# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt-04, apt-c-24

# Reference: https://twitter.com/Sebdraven/status/1052864520522223616
# Reference: https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739
# Reference: https://www.virustotal.com/#/ip-address/185.106.120.43

heartissuehigh.win
webserv-redir.net

# Reference: https://twitter.com/Sebdraven/status/1140597344720830471
# Reference: https://app.any.run/tasks/d7ce191d-c04f-4eff-a13c-02cbe746c256/
# Reference: https://www.virustotal.com/gui/domain/cdn-dl.cn/relations
# Reference: https://pastebin.com/rccqdjNB

cdn-dl.cn
bd-gov.cdn-dl.cn
bdgov-mopa.cdn-dl.cn
biaa-org-bd.cdn-dl.cn
biaa-org.cdn-dl.cn
gov-cn.cdn-dl.cn
gov-pk.cdn-dl.cn
hostmaster.cdn-dl.cn
info-account.cdn-dl.cn
ministry-gov.cdn-dl.cn
ministry-interior-gov-pk.cdn-dl.cn
mod-gov.cdn-dl.cn
moe-gov.cdn-dl.cn
moi-nadra.cdn-dl.cn
mopa-bd.cdn-dl.cn
mopa-bdgov.cdn-dl.cn
mopa-govbd.cdn-dl.cn
nadra-interior.cdn-dl.cn
nadra-moi.cdn-dl.cn
narda-moi.cdn-dl.cn
neteease.cdn-dl.cn
newmake.pw
serve-dropbx-ap-east1.cdn-dl.cn
suodeshui.cdn-dl.cn
tiexue.cdn-dl.cn

# Reference: https://twitter.com/Timele9527/status/1147750939576586244

http://167.86.116.39

# Reference: https://twitter.com/Timele9527/status/1147750939576586244

vidyasagaracademybrg.in/scripts/lnk/
vidyasagaracademybrg.in/scripts/am/

# Reference: https://twitter.com/Timele9527/status/1150597482310619136
# Reference: https://app.any.run/tasks/e15e1cd1-0c38-41b9-aa1e-a29562f17b3d/
# Reference: https://www.freebuf.com/articles/network/196788.html (Chinese)

ap12.ms-update-server.net
cdn-do.net
cdn-edge.net
cdn-list.net
fb-dn.net
google.com.d-dns.co
msftupdate.srv-cdn.com
nadra.gov.pk.d-dns.co
pmo.cdn-load.net
s2.cdn-edge.net
s12.cdn-apn.net
trans-pre.net
webserv-redir.net

# Reference: https://twitter.com/blackorbird/status/1160734383864610816

trans-can.net

# Reference: https://mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA

cdn-ps.net

# Reference: https://twitter.com/blackorbird/status/1189116884626493440

paknavy.gov.pk.ap1-port.net

# Reference: https://twitter.com/Timele9527/status/1195272502135549953
# Reference: https://www.virustotal.com/gui/domain/reawk.net/details

reawk.net

# Reference: https://twitter.com/ccxsaber/status/1195281985335201794

sd1-bin.net

# Reference: https://twitter.com/0xCARNAGE/status/1203882560176218113
# Reference: https://app.any.run/tasks/3abfc241-3ab0-4016-acbb-040b44199d52/

185.225.17.239:443

# Reference: https://twitter.com/RedDrip7/status/1206898954383740929

ap1-acl.net

# Reference: https://twitter.com/Timele9527/status/1211852764688478216
# Reference: https://app.any.run/tasks/c8469e19-96a0-4f2f-9765-72acf72dee05/

fincruitconsulting.in

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/
# Reference: https://otx.alienvault.com/pulse/5e133ac9f5eaf331885e74b4

aws-check.net
deb-cn.net
ms-db.net
ms-ethics.net

# Reference: https://github.com/blackorbird/APT_REPORT/tree/master/sidewinder

gov-pk.org

# Reference: https://mp.weixin.qq.com/s/L3dVwbkfTABtE4ZYtv5r4w
# Reference: https://otx.alienvault.com/pulse/5e206d8b77de0b2690b9946c

110.10.176.193:4443

# Reference: https://twitter.com/Timele9527/status/1247325070520750080
# Reference: https://twitter.com/Timele9527/status/1247327952238284800
# Reference: https://twitter.com/Timele9527/status/1247376905956765697

ap-ms.net
d01fa.net
fdn-en.net
nrots.net

# Reference: https://twitter.com/ShadowChasing1/status/1252547080070914048

link-cdnl.net

# Reference: https://twitter.com/ccxsaber/status/1260775018306236416

au-edu.km01s.net

# Reference: https://twitter.com/Arkbird_SOLG/status/1260727623539404800

kat0x.net

# Reference: https://twitter.com/ShadowChasing1/status/1268214042637684738
# Reference: https://www.virustotal.com/gui/domain/chrom3.net/relations

chrom3.net
r0dps.net

# Reference: https://twitter.com/ccxsaber/status/1281413683013287936

gov-mil.cn

# Reference: https://twitter.com/ShadowChasing1/status/1284319235481538565

cdn-m1l.net
tar-gz.net

# Reference: https://twitter.com/cyber__sloth/status/1293183011916193793
# Reference: https://twitter.com/cyber__sloth/status/1293187616897028098
# Reference: https://twitter.com/Arkbird_SOLG/status/1293221669134372865
# Reference: https://app.any.run/tasks/e3501b33-28a2-4b7c-bc79-d20891c4832e/

