# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: BotSh1zoid, DeerStealer, XFiles Stealer

# Reference: https://twitter.com/3xp0rtblog/status/1473323635469438978
# Reference: https://www.virustotal.com/gui/file/0cb794f429667056b02e71ff9a1e919f8f238f52762b8c6460fd4adefbb78945/detection

xfilesebetreadline.online

# Reference: https://twitter.com/h2jazi/status/1476292943027871755
# Reference: https://www.virustotal.com/gui/file/f47310b82f31d55c5f41a9ce336c3d4ee94990272e1ac970a0dbdfcd171c28f8/detection

xfilesebetreadline.ru

# Reference: https://twitter.com/fr0s7_/status/1478700349636681732
# Reference: https://app.any.run/tasks/275cfd12-2a32-4895-b35c-ad7ec8613f25/

f0616231.xsph.ru

# Reference: https://twitter.com/Finch39487976/status/1488890401369083909

u02280uiqwiteloxs0si.ru

# Reference: https://www.virustotal.com/gui/file/b8e39666c3fb80249063428e1269695a2aeb71794d504b84f14216b4c3170d4e/detection

a0612650.xsph.ru

# Reference: https://www.virustotal.com/gui/file/ff7c17bdb5b61439e8d7daed154e559bd3bf20b13662b3bd58a557b175d691e0/detection

a0621954.xsph.ru

# Reference: https://www.virustotal.com/gui/file/deb63e343b2cb5fbdf761b6950b9130ed289d908ce90f006be5cb3792570a970/detection

a0635111.xsph.ru

# Reference: https://www.virustotal.com/gui/file/d53216d1d830557c0fad80f886074cd2aa7c545cc684bb0d0bff29fb0da5b2d1/detection

a0608494.xsph.ru

# Reference: https://twitter.com/malwrhunterteam/status/1521830471591776258
# Reference: https://twitter.com/malwrhunterteam/status/1521894032930217991
# Reference: https://www.virustotal.com/gui/file/7abf85ad78b521bcc31f6066ab2e0b1e6ad9672b952ef426a1d93c3d3f267f57/detection

gdsjagdsgknj34engdsnmmgnds.com
u02280uiqwiteloxs0si.online

# Reference: https://www.virustotal.com/gui/file/8847c7f6c02cf108353281e81185ece895950311b77a2a482a1fc35a8f220011/detection

a0648113.xsph.ru

# Reference: https://www.virustotal.com/gui/file/006196df92b8a5a0a313dd975d602d9459849ee8048bda28cb460e2ad67ca22b/detection

f0647713.xsph.ru

# Reference: https://twitter.com/James_inthe_box/status/1600953579988475904
# Reference: https://app.any.run/tasks/5fc6c192-5698-4940-ba3a-c41de8d44215/

xfilesreborn.ru

# Reference: https://twitter.com/suyog41/status/1754460428640665818
# Reference: https://www.virustotal.com/gui/file/df035dbf1a32469699c8c8b3c04b49ab8aad5ced1e874a1c21b918e1c606d797/detection

api-watch-films.space
bflow-musico.fun

# Reference: https://x.com/crep1x/status/1818923295086973076
# Reference: https://www.malwarebytes.com/blog/news/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator
# Reference: https://www.virustotal.com/gui/ip-address/81.19.137.133/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.215.85.8/relations
# Reference: https://www.virustotal.com/gui/file/5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737/detection

authenficatorgoogle.com
authentficator-google.com
authenticator-googl.com
authenticattor-googl.com
authentifficatiion-google.com
authentifficator-googl.com
authentifficator-google.com
authentifficator-jp.com
authentifficatorgogle.com
authentifficcatorgogle.com
authentific-googl.com
authentificate-gooogle.com
authentificator-gogle.com
authentificator-googl.com
authentificatorgogle.com
authentificatorgoogle.com
authentificcate-google.com
authentificcatorgoolgle.com
authentificcatorgoolglte.com
authentificcatorgootgle.com
authentificcatorgotgle.com
authentificgoogle.com
authetificator-googl.com
cenpos-apps.com
chromeweb-authenticator.com
chromeweb-authenticators.com
chromeweb-authenticators.oix.wtf
chromeweb-authenticatr.com
chromstore-authentificator.com
googl-aunthetificate.com
googl-authentificator.com
googleathentific.com
googleathentificat.com
googleathentificator.com
gooogle-authentic.com
gujgleautent.site
tmdr7.mom
vaniloin.fun
vcczen.eu

# Reference: https://www.virustotal.com/gui/ip-address/212.192.31.181/relations (domains pivoted from this IP's resolutions; if the host is shared, co-hosted unrelated domains are possible)

filezliza.site
notpadd-plus-pulse.site
opnvppn.site

# Reference: https://www.virustotal.com/gui/ip-address/31.41.44.252/relations (domains pivoted from this IP's resolutions; if the host is shared, co-hosted unrelated domains are possible)

adeltie.site
bluerocks.top
boxett.site
cbyresocre.site
chrageeri.site
crptymosu.site
ebzichagre.site
gimrcachnts.site
golbalpyaents.site
ichkegtaeway.site
omsie.site
pyable.site
pyatarce.site
pysfae.site
storegom.com
turtqe.site
tysys.site

