# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt23, apt-c-23, micropsia, pierogi

# Reference: https://www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-1
# Reference: https://www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2
# Reference: https://content.connect.symantec.com/sites/default/files/2018-08/APT-C-23%20IOCs.pdf (Appendix)

1jve.com
aamir-khan.site
accaunts-googlc.com
accountforusers.website
accountforuser.website
account-gocgle.com
account-googlc.com
accounts-gocgle.com
accounts-googlc.com
accountusers.website
accuant-googlc.com
activedardash.club
alain.ps
alisonparker.club
android-settings.info
apkapps.pro
apkapps.site
appchecker.us
appuree.info
arthursaito.club
aryastark.info
aslaug-sigurd.info
assets-acc.club
bbc-learning.com
bellamy-bob.life
bestbitloly.website
billy-bones.info
bitgames.world
black-honey.club
bob-turco.website
buymicrosft.com
camilleoconnell.website
caroline-nina.com
cassy-gray.club
cecilia-dobrev.com
cecilia-gilbert.com
cerseilannister.info
chat-often.com
christopher.fun
claire-browne.info
clarke-griffin.info
clarke-taylor.life
daario-naharis.info
dachfunny.club
dachfunny.us
dardash.club
dardash.fun
dardash.info
dardash.live
david-mclean.club
david-moris.website
davina-claire.xyz
davos-seaworth.info
debra-morgan.com
donna-paulsen.info
easyshow.fun
eleanor-guthrie.info
eleanorguthrie.site
engin-altan.website
esofiezo.website
everyservices.space
exvsnomy.club
ezofiezo.website
face-book-support.email
fasebcck.com
fasebock.info
fasebook.cam
fasebookvideo.com
fatehmedia.site
firesky.site
flirtymania.fun
freya.miranda-barlow.website
geny-wise.com
gmailservice.us
graceygretchen.info
hareyupnow.club
harper-monty.site
harrykane.online
harvey-ross.info
hayleymarshal.com
hazel-grace.info
hctmial.com
hcttmail.com
help-live.club
help-sec.club
heyapp.website
hitmesanjjoy.pro
hoopoechat.com
hotimael.com
hotmailme.website
italk-chat.com
italk-chat.info
jack-wagner.website
james-charles.club
jimmykudo.online
john-brown.website
jon-snow.pro
jorah-mormont.info
joycebyers.club
juana.fun
kaniel-outis.info
karenwheeler.club
kate-austen.info
katesacker.club
katie.party
kik-com.com
kristy-milligan.website
lagertha-lothbrok.info
leonard-kim.website
leslie-barnes.website
lets-see.site
lexi-branson.website
lincoln-blake.website
lindamullins.info
liz-keen.website
login-yohoo.com
lord-varys.info
lyanna-stark.info
mail-accout.club
mail-goog1e.com
mail-mofa-pna.com
mail-pmi-pna.com
mail-police-sec.com
mail-presidency.com
margaery-tyrell.info
maria-bouchard.website
marklavi.com
mary-crawley.com
masuka.club
matthew-stevens.club
mauricefischer.club
max-eleanor.info
maxlight.us
max-mayfield.com
mediauploader.info
meetme.cam
meet-me.chat
men-ana.fun
michael-keaton.info
miranda-barlow.website
miwakosato.club
mofa-help.site
moneymotion.club
myboon.website
mygift.site
mygift.website
namybotter.info
namyyeatop.club
natemunson.com
new.filetea.me
nightchat.fun
nightchat.live
nissour-beton.com
octavia-blake.world
olivia-hartman.info
oriential.website
ososezo.club
ososezo.site
parrotchat.co
pmi-pna.com
pml-help.site
pml-sac.info
pmo-gov.info
police-sec.club
police-sec.info
pure-talk.com
rachel-green.info
ragnar-lothbrok.info
ran-togomory.com
redirect-wa.com
rexkatsugeki.info
richard-hines.website
rocket-chat.com
rose-sturat.info
ross-gelller.info
sahemnews.dynamicdns.co.uk
sahem.pcanywhere.net
sanblitch.club
sanjynono.website
sapport-accounts.com
saratancredi.info
sec-acoaunt.com
sec-outluck.com
secureaccountes.com
selin-yilmaz.info
sendbird-chat.com
serv2.sandtengineers.info
shahrukh-khan.club
shailene-hazel.life
shailene-tris.xyz
sherlock-holmes.club
shortupload.com
show-me.fun
so-chat.org
sophie-deverau.xyz
sopotfile.website
spgbotup.club
sportliner.website
sybil-parks.info
tawjihi2018.site
tellme.site
top4up.website
tyrion-lannister.info
upload999.com
useraccount.website
usr-accounts-validation.pw
victor-stewart.info
wab-watzapp.com
wab-whtsap.com
wa-loading.com
websetting.me
web-wnatzapp.com
web-wtsapp.com
wes-gibbins.com
whatsaapp.us
whatsapps.cam
whatsusers.fun
whatzopp.com
whispers-talk.com
white-hony.online
whowatchyou.com
win-laive.com
winlife.host
world-cup-live-2018.stream
yahaoa.com
yohoa-users.com
youngmija.club
young-spencer.com
zachlieberman.club
zee-player.com
zee-player.website

