# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: MQsTTang, RedDelta, StatelyTaurus

# Reference: https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
# Reference: https://otx.alienvault.com/pulse/5d9c72d7e2efa3b5aa799b41

http://144.202.54.8
http://154.221.24.47
adobephotostage.com
airdndvn.com
apple-net.com
infosecvn.com
officeproduces.com
wbemsystem.com
yahoorealtors.com
update.olk4.com

# Reference: https://twitter.com/cyber__sloth/status/1229080836487540736

149.28.156.153:443

# Reference: https://twitter.com/hackingump1/status/1241760059543244805
# Reference: https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/
# Reference: https://www.virustotal.com/gui/ip-address/123.51.185.75/relations

http://123.51.185.75

# Reference: https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/
# Reference: https://otx.alienvault.com/pulse/5ed7c36c21ae174ca3acfaee

destroy2013.com
fitehook.com
miandfish.store

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf
# Reference: https://otx.alienvault.com/pulse/5f219067fd875a905691df22

cabsecnow.com
hostareas.com
jsquerys.net
ipsoftwarelabs.com
lameers.com
miscrosaft.com
systeminfor.com

# Reference: https://twitter.com/cyber__sloth/status/1296722004964409349

http://103.85.24.161

# Reference: https://twitter.com/IntezerLabs/status/1316384526323638274
# Reference: https://www.virustotal.com/gui/file/c0331d4dee56ef0a8bb8e3d31bdfd3381bafc6ee80b85b338cee4001f7fb3d8c/detection
# Reference: https://www.virustotal.com/gui/file/d0dd9c624bb2b33de96c29b0ccb5aa5b43ce83a54e2842f1643247811487f8d9/detection

flach.cn

# Reference: https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/

103.200.97.189:965
103.200.97.189:110
185.239.226.17:965
185.239.226.17:110

# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html
# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html
# Reference: https://drive.google.com/file/d/1OpPiT6ieub3_q0sLIxGt8iI85tInqjoU/view
# Reference: https://any.run/report/bbbeb1a937274825b0434414fa2d9ec629ba846b1e3e33a59c613b54d375e4d2/dd877b4d-8b36-48c0-af07-ce37fd9fee7b

vietnam.zing.photos

# Reference: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf
# Reference: https://otx.alienvault.com/pulse/6050e65d389812e02dfca3c3

159.138.84.217:81
buyonebuy.top
careerhuawei.net
huaweiyuncdn.com
cdn.update.huaweiyuncdn.com
cdn1.update.huaweiyuncdn.com
flash-update.buyonebuy.top
hr.careerhuawei.net
info.careerhuawei.net
infoadmin.update.huaweiyuncdn.com
update.careerhuawei.net
update.huaweiyuncdn.com
download.flach.cn
forum.flach.cn
info.flach.cn
m.flach.cn
mobile.flach.cn
terminal.flach.cn
update.flach.cn
/c0c00c0c/

# Reference: https://twitter.com/s1ckb017/status/1475621967160123395
# Reference: https://www.virustotal.com/gui/file/df84d6c284dd39c2bfed6f8eb26149a4154396c27de50595ed5d80b428930dcd/detection

http://103.15.28.208

# Reference: https://twitter.com/s1ckb017/status/1492069505803116546

http://202.58.105.38

# Reference: https://twitter.com/StillAzureH/status/1505823479945625604
# Reference: https://www.virustotal.com/gui/file/bb2990a1bbc417cfec40d5f1a6a8b22cac0ef21aed869dd8503e28573cf84401/detection

http://155.94.200.206
155.94.200.206:5008

# Reference: https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
# Reference: https://www.virustotal.com/gui/file/0d154e036b4de53059b5a24a1677fb546e1c136d6d0aa37c21a878c24891ee2c/detection
# Reference: https://www.virustotal.com/gui/file/9170169ae732c3a843c871be73875ea1bc8081876db5f9bcfd5f05d792bcaef0/detection
# Reference: https://www.virustotal.com/gui/file/effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1/detection
# Reference: https://www.virustotal.com/gui/file/effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1/detection

http://103.56.53.120
http://154.204.27.181
http://185.207.153.208
http://43.254.218.42
http://45.131.179.179
http://92.118.188.78
103.56.53.120:8080
154.204.27.181:110
45.131.179.179:110
45.131.179.179:5938
92.118.188.78:443
coolboxpc.com
locvnpt.com
snova-tech.com
urmsec.com

