# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: gulpix, dragonrank
# Note: https://securelist.com/plugx-malware-a-good-hacker-is-an-apologetic-hacker/74150/

# Reference: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/plugx-goes-to-the-registry-and-india.pdf?la=en

freetimes.dns05.com
lucas1.dnset.com
supercat.strangled.net
nusteachers.no-ip.org
ruchi.mysq1.net
lucas1.freetcp.com
unisers.com
freemoney.ignorelist.com
sumy2012.jkub.com
dheeraj_gaurav.mooo.com
notebookhk.net
togolaga.com

# Reference: https://www.threatcrowd.org/listMalware.php?antivirus=plugx

hpservice.homepc.it
facebook.controlliamo.com
twititier.com
peaceful.linkpc.net
mongolia.regionfocus.com
shuimengluosuo.freetcp.com
ria-ru.xicp.net
itar-tass.xicp.net

# Reference: https://citizenlab.ca/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/

dnsupdate.dynamic-dns.net
good.wha.la

# Reference: https://citizenlab.ca/2015/10/targeted-attacks-ngo-burma/
# Reference: https://www.virustotal.com/#/file/365eeb1d5d8282188e5bbfadfda184e612eef61c2398b7c18cad4c31ce7225d1/detection

t1.mailsecurityservice.com
t2.mailsecurityservice.com
client.mailsecurityservice.com

# Reference: https://twitter.com/h4ckak/status/1163328926573137922

apple-net.com

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/plugx-rat-with-time-bomb-abuses-dropbox-for-command-and-control-settings/

bakup.firefox-sync.com
immi.firefox-sync.com
imm.heritageblog.org

# Reference: https://twitter.com/ClearskySec/status/968145266451894278

cisco-ipv4.com

# Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

dicemention.com
micrnet.net
rumiany.com
yandcx.com

# Reference: https://x.com/PrakkiSathwik/status/1900966617497936001
# Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx
# Reference: https://www.virustotal.com/gui/file/899c2585e7afb81f3174d1462e68e56b4aaabb9278f07783f33126fbcdd79887/detection
# Reference: https://www.virustotal.com/gui/file/d9f2d2d3a7e8d6c6e420b7ee6546781c2b978e650827085c4918328ecc943b5a/detection
# Reference: https://www.virustotal.com/gui/file/ebc6012f61a0f3d8b621d72898156674cfb15b7f8ce4d7190c5f013bb5753fd0/detection

6wxx08idxglhg.click
bbo96dveep64.xyz
e7a0ehw8zt1.club
back.e7a0ehw8zt1.club
mega.bbo96dveep64.xyz
pay.6wxx08idxglhg.click
/zhero/hero/dq/recv.php

# Reference: https://twitter.com/killamjr/status/1190019855434563600
# Reference: https://app.any.run/tasks/8286e7e1-710a-4570-805d-8a03395caa31/

wouderfulu.impresstravel.ga

# Reference: https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html
# Reference: https://otx.alienvault.com/pulse/5dd2b17f1b7dcef51f0ed38d

steam.suspendedio.com
steams.microsoftdepot.com
update.google.com.updatesrvers.org

# Reference: https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
# Reference: https://otx.alienvault.com/pulse/5e42e25df089cc9cfb28d1d0

apple-net.com
freesmadav.com
infosecvn.com
lameers.com
mmfhlele.com
olk4.com

# Reference: https://app.any.run/tasks/d4e14bc3-7adb-41db-9998-ee6b7e2c21b3/
# Reference: https://www.circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

help.yahoo-upgrade.com
support.yahoo-upgrade.com
update.ayuisyahooapis.com
support.ayuisyahooapis.com
update.trendmicrosoft.co.in

# Reference: https://github.com/silence-is-best/c2db#plugx

185.239.226.61:8080

# Reference: https://twitter.com/kienbigmummy/status/1240559063479402497
# Reference: https://www.virustotal.com/gui/file/6a4224517d66e07707f5a18793dfb3dcecd79bf0e913f9571850637c22b13fe8/detection
# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html

vietnam.zing.photos

# Reference: https://app.any.run/tasks/136824e2-885e-4b70-8b6b-20e982f82003/

hou.phimnoi.org

# Reference: https://twitter.com/pancak3lullz/status/1250158700909731845
# Reference: https://twitter.com/pancak3lullz/status/1250386060611391490
# Reference: https://pastebin.com/KdKsaAqV

103.127.157.9:443
103.127.157.9:80
103.136.40.141:443
103.136.40.141:80
103.148.244.59:443
103.148.244.59:80
103.192.226.44:443
103.192.226.44:80
103.193.149.26:443
103.193.149.26:80
103.200.97.150:443
103.200.97.150:80
103.212.223.125:443
103.212.223.125:80
103.213.244.203:443
103.213.244.203:80
103.230.15.155:443
103.230.15.155:80
103.51.147.227:443
103.51.147.227:80
103.56.16.231:443
103.56.16.231:80
103.56.55.69:443
103.56.55.69:80
103.59.165.87:443
103.59.165.87:80
103.79.76.205:443
103.79.76.205:80
104.148.13.252:443
104.148.13.252:80
104.192.80.102:443
104.192.80.102:80
104.199.131.72:443
104.199.131.72:80
104.238.188.213:443
104.238.188.213:80
107.150.112.250:443
107.150.112.250:80
107.179.8.66:443
107.179.8.66:80
112.121.187.178:443
112.121.187.178:80
112.121.187.179:443
112.121.187.179:80
112.121.187.180:443
112.121.187.180:80
112.121.187.181:443
112.121.187.181:80
112.121.187.182:443
112.121.187.182:80
112.196.204.151:443
112.196.204.151:80
112.213.109.32:443
112.213.109.32:80
114.29.253.26:443
114.29.253.26:80
121.127.232.67:443
121.127.232.67:80
13.234.145.7:443
13.234.145.7:80
136.244.102.157:443
136.244.102.157:80
137.59.18.183:443
137.59.18.183:80
139.28.37.102:443
139.28.37.102:80
144.202.50.219:443
144.202.50.219:80
149.248.62.83:443
149.248.62.83:80
149.28.137.203:443
149.28.137.203:80
149.28.150.210:443
149.28.150.210:80
149.28.239.88:443
149.28.239.88:80
149.28.93.163:443
149.28.93.163:80
15.164.104.227:443
15.164.104.227:80
152.32.162.250:443
152.32.162.250:80
152.32.211.67:443
152.32.211.67:80
154.210.12.8:443
154.210.12.8:80
154.215.13.149:443
154.215.13.149:80
154.223.167.105:443
154.223.167.105:80
154.83.13.105:443
154.83.13.105:80
167.179.86.140:443
167.179.86.140:80
167.88.177.191:443
167.88.177.191:80
167.88.178.4:443
167.88.178.4:80
167.88.180.151:443
167.88.180.151:80
167.88.180.32:443
167.88.180.32:80
167.88.180.5:443
167.88.180.5:80
172.245.86.123:443
172.245.86.123:80
172.93.220.201:443
172.93.220.201:80
178.236.44.58:443
178.236.44.58:80
18.138.29.108:443
18.138.29.108:80
185.133.40.223:443
185.133.40.223:80
185.133.42.6:443
185.133.42.6:80
185.161.209.234:443
185.161.209.234:80
185.172.112.212:443
185.172.112.212:80
185.211.246.203:443
185.211.246.203:80
185.225.19.115:443
185.225.19.115:80
185.231.245.119:443
185.231.245.119:80
185.239.226.28:443
185.239.226.28:80
185.239.226.38:443
185.239.226.38:80
185.239.226.53:443
185.239.226.53:80
185.239.226.65:443
185.239.226.65:80
185.243.114.68:443
185.243.114.68:80
185.243.41.200:443
185.243.41.200:80
192.169.7.189:443
192.169.7.189:80
207.148.68.124:443
207.148.68.124:80
211.62.228.141:443
211.62.228.141:80
213.159.202.41:443
213.159.202.41:80
213.252.246.141:443
213.252.246.141:80
27.102.101.52:443
27.102.101.52:80
27.102.130.30:443
27.102.130.30:80
27.255.64.75:443
27.255.64.75:80
3.6.50.223:443
3.6.50.223:80
34.80.27.200:443
34.80.27.200:80
34.92.251.135:443
34.92.251.135:80
35.229.151.34:443
35.229.151.34:80
37.157.245.38:443
37.157.245.38:80
42.99.117.95:443
42.99.117.95:80
43.228.125.9:443
43.228.125.9:80
43.251.118.79:443
43.251.118.79:80
45.115.236.22:443
45.115.236.22:80
45.147.228.131:443
45.147.228.131:80
45.248.87.217:443
45.248.87.217:80
45.251.241.25:443
45.251.241.25:80
45.32.149.253:443
45.32.149.253:80
45.76.153.250:443
45.76.153.250:80
45.76.53.241:443
45.76.53.241:80
45.77.34.128:443
45.77.34.128:80
45.77.60.116:443
45.77.60.116:80
45.81.10.9:443
45.81.10.9:80
45.91.26.140:443
45.91.26.140:80
60.169.81.26:443
60.169.81.26:80
66.42.38.60:443
66.42.38.60:80
66.42.41.140:443
66.42.41.140:80
66.42.48.186:443
66.42.48.186:80
69.171.72.232:443
69.171.72.232:80
91.229.79.226:443
91.229.79.226:80

