/tracking-renewable-energy-intelligence.html
# Reference: https://otx.alienvault.com/pulse/61e6de4edebb498761384f2a

8xe3615-12-2019-up-date.eu3.org
activate-suport-up-date-321i.eu3.biz
activate-suport-up-date-i754.eu3.biz
adms-suport-up-datex8323.eu3.biz
i131dere-up-date.eu3.biz
jan-6543-up-date.eu3.biz

# Reference: https://twitter.com/JVPv5sIM3eFmGyi/status/1526803388381671424
# Reference: https://www.virustotal.com/gui/file/9e1cce595cf9f9bdb1357f9cce5bfc4807b61e2b5090b2b4bec0c313cdce7c8a/detection

ajoa.org/home/error/tmp/favicon.dotm
ajoa.org/home/error/error.php
ajoa.org/home/error/tmp/VV.tmp

# Reference: https://twitter.com/h2jazi/status/1539261879188586499
# Reference: https://www.virustotal.com/gui/file/552eb01204857771d3faef4caff34062bab0948ca42e5c35d4927cfb5b6d6ec2/detection

687964.c1.biz
968796.c1.biz

# Reference: https://twitter.com/cyber__sloth/status/1556400096916525057

newspeers.com/000/yun/cow.php

# Reference: https://twitter.com/ShadowChasing1/status/1568064494982823937
# Reference: https://www.virustotal.com/gui/file/eecb6e8990b825d7ea65320e7370484ac7a774f6bb4880b1e111355c605728cb/detection

rq7592.c1.biz

# Reference: https://twitter.com/Jup1a/status/1572540021642756099

3756298.c1.biz

# Reference: https://twitter.com/ShadowChasing1/status/1574770857540718593
# Reference: https://www.virustotal.com/gui/file/bf7a8d81315953cada61abcc34ea9241d07f2d44c1e445deb3f74f7fd842879e/detection

word2022.c1.biz

# Reference: https://www.virustotal.com/gui/file/593811e53cfa8aa655fc5bbf5e27c76e372e7d715b5b4e0e3f36f947d66a70f6/detection

http://92.38.160.152

# Reference: https://twitter.com/Jup1a/status/1586972570284617729

h987ft.c1.biz

# Reference: https://twitter.com/ginkgo_g/status/1600083325783527424
# Reference: https://www.virustotal.com/gui/file/9e916c4f58334aafcb033705e7fac6a217d8e2da131c8c1fd904edda7d026226/detection

4895750.c1.biz
5645780.c1.biz
k22012.c1.biz

# Reference: https://twitter.com/fr0s7_/status/1643647539860652033
# Reference: https://twitter.com/ShadowChasing1/status/1646805910491369472
# Reference: https://app.any.run/tasks/d85e27b4-52a8-45b9-bf03-5f4de19c468b/

centhosting.net
drive001.com
naver.drive001.com

# Reference: https://twitter.com/josh_penny/status/1647334687159775233
# Reference: https://twitter.com/josh_penny/status/1647343968785424384

downfiles.org
filedowns.net
files001.com
naver.downfiles.org
naver.files001.com
naver.filedowns.net

# Reference: https://twitter.com/StopMalvertisin/status/1661031694055665664
# Reference: https://www.virustotal.com/gui/file/b97e12807dcde2a8fd53d7f8e74336442d0cf8dbed19c0a44fcef359160bdd77/detection

gg1593.c1.biz

# Reference: https://twitter.com/StopMalvertisin/status/1664897645037625349
# Reference: https://www.virustotal.com/gui/file/ff66730462c98776fb8611ff3a1e909200abe657d864b9a744489e66155fef0d/detection

drvcast.com
naver.down001.com

# Reference: https://twitter.com/ShadowChasing1/status/1679504352736845824
# Reference: https://twitter.com/Jane_0sint/status/1679869903652765696
# Reference: https://www.virustotal.com/gui/ip-address/88.119.169.8/relations
# Reference: https://app.any.run/tasks/b9c826de-d80a-4445-9c41-909c138917ac/
# Reference: https://www.virustotal.com/gui/file/9d6dcf8370dae9902df5493a127446b3fe4cdf73e688726f8a7d4ef394812e90/detection

