# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt-04

# Reference: https://twitter.com/Sebdraven/status/1052864520522223616
# Reference: https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739
# Reference: https://www.virustotal.com/#/ip-address/185.106.120.43

heartissuehigh.win
webserv-redir.net

# Reference: https://twitter.com/Sebdraven/status/1140597344720830471
# Reference: https://app.any.run/tasks/d7ce191d-c04f-4eff-a13c-02cbe746c256/
# Reference: https://www.virustotal.com/gui/domain/cdn-dl.cn/relations
# Reference: https://pastebin.com/rccqdjNB

cdn-dl.cn
bd-gov.cdn-dl.cn
bdgov-mopa.cdn-dl.cn
biaa-org-bd.cdn-dl.cn
biaa-org.cdn-dl.cn
gov-cn.cdn-dl.cn
gov-pk.cdn-dl.cn
hostmaster.cdn-dl.cn
info-account.cdn-dl.cn
ministry-gov.cdn-dl.cn
ministry-interior-gov-pk.cdn-dl.cn
mod-gov.cdn-dl.cn
moe-gov.cdn-dl.cn
moi-nadra.cdn-dl.cn
mopa-bd.cdn-dl.cn
mopa-bdgov.cdn-dl.cn
mopa-govbd.cdn-dl.cn
nadra-interior.cdn-dl.cn
nadra-moi.cdn-dl.cn
narda-moi.cdn-dl.cn
neteease.cdn-dl.cn
newmake.pw
serve-dropbx-ap-east1.cdn-dl.cn
suodeshui.cdn-dl.cn
tiexue.cdn-dl.cn

# Reference: https://twitter.com/Timele9527/status/1147750939576586244

http://167.86.116.39

# Reference: https://twitter.com/Timele9527/status/1147750939576586244

vidyasagaracademybrg.in/scripts/lnk/
vidyasagaracademybrg.in/scripts/am/

# Reference: https://twitter.com/Timele9527/status/1150597482310619136
# Reference: https://app.any.run/tasks/e15e1cd1-0c38-41b9-aa1e-a29562f17b3d/
# Reference: https://www.freebuf.com/articles/network/196788.html (Chinese)
# Note: google.com.d-dns.co and nadra.gov.pk.d-dns.co are lookalike hostnames under the third-party domain d-dns.co;
# the legitimate google.com and nadra.gov.pk are not indicators, so match the full hostname rather than its prefix.
# Note: webserv-redir.net is also listed under the first reference set above (duplicate entry).

ap12.ms-update-server.net
cdn-do.net
cdn-edge.net
cdn-list.net
fb-dn.net
google.com.d-dns.co
msftupdate.srv-cdn.com
nadra.gov.pk.d-dns.co
pmo.cdn-load.net
s2.cdn-edge.net
s12.cdn-apn.net
trans-pre.net
webserv-redir.net

# Reference: https://twitter.com/blackorbird/status/1160734383864610816

trans-can.net

# Reference: https://mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA

cdn-ps.net

# Reference: https://twitter.com/blackorbird/status/1189116884626493440

paknavy.gov.pk.ap1-port.net

# Reference: https://twitter.com/Timele9527/status/1195272502135549953
# Reference: https://www.virustotal.com/gui/domain/reawk.net/details

reawk.net

# Reference: https://twitter.com/ccxsaber/status/1195281985335201794

sd1-bin.net

# Reference: https://twitter.com/0xCARNAGE/status/1203882560176218113
# Reference: https://app.any.run/tasks/3abfc241-3ab0-4016-acbb-040b44199d52/

185.225.17.239:443

# Reference: https://twitter.com/RedDrip7/status/1206898954383740929

ap1-acl.net

# Reference: https://twitter.com/Timele9527/status/1211852764688478216
# Reference: https://app.any.run/tasks/c8469e19-96a0-4f2f-9765-72acf72dee05/

fincruitconsulting.in

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/
# Reference: https://otx.alienvault.com/pulse/5e133ac9f5eaf331885e74b4

aws-check.net
deb-cn.net
ms-db.net
ms-ethics.net

# Reference: https://github.com/blackorbird/APT_REPORT/tree/master/sidewinder

gov-pk.org

# Reference: https://mp.weixin.qq.com/s/L3dVwbkfTABtE4ZYtv5r4w
# Reference: https://otx.alienvault.com/pulse/5e206d8b77de0b2690b9946c

