# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt28, sednit, sofacy, fancy bear, pawn storm, SNAKEMACKEREL, STRONTIUM, zebrocy

# Reference: https://www.alienvault.com/open-threat-exchange/blog/from-russia-with-love-sofacy-sednit-apt28-is-in-town
# Reference: http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/22170
# Reference: http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf
# Note: the domain list below is repeated verbatim (the second copy only adds symanttec.org); the duplicate entries are redundant and one copy can be dropped.

adawareblock.com
adobeincorp.com
azureon-line.com
checkmalware.info
checkwinframe.com
check-fix.com
hotfix-update.com
microsofi.org
microsof-update.com
scanmalware.info
secnetcontrol.com
securitypractic.com
testservice24.net
testsnetcontrol.com
updatepc.org
updatesoftware24.com
windows-updater.com
checkmalware.org
adawareblock.com
adobeincorp.com
azureon-line.com
checkmalware.info
checkwinframe.com
check-fix.com
hotfix-update.com
microsofi.org
microsof-update.com
scanmalware.info
secnetcontrol.com
securitypractic.com
symanttec.org
testservice24.net
testsnetcontrol.com
updatepc.org
updatesoftware24.com
windows-updater.com
checkmalware.org
symanttec.org

# Reference: https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/

drivres-update.info
intelnetservice.com
intelsupport.net
softupdates.info

# Reference: https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf

b-of-americ.com
osce-military.org
bbcnewsweek.com
qov.hu.com
settings-yahoo.com
yovtube.co
googlesetting.com
cbiuaebn.com
cbiuaebank.com
techcruncln.com
un-unicef.org
royalbsuk.com
kwqx.us
middle-eastreview.org
unitednat.org
fbonlinelottery.com
fubnt.com
globeshippers.biz
globeshippers.net
gsandsc.com
gshippers.com
hesselawchambers.com
largefarm.net
regionsbnk.info
seatreasures.org
ssandsc.com
t-d-canadatrust.com
techielawfirms.com
togounoffice.com
ubagroupsgh.com
un-unicef.org
unicomba.com
universalcoba.com

# Reference: https://www.fireeye.com/resources/pdfs/apt28.pdf

standartnevvs.com
novinitie.com
n0vinite.com
qov.hu.com
q0v.pl
mail.q0v.pl
poczta.mon.q0v.pl

# Reference: http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-110315-1233-99

scanmalware.info
malwarecheck.info
adawareblock.com
checkmalware.org

# Reference: https://www.tr1adx.net/intel/public/TIB-00001_IOC_Domain.txt

365msoffice.com
acccountverify.com
accgmail.com
account-close-status.com
accountsteam-en.com
accounts-updated.com
accountverify.com
accountverify.info
adobe-flash-updates.org
adobemainsecurity.com
akadns.info
akamaichecker.com
apple-assistance-localisation.com
apple-care-support.com
apple-cloud-connect.com
applecloudupdate.com
apple-iclouds.net
appleid-security-icloud.com
apple-id-service.com
apple-iphonesecurity-icloud.com
apple-iphone-services.com
apple-location-id.com
apple-security-support.info
apple-support-securityiphone.com
apps4updates.com
arghpxdge01-airgas.com
cavuslawfirm.com
checkfindmyiphone.com
cloud-apple-support.com
cloud-id-localisation.com
csert.net
dateosx.com
defenceglobaladviser.com
delivery-mail-service.com
diplomatscouncil.org
emailprovider.org
emails-aol.com
exchangetrusts.com
facebookonlinenotice.com
facebookservices.org
fbarticles.com
generalscaningcorp.org
generalsecuritycorp.org
generalsecurityscan.com
getwindowsupdates.com
globaldefencetalk.com
gmailservicegroup.com
gmailservices.org
gnpad-gh-gov.org
google-vservice.com
iadb-online.com
icloud-id-en.com
icloud-id-localisation.com
icloud-id-security.com
icloud-id-services.com
icloud-iphonesecurity.com
icloud-iphone-services.com
icloud-localisation-id.com
icloud-security-support.com
icloud-service-apple.com
icloud-support-id.com
identification-apple.com
identification-apple-id.com
identification-icloud-id.com
id-icloud-localisation.com
id-icloud-support.com
imf-eu.org
istoreapple.com
itune-app.com
itunes-helper.net
limited-resolution.com
limited-verification.com
localisation-apple.com
localisation-apple-id.com
localisation-apple-security.com
localisation-id-apple.com
localisation-id-icloud.com
localisation-security.com
localisation-support.com
login-resolve-limitations.com
login-security-center.com
login-security-notification.com
login-security-verifications.com
mailerfeed.net
mail-periodistas.net
microsoftdccenter.com
microsoftfont.com
microsoftofficeupdate.net
mobilehostsvc.com
msfontsrv.com
msmodule.net
msofficeinstall.com
nato-nevvs.org
netcorpscanprotect.com
nvidiagforceup.com
officefont.com
offlineupdates.com
politicsadvertisment.com
pressservices.net
privacy-ukr.net
protectingcorpind.com
proxysys-config.com
reinstate-account.com
reportscanprotecting.org
reservecorpind.com
rsshotmail.com
samsvung.com
secureconnectcompany.com
secure-remove-limitation.com
secure-verification-center.com
security-apple-id.com
security-icloud-apple.com
security-icloud-localisation.com
security-resolution-center.com
security-verification.net
security-verifications.com
shcserv.com
signin-icloudsupport.com
support-icloud-apple.com
support-icloud-localisation.com
support-localisation-icloud.com
support-security-icloud.com
support-svc.com
transfersevices.net
transworldpetroleum.com
twiterservices.org
update-adobe.com
updatepple.com
update-security-information.com
updatesrvx.net
us-facebook.com
windowsofficeupdate.com
winsystemsvc.net
wpadsettings.net
wsusconnect.com
xn--amazo-d8a.com
yuotubc.com

# Sinkholed domains (see sinkhole_sofacy.txt): traffic to these no longer reaches the actor, so a hit indicates a lookup of historical APT28 infrastructure rather than live C2.

