# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt35, apt42, charmingcypress, phosphorus, ajax security team, tunnelvision, nemesiskitten, ta453, ta455, greencharlie, great rift, unc1549, unc4453, unc788, plaid rain, snailresin, wezrat, emennet pasargad, bellaciao

# Note: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-06-12 Charming Kitten waterhole)

jewishjournal.us
deutcshewelle.org
deutcshewelle.com
frostsullivan.org
ns1.deutcshewelle.com
ns2.deutcshewelle.com
mail.jewishjournal.us    
mx0.jewishjournal.us    
ns1.jewishjournal.us    
ns2.jewishjournal.us
win-ptf9aurtg8u.jewishjournal.us

# Reference: https://www.clearskysec.com/charmingkitten/
# Reference: https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
# Reference: https://www.virustotal.com/gui/file/d4375a22c0f3fb36ab788c0a9d6e0479bd19f48349f6e192b10d83047a74c9d7/detection
# Reference: https://www.virustotal.com/gui/file/971c5b5396ee37827635badea90d26d395b08d17cbe9e8027dc87b120f8bc0a2/detection
# Reference: https://www.virustotal.com/gui/file/2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f/detection
# Reference: https://www.virustotal.com/gui/file/734d9639fcfffef1a3c360269ccc1cda4f1d0e9dc857fa438f945e807b022c21/detection
# Reference: https://www.virustotal.com/gui/file/6618051ea0c45d667c9d9594d676bc1f4adadd8cb30e0138489fee05ce91a9cb/detection
# Reference: https://www.virustotal.com/gui/file/a6dea088c9e2c9191e4c2fc4ece7b7b7bd3f034f444362d35c8765f6ec4bd279/detection
# Reference: https://www.virustotal.com/gui/file/2b9c941150206d38a635620f2129660628f9b08dd2f674013cacda39bde7ae56/detection

58.158.177.102:5050
85.17.172.180:5050
012mail-net-uwclogin.ml
8ghefkwdvbfdsg3asdf1.com
account-customerservice.com
account-dropbox.net
account-google.co
account-login.net
account-logins.com
account-log-user-verify-mail.com
account-permission-mail-user.com
account-servicerecovery.com
accountservice.support
accounts-googelmail.com
accounts-googelmails.com
account-signin-myaccount-users.ga
accounts-logins.net
accountsrecovery.ddns.net
accounts-service.support
accountsservice-support.com
account-support-user.com
accounts-yahoo.us
accountts-google.com
account-user.com
account-user-permission-account.com
account-users-mail.com
account-user-verify-mail.com
acounts-qooqie-con.ml
addons-mozilla.download
aipak.org
aiqac.org
aol-mail-account.com
apache-utility.com
app-documents.com
app-facebook.co
araamco.com
archive-center.com
asus-support.net
asus-update.com
berozkhodro.com
book-archivecenter.bid
books-archivecenter.bid
books-archivecenter.club
books-google.books-archivecenter.bid
books-view.com
bootstrap.serveftp.com
britishnews.com.co
britishnews.org
broadcastbritishnews.com
brookings-edu.in
change-mail-accounting-register-single.com
change-mail-account-nodes-permision.com
change-permission-mail-user-managment.com
change-user-account-mail-permission.com
codeconfirm-recovery.bid
codeconfirm-recovery.club
com-account-login.com
com-accountrecovery.bid
com-accountsecure-recovery.name
com-accountsrecovery.name
com-archivecenter.work
com-customeradduser.bid
com-customerservice.bid
com-customerservice.name
com-customerservices.name
com-customersuperuser.bid
com-download.ml
com-manage-accountuser.club
com-messagecenter.bid
com-messengerservice.bid
com-messengerservice.work
com-microsoftonline.club
com-mychannel.bid
com-orginal-links.ga
com-recoversessions.bid
com-recoveryadduser.bid
com-recovery.com
com-recoveryidentifier.bid
com-recoveryidentifier.name
com-recoveryidentifiers.bid
com-recoverymail.bid
com-recoverysecureuser.club
com-recoverysecureusers.club
com-recoveryservice.bid
com-recoveryservice.info
com-recoverysessions.bid
com-recoverysubusers.bid
com-recoverysuperuser.bid
com-recoverysuperuser.club
com-recoverysuperuser.name
com-recoverysuperusers.bid
com-recoverysupport.bid
com-recoverysupport.club
com-servicecustomer.bid
com-servicecustomer.name
com-service.gq
com-servicemail.bid
com-service.net
com-servicerecovery.bid
com-servicerecovery.club
com-servicerecovery.info
com-servicerecovery.name
com-servicescustomer.name
com-serviceslogin.com
com-showvideo.ga
com-showvideo.gq
com-statistics.com
com-stats.com
com-video.net
com-videoservice.work
com-viewchannel.club
crcperss.com
cvcreate.org
digitalqlobe.com
display-error-runtime.com
display-ganavaro-abrashimchi.com
docs-google.co
documents-supportsharing.bid
documents-supportsharing.club
documents.sytes.net
document-supportsharing.bid
doc-viewer.com
download-link.top
drive-login.cf
drive-permission-user-account.com
drive-useraccount-signin-mail.ga
drop-box.vip
dropebox.co
embraer.co
emiartas.com
error-exchange.com
eursaia.org
fanderfart22.xyz
fardenfart2017.xyz
fb-login.cf
gle-mail.com
gmail-recovery.ml
gmal.cf
goo-gle.bid
goog-le.bid
goo-gle.cloud
google-mail.com.co
google-mail-recovery.com
googlemails.co
goo-gle.mobi
google-profile.com
google-profiles.com
google-setting.com
google-verification.com
google-verify.com
google-verify.net
group-google.com
help-recovery.com
hot-mail.ml
id-bayan.com
iforget-memail-user-account.com
iranianuknews.com
ir-owa-accountservice.bid
k2intelliqence.com
line-en.me
login-account-mail.com
login-account.net
login-again.ml
login-required.ga
login.loginto.me
mail-account-register-recovery.com
mails-account-signin-users-permssion.com
mailssender.bid
mail-yahoo.com.co
market-account-login.net
mehrnews.info
messageservice.bid
messageservice.club
microsoft-hotfix.com
microsoft-update.bid
microsoft-upgrade.mobi
microsoft-utility.com
msoffice-update.com
myaccount-login.net
mychannel.ddns.net
my-healthequity.com
my-mailcoil.ml
myscreenname.bid
news-onlines.info
nex1music.ml
notification-accountrecovery.com
nsdrive-phone.online
nvidia-support.com
nvidia-update.com
officialswebsites.info
official-uploads.com
onedrive-signin.com
onlinedocument.bid
onlinedocuments.org
onlinedrie-account-permission-verify.com
onlineserver.myftp.biz
online-supportaccount.com
orginal-links.com
outlook-livecom.bid
owa-insss-org-ill-owa-authen.ml
picofile.xyz
policy-facebook.com
privacy-facebook.com
privacy-gmail.com
privacy-yahoomail.com
profile-facebook.co
profiles-facebook.com
profile-verification.com
qet-adobe.com
radio-m.cf
raykiel.net
recoverycodeconfirm.bid
recovery-customerservice.com
recovery-emailcustomer.com
recoverysuperuser.bid
register-multiplay.ml
sadashboard.com
saudiarabiadigitaldashboards.com
saudi-government.com
saudi-haj.com
screen-royall-in-corporate.com
screen-shotuser-trash-green.com
security-supportteams-mail-change.ga
sers-login.com
service-accountrecovery.com
service-broadcast.com
servicecustomer.bid
service-logins.net
servicemailbroadcast.bid
service-recoveryaccount.com
set-ymail-user-account-permission-challenge.com
shared-access.com
shared-login.com
shared-permission.com
shorturlbot.club
show-video.info
slmkhubi.ddns.net
smstagram.com
sprinqer.com
support-aasaam.bid
support-aasaam.com
support-accountsrecovery.com
support-google.co
support-recoverycustomers.com
supports-recoverycustomers.com
support-verify-account-user.com
tadawul.com.co
tai-tr.com
team-speak.cf
teamspeak-download.ml
team-speak.ga
team-speak.ml
teamspeaks.cf
telagram.cf
token-ep.com
uk-service.org
update-checker.net
update-driversonline.bid
update-driversonline.club
update-finder.com
update-microsoft.bid
updater-driversonline.club
update-system-driversonline.bid
uploader.sytes.net
upload-services.com
uri.cab
usersettings.cf
users-facebook.com
users-login.com
users-yahoomail.com
utopaisystems.net
verify-account.services
verify-accounts.info
verify-facebook.com
verify-gmail.tk
video-youtube.cf
w3sch00ls.hopto.org
w3school.hopto.org
w3schools.hopto.org
w3schools-html.com
watch-youtube.org.uk
webmaiil-tau-ac-il.ml
webmail-tidhar-co-il.ml
windows-update.systems
xn--googe-q2e.ml
yahoo-proflles.com
yahoo-verification.net
yahoo-verification.org
yahoo-verify.net
youetube.ga
yourl.bid
youttube.ga
youttube.gq
youtubbe.cf
youtubbe.ml
youtube-com.watch
youtubee-videos.com
youtuebe.co
youtuobe.com.co
youutube.cf
yurl.bid

