# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: APT29, Cozy Bear, The Dukes, WellMess, WellMail, SoreFang, PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke, CloudDuke
# NOTE(review): several of the names above (WellMess, WellMail, SoreFang and the *Duke entries) are malware/tool family names attributed to the group in the referenced reports rather than alternative group names; they are kept here so that searches by family name still land on this trail set

# Reference: https://otx.alienvault.com/pulse/55fae83567db8c6fb3518bcd/
# Reference: https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

nasdaqblog.net
nytunion.com
overpict.com
greencastleadvantage.com
sixsquare.net
oilnewsblog.com
grouptumbler.com
airtravelabroad.com
beijingnewsblog.net
ustradecomp.com
nestedmail.com
leveldelta.com
nostressjob.com
natureinhome.com
deervalleyassociation.com

# Reference: https://www.f-secure.com/weblog/archives/00002822.html

portal.sbn.co.th

# Reference: https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
# Reference: https://otx.alienvault.com/pulse/5da83c7c104ff3553f418443

acciaio.com.br
bandabonga.fr
busseylawoffice.com
ceycarb.com
coachandcook.at
ecolesndmessines.org
fairfieldsch.org
fisioterapiabb.it
lorriratzlaff.com
ministernetwork.org
motherlodebulldogclub.com
powerpolymerindustry.com
publiccouncil.org
rulourialuminiu.co.uk
salesappliances.com
sistemikan.com
skagenyoga.com
varuhusmc.org
westmedicalgroup.net

# Reference: https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
# Reference: https://otx.alienvault.com/pulse/5f107c022dfb7a7c8fec7903

http://103.13.240.46
http://103.205.8.72
http://103.216.221.19
http://103.253.41.102
http://103.253.41.68
http://103.253.41.82
http://103.253.41.90
http://103.73.188.101
http://111.90.146.143
http://111.90.150.176
http://119.160.234.163
http://119.160.234.194
http://119.81.173.130
http://119.81.178.105
http://119.81.184.11
http://120.53.12.132
http://122.114.197.185
http://122.114.226.172
http://141.255.164.29
http://141.98.212.55
http://145.249.107.73
http://146.0.76.37
http://149.202.12.210
http://169.239.128.110
http://176.119.29.37
http://178.211.39.6
http://185.145.128.35
http://185.225.226.16
http://185.99.133.112
http://188.241.68.137
http://191.101.180.78
http://192.48.88.107
http://202.59.9.59
http://209.58.186.196
http://209.58.186.197
http://209.58.186.240
http://220.158.216.130
http://27.102.130.115
http://31.170.107.186
http://31.7.63.141
http://45.120.156.69
http://45.123.190.167
http://45.123.190.168
http://45.129.229.48
http://45.152.84.57
http://46.19.143.69
http://5.199.174.164
http://66.70.247.215
http://79.141.168.109
http://81.17.17.213
http://85.93.2.116

# Reference: https://twitter.com/IntezerLabs/status/1285487000091598863
# Reference: https://www.virustotal.com/gui/file/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2/detection

111.90.150.140:25

# Reference: https://twitter.com/ShadowChasing1/status/1288403929462530049
# Reference: https://www.virustotal.com/gui/file/95193266e37a3401a0becace6d41171ab2968ed5289d666043251d05552d02fc/detection
# (178.211.39.6 and 141.98.212.55 are also listed in the NCSC advisory block above; the entries below add the sample-specific URL/port forms from this report)

http://178.211.39.6
141.98.212.55:121

# Reference: https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/

monitor.syn.cn

# Reference: https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html

103.216.221.18:50031

# Reference: https://twitter.com/joakimkennedy/status/1303626343830167552
# Reference: https://www.virustotal.com/gui/file/ebfe9cc39dfdc1d1abe7fd4b1e248b16238234c5261610456de0317c2045555d/detection

103.253.41.102:8081

# Reference: https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
# Reference: https://www.virustotal.com/gui/file/7c20ef1547da114c15da8dd617d22dfd5c7fb08bb9eb07e30df35834619b915a/detection
# NOTE(review): the first reference is a FIN7/Ryuk investigation rather than an APT29 report; confirm the attribution of the indicators below against the referenced sample before treating a hit as Cozy Bear activity

45.91.93.89:443
d1d66buv7blf1z.cloudfront.net
myrric-uses.singlejets.com
sendbits.m2stor4ge.xyz

# Reference: https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/
# Reference: https://otx.alienvault.com/pulse/60b689c652cd41240e77cfbe

74d6b7b2.app.giftbox4u.com
content.pcmsar.net
doggroomingnews.com
hanproud.com
