# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt32, apt-c-32, oceanlotus, SectorF01, phantomlance

# Reference: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

24.datatimes.org
blog.docksugs.org
blog.panggin.org
contay.deaftone.com
check.paidprefund.org
datatimes.org
docksugs.org
economy.bloghop.org
emp.gapte.name
facebook-cdn.net
gap-facebook.com
gl-appspot.org
help.checkonl.org
high.expbas.net
high.vphelp.net
icon.torrentart.com
images.chinabytes.info
imaps.qki6.com
img.fanspeed.net
job.supperpow.com
lighpress.info
menmin.strezf.com
mobile.pagmobiles.info
news.lighpress.info
notificeva.com
nsquery.net
pagmobiles.info
paidprefund.org
push.relasign.org
relasign.org
share.codehao.net
seri.volveri.net
ssl.zin0.com
static.jg7.org
syn.timeizu.net
teriava.com
timeizu.net
tonholding.com
tulationeva.com
untitled.po9z.com
update-flashs.com
vieweva.com
volveri.net
vphelp.net
yii.yiihao126.net
zone.apize.net

# Reference: https://github.com/eset/malware-ioc/tree/master/oceanlotus

adineohler.com
aisicoin.com
alicervois.com
anessallie.com
antenham.com
arinaurna.com
arkoimmerma.com
aulolloy.com
avidilleneu.com
avidsontre.com
aximilian.com
biasatts.com
braydenhateaub.com
carosseda.com
chascloud.com
dreyoddu.com
dwarduong.com
eckenbaue.com
eighrimeau.com
errellawle.com
erstin.com
frahreiner.com
hieryells.com
hristophe.com
ichardt.com
icmannaws.com
iecopeland.com
irkaimboeuf.com
jamedalue.com
jamyer.com
jeanessbinder.com
jeffreyue.com
keoucha.com
laudiaouc.com
lbertussbau.com
loridanase.com
marrmann.com
meroque.com
moureuxacv.com
myolton.com
nasahlaes.com
ntjeilliams.com
omasicase.com
onnaha.com
onteagle.com
orinneamoure.com
orresto.com
orrislark.com
rackerasr.com
rcuselynac.com
sanauer.com
stopherau.com
tefanie.com
tefanortin.com
tephens.com
traveroyce.com
tsworthoa.com
ucaargo.com
ucairtz.com
urnage.com
venionne.com
virginiaar.com

# Reference: https://www.cybereason.com/blog/operation-cobalt-kitty-apt

food.letsmiles.org

# Reference: https://ti.360.net/blog/articles/oceanlotus-targets-chinese-university/

cctv.avidsonec.com
cert.opennetworklab.com
cloud.reneark.com
cloud.sicaogler.com
cnn.befmann.com
dieordaunt.com
dyndns.angusie.com
fox.ailloux.com
hotel.bookingshop.info
ipv6.uyllain.com
isp.cambodiadaily.org
login.ticketwitheasy.com
myaccount.philtimes.org
news.coleope.com
news.denekasd.com
news.exandre.com
ns1.cambodiadaily.org
ourkekwiciver.com
school.obertamy.com
straliaenollma.xyz
time.ouisers.com

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
# Reference: https://www.virustotal.com/#/file/673ee7a57ba3c5a2384aeb17a66058e59f0a4d0cddc4f01fe32f369f6a845c8f/relations

ssl.arkouthrie.com
s3.hiahornber.com
widget.shoreoa.com

# Reference: https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

theme.blogsite.org
cortana.homelinux.com
word.webhop.info
work.windownoffice.com
cortanasyn.com
e.browsersyn.com
syn.servebbs.com
service.windown-update.com
check.homeip.net
outlook.updateoffices.net
mail.fptservice.net
office.windown-update.com
cortanazone.com
beta.officopedia.com
videos.dyndns.org
service.serveftp.org
syn.browserstime.com
check.webhop.org
ristineho.com

