# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: shadowhammer, shadowpad, apt41, apt-c-41, double dragon, lowkey, AXIOMATICASYMPTOTE, RedEcho

# Reference: https://securelist.com/operation-shadowhammer/89992/

asushotfix.com

# Reference: https://twitter.com/ydklijnsma/status/1110220766778286080
# Reference: https://twitter.com/ydklijnsma/status/1110189880313692160

homeabcd.com
simplexoj.com

# Reference: https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

103.19.3.17:443
103.19.3.43:443
103.19.3.44:443
103.19.3.44:1194
117.16.142.9:443
23.236.77.175:443
23.236.77.177:443
infestexe.com

# Reference: https://content.fireeye.com/apt-41/rpt-apt41
# Reference: https://otx.alienvault.com/pulse/5d4ae9f31ae8a479422a17ab

agegamepay.com
ageofwuxia.com
ageofwuxia.info
ageofwuxia.net
ageofwuxia.org
bugcheck.xigncodeservice.com
byeserver.com
dnsgogle.com
gamewushu.com
gxxservice.com
ibmupdate.com
infestexe.com
kasparsky.net
linux-update.net
macfee.ga
micros0ff.com
micros0tf.com
notped.com
operatingbox.com
paniesx.com
serverbye.com
sexyjapan.ddns.info
symanteclabs.com
techniciantext.com
win7update.net

# Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
# Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations

http://67.229.97.229
67.229.97.229:5985
67.229.97.229:9999

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html
# Reference: https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/
# Reference: https://otx.alienvault.com/pulse/5da5eaab4516e8056a6d59fb

checkin.travelsanignacio.com

# Reference: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
# Reference: https://otx.alienvault.com/pulse/5e7b4a11d552fbcfce6c314d
# Reference: https://twitter.com/sysgoblin/status/1237054973579583489 (# CVE-2020-10189)

http://66.42.98.220
http://91.208.184.78
66.42.98.220:12345
74.82.201.8:12345
91.208.184.78:443
accounts.longmusic.com
dylerays.tk
exchange.dumb1.com

# Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/
# Reference: https://otx.alienvault.com/pulse/5e95c0d3d12068d29f538338
# Reference: https://www.virustotal.com/gui/ip-address/66.42.98.220/relations

http://66.42.98.220
66.42.98.220:12345
119.28.139.20:443
alibaba.zzux.com
exchange.longmusic.com

# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/shadowpad-novaya-aktivnost-gruppirovki-winnti/ (Russian, # ShadowPad IOC)

ertufg.com
filename.onedumb.com
info.kavlabonline.com
ncdle.net
trendupdate.dns05.com
ttareyice.jkub.com
unaecry.zzux.com
yandex2unitedstated.dns04.com

# Reference: https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html
# Reference: https://otx.alienvault.com/pulse/5f650a34fabdf2c7bf7a7616

http://104.233.224.227

# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 2)

ashcrack.freetcp.com
heatidc.com
infrast.ygto.com
notify.serveuser.com
platform.freetcp.com
reply.ygto.com
tripmerry.com

# Reference: https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf

arestc.net
icefirebest.com
mongolv.com
pneword.net

# Reference: https://blog.macnica.net/blog/2020/11/dtrack.html
# Reference: https://otx.alienvault.com/pulse/5fc12f0ec26699f8ccd97838

mail.gietriangle.org/public/src3.png
tastygoodness.net
ussainc.org

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
# Reference: https://otx.alienvault.com/pulse/603d0dcc0a0f44e375d16c62/

escanavupdate.club
indrails.com
ixrails.com
ntpc-co.com
pandorarve.com
ptciocl.com
ubuntumax.com
websencl.com
indianrailway.hopto.org
indrra.ddns.net
inraja.ddns.net
modibest.sytes.net
railway.sytes.net
railways.hopto.org
astudycarsceu.net
indiasunsung.com
shipcardonlinehelp.com
smartdevoe.com

# Reference: https://blog.group-ib.com/colunmtk_apt41
# Reference: https://otx.alienvault.com/pulse/60c34510bd6707ce53355efc

colunm.tk
cs.colunm.tk
ns1.colunm.tk
ns2.colunm.tk
service.dns22.ml
server04.dns04.com
service04.dns04.com

# Reference: https://content.fireeye.com/apt41-jp/rpt-apt41-jp
# Reference: https://otx.alienvault.com/pulse/610cf675620c3a10851e62d0

backdoor.apt.photo

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/BB_APT41.json

isbigfish.xyz

# Reference: https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

dbhubspi.com
glbaitech.com
kinopoisksu.com
necemarket.com
dev.kinopoisksu.com
holdmem.dbhubspi.com
m.necemarket.com
mb.glbaitech.com
ns.glbaitech.com
st.kinopoisksu.com

# Reference: https://www.mandiant.com/resources/apt41-us-state-governments

milli-seconds.com
queryip.cf
time12.cf
viewdns.ml
winsproxy.com
work.viewdns.ml
workers.viewdns.ml
work.queryip.cf
cdn.ns.time12.cf
east.winsproxy.com
afdentry.workstation.eu.org
ns1.entrydns.eu.org
subnet.milli-seconds.com

# Reference: https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41
# Reference: https://otx.alienvault.com/pulse/615da9a8e2c277e1749757c3

assistcustody.xyz
chaindefend.bid
defendchain.xyz
isbigfish.xyz
mircosoftdoc.com
zalofilescdn.com
microsoftbooks.dns-dns.com
ns.mircosoftdoc.com

# Reference: https://www.mandiant.com/resources/apt41-us-state-governments

down-flash.com
microsoftfile.com
libxqagv.ns.dns3.cf

# Reference: https://www.mandiant.com/resources/mobileiron-log4shell-exploitation
# Reference: https://otx.alienvault.com/pulse/6244606893ddbc9a6a5bbdeb
# Reference: https://www.virustotal.com/gui/file/fb091547c42fcd5917283b3a79ee86e7388d57789327289d6d357e71ae28ddff/detection

103.224.80.44:8080
103.242.133.48:44322
103.242.133.48:8085
198.13.40.130:2222
note.down-flash.com
111111.note.down-flash.com
2f2640fb.dns.1433.eu.org
335b5282.dns.1433.eu.org
d5922235.dns.1433.eu.org

# Reference: https://twitter.com/0xrb/status/1509396448387153920
# Reference: https://www.virustotal.com/gui/file/536def339fefa0c259cf34f809393322cdece06fc4f2b37f06136375b073dff3/detection

43.129.188.223:10333
longlifetrump.com

# Reference: https://otx.alienvault.com/pulse/624ff0af271429d152b5a27e

greatsong.soundcast.me
supermarket.ownip.net
supership.dynv6.net

# Reference: https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf
# Reference: https://otx.alienvault.com/pulse/613b110f3e005c40fe57317d

dns224.com
mssetting.com
twitterproxy.com
microsofthelp.dns1.us
ns.cloud01.tk
ns.cloud20.tk
ns1.extrsports.ru

# Reference: https://twitter.com/AltShiftPrtScn/status/1519840040637157378
# Reference: https://www.virustotal.com/gui/file/d2d927e7cdb804c416e70e41290453a7902420894b5cb17fdb688e9ee7943b13/detection

138.68.61.82:444

# Reference: https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/
# Reference: https://otx.alienvault.com/pulse/6270f28cc2cfb0f83fe7b211

farisrezky.com
freewula.strangled.net
gfsg.chickenkiller.com
greenhugeman.dns04.com
pic.farisrezky.com
szuunet.strangled.net
final.staticd.dynamic-dns.net
