# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: cleversoar

# Reference: https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape
# Reference: https://www.virustotal.com/gui/ip-address/103.127.83.61/relations

51fapiaoyun.com
51faplao.com.cn
51yunfapiao.com.cn
51yunpiao.com
51yunpiao.com.cn
5lfapiao.cn
5lfapiao.com
appfapiao.cn
fapia0.com
fhyhdf.oss-cn-hangzhou.aliyuncs.com
zc1800.oss-cn-shenzhen.aliyuncs.com

# Reference: https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat

http://101.33.117.200
http://119.28.32.143
http://119.28.41.143
http://124.156.134.223
http://43.129.233.146
http://43.129.233.99
http://43.132.212.111
http://43.132.235.4
2024aasaf.oss-cn-hongkong.aliyuncs.com
2024fapiao.oss-cn-hongkong.aliyuncs.com
fpwenj.zhangyaodong5.com
abhjhs.com
bcgjhs.com
cxhshj.com
efyshs.com
gjhsgs.com
gjhsys.com
mbgjhs.com
scpgjhs.com
ysgjhs.com
wenjian2024.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.valley_rat/ (# 2025-01-02)

http://34.1.142.70
103.199.100.97:8080
110.42.33.174:6666
116.198.232.205:8888
118.107.44.112:18091
118.107.44.219:19091
121.37.140.40:6666
124.156.117.13:7777
134.122.134.93:9090
134.122.155.90:9091
154.198.49.151:6666
154.201.87.51:11111
154.39.239.95:1445
154.82.113.139:63701
154.82.85.79:18091
154.83.31.183:6666
154.84.19.161:6666
154.84.22.13:6666
154.85.10.206:6666
156.224.26.111:6666
156.224.26.128:6666
156.224.26.96:6666
178.128.222.24:6666
18.167.52.240:6666
192.238.134.113:4433
198.44.170.193:18091
202.79.172.47:7259
206.238.198.14:18852
206.238.198.14:9091
209.97.169.148:6666
23.226.57.67:4433
23.235.165.54:6666
27.124.34.140:6666
43.128.141.78:443
43.154.172.193:49731
43.250.172.42:17091
8.212.101.195:1122
8.218.163.62:6666
8.218.163.85:9091

# Reference: https://x.com/virusbtn/status/1880202036400304622
# Reference: https://intezer.com/blog/malware-analysis/weaponized-software-targets-chinese/
# Reference: https://www.virustotal.com/gui/file/08dad42da5aba6ef48fca27c783f78f06ab9ea7a933420e4b6b21e12e550dd7d/detection

156.247.33.53:8081
156.247.33.53:9000

# Reference: https://x.com/dimitribest/status/1886800176771105027
# Reference: https://www.virustotal.com/gui/file/c704bbe9cf209c6c3c3b93bbca2671805aeba4c6ff384ff1bf3ef31fe4ef39e0/detection

http://107.151.238.126
http://154.201.68.101
http://154.201.68.118
http://154.201.68.119
http://154.201.68.4
http://154.201.68.46
http://154.201.68.57
http://154.201.68.62
http://154.201.68.63
http://154.201.68.76
http://154.201.68.78
http://43.251.102.141
http://43.251.102.196
154.201.68.57:6666
154.201.68.57:8888
8.138.101.153:1234
nginxui.cc
web.nginxui.cc

# Reference: https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/
# Reference: https://app.validin.com/detail?find=5a41105f47cc24c8674ede1a59850b74&type=hash&ref_id=574a0cb5159#tab=host_pairs (# 2025-02-22)
# Reference: https://www.virustotal.com/gui/file/29163c8afb477b27f700e1c5eac694a6cbb816a86c8eadbbbac6ba5c034a9c96/detection
# Reference: https://www.virustotal.com/gui/file/5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a/detection
# Reference: https://www.virustotal.com/gui/file/30111cde691ce2ebb29050c41aa388e70c88f3f68797b5efcae0aed16849c26b/detection
# Reference: https://www.virustotal.com/gui/file/d1d6e4a656bb155f33040a2d61309e42bebe3121d599dd204a0318c29790b3e0/detection
# Reference: https://www.virustotal.com/gui/file/a24371d3f10ab1001c52eaa18d5a8e50f85b7a9a77df80e2332a31130381c756/detection
# Reference: https://www.virustotal.com/gui/file/0babf502ec31bd5a03c856fc051726d217eca8730d4639900794f724f00a746c/detection
# Reference: https://www.virustotal.com/gui/file/311f2d4ef2598e4a193609c3cd47bf4ff5fb88907026946ecffe6b960d43d5b2/detection

