# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html

32player.com
appswonder.info
capsnit.com
hiltrox.com
hytechmart.com
ios-update-whatsapp.com
ios-certificate-update.com
metclix.com
nfinx.info
referfile.com
scrollayer.com
techwach.com
twitck.com
wpitcher.com

# Reference: https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf
# Reference: https://otx.alienvault.com/pulse/5f7dd394005536c84adbaf56

account-googie.com
accountvalidate.com
airfitgym.com
ambicluster.com
aspnet.dyndns.info
aspnet.dyndns.info
assurecom.info
assurecom.info
bulletinalerts.com
by4mode.com
cdn-icloud.co
cdn-icloud.co
celebsnightmares.com
celebsnightmares.com
citrusquad.com
classmunch.com
cloud-authorize.com
cocahut.com
cocelebsnightmares.com
cocoka.info
cocoka.info
crawloofle.com
cohealthclubfun.com
crawloofle.com
cyroonline.com
devicesupport-rnicrosoft.com
domforworld.com
electrobric.com
everification-session-load.com
flux2key.com
freepunjab2020.info
frexinq.com
gateway-yahoo.com
ghelp.co
ghelp.co
healthclubfun.com
healthclubfun.com
hypforever.com
i3mode.com
imging.site
imging.site
inlineirnage.com
infoassurecom.info
infocrawloofle.com
inlineirnage.com
justsikhthings.com
kannat.ns01.us
kannat.ns01.us
khalistanlehar.com
khalistanlehar.com
leastinfo.com
leelee.dnset.com
lizacorner.com
lobertica.info
login-private.com
logon-info-gsupport.com
logstrick.com
m0-rnaiil-siina-chn-reload.everification-session-load.com
mail-incc.com
mail-king.com
mail-validation.info
mail.techsprouts.com
mailinfo-bh.com
me-yahoo.com
medieczema.com
middleeastleaks.com
mideastleaks.com
mindcraftstore.com
musicbandfiles.com
myaccount-googie.com
myappie.comyfoodzone.net
myggl.ioo-auth.net
netonlinetokenid.com
netstring2me.com
onlinetokenid.com
opticscold.com
opticzstore.com
optusiy.com
orgyes2khalistanis.com
out-look-mail-bh.com
oyesterclub.info
passwordsaverr.com
poiusavid.com
portal549.com
privacylog.info
prontexim.com
regditogo.com
rhc-jo.com
risalaencryptor.com
rnaiill2-rnaill-slna-m0.everification-session-load.com
rnail-appld-oath-varfiction.everification-session-load.com
scan8t.comsecure-useraccount.com
service-authorization.com
setting-secure.com
shiaar-e-islam.com
signtabo.com
sikhforjustice.org
sikhforjustice.org
similerwork.net
string2me.com
similerwork.net
string2me.com
sync-tokens.com
tansyroof.com
techsprouts.com
techwach.com
thegogl.com
tierradom.com
timesofarab.com
toysforislam.com
trailhinder.com
traxbin.com
treemanic.com
trioganic.com
user-privacy.com
uskhalistanlehar.com
uyghuri.51vip.biz
uyghuri.51vip.biz
uyghurie.51vip.biz
uygur.5166.info
uyghurie.51vip.biz
uygur.5166.info
uygur.51vip.biz
uygur.51vip.biz
uygur.eicp.net
uygur.xicp.net
vlprnaiill2-rnaill-slna.m0.everification-session-load.com
uygur.eicp.net
uygur.xicp.net
vlprnaiill2-rnaill-slna.m0.everification-session-load.com
weddnest.com
yes2khalistan.org
yes2khalistan.org
yes2khalistanis.com
yes2khalistanis.com
yfoodzone.net
myggl.ioo-auth.net
onlinetokenid.com
zhqdgk.com

# Reference: https://twitter.com/bl4ckh0l3z/status/1321746458308128769
# Reference: https://www.virustotal.com/gui/file/cef4be533954e5bb901080cbca26976929d55692674f1bb9fefeca0c349c86db/detection
# Reference: https://www.virustotal.com/gui/file/4fd441183ffd576aea2cf50b19d263f6b07b7548ea24725a496a0a929daaf912/detection

procompass.org
voiceofislam.info

# Reference: https://twitter.com/Circuitous__/status/1377767299709550593
# Reference: https://pastebin.com/9U57CHZn

fastfiterzone.com
lobertica.info
memoadvicr.com
zovwelle.com

# Reference: https://twitter.com/m0br3v/status/1413076245152141316
# Reference: https://www.virustotal.com/gui/file/73b516a0a3996ec1c685ad3d8e26a7191e5d7698bfd98970afc27d5356003cac/detection

