# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: jointworm, phantomocx, phantomc2, phantomcorea

# Reference: https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/

wikipeldia.org

# Reference: https://twitter.com/_re_fox/status/1298268175927140353
# Reference: https://twitter.com/James_inthe_box/status/1298274439151251456
# Reference: https://app.any.run/tasks/e0845226-ee73-4e37-ab47-740cf0d3b757/

corpxtech.com
extrasectr.com
quotingtrx.com
trquotesys.com
veritechx.com
vvxtech.net

# Reference: https://app.any.run/tasks/42a70971-d057-4763-8541-5ebe9b842fcb/
# Reference: https://twitter.com/James_inthe_box/status/1280616037185024000
# Reference: https://twitter.com/_re_fox/status/1285579050241667078
# Reference: https://twitter.com/_re_fox/status/1280548111828561922
# Reference: https://twitter.com/Vishnyak0v/status/1300747696073039873

telefx.net
voipasst.com
voipreq12.com
voipssupport.com

# Reference: https://www.cybereason.com/hubfs/Evilnum%20IOCs.pdf
# Reference: https://otx.alienvault.com/pulse/5f5118e86e2b24d86310cd6d
# Reference: https://twitter.com/_re_fox/status/1273655899073187840

crm-domain.net
fxmt4x.com
leads-management.net
telecomwl.com
xlmfx.com

# Reference: https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf
# Reference: https://otx.alienvault.com/pulse/5f6b7988a48d50ae3e26381a

coinzre.website

# Reference: https://twitter.com/_re_fox/status/1316815091212390400
# Reference: https://app.any.run/tasks/5904a168-b4e4-45e6-bd6f-50ff80665bf9/
# Reference: https://www.virustotal.com/gui/file/da7d3ad1dc2f17b2d2387781e6486682f85d9980c115a10c7f38b3729e0fa273/detection

adsmachineio.com
api-pixtools.com
api-printer-spool.com
msft-cdn.cloud
windows-accs.live
windows-ddnl.com

# Reference: https://twitter.com/ShadowChasing1/status/1341358733817856000
# Reference: https://twitter.com/_pr4gma/status/1341439247384014849
# Reference: https://www.virustotal.com/gui/ip-address/185.161.209.8/relations
# Reference: https://www.virustotal.com/gui/file/3c7def980dfdebc0e03d8a3d3e2ee8367268ea676050e767e3c6ad77b8f9219e/detection

afftrackmedia.com
apple-cdrp.com
cdr-soft.com
community-approch.com
microsft-community.com
msftld.com

# Reference: https://twitter.com/_pr4gma/status/1343630971661332484
# Reference: https://www.virustotal.com/gui/ip-address/185.161.211.219/relations

driver-wds.com
flowerads.cloud
globaladdressbook.cloud

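# Reference: https://twitter.com/ESETresearch/status/1360178612201218051
# Reference: https://otx.alienvault.com/pulse/6026ccc95d3a8be27100f687/
# Note: corpxtech.com, extrasectr.com, quotingtrx.com, trquotesys.com, veritechx.com and vvxtech.net below are also listed earlier in this file under a different reference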

api-printsvc.co.in
appronto.in
canopustr.com
cloud-cdn.co.in
corpxtech.com
dn-mcrosoft.com
ecodll.com
eu-mcrosoft.com
extrasectr.com
freepbxs.com
hp-prints.com
imgncdn.online
mediadv.org
myhomelap.com
procyonstr.com
quotingtrx.com
sirius-market.com
ssl-certinfo.eu
trquotesys.com
trvol.com
trvolume.net
veritechx.com
vvxtech.net

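# Reference: https://twitter.com/z0ul_/status/1388174332325662720
# Reference: https://www.virustotal.com/gui/file/d4b064c13bff1533a339bf6278ca7564577b7f8598be9caafb0ec3b41ea6d1eb/detection
# Note: mail.jobsout.com is a subdomain of jobsout.com; if the consumer of this list also matches parent domains, the second entry is redundant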

jobsout.com
mail.jobsout.com

# Reference: https://twitter.com/ShadowChasing1/status/1396406910241316866
# Reference: https://www.virustotal.com/gui/ip-address/184.22.121.8/relations
# Reference: https://www.virustotal.com/gui/file/a7051dce028722fbadd198a9fd0481dd800f19b8ea35892d16f5d126d85d7e41/detection

ad-click.org
advclick.org
advuniverse.org
advworld.org

# Reference: https://twitter.com/ShadowChasing1/status/1396814490964873217
# Reference: https://www.virustotal.com/gui/file/8398b5f4654ca42b096d97e7151cf0c37ace65ea1584896218b49c99ef2910d4/detection

afflaf.com
azure-cld.com
azure-ns.com
ibm-hqr.com
microsft-ds.com
office-msf.com
printer-msdc.com
quanatomedia.com
steam-gaming.com

# Reference: https://twitter.com/ShadowChasing1/status/1399697694491254798
# Reference: https://twitter.com/z0ul_/status/1399717925834088462
# Reference: https://www.virustotal.com/gui/file/bc203f44b48c9136786891be153311c37ce74ceb7eb540d515032c152f5eb2fb/detection

amzn-services.com
applecloudnz.com
oauth-azure.com
oautho.com
orbiz.me

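# Generic (URL path and query-string patterns, not domains)
# Note: these patterns are short and not tied to a host; corroborate a match with the domain indicators above before treating it as confirmed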

/c?v=1&u=
/c?v=2&u=
/c?v=3&u=
/c?v=4&u=
/c?v=5&u=
/c?v=6&u=
/c?v=7&u=
/c?v=8&u=
/c?v=9&u=