# Reference: https://twitter.com/KorbenD_Intel/status/1275542304351109120
# Reference: https://www.virustotal.com/gui/domain/subupdata.com/relations
# Reference: https://www.virustotal.com/gui/file/b2c6474f27c1beab3ba9a3e956c5e65d96db8aad686a99a6cc1f9c66bee82b29/detection

185.231.245.119:443
subupdata.com

# Reference: https://twitter.com/cyber__sloth/status/1304042505604861952

http://103.85.24.158

# Reference: https://twitter.com/XOR_Hex/status/1307233839425695744

103.56.53.46:80
103.56.53.46:110
103.56.53.46:443
103.56.53.46:5938

# Reference: https://twitter.com/XOR_Hex/status/1315367371268386817

45.251.240.55:443
45.251.240.55:8000
45.251.240.55:8080

# Reference: https://twitter.com/XOR_Hex/status/1333832546589749249
# Reference: https://twitter.com/noottrak/status/1334165739423608834
# Reference: https://otx.alienvault.com/pulse/5fcaa5df270f075f05c34204
# Reference: https://www.virustotal.com/gui/file/9699c3f5dd99345b04aaf5e7dc5002de7dbabf922e43125a10eb3f5fc574e51e/detection

43.254.217.165:110
43.254.217.165:80
45.248.87.217:8080
http://43.254.217.165

# Reference: https://twitter.com/James_inthe_box/status/1341422354589573120
# Reference: https://twitter.com/Arkbird_SOLG/status/1341479376035168256

caonimade.11i.me

# Reference: https://www.virustotal.com/gui/file/eb649c114f5e0edaf3dda0d4cb97dc06c3b0f437dca8803c0d315d997e273178/detection

39.98.228.46:2653
sdd34dfgfg.xyzs666.xyz

# Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
# Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz

microsoftsp3.com
java.ns1.name
wm1.ns01.us

# Reference: https://app.any.run/tasks/34ef8d2b-6e2c-4da6-9c34-1d73ecd4b040/

krmai1s.servehttp.com

# Reference: https://www.virustotal.com/gui/file/642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d/detection
# Reference: https://app.any.run/tasks/b0d1f612-e69e-4e0b-9b4c-84e067ffd19a/

molnews.net
www2.molnews.net

# Reference: https://twitter.com/wwp96/status/1372553920942379014
# Reference: https://app.any.run/tasks/e001e6f3-0098-4c23-87d7-da31a7015528/

asmlbigip.com
sec.asmlbigip.com

# Reference: https://twitter.com/KorbenD_Intel/status/1374128386130522118
# Reference: https://www.virustotal.com/gui/file/bb0a3d73169882cc9f70a16692d67cc359ef5fee62f3719f819723cc677903f0/detection
# Reference: https://www.virustotal.com/gui/file/264f0a6d47f8c4578be602be1ea01dd634eace574afd7d44d854431721ffcabf/detection

cdn.6c18.com

# Reference: https://www.virustotal.com/gui/file/93d33626886e97abf4087f5445b2a02738ea21d8624b3f015625cd646e9d986e/detection

154.211.14.156:443
154.211.14.156:53
154.211.14.156:8080
rainydaysweb.com

# Reference: https://twitter.com/KorbenD_Intel/status/1398309439573315584
# Reference: https://twitter.com/James_inthe_box/status/1398310426832637956
# Reference: https://www.virustotal.com/gui/file/2cd18c340d412d1c09215c828190621ce558d8ea43ba0ad28e3365ff0619fe8b/detection

chromeserver-dns.com

# Reference: https://tria.ge/210615-gx3w14v8xn/behavioral1

gamegame.info
email.yg9.me
iw.gamegame.info

# Reference: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html (# Win.Packed.Zusy-9878432-0)

vrthcobj.com
ol.gamegame.info
google.vrthcobj.com

# Reference: https://unit42.paloaltonetworks.com/thor-plugx-variant/
# Reference: https://otx.alienvault.com/pulse/61012d6562eb005d61c4a457

apple-net.com
cabsecnow.com
cqpeizi.com
destroy2013.com
emicrosoftinterview.com
fitehook.com
flashplayerup.com
indonesiaport.info
ixiaoyver.com
manager2013.com
mmfhlele.com
msdntoolkit.com
petalossccaf.com
quochoice.com
rainydaysweb.com
scbbgroup.com
systeminfor.com
tv-vn.com
ukbbcnews.com
detail.misecure.com
down.emicrosoftinterview.com
downloads.flashplayerup.com
hdviet.tv-vn.com
help.flashplayerup.com
index.flashplayerup.com
news.cqpeizi.com
news.petalossccaf.com
tools.scbbgroup.com
upload.ukbbcnews.com
web.flashplayerup.com

# Reference: https://www.virustotal.com/gui/file/cae7469e7f5dc88962b9993f4b415a46f60fcaeea494abb53d19b7d05f28525b/detection

dirfgame.com
by.dirfgame.com

# Reference: https://www.virustotal.com/gui/file/071231d29a8548be8cb0a8f48a4b23d12e08139fd8dba842781912a11dc7c5f6/detection

goatgame.co
goatgame.live
a.goatgame.co
live.goatgame.live

# Reference: https://twitter.com/xorhex/status/1422815329684758537
# Reference: https://www.virustotal.com/gui/file/e6ba5de3a9b0287291def0317789b871fa1984a11021d55d3a0371c6d65a872b/detection

http://45.134.83.41
45.134.83.41:443
45.134.83.41:8080

# Reference: https://twitter.com/BitsOfBinary/status/1422823721170087941
# Reference: https://twitter.com/BitsOfBinary/status/1422828937500037121

101.36.125.203:110
101.36.125.203:197
veitdannews.com

# Reference: https://www.virustotal.com/gui/file/34f907b9f543ecf0f4f99adb7e55963ab5bc1c8e6e64081a8fef9a06043828b7/detection

185.231.245.119:8080
brushupdata.com
sery.brushupdata.com

# Reference: https://www.virustotal.com/gui/file/986d19d75880a23917127bab92cd3a92cfec42b31be51e20718da761b1747cbc/detection

mirsoftcheckie.com
sery.mirsoftcheckie.com

# Reference: https://twitter.com/0xrb/status/1465558631454105603

blobimgybag.com
brushupdata.com
copaininfo.com
globnewsline.com
microsoftlab.club
nvidialab.us
twwtteer.com
user-update.com
apicon.nvidialab.us
apis.microsoftlab.club
cbn.copaininfo.com
dark.twwtteer.com
mail.globnewsline.com
sery.brushupdata.com
testmmm.blobimgybag.com