34564414564.com
645547657668787.com
access-google.com
account-microsoftonline.com
account-office365.com
accounts-googlc.com
accounts.rsshotmail.com
acledit.com
actblues.com
adfs-senate.email
adfs.senate.qov.info
adfs-senate.services
adobeincorp.com
adobeproduct.com
adobestatistic.com
adobestatistic.org
adobeupdater.org
adobeupdatetechnology.com
advpdxapi.com
akamaicachecdn.com
akamaisoftupdate.com
akamaitechnologysupport.com
akamaitechupdate.com
americanprogress-office365.com
americanprogress-outlook.com
apionedrive.com
apple-checker.org
applecloudupdate.com
apple-iclods.org
apple-iclouds.net
apple-search.info
apple-uptoday.org
app-submitcentre.com
autoupdater.org
bbcnewsweek.com
blacktivist.info
bonjourcheck.com
brookings.sharepoint.liveoffice365.me
changepassword-hotmail.com
checkmalware.info
checkmalware.org
checkwinframe.com
cleanphonetrksftware.com
cloudflarecdn.com
cloudmicrosoft365.com
cloudupgrade.org
dailyforeignnews.com
diplomatnews.org
dncvotebuilder.com
dotnetupdatechecker.com
drivers-update.info
driversupdate.info
dvsservice.com
dvsservice.net
easycache.net
egypressoffice.com
eservicesystems.net
evbrax.org
extad.info
extstat.info
fastcontech.com
faststoragefiles.org
finemagicball.org
generalsecuritycorp.org
globaltechresearch.org
gtranm.com
helpmicrosoft.net
help-msoutlook.com
hotfixmsupload.com
hotmail-monitor.com
hubsg.net
hudsonorg-my-sharepoint.com
info2t.com
inteldrv64.com
intelintelligence.org
intelmeserver.com
intelsupportcenter.com
intelsupportcenter.net
ipv6-microsoft.com
kenlynton.com
lgemon.org
linuxkrnl.net
livemicrosoft.net
liveoffice365.me
login.cloudmicrosoft365.com
login-on-live.com
log-in-osce.org
login-outlook.com
login-security-center.com
loqin-microsoftonline.com
lowprt.org
lucyonmail.org
malwarecheck.info
micoft.com
microsofi.org
microsoftcheckupdate.com
microsoftcorpstatistic.com
microsoftdccenter.com
microsoftdriver.com
microsoftdskservice.com
microsofthelpcenter.info
microsoftonlihe.com
microsoftsecurepolicy.org
microsoftsupp.com
microsoft-update-cdn.com
microsoft-updatecdn.com
microsof-update.com
miropc.org
mlidef.com
mscoresvw.com
ms-drivadptrwin.com
msmodule.com
msmodule.net
msnsupportcare.com
msofficeinstall.com
msoftonline.com
msrdr.com
msrwr.com
ms-update.info
ms-update.net
ms-updates.com
mvsband.com
my-iri.org
mymail-ukr.net
naoasch.com
natoexhibitionff14.com
natoint.com
ndsee.org
netcorpscanprotect.com
networkschecker.net
newfilmts.com
newsdailyworld.com
news.intelsupportcenter.com
nortonupdate.org
noticermk.com
notificationstatus.com
office365-account.com
office365-microsoft.com
office365-onedrive.com
officemicroupdate.com
officeupdater.com
onedrive365.com
onedrivemicrosoft365.com
onedrivemicrosoft.com
onedrive-office365.com
onedriveoffice365.com
one-drive.org
onedrive-outlook.com
outlook-security.org
petropershiyinukra.com
philcfo.org
pldtprv.net
privacy-hotmail.com
profile-hotmail.com
publishdollar.com
qov.info
remsupport.org
reportscanprotecting.org
researchcontinental.org
reservecorpind.com
rsshotmail.com
runssnetworks.com
runvercheck.com
scanmalware.info
sdhjjekfp4k.com
search-microsoft.com
secao.org
secnetcontrol.com
secure.actblues.com
securemicrosoftstatistic.com
securitysls.com
securityupdatereport.com
senate.group
senate.qov.info
seniorsecurityind.com
servicecorptech.com
service-hushmail.com
servicesecupdate.com
service-usa-tre.info
smtprelayhost.com
softwaresupportsv.com
soligro.com
spelns.com
sportszone71.com
supports-microsoft.com
symantecsupport.org
testservice24.net
transparency-office365.com
uber-mails.com
umizg.org
updatepc.org
updatesoftware24.com
updatesvcsys.com
updates-windows.com
updatesystem.info
updatesystems.net
uploader.sytes.net
vascothreatscan.org
webmail-saic.com
webmail-saic.net
whatsapp-in.com
win32support.com
windowofficeupdate.com
windowsappstore.net
windowscheckupdater.net
windowsofficeupdate.com
windowsupdater.net
windowsxupdate.com
winsyscheck.com
winsyschecks.com
winsystemsvc.net
winupdatesysmic.com
wmdmediacodecs.com
worldmilitarynews.org
worldpoliticsnews.org
wsusconnect.com
www.actblues.com
www.adobeupdater.org
www.dailyforeignnews.com
www.diplomatnews.org
www.info2t.com
www.microsoftdriver.com
www.microsofthelpcenter.info
www.mscoresvw.com
www.natoint.com
www.office365-onedrive.com
www.onedrive365.com
www.servicesecupdate.com
www.sportszone71.com
www.symantecsupport.org
www.windowscheckupdater.net
www.winupdatesysmic.com
www.worldmilitarynews.org

# Reference: http://researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/

adobeupgradeflash.com
akamaisoftupdate.com
appservicegroup.com
apptaskserver.com
globalresearching.org
globaltechresearch.org
joshel.com
postlkwarn.com
researchcontinental.org
securityprotectingcorp.com
uniquecorpind.com
versiontask.com

# Reference: http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/

munimonoce.com
wscapi.com
tabsync.net
storsvc.org
servicecdp.com

# Reference: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor

azureon-line.com
mozilla-plugins.com
mozillaplagins.com

# Reference: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/

msonlinelive.com
windows-updater.com
azureon-line.com

# Reference: http://pwc.blogs.com/files/cto-tib-20150420-01a.pdf

defencereview.net
brnlv-gv.eu
militaryobserver.net
netassistcache.com
asus-service.net
aolnets.com
natopress.org
natopress.com
defencereview.eu
intelsupport.net
globalnewsweekly.com
osce-oscc.org
enisa-europa.com
enisa-europa.org
techcruncln.com
nato-hq.com
iacr-tcc.org
nato-int.com
nato-info.com
bmlv-gv.eu
foreignreview.com
mediarea.org
osce-military.org
europeanda.com
softupdates.info
settings-yahoo.com
settings-live.com
delivery-yahoo.com
privacy-yahoo.com
privacy-live.com
westinqhousenuclear.com
webmail.westinqhousenuclear.com