onlinedomain.link

# Reference: https://www.virustotal.com/gui/file/815466ec21c59f7704f094a0e4cfc4f817c8b98231d10fe01919b6bd60eca64e/detection

lepze.com

# Reference: https://www.virustotal.com/gui/domain/ie-settings.com/detection

ie-settings.com

# Reference: https://twitter.com/m0br3v/status/1502262179390758913
# Reference: https://www.virustotal.com/gui/file/c921363c790c2eb82ab009f94ac0961164690d795c4ae87bed61897cc80fb33f/detection

datahost.click
/jkRt5e/check.php
/jkRt5e/

# Reference: https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=zh-CN
# Reference: https://otx.alienvault.com/pulse/625591f0fdef5bd852d84afe

5iw68rugwfcir37uj8z3r6rfaxwd8g8cdcfcqw62.de
h94xnghlldx6a862moj3.de
freesexvideos.ch
securechatnow.com

# Reference: https://twitter.com/malwrhunterteam/status/1539985809184641024
# Reference: https://twitter.com/malwrhunterteam/status/1540332848577667073
# Reference: https://www.virustotal.com/gui/ip-address/193.23.161.164/relations
# Reference: https://www.virustotal.com/gui/file/1084b7ff4758b5d13dcfc4f9167b16e6b834bfff2032b540e74959ceb18a5b1e/detection

172.64.168.30:2053
172.64.168.30:8443
193.23.161.164:8443
gkcx6ye4t4zafw8ju2xdr5na5.de
iminglechat.de
fjasfjfas89e.gkcx6ye4t4zafw8ju2xdr5na5.de

# Reference: https://twitter.com/malwrhunterteam/status/1549125906416943108
# Reference: https://www.virustotal.com/gui/file/be1593bd1f1d5a4d05217f0492832e13bddd61281d8e109668ea5c64920fe9b2/detection

dutchvideochatting.com

# Reference: https://twitter.com/Des00464472/status/1552146340515561472
# Reference: https://www.virustotal.com/gui/ip-address/5.249.160.136/relations

ay3a9j7pc3.de
yu27izuchc.de

# Reference: https://twitter.com/Des00464472/status/1567097126999703553
# Reference: https://www.virustotal.com/gui/ip-address/5.249.160.150/relations

32e6dwbbpg.de

# Reference: https://twitter.com/m0br3v/status/1570415612014530562
# Reference: https://www.virustotal.com/gui/file/c5f29fcb69ffaaac4568b0607d94bce55641ab5e7c6279393cd9605d14be0311/detection

newshostpoint.co

# Reference: https://twitter.com/malwrhunterteam/status/1595141450177871872
# Reference: https://twitter.com/midnight_comms/status/1596156830363029504
# Reference: https://twitter.com/midnight_comms/status/1596566303598182401
# Reference: https://www.virustotal.com/gui/file/45a6a0b2b02a9d288afba1ff41c689be9b9bd40ee862aa4bd6b036e3f0a4c3ab/detection
# Reference: https://www.virustotal.com/gui/file/a2abdf1d3439c9598f76c3732770b98725315efd32db322d926207ed28edf0db/detection

45.156.84.129:3000
14.16.88.35:5000
104.21.36.64:2096
104.21.46.84:2096
172.64.80.1:2096
172.67.136.254:2096
172.67.186.194:2096
194.156.88.235:5000
45.156.85.161:2096
96r1yh643o.de
cdw1ir0dc9g3dwl5oh1y.de

# Reference: https://twitter.com/malwrhunterteam/status/1504892577975259141
# Reference: https://twitter.com/midnight_comms/status/1596563852035903488
# Reference: https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/
# Reference: https://otx.alienvault.com/pulse/63809fb03dacd453ae69d37b
# Reference: https://www.virustotal.com/gui/file/a40c7cabf874517f5d3d069e0377fa9348e10344000e39717c1a6571939ba7c0/detection
# Reference: https://www.virustotal.com/gui/file/a71290070f826292c0ce907f21280e46cb4b800163ca3b81301c75710387ff1b/detection

ft8hua063okwfdcu21pw.de
thesecurevpn.com

# APK

/Kashmir-Youth.apk
/Kashmir.apk
/ChatService_master.apk
/securechatnow_v1_0_6.apk
/securechatnow_v1_0_7.apk
