# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/plugx-goes-to-the-registry-and-india.pdf?la=en

freetimes.dns05.com
lucas1.dnset.com
supercat.strangled.net
nusteachers.no-ip.org
ruchi.mysq1.net
lucas1.freetcp.com
unisers.com
freemoney.ignorelist.com
sumy2012.jkub.com
dheeraj_gaurav.mooo.com
notebookhk.net
togolaga.com


# Reference: https://www.threatcrowd.org/listMalware.php?antivirus=plugx

hpservice.homepc.it
facebook.controlliamo.com
twititier.com
peaceful.linkpc.net
mongolia.regionfocus.com
shuimengluosuo.freetcp.com
ria-ru.xicp.net
itar-tass.xicp.net

# Reference: https://citizenlab.ca/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/

dnsupdate.dynamic-dns.net
good.wha.la

# Reference: https://citizenlab.ca/2015/10/targeted-attacks-ngo-burma/
# Reference: https://www.virustotal.com/#/file/365eeb1d5d8282188e5bbfadfda184e612eef61c2398b7c18cad4c31ce7225d1/detection

t1.mailsecurityservice.com
t2.mailsecurityservice.com
client.mailsecurityservice.com

# Reference: https://twitter.com/h4ckak/status/1163328926573137922

apple-net.com

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/plugx-rat-with-time-bomb-abuses-dropbox-for-command-and-control-settings/

bakup.firefox-sync.com
immi.firefox-sync.com
imm.heritageblog.org

# Reference: https://twitter.com/ClearskySec/status/968145266451894278

cisco-ipv4.com

# Reference: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

dicemention.com
micrnet.net
rumiany.com
yandcx.com

# Reference: https://twitter.com/killamjr/status/1190019855434563600
# Reference: https://app.any.run/tasks/8286e7e1-710a-4570-805d-8a03395caa31/

wouderfulu.impresstravel.ga

# Reference: https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html
# Reference: https://otx.alienvault.com/pulse/5dd2b17f1b7dcef51f0ed38d

steam.suspendedio.com
steams.microsoftdepot.com
update.google.com.updatesrvers.org

# Reference: https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
# Reference: https://otx.alienvault.com/pulse/5e42e25df089cc9cfb28d1d0

apple-net.com
freesmadav.com
infosecvn.com
lameers.com
mmfhlele.com
olk4.com

# Reference: https://app.any.run/tasks/d4e14bc3-7adb-41db-9998-ee6b7e2c21b3/
# Reference: https://www.circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

help.yahoo-upgrade.com
support.yahoo-upgrade.com
update.ayuisyahooapis.com
support.ayuisyahooapis.com
update.trendmicrosoft.co.in

# Reference: https://github.com/silence-is-best/c2db#plugx

185.239.226.61:8080

# Reference: https://twitter.com/kienbigmummy/status/1240559063479402497
# Reference: https://www.virustotal.com/gui/file/6a4224517d66e07707f5a18793dfb3dcecd79bf0e913f9571850637c22b13fe8/detection
# Reference: https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html

vietnam.zing.photos

# Reference: https://app.any.run/tasks/136824e2-885e-4b70-8b6b-20e982f82003/

hou.phimnoi.org

# Reference: https://twitter.com/pancak3lullz/status/1250158700909731845
# Reference: https://twitter.com/pancak3lullz/status/1250386060611391490
# Reference: https://pastebin.com/KdKsaAqV

