# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: FunnyDream, PrevailionKnows, Spyder

# Reference: https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/

api.goallbandungtravel.com
bugcheck.xigncodeservice.com
dump.gxxservice.com
nw.infestexe.com
checkin.travelsanignacio.com
/Common/Lib/Common_bsod.php
/Common/Lib/Common_Include.php

# Reference: https://www.symantec.com/security-center/writeup/2011-102716-2809-99

lp.apanku.com
ad.jcrsoft.com
rh.jcrsoft.com
bot.timewalk.me
b0t.meibu.com

# Reference: https://securelist.com/winnti-more-than-just-a-game/37029/

jp.xxoo.co
kr.xxoo.co
us.nhntech.com
newpic.dyndns.tv
lp.zzsoft.info
ru.gcgame.info
update.ddns.net
lp.gasoft.us
kr.jcrsoft.com
nd.jcrsoft.com
eya.jcrsoft.com
wm.ibm-support.net
cc.nexoncorp.us
ftpd.9966.org
fs.nhntech.com
kr.zzsoft.info
docs.nhnclass.com
as.cjinternet.us
wi.gcgame.info
rh.jcrsoft.com
ca.zzsoft.info
tcp.nhntech.com
wm.nhntech.com
sn.jcrsoft.com
ka.jcrsoft.com
wm.myxxoo.com
lp.apanku.com
my.zzsoft.info
ka.zzsoft.info
sshd.8866.org
jp.jcrsoft.com
ad.jcrsoft.com
ftpd.6600.org
su.cjinternet.us
my.gasoft.us
tcpiah.googleclick.net
vn.gcgame.info
rss.6600.org
ap.nhntech.com

# Reference: https://medium.com/@Sebdraven/winnti-uses-the-rtf-exploit-8-t-too-targets-vietnam-13300d432272
# Reference: https://securelist.com/apt-trends-report-q1-2020/96826/
# Reference: https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf (# FunnyDream, PrevailionKnows)
# Reference: https://twitter.com/500mk500/status/1328763000094924800
# Reference: https://otx.alienvault.com/pulse/5d3754868fc025df351b747e
# Reference: https://www.virustotal.com/gui/ip-address/58.64.184.209/relations
# Reference: https://www.virustotal.com/gui/file/a3f74b03b2b070c11b95515f7d12afc4021b8e680bd718f42313378bd049ce14/detection
# Reference: https://www.virustotal.com/gui/file/32cabf2952f88283251c36751e04a45bfa78cdb0835460619d4812b882795c03/detection
# Reference: https://www.virustotal.com/gui/file/feaba29072531b312e3bd0152b9c17c48901db7c8d31019944e453ca9b1572e2/detection

103.133.139.25:80
103.251.237.94:18198
154.216.2.135:80
154.220.2.235:80
58.64.184.147:80
58.64.184.201:80
58.64.184.203:443
58.64.184.203:80
58.64.184.209:80
58.64.209.83:443
58.64.209.83:8888
bitupdating.com
bkavutil.com
eofficeupdate.com
eofficeupdating.com
goog1eupdate.com
iatupdate.com
igfxpers.com
igfxsrvc.com
iumsvc.com
ksdeui.com
ksdeupdate.com
leapconfig.com
mdnsresponder.com
mfaupdate.com
mfaupdating.com
msseces.com
nissrv.com
osppsvc.com
realteke.com
unikeyupdate.com
unikeyupdating.com
updateui.com
winserverupdate.com
wmiprvse.com
ws2008update.com

# Reference: https://twitter.com/daphiel/status/1162875379872387075

google-searching.com

# Reference: https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf
# Reference: https://otx.alienvault.com/pulse/5da4528788ac7149ce4894b7

dns1-1.7release.com
ssl.dyn-dns.co
ssl.dyn-dns.com
svn-dns.ahnlabinc.com
xp101.dyn-dns.co
xp101.dyn-dns.com

# Reference: https://www.verfassungsschutz.de/de/oeffentlichkeitsarbeit/publikationen/pb-cyberabwehr/broschuere-2019-12-bfv-cyber-brief-2019-01
# Reference: https://twitter.com/hatr/status/1202870566413357056
# Reference: https://otx.alienvault.com/pulse/5dea7c18581fca35d1977514
# Reference: https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/

dick.mooo.com

# Reference: https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
# Reference: https://otx.alienvault.com/pulse/5e3404fe524c3e16fa0d416c

dnslookup.services
livehost.live

# Reference: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
# Reference: https://otx.alienvault.com/pulse/5e4bbe896e6393eb79a1d2c9

185.173.92.141:33579
35.220.232.71:53
35.220.232.71:554
45.77.41.49:53
45.77.41.49:500
45.77.41.49:80
betwln520.com
dropboxbeta.com
facebooknavigation.com
googldevice.com
googlerenewals.net
ipv4-cisco.com
kkxx888666.com
microsoftbetastore.com
mircosofdevice.com
microsoftdnsdown.com
microsoftdnsupdate.com
pwdump.ac
safedog.co
shopingchina.net
updatesrvers.org

# Reference: https://twitter.com/cci_forensics/status/1230686753083707393
# Reference: https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/

