# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: artradownloader

# Reference: https://github.com/pan-unit42/iocs/blob/master/bitter/iocs.csv

a.churchill91.com
aday.primeservices.mobi
aroundtheworld123.net
chinatel90.com
churchill91.com
confirm97.com
destiny91.com
font.jiangsuhost.com
frameworksupport.net
healthnewsone.com
hewle.kielsoservice.net
johnywalter.webatu.com
mappservworldvide.16mb.com
marvel89.com
marvellighter.com
medzone71.com
mob.wirelesssolutions.mobi
muzicwonder.com
nethosttalk.com
newmysticvision.com
nsiagenthoster.net
red5big.com
sound.muzicwonder.com
spring.tulipnetworks.net
sterling66.com
stingray91.com
styl.crrerc.com
styl.hairparker.com
thematrix.esy.es
thepandaservices.nsiagenthoster.net
tulipnetworks.net
victory1983.ddns.net
wills.hairparker.com
wingames2015.com
wirelesssolutions.mobi
woodwind71.com
xiovo416.net
zmwardrobe.com

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (Chinese)

khurram.com.pk
traxbin.com
wcnchost.ddns.net

# Reference: https://twitter.com/h4ckak/status/1147710998817542145

healthdevicetracker.co

# Reference: https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations
# Reference: https://cert.360.cn/report/detail?id=137867e159331b7a968aa45050502d13
# Reference: https://otx.alienvault.com/pulse/5d4d82f21a9bb34d2b0e65f7

btappclientsvc.net
cdaxpropsvc.net
v3solutions4all.com
v3solutions4all.org
wangluojiumingjingli.org
winmanagerservice.net
winmanagerservice.org

# Generic trails from https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
# Reference: https://www.virustotal.com/gui/file/aecfa3879cd68b3a2ab0771638c0d649b007cbb6f28dddb56af4fb740b8e25a5/detection

/ergdfbd/
/healthne/
/ourtyaz/
/RguhsT/
/ergdfbd/wscspl
/healthne/accept.php
/healthne/regdl
/ourtyaz/dwnack.php
/ourtyaz/qwe.php
/ourtyaz/qwf.php

# Reference: https://twitter.com/Timele9527/status/1169430987832344576

gongzuosousuo.net

# Reference: https://twitter.com/blackorbird/status/1169925232255090689

aroundtheworld123.net

# Reference: https://twitter.com/James_inthe_box/status/1166128688175300608
# Reference: https://twitter.com/MeltX0R/status/1170183286712340482
# Reference: https://meltx0r.github.io/tech/2019/09/06/bitter-apt-not-so-sweet.html
# Reference: https://twitter.com/Timele9527/status/1169785910881218560

biocons.pk
gandharaart.org
maq.com.pk
netnsiservice.net
onlinejohnline99.org
sartetextile.com
zhongwenchuantongqiye.com
/kvs06v.php
/lax05u.php
/Mcx2svc.php
/ms2u1p.php

# Reference: https://twitter.com/RedDrip7/status/1170988245561294850
# Reference: https://twitter.com/MeltX0R/status/1171245112082481153

blth32serv.net
w32infinitisupports.net

# Reference: https://twitter.com/blackorbird/status/1182479754965876737

wangluojiumingjingli.org

# Reference: https://twitter.com/James_inthe_box/status/1183927764778274816

lmhostsvc.net

# Reference: https://twitter.com/blackorbird/status/1187662590224191489

nethostsupport.ddns.net
sysintservice.ddns.net

# Reference: https://twitter.com/ccxsaber/status/1192326844529422337

tvnservereventlog.net

# Reference: https://twitter.com/Timele9527/status/1201477767352553472
# Reference: https://twitter.com/Timele9527/status/1201477848852090881
# Reference: https://twitter.com/Timele9527/status/1201477876236701696

cloud-storage-service.com
kerbosim.com
noitfication-office-client.890m.com
office360-pub.16mb.com
quartzu.hol.es

# Reference: https://twitter.com/Rmy_Reserve/status/1224289465872502789

wbclientservice.ddns.net

# Reference: https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf

activemobistore.ddns.net
cbyxhuxo663.ddns.net
flashnewsservice.org
wdibitmapservice.net

