# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt-c-35, donot, stealjob

# Reference: https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/
# Reference: https://community.riskiq.com/article/6f60db72

qwe.drivethrough.top
qwe.sessions4life.pw
aoc.sessions4life.pw
mon.sesions4life.pw
tes.sessions4life.pw
drivethrough.top
trendzs.club
sessions4life.club
sesions4life.pw
sessions4life.pw

# Reference: https://ti.360.net/blog/articles/analysis-of-donot-andriod-sample/

godspeed.geekgalaxy.com
jasper.drivethrough.top
drivethrough.top
geekgalaxy.com

# Reference: https://asert.arbornetworks.com/donot-team-leverages-new-modular-malware-framework-south-asia/

conf.serviceupdateres.com
upload.cloudsekurity.online
abodeupdater.com
qmails.org
serviceupdateres.com
serviceupports.com
thebangladeshtoday.net
sundayobserver.net

# Reference: https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/

databig.akamaihub.stream
bigdata.akamaihub.stream
unique.fontsupdate.com
akamaihub.stream
fontsupdate.com

# Reference: https://twitter.com/blackorbird/status/1111159128775249920
# Reference: https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading

account-sign-in-security.ga
account-update-com.tk
account-updates-team.ga
afd-gov-bd.gq
baf-mil-bd.tk
checkbox.gq
cyber-net-pk.cf
fwo-com.tk
g00gle-com.cf
googlemail-com.gq
live-com.gq
live-com.ml
live-service.cf
login-live-com.cf
login-yah00-com.tk
login-yahoo-com.ga
live-com-owa.gq
mail-account-security-com.cf
mail-accounts-verify-com.cf
mail-intl-ja-mail-about.gq
mail-nepalarmymil-np.gq
mail-ntc-net-pk.tk
mail-outlook-support-team.tk
mail-paf-gov.cf
mail-sign-alert-notification.cf
mail-updates-systems.ga
mail-update-task.ga
mail-update-team.ga
mail-yahoo-com.tk
mail-yahoo-task.tk
micorsoft-outlook-update.ml
mofa-gov-mm.ml
mofagov-np.cf
mofa-gov-np.cf
mofa-gov-pk.tk
molaw-gov-pk.cf
outlook-com.cf
outlook-livecom.cf
outlook-live-com.cf
outlook-live-com.ga
outlooklive-com.ml
outlook-live-com.tk
outlookmail-com.tk
paec-gov-pk.ga
paec-gov-pk-taskmail.tk
paecweb-gov.gq
paecwebmail.gq
paf-gov-pk.cf
paf-gov-pk.ga
paf-gov-pk.tk
paknavy-pk.gq
paecgov-pk.cf
pmo-gov-pk.tk
pnra-org.gq
pof-gov-pk.tk
rab-gov-bd.gq
sharepoint-google.ml
slaf-gov-lk.ml
sco-gov-pk.tk
super-net-pk.cf
super-net-pk.tk
test-updates.ga
yahoo-com.ga
yahoomail.cf
yahoomail-com.cf
yahoo-mail-com.ml

# Reference: https://twitter.com/blackorbird/status/1116263262524362753

unique.fontsupdate.com

# Reference: https://otx.alienvault.com/pulse/5cb620d626b619048ca7b344
# Reference: https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/

139.180.135.59:4233
bike.drivethrough.top
car.drivethrough.top
guide.domainoutlet.site
param.drivethrough.top
justin.drinkeatgood.space
genwar.drivethrough.top
alter.drivethrough.top
qwe.drivethrough.top
digest.drinkeatgood.space
jasper.drivethrough.top
ground.domainoutlet.site
help.domainoutlet.site
guild.domainoutlet.site
domainoutlet.site
drinkeatgood.space
drivethrough.top

