# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt35, phosphorus, ajax security team

# Note: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-06-12 Charming Kitten waterhole)

jewishjournal.us
deutcshewelle.org
deutcshewelle.com
frostsullivan.org
ns1.deutcshewelle.com
ns2.deutcshewelle.com
mail.jewishjournal.us    
mx0.jewishjournal.us    
ns1.jewishjournal.us    
ns2.jewishjournal.us
win-ptf9aurtg8u.jewishjournal.us

# Reference: https://www.clearskysec.com/charmingkitten/
# Reference: https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf

012mail-net-uwclogin.ml
8ghefkwdvbfdsg3asdf1.com
account-customerservice.com
account-dropbox.net
account-google.co
account-login.net
account-logins.com
account-log-user-verify-mail.com
account-permission-mail-user.com
account-servicerecovery.com
accountservice.support
accounts-googelmail.com
accounts-googelmails.com
account-signin-myaccount-users.ga
accounts-logins.net
accountsrecovery.ddns.net
accounts-service.support
accountsservice-support.com
account-support-user.com
accounts-yahoo.us
accountts-google.com
account-user.com
account-user-permission-account.com
account-users-mail.com
account-user-verify-mail.com
acounts-qooqie-con.ml
addons-mozilla.download
aipak.org
aiqac.org
aol-mail-account.com
apache-utility.com
app-documents.com
app-facebook.co
araamco.com
archive-center.com
asus-support.net
asus-update.com
berozkhodro.com
book-archivecenter.bid
books-archivecenter.bid
books-archivecenter.club
books-google.books-archivecenter.bid
books-view.com
bootstrap.serveftp.com
britishnews.com.co
britishnews.org
broadcastbritishnews.com
brookings-edu.in
change-mail-accounting-register-single.com
change-mail-account-nodes-permision.com
change-permission-mail-user-managment.com
change-user-account-mail-permission.com
codeconfirm-recovery.bid
codeconfirm-recovery.club
com-account-login.com
com-accountrecovery.bid
com-accountsecure-recovery.name
com-accountsrecovery.name
com-archivecenter.work
com-customeradduser.bid
com-customerservice.bid
com-customerservice.name
com-customerservices.name
com-customersuperuser.bid
com-download.ml
com-manage-accountuser.club
com-messagecenter.bid
com-messengerservice.bid
com-messengerservice.work
com-microsoftonline.club
com-mychannel.bid
com-orginal-links.ga
com-recoversessions.bid
com-recoveryadduser.bid
com-recovery.com
com-recoveryidentifier.bid
com-recoveryidentifier.name
com-recoveryidentifiers.bid
com-recoverymail.bid
com-recoverysecureuser.club
com-recoverysecureusers.club
com-recoveryservice.bid
com-recoveryservice.info
com-recoverysessions.bid
com-recoverysubusers.bid
com-recoverysuperuser.bid
com-recoverysuperuser.club
com-recoverysuperuser.name
com-recoverysuperusers.bid
com-recoverysupport.bid
com-recoverysupport.club
com-servicecustomer.bid
com-servicecustomer.name
com-service.gq
com-servicemail.bid
com-service.net
com-servicerecovery.bid
com-servicerecovery.club
com-servicerecovery.info
com-servicerecovery.name
com-servicescustomer.name
com-serviceslogin.com
com-showvideo.ga
com-showvideo.gq
com-statistics.com
com-stats.com
com-video.net
com-videoservice.work
com-viewchannel.club
crcperss.com
cvcreate.org
digitalqlobe.com
display-error-runtime.com
display-ganavaro-abrashimchi.com
docs-google.co
documents-supportsharing.bid
documents-supportsharing.club
documents.sytes.net
document-supportsharing.bid
doc-viewer.com
download-link.top
drive-login.cf
drive-permission-user-account.com