# Reference: https://twitter.com/ShadowChasing1/status/1256036038331387904
# Reference: https://twitter.com/ShadowChasing1/status/1305879886473474048
# Reference: https://twitter.com/_re_fox/status/1305925337004601345

http://162.0.229.203
camncryptsvc.net
/RguhsT/
/RguhsT/accept.php

# Reference: https://twitter.com/MeltX0R/status/1258870289066319872
# Reference: https://www.virustotal.com/gui/ip-address/63.250.38.240/relations

http://63.250.38.240

# Reference: https://twitter.com/ccxsaber/status/1273442309816770560

usmservice.net

# Reference: https://twitter.com/Timele9527/status/1280315854094123008

liveways.pk

# Reference: https://twitter.com/Timele9527/status/1277843761318354944

mia.alkhaleejpk.info
tusdec.org.pk/ee
uniengrisb.com/img/rt.msi

# Reference: https://twitter.com/blackorbird/status/1295265067173163010
# Reference: https://twitter.com/ShadowChasing1/status/1303628547366350848
# Reference: https://twitter.com/ShadowChasing1/status/1306422911972958210
# Reference: https://www.virustotal.com/gui/file/f45590dbb07e6a506c19f62b3f23b17a1aefbb6d8287f94a74c3ea707e6f4736/detection
# Reference: https://www.virustotal.com/gui/file/2ba30469c3cbe13aa02073ae6c48114d2902450c3745857946b30d811eff6e6d/detection

livevideosonlinepk.com
/RsdvgiMincSnyYu/
/tstRsdvgiMincSnyYutsphp/
/tstRsdvgiMincSnyYutspph/
/PerHyPfilbmiw1.php
/PerHyPfilbmiw2.php
/tstPerHyPfilbmiw1.php
/tstPerHyPfilbmiwts2t.php
/RsdvgiMincSnyYu/PerHyPfilbmiw1.php
/RsdvgiMincSnyYu/PerHyPfilbmiw2.php
/tstRsdvgiMincSnyYutsphp/tstPerHyPfilbmiw1.php
/tstRsdvgiMincSnyYutsphp/tstPerHyPfilbmiwts2t.php
/tstRsdvgiMincSnyYutspph/tstPerHyPfilbmiw1.php
/tstRsdvgiMincSnyYutspph/tstPerHyPfilbmiwts2t.php

# Reference: https://twitter.com/HONKONE_K/status/1297829657568407554
# Reference: https://www.virustotal.com/gui/file/0ce047bb77073990a8810f8d6f178dc0d4fc5257603790f80d3d84b0b2405a6c/detection
# Reference: https://www.virustotal.com/gui/file/ced29451faed4f5dfa9ce80e35469e3573a89f848d5a7f5b087ee62a62f5f89a/detection

oppak.com/one/opa
oppak.com/one/eths

# Reference: https://twitter.com/_re_fox/status/1301887287765225477
# Reference: https://twitter.com/ShadowChasing1/status/1304017919655858177
# Reference: https://app.any.run/tasks/383a15aa-63b0-48ee-9a90-2cb64da9134f/

jgcest.com/css/

# Reference: https://twitter.com/ShadowChasing1/status/1306858164277526528

alkhaleejpk.info
/PsehestyvuPw/F1l3estPhPInf1.php
/PsehestyvuPw/
/F1l3estPhPInf1.php
/F1l3estPhPInf2.php

# Reference: https://ti.qianxin.com/blog/articles/Blocking-APT:-Qianxin's-QOWL-Engine-Defeats-Bitter's-Targeted-Attack-on-Domestic-Government-and-Enterprises/
# Reference: https://otx.alienvault.com/pulse/5fd7a716e178ff014c630ecb
# Reference: https://www.virustotal.com/gui/file/6cb0c0a2f89d1e82653d2b0dd1389007543616d11f0709ff194a4db2d36865f7/detection
# Reference: https://www.virustotal.com/gui/file/820ab2458839688369906cee2a4c08b4694e2bddcb187358ce575e5d2063515e/behavior
# Reference: https://www.virustotal.com/gui/file/efeaadaa53ec033d224b58be109c0f5fde12c8775fc5603f51efa8e23bcd6fb2/detection

http://162.0.229.203
http://72.11.134.216
http://82.221.136.27
107.173.63.218:58370
pichostfrm.net

# Reference: https://twitter.com/ShadowChasing1/status/1356412596430233603
# Reference: https://twitter.com/_re_fox/status/1301887287765225477
# Reference: https://app.any.run/tasks/383a15aa-63b0-48ee-9a90-2cb64da9134f/
# Reference: https://www.virustotal.com/gui/file/c2131a3906d97b5d7d697d16de15a8f704db1e6e4a8d3d7316c784d45716cffc/detection

vdsappauthservice.net
/taskshandlers/DBhandle/primary_main.php
/taskshandlers/DBhandle/secondary.php

# Reference: https://twitter.com/ShadowChasing1/status/1375227175226368006
# Reference: https://www.virustotal.com/gui/file/e07e8cbeeddc60697cc6fdb5314bd3abb748e3ac5347ff108fef9eab2f5c89b8/detection

snsrsvchost.com

# Reference: https://twitter.com/ShadowChasing1/status/1408579870230126592
# Reference: https://twitter.com/malwrhunterteam/status/1408491293207154696

mail-mfa-gov-cn-login.netlify.app

# Reference: https://twitter.com/ShadowChasing1/status/1408579947417927687

yuruhjforonjoigrvnbnrgoigoigoisannvmvnfnmkfd7.000webhostapp.com
