# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: waterbug, snake, whitebear, venomous bear, krypton

# Reference: https://github.com/eset/malware-ioc/blob/master/turla/README.adoc

shoppingexpert.it/wp-content/gallery/
soheylistore.ir/modules/mod_feed/feed.php
tazohor.com/wp-includes/feed-rss-comments.php
jucheafrica.com/wp-includes/class-wp-edit.php
61paris.fr/wp-includes/ms-set.php
doctorshand.org/wp-content/about/
lasac.eu/credit_payment/url/

# Reference: https://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/

smallcloud.ga
fleetwood.tk
adstore.twilightparadox.com
bigpen.ga
ebay-global.publicvm.com
psychology-blog.ezua.com
agony.compress.to
gallop.mefound.com
auberdine.etowns.net
skyrim.3d-game.com
officebuild.4irc.com
sendmessage.mooo.com
robot.wikaba.com
tellmemore.4irc.com

# Reference: http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf

arctic-zone.bbsindex.com
cars-online.zapto.org
eunews-online.zapto.org
fifa-rules.25u.com
forum.sytes.net
franceonline.sytes.net
freeutils.3utilities.com
health-everyday.faqserv.com
nhl-blog.servegame.com
olympik-blog.4dq.com
pockerroom.servebeer.com
pressforum.serveblog.net
scandinavia-facts.sytes.net
sportmusic.servemp3.com
stockholm-blog.hopto.org
supernews.sytes.net
sweeden-history.zapto.org
tiger.got-game.org
top-facts.sytes.net
weather-online.hopto.org
wintersport.sytes.net
x-files.zapto.org
forum.4dq.com
forum.acmetoy.com
marketplace.servehttp.com
music-world.servemp3.com
newutils.3utilities.com
interesting-news.zapto.org
academyawards.effers.com
cheapflights.etowns.net
toolsthem.xp3.biz
softprog.freeoda.com
euassociate.6te.net
euland.freevar.com
communityeu.xp3.biz
swim.onlinewebshop.net
july.mypressonline.com
eu-sciffi.99k.org

# Reference: https://www.symantec.com/security-center/writeup/2014-011316-1921-99?tabid=2

nightday.comxa.com
sanky.sportsontheweb.net
tiger.netii.net
north-area.bbsindex.com

# Reference: http://artemonsecurity.com/snake_whitepaper.pdf

academyawards.effers.com
arctic-zone.bbsindex.com
cars-online.zapto.org
cheapflights.etowns.net
communityeu.xp3.biz
eu-sciffi.99k.org
euassociate.6te.net
euland.freevar.com
eunews-online.zapto.org
fifa-rules.25u.com
forum.4dq.com
forum.acmetoy.com
forum.sytes.net
franceonline.sytes.net
freeutils.3utilities.com
health-everyday.faqserv.com
interesting-news.zapto.org
july.mypressonline.com
marketplace.servehttp.com
music-world.servemp3.com
newutils.3utilities.com
nhl-blog.servegame.com
north-area.bbsindex.com
olympik-blog.4dq.com
pockerroom.servebeer.com
pressforum.serveblog.net
scandinavia-facts.sytes.net
softprog.freeoda.com
sportmusic.servemp3.com
stockholm-blog.hopto.org
supernews.sytes.net
sweeden-history.zapto.org
swim.onlinewebshop.net
tiger.got-game.org
toolsthem.xp3.biz
top-facts.sytes.net
weather-online.hopto.org
winter.site11.com
wintersport.sytes.net
x-files.zapto.org

