# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.fortinet.com/blog/threat-research/circle-of-the-fraud-more-information-about-bitcoin-orcus-rat-campaign.html

adobe.br.com
bitcolntalk.com
bitcolntalk.org
bltcointalk.com
bltcointalk.org
bltcolntalk.com
bltcolntalk.org
githvb.com
qithub.org
qunthy.org
wcx.nz
wex.ac.nz
wex.ms

# Reference: https://twitter.com/oguzpamuk/status/1165739004974817280
# Reference: https://app.any.run/tasks/bc90ea8c-24fd-43d1-a831-2246eca40e32/

65.49.81.174:1337

# Reference: https://twitter.com/JayTHL/status/1188666712813719552
# Reference: https://www.virustotal.com/gui/ip-address/176.227.191.12/relations
# Reference: https://www.virustotal.com/gui/file/ab27de99f9af5b25c51a452734624d275be3f375acb8e2e196753f58edd7ff61/detection

176.227.191.12:1337
176.227.191.12:8080
fbkw.tk
glared.ga
kekw.tk

# Reference: https://www.virustotal.com/gui/file/246ed49ede850eaafddff2794415bb71eca90238b8c3ef7969f2a2d9247761a5/detection

176.227.191.12:10134

# Reference: https://www.virustotal.com/gui/file/ba6ac57263f886ec57dbc7d91705bc997a6ee9e0e4753bb1e28036245fa5d954/detection

176.227.191.12:1564

# Reference: https://www.virustotal.com/gui/file/abbf1a3dc2074173f0679edbc25b7e835a799684151f4f5ceb2174515a30f2b6/detection

176.227.191.12:2002

# Reference: https://www.virustotal.com/gui/file/a83458a20fa9f2dd5f58d8bb0b08f9e3c64640b4898d14d4f1494130b9ef2357/detection

176.227.191.12:6666

# Reference: https://www.virustotal.com/gui/file/84a550cd5c0ab129a3e7ddf222e6e20b30e8126abf297d1765c17ef079c8ca9e/detection

176.227.191.12:7007

# Reference: https://twitter.com/JayTHL/status/1199555057513046017
# Reference: https://www.virustotal.com/gui/file/49bd78001249923b28dc30e6c52e121fea38fb58f29c15968379488b4de53c30/detection
# Reference: https://www.virustotal.com/gui/file/fc04d2256cdf30a4fcf5eba79c9d451e3e3d20ba01740edce82c0fe697ffa191/detection

6.6.6.6:5631
warfram3client.duckdns.org

# Reference: https://www.virustotal.com/gui/file/f1e09e33334341d3a91e93a1cf44d5c4d7ac420c5e7a1b7d608b6388174de1d0/detection

154.234.192.165:500

# Reference: https://twitter.com/JAMESWT_MHT/status/961905004960468992
# Reference: https://app.any.run/tasks/d8405f6a-e8a5-45e0-abd2-c7fa5ec899ec/

stinkletjet.me

# Reference: https://twitter.com/James_inthe_box/status/948880929342173184

88.150.189.98:9989

# Reference: https://twitter.com/James_inthe_box/status/913131729233133568

212.83.170.126:2325

# Reference: https://www.fortinet.com/blog/threat-research/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors.html
# Reference: https://www.virustotal.com/gui/file/6554fabddabac2b14cb3209393a13471e7fe985750f1a9a8f030d1ebbc8dff35/detection

172.111.160.213:10134

# Reference: https://www.virustotal.com/gui/file/851f5ea787e9a287880c4a6d05c57e1014605e9a42bae5e3cf770fcd0fe8fb3a/detection

192.69.169.25:10132
ssniper.duckdns.org

# Reference: https://www.virustotal.com/gui/file/bf9bb8e1d8bf2de2b73ae7c8e8c5c58083ebe55b0981364e4b976260b3880350/detection

162.200.139.146:1337
voltaire.zapto.org

# Reference: https://www.virustotal.com/gui/file/14eb56236bfd39bd8f7cf62c1ec4d50aeaac64d1e17ebf6772a3c259959e0bbb/detection

162.200.139.146:1604

# Reference: https://www.virustotal.com/gui/file/a7d7820eb3ac86718b610030e814fc10da5bc9e5612f35a640e797e23fba6ca4/detection

mistervoltaire.duckdns.org

# Reference: https://www.virustotal.com/gui/file/11f1090f1ae7cf8bb9a811f7eb6e1f18d33bd44d639e06e031d0ba071eaabd23/detection

