# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: calisto, ta446
# Also tracked in the references below as: seaborgium, coldriver, blue callisto

# Reference: https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/

drive-share.live
protect-link.online
protection-office.live
proton-viewer.com

# Reference: https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign/

cache-docs.com
cloud-docs.com
docs-cache.com
docs-drive.online
docs-info.com
documents-cloud.com
documents-cloud.online
documents-pdf.online
drive-docs.com
file-milgov.systems
hypertextteches.com
office-protection.online
pdf-cloud.online
pdf-docs.online
pdf-shared.online
protectionmail.online
proton-docs.com
proton-view.online

# Reference: https://twitter.com/h2jazi/status/1538940189015429122
# Reference: https://www.virustotal.com/gui/file/7b95747eeea196c1485d089fa47a06bacb07d06399603d3a4fa153c21ce0a9ba/detection

cache-pdf.com

# Reference: https://otx.alienvault.com/pulse/6272996039678903e0b73dd5

cache-dns.com
docs-shared.com
documents-forwarding.com
documents-preview.com
protection-link.online
webresources.live

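# Reference: https://twitter.com/r0ny_123/status/1549751626004500481
# Note: documents-cloud.online in this group is also listed under the first blog.sekoia.io reference above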

cache-pdf.online
documents-cloud.online
pdf-cache.online
pdf-forwarding.online
storage-service.online

# Reference: https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/

cache-dns-forwarding.com
cache-dns-preview.com
cache-services.live
cloud-drive.live
cloud-mail.online
cloud-storage.live
docs-forwarding.online
docs-info.online
docs-shared.online
docs-view.online
document-forwarding.com
document-online.live
document-preview.com
document-share.live
document-view.live
documents-online.live
documents-view.live
goo-link.online
mail-docs.online
office365-online.live
officeonline365.live
online-document.live
online-storage.live
online365-office.com
onlinecloud365.live
pdf-cache.com
protection-checklinks.xyz
proton-pdf.online
proton-reader.com
relogin-dashboard.online
safe-connection.online
safelinks-protect.live
secureoffice.live
word-yand.live
y-ml.co
yandx-online.cloud

# Reference: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html

goo-ink.online
hypertexttech.com
accounts.hypertexttech.com

# Reference: https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support/
# Reference: https://otx.alienvault.com/pulse/6390ecc150d6fda9ab97c604

access-confirmation.com
allow-access.com
antibots-service.com
apicomcloud.com
as-mvd.ru
attach-docs.com
attach-update.com
blueskynetwork-drive.com
blueskynetwork-shared.com
botguard-checker.com
botguard-web.com
challenge-identifier.com
challenge-share.com
checker-bot.com
cija-docs.com
cija-drive.com
cloud-safety.online
cloud-us.online
default-dns.online
disk-previewer.com
dns-cache.online
dns-challenge.com
dns-cookie.com
dns-mvd.ru
docs-cache.online
docs-collector.com
docs-storage-ltd.com
docs-viewer.online
docs-web.online
document-guard.com
document-sender.com
drive-control.com
drive-defender.com
drive-global-ordnance.com
drive-globalordnance.com
drive-information.com
drive-previewer.com
drive-us.online
dtgruelle-drive.com
dtgruelle-us.com
encompass-drive.com
encompass-shared.com
filter-bot.com
global-ordnance-drive.com
goweb-protect.com
goweb-service.com
guard-checker.com
hd-centre-drive.com
hd-docs-share.com
hypertextttech.com
land-of-service.com
live-identifier.com
mvd-cloud.ru
mvd-redir.ru
network-storage-ltd.com
nonviolent-conflict-service.com
nonviolent-conflict-storage.com
online-word.com
preview-docs.com
preview-docs.online
protectedshields-storage.com
protection-web-app.com
proxycrioisolation.com
redir-document.com
response-collector.com
response-filter.com
response-mvd.ru
response-redir.com
safe-proof.com
sangrail-ltd.com
sangrail-share.com
selector-drafts.online
share-drive-ua.com
soaringeagle-drive.com
threatcenterofreaserch.com
threatcenterofresearch.com
transfer-dns.com
transfer-record.com
umo-drive.com
umopl-drive.com
umopl.com
webview-service.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-08-09-v10390/852

bittechllc.net
centeritdefcity.com
checkscreenit.com
cloudcpanelhost.com
clouddefsystems.com
cloudrootstorage.com
commandentrance.com
computertechdirectsystems.com
computingtechstudio.com
configuregatewayglobal.com
controlgatestorage.com
controlsstoragedirect.com
controlstoragesolutions.com
cryptdatagate.com
cryptotechdirect.com
cryptothistech.com
datagatellc.com
datagatewayglobal.com
datastoragecrypto.com
definform.com
deskactivitygm.com
directdocumentgate.com
directdocumentgateway.com
directexpressgateway.com
directstoragegate.com
docsinfogate.com
documentdirectllc.com
documentdirectto.com
entrywaycenter.com
gateblurbrepository.com
gatecryptospace.com
gateinfosecure.com
gatestoragetech.com
gatewaydocsint.com
gatewayitsol.com
gatewayrecord.com
gawecryptoinfosolutions.com
getinfostarter.com
incappcloud.com
infocryptogate.com
infogatestorage.com
informationcoindata.com
informationswitchsystems.com
infostorageroute.com
intelligencerepository.com
itgatestorage.com
itinfogate.com
keepitlabgroup.com
managercodepro.com
meshgoin.com
myitappnext.com
myittechnext.com
networkgoin.com
oneinformationcrypto.com
pdfdirectglobal.com
pdfsecxcloudroute.com
po.vatangate.com
prodefendme.com
prokeeperit.com
protectedviews.com
protectordocumentcenter.com
realeasyconfiguregateway.com
realitsolutionprimary.com
safetydocsgateway.com
secureglobaltele.com
serverguarditweb.com
shielditlabel.com
shortinfoonline.com
skycithereforeit.com
solutionsseccloud.com
sourcedoorway.com
sourcedoorways.com
stateinfospace.com
storagecryptogate.com
storagecryptoweb.com
storageinfogate.com
storagekeeperinfopro.com
storagekeeperinfotech.com
storagerootconnect.com
storagetruncservices.com
storagewarden.com
suppdatacent.com
truncstorage.com
vatangate.com
webgateway.ru
webgatewayenter.com
webinterstellar.com
yourdirectinfospace.com
yourspaceprotector.com

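# Reference: https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/ (# SPICA backdoor)
# Reference: https://www.virustotal.com/gui/file/37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9/detection
# Note: the entry below is an IP:port pair rather than a domain; IP addresses get reassigned, so treat matches as time-bound and corroborate them with other telemetry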

45.133.216.15:3000