cachecast001.com
elinline.com

# Reference: https://twitter.com/StopMalvertisin/status/1680839012712611840
# Reference: https://www.virustotal.com/gui/file/1990263f41702ce40a3de5081f9b35f7bf85136e8b90b5f171ad6c1f3966ffa7/detection

headsity.com

# Reference: https://twitter.com/fr0s7_/status/1696811738761445626
# Reference: https://twitter.com/StopMalvertisin/status/1696865211318403173
# Reference: https://www.virustotal.com/gui/file/bb08e2d0ec978cceef8804657a5d5ed9dd57ea787f333c2ad361d410f6bf44d8/detection
# Reference: https://www.virustotal.com/gui/file/afc742412c9071d0a989aaa94dbf439882c1ebc19b095588989489006ecbe7df/detection

anrun.kr

# Reference: https://twitter.com/lightC07379408/status/1697077350595461324
# Reference: https://twitter.com/ginkgo_g/status/1697145272785322232
# Reference: https://www.virustotal.com/gui/file/778e46f8f3641a92d34da68dffc168fdc936841c5ad3d8b44da62a7b2dfe2ee1/detection

serviceset.net

# Reference: https://twitter.com/fr0s7_/status/1697506531724419277
# Reference: https://www.virustotal.com/gui/ip-address/88.119.169.96/relations
# Reference: https://www.virustotal.com/gui/file/e63082cf4db94f06d583a6313e48353366b44ce07b7ffceacc5bc4db88bd8810/detection

ttzcloud.com

# Reference: https://twitter.com/watx_6833/status/1699602315685376116
# Reference: https://www.virustotal.com/gui/ip-address/198.187.31.163/relations
# Reference: https://www.virustotal.com/gui/file/21559a1de48120143d6c9f7b5b622d17a203ad7eb5328974c026e1cae8bf26ad/detection
# Reference: https://www.virustotal.com/gui/file/9fd5094447ff48e7ec032ced663717c99a164a5e8f4222d8f9cc708e24d3bc4d/detection

chainilnk.site
getcode-friend.site

# Reference: https://twitter.com/Des00464472/status/1702278352323989867
# Reference: https://www.virustotal.com/gui/file/d0068a7c62bafd0078829a0597fa5cca1637b28f7273ffc18f79504a9714f445/detection

e9f0dkd.c1.biz
ske9dhn.c1.biz

# Reference: https://twitter.com/DCSO_CyTec/status/1714246570760163672
# Reference: https://github.com/DCSO/Blog_CyTec/blob/main/2023_10__spravik_backdoor/spravik_backdoor_c2.txt

0c3qyu.c1.biz
53qb7q.c1.biz
5l0lw0.c1.biz
6wq8ci.c1.biz
a8ng1x.c1.biz
afrcoh.c1.biz
hsjzzf.c1.biz
j5p841.c1.biz
m6d8s5.c1.biz
nn2s21.c1.biz
olhugh.c1.biz
p1hkta.c1.biz
psr76y.c1.biz
rcox0j.c1.biz
rvnrjj.c1.biz
s3erh6.c1.biz
skjq5w.c1.biz
sqp811.c1.biz
ykcchu.c1.biz
z7ibqa.c1.biz

# Reference: https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
# Reference: https://otx.alienvault.com/pulse/655c6eaa8ef60c5fccee9ff6

3897lb.c1.biz
3pl0y5.c1.biz
558ga9.c1.biz
6e2nbc.c1.biz
7qnbae.c1.biz
9b31n8.c1.biz
aocsff.c1.biz
b91stf.c1.biz
bg5pl1.c1.biz
caoy9n.c1.biz
dpgbep.c1.biz
ewqqa4.c1.biz
glws5m.c1.biz
kmdqj1.c1.biz
m2jymd.c1.biz
ouvxu2.c1.biz
pm90p1.c1.biz
pxyunf.c1.biz
rziju6.c1.biz
vqt9i1.c1.biz