185.101.92.3:1919

# Reference: https://www.virustotal.com/gui/file/05040a3af990ed78d087cbaa1e29220f2810b200ce6a0db37dfe869c93381379/detection

104.244.75.220:9340

# Reference: https://www.virustotal.com/gui/file/933dc2ab7637ebaa57187cd43b1ea700499ea53a0e2e5ef7c768b0d43833532b/detection

193.56.28.134:2222

# Reference: https://app.any.run/tasks/5308b1f1-fc1d-41df-9a51-36d9f209caba/

13.68.91.206:9337

# Reference: https://www.virustotal.com/gui/file/48be5ae5cb8e6155352d0936f4785d3da1c1e2a8d0f86f14b240627b378f3a56/detection

66.26.181.172:10134

# Reference: https://www.virustotal.com/gui/file/3fea35061269dd2ecfd1a3561d6490df0586584fd7273510da3602359128e9cf/detection

185.114.225.60:1337

# Reference: https://www.virustotal.com/gui/file/352d043e9d06d67fbc5250dd1183edf4b6b6efc72c86584ab1af183034e345c2/detection

104.128.234.104:1337
takethei.duckdns.org

# Reference: https://www.virustotal.com/gui/file/f456d4d5a9233fd787622e0827eeaf5a945e1a808de5312fb57fe4d8feaacecc/detection

45.76.57.32:1337

# Reference: https://www.virustotal.com/gui/file/906f097c2e91c5fafcc8a4d5b480e6cb89d45977d799615a68d6f0689e6c3a52/detection

185.198.26.245:1337

# Reference: https://www.virustotal.com/gui/file/65f750af58456ce7ff79936dba02c53bb4802f0c9acd81e7e37039a21ed06063/detection

206.189.192.66:1337

# Reference: https://www.virustotal.com/gui/file/802f6b02bcfe6cb847a055acdceb8ce3caf1cee6a42ea82baa13e510288bca0d/detection

185.198.26.245:1337
192.169.69.25:1337

# Reference: https://www.virustotal.com/gui/file/6df589eb6933aecc36c73ec13878188843ff7ea2754dc4e05906846524ee99d5/detection

51.68.92.105:1337
1337hax0rs.hopto.org

# Reference: https://www.virustotal.com/gui/file/72a9bcb559629c758cbc4da43d78ff0402eee8b1037534fd50d9c5c9435b8f67/detection

185.114.225.60:1337
51.68.81.247:1337

# Reference: https://www.threatcrowd.org/malware.php?md5=2777e5b529531cb2ce4dfaf51e029cc1

menusbyxarva.tk
menusbyxarva.ga
menusbyxarva.ml
menusbyxarva.cf

# Reference: https://twitter.com/abuse_ch/status/1233659527989325825

35.192.205.70:6969

# Reference: https://www.virustotal.com/gui/file/aa43e982c2852d515224124f835c5222895525d4dfba78215dfab38421448197/detection

196.89.40.35:3365

# Reference: https://www.virustotal.com/gui/file/713111b19f47264a55f126daeb8e0cdcfa477caad3c62dafceb6dfb726a9b858/detection

91.218.65.24:3333

# Reference: https://www.virustotal.com/gui/file/4491b49ec07c3c0cb02ce71fe84f42dc3f51e31d37d2773d81a64c27fa266076/detection

91.218.65.24:10134

# Reference: https://www.virustotal.com/gui/file/0f788b53c047325fa4478a4e35532547fb4e6f16c14d9b7bc6d7eb2606faa25e/detection

91.218.65.24:5634

# Reference: https://www.virustotal.com/gui/file/dd746a6d73f73034d24ae56938ad02370bbdade419c2bfe7cebba1efb9c29072/detection

91.218.65.24:1337

# Reference: https://www.virustotal.com/gui/file/10f9c60cae4b545950b7c92893d5c163f5a7d961346f2b3e9f3cc98069e509db/detection

91.218.65.24:7777

# Reference: https://www.virustotal.com/gui/file/edf5f9bb676e7108c411eed1c1cd1cd322621b7f874b67dc585828dc9d9c5214/detection

