# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt-04

# Reference: https://twitter.com/Sebdraven/status/1052864520522223616
# Reference: https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739
# Reference: https://www.virustotal.com/#/ip-address/185.106.120.43

heartissuehigh.win
webserv-redir.net

# Reference: https://twitter.com/Sebdraven/status/1140597344720830471
# Reference: https://app.any.run/tasks/d7ce191d-c04f-4eff-a13c-02cbe746c256/
# Reference: https://www.virustotal.com/gui/domain/cdn-dl.cn/relations
# Reference: https://pastebin.com/rccqdjNB

cdn-dl.cn
bd-gov.cdn-dl.cn
bdgov-mopa.cdn-dl.cn
biaa-org-bd.cdn-dl.cn
biaa-org.cdn-dl.cn
gov-cn.cdn-dl.cn
gov-pk.cdn-dl.cn
hostmaster.cdn-dl.cn
info-account.cdn-dl.cn
ministry-gov.cdn-dl.cn
ministry-interior-gov-pk.cdn-dl.cn
mod-gov.cdn-dl.cn
moe-gov.cdn-dl.cn
moi-nadra.cdn-dl.cn
mopa-bd.cdn-dl.cn
mopa-bdgov.cdn-dl.cn
mopa-govbd.cdn-dl.cn
nadra-interior.cdn-dl.cn
nadra-moi.cdn-dl.cn
narda-moi.cdn-dl.cn
neteease.cdn-dl.cn
newmake.pw
serve-dropbx-ap-east1.cdn-dl.cn
suodeshui.cdn-dl.cn
tiexue.cdn-dl.cn

# Reference: https://twitter.com/Timele9527/status/1147750939576586244

http://167.86.116.39

# Reference: https://twitter.com/Timele9527/status/1147750939576586244

vidyasagaracademybrg.in/scripts/lnk/
vidyasagaracademybrg.in/scripts/am/

# Reference: https://twitter.com/Timele9527/status/1150597482310619136
# Reference: https://app.any.run/tasks/e15e1cd1-0c38-41b9-aa1e-a29562f17b3d/
# Reference: https://www.freebuf.com/articles/network/196788.html (Chinese)

ap12.ms-update-server.net
cdn-do.net
cdn-edge.net
cdn-list.net
fb-dn.net
google.com.d-dns.co
msftupdate.srv-cdn.com
nadra.gov.pk.d-dns.co
pmo.cdn-load.net
s2.cdn-edge.net
s12.cdn-apn.net
trans-pre.net
webserv-redir.net

# Reference: https://twitter.com/blackorbird/status/1160734383864610816

trans-can.net

# Reference: https://mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA

cdn-ps.net

# Reference: https://twitter.com/blackorbird/status/1189116884626493440

paknavy.gov.pk.ap1-port.net

# Reference: https://twitter.com/Timele9527/status/1195272502135549953
# Reference: https://www.virustotal.com/gui/domain/reawk.net/details

reawk.net

# Reference: https://twitter.com/ccxsaber/status/1195281985335201794

sd1-bin.net

# Reference: https://twitter.com/0xCARNAGE/status/1203882560176218113
# Reference: https://app.any.run/tasks/3abfc241-3ab0-4016-acbb-040b44199d52/

185.225.17.239:443

# Reference: https://twitter.com/RedDrip7/status/1206898954383740929

ap1-acl.net

# Reference: https://twitter.com/Timele9527/status/1211852764688478216
# Reference: https://app.any.run/tasks/c8469e19-96a0-4f2f-9765-72acf72dee05/

fincruitconsulting.in

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/
# Reference: https://otx.alienvault.com/pulse/5e133ac9f5eaf331885e74b4

aws-check.net
deb-cn.net
ms-db.net
ms-ethics.net

# Reference: https://github.com/blackorbird/APT_REPORT/tree/master/sidewinder

gov-pk.org

# Reference: https://mp.weixin.qq.com/s/L3dVwbkfTABtE4ZYtv5r4w
# Reference: https://otx.alienvault.com/pulse/5e206d8b77de0b2690b9946c

