# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: roamingmantis, xloader, fakespy, moqhao

# Reference: https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/

haoxingfu01.ddns.net
shaoye11.hopto.org

# Reference: https://securelist.com/roaming-mantis-part-iv/90332/
# Reference: https://otx.alienvault.com/pulse/5ca537055fe8d2200c37306e
# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/
# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/
# Reference: https://securityaffairs.co/wordpress/83317/breaking-news/xloader-6-twitter.html
# Reference: https://twitter.com/NaomiSuzuki_/status/1139099288682635264
# Reference: https://twitter.com/sepi140/status/1144053834894864387

ffakecg.com
files.spamo.jp
759383.com
711231.com
923525.com
923915.com
975685.com
1.169.203.48:28855
1.171.156.182:28844
104.160.191.190:8822
114.43.155.227:28855
118.168.130.236:28855
125.227.174.35:28855
220.136.39.1:28855
220.136.47.169:28855
220.136.49.137:28855
61.230.204.87:28833
61.230.204.87:28855
61.230.205.122:28833
61.230.205.122:28844
61.230.205.122:28855
61.230.205.132:28833
61.230.205.132:28844
61.230.205.132:28855
61.230.204.87:28844
61.230.210.228:28855
http://38.27.99.11/xvideo/

# Reference: https://twitter.com/ninoseki/status/1115061669929992192

softbank-b.com
id-auone.com

# Reference: https://twitter.com/naomisuzuki_/status/1104603448580833281

174.139.10.106:81

# Reference: http://vxcube.com/tools/domain/nttdocomo-ki.com/relate_iocs

softbank-c.com

# Reference: http://vxcube.com/tools/domain/softbank-c.com/relate_iocs

a-sagawa.com

# Reference: https://twitter.com/JayTHL/status/1145181603259387904
# Reference: https://twitter.com/NaomiSuzuki_/status/1144905331337768961
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.104/relations
# Reference: https://www.virustotal.com/gui/ip-address/104.143.94.206/relations
# Reference: https://twitter.com/NaomiSuzuki_/status/1145172884379193344
# Reference: https://www.virustotal.com/gui/ip-address/104.194.219.46/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.106/relations
# Reference: https://twitter.com/NaomiSuzuki_/status/1144461927193513985
# Reference: https://www.virustotal.com/gui/ip-address/104.143.94.203/relations
# Reference: https://www.virustotal.com/gui/ip-address/104.143.94.204/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.110/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.111/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.113/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.114/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.119/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.121/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.127/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.128/relations
# Reference: https://twitter.com/NaomiSuzuki_/status/1141595796762050560
# Reference: https://www.virustotal.com/gui/ip-address/66.11.117.67/relations
# Reference: https://www.virustotal.com/gui/ip-address/66.11.117.68/relations
# Reference: https://www.virustotal.com/gui/ip-address/66.11.117.69/relations
# Reference: https://www.virustotal.com/gui/ip-address/66.11.117.70/relations
# Reference: https://twitter.com/NaomiSuzuki_/status/1141332232214175744
# Reference: https://www.virustotal.com/gui/ip-address/45.58.61.5/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.253/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.234.51.75/relations
# Reference: https://twitter.com/NaomiSuzuki_/status/1140486071915962368
# Reference: https://www.virustotal.com/gui/ip-address/174.139.49.108/relations
# Reference: https://www.virustotal.com/gui/ip-address/67.229.196.130/relations
# Reference: https://www.virustotal.com/gui/ip-address/67.229.196.131/relations
# Reference: https://www.virustotal.com/gui/ip-address/67.229.196.132/relations
# Reference: https://www.virustotal.com/gui/ip-address/67.229.196.133/relations
# Reference: https://www.virustotal.com/gui/ip-address/67.229.196.134/relations
# Reference: https://www.virustotal.com/gui/ip-address/67.229.228.67/relations
# Reference: https://www.virustotal.com/gui/ip-address/67.229.228.68/relations
# Reference: https://www.virustotal.com/gui/ip-address/67.229.228.69/relations
# Reference: https://www.virustotal.com/gui/ip-address/67.229.228.70/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.114.225.121/relations
# Reference: https://www.virustotal.com/gui/ip-address/192.236.200.43/relations
# Reference: https://www.virustotal.com/gui/ip-address/192.236.200.44/relations
# Reference: https://www.virustotal.com/gui/ip-address/192.236.200.46/relations
# Reference: https://twitter.com/NaomiSuzuki_/status/1145647256122482689
# Reference: https://twitter.com/NaomiSuzuki_/status/1145676619920470016
# Reference: https://twitter.com/NaomiSuzuki_/status/1147414997141577728
# Reference: https://twitter.com/NaomiSuzuki_/status/1147504563584294912
# Reference: https://twitter.com/NaomiSuzuki_/status/1150663929351135232
# Reference: https://twitter.com/NaomiSuzuki_/status/1150758062589743104
# Reference: https://twitter.com/NaomiSuzuki_/status/1132842777564180480
# Reference: https://twitter.com/NaomiSuzuki_/status/1151749950616698881
# Reference: https://twitter.com/NaomiSuzuki_/status/1151714965964906496