drive-useraccount-signin-mail.ga
drop-box.vip
dropebox.co
embraer.co
emiartas.com
error-exchange.com
eursaia.org
fanderfart22.xyz
fardenfart2017.xyz
fb-login.cf
gle-mail.com
gmail-recovery.ml
gmal.cf
goo-gle.bid
goog-le.bid
goo-gle.cloud
google-mail.com.co
google-mail-recovery.com
googlemails.co
goo-gle.mobi
google-profile.com
google-profiles.com
google-setting.com
google-verification.com
google-verify.com
google-verify.net
group-google.com
help-recovery.com
hot-mail.ml
id-bayan.com
iforget-memail-user-account.com
iranianuknews.com
ir-owa-accountservice.bid
k2intelliqence.com
line-en.me
login-account-mail.com
login-account.net
login-again.ml
login-required.ga
mail-account-register-recovery.com
mails-account-signin-users-permssion.com
mailssender.bid
mail-yahoo.com.co
market-account-login.net
mehrnews.info
messageservice.bid
messageservice.club
microsoft-hotfix.com
microsoft-update.bid
microsoft-upgrade.mobi
microsoft-utility.com
msoffice-update.com
myaccount-login.net
mychannel.ddns.net
my-healthequity.com
my-mailcoil.ml
myscreenname.bid
news-onlines.info
nex1music.ml
notification-accountrecovery.com
nvidia-support.com
nvidia-update.com
officialswebsites.info
official-uploads.com
onedrive-signin.com
onlinedocument.bid
onlinedocuments.org
onlinedrie-account-permission-verify.com
onlineserver.myftp.biz
online-supportaccount.com
orginal-links.com
outlook-livecom.bid
owa-insss-org-ill-owa-authen.ml
picofile.xyz
policy-facebook.com
privacy-facebook.com
privacy-gmail.com
privacy-yahoomail.com
profile-facebook.co
profiles-facebook.com
profile-verification.com
qet-adobe.com
radio-m.cf
raykiel.net
recoverycodeconfirm.bid
recovery-customerservice.com
recovery-emailcustomer.com
recoverysuperuser.bid
register-multiplay.ml
sadashboard.com
saudiarabiadigitaldashboards.com
saudi-government.com
saudi-haj.com
screen-royall-in-corporate.com
screen-shotuser-trash-green.com
security-supportteams-mail-change.ga
sers-login.com
service-accountrecovery.com
service-broadcast.com
servicecustomer.bid
service-logins.net
servicemailbroadcast.bid
service-recoveryaccount.com
set-ymail-user-account-permission-challenge.com
shared-access.com
shared-login.com
shared-permission.com
shorturlbot.club
show-video.info
slmkhubi.ddns.net
smstagram.com
sprinqer.com
support-aasaam.bid
support-aasaam.com
support-accountsrecovery.com
support-google.co
support-recoverycustomers.com
supports-recoverycustomers.com
support-verify-account-user.com
tadawul.com.co
tai-tr.com
team-speak.cf
teamspeak-download.ml
team-speak.ga
team-speak.ml
teamspeaks.cf
telagram.cf
token-ep.com
uk-service.org
update-checker.net
update-driversonline.bid
update-driversonline.club
update-finder.com
update-microsoft.bid
updater-driversonline.club
update-system-driversonline.bid
uploader.sytes.net
upload-services.com
uri.cab
usersettings.cf
users-facebook.com
users-login.com
users-yahoomail.com
utopaisystems.net
verify-account.services
verify-accounts.info
verify-facebook.com
verify-gmail.tk
video-youtube.cf
w3sch00ls.hopto.org
w3school.hopto.org
w3schools.hopto.org
w3schools-html.com
watch-youtube.org.uk
webmaiil-tau-ac-il.ml
webmail-tidhar-co-il.ml
windows-update.systems
xn--googe-q2e.ml
yahoo-proflles.com
yahoo-verification.net
yahoo-verification.org
yahoo-verify.net
youetube.ga
yourl.bid
youttube.ga
youttube.gq
youtubbe.cf
youtubbe.ml
youtube-com.watch
youtubee-videos.com
youtuebe.co
youtuobe.com.co
youutube.cf
yurl.bid