# Reference: https://research.checkpoint.com/apt-attack-middle-east-big-bang/

exvsnomy.club
namyyeatop.club
spgbotup.club
lindamullins.info
namybotter.info
hitmesanjjoy.pro
ezofiezo.website
sanjynono.website

# Reference: https://twitter.com/ClearskySec/status/1022767002925129730
# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-07-27: APT-C-23 Infrastructure and Micropsia samples)

steve-harrington.com
sophie-deverau.xyz
shailene-tris.xyz
shailene-hazel.life
max-mayfield.com
mauricefischer.club
margaery-tyrell.info
alisonparker.club
young-spencer.com
dardash.club
joycebyers.club
harvey-ross.info
davina-claire.xyz
arthursaito.club

# Reference: https://twitter.com/ClearskySec/status/1067109104492134400
# Reference: https://blog.radware.com/security/2018/07/micropsia-malware/

samwinchester.club

# Reference: https://twitter.com/ClearskySec/status/984700415055925248

relationalsystems.net

# Reference: https://twitter.com/jeFF0Falltrades/status/1132684186446438405

katesalinas.icu

# Reference: https://twitter.com/VK_Intel/status/1142498510845202440
# Reference: https://twitter.com/P3pperP0tts/status/1142760589871259649
# Reference: https://pastebin.com/djxQAE08
# Reference: https://www.virustotal.com/gui/file/345b706ead4b917138c8e8aff0ca5526ee7738f67c19e0d9b2ab5487c90cf547/detection

nfstate.club
fasstt.space
powzip.club
gtmake.info
pre23sence.club

# Reference: https://unit42.paloaltonetworks.com/unit42-badpatch/

pal4u.net
pal2me.net
pay2earn.net
shop8d.net
ts4shope.net
pal4news.net

# Reference: https://www.fortinet.com/blog/threat-research/badpatch-campaign-uses-python-malware.html
# Reference: https://otx.alienvault.com/pulse/5db3616a90ebed5e230cb2d5

tstapi.pal4u.net

# Reference: https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor
# Reference: https://otx.alienvault.com/pulse/5e451c74a860e7f82bef4bc6

linda-callaghan.icu
nicoledotson.icu

# Reference: https://twitter.com/blackorbird/status/1229245744109850624
# Reference: https://www.virustotal.com/gui/file/d095f39823656a99b7bd7d9ad132d5aabbf59862a86253ce067329a491590d13/detection
# Reference: https://www.virustotal.com/gui/ip-address/68.65.121.44/relations
# Reference: https://www.virustotal.com/gui/ip-address/198.54.117.211/relations