140.82.57.249:9876

# Reference: https://app.any.run/tasks/4348840b-74d2-4a36-8b4f-30f7c5c78ac4/

193.161.193.99:40601
nickman12-40601.portmap.io

# Reference: https://www.virustotal.com/gui/file/6610169683c653daa73ebbe240ab6aedbdf029cc1dec4b72e7573b2a6fda61c0/detection

116.39.19.117:3

# Reference: https://www.virustotal.com/gui/file/1110bec1dada5b6ed0042149c1941db248277f3b2b409f693f46e0930920f788/detection

121.130.181.73:3

# Reference: https://www.virustotal.com/gui/file/c65a4ac63d28c402afd57b79e12c6d61105d6d6a01860876bfa44efd797689dc/detection

141.255.154.37:1212
141.255.146.73:1212

# Reference: https://app.any.run/tasks/d334bd67-4079-452e-88be-d924ba7203cd/

89.208.221.195:14500

# Reference: https://www.virustotal.com/gui/file/4ef58d34d748aae0e1143faba71238eb9910cea26cbc530d8d3c125d8c60789e/detection

88.123.12.74:20030

# Reference: https://app.any.run/tasks/1e5abf39-f919-41c8-954d-d72874ce6a15/

144.202.9.121:101

# Reference: https://app.any.run/tasks/294f5e39-60d3-4f96-9fc0-65935ce602dd/

185.239.242.234:1738

# Reference: https://app.any.run/tasks/f34ccc3a-6b82-4aa0-867a-ebf3a9f669ae/

5.83.160.177:60011
82.228.72.90:60011
macronemmanuel.tk

# Reference: https://app.any.run/tasks/b25b2ef4-14cd-42c2-a59b-e336fcd05149/

178.150.186.188:7771
kirill2811.ddns.net

# Reference: https://app.any.run/tasks/ea5216eb-a0d4-4848-8c94-f613809f31a3/

13.58.162.35:8739
orcushack.ddns.net

# Reference: https://www.virustotal.com/gui/file/f02a7e84be2f16d0367b4f01781e6b10d6ff522c767d2294349b233e4c7195b1/detection

45.140.146.29:10134

# Reference: https://app.any.run/tasks/7adda6c1-ff18-4d63-9a17-b3a6941ba473/

193.161.193.99:27371
ParadoxZenon-27371.portmap.io

# Reference: https://twitter.com/petrovic082/status/1357973355165585408
# Reference: https://app.any.run/tasks/891171ac-402b-49ca-b121-b0e04560e90e/

193.161.193.99:51357
reqwah-51357.portmap.host

# Reference: https://app.any.run/tasks/2ff5f3ba-fb88-4abc-bec8-6f2e79cb59e8/

145.249.220.15:10134
skalede767.hopto.org

# Reference: https://app.any.run/tasks/64263906-2813-42a1-b04b-5a103e23738f/

3.128.190.178:1604
orcustop4ik.duckdns.org

# Reference: https://www.virustotal.com/gui/file/b2b168bf95857cebb26045f1c8f393aff09126a78f3030a172a160ac4854ccff/detection

31.220.4.216:55551

# Reference: https://www.virustotal.com/gui/file/5519951fbf86c9b18e4aee9ad22be8ca31bd84f5b4cccebf76b4aa47eb2c9ce2/detection

145.249.216.199:10134
danst9364.hopto.org

# Reference: https://www.virustotal.com/gui/file/ff9f613548004aa9b8fecf065df4e430300333ebb8f9f8797a2325c6200f01ab/detection

newgate.publicvm.com

# Reference: https://otx.alienvault.com/pulse/6093db7387777eeb731864eb

briaseynan.xyz
6yis.hyperfast.ru

# Reference: https://app.any.run/tasks/0d7bb251-7761-484b-a05f-3df038d36c3a/

109.108.78.4:6666
vertik.ddns.net

# Reference: https://otx.alienvault.com/pulse/60b22df3fe03195e2183cc9d

mehack1234567.ddns.net

# Reference: https://otx.alienvault.com/pulse/60bcb9f5d4b06e9237fc4c77

dbxzpalgedvrvpunalvkzafpwztssi-21177.portmap.io
stormy.webhop.me

# Reference: https://tria.ge/210712-c9zwaz3llj/behavioral2

3.137.146.78:6666

# Reference: https://tria.ge/210627-txnqrvge6e

3.143.239.116:10134

# Reference: https://tria.ge/210629-3betpwy4qj

74.201.28.60:4296

# Reference: https://www.virustotal.com/gui/file/e8038cddd13b772e9179b731d54685773013add7ae588ecf2aa88559cf075b9f/detection

http://178.5.71.180
nzxtsh.duckdns.org

# Reference: https://www.virustotal.com/gui/file/02612058d7fd3c873536b1d2fec693ccbc3b2fb74352bdad919a0d48654526a4/detection