http://111.229.73.84
202.58.104.100:81

# Reference: https://twitter.com/ShadowChasing1/status/1296710024643796992
# Reference: https://www.virustotal.com/gui/file/a89189f1c7c101c8d9c2637e571c4f8546df3ea557a576090cde7b75009981a9/detection

fqn-cloud.net

# Reference: https://twitter.com/ShadowChasing1/status/1297902086747598852

asw-edu.net
filesrvr.net

# Reference: https://twitter.com/cyber__sloth/status/1298187291295461376
# Reference: https://www.virustotal.com/gui/ip-address/185.141.25.136/relations

mil-pk.net

# Reference: https://twitter.com/ShadowChasing1/status/1308620752703299585

aws-pk.net
cdn-aws-s2.net

# Reference: https://twitter.com/ShadowChasing1/status/1316680709478604800
# Reference: https://twitter.com/mg2_tracy1/status/1316688407280586752
# Reference: https://www.virustotal.com/gui/file/280fb291d49f277067667838cdf30a940eaed9ed7712448158ea29e1ce6af86f/detection

cdn-sop.net

# Reference: https://twitter.com/ShadowChasing1/status/1324349418162720769
# Reference: https://twitter.com/ShadowChasing1/status/1324349684664528897
# Reference: https://www.virustotal.com/gui/domain/gov-pok.net/detection

gov-pok.net

# Reference: https://twitter.com/RedDrip7/status/1328639418110865409
# Reference: https://www.virustotal.com/gui/file/1cbec920afe2f978b8f84e0a4e6b757d400aeb96e8c0a221130060b196ece010/detection

cdn-edu.net
brep.cdn-edu.net

# Reference: https://twitter.com/mg2_tracy1/status/1331153718931177473
# Reference: https://www.virustotal.com/gui/file/7238f4e5edbe0e5a2242d8780fb58c47e7d32bf2c4f860c88c511c30675d0857/detection

ms-trace.net

# Reference: https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html
# Reference: https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742

185.225.19.46:4589
185.225.19.46:4875
gov-af.org
gov-np.org
mail-apfgavnp.hopto.org
mail-apfgovnp.ddns.net
mail-kmgcom.ddns.net
mail-mfagovcn.hopto.org
mail-mofagovnp.hopto.org
mail-mofagovnp.zapto.org
mail-mofgovnp.hopto.org
mail-ncporgnp.hopto.org
mail-nepalarmymilnp.duckdns.org
mail-nepalgovnp.duckdns.org
mail-nepalpolicegov.hopto.org
mail-nepalpolicegovnp.duckdns.org
mail-nrborg.hopto.org
mail-nscaf.myftp.org
mail-ntcnetnp.serveftp.com

# Reference: https://twitter.com/BaoshengbinCumt/status/1342297125141454848
# Reference: https://www.virustotal.com/gui/file/c59c6c18f529c88cf352883b23af36f829b8ae1d17daa0762f028184cba7199b/detection

cdn-re.net

# Reference: https://twitter.com/ShadowChasing1/status/1345559958796914694

gov-mail.net

# Reference: https://twitter.com/cyber__sloth/status/1346100925199478784

gov-af.net
gov-crt.net
gov-nadra.net
gov-pbs.net
gov-pmo.net

# Reference: https://www.virustotal.com/gui/domain/gov-cn.net/relations

gov-cn.net

# Reference: https://www.virustotal.com/gui/domain/gov-cnn.net/relations

gov-cnn.net

# Reference: https://www.virustotal.com/gui/domain/paknavy-gov.net/detection

paknavy-gov.net

# Reference: https://www.virustotal.com/gui/file/4b5e0ad20a8d143567cc424edf2010146e24a0b729de7ca0f66292141d363e57/detection

cdn-aws.net
cdn-src.net

# Reference: https://twitter.com/BaoshengbinCumt/status/1354270351702691843

del-ivery.net
trans-aws.net

# Reference: https://twitter.com/jfslowik/status/1362782587345727492

cdn-secure.net

# Reference: https://twitter.com/h2jazi/status/1363683531067715584
# Reference: http://hackdig.com/02/hack-280699.htm
# Reference: https://app.any.run/tasks/b88e935c-b17a-4429-acdc-65156804ad1c/
# Reference: https://otx.alienvault.com/pulse/6033e84e6fb8fc369323e8e3/

151.236.11.147:57670
alsalaf.info
gov-pk.info
govt-pk.org
gov-pak.org
pk-gov.org
attachments.gov-pk.info
nhsrcgovpk.servehttp.com
contact.gov-pak.org
onedrives.pk-gov.org
support.govt-pk.org
support.gov-pak.org
support-gov.myftp.org