# Reference: https://otx.alienvault.com/pulse/5c9bb407e5a06b014da016e3

account-profile-users.info
accounts-apple.com
account-servicemanagement.info
account-servieemanagement.info
accounts-manager.info
accounts-support.services
accounts-web-maii.com
accounts-web-mail.com
account-verifiy.net
activities-recovery-options.info
activities-servicesnotification.info
activity-confirmationservice.info
activity-session-recovery.info
aeroconf2014.org
aerospace2014.org
appleid.com.co
# Note: generic, placeholder-looking name copied from the pulse above; confirm it is a real indicator and not a report placeholder before acting on a hit
attacker-domain.com
broadcastnews.pro
com-accountidentifier.info
com-identifier-servicelog.info
com-identifier-servicelog.name
comidentifier-servicelog.name
com-identifier-servlcelog.name
com-mailbox.com
com-microsoftonline.club
com-myaccuants.com
com-privacy-help.info
com-sessionidentifier.info
com-useraccount.info
com-users.net
confirmation-recoveryoptions.info
confirmation-service.info
confirmation-users-service.info
confirmation-users-servlee.info
confirm-identity.info
confirm-session-identification.info
confirm-sessionidentification.info
confirm-session-identifier.info
continue-session-identifier.info
continue-sesslon-identifier.info
customer-certificate.com
customer-recovery.info
customers-activities.info
customers-manager.info
customers-services.info
customize-identity.info
documentofficupdate.info
documentsfilesharing.cloud
documentsharing.info
download-teamspeak.info
elitemaildelivery.info
email-deiivery.info
email-delivery.info
eom-microsoftonline.club
eom-useraccount.info
eustomers-activities.info
giitials.tk
googledomalns.com
identifier-activities.info
identifier-services-sessions.info
identify-user-session.info
intel-update.com
intelupdate.com
login-gov.info
message-serviceprovider.info
microsoft-update.bid
microsoft-upgrade.mobi
mobile-messengerplus.network
mobile-sessionid.customize-identity.info
mobiles-sessionid.customize-identity.info
myaccount-services.net
notification-accountservice.com
notification-accountservice.info
notificationapp.info
notification-manager.info
notification-managers.info
notifications-center.info
notification-signal-agnecy.info
notificatlon-signal-agnecy.info
o5vdb.org
outlook-livecom.bid
outlook-verify.net
packctstormsccurity.com
plugin-adobe.com
privacy-google.com
recognized-activity.info
recover-customers-service.info
recovery-session-change.info
recoveryusercustomer.info
serverbroadcast.info
service-accountrecoverv.com
service-recovery-session.info
service-session-confirm.info
service-session-continue.info
services-issue-notification.info
services-sessionconfirmation.info
session-mail-customers.info
session-management.info
session-manager.info
session-managment.info
session-recovery-options.info
sessions-identifiermemberemailid.network
sessions-notification.info
session-users-activities.com
session-verify-user.info
shop-sellwear.info
supportmailservice.info
support.services
support-servics.com
support-servics.net
terms-service-notification.info
terms-service-notlfication.info
update-microsoft.bid
user-activity-issues.info
useridentity-confirm.info
user-profile-credentials.com
users-facebook.com
users-issue-services.info
verification-live.com
verificationlive.com
verification-llve.com
verifiy-account.net
verifv-linkedin.net
verify-linke.com
verify-linkedin.net
verify-user-session.info
vvincicivj-c-ssenrjais.tk
webemail.info
xn--facebook-06k.com
xn--google-yri.com
yahoomail.com.co
yahoo-verification.net
yahoo-verification.org
yahoo-verify.net

# Reference: https://www.clearskysec.com/the-kittens-are-back-in-town/
# Reference: https://otx.alienvault.com/pulse/5d7e61f9aa517862e977cbad

acconut-verify.com
drive-accounts.com
exnovin.org
isis-online.net
islamicemojimaker.com
leslettrespersanes.net
niaconucil.org
seisolarpros.org
skynevvs.com
unrisd.com
w3-schools.org
# gnldp.live        # Note: regular trackers
# gnldr.club
# gnldr.live
# gnldr.website
# gnldrp.live
# sgnl.live
# sgnl.network
# sgnldp.live
# sgnldr.live

# Reference: https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2.pdf
# Reference: https://otx.alienvault.com/pulse/5d9b7a71f31df0e33eefab04

bahaius.info
bailment.org
com-activities.site
com-identifier.site
com-session.site
com-verifications.site
customers-activities.site
customers-recovery.site
customers-reminder.info
document-sharing.online
documentsfilesharing.cloud
gomyfiles.info
home-access.online
identifier-activities.info
identifier-activities.online
identity-verification-service.info
inbox-drive.info
inbox-sharif.info
magic-delivery.info
microsoftinternetsafety.net
mobile-messengerplus.network
mobilecontinue.network
notification-accountservice.com
recovery-services.info
recoverysuperuser.info
see-us.info
sessions-identifier-memberemailid.network
smarttradingfast.com
system-services.site
telagram.net
uploaddata.info
verification-services.info

# Reference: https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/
# Reference: https://otx.alienvault.com/pulse/5e3acf325495b5e504f82abc

acconut-verify.com
accounts-drive.com
bahaius.info
cpanel-services.site
customers-activities.site
customers-service.ddns.net
drive-accounts.com
finance-usbnc.info
instagram-com.site
inztaqram.ga
isis-online.net
leslettrespersanes.net
malcolmrifkind.site
niaconucil.org
phonechallenges-submit.site
recovery-options.site
seisolarpros.org
service-activity-checkup.site
service-issues.site
skynevvs.com
software-updating-managers.site
system-services.site
two-step-checkup.site
unirsd.com
w3-schools.org
yah00.site