# Reference: https://twitter.com/0xrb/status/1468146226835034113

time4update.com
ns3.time4update.com

# Reference: https://twitter.com/0xrb/status/1469184108030955529

11i.me
daj8.me
fbi.am
nmb.bet
wy01.com
fuckeryoumm.nmb.bet
helloword.daj8.me
nitamade.11i.me
tcp.wy01.com
udp.wy01.com
windows.fbi.am

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_APT-C-23_MICROPSIA_Variant.json

freesmadav.com
update.freesmadav.com

# Reference: https://twitter.com/0xrb/status/1495646507110133761
# Reference: https://www.virustotal.com/gui/file/9857e40be1fb5b9b6db93dc03f96f6b3ff0ffab85af7944dddcac0e37775ab02/detection

103.26.79.150:9019

# Reference: https://twitter.com/0xrb/status/1496747426505531398
# Reference: https://www.virustotal.com/gui/file/0a2a64a36997777d3655b879aa6983bed02c1324cd5b243c014224f7f8c8a8af/detection
# Reference: https://www.virustotal.com/gui/file/4833fa5f75c3d8f76693b20eb90aa572d6d385640f88bc79b6ed9530450d0736/detection
# Reference: https://www.virustotal.com/gui/file/0bc0016dc58dc01276639b80392cc98f9910872ac6be1d6a6288df69b547814c/detection

45.195.67.64:8000
45.195.67.64:49000
c1c.ren
qq.c1c.ren

# Reference: https://twitter.com/0xrb/status/1499287458500194304

aoisudoisadn.kkb.tv

# Reference: https://twitter.com/0xrb/status/1499294678830960642
# Reference: https://twitter.com/0xrb/status/1499296288466436098
# Reference: https://www.virustotal.com/gui/file/8aacb0fd6ea3143d0e7a6b56f7b90c3be760bcc8abbbb29c4334b50f06e822f6/detection
# Reference: https://www.virustotal.com/gui/file/5a9468a87997f2363995e264505105f6a235b66543bb28635fb74f78704e9111/detection

202.182.115.238:13111
202.182.115.238:8080
apps.imangolm.com

# Reference: https://twitter.com/nao_sec/status/1501126308771733505
# Reference: https://www.virustotal.com/gui/file/bee9c438aced1fb1ca7402ef8665ebe42cab6f5167204933eaa07b11d44641bb/detection

http://107.178.71.211

# Reference: https://twitter.com/0xrb/status/1503983616321552384
# Reference: https://www.virustotal.com/gui/file/28d2fef9323884cc81b1a39f3c17734606a79e79786496c5a556e25e00bdf10a/detection

fuckeryoumm.nmb.bet

# Reference: https://www.virustotal.com/gui/ip-address/18.138.107.235/relations
# Reference: https://www.virustotal.com/gui/file/68feab7ef7a2bd4754620b3a5a511988d18384bbd42d100e528cc5b876a1d771/detection

47.242.146.213:8080
fuckyou.fbi.am
windows.fbi.am

# Reference: https://www.virustotal.com/gui/file/2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e/detection

182.255.60.82:81
whoamis.info
list.whoamis.info
mail.whoamis.info
poer.whoamis.info

# Reference: https://www.virustotal.com/gui/file/1d8cef17a8588c216a9e69f3b4acd55dad1b9c69b25b344452ade112eaa96cb5/detection

mmr.whoamis.info

# Reference: https://twitter.com/0xrb/status/1508330395250868229
# Reference: https://www.virustotal.com/gui/file/eeadacdfb1d0c571362ff86b34cd736a80531e635ad46f20b2e90ec862af36af/detection

45.249.245.35:8008
ntpserver.xyz

# Reference: https://tria.ge/220329-llf3rahafr/behavioral2

http://104.110.191.133

# Reference: https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/

http://45.86.162.135
45.86.162.135:443

# Reference: https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/
# Reference: https://otx.alienvault.com/pulse/61430c5741b154348534ae3f

http://185.161.211.97
center.asmlbigip.com
dnssery.brushupdata.com

# Reference: https://twitter.com/0xrb/status/1522474101826551809

http://156.247.10.118
http://34.92.30.54
http://43.230.161.70
http://43.230.161.71
http://43.230.161.83
http://43.242.34.12
http://43.242.34.30
http://45.76.153.100
http://47.75.177.15
http://52.203.216.120
http://66.154.111.63
http://92.38.178.133
http://94.198.40.21
156.247.10.118:443
34.92.30.54:443
43.230.161.70:443
43.230.161.71:443
43.230.161.83:443
43.242.34.12:443
43.242.34.30:443
45.76.153.100:443
47.75.177.15:443
52.203.216.120:443
66.154.111.63:443
92.38.178.133:443
94.198.40.21:443
156.247.10.118:8080
34.92.30.54:8080
43.230.161.70:8080
43.230.161.71:8080
43.230.161.83:8080
43.242.34.12:8080
43.242.34.30:8080
45.76.153.100:8080
47.75.177.15:8080
52.203.216.120:8080
66.154.111.63:8080
92.38.178.133:8080
94.198.40.21:8080

# Reference: https://twitter.com/0xrb/status/1524642728663187456
# Reference: https://www.virustotal.com/gui/file/e374c396735e4202dee76916d74d211a9e21f4956be6f6ef613e70b0489ba95c/detection

47.243.49.249:5050
qwer.asdf.zxcv.88tech.org

# Reference: https://twitter.com/kienbigmummy/status/1539550403465220096

http://69.90.190.110
69.90.190.110:443
69.90.190.110:8080

# Reference: https://twitter.com/kienbigmummy/status/1542454625781321728
# Reference: https://twitter.com/kienbigmummy/status/1542454634618437635
# Reference: https://www.virustotal.com/gui/file/c9f7248e64b531031822e3cda468bf52fcfe169ad15d7d8ddf379cb27ad8b63b/detection
# Reference: https://www.virustotal.com/gui/file/e99ce4fc9697335549cab26717d75abbaf75895c3cd0e77a844769fe9674e3bc/detection

185.239.226.5:108
185.239.226.5:111
185.239.226.5:236
185.239.226.5:438

# Reference: https://twitter.com/0xrb/status/1559764331612364801

103.27.108.77:443
118.107.45.21:443
118.107.45.31:443
118.107.45.33:443
118.194.239.178:443
139.5.200.6:443
152.32.153.134:443
158.247.222.2:443
159.65.188.162:443
198.13.56.122:443
http://103.27.108.77
http://118.107.45.21
http://118.107.45.31
http://118.107.45.33
http://118.194.239.178
http://139.5.200.6
http://152.32.153.134
http://152.32.211.67
http://158.247.222.2
http://159.65.188.162
http://185.243.41.200
http://198.13.56.122

# Reference: https://twitter.com/Metemcyber/status/1561570370993668096
# Reference: https://www.virustotal.com/gui/file/27b8e572902ffbdc746766e1d315721e282cfc470e98bc9218bec78f1046214c/detection

miscrosofts.gq
defender.miscrosofts.gq
windows.defender.miscrosofts.gq

# Reference: https://twitter.com/kienbigmummy/status/1610535062889717763
# Reference: https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware
# Reference: https://otx.alienvault.com/pulse/63dd6a44b4f337a53baa56fb

217.12.206.116:443
217.12.206.116:8088
45.134.83.29:443

# Reference: https://twitter.com/WhichbufferArda/status/1611006137112961027
# Reference: https://www.virustotal.com/gui/file/a9f7d06b9929be61853910876129318ef56efd1eaef168e9ac412a090a6f09da/detection

