# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: FunnyDream, PrevailionKnows, Spyder

# Reference: https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/

api.goallbandungtravel.com
bugcheck.xigncodeservice.com
dump.gxxservice.com
nw.infestexe.com
checkin.travelsanignacio.com
# NOTE(review): the two bare paths below carry no host, so they may match the same path on any site (a generic-looking name such as Common_Include.php is a false-positive risk); confirm they are intended as host-independent trails
/Common/Lib/Common_bsod.php
/Common/Lib/Common_Include.php

# Reference: https://www.symantec.com/security-center/writeup/2011-102716-2809-99

lp.apanku.com
ad.jcrsoft.com
rh.jcrsoft.com
bot.timewalk.me
b0t.meibu.com

# Reference: https://securelist.com/winnti-more-than-just-a-game/37029/

jp.xxoo.co
kr.xxoo.co
us.nhntech.com
newpic.dyndns.tv
lp.zzsoft.info
ru.gcgame.info
update.ddns.net
lp.gasoft.us
kr.jcrsoft.com
nd.jcrsoft.com
eya.jcrsoft.com
wm.ibm-support.net
cc.nexoncorp.us
ftpd.9966.org
fs.nhntech.com
kr.zzsoft.info
docs.nhnclass.com
as.cjinternet.us
wi.gcgame.info
rh.jcrsoft.com
ca.zzsoft.info
tcp.nhntech.com
wm.nhntech.com
sn.jcrsoft.com
ka.jcrsoft.com
wm.myxxoo.com
lp.apanku.com
my.zzsoft.info
ka.zzsoft.info
sshd.8866.org
jp.jcrsoft.com
ad.jcrsoft.com
ftpd.6600.org
su.cjinternet.us
my.gasoft.us
tcpiah.googleclick.net
vn.gcgame.info
rss.6600.org
ap.nhntech.com

# Reference: https://medium.com/@Sebdraven/winnti-uses-the-rtf-exploit-8-t-too-targets-vietnam-13300d432272
# Reference: https://securelist.com/apt-trends-report-q1-2020/96826/
# Reference: https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf (# FunnyDream, PrevailionKnows)
# Reference: https://twitter.com/500mk500/status/1328763000094924800
# Reference: https://otx.alienvault.com/pulse/5d3754868fc025df351b747e
# Reference: https://www.virustotal.com/gui/ip-address/58.64.184.209/relations
# Reference: https://www.virustotal.com/gui/file/a3f74b03b2b070c11b95515f7d12afc4021b8e680bd718f42313378bd049ce14/detection
# Reference: https://www.virustotal.com/gui/file/32cabf2952f88283251c36751e04a45bfa78cdb0835460619d4812b882795c03/detection
# Reference: https://www.virustotal.com/gui/file/feaba29072531b312e3bd0152b9c17c48901db7c8d31019944e453ca9b1572e2/detection

103.133.139.25:80
103.251.237.94:18198
154.216.2.135:80
154.220.2.235:80
58.64.184.147:80
58.64.184.201:80
58.64.184.203:443
58.64.184.203:80
58.64.184.209:80
58.64.209.83:443
58.64.209.83:8888
bitupdating.com
bkavutil.com
eofficeupdate.com
eofficeupdating.com
goog1eupdate.com
iatupdate.com
igfxpers.com
igfxsrvc.com
iumsvc.com
ksdeui.com
ksdeupdate.com
leapconfig.com
mdnsresponder.com
mfaupdate.com
mfaupdating.com
msseces.com
nissrv.com
osppsvc.com
realteke.com
unikeyupdate.com
unikeyupdating.com
updateui.com
winserverupdate.com
wmiprvse.com
ws2008update.com

# Reference: https://twitter.com/daphiel/status/1162875379872387075

google-searching.com

# Reference: https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf
# Reference: https://otx.alienvault.com/pulse/5da4528788ac7149ce4894b7

dns1-1.7release.com
ssl.dyn-dns.co
ssl.dyn-dns.com
svn-dns.ahnlabinc.com
xp101.dyn-dns.co
xp101.dyn-dns.com

