# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt23, apt-c-23 (threat actor); micropsia, pierogi (malware families attributed to it in the references below)

# Reference: https://www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-1
# Reference: https://www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2
# Reference: https://content.connect.symantec.com/sites/default/files/2018-08/APT-C-23%20IOCs.pdf (Appendix)

1jve.com
aamir-khan.site
accaunts-googlc.com
accountforusers.website
accountforuser.website
account-gocgle.com
account-googlc.com
accounts-gocgle.com
accounts-googlc.com
accountusers.website
accuant-googlc.com
activedardash.club
alain.ps
alisonparker.club
android-settings.info
apkapps.pro
apkapps.site
appchecker.us
appuree.info
arthursaito.club
aryastark.info
aslaug-sigurd.info
assets-acc.club
bbc-learning.com
bellamy-bob.life
bestbitloly.website
billy-bones.info
bitgames.world
black-honey.club
bob-turco.website
buymicrosft.com
camilleoconnell.website
caroline-nina.com
cassy-gray.club
cecilia-dobrev.com
cecilia-gilbert.com
cerseilannister.info
chat-often.com
christopher.fun
claire-browne.info
clarke-griffin.info
clarke-taylor.life
daario-naharis.info
dachfunny.club
dachfunny.us
dardash.club
dardash.fun
dardash.info
dardash.live
david-mclean.club
david-moris.website
davina-claire.xyz
davos-seaworth.info
debra-morgan.com
donna-paulsen.info
easyshow.fun
eleanor-guthrie.info
eleanorguthrie.site
engin-altan.website
esofiezo.website
everyservices.space
exvsnomy.club
ezofiezo.website
face-book-support.email
fasebcck.com
fasebock.info
fasebook.cam
fasebookvideo.com
fatehmedia.site
firesky.site
flirtymania.fun
freya.miranda-barlow.website
geny-wise.com
gmailservice.us
graceygretchen.info
hareyupnow.club
harper-monty.site
harrykane.online
harvey-ross.info
hayleymarshal.com
hazel-grace.info
hctmial.com
hcttmail.com
help-live.club
help-sec.club
heyapp.website
hitmesanjjoy.pro
hoopoechat.com
hotimael.com
hotmailme.website
italk-chat.com
italk-chat.info
jack-wagner.website
james-charles.club
jimmykudo.online
john-brown.website
jon-snow.pro
jorah-mormont.info
joycebyers.club
juana.fun
kaniel-outis.info
karenwheeler.club
kate-austen.info
katesacker.club
katie.party
kik-com.com
kristy-milligan.website
lagertha-lothbrok.info
leonard-kim.website
leslie-barnes.website
lets-see.site
lexi-branson.website
lincoln-blake.website
lindamullins.info
liz-keen.website
login-yohoo.com
lord-varys.info
lyanna-stark.info
mail-accout.club
mail-goog1e.com
mail-mofa-pna.com
mail-pmi-pna.com
mail-police-sec.com
mail-presidency.com
margaery-tyrell.info
maria-bouchard.website
marklavi.com
mary-crawley.com
masuka.club
matthew-stevens.club
mauricefischer.club
max-eleanor.info
maxlight.us
max-mayfield.com
mediauploader.info
meetme.cam
meet-me.chat
men-ana.fun
michael-keaton.info
miranda-barlow.website
miwakosato.club
mofa-help.site
moneymotion.club
myboon.website
mygift.site
mygift.website
namybotter.info
namyyeatop.club
natemunson.com
new.filetea.me
nightchat.fun
nightchat.live
nissour-beton.com
octavia-blake.world
olivia-hartman.info
oriential.website
ososezo.club
ososezo.site
parrotchat.co
pmi-pna.com
pml-help.site
pml-sac.info
pmo-gov.info
police-sec.club
police-sec.info
pure-talk.com
rachel-green.info
ragnar-lothbrok.info
ran-togomory.com
redirect-wa.com
rexkatsugeki.info
richard-hines.website
rocket-chat.com
rose-sturat.info
ross-gelller.info
sahemnews.dynamicdns.co.uk
sahem.pcanywhere.net
sanblitch.club
sanjynono.website
sapport-accounts.com
saratancredi.info
sec-acoaunt.com
sec-outluck.com
secureaccountes.com
selin-yilmaz.info
sendbird-chat.com
serv2.sandtengineers.info
shahrukh-khan.club
shailene-hazel.life
shailene-tris.xyz
sherlock-holmes.club
shortupload.com
show-me.fun
so-chat.org
sophie-deverau.xyz
sopotfile.website
spgbotup.club
sportliner.website
sybil-parks.info
tawjihi2018.site
tellme.site
top4up.website
tyrion-lannister.info
upload999.com
useraccount.website
usr-accounts-validation.pw
victor-stewart.info
wab-watzapp.com
wab-whtsap.com
wa-loading.com
websetting.me
web-wnatzapp.com
web-wtsapp.com
wes-gibbins.com
whatsaapp.us
whatsapps.cam
whatsusers.fun
whatzopp.com
whispers-talk.com
white-hony.online
whowatchyou.com
win-laive.com
winlife.host
world-cup-live-2018.stream
yahaoa.com
yohoa-users.com
youngmija.club
young-spencer.com
zachlieberman.club
zee-player.com
zee-player.website

