# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: gulpix
# Note: https://securelist.com/plugx-malware-a-good-hacker-is-an-apologetic-hacker/74150/

# Reference: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/plugx-goes-to-the-registry-and-india.pdf?la=en

freetimes.dns05.com
lucas1.dnset.com
supercat.strangled.net
nusteachers.no-ip.org
ruchi.mysq1.net
lucas1.freetcp.com
unisers.com
freemoney.ignorelist.com
sumy2012.jkub.com
dheeraj_gaurav.mooo.com
notebookhk.net
togolaga.com

# Reference: https://www.threatcrowd.org/listMalware.php?antivirus=plugx

hpservice.homepc.it
facebook.controlliamo.com
twititier.com
peaceful.linkpc.net
mongolia.regionfocus.com
shuimengluosuo.freetcp.com
ria-ru.xicp.net
itar-tass.xicp.net

# Reference: https://citizenlab.ca/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/

dnsupdate.dynamic-dns.net
good.wha.la

# Reference: https://citizenlab.ca/2015/10/targeted-attacks-ngo-burma/
# Reference: https://www.virustotal.com/#/file/365eeb1d5d8282188e5bbfadfda184e612eef61c2398b7c18cad4c31ce7225d1/detection

t1.mailsecurityservice.com
t2.mailsecurityservice.com
client.mailsecurityservice.com

# Reference: https://twitter.com/h4ckak/status/1163328926573137922

apple-net.com

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/plugx-rat-with-time-bomb-abuses-dropbox-for-command-and-control-settings/

bakup.firefox-sync.com
immi.firefox-sync.com
imm.heritageblog.org

# Reference: https://twitter.com/ClearskySec/status/968145266451894278

cisco-ipv4.com

# Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

dicemention.com
micrnet.net
rumiany.com
yandcx.com

# Reference: https://twitter.com/killamjr/status/1190019855434563600
# Reference: https://app.any.run/tasks/8286e7e1-710a-4570-805d-8a03395caa31/

wouderfulu.impresstravel.ga

# Reference: https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html
# Reference: https://otx.alienvault.com/pulse/5dd2b17f1b7dcef51f0ed38d

steam.suspendedio.com
steams.microsoftdepot.com
update.google.com.updatesrvers.org

# Reference: https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
# Reference: https://otx.alienvault.com/pulse/5e42e25df089cc9cfb28d1d0

apple-net.com
freesmadav.com
infosecvn.com
lameers.com
mmfhlele.com
olk4.com

# Reference: https://app.any.run/tasks/d4e14bc3-7adb-41db-9998-ee6b7e2c21b3/
# Reference: https://www.circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

help.yahoo-upgrade.com
support.yahoo-upgrade.com
update.ayuisyahooapis.com
support.ayuisyahooapis.com
update.trendmicrosoft.co.in

# Reference: https://github.com/silence-is-best/c2db#plugx

185.239.226.61:8080

# Reference: https://twitter.com/kienbigmummy/status/1240559063479402497
# Reference: https://www.virustotal.com/gui/file/6a4224517d66e07707f5a18793dfb3dcecd79bf0e913f9571850637c22b13fe8/detection
# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html

vietnam.zing.photos

# Reference: https://app.any.run/tasks/136824e2-885e-4b70-8b6b-20e982f82003/

hou.phimnoi.org

# Reference: https://twitter.com/pancak3lullz/status/1250158700909731845
# Reference: https://twitter.com/pancak3lullz/status/1250386060611391490
# Reference: https://pastebin.com/KdKsaAqV

