apt_turla.txt

# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: waterbug, snake, whitebear, venomous bear, kypton, storm-0156

# Reference: https://github.com/eset/malware-ioc/blob/master/turla/README.adoc

shoppingexpert.it/wp-content/gallery/
soheylistore.ir/modules/mod_feed/feed.php
tazohor.com/wp-includes/feed-rss-comments.php
jucheafrica.com/wp-includes/class-wp-edit.php
61paris.fr/wp-includes/ms-set.php
doctorshand.org/wp-content/about/
lasac.eu/credit_payment/url/

# Reference: https://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/

smallcloud.ga
fleetwood.tk
adstore.twilightparadox.com
bigpen.ga
ebay-global.publicvm.com
psychology-blog.ezua.com
agony.compress.to
gallop.mefound.com
auberdine.etowns.net
skyrim.3d-game.com
officebuild.4irc.com
sendmessage.mooo.com
robot.wikaba.com
tellmemore.4irc.com

# Reference: http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf

arctic-zone.bbsindex.com
cars-online.zapto.org
eunews-online.zapto.org
fifa-rules.25u.com
forum.sytes.net
franceonline.sytes.net
freeutils.3utilities.com
health-everyday.faqserv.com
nhl-blog.servegame.com
olympik-blog.4dq.com
pockerroom.servebeer.com
pressforum.serveblog.net
scandinavia-facts.sytes.net
sportmusic.servemp3.com
stockholm-blog.hopto.org
supernews.sytes.net
sweeden-history.zapto.org
tiger.got-game.org
top-facts.sytes.net
weather-online.hopto.org
wintersport.sytes.net
x-files.zapto.org
forum.4dq.com
forum.acmetoy.com
marketplace.servehttp.com
music-world.servemp3.com
newutils.3utilities.com
interesting-news.zapto.org
academyawards.effers.com
cheapflights.etowns.net
toolsthem.xp3.biz
softprog.freeoda.com
euassociate.6te.net
euland.freevar.com
communityeu.xp3.biz
swim.onlinewebshop.net
july.mypressonline.com
eu-sciffi.99k.org

# Reference: https://www.symantec.com/security-center/writeup/2014-011316-1921-99?tabid=2

nightday.comxa.com
sanky.sportsontheweb.net
tiger.netii.net
north-area.bbsindex.com

# Reference: http://artemonsecurity.com/snake_whitepaper.pdf

academyawards.effers.com
arctic-zone.bbsindex.com
cars-online.zapto.org
cheapflights.etowns.net
communityeu.xp3.biz
eu-sciffi.99k.org
euassociate.6te.net
euland.freevar.com
eunews-online.zapto.org
fifa-rules.25u.com
forum.4dq.com
forum.acmetoy.com
forum.sytes.net
franceonline.sytes.net
freeutils.3utilities.com
health-everyday.faqserv.com
interesting-news.zapto.org
july.mypressonline.com
marketplace.servehttp.com
music-world.servemp3.com
newutils.3utilities.com
nhl-blog.servegame.com
north-area.bbsindex.com
olympik-blog.4dq.com
pockerroom.servebeer.com
pressforum.serveblog.net
scandinavia-facts.sytes.net
softprog.freeoda.com
sportmusic.servemp3.com
stockholm-blog.hopto.org
supernews.sytes.net
sweeden-history.zapto.org
swim.onlinewebshop.net
tiger.got-game.org
toolsthem.xp3.biz
top-facts.sytes.net
weather-online.hopto.org
winter.site11.com
wintersport.sytes.net
x-files.zapto.org

