# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/e_kaspersky/status/1481665686351106053
# Reference: https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/

http://163.25.24.44
http://45.238.25.2
163.25.24.44:443
45.238.25.2:443
118.70.116.154:8080
186.183.185.94:8080
66.181.166.15:8080
163qiye.top
abiesvc.com
abiesvc.info
abiesvc.jp.net
antcapital.us
atom.publicvm.com
att.gdrvupload.xyz
authenticate.azure-drive.com
azure-drive.com
azureprotect.xyz
azure-service.com
azureword.com
backup.163qiye.top
beenos.biz
bhomes.cc
bitcoinnews.mefound.com
bitflyer.team
blog.cloudsecure.space
bloomcloud.org
buidihub.com
chemistryworld.us
circlecapital.us
client.googleapis.online
cloud.azure-service.com
cloud.globalbrains.co
cloud.jumpshare.vip
cloudsecure.space
cloudshare.jumpshare.vip
cloud.venturelabo.co
coinbig.dev
coinbigex.com
coin-squad.co
deepmind.fund
dekryptcap.digital
devprocloud.com
dllhost.xyz
doconline.top
docs.azureword.com
docs.coinbigex.com
docs.gdriveshare.top
docs.goglesheet.com
docs.securedigitalmarkets.co
docstream.online
document.antcapital.us
document.bhomes.cc
document.fastercapital.cc
document.kraken-dev.com
document.lundbergs.cc
documentprotect.live
documentprotect.pro
documents.antcapital.us
document.skandiafastigheter.cc
docuserver.xyz
doc.venturelabo.co
doc.youbicapital.cc
domainhost.dynamic-dns.net
download.azure-safe.com
download.azure-service.com
download.gdriveupload.site
drives.googldrive.xyz
drives.googlecloud.live
driveshare.googldrive.xyz
dronefund.icu
drw.capital
eii.world
etherscan.mrslove.com
faq78.faqserv.com
fastdown.site
fastercapital.cc
filestream.download
file.venturelabo.co
foundico.mefound.com
galaxydigital.cc
galaxydigital.cloud
gdocsdown.com
gdriveshare.top
gdriveupload.info
gdrvupload.xyz
globalbrains.co
gmaildrive.site
goglesheet.com
googldrive.xyz
googleapis.online
googleauth.pro
googlecloud.live
googledocpage.com
googledrive.download
googledrive.email
googledrive.online
googledrive.publicvm.com
googleexplore.net
googleservice.icu
googleservice.xyz
googlesheetpage.org
googleupload.info
gsheet.gdocsdown.com
hiccup.shop
innoenergy.info
isosecurity.xyz
jack710.club
jumpshare.vip
kraken-dev.com
ledgerservice.itsaol.com
lemniscap.cc
lundbergs.cc
mail.gdriveupload.info
mail.gmaildrive.site
mail.googleupload.info
mclland.com
microstratgey.com
miss.outletalertsdaily.com
msoffice.qooqle.download
note.onedocshare.com
onlinedoc.dev
onlinedocpage.org
outletalertsdaily.com
page.googledocpage.com
product.onlinedoc.dev
protect.antcapital.us
protect.azure-drive.com
protectoffice.club
protect.venturelabo.co
pvset.itsaol.com
qooqle.download
qoqle.online
regcnlab.com
reit.live
securedigitalmarkets.ca
securedigitalmarkets.co
share.bloomcloud.org
sharebusiness.xyz
share.devprocloud.com
sharedocs.xyz
share.docuserver.xyz
share.stablemarket.org
signverydn.sharebusiness.xyz
sinovationventures.co
skandiafastigheter.cc
slot0.regcnlab.com
stablemarket.org
svr04.faqserv.com
tokenhub.mefound.com
tokentrack.mrbasic.com
twosigma.publicvm.com
updatepool.online
up.digifincx.com
upload.gdrives.best
venturelabo.co
verify.googleauth.pro
word.azureword.com
youbicapital.cc
devstar.dnsrd.com
fxbet.linkpc.net
lservs.linkpc.net
mmsreceive.linkpc.net
msservices.hxxps443.org
onlineshoping.publicvm.com
palconshop.linkpc.net
pokersonic.publicvm.com
press.linkpc.net
rubbishshop.linkpc.net
rubbishshop.publicvm.com
socins.publicvm.com
vpsfree.linkpc.net

