# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt23, apt-c-23, micropsia, pierogi, AridViper

# Reference: https://www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-1
# Reference: https://www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2
# Reference: https://content.connect.symantec.com/sites/default/files/2018-08/APT-C-23%20IOCs.pdf (Appendix)

1jve.com
aamir-khan.site
accaunts-googlc.com
accountforusers.website
accountforuser.website
account-gocgle.com
account-googlc.com
accounts-gocgle.com
accounts-googlc.com
accountusers.website
accuant-googlc.com
activedardash.club
alain.ps
alisonparker.club
android-settings.info
apkapps.pro
apkapps.site
appchecker.us
appuree.info
arthursaito.club
aryastark.info
aslaug-sigurd.info
assets-acc.club
bbc-learning.com
bellamy-bob.life
bestbitloly.website
billy-bones.info
bitgames.world
black-honey.club
bob-turco.website
buymicrosft.com
camilleoconnell.website
caroline-nina.com
cassy-gray.club
cecilia-dobrev.com
cecilia-gilbert.com
cerseilannister.info
chat-often.com
christopher.fun
claire-browne.info
clarke-griffin.info
clarke-taylor.life
daario-naharis.info
dachfunny.club
dachfunny.us
dardash.club
dardash.fun
dardash.info
dardash.live
david-mclean.club
david-moris.website
davina-claire.xyz
davos-seaworth.info
debra-morgan.com
donna-paulsen.info
easyshow.fun
eleanor-guthrie.info
eleanorguthrie.site
engin-altan.website
esofiezo.website
everyservices.space
exvsnomy.club
ezofiezo.website
face-book-support.email
fasebcck.com
fasebock.info
fasebook.cam
fasebookvideo.com
fatehmedia.site
firesky.site
flirtymania.fun
freya.miranda-barlow.website
geny-wise.com
gmailservice.us
graceygretchen.info
hareyupnow.club
harper-monty.site
harrykane.online
harvey-ross.info
hayleymarshal.com
hazel-grace.info
hctmial.com
hcttmail.com
help-live.club
help-sec.club
heyapp.website
hitmesanjjoy.pro
hoopoechat.com
hotimael.com
hotmailme.website
italk-chat.com
italk-chat.info
jack-wagner.website
james-charles.club
jimmykudo.online
john-brown.website
jon-snow.pro
jorah-mormont.info
joycebyers.club
juana.fun
kaniel-outis.info
karenwheeler.club
kate-austen.info
katesacker.club
katie.party
kik-com.com
kristy-milligan.website
lagertha-lothbrok.info
leonard-kim.website
leslie-barnes.website
lets-see.site
lexi-branson.website
lincoln-blake.website
lindamullins.info
liz-keen.website
login-yohoo.com
lord-varys.info
lyanna-stark.info
mail-accout.club
mail-goog1e.com
mail-mofa-pna.com
mail-pmi-pna.com
mail-police-sec.com
mail-presidency.com
margaery-tyrell.info
maria-bouchard.website
marklavi.com
mary-crawley.com
masuka.club
matthew-stevens.club
mauricefischer.club
max-eleanor.info
maxlight.us
max-mayfield.com
mediauploader.info
meetme.cam
meet-me.chat
men-ana.fun
michael-keaton.info
miranda-barlow.website
miwakosato.club
mofa-help.site
moneymotion.club
myboon.website
mygift.site
mygift.website
namybotter.info
namyyeatop.club
natemunson.com
new.filetea.me
nightchat.fun
nightchat.live
nissour-beton.com
octavia-blake.world
olivia-hartman.info
oriential.website
ososezo.club
ososezo.site
parrotchat.co
pmi-pna.com
pml-help.site
pml-sac.info
pmo-gov.info
police-sec.club
police-sec.info
pure-talk.com
rachel-green.info
ragnar-lothbrok.info
ran-togomory.com
redirect-wa.com
rexkatsugeki.info
richard-hines.website
rocket-chat.com
rose-sturat.info
ross-gelller.info
sahemnews.dynamicdns.co.uk
sahem.pcanywhere.net
sanblitch.club
sanjynono.website
sapport-accounts.com
saratancredi.info
sec-acoaunt.com
sec-outluck.com
secureaccountes.com
selin-yilmaz.info
sendbird-chat.com
serv2.sandtengineers.info
shahrukh-khan.club
shailene-hazel.life
shailene-tris.xyz
sherlock-holmes.club
shortupload.com
show-me.fun
so-chat.org
sophie-deverau.xyz
sopotfile.website
spgbotup.club
sportliner.website
sybil-parks.info
tawjihi2018.site
tellme.site
top4up.website
tyrion-lannister.info
upload999.com
useraccount.website
usr-accounts-validation.pw
victor-stewart.info
wab-watzapp.com
wab-whtsap.com
wa-loading.com
websetting.me
web-wnatzapp.com
web-wtsapp.com
wes-gibbins.com
whatsaapp.us
whatsapps.cam
whatsusers.fun
whatzopp.com
whispers-talk.com
white-hony.online
whowatchyou.com
win-laive.com
winlife.host
world-cup-live-2018.stream
yahaoa.com
yohoa-users.com
youngmija.club
young-spencer.com
zachlieberman.club
zee-player.com
zee-player.website