110.10.176.193:4443

# Reference: https://twitter.com/Timele9527/status/1247325070520750080
# Reference: https://twitter.com/Timele9527/status/1247327952238284800
# Reference: https://twitter.com/Timele9527/status/1247376905956765697

ap-ms.net
d01fa.net
fdn-en.net
nrots.net

# Reference: https://twitter.com/ShadowChasing1/status/1252547080070914048

link-cdnl.net

# Reference: https://twitter.com/ccxsaber/status/1260775018306236416

au-edu.km01s.net

# Reference: https://twitter.com/Arkbird_SOLG/status/1260727623539404800

kat0x.net

# Reference: https://twitter.com/ShadowChasing1/status/1268214042637684738
# Reference: https://www.virustotal.com/gui/domain/chrom3.net/relations

chrom3.net
r0dps.net

# Reference: https://twitter.com/ccxsaber/status/1281413683013287936

gov-mil.cn

# Reference: https://twitter.com/ShadowChasing1/status/1284319235481538565

cdn-m1l.net
tar-gz.net

# Reference: https://twitter.com/cyber__sloth/status/1293183011916193793
# Reference: https://twitter.com/cyber__sloth/status/1293187616897028098
# Reference: https://twitter.com/Arkbird_SOLG/status/1293221669134372865
# Reference: https://app.any.run/tasks/e3501b33-28a2-4b7c-bc79-d20891c4832e/

http://111.229.73.84
202.58.104.100:81

# Reference: https://twitter.com/ShadowChasing1/status/1296710024643796992
# Reference: https://www.virustotal.com/gui/file/a89189f1c7c101c8d9c2637e571c4f8546df3ea557a576090cde7b75009981a9/detection

fqn-cloud.net

# Reference: https://twitter.com/ShadowChasing1/status/1297902086747598852

asw-edu.net
filesrvr.net

# Reference: https://twitter.com/cyber__sloth/status/1298187291295461376
# Reference: https://www.virustotal.com/gui/ip-address/185.141.25.136/relations

mil-pk.net

# Reference: https://twitter.com/ShadowChasing1/status/1308620752703299585

aws-pk.net
cdn-aws-s2.net

# Reference: https://twitter.com/ShadowChasing1/status/1316680709478604800
# Reference: https://twitter.com/mg2_tracy1/status/1316688407280586752
# Reference: https://www.virustotal.com/gui/file/280fb291d49f277067667838cdf30a940eaed9ed7712448158ea29e1ce6af86f/detection

cdn-sop.net

# Reference: https://twitter.com/ShadowChasing1/status/1324349418162720769
# Reference: https://twitter.com/ShadowChasing1/status/1324349684664528897
# Reference: https://www.virustotal.com/gui/domain/gov-pok.net/detection

gov-pok.net

# Reference: https://twitter.com/RedDrip7/status/1328639418110865409
# Reference: https://www.virustotal.com/gui/file/1cbec920afe2f978b8f84e0a4e6b757d400aeb96e8c0a221130060b196ece010/detection

cdn-edu.net

# Reference: https://twitter.com/mg2_tracy1/status/1331153718931177473
# Reference: https://www.virustotal.com/gui/file/7238f4e5edbe0e5a2242d8780fb58c47e7d32bf2c4f860c88c511c30675d0857/detection

ms-trace.net

# Reference: https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html
# Reference: https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742
# Note: the mail-* entries below are hostnames on shared dynamic-DNS services (hopto.org, ddns.net, duckdns.org,
# zapto.org, myftp.org, serveftp.com); only the full hostnames are indicators, do not block the parent domains.

185.225.19.46:4589
185.225.19.46:4875
gov-af.org
gov-np.org
mail-apfgavnp.hopto.org
mail-apfgovnp.ddns.net
mail-kmgcom.ddns.net
mail-mfagovcn.hopto.org
mail-mofagovnp.hopto.org
mail-mofagovnp.zapto.org
mail-mofgovnp.hopto.org
mail-ncporgnp.hopto.org
mail-nepalarmymilnp.duckdns.org
mail-nepalgovnp.duckdns.org
mail-nepalpolicegov.hopto.org
mail-nepalpolicegovnp.duckdns.org
mail-nrborg.hopto.org
mail-nscaf.myftp.org
mail-ntcnetnp.serveftp.com

# Reference: https://twitter.com/BaoshengbinCumt/status/1342297125141454848
# Reference: https://www.virustotal.com/gui/file/c59c6c18f529c88cf352883b23af36f829b8ae1d17daa0762f028184cba7199b/detection

cdn-re.net
