# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: sidecopy, falseflag

# Reference: https://twitter.com/Timele9527/status/1144069969845481474
# Reference: https://app.any.run/tasks/69351273-5fd3-4590-a5a5-da639f86f9ec/
# Reference: https://www.virustotal.com/gui/file/bf34be94275f5b05d82b3805bccb30f217020d88f501d156324f98b5eda9ba7e/detection
# Reference: https://www.virustotal.com/gui/file/071c2ac354452d484a37e7af15dd4685061dd4af93abad4308f41df673132ff0/detection

192.99.241.4:4915

# Reference: https://twitter.com/Timele9527/status/1130670958971215873
# Reference: https://www.virustotal.com/gui/file/386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef/detection
# Reference: https://vtbehaviour.commondatastorage.googleapis.com/386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef_Tencent%20HABO.html

95.168.176.141:4864
95.168.176.141:16672

# Reference: https://twitter.com/HONKONE_K/status/1122327639249698816
# Reference: https://www.freebuf.com/articles/network/197398.html

bdrive.club
bdrive.space
cloudserve.online
cynqms.com
data-backup.online
firebasebox.com
scan9t.com
tprlink.com

# Reference: https://twitter.com/Timele9527/status/1121607912676261890
# Reference: https://www.virustotal.com/gui/file/b80635fed8c7fce92385ddb66fb6f58337a8a150c4a1d158888adaa8db0cfebc/detection
# Reference: https://vtbehaviour.commondatastorage.googleapis.com/b80635fed8c7fce92385ddb66fb6f58337a8a150c4a1d158888adaa8db0cfebc_Tencent%20HABO.html

peechtrees.com

# Reference: https://twitter.com/HONKONE_K/status/1104951156730544128
# Reference: https://www.virustotal.com/gui/file/500f8798dd582b22928097f24d8516893beb84d155f5a2a6ebf30bbcf4d91dae/detection
# Reference: https://vtbehaviour.commondatastorage.googleapis.com/500f8798dd582b22928097f24d8516893beb84d155f5a2a6ebf30bbcf4d91dae_Tencent%20HABO.html

81.17.56.226:3864

# Reference: https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

178.238.228.113:7861
178.238.235.143:80
178.238.235.143:9001
193.37.152.28:9990
213.136.87.122:10001
5.189.143.225:11114
5.189.145.248:10032
5.189.145.248:1453
5.189.145.248:6318
62.4.23.46:1500
ad2.admart.tv
afgcloud7.com
avadhnama.com
bbmdroid.com
bbmsync2727.com
bhai123.no-ip.biz
bhai1.ddns.net
brooksidebiblefellowship.org
cdrfox.xyz
intribune.blogspot.com
lolxone.com
mvssync8767.com
ordering-checks.com
thefriendsmedia.com
sahirlodhi.com
sms.totalworthy.com
sudhir71nda.no-ip.org
winupdatess.no-ip.biz
comdtoscc.attachment.biz
ceengrmes.attachment.biz
email.attachment.biz
fileshare.attachment.biz

# Reference: https://twitter.com/Timele9527/status/1167626219916972032

kmcodecs.com

# Reference: https://twitter.com/Timele9527/status/1186816375857139712

isroddp.com
/rEmt1t_pE7o_pe0Ry/

# Reference: https://twitter.com/Arkbird_SOLG/status/1219769450989334528

198.46.177.73:6421
198.46.177.73:4920
198.46.177.73:10422
198.46.177.73:14823
198.46.177.73:16824

# Reference: https://twitter.com/_re_fox/status/1232402275181703169

185.136.163.197:4442

# Reference: https://twitter.com/_re_fox/status/1226344529046929408

awsyscloud.com
/E@t!aBbU0le8hiInks/
/H!pT0pNSc3nd/
/eNn!T5eals/
/Pon0N.php
/Cor2PoRJSet!On.php
/f3dlPr00f.php
/pR0T5o-Niums.php
/Dev3l2Nmpo7nt.php
/xwunThedic@t6.php

# Reference: https://twitter.com/spider_girl22/status/1246082462649683968
# Reference: https://twitter.com/teamcymru_S2/status/1382724143444004866
# Reference: https://www.virustotal.com/gui/file/94fc14e5c961c1dd8ff63330f0bdd11c8f5e1563468d7d35127ae486144c3dd2/detection
# Reference: https://www.virustotal.com/gui/file/736c9682399885ca1219cb10472b406d381ce66bd3a5cdc919cb28ee59b898fe/detection