# Reference: https://otx.alienvault.com/pulse/5c9bb407e5a06b014da016e3

account-profile-users.info
accounts-apple.com
account-servicemanagement.info
account-servieemanagement.info
accounts-manager.info
accounts-support.services
accounts-web-maii.com
accounts-web-mail.com
account-verifiy.net
activities-recovery-options.info
activities-servicesnotification.info
activity-confirmationservice.info
activity-session-recovery.info
aeroconf2014.org
aerospace2014.org
appleid.com.co
attacker-domain.com
broadcastnews.pro
com-accountidentifier.info
com-identifier-servicelog.info
com-identifier-servicelog.name
comidentifier-servicelog.name
com-identifier-servlcelog.name
com-mailbox.com
com-microsoftonline.club
com-myaccuants.com
com-privacy-help.info
com-sessionidentifier.info
com-useraccount.info
com-users.net
confirmation-recoveryoptions.info
confirmation-service.info
confirmation-users-service.info
confirmation-users-servlee.info
confirm-identity.info
confirm-session-identification.info
confirm-sessionidentification.info
confirm-session-identifier.info
continue-session-identifier.info
continue-sesslon-identifier.info
customer-certificate.com
customer-recovery.info
customers-activities.info
customers-manager.info
customers-services.info
customize-identity.info
documentofficupdate.info
documentsfilesharing.cloud
documentsharing.info
download-teamspeak.info
elitemaildelivery.info
email-deiivery.info
email-delivery.info
eom-microsoftonline.club
eom-useraccount.info
eustomers-activities.info
giitials.tk
googledomalns.com
identifier-activities.info
identifier-services-sessions.info
identify-user-session.info
intel-update.com
intelupdate.com
login-gov.info
message-serviceprovider.info
microsoft-update.bid
microsoft-upgrade.mobi
mobile-messengerplus.network
mobile-sessionid.customize-identity.info
mobiles-sessionid.customize-identity.info
myaccount-services.net
notification-accountservice.com
notification-accountservice.info
notificationapp.info
notification-manager.info
notification-managers.info
notifications-center.info
notification-signal-agnecy.info
notificatlon-signal-agnecy.info
o5vdb.org
outlook-livecom.bid
outlook-verify.net
packctstormsccurity.com
plugin-adobe.com
privacy-google.com
recognized-activity.info
recover-customers-service.info
recovery-session-change.info
recoveryusercustomer.info
serverbroadcast.info
service-accountrecoverv.com
service-recovery-session.info
service-session-confirm.info
service-session-continue.info
services-issue-notification.info
services-sessionconfirmation.info
session-mail-customers.info
session-management.info
session-manager.info
session-managment.info
session-recovery-options.info
sessions-identifiermemberemailid.network
sessions-notification.info
session-users-activities.com
session-verify-user.info
shop-sellwear.info
supportmailservice.info
support.services
support-servics.com
support-servics.net
terms-service-notification.info
terms-service-notlfication.info
update-microsoft.bid
user-activity-issues.info
useridentity-confirm.info
user-profile-credentials.com
users-facebook.com
users-issue-services.info
verification-live.com
verificationlive.com
verification-llve.com
verifiy-account.net
verifv-linkedin.net
verify-linke.com
verify-linkedin.net
verify-user-session.info
vvincicivj-c-ssenrjais.tk
webemail.info
xn--facebook-06k.com
xn--google-yri.com
yahoomail.com.co
yahoo-verification.net
yahoo-verification.org
yahoo-verify.net

# Reference: https://www.clearskysec.com/the-kittens-are-back-in-town/
# Reference: https://otx.alienvault.com/pulse/5d7e61f9aa517862e977cbad

acconut-verify.com
drive-accounts.com
exnovin.org
isis-online.net
islamicemojimaker.com
leslettrespersanes.net
niaconucil.org
seisolarpros.org
skynevvs.com
unrisd.com
w3-schools.org
# gnldp.live        # Note: regular trackers
# gnldr.club
# gnldr.live
# gnldr.website
# gnldrp.live
# sgnl.live
# sgnl.network
# sgnldp.live
# sgnldr.live

# Reference: https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2.pdf
# Reference: https://otx.alienvault.com/pulse/5d9b7a71f31df0e33eefab04

bahaius.info
bailment.org
com-activities.site
com-identifier.site
com-session.site
com-verifications.site
customers-activities.site
customers-recovery.site
customers-reminder.info
document-sharing.online
documentsfilesharing.cloud
gomyfiles.info
home-access.online
identifier-activities.info
identifier-activities.online
identity-verification-service.info
inbox-drive.info
inbox-sharif.info
magic-delivery.info
microsoftinternetsafety.net
mobile-messengerplus.network
mobilecontinue.network
notification-accountservice.com
recovery-services.info
recoverysuperuser.info
see-us.info
sessions-identifier-memberemailid.network
smarttradingfast.com
system-services.site
telagram.net
uploaddata.info
verification-services.info