# Reference: https://www.verfassungsschutz.de/de/oeffentlichkeitsarbeit/publikationen/pb-cyberabwehr/broschuere-2019-12-bfv-cyber-brief-2019-01
# Reference: https://twitter.com/hatr/status/1202870566413357056
# Reference: https://otx.alienvault.com/pulse/5dea7c18581fca35d1977514
# Reference: https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/

dick.mooo.com

# Reference: https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
# Reference: https://otx.alienvault.com/pulse/5e3404fe524c3e16fa0d416c

dnslookup.services
livehost.live

# Reference: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
# Reference: https://otx.alienvault.com/pulse/5e4bbe896e6393eb79a1d2c9

185.173.92.141:33579
35.220.232.71:53
35.220.232.71:554
45.77.41.49:53
45.77.41.49:500
45.77.41.49:80
betwln520.com
dropboxbeta.com
facebooknavigation.com
googldevice.com
googlerenewals.net
ipv4-cisco.com
kkxx888666.com
microsoftbetastore.com
mircosofdevice.com
microsoftdnsdown.com
microsoftdnsupdate.com
pwdump.ac
safedog.co
shopingchina.net
updatesrvers.org

# Reference: https://twitter.com/cci_forensics/status/1230686753083707393
# Reference: https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/

139.28.37.102:443
185.161.208.28:443
185.161.209.234:53
185.161.211.188:53
185.161.211.97:443
185.236.78.15:443
185.236.78.28:443
80.82.67.6:443
91.235.128.90:443

# Reference: https://twitter.com/Sebdraven/status/1239853425594155008
# Reference: https://app.any.run/tasks/7c8751cc-15d5-48dd-a2bb-63299b459f06/
# Reference: https://otx.alienvault.com/pulse/5e70b90b7001067032f079b9

45.76.218.232:3010
brands.newst.dnsabr.com
exp100.strangled.net
ru.mst.dns-cloud.net
ux6p.strangled.net

# Reference: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ (# PipeMon)

n8.ahnlabinc.com
owa.ahnlabinc.com
ssl2.ahnlabinc.com
# NOTE(review): "www2.dyn.tracker.com" may be a typo of "www2.dyn-tracker.com" (compare the next entry); confirm against the ESET PipeMon paper before changing it
www2.dyn.tracker.com
ssl2.dyn-tracker.com
client.gnisoft.com
nmn.nhndesk.com

# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/shadowpad-novaya-aktivnost-gruppirovki-winnti/ (Russian, # Python Backdoor and # Related Domains chapters)
# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 1)

agent.my-homeip.net
alombok.yourtrap.com
application.dns04.com
arjuna.dynamicdns.biz
arjuna.serveusers.com
artoriapendragon.itemdb.com
asagamifujino.dns05.com
backup.myftp.info
billythekid.x24hr.com
bluecat.mefound.com
bradamante.longmusic.com
cindustry.faqserv.com
cuchulainn.mrbonus.com
daum.pop-corps.com
daum.xxuz.com
david.got-game.org
depth.toh.info
describe.toh.info
developman.ocry.com
dnsdhcp.dhcp.biz
economics.onemore1m.com
ecoronavirus.almostmy.com
email_gov_mn.pop-corps.com
ereshkigal.longmusic.com
eshown.itemdb.com
facebook2us.dynamic-dns.net
facegooglebook.mrbasic.com
fackb00k2us.dynamic-dns.net
fergusmacroich.ddns.info
fornex.uacmoscow.com
frankenstein.compress.to
free2015.longmusic.com
freedomain.otzo.com
freemusic.xxuz.com
freemusic.zzux.com
gaiusjuliuscaesar.dynamicdns.biz
ggpage.jetos.com
gkonsultan.mrslove.com
gmarket.system-ns.org
goog1e_kr.dns04.com
googlewizard.ocry.com
hardenvscurry.my-router.de
help.kavlabonline.com
hosenw.ns02.info
host.adobe-online.com
hpcloud.dynserv.org
ibarakidoji.mrbasic.com
indian.authorizeddns.us
inthefa.bigmoney.biz
jaguarman.longmusic.com
jeannedarcarcher.zyns.com
letstweet.toh.info
lezone.jetos.com
likeme.myddns.com
medusa.americanunfinished.com
microsoft-update.pop-corps.com
microsoft_update.pop-corps.com
modibest.sytes.net
movie2016.zzux.com
msdn.ezua.com
myflbook.myz.info
mynews.myftp.biz
nadvocacy.mrbasic.com
nikolatesla.x24hr.com
nmbthg.com
notepc.ezua.com
npomail.ocry.com
nthere.ourhobby.com
ntripoli.www1.biz
odanobunaga.dns04.com
officescan_update.mypop3.org
point.linkpc.net
pop-corps.com
program.ddns.info
rama.longmusic.com
redfish.misecure.com
regulations.vizvaz.com
robinhood.longmusic.com
server.serveusers.com
serviceonline.otzo.com
siegfried.dynamic-dns.net
stade653.dns04.com
thebatfixed.zyns.com
tunnel.itsaol.com
uacmoscow.com
update.wmiprvse.com
videoservice.dnset.com
waswides.isasecret.com
webhost.2waky.com
webmail_gov_mn.pop-corps.com
xindex.ocry.com
yandex.mrface.com
yandex.pop-corps.com
yandex2unitedstated.2waky.com
yandex2us.dns04.com