# Reference: https://twitter.com/G60930953/status/1507031738282909698
# Reference: https://www.virustotal.com/gui/file/887345540f1bf31c40755edcda2e3dd9fe640122fc9020f3873c895daa2378bf/detection

http://155.94.200.209
http://155.94.200.211
155.94.200.211:5008
155.94.200.212:443

# Reference: https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/
# Reference: https://otx.alienvault.com/pulse/6144875da41b403380a06521
# Reference: https://www.virustotal.com/gui/file/0198949a02fc4dcd65c29c028ba5f20365dc629d764f9e0a95721300b9fadbad/detection
# Reference: https://www.virustotal.com/gui/file/ab9324028bcc347040a058d41c079c0205398d200a63a6ed6cbe1df973634b2d/detection

http://103.231.14.134

# Reference: https://otx.alienvault.com/pulse/613914361364535ed5d60bc4

dodefoh.com
hidusi.com
joxinu.com
macuwuf.com
/e32c8df2cf6b7a16/
/e8c76295a5f9acb7/

# Reference: https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html

103.15.28.145:6666
110.42.64.64:24680
president-office.gov.mm

# Reference: https://twitter.com/kienbigmummy/status/1532305081676464128
# Reference: https://www.virustotal.com/gui/file/843709a59f12ff7aa06a5837be7a1a93fdf6f02f99936af6658c166e8abcaa2d/detection
# Reference: https://www.virustotal.com/gui/file/60ee19bb558d20c2591569ddb73fc90787dd47a07453e252a3afcaa222dde125/detection
# Reference: https://www.virustotal.com/gui/file/558cbbcb969fe2fa3f1c74c376e307efcdbe3bad7497095619927edd5762363a/detection

154.204.26.120:22
45.134.83.4:22
154.204.26.120:443
154.204.27.130:443
45.134.83.4:443
hilifimyanmar.com
myanmarnewsonline.org
download.hilifimyanmar.com
update.hilifimyanmar.com
images.myanmarnewsonline.org

# Reference: https://twitter.com/kienbigmummy/status/1544537348670881792
# Reference: https://www.virustotal.com/gui/file/8f32bebce3a4f35531de592ed57af7b63906d64565f36abe91298acc8ea3e93d/detection

64.34.205.41:443

# Reference: https://twitter.com/malwrhunterteam/status/1546857896755044358
# Reference: https://twitter.com/h2jazi/status/1546861105678524418
# Reference: https://www.virustotal.com/gui/file/a693b9f9ffc5f4900e094b1d1360f7e7b907c9c8680abfeace34e1a8e380f405/detection

http://98.142.251.29

# Reference: https://twitter.com/kienbigmummy/status/1549058500806197248
# Reference: https://www.virustotal.com/gui/file/1de88a2ad4fd1b16005558591fa2a385f2fe343162bbca328384600c167df721/detection
# Reference: https://www.virustotal.com/gui/file/563611caf1787441dcc12c5a77427224b5f1ac0d18efac4032ab67eed3a99928/detection

103.192.226.46:443
45.131.179.179:22
45.131.179.179:443
45.131.179.179:5938
/uVdjpZ

# Reference: https://twitter.com/kienbigmummy/status/1553737903398072320
# Reference: https://www.virustotal.com/gui/file/00fbfaf36114d3ff9e2c43885341f1c02fade82b49d1cf451bc756d992c84b06/detection

http://45.142.166.112
45.142.166.112:110
45.142.166.112:443

# Reference: https://twitter.com/kienbigmummy/status/1582217448731729920
# Reference: https://twitter.com/kienbigmummy/status/1582217473499140097
# Reference: https://www.virustotal.com/gui/file/becdb31a669676dac3e797fb6db482f9fd644853e73fc28eb0031bd58487d081/detection

107.181.160.16:443

# Reference: https://twitter.com/barberousse_bin/status/1594791243489345537
# Reference: https://www.virustotal.com/gui/file/e8357cacdccdb4670f6ae427a781f36a9c4b268907f83c1ce3502a0fd9ce2606/detection

http://158.255.2.63

# Reference: https://twitter.com/katechondic/status/1556940169483264000
# Reference: https://twitter.com/katechondic/status/1557031529141964801
# Reference: https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/IOCs-earth-preta-spear-phishing-since-march.txt
# Reference: https://www.virustotal.com/gui/file/c52828dbf62fc52ae750ada43c505c934f1faeb9c58d71c76bdb398a3fbbe1e2/detection

http://103.15.29.179
http://103.75.190.224
http://202.53.148.24
http://202.53.148.26
http://89.38.225.151