http://8.217.244.40
8.217.244.40:443
103.183.3.10:17093
103.183.3.10:17094
103.183.3.10:18852
202.146.222.208:18852
202.146.222.208:9091
202.146.222.208:9092
afugics.com
afugige.com
afugiml.com
afugitw.com
afugizs.com
anizom.com
bodomsa.com
comdatez.com
cuznjkc.com
dhujgduv.com
dxjjcqsg.com
gyautxdl.com
hlpphpcf.com
iyxytmsk.com
karlost.club
nzkcop.com
oivmjzt.com
phfchuop.com
piugicb.com
piugijc.com
piuginn.com
piugire.com
piugitw.com
qaiovcc.com
rgjsrpbf.com
sopovkc.com
sqjtygeh.com
tnvklnqe.com
xnpvwbby.com
yudzmv.com
ziiiofon.com

# Reference: https://www.virustotal.com/gui/file/30111cde691ce2ebb29050c41aa388e70c88f3f68797b5efcae0aed16849c26b/detection
# Reference: https://www.virustotal.com/gui/file/5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a/detection

www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com
wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
wwwgetget-1328031368.cos.ap-guangzhou.myqcloud.com
wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com

# Reference: https://www.virustotal.com/gui/file/6ed466a2a6eeb83d1ff32ba44180352cf0a9ccc72b47e5bd55c1750157c8dc4c/detection

wwwget11111-1328031368.cos.ap-chengdu.myqcloud.com
get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.valley_rat/ (# 2025-03-18)

http://211.159.148.197
1.15.156.66:7777
101.201.68.35:8080
103.101.178.170:448
103.215.212.130:6666
103.36.221.195:6661
103.40.253.231:2435
103.85.190.202:6688
103.97.176.68:8181
103.97.176.69:443
104.219.214.206:8008
107.148.47.186:433
110.92.64.105:27973
110.92.64.183:4433
111.173.106.115:25502
111.173.106.115:25512
111.173.106.115:25602
111.173.106.18:25507
111.180.203.230:25603
111.180.203.230:6666
111.231.5.58:3307
111.231.5.58:443
111.68.8.194:1218
112.213.116.91:18096
117.72.91.212:6666
121.62.16.160:25505
121.62.16.173:25505
121.62.23.192:25505
134.122.135.95:4433
134.122.155.39:15091
137.220.229.26:18091
137.220.229.61:9091
149.115.250.62:8088
15.197.64.127:443
150.138.72.39:3307
154.207.55.235:8765
154.23.176.39:4433
154.23.184.30:10443
154.23.186.124:6688
154.37.213.53:99
154.37.220.109:5858
154.38.118.126:6688
154.40.44.82:18211
154.44.8.39:443
154.82.85.107:15091
154.9.252.143:443
154.91.90.234:4433
156.224.26.29:8888
156.234.7.37:10443
156.234.7.37:4433
156.238.238.83:3883
156.251.17.243:17093
161.248.87.218:10443
171.35.163.120:88
192.140.163.10:6666
192.238.132.117:4433
192.238.134.52:4433
202.79.172.37:4433
202.95.22.2:4433
202.95.8.138:6666
202.95.8.53:6666
206.238.114.225:443
206.238.114.98:4433
206.238.220.50:4433
206.238.42.151:17091
211.159.148.197:443
23.235.165.5:443
27.124.21.211:4433
27.124.4.60:4433
27.124.42.200:6666
27.25.158.108:6666
38.181.20.23:9091
43.128.141.78:8888
43.226.125.44:9091
45.192.168.10:4433
45.192.168.4:4433
45.192.169.99:27972
45.192.208.132:7777
45.192.209.55:8849
45.204.194.212:4212
45.204.194.231:443
45.204.197.28:443
45.204.197.44:443
45.204.213.195:4677
45.207.211.42:6666
47.239.197.97:443
47.243.116.8:6666
47.76.197.205:4433
69.165.65.231:6661
8.217.85.20:9091
8.217.85.20:9092
91.208.240.194:4563
ddosme.twilight.zip
qq.ouyang7770.com