195.211.97.117:443

# Reference: https://www.virustotal.com/gui/file/2bf3e8bac1f5ecfb8f8ec07952e39608ca5567a9adcd4a651e71b6b1dcea663b/detection

auraann.p-e.kr
versioncheck.p-e.kr

# Reference: https://www.virustotal.com/gui/file/057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7/detection

45.116.161.95:8080
luckfafa.com
googleupdate.luckfafa.com

# Reference: https://www.virustotal.com/gui/file/c5402f8882960bb73a0fd7b1b4badcb12ca96791c189b430cc234fbd2965aa34/detection

216.83.59.185:15858
microsoftdefender.luckfafa.com

# Reference: https://www.virustotal.com/gui/file/7fa8231dc167ec6aa87874a10d3daf798407a37c11bb921efb05664dfafdb38f/detection

wpsupdate.luckfafa.com

# Reference: https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/ (#AmericanUSA, #HELLO_USA_PRISIDENT, #KilllSomeOne)
# Reference: https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html
# Reference: https://www.virustotal.com/gui/file/446a9176ab41fe9be895d1a34481ea3e0bb70a2d86bb9b6f0347efc9425302f7/detection

http://160.20.147.254
160.20.147.254:9999

# Reference: https://www.virustotal.com/gui/file/5307dac6f70b86c669c46741e5953a13db6920542fd81ce37650971511367ee6/detection

imango.ink
api.imango.ink
cdn.imango.ink
update.imango.ink

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/

http://103.244.3.107
http://103.244.3.109
http://104.233.173.53
http://108.61.163.91
http://112.213.125.75
http://185.101.139.99
http://27.102.106.153
http://54.250.239.189
101.200.59.103:443
103.113.11.78:443
103.127.124.226:443
103.135.33.253:443
103.140.238.92:443
103.149.48.56:443
103.149.48.57:443
103.164.203.164:443
103.186.214.216:443
103.186.214.216:8080
103.194.187.147:443
103.194.187.148:443
103.194.187.148:8080
103.194.187.149:443
103.194.187.149:8080
103.218.243.167:443
103.244.3.107:8443
103.244.3.109:443
103.244.3.109:8443
103.27.108.158:443
103.27.109.130:443
103.27.109.130:8080
103.86.44.198:443
103.94.76.158:443
103.94.76.169:443
103.94.76.183:443
104.199.159.226:443
104.233.160.81:443
104.233.160.81:53
104.233.173.53:53
106.55.60.126:443
106.55.60.126:8080
107.148.14.49:443
107.150.124.43:443
107.150.124.43:8080
107.155.55.15:443
107.155.55.15:8080
107.155.56.134:8080
107.173.63.250:443
108.61.163.91:443
109.123.230.56:443
109.123.230.56:8080
110.50.48.222:8443
112.121.187.178:12345
112.196.204.141:443
112.196.204.141:8080
112.196.204.151:8080
112.213.109.35:443
112.213.109.47:443
114.29.254.126:443
114.29.254.126:8080
114.29.254.17:443
114.29.254.17:8080
114.29.254.201:443
114.29.254.201:8080
114.29.254.94:443
114.29.254.94:8080
124.223.102.72:8080
128.14.227.104:443
128.14.227.104:8080
139.180.215.111:443
139.180.215.111:8080
139.84.137.183:443
139.84.138.129:443
139.84.167.181:443
139.84.171.4:443
143.92.52.133:12345
143.92.52.133:53
143.92.52.137:12345
143.92.60.54:8088
143.92.60.75:8088
143.92.60.77:8088
149.28.130.206:443
149.28.25.119:443
150.129.52.95:443
152.32.164.67:443
152.32.164.67:8080
152.32.211.67:53
152.32.211.67:8080
154.204.24.243:65000
154.31.172.86:443
154.39.239.155:443
154.39.239.205:443
154.91.84.128:443
158.247.213.215:8443
158.247.222.2:8080
158.247.238.22:443
167.172.76.129:443
167.172.76.129:8080
167.179.109.96:443
172.111.244.164:21
172.93.167.211:443
172.93.167.227:443
18.179.5.105:443
18.179.5.105:8080
180.178.42.37:65000
180.235.137.85:443
180.235.137.85:8080
185.101.139.99:443
185.135.77.199:443
185.239.87.173:443
185.243.41.247:443
185.243.41.247:8080
193.22.152.56:443
198.13.36.205:443
202.182.115.238:53
206.119.75.253:443
207.148.103.108:443
207.148.103.108:53
207.148.105.154:443
207.148.97.160:443
209.250.241.189:443
210.68.108.46:443
23.224.239.44:12345
23.224.239.44:8000
27.102.118.76:446
3.112.45.157:443
3.112.45.157:53
3.112.45.157:8080
34.150.33.252:443
34.96.231.241:443
35.229.246.12:443
38.47.123.94:53
38.47.220.85:8000
38.54.40.60:443
38.54.76.128:443
43.135.1.200:21
43.154.29.157:443
43.248.133.54:443
43.255.28.190:443
43.255.28.201:443
45.120.55.154:443
45.120.55.162:443
45.134.82.191:443
45.142.166.65:443
45.32.119.152:443
45.32.34.154:443
45.63.41.197:443
45.64.184.248:443
45.76.213.19:53
45.76.80.13:443
45.77.157.245:53
45.77.172.61:443
45.77.172.61:8080
45.77.177.209:443
45.87.43.60:443
47.57.118.245:53
47.57.118.245:8443
5.255.88.185:443
54.249.142.61:443
54.249.142.61:53
54.250.239.189:443
54.250.239.189:8080
61.238.103.165:443
61.238.103.170:443
63.141.237.100:443
63.141.237.208:443
64.44.184.105:443
65.20.112.193:443
72.18.215.38:443
8.217.48.154:443
8.218.191.58:443
8.218.191.58:53
8.218.191.58:8080
8.218.201.52:443
8.218.234.216:53
8.218.242.93:443
8.218.37.29:443
8.218.37.29:8080
85.206.160.121:8080
87.121.52.23:443
87.121.52.23:8080
92.223.85.90:443
92.38.132.128:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/ (# 2023-10-26)

103.106.202.158:443
103.106.202.163:443
103.135.33.250:443
103.135.33.251:443
103.135.33.252:443
103.169.90.98:443
103.244.3.107:443
103.254.73.20:443
103.254.73.21:443
103.254.73.22:443
103.45.68.125:443
103.56.55.153:443
103.68.193.225:443
103.94.76.115:443
103.94.76.135:443
104.208.73.38:443
104.233.161.173:443
104.233.173.53:443
107.148.0.190:443
107.155.56.134:443
107.175.69.184:443
109.94.209.44:443
110.50.48.222:443
112.213.125.75:443
118.99.29.173:443
124.220.78.199:443
124.223.102.72:443
13.229.153.26:443
139.180.212.205:443
14.161.4.152:443
141.164.37.94:443
143.92.56.71:443
143.92.60.54:443
143.92.60.75:443
143.92.60.76:443
143.92.60.77:443
149.104.22.138:443
154.19.70.222:443
154.26.153.129:443
156.234.211.149:443
158.247.213.215:443
159.65.157.64:443
16.162.44.42:443
167.179.98.155:443
172.111.233.204:443
172.111.244.178:443
172.111.245.162:443
185.135.77.239:443
20.214.1.160:443
202.162.108.48:443
206.189.80.15:443
207.148.118.170:443
208.72.153.162:443
216.238.115.148:443
217.197.160.235:443
23.224.239.44:443
27.102.106.146:443
27.102.106.153:443
38.47.220.85:443
38.47.221.162:443
38.54.79.103:443
38.60.254.243:443
45.32.100.40:443
45.32.103.109:443
45.32.39.15:443
45.74.41.38:443
45.74.6.122:443
45.74.6.163:443
45.74.6.197:443
45.74.6.228:443
45.74.6.245:443
45.74.6.24:443
45.74.6.253:443
45.76.219.71:443
45.77.174.174:443
45.77.43.75:443
45.86.163.230:443
47.57.118.245:443
8.212.149.44:443
80.240.28.192:443
a-white.vn
americafirst3d.com
cahayashop.shop
cctv.liveonlin.com
google-inc.ltd
img.cdn.jsdblog.com
liveonlin.com
main.liveonlin.com
npgsql.liveonlin.com
public.liveonlin.com
tech.liveonlin.com
windows-sns2.dns-microsoft.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/ (# 2023-10-30)

http://103.192.226.100
http://103.56.53.106
101.36.106.114:8443
103.192.226.100:110
103.192.226.100:5938
103.192.226.100:8000
103.192.226.100:8080
103.56.53.106:110
103.56.53.106:443
103.56.53.106:5938