139.28.37.102:443
185.161.208.28:443
185.161.209.234:53
185.161.211.188:53
185.161.211.97:443
185.236.78.15:443
185.236.78.28:443
80.82.67.6:443
91.235.128.90:443

# Reference: https://twitter.com/Sebdraven/status/1239853425594155008
# Reference: https://app.any.run/tasks/7c8751cc-15d5-48dd-a2bb-63299b459f06/
# Reference: https://otx.alienvault.com/pulse/5e70b90b7001067032f079b9

45.76.218.232:3010
brands.newst.dnsabr.com
exp100.strangled.net
ru.mst.dns-cloud.net
ux6p.strangled.net

# Reference: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ (# PipeMon)

n8.ahnlabinc.com
owa.ahnlabinc.com
ssl2.ahnlabinc.com
www2.dyn.tracker.com
ssl2.dyn-tracker.com
client.gnisoft.com
nmn.nhndesk.com

# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/shadowpad-novaya-aktivnost-gruppirovki-winnti/ (Russian, # Python Backdoor and # Related Domains chapters)
# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 1)

agent.my-homeip.net
alombok.yourtrap.com
application.dns04.com
arjuna.dynamicdns.biz
arjuna.serveusers.com
artoriapendragon.itemdb.com
asagamifujino.dns05.com
backup.myftp.info
billythekid.x24hr.com
bluecat.mefound.com
bradamante.longmusic.com
cindustry.faqserv.com
cuchulainn.mrbonus.com
daum.pop-corps.com
daum.xxuz.com
david.got-game.org
depth.toh.info
describe.toh.info
developman.ocry.com
dnsdhcp.dhcp.biz
economics.onemore1m.com
ecoronavirus.almostmy.com
email_gov_mn.pop-corps.com
ereshkigal.longmusic.com
eshown.itemdb.com
facebook2us.dynamic-dns.net
facegooglebook.mrbasic.com
fackb00k2us.dynamic-dns.net
fergusmacroich.ddns.info
fornex.uacmoscow.com
frankenstein.compress.to
free2015.longmusic.com
freedomain.otzo.com
freemusic.xxuz.com
freemusic.zzux.com
gaiusjuliuscaesar.dynamicdns.biz
ggpage.jetos.com
gkonsultan.mrslove.com
gmarket.system-ns.org
goog1e_kr.dns04.com
googlewizard.ocry.com
hardenvscurry.my-router.de
help.kavlabonline.com
hosenw.ns02.info
host.adobe-online.com
hpcloud.dynserv.org
ibarakidoji.mrbasic.com
indian.authorizeddns.us
inthefa.bigmoney.biz
jaguarman.longmusic.com
jeannedarcarcher.zyns.com
letstweet.toh.info
lezone.jetos.com
likeme.myddns.com
medusa.americanunfinished.com
microsoft-update.pop-corps.com
microsoft_update.pop-corps.com
modibest.sytes.net
movie2016.zzux.com
msdn.ezua.com
myflbook.myz.info
mynews.myftp.biz
nadvocacy.mrbasic.com
nikolatesla.x24hr.com
nmbthg.com
notepc.ezua.com
npomail.ocry.com
nthere.ourhobby.com
ntripoli.www1.biz
odanobunaga.dns04.com
officescan_update.mypop3.org
point.linkpc.net
pop-corps.com
program.ddns.info
rama.longmusic.com
redfish.misecure.com
regulations.vizvaz.com
robinhood.longmusic.com
server.serveusers.com
serviceonline.otzo.com
siegfried.dynamic-dns.net
stade653.dns04.com
thebatfixed.zyns.com
tunnel.itsaol.com
uacmoscow.com
update.wmiprvse.com
videoservice.dnset.com
waswides.isasecret.com
webhost.2waky.com
webmail_gov_mn.pop-corps.com
xindex.ocry.com
yandex.mrface.com
yandex.pop-corps.com
yandex2unitedstated.2waky.com
yandex2us.dns04.com

# Reference: https://twitter.com/IntezerLabs/status/1308740144120213506
# Reference: https://www.virustotal.com/gui/file/6a9f16440b9319f427825bb12d7a0cda89b101cf7b8b15ec7dd620b4d68db514/detection
# Reference: https://www.virustotal.com/gui/file/ae5c7cfd8bbfb38b38772083bae721c77ac5698b2339148605e46756f0619da0/detection

a.sqlyon.net
a.sqlyon.com
a.bingtok.com
bingtok.com
sqlyon.com
sqlyon.net

# Reference: https://github.com/DoctorWebLtd/malware-iocs/blob/master/APT_Spyder/README.adoc
# Reference: https://www.virustotal.com/gui/domain/koran.junlper.com/relations
# Reference: https://www.virustotal.com/gui/file/4cfb1243e8b9e64424f3de3d2144ee512dadd07ba921e0ced38e58e836347c7e/detection

sidc.everywebsite.us
snoc.hostingupdate.club
wntc.livehost.live
hccadkml89.dnslookup.services
koran.junlper.com
nted.tg9f6zwkx.icu
sidcfpprx14.in.ril.com
sidcfpprx01.in.ril.com
sidcfpprx25.in.ril.com
sidcfpprx10.in.ril.com
everywebsite.us
hostingupdate.club
livehost.live
junlper.com
tg9f6zwkx.icu
