# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: cageychameleon, cryptomimic, ta444, wslink
# Note: most trails below are brand-lookalike domains (Google Drive / Gmail, OneDrive, Azure, Amazon, Microsoft, MUFG,
# Bank of America, DocSend, Bugcrowd, etc.), not the genuine brand domains, or hostnames under what appear to be shared
# dynamic-DNS zones (publicvm.com, onmypc.org, itsaol.com, itemdb.com, theworkpc.com, linkpc.net, dynu.net,
# redirectme.net, kozow.com, work.gd, run.place). Match on the exact hostnames listed here; do not extend a match to
# the parent dynamic-DNS zone or to the impersonated brand's legitimate domains, or the trail will generate false positives.

# Reference: https://twitter.com/behindbreach/status/1287961015506927616
# Reference: https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf
# Reference: https://otx.alienvault.com/pulse/5ef36f8f63a7d8a11972ca54
# Reference: https://vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/
# Reference: https://vblocalhost.com/uploads/VB2020-Takai-etal.pdf
# Reference: https://vblocalhost.com/uploads/VB2020-18.pdf
# Reference: https://otx.alienvault.com/pulse/5f74bcb0be4abfe12d93d2bf

140.136.134.201:8080
41.85.145.164:8080
1driv.org
1drv.email
1drvmail.work
amazonaws1.info
amzonnews.club
blockchaintransparency.institute
bugscrowd.com
cloudfiles.club
cloudocs.space
cloudsecure.space
decurret.site
digifincx.com
drivegmail.top
drivegoogle.org
drivegooglshare.xyz
euprotect.net
fcloudshare.xyz
filecloud.website
financialmarketing.live
gdriverfileshare.com
gdrives.best
gdrives.top
gdriveshare.top
gdriveshareslink.xyz
gdriveupload.info
gdriveupload.site
gdrvauth.cloud
gdrvcheck.co
gdrvshare.site
gdrvup.xyz
gdrvupload.xyz
gmaildrive.info
gmaildrive.site
gmaildriver.info
gogleshare.xyz
goglesheet.com
googldocs.org
googldrive.xyz
googleapis.online
googleauth.pro
googlecloud.live
googleclouddrive.com
googlecstorage.com
googledrive.download
googledrive.email
googledrive.network
googledrive.online
googledriver.info
googledriver.net
googledriver.xyz
googledriveshare.com
googledrv.com
googleexplore.net
googlefiledrive.com
googlefileshare.com
googleshare.org
googleupload.info
krypitalvc.com
liveonedrvshare.xyz
microsoftapp.life
msupdatepms.xyz
navicheck.xyz
onedrivecloud.store
onedriveglobal.com
onedrivems.online
onedrivrshares.xyz
onedrvdn.co
onedrvfile.site
ownemail.me
privacyshield.services
provemail.net
secureshares.online
sendspace.buzz
sharedrivegght.xyz
sharegoogldrive.online
sharesdown.xyz
showprice.xyz
uploadsfiles.xyz
wechart.org
armzon.onmypc.org
blackwell.tekstar.us
btcprime.itsaol.com
chromeupdate.publicvm.com
coindeck.onmypc.org
coinnews.onmypc.org
coinomic.itsaol.com
connsec.publicvm.com
ddsvr.itsaol.com
drive.sharegoogldrive.online
drivegoogle.publicvm.com
drivegooogle.publicvm.com
esosv.itemdb.com
europegdprsec.onmypc.org
eusharesrv.onmypc.org
excinfo.itemdb.com
gdrive.onmypc.org
googledrive.dynu.net
googledrive.linkpc.net
googledrive.publicvm.com
googleupdate.publicvm.com
ledgerservice.itsaol.com
matrixpartners.theworkpc.com
mpksl.publicvm.com
mskpupdate.publicvm.com
msupdate.publicvm.com
onedriveupdate.publicvm.com
sevicebill.itemdb.com
termsofservice.onmypc.org
tokenomic.itsaol.com
twosigma.publicvm.com
vpset.onmypc.org
vpsfree.linkpc.net
windrvupdate.kozow.com

# Reference: https://twitter.com/_re_fox/status/1280138335214804995

twosigmateam.info

# Reference: https://twitter.com/_re_fox/status/1298281770597654529

drivegoogles.com

# Reference: https://twitter.com/_re_fox/status/1232320036834025472
# Reference: https://app.any.run/tasks/8d5e66c9-3942-4e00-bfdf-8f2c24054a92/

140.117.91.22:8080
blog.cloudsecure.space

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-12-19-v10199/212

prosec.ink
cloud.prosec.ink
cloudprotect.us.org

# Reference: https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds

autoprotect.com.de
autoprotect.gb.net
azurehosting.co
azureprotect.online
azureprotection.cloud
azuresecurity.online
azuresecurity.site
bankofamerica.offerings.cloud
careers.bankofamerica.nyc
careersbankofamerica.us
cloud.globiscapital.co
cloud.mufg.uk
cloud.tptf.ltd
cloud.wpic.ink
docs.azurehosting.co
globiscapital.co
hoststudio.org
ledgercloud.com
mufg.ink
mufg.uk
mufg.us.org
share.anobaka.info
tptf.fund
unchainedcapital.co
updatezone.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-02-09-v10240/306

