# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: artradownloader, splinter, TurtlePower

# Reference: https://github.com/pan-unit42/iocs/blob/master/bitter/iocs.csv

a.churchill91.com
aday.primeservices.mobi
aroundtheworld123.net
chinatel90.com
churchill91.com
confirm97.com
destiny91.com
font.jiangsuhost.com
frameworksupport.net
healthnewsone.com
hewle.kielsoservice.net
johnywalter.webatu.com
mappservworldvide.16mb.com
marvel89.com
marvellighter.com
medzone71.com
mob.wirelesssolutions.mobi
muzicwonder.com
nethosttalk.com
newmysticvision.com
nsiagenthoster.net
red5big.com
sound.muzicwonder.com
spring.tulipnetworks.net
sterling66.com
stingray91.com
styl.crrerc.com
styl.hairparker.com
thematrix.esy.es
thepandaservices.nsiagenthoster.net
tulipnetworks.net
victory1983.ddns.net
wills.hairparker.com
wingames2015.com
wirelesssolutions.mobi
woodwind71.com
xiovo416.net
zmwardrobe.com

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (Chinese)

khurram.com.pk
traxbin.com
wcnchost.ddns.net

# Reference: https://twitter.com/h4ckak/status/1147710998817542145

healthdevicetracker.co

# Reference: https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations
# Reference: https://cert.360.cn/report/detail?id=137867e159331b7a968aa45050502d13
# Reference: https://otx.alienvault.com/pulse/5d4d82f21a9bb34d2b0e65f7

btappclientsvc.net
cdaxpropsvc.net
v3solutions4all.com
v3solutions4all.org
wangluojiumingjingli.org
winmanagerservice.net
winmanagerservice.org

# Generic trails from https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
# Reference: https://www.virustotal.com/gui/file/aecfa3879cd68b3a2ab0771638c0d649b007cbb6f28dddb56af4fb740b8e25a5/detection

/ergdfbd/
/healthne/
/ourtyaz/
/RguhsT/
/ergdfbd/wscspl
/healthne/accept.php
/healthne/regdl
/ourtyaz/dwnack.php
/ourtyaz/qwe.php
/ourtyaz/qwf.php

# Reference: https://twitter.com/Timele9527/status/1169430987832344576

gongzuosousuo.net

# Reference: https://twitter.com/blackorbird/status/1169925232255090689

aroundtheworld123.net

# Reference: https://twitter.com/James_inthe_box/status/1166128688175300608
# Reference: https://twitter.com/MeltX0R/status/1170183286712340482
# Reference: https://meltx0r.github.io/tech/2019/09/06/bitter-apt-not-so-sweet.html
# Reference: https://twitter.com/Timele9527/status/1169785910881218560

biocons.pk
gandharaart.org
maq.com.pk
netnsiservice.net
onlinejohnline99.org
sartetextile.com
zhongwenchuantongqiye.com
/kvs06v.php
/lax05u.php
/Mcx2svc.php
/ms2u1p.php

# Reference: https://twitter.com/RedDrip7/status/1170988245561294850
# Reference: https://twitter.com/MeltX0R/status/1171245112082481153

blth32serv.net
w32infinitisupports.net

# Reference: https://twitter.com/blackorbird/status/1182479754965876737

wangluojiumingjingli.org

# Reference: https://twitter.com/James_inthe_box/status/1183927764778274816

lmhostsvc.net

# Reference: https://twitter.com/blackorbird/status/1187662590224191489

nethostsupport.ddns.net
sysintservice.ddns.net

# Reference: https://twitter.com/ccxsaber/status/1192326844529422337

tvnservereventlog.net

# Reference: https://twitter.com/Timele9527/status/1201477767352553472
# Reference: https://twitter.com/Timele9527/status/1201477848852090881
# Reference: https://twitter.com/Timele9527/status/1201477876236701696

cloud-storage-service.com
kerbosim.com
noitfication-office-client.890m.com
office360-pub.16mb.com
quartzu.hol.es

# Reference: https://twitter.com/Rmy_Reserve/status/1224289465872502789

wbclientservice.ddns.net

# Reference: https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf

activemobistore.ddns.net
cbyxhuxo663.ddns.net
flashnewsservice.org
wdibitmapservice.net