# Reference: https://twitter.com/blackorbird/status/1122493860859432960

data-backup.online

# Reference: https://twitter.com/sudosev/status/1123303891062460419

mystrylust.pw
new.listenmusic.pw

# Reference: https://twitter.com/Timele9527/status/1130673924193128448

servicejobs.life

# Reference: https://twitter.com/blackorbird/status/1132951652896350208

rightapps.net/sms//images/files/nbp_request.php

# Reference: https://twitter.com/sudosev/status/1143562610492760064
# Reference: https://github.com/faisalusuf/ThreatIntelligence/blob/main/APT%20DONOT%20TEAM/Tracking-DONOT-IOCs.csv

new.transportfun.pw
strings.guitarshop.space
transportfun.pw

# Reference: https://twitter.com/RedDrip7/status/1145539943323717632

151.236.11.222:50240

# Reference: https://twitter.com/RedDrip7/status/1170896437229445120

mangasiso.top

# Reference: https://mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA

ezeescan.com

# Reference: https://m.threatbook.cn/detail/1924
# Reference: https://otx.alienvault.com/pulse/5d7f7deb8cdf93013777cbad
# Reference: https://www.secrss.com/articles/13726
# Reference: https://otx.alienvault.com/pulse/5d93295e8526be516a05f369
# Reference: https://twitter.com/ArielJT/status/1183064542869381121

bsodsupport.icu
en-content.com
mscheck.icu
msplugin.icu
windowserver.site
worldupdate.live

# Reference: https://twitter.com/RedDrip7/status/1188662662734893056

officeupdater.org

# Reference: https://twitter.com/ccxsaber/status/1195175943087616000

stylesheet.xyz

# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/issleduem-aktivnost-kibergruppirovki-donot-team/ (Russian)

burningforests.com
cloud-storage-service.com
skillsnew.top

# Reference: https://twitter.com/Rmy_Reserve/status/1206596674920972288

full.newcontest.xyz

# Reference: https://twitter.com/ccxsaber/status/1213050724403167238

mimestyle.xyz

# Reference: https://twitter.com/Arkbird_SOLG/status/1214146144177197058

comodo.world

# Reference: https://twitter.com/Arkbird_SOLG/status/1214146146563698689
# Reference: https://app.any.run/tasks/2907c2bd-a00d-4742-9467-01b8058e734a/

testypoha.top

# Reference: https://twitter.com/Timele9527/status/1253165991351119872

supportsession.live

# Reference: https://twitter.com/Youngs0xff/status/1254959731338178560

rythemsjoy.club

# Reference: https://twitter.com/ShadowChasing1/status/1260881015133753345

spectronet.pw

# Reference: https://twitter.com/AnonySecAgency/status/1263046236652728324

mailsession.online

# Reference: https://twitter.com/ShadowChasing1/status/1267834418942492672

advancesearch.xyz

# Reference: https://twitter.com/Timele9527/status/1271098267590221824

covidpk.uno
datasecure.icu
filepage.icu
meflying.xyz
remindme.top
yourcontents.xyz

# Reference: https://twitter.com/ccxsaber/status/1274978583463649281

dnsresolve.live

# Reference: https://twitter.com/ccxsaber/status/1275611268192145408

tampotrust.top

# Reference: https://twitter.com/ccxsaber/status/1279958779388297216

securecon.top

# Reference: https://twitter.com/ShadowChasing1/status/1287039040038952960

coronotest.xyz
filedata.top

# Reference: https://twitter.com/ShadowChasing1/status/1289083580514107394
# Reference: https://twitter.com/500mk500/status/1289100860254027776
# Reference: https://www.virustotal.com/gui/file/f5432e3a4184baf3957035ded89916310f3a7f791b3bcf3e2e92c3dba4682d26/detection
# Reference: https://www.virustotal.com/gui/file/124f2f71d658fdbeacaf648ec6811589ef01b4154471378839724a79de0edd48/detection

sparc.org.in/wp-content/uploads/2020/06/now/rt.rtf
http://164.68.108.22
164.68.108.22:4140
164.68.108.22:6102
/cruisers/beacon.php