# Reference: https://research.checkpoint.com/apt-attack-middle-east-big-bang/

exvsnomy.club
namyyeatop.club
spgbotup.club
lindamullins.info
namybotter.info
hitmesanjjoy.pro
ezofiezo.website
sanjynono.website

# Reference: https://twitter.com/ClearskySec/status/1022767002925129730
# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-07-27: APT-C-23 Infrastructure and Micropsia samples)

steve-harrington.com
sophie-deverau.xyz
shailene-tris.xyz
shailene-hazel.life
max-mayfield.com
mauricefischer.club
margaery-tyrell.info
alisonparker.club
young-spencer.com
dardash.club
joycebyers.club
harvey-ross.info
davina-claire.xyz
arthursaito.club

# Reference: https://twitter.com/ClearskySec/status/1067109104492134400
# Reference: https://blog.radware.com/security/2018/07/micropsia-malware/

samwinchester.club

# Reference: https://twitter.com/ClearskySec/status/984700415055925248

relationalsystems.net

# Reference: https://twitter.com/jeFF0Falltrades/status/1132684186446438405

katesalinas.icu

# Reference: https://twitter.com/VK_Intel/status/1142498510845202440
# Reference: https://twitter.com/P3pperP0tts/status/1142760589871259649
# Reference: https://pastebin.com/djxQAE08
# Reference: https://www.virustotal.com/gui/file/345b706ead4b917138c8e8aff0ca5526ee7738f67c19e0d9b2ab5487c90cf547/detection

nfstate.club
fasstt.space
powzip.club
gtmake.info
pre23sence.club

# Reference: https://unit42.paloaltonetworks.com/unit42-badpatch/

pal4u.net
pal2me.net
pay2earn.net
shop8d.net
ts4shope.net
pal4news.net

# Reference: https://www.fortinet.com/blog/threat-research/badpatch-campaign-uses-python-malware.html
# Reference: https://otx.alienvault.com/pulse/5db3616a90ebed5e230cb2d5

tstapi.pal4u.net

# Reference: https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor
# Reference: https://otx.alienvault.com/pulse/5e451c74a860e7f82bef4bc6

linda-callaghan.icu
nicoledotson.icu

# Reference: https://twitter.com/blackorbird/status/1229245744109850624
# Reference: https://www.virustotal.com/gui/file/d095f39823656a99b7bd7d9ad132d5aabbf59862a86253ce067329a491590d13/detection
# Reference: https://www.virustotal.com/gui/ip-address/68.65.121.44/relations
# Reference: https://www.virustotal.com/gui/ip-address/198.54.117.211/relations

