# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: /utg-q-010

# Note: https://malpedia.caad.fkie.fraunhofer.de/actor/utg-q-010

# Reference: https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations
# Reference: https://www.virustotal.com/gui/ip-address/45.32.186.33/relations
# Reference: https://www.virustotal.com/gui/ip-address/139.59.46.154/relations
# Reference: https://www.virustotal.com/gui/ip-address/89.107.62.39/relations

139.59.46.154:80
139.59.46.154:3485
89.107.62.39:80
89.107.62.39:8080
89.107.62.39:13569
0x.com.ua
1000hp.club
banks.quasar.cc
blog.0x.com.ua
blog.quasar.cc
bot.quasar.cc
braizatravel.com
com-ho.me
compressor.quasar.cc
itworx.com-ho.me
kolibri.space
mci.com-ho.me
moh.com-ho.me
mol.com-ho.me
ntg-sa.com
quasar.cc
search.quasar.cc
shaula.space
shop.quasar.cc
trends.ukr.gift
ukr.gift
valakas.0x.com.ua
valakas.quasar.cc
vktg.quasar.cc
webp.quasar.cc
zyabra.com

# Reference: https://twitter.com/tadmaddad/status/1082846728435335168
# Reference: https://www.virustotal.com/gui/file/931f25b7fe4bf22c3383f2a011054852d0a1ea4bcd465d37bb6e8603a11bb085/detection

221.153.37.38:8080

# Reference: https://twitter.com/James_inthe_box/status/1062054609319940097
# Reference: https://www.virustotal.com/gui/ip-address/167.99.161.218/relations

167.99.161.218:443
167.99.161.218:4444
167.99.161.218:80
178.128.70.88:8080

# Reference: https://twitter.com/v0id_hunter/status/832578348744376320
# Reference: https://pastebin.com/MweLPX93

datinguppercrust.com
fattybraintoys.net
gigestate.com
theagingbusiness.com
tokopatria.com
twittergrandma.com

# Reference: https://app.any.run/tasks/0bb1b562-9d2b-4f8d-b64c-e2e3457b6236/

45.76.128.165:4443

# Reference: https://app.any.run/tasks/7048aaa6-0216-4d5f-8fc1-92f9fa4aa3f3/

142.11.215.153:443

# Reference: https://app.any.run/tasks/d59fd378-eeb5-44e2-aa64-e633a83fc3fe/

66.192.70.36:443

# Reference: https://twitter.com/r3dbU7z/status/1326994040831750151
# Reference: https://www.virustotal.com/gui/file/159b58cbc5994096019a322bc61432c2c04ab1b371b93cca64b818f0d1d8f0eb/detection
# Reference: https://www.virustotal.com/gui/file/27a38b3d3de594d0d32d8c171244616509a4747a6be311cfba27183d90b7d3dc/detection
# Reference: https://www.virustotal.com/gui/file/03ea8330969b98cce48f37c5c699e5c4a2f5c614bb31f99f48c59d7cafb90c8d/detection

185.232.31.2:11720
185.232.31.2:443
/Pupy.ps1
/pupy_cApXy4.cs
/pupy_XrUDIO.ps1
/pupy_tNv5B8.ps1
/pupyx64.Iyvrj2.exe

# Reference: https://www.virustotal.com/gui/file/c342cdce7cdc2fa915c124d3114cdf2d61ab441ce61ba68b34d3e0f4a16e5a77/detection
# Reference: https://www.virustotal.com/gui/file/b7db1b9c1d3ae7d2345c9d9670e8f504c21a6a692048b725637a2ea04f877fa8/detection
# Reference: https://www.virustotal.com/gui/file/065681acd95662e3a38aaf09c6cdad7d3fe0b8896c6c15be2d579e086936daa0/detection

ac1dbath.duckdns.org
forexlive.duckdns.org
postbox.serveftp.com

# Reference: https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/
# Reference: https://www.virustotal.com/gui/file/dec165ab6a15fa62409ccc0a5936097128cfd3148b1cc3cb89e89814665db958/detection