107.175.1.103:14686
107.175.1.103:3268
107.175.1.103:5418
107.175.1.103:7646
107.175.1.103:9348

# Reference: https://twitter.com/ShadowChasing1/status/1250303709013147650
# Reference: https://www.virustotal.com/gui/file/3c7eb76db2a503d495d1332dc50acbcf511d56a6ff5a7f1a5f9c16c5efc10b5d/detection

64.188.25.205:3692

# Reference: https://twitter.com/ShadowChasing1/status/1257268847175860224
# Reference: https://twitter.com/KodaES/status/1257265452654497792
# Reference: https://app.any.run/tasks/250c2c2d-fdfb-4f46-8565-a9b2538c1ace/

107.175.64.251:6286

# Reference: https://twitter.com/_re_fox/status/1286826493335805953
# Reference: https://www.virustotal.com/gui/file/99b24003e4d5a19430653760db6492d920dfda94194ba8aaa9e82d2949aab740/detection

164.68.101.194:3312

# Reference: https://twitter.com/ShadowChasing1/status/1296988003911360516
# Reference: https://www.virustotal.com/gui/file/e91836bbf90b1eafd5cdcf8868408309470d4a06c5239dfee7dd74eca1a7f222/detection

64.188.12.126:4676

# Reference: https://securelist.com/transparent-tribe-part-2/98233/
# Reference: https://otx.alienvault.com/pulse/5f46861db7f081f8c83140dc

http://212.8.240.221
212.8.240.221:5987
sharemydrives.com
sharingmymedia.com
tryanotherhorse.com

# Reference: https://twitter.com/ShadowChasing1/status/1311590568674291712

servicesmail.site

# Reference: https://twitter.com/DeadlyLynn/status/1318006847949819912
# Reference: https://www.virustotal.com/gui/file/d4b36731cb37ad05b0b9678b568c10a56f2e84967b393b626afb19d2df41c9b9/detection

173.249.14.104:6630

# Reference: https://twitter.com/ShadowChasing1/status/1337000347810729984
# Reference: https://www.virustotal.com/gui/file/6257ab26547f390bfd67d60766a708a95998452eb487d6d7208a52dc3e9840e0/detection

198.12.90.116:3691

# Reference: https://twitter.com/ShadowChasing1/status/1338077086896963584
# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1338177112059088903
# Reference: https://www.virustotal.com/gui/file/2714b12d0c65cb6fe783571a2d103866c4059f40b2905f58a6cd5de80eefeb73/detection
# Reference: https://www.virustotal.com/gui/file/26a4d9bd2961d724ef07aaec5cbbd120891c600ab7932e5e4ddef38aa3ee9700/detection

89.249.65.206:4816
89.249.65.206:49483

# Reference: https://twitter.com/ShadowChasing1/status/1338507666373558273
# Reference: https://www.virustotal.com/gui/file/48f662986a80c5c73a878b0f46cd7e3a548e556ad9c3f76c4eb867968b240eaf/detection

172.217.15.110:4876

# Reference: https://twitter.com/ShadowChasing1/status/1360018043703762945
# Reference: https://www.virustotal.com/gui/file/86d43578ba26f02cf845f16a38ab29a48ad86c17f4a2ec3b69fc0d5fe82b4af7/detection

64.188.25.143:4586

# Reference: https://twitter.com/h2jazi/status/1367102521400053767
# Reference: https://twitter.com/h2jazi/status/1367105848544284676
# Reference: https://twitter.com/teamcymru_S2/status/1367436864941150208
# Reference: https://www.virustotal.com/gui/file/f6bec3c2d0503978f88734c6d52f2a01552c1d24b8e014ab835827ba3c9cc548/detection

23.254.119.118:11214
23.254.119.118:15822
23.254.119.118:17443
23.254.119.118:6128
23.254.119.118:8761

# Reference: https://twitter.com/InQuest/status/1368879546695618561
# Reference: https://twitter.com/ShadowChasing1/status/1368902119051325447
# Reference: https://www.virustotal.com/gui/file/d0a5ffa3b9c40eb1e4277e7c41a100b0836c9424b36fb9bbe281711c0b116883/detection

