# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://blog.malwarebytes.com/threat-analysis/2018/09/mass-wordpress-compromises-tech-support-scams/

ads.voipnewswire.net/ad.js
drupalupdates.tk/check.js
cdn.allyouwant.online/main.js
ejyoklygase.tk
examhome.net
mp3menu.org
uustoughtonma.org

# Reference: https://twitter.com/bad_packets/status/1038967603048243200
# Reference: https://www.virustotal.com/#/file/d527ea936ab99a2e3a25cf8786c66c0e07fc509b9465d48dd26065f034795f19/relations

aster18cdn.nl/app.js
feesocrald.com/app.js
istlandoll.com/app.js
soodatmish.com/app.js
play.aster18cdn.nl/app.js
play.feesocrald.com/app.js
play.istlandoll.com/app.js
play.soodatmish.com/app.js

# Reference: https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/

/2131.js
/webmr.js
/webmr-2.js
/webmr-x7.js

# Reference: https://twitter.com/ViriBack/status/1035692468459720704

/r/6jHa5
/r/Lx4er

# Reference: https://www.virustotal.com/#/domain/coinhive.com
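# Reference: https://twitter.com/bad_packets/status/1042627971368939521
# NOTE(review): the entries below are path-only (no hostname). Names such as /lib/captcha.min.js and /lib/miner.min.js are not specific to one host, so confirm the serving host before treating a hit as cryptomining.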

/lib/captcha.min.js
/lib/ch2.min.js
/lib/coinhive.min.js
/lib/miner.min.js
/lib/worker-asmjs.min.js

# Reference: https://www.virustotal.com/#/url/e2887029795c19d1b0d7e97bcd6b29fd25988ea27e8f958ef9af6f9520f97b45/detection

coinimp.com/scripts/min.js

# Reference: https://twitter.com/malwrhunterteam/status/1044950859875012608

/perfekt/perfekt.js

# Reference: https://twitter.com/VK_Intel/status/1021453551975817217

wjcqsstycdujc.eu

# Reference: https://twitter.com/ps66uk/status/1036775592371384320
# Reference: https://twitter.com/ps66uk/status/1026391185953312768
# Reference: https://pastebin.com/izi6pDs8
# Reference: https://threats.kaspersky.com/en/threat/Trojan-Downloader.JS.SLoad/

4play4girls.com/.cabinet/29rf852359-package-updated
adetailimage.com/.customer/3G5QH49725-Your-receipt
alaxvong.com/.customer-area/pack-82AK376-updated
arenaofshrugs.com/.customer-area/package-3M516645-updated
asecretenergyofmiracles.com/.customer-area/pack-42X31841-updated
atlantaseedsmentoringforgirls.com/.customer/1OC358756-your-receipt
ayca.com/.customer/FW8149101-Your-receipt
bakerassistants.com/.safe/GD8JY47086-receipt
bekahwagner.com/.customer-area/package-1GHF7189-updated
beneaththeblackrainbow.com/.customer-area/pack-0VX2107-updated
beneaththeblackrainbow.com/.customer-area/pack-7WRS_214-updated
bettingmlb.com/.customer-area/package-919R-70321-updated
bleuhaven.com/.customer-area/package-79JK8_63195-updated
bollygupshup.com/.advicedetails/0235789168-details
bostonteleprompter.com/.advice-notification/86MZ71628-complete-details
browseright.com/.customer/TI1N01666-your-Receipt
bullcityapparel.com/.safetyarea/TNF4Z521816-order-receipt
buyinggoldhq.com/.customer-area/package-11U492-updated
buzznewscenter.com/.cabinet/2dgp641-package-updated
byxaru.com/.orderdetails/92EW-60267-confirmation
comocuidarme.com/omoc/darme
comunicazionecreativaconsapevole.com/.customer-area/pack-156Q3055-updated
cumbrecapital.com/.customer/6B1R003355-Your-receipt
cumbrecapital.com/.customer/A1K414064-your-Receipt
customers.breastandbodyguidemd.com/.productdetails/8P97438-status-updated
customers.delvecchiopastafresca.com/.personal/package-1XTY6521-updated
customers.golf-classifieds.com/.clientarea/delivery-status-updated
dasheriemagazine.com/.customer-area/pack-24CG4727-updated
db.agile-kanata.com/usernotice/35Z4760-status-update
db.avonbourne.com/usernotice/9RYK9707-status-update
db.bobwu.com/usernotice/71AX0842-notifications
db.boomer-angle.com/usernotice/8T3G41905-notifications
db.careerever.com/usernotice/93I5333-notifications
db.catalinaappraisalservice.com/usernotice/1RJ6972-notifications
db.catalinaappraisalservice.com/usernotice/69V1K3619-notifications
db.digitalwizards.com/usernotice/0CW618-notifications
db.disruptivedrama.com/.safe/66B_410-Receipt
db.falsefiddle.com/.safe/H3X837846-Receipt
db.flyingelephantstudios.com/usernotice/57K5X36453-notifications
db.glennwithrow.com/usernotice/69JY81993-notifications
db.hivetastic.com/usernotice/51X768973-notifications
db.honeycombbooks.net/usernotice/484J7970-notifications
db.icmeet.com/.safe/9L7235-Receipt
db.jclbioassay.com/.safe/S2JA10415-Receipt
db.nobuwrap.com/.safe/E9B3M049671-Receipt
db.nobuwrap.com/usernotice/6L6295-notifications
db.obimfresh.net/usernotice/8O551983-notifications
db.pakkaussuunnittelu.com/usernotice/47E67189-status-update
db.preciselysoftware.com/usernotice/79OE4365-notifications
db.replayrink.com/usernotice/68SEG85567-notifications
db.serendipidance.com/usernotice/9UKS3638-notifications
db.sextoysandmen.com/usernotice/91NRI363-notifications
db.stonyrundesign.com/.safe/CJ0YU149110-receipt
db.stonyrundesign.com/usernotice/81FI02058-notifications
db.strawberryshakemovie.com/usernotice/3485145-notifications
db.whiterivercountry.com/usernotice/1WNO3384-status-update
db.whiterivercountry.com/usernotice/64AW18330-notifications
db.woodenboatgallery.com/usernotice/6CPO02141-notifications
db.yellowstonebrewingcompany.com/usernotice/08CY772-notifications
db.yourfuturebeginshere.com/usernotice/33YHT45331-notifications
dflathmann.com/.customer-area/pack-652B619488-updated
districtframesph.com/.getyourticket/81365093-ticket
drjarad.com/.customer-area/package-5Z4015-updated
durolosangeles.com/.customer-area/package-15H85328-updated
dwiby.com/.customer/3I51694269-Your-Receipt
enataihomes.com/.advice-customers/order-complete-details
eventfish.com/.safetyadvicearea/01686431953-order-Receipt
farmersce.com/.safe/PYN9005J-476356-your-New-Receipt
fitnessdetail.com/.safe/1CUS794179-Receipt
flightcasefilms.com/.customer-area/package-0GZ77952-updated
flipsandals.com/.safetyadvice/36PU815683-Receipt
forsalekentucky.com/.safe/NIUFZ748379-Receipt
forsalemontana.com/.safe/SE-37885-Receipt
foundationtour.com/.customer-area/pack-77ER586-updated
foundationtour.com/.customer-area/package-01ZK1-8120-updated
freewaydeathsquad.com/.cabinet/5ihz6840-pack-updated
fromthedeskofashigeorgia.com/.advice-customers/order-complete-details
fruchile.com/.safe/QF8267H-99740-your-New-receipt
funtimefacepainting.com/.customer-area/pack-5OR7_4582-updated
gettingsecure.com/.safe/THK11097-receipt
goldmaggot.com/.safe/L65P912030-receipt
hercrush.com/.safe/EHR168605-Receipt
holtsberrydesign.com/.customer-area/package-19YY6241-updated
horseharmonyfarm.com/.safe/RDFN509606-Receipt
hoschtonhomesforless.com/.safetyarea/16O711723-order-Receipt
hotnewreads.com/.advicedetails/7XV777-details
howelladventures.com/.safetyadvice/87YA590-Receipt
identitygift.com/.safe/WPVWT808948-receipt
iphone6backgrounds.com/.advicedetails/71PL2590-details
jennanorwood.com/.advice/delivered-status-notification
jvive.com/.customer-area/pack-3BM8_29302-updated
kentuckyinjuryaccident.com/.safe/2GN1356-Your-new-Receipt
kevinecotter.com/.safetyadvice/29K054-receipt
kivacopper.com/.cabinet/14zc_9521-pack-updated
kosmopolitanfinearts.com/.customer-area/package-8WE6996-updated
krcooking.com/.customer-area/package-54GWB-04521-updated
ladyfounder.com/.customer-area/package-830ZO_3159-updated
laibachmusic.com/.safetyarea/UVRN559091-order-receipt
laucacau.com/.safetyadvicearea/0814656528-order-Receipt
lifebyaileen.com/.advice-notification/order-complete-details
longbayhideaway.com/.safetyadvice/JO6OV00947-receipt
lonnielepp.com/.safetyarea/2VC41131-order-receipt
lonnielepp.com/.safetyarea/ENS9Y49504-order-receipt
loulouinhollywood.com/.customer/1P4FC280342-your-receipt
lrsresources.com/.safetyadvice/2MVK655933-Receipt
luchtefeld.com/.safe/CE-737941-Receipt
maloneandcompanyswededfilmfest.com/.safetyarea/003702712-order-Receipt
margotgarnick.com/.customer-area/package-6OF_22197-updated
megachief.com/.safetyadvice/77RUZ57184-Receipt
mjsmallbusinessservices.com/.safetyarea/74C56_2495-order-receipt
motomako.com/.safetyarea/EYGL699416-order-receipt
moveinmandalay.com/.cabinet/11sf_9124-pack-updated
myblagh.com/.safetyadvice/66YS2836-Receipt
northernlightssurvey.com/.productdetails/receipt-details-updated
norway2thailand.com/.customer-area/pack-60HX346-updated
norway2thailand.com/.customer-area/package-9GP_90045-updated
odedadali.com/.advicedetails/026052352956-details
okiostyle.com/.safetyarea/0409669990-order-Receipt
onenationhealing.com/.advicedetails/28MM_665-details
pacificrimbonsai.com/.advice-notification/order-complete-details
paperlovestudios.com/.advicedetails/078391277951-details
passportstatusonline.com/.orderdetails/69X99475-confirmation
pdxinjuryattorney.com/.customer-area/pack-8XD_2636-updated
perimenopausetherapy.com/.cabinet/23hu_5379-pack-updated
philasoup.com/.safetyarea/IVEU187436-order-Receipt
placeklaw.com/.advice/10HF81744-order-receipt
popnuvo.com/.safetyadvice/49RBX589238-receipt
qtheboat.com/.advicedetails/088641320452-details
rescuingchildrenhealingadults.com/.customer-area/pack-474TT-33472-updated
retroframing.com/.customer-area/pack-4RLJ0016-updated
rickyville.com/.customer-area/pack-52JT3992-updated
riideinc.com/.advice/delivered-status-notification
robdonato.com/.advice/91-673620-ticket
rontonsoup.com/.customer-area/pack-00ME-9651-updated
runningvillage.com/.advicedetails/0CQ265196-details
rynegrund.com/.customer-area/package-51QJ728660-updated
saragoldstein.com/.customer-area/pack-772M_3561-updated
saragoldstein.com/.customer-area/package-7FEQ5204-updated
sbicarolinas.com/.safetyadvice/EG778094-Receipt
scottad.com/.customer/1NNZN394864-your-receipt
seoandgrow.com/.safe/CBR00207-receipt
sethpgoldstein.com/.customer-area/package-22AX-42309-updated
sketcheleven.com/.customer-area/pack-5Z04750-updated
sketcheleven.com/.customer-area/package-7OUF_395-updated
smallscalelng.com/.customer/8JY41782-your-new-Receipt
smartglassesdataplans.com/.safe/PJ2B028923-receipt
smokeshopsinc.com/.customer-area/package-06FB3259-updated
solofront.com/.customer-area/pack-25P92664-updated
startabusinessinpa.com/.customer-area/pack-0YQM250-updated
sunandprasad.com/.safetyadvice/3XTV756223-receipt
theartofbridal.com/.customer-area/pack-315J713173-updated
theartofbridal.com/.customer-area/package-1P5212-updated
thefinancialcontrollers.com/.dXNlcLNTF7pUywsgZm5A1KDNHnNlc3ND1pBVMcjXgwhF735D0idpb/3ZG2038-receipt
thehowandwhy.com/.safetyarea/ODSW3456060-order-Receipt
thejunglejournal.com/.customer-area/package-2HH382-updated
thekindlesales.com/.customer/NGJ3494423-your-receipt
themeterminal.com/.safetyadvicearea/088432722890-order-Receipt
thepathlightcenter.com/.customer-area/pack-93IGG_25443-updated
thepynebros.com/.advice/delivered-status-notification
thequietcreatives.com/.customer-area/package-4699700-updated
theseamill.com/.safe/PDQVC123710-receipt
timharwoodmusic.com/.safe/U6N2P16610-Receipt
tinynaps.com/.advicedetails/7F25947-details
top-costumes.com/.safe/P9SVQ222688-Receipt
twobulletsleft.com/.safetyarea/ZNMP57074-order-Receipt
uberdragon.com/.safetyadvice/6O46703705-receipt
urban-meditations.com/.advice/03BEN7818-order-Receipt
valbridgetucson.com/.cabinet/98cg814-pack-updated
valbridgetucson.com/.cabinet/9d5080138-pack-updated
veterantruckingjobs.com/.customer-area/pack-8UVL_62500-updated
videosforwhatsapp.com/.safetyadvice/2LY9480-receipt
wewalk4you.com/.customer-area/pack-864O_5167-updated
whataresquingies.com/.safetyadvicearea/0405470695-order-receipt
wildhowlz.com/.advicedetails/027380256-details
yokosukadoula.com/.advicedetails/0864668306-detail
zenartfree.com/.advicedetails/1Z2-510491-details

# Reference: https://www.symantec.com/security-center/writeup/2018-092007-1208-99
# Reference: https://www.virustotal.com/#/ip-address/212.109.222.157

# Generic callback detection (host-independent URL paths: the entries below carry no hostname)

/js/altmanluggage.js
/js/aureliaskincare.js
/js/bluerooster.js
/js/bvibe.js
/js/caremax.js
/js/craftalley.js
/js/curediva.js
/js/deluxecomfort.js
/js/deroosbv.js
/js/dragonkayak.js
/js/gopestfree.js
/js/hello1010.js
/js/herbsnpuja.js
/js/horusrc.js
/js/indiamags.js
/js/justbuttons.js
/js/kitchenstuff.js
/js/labohemecafe.js
/js/lavignery.js
/js/mitoq.js
/js/mototorque.js
/js/notinshops.js
/js/probanners.js
/js/ramybrook.js
/js/rss_pt.js
/js/siamflorist.js
/js/simplygems.js
/js/singerstore.js
/js/sparxxrx.js
/js/storageshedsoutlet.js
/js/themotley.js
/js/thesingularbathroom.js
/js/totaram.js
/js/tradeplumbing.js
/js/ussi.js
/js/vladofootwear.js
/js/wallerbmx.js

# Reference: https://www.symantec.com/security-center/writeup/2018-092007-1208-99 (JSCoffe domains)

beachyripe.com
coffetea.org
energycoffe.org
energytea.org
lightbulbs-direct.org
teacoffe.net
ukcoffe.com

# Reference: https://twitter.com/unmaskparasites/status/1049723562746146816

/wp-load.js

# Reference: https://twitter.com/malware_traffic/status/1051999693780262912

/flashplayer_41.22_plugin.js

# Reference: https://twitter.com/securitydoggo/status/938750437913776128

/SexyHot19.js

# Reference: https://twitter.com/securitydoggo/status/919906367254728706

/chronopost-colis-suivi.js

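# Reference: https://twitter.com/securitydoggo/status/856526428933943296
# NOTE(review): the entry below contains a literal space. A request path normally carries it percent-encoded (%20), so confirm the matcher compares against the decoded path.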

/Consulta FGTS.js

# Reference: https://blog.sucuri.net/2018/12/localization-and-customization-of-credit-card-stealing-malware.html

kinfirighbetted.host
sales4reason.com
greatwebstat.com

# Reference: https://twitter.com/bad_packets/status/1106430758179110912

blockchainanalyticscdn.com
5b0c4f7f0587346ad14b9e59704c1d9a.top
925e40815f619e622ef71abc6923167f.top

# Reference: https://www.group-ib.com/media/js-sniffer/

gmo.li

# Reference: https://twitter.com/VK_Intel/status/1104109897531224065

host.moresecurity.kz/host/info

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-06-12 Charming Kitten waterhole)

178.32.48.50:8443/node.js

# Reference: https://blog.attacker.net/a-new-wave-of-the-simpleoneline-malware

simpleoneline.online

# Reference: https://twitter.com/p5yb34m/status/1111707577685991424

givemejs.cc/jquery_ui.js

# Reference: https://twitter.com/natmchugh/status/1118851237351497734

so.youneverfind.com/statistics.js

# Reference: https://twitter.com/bad_packets/status/976677742862200832

/5992203285ab3219.3.n.2.1.l60.js

# Reference: https://twitter.com/jeromesegura/status/1121811483195633670
# Reference: https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/

/mage/master/mage.js

# Reference: https://securelist.com/muddywaters-arsenal/90659/

dzoz.us/js/js.js

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/tech-support-scam-employs-new-trick-by-using-iframe-to-freeze-browsers/
# Reference: https://otx.alienvault.com/pulse/5cc71ac7631c3a2f3c67ba7f

/assests/eng_edge_new.html

# Reference: https://twitter.com/gwillem/status/1127617495911804935
# Reference: https://twitter.com/CERTA_intNsec/status/1127849427572527104

assets.pcrl.co/js/jstracker.min.js

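# Reference: https://twitter.com/gwillem/status/1127619061725241349
# NOTE(review): the entry below is a version-pinned asset path on a third-party service host, not a dedicated malicious domain. Presumably it is listed because the hosted file was tampered with at the time of the reference; re-verify before alerting on it long-term. The same likely applies to the neighbouring assets.pcrl.co, d20iczrsxk7wft.cloudfront.net and cdn.ryviu.com entries.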

code.cloudcms.com/alpaca/1.5.17/bootstrap/alpaca.min.css

# Reference: https://twitter.com/gwillem/status/1127890329175244800

d20iczrsxk7wft.cloudfront.net/botwverified/badge.js

# Reference: https://twitter.com/_mmeltzer/status/1128311225228648449

cdn.ryviu.com/js/reviews.js
ww1-filecloud.com

# Reference: https://twitter.com/KorbenD_Intel/status/1133469852579106816

/thecry.js

# Reference: https://www.fortinet.com/blog/threat-research/payment-card-details-stolen-magecart.html
# Reference: https://www.virustotal.com/gui/ip-address/178.33.231.184/relations

/ausliebezumduft.js
/bigmusicshop.js
/brain-payment.js
/darussalam.js
/dotsport.js
/hepler.js
/iloveskininc.js
/kimon.js
/klarna.js
/mycigara.js
/relightdepot.js
/sanasafinaz.js
/stutterheim.js
/turtlecase.js
/whinkel.js

# Reference: https://twitter.com/eComscan/status/1136181192796061697

/baypre.js
/cashionrods.js
/dans.js

# Reference: https://twitter.com/Racco42/status/1136621446053150720

/0001.js

# Reference: https://twitter.com/rootsrv1/status/1136763516285702146

jqueryextd.at

# Reference: https://twitter.com/jeromesegura/status/1137087208630833152

jquers.com
jqueres.com

# Reference: https://twitter.com/luc4m/status/1138430833533104128

/tkeezwbzpl.js

# Reference: https://twitter.com/Racco42/status/1139461501113311232

/urgente.js

# Reference: https://twitter.com/marcelmalware/status/1140723183584272386
# Reference: https://www.virustotal.com/gui/domain/jquery.su/relations

jquery.su

# Reference: https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/

/mhtexp.js

# Reference: https://twitter.com/david_jursa/status/1148199946618732544

/add5.js

# Reference: https://twitter.com/JayTHL/status/1149055957256802307

click.clickanalytics208.com

# Reference: https://thehackernews.com/2019/07/magecart-amazon-s3-hacking.html
# Reference: https://www.zscaler.com/blogs/research/magecart-activity-and-campaign-enhancements

/js/decor.js

# Reference: https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

/zaqedcvfr.js
/zaqwsxcde.js

# Reference: https://decoded.avast.io/threatintel/router-exploit-kits-an-overview-of-routercsrf-attacks-and-dns-hijacking-in-brazil/

/alfuncsync.js
/fingerprint_db.js
akibanoticias.com
tharbadir.com

# Reference: https://twitter.com/James_inthe_box/status/1150794193494630401

/sharing_buttons.js

# Reference: https://twitter.com/adrian__luca/status/1151393084380459009
# Reference: https://app.any.run/tasks/61147c70-2def-4d72-aa32-4b1e45da1180/

/k55qtf704vukk11a8r24riuuoc.js
/pe0gecpi4ins56vi9kfrnh7kbs.js

# Reference: https://blog.sucuri.net/2019/07/fake-google-domains-used-in-evasive-magento-skimmer.html
# Reference: https://otx.alienvault.com/pulse/5d3f2283df812ea7458e98f8

/3f5cf4657d5d9.js
/5d32125dab5ee.js

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/
# Reference: https://otx.alienvault.com/pulse/5d40766ecabf3f345b3811db

/e1cuqrhmik66gu7pr90qk9v3p8.js
/ftp22vfljscml2370rsritui9g.js
/tinyjs.min.js

# Reference: https://twitter.com/smica83/status/1156485272617570304

/factura.js

# Reference: https://twitter.com/ScumBots/status/1157875582765535232

http://156.236.102.78

# Reference: https://twitter.com/securitydoggo/status/1158370884899495936

/2019-National-Intelligence-Coordinating-Agency-Survey-Questionnaire.js

# Reference: https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/

boobahbabies.com
eventsbysteph.com
query.network
connect.clevelandskin.net
connect.clevelandskin.org
track.amishbrand.com
track.positiverefreshment.org
link.easycounter210.com
click.clickanalytics208.com
/s_code.js?cid=

# Reference: https://twitter.com/James_inthe_box/status/1159917575301582848

/JFd0mx.js
/rKPcLW.js

# Reference: https://twitter.com/VK_Intel/status/1162434460731813893

cloudflara.org


# Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
# Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations

/pass_sqzr.jsp

# Reference: https://twitter.com/JAMESWT_MHT/status/1164140106095177731
# Reference: https://app.any.run/tasks/0c5278c0-d505-4873-b612-9318dbbc2733/

/ajwngsj.js

# Reference: https://twitter.com/JAMESWT_MHT/status/1167096432236650497

/0f.js
/1f.js
/2f.js
/3f.js
/4f.js
/5f.js
/6f.js
/7f.js
/8f.js
/9f.js

# Reference: https://twitter.com/StopMalvertisin/status/1167121250847580162

/msg_frr_w3.js
/myjs28_frr_c1.js
/myjs28_frr_s37.js

# Reference: https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html

/r2.js

# Reference: https://twitter.com/killamjr/status/1171122456528150528

tut-64.com
yourservice.live
0wnpr0m0.com

# Reference: https://twitter.com/shotgunner101/status/1174324923499765760

/5d7c50e85111d.js

# Reference: https://www.ibm.com/downloads/cas/O3W1LZAZ

/advnads20.js
/test1ccf.js
/test1try.js
/test2try.js
/test3ccf.js
/test3try.js
/test4ccf.js
/test4try.js
/tongji.js

# Reference: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/

/01sall.js
/02sall.js
/03sall.js
/04sall.js
/05sall.js
/06sall.js
/07sall.js
/08sall.js
/09sall.js
/1566444384.js

# Reference: https://twitter.com/killamjr/status/1178030065486974976

allyouwant.online

# Reference: https://twitter.com/killamjr/status/1178019676653146112

/js/google.analytics.min.js

# Reference: https://www.virustotal.com/gui/ip-address/162.222.213.20/relations

/ikandej.js

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2010/2010-01-14-more-details-on-operation-aurora/more-details-on-operation-aurora.csv

/GDSRScripts.js

# Reference: https://twitter.com/0xFrost/status/1181153730382716928

s04.hostcontent.live
hostingcloud.racing
/Iit5.js

# Reference: https://otx.alienvault.com/pulse/5d9cadcab8eefffbac23367a
# Reference: https://blog.sucuri.net/2017/05/fake-wordprssapi-stealing-cookies-and-hijacking-sessions.html
# Reference: https://www.scmagazineuk.com/cookie-monster-malware-steals-cookies-hijacks-wordpress-sessions/article/1474671

1.newor.net
2.api.viralheadlines.net
3.newor.net
a01.u-ad.info
abtrcking.com
adrenalinecdn.com
agrkings.com
airjss.com
andrewandjack.com
api.behavioralmailing.com
b.nwcdn.xyz
beatchucknorris.com
blozoo.net
bwinpoker24.com
c.radxcomm.com
caphyon-analytics.com
cdn.adpoints.media
cdn.avrti.xyz
cdn.echoenabled.com
cdn.inaudium.com
cdn.jquery.tools
cdn.muse-widgets.ru
cdn.owlcdn.com
cfs.u-ad.info
chat-client-js.firehoseapp.com
cleantds.in
code.jguery.org
con1.sometimesfree.biz
connect.f1call.com
d0.histats.12mlbe.com
da.adsvcs.com
daljarrock.hurlinesswhitchurch.com
dcts.pw
dezaula.com
dup.baidustatic.pw
e.e708.net
earsham.pontypriddcrick.com
flipdigital.ru
frompariswithhate.org
gamescale.vio.rocks
getsocialbuttons.xyz
hmailserver.in
hosted-oswa.org
i.omeljs.info
i.rfgdjs.info
i.selectionlinksjs.info
i3.putags.com
ijquery9.com
infinite-2.tcs3.co.uk
infinite-3.tcs3.co.uk
java.sometimesfree.biz
jquery.im
js.nster.net
js.sn00.net
js.trafficanalytics.online
js2.sn00.net
kanpianjs.top
keit.kristofer.ga
livestats.us
log.widgetstat.net
m.free-codes.org
m.xfanclub.ru
mediros.ru
narnia.tcs3.co.uk
nstracking.com
oasagm82wioi.org
onlinemarketplace.top
ournet-analytics.com
parts.kuru2jam.com
pipardot.com
rarstats.com
s.orange81safe.com
s1.omnitor.ru
sbdtds.com
script.affilizr.com
sdb.dancewithme.biz
seo101.net
spartan-ntv.com
src.dancewithme.biz
srv1.clk-analytics.com
st.segpress.io
st.stadsvc.com
stablemoney.ru
stat.botthumb.com
stat.rolledwil.biz
static.bh-cdn.com
tag.imaginaxs.com
takoashi.net
themes.affect.lt
trafficapi.nl
traffictrade.life
upgraderservices.cf
upskirt-jp.net
w5983.lb.wa-track.com
webstats.xcellenzy.com
widgets.wowzio.net
yourmsrp.com
yys1982.com
zirve100.com

# Reference: https://twitter.com/david_jursa/status/1181925512798773249
# Reference: https://app.any.run/tasks/14d9b5a2-d8d3-41f4-9557-f21aec01fa32/

/xGpmLMHiaqCy-agu1ud6fHqKiTo.js

# Reference: https://twitter.com/david_jursa/status/1183728660710338561

/p8anm0bn388i8bg6sqcv0smlto.js
/uqff1t6racoanqj092dg2q5bg8.js

# Reference: https://twitter.com/MBThreatIntel/status/1184531791102857216

/umbro.js

# Reference: https://twitter.com/tkanalyst/status/1184840339070148609

/5j76hga6tnpo7levlgmhrosuhs.js

# Reference: https://twitter.com/killamjr/status/1185376383180136448

/media/si.js

# Reference: https://twitter.com/GroupIB_GIB/status/1185230751769468928

/js/mirasvit/

# Reference: https://twitter.com/Placebo52510486/status/1141619924512792583

12js.org
12lib.org
16js.org
16lib.org
22js.org
lib0.org
wp11.org

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain:-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/

info-stat.ws

# Reference: https://cyberweek.ae/materials/D4%20TRACK%202%20-%20APT%20Attacks%20On%20Crypto%20Exchange%20Employees%20-%20Heungsoo%20Kang.pdf

analyticsfit.com

# Reference: https://twitter.com/EKFiddle/status/1187034052227784704

/lsdioss612ns.js

# Reference: https://twitter.com/unmaskparasites/status/1181651764921155584
# Reference: https://www.virustotal.com/gui/domain/humsoolt.net/relations

humsoolt.net

# Reference: https://twitter.com/tkanalyst/status/1190975614766833664

/bootstrap.minfc4a.js
/ghost-sdk.minfc4a.js
/highlight.packfc4a.js
/jflickrfeed.minfc4a.js
/jquery.fitvidsfc4a.js
/mainfc4a.js

# Reference: https://wordpress.org/support/topic/malware-infected-file-wordpress-core-wp-includes-wp-tmp-php/
# Reference: https://twitter.com/unmaskparasites/status/1181651764921155584

/afu.php?zoneid=
/apu.php?zoneid=

# Reference: https://www.virustotal.com/gui/ip-address/104.151.24.95/relations
# Reference: https://www.virustotal.com/gui/ip-address/128.14.150.144/relations

/index_files/analytics.js
/index_files/matc.js

# Reference: https://twitter.com/xuy1202/status/1195701523797303296

adsnet.work

# Reference: https://twitter.com/killamjr/status/1198093080966115330

boot-uprenewedintenselyproduct.icu

# Reference: https://twitter.com/xuy1202/status/1199347607920734208

ask-us.pro
askus.mobi
cheofaabridri.gq
forumdownloadforall.mobi
mykeitonly.info

# Reference: https://twitter.com/xuy1202/status/1199595200949059584

/js/jquery/advListRotator.js

# Reference: https://twitter.com/nullcookies/status/1200576466150477824

/js/faker_secrets.js

# Reference: https://twitter.com/xuy1202/status/1201778263271436289

cdn.buycongestion.com
top.worldtraffic.com

# Reference: https://twitter.com/gwillem/status/1201647716352380929

sequracdn.net
live.sequracdn.net
/modrrnize.js

# Reference: https://twitter.com/JCyberSec_/status/1201850074822778880

/5c3a398f10058.js

# Reference: https://twitter.com/JCyberSec_/status/1201850062994903045

/jquery_noconflict.js

# Reference: https://www.getastra.com/blog/911/how-magecart-attackers-are-continuing-to-affect-e-commerce-platforms/

/js/everlast.js
/js/mage.js

# Reference: https://twitter.com/JCyberSec_/status/1202575691365191680
# Reference: https://www.virustotal.com/gui/domain/marketplace-magento.com/relations
# Reference: https://www.virustotal.com/gui/ip-address/181.214.86.150/relations
# Reference: https://www.virustotal.com/gui/domain/phplib.net/relations

/authoriz-getway.js
/authorizenet-getway.js
/BancesellaGetway.js
/bancasella-getway.js
/braintree-getway.js
/direct-getway.js
/gestpaypro-getway.js
/PaymentGetway.js

# Reference: https://twitter.com/gwillem/status/1202602117510451200

2chat.top

# Reference: https://twitter.com/JCyberSec_/status/1202903192192901120

/js/AuthorizenetMagento.js

# Reference: https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html

/vmartgo.js

# Reference: https://twitter.com/xuy1202/status/1204778227517935616

/2RuLm5ldHdvcmsx.js
/9nRYFAGehAFJJ7u.js
/klei53Wl6dT2bSF6S.js

# Reference: https://twitter.com/ninoseki/status/1204971169658523649
# Reference: https://www.virustotal.com/gui/ip-address/1.171.162.250/relations

/user_info_uploader

# Reference: https://twitter.com/JCyberSec_/status/1206919450802438144
# Reference: https://twitter.com/JCyberSec_/status/1206919471597850624

/5c117b7b019cb.js
/5c12fffeea71e.js
/5c21f3dbf01e0.js
/5c3a398f10058.js
/5c13086d94587.js
/5d94c29e12536.js
/5d2c953326774.js

# Reference: https://twitter.com/killamjr/status/1207685407229526023

sgamno.com

# Reference: https://twitter.com/tkanalyst/status/1210663918953123841

/3pik20j30ri0f17q37u2s4mkms.js

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1213878934514864128

site-great.xyz

# Reference: https://twitter.com/JayTHL/status/1214207517590511616
# Reference: https://twitter.com/JayTHL/status/1214240539563966465

static.srcspot.com
/libs/carlos.js
/libs/darrel.js
/libs/galindo.js

# Reference: https://twitter.com/aglongo/status/1214575812646752259

/js/b76dadb06c3582b7f598111d60f2f944.js
/js/ee497bb12cf272d333449cd79582c289.js
/js/34dbc8a61ab0c8e3f7fc444d83b8a3d4.js

# Reference: https://twitter.com/ScumBots/status/1218627885579362304
# Reference: https://twitter.com/pmelson/status/1218655235205451777

149.248.1.128:443
149.248.1.128:80

# Reference: https://twitter.com/unmaskparasites/status/1219611201891708928

admarketresearch.xyz
adsformarket.com

# Reference: https://twitter.com/matr0cks/status/1220418827751763969

/jqueryprivatesecurity.js
/onloadsecurityvalidate.js

# Reference: https://twitter.com/unmaskparasites/status/1206662128213594117

whoisloookup.com

# Reference: https://twitter.com/benkow_/status/1222457832810991616
# Reference: https://www.virustotal.com/gui/domain/bamblbee.store/relations

bamblbee.store

# Reference: https://twitter.com/pjcampbe11/status/1222556092242317315
# Reference: https://www.helpnetsecurity.com/2019/09/24/cve-2019-1367/
# Reference: https://otx.alienvault.com/pulse/5e32f827509fbbbeb2d3ee2a

202.122.128.28:80
largeurlcache.com

# Reference: https://twitter.com/david_jursa/status/1223740643912093696

/fc1i4iicca17n7p0h8mrsb0jfs.js
/lhglbfj4if5d1hisd2iuha1670.js

# Reference: https://twitter.com/FaLconIntel/status/1229004752312078336

/veugi45pre97c4koiurgjg0ar0.js

# Reference: https://www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/

coolbrowsering.xyz
alfapromo.info
archivepoisk-zone.info
onlinemobsoft.ru
anyaaplanet.info
decentsite.xyz
archivepoisk.info
sympleplace.info
adsmeneger.club

# Reference: https://twitter.com/felixaime/status/1236196571928236037

scriptcdn.info

# Reference: https://twitter.com/unmaskparasites/status/1235190676838633477

collectfasttracks.com

# Reference: https://twitter.com/unmaskparasites/status/1241068775157510144
# Reference: https://publicwww.com/websites/%22scriptalicious.info%22/

scriptalicious.info

# Reference: https://twitter.com/blackorbird/status/1245597745403969544

/t0uch/tou64.js
/t0uch/tou86.js

# Reference: https://twitter.com/d09r_/status/1245306272175419392

/o93jak2nm1k2.js

# Reference: https://twitter.com/unmaskparasites/status/1250469460617637891
# Reference: https://www.virustotal.com/gui/domain/stivenfernando.com/relations

stivenfernando.com

# Reference: https://twitter.com/fahadsoror/status/1251638383245475840

underthebreach.com/breach-protection

# Reference: https://www.kitploit.com/2020/04/flux-keylogger-modern-javascript.html

/42963187845881.js

# Reference: https://unit42.paloaltonetworks.com/how-cybercriminals-prey-on-the-covid-19-pandemic/

coronamasksupply.com
coronavirusinrealtime.com
coronashirts.store

# Reference: https://sansec.io/labs/2018/08/30/magentocore.net_skimmer_most_aggressive_to_date/

/19303817.js

# Reference: https://twitter.com/unmaskparasites/status/1254766052296122368
# Reference: https://www.virustotal.com/gui/domain/trackstatisticsss.com/relations
# Reference: https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/

adsforbusines.com
stivenfernando.com
ps.stivenfernando.com
ws.stivenfernando.com
trackstatisticsss.com
stat.trackstatisticsss.com

# Reference: https://www.virustotal.com/gui/domain/crisgrey.com/relations

crisgrey.com

# Reference: https://www.virustotal.com/gui/domain/cdn-js.net/detection

cdn-js.net

# Reference: https://twitter.com/unmaskparasites/status/1260542044747059200

digestcolect.com
css.digestcolect.com
js.digestcolect.com

# Reference: https://www.virustotal.com/gui/ip-address/51.15.20.78/relations

go1news.biz
lodder.info
lodders.club
news98.biz
newtext.club
noorotin.biz
report3.biz
retoore.biz
solo8.biz
vinuser6.biz
w1sercher.biz
wwserch41.biz

# Reference: https://twitter.com/CERT_Polska_en/status/1270623116931317760
# Reference: https://pastebin.com/raw/Ap38Fr7e
# Reference: https://pastebin.com/raw/YyYs8Her

/myjs28_frr_b7.js
/myjs28_frr_c1.js
/myjs28_frr_j2.js
/myjs28_frr_n01.js
/myjs28_frr_n02.js
/myjs28_frr_s17.js
/myjs28_frr_s20.js
/myjs28_frr_s21.js
/myjs28_frr_s22.js
/myjs28_frr_s23.js
/myjs28_frr_s29.js
/myjs28_frr_s30.js
/myjs28_frr_s31.js
/myjs28_frr_s33.js
/myjs28_frr_s35.js
/myjs28_frr_s36.js
/myjs28_frr_s37.js
/myjs28_frr_s38.js
/myjs28_frr_s39.js
/myjs28_frr_s4.js
/myjs28_frr_s45.js
/myjs28_frr_s47.js
/myjs28_frr_s48.js
/myjs28_frr_s49.js
/myjs28_frr_s50.js
/myjs28_frr_s51.js
/myjs28_frr_s52.js
/myjs28_frr_s55.js
/myjs28_frr_s7.js
/myjs28_frr_w1.js

# Reference: https://twitter.com/ScumBots/status/1271482475546660864

141.255.154.194:1666
fivemmods222.ddns.net

# Reference: https://twitter.com/xuy1202/status/1272842659183255553

hellokity.in

# Reference: https://twitter.com/ScumBots/status/1274497302628098048

91.153.0.57:1556