103.127.157.9:443
103.127.157.9:80
103.136.40.141:443
103.136.40.141:80
103.148.244.59:443
103.148.244.59:80
103.192.226.44:443
103.192.226.44:80
103.193.149.26:443
103.193.149.26:80
103.200.97.150:443
103.200.97.150:80
103.212.223.125:443
103.212.223.125:80
103.213.244.203:443
103.213.244.203:80
103.230.15.155:443
103.230.15.155:80
103.51.147.227:443
103.51.147.227:80
103.56.16.231:443
103.56.16.231:80
103.56.55.69:443
103.56.55.69:80
103.59.165.87:443
103.59.165.87:80
103.79.76.205:443
103.79.76.205:80
104.148.13.252:443
104.148.13.252:80
104.192.80.102:443
104.192.80.102:80
104.199.131.72:443
104.199.131.72:80
104.238.188.213:443
104.238.188.213:80
107.150.112.250:443
107.150.112.250:80
107.179.8.66:443
107.179.8.66:80
112.121.187.178:443
112.121.187.178:80
112.121.187.179:443
112.121.187.179:80
112.121.187.180:443
112.121.187.180:80
112.121.187.181:443
112.121.187.181:80
112.121.187.182:443
112.121.187.182:80
112.196.204.151:443
112.196.204.151:80
112.213.109.32:443
112.213.109.32:80
114.29.253.26:443
114.29.253.26:80
121.127.232.67:443
121.127.232.67:80
13.234.145.7:443
13.234.145.7:80
136.244.102.157:443
136.244.102.157:80
137.59.18.183:443
137.59.18.183:80
139.28.37.102:443
139.28.37.102:80
144.202.50.219:443
144.202.50.219:80
149.248.62.83:443
149.248.62.83:80
149.28.137.203:443
149.28.137.203:80
149.28.150.210:443
149.28.150.210:80
149.28.239.88:443
149.28.239.88:80
149.28.93.163:443
149.28.93.163:80
15.164.104.227:443
15.164.104.227:80
152.32.162.250:443
152.32.162.250:80
152.32.211.67:443
152.32.211.67:80
154.210.12.8:443
154.210.12.8:80
154.215.13.149:443
154.215.13.149:80
154.223.167.105:443
154.223.167.105:80
154.83.13.105:443
154.83.13.105:80
167.179.86.140:443
167.179.86.140:80
167.88.177.191:443
167.88.177.191:80
167.88.178.4:443
167.88.178.4:80
167.88.180.151:443
167.88.180.151:80
167.88.180.32:443
167.88.180.32:80
167.88.180.5:443
167.88.180.5:80
172.245.86.123:443
172.245.86.123:80
172.93.220.201:443
172.93.220.201:80
178.236.44.58:443
178.236.44.58:80
18.138.29.108:443
18.138.29.108:80
185.133.40.223:443
185.133.40.223:80
185.133.42.6:443
185.133.42.6:80
185.161.209.234:443
185.161.209.234:80
185.172.112.212:443
185.172.112.212:80
185.211.246.203:443
185.211.246.203:80
185.225.19.115:443
185.225.19.115:80
185.231.245.119:443
185.231.245.119:80
185.239.226.28:443
185.239.226.28:80
185.239.226.38:443
185.239.226.38:80
185.239.226.53:443
185.239.226.53:80
185.239.226.65:443
185.239.226.65:80
185.243.114.68:443
185.243.114.68:80
185.243.41.200:443
185.243.41.200:80
192.169.7.189:443
192.169.7.189:80
207.148.68.124:443
207.148.68.124:80
211.62.228.141:443
211.62.228.141:80
213.159.202.41:443
213.159.202.41:80
213.252.246.141:443
213.252.246.141:80
27.102.101.52:443
27.102.101.52:80
27.102.130.30:443
27.102.130.30:80
27.255.64.75:443
27.255.64.75:80
3.6.50.223:443
3.6.50.223:80
34.80.27.200:443
34.80.27.200:80
34.92.251.135:443
34.92.251.135:80
35.229.151.34:443
35.229.151.34:80
37.157.245.38:443
37.157.245.38:80
42.99.117.95:443
42.99.117.95:80
43.228.125.9:443
43.228.125.9:80
43.251.118.79:443
43.251.118.79:80
45.115.236.22:443
45.115.236.22:80
45.147.228.131:443
45.147.228.131:80
45.248.87.217:443
45.248.87.217:80
45.251.241.25:443
45.251.241.25:80
45.32.149.253:443
45.32.149.253:80
45.76.153.250:443
45.76.153.250:80
45.76.53.241:443
45.76.53.241:80
45.77.34.128:443
45.77.34.128:80
45.77.60.116:443
45.77.60.116:80
45.81.10.9:443
45.81.10.9:80
45.91.26.140:443
45.91.26.140:80
60.169.81.26:443
60.169.81.26:80
66.42.38.60:443
66.42.38.60:80
66.42.41.140:443
66.42.41.140:80
66.42.48.186:443
66.42.48.186:80
69.171.72.232:443
69.171.72.232:80
91.229.79.226:443
91.229.79.226:80

