# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/James_inthe_box/status/1099786490144448512

advancedepartametno.com

# Reference: https://twitter.com/James_inthe_box/status/1126809601825918978

instalacionez.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1143875234707181568
# Reference: https://app.any.run/tasks/2ef75909-daa7-45f1-83bc-dfe3ead3ac61/

trabalhoonline.webcindario.com

# Reference: https://twitter.com/SoulRage6/status/1146073224045838337

/nossasrdaga/brume.php

# Reference: https://twitter.com/0bfusCat/status/1155406244062121984

descargasdocx.com

# Reference: https://twitter.com/MisterCh0c/status/1186712875743825920

leavenois.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1235558960314400768
# Reference: https://app.any.run/tasks/6cef1963-4881-4f7f-b877-198cfd7eaf17/

mab2020.duckdns.org
mundonlop.duckdns.org
newtroll-megatron.duckdns.org
pumex-new.duckdns.org

# Reference: https://twitter.com/3rg4f4/status/1270308334743289860

smsinformativo.com

# Reference: https://twitter.com/0bfusCat/status/1181529470475362304
# Reference: https://app.any.run/tasks/f6d7cc92-3215-4103-baeb-eb424016f885/

compraca.000webhostapp.com

# Reference: https://twitter.com/SoulRage6/status/1146073224045838337

http://31.207.35.50

# Reference: https://twitter.com/JAMESWT_MHT/status/1299324645787742208

http://34.95.246.154

# Reference: https://app.any.run/tasks/17349d53-0d4e-4857-90a0-9f5dd68385b2/

st-gerrard-const.com/wp-content/themes/twentyfifteen/
perfectart.com.br/ebos/

# Reference: https://app.any.run/tasks/f869690a-e3d1-43e4-a61f-18d05a948e10/

shortsalepontevedra.com/coun7/

# Reference: https://twitter.com/JAMESWT_MHT/status/1328704334721323009
# Reference: https://app.any.run/tasks/2be10df3-e594-4118-9d36-6b93041ec73c/

flsdcment.site
sededgtgoes.online

# Reference: https://twitter.com/JAMESWT_MHT/status/1328714844573413377
# Reference: https://app.any.run/tasks/d827010e-453c-4d89-8128-20b82832f5ab/
# Reference: https://www.virustotal.com/gui/file/4d45380cd5fdf967988c4f239f61827ad9a80a4d9abcfbddf6e656d9dcc50f58/detection

45.35.104.213:8989
covidezenove.online
myd9hzd8cheab.winconnection.net

# Reference: https://twitter.com/dgarcianet/status/1352235429160955904
# Reference: https://www.virustotal.com/gui/file/7c019dca867ba21a5d8bb6eabd5750d0f06778fb82ff8866d4900a793d7bcc5c/behavior/C2AE

http://40.112.173.153

# Reference: https://twitter.com/1ZRR4H/status/1359963801819430914
# Reference: https://www.virustotal.com/gui/file/66797ef1761fd243a48829335d9e34781cbef324090497897462bf1a5ce0cb39/detection

104.214.107.176:79
gemare.com.br//conteudo/TGR/descarga.php
selfhelpwomendevelopment.com/wp-includes/images/mail/descarga.php

# Reference: https://cofense.com/blog/autohotkey-banking-trojan/
# Reference: https://www.virustotal.com/gui/file/4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305/detection

es.sslhermanos.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1385156068721012736
# Reference: https://twitter.com/D3LabIT/status/1385151472216776704
# Reference: https://app.any.run/tasks/e48dfdc7-fd3e-4d77-a03a-eeeb458bc909/

conlazionzzytz.eastus.cloudapp.azure.com
contecalculacion.eastus.cloudapp.azure.com
piazzimulobanquituto.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1386976751247634441

amlsempg.com
ilavorianmosy.eastus.cloudapp.azure.com
multipicas.eastus.cloudapp.azure.com

# Reference: https://twitter.com/ESETresearch/status/1387384460568666117
# Reference: https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/
# Reference: https://twitter.com/ESETresearch/status/1387384464905547779

apssitemarquivrft.francecentral.cloudapp.azure.com
torressircontes.eastus.cloudapp.azure.com

# Reference: https://twitter.com/petrovic082/status/1388180117642432515

moveisji.com.br/archivos/

# Reference: https://twitter.com/1ZRR4H/status/1408252818272751621

jinhuidabio.com/reports/words/mail.php
arbonato.com.br/Maxx/sowns/HR13I5MD0ASC5J.php

# Reference: https://twitter.com/dgsecnet/status/1519263981231296516

http://20.233.43.99
http://20.92.88.38
meuinformativo2.serveblog.net

# Reference: https://github.com/CronUp/Malware-IOCs/blob/main/2022-05-10_Mekotio_MTT_CL

thangloitaynguyen.com
espatron2022.est-le-patron.com
anders-wirken.de/wp-content/languages/Hs56ety2hTg011If56s.coc
bremermee.nl/wp-content/languages/MTT0001450001.zip
/lib/jquery/grood/1101/3t1x2oBj19sH33.php

# Reference: https://twitter.com/1ZRR4H/status/1537539651279405062
# Reference: https://www.virustotal.com/gui/file/980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0/detection

http://45.147.197.223
http://51.12.218.142

# Reference: https://twitter.com/pr0xylife/status/1537850595981369344

upfdigital.com
gomho.upfdigital.com
johnickowiczdds.com/wp-admin/telcel.nec
/wp-admin/01/02/gigo.php

# Reference: https://twitter.com/StopMalvertisin/status/1539171329223831552

http://20.239.69.60

# Reference: https://twitter.com/1ZRR4H/status/1540387288538120192
# Reference: https://twitter.com/Dkavalanche/status/1540113368517935104
# Reference: https://www.virustotal.com/gui/file/db9c0fd3a144ea0a24d8d65841ae94f7336ed420428dd455ed4b27ac081949c5/detection

http://20.26.198.176
http://20.91.202.137
serviceares.hopto.org

# Reference: https://twitter.com/StopMalvertisin/status/1540044306068951040
# Reference: https://www.virustotal.com/gui/file/8e815b6b13c7cef7d6152ff50d07f217420e185eddcc247a9a92dbfd1787e6e9/detection

steromask.fr

# Reference: https://twitter.com/SeguInfo/status/1542234908491497472
# Reference: https://www.virustotal.com/gui/file/0d16d92c0f451848fbd8d2b255991103c05c84fafbef9978b1aac22578928e4d/detection
# Reference: https://www.virustotal.com/gui/file/5e9dc457e117fa875057e9fc29a7b9c3116efec912ccc2e4d4eab49e5e55a486/detection

http://20.91.206.86
http://51.132.148.124
pro112.dynuddns.com

# Reference: https://twitter.com/StopMalvertisin/status/1545324970246815744

hcservice.us
continentepecas.com/adm.puc
veroford.com/setup/brume.php

# Reference: https://twitter.com/StopMalvertisin/status/1546556580153688065

http://15.228.54.95
http://18.231.189.164
contactopersonas.com
ww2www.contactopersonas.com
/837617263768912/avionic.mec
/con010923/brume.php
/connnnnnnnnnntxt/config.txt
/connnnnnnnnnntxt/

# Reference: https://twitter.com/StopMalvertisin/status/1549102875829477376

sameh-advisor.com
junho2022.serveftp.org

# Reference: https://twitter.com/1ZRR4H/status/1551278194560585732

http://18.234.175.226

# Reference: https://twitter.com/StopMalvertisin/status/1556909994586808320

http://192.64.114.228
http://63.250.35.10

# Reference: https://twitter.com/StopMalvertisin/status/1570316886285623298
# Reference: https://www.virustotal.com/gui/file/e64aacfe45af89033778c8149b059c7c5acc56a3a8a89b0695d22d770384eb6b/detection

http://20.0.2.192
http://20.168.7.145
20.163.5.160:5060
titiopatas4599.hopto.org

# Reference: https://twitter.com/StopMalvertisin/status/1573360173967888386
# Reference: https://www.virustotal.com/gui/file/65a08bcf5f98500a3870786cbd0688e6dc5317b440648d10cfe8a80189f26198/detection
# Reference: https://www.virustotal.com/gui/file/de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a/detection

http://20.234.231.114
http://20.254.53.47
meupixx22.hopto.org

# Reference: https://www.virustotal.com/gui/file/9a8d1314b3cbcbda7dd374fbfe7e8a1289b2d8f9d0bcce1f29febb72669c5345/detection

afcasa.hopto.org

# Reference: https://twitter.com/StopMalvertisin/status/1547495960783495168

abelcare.co.uk

# Reference: https://twitter.com/StopMalvertisin/status/1583710230940028928
# Reference: https://twitter.com/StopMalvertisin/status/1583710237319581696
# Reference: https://www.virustotal.com/gui/ip-address/64.188.27.119/relations
# Reference: https://www.virustotal.com/gui/file/081cad61936b76619df3e495b1f8edb80c32533cabee11308fbe7a1cd6dcb2a1/detection
# Reference: https://www.virustotal.com/gui/file/73709989c2bc864eaac863974a65aa50a3e740e7796daaa726f96975a33b93c3/detection
# Reference: https://www.virustotal.com/gui/file/67b0763fa0c849e0fa4e9159f48cc8adf9684dd62a55a6379d5ff1a4215af87f/detection