# Reference: https://twitter.com/DeadlyLynn/status/1367746507974270981
# Reference: https://www.virustotal.com/gui/file/bb58796f79a913a985eb41f0d12446e7ae8fe99fd3f0d432d77d8d82f202bf5f/detection

cdn-pak.net
fqn-mil.net
mailmofagovpk.cdn-pak.net

# Reference: https://twitter.com/BaoshengbinCumt/status/1369916500014821377

afd-bdmil.cdn-pak.net
fmprc.cdn-pak.net
ibn.cdn-pak.net
mofa.cdn-pak.net
oimc.cdn-pak.net
pakbj.cdn-pak.net
poly.cdn-pak.net
trgdte.cdn-pak.net

# Reference: https://www.virustotal.com/gui/domain/www-cdn.net/relations

www-cdn.net

# Reference: https://twitter.com/ShadowChasing1/status/1384743822953877505

afohs.mod-pak.co
fbr.mod-pak.co
shaheenfoundation.mod-pak.co
mod-pak.co

# Reference: https://twitter.com/BaoshengbinCumt/status/1384792855692988416
# Reference: https://www.virustotal.com/gui/ip-address/185.163.45.56/relations
# Reference: https://www.virustotal.com/gui/file/37a3855e05c63fdab773fdd39da021f2daf1961cc8137385db079960bdfa18c7/detection

edu-mil.cn
iugur.live
bmac.iugur.live
mofa.iugur.live

# Reference: https://twitter.com/BaoshengbinCumt/status/1387233200871673856
# Reference: https://mp.weixin.qq.com/s/GWVz02_jGaUt_n9JxB1OwQ

autodiscover.mofagov-pk.online
cpanel.mofagov-pk.online
cpcalendars.mofagov-pk.online
cpcontacts.mofagov-pk.online
dgmi-share-folder-nepalarmy-mil-np-coas-sambodhan-pdf.netlify.app
email-nepalarmy-mil-np-owa.netlify.app
imail.aop.gov.af.egateway.nsc-gov.com
mail-nepalarmy-mil-np-fsdafjsd.herokuapp.com
mail-nepalarmy-mil-np-login-download.netlify.app
mail-nepalarmy-mil-np-view.netlify.app
mail-nepalpolice-gov-np-loginn.herokuapp.com
mail-nscaf.hopto.org
mail-ntmail-ntcnetnp.serveftp.comcnetnp.serveftp.com
mail.mofagov-pk.online
medeclinic.ae
mil-pk.net
mod-cn.trans-del.net
mofagov-pk.naatlibrary.com
mofagov-pk.online
naatlibrary.com
nepalarmy.trans-del.net
nsc-gov.com
nsc-gov.net
polyinc-global.trans-del.net
trans-del.net
webdisk.mofagov-pk.online
webmail.mofagov-pk.online
www-punjabpolice-gov-pk-sopforsecurityofforeignersandchinese.trans-aws.net

# Reference: https://twitter.com/ShadowChasing1/status/1391976060472860675

paf-gov.com
img-google.paf-gov.com

# Reference: https://twitter.com/ShadowChasing1/status/1396809305194590211
# Reference: https://www.virustotal.com/gui/file/caaf44f16dcbee93071887ab6844ed79975ccd20f9008deb93c13bfdb436e0b0/detection

bahariafoundation.org
pmaesa.bahariafoundation.org

# Reference: https://twitter.com/ShadowChasing1/status/1397135889327804417

comsates.org
crisismanagementunit.comsates.org
mofa-gov-pk-wireless.comsates.org

# Reference: https://twitter.com/ShadowChasing1/status/1398171992554053632
# Reference: https://www.virustotal.com/gui/file/ff54e9228b7160f9272d67ad1423600d2cb7aa4d335412a28b11f63a517270fe/detection

cdn-gov.net

# Reference: https://twitter.com/Des00464472/status/1399969790471507968

paknavy-gov-cvic.fbise.org

# Reference: https://twitter.com/BaoshengbinCumt/status/1403292104671916032

cdn-in.net
punjabpolice.gov.pk.standingoperatingprocedureforemergencythreat.cdn-in.net

# Reference: https://twitter.com/ShadowChasing1/status/1412695070659153925
# Reference: https://twitter.com/0xrb/status/1412727167151005703

pakmarines.com
as.pakmarines.com
dsadsa.pakmarines.com
gov.pakmarines.com
jmicc-gov-pk.pakmarines.com
pmaesa.pakmarines.com
pnwc-gov-pk.pakmarines.com
pqa.gov.pakmarines.com

# Reference: https://twitter.com/ShadowChasing1/status/1420762840479109122
# Reference: https://twitter.com/ShadowChasing1/status/1420762846980308999
# Reference: https://www.virustotal.com/gui/file/468351924d611359fb181855331da98359bb1b926b5ce3ee8cd3330986d6e12c/detection
# Reference: https://www.virustotal.com/gui/file/84d5a31227eaa3be1134bb6f5a2f92c2621e738ee0c0c4f84758ae8d79d09526/detection

pak-web.com
fbr.pak-web.com

# Reference: https://twitter.com/malwrhunterteam/status/1109085127290900480

nitb.pk-gov.org

# Reference: https://mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ (Chinese)
# Note: APT-C-48

http://213.227.154.175
http://78.142.29.118
141.136.0.91:443
213.227.154.175:443
91.193.18.248:443
cert.pk-gov.org
dns1.pk-gov.org
nccs.pk-gov.org
ntc-pk.sytes.net
quwa-paf.servehttp.com
/F453457Pl_TMP347923592380/
/pl200_TMP2831474WDF.php