# Reference: https://twitter.com/ShadowChasing1/status/1289198158669443078

apifile.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1286504871416360961

filecopying.xyz

# Reference: https://threatconnect.com/blog/research-roundup-recent-probable-charming-kitten-infrastructure/
# Reference: https://otx.alienvault.com/pulse/5f2c73733fc6956731644a7d
# Reference: https://twitter.com/kyleehmke/status/1290613021992255488

accounts.googel.email
app-view-support.club
cmailco.xyz
cnnnews-app.xyz
control-user-activity.club
control-view-sharing.club
cover-home-page.site
email-checker.xyz
fatservice.site
g-shorturl.com
gmail-com.xyz
googel.email
hinbox-drive.info
inbox-drive.info
login-gov.info
mail-instgram.com
mailco.xyz
mailerdaemon.me
name-file-support.best
on-dr.com
page-support-view.club
preview-control-support.club
reload-cover-page.live
reload-page-cover.site
support-following-page.club
support-myservice.com
support-viewing-page.club
verify-identity-service.best
verifychecking.com
view-control-page.club
view-control-support.club
view-external-page.best
view-panel-control.club

# Reference: https://twitter.com/ShadowChasing1/status/1292286043874455552
# Reference: https://www.virustotal.com/gui/file/addf78fe59b2b0f45c3c448caee35c206ecae5a51a5c0e0f71ef361ea5fae6e0/detection

142.93.12.211:4233

# Reference: https://twitter.com/ShadowChasing1/status/1302882266910253056

checkinternet.icu

# Reference: https://twitter.com/ShadowChasing1/status/1304968566114975745

msfonts.live
word-dnld.com

# Reference: https://s.tencent.com/research/report/951.html
# Reference: https://community.riskiq.com/article/6f60db72
# Reference: https://twitter.com/voodoodahl1/status/1267571622732578816
# Reference: https://otx.alienvault.com/pulse/5f74ce39f8419e27addbd726

advancesearch.xyz
apkfreeware.xyz
appie.host
bitiy.info
brightnew.xyz
bulk.fun
carefile.icu
covidapp.icu
dnsrevanche.xyz
domainoutlet.site
drivethrough.top
fiddaz.club
inapfirst.top
inapscnd.top
inapturst.top
lowlilght.xyz
mangasiso.top
mimestyle.xyz
mimeversion.top
myappshare.xyz
mypersonaldrive.icu
n9cl.xyz
newbulb.xyz
phovonel.icu
ppadaolnwod.xyz
qwertykeypad.host
rythemsjoy.club
seahome.top
spectronet.pw
trakfind.buzz
verisign.monster
whynotworkonit.top

# Reference: https://twitter.com/malwrhunterteam/status/1314236986018988035
# Reference: https://twitter.com/bl4ckh0l3z/status/1314252380867899393
# Reference: https://www.virustotal.com/gui/file/70df22a25cbb8715f1d3dd693123ac92203b3a27dfc6c7fa0e48239cf15cbf02/detection

45.147.229.93:4233
joy-trends.xyz
qwertykeypad.host
trendsjoy.biz
webchat.life

# Reference: https://twitter.com/_re_fox/status/1315388450414227467
# Reference: https://twitter.com/RedDrip7/status/1320568526730477571
# Reference: https://www.virustotal.com/gui/file/19321da02763a73eda1cdff7d073f7da18b5f32121fbddcee8eab60ac13d418a/detection
# Reference: https://www.virustotal.com/gui/file/c9c2f68074bafb0885c8f3ace3e3188f38471e0710caefa50192ecd05edecac2/detection

soundvista.club

# Reference: https://blog.talosintelligence.com/2020/10/donot-firestarter.html
# Reference: https://otx.alienvault.com/pulse/5f9ad41f97b945d0a6797baa

apkv6.endurecif.top
bulk.fun
fif0.top
inapturst.top
seahome.top

# Reference: https://twitter.com/ShadowChasing1/status/1324694029620006913
# Reference: https://www.virustotal.com/gui/file/ab6c34abe0d42dc0b93213661e24257b504b8d8973f4f5993d64e6631bd1358d/detection

createlist.xyz

# Reference: https://twitter.com/malwrhunterteam/status/1325782688062693376
# Reference: https://www.virustotal.com/gui/file/449979f1b1a9db98dad92de3f3af7045f0dc470085b9640b77f27675feaeefd8/detection

