# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: purelogs stealer, purerat, ghost crypt, resolverrat, purehvnc

# Reference: https://twitter.com/malwrhunterteam/status/1596269879824465922
# Reference: https://twitter.com/JAMESWT_MHT/status/1596438280903557141
# Reference: https://www.virustotal.com/gui/file/c620ce8ecbaa3ee3b92126091c7686e3bdfa23e188914f072ba2d90f05d18f9d/detection

http://195.201.23.210
download-files-pdf.de
sicherer-download-pdf.de
srv-fattureincloud.de
/ld9sja87s/dialogue/book
/ld9sja87s/dialogue/start
/ld9sja87s/dialogue/
/ld9sja87s/

# Reference: https://twitter.com/VirITeXplorer/status/1603321790490714113
# Reference: https://twitter.com/VirITeXplorer/status/1603322834046033923
# Reference: https://twitter.com/Gi7w0rm/status/1603381798343528450

195.201.23.210:5699
337727.seu2.cleverreach.com
downloadpdf-fattura.de

# Reference: https://blog.cluster25.duskrise.com/2022/12/22/an-infostealer-comes-to-town
# Reference: https://otx.alienvault.com/pulse/63a5b068e163450bbea073da
# Reference: https://www.virustotal.com/gui/file/d3aa8fca03e9eb9911bbb51302d703afa9c04ce94d94ce6c3cd5086999e49471/detection

http://116.203.19.97
service-fatturecloud.de
utente.service-fatturecloud.de

# Reference: https://twitter.com/VirITeXplorer/status/1612840654563860482
# Reference: https://twitter.com/VirITeXplorer/status/1612841897055195142

195.201.23.210:5200
lkvbb-lkvbb.de

# Reference: https://www.virustotal.com/gui/file/9bbd2fc484077da329ae3658122614fa1f9f9dfe9e3ebfb982a69d32fc55a66b/detection

chaifoomasho.foundation
eiseesaeheeg.fun

# Reference: https://www.virustotal.com/gui/file/38c45f56be6ea967ae74559abbc0eace9f0bd9d304b2cf918229366f2feb11fb/detection

puredating.top

# Reference: https://twitter.com/Racco42/status/1716498733183926306
# Reference: https://app.any.run/tasks/6d60a64e-7803-4d0c-8c2f-32ffbc62f745/
# Reference: https://www.virustotal.com/gui/file/4af6acc09b59a76cb72a04b55d20b029c29e069f2c8403677624bc8dee93132c/detection

51.75.154.192:62520

# Reference: https://twitter.com/Jane_0sint/status/1716519296489189405
# Reference: https://app.any.run/tasks/32eaf0c9-fec7-4fcb-89d0-c47cce096fa2/

86.106.87.133:62520

# Reference: https://twitter.com/g0njxa/status/1717474198480683418
# Reference: https://twitter.com/Jane_0sint/status/1717507470489194895
# Reference: https://app.any.run/tasks/9d36942e-c84e-4f92-becb-afb8289bbdf1/

185.138.164.41:7705

# Reference: https://twitter.com/AvastThreatLabs/status/1722953843208577257
# Reference: https://www.virustotal.com/gui/file/037d4c74e5ceda694755d7ff54d8e45f1c7d439262d7c5293a6751cf02872efd/detection

http://5.182.86.248
http://5.182.87.245

# Reference: https://twitter.com/James_inthe_box/status/1727060607109833165
# Reference: https://app.any.run/tasks/b7141b83-ab60-4072-b208-f6cbdeb224f2/

91.92.253.88:7702

# Reference: https://twitter.com/g0njxa/status/1729232608830394409
# Reference: https://www.virustotal.com/gui/file/0808202fc3bd5e570b2106a4f991de5beeee739960b1167a590da92727b813a6/detection