# Reference: https://x.com/anylink20240604/status/1904905991738810739
# Reference: https://www.rapid7.com/blog/post/2024/11/27/new-cleversoar-installer-targets-chinese-and-vietnamese-users/

8848.twilight.zip

# Reference: https://x.com/malwrhunterteam/status/1907109469139423416
# Reference: https://www.virustotal.com/gui/file/eefb11e7bb1c352d6ba64795e35ce958efa2c9c520621b9209c28e89adac5c0e/detection
# Reference: https://www.virustotal.com/gui/file/9e78f89ffa70b6426595e1007db89bc2bd9fd39600d659a347f4689c5a1e67ad/detection
# Reference: https://www.virustotal.com/gui/file/4f13d4a71a5c335c0f3cf15b31dcbdd42cf9298ceb63be0bf1846233150ecea7/detection

47.236.171.20:10000
47.236.171.20:20000

# Reference: https://x.com/malwrhunterteam/status/1912827057433612420
# Reference: https://www.virustotal.com/gui/file/46ab0ae94391dc299a352312f1aca5aac5965f0c4aee751d65dbe2f267cbe4b3/detection

fribblery.s3.ap-east-1.amazonaws.com

# Reference: https://x.com/1ZRR4H/status/1916077192095711571
# Reference: https://www.virustotal.com/gui/file/62f413c582ee9d7b169e31d3bb408472d22a847a5d073bddfc18f5f861ac817f/detection
# Reference: https://www.virustotal.com/gui/file/b71c1f32f0df9fe346faa312b3b9ef6a9abc415693f003691404340e478e7fc7/detection

103.68.181.217:1688
107.149.241.28:6000
svip8.org
vip7.org

# Reference: https://x.com/skocherhan/status/1925215619374317992
# Reference: https://www.virustotal.com/gui/file/9c0f551fa5e93c3f30c90d89f49d811296f84cdb17c45c005559125c275fb7b7/detection