68.65.121.44:1883
68.65.121.44:443
198.54.117.211:1883
198.54.117.217:1883
198.54.117.215:1883
198.54.117.212:1883
198.54.117.218:1883

# Reference: https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/
# Reference: https://otx.alienvault.com/pulse/5e4a58ac2cf3129eb287becc

catchansee.com

# Reference: https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/

cecilia-gilbert.com
david-gardiner.website
digital-apps.store
javan-demsky.website
linda-gaytan.website

# Reference: https://twitter.com/malwrhunterteam/status/1314253545982525440
# Reference: https://twitter.com/ShadowChasing1/status/1314490418516508673
# Reference: https://www.virustotal.com/gui/file/d2724090e873775aeb0eb0e12c2d65ac43a7e6e608fdc4f3d74fa79ca85e468f/detection

whispers-talk.site

# Reference: https://twitter.com/ShadowChasing1/status/1314530949770559489
# Reference: https://www.virustotal.com/gui/file/2d03ff4e5d4d72afffd9bde9225fe03d6dc941982d6f3a0bbd14076a6c890247/detection
# Reference: https://www.virustotal.com/gui/file/2b70045d4878a20b8fca568c0b3414f2d255f3b2a7dfed85c84cf88d1b2f4e74/detection

ruthgreenrtg.live

# Reference: https://twitter.com/malwrhunterteam/status/1316365476042338306
# Reference: https://twitter.com/LukasStefanko/status/1316395809055944704
# Reference: https://twitter.com/ShadowChasing1/status/1316706683108782080
# Reference: https://www.virustotal.com/gui/file/8c63a7d1f7d24ce40dcb751ac066d27ed19e0d3ee3f0071ea5984ab204c765f6/detection

brian-garcia.work
darrell-ferris.site
tommy-swope.site

# Reference: https://twitter.com/ShadowChasing1/status/1318564724062130176
# Reference: https://www.virustotal.com/gui/file/db1c2482063299ba5b1d5001a4e69e59f6cc91b64d24135c296ec194b2cab57a/detection

krasil-anthony.icu

# Reference: https://twitter.com/ShadowChasing1/status/1329090011766038531
# Reference: https://www.virustotal.com/gui/file/0d65b9671e51baf64e1389649c94f2a9c33547bfe1f5411e12c16ae2f2f463dd/detection
# Reference: https://www.virustotal.com/gui/file/3da95f33b6feb5dcc86d15e2a31e211e031efa2e96792ce9c459b6b769ffd6a4/detection

judystevenson.info

# Reference: https://www.virustotal.com/gui/file/32eb4f92c8e82d3f401078725115d0604f9283ff8d9a088e7afbc150e08df295/detection

http://198.54.115.130

# Reference: https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign
# Reference: https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf
# Reference: https://www.virustotal.com/gui/file/f323a150d7597f46d29eb3a3c56f74e11d18caf164f9176c8c1b2fa0031cc729/detection

artlifelondon.com
brooksprofessional.com
exchangeupdates.com
forextradingtipsblog.com

# Reference: https://team-cymru.com/blog/2020/12/16/mapping-out-aridviper-infrastructure-using-augurys-malware-addon/

angeladeloney.info
jack-fruit.club
lordblackwood.club
overingtonray.info

# Generic (callback) paths

/api/hazard/oneo
/api/white_walkers/
/debby/weatherford/
/debby/weatherford/Yortysnr
/debby/weatherford/Ekspertyza
/debby/weatherford/Zavantazhyty
/debby/weatherford/Vydalyty
/vcapicv/vchivmqecv/
/vchivmqecv/vbqsrot
/xqgjdxa/yhhzireha/
/enterprise/Senterprise.php
/enterprise/Wenterprise.php
/AhmedMajdalani.php
/Hamas.php
/hamas_internal_elections.rar
/SaudiRecognitionofIsrael.php

# APK

/MyGramIM.signed.apk