# Reference: https://www.jigsawsecurityenterprise.com/single-post/2017/11/01/Malicious-Documents-Targeting-Security-Professionals
# Reference: https://app.any.run/tasks/8ac81174-d6d0-43d3-b2d2-c26e167a296b/

200200.duckdns.org
357.duckdns.org
ahr0cdovlzkyljiymi4ymdkundkvywn0a.0.d.255.adobeproduct.com
bonjourcheck.com
carlos88.ddns.net
d6231738c34.john-pc.c.mswordupdate17.com
d6238051c34.placehol-6f699a.c.mswordupdate17.com
d6238111c34.placehol-6f699a.c.mswordupdate17.com
d6238158c34.placehol-6f699a.c.mswordupdate17.com
d6238210c34.placehol-6f699a.c.mswordupdate17.com
d6261013c34.placehol-6f699a.c.mswordupdate17.com
d6261024c34.placehol-6f699a.c.mswordupdate17.com
d6261034c34.placehol-6f699a.c.mswordupdate17.com
elaxo.org
fastfileconverter.org
faststoragefiles.org
flashcontentdelivery.net
fsportal.net
googlea.net63.net
hhcghibvywzedwa2iyvsuzzhx8.2.d.255.adobeproduct.com
ikmtrust.com
ip113.ip-91-134-203.eu
jeremizo888.ddns.net
jflynci.com
maskulan.duckdns.org
maskulan.dynu.com
microsoftupdated.com
msoffice-cdn.comns3.cdnmsnupdate.com
myinvestgroup.com
n.3.f.255.adobeproduct.com
n.n.c.255.adobeproduct.com
n.n.c.26055.adobeproduct.com
n.n.c.303ff7b225c14f1498a2.cdnmsnupdate.com
networkschecker.net
ns1.cdnmsnupdate.com
ns2.cdnmsnupdate.com
ns2.ntpupdateserver.com
ns3.cdnmsnupdate.com
peacefund.eu
protectingsearch.com
runssnetworks.com
vascothreatscan.org
w9umi9wrvzsvlvstvfvslbumdfdvda5tl.1.d.255.adobeproduct.com
windows.mswordupdate17.com
windows81.duckdns.org
adobeproduct.com
cdnmsnupdate.com
sdhjjekfp4k.com

# Reference: https://www.threatconnect.com/blog/fancy-bear-leverages-blogspot/

access-apple-login-account.gq
account-activity-verification-login.ga
account-verify-comfirmation-info-login.ga
account-verify-comfirmation-info-login.gq
accountlogin-inc.ga
accountverify-disableinfo-login.gq
alert-new-login-com.ga
apple-realertlogin.gq
appleid-login-appleid.ga
appleid-manageaccountloginupdated.ga
appleidcustomer-servicess-com-loginaccount.ga
appleidcustomer-servicess-com-loginaccount.gq
browsersecurity.ga
change-password.gq
cleantarea-customerlogin-com.ga
clientareasecurity1.gq
clientareasecurity4.gq
com-recoverylogin.gq
com-supportlogin-adminverification.ga
darksecurity.ga
dns-sec-login-apple-invoice-confirmations.ga
dns-webapps-login-account-secure-servers.ga
documentation.gq
documentshandler.ga
emailloginerror.gq
facebook-login-page.gq
failure-login.ga
fileshelp.ga
fileshelp.gq
fileshelpprotut.ga
fileshelpprotut.gq
filestore.gq
goldsecurity.ga
info-apple-login-security.gq
jp-login.gq
locked-service-security.ga
login-bancochile-cl.ga
login-pap-web-access.ga
login-recovery.gq
login-sec-apple-secure-account-updated.ga
login-secure1-mobile.ga
login-unlock-account.ga
login-update-unlock.gq
loginapps-info.ga
loginpaypaas-securityuserid.ga
loginservice-maintanceserversecurity.gq
manage-login.gq
manage-logins.gq
mod-files.ga
mydocuments.gq
newaction-loginactivituresource.ga
newfiles.ga
ns-secures-login-accountjp-updates-community.gq
nursingdocumentation.gq
ourfiles.ga
pdf-document.ga
protector-files.ga
recoverylogin-access.ga
reset-password-com.ga
restore-login-account.gq
review-quilogin.ga
secure-bankofamerica--login-com.ga
secure-bankofamerica--login-com.gq
secure-login-helpid-locked.gq
secure-management-login-account-index-webpass.gq
secure-mobile-login1.gq
secure1-client-login.ga
secure1-client-login.gq
secure1-login-apps.gq
secure5647login-com.ga
security-login-information.gq
securitycenter.ga
securitymail.gq
service-account-home-login.gq
service-autoreset-password-youraccount.ga
service-login-apple-verify-account-locked.gq
servicelogin-access-failed.gq
services-loginaccount.ga
sharefiles.gq
signin-login-php.ga
smtprelayhost.com
srilankadocuments.ga
statement-login-update-info.ga
summary-loginconfirmation.ga
unsecured-login-attempt.ga
verify-login-account-iinformation.ga
verify-login-account-iinformation.gq
welcome-apple-protectyourpassword.gq
www-logined-apple-authsecure.ga

# Reference: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
# Reference: https://app.any.run/tasks/54a21ac9-f915-4556-8800-6f384fbbc6be/
# Reference: https://app.any.run/tasks/50eb1524-d95b-481e-b9d1-766c0a1fda74/

nethostnet.com
hostsvcnet.com
etcrem.net
movieultimate.com
newfilmts.com
fastdataexchange.org
liveweatherview.com
analyticsbar.org
analyticstest.net
lifeofmentalservice.com
meteost.com
righttopregnantpower.com
kiteim.org
adobe-flash-updates.org
generalsecurityscan.com
globalresearching.org
lvueton.com
audiwheel.com
online-reggi.com
fsportal.net
netcorpscanprotect.com
mvband.net
mvtband.net
viters.org
treepastwillingmoment.com
sendmevideo.org
satellitedeluxpanorama.com
ppcodecs.com
encoder-info.tk
wmdmediacodecs.com
postlkwarn.com
shcserv.com
versiontask.com
webcdelivery.com
miropc.org
securityprotectingcorp.com
uniquecorpind.com
appexsrv.net
adobeupgradeflash.com