167.99.190.44:8090
latertime.icu

# Reference: https://twitter.com/ShadowChasing1/status/1328980811102654465
# Reference: https://twitter.com/midnight_comms/status/1329043473635307522
# Reference: https://www.virustotal.com/gui/file/8885752384e54f65c7bd94982fadfa016f906960e9a53492a908eda12335f5aa/detection

45.138.172.7:4233
pvtchat.live

# Reference: https://twitter.com/cyberwar_15/status/1331490166473519106

hometaxcenter.web.app

# Reference: https://twitter.com/malwrhunterteam/status/1336980863272308742

namearch.xyz
yourlsd.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1336997657865175040

sportfunk.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1337256313831604225

instantinfo.buzz

# Reference: https://twitter.com/malwrhunterteam/status/1348575001109286913
# Reference: https://twitter.com/bl4ckh0l3z/status/1348575976196866048
# Reference: https://www.virustotal.com/gui/file/f1772de5062571ab63518595a36daf12203bcbc13f530a10ebc382e89220c840/detection

167.99.130.191:8090
transp.link

# Reference: https://twitter.com/ShadowChasing1/status/1359479141146365952
# Reference: https://www.virustotal.com/gui/ip-address/5.135.199.23/detection
# Reference: https://www.virustotal.com/gui/file/18cfe54cf4a92d1757ee471cd09c20b5aea8578b9db660239de5ba8208cc8be8/detection

networkspeed.live
resolverequest.live

# Reference: https://twitter.com/malwrhunterteam/status/1359512197911699457
# Reference: https://twitter.com/bl4ckh0l3z/status/1360157297734004739
# Reference: https://www.virustotal.com/gui/file/c5c50a2a600c6372e8757f9371fe475a7041d448a96f7361c0eda1b9951301d2/detection

135.181.198.146:8099
fatchinfo.xyz
mobilelink.buzz

# Reference: https://twitter.com/ShadowChasing1/status/1364448144323342338
# Reference: https://twitter.com/ShadowChasing1/status/1368945187230257154
# Reference: https://twitter.com/ShadowChasing1/status/1369944378584690688
# Reference: https://www.virustotal.com/gui/file/dc1bd94c1941dcfa69c5561959cec64c3f5b1c3c0738f66a33c320c0c4217030/detection
# Reference: https://www.virustotal.com/gui/file/03730cdc23a3d10c8752ad1464ff2e68a64c69f8310b0ceea4d52b1db0215dfc/detection
# Reference: https://www.virustotal.com/gui/file/e82a17c9c0936de0c50267a296b801d1d7073293ad93b444eb63f336ebb46330/detection

tplinkupdates.space
firm.tplinkupdates.space
/8ujdfuyer8d8f7d98jreerje
/8ujdfuyer8d8f7d98jreerje.doc
/8ujdfuyer8d8f7d98jreerje.dot
/bikuyteftgyheujdike11ygeyg
/bikuyteftgyheujdike11ygeyg.doc
/bikuyteftgyheujdike11ygeyg.dot
/ujhsygdhgtsygbuehdthd
/ujhsygdhgtsygbuehdthd.doc
/ujhsygdhgtsygbuehdthd.dot

