# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: oyster backdoor, oysterloader, vanilliatempest

# Reference: https://hunt.io/blog/a-simple-approach-to-discovering-oyster-backdoor-infrastructure
# Reference: https://www.threatdown.com/blog/rhysida-using-oyster-backdoor-to-deliver-ransomware/
# Reference: https://www.virustotal.com/gui/file/0a7fd836d36ed8e8e9aa7bc41fdc9242333e8469059dec8886b7d935f3651679/detection

codeforprofessionalusers.com
dotnetisforchildren.com
firstcountryours.eu
postmastersoriginals.com
wherehomebe.com

# Reference: https://x.com/ShanHolo/status/1799015874042757386
# Reference: https://www.virustotal.com/gui/file/5c68fda16039ff29e9bf93c6dac11edbcd111dc8ec29fa499637c43b07039d92/detection

http://149.248.79.62
http://206.166.251.114
http://64.95.10.243
retdirectyourman.eu
supfoundrysettlers.us

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-08-24)

139.99.221.140:443
162.19.237.181:443
193.43.104.208:443
51.195.232.46:443
64.95.10.243:443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-09-08)

http://67.217.228.225
67.217.228.225:443

# Reference: https://x.com/TRACLabs_/status/1864722713610457333
# Reference: https://www.virustotal.com/gui/ip-address/185.196.10.179/detection
# Reference: https://www.virustotal.com/gui/ip-address/91.236.230.11/relations

antifed.net
futurepathlabs.com
greensolutionshub.net
kisppy.net

# Reference: https://hunt.io/blog/oysters-trail-resurgence-infrastructure-ransomware-cybercrime

anumalisa.com
aramex.i-order.shop
aramex.o-blank.site
cloudignitetech.com
gemen.asia
gumtreever.i-order.shop
jfhgfh.duckdns.org
johnwest-cars.co.uk
lido.fi-nft.app
razer-boost.com
zojanink.pw

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-01-02)

http://174.136.231.104
http://176.111.218.251
http://185.196.10.179
http://185.221.133.114
http://193.109.120.240
http://23.227.196.123
http://46.183.25.224
http://5.181.159.140
http://91.236.230.11
http://95.169.180.141
176.111.218.251:443
185.196.10.179:443
185.221.133.114:443
193.109.120.240:443
23.227.196.123:443
5.181.159.140:443
91.236.230.11:443
95.169.180.141:443

# Reference: https://x.com/wbmmfq/status/1933308257260744915
# Reference: https://www.virustotal.com/gui/file/48556bd1863d9ee7172a539f1c3e6a3a31d770f21daba6096cc8eff852d26625/detection

http://185.196.8.217
http://185.28.119.113
185.196.8.217:443
185.28.119.113:443
/api/jgfnsfnuefcnegfnehjbfncejfh
/api/kcehc
/jgfnsfnuefcnegfnehjbfncejfh

# Reference: https://x.com/SquiblydooBlog/status/1938183299245215898
# Reference: https://x.com/thenecset/status/1938221474478768617
# Reference: https://www.virustotal.com/gui/file/80c8a6ecd5619d137aa57ddf252ab5dc9044266fca87f3e90c5b7f3664c5142f/detection

http://185.208.158.119
45.86.230.205:443
45.86.230.77:443
85.239.52.2:443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-06-14)

http://168.100.10.165
http://185.196.8.155
http://185.196.8.77
http://193.149.129.58
http://206.71.148.110
http://216.245.184.116
http://45.61.136.160
http://64.52.80.96