# Reference: https://twitter.com/greglesnewich/status/1729268138804646358

fd98hs4.c1.biz

# Reference: https://asec.ahnlab.com/ko/59625/

gjdow.atwebpages.com

# Reference: https://twitter.com/lightC07379408/status/1732600913469292944
# Reference: https://www.virustotal.com/gui/file/4f6398451c95cfc39995794f20e8fdd8aa7f910fea73f977516b4482dbbf36cf/detection
# Reference: https://www.virustotal.com/gui/file/f4597f0c55c37e6c371d57c85c9f11b1c72a2c22acc3e08241bde3fc3b5395ca/detection

shaira1885.com/wp-admin/includes/class-wp-release-data.php

# Reference: https://twitter.com/lazarusholic/status/1736725544539238596
# Reference: https://mp.weixin.qq.com/s/bdAb1Bbgtd3amuziu2_Tsw
# Reference: https://www.virustotal.com/gui/file/ec8d50b7cfd7c2b95e9ebdddc13ea38d59fbacfc463577937ab931ca275b3907/detection

bgfile.com
cldservice.net
downwarding.com
drives001.com
file.drives001.com

# Reference: https://twitter.com/malwrhunterteam/status/1724552369839505452
# Reference: https://twitter.com/lightC07379408/status/1740547181566960054
# Reference: https://www.virustotal.com/gui/file/da79eea1198a1a10e2ffd50fd949521632d8f252fb1aadb57a45218482b9fd89/detection
# Reference: https://www.virustotal.com/gui/file/fd47c8418d9f8ed39f2f746042c982ac53a788cace370ae8906aecc8c228deeb/detection

niscarea.com

# Reference: https://twitter.com/lightC07379408/status/1735129637507006522
# Reference: https://www.virustotal.com/gui/ip-address/5.255.127.177/relations
# Reference: https://www.virustotal.com/gui/file/fbdc74e4a2733561fa077873a008e9aba4cf1415af1c6aaea2d8cb3ab435ddad/detection

aufildeseaux.com/wp-admin/includes/main/read/get.php
ddsdata.net
skeanserver.com

# Reference: https://twitter.com/lazarusholic/status/1742886154909983048
# Reference: https://wezard4u.tistory.com/6699
# Reference: https://www.virustotal.com/gui/ip-address/84.32.131.104/relations
# Reference: https://www.virustotal.com/gui/file/5c6f205437132821e4c79ab723ec6dc045a9b9e0a7f81c41be2ecc26dd01669a/detection
# Reference: https://www.virustotal.com/gui/file/4dcad5842255051edd5c39212092569c906ad420ab1fc2cfa4a5cc9db9339f0c/detection
# Reference: https://www.virustotal.com/gui/file/44365e0bcd77f1721d061dc03dd3c1728ad36671ad294ec7b2cf088b1bbefd23/detection
# Reference: https://www.virustotal.com/gui/file/28d8b150f499e0cd83f293c1f2f2bfc9248c94aa9115f24f94e825c384b5f526/detection

documentoffice.club
app.documentoffice.club
/salt_view_doc_words
/salt_view_doc_words?user=

# Reference: https://twitter.com/asdasd13asbz/status/1755106180924612781
# Reference: https://medium.com/@DCSO_CyTec/to-russia-with-love-assessing-a-konni-backdoored-suspected-russian-consular-software-installer-ce618ea4b8f3
# Reference: https://www.virustotal.com/gui/file/58bcd90f6f04c005c892267a3dfe91d1154d064482b07715ad5802f57c1ea32d/detection
# Reference: https://www.virustotal.com/gui/file/9339eaf1d77bb0324e393a08a6180fe0658761fc0cd20ba25081963286dfb9c7/detection
# Reference: https://www.virustotal.com/gui/file/b60dc12833110098f5eec9a51749d227db7a12d4e91a100a4fd8815695f1093f/detection