68.65.121.44:1883
68.65.121.44:443
198.54.117.211:1883
198.54.117.217:1883
198.54.117.215:1883
198.54.117.212:1883
198.54.117.218:1883

# Reference: https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/
# Reference: https://otx.alienvault.com/pulse/5e4a58ac2cf3129eb287becc

catchansee.com

# Reference: https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/

cecilia-gilbert.com
david-gardiner.website
digital-apps.store
javan-demsky.website
linda-gaytan.website

# Reference: https://twitter.com/malwrhunterteam/status/1314253545982525440
# Reference: https://twitter.com/ShadowChasing1/status/1314490418516508673
# Reference: https://www.virustotal.com/gui/file/d2724090e873775aeb0eb0e12c2d65ac43a7e6e608fdc4f3d74fa79ca85e468f/detection

whispers-talk.site

# Reference: https://twitter.com/ShadowChasing1/status/1314530949770559489
# Reference: https://www.virustotal.com/gui/file/2d03ff4e5d4d72afffd9bde9225fe03d6dc941982d6f3a0bbd14076a6c890247/detection
# Reference: https://www.virustotal.com/gui/file/2b70045d4878a20b8fca568c0b3414f2d255f3b2a7dfed85c84cf88d1b2f4e74/detection

ruthgreenrtg.live

# Reference: https://twitter.com/malwrhunterteam/status/1316365476042338306
# Reference: https://twitter.com/LukasStefanko/status/1316395809055944704
# Reference: https://twitter.com/ShadowChasing1/status/1316706683108782080
# Reference: https://www.virustotal.com/gui/file/8c63a7d1f7d24ce40dcb751ac066d27ed19e0d3ee3f0071ea5984ab204c765f6/detection

brian-garcia.work
darrell-ferris.site
tommy-swope.site

# Reference: https://twitter.com/ShadowChasing1/status/1318564724062130176
# Reference: https://www.virustotal.com/gui/file/db1c2482063299ba5b1d5001a4e69e59f6cc91b64d24135c296ec194b2cab57a/detection

krasil-anthony.icu

# Reference: https://twitter.com/ShadowChasing1/status/1329090011766038531
# Reference: https://www.virustotal.com/gui/file/0d65b9671e51baf64e1389649c94f2a9c33547bfe1f5411e12c16ae2f2f463dd/detection
# Reference: https://www.virustotal.com/gui/file/3da95f33b6feb5dcc86d15e2a31e211e031efa2e96792ce9c459b6b769ffd6a4/detection

judystevenson.info

# Reference: https://www.virustotal.com/gui/file/32eb4f92c8e82d3f401078725115d0604f9283ff8d9a088e7afbc150e08df295/detection

http://198.54.115.130

# Reference: https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign
# Reference: https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf
# Reference: https://www.virustotal.com/gui/file/f323a150d7597f46d29eb3a3c56f74e11d18caf164f9176c8c1b2fa0031cc729/detection

artlifelondon.com
brooksprofessional.com
exchangeupdates.com
forextradingtipsblog.com

# Reference: https://team-cymru.com/blog/2020/12/16/mapping-out-aridviper-infrastructure-using-augurys-malware-addon/

angeladeloney.info
jack-fruit.club
lordblackwood.club
overingtonray.info

# Reference: https://twitter.com/malwrhunterteam/status/1354457854833549316
# Reference: https://www.virustotal.com/gui/file/144ba7c6090acbd2bc35411a815ccf801fd49abc5dde327b03f207ed868cdd6e/detection

apps-market.site

# Reference: https://twitter.com/malwrhunterteam/status/1356955845406449666
# Reference: https://twitter.com/bl4ckh0l3z/status/1357066148102221829
# Reference: https://www.virustotal.com/gui/file/53545abc493e3628fe352bb4d4baf72975bcf1dc25b834a8222680493dd2094c/detection

amanda-hart.website

# Reference: https://twitter.com/Timele9527/status/1358750034389422080
# Reference: https://twitter.com/ShadowChasing1/status/1358757750050754560