# Reference: https://twitter.com/DrunkBinary/status/1032706788678950914

unimarkstamp.com
tvopen.online
ndsee.org
lowprt.org
evbrax.org
fbcdn.store

# Reference: https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/

my-iri.org
hudsonorg-my-sharepoint.com
senate.group
adfs-senate.services
adfs-senate.email
office365-onedrive.com

# Reference: https://threatconnect.com/blog/using-fancy-bear-ssl-certificate-information-to-identify-their-infrastructure/
# Reference: https://app.any.run/tasks/516fee6f-1b98-40d2-8dd1-65b9c79bd05e/
# Reference: https://app.any.run/tasks/41b1658f-1bb2-4891-8053-9401706b3ff7/
# Reference: https://app.any.run/tasks/09da60cd-710f-4466-9942-c4eb4862e7fb/

webversionact.org
cdnverify.net
nomartung.org
mdcrewonline.com
supservermgr.com
europehistoricalmuseum.com
vermasterss.com
webviewres.net
funnymems.com
satellitedeluxpanorama.com
space-delivery.com
nanetsdeb.com
fastphotobucket.com
myinvestgroup.com
travelbern.com
rapidfileuploader.org
viters.org
mvtband.net
wmdmediacodecs.com
spelns.com
lgemon.org
lowprt.org
acrobatportable.com
evbrax.org
gtranm.com
reportscanprotecting.org
runvercheck.com
remsupport.org
noticermk.com
globaltechresearch.org
joshel.com
applecloudupdate.com
akamaisoftupdate.com
wsusconnect.com
apptaskserver.com
appservicegroup.com
ppcodecs.com
dateosx.com
dowssys.com
mvsband.com
microsoftstoreservice.com
microsoftdccenter.com
dvsservice.net
dvsservice.com
akamaitechupdate.com
adobeupdatetechnology.com


# Reference: https://www.virustotal.com/#/ip-address/52.28.203.25

updmanager.com
microsoftdriver.com
windowsappstore.net

# Reference: https://github.com/eset/malware-ioc/blob/master/sednit/part2.adoc

1oo7.net
akamaisoft.com
cloudflarecdn.com
driversupdate.info
kenlynton.com
microsoftdriver.com
microsofthelpcenter.info
nortonupdate.org
softwaresupportsv.com
symantecsupport.org
updatecenter.name
updatesystems.net
updmanager.com
windowsappstore.net
ciscohelpcenter.com
microsoftsupp.com
timezoneutc.com
inteldrv64.com
advpdxapi.com

# Reference: https://github.com/eset/malware-ioc/blob/master/sednit/part1.adoc

aljazeera-news.com
ausameetings.com
bbc-press.org
cnnpolitics.eu
dailyforeignnews.com
dailypoliticsnews.com
defenceiq.us
defencereview.eu
diplomatnews.org
euronews24.info
euroreport24.com
kg-news.org
military-info.eu
militaryadviser.org
militaryobserver.net
nato-hq.com
nato-news.com
natoint.com
natopress.com
osce-info.com
osce-press.org
pakistan-mofa.net
politicalreview.eu
politicsinform.com
reuters-press.com
shurl.biz
stratforglobal.net
thediplomat-press.com
theguardiannews.org
trend-news.org
unian-news.info
unitednationsnews.eu
virusdefender.org
worldmilitarynews.org
worldpoliticsnews.org
worldpoliticsreviews.com
worldpostjournal.com
swsupporttools.com
capisp.com
dataclen.org
mscoresvw.com
windowscheckupdater.net
acledit.com
biocpl.org
wscapi.com
tabsync.net
storsvc.org
winupdatesysmic.com

# Reference: https://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf

northropgrumman.org.uk
counterterorexpo.com
nato.nshq.in
bostondynamlcs.com
natoexhibitionff14.com
vice-news.com
world-oil-company.com
hushmali.com
mfanews.info
azureon-line.com
us-mg6mail-service.com
mail.telecharger-01.com
ns1.mfanews.org
updatepc.org
ya-support.com
changepassword-hotmail.com
mail.sofexjordanx.com
kavkazcentr.info
webmail.windows-updater.com
abbott-export.com
mfapress.com
www.eurosatory-2014.com
yavuz16.org
mfauz.com
mrthelp.org
egreetingsfrom.us
kitegacc.net
kitegacc.com
mail.rnil.am
hothookup.net
netschecker.com
webmail-saic.com
intuitstatistics.info
flickr-service.com
n0vinite.com
assaas.org
rnil.cl
helpfromhome.co
gdforum.net
set121.com
academl.com
changepassword-yahoo.com
greetingcardproject.com
adawareblock.com
securitypractic.com
rnil.am
ya-login.com
mx1.g0b.mx
product-update.com
memoinfo.ru
privacy-live.com
tolonevvs.com
us-westmail-undeliversystem.com
test.chmail.in
kakashka.chmail.in
gov.hu.com
us-mg6-transfermail-service.com
us-mg6-mailreport.com
aadexpo2014.co.za
www.gdforum.info
militaryinf.com
valuetable.hk
googlesetting.com
hotmail-monitor.com
junlper.net
www.ya-support.com
g-analytics.net
www.sofexjordanx.com
privacy-yahoo.com
yahoo.chmail.in
windous.kz
youtubeclip.org
aa.69.mu
qov.hu.com
vvorthyhands.org
dkvnz.com
mail.account-flickr.com
bulletin-center.com
yovtube.co
skidkaturag.com
defenceiq.us
mail-google.info
soft-storage.com
clickchekkker.com
intuitanalys.com
sofexjordanx.com
intuitstatistic.com
militaryexponews.com
caciltd.com
windows-updater.com
mail.securitypractic.com
www.surll.me
heidelberqcement.com
armypress.org
sweetcherry.org
account-flickr.com
setnewpass-yahoo.com
scanmalware.info
greetingcardsproject.com
q0v.pl
link-google.com
www.forsvaret.co
link-google.com
cubic.com.co
mail.mrthelp.org
www.us-mg7mail-transferservice.com
vvorthyhands.org
www.vljaihln.com
ifcdsc.org
smigroup-online.co.uk
100plusapps.com
pruintco.com
www.yahoo-monitor.com
www.chmail.in
litu.su
www.dkvnz.com
mail.yahoo-monitor.com
us-mg7mail-transferservice.com
evrosatory.com
wind0ws.kz
farnboroughair2014.com
mfa-gov.info
y-privacy.com
login-osce.org
helpmicrosoft.net
sofexjordan2014.com
malwarecheck.info
update-hub.com
mx3.set121.com
srv-yahoo.com
us-westmail-undeliversystem.com
bostondyn.com
aerospacesystem.us.com
eurosatary.com
telecharger-01.com
chmali.ir
privacy.google-settings.com
yandex-site.com
www.7daysinabudhabi.org
www.account-flickr.com
google-settings.com
ns1.greetingcardproject.com
eurosator.com
update-zimbra.com
asisonlline.org
mfapress.org
ya-login.com
stockliquidationgroup.com
pasport-yandex.com
konami-game.com
www.adawareblock.com
persa124.in
eurosatory-2014.com
clickchekker.com
al-wayi.com
molodirect.net
com-0cd.net
us-mg6mailyahoo.com
finance-reports.everyday.com-w13.net
apple-iclouds.com
unizg.net
mfanews.org
mail.ya-support.com
checkmalware.org
geaviations.com
flashsecurity.org
imperialc0nsult.com
cublc.com
evronaval.com
xuetue2013.com
www.valuetable.hk
mail.chmail.in
nshq.in
forsvaret.co
in-eternal-memory-of.com
www.us-westmail-undeliversystem.com
gdforum.info
sex-toy-shop.org
novinitie.com
yahoo-monitor.com
standartnevvs.com
pornforyou.in
mail.q0v.pl
mail.windows-updater.com
allcashin.com
changepassword-yahoo.com
arnf.bg
gpwpl.com
updateapi.longmusic.com
chmail.in
brokersads.com
testservice24.net
kavkazjlhad.com
livemicrosoft.net
surll.me
accesd-de-desjardins.com
mail.hushmali.com
sunmicrosystem.info
bytly.org
mx.rnil.cl
poczta.mon.q0v.pl
ns.mfanews.org
7daysinabudhabi.org
privacy-hotmail.com
ns1.al-wayi.com
ecards-yahoo.com
eurosatory2014.com
yahoo-analytics.com
www.srv-yahoo.com
set133.com