24ev0apa.scienceontheweb.net
3cym4ims.medianewsonline.com
5s6bqbea.sportsontheweb.net
694qf6w8.scienceontheweb.net
88zr7cua.atwebpages.com
99695njd.myartsonline.com
c6cdg4su.sportsontheweb.net
cor8xcib.getenjoyment.net
g66nzt8q.mygamesonline.org
j1p75639.medianewsonline.com
jbkza9h7.atwebpages.com
mbfasq54.mypressonline.com
mhhnv7s9.myartsonline.com
p593d8g9.mygamesonline.org
p8tebfel.getenjoyment.net
t8nptw2h.mywebcommunity.org
tl2j38w9.mypressonline.com
victory-2020.atwebpages.com
victory-2024.mywebcommunity.org
w9uzs9la.mywebcommunity.org
zcvbm1zv.onlinewebshop.net
zomfaa9a.onlinewebshop.net

# Reference: https://twitter.com/asdasd13asbz/status/1761984854621855880
# Reference: https://www.virustotal.com/gui/ip-address/67.211.213.224/relations
# Reference: https://www.virustotal.com/gui/file/552f88c88112956a0c8c5ba26a7e1915b016124dd4ffcfe8e44311c7b406a01f/detection
# Reference: https://www.virustotal.com/gui/file/b472002c9e0d79c50d5e4018c98da26c3039e72f6223cb026d96539a8562f014/detection
# Reference: https://www.virustotal.com/gui/file/57d6577614d98b7af1c11fb457dd55b797ede00430b3e3c7558b2c748c6aea2b/detection

molklib.online
ranujos.online
wimcwpo.online

# Reference: https://twitter.com/bestriv2/status/1762024898636181611

thictu.sportsontheweb.net

# Reference: https://twitter.com/ShadowChasing1/status/1765701435298328580
# Reference: https://www.virustotal.com/gui/file/27cd090cf83877750416d37dc6ddd8ff319b4854414e4275d67f96652376bcf0/detection

goosess.com
stuckss.com

# Reference: https://twitter.com/JangPr0/status/1768177619206656258
# Reference: https://www.virustotal.com/gui/file/88b901dc2d5df59f54f02b248c24a4426796ded81ff06cd309d4c54c94a13df9/detection

oryzanine.com
settlores.com

# Reference: https://twitter.com/lazarusholic/status/1772979429360472334
# Reference: https://zhuanlan.zhihu.com/p/689051421

nasions.com
settlors.com
shakuss.com

# Reference: https://twitter.com/lazarusholic/status/1787822253687878125
# Reference: https://wezard4u.tistory.com/6806

jethropc.com/wp-admin/css/temp/hurry/

# Reference: https://x.com/byrne_emmy12099/status/1809488333573353981
# Reference: https://x.com/JangPr0/status/1879752596090708351
# Reference: https://x.com/byrne_emmy12099/status/1879796001499947125
# Reference: https://www.virustotal.com/gui/file/7887cea2962c954ccb60d005da03abcf68962517d1b3e3d2a472f5d952a03f8e/detection
# Reference: https://www.virustotal.com/gui/file/d0544a045aae0e316380b57a7319ec54f7f0979a7882f33a15839311c7e29888/detection

executivedaytona.com/wp-admin/js/widgets/hurryup/
meditationsecretsforwomen.com/wp-admin/js/widgets/hurryup/
osbrankoradicevickm.com/wp-admin/js/widgets/hurryup/
/wp-admin/js/widgets/hurryup/