173.249.14.104:4568
templatesmanagersync.info

# Reference: https://twitter.com/modubyk/status/1215690858131066881
# Reference: https://www.virustotal.com/gui/file/3cbb07af5c85a539ba970bd831de6ad53473afe6d99b3cdbb963711e2b1ee9c3/detection
# Reference: https://www.virustotal.com/gui/file/fde8b0e2ce949e09070d6788194f63131070afab0ebd479bedd545091e7cc8aa/detection

cfrbackup.com
/P0urWa1t3_r!es/
/P0urWa1t3_r!es/iptonps.php

# Reference: https://twitter.com/h2jazi/status/1374754308676280323
# Reference: https://www.virustotal.com/gui/file/8bd2a1aa58cd9fb15ce499be7131e810abbdcc7770806ebfbd83b8e8f701c5e4/detection

75.119.139.169:4568

# Reference: https://twitter.com/ShadowChasing1/status/1374713010472685569

185.136.169.155:8761

# Reference: https://twitter.com/h2jazi/status/1385577616606961664
# Reference: https://www.virustotal.com/gui/file/f87d8b4376bdb341964801a836bb7ae4843351ded70801d401e951cbbe05d613/detection

167.160.166.177:4698

# Reference: https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/

134.119.181.15:6818
134.119.181.15:8561
134.119.181.15:8861
151.106.14.125:14618
151.106.14.125:16418
151.106.14.125:3468
151.106.14.125:8722
151.106.19.220:2682
172.245.247.112:11824
172.245.247.112:14624
172.245.247.112:8666
172.245.87.12:12447
172.245.87.12:18856
172.245.87.12:4586
172.245.87.12:8443
173.212.192.229:16564
173.249.22.30:10864
173.249.22.30:16582
173.249.22.30:4228
173.249.14.104:3312
173.249.14.104:9808
173.249.42.113:8148
185.136.169.155:11214
185.136.169.155:15882
185.136.169.155:17443
185.136.169.155:6128
185.174.102.105:54131
198.12.90.116:3691
198.12.90.116:4684
198.12.90.116:6582
23.254.119.11:3163
23.254.119.11:4828
23.254.119.11:5661
23.254.119.11:6614
45.32.151.155:11427
45.32.151.155:12835
45.77.246.69:16185
5.189.134.216:5156
64.188.12.126:12824
64.188.12.126:49747
64.188.12.126:9666
64.188.25.206:11422
64.188.25.206:16621
64.188.25.206:4125
64.188.25.206:6522
66.154.113.38:3878
66.154.113.38:8666

# Reference: https://twitter.com/ShadowChasing1/status/1385561727559864321
# Reference: https://www.virustotal.com/gui/file/fafcbb35db7cd2725d2f3f4268ffb32390f0e7602263841914fae72f37baca5b/detection

109.236.85.16:5987
myabcxyz1.ddns.net

# Reference: https://twitter.com/ShadowChasing1/status/1387357625013080064

167.86.89.53:1443
167.86.89.53:16688
167.86.89.53:24619
167.86.89.53:6118
167.86.89.53:8843

# Reference: https://twitter.com/cyber__sloth/status/1383394061965348867
# Reference: https://twitter.com/ShadowChasing1/status/1383217637853831169
# Reference: https://twitter.com/_re_fox/status/1383207625874083841
# Reference: https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf
# Reference: https://www.virustotal.com/gui/file/54759951089f44a3918e164b8bf29c8f388cfd41f9930f81b8103852947fed93/detection