# Reference: https://github.com/eset/malware-ioc/tree/master/turla

shoppingexpert.it/wp-content/gallery/
soheylistore.ir/modules/mod_feed/feed.php
tazohor.com/wp-includes/feed-rss-comments.php
jucheafrica.com/wp-includes/class-wp-edit.php
61paris.fr/wp-includes/ms-set.php
doctorshand.org/wp-content/about/
lasac.eu/credit_payment/url/
daybreakhealthcare.co.uk/wp-includes/themees.php
simplecreative.design/wp-content/plugins/calculated-fields-form/single.php
http://169.255.137.203/rss_0.php
outletpiumini.springwaterfeatures.com/wp-includes/pomo/settings.php
zerogov.com/wp-content/plugins.deactivate/paypal-donations/src/PaypalDonations/SimpleSubsribe.php
ales.ball-mill.es/ckfinder/core/connector/php/php4/CommandHandler/CommandHandler.php
dyskurs.com.ua/wp-admin/includes/map-menu.php
warrixmalaysia.com.my/wp-content/plugins/jetpack/modules/contact-form/grunion-table-form.php
http://217.171.86.137/config.php
http://217.171.86.137/rss_0.php
shinestars-lifestyle.com/old_shinstar/includes/old/front_footer.old.php
aviasiya.com/murad.by/life/wp-content/plugins/wp-accounting/inc/pages/page-search.php
baby.greenweb.co.il/wp-content/themes/san-kloud/admin.php
soligro.com/wp-includes/pomo/db.php
giadinhvabe.net/wp-content/themes/viettemp/out/css/class.php
tekfordummies.com/wp-content/plugins/social-auto-poster/includes/libraries/delicious/Delicious.php
kennynguyen.esy.es/wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/tests/MaxMind/Db/test/Reader/BuildTest.php
sonneteck.com/wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/licence/templates/panel/activation/activation.php
chagiocaxuanson.esy.es/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/templates/manage_gallery/gallery_preview_page_field.old.php
hotnews.16mb.com/wp-content/themes/twentysixteen/template-parts/content-header.php
zszinhyosz.pe.hu/wp-content/themes/twentyfourteen/page-templates/full-hight.php
weandcats.com/wp-content/plugins/broken-link-checker/modules/checkers/http-module.php
smallcloud.ga
fleetwood.tk
adstore.twilightparadox.com
bigpen.ga
ebay-global.publicvm.com
psychology-blog.ezua.com
agony.compress.to
gallop.mefound.com
auberdine.etowns.net
skyrim.3d-game.com
officebuild.4irc.com
sendmessage.mooo.com
robot.wikaba.com
tellmemore.4irc.com

# Reference: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf

eu-sciffi.99k.org
fifa-rules.25u.com
franceonline.sytes.net
greece-travel.servepics.com
hockey-news.servehttp.com
marketplace.servehttp.com
musicplanet.servemp3.com
music-world.servemp3.com
newutils.3utilities.com
nightday.comxa.com
north-area.bbsindex.com
olympik-blog.4dq.com
pokerface.servegame.com
pressforum.serveblog.net
sanky.sportsontheweb.net
softprog.freeoda.com
tiger.got-game.org
tiger.netii.net
toolsthem.xp3.biz
top-facts.sytes.net
weather-online.hopto.org
wintersport.sytes.net
world-weather.zapto.org
x-files.zapto.org
booking.etowns.org
easports.3d-game.com
cheapflights.etowns.net
academyawards.effers.com
te4step.tripod.com
scifi.pages.at
support4u.5u.com
eu-sciffi.99k.org
swim.onlinewebshop.net
winter.site11.com
july.mypressonline.com
soheylistore.ir
tazohor.com
jucheafrica.com
61paris.fr

# Reference: https://twitter.com/VK_Intel/status/1089959988116799491

northviewcanada.com/wp-content/galler/slider/
zycie-chotomowa.pl/wp-content/languages/index.php

# Reference: https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments

codewizard.ml
dubaiexpo2020.cf
markham-travel.com
microsoft.updatemeltdownkb7234.com
updatenodes.site
vision2030.cf
vision2030.tk
zebra.wikaba.com