# Reference: https://twitter.com/KorbenD_Intel/status/1275542304351109120
# Reference: https://www.virustotal.com/gui/domain/subupdata.com/relations
# Reference: https://www.virustotal.com/gui/file/b2c6474f27c1beab3ba9a3e956c5e65d96db8aad686a99a6cc1f9c66bee82b29/detection

185.231.245.119:443
subupdata.com

# Reference: https://twitter.com/cyber__sloth/status/1304042505604861952

http://103.85.24.158

# Reference: https://twitter.com/XOR_Hex/status/1307233839425695744

103.56.53.46:80
103.56.53.46:110
103.56.53.46:443
103.56.53.46:5938

# Reference: https://twitter.com/XOR_Hex/status/1315367371268386817

45.251.240.55:443
45.251.240.55:8000
45.251.240.55:8080

# Reference: https://twitter.com/XOR_Hex/status/1333832546589749249
# Reference: https://twitter.com/noottrak/status/1334165739423608834
# Reference: https://otx.alienvault.com/pulse/5fcaa5df270f075f05c34204
# Reference: https://www.virustotal.com/gui/file/9699c3f5dd99345b04aaf5e7dc5002de7dbabf922e43125a10eb3f5fc574e51e/detection

43.254.217.165:110
43.254.217.165:80
45.248.87.217:8080
http://43.254.217.165

# Reference: https://twitter.com/James_inthe_box/status/1341422354589573120
# Reference: https://twitter.com/Arkbird_SOLG/status/1341479376035168256

caonimade.11i.me

# Reference: https://www.virustotal.com/gui/file/eb649c114f5e0edaf3dda0d4cb97dc06c3b0f437dca8803c0d315d997e273178/detection

39.98.228.46:2653
sdd34dfgfg.xyzs666.xyz

# Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
# Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz

microsoftsp3.com
java.ns1.name
wm1.ns01.us

# Reference: https://app.any.run/tasks/34ef8d2b-6e2c-4da6-9c34-1d73ecd4b040/

krmai1s.servehttp.com

# Reference: https://www.virustotal.com/gui/file/642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d/detection
# Reference: https://app.any.run/tasks/b0d1f612-e69e-4e0b-9b4c-84e067ffd19a/

www2.molnews.net

# Reference: https://twitter.com/wwp96/status/1372553920942379014
# Reference: https://app.any.run/tasks/e001e6f3-0098-4c23-87d7-da31a7015528/

asmlbigip.com
sec.asmlbigip.com

# Reference: https://twitter.com/KorbenD_Intel/status/1374128386130522118
# Reference: https://www.virustotal.com/gui/file/bb0a3d73169882cc9f70a16692d67cc359ef5fee62f3719f819723cc677903f0/detection
# Reference: https://www.virustotal.com/gui/file/264f0a6d47f8c4578be602be1ea01dd634eace574afd7d44d854431721ffcabf/detection

cdn.6c18.com

# Reference: https://www.virustotal.com/gui/file/93d33626886e97abf4087f5445b2a02738ea21d8624b3f015625cd646e9d986e/detection

154.211.14.156:443
154.211.14.156:53
154.211.14.156:8080
rainydaysweb.com

# Reference: https://twitter.com/KorbenD_Intel/status/1398309439573315584
# Reference: https://twitter.com/James_inthe_box/status/1398310426832637956
# Reference: https://www.virustotal.com/gui/file/2cd18c340d412d1c09215c828190621ce558d8ea43ba0ad28e3365ff0619fe8b/detection

chromeserver-dns.com

# Reference: https://tria.ge/210615-gx3w14v8xn/behavioral1

gamegame.info
email.yg9.me
iw.gamegame.info

# Reference: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html (# Win.Packed.Zusy-9878432-0)

vrthcobj.com
ol.gamegame.info
google.vrthcobj.com

# Reference: https://unit42.paloaltonetworks.com/thor-plugx-variant/
# Reference: https://otx.alienvault.com/pulse/61012d6562eb005d61c4a457

apple-net.com
cabsecnow.com
cqpeizi.com
destroy2013.com
emicrosoftinterview.com
fitehook.com
flashplayerup.com
indonesiaport.info
ixiaoyver.com
manager2013.com
misecure.com
mmfhlele.com
msdntoolkit.com
petalossccaf.com
quochoice.com
rainydaysweb.com
scbbgroup.com
systeminfor.com
tv-vn.com
ukbbcnews.com
detail.misecure.com
down.emicrosoftinterview.com
downloads.flashplayerup.com
hdviet.tv-vn.com
help.flashplayerup.com
index.flashplayerup.com
news.cqpeizi.com
news.petalossccaf.com
tools.scbbgroup.com
upload.ukbbcnews.com
web.flashplayerup.com