# Reference: https://x.com/crep1x/status/1818923301986554200

legiongirls.fun
paradiso4.fun

# Reference: https://x.com/salmanvsf/status/1901517210260062360
# Reference: https://x.com/salmanvsf/status/1901520075565498445
# Reference: https://app.validin.com/detail?find=0e2e30ccc5a5e8513aae68b957180a52&type=hash&ref_id=bbd3013c31f#tab=host_pairs
# Reference: https://www.virustotal.com/gui/file/d4e60f44103331275740326b4e6016a5f9f84ee2cfb0c2149f9b90530b21e6ef/detection
# Reference: https://www.virustotal.com/gui/file/b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91/detection

http://107.189.17.168
http://176.65.134.142
http://176.65.134.143
http://176.65.134.144
arbitrum-exciusive.info
tastedata.shop
jolly-payne.194-87-216-96.plesk.page

# Reference: https://x.com/malwrhunterteam/status/1912819400664612885
# Reference: https://www.virustotal.com/gui/file/48857dbcabc6c25c542d2fbfd7c26d37bf1f9de2fe54e18c9c26ddcfd51aca6a/detection
# Reference: https://www.virustotal.com/gui/file/19f29c5e50a244773bab0cc04075d0fbb1e6a808f00d34bcc30ea4f7f0955604/detection
# Reference: https://www.virustotal.com/gui/file/ffe66044c635128e96b5117b819c3dcfce28242f2ea5cf9059df56252445211c/detection

cdnnode-01.cfd
clarmodq.top
glimmer-cdn.cfd
moteev-biznis-man.shop
shubanorka22.shop
sonorous-horizon-cfd.cfd

# Reference: https://x.com/malwrhunterteam/status/1920461132730429768
# Reference: https://www.virustotal.com/gui/file/a5c2cd0db95e87a627f59f7c0b66753969a6a036744e21e437ead5074b9a30a3/detection

adamnukj.sbs
debianlist.cfd

# Reference: https://x.com/malwrhunterteam/status/1925922299980529763
# Reference: https://www.virustotal.com/gui/file/b04580facd601a97cafaa4605e71caf9183576724edf51db0e88e67a5f83d3c6/detection

byte-13.cfd
edgepush.sbs

# Reference: https://x.com/skocherhan/status/1925143346881728581

airflysales.shop
cachepeak.cfd
cdnjet.sbs
inktreenodes.shop
streamfast.cfd
sync-9g.cfd
unositescdn.buzz

# Reference: https://app.validin.com/detail?find=d400248c84a4a4cbdf61&type=hash&ref_id=83fdaed2c59#tab=host_pairs (# 2025-05-24)

10direct-git-cdn.cfd
31415926271828.cfd
aetheria-shop.cfd
byte-13.cfd
cdn.lukeu.cfd
cdn05-server-optimize.cfd
cdnedgen.cfd
cdnlinkup.cfd
cdnmanager.cfd
cnpay.cfd
cyclamen.cfd
dongge.cfd
envoycloud.cfd
eucdn4.cfd
fastcdn-server.cfd
harmonious-9code.cfd
host8-grid.cfd
infflux.cfd
losmok.cfd
lovexd.cfd
lukeu.cfd
mesh-5x.cfd
mystic-horizon.cfd
nodes-servers1.cfd
plov-erth-jems.cfd
proxcluster.cfd
quitarlosi.cfd
sciecdn.cfd
server-1a.cfd
speed-cdn-servers.cfd
speed-sprocket.cfd
stardustcdn.cfd
testsvless.cfd
tvsite-02.cfd
up1-c-dn.cfd
upcdnnodes.cfd
updownupcdn.cfd
vxnet.cfd
walhawe34.cfd
wds88.cfd
xianrenqiu.cfd
xings.cfd
xoiu0721.cfd
yukisakuna.cfd

# Reference: https://www.virustotal.com/gui/file/591ffe7ef58214b0b82d5d68930d7c0efc68048fb97ac05c069969a6f3b2830e/detection

nodestack.sbs

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2025-04-14-v10904/2625

buildit-right.buzz
cdn-upload-files.buzz
colidt-frend-cheap.cfd
foggy-doggy.site
go-cars-cheaprest.cfd
sonorous-horizon-cfd.cfd
tenacious-axiom-8.cfd
uno-cdn-update.buzz
velvet5nssrv.shop
world-of-guides.buzz

# Reference: https://www.esentire.com/blog/dont-get-caught-in-the-headlights-deerstealer-analysis
# Reference: https://github.com/eSentire/iocs/blob/main/DeerStealer/DeerStealer-IoCs-06-03-2025.txt

cloused-flow.site
servicesmesh.pro
soft-metal-software.cfd
uplink-mirrors.shop

# Reference: https://github.com/prodaft/malware-ioc/tree/master/CastleLoader

basishost.pro
bytehub.asia
eightroutes.shop
vanservernode.pro

# Reference: https://www.virustotal.com/gui/file/f8ffbb9bf5aaa664db9a5fbcdccbd282d1813eee582e181f619ccd3ba2046b2d/detection

95.164.55.176:5554
inchoateacc.pro

# Reference: https://x.com/JAMESWT_WT/status/1950817121128058889
# Reference: https://www.virustotal.com/gui/file/58b80c51e15d7671911e897767d011c2160c526a328b71d418b09d2c5cfb5886/detection

84.21.189.133:5053
duskenspire.pro

# Reference: https://www.virustotal.com/gui/file/95e67c6a167544dbc4c8f6ea75d3f438eb0851dd235cf162abcd834194d38920/detection

opalinewave-cdn.pro

# Reference: https://x.com/FalconFeedsio/status/1962824775765762514

loadinnnhr.today
telluricaphelion.com

# Generic (URL path indicator, matched independently of host)

/ReadLineS0SAT.exe