# Reference: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
# Reference: https://otx.alienvault.com/pulse/55346adeb45ff536ca3ffd2c/

updatecenter.name
securitypractic.com
pass-google.com
drivers-update.info
nato-press.com

# Reference: https://www.symantec.com/security_response/writeup.jsp?docid=2016-031520-4610-99&tabid=2

azureon-line.com
mozilla-plugins.com
mozillaplagins.com

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/

microsoftstoreservice.com
servicetlnt.net
windowsdefltr.net
appexsrv.net
securityprotectingcorp.com
uniquecorpind.com
versiontask.com

# Reference: https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

secao.org
ikmtrust.com
sysanalyticweb.com
lxwo.org
jflynci.com
remotepx.net
rdsnets.com
rpcnetconnect.com
webstp.com
elaxo.org

# Reference: https://twitter.com/Bank_Security/status/1048113406597910528
# Reference: https://www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf

bbcweather.org
beststreammusic.com
brownvelocity.org
bulgariatripholidays.com
coindmarket.com
creekcounty.net
daysheduler.org
escochart.com
fnbcorporate.co.za
fundseats.com
genericnetworkaddress.com
georgia-travel.org
globaltechengineers.org
iboxmit.com
loungecinemaclub.com
malaytravelgroup.com
moderntips.org
moldtravelgroup.com
narrowpass.net
picturecrawling.com
pointtk.com
politicweekend.com
powernoderesources.com
protonhardstorage.com
thepiratecinemaclub.org
topcinemaclub.com
truefashionnews.com
virtsvc.com
worldimagebucket.com

# Reference: https://twitter.com/Jan0fficial/status/1053227074792706048
# Reference: https://pastebin.com/44bJm0Gf

185.203.118.198/en_action_device/center_correct_customer/drivers-i7-x86.php
45.124.132.127/action-center/centerforserviceandaction/service-and-action.php

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/

adfs.senate.group
adfs-senate.email
adfs-senate.services
adfs.senate.qov.info
chmail.ir.udelivered.tk
webmail-ibsf.org
fil-luge.com
biathlovvorld.com
mail-ibu.eu
fisski.ca
iihf.eu

# Reference: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/

188.241.58.170/local/s3/filters.php
188.241.58.170/live/owa/office.dotm
200.122.181.25/catalog/products/books.php

# Reference: https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/

188.241.58.170/local/s3/filters.php
185.203.118.198/en_action_device/center_correct_customer/drivers-i7-x86.php
145.249.105.165/resource-store/stockroom-center-service/check.php
109.248.148.42/agr-enum/progress-inform/cube.php

# Reference: https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/

photopoststories.com

# Reference: https://asert.arbornetworks.com/lojax-fancy-since-2016/

elaxo.org
hp-apps.com
jflynci.com
moldstream.md
msfontserver.com
ntpstatistics.com
oiagives.com
oiatribe.com
peacefund.eu
regvirt.com
remotepx.net
sysanalyticweb.com
treckanalytics.com
unigymboom.com
visualrates.com
vsnet.co
webstp.com

# Reference: https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf

photopoststories.com
proposalprogram.com

# Reference: https://twitter.com/kyleehmke/status/1105151293486710785

radioplaymusicus.com
servertest123.tk

# Reference: https://threatconnect.com/finding-nemohost-fancy-bear-infrastructure/
# Note: associated SSL certificate hash (SHA-256): f27c4270b9b9291f465ba5962c36ce38f438377acff300b5c82b3b145f0c9e94

90update.com
aljazeera-news.com
ambcomission.com
ckgob.com
connectsmd.net
cryptokind.com
deshcoin.com
dmsclock.org
dochardproofing.com
driverfordell.com
ebramka.info
fes-auth.com
hello76.com
hostedopenfiles.net
hostsvcnet.com
intelstatistics.com
kiteim.org
knightconsults.com
kremotevn.net
lasarenas.lt
lopback.com
megauploadfiles.org
ndsee.org
nemaskalitnium.com
neoderb.com
netcorpscanprotect.com
nethostnet.com
networkfilehosting.com
networkxc.net
news-almasirah.net
newsfromsource.com
perfect-remote-service.com
platnosci.biz
postmarksmtp.com
probenet.eu
remnet.org
remonitor.net
remotemanagesvc.net
remsvc.net
rhfcoin.com
sa7efa.com
searchbrain.net
serbview.com
showitem.lt
societyatcuriousteacher.com
spelns.com
startthedownload.com
systemfromcuriousmoment.com
unisecproper.org
unitedprosoftcompany.org
uploadsforyou.com
wintwinbtc.com
wmiapp.com
zpfgr.com

# Passive DNS for sofacy sinkhole 52.45.178.122 (snapshot taken 2019-03-13). Passive DNS on a shared IP may also capture unrelated domains that merely resolved there at the time, so individual entries here are lower confidence than those from the referenced reports above.