43.248.173.193:10501
43.248.173.193:18852
pniu.fun

# Reference: https://threatfox.abuse.ch/browse/malware/win.valley_rat/ (# 2025-06-29)

http://103.207.68.55
http://103.46.185.44
http://116.204.184.226
http://154.21.201.41
http://160.202.233.78
http://202.95.15.37
http://206.238.220.103
http://27.124.2.240
http://27.124.44.132
http://38.181.35.237
http://43.100.117.240
http://43.100.118.243
http://45.192.169.23
101.126.157.9:6666
101.32.209.51:446
103.12.149.123:8080
103.124.106.21:28001
103.156.25.10:6666
103.174.96.104:2028
103.176.197.21:9721
103.176.197.37:443
103.176.197.6:1976
103.176.197.6:1977
103.176.197.6:1978
103.199.100.130:8181
103.214.143.199:6060
103.215.78.152:6666
103.215.78.152:8888
103.215.78.176:53
103.233.11.134:6666
103.233.11.221:8888
103.42.30.29:8090
103.68.181.196:1688
103.68.181.215:1688
103.68.194.28:6666
103.84.89.9:429
107.148.239.231:9001
107.149.241.28:1688
111.170.150.18:8888
111.92.242.137:2137
112.121.172.10:6666
116.213.43.39:6666
118.107.32.151:5200
118.107.43.178:6688
119.28.6.84:5555
119.28.6.84:6666
120.89.71.130:9090
120.89.71.226:9090
121.36.94.149:8888
123.57.24.157:6666
123.57.24.157:9999
123.99.198.201:20759
124.156.147.33:446
129.226.170.223:95
129.226.72.96:9527
134.122.128.241:27989
137.220.135.67:6064
137.220.205.195:5050
14.128.63.6:6666
143.92.40.241:9091
143.92.49.209:443
143.92.60.22:9568
148.66.11.10:4433
148.66.11.18:6666
150.109.48.238:5899
154.12.21.225:6666
154.12.29.244:443
154.12.60.75:6667
154.198.50.7:14747
154.205.7.126:394
154.205.7.126:395
154.207.55.13:13320
154.212.128.80:6060
154.23.178.208:8880
154.23.184.57:4433
154.44.29.229:433
154.82.93.8:442
154.91.84.54:9865
154.91.85.70:6680
154.94.232.120:9090
154.94.233.67:9090
156.234.58.194:52110
156.240.108.32:6666
156.241.144.66:52139
156.245.12.129:443
156.251.19.84:7777
166.88.61.235:6666
178.255.245.115:2135
18.162.247.93:443
18.163.37.253:9094
182.16.26.210:56104
182.16.26.210:56105
182.16.26.82:443
182.16.78.242:443
182.16.87.154:10241
182.16.89.234:443
192.238.128.242:6666
192.238.134.139:6072
192.252.183.39:4433
192.253.234.36:433
193.112.101.108:6908
202.79.170.130:1111
202.79.172.16:10443
202.79.172.16:6666
202.79.172.185:4433
202.79.174.117:9090
202.91.32.145:6666
202.95.14.159:6666
202.95.22.2:6081
202.95.8.144:7081
206.233.130.199:6666
206.233.132.50:14392
206.238.115.30:55231
206.238.115.30:55232
206.238.196.177:55131
206.238.196.177:55132
206.238.196.92:6689
206.238.199.91:5555
206.238.199.91:7777
206.238.220.24:7777
211.149.175.185:20801
23.133.4.25:27978
23.133.4.2:4433
23.248.217.151:4433
23.249.28.126:8126
23.249.28.155:53
23.249.28.223:53
23.249.28.223:8223
23.249.28.80:2881
23.249.29.117:5555
23.249.29.117:8888
23.249.29.68:2968
27.124.17.227:466
27.124.34.85:1020
27.124.47.10:443
27.124.6.233:4433
34.96.239.40:9090
38.181.22.44:9090
38.181.22.7:27981
38.181.35.237:443
38.181.35.83:6628
38.45.122.163:5539
38.46.14.202:27987
38.49.41.196:6666
38.49.43.40:443
38.57.129.243:5539
38.91.114.214:6666
43.100.18.182:6666
43.132.216.81:498
43.132.216.81:499
43.136.46.42:3083
43.225.58.178:6666
43.243.73.197:9090
43.248.117.220:6666
43.248.117.220:8888
43.250.174.151:6666
43.250.174.49:8848
43.250.174.49:8850
45.192.168.9:7777
45.192.217.104:4433
45.192.99.209:6666
45.194.36.156:8880
45.204.10.15:653
45.204.192.36:6666
45.204.194.199:6666
45.204.197.207:6668
45.204.197.88:1991
45.204.199.73:7777
45.204.199.79:6718
45.204.201.143:33891
45.204.214.201:3006
45.207.207.167:8001
45.207.38.115:6666
45.207.38.115:8888
45.207.39.37:8003
45.207.39.37:8004
45.207.39.37:8888
46.8.122.64:1555
46.8.122.64:2555
47.238.146.37:8001
47.238.146.37:8002
47.238.152.36:7777
47.239.119.126:7777
47.239.129.136:6666
47.239.166.247:6666
47.239.197.97:52116
47.243.111.238:9090
47.243.111.238:9091
47.243.112.74:8080
47.254.94.54:8866
47.76.200.151:5555
47.83.15.102:7777
47.83.194.149:27965
47.98.195.230:2222
62.234.169.145:8888
69.165.70.166:6666
8.140.28.101:3432
8.210.244.14:7777
8.212.56.13:53
8.213.236.2:4441
8.213.236.2:4448
8.213.236.2:4449
8.213.236.2:6666
8.213.236.2:8888
8.217.38.238:8888
8.218.198.125:442
8.218.198.125:6666
8.218.93.187:7777
6001.baidu787.com
8004.helloqu.com
8007.helloqu.com
ddddddddguashjdka.top
ttkks.cc