nancy-mulligan.live

# Reference: https://twitter.com/ShadowChasing1/status/1359722828870787073
# Reference: https://twitter.com/bl4ckh0l3z/status/1360664043271426055
# Reference: https://www.virustotal.com/gui/file/649977c22c82c200e9fb9771982e682e684ba7f686bf470c9b65151484a0c519/detection

stevensmalley.pro

# Reference: https://twitter.com/IntezerLabs/status/1374020933132939271
# Reference: https://analyze.intezer.com/files/e32dcca3d5771823c83d017d30ed49dc05428f1024f8a619b50ffa8c4a7b4688
# Reference: https://www.virustotal.com/gui/file/e32dcca3d5771823c83d017d30ed49dc05428f1024f8a619b50ffa8c4a7b4688/detection
# Reference: https://www.virustotal.com/gui/file/7b9087d91a31d03dd2c235d8debf8ed10f4b82c430a236d159e06e7fb47464a9/detection
# Reference: https://www.virustotal.com/gui/file/aa507bbe5d2a32f6e1e3f311c1baf93fd4707def8596083f26683e85972f5ac0/detection

nicholasuhl.website

# Reference: https://twitter.com/ShadowChasing1/status/1374947562310995970
# Reference: https://www.virustotal.com/gui/file/b6ed0833d4a19d2eca5f6f856c595d5329532ff116163047ed4e3a27c9f8bd69/detection
# Reference: https://www.virustotal.com/gui/file/9a513ccf750527a2e24fb1b69d98f871bc265a21213a052b9bcec3ffb9546e4c/detection

jamesmontano.life

# Reference: https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt
# Reference: https://otx.alienvault.com/pulse/606cb1ee2db0eb990bdb1227

adamnews.for.ug
formore.for-more.biz
mmksba.dyndns.org
mmksba.simple-url.com
new2019.mine.nu
postmail.website
webhoptest.webhop.info

# Reference: https://twitter.com/blackorbird/status/1385120225260015616
# Reference: https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/
# Reference: https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf

accounts-goog-le.com
advanced-files.club
alishatnixon.site
alttaeb.info
amanda-hart.website
amyacunningham.us
anna-sanchez.online
ansonwhitmore.live
app-market.online
apps-download.store
apps-store.online
autlook.live
beauty-msg.com
belcherjacky.info
bourneliam.info
calculator-1e016.appspot.com
calculator-1e016.firebaseio.com
cathy-seliver.icu
chad-jessie.info
charmainellauzier.host
chat-14bb1.appspot.com
chat-14bb1.firebaseio.com
chat-update.live
claytoniosep.live
cynthiaecook.club
darrell-ferris.site
dash-chat-c02b3.appspot.com
dash-chat-c02b3.firebaseio.com
dash-chat.site
day-on.site
digital-apps.store
donnamfelton.club
drivesuplouders.000webhostapp.com
enough-hamas.000webhostapp.com
enti5abat.pw
es-last-telegram.appspot.com
es-last-telegram.firebaseio.com
fasbcaok.com
fasebaak.com
faseback.com
fasebaok.co
fasebaok.com
fasebaook.com
fasebcak.co
fasebcak.com
fasebcck.com
fasebcoki.com
fasibauik.co
fasitoak.com
fast-download.pro
fcaibaak.com
fecolooklegon.000webhostapp.com
files-store.host
fire-upload.host
frowtisice.club
gallant-william.icu
gifts-store.net
goerge-amper.website
goo-ply-download.com
gp-market.com
hadfnews.000webhostapp.com
hamas31.000webhostapp.com
hannah-parsons.info
heidi-minaya.host
herman-poore.info
hidden-chat-e58d7.appspot.com
hidden-chat-e58d7.firebaseio.com
hidden-chat.online
hookupdating.club
hookupmsg.club
iklood.co
ikoad.co
irenewansley.icu
isaac-rowland.space
jayboyadams.club
jennifer-marler.pw
jeremy-tanner.live
jodiecarey.live
joe-rumley.pw
judystevenson.info
julie-parker.top
katesalinas.icu
kentporter.site
kevin-good.top
kimberlycamp.club
krasil-anthony.icu
leticialittle.pro
lets-msger.fun
linda-callaghan.icu
log-yoahao.co
log-yoheo.info
lonakodas.club
lordblackwood.club
loyronald.site
magic-smile.co
magic-smile.fun
magic-store.online
magic4smile.com
magicchat-1f275.firebaseio.com
magicsmile.fun
marty-colvard.top
marwapetersson.info
melissa-garcia.site
melissa-gonzalez.com
mikkelbourke.pro
mix-store.online
moggfelicio.info
moi-pna.pw
moone-b9497.appspot.com
moone-b9497.firebaseio.com
nachat-152615.appspot.com
nachat-152615.firebaseio.com
networkmiddleast.net
nicoledotson.icu
norayowell.info
overingtonray.info
palpolice.icu
paulycongalton.pro
play-store-51182.appspot.com
play-store-51182.firebaseio.com
power-messenger.com
products-office.online
pure-talk.site
putanything.com
randy-severs.info
richardbeman.info
robert-conley.space
robertking.site
rythergannon.info
samehnew-10a7c.appspot.com
samehnew-10a7c.firebaseio.com
sandra-franklin.fun
scorerabbate.site
sha-talk.co
shortesly.website
side-talk.com
skelly-chester.icu
smart-messenger.online
social-store.online
spartacuscrixus.club
stacks-zadar.website
stand-by-97c5c.appspot.com
stand-by-97c5c.firebaseio.com
stand-by.site
stevenfloyd.icu
stevensmalley.pro
stikerscloud.com
telegrom.org
tim-jordan.info
tommy-swope.site
touch.ps
ubanks.icu
uri-ready.website
url-redirect.website
vedioplayers2020.000webhostapp.com
vickeryduncan.site
vista-chat.com
wab-wahtsapp.com
wannameet.co
wendy-johnston.pw
whispers-talk.site
williedvazquez.club
wine-talk.online
winetalk-9ff2d.appspot.com
winetalk-9ff2d.firebaseio.com

# Reference: https://twitter.com/Timele9527/status/1399178504634134528
# Reference: https://www.virustotal.com/gui/file/d82e23359a756affdadc194b0a4271bf8a05c1a5755185567a4595bed6bd8106/detection

haleymartinez.me

# Reference: https://twitter.com/BaoshengbinCumt/status/1401841701501603840
# Reference: https://www.virustotal.com/gui/file/823bf27b1e559d6607f5224ab99de1c83bb5d36e2ed0e6644d551e94ec45d248/detection
# Reference: https://www.virustotal.com/gui/file/49f368a61f5fbd49742b561786507a39a1d7594fa55b426288f90de0f448fb6c/detection
# Reference: https://www.virustotal.com/gui/file/33442300d37af4b5f1dcfbefab206907e2c67d3105e065e493a1916543c6b0b3/detection

lxsecurity.com
peterabernathy.online

# Reference: https://twitter.com/ClearskySec/status/1405169392602726406
# Reference: https://www.virustotal.com/gui/file/5322543a3c5abd01a7853f061beeccb98296bc2e537f29d2368123967f13f336/detection

howard-maria.me

# Generic (callback) paths

/Alyanak/check
/Alyanak/mehro
/api/hazard/oneo
/api/white_walkers/
/debby/weatherford/
/debby/weatherford/Yortysnr
/debby/weatherford/Ekspertyza
/debby/weatherford/Zavantazhyty
/debby/weatherford/Vydalyty
/vcapicv/vchivmqecv/
/vchivmqecv/vbqsrot
/xqgjdxa/yhhzireha/
/enterprise/Senterprise.php
/enterprise/Wenterprise.php
/AhmedMajdalani.php
/Hamas.php
/hamas_internal_elections.rar
/SaudiRecognitionofIsrael.php

# APK

/MyGramIM.signed.apk