autoprotect.com.se

# Reference: https://twitter.com/C0ryInTheHous3/status/1630551018084737027

mufg.yokohama

# Reference: https://twitter.com/C0ryInTheHous3/status/1630991590176030738

doc-view.cloud
azure.doc-view.cloud

# Reference: https://twitter.com/C0ryInTheHous3/status/1633897592806408192

daiwa.ventures
cloud.daiwa.ventures

# Reference: https://twitter.com/C0ryInTheHous3/status/1646159776177324044
# Reference: https://twitter.com/C0ryInTheHous3/status/1646161233458999297
# Reference: https://www.virustotal.com/gui/ip-address/104.168.167.88/relations

arbordeck.co.in
shared-document.cloud
spirtblockchain.com
deck.arbordeck.co.in
safe.shared-document.cloud
arborventures.capital
autoupdatecheck.work.gd
companydeck.cloud
companydeck.online
contract-research.blog
contractresearch.blog
crypto.contract-research.blog
crypto.contractresearch.blog
deck.arbordeck.online
docs-send.cloud
docupload.site
file.docupload.site
file.myfirmdocument.cloud
file.myfirmdocument.online
gunosis.global
interalliancemediagroups.cloud
mx.interalliancemediagroups.cloud
myfirmdocument.cloud
myfirmdocument.online
safe.arborventures.capital
safe.gunosis.global
safe.job-description.online
safe.nextera.capital
safe.smart-contracts.blog
securesmtp.interalliancemediagroups.cloud
smtps.interalliancemediagroups.cloud
webhostwatto.work.gd

# Reference: https://storage.pardot.com/838563/1676629189Mljyft19/CTI_Advisory_Undetected_North_Korean_Malware_A_Looming_Threat_to_Finan.pdf

http://104.255.172.56
cloud.azurehosting.co
doc.gdocshare.one
down.espcapital.co
nbright.best
ns1.trytiponlineresult.com
ns2.trytiponlineresult.com
safe.doc-share.pro
safe.doc-share.top
site.siteshare.me
siteshare.me
trytiponlineresult.com

# Reference: https://twitter.com/TLP_R3D/status/1649147042680172571
# Reference: https://www.virustotal.com/gui/ip-address/104.255.172.52/relations
# Note: ".entures" is not a delegated TLD, so the two "deepcore.v.entures" entries in this group look mangled (likely a
# stray dot) and will never match real traffic; verify the intended hostname against the VirusTotal relations above
# before relying on them.

256ventures.us
aidpartners.org
altair-vc.co.uk
altair-vc.com
altair.linkpc.net
deck.altair-vc.co.uk
deck.altair-vc.com
deck.toyota-ai.org
deepcore.v.entures
doc.256ventures.us
docsend.me
down.aidpartners.org
down.protectedviewer.co
inter.gpmtreit.co
partner.deepcore.v.entures
protectedviewer.co
sarahbeery.docsend.me
toyota-ai.org

# Reference: https://twitter.com/C0ryInTheHous3/status/1661076239614918660

docupload.lat
docupload.store
getwebconnection.buzz
last-report.online
latest-report.cloud
deck.latest-report.cloud
file.docupload.lat
file.docupload.store
news.last-report.online
ok.docupload.store

# Reference: https://twitter.com/C0ryInTheHous3/status/1661075436783259649

docupload.bond
els.docupload.bond

# Reference: https://twitter.com/C0ryInTheHous3/status/1661756717355483137
# Reference: https://www.virustotal.com/gui/ip-address/104.168.167.88/relations

dontdie.cfd
getwebconnection.cfd
latest-report.online
file.latest-report.online
sts.interalliancemediagroups.cloud

# Reference: https://twitter.com/TLP_R3D/status/1664980484219084801
# Reference: https://www.virustotal.com/gui/ip-address/172.93.193.219/relations

developcore.org
gdrvcloud.com
app.developcore.org

# Reference: https://twitter.com/C0ryInTheHous3/status/1669422415309418496

downloadfile.icu
getfilefrom.site
getfilefrom.store
interalliancemediagroups.cloud

# Reference: https://twitter.com/TLP_R3D/status/1677617586349981696
# Reference: https://www.virustotal.com/gui/ip-address/192.119.64.43/relations

floriventurescapital.linkpc.net
floriventuresfinance.linkpc.net
floriventuresfund.linkpc.net

# Reference: https://www.virustotal.com/gui/file/0be79614938541a4cd85de1b6103f0fdeb3808aaba5856ba5bbd8ef6976cf8c3/detection

obituary2.redirectme.net
yorst.linkpc.net

# Reference: https://twitter.com/TLP_R3D/status/1685581711139102720
# Reference: https://www.virustotal.com/gui/ip-address/23.254.204.173/relations
# Reference: https://www.virustotal.com/gui/file/8949207761f3d09734aa716da1e6c182425bcde2a95dacb3320085f1fe66069c/detection

espcap.fun
pro-tokyo.top
docsend-cloud.espcap.fun
docsend.com-pro.apple.cloud.line.pm
group.pro-tokyo.top

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-09-05-v10410/921

cryptowave.capital
datasend.fun
internal-meeting.online
video-meet.xyz

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-09-20-v10421/970

tp-globa.xyz
pre.alwayswait.site
doc.apple.com.premienoe.aidl.eonw.line.pm

# Reference: https://twitter.com/TLP_R3D/status/1705211957941240212
# Reference: https://www.virustotal.com/gui/ip-address/172.86.121.198/relations

techopscentral.com

# Reference: https://twitter.com/greglesnewich/status/1717963704828915988

internal-document-he-gr-me.run.place
j-ic.co.internal-document-he-gr-me.run.place
