# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# NOTE(review): entries in this file take several forms: bare domain, host/path,
# ip:port, http:// URL, and host-less URL path. Many host/path entries sit under
# CMS directories of what look like third-party sites (e.g. wp-includes/), so the
# full path is presumably the indicator rather than the whole domain; confirm
# against the cited report before alerting or blocking at domain level.

# Reference: https://securelist.com/muddywater/88059/

adibf.ae/wp-includes/js/main.php
benangin.com/wp-includes/widgets/main.php
ektamservis.com/includes/main.php
gtme.ae/font-awesome/css/main.php
hubinasia.com/wp-includes/widgets/main.php
www.adfg.ae/wp-includes/widgets/main.php
www.cankayasrc.com/style/js/main.php

# Reference: https://fortiguard.com/resources/threat-brief/2018/10/12/fortiguard-threat-intelligence-brief-october-12-2018

alibabacloud.dynamic-dns.net
alibabacloud.wikaba.com
alibabacloud.zzux.com
microsoftofice.zyns.com
microword.itemdb.com
moffice.mrface.com
muonline.dns04.com
office.otzo.com
offlce.dnset.com
online.ezua.com
muhacirder.com
muteciyar.info

# Reference: https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/

3cbc.net/dropbox/icon.icon
pazazta.com/app/icon.png
ohe.ie/cli/icon.png
ohe.ie/cp/icon.png
andreabelfi.com/main.php
andreasiegl.com/main.php
andresocana.com/main.php
amorenvena.com/main.php
amphira.com/main.php
amphibiblechurch.com/main.php

# Reference: https://twitter.com/360TIC/status/1108616188173520896
# Reference: https://otx.alienvault.com/pulse/5c939fbb22017040b7e47be4/

/serverScript/clientFrontLine/getCommand.php
/serverScript/clientFrontLine/helloServer.php
/serverScript/clientFrontLine/setCommandResult.php

# Reference: https://twitter.com/360TIC/status/1081080752438009856

getgooogle.hopto.org
shopcloths.ddns.net

# Reference: https://twitter.com/blackorbird/status/1072314411849797632
# Reference: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
# Reference: https://twitter.com/blackorbird/status/1070911385368809472

ankara24saatacikcicekci.com

# Reference: https://twitter.com/HONKONE_K/status/1115513990594084864

tfu.ae/readme.txt

# Reference: https://otx.alienvault.com/pulse/5caf93777439561cb57d0e2c

googleads.hopto.org
orbe-fzc.com

# Reference: https://research.checkpoint.com/the-muddy-waters-of-apt-attacks/

http://185.117.75.116/tmp.php

# Reference: https://twitter.com/VK_Intel/status/1117673303332667392

http://185.162.235.182

# Reference: https://otx.alienvault.com/pulse/5cb4b3944f62ba0873339ee1

46.105.84.146:443

# Reference: https://twitter.com/HONKONE_K/status/1118406086925504512
# Reference: https://twitter.com/360TIC/status/1118430258451976192

plet.dk/css/
134.19.215.3:443

# Reference: https://twitter.com/ClearskySec/status/1118511605359304705
# Reference: https://app.any.run/tasks/17706fbe-8ac5-45df-b489-c766514cbe0a
# Reference: https://twitter.com/Arkbird_SOLG/status/1133472942661263362

http://185.185.25.175

# Reference: https://securelist.com/muddywaters-arsenal/90659/

78.129.222.56:8090 # LisfonService RAT
192.64.86.174:8980 # Python RAT
104.237.233.38:8085 # SSH Python script
104.237.233.40:7070 # Other stuff
78.129.139.134:8080

# Reference: https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html
# Reference: https://otx.alienvault.com/pulse/5ce2c36a67a0d63bbf18b120
# NOTE(review): the last two entries are host-less URL paths. /serverScript/clientFrontLine/
# is a prefix of the getCommand.php, helloServer.php and setCommandResult.php paths listed
# earlier in this file, so those may be redundant depending on how paths are matched (TODO confirm).

