# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: smokedham

# Reference: https://medium.com/trac-labs/who-ordered-the-smokedham-backdoor-delicacies-in-the-wild-87f51e2e5bd2
# BANNER_0_HASH-HOST=0173bce3e88196b60c3015daf93f5ade
# BANNER_0_HASH-HOST=0ed538720824ecb68a7fb67c35f596d0
# BANNER_0_HASH-HOST=10e4e20e68955859b4eef28a47ca37bf
# BANNER_0_HASH-HOST=1b897b2241e500989cf1c986ff951f4a

cdn-server-1.xiren77418.workers.dev
cdn-server-2.wesoc40288.workers.dev
cdn-server-full.taros12579.workers.dev
cdn-web-server1.techserver01.workers.dev
cdn1.cowivat156.workers.dev
cdn1.poyag17470.workers.dev
crimson-unit-2561.kopis56799.workers.dev
dash-server.servertech03.workers.dev
ec2-server-noisy-band-0fe8.focapaj280.workers.dev
server-cd2.bipewi2747.workers.dev
server-cdn.jawigaw383.workers.dev
server-cdn.lafise2419.workers.dev
server-cdn.lecoc56350.workers.dev
server-cdn.sidoke9822.workers.dev
server-cdn.virej10913.workers.dev
server-cdn.xohahey822.workers.dev
server-web-cdn.detocim498.workers.dev
server-web-cdn.kagoli5215.workers.dev
server-web-cdn.nefixeg373.workers.dev
server-web-cdn.pixece7948.workers.dev
server-web-cdn.rojotoc516.workers.dev
server-web-cdn.vosax32455.workers.dev
server-web.sasex59966.workers.dev
soft-base-01.ginigiy117.workers.dev
soft-dns.sejilod748.workers.dev
web-app.larij21770.workers.dev
work-server-1.picalob750.workers.dev

# Reference: https://gist.github.com/drb-ra/179e8e9beca45bc10feba97cf8c5c7b1

app-cdn.celixi6266.workers.dev
cdn-app-server.vewojo9572.workers.dev
cdn-app-web.piniyi9484.workers.dev
ec2-app.lewoha7320.workers.dev
ec2-server.bayaj19162.workers.dev
ec2-server.gegodec527.workers.dev
ec2-server.milago3967.workers.dev
floral-paper-8eb1.pihara4672.workers.dev
keystore-explorer.com
mstore.framfarmers.co.uk
server-web-cdn.dones86497.workers.dev
server-web-cdn.mevame4224.workers.dev
server-web-cdn.ravebo3233.workers.dev
server-web-cdn.yevobod379.workers.dev
server-web-cdn1.gekod80409.workers.dev
web-app.dasik14289.workers.dev

# Reference: https://x.com/SquiblydooBlog/status/1993311260512075967
# Reference: https://app.any.run/tasks/a9391be5-4e71-4a95-9072-477f8afd906f/

bapiyat727.workers.dev
pofelal314.workers.dev
app.pofelal314.workers.dev
ssl.bapiyat727.workers.dev

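# Note: most names in this block imitate legitimate admin/database tools (RVTools, DBeaver, HeidiSQL,
# Beekeeper Studio, Nmap), so a hit presumably means a lookalike download site was visited - confirm
# against the references. Hosts on shared platforms (azurefd.net, hostkey.in) are listed as full
# hostnames and must not be widened to the platform suffix.
# Reference: https://x.com/g0njxa/status/2010485906466394343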
# Reference: https://x.com/g0njxa/status/2027082406847709524
# Reference: https://www.virustotal.com/gui/file/cbbe98e1b36eb68a7afe534c21055f9cc793c2a6a7ca63256d273020a096f7a7/detection
# Reference: https://www.virustotal.com/gui/file/30427b6732fea64c2cdc0b40c19695902f2bdea5f87dab16b4082bb3cf208557/detection
# BANNER_0_HASH-HOST=09dcb64ff33900abe8a52e527f81ffdd
# BANNER_0_HASH-HOST=272b145c05fa9de8e0d197dddab7d796
# BANNER_0_HASH-HOST=72aafbb72ed15fbfdfbd422cefc88bee
# BANNER_0_HASH-HOST=ec6f4705aac9ddc742662eb4ab2435ff
# FAVICON_HASH-HOST=72a8c7c419ad3849201c65c977dbc4c6

beekeeperstudio-db.com
beekeeperstudio.cc
beekeeperstudio.co
beekeeperstudio.pro
beekeeperstudio.space
beekeeperstudio.tech
computerservicesource.com
database-lists.com
dbeaver-database.app
dbeaver-database.cc
dbeaver-database.cloud
dbeaver-database.co
dbeaver-database.com
dbeaver-database.org
dbeaver-database.pro
dbeaver-database.tech
dbeaver-database.us
deguercuernavaca.mx
harnetsecuriity.com
harnetsecurity.com
heidisql-enterprise.app
heidisql-enterprise.cc
heidisql-enterprise.cloud
heidisql-enterprise.co
heidisql-enterprise.com
heidisql-enterprise.ltd
heidisql-enterprise.org
heidisql-enterprise.pro
heidisql-enterprise.tech
heidisql-enterprise.us
heidisql.space
hornetsecuety.com
hornetseculty.com
hornetsecurety.com
hornetsecurty.com
hornetsecuty.com
horpetsecurity.com
nmap.space
rv-tools.eu
rv-tools.info
rvtoo1s.com
rvtoolaca.com
rvtoolaca.online
rvtoolacs.com
rvtoolas.com
rvtoolc.info
rvtooles.com
rvtooles.info
rvtooli.info
rvtoolis.com
rvtoolit.com
rvtoolls.info
rvtoollsa.com
rvtoollsi.com
rvtools-dev.com
rvtools-skillcamp.com
rvtools.link
rvtoolsac.com
rvtoolsacad.com
rvtoolsacs.com
rvtoolsai.com
rvtoolsax.com
rvtoolsbox.com
rvtoolse.info
rvtoolsed.com
rvtoolsen.com
rvtoolses.com
rvtoolseu.com
rvtoolsgo.com
rvtoolshq.com
rvtoolsi.info
rvtoolsio.com
rvtoolsit.com
rvtoolsl.com
rvtoolslab.com
rvtoolsmax.com
rvtoolsnet.com
rvtoolsnow.com
rvtoolsnt.com
rvtoolso.com
rvtoolson.com
rvtoolson.info
rvtoolsone.com
rvtoolspro.com
rvtoolspro.info
rvtoolspro.online
rvtoolsrun.com
rvtoolss.com
rvtoolsuk.com
rvtoolsun.com
rvtoolsup.com
rvtoolsus.com
rvtoolsusa.com
rvtootsacad.com
rvtouls.com
rvvtools.com
softwarep2p.com
vchekac.com
vchekacad.com
vmback.com
vmbacku.com
vmbackups.com
vmsbackup.com
vmware-rvtools.app
vmware-rvtools.cc
vmware-rvtools.cloud
vmware-rvtools.com
vmware-rvtools.ltd
vmware-rvtools.org
vmware-rvtools.pro
vmware-rvtools.tech
vmware-rvtools.us
vmwarevelocity.com
workbenche.com
workbencn.com
workbenech.com
workbeneh.com
aapanel34768.hostkey.in
app-cdn-software-gza4gebuf3cqd8h6.z03.azurefd.net
beekeeperstudio.softwarep2p.com
dbeaver.softwarep2p.com
download.rvtools-dev.com
download.rvtools-skillcamp.com
heidisql.database-lists.com
nmap.softwarep2p.com
rustore.rvtouls.com
rvtools.softwarep2p.com
rvtools.vmwarevelocity.com
update.rvtouls.com
update.rvvtools.com

# Reference: https://x.com/goldenjackel12/status/2013877434421072187
# Reference: https://www.virustotal.com/gui/file/3ebc0df2b92a39d1fb4491b7aaf6996425214ebe85e6243f443f1db087172f27/detection

groover.workers.dev
etherial.groover.workers.dev

# Reference: https://x.com/g0njxa/status/2031034087801012435

horizon-client-download.com
remote-console-vmware.com
rvtools-app.com
rvtools-cloud.com
rvtools-dell.com
rvtools-download-dell.com
rvtools-enterprise.com
rvtools-install.com
rvtools-inventory.com
rvtools-kit.com
rvtools-official.com
rvtools-vmware.com
rvtools-vsphere.com
vmware-programs.com
vmware-remote-console.com
vmware-vsphere.com
vmwarevsphere.com
vsphere-client.com
vsphere-client.org

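# Reference: https://research.cert.orangecyberdefense.com/smokedham/smoking_out_an_affiliate.pdf
# Reference: https://github.com/cert-orangecyberdefense/cti/blob/main/smokedham/iocs
# Note: vmback.com, vmbacku.com, vmbackups.com and vmsbackup.com in this block repeat entries already
# listed in the g0njxa block above; one copy is enough. Several workers.dev entries appear both as an
# account name (e.g. kaxij51156.workers.dev) and as a worker under it; if the consumer matches on
# parent domains, the account entry already covers every worker of that account.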

angryipa.com
angryipac.com
angryipac.net
angryipsc.com
dbforges.com
devartc.com
devartes.com
devartos.com
devartq.com
devartsi.com
devolutions-rdm.com
devolutions.space
diskqenios.com
elasticsa.com
elasticse.com
elasticso.com
eliasic.com
emcocoftvare.com
emcosoftwr.com
feleasofit.com
feleasot.com
felenasofts.com
felenasoftse.com
ispyconect.com
ivms-4200.com
kibanal.com
robwaree.net
robwares.com
royaiapps.com
royaiaps.com
rv-tool.net
rv-toolls.com
rv-toolsa.com
rv-toolso.com
rvtoo1.com
rvtooik.com
rvtoois.com
rvtoolacs.online
rvtoole.com
rvtoolik.com
rvtoolsaq.com
rvtoolsme.com
rvtoolsv.com
rvtoolsz.com
rvtoolvm.com
rvtoolze.com
rvtootsad.com
s3bravser.com
s3brawser.com
s3brovser.com
s3brovvser.com
spyconect.com
thumaas.com
thumaos.com
vmback.com
vmbacku.com
vmbackups.com
vmsbackup.com
aapanel116864.hostkey.in
fastpanel116864.hostkey.in
admin.rvtoolacs.online
api.rvtoolacs.online
cdn-ae.azureedge.net
dev.rvtoolacs.online
server-software.azureedge.net
server-software-cdn.azureedge.net
za.rvtoolvm.com
08f0.proxy-edge-c5f.workers.dev
alert-router-b3a.workers.dev
api-gateway-a3f.workers.dev
app.sync-engine-d8b.workers.dev
calm-haze-cdae.test-runner-4b7.workers.dev
daniel-foster.workers.dev
dark-bar-d282.nina-alvarez.workers.dev
data-pipeline-9e4.workers.dev
db-proxy-9b2.daniel-foster.workers.dev
deram71445.workers.dev
dev-web-serv.noroho5002.workers.dev
dev1-server.sogal69343.workers.dev
disk-7133.identity-svc-9mz.workers.dev
divine-glitter-cfb4.elena-morales.workers.dev
edge-proxy-7kx.workers.dev
elena-morales.workers.dev
floral-grass-3c6f.cowivat156.workers.dev
identity-svc-9mz.workers.dev
ingress-ctrl-7c9.workers.dev
kaxij51156.workers.dev
kegemom113.workers.dev
little-frog-2e65.kaxij51156.workers.dev
lively-37b6.edge-proxy-7kx.workers.dev
log-ingest-f1d.nina-alvarez.workers.dev
mayisi1259.workers.dev
mud.alert-router-b3a.workers.dev
nina-alvarez.workers.dev
noroho5002.workers.dev
proxy-edge-c5f.workers.dev
rapid.data-pipeline-9e4.workers.dev
rem-cdn-server.mayisi1259.workers.dev
scan-engine-a2d.workers.dev
server-web-cdn.kegemom113.workers.dev
sogal69343.workers.dev
square-wave-65dd.api-gateway-a3f.workers.dev
sunset.vault-proxy-5d3.workers.dev
sync-engine-d8b.workers.dev
test-runner-4b7.workers.dev
vault-proxy-5d3.workers.dev
webapp.ingress-ctrl-7c9.workers.dev
webapp.scan-engine-a2d.workers.dev
young-tooth-5980.deram71445.workers.dev