# Reference: https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
# Reference: https://otx.alienvault.com/pulse/5c9255f84d2d890341e7f6a1
# Reference: https://twitter.com/vxsh4d0w/status/1109030685090680832
# Reference: https://pastebin.com/BiQKjQaK

aliexpresscn.net
andreagahuvrauvin.com
andreagbridge.com
aol.straliaenollma.xyz
beaudrysang.xyz
becreybour.com
byronorenstein.com
chinaport.org
christienoll.xyz
christienollmache.xyz
cloud.360cn.info
dieordaunt.com
dns.chinanews.network
illagedrivestralia.xyz
karelbecker.com
karolinblair.com
lauradesnoyers.com
ntop.dieordaunt.com
office.ourkekwiciver.com
ourkekwiciver.com
sophiahoule.com
stienollmache.xyz
straliaenollma.xyz
ursulapapst.xyz
villagedrivestralia.xyz

# Reference: https://twitter.com/blackorbird/status/1108687601475555328

office.allsafebrowsing.com

# Reference: https://twitter.com/blackorbird/status/1086186184768815104

outlook.officebetas.com

# Reference: https://twitter.com/blackorbird/status/1086188558413586432

outlook.betamedias.com

# Reference: https://twitter.com/blackorbird/status/1113328823947264001
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/aptnote0402
# Reference: https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html

kermacrescen.com
stellefaff.com
manongrover.com
background.ristians.com
enum.arkoorr.com
worker.baraeme.com
plan.evillese.com

# Reference: https://twitter.com/blackorbird/status/1113737430501212161

att.illagedrivestralia.xyz
clipboard.christienoll.xyz
snort.lauradesnoyers.com

# Reference: https://twitter.com/blackorbird/status/1115617606218727425
# Reference: https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
# NOTE: the URL-path trail "/dp/B074WC4NHW/" listed below has the same shape as an ordinary Amazon product URL ("/dp/<ASIN>/"),
# so a match on that path alone is weak evidence and may fire on benign shopping traffic; treat it as low-confidence and
# confirm the destination host before escalating

daff.faybilodeau.com
sarc.onteagleroad.com
au.charlineopkesston.com
/dp/B074WC4NHW/

# Reference: https://twitter.com/blackorbird/status/1118396419595837440

load.updatetag.com

# Reference: https://twitter.com/blackorbird/status/1119232980801785856

nvidia.benjamiilliams.club
365.urielcallum.com

# Reference: https://twitter.com/Timele9527/status/1125941317689925632

load.newappssystems.com

# Reference: https://ti.qianxin.com/blog/articles/oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure/

163mailservice.com
api.blogdns.com
b.cortanazone.com
blog.artinhauvin.com
bluesky2018man.com
cdn.eworldship-news.com
cdn3.onlinesurveygorilla.com
dominikmagoffin.com
enormousamuses.com
eworldship-news.com
image.fontstaticloader.com
kingsoftcdn.com
mailserviceactivation.com
mappingpotentials.com
online.stienollmache.xyz
open.betaoffice.net
p12.alerentice.com
pong.dynathome.net
rio.imbandaad.com
stackbio.com
style.fontstaticloader.com
vnbizcom.com
web.dalalepredaa.com
zone.servehttp.com

# Reference: https://otx.alienvault.com/pulse/5cd5446ba9324bd2a35b3bd4

copy.byronorenstein.com
suricata.radeordaunt.com

# Reference: https://twitter.com/blackorbird/status/1128534704825618432

ps.andreagahuvrauvin.com

# Reference: https://twitter.com/RedDrip7/status/1130780807318999040

139.59.30.109:8090

# Reference: https://twitter.com/blackorbird/status/1131862769500737538
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/Oceanlotus-APK-sample.TXT

ckoen.dmkatti.com
jang.goongnam.com
mtk.baimind.com

# Reference: https://otx.alienvault.com/pulse/5cff85da279bf2ae275592c5

andreagahuvrauvin.com
mikus19201.ddns.net
msoffice-templates.info
playnetflix.com

