# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

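# Indicators of compromise (domains, host/path pairs, URLs, IP:port endpoints and
# request paths) attributed to the MuddyWater / Seedworm intrusion set. Each group
# is preceded by the public report it was taken from; an indicator that several
# reports mention is repeated under each reference so its provenance stays
# visible. An exact repeat inside the same group is a copy error, not provenance.
#
# Entry forms used in this file:
#   host              - any traffic to that host
#   host/path         - that host serving a specific path (narrower; fewer false
#                       positives once a relay site has been cleaned up)
#   http://ip[/path]  - URL form of the same thing
#   ip[:port]         - raw C2 endpoint; port-qualified entries presumably match
#                       only that port - confirm against the trail loader
#   /path             - path only, matched on any host
#
# Many of the host/path entries (wp-includes/widgets/main.php, font-awesome/css/
# main.php, .../main.php on otherwise unrelated sites) appear to be third-party
# web sites used as relays rather than attacker-registered domains; a bare-host
# hit on one of those is weaker evidence than a hit on the listed path.
# Dynamic-DNS names (*.hopto.org, *.ddns.net, *.serveftp.com, *.gotdns.ch, ...)
# and bare IP:port pairs are reassignable and age quickly - check the reference
# date before escalating on them alone.

# Reference: https://securelist.com/muddywater/88059/

adibf.ae/wp-includes/js/main.php
benangin.com/wp-includes/widgets/main.php
ektamservis.com/includes/main.php
gtme.ae/font-awesome/css/main.php
hubinasia.com/wp-includes/widgets/main.php
www.adfg.ae/wp-includes/widgets/main.php
www.cankayasrc.com/style/js/main.php

# Reference: https://fortiguard.com/resources/threat-brief/2018/10/12/fortiguard-threat-intelligence-brief-october-12-2018

# Brand-lookalike hostnames on free dynamic-DNS providers (alibabacloud.*,
# microsoftofice.*, offlce.* - note the deliberate misspellings).
alibabacloud.dynamic-dns.net
alibabacloud.wikaba.com
alibabacloud.zzux.com
microsoftofice.zyns.com
microword.itemdb.com
moffice.mrface.com
muonline.dns04.com
office.otzo.com
offlce.dnset.com
online.ezua.com
muhacirder.com
muteciyar.info

# Reference: https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/

3cbc.net/dropbox/icon.icon
pazazta.com/app/icon.png
ohe.ie/cli/icon.png
ohe.ie/cp/icon.png
andreabelfi.com/main.php
andreasiegl.com/main.php
andresocana.com/main.php
amorenvena.com/main.php
amphira.com/main.php
amphibiblechurch.com/main.php

# Reference: https://twitter.com/360TIC/status/1108616188173520896
# Reference: https://otx.alienvault.com/pulse/5c939fbb22017040b7e47be4/

# Path-only indicators: the three server-side handler names match on any host.
/serverScript/clientFrontLine/getCommand.php
/serverScript/clientFrontLine/helloServer.php
/serverScript/clientFrontLine/setCommandResult.php

# Reference: https://twitter.com/360TIC/status/1081080752438009856

getgooogle.hopto.org
shopcloths.ddns.net

# Reference: https://twitter.com/blackorbird/status/1072314411849797632
# Reference: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
# Reference: https://twitter.com/blackorbird/status/1070911385368809472

ankara24saatacikcicekci.com

# Reference: https://twitter.com/HONKONE_K/status/1115513990594084864

tfu.ae/readme.txt

# Reference: https://otx.alienvault.com/pulse/5caf93777439561cb57d0e2c

googleads.hopto.org
orbe-fzc.com

# Reference: https://research.checkpoint.com/the-muddy-waters-of-apt-attacks/

http://185.117.75.116/tmp.php

# Reference: https://twitter.com/VK_Intel/status/1117673303332667392

http://185.162.235.182

# Reference: https://otx.alienvault.com/pulse/5cb4b3944f62ba0873339ee1

46.105.84.146:443 # same host is listed again on port 80 under the RedDrip7 references below

# Reference: https://twitter.com/HONKONE_K/status/1118406086925504512
# Reference: https://twitter.com/360TIC/status/1118430258451976192

plet.dk/css/ # directory prefix: every object fetched from this path on the site will match
134.19.215.3:443

# Reference: https://twitter.com/ClearskySec/status/1118511605359304705
# Reference: https://app.any.run/tasks/17706fbe-8ac5-45df-b489-c766514cbe0a
# Reference: https://twitter.com/Arkbird_SOLG/status/1133472942661263362

http://185.185.25.175

# Reference: https://securelist.com/muddywaters-arsenal/90659/

78.129.222.56:8090 # LisfonService RAT
192.64.86.174:8980 # Python RAT
104.237.233.38:8085 # SSH Python script
104.237.233.40:7070 # Other stuff
78.129.139.134:8080

# Reference: https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html
# Reference: https://otx.alienvault.com/pulse/5ce2c36a67a0d63bbf18b120

136.243.87.112:3000
http://38.132.99.167/crf.txt
# Directory prefix covering the three getCommand/helloServer/setCommandResult
# handlers listed under the 360TIC reference above; kept because this source
# reports the whole directory, not just the three scripts.
/serverScript/clientFrontLine/
/bcerrxy.php

# Reference: https://habr.com/ru/company/group-ib/blog/452540/ (Russian)

gladiyator.tk

# Reference: https://twitter.com/Timele9527/status/1134291981176152064

http://185.244.149.218

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/
# Reference: https://otx.alienvault.com/pulse/5cfe6b9d0ecf65e404ef4f85

amazo0n.serveftp.com
shareliverpoolfc.co.uk
shopcloths.ddns.net # also listed under the 360TIC reference above
zstoreshoping.ddns.net

# Reference: https://twitter.com/Timele9527/status/1138694954140594176

http://185.82.202.240

# Reference: https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf

# 104.237.233.38 / .40 also appear on other ports under the securelist
# "muddywaters-arsenal" reference above; a duplicate 104.237.233.38:8080 line
# that appeared twice in this group has been collapsed to one entry.
104.237.233.38:1022
104.237.233.38:8080
104.237.233.40:8443
104.237.255.212:443
78.129.139.134:8864
88.99.17.148:443
ciscoupdate2019.gotdns.ch
getgooogle.hopto.org # also listed under the 360TIC reference above
googleads.hopto.org # also listed under the otx.alienvault 5caf9377... reference above
latvia-usa.org/wp-includes/customize/main.php
valis-ti.cl/assets/main.php

# Reference: https://twitter.com/HONKONE_K/status/1144438589230419968

http://104.237.255.195
http://91.132.139.196

# Reference: https://twitter.com/0xffff0800/status/1145408553479483392

iec56w4ibovnb4wc.onion # Tor hidden service (.onion); only visible where Tor traffic or DNS leaks are inspected

# Reference: https://twitter.com/Rmy_Reserve/status/1146388355162050561
# Reference: https://mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg

http://185.141.27.14
http://185.185.25.175 # also listed under the ClearskySec/any.run references above
http://185.244.149.218 # also listed under the Timele9527 (1134291981176152064) reference above
http://185.82.202.240 # also listed under the Timele9527 (1138694954140594176) reference above
http://83.171.238.62
# Path-only indicators; the first one includes a fixed query string.
/ls.php?TOKEN=Pomy
/trjjmfnnv.php
/ttryeJte76.php

# Reference: https://twitter.com/RedDrip7/status/1115873829035835392
# Reference: https://twitter.com/RedDrip7/status/1108617989308309504

46.105.84.146:80 # same host is listed on port 443 under the otx.alienvault 5cb4b394... reference above
94.23.148.194:80

# Reference: https://twitter.com/blackorbird/status/1156778469960769536

http://46.166.176.242/main.php
instmech.uz/meryem.php

# Reference: https://twitter.com/Timele9527/status/1156762307965231104

http://89.33.246.82

# Reference: https://twitter.com/Rmy_Reserve/status/1170187955412992000
# Reference: https://app.any.run/tasks/150759b8-44c7-4fa8-b518-4e2562964663/

http://graphixo.net/wp-includes/utf8.php

# Reference: https://twitter.com/cyb3rops/status/1184759564656402432
# Reference: https://app.any.run/tasks/46cc133c-f3c6-4834-b139-0020ebed1c1e/

assignmenthelptoday.com # bare host, no path: all traffic to this site will match

# Reference: https://twitter.com/HONKONE_K/status/1115117276565360641

cms.qa # bare host, no path: all traffic to this site will match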
