# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apachestealer, confucius, patchwork, sneepy

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/
# Reference: https://twitter.com/shotgunner101/status/1084111296746921986
# Reference: https://otx.alienvault.com/pulse/5c3c8199888d403ecee5e463

kielsoservice.net
frameworksupport.net

# Reference: https://twitter.com/blackorbird/status/1119518720794058752
# Reference: https://www.virustotal.com/gui/file/e94659941847dac6e5483df31d6429c9bfb339a013079f41ea52e7fe86d7f061/detection
# Reference: https://s.tencent.com/research/report/711.html (Chinese)

crowcatcher.net
global-news.center
useraccount.co
188.241.58.60:21
188.241.58.61:21

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/
# Reference: https://brica.de/alerts/alert/public/1215663/new-confucius-malware-campaign-has-links-to-patchwork-cybergang/

errorfeedback.com

# Reference: https://twitter.com/h4ckak/status/1161208604566966272

http://139.28.38.231

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/
# Reference: https://documents.trendmicro.com/assets/appendix-deciphering-confucius-cyberespionage-operations.pdf

http://199.101.187.54
http://45.63.43.29
http://45.76.33.53
http://46.165.207.108
http://5.135.73.109
http://91.210.107.104
http://94.242.219.205
46.165.249.223:80
5.199.163.51:4343
91.210.107.106:80
91.210.107.109:80
91.210.107.110:80
adhath-learning.com
freeintrnet.com
mfone.net
mofu.tech
simplechatpoint.ddns.net
truth786.com
tweetychat.com
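# Note: the entries below are path-only trails (no host); they match the request path on any destination, so check the destination host before treating a hit as this actor
/android_connect/insert_account.php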
/android_connect/insert_contacts.php
/android_connect/insert_file_list.php
/android_connect/insert_sms.php
/android_connect/upload_file_content.php

# Reference: https://twitter.com/RedDrip7/status/1184099910892670976

yetwq.twilightparadox.com

# Reference: https://twitter.com/spider_girl22/status/1172044630512164864

192.250.236.76:80

# Reference: https://twitter.com/Rmy_Reserve/status/1172016149971619841

upgrading-office-content.esy.es

# Reference: https://twitter.com/Arkbird_SOLG/status/1225014088755044353

185.193.38.24:443

# Reference: https://www.cymmetria.com/wp-content/uploads/2017/10/Unveiling-Patchwork.pdf

163-cn.org
81-cn.net
aaskmee.com
alfred.ignorelist.com
annchenn.com
asiandefnetwork.com
blingblingg.com
chinastrat.com
chinastrats.com
climaxcn.com
cndailynetwork.info
dailychina.news
epg-cn.com
expatchina.info
extremebolt.com
extrememachine.org
extremerebolt.com
eyescreem.com
greatdexter.com
haiwaipengyou.com
info81.com
junshiyuehui.com
letsgetclose.com
lujunxinxi.com
majidalfuttaiim.com
matrixrevolt.com
militaryworkerscn.com
milresearchcn.com
miltechcn.com
miltechweb.com
modgovcn.com
mozarting.com
nduformation.com
newsnstat.com
nextraload.com
nudtcn.com
numeronez.com
nutcn.com
office-rb-support.com
outlookkz.com
pizzahomez.com
qqgroups.info
revoltmax.com
securematrixx.com
sinodefprog.info
socialfreakzz.com
symantecz.com
telemediaz.com
webworldreq.com
wikifedia.space
xbladezz.com
xmachinez.com
you-yisi.com
yue-lao.info

# Reference: https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/
# Reference: https://www.virustotal.com/gui/file/33c061dcf59d17c950fc450593cb4c3df1ee755f3a6a216eafc9717e76bc0858/behavior/VirusTotal%20Cuckoofork

130dozen.com
adhath-learning.com
avtofrom.us
b3autybab3s.com
bookerstream.com
breachframework.com
breachframework.website
chucknorr.com
com-account-jfnjkr.xyz
cooperednews.info
couchypotatoes.com
cutedazzle.com
didlynews.info
fierybarrels.com
fullhalfempty.com
gallopingroses.com
gomadweb.com
greatleonidas.com
jupanto.com
little-nuts.com
magzinehog.com
mysugarbin.com
neistovo.com
news-letters-4u.com
newsscrapper.com
newstodayreviews.com
nophoz.com
onepickle.com
purple-banana.com
romanrugby.com
roseauster.com
sechshun8.com
softwares-free.com
speedeagles.com
stepontheroof.com
stilletowheels.com
tangyball.com
teens3xweb.com
teensechs.com
templetom.com
transseksualov.com
tumblebin.com
twigreader.com
uchitel-nitsa.com
wetcottonballs.com
wond3rfulworld.com
younghogs.com
your3x.com
zadnitsa.com
znaniye-onlayn.com
http://95.211.38.135/search1.php
# Note: path-only trail (no host); matches this request path on any destination
/ipimp.txt

# Reference: https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf

nowhatsapp.com
web.nowhatsapp.com
myrocketchat.com
tweetychat.com
secretchatpoint.com
simplechatpoint.ddns.net
android-helper.info
chatit.club
chaton.life
chaton.live
kahmir-n.com
kashmir-n.com
philionschat.com
sync.chatit.club

# Reference: https://twitter.com/malwrhunterteam/status/1273581262750593030
# Reference: https://twitter.com/JAMESWT_MHT/status/1273583949646893056
# Reference: https://twitter.com/Arkbird_SOLG/status/1273627959170121734
# Reference: https://www.virustotal.com/gui/file/977c81bfab432eaeb119167b5342468918645636aa3dc94bdb993667c2e96693/detection
# Reference: https://www.virustotal.com/gui/file/628172ab0dc7360ebc49ec15f6197d7f26f6e06c370aad9c55e5e87542bcb4ec/detection
# Reference: https://app.any.run/tasks/21e6efb4-751f-4135-9f8d-e3f4a9624c5b/
# Reference: https://app.any.run/tasks/0901274f-49ff-41a4-919d-759a68e79685/

http://185.29.10.117
http://94.156.35.204
185.29.10.117:443
altered.twilightparadox.com

# Generic (path-only trails, no host: matched against the request path regardless of destination)

/4sVKAOvu3D/
/e3e7e71a0b28b5e96cc492e636722f73/
/ABDYot0NxyG.php
/BDYot0NxyG.php
/UYEfgEpXAOE.php