# Reference: https://twitter.com/IntezerLabs/status/1308740144120213506
# Reference: https://www.virustotal.com/gui/file/6a9f16440b9319f427825bb12d7a0cda89b101cf7b8b15ec7dd620b4d68db514/detection
# Reference: https://www.virustotal.com/gui/file/ae5c7cfd8bbfb38b38772083bae721c77ac5698b2339148605e46756f0619da0/detection

a.sqlyon.net
a.sqlyon.com
a.bingtok.com
bingtok.com
sqlyon.com
sqlyon.net

# Reference: https://github.com/DoctorWebLtd/malware-iocs/blob/master/APT_Spyder/README.adoc
# Reference: https://www.virustotal.com/gui/domain/koran.junlper.com/relations
# Reference: https://www.virustotal.com/gui/file/4cfb1243e8b9e64424f3de3d2144ee512dadd07ba921e0ced38e58e836347c7e/detection
# NOTE(review): the sidcfpprx*.in.ril.com entries below appear to be hostnames under a third-party corporate domain, possibly victim-side proxies rather than attacker-controlled infrastructure; confirm ownership before alerting on them

sidc.everywebsite.us
snoc.hostingupdate.club
wntc.livehost.live
hccadkml89.dnslookup.services
koran.junlper.com
nted.tg9f6zwkx.icu
sidcfpprx14.in.ril.com
sidcfpprx01.in.ril.com
sidcfpprx25.in.ril.com
sidcfpprx10.in.ril.com
everywebsite.us
hostingupdate.club
livehost.live
junlper.com
tg9f6zwkx.icu

# Reference: https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/

gxxservice.com
infestexe.com
xigncodeservice.com

# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf
# Reference: https://www.virustotal.com/gui/domain/nslookup.club/relations
# NOTE(review): some entries below use mixed-case labels (e.g. 3VnwTuq9s.ithome.house, 5NcNt6z1.wikimedia.vip); DNS names are case-insensitive, so confirm the trail loader normalizes case or lowercase them

nslookup.club
3VnwTuq9s.ithome.house
lmogv.dnslookup.services
gavozelc9f.nslookup.club
smtp.nslookup.club
1dfpi2d8kx.wikimedia.vip
5NcNt6z1.wikimedia.vip
5s2zm07ao.wikimedia.vip
6czumi0fbg.symantecupd.com
7hln9yr3y6.symantecupd.com
bm2l41risv.livehost.live
mztfki9x.wikimedia.vip
o56n1tosy.livehost.live
ok3x377v3f.symantecupd.com
r1d3wg7xofs.livehost.live
yjij4bpade.nslookup.club
yjuq1jeab.nslookup.club

# Reference: https://twitter.com/r3dbU7z/status/1487167887248957449
# Reference: https://www.virustotal.com/gui/file/562c7815dd2bbe330531f3ba64f189b11669214fc94263cdf961ce5dc833d105/detection