http://103.79.76.40
103.79.76.40:8443

# Reference: https://twitter.com/Infoblox/status/1646595910758006785
# Reference: https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic/
# Reference: https://otx.alienvault.com/pulse/6446f6710c726af964606529

ads-tm-glb.click
allowlisted.net
atlas-upd.com
claudfront.ml
claudfront.net
hsdps.cc
wmssh.com
1ykaka9.hsdps.cc
3e4bae3b6d0addd08553fcbd8a2e2d24.mapdatamsnsdn.info
fqeel11q9.cbox4.ignorelist.com
jkq9.allowlisted.net
ping5.atlas-upd.com
qq.74lmth4.wmssh.com
rgk.74lmth4.wmssh.com
tzzjim3fv6dsgplfphfq9999.ouazdkj356dbfqeel11q9.cbox4.ignorelist.com
wua.40xhtgh.wmssh.com

# Reference: https://twitter.com/TLP_R3D/status/1654038602282565632

103.79.76.40:9001

# Reference: https://twitter.com/1ZRR4H/status/1654049500162318337

195.164.49.51:9000

# Reference: https://twitter.com/TLP_R3D/status/1654038822668075008

51.38.68.84:9000

# Reference: https://twitter.com/drb_ra/status/1654464074879475713

103.13.229.67:443
103.13.229.67:8443
103.13.231.34:443
104.156.232.19:443
104.156.232.19:9000
104.168.163.200:443
107.152.44.191:443
108.61.242.65:9050
111.9.220.114:9002
13.215.175.44:443
134.122.39.118:443
134.209.101.105:8443
134.209.101.105:9000
139.180.131.241:9000
143.42.74.25:443
143.42.74.25:9000
149.28.19.155:9000
154.202.59.107:443
157.245.155.179:443
157.245.155.179:8443
157.245.155.179:9000
172.104.122.152:8080
18.167.13.235:443
18.167.13.235:9000
181.215.68.173:8443
181.215.68.173:9000
199.247.24.153:9000
202.102.36.252:9002
202.182.106.252:9000
203.86.236.93:443
206.189.44.250:9000
212.115.55.53:8443
212.115.55.53:9000
217.195.153.13:9000
34.84.185.40:9000
35.201.196.246:443
35.220.154.238:443
35.241.106.118:443
39.98.206.63:8443
43.139.167.131:8443
43.139.167.131:9000
43.154.112.87:443
43.154.112.87:9000
43.155.117.195:8443
43.155.117.195:9000
45.77.41.141:443
45.79.134.104:9000
54.156.169.56:8443
8.210.107.120:8443
8.210.107.120:9000
8.210.141.104:8443
8.210.141.104:9000
95.216.206.17:443
95.216.206.17:9000