# Reference: https://twitter.com/ShadowChasing1/status/1466001768765018116
# Reference: https://www.virustotal.com/gui/file/38853bf262979313483310502d14a78db147586880d34571edf4d90e4bf05eb1

mofa.live
aitkenspencelogistics.mofa.live
careitservices.mofa.live
dsfvgbh.mofa.live
paknavy.mofa.live

# Reference: https://twitter.com/ShadowChasing1/status/1466686780531363840
# Reference: https://www.virustotal.com/gui/file/92dbd7f4399bce8b75e2c248af855df498bbed7e342c2d98ff6fcf15b611c50e

webarchive-datacenter.herokuapp.com

# Reference: https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/

afghannewsnetwork.com
afrepublic.xyz
amsss.in
appsstore.in
eurekawatersolution.com
maajankidevisevasansthan.org
newsroom247.xyz
republicofaf.xyz
scouttable.xyz
securecheker.in
securedesk.one
scout.fontsplugins.com

# Reference: https://twitter.com/souiten/status/1467674804211777536
# Reference: https://twitter.com/souiten/status/1467689489145339915
# Reference: https://twitter.com/souiten/status/1467693133001486337
# Reference: https://www.virustotal.com/gui/file/04206a2217be8d09e6dc6989d2a2b9aae8623f8fac962e5e07d9fa1a1577998b/detection

173.212.242.43:57149
paryavaranindia.com/css/files/docs/Updated-Leave-Rules-Fourth-Edition/css
paryavaranindia.com/css/files/hulfz/

# Reference: https://twitter.com/h2jazi/status/1469399194435735553
# Reference: https://twitter.com/h2jazi/status/1469399196369313792
# Reference: https://www.virustotal.com/gui/file/2cf842ec2bac099d200c079375a4be7a4d0b3b5869dd739582b7df168e6c4fb6
# Reference: https://www.virustotal.com/gui/file/a7b52acc18ce7fd14b4a410019a1f0042a6743dcbe887e82d498130848ce195c/detection
# Reference: https://www.virustotal.com/gui/file/c02108f0b413ecdcb8fe48ff445cb75d45324bfd06734011409de57c7cfdeb73/detection
# Reference: https://www.virustotal.com/gui/file/4219de40e65c89ecba9bd392f744fa26b867cad82d1b994e1e9266482089d8f9/detection
# Reference: https://www.virustotal.com/gui/file/16467586cb1a11ce2e1ca81ae6fb490fbc8f5602245f883c14e940189dfd2b79/detection

http://62.171.172.199
62.171.172.199:443
62.171.172.199:81

# Reference: https://twitter.com/GGGGh0st/status/1471323446713864193
# Reference: https://www.virustotal.com/gui/file/1bf584616477e16b54d6be7ce4d69f7ea26ee7841ec9a17ed162f4d560ab125a/detection

62.171.187.53:43
62.171.187.53:44
62.171.187.53:45

# Reference: https://twitter.com/ShadowChasing1/status/1474901903418949636
# Reference: https://twitter.com/ShadowChasing1/status/1474901905474129922
# Reference: https://www.virustotal.com/gui/file/d3a0b7c5a1eafbf7d381b6ee064083496476163da5dfed53096fac36c2b30738/detection

bahariafoundation.live
compress.bahariafoundation.live
invitation.bahariafoundation.live
mohgovsg.bahariafoundation.live
pnwc.bahariafoundation.live

# Reference: https://twitter.com/ShadowChasing1/status/1435546349856907268
# Reference: https://www.virustotal.com/gui/file/da08044373bc9bd54fd2ead9705446917e8f6e53d32f0885854e720e601cdbef/detection

asw-sns.link
edu-cx.org
afd.edu-cx.org
f.edu-cx.org
fsfdsf.edu-cx.org
go.edu-cx.org
mofagovpk.edu-cx.org
paknavy.edu-cx.org
rkvisa200de.edu-cx.org
rrkvisa200de.edu-cx.org
yahoo.edu-cx.org

# Reference: https://twitter.com/ShadowChasing1/status/1433038639961804800
# Reference: https://www.virustotal.com/gui/file/8a1c9a28ba0c74bafd71705aa12128831d66bbae06536a81d680cd207e740a65/detection

ppra.live
nima.ppra.live

# Reference: https://twitter.com/ShadowChasing1/status/1427258373532119044
# Reference: https://www.virustotal.com/gui/file/66ddbdfe9328d6a3f49abbb814252617fce0e05934ceeef9813e8bd30385fe50/detection

ppinewsagency.live
behr.ppinewsagency.live

# Reference: https://twitter.com/h2jazi/status/1478496217789341698
# Reference: https://www.virustotal.com/gui/file/df0b09c9f359f2e086e5e6b78f6fc6f63c9be1c6023cc6ee1e698d6e0daba31b/detection

teckblog.live
ms.teckblog.live

# Reference: https://twitter.com/s1ckb017/status/1478750005594927109
# Reference: https://twitter.com/s1ckb017/status/1478750907827429380
# Reference: https://twitter.com/500mk500/status/1478758092611407876
# Reference: https://www.virustotal.com/gui/ip-address/164.68.108.153/relations
# Reference: https://www.virustotal.com/gui/file/88a174855020c69d7719779a09c9b1058ec6732aa0fb04343c1d82fe13ca2e6e/detection
# Reference: https://www.virustotal.com/gui/file/f4777f8751ed6818a693817513a5685f13a249803658d1f12190d7b1aa26079e/detection
# Reference: https://www.virustotal.com/gui/file/9abd42a9f2cc147db47d4bb9598870eab96a2094964e97a6cb231f58d4d4ada2/detection
# Reference: https://www.virustotal.com/gui/file/c401fc82d3ffdf118aac1bc247838fcd554b7faa3fd10aaa00ed83d80d00b87b/detection

