# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
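# See the file 'LICENSE' for copying permission

# Note: each group of indicators below follows the reference(s) it appears to have been taken from.
# Hostnames on dynamic-DNS services (e.g. ddns.net, duckdns.org, zapto.org) are listed in full: match the exact hostname, not the provider's parent domain.
# IP:port entries name one specific port; the same address may serve unrelated traffic on other ports, and addresses can be reassigned over time.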

# Reference: https://twitter.com/anyrun_app/status/1747624307541323795
# Reference: https://app.any.run/tasks/b30207fd-d690-425d-90f2-834a1e000e6b
# Reference: https://www.virustotal.com/gui/file/6d5f577a21297e41d2341e6ae029edb997d4b4feca6f40f9410e94e0e01ac8a4/detection

91.92.252.40:5050
94.156.64.213:5050
swiftwealth.ddns.net
wealthxeno.ddnsfree.com
wealthyman.ddnsfree.com

# Reference: https://app.any.run/tasks/4bf50208-0a9d-4c39-9a53-82a417ebac4d/
# Reference: https://app.any.run/tasks/efcd6fc0-75a4-4628-b367-9a17e4254834/
# Reference: https://www.virustotal.com/gui/file/2e178c46ca41da7fdfd9d26b66d2c33122dbc69455a16df76911109ee93fd2af/detection
# Reference: https://www.virustotal.com/gui/file/d7f7bfd471f21a91aad6bd2726cc3899440665c6fd6522374e8850bd1ef79a90/detection

185.104.184.43:45010
213.152.161.30:45010
213.152.186.168:45010
jctestwindows.airdns.org

# Reference: https://www.virustotal.com/gui/file/5dce4965a06ff99f96e200346282cf80746e08337447095a49ec69bd1c0db12a/detection

86.68.222.14:7011
dentiste.ddns.net

# Reference: https://asec.ahnlab.com/en/66429/
# Reference: https://www.virustotal.com/gui/file/facf3b40a2b99cc15eee7b7aee3b36a57f0951cda45931fcde311c0cc21cdc71/detection
# Reference: https://www.virustotal.com/gui/file/b8233fe9e903ca08b9b1836fe6197e7d3e98e36b13815d8662de09832367a98a/detection
# Reference: https://www.virustotal.com/gui/file/97ba8d30cf8393c39f61f7e63266914ecafd07bd49911370afb866399446f37d/detection
# Reference: https://www.virustotal.com/gui/file/44e492d5b9c48c1df7ef5e0fe9a732f271234219d8377cf909a431a386759555/detection
# Reference: https://www.virustotal.com/gui/file/0b8897103135d92b89a83093f00d1da845a1eae63da7b57f638bab48a779808e/detection

159.100.29.122:5885
159.100.29.122:8811
159.100.29.122:8989
159.100.29.122:9654

# Reference: https://x.com/suyog41/status/1804058160954581326
# Reference: https://www.virustotal.com/gui/file/5621cb1bf48b91330ab432ed40281f48dc40bc58d220fbe96b60e526ac6ceecb/detection
# Reference: https://www.virustotal.com/gui/file/02c6cba00aa332bf33e30f7afa7f8dc104f90249ce813b1744c5fecdf5c448dc/detection

91.92.248.167:1278
91.92.248.167:1280
busyestinglsv.site

# Reference: https://x.com/karol_paciorek/status/1808862180793569760
# Reference: https://www.virustotal.com/gui/file/58fdc1b6ce4744d6331f8e2efc4652d754e803cae4cc16101fc78438184995e6/detection
# Reference: https://www.virustotal.com/gui/file/4108c5096a62c0a6664eed781c39bb042eb0adf166fcc5d64d7c89139d525d4f/detection

http://95.164.86.148
95.164.86.148:9999

# Reference: https://www.virustotal.com/gui/file/8fbe734f092fe38ef0ad6fdffe8437560a8f5251a0839c019babd195d54eb10c/detection

172.93.222.33:35549
nanoshd.pro
nanoshield.pro
fusionmelonate.duckdns.org

# Reference: https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/
# Reference: https://www.virustotal.com/gui/file/8a4fbcdec5c08e6324e3142f8b8c41da5b8e714b9398c425c47189f17a51d07b/detection
# Reference: https://www.virustotal.com/gui/file/458641936e2b41c425161a9b892d2aa08d1de2bc0db446f214b5f87a6a506432/detection
# Reference: https://www.virustotal.com/gui/file/1ad43ddfce147c1ec71b37011d522c11999a974811fead11fee6761ceb920b10/detection
# Reference: https://www.virustotal.com/gui/file/148c69a7a1e06dc06e52db5c3f5895de6adc3d79498bc3ccc2cbd8fdf28b2070/detection

167.88.173.173:9936
167.88.173.173:9966
45.87.153.79:9936
45.87.153.79:9966
45.95.11.52:9936
45.95.11.52:9966
80.71.157.55:3389
95.164.86.148:3389

# Reference: https://www.virustotal.com/gui/file/0c925ec360ee46fde6d755d23a8338a0859a7609290ee3ff9d17f9c498a274f4/detection

148.113.165.11:4444

# Reference: https://x.com/angel11VR/status/1830680013022056680

111.90.147.147:5652

# Reference: https://www.virustotal.com/gui/file/e9474dd93bab71fb65b860706a82ab9eaf856829fff8d6fde6d181a3b126a37c/detection
# Reference: https://www.virustotal.com/gui/file/1f5a96dccf8f699667be50423183c723e4412061fea603fcdb0d4889bb05d481/detection

45.66.231.24:1356
45.66.231.26:1356
roollingstonen.sytes.net

# Reference: https://x.com/Huntio/status/1838942583911063895
# Reference: https://www.virustotal.com/gui/file/f770b7e25d959f700c9119cb1d9a5ef444634a335ea9f230f06b51fdaa487ad1/detection
# Reference: https://www.virustotal.com/gui/file/c69792d8a8ef30f50d118949aee702a01be0cafb4e9f6c9b544a8bb193ea5994/detection
# Reference: https://www.virustotal.com/gui/file/31ea0b97393741bcea9df8e044162bc159209f61d71792452119791badf14322/detection

45.89.247.109:443
45.89.247.109:4444
45.89.247.109:5555
zenofs.zapto.org

# Reference: https://www.virustotal.com/gui/file/ea71c8c6797cef10459a9bc49c77b281500f4c2970dcacf3473ea93980681251/detection

31.220.90.137:4204

# Reference: https://x.com/d4rksystem/status/1873762326844989707
# Reference: https://www.virustotal.com/gui/file/ba4d63f154836009a4b415aabc26efcb9b0d2f6370c82047092a373bb8932e73/detection

147.185.221.22:31998

# Reference: https://www.virustotal.com/gui/file/16136678f701be73ebaf5b08fa6c1eaf09e207bbdb3a8edd4d5a81ecb0c2387b/detection
# Reference: https://www.virustotal.com/gui/file/e4d843e4d10fdec3d7a66c423ee6630f5be6e902fca442f1c49a6e810021c304/detection
# Reference: https://www.virustotal.com/gui/file/ce86b83622fc36aee39fc2a948ea42b8786199902b9e9a07f2599d90bfb531ef/detection
# Reference: https://www.virustotal.com/gui/file/c76ce6ece9ab0793d6179c60ffdcf524a9a2f27fbc5036113879a346dd5e7af3/detection
# Reference: https://www.virustotal.com/gui/file/c0f27697c1b67cd5ce4473e2b13885a4b55811e39ffe158fc20abdb9b50c4076/detection
# Reference: https://www.virustotal.com/gui/file/5e488705bed2a8cb15178080a22fd2951982d681e32ab94a978da09ea8633e4a/detection

190.134.105.91:25567
190.134.161.62:25565
190.134.167.15:25565
190.134.184.103:25565
190.133.22.252:25565
190.133.59.8:25566
cryptobro.duckdns.org

# Reference: https://x.com/skocherhan/status/1889958278681047247/history
# Reference: https://www.virustotal.com/gui/file/6e6fb112af15ad1f57fc85e1df49c2c833007a8c3345e3cc53325308b9770fa9/detection

147.185.221.23:58438
xenosploit.com

# Reference: https://x.com/malwrhunterteam/status/1891402914024882374
# Reference: https://www.virustotal.com/gui/file/8b41a4fe26ea38b13ea25ac063f72855e170449f20ec8153a5d1d9068089392b/detection

176.65.139.51:6969

# Reference: https://www.virustotal.com/gui/file/1d7b0211ea0939519cc08b95065f17f0d939e150539e2e1c87eeac1ec1433da5/detection

191.96.166.73:5000

# Reference: https://www.enki.co.kr/en/media-center/tech-blog/dissecting-kimsuky-s-attacks-on-south-korea-in-depth-analysis-of-github-based-malicious-infrastructure
# Reference: https://www.virustotal.com/gui/file/5eff43fd925eb71cc9a96725ee769a0abb1a89a70e735c2a18915908604871da/detection

45.61.161.103:443

# Reference: https://www.enki.co.kr/en/media-center/tech-blog/dissecting-kimsuky-s-attacks-on-south-korea-in-depth-analysis-of-github-based-malicious-infrastructure
# Reference: https://www.virustotal.com/gui/file/a987762487db0d1535973e66f399f9b326effa2813178b9353188113caa416a6/detection
# Reference: https://www.virustotal.com/gui/file/f72e23a8de6af3d76fe205a18817c4988e0a8e0196a87afc5ee2929693d726de/detection

http://118.194.249.201

# Reference: https://www.enki.co.kr/en/media-center/tech-blog/dissecting-kimsuky-s-attacks-on-south-korea-in-depth-analysis-of-github-based-malicious-infrastructure

http://139.99.36.158
139.99.36.158:443

# Reference: https://www.enki.co.kr/en/media-center/tech-blog/dissecting-kimsuky-s-attacks-on-south-korea-in-depth-analysis-of-github-based-malicious-infrastructure
# Reference: https://www.virustotal.com/gui/file/3ea6e80b3190859a1044b1015cb8390b6aa81d16ba989b59aba513425836eebf/detection
# Reference: https://www.virustotal.com/gui/file/d185c71b58b1ebed730feb8bbb6568d80542d2b8228b2777d280a7a4b114fdd0/detection

141.164.41.17:443

# Reference: https://www.enki.co.kr/en/media-center/tech-blog/dissecting-kimsuky-s-attacks-on-south-korea-in-depth-analysis-of-github-based-malicious-infrastructure
# Reference: https://app.validin.com/detail?find=8493f7f619daa37a8bd3d4b0fe2452de2f977657dc72fa132e7940d1a3370533&type=hash&ref_id=36302954df8#tab=host_pairs (2025-06-21)
# Reference: https://www.virustotal.com/gui/file/d35b01fed4a359f81bd4e866d080e9b9a2462fb2997a24d088cbce7d9bb28efe/detection

http://158.247.202.109
http://165.154.52.210
158.247.202.109:443
165.154.52.210:443

# Reference: https://www.enki.co.kr/en/media-center/tech-blog/dissecting-kimsuky-s-attacks-on-south-korea-in-depth-analysis-of-github-based-malicious-infrastructure

165.154.78.9:443

# Reference: https://www.enki.co.kr/en/media-center/tech-blog/dissecting-kimsuky-s-attacks-on-south-korea-in-depth-analysis-of-github-based-malicious-infrastructure
# Reference: https://www.virustotal.com/gui/file/3f816153a7a468406ebcd3b8e0686633047c4682f6d9266598eba4092e127f36/detection

http://216.244.74.115

# Reference: https://x.com/netresec/status/1958519565178057003
# Reference: https://www.virustotal.com/gui/file/3869f3a8278ff182b585dda292e07fa7485932d437fe094759056ab17056d3d6/detection
# Reference: https://www.virustotal.com/gui/file/c496313ad238522297b09b3430a362dbf21db8825e0e306bbd5840c12129a376/detection

147.185.221.30:54661
193.161.193.99:24727

# Reference: https://www.virustotal.com/gui/file/6947dc1c5a2bc28eb7dc2ef49f3ee0b3565a22a9f4b4d5f1c6ce5e63387cf63d/detection

178.16.53.106:4444

# Reference: https://x.com/smica83/status/1973487373662183696
# Reference: https://www.virustotal.com/gui/file/5afa05ce180cb24c5f5ed0dea4126556a056212549ec6c8485b318cd1f344182/detection

http://193.233.84.146
193.233.84.146:5000