# Reference: https://threatfox.abuse.ch/browse/malware/win.valley_rat/ (# 2025-07-13)

http://134.122.155.138
http://134.122.173.67
http://134.122.189.56
http://206.119.174.101
http://23.249.28.80
http://39.108.160.153
1.13.249.217:9528
1.32.249.198:8091
1.32.249.198:8092
1.32.249.198:8093
103.112.99.62:6000
103.112.99.62:6666
103.176.197.24:53
103.176.197.24:90
103.176.197.40:53
103.176.197.40:90
103.215.77.197:2233
103.42.31.157:6666
103.46.185.183:443
104.143.46.155:6666
104.143.46.155:8888
118.107.44.10:7060
118.107.44.10:7061
118.107.44.10:7062
119.28.193.118:561
119.28.6.84:4444
121.54.191.52:3110
124.156.101.47:8888
134.122.155.138:6666
134.122.155.138:8888
134.122.173.67:6666
134.122.173.67:8888
134.122.176.24:8880
134.122.189.56:6666
134.122.189.56:8888
134.122.196.71:9090
137.220.224.108:10891
137.220.224.108:10892
137.220.224.108:10893
143.92.32.68:9090
143.92.32.68:9091
143.92.32.68:9092
143.92.49.230:10921
143.92.49.230:10922
154.222.24.47:668
154.222.24.47:866
154.37.214.53:1123
154.37.214.53:4080
154.37.214.53:4090
154.82.92.181:6689
154.91.226.8:8880
154.91.84.54:3657
154.94.232.213:6666
154.94.232.213:8888
154.94.232.242:6666
154.94.232.242:8888
156.234.58.194:52111
156.245.198.64:6871
156.251.16.99:6628
156.251.18.221:6628
156.251.19.36:20208
156.251.19.36:21208
156.253.9.161:892
161.248.87.240:8877
18.162.151.228:443
18.163.212.208:6666
183.90.187.173:52137
192.140.163.67:8006
202.79.173.94:9090
202.95.11.152:8880
202.95.22.109:443
206.119.174.101:443
206.119.174.101:8080
206.119.178.103:8080
206.119.178.103:8081
206.119.82.192:8880
206.238.114.178:55637
206.238.114.178:55638
206.238.114.217:7777
206.238.114.75:32211
206.238.114.75:32212
206.238.179.199:5568
206.238.196.123:5568
206.238.221.17:4433
208.87.200.129:6666
208.87.200.129:8888
222.186.174.16:6666
23.249.28.153:53
23.249.28.153:90
23.249.28.155:443
23.249.28.155:90
23.249.28.223:90
23.249.28.80:53
23.249.28.80:90
23.249.29.124:53
23.249.29.124:90
23.249.29.68:2966
23.249.29.68:2967
23.249.29.68:90
27.124.3.175:9091
27.124.3.175:9092
27.124.3.175:9093
27.124.45.87:6060
27.124.46.112:8880
38.45.122.106:1188
38.45.122.106:4756
38.45.124.50:1688
38.57.129.243:5536
39.108.160.153:8001
39.108.160.153:8002
43.100.117.240:443
43.100.117.240:801
43.132.214.133:40110
43.133.39.217:6666
43.198.149.5:6628
43.199.113.11:6666
43.224.226.100:9090
43.224.226.100:9091
43.224.226.100:9092
43.225.58.132:9527
43.248.173.147:3011
43.248.173.17:10451
43.248.173.17:10452
43.248.173.17:10453
43.250.174.49:1989
45.192.210.19:1688
45.204.211.171:7891
45.204.211.171:8888
45.204.211.223:7891
45.204.221.233:7891
45.207.38.115:8001
45.207.38.115:8002
45.207.39.135:6666
45.207.39.135:8888
47.239.68.50:9194
47.239.68.50:9195
47.239.68.50:9196
47.76.115.9:443
47.76.202.30:6666
47.82.113.47:3010
8.217.127.64:12020
8.218.231.88:8080
8.218.231.88:8181
8.220.182.237:9011
91.204.224.232:6666
a.zqycftmex.cn
ak1.ksdcks2.org
job2.fdwehzitx.cn
laiu.org
masike4.preech.top
risk.preech.top
yk.ggdy.com

# Reference: https://x.com/smica83/status/1961315089027367061
# Reference: https://tria.ge/250829-g8vr7sy1gt/behavioral2
# Reference: https://www.virustotal.com/gui/file/04be2ddf8cc9ecc63783955be120013e66a70dafde6b1aba655a77532c858d18/detection

kkstrc.com
tnuuu.com

# Reference: https://research.checkpoint.com/2025/silver-fox-apt-vulnerable-drivers/

1.13.249.217:9527
156.241.144.66:52160
47.239.197.97:52117