1oo7.net
34564414564.com
5thelementq8.com
645547657668787.com
access-google.com
acledit.com
adobeincorp.com
adobeproduct.com
adobeupdater.org
advpdxapi.com
akamaicachecdn.com
akamaisoftupdate.com
apple-checker.org
applecloudupdate.com
apple-iclods.org
apple-search.info
apple-uptoday.org
app-submitcentre.com
autoupdater.org
blacktivist.info
bonjourcheck.com
brownvelocity.org
cdnmsnupdate.com
checkmalware.info
checkmalware.org
checkwinframe.com
cleanphonetrksftware.com
cloudflarecdn.com
dateosx.com
decisionoverpregnantroad.com
dncvotebuilder.com
drivers-update.info
driversupdate.info
dvsservice.net
ecitcom.net
egypressoffice.com
eservicesystems.net
evbrax.org
extad.info
extstat.info
fastdataexchange.org
fastfileconverter.org
faststoragefiles.org
fbcdn.store
fsportal.net
generalsecuritycorp.org
globaltechresearch.org
gtranm.com
hubsg.net
iboxmit.com
iforgot-verification.com
intelmeserver.com
jflynci.com
kenlynton.com
legacydiner.org
lgemon.org
linuxkrnl.net
log-in-osce.org
login-security-center.com
lowprt.org
malwarecheck.info
meteost.com
micoft.com
microsofi.org
microsoftupdated.com
miropc.org
mlidef.com
msrdr.com
msrwr.com
mswordupdate17.com
mvband.net
mvsband.com
mvtband.net
nanetsdeb.com
naoasch.com
natoexhibitionff14.com
ndsee.org
netcorpscanprotect.com
networkschecker.net
newfilmts.com
nortonupdate.org
noticermk.com
petropershiyinukra.com
pldtprv.net
pointtk.com
rapidfileuploader.org
rdsnets.com
remsupport.org
reportscanprotecting.org
reservecorpind.com
rpcnetconnect.com
runssnetworks.com
runvercheck.com
satellitedeluxpanorama.com
scanmalware.info
sdhjjekfp4k.com
secao.org
secnetcontrol.com
securitysls.com
securityupdatereport.com
servicecorptech.com
servicesecupdate.com
servicetlnt.net
service-usa-tre.info
smtprelayhost.com
soft-storage.com
softwaresupportsv.com
softwaresupportsv.name
soligro.com
space-delivery.com
spelns.com
statisticsnetworks.com
supservermgr.com
svit-zer.com
tablebeforehelpfulperson.com
testservice24.net
treckanalytics.com
treepastwillingmoment.com
tvopen.online
uber-mails.com
um10eset.net
umizg.org
unimarkstamp.com
updatepc.org
updatesoftware24.com
updatesvcsys.com
updatesystem.info
updatesystems.net
vascothreatscan.org
vermasterss.com
viters.org
watertolargeprice.com
webstp.com
windowsdefltr.net
wmdmediacodecs.com
wsusconnect.com

# Passive DNS for sofacy sinkhole 52.45.178.122 (snapshot taken 2020-01-14). As with the 2019 snapshot, passive DNS on a shared IP may include unrelated domains that merely resolved there, so treat individual entries as lower confidence than report-sourced ones.

1oo7.net
acledit.com
adobeincorp.com
adobeupdater.org
akamaisoftupdate.com
ambcomission.com
analyticsrequest.com
appservicegroup.com
as23-updater-symantec.org
bbcweather.org
brownvelocity.org
cdnverify.net
cgna.info
checkmalware.info
checkmalware.org
cmdswitch.xyz
coindmarket.com
docs77.com
drivers-update.info
driversupdate.info
dxtveuux.com
eservicesystems.net
esetsmart.org
eskvortsov.com
experiencewithweakkid.com
extstat.info
fastfileconverter.org
faststoragefiles.org
ikmtrust.com
intelmeserver.com
kenlynton.com
linuxkrnl.net
malwarecheck.info
meteost.com
ministernetwork.org
miropc.org
msrwr.com
mvband.net
mysent.org
nanetsdeb.com
netcorpscanprotect.com
nethostnet.com
newfilmts.org
nomartung.org
ntpstatistics.com
pandadefender.com
powerpolymerindustry.com
ppcodecs.com
rapidfileuploader.org
rdsnets.com
reasonwithusefulpolicy.com
reservecorpind.com
rpcnetconnect.com
scanmalware.info
servicetlnt.net
soft-storage.com
softwaresupportsv.name
soligro.com
sourcerepolist.org
statisticsnetworks.com
streetunderrelevantpeople.com
svit-zer.com
systembeforeniceparent.com
tablebeforehelpfulperson.com
testservice24.net
thepiratecinemaclub.org
treepastwillingmoment.com
umizg.org
unimarkstamp.com
updatesoftware24.com
updatesystems.net
varuhusmc.org
virtsvc.com
watertolargeprice.com

# Reference: https://twitter.com/VK_Intel/status/1092324957772750848

/company-device-support/values/correlate-sec.php

# Reference: https://twitter.com/Mao_Ware/status/1092797858301034496

/action-center/centerforserviceandaction/service-and-action.php

# Reference: https://twitter.com/VK_Intel/status/1088145389356806146

/locale/protocol/volume.php

# Reference: https://twitter.com/VK_Intel/status/1076912689119748096

/technet-support/library/online-service-description.php

# Reference: https://twitter.com/VK_Intel/status/1075307666434600960

/advanced/portable_version/service.php

# Reference: https://twitter.com/blackorbird/status/1107593605252677633

appleupdate.org 

# Reference: https://twitter.com/kyleehmke/status/1105151293486710785

radioplaymusicus.com
servertest123.tk

# Reference: https://twitter.com/dewan202/status/1107348923826491392
# Reference: https://www.virustotal.com/gui/ip-address/104.171.117.216/relations
# Note: the entry below carries an explicit http:// scheme, unlike the other URL/IP trails in this file (e.g. 188.241.58.170/local/s3/filters.php); verify the loader strips the scheme or normalize it to match.

