# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission
# Aliases: apt06, apt-c-06, thinmon
# Reference: http://securelist.com/blog/research/66779/the-darkhotel-apt/
# Note: many of the hostnames below live on free hosting or free dynamic-DNS zones (e.g. phpnet.us, 000space.com, byethost*.com, mooo.com, ignorelist.com, crabdance.com); such names can be re-registered by unrelated parties after a campaign ends, so treat a lone hit from this list as lower confidence than a hit on a dedicated attacker domain and corroborate before acting.
163pics.net
163services.com
42world.net
88dafa.biz
academyhouse.us
ackr.myvnc.com
acrobatup.com
adobearm.com
adobeplugs.net
adoberegister.flashserv.net
adobeupdates.com
albasrostga.com
alexa97.com
alphacranes.com
alphastros.com
amanity50.biz
anti-wars.org
applyinfo.org
auto2115.icr38.net
auto2116.phpnet.us
auto24col.info
autobaba.net84.net
autoban.phpnet.us
autobicy.yaahosting.info
autobicycle.20x.cc
autobicycle.freehostking.com
autobicyyyyyy.50gigs.net
autoblank.oni.cc
autobrown.gofreeserve.com
autocargo.100gbfreehost.com
autocash.000php.com
autocashhh.hostmefree.org
autocaze.crabdance.com
autocheck.000page.com
autochecker.myftp.biz
autocracy.phpnet.us
autocrat.comuf.com
autodoor.freebyte.us
autof888com.20x.cc
autofseven.freei.me
autogeremys.com
autoinsurance.000space.com
autojob.whostas.com
autoken.scienceontheweb.net
autolace.twilightparadox.com
automachine.servequake.com
automatic.waldennetworks.com
automation.000a.biz
automation.icr38.net
automobile.000a.biz
automobile.200gigs.com
automobile.freei.me
automobile.it.cx
automobile.megabyet.net
automobile.x4host.eu
automobiles.strangled.net
automotive.20x.cc
autonomy.host22.com
autopapa.noads.biz
autopara.oliwy.net
autoparts.phpnet.us
autopatch.createandhost.com
autopatch.verwalten.ch
autophile.00free.net
autopilot.verwalten.ch
autoplant.byethost11.com
autopsy.createandhost.com
autoreviews.dyndns.info
autorico.ignorelist.com
autosadeo.000php.com
autosail.ns01.biz
autoshop.hostmefree.org
autostart.waldennetworks.com
autotest.byethost4.com
autotree.freebyte.us
autoup.eu.pn
autoupdafree.my5gigs.com
autoupdate.eg.vg
autoupdate.freehostia.com
autoupdate.megabyet.net
autoupdate.zoka.cc
autoupdatefree.freehostia.com
autoupdatefree.verwalten.ch
autoupdatefree.waldennetworks.com
autoupdatefree.zoka.cc
autoupdatefreee.my5gigs.com
autoupdates.5gigs.net
autoupdatfreeee.coolwwweb.com
autoupgrade.awardspace.biz
autovita.xtreemhost.com
autovonmanstein.x10.mx
autoworld.serveblog.net
autozone.000space.com
begatrendsone.com
begatrials.com
bizannounce.com
blonze.createandhost.com
bluecat.biz.nf
bluemagazines.servegame.com
bokselpa.dasfree.com
checkingvirusscan.com
clus89.crabdance.com
codec.servepics.com
control.wrizx.net
cranseme.ignorelist.com
crazymand.twilightparadox.com
crendesting.strangled.net
dailybread.waldennetworks.com
dailyissue.net
dailynews.000page.com
dailypatch-rnr2008.net
dailysummary.net
dailyupdate.110mb.com
domainmanagemenet.com
donatewa.phpnet.us
downsw.onlinewebshop.net
dpc.servegame.com
ds505cam.com
ebizcentres.com
elibrarycentre.com
err.cloins.com
eztwt.com
fame.mooo.com
fashions.0fees.net
fenraw.northgeremy.info
fenrix.yaahosting.info
