# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: ta407, silent librarian, mabna institute, cobalt dickens

# Reference: https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities
# Reference: https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again
# Reference: https://otx.alienvault.com/pulse/5d78eaf37b37c503fb07d45a
# Reference: https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian
# Reference: https://otx.alienvault.com/pulse/5da4a7ab756627fcce84efcc

1edu.in
aill.cf
aill.nl
anvc.me
atll.tk
atna.cf
atti.cf
azll.cf
azll.tk
azlll.cf
aztt.tk
blibo.ga
cave.gq
ccli.cf
cill.ml
clll.cf
clll.nl
clll.tk
cllt.cf
cllt.tk
cnen.cf
cnma.cf
cntt.cf
crll.tk
csll.cf
ctll.tk
cvnc.ga
cvve.cf
czll.tk
cztt.tk
e-library.me
ebookfafa.com
eduv.icu
eill.cf
eill.ga
eill.nl
elll.cf
erta.ca
etll.cf
euca.cf
euce.in
euve.tk
ezll.tk
ezplog.in
ezproxy.tk
eztt.tk
fill.cf
flil.cf
flll.cf
iell.tk
ill.pro
illl.cf
ills.cf
itll.tk
iull.tk
izll.tk
jhbn.me
jlll.cf
lett.cf
lib-service.com
lib1.bid
lib1.pw
liba.gq
libb.ga
libdo.cf
libe.cf
libe.ga
libe.ml
libf.ga
libg.cf
libg.ga
libg.gq
libg.tk
libk.ga
libloan.xyz
libm.ga
libn.gq
libnicinfo.xyz
librarylog.in
libraryme.ir
librt.ml
libt.ga
libt.ml
libu.gq
libv.ml
libver.ml
libw.gq
lill.gq
lill.pro
llbt.tk
llib.cf
llib.ga
llic.cf
llic.tk
llif.cf
llii.cf
llii.xyz
llil.cf
llil.nl
llit.cf
llit.site
lliv.nl
lliv.tk
lliz.cf
lllf.nl
llli.cf
llli.nl
lllib.cf
lllt.cf
llse.cf
lzll.cf
mlib.cf
mlibo.ml
ncce.cf
ncll.tk
ncnc.cf
nctt.tk
necr.ga
nicn.gq
nika.ga
nimc.cf
nimc.ga
nimc.ml
nlib.ml
nlll.cf
nlll.tk
nsae.ml
ntil.cf
ntll.cf
ntll.tk
nuec.cf
nuec.ml
rill.cf
rnva.cf
rtll.tk
rvna.cf
savantaz.cf
sctt.cf
shibboleth.link
sitl.tk
sitt.cf
slli.cf
ssll.cf
stll.tk
till.cf
titt.cf
tlit.cf
tlll.cf
tlll.tk
tsll.cf
ttil.nl
ttit.cf
ttll.cf
uill.cf
uitt.tk
ulibe.ml
ulibr.ga
ulll.cf
ulll.tk
umlib.ml
umll.tk
uncr.me
uni-lb.com
unie.ga
unie.gq
unie.ml
unin.icu
unip.cf
unip.ga
unip.gq
unip.ml
unir.cf
unir.ga
unir.gq
unir.ml
unisv.xyz
univ.red
unll.tk
untc.ir
untc.me
untf.me
unts.me
unvc.me
utll.tk
venc.cf
visc.cf
vsre.cf
vtll.cf
web2lib.info
xill.cf
xill.tk
zedviros.ir
zill.cf
zlll.tk

# Reference: https://twitter.com/peterkruse/status/1312826103388667904
# Reference: https://www.virustotal.com/gui/ip-address/104.152.168.47/relations

idp3.it.gu.se.itlf.cf
login.ki.se.iftl.tk
raven.cam.ac.uk.iftl.tk
shib.york.ac.uk.iftl.tk
shibboleth.mcgill.ca.iftl.tk
sso.id.kent.ac.uk.iftl.tk
sso.acu.edu.au.itlib.me
itlf.cf
iftl.tk

# Reference: https://twitter.com/peterkruse/status/1312819332318146561
# Reference: https://twitter.com/peterkruse/status/1315556534546558977

cas.thm.de.itlib.me
cas.thm.de.servisedesk.me
itlib.me
servisedesk.me

# Reference: https://twitter.com/peterkruse/status/1313029599048208386

ntulearn.ntu.ninu.me
ninu.me

# Reference: https://twitter.com/cybershtuff/status/1315574181493444613

canvas.bham.vueu.me
owl.uwo.vueu.me
vueu.me

# Reference: https://twitter.com/ShadowChasing1/status/1315855394506330113

library.acu.edu.au.libit.me
libit.me

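# Reference: https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/
# Note: the hostnames in this block put the name of a university login, library or e-learning portal in front of a listed domain; the last two labels are the registrable domain, and most of those parents are listed on their own at the end of the block or in earlier blocks.
# Note: eight hostnames in this block repeat entries from earlier blocks (the five iftl.tk hosts, idp3.it.gu.se.itlf.cf, ntulearn.ntu.ninu.me and cas.thm.de.itlib.me).
# Note: login.libproxy.kcl.ac.uk.itlt.tk is the only hostname in this file whose parent domain has no standalone entry; confirm whether the parent was left out on purpose.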

library.adelaide.crev.me
signon.adelaide.edu.au.itlib.me
blackboard.gcal.crev.me
blackboard.stonybrook.ernn.me
blackboard.stonybrook.nrni.me
namidp.services.uu.nl.itlib.me
uu.blackboard.rres.me
librarysso.vu.cvrr.me
ole.bris.crir.me
idpz.utorauth.utoronto.ca.itlf.cf
raven.cam.ac.uk.iftl.tk
login.ki.se.iftl.tk
shib.york.ac.uk.iftl.tk
sso.id.kent.ac.uk.iftl.tk
idp3.it.gu.se.itlf.cf
login.proxy1.lib.uwo.ca.sftt.cf
login.libproxy.kcl.ac.uk.itlt.tk
idcheck2.qmul.ac.uk.sftt.cf
lms.latrobe.aroe.me
ntulearn.ntu.ninu.me
adfs.lincoln.ac.uk.itlib.me
cas.thm.de.itlib.me
libproxy.library.unt.edu.itlib.me
shibboleth.mcgill.ca.iftl.tk
vle.cam.ac.uk.canm.me
aroe.me
canm.me
crev.me
crir.me
cvrr.me
ernn.me
nrni.me
rres.me
sftt.cf

# Reference: https://twitter.com/ViriBack/status/1317216042263941120

blackboard.usc.caer.me
elearn.cuhk.caer.me
moodle.uni-ulm.caer.me
sierra-sso.aut.caer.me
caer.me