# Reference: https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
# Reference: https://www.virustotal.com/gui/file/f70d3601fb456a18ed7e7ed599d10783447016da78234f5dca61b8bd3a084a15/detection

http://103.192.226.87
http://104.42.43.178
http://185.80.201.4
http://194.124.227.90
http://43.254.218.128
http://45.147.26.45
http://45.32.101.7
http://62.233.57.49
http://64.34.216.44
http://64.34.216.50
5.34.178.156:443

# Reference: https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/
# Reference: https://www.virustotal.com/gui/file/ab62e351a56e0f749d36dc6ec6b1211f1becc52305478fa5653c6236a221a85e/detection

45.90.59.153:443

# Reference: https://twitter.com/StopMalvertisin/status/1610961056163311619
# Reference: https://www.virustotal.com/gui/ip-address/142.250.178.4/relations
# Reference: https://www.virustotal.com/gui/ip-address/5.34.182.68/relations
# Reference: https://www.virustotal.com/gui/file/0ac93ddc58e7666eae677812d3be93fe8f922ffc32baeee0f803109341dc1ea7/detection
# Reference: https://www.virustotal.com/gui/file/8964dce6ae40681a51226b7912728c589c33febba1a1547c351353fea6a6571c/detection

blogdirve.com
mashupdatabase.com
microsite-manager.com

# Reference: https://twitter.com/t3ft3lb/status/1620848769607806976
# Reference: https://www.virustotal.com/gui/file/48e2ebee3f8de80c4a50f1dd948e8e9a41509f4847a574f67a453c154d21ce60/detection

195.123.218.78:443

# Reference: https://twitter.com/Unit42_Intel/status/1626613722700472320
# Reference: https://www.virustotal.com/gui/file/e2a6a2b7a55d0d5cfb406a9ba941558a4b10a998f232e945ceaa79261aa05086/detection

3.228.54.173:1883
54.87.92.106:1883

# Reference: https://twitter.com/StopMalvertisin/status/1635620870214352901
# Reference: https://www.virustotal.com/gui/file/6d18906c49e213ca0db7b2ce28f1a20066c521367fc61caae0710bf0e10cfc9e/detection

45.90.59.39:443
midasconsilium.com

# Reference: https://twitter.com/t3ft3lb/status/1656194831830401024
# Reference: https://twitter.com/t3ft3lb/status/1656297883048505346
# Reference: https://www.virustotal.com/gui/file/3489955d23e66d6f34b3ada70b4d228547dbb3ccb0f6c7282553cbbdeaf168cb/detection
# Reference: https://www.virustotal.com/gui/file/ce308b538ff3a0be0dbcee753db7e556a54b4aeddbddd0c03db7126b08911fe2/detection

62.233.57.136:443
jcswcd.com

# Reference: https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
# Reference: https://otx.alienvault.com/pulse/64a5960b230e2e9a1bf9ec66

newsmailnet.com

# Reference: https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/
# Reference: https://www.virustotal.com/gui/file/c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1/detection

ivibers.com
meetvibersapi.com

# Reference: https://twitter.com/Cuser07/status/1748000699122958665
# Reference: https://www.virustotal.com/gui/file/a00673e35eaccf494977f4e9a957d5820a20fe6b589c796f9085a0271e8c380c/detection
# Reference: https://www.virustotal.com/gui/file/b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18/detection

openservername.com

# Reference: https://twitter.com/Jane_0sint/status/1750537878420295808
# Reference: https://www.virustotal.com/gui/file/dd261a5db199b32414c33136aed44c3ebe2ae55f18991ae3dc341fc43a1ef7f4/detection
# Reference: https://www.virustotal.com/gui/file/5afe21142999659a4050f6e038a6dab96cf4827f332497049a91cdb1a4d4828b/detection
# Reference: https://www.virustotal.com/gui/file/2a00d95b658e11ca71a8de532999dd33ddee7f80432653427eaa885b611ddd87/detection
# Reference: https://www.virustotal.com/gui/file/51d89afe0a49a3abf88ed6f032e4f0a83949fc44489fc7b45c860020f905c9d7/detection

103.159.132.80:443
103.249.84.137:443
123.253.32.15:443
91.245.253.46:443
militarytc.com