fenrmi.eu.pn
foreignaffair.org
gamepia008.my5gigs.com
genelousmanis.phpnet.us
generalemountina.com
genuinsman.phpnet.us
gigahermes.com
gigamiros.zyns.com
gigathread.itemdb.com
gigatrend.org
giveaway.6te.net
goathoney.biz
goizmi.ignorelist.com
goizmi.phpnet.us
goldblacktree.waldennetworks.com
gphpnet.phpnet.us
greatechangemind.com
greenlabelstud.000space.com
gurunichi.createandhost.com
halemdus.000space.com
heinzmarket.com
hotemup.icr38.net
humanforum.net
hummfoundation.org
individuals.sytes.net
infonetworks.biz
innewsmessenger.com
jackie311.byethost16.com
jandas.byethost7.com
javaupdate.flashserv.net
jonejokoss.byethost6.com
jonemaccane1.byethost7.com
jpnspts.biz
jpqueen.biz
kaoal.chickenkiller.com
laborsforum.org
lakers.jumpingcrab.com
limited.000space.com
lookasjames.000space.com
mansgepitostraig.com
mechanicalcomfort.net
microalba.serveftp.com
microblo5.mooo.com
microbrownys.strangled.net
microchiefs.twilightparadox.com
microchisk.mooo.com
microchsse.strangled.net
microdelta.crabdance.com
microgenuinsman.servebeer.com
microjonjokoss.jumpingcrab.com
microlilics.000space.com
microlilics.crabdance.com
micromacrarusn.com
micromacs.org
micromichi.ezua.com
micromps1.net
micronames.jumpingcrab.com
micronao.hopto.org
micronaoko.jumpingcrab.com
microos.jumpingcrab.com
microplants.strangled.net
microsoft-xpupdate.com
microyours.ignorelist.com
minshatopas12.org
msdn4updates.com
mshotfix.com
msupdates.com
myhome.serveuser.com
myphone.freei.me
nanogalsman.org
nanomicsoft.com
nanoocspos.com
nanosleepss.net
ncnbroadcasting.reportinside.net
neao.biz
neosilba.com
new.freecinemaworld.net
new.islamicawaken.com
newsagencypool.com
newsdailyinhk.com
newsups.000a.biz
nokasblog.agilityhoster.com
office-revision.com
online.usean.biz
outlookz.com
pb.enewslive.org
pb.qocp.net
pb.upinfo.biz
photo.eonlineworld.com
popin.0fees.net
private.neao.biz
proteingainer.biz
rainbowbbs.mywebcommunity.org
rayp.biz
re.policyforums.org
redblacksleep.createandhost.com
redlooksman.servehttp.com
reportinshop.com
reportinside.net
rootca.000space.com
sales.eu5.org
secureonline.net
self-makeups.com
self-makingups.com
sellingconnection.org
sens.humanforum.net
shndia.com
silverbell.000space.com
sipapals.servehalflife.com
smartappactiv.com
smartnewup.crabdance.com
sourcecodecenter.org
spotnews.com
st.cloins.com
stloelementry.200gigs.com
students.serveblog.net
# NOTE(review): the entry below contains U+00AC ("¬") and is not a valid hostname, so it can never match a DNS lookup; it is most likely a mis-encoded "-" or "." from the source report - confirm the original indicator against the referenced Kaspersky appendix before correcting it
support¬forum.org
terryblog.110mb.com
thenewesthta.mypressonline.com
thirdbase.bugs3.com
todaynewscentre.net
trade-inf.com
unknown12.ignorelist.com
updaairpush.ignorelist.com
updaily.biz.nf
updaily.phpnet.us
updaisin.net16.net
updalsim.freehostee.com
updarling.000a.biz
updatable.20x.cc
updateall.000a.biz
updatecache.net
updatefast.000a.biz
updateiphone.20x.cc
updateitunes.waldennetworks.com
updatejava.megabyet.net
updatepatch.icr38.net
updateschedule.verwalten.ch
updatesw.110mb.com
updatesw.zoka.cc
updatewell.freebyte.us