103.254.75.216:3221
s2.yk.hyi8mc.top

# Reference: https://twitter.com/r3dbU7z/status/1493628319245520897
# Reference: https://www.virustotal.com/gui/file/3b81ba82d75eeb7369e43a7c4aa5f58fa4e9f0d8b7ee841b1216172ba380f552/detection
# Reference: https://www.virustotal.com/gui/file/495475cdc7d8e86647967b5bff18409bc9645e162ad9ec6c42edc49939c4375d/detection

http://91.85.153.94
114.132.246.103:520
82.156.28.253:520
wuxi.tanxinyu.cn

# Reference: https://twitter.com/0xrb/status/1512382655635292162
# Reference: https://www.virustotal.com/gui/file/e52efc2f927893fef285243df66c3b3b146867a3e816b2a947bca72bc10fa689/detection

http://160.251.42.252
204.15.78.131:3220
skybad.top
host.skybad.top
us.host.skybad.top

# Reference: https://www.virustotal.com/gui/file/f8e4705b2f5d1fcc9aba13075b7ec401e5e6ae6a3e0d1c8338b1ae21597f8232/detection

204.15.78.131:2767

# Reference: https://www.virustotal.com/gui/file/5a8baf7d7dbd2a7d7905db4da8493f2bdfb538d417c808bd526b9c34ede14dfe/detection

204.15.78.131:6681
v8.ter.tf

# Reference: https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/
# Reference: https://otx.alienvault.com/pulse/6125f6945294f006dbc4b0c4/

facebookint.com

# Reference: https://twitter.com/0xrb/status/1518886603913310208
# Reference: https://www.virustotal.com/gui/file/ac1b378f8477373ead4d963382c446c9e00c284e42cd6189a373a520dabcaf45/detection

http://150.158.27.38
204.15.78.131:3510
us2.host.skybad.top

# Reference: https://twitter.com/0xrb/status/1524994405249462274

http://118.27.3.39

# Reference: https://twitter.com/r3dbU7z/status/1561096493762748418
# Reference: https://www.virustotal.com/gui/file/44ae5d2173ef2de82335e4f8c206deaf754f8d413c24c983fa66711baeabffc3/detection

http://110.42.176.243
wuxi.tanxinyu.cn

# Reference: https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/
# Reference: https://otx.alienvault.com/pulse/6019b7d8f25640334bd72d00/

boshiamys.com
cloudfronte.com
cloudfronter.com
cloudistcdn.com
cdn.cloudfronter.com
update.boshiamys.com

# Reference: https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis
# Reference: https://www.virustotal.com/gui/ip-address/139.59.113.146/relations
# Reference: https://www.virustotal.com/gui/file/18674af22c11e365de9698786e1d7293bfe067229e9ae8817a4b67dc3f883ffe/detection

784kjsuj.dynamic-dns.net
beautygirl.dynamic-dns.net
frontbeauty.dynamic-dns.net
myhost.camdvr.org
nonamegirls.dynamic-dns.net
cdn.cloudistcdn.com
q.cloudistcdn.com

# Reference: https://twitter.com/r3dbU7z/status/1566868451171385346
# Reference: https://www.virustotal.com/gui/file/8c210c79c2b7c4ea35fa08d0c994a3ab26f50ee639c497f341b20da965cfbd1b/detection
# Reference: https://www.virustotal.com/gui/file/cad291a2df541313c6d296dcb798f5565ce591ca94f4649c21bc0e8b7e7a86eb/detection
# Reference: https://www.joesandbox.com/analysis/697799?idtype=analysisid#iocs

http://150.242.98.207
http://175.178.55.215
baojie666.buzz
gd.baojie666.buzz

# Reference: https://twitter.com/r3dbU7z/status/1575866368620216323

187.189.55.151:8080

# Reference: https://blogs.vmware.com/security/2022/10/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html
# Reference: https://github.com/carbonblack/active_c2_ioc_public/blob/main/winnti40/winnti40_202210.tsv