http://104.171.117.216
goldenbuckz.com
zoomailer.org

# Reference: https://unit42.paloaltonetworks.com/unit42-sofacy-uses-dealerschoice-target-european-government-agency/

ndpmedia24.com

# Reference: https://twitter.com/kyleehmke/status/1113085089909440513

historicalfilms720hd.com
jazzradiostream.com
rockradiostream.com
msofficelab.com
onlineubersplit.com
renodesmart.com

# Reference: https://twitter.com/VK_Intel/status/1115080282221293568

/supptech18i/suppid.php
/fdfd_iunub_hhert_ps.php

# Reference: https://twitter.com/Bank_Security/status/1115130011160383488
# Reference: https://pastebin.com/atN2w5SE
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-05-ioc-mark.txt
# Reference: https://otx.alienvault.com/pulse/5cab3bf39e861d5e97554699

beatguitar.com
/agr-enum/progress-inform/cube.php
/local/s3/filters.php
/zx-system/core/main-config.php
/en_action_device/center_correct_customer/drivers-i7-x86.php
/db-module/version_1594/main.php
/Verifica-El-Lanzamiento/Ayuda-Del-Sistema/obtenerId.php
/action-center/centerforserviceandaction/service-and-action.php
/company-device-support/values/correlate-sec.php
/SupportA91i/syshelpA774i/viewsupp.php
/technet-support/library/online-service-description.php
/resource-store/stockroom-center-service/check.php
/technet-support/library/online-service-description.php
/advance/portable_version/service.php
/pkg/image/do.php

# Reference: https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals/

functiondiscovery.net

# Reference: https://otx.alienvault.com/pulse/5ce65ec381f415c7dc794d41

/action-center/centerforserviceandaction/service-and-action.php

# Reference: https://www.virustotal.com/#/file/b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44/community
# Reference: https://otx.alienvault.com/pulse/5cefdae12f7645afa995961e

experiencewithweakkid.com
maylaytravelgroup.com
reasonwithusefulpolicy.com
schooltillhungryprocess.com
streetunderrelevantpeople.com
systembeforeniceparent.com

# Reference: https://securelist.com/zebrocys-multilanguage-malware-salad/90680/

http://94.156.189.120
rammatica.com
raveston.com
/manual/current/symphony.php

# Reference: https://twitter.com/ClearskySec/status/1139160272755744774

fatherinfriendlyroad.com
guytillintelligentposition.com
networkcentrals.com
newstyleradio.net

# Reference: https://community.riskiq.com/projects/8b14d778-99be-d744-af06-36ffc0937b38

sportever.org

# Reference: https://community.riskiq.com/projects/47b45f6d-3b11-2082-0c04-dd8720fd3b67

bulgariaholidays.bg
escochartzone.com
thesocialstrategies.com
tripadvicecommunity.com
worldchanneltour.com

# Reference: https://community.riskiq.com/projects/6290b968-d907-d5fb-c31e-9b7bf830ec2c

golivecamp.net

# Reference: https://twitter.com/VK_Intel/status/1145270462559195137

http://213.252.245.32/ControllerReset/view/register/comid/sid.php

# Reference: https://twitter.com/daphiel/status/1148128770014011392

onedrv-live.com
onedrive-sharedfile.com
microsoft-onthehub.com
my-sharepoints.com
my-sharefile.com

# Reference: https://www.vice.com/en_us/article/vvaxy8/evidence-linking-russian-hackers-fancy-bear-to-macron-phishing

accounts-office.fr
en-marche.co
mail-en-marche.fr
onedrive-en-marche.fr
portal-office.fr

# Reference: https://twitter.com/kyleehmke/status/1150834700069552130
# Reference: https://otx.alienvault.com/pulse/5d2db9cc8e1eb4d4d4be15e5

office365-osf.am
office365-osi.am
osfam.events
osfam.team
soros-my-sharepoint.com

# Reference: https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/

128.199.199.187:443
167.114.153.55:443
31.220.61.251:443
82.118.242.171:443
94.237.37.28:443

# Reference: https://medium.com/@rsatter/decoding-the-gru-indictment-bfb2c08fe362
# Reference: https://otx.alienvault.com/pulse/5d88c12375a272432c4cd9ec

cyb3rc.com
electionleaks.com
linuxkrnl.net

# Reference: https://twitter.com/pancak3lullz/status/1176856452780179456

http://185.221.202.35/software-protection/app.php

# Reference: https://threatconnect.com/blog/how-to-investigate-incidents-in-threatconnect/

office365-microsoft.com
syrianhrc.org
aljazeera-news.com
unian-news.info
mastconf.com
farele.co
mofa.farele.co
yandex-control.ru
pentestinglab.com
accountgooogle.com
accounts-gooogl.com
accountsgooglemail.com
afghanistanmfa.net
webmail.afghanistanmfa.net
akragames.net
pus.akragames.net
cloudmicrosoft365.com
cryptogo.net
dcleaks.com
gooogle-login.com
gov-kw.com
mail.kuwaitarmy.gov-kw.com
live-settings.com
login-one.com
mail-hurriyet.com
mailtransferservice.com
newsweekadviser.com
posta-hurriyet.com
smtprelayhost.com
unrightswire.org
mx.unrightswire.org
mail.unrightswire.org
privacy-yandex.ru
emailyandex.ru
action-yandex.ru
report-yandex.ru
yandex-report.ru
service-yandex.ru
activity-yandex.ru
settinqs-yandex.ru
mail-service-yandex.ru
int-live.com
mailsettings-yandex.ru
yandex-report.ru
yandex-control.ru
e-mail-supports.com
team-google.com
accounts-qooqle.com
google-password.com
drive-google.ga
google-login.ml
google-password.ml
top-total.com
drive-auth.com
password-google.com
account.password-google.com
ftp.password-google.com
redirect.screenameaol.com
myaccountgoogle.ga
markburgston.com
service-yandex.ru
delivery-yandex.ru
settinqs-yandex.ru
yandex-site.com
pasport-yandex.com
gdforum.net
gdforum.info
google-passwd.com
hurriyet.org.uk

