# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Network indicators grouped under the "# Reference:" links that reported them;
# the linked write-ups that name a family refer to the Lampion trojan.
# Entries take four forms: "http://<IPv4>", "<IPv4>:<port>", bare hostnames,
# and host-independent URL paths (leading "/"). How each form is matched is
# defined by the consuming tool's parser, which is not shown in this file.
# NOTE(review): the reference links are the only provenance recorded here; no
# first-seen/last-seen dates are kept, so re-validate address-based entries
# before using them for blocking rather than alerting.

# Reference: https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/

http://100.26.189.49
http://18.219.52.4

# Reference: https://twitter.com/sirpedrotavares/status/1216016629835948032

http://18.217.136.142

# Reference: https://twitter.com/sirpedrotavares/status/1227957576047955971

http://13.59.112.88

# Reference: https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/
# Each entry in this group is one S3 bucket's virtual-hosted-style hostname
# (<bucket>.s3.us-east-2.amazonaws.com); the shared parent domain is not listed,
# so a hit identifies a specific bucket rather than S3 traffic in general.
# NOTE(review): a deleted bucket name can later be claimed by an unrelated
# account; confirm what the bucket serves before treating a hit as conclusive.

fucktheworld.s3.us-east-2.amazonaws.com
nothingcanstopus.s3.us-east-2.amazonaws.com
oiurx14x.s3.us-east-2.amazonaws.com
sdghsuidhoidoghsdc19c.s3.us-east-2.amazonaws.com
sdgsdbfabsfuhoiuhfosdpnfsdbc13c.s3.us-east-2.amazonaws.com
vrau-x.s3.us-east-2.amazonaws.com

# Reference: https://twitter.com/sirpedrotavares/status/1259980592009134082
# Reference: https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/

http://108.61.181.207

# Reference: https://www.joesandbox.com/analysis/211091/0/html
# Reference: https://www.virustotal.com/gui/file/f22f98a298133bc0498914ef99531ffa327e613886f311d5170dac93a0de617b/detection
# Reference: https://www.virustotal.com/gui/file/f43316cb743dee5a90bc351c6b8b702390b9f6fad94caf2af858c01b9f05c85e/detection

http://185.219.135.119
http://185.219.135.252

# Reference: https://securityaffairs.co/wordpress/105634/malware/new-release-lampion-trojan.html
# The only entry in this file written as <IPv4>:<port>, with no scheme.

5.188.9.28:9171

# Reference: https://twitter.com/pollo290987/status/1565249453468143618

aculpaedopt.s3.us-east-2.amazonaws.com

# Reference: https://twitter.com/noexceptcpp/status/1615832526466990080
# Reference: https://twitter.com/tosscoinwitcher/status/1615852040621813766
# Reference: https://tria.ge/230118-256qhsha8w/behavioral1
# NOTE(review): anydeskkapdo.info and wwwwanydesky.com embed the AnyDesk
# product name - presumably look-alike lure domains; confirm in the references.

http://5.199.162.122
anydeskkapdo.info
casadosoftware.net
wwwwanydesky.com

# Reference: https://twitter.com/DonPasci/status/1635306470811238400
# Reference: https://twitter.com/DonPasci/status/1635308925762543616
# Reference: https://tria.ge/230313-ssrw6ada5t/behavioral2
# Reference: https://www.joesandbox.com/analysis/825605?idtype=analysisid#iocs
# Reference: https://www.virustotal.com/gui/file/25884495d9c27c8b120bfab40bd28b7f5255b4916c54c7fb74a90dd8000bf44e/detection
# Reference: https://www.virustotal.com/gui/file/fbcc321f10e8ed9fbda3e9d9ce6cc03ad1fa3c83578a2b22ec7f6fd853412750/detection
# Reference: https://www.virustotal.com/gui/file/cb6901ccc6c51ab46b327eb44c5dc7cc597e38c89a7584177e58d5d0f26fe45f/detection
# The two "/contaN/vem.php" entries are path-only: they name no host, so they
# are not tied to the address or domains listed beside them.
# NOTE(review): presumably observed on the hosts in this group - verify against
# the references before relying on the path alone.

http://103.117.141.91
anydeskremote.shop
downloadanydesk.info
/conta1/vem.php
/conta2/vem.php

# Reference: https://x.com/lontze7/status/1798242969579057536
# Reference: https://www.virustotal.com/gui/file/0a88eb89cc1c01986d06fceaf26a8a681e91d27737046194222aa71bb051cbe6/detection
# Most hostnames in this group are subdomains of dynamic-DNS services
# (ddns.net, gotdns.ch, sytes.net, servehttp.com); only the specific subdomains
# are listed, never the provider's parent domain. The address behind such a
# name can be repointed at any time, so detections should key on the hostname
# rather than on an IP it resolved to at some point.

http://103.117.141.64
app.massgra.online
ativar.gotdns.ch
chwinupdatewin22.ddns.net
gomesnetgingsm45.ddns.net
key-office.ddns.net
masgraves.ddns.net
massgra.site
massgravess.ddns.net
mywinappup08.ddns.net
offikey.ddns.net
servidorwhm.shop
update-pdfadobe202419.sytes.net
windoactveeendsdki.servehttp.com

# Generic
# Host-independent URL paths; no reference link is recorded for this group.
# NOTE(review): /PT/painel.php and /PT/painelADM.php are short, ordinary
# Portuguese names ("painel" = panel) that could plausibly exist on unrelated
# sites; corroborate a hit with the host or another indicator before escalating.

/PediuPraPostarPostou.php
/PostaEstaBosta.php
/PostaEstaMerda.php
/PostaEstaPorra.php
/VaiPostaProPai.php
/PT/painel.php
/PT/painelADM.php