212.224.86.54:58001

# Reference: https://twitter.com/g0njxa/status/1729478226148307227
# Reference: https://app.any.run/tasks/1684165d-42ae-4777-a64e-da59320f9ef2/
# Reference: https://www.virustotal.com/gui/file/c36f73870a437275b512bdc8a70a249e77a1d836949dc4c79ece8dcd05d8a571/detection

95.214.25.73:58001
pornsworld.xyz
data.pornsworld.xyz

# Reference: https://twitter.com/k3yp0d/status/1729908135375020125
# Reference: https://www.virustotal.com/gui/file/ff0179442402fa306c85ba83a87df2cc46d13012a1e2819e73a6b3586c5c8dc3/detection
# Reference: https://www.virustotal.com/gui/file/9745eaca508255646d2039383150952955f49196767a160968fcf83130ad9a90/detection
# Reference: https://www.virustotal.com/gui/file/93988c13f8e6dc3cc6d9256992d417057e164785c1ad05f6984fc769af5b597a/detection
# Reference: https://www.virustotal.com/gui/file/5901691afd331944b38939588b1ac7480c1ea76ba32c703bb61af1be4c72bb50/detection

91.92.252.74:39001
91.92.252.74:58003

# Reference: https://www.virustotal.com/gui/file/39b10e16dcda487ccf77695191c4c5e45d7e3b1ca85099f4bd934f260dc7ef62/detection

91.92.120.119:62520

# Reference: https://twitter.com/suyog41/status/1733001612103397646
# Reference: https://www.virustotal.com/gui/file/a1d1b33e93188e94712b71b3fb7589eb6904af72e243d6dff3fb5c6ad917038a/detection
# Reference: https://www.virustotal.com/gui/file/6ead965d47c13610ac4796e9d3f9ace8bcdff14bbdd828176ef8eb702fa26c0d/detection

91.92.240.144:58001

# Reference: https://twitter.com/ViriBack/status/1734058092336148839
# Reference: https://www.virustotal.com/gui/file/eb084ed44cabbe60ecfcc565813ece7aec29b259d6ba029ee1749d6cd93bbed2/detection
# Reference: https://www.virustotal.com/gui/file/833b39e5d4b15f65b5a1792038178d6afa3a661c566682274bf1dde5716a4d3f/detection
# Reference: https://www.virustotal.com/gui/file/db0b9056105ec470e760eb9e9940ad871fdcd321e876dcccae3600d12e8ec38d/detection
# Reference: https://www.virustotal.com/gui/file/ed04d8ebbc30c39278f1e22d2442853ff704f97f0e494d069034dee2239bc43a/detection
# Reference: https://www.virustotal.com/gui/file/54cf52a9e70fd4c1451e174e177e1e085849b77ffba2e0949865aa69fc44b141/detection

5.188.159.44:39001
5.188.159.44:58001
51.255.78.213:39001
51.255.78.213:58001
51.255.78.213:7702

# Reference: https://www.virustotal.com/gui/file/035ae10badc5ae4db898cdf876da90e4aa8110b2f772e296cac0a0cc5cf3f7ee/detection

23.224.233.91:58001
23.224.233.91:7702

# Reference: https://www.virustotal.com/gui/file/1bb8f8ab59d0e9c8eec0366638f3d079cb2be52033346db80aff0badcf9e0aea/detection

58.220.33.199:7702

# Reference: https://www.virustotal.com/gui/file/68c0399ac81708d1bb12018df9779e3f505bec822d64e4e9a7d063962ae23c6a/detection

http://61.147.96.195
61.147.96.195:3131

# Reference: https://app.any.run/tasks/b67b0bf0-b145-4f47-b45d-cdcd068a05c8/

http://74.119.193.203

# Reference: https://www.virustotal.com/gui/file/0a65d5c09412040cf15bf2cca084741b4a1b386cbd0a88cd63c0cf867581b395/detection