# Reference: https://twitter.com/kyleehmke/status/1186114823341400064

ovhsec.com

# Reference: https://meltx0r.github.io/tech/2019/10/24/apt28.html
# Reference: https://otx.alienvault.com/pulse/5db2cff18faf1f1d826cd074

pavlodar.news
/modules/Contact/Includes/1c.php
/modules/Contact/Includes/2c.php

# Reference: https://twitter.com/LastlineLabs/status/1022865021343330305

secao.com

# Reference: https://twitter.com/Vishnyak0v/status/1197129423830626318

http://37.120.140.215
http://79.142.70.106

# Reference: https://cdn.area1security.com/reports/Area-1-Security-PhishingBarismaHoldings.pdf
# Reference: https://otx.alienvault.com/pulse/5e1da5a3ca48088035ce6c5a
# Reference: https://twitter.com/kyleehmke/status/1207779048086286336
# Reference: https://twitter.com/kyleehmke/status/1216905172305227776

cubenergy-my-sharepoint.com
dpkshodnya-mysharepoint.com
hudsonorg-my-sharepoint.com
esco-plvnlch.com
kub-gas.com
kvatral95.com
minjust-gov-ua.com
my-ukr.net
soros-my-sharepoint.com

# Reference: https://twitter.com/ydklijnsma/status/1218599851669233666

184.95.51.172
liveserviceonedrive.com     # pDNS
78.142.19.114
photosyncdrive.com          # pDNS
80.255.3.116
gecurrenttime.com           # pDNS
193.70.80.214
aeroservicemax.com          # pDNS
185.141.63.103
scalingreserve.com          # pDNS
109.169.15.73
ovhsec.com                  # pDNS
178.32.251.98
placeuntilknownparent.com   # pDNS

# Reference: https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed
# Reference: https://blog.angelalonso.es/2017/10/hunting-apt28-cve-2017-11292-flash.html?m=0
# Reference: https://www.virustotal.com/gui/file/362a8297a0ff603553e992626a8e28c0aa19d038557da82fe6f4526988601be7/behavior/Tencent%20HABO

blackpartshare.com
mountainsgide.com
contentdeliverysrv.net
space-delivery.com

# Reference: https://doc.emergingthreats.net/bin/view/Main/2023662

gpufps.com

# Reference: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/probing-pawn-storm-cyberespionage-campaign-through-scanning-credential-phishing-and-more
# Reference: https://otx.alienvault.com/pulse/5e736669fcc47a29220ce3f0

0x4fc271.tk
0xf4a5.tk
0xf4a54cf56.tk
546874.tk
change-password.ml
id24556.tk
id451295.com
id6589.com
yahoo-change-password.com

# Reference: http://www.hexcapes.com/sofacy-in-poland/

picturecrawling.com
popdancestream.com
webchartzone.com

# Reference: https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html

http://89.37.226.123/advance/portable_version/service.php

# Reference: https://documents.trendmicro.com/assets/appendix_looking-into-a-cyber-attack-facilitator-in-the-netherlands.pdf
# Reference: https://vxcube.com/recent-threats-ioc/5c74c73ca39bb5786f9664d3/detail

aijazeera.org
blu172maillive.com
catholicsinaliance.org
cc-yahoo-inc.org
defensenews.org
edit-mail-yahoo.com
e-post.byegm.web.tr
eservicesystems.net
euroreport24.com
help-yahoo-service.com
int-live.com
iraqinews.info
itunes-helper.net
live-settings.com
loqin-yandex.ru
mail.byegm.web.tr
mail.g0v.me
mailhost.university-tartu.info
mailhost-ut.ee
mail-hurriyet.com
mail-justus.com.ua
mail.kuwaitarmy.gov-kw.com
mailmil.ae
mail.mofa.g0v.qa
mail-navy.ro
mail.rsaf.qov.sa.com
mail.teiecomitalia.it
mfagreece.com
military-info.eu
mobile-sanoma.net
mycloud-mail.ru
nato-news.com
options-mail.ru
osce-info.com
osce-press.com
pasport-yandex.ru
poczta.mon-gov.pl
posta-hurriyet.com
privacy-facebook.me
privacy-yahooservice.com
redirect2app.cf
reuters-press.com
rn-mail.ru
service-ukr.net
service-yahoo.com
setting-mail.ru
tbmm.qov.web.tr
unbulletin.com
webmail-gov.me
webmail-mil.gr
webmail.mofa.qov.ae
worldpoliticsreviews.com
wsjworld.com
yahoo.securepassword.info

# Reference: https://www.vkremez.com/2019/01/lets-learn-progression-of-apt28-autoit.html
# Reference: https://www.virustotal.com/gui/ip-address/145.249.106.198/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.236.203.53/relations
# Reference: https://www.virustotal.com/gui/file/5b52bc196bfc207d43eedfe585df96fcfabbdead087ff79fcdcdd4d08c7806db/detection
# Reference: https://www.virustotal.com/gui/file/384c9a19dd6f0f73bee575e54801f9608883ae31db1b399a28b8cc5f7aa9a26c/detection

http://80.255.6.5
http://185.236.203.53
http://194.187.249.126
http://220.158.216.127
145.249.106.198:443
185.236.203.53:443

# Reference: https://twitter.com/ShadowChasing1/status/1251164774982795266

bohack51.ddns.net

# Reference: https://twitter.com/dewan202/status/1255582744110862345
# Reference: https://www.virustotal.com/gui/file/7edacdf35900e722b798dbc891159cf1ede9f6d671a86b0f01f9ef802202aa73/detection
# Reference: https://www.virustotal.com/gui/ip-address/185.77.129.152/relations
# Reference: https://www.virustotal.com/gui/ip-address/93.115.38.132/relations

http://185.77.129.152
http://93.115.38.132
/wwpydsmrulkdp/arpz/

# Reference: https://twitter.com/Vishnyak0v/status/1257606954085646337

http://185.221.202.36
/overstock/brand.php

# Reference: https://www.virustotal.com/gui/ip-address/23.227.196.215/relations

http://23.227.196.215

# Reference: https://twitter.com/Vishnyak0v/status/1269651391980736513

http://185.234.52.168
/categories/buildings.php

# Reference: https://app.any.run/tasks/0f0eb583-abcf-4e0f-a803-2b1d3bfdfe47/

http://89.37.226.148