http://161.97.142.96/htt_p
http://173.212.224.110/h_ttp
144.91.65.100:6102
144.91.91.236:6102
164.68.108.22:6102
173.212.224.110:6102
173.249.50.230:3245
drivetoshare.com
mailfourms.com
iiieyehealth.com
socialistfourm.com
updatedportal.com
mfahost.ddns.net
newsindia.ddns.net
tor-relay2.innonetlife.com
vmi192147.contaboserver.net
vmi268056.contaboserver.net
vmi296708.contaboserver.net
vmi312537.contaboserver.net
vmi314646.contaboserver.net
demo.smart-hospital.in/uploads/staff_documents/18/html/
demo.smart-hospital.in/uploads/staff_documents/18/h-xmlhttp/
demo.smart-hospital.in/uploads/staff_documents/19/Armed-Forces-Spl-Allowance-Order/html/
demo.smart-hospital.in/uploads/staff_documents/19/Defence-Production-Policy-2020/html/
demo.smart-hospital.in/uploads/staff_documents/19/Images/8534
demo.smart-hospital.in/uploads/staff_documents/19/IncidentReport/html/
demo.smart-hospital.in/uploads/staff_documents/19/ParaMil-Forces-Spl-Allowance-Order/html/
demo.smart-hospital.in/uploads/staff_documents/19/Req-Data/html
demo.smart-hospital.in/uploads/staff_documents/19/Sheet_Roll/html
demo.smart-school.in/uploads/staff_documents/9/Sheet_Roll/html
demo.smart-school.in/uploads/student_documents/12/css/
drivetoshare.com/mod.gov.in_dod_sites_default_files_Revisedrates/html
sparc.org.in/wp-content/uploads/2020/06/now/rt.rtf

# Reference: https://twitter.com/ShadowChasing1/status/1391680709207609347

londonkids.in/preschool/video/Emergency_Vaccination/css/

# Reference: https://twitter.com/KseProso/status/1392063980961734657
# Reference: https://www.virustotal.com/gui/file/2491caddf4445d9297404493c7707b54591c989b94fd4634a7afdf54c0d22e9c/detection

vmi433658.contaboserver.net

# Reference: https://twitter.com/KseProso/status/1392063980961734657
# Reference: https://www.virustotal.com/gui/file/871cab3256acdbc3c27650adde878658568a85b87e85d3e3c137bdeb4592fb2c/detection

173.249.14.104:6140

# Reference: https://twitter.com/KseProso/status/1392064101103378437
# Reference: https://www.virustotal.com/gui/file/c7dbca435039a6148dc25208f04b734465e8b7c92010ede1401d88f5f8003f2d/detection

173.249.14.104:5670

# Reference: https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html
# Reference: https://otx.alienvault.com/pulse/609d7a98443a742cd63c2784

7thcpcupdates.info
armypostalservice.com
clawsindia.com
isroddp.com
larsentobro.com
millitarytocorp.com
pmayindia.com
tprlink.com
awsyscloud.com
cloudsbox.net
datacyncorize.com
digiphotostudio.live
drivestransfer.com
emailhost.network
file-attachment.com
filelinks.live
filestudios.net
hostflix.live
maildrive.email
mediabox.live
mediaclouds.live
mediadrive.cc
mediafiles.live
mediaflix.net
medialinks.cc
mediashare.cc
onedrives.cc
servicesmail.site
shareboxs.net
shareflix.co
sharemydrives.com
shareone.live
sharingmymedia.com
studioflix.net
templatesmanagersync.info
urservices.net
bjorn111.duckdns.org
micrsoft.ddns.net
newsupdates.myftp.org
share.medialinks.cc
social.medialinks.cc
systemsupdated.duckdns.org
tgservermax.duckdns.org
vmd41059.contaboserver.net
vmi433658.contaboserver.net
email.gov.in.attachment.drive.servicesmail.site
email.gov.in.maildrive.email
india.gov.in.attachments.downloads.7thcpcupdates.info
mail.clawsindia.com
mail.isroddp.com
mailer.pmayindia.com
mailout.pmayindia.com

# Reference: https://tria.ge/210514-fsd2fkks9a/behavioral1

5.189.134.216:12538
5.189.134.216:7218
5.189.134.216:9686

# Reference: https://twitter.com/ShadowChasing1/status/1394229310911762434
# Reference: https://www.virustotal.com/gui/file/7f800784b00354dd15eee129317a63bd3f7bb25622e898c873603e5b142cbb09/detection

5-135-125-106.cinfuserver.com

# Reference: https://twitter.com/ShadowChasing1/status/1399012433520324617
# Reference: https://www.virustotal.com/gui/file/71a8e488b3d142bfdfcc4092ac35cf32e7d5e55b68acd262d16707f6a09f9321/detection