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#
# Reference: https://otx.alienvault.com/pulse/5e6ff05783c525e779904d69

myconnect-support.com

# Reference: https://twitter.com/ClearskySec/status/1258432745891680256

com-recovery.site
com-sessions.site
customer-identifier.site
customer-reminder.info
customers-activity.site
identifier-services-session.site
mobile-airbnb.site
mobile-uber.site
newspedia.ddns.net
radiofarda.site
recovery-option.site
safe-solution.site
scribdinc.site
travel-airbnb.site

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/
# Reference: https://www.virustotal.com/gui/domain/kia-customerservice.ddns.net/detection
# Reference: https://www.virustotal.com/gui/domain/recovery-service.site/detection

document-share.info
kia-customerservice.ddns.net
login-users-account.site
manage-accounts.info
recovery-service.site
us2-mail-login-profile.site

# Reference: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
# Reference: https://otx.alienvault.com/pulse/5f99808638696999cf7b109c

de-ma.online
g20saudi.000webhostapp.com
ksat20.000webhostapp.com

# Reference: https://twitter.com/kyleehmke/status/1328374352602144770

check-panel-account.icu
cover-home-panel.xyz
it-service.men
student-rank-number.icu

# Reference: https://twitter.com/kyleehmke/status/1334170023968051200

cover-home-page.xyz

# Reference: https://twitter.com/kyleehmke/status/1339602993814102016

home-reload-page.xyz

# Reference: https://twitter.com/kyleehmke/status/1346154845221384194

check-panel-live.icu
check-reload-page.xyz
front-cover-panel.xyz
front-home-panel.xyz
office-live-activity.icu
page-home-reload.xyz

# Reference: https://blog.certfa.com/posts/charming-kitten-christmas-gift/
# Reference: https://otx.alienvault.com/pulse/5fff52390820519347e5f2d3

agentappservice.ddns.net
archiverepositories.xyz
basementofdarkness.ddns.net
benefitsredington.ddns.net
bulk-approach.site
challengechampions.ddns.net
com-254514785965.site
com-3654623478192.site
com-5464825879854.site
com-apk-6712qw123asd8awf7.site
com-archive.site
com-posts6712qw12387.site
confirm-identity.site
customer-session.site
deepthinkingroom.ddns.net
differentintegrated.ddns.net
dynamiceventmanager.ddns.net
enhanceservicchecke.hopto.org
heisonhisway.ddns.net
hello-planet.com
homedirections.ddns.net
homeinspections.ddns.net
identifier-service-verify.site
identifier-session-recovery.site
identity-session-recovery.site
lonelymanshadow.ddns.net
mail-newyorker.com
minimumservicechek.ddns.net
mobile-activity-session.site
mobile-check-activity.site
patchtheschool.ddns.net
planet-labs.site
profilechangeruser.ddns.net
randomworldcity.ddns.net
recover-identity.site
recover-session-service.site
recovery-customer-service.site
recovery-session-service.site
recovery-session.site
reset-account.com
schoolofculture.ddns.net
securelogicalrepository.com
service-recovery.site
service-session-recovery.site
service-support.site
service-verification.site
session-confirmation.site
session-customer-activity.site
uniquethinksession.ddns.net
verify-session-service.site
wearefirefighters.ddns.net

# Reference: https://twitter.com/jfslowik/status/1347905935654539267

dhs-us.org
csm-group.org
procurement-inl-gov.us
procurements-inl-gov.us
ukborderhomeoffice-gov.org

# Reference: https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential
# Reference: https://otx.alienvault.com/pulse/6065f293e16c3e4e72044475

1drv.casa
1drv.cyou
1drv.icu
1drv.live
1drv.online
1drv.surf
1drv.xyz

# Reference: https://twitter.com/ChicagoCyber/status/1391819499872137225

log-in-dropbox.com

# Reference: https://twitter.com/BaoshengbinCumt/status/1423577884615081992
# Reference: https://mp.weixin.qq.com/s/oD1VQZBxgjL3rNeN72MJqg

jamaat-ul-islam.com
jamatapplication.com
jamaatforummah.com
jamaatforallah.com

# Reference: https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/

144.217.139.155:4444
54.38.49.6:21
0standavalue0.xyz
0storageatools0.xyz
0brandaeyes0.xyz

# Reference: https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
# Reference: https://www.virustotal.com/gui/ip-address/91.214.124.143/relations
# Reference: https://www.virustotal.com/gui/file/ca4217b9d188cbe5fc6f4c7d5d696f93cc611dff1ffd323941f2a8b5e77284de/detection

http://162.55.136.233
http://162.55.137.20
169.51.60.221:1331
45.77.76.158:23643
onedriver-srv.ml
windows-driver.ml
google.onedriver-srv.ml
update.windows-driver.ml
/gadfTs55sghsSSS/phppost.php
/gadfTs55sghsSSS

# Reference: https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/
# Reference: https://otx.alienvault.com/pulse/620f76b08f1d06ea8646c0d3

microsoft-updateserver.cf
service-management.tk

# Reference: https://twitter.com/BaoshengbinCumt/status/1494478437960286208
# Reference: https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf

http://182.54.217.2
51.89.181.64:443
us-nation-ny.cf

# Reference: https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/

http://148.251.71.182
/ecp/auth/aspx_wkggiyvttmu.aspx
/aspx_wkggiyvttmu.aspx
/dhvqx.aspx

# Reference: https://twitter.com/ChicagoCyber/status/1562047469126656001
# Reference: https://www.shodan.io/host/173.209.51.54
# Reference: https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/ (# HYPERSCRAPE)

http://136.243.108.14
http://173.209.51.54
173.209.51.54:5985

# Reference: https://twitter.com/IronNetTR/status/1562913025350303744
# Reference: https://twitter.com/IronNetTR/status/1562913027951042561
# Reference: https://twitter.com/IronNetTR/status/1562913029620203520
# Reference: https://www.shodan.io/host/136.243.108.10
# Reference: https://www.shodan.io/host/136.243.108.11
# Reference: https://www.shodan.io/host/136.243.108.12
# Reference: https://www.shodan.io/host/136.243.108.13
# Reference: https://www.shodan.io/host/136.243.108.14
# Reference: https://www.shodan.io/host/136.243.108.9
# Reference: https://www.shodan.io/host/78.47.90.60