167.99.165.142:8012
rawrxdd.duckdns.org

# Reference: https://app.any.run/tasks/5ff6bb0f-acc1-4d81-9bda-92f140b3d833/

209.209.113.53:1900

# Reference: https://app.any.run/tasks/d52d1285-d1a2-41a8-b934-51046efa2745/

3.19.130.43:19001
adenere.duckdns.org
alabay22212.ddns.net
asdasdsaads.ddns.net
biiilasks.ddns.net
cehitop.ddns.net
drakaaa.ddns.net
fevertoxs.duckdns.org
googleapis2m.duckdns.org
iadalbaebidaun.ddns.net
javaservices.ddns.net
laserhost.ddns.net
mehack1234567.ddns.net
meowlin.duckdns.org
nnnnssss123.ddns.net
soda1234.ddns.net
WindowsAuthentication324-49629.portmap.host
yrayra.hopto.org

# Reference: https://www.virustotal.com/gui/file/0da086f1094a7cb89a1f1046fb4b70d291e305dfa94c842ab03b1c129c0d2694/detection

213.183.58.24:6318
servicesone.duckdns.org

# Reference: https://www.virustotal.com/gui/file/5002a9dc45ff0997c96b0ede268dc9dce7764a3eb1245486f2049d6bebf452b2/detection

2.99.226.190:10134
quack11.ddns.net

# Reference: https://www.virustotal.com/gui/file/86d82d0589be7238b9b50a7bdc9a5316588e4adfaa98b573fad179d37b813deb/detection

maks5554378.zapto.org

# Reference: https://otx.alienvault.com/pulse/6241a471e7789affc7863540
# Reference: https://www.virustotal.com/gui/file/653265698129dc5ef061e964f35dbe0bc28c367aa0b1697c48c74105ec4acd0c/detection
# Reference: https://www.virustotal.com/gui/file/5920b674bf1462108adb923ca041f10408833f8f2be2207140d651de4c3567cc/detection

25.20.118.185:10134
79.105.117.169:10134

# Reference: https://www.virustotal.com/gui/file/560f386039cad5c2d9c3b21537f7fc0001d8bd3974f752b9d2b409defda45fb5/detection

3.141.177.1:11897

# Reference: https://www.virustotal.com/gui/file/11ca697e07adf990a5e1b84685ef12a11805a6f37d9515daf2519f3728b06270/detection

158.58.172.55:43586
dexx12.ddns.net

# Reference: https://www.virustotal.com/gui/file/d7d9cd6cc6d2becd8e0d2526b9cf22a82582c0e06970788fe5d9a0f44297e520/detection

79.176.141.253:1604
79.178.241.165:1604
xeirz.ddns.net

# Reference: https://www.virustotal.com/gui/file/389b36c46d4bd5a2227d7dc65230536cb318e71a9c591878e9a6c319665f5917/detection

128.59.46.86:3456
orcus.nyashteam.ml

# Reference: https://www.virustotal.com/gui/file/26d8398a40af0e5d8d6502e761cdc57d0b83f14a55c453b373211d392df4b619/detection

96.81.132.123:7007
sr.fbkw.ru

# Reference: https://www.virustotal.com/gui/file/1e9fa3fe7ea9623548f0bb27b43f3cf7edbbd8d86611995caed3e85d6bb45baa/detection

176.227.191.12:2002
s0.kekw.ru

# Reference: https://www.virustotal.com/gui/file/1e5baed9725fdd5f257faee6822f2abe6bcc3835f4d34798047f6dd42ac30950/detection

176.227.191.12:1564
s1.kekw.tk

# Reference: https://www.virustotal.com/gui/file/84a550cd5c0ab129a3e7ddf222e6e20b30e8126abf297d1765c17ef079c8ca9e/detection

176.227.191.12:7007

# Reference: https://www.virustotal.com/gui/file/4191e8e2d78daa7f7dd3dd728e4a284e6dd217be80b71c5215839a447952ce2a/detection
# Reference: https://www.vmray.com/analyses/_vt/4191e8e2d78d/report/network.html