89.39.106.35:1337
89.39.106.35:58004

# Reference: https://www.virustotal.com/gui/file/7367d9790fcd796386f0aa856ec3899f86102162e332bcdce0404b2d009bd903/detection

94.156.71.237:58001

# Reference: https://twitter.com/malwrhunterteam/status/1761150913807331626
# Reference: https://www.virustotal.com/gui/file/fa12c39db075c3724509b82bbbb066475046fc87ddf034892d633dc184c2b8e5/detection
# Reference: https://www.virustotal.com/gui/file/e948e8b0b403304158c88996a03304f68b61bd3c1abb40e7434c5ca61b52523d/detection

88.80.145.97:2332
rustercoin.com

# Reference: https://www.virustotal.com/gui/file/a79fbf1f6682f02689ef3400ff89f2c960b595b7498af36fb1a418fa0e7e0549/detection

141.98.10.96:5888

# Reference: https://www.virustotal.com/gui/file/b3df220dc7edc143d630cd47300a4f5aa5c6d0ec4940209204084bf4880fa373/detection
# Reference: https://www.virustotal.com/gui/file/cfe4cc04b18ab58d324b44138720e565170298d7b5449114de2092144343123c/detection

http://51.81.115.20
http://51.81.115.24
http://51.81.115.28
185.196.10.233:39001
185.196.10.233:8383
insane.wang
wi-fi.rip
dksj.wi-fi.rip
gjhfhgdg.insane.wang

# Reference: https://www.virustotal.com/gui/file/06dbcee1c5c8b50c3a3c47660d0bdbb52181861bbc9edede1d8b1674e82d074e/detection

http://91.92.254.93
91.92.254.93:39001

# Reference: https://www.virustotal.com/gui/file/57055d1ebed3774ca8e1d6a6c6a3ed02d6769ad0771a42204cf8a8eac2ea73ab/detection

91.92.247.69:39001

# Reference: https://www.virustotal.com/gui/file/39e409462ae74342e5c926c8459c17f64ed491fc1dfa3169468a66de50070547/detection
# Reference: https://www.virustotal.com/gui/file/97175f477ed70cb8ab8e64165325586111a3946433bbae9e03b8273ac0602e3e/detection

87.120.84.140:7702

# Reference: https://twitter.com/banthisguy9349/status/1783055072227729540
# Reference: https://urlhaus.abuse.ch/browse/tag/pclient/

http://91.92.247.178
http://91.92.249.233
http://94.156.65.175
vertextech.buzz

# Reference: https://x.com/StrikeReadyLabs/status/1818461465214398612
# Reference: https://www.virustotal.com/gui/ip-address/94.154.172.166/relations
# Reference: https://www.virustotal.com/gui/file/04412dd87af692fd0a1c819da8bfc9cd57bc4ab619e214840f4a539086eba1f3/detection
# Reference: https://www.virustotal.com/gui/file/6a42d617616188ab84e93c396341086ed33c2a2af21f8d0011ae003bc18417f2/detection
# Reference: https://www.virustotal.com/gui/file/ace74890b732a42e4d481744266121b1bca84a36c730dc563813e26f781a7512/detection
# Reference: https://www.virustotal.com/gui/file/df822725545120d197a5feaef16dbd3734fd5b309af756d5ed60ff5bb75c422d/detection

http://94.154.172.166
111.90.145.132:7722
111.90.145.141:58001
41.216.183.3:56001
fallback-01-static.com
strang-01-static.com
relay-03-static.cloud
pdf-builder.theworkpc.com

# Reference: https://www.virustotal.com/gui/file/1d4968c61aedd4552733a1b64a7044a22cd9e036c9414c9e059536fa298684df/detection

undernamingtry.xyz

# Reference: https://threatfox.abuse.ch/browse/malware/win.purelogs/
# Reference: https://www.virustotal.com/gui/file/0cbccc76d0232d97d07385eacb8dccdffe69c82c8a8113f3f09b432b93e0714a/detection