http://136.243.108.10
http://136.243.108.11
http://136.243.108.12
http://136.243.108.13
http://136.243.108.14
http://136.243.108.9
http://159.69.105.181
http://195.201.46.42
http://78.47.90.60
136.243.108.10:10000
136.243.108.10:22
136.243.108.10:25
136.243.108.10:4040
136.243.108.10:443
136.243.108.10:465
136.243.108.10:587
136.243.108.10:993
136.243.108.10:995
136.243.108.11:10000
136.243.108.11:22
136.243.108.11:25
136.243.108.11:4040
136.243.108.11:443
136.243.108.11:465
136.243.108.11:587
136.243.108.11:993
136.243.108.11:995
136.243.108.12:10000
136.243.108.12:22
136.243.108.12:25
136.243.108.12:4040
136.243.108.12:443
136.243.108.12:465
136.243.108.12:587
136.243.108.12:993
136.243.108.12:995
136.243.108.13:10000
136.243.108.13:22
136.243.108.13:25
136.243.108.13:4040
136.243.108.13:443
136.243.108.13:465
136.243.108.13:587
136.243.108.13:993
136.243.108.13:995
136.243.108.14:10000
136.243.108.14:22
136.243.108.14:25
136.243.108.14:4040
136.243.108.14:443
136.243.108.14:465
136.243.108.14:587
136.243.108.14:993
136.243.108.14:995
136.243.108.9:10000
136.243.108.9:22
136.243.108.9:25
136.243.108.9:4040
136.243.108.9:443
136.243.108.9:465
136.243.108.9:587
136.243.108.9:993
136.243.108.9:995
159.69.105.181:2082
159.69.105.181:2083
159.69.105.181:2086
159.69.105.181:2087
159.69.105.181:21
159.69.105.181:22
159.69.105.181:443
159.69.105.181:53
195.201.46.42:10000
195.201.46.42:22
195.201.46.42:25
195.201.46.42:443
195.201.46.42:465
195.201.46.42:587
195.201.46.42:993
195.201.46.42:995
78.47.90.60:10000
78.47.90.60:110
78.47.90.60:143
78.47.90.60:2082
78.47.90.60:2083
78.47.90.60:2086
78.47.90.60:2087
78.47.90.60:21
78.47.90.60:25
78.47.90.60:443
78.47.90.60:465
78.47.90.60:53
78.47.90.60:587
78.47.90.60:993
78.47.90.60:995

# Reference: https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives/

litby.us

# Reference: https://twitter.com/LukasStefanko/status/1569258418283905026
# Reference: https://www.mandiant.com/media/17826 (# apt42, crookedcharms)
# Reference: https://www.virustotal.com/gui/file/5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5/detection
# Reference: https://www.virustotal.com/gui/file/c2c1d804aeed1913f858df48bf89a58b1f9819d7276a70b50785cf91c9d34083/detection
# Reference: https://www.virustotal.com/gui/file/a8c062846411d3fb8ceb0b2fe34389c4910a4887cd39552d30e6a03a02f4cc78/detection
# Reference: https://www.virustotal.com/gui/file/90e5fa3f382c5b15a85484c17c15338a6c8dbc2b0ca4fb73c521892bd853f226/detection

137.184.212.205:4373
51.38.87.253:3535
cdsa.xyz
developer-app.xyz
hardship-management.com
office-updates.info

# Reference: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations

acconut-signin.com
account-signin.com
accounts-mails.com
accredit-validity.online
accurate-sprout-porpoise.glitch.me
admin-stable-right.top
admiscion.online
admit-roar-frame.top
advission.online
affect-fist-ton.online
aspenlnstitute.org
avid-striking-eagerness.online
azadlliq.info 
beaviews.online
besvision.top
bloom-flatter-affably.top
bq-ledmagic.online
briview.online
businesslnsider.org 
check-online-panel.live
check-pabnel-status.live
check-panel-status.live
check-short-panel.live
confirmation-process.top
connection-view.online
continue-recognized.online
coordinate.icu
cvisiion.online
d75.site
daemon-mailer.info
dloffice.buzz
dloffice.top
ecomonist.org
email-daemon.biz
email-daemon.biz.tinurls.com
email-daemon.online
email-daemon.online.tinurls.com
email-daemon.site
endorsement-services.online
eocnomist.com
foreiqnaffairs.com 
foreiqnaffairs.org
forieqnaffairs.com
fortune-retire-home.top
g-online.org
geaviews.site
glory-uplift-vouch.online
go-conversation.lol
go-forward.quest
gview.site
identifier-direction.site
indication-service.online
israelhayum.com
join-paneling.online
jpost.press 
jpostpress.com 
khaleejtimes.org 
khalejtimes.org 
last-check-leave.buzz
live-project-online.live
live-projects-online.top
loriginal.online
m85.online
maariv.net 
mailer-daemon.info
mailer-daemon.us
mccainlnstitute.org
mterview.site
myaccount-signin.com
nterview.site
online-access.live
panel-check-short.live
panel-live-check.online
panel-short-check.live
panel-view-short.online
panel-view.live
panel-view.online
panel-views-cheking.live
panelchecking.live
paneling-viewing.live
panels-views-ckeck.live
quomodocunquize.site
recognize-validation.online
reconsider.site
revive-project-live.online
s20.site
s51.online
s59.site
short-url.live
short-view.online
shortenurl.online
shorting-ce.live
shortingurling.live
shortlinkview.live
shortulonline.live
shoting-urls.live
signin-acconut.com
signin-accounts.com
signin-mail.com
signin-mails.com
signin-myaccounts.com
simple-process-static.top
status-short.live
stellar-roar-right.buzz
support-account.xyz
sweet-pinnacle-readily.online
tcvision.online
themedealine.org 
timesfisrael.com
title-flow-store.online
tnt200.mywire.org
twision.top
vanityfaire.org
verify-person-entry.top
view-cope-flow.online
view-panel.live
view-pool-cope.online
view-total-step.online
viewstand.online
viewtop.online
virtue-regular-ready.online
washinqtonpost.press 
we-transfer.shop
ynetnews.press 
youronlineregister.com
youtransfer.live

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-11-22-v10179/172

dnx.capital
sharedrive.ink
washingtonlnstitute.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-11-30-v10185/185
# Reference: https://twitter.com/ThreatBookLabs/status/1613825659582959617

cutly.biz
mailer-daemon.live
mailer-daemon.me
mailer-daemon.net
mailer-daemon.online
mailer-daemon.org
tinyurl.ink

# Reference: https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank
# Reference: https://otx.alienvault.com/pulse/638e5648107623c3429e8c21

continuetogo.me
mailer-daemon-message.co

# Reference: https://twitter.com/ET_Labs/status/1629278117071147008

compact-miracle-abounds.top
funeral-engineering-expression.top
node-dashboard.site
node-panel.site
stellar-stable-faith.top

# Reference: https://www.secureworks.com/blog/cobalt-illusion-masquerades-as-atlantic-council-employee

bonny-marvels-authentic.top
live-redirect-system.top
progress-captivate-amply.top
review-status-plan.online
sincerely-sensation-outdo.top

# Reference: https://twitter.com/k3yp0d/status/1650513653802708996
# Reference: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation

azadijobs.me
beparas.com
bilal1com.com
damavand-hr.me
damkahill.com
darakeh.me
dream-jobs.org
dream-jobs.vip
dreamy-job.com
dreamy-jobs.com
dreamycareer.com
golanjobs.me
hat-cast.com
irnjobs.me
joinoptimahr.com
jomehjob.com
kandovani.org
opthrltd.me
optima-hr.com
optimac-hr.com
optimax-hr.com
parasil.me
radabala.com
rostam-hr.vip
salamjobs.me
shirazicom.com
syrtime.me
titanium-hr.com
topiranjobs.me
topwor4u.com
trnjobs.me
vipjobsglobal.com
wazayif-halima.com
wazayif-halima.org
wehatcast.com
youna101.me
younamesh.com

# Reference: https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/

deersharpfork.info
subinfralab.info
blackturtle.hopto.org

# Reference: https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware
# Reference: https://otx.alienvault.com/pulse/64499283c56cf14e277f9063

mail-updateservice.info
maill-support.com
mailupdate.com
mailupdate.info
msn-center.uk
msn-service.co
twittsupport.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware
# Reference: https://www.virustotal.com/gui/ip-address/144.217.129.176/relations

checkup.webredirect.org
filemanager.theworkpc.com
fuschia-rhinestone.cleverapps.io
library-store.camdvr.org