142.126.195.122:10134
mvncentral.zapto.org

# Reference: https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/
# Reference: https://app.any.run/tasks/55dce88d-b52c-4a51-b3c8-b8e6dcff0b13/
# Reference: https://www.virustotal.com/gui/file/6e4a1ceaa4080025f7993880cd650a10283555d8bae65c0db421b539e5450517/detection
# Reference: https://www.virustotal.com/gui/file/258a75a4dee6287ea6d15ad7b50b35ac478c156f0d8ebfc978c6bbbbc4d441e1/detection

209.25.140.180:52932
209.25.141.180:52932
katana.lol
fire-possibility.at.playit.gg
joe.katana.lol

# Reference: https://asec.ahnlab.com/ko/45153/ (Chinese)

minecraftrpgserver.com

# Reference: https://www.virustotal.com/gui/file/9c55028fbc8ff81990e3cb7040fd196acbd24c3753f7583cac02b0295b323fba/detection

147.185.221.223:5433
209.25.141.223:5433
been-david.at.playit.gg

# Reference: https://www.virustotal.com/gui/file/372f3033e983a5a4a1f862382f8545ef68ac514a870c8cb44b8c426a86a724df/detection

185.65.135.178:56406

# Reference: https://twitter.com/Gi7w0rm/status/1652641640593408006
# Reference: https://www.virustotal.com/gui/file/796ba530098b895341962be8f2c0de6acc18a3edcc5ed9dd2fac7867c0047fe1/detection
# Reference: https://www.virustotal.com/gui/file/9a719d2a58ba7b9d2579cf439de6ab66561d940a9a230c05af2690633c299420/detection
# Reference: https://www.virustotal.com/gui/file/9c776fd6ea5b02869f9ad5f5a7c74dcfe4d215de1b07d192f67216118e75938a/detection

45.66.230.222:6547
astaroth.gleeze.com
slava3256.ddns.net
slava3257.ddns.net

# Reference: https://www.virustotal.com/gui/file/7b137c1e9aaa4503a7fa5d3450b9260f6eadf11166ab4ac9c600bd08e0ae68c3/detection

87.225.125.214:2466
rdpread.dynnamn.ru

# Reference: https://twitter.com/James_inthe_box/status/1702051656400355468
# Reference: https://app.any.run/tasks/c7677991-3e52-41be-9659-b50d0f1b2296/

147.185.221.16:43179

# Reference: https://www.virustotal.com/gui/file/07b742c9303e04be588f20f51d68828cae04a1af02cb6d09a9d935007dbb4906/detection

86.105.9.67:5650
realitygaming.us
sellygg.tk
ab.realitygaming.us
blog.sellygg.tk

# Reference: https://www.virustotal.com/gui/ip-address/31.44.184.200/relations
# Reference: https://www.virustotal.com/gui/file/0eeea482e545c545cb0d2cb997f637799b97b2b29548afd9ef93519eac72cbe9/detection

sudorat.ru
sudorat.top
api.sudorat.top
client.sudorat.top
lk.sudorat.top
10135.client.sudorat.top
27976.client.sudorat.top
40004.client.sudorat.top
40005.client.sudorat.top

# Reference: https://threatfox.abuse.ch/ioc/1165776/

116.122.117.97:8081

# Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2023-10-11)

http://154.244.248.129
http://154.245.216.63
1.54.107.38:4444
116.103.214.233:1024
116.103.214.233:21
116.103.214.233:42132
116.103.214.233:8080
116.103.214.233:9025
138.197.66.62:22169
150.107.2.102:8080
16.170.253.123:10134
163.5.215.221:10134
164.68.126.53:1111
164.68.126.53:4444
164.68.126.53:8888
164.68.126.53:8899
164.68.126.53:9999
185.217.1.136:49411
188.27.189.65:8080
199.195.249.36:25535
2.58.56.242:3306
202.95.14.178:9993
210.6.234.3:2053
27.124.4.200:6606
52.59.165.93:10134
81.161.229.20:6969
85.209.176.26:1337
86.126.5.18:8080
89.208.105.120:4242
95.142.46.208:10134

# Reference: https://threatfox.abuse.ch/ioc/1191761/

88.119.171.56:443

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Orcus_Rat/orcus_c2s_initial_collection.txt