# Reference: https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/
# Reference: https://otx.alienvault.com/pulse/5e3acf325495b5e504f82abc

acconut-verify.com
accounts-drive.com
bahaius.info
cpanel-services.site
customers-activities.site
customers-service.ddns.net
drive-accounts.com
finance-usbnc.info
instagram-com.site
inztaqram.ga
isis-online.net
leslettrespersanes.net
malcolmrifkind.site
niaconucil.org
phonechallenges-submit.site
recovery-options.site
seisolarpros.org
service-activity-checkup.site
service-issues.site
skynevvs.com
software-updating-managers.site
system-services.site
two-step-checkup.site
unirsd.com
w3-schools.org
yah00.site

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#
# Reference: https://otx.alienvault.com/pulse/5e6ff05783c525e779904d69

myconnect-support.com

# Reference: https://twitter.com/ClearskySec/status/1258432745891680256

com-recovery.site
com-sessions.site
customer-identifier.site
customer-reminder.info
customers-activity.site
identifier-services-session.site
mobile-airbnb.site
mobile-uber.site
newspedia.ddns.net
radiofarda.site
recovery-option.site
safe-solution.site
scribdinc.site
travel-airbnb.site

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/
# Reference: https://www.virustotal.com/gui/domain/kia-customerservice.ddns.net/detection
# Reference: https://www.virustotal.com/gui/domain/recovery-service.site/detection

document-share.info
kia-customerservice.ddns.net
login-users-account.site
manage-accounts.info
recovery-service.site
us2-mail-login-profile.site

# Reference: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
# Reference: https://otx.alienvault.com/pulse/5f99808638696999cf7b109c

de-ma.online
g20saudi.000webhostapp.com
ksat20.000webhostapp.com

# Reference: https://twitter.com/kyleehmke/status/1328374352602144770

check-panel-account.icu
cover-home-panel.xyz
it-service.men
student-rank-number.icu

# Reference: https://twitter.com/kyleehmke/status/1334170023968051200

cover-home-page.xyz

# Reference: https://twitter.com/kyleehmke/status/1339602993814102016

home-reload-page.xyz

# Reference: https://twitter.com/kyleehmke/status/1346154845221384194

check-panel-live.icu
check-reload-page.xyz
front-cover-panel.xyz
front-home-panel.xyz
office-live-activity.icu
page-home-reload.xyz

# Reference: https://blog.certfa.com/posts/charming-kitten-christmas-gift/
# Reference: https://otx.alienvault.com/pulse/5fff52390820519347e5f2d3

agentappservice.ddns.net
archiverepositories.xyz
basementofdarkness.ddns.net
benefitsredington.ddns.net
bulk-approach.site
challengechampions.ddns.net
com-254514785965.site
com-3654623478192.site
com-5464825879854.site
com-apk-6712qw123asd8awf7.site
com-archive.site
com-posts6712qw12387.site
confirm-identity.site
customer-session.site
deepthinkingroom.ddns.net
differentintegrated.ddns.net
dynamiceventmanager.ddns.net
enhanceservicchecke.hopto.org
heisonhisway.ddns.net
hello-planet.com
homedirections.ddns.net
homeinspections.ddns.net
identifier-service-verify.site
identifier-session-recovery.site
identity-session-recovery.site
lonelymanshadow.ddns.net
mail-newyorker.com
minimumservicechek.ddns.net
mobile-activity-site
mobile-check-activity.site
patchtheschool.ddns.net
planet-labs.site
profilechangeruser.ddns.net
randomworldcity.ddns.net
recover-identity.site
recover-session-service.site
recovery-customer-service.site
recovery-session-service.site
recovery-session.site
reset-account.com
schoolofculture.ddns.net
securelogicalrepository.com
service-recovery.site
service-session-recovery.site
service-support.site
service-verification.site
session-confirmation.site
session-customer-activity.site
uniquethinksession.ddns.net
verify-session-service.site
wearefirefighters.ddns.net

# Reference: https://twitter.com/jfslowik/status/1347905935654539267

dhs-us.org
csm-group.org
procurement-inl-gov.us
procurements-inl-gov.us
ukborderhomeoffice-gov.org

# Reference: https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential
# Reference: https://otx.alienvault.com/pulse/6065f293e16c3e4e72044475

1drv.casa
1drv.cyou
1drv.icu
1drv.live
1drv.online
1drv.surf
1drv.xyz

# Reference: https://twitter.com/ChicagoCyber/status/1391819499872137225

log-in-dropbox.com
