# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: castlebot, castleloader, castlerat, castlestealer, tag-150

# Reference: https://x.com/JAMESWT_WT/status/1958947921598062796
# Reference: https://www.virustotal.com/gui/file/f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be/detection

programsbookss.com

# Reference: https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2
# Reference: https://raw.githubusercontent.com/eSentire/iocs/refs/heads/main/Nightshade/Nightshade-IoCs-09-01-2025.txt

102.135.95.102:33336
102.135.95.102:33337
102.135.95.102:7777
104.225.129.171:33336
104.225.129.171:33337
104.225.129.171:7777
107.158.128.45:33336
107.158.128.45:33337
107.158.128.45:7777
107.158.128.90:33336
107.158.128.90:33337
107.158.128.90:7777
170.130.165.28:33336
170.130.165.28:33337
170.130.165.28:7777
173.232.146.90:33336
173.232.146.90:33337
173.232.146.90:7777
178.17.57.102:33336
178.17.57.102:33337
178.17.57.102:7777
180.178.122.131:33336
180.178.122.131:33337
180.178.122.131:7777
180.178.189.17:33336
180.178.189.17:33337
180.178.189.17:7777
185.149.146.118:33336
185.149.146.118:33337
185.149.146.118:7777
185.149.146.1:33336
185.149.146.1:33337
185.149.146.1:7777
185.208.158.250:33336
185.208.158.250:33337
185.208.158.250:7777
195.201.108.189:33336
195.201.108.189:33337
195.201.108.189:7777
34.72.90.40:33336
34.72.90.40:33337
34.72.90.40:7777
45.11.180.174:33336
45.11.180.174:33337
45.11.180.174:7777
45.61.136.81:33336
45.61.136.81:33337
45.61.136.81:7777
5.35.44.176:33336
5.35.44.176:33337
5.35.44.176:7777
64.52.80.82:33336
64.52.80.82:33337
64.52.80.82:7777
77.238.241.203:33336
77.238.241.203:33337
77.238.241.203:7777
79.132.130.142:33336
79.132.130.142:33337
79.132.130.142:7777
91.202.233.132:33336
91.202.233.132:33337
91.202.233.132:7777
91.202.233.250:33336
91.202.233.250:33337
91.202.233.250:7777
91.202.233.251:33336
91.202.233.251:33337
91.202.233.251:7777
94.141.122.164:33336
94.141.122.164:33337
94.141.122.164:7777
tdbfvgwe456yt.com

# Reference: https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations

http://178.17.57.102
http://45.61.136.81
http://91.202.233.250
104.225.129.171:443
144.208.126.50:443
185.125.50.125:7777
185.196.10.8:7777
185.196.9.222:7777
185.196.9.80:7777
195.85.115.44:443
34.72.90.40:443
45.11.180.198:7777
45.144.53.62:7777
5.35.44.176:443
77.90.153.43:7777
79.132.131.200:7777
85.192.49.6:7777
87.120.93.167:7777
91.212.166.17:33334
teamsi.org
teamsio.com
teamsoftdigital.com

# Reference: https://x.com/PRODAFT/status/1948382357725024565
# Reference: https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview
# Reference: https://github.com/prodaft/malware-ioc/tree/master/CastleLoader
# Reference: https://www.virustotal.com/gui/file/05ecf871c7382b0c74e5bac267bb5d12446f52368bb1bfe5d2a4200d0f43c1d8/detection
# Reference: https://www.virustotal.com/gui/file/31493e6366d3e7275a1e01937a4a18b27db8e5ef21bc21df666690d455f2acaf/detection
# Reference: https://www.virustotal.com/gui/file/0d7a46cedeb866930ebe808a596b44c5cf8941e448b4f8012018283ea55ec309/detection
# Reference: https://www.virustotal.com/gui/file/6e11ec22fd31d9eb4bd6060711dbd5d3c7c05bd7dfaa20daaee2c2c8a4dcf524/detection
# Reference: https://www.virustotal.com/gui/file/3329d3011f8f4c3df16230a1e6ed3ffe3c3cffaa7dadf0238eb6b011a659c84f/detection

http://173.44.141.89
185.39.19.165:5354
buzzedcompany.com
lekuvam.com
polarcompany.org
rinasalleh.com
teamsapi.net

# Reference: https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation
# Reference: https://www.virustotal.com/gui/file/3329d3011f8f4c3df16230a1e6ed3ffe3c3cffaa7dadf0238eb6b011a659c84f/detection
# Reference: https://www.virustotal.com/gui/file/f31e9ef8a59bacda22d8310750b91841878e1f398270676718d3a0b4949880a2/detection
# Reference: https://www.virustotal.com/gui/file/4cd0a2eb8662b5bdacf7f5db62827dd29a0c75d2b3b3f28eefb584e44a1ef2a5/detection

http://107.158.128.45
http://107.158.128.90
http://45.11.180.174
45.11.180.174:6666

# Reference: https://x.com/g0njxa/status/1980943290896630209
# BANNER_0_HASH-HOST=d5a7ef665ea2e5f9fd95ab665b149262

185-212-47-84.cprapid.com
45-11-183-165.cprapid.com
79.132.130.142.sslip.io
3vr3v3sdf.online
7hzhde.xyz
alafair.net
anotherproject.icu
baaredlead.com
bethschwier.com
campanyasoft.com
campuscedeco.ran.es
castlnetintel.com
cedeco.ran.es
chargerrlogistics.cam
cisco-webexxapp.xyz
criip.art
dperforms.info
estetic-online.com
ftroftrodro.top
funjobcollins.shop
gernlern.com
gghhjjkkuuywwfdf.space
higueruela.net
ippsadfx.icu
jeneeday.com
jeneeday.net
krefjkj.duckdns.org
lekuvam.com
loads.icu
loads.world
loadsplanning.com
megarstorei.store
mhousecreative.com
oldspicenotsogood.shop
oneyogasite.com
pittiadg.top
polarcompany.org
rinasalleh.com
shortstreet.net
st-hanbok.com
tattori.icu
vilaoaza.com
vvsgr.net
wereatwar.com

# Reference: https://x.com/drb_ra/status/1981031132247228884
# Reference: https://gist.github.com/drb-ra/ca579655912dd56acb2be6af301a55a9

107.158.128.26:443
170.130.165.201:443
172.86.90.58:443

# Reference: https://x.com/1ZRR4H/status/1986271204563452367
# Reference: https://www.linkedin.com/posts/jeromesegura_darkgate-malvertising-cometbrowser-activity-7383221467347476480-pVwV
# BANNER_0_HASH-HOST=490c066a6a6d63261339a7049fab6a86
# BANNER_0_HASH-HOST=d5a7ef665ea2e5f9fd95ab665b149262
# BODY_SHA1-HOST=e561b2cfc84bf7cd1443a6f5929c5e5a0e2c6b62

amnesiapidor.cfd
cometswift.com
digitaldoctor.uno
donttouchme.life
donttouchthisisuseless.icu
doyoureallyseeme.icu
dpeformse.com
fogverifer.us
icantseeyou.icu
nationnlahde.xyz
perplexity.page
protectedserversharedfile.com
rcpeformse.com
roject0.com
shareddirectprotected.com
sharedprotectedfileme.com
sharedprotectedmefile.xyz
sharedprotectedsharedfile.xyz
sharedriveprotected.com
speatly.com
touchmeplease.icu
vengermsk.icu
vpn847931076.softether.net

# Reference: https://x.com/1ZRR4H/status/1986271204563452367

castlppwnd.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-11-08)

http://107.158.128.26
http://170.130.165.201
http://172.86.90.58
45.134.26.69:443

# Reference: https://www.virustotal.com/gui/file/27f24adab8c696069e22233860851dd8654a846700483f6c4a9a8aa05f1b27db/detection
# Reference: https://www.virustotal.com/gui/file/7e5854134a25286ed9e94f0848127731bf3c78def80cb750b34f31f7b917435e/detection
# Reference: https://www.virustotal.com/gui/file/c99c06b15f4adc05f22ccd69ec0b34cdc9974b8b223c7db5a87eb912a1b52cbb/detection

185.121.234.141:443

# Reference: https://x.com/malwrhunterteam/status/1990726475394207815
# Reference: https://www.virustotal.com/gui/file/ea008ca5c04cb56a47b785609a0045f5ac0af82378f2dd097ba781feae921b2d/detection
# Reference: https://www.virustotal.com/gui/file/d1e661844e46ea11ac9169f7e71253a02db279b6bef4c6ffe144d298ca8db917/detection
# TITLE-HOST=Download Sphere Installer

178.16.54.229:18191
185.177.239.92:443
xyz-ai.org
testwha.duckdns.org

# Reference: https://infosec.exchange/@netresec/115581320305095154
# Reference: https://www.virustotal.com/gui/file/adc2e9487e182672fc2a30783130162754e92b173800563bc34a275125a5e3b1/detection
# Reference: https://www.virustotal.com/gui/file/fa354cf29852573669bc468ea2dac0ea5e83a943315466c89dd8634b38cdb261/detection

cloudyape.com
finger.cloudyape.com

# Reference: https://x.com/SquiblydooBlog/status/2012146887680299303
# Reference: https://www.virustotal.com/gui/file/164421af114cb376d86e8c28d1b3749a3dbfa12328e928c22735930ff200aa28/detection
# BANNER_0_HASH-HOST=85ca83ae608dda69a48d744b392a6a01

144-31-191-35.cprapid.com
70-34-250-104.cpanel.site
84.200.192.206.sslip.io
autodiscover.creative-aqua-panther.70-34-250-104.cpanel.site
babayaga.icu
catalyst-ltd.net
cpanel.creative-aqua-panther.70-34-250-104.cpanel.site
cpcalendars.creative-aqua-panther.70-34-250-104.cpanel.site
cpcontacts.creative-aqua-panther.70-34-250-104.cpanel.site
creative-aqua-panther.70-34-250-104.cpanel.site
dallasgeneratorshop.com
damionta.com
dapala.net
dmtn-tv.net
domiannoname.bond
franksinatra.icu
gamebassok.icu
godblessaids.com
idrci.net
itlonspark.us
kilagogo.com
killianvoice.icu
koshei.icu
louisarmstrong.icu
mail.creative-aqua-panther.70-34-250-104.cpanel.site
mech-sequences.mechdna.net
mindspring.baby
mirtona.com
mtg-life.net
nineteenthirtyone.com
oblionts.com
old.nineteenthirtyone.com
ontartiss.com
ordermypussy.com
os-marketplace.com
postoconel.com
qlince.net
redirection-mr.com
soundmusic.baby
strangury.icu
test.account.nmakes.ai
totpwilth.com
tridontoq.com
truster.cc
veisteria.com
vpn.dx30.ru
webdisk.creative-aqua-panther.70-34-250-104.cpanel.site
webmail.creative-aqua-panther.70-34-250-104.cpanel.site
willgefle.com
willthecool.com
wordpress.mindspring.baby
wordpress.soundmusic.baby
zorroworms.mooo.com

# Reference: https://x.com/skocherhan/status/2019247676626190688

213-209-150-229.plesk.page
365bank-obnovy.com
365postovaobnovit.info
365renew.com
accessfiix-pak.com
aissaleptit.com
ananeono-netfilx.com
azuriranjenetfilx.com
bancochile-info.com
bancodechile-secure.com
bank365postova.com
clever-brahmagupta.213-209-150-229.plesk.page
deliverypk-info.com
forny-sundhedskort.com
idalpha-bnk.com
idhblpak.com
info365-postova.com
intesasp-info.com
isporuka-info.com
maltapostrack.com
mbh-renewal.com
megujitani-szamla.com
moncolis-relai.com
monsuivi-mrelay.com
mooneyit-info.com
myhermes-packet.com
neak-megujitani.com
netfiixpt-renewai.com
netfilx-megujitani.com
netfilxcr-renewai.com
netfilxmx-renewal.com
netfilxobnoviti.com
netfilxrs-renewai.com
obnovinalog.com
obnovitinetfilx.com
obnovy365banka.com
obnovypoistenca.com
obnovypostova365.com
pakfines-gov.com
pakpostrack.info
paktracking.com
payment-pkfines.com
pkpost-fast.com
postova365-info.com
postova365info.com
rendorsegportai-fizetes.com
renew365postova.com
renewai-sub.com
renewaipi.com
renewflix-pak.com
renewnetfilx.com
renewpostova365.com
sftp.sagargolf.com
smb.sagargolf.com
suivicolis-2025.com
szallitas-informacio.com
ultrafastcore.pro
umprogrammierung-paket.com
upsinfo-paquete.com
usernet-fiokot.info
usernet-fornya.com
usernet-frissites.com
usernet-pak.com
usernet-renovar.com
userpost-kaz.com
usrntsg.com
vubanka-idp.com
zse-obnovit.com
zse-obnovy.com
zse-platba.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2026-02-28)

152.53.82.239:3003
78.153.155.131:2096
78.153.155.131:8069

# Reference: https://x.com/malwrhunterteam/status/1987867312871936199
# Reference: https://www.virustotal.com/gui/file/b01290e662a174d1747926c180036ce772dea2ca31d2998c6795631740d4fd2d/detection

192.241.240.15:79
cloudmega.org
ecm-ip.com
finger.cloudmega.org

# Reference: https://x.com/FABO97662188/status/2028067290906767604
# BANNER_0_HASH-HOST=e57cefa10fb0981ae6bfe575f94d6f75
# BANNER_0_HASH-HOST=2a774b9d2f2224418f82c4b3fbf29d73
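# BANNER_0_HASH-HOST=6f6c17ef8302f90df0ef7156f0a0bea8
# NOTE(review): the hosts below appear to be pivot results for the banner hashes above rather than individually confirmed C2.
# A shared server banner can also match unrelated co-hosted sites, so corroborate a hit on a single name with other evidence before acting on it.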

170.130.165.40.sslip.io
1337.brightglaze.us
6n.meetingview.cfd
aadcdn.brightglaze.us
advath.meetingview.cfd
akamedmain.com
akameldak.com
akamemakake.com
akamenewlodak.com
akameseconddmain.com
apuanetflx.com
auth.meetingview.cfd
authpoint.usa.meetingview.cfd
autryjones.com
blogwissen.org
boosliaddayenro.click
brightglaze.us
buermeyer.eu
buermeyer.info
bvbvv.meetingview.cfd
bvn.meetingview.cfd
bvng.meetingview.cfd
clientflixapp-fr.com
crewlcrewlcrewl.com
crewldmainnew.com
crewllovekorps.com
digitaler-gewaltschutz.de
digitalergewaltschutz.de
dotfoods.meetingview.cfd
dritter-senat.de
elgatoconnect.com
evealexnunu.com
fair-trial.eu
florian-weber.info
funkzellenabfrage.at
funkzellenabfrage.ch
funkzellenabfrage.com
funkzellenabfrage.de
funkzellenabfrage.eu
funkzellenabfrage.net
funkzellenabfrage.org
fza-berlin.de
gabesworld.com
gemeinsam-ins-theater.de
gfc.meetingview.cfd
gff.legal
gff.social
gff.world
gfgfg.meetingview.cfd
goalie.meetingview.cfd
goldappinstock.com
grundrechte.net
hateaway.eu
hateaway.net
hateaway.org
heirfolioguide.com
hivemindeds.com
hotspotter.org
hrrs.de
hrrs.eu
id.meetingview.cfd
ieruslamindto.com
ip226.ip-51-81-161.us
iprserv.de
kicks-apps.gmbh
kicksapps.com
kicksapps.info
kicksapps.net
kicksapps.org
kulke.org
lage.social
lage.stream
lage.studio
lagedernation.com
lagedernation.net
lgberlin.de
liberty-litigation.org
litigation-alliance.org
live.brightglaze.us
makeup-dna.com
mapalarm.app
mapalarm.eu
meetingview.cfd
miteamss.com
mmn.meetingview.cfd
moncompte-securise.com
morgenlage.org
msfed.meetingview.cfd
nachalonachalo.com
nigol.meetingview.cfd
np.vu
o.meetingview.cfd
openstreets.eu
openstreets.fr
openstreets.io
opt-meli.info
outlook.brightglaze.us
palvelunetflx.com
pcrmp.online
podshows.at
podshows.ch
podshows.de
podshows.eu
podshows.net
podshows.org
podtours.at
podtours.ch
podtours.de
podtours.net
podtours.org
popopopopi.com
pos-fi-info.com
rueckschein.at
rueckschein.ch
rueckschein.com
rueckschein.eu
rueckschein.net
rueckschein.org
saymyname.me
sci.meetingview.cfd
secure.meetingview.cfd
smusxath.meetingview.cfd
snapmap.de
snapmap.info
sp.authpoint.usa.meetingview.cfd
staruxaproruha.com
stechlin.info
strategic-litigation.com
strategic-litigation.de
strategic-litigation.eu
strategic-litigation.info
strategic-litigation.net
strategic-litigation.org
strategische-prozesse.at
strategische-prozesse.ch
strategische-prozesse.com
strategische-prozesse.de
strategische-prozesse.eu
strategische-prozesse.info
strategische-prozesse.net
strategische-prozesse.org
strategische-prozessfuehrung.at
strategische-prozessfuehrung.ch
strategische-prozessfuehrung.com
strategische-prozessfuehrung.de
strategische-prozessfuehrung.eu
strategische-prozessfuehrung.info
strategische-prozessfuehrung.net
strategische-prozessfuehrung.org
subss.net
tdbfvgwe456yt.com
teamscloud.de
teamscloud.net
teamscloud.org
tryvaultsure.com
tukinetflx.com
tv-posfi.com
ulgroup.meetingview.cfd
usa.meetingview.cfd
vereinskonto.at
verfassungsbeschwerde.legal
verfassungsbeschwerde.net
verfassungsbeschwerde.org
vn3hg.meetingview.cfd
wesendahl.com
wesendahl.eu
wifispotter.de
wifispotter.org
x.tlpoe.com
xquirehdfh.meetingview.cfd
yojyojyoyo.com
ywnjb.meetingview.cfd
zolotoylodak.com

# Reference: https://x.com/k3yp0d/status/2028417699206857158
# Reference: https://www.virustotal.com/gui/file/a8c380b57cb7c381ca6ba845bd7af7333f52ee4dc4e935e98b48bb81facad72b/detection
# BANNER_0_HASH-HOST=1a5c568e66fd076abaf546e4fe68a23a

3muajf.datong163.com
444.datong163.com
4444.datong163.com
555.datong163.com
72.tiaozhuanma.com
8kiy269.datong163.com
aa.datong163.com
ai-like.net
awee.site
b3b3b3.datong163.com
b4.datong163.com
b4b4b4b4.datong163.com
b8.datong163.com
b8b8b8.datong163.com
bb.datong163.com
bestfriendshoop.com
bestporcheservice.com
bmwandretailshop.com
bokjojo.com
boxic.org
briskbeverage.com
c3c3.datong163.com
c8c8c8c8.datong163.com
c9c9.datong163.com
cnvjl1.cn
coinbaseapistatus.com
confirmationporscheadkvmc.com
cz.ledgeranswers.com
d.datong163.com
d2d2d2d2.datong163.com
d4d4d4d4.datong163.com
d7.datong163.com
datong163.com
domawe.net
donttouchpleasemodaf.com
e2e2e2.datong163.com
e5.datong163.com
e6e6.datong163.com
e9e9.datong163.com
eeee.datong163.com
exsi.top
f7f7.datong163.com
fc521.top
floridacambolashop.com
fntausd.datong163.com
globalzoology.org
grtrip.org
h5h5.datong163.com
handglove.site
hogjj.com
home.xiaomoerp.com
houstonshopglasses.com
huanxin.city
hw2f.datong163.com
hylll.club
i8i8i8.datong163.com
ihavenoidea.online
iii.datong163.com
j5.datong163.com
jgergregtew.awee.site
jiangsu.datong163.com
jianling.me
jkr.datong163.com
keranshobin.work
kkk.datong163.com
kkkk.datong163.com
lbosb7g.datong163.com
ledgeranswers.com
lll.datong163.com
lzv.cc
m.jianling.me
m3.datong163.com
m9r7t.datong163.com
mpfes.datong163.com
msncui.jianling.me
mysd122.datong163.com
nekjojo.com
nnnn.datong163.com
nyvionly.com
o3o3o3o3.datong163.com
o4o4o4o4.datong163.com
o5o5o5.datong163.com
o5o5o5o5.datong163.com
o8.datong163.com
p.datong163.com
p2p2.datong163.com
p6p6p6p6.datong163.com
pijuw.mobi
pppp.datong163.com
prokloneksl.com
proklthree.com
prokltwoo.com
q2.datong163.com
q3q3q3.datong163.com
q8.datong163.com
qqq.datong163.com
qryfg.datong163.com
reviewmanualdomain.com
shoptexasrealcomputer.com
shopretailbmw.com
sinjim.net
smprgd.datong163.com
sr5.datong163.com
t.datong163.com
t5.datong163.com
t5t5t5.datong163.com
tggwfe.datong163.com
tianchuang.xin
trezorwalletcare.com
u5u5u5.datong163.com
u7u7u7u7.datong163.com
uu.datong163.com
v1.datong163.com
v3v3.datong163.com
v5v5v5.datong163.com
vpn.ihavenoidea.online
w.jianling.me
w5w5w5.datong163.com
wss.aisproxy.com
www.awee.site
xian.datong163.com
xiaomoerp.com
y.datong163.com
y7l.datong163.com
yaami.org
z5.datong163.com
z5f2.datong163.com
zechen.ink
zhanyou.fun

# Reference: https://x.com/blackorbird/status/2032101653470724117
# Reference: https://www.threatdown.com/blog/castlerat-cyber-attack-is-the-first-to-abuse-deno-javascript-runtime-to-evade-enterprise-security/
# Reference: https://www.virustotal.com/gui/file/1fd01d13d9ef5463bd7ca0e6f72df806fa684d0bf49ba927aa5432f7a7ad4f02/detection

http://172.86.123.222
23.94.145.120:9999
1-apaylo.com
1stlosstrading.com
78-153-140-17.cprapid.com
9jaarenaxtra.com
a6.appstartlabs.com
aabq.info
aabstone.com
abum.info
abzs.info
acaringtouchseniorservice.com
accountingandfinancejobs.com
acube-contract.com
ad633dfa41b3a8465b7f195bf5b185a2.appliancerefrigeration.co.za
ager-stp.org
ahdaratlegalservices.com
almanastar.com
api-gateway-prod.com
api-gateway-softupdate.io
api.hayesmed.com
app.hayesmed.com
appistartes.com
appstartlabs.com
articlehaul.com
atagkeukentechniek.com
audvidfisher.com
aurekh.com
babao.info
bammi.info
bdstop.net
breakbulkconf.com
bugdroid.xyz
bullabs.info
carkva.info
carsaggregator.com
catalog-telegram.com
cerumo.shop
charlyetmax.com
citamx-online.com
citamxpass.com
citamxpass.social
codeframe.digital
codexa.best
cpcontacts.appstartlabs.com
d3691308f2a4c2f6983f2880d32e29c84.everest-hcg.com
databui.cfd
depretory.com
detailingoff.com
devarch.sbs
devsdiamonds.com
dmors.com
doclinebox.com
dreambigworkharddomore.com
dssence.net
egyptinfo.shop
ersh.info
essayajewelry.com
exteddex.com
fluxnet.life
gateway001kir.com
globalwork.best
go.citamxpass.com
go.tramites-mexico.net
gobmx-online.com
goonus.xyz
gooogle.today
hayesmed.com
honorai.com
imata.info
interactiveportraits.com
ip55.ip-135-125-255.eu
ipkdh.com
islat.info
ivyz.info
jariosos.com
jkershaw.info
kadmecnp-643laolmd.com
keyiwl.info
koleknor.com
laishishi.com
lbimuseum.org
lepaniermagic.com
luminer.work
lwsirxr.info
maslovdisign.com
masoretgames.com
mastluner.club
mbml-writer-info.info
mecmatica.digital
microsoft-tools.com
millersteel.digital
mmdis-worls.com
mwsiik.info
myloyaldoggy.com
mymarathilearning.com
mymexico.social
mysoretgames.club
mytkart.com
nastilka.com
ncdxbk.com
ncwlwtd.info
nevv-mmc.com
new--mmc.com
northcroft.digital
nuvilifeglobal.com
oirac.info
oqsxv.info
orkneygateway.com
owab.info
pagedit.shop
pass.gooogle.today
perrine90-deltajohnsons.com
pinimg.ru
pkrou.info
pmkdds.info
publisherresolution.com
remnett.shop
rencaihuainan.com
scooplacrosse.com
searchmscon.com
seoanalitics.marketing
ses6.getsdeal.com
shaavrty.xyz
shape-paiement.com
sistemablackatz.com
skob.info
solidactivate.com
sslgateway001.com
syhmen.com
sysora.life
tel.orkneygateway.com
tokio-sallys.net
tramites-mexico.net
tramites.today
tranzed.org
twicegrand.com
tyspnnx.info
uipvme.info
uktaxiservice.com
uohiu.info
vehu.info
vmgarage.work
vstoki.com
wideresearcher.com
www-zinia-consumers.tenacityprop.co.za
www-zinia-customer.filipintoucheu.eu
www-ziniacuonsumer.pouipoer.com
www-ziniastumers.bazfalao.com
yourboggbag.us
youtuberu.lol
zoomnutrition.appstartlabs.com

# Reference: https://x.com/SquiblydooBlog/status/2044931586701881839
# Reference: https://www.virustotal.com/gui/file/62a6e64a7233f4a756d01c54840ff703a620a416929d57eebc0bdac3b9ed2019/detection
# Reference: https://www.virustotal.com/gui/file/001a10b946d41f8794c110f97cd46b961fea0c0d50c92efaef1d166adaffe8b8/detection
# Reference: https://www.virustotal.com/gui/file/5a5563568c7e2dbb8a1657483fa886353f10aa39bfea3c0c92633b19ae7378ba/detection
# Reference: https://www.virustotal.com/gui/file/5f55c1e837b6fbe5d81d93983166f34f3471a7f20af28ff527b9f140a601ce2d/detection
# Reference: https://www.virustotal.com/gui/file/82ac2ceaa0ac18a96da9a1f21235282b6026d1c91d4f991bf66ad949026a2b5d/detection
# Reference: https://www.virustotal.com/gui/file/f8e78a1a7a6a6b6c40ad5f2d72d2eac1814af01efe96a13e4b9bf7dce2ed438f/detection
# Reference: https://www.virustotal.com/gui/file/56bca6e25247fa64f8cb0a865890cf719c6319f8d3c9bc008e24884203ab6283/detection
# BANNER_0_HASH-HOST=60a494f135a5ec8a07136fb2fb04b0de

139.60.162.23:6969
31.214.157.207:34068
159.100.22.71.sslip.io
170-130-165-179.cprapid.com
170-130-55-168.cprapid.com
173-44-141-13.cprapid.com
213.109.147.89.sslip.io
31-214-157-198.cprapid.com
1c.jinhuoye.mobi
2358i.cn
anixart.top
api.bugubugu.info
asve.fyi
atlantaprepair.com
autodiscover.thezxedvb.xyz
azarbaycancloud.com
bigondo.com
bitochekpervii.com
bmwservicebestik.com
bobjojo.com
brionter.com
bugubugu.info
cashbackcostco.us
closedtodayornever.icu
cnw2ty.cn
commingforte.com
dallasbaseproduct.com
dangeonbest.com
dfiflin.com
drefing.com
drefling.com
dsbadsf656563.site
dungershoptexas.com
eaglestatepetshop.com
fillenmore.com
fitprotrainer.giize.com
floridashopcomputergaming.com
gemdict.org
gerraka.com
gsrgsrheeee.online
hogll.com
hojoook.com
hotelmiranixongreg.com
ihealth365.mobi
imaginesmydomisn.click
imgfuab.com
imgfya.com
jinhuoye.mobi
johnmacroskgf.com
junyu168.com
jz.bugubugu.info
loadcons.com
logjojo.com
luchengtianxia.club
mazafakadadscomeone.com
modafabiches.info
mofakaniggas.info
monome.net
newmemorystarter.com
newpayerforhomies.com
osnovaksll.com
phallusingens.info
pixelloom.nl
qschou.club
qwxls.junyu168.com
running-snail.site
sgs33dedasfg.store
shopcoloradocambodjo.com
srv22248035.ultasrv.net
srv49063158.ultasrv.net
testing.sale
thezxedvb.xyz
totpwill.com
trindastal.com
vahmanstone.com
vip101.sefidclup.shop
vip199.sefidclup.shop
vpn.badizland.ir
vpn179866235.softether.net
wecolista.com
wetinola.com
wm4.dnssitting.ch
xoryndexal.space

# Reference: https://x.com/malwrhunterteam/status/2049068289607737541
# Reference: https://x.com/malwrhunterteam/status/2049069126254030995
# CERT_FINGERPRINT_SHA256-HOST=9341ae19d6f59eeed18481d24a13f0d34a320df32fc4880b5d7acdc9968d139e
# TITLE-HOST=Chopi — Monitoring Dashboard

70.34.205.43:3000
70.34.205.43:8080
fabolouspanels.xyz
paysolutions.ink
screenly.cam
xtrafftrck.net

# Reference: https://x.com/RussianPanda9xx/status/2049842468674326541
# Reference: https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
# Reference: https://www.virustotal.com/gui/file/55951c6983d6d82b7612d926de0bdac52e1712f151d8291f471f3c3bdba6ae19/detection

173.211.70.83:33185
38.146.28.30:22989
cheeshomireciple.com

# Generic (URL path fragments listed without a host)

/keya.bin?nocache=
/testa.bin?nocache=