104.158.167.45:10134
104.248.32.109:22998
107.182.128.18:3030
109.134.115.180:1746
109.171.5.62:7139
111.90.146.85:1730
122.186.23.243:10134
128.59.46.185:10832
128.59.46.185:1707
128.59.46.185:20954
128.59.46.185:44657
128.59.46.185:50272
128.59.46.185:58101
134.122.63.65:2000
135.125.148.130:10134
136.144.41.171:10134
138.2.146.162:3544
146.70.143.176:81
147.185.221.16:18245
147.185.221.229:56094
149.154.69.124:2010
168.61.96.29:25565
176.107.177.67:10134
178.209.51.192:2777
179.43.176.20:5555
18.221.17.220:1604
180.92.195.68:25565
183.80.186.171:4444
185.163.47.163:10134
185.204.3.21:10134
185.205.239.197:13666
185.209.23.119:10134
185.217.1.185:911
185.231.155.9:39747
185.41.154.105:587
185.68.21.102:1738
185.94.29.170:10134
188.227.85.44:6969
193.111.248.239:10134
193.124.57.113:10134
193.124.67.212:10134
193.138.195.211:10134
193.161.193.99:47693
193.161.193.99:57974
193.161.193.99:58729
193.169.255.152:6969
193.242.166.48:1234
194.233.31.117:4444
194.26.192.209:1920
194.87.18.67:2004
195.128.126.234:10134
195.154.226.17:1338
195.2.78.34:10134
20.185.191.252:2021
20.89.177.186:21245
209.25.141.181:28100
209.25.141.181:31468
209.25.141.181:40489
216.250.97.121:50721
217.114.43.29:1268
23.227.201.233:10134
23.95.231.205:7077
25.34.63.249:10134
27.124.18.69:6606
31.173.170.243:7777
31.214.245.166:1738
31.214.245.229:3399
35.241.200.200:10112
35.241.200.200:10120
35.241.200.200:10122
35.241.200.200:10129
37.19.221.138:59263
37.252.7.150:7776
37.46.150.253:1337
40.125.65.33:10134
45.132.105.122:10134
45.146.253.103:420
45.81.39.83:3456
46.35.26.183:41763
5.187.49.231:1339
5.249.161.198:10134
5.83.161.4:10134
51.161.61.86:10134
51.79.39.250:10134
51.89.228.214:10134
52.88.36.247:50679
67.242.2.35:10134
68.219.181.16:443
68.40.140.30:10134
78.135.85.3:10134
78.198.121.158:5555
79.112.157.89:1337
84.200.206.239:7667
84.201.188.25:5566
84.201.188.25:7007
84.201.188.25:8621
84.21.172.55:1339
84.211.45.112:1085
84.211.45.238:1085
87.255.6.145:1577
88.123.101.135:1610
88.14.71.230:10134
91.121.185.43:5075
91.211.248.213:11134
91.218.65.24:6178
92.222.72.160:2341
92.240.245.63:10134
93.108.180.0:4444
93.180.147.254:10134
94.103.87.238:10135
94.60.124.63:4444
95.181.157.49:1738
98.229.214.124:10134
6012.punkdns.pw
betadns.phatbois.biz
cbm.adenz.top
cedricklegends.ddns.net
client1111.ddns.net
colorfuldreams.hopto.org
cuveehackedurpc.ddns.net
distance-deutsche.at.ply.gg
dololow.ddns.net
dontreachme2.ddns.net
eta.ne.virus.ne.trogaj.mena.kstati.putinso.site
flutrdp.duckdns.org
gaygolovorez.chickenkiller.com
gerkadas.ddns.net
gethack.ddns.net
glukozer.go.ro
i-stole-your.pw
icontrolyou.servepics.com
iknowyoumissme.ddnsfree.com
isnadsknsbs-38398.portmap.host
jewstew.hopto.org
kisliycorporait.hopto.org
microsoftupdateserver1.ga
mistyyy.hopto.org
myvpsvps.ddns.net
orcusratanondomain.sytes.net
owo-whats-this.duckdns.org
ozones.ddns.net
powerdirector.store
putinso.site
raiday.ml
rat.i-stole-your.pw
richhost.ddns.net
s1.putinso.site
s7vety-47169.portmap.host
s7vety-64001.portmap.io
satanishere-48375.portmap.io
server-cheatchard.ddns.net
serverguedin.ddns.net
sinistar.visigradstats.xyz
solution-fiscal.at.ply.gg
sonkalicloud.ddns.net
tcp.access.ly
tecster.cloudns.cx
teen-harvest.at.playit.gg
texeshserver.ddns.net
tokyonights.pdns.stream
tools.3utilities.com
vacation-family.at.ply.gg
vosal78394-35496.portmap.io
warframeclient.duckdns.org

# Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2023-11-22)

http://154.245.132.20
104.168.163.193:8080
183.80.187.20:4444
27.124.6.248:6606
42.114.153.115:4444

# Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2023-12-17)

http://154.243.252.14
http://154.244.157.117
http://154.245.225.202
http://197.119.113.44
1.54.172.244:4444
146.235.217.116:1268
15.235.3.1:2000
18.192.31.165:11009
185.196.10.32:6004
194.26.192.11:10137
206.84.153.217:8888
206.84.154.119:8888
213.57.235.107:10134
216.170.120.141:42069
27.124.3.19:6606
31.44.184.52:11426
31.44.184.52:30202
31.44.184.52:41931
31.44.184.52:49810
31.44.184.52:51799
31.44.184.52:51972
31.44.184.52:61946
39.44.128.21:8888
45.204.82.103:6606
45.204.82.82:6606
46.55.218.169:1337
46.8.52.208:49160
5.78.108.0:10134
61.92.130.64:2053
91.92.244.15:6969
91.92.246.10:10134
SATANishere-48375.portmap.io
dfwfdsfsdasd.project-nightfall.com
groups-opportunity.at.ply.gg
living-progressive.at.ply.gg

# Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2024-01-24)

http://154.244.175.192
http://154.245.115.235
http://197.119.135.90
188.27.189.141:8080
42.114.153.12:4444
58.187.115.100:4444

# Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2024-02-04)

http://197.119.141.49
http://20.163.19.3
http://20.240.201.149
154.212.146.81:6606
188.26.86.131:8080
39.38.245.19:8888
45.94.31.205:6969
73.3.46.163:4855
77.246.110.208:1337
77.246.110.208:8888

# Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2024-02-12)

http://154.245.7.231
http://154.245.89.99
http://197.119.85.192
103.13.210.210:8080
123.206.29.183:10134
134.255.254.225:5051
188.27.175.18:8080
86.126.4.236:8080
94.156.64.66:8080

# Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2024-08-10)
# Reference: https://www.virustotal.com/gui/file/ab64d9f42b9e764fe4f7a61f6a378bb79cf7f1d05e2c431bdc1d6c6f337bd22c/detection