# Reference: https://github.com/eset/malware-ioc/tree/master/turla

shoppingexpert.it/wp-content/gallery/
soheylistore.ir/modules/mod_feed/feed.php
tazohor.com/wp-includes/feed-rss-comments.php
jucheafrica.com/wp-includes/class-wp-edit.php
61paris.fr/wp-includes/ms-set.php
doctorshand.org/wp-content/about/
lasac.eu/credit_payment/url/
daybreakhealthcare.co.uk/wp-includes/themees.php
simplecreative.design/wp-content/plugins/calculated-fields-form/single.php
http://169.255.137.203/rss_0.php
outletpiumini.springwaterfeatures.com/wp-includes/pomo/settings.php
zerogov.com/wp-content/plugins.deactivate/paypal-donations/src/PaypalDonations/SimpleSubsribe.php
ales.ball-mill.es/ckfinder/core/connector/php/php4/CommandHandler/CommandHandler.php
dyskurs.com.ua/wp-admin/includes/map-menu.php
warrixmalaysia.com.my/wp-content/plugins/jetpack/modules/contact-form/grunion-table-form.php
http://217.171.86.137/config.php
http://217.171.86.137/rss_0.php
shinestars-lifestyle.com/old_shinstar/includes/old/front_footer.old.php
aviasiya.com/murad.by/life/wp-content/plugins/wp-accounting/inc/pages/page-search.php
baby.greenweb.co.il/wp-content/themes/san-kloud/admin.php
soligro.com/wp-includes/pomo/db.php
giadinhvabe.net/wp-content/themes/viettemp/out/css/class.php
tekfordummies.com/wp-content/plugins/social-auto-poster/includes/libraries/delicious/Delicious.php
kennynguyen.esy.es/wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/tests/MaxMind/Db/test/Reader/BuildTest.php
sonneteck.com/wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/licence/templates/panel/activation/activation.php
chagiocaxuanson.esy.es/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/templates/manage_gallery/gallery_preview_page_field.old.php
hotnews.16mb.com/wp-content/themes/twentysixteen/template-parts/content-header.php
zszinhyosz.pe.hu/wp-content/themes/twentyfourteen/page-templates/full-hight.php
weandcats.com/wp-content/plugins/broken-link-checker/modules/checkers/http-module.php
smallcloud.ga
fleetwood.tk
adstore.twilightparadox.com
bigpen.ga
ebay-global.publicvm.com
psychology-blog.ezua.com
agony.compress.to
gallop.mefound.com
auberdine.etowns.net
skyrim.3d-game.com
officebuild.4irc.com
sendmessage.mooo.com
robot.wikaba.com
tellmemore.4irc.com

# Reference: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf

eu-sciffi.99k.org
fifa-rules.25u.com
franceonline.sytes.net
greece-travel.servepics.com
hockey-news.servehttp.com
marketplace.servehttp.com
musicplanet.servemp3.com
music-world.servemp3.com
newutils.3utilities.com
nightday.comxa.com
north-area.bbsindex.com
olympik-blog.4dq.com
pokerface.servegame.com
pressforum.serveblog.net
sanky.sportsontheweb.net
softprog.freeoda.com
tiger.got-game.org
tiger.netii.net
toolsthem.xp3.biz
top-facts.sytes.net
weather-online.hopto.org
wintersport.sytes.net
world-weather.zapto.org
x-files.zapto.org
booking.etowns.org
easports.3d-game.com
cheapflights.etowns.net
academyawards.effers.com
te4step.tripod.com
scifi.pages.at
support4u.5u.com
eu-sciffi.99k.org
swim.onlinewebshop.net
winter.site11.com
july.mypressonline.com
soheylistore.ir
tazohor.com
jucheafrica.com
61paris.fr

# Reference: https://twitter.com/VK_Intel/status/1089959988116799491

northviewcanada.com/wp-content/galler/slider/
zycie-chotomowa.pl/wp-content/languages/index.php

# Reference: https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments

codewizard.ml
dubaiexpo2020.cf
markham-travel.com
microsoft.updatemeltdownkb7234.com
updatenodes.site
vision2030.cf
vision2030.tk
zebra.wikaba.com

# Reference: https://www.virustotal.com/gui/ip-address/94.249.192.182/relations

dropbox12.com
moscow.stransgroup.com

# Reference: https://www.virustotal.com/gui/ip-address/185.141.62.32/relations

http://185.141.62.32

# Reference: https://twitter.com/daphiel/status/1174324244127322115

dsme.info

# Reference: https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/

accessdest.strangled.net
bookstore.strangled.net
bug.ignorelist.com
cars-online.zapto.org
chinafood.chickenkiller.com
coldriver.strangled.net
developarea.mooo.com
downtown.crabdance.com
easport-news.publicvm.com
eurovision.chickenkiller.com
fifa-rules.25u.com
forum.sytes.net
goldenroade.strangled.net
greateplan.ocry.com
health-everyday.faqserv.com
highhills.ignorelist.com
hockey-news.servehttp.com
industrywork.mooo.com
leagueoflegends.servequake.com
marketplace.servehttp.com
mediahistory.linkpc.net
music-world.servemp3.com
new-book.linkpc.net
newgame.2waky.com
newutils.3utilities.com
nhl-blog.servegame.com
nightstreet.toh.info
olympik-blog.4dq.com
onlineshop.sellclassics.com
pressforum.serveblog.net
radiobutton.mooo.com
sealand.publicvm.com
securesource.strangled.net
softstream.strangled.net
sportacademy.my03.com
sportnewspaper.strangled.net
supercar.ignorelist.com
supernews.instanthq.com
supernews.sytes.net
telesport.mooo.com
tiger.got-game.org
top-facts.sytes.net
track.strangled.net
wargame.ignorelist.com
weather-online.hopto.org
wintersport.mrbasic.com
x-files.zapto.org

