# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt15, Ke3chang, Mirage, Vixen Panda, Royal APT, Playful Dragon

# Reference: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
# Reference: https://twitter.com/VK_Intel/status/976977927072985088

memozilla.org
news.memozilla.org
video.memozilla.org
run.linodepower.com
singa.linodepower.com
log.autocount.org
andspurs.com
micakiz.wikaba.org
cavanic9.net
ridingduck.com
zipcodeterm.com
dnsapp.info

# Reference: https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/

buy.healthcare-internet.com

# Reference: https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/
# Reference: https://otx.alienvault.com/pulse/5d3040c20c143e436cc113d8

compatsec.com
inicializacion.com
menorustru.com
buy.babytoy-online.com
center.nmsvillage.com
chart.healthcare-internet.com
control.mimepanel.org
cv.livehams.com
daily.huntereim.com
dream.zepotac.com
dsmanfacture.privatedns.org
dyname.europemis.com
finance.globaleducat.com
forcan.hausblow.com
grek.freetaxbar.com
info.audioexp.com
item.amazonout.com
items.babytoy-online.com
items.burgermap.org
login.allionhealth.com
misiones.soportesisco.com
newflow.babytoy-online.com
press.premlist.com
promise.miniaturizate.org
rain.nmsvillage.com
store.ufmsecret.org
support.slovakmaps.com
translate.europemis.com
upcv.inciohali.com
view.beleimprensa.org
wind.deltimesweb.com
www1.sanpaulostat.com

# Reference: https://twitter.com/MeltX0R/status/1174069208709312512
# Reference: https://www.virustotal.com/gui/file/b5db7cfe22de56d292c83ea9ffa25f28d1e126d16b14cb3734b7396dcf5a6e0c/detection

halimatoudi.com

# Reference: https://twitter.com/MeltX0R/status/1174442212412809216
# Reference: https://app.any.run/tasks/8d777de7-d51d-4c97-8e91-d0e54461fc2b/
# Reference: https://pastebin.com/qdDymcuy

tick.ondemand-sport.com

# Reference: https://twitter.com/in_threat/status/735472063247421440

goback.strangled.net

# Reference: https://www.virustotal.com/gui/domain/edit.centrozhlan.com/relations
# Reference: https://www.virustotal.com/gui/file/689f121c4a7309644c37141742abed0f111b6fa60632c54002a5ce898af36397/community

centrozhlan.com

# Reference: https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/
# Reference: https://otx.alienvault.com/pulse/5ec7f55daebc94b5857d69f1

thehuguardian.com
menu.thehuguardian.com

# Generic trails: URL path and query-string patterns rather than hostnames (from reference: https://pastebin.com/qdDymcuy)

/wikipedia.aspx?content=
/feeyo.aspx?who=
/airliners.aspx?para=
/playlist.aspx?yf=
/pprune.aspx?yf=
/dutchops.aspx?yf=
/iTunes.aspx?e1=
/paidai.aspx?e1=
/shopmall.aspx?e1=
