# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/

thlsystems.forfirst.cz
mafra.go.kr.jeojang.ga

# Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/?mid=1
# Reference: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf

34.214.99.20/view_style.php
137.74.41.56/board.php
kingkoil.com.sg/board.php
kingkoil.com.sg/query.php

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
# Reference: https://twitter.com/bkMSFT/status/1093109336740642816

llpsearch.com
miphomanager.com

# Reference: https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/

071790.000webhostapp.com
7077.000webhostapp.com
881.000webhostapp.com
hanbosston.000webhostapp.com
vnik.000webhostapp.com
a7788.1apps.com
attach10132.1apps.com
bluemountain.1apps.com
filer1.1apps.com
s8877.1apps.com
# NOTE(review): "files.000" is not a valid hostname, and "webhost.com" three lines below is a bare
# registrable domain. The two look like a single entry that was broken apart (the two ftp.* lines
# sit between the fragments). As listed, "webhost.com" would presumably flag all traffic to that
# domain (false-positive risk) while the intended indicator is not covered. Verify against the
# reference for this group before relying on these entries.
files.000
ftp.byethost7.com
ftp.byethost10.com
webhost.com
webmail-koryogroup.com
61.14.210.72:7117

# Reference: https://twitter.com/blackorbird/status/1107214927402418176
# Reference: https://twitter.com/blackorbird/status/1107479347013672960

ddlove.kr/bbs/dta/1

# Reference: https://twitter.com/blackorbird/status/1082553543280680962

ago2.co.kr/bbs/data/dir

# Reference: https://twitter.com/blackorbird/status/1100691198346354688

46.29.163.222:9999

# Reference: https://otx.alienvault.com/pulse/5c9a457b3acc7f0eba431c81
# Reference: https://www.recordedfuture.com/scanbox-framework-campaign/

mailshield.ga
mail.mailshield.ga
monlamlt.com
oppo.ml
photogram.ga
tibct.net
tibct.org
tracking.dgip.gov.pk

# Reference: https://twitter.com/ClearskySec/status/1055404788635103232
# Reference: https://www.clearskysec.com/iec/

host-gv.appspot.com
journey-in-israel.com
iecr.co
iec-co-il.com
israelalerts.us
israelalert.us
pokemonisrael.yolasite.com
sourcefarge.net
users-management.com
ynetnewes.com

# Reference: https://twitter.com/ClearskySec/status/971454423548530688

baoin.baotintu.com
chinhtri.tourismas.com
kinhte.baotintu.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-12: Malicious Invoice of Telcel Mexican Telecommunication Company)

bambi.sytes.net

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-06: Iranian Greenbug targeting against Arab Emirates - Invoice-NO48935.doc)

acrobatverify.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-1-1: Campaign targeting Turkey with fake purchase order requests, drops low detection Java malware)

gorevleriyok.com

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (Chinese)

# NOTE(review): only entry in this file with an upper-case letter. Hostnames are case-insensitive,
# so confirm the consuming tool normalises case; otherwise this entry may never match.
Jospubs.com

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

digi-cert.org
somtelnetworks.com
geotrusts.com
secureclientupdate.com
digicertweb.com
sport-pesa.org
itaxkenya.com
businessdailyafrica.net
infotrak-research.com
nairobiwired.com
k-24tv.com

# Reference: https://twitter.com/blackorbird/status/1132884799310319616
# Reference: http://blogs.360.cn/post/APP_Plugin.html
# Reference: https://securelist.com/whos-who-in-the-zoo/85394/
# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf

# NOTE(review): these four entries carry an "http://" scheme, unlike the other IP entries in this
# file (e.g. 34.214.99.20/view_style.php, 46.29.163.222:9999). Confirm the consuming tool strips
# or tolerates the scheme; if it compares entries literally against hosts, these may never match.
http://5.61.27.154
http://5.61.27.157
http://5.61.27.173
http://91.109.23.175
androidupdaters.com
adobeactiveupdates.com
adobeactiveupdate.com
adobeseupdater.com
dlgmail.com
dlstube.com
dlstubes.com
entekhab10.xp3.biz
googleupdators.com
rhubarb2.com
rhubarb3.com
solar64.xp3.biz

# Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

# Aliases: brave prince, gold dragon, ghost419

eodo1.000webhostapp.com
follow_dai.000webhostapp.com
trydai.000webhostapp.com
followgho.byethost7.com
ink.inkboom.co.kr
nid-help-pchange.atwebpages.com

# Reference: https://twitter.com/jq0904/status/1137362044271730694

hellojames.sportsontheweb.net

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/
# Reference: https://otx.alienvault.com/pulse/5d0276b98d2d7d679ed51fa2

tenchier.com
pilutce.com
miniast.com
boreye.com

# Reference: http://www.issuemakerslab.com/research2/index.html

pyeonta.com/board/news/board.asp
sdajunghwa.com/admin/data/admindata.asp
patentmall.net/goods/goods.asp
orentcar.com/rental/sub06.asp

# Reference: https://twitter.com/blackorbird/status/1141302473623105536

soportearus.com.co
# NOTE(review): path-only entry with no host. It may be the path that belongs to the host on the
# previous line. On its own it would presumably match this path on any host, so confirm against
# the reference whether a host-independent match is intended.
/arus_collect.php

# Reference: https://twitter.com/DbgShell/status/1146012416968417280
# Reference: https://research.checkpoint.com/operation-tripoli/ (Operation Tripoli)

aarasid.com/libya/index.html
clientstats.epss.org.ly
dexter-ly.com
dexter-ly.space
drpc.duckdns.org
forum.myvnc.com
kalifhaftar.blogspot.com
libyanews111.blogspot.com
libya-10.com.ly
sirtggp.com/libyanew/index.html

# Reference: https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018
# Reference: https://otx.alienvault.com/pulse/5d1e0531908ea7d506ce9839

loge.otzo.com
vvcxvsdvx.dynamic-dns.net

# Reference: https://otx.alienvault.com/pulse/5d23054ff45f6eb94e824460
# Reference: http://blog.ptsecurity.com/2019/07/ironpython-darkly-how-we-uncovered.html
# Reference: https://static.ptsecurity.com/phdays/presentations/phdays-9-ironpython-on-the-dark-side-the-silent-trio-from-croatia.pdf

# NOTE(review): the next entry carries an "http://" scheme while the IP:port entry after it does
# not. Confirm the consuming tool strips or tolerates the scheme; otherwise it may never match.
http://198.46.182.158
176.105.255.59:8089
konzum.win
postahr.online
postahr.vip
posteitaliane.live
