forked from stamparm/maltrail
apt_codoso.txt
# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission
# Aliases: apt19, codoso, c0d0so0, codoso team, deep panda, sunshop group
# Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html (Network Based Indicators (NBI))
# Reference: https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/
# Reference: https://www.domaintools.com/resources/blog/domaintools-101-the-art-of-tracking-threat-actors
# Reference: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf
# Reference: https://attack.mitre.org/wiki/Group/G0009
# Reference: https://krebsonsecurity.com/wp-content/uploads/2015/02/FBI-Flash-Warning-Deep-Panda.pdf
googlewebcache.com
outlookssl.com
images.googlewebcache.com
smtp.outlookssl.com
# Reference: https://twitter.com/unpacker/status/1343143954007482369
# Reference: https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/
# Reference: https://www.virustotal.com/gui/file/8b0877209594dada522e606ebac60ce82ceaa31978e71e7772fd8ae0065d53de/detection
http://106.185.43.96/user/atv.html
google-dash.com
microsoft-cache.com
# Reference: https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits
# Reference: https://otx.alienvault.com/pulse/6245655996f5a1a01e2b5d94
# Reference: https://www.virustotal.com/gui/file/c0a2a3708516a321ad2fd68400bef6a3b302af54d6533b5cce6c67b4e13b87d3/detection
# Reference: https://www.cisa.gov/uscert/ncas/alerts/aa22-174a
# Reference: https://otx.alienvault.com/pulse/62b5767285717d7d3a45b2b8
104.223.34.198:443
# Generic
/example/McAltLib.dll
/lifeandstyle/marmalade-paddington-sales-up-making-drinking
/money/ofcom-fines-nuisance-calls
/world/video/shrien-dewani-arrives-uk-murder-trial-collapses-video