# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: BumbleBee, Hisoka, Snugy, TriFive
# (tool names reported in the xHunt campaign write-ups referenced below)

# Reference: https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/
# Reference: https://github.com/pan-unit42/iocs/blob/master/xHunt/xHunt_IOCs.csv

google-update.com
learn-service.com
microsofte-update.com

# Reference: https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/
# Reference: https://twitter.com/Voulnet/status/1014951078364876801
# Reference: https://otx.alienvault.com/pulse/5da0d8dc27a2ad4cc8864283

firewallsupports.com
windows64x.com
winx64-microsoft.com
windows-updates.com

# Reference: https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/
# Reference: https://otx.alienvault.com/pulse/5fa97823e94863569cf1fdbe

sharepoint-web.com

# Reference: https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/
# Reference: https://otx.alienvault.com/pulse/5fa97823e94863569cf1fdbe

deman1.icu
hotsoft.icu
lidarcc.icu
uplearn.top

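# Reference: https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
# Reference: https://otx.alienvault.com/pulse/5ffcbc5b19a30849ecd2ab78
# Note: the IP:port entries in this group are point-in-time indicators; the addresses may since have been reassigned, so confirm a match against the references before acting on it.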

142.11.211.79:8080
142.11.211.79:8081
192.119.110.194:8083
91.92.109.59:1234
91.92.109.59:1255
91.92.109.59:1288
91.92.109.59:1289
backendloop.online
bestmg.info
windowsmicrosofte.online