# Reference: https://twitter.com/RedDrip7/status/1141598356113780737
# Reference: https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/

udt.sophiahoule.com

# Reference: https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html

dns.domain-resolve.org
search.webstie.net
/cl_client_cmd.php
/cl_client_cmd_res.php
/cl_client_logs.php
/cl_client_online.php

# Reference: https://twitter.com/ThreatBookLabs/status/1155815604332273666

get.freelicenses.net

# Reference: https://twitter.com/Arkbird_SOLG/status/1157319751238131717

195.12.50.172:46405

# Reference: https://twitter.com/RedDrip7/status/1162253139631730689

cloud.doomdns.org

# Reference: https://twitter.com/ccxsaber/status/1185104546332213248

cloud.chinatel.org
oa.chinarailways.net

# Reference: https://twitter.com/ItsReallyNick/status/1188639544528248832

background.ristians.com
plan.evillese.com
worker.baraeme.com
enum.arkoorr.com

# Reference: https://twitter.com/h4ckak/status/1115511637979553792

ls.andreagbridge.com

# Reference: https://twitter.com/spider_girl22/status/1192276923784691712

api.myddns.me

# Reference: https://twitter.com/ccxsaber/status/1187199752145752064

cdn.redirectme.net

# Reference: https://twitter.com/Rmy_Reserve/status/1200089355307536384
# Reference: https://www.google.com/search?q=%22jessicajoshua.com%22

jessicajoshua.com

# Reference: https://otx.alienvault.com/pulse/5de9067483d85294ef9e77b4

360skylar.host
baidu-search.net
cdnwebmedia.com
jcdn.jsoid.com
upgrade.coldriverhardware.com
us.melvillepitcairn.com
libjs.inquirerjs.com
ad.ssageevrenue.com
clip.shangweidesign.com
sys.genevrebreinl.com
tel.caitlynwells.com
news.shangrilaexports.com

# Reference: https://twitter.com/pancak3lullz/status/1204059496005488642

raffesla.idfnv.net
h61.p.ctrader.com
bmwthailand.org
huyndai-auto.com
bmw-corp.net
netsy.trutanner.com

# Reference: https://twitter.com/pancak3lullz/status/1204065037448613889

auth.lineage2ez.com

# Reference: https://twitter.com/ESETresearch/status/1208032053108850688
# Reference: https://otx.alienvault.com/pulse/5e063be1a6ed30bd243f100e

opengroup.homeunix.org

# Reference: https://app.any.run/tasks/b3612ff4-c8b2-409d-98d4-77c64c8a01cf/

libjs.inquirerjs.com
vitlescaux.com
vitlescaux.com

# Reference: https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf

aki.viperse.com
ckoen.dmkatti.com
game2015.net
gameandroid.taiphanmemfacebookmoi.info
itpk.mostmkru.com
jang.goongnam.com
ming.chujong.com
mokkha.goongnam.com
nhaccuatui.android.zyngacdn.com
quam.viperse.com
sadma.knrowz.com
taiphanmemfacebookmoi.info
ulse.chujong.com
science.tayenthflores.com
fp.rentwoylas.com
heal.lancebarkerwa.com
wand.gasharontomholt.com
term.ursulapaulet.com
inc.graceneufville.com
video.viodger.com
cloud.anofrio.com
traits.senapusmireault.com
status.elizongham.com
art.yfieldrainasch.com
doc.rainaschiffer.com

# Reference: https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html
# Reference: https://otx.alienvault.com/pulse/5ea052d6cc299691b6ed1480

topiccore.com
m.topiccore.com
inquirerjs.com
libjs.inquirerjs.com
libjss.inquirerjs.com
jcdn.jsoid.com
vitlescaux.com