107.175.72.131:8889
64.188.27.119:2020
newfutura.eu
segurofuturex.ddns.net

# Reference: https://twitter.com/Dkavalanche/status/1587583140817768448

jogovirou.serveblog.net

# Reference: https://twitter.com/Dkavalanche/status/1590886788864049153

102.37.146.215:6742
20.49.180.84:4682
jobwes.3utilities.com
sulgran.servegame.com
voltasorte.3utilities.com

# Reference: https://twitter.com/Merlax_/status/1591064695066148864

fuhsufiuhfoiurfhesiryghfgfr.japaneast.cloudapp.azure.com
irihiuhfiuhiyrhguydrgh.switzerlandnorth.cloudapp.azure.com
ofishrohfourdhgiouhgiouruhff.northeurope.cloudapp.azure.com
vm3861641.25ssd.had.wf
vm3925833.1nvme.had.wf

# Reference: https://twitter.com/Merlax_/status/1589947797042008065

http://172.105.24.64
http://51.103.211.106
viwey.koreacentral.cloudapp.azure.com
/EMKT_CURSO_775-5693/47940.024663/

# Reference: https://twitter.com/Dkavalanche/status/1591208796965474304

20.49.180.84:6228
foreversoft.servegame.com

# Reference: https://twitter.com/Merlax_/status/1594080984130998273

http://45.82.69.152
http://80.85.142.64
13.67.219.10:7779
145.239.39.140:2030
20.162.195.251:7779
5.196.214.1:2020

# Reference: https://twitter.com/Dkavalanche/status/1594093798363369472

20.168.210.3:7429
20.208.43.58:4682
financeirotaller.gleeze.com
lifenova.ooguy.com

# Reference: https://twitter.com/Merlax_/status/1591436327194710016

107.175.72.131:2020
20.226.43.19:5556
globast3.s3.eu-central-1.amazonaws.com

# Reference: https://twitter.com/Merlax_/status/1598764864738033680
# Reference: https://twitter.com/Merlax_/status/1598764867770515467

http://13.67.219.10
http://145.239.39.140
http://172.173.207.185
http://191.252.100.96
http://20.162.195.251
http://20.4.226.118
185.101.93.102:5892
185.101.93.138:7779
185.101.93.170:7090
185.101.93.95:2030
37.228.132.205:2380
37.228.132.207:7779

# Reference: https://twitter.com/Merlax_/status/1602407445048983553

http://37.228.132.153
http://37.228.132.91
http://45.132.106.78
http://45.87.3.238
172.173.207.185:2380
191.252.100.96:7090

# Reference: https://twitter.com/Merlax_/status/1603057915610497029
# Reference: https://twitter.com/Merlax_/status/1603057918408097792
# Reference: https://twitter.com/Merlax_/status/1603057921138589698

20.56.98.139:5060
astyhb.eastus2.cloudapp.azure.com

# Reference: https://twitter.com/Dkavalanche/status/1603148512446873601
# Reference: https://twitter.com/Dkavalanche/status/1614626593258835970

185.101.93.181:5892
honranova.giize.com
trabajoar.theworkpc.com

# Reference: https://twitter.com/noexceptcpp/status/1606434459724795904

/2382799-06.8601.cDX.9191/clientes.php
/2382799-06.8601.cDX.9191/
/3973205-45.2022.3.00.4661-03-11-2022/4154012-20.5478.ZxY.9919.html
/3973205-45.2022.3.00.4661-03-11-2022/
/4154012-20.5478.ZxY.9919.html

# Reference: https://twitter.com/Merlax_/status/1606707407362658306

http://185.101.93.170
172.173.223.15:2382
185.101.93.181:4682
23.106.215.78:2030
4.231.106.159:7429
ufwetyz.uksouth.cloudapp.azure.com

# Reference: https://twitter.com/Merlax_/status/1612827626967638017

http://185.101.93.138
http://185.101.93.95
http://185.101.94.186
http://37.228.132.205
http://37.228.132.207
http://37.228.132.40
172.174.70.30:7779

# Reference: https://twitter.com/Merlax_/status/1612886096899366913

bastefac.uksouth.cloudapp.azure.com
honra.uksouth.cloudapp.azure.com

# Reference: https://twitter.com/Merlax_/status/1613893870827495425

sysofficereconsiderar.com

# Reference: https://twitter.com/1ZRR4H/status/1616097608887418881
# Reference: https://twitter.com/Merlax_/status/1616126832449052673
# Reference: https://www.virustotal.com/gui/file/964fbbc3b3a80e3e378e88f8c523d72e539ba06e46643ed212bc0609871fff4e/detection
# Reference: https://www.virustotal.com/gui/file/9c4b5b90c3c5f5dd0760bb40e831ef7cbbe8d0a70e3a12516151cba8d6fb0c5d/detection

15.228.46.182:5050
15.229.0.61:3081
janeiro2023.duckdns.org

# Reference: https://twitter.com/1ZRR4H/status/1614071021761339392
# Reference: https://twitter.com/Merlax_/status/1614119705018523649

alzi3ka2-4twkfsnnqq-wl.a.run.app
gamesstonert.serveirc.com

# Reference: https://twitter.com/Merlax_/status/1614765313626628096
# Reference: https://twitter.com/Merlax_/status/1614765319293177856

185.101.92.25:8090
betamixstudiomax.hopto.org

# Reference: https://twitter.com/Merlax_/status/1615090812492062722
# Reference: https://www.virustotal.com/gui/file/cceff9a60a3653478d7ea25a181b3506112f712751652ce06d4269012269b087/detection

http://185.101.92.241
20.70.210.14:3040
51.120.2.28:3030
gamesstrond2.servebeer.com

# Reference: https://twitter.com/Merlax_/status/1616163628553486346

http://18.216.179.202
20.203.201.160:5060
37.228.132.212:7779

# Reference: https://twitter.com/Merlax_/status/1617705932116619264

http://185.101.93.178
185.101.93.102:4823
80.89.239.12:2325
jornada.uksouth.cloudapp.azure.com

# Reference: https://twitter.com/Dkavalanche/status/1622372174831951879

http://185.101.92.9
http://185.250.205.88
http://37.228.132.199

# Reference: https://twitter.com/Dkavalanche/status/1623456458464702468

185.101.93.102:4823
37.228.132.206:4823
fatura-vivo-combr.online
nelore.gleeze.com
sendonly.fatura-vivo-combr.online

# Reference: https://twitter.com/SeguInfo/status/1630325475452112898
# Reference: https://www.virustotal.com/gui/file/5e04f7e34dfb3324bc1d30d89fe1eaafd48233742b068845ce1454762742218d/detection
# Reference: https://www.virustotal.com/gui/file/33f71ae4c8eb3c46a196bb42e321fff5aed2e778912a2bacda83efea654bf447/detection

http://20.222.143.29
37.228.132.215:9999

# Reference: https://twitter.com/Dkavalanche/status/1630694677815914504

37.228.132.206:8847
erasorte.kozow.com
pyubyw.giize.com
legado.japaneast.cloudapp.azure.com

# Reference: https://twitter.com/Merlax_/status/1631413618800574465

172.93.201.197:9998
37.228.132.185:10100
40.80.88.104:8088
65.21.64.36:9099
belcion.japaneast.cloudapp.azure.com
grupofuturama.eu

# Reference: https://www.virustotal.com/gui/file/f8a0a352e40483190ec0800b911e606f50e225dcadc586bf12ead5a5b89eb133/detection

64.44.101.158:3030

# Reference: https://www.virustotal.com/gui/file/f13f2c45dab25a264e188b82038cf67f0618b66f894cf6ec8a4edbafc67427e7/detection