# Reference: https://otx.alienvault.com/pulse/57b4ad5cd19e030139028e28

knowledgetime.slyip.net
treesofter.mooo.com
archive-articles.linkpc.net
sendmessage.mooo.com
forumgeek.zzux.com
psychology-blog.ezua.com
priceline.publicvm.com
officebuild.4irc.com
bestfunc.slyip.net
newforum.chickenkiller.com
tellmemore.4irc.com
priceline.publicvm.com
trytowin.ignorelist.com
booking.strangled.net
ebay-global.publicvm.com
blackerror.ignorelist.com
ceremon.2waky.com
patherror.publicvm.com
tellmemore.4irc.com
worldlist.linkpc.net
ebay-global.publicvm.com
top100news.my-wan.de
patherror.publicvm.com
dellservice.publicvm.com
papperbell.effers.com
onlineshop.sellclassics.com
climbent.mooo.com
bestfunc.slyip.net
knowledgetime.slyip.net
badget.ignorelist.com
highhills.ignorelist.com
psychology-blog.ezua.com
wordlisten.mooo.com
dellservice.publicvm.com
profound.zzux.com
forumgeek.zzux.com
kersachi.ignorelist.com
worldlist.linkpc.net

# Reference: https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/
# Reference: https://otx.alienvault.com/pulse/5e6a1997e4301d0827885c98

http://37.59.60.199
134.209.222.206:15363
85.222.235.156:8000
adgf.am
aiisa.am/js/chatem/js_rA9bo8_O3Pnw_5wJXExNhtkUMdfBYCifTJctEJ8C_Mg.js
armconsul.ru/user/themes/ayeps/dist/js/bundle.0eb0f2cb2808b4b35a94.js
mnp.nkr.am/wp-includes/js/jquery/jquery-migrate.min.js
skategirlchina.com/wp-includes/data_from_db_top.php
skategirlchina.com/wp-includes/ms-locale.php

# Reference: https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/
# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a
# Reference: https://github.com/eset/malware-ioc/tree/master/turla#turla-comrat-v4-indicators-of-compromise

arinas.tk
bedrost.com
branter.tk
bronerg.tk
celestyna.tk
crusider.tk
davilta.tk
deme.ml
dixito.ml
duke6.tk
elizabi.tk
foods.jkub.com
hofa.tk
hunvin.tk
lakify.ml
lindaztert.net
misters.ml
pewyth.ga
progress.zyns.com
sameera.gq
sanitar.ml
scrabble.ikwb.com
sumefu.gq
umefu.gq
vefogy.cf
vylys.com
wekanda.tk

# Reference: https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/
# Reference: https://otx.alienvault.com/pulse/5f0e0247a1f88359cebcccb2

newshealthsport.com

# Reference: https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
# Reference: https://otx.alienvault.com/pulse/5f99a34fe3c5a08a4093e54d

balletmaniacs.com/wp-includes/fonts/icons/
berlinguas.com/wp-content/languages/index.php
polishpod101.com/forum/language/en/sign/
bombheros.com/wp-content/languages/index.php
simplifiedhomesales.com/wp-includes/images/index.php
mtsoft.hol.es/wp-content/gallery/

# Reference: https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/
# Reference: https://otx.alienvault.com/pulse/5fc7b28bd5c07b0b777106b9

ethdns.mywire.org
highcolumn.webredirect.org
hotspot.accesscam.org
theguardian.webredirect.org

# Reference: https://twitter.com/rnaksyrn/status/1097522490111418368
# Reference: https://www.virustotal.com/gui/file/5b4ed1dc85f5551f070693cf1faf801f76a92b7b624bd402e7a6ca42bc8486fa/detection

worldnews.ath.cx