# Reference: https://x.com/JangPr0/status/1797420016478113874
# Reference: https://www.virustotal.com/gui/file/0329bb5b3a450b0a8f148a57e045bf6ed40eb49a62e026bd71b021a2efc40aed/detection
# Reference: https://www.virustotal.com/gui/file/5ea09247ad85915a8d1066d1825061cc8348e14c4e060e1eba840d5e56ab3e4d/detection

phasechangesolutions.com/wp-admin/css/colors/coffee/hurryup/

# Reference: https://x.com/JangPr0/status/1791363964531839342
# Reference: https://www.virustotal.com/gui/file/20a9f78a9aabdb464766160a21fd46504682f00f7a7ac147e59d6672c907cb5a/detection

statusf.com

# Reference: https://x.com/JangPr0/status/1800408976187871646
# Reference: https://www.virustotal.com/gui/ip-address/176.97.64.174/relations
# Reference: https://www.virustotal.com/gui/file/6d901221cb5162c190cce720726889ccb1f8435f5d71fb05614672497425e931/detection
# Reference: https://www.virustotal.com/gui/file/183fb85fc915017104cd473f8f3ad515a54603e38fd4463214adcbf84b421183/detection

radionaranjalstereo.com
samariums.com
scolites.com
shrecs.com
shroggs.com
shutss.com
sibbss.com
stvse.com

# Reference: https://www.virustotal.com/gui/ip-address/5.255.97.53/relations

scbsu.com
seduceres.com
sergsa.com
sessas.com
spherals.com
staurion.com
storkse.com

# Reference: https://x.com/OpenSecCopilot/status/1809074836175511797
# Reference: https://secai.ai/share?threadId=03f44b0812e6417080e7a9778bc06f0c
# Reference: https://www.virustotal.com/gui/file/0082bee15f4e09b58d05ea45d2627c4a5798336b21592630e668f11fc657538c/detection

ka174f.scienceontheweb.net

# Reference: https://x.com/byrne_emmy12099/status/1811743051079127324
# Reference: https://www.virustotal.com/gui/file/078b09edbdff0f13ddcc0a5049960306d5b9d42e82dd6a48ccc2604db4e92c72/detection

samosol.com/wp-admin/css/colors/hurryup/

# Reference: https://x.com/byrne_emmy12099/status/1813909282263605358
# Reference: https://www.virustotal.com/gui/file/f24737934ccceff333b3db464ffc159e439927f5e010fd22fc005752c1f49d66/detection

thevintagegarage.com/plugins/content/src/inc/get.php

# Reference: https://x.com/cyberwar_15/status/1818444275593388274
# Reference: https://www.virustotal.com/gui/file/0aaec376904434197bae4f1a10ecfe8d4564d95fdfa8236ea960535710661c5f/detection
# Reference: https://www.virustotal.com/gui/file/ba59f1ece68fa051400fd46467b0dc0a5294b8644c107646e75d225a45fff015/detection

cammirando.com/wp-admin/css/temp/movement/
cavasa.com.co/webpyp/wp-includes/images/crystal/hurryup/

# Reference: https://x.com/OpenSecCopilot/status/1822822028174557299
# Reference: https://search.censys.io/hosts/185.231.154.22

185.231.154.22:3389

# Reference: https://x.com/byrne_emmy12099/status/1826314855055565174
# Reference: https://www.virustotal.com/gui/file/3a37c34e5b677b4388176fdcb41ce5c8971f6dc82116adc99309ca744c58ba66/detection

http://2.58.56.124

# Reference: https://x.com/ginkgo_g/status/1847207560237215841
# Reference: https://www.virustotal.com/gui/file/a7664de4aa6ce85c1461cf323c9e128824b1361f591b9149b9a54f89442767db/detection
# Reference: https://www.virustotal.com/gui/file/edda7b0e2b076c08b50f51164d910591e972e9e282fd9786cef8c35a4f53f53f/detection

9z0ld8.mypressonline.com
m1gm0j.onlinewebshop.net

# Reference: https://x.com/byrne_emmy12099/status/1870277742056657321
# Reference: https://x.com/DaveLikesMalwre/status/1870227186088558935
# Reference: https://www.virustotal.com/gui/file/c94e58f134c26c3dc25f69e4da81d75cbf4b4235bcfb40b17754da5fe07aad0a/detection
# Reference: https://www.virustotal.com/gui/file/3172eb8283a3e82384e006458265b60001ba68c7982fda1b81053705496a999c/detection