134.119.181.142:6672

# Reference: https://twitter.com/bofheaded/status/1399384209353969667
# Reference: https://www.virustotal.com/gui/file/cad6dcfe6942bb5ac648fb25b8aa3359f1d30b6671c132ce8c7c8c3cd08e8825/detection

178.238.229.192:11884
178.238.229.192:15285
178.238.229.192:3687
178.238.229.192:6782
178.238.229.192:8529

# Reference: https://twitter.com/ShadowChasing1/status/1402526383293624323

http://167.86.75.119
selforder.in/wp-content/uploads/wp-commerce/04/05/

# Reference: https://www.virustotal.com/gui/file/d228c1186003ae37e6c9e26222782291fa97580a254e77f290b46c2376b712e4/detection

185.136.169.155:15822

# Reference: https://twitter.com/ShadowChasing1/status/1406962468010614785
# Reference: https://www.virustotal.com/gui/file/907f594f49e498f0526684e03afd76e953b46b2c4947dd260f90f2665b7ff875/detection

afghannewsnetwork.com
dadsasoa.in/font/js/images/files/My-CV/css

# Reference: https://www.virustotal.com/gui/ip-address/144.91.65.100/relations
# Reference: https://www.virustotal.com/gui/file/1ac0288aaebbe07b6145f20dc3ba2c0107ab00b47a4fe90215a784c887bad35d/detection

mmfaa.ddns.net

# Reference: https://www.virustotal.com/gui/file/149b121b8f5755bc841ddd38f8dbcb6f857b00c8943b446ab85e1706e2216bde/detection

http://144.91.65.100

# Reference: https://blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/
# Reference: https://otx.alienvault.com/pulse/60d2f18dfd693f4314446f84
# Reference: https://twitter.com/0xrb/status/1409729774956597250

ankaraembassy.hopto.org
certindia.chickenkiller.com
certindia.ignorelist.com
coronavirusupdate.ddns.net
coronavirusupdate.ddnsking.com
defencecyberorg.myddns.me
frankooxyz2.ddns.net
minofdefence.mooo.com
minofdefenceindia.ddns.net
pmreference.ddnsking.com
iiieyehealth.com/fonts/times/files/Call-for-Proposal-DGSP-COAS-Chair-Excellance/css/
ikiranastore.com/images/files/ist/doc/i.php
londonkids.in/echoolz/assets/css/front/hwo/DATE-OF-NEXT-INCREMENT-ON-UP-GRADATION-OF-PAY-ON-01-JAN-AND-01-JUL/css
londonkids.in/preschool/video/Emergency_Vaccination/css/
minervacollege.co.in/fonts/plugins/mrt/Image-7563/css2

# Reference: https://twitter.com/h2jazi/status/1407788867260923908
# Reference: https://www.virustotal.com/gui/file/aadaa8d23cc2e49f9f3624038566c3ebb38f5d955b031d47b79dcfc94864ce40/detection

5.189.170.84:3901

# Reference: https://www.virustotal.com/gui/file/2bb2a640376a52b1dc9c2b7560a027f07829ae9c5398506dc506063a3e334c3a/detection
# Reference: https://www.virustotal.com/gui/file/d2113b820db894f08c47aa905b6f643b1e6f38cce7adf7bf7b14d8308c3eaf6e/detection

5.189.170.84:3312
iwestcloud.com
/Pick@Whatsoever/Mac.php
/Pick@Whatsoever/Qu33nRocQCl!mbing.php
/Pick@Whatsoever/S3r&eryvUed.php
/Pick@Whatsoever/
/Qu33nRocQCl!mbing.php
/S3r&eryvUed.php

# Reference: https://twitter.com/ShadowChasing1/status/1410157094343364609
# Reference: https://www.virustotal.com/gui/file/af5dec1a8eed98bbab9c03dd76a980edc987347c43798d726b0ca538376f27be/detection

drigablockszip.sytes.net
medizz.co/wp-content/base/phr/shareddocuments/Agenda

# Reference: https://twitter.com/BaoshengbinCumt/status/1411963177626046467
# Reference: https://www.virustotal.com/gui/file/c3e56af0c0a13e8ab4e6f2269d1c15586e72f9b7a90c22980f976e6786388a03/detection

185.233.202.230:44567
templateworkshop.site
/template_storage/normal_template/template48.dot

