# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: artradownloader

# Reference: https://github.com/pan-unit42/iocs/blob/master/bitter/iocs.csv

a.churchill91.com
aday.primeservices.mobi
aroundtheworld123.net
chinatel90.com
confirm97.com
destiny91.com
font.jiangsuhost.com
frameworksupport.net
healthnewsone.com
hewle.kielsoservice.net
johnywalter.webatu.com
mappservworldvide.16mb.com
marvel89.com
marvellighter.com
medzone71.com
mob.wirelesssolutions.mobi
nethosttalk.com
newmysticvision.com
red5big.com
sound.muzicwonder.com
spring.tulipnetworks.net
sterling66.com
stingray91.com
styl.crrerc.com
styl.hairparker.com
thematrix.esy.es
thepandaservices.nsiagenthoster.net
victory1983.ddns.net
wills.hairparker.com
wingames2015.com
woodwind71.com
xiovo416.net
zmwardrobe.com

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (article in Chinese)

khurram.com.pk
traxbin.com
wcnchost.ddns.net

# Reference: https://twitter.com/h4ckak/status/1147710998817542145

healthdevicetracker.co

# Reference: https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations
# Reference: https://cert.360.cn/report/detail?id=137867e159331b7a968aa45050502d13
# Reference: https://otx.alienvault.com/pulse/5d4d82f21a9bb34d2b0e65f7

btappclientsvc.net
cdaxpropsvc.net
v3solutions4all.com
v3solutions4all.org
wangluojiumingjingli.org
winmanagerservice.net
winmanagerservice.org

# Generic URL path trails from https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/

/ergdfbd/wscspl
/healthne/accept.php
/healthne/regdl
/ourtyaz/dwnack.php
/ourtyaz/qwe.php

# Reference: https://twitter.com/Timele9527/status/1169430987832344576

gongzuosousuo.net

# Reference: https://twitter.com/blackorbird/status/1169925232255090689

aroundtheworld123.net

# Reference: https://twitter.com/James_inthe_box/status/1166128688175300608
# Reference: https://twitter.com/MeltX0R/status/1170183286712340482
# Reference: https://meltx0r.github.io/tech/2019/09/06/bitter-apt-not-so-sweet.html
# Reference: https://twitter.com/Timele9527/status/1169785910881218560

biocons.pk
gandharaart.org
maq.com.pk
netnsiservice.net
onlinejohnline99.org
sartetextile.com
zhongwenchuantongqiye.com
/kvs06v.php
/lax05u.php
/Mcx2svc.php
/ms2u1p.php

# Reference: https://twitter.com/RedDrip7/status/1170988245561294850
# Reference: https://twitter.com/MeltX0R/status/1171245112082481153

blth32serv.net
w32infinitisupports.net

# Reference: https://twitter.com/blackorbird/status/1182479754965876737

wangluojiumingjingli.org

# Reference: https://twitter.com/James_inthe_box/status/1183927764778274816

lmhostsvc.net

# Reference: https://twitter.com/blackorbird/status/1187662590224191489

nethostsupport.ddns.net
sysintservice.ddns.net

# Reference: https://twitter.com/ccxsaber/status/1192326844529422337

tvnservereventlog.net

# Reference: https://twitter.com/Timele9527/status/1201477767352553472
# Reference: https://twitter.com/Timele9527/status/1201477848852090881
# Reference: https://twitter.com/Timele9527/status/1201477876236701696

cloud-storage-service.com
kerbosim.com
noitfication-office-client.890m.com
office360-pub.16mb.com
quartzu.hol.es

# Reference: https://twitter.com/Rmy_Reserve/status/1224289465872502789

wbclientservice.ddns.net

# Reference: https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf

activemobistore.ddns.net
cbyxhuxo663.ddns.net
flashnewsservice.org
wdibitmapservice.net

# Reference: https://twitter.com/ShadowChasing1/status/1256036038331387904

camncryptsvc.net
/RguhsT/accept.php

# Reference: https://twitter.com/MeltX0R/status/1258870289066319872
# Reference: https://www.virustotal.com/gui/ip-address/63.250.38.240/relations

http://63.250.38.240

# Reference: https://twitter.com/ccxsaber/status/1273442309816770560

usmservice.net