154.16.113.204:3020
newyorknewyorknewn.onthewifi.com

# Reference: https://www.virustotal.com/gui/file/b157b06121739a3ba665847125df05b49cde1d661057f3de11b68129e6366dd6/detection

http://107.158.94.13
/contadores/index.php

# Reference: https://www.virustotal.com/gui/file/8da0f6a428f557f2e09dc513b2026500bbedc6007f6094073e72d284863e771b/detection

107.158.94.13:3020

# Reference: https://www.virustotal.com/gui/file/58bbf396c8703d578e50f872884d7e17307d5b0f231e3912d0b7785c71572dc6/detection

64.44.101.158:3030
au65.gotdns.ch

# Reference: https://www.virustotal.com/gui/file/407bed4acae33f7617255658951ced85a7e5a5ff2d544b531de732674afb2193/detection

172.93.201.40:3020

# Reference: https://twitter.com/Dkavalanche/status/1633256558158118913
# Reference: https://threatfox.abuse.ch/ioc/1086480/
# Reference: https://www.virustotal.com/gui/file/55a51de3053671f2fca350fc7c158510042735051b2debfdf5f82a9193d7d688/detection

http://23.102.91.186
185.101.93.192:9997

# Reference: https://twitter.com/Merlax_/status/1633595021466148866

http://138.68.136.2
/unvjnguvkhcinpno/73640.827263/
/unvjnguvkhcinpno/

# Reference: https://twitter.com/Merlax_/status/1633601968944840707

20.81.185.81:5400

# Reference: https://twitter.com/JAMESWT_MHT/status/1636358586979819521
# Reference: https://tria.ge/230316-qf33jsdc2w/behavioral1

20.251.14.187:8899

# Reference: https://twitter.com/Merlax_/status/1636797377276411904

50.114.32.153:9002
50.114.32.33:9001
utj7u1gisugxxvptn2z.zapto.org

# Reference: https://www.virustotal.com/gui/file/6914cb316d86e5a6063a1c7edaf584298a333796bc7f7bf8bd4032642417df4d/detection

http://81.19.141.64

# Reference: https://twitter.com/JAMESWT_MHT/status/1639174777884516353

nabf-2j6pxlwduq-uc.a.run.app

# Reference: https://twitter.com/JAMESWT_MHT/status/1640240028126265347

mdhc-emf5vs6xwq-uc.a.run.app

# Reference: https://twitter.com/JAMESWT_MHT/status/1640263790641000448

eurt-emf5vs6xwq-uc.a.run.app

# Reference: https://twitter.com/Ttargaryen1/status/1641133397325017088
# Reference: https://twitter.com/Ttargaryen1/status/1641133635842473999
# Reference: https://tria.ge/230329-ws6xvsba31/behavioral1

restauranterota152.brazilsouth.cloudapp.azure.com
topgearagainsix.uksouth.cloudapp.azure.com
/js/Soup2018x.system32
/Soup2018x.system32

# Reference: https://twitter.com/Merlax_/status/1642935684292804609
# Reference: https://www.virustotal.com/gui/domain/corp73p5dao.com.de/relations
# Reference: https://www.virustotal.com/gui/file/2152ce21b9e6a53b97eedc4bbf24351d9a31b603293e48c57cfd1f88a0bbfc5b/detection

http://79.133.121.107
45.35.6.2:9001
corp73p5dao.com.de
a.corp73p5dao.com.de
e.corp73p5dao.com.de
h.corp73p5dao.com.de
i.corp73p5dao.com.de
l.corp73p5dao.com.de
s.corp73p5dao.com.de
server6.corp73p5dao.com.de
ssl3.corp73p5dao.com.de
ssl7.corp73p5dao.com.de

# Reference: https://twitter.com/Merlax_/status/1643009519885090817

20.251.10.230:8899
20.224.3.99:4040
tornesgmalopwej1.servemp3.com

# Reference: https://twitter.com/Merlax_/status/1643009522032693251

182.75.172.34.bc.googleusercontent.com
203.218.29.34.bc.googleusercontent.com
37.27.31.34.bc.googleusercontent.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1648238717067198465

90.4.154.34.bc.googleusercontent.com
lkdyglkd-emf5vs6xwq-uc.a.run.app

# Reference: https://twitter.com/JAMESWT_MHT/status/1649304189070188544

120.124.70.34.bc.googleusercontent.com
dfghjkfghk-4gykhommfa-uc.a.run.app

# Reference: https://twitter.com/Merlax_/status/1651696436013068290

185.101.94.126:7956
185.101.94.22:9992
20.5.65.48:4040
51.120.247.2:8899
novachance.giize.com

# Reference: https://twitter.com/Merlax_/status/1653533786607439872
# Reference: https://www.virustotal.com/gui/file/e22a215c263b61d1b4ae976b9ec89e2f1581b32a2eaf94287cfd5420241918ec/detection
# Reference: https://www.virustotal.com/gui/file/3ba67edaa6831855efcacf0460a2af52032724dafebb3a8f6e0625369cd98009/detection

http://45.67.208.208
104.234.200.29:3306
104.234.200.29:5400
104.234.30.224:3306
104.234.30.224:5400
artsnetshoresaways.hopto.org
/e91ea04ea2041d539540e/73640.827263/

# Reference: https://twitter.com/Merlax_/status/1654904040906530817

185.225.74.100:8847
20.239.166.4:4050
37.228.132.123:7956
4.240.84.251:4040
78.47.145.94:7070

# Reference: https://github.com/merlax/Mekotio/blob/main/IOCs_12-05-2023

http://116.203.184.213
102.37.146.123:8899
103.145.13.111:8890
15.228.13.156:9995
18.223.102.186:9988
18.231.161.239:6488
181.41.200.72:0902
188.191.106.171:9999
20.25.181.202:5050
24.152.36.75:9001
38.54.57.153:7890
45.143.223.193:7890
50.114.32.234:9002
52.67.134.119:3081
3wwzkd3svxhctsiylan.zapto.org
bazuca2022.ddns.net
bazuca20233.hopto.org
filejurere23.hopto.org
gamespursigmers.giize.com
horaplus.gleeze.com
louvgamersmp1.ddnsgeek.com
maximlinum.xyz
primeiradoano.servebeer.com
segundadoano.servequake.com
terceiradoano.bounceme.net
zapaosnester.com

# Reference: https://twitter.com/Merlax_/status/1659652152543813652

167.114.4.172:9001
18.118.78.11:3081
20.121.119.89:5050

# Reference: https://threatfox.abuse.ch/browse/malware/win.mekotio/

http://34.29.127.135
http://35.226.160.162
102.37.152.149:3040
102.37.155.46:10002
15.229.26.142:10003
185.101.93.170:80
185.101.93.178:80
185.101.94.149:10004
45.81.224.52:10100
64.44.101.158:10100
80.85.139.45:10200
newhonra.westeurope.cloudapp.azure.com
yagoeallanaadegaltda.sellsyourhome.org

# Reference: https://twitter.com/1ZRR4H/status/1678264825288196096

18.191.155.176:9995
/wp-content/plugins/--/online/?cid=
/plugins/--/online/?cid=

# Reference: https://twitter.com/Merlax_/status/1678524497702576128

http://20.206.241.68
20.206.241.68:6400
52.159.123.0:443
52.159.123.0:6400
mlenvioscoleta.com