# Reference: https://twitter.com/ShadowChasing1/status/1256036038331387904
# Reference: https://twitter.com/ShadowChasing1/status/1305879886473474048
# Reference: https://twitter.com/_re_fox/status/1305925337004601345

http://162.0.229.203
camncryptsvc.net
/RguhsT/
/RguhsT/accept.php

# Reference: https://twitter.com/MeltX0R/status/1258870289066319872
# Reference: https://www.virustotal.com/gui/ip-address/63.250.38.240/relations

http://63.250.38.240

# Reference: https://twitter.com/ccxsaber/status/1273442309816770560

usmservice.net

# Reference: https://twitter.com/Timele9527/status/1280315854094123008

liveways.pk

# Reference: https://twitter.com/Timele9527/status/1277843761318354944

mia.alkhaleejpk.info
tusdec.org.pk/ee
uniengrisb.com/img/rt.msi

# Reference: https://twitter.com/blackorbird/status/1295265067173163010
# Reference: https://twitter.com/ShadowChasing1/status/1303628547366350848
# Reference: https://twitter.com/ShadowChasing1/status/1306422911972958210
# Reference: https://twitter.com/Des00464472/status/1348964050076540928
# Reference: https://www.virustotal.com/gui/file/f45590dbb07e6a506c19f62b3f23b17a1aefbb6d8287f94a74c3ea707e6f4736/detection
# Reference: https://www.virustotal.com/gui/file/2ba30469c3cbe13aa02073ae6c48114d2902450c3745857946b30d811eff6e6d/detection

livevideosonlinepk.com
box.livevideosonlinepk.com
/RsdvgiMincSnyYu/
/tstRsdvgiMincSnyYutsphp/
/tstRsdvgiMincSnyYutspph/
/PerHyPfilbmiw1.php
/PerHyPfilbmiw2.php
/tstPerHyPfilbmiw1.php
/tstPerHyPfilbmiwts2t.php
/RsdvgiMincSnyYu/PerHyPfilbmiw1.php
/RsdvgiMincSnyYu/PerHyPfilbmiw2.php
/tstRsdvgiMincSnyYutsphp/tstPerHyPfilbmiw1.php
/tstRsdvgiMincSnyYutsphp/tstPerHyPfilbmiwts2t.php
/tstRsdvgiMincSnyYutspph/tstPerHyPfilbmiw1.php
/tstRsdvgiMincSnyYutspph/tstPerHyPfilbmiwts2t.php

# Reference: https://twitter.com/HONKONE_K/status/1297829657568407554
# Reference: https://www.virustotal.com/gui/file/0ce047bb77073990a8810f8d6f178dc0d4fc5257603790f80d3d84b0b2405a6c/detection
# Reference: https://www.virustotal.com/gui/file/ced29451faed4f5dfa9ce80e35469e3573a89f848d5a7f5b087ee62a62f5f89a/detection

oppak.com/one/opa
oppak.com/one/eths

# Reference: https://twitter.com/_re_fox/status/1301887287765225477
# Reference: https://twitter.com/ShadowChasing1/status/1304017919655858177
# Reference: https://app.any.run/tasks/383a15aa-63b0-48ee-9a90-2cb64da9134f/

jgcest.com/css/

# Reference: https://twitter.com/ShadowChasing1/status/1306858164277526528

alkhaleejpk.info
/PsehestyvuPw/F1l3estPhPInf1.php
/PsehestyvuPw/
/F1l3estPhPInf1.php
/F1l3estPhPInf2.php

# Reference: https://ti.qianxin.com/blog/articles/Blocking-APT:-Qianxin's-QOWL-Engine-Defeats-Bitter's-Targeted-Attack-on-Domestic-Government-and-Enterprises/
# Reference: https://otx.alienvault.com/pulse/5fd7a716e178ff014c630ecb
# Reference: https://www.virustotal.com/gui/file/6cb0c0a2f89d1e82653d2b0dd1389007543616d11f0709ff194a4db2d36865f7/detection
# Reference: https://www.virustotal.com/gui/file/820ab2458839688369906cee2a4c08b4694e2bddcb187358ce575e5d2063515e/behavior
# Reference: https://www.virustotal.com/gui/file/efeaadaa53ec033d224b58be109c0f5fde12c8775fc5603f51efa8e23bcd6fb2/detection

http://162.0.229.203
http://72.11.134.216
http://82.221.136.27
107.173.63.218:58370
pichostfrm.net

