# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/malware_traffic/status/1574848307519754242
# Reference: https://github.com/brad-duncan/IOCs/blob/main/2022-09-27-TA569-Soc-Gholish-IOCs.txt

dotimewat.com

# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-October/030770.html

pastukhova.com
profi-stom.com

# Reference: https://isc.sans.edu/diary/rss/29170
# Reference: https://otx.alienvault.com/pulse/6352a4f01abba547918c8a4d

skambio-porte.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond
# Reference: https://otx.alienvault.com/pulse/63fcc40dc61f21260d830fdb

ergpractice.com
luxurycompare.com
neashell1.com
neashell2.com
she32rn2.com
shetrn1.com
shetrn2.com
soendorg.top

# Reference: https://twitter.com/1ZRR4H/status/1637713807345582089
# Reference: https://twitter.com/1ZRR4H/status/1637713810017402880

jqueryj.com
jqueryns.com
jqscr.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-03-27-v10278/415

jsqur.com
jqueryh.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-03-30-v10281/420

xjquery.com

# Reference: https://www.virustotal.com/gui/ip-address/185.251.88.99/relations

devqeury.org
abc.jqueryh.org

# Reference: https://twitter.com/1ZRR4H/status/1646021980854910978

devcodejs.org

# Reference: https://twitter.com/threatcat_ch/status/1646799785423261697
# Reference: https://www.virustotal.com/gui/ip-address/47.90.178.252/relations

aeryqget.org
assistpayout.org
backendjs.org
debquery.org
deeptrickday.org
etaqeryg.org
getquery.org
greenpapers.org
jsviewdev.org
lemonicecold.org
metallife.org
neworderspath.org
quaryget.org
rygesqua.org
squaryge.org
tqeuryge.org
uaqryges.org
waterlinesheet.org
ygequary.org
120.75.backendjs.org
40.120.75.backendjs.org
75.backendjs.org
awmdm.greenpapers.org
client.greenpapers.org
emv1.getquery.org
h.greenpapers.org
ir.devqeury.org
l9j2sm5mxz.jqscr.com
mta-sts.bluegaslamp.org
portal.backendjs.org
topics.jqueryh.org
xkccowcfuqj.jsqur.com

# Reference: https://twitter.com/MBThreatIntel/status/1580283780350504960
# Reference: https://www.virustotal.com/gui/ip-address/62.233.50.75/relations

jquery0.com
jquery01.com

# Reference: https://twitter.com/threatcat_ch/status/1660535867365105666
# Reference: https://www.virustotal.com/gui/ip-address/91.203.193.124/relations

cancelledfirestarter.org
dailytickyclock.org
visionofvivaldi.org
emv1.deeptrickday.org
emv1.jqueryj.com
ep-mimecast.dailytickyclock.org
mcid-6bb27bab-3815-40c3-996b-90b2c3bca7a7.ep-mimecast.dailytickyclock.org

# Reference: https://twitter.com/threatcat_ch/status/1668596702696054785
# Reference: https://www.virustotal.com/gui/ip-address/47.91.94.97/relations

libertader.org
linedgreen.org

# Reference: https://www.virustotal.com/gui/ip-address/91.103.253.14/relations

chestedband.org
drilledgas.org
sevenpunches.org
surelytheme.org
windowlight.org
tracker.drilledgas.org
transfer.drilledgas.org

# Reference: https://bazaar.abuse.ch/sample/f5f167423d31cdd7e742d6ae85d6170f26203ec7496d4e098f9e16f40e864c0a/
# Reference: https://www.virustotal.com/gui/ip-address/178.159.37.73/relations

google-analytiks.com
updateadobeflash.website
deepolis.google-analytiks.com
forexcash.google-analytiks.com
forexfr.google-analytiks.com
forexmax.google-analytiks.com
forexru.google-analytiks.com
forexua.google-analytiks.com
mail.google-analytiks.com
maxi.google-analytiks.com
med17.google-analytiks.com
mmc.google-analytiks.com
poluchit.google-analytiks.com

# Reference: https://threatfox.abuse.ch/ioc/1149035/

gstatick.com

# Reference: https://threatfox.abuse.ch/browse/tag/KeitaroTDS/ (# 2023-08-09)

biggreenlimes.org
bluegaslamp.org
deeplakes.org
greedyfines.org
limonpart.org
linedloop.org
slurpslimes.org
zdmserver.greedyfines.org

# Reference: https://twitter.com/0x6rss/status/1698615609234206994
# Reference: https://www.virustotal.com/gui/ip-address/178.159.37.25/relations

http://178.159.37.25
gctatick.com
googlestates.com

# Reference: https://www.virustotal.com/gui/ip-address/178.159.37.73/relations

analytics-google-x91.com
visionproject.website

# Reference: https://www.virustotal.com/gui/ip-address/194.169.175.229/relations

darkmansion.org
draggedline.org
machinetext.org
myowndpp.com
newcres.com
onsepp.com
redsnowynose.org
throatpills.org
biggreenlimes.surelytheme.org
emv1.draggedline.org
mail.jsviewdev.org
mta-sts.myowndpp.com
mta-sts.onsepp.com
sub.throatpills.org
t.throatpills.org
website.newcres.com
www2.throatpills.org

# Reference: https://www.virustotal.com/gui/ip-address/95.214.26.35/relations

climedballon.org
greedyclowns.org
whitedrill.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-10-30-v10452/1080

bigbricks.org
frightysever.org

# Reference: https://threatfox.abuse.ch/ioc/1197494/
# Reference: https://www.virustotal.com/gui/ip-address/162.55.189.218/relations

telemetry.africa

# Reference: https://www.virustotal.com/gui/ip-address/95.214.26.19/relations
# Reference: https://app.validin.com/axon?find=95.214.26.19&type=ip

confirmapply.org
daddygarages.org
froggysnow.org
limeerror.org
risenpeaches.org
socksboxes.org
treegreeny.org
vibedroom.org

# Reference: https://www.virustotal.com/gui/ip-address/193.37.197.24/relations

avto.throatpills.org
moda.throatpills.org
plant.linedgreen.org
ru.throatpills.org
seo.linedgreen.org
store.throatpills.org

# Reference: https://www.virustotal.com/gui/ip-address/107.191.98.93/relations

emperorplan.org

# Reference: https://www.virustotal.com/gui/ip-address/193.37.197.24/relations
# Reference: https://www.virustotal.com/gui/ip-address/80.66.64.220/relations

coajuneteenth.org
cosfjuneteenth.com
juneteenthcosf.com
juneteenthsf.org
modernneuropathy.org
onejuneteenth.org

# Reference: https://www.virustotal.com/gui/ip-address/193.106.174.174/relations
# Reference: https://app.validin.com/axon?source=DNS&type=ip&find=193.106.174.174

biggerfun.org
catsndogz.org
circuspride.org
frenchpies.org
nowordshere.org

# Reference: https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
# Reference: https://www.virustotal.com/gui/ip-address/74.208.41.177/relations

informandoyformando.org
kairoscounselingmi.com
nathumvida.org

# Reference: https://www.virustotal.com/gui/ip-address/82.97.241.207/relations

cloudwebhub.pro

# Reference: https://www.virustotal.com/gui/ip-address/45.11.27.62/relations

codecruncher.pro
searchgear.pro
elk3xlxj.circuspride.org
it.whitedrill.org
ku1720.whitedrill.org
server.whitedrill.org

# Reference: https://www.virustotal.com/gui/ip-address/8.208.89.9/relations

shiningmoons.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2024-01-25-v10514/1322

mwasro.com
