# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://securelist.com/muddywater/88059/

adibf.ae/wp-includes/js/main.php
benangin.com/wp-includes/widgets/main.php
ektamservis.com/includes/main.php
gtme.ae/font-awesome/css/main.php
hubinasia.com/wp-includes/widgets/main.php
www.adfg.ae/wp-includes/widgets/main.php
www.cankayasrc.com/style/js/main.php

# Reference: https://fortiguard.com/resources/threat-brief/2018/10/12/fortiguard-threat-intelligence-brief-october-12-2018

alibabacloud.dynamic-dns.net
alibabacloud.wikaba.com
alibabacloud.zzux.com
microsoftofice.zyns.com
microword.itemdb.com
moffice.mrface.com
muonline.dns04.com
office.otzo.com
offlce.dnset.com
online.ezua.com
muhacirder.com
muteciyar.info

# Reference: https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/

3cbc.net/dropbox/icon.icon
pazazta.com/app/icon.png
ohe.ie/cli/icon.png
ohe.ie/cp/icon.png
andreabelfi.com/main.php
andreasiegl.com/main.php
andresocana.com/main.php
amorenvena.com/main.php
amphira.com/main.php
amphibiblechurch.com/main.php

# Reference: https://twitter.com/360TIC/status/1108616188173520896
# Reference: https://otx.alienvault.com/pulse/5c939fbb22017040b7e47be4/

/serverScript/clientFrontLine/getCommand.php
/serverScript/clientFrontLine/helloServer.php
/serverScript/clientFrontLine/setCommandResult.php

# Reference: https://twitter.com/360TIC/status/1081080752438009856

getgooogle.hopto.org
shopcloths.ddns.net

# Reference: https://twitter.com/blackorbird/status/1072314411849797632
# Reference: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
# Reference: https://twitter.com/blackorbird/status/1070911385368809472

ankara24saatacikcicekci.com

# Reference: https://twitter.com/HONKONE_K/status/1115513990594084864

tfu.ae/readme.txt

# Reference: https://otx.alienvault.com/pulse/5caf93777439561cb57d0e2c

googleads.hopto.org
orbe-fzc.com

# Reference: https://research.checkpoint.com/the-muddy-waters-of-apt-attacks/

http://185.117.75.116/tmp.php

# Reference: https://twitter.com/VK_Intel/status/1117673303332667392

http://185.162.235.182

# Reference: https://otx.alienvault.com/pulse/5cb4b3944f62ba0873339ee1

46.105.84.146:443

# Reference: https://twitter.com/HONKONE_K/status/1118406086925504512
# Reference: https://twitter.com/360TIC/status/1118430258451976192

plet.dk/css/
134.19.215.3:443

# Reference: https://twitter.com/ClearskySec/status/1118511605359304705
# Reference: https://app.any.run/tasks/17706fbe-8ac5-45df-b489-c766514cbe0a

http://185.185.25.175/tr.php

# Reference: https://securelist.com/muddywaters-arsenal/90659/

78.129.222.56:8090 # LisfonService RAT
192.64.86.174:8980 # Python RAT
104.237.233.38:8085 # SSH Python script
104.237.233.40:7070 # Other stuff
78.129.139.134:8080
