# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: confucius, patchwork

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/
# Reference: https://twitter.com/shotgunner101/status/1084111296746921986
# Reference: https://otx.alienvault.com/pulse/5c3c8199888d403ecee5e463

# Domain indicators listed under the three references above.
kielsoservice.net
frameworksupport.net

# Reference: https://twitter.com/blackorbird/status/1119518720794058752
# Reference: https://www.virustotal.com/gui/file/e94659941847dac6e5483df31d6429c9bfb339a013079f41ea52e7fe86d7f061/detection
# Reference: https://s.tencent.com/research/report/711.html (Chinese)

# Three domain indicators followed by two IP:port indicators, all listed under
# the references above.
crowcatcher.net
global-news.center
useraccount.co
# NOTE(review): port 21 is the conventional FTP control port. These entries pin
# address and port together, so traffic to the same hosts on other ports is
# presumably not matched - confirm against the consumer of this list.
188.241.58.60:21
188.241.58.61:21

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/
# Reference: https://brica.de/alerts/alert/public/1215663/new-confucius-malware-campaign-has-links-to-patchwork-cybergang/

# Domain indicator listed under the two references above.
errorfeedback.com

# Reference: https://twitter.com/h4ckak/status/1161208604566966272

# URL indicator on a bare IP address, with no path component.
# NOTE(review): IP-only indicators go stale when hosting is reassigned;
# re-validate this address before using it for blocking rather than alerting.
http://139.28.38.231

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/
# Reference: https://documents.trendmicro.com/assets/appendix-deciphering-confucius-cyberespionage-operations.pdf

# Indicators listed under the two Trend Micro references above, in four forms:
# http:// URLs on bare IPs, IP:port pairs, domains, and host-less URL paths.
http://199.101.187.54
http://45.63.43.29
http://45.76.33.53
http://46.165.207.108
http://5.135.73.109
# NOTE(review): the next line repeats the entry directly above; the duplicate
# looks redundant and can be dropped without losing coverage.
http://5.135.73.109
http://91.210.107.104
http://94.242.219.205
46.165.249.223:80
5.199.163.51:4343
91.210.107.106:80
91.210.107.109:80
91.210.107.110:80
adhath-learning.com
freeintrnet.com
mfone.net
mofu.tech
# NOTE(review): ddns.net appears to be a shared dynamic-DNS zone, so only this
# exact hostname is the indicator - do not widen the match to the parent domain.
simplechatpoint.ddns.net
truth786.com
tweetychat.com
# NOTE(review): the entries below are URL paths with no host. If the consumer
# matches them against requests to any host (confirm against the loader), hits
# should be triaged together with the hosts above to limit false positives.
# The file names suggest upload endpoints for account, contact, SMS and file
# data - inferred from the names only, not verified here.
/android_connect/insert_account.php
/android_connect/insert_contacts.php
/android_connect/insert_file_list.php
/android_connect/insert_sms.php
/android_connect/upload_file_content.php

# Reference: https://twitter.com/RedDrip7/status/1184099910892670976

# NOTE(review): twilightparadox.com appears to be a shared dynamic-DNS zone, so
# only this exact hostname is the indicator - do not widen it to the parent domain.
yetwq.twilightparadox.com

# Reference: https://twitter.com/spider_girl22/status/1172044630512164864

# IP:port indicator (port 80, the conventional HTTP port).
# NOTE(review): the address may be reassigned over time; re-validate before
# using it for blocking rather than alerting.
192.250.236.76:80

# Reference: https://twitter.com/Rmy_Reserve/status/1172016149971619841

# NOTE(review): esy.es appears to be a shared free-hosting zone; treat only this
# exact subdomain as the indicator, not the parent domain.
upgrading-office-content.esy.es