164.68.108.153:4142
164.68.108.153:5000
164.68.108.153:8062
digitalworldonline.net

# Reference: https://twitter.com/uslss_etr/status/1478784684452720646
# Reference: https://www.virustotal.com/gui/domain/paknvay-pk.net/relations
# Reference: https://www.virustotal.com/gui/ip-address/94.158.245.67/relations
# Reference: https://www.virustotal.com/gui/file/146e2c51cd7c904e0eeb641daa6ee956e80b48b198b9d2a9fd9b92b68399f9d1/detection
# Reference: https://www.virustotal.com/gui/file/e74be8bbad2fa8577b7383e6ad4dffd5d0cd44e75c0a7148a971c417d38d8ee7/detection

paknvay-pk.net
careitservices.paknvay-pk.net
dgpr.paknvay-pk.net
mofa.paknvay-pk.net

# Reference: https://www.virustotal.com/gui/domain/cdn-noc.net/relations

cdn-noc.net

# Reference: https://twitter.com/souiten/status/1474200802344386560
# Reference: https://www.virustotal.com/gui/file/ed4912f09e212479a319de1e95dd3e7d0e3574658be60782369c0e7a19ae0173/detection

62.171.172.199:88

# Reference: https://twitter.com/h2jazi/status/1479502335328112645
# Reference: https://www.virustotal.com/gui/ip-address/144.126.141.41/relations
# Reference: https://www.virustotal.com/gui/file/d15f76acb846b237956a6373bd6646ef804419dd9a9fd3c9501acc241fcddff9/detection
# Reference: https://www.virustotal.com/gui/file/947b81c1ecdb34533f7bc9c41d6678fa525c17eae5b8f383e89c6c66db0743c1/detection

afcat.xyz

# Reference: https://twitter.com/alex_lanstein/status/1479569375971713029
# Reference: https://pastebin.com/9HwieuS2

moma-pk.org
dfgrthy.moma-pk.org
mofa.moma-pk.org
sppc.moma-pk.org

# Reference: https://www.virustotal.com/gui/domain/cvix.live/relations

cvix.live
cn.cvix.live
cosmic.cvix.live
defencelk.cvix.live
mailaplf.cvix.live
mailmfagovnp.cvix.live
mailmofagoug.cvix.live
mailmofagovpk.cvix.live
mailoutlookcom.cvix.live
mailyahoocom.cvix.live

# Reference: https://twitter.com/ShadowChasing1/status/1481583143735808001
# Reference: https://www.virustotal.com/gui/file/cb933361cd6c26ca61c441a40da394a505086f572fd7e9bd425bf086adf50edc/detection

ministry-pk.net
cabinet-gov-pk.ministry-pk.net

# Reference: https://twitter.com/cyber__sloth/status/1485361081329631236

email-gov-in.digital
mailnic.info
indianarmy.mailnic.info
kavach.mailnic.info
mod.mailnic.info
passapp.mailnic.info

# Reference: https://twitter.com/uslss_etr/status/1489274205917044736
# Reference: https://www.virustotal.com/gui/file/85ab1c3ee01c5456eb45bf13c69dda88fa014a1dc5e832bdaa3e801a29d84ccd/detection

aeltron.xyz
incometaxreturn.aeltron.xyz
instructions.aeltron.xyz
rgdtyt.aeltron.xyz

# Reference: https://twitter.com/ShadowChasing1/status/1490984172797984770
# Reference: https://www.virustotal.com/gui/file/eeeb99f94029fd366dcde7da2a75a849833c5f5932d8f1412a89ca15b9e9ebb7/detection

mod-pk.com
dgmp-paknavy.mod-pk.com

# Reference: http://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html
# Reference: https://www.virustotal.com/gui/ip-address/45.153.240.66/relations

changeworld.hopto.org
mail-argaf.myftp.org
mail-meagovmv.hopto.org
mail-modaf.hopto.org
mail-modgav.hopto.org
mail-mofa.hopto.org
mail-mofagovpk.myftp.org
mail-mopitgovnp.hopto.org
mail-nepalpolgavnp.hopto.org
mail-nepalpolice.hopto.org
mail-opmcmgavnp.hopto.org
microsoft-winupdate.servehttp.com
teamchat.hopto.org
webmail-accbt.hopto.org
webmail-morrgovaf.hopto.org