# Reference: https://twitter.com/ShadowChasing1/status/1356412596430233603
# Reference: https://twitter.com/_re_fox/status/1301887287765225477
# Reference: https://app.any.run/tasks/383a15aa-63b0-48ee-9a90-2cb64da9134f/
# Reference: https://www.virustotal.com/gui/file/c2131a3906d97b5d7d697d16de15a8f704db1e6e4a8d3d7316c784d45716cffc/detection

vdsappauthservice.net
/taskshandlers/DBhandle/primary_main.php
/taskshandlers/DBhandle/secondary.php

# Reference: https://twitter.com/ShadowChasing1/status/1375227175226368006
# Reference: https://www.virustotal.com/gui/file/e07e8cbeeddc60697cc6fdb5314bd3abb748e3ac5347ff108fef9eab2f5c89b8/detection

snsrsvchost.com

# Reference: https://twitter.com/ShadowChasing1/status/1408579870230126592
# Reference: https://twitter.com/malwrhunterteam/status/1408491293207154696

mail-mfa-gov-cn-login.netlify.app

# Reference: https://twitter.com/ShadowChasing1/status/1408579947417927687

yuruhjforonjoigrvnbnrgoigoigoisannvmvnfnmkfd7.000webhostapp.com

# Reference: https://cloud.tencent.com/developer/article/1826900
# Reference: https://twitter.com/AnonySecAgency/status/1423510463212523521
# Reference: https://www.virustotal.com/gui/file/1ac7f4cee8b614359cb0997c1934e8b2e4cab0bbfddfa84bedb6d1b2f55e26f3/detection

gxwxtvonline.com
otx.gxwxtvonline.com
/OtPefhePbvw/datarcvoninfile.php
/OtPefhePbvw/nnodata3inf.php
/OtPefhePbvw/onlinedata1inf.php
/OtPefhePbvw/
/datarcvoninfile.php
/nnodata3inf.php
/onlinedata1inf.php

# Reference: https://ti.qianxin.com/blog/articles/%22operation-magichm%22:CHM-file-release-and-subsequent-operation-of-BITTER-organization/ (Chinese)

http://193.142.58.186
45.11.19.170:34318
bheragreens.com
msisspsvc.net
myprivatehostsvc.com
sartetextile.com
svc2mcxwave.net
w32timeslicesvc.net
wdisvcnotifyhost.com
webmailcgwip.com
windiagnosticsvc.net
youxiangxiezhu.com
/n9brCs21/
/n9brCs21/apprun
/UihbywscTZ/45Ugty845nv7rt.php
/UihbywscTZ/
/45Ugty845nv7rt.php

# Reference: https://twitter.com/ShadowChasing1/status/1438706652522303489
# Reference: https://www.virustotal.com/gui/file/a169156b0d307ca978d722cafbd3bc1d04c94e55f71bc9d16ba6fabb8140be83/detection

olmajhnservice.com

# Reference: https://twitter.com/HONKONE_K/status/1464090084349669382
# Reference: https://www.virustotal.com/gui/file/528c6bf7c0c32be26bc1e32df73fed73ca7312e1b6fdb2ca20d5f0c157b02256/detection
# Reference: https://www.virustotal.com/gui/file/499bf98bef84eeff781828932b16747a5aa03d3f70e15aabf4718cccd20a51a5/detection

snsrsvchost.net

# Reference: https://twitter.com/RedDrip7/status/1468420250245136390
# Reference: https://twitter.com/kyleehmke/status/1510958302800318467
# Reference: https://www.virustotal.com/gui/ip-address/172.93.201.143/relations
# Reference: https://www.virustotal.com/gui/file/25aeec4c58f740c62664c757987902981c9676d0f58f9337f852fa9dd8a874d9