# Reference: https://twitter.com/1ZRR4H/status/1671846979616292864
# Reference: https://twitter.com/1ZRR4H/status/1674967428625735681
# Reference: https://twitter.com/Merlax_/status/1665820048190058504
# Reference: https://twitter.com/Merlax_/status/1665840922599518208
# Reference: https://twitter.com/Merlax_/status/1672351823703982081
# Reference: https://twitter.com/Merlax_/status/1676546469808209925
# Reference: https://twitter.com/Merlax_/status/1680026095746183168
# Reference: https://twitter.com/V3n0mStrike/status/1679535948537683986
# Reference: https://twitter.com/V3n0mStrike/status/1679543507738828812
# Reference: https://www.virustotal.com/gui/file/6dfd76c513f8c4216b7c0efeab797f22db13bb265fafffbb69d735b64801c4a8/detection
# Reference: https://www.virustotal.com/gui/file/80e53958df78b0386ac91b142a6a0541240921c3b475fc27359205e212bad319/detection
# Reference: https://www.virustotal.com/gui/file/969c4d790314beca402ba8cc253ceb9af856c1ed22aae512e245a9538ea86b95/detection
# Reference: https://www.virustotal.com/gui/file/a9e9f807b2f8061fb98d1ceda1e2d0a1b88e1935b7592d206c0b8324c1aa6e23/detection

http://5.189.204.31
103.145.13.111:9910
137.135.127.65:5603
142.44.232.43:9002
144.217.42.72:9001
148.163.126.62:5678
15.229.117.18:3081
154.49.247.76:9002
158.69.110.219:9002
158.69.167.48:9002
167.88.164.34:7957
172.81.61.183:5678
172.86.76.129:9999
185.101.93.178:6829
199.127.60.214:5080
213.227.155.58:9999
3.99.207.157:7957
34.210.155.57:9995
37.120.222.88:7890
37.228.132.123:8841
38.54.115.27:7777
40.121.34.71:9001
44.201.214.55:7957
50.114.32.122:5678
50.114.32.235:9099
51.222.135.161:9002
51.38.160.149:8841
89.44.9.236:9911
catrinavc.shop
engeclimathi.com
louvstargamp.webredirect.org
messi.serveblog.net
nuevogomelove.webredirect.org
slrbxtjgptm3fqj6wv.com.de
2.slrbxtjgptm3fqj6wv.com.de
/dasssashytsrfwewdw4w432dcadssswe32dsfwywyw67wjjehnsbvcdfreyd.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1687351852931624960
# Reference: https://twitter.com/reecdeep/status/1687468105633529856
# Reference: https://app.any.run/tasks/d782065e-425d-4aef-9edb-ece8c16e3802/

146.70.24.214:4422
gamespokerstort.myftp.org

# Reference: https://twitter.com/Merlax_/status/1687558327457181696

139.144.212.143:7957
15.228.16.45:3081
185.101.93.63:6829
20.38.37.160:8005
45.66.249.14:5678

# Reference: https://threatfox.abuse.ch/ioc/1137733/
# Reference: https://www.virustotal.com/gui/file/2499279a4745a9fc9a6c2dcdaf7b49fcf47453683ce58e5337cc511eece40861/detection

138.201.149.36:3456
zettafull2023.3utilities.com

# Reference: https://twitter.com/V3n0mStrike/status/1688312316134117377
# Reference: https://twitter.com/dark0pcodes/status/1688370183457349632
# Reference: https://www.virustotal.com/gui/file/10f8e9219ac166f36a100ece03687d2854d42ac3a5fabca5df0df78140fd3776/detection
# Reference: https://www.virustotal.com/gui/file/d5fa0182851d62cf6774a93eca11de4504e1285e11a548835fcfcf9432fbea4f/detection

172.86.70.241:6255
172.86.70.241:6566

# Reference: https://twitter.com/SeguInfo/status/1703851435077587315
# Reference: https://www.virustotal.com/gui/ip-address/94.158.244.44/relations
# Reference: https://www.virustotal.com/gui/file/81d3c8fe425a2f1d0eb57ee9d0f439ed94ff051c56663ed718ad45b4d8a5c166/detection

72.167.133.152:8081
citacionadjunta2.from-oh.com
comprobante20234.isa-geek.com

# Reference: https://twitter.com/SeguInfo/status/1699869450038554725
# Reference: https://www.virustotal.com/gui/file/d99a73f476e37ecae997fd3eafcde81d124a82aa4acae2863a82977ccb44a383/detection

http://34.176.182.245
20.244.39.91:7373
mbvcmv-qfsbndl4da-tl.a.run.app

# Reference: https://twitter.com/JAMESWT_MHT/status/1704343266991178164

clientemarazul.com
ja2r7.app.goo.gl

# Reference: https://twitter.com/SeguInfo/status/1705308358696210620
# Reference: https://www.virustotal.com/gui/ip-address/34.133.80.206/relations
# Reference: https://www.virustotal.com/gui/file/8f0af73b1eedc9859bde1077e9cce1d76946335840649b87ddf9a6771b18e476/detection
# Reference: https://www.virustotal.com/gui/file/fffe7f3362ade4d911710f2c99b08c04080ea421c0d1ec8fb10658df50b2b303/detection
# Reference: https://www.virustotal.com/gui/file/802c9cf7bbc61803594e23eabc5f57797326b4ef312c10b53cec12693de2644f/detection

31.192.107.193:7321
31.192.107.193:7575
servgameslupi.hopto.org
206.80.133.34.bc.googleusercontent.com

# Reference: https://twitter.com/Merlax_/status/1707524461610574301

172.104.76.12:7957
20.63.74.107:6060
34.27.40.123:8007
35.232.212.112:8007
45.40.96.49:9900

# Reference: https://twitter.com/jorgemieres/status/1717930609962516745

180.169.136.34.bc.googleusercontent.com
92.253.173.34.bc.googleusercontent.com
akzkar-otdxzwqz6a-uc.a.run.app
/EMKT_CURSO_775-5693/47940.024665/

# Reference: https://twitter.com/jorgemieres/status/1717940842982223980
# Reference: https://www.virustotal.com/gui/ip-address/146.0.79.25/relations
# Reference: https://www.virustotal.com/gui/ip-address/31.192.107.165/relations
# Reference: https://www.virustotal.com/gui/file/f2a8532332e041ed0bdf99180ade2217c5eecf17d305d1705d41a7fa28a1f94f/detection
# Reference: https://www.virustotal.com/gui/file/fc599a86e79ae4bb95bca1255381493e31001dc98a4fd61930d1899cd35eba25/detection

146.0.79.25:11223
gamesstartf.xyz
lupgameso.xyz
nuevo2gameslop.xyz

# Reference: https://www.virustotal.com/gui/ip-address/146.0.79.23/relations
# Reference: https://www.virustotal.com/gui/ip-address/212.237.217.189/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.210.107.132/relations
# Reference: https://www.virustotal.com/gui/file/f9c3ebadf916ef87a80dbb0a59c6fb1b8a8b305079f3ac05791a6c7db09d262f/detection
# Reference: https://www.virustotal.com/gui/file/aea0d4cd862d9f32d77d8d0b57567e2af93271940a72f403575aa7a94effb661/detection
# Reference: https://www.virustotal.com/gui/file/084c7dad85f29f3088999084b2a41d305dd5a7c4c1b70558baf54283411b6be0/detection

146.0.79.23:11224
212.237.217.189:3344
212.237.217.189:3345
mxdooppcof.xyz
nuevoconceti.xyz
repicdominic.xyz

# Reference: https://twitter.com/V3n0mStrike/status/1696926213300797787
# Reference: https://www.virustotal.com/gui/file/82dae1ad95328ee96416eeaddab66bb994035e7e4e5ec41c8eb10eff60b73063/detection

172.86.121.70:10011
neckjointservice.com

# Reference: https://twitter.com/Merlax_/status/1722283882857574791

http://104.131.10.223
http://104.131.7.179
http://132.148.78.45
http://138.197.42.53
http://138.197.65.187
http://138.197.65.194
http://138.197.65.248
http://138.197.73.6
http://141.95.0.69
http://159.203.113.160
http://159.65.172.220
http://159.65.178.222
http://165.227.68.165
http://165.227.76.219
http://172.105.6.117
http://172.187.146.50
http://172.188.74.203
http://172.188.74.39
http://184.168.20.190
http://20.163.29.252
http://20.5.168.224
http://20.70.8.202
http://4.228.48.162
http://4.231.172.79
http://46.37.100.162
http://5.188.0.139
http://77.91.100.203
http://80.190.74.36
132.148.78.45:5000
5.252.176.29:5000

# Reference: https://twitter.com/Dkavalanche/status/1722254307444285470
# Reference: https://twitter.com/Dkavalanche/status/1722628044299665757
# Reference: https://twitter.com/V3n0mStrike/status/1722717944663187825
# Reference: https://app.validin.com/axon?find=132.148.78.45&type=ip
# Reference: https://app.validin.com/axon?find=185.225.19.104&type=ip
# Reference: https://app.validin.com/axon?find=72.167.35.199&type=ip
# Reference: https://app.validin.com/axon?find=92.205.177.164&type=ip
# Reference: https://www.virustotal.com/gui/file/595087831d5e1a8f306b31db4e9579806756a2bd56e3db2aa3aa714536f80866/detection