# Reference: https://www.virustotal.com/gui/ip-address/94.249.192.182/relations

dropbox12.com
moscow.stransgroup.com

# Reference: https://www.virustotal.com/gui/ip-address/185.141.62.32/relations

http://185.141.62.32

# Reference: https://twitter.com/daphiel/status/1174324244127322115

dsme.info

# Reference: https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/

accessdest.strangled.net
bookstore.strangled.net
bug.ignorelist.com
cars-online.zapto.org
chinafood.chickenkiller.com
coldriver.strangled.net
developarea.mooo.com
downtown.crabdance.com
easport-news.publicvm.com
eurovision.chickenkiller.com
fifa-rules.25u.com
forum.sytes.net
goldenroade.strangled.net
greateplan.ocry.com
health-everyday.faqserv.com
highhills.ignorelist.com
hockey-news.servehttp.com
industrywork.mooo.com
leagueoflegends.servequake.com
marketplace.servehttp.com
mediahistory.linkpc.net
music-world.servemp3.com
new-book.linkpc.net
newgame.2waky.com
newutils.3utilities.com
nhl-blog.servegame.com
nightstreet.toh.info
olympik-blog.4dq.com
onlineshop.sellclassics.com
pressforum.serveblog.net
radiobutton.mooo.com
sealand.publicvm.com
securesource.strangled.net
softstream.strangled.net
sportacademy.my03.com
sportnewspaper.strangled.net
supercar.ignorelist.com
supernews.instanthq.com
supernews.sytes.net
telesport.mooo.com
tiger.got-game.org
top-facts.sytes.net
track.strangled.net
wargame.ignorelist.com
weather-online.hopto.org
wintersport.mrbasic.com
x-files.zapto.org

# Reference: https://otx.alienvault.com/pulse/57b4ad5cd19e030139028e28

knowledgetime.slyip.net
treesofter.mooo.com
archive-articles.linkpc.net
sendmessage.mooo.com
forumgeek.zzux.com
psychology-blog.ezua.com
priceline.publicvm.com
officebuild.4irc.com
bestfunc.slyip.net
newforum.chickenkiller.com
tellmemore.4irc.com
priceline.publicvm.com
trytowin.ignorelist.com
booking.strangled.net
ebay-global.publicvm.com
blackerror.ignorelist.com
ceremon.2waky.com
patherror.publicvm.com
tellmemore.4irc.com
worldlist.linkpc.net
ebay-global.publicvm.com
top100news.my-wan.de
patherror.publicvm.com
dellservice.publicvm.com
papperbell.effers.com
onlineshop.sellclassics.com
climbent.mooo.com
bestfunc.slyip.net
knowledgetime.slyip.net
badget.ignorelist.com
highhills.ignorelist.com
psychology-blog.ezua.com
wordlisten.mooo.com
dellservice.publicvm.com
profound.zzux.com
forumgeek.zzux.com
kersachi.ignorelist.com
worldlist.linkpc.net

# Reference: https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/
# Reference: https://otx.alienvault.com/pulse/5e6a1997e4301d0827885c98

http://37.59.60.199
134.209.222.206:15363
85.222.235.156:8000
adgf.am
aiisa.am/js/chatem/js_rA9bo8_O3Pnw_5wJXExNhtkUMdfBYCifTJctEJ8C_Mg.js
armconsul.ru/user/themes/ayeps/dist/js/bundle.0eb0f2cb2808b4b35a94.js
mnp.nkr.am/wp-includes/js/jquery/jquery-migrate.min.js
skategirlchina.com/wp-includes/data_from_db_top.php
skategirlchina.com/wp-includes/ms-locale.php

# Reference: https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/
# Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a
# Reference: https://github.com/eset/malware-ioc/tree/master/turla#turla-comrat-v4-indicators-of-compromise

arinas.tk
bedrost.com
branter.tk
bronerg.tk
celestyna.tk
crusider.tk
davilta.tk
deme.ml
dixito.ml
duke6.tk
elizabi.tk
foods.jkub.com
hofa.tk
hunvin.tk
lakify.ml
lindaztert.net
misters.ml
pewyth.ga
progress.zyns.com
sameera.gq
sanitar.ml
scrabble.ikwb.com
sumefu.gq
umefu.gq
vefogy.cf
vylys.com
wekanda.tk