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/ (# 2023-11-06)

http://13.229.238.49
http://156.234.211.149
http://18.163.46.232
http://185.189.241.155
http://185.189.241.208
http://43.136.245.27
http://45.76.219.71
http://47.242.189.104
http://8.212.149.44
http://80.240.28.192
101.36.106.114:12345
103.135.33.254:443
107.173.63.250:53
112.121.187.182:12345
113.160.186.153:8080
118.69.111.118:8080
118.99.29.173:65000
119.29.225.72:8080
13.229.238.49:443
149.104.22.138:21
149.104.22.138:8080
149.28.130.206:53
154.204.24.242:65000
154.204.24.246:65000
156.234.169.19:53
172.111.233.249:8443
18.163.46.232:443
18.163.46.232:53
185.189.241.155:443
185.189.241.208:443
20.2.65.28:443
23.225.71.115:8000
23.225.71.115:8080
38.47.116.103:53
38.47.220.85:12345
38.54.23.192:443
43.132.173.7:443
43.229.112.202:65000
43.229.112.205:65000
43.229.112.206:65000
43.231.113.62:443
45.32.148.180:443
45.74.6.240:21
45.74.6.9:443
47.117.177.231:443
47.242.189.104:443
47.242.189.104:8080
65.20.107.216:8080
78.141.208.113:8080
8.130.46.30:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/ (# 2023-11-16)

http://103.45.68.125
http://13.115.129.191
http://13.115.194.155
http://34.92.77.165
http://35.77.99.82
http://43.153.162.95
http://45.74.6.203
118.193.35.61:8443
13.115.129.191:443
13.115.194.155:443
13.115.194.155:8080
13.229.238.49:53
14.161.32.142:8443
154.204.24.245:65000
194.37.97.132:21
195.133.11.98:8080
216.83.41.111:53
216.83.41.113:53
217.197.160.235:8080
23.224.239.44:8080
23.225.71.115:443
35.77.99.82:443
35.77.99.82:8080
43.155.95.97:443
43.229.112.204:65000
45.74.6.168:8443
45.74.6.203:21
47.117.177.231:21
5.255.88.185:53
70.34.198.203:443

# Reference: https://www.virustotal.com/gui/ip-address/45.121.146.113/relations
# Reference: https://www.virustotal.com/gui/file/bebde82e636e27aa91e2e60c6768f30beb590871ea3a3e8fb6aedbd9f5c154c5/detection
# Reference: https://www.virustotal.com/gui/file/54be4a5e76bdca2012db45b1c5a8d1a9345839b91cc2984ca80ae2377ca48f51/detection
# Reference: https://www.virustotal.com/gui/file/3a6887963920c8bc1ae35fdca69af2c0865f8b5c6ef90b4db91fa152bc56050d/detection

http://45.121.146.113
45.121.146.113:443

# Reference: https://any.run/malware-trends/plugx (# 2024-02-02)

http://103.143.209.16
/poMdDDxDkOkkML/update.php
/poMdDDxDkOkkML/

# Reference: https://asec.ahnlab.com/ko/64073/

http://45.32.16.248

# Reference: https://twitter.com/Cyberteam008/status/1790951752528724122

1.94.50.14:800
119.3.126.15:800
121.36.203.84:800
123.60.48.78:800
123.60.80.229:800
47.104.14.198:800

# Reference: https://x.com/SBousseaden/status/1796167554592805257
# Reference: https://www.virustotal.com/gui/file/65f4208e7335b4a3c5f091a7801420b3e7b3fe5d774357dec2198200f369bc2a/detection
# Reference: https://www.virustotal.com/gui/file/51d38688ae91d2f1dd91a042861073491989b2cbcd4a85ab6ff92948c2d1ddf9/detection

buyinginfo.org

# Reference: https://x.com/nao_sec/status/1798697869106668011
# Reference: https://x.com/r0ny_123/status/1798739751815753869
# Reference: https://jp.security.ntt/tech_blog/controlplug
# Reference: https://threatfox.abuse.ch/browse/tag/OperationControlPlug/

7gzi.com
ankokunews.com
bkller.com
bramjtop.com
calgarycarfinancing.com
comparetextbook.com
dmfarmnews.com
epsross.com
flaworkcomp.com
glassdoog.org
goodrapp.com
gulfesolutions.com
indiinfo.com
iplanforamerica.com
jorzineonline.com
lebohdc.com
lifeyomi.com
londonisthereason.com
onmnews.com
profilepimpz.com
starlightstar.com
unixhonpo.com
versaillesinfo.com

# Reference: https://asec.ahnlab.com/ko/67509/

104.233.173.53:8080
185.173.93.167:13306
support.firewallsupportservers.com

# Reference: https://x.com/Huntio/status/1822923743410168113
# Reference: https://www.virustotal.com/gui/ip-address/156.245.13.9/relations
# Reference: https://www.virustotal.com/gui/ip-address/156.245.13.12/relations

googlewired.com
kasperskye.com
skypeinc.com
cf.kasperskye.com
cloud.google-inc.ltd
dns.skypeinc.com
update.googlewired.com
update.kasperskye.com

# Reference: https://x.com/malwrhunterteam/status/1826308741400273233
# Reference: https://x.com/smica83/status/1826315908014329996
# Reference: https://www.virustotal.com/gui/file/ee6febf6f1a088dd965ba800989fcf27e2392454c15370f3231a8cefd7934969/detection
# Reference: https://www.virustotal.com/gui/file/fbce6d143fac667ebbcd1c80102252f7baf678de7f575be76d4639acfeeef134/detection

http://85.90.196.19
85.90.196.19:443

# Reference: https://x.com/Cyberteam008/status/1830421848527409162
# Reference: https://www.virustotal.com/gui/ip-address/38.60.171.133/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.133.239.183/relations

bssn-gov.id

# Reference: https://x.com/Cyberteam008/status/1833338188808786059
# Reference: https://www.virustotal.com/gui/file/5f7c5c2f76ef97b94fd77d13fd03bf210a158ebf722d6371368f6e858a7b26ff/detection

http://23.227.203.181

# Reference: https://x.com/malwrhunterteam/status/1833579645528121742
# Reference: https://www.virustotal.com/gui/file/6c420bfa9f6b40ccc371a68df0a7f3e5d32ac2cf432696c338a9b4ace915004c/detection

http://23.227.196.31

# Reference: https://blog.talosintelligence.com/dragon-rank-seo-poisoning/
# Reference: https://github.com/Cisco-Talos/IOCs/blob/main/2024/09/DragonRank%2C%20a%20Chinese-speaking%20SEO%20manipulator%20service%20provider.txt

http://35.247.175.184
134.122.204.174:53
154.23.179.133:443
154.23.179.133:888
35.247.175.184:443
a.googie.pw
admin1.tttseo.com
b.googie.pw
ddos.tttseo.com
googie.pw
ig26.com
mail.tttseo.com
web.googie.pw
yx52.pw