# Reference: https://research.checkpoint.com/apt-attack-middle-east-big-bang/
# Note: all eight entries below also appear in the Symantec appendix list above; listed again here for per-reference attribution

exvsnomy.club
namyyeatop.club
spgbotup.club
lindamullins.info
namybotter.info
hitmesanjjoy.pro
ezofiezo.website
sanjynono.website

# Reference: https://twitter.com/ClearskySec/status/1022767002925129730
# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-07-27: APT-C-23 Infrastructure and Micropsia samples)

steve-harrington.com
sophie-deverau.xyz
shailene-tris.xyz
shailene-hazel.life
max-mayfield.com
mauricefischer.club
margaery-tyrell.info
alisonparker.club
young-spencer.com
dardash.club
joycebyers.club
harvey-ross.info
davina-claire.xyz
arthursaito.club

# Reference: https://twitter.com/ClearskySec/status/1067109104492134400
# Reference: https://blog.radware.com/security/2018/07/micropsia-malware/

samwinchester.club

# Reference: https://twitter.com/ClearskySec/status/984700415055925248

relationalsystems.net

# Reference: https://twitter.com/jeFF0Falltrades/status/1132684186446438405

katesalinas.icu

# Reference: https://twitter.com/VK_Intel/status/1142498510845202440
# Reference: https://twitter.com/P3pperP0tts/status/1142760589871259649
# Reference: https://pastebin.com/djxQAE08
# Reference: https://www.virustotal.com/gui/file/345b706ead4b917138c8e8aff0ca5526ee7738f67c19e0d9b2ab5487c90cf547/detection

nfstate.club
fasstt.space
powzip.club
gtmake.info
pre23sence.club

# Reference: https://unit42.paloaltonetworks.com/unit42-badpatch/

pal4u.net
pal2me.net
pay2earn.net
shop8d.net
ts4shope.net
pal4news.net

# Reference: https://www.fortinet.com/blog/threat-research/badpatch-campaign-uses-python-malware.html
# Reference: https://otx.alienvault.com/pulse/5db3616a90ebed5e230cb2d5

tstapi.pal4u.net

# Reference: https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor
# Reference: https://otx.alienvault.com/pulse/5e451c74a860e7f82bef4bc6

linda-callaghan.icu
nicoledotson.icu

# Reference: https://twitter.com/blackorbird/status/1229245744109850624
# Reference: https://www.virustotal.com/gui/file/d095f39823656a99b7bd7d9ad132d5aabbf59862a86253ce067329a491590d13/detection
# Reference: https://www.virustotal.com/gui/ip-address/68.65.121.44/relations
# Reference: https://www.virustotal.com/gui/ip-address/198.54.117.211/relations
# Note: only 68.65.121.44 and 198.54.117.211 are directly covered by the references above; the other 198.54.117.x:1883 entries are
# neighbouring hosts on the same port (1883 is the IANA-registered MQTT port) and should be treated as lower confidence until confirmed

68.65.121.44:1883
68.65.121.44:443
198.54.117.211:1883
198.54.117.217:1883
198.54.117.215:1883
198.54.117.212:1883
198.54.117.218:1883

# Reference: https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/
# Reference: https://otx.alienvault.com/pulse/5e4a58ac2cf3129eb287becc

catchansee.com

# Generic (callback) URL paths: these are matched on the request path and are presumably host-independent, so they are broader than
# the domain/IP entries above; a hit on one of these alone, without a matching host, warrants manual confirmation before escalation

/api/hazard/oneo
/api/white_walkers/