91.92.244.157:9817
91.92.255.61:9817
purfufu3flujs.duckdns.org

# Reference: https://www.virustotal.com/gui/file/0cbccc76d0232d97d07385eacb8dccdffe69c82c8a8113f3f09b432b93e0714a/detection

91.92.244.157:7702
91.92.255.61:7702
pukrilug.duckdns.org
stremasster.duckdns.org

# Reference: https://x.com/RussianPanda9xx/status/1829768223308362013
# Reference: https://www.virustotal.com/gui/file/08b40fedadf7d3aa7c3768c0f7a44d75393706f49f1aeb871c99da7590c3dfc0/detection

154.216.20.37:5888

# Reference: https://x.com/malwrhunterteam/status/1826546541986804006
# Reference: https://app.validin.com/detail?type=ip&find=91.92.240.9#tab=resolutions

relay-01-static.com
relay-02-static.com
adobeartsia.com
backend-server78.com

# Reference: https://www.virustotal.com/gui/file/0a997282b4b069043b235a93051e5bcb6eaab82f800098b51d55802493fedd43/detection

msdownloads.pro

# Reference: https://x.com/fam4r/status/1836497372454465628
# Reference: https://x.com/malwrhunterteam/status/1836498511598059879
# Reference: https://www.virustotal.com/gui/ip-address/185.208.159.43/relations
# Reference: https://www.virustotal.com/gui/file/10d4e15b63a07368299f2245661d7a4626cd1a91a9950a3cbed5b4276d2dc31f/detection
# Reference: https://www.virustotal.com/gui/file/d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207/detection
# Reference: https://www.virustotal.com/gui/file/5b09f7b95e50495b7f7179c03d72949a7a6f63efd213bfe5dc8884b056bd1e1f/detection
# Reference: https://www.virustotal.com/gui/file/62a1310e29465bda30fcba8f954d1a566c744ffec15490b22fd385fa056b74e7/detection

45.11.229.96:39001
45.11.229.96:39002
45.11.229.96:39003
45.11.229.96:56001
45.11.229.96:56002
strompreis.ru

# Reference: https://x.com/D3LabIT/status/1846912437905231940
# Reference: https://www.virustotal.com/gui/file/034a7ebb0029fd5dc9a7ba680240d61223b70f869a80bd7094be1dcd47687512/detection

193.187.91.208:50600
194.71.217.68:50600
89.238.176.21:50600
89.238.176.4:50600
89.238.176.5:50600
89.238.176.6:50600
puritylgs.duckdns.org

# Reference: https://x.com/DaveLikesMalwre/status/1859376108933873963
# Reference: https://app.any.run/tasks/a999e641-1b7a-410e-b526-672d51cbd581

38.240.56.253:7702

# Reference: https://www.virustotal.com/gui/file/5aadbf4040d7821fe13103773317f2424e0dc24e7685ff6f3334a283b874fdfa/detection
# Reference: https://www.virustotal.com/gui/file/c62e5618cf0da664429a3d035f221b9cacb3c6ac8ac73c9adf4061a3bc5ffdc1/detection

64.95.10.19:56001
64.95.10.19:56002
64.95.10.19:56003

# Reference: https://www.virustotal.com/gui/file/cf392a9a21950a00b3a26019c87348bb1f52a058a13f2400001208e498373659/detection

31.220.90.137:39001
31.220.90.137:39002
31.220.90.137:39003

# Reference: https://x.com/Jane_0sint/status/1904929255932518582
# Reference: https://app.any.run/tasks/7ffd75c7-0b3a-490a-8729-7036614cef22

15.204.0.108:5609

# Reference: https://x.com/Jane_0sint/status/1911844767186436550
# Reference: https://app.any.run/tasks/e1612143-9389-46c9-acd2-a1c5e878804d
# Reference: https://app.any.run/tasks/0cdb9235-a411-401a-a55c-89625dbabadb
# Reference: https://www.virustotal.com/gui/file/d75f845cd5523bd25846b962665a31740ec23e44010cd83743f4304240bc3b8b/detection
# Reference: https://www.virustotal.com/gui/file/afa26e223f8390edc24aa7d6a68bfa9c17a1d0acc094a4ea9b564318a514bebc/detection

