# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: blackwidow, lactrodectus, unidentified111

# Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111
# Reference: https://threatfox.abuse.ch/browse/tag/Latrodectus/

146.19.143.113:443
151.236.9.226:443
185.106.102.82:443
185.123.53.150:443
185.123.53.208:443
185.36.143.155:443
185.99.133.228:443
185.99.133.77:443
193.168.141.104:443
193.168.141.27:443
193.168.143.133:443
194.110.247.73:443
213.232.235.220:443
45.129.199.163:443
45.129.199.165:443
45.129.199.23:443
45.155.120.130:443
45.155.121.157:443
45.155.121.203:443
45.59.118.118:443
5.101.44.49:443
5.181.202.164:443
5.230.41.133:443
5.230.42.207:443
5.230.68.180:443
5.230.74.51:443
5.231.0.38:443
5.231.1.213:443
5.255.113.34:443
5.255.113.36:443
5.255.116.158:443
5.255.126.243:443
85.239.34.138:443
85.239.34.69:443
91.235.234.194:443
antyparkov.site
saicetyapy.space
stratimasesstr.com
winarkamaps.com

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2024-02-13%20Latrodectus%20IOCs

45.140.146.156:445

# Reference: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_11.03.2024.txt

drifajizo.fun
durete.org
ginzbargatey.tech
minndarespo.icu
popfealt.one
qyjifia.org
scifimond.com

# Reference: https://www.virustotal.com/gui/ip-address/193.106.174.218/relations
# Reference: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_22.03.2024.txt

advancedtherapyservice.com
agaishop.org
bezizeo9.org
cabobao3.org
cajameu.org
carstop01.org
cemiwyi7.org
cuxu.org
defifya.org
deqytuu9.org
divajoa.org
drenlick.org
duwacua.org
dydxl.org
esitlow.org
etherfi.club
fazadoe.org
femuseu.org
fokeqi.org
fuwer.org
ganstaeraop.shop
gejyg.org
gihibml.org
gilasau.org
globalwam.org
gmsmwil.org
gotuqoa.org
grunzalom.fun
gyjyhyo8.org
hejoweo.org
hesekiu8.org
hofaty.org
hoqociy.org
horaot.org
hycoworldwide.info
intellipowerinc.com
jesebyy.org
jiwypiy9.org
junat.org
kaqan.org
kasnackamarch.info
lacejuy.org
lajuqao.org
lecexuo1.org
lmfpbpm.org
lufyfeo.org
lugotye1.org
luhuhu.org
lykireo.org
lyzupoy.org
malew.org
mapamui0.org
maramaravilha.com
marypopkinz.com
melon-type.org
mihalee.org
mimerou.org
mmtixmm.org
moxiroo.org
mypusau.org
nefolai.org
nevujo.org
niceburlat.me
niryjee1.org
nurunia.org
pabybiy6.org
pegumay.org
pisuxy.org
poxof.org
ppmpqii.org
pubmass.info
pubonao.org
pucak.org
pydypu.org
pykuhae.org
qazoryy.org
qehykyo.org
qeqady.org
qoroh.org
quwezui.org
qykusee.org
riwesi.org
roofsting.org
sabehey.org
sibunyu.org
simanay.org
sokingscrosshotel.com
somajea.org
sudukio5.org
sumorio6.org
sumuta.org
suzabyu.org
sytukoe8.org
tapyjya.org
ticava.org
tipenuu.org
tirymui5.org
titnovacrion.top
tyjexau.org
tyxoxoy.org
u41sal.org
vajosoo.org
venilios.org
vizewye.org
vlbmqpm.org
vopytei.org
vpdpkli.org
wabycui5.org
web3rse.com
wireoneinternet.info
wpmlvii.org
wygupua.org
xacygo.org
xirygiy.org
xmgpsmi.org
xufybyo.org
xuhyjoe5.org
zefecaa6.org
zefos.org
zehowyy.org
zixirml.org
zuwagie6.org

# Reference: https://twitter.com/1ZRR4H/status/1772973076172460383
# Reference: https://www.virustotal.com/gui/ip-address/84.32.84.32/relations

skinnyjeanso.com

# Reference: https://twitter.com/IronNetTR/status/1776321136751485019

http://45.140.146.156
http://45.95.11.134
45.140.146.156:445
45.95.11.134:445

# Reference: https://twitter.com/karol_paciorek/status/1780582512596566337

http://45.95.11.217
45.95.11.217:445

# Reference: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_25.04.2024.txt

http://45.95.11.217
188.40.202.44:20000
grizmotras.com
pewwhranet.com
wrankaget.site

# Reference: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_26.04.2024.txt
# Reference: https://www.virustotal.com/gui/file/4cf2b612939359977df51a32d2f63e2cb0c6c601e114b8e4812bd548d1db85fe/detection
# Reference: https://www.virustotal.com/gui/file/4e7ac0bdb516e983b3cab7f79850d8102d2bf4117bb343b68d0da73780cceb1a/detection

http://146.19.106.236
188.40.201.16:10000
jarinamaers.shop
startmast.shop

# Reference: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_29.04.2024.txt

http://185.219.220.149
144.76.231.240:10000
dimozti1.org

# Reference: https://twitter.com/akaclandestine/status/1786019075077910874
# Reference: https://www.virustotal.com/gui/ip-address/193.106.174.210/relations

1206jeans.com
adaletli.org
adzacrwlv5.org
akalindaslo.org
arrivingback.org
atqawa.org
bagkfao.org
bakrgmb.org
bestfiveweb.com
bewildering.org
blanketed.org
boldenslawncare.com
bwbmmwihost.org
cabalra.org
camera-optic.org
cardetailingshop.org
cataloguing.org
cazathusly.org
chei-krim.cc
classifiedtext.org
cojlbob.org
confabulation.org
coverstill.org
crdektvlab.org
cris-melodian.org
ctzedtlvd.org
danteshpk.com
dbxeqab.org
defllanna.com
discompose.org
drenlournase.com
driver-schedule.uk
e2gm.com
ellwtwlwa.org
entertainmenttron.org
ere-home.org
extranet-admin.com
extranetmanage.com
fagrzra.org
flfmxbm.org
fuligua.org
gazzkkznews.org
gebbcal.org
howsoever.org
hrlsgvir.org
hubswsu.org
hyundaitmvbbla1.org
incmediapress.org
interiourbydennis.com
jafoplt.org
jokso.org
jurofye.org
kimwap.org
korajla.org
kosukeshimura.com
kozmmkk.org
krd6.com
kungplfotao.org
labljas.org
lapaxmm.org
lazadrs.org
letsfpl.com
ljvnzal.org
lldbkar3.org
lvm514.com
malrgtrong.org
martialartshistory.org
mayanui.com
mebumau.org
meta-duocontacts.com
mexicos.in
mlzanrv2ii.org
mmqsrsl.org
mmsmvnm.org
mnsmsla.org
mvcpjotop.org
necrtlr4.org
nlqbgkl5.org
non-cryptographic.org
nppfsptpf0.org
osamcaf.org
paramountdubaihotels.com
paramounthotesldubaiae.com
personalsp.com
psix6pn.top
pytvzix.org
qbra7.com
qogmjlm.org
qsopdo.org
raydiumv.com
raydllumv.com
reauthorize.org
reredrb5.org
sapalb.org
sidipidi-child.org
simplyfitphilly.com
sizeloberslip.org
slock-download-us.org
slrehaa.org
sobopnm.org
soevirg3.org
suitablestandartcomfromdom.org
t77gp.com
tha285.com
tkcovmk.org
tlvanao.org
toryfya.org
tovkrro.org
turbotux-download.org
unanswerable.org
unmarred.org
unobtrusively.org
unpeopled.org
uq4oo4.personalsp.com
user-cancel-request.com
usprivatemoneylender.com
verifypersonal.online
vidiato.net
vnfmnmo.org
vrlanus.org
vyn7.com
wacallo.org
warriortechniques.org
wgf692.com
z5sg.com
zagmwla.org
zaimbel.site
zaplslm5w.org
zoom-usa.org
ztdltmk.org

# Reference: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_09.05.2024.txt

illoskanawer.com
workspacin.cloud

# Reference: https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus
# Reference: https://www.virustotal.com/gui/file/aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c/detection

aytobusesre.com

# Reference: https://x.com/SBousseaden/status/1792896014090682544

altynbe.com
boriz400.com
ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io
uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io

# Reference: https://threatfox.abuse.ch/browse/malware/win.unidentified_111/ (# 2024-06-22)

http://91.194.11.64
104.129.20.167:443
104.129.20.71:443
104.129.20.98:443
104.129.21.231:443
104.129.21.246:443
104.129.21.52:443
104.36.229.104:443
104.36.229.16:443
116.202.14.187:443
146.19.143.134:443
146.19.143.84:443
162.19.135.156:443
176.123.1.221:443
176.124.32.55:443
184.174.96.179:443
185.164.163.79:443
185.73.125.157:443
185.73.125.7:443
185.93.221.101:443
185.93.221.108:443
185.93.221.118:443
190.211.254.153:443
190.211.254.187:443
192.153.57.136:443
192.236.160.230:443
193.168.141.153:443
193.168.141.62:443
193.168.141.64:443
193.168.143.169:443
193.168.143.173:443
193.168.143.17:443
194.26.141.31:443
198.244.224.83:443
213.139.205.137:443
38.114.102.6:443
45.129.199.127:443
45.129.199.246:443
45.86.86.29:443
46.249.58.101:443
5.230.34.68:443
5.230.45.229:443
5.230.54.39:443
5.255.108.187:443
5.255.108.56:443
5.255.113.173:443
5.255.115.172:443
5.255.116.222:443
5.255.117.240:443
5.255.117.46:443
5.255.123.240:443
5.42.221.10:443
64.227.147.74:443
64.7.198.158:443
66.63.188.141:443
66.63.188.21:443
66.63.189.102:443
74.119.193.200:443
77.83.196.180:443
83.147.17.46:443
85.239.33.247:443
85.239.33.54:443
85.239.61.165:443
87.251.67.74:443
87.251.67.95:443
91.149.219.102:443
91.194.11.183:443
91.235.234.121:443
91.235.234.149:443
91.235.234.195:443
91.242.163.63:443
92.249.48.43:443
92.249.48.6:443
94.232.41.106:443
94.232.46.11:443
95.164.68.73:443
anikvan.com
aplihartom.com
drendormedia.com
fasestarkalim.com
frotneels.shop
ganowernis.com
ggrastyal.live
goalcempiz.com
grebiunti.top
jertacco.com
kalopvard.com
kokcheez.website
kokmausrest.online
krestaop.com
lastaflirtely.me
lettecoft.com
loolsena.shop
lustrafeel.com
mastgonzo.com
pirkomagar.com
postolwepok.tech
pumcarcheto.red
qaliharsit.tech
riscoarchez.com
sluitionsbad.tech
trasenanoyr.best
ultroawest.com
wikistarhmania.com
zumkoshapsret.com

# Reference: https://x.com/Threatlabz/status/1804918852528357791
# Reference: https://x.com/1ZRR4H/status/1804959121596158388

http://193.32.177.192
http://85.208.108.63
manclinoste.website
prufkespotr.com
shopboksret.com
tristgodfert.com

# Reference: https://x.com/Threatlabz/status/1805268196989243406

filomeranta.com

# Reference: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-06-25-IOCs-from-Latrodectus-activity.txt

barsman.biz
bibidj.biz
finjuiceer.com
garunt.biz
meakdgahup.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.lactrodectus/ (# 2024-08-11)

103.117.141.168:443
103.117.141.59:443
103.117.141.96:443
104.168.135.67:443
141.94.122.24:443
151.236.9.25:443
166.1.22.133:443
167.114.90.208:443
172.96.137.155:443
176.31.29.67:443
179.43.141.216:443
184.174.96.80:443
185.196.11.114:443
185.196.11.28:443
185.208.158.218:443
185.73.124.47:443
185.81.114.243:443
190.211.254.112:443
190.211.254.176:443
193.138.195.41:443
193.42.36.60:443
213.139.205.162:443
217.195.153.167:443
217.195.153.181:443
217.195.153.204:443
23.227.202.187:443
23.227.203.161:443
23.254.201.238:443
23.254.230.8:443
45.143.166.161:443
45.143.166.190:443
45.143.166.66:443
45.143.166.85:443
45.143.166.95:443
46.105.141.52:443
5.149.248.166:443
5.181.159.53:443
5.255.101.33:443
5.8.47.86:443
51.91.35.153:443
62.106.66.243:443
62.106.66.46:443
84.32.41.225:443
84.32.41.24:443
87.121.61.37:443
87.121.61.48:443
87.251.67.218:443
89.150.57.186:443
91.193.18.185:443
91.242.163.172:443
94.158.244.32:443
94.232.41.95:443
94.232.46.205:443
godfaetret.com
spikeliftall.com

# Reference: https://x.com/vmray/status/1823762654156018020
# Reference: https://www.vmray.com/analyses/_vt/5cecb26a3f33/report/network.html
# Reference: https://www.virustotal.com/gui/file/5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8/detection

agrahusrat.com
minrezviko.com

# Reference: https://hunt.io/blog/latrodectus-malware-masquerades-as-ahnlab-security-software-to-infect-victims

103.144.139.189:443
coolarition.com
stripplasst.com
worlpquano.com

# Reference: https://x.com/karol_paciorek/status/1829447674623410387
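# Reference: https://app.validin.com/detail?find=lokodoko.zip&type=dom&ref_id=4ce06dee5c3#tab=host_pairs_v2
# NOTE(review): the Validin lookup above queries lokodoko.zip as a domain (type=dom), while the entry below is written as a URL path (leading '/'); confirm which form is intended so the trail matches the right traffic.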

/lokodoko.zip

# Reference: https://threatfox.abuse.ch/browse/malware/win.lactrodectus/ (# 2024-09-09)

104.168.165.91:443
179.43.134.189:443
185.196.10.151:443
194.14.208.217:443
213.139.205.246:443
45.143.166.23:443
51.161.207.175:443
87.251.67.228:443
peronikilinfer.com
restoreviner.com

# Reference: https://x.com/k3dg3/status/1834322310557282727
# Reference: https://tria.ge/240912-yvd1zasanm/behavioral1
# Reference: https://www.virustotal.com/gui/file/e7fc51310e3318c7220b4373e81d42357e9e6c073bb87d1a18e88ac81a6b4587/detection
# Reference: https://www.virustotal.com/gui/file/b54fa96edd93e7a1c4def6962829ebff010c3195068ab3d97472fd335cef169b/detection
# Reference: https://www.virustotal.com/gui/file/19e02dd879498330e06612f53d1d2a887aea7548a992eda7336d4ee8dc346cdd/detection
# Reference: https://www.virustotal.com/gui/file/0c281abf4ce958882aad9f7a63b90d9ba8a4d892c51a2b36414d6c002294a081/detection

http://193.203.203.40
isomicrotich.com
rilomenifis.com

# Reference: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_18.09.2024.txt
# Reference: https://www.virustotal.com/gui/file/1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa/detection
# Reference: https://www.virustotal.com/gui/file/5c7a3bd2baa8303354d8098b8d5961f111e467002bb0c6fee120825b32798228/detection

193.124.185.116:8041
193.124.185.117:8041
92.118.112.130:8041
bazarunet.com
greshunka.com
tiguanin.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.latrodectus/ (# 2024-09-24)

klemanzino.net
krinzhodom.com
leroboy.com
mazinom.com

# Reference: https://x.com/albertzsigovits/status/1839037992293503120
# Reference: https://www.joesandbox.com/analysis/1518616#iocs

finilamedima.com
pomaspoteraka.com

# Reference: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_03.10.2024.txt

opewolumeras.com

# Reference: https://www.virustotal.com/gui/file/3b86c9516bd5d57758ab976e32af2d7873d7ad0b0e063a49ee13c168f2c1e980/detection

http://194.54.156.91
185.106.92.54:8041
82.115.223.39:8041
82.115.223.40:8041

# Reference: https://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus

http://188.119.113.152
http://45.14.244.124
eniloramesta.com

# Reference: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_19.11.2024.txt

bestmarsgood.com
cerwintifed.com
reateberam.com

# Reference: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_02.12.2024.txt
# Reference: https://www.virustotal.com/gui/file/658b8c47d7193c7c31a2540b2f54fcdfb9298d8346a4ad3be7e684ef946f57a5/detection

asrcloudonline.sbs
dogirafer.com

# Reference: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_17.12.2024.txt
# Reference: https://www.virustotal.com/gui/file/bfa5a8096421376038689c94a1bdd758b422f4b0fda06dbb3bf373bd30b1086f/detection

cloudlsk.sbs
proliforetka.com
syncme.life
aureonline.cloudlsk.sbs

# Reference: https://x.com/smica83/status/1884533319926259752
# Reference: https://bazaar.abuse.ch/sample/adf05622d174be0d74cf9a19fb33b6c3bc0491dd32b71693487d0f1c36f14388/
# Reference: https://tria.ge/250129-lbwqfstpcz/behavioral1

piloferstaf.com
ypredoninen.com

# Reference: https://x.com/smica83/status/1885323270318117083
# Reference: https://tria.ge/250131-qz8r5syqgr

vivaforevew.com
wersogkiwgow.com

# Reference: https://x.com/malwrhunterteam/status/1887476274852987197
# Reference: https://tria.ge/250206-qxf94syjgr
# Reference: https://www.virustotal.com/gui/file/e6cd0dde6cacb65177d316907059d883933ec7033cd2b913af577fee1f1d07ed/detection

apworsindos.com
reminasolirol.com

# Reference: https://x.com/MsftSecIntel/status/1903174779856883903

forefilarem.com
horetimodual.com

# Reference: https://x.com/malwrhunterteam/status/1910012632007946659
# Reference: https://www.virustotal.com/gui/file/3ebab9121aef087c075e8f79e67473c39331943e650f55dc11da764bf1cd1b23/detection

porelinofigoventa.com
rofleratom.com

# Reference: https://x.com/malwrhunterteam/status/1912430590453825922
# Reference: https://www.virustotal.com/gui/file/aef5c150cfe8154ed290b293e30d552cfb9b40b3552369345c7c2f135b63aac4/detection

architrata.com
carflotyup.com
cesf.live

# Reference: https://x.com/malwrhunterteam/status/1921142763350860149
# Reference: https://www.virustotal.com/gui/file/5f84809a778841f1dc64bc43d6bb1a822d6aa04a3ae65c5f9ad31a7fcb2cbca9/detection

daringdesigners.com
topguningit.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.latrodectus/ (# 2025-05-11)

castpshost.com
digitalflwr.com
dpard.live
formenista.com
fvlc.live
fyyl.live
grazafnulp.com
intellisense.live
lofiramegi.com
p.dpard.live
pikchestop.com
reidenhetic.com
remustarofilac.com
tolefarma.com
trapgnistro.com
trymeakafr.com
tynifinilam.com
ugive.live
umatblog.top
xiolewarentiom.com

# Reference: https://x.com/wbmmfq/status/1928511287874445724

higtwebgenis.com
safewithusres.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.latrodectus/ (# 2025-06-15)

domtrst455.com
dqrdbv.com
pros0512.com
prot12-05.com
valifoprofsto.com
visafropik.com

# Reference: https://x.com/SquiblydooBlog/status/1942538885717975430
# Reference: https://www.virustotal.com/gui/file/b97cd404ceab09bdd92003599566d946cead1d5d5dba528327821fe4f18108ec/detection

aliondrifdions.com
gorahripliys.com

# Reference: https://x.com/vmray/status/1943638986255147103
# Reference: https://www.vmray.com/analyses/Latrodectus-version-2-2-Whenasked/report/network.html
# Reference: https://www.virustotal.com/gui/file/5ec37444f9ead97f89b74b0b0ee6707bd67a61cb1ad1aa7f5ba85613b722cf4a/detection

iondrivinos34.com
rolkdsgwasagt.com

# Reference: https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/

btco.live
byjs.live
decr.live
diab.live
heyues.live
izan.live
lexip.live
mailam.live
mhbr.live
netluc.live
rimz.live
veuwb.live
webbs.live
k.mailam.live
k.veuwb.live
r.netluc.live

# Reference: https://x.com/ShadowOpCode/status/1966144101289701608
# Reference: https://www.virustotal.com/gui/ip-address/178.16.54.218/relations
# Reference: https://app.any.run/tasks/15f308f6-e74b-4258-a66e-b3293a10955e

sigdalokanolkas.com

# Reference: https://x.com/FarghlyMal/status/1971166552054772071
# Reference: https://www.virustotal.com/gui/file/dc25dd8cc1ce53da33777c82b6acfb820ede522e894093386349538e0b58d86c/detection

daestfestifalkrlon.com
mbkes.com

# Reference: https://x.com/1ZRR4H/status/1971300450537222596

adsqwiolkuerkom.com
alfryudabikuta.com
asakusubinitohas.com
basokilometrsdo.com
blaksdioklery.com
darklousdirupas.com
dasrilkosdirosado.com
djkloyfarelbister.com
dlinofinopasster.com
dorevilokpadjghs.com
doskaevriakjoilo.com
fadoklismokley.com
faryshopkleyskipi.com
fikysandroisder.com
ganstopliomalifas.com
gasrobariokley.com
hdflksgreklams.com
jojikloertoys.com
kasldericoname.com
kutakdokliurio.com
kwestgidokudiojek.com
kwjfalvalkloun.com
laghuirtinosdek.com
lalasisifuryglap.com
lilikutliputsdf.com
lounfaslkijsdf.com
signamoykloysd.com
sisadfriolkdle.com
sistoronykastadro.com