110.10.176.193:4443

# Reference: https://twitter.com/Timele9527/status/1247325070520750080
# Reference: https://twitter.com/Timele9527/status/1247327952238284800
# Reference: https://twitter.com/Timele9527/status/1247376905956765697

ap-ms.net
d01fa.net
fdn-en.net
nrots.net

# Reference: https://twitter.com/ShadowChasing1/status/1252547080070914048

link-cdnl.net

# Reference: https://twitter.com/ccxsaber/status/1260775018306236416

au-edu.km01s.net

# Reference: https://twitter.com/Arkbird_SOLG/status/1260727623539404800

kat0x.net

# Reference: https://twitter.com/ShadowChasing1/status/1268214042637684738
# Reference: https://www.virustotal.com/gui/domain/chrom3.net/relations

chrom3.net
r0dps.net

# Reference: https://twitter.com/ccxsaber/status/1281413683013287936

gov-mil.cn

# Reference: https://twitter.com/ShadowChasing1/status/1284319235481538565

cdn-m1l.net
tar-gz.net

# Reference: https://twitter.com/cyber__sloth/status/1293183011916193793
# Reference: https://twitter.com/cyber__sloth/status/1293187616897028098
# Reference: https://twitter.com/Arkbird_SOLG/status/1293221669134372865
# Reference: https://app.any.run/tasks/e3501b33-28a2-4b7c-bc79-d20891c4832e/

http://111.229.73.84
202.58.104.100:81

# Reference: https://twitter.com/ShadowChasing1/status/1296710024643796992
# Reference: https://www.virustotal.com/gui/file/a89189f1c7c101c8d9c2637e571c4f8546df3ea557a576090cde7b75009981a9/detection

fqn-cloud.net

# Reference: https://twitter.com/ShadowChasing1/status/1297902086747598852

asw-edu.net
filesrvr.net

# Reference: https://twitter.com/cyber__sloth/status/1298187291295461376
# Reference: https://www.virustotal.com/gui/ip-address/185.141.25.136/relations

mil-pk.net

# Reference: https://twitter.com/ShadowChasing1/status/1308620752703299585

aws-pk.net
cdn-aws-s2.net

# Reference: https://twitter.com/ShadowChasing1/status/1316680709478604800
# Reference: https://twitter.com/mg2_tracy1/status/1316688407280586752
# Reference: https://www.virustotal.com/gui/file/280fb291d49f277067667838cdf30a940eaed9ed7712448158ea29e1ce6af86f/detection

cdn-sop.net

# Reference: https://twitter.com/ShadowChasing1/status/1324349418162720769
# Reference: https://twitter.com/ShadowChasing1/status/1324349684664528897
# Reference: https://www.virustotal.com/gui/domain/gov-pok.net/detection

gov-pok.net

# Reference: https://twitter.com/RedDrip7/status/1328639418110865409
# Reference: https://www.virustotal.com/gui/file/1cbec920afe2f978b8f84e0a4e6b757d400aeb96e8c0a221130060b196ece010/detection

cdn-edu.net

# Reference: https://twitter.com/mg2_tracy1/status/1331153718931177473
# Reference: https://www.virustotal.com/gui/file/7238f4e5edbe0e5a2242d8780fb58c47e7d32bf2c4f860c88c511c30675d0857/detection

ms-trace.net

# Reference: https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html
# Reference: https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742

185.225.19.46:4589
185.225.19.46:4875
gov-af.org
gov-np.org
mail-apfgavnp.hopto.org
mail-apfgovnp.ddns.net
mail-kmgcom.ddns.net
mail-mfagovcn.hopto.org
mail-mofagovnp.hopto.org
mail-mofagovnp.zapto.org
mail-mofgovnp.hopto.org
mail-ncporgnp.hopto.org
mail-nepalarmymilnp.duckdns.org
mail-nepalgovnp.duckdns.org
mail-nepalpolicegov.hopto.org
mail-nepalpolicegovnp.duckdns.org
mail-nrborg.hopto.org
mail-nscaf.myftp.org
mail-ntcnetnp.serveftp.com

# Reference: https://twitter.com/BaoshengbinCumt/status/1342297125141454848
# Reference: https://www.virustotal.com/gui/file/c59c6c18f529c88cf352883b23af36f829b8ae1d17daa0762f028184cba7199b/detection

cdn-re.net

# Reference: https://twitter.com/ShadowChasing1/status/1345559958796914694

gov-mail.net

# Reference: https://twitter.com/cyber__sloth/status/1346100925199478784

gov-af.net
gov-crt.net
gov-nadra.net
gov-pbs.net
gov-pmo.net

# Reference: https://www.virustotal.com/gui/domain/gov-cn.net/relations

gov-cn.net

# Reference: https://www.virustotal.com/gui/domain/gov-cnn.net/relations

gov-cnn.net

# Reference: https://www.virustotal.com/gui/domain/paknavy-gov.net/detection

paknavy-gov.net

# Reference: https://www.virustotal.com/gui/file/4b5e0ad20a8d143567cc424edf2010146e24a0b729de7ca0f66292141d363e57/detection

cdn-aws.net
cdn-src.net

# Reference: https://twitter.com/BaoshengbinCumt/status/1354270351702691843

del-ivery.net
trans-aws.net

# Reference: https://twitter.com/jfslowik/status/1362782587345727492

cdn-secure.net

# Reference: https://twitter.com/h2jazi/status/1363683531067715584
# Reference: http://hackdig.com/02/hack-280699.htm
# Reference: https://app.any.run/tasks/b88e935c-b17a-4429-acdc-65156804ad1c/
# Reference: https://otx.alienvault.com/pulse/6033e84e6fb8fc369323e8e3/