# Reference: https://twitter.com/ShadowChasing1/status/1364536619353575429
# Reference: https://www.virustotal.com/gui/file/79b6fd53fc676089d691ddbbf54da0855abd23d91c2325555d258eaca2c1dfb6/detection

flickry.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1365304023775989761
# Reference: https://www.virustotal.com/gui/file/c1aa62da6cbb8656741d88a4c30c9620188b7045d0b0d271065464fdfbcab76f/detection

printerupdates.online
info.printerupdates.online

# Reference: https://twitter.com/ShadowChasing1/status/1366672088241606658
# Reference: https://twitter.com/ShadowChasing1/status/1366688956088131584

requireplugin.xyz
worxbox.xyz
/AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo
/AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo.dat
/AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo.doc
/AaTCm1uhEJlKxjeAvwltK5pkzRasnhXo.dot

# Reference: https://twitter.com/malwrhunterteam/status/1366839536890900482
# Reference: https://twitter.com/bl4ckh0l3z/status/1366866811455684612
# Reference: https://www.virustotal.com/gui/file/80151e5971821b1f0abb13b049efb0eeb9b1626b2f5501fc9ac21918935a6c3e/detection

shortler.xyz

# Reference: https://twitter.com/malwrhunterteam/status/1370400639155589132
# Reference: https://www.virustotal.com/gui/file/680681423d5007030bd3fe577b88f4c5df6dc423cdaa6aa415ecae01bd83b0d7/detection

178.63.172.2:4233
bismi.club

# Reference: https://twitter.com/ShadowChasing1/status/1379048935969316871

paperflies.buzz
worldfronts.xyz
/h9i341lDMiztxAqrWsaOwHfUkSrAFWuI
/h9i341lDMiztxAqrWsaOwHfUkSrAFWuI.dat
/h9i341lDMiztxAqrWsaOwHfUkSrAFWuI.doc
/h9i341lDMiztxAqrWsaOwHfUkSrAFWuI.dot

# Reference: https://twitter.com/ShadowChasing1/status/1380555450433728513
# Reference: https://www.virustotal.com/gui/file/f18aba837e86025dfb9bd3fd2c4bf161f679ff1f3d10e7a480d682178051a9b9/detection

instadownload.buzz

# Reference: https://twitter.com/ShadowChasing1/status/1384825247061331980
# Reference: https://www.virustotal.com/gui/file/81b4a8f6ff2489e01f6b09126583673d3df922a0bbf7ff2cbcef2bcf6102b951/detection

loadingmessage.info

# Reference: https://twitter.com/ShadowChasing1/status/1387026581453893635
# Reference: https://www.virustotal.com/gui/file/e82d1f4f2960aef4142c32d7920b97700f2b5957bb4807bfcd59e586e71a33c0/detection

nextra.buzz

# Reference: https://twitter.com/ShadowChasing1/status/1387309759217365000
# Reference: https://twitter.com/ShadowChasing1/status/1387309762132336647
# Reference: https://www.virustotal.com/gui/file/694d433a729b65993dae758e862077c2d82c92018e8e310e121e1fa051567dba/detection

idmquick.xyz
wserves.xyz
/IvGRnMiDzgderQQteqNjNgKoIYqaLW6C
/IvGRnMiDzgderQQteqNjNgKoIYqaLW6C.dat
/IvGRnMiDzgderQQteqNjNgKoIYqaLW6C.doc
/IvGRnMiDzgderQQteqNjNgKoIYqaLW6C.dot

# Reference: https://twitter.com/fuuuing_/status/1387958339569479683
# Reference: https://www.virustotal.com/gui/file/edd590c343570f7576aca83da58967e058585c6ba861682dca2fc987c713ee3a/detection

edgevista.live
files.edgevista.live
/abjhdueuhkuclli78jfkdfj
/abjhdueuhkuclli78jfkdfj.dat
/abjhdueuhkuclli78jfkdfj.doc
/abjhdueuhkuclli78jfkdfj.dot

# Reference: https://twitter.com/r3dbU7z/status/1388510523579305988
# Reference: https://twitter.com/r3dbU7z/status/1388937495677743104
# Reference: https://www.virustotal.com/gui/file/08d7ec323925fa1de26d49c0dc414acb8ef3f876fd4b173673895465a27eda46/detection