msofficeupdates.ddns.net
windowtemplates.info

# Reference: https://twitter.com/ShadowChasing1/status/1474005551818313729
# Reference: https://www.virustotal.com/gui/file/6b475078aca28ef7c8b162065b562e61670aceea1602715f53d64d81e7023a2a/detection

epapbuizhost.net

# Reference: https://twitter.com/ShadowChasing1/status/1478259210110775297
# Reference: https://www.virustotal.com/gui/file/9a8b201eb2bebe309d15c7b0ab5a6dcde460b84b035bb3575d4a0ec6af51a37e/detection

tomcruefrshsvc.com
sbss.com.pk
cpcalendars.tomcruefrshsvc.com
cpcontacts.tomcruefrshsvc.com
mail.tomcruefrshsvc.com
subscribe.tomcruefrshsvc.com
viewz.tomcruefrshsvc.com
webdisk.tomcruefrshsvc.com
webmail.tomcruefrshsvc.com
/VcvNbtgRrPopqSD/SzWvcxuer/userlog.php
/VcvNbtgRrPopqSD/SzWvcxuer/
/VcvNbtgRrPopqSD/
/SzWvcxuer/

# Reference: https://twitter.com/ShadowChasing1/status/1479641732169932801
# Reference: https://www.virustotal.com/gui/file/f7ed5eec6d1869498f2fca8f989125326b2d8cee8dcacf3bc9315ae7566963db/detection

slrpnlcontrlintrface.com

# Reference: https://twitter.com/ShadowChasing1/status/1480193191299084288

autodefragapp.com
care.autodefragapp.com
evert.autodefragapp.com
helpdesk.autodefragapp.com
mail.autodefragapp.com
newdesk.autodefragapp.com
support.autodefragapp.com

# Reference: https://twitter.com/ShadowChasing1/status/1480853604609126403
# Reference: https://www.virustotal.com/gui/file/4e0824b6c9c4e53a7caeda78c8b60bf1dc20670e58955ad1e2e9f89fdf22029c/detection

gpcpsvclog.net

# Reference: https://www.virustotal.com/gui/file/1b60ef6900dc790f2565e4fd27b14742ed6bec53252e3b142f0af6a246d94837/detection

comnmsgwrapsvc.net
/jsprc.php?h=

# Reference: https://twitter.com/k3yp0d/status/1490994886338027527
# Reference: https://www.virustotal.com/gui/file/15a58d7223761f8386c902ae2d55a1313b4744e543f8f228851d0376dce721fe/detection

/dFFrt3856ByutTs/xnb/data1.php
/dFFrt3856ByutTs/

# Reference: https://twitter.com/RedDrip7/status/1493905786354892801
# Reference: https://www.virustotal.com/gui/file/a4afaa41383f447d96d0ebb1e2e50721af080e951d40754a836215fb2c3f0660/detection

45.86.163.212:49920
snapsvcvirtual.net

# Reference: https://twitter.com/h2jazi/status/1499501002743062539
# Reference: https://www.virustotal.com/gui/file/eaa013b863bda3bd76c6f6073cc304002d1a9f317c8fba9c362534aff7dd1b0b/detection

diyefosterfeeds.com

# Reference: https://www.virustotal.com/gui/file/34182232200718be91a1b683112f8e44c1ee75bf3b11e2c055de68d990e0dd92/detection

http://45.11.19.170

# Reference: https://twitter.com/h2jazi/status/1509636768504717313
# Reference: https://www.virustotal.com/gui/file/9fca7eeb6a7c3591492ddb7693b9d7b2349acc3240cc46710f91fb79d8a8deb6/detection

coerciondigital.com

# Reference: https://twitter.com/GGGGh0st/status/1512002541370097664
# Reference: https://www.virustotal.com/gui/file/195682cc8a6318d3eb2af83faaff76dc925e3e382b13729b9e03cf6d8f5435b0/detection

lltdifslogsvc.net

# Reference: https://twitter.com/blackorbird/status/1520688352286052352

zhaodaolajiankang.com

# Reference: https://twitter.com/ShadowChasing1/status/1521401317360513025
# Reference: https://www.virustotal.com/gui/file/a979c76afd0e9d2e135ca64a215e1af270222d059d806e7028022060e8cbe72c/detection