updatewifis.dyndns-wiki.com
updauganda.waldennetworks.com
updawn4you.net84.net
upgrade77.steadywebs.com
video.humorme.info
voicemailz.net
wein.isgreat.org
windowservices.net
world.issuetoday.net
world.uktimesnews.com
wowhome.byethost8.com
ww42.200gigs.com
appfreetools.com
digitalimagestudy.com
yellowleos.phpnet.us
ypiz.net
# Reference: https://ti.360.net/blog/articles/analyzing-attack-of-cve-2018-8373-and-darkhotel/
# Reference: https://researchcenter.paloaltonetworks.com/2018/09/unit42-traps-prevents-wild-vbscript-zero-day-exploit-internet-explorer/
windows-updater.net
# Reference: https://blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html (Japanese)
# Reference: https://otx.alienvault.com/pulse/5cee9ffe72473a4c259773b7
pwsmbx.com
reuqest-userauth.com
vgmtx.com
# Reference: https://twitter.com/ximo2006/status/1142983148893954048
# Reference: https://s.tencent.com/research/report/741.html (Chinese)
193.29.187.178:51217
193.29.187.178:51218
91.235.116.147:9782
100100011100.com
779999977.com
banilasky.com
game-service.org
offices-support.com
office-update-checker.com
star--co.net
/584e3411-14a7-41f4-ba1d-e203609b0471/6126.php
/7cdeb7fe-6efd-4459-be2f-1eb0e0088a60/21147.php
/banila/config.php
# Reference: https://twitter.com/blackorbird/status/1178491520518770688
autocheck.000page.com
automobile.freei.me
autocargo.100gbfreehost.com
# Reference: https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/
# Reference: https://otx.alienvault.com/pulse/5dbc5ca2e4310e29af9612e3
behindcorona.com
# Reference: https://twitter.com/blackorbird/status/1245597745403969544
cnnmedia.servepics.com
tax-lab.net
# Reference: https://twitter.com/blackorbird/status/1263843202311663616
# Reference: https://www.antiy.cn/research/notice&report/research_report/20200522.html (Chinese)
email-126.net
find-image.com
service-security-manager.com
win-api-essentials.com
# Reference: https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/
# Reference: https://otx.alienvault.com/pulse/5f34088f58d80664ae9fbd1c
static-cdn1.com
# Reference: https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg
http://134.119.220.118
http://185.198.56.191
account163-mail.com
apple-onlineservice.com
onlineservice.bounceme.net
/recommend/ascfree.php
# Reference: http://blog.nsfocus.net/darkhotel-3-0908/
# Reference: https://www.virustotal.com/gui/file/6048f17c1271c0f946225ec6a3d1f4b84c4df098f854dbce139b858795485836/detection
bigfile-download.net
fenrmi.eu.pn
fenrix.yaahosting.info
fenraw.northgeremy.info
/html/docu.php
/maro7/article//000C29014444/article_service.html
/maro7/live1.php
# Reference: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html
# Reference: https://www.virustotal.com/gui/file/f699f5c8ea766afe9cffcff198d13550027e5a311f4a9618a804a585088ff8db/detection
fsm-gov.com
# Reference: https://www.virustotal.com/gui/file/da0c905ab56f598c50573495085657b80b76557d12f9416fd4a4a96632a000e1/detection
myboxofficebox.com
# Reference: https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink (Japanese)
# Reference: https://otx.alienvault.com/pulse/627b9aa3b3842d989f57bfe6
differentfor.com
disknxt.com
mbusabc.com
officehoster.com
spffusa.org
sseekk.xyz
youmiuri.com