# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html

# Reference: https://securityaffairs.co/wordpress/75793/cyber-crime/cobalt-campaign-russia-romania.html

apstore.info

# Reference: https://www.group-ib.com/blog/renaissance

# Reference: https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint

# Reference: https://www.zdnet.com/article/cobalt-threat-group-serves-up-spicyomelette-in-bank-attacks/

/DOC2018.js

# Reference: http://blog.morphisec.com/cobalt-gang-2.0

e-dropbox.biz
server.vestacp.kz

# Reference: https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/

# Reference: https://www.symantec.com/blogs/threat-intelligence/african-financial-attacks

moneygram.servehttp.com

# Reference: https://twitter.com/James_inthe_box/status/1104730265442631680

89.105.202.62:1080

# Reference: https://twitter.com/ReaQta/status/1035512616121192448
# Reference: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/

mail.hotmail.org.kz
/owalanding/ajax.php

# Reference: https://twitter.com/VK_Intel/status/1112981694846586880

http://89.105.198.28/updates.rss
http://89.105.198.28/command.php
http://89.105.198.28/submit.php

# Reference: https://twitter.com/vxsh4d0w/status/1119241467216707584
# Reference: https://pastebin.com/DJkTEscy

dacinda.info

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ (# CobaltGoblin/EmpireMonkey)

riscomponents.pw
nlscdn.com