# Reference: https://twitter.com/drb_ra/status/1654921328867115010

34.92.235.56:443

# Reference: https://twitter.com/drb_ra/status/1655283653952380928

45.8.159.245:9002

# Reference: https://twitter.com/drb_ra/status/1655567773265797124

103.51.145.45:9000

# Reference: https://twitter.com/drb_ra/status/1655567799228530695

139.84.140.110:5432

# Reference: https://twitter.com/drb_ra/status/1656008527960317964

http://41.147.195.62

# Reference: https://twitter.com/drb_ra/status/1656008553860145174

49.233.9.106:9000

# Reference: https://twitter.com/drb_ra/status/1656008584176582656

154.202.59.194:9000

# Reference: https://twitter.com/drb_ra/status/1656370929742540806

103.27.186.185:443

# Reference: https://twitter.com/drb_ra/status/1656370956317650947

165.22.185.138:443

# Reference: https://twitter.com/drb_ra/status/1656370967218647067

168.100.11.126:9000

# Reference: https://twitter.com/drb_ra/status/1656370979830919201

192.169.7.17:443

# Reference: https://twitter.com/drb_ra/status/1656370990450896899

195.80.151.57:443

# Reference: https://twitter.com/drb_ra/status/1656733482347888640

103.140.187.137:9002

# Reference: https://twitter.com/drb_ra/status/1656733509442994190

154.202.59.194:443

# Reference: https://twitter.com/drb_ra/status/1657095884935421960

149.248.34.178:8443

# Reference: https://twitter.com/drb_ra/status/1657095898642407429

154.202.59.148:443

# Reference: https://twitter.com/drb_ra/status/1657095912949178379

165.232.160.68:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.pupy/

http://102.248.4.140
http://154.3.34.146
http://41.147.196.64
http://41.147.198.27
http://41.147.198.28
http://41.147.199.163
http://41.147.203.18
1.12.69.102:9000
103.27.186.185:9001
103.51.145.45:443
111.230.42.99:8443
111.231.2.20:8443
116.204.126.15:8443
119.3.224.30:443
120.46.87.61:5053
120.55.170.180:443
121.37.191.11:8443
124.221.75.139:8443
134.209.101.105:443
134.209.101.105:7443
136.244.65.241:443
136.244.98.14:9000
137.184.219.41:8443
139.180.188.45:9000
139.84.140.157:443
139.84.142.187:443
139.84.142.38:443
139.84.172.30:443
14.19.159.105:8443
154.202.59.107:9001
154.202.59.148:9001
154.202.59.51:443
16.162.91.105:443
16.163.43.4:443
16.163.43.4:9000
162.243.167.87:443
168.100.11.126:8443
172.105.35.56:8443
18.163.105.206:443
18.163.105.206:9000
18.163.180.135:443
18.163.180.135:9000
18.167.37.204:443
207.148.99.121:9000
38.54.40.25:443
39.107.32.219:9000
45.156.185.125:40400
45.32.14.224:443
45.77.68.13:443
45.79.134.104:47185
45.8.159.245:9443
46.36.219.181:443
47.102.87.85:53
49.233.9.106:8444
52.70.252.57:8443
54.179.188.121:443
62.234.185.105:8090
62.234.32.192:9000
64.176.36.50:443
65.20.66.221:443
66.42.59.191:8443
92.118.189.178:443
92.118.189.178:9001
93.90.72.13:8443
93.90.72.13:9000

# Reference: https://threatfox.abuse.ch/browse/malware/win.pupy/ (# 2023-08-01)

101.37.18.245:8443
146.190.52.2:8443
174.138.26.174:443
34.92.11.248:443
65.20.73.21:443
8.210.170.39:443

# Reference: https://twitter.com/drb_ra/status/1690074543077924866

34.150.43.70:443

# Reference: https://threatfox.abuse.ch/ioc/1149874/

65.20.84.238:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.pupy/ (# 2023-08-15)

139.224.203.214:443
139.224.203.214:53

# Reference: https://twitter.com/drb_ra/status/1692066843001839999

95.179.155.128:8443

# Reference: https://threatfox.abuse.ch/browse/malware/win.pupy/ (# 2023-09-18)

101.132.227.62:53
114.115.129.32:18443
121.40.112.84:53
123.57.187.54:53
139.180.199.249:53
139.84.134.80:8443
139.84.134.80:8445
14.19.144.23:8443
18.163.102.74:443
185.218.3.113:443
206.189.87.191:443
206.189.87.191:8443
34.23.170.100:8443
34.96.194.162:443
43.198.25.218:443
47.98.62.87:443
47.98.62.87:53
51.195.29.38:8443
65.20.66.21:443
65.20.84.122:443

# Reference: https://www.bleepingcomputer.com/news/security/mysterious-decoy-dog-malware-toolkit-still-lurks-in-dns-shadows/
# Reference: https://otx.alienvault.com/pulse/64c12c7ccbf6b2e988374eda

ads-tmglb.click
maxpatrol.net

# Reference: https://threatfox.abuse.ch/browse/malware/win.pupy/ (# 2023-09-12)

54.251.184.244:443
91.149.239.53:443
92.118.189.197:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.pupy/ (# 2023-09-20)

j2update.cc
nsdps.cc
rcmsf100.net

# Reference: https://threatfox.abuse.ch/browse/malware/win.pupy/ (# 2023-09-22)

106.75.24.63:8443
141.164.39.232:54
16.162.91.105:53
185.117.75.168:443
62.234.32.192:8781
65.20.82.227:443
65.20.84.68:443
77.91.101.173:443
91.149.203.236:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.pupy/ (# 2023-11-01)