# Reference: https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/
# Reference: https://otx.alienvault.com/pulse/5f0e0247a1f88359cebcccb2

newshealthsport.com

# Reference: https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
# Reference: https://otx.alienvault.com/pulse/5f99a34fe3c5a08a4093e54d

balletmaniacs.com/wp-includes/fonts/icons/
berlinguas.com/wp-content/languages/index.php
polishpod101.com/forum/language/en/sign/
bombheros.com/wp-content/languages/index.php
simplifiedhomesales.com/wp-includes/images/index.php
mtsoft.hol.es/wp-content/gallery/

# Reference: https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/
# Reference: https://otx.alienvault.com/pulse/5fc7b28bd5c07b0b777106b9

ethdns.mywire.org
highcolumn.webredirect.org
hotspot.accesscam.org
theguardian.webredirect.org

# Reference: https://twitter.com/rnaksyrn/status/1097522490111418368
# Reference: https://www.virustotal.com/gui/file/5b4ed1dc85f5551f070693cf1faf801f76a92b7b624bd402e7a6ca42bc8486fa/detection

worldnews.ath.cx

# Reference: https://lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server/
# Reference: https://thehackernews.com/2022/04/researchers-uncover-new-android-spyware.html
# Reference: https://otx.alienvault.com/pulse/624c2c7f9f25362f604a9606
# Reference: https://www.virustotal.com/gui/file/e0eacd72afe39de3b327a164f9c69a78c9c0f672d3ad202271772d816db4fad8/detection

http://82.146.35.240
da.anythinktech.com
d3hdbjtb1686tn.cloudfront.net

# Reference: https://otx.alienvault.com/pulse/6272996039678903e0b73dd5

jadlactnato.webredirect.org
wkoinfo.webredirect.org

# Reference: https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/
# Reference: https://otx.alienvault.com/pulse/628ba3b7c4e0efc200be0582
# Reference: https://www.virustotal.com/gui/ip-address/45.153.241.162/relations
# Reference: https://www.virustotal.com/gui/ip-address/79.110.52.218/relations

baltdefcol.webredirect.org
jadlactnato.webredirect.org
wkoinfo.webredirect.org

# Reference: https://twitter.com/billyleonard/status/1545461166377508865
# Reference: https://twitter.com/billyleonard/status/1545461171456729090
# Reference: https://www.virustotal.com/gui/file/3c62b24594ec3cacc14bdca068a0277e855967210e92c2c17bcf7c7d0d6b782a/
# Reference: https://www.virustotal.com/gui/file/745e8c90a8e76f81021ff491cbc275bc134cdd7d23826b8dd23e58297fd0dd33/detection

cyberazov.com
/CyberAzov.apk

# Reference: https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/

stopwar.pro

# Reference: https://twitter.com/sekoia_io/status/1554086468104196096

cyberazov.tk

# Reference: https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/
# Reference: https://otx.alienvault.com/pulse/64469f924625bdef62b1debc

crane.mn/wp-content/plugins/jetpack/modules/photon-cdn/
telegram.akipress.news/lsasss.rar
mail.mfa.uz.webmails.info

# Reference: https://cert.gov.ua/article/5213167 (# UAC-0024, UAC-0003)

adelaida.ua/plugins/vmsearch/wp-config-plugins.php
adelaida.ua/plugins/vmsearch/wp-config-themes.php
adelaida.ua/plugins/vmsearch/wp-file-script.js
atomydoc.kg/src/open_center/
aleimportadora.net/images/slides_logo/
octoberoctopus.co.za/wp-includes/sitemaps/web/
sansaispa.com/wp-includes/images/gallery/
pierreagencement.fr/wp-content/languages/index.php
mail.aet.in.ua/outlook/api/logon.aspx
mail.kzp.bg/outlook/api/logon.aspx
mail.numina.md/owa/scripts/logon.aspx
mail.aet.in.ua/outlook/api/logoff.aspx
mail.arlingtonhousing.us/outlook/api/logoff.aspx
mail.kzp.bg/outlook/api/logoff.aspx
mail.lechateaudelatour.fr/microsoft.exchange.mailboxreplicationservice.proxyservice/rpcwithcert/sync
mail.lebsack.de/microsoft.exchange.mailboxreplicationservice.proxyservice/rpcwithcert/sync
/microsoft.exchange.mailboxreplicationservice.proxyservice/rpcwithcert/sync
/microsoft.exchange.mailboxreplicationservice.proxyservice/rpcwithcert/
/microsoft.exchange.mailboxreplicationservice.proxyservice/