http://185.161.209.87
http://185.161.210.162
http://192.46.209.208
http://5.252.176.40
http://88.119.170.217
http://91.235.128.120
http://91.235.128.197
http://91.235.128.67
http://91.235.129.63
103.129.97.182:443
103.171.45.193:443
139.28.36.81:443
139.28.37.224:443
149.3.170.183:443
172.105.126.208:443
172.105.51.169:443
176.10.125.69:443
179.43.151.200:443
185.161.208.118:443
185.161.208.135:443
185.161.208.202:443
185.161.208.28:53
185.161.209.87:443
185.161.210.162:443
185.161.211.44:443
185.236.78.3:443
192.46.209.208:443
194.195.113.220:443
194.61.233.56:443
194.99.22.177:443
195.54.163.30:443
37.120.247.137:443
5.252.176.40:443
80.240.19.29:443
80.82.67.165:443
86.107.197.182:443
88.119.170.142:443
88.119.170.217:443
88.119.171.197:443
89.38.131.141:443
91.235.128.120:443
91.235.128.197:443
91.235.128.67:443
91.235.129.63:443

# Reference: https://twitter.com/0xrb/status/1493845556753756161

http://81.168.105.154

# Reference: https://blog.exatrack.com/melofee/
# Reference: https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a

173.209.62.186:443
173.209.62.188:443
yuanta.dev
dev.yuanta.dev
test.yuanta.dev

# Reference: https://twitter.com/StopMalvertisin/status/1650772102285500422
# Reference: https://twitter.com/StopMalvertisin/status/1650772108635684865

global.detektorgps.com/ext/images/img1
global.detektorgps.com/ext/images/img2

# Reference: https://twitter.com/nahamike01/status/1689878795988402178
# Reference: https://www.virustotal.com/gui/file/3dfde7cef3e40c56f6e88ce2a8a95b8307a380bb9b8588bddf7b2034de9e9d3a/detection

67.205.143.19:9966

# Reference: https://x.com/naumovax/status/1792902386295394629
# Reference: https://www.virustotal.com/gui/file/bb56e088739b281c9f56b4fa3fa4d285e45b32c4f9f06b647d7e8cb916054e1a/detection
# Reference: https://www.virustotal.com/gui/file/161344ae61278e09eacb1c76508cda45555eee109e6d6a031716a096ab5c84f3/detection

linuxrelease.org
in3cl1p7hj657ifb.linuxrelease.org

# Reference: https://www.virustotal.com/gui/file/74b5ac6d6cae6478b462d62f6b55685ccecdad7fd6e7134898d6e330581d6b03/detection

91.109.190.7:8521
kicmxznvx.duckdns.org

# Reference: https://x.com/TuringAlex/status/1896172610008047705
# Reference: https://www.virustotal.com/gui/ip-address/47.76.118.67/relations
# Reference: https://app.validin.com/detail?type=dom&find=webtechnovelty.com#tab=host_pairs
# Reference: https://app.validin.com/detail?find=KAP320%20Login&type=raw&ref_id=d70241f666b#tab=host_pairs (# 2025-03-02)
# Reference: https://www.virustotal.com/gui/file/a73e50c83e9e7f791af4130ff1295b876f7389e8da90a23dff57d60ce33e1819/detection

webtechnovelty.com
sshc.webtechnovelty.com

# Reference: https://x.com/TuringAlex/status/1918667466810798335
# Reference: https://www.virustotal.com/gui/file/de155feb28a98a18ae7962ed321c262d80e332b646da6fe8af65d0708167faef/detection
# Reference: https://www.virustotal.com/gui/file/c83e768f3020119dc44392a46f587366c3ef70659592fbafb6cf94f08676bf3b/detection

tklolasi.com
linux.tklolasi.com
rk.tklolasi.com
win.tklolasi.com

# Reference: https://x.com/TuringAlex/status/1963233575051960501
# Reference: https://www.virustotal.com/gui/file/45890fd2fd5824772a2aa81f1ba20f1bac801a42f5c9ffc9d1fcd0fbfba324d9/detection

rknew-e0b8b76e4a35b76a.elb.ap-east-1.amazonaws.com