103.201.130.11:443
106.14.147.179:53
107.152.44.183:443
130.51.20.64:443
139.84.162.47:443
154.202.59.98:443
159.203.124.88:1233
176.123.8.153:49802
18.162.214.171:443
18.162.58.174:443
18.167.84.209:443
192.119.68.243:443
192.46.227.201:443
212.192.12.156:443
34.92.143.66:443
37.59.239.17:445
38.147.188.28:443
38.147.188.61:443
38.147.189.173:443
38.147.189.199:443
43.154.65.199:8443
45.150.198.25:443
45.150.198.36:443
45.150.198.47:443
45.76.145.241:443
5.188.228.15:443
5.188.228.224:443

# Reference: https://twitter.com/drb_ra/status/1721419236361265464

14.19.159.171:8443

# Reference: https://threatfox.abuse.ch/ioc/1201289/

3.93.54.41:8443

# Reference: https://asec.ahnlab.com/ko/64073/

86.cdn-api.848820.com
86.cdn-api.848820.com.bk1233.com
angc.blinktron.com
angc.blinktron.com.bk1233.com
api.api-alipay.com
api.api2-cdn.com
blinktron.com.bk1233.com
cache.cacti.api-cloudflare.com
cacti.api-cloudflare.com
cdn-api.848820.com
cdn-api.848820.com.bk1233.com
cdn-image.microsoft-shop.com
cdn-image.microsoft-shop.com.bk1233.com
lw.cdn-image.microsoft-shop.com
lw.cdn-image.microsoft-shop.com.bk1233.com
microsoft-shop.com.bk1233.com
pyq-pro.update.microsoft-shop.com
pyq-pro.update.microsoft-shop.com.bk1233.com
ue20.angc.blinktron.com
ue20.angc.blinktron.com.bk1233.com
update.microsoft-shop.com
update.microsoft-shop.com.bk1233.com
/kworker0ytj
/kworker37yu
/kworker54c8
/kworker9t8b
/kworkergo79
/kworkerqxnz
/kworkers0id

# Reference: https://twitter.com/banthisguy9349/status/1780998858446659588

103.201.130.11:8443
103.79.76.40:443
106.75.66.128:53
16.163.57.246:443
38.147.189.149:443
91.108.105.80:443

# Reference: https://twitter.com/IronNetTR/status/1782393212121829507

38.147.189.149:9000
45.150.198.25:9000

# Reference: https://twitter.com/banthisguy9349/status/1786314871094624467
# Reference: https://www.virustotal.com/gui/file/a799d1b1f7239a7bc7fadf0a8a1c7d50c62e144a107458ac3cb08ea63b27b3aa/detection

http://45.13.199.132

# Reference: https://threatfox.abuse.ch/browse/malware/win.pupy/ (# 2024-06-22)

http://96.9.213.175
103.79.76.166:8443
138.197.56.161:9001
14.1.98.189:443
14.19.144.236:8443
141.164.48.82:8443
154.82.65.35:8443
155.138.128.220:443
16.163.52.26:443
172.104.172.74:443
172.206.49.104:8443
185.216.68.100:8443
192.53.174.141:443
193.42.25.233:443
206.206.123.220:443
207.148.17.169:9000
23.27.52.110:443
34.92.143.66:8443
38.145.202.153:443
38.147.189.157:443
38.6.177.93:443
41.147.196.189:80
43.198.137.245:443
45.136.15.139:53
45.141.84.135:54183
45.150.198.28:443
45.77.177.125:2053
65.20.79.2:443
82.157.173.114:8443
92.38.176.164:443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv

http://41.147.201.250
104.168.146.71:443
139.84.132.161:443
139.84.139.135:443
18.163.129.171:443
193.56.255.242:443
206.206.77.77:443
34.30.185.227:443
43.198.114.188:443
64.176.180.215:443
97.74.92.239:443