64.227.161.158:22
64.227.161.158:8080
hradvanceportal.com
vdch79w0-8000.inc1.devtunnels.ms
up1035rwa5zk.prodemadoutorado.org
youfirst.hradvanceportal.com

# Reference: https://x.com/SecAI_AI/status/1872122260913623446
# Reference: https://i.secai.ai/research/f3jtm7ns-80.inc1.devtunnels.ms

f3jtm7ns-80.inc1.devtunnels.ms

# Reference: https://x.com/0xmh1/status/1887055475814146301
# Reference: https://www.virustotal.com/gui/ip-address/23.137.249.245/relations
# Reference: https://app.validin.com/detail?find=ssdru.info&type=dom&ref_id=91ca5d5c81e#tab=host_pairs (# 2025-02-05)
# Reference: https://app.validin.com/detail?find=0b0f09b9589645525df48d3407247d755e4cf0b3&type=hash&ref_id=f71e8dfcd82#tab=host_pairs
# Reference: https://www.virustotal.com/gui/file/25be3f75c52413ab6fc9739f3551d99d77bd9d117dd65b6b075be72b2cca9c9d/detection

http://23.137.248.183
ampgacorbegete.com
angelspizza.site
appdev.asia
asdjitu.online
asdjitu.xyz
beo138-rtp.xyz
ertepe.best
fooddeliveryph.site
rajawin.online
ssdru.info
strows.info
supertragics.com

# Reference: https://x.com/SecAI_AI/status/1889293166869922252
# Reference: https://www.virustotal.com/gui/file/060f2208be86e098bc6da0b46a4eb437142b26915e1cc756e36c379ba8edd33e/detection

forum.flasholr-app.com/wp-admin/src/list.php
forum.flasholr-app.com/wp-admin/src/upload.php
marymount.pixelflyte.com/wp-admin/js/src/list.php
marymount.pixelflyte.com/wp-admin/js/src/upload.php

# Reference: https://x.com/byrne_emmy12099/status/1894052101170315770

katekasoft.com/wp-admin/js/widgets/hurryup/

# Reference: https://x.com/byrne_emmy12099/status/1895380496722600292
# Reference: https://www.virustotal.com/gui/file/2dcb83b80eef4018e85d56c2e19fd176b2a77042239d730aac055fc74a6aaba9/detection

teamfuels.com/modules/inc/get.php

# Reference: https://x.com/suyog41/status/1895422655001694713
# Reference: https://www.virustotal.com/gui/file/b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543/detection

roofcolor.com/wp-includes/js/src/list.php
roofcolor.com/wp-includes/js/src/upload.php

# Reference: https://x.com/malwrhunterteam/status/1899506528719175704
# Reference: https://www.virustotal.com/gui/file/fe5f15b15020ca286b79061578b3a0f85607500ce64ce27e4f77bcb06c0f697f/detection
# Reference: https://www.virustotal.com/gui/file/7047878f4fbea323148f6554afe616991eb56cc327653972c4213a9017c5e66b/detection
# Reference: https://www.virustotal.com/gui/file/0117b5dc4a8d3f40d81ab7e531ffcfa7983ceabd3a45f0fd0df94131766a22d4/detection

noreplymail.space

# Reference: https://x.com/byrne_emmy12099/status/1899693460887888055

nailemkosmetik.de/wp-admin/js/widgets/hurryup/
topledgrowlights.malapascuaisland.com/wp-admin/js/widgets/hurryup/
trendhapp.com/wp-admin/js/widgets/hurryup/