193.233.254.162:5555

# Reference: https://www.virustotal.com/gui/file/9ae0181d52bb1f6fbd4143e7aa6aa4d1f0ded970397dae076ba6a5fc4cd9ebf9/detection
# Reference: https://www.virustotal.com/gui/file/374c270caa42b3ba1a0b31c33a47fe590c38ef8997845d48ae3fb8a575f7d608/detection

185.39.17.222:56001
185.39.17.222:56002
185.39.17.222:56003

# Reference: https://www.virustotal.com/gui/file/475d33e7694eb0bd66231d242a27abd4ceec807bbcb155a636ee4e1e80d0be38/detection

84.38.132.39:7702

# Reference: https://x.com/skocherhan/status/1924676298808434713
# Reference: https://www.virustotal.com/gui/file/5d6fa8670f6b5f4492e1d15c34a8cb002f70b006b37bde8f96a2656b1921d6ae/detection

176.65.134.71:39001

# Reference: https://x.com/skocherhan/status/1902485145984106851
# Reference: https://thehackernews.com/2025/05/purerat-malware-spikes-4x-in-2025.html
# Reference: https://securelist.ru/purerat-attacks-russian-organizations/112619/
# Reference: https://www.virustotal.com/gui/file/02e19ffa90593715448b8051ba70c893fe5ec56caa3ec754e66f53bc1d99af2c/detection
# Reference: https://www.virustotal.com/gui/file/045656f83862d913e471b01a73d6282cd453cca78c25f70d2210b1b9a2f2635a/detection
# Reference: https://www.virustotal.com/gui/file/6f57a0a69fb161475ab0e066c750195e7c2fe6f5a8859cdd2ba04a7b3d55b81b/detection

195.26.227.209:23075
195.26.227.209:56001
195.26.227.209:7702
apstori.ru
bussines-131.online
coinchange.world
downloadbussines.ru

# Reference: https://x.com/skocherhan/status/1935548546138190083
# Reference: https://www.virustotal.com/gui/file/acb0251cf908ee1bb0fdde94d301f3af5fa93d55edbd87d774d37c203d83f461/detection

176.65.144.169:7705
aasyad.com
avsglobalssupply.com
besiktasshlpyard.com
elli0tt-turbo.com
halcheungchina.com
hapc-s.com
jmb-q.com
lnayatmoosa.com
pearlpolyurrethane.com
pwccgroup.com
secpt.com
slcamsrl.com
swlssway.pro
tachshipman.com
mxcnss.dns04.com

# Reference: https://www.virustotal.com/gui/file/4de8ed2c599cafc4aec2170f13a63e50bebb7e96b20128a219c5467b76d18cb0/detection
# Reference: https://www.virustotal.com/gui/file/e6e368cabd5517ffb203bd312211f0863bd118b91cee065fc00945d60aa9f3e8/detection

181.71.216.106:3009
20220242024dominio2024.duckdns.org

# Reference: https://www.virustotal.com/gui/file/00cf8d8162b0c37baf224e8ff90070d8be5e324b74ceae39522ded1ffa3169ab/detection

139.99.87.31:7702

# Reference: https://www.virustotal.com/gui/file/3026298bf8eb036c65520d208cea4c8b403ae5a2a9f142125f3ad35373af7b32/detection

95.214.54.172:7705
ttsroma.com

# Reference: https://www.virustotal.com/gui/file/0befea8f405084446679e9d98e00cdc7bc4db91150c1df4e1137c956a40d8dd5/detection