# Reference: https://x.com/malwrhunterteam/status/1816753473649614965
# Reference: https://www.virustotal.com/gui/file/7369d96378701f0ff78aee190558a86e598ab68d610366712718d033876d03f0/detection

165.22.101.200:8080

# Reference: https://x.com/rabbitinfosec/status/1817537219172897043

167.179.103.233:53
167.179.103.233:8080

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-08-03)

http://206.119.167.197
139.180.209.232:8080
165.22.101.200:53
43.138.226.252:443
45.11.77.101:443
5.180.96.219:443
5.180.96.233:443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-08-24)

103.118.253.95:443
16.162.86.228:443
208.117.85.9:53
65.20.74.235:443
65.20.91.83:443
67.217.228.199:8443
91.92.243.223:443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-09-15)

http://66.42.50.189
121.199.15.10:8443
18.167.72.248:443
206.166.251.183:443
64.95.10.93:53
66.42.62.138:8443
71.19.146.64:443
95.179.197.59:443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-10-15)

108.61.127.94:53
140.82.63.209:8443
172.104.181.84:443
34.92.11.148:443
34.92.11.148:8443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-01-02)

http://91.242.241.144
103.118.253.84:8443
139.84.170.181:443
193.53.126.12:443
35.78.32.135:443
43.199.62.116:443
45.11.77.60:8443
45.141.84.135:54184
45.76.163.248:443
5.180.96.152:443
5.180.96.233:8099
52.37.79.138:443
66.42.43.204:53
66.42.98.90:53
91.242.241.144:8080
92.118.9.61:8443

# Reference: https://x.com/skocherhan/status/1876040726716559434

142.202.82.250:9000

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-07-26)

103.215.216.174:443
103.56.19.86:8443
103.79.76.40:8444
106.14.2.243:443
139.180.136.101:53
139.180.222.187:53
142.93.15.10:5000
142.93.15.10:50000
144.172.96.219:443
150.109.126.200:8080
158.247.215.42:443
158.247.215.42:53
164.132.247.190:443
165.154.236.59:443
178.157.61.161:443
207.148.96.97:8888
207.254.31.224:8443
23.106.133.239:443
35.220.139.126:8443
35.220.140.248:443
35.220.140.248:8443
35.241.90.34:443
35.241.90.34:8443
35.247.182.150:443
38.54.23.241:443
45.63.1.46:443
45.78.63.125:443
47.129.171.26:443
47.83.124.77:443
5.199.166.10:443
5.199.166.185:443
5.199.166.188:443
5.199.166.3:443
5.199.166.5:443
64.190.113.45:443
65.20.82.213:443
66.42.44.50:53
67.217.228.199:443
70.34.242.59:443
78.141.212.135:443
84.32.23.56:443
84.32.23.6:443
84.32.23.8:443
95.174.93.233:8443
95.181.213.98:8443

# Reference: https://ti.qianxin.com/blog/articles/utg-q-010-supply-chain-attacks-strike-directly-at-the-heart-of-hongkongs-financial-market-en/
# Reference: https://www.virustotal.com/gui/file/5783f7132604665edd69b3acb4f738057214897e5bc2cdd62970e468333dea08/detection
# BANNER_0_HASH-HOST=5173d8d61bf3944032bd55da410ad2ee
# BANNER_0_HASH-HOST=536ceb01fc1f8b170b4a209e6cfbdf99

cloudcenter.top
rkx.center
mail.rkx.center

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-10-05)

http://41.147.193.221
103.215.216.166:443
103.56.19.86:443
108.61.217.205:53
149.28.70.98:443
162.33.177.115:443
162.33.179.12:8443
18.167.174.198:443
192.144.23.109:443
2.57.241.36:443
206.190.236.171:443
209.250.227.127:443
216.128.136.39:443
216.128.136.39:8443
45.141.84.139:443
45.141.84.139:54184
45.141.84.189:443
45.141.84.27:443
45.141.84.5:443
45.141.84.5:54184
45.141.84.73:443
45.141.84.73:54184
91.231.186.68:443