# Reference: https://blog.talosintelligence.com/tinyturla-next-generation/
# Reference: https://www.virustotal.com/gui/file/267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b/detection
# Reference: https://www.virustotal.com/gui/file/d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40/detection

caduff-sa.ch/wordpress/wp-includes/rss.old.php
hanagram.jp/wp/wp-content/themes/hanagram/rss-old.php
jeepcarlease.com/wp-includes/blocks/rss.old.php
thefinetreats.com/wp-content/themes/twentyseventeen/rss-old.php

# Reference: https://blog.talosintelligence.com/tinyturla-full-kill-chain/

buy-new-car.com
carleasingguru.com
chjeepcarlease.com
jpthefinetreats.com
caduff-sa.chjeepcarlease.com
hanagram.jpthefinetreats.com

# Reference: https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/
# Reference: https://github.com/eset/malware-ioc/tree/master/turla#network-indicators

http://169.255.137.203
http://217.171.86.137
61paris.fr/wp-includes/ms-set.php
ales.ball-mill.es/ckfinder/core/connector/php/php4/CommandHandler/CommandHandler.php
aviasiya.com/murad.by/life/wp-content/plugins/wp-accounting/inc/pages/page-search.php
baby.greenweb.co.il/wp-content/themes/san-kloud/admin.php
chagiocaxuanson.esy.es/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/templates/manage_gallery/gallery_preview_page_field.old.php
daybreakhealthcare.co.uk/wp-includes/themees.php
doctorshand.org/wp-content/about/
dyskurs.com.ua/wp-admin/includes/map-menu.php
giadinhvabe.net/wp-content/themes/viettemp/out/css/class.php
hotnews.16mb.com/wp-content/themes/twentysixteen/template-parts/content-header.php
jucheafrica.com/wp-includes/class-wp-edit.php
kennynguyen.esy.es/wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/tests/MaxMind/Db/test/Reader/BuildTest.php
lasac.eu/credit_payment/url/
outletpiumini.springwaterfeatures.com/wp-includes/pomo/settings.php
shinestars-lifestyle.com/old_shinstar/includes/old/front_footer.old.php
shoppingexpert.it/wp-content/gallery/
simplecreative.design/wp-content/plugins/calculated-fields-form/single.php
soheylistore.ir/modules/mod_feed/feed.php
soligro.com/wp-includes/pomo/db.php
sonneteck.com/wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/licence/templates/panel/activation/activation.php
tazohor.com/wp-includes/feed-rss-comments.php
tekfordummies.com/wp-content/plugins/social-auto-poster/includes/libraries/delicious/Delicious.php
warrixmalaysia.com.my/wp-content/plugins/jetpack/modules/contact-form/grunion-table-form.php
weandcats.com/wp-content/plugins/broken-link-checker/modules/checkers/http-module.php
zerogov.com/wp-content/plugins.deactivate/paypal-donations/src/PaypalDonations/SimpleSubsribe.php
zszinhyosz.pe.hu/wp-content/themes/twentyfourteen/page-templates/full-hight.php

# Reference: https://x.com/BushidoToken/status/1791484308693086437
# Reference: https://www.virustotal.com/gui/ip-address/185.206.180.130/relations
# Reference: https://www.virustotal.com/gui/file/d2fad779289732d1edf932b62278eb3090eb814d624f2e0a4fbbc613495c55e8/detection

avmaster.dns-cloud.net
av.master.dns-cloud.net
thedarktower.av.master.dns-cloud.net
mentionedthedarktower.av.master.dns-cloud.net
in.thedarktower.av.master.dns-cloud.net

# Reference: https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/

connectotels.net
hostelhotels.net