# Reference: https://x.com/SquiblydooBlog/status/1939279021008900295
# Reference: https://www.virustotal.com/gui/file/b3294e5ec5031e623f57a6857f83c7ab1436bb69b0d6d40364d3d762ebe6079d/detection

http://85.239.52.99

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-07-26)

http://185.196.11.182
http://85.239.52.249

# Reference: https://cybersecuritynews.com/bing-ads-deploy-weaponized-putty/
# Reference: https://www.virustotal.com/gui/file/4b45c6aa53e5976d2752f262c15cf74915b26754533e5e6ee4ae5f01f7c9f681/detection
# Reference: https://www.virustotal.com/gui/file/94ba23a8d20e5c81f03fc5b914176cb32ce463923fea46a5650de32e575c4749/detection
# Reference: https://www.virustotal.com/gui/file/31d338eb9ee30f6d7b14b8e59bd9a9976d8dbec65b557f5cdf6cb9c84f5c9233/detection
# Reference: https://www.virustotal.com/gui/file/03012e22602837132c4611cac749de39fb1057a8dead227594d4d4f6fb961552/detection

http://185.208.159.119
144.217.207.26:443
194.213.18.89:443
heartlandenergy.ai

# Reference: https://x.com/roo7cause/status/1971453273862176887
# Reference: https://x.com/suyog41/status/1971563584007069974
# Reference: https://www.virustotal.com/gui/file/169157f51c05aafda68eb367219a826ecdc90e941e4397da20021b0f4ee2ae14/detection

cybersavvynetwork.com
nickbush24.com
techwisenetwork.com

# Reference: https://www.virustotal.com/gui/file/07251b9dd774e7dc598899239701d289893bd36b1a464bb569bd7835b9d3cf25/detection

cyberneticodyssey.com
daringdatadaredevils.com
datadrivendreamers.com
funkyfirmware.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.broomstick/ (# 2025-09-27)

http://135.125.241.45
http://185.28.119.228
http://198.244.224.69
http://45.66.249.68
http://51.222.96.108
http://51.222.96.69
http://85.239.53.66
135.125.241.45:443
185.28.119.228:443
198.244.224.69:443
45.66.248.249:443
45.66.249.68:443
51.222.96.108:443
51.222.96.69:443
85.239.53.66:443
bjxqd.com
daniellaurel.tv
macsimizers.com
microsoft-teams-download.com
netsuite.strangled.net
pont-express.com
ruben.findinit.com

# BODY_SHA1-HOST=0c90ad9910cfb37c9969e14388707ef765ef5e73

85.239.53.66.sslip.io
cdnstatic.space
copy-tradings.com
ip108.ip-51-222-96.net
ip45.ip-135-125-241.eu

# Reference: https://www.virustotal.com/gui/file/380062843cd4315228debc57bc3f9c89ac79492d241f76f342d157c899e53a40/detection

149.248.79.62:443
yourserenahelpcustom.uk

# Reference: https://x.com/MalasadaTech808/status/1972448316865798269
# TITLE=dream-me.com

800discountclub.com
aliments-ed.com
andyhampers.com
baxrate.online
burobourse.com
cleancarcatalog.com
collierspm.com
compaq-computers.com
domainpricermain.com
dream-me.com
eastridge-infotech.com
ehill-intl.com
epstradex.co
essexglazing.com
florida-grower.com
forms-apps.com
gross-rhode.com
immigrationlawhotline.com
lechatexotique.com
mce-associates.com
msaonl.com
ns1.forms-apps.com
ns2.forms-apps.com
pebblebeachca.com
physicianreportcard.com
prgmhq.com
ransonmotor.com
sdccomp.com
server.epstradex.co
steamypussy.com
sumbeam.com
summithilllaboratories.com
tellmeaboutcrime.com
venetafuni.com
witherspoon-law.com
xxxpuzzles.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-10-05)

http://185.28.119.228
http://45.66.249.68
http://51.222.96.108
http://51.222.96.69
http://85.239.53.66
http://91.236.230.156
http://91.236.230.205
135.125.241.45:443
185.28.119.228:443
198.244.224.69:443
45.66.249.68:443
51.222.96.108:443
51.222.96.69:443
85.239.53.66:443

# Reference: https://x.com/naumovax/status/1975520883256012910
# Reference: https://x.com/SquiblydooBlog/status/1975576144083886186
# Reference: https://x.com/G60930953/status/1975617128436056230
# Reference: https://www.virustotal.com/gui/file/f21483536cbd1fa4f5cb1e996adbe6a82522ca90e14975f6172794995ed9e9a2/detection

peach-preorder.com