# Reference: https://twitter.com/ShadowChasing1/status/1411991006489112582
# Reference: https://www.virustotal.com/gui/file/49387b1a799944bb19f5b83cd5a05e421bcaff8ddc59750aba800ec03c447245/detection

167.86.105.43:6588

# Reference: https://twitter.com/teamcymru_S2/status/1412397642286522368
# Reference: https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/

107.173.204.38:6576
107.173.204.38:8586

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt

digitalfilestores.com
filehubspot.com
freewindowssoftware.com
mailupdater.net
mfahost.ddns.net
mffatool.ddns.net
nscinfo.ddns.net
vmi240582.contaboserver.net
vmi281634.contaboserver.net
vmi312537.contaboserver.net
vmi369553.contaboserver.net
vmi388643.contaboserver.net
vmi420862.contaboserver.net
vmi475662.contaboserver.net
vmi489177.contaboserver.net
vmi512038.contaboserver.net
vmi532529.contaboserver.net

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt
# Reference: https://www.virustotal.com/gui/file/132870a1ae6a0bdecaa52c03cfe97a47df8786f148fa8ca113ac2a8d59e3624a/detection

173.249.50.230:1238
muzicmirchi.000webhostapp.com

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt
# Reference: https://www.virustotal.com/gui/file/71bbf2394fe4909a6ce0f7085ca41f21cf5e05e3d761620e4d7f307183fb1e1b/detection

167.86.70.194:9091

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt
# Reference: https://www.virustotal.com/gui/file/852612666095aec2e9f3456ec4f8a9566be2c690c8583aff6055d180507d5476/detection

167.86.70.194:9092

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt
# Reference: https://www.virustotal.com/gui/file/956f0f369082068ef24b76ec162cfc2119adbffda94e33e41b40f39d2f192ffe/detection

161.97.90.175:8080

# Reference: https://twitter.com/bofheaded/status/1420466901466030083
# Reference: https://twitter.com/teamcymru_S2/status/1423281518034575363
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt
# Reference: https://www.virustotal.com/gui/file/57466da1095f6c28d5d7c56d171417bb796b153f1c545e846fee1743cacc15fc/detection
# Reference: https://www.virustotal.com/gui/file/772bc22f6238eb368c47f4d34fb98db9124a44b8443cee92d73c6086609fd2f1/detection

http://149.248.52.61
/vpn-update/vpn-update.php
/weisenborn/aziroboro.php

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt

144.91.65.100:3245
144.91.65.100:4145
144.91.91.236:4140
144.91.91.236:4145
149.248.52.61:2323
149.248.52.61:5656
149.248.52.61:87
149.248.52.61:89
149.248.52.61:8989
161.97.90.175:6666
164.68.104.126:3245
164.68.104.126:4140
173.212.224.110:4140
173.212.224.110:4145
173.249.50.230:1144
173.249.50.230:1244
173.249.50.230:1245
173.249.50.230:1289
173.249.50.230:3245
173.249.50.230:4145

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SideCopy/Network_IOCs_list_for_coverage.txt

http://109.236.85.152
http://164.68.104.126
http://161.97.142.96
http://167.86.75.119
http://173.249.41.175

# Reference: https://twitter.com/Timele9527/status/1419853559860920320
# Reference: https://twitter.com/Timele9527/status/1419853918293544967
# Reference: https://www.virustotal.com/gui/file/8b20b81f05c0acebb97200b5cfa3bec23ddeb9f7307e47c9b942c6f9bee91b44/detection
# Reference: https://www.virustotal.com/gui/file/70fab64895bcfaf7e9bd713e3b3b4c354e19ff9d083285b791d43bb39c5d3253/detection
# Reference: https://www.virustotal.com/gui/file/670bf2bad23645b731a67e3299f4f1692da3bdaa711c588b17024ed916e55438/detection

122.166.149.57:8888
161.97.164.143:20121
161.97.164.143:2121
161.97.164.143:2123
161.97.164.143:2124
161.97.164.143:2122
161.97.164.143:2125
161.97.164.143:8011
161.97.164.143:9512
161.97.164.143:9515
182.188.181.224:2255
certindia.ignorelist.com
certindia.chickenkiller.com
defencecyberorg.myddns.me
email-govin.duia.eu
emailgov-in.sytes.net
kavachhost.ddns.net
nicindia.mywire.org
/005056A0A34C-X-061544/
/005056A052CF-X-445817/
/005056A05902-X-088753/
/005056A0A34C-X-061544/file.pdf
/005056A052CF-X-445817/fastag.jpg
/005056A05902-X-088753/fastag.jpg