132.148.78.45:5000
92.205.178.210:9081
01advertenciactc2023.dnsdojo.com
01invoicefull234.dnsdojo.com
adjuntodocument.from-in.com
adjuntodocumento3.from-mt.com
adjuntodocumento3224.from-mt.com
adjuntodocumento4.is-a-caterer.com
adjuntodocumento5.is-a-cpa.com
advertenciact.from-wy.com
advertenciactc2023.dnsdojo.com
advertenciactc2023.from-sd.com
advertenciactc2023.from-wy.com
advertenciactc2023.selfip.com
citaadju23nta.likes-pie.com
comprobantepagoectonico.selfip.com

# Reference: https://twitter.com/Dkavalanche/status/1723002138853310922
# Reference: https://app.validin.com/axon?find=185.225.19.81&type=ip
# Reference: https://app.validin.com/axon?find=34.74.162.235&type=ip
# Reference: https://app.validin.com/axon?find=34.74.162.249&type=ip

34.74.162.235:8007
jetmailx.ddnsguru.com
maypainer.loseyourip.com
myinfo2.giize.com
mysystem2102account.dnsalias.com
nightscoutsergi.mooo.com

# Reference: https://app.validin.com/axon?find=92.205.186.100&type=ip
# Reference: https://app.validin.com/axon?find=94.158.244.109&type=ip

adjuntodocument.from-in.com
adjuntodocumento3.from-mt.com
adjuntodocumento4.is-a-caterer.com
adjuntodocumento5.is-a-cpa.com

# Reference: https://twitter.com/Merlax_/status/1725625082809127288
# Reference: https://raw.githubusercontent.com/merlax/Mekotio/main/IOCs_2ndW_Nov_2023
# Reference: https://www.virustotal.com/gui/ip-address/164.68.124.229/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.225.19.81/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.111.152.242/relations
# Reference: https://app.validin.com/axon?find=89.40.5.144/30&type=ip4
# Reference: https://www.virustotal.com/gui/file/08fdc1d9ed2aada0b3bd2f2d1153b1800252091d2804841f11ea7ac959aa07e0/detection
# Reference: https://www.virustotal.com/gui/file/0c15a51994c1bf1bc04c1b79f8e023146496890b3e688978fa51c71da28bae46/detection
# Reference: https://www.virustotal.com/gui/file/101b3685fbf597ab0db6ad95fd9177bff4393bd17187f308ac16199d7c58033e/detection
# Reference: https://www.virustotal.com/gui/file/1c1dc2689c97a755e42bbf13fb1818529911a60ce91cf10125f3ff6e62804ba2/detection
# Reference: https://www.virustotal.com/gui/file/33b317ad728818234a7ca18a5579f9a37827c7dc52620e270bc1a75533668045/detection
# Reference: https://www.virustotal.com/gui/file/52f6cf4b266820aeb9be2a46430ee5513ae6f028e0012627a3a345413987a968/detection
# Reference: https://www.virustotal.com/gui/file/969a397dc0e0b93f4362127380567788a6236b9986cb682f9f3f8d07e683f077/detection
# Reference: https://www.virustotal.com/gui/file/ba3f2cb647180467eb750d30eb87c0ecf0caed9bb4daee0ea008bdbb58ba24e3/detection

http://104.154.160.155
http://104.198.223.56
http://143.110.229.237
http://143.110.235.132
http://143.198.209.74
http://143.198.58.70
http://15.235.166.165
http://15.235.166.206
http://159.223.203.172
http://159.223.42.2
http://159.223.42.240
http://159.223.65.166
http://159.223.65.70
http://159.223.78.129
http://159.223.78.150
http://159.223.78.221
http://161.35.101.122
http://161.35.109.171
http://161.35.98.146
http://165.22.243.78
http://165.22.245.172
http://165.22.251.142
http://165.22.253.173
http://167.99.69.215
http://167.99.74.11
http://167.99.74.192
http://167.99.78.242
http://178.128.115.173
http://178.128.119.161
http://195.234.82.54
http://24.199.97.202
http://34.121.79.117
http://34.123.155.239
http://34.132.192.242
http://34.135.203.127
http://34.136.169.180
http://34.16.123.109
http://34.173.253.92
http://34.27.34.110
http://34.28.119.214
http://34.28.138.163
http://34.28.201.51
http://34.28.99.129
http://34.70.123.114
http://34.95.236.114
http://35.184.1.91
http://35.199.68.229
http://35.225.245.224
http://35.226.181.149
http://35.226.68.157
http://35.232.65.172
http://35.247.243.80
http://45.80.209.112
http://45.80.209.115
http://45.80.209.116
http://45.80.209.117
http://45.80.209.118
http://45.80.209.119
http://45.80.209.120
http://45.80.209.129
http://45.80.209.130
http://45.80.209.131
http://45.80.209.132
http://45.80.209.133
http://45.80.209.134
http://45.80.209.135
http://45.80.209.136
http://45.80.209.137
http://45.80.209.138
http://45.80.209.139
http://45.80.209.140
http://45.80.209.16
http://45.80.209.215
http://45.80.209.216
http://45.80.209.218
http://45.80.209.219
http://45.80.209.220
http://45.80.209.221
http://45.80.209.222
http://45.80.209.223
http://45.80.209.224
http://45.80.209.47
http://45.80.209.50
http://45.80.209.51
http://45.80.209.52
http://45.80.209.56
http://45.80.209.87
http://5.188.0.181
http://5.188.0.65
http://5.8.41.190
http://5.8.41.191
http://5.8.41.195
http://5.8.41.204
http://5.8.41.211
http://5.8.41.223
http://5.8.41.225
http://5.8.41.234
http://51.15.10.118
http://51.15.167.5
http://51.15.3.140
http://51.15.5.194
http://51.15.9.162
http://51.15.9.198
http://51.159.53.127
http://68.183.225.149
http://68.183.225.47
http://68.183.230.167
http://68.183.236.225
http://84.46.236.226
http://84.46.236.227
http://84.46.236.36
http://84.46.236.38
http://84.46.239.209
http://84.46.239.95
http://86.38.216.104
http://86.38.216.46
http://89.117.0.126
http://89.117.0.127
http://89.117.0.128
http://89.117.0.129
http://89.117.0.13
http://89.117.0.130
http://89.117.0.131
139.144.213.55:9998
164.68.124.229:6090
178.128.206.214:3344
20.63.119.249:3345
62.77.153.133:9999
66.228.34.150:7957
72.167.33.172:8081
77.91.74.84:9999
89.47.160.109:8993
98.71.24.201:5585
boludo.online
coltmzxcofgh.xyz
comptech8a.com
gordlopd.xyz
fortepe.is-a-geek.com
fortepe2.is-a-geek.com
indianajhones.servebeer.com
indiapotira.servebeer.com
myinfo20235.ddnsfree.com
mysystem2102a.dnsalias.com
savtab34.duckdns.org
strogonoff.xyz

# Reference: https://twitter.com/Dkavalanche/status/1729582807666557143

cogfactmgsolucionesoinsaarme.eastus.cloudapp.azure.com

# Reference: https://twitter.com/Merlax_/status/1730553580275569032
# Reference: https://www.virustotal.com/gui/file/42fcbde7055bb274807eb5cdf4fe61125582bb364e92edf598b8bacd9b0f740d/detection

http://24.152.37.226
http://24.152.39.178
http://74.207.237.97
24.152.39.178:60309

# Reference: https://twitter.com/JAMESWT_MHT/status/1732719574762528804
# Reference: https://www.virustotal.com/gui/file/8d464b85a99517acba4fd431c4cb077bc5180380e21b4cb3616c573867c6e9b6/detection
# Reference: https://www.virustotal.com/gui/file/17af2c468c617d4fc26c5334336f1224d3945bb4e0e984f83be439439ea6a758/detection

auditoriaempresa.com

# Reference: https://twitter.com/Merlax_/status/1732944960180158722
# Reference: https://www.virustotal.com/gui/file/c25dc30e13c33341aaa22ecbaa17fd28334d06089658a5521663564ee5f96b35/detection

http://104.197.118.253
http://139.162.133.226
http://146.70.41.164
http://162.19.250.136
http://170.187.185.142
http://172.105.21.218
http://172.203.248.28
http://173.82.57.120
http://185.74.222.7
http://188.127.225.117
http://191.6.210.101
http://20.11.48.138
http://20.84.95.205
http://23.227.199.39
http://23.236.54.174
http://24.199.118.203
http://24.199.126.144
http://24.199.126.188
http://24.199.126.29
http://31.192.107.165
http://31.44.7.57
http://34.133.77.232
http://34.134.144.100
http://34.16.108.72
http://34.170.6.183
http://34.171.203.202
http://34.27.55.253
http://34.41.174.53
http://34.95.214.148
http://35.193.169.113
http://35.226.15.1
http://35.226.23.196
http://35.239.20.13
http://37.49.230.73
http://37.49.230.79
http://5.181.156.86
http://5.8.41.128
http://5.8.41.136
http://52.67.10.246
http://72.167.133.199
http://72.167.140.106
http://80.190.75.43
http://80.190.75.44
139.144.212.88:7957
140.99.223.103:9999
173.209.59.170:6099
20.227.191.76:10148
34.74.162.235:9988
45.40.96.241:8800
72.167.141.220:9988
88.80.187.192:8081
aboutnetworkcorporation.com
azohxhfkimtelsiwsitm.homes
opgubfstp.xyz
pontesmiller.homes
ellokodell00.hopto.org
enterprese2023.is-a-hunter.com
/googledocs.txt
/googledocs1.txt