# Reference: https://x.com/SecAI_AI/status/1900156272638619968

joepezzulo.com/wp-admin/js/inc/
joepezzulo.com/wp-admin/js/inc/get.php

# Reference: https://x.com/ShanHolo/status/1901213759621706184
# Reference: https://tria.ge/250206-wttnxstreq
# Reference: https://www.virustotal.com/gui/file/25be3f75c52413ab6fc9739f3551d99d77bd9d117dd65b6b075be72b2cca9c9d/detection

support.aeondg.com/include/read/get.php

# Reference: https://x.com/0xmh1/status/1904097297958596662
# Reference: https://x.com/byrne_emmy12099/status/1910281714678530171
# Reference: https://x.com/byrne_emmy12099/status/1910302447136059562
# Reference: https://x.com/byrne_emmy12099/status/1910608788681613409
# Reference: https://www.virustotal.com/gui/file/0c0c6af0f5d8a8e9478fcfe472cc8d02ee71a4cc93cb89655140e3f4b5b57059/detection
# Reference: https://www.virustotal.com/gui/file/0505ee144d9445a0f50d577352b694e1d762bd6c34897c5100d8d0f7d6332729/detection
# Reference: https://www.virustotal.com/gui/file/2138f0837da8bb930cb15c7b587ff5a43e20708ec214963b66ba06322969ba39/detection

64.20.59.148:6688
64.20.59.148:6699
64.20.59.148:8855

# Reference: https://x.com/ThreatBookLabs/status/1907807048617619881

techtorev.com/wp-admin/js/widgets/hurryup/

# Reference: https://www.genians.co.kr/blog/threat_intelligence/konni_disguise
# Reference: https://www.virustotal.com/gui/file/8597d5efc09e4f9912448995ed2360dcbb378590cb535790111c226019e1ae9b/detection

aabbe.shop/wp-admin/js/widgets/town/

# Reference: https://x.com/adqewrsf/status/1910574921803325841
# Reference: https://www.virustotal.com/gui/file/401f5a93a9496262fc83ea4cf557e4e9c15e4d2befacf475beba897986752d88/detection

ausbildungsbuddy.de/modules/mod_mail/inc/get.php
ausbildungsbuddy.de/modules/mod_mail/inc/list.php
ausbildungsbuddy.de/modules/mod_mail/inc/upload.php

# Reference: https://x.com/skocherhan/status/1920395822086189559
# Reference: https://www.virustotal.com/gui/file/7d997e913766c9b9d163405ce4572bae462020982f1243f9107597d73d565101/detection

213.145.86.223:9005
64.20.59.148:7711
64.20.59.148:9966

# Reference: https://x.com/skocherhan/status/1926197987702648842
# Reference: https://www.virustotal.com/gui/file/95fc3891ce910f34080d4781bc7641be323ba6b761ec48ef50ab2f0b74f5a5b7/detection
# Reference: https://www.virustotal.com/gui/file/acaea1e59f796e3d48e356650221f14389dcc4a278f1bc977116c4aa5d0eb049/detection

174.138.186.157:5511
174.138.186.157:7788
174.138.186.157:9558

# Reference: https://x.com/blackorbird/status/1930609428002492417

fra-works.com/wp-includes/js/src/get.php
fra-works.com/wp-includes/js/src/list.php
fra-works.com/wp-includes/js/src/upload.php
fupo.org/wp-includes/js/src/get.php
fupo.org/wp-includes/js/src/list.php
fupo.org/wp-includes/js/src/upload.php

# Reference: https://x.com/ThreatBookLabs/status/1950708064346403126
# Reference: https://www.virustotal.com/gui/file/8d9d5a21d75e14410cc30e15176ecae45d17221c654ccdb94d99d131c14de6e9/detection

mrtech-solutions.com/dashboard/storage/app/inc/get.php
mrtech-solutions.com/dashboard/storage/app/src/list.php
mrtech-solutions.com/dashboard/storage/app/src/upload.php

# Reference: https://x.com/ThreatBookLabs/status/1961263021361435000

ideal-bau.de/wp-admin/js/widgets/hurryup/
sanjivanihospitalpune.com/wp-admin/js/widgets/hurryup/

# APK
# Note: https://blog.alyac.co.kr/3390 (Korean)

/BithumbProtect_v1.0.5.apk
/CapMarket.apk
/DaumProtect.apk
/NaverProtect.apk
/QKSMS.apk
/json.apk
/refund.apk