fril-jp.xyz
a-sagawa.cn
r-softbank.com
s-softbank.com
t-softbank.com
u-softbank.com
w-softbank.com
y-softbank.com
z-softbank.com
104.143.94.203:81
104.143.94.204:81
104.143.94.205:81
104.143.94.206:81
104.194.219.43:81
104.194.219.44:81
104.194.219.45:81
104.194.219.46:81
137.175.79.26:81
174.139.49.108:81
174.139.49.109:81
185.114.225.121:81
192.236.200.42:81
192.236.200.43:81
192.236.200.44:81
192.236.200.46:81
45.12.206.233:81
45.58.61.5:81
45.83.140.132:81
51.68.251.30:81
66.11.117.67:81
66.11.117.68:81
66.11.117.69:81
66.11.117.70:81
67.229.165.163:81
67.229.196.130:81
67.229.196.131:81
67.229.196.132:81
67.229.196.133:81
67.229.196.134:81
67.229.228.67:81
67.229.228.68:81
67.229.228.69:81
67.229.228.70:81
89.35.39.233:81

# Reference: https://twitter.com/NaomiSuzuki_/status/1148443453438611456
# Reference: https://twitter.com/NaomiSuzuki_/status/1149671856288305152
# Reference: https://twitter.com/NaomiSuzuki_/status/1150281094308044800
# Reference: https://twitter.com/NaomiSuzuki_/status/1190135139260518400

securityana-ale.top
security[a-z]{3}\-apple\.top
security[a-z]{3}\-[a-z]{3}\.top

# Reference: https://twitter.com/NaomiSuzuki_/status/1142112093765697536

softbank-if.com

# Reference: https://twitter.com/NaomiSuzuki_/status/1147844385448456197
# Reference: https://twitter.com/mentalCIANE/status/1148857589658034176
# Reference: https://www.virustotal.com/gui/ip-address/66.79.174.113/relations

mydocomo[a-z-]+\.com

# Reference: https://www.virustotal.com/gui/domain/myau-it.com/relations

myau-it.com

# Reference: https://twitter.com/u_ma66/status/1134356655225810945

nttdocomo\-[a-z]{3}\.com

# Reference: https://twitter.com/NaomiSuzuki_/status/1152594740681924608

sagawa.online

# Reference: https://twitter.com/ninoseki/status/1153560258385600513

myau-pk.com

# Reference: https://twitter.com/papa_anniekey/status/1153275407107416064

id-securitys.com
myauaz.com

# Reference: https://twitter.com/ninoseki/status/1145972713242021888

sasekr\-[a-z]{3}\.top

# Reference: https://twitter.com/NaomiSuzuki_/status/1115537295048826880
# Reference: https://twitter.com/papa_anniekey/status/1115521152871329792

maisa\-[a-z]{3}\.com

# Reference: https://twitter.com/ninoseki/status/1154187270443769856

myau-tk.com
mysoftbank-yd.com

# Reference: https://twitter.com/ninoseki/status/1155341234933682177

myau-iv.com

# Reference: https://twitter.com/ninoseki/status/1156053482400432129

myau-iej.com

# Reference: https://twitter.com/ninoseki/status/1158253859388526594

220.136.221.176:28866
220.136.221.176:38876

# Reference: https://twitter.com/ninoseki/status/1160454983885574145

starspacegames.com

# Reference: https://twitter.com/ninoseki/status/1160459178449625088

lhbd666.com
六合宝典666.com
xn--666-xw1e1b58vhor.com

# Reference: https://twitter.com/NaomiSuzuki_/status/1160890581180014595

a.bb-bb.top

# Reference: https://twitter.com/NaomiSuzuki_/status/1164491384939696128

a111a.top

# Reference: https://twitter.com/ninoseki/status/1165139382166147073

6666.sk
hd7669.com
jx668.com
bnbnyou.com
98238001.com
gqs1.com
yhkjjm.com

# Reference: https://twitter.com/NaomiSuzuki_/status/1166964963501432832

a12c.top

# Reference: https://twitter.com/NaomiSuzuki_/status/1167721457251569666

a12b.top

# Reference: https://twitter.com/ninoseki/status/1167670614968164355

88mu.cc
5975h.cc

# Reference: https://twitter.com/papa_anniekey/status/1171239626205302784
# Reference: https://twitter.com/NaomiSuzuki_/status/1168455483767738368
# Reference: https://twitter.com/NaomiSuzuki_/status/1168782925057290240
# Reference: https://twitter.com/NaomiSuzuki_/status/1169158271141326850
# Reference: https://twitter.com/papa_anniekey/status/1169138764033265674
# Reference: https://twitter.com/NaomiSuzuki_/status/1169520889152425984
# Reference: https://twitter.com/NaomiSuzuki_/status/1169885475089203201
# Reference: https://twitter.com/NaomiSuzuki_/status/1170316840851005441
# Reference: https://twitter.com/NaomiSuzuki_/status/1170624787258867712
# Reference: https://twitter.com/NaomiSuzuki_/status/1170943660994654208
# Reference: https://twitter.com/NaomiSuzuki_/status/1171333123168059392
# Reference: https://twitter.com/papa_anniekey/status/1171239629447520263
# Reference: https://twitter.com/NaomiSuzuki_/status/1154324406413352960

a123a.top
b123b.top
c123c.top
d123d.top
e123.top
e123e.top
f123f.top
g123g.top
h123h.top
i123i.top
j123j.top
k123k.top
l123l.top
m123m.top
n123n.top
o123o.top
p123p.top
q123q.top
r123r.top
s123t.top
t123t.top
u123u.top
v123v.top
w123w.top
x123x.top
y123y.top
z123z.top