# Reference: https://www.virustotal.com/gui/file/cae7469e7f5dc88962b9993f4b415a46f60fcaeea494abb53d19b7d05f28525b/detection

dirfgame.com
by.dirfgame.com

# Reference: https://www.virustotal.com/gui/file/071231d29a8548be8cb0a8f48a4b23d12e08139fd8dba842781912a11dc7c5f6/detection

goatgame.co
goatgame.live
a.goatgame.co
live.goatgame.live

# Reference: https://twitter.com/xorhex/status/1422815329684758537
# Reference: https://www.virustotal.com/gui/file/e6ba5de3a9b0287291def0317789b871fa1984a11021d55d3a0371c6d65a872b/detection

http://45.134.83.41
45.134.83.41:443
45.134.83.41:8080

# Reference: https://twitter.com/BitsOfBinary/status/1422823721170087941
# Reference: https://twitter.com/BitsOfBinary/status/1422828937500037121

101.36.125.203:110
101.36.125.203:197
veitdannews.com

# Reference: https://www.virustotal.com/gui/file/34f907b9f543ecf0f4f99adb7e55963ab5bc1c8e6e64081a8fef9a06043828b7/detection

185.231.245.119:8080
brushupdata.com
sery.brushupdata.com

# Reference: https://www.virustotal.com/gui/file/986d19d75880a23917127bab92cd3a92cfec42b31be51e20718da761b1747cbc/detection

mirsoftcheckie.com
sery.mirsoftcheckie.com

# Reference: https://twitter.com/0xrb/status/1465558631454105603

blobimgybag.com
brushupdata.com
copaininfo.com
globnewsline.com
microsoftlab.club
nvidialab.us
twwtteer.com
user-update.com
apicon.nvidialab.us
apis.microsoftlab.club
cbn.copaininfo.com
dark.twwtteer.com
mail.globnewsline.com
sery.brushupdata.com
testmmm.blobimgybag.com

# Reference: https://twitter.com/0xrb/status/1468146226835034113

time4update.com
ns3.time4update.com

# Reference: https://twitter.com/0xrb/status/1469184108030955529

11i.me
daj8.me
fbi.am
nmb.bet
wy01.com
fuckeryoumm.nmb.bet
helloword.daj8.me
nitamade.11i.me
tcp.wy01.com
udp.wy01.com
windows.fbi.am

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_APT-C-23_MICROPSIA_Variant.json

freesmadav.com
update.freesmadav.com

# Reference: https://twitter.com/0xrb/status/1495646507110133761
# Reference: https://www.virustotal.com/gui/file/9857e40be1fb5b9b6db93dc03f96f6b3ff0ffab85af7944dddcac0e37775ab02/detection

103.26.79.150:9019

# Reference: https://twitter.com/0xrb/status/1496747426505531398
# Reference: https://www.virustotal.com/gui/file/0a2a64a36997777d3655b879aa6983bed02c1324cd5b243c014224f7f8c8a8af/detection
# Reference: https://www.virustotal.com/gui/file/4833fa5f75c3d8f76693b20eb90aa572d6d385640f88bc79b6ed9530450d0736/detection
# Reference: https://www.virustotal.com/gui/file/0bc0016dc58dc01276639b80392cc98f9910872ac6be1d6a6288df69b547814c/detection

45.195.67.64:8000
45.195.67.64:49000
c1c.ren
qq.c1c.ren

# Reference: https://twitter.com/0xrb/status/1499287458500194304

aoisudoisadn.kkb.tv

# Reference: https://twitter.com/0xrb/status/1499294678830960642
# Reference: https://twitter.com/0xrb/status/1499296288466436098
# Reference: https://www.virustotal.com/gui/file/8aacb0fd6ea3143d0e7a6b56f7b90c3be760bcc8abbbb29c4334b50f06e822f6/detection
# Reference: https://www.virustotal.com/gui/file/5a9468a87997f2363995e264505105f6a235b66543bb28635fb74f78704e9111/detection