# Reference: https://twitter.com/_boitata/status/1733683765493338128
# Reference: https://www.virustotal.com/gui/file/d8fc4f696f4bd1899ed92d8e9767646308c941cac2ea826dbdd3e64f6926db3d/detection

http://185.228.72.212

# Reference: https://twitter.com/1ZRR4H/status/1734346226303176743

gongzi.one
networks2024.com
vmq.gongzi.one
wx.gongzi.one
yzf.gongzi.one

# Reference: https://twitter.com/V3n0mStrike/status/1734434543774449971

http://88.80.187.192

# Reference: https://twitter.com/Merlax_/status/1737427638615183814
# Reference: https://pastebin.com/raw/NpCHYR6g

http://185.189.13.243
102.37.141.218:6099
109.74.197.130:8081
15.229.1.40:3081
23.227.196.75:10149
38.54.45.105:9988
52.67.144.183:9795
confgplsiep.xyz
homelpd6099.xyz

# Reference: https://twitter.com/V3n0mStrike/status/1736209621839139026

http://146.70.100.113
http://45.79.11.85
45.79.11.85:8081

# Reference: https://twitter.com/V3n0mStrike/status/1740461394250641595

18.188.34.194:9795
jw-ict.nl
comunicarbrasil-br.com/wp-content/upgrade/8HD712/
eccsl.lk/mah/mail/ID/UC81782/
silviza.cl/css/F12039388II/
/F12039388II/T2381OIF7/login.php
/F12039388II/T2381OIF7/
/F12039388II/
/T2381OIF7/

# Reference: https://twitter.com/Merlax_/status/1743380172768784598
# Reference: https://pastebin.com/raw/yh2ePsr6

http://138.197.3.95
http://146.190.47.102
http://157.245.154.252
http://157.245.156.164
http://165.227.100.78
http://167.172.72.72
http://167.172.73.43
http://167.172.77.227
http://167.99.49.92
http://167.99.57.153
http://176.123.1.98
http://178.128.208.175
http://178.128.209.160
http://178.128.217.129
http://178.128.217.240
http://185.202.92.107
http://185.233.82.209
http://185.244.210.127
http://185.244.210.129
http://191.233.240.218
http://209.97.175.168
http://213.156.138.36
http://213.232.235.79
http://24.199.118.135
http://31.192.107.139
http://34.28.70.128
http://34.29.67.243
http://34.30.59.63
http://35.199.77.83
http://45.135.229.35
http://5.181.27.142
http://5.181.27.143
http://5.181.27.144
http://5.181.27.150
http://5.181.27.151
http://5.188.0.144
http://5.188.0.152
http://5.8.41.15
http://5.8.41.180
http://5.8.41.181
http://5.8.41.182
http://5.8.41.184
http://5.8.41.185
http://5.8.41.186
http://5.8.41.187
http://5.8.41.188
http://5.8.41.189
http://5.8.41.192
http://5.8.41.194
http://5.8.41.196
http://5.8.41.197
http://5.8.41.198
http://5.8.41.199
http://5.8.41.200
http://5.8.41.201
http://5.8.41.212
http://5.8.41.213
http://5.8.41.216
http://5.8.41.218
http://5.8.41.219
http://5.8.41.220
http://5.8.41.221
http://5.8.41.224
http://5.8.41.27
http://5.8.41.94
http://5.8.41.97
http://89.44.193.182
http://92.223.102.65
http://92.38.149.54

# Reference: https://twitter.com/Merlax_/status/1754986074881855714

184.168.127.159:7070
ea8821cf7a85ec212e7.dyndns-home.com

# Reference: https://twitter.com/1ZRR4H/status/1763236603718242750

104.237.131.212:8088
104.237.139.231:8088
192.81.134.81:8088
31.192.107.162:9090
92.205.235.147:9090

# Reference: https://twitter.com/V3n0mStrike/status/1763315355299008917
# Reference: https://csirt.gob.cl/alertas/2cmv24-00447-01/

alkebucentre.org
ceseinfonline.com
friendlyship.org
garbasrealestate.com
protezeoculare.ro
ptovesindo.com
/factelectricidad/
/facteletricidad/

# Reference: https://twitter.com/V3n0mStrike/status/1764481627994894461

tiberiu.mt-2.ro

# Reference: https://twitter.com/johnk3r/status/1767943022640058383
# Reference: https://www.virustotal.com/gui/ip-address/109.199.113.150/relations
# Reference: https://www.virustotal.com/gui/file/ae66e71538e6e4a1ba24e0cc180c4a8997ac44902c6b3979428dbc3df85e801e/detection

http://38.54.57.26
infojobsprotalacesso.com
acessojobsportalacesso.com
acessoriaportaljobs.myactivedirectory.com
processoseletivojobsuniao.read-books.org
seletivoprocessojobs.workisboring.com

# Reference: https://twitter.com/Merlax_/status/1763338702762442992

01serverseistemasatu.com.br
document-ar.com
mystylo.life

# Reference: https://twitter.com/pollo290987/status/1785715590662926352
# Reference: https://www.virustotal.com/gui/file/8df3cede8c8dbb033d98c1b0ce2fe1541f0f29950b05bf4bc11f1d36fb78444b/detection

92.205.230.110:9090

# Reference: https://app.validin.com/detail?find=38.242.147.66&type=ip4&ref_id=1ccb0ee0052#tab=resolutions
# Reference: https://www.virustotal.com/gui/file/0e7dc9696450f736b1e5f8a829af71941eb78caff56823094b6d0b063d4ae7cc/detection

comerciojobsinformativo.is-into-cartoons.com
comerciojobsinformativo.is-not-certified.com
comerciojobsinformativo.myactivedirectory.com
comerciojobsinformativocom.cable-modem.org
comerciojobsinformativos.is-an-accountant.com
comerciojobsinformativos.is-an-entertainer.com
comerciojobsinformativos.is-not-certified.com

# Reference: https://www.metabaseq.com/mosquito-the-new-infostealer-arrives-to-mexico/

http://107.158.94.115
http://80.190.75.42
superdownload.download

# Reference: https://x.com/Merlax_/status/1805750049135018347
# Reference: https://www.virustotal.com/gui/ip-address/13.64.185.189/relations
# Reference: https://www.virustotal.com/gui/ip-address/92.205.237.201/relations

104.245.245.7:8001
104.245.245.7:9999
13.59.86.43:3060
184.168.31.6:8089
23.94.169.159:8022
cdjmshow.site
descargafiscal.net
explousemprefs.com
grupfenders.top
insaatfender.top
jmfutura.top
jmfutura24.club
twnorthing.shop
yupinxiangmu66.net
privacyxml02.duckdns.org
wareinnovator.merseine.com
wildred2003.is-a-techie.com
lucacocinas.com.ar/img/cocina/port/files.txt

# Reference: https://www.virustotal.com/gui/file/0fc2716cbb0e9a6b21d3224c28bf46281e79d2dc2ce8792a44efaffd5e10e81c/detection

162.218.114.93:8888
contadorfiscal.net

# Reference: https://x.com/V3n0mStrike/status/1806485384819360183
# Reference: https://www.virustotal.com/gui/file/c2bcc20616256b7544db73d6d62349abf9d347a735e6d918a75ed95005534a2a/detection

http://78.46.215.90
23.239.4.149:8900
httptw.com

# Reference: https://x.com/Merlax_/status/1806825719177347275
# Reference: https://x.com/Merlax_/status/1806833714778759501
# Reference: https://www.virustotal.com/gui/file/c71211039195b42fe9b9ffe93b0cb0d8b0afdf2ca2325815b73d263125c5cc2a/detection
# Reference: https://www.virustotal.com/gui/file/2a1f0c30b72daa2f1fb938fadd46c18cf50e4b4fe4c55b753a603ce7badf4945/detection
# Reference: https://www.virustotal.com/gui/file/3d7596476c46404999c7f7529706e122c7eb07f0069e750db8cf782f558f7e99/detection