66.23.225.108:8001

# Reference: https://twitter.com/Circuitous__/status/1390290226090754058
# Reference: https://www.virustotal.com/gui/file/3d63156060c7568b2c3065820f698fdadb6e48910ec82593a61c306c13f5692c/detection

venturelabo.co
cloud.venturelabo.co

# Reference: https://twitter.com/ShadowChasing1/status/1391383866347331590
# Reference: https://www.virustotal.com/gui/file/89d357d9731a046d4ba671e67bf0b4b300302a137a76e1e7ab3675fcd5b922ac/detection

icuttly.buzz

# Reference: https://twitter.com/ShadowChasing1/status/1393718569507069953
# Reference: https://www.virustotal.com/gui/file/7e8a0f71d52ce23e2ac0bb23795df7bc56d9166eb39f042d75226f01b4203749/detection

imageview.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1397892294599081988
# Reference: https://www.virustotal.com/gui/file/ea5cff131dda16855a4a6f89e25728ac970ee342df9f496ab616c646f8e7b433/detection

webservice.buzz

# Reference: https://twitter.com/malwrhunterteam/status/1398672382626304006
# Reference: https://twitter.com/ShadowChasing1/status/1398800211988803586
# Reference: https://www.virustotal.com/gui/file/41322bfef851e2ff973be411fa8cb5360a95b1dbc9004d96c19b62419810d138/detection

yoururl.icu

# Reference: https://twitter.com/360CoreSec/status/1400726492389146625
# Reference: https://twitter.com/ShadowChasing1/status/1402417052426522626

credmg.xyz
frontcheck.buzz
getsr.xyz
nelog.buzz
plugindownload.buzz
solutionsroof.xyz
/YsiNqNecL9cNFZv144OWCjioAQukPtyy
/YsiNqNecL9cNFZv144OWCjioAQukPtyy.dat
/YsiNqNecL9cNFZv144OWCjioAQukPtyy.doc
/YsiNqNecL9cNFZv144OWCjioAQukPtyy.dot

# Reference: https://twitter.com/ShadowChasing1/status/1404610201194360832
# Reference: https://www.virustotal.com/gui/file/a3c020bf50d39a58f5345b671c43d790cba0e2a3f631c5182437976adf970633/detection

microsoft-updates.servehttp.com

# Reference: https://twitter.com/ShadowChasing1/status/1407636259367899138
# Reference: https://www.virustotal.com/gui/file/0a456bd773d6eb0a479f3bb43fe88e7b781dae310e56dbe001eaa68273e326ee/detection

winxpo.live

# Reference: https://twitter.com/fuuuing_/status/1409327487985745920
# Reference: https://www.virustotal.com/gui/ip-address/51.195.211.91/relations
# Reference: https://www.virustotal.com/gui/file/a59195a5a87b6d6e4275e01a2360003bf55bcc72772e92b07f22e59aaa7b3cad/detection

biteupdates.site
dataupdates.live
/BcX21DKixeXs44skdqqD
/BcX21DKixeXs44skdqqD.dat
/BcX21DKixeXs44skdqqD.doc
/BcX21DKixeXs44skdqqD.dot

# Reference: https://twitter.com/ShadowChasing1/status/1410030175362850818
# Reference: https://www.virustotal.com/gui/file/aadaf88e315592aae5c2255ad9acbc175a6b5eec5c69ab0c81099b84e66e04f8/detection

nextgent.top

# Reference: https://twitter.com/ShadowChasing1/status/1410930643446353924
# Reference: https://www.virustotal.com/gui/file/b7b3a3a9274541246e8a3f330b8a2e594fadf5281652c4490b68f4e5f77e8858/detection

domhub.live

# APK

/Bride-Fun.apk
/Conion_Pro_V2q.apk
/Zak_m.apk