# Reference: https://twitter.com/souiten/status/1491681294391992325
# Reference: https://www.virustotal.com/gui/file/44c720bc1adde78e11c202615260fb9e2e4301cf06edfefe06cde09a373a6c0e/detection

asianetnews.xyz
awww.asianetnews.xyz
mofa-gov-pk.asianetnews.xyz
ofa-gov-pk.asianetnews.xyz

# Reference: https://assets.sentinelone.com/sentinellabs-apt/modified-elephant-apt

bbcworld-news.net
newsinbbc.com

# Reference: https://twitter.com/uslss_etr/status/1496118824944697345
# Reference: https://www.virustotal.com/gui/file/94214e83441e3a6a5cde971f6abe0d4bf226fd0750a0ad26d2241c085de9b604/detection

crclab-bahria.org
dbms.crclab-bahria.org

# Reference: https://twitter.com/__0XYC__/status/1502593457201811459

nationalhelpdesk.pk
pkgov.org
sngpl.org.pk
bok.pkgov.org
bop.pkgov.org
csd.pkgov.org
cybernet.pkgov.org
dawn.pkgov.org
energy.pkgov.org
fauji.pkgov.org
mail.pkgov.org
mofa.pkgov.org
myth.pkgov.org
nespak.pkgov.org
nitb.pkgov.org
nlc.pkgov.org
np.pkgov.org
nrlpak.pkgov.org
ns1.pkgov.org
ns2.pkgov.org
ntc.pkgov.org
ntdc.pkgov.org
ogdcl.pkgov.org
pakoil.pkgov.org
parco.pkgov.org
pmo.nationalhelpdesk.pk
pmsa.pkgov.org
ptcl.pkgov.org
ptv.pkgov.org
radio.pkgov.org
sco.pkgov.org
ssgc.pkgov.org
sui.nationalhelpdesk.pk
wapda.pkgov.org
web.sngpl.org.pk
whale.pkgov.org
email.nespak.pkgov.org
email.nitb.pkgov.org
email.nlc.pkgov.org
lotussrv01.fauji.pkgov.org
mail-corp.cybernet.pkgov.org
mail.bok.pkgov.org
mail.bop.pkgov.org
mail.csd.pkgov.org
mail.dawn.pkgov.org
mail.mofa.pkgov.org
mail.nrlpak.pkgov.org
mail.ntc.pkgov.org
mail.ntdc.pkgov.org
mail.ogdcl.pkgov.org
mail.pakoil.pkgov.org
mail.pkgov.org
mail.pmsa.pkgov.org
mail.ptv.pkgov.org
mail.radio.pkgov.org
mail.sco.pkgov.org
parchqwebmail.parco.pkgov.org
webmail.cybernet.pkgov.org
webmail.ssgc.pkgov.org
webmail.wapda.pkgov.org
zmail.ptcl.pkgov.org

# Reference: https://twitter.com/ShadowChasing1/status/1504347312838959106
# Reference: https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
# Reference: https://www.virustotal.com/gui/domain/kpt-pk.net/relations
# Reference: https://otx.alienvault.com/pulse/624c29baad734a210134b02c
# Reference: https://www.virustotal.com/gui/file/f765b0b6e4a34eb95c6f0ddf058bc88d5ef9ec2b11a5f3504d1673f4f69aceca/detection

kpt-pk.net
awww.kpt-pk.net
job.kpt-pk.net
maritimepakistan.kpt-pk.net

# Reference: https://twitter.com/ShadowChasing1/status/1512011407838961664
# Reference: https://www.virustotal.com/gui/file/37baf7415c755688e1e89679130b5cfd713d662330734eb310089d1f2afd82b8/detection

ksew.org
srilankanavy.ksew.org

# Reference: https://twitter.com/ShadowChasing1/status/1518594904393355264
# Reference: https://www.virustotal.com/gui/file/5dfe303f04e3432101b676fa0f230667eb6c9bc1715d5b4042f99d9522aa00fe/detection

ksewpk.com
defrgthyj.ksewpk.com
mofabn.ksewpk.com

# Reference: https://twitter.com/botlabsDev/status/1522500574956109825
# Reference: https://www.virustotal.com/gui/file/b3caa7ce9a8de209d5a63ab95485c1181f7fca03346330fe92ff3c0a0a9c1040/detection

paknavy.live
awww.paknavy.live
dxfgbdfh.paknavy.live
pmsa.paknavy.live
yfghvjb.paknavy.live

# Reference: https://twitter.com/blackorbird/status/1526840629010894848
# Reference: https://mp.weixin.qq.com/s/qsGxZIiTsuI7o-_XmiHLHg
# Reference: https://otx.alienvault.com/pulse/6285048d921d21c8d9beaf1f
# Reference: https://www.virustotal.com/gui/domain/cssc.info/relations

cssc.info
job.cssc.info
mailcantonfair.cssc.info
mailcitifs.cssc.info
mailgu.cssc.info
mailmofa.cssc.info
mailturkmenembassy.cssc.info
mofa.cssc.info
rancher.cssc.info
sdgsfg.cssc.info