# Reference: https://securelist.com/apt-phantomlance/96772/
# Reference: https://otx.alienvault.com/pulse/5ea84bfc21271700b46efeee

aki.viperse.com
anaehler.com
anofrio.com
api.anaehler.com
att.illagedrivestralia.xyz
bit.catalinabonami.com
ckoen.dmkatti.com
cloud.anofrio.com
cyn.ettebiermahalet.com
egg.stralisemariegar.com
file.log4jv.info
game2015.net
hr.halettebiermann.com
inc.graceneufville.com
itpk.mostmkru.com
jang.goongnam.com
log.osloger.biz
log4jv.info
mine.remaariegarcia.com
ming.chujong.com
mokkha.goongnam.com
mtk.baimind.com
news.sqllitlever.info
nhaccuatui.android.zyngacdn.com
osloger.biz
paste.christienollmache.xyz
ps.andreagahuvrauvin.com
quam.viperse.com
s3.hiahornber.com
sadma.knrowz.com
sqllitlever.info
ssl.arkouthrie.com
staff.kristianfiedler.club
taiphanmemfacebookmoi.info
term.ursulapaulet.com
us.jaxonsorensen.club
video.viodger.com
viodger.com
widget.shoreoa.com

# Reference: https://twitter.com/ShadowChasing1/status/1257615428588732417

letsme.gotdns.com

# Reference: https://twitter.com/ShadowChasing1/status/1268200526564343809

summerevent.webhop.net

# Reference: https://twitter.com/cyber__sloth/status/1272470254141288450

http://167.88.180.198
systeminfor.com

# Reference: https://twitter.com/ccxsaber/status/1277183467889942528
# Reference: https://twitter.com/Arkbird_SOLG/status/1312380799514284032
# Reference: https://app.any.run/tasks/2a8d467c-65e4-417f-a747-b6e59bf037ba/
# Reference: https://www.virustotal.com/gui/file/dbde2b710bee38eb3ff1a72b673f756c27faa45d5c38cbe0f8a5dfccb16c18ba/detection

mentosfontcmb.com
tripplekill.mentosfontcmb.com

# Reference: https://twitter.com/batrix20/status/1289066669109780480
# Reference: https://www.virustotal.com/gui/file/86cebd189cfdcfb6e76cba7a258d7f90a3ec353348611378c48fa28740bebd98/detection
# Reference: https://www.virustotal.com/gui/file/7709b376ea5b388e1b415a93fc618c1febddfbd977254cc63e3e8d2daa5fb3c9/detection

accounts.getmyip.com

# Reference: https://twitter.com/ShadowChasing1/status/1289502558948491265
# Reference: https://www.virustotal.com/gui/file/3547f3e8f7c5aec3f507d75e7d3d254224d02a29290bf54945b29299950b94b2/detection

feeder.blogdns.com

# Reference: https://twitter.com/ShadowChasing1/status/1296249969507069952
# Reference: https://app.any.run/tasks/92bbc70b-02a6-4b4d-bbb0-2a4922ef204d/
# Reference: https://www.virustotal.com/gui/file/ffaf7e81f2334fd2e1ccc21d6b861c819b5652e5662e0723c096561460d69e3e/detection

202.59.10.170:46405
salebusinesend.com
beautifull-font.salebusinesend.com

# Reference: https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
# Reference: https://otx.alienvault.com/pulse/5f7c8a82c21d00312155d28a

asia-kotoba.net
yourrighttocompensation.com

# Reference: https://twitter.com/ShadowChasing1/status/1315679227757305856
# Reference: https://twitter.com/ShadowChasing1/status/1315683463983366149

bucket.serveftp.net
gacha.knowsitall.info

# Reference: https://twitter.com/ShadowChasing1/status/1318499224170852353
# Reference: https://www.virustotal.com/gui/file/a030435018a67c07747751766132eb30a9a6bb6af161df225a27c0ec57156b61/detection

43.254.132.212:46405
insappstaticanalyze.com
dns.insappstaticanalyze.com

# Reference: https://twitter.com/ShadowChasing1/status/1319238163227815937
# Reference: https://www.virustotal.com/gui/file/47ba92dc8c9302b2f70db70a0d46fef0ee2972edc3e1c4b637d5c76b4141c7a0/detection

43.254.132.117:46405
bussinesappinstant.com
cloud.bussinesappinstant.com

# Reference: https://twitter.com/ShadowChasing1/status/1321320009054871554
# Reference: https://www.virustotal.com/gui/file/68cfaca326fd8953be4a3ece8161c3d30e5bc5b4ffec8f5f7e30f8ea2608fa1b/detection

