# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt37, apt-c-37, geumseong121, group123, redeyes, scarcruft, Red Eyes, Venus 121, Thallium

# Reference: https://otx.alienvault.com/pulse/5d4456d289603cc548ddbc92
# Reference: https://blog.alyac.co.kr/2453 (Korean)
# Reference: https://fortiguard.com/resources/threat-brief/2019/08/09/fortiguard-threat-intelligence-brief-august-09-2019

price365.co.kr/abbi/head0.jpg
price365.co.kr/abbi/json/openssl.php
price365.co.kr/abbi/tail0.jpg
darvishkhan.net/wp-content/uploads/2017/06/update3.dat
darvishkhan.net/wp-content/uploads/2017/06/update6.dat

# Reference: http://blogs.360.cn/post/analysis-of-apt-c-37.html
# Reference: https://otx.alienvault.com/pulse/5d7916e3f619df83fd65778e

adamnews.for.ug
btcaes2.duckdns.org
da3da3.duckdns.org
israanews.zz.com.ve
mmksba.dyndns.org
mmksba.simple-url.com
samd1.duckdns.org
samd2.duckdns.org
sorry.duckdns.org
webhoptest.webhop.info

# Reference: https://twitter.com/blackorbird/status/1188726162928758784
# Reference: https://mp.weixin.qq.com/s/Wnb-r7SWbGGN-XuQ8fW_jw

artmuseums.or.kr/swfupload/fla/1.jpg
casaabadia.es/wp-content/uploads/2018/06/null/
fjtlephare.fr/wp-content/uploads/2018/05/null/

# Reference: https://twitter.com/blackorbird/status/1112904229495042049
# Reference: https://blog.alyac.co.kr/2226 (Korean)

/skin15/include/bin/forlab.php
/ct/data/icon/files/goal.php

# Reference: https://twitter.com/navSi16/status/1066296138498629637

padosori.co.kr
/_controller/admin/upload_sec/down.php

# Reference: https://twitter.com/cyberwar_15/status/1122692430262706178
# Reference: https://blog.alyac.co.kr/2281 (Korean)

youngs.dgweb.kr
/skin15/include/bin/home.php

# Reference: https://ti.qianxin.com/blog/articles/anatomy-of-moonLight-attack-on-the-middle-east/ (Chinese)

http://72.21.245.117
martnews.aba.ae
mslove.mypressonline.com

# Reference: https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU
# Reference: https://malpedia.caad.fkie.fraunhofer.de/actor/apt37
# Reference: https://twitter.com/jfslowik/status/1212097943550873600
# Reference: https://otx.alienvault.com/pulse/5e0b9895c5ed003a85210202 (# Thallium)
# Reference: https://pastebin.com/ScaPd18W

ahooc.com
app-wallet.com
bigwnet.com
bitwoll.com
cexrout.com
change-pw.com
checkprofie.com
cloudwebappservice.com
com-change.pw
com-serviceround.info
ctquast.com
dataviewering.com
dauurn.net
day-post.com
dialy-post.com
doc-view.work
documentviewingcom.com
dounn.net
dovvn-mail.com
down-error.com
drivecheckingcom.com
drog-service.com
encodingmail.com
files-download.net
filinvestment.com
fixcool.net
foldershareing.com
golangapis.com
graphwin.com
grnaeil.com
gstaticstorage.com
hanrnaii.net
helpnaver.com
hotrnall.com
iinaver.com
imap-login.com
inbox-yahoo.com
lh-logins.com
lh-logs.com
login-sec.com
login-use.com
mai1.info
mail-down.com
maingoogie.com
maingoogle.com
matmiho.com
mihomat.com
mofako.com
naerver.com
natwpersonal-online.com
navuor.com
nid-login.com
nidlogon.com
office356-us.org
office365-us.org
phlogin.com
pieceview.club
pw-change.com
reader.cash
reviewer.mobi
rnaii.com
rnailm.com
rnicrosoft.com
sec-live.com
secrityprocessing.com
securitedmode.com
security-lnfo.com
securytingmail.com
seoulhobi.biz
set-login.com
smtper.org
usrchecking.com
wallet-vahoo.com
yalnoo.com
yrnall.com

# Reference: https://twitter.com/kyleehmke/status/1212119523077349378

lnfo-master.com

# Reference: https://twitter.com/kyleehmke/status/1217486993871056899

security-acount.info

# Reference: https://otx.alienvault.com/pulse/5e206c7aef589acc3f96cb79
# Reference: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/

blockochain.info
files-downloader.net
webmail-googie.com
webmail-gooqle.com

# Reference: https://twitter.com/cyberwar_15/status/1313379907926335489 (Korean)

busyday.atwebpages.com

# Reference: https://twitter.com/ShadowChasing1/status/1344266120413384705
# Reference: https://www.virustotal.com/gui/file/7820bc1aa19ed61d035a2b7efb315ddb8b73cdf4df6ca41c365ce60ec160e713/detection
# Reference: https://www.virustotal.com/gui/file/9d58a6920db59a06e513cf077597a8e1848892ad2cf0ec9e3de8fd677efbfedd/detection

hz11.cn/jquery-ui-1.10.4/tests/unit/widget/doc/pu.php

# Reference: https://blog.alyac.co.kr/3489 (Korean)

frog.smtper.co/frog/
park.smtper.co/frogstock/

# Reference: https://blog.alyac.co.kr/3536 (Korean)
# Reference: https://www.virustotal.com/gui/ip-address/23.106.160.32/relations

factorgpu.com
greenulz.com

# Reference: https://twitter.com/cyberwar_15/status/1362413268472655877

klsa.onlinewebshop.net

# Reference: https://twitter.com/C0ryInTheHous3/status/1364275034638942210

down-drive.me

# Reference: https://twitter.com/cyberwar_15/status/1392459596069961734

nid-naver.servepics.com

# Reference: https://twitter.com/cyberwar_15/status/1392488563309105155
# Reference: https://www.virustotal.com/gui/file/1136ba6837a18a39b430cd8d2a7ff276dbaddf813060c47725c7c629dbab7ce5/detection

ahnlab.check.pe.hu

# Reference: https://twitter.com/cyberwar_15/status/1392469490592411651

daum.sytes.net
enolja.com
naver.servemp3.com
nid-naver.servehttp.com