# Reference: https://twitter.com/__0XYC__/status/1528616671103131649
# Reference: https://www.virustotal.com/gui/ip-address/92.118.190.165/relations
# Reference: https://www.virustotal.com/gui/file/fedc3b7cdb07f7b6f5a6bc85720528057297282bfae7960b3d33001ab34a51d6/detection

govpk-mail.net
csd.govpk-mail.net
finance.govpk-mail.net

# Reference: https://twitter.com/__0XYC__/status/1529707301979947009
# Reference: https://twitter.com/0xrb/status/1529709439808602113
# Reference: https://www.virustotal.com/gui/domain/interior-pk.org/relations
# Reference: https://www.virustotal.com/gui/file/6f4e89fce6a490d619cad9078079c6f6694b2798fc875288faa92b721f25d3cb/detection

comsats.xyz
interior-pk.org
awww.interior-pk.org
mofa-gov.interior-pk.org
punjab.interior-pk.org
paknavy.comsats.xyz

# Reference: https://twitter.com/virqdroid/status/1532094635170238464
# Reference: https://twitter.com/ReBensk/status/1532245757322924032
# Reference: https://www.virustotal.com/gui/ip-address/2.56.245.21/relations

pakgov.net
covid.pakgov.net
csd.pakgov.net
dvdbhjk.pakgov.net
finance.pakgov.net
financial.pakgov.net
flix.pakgov.net
hajj.pakgov.net
ji.pakgov.net
nadra.pakgov.net
ncoc.pakgov.net
nhsrc.pakgov.net
pt.pakgov.net
vpn.pakgov.net
wsde.pakgov.net
ww2.pakgov.net

# Reference: https://blog.group-ib.com/sidewinder-antibot
# Reference: https://otx.alienvault.com/pulse/62987c8eafd38f2088986035

bahariafoundation.org
bbcnew.cn
bitlyy.me
cdn-pak.net
cloud-apt.net
cr20g.org
csd-pk.co
cvix.live
dawnpk.org
docuserve.ltd
edu-cx.org
fdn-trace.net
fileserve.work
gov-mail.net
gov.pakmarines
govpk-mail.net
iugur.live
kdf-mail.com
kpt-pk.net
krlwin.org
ksew.org
mod-pk.com
mohp-gov.org
moma-pk.org
paf-gov.net
pafwa.info
pak-gov.com
pak-web.com
pakgov.net
pakgov.org
pakmarines.com
paknvay-pk.net
pkrepublic.org
ppinewsagency.live
tin-url.com
vpn-secure.co
api.vpn-secure.co
as.pakmarines.com
askari.bitlyy.me
askaribank.bitlyy.me
bangladeshmarineacademylibrary.ppinewsagency.live
bb.kdf-mail.com
china.bbcnew.cn
covid.bbcnew.cn
covid.pakgov.net
covid.pkrepublic.org
covid19.mohp-gov.org
csd.bitlyy.me
csd.pakgov.net
dasds.pak-gov.com
dasdsadsa.pak-gov.com
dawn.pakgov.org
defencelk.cvix.live
dgmp-paknavy.mod-pk.com
dgpr.paknvay-pk.net
dha.pakgov.org
dsadsa.pakmarines.com
dsasa.cr20g.org
faujifoundation.bitlyy.me
fbr.pak-web.com
fdscv.tin-url.com
finance.govpk-mail.net
finance.pakgov.net
financial.pakgov.net
flix.pakgov.net
hajj.pakgov.net
hajjplanner.bitlyy.me
hajjplanner.tin-url.com
hbl.pakgov.org
hpupdate.csd-pk.co
ibn.cdn-pak.net
independenceday.pafwa.info
islamabadclub.docuserve.ltd
islamicfinder.bitlyy.me
ji.pakgov.net
jp.pkrepublic.org
karachishipyard.krlwin.org
ltd.cdn-pak.net
luckydraw.csd-pk.co
mail.paf-gov.net
mail.pak-gov.com
mailmofagovpk.cdn-pak.net
mailoutlookcom.cvix.live
maritimepakistan.kpt-pk.net
meet.kdf-mail.com
min.tin-url.com
ministryofinterior.fileserve.work
mofa-gov-pk.fdn-trace.net
mofa.iugur.live
mofa.paknvay-pk.net
nadra.pakgov.net
ncoc.pakgov.net
news.bitlyy.me
news.dawnpk.org
news.kdf-mail.com
news.pakgov.org
news.pkrepublic.org
nhsrc.pakgov.net
niims.pakgov.org
paf.gov-mail.net
pafroa.pak-gov.com
paknavy.edu-cx.org
pk.kdf-mail.com
pkflix.bitlyy.me
pkflix.tin-url.com
pmaesa.bahariafoundation.org
pqa.gov.pakmarines.com
pt.pakgov.net
sbp.pakgov.org
sec-vpn.bitlyy.me
secp.pakgov.org
secure.tin-url.com
shoprex.bitlyy.me
smstest.kdf-mail.com
sppc.moma-pk.org
srilankanavy.ksew.org
t.bitlyy.me
telemart.bitlyy.me
ubl.pakgov.org
vim.kdf-mail.com
vpn.pakgov.net
vpn.tin-url.com
wsde.pakgov.net
wsed.pkrepublic.org
ww2.pakgov.net
xyz.kdf-mail.com