193.142.58.38:34905

# Reference: https://twitter.com/SethKingHi/status/1522867750481408001
# Reference: https://www.virustotal.com/gui/file/14986da600df26fdb4e435cf01b6be4e5fffcc001059609070a2de701496bdde/detection

wmbwowxsvc.com

# Reference: https://twitter.com/SethKingHi/status/1523592393249136640
# Reference: https://www.virustotal.com/gui/file/471b384ca81a9d804992d4e4693ab3d42d419a2e2690ebb146671407fe0809d8/detection

levarisnetqlsvc.net

# Reference: https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html

185.141.25.244:33324
urocakpmpanel.com
/updateReqServ10893x.php

# Reference: https://twitter.com/k3yp0d/status/1525508775980957698
# Reference: https://www.virustotal.com/gui/file/dbd72490ce2642721ba8919b27a5f4854d2a8199132e9c4bb08f54b48282febc/detection

nymedsvcsystems.com

# Reference: https://twitter.com/k3yp0d/status/1527656133837594624
# Reference: https://www.virustotal.com/gui/file/91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42/detection

emshedulersvc.com
huandocimama.com
han.huandocimama.com
log.huandocimama.com
m.huandocimama.com

# Reference: https://twitter.com/__0XYC__/status/1501847173864083458
# Reference: https://twitter.com/__0XYC__/status/1501852899491852288
# Reference: https://twitter.com/blackorbird/status/1534373342446202881
# Reference: https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg (Chinese)

botanoolifeapp.net
deliverymailserver.com
ekoconect.com
epapbuizhost.net
maildataserver.com
pnptrafcroutsvc.net
rurushophoogtypnl.com
svc2mcxwave.net

# Reference: https://twitter.com/RedDrip7/status/1536987661939773440
# Reference: https://twitter.com/RedDrip7/status/1536989979229835265
# Reference: https://www.virustotal.com/gui/file/6f5ce57dce03d9456657ad872766ee8f78b1b6c258a8b99c7658bc0590813d4d/detection
# Reference: https://www.virustotal.com/gui/file/55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396/detection

64.44.131.109:33638
wizbizkidshow.biz

# Reference: https://twitter.com/binlmmhc/status/1539094292064784384
# Reference: https://www.virustotal.com/gui/file/cfd883237a56a1a59c2882b9c7e11272ab32b76b35bbf69358c1168e82aae278/detection

mynewellowstore.com
login.mynewellowstore.com
star.mynewellowstore.com
/OibytDsERt.php

# Reference: https://twitter.com/binlmmhc/status/1529782539199868928
# Reference: https://www.virustotal.com/gui/file/3037f41f422033a11ed86871ea7f6dbba8b910dbee3212eb33165e488eecde14/detection

51.255.3.62:48152

# Reference: https://twitter.com/binlmmhc/status/1485545135882784768
# Reference: https://www.virustotal.com/gui/file/9ca64c2672258e72d297dbf0d2d7a57d92d6011e75ac08ba4feb01e8a975cf09/detection

185.117.73.195:59600
plprasvchost.net

# Reference: https://twitter.com/binlmmhc/status/1437704326789488642
# Reference: https://www.virustotal.com/gui/file/73f3a0d2d93c36276e1ecc7ebe64bede9c5adcfd01c5bebc89be75dc5b70111e/detection

fdcx32hostlaunchsvc.com

# Reference: https://twitter.com/binlmmhc/status/1377080167881924608
# Reference: https://www.virustotal.com/gui/file/fdc7cff892b890cb46c3c6d9fd3e8a62bb3059caaf034d63ba7d615342f17f70/detection

vercplsupport.net
/taskshandlers/DBhandle/primary_main.php

# Reference: https://twitter.com/h2jazi/status/1551980359990104064
# Reference: https://www.virustotal.com/gui/file/fec00455734451b722f3037e0a668c280c5ddbec1d905c647bf1a7f153856860/detection

novaoutletclub.com
