# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

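# Aliases: shadowhammer, shadowpad, apt41, apt-c-41, double dragon, lowkey
# Note: some entries are single hostnames under what look like shared dynamic-DNS zones
# (ddns.info, longmusic.com, dumb1.com, zzux.com). Match the full hostname only, because
# matching the parent zone would also flag unrelated hosts.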

# Reference: https://securelist.com/operation-shadowhammer/89992/

asushotfix.com

# Reference: https://twitter.com/ydklijnsma/status/1110220766778286080
# Reference: https://twitter.com/ydklijnsma/status/1110189880313692160

homeabcd.com
simplexoj.com

# Reference: https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

103.19.3.17:443
103.19.3.43:443
103.19.3.44:443
103.19.3.44:1194
117.16.142.9:443
23.236.77.175:443
23.236.77.177:443
infestexe.com

# Reference: https://content.fireeye.com/apt-41/rpt-apt41
# Reference: https://otx.alienvault.com/pulse/5d4ae9f31ae8a479422a17ab
# Note: infestexe.com below is also listed under the previous reference group.

agegamepay.com
ageofwuxia.com
ageofwuxia.info
ageofwuxia.net
ageofwuxia.org
bugcheck.xigncodeservice.com
byeserver.com
dnsgogle.com
gamewushu.com
gxxservice.com
ibmupdate.com
infestexe.com
kasparsky.net
linux-update.net
macfee.ga
micros0ff.com
micros0tf.com
notped.com
operatingbox.com
paniesx.com
serverbye.com
sexyjapan.ddns.info
symanteclabs.com
techniciantext.com
win7update.net

# Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
# Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations

http://67.229.97.229
67.229.97.229:5985
67.229.97.229:9999

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html
# Reference: https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/
# Reference: https://otx.alienvault.com/pulse/5da5eaab4516e8056a6d59fb

checkin.travelsanignacio.com

# Reference: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
# Reference: https://otx.alienvault.com/pulse/5e7b4a11d552fbcfce6c314d
# Reference: https://twitter.com/sysgoblin/status/1237054973579583489 (CVE-2020-10189)

http://66.42.98.220
http://91.208.184.78
66.42.98.220:12345
74.82.201.8:12345
91.208.184.78:443
accounts.longmusic.com
dylerays.tk
exchange.dumb1.com

# Reference: https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/
# Reference: https://otx.alienvault.com/pulse/5e95c0d3d12068d29f538338
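# Reference: https://www.virustotal.com/gui/ip-address/66.42.98.220/relations
# Note: http://66.42.98.220 and 66.42.98.220:12345 below are also listed under the previous reference group.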

http://66.42.98.220
66.42.98.220:12345
119.28.139.20:443
alibaba.zzux.com
exchange.longmusic.com