196.251.114.11:5438
galilaospa.com

# Reference: https://app.validin.com/detail?type=ip&find=185.249.198.213#tab=host_responses
# Reference: https://www.virustotal.com/gui/file/4164a1628762775603fc98cd4def34cdffa4abe76fee1b3804f8e965bbcbbf56/detection

185.249.198.213:5888
185.249.198.213:8088

# Reference: http://x.com/netresec/status/1940383546042147198
# Reference: https://www.netresec.com/?page=Blog&month=2025-07&post=PureLogs-Forensics
# Reference: https://www.joesandbox.com/analysis/1718460/0/html

147.124.219.201:65535
216.250.252.231:2080
91.92.120.101:65535
91.92.120.101:7705

# Reference: https://x.com/marsomx_/status/1940391900999303372
# Reference: https://www.virustotal.com/gui/file/04aa294cbbdadf2bd8854a5b3dd36aee2f0f3f2a55ea4f116b54ec1ef2e46367/detection
# Reference: https://www.virustotal.com/gui/file/186f2e8050a7770d1e334a75570701dd24d3f69a917d9291642a62045ad9a8b2/detection
# Reference: https://www.virustotal.com/gui/file/1d63cfd0acba7bff2b61878132a0dc646e4321e540de69b2c3b8bf9b98f5ce80/detection

http://193.34.212.113
http://198.12.83.79
http://91.223.3.167
212.23.222.56:20341
212.23.222.56:22003

# Reference: https://www.virustotal.com/gui/file/28dc2040674053f3787ad4ab8c991f332bc960ab49dc040da8488f31700d114f/detection

144.172.91.41:56001

# Reference: https://x.com/JAMESWT_WT/status/1946172962316374137
# Reference: https://app.any.run/tasks/cf21531d-f036-46a9-9ed0-8c9073be4478

104.243.32.185:22109

# Reference: https://www.esentire.com/blog/ghost-crypt-powers-purerat-with-hypnosis
# Reference: https://github.com/eSentire/iocs/blob/main/PureRAT/PureRAT_IOCs_27-06-2025.txt
# Reference: https://www.virustotal.com/gui/file/f3d98823fb6cdc226414bedc49b94e86060fcc511cc50867d63f7c989fe54aed/detection

176.65.144.123:56002
196.251.88.111:56002
fax-greenry.myhome-server.de

# Reference: https://x.com/netresec/status/1947344364734153168

144.172.91.74:7709
192.30.240.242:62520
45.141.233.100:7708
62.60.235.100:9100
65.108.24.103:62050
91.92.120.102:62050

# Reference: https://x.com/netresec/status/1945574287533875237
# Reference: https://x.com/skocherhan/status/1951065171423571995
# Reference: https://www.netresec.com/?page=Blog&month=2025-07&post=PureLogs-Forensics

vastkupan.com/wp-admin/js/

# Reference: https://www.virustotal.com/gui/file/03e2fa3ea4fe23d4f3aa5dd11b89e28fd9ce2ca0874cbbdde1f00debddffcb8c/detection

prelogs.duckdns.org

# Reference: https://x.com/netresec/status/1955297343860822391
# Reference: https://www.netresec.com/?page=Blog&month=2025-08&post=PureRAT-ResolverRAT-PureHVNC

139.99.83.25:56001
193.26.115.125:8883
45.74.10.38:56001
purebase.ddns.net

# Reference: https://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/
# Reference: https://www.virustotal.com/gui/file/ec189b7ce68cb308139f6a5cf93fd2dc91ccf4432dc09ccaecb9de403a000c73/detection
# Reference: https://www.virustotal.com/gui/file/6c054f9013c71ccb7522c1350995066ef5729371641a639a7e38d09d66320bf4/detection
# Reference: https://www.virustotal.com/gui/file/9be93f01785368f96c2a5823c2aefd3c28108fe2dd21442dcf9f416697d55e30/detection