151.236.11.147:57670
alsalaf.info
gov-pk.info
govt-pk.org
gov-pak.org
pk-gov.org
attachments.gov-pk.info
nhsrcgovpk.servehttp.com
contact.gov-pak.org
onedrives.pk-gov.org
support.govt-pk.org
support.gov-pak.org
support-gov.myftp.org

# Reference: https://twitter.com/DeadlyLynn/status/1367746507974270981
# Reference: https://www.virustotal.com/gui/file/bb58796f79a913a985eb41f0d12446e7ae8fe99fd3f0d432d77d8d82f202bf5f/detection

cdn-pak.net
fqn-mil.net
mailmofagovpk.cdn-pak.net

# Reference: https://twitter.com/BaoshengbinCumt/status/1369916500014821377

afd-bdmil.cdn-pak.net
fmprc.cdn-pak.net
ibn.cdn-pak.net
mofa.cdn-pak.net
oimc.cdn-pak.net
pakbj.cdn-pak.net
poly.cdn-pak.net
trgdte.cdn-pak.net

# Reference: https://www.virustotal.com/gui/domain/www-cdn.net/relations

www-cdn.net

# Reference: https://twitter.com/ShadowChasing1/status/1384743822953877505

afohs.mod-pak.co
fbr.mod-pak.co
shaheenfoundation.mod-pak.co
mod-pak.co

# Reference: https://twitter.com/BaoshengbinCumt/status/1384792855692988416
# Reference: https://www.virustotal.com/gui/ip-address/185.163.45.56/relations
# Reference: https://www.virustotal.com/gui/file/37a3855e05c63fdab773fdd39da021f2daf1961cc8137385db079960bdfa18c7/detection

edu-mil.cn
iugur.live
bmac.iugur.live
mofa.iugur.live

# Reference: https://twitter.com/BaoshengbinCumt/status/1387233200871673856
# Reference: https://mp.weixin.qq.com/s/GWVz02_jGaUt_n9JxB1OwQ

autodiscover.mofagov-pk.online
cpanel.mofagov-pk.online
cpcalendars.mofagov-pk.online
cpcontacts.mofagov-pk.online
dgmi-share-folder-nepalarmy-mil-np-coas-sambodhan-pdf.netlify.app
email-nepalarmy-mil-np-owa.netlify.app
imail.aop.gov.af.egateway.nsc-gov.com
mail-nepalarmy-mil-np-fsdafjsd.herokuapp.com
mail-nepalarmy-mil-np-login-download.netlify.app
mail-nepalarmy-mil-np-view.netlify.app
mail-nepalpolice-gov-np-loginn.herokuapp.com
mail-nscaf.hopto.org
mail-ntmail-ntcnetnp.serveftp.comcnetnp.serveftp.com
mail.mofagov-pk.online
medeclinic.ae
mil-pk.net
mod-cn.trans-del.net
mofagov-pk.naatlibrary.com
mofagov-pk.online
naatlibrary.com
nepalarmy.trans-del.net
nsc-gov.com
nsc-gov.net
polyinc-global.trans-del.net
trans-del.net
webdisk.mofagov-pk.online
webmail.mofagov-pk.online
www-punjabpolice-gov-pk-sopforsecurityofforeignersandchinese.trans-aws.net

# Reference: https://twitter.com/ShadowChasing1/status/1391976060472860675

paf-gov.com
img-google.paf-gov.com

# Reference: https://twitter.com/ShadowChasing1/status/1396809305194590211
# Reference: https://www.virustotal.com/gui/file/caaf44f16dcbee93071887ab6844ed79975ccd20f9008deb93c13bfdb436e0b0/detection

bahariafoundation.org
pmaesa.bahariafoundation.org

# Reference: https://twitter.com/ShadowChasing1/status/1397135889327804417

comsates.org
crisismanagementunit.comsates.org
mofa-gov-pk-wireless.comsates.org

# Reference: https://twitter.com/ShadowChasing1/status/1398171992554053632
# Reference: https://www.virustotal.com/gui/file/ff54e9228b7160f9272d67ad1423600d2cb7aa4d335412a28b11f63a517270fe/detection

cdn-gov.net

# Reference: https://twitter.com/Des00464472/status/1399969790471507968

paknavy-gov-cvic.fbise.org

# Reference: https://twitter.com/BaoshengbinCumt/status/1403292104671916032

cdn-in.net
punjabpolice.gov.pk.standingoperatingprocedureforemergencythreat.cdn-in.net