# Reference: https://twitter.com/ninoseki/status/1168498290859507713
# Reference: https://twitter.com/ninoseki/status/1168692529937567744

http://172.247.209.5
http://23.224.190.99

# Reference: https://twitter.com/ninoseki/status/1172412415834611713

myaccount-w.com

# Reference: https://twitter.com/NaomiSuzuki_/status/1174222105141010437

a234a.top
b234b.top
c234c.top
d234d.top
e234e.top
f234f.top
g234g.top
h234h.top
i234i.top
j234j.top
k234k.top
l234l.top
m234m.top
n234n.top
o234o.top
p234p.top
q234q.top
r234r.top
s234t.top
t234t.top
u234u.top
v234v.top
w234w.top
x234x.top
y234y.top
z234z.top

# Reference: https://twitter.com/NaomiSuzuki_/status/1177142538022477824

a345a.top
b345b.top
c345c.top
d345d.top
e345e.top
f345f.top
g345g.top
h345h.top
i345i.top
j345j.top
k345k.top
l345l.top
m345m.top
n345n.top
o345o.top
p345p.top
q345q.top
r345r.top
s345t.top
t345t.top
u345u.top
v345v.top
w345w.top
x345x.top
y345y.top
z345z.top

# Reference: https://twitter.com/NaomiSuzuki_/status/1185808968980938752

a456a.top
b456b.top
c456c.top
d456d.top
e456e.top
f456f.top
g456g.top
h456h.top
i456i.top
j456j.top
k456k.top
l456l.top
m456m.top
n456n.top
o456o.top
p456p.top
q456q.top
r456r.top
s456t.top
t456t.top
u456u.top
v456v.top
w456w.top
x456x.top
y456y.top
z456z.top

# Reference: https://twitter.com/NaomiSuzuki_/status/1189438789845782529

a567a.top
b567b.top
c567c.top
d567d.top
e567e.top
f567f.top
g567g.top
h567h.top
i567i.top
j567j.top
k567k.top
l567l.top
m567m.top
n567n.top
o567o.top
p567p.top
q567q.top
r567r.top
s567t.top
t567t.top
u567u.top
v567v.top
w567w.top
x567x.top
y567y.top
z567z.top
a678a.top
b678b.top
c678c.top
d678d.top
e678e.top
f678f.top
g678g.top
h678h.top
i678i.top
j678j.top
k678k.top
l678l.top
m678m.top
n678n.top
o678o.top
p678p.top
q678q.top
r678r.top
s678t.top
t678t.top
u678u.top
v678v.top
w678w.top
x678x.top
y678y.top
z678z.top
a789a.top
b789b.top
c789c.top
d789d.top
e789e.top
f789f.top
g789g.top
h789h.top
i789i.top
j789j.top
k789k.top
l789l.top
m789m.top
n789n.top
o789o.top
p789p.top
q789q.top
r789r.top
s789t.top
t789t.top
u789u.top
v789v.top
w789w.top
x789x.top
y789y.top
z789z.top

# Reference: https://twitter.com/NaomiSuzuki_/status/1181460727422275584

pkn3.com
yas89.com

# Reference: https://twitter.com/papa_anniekey/status/1183609041374703616

appp.men

# Reference: https://twitter.com/NaomiSuzuki_/status/1187619101914451968

kma28.com

# Reference: https://twitter.com/NaomiSuzuki_/status/1188356983881007104

cmp357.com

# Generic trails (regular expressions covering the recurring brand-impersonation domain patterns listed above)

^[a-z]{1}\-[a-z]{1,3}\.top$
^[a-z]{2}\-[a-z]{2,3}\.top$
www\.[a-z]{1}\-[a-z]{1,3}\.top
www\.[a-z]{2}\-[a-z]{2,3}\.top
apple\-icloud\.[a-z]{3}\-japan\.com
jppost\-[a-z]{2,}\.(co|com|top)
nittsu\-[a-z]{2,}\.(com|top)
mailsa\-[a-z]{2,}\.(com|top)
sagawa\-[a-z]{2,}\.(cn|com|top)
yamato\-[a-z]{2,}\.(com|top)
myau\-[a-z]{2,}\.com

# APK trails (URL paths of the Android package files)

/DHL_Paket.apk
/jppost.apk
/sagawa.apk
/sguard.apk
/smartcat.apk
/chrome1.0.7.apk
/yamato.apk