136.243.87.112:3000
http://38.132.99.167/crf.txt
/serverScript/clientFrontLine/
/bcerrxy.php

# Reference: https://habr.com/ru/company/group-ib/blog/452540/ (Russian)
# Reference: https://app.any.run/tasks/04393751-072b-4753-9ab7-5dab2881dc1c/

gladiyator.tk

# Reference: https://twitter.com/Timele9527/status/1134291981176152064

http://185.244.149.218

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/
# Reference: https://otx.alienvault.com/pulse/5cfe6b9d0ecf65e404ef4f85

amazo0n.serveftp.com
shareliverpoolfc.co.uk
shopcloths.ddns.net
zstoreshoping.ddns.net

# Reference: https://twitter.com/Timele9527/status/1138694954140594176

http://185.82.202.240

# Reference: https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf
# NOTE(review): 104.237.233.38:8080 is listed twice in this section; getgooogle.hopto.org
# and googleads.hopto.org also appear earlier in this file. De-duplicate here if the
# consumer of this list does not do so itself.

104.237.233.38:1022
104.237.233.38:8080
104.237.233.40:8443
104.237.233.38:8080
104.237.255.212:443
78.129.139.134:8864
88.99.17.148:443
ciscoupdate2019.gotdns.ch
getgooogle.hopto.org
googleads.hopto.org
latvia-usa.org/wp-includes/customize/main.php
valis-ti.cl/assets/main.php

# Reference: https://twitter.com/HONKONE_K/status/1144438589230419968

http://104.237.255.195
http://91.132.139.196

# Reference: https://twitter.com/0xffff0800/status/1145408553479483392

iec56w4ibovnb4wc.onion

# Reference: https://twitter.com/Rmy_Reserve/status/1146388355162050561
# Reference: https://mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg

http://185.141.27.14
http://185.185.25.175
http://185.244.149.218
http://185.82.202.240
http://83.171.238.62
/ls.php?TOKEN=Pomy
/trjjmfnnv.php
/ttryeJte76.php

# Reference: https://twitter.com/RedDrip7/status/1115873829035835392
# Reference: https://twitter.com/RedDrip7/status/1108617989308309504

46.105.84.146:80
94.23.148.194:80

# Reference: https://twitter.com/blackorbird/status/1156778469960769536

http://46.166.176.242/main.php
instmech.uz/meryem.php

# Reference: https://twitter.com/Timele9527/status/1156762307965231104

http://89.33.246.82

# Reference: https://twitter.com/Rmy_Reserve/status/1170187955412992000
# Reference: https://app.any.run/tasks/150759b8-44c7-4fa8-b518-4e2562964663/

http://graphixo.net/wp-includes/utf8.php

# Reference: https://twitter.com/cyb3rops/status/1184759564656402432
# Reference: https://app.any.run/tasks/46cc133c-f3c6-4834-b139-0020ebed1c1e/

assignmenthelptoday.com

# Reference: https://twitter.com/HONKONE_K/status/1115117276565360641

cms.qa

# Reference: https://otx.alienvault.com/pulse/5dd691c33a60512b0675ee35
# NOTE(review): assignmenthelptoday.com is also listed earlier in this file as a bare
# domain, and graphixo.net/wp-includes/utf8.php earlier with an http:// prefix. The
# bare-domain form is broader than the path form listed here; confirm which scope is intended.

annapolisfirstlimo.com/editob.nvd
assignmenthelptoday.com/wp-includes/utf8.php
graphixo.net/wp-includes/utf8.php
ksahosting.net/wp-includes/utf8.php

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1198400038629781505

ampacindustries.com

# Reference: https://blog.prevailion.com/2020/01/summer-mirage.html
# Reference: https://otx.alienvault.com/pulse/5e1747ff614f5a153bbc1c08

accesemailaccount.tk
accounts-login.ga
accounts-login.gq
accountslogin.ga
apikeyallervice.business
apikeyallervice.com
login-accounts.gq
login-dc2-verifyaccounts.ga
login-dc2-verifyaccounts.tk
login-secure-account.cf
login-secure-account.gq
login-secure-account.ml
loginaccounts.cf
logind2-secure.tk
reauth92-services.sytes.net
roadtosultan1.org
secure-login-accounts.gq
service0auht-center.ddns.net
signin-secure.tk

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1218958514124722176

advanceorthocenter.com/wp-includes/editor.php

# Reference: https://app.any.run/tasks/733ad416-1e4d-455f-9236-b8cf2196f18b/

http://lalindustries.com/wp-content/upgrade/editor.php

# Reference: https://twitter.com/r00tten/status/1219900503032811520

foura.biz/js/elevatezoom-master/editor.php

# Reference: https://twitter.com/blackorbird/status/1248103015862525953
# Reference: https://docs.google.com/document/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub

http://185.24.233.19
robusted1020.chickenkiller.com

# Reference: https://twitter.com/xiaocaiccc/status/1249586935275778048
# Reference: https://www.virustotal.com/gui/file/bf696397784b22f8e891dd0627dce731f288d14d4791ac5d0a906bc1cbe10de6/detection