# Reference: https://app.validin.com/detail?find=moxing1&type=raw&ref_id=c155934b2f9#tab=host_pairs_v2

2pt.me
367z.vip
421.vc
976.vc
autofirst.cn
nf235.com
oxfam-th.cc
oxfam-th.com
oxfam-th.top
testnewline.com
tk315e47xu2w2bsn6.com
ad.oxfam-th.top
fn300mhk002.testnewline.com
mamnon.nguyendinhanh.com
vd.nguyendinhanh.com

# Reference: https://x.com/r0ny_123/status/1833949268291584249

govamazon.com

# Reference: https://x.com/r0ny_123/status/1835980018008080489
# Reference: https://www.virustotal.com/gui/file/c9c81a2a4866e858060fe91cda6085c8ea01295ef3e7dbe813d62ea48434195b/detection

103.238.225.248:443

# Reference: https://x.com/suyog41/status/1838192182378770546
# Reference: https://www.virustotal.com/gui/file/976ffe00ca06a4e3d2482815c2770086e7283025eeecad0a750001dedaa2d16a/detection
# Reference: https://www.virustotal.com/gui/file/397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c/detection

loginge.com
vabercoach.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/ (# 2024-09-24)

103.107.104.57:443
107.148.32.206:443
107.155.56.87:443
146.66.215.206:443
147.78.12.202:443
154.205.136.105:443
155.138.203.78:443
185.120.16.133:443
202.91.39.201:443
365officemail.com
38.180.75.197:443
45.133.239.183:443
45.135.119.132:443
abecopiers.com
abeparanormal.com
alphadawgrecords.com
alvinclayman.com
armzrace.com
atasensors.com
bangnightclub.com
bonuscuk.com
cloudsafeuae.com
cuanhuaanbinh.com
expertoenexcel.com
finasterideanswers.com
flfprlkgpppg.shop
getupdates.net
homeimageidea.com
instalaymantiene.com
irprofiles.com
kelownahomerenovations.com
myynzl.com
normalverkehr.com
nymsportsmen.com
pgfabrics.com
pinaylizzie.com
richwoodgrill.com
rpcgenetics.com
somlwebtactics.com
spencerinfo.net
tigermm.com
tophooks.org
trafikexperten.com
truckingaccidentattorneyblog.com
webdisk.psd2.info.87-121-52-23.cprapid.com
webmail.psd2.info.87-121-52-23.cprapid.com

# Reference: https://www.virustotal.com/gui/file/369e74a8e1f686896f82d92ee2467ca6736bc44b06faab9db9ea6473aef4c397/detection

103.43.18.19:433
103.43.18.19:53
117.18.14.20:443
117.18.14.20:53

# Reference: https://www.virustotal.com/gui/file/356ce79cd2da57824586ab26c4af440e21ea380f9ab1bcc880e060f4879d0a05/detection
# Reference: https://www.virustotal.com/gui/file/ac98f9e40966561c581bb7c79bdb617feba8daf323e9acdcf1c75f53431e91ad/detection

103.43.18.220:443
103.43.18.220:53

# Reference: https://www.virustotal.com/gui/file/81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9/detection

120.89.69.3:443
120.89.69.3:53

# Reference: https://www.virustotal.com/gui/file/354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379/detection

203.86.234.16:443
203.86.234.16:53

# Reference: https://www.virustotal.com/gui/file/cee3f10cff54cbc96abb17ceac88e69a00c3c2ef9267ccce7fc79ed59997d0b7/detection

117.18.14.22:443
117.18.14.22:53

# Reference: https://x.com/StrikeReadyLabs/status/1843246189325721607
# Reference: https://www.virustotal.com/gui/file/c25b566d99d55fe5cb1a19290748dac70845663fe0f8bf78f741fe4440055551/detection

103.238.227.183:443

# Reference: https://x.com/ShanHolo/status/1843953091508650421
# Reference: https://www.virustotal.com/gui/file/11ff4c15675f28a214bd7605edf652424e6a0ab9e2aea676485a7f6a6401fb41/detection
# Reference: https://www.virustotal.com/gui/file/3b10be6a48682b237de0e7f508d769b1caf42e92c3d85c9e3976efeba8b9d525/detection

111.90.146.158:20100
boolhong.duckdns.org
mokdo.n-e.kr

# Reference: https://threatfox.abuse.ch/ioc/1334806/

103.79.120.92:5000

# Reference: https://threatfox.abuse.ch/browse/malware/win.plugx/ (# 2024-10-23)

103.107.105.81:443
103.238.225.248:5000
103.79.120.69:5000
103.79.120.85:5000
103.79.120.92:10088
107.148.32.206:8090
107.155.56.15:443
107.155.56.4:443
116.206.178.34:443
116.206.178.34:5000
116.206.178.67:443
122.155.0.205:55555
149.104.12.64:5000
149.104.2.160:5000
149.202.250.174:443
155.138.203.78:5000
155.138.203.78:5983
176.31.217.137:443
185.120.16.133:10717
185.120.16.133:4399
202.91.36.213:5000
213.32.96.169:443
213.32.96.170:443
217.182.120.188:443
37.59.132.104:443
37.59.132.105:443
37.59.132.106:443
37.59.132.107:443
37.59.132.108:443
37.59.132.109:443
37.59.132.110:443
38.180.75.197:5000
38.54.85.112:5000
45.133.239.183:4433
45.133.239.188:5000
45.251.243.210:6000
45.32.105.184:8000
45.76.132.25:5000
45.76.132.25:5983
45.83.236.105:5000
45.83.236.105:5080
5.135.112.32:443
5.135.112.34:443
5.135.252.233:443
5.135.252.234:443
5.135.252.235:443
5.135.252.236:443
5.135.252.238:443
5.39.55.44:443
5.39.55.45:443
5.39.55.46:443
51.178.119.232:443
51.178.119.233:443
51.178.119.234:443
51.178.119.238:443
51.178.125.208:443
51.178.125.209:443
51.178.125.210:443
51.178.125.211:443
51.178.125.212:443
51.178.125.213:443
51.178.125.214:443
51.178.126.89:443
51.178.126.90:443
51.178.126.91:443
51.178.126.92:443
51.178.126.93:443
51.178.126.94:443
51.210.20.137:443
51.210.20.141:443
51.210.20.142:443
51.210.20.145:443
51.210.20.146:443
51.210.20.147:443
51.210.20.148:443
51.210.20.149:443
51.210.20.150:443
51.210.20.153:443
51.210.20.171:443
51.210.20.178:443
51.210.20.179:443
51.210.20.180:443
51.210.20.181:443
51.210.20.182:443
51.254.111.40:443
51.254.111.44:443
51.254.111.45:443
51.254.232.144:443
51.254.232.145:443
51.254.232.146:443
51.254.232.147:443
51.254.232.149:443
51.254.232.150:443
51.254.232.152:443
51.255.157.176:443
51.255.157.182:443
51.255.157.184:443
51.255.157.185:443
51.255.157.186:443
51.255.157.187:443
51.255.157.188:443
51.255.157.189:443
51.255.157.190:443
51.38.246.210:443
51.38.246.211:443
51.38.246.212:443
51.38.246.216:443
51.38.246.217:443
51.38.246.219:443
51.38.246.220:443
51.38.246.221:443
51.38.246.222:443
51.81.252.216:443
51.81.252.217:443
51.81.252.218:443
51.81.252.219:443
51.81.252.220:443
51.81.252.221:443
51.81.52.240:443
51.91.182.225:443
54.37.99.250:443
54.39.7.10:443
54.39.7.12:443
54.39.7.9:443
96.43.101.245:8090

# Reference: https://x.com/malwrhunterteam/status/1857876717970534547
# Reference: https://www.virustotal.com/gui/file/69eff40e40245c259fc60d2a33ad595748f0d0d36367621da876e61d6cb2a6ae/detection

103.45.64.91:53

# Reference: https://www.virustotal.com/gui/file/05689200aea4e7ca40edddecb00f253d696b903ac9fe3e39d760c7a8be1aef94/detection