45.63.123.237:46405

# Reference: https://twitter.com/ShadowChasing1/status/1323438687296790528
# Reference: https://www.virustotal.com/gui/file/133e629b27bae2309ca9fd39a78b070c9fc5852c1e31c30ee278e184828119c1/detection

clouds.onthewifi.com

# Reference: https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/
# Reference: https://otx.alienvault.com/pulse/5fa570762d4ac937ddf1fdbe

andreagahuvrauvin.com
arbenha.com
baodachieu.com
baomoivietnam.com
dance-til-dawn.podzone.net
fontloading.com
gservice.reviews
gusercontent.com
hmacount.com
hypepodscase.com
khmer-livenews.com
khmerleaks.com
kmernews.com
laostimenews.com
laotiantimes.com
ledanvietnam.org
malaynews.org
nhansudaihoi13.org
outlook-client.com
philiippinesnews.net
serrvice.net
summerevent.webhop.net
thamcungbisu.org
theme.blogwix.com
tinmoivietnam.com
tinmoivietnam.net
tocaoonline.org
viewerservice.com
yhsetting.com

# Reference: https://twitter.com/virusbtn/status/1333383787737214977
# Reference: https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
# Reference: https://otx.alienvault.com/pulse/5fc69d3770679c907b87aea3

idtpl.org
mihannevis.com
mykessef.com

# Reference: https://twitter.com/blackorbird/status/1337225399177150464

facebookdeck.com

# Reference: https://twitter.com/GroupIB_GIB/status/1338816922687770624
# Reference: https://twitter.com/GroupIB_GIB/status/1338817396069593088
# Reference: https://www.virustotal.com/gui/ip-address/45.61.139.211/relations

45.61.139.211:443
cbo.group

# Reference: https://twitter.com/ShadowChasing1/status/1355866180729245696
# Reference: https://twitter.com/ShadowChasing1/status/1355871333192634376
# Reference: https://www.virustotal.com/gui/file/f0a05aaed382f667c49f74f005a754cf50852cbc9b33a9546469cd6db26b8ece/detection

apiservice.webhop.net

# Reference: https://www.amnesty.org/en/latest/research/2021/02/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks/
# Reference: https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam
# Reference: https://otx.alienvault.com/pulse/603d189d3e938ff6555b68c8/

api.ciscofreak.com
art.guillermoespana.com
coco.cechire.com
delicalo.dnsalias.net
land.rellecharlessper.com
node.podzone.org
s3.hiahornber.com
ssl.arkouthrie.com
tips.jasperpfeiffer.com
widget.shoreoa.com

# Reference: https://twitter.com/ShadowChasing1/status/1370003071560863744
# Reference: https://www.virustotal.com/gui/file/aa331051db461ff1dc760616f23770293a91257087fd079e2e76c122db7c0561/detection

services.serveftp.net

# Reference: https://twitter.com/360Netlab/status/1390297734981246978
# Reference: https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
# Reference: https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/

eduelects.com
mirror-codes.net
thaprior.net
sublineover.net
blog.eduelects.com
cdn.mirror-codes.net
news.thaprior.net
status.sublineover.net

# Reference: https://twitter.com/ShadowChasing1/status/1397057243946774528
# Reference: https://www.virustotal.com/gui/domain/dinefilly.com/detection
# Reference: https://www.virustotal.com/gui/file/c2abe7c37c2fb5ac50b1039bb03f3bdae66587bdb235c81fd5d8c379d48f1e96/detection

dinefilly.com
dangky.dinefilly.com
tintuc.dinefilly.com

# Reference: https://twitter.com/ShadowChasing1/status/1397560527929307139
# Reference: https://www.virustotal.com/gui/domain/kginfocom.com/relations
# Reference: https://www.virustotal.com/gui/file/489fca69a622195328302e64e29b6183feac90826dce198432d603202ca4d216/detection

kginfocom.com
infodocs.kginfocom.com
ousync.kginfocom.com