103.127.157.9:443
103.127.157.9:80
103.136.40.141:443
103.136.40.141:80
103.148.244.59:443
103.148.244.59:80
103.192.226.44:443
103.192.226.44:80
103.193.149.26:443
103.193.149.26:80
103.200.97.150:443
103.200.97.150:80
103.212.223.125:443
103.212.223.125:80
103.213.244.203:443
103.213.244.203:80
103.230.15.155:443
103.230.15.155:80
103.51.147.227:443
103.51.147.227:80
103.56.16.231:443
103.56.16.231:80
103.56.55.69:443
103.56.55.69:80
103.59.165.87:443
103.59.165.87:80
103.79.76.205:443
103.79.76.205:80
104.148.13.252:443
104.148.13.252:80
104.192.80.102:443
104.192.80.102:80
104.199.131.72:443
104.199.131.72:80
104.238.188.213:443
104.238.188.213:80
107.150.112.250:443
107.150.112.250:80
107.179.8.66:443
107.179.8.66:80
112.121.187.178:443
112.121.187.178:80
112.121.187.179:443
112.121.187.179:80
112.121.187.180:443
112.121.187.180:80
112.121.187.181:443
112.121.187.181:80
112.121.187.182:443
112.121.187.182:80
112.196.204.151:443
112.196.204.151:80
112.213.109.32:443
112.213.109.32:80
114.29.253.26:443
114.29.253.26:80
121.127.232.67:443
121.127.232.67:80
13.234.145.7:443
13.234.145.7:80
136.244.102.157:443
136.244.102.157:80
137.59.18.183:443
137.59.18.183:80
139.28.37.102:443
139.28.37.102:80
144.202.50.219:443
144.202.50.219:80
149.248.62.83:443
149.248.62.83:80
149.28.137.203:443
149.28.137.203:80
149.28.150.210:443
149.28.150.210:80
149.28.239.88:443
149.28.239.88:80
149.28.93.163:443
149.28.93.163:80
15.164.104.227:443
15.164.104.227:80
152.32.162.250:443
152.32.162.250:80
152.32.211.67:443
152.32.211.67:80
154.210.12.8:443
154.210.12.8:80
154.215.13.149:443
154.215.13.149:80
154.223.167.105:443
154.223.167.105:80
154.83.13.105:443
154.83.13.105:80
167.179.86.140:443
167.179.86.140:80
167.88.177.191:443
167.88.177.191:80
167.88.178.4:443
167.88.178.4:80
167.88.180.151:443
167.88.180.151:80
167.88.180.32:443
167.88.180.32:80
167.88.180.5:443
167.88.180.5:80
172.245.86.123:443
172.245.86.123:80
172.93.220.201:443
172.93.220.201:80
178.236.44.58:443
178.236.44.58:80
18.138.29.108:443
18.138.29.108:80
185.133.40.223:443
185.133.40.223:80
185.133.42.6:443
185.133.42.6:80
185.161.209.234:443
185.161.209.234:80
185.172.112.212:443
185.172.112.212:80
185.211.246.203:443
185.211.246.203:80
185.225.19.115:443
185.225.19.115:80
185.231.245.119:443
185.231.245.119:80
185.239.226.28:443
185.239.226.28:80
185.239.226.38:443
185.239.226.38:80
185.239.226.53:443
185.239.226.53:80
185.239.226.65:443
185.239.226.65:80
185.243.114.68:443
185.243.114.68:80
185.243.41.200:443
185.243.41.200:80
192.169.7.189:443
192.169.7.189:80
207.148.68.124:443
207.148.68.124:80
211.62.228.141:443
211.62.228.141:80
213.159.202.41:443
213.159.202.41:80
213.252.246.141:443
213.252.246.141:80
27.102.101.52:443
27.102.101.52:80
27.102.130.30:443
27.102.130.30:80
27.255.64.75:443
27.255.64.75:80
3.6.50.223:443
3.6.50.223:80
34.80.27.200:443
34.80.27.200:80
34.92.251.135:443
34.92.251.135:80
35.229.151.34:443
35.229.151.34:80
37.157.245.38:443
37.157.245.38:80
42.99.117.95:443
42.99.117.95:80
43.228.125.9:443
43.228.125.9:80
43.251.118.79:443
43.251.118.79:80
45.115.236.22:443
45.115.236.22:80
45.147.228.131:443
45.147.228.131:80
45.248.87.217:443
45.248.87.217:80
45.251.241.25:443
45.251.241.25:80
45.32.149.253:443
45.32.149.253:80
45.76.153.250:443
45.76.153.250:80
45.76.53.241:443
45.76.53.241:80
45.77.34.128:443
45.77.34.128:80
45.77.60.116:443
45.77.60.116:80
45.81.10.9:443
45.81.10.9:80
45.91.26.140:443
45.91.26.140:80
60.169.81.26:443
60.169.81.26:80
66.42.38.60:443
66.42.38.60:80
66.42.41.140:443
66.42.41.140:80
66.42.48.186:443
66.42.48.186:80
69.171.72.232:443
69.171.72.232:80
91.229.79.226:443
91.229.79.226:80

# Reference: https://twitter.com/KorbenD_Intel/status/1275542304351109120
# Reference: https://www.virustotal.com/gui/domain/subupdata.com/relations
# Reference: https://www.virustotal.com/gui/file/b2c6474f27c1beab3ba9a3e956c5e65d96db8aad686a99a6cc1f9c66bee82b29/detection

185.231.245.119:443
subupdata.com
