# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: myth stealer

# Reference: https://twitter.com/crep1x/status/1760068698088296718
# Reference: https://tria.ge/240220-ng26jaga36/behavioral2
# Reference: https://tria.ge/240220-1awrdsfb3v/behavioral2

http://20.127.165.86
stealit.onrender.com

# Reference: https://twitter.com/r3dbU7z/status/1771456213366005937
# Reference: https://twitter.com/r3dbU7z/status/1771456221549138137
# Reference: https://www.joesandbox.com/analysis/1411948/0/html
# Reference: https://www.virustotal.com/gui/file/8b63338eda21fab3d8f6962332c8ffe617bcb21287f623ababc9992e24be64eb/detection
# Reference: https://www.virustotal.com/gui/file/d7eabd0402fa1c6cd5de13a50d96978be63ffee9d8a0094b0d382fe860ed5923/detection
# Reference: https://www.virustotal.com/gui/file/ddad1649d171367b307aa77f14b10826d6a5ae1d1dc1656ef1a7ddbe6ca43af3/detection

canonato.tech
erareborn.shop
nonlyreklamcilik.online
stealit.online
nonly.nonlyreklamcilik.online

# Reference: https://x.com/SomeTestLeper/status/1817295211720261706
# Reference: https://x.com/JAMESWT_MHT/status/1817555134387269960
# Reference: https://app.any.run/tasks/356e47d4-5c5b-4076-a571-71c3efaeb6d8/
# Reference: https://www.virustotal.com/gui/file/45b9784d3d22c0e2b414c36124a909ca605a187a9709eb410cd312d388b12a4e/detection

20.199.16.17:443

# Reference: https://threatfox.abuse.ch/browse/tag/stealit/ (# 2024-08-25)

http://4.233.209.62
20.199.87.174:443
4.233.209.62:443
4.233.218.3:443
40.66.40.211:443
98.66.170.171:443
api.hellokittymeowmeow.xyz
api.ilovecats.life
deadlywarfare.com
hellokittymeowmeow.xyz
ilovecats.life
ip235.ip-192-95-20.net
kittycatmeow.xyz
lxny.xyz
ransomware.kittycatmeow.xyz
xrczy.xyz

# Reference: https://x.com/NDA0E/status/1827715428044714450

http://192.95.20.235
192.95.20.235:3000
192.95.20.235:443
192.95.20.235:8080

# Reference: https://x.com/Jane_0sint/status/1923302068208513418
# Reference: https://app.any.run/tasks/68dbab03-7ba3-4cff-b355-640267818d22

185.224.3.219:8080

# Reference: https://x.com/solostalking/status/1930638160221921720
# Reference: https://www.trellix.com/blogs/research/demystifying-myth-stealer-a-rust-based-infostealer/

185.224.3.219:443
82.153.138.221:7340
cocukporno.lol
plaquist-simulator.com
everlight-beta.netlify.app
luraka-game.github.io
myth.cocukporno.lol
yomiragame.blogspot.com

# Reference: https://x.com/AzakaSekai_/status/1931142768929435747
# Reference: https://www.virustotal.com/gui/file/ffdae1755f2fdb1b468610f58e31b04f82e2716d80020b4086148b057c079f40/detection
# Reference: https://www.virustotal.com/gui/file/b10fb3ca2dba2caf9f1bdc37421bf6d22930c7f9d4522d8e6c9bf160f44c37f4/detection

161.97.114.114:8080
dommenu.org
cakewindgame.blogspot.com
munalegames.blogspot.com
tumiyagame.blogspot.com

# Reference: https://x.com/Fact_Finder03/status/1964975980994589007
# Reference: https://app.validin.com/detail?find=Stealit&type=raw&ref_id=c5325fe5a71#tab=host_pairs (# 2025-09-08)
# Reference: https://www.fortinet.com/blog/threat-research/stealit-campaign-abuses-nodejs-single-executable-application

emrebabakraladam.lol
fenaciksgodadamlar.lol
iloveanimals.shop
stealitpremium.lol
stealitpublic.lol
stealituptaded.lol
stealitware.lol
worldwars.xyz
api.fenaciksgodadamlar.lol
cloud.emrebabakraladam.lol
cloud.fenaciksgodadamlar.lol
cloud.stealitpremium.lol
cloud.stealitpublic.lol
cloud.stealituptaded.lol
cloud.stealitware.lol
root.emrebabakraladam.lol
root.fenaciksgodadamlar.lol
root.iloveanimals.shop
root.stealitpremium.lol
root.stealitpublic.lol
root.stealituptaded.lol
root.stealitware.lol
cloud.worldwars.xyz
root.worldwars.xyz

# Reference: https://x.com/Jane_0sint/status/1948058703716122835
# Reference: https://x.com/BlinkzSec/status/1948068951109292453
# Reference: https://app.any.run/tasks/25c854e2-cc28-4100-bff7-c9cebdacbcc3
# Reference: https://www.virustotal.com/gui/file/d133ab0dc7d8c4a6f0f48fa74a678c41739994601ec2f2f01d3f3d097a3a5777/detection
# Reference: https://www.virustotal.com/gui/file/443728f46919b6ebe021eec32c2e221ff7be9dbd350603247691447807970510/detection

mythstealer.win

# Reference: https://www.virustotal.com/gui/file/264c4a730a67ed4d7ac8f589fcb52619bb75a766969975eb34cb20322b447c02/detection

77.237.242.120:9999
kedi.mythstealer.win

# Reference: https://community.emergingthreats.net/t/games-and-myths-mythstealer-spotted-in-the-wild/2861

combatshell.com
combatsouls.com
pokettohiro.com

# Reference: https://x.com/solostalking/status/1965686151853076890

213.136.81.217:8080

# Reference: https://x.com/solostalking/status/1977578407186809250
# Reference: https://www.virustotal.com/gui/file/46203e8463db20107c38a7c11b00184ceaf76bd0320ef3c982a9ff6c2092691f/detection

213.136.82.168:8080

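# Generic: URL path indicators with no host or IP attached.
# A path such as /api/send/passwords is not distinctive on its own, so check the destination of a hit before attributing it.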

/api/send/passwords
/ste4litgroup