# Reference: https://twitter.com/blackorbird/status/1690994786415874048
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/Charming%20Kitten/2023-08-10-cyber-brief-no-01-2023.pdf

beape.live
beasze.live
beeasaze.top
check-control-panel.live
check-reload-page.live
direct-view-check.live
direct-view-panel.xyz
ksview.top
load-panel.online
panel-review-check.live
view-direct-panel.live
view-direct-panel.xyz
view-home-panel.xyz

# Reference: https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/

http://37.120.222.168

# Reference: https://app.validin.com/axon?find=58.158.177.102&type=ip

canvas-life.me
flash-adobe.org
lgupluscdn.com
manage-tech.club
channel-shop.manage-tech.club
helper.canvas-life.me

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-12-04-v10478/1178

igsecurity.email
metaemailsecurity.com
metaemailsecurity.net
metahelpservice.net
metasecurityemail.org
metasupportmail.co
metasupportmail.com
xn--metaspport-v43e.com

# Reference: https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2024-01-17-v10508/1292

cloud-document-edit.onrender.com
coral-polydactyl-dragonfruit.glitch.me
east-healthy-dress.glitch.me
epibvgvoszemkwjnplyc.supabase.co
kwhfibejjyxregxmnpcs.supabase.co
ndrrftqrlblfecpupppp.supabase.co

# Reference: https://twitter.com/MsftSecIntel/status/1747666342897963362
# Reference: https://twitter.com/G60930953/status/1747821766074863690
# Reference: https://www.virustotal.com/gui/file/e0ba0cedd8a8624c75af29965e5fa7ab754fc0fcddbb330bb548dab4f2be333f/detection

prism-west-candy.glitch.me

# Reference: https://twitter.com/billyleonard/status/1757556382176313624
# Reference: https://blog.google/technology/safety-security/tool-of-first-resort-israel-hamas-war-in-cyber/
# Reference: https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf
# Reference: https://github.com/google/threat-team/blob/main/2024/2024-02-14-tool-of-first-resort-israel-hamas-war-cyber/indicators.csv

bitly.org.il
businessservicesinc.net
cyberflood.io
daemon-mailer.co
fbmro.com
gamerocker.net
glorynewstoday.com
ifstate.page.link
isra-help.org
jennifercanti.com
kathleenhumphreystore.com
latest-tools.store
mailer-daemon.co
mailerdaemon.online
morecoreservises.com
myprofileface.page.link
ncgrassfed.com
pasmoiapp.com
ppmataro.com
shebacenter.online
shebacenter.org
solofansapp.page.link
stromectolonline.com

# Reference: https://twitter.com/k3yp0d/status/1764938541203612004
# Reference: https://twitter.com/k3yp0d/status/1764940785345089940
# Reference: https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
# Reference: https://www.virustotal.com/gui/file/3226b3e7d7fdaebfe7d7f06bdaf0cad08ea9792cd32843d01e6023f67cd0c889/detection
# Reference: https://www.virustotal.com/gui/file/0e51029ba28243b0a6a071713c17357a8eb024aa4298d1ccc9e2c4ac8916df4d/detection

drive-file-share.site
worried-eastern-salto.glitch.me

# Reference: https://www.validin.com/blog/expanding-apt42-intelligence-with-validin/

3dauth.live
account-drive.com
account-siqnin.com
accredit-validity.ddns.net
accredit.network
africanblackwidow.ddns.net
atlanticconucil.org
atlanticcuoncil.com
businessinssider.org
centrallibrary.info
clarification.network
conferencecall.live
confirm-direction.ddns.net
confirm-integrity.ddns.net
confirm-validation.ddns.net
confirm-validation.mywire.org
confirm-validity.hopto.org
confirm-verify.servepics.com
confirmation-verify.hopto.org
continue-recognized.ddns.net
continue-recognized.hopto.org
digitalpufferfish.ddns.net
direction-check.online
direction-session-verify.site
direction-veracity.ddns.net
drive-acconut.com
drive-acconuts.com
drive-account.com
eatonthehotground.ddns.net
elated-supportive-exultation.top
flowerskindergarten.ddns.net
gatestonelnstitute.org
identifier-direct.ddns.net
identifier-service.ddns.net
identifier-verify.ddns.net
identity-session.ddns.net
jubilatesee.site
meeting-share.online
modification-check.online
modification-verify.ddns.net
oceanofinformation.ddns.net
ourredbucket.ddns.net
panel-status-join.live
paneling-check-live.live
paneling-cheking-df.live
permission-data.online
pnael-checking.live
products-services.network
recognize-validation.theworkpc.com
responsiblestatcraft.org
review-session.hopto.org
safeshortl.ink
schoolofpinkmice.ddns.net
session-review.hopto.org
short-modification.site
short-urling.live
shorting-urling.live
shortoni.live
shorturling.live
strainitiatives.ddns.net
thefireisburnt.ddns.net
validation-confirm.ddns.net
validity-accredit.ddns.net
verify-corroborate.ddns.net
web-getdata.site

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2024-05-06-v10590/1615

decorous-super-blender.glitch.me
wulpfsrqupnuqorhexiw.supabase.co

# Reference: https://twitter.com/k3yp0d/status/1572561485376950274
# Reference: https://www.mandiant.com/media/17826
# Reference: https://www.virustotal.com/gui/file/2be8c9591d9aab6d81e4dd4a7e04371c7b1577404fa9ead11372251afcd13059/detection

technical-updates.info

# Reference: https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/
# Reference: https://app.validin.com/detail?find=135.181.203.1&type=ip4&ref_id=7bb26af05d1#tab=resolutions
# Reference: https://app.validin.com/detail?find=212.162.152.151&type=ip4&ref_id=ea7526bb584#tab=resolutions
# Reference: https://app.validin.com/detail?find=38.180.121.133&type=ip4&ref_id=f79dde040dd#tab=resolutions
# Reference: https://app.validin.com/detail?find=66.151.40.83&type=ip4&ref_id=45cc7c174db#tab=resolutions
# Reference: https://app.validin.com/detail?find=66.151.40.84&type=ip4&ref_id=d413894d497#tab=resolutions
# Reference: https://www.virustotal.com/gui/file/f83e2b3be2e6db20806a4b9b216edc7508fa81ce60bf59436d53d3ae435b6060/detection
# Reference: https://www.virustotal.com/gui/file/f1819b6aed24b81e6432a6d738206a388c266f72dbde4a8f4a4b9b6e3c55e609/detection
# Reference: https://www.virustotal.com/gui/file/89c1d1b61d7f863f8a651726e29f2ae3de7958f36b49a756069021817947d06c/detection
# Reference: https://www.virustotal.com/gui/file/0180f4f29c550aa1ffaa21af51711b29de99fb1d7c932d008a0e9356ae8a7d60/detection