http://154.243.121.19
http://154.243.176.5
http://154.244.6.141
http://154.245.141.251
http://197.119.237.124
http://197.119.238.232
http://197.119.48.109
http://197.119.73.234
http://38.145.202.143
http://41.97.204.61
1.54.107.33:4444
1.54.12.82:4444
103.106.203.165:443
103.155.214.134:443
103.155.214.203:443
103.155.214.72:443
104.250.175.179:1756
107.175.178.6:30030
109.195.6.203:10134
115.79.199.11:4444
13.53.37.168:777
134.122.84.252:10134
135.148.12.151:10134
147.185.221.16:46469
147.185.221.17:54772
147.185.221.17:59285
147.185.221.17:64220
147.185.221.18:43279
147.185.221.18:52251
147.185.221.18:56901
147.185.221.19:4747
147.78.103.228:10134
154.19.164.108:446
154.212.149.59:446
154.212.149.63:446
158.247.250.127:10134
162.244.82.93:10134
172.94.54.88:1756
173.44.50.82:4433
174.93.198.242:10134
176.58.61.217:10134
178.154.244.45:1
178.154.244.45:2
178.154.244.45:666
178.154.244.45:777
178.20.45.159:7777
178.200.180.146:10134
179.61.251.127:4768
18.117.142.49:2
180.214.239.242:10134
183.81.81.92:4444
184.144.200.107:10134
185.154.14.217:10134
185.175.56.98:50721
188.119.113.64:1604
188.25.164.217:8080
188.25.165.189:8080
188.25.167.44:8080
188.27.165.223:8080
188.27.166.233:8080
188.27.167.94:8080
188.27.189.235:8080
191.101.34.192:58038
193.124.65.108:10134
193.161.193.99:35081
193.32.219.170:10134
193.34.77.154:10134
194.110.112.45:54956
194.33.87.67:50010
194.33.87.67:7707
197.82.164.175:4444
199.195.253.181:50721
2.56.245.124:10134
20.224.165.182:25565
207.246.79.58:4443
209.25.140.180:10569
209.25.141.180:10569
209.25.141.180:60302
209.25.141.212:49446
209.25.142.180:10569
213.142.159.91:10134
26.122.164.110:10110
26.65.233.242:10135
26.98.233.13:4433
3.129.187.220:16788
3.133.207.110:16788
3.137.146.78:777
31.220.90.137:10134
31.44.184.52:10996
31.44.184.52:13642
31.44.184.52:19705
31.44.184.52:23303
31.44.184.52:29613
31.44.184.52:32154
31.44.184.52:34332
31.44.184.52:36598
31.44.184.52:40772
31.44.184.52:43660
31.44.184.52:54431
31.44.184.52:56938
31.44.184.52:58029
31.44.184.52:58576
31.44.184.52:61815
31.44.184.52:63367
31.44.184.52:64770
31.44.184.52:65246
35.157.61.186:10134
36.68.21.159:1134
37.115.42.57:12332
38.145.202.143:8080
39.114.81.81:10134
40.113.117.114:1337
42.117.36.184:4444
45.157.69.156:443
45.88.91.213:4443
46.17.44.143:1194
47.37.131.144:10134
5.180.106.95:1337
5.42.92.89:10134
51.254.186.98:10134
58.172.73.190:10134
59.174.112.119:10134
59.174.113.38:10134
59.174.210.205:10134
59.175.125.86:10134
59.175.126.120:10134
59.175.126.222:10134
59.175.127.180:10134
61.69.245.176:42069
74.118.139.67:10134
74.208.235.52:27016
77.105.161.143:1268
77.99.80.4:10134
78.101.85.87:4444
79.134.225.92:9030
79.139.133.118:10134
80.80.130.104:350
80.85.140.103:10134
84.145.55.225:5061
84.201.188.187:666
84.32.231.109:10134
89.190.226.232:10134
91.109.186.2:1194
91.151.89.167:1208
92.223.106.203:12134
92.240.245.161:8010
93.139.76.3:49411
93.157.168.72:27667
94.103.83.231:1379
94.156.10.119:443
94.156.66.77:8080
94.156.8.26:10134
95.165.149.124:4444
95.217.123.5:10134
Conflicker-35081.portmap.host
General5555-46584.portmap.host
LaraLoveU-49133.portmap.host
alternative-residents.gl.at.ply.gg
anime.ddnsking.com
asd1ad2.duckdns.org
bambuvn.webhop.info
bigtitties.hopto.org
binaryassassins2.online
femboy.serveminecraft.net
growtopiagame1.ddns.net
kissmyasshole.myddns.me
kmoukoun.ddns.net
ligeon.ddns.net
live-promotions.gl.at.ply.gg
loocarpoint.duckdns.org
malwaretest.ddns.net
medicine-pushing.gl.at.ply.gg
nanonana24.ddns.net
nonamedc.mcv.kr
obfuscated.us
riskama.online
s7vety-47274.portmap.host
search-mrs.gl.at.ply.gg
sulumantest.duckdns.org
title-connectors.gl.at.ply.gg
try-belly.gl.at.ply.gg
uhhusk.duckdns.org
us-dux-53.pointtoserver.com
user5698921.ddns.net
vam0vsem0pizda.ddns.net

# Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2024-08-25)

http://154.243.104.88
http://154.243.7.239
http://197.119.242.60
http://197.119.39.237
178.211.130.175:10134
189.38.106.100:123
2.132.9.108:2083
77.232.132.25:10111
91.92.242.128:888

# Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2024-09-08)

1.55.111.183:4444
188.25.165.218:8080
42.113.142.177:4444
89.232.195.236:7777
voidsystems.duckdns.org

# Reference: https://x.com/James_inthe_box/status/1854986778517950904
# Reference: https://app.any.run/tasks/19a21b20-bebb-4fa6-810e-27aa86681bea

147.185.221.23:38265
virginia-evil.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/de0abb05a3ab58a6d7347837f219f7dbc84814d553eb2e28a393a2ebac90b565/detection

89.23.102.157:7452