103.45.64.91:1999
103.45.64.91:443

# Reference: https://www.virustotal.com/gui/file/9d842f5a96486c5f9606f15c6bbdce6b9729d0b80f86eca108dd5484ac31257b/detection
# Reference: https://www.virustotal.com/gui/file/a2304d1a5142947d3109a568bf99ace3cf4b191e9443be40fa73bd99fe054418/detection

http://103.45.64.91

# Reference: https://www.virustotal.com/gui/file/d22875d805ef74b59e0e2835d6590a8f314d350320a259b5f41acf6f44013b2f/detection

153.251.133.220:8000
accountingrecovery.net
japan.accountingrecovery.net

# Reference: https://www.virustotal.com/gui/file/f98f1aa93dcebd227365c1c1278c74a043a1a1f24b056e6f99645b9f1b75d873/detection

153.251.133.220:443

# Reference: https://www.virustotal.com/gui/file/9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534/detection

jjpan.accountingrecovery.net
kkorea.accountingrecovery.net

# Reference: https://www.virustotal.com/gui/file/172d602fddedba85d180b2877a972c1298749cfaa039ff555cd1b1574242bfee/detection
# Reference: https://www.virustotal.com/gui/file/a4494cf703f6b539b01e952cbed40484dfc92b23e8e12f80bad9b15337eb7b7d/detection

153.148.125.190:27815
minavgmax.dynamic-dns.net
sinkhole.dynu.net

# Reference: https://hunt.io/blog/darkpeony-certificate-patterns

councilofwizards.com
kentscaffolders.com
smldatacenter.com
thelocaltribe.com

# Reference: https://app.validin.com/detail?find=153.234.67.222&type=ip4&ref_id=d4329fdcf8a#tab=resolutions
# Reference: https://www.virustotal.com/gui/file/20fd8bb27046068cf1b2e6bec8cd5fc37537518a6eb86429893368547248d507/detection
# Reference: https://www.virustotal.com/gui/file/c14152a4473e978a7f65cedb271ef52ec2ce8c3fbb167703dbabdbf98537695e/detection
# Reference: https://www.virustotal.com/gui/file/638c13fba454fb2aa92be5badcc0d89e75bb6bb1ffd9248240b0dfa7f04f604d/detection
# Reference: https://www.virustotal.com/gui/file/481f6a7a8eb78ebdb982ebac0b4a4a1a0bbd2ccd85b81b22eb3c8ffb932c605f/detection

153.148.116.131:3128
bz3appstore.info
sg3appstore.net
storageareas.net
us3appstore.net

# Reference: https://app.validin.com/detail?find=153.234.67.222&type=ip4&ref_id=d4329fdcf8a#tab=resolutions
# Reference: https://www.virustotal.com/gui/file/0e317e0fee4eb6c6e81b2a41029a9573d34cebeabab6d661709115c64526bf95/detection
# Reference: https://www.virustotal.com/gui/file/8fd22c18051244df7da58994b3235abd341954679ba374d1edea2e9c0510c2a0/detection

1t.russkoeumea.com
211141.russkoeumea.com
2379386.russkoeumea.com
287.russkoeumea.com
2c8b3f19-0325-4acc-a3dd-31a918e4dbf5.random.seahatin.com
2ipjp.com
4998788.russkoeumea.com
599.russkoeumea.com
65wy.russkoeumea.com
6prc.com
778613.russkoeumea.com
8pjejaz.russkoeumea.com
8qg6isg.russkoeumea.com
91music.servemp3.com
986369.3utilities.com
986369.myftp.biz
accounts.serveftp.com
acefinance.asia
aconitumn.com
admin.airtoairmis.top
admin.demo.xiaoyunim.com
admin.uchat.xiaoyunim.com
adobecenter.org
adv138mail.com
agtcinc.com
airtoairmis.top
amslupdata.com
apiniitiative.org
app.seahatin.com
asutralianmorningnews.com
avoxgbghfn.com
b.russkoeumea.com
backend.6prc.com
bbs.zuesinfo.com
beta.6prc.com
btg.mynetav.net
cartmilonline.servequake.com
cc.openmd5.com
cdnsdomains.com
cfg.smt.https-mail-smt-docomo-ne-jp.ns01.info
cg1.xpjpz400.com
cg2.xpjpz400.com
cg3.xpjpz400.com
checkupdate.mirrorstorage.org
citilink.dsmtp.com
ckts.mynetav.net
clientarea.sytes.net
cnckdokaqwrfoli.com
cpcalendars.cdnsdomains.com
cpcalendars.jp-aprime.info
daphneodore.com
ddwc.russkoeumea.com
demo.xiaoyunim.com
deutschepd.com
dev.lidjogsum.com
dev.seahatin.com
dmsz.org
dns.adv138mail.com
dnshost.dns05.com
domcon.microtrendsoft.com
dpcicxtw.russkoeumea.com
dsfwerfwe223.4pu.com
dvnxuhikpxvtoaze.com
economy.serveuser.com
egtf.russkoeumea.com
eks.yukiheya.com
ekxdjkoedcbz.com
eonceo.flower-show.org
erc.acefinance.asia
ericgoodman.serveblog.net
eset.live-macfee.com
etnew.network-sec.net
flower-show.org
foxvsun.com
freesharecenter.com
ftp.webserver.freetcp.com
fuckchina.govnb.com
ghome.mefound.com
gm1.network-sec.net
gncltksqghlm.com
godie.usdagroup.com
googlespeedtest33.com
googleupdatesrv.com
govnb.com
greta.ikwb.com
h0n5f1.russkoeumea.com
hq.dsmtp.com
https-mail-smt-docomo-ne-jp.ns01.info
https-www-nipponkaigi-org.ssl443.org
iantoan.com
ibvfjsutslijgmex.com
icekkk.net
id.smt.https-mail-smt-docomo-ne-jp.ns01.info
image.laoscript.org
japanese.accountingrecovery.net
jcfiec.org
jlpbx.russkoeumea.com
jnfl.org
jocicpavfrnga.com
jtech66.org
kws.russkoeumea.com
laoscript.org
laravel.6prc.com
lidjogsum.com
lingm.flower-show.org
live-macfee.com
lovetrick2014.redirectme.net
ltev.russkoeumea.com
luxyries.com
m.assmio.com
mail.cdnsdomains.com
mail.lidjogsum.com
mail.russkoeumea.com
mail.seahatin.com
mail.smt.https-mail-smt-docomo-ne-jp.ns01.info
microsoft.acmetoy.com
microsoft.dynssl.com
microsoft.proxydns.com
mirrorstorage.org
mozrbw.russkoeumea.com
mx.mailsecurityservice.com
mx.usdagroup.com
network-sec.net
nkrme.flower-show.org
nnya.russkoeumea.com
ns1.cdnsdomains.com
ns1.laoscript.org
ns2.cdnsdomains.com
office-save.mefound.com
opensslv971.ssl443.org
owa.ns01.us
ppstw.com
psbm11025.network-sec.net
ptvymr.russkoeumea.com
qf.laoscript.org
qhp.russkoeumea.com
random.seahatin.com
russell01.servebeer.com
russiaboy.ssl443.org
rwujp.russkoeumea.com
saraosting.com
sce.hopto.org
seahatin.com
service.smt.https-mail-smt-docomo-ne-jp.ns01.info
setup.mirrorstorage.org
sgo.russkoeumea.com
share.accountingrecovery.net
smt.https-mail-smt-docomo-ne-jp.ns01.info
soft.epac.to
space.airtoairmis.top
srv.cdnsdomains.com
starpay.xiaoyunim.com
stertopog.com
store.saraosting.com
sunsharp.net
syesv.qpoe.com
symantec-product.com
syslog.mirrorstorage.org
tasrcenter.com
test.6prc.com
tibetexpress.zapto.org
torrent.serveblog.net
traco.live-macfee.com
trainingdays.ssl443.org
trc.acefinance.asia
trendupdate.org
uchat.xiaoyunim.com
uipisa.ssl443.org
unixee.org
update.kavlabonline.com
update.live-macfee.com
update.symantec-product.com
usdagroup.com
uyghur.epac.to
vaseline.dumb1.com
vatgla.com
vpn.ssl443.org
vtfraznzdcns.myvnc.com
w8.russkoeumea.com
wakay-public.org
watson.misecure.com
web-oauth.com
web.zuesinfo.com
webadmin.mirrorstorage.org
webmail.lidjogsum.com
webmail.seahatin.com
webserver.dynssl.com
webserver.fartit.com
webserver.freetcp.com
whoi.usdagroup.com
windows.ssl443.org
windxpro.com
wuaxnfsbtvmicyoew.com
ww12.acefinance.asia
ww12.seahatin.com
wwa.russkoeumea.com
xdaqjs.com
xfesgljgqbjadrm.saraosting.com
xh.russkoeumea.com
xiaoyunim.com
xpjpz400.com
yeojsnrmacvtr.com
yours.microtrendsoft.com
yukiheya.com
yum.luxyries.com
z88.russkoeumea.com
zn314zi.russkoeumea.com
zuesinfo.com