202.182.115.238:13111
202.182.115.238:8080
apps.imangolm.com

# Reference: https://twitter.com/nao_sec/status/1501126308771733505
# Reference: https://www.virustotal.com/gui/file/bee9c438aced1fb1ca7402ef8665ebe42cab6f5167204933eaa07b11d44641bb/detection

http://107.178.71.211

# Reference: https://twitter.com/0xrb/status/1503983616321552384
# Reference: https://www.virustotal.com/gui/file/28d2fef9323884cc81b1a39f3c17734606a79e79786496c5a556e25e00bdf10a/detection

fuckeryoumm.nmb.bet

# Reference: https://www.virustotal.com/gui/ip-address/18.138.107.235/relations
# Reference: https://www.virustotal.com/gui/file/68feab7ef7a2bd4754620b3a5a511988d18384bbd42d100e528cc5b876a1d771/detection

47.242.146.213:8080
fuckyou.fbi.am
windows.fbi.am

# Reference: https://www.virustotal.com/gui/file/2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e/detection

182.255.60.82:81
whoamis.info
list.whoamis.info
mail.whoamis.info
poer.whoamis.info

# Reference: https://www.virustotal.com/gui/file/1d8cef17a8588c216a9e69f3b4acd55dad1b9c69b25b344452ade112eaa96cb5/detection

mmr.whoamis.info

# Reference: https://twitter.com/0xrb/status/1508330395250868229
# Reference: https://www.virustotal.com/gui/file/eeadacdfb1d0c571362ff86b34cd736a80531e635ad46f20b2e90ec862af36af/detection

45.249.245.35:8008
ntpserver.xyz

# Reference: https://tria.ge/220329-llf3rahafr/behavioral2

http://104.110.191.133

# Reference: https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/

http://45.86.162.135
45.86.162.135:443

# Reference: https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/
# Reference: https://otx.alienvault.com/pulse/61430c5741b154348534ae3f

http://185.161.211.97
center.asmlbigip.com
dnssery.brushupdata.com

# Reference: https://twitter.com/0xrb/status/1522474101826551809

http://156.247.10.118
http://34.92.30.54
http://43.230.161.70
http://43.230.161.71
http://43.230.161.83
http://43.242.34.12
http://43.242.34.30
http://45.76.153.100
http://47.75.177.15
http://52.203.216.120
http://66.154.111.63
http://92.38.178.133
http://94.198.40.21
156.247.10.118:443
34.92.30.54:443
43.230.161.70:443
43.230.161.71:443
43.230.161.83:443
43.242.34.12:443
43.242.34.30:443
45.76.153.100:443
47.75.177.15:443
52.203.216.120:443
66.154.111.63:443
92.38.178.133:443
94.198.40.21:443
156.247.10.118:8080
34.92.30.54:8080
43.230.161.70:8080
43.230.161.71:8080
43.230.161.83:8080
43.242.34.12:8080
43.242.34.30:8080
45.76.153.100:8080
47.75.177.15:8080
52.203.216.120:8080
66.154.111.63:8080
92.38.178.133:8080
94.198.40.21:8080

# Reference: https://twitter.com/0xrb/status/1524642728663187456
# Reference: https://www.virustotal.com/gui/file/e374c396735e4202dee76916d74d211a9e21f4956be6f6ef613e70b0489ba95c/detection

47.243.49.249:5050
qwer.asdf.zxcv.88tech.org

# Reference: https://twitter.com/kienbigmummy/status/1539550403465220096

http://69.90.190.110
69.90.190.110:443
69.90.190.110:8080

# Reference: https://twitter.com/kienbigmummy/status/1542454625781321728
# Reference: https://twitter.com/kienbigmummy/status/1542454634618437635
# Reference: https://www.virustotal.com/gui/file/c9f7248e64b531031822e3cda468bf52fcfe169ad15d7d8ddf379cb27ad8b63b/detection
# Reference: https://www.virustotal.com/gui/file/e99ce4fc9697335549cab26717d75abbaf75895c3cd0e77a844769fe9674e3bc/detection

185.239.226.5:108
185.239.226.5:111
185.239.226.5:236
185.239.226.5:438