45.40.96.230:7958
68.221.121.160:9095
78.46.215.90:5060
78.46.215.90:50
tudoprafrente.org
tudoprainfo.info

# Reference: https://x.com/Dkavalanche/status/1807774094059831434

kfhrwiurhwhaw.com

# Reference: https://www.trendmicro.com/en_us/research/24/g/mekotio-banking-trojan.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/g/mekotio/mekotio-banking-trojan-threatens-financial-systems-in-latin-america.txt
# Reference: https://www.virustotal.com/gui/file/83ece90081040f5f227204d23113f02bba9b2f01963678cb053a076fe7d49006/detection

http://23.239.4.149
http://68.221.121.160
http://68.233.238.122
68.233.238.122:9091
tudoprafrente.co

# Reference: https://www.virustotal.com/gui/file/6eca783757e911d5e389dd688c1e1d46f83dd215965f412da58bd32f1d4111eb/detection

zautoservice.eu

# Reference: https://x.com/johnk3r/status/1819482359030599727
# Reference: https://www.virustotal.com/gui/file/b7d114fa7e85971067cd6fa891db5a69b38e44182cdb8b5016d560d83464a6d8/detection

downconnect03.com
down.downconnect03.com

# Reference: https://x.com/Merlax_/status/1824844920672403658
# Reference: https://www.virustotal.com/gui/file/4df183d6abaf3e9a2edae1019742586854325f3018ef424db1db68ccbcfa1daa/detection
# Reference: https://www.virustotal.com/gui/file/00e902835f7be0f228555f57b1526da96a71d5736c5b931038f74b6e676f82b1/detection

http://50.62.182.1
50.62.182.1:9095
httpswwwetsycomyourshopscraftd.com
operational.from-tn.com
/contadores/1BunyliT.php

# Reference: https://x.com/1ZRR4H/status/1825777627673636983

http://104.200.20.184
artin-services.com
/contadores/naaX3yqR.php
/naaX3yqR.php

# Reference: https://x.com/SeguInfo/status/1826596090298142882
# Reference: https://x.com/pollo290987/status/1828670761638191313
# Reference: https://www.virustotal.com/gui/ip-address/159.223.34.35/relations
# Reference: https://www.virustotal.com/gui/file/0a4c8e33ae365c7d0dc396a29ba1571c0031efb89aa7dcddcc4d88e356bb72b4/detection
# Reference: https://www.virustotal.com/gui/file/f611abcf460c57eed76673b74236e9e45d62481471fa2dec0112a35202dadce0/detection
# Reference: https://www.virustotal.com/gui/file/d7453e419eb765ec550533c8171ea230c34b3644923ebdea0cc9ea177ee6e59e/detection
# Reference: https://www.virustotal.com/gui/file/c9c8bc79ffcbed4de8f2590c0bd3386cf6399bcea609859f81cb87a3cb901fa0/detection

http://37.148.205.26
37.148.205.26:9095
centromediacionrafaela.is-an-anarchist.com
/contadores/092ISaOO.php
/contadores/1UhDeshm.php
/contadores/4ctNAT.php
/contadores/I6Cn8J4.php
/contadores/JWm1S.php
/contadores/SSn6VL.php
/092ISaOO.php
/1UhDeshm.php
/4ctNAT.php
/I6Cn8J4.php
/JWm1S.php
/SSn6VL.php

# Reference: https://x.com/V3n0mStrike/status/1829381628050776100
# Reference: https://www.virustotal.com/gui/file/12e2cf5789bee7e1550c471a9eebc1a8badefb0de643e09dc21e3f15708cc08b/detection
# Reference: https://www.virustotal.com/gui/file/f7039e7ee234f977f438df91645f0a257396ea01c823b3aba0e705ff61ddfee5/detection
# Reference: https://www.virustotal.com/gui/file/d70b2b6bec09ec768f8dc83414c554f11eb850396dff9d6eee16936972c6709d/detection
# Reference: https://www.virustotal.com/gui/file/a7851cbae7a8232cf19af26f6e22b435bdee7f082bd4b8de3a6752cbf59ee96f/detection
# Reference: https://www.virustotal.com/gui/file/9b1fbedd203e6cfb0ecc8020c39cb646d232498a8274662c4361093e7e65513f/detection

http://69.164.195.107
69.164.195.107:8901
/contadores/LnLZjT.php
/contadores/Q2Dvl.php
/contadores/UlKlEt.php
/LnLZjT.php
/Q2Dvl.php
/UlKlEt.php

# Reference: https://www.trendmicro.com/en_us/research/24/i/banking-trojans-mekotio-looks-to-expand-targets--bbtok-abuses-ut.html
# Reference: https://documents.trendmicro.com/images/TEx/Mekotio-and-BBTok-IOCsktvYaQ0.txt

2aQRFDIQFEW5tZLsTRkFKKbLzaorKTbRJNcTI27mGpO4Hd2LEgDanLZ40Gss.b-cdn.net
3XS8FBP6rB5oDi8YsQKATFXJzIEdFPV1JBjO00upG7GqO6uNq9xtJ4o3TtoG.b-cdn.net
5OS4X7KAvxY11gjE3lfKGHUqbwswTGMf4jmy3FX0foOsDp1ESfdmtLms2pzi.b-cdn.net
c0m45f8wfr0AXxwGObF8IXlakEaMcnkU4UFVlNlOkhUqjYCVBhrMX2nruV1p.b-cdn.net
crgaestudiojuridicoujko.isa-geek.net
/contadores/m4Ii5mn.php
/m4Ii5mn.php

# Reference: https://x.com/1ZRR4H/status/1834048469973020736/history
# Reference: https://www.virustotal.com/gui/ip-address/149.28.209.180/relations
# Reference: https://www.virustotal.com/gui/file/f6f6391f3d3fe8a68e98ee4a62a60cbee202e60a6caebb5b25065d8433dfc197/detection

http://104.237.133.31
104.237.133.31:8901
clserviceon.com
ssproeducare.com
/contadores/Xtt7JrB.php
/Xtt7JrB.php

# Reference: https://x.com/pollo290987/status/1834697283390070837
# Reference: https://x.com/pollo290987/status/1834697314046558459
# Reference: https://www.virustotal.com/gui/ip-address/45.66.231.167/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.92.245.166/relations
# Reference: https://www.virustotal.com/gui/ip-address/94.156.65.240/relations
# Reference: https://www.virustotal.com/gui/ip-address/94.156.67.8/relations
# Reference: https://app.validin.com/detail?find=Facturacion%20y%20Cobranzas%20PDF%20y%20XML%20-%20Mexico&type=raw&ref_id=1de0be2f7f8#tab=host_pairs_v2
# Reference: https://www.virustotal.com/gui/file/cf0c1b95a63a9103c759ac43feaca125d5a32f407b416e6f2e3a04dbe1017e7f/detection
# Reference: https://www.virustotal.com/gui/file/bb090743abd6f45b402f2bfad6ce9a73b5d6a848e3e6abfe0b2ecaaf638ade59/detection
# Reference: https://www.virustotal.com/gui/file/b993dd5fb6ef1f3635965db1d288e7476fdd073050ce3c4f0ff0948e51282355/detection
# Reference: https://www.virustotal.com/gui/file/31ca3a05802a600e956b50c3eb77de03a00f9c0b43ae8a09a5be959006cddf7f/detection

http://148.72.245.86
http://208.109.228.194
http://208.109.33.60
http://45.66.231.167
http://72.167.33.143
http://91.92.240.122
http://91.92.245.166
http://92.205.177.207
http://92.205.18.244
http://92.205.57.212
http://94.156.65.240
http://94.156.67.8
91.92.240.122:8089
acess-client-web.world
acess-clientweb.world
acessclientweb.world
acessoportugal.world
bitvavo-distribution.com
busd-distribution.com
buyer-listing.com
chrono-connexion.com
clbc-onlinerecov.info
client-websector.world
clientsector-site.world
clientweb-sector.world
clientwebsector.world
connexion-dcp2.com
decrypt-dcp.com
distribution-kucoin.com
email-eportual.world
eportugal.world
listing-buyer.com
market-asset.com
market-listing.com
market-listings.com
marketplace-deal.com
navigation-anti-bot-windows.com
portugal-acesso.world
recaptcha-windows.online
sector-cliente.world
sectorcliente.world
webacess.world
windows-recaptcha.online
whatsapp.eportugal.world
/contadores/6Mpsoq1.php
/contadores/9XW06XH8.php
/contadores/crbQBSDh.php
/contadores/kFcNm.php
/contadores/rhGURJ.php
/6Mpsoq1.php
/9XW06XH8.php
/crbQBSDh.php
/kFcNm.php
/rhGURJ.php