http://91.107.150.184
accredit-navigation.online
accredit.validity.werifcattion.info
app-engage-station.help
boundary.cfd
brookings.email
cdn-workspacestudio.redirectme.net
check-fa-pane.live
checking-paneling.live
click-choose-figured.cfd
click-manage-room.cfd
complete-telecom-operation.top
confirrnation.info
continueworkflow.onthewifi.com
correction.verify.rsession.site
duuuumpy.click
dynamicroute.serveirc.com
essential-guide.serveirc.com
essentialeditor.serveirc.com
expandprocess.serveblog.net
filecloudmanager.site
flow-exulltation-uplift.top
green-light.bond
happened.fun
host-bulk-stack.cfd
house-server-digital.xyz
interconnected-equipment-buildings.buzz
make-host-solution.buzz
makeit.lat
meetroomonlin1925.w3spaces.com
modification-control.online
nail-forward-valid.lol
overviewstatus.redirectme.net
panel-check-live.live
panel-status-joining.live
paneling-checke.live
program-indipendent-system.buzz
re-brandly.store
real-vision.redirectme.net
recognize.site
rectification.info
recursivedns.site
rendercomponents.site
request-human-received.xyz
review-continue-entered.cfd
review.validation.recognize.site
rsession.site
s3api.shop
s4api.shop
sharedrive.webredirect.org
shooort.site
shooourt.click
shoring-live.live
short-ion-per.live
short-jg934hw.live
short-rigf.live
smaaaal.cfd
submissiveness.online
taskprocess.viewdns.net
teams.webredirect.org
umberella.icu
understandingthewar.org
validation.recognize.site
validity.werifcattion.info
verify.rsession.site
visioneditor.loseyourip.com
webdirecthost.site
werifcattion.info
wysebeyond.gotdns.ch
youtransfer.online
/Gallery/Ref/FSaEM5gG
/Gcollection/Ref/CkliPwaM
/Ref/CkliPwaM
/CkliPwaM
/Lcollection/Ref/F53OQQkE
/Ref/F53OQQkE
/F53OQQkE
/aliasauthG/autoref/vNSX6c2m
/autoref/vNSX6c2m
/vNSX6c2m

# Reference: https://x.com/RecordedFuture/status/1825867926043312398
# Reference: https://go.recordedfuture.com/hubfs/reports/cta-ir-2024-0820.pdf

activeeditor.info
admin.cheap-case.site
api.cheap-case.site
api.overall-continuing.site
app.cheap-case.site
backend.cheap-case.site
callfeedback.duia.ro
carservices.dns-dynamic.net
chatsynctransfer.info
cheap-case.site
cloudarchive.info
cloudregionpages.info
cloudtools.duia.eu
coldwarehexahash.dns-dynamic.net
configtools.linkpc.net
contentpreview.redirectme.net
continue.duia.eu
continueresource.forumz.info
currentpageeditor.dns-dynamic.net
demo.cheap-case.site
destinationzone.duia.eu
dev.cheap-case.site
directfileinternal.info
doceditor.duckdns.org
documentcloudeditor.ddnsgeek.com
dynamicrender.line.pm
dynamictranslator.ddnsgeek.com
editioncloudfiles.dns-dynamic.net
entryconfirmation.duckdns.org
fileeditiontools.linkpc.net
filereader.dns-dynamic.net
finaledition.redirectme.net
highlightsreview.line.pm
hugmefirstddd.ddns.net
icegelato.ddns.net
icenotebook.ddns.net
itemselectionmode.info
joincloud.duckdns.org
joincloud.mypi.co
lineeditor.001www.com
lineeditor.32-b.it
lineeditor.mypi.co
linereview.duia.eu
longlivefreedom.ddns.net
messagepending.info
minascs.ddns.net
mobiletoolssdk.dns-dynamic.net
nextbox.line.pm
nextcloud.duia.us
nextcloudzone.dns-dynamic.net
onetimestorage.info
onlinecalendar.ddnsgeek.com
onlinecloudzone.info
onlinereader.linkpc.net
overall-continuing.site
overflow.duia.eu
pagerender.duckdns.org
pagerendercloud.linkpc.net
pageviewer.linkpc.net
personalcloudparent.info
personalstoragebox.linkpc.net
personalwebview.info
pkglessplans.xyz
preparingdestination.fixip.org
proceeddestination.dns-dynamic.net
projectdrivevirtualcloud.co.uk
readquickarticle.dns-dynamic.net
realcloud.info
realpage.redirectme.net
researchdocument.info
reviewedition.duia.eu
rozetka.dyndns.org
s1vega.dyndns.org
searchstatistics.duckdns.org
selfpackage.info
servicesfiledrop.theworkpc.com
sharestoredocs.theworkpc.com
smartview.dns-dynamic.net
softservicetel.ddns.net
sourceusedirection.mypi.co
splitviewer.linkpc.net
storageprovider.duia.eu
streaml23.duia.eu
synctimezone.dns-dynamic.net
termsstatement.duckdns.org
testecs48.ddns.net
thisismyapp.accesscam.org
thisismydomain.chickenkiller.com
timelinepage.dns-dynamic.net
timezone-update.duckdns.org
towerreseller.dns-dynamic.net
tracedestination.duia.eu
translatorupdater.dns-dynamic.net
uptime-timezone.dns-dynamic.net
uptimezonemetadta.run.place
vector.kozow.com
vegas777.dyndns.org
viewdestination.vpndns.net
webviewerpage.info
worldstate.duia.us

# Reference: https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
# Reference: https://app.validin.com/detail?find=6d7b0b16f0cbad033ee08e6b414f02fd&type=hash&ref_id=015842d48f4#tab=host_pairs_v2
# Reference: https://www.virustotal.com/gui/ip-address/54.39.143.120/relations

deepspaceocean.info
pinnaclegen.com
hoticecream.ddns.net
pencilbrush.ddns.net

# Reference: https://www.virustotal.com/gui/file/c67cd544a112cab1bb75b3c44df4caf2045ef0af51de9ece11261d6c504add32/detection

http://190.2.150.50
190.2.150.50:443

# Reference: https://x.com/k3yp0d/status/1828699405056180664
# Reference: https://www.virustotal.com/gui/ip-address/38.180.111.244/relations
# Reference: https://app.validin.com/detail?find=38.180.111.244&type=ip4&ref_id=86db3c91efa#tab=resolutions

cspvpn.duckdns.org
em-payments-bot.duckdns.org
empaymentsbot.duckdns.org
vpncsp.duckdns.org

# Reference: https://app.validin.com/detail?find=38.180.111.246&type=ip4&ref_id=c6b5b76ecdb#tab=resolutions

zedisdead.duckdns.org

# Reference: https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/

autoupdate.uk
mail-update.info
servicepackupdate.info
systemupdate.info
servicesupdate.info
servicechecker.top
ns2.servicechecker.top
freeheadlines.top
ns2.freeheadlines.top

# Reference: https://x.com/blackorbird/status/1840667306583572653
# Reference: https://www.ic3.gov/Media/News/2024/240927.pdf
# Reference: https://www.resecurity.com/blog/article/iranian-cyber-actors-irgc-targeting-the-2024-us-presidential-election

3dconfirrnation.com
accesscheckout.online
accessverification.online
accunt-loqin.ml
accurateprivacy.online
atlantic-council.com
boom-boom.ga
bytli.us
continue-to-your-account.000webhostapp.com
covi19questionaire.000webhostapp.com
covid19questionnaire.freesite.vip
css-ethz.ch
cutly.vip
daemon-mailer.com
direct-access.info
discovery-protocol.ml
docfileview.org
doctransfer.online
dr-sup.live
email-protection.online
file-access.com
filetransfer.club
freahman.online
freshconnect.live
gdrive-files.com
gettogether.quest
gl-sup.online
gm-sup.com
idccovid19questionaire.000webhostapp.com
ipsss.000webhostapp.com
linkauthenticator.online
lovetoflight.com
lst-accurate.com
ltf.world
mailer-daemon.site
mailer-support.online
mailerdaemon.info
mfa-ic.ae
mofa-ic.ae
private-file-sharing.000webhostapp.com
qmaiil.ml
reactivate-disabled-accuonts.000webhostapp.com
redirect-drive.online
shared-files-access.live
sharefilesonline.live
summit-files.com
tinyurl.co.il
tinyurl.live
uani.us
verificationservice.online
workstation2020.000webhostapp.com
www-myaccounts-support.000webhostapp.com

