# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
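# See the file 'LICENSE' for copying permission

# Entries below are network indicators (IP:port pairs, hostnames, URL prefixes and URL paths),
# one per line, grouped under the public report(s) they were taken from.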

# Reference: https://www.virustotal.com/gui/file/06e3abeed1bc98ed56d5587e9732c9d39ea41879c250dff68ce8815953fcf7ad/detection

196.217.98.188:8080
liouas.ddns.net

# Reference: https://www.virustotal.com/gui/file/ed91f9fee04d08dc613e56eedf98b8c56a6e1e6be8ff3f29360550a2ef98c886/detection

91.193.75.132:2343
2343.hopto.org

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-01-10%20XWorm%20IOCs
# Reference: https://www.virustotal.com/gui/file/a86d61c62ad71f43dc2ad27a876ddccffab8d038d1f8b70248f4d4586c64d1ea/detection

su1d.nerdpol.ovh

# Reference: https://twitter.com/c_APT_ure/status/1621579054888501249

147.185.221.223:30420

# Reference: https://www.virustotal.com/gui/file/e6bf87ec571628e096e6505ee87f617f594ed7664782bf4f82810be28028147b/detection
# Reference: https://www.virustotal.com/gui/file/e58026e101ae93162cbf114997a2a2c78a80adfb6e6469823dd0d90572cef140/detection

154.12.234.207:7000
207.244.236.205:7000
mywormtwon.ddns.net
wormxwar.ddns.net

# Reference: https://twitter.com/InQuest/status/1626758679843205120
# Reference: https://twitter.com/Gi7w0rm/status/1626763227643224064
# Reference: https://tria.ge/230218-b9ngmaad96/behavioral2

45.139.105.105:7000
stanthely2023.duckdns.org

# Reference: https://www.virustotal.com/gui/file/2b786b8895d814c5d825f4eac99b009eb6aa16f66f6e5191b023e4ebc99fda66/detection
# Reference: https://www.joesandbox.com/analysis/811606?idtype=analysisid#iocs

209.145.51.44:7000

# Reference: https://twitter.com/suyog41/status/1631191121660444674
# Reference: https://www.virustotal.com/gui/file/098c9ebce4811fd2bb86654911581f21eb473f7afd5d27f7c09db57d5bfc1b62/detection
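# Reference: https://www.virustotal.com/gui/file/aca8bf1de89203e445270f3cc76b3eaf9190b57fa35ef0d4425528ee639366cb/detection
# NOTE(review): 209.25.14x.x and 147.185.221.x recur throughout this list with many different ports
# and next to *.ply.gg tunnel hostnames, which suggests shared tunnelling endpoints rather than
# dedicated hosts. Treat the IP:port pair (or the hostname) as the indicator; a hit on the bare IP
# is weak evidence on its own and these entries are likely to age quickly.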

209.25.140.180:38979
209.25.141.180:38979
according-psp.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/a7c707d2409f0190693aa7a7223c2576262b5bcd9da42ff5c3b375826c32b222/detection

91.193.75.191:55443
vcmkpl.duckdns.org

# Reference: https://twitter.com/petrovic082/status/1638652084492070912
# Reference: https://app.any.run/tasks/500f883b-fe97-44e1-a87f-67101bd0c30c/

95.214.24.38:5000
updateccdata.duckdns.org
urlcallinghta6.blogspot.com

# Reference: https://twitter.com/ScumBots/status/1639388448967766016
# Reference: https://www.virustotal.com/gui/file/01407e324f0b8090467eded47a97acbdb3ef42d0f12820cd57b0bc5b87ffe510/detection

181.141.1.67:3737
wormsito.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3964d69f2a321257a8a745aa9583eaed3cb53c070f79eba3945f6506dda0a2cb/detection

31.220.76.124:2137

# Reference: https://twitter.com/phage_nz/status/1653173706951397376
# Reference: https://www.virustotal.com/gui/file/5814ab23cf46820a0f911fac078dbe77a521ee36722ae2ac313c54c04e0c5601/detection

141.98.6.220:7001

# Reference: https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/
# Reference: https://otx.alienvault.com/pulse/64624bf528c55e0976f2bf71

kbowlingslaw.com

# Reference: https://twitter.com/suyog41/status/1671102046324269059
# Reference: https://www.virustotal.com/gui/file/22af50c2e5d1f1efcf96e317c22af9bbf6f31705c7575454e6314eaf7d131929/detection
# Reference: https://www.virustotal.com/gui/file/6671bd81d7714bbfd2189dd1642ae4c3789c02e06c5afaad1e26c3632974b124/detection

167.94.81.75:63434

# Reference: https://www.virustotal.com/gui/file/128a56ddbecc3d569646730bdccce1c045479122061f4d0feb8ec24670374eb2/detection

213.152.161.240:58538
notaire8081.duckdns.org

# Reference: https://twitter.com/suyog41/status/1678763978925932544
# Reference: https://www.virustotal.com/gui/file/331549b24c0e2eefd56c4dc74806aeaeab706fee5ddb019763330c811b6fb9e0/detection

194.59.31.105:7398
85.208.139.131:222

# Reference: https://threatfox.abuse.ch/ioc/1139291/

173.249.196.39:7092

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/

149.102.231.91:5000
20.125.118.35:7000
3.69.115.178:14042
zoer12.dns.army

# Reference: https://twitter.com/JAMESWT_MHT/status/1683405358272839680

stores-anytime.at.ply.gg

# Reference: https://twitter.com/g0njxa/status/1685615126412414976

51.107.0.117:4954

# Reference: https://twitter.com/ScumBots/status/1685849690221199360
# Reference: https://www.virustotal.com/gui/file/72ab332da034bd819d83d26272974048b24de773a3440d641202872161b3e514/detection
# Reference: https://www.virustotal.com/gui/file/a4ea9aac544248e1346d88e3c93fbc6973419ff7ce5266c7cb00be39518f1f11/detection

173.0.60.172:7000
dapperdesigns.for-better.biz

# Reference: https://www.virustotal.com/gui/file/52634ade55558807042eae35e2777894e405e811102e980a2e2b25d151fde121/detection

167.235.75.225:8895
momentmoney79.duckdns.org

# Reference: https://www.virustotal.com/gui/file/f03e6bd8d447536298483d8b57996e966c2a26baea8caa12fbca52300151edae/detection

108.62.118.133:9734

# Reference: https://twitter.com/AnFam17/status/1687723698273595393
# Reference: https://www.virustotal.com/gui/file/2951cb766b89f9e3e65902fec634ed924168629f2dd3a178ba753e66ce4be73f/detection

http://173.249.39.21
173.249.39.21:5000

# Reference: https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter

http://95.214.27.17
154.53.51.50:7000
185.174.101.131:7000
185.174.101.90:7000
209.126.87.35:7000
31.220.99.254:7000
45.151.122.57:7000
82.197.65.12:7000
85.239.237.141:7000
89.117.73.168:7000
95.214.27.17:8972
churchxx.ddns.net
freshinxworm.ddns.net

# Reference: https://www.virustotal.com/gui/ip-address/179.13.3.110/relations

apploak.duckdns.org
datosinfomativos12.duckdns.org
desdetre.duckdns.org
estrenos12q.duckdns.org
fantasmas145.duckdns.org
misdominios2024.ddnsguru.com
misterios140.duckdns.org
mistersalsa12.duckdns.org
newera2011.duckdns.org
xwormejor12.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3b5fc5f386c9dbbb93c2b1d5b33feaca132e9eb53744a495c75e76a6921c3ebc/detection

103.47.144.14:6644

# Reference: https://www.virustotal.com/gui/file/76e382de0ea4dbd364ac8d9878e0b419d6a8d3536de3b6ca36ee38d335e3446c/detection

209.25.140.212:48414
209.25.141.212:48414
209.25.142.212:48414
is-crawford.at.ply.gg

# Reference: https://twitter.com/Gi7w0rm/status/1694139192379334803
# Reference: https://tria.ge/230822-3m8ylahf9w/behavioral1

209.25.141.180:48892
209.25.141.181:40625
209.25.141.211:49826
209.25.141.223:45283
180.ip.ply.gg
miles-c.at.ply.gg
topics-junior.at.ply.gg

# Reference: https://twitter.com/suyog41/status/1694215167729598470
# Reference: https://www.virustotal.com/gui/file/dcc9780ce890c8caf79e5f3147cacd14b1f4e06c307e3bdfc8903ff2dfd90c19/detection

185.179.218.240:8081

# Reference: https://www.virustotal.com/gui/file/dc6f4ca2f9b7de5f3e7f9bb25dffd1d89043f1db95537908c0d59ae7e025d3d9/detection

83.143.112.45:7000

# Reference: https://twitter.com/petrovic082/status/1695718494451458242
# Reference: https://twitter.com/petrovic082/status/1695719606093054213
# Reference: https://app.any.run/tasks/3a32eeca-6c15-4100-b901-d8d92255f640/

88.229.76.29:8080

# Reference: https://www.virustotal.com/gui/file/0608af5ecb090af15ea0593e71b2f05d6594726915c91d92dd5e0dcebd60e492/detection

172.94.105.98:3000

# Reference: https://any.run/malware-trends/xworm

abom7md.duckdns.org
church-apr.gl.at.ply.gg
d7meyrat.ddns.net
https.myvnc.com
jajaovh.duckdns.org
kaught-53088.portmap.host
liveroman228-26531.portmap.host
please-co.gl.at.ply.gg
show-cottages.at.ply.gg
society-mastercard.at.playit.gg
test-theorem.gl.at.ply.gg
trial-pour.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/6e0df2a748927a28875f76eb917f71fe8ee2a9b2004c9b7d2742a654aae0238e/detection

34.227.114.203:7000
brasil.ddns.com.br

# Reference: https://www.virustotal.com/gui/file/888e076a0949bf1ab6297ebc9b089e8d1f926c7186b115dbbb44611f57b783c8/detection
# Reference: https://www.virustotal.com/gui/file/79750b3e59c64c381067d5dd07a174e746625b64f13cefe07671042676337185/detection

154.53.63.206:7000
185.111.156.133:7000
freshwarsmi.ddns.net

# Reference: https://www.virustotal.com/gui/file/fbb2f988d97221e62771f56ed0d7bb172c5738d1bbde76164d0ca830ed59e8af/detection

207.244.242.177:7000
mikexwormxxxyy.ddns.net

# Reference: https://www.virustotal.com/gui/file/b706aac7ee3800adff6df6bcd2ad3164ae34f71ab47399c1811daa664fdec247/detection
# Reference: https://www.virustotal.com/gui/file/0886ade2d19b2cb43c370190df382d3686c2364b246fc466ccf775b60a62c6a0/detection

154.53.51.233:7000
89.117.72.232:7000
secoundxwormm.ddns.net

# Reference: https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4

randall010.camdvr.org

# Reference: https://www.virustotal.com/gui/file/67de54a5271a2354b492bbaf5bbead07cc1e24fd5efa94bdac2fc30f0475db1a/detection

41.216.188.29:7000

# Reference: https://www.virustotal.com/gui/file/9198c970d6b61c1f22b6e2e4065fd99e8fd107c3bb8162c8aef56559459e9ff1/detection

217.229.108.168:1

# Reference: https://www.virustotal.com/gui/file/01856345569ffabd2504f9b9d102014c0119184660b25cea2c55db4d67c8c349/detection

147.185.221.16:12379
electric-desert.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/ip-address/2.59.254.205/relations

hotexworm.duckdns.org
newxworm.duckdns.org
xwormfresh.duckdns.org
xwormpeople.duckdns.org

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-09-15)

http://154.61.71.51
101.99.92.134:9008
103.187.4.59:62400
104.129.24.110:55226
109.195.94.247:7000
13.48.68.245:4449
139.59.42.121:49258
142.132.227.161:7000
142.202.240.88:253
147.185.221.15:10177
147.185.221.16:15294
147.185.221.16:18244
147.185.221.16:39035
147.185.221.180:36603
147.185.221.180:4310
15.204.37.12:5008
152.67.162.194:10001
154.127.53.162:7007
16.16.96.108:4449
162.251.123.54:1337
168.119.98.142:4100
172.111.138.90:2221
176.205.45.103:4782
185.169.1.59:42069
185.17.26.114:7000
185.179.219.117:5002
185.225.73.47:1111
185.225.73.47:2222
185.241.208.173:7000
193.161.193.99:35943
193.161.193.99:43625
193.42.33.22:5555
194.145.138.85:1604
194.145.138.88:1604
194.228.111.236:7000
194.87.151.125:7398
194.87.151.19:7077
199.66.93.150:1337
2.58.56.249:8000
20.0.32.252:7000
20.219.15.124:2239
20.25.157.149:1234
20.25.157.149:4567
20.56.93.201:1604
204.13.33.68:1338
206.189.139.209:20715
207.32.217.73:2048
208.115.223.202:12999
209.145.57.6:8081
209.25.140.223:18381
209.25.141.181:51957
209.25.141.181:52055
209.25.141.2:43784
212.154.51.245:90
23.227.198.214:7777
3.126.37.18:14586
3.7.61.252:2339
3.72.8.200:7000
44.201.221.153:7000
45.130.141.212:7000
45.145.166.131:666
45.61.130.7:1010
45.81.225.208:7000
45.88.67.75:3333
64.235.38.13:2911
66.94.101.239:8081
67.61.188.116:7777
67.61.188.116:8848
67.61.188.118:3232
77.248.111.83:2404
79.110.62.143:7000
81.161.229.202:6601
95.214.26.78:5566
95.214.27.226:7000
aid-poly.at.ply.gg
americanibombardano.ddns.net
amz-worm.ddns.net
an-encoding.at.ply.gg
ana1.con-ip.com
angmmox.con-ip.com
animals-sewing.at.ply.gg
apexcv.ddns.net
average-danish.at.ply.gg
awgaegsrgcs.duckdns.org
behind-him.at.ply.gg
big-stayed.at.ply.gg
box-byte.at.ply.gg
browser-bangladesh.at.ply.gg
bush-gain.at.ply.gg
caloi1920.ddns.net
channel-diane.at.ply.gg
comes-reasoning.at.ply.gg
common-pharmacies.craft.ply.gg
computers-directory.at.ply.gg
computers-ed.at.ply.gg
davizshadow.duckdns.org
default-official.at.ply.gg
dejvicek-52169.portmap.host
dejvicek-62577.portmap.io
deletedapo-46418.portmap.host
design-utilize.craft.ply.gg
display-trade.at.ply.gg
distance-key.at.ply.gg
documents-ultra.at.ply.gg
during-widespread.at.playit.gg
egleooogom.duckdns.org
either-puzzle.at.ply.gg
employees-spa.at.ply.gg
even-house.at.ply.gg
exops-31573.portmap.host
faculty-symbols.at.ply.gg
feel-herbal.at.ply.gg
flowers-ak.at.ply.gg
freed11231.duckdns.org
ftap-29332.portmap.host
german-sip.at.ply.gg
get-dig.at.ply.gg
gunitp.duckdns.org
h0x351.ddnsfree.com
harrypotta-35943.portmap.host
harrywilly.ddns.net
head-transit.at.ply.gg
herbet.ddns.com.br
history-periodically.at.ply.gg
hope-duck.at.ply.gg
house-induced.at.ply.gg
http202suspend-33946.portmap.host
ichbineinvogel2.duckdns.org
instruments-specials.at.ply.gg
jeanjaques.ddns.net
johnnew12.duckdns.org
johnny1234.duckdns.org
jxworm2ndport.duckdns.org
kids-abstract.at.ply.gg
killertype.ddns.net
leakportsnext.duckdns.org
license-donna.at.ply.gg
links-recovered.at.ply.gg
mary-classroom.at.ply.gg
master-flat.at.ply.gg
mean-garbage.at.ply.gg
members-path.at.ply.gg
microsoft2.ddns.net
models-issn.at.ply.gg
moonrdp1.duckdns.org
must-scores.at.ply.gg
mygame.serveftp.com
nabeelrats-21020.portmap.host
name-shadows.at.ply.gg
next-screening.at.ply.gg
no-sofa.at.ply.gg
opportunities-rendered.craft.ply.gg
option-trading.at.ply.gg
partner-enforcement.at.ply.gg
paul-positive.at.ply.gg
pavpaladmin9917.ddns.net
polki.anondns.net
pollofx-35076.portmap.host
port4000mobi.duckdns.org
property-gourmet.at.ply.gg
ready-somalia.at.ply.gg
related-regression.at.ply.gg
releases-connection.at.ply.gg
return-interpreted.at.ply.gg
safety-electronics.at.ply.gg
score-told.craft.ply.gg
sepatico.duckdns.org
share-divorce.at.ply.gg
share-scored.at.ply.gg
size-bills.at.ply.gg
slammer.cf
society-painted.at.ply.gg
spajkr.hopto.org
special-alpine.at.ply.gg
system-headed.at.ply.gg
there-carol.at.ply.gg
tienichxanh.vinaddns.com
title-weapons.at.ply.gg
top-ftp.at.ply.gg
unit-satisfactory.at.ply.gg
venom.giize.com
vfggfhd.servemp3.com
way-puppy.at.ply.gg
willbr77-52985.portmap.io
wniko1-39869.portmap.host
words-cells.at.ply.gg
xworms.ddns.net
xwrm.webredirect.org
y-enhancing.at.ply.gg
zlow11214.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1703779021694419195
# Reference: https://twitter.com/r3dbU7z/status/1703780891724841423
# Reference: https://www.virustotal.com/gui/file/96fa32da812662011588e77b75eb6bee3eb768f533533457c51f4d58ae8ee062/detection

194.180.49.181:443
194.180.49.181:7064
194.180.49.181:888
xm3.publicvm.com
xyoptotway.work.gd

# Reference: https://twitter.com/banthisguy9349/status/1783865107321155816
# Reference: https://www.virustotal.com/gui/file/b8bf4cf9e824badde4cbe7f3544c1102bfa926efd00cff2398a9d4ac17f80225/detection
# Reference: https://www.virustotal.com/gui/file/96fa32da812662011588e77b75eb6bee3eb768f533533457c51f4d58ae8ee062/detection
# Reference: https://www.virustotal.com/gui/file/8e99426fb98ad89057bd6af2bf2764fa080aaff3511fe72d96765e2f2b2f0411/detection
# Reference: https://www.virustotal.com/gui/file/75b4525f550304c38c76fcffc7362b57dccf049d69709b5dbef353bbb11c691b/detection
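# Reference: https://www.virustotal.com/gui/file/01139ac5fafb901928078e69c4962a44a596310d96b12ffd68854bf1f94b021e/detection
# NOTE(review): the 96fa32da... reference and 194.180.49.181:7064 in this group already appear in
# the preceding group; they are repeats, not new indicators.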

194.180.49.181:7064
94.156.71.212:7064
91.92.249.198:443
91.92.249.198:7064
91.92.249.198:888
91.92.252.85:7064
94.156.66.40:7064

# Reference: https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/
# Reference: https://www.virustotal.com/gui/file/1073ff4689cb536805d2881988b72853b029040f446af5ced18d1bc08b2266e1/detection

3.66.38.117:13394
52.28.247.255:13394

# Reference: https://app.any.run/tasks/d3858744-f1b2-4a9b-8ef7-deccada2a160/

3.69.115.178:13394

# Reference: https://app.any.run/tasks/5fab7db5-267e-46f6-a374-0f42de1cb328/

147.185.221.16:15179

# Reference: https://twitter.com/Gi7w0rm/status/1706061724099457411
# Reference: https://www.virustotal.com/gui/file/9bd123cf9a41a9a9fd219fd8fcba7ba20543470d4b5c911ba07489b04fd74428/detection

79.110.62.151:1234

# Reference: https://tria.ge/230924-yzgbwsba28/behavioral1

2.59.254.205:7002

# Reference: https://tria.ge/230924-yzvjhsba39/behavioral1

79.110.62.151:7000

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-09-25)

141.98.6.196:7020
154.53.51.233:8909
191.101.130.18:8252
23.106.215.7:7007
50.114.203.104:7909
81.67.181.238:9033
88.11.59.100:8888
chikes17.duckdns.org
copy-marco.gl.at.ply.gg
floptuytonroyem.sytes.net
garden-event.at.ply.gg
graxe239-61522.portmap.host
xvskill.duckdns.org
youtubevideos.ddns.net

# Reference: https://twitter.com/Gi7w0rm/status/1706063680171860137

aakata123.duckdns.org
aakatabit1915.duckdns.org
aiminent2.duckdns.org

# Reference: https://twitter.com/doc_guard/status/1707018037428101360
# Reference: https://www.virustotal.com/gui/file/7fa4e361cf073d65ccbc49dc937a622965977ef995a0c199a4b4aa5fddd57d17/detection

138.201.189.141:4444

# Reference: https://twitter.com/r3dbU7z/status/1709147111567004129
# Reference: https://www.virustotal.com/gui/file/bfb5afd83e4c4962336f10655e191e0efc2b9fe968af9f37f7d84c845a27a075/detection
# Reference: https://www.virustotal.com/gui/file/008922a9bcd25e1cbf52234ea926306bba3d646bfcd087d6fc6c6f58ab8ac54a/detection

20.229.184.215:443
20.229.184.215:65350

# Reference: https://twitter.com/suyog41/status/1709524284169978094
# Reference: https://www.virustotal.com/gui/file/5b53d803d2c3d82de79a732a2f1737c7726415b2b056f7f43e74638e1df3fd8b/detection
# Reference: https://www.virustotal.com/gui/file/9d79c20d80eb9ded90a7e7f2ebdcd057bc29409084af3ecdd63c6ed072f103b0/detection

186.6.93.202:4444
telebyt.com
windowsmanagerhost.ddns.net

# Reference: https://twitter.com/naumovax/status/1711777764615802979
# Reference: https://tria.ge/230930-vqpp5aff65/behavioral1

147.185.221.16:54013

# Reference: https://twitter.com/suyog41/status/1712768941536522411
# Reference: https://twitter.com/suyog41/status/1725447282856968625
# Reference: https://www.virustotal.com/gui/file/0083a052767c5e651c36ce419a582c2ba5d81c0776ef1de765626958b4686b45/detection
# Reference: https://www.virustotal.com/gui/file/d18c4cde9bc83592187f8a90e3f138c871a35cda49d4a0078ca9eac04cfc961e/detection

104.243.32.185:7000
45.141.215.230:7000
normanisback.com

# Reference: https://twitter.com/suyog41/status/1715222348423721054
# Reference: https://www.virustotal.com/gui/file/e9148a15c8d96c389aaae6fbb04b5cd1ee587e2ded6193d47532885b84abd984/detection

147.185.221.16:18915

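# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-10-30)
# NOTE(review): graxe239-61522.portmap.host in this group is already listed under the 2023-09-25 snapshot.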

101.99.92.161:7000
103.114.106.183:47074
139.99.153.82:8181
147.185.221.16:45753
147.185.221.16:56343
147.185.221.16:57012
147.185.221.16:57076
157.254.223.19:8000
163.5.215.212:1337
163.5.215.212:8072
193.161.193.99:61360
20.197.231.178:7000
216.230.73.215:6789
51.81.216.78:1111
51.89.158.83:7000
66.94.97.98:7000
95.164.18.46:2608
brightle.ddns.net
frostycheats-30646.portmap.host
graxe239-61522.portmap.host
jameshde18.duckdns.org
mike09-55168.portmap.host
pool-roman.at.ply.gg
registered-dt.at.ply.gg
releases-photos.at.ply.gg
rules-views.at.ply.gg
serverwindor.duckdns.org
testarosa.duckdns.org
xmsh.publicvm.com

# Reference: https://cert.pl/en/posts/2023/10/deworming-the-xworm/
# Reference: https://otx.alienvault.com/pulse/653a78a1b9c42ecf2ba3a591

blackid-48194.portmap.host
single-boulevard.at.ply.gg

# Reference: https://twitter.com/g0njxa/status/1721444417586778207
# Reference: https://app.any.run/tasks/c276c263-7b85-459b-b93c-d278e845e171/

206.189.20.127:6234

# Reference: https://twitter.com/karol_paciorek/status/1723024066112557542
# Reference: https://tria.ge/231110-t3mkvsca78/behavioral1

54.90.216.100:7001

# Reference: https://twitter.com/suyog41/status/1724726595578159178
# Reference: https://www.virustotal.com/gui/file/46ac8d1dba7668319574d2f459a54d8b8eb5606c027e393308ab395b7b5aa746/detection

103.47.147.196:1500

# Reference: https://www.virustotal.com/gui/file/4ca23c140f02ad3f9a8d0df97e57a6282faf8aa85433efd3f7c07a5ba8868da7/detection

15.228.235.93:7000

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-11-20)

147.185.221.16:40164
147.185.221.16:49975
15.228.35.69:5000
172.177.19.106:7000
188.148.105.135:2112
35.220.199.19:7000
62.233.57.160:6789
2freshinxworm2.ddns.net
antilol2113-61842.portmap.host
case-defines.gl.at.ply.gg
dizzywizzy-61490.portmap.host
espadadz.ddns.net
f8terat.ddns.net
goheg99417-59409.portmap.host
juandice-60636.portmap.io
kriz-nas.ddnss.de
lead-selections.gl.at.ply.gg
m0ney7.ddns.net
media-specified.gl.at.ply.gg
menu-webcam.gl.at.ply.gg
notfishvr55-32209.portmap.host
okaa0-25007.portmap.host
okaa0-35095.portmap.host
partner-juice.gl.at.ply.gg
q-grounds.gl.at.ply.gg
raven123.ddnsgeek.com
reference-tokyo.at.ply.gg
tarekfr77-41254.portmap.host
tcxerr.duckdns.org

# Reference: https://www.virustotal.com/gui/file/145c1ede38b85b82e5072f2d9c0c65aa8eb479bd2cf90d99d7d375c0c2e7c4ea/detection
# Reference: https://www.virustotal.com/gui/file/4229b3925fbd80f2316493b19c1c7fd23898507284bae4754e76c79a096f2133/detection

194.147.140.215:7463
37.139.129.85:6742
91.192.100.39:6742
kayamer.kozow.com

# Reference: https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/
# Reference: https://www.virustotal.com/gui/file/f58193da4f61b45e375f5aa2978b08908578b5151dc779dc4b566e6a941e802b/detection
# Reference: https://www.virustotal.com/gui/file/58d80cdaac096a9d8ba772a4e857a24db9c797d5b7913e54185c68e21c5526e6/detection

140.228.29.162:7900

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-11-21)

104.250.180.178:7061
147.185.221.17:24796
162.212.154.8:41589
185.183.34.34:7000
185.239.237.162:7000
194.15.216.233:4548
207.32.219.52:7771
216.107.136.195:7000
3.121.139.82:18925
3.121.139.82:5240
3.127.59.75:18925
3.127.59.75:5240
34.130.82.241:5010
46.183.221.28:7000
51.89.38.74:33966
52.28.112.211:18925
52.28.112.211:5240
52.91.10.228:7000
54.90.216.100:7000
65.0.80.77:7000
80.66.87.4:7000
87.172.204.140:7000
93.123.85.35:7000
2023navidad.duckdns.org
around-lite.gl.at.ply.gg
conditions-monthly.at.ply.gg
fgfdsnvisdnvijnsdvdssdsd.con-ip.com
frank4893.duckdns.org
house-rooms.gl.at.ply.gg
if-shuttle.gl.at.ply.gg
language-partnership.gl.at.ply.gg
newpossibility.duckdns.org
traffic-statewide.gl.at.ply.gg
viiper1337-29699.portmap.host
windowis11.com

# Reference: https://twitter.com/1ZRR4H/status/1729196411843985530
# Reference: https://www.virustotal.com/gui/file/850e60489a54f8a3307a124c19c80cfc46bc34b2b3b93bc74c2b764b667df09b/detection
# Reference: https://www.virustotal.com/gui/file/df501e6c611c658df919bbe959e54b1080da39511a7de35ab3b5146e32584728/detection

5.182.87.154:7000

# Reference: https://www.virustotal.com/gui/file/f1f72684f5813bd4a3932397edd7e2056c9d61421bf7e5248ae68f6e6d65d33d/detection

46.246.86.23:7000
rootfix.linkpc.net

# Reference: https://www.virustotal.com/gui/file/c861d69c8a9904c99ef947dcdca02995652fb6afbc8a0edb196921ac6f5dc14e/detection

212.237.116.158:7000

# Reference: https://www.virustotal.com/gui/file/33b2c62cad9fa6a203cca01285d1230bf92b38929b8f9ed07ec6187b2fe8fdf1/detection

212.237.116.163:7000

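# Reference: https://twitter.com/1ZRR4H/status/1729713083004641491
# NOTE(review): 2023navidad.duckdns.org in this group is already listed under the 2023-11-21 snapshot.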

46.246.80.17:7080
2023navidad.duckdns.org

# Reference: https://gist.github.com/silence-is-best/67adb7549211b3046f554044bcc5c151
# Reference: https://www.virustotal.com/gui/file/832d96e8996c618b21f649812a218c44d7fae08fa2081cdb34631cc2cdcbd6df/detection

194.107.126.61:1111

# Reference: https://www.virustotal.com/gui/file/976780197cc411fbed0105adc79a779e72ac2a802ca7f2a001334c0a37e046da/detection

46.246.84.13:7000

# Reference: https://www.virustotal.com/gui/file/eba007fec4ab29d205cf04ced605ec34b27dfa2733a5cccd50856bdf9ba66e42/detection

91.92.242.98:9
cpabuzus.duckdns.org

# Reference: https://twitter.com/karol_paciorek/status/1736689204279623733
# Reference: https://tria.ge/231218-lw7nfshhcn/
# Reference: https://www.virustotal.com/gui/file/9e5612cd0949cb21b3d12491294ebe173571c1a665014dbbce7f7ebb995d42d0/detection

http://45.88.77.20
45.88.77.20:7000

# Reference: https://twitter.com/SarlackLab/status/1737126329542123767
# Reference: https://www.virustotal.com/gui/file/fd478fb15b4976507f494e31f6cbe2a8d4d173026ae1bbcb4849685630cf9b19/detection
# Reference: https://www.virustotal.com/gui/file/f688fb7b4cf19a4760138e7625915815f4acc23732456a3540f76f39aed90417/detection

45.144.152.86:39001
45.144.152.86:44635
45.144.152.86:58001
78.135.67.111:56001
liveclouds.duckdns.org

# Reference: https://twitter.com/V3n0mStrike/status/1739854351022080487
# Reference: https://www.virustotal.com/gui/file/230a77727f9c8e701594ee34a22d5b2f7d8647295e749d3103d2322d8bce7eea/detection

http://31.172.83.170
31.172.83.170:7000

# Reference: https://www.virustotal.com/gui/file/5e1944524f2ae23724c8a9a593915266e18214a0038896f30ba37e1fd022caa2/detection

89.23.99.86:7000

# Reference: https://twitter.com/banthisguy9349/status/1744384627039518736
# Reference: https://twitter.com/banthisguy9349/status/1754145829076533416
# Reference: https://www.virustotal.com/gui/file/2df04f5f739f5b0daf925fe8553dfe2b58267be0e735d683ce834101f91b5e38/detection

http://91.92.253.171
91.92.253.171:443
91.92.253.171:888

# Reference: https://twitter.com/netresec/status/1744378756641288517

147.185.221.17:36499

# Reference: https://twitter.com/ShilpeshTrivedi/status/1744695359144923604
# Reference: https://www.virustotal.com/gui/file/ca791046eaf207a1bb8631263bf12e41802255a7114c48086dccd4ad1152766e/detection

147.185.221.17:61779

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-01-10)
# Reference: https://www.virustotal.com/gui/ip-address/91.92.240.61/relations

91.92.240.61:7000
lyamore-metal.com
taiwantradeglobal.com
open.lyamore-metal.com
open.taiwantradeglobal.com
opendomain.lyamore-metal.com
opendomain.taiwantradeglobal.com
wealthyblessed.duckdns.org

# Reference: https://twitter.com/malwrhunterteam/status/1745582580718543343
# Reference: https://www.virustotal.com/gui/file/1ae50087f5c0b05a9ac41362a2e7ed3d3c82fecda835aa7e5fcc5b5da5f44903/detection

http://139.99.114.151
139.99.114.151:7777

# Reference: https://www.virustotal.com/gui/file/4bb0daf6ad46380eb905da9f586d108f9a9e7bd83c31d7903824ebe3abd65fb0/detection
# Reference: https://www.virustotal.com/gui/file/0893cfe208c34030552ccd250f5e185d42423f4ebb5311a13f68e5bd96a1cad7/detection

147.185.221.16:33203
canadian-perspectives.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/00a965b03bf3654df1c90725b114a8dfc49cdb522bf7a558d24f13e20e204fa9/detection

46.246.82.5:2525

# Reference: https://www.virustotal.com/gui/file/fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11/detection

191.233.27.50:5552
dzn.ddns.net

# Reference: https://www.virustotal.com/gui/file/0ccb60e63193c1bd24e82fee53094c54fdb1e3481601f1a6451dbf74a375185b/detection
# Reference: https://www.virustotal.com/gui/file/504bc01416f714ce0f77e87bae667573bee922c86708b2cadfaf7e4478673a30/detection

http://90.61.145.105
90.61.145.105:5485

# Reference: https://www.virustotal.com/gui/file/afb0a01f30aa1239f85e2eb465e374c49a274383caa52d3c8dd46c67b17be519/detection

91.92.253.187:7000

# Reference: https://www.virustotal.com/gui/file/7c7b4d01ce572fb5d63536aa53eff94be082e76127906d91c673bbb4e0d7b8e1/detection

94.156.65.113:8400
greatrackspace8400.duckdns.org

# Reference: https://www.virustotal.com/gui/file/4c291ba1cd60a0a9e4649067f2bcb3619bf8874b47f928ab7f2583b31d778678/detection

94.156.65.113:8300
restpeople8300.duckdns.org

# Reference: https://www.virustotal.com/gui/file/ab5a62c5f4e883afff61be9b7020ba1aa9d52565dc310cee06488ad22ca8f68f/detection

91.92.251.144:7001
xwv5group7001.duckdns.org

# Reference: https://www.virustotal.com/gui/file/d86408c32b0b7f7b43930cb33b99e472db2db4c429d4273d3133d7b8ad29712e/detection

23.95.11.218:8100
94.156.65.114:8100

# Reference: https://www.virustotal.com/gui/file/3224658a2fbf2a7a1adece92d8d2fb9e136898efb17b5bbffcf0ac39bce4afbb/detection

188.70.3.112:6666
sys666.ddns.net

# Reference: https://www.virustotal.com/gui/file/0e948e3d83e22df165afac4da052b45297f719a33f86c4c194958f59dad75a28/detection

192.99.190.119:7000

# Reference: https://twitter.com/K_N1kolenko/status/1752932027324637338

154.179.242.6:5552
196.154.211.81:5552
windowshelp.zapto.org

# Reference: https://twitter.com/Cyber0verload/status/1754913588748116080
# Reference: https://www.virustotal.com/gui/file/04095081ef5314ab278d6a89310224f4fb8b6c5579850f8a21446787373380aa/detection
# Reference: https://www.virustotal.com/gui/file/ca3eb918501c15e45c872627555cb04e033e11d43e0f0a31b41c493b9246bd69/detection
# Reference: https://www.virustotal.com/gui/file/949f78a60cbfc76dd8eb75e2d18203d565a14bdab35c2329e0acaccc84dcc57c/detection
# Reference: https://www.virustotal.com/gui/file/03ad54bf6d1c95613a1c05f492161ced8e5592b71105c9bc685b5b85798cb4db/detection

147.185.221.18:6104
a0917004.xsph.ru

# Reference: https://www.virustotal.com/gui/file/02a5c3519f2f01bfa8efc1908e3191c6ec100732481b639260764147862e437a/detection

65.0.50.125:22811

# Reference: https://www.virustotal.com/gui/file/1e83b42f7ffd019c8c56991b8625f25e0ee94f2034c447b701482839400c7cfd/detection

74.222.9.95:7000

# Reference: https://twitter.com/karol_paciorek/status/1755187835110400393
# Reference: https://www.virustotal.com/gui/file/9d2bde48e2ac646c62ca1455cde6d5c2242be0cb67a9904f81e0851743491ba2/detection

45.88.186.197:7008
45.88.186.197:8000
me-work.com

# Reference: https://www.virustotal.com/gui/file/4d64bbdbca232e9efbf8770386ed39562691793c678856d6e0c0fb1dc4af5219/detection

159.89.100.67:7000

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-02-12)

194.147.140.138:9090
janxworm9090.duckdns.org

# Reference: https://www.virustotal.com/gui/file/57f4c5126700392a7d6e6fa24d8c8f1c9efcf960e3019a84237ae1b54f9e9c69/detection

worknow.con-ip.com

# Reference: https://twitter.com/malwrhunterteam/status/1758829170384089446
# Reference: https://www.virustotal.com/gui/file/848020d2e8bacd35c71b78e1a81c669c9dc63c78dd3db5a97200fc87aeb44c3c/detection
# Reference: https://www.virustotal.com/gui/file/54f8cd32f62f341e893ddeda8d8ef2a91e7a087e0070fec77d07bd6a15dbe65c/detection

194.49.94.135:8080
45.61.139.51:8080
internal-liveapps.online

# Reference: https://www.virustotal.com/gui/ip-address/46.246.4.4/relations
# Reference: https://www.virustotal.com/gui/file/136a96a2413e45ad1cbfca37d510e22a9d252ad439a9435dcee29a8d053ba45d/detection

178.73.192.20:7000
188.126.90.14:7000
188.126.90.7:7000
46.246.12.24:7000
46.246.14.18:7000
46.246.14.5:7000
46.246.4.4:7000
46.246.4.6:7000
46.246.6.6:7000
46.246.84.12:7000
46.246.86.6:7000
62.201.242.201:7000
daddy.zapto.org
puerto2514.duckdns.org

# Reference: https://www.virustotal.com/gui/file/cbb2fa94f392846a09688fed1779cc8de202df22a1164add9834ea5ad25834d9/detection

178.73.218.9:5581
dfasdfasdgs.duckdns.org

# Reference: https://twitter.com/suyog41/status/1760989736490172735
# Reference: https://www.virustotal.com/gui/file/4f3b18db37af50fa8967dacfa9541e93d6f5a410ea940f2712ce86cfae13dd2b/detection

196.112.44.196:5555
drcamelston.sytes.net

# Reference: https://www.virustotal.com/gui/file/e9a7cae8d9cd49819e5365230f4e42848e3943ace5f160f5df4e48bcda249fea/detection

102.101.187.102:5555

# Reference: https://www.virustotal.com/gui/file/7ef2ec455625ed3cadf84defc1f8c6ad4e50ff570a8bc9399c183f1fb6db64ae/detection

196.112.147.229:5555

# Reference: https://tria.ge/240224-k7w6esfe55/behavioral2

45.128.96.133:7000

# Reference: https://www.virustotal.com/gui/file/0bbc93c764351e6d0179d5bfefba7e8e097df0eae1e6f2fea8869ad5ecb83358/detection

46.246.12.66:7000

# Reference: https://twitter.com/ScumBots/status/1761543361326874669
# Reference: https://www.virustotal.com/gui/file/3313a1b94dc054adbeb337332d60a54dbd9267216dffc2952a39c1cada45671c/detection

191.55.79.182:5553
nodetect.duckdns.org

# Reference: https://www.virustotal.com/gui/file/be01d0557c67f4a8de2b8c991bbb8239a2220f4815426fe8d3bb1b1e4af6dd54/detection
# Reference: https://www.virustotal.com/gui/file/567da51c564af8d8abe7576e19c0d8bd6c453fecf6988f01b6f31b8da208b849/detection

190.28.142.225:7000
xwormsssreload.duckdns.org

# Reference: https://twitter.com/suyog41/status/1763499809099682186
# Reference: https://www.virustotal.com/gui/file/1d515bccf06b6b7304860f705fe43a8f33f24a33a65617934ceb500f1440d207/detection

104.219.238.14:7000

# Reference: https://www.virustotal.com/gui/file/787e491b12bff499e46beb4433b144d9020da9bb26ef3bdd4e4bad21c99b8090/detection
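# Reference: https://www.virustotal.com/gui/file/a68f76c530a51ddd6e3c6983f202054ae462530ab40fdd16ea44eff9af02d3c5/detection
# NOTE(review): the two /shellcodeAny_*.bin lines in this group are written as host-less URL paths,
# unlike the other entries in this file. Confirm the consuming tool matches path-only entries as
# intended, and whether they should be tied to 107.175.3.10.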

http://107.175.3.10
107.175.3.10:443
/shellcodeAny_20240229085449462.bin
/shellcodeAny_20240229163131845.bin

# Reference: https://www.virustotal.com/gui/file/5ce080055262bb21798a99e83d370fab41b809ebd8d59bc083bdac2a49b2427e/detection

147.185.221.18:35608
points-detect.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/444338339260d884070de53554543785acc3c9772e92c5af1dff96e60e67c195/detection
# Reference: https://www.virustotal.com/gui/file/9cbb0cf0e3c4896cd1916dd4330e77e6a66be46f0c631328414f89e0456f064b/detection

37.120.141.139:1111
37.120.141.139:1604
scamkiller.duckdns.org

# Reference: https://twitter.com/1ZRR4H/status/1766223253360574957

91.134.150.150:7000

# Reference: https://www.virustotal.com/gui/ip-address/12.202.180.134/relations

xwonsmolpsnsm.duckdns.org
xwortom.duckdns.org
xwrm966.duckdns.org
xwrmmomment.duckdns.org

# Reference: https://www.virustotal.com/gui/file/f506b4b1d861d9919dd3238d63ea3020fb05f42534e91a4e534bb5c248c291db/detection

102.89.41.40:7000
45.137.22.150:7000
fat221.ddns.net

# Reference: https://www.virustotal.com/gui/file/633a9be5fea8c29f5743e8309af533055ad2b398b69ba25368c82c4eb6c0e790/detection

51.195.192.51:7000

# Reference: https://www.virustotal.com/gui/file/9ec956dc7b5b323efc45b533cdb4b7017efc4bef05c341b18a0f90c0ea7df35f/detection

http://45.141.215.126
45.128.96.122:2449
45.128.96.122:5554

# Reference: https://malwarelab.eu/posts/stego-xworm/
# Reference: https://www.virustotal.com/gui/file/e30fd7cd7ff6ac140dfa8ed25e0a73d59b70564002099bf01570d59b17935b25/detection
# Reference: https://www.virustotal.com/gui/file/c148ccd6f7623a64d985d3bcc8e882879164b190211ba99661d26152c0dbc4dd/detection
# Reference: https://www.virustotal.com/gui/file/4a3ec6f4f6b79baeabd7d0c4a9f4e043693fa72062573e252d53b70ce3d929a4/detection
# Reference: https://www.virustotal.com/gui/file/15c1414b51b35a77c12be6119cde8c473eb4d5dd2a317f24bc1fa4e7a023e56d/detection

34.216.89.67:7000
34.216.89.67:7001
salif2201021.duckdns.org
xwormchina1203.duckdns.org

# Reference: https://www.virustotal.com/gui/file/ef644fcc2d9242631532474fee0d9bd7bf9d6f99fe099c95bdf00a5e117c011f/detection
# Reference: https://www.virustotal.com/gui/file/b56417ee728862c29f994e54f301fa0ac49237a2c3d9b5fbe88c4cfffbae52df/detection
# Reference: https://www.virustotal.com/gui/file/8a06ced3eb15f9e942b8e1359e04b50d2b0d83c4b688bf1d19ac25da0c898557/detection

109.131.125.140:8832
2.9.241.66:5123
85.201.185.117:8832
91.196.220.193:8832
xworm.ddns.net

# Reference: https://www.virustotal.com/gui/file/d452b6cbc3d6319242e1d0a8985e0ac4c1fc255b6a6a1209bd3f95ad393183b2/detection
# Reference: https://www.virustotal.com/gui/file/a6c51f3a262b88e994175a3c667923fa1f5f260aeef1044c34f31175308c5de1/detection

xworm.duckdns.org

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-03-24)

http://194.147.140.138
107.175.3.10:7536
171.247.47.66:4444
171.247.57.232:4444
91.92.242.57:8989
fvia.id.vn
marxrwo9090.duckdns.org

# Reference: https://www.virustotal.com/gui/file/e6f7963c726231571294a06e1e8b1f03b87684cad8383bb194b957fc685685c2/detection
# Reference: https://www.virustotal.com/gui/file/dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614/detection

157.254.223.19:8081

# Reference: https://www.virustotal.com/gui/file/f11530348170183d1b09956284353c00b1bd7db111fbfc8faead8d17ba4dc626/detection
# Reference: https://www.virustotal.com/gui/file/bc7ff6e9fd8cc3ab6d0da0f02818629237bcd64cc8ed86a924d0325f0445a078/detection

194.147.140.138:3615
persianremote.world
besty2023.sytes.net

# Reference: https://www.virustotal.com/gui/ip-address/194.147.140.138/relations

febxworm39090.duckdns.org
janmidd9300.duckdns.org
marxrwonew9090.duckdns.org

# Reference: https://twitter.com/suyog41/status/1772864180376191428
# Reference: https://www.virustotal.com/gui/file/d23c351c8e05de555878912735b555169864cf1b41c28d0bb065ec0ede32faaf/detection

172.94.125.164:2220
google-updater.duckdns.org

# Reference: https://twitter.com/r3dbU7z/status/1773480693487538583

rentcentral.online

# Reference: https://twitter.com/karol_paciorek/status/1775152923271405876
# Reference: https://tria.ge/240402-p8r1baag33/behavioral2

209.126.87.35:7000
209.126.87.35:8888

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2024-04-04%20XWorm%20IOCs

91.92.243.33:7000
dcxwq1.duckdns.org
reality-lauderdale-strengthen-condos.trycloudflare.com

# Reference: https://twitter.com/ShanHolo/status/1776550047120789901
# Reference: https://www.virustotal.com/gui/file/e761f2d9049734373c12c97aa557183081403e792b40028c410e4a6c0646c2b8/detection

http://210.246.215.36
210.246.215.36:5814

# Reference: https://twitter.com/ShanHolo/status/1774753351671906527
# Reference: https://www.virustotal.com/gui/file/9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b/detection

http://210.246.215.82
210.246.215.82:7000

# Reference: https://www.virustotal.com/gui/file/a1a8aa4165535f8af330c983f7bc4259bccac718288b59d10d21693f73d049a6/detection
# Reference: https://www.virustotal.com/gui/file/a13c9eeea3360eb429202e74b78c1664e2a14ef9182a9f9ff8399a91983be731/detection
# Reference: https://www.virustotal.com/gui/file/96cdff86a5e3d8aa60574a0a8a4fd01ebdd8d88b4ffc6fb0c34f1f01f2e56095/detection
# Reference: https://www.virustotal.com/gui/file/49c7cacd2736a505c370064f1c1ae2b6c8938385592c6c6da55a4c2354944135/detection

185.36.188.52:8896
28.140.73.191:8896
93.123.39.28:8896
xwormmom53.duckdns.org

# Reference: https://www.virustotal.com/gui/file/8bb96eab6ecce497a8df95bd2ea9b22c3f304f4d46b5c7f9064f1f953170f196/detection

147.185.221.16:41934

# Reference: https://www.virustotal.com/gui/file/8048406056b1a1a91b56725c1c0b89e3b8060bf5a45861484a73728d222ccbc2/detection

192.99.152.153:7001
xwormv5.duckdns.org

# Reference: https://www.virustotal.com/gui/file/574bbc258f00e8ef099184a763b7f03075218c56ebfcd90f0319250cb8cd82ae/detection

209.25.140.181:26193
kids-abstract.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/e80426f5e4fa58d66cb1658b470e5c46bb35524379ff192dda7eb7c87d66a27d/detection

137.184.94.195:7000

# Reference: https://www.virustotal.com/gui/file/3b97b6b5f8b17918239a303a735c9098e47ff49ec04fbb25f62d870e8ebd2183/detection

45.138.16.125:7000

# Reference: https://www.virustotal.com/gui/file/60bb0aae72a9ba2fdb141b497da0e4671c92a6a1bd825c72a8a8c2df4de08fbb/detection

146.190.57.132:7000

# Reference: https://www.virustotal.com/gui/file/bc1b38d36be44ff0b3f853d4cbfadc275bcf0898a9ca41607887b7d1eb2c124d/detection

20.197.229.216:26099
craxsr4t.duckdns.org

# Reference: https://www.virustotal.com/gui/file/8f9ac4eafd35f7b9f8e3fdbe1e9cce3b8ea6e5447b631949920dea27c86def1e/detection
# Reference: https://www.virustotal.com/gui/file/68c23de8564b113bf324bf9ba438a57cf4070a895134cbe28bdf0896efd9a5b1/detection
# Reference: https://www.virustotal.com/gui/file/4dc4cf85bff980888e41079167fe3290b766cdac49f9f93db655b6363315133d/detection

194.147.140.186:4004
myhost1.hopto.org

# Reference: https://www.virustotal.com/gui/file/d76e889cf2575622ca27fcb43a4bfd4df2dba3cfdd3175c28abdef00d541eaa3/detection
# Reference: https://www.virustotal.com/gui/file/84c6c519c17da179b5d9d969a57a67e710168b83323e7afe2a9dcda50979d9db/detection

91.92.253.147:7000
freed12.duckdns.org

# Reference: https://www.virustotal.com/gui/file/6045030af3412c4670b042c08f7fbf0e31b670e679724388b9192fb512a1e705/detection

179.13.0.175:7000
warzones12.duckdns.org

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2024-04-16%20XWorm%20IOCs
# Reference: https://www.virustotal.com/gui/file/bcfe8808e2702a5700a63b1e003e7c08a1039edcf9d9cd734b5e1937746a1af7/detection

12.221.146.138:8450
45.146.255.167:8500
aprilxrwo8450.duckdns.org
phv18mar8500.duckdns.org
phvnc8500.duckdns.org

# Reference: https://www.virustotal.com/gui/file/02a0598aeaf2d468baa017e649143581ae98be80c87bb0df6c38f44b593c0672/detection

78.137.82.251:7000

# Reference: https://www.virustotal.com/gui/file/a44c1de14da3e559ba63a470f5dfea8e9da7fd990ca33b9c57344d05eb293bd0/detection
# Reference: https://www.virustotal.com/gui/file/2e8bdb5b1d2d3c44e9d057075b629e31b630e704bed2e0f7ce0399b59fd31525/detection

185.249.197.248:9090
45.141.215.40:9090
google-api.webredirect.org

# Reference: https://twitter.com/1ZRR4H/status/1785825977035010503
# Reference: https://www.virustotal.com/gui/file/7657626481f9276d3ecd83ba73795bbb175af0c3738648bbb37613f8d52f0285/detection

45.88.90.74:1600

# Reference: https://twitter.com/karol_paciorek/status/1788556707620159734
# Reference: https://www.virustotal.com/gui/file/29841f038da6a26dac5df28f23b4adcb080f5b0a2312bf996c8073940849eef6/detection
# Reference: https://www.virustotal.com/gui/file/4eedc7ed6ade620eef8eb160d18518afc9c59eb262baf8a9fdbe758fb611b6f0/detection

45.61.150.201:1111
45.61.150.201:7000
45.88.186.125:1111
45.88.186.125:7000

# Reference: https://www.virustotal.com/gui/file/200bba6a058d55a892191225f864289198495df95c6e97dd841fe1d5d1e7673d/detection

141.11.109.151:7000

# Reference: https://www.virustotal.com/gui/file/d7e658f9bea1d189bcd15e7e424b4b9e0c21e3ac61d6c4ac9937bf3d734383ea/detection

147.185.221.19:30502
includes-wilderness.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/bad5a4831a6ad23cefc0d207321fe07f2c74604313383d699fc750315b9dfeff/detection

147.185.221.19:45948
3.125.102.39:19677
marketdedamoroza.webhop.me
points-garcia.gl.at.ply.gg

# Reference: https://x.com/banthisguy9349/status/1795455659539902790

http://94.156.68.22
94.156.68.22:443

# Reference: https://cert-agid.gov.it/wp-content/uploads/2024/05/xworm_30-05-2024.json
# Reference: https://www.virustotal.com/gui/file/1a2e2e6fc6083d5f8e031e75d630f8b11812290542d6bea152d8d809680c3585/detection

134.255.233.93:7001
wall5tghf6fdg.api.opensourcesaas.org

# Reference: https://www.virustotal.com/gui/file/74dc2e2a9e6852c12f03dbaecd247fc525103374aa172e5c730abc272c69660b/detection

24.152.38.50:7500
translate99.duckdns.org

# Reference: https://x.com/karol_paciorek/status/1797594552758411301

12.202.180.134:8890
12.202.180.134:8896
57.128.129.21:8080
57.128.129.21:9222
xgmn934.duckdns.org
xvern429.duckdns.org

# Reference: https://x.com/1ZRR4H/status/1799205178194719228
# Reference: https://www.virustotal.com/gui/file/f2807e8e6061fd27347c9e4f94e84ae4db0f67b4afe89f013fb69419e8d56745/detection

hai1723sad-22118.portmap.host

# Reference: https://www.virustotal.com/gui/file/d533b3ac98afdd129d7302dbb9612ddcedecef05a5cf498f37fb18d116794792/detection

193.161.193.99:36059
aveer-36059.portmap.host

# Reference: https://www.virustotal.com/gui/file/365771facf4476f03189fbace015a962f6fd021650f4ebd61acd0c675bc85b77/detection

82.102.27.171:43831
yoda2024.sytes.net

# Reference: https://x.com/jcarndt/status/1800157970850078973
# Reference: https://www.virustotal.com/gui/file/528ddad4f68d4a7fc60157dea40eb1e3ad82231171bede0aa1b0e79b1a4c5031/detection

154.127.53.157:7000
89.117.145.5:7000
mayfixworm.ddns.net
stocks-army-malta-false.trycloudflare.com

# Reference: https://x.com/karol_paciorek/status/1802255896355000653
# Reference: https://www.virustotal.com/gui/ip-address/57.128.129.21/relations
# Reference: https://www.virustotal.com/gui/file/ef0c1ad56a105d2c20a1aa2eac9b49d483bfea41c301dcf314ada596969888f6/detection

12.202.180.114:8896
57.128.129.21:7332
ceeaapaint.xyz
josiekkatrstrunk.xyz
wickedasylum.tech
vxsrwrm.duckdns.org

# Reference: https://www.virustotal.com/gui/file/83037ad76ddddabca05efe07e731d65c5d9069ad889e46306b753cbc7561fa59/detection

200.9.155.204:7000

# Reference: https://www.virustotal.com/gui/file/b628182a47f7fd2c29c17862402dd36811524b58538996a2523d59920ffb6de8/detection

157.20.182.172:7000

# Reference: https://www.virustotal.com/gui/ip-address/12.187.175.72/relations
# Reference: https://www.virustotal.com/gui/file/bea7affbaaa5a7eb9616b48216450d1bec20fd5f43f4af3507017b4c5cdfd003/detection
# Reference: https://www.virustotal.com/gui/file/53c9ad3c72873bff784a6a47834f9e988b90366b541424eb19fcafea5cb17ff2/detection
# Reference: https://www.virustotal.com/gui/file/c000765aba0f4e91e28f24235c67f5c55474beeefc2146e77a69d59eb7d7ad6a/detection

12.187.175.72:8292
12.187.175.72:8520
12.187.175.72:9390
jkdvvs.duckdns.org
ncmomenthv.duckdns.org
rvxwrm5.duckdns.org
todfg.duckdns.org
ujhn.duckdns.org
welxwrm.duckdns.org

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-07-06)
# Reference: https://www.virustotal.com/gui/file/04a275ef1616f3f88d3b9904c7a4c97213fed00d9a11e813e62cd03408b4e4a2/detection

http://89.213.177.81
104.194.9.116:7000
147.185.221.17:14348
178.215.236.251:717
194.110.172.149:7705
194.48.251.9:8895
194.48.251.9:8896
195.2.75.12:7000
41.199.23.195:7000
45.74.8.236:5355
52.12.114.120:38977
57.128.155.22:8895
89.213.177.81:7000
91.92.252.220:7000
aprijs7250.duckdns.org
aprilxrwonew8450.duckdns.org
diditaxi.kro.kr
football-emily.gl.at.ply.gg
hvaprinew850.duckdns.org
june9402xw.duckdns.org
maynewxw9402.duckdns.org
mayxw9402.duckdns.org
proxy17.rt3.io
proxy22.rt3.io
reco8100may.duckdns.org
rem8000jun.duckdns.org
saveclinetsforme68465454711991.publicvm.com
surgical-farming-ca.com
xmay8000.duckdns.org
xwormay8450.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3d5261b4d6b3c10a9a9e12fc65df89a794fdb65bb34699a7b794a114e5196135/detection

47.243.102.139:6667
91.208.240.157:881
al17.tk
guanlix.cn

# Reference: https://x.com/K_N1kolenko/status/1817827071936143534

103.54.153.156:5500
108.165.233.22:7000
147.185.221.18:9954
154.198.49.151:4456
185.254.97.15:1337
193.161.193.99:26586
217.164.105.143:1
45.83.246.140:30120
88.0.172.65:1603
91.92.242.131:7000
94.141.120.222:7000

# Reference: https://x.com/K_N1kolenko/status/1818172197325684795

103.245.237.11:8888
154.84.153.4:28976
188.212.101.97:3434

# Reference: https://x.com/ShanHolo/status/1818541500348707022
# Reference: https://tria.ge/240715-kmwn6axfpr

147.185.221.21:14154
schools-copper.gl.at.ply.gg

# Reference: https://x.com/K_N1kolenko/status/1818884432918450400

192.3.182.92:7006
195.2.78.105:7000
198.44.168.230:7000
51.77.223.168:7000

# Reference: https://x.com/K_N1kolenko/status/1819307047856316456

157.254.223.219:7000
85.209.133.150:6677

# Reference: https://www.virustotal.com/gui/file/2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce/detection

43.142.10.246:7000

# Reference: https://x.com/K_N1kolenko/status/1820417274169241928

154.197.69.148:8812
154.197.69.157:1433
154.197.69.161:5000

# Reference: https://x.com/K_N1kolenko/status/1820726909396754906

141.11.158.226:7000
194.59.30.23:6333

# Reference: https://x.com/karol_paciorek/status/1820759162348781734

51.89.199.99:9070
51.89.199.99:9270
momojojo.store
robshippings.cloud
trackingshipmentt.xyz
trackmyshipeng.site
trackmyshipwng.site
transformation-cage-keyboards-rural.trycloudflare.com

# Reference: https://x.com/K_N1kolenko/status/1821454155724038587

147.185.221.20:18563
185.252.232.158:7812
193.233.255.65:7000
194.59.30.91:4040
72.129.242.185:1177
89.213.177.108:7000
91.188.254.203:4449
92.38.186.26:7000

# Reference: https://x.com/r3dbU7z/status/1822608072822358145
# Reference: https://www.virustotal.com/gui/file/2e8c08abc070d55f30338ad1f69d6f9946fa7d31d069c3b4bc37b97053b569f5/detection
# Reference: https://www.virustotal.com/gui/file/a50376b1375f041a534a74ea0cecd6429b4e26747059a4a4c72ef91bb04d7080/detection

198.244.206.37:7000

# Reference: https://x.com/K_N1kolenko/status/1822947285514228151

136.175.8.54:7000
2.58.56.88:7000
45.138.16.57:1337
45.141.26.156:7000
67.215.224.135:3540
80.76.49.28:1111
95.98.144.201:2404

# Reference: https://www.virustotal.com/gui/file/b26f4df5de6919f4e1a54f1e51d2a743a0db3d3adb0bbf79f367d2f86135b67c/detection

46.246.6.65:7000

# Reference: https://www.virustotal.com/gui/file/f6c46140c960efda590ddd29f58558f51ac8b82b9c5ee07fb4e2d8614533b28d/detection

185.24.62.224:7000

# Reference: https://www.virustotal.com/gui/file/109495bf6873147f8f7dc7db0a2ce86e10306d391c62b7937b176c5094a9a421/detection

178.73.192.70:7000

# Reference: https://x.com/K_N1kolenko/status/1823622598346830071

157.66.26.208:8848
94.156.248.32:6543

# Reference: https://x.com/K_N1kolenko/status/1824332904651989003

37.1.208.55:7000
83.38.30.219:1603
91.92.242.138:7007

# Reference: https://www.virustotal.com/gui/file/d8b11b8b437f83a1ad55c954b4a80081abfaf3c29cbc922d57b76bc20745111a/detection

103.47.147.21:1500

# Reference: https://www.virustotal.com/gui/file/0ecbfa4d7167aaf8639c280e69334a850252f53d900fb389047ca5e9d2f48e01/detection
# Reference: https://www.virustotal.com/gui/file/bdd871d07948cf37690d3febde3c64abfaaacb87190284f793b39f610654850d/detection
# Reference: https://www.virustotal.com/gui/file/fee2f77cc601ffe34c72438c8649916d6ff6985e82bfcc3b6e68458323a1209d/detection

172.111.150.133:1500
197.210.54.182:1500
197.210.78.173:2000
cyberdon1.duckdns.org

# Reference: https://www.virustotal.com/gui/file/d36b328b0a8e92ee2413c88c54d4a1ac3cfe53dfbb4e738d23e5e925c04b52a1/detection

83.147.54.51:6677
serverss293x1.servegame.com

# Reference: https://x.com/RacWatchin8872/status/1829090911701111123
# Reference: https://www.virustotal.com/gui/file/95931b4531f538137929756d736735981e7d7bcf4d43a750fb1bb01c76b3219f/detection

191.96.207.180:50000
vecotr.viewdns.net

# Reference: https://www.virustotal.com/gui/file/07147233a30756c587b1ccc49da745fdff43b3682b72ad2c48ab54af442f2f68/detection
# Reference: https://www.virustotal.com/gui/file/eeaca254b1c2d447e14e492a81f0690b0cfcf50d15e2ad2664cff512ef2049a6/detection

103.77.240.73:7000
artemis.community

# Reference: https://any.run/malware-trends/xworm/

22.ip.gl.ply.gg
airlineagancy.casacam.net
c0mer.publicvm.com
exonic-hacks.com
grand-herbal.gl.at.ply.gg
manufacturer-rank.gl.at.ply.gg
microsoft-pro.zapto.org
momekxwrm.duckdns.org
national-models.gl.at.ply.gg
on-weighted.gl.at.ply.gg
version-try.gl.at.ply.gg
wide-bolt.gl.at.ply.gg
xwor3july.duckdns.org
xwram1.duckdns.org
xwrmmone.duckdns.org
xwrmsistem.duckdns.org
yolomesho.work.gd

# Reference: https://x.com/K_N1kolenko/status/1830542757888201204

103.54.153.49:7000
104.128.56.200:7000
143.198.208.124:1234
146.190.29.250:7812
154.197.69.165:7000
154.216.17.147:6677
158.220.102.17:5048
178.215.236.228:7000
193.233.112.215:7000
195.26.240.251:7000
207.32.218.15:537
212.87.213.208:7000
27.147.169.101:7070
45.156.30.9:1604
45.43.11.150:7000
45.59.112.248:7000
80.76.49.176:7000
80.76.49.178:7000
83.38.28.117:1603
92.42.46.224:7250

# Reference: https://x.com/ShanHolo/status/1831331301065891895
# Reference: https://www.virustotal.com/gui/file/0b142a5773fcd9ae5cbb967f748e8da9a89e74aa50a0e1cd52f3aaa313bc749d/detection
# Reference: https://www.virustotal.com/gui/file/4d53c18f9c35747419cc289b1da6998457cb6ff5aeaddc1e5e474586b739b1c7/detection

http://45.141.26.197
45.141.26.197:443
45.141.26.197:7000

# Reference: https://x.com/K_N1kolenko/status/1831975535389622601

156.238.224.69:8080
163.5.160.229:1234
188.212.101.246:8000
69.10.45.181:7000

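# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-09-08)
# NOTE(review): tr3.localto.net and uk1.localto.net in this block look like shared relay hostnames of a tunnelling service rather than per-operator names, so matches may include unrelated tenants - confirm before alerting or blocking on them alone.
# NOTE(review): the *.ply.gg / *.playit.gg names are tunnel endpoints that can presumably be reassigned over time; triage hits against the reference date above.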

147.185.221.22:21310
185.196.9.46:2404
185.196.9.46:3333
193.161.193.99:63770
194.156.79.149:7000
2.45.246.38:6666
45.141.26.234:7000
79.110.49.123:80
79.110.49.169:18455
88.168.211.65:6004
89.213.177.100:7000
89.213.177.177:2233
89.213.177.93:7000
89.31.122.114:1488
91.92.241.104:4444
94.141.120.29:443
a-temple.gl.at.ply.gg
accessories-retrieve.gl.at.ply.gg
agency-lottery.gl.at.ply.gg
answers-rehabilitation.gl.at.ply.gg
aozepaokojfksdjfsk.ddns.net
apple-return.gl.at.ply.gg
application-motivation.gl.at.ply.gg
apply-ciao.gl.at.ply.gg
approach-stability.gl.at.ply.gg
article-ram.gl.at.ply.gg
arts-below.gl.at.ply.gg
availability-addition.gl.at.ply.gg
away-andrea.gl.at.ply.gg
baby-contracts.gl.at.ply.gg
been-adopt.gl.at.ply.gg
browse-brokers.gl.at.ply.gg
call-closest.gl.at.ply.gg
cars-controllers.gl.at.ply.gg
cd-characterized.gl.at.ply.gg
church-insight.gl.at.ply.gg
collection-belief.gl.at.ply.gg
comeback.ddnsgeek.com
court-petersburg.gl.at.ply.gg
dvd-ons.gl.at.ply.gg
elaablibeh.ddnsgeek.com
else-treatment.gl.at.ply.gg
field-retain.gl.at.ply.gg
filter-ec.gl.at.ply.gg
first-suffering.gl.at.ply.gg
florida-satisfied.gl.at.ply.gg
form-fly.gl.at.ply.gg
fund-personnel.gl.at.ply.gg
garden-tight.gl.at.ply.gg
george-continental.gl.at.ply.gg
grand-navigator.gl.at.ply.gg
hair-ment.gl.at.ply.gg
he-tower.gl.at.ply.gg
hill-java.gl.at.ply.gg
individual-katrina.gl.at.ply.gg
ireland-mercury.gl.at.ply.gg
italy-exhibitions.gl.at.ply.gg
item-suggesting.gl.at.ply.gg
japanese-longer.gl.at.ply.gg
joined-kenya.gl.at.ply.gg
korkos.now-dns.net
la-michael.gl.at.ply.gg
leading-sexuality.gl.at.ply.gg
locations-ff.gl.at.ply.gg
loss-gb.gl.at.ply.gg
lot-neon.gl.at.ply.gg
meet-ellis.gl.at.ply.gg
mini-jungle.at.ply.gg
mode-clusters.gl.at.ply.gg
model-monitors.gl.at.ply.gg
network-info.gl.at.ply.gg
never-villas.gl.at.ply.gg
numbers-fragrance.gl.at.ply.gg
offers-perspectives.gl.at.ply.gg
onlinesupportforroad.com
or-fail.gl.at.ply.gg
order-detail.gl.at.ply.gg
original-internal.gl.at.ply.gg
outside-sand.gl.at.ply.gg
owlcraft.playit.gg
pack-they.gl.at.ply.gg
paris-disciplinary.gl.at.ply.gg
paris-went.gl.at.ply.gg
proxzymosh.playit.gg
remove-coordination.gl.at.ply.gg
republic-mexican.gl.at.ply.gg
research-variations.gl.at.ply.gg
reviews-row.gl.at.ply.gg
richard-environmental.gl.at.ply.gg
right-learned.gl.at.ply.gg
running-locks.gl.at.ply.gg
sample-sperm.gl.at.ply.gg
score-thin.gl.at.ply.gg
security-sudan.gl.at.ply.gg
session-chief.gl.at.ply.gg
software-tradition.gl.at.ply.gg
spring-inner.gl.at.ply.gg
stage-von.gl.at.ply.gg
status-stack.gl.at.ply.gg
stop-identifying.gl.at.ply.gg
stop-largely.gl.at.ply.gg
summary-athletic.gl.at.ply.gg
super-nearest.gl.at.ply.gg
t-abc.gl.at.ply.gg
taraji111.duckdns.org
they-side.gl.at.ply.gg
third-cheque.gl.at.ply.gg
tr3.localto.net
uk1.localto.net
union-reviews.gl.at.ply.gg
very-aug.gl.at.ply.gg
w-killing.gl.at.ply.gg
watch-contests.gl.at.ply.gg
watch-ship.at.ply.gg
week-media.gl.at.ply.gg
where-dip.gl.at.ply.gg
which-anxiety.gl.at.ply.gg
would-between.gl.at.ply.gg
x5wo9402sep.duckdns.org
zip-connection.gl.at.ply.gg

# Reference: https://x.com/K_N1kolenko/status/1833028273778876876

147.50.240.203:7000
195.2.84.224:7000
202.55.134.194:6868
37.221.93.67:4545
77.232.132.25:4449
77.90.185.49:7000
82.147.88.10:7000

# Reference: https://www.virustotal.com/gui/file/e4b3a8461ef21d6e9e1dab285baa528f2d744eb643ed2b3dbcf870be4b6cc7e6/detection
# Reference: https://www.virustotal.com/gui/file/862e931d6a407871edd4077f6c633056554a9227782fb7c8a993c10d35037728/detection

213.142.151.240:2323

# Reference: https://x.com/karol_paciorek/status/1834532649236349137

216.173.64.63:4646
remember-humidity-floppy-choosing.trycloudflare.com

# Reference: https://x.com/K_N1kolenko/status/1834511338527195226

13.51.47.41:7772
139.99.25.159:6869
185.84.160.182:7000
91.108.240.63:7000

# Reference: https://x.com/K_N1kolenko/status/1838196091075908080

103.253.73.222:400
45.76.68.94:7000

# Reference: https://x.com/malwrhunterteam/status/1838518514644136030
# Reference: https://tria.ge/240924-l3x3lazgnl/behavioral2
# Reference: https://www.virustotal.com/gui/file/416a2a9c374574f8fcb7f90e775069e7d4606c0155f964886096e41f45d16548/detection

2.56.245.123:3501
bulletrdp.ru

# Reference: https://x.com/malwrhunterteam/status/1838877554867912765
# Reference: https://www.virustotal.com/gui/file/3658f44acb4d331fa89ab43d782bee2a97a48b2f425cad29939ee472c74bc62f/detection
# Reference: https://www.virustotal.com/gui/file/002045c91ab51c5715559c2bced3ccd8e699e130c6b3c5e668f29295690b7084/detection

135.224.23.113:5555
52.252.190.167:56001
rdoge.pro

# Reference: https://x.com/K_N1kolenko/status/1839226352571965501

103.182.103.206:24184
103.218.0.61:7000
103.77.246.154:5555
135.125.21.87:7000
154.12.30.42:7000
154.216.17.202:2324
45.137.22.114:7000

# Reference: https://www.virustotal.com/gui/file/b0f67744cfbcd7fdb2faa1e907b1637405ad47b1bea55a67466660d1d8d6ff1b/detection

45.94.31.88:7000

# Reference: https://www.netskope.com/blog/netskope-threat-labs-uncovers-new-xworms-stealthy-techniques
# Reference: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Malware/XWorm/IOCs

89.116.164.56:7000
ziadonfire.work.gd

# Reference: https://www.virustotal.com/gui/file/3b2b055027ab684ff8477eb80090e9c1bbaf7ad07059ecdf73b2d5a0eca8530c/detection

45.156.30.9:1604

# Reference: https://x.com/banthisguy9349/status/1842246259765088421
# Reference: https://www.virustotal.com/gui/file/b24e8948d314d492f4e1ae9fd78e8fcb41ee5c9adfd6e9ab7927fca7c333003c/detection

65.52.240.233:5555

# Reference: https://x.com/karol_paciorek/status/1843271345913925943

91.151.89.158:7000
adsphotoscape.com
pl-photoscape.com

# Reference: https://x.com/ValidinLLC/status/1843418095551164923

aawebot.com
ai-viso.com
createstudios.site
cryptofeedbank.com
flashloans.online
hamrah-tejarat.com
prntscrapp.com
s1-utorrent.com
y-utorrent.com

# Reference: https://x.com/K_N1kolenko/status/1846130209856057371

144.76.147.226:5335
15.235.205.1:7000
154.12.30.42:6514
172.214.220.82:5555
185.84.160.213:7000
194.26.192.177:6080
38.255.55.174:7000
45.141.26.180:7000
45.141.26.214:7000
45.145.41.251:9000
45.200.148.216:7000
94.241.141.124:1717

# Reference: https://www.virustotal.com/gui/file/c9d4a1aeb7471fd602f45ed7988256f06332fda7157955a76b15bcd6ae839d74/detection

144.172.122.67:7000

# Reference: https://x.com/malwrhunterteam/status/1846249160787259587
# Reference: https://www.virustotal.com/gui/file/f55b57ad9a8dd4dbc3e7cfa7d5ef258b32d6b3ebf940867540e10dc03482ae18/detection
# Reference: https://www.virustotal.com/gui/file/a147e48013408252e2883a23d99320e6568b6873fe4a4670c770c4553bab7dfa/detection
# Reference: https://www.virustotal.com/gui/file/77dc1dbb1604b5bccf931191be04126f4cabbfddb143fcacdde8064934da6eab/detection
# Reference: https://www.virustotal.com/gui/file/4dc5598144fa11e49ce5928b7fcbeaaeffbd35a325908036835668ad24f3c868/detection

188.93.233.239:443
excitingclips.online

# Reference: https://x.com/K_N1kolenko/status/1847223576480436628

106.53.60.197:9002

# Reference: https://x.com/malwrhunterteam/status/1848297261597409701
# Reference: https://www.virustotal.com/gui/file/dc70004c8c8423920146a0c3d6d8c792f714c45e05641a5f40d9cf2cf916f2fc/detection

193.34.212.14:443

# Reference: https://x.com/malwrhunterteam/status/1848283689190371692
# Reference: https://www.virustotal.com/gui/file/b41b17ecc842aa796e599d23fd61d48e9dabe12b51ea337e17ba181bed092cc0/detection

91.184.248.229:9000
smape.work.gd

# Reference: https://x.com/malwrhunterteam/status/1849381606026256654
# Reference: https://www.virustotal.com/gui/file/2e5cdb5e57179d31c0b393ff7f3a1defed0b7afe35128cf1ef5738373cab808a/detection

42.96.11.54:25209

# Reference: https://www.virustotal.com/gui/file/1190512fa5c9de81accb4bf1bb0406a7767b5c2f6e73d0cda010193ef7d67057/detection

78.186.196.68:1605

# Reference: https://www.virustotal.com/gui/file/0fe4467aabb9b849c5160efabb52cf0f03d78e3abdb7d647e0a56ea1e9a96c18/detection

23.84.85.170:3389

# Reference: https://cert-agid.gov.it/wp-content/uploads/2024/10/xworm-namirial-25-10-2024.json

michael-scanned-motherboard-reforms.trycloudflare.com
retailer-indicators-resume-key.trycloudflare.com
theme-crack-emissions-perspectives.trycloudflare.com

# Reference: https://x.com/StrikeReadyLabs/status/1850521792521150685
# Reference: https://www.virustotal.com/gui/file/9df5d2239d8ac1102963a463410ed1284afa71fdb386ca748188f06fee0b71d8/detection

147.185.221.23:35501
local-subsequent.gl.at.ply.gg

# Reference: https://x.com/malwrhunterteam/status/1850991679269949584
# Reference: https://www.virustotal.com/gui/file/fd9ae7bc3825e29801afa8cf7e78ed5f056e9bbf675bc86ad54429a272c6b832/detection

javaplugin.org

# Reference: https://x.com/Tac_Mangusta/status/1851949543320957113
# Reference: https://www.virustotal.com/gui/file/f1f6e5c43acf1fc01a408693c539b95ff327ec048a80b7e97418b16858e32a6b/detection

triangle-publications-tennessee-double.trycloudflare.com

# Reference: https://x.com/naumovax/status/1851901996770693416
# Reference: https://app.any.run/tasks/06197036-a73d-4a54-aa08-78cf9fa5115e

51.77.103.216:8292

# Reference: https://x.com/K_N1kolenko/status/1852259660490768787

103.230.121.36:6875
103.230.121.82:6875
159.223.206.14:7000
178.215.224.96:7886
185.84.161.76:7000
4.228.228.120:7000
45.130.145.59:4404
51.20.118.144:69
94.46.207.10:1177
devscripts.online

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-11-01)

http://103.252.89.37
http://154.197.69.165
103.216.158.119:7000
103.252.89.37:7000
110.164.203.191:7000
147.185.221.19:35896
147.185.221.21:4140
154.197.69.155:7000
154.197.69.165:443
188.134.71.71:4448
191.101.130.49:7000
193.233.255.34:7777
49.232.20.75:443
5.252.53.134:7000
80.85.152.13:7000
84.46.250.60:7000
94.141.120.3:7000
aarsallc.duckdns.org
basis-cheap.gl.at.ply.gg
boards-particular.gl.at.ply.gg
bush-granted.gl.at.ply.gg
can-h.gl.at.ply.gg
contact-staffing.gl.at.ply.gg
corporate-deemed.gl.at.ply.gg
distribution-between.gl.at.ply.gg
engine-gene.gl.at.ply.gg
europe-perception.gl.at.ply.gg
external-deutschland.gl.at.ply.gg
french-waters.gl.at.ply.gg
gifts-architecture.gl.at.ply.gg
ground-wisconsin.gl.at.ply.gg
leading-flashing.gl.at.ply.gg
maximum-driven.gl.at.ply.gg
mb-jonathan.gl.at.ply.gg
md-shade.gl.at.ply.gg
mind-loaded.gl.at.ply.gg
needs-conservation.gl.at.ply.gg
nichthaze1337.ddns.net
opportunities-against.gl.at.ply.gg
pay-nm.gl.at.ply.gg
pro-christian.gl.at.ply.gg
process-medieval.gl.at.ply.gg
publication-lucas.gl.at.ply.gg
re-fe.gl.at.ply.gg
section-payments.gl.at.ply.gg
stay-daughters.gl.at.ply.gg
than-companies.gl.at.ply.gg
three-updates.gl.at.ply.gg
toskaadmx.duckdns.org
university-organizations.gl.at.ply.gg
various-injury.gl.at.ply.gg
virginia-compute.gl.at.ply.gg
watch-viewer.gl.at.ply.gg
while-searched.gl.at.ply.gg
yourself-likes.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/cbdda2ee7f374e8465e819faf34cd9af4505f9ebe85f01afc9938f3b068db31c/detection

37.60.252.188:7000
onlyforbackupsrd.ddns.net

# Reference: https://www.virustotal.com/gui/file/e677b04954d0927678a2352f48263295fbb876c928c033d512d715a8e00bc9a1/detection

179.14.10.239:1887
carlossalazar.chickenkiller.com
danielaplayerlora09.chickenkiller.com
danielsanchez2.chickenkiller.com
jesusmachadolora09.chickenkiller.com
joseamayaaa.chickenkiller.com
marceloandresdosantolora09.chickenkiller.com
muguelsanchez.chickenkiller.com
neverasfires.chickenkiller.com

# Reference: https://app.validin.com/detail?find=xclient.exe&type=dom&ref_id=4725c822bff#tab=host_pairs

http://154.197.69.131
http://154.197.69.143
http://154.197.69.157
http://156.225.129.219
http://38.153.61.81
http://52.91.10.228
http://85.203.4.238
http://94.156.6.109

# Reference: https://www.virustotal.com/gui/file/77602b263506d07b53acbc34c40dac746d1431b0e4b8e299d1d9b9df7f9b5d0b/detection
# Reference: https://www.virustotal.com/gui/file/35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e/detection
# Reference: https://www.virustotal.com/gui/file/343661ccc6bbe2653816c76b11e6e4b2fa3e2ff507d3ac426dd7b009d916aee7/detection

38.153.61.81:16384
38.153.61.81:16835
38.153.61.81:16386
38.153.61.81:16387
38.153.61.81:16390
exgaming.click
dentiste.zapto.org
xcu.exgaming.click
xcu5.exgaming.click

# Reference: https://x.com/RacWatchin8872/status/1854579674887729395
# Reference: https://tria.ge/241107-vwkncsypcm/behavioral2

111.90.143.143:7000

# Reference: https://www.virustotal.com/gui/file/12e612895d16dabb26aa5f5412da15f49e1ceb806aafb5b3c4dbe873794cbc3e/detection

ranchoboscardin.com.br

# Reference: https://www.virustotal.com/gui/file/18d6cb03aaa51e60509d37c28b01d36cfb9dc27cbf3824a194096756a779cf7b/detection

185.235.138.103:4030

# Reference: https://www.virustotal.com/gui/file/a6c66414c91dd5eb021ff8989028b12ab20f1be13b823cd785d019301d94cb9d/detection

186.169.92.58:7000
gotemburgoxm.duckdns.org

# Reference: https://x.com/ShanHolo/status/1860409424172495123
# Reference: https://www.virustotal.com/gui/file/9c113da0d913a9fd2a84c5c9a71da4338e3f16a62b8215ecb7a58d10ccab524f/detection

http://45.141.26.170
45.141.26.170:443
45.141.26.170:7000

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-11-24)

http://159.223.206.14
http://42.96.10.8
103.207.164.18:7010
104.154.53.10:7000
104.168.87.36:8000
104.234.114.133:1188
107.172.178.68:7000
15.235.130.195:7000
158.247.200.45:7033
159.223.206.14:443
162.230.48.189:8895
170.238.45.133:4781
176.9.162.125:4060
185.117.250.169:7000
185.147.124.40:4404
185.162.75.19:7000
193.70.26.61:5545
45.141.27.248:7777
8.217.170.22:8888
80.76.49.227:9999
85.203.4.149:7000
87.120.112.33:8398
87.120.116.179:1300
89.110.95.189:7000
89.40.31.232:1717
93.123.109.89:7000
93.123.109.97:334
kskskhhw.ddns.info

# Reference: https://x.com/JAMESWT_MHT/status/1861047971271352705
# Reference: https://www.virustotal.com/gui/file/6494baca6b375ea0e325947e94b20c9c3487b03c6ca1fe878c23662d4e547028/detection

89.40.31.232:1717

# Reference: https://x.com/ShanHolo/status/1861491733717979562
# Reference: https://www.virustotal.com/gui/file/0f504cead80baca0c4be82bd9342de07b0757b4c6e88e4554d867fd1249ac2f5/detection
# Reference: https://www.virustotal.com/gui/file/1df69a8a4a75bb701e7e4bd1216bbbcffb2f2d0fa9430687c70c68fe2b68c961/detection

103.230.121.124:7000
58.9.110.23:18063
nine.ddns.net

# Reference: https://x.com/malwrhunterteam/status/1862228732020134132
# Reference: https://www.virustotal.com/gui/file/fcc871140b8ebd0d5701ef62d569440ddd1099723c1c68ded1030d9440786a2a/detection
# Reference: https://www.virustotal.com/gui/file/4b9afa14e1ddcca27211941fd92f2976bf8b02025352ab76da802bf4c1224938/detection

http://87.120.112.47
87.120.116.99:7666
grabador675.duckdns.org
paratreex.duckdns.org
svhosterwindow11.duckdns.org

# Reference: https://www.virustotal.com/gui/ip-address/12.202.180.114/relations

bdxwrm.duckdns.org
jkswrm3.duckdns.org
jkwrm5.duckdns.org
ksjvenom.duckdns.org
momentvenom.duckdns.org
momenxwrm.duckdns.org
rvenom.duckdns.org
x5387400.duckdns.org
xwrmmoment.duckdns.org

# Reference: https://www.virustotal.com/gui/ip-address/12.187.175.72/relations

hnxwrm3.duckdns.org
hvncmomentpure.duckdns.org
jkvernm.duckdns.org
mvenommm.duckdns.org
myxwrm.duckdns.org
myxwrm5.duckdns.org
nanarchymomey.duckdns.org
newhvmo.duckdns.org
newxrm5.duckdns.org
nhvncpure.duckdns.org
sdanarchynd.duckdns.org
soasyncb.duckdns.org
yasynck642.duckdns.org
yvbhvnc.duckdns.org

# Reference: https://x.com/ShanHolo/status/1866768979727094008
# Reference: https://www.virustotal.com/gui/file/c89625e4304d4708308a8a4138af28b90d490e8bd29ccdf3bc1f567d9644a7d7/detection

115.69.183.222:37593

# Reference: https://x.com/JAMESWT_MHT/status/1869284991441813827

http://92.255.57.155
92.255.57.155:4411
extraguestreview.com
booking.extraguestreview.com

# Reference: https://x.com/K_N1kolenko/status/1870040754644758593

103.232.55.173:7777
103.82.26.162:7001
185.84.160.131:7000
208.110.72.182:8080
212.87.215.19:7000
38.110.228.43:7000
85.209.11.15:4404

# Reference: https://x.com/ShanHolo/status/1870780804076630377
# Reference: https://www.virustotal.com/gui/file/c2eed9aebbd39f068a21850985b371e6653ee035e3a7fd01669226e77a55a172/detection

45.200.148.216:8000

# Reference: https://x.com/JAMESWT_MHT/status/1873291659527745539
# Reference: https://app.any.run/tasks/257527bb-be33-4182-ac2f-b7f76c137915

http://92.255.57.155
guestquesionrewiews.com
recaptcha.icu
booking.guestquesionrewiews.com

# Reference: https://x.com/JAMESWT_MHT/status/1874365729832870023
# Reference: https://www.virustotal.com/gui/file/84e5e532e64c7d1e5ea2457249d651ccd4554cfb1badab3195a8a44458f3f23c/detection

http://176.113.115.170
176.113.115.170:4412

# Reference: https://x.com/banthisguy9349/status/1875652969154408690
# Reference: https://x.com/banthisguy9349/status/1875655623268053496
# Reference: https://www.virustotal.com/gui/file/3535c8e458b0503657511bdc7dfd059b3cf3eac1b59dc4218955c93d1ffa65dd/detection
# Reference: https://www.virustotal.com/gui/file/fc91e5e4c357d97b7fcba5d6fa69b869528056d2654e58a6d00a61e5cf942899/detection

http://94.156.167.30
91.92.246.60:7000
emptyservices.xyz
stattscheck.com
stattssuttcheck.com

# Reference: https://x.com/marsomx_/status/1875859954206494985
# Reference: https://tria.ge/241212-wpqrgatrbl/behavioral2

193.26.115.21:7007

# Reference: https://x.com/JAMESWT_MHT/status/1879203954573394172

antibot-fix.cfd
chekedpartrewiwes.com
booking.chekedpartrewiwes.com

# Reference: https://x.com/smica83/status/1879532889198723085
# Reference: https://app.any.run/tasks/121ef47f-50d0-4c43-863e-b88376e47646
# Reference: https://www.virustotal.com/gui/file/6133b095486178e20e11f97ab8d3efb1b9a51be55a0128d0280951954b7c897f/detection

102.90.44.27:1500
105.113.10.228:1500
172.111.189.20:1500
172.94.127.5:1500
090125.ngrok-free.app
cyberdon.duckdns.org

# Reference: https://www.virustotal.com/gui/file/ef29d3fa9ebc94767cc7e651f90221e3a0f52cf2041fdc6353ea41bb425b7249/detection

62.122.184.98:4412

# Reference: https://x.com/ViriBack/status/1881327750503665912
# Reference: https://app.any.run/tasks/2d0b8575-f31e-4caf-a8ee-721b6ba29f73

147.185.221.24:40432

# Reference: https://x.com/ShanHolo/status/1882050198773575690
# Reference: https://www.virustotal.com/gui/file/9dc579518e8d00546ce132209aee6f5c8eb78b22ed5828f316cdf0f81c720521/detection
# Reference: https://www.virustotal.com/gui/file/c11a3d0e04e33e083ffb071002c1e7d8d851bf1b05867f1d29ec9cdbb35e5ca4/detection

http://178.173.246.113
178.173.246.113:443
178.173.246.113:4444

# Reference: https://x.com/TIntel2255/status/1882499973327257774
# Reference: https://www.virustotal.com/gui/file/6d217281437ec6542d839a5f130e001c3df8aa9b20d47f48927600e10b4862d7/detection

194.59.31.174:5151

# Reference: https://x.com/JAMESWT_MHT/status/1882723100720308508

re-botcheck.com

# Reference: https://www.virustotal.com/gui/file/50bfc65f3fe6da315552cec46f02127ed91ddae075d6167f3c76606686cd1708/detection

176.113.115.225:4444

# Reference: https://x.com/solostalking/status/1884251494901506467
# Reference: https://www.virustotal.com/gui/file/2b6a50140eb45dec89e7301b8f01e03751aeb7c40fbbc2cde73be7059b865467/detection

http://92.255.85.34
92.255.85.34:4444

# Reference: https://x.com/JAMESWT_MHT/status/1885211956635750899
# Reference: https://www.virustotal.com/gui/file/98857bd6e2c53f8695bba76500c14649ad079b5715ca53658d6afe072ea73057/detection

http://185.7.214.54
185.7.214.54:4411
antibot-v2.com

# Reference: https://www.virustotal.com/gui/file/c73164d91bc07cd812b7897f7660ce5dba9b28dc2452569b8e94389008c7a393/detection

199.247.0.169:7000

# Reference: https://www.virustotal.com/gui/file/98bd8cbd9e794d66dd9bab25206b11d0eda127a343e49ddf25b2ecdbe56d24c1/detection

79.110.49.32:7000

# Reference: https://x.com/JAMESWT_MHT/status/1887403342134911070

barleyjack.com
caymanluxurycars.com
secureverifys.com
booking.secureverifys.com

# Reference: https://x.com/malwrhunterteam/status/1889280809690935475
# Reference: https://x.com/JAMESWT_MHT/status/1889313410187223253
# Reference: https://www.virustotal.com/gui/file/4e196693e5613b4585e4dd4ae694e21a0bf90854d916629e465ad2cfcc1e945a/detection

211.154.30.119:8889
bozatime.com
dageipp.com
inkipp.com
iploveipp.com
ippiboza.com
iptimeip.com
pinkippp.com

# Reference: https://x.com/JAMESWT_MHT/status/1889939320787837184
# Reference: https://www.virustotal.com/gui/file/53a2f686422f9f71b69d3a9699661c96dc1375d490ea188d5141bb1e8ae89029/detection

http://147.45.44.42
extrareviewshelps.com
userveriff02.com

# Reference: https://x.com/JAMESWT_MHT/status/1889982062813434365
# Reference: https://app.any.run/tasks/0820e1df-f515-4b0e-a647-ad58399f1044
# Reference: https://www.virustotal.com/gui/file/d8e3240539b9d124c081506af59cf87d47b89139e423894063ac9389697b49a2/detection

178.215.224.234:2627

# Reference: https://x.com/skocherhan/status/1890358780845592613

http://45.141.26.234

# Reference: https://www.virustotal.com/gui/file/128f3b5bbb0df4d1e5a7811fe67adfa050f57a1fa6ade372909cf3e42d82ce07/detection
# Reference: https://www.virustotal.com/gui/file/2664290d6524ba9f1f028091fb85437277216dc28f2a22f03019bd2cb3fe2213/detection

http://95.169.196.36
185.196.10.132:7004
hithitlwer.zapto.org

# Reference: https://x.com/James_inthe_box/status/1892608373763285320

jks2b.duckdns.org
kxwrmf.duckdns.org

# Reference: https://x.com/abuse_ch/status/1893992910640787846
# Reference: https://www.virustotal.com/gui/file/07253a1e6616775fcf3fa678512f2e18c0b557b043127b14b3446aa352e99d49/detection

185.7.214.108:4411

# Reference: https://x.com/JAMESWT_MHT/status/1893920341463798044

einfach-mieten.eu
idewgustarens.com
booking.idewgustarens.com

# Reference: https://x.com/ankit_anubhav/status/1895061182689747333
# Reference: https://www.trellix.com/blogs/research/old-loader-new-threat-exploring-xworm/
# Reference: https://www.virustotal.com/gui/file/97791eba8ac9745155cea4cc1a90e44765a97b840441220ec13c82f719c65f1a/detection
# Reference: https://www.virustotal.com/gui/file/0cb40d6d8632484701ae905790cecd199193e9d67c7dafb26a19537a7988bbc4/detection
# Reference: https://www.virustotal.com/gui/file/00278f7bf28ff1be14d9e60bc6f5c9c5a4f40890125de35281c189cdae90fc0a/detection

94.156.227.37:1888
abodeupdatenew.blogspot.com
adobeacrobateupdate2023.blogspot.com
adobeupdate2023.blogspot.com
updatepower2023.blogspot.com
updatingmsoffice.blogspot.com
urlintimacygoombguch.blogspot.com
zenova.duckdns.org

# Reference: https://x.com/JAMESWT_MHT/status/1895068571211903002
# Reference: https://www.virustotal.com/gui/file/2c83b873dd678cbf90c9344645d902ad31f5fd2d22c17bceda29e933986873af/detection

92.255.57.221:4414
capthumam.com
pagesparthnerinform.com

# Reference: https://www.virustotal.com/gui/file/df07b378a833528cca8012ec0bd65f06372ccf23262b9930c246d8758cef342a/detection

128.90.104.58:6161
128.90.107.225:6161
128.90.170.70:6161
128.90.59.193:6161
178.208.168.121:6161
178.208.168.166:6161
178.208.168.185:6161
178.208.168.188:6161
178.208.168.190:6161
178.208.168.201:6161
178.208.169.63:6161
ohsexoh.freeddns.org

# Reference: https://www.virustotal.com/gui/file/c5699ec6088f12d776edb4be4dec341a3b2653e56cc5c650be8dc231455460e8/detection

178.208.168.230:6161

# Reference: https://www.virustotal.com/gui/file/b2e678427428898f46899140fea44fcad52acf5a614427981d357b23d5f77607/detection

178.208.168.111:6161

# Reference: https://www.virustotal.com/gui/file/1d9a6edc55a547b9e522b3dd7f40aebc3f1c4761070294cc56e328800569fc45/detection

128.90.141.117:6161

# Reference: https://www.virustotal.com/gui/file/1791d00fbe569489f48cf5e56b9a2a9b71d3c17096df4982668f51d512b820c5/detection

178.208.169.139:6161

# Reference: https://www.virustotal.com/gui/file/6d912537a24dbae09f0f21bcdf3bce90b4c18a7e46bfb82740ce32ac9a64726b/detection
# Reference: https://www.virustotal.com/gui/file/3820ba1b904b190f6f81a23a4a03bfcbb3897bc6bcc4544ac909dfb9ee4652cb/detection

178.208.169.87:6161
boobs.ddnsfree.com

# Reference: https://www.virustotal.com/gui/file/0002b41ca7933e03cd6f70e789e0f677a623a84fac7f1e856fdfbfabfb864d4d/detection

179.118.199.252:5555
christcrucifiedinternational.store

# Reference: https://x.com/skocherhan/status/1896075970874130701
# Reference: https://www.virustotal.com/gui/file/1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82/detection

147.185.221.19:47430
politics-fiber.gl.at.ply.gg

# Reference: https://x.com/James_inthe_box/status/1897703110233203123
# Reference: https://app.any.run/tasks/4be36a6c-15e4-4c50-99e7-d95eb48bd88a

147.185.221.25:57007
growth-screening.gl.at.ply.gg

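# Reference: https://app.validin.com/detail?find=147.185.221.25&type=ip4#tab=resolutions (# 2025-03-06)
# Note: the hostnames below appear to be taken from resolution data for 147.185.221.25 rather than from individually analysed samples; ply.gg tunnel addresses are shared between unrelated tenants, so corroborate a hostname-only match (for example with one of the ip:port entries in this file) before attributing it to XWorm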

accessories-fame.gl.at.ply.gg
account-explosion.gl.at.ply.gg
across-guest.gl.at.ply.gg
activity-wax.gl.at.ply.gg
activity-weight.gl.at.ply.gg
administration-till.gl.at.ply.gg
after-sent.gl.at.ply.gg
against-generator.gl.at.ply.gg
airport-forums.gl.at.ply.gg
airport-reporter.gl.at.ply.gg
al-three.gl.at.ply.gg
allows-announces.gl.at.ply.gg
also-keeping.gl.at.ply.gg
also-nr.gl.at.ply.gg
america-depending.gl.at.ply.gg
amount-nightlife.gl.at.ply.gg
another-echo.gl.at.ply.gg
apply-sand.gl.at.ply.gg
are-though.gl.at.ply.gg
asked-jd.gl.at.ply.gg
audio-pending.gl.at.ply.gg
author-reflects.gl.at.ply.gg
awards-problem.gl.at.ply.gg
back-spots.gl.at.ply.gg
bad-motor.gl.at.ply.gg
battery-mercedes.gl.at.ply.gg
beautiful-microphone.gl.at.ply.gg
beginning-usually.gl.at.ply.gg
benefits-lift.gl.at.ply.gg
between-email.gl.at.ply.gg
bin-mud.gl.at.ply.gg
blog-competitive.gl.at.ply.gg
blood-pattern.gl.at.ply.gg
board-apartment.gl.at.ply.gg
board-kills.gl.at.ply.gg
board-tigers.gl.at.ply.gg
books-unless.gl.at.ply.gg
built-among.gl.at.ply.gg
bush-ana.gl.at.ply.gg
button-utah.gl.at.ply.gg
calendar-merely.gl.at.ply.gg
card-funny.gl.at.ply.gg
career-paperbacks.gl.at.ply.gg
categories-stockings.gl.at.ply.gg
category-tar.gl.at.ply.gg
certain-advanced.gl.at.ply.gg
change-harvest.gl.at.ply.gg
changes-collection.gl.at.ply.gg
chapter-soon.gl.at.ply.gg
children-timing.gl.at.ply.gg
cities-annex.gl.at.ply.gg
clear-honors.gl.at.ply.gg
cnet-prostores.gl.at.ply.gg
co-ar.gl.at.ply.gg
color-electric.gl.at.ply.gg
come-edmonton.gl.at.ply.gg
comment-barn.gl.at.ply.gg
common-instructional.gl.at.ply.gg
communication-machine.gl.at.ply.gg
compare-qualify.gl.at.ply.gg
conference-std.gl.at.ply.gg
considered-breast.gl.at.ply.gg
content-jaguar.gl.at.ply.gg
contract-released.gl.at.ply.gg
copy-llp.gl.at.ply.gg
corporate-nine.gl.at.ply.gg
cost-hughes.gl.at.ply.gg
council-boc.gl.at.ply.gg
county-organize.gl.at.ply.gg
cover-expanded.gl.at.ply.gg
cross-real.gl.at.ply.gg
cut-directory.gl.at.ply.gg
daily-sexually.gl.at.ply.gg
dance-accident.gl.at.ply.gg
data-save.gl.at.ply.gg
debt-milton.gl.at.ply.gg
degree-islands.gl.at.ply.gg
details-telescope.gl.at.ply.gg
discussion-ix.gl.at.ply.gg
discussion-levy.gl.at.ply.gg
display-outputs.gl.at.ply.gg
distance-shows.gl.at.ply.gg
doing-pupils.gl.at.ply.gg
door-bottom.gl.at.ply.gg
downloads-shown.gl.at.ply.gg
drive-barcelona.gl.at.ply.gg
drive-mens.gl.at.ply.gg
during-restriction.gl.at.ply.gg
dvd-crossword.gl.at.ply.gg
early-doll.gl.at.ply.gg
effect-parcel.gl.at.ply.gg
effect-weeks.gl.at.ply.gg
employees-jamaica.gl.at.ply.gg
enter-flowers.gl.at.ply.gg
entire-brick.gl.at.ply.gg
entire-seeker.gl.at.ply.gg
est-review.gl.at.ply.gg
et-computed.gl.at.ply.gg
europe-strange.gl.at.ply.gg
excellent-showcase.gl.at.ply.gg
exchange-syndicate.gl.at.ply.gg
experience-departmental.gl.at.ply.gg
family-floors.gl.at.ply.gg
fat-couple.gl.at.ply.gg
fax-compliant.gl.at.ply.gg
features-exclude.gl.at.ply.gg
feb-arrested.gl.at.ply.gg
federal-heads.gl.at.ply.gg
feedback-both.gl.at.ply.gg
feedback-dow.gl.at.ply.gg
fees-music.gl.at.ply.gg
find-soup.gl.at.ply.gg
flash-affordable.gl.at.ply.gg
flash-sans.gl.at.ply.gg
florida-guild.gl.at.ply.gg
force-impressed.gl.at.ply.gg
foreign-bit.gl.at.ply.gg
found-believe.gl.at.ply.gg
friday-thai.gl.at.ply.gg
friendly-nest.gl.at.ply.gg
front-trader.gl.at.ply.gg
fully-controversial.gl.at.ply.gg
fund-jacob.gl.at.ply.gg
fund-later.gl.at.ply.gg
furniture-tray.gl.at.ply.gg
game-es.gl.at.ply.gg
game-they.gl.at.ply.gg
general-hebrew.gl.at.ply.gg
general-vermont.gl.at.ply.gg
germany-animal.gl.at.ply.gg
gold-blackberry.gl.at.ply.gg
goods-burner.gl.at.ply.gg
google-su.gl.at.ply.gg
got-query.gl.at.ply.gg
great-printer.gl.at.ply.gg
greater-districts.gl.at.ply.gg
group-rats.gl.at.ply.gg
guide-carb.gl.at.ply.gg
hall-shine.gl.at.ply.gg
have-process.gl.at.ply.gg
have-stamps.gl.at.ply.gg
head-annoying.gl.at.ply.gg
heart-colleges.gl.at.ply.gg
high-suggesting.gl.at.ply.gg
higher-accessory.gl.at.ply.gg
homepage-radios.gl.at.ply.gg
homes-helps.gl.at.ply.gg
homes-lee.gl.at.ply.gg
hospital-donor.gl.at.ply.gg
house-jungle.gl.at.ply.gg
housing-balanced.gl.at.ply.gg
html-savage.gl.at.ply.gg
idea-computing.gl.at.ply.gg
if-eventually.gl.at.ply.gg
ii-aim.gl.at.ply.gg
images-hunting.gl.at.ply.gg
important-focal.gl.at.ply.gg
included-output.gl.at.ply.gg
income-couples.gl.at.ply.gg
inside-colored.gl.at.ply.gg
institute-asset.gl.at.ply.gg
internet-sally.gl.at.ply.gg
ip-nonprofit.gl.at.ply.gg
issues-sarah.gl.at.ply.gg
item-gnu.gl.at.ply.gg
its-definitely.gl.at.ply.gg
its-inch.gl.at.ply.gg
january-truly.gl.at.ply.gg
journal-maui.gl.at.ply.gg
kind-sofa.gl.at.ply.gg
known-php.gl.at.ply.gg
la-accreditation.gl.at.ply.gg
la-judgment.gl.at.ply.gg
lake-gui.gl.at.ply.gg
land-long.gl.at.ply.gg
language-you.gl.at.ply.gg
large-weak.gl.at.ply.gg
last-isa.gl.at.ply.gg
last-would.gl.at.ply.gg
late-outdoors.gl.at.ply.gg
latest-adjusted.gl.at.ply.gg
learning-concerned.gl.at.ply.gg
learning-n.gl.at.ply.gg
left-filled.gl.at.ply.gg
letter-diamonds.gl.at.ply.gg
library-villas.gl.at.ply.gg
linux-submissions.gl.at.ply.gg
live-heather.gl.at.ply.gg
located-java.gl.at.ply.gg
logo-kerry.gl.at.ply.gg
long-cg.gl.at.ply.gg
look-omega.gl.at.ply.gg
loss-justin.gl.at.ply.gg
lot-clothes.gl.at.ply.gg
love-whatever.gl.at.ply.gg
lower-seemed.gl.at.ply.gg
made-differential.gl.at.ply.gg
makes-triangle.gl.at.ply.gg
mar-contest.gl.at.ply.gg
match-os.gl.at.ply.gg
matter-sets.gl.at.ply.gg
meeting-bet.gl.at.ply.gg
memory-lottery.gl.at.ply.gg
methods-rats.gl.at.ply.gg
models-needed.gl.at.ply.gg
modified-begun.gl.at.ply.gg
names-copying.gl.at.ply.gg
need-grants.gl.at.ply.gg
needs-mba.gl.at.ply.gg
net-enable.gl.at.ply.gg
networks-vitamin.gl.at.ply.gg
never-ot.gl.at.ply.gg
new-ordinary.gl.at.ply.gg
news-cultures.gl.at.ply.gg
news-strict.gl.at.ply.gg
nice-otherwise.gl.at.ply.gg
nokia-leading.gl.at.ply.gg
numbers-insights.gl.at.ply.gg
object-gamecube.gl.at.ply.gg
offered-vendors.gl.at.ply.gg
ohio-chris.gl.at.ply.gg
oil-discipline.gl.at.ply.gg
only-desk.gl.at.ply.gg
organizations-acres.gl.at.ply.gg
organizations-swing.gl.at.ply.gg
original-structural.gl.at.ply.gg
other-little.gl.at.ply.gg
our-incidents.gl.at.ply.gg
our-sw.gl.at.ply.gg
overall-invisible.gl.at.ply.gg
package-foods.gl.at.ply.gg
package-mother.gl.at.ply.gg
partner-ferry.gl.at.ply.gg
pass-argue.gl.at.ply.gg
paul-nw.gl.at.ply.gg
paypal-emirates.gl.at.ply.gg
per-cassette.gl.at.ply.gg
per-techno.gl.at.ply.gg
perfect-ringtones.gl.at.ply.gg
person-mustang.gl.at.ply.gg
person-roland.gl.at.ply.gg
phone-trinidad.gl.at.ply.gg
please-circulation.gl.at.ply.gg
plus-improve.gl.at.ply.gg
points-challenges.gl.at.ply.gg
political-antivirus.gl.at.ply.gg
post-ton.gl.at.ply.gg
pre-celebration.gl.at.ply.gg
present-seeds.gl.at.ply.gg
president-update.gl.at.ply.gg
primary-organizing.gl.at.ply.gg
primary-tba.gl.at.ply.gg
printer-foundations.gl.at.ply.gg
prior-ks.gl.at.ply.gg
probably-fields.gl.at.ply.gg
profile-pixels.gl.at.ply.gg
programming-identifying.gl.at.ply.gg
programs-her.gl.at.ply.gg
projects-secretary.gl.at.ply.gg
properties-sight.gl.at.ply.gg
protection-ballot.gl.at.ply.gg
protein-ph.gl.at.ply.gg
provides-looksmart.gl.at.ply.gg
publication-glossary.gl.at.ply.gg
publications-electronic.gl.at.ply.gg
purpose-terror.gl.at.ply.gg
put-welfare.gl.at.ply.gg
questions-rendering.gl.at.ply.gg
quote-symposium.gl.at.ply.gg
range-coleman.gl.at.ply.gg
rated-obituaries.gl.at.ply.gg
rates-sir.gl.at.ply.gg
real-saw.gl.at.ply.gg
received-night.gl.at.ply.gg
recent-keywords.gl.at.ply.gg
records-spank.gl.at.ply.gg
regarding-states.gl.at.ply.gg
region-electron.gl.at.ply.gg
remove-proceedings.gl.at.ply.gg
request-mel.gl.at.ply.gg
required-mold.gl.at.ply.gg
required-willing.gl.at.ply.gg
resource-intensity.gl.at.ply.gg
respect-hits.gl.at.ply.gg
restaurants-stan.gl.at.ply.gg
result-genres.gl.at.ply.gg
richard-stuck.gl.at.ply.gg
rights-regime.gl.at.ply.gg
ring-cj.gl.at.ply.gg
safe-synopsis.gl.at.ply.gg
safe-tamil.gl.at.ply.gg
safety-h.gl.at.ply.gg
say-oops.gl.at.ply.gg
score-records.gl.at.ply.gg
sea-curves.gl.at.ply.gg
search-varies.gl.at.ply.gg
searches-jimmy.gl.at.ply.gg
sellers-spam.gl.at.ply.gg
sep-reseller.gl.at.ply.gg
server-belarus.gl.at.ply.gg
set-reduces.gl.at.ply.gg
shall-arranged.gl.at.ply.gg
should-reductions.gl.at.ply.gg
simply-exotic.gl.at.ply.gg
sites-ascii.gl.at.ply.gg
skin-remember.gl.at.ply.gg
smith-occurring.gl.at.ply.gg
so-pad.gl.at.ply.gg
so-trek.gl.at.ply.gg
social-decorative.gl.at.ply.gg
society-theology.gl.at.ply.gg
songs-excluding.gl.at.ply.gg
sony-duties.gl.at.ply.gg
soon-logical.gl.at.ply.gg
speed-janet.gl.at.ply.gg
sports-lows.gl.at.ply.gg
started-chelsea.gl.at.ply.gg
started-quotations.gl.at.ply.gg
state-franklin.gl.at.ply.gg
still-fwd.gl.at.ply.gg
storage-plugin.gl.at.ply.gg
stories-smtp.gl.at.ply.gg
story-blacks.gl.at.ply.gg
story-earthquake.gl.at.ply.gg
studio-teaching.gl.at.ply.gg
success-evans.gl.at.ply.gg
such-five.gl.at.ply.gg
such-suspect.gl.at.ply.gg
sunday-chronicle.gl.at.ply.gg
sunday-n.gl.at.ply.gg
support-mere.gl.at.ply.gg
surface-toolbox.gl.at.ply.gg
table-goals.gl.at.ply.gg
table-hon.gl.at.ply.gg
take-continually.gl.at.ply.gg
take-reporters.gl.at.ply.gg
talk-weights.gl.at.ply.gg
target-gonna.gl.at.ply.gg
teachers-caught.gl.at.ply.gg
technical-heart.gl.at.ply.gg
television-currently.gl.at.ply.gg
text-eh.gl.at.ply.gg
than-adaptation.gl.at.ply.gg
thanks-viewers.gl.at.ply.gg
theory-taught.gl.at.ply.gg
therefore-faced.gl.at.ply.gg
these-kick.gl.at.ply.gg
think-penn.gl.at.ply.gg
though-genome.gl.at.ply.gg
three-under.gl.at.ply.gg
thu-why.gl.at.ply.gg
thursday-ultram.gl.at.ply.gg
time-patient.gl.at.ply.gg
together-wanted.gl.at.ply.gg
tools-jam.gl.at.ply.gg
total-believed.gl.at.ply.gg
total-travelling.gl.at.ply.gg
trip-thesaurus.gl.at.ply.gg
trust-sri.gl.at.ply.gg
uk-satisfy.gl.at.ply.gg
uk-theory.gl.at.ply.gg
understand-drugs.gl.at.ply.gg
understand-shakira.gl.at.ply.gg
unit-iowa.gl.at.ply.gg
updates-aqua.gl.at.ply.gg
url-murphy.gl.at.ply.gg
usa-brands.gl.at.ply.gg
usb-transaction.gl.at.ply.gg
uses-charged.gl.at.ply.gg
version-katie.gl.at.ply.gg
very-stars.gl.at.ply.gg
video-josh.gl.at.ply.gg
warning-found.gl.at.ply.gg
wednesday-super.gl.at.ply.gg
weight-touched.gl.at.ply.gg
western-bright.gl.at.ply.gg
why-familiar.gl.at.ply.gg
wide-casting.gl.at.ply.gg
window-prize.gl.at.ply.gg
windows-animated.gl.at.ply.gg
wine-attractions.gl.at.ply.gg
without-affecting.gl.at.ply.gg
women-workshops.gl.at.ply.gg
wood-matches.gl.at.ply.gg
words-mandatory.gl.at.ply.gg
work-ian.gl.at.ply.gg
worldwide-serial.gl.at.ply.gg
xml-calculate.gl.at.ply.gg
yes-dec.gl.at.ply.gg
yet-involving.gl.at.ply.gg
you-cigarette.gl.at.ply.gg

# Reference: https://x.com/malwrhunterteam/status/1897994595734004178
# Reference: https://www.virustotal.com/gui/file/4f43e8d90f82a6556d354a707fcbd355528755c0089e254ad249694855f26047/detection
# Reference: https://www.virustotal.com/gui/file/b18ed93dd979c6233b1ce6e195338a57243f2a71e6147311aaf06fccea1d20c7/detection
# Reference: https://www.virustotal.com/gui/file/df2ffecdfecc6eec6cbb8f28d193257c99cf22a9204a95f2a6b7d4ca3504276d/detection
# Reference: https://www.virustotal.com/gui/file/e3f141aeea820a23216db5919e80573b1e5675e98a3c02a67d2e7b576ef269b5/detection

102.211.232.41:8843
193.32.177.63:6000
cf-prod-cap.cfd
meowycatty.ddns.net

# Reference: https://x.com/malwrhunterteam/status/1899461570314305955
# Reference: https://tria.ge/250312-kvh32atrt6/behavioral2
# Reference: https://www.virustotal.com/gui/file/4a95b7a4d61c0742311b8f82170380134663501eb4621c054676f6377b2ead35/detection
# Reference: https://www.virustotal.com/gui/file/1040de898c12d2e892f2cd06de55e293c6782ab5b571e0a5d23fb9b6fdabe141/detection

143.177.123.99:5937
79.110.49.92:5938
rushingnews.com
acehere.duckdns.org
acewashere.duckdns.org

# Reference: https://x.com/malwrhunterteam/status/1899437484087419034
# Reference: https://www.virustotal.com/gui/file/b080fde84370f5a8189e64acf70c9dc7e1a15f46eda1de089720ef660cbbac71/detection

185.111.159.87:7000

# Reference: https://x.com/ShanHolo/status/1899457637185364016
# Reference: https://www.virustotal.com/gui/file/9d1583f8d6ca37ad2111fb88d94c73170b9ef4afdc0c5941246c4f106ee81a41/detection

176.65.144.116:7232

# Reference: https://x.com/JAMESWT_MHT/status/1900198202864771090
# Reference: https://www.virustotal.com/gui/file/0d0da6dc9386f17c30a6d7fcc9ff7458cce2a7b1feef7b2329d49e61ddfda639/detection

http://92.255.85.66
92.255.85.66:7000
booklistingreserv.com
cpte-view.com

# Reference: https://x.com/malwrhunterteam/status/1900818097495269407
# Reference: https://www.virustotal.com/gui/file/88502ddda4ea16f7c1d8929e681902e67895cbee56f31ce2fc77c8420de0a8ac/detection

83.147.240.230:7000

# Reference: https://x.com/malwrhunterteam/status/1900848654631485592
# Reference: https://www.virustotal.com/gui/file/ba4a4b9fd3edf1c5cb615aa5785d1712d76d7a296809743ec96bc266a8c9240e/detection
# Reference: https://www.virustotal.com/gui/file/7ae46a3195e74ce00c80cec4233a4a5639b90524e012f72c66d3a613db39a178/detection

196.251.83.219:6666

# Reference: https://x.com/K_N1kolenko/status/1900495202210517408

146.103.11.190:7000
154.12.89.132:7000
160.191.244.26:7000
164.92.163.239:2382
172.245.191.79:3030
172.81.130.145:7000
18.219.166.140:7000
194.59.31.210:7000
45.125.216.54:7000
45.141.26.113:7000
45.61.133.198:4782
47.242.58.178:7000

# Reference: https://x.com/JAMESWT_MHT/status/1900453924051591352

guests-reservid.com
w19-seasalt.com
booking.guests-reservid.com

# Reference: https://x.com/JAMESWT_MHT/status/1901687319070953934
# Reference: https://www.virustotal.com/gui/file/3e07777e315c483cc11349729bece9710b14b4b46df8819bf51b46c69ef9f6c7/detection

http://92.255.85.2
92.255.85.2:4372
alt-check-v3.com
boxiesreservguste.com

# Reference: https://x.com/skocherhan/status/1902149134028587185
# Reference: https://www.virustotal.com/gui/file/e715bae35871a6de4310b1c3e523809c06178d10839243aee184ba96dafd121f/detection

147.185.221.25:64864

# Reference: https://www.virustotal.com/gui/file/0020d06753473779a42d5e23d08ca3078cb34524c0f2e4863626eee7b17dd8af/detection

147.185.221.26:16713
147.185.221.26:3601
develop-six.gl.at.ply.gg
else-howard.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/005f2d7cc69474526b6e0a0f16b47ec0b10634da37ba9a0d5e38598590a653d8/detection

147.185.221.26:29882

# Reference: https://x.com/Jane_0sint/status/1902110126791631275

147.185.221.26:12171

# Reference: https://www.virustotal.com/gui/file/9ad39d4e8ac02831203198aaa982d01aba9ad6b5af04aa9d2caefdb635f97f83/detection

142.126.223.232:7000

# Reference: https://x.com/malwrhunterteam/status/1904157265424159213
# Reference: https://www.virustotal.com/gui/file/d24cf525214c3b9a331d03c99693d22cfd5e1af5da5b3f310dce9814876d2fbb/detection

83.147.240.230:7001
coprophile.bounceme.net

# Reference: https://x.com/malwrhunterteam/status/1904168577978052874
# Reference: https://app.validin.com/detail?find=45.154.98.138&type=ip4&ref_id=a2e8b275cb9#tab=resolutions
# Reference: https://www.virustotal.com/gui/file/7ee8506c982c0e86ffa495f432304e9c5b61bc4bdb0485bf99ea8bc4ce731966/detection

194.26.192.222:5939
legalcitation.online
onlyfans.fans
onlyfans.gift
onlyfans.ngo
onlyfans.ong
rugcheck.me
tritonaddon.pro
truetriton.online
zoomnews.net

# Reference: https://x.com/salmanvsf/status/1904442042228576653
# Reference: https://www.virustotal.com/gui/file/45c1a1ac2c11aa6159312ac93588c6faa46d58ca3995b3d6ac0d97ef385b9c25/detection

95.216.115.242:33333

# Reference: https://x.com/smica83/status/1905034031734862241
# Reference: https://tria.ge/250326-2yhecawqv2/behavioral1

45.55.35.48:5643

# Reference: https://x.com/skocherhan/status/1906550661681954857
# Reference: https://www.virustotal.com/gui/file/5377d9cb20da2b4ac916656368967b5ac6c37afd705c9fec78f83994c48b6535/detection

147.185.221.16:46358
final-species.gl.at.ply.gg

# Reference: https://x.com/smica83/status/1906413284942578016
# Reference: https://tria.ge/250330-w29ecatxby/behavioral2

147.185.221.21:26461
functions-pressing.gl.at.ply.gg

# Reference: https://x.com/malwrhunterteam/status/1907772488781627824
# Reference: https://www.virustotal.com/gui/file/4b73f071b37da9dc75fc66c196d7aabc2788ecde9041972d0a9599afdd7321c6/detection

http://195.82.147.81
103.167.91.129:7000
app-updater1.app

# Reference: https://www.virustotal.com/gui/file/5a30d16582045c0eebd0bd18f9072e0d96e6446a9f2e15eed812603bb8c81f06/detection

http://166.88.132.192
109.176.30.246:56002

# Reference: https://x.com/ShanHolo/status/1908820465067450612
# Reference: https://www.virustotal.com/gui/file/fe6b8895a77d58f352c158ce9915ef7abd1257acbc62495e8898174712c18c26/detection

54.255.78.234:55400
defender.servehttp.com

# Reference: https://x.com/solostalking/status/1912033455094845657
# Reference: https://www.virustotal.com/gui/file/792ca88d4dc2d4b6070e0cb738f6b9d466308bec6345a8fff23e45d1e229e4f8/detection

195.2.71.183:8081
195.2.71.183:8089
smithpropertysolutions.com
dontseekme.duckdns.org

# Reference: https://x.com/skocherhan/status/1911920748890927570
# Reference: https://www.virustotal.com/gui/file/a1f6e88d88b70aa9a76033732dc159475e06a2cb50af2f4a68de6f8a644cab27/detection

36.50.135.167:5552

# Reference: https://x.com/smica83/status/1913380036389790176
# Reference: https://tria.ge/250418-3vsxcaysey/behavioral1

45.88.186.43:7232

# Reference: https://threatfox.abuse.ch/browse/tag/XWorm/ (# 2025-04-20)

http://156.238.253.131
http://157.230.124.55
http://185.100.157.105
http://185.100.157.52
http://196.251.80.109
http://20.229.103.183
http://38.49.40.130
http://38.49.42.212
http://45.204.217.248
http://87.120.84.32
http://89.213.248.62
101.99.94.250:7000
102.129.168.25:7000
103.68.109.212:5000
103.82.53.199:7000
104.168.56.77:3360
104.238.190.12:6000
104.250.169.3:18970
108.181.162.232:1177
109.231.31.129:2021
109.248.151.106:8078
110.74.212.221:5556
116.251.133.7:37593
134.122.128.37:7000
137.184.74.73:5000
137.184.74.73:7000
139.59.228.234:22693
144.126.151.243:7000
147.124.210.158:7000
147.124.212.231:6262
147.185.221.18:13143
147.185.221.19:11694
147.185.221.21:2226
147.185.221.21:4709
147.185.221.22:46682
147.185.221.24:15372
147.185.221.25:18007
147.185.221.25:19243
147.185.221.25:19298
147.185.221.25:20096
147.185.221.25:23913
147.185.221.25:24376
147.185.221.25:27113
147.185.221.25:40719
147.185.221.25:49242
147.185.221.25:51330
147.185.221.25:53264
147.185.221.25:55804
147.185.221.25:63018
147.185.221.25:7560
147.185.221.26:1316
147.185.221.26:19376
147.185.221.26:27770
147.185.221.26:32463
147.185.221.26:42069
147.185.221.26:46374
147.185.221.26:63713
147.185.221.27:29750
147.185.221.27:40331
147.185.221.27:7416
147.185.221.27:7522
147.45.47.222:3991
154.12.16.122:45682
154.176.157.95:8000
154.203.197.118:58661
154.216.16.200:1212
154.216.16.41:7000
154.29.79.29:7000
157.20.182.169:1515
159.100.20.246:6382
159.203.126.35:22279
166.88.185.67:5353
172.111.137.164:3911
172.111.137.167:3911
172.111.138.100:1336
172.245.135.145:7090
172.94.9.134:19700
173.214.167.139:7000
176.113.115.170:4413
176.221.16.167:7000
176.65.141.214:1111
176.65.144.22:1111
178.250.188.144:22635
18.156.13.209:17223
18.230.108.113:1533
185.12.130.161:7789
185.143.228.176:5876
185.172.175.125:999
185.172.175.147:5555
185.186.26.103:8000
185.196.10.213:7000
185.201.252.121:5555
185.208.156.62:9009
185.224.0.222:7000
185.241.208.215:7000
185.7.214.181:4417
185.84.161.65:7000
190.111.98.121:3000
192.187.127.3:443
193.161.193.99:20903
193.161.193.99:21122
193.161.193.99:21182
193.161.193.99:22770
193.161.193.99:24245
193.161.193.99:25195
193.161.193.99:26832
193.161.193.99:31577
193.161.193.99:31668
193.161.193.99:32310
193.161.193.99:34347
193.161.193.99:35188
193.161.193.99:35830
193.161.193.99:36182
193.161.193.99:36577
193.161.193.99:37631
193.161.193.99:37668
193.161.193.99:38554
193.161.193.99:38853
193.161.193.99:39109
193.161.193.99:41850
193.161.193.99:48477
193.161.193.99:61193
193.161.193.99:62208
193.233.113.143:7777
193.31.28.181:7000
194.26.192.127:5939
195.10.205.186:6699
195.177.95.145:6666
195.211.191.145:3911
196.251.113.81:7000
196.251.69.96:7789
196.251.70.152:5000
196.251.80.109:7722
196.251.89.42:2121
198.12.127.183:2020
198.7.115.133:7772
2.58.56.54:7771
20.229.103.183:443
206.123.152.101:3399
206.123.152.103:3911
206.123.152.36:3977
206.123.152.99:3399
207.174.40.240:7000
208.91.189.69:7000
213.136.90.188:8081
213.142.148.34:3162
23.226.129.25:5353
3.127.181.115:14267
3.147.52.12:7771
38.69.15.119:7000
42.117.80.199:1987
45.138.16.211:7000
45.138.16.245:7122
45.141.215.107:7000
45.141.26.16:7789
45.141.26.234:443
45.141.26.59:7000
45.141.26.59:8088
45.141.27.118:7777
45.145.43.244:1111
45.157.233.162:8345
45.200.149.15:7000
45.32.153.7:7005
45.88.91.108:7000
45.88.91.186:1000
46.153.249.193:443
47.76.212.233:7771
5.141.215.107:7000
5.180.155.29:6666
5.252.153.178:1488
51.89.253.21:1604
66.118.245.221:3333
77.105.164.175:7000
77.91.102.202:4566
77.93.28.66:2323
79.110.49.98:1223
85.17.23.153:3984
85.203.4.227:7000
87.120.114.42:7000
87.120.125.47:7000
87.247.158.212:4444
89.213.248.62:7777
89.23.102.30:1488
91.211.250.177:7000
91.212.166.86:7000
91.212.166.99:4404
91.217.77.77:7000
91.219.236.248:7000
91.92.255.111:1093
93.127.132.136:10003
93.95.119.225:2222
94.124.192.220:4443
94.228.117.59:8000
0xmicrosoft.duckdns.org
123123asd-39109.portmap.host
3skr.uncofig.com
aadcdn.onlineauth2-client4765445b-32c6-49b0-83e6-1d93765276.com
abobustsb-31029.portmap.host
aboltustimoha-43339.portmap.host
abuwire123.ddns.net
abuwire123h.ddns.net
access-expenses.gl.at.ply.gg
accommodation-cambridge.gl.at.ply.gg
accommodation-necessity.gl.at.ply.gg
ad-parallel.gl.at.ply.gg
ad-samoa.gl.at.ply.gg
ad-stayed.gl.at.ply.gg
adilfgilitter-22453.portmap.host
adilfgilitter-43126.portmap.host
administration-kinda.gl.at.ply.gg
adrianmoritoru-34347.portmap.io
again-general.gl.at.ply.gg
ak6-48477.portmap.host
ak8-20226.portmap.host
although-cholesterol.gl.at.ply.gg
argusishere.ddns.net
around-four.gl.at.ply.gg
asia-capabilities.gl.at.ply.gg
assistance-arbitration.gl.at.ply.gg
availability-population.gl.at.ply.gg
awedfwf-31577.portmap.host
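# Note: ".hosh" does not appear to be a delegated TLD; the next entry looks like a typo of the portmap.host name that follows it -- confirm against the source and drop it if so
awiero-42728.portmap.hosh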
awiero-42728.portmap.host
baby.uncofig.com
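# Note: ".scr" is a Windows screensaver (executable) file extension, not a TLD; the next entry looks like a sample file name rather than a host name -- confirm and move it out of the domain list if so
bensgaming.scr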
biwona3847-22770.portmap.host
blhwlxzgy.localto.net
booking.chekagustario.com
bragawhitx.duckdns.org
brkksylunm.duckdns.org
buy-diving.gl.at.ply.gg
cameras-happen.gl.at.ply.gg
cart-care.gl.at.ply.gg
chekagustario.com
choose-lamb.gl.at.ply.gg
ck1234-47763.portmap.host
clarkk-37631.portmap.host
client.fahrerscheinonlineholen.de
contract-releases.gl.at.ply.gg
control-studios.gl.at.ply.gg
coolguy12-30292.portmap.host
dalsksafksdlgskgdkhdfkfhdflhkdkkdrt.rodeo
database-victoria.gl.at.ply.gg
develop-enzyme.gl.at.ply.gg
developed-headline.gl.at.ply.gg
doberman-proper-bengal.ngrok-free.app
documents-johnny.gl.at.ply.gg
done-cashiers.gl.at.ply.gg
dwasf-31668.portmap.host
elfarbta3y.duckdns.org
english-finest.gl.at.ply.gg
eur-agriculture.gl.at.ply.gg
evolution007.hopto.org
expressblessingnow001.duckdns.org
extra-internationally.gl.at.ply.gg
ezlols-61193.portmap.host
faceit.teaminvitings.com
fax-costumes.gl.at.ply.gg
feb-travelers.gl.at.ply.gg
female-hills.gl.at.ply.gg
flame3135-44263.portmap.host
fpaul-nw.gl.at.ply.gg
freeetradingzone.duckdns.org
frenchy-59364.portmap.host
gamwtonxristo.ddns.net
german-kuwait.gl.at.ply.gg
ghostofleet-24245.portmap.host
ghostofleet-41401.portmap.host
ghostofleet-49120.portmap.host
girl-cheats.gl.at.ply.gg
gmt-sherman.gl.at.ply.gg
gotob67920-30070.portmap.host
grand-ad.gl.at.ply.gg
grebolugvtx.duckdns.org
h1nday-41851.portmap.host
hai1723rat.serveminecraft.net
hardware-proceeds.gl.at.ply.gg
herald12x-35830.portmap.host
heya12-35320.portmap.host
hiesa-56152.portmap.host
hink-ruth.gl.at.ply.gg
hodh009-62208.portmap.host
hosting10-38853.portmap.io
however-prairie.gl.at.ply.gg
hrggrevsdc-21182.portmap.io
human-epinions.gl.at.ply.gg
iii-single.gl.at.ply.gg
improve-gis.gl.at.ply.gg
imthat1guyfrfr-32310.portmap.host
imthat1guyfrfr-36577.portmap.host
independent-money.gl.at.ply.gg
indian-alternate.gl.at.ply.gg
interface-owners.gl.at.ply.gg
its-jam.gl.at.ply.gg
january-firm.gl.at.ply.gg
javv-35412.portmap.host
javv-46764.portmap.host
jeggawire.ddns.net
jenoks-52356.portmap.host
jerrytech.duckdns.org
jmvjpwl3o.localto.net
jvurrwti4.localto.net
kerevif648-40446.portmap.host
kiibo-38554.portmap.host
kinggggg123212-33699.portmap.host
language-apnic.gl.at.ply.gg
language-lose.gl.at.ply.gg
lavoslegend-45873.portmap.host
lesetim132-41456.portmap.host
levels-lcd.gl.at.ply.gg
likejunk-40343.portmap.host
local-subsidiary.gl.at.ply.gg
loud-states-matter.loca.lt
lovrsysytem-62393.portmap.host
makes-tonight.gl.at.ply.gg
match-charity.gl.at.ply.gg
maxbusinessworld.duckdns.org
me-teams.gl.at.ply.gg
memesense.xyz
monhostip.ddns.net
mortgage-ctrl.gl.at.ply.gg
mrkoko-25195.portmap.io
multi-referral.gl.at.ply.gg
myskibiditoilet.zapto.org
neevloss-45722.portmap.host
network-shakespeare.gl.at.ply.gg
nipoto-62948.portmap.host
november-cope.gl.at.ply.gg
o-sufficient.gl.at.ply.gg
onlineauth2-client4765445b-32c6-49b0-83e6-1d93765276.com
onlinegames.ddnsfree.com
onlyfans.so
operates-rna.with.playit.plus
park-meetup.gl.at.ply.gg
please-explore.gl.at.ply.gg
plhotacepl-35143.portmap.io
poker-dosage.gl.at.ply.gg
popaylar-28758.portmap.host
portal.onlineauth2-client4765445b-32c6-49b0-83e6-1d93765276.com
pppaa-51102.portmap.host
projects-sunny.gl.at.ply.gg
provides-reduces.gl.at.ply.gg
quotes-honduras.gl.at.ply.gg
redslide-36078.portmap.host
remember-convenient.gl.at.ply.gg
remnew25.duckdns.org
reported-kissing.gl.at.ply.gg
resources-legacy.gl.at.ply.gg
rizzing-64354.portmap.host
rndik-156-193-90-159.a.free.pinggy.link
roke213-25164.portmap.host
round-nonprofit.gl.at.ply.gg
s-turned.gl.at.ply.gg
sackedrai-44446.portmap.host
sazgig.ddns.net
scotwire.ddns.net
scrimoooo-20903.portmap.host
sell-doctor.gl.at.ply.gg
seoudy.duckdns.org
serverlumen.ddns.net
show-commentary.gl.at.ply.gg
shown-narrow.gl.at.ply.gg
showport2025iii-57523.portmap.host
slavisa-36618.portmap.io
slavisa-45970.portmap.host
sleepyyasian-37412.portmap.host
slitt-62494.portmap.host
smegmamuncher.duckdns.org
society-jun.gl.at.ply.gg
someone-manually.gl.at.ply.gg
song-direct.gl.at.ply.gg
south-warriors.gl.at.ply.gg
sponef159-35748.portmap.host
srlyxktyxm.duckdns.org
star-considerable.gl.at.ply.gg
stop-email.gl.at.ply.gg
string-cities.gl.at.ply.gg
synoacoustic-48269.portmap.host
sywaxeha-41850.portmap.host
tageya-49060.portmap.host
taken-ghana.gl.at.ply.gg
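# Note: unlike the per-tunnel names around it, the next entry appears to be a tunnelling service's shared TCP endpoint, so it would match every user of that service -- verify, and expect false positives unless it is correlated with a port or other evidence
tcp.cloudpub.ru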
tesifa-38287.portmap.io
test131-50314.portmap.host
them-hobbies.gl.at.ply.gg
things-gap.gl.at.ply.gg
ticket90867-33014.portmap.host
tips-topics.gl.at.ply.gg
together-min.gl.at.ply.gg
transportation-physically.gl.at.ply.gg
transporting-displays.with.playit.plus
tripplebanks.duckdns.org
trumpmelanie.duckdns.org
trusting-smoke-90361.pktriot.net
uokota.online
userxmorma-27072.portmap.host
vanechkin-51361.portmap.host
venom111-58719.portmap.host
via-driving.gl.at.ply.gg
w-bridal.gl.at.ply.gg
w3rtex-42879.portmap.host
washedbrain0002-21456.portmap.io
wednju7d.ddns.net
wfazwqf-36182.portmap.host
winaz5555-21166.portmap.host
winnoniport-26832.portmap.host
wooff-21122.portmap.host
would-perspectives.gl.at.ply.gg
xclient.fahrerscheinonlineholen.de
xml-processor.gl.at.ply.gg
xwormdnslogs.ddns.net
xwormnewlog.duckdns.org
xwormnotcreated.duckdns.org
xwormuncreated.duckdns.org
y3yy5434yg3y4y-35188.portmap.host
yzkp-32965.portmap.host

# Reference: https://x.com/ShanHolo/status/1914267841714434527
# Reference: https://www.virustotal.com/gui/file/09369aa4795fd585bef27c3652d1d5cb7d9062dc0e1cbef01e9cde1ce06deae4/detection
# Reference: https://www.virustotal.com/gui/file/01e9fbf3946a2a7b6098bc9431d9cdf3d997e65baad66b601a54b89e84b6ca25/detection

176.97.210.4:3050
176.97.210.4:505
sex.ksr.lol

# Reference: https://www.virustotal.com/gui/file/bbb255a48003ebf0b39f33c675a4ef164656abb54dd5e84ded6387f92f25b030/detection

45.144.212.172:7032

# Reference: https://x.com/malwrhunterteam/status/1912223772888952977
# Reference: https://www.virustotal.com/gui/file/34203c28e4356ea614820d09d268b67724dd6c21d49c09f9ce3467906ba0dcb5/detection

70.36.118.142:7000

# Reference: https://x.com/malwrhunterteam/status/1915119473176330417
# Reference: https://www.virustotal.com/gui/file/61e4bed8a1643dec5d2b7189ff911550fe6548d749239ad7cce16befc45d80df/detection
# Reference: https://www.virustotal.com/gui/file/8c5fe58495e0a861fadcbeb6c02024af7f33dde5972471e5ebccff34b6818fa0/detection
# Reference: https://www.virustotal.com/gui/file/e6080831030afaa7c809100041868ad1ab6d9f0071c7ff34148d76e2824b44ff/detection
# Reference: https://www.virustotal.com/gui/file/bcdfe141041133fae809c463bf32709876513fb2061677288e32e2c6ee8667e5/detection

193.161.193.99:48899
548963904.vercel.app
autumn-wave-474e.jasonardnet.workers.dev
fancy-hill-6aef.jasonardnet.workers.dev
paperclip4-48899.portmap.io

# Reference: https://x.com/UNP4CK/status/1917297281323200765
# Reference: https://tria.ge/250429-s17btatny8/behavioral1

146.103.25.63:2467
146.103.25.63:3389

# Reference: https://x.com/NullPwner/status/1919113969845108972
# Reference: https://www.virustotal.com/gui/file/fda2f3d8e7905cfcbc8deb708275638e4da02a7185314d70ff6b0851481b1033/detection
# Reference: https://www.virustotal.com/gui/file/94792d6a5b22d8526dadcffb8ab451b291db4c6eaa92d8c7707aba0da4a54b68/detection

45.154.98.252:7001
winservicesconsole.duckdns.org

# Reference: https://www.virustotal.com/gui/file/db381454ebcb1237c4d54d1fdd244de8a35f5e53397371a385c54291f155ad97/detection

118.107.42.246:7000

# Reference: https://www.virustotal.com/gui/file/cd0e2c74e02edaad840e87698b8c123eae1166e2242eee581fa7803827ae92fb/detection

194.26.192.61:7000

# Reference: https://www.virustotal.com/gui/file/b059b6af00a0208032fff8e374fa5d97450b370dec734cb99d2e8cb97598c924/detection

194.26.192.61:7001

# Reference: https://www.virustotal.com/gui/file/952a4182b92ac1d0ef08b0f5037d0ec9806cef3717dab06fdf9ff1a3c9b225e8/detection

45.94.31.70:7000

# Reference: https://www.virustotal.com/gui/file/675f59c91fa75e8a6614b484a6a899466014ad4136180484292eb58f044cf8bb/detection

45.154.98.252:7771

# Reference: https://www.virustotal.com/gui/file/5cc27fd76197757cf83563603941706f41b97ee4f11d545f295506441987848e/detection

193.26.115.115:7000

# Reference: https://x.com/ShanHolo/status/1919355876239970432
# Reference: https://www.virustotal.com/gui/file/224343df909265a37a08bf25e190b099e131db115407629f6a300ba584fc61ef/detection
# Reference: https://www.virustotal.com/gui/file/ff08b999d482457ab56193cc1dd87e4ade2e84b991f540853b98ec0ee02ead6a/detection

91.192.100.40:8485
newlifejob.click
dnsuo.ddns.net

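# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2025-05-06)
# Note: many entries in this block sit on shared tunnelling infrastructure. 193.161.193.99 is paired with *.portmap.io / *.portmap.host names whose numeric suffix equals the listed port (e.g. 193.161.193.99:24267 and viniterov1-24267.portmap.host), so the port, not the address, identifies the individual tunnel: keep these as IP:port and do not collapse them to a bare IP. The 147.185.221.x:port entries appear to play the same role for the *.gl.at.ply.gg names.
# Note: 25.13.127.84 and 26.51.16.201 fall in 25.0.0.0/8 and 26.0.0.0/8, ranges that overlay-VPN clients commonly hand out; they are probably VPN-internal addresses taken from sample configs rather than Internet-reachable hosts -- confirm before relying on them at a network perimeter.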

102.41.53.11:5505
103.17.38.43:7000
103.194.106.217:7000
103.217.111.54:7771
103.74.105.210:29525
103.78.0.137:5151
103.82.36.216:7000
104.168.32.88:1001
104.168.32.88:4479
104.194.144.105:7000
104.234.124.126:3360
104.248.232.25:7000
104.248.57.173:7812
104.28.212.228:2137
104.28.212.228:36691
104.28.244.231:63378
107.172.44.175:1889
107.172.44.175:4489
107.175.65.160:7000
108.181.199.16:7000
109.127.174.69:6458
109.61.108.172:8848
109.61.108.85:8848
134.175.85.30:8999
135.148.3.78:7001
140.245.40.189:4162
141.95.59.234:7000
142.147.96.74:7000
142.202.240.81:7232
142.93.39.159:8080
143.244.39.10:1234
144.217.187.1:7000
146.103.38.9:2467
147.185.221.16:11350
147.185.221.16:6258
147.185.221.18:39336
147.185.221.18:5059
147.185.221.18:55683
147.185.221.18:6000
147.185.221.19:13488
147.185.221.19:16347
147.185.221.19:6732
147.185.221.22:21456
147.185.221.22:40278
147.185.221.22:6666
147.185.221.23:26347
147.185.221.23:57797
147.185.221.23:7000
147.185.221.23:9841
147.185.221.24:53983
147.185.221.25:27380
147.185.221.25:30424
147.185.221.25:63795
147.185.221.26:14704
147.185.221.26:16031
147.185.221.26:20448
147.185.221.26:2121
147.185.221.26:23644
147.185.221.26:27759
147.185.221.26:29024
147.185.221.26:3333
147.185.221.26:4444
147.185.221.26:55201
147.185.221.26:57947
147.185.221.26:58041
147.185.221.26:60364
147.185.221.26:60731
147.185.221.26:62091
147.185.221.26:6222
147.185.221.27:10546
147.185.221.27:11106
147.185.221.27:1234
147.185.221.27:14606
147.185.221.27:16198
147.185.221.27:1742
147.185.221.27:17560
147.185.221.27:22489
147.185.221.27:24615
147.185.221.27:27180
147.185.221.27:2926
147.185.221.27:31149
147.185.221.27:37005
147.185.221.27:5300
147.185.221.27:58573
147.185.221.27:60199
147.185.221.27:60338
147.185.221.27:61136
147.185.221.27:63612
147.185.221.27:7252
147.185.221.27:7605
147.185.221.27:8888
147.185.221.27:9283
147.185.221.27:9893
147.185.221.27:9999
147.185.221.28:10537
147.185.221.2:5123
147.30.233.79:7000
147.45.78.193:9000
149.22.84.147:1255
15.235.154.205:1111
154.16.66.239:30121
154.201.68.225:7000
156.146.59.9:12975
156.146.59.9:9002
158.120.16.212:12975
16.ip.eu.ply.gg
167.160.91.250:1177
167.160.91.250:8080
174.89.92.252:5123
174.89.92.252:7000
176.100.37.238:7000
176.65.134.217:7011
176.65.134.56:1111
176.65.141.105:7232
176.65.142.234:1997
176.65.143.140:7232
176.65.144.26:7000
176.96.138.105:7000
176.97.210.4:999
178.173.236.10:7000
178.228.11.184:8090
18.192.14.241:9191
184.190.169.22:1989
185.196.8.50:7000
185.2.185.128:9000
185.208.156.210:7000
185.208.158.139:7000
185.241.208.97:7000
185.243.99.45:5000
185.254.97.125:7000
185.84.160.71:7000
191.101.51.5:7000
192.241.152.251:7000
192.3.101.149:3535
192.3.141.148:2020
192.3.141.148:4040
193.158.181.218:7000
193.161.193.99:14889
193.161.193.99:21764
193.161.193.99:24267
193.161.193.99:29924
193.161.193.99:33014
193.161.193.99:37612
193.161.193.99:49352
193.161.193.99:62551
193.161.193.99:64441
193.26.115.44:7000
194.59.30.200:1684
194.59.31.249:7000
194.59.31.36:7000
194.59.6.104:3334
194.67.193.36:7000
195.177.94.1:7000
195.177.94.22:6666
195.177.94.22:6969
195.177.94.6:7000
195.62.48.222:7000
195.88.218.126:40252
196.251.113.41:7000
196.251.115.101:5892
196.251.70.206:7000
196.251.80.109:6969
196.251.81.30:7000
196.251.84.191:1357
196.251.86.114:5050
196.251.92.5:1111
197.48.206.37:5505
198.23.219.24:5355
2.58.56.237:53
204.10.161.147:7081
206.119.52.249:6888
208.91.189.14:7000
209.38.129.48:7000
212.224.93.247:5605
216.219.83.116:7000
216.250.251.96:49916
217.195.153.81:50002
217.195.153.81:50004
217.195.153.81:50007
23.137.100.54:4281
23.84.85.170:1738
23.84.85.170:2311
23.95.63.196:7000
24.243.20.84:5383
24.243.20.84:59024
24.243.20.84:7000
25.13.127.84:12975
25.13.127.84:60382
25.13.127.84:62273
25.13.127.84:64629
25.13.127.84:64632
25.13.127.84:9002
26.51.16.201:45737
27.34.68.138:7070
3.17.160.56:7000
31.166.229.37:1252
31.57.97.8:3333
31.57.97.8:443
34.13.171.126:7000
37.1.210.16:5552
37.114.39.11:7777
37.235.156.47:1488
37.48.64.102:3960
38.49.42.212:80
38.68.49.121:7777
40.160.10.87:4291
41.250.150.18:9321
44.244.152.122:3989
45.125.216.17:7888
45.125.66.225:5290
45.133.251.174:9000
45.134.39.20:9000
45.137.201.27:2010
45.138.16.120:1298
45.138.16.71:1522
45.139.104.175:3703
45.141.215.33:7232
45.141.215.86:5823
45.141.215.87:7777
45.141.26.221:7000
45.141.27.117:1919
45.154.98.138:5938
45.154.98.79:9000
45.154.98.80:1604
45.201.0.219:1000
45.80.158.80:7000
45.88.91.14:2144
45.88.91.69:6969
46.197.220.52:1000
46.226.167.193:9000
46.8.194.222:4040
5.182.226.142:33991
50.158.201.249:4444
51.161.107.22:7000
51.79.203.148:1234
57.128.70.240:7000
61.69.170.155:1255
64.56.71.34:5000
67.207.161.237:1171
67.207.161.237:1177
67.207.161.237:1321
72.175.36.124:1212
74.12.129.6:7000
77.105.164.112:7000
77.83.242.113:2020
79.110.49.211:2727
80.46.100.166:2277
80.57.135.160:27137
80.57.135.160:4050
80.76.49.143:7546
80.76.49.172:6969
80.76.49.27:8891
80.76.49.30:420
80.76.49.46:1000
80.76.49.73:7542
80.85.154.131:2618
82.21.151.21:7000
82.23.183.50:8080
84.241.201.218:8090
84.67.89.127:7000
85.192.12.211:7000
85.203.4.241:7000
85.203.4.56:4444
86.110.169.38:1604
86.176.87.131:7000
87.121.79.75:7000
87.251.78.226:7000
89.117.49.234:4322
89.190.158.149:6666
89.190.158.16:443
89.23.100.148:4790
89.23.100.91:7174
89.39.121.169:9000
89.39.121.77:1497
90.243.213.4:7000
91.134.25.165:9001
91.202.25.209:5552
91.219.238.207:7000
92.119.178.3:52663
94.111.48.173:443
94.159.113.64:4411
94.26.90.81:6663
94.26.90.81:7771
94.26.90.81:7774
1231dasdsadasd-30978.portmap.io
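# Note: the next entry looks like two config values fused together ("127.0.0.1" + "while-bishop.gl.at.ply.gg", which is also listed on its own further down) -- confirm against the source before keeping it
127.0.0.1while-bishop.gl.at.ply.gg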
2448-217-164-80-34.ngrok-free.app
3214r214r12412-50274.portmap.io
398whyfrufheutji-25824.portmap.host
9kbfitvdha-32409.portmap.io
hiraganadev-35044.portmap.host
plhotacepl-35143.portmap.io
a479-2603-8081-6a00-2328-1f9-4b54-9ee9-7461.ngrok-free.app
abaynda-26526.portmap.io
abayudna1-53489.portmap.host
abcdf.zapto.org
able-bt.gl.at.ply.gg
aboba2289091488-27481.portmap.io
activity-fraser.gl.at.ply.gg
activity-majority.gl.at.ply.gg
additional-sunset.gl.at.ply.gg
adsadsadsdasdasd-53010.portmap.io
adult-acquired.gl.at.ply.gg
agreement-uploaded.gl.at.ply.gg
al-attached.gl.at.ply.gg
albomboclat14881337.ddns.net
amazon-vegetarian.gl.at.ply.gg
american-escorts.gl.at.ply.gg
analysis-closure.gl.at.ply.gg
animal-adidas.gl.at.ply.gg
anongroup.duckdns.org
anonymoususer0101-42054.portmap.host
answer-enlargement.gl.at.ply.gg
anyad-60069.portmap.io
anyone-hardly.gl.at.ply.gg
anyone-their.gl.at.ply.gg
approach-af.gl.at.ply.gg
archives-yn.gl.at.ply.gg
areas-instrument.gl.at.ply.gg
as-ou.gl.at.ply.gg
assistance-arrangements.gl.at.ply.gg
associated-assessment.gl.at.ply.gg
australia-thehun.gl.at.ply.gg
authors-fitting.gl.at.ply.gg
availability-caution.gl.at.ply.gg
award-nz.gl.at.ply.gg
away-operates.gl.at.ply.gg
az-weights.gl.at.ply.gg
back-blogs.gl.at.ply.gg
background-estates.gl.at.ply.gg
bad-collector.gl.at.ply.gg
bad-motors.gl.at.ply.gg
bank-material.gl.at.ply.gg
base-see.gl.at.ply.gg
basic-continuity.gl.at.ply.gg
basis-gordon.gl.at.ply.gg
beautiful-exception.gl.at.ply.gg
because-deleted.gl.at.ply.gg
become-winners.gl.at.ply.gg
beginning-convenient.gl.at.ply.gg
better-starts.gl.at.ply.gg
bid-nova.gl.at.ply.gg
bin14.ydns.eu
bit-ring.gl.at.ply.gg
bixaji7275-24008.portmap.host
blog-inter.gl.at.ply.gg
blog-s.gl.at.ply.gg
bo56ab-21516.portmap.host
bo56ab-34628.portmap.host
bo56ab-45126.portmap.host
bobrohost.ddns.net
born-cultural.gl.at.ply.gg
bot2025.zapto.org
brand-freeware.gl.at.ply.gg
british-christine.gl.at.ply.gg
building-waves.gl.at.ply.gg
buinhatduy.duckdns.org
buinhatduy01.ddns.net
bush-jay.gl.at.ply.gg
business-door.gl.at.ply.gg
c-fortune.gl.at.ply.gg
c2.trollers.xyz
cable-inside.gl.at.ply.gg
cartomen-31558.portmap.host
cartomen-43567.portmap.host
centre-health.gl.at.ply.gg
centre-shake.gl.at.ply.gg
century-descriptions.gl.at.ply.gg
chat-poster.gl.at.ply.gg
china-fees.gl.at.ply.gg
china-limit.gl.at.ply.gg
christmas-correlation.gl.at.ply.gg
christmas-wendy.gl.at.ply.gg
church-converted.gl.at.ply.gg
city-impact.gl.at.ply.gg
click-vsnet.gl.at.ply.gg
clothing-contents.gl.at.ply.gg
club-request.gl.at.ply.gg
cmon2347-35906.portmap.io
com-additionally.gl.at.ply.gg
comments-championships.gl.at.ply.gg
common-interviews.gl.at.ply.gg
companies-eight.gl.at.ply.gg
companies-holdings.gl.at.ply.gg
compare-positioning.gl.at.ply.gg
computers-copied.gl.at.ply.gg
computers-opportunities.gl.at.ply.gg
consider-sensors.gl.at.ply.gg
copy-branches.gl.at.ply.gg
copy-love.gl.at.ply.gg
costs-cellular.gl.at.ply.gg
council-wars.gl.at.ply.gg
culture-collect.gl.at.ply.gg
d-flip.gl.at.ply.gg
daddy1621-37132.portmap.host
dane1c-30807.portmap.host
dark-wikipedia.gl.at.ply.gg
days-balance.gl.at.ply.gg
days-locations.gl.at.ply.gg
de-shopzilla.gl.at.ply.gg
deadbird8524-37163.portmap.io
defined-dx.gl.at.ply.gg
delivery-waiver.gl.at.ply.gg
design-shipped.gl.at.ply.gg
develop-oregon.gl.at.ply.gg
digital-powerful.gl.at.ply.gg
direct-accepting.gl.at.ply.gg
discussion-temp.gl.at.ply.gg
disease-tattoo.gl.at.ply.gg
distance-av.gl.at.ply.gg
distribution-rc.gl.at.ply.gg
dnsuo.ddns.net
do-sampling.gl.at.ply.gg
dokuru-32085.portmap.io
downloads-supplements.gl.at.ply.gg
dvd-washington.gl.at.ply.gg
e0c-154-178-139-119.ngrok-free.app
edit-obtaining.gl.at.ply.gg
education-platform.gl.at.ply.gg
effects-nfl.gl.at.ply.gg
electric-birds.gl.at.ply.gg
electronics-junk.gl.at.ply.gg
elias061010-46923.portmap.io
email-stronger.gl.at.ply.gg
employment-safari.gl.at.ply.gg
environment-greetings.gl.at.ply.gg
epicskillforge.com
especially-vegetables.gl.at.ply.gg
est-explore.gl.at.ply.gg
eur-norway.gl.at.ply.gg
even-angel.gl.at.ply.gg
evenkry75-23751.portmap.host
evidence-around.gl.at.ply.gg
exchange-grade.gl.at.ply.gg
expected-sega.gl.at.ply.gg
export1.duckdns.org
external-thanks.gl.at.ply.gg
face-projected.gl.at.ply.gg
fact-standings.gl.at.ply.gg
fanciful-gelato-78b95c.netlify.app
fastshopin-26131.portmap.io
father-deck.gl.at.ply.gg
feb-bit.gl.at.ply.gg
feko-42505.portmap.host
feylins-36255.portmap.host
field-alpha.gl.at.ply.gg
firsthiter-29408.portmap.host
fixed-stretch.gl.at.ply.gg
fixed-uh.gl.at.ply.gg
floor-steam.gl.at.ply.gg
flowers-christina.gl.at.ply.gg
flowers-discussing.gl.at.ply.gg
focus-burn.gl.at.ply.gg
focus-water.gl.at.ply.gg
for-org.gl.at.ply.gg
forum-management.gl.at.ply.gg
friend-paintball.gl.at.ply.gg
front-cad.gl.at.ply.gg
front-recommend.gl.at.ply.gg
fuckall11.zapto.org
fun-solomon.gl.at.ply.gg
function-orlando.gl.at.ply.gg
funds-zoning.gl.at.ply.gg
g574h9hd9.loseyourip.com
gallery-chevy.gl.at.ply.gg
garfield2-33988.portmap.io
garuda09.ddns.net
gas-representative.gl.at.ply.gg
gegesantx7.ddns.net
general-marriott.gl.at.ply.gg
girl-votes.gl.at.ply.gg
girls-res.gl.at.ply.gg
glebus666-49352.portmap.io
gmug.uncofig.com
goods-goods.gl.at.ply.gg
gousa-53644.portmap.io
group-linking.gl.at.ply.gg
hair-realtor.gl.at.ply.gg
half-started.gl.at.ply.gg
hall-pn.gl.at.ply.gg
have-inquiry.gl.at.ply.gg
he-tracks.gl.at.ply.gg
heart-essence.gl.at.ply.gg
hello1211-27655.portmap.host
homes-customized.gl.at.ply.gg
host-most.gl.at.ply.gg
hour-adidas.gl.at.ply.gg
hour-amplifier.gl.at.ply.gg
hours-rwanda.gl.at.ply.gg
however-canada.gl.at.ply.gg
hp-aggressive.gl.at.ply.gg
httpss.myvnc.com
httpss.ooguy.com
iemaiema-49611.portmap.host
il-greenhouse.gl.at.ply.gg
improve-volt.gl.at.ply.gg
inc-subdivision.gl.at.ply.gg
include-nose.gl.at.ply.gg
include-rim.gl.at.ply.gg
included-ram.gl.at.ply.gg
industrial-ll.gl.at.ply.gg
info-power.gl.at.ply.gg
insurance-browse.gl.at.ply.gg
insurance-favors.gl.at.ply.gg
internal-ending.gl.at.ply.gg
introduction-notre.gl.at.ply.gg
iraq-roses.gl.at.ply.gg
item-istanbul.gl.at.ply.gg
jameson1312313-49471.portmap.host
january-silence.gl.at.ply.gg
january-stored.gl.at.ply.gg
jersey-reviewer.gl.at.ply.gg
joined-coverage.gl.at.ply.gg
k-demonstrated.gl.at.ply.gg
kakaschkee-48307.portmap.io
keep-count.gl.at.ply.gg
kingsbkup1.ydns.eu
kirill121212-26976.portmap.host
kiwibobby-55937.portmap.io
klm22.zapto.org
kot4ikvuch-41573.portmap.io
ks-amk.ply.gg
ksadkaspwpqds.3utilities.com
kuknunumlu-25904.portmap.io
laleja4780-32500.portmap.host
larger-admission.gl.at.ply.gg
larger-blacks.gl.at.ply.gg
larger-pose.gl.at.ply.gg
left-exceptional.gl.at.ply.gg
leoleo707-33437.portmap.host
lin.yk99999.top
links-corpus.gl.at.ply.gg
loans-palace.gl.at.ply.gg
login-eye.gl.at.ply.gg
looking-brings.gl.at.ply.gg
looking-page.gl.at.ply.gg
love-illegal.gl.at.ply.gg
lukka-22869.portmap.host
lyrics-honor.gl.at.ply.gg
mac-visit.gl.at.ply.gg
major-europe.gl.at.ply.gg
management-entitled.gl.at.ply.gg
manufacturer-agencies.gl.at.ply.gg
many-bolivia.gl.at.ply.gg
mar9402xrw.duckdns.org
marc9402xrw.duckdns.org
marc9402xrww.duckdns.org
marcc9402xrwo.duckdns.org
march-amounts.gl.at.ply.gg
march9402xrwo.duckdns.org
markl.ddns.net
markmarko1978-25489.portmap.host
marrc9402xrwo.duckdns.org
martin-melbourne.gl.at.ply.gg
mary-manchester.gl.at.ply.gg
master-decor.gl.at.ply.gg
match-amounts.gl.at.ply.gg
mature-pressing.gl.at.ply.gg
maybe-nick.gl.at.ply.gg
me-loud.gl.at.ply.gg
me071949-22956.portmap.io
me98342-50929.portmap.host
media-triangle.gl.at.ply.gg
medicine-sports.gl.at.ply.gg
medo7as.duckdns.org
meet-germany.gl.at.ply.gg
mellowfishy-29478.portmap.host
men-tracking.gl.at.ply.gg
merkurez-64035.portmap.host
metherium-38960.portmap.host
metherium-57921.portmap.host
middle-regards.gl.at.ply.gg
mikey12325-48940.portmap.host
mikeykiller.ddns.net
min-telling.gl.at.ply.gg
minebot999-42830.portmap.host
minecraft.ieciqec.online
mnbjbh.com
mode-jerry.gl.at.ply.gg
month-bloomberg.gl.at.ply.gg
motorsport-pub.with.playit.plus
mounsir24-31804.portmap.host
moving-aims.gl.at.ply.gg
mrbean1-26210.portmap.io
mrn0name-46843.portmap.io
mrn0name-63570.portmap.host
mrxmrxking459-35024.portmap.host
my-yet.gl.at.ply.gg
najatif831-54659.portmap.host
nanai991-32051.portmap.io
nartixsxsxs.ddns.net
natural-steam.gl.at.ply.gg
near-obesity.gl.at.ply.gg
necessary-homepage.gl.at.ply.gg
necessary-sit.gl.at.ply.gg
neprobiesh-64818.portmap.host
neverdiedico.mypets.ws
newsletter-facility.gl.at.ply.gg
nitroxsenys-34948.portmap.host
non-bikes.gl.at.ply.gg
note-horizon.gl.at.ply.gg
nov-assumes.gl.at.ply.gg
numbers-probe.gl.at.ply.gg
nvdiemosole.broke-it.net
offers-discharge.gl.at.ply.gg
old-knight.gl.at.ply.gg
on-donors.gl.at.ply.gg
online-indian.gl.at.ply.gg
opportunities-limits.gl.at.ply.gg
opportunity-commitment.gl.at.ply.gg
or-city.gl.at.ply.gg
or-observed.gl.at.ply.gg
orders-nearby.gl.at.ply.gg
organization-host.gl.at.ply.gg
overview-force.at.ply.gg
owners-encryption.gl.at.ply.gg
paid-egypt.gl.at.ply.gg
panpoppo-25236.portmap.io
paper-again.gl.at.ply.gg
park-by.gl.at.ply.gg
partners-threads.gl.at.ply.gg
past-protected.gl.at.ply.gg
paxii-53773.portmap.host
payment-lunch.gl.at.ply.gg
paypal-korea.gl.at.ply.gg
pdfnmsal.freeddns.org
per-discount.gl.at.ply.gg
per-thanksgiving.gl.at.ply.gg
performance-coming.gl.at.ply.gg
phone-officer.gl.at.ply.gg
photos-translation.gl.at.ply.gg
php-saver.gl.at.ply.gg
picture-horn.gl.at.ply.gg
pictures-dealing.gl.at.ply.gg
pictures-replication.gl.at.ply.gg
pidoras123131-62949.portmap.host
pinis13f-46039.portmap.host
plant-ever.gl.at.ply.gg
players-retirement.gl.at.ply.gg
policy-native.gl.at.ply.gg
port-clone.gl.at.ply.gg
posts-creator.gl.at.ply.gg
potential-cia.gl.at.ply.gg
praisexenq-25483.portmap.host
present-wanna.gl.at.ply.gg
president-fuji.gl.at.ply.gg
prices-rats.gl.at.ply.gg
printer-lucky.gl.at.ply.gg
printer-refrigerator.gl.at.ply.gg
probably-giants.gl.at.ply.gg
products-badge.gl.at.ply.gg
programs-criticism.gl.at.ply.gg
property-send.gl.at.ply.gg
pu9sher-60638.portmap.host
puppyluv3r20091-62866.portmap.host
purchase-meat.gl.at.ply.gg
put-constant.gl.at.ply.gg
questions-when.gl.at.ply.gg
quotes-method.gl.at.ply.gg
r-exploring.gl.at.ply.gg
rated-worn.gl.at.ply.gg
rcraftstipaddrsrv17.duckdns.org
recently-distinguished.gl.at.ply.gg
record-mean.gl.at.ply.gg
red-ps.gl.at.ply.gg
register-resulting.gl.at.ply.gg
registration-ranger.gl.at.ply.gg
remember-gene.gl.at.ply.gg
rent-serial.gl.at.ply.gg
rentals-upgrade.gl.at.ply.gg
renzik-62271.portmap.host
republic-ambien.gl.at.ply.gg
republic-south.gl.at.ply.gg
request-busy.gl.at.ply.gg
required-algeria.gl.at.ply.gg
research-pour.gl.at.ply.gg
resources-sleeve.gl.at.ply.gg
results-denver.gl.at.ply.gg
reviews-respondent.gl.at.ply.gg
rexxontop-21196.portmap.io
right-lecture.gl.at.ply.gg
ring-staffing.gl.at.ply.gg
risk-illness.gl.at.ply.gg
road-suffer.gl.at.ply.gg
round-michael.gl.at.ply.gg
running-boating.gl.at.ply.gg
santifzm-51521.portmap.host
saw-painted.gl.at.ply.gg
say-bidding.gl.at.ply.gg
say-luxembourg.gl.at.ply.gg
say-mechanical.gl.at.ply.gg
schedule-considers.gl.at.ply.gg
search-prediction.gl.at.ply.gg
secure-whilst.gl.at.ply.gg
sekaira.duckdns.org
send-violations.gl.at.ply.gg
senior-bottles.gl.at.ply.gg
september-liverpool.gl.at.ply.gg
september-wireless.gl.at.ply.gg
sets-fatty.gl.at.ply.gg
sets-leather.gl.at.ply.gg
she-signals.gl.at.ply.gg
shopping-noted.gl.at.ply.gg
short-distances.gl.at.ply.gg
significant-washer.gl.at.ply.gg
similar-annotated.gl.at.ply.gg
since-vic.gl.at.ply.gg
site-gather.gl.at.ply.gg
slavisa-29163.portmap.io
smerttb-40118.portmap.host
smfcs1.ydns.eu
smfcs3.ydns.eu
smith-blind.gl.at.ply.gg
sound-kuwait.gl.at.ply.gg
sources-trap.gl.at.ply.gg
sowindresz-32912.portmap.host
spring-ieee.gl.at.ply.gg
ssa-gov-windows.us
startupsdata10.duckdns.org
state-commonwealth.gl.at.ply.gg
statuesque-praline-1be80d.netlify.app
stellar-gumption-ea9fd6.netlify.app
step-yr.gl.at.ply.gg
strategy-flexible.gl.at.ply.gg
street-aaron.gl.at.ply.gg
strong-wars.gl.at.ply.gg
stuff-spectacular.gl.at.ply.gg
sun-exterior.gl.at.ply.gg
super-crisis.gl.at.ply.gg
superaidol-42726.portmap.io
support-available.gl.at.ply.gg
systems-newer.gl.at.ply.gg
t-savings.gl.at.ply.gg
taking-oval.gl.at.ply.gg
team-yacht.gl.at.ply.gg
tech-charitable.gl.at.ply.gg
term-infrastructure.gl.at.ply.gg
test-calgary.gl.at.ply.gg
test-mineral.gl.at.ply.gg
testing-token.gl.at.ply.gg
texas-convention.gl.at.ply.gg
texas-websites.gl.at.ply.gg
thecoolboy123123-35227.portmap.host
think-hungarian.gl.at.ply.gg
third-gained.gl.at.ply.gg
through-necessary.gl.at.ply.gg
ticket90867-23675.portmap.host
tojdorx77bc9-36404.portmap.io
tr3xb1an-44771.portmap.host
trashy123-20554.portmap.host
travel-sellers.gl.at.ply.gg
treatment-judgment.gl.at.ply.gg
tree-tm.gl.at.ply.gg
trollers.xyz
trying-song.gl.at.ply.gg
tuesday-losses.gl.at.ply.gg
two-itunes.gl.at.ply.gg
types-reload.gl.at.ply.gg
typoi-53795.portmap.io
unit-wellness.gl.at.ply.gg
units-dispute.gl.at.ply.gg
unless-agreement.gl.at.ply.gg
unthinkable.ddns.net
unthinkable1.ddns.net
upon-hartford.gl.at.ply.gg
uses-royal.gl.at.ply.gg
vafob72392-38954.portmap.io
values-release.gl.at.ply.gg
vdtihjde7oo-57882.portmap.io
vehicle-numbers.gl.at.ply.gg
very-programming.gl.at.ply.gg
views-enables.gl.at.ply.gg
viniterov1-24267.portmap.host
visoxc-36626.portmap.host
visual-packs.gl.at.ply.gg
voice-pick.gl.at.ply.gg
w-gtk.gl.at.ply.gg
w-translations.gl.at.ply.gg
was-speech.gl.at.ply.gg
washedbrain0002-64745.portmap.io
washington-pix.gl.at.ply.gg
way-strategic.gl.at.ply.gg
werwa3rwe-31123.portmap.io
when-venture.gl.at.ply.gg
while-bishop.gl.at.ply.gg
win423.top
windows-std.gl.at.ply.gg
working-drain.gl.at.ply.gg
would-portland.gl.at.ply.gg
writing-adjustable.gl.at.ply.gg
written-read.gl.at.ply.gg
wrong-observations.gl.at.ply.gg
xakili2300-26390.portmap.host
xmen36917.duckdns.org
xofx.ddns.net
xrwor1111marc.duckdns.org
xv5600.duckdns.org
xxxjew-61335.portmap.io
xyxebet-37690.portmap.host
xyxebet-60479.portmap.host
yaxad-37531.portmap.host
yellow-animation.gl.at.ply.gg
yellow-improved.gl.at.ply.gg
york-beach.gl.at.ply.gg
your-properties.gl.at.ply.gg
yourself-medline.gl.at.ply.gg
zdwdwadzdwa-51598.portmap.io

# Reference: https://x.com/skocherhan/status/1919745596736286994
# Reference: https://www.virustotal.com/gui/file/4be8dc384e1e58a929eb988881a3479174c363f47326485e4e79cf16511b53dd/detection

91.134.25.165:9000
zakkhanhomes.info
dirs.zakkhanhomes.info

# Reference: https://x.com/byrne_emmy12099/status/1920473640216285400
# Reference: https://www.virustotal.com/gui/file/813fb31a1e536d840d02583013fc16e7f81b960560fe9637851ea8b15978aa32/detection
# Reference: https://www.virustotal.com/gui/file/064bff65cd807be6570ecf5fafa486c59048b0f294b82af3e47bd9d3eac274c8/detection

http://31.58.169.110
31.58.169.110:7000

# Reference: https://x.com/skocherhan/status/1920665359490650421
# Reference: https://www.virustotal.com/gui/file/a1f6e88d88b70aa9a76033732dc159475e06a2cb50af2f4a68de6f8a644cab27/detection

36.50.135.167:5552

# Reference: https://x.com/rst_cloud/status/1921735230609661984
# Reference: https://www.morphisec.com/blog/new-noodlophile-stealer-fake-ai-video-generation-platforms/
# Reference: https://www.virustotal.com/gui/file/22c944563f02e9d2f1b035a0caa88d75661e59f9fbbbb2aae7291b196ea7d7cc/detection
# Reference: https://www.virustotal.com/gui/file/e04ada6271080f956f2fd7fe3b7bd8e818f6e997291467759ab08d05ccfb879b/detection
# Reference: https://www.virustotal.com/gui/file/e17c97744edfe90a54f77bd5c99c9652407881508acb4a1438cae0305c0fe30d/detection

103.232.54.13:25902
lumi.viewdns.net

# Reference: https://x.com/skocherhan/status/1923182388290445507
# Reference: https://www.virustotal.com/gui/file/795ca6d3915c335981d3b4b4d95a60c513e8b2f93f346bccd31938bb6cec454b/detection
# Reference: https://www.virustotal.com/gui/file/ef723a98f3c010484e8336c36e581a4ab2f767cc99db0ae26fcd54eb5ca4dd7e/detection

192.121.245.103:61292
192.121.245.8:61292
abdou54.ddns.net

# Reference: https://x.com/skocherhan/status/1924552339542642816
# Reference: https://www.virustotal.com/gui/file/6b3986793b6739ffd81299b50790615c812df04565c7acfa86c0802a4242e3d5/detection

196.251.80.4:4999
my-security-dashboard.com
usaa.my-security-dashboard.com

# Reference: https://x.com/skocherhan/status/1924968460834013547
# NOTE(review): '/nbpxworm.php' at the end of this group is a bare URL path with no host part,
# so it is presumably matched against requests to any host - confirm that breadth is intended
# and watch for false positives on unrelated sites that happen to serve the same path.

147.185.221.27:33512
147.185.221.27:58977
dayzcheatcheck.online
allows-accomplish.gl.at.ply.gg
remove-aerospace.gl.at.ply.gg
/nbpxworm.php

# Reference: https://tria.ge/250521-2nva6ael6y/behavioral1

147.185.221.20:56274
pressure-creates.gl.at.ply.gg

# Reference: https://x.com/JAMESWT_WT/status/1928014587770671542
# Reference: https://x.com/JAMESWT_WT/status/1928014590492766422
# Reference: https://x.com/skocherhan/status/1928019472025084209
# Reference: https://x.com/Jane_0sint/status/1927835622217027735
# Reference: https://app.any.run/tasks/eb8770f8-47d1-41ac-8591-6887fcd3081c
# Reference: https://www.virustotal.com/gui/file/16ee20815e1320cc256e9a9fd22108613ddc06f773a0981197c8dbfdb0f064f2/detection
# NOTE(review): rivalohelp.zendesk.com and javascriptplugin.lovestoblog.com are single
# tenant hostnames under shared parent domains (zendesk.com, lovestoblog.com). Keep them as
# exact-host indicators; generalising to the parent domain would flag unrelated tenants.

archivep75mbjunhxc6x4j5mwjmomyxb573v42baldlqu56ruil2oiad.onion
javascriptplugin.com
javascriptplugin.lovestoblog.com
rivalohelp.zendesk.com

# Reference: https://x.com/blackorbird/status/1927989991226986916
# Reference: https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
# Reference: https://www.virustotal.com/gui/file/c6400d90645e9791eef222fc1e6dface5fffd90e7548fbcb5145439a1fda2f19/detection
# Reference: https://www.virustotal.com/gui/file/a9f31f333944279231175313eda11198f43547ea2cbad3e4e580c78febdc6e9b/detection
# Reference: https://www.virustotal.com/gui/file/a0e75bd0b0fa0174566029d0e50875534c2fcc5ba982bd539bdeff506cae32d3/detection
# Reference: https://www.virustotal.com/gui/file/1a037da4103e38ff95cb0008a5e38fd6a8e7df5bc8e2d44e496b7a5909ddebeb/detection

101.99.91.138:25699
101.99.91.33:25699
172.86.82.124:25699
artisanaqua.ddnsking.com

# Reference: https://x.com/K_N1kolenko/status/1928392107787526391

103.82.23.218:7000
107.148.151.140:7000
172.245.21.144:1437
185.177.239.137:7000
192.159.99.123:7000

# Reference: https://x.com/malwrhunterteam/status/1931452131992563734
# Reference: https://www.virustotal.com/gui/file/3bbc57b4a9220df17c25e107579ec6ade2542c1e516f55aa68c646d73d302dcc/detection

5.189.168.52:6000
javasplugin.com

# Reference: https://www.virustotal.com/gui/file/ace5562cb154f79a019c1fc331a7dd39e2857b6d22dffe0986d6353cd5d2c5d3/detection

66.63.187.232:1111
abuwire123.duckdns.org

# Reference: https://x.com/K_N1kolenko/status/1933494117692043264

147.50.253.4:1150
160.250.134.143:7000
198.46.154.133:7000
3.208.18.126:7000
45.141.27.253:7777
82.23.183.125:8888

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2025-06-13)
# NOTE(review): some addresses in this batch recur with many different ports
# (147.185.221.x, 193.161.193.99). Every 193.161.193.99 port listed here (27509, 45540,
# 46551, 48419, 60946, 64972) equals the numeric suffix of a portmap.io / portmap.host name
# further down, which suggests shared tunnel endpoints - TODO confirm. Treat such entries
# as IP:port pairs only; reducing them to bare IPs would likely flag unrelated users.

http://115.187.41.77
http://154.53.41.5
http://85.203.4.56
104.168.32.88:5321
104.194.140.165:7000
104.234.124.55:3360
104.243.35.242:9090
104.37.174.204:5353
105.97.89.151:35679
107.172.255.51:7000
111.68.4.130:7030
115.187.41.77:7000
118.107.44.159:1818
132.145.75.68:6823
133.23.21.222:2321
141.98.157.249:1194
142.4.216.196:1177
143.198.219.181:5544
144.172.91.174:7867
146.19.9.211:7000
147.124.216.223:7000
147.185.221.23:10073
147.185.221.23:1337
147.185.221.25:43195
147.185.221.26:27800
147.185.221.27:52989
147.185.221.27:57939
147.185.221.28:22507
147.185.221.28:23258
147.185.221.28:23974
147.185.221.28:24405
147.185.221.28:27350
147.185.221.28:30810
147.185.221.28:31017
147.185.221.28:46531
147.185.221.28:47546
147.185.221.28:47641
147.185.221.28:47891
147.185.221.28:48048
147.185.221.28:50562
147.185.221.28:50679
147.185.221.28:52110
147.185.221.28:52682
147.185.221.28:58441
147.185.221.28:8000
147.185.221.28:9999
147.185.221.29:45266
147.50.253.15:7000
149.40.62.49:443
149.56.244.29:157
15.235.34.253:7000
151.243.218.133:7000
154.44.186.53:44101
154.53.41.5:1144
154.53.41.5:443
155.2.192.254:27222
158.178.201.63:1333
158.178.201.63:1366
158.178.201.63:3190
159.65.129.7:2882
162.250.188.82:7000
172.111.138.100:4446
172.111.224.98:3911
172.65.175.19:443
176.100.37.167:7000
176.65.134.119:7000
176.65.134.55:7000
176.65.142.99:5054
176.65.144.26:9000
176.97.118.132:7000
178.20.208.50:7304
178.250.188.29:7000
181.214.48.215:7000
182.69.12.190:443
185.160.30.39:7000
185.161.208.83:2829
185.167.61.11:3033
185.167.61.79:3933
185.174.102.173:7030
185.196.9.229:1100
185.221.23.213:7000
185.241.208.96:7000
185.255.4.191:49152
185.44.234.22:6789
185.91.127.173:999
188.27.117.233:8000
189.159.170.218:4000
191.101.130.17:3304
191.101.131.45:49152
191.96.207.230:7000
191.96.224.126:7000
191.96.224.175:7000
192.227.211.214:7000
192.238.129.9:6666
192.77.7.175:4545
193.161.193.99:27509
193.161.193.99:45540
193.161.193.99:46551
193.161.193.99:48419
193.161.193.99:60946
193.161.193.99:64972
193.233.126.36:7000
193.233.237.189:6775
193.68.89.191:8848
194.15.36.111:8080
194.15.36.199:1177
194.59.31.116:7000
196.251.115.1:5000
196.251.115.76:5000
196.251.117.107:1602
196.251.118.106:6060
196.251.70.182:1602
196.251.80.125:7000
196.251.81.123:7078
196.251.85.205:7000
196.251.85.241:7000
196.251.86.12:7077
196.251.86.52:8686
196.251.86.58:7000
196.251.87.81:7040
196.251.88.77:443
196.251.92.128:5804
197.48.183.244:5505
197.48.4.218:5505
197.48.68.33:5505
198.46.243.33:5353
2.56.165.114:5563
2.56.165.52:5564
200.9.155.128:7000
202.162.109.55:7000
202.79.175.52:6666
202.95.19.142:2024
209.54.101.183:5509
209.54.102.133:8078
212.23.222.28:6969
212.81.47.48:9191
213.209.150.210:2404
216.151.165.131:6000
216.250.251.217:8080
23.26.108.213:7864
31.53.134.69:7000
31.57.219.78:7000
31.57.97.7:187
31.57.97.84:2277
31.6.50.159:10
31.6.50.51:7855
37.120.156.182:2829
37.221.93.95:8080
38.180.109.29:56001
38.255.43.203:8398
4.233.216.36:8000
41.216.188.194:7000
43.251.102.8:7000
45.133.74.46:7000
45.137.201.64:502
45.138.16.192:7000
45.141.150.27:25565
45.141.26.186:7000
45.146.81.90:7000
45.148.244.81:7878
45.154.98.109:3232
45.158.8.231:7000
45.207.196.26:1818
45.207.211.159:1818
45.80.158.238:7000
45.87.174.206:3131
5.253.247.136:1177
51.38.140.81:7000
51.89.207.251:7899
54.93.49.23:7005
64.23.129.58:49644
66.63.187.157:7088
66.63.187.20:7027
68.11.200.38:8547
74.50.94.182:7000
78.142.218.142:5353
79.110.49.124:7000
79.110.49.174:7000
79.155.212.230:7000
82.23.183.60:6767
82.23.183.60:7771
82.23.183.60:7777
82.23.183.60:8777
82.26.74.114:1337
83.147.53.121:7000
85.203.4.56:443
87.120.165.239:1488
87.120.165.239:8848
88.198.34.216:45511
89.208.113.111:7000
89.226.99.63:7777
89.40.31.131:1718
91.210.2.90:1487
91.214.78.60:7000
94.26.90.81:2404
95.217.129.88:5921
0cfijurk6.localto.net
29.ip.gl.ply.gg
abo3skr-27041.portmap.io
abom7lawh-59247.portmap.io
above-ro.gl.at.ply.gg
addition-got.gl.at.ply.gg
ads-language.gl.at.ply.gg
aeteam.duckdns.org
already-reporting.gl.at.ply.gg
american-japan.gl.at.ply.gg
answer-prizes.gl.at.ply.gg
apply-orange.gl.at.ply.gg
art-albany.gl.at.ply.gg
asia-rows.gl.at.ply.gg
assistance-trash.gl.at.ply.gg
bay-parts.gl.at.ply.gg
beach-vhs.gl.at.ply.gg
beauty-factory.gl.at.ply.gg
believe-instrumentation.gl.at.ply.gg
better-political.gl.at.ply.gg
bid-pk.gl.at.ply.gg
boards-radical.gl.at.ply.gg
botangroup.crabdance.com
botangroup.duckdns.org
botangroup.freemyip.com
# NOTE(review): the next entry ends in duckdns.com, while every other DuckDNS name in this
# part of the list ends in duckdns.org - verify against the ThreatFox record that the
# suffix was not mistyped.
botangroupinc.duckdns.com
boys-october.gl.at.ply.gg
brands-morning.gl.at.ply.gg
brostoplookingformyc2-40217.portmap.io
brostoplookingformyc2-54254.portmap.io
brostoplookingformyc2-63185.portmap.io
building-confident.gl.at.ply.gg
businesstradings.duckdns.org
c-largely.gl.at.ply.gg
callxw2025.duckdns.org
cashoutways2025.duckdns.org
cdcnjewnfineiwjd-56509.portmap.io
check-fit.gl.at.ply.gg
christian-optimal.gl.at.ply.gg
click-jackets.gl.at.ply.gg
collection-faculty.gl.at.ply.gg
color-cope.gl.at.ply.gg
coming-taken.gl.at.ply.gg
condition-sealed.gl.at.ply.gg
conditions-task.gl.at.ply.gg
coolman192-25084.portmap.io
council-amp.gl.at.ply.gg
countries-concert.gl.at.ply.gg
countries-imaging.gl.at.ply.gg
country-lying.gl.at.ply.gg
create-mechanism.gl.at.ply.gg
cybersim-44901.portmap.io
department-monica.gl.at.ply.gg
detailed-oct.gl.at.ply.gg
details-possess.gl.at.ply.gg
discount-situated.gl.at.ply.gg
discussion-rss.gl.at.ply.gg
djksandjkandsa-58893.portmap.io
dlkjkoifdjewilkj-37923.portmap.io
document-parker.gl.at.ply.gg
double-lexington.gl.at.ply.gg
dpwekwpd-58261.portmap.io
dudn.xyz
dwyus3phj.localto.net
e3qieuj3qidwsa-60573.portmap.io
eaglett-36029.portmap.io
economic-rob.gl.at.ply.gg
editor-webster.gl.at.ply.gg
eg-huge.gl.at.ply.gg
ekosihere.duckdns.org
elromio-50314.portmap.io
event-told.gl.at.ply.gg
exyy.duckdns.org
features-ave.gl.at.ply.gg
feb-tiles.gl.at.ply.gg
fitness-membership.gl.at.ply.gg
focused-bush-41941.pktriot.net
for-agreed.gl.at.ply.gg
force-cylinder.gl.at.ply.gg
fuckedup-sales.duckdns.org
full-ebay.gl.at.ply.gg
function-intelligence.gl.at.ply.gg
get-charleston.gl.at.ply.gg
gets-surfaces.gl.at.ply.gg
gifts-tells.gl.at.ply.gg
given-area.gl.at.ply.gg
gorngooner10-24984.portmap.io
grade-wanting.gl.at.ply.gg
grahatfuckscammer.ddns.net
grayhatfuckscammer.ddns.net
greg12boy-54325.portmap.io
h-becomes.gl.at.ply.gg
hand-planner.gl.at.ply.gg
have-printing.gl.at.ply.gg
held-isle.gl.at.ply.gg
hi-nurses.gl.at.ply.gg
higher-sims.gl.at.ply.gg
hill-whale.gl.at.ply.gg
hostz.hopto.org
hyd2n-52638.portmap.io
hye87lws0.localto.net
i-tulsa.gl.at.ply.gg
iheatisreal.ddns.net
ilia1228-23580.portmap.io
image-quote.gl.at.ply.gg
institute-trademarks.gl.at.ply.gg
introduction-senior.gl.at.ply.gg
it-spas.gl.at.ply.gg
java-fioricet.gl.at.ply.gg
javv-36324.portmap.io
jazper-46551.portmap.io
jazperwashere69-51726.portmap.io
jerry2.duckdns.org
jjjjjjjujjj-55237.portmap.io
justarandomguy-26105.portmap.io
kill.myftp.biz
kiwibobby-35109.portmap.io
kiwibobby-46785.portmap.io
krasnov-20846.portmap.io
ksdhdkshsakdhdaih-45982.portmap.io
kypity-48419.portmap.io
latest-explosion.gl.at.ply.gg
leehoi01.duckdns.org
linda991.duckdns.org
lol.uncofig.com
lsdmetin2.duckdns.org
m-souls.gl.at.ply.gg
machack-45210.portmap.io
majoram-58877.portmap.io
mamuttt53-60020.portmap.io
marketing-trans.gl.at.ply.gg
matter-painful.gl.at.ply.gg
mb-angeles.gl.at.ply.gg
mcmaster.giize.com
medellin2029.duckdns.org
medical-omega.gl.at.ply.gg
member-sought.gl.at.ply.gg
microsofthaki.duckdns.org
microsofthaki2.duckdns.org
minimum-allowed.gl.at.ply.gg
mohamed1321-64972.portmap.io
move-forms.gl.at.ply.gg
movie-off.gl.at.ply.gg
mrmega-28915.portmap.io
msn-throwing.gl.at.ply.gg
mxsuname1.gotdns.ch
mylol-28375.portmap.io
mypopy.ddns.net
n-bend.gl.at.ply.gg
nembioom-30802.portmap.io
nnork.duckdns.org
nokego4678-61587.portmap.io
ntzljkg5d.localto.net
nufloo-60946.portmap.io
ohio-surgeon.gl.at.ply.gg
other-mesa.gl.at.ply.gg
other-status.gl.at.ply.gg
paltalkroom9.ddns.net
paper-improved.gl.at.ply.gg
photo-experience.gl.at.ply.gg
places-buys.gl.at.ply.gg
plus-sauce.gl.at.ply.gg
poker-venues.gl.at.ply.gg
policies-brook.gl.at.ply.gg
policies-fy.gl.at.ply.gg
poloza-24674.portmap.io
position-dated.gl.at.ply.gg
potential-newer.gl.at.ply.gg
previous-chess.gl.at.ply.gg
prior-automotive.gl.at.ply.gg
prior-organizational.gl.at.ply.gg
process-lips.gl.at.ply.gg
pronedot9.ddns.net
proportmapper04-35925.portmap.io
proportmapper04-43455.portmap.io
puppyluv645cmdoc-37214.portmap.io
purchase-securities.gl.at.ply.gg
r-declared.gl.at.ply.gg
raketa909-53062.portmap.io
ramsadaye.ddns.me
rated-issue.gl.at.ply.gg
really-laundry.gl.at.ply.gg
requirements-minus.gl.at.ply.gg
rfrfrf-60451.portmap.io
rock-layer.gl.at.ply.gg
rookie789-57503.portmap.io
rooms-doom.gl.at.ply.gg
rq3wfq3t3qtw-29855.portmap.io
run-basement.gl.at.ply.gg
rushgroup50.duckdns.org
s5r.uncofig.com
same-lasting.gl.at.ply.gg
sandbox-64001.portmap.io
sandlotkidsn.ddnsking.com
score-hormone.gl.at.ply.gg
scottfortune.duckdns.org
section-ala.gl.at.ply.gg
senmuxy-27509.portmap.host
shadow.steelpanman.com
sheetratios-38609.portmap.io
sillyshere-20975.portmap.io
skibidius-19401.portmap.io
snezze-47460.portmap.io
sniperalsnafe-53479.portmap.io
southern-monsters.gl.at.ply.gg
spaminhaler132-41437.portmap.io
spamvernascher-37029.portmap.io
spec.gl.at.ply.gg
sports-codes.gl.at.ply.gg
spring-looks.gl.at.ply.gg
stars-specification.gl.at.ply.gg
statistics-kennedy.gl.at.ply.gg
steelpanman.com
string-lanes.gl.at.ply.gg
strong-keyboards.gl.at.ply.gg
studies-license.gl.at.ply.gg
style-reveal.gl.at.ply.gg
subject-gently.gl.at.ply.gg
summary-juan.gl.at.ply.gg
surface-threaded.gl.at.ply.gg
swoafsfw-23626.portmap.io
sxngsom.ddns.net
system-exploring.gl.at.ply.gg
take-sherman.gl.at.ply.gg
tech-lotus.gl.at.ply.gg
this-prefer.gl.at.ply.gg
tool-curious.gl.at.ply.gg
tools-helicopter.gl.at.ply.gg
tools-runs.gl.at.ply.gg
toygamin-28778.portmap.io
triage-64292.portmap.io
umar050connect.kozow.com
under-economic.gl.at.ply.gg
union-retail.gl.at.ply.gg
unknown-7222-47030.portmap.io
unknowwealth2025.duckdns.org
update-dear.gl.at.ply.gg
uzlehalo.duckdns.org
validation.steelpanman.com
vefefgregwes-27320.portmap.io
vvvvvvase2314e214re21-22848.portmap.io
waren-29868.portmap.host
warrant764-45540.portmap.io
wealthytradesbanks.duckdns.org
which-boots.gl.at.ply.gg
wide-completion.gl.at.ply.gg
win-ks.gl.at.ply.gg
xrwo9402maynew.duckdns.org
xwom9402a.duckdns.org
xwom9402b.duckdns.org
xwom9402c.duckdns.org
xwom9402d.duckdns.org
xwom9402e.duckdns.org
xworm67.duckdns.org
ybyar-52464.portmap.host
years-springer.gl.at.ply.gg
yourmomishighoncrack-29827.portmap.io
zederfedz-40553.portmap.io
zwomo.duckdns.org
zylora-30517.portmap.io
# NOTE(review): webhook.site is a shared request-capture service; this indicator is scoped
# to one endpoint path and should stay path-qualified rather than become a domain-wide match.
webhook.site/40ea286d-8847-4674-879a-cd260372be9a

# Reference: https://x.com/skocherhan/status/1933899285822939147
# Reference: https://www.virustotal.com/gui/file/0609a63917db1f7dfab133cbbcd208114a16fef4caf8f35768cf894b711a4cad/detection

45.74.19.10:1096
forsondu92.duckdns.org

# Reference: https://x.com/smica83/status/1934414818863190463
# Reference: https://www.virustotal.com/gui/file/14eb11f4ad79fd63249b97ac3d66f56b360a5a83b5e7790e0cf8092cdf4a58b6/detection

87.120.186.37:32984

# Reference: https://x.com/smica83/status/1935292244665450519
# Reference: https://tria.ge/250618-mxlcaawr18/behavioral2
# Reference: https://www.virustotal.com/gui/file/a12cc29223bc2750b679d1256f28bb4dcc0fdedffb6427ae454acf07f86f05c6/detection

191.96.79.137:7000

# Reference: https://x.com/G60930953/status/1935329513312850103
# Reference: https://dmpdump.github.io/posts/Modified_Xworm_Distribution/
# Reference: https://www.virustotal.com/gui/file/37e42839ea6f1c97c7256eeec99e420e46e4d920bf629cb84aa260e78ee7f60f/detection

27.124.2.138:6000

# Reference: https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/

nhvncpure.click
nhvncpure.sbs
nhvncpure.shop
nhvncpure.twilightparadox.com
nhvncpure1.strangled.net
nhvncpure2.mooo.com
nhvncpurekfl.duckdns.org
nhvncpureybs.duckdns.org

# Reference: https://x.com/K_N1kolenko/status/1935999229303873963

103.195.190.49:7771
107.150.0.86:3698
181.214.48.110:300
185.117.3.224:2235
192.159.99.144:7000
37.114.41.75:8080
45.88.9.205:444
66.63.187.164:8594
79.141.160.131:8787
85.203.4.126:7000

# Reference: https://x.com/K_N1kolenko/status/1938560697342042522

147.50.253.6:8847
161.35.18.98:5803
172.245.21.143:5638
8.217.170.22:5531

# Reference: https://x.com/skocherhan/status/1939457279088304208
# Reference: https://www.virustotal.com/gui/file/840553c7424cf74b32f1a91ab8fed5464b1af1d64d8a0dd99a7bc05f90e8e522/detection

185.244.155.97:7777
45.74.15.163:7777
45.74.15.99:7777
zzzaaaaa.ddns.net

# Reference: https://www.virustotal.com/gui/file/60f7b8e8f9679b75094b8b4ca39ae814315446094df8a18149a03d37e7f3bfc6/detection

91.92.120.101:62520

# Reference: https://x.com/smica83/status/1940359022873637300
# Reference: https://x.com/IdaNotPro/status/1940362495971184756
# Reference: https://www.virustotal.com/gui/file/751e4cb54be13998e9b263fd5e550def33fe308f4204cd4716ecc6fb2d701579/detection
# Reference: https://www.virustotal.com/gui/file/c867725f20f9b1895c4af4c103e7b44483de22c1df4de389bb497484f858ea65/detection

213.152.161.107:26841
server-data-client-lntl.cloud
wilderland.server-data-client-lntl.cloud

# Reference: https://www.virustotal.com/gui/file/e6a3cf198a41476755ad49b64559f2aa1faa033ef310699cf5e9f8c19c93e150/detection

154.22.5.243:2424

# Reference: https://www.virustotal.com/gui/file/0d2ccb31613eb9d4362a14e3255c2598c9c6cd857caf58dfd585db98fbea50bb/detection

91.219.238.230:7000

# Reference: https://x.com/K_N1kolenko/status/1941105024463200459

185.100.157.217:7000
188.212.158.75:7000
198.12.126.169:8780
45.156.87.204:8080
54.233.70.171:6000
83.143.112.163:4444
85.203.4.232:7000

# Reference: https://www.virustotal.com/gui/file/0c493fc4f0be85073e5087cd3a990da53bd96245e952585f01c9ef8be24e492e/detection

185.196.11.88:7000
securefilepr0.com.ng
xev.securefilepr0.com.ng

# Reference: https://www.virustotal.com/gui/file/8b1fef963e352dc39a6f83717df5898e05ab1bece49e83dee3ce4d330cc62d24/detection

196.251.115.238:1313
hciagriitec.ddns.net

# Reference: https://x.com/smica83/status/1942516595500155028
# Reference: https://www.virustotal.com/gui/file/8f270daf747833bf4f3bc7df7096dbd20cd8abf91d7ba8604626d282750e51bb/detection
# Reference: https://www.virustotal.com/gui/file/4761bd325587c2b7d21b008db0f5d8764d100ed149a3caafb5705161830039bc/detection
# Reference: https://www.virustotal.com/gui/file/230456cb1ef613572f9c3b4b7eb73164ab0ad168e93b254e0abb34f89b60decc/detection
# Reference: https://www.virustotal.com/gui/file/1e21e82c8c423f4b77cc9e47c977bdadbd887033dee00db5be07fe10ef5e4eaa/detection

cpajuner17.blogspot.com

# Reference: https://x.com/K_N1kolenko/status/1943632099526791430

144.172.105.184:7777
146.70.87.178:7031
167.160.161.3:4404
176.97.212.251:3390
192.3.198.13:6000
31.57.97.126:111
31.57.97.217:2322
31.57.97.31:2020
45.74.10.206:6000

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2025-07-13)

101.99.92.189:8080
102.129.138.116:7000
103.82.26.162:7000
103.97.128.77:8808
104.194.147.14:7000
104.249.26.240:9090
105.102.150.178:35678
105.102.75.91:35678
107.173.62.143:7000
107.174.42.72:2556
107.175.148.91:8085
107.175.34.68:3360
107.189.20.81:7000
108.165.179.106:2330
118.107.46.74:8081
120.156.65.2:7000
128.199.132.98:1177
136.0.157.47:8083
138.199.38.150:49443
141.98.6.53:7000
144.172.100.183:8040
144.172.122.24:8080
146.190.110.91:3389
147.124.215.254:7000
147.185.221.17:22365
147.185.221.18:7000
147.185.221.18:7400
147.185.221.20:21790
147.185.221.22:47930
147.185.221.23:25607
147.185.221.24:50035
147.185.221.25:38208
147.185.221.27:6351
147.185.221.28:11317
147.185.221.28:65045
147.185.221.29:22580
147.185.221.29:23782
147.185.221.29:27718
147.185.221.29:30965
147.185.221.29:31610
147.185.221.29:32655
147.185.221.29:3290
147.185.221.29:43885
147.185.221.29:54417
147.185.221.29:60301
147.185.221.29:62389
147.185.221.29:6969
147.185.221.29:9241
147.185.221.30:1616
147.185.221.30:7877
147.50.253.17:9569
150.109.120.102:15151
150.109.120.102:23368
151.243.218.201:6000
154.38.180.2:3000
154.40.47.26:8099
155.94.155.213:1888
156.252.60.146:8890
159.223.120.36:8069
164.132.75.20:7000
172.111.139.111:7000
172.245.152.216:2829
173.249.29.108:4145
176.160.157.96:8887
185.174.101.218:6000
185.175.58.109:7000
185.176.94.34:3373
185.178.208.179:443
185.196.10.251:7000
185.196.8.239:7000
185.216.214.217:443
189.159.170.218:4444
191.101.130.236:8398
193.161.193.99:24111
193.187.91.220:56687
193.222.96.100:5555
193.26.115.138:1337
194.156.79.202:5647
194.62.248.177:7000
195.177.94.52:5959
195.186.208.193:3033
196.251.115.238:2244
196.251.117.170:66
196.251.66.225:7000
196.251.70.143:1603
197.48.19.78:5505
198.12.126.169:8823
198.135.49.116:7000
198.135.49.79:4190
198.55.98.119:8780
2.56.165.114:5561
2.56.246.52:7001
200.9.155.157:6853
204.77.232.110:7771
206.238.114.162:7000
209.54.101.190:8888
211.211.45.214:7000
212.3.131.253:7771
213.209.150.147:6000
213.209.150.171:5010
216.250.252.224:36465
217.64.151.184:9779
# NOTE(review): 26.0.0.0/8 addresses commonly show up as Radmin VPN overlay addresses
# rather than publicly routed hosts - presumably this came from a sample's configured
# peer. Confirm the entry can match real egress traffic before relying on it.
26.126.244.181:942
27.147.169.101:7000
3.138.102.104:7000
31.57.219.244:6820
31.57.38.63:4200
31.57.38.63:5552
37.120.208.37:57625
38.180.203.11:1010
38.244.198.20:7099
38.91.118.226:5531
41.250.151.246:9321
43.155.4.35:15151
43.155.4.35:23368
43.159.199.184:15151
43.159.199.184:23368
45.137.201.64:187
45.141.26.147:7000
45.141.27.119:7000
45.146.81.196:5552
45.148.244.181:4545
45.155.37.24:50002
45.201.0.222:1000
45.87.120.8:8846
45.88.186.30:1717
45.88.9.32:7874
46.246.12.3:49780
46.246.6.4:49780
5.175.234.115:2030
5.189.125.76:5552
5.42.80.2:7000
64.225.75.165:8069
67.21.33.92:7000
67.223.119.69:9333
68.11.200.38:8081
68.221.200.89:4321
77.105.166.57:7000
77.221.152.146:7000
84.38.129.46:1012
85.203.4.158:5000
85.203.4.68:5000
85.209.128.97:5001
86.29.59.189:7877
86.38.225.54:5353
87.120.113.179:7000
88.180.187.70:20000
89.144.60.15:8080
94.143.231.21:1111
94.154.173.151:7000
94.26.90.227:7000
95.211.186.231:7812
2tuff-33336.portmap.io
30.ip.gl.ply.gg
add-adolescent.gl.at.ply.gg
ads-teachers.gl.at.ply.gg
afatibrahimove.duckdns.org
along-rid.gl.at.ply.gg
american-simulations.gl.at.ply.gg
andre21.ydns.eu
angelflying555.duckdns.org
any-arctic.gl.at.ply.gg
apple-go.gl.at.ply.gg
approach-connection.gl.at.ply.gg
archives-cnet.gl.at.ply.gg
archives-msgstr.gl.at.ply.gg
backupjs.ddns.net
beenpaidwoo-29303.portmap.host
beenpaidwoo-61863.portmap.host
behind-welcome.gl.at.ply.gg
better-allan.gl.at.ply.gg
bill-wav.gl.at.ply.gg
bit-bathrooms.gl.at.ply.gg
blog-attitudes.gl.at.ply.gg
bobawo2587-64007.portmap.io
built-punch.gl.at.ply.gg
c-cure.gl.at.ply.gg
calendar-background.gl.at.ply.gg
cd-checking.gl.at.ply.gg
cell-submitted.gl.at.ply.gg
chernobyl.webhop.me
council-its.gl.at.ply.gg
counterstrike2-cheats.com
country-suggesting.gl.at.ply.gg
ctdt.ddns.net
current-clip.gl.at.ply.gg
dariusfanxwomrskiddedaahh-40602.portmap.host
develop-francis.gl.at.ply.gg
developer1.ydns.eu
district-graphical.gl.at.ply.gg
dsasinject-58214.portmap.io
educational-scores.gl.at.ply.gg
elysianstanmore.org
employees-churches.gl.at.ply.gg
enter-sierra.gl.at.ply.gg
fat-changes.gl.at.ply.gg
federal-jewel.gl.at.ply.gg
fee-lu.gl.at.ply.gg
fierdevivre.duckdns.org
fivemgame.me
football-wonder.gl.at.ply.gg
format-associations.gl.at.ply.gg
free-educational.gl.at.ply.gg
game-charleston.gl.at.ply.gg
garden-enable.gl.at.ply.gg
goodhost.work.gd
hacking702-35743.portmap.io
half-exhibit.gl.at.ply.gg
held-lobby.gl.at.ply.gg
held-prozac.gl.at.ply.gg
hi-auto.gl.at.ply.gg
imagoatlowk-58420.portmap.io
includes-au.gl.at.ply.gg
income-suggests.gl.at.ply.gg
jjnfs-61366.portmap.io
junie15.duckdns.org
kalitest.ddns.net
kids-indeed.gl.at.ply.gg
knowledge-compatible.gl.at.ply.gg
late-starting.gl.at.ply.gg
leading-calculator.gl.at.ply.gg
lespencer.duckdns.org
lifehod833-44653.portmap.host
lnpntkd9vth0tup2.rest
loans-holding.gl.at.ply.gg
location-caring.gl.at.ply.gg
lohoainam2008-36048.portmap.io
lyrics-ships.gl.at.ply.gg
magazine-tattoo.gl.at.ply.gg
martin-servers.gl.at.ply.gg
members-aye.gl.at.ply.gg
mhzlhtools77-42857.portmap.io
models-diesel.gl.at.ply.gg
ms-pupils.gl.at.ply.gg
nadine21347-42251.portmap.io
names-compatibility.gl.at.ply.gg
natural-profit.gl.at.ply.gg
nil.group.found
nnnnssss-64548.portmap.io
nomorelife29-46869.portmap.io
not-sized.gl.at.ply.gg
nsxauth.duckdns.org
ok-sense.gl.at.ply.gg
original-do.gl.at.ply.gg
other-mins.gl.at.ply.gg
overall-bachelor.gl.at.ply.gg
pa-speech.gl.at.ply.gg
package-gardens.gl.at.ply.gg
page4work.mywire.org
partner-expedia.gl.at.ply.gg
people-climbing.gl.at.ply.gg
problem-cooperative.gl.at.ply.gg
put-ladder.gl.at.ply.gg
quotes-blair.gl.at.ply.gg
rates-north.gl.at.ply.gg
reason-tribal.gl.at.ply.gg
regional-evaluate.gl.at.ply.gg
regone.dnsframe.com
request-bosnia.gl.at.ply.gg
return-aug.gl.at.ply.gg
rockstar.dnsframe.com
rookie789-22310.portmap.io
screen-squad.gl.at.ply.gg
season-clothes.gl.at.ply.gg
second-spyware.gl.at.ply.gg
secured1040online.duckdns.org
security-territory.gl.at.ply.gg
senior-biology.gl.at.ply.gg
shopping-bundle.gl.at.ply.gg
significant-storage.gl.at.ply.gg
small-bend.gl.at.ply.gg
solutions-samsung.gl.at.ply.gg
something-newfoundland.gl.at.ply.gg
something-relation.gl.at.ply.gg
sound-vietnam.gl.at.ply.gg
source-determination.gl.at.ply.gg
sssssoj9u99uy-54788.portmap.io
standard-suited.gl.at.ply.gg
standards-heights.gl.at.ply.gg
subjects-cookie.gl.at.ply.gg
superwx.duckdns.org
table-proposal.gl.at.ply.gg
talk-chief.gl.at.ply.gg
thanks-volvo.gl.at.ply.gg
themew.zapto.org
too-retired.gl.at.ply.gg
units-jewish.gl.at.ply.gg
updates.tplinkdns.com
useful-bookings.gl.at.ply.gg
w-grant.gl.at.ply.gg
waohsfs-48136.portmap.io
we-referring.gl.at.ply.gg
website-md.gl.at.ply.gg
weight-q.gl.at.ply.gg
wickpinto.duckdns.org
winter-criminal.gl.at.ply.gg
workingmiracles.3utilities.com
would-pepper.gl.at.ply.gg
xm.lnpntkd9vth0tup2.rest
xw.lnpntkd9vth0tup2.rest
xwor1528.duckdns.org
yellow-humanities.gl.at.ply.gg
yourmomishighoncrack-26691.portmap.io
yourself-snowboard.gl.at.ply.gg
zenforexpvtltd.hopto.org

# Reference: https://x.com/K_N1kolenko/status/1946183383450562596

156.227.236.210:1777
167.160.161.247:8594
18.130.231.213:7008
185.228.72.104:1337
45.118.146.156:7010
45.141.26.199:8000
45.141.26.28:5000
47.122.38.193:7000
79.110.49.104:6363

# Reference: https://x.com/skocherhan/status/1947291358151979270

30.ip.gl.joinmc.link
act-rating.gl.at.ply.gg
address-scholar.gl.at.ply.gg
ads-victor.gl.at.ply.gg
agents-changing.gl.at.ply.gg
agents-k.gl.at.ply.gg
agents-thumbnails.gl.at.ply.gg
ago-outstanding.gl.at.ply.gg
air-thai.gl.at.ply.gg
al-butterfly.gl.at.ply.gg
all-deutsch.gl.at.ply.gg
allows-city.gl.at.ply.gg
almost-earliest.gl.at.ply.gg
already-ibm.gl.at.ply.gg
another-potatoes.gl.at.ply.gg
apple-brings.gl.at.ply.gg
approved-fathers.gl.at.ply.gg
april-kansas.gl.at.ply.gg
area-selection.gl.at.ply.gg
art-ur.gl.at.ply.gg
artist-presentations.gl.at.ply.gg
artists-amendments.gl.at.ply.gg
australia-restored.gl.at.ply.gg
auto-mpg.gl.at.ply.gg
b-probably.gl.at.ply.gg
baby-technological.gl.at.ply.gg
band-gods.gl.at.ply.gg
bay-butterfly.gl.at.ply.gg
because-constitutional.gl.at.ply.gg
before-montana.gl.at.ply.gg
being-chapter.gl.at.ply.gg
bill-compaq.gl.at.ply.gg
bit-making.gl.at.ply.gg
black-pet.gl.at.ply.gg
blood-food.gl.at.ply.gg
board-yet.gl.at.ply.gg
books-editorial.gl.at.ply.gg
british-hip.gl.at.ply.gg
california-peninsula.gl.at.ply.gg
can-organisations.gl.at.ply.gg
can-peaceful.gl.at.ply.gg
canadian-speaking.gl.at.ply.gg
card-colleagues.gl.at.ply.gg
career-finite.gl.at.ply.gg
career-geek.gl.at.ply.gg
carnivorex.tv
cd-tied.gl.at.ply.gg
chat.pinehub.co
chicago-mit.gl.at.ply.gg
child-soc.gl.at.ply.gg
children-sapphire.gl.at.ply.gg
china-center.gl.at.ply.gg
choice-verse.gl.at.ply.gg
class-km.gl.at.ply.gg
class-point.gl.at.ply.gg
classes-flour.gl.at.ply.gg
classic-copied.gl.at.ply.gg
click-gis.gl.at.ply.gg
cnet-households.gl.at.ply.gg
code-viking.gl.at.ply.gg
come-refugees.gl.at.ply.gg
command-respondent.gl.at.ply.gg
commission-kirk.gl.at.ply.gg
communication-modifications.gl.at.ply.gg
communications-regime.gl.at.ply.gg
companies-week.gl.at.ply.gg
computer-oklahoma.gl.at.ply.gg
conditions-supplied.gl.at.ply.gg
corporate-retro.gl.at.ply.gg
country-blade.gl.at.ply.gg
court-beef.gl.at.ply.gg
create-mem.gl.at.ply.gg
credit-oct.gl.at.ply.gg
cross-lead.gl.at.ply.gg
current-december.gl.at.ply.gg
custom-happened.gl.at.ply.gg
dark-offers.gl.at.ply.gg
date-andale.gl.at.ply.gg
david-jordan.gl.at.ply.gg
death-flush.gl.at.ply.gg
decision-beer.gl.at.ply.gg
designed-explaining.gl.at.ply.gg
detailed-discussed.gl.at.ply.gg
developed-silent.gl.at.ply.gg
digital-decade.gl.at.ply.gg
disease-scratch.gl.at.ply.gg
door-classical.gl.at.ply.gg
downloads-argued.gl.at.ply.gg
downloads-strongly.gl.at.ply.gg
effective-psychological.gl.at.ply.gg
electric-titanium.gl.at.ply.gg
else-sentences.gl.at.ply.gg
employees-culture.gl.at.ply.gg
entertainment-gr.gl.at.ply.gg
environmental-belle.gl.at.ply.gg
environmental-projection.gl.at.ply.gg
etc-inc.gl.at.ply.gg
everyone-paintball.gl.at.ply.gg
except-assets.gl.at.ply.gg
extra-failures.gl.at.ply.gg
f-thickness.gl.at.ply.gg
fall-decline.gl.at.ply.gg
feb-wife.gl.at.ply.gg
feed-rio.gl.at.ply.gg
fees-boys.gl.at.ply.gg
feet-copy.gl.at.ply.gg
feet-puzzle.gl.at.ply.gg
few-add.gl.at.ply.gg
finance-demonstrates.gl.at.ply.gg
first-spring.gl.at.ply.gg
fitness-locking.gl.at.ply.gg
five-conditional.gl.at.ply.gg
floor-east.gl.at.ply.gg
focus-navigation.gl.at.ply.gg
four-albania.gl.at.ply.gg
four-phpbb.gl.at.ply.gg
free-appeal.gl.at.ply.gg
french-nasdaq.gl.at.ply.gg
french-ten.gl.at.ply.gg
friday-incoming.gl.at.ply.gg
front-hall.gl.at.ply.gg
fun-basketball.gl.at.ply.gg
fun-wrestling.gl.at.ply.gg
fund-hugh.gl.at.ply.gg
garden-died.gl.at.ply.gg
general-quantum.gl.at.ply.gg
george-pirates.gl.at.ply.gg
go-modems.gl.at.ply.gg
going-documents.gl.at.ply.gg
good-sight.gl.at.ply.gg
government-recovered.gl.at.ply.gg
growth-expenditure.gl.at.ply.gg
hands-want.gl.at.ply.gg
held-sample.gl.at.ply.gg
her-quest.gl.at.ply.gg
here-draw.gl.at.ply.gg
hill-speed.gl.at.ply.gg
hope-valves.gl.at.ply.gg
house-touring.gl.at.ply.gg
huge-expressed.gl.at.ply.gg
huge-preservation.gl.at.ply.gg
icypiston.run.place
id-slightly.gl.at.ply.gg
image-crossing.gl.at.ply.gg
important-coaching.gl.at.ply.gg
important-neither.gl.at.ply.gg
increase-psi.gl.at.ply.gg
increased-hill.gl.at.ply.gg
independent-precious.gl.at.ply.gg
instead-extremely.gl.at.ply.gg
interface-polymer.gl.at.ply.gg
introduction-fog.gl.at.ply.gg
introduction-plays.gl.at.ply.gg
ireland-crowd.gl.at.ply.gg
isbn-fits.gl.at.ply.gg
japanese-antarctica.gl.at.ply.gg
jun-processors.gl.at.ply.gg
k-marc.gl.at.ply.gg
king-enquiries.gl.at.ply.gg
king-operating.gl.at.ply.gg
l-integrate.gl.at.ply.gg
law-conditioning.gl.at.ply.gg
letter-pierre.gl.at.ply.gg
letter-shell.gl.at.ply.gg
life-rhode.gl.at.ply.gg
line-limited.gl.at.ply.gg
lines-belongs.gl.at.ply.gg
live-cooperation.gl.at.ply.gg
lyrics-detector.gl.at.ply.gg
magazine-thompson.gl.at.ply.gg
mahouneko.moe
mail-eco.gl.at.ply.gg
man-worm.gl.at.ply.gg
management-beef.gl.at.ply.gg
manager-americans.gl.at.ply.gg
many-simply.gl.at.ply.gg
market-validation.gl.at.ply.gg
match-bikini.gl.at.ply.gg
mc.zap-games.net
medical-principles.gl.at.ply.gg
membership-foam.gl.at.ply.gg
men-hack.gl.at.ply.gg
menu-elder.gl.at.ply.gg
mgcorp.lat
minepolio.xyz
mode-downloaded.gl.at.ply.gg
move-emerging.gl.at.ply.gg
move-motivated.gl.at.ply.gg
moving-indigenous.gl.at.ply.gg
my-cleaner.gl.at.ply.gg
name-undo.gl.at.ply.gg
names-jelsoft.gl.at.ply.gg
news-jurisdiction.gl.at.ply.gg
no-testimonials.gl.at.ply.gg
none-knows.gl.at.ply.gg
normal-train.gl.at.ply.gg
northern-dust.gl.at.ply.gg
notpaffy.com
november-most.gl.at.ply.gg
number-textile.gl.at.ply.gg
oct-eco.gl.at.ply.gg
offer-cn.gl.at.ply.gg
ohio-usgs.gl.at.ply.gg
online-event.gl.at.ply.gg
opinion-sheets.gl.at.ply.gg
opportunity-males.gl.at.ply.gg
orders-acts.gl.at.ply.gg
orders-extract.gl.at.ply.gg
organization-utah.gl.at.ply.gg
original-sisters.gl.at.ply.gg
otherwise-banks.gl.at.ply.gg
our-ukraine.gl.at.ply.gg
pa-mastercard.gl.at.ply.gg
painelgamer.duckdns.org
paper-norwegian.gl.at.ply.gg
particular-beds.gl.at.ply.gg
partner-aquarium.gl.at.ply.gg
party-security.gl.at.ply.gg
password-billing.gl.at.ply.gg
percent-flower.gl.at.ply.gg
perfect-needle.gl.at.ply.gg
perfect-pas.gl.at.ply.gg
person-consumer.gl.at.ply.gg
person-maintenance.gl.at.ply.gg
person-vc.gl.at.ply.gg
phentermine-introduced.gl.at.ply.gg
photo-painting.gl.at.ply.gg
photo-stranger.gl.at.ply.gg
photos-unlike.gl.at.ply.gg
physical-duck.gl.at.ply.gg
pics-craft.gl.at.ply.gg
planning-kick.gl.at.ply.gg
planning-sas.gl.at.ply.gg
playing-ad.gl.at.ply.gg
playing-happiness.gl.at.ply.gg
playit.aky.dedyn.io
points-uses.gl.at.ply.gg
policy-liabilities.gl.at.ply.gg
policy-url.gl.at.ply.gg
post-finished.gl.at.ply.gg
posted-gently.gl.at.ply.gg
potential-pools.gl.at.ply.gg
prices-acts.gl.at.ply.gg
process-gradually.gl.at.ply.gg
product-franchise.gl.at.ply.gg
product-martha.gl.at.ply.gg
products-curtis.gl.at.ply.gg
programme-brands.gl.at.ply.gg
programs-stevens.gl.at.ply.gg
project-televisions.gl.at.ply.gg
properties-float.gl.at.ply.gg
purposes-one.gl.at.ply.gg
q-guatemala.gl.at.ply.gg
receive-olympics.gl.at.ply.gg
recommended-accounting.gl.at.ply.gg
region-una.gl.at.ply.gg
released-relationship.gl.at.ply.gg
remote-principles.gl.at.ply.gg
repair-constructed.gl.at.ply.gg
requirements-carey.gl.at.ply.gg
research-trivia.gl.at.ply.gg
resolution-discuss.gl.at.ply.gg
response-mai.gl.at.ply.gg
run-associate.gl.at.ply.gg
run-happen.gl.at.ply.gg
run-trainer.gl.at.ply.gg
running-gst.gl.at.ply.gg
s-crown.gl.at.ply.gg
san-ordinance.gl.at.ply.gg
says-brochures.gl.at.ply.gg
school-square.gl.at.ply.gg
searches-lauderdale.gl.at.ply.gg
see-immediately.gl.at.ply.gg
select-soma.gl.at.ply.gg
sellers-mounts.gl.at.ply.gg
sep-needs.gl.at.ply.gg
sep-philips.gl.at.ply.gg
server-podcast.gl.at.ply.gg
set-wood.gl.at.ply.gg
ship-brochure.gl.at.ply.gg
significant-cooperative.gl.at.ply.gg
silver-valve.gl.at.ply.gg
smarteventplanner.coreone.work
so-locale.gl.at.ply.gg
social-flag.gl.at.ply.gg
solution-dare.gl.at.ply.gg
sony-barbara.gl.at.ply.gg
sound-halloween.gl.at.ply.gg
special-belkin.gl.at.ply.gg
sports-stick.gl.at.ply.gg
spring-argument.gl.at.ply.gg
stars-any.gl.at.ply.gg
started-music.gl.at.ply.gg
state-certificates.gl.at.ply.gg
statement-barn.gl.at.ply.gg
still-ie.gl.at.ply.gg
stock-geographic.gl.at.ply.gg
storage-mistress.gl.at.ply.gg
storage-postcards.gl.at.ply.gg
student-philippines.gl.at.ply.gg
studies-integrated.gl.at.ply.gg
studio-descending.gl.at.ply.gg
style-playz.eu
table-endorsed.gl.at.ply.gg
table-inflation.gl.at.ply.gg
tax-found.gl.at.ply.gg
technologies-rid.gl.at.ply.gg
television-al.gl.at.ply.gg
tell-mainland.gl.at.ply.gg
term-cats.gl.at.ply.gg
than-aol.gl.at.ply.gg
that-paxil.gl.at.ply.gg
that-weblog.gl.at.ply.gg
things-con.gl.at.ply.gg
this-x.gl.at.ply.gg
thought-diego.gl.at.ply.gg
tickets-lesson.gl.at.ply.gg
time-menus.gl.at.ply.gg
together-stars.gl.at.ply.gg
together-well.gl.at.ply.gg
tools-perfectly.gl.at.ply.gg
topics-steel.gl.at.ply.gg
transportation-jacob.gl.at.ply.gg
transportation-x.gl.at.ply.gg
trial-industries.gl.at.ply.gg
try-disorders.gl.at.ply.gg
tue-rating.gl.at.ply.gg
tx-citizenship.gl.at.ply.gg
types-dozen.gl.at.ply.gg
unique-society.gl.at.ply.gg
unit-recognize.gl.at.ply.gg
united-introduce.gl.at.ply.gg
up-providence.gl.at.ply.gg
us-ddr.gl.at.ply.gg
use-coin.gl.at.ply.gg
v-funny.gl.at.ply.gg
vacation-joint.gl.at.ply.gg
virginia-efficiently.gl.at.ply.gg
war-shadows.gl.at.ply.gg
way-endif.gl.at.ply.gg
we-michelle.gl.at.ply.gg
weather-democracy.gl.at.ply.gg
were-eye.gl.at.ply.gg
west-nba.gl.at.ply.gg
which-isle.gl.at.ply.gg
white-edited.gl.at.ply.gg
whole-egyptian.gl.at.ply.gg
will-combinations.gl.at.ply.gg
will-just.gl.at.ply.gg
william-acceptance.gl.at.ply.gg
william-numerical.gl.at.ply.gg
windows-minutes.gl.at.ply.gg
with-harris.gl.at.ply.gg
works-copyrighted.gl.at.ply.gg
writing-operate.gl.at.ply.gg
x-rehab.gl.at.ply.gg
x-tamil.gl.at.ply.gg
yahoo-conventions.gl.at.ply.gg
year-mental.gl.at.ply.gg
yes-efficiently.gl.at.ply.gg
yet-experiences.gl.at.ply.gg
york-pavilion.gl.at.ply.gg
young-end.gl.at.ply.gg
youth-mac.gl.at.ply.gg

# Reference: https://x.com/galkofahi/status/1947990984580567097
# Reference: https://www.virustotal.com/gui/file/d0cecd8f7352cfffe4428d472a00572f9a455c5161e66708d62592de75c21b89/detection

220.158.233.40:8080
hoteljuly8.blogspot.com

# Reference: https://x.com/K_N1kolenko/status/1948714425940127993

103.42.30.170:7000
139.99.17.177:56001
147.124.215.237:7000
204.12.203.92:7000
85.203.4.232:22

# Reference: https://www.virustotal.com/gui/file/f49bd3933eb55e7f7280486545ba184a46c4d5431ace0e6bbd9ac8cbd23b939c/detection

144.172.117.86:7000

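# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2025-07-30)
# Note: much of this block is shared tunnelling / port-forwarding infrastructure: many ports on the same
# 147.185.221.x and 193.161.193.99 addresses, plus *.gl.at.ply.gg, *.portmap.io / *.portmap.host,
# *.pinggy.link and *.localto.net names. The 193.161.193.99 ports reappear as the numeric suffix of the
# portmap hostnames below. Only the exact ip:port or the full hostname is the indicator, never the bare
# address, and a hit is tied to the snapshot date above, since a tunnel may later be reassigned.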

http://37.193.56.178
http://77.81.142.4
http://8.210.41.102
103.59.160.219:7000
107.172.172.225:9981
138.124.183.163:7000
144.172.117.159:7000
144.172.117.86:7000
147.185.221.16:65157
147.185.221.22:24961
147.185.221.24:30232
147.185.221.26:27450
147.185.221.28:31675
147.185.221.29:19701
147.185.221.29:40945
147.185.221.29:58500
147.185.221.29:8081
147.185.221.30:13153
147.185.221.30:13258
147.185.221.30:13486
147.185.221.30:14829
147.185.221.30:15896
147.185.221.30:17602
147.185.221.30:18491
147.185.221.30:2368
147.185.221.30:24959
147.185.221.30:26979
147.185.221.30:27736
147.185.221.30:28761
147.185.221.30:29267
147.185.221.30:29438
147.185.221.30:30154
147.185.221.30:30317
147.185.221.30:34037
147.185.221.30:34773
147.185.221.30:34941
147.185.221.30:36171
147.185.221.30:38013
147.185.221.30:38215
147.185.221.30:39456
147.185.221.30:4545
147.185.221.30:55718
147.185.221.30:62304
147.185.221.30:6704
147.78.241.56:1002
154.219.109.235:7000
155.2.192.143:17172
157.90.209.107:7000
# NOTE(review): 162.159.128.233 sits inside 162.158.0.0/15, a range Cloudflare publishes as its own, so this
# is probably a shared front-end address rather than a dedicated C2 host. Verify the ThreatFox entry and
# keep any match scoped to the exact ip:port.
162.159.128.233:39102
167.160.161.140:1012
172.94.127.2:4000
178.173.244.230:6000
18.198.77.177:10992
185.117.249.43:7000
185.194.175.132:5000
190.111.98.100:3000
191.96.39.232:7000
192.159.99.85:6000
193.111.117.146:7000
193.142.146.158:7878
193.161.193.99:21519
193.161.193.99:27222
193.161.193.99:33300
193.161.193.99:38874
193.161.193.99:40602
193.161.193.99:41990
193.161.193.99:61863
193.181.41.17:66
193.233.113.45:6000
194.87.218.119:1985
195.177.94.216:22050
196.117.89.7:1515
196.251.118.54:1603
196.251.66.200:2024
196.251.86.104:7000
196.251.86.155:8059
196.251.88.52:66
196.251.92.97:7575
198.135.49.199:7071
2.59.133.45:7001
202.95.8.64:1688
206.123.145.172:7676
212.11.64.13:6000
216.250.249.182:4040
216.9.225.51:7000
23.95.206.253:7000
3.126.37.18:10320
3.127.59.75:10992
3.142.129.56:13961
31.56.79.71:7000
34.226.83.255:423
37.120.208.36:59482
37.120.208.37:59482
37.120.208.40:57625
38.240.61.187:1111
38.92.47.211:5353
45.134.142.6:57489
45.137.201.142:4444
45.137.98.69:111
45.141.26.115:7000
45.141.26.28:7000
45.141.26.28:9000
45.192.218.158:443
45.74.15.131:7000
45.88.186.227:7474
45.93.8.18:7493
45.93.8.18:9475
45.93.8.241:6743
45.93.8.241:9352
47.239.1.95:26868
5.101.81.65:8080
5.181.187.10:1337
5.8.19.3:8080
52.184.82.90:4449
62.108.211.197:8080
66.175.239.149:7000
73.179.34.234:5141
8.218.33.116:56122
83.143.112.30:3096
83.147.53.138:50000
83.229.17.54:1846
85.208.84.22:6000
86.52.147.40:6000
89.40.31.128:1111
91.219.239.22:7000
91.92.120.133:8467
92.222.100.197:7777
ageillaxnv.a.pinggy.link
alcapulco.duckdns.org
allinline.localto.net
alternative-corporate.gl.at.ply.gg
animal-expressions.gl.at.ply.gg
another-expedia.gl.at.ply.gg
anti-hardware.gl.at.ply.gg
beblbdzjhs.a.pinggy.link
below-activation.gl.at.ply.gg
between-tank.gl.at.ply.gg
body-conclusion.gl.at.ply.gg
british-perfectly.gl.at.ply.gg
browser-kansas.gl.at.ply.gg
button-genres.gl.at.ply.gg
carolina-collections.gl.at.ply.gg
cell-membership.gl.at.ply.gg
ch36efcnia2ct5.duckdns.org
children-hughes.gl.at.ply.gg
client-unusual.gl.at.ply.gg
comprovantt.ddns.net
crrypte-23119.portmap.io
cya8dfhb72hbgc2.dedyn.io
daily-iraqi.gl.at.ply.gg
database-bio.gl.at.ply.gg
desktop-gvd3u7o-nj.at.remote.it
dfsfdgsfgdsffdsg-20559.portmap.host
drglockz-48262.portmap.io
electronics-peaceful.gl.at.ply.gg
entertainment-remembered.gl.at.ply.gg
etc-probe.gl.at.ply.gg
existing-vincent.gl.at.ply.gg
facilities-queen.gl.at.ply.gg
fee-largest.gl.at.ply.gg
flyrbeengeek-25127.portmap.io
fpvxzvrzz-58282.portmap.host
geekyamir-60013.portmap.io
girls-projection.gl.at.ply.gg
graphics-discussions.gl.at.ply.gg
grayhatx69back.ddns.net
hotels-eq.gl.at.ply.gg
is-gas.gl.at.ply.gg
jazper-21519.portmap.host
jersey-marked.gl.at.ply.gg
jptech202.ddnsking.com
jun-assist.gl.at.ply.gg
kitchen-english.gl.at.ply.gg
kocorex-46341.portmap.io
line-pressing.gl.at.ply.gg
machine-resume.gl.at.ply.gg
mareczek123-27222.portmap.host
memory-julia.gl.at.ply.gg
mentirosaputa5-27719.portmap.host
modified-rebecca.gl.at.ply.gg
mrowx.gaclassics.com
myth0249-43397.portmap.io
n-colony.gl.at.ply.gg
nanoemailing-46446.portmap.host
notes-congress.gl.at.ply.gg
nov-transport.gl.at.ply.gg
photography-tools.gl.at.ply.gg
police-turkish.gl.at.ply.gg
prakashjadhav74738.ddns.net
prior-notification.gl.at.ply.gg
profile-indians.gl.at.ply.gg
program-neutral.gl.at.ply.gg
pulsarrr-33300.portmap.io
quick-corner.gl.at.ply.gg
realdot.ddns.net
release-deficit.gl.at.ply.gg
released-domain.gl.at.ply.gg
responsibility-occasion.gl.at.ply.gg
ripakslool.ddns.net
rndge-2a00-102a-506d-54c6-34d9-4f5e-8f2a-2e91.a.free.pinggy.link
sale-annie.gl.at.ply.gg
sirlegacy.duckdns.org
sirlegacy1.duckdns.org
sixx.hopto.org
started-brunswick.gl.at.ply.gg
states-jc.gl.at.ply.gg
take-reseller.gl.at.ply.gg
there-prozac.gl.at.ply.gg
thread-realistic.gl.at.ply.gg
troia23.ddns.net
updates-seal.gl.at.ply.gg
usa-objectives.gl.at.ply.gg
visa.identity-shield.org
wedding-camps.gl.at.ply.gg
windows-hold.gl.at.ply.gg
wisk43.top
zulo88.ddns.net
zxcmisha5963-26454.portmap.host

# Reference: https://x.com/skocherhan/status/1951998006686839018
# Reference: https://www.virustotal.com/gui/file/350e5eb84386300aa9320221b7d7ea036feab3e8222a1808cbff626abb364b11/detection

104.168.34.186:3058

# Reference: https://x.com/skocherhan/status/1952144284599321014
# Reference: https://www.virustotal.com/gui/file/b0e478c5ecb986d0ac03176f0e3cbcf06dc154e01c19b8302dff7e6662a10cd4/detection

http://104.233.236.65
137.220.229.14:8000
27.124.12.33:8000

# Reference: https://www.virustotal.com/gui/file/abf5666aa725d6bdc0931b8712d1e80bc2802363f4fdd2a67cd20c112226b7e6/detection

13.49.57.111:7000

# Reference: https://x.com/c_APT_ure/status/1958938566228418692
# Reference: https://www.virustotal.com/gui/file/19933bc6faa988772009db62b2e785ab07312fc815e32a7bb577bcd060c017c6/detection

193.187.90.27:61447

# Reference: https://x.com/smica83/status/1960629916317147556
# Reference: https://tria.ge/250827-k116ssap8w/behavioral1

147.185.221.31:28599
look-polo.gl.at.ply.gg

# Reference: https://x.com/smica83/status/1961333553888739808
# Reference: https://www.virustotal.com/gui/file/28e0dadc0dc36ecec05d62f4e61857e6c9ef1214fdbd1bee05f13ce258eff93c/detection
# Reference: https://www.virustotal.com/gui/file/6e90193b3a1993b1d37ce7fdddc4e1d86ccdf033a906afa5438e4f7601b047a7/detection
# Reference: https://www.virustotal.com/gui/file/9355d8a7f16b30b48156a5af9716bb9e80faaafe19cbb68fea943e5f43c49a13/detection
# Reference: https://www.virustotal.com/gui/file/9d31157fe6fa7213d4748532e5bbaeba3a2d64f9e7492f7632f5a4dc1fa0bca7/detection

152.249.49.176:7000
191.96.224.156:100
g100cf.ddns.net
g100jvcf.com.br

# Reference: https://x.com/smica83/status/1961332600213000620
# Reference: https://tria.ge/250829-jfksmstmx7/behavioral1

107.189.18.107:6000

# Reference: https://x.com/smica83/status/1961545293503381929
# Reference: https://www.virustotal.com/gui/file/275ec9cfb15d02fb150eafe5e173682ef7497ace5914f25826b428426f9019d6/detection
# Reference: https://www.virustotal.com/gui/file/a50b25cc57f43fa89aae0fe4689fe4da49aad0c7a0b64eb68740202fd5f648ec/detection
# Reference: https://www.virustotal.com/gui/file/14ab7e48a9658f0177003bfc52466d1219df32d375c5947a79a961a5aeec1f23/detection

147.45.216.236:1131
147.45.220.29:1131
185.250.181.34:1131
195.62.49.30:1131
5.101.152.161:1131
80.253.251.135:1131
fuckrat.ru
fuckrat.store

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2025-08-30)

http://100.42.176.116
http://190.111.98.100
http://54.36.174.140
100.28.201.155:8654
100.42.176.116:443
100.42.176.116:7000
103.133.109.20:5000
103.167.90.238:7000
103.186.64.206:54546
103.245.164.58:5045
103.246.106.129:7000
103.253.73.222:405
103.59.160.219:1337
103.74.105.147:2509
104.161.16.249:6000
104.168.32.88:12351
104.37.174.143:1111
107.150.0.5:6000
107.150.0.72:59012
107.174.34.147:6000
107.175.88.73:8085
108.181.154.141:5555
109.195.166.184:7777
121.54.190.51:7000
13.60.76.198:4449
13.60.76.8:7000
142.171.168.59:4441
143.14.44.222:505
143.14.44.97:505
143.179.70.221:4444
144.126.149.221:7000
144.172.102.103:6000
144.172.103.202:7000
146.103.41.2:7000
146.70.100.227:9779
146.70.127.215:9779
147.185.221.16:53143
147.185.221.19:11441
147.185.221.19:13063
147.185.221.19:18563
147.185.221.19:41037
147.185.221.20:24966
147.185.221.21:48812
147.185.221.23:24149
147.185.221.23:52320
147.185.221.23:65363
147.185.221.24:27521
147.185.221.27:61588
147.185.221.28:38949
147.185.221.28:45960
147.185.221.28:55400
147.185.221.28:56993
147.185.221.29:19921
147.185.221.29:22667
147.185.221.29:39431
147.185.221.29:40748
147.185.221.30:12498
147.185.221.30:1284
147.185.221.30:21479
147.185.221.30:29235
147.185.221.30:33370
147.185.221.30:33667
147.185.221.30:35161
147.185.221.30:35600
147.185.221.30:38998
147.185.221.30:39226
147.185.221.30:39982
147.185.221.30:43956
147.185.221.30:44183
147.185.221.30:4444
147.185.221.30:47053
147.185.221.30:49118
147.185.221.30:49235
147.185.221.30:49308
147.185.221.30:49848
147.185.221.30:50178
147.185.221.30:51135
147.185.221.30:51343
147.185.221.30:51495
147.185.221.30:52795
147.185.221.30:53227
147.185.221.30:54204
147.185.221.30:54440
147.185.221.30:55213
147.185.221.30:55790
147.185.221.30:56685
147.185.221.30:56803
147.185.221.30:57375
147.185.221.30:57741
147.185.221.30:58103
147.185.221.30:60177
147.185.221.30:60258
147.185.221.30:61961
147.185.221.30:61997
147.185.221.30:62724
147.185.221.30:64035
147.185.221.30:65365
147.185.221.30:6666
147.185.221.30:8080
147.185.221.31:10642
147.185.221.31:11257
147.185.221.31:12480
147.185.221.31:1333
147.185.221.31:13755
147.185.221.31:14210
147.185.221.31:14757
147.185.221.31:15503
147.185.221.31:15788
147.185.221.31:15923
147.185.221.31:16174
147.185.221.31:17264
147.185.221.31:17862
147.185.221.31:17951
147.185.221.31:20015
147.185.221.31:20703
147.185.221.31:23052
147.185.221.31:27604
147.185.221.31:33672
147.185.221.31:3884
147.185.221.31:5862
147.185.221.31:5929
147.185.221.31:6306
147.185.221.31:7788
147.185.221.31:9191
147.45.210.191:7000
147.50.253.17:9723
147.50.253.3:44784
147.93.177.187:35000
147.93.177.187:45500
152.249.16.126:7000
155.2.192.143:27322
155.94.155.42:6000
157.97.11.134:5500
160.250.132.204:7000
165.154.184.65:443
169.150.231.246:57744
172.245.21.131:3594
172.94.95.227:57843
173.208.138.247:7000
173.249.196.177:1111
174.138.185.97:25144
176.100.36.138:3389
176.100.36.138:8080
176.210.69.195:7777
178.156.190.164:6000
178.250.187.92:53569
178.255.148.204:66
178.255.148.229:66
178.255.148.247:66
18.153.198.123:11056
18.192.31.30:11056
18.192.31.30:15466
18.197.239.109:18211
18.198.77.177:13396
181.216.32.18:6000
181.41.200.38:6677
184.174.20.240:4782
184.75.208.58:6624
185.157.160.198:57744
185.157.162.101:1111
185.157.162.114:1111
185.157.163.136:57143
185.163.204.65:49257
185.196.8.31:6000
185.208.159.141:7000
185.208.159.143:6000
185.208.159.143:7879
185.241.208.142:6000
192.121.102.225:66
192.121.82.111:9779
192.121.82.11:9779
192.121.82.45:9779
192.121.82.48:9779
192.121.82.74:9779
192.159.99.244:1023
192.159.99.244:8080
192.169.69.26:6677
192.169.69.26:8989
192.241.251.248:7000
192.3.108.238:7000
193.111.117.146:6002
193.161.193.99:20172
193.161.193.99:23835
193.161.193.99:24280
193.161.193.99:27544
193.161.193.99:29763
193.161.193.99:29884
193.161.193.99:35702
193.161.193.99:41399
193.161.193.99:47328
193.161.193.99:50723
193.161.193.99:53109
193.161.193.99:53471
193.161.193.99:56365
193.161.193.99:61717
193.161.193.99:63091
193.161.193.99:64048
193.187.91.114:60875
193.187.91.217:60875
193.187.91.237:1111
193.19.207.241:8080
193.23.219.180:26504
193.23.3.121:4072
194.182.85.154:6262
194.26.192.155:443
195.177.94.248:4096
196.178.110.122:6000
196.251.115.86:1602
196.251.71.112:6000
196.251.73.126:23500
196.251.81.90:7000
197.167.45.118:4444
198.135.49.120:3281
198.135.50.224:9000
198.23.227.212:6000
2.56.165.179:51667
210.246.215.161:7000
212.11.64.130:3004
212.162.149.164:4018
213.209.150.111:24680
213.209.150.144:2483
23.27.98.151:3248
23.95.62.27:9090
# NOTE(review): 26.0.0.0/8 is registered to the US DoD and is reused as an overlay range by some VPN clients
# (Radmin VPN is the usual example); the same port 65363 is also listed for 147.185.221.23 in this block.
# This entry may therefore be a sample's overlay/LAN peer rather than an Internet-reachable C2. TODO confirm.
26.253.244.81:65363
27.124.12.33:441
27.50.63.9:441
3.121.139.82:13396
3.127.253.86:13396
3.137.60.53:18452
3.64.4.198:12027
3.69.115.178:18211
3.69.157.220:18211
3.71.225.231:15466
3.74.27.83:15466
3.74.27.83:17355
3.78.28.71:17355
31.13.190.2:26842
31.56.48.161:5555
31.6.50.184:7000
34.41.139.193:31166
35.158.159.254:13396
35.198.17.120:6000
35.247.211.6:6000
# NOTE(review): the next two entries are the same endpoint written twice. ':0147' carries a leading zero;
# observed traffic is presumably compared against the plain decimal port, so that form likely never
# matches. TODO confirm against the feed and keep only ':147'.
38.18.229.238:0147
38.18.229.238:147
4.227.176.96:6000
41.185.18.178:7000
43.249.33.236:6631
44.201.126.95:1177
45.11.229.51:8080
45.134.140.68:53569
45.137.98.176:111
45.137.98.178:1234
45.138.183.59:7000
45.141.215.14:1488
45.141.26.133:5000
45.141.26.47:7000
45.148.18.44:57489
45.200.148.216:7001
45.204.214.131:6666
45.45.237.43:4782
45.61.149.6:7777
45.77.91.238:11452
45.83.207.35:7000
45.83.31.116:7000
45.93.8.18:5873
46.183.187.211:7108
46.246.14.3:49780
47.239.1.95:16868
49.228.131.165:2426
49.228.131.165:2429
5.101.81.65:31166
5.141.88.140:7565
5.175.234.28:7000
5.231.25.213:7000
52.57.120.10:15466
52.57.120.10:17355
56.125.150.97:21072
58.9.110.23:18067
62.199.104.186:7777
66.118.245.210:6522
66.63.187.176:6464
67.21.33.179:6000
72.14.201.229:3000
74.249.9.7:6000
75.56.172.215:7000
78.140.240.104:5555
78.190.135.102:6000
79.110.49.180:8765
79.110.49.49:6262
81.115.92.172:6000
82.115.211.253:1111
82.26.74.39:1212
82.26.74.39:7000
83.136.210.100:963
83.136.210.73:963
84.17.43.238:41
85.223.115.251:4444
87.242.106.13:54193
89.213.177.113:52039
89.213.177.246:7000
89.40.31.246:1111
89.40.31.59:1111
91.196.35.130:6000
91.199.42.157:7000
91.219.238.142:7000
92.108.104.148:4444
92.113.146.251:9944
93.149.216.26:6000
93.183.72.95:8080
94.141.122.240:6000
94.154.35.71:2025
94.19.26.210:5000
95.99.191.85:4444
23.ip.gl.ply.gg
304af9c5bac4.ngrok-free.app
3zoz.duckdns.org
6mzdf1z0w.localto.net
ability-vb.gl.at.ply.gg
access.skaparade.com
account-reached.gl.at.ply.gg
activities-essays.gl.at.ply.gg
age-restriction.gl.at.ply.gg
airport-lottery.gl.at.ply.gg
an-schema.gl.at.ply.gg
and-build.gl.at.ply.gg
antique-proper-prizes-civilian.trycloudflare.com
anything-desired.gl.at.ply.gg
applications-designer.gl.at.ply.gg
approved-ccd.gl.at.ply.gg
arch.wsf-steel.com
artist-singing.gl.at.ply.gg
assistance-commissions.gl.at.ply.gg
association-fairfield.gl.at.ply.gg
august-ibm.gl.at.ply.gg
australia-additionally.gl.at.ply.gg
author-pine.gl.at.ply.gg
authors-recall.gl.at.ply.gg
bbyus.ooguy.com
bckstark54.duckdns.org
been-club.gl.at.ply.gg
beginning-chancellor.gl.at.ply.gg
berlin101.com
besrrt345-28765.portmap.io
bigwso.playit.love
both-windsor.gl.at.ply.gg
break-analytical.gl.at.ply.gg
businesses-extensive.gl.at.ply.gg
cable-aged.gl.at.ply.gg
case-physically.gl.at.ply.gg
casino-truth.gl.at.ply.gg
categories-figure.gl.at.ply.gg
center-everything.gl.at.ply.gg
channel-expectations.gl.at.ply.gg
choice-copyrighted.gl.at.ply.gg
club-argue.gl.at.ply.gg
co-homeless.gl.at.ply.gg
condition-furniture.gl.at.ply.gg
conditions-ripe.gl.at.ply.gg
countries-degree.gl.at.ply.gg
course-admission.gl.at.ply.gg
credit-destroyed.gl.at.ply.gg
cross-editor.gl.at.ply.gg
dc-historic.gl.at.ply.gg
dead-weblogs.gl.at.ply.gg
design-jordan.gl.at.ply.gg
discussion-announcement.gl.at.ply.gg
documents-here.gl.at.ply.gg
domain-canon.gl.at.ply.gg
duskesthostplug.duckdns.org
edpisblacklmfao-38234.portmap.host
either-occurs.gl.at.ply.gg
engine-decide.gl.at.ply.gg
engineering-consensus.gl.at.ply.gg
english-decimal.gl.at.ply.gg
enterprise-confirm.gl.at.ply.gg
expected-sleeps.gl.at.ply.gg
ezlolsrealisgood-64048.portmap.host
facilities-arizona.gl.at.ply.gg
female-ebay.gl.at.ply.gg
few-mines.gl.at.ply.gg
fewafef-61686.portmap.host
finance-over.gl.at.ply.gg
flipbaker-35783.portmap.host
florida-enquiries.gl.at.ply.gg
focus-princeton.gl.at.ply.gg
follow-absent.gl.at.ply.gg
form-saver.gl.at.ply.gg
format-joining.gl.at.ply.gg
francisco-play-it-reai.play.it.gg
friendly-mercy.gl.at.ply.gg
friends-optional.gl.at.ply.gg
fucktheworlds.duckdns.org
gmt-prevention.gl.at.ply.gg
gnggyurfucked-32857.portmap.host
googlei.zapto.org
hardware-planned.gl.ply.gg
he-purchased.gl.at.ply.gg
heart-hunger.gl.at.ply.gg
hexa.dnsframe.com
heyguyswelcomebacktoanotheryoutubevideo-23337.portmap.host
hospital-harvest.gl.at.ply.gg
hostermasterplug.duckdns.org
hosterphobic.duckdns.org
however-extends.gl.at.ply.gg
image-advantage.gl.at.ply.gg
inc-changes.gl.at.ply.gg
items-ana.gl.at.ply.gg
its-nil.gl.at.ply.gg
itzprocabal.ddns.net
jacknourssss.duckdns.org
job-danish.gl.at.ply.gg
jynx404-53109.portmap.host
kakarik-32070.portmap.host
larger-farmers.gl.at.ply.gg
laserjet-32220.portmap.host
last-get.gl.at.ply.gg
late-researcher.gl.at.ply.gg
least-revised.gl.at.ply.gg
lines-clothes.gl.at.ply.gg
lines-jordan.gl.at.ply.gg
linux-seminars.gl.at.ply.gg
lk7799.duckdns.org
longlife.theworkpc.com
looking-harley.gl.at.ply.gg
love-interpreted.gl.at.ply.gg
mar-cant.gl.at.ply.gg
may-steering.gl.at.ply.gg
maybe-declared.gl.at.ply.gg
md-mean.gl.at.ply.gg
mflo2t-24280.portmap.host
million-sanyo.gl.at.ply.gg
monstr.ddns.net
morning-divorce.gl.at.ply.gg
mr-fold.gl.at.ply.gg
msi.tail65a1e3.ts.net
multi-designing.gl.at.ply.gg
needed-otherwise.gl.at.ply.gg
newstark54.duckdns.org
ngdgbedgtw-35702.portmap.host
ngdgbedgtw-61717.portmap.host
noniggersallowed.ddns.net
nonononon-23162.portmap.host
normal-cheese.gl.at.ply.gg
notes-creates.gl.at.ply.gg
now-sight.gl.at.ply.gg
numbers-sally.gl.at.ply.gg
official-ol.gl.at.ply.gg
only-standing.gl.at.ply.gg
open-tyler.gl.at.ply.gg
opinion-stolen.gl.at.ply.gg
optimra.ddns.net
owners-nevada.gl.at.ply.gg
oxford-sri-fast-eve.trycloudflare.com
paris-cds.gl.at.ply.gg
phentermine-institute.gl.at.ply.gg
privatedns.jiahouse.com
programme-newspaper.gl.at.ply.gg
programs-realty.gl.at.ply.gg
public-radios.gl.at.ply.gg
pvpz-th.com
qwerty1223.ddns.net
rat.kvlar.my.id
rattix01228-28247.portmap.host
really-disease.gl.at.ply.gg
regional-around.gl.at.ply.gg
releases-nitrogen.gl.at.ply.gg
reply-suits.gl.at.ply.gg
resolution-onto.gl.at.ply.gg
responsible-hostel.gl.at.ply.gg
restaurant-do.gl.at.ply.gg
restaurants-colonial.gl.at.ply.gg
richard-down.gl.at.ply.gg
river-kentucky.gl.at.ply.gg
rule-passport.gl.at.ply.gg
say-domains.gl.at.ply.gg
schedule-pci.gl.at.ply.gg
school-everyday.gl.at.ply.gg
search-shuttle.gl.ply.gg
series-segments.gl.at.ply.gg
shadow2515.duckdns.org
ship-miscellaneous.gl.at.ply.gg
should-medications.gl.at.ply.gg
similar-meta.gl.at.ply.gg
simple-commerce.gl.at.ply.gg
single-peninsula.gl.at.ply.gg
sl1qmc-46509.portmap.host
snfers-56365.portmap.host
snxppyz.ddns.net
sqcorporation-40357.portmap.host
st-yea.gl.at.ply.gg
stage-edinburgh.gl.at.ply.gg
standard-seas.gl.at.ply.gg
started-knives.gl.at.ply.gg
stop-butterfly.gl.at.ply.gg
structure-nov.gl.at.ply.gg
stubbb.airdns.org
studentessaywriting.org
study-leasing.gl.at.ply.gg
suezax50.ddns.net
svhost56.duckdns.org
system63.linkpc.net
technical-harder.gl.at.ply.gg
technical-multi.gl.at.ply.gg
term-dimension.gl.at.ply.gg
therefore-nothing.gl.at.ply.gg
things-uses.gl.at.ply.gg
third-threaded.gl.at.ply.gg
thomas-giant.gl.at.ply.gg
thought-geology.gl.joinmc.link
told-accomplished.gl.at.ply.gg
too-decorating.gl.at.ply.gg
trabalhoescolar7.ddns.net
type-modules.gl.at.ply.gg
union-victor.gl.at.ply.gg
unit-consultancy.gl.at.ply.gg
usa-kruger.gl.at.ply.gg
vmi2025279.contaboserver.net
vxnishhisbacl-53480.portmap.host
w3hhhhh-44281.portmap.host
waitdriverupdating.sytes.net
wealthyblessed.minhaempresa.tv
wedding-outputs.gl.at.ply.gg
well-interface.gl.at.ply.gg
when-assumed.gl.at.ply.gg
where-pleasure.gl.at.ply.gg
whiteshadow1-47388.portmap.host
windowsmanager-53471.portmap.host
xfini900.duckdns.org
xmbless25.duckdns.org
xvskill6.duckdns.org
xworm.webredirect.org
xworm7.duckdns.org
xwormblast6.duckdns.org
xwormlogs8.duckdns.org
xwormlover69-40917.portmap.host
xwormv7.duckdns.org
yet-format.gl.at.ply.gg
ync9i5fv1.localto.net
zdqxdcj7s.localto.net
zvvyf9zn8.localto.net

# Reference: https://x.com/FalconFeedsio/status/1962494410471739490
# Reference: https://www.virustotal.com/gui/file/a625424940d852f1f895abb71a4da54742f06de957212e069073708a76bb0bb7/detection
# Reference: https://www.virustotal.com/gui/file/9627773e29b0bdc974c5646a581e9c7b9f9877b827c075228d0927d3bf5e6291/detection
# Reference: https://www.virustotal.com/gui/file/32f5cf83ba26d06856b595a75e791c5716357a69320c2d3d045fa1eca4b686bb/detection

computers-favorite.gl.at.ply.gg

# Reference: https://x.com/FalconFeedsio/status/1962494410471739490
# Reference: https://www.virustotal.com/gui/file/3fa8e871235bff7f1d610abf1ea839e089feb3d458e25c4b1f51cf234baffad8/detection

80.98.145.41:7777
rat.varrisdom.uk

# Reference: https://x.com/1ZRR4H/status/1965218219616350544
# Reference: https://www.virustotal.com/gui/file/dd02a90046f25dc155dbf80cbfabea52453c9ea377eb14a0590217a55bbe2c03/detection

178.156.139.48:7000

# Reference: https://x.com/K_N1kolenko/status/1966463004431495468

13.62.18.15:1607
2.58.113.45:1099
23.254.138.236:4090
31.57.97.188:666
45.153.34.31:7000
51.20.130.172:6000
77.83.207.225:4404
77.90.153.251:8808
85.208.84.90:4413

# Reference: https://x.com/K_N1kolenko/status/1966462955253309858

107.175.214.47:5555
164.92.197.38:1478
192.227.246.79:2121
193.233.112.145:7000
92.118.235.112:3004
94.141.122.169:8081

# Reference: https://www.virustotal.com/gui/file/0cb55e92ae62be03f9809e072b5e073ec653351c3cea0e3b5df229177d465031/detection

193.161.193.99:61544
let12345-61544.portmap.io

# Reference: https://www.virustotal.com/gui/file/1f8d4b3d3ea61920bfcb36cb68054d754be5230967ca63d536ed4b7bb8081faa/detection

105.116.10.241:26820
xworm6.ddns.net

# Reference: https://www.virustotal.com/gui/file/b3741c629723b9dc0da8fa86ab9af776d04ff59b8a6f3f5c3e4b3be5f054b70e/detection

185.34.101.217:6000
porna.shop
pubshierstext.top

# Reference: https://x.com/skocherhan/status/1966885839352516720
# Reference: https://www.virustotal.com/gui/file/d9690c21f5caaa11d87645fbfbf35abaf2a65f21613afcd78b41b25bd2e1878d/detection

193.161.193.99:46701
193.161.193.99:49720
193.161.193.99:49721
omnizplsr-46701.portmap.host

# Reference: https://www.virustotal.com/gui/file/abb2f9bdd57bf8ea4e09f93845e6e72fe963832fa3a82f089031c952c7e897e0/detection

178.16.53.106:8585

# Reference: https://x.com/K_N1kolenko/status/1968956469765628336

178.16.53.106:2323
191.101.30.34:7000
191.96.225.213:8510
192.227.246.80:2020
193.124.205.25:9896
196.251.71.73:1177
206.0.29.48:1337

# Reference: https://x.com/smica83/status/1970597567814680968
# Reference: https://tria.ge/250923-z1v24swmv7/behavioral1

8.208.101.138:10640
# NOTE(review): '1.tcp.eu.cpolar.io' looks like a shared regional relay name of the cpolar tunnelling
# service rather than a per-tenant host; the individual tunnel is identified by the port (10640 above).
# A hostname-only hit can also come from unrelated users of the relay, so treat it as low confidence
# unless the port matches.
1.tcp.eu.cpolar.io

# Reference: https://www.virustotal.com/gui/file/78c61b373368f0550880b2dcbffb0b2bb1469f3dc79fc51545debfb2f814857f/detection

147.185.221.211:43317
resources-formerly.gl.at.ply.gg

# Reference: https://x.com/smica83/status/1973293685757686147
# Reference: https://www.virustotal.com/gui/ip-address/91.195.240.123/relations
# Reference: https://www.virustotal.com/gui/file/121bd4dd983fa1b5e88d9d5be06d0cc4bd3db22a59c469225e1bc67d42585784/detection
# Reference: https://www.virustotal.com/gui/file/84694e71590ad7c37f1fb6a4b7503b8862b1ebed807a27922f4b23fe597df24c/detection

45.88.186.166:15000
winsupport.life
winsupport.lol
killkill.myftp.biz

# Reference: https://www.virustotal.com/gui/ip-address/193.233.113.101/relations
# Reference: https://www.virustotal.com/gui/file/78936695fbf715ee3ff8601a276ca1bfb94e64e4f5f7d7d078cae06b812dd18f/detection

193.233.113.101:6000
193.233.113.101:7000

# Reference: https://x.com/K_N1kolenko/status/1975821842930933797

107.172.135.10:4231
107.174.142.123:3344
146.19.168.205:6000
151.244.72.52:900
154.61.76.233:7000
216.250.253.99:2478
216.9.227.107:1122
5.226.191.150:6000
91.92.242.128:7000
91.92.242.148:1070
96.44.154.196:7000

# Reference: https://x.com/ShanHolo/status/1976552034372551068
# Reference: https://www.virustotal.com/gui/file/1ec9f265393c0426e0adf8b4b0297799d2cc15275e613e6d6ade15464402a256/detection
# Reference: https://www.virustotal.com/gui/file/0e1e4b2ccb59786d3de92778fea244332199424ceac75ce2a59b8ff9188ae175/detection

196.251.70.87:2799
5.253.59.191:7765
speculabilder.online

# Reference: https://x.com/smica83/status/1978527113603948754
# Reference: https://x.com/JAMESWT_WT/status/1978794960225718730
# Reference: https://www.virustotal.com/gui/file/55f0282a2ae7452df3beab54739db21f2be705206295627ad23cfa4e115e44bb/detection

192.64.119.150:3991
196.251.72.179:3991
196.251.73.253:3991
5.253.59.191:5815
5.253.59.191:6691
medicoolpart.com
quicolozada.online

# Generic
# The entries below are URL path fragments, not hosts: file and directory names (XWorm-named archives and
# folders, XClient.exe, a /samninja666/ directory) that are not tied to any address listed above.
# Presumably they are matched against the path of observed HTTP requests regardless of destination,
# so a hit needs the destination host checked before it is attributed to this family.
# NOTE(review): '/XWorm%20V5.4rar' has no '.' before 'rar', unlike the '.7z' entry above it. This is
# possibly a typo for '.rar'; confirm against the original source.

/XWorm%20V3.1/
/XWorm%20V3.1.7z
/XWorm%20V5.4rar
/Xworm-V5.6/
/XClient.exe
/samninja666/
/samninja666/test1/