# Reference: https://x.com/Cyberteam008/status/1876819353611411963
# Reference: https://app.any.run/tasks/bea68de9-8a8f-458c-8ca7-f5e7e9832d05/
# Reference: https://www.virustotal.com/gui/file/e5e475db5076e112f69b61ccb36aaedfbb7cac54a03a4a2b3c6a4a9317af2196/detection

47.243.194.21:443
8.210.201.184:443
googleapi.computer
gservicesaccount.com
cloud.googleapi.computer
cloud.gservicesaccount.com
cloudservices.gservicesaccount.com
compute.gservicesaccount.com

# Reference: https://x.com/virusbtn/status/1877664337986285914
# Reference: https://www.recordedfuture.com/research/reddelta-chinese-state-sponsored-group-targets-mongolia-taiwan-southeast-asia

103.107.104.4:443
103.79.120.92:443
115.61.168.143:443
115.61.168.170:443
115.61.168.229:443
115.61.169.139:443
115.61.170.105:443
115.61.170.70:443
116.206.178.68:443
144.76.60.136:443
149.104.2.160:443
154.90.47.123:443
161.97.107.93:443
167.179.100.144:443
182.114.108.91:443
182.114.108.93:443
182.114.110.11:443
182.114.110.170:443
202.91.36.213:443
207.246.106.38:443
223.26.52.208:443
45.128.153.73:443
96.43.101.245:443
alicevivianny.com
aljazddra.com
antioxidantsnews.com
artbykathrynmorin.com
crappienews.com
createcopilot.com
erpdown.com
financialextremed.com
globaleyenews.com
hajjnewsbd.com
hisnhershealthynhappy.com
howtotopics.com
importsmall.com
infotechtelecom.com
inhller.com
itduniversity.com
kerrvillehomeschoolers.com
linkonmarketing.com
looksnews.com
maineasce.com
mexicoglobaluniversity.com
mobilefiledownload.com
mojhaloton.com
mrytlebeachinfo.com
newslandtoday.net
oncalltechnical.com
quickoffice360.com
redactnews.com
reformporta.com
riversidebreakingnews.com
sangkayrealnews.com
techoilproducts.com
tigernewsmedia.com
truff-evadee.com
tychonews.com
usedownload.com
vopaklatinamerica.com
windowsfiledownload.com
xxmodkiufnsw.shop
edupro4.z13.web.core.windows.net

# Reference: https://x.com/Cyberteam008/status/1883764240739434968
# Reference: https://search.censys.io/hosts/43.230.9.230
# Reference: https://www.virustotal.com/gui/file/360a90f4e24859ade78351e58c5c3fc4a54beba94d031ec12b598bda590ea7ef/detection
# Reference: https://www.virustotal.com/gui/file/883c97df8c1e6f310ae655c0dff076dbb845b67df1499e746f63c951c842d6fb/detection
# Reference: https://www.virustotal.com/gui/file/38428e93bfa1d4130b948826b763806a3fb06cf9323a960fded41fe60cd18057/detection

43.230.9.230:443
43.230.9.230:52588
43.230.9.230:53
43.230.9.230:8080
cisco.893yakuza.com

# Reference: https://x.com/DaveLikesMalwre/status/1888691487061282943
# Reference: https://app.validin.com/detail?type=ip&find=34.224.90.25#tab=resolutions
# Reference: https://www.virustotal.com/gui/file/3d105f10dc248d2b5d9857bf88505862a2f3dc8ea276df5700cdacd432b2ff2b/detection

http://34.224.90.25
34.224.90.25:445
byrne1933.health
cochran.training
eojohnson.health
konami.community
myticketbenefits.com
netskope.charity
slack.codes
collection.netskope.charity
telemetry.netskope.charity

# Reference: https://www.security.com/threat-intelligence/chinese-espionage-ransomware

http://154.223.18.123
http://158.247.213.167
154.223.18.123:443
158.247.213.167:443
158.247.213.167:8080
158.247.213.167:8443
caco.blueskyanalytics.net
plugins.jetbrians.net
police.tracksyscloud.com

# Reference: https://x.com/malwrhunterteam/status/1914229179001827660
# Reference: https://www.virustotal.com/gui/file/2e888ffd9d7ab1a210b4165f4f2aa34b1e42e7c4eed79dd9c9f310659c59f10d/detection

45.32.144.34:443

# Reference: https://x.com/malwrhunterteam/status/1914296264889352277
# Reference: https://www.virustotal.com/gui/file/0230cf0545b5ffc76c1797fcf8de85163ee00146348b40e30390c9534b0f612e/detection

23.224.194.47:443

# Reference: https://x.com/malwrhunterteam/status/1917863429186150802
# Reference: https://app.validin.com/detail?find=G-PTEFQ9DHVX&type=raw&ref_id=aafa163975e#tab=host_pairs (# 2025-05-01)
# Reference: https://www.virustotal.com/gui/file/548f177f0fb543ea66382c104806e48c1f0ad8e949b8d4956870c84abb46ff22/detection

maneholding.com
ngonnguhoc.com

# Reference: https://x.com/Thisism23567356/status/1937770301082800230
# Reference: https://www.virustotal.com/gui/file/71b6317c7ea29a9ad6ede0856d4963dca2e0c16185e7bb5cced47045017ede77/detection

cnrelojes.com/images/upload/zfvheqc
/images/upload/zfvheqc

# Reference: https://x.com/Cyberteam008/status/1947884358272008309
# Reference: https://www.virustotal.com/gui/file/16953a202265db5655b3dd972b855619728da76545a2f94bcbb6c43262f48d5b/detection
# Reference: https://www.virustotal.com/gui/file/cde62c26214196caf8ba18ab92a0c214f84d5e99697fde54c44281917fdef112/detection

149.104.2.7:443

# Reference: https://x.com/malwrhunterteam/status/1973799013720994065
# Reference: https://x.com/smica83/status/1973808591351214585
# Reference: https://www.virustotal.com/gui/file/bb491248bb8f6067af39e196b11f4e408a7a3885704cadbd4266db52ae4b03e2/detection
# BANNER_0_HASH-HOST=889a3e35c69101fd7956c2a1570fa2f7
# BANNER_0_HASH-HOST=554ab8ea15a874381d7db6dd0c7cdf4b

buzzurro.net
cseconline.org
dorareco.net
napasbdc.org
naturadeco.net
paquimetro.net
racineupci.org
thecamco.net

# Reference: https://x.com/N3wbound/status/1973815053892948323

canaisdetv.net
crossfitolathe.com
harrietmwelch.com
premegalithic.com