# Reference: https://twitter.com/teamcymru_S2/status/1420446957961625602
# Reference: https://www.virustotal.com/gui/file/67a225feedc5ce4adf75acb41e8b0e746e7daaec779225cd72f860a263b92a6e/detection

191.101.172.44:11422
191.101.172.44:14624
191.101.172.44:16621
191.101.172.44:4125
191.101.172.44:6522
64.188.25.206:3389

# Reference: https://www.virustotal.com/gui/ip-address/104.227.146.200/relations

http://104.227.146.200
/KingEfulefu/
/KingEfulefu/login.php

# Reference: https://twitter.com/ShadowChasing1/status/1422452244079779841
# Reference: https://twitter.com/360CoreSec/status/1422403743354482692
# Reference: https://www.virustotal.com/gui/file/8554b5cace52a0fdf0fd3378e4df6606efb45b8ee686ed5b3c1657633405eb85/detection
# Reference: https://www.virustotal.com/gui/file/f5e7b8dddd4137ac008186a4c5e9cb644dc1bbddb61612c29c2087b1efe48974/detection
# Reference: https://www.virustotal.com/gui/file/bc3ff3fb73736649a9aad6ccb811819a912c03aaa9ec81c6fa733f1459e66af9/detection
# Reference: https://www.virustotal.com/gui/file/640ffa981ef531f5ceb98c59cfa1c65a9da9a088dc3157f78ffa0fa6cd5e8e02/detection
# Reference: https://www.virustotal.com/gui/file/72950c1a7d26f9bb6acc0e33d1cd65310db31f5b03c3b3e722ce216bb20f12fe/detection

66.154.112.206:6188

# Reference: https://twitter.com/ShadowChasing1/status/1422914152381616134
# Reference: https://otx.alienvault.com/pulse/610baec1825b7a6f14ae8c21
# Reference: https://www.virustotal.com/gui/file/dc9002bc8fec5e678ae60285dd9fc303e87a9ea15b037be76285e41b50f62f8b/detection

149.248.52.61:91
149.248.52.61:92
149.248.52.61:93
bsnlplots.com/css/css/

# Reference: https://twitter.com/ShadowChasing1/status/1423194120512688133
# Reference: https://www.virustotal.com/gui/file/460c098565a7f5866bb96281ebada37d8e3a7f9e4112de663a05bba470e27929/detection

pafwa.info
independenceday.pafwa.info

# Reference: https://twitter.com/ShadowChasing1/status/1460614611200217093
# Reference: https://www.virustotal.com/gui/file/f79445105ab2dc3c3be899c1e1fd1adca60723f613c242ce4e0b95ee835ac82a/detection

isteandhrapradesh.in/NewSite/Admin/try/b/

# Reference: https://twitter.com/h2jazi/status/1460744936635224064
# Reference: https://twitter.com/h2jazi/status/1460744939105669132
# Reference: https://www.virustotal.com/gui/file/9836cfb7c54febcbbf2b252414dbdc95784ed429c228a363b65b7586ffcc3b0c/detection

194.233.67.90:6785
securedesk.one

# Reference: https://twitter.com/0xrb/status/1460900779175276550
# Reference: https://www.virustotal.com/gui/file/df87afed0b9bef37d4ff79b0065e95b65cb3ffd320dc258548a229720e4bf99f/detection
# Reference: https://www.virustotal.com/gui/file/ac80eb10f16f3da1651b8fcb7dbc714255f4ec9719e922baeeb3499d9bd89e23/detection

mojochamps.com
assessment.mojochamps.com

# Generic

/h_ttp
/h_tt_p
/htt_p
/h_t_t_p
/h-xmlhttp/
/classics/abnormal.php
/classifieds/classifieds.php
/classification/updatecs.php
/Armed-Forces-Spl-Allowance-Order/
/Defence-Production-Policy-2020/
/ParaMil-Forces-Spl-Allowance-Order/
/mod.gov.in_dod_sites_default_files_Revisedrates/
