# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: castleloader, castlerat, tag-150

# Reference: https://x.com/JAMESWT_WT/status/1958947921598062796
# Reference: https://www.virustotal.com/gui/file/f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be/detection

# Single domain indicator for the two references above. The second reference
# is a VirusTotal file report, so the link between that sample and this domain
# is best confirmed there before the entry is used for attribution.
# NOTE(review): no first-seen date is recorded here; check that the domain is
# still relevant before moving it from alerting to blocking.
programsbookss.com

# Reference: https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2
# Reference: https://raw.githubusercontent.com/eSentire/iocs/refs/heads/main/Nightshade/Nightshade-IoCs-09-01-2025.txt

# ip:port indicators. Every address below is listed three times, once each
# with ports 33336, 33337 and 7777, followed by one domain at the end.
# NOTE(review): presumably each entry is matched as an address-and-port pair,
# so traffic to the same address on another port is not covered by this
# section - confirm against the consumer of this list.
# Six of these addresses (104.225.129.171, 178.17.57.102, 34.72.90.40,
# 45.61.136.81, 5.35.44.176, 91.202.233.250) appear again further down this
# file under the Recorded Future reference with different ports or as http://
# entries; keep both sections in step when an address is retired.
# The referenced IoC file carries the date 09-01-2025 in its name. Addresses
# that belong to hosting or cloud providers can be reassigned, so a hit on an
# old entry is a lead to verify, not proof of compromise on its own.
102.135.95.102:33336
102.135.95.102:33337
102.135.95.102:7777
104.225.129.171:33336
104.225.129.171:33337
104.225.129.171:7777
107.158.128.45:33336
107.158.128.45:33337
107.158.128.45:7777
107.158.128.90:33336
107.158.128.90:33337
107.158.128.90:7777
170.130.165.28:33336
170.130.165.28:33337
170.130.165.28:7777
173.232.146.90:33336
173.232.146.90:33337
173.232.146.90:7777
178.17.57.102:33336
178.17.57.102:33337
178.17.57.102:7777
180.178.122.131:33336
180.178.122.131:33337
180.178.122.131:7777
180.178.189.17:33336
180.178.189.17:33337
180.178.189.17:7777
185.149.146.118:33336
185.149.146.118:33337
185.149.146.118:7777
185.149.146.1:33336
185.149.146.1:33337
185.149.146.1:7777
185.208.158.250:33336
185.208.158.250:33337
185.208.158.250:7777
195.201.108.189:33336
195.201.108.189:33337
195.201.108.189:7777
34.72.90.40:33336
34.72.90.40:33337
34.72.90.40:7777
45.11.180.174:33336
45.11.180.174:33337
45.11.180.174:7777
45.61.136.81:33336
45.61.136.81:33337
45.61.136.81:7777
5.35.44.176:33336
5.35.44.176:33337
5.35.44.176:7777
64.52.80.82:33336
64.52.80.82:33337
64.52.80.82:7777
77.238.241.203:33336
77.238.241.203:33337
77.238.241.203:7777
79.132.130.142:33336
79.132.130.142:33337
79.132.130.142:7777
91.202.233.132:33336
91.202.233.132:33337
91.202.233.132:7777
91.202.233.250:33336
91.202.233.250:33337
91.202.233.250:7777
91.202.233.251:33336
91.202.233.251:33337
91.202.233.251:7777
94.141.122.164:33336
94.141.122.164:33337
94.141.122.164:7777
# Domain indicator listed under the same two references.
tdbfvgwe456yt.com

# Reference: https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations

# Mixed indicator forms for this reference: three http:// entries that carry
# only an address, ip:port entries on ports 443, 7777 and 33334, and three
# domains at the end.
# The three http:// addresses and 104.225.129.171, 34.72.90.40 and 5.35.44.176
# also appear in the ip:port section earlier in this file with ports
# 33336/33337/7777; review both places when one of them is updated or removed.
# NOTE(review): the :443 entries share a port with ordinary TLS traffic. If
# one of those addresses is reassigned to another tenant, matches on it will
# be false positives, so these are the entries most worth re-validating.
http://178.17.57.102
http://45.61.136.81
http://91.202.233.250
104.225.129.171:443
144.208.126.50:443
185.125.50.125:7777
185.196.10.8:7777
185.196.9.222:7777
185.196.9.80:7777
195.85.115.44:443
34.72.90.40:443
45.11.180.198:7777
45.144.53.62:7777
5.35.44.176:443
77.90.153.43:7777
79.132.131.200:7777
85.192.49.6:7777
87.120.93.167:7777
91.212.166.17:33334
teamsi.org
teamsio.com
teamsoftdigital.com