192.30.241.106:56003
38.54.6.120:56001
38.54.6.120:56002
38.54.6.120:56003

# Reference: https://www.fortinet.com/blog/threat-research/purehvnc-deployed-via-python-multi-stage-loader
# Reference: https://wazuh.com/blog/detecting-purehvnc-malware-with-wazuh/
# Reference: https://www.virustotal.com/gui/file/16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a/detection

float-suppose-msg-pulling.trycloudflare.com

# Reference: https://x.com/JAMESWT_WT/status/1955060839569870991
# Reference: https://x.com/netresec/status/1956097873000460658
# Reference: https://app.any.run/tasks/35618d39-0189-4eec-87f0-ce918ecf95f4

45.144.53.137:57666
updatessoftware.b-cdn.net

# Reference: https://x.com/smica83/status/1957119460462010874
# Reference: https://www.joesandbox.com/analysis/1758629#iocs

base64txtdownload.xyz
kalelsianoass.dynuddns.net

# Reference: https://www.virustotal.com/gui/file/0450fe4ee8e1dcafbba426e36628c565688c6ef973cf9d651b73d39d5349edc8/detection

213.209.143.43:58002
213.209.143.43:7705
jojo.ath.cx

# Reference: https://www.virustotal.com/gui/file/136861cb2f12a1a992c4dfa7c9ee425c1fc071d96a727ad5e56bdeb4800a0a27/detection

213.209.143.50:7702

# Reference: https://www.virustotal.com/gui/file/012dbebf770b111ccd9dbabd97e6c990bc56712718d47f341e700bd78203f214/detection

http://167.160.161.37
157.20.182.12:39000
jofilesjo.com

# Reference: https://www.virustotal.com/gui/file/9b18fac62ea6d14f3c415e4b474d69bfba9b78668010ec921457f8ee597daf7e/detection

213.209.143.159:56001
koko.ath.cx

# Reference: https://www.virustotal.com/gui/file/09065910ccbbf93f18a7f6681997ce1928fe8180271297f886ff58e86bbf0548/detection

http://66.63.187.245
213.209.143.50:58002
blue.ath.cx

# Reference: https://www.virustotal.com/gui/file/02a86fcac03b4c392039ba49e5c018486ef2f19201d5e96079507c5b6faa7c26/detection

89.39.106.35:58001

# Reference: https://x.com/JAMESWT_WT/status/1961650667266699661
# Reference: https://app.any.run/tasks/1688a379-2663-41d6-ad41-9879d2b57345

85.208.84.94:56001
85.208.84.94:56002
85.208.84.94:56003

# Reference: https://x.com/JAMESWT_WT/status/1963657070764593628
# Reference: https://app.any.run/tasks/e48e3de8-d94f-42e8-91ab-afb52675888d

5.183.129.11:56001
5.183.129.11:56002
5.183.129.11:56003

# Reference: https://www.virustotal.com/gui/file/ebc3a6999612cc73ab2162c2e461018967748245cd150798c268c5821f8af10b/detection

162.218.115.218:56001
166.0.184.127:7705
bestsaleshoppingday.com
logs.bestsaleshoppingday.com
mh2.bestsaleshoppingday.com

# Reference: https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/
# Reference: https://www.virustotal.com/gui/file/2e9dc929b715bb8d92e84a4f25525528d09e9120ee9fbb13cbd6c968005eebab/detection
# Reference: https://www.virustotal.com/gui/file/77e7177415de68ea8e6ac9f6b4f0f449052d69d1b5093a06ca0696078f66be6f/detection

54.197.141.245:443
54.197.141.245:4443
dndhub.xyz
dsgnfwd.xyz
mktblend.monster
stategiq.quest
stathub.quest

# Reference: https://x.com/smica83/status/1976961752710647921
# Reference: https://www.virustotal.com/gui/file/06e7a4a63f8c01eb78c25613f51a563c6dc25c3950681d20b7b2098daf7833b8/detection

74.50.82.6:56001