# Reference: https://x.com/Dkavalanche/status/1838578684543860757
# Reference: https://app.any.run/tasks/6f078dcf-dfef-49f1-bb12-2b29b4da49e8

http://185.241.6.33
185.241.6.33:9096
/contadores/7eTYK7.php
/7eTYK7.php

# Reference: https://www.virustotal.com/gui/file/c79e64629fa18dad84a347fec2716f5d76804503706dbe91e78d15cec553e22d/detection

50.114.32.234:7023

# Reference: https://www.virustotal.com/gui/file/67607e4785ddefaf7772d69e5af8fc5bbfcfda044bfe6f25b799039185580537/detection

bvvkhvvkzrrrcpf.zapto.org
rswxumzkpvjgpey.zapto.org

# Reference: https://www.virustotal.com/gui/ip-address/5.189.204.32/relations
# Reference: https://www.virustotal.com/gui/file/0b2ddbf3c031d5ede0efecbd3be743e1f3ba6708c61c2223f8bd5904a51100dc/detection

nqsh4qmibwevbvzclhi.zapto.org
starlingome.freeddns.org

# Reference: https://x.com/1ZRR4H/status/1843621676526792900
# Reference: https://www.virustotal.com/gui/file/0e70669e7b9bea99e47371300d6c8eba86fb7470d682052db978a6a54b9743b7/detection

http://194.36.90.111
194.36.90.111:9099
/contadores/a0AgY.php

# Reference: https://x.com/johnk3r/status/1844739164790460913

lattescnn.com
modulacao.info
in.lattescnn.com
in.modulacao.info

# Reference: https://x.com/1ZRR4H/status/1851671430225891597
# Reference: https://www.virustotal.com/gui/file/890c0c8d8d06a37b866b875bd679c8147a4a4c3dd8dbc5f0c072630b31d035e0/detection
# Reference: https://www.virustotal.com/gui/file/66d759c91948effc1d28df8606d3c8e97df5eb135392562ab455bc2ce5d4eab1/detection

http://172.104.150.66
172.104.150.66:8901
/contadores/pCK0xoI.php
/pCK0xoI.php

# Reference: https://x.com/Dkavalanche/status/1854539561491132874
# Reference: https://x.com/Dkavalanche/status/1854540601938657429
# Reference: https://www.virustotal.com/gui/file/14769531a2f44d4ac1d945efee196138f13d1570ce8f6ae96957dc6fd666fda7/detection

http://3.19.228.26
chaapghorbd.com
/contadores/D020nO.php
/D020nO.php

# Reference: https://x.com/Dkavalanche/status/1854560564229411269
# Reference: https://www.virustotal.com/gui/ip-address/18.222.44.124/relations
# Reference: https://www.virustotal.com/gui/file/ecdb9fbf6cfcc4e54491e6021045b39da8f09d3bc815124d62cf0a5a3d7ab004/detection

18.224.15.134:5019
lucacocinas.com.ar/mobile/fonts/phicons/files.txt
chuckchuck20g.ddns.net
oper22mito.duckdns.org
socnetfiles01.hopto.org
websuportbbb1.duckdns.org

# Reference: https://x.com/Merlax_/status/1856305950355009961
# Reference: https://www.virustotal.com/gui/file/b0e38bb6ea1e1ca5abc31b2c7c86332726a503311ee4ca65676803ad401aa513/detection

http://217.148.142.36
172.86.86.84:8005
ngchengxin.com
/contadores/2nBSRL7.php
/2nBSRL7.php

# Reference: https://x.com/Merlax_/status/1859348492780699845

37.148.203.62:8088
69.164.205.103:7957
pianoocabam2025.space-to-rent.com
setember2024.is-a-designer.com
zinco.cfd

# Reference: https://x.com/johnk3r/status/1870114321163776216
# Reference: https://tria.ge/241220-r2z4fsylel/behavioral2
# Reference: https://www.virustotal.com/gui/file/ddd8e29d811eeb51f8408875241d3a7b825dacb9db3ef613580ad9703a69eb7d/detection

webmailcontabilidadecrx.net
faturas.webmailcontabilidadecrx.net
mail.webmailcontabilidadecrx.net
site.webmailcontabilidadecrx.net
/notafiscal/receive_info.php

# Reference: https://x.com/Merlax_/status/1885110189021356405

18.218.230.46:3070
45.61.149.7:8005
51.89.4.245:7957
molejo.online

# Reference: https://x.com/1ZRR4H/status/1894935636622152074

serviciodelimpiezaperu.com

# Reference: https://x.com/Jane_0sint/status/1900943253425570145
# Reference: https://www.virustotal.com/gui/file/f7ff89e833256cadbac20e48af4149e89a39ff095c0996e3e94a5b7c329271f8/detection
# Reference: https://www.virustotal.com/gui/file/f61e836ecd8384e557665923a988317432f0592ca639f59dceb26ebedbf8f97a/detection
# Reference: https://www.virustotal.com/gui/file/33bb095cbe2d0127b6b4c1d64790e49c17b8e6c787eb90679765045c28711ff6/detection

173.249.202.62:445
filehosting.is-certified.com
filehosting.is-saved.org
/notafiscal/get_ver.php

# Reference: https://x.com/Merlax_/status/1928567717558104406

http://194.147.58.148
http://37.60.228.179
http://62.171.165.143
http://62.171.171.60
http://84.247.191.101
3.17.75.164:3070
54.173.82.92:157
54.173.82.92:6214
54.173.82.92:9431
envbri33xp.hopto.org
vmi2624165.contaboserver.net

# Reference: https://x.com/dodo_sec/status/1958908689697452379

http://3.135.194.95
http://3.141.199.105
/09_nsabdo/receado.php
/14_ytashev/tribos.php

# Reference: https://x.com/1ZRR4H/status/1961896397420069162

grupopiclebrija.gov.co/DocumentoTributario/FacturanNET/
moreintegracion.com/robot/
saferrwanda.org/metallica/

# Reference: https://x.com/johnk3r/status/1968668634764509599
# Reference: https://www.batuta.com/mosquito-the-new-infostealer-arrives-to-mexico/
# Reference: https://www.virustotal.com/gui/file/16c3cffa92039a85c9079750d5ddfe2ef0f1f88bae3d92ed72c5dcb89bc93fd5/detection

138.201.149.48:3077

# Reference: https://x.com/smica83/status/1978482777495622080
# Reference: https://x.com/smica83/status/1978485925555376433
# Reference: https://www.virustotal.com/gui/ip-address/103.144.139.202/relations
# Reference: https://tria.ge/251015-sc1jcstry9/behavioral1
# CLASS_0_HASH-HOST=8c6de243aa81536c7beaed560d82ad69

0593documcampaignid.servehalflife.com
3npzdp7imflc0tle.serveftp.com
cj0kcqjwzove67jbh.serveftp.com
cj0kcqjwzovebhdvari.serveirc.com
contatosnfe.gotdns.ch
gcapgunu8ceserdt.duckdns.org
ilgfipcjvhs0gca.servehalflife.com
nxcjqgqrnyvrxpaakaarnyealw.duckdns.org
contato.nextempresarial.com
fistveganbr.site
lnj-bhilwara.in
lnj-bhilwara.in.allexamonline.com
mail.lnj-bhilwara.in
metitask.site
nextempresarial.com
nfprefeituonline.com
stollerfinanceiro.site
trektop.online
webflixi.vercel.app
huuuaasceeauq.blob.core.windows.net
/zuiasrazzjurz/smpackage.cab
/escritorio40594/
/zuiasrazzjurz/

# Generic trail

/amorplus/brume.php
/contadores/acessar.php
/guia/brume.php
/hooponopono/puma.php
/ho_oponoponoag/brume.php
/nossasrdaga/brume.php
/online/sharlins.php
/marclara/total.php
/tampler/marcador.php
/verpra/filmes.php
/naotem/jormal.php
/anti/ideial.php
/antigo/cupla.php
/again/?oriudfjdfij88
/?oriudfjdfij88
