# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: bisonal, tonto
# NOTE(review): the 2020 Securelist write-up referenced at the end of this file
# attributes the updated backdoor to "CactusPete"; that name is not on the
# Aliases line above. Add it there if the loader keys alias names off that line.

# One indicator per line; '#' lines are comments. Plain entries are hostnames,
# entries starting with "http://" are URL trails. Many hostnames below are
# subdomains of shared dynamic-DNS providers (e.g. my-homeip.com, myfw.us,
# serveblog.net, bounceme.net, organiccrap.com) — alert/block on the listed
# FQDN only, never on the parent zone, or unrelated tenants will be flagged.

# Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/

euiro8966.organiccrap.com
games.my-homeip.com
jennifer998.lookin.at
kted56erhg.dynssl.com
hosting.tempors.com

# Reference: https://twitter.com/Vishnyak0v/status/1216689015035977730

etude.servemp3.com

# Reference: https://docs.google.com/spreadsheets/d/1lDzylI6Jymz7EE0agRVUsL3kwmJSRDjXYjr5l5MUOEk/edit#gid=127522608 (# Bisonal)

svyaztulaya.dynamic-dns.net
uacmoscow.com

# Reference: https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html
# NOTE(review): six entries in this set repeat indicators already listed above
# (etude.servemp3.com, euiro8966.organiccrap.com, games.my-homeip.com,
# hosting.tempors.com, jennifer998.lookin.at, kted56erhg.dynssl.com). They are
# kept so each reference's published set stays complete; duplicates are
# presumably collapsed when the trails are loaded — verify against the loader.

0906.toh.info
21kmg.my-homeip.net
agent.my-homeip.net
amanser951.otzo.com
applejp.myfw.us
dds.walshdavis.com
dnsdns1.passas.us
emsit.serveirc.com
etude.servemp3.com
euiro8966.organiccrap.com
faceto.uglyas.com
games.my-homeip.com
hansun.serveblog.net
hosting.tempors.com
indbaba.myfw.us
jennifer998.lookin.at
kazama.myfw.us
kfsinfo.byinter.net
kreng.bounceme.net
kted56erhg.dynssl.com
mycount.mrslove.com
navego.serveblog.net
nayana.adultdns.net
shinkhek.myfw.us
since.qpoe.com
usababa.myfw.us
v3net.rr.nu
wew.mymom.info

# Reference: https://asec.ahnlab.com/1298
# Reference: https://twitter.com/vigilantbeluga/status/1235496629811077121
# Reference: https://otx.alienvault.com/pulse/5e612f6d1dadda20c4314b21

imbc.onthewifi.com

# Reference: https://twitter.com/nao_sec/status/1273209439764406272
# Reference: https://app.any.run/tasks/4c751168-358a-49c9-b751-e5b4aad9b060/

offices-update.com

# Reference: https://securitykitten.github.io/2014/11/25/curious-korlia.html
# Reference: https://www.virustotal.com/gui/ip-address/61.90.202.198/relations
# Reference: https://www.virustotal.com/gui/file/dc9f17c87397428089e70aeea5af47f5588460b4ae5b8effb5370dc742eff1cf/detection

# NOTE(review): a bare-IP URL with no path matches any HTTP request to this
# address regardless of URI. The sourcing write-up dates from 2014; expect false
# positives if the address has since been reassigned — re-check attribution
# before relying on it for blocking rather than alerting.
http://61.90.202.198
japanbaba.myfw.us
koreamama.myfw.us

# Reference: https://www.virustotal.com/gui/file/13c5eb2c8deaf1b4b51eac782cc1f1a7c64e2ee8a9a12d37c25b45b09524c354/detection

shinkhw.myfw.us

# Reference: https://www.virustotal.com/gui/file/98c59d682da617f993f3d57bb9e3ff076caa7469ddb0701c46715c25c9c0453d/detection

nancyxi.gotdns.org
nothree.myfw.us

# Reference: https://www.virustotal.com/gui/file/80f8c3c2f44dc514500b49adc31b9b4e269ea2604fc09a94d7e4c6bce18223a1/detection

webmaff.dns05.com

# Reference: https://www.virustotal.com/gui/file/83231d8e25f1c8d74aa9eb07f18dca9154323e0f372b29d89a2ce2dcbfad6cf8/detection

shinkhw.organiccrap.com

# Reference: https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/

# NOTE(review): both URLs below carry a trailing slash after "user.html" as
# published. If URL trails are matched as exact strings rather than prefixes, a
# request for ".../chapter1/user.html" without the slash will not match —
# confirm the matcher's behaviour, or add the slash-less form as well.
http://154.223.175.115/chapter1/user.html/
http://154.95.17.145/chapter1/user.html/
