# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

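# Aliases: ta407, silent librarian, mabna institute, cobalt dickens
#
# Note: the references below describe credential phishing against universities.
# In multi-label entries (e.g. raven.cam.ac.uk.iftl.tk) the leading labels imitate
# a legitimate university login or library host. The attacker-controlled part is
# the trailing registered domain (iftl.tk), which is also listed on its own.
# The impersonated institution's real domain is not an indicator.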

# Reference: https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities
# Reference: https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again
# Reference: https://otx.alienvault.com/pulse/5d78eaf37b37c503fb07d45a
# Reference: https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian
# Reference: https://otx.alienvault.com/pulse/5da4a7ab756627fcce84efcc

1edu.in
aill.cf
aill.nl
anvc.me
atll.tk
atna.cf
atti.cf
azll.cf
azll.tk
azlll.cf
aztt.tk
blibo.ga
cave.gq
ccli.cf
cill.ml
clll.cf
clll.nl
clll.tk
cllt.cf
cllt.tk
cnen.cf
cnma.cf
cntt.cf
crll.tk
csll.cf
ctll.tk
cvnc.ga
cvve.cf
czll.tk
cztt.tk
e-library.me
ebookfafa.com
eduv.icu
eill.cf
eill.ga
eill.nl
elll.cf
erta.ca
etll.cf
euca.cf
euce.in
euve.tk
ezll.tk
ezplog.in
ezproxy.tk
eztt.tk
fill.cf
flil.cf
flll.cf
iell.tk
ill.pro
illl.cf
ills.cf
itll.tk
iull.tk
izll.tk
jhbn.me
jlll.cf
lett.cf
lib-service.com
lib1.bid
lib1.pw
liba.gq
libb.ga
libdo.cf
libe.cf
libe.ga
libe.ml
libf.ga
libg.cf
libg.ga
libg.gq
libg.tk
libk.ga
libloan.xyz
libm.ga
libn.gq
libnicinfo.xyz
librarylog.in
libraryme.ir
librt.ml
libt.ga
libt.ml
libu.gq
libv.ml
libver.ml
libw.gq
lill.gq
lill.pro
llbt.tk
llib.cf
llib.ga
llic.cf
llic.tk
llif.cf
llii.cf
llii.xyz
llil.cf
llil.nl
llit.cf
llit.site
lliv.nl
lliv.tk
lliz.cf
lllf.nl
llli.cf
llli.nl
lllib.cf
lllt.cf
llse.cf
lzll.cf
mlib.cf
mlibo.ml
ncce.cf
ncll.tk
ncnc.cf
nctt.tk
necr.ga
nicn.gq
nika.ga
nimc.cf
nimc.ga
nimc.ml
nlib.ml
nlll.cf
nlll.tk
nsae.ml
ntil.cf
ntll.cf
ntll.tk
nuec.cf
nuec.ml
rill.cf
rnva.cf
rtll.tk
rvna.cf
savantaz.cf
sctt.cf
shibboleth.link
sitl.tk
sitt.cf
slli.cf
ssll.cf
stll.tk
till.cf
titt.cf
tlit.cf
tlll.cf
tlll.tk
tsll.cf
ttil.nl
ttit.cf
ttll.cf
uill.cf
uitt.tk
ulibe.ml
ulibr.ga
ulll.cf
ulll.tk
umlib.ml
umll.tk
uncr.me
uni-lb.com
unie.ga
unie.gq
unie.ml
unin.icu
unip.cf
unip.ga
unip.gq
unip.ml
unir.cf
unir.ga
unir.gq
unir.ml
unisv.xyz
univ.red
unll.tk
untc.ir
untc.me
untf.me
unts.me
unvc.me
utll.tk
venc.cf
visc.cf
vsre.cf
vtll.cf
web2lib.info
xill.cf
xill.tk
zedviros.ir
zill.cf
zlll.tk

# Reference: https://twitter.com/peterkruse/status/1312826103388667904
# Reference: https://www.virustotal.com/gui/ip-address/104.152.168.47/relations

idp3.it.gu.se.itlf.cf
login.ki.se.iftl.tk
raven.cam.ac.uk.iftl.tk
shib.york.ac.uk.iftl.tk
shibboleth.mcgill.ca.iftl.tk
sso.id.kent.ac.uk.iftl.tk
sso.acu.edu.au.itlib.me
itlf.cf
iftl.tk

# Reference: https://twitter.com/peterkruse/status/1312819332318146561
# Reference: https://twitter.com/peterkruse/status/1315556534546558977

cas.thm.de.itlib.me
cas.thm.de.servisedesk.me
itlib.me
servisedesk.me

# Reference: https://twitter.com/peterkruse/status/1313029599048208386

ntulearn.ntu.ninu.me
ninu.me

# Reference: https://twitter.com/cybershtuff/status/1315574181493444613

canvas.bham.vueu.me
owl.uwo.vueu.me
vueu.me

# Reference: https://twitter.com/ShadowChasing1/status/1315855394506330113

library.acu.edu.au.libit.me
libit.me

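# Reference: https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/
# Note: several hosts in this block repeat entries already listed under earlier
# references (e.g. raven.cam.ac.uk.iftl.tk, cas.thm.de.itlib.me, ntulearn.ntu.ninu.me).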

library.adelaide.crev.me
signon.adelaide.edu.au.itlib.me
blackboard.gcal.crev.me
blackboard.stonybrook.ernn.me
blackboard.stonybrook.nrni.me
namidp.services.uu.nl.itlib.me
uu.blackboard.rres.me
librarysso.vu.cvrr.me
ole.bris.crir.me
idpz.utorauth.utoronto.ca.itlf.cf
raven.cam.ac.uk.iftl.tk
login.ki.se.iftl.tk
shib.york.ac.uk.iftl.tk
sso.id.kent.ac.uk.iftl.tk
idp3.it.gu.se.itlf.cf
login.proxy1.lib.uwo.ca.sftt.cf
login.libproxy.kcl.ac.uk.itlt.tk
idcheck2.qmul.ac.uk.sftt.cf
lms.latrobe.aroe.me
ntulearn.ntu.ninu.me
adfs.lincoln.ac.uk.itlib.me
cas.thm.de.itlib.me
libproxy.library.unt.edu.itlib.me
shibboleth.mcgill.ca.iftl.tk
vle.cam.ac.uk.canm.me
aroe.me
canm.me
crev.me
crir.me
cvrr.me
ernn.me
nrni.me
rres.me
sftt.cf

# Reference: https://twitter.com/ViriBack/status/1317216042263941120

blackboard.usc.caer.me
elearn.cuhk.caer.me
moodle.uni-ulm.caer.me
sierra-sso.aut.caer.me
caer.me

# Reference: https://twitter.com/TeamDreier/status/1331940216811233288
# Reference: https://twitter.com/TeamDreier/status/1331941213184856065

auth.bath.ac.uk.ctit.tk
auth.bath.ac.uk.titt.ml
login.e.bibl.liu.se.ctit.tk
login.manchester.ac.uk.ctit.tk
shib-idp.ucl.ac.uk.trtt.tk
ctit.cf
ctit.tk
titt.ml
trtt.tk
ztit.cf

# Reference: https://twitter.com/TeamDreier/status/1335877271593377792

milngavie.cent.gla.ac.uk.titt.gq
titt.gq

# Reference: https://twitter.com/TeamDreier/status/1321197043784843267

login.e.bibl.liu.se.titt.ga
titt.ga

# Reference: https://twitter.com/TeamDreier/status/1320993672566050817

sts.sydney.ediun.me
ediun.me

# Reference: https://twitter.com/TeamDreier/status/1320654814750138377

shib-idp.ucl.ac.uk.vctt.cf
vctt.cf

# Reference: https://twitter.com/TeamDreier/status/1320475288996880387

learn.snnu.me
snnu.me

# Reference: https://twitter.com/andsyn1/status/1320315221253259265
# Reference: https://twitter.com/TeamDreier/status/1320295132164390912
# Reference: https://twitter.com/andsyn1/status/1319744139303571457

ilias.uni-marburg.edunm.me
libproxy.unm.eduin.me
shibboleth.mcgill.edliu.me
edliu.me
eduin.me
edunm.me

# Reference: https://twitter.com/TeamDreier/status/1320068459934482438
# Reference: https://twitter.com/TeamDreier/status/1319219638966849536

canvas.sydney.sunu.me
monucp.u-cergy.sunu.me
sunu.me

# Reference: https://twitter.com/TeamDreier/status/1319501314079031297
# Reference: https://twitter.com/TeamDreier/status/1319219638966849536

learn.polyu.sncu.me
lms.unb.sncu.me
sncu.me

# Reference: https://twitter.com/TeamDreier/status/1319284609612312576
# Reference: https://twitter.com/TeamDreier/status/1318073712621608960

cuhk.edu.hk.itlf.cf
shib.dur.ac.uk.stit.cf
sts.cuhk.edu.hk.itlf.cf
itlf.cf
stit.cf

# Reference: https://twitter.com/TeamDreier/status/1318073179621986311

moodle.uni-ulm.de.librm.me
librm.me

# Reference: https://twitter.com/TeamDreier/status/1318072706068320256

q.utoronto.vrev.me
vrev.me

# Reference: https://twitter.com/TeamDreier/status/1321725647153233920

weblogon.ltu.se.ztit.cf

# Reference: https://twitter.com/TeamDreier/status/1322301000963805184

innsida.ntnu.snnu.me

# Reference: https://twitter.com/TeamDreier/status/1322431397257191424

canvas.ucdavis.snnu.me

# Reference: https://twitter.com/TeamDreier/status/1329822320471515143

auth.bath.ac.uk.ztit.cf

# Reference: https://twitter.com/andsyn1/status/1331321796226846721

auth.bath.ac.uk.ctit.cf

# Reference: https://twitter.com/TeamDreier/status/1332964881537114115

shibboleth3.liv.ac.uk.sitl.tk

# Reference: https://twitter.com/TeamDreier/status/1336251373097267202

proxylogin.nus.edu.sg.vitl.ml
vitl.ml

# Reference: https://twitter.com/TeamDreier/status/1336273839148441602

proxylogin.nus.edu.sg.cett.cf
cett.cf

# Reference: https://twitter.com/TeamDreier/status/1337664630219550722

login.ezproxy.uws.edu.au.vitt.ga
login.simsrad.net.ocs.mq.edu.au.vitt.ga
uon.okta.com.vitt.ga
vitt.ga

# Reference: https://twitter.com/TeamDreier/status/1338977587977129992
# Reference: https://twitter.com/TeamDreier/status/1338979116855554056
# Reference: https://twitter.com/TeamDreier/status/1339231776900853760

mylibrary.bu.ulibr.xyz
mylibrary.ebu.ulibr.xyz
onesearch.library.wwu.edu.ulibr.xyz
ulibr.xyz

# Reference: https://twitter.com/TeamDreier/status/1351094101341515777

ezproxy.hkr.se.liblog.info
liblog.info

# Reference: https://twitter.com/TeamDreier/status/1351479481668661249
# Reference: https://twitter.com/TeamDreier/status/1351797305926676480

login.proxy1.dom1.nhtv.nl.liblog.info
rps.hva.nl.liblog.info

# Reference: https://twitter.com/TeamDreier/status/1351465253641596932

innsida.ntnu.srrn.me
srrn.me

# Reference: https://twitter.com/TeamDreier/status/1351960402503098368

shibboleth.mcgill.nlib.ml

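# Reference: https://twitter.com/TeamDreier/status/1383377868114206722
# NOTE(review): edadfed.ed.ac.ukns.me has no separate "uk" label, unlike
# edadfed.ed.ac.uk.ucnv.me. This may be as observed ("ac.ukns.me" resembling
# "ac.uk") or a transcription slip; confirm against the reference.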

edadfed.ed.ac.uk.ucnv.me
edadfed.ed.ac.ukns.me
ucnv.me
ukns.me

# Reference: https://twitter.com/TeamDreier/status/1383436461974835212

auth.bath.ac.uk.ukns.me

# Reference: https://twitter.com/TeamDreier/status/1384079500737011714
# Reference: https://twitter.com/TeamDreier/status/1384092560281391108

auth.bath.ac.uk.ncev.me
bath.ac.uk.ncev.me
oskicatp.berkeley.edu.ncev.me
ncev.me

# Reference: https://twitter.com/TeamDreier/status/1400360529579941889
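# Reference: https://www.virustotal.com/gui/ip-address/185.51.201.112/relations
# Note: liblog.info below repeats the entry already listed under the
# 1351094101341515777 reference; the hosts after it are additional sightings.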

liblog.info
ezp2.imu.edu.my.liblog.info
ezproxy.um.edu.my.liblog.info
hiof.no.liblog.info
login.libezp2.utar.edu.my.liblog.info

# Reference: https://twitter.com/TeamDreier/status/1401790878092611587

tarcez.tarc.edu.my.liblog.info

# Reference: https://twitter.com/TeamDreier/status/1401807769880215553

login.libezp.utar.edu.my.liblog.info

# Reference: https://twitter.com/TeamDreier/status/1402918680846114816

ezproxy.yu.edu.jo.liblog.info

# Reference: https://twitter.com/TeamDreier/status/1403275407420440577

ezproxy.vid.no.liblog.info

# Reference: https://twitter.com/TeamDreier/status/1410141072920125447

login.datubazes.lanet.lv.liblog.info