1nationnews.com/wp-admin/includes/wp-config-ini.php
24newstube.com/wp-config-ini.php
2mseng.com/wp-config-ini.php
3axis.co/wp-admin/includes/wp-config-ini.php
3darch.net/modules/wp-config-ini.php
92pizza.pk/wp-content/plugins/wp-config-ini.php
9newshd.com/wp-config-ini.php
aahung.org/assets/wp-config-ini.php
aboutbodybuildingworkout.com/wp-config-ini.php
aboutduvetcovers.com/Seller/wp-config-ini.php
addictdkp.com/wp-config-ini.php
advcadsys.com/wp-config-ini.php
afikapower.com/wp-config-ini.php
afikaquadpro.com/wp-config-ini.php
afrogeo.com/wp-config-ini.php
ahsanfarooqui.xyz/wp/wp-config-ini.php
ahsfoundation.co.uk/wp-config-ini.php
ahworld.com.pk/wp-config-ini.php
aimalproduction.com/wp-admin/wp-config-ini.php
aimsagro.com/wp-admin/includes/wp-config-ini.php
aimswelfare.org/wp-admin/includes/wp-config-ini.php
albedogida.com/Eski_web/wp-config-ini.php
alessioborzuola.com/downloads/wp-config-ini.php
allsporthealthandfitness.com/wp-config-ini.php
almaqsd.com/wp-includes/wp-config-ini.php
amazingtour.pk/wp-config-ini.php
ancoeng.co.za/wp-config-ini.php
andrebruton.com/wp-config-ini.php
andrew-snyder.net/TemplateData/wp-config-ini.php
anubandh.in/wp-config-ini.php
arabelaholdings.com/wp-config-ini.php
aresebetseng.co.za/wp-config-ini.php
astrumtechnologies.co.za/templates/wp-config-ini.php
azadpattanhpp.com/wp-config-ini.php
balaateen.co.za/less/wp-config-ini.php
bartabee.com/wp-config-ini.php
batthiqbal.com/sagenda/webroot/wp-config-ini.php
bestencouragementwords.com/wp-config-ini.php
bhg-tech.com/wp-config-ini.php
bhsmusic.net/wp-config-ini.php
biglickentertainment.com/wp-config-ini.php
biljum.com/wp/wp-includes/wp-config-ini.php
billielaw.com/wp-config-ini.php
biondi.co/wp-config-ini.php
bitsym.com/wp-content/plugins/duplicate-page/wp-config-ini.php
bitteeth.com/docbank/wp-config-ini.php
blackgoldoilserv.com/wp-config-ini.php
blackstar.com.pk/wp-includes/wp-config-ini.php
blackwolfco.com/wp-config-ini.php
blattoamsterdam.com/wp-config-ini.php
bluefor.com/magento/wp-config-ini.php
blushagency.com/wp-config-ini.php
bmasokaprojects.co.za/wp-config-ini.php
bntlaminates.com/wp-config-ini.php
boardaffairs.com/wp-config-ini.php
breathehope4maira.com/wp-config-ini.php
bridgepakistan.org/wp-config-ini.php
britishofficefitout.com/wp-config-ini.php
broadstone.com.pk/wp-config-ini.php
buhlebayoacademy.com/wp-config-ini.php
burgeystikihut.com/wp-config-ini.php
burlesonlelas.com/wp-config-ini.php
buttarandbuttars.com/wp-config-ini.php
buzzfeedhealth.com/wp-config-ini.php
cafeliquiteria.pk/wp-config-ini.php
cafeperrin.com/wp-config-ini.php
cazochem.co.za/cazochem/wp-config-ini.php
cemsolutions.org/wp-config-ini.php
centuriongsd.co.za/wp-config-ini.php
centuryacademy.co.za/css/wp-config-ini.php
chrishanicdc.org/wpimages/wp-config-ini.php
constructionsolutions.info/wp-includes/wp-config-ini.php
cosmeticsurgeryisb.pk/wp-includes/wp-config-ini.php
coverpixs.com/wp-config-ini.php
craigslistadsposting.com/wp-includes/wp-config-ini.php
createch.solutions/wp-includes/wp-config-ini.php
creativenex.com/wp-includes/wp-config-ini.php
creativetiers.com/wp-config-ini.php
crystaltidings.co.za/wp-config-ini.php
cybercraft.biz/dist/wp-config-ini.php
debnoch.com/image/wp-config-ini.php