# Reference: https://x.com/k3yp0d/status/1840762048826728893
# Reference: https://app.validin.com/detail?type=ip&find=38.180.91.211#tab=resolutions
# Reference: https://www.gov.il/BlobFolder/reports/alert_1803/he/ALERT-CERT-IL-W-1803.pdf

cloudviewer.site
directpathfellow.zapto.org
formcloud.redirectme.net
launchmeetprofile.servehttp.com

# Reference: https://app.validin.com/detail?find=38.180.91.195&type=ip4&ref_id=96da503d30d#tab=resolutions

cloudcomputing.webredirect.org
matchtomeet.ddns.net
mycloudhosting.redirectme.net
zoomcloud.redirectme.net

# Reference: https://app.validin.com/detail?find=38.180.91.193&type=ip4&ref_id=96da503d30d#tab=resolutions

navigationtools.site
flashpointfarm.gotdns.ch
main-packages.strangled.net

# Reference: https://app.validin.com/detail?find=38.180.91.206&type=ip4&ref_id=96da503d30d#tab=resolutions

entrydirect.ddns.net

# Reference: https://app.validin.com/detail?find=38.180.91.175&type=ip4&ref_id=96da503d30d#tab=resolutions

sublimetxtcontent.serveblog.net
virtual-notes.gotdns.ch
workspaceconsole.servehttp.com

# Reference: https://app.validin.com/detail?find=38.180.91.195&type=ip4&ref_id=96da503d30d#tab=resolutions

cloudcomputing.webredirect.org
matchtomeet.ddns.net
mycloudhosting.redirectme.net
zoomcloud.redirectme.net

# Reference: https://app.validin.com/detail?find=38.180.91.193&type=ip4&ref_id=96da503d30d#tab=resolutions

navigationtools.site
flashpointfarm.gotdns.ch
main-packages.strangled.net

# Reference: https://app.validin.com/detail?find=38.180.91.190&type=ip4&ref_id=96da503d30d#tab=resolutions

pagerenderstatus.info
destinationreferrer.serveirc.com
essential-overview.sytes.net
featurespace.ooguy.com
featurespace.serveblog.net
usabilitystatus.servehttp.com

# Reference: https://app.validin.com/detail?find=38.180.91.184&type=ip4&ref_id=96da503d30d#tab=resolutions

realcdnworker.site
hardbookshelf.ooguy.com
myselfdatahistory.serveirc.com

# Reference: https://x.com/HostileSpectrum/status/1722628312013660665
# Reference: https://x.com/k3yp0d/status/1852051018181452143
# Reference: https://www.virustotal.com/gui/ip-address/45.143.167.87/relations
# Reference: https://www.ic3.gov/CSA/2024/241030.pdf
# Reference: https://research.checkpoint.com/2024/wezrat-malware-deep-dive/
# Reference: https://www.virustotal.com/gui/file/4431b2a4d7758907f81fb1a0c1e36b2ce03e08d43123b1c398487770afd20727/detection
# Reference: https://www.virustotal.com/gui/file/e37b95bb9bee64cc0313eaad8a0269493745f89413bd78b58bb3b479b36084ae/detection
# Reference: https://www.virustotal.com/gui/file/a624768f28ca66e82cb5d157e5ddd427644e903476099ef0d155ab1f426da8a3/detection
# Reference: https://www.virustotal.com/gui/file/84366a894120d4a8c83411925ef04de52fa56da6fad0023a71f71a9bf21259ad/detection

http://45.143.167.87
http://194.11.226.9
http://194.4.49.175
194.11.226.9:443
194.4.49.175:443
45.143.167.87:443
46.249.58.136:4444
46.249.58.136:8080
cybercourt.io
gamershotel.pro
il-cert.net
onlinelive.info
pro-today.org
rgud-group.com
rgud-group.net
zeusistalking.com
zeusistalking.io
zeusistalking.net

# Reference: https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf
# Reference: https://otx.alienvault.com/pulse/624f0d6039be61f29b5f463c
# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-April/030630.html

alharbitelecom.co
apply-jobs.com
applytalents.com
appslocallogin.online
archery.dedyn.io
bnt2.live
careers-finder.com
cloudgoogle.co
cortanaservice.com
cortanaupdate.co
defenderupdate.ddns.net
edge-cloudservices.com
elecresearch.org
enerflex.ddns.net
enerflex.org
etisalatonline.com
exprogroup.org
freechess.live
funnychess.online
getadobe.ddns.net
getadobe.net
globaltalent.in
googleservices.co
googleupdate.co
helpdesk-product.com
kavkazru.press
khaleejtimes.co
latinoamericareporta.com
librarycollection.org
linkedinz.me
listen-books.com
localadmin.online
localadmin.ru
lukoil.in
market.dedyn.io
market.vinam.me
mastergatevpn.com
microsoftcdn.co
microsoftdefender.info
microsoftedgesh.info
mideasthiring.com
monitor-ua.com
office-shop.me
onedrivelive.me
onedriveupdate.net
online-audible.com
online-chess.live
outlookde.live
outlookdelivery.com
politica.in.ua
remgrogroup.com
revistadcr.com
saipem.org
sauditourismguide.com
savemoneytrick.com
sharepointnotify.com
signin.dedyn.io
sparrowsgroup.org
supportskype.com
talent-recruitment.org
talktalky.azurewebsites.net
thefreemovies.net
ukraine2day.com
updateddns.ddns.net
updatedefender.net
updatedns.ddns.net
updateservices.co

# Reference: https://x.com/StrikeReadyLabs/status/1851438224834433154
# Reference: https://x.com/ClearskySec/status/1856268257734410647
# Reference: https://x.com/asdasd13asbz/status/1851513587967078410
# Reference: https://www.clearskysec.com/wp-content/uploads/2024/11/Iranian-Dream-Job-ver1.pdf
# Reference: https://www.virustotal.com/gui/file/4e27556432464375a9016a410b6eef586f3a27377424ffc09f40eb252af144a2/detection
# Reference: https://www.virustotal.com/gui/file/918e70e3f5fdafad28effd512b2f2d21c86cb3d3f14ec14f7ff9e7f0760fd760/detection

careers2find.com
xboxapicenter.com
cdn.careers2find.com
quiz.careers2find.com

# Reference: https://twitter.com/malwrhunterteam/status/1762813636001570980
# Reference: https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
# Reference: https://www.virustotal.com/gui/file/5aa317d3682ff127e1e92d2016c08f94be60937a1b8a210876d931d072386336/detection