# Reference: https://twitter.com/GroupIB_GIB/status/1532651046111023104
# Reference: https://www.virustotal.com/gui/file/e089dc65af44ff334304e52c29755c96460691d93cfd4e4ab75f75bc6078993e/detection
# Reference: https://www.virustotal.com/gui/file/42b828e187e4b7f1ca5d774553c8b85c1fed204a2a5a8c50fd4c7e9a491fb118/detection

almighty-allah.com
supremeallah.world
api.almighty-allah.com
api.supremeallah.world

# Reference: https://twitter.com/GroupIB_GIB/status/1532651049776865280
# Reference: https://www.virustotal.com/gui/domain/srvapp.co/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.225.19.142/relations
# Reference: https://www.virustotal.com/gui/file/c17cbe229e743df8993b96f2887393b2565ae355f3ba61d09c901e552e7ee4d1/detection

srvapp.co
awww.srvapp.co
discount.srvapp.co
localhost.srvapp.co
register.srvapp.co

# Reference: https://twitter.com/blackorbird/status/1534373342446202881
# Reference: https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg (Chinese)

afg-refugee.net
brwse.co
civix.live
crclab-bahria.org
cssc.info
cvix.live
dawnpk.org
docusserve.cc
docusserve.ltd
doken.xyz
fdn-mac.net
filedownload.work
gov-pk.net
kpt-pk.net
ministry-pk.net
mod-pk.com
mofa-pk.co
nationpk.org
norter.xyz
paf-gov.net
paf-mail.com
pak-gov.net
pakgov.net
pakgov.org
paknavy.live
pkrepublic.org
slap-games.club
trik.live
watch-earn.live

# Reference: https://twitter.com/h2jazi/status/1536330475656171520
# Reference: https://www.virustotal.com/gui/file/cf79ecafd3e1ae354fcf9cf33acdb06b6b64dc9a8128656a9d27ff94e154f9c4/detection

bahriafoundation.live
pnwc.bahriafoundation.live

# Reference: https://otx.alienvault.com/pulse/62a864daa688835ed774c449

srvapp.co
register.srvapp.co

# Reference: https://twitter.com/h2jazi/status/1536707820799807489
# Reference: https://www.virustotal.com/gui/ip-address/5.230.71.95/relations
# Reference: https://www.virustotal.com/gui/file/4bad3e34a192a8f305e188538b4370ea835446cc6ba32fe046d9a5f2bc3df172/detection

jmicc.xyz
navy.jmicc.xyz
navy-mil-bd.jmicc.xyz

# Reference: https://twitter.com/malwareforme/status/1540037682314629120
# Reference: https://www.virustotal.com/gui/ip-address/5.230.69.153/relations
# Reference: https://www.virustotal.com/gui/file/ee77e136f7df758c2ab9092529dc5c6b64b35bc9f4d2c16c65bcd05965ccd92a/detection

alit.live
bdmil.alit.live
mailmofa.alit.live
mailh.alit.live

# Reference: https://twitter.com/BaoshengbinCumt/status/1545247231938244610

mail-mofa-gov-pk-satellite-proposal-for-pakistan-files-ops.netlify.app

# Reference: https://twitter.com/Malwar3Ninja/status/1545376308196147200

mofa-pk.org
br.mofa-pk.org
mofa.g0v.cq.cn

# Reference: https://blog.checkpoint.com/2022/07/13/a-hit-is-made-suspected-india-based-sidewinder-apt-successfully-cyber-attacks-pakistan-military-focused-targets/
# Reference: https://otx.alienvault.com/pulse/62cffda72568807d4e9a9f2e
# Reference: https://www.virustotal.com/gui/ip-address/5.230.67.73/relations
# Reference: https://www.virustotal.com/gui/file/898513123f0f0342b1c47a4a65c88a60f895f90a9d0fa5fc5928c26dfab622b0/detection

bgevin.live
eterplicity.live
polvcrit.info
cdn.bgevin.live
cdn.polvcrit.info
/W6taHcwqKwhgzWGWr7ElpRAfWA7JcsXC0A2a4eFv/

# Reference: https://twitter.com/h2jazi/status/1549762807624880128
# Reference: https://www.virustotal.com/gui/file/cd1a9ae4a3968643a6fb41b36b67838d952dac83ad63c63ce4ad3c672fac31b8/detection

kpt-gov.org
discount.kpt-gov.org
ksew.kpt-gov.org

# Reference: https://twitter.com/h2jazi/status/1550524741202726919
# Reference: https://www.virustotal.com/gui/file/a28a5417d707ecae61313bd5b7c53736d40afba2280cd7ae673963075ae37072/detection

paf-gov.org
awww.paf-gov.org
summer.paf-gov.org
finance.paf-gov.org

# Reference: https://twitter.com/Des00464472/status/1550064523964338176
# Reference: https://www.virustotal.com/gui/ip-address/5.230.72.15/relations

ghaflah.top
cdn.ghaflah.top

# Reference: https://twitter.com/Des00464472/status/1548924681008590853

mawazna.info

# Reference: https://twitter.com/Des00464472/status/1531519247293513728

bluket.live

# Reference: https://twitter.com/Des00464472/status/1528935733888970753
# Reference: https://www.virustotal.com/gui/ip-address/185.234.72.188/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.138.172.23/relations

balcon.live
greploc.live
cdn.greploc.live
tray.balcon.live
treaty.balcon.live