# Reference: https://twitter.com/malwrhunterteam/status/1602997656468754432
# Reference: https://www.virustotal.com/gui/file/41c83c80fa348d56ccb10fa48114bac52691c9778812547290d13b3214d98e8c/detection

gdriveshare.com
googledrive.services
wirexapp.app

# Reference: https://securelist.com/bluenoroff-methods-bypass-motw/108383/
# Reference: https://otx.alienvault.com/pulse/63ac10d2a4d29d94a7766d7a

abf-cap.co
abf-cap.com
angelbridge.capital
angelbridge.jp
anobaka.info
anobaka.jp
bankofamerica.nyc
bankofamerica.tel
bankofamerica.us.org
beyondnextventures.co
beyondnextventures.com
lno-prima.lol
mizuhogroup.us
offerings.cloud
perseus.bond
smbc-vc.com
smbc.ltd
smbcgroup.us
tptf.co
tptf.ltd
tptf.us
avid.lno-prima.lol
careers.mizuhogroup.us
cloud.beyondnextventures.co
vote.anobaka.info

# Reference: https://twitter.com/StopMalvertisin/status/1625402506737250304
# Reference: https://www.virustotal.com/gui/file/26e376fc80b090b2ee04e7d3104d308a150e58538580109a74f4ac49bf362423/detection

espcapital.pro
cloud.espcapital.pro

# Reference: https://twitter.com/craiu/status/1625408594886762496
# Reference: https://twitter.com/craiu/status/1625408647508402176

cloud.anobaka.info
cloud.dnx.capital
cloud.gpmtreit.co
cloud.j-ic.co
cloud.j-ic.com
cloud.mekongcapital.net
down.gpmtreit.co
down.gpmtreit.us
down.j-ic.com
down.tomming.us
gpmtreit.co
gpmtreit.us
internal.j-ic.co
j-ic.co
j-ic.com
mekongcapital.net
tet.dnx.capital
tomming.us

# Reference: https://twitter.com/StopMalvertisin/status/1625710611425554434
# Reference: https://www.virustotal.com/gui/file/864f2a624a58cf460689d805e271fbffe24266933cc10166f4342e65143e019f/detection

autoprotect.com.de

# Reference: https://twitter.com/souiten/status/1635210162805018624
# Reference: https://www.virustotal.com/gui/file/2c0a66c6370b4aa88ab3805d520e868cbc513b43119958257a72c9ff58ef241c/detection

share.dedesignanddev.com

# Reference: https://twitter.com/StopMalvertisin/status/1642450636875898880
# Reference: https://twitter.com/StopMalvertisin/status/1642450639618973696
# Reference: https://www.virustotal.com/gui/file/4d5efd08e66c394b025a57995a7065fcda45a982a16ded4cdfc4ed42bd142ea5/detection

jdshare.com.de
mufg.us.com

# Reference: https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/

31ventures.info
deck.31ventures.info

# Reference: https://twitter.com/k3yp0d/status/1650071119074844673
# Reference: https://www.virustotal.com/gui/file/ff8832355ae99ffd66d0fe9eda2d74efdf3ed87bb2a4c215b93ade93165f7c0b/detection
# Reference: https://www.virustotal.com/gui/file/3b6f30369a4ee8bf9409d141b6d1b3fb4286c34984b5de005ed7431df549b17e/detection

hedgehogvc.us
cloud.hedgehogvc.us
down.hedgehogvc.us
laos.hedgehogvc.us
pet.hedgehogvc.us
thai.hedgehogvc.us

# Reference: https://twitter.com/KSeznec/status/1678319191110082560

decentryk.online
protectsh.online
raizerverify.online
association.linkpc.net
c-money.linkpc.net
dma.linkpc.net
docsend.com-proapple.cloud.line.pm
longjourneycapital.publicvm.com
longjourneyfund.publicvm.com
longjourneyventure.publicvm.com
world.linkpc.net

# Reference: https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/
# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-08-10-v10391/855

autodynamics.work.gd