diegemmerkat.co.za/wp-config-ini.php
duotonedigital.co.za/wp-config-ini.php
ecs-consult.com/wp-config-ini.php
edgeforensic.co.za/wp-config-ini.php
elemech.com.pk/wp-config-ini.php
evansmokaba.com/evansmokaba.com/thabiso/wp-config-ini.php
fgpcw-kr.edu.pk/wp-admin/includes/wp-config-ini.php
funeralbusinesssolution.com/email_template/wp-config-ini.php
getcord.co.za/wp-config-ini.php
gilforsenate.com/wp-config-ini.php
h-u-i.co.za/heiren/wp-config-ini.php
habibtextiles.pk/wp-config-ini.php
heritagetravelmw.com/wp-config-ini.php
hisandherskennels.co.za/php/wp-config-ini.php
hmholdings360.co.za/wp-config-ini.php
humorcarbons.com/wp-config-ini.php
iancullen.co.za/wp-config-ini.php
icsswaziland.com/wp-config-ini.php
ihlosiqs-pm.co.za/wp-config-ini.php
indiba-africa.co.za/wp-config-ini.php
laraibgroup.com/plugins/system/redirect/wp-config-ini.php
loansonhomes.co.za/wp-config-ini.php
luxconprojects.co.za/wp-config-ini.php
mgamule.co.za/oldweb/wp-config-ini.php
mukhtarfeeds.com/wp-config-ini.php
mumtazandbrohi.com/coughingdish/93grahammiller/wp-config-ini.php
mumtazandbrohi.com/wp-includes/wp-config-ini.php
myhealthmedical.ae/old/includes/wp-config-ini.php
mzansicompanies.co.za/wp-config-ini.php
nbscorporation.co.za/wp-config-ini.php
neomfarming.com/wp-config-ini.php
oc.tsfengineering.com/wp-config-ini.php
odcpkintranet.org/wp-admin/includes/wp-config-ini.php
organisejournalise.co.za/wp-config-ini.php
oursort.co.za/timothyowenauthor/wp-config-ini.php
pamudzi.co.za/wp-config-ini.php
penisdevelopmentcentre.co.za/wp-config-ini.php
pgkhi.com/css/wp-config-ini.php
phoenix.zar.cc/wp-config-ini.php
pkproud.com/roshitrust/wp-config-ini.php
plantconsultants.co.za/wp-config-ini.php
prestbusiness.co.za/wp-config-ini.php
promechtransport.co.za/scripts/wp-config-ini.php
quikteam.com/scripts/contrib/wp-config-ini.php
# NOTE(review): the next entry is the only one in this list ending in db-config-ini.php rather than wp-config-ini.php; confirm against the source report.
rashidalinawabshahi.com/ranwp/db-config-ini.php
saacma.co.za/wp-admin/wp-config-ini.php
seismicfactory.co.za/wp-config-ini.php
servicebox.co.za/wp-config-ini.php
shullen.co.za/wp-config-ini.php
sikanderajam.com/wp-config-ini.php
sinebar.co.za/wp-config-ini.php
sirketcv.com/admin/_islemler/wp-config-ini.php
sonafoundation.org.pk/wp-config-ini.php
tanati.co.za/wp-config-ini.php
thebedspace.com/wp-includes/pomo/wp-config-ini.php
theguitarstudio.co.za/wp-includes/wp-config-ini.php
themotoringcalendar.co.za/wp-config-ini.php
ventronics.co.za/wp-config-ini.php
vhupo-tours.com/wp-config-ini.php
waohost.com/wp-includes/wp-config-ini.php
wicloud.pk/store/wp-config-ini.php
willpowerpos.co.za/wp-config-ini.php
winagainstebola.com/wp-config-ini.php
wmcpk.org/wp/wp-config-ini.php

# Reference: https://twitter.com/iamwinstonm/status/1276804076534034433
# Reference: https://www.virustotal.com/gui/file/1f38eea8caf63ff911fa97f2a20328796a62fc760f24c7e6347753e8112bf92d/detection
# Reference: https://www.virustotal.com/gui/file/92cb75c15da69fd6ef9368c03fd5001778d5fa1f7b024d63c84c13f501d5acd5/detection

http://185.244.149.202
# NOTE(review): bare .gov.tr hostname with no path; confirm spelling and intended scope against the references for this section.
enreji.gov.tr