1stemployer.com
airconnectionapi.azurewebsites.net
airconnectionsapi.azurewebsites.net
airconnectionsapijson.azurewebsites.net
airgadgetsolution.azurewebsites.net
airgadgetsolutions.azurewebsites.net
altnametestapi.azurewebsites.net
answerssurveytest.azurewebsites.net
apphrquestion.azurewebsites.net
apphrquestions.azurewebsites.net
apphrquizapi.azurewebsites.net
arquestions.azurewebsites.net
arquestionsapi.azurewebsites.net
audiomanagerapi.azurewebsites.net
audioservicetestapi.azurewebsites.net
birngthemhomenow.co.il
blognewsalphaapijson.azurewebsites.net
blogvolleyballstatus.azurewebsites.net
blogvolleyballstatusapi.azurewebsites.net
boeisurveyapplications.azurewebsites.net
browsercheckap.azurewebsites.net
browsercheckingapi.azurewebsites.net
browsercheckjson.azurewebsites.net
cashcloudservices.com
changequestionstypeapi.azurewebsites.net
changequestionstypejsonapi.azurewebsites.net
changequestiontypes.azurewebsites.net
changequestiontypesapi.azurewebsites.net
checkapicountryquestions.azurewebsites.net
checkapicountryquestionsjson.azurewebsites.net
checkservicecustomerapi.azurewebsites.net
coffeeonlineshop.azurewebsites.net
coffeeonlineshoping.azurewebsites.net
connectairapijson.azurewebsites.net
connectionhandlerapi.azurewebsites.net
countrybasedquestions.azurewebsites.net
customercareservice.azurewebsites.net
customercareserviceapi.azurewebsites.net
emiratescheckapi.azurewebsites.net
emiratescheckapijson.azurewebsites.net
engineeringrssfeed.azurewebsites.net
engineeringssfeed.azurewebsites.net
exchtestcheckingapi.azurewebsites.net
exchtestcheckingapihealth.azurewebsites.net
flighthelicopterahtest.azurewebsites.net
helicopterahtest.azurewebsites.net
helicopterahtests.azurewebsites.net
helicoptersahtests.azurewebsites.net
hiringarabicregion.azurewebsites.net
homefurniture.azurewebsites.net
hrapplicationtest.azurewebsites.net
humanresourcesapi.azurewebsites.net
humanresourcesapijson.azurewebsites.net
humanresourcesapiquiz.azurewebsites.net
iaidevrssfeed.centralus.cloudapp.azure.com
iaidevrssfeed.centrualus.cloudapp.azure.com
iaidevrssfeed.cloudapp.azure.com
iaidevrssfeedp.cloudapp.azure.com
identifycheckapplication.azurewebsites.net
identifycheckapplications.azurewebsites.net
identifycheckingapplications.azurewebsites.net
ilengineeringrssfeed.azurewebsites.net
integratedblognewfeed.azurewebsites.net
integratedblognews.azurewebsites.net
integratedblognewsapi.azurewebsites.com
integratedblognewsapi.azurewebsites.net
intengineeringrssfeed.azurewebsites.net
intergratedblognewsapi.azurewebsites.net
javaruntime.azurewebsites.net
javaruntimestestapi.azurewebsites.net
javaruntimetestapi.azurewebsites.net
javaruntimeversionchecking.azurewebsites.net
javaruntimeversioncheckingapi.azurewebsites.net
jupyternotebookcollection.azurewebsites.net
jupyternotebookcollections.azurewebsites.net
jupyternotebookcollections.com
jupyternotebookscollection.azurewebsites.net
logsapimanagement.azurewebsites.net
logsapimanagements.azurewebsites.net
logupdatemanagementapi.azurewebsites.net
logupdatemanagementapijson.azurewebsites.net
manpowerfeedapi.azurewebsites.net
manpowerfeedapijson.azurewebsites.net
marineblogapi.azurewebsites.net
notebooktextchecking.azurewebsites.net
notebooktextcheckings.azurewebsites.net
notebooktextcheckings.com
notebooktexts.azurewebsites.net
onequestions.azurewebsites.net
onequestionsapi.azurewebsites.net
onequestionsapicheck.azurewebsites.net
openapplicationcheck.azurewebsites.net
optionalapplication.azurewebsites.net
personalitytestquestionapi.azurewebsites.net
personalizationsurvey.azurewebsites.net
qaquestionapi.azurewebsites.net
qaquestions.azurewebsites.net
qaquestionsapi.azurewebsites.net
qaquestionsapijson.azurewebsites.net
queryfindquestions.azurewebsites.net
queryquestions.azurewebsites.net
questionsapplicationapi.azurewebsites.net
questionsapplicationapijson.azurewebsites.net
questionsapplicationbackup.azurewebsites.net
questionsdatabases.azurewebsites.net
questionsurveyapp.azurewebsites.net
questionsurveyappserver.azurewebsites.net
quiztestapplication.azurewebsites.net
refaeldevrssfeed.centralus.cloudapp.azure.com
regionuaequestions.azurewebsites.net
registerinsurance.azurewebsites.net
roadmapselector.azurewebsites.net
roadmapselectorapi.azurewebsites.net
sportblogs.azurewebsites.net
surveyappquery.azurewebsites.net
surveyonlinetest.azurewebsites.net
surveyonlinetestapi.azurewebsites.net
technewsblogapi.azurewebsites.net
teledyneflir.com.de
testmanagementapi1.azurewebsites.net
testmanagementapis.azurewebsites.net
testmanagementapisjson.azurewebsites.net
testquestionapplicationapi.azurewebsites.net
testtesttes.azurewebsites.net
tiappschecktest.azurewebsites.net
tnlsowki.westus3.cloudapp.azure.com
tnlsowkis.westus3.cloudapp.azure.com
turkairline.azurewebsites.net
uaeaircheckon.azurewebsites.net
uaeairchecks.azurewebsites.net
vscodeupdater.azurewebsites.net
vsliveagent.com
workersquestions.azurewebsites.net
workersquestionsapi.azurewebsites.net
workersquestionsjson.azurewebsites.net
xboxplayservice.com

# Reference: https://x.com/Cyberteam008/status/1866677248587337914
# Reference: https://x.com/ValidinLLC/status/1867193831612985822
# Reference: https://en.fofa.info/result?qbase64=dGl0bGU9PSJVUkwgU2hvcnRlbmVyIiAmJiBpY29uX2hhc2g9IjE5MDgxNDcxMjEi

allocationwithour.info
conveniente-sharefile.info
filterfiletransfer.hopto.org
filtertransferfile.online
loss-modification.site
recognizedshare.site
transfer-filterless.ddns.net
viewfileitems.info
emv1.allocationwithour.info
ns2.allocationwithour.info
transfer.loss-modification.site

# Reference: https://x.com/Cyberteam008/status/1868875414510485876

dash.shortoni.live
emv1.short-jg934hw.live
emv1.short-rigf.live
emv1.statuss-short-join.live
fazadi.info
ftur-sher.online
live-join-short.online
mrz.fazadi.info
redirect-b.online
redirect-c.live
redirect-d.online
redirect-k.online
redirect-l.online
redirect-m.live
redirect-o.online
redirect-p.online
redirect-q.online
redirect-r.online
redirect-s.online
redirect-t.online
redirect-u.online
room-meet-url.live
sh-tro.live
sho-flu.live
shor-erier-f.xyz
shor-fg.live
shor-trv.live
short-join-live.online
short-redirect.online
short-view-url.online
shr-r4yr93d.live
sht-rgtio9.live
statuss-short-join.live
url-room-meet.live
visit-site-online.online

# Reference: https://www.bitdefender.com/en-us/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware

http://88.80.148.162
188.165.174.199:18080
