# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: castlebot, castleloader, castlerat, tag-150

# Reference: https://x.com/JAMESWT_WT/status/1958947921598062796
# Reference: https://www.virustotal.com/gui/file/f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be/detection

programsbookss.com

# Reference: https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2
# Reference: https://raw.githubusercontent.com/eSentire/iocs/refs/heads/main/Nightshade/Nightshade-IoCs-09-01-2025.txt

102.135.95.102:33336
102.135.95.102:33337
102.135.95.102:7777
104.225.129.171:33336
104.225.129.171:33337
104.225.129.171:7777
107.158.128.45:33336
107.158.128.45:33337
107.158.128.45:7777
107.158.128.90:33336
107.158.128.90:33337
107.158.128.90:7777
170.130.165.28:33336
170.130.165.28:33337
170.130.165.28:7777
173.232.146.90:33336
173.232.146.90:33337
173.232.146.90:7777
178.17.57.102:33336
178.17.57.102:33337
178.17.57.102:7777
180.178.122.131:33336
180.178.122.131:33337
180.178.122.131:7777
180.178.189.17:33336
180.178.189.17:33337
180.178.189.17:7777
185.149.146.118:33336
185.149.146.118:33337
185.149.146.118:7777
185.149.146.1:33336
185.149.146.1:33337
185.149.146.1:7777
185.208.158.250:33336
185.208.158.250:33337
185.208.158.250:7777
195.201.108.189:33336
195.201.108.189:33337
195.201.108.189:7777
34.72.90.40:33336
34.72.90.40:33337
34.72.90.40:7777
45.11.180.174:33336
45.11.180.174:33337
45.11.180.174:7777
45.61.136.81:33336
45.61.136.81:33337
45.61.136.81:7777
5.35.44.176:33336
5.35.44.176:33337
5.35.44.176:7777
64.52.80.82:33336
64.52.80.82:33337
64.52.80.82:7777
77.238.241.203:33336
77.238.241.203:33337
77.238.241.203:7777
79.132.130.142:33336
79.132.130.142:33337
79.132.130.142:7777
91.202.233.132:33336
91.202.233.132:33337
91.202.233.132:7777
91.202.233.250:33336
91.202.233.250:33337
91.202.233.250:7777
91.202.233.251:33336
91.202.233.251:33337
91.202.233.251:7777
94.141.122.164:33336
94.141.122.164:33337
94.141.122.164:7777
tdbfvgwe456yt.com

# Reference: https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations

http://178.17.57.102
http://45.61.136.81
http://91.202.233.250
104.225.129.171:443
144.208.126.50:443
185.125.50.125:7777
185.196.10.8:7777
185.196.9.222:7777
185.196.9.80:7777
195.85.115.44:443
34.72.90.40:443
45.11.180.198:7777
45.144.53.62:7777
5.35.44.176:443
77.90.153.43:7777
79.132.131.200:7777
85.192.49.6:7777
87.120.93.167:7777
91.212.166.17:33334
teamsi.org
teamsio.com
teamsoftdigital.com

# Reference: https://x.com/PRODAFT/status/1948382357725024565
# Reference: https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview
# Reference: https://github.com/prodaft/malware-ioc/tree/master/CastleLoader
# Reference: https://www.virustotal.com/gui/file/05ecf871c7382b0c74e5bac267bb5d12446f52368bb1bfe5d2a4200d0f43c1d8/detection
# Reference: https://www.virustotal.com/gui/file/31493e6366d3e7275a1e01937a4a18b27db8e5ef21bc21df666690d455f2acaf/detection
# Reference: https://www.virustotal.com/gui/file/0d7a46cedeb866930ebe808a596b44c5cf8941e448b4f8012018283ea55ec309/detection
# Reference: https://www.virustotal.com/gui/file/6e11ec22fd31d9eb4bd6060711dbd5d3c7c05bd7dfaa20daaee2c2c8a4dcf524/detection
# Reference: https://www.virustotal.com/gui/file/3329d3011f8f4c3df16230a1e6ed3ffe3c3cffaa7dadf0238eb6b011a659c84f/detection

http://173.44.141.89
185.39.19.165:5354
buzzedcompany.com
lekuvam.com
polarcompany.org
rinasalleh.com
teamsapi.net

# Reference: https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation
# Reference: https://www.virustotal.com/gui/file/3329d3011f8f4c3df16230a1e6ed3ffe3c3cffaa7dadf0238eb6b011a659c84f/detection
# Reference: https://www.virustotal.com/gui/file/f31e9ef8a59bacda22d8310750b91841878e1f398270676718d3a0b4949880a2/detection
# Reference: https://www.virustotal.com/gui/file/4cd0a2eb8662b5bdacf7f5db62827dd29a0c75d2b3b3f28eefb584e44a1ef2a5/detection

http://107.158.128.45
http://107.158.128.90
http://45.11.180.174
45.11.180.174:6666

# Reference: https://x.com/g0njxa/status/1980943290896630209
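# BANNER_0_HASH-HOST=d5a7ef665ea2e5f9fd95ab665b149262
# Note: the cprapid.com, sslip.io and duckdns.org entries below are individual hostnames under shared hostname/dynamic-DNS services; match the full hostname, not the parent domain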

185-212-47-84.cprapid.com
45-11-183-165.cprapid.com
79.132.130.142.sslip.io
3vr3v3sdf.online
7hzhde.xyz
alafair.net
anotherproject.icu
baaredlead.com
bethschwier.com
campanyasoft.com
campuscedeco.ran.es
castlnetintel.com
cedeco.ran.es
chargerrlogistics.cam
cisco-webexxapp.xyz
criip.art
dperforms.info
estetic-online.com
ftroftrodro.top
funjobcollins.shop
gernlern.com
gghhjjkkuuywwfdf.space
higueruela.net
ippsadfx.icu
jeneeday.com
jeneeday.net
krefjkj.duckdns.org
lekuvam.com
loads.icu
loads.world
loadsplanning.com
megarstorei.store
mhousecreative.com
oldspicenotsogood.shop
oneyogasite.com
pittiadg.top
polarcompany.org
rinasalleh.com
shortstreet.net
st-hanbok.com
tattori.icu
vilaoaza.com
vvsgr.net
wereatwar.com

# Reference: https://x.com/drb_ra/status/1981031132247228884
# Reference: https://gist.github.com/drb-ra/ca579655912dd56acb2be6af301a55a9

107.158.128.26:443
170.130.165.201:443
172.86.90.58:443

# Reference: https://x.com/1ZRR4H/status/1986271204563452367
# Reference: https://www.linkedin.com/posts/jeromesegura_darkgate-malvertising-cometbrowser-activity-7383221467347476480-pVwV
# BANNER_0_HASH-HOST=490c066a6a6d63261339a7049fab6a86
# BANNER_0_HASH-HOST=d5a7ef665ea2e5f9fd95ab665b149262
# BODY_SHA1-HOST=e561b2cfc84bf7cd1443a6f5929c5e5a0e2c6b62

amnesiapidor.cfd
cometswift.com
digitaldoctor.uno
donttouchme.life
donttouchthisisuseless.icu
doyoureallyseeme.icu
dpeformse.com
fogverifer.us
icantseeyou.icu
nationnlahde.xyz
perplexity.page
protectedserversharedfile.com
rcpeformse.com
roject0.com
shareddirectprotected.com
sharedprotectedfileme.com
sharedprotectedmefile.xyz
sharedprotectedsharedfile.xyz
sharedriveprotected.com
speatly.com
touchmeplease.icu
vengermsk.icu
vpn847931076.softether.net

# Reference: https://x.com/1ZRR4H/status/1986271204563452367

castlppwnd.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-11-08)

http://107.158.128.26
http://170.130.165.201
http://172.86.90.58
45.134.26.69:443

# Reference: https://www.virustotal.com/gui/file/27f24adab8c696069e22233860851dd8654a846700483f6c4a9a8aa05f1b27db/detection
# Reference: https://www.virustotal.com/gui/file/7e5854134a25286ed9e94f0848127731bf3c78def80cb750b34f31f7b917435e/detection
# Reference: https://www.virustotal.com/gui/file/c99c06b15f4adc05f22ccd69ec0b34cdc9974b8b223c7db5a87eb912a1b52cbb/detection

185.121.234.141:443

# Reference: https://x.com/malwrhunterteam/status/1990726475394207815
# Reference: https://www.virustotal.com/gui/file/ea008ca5c04cb56a47b785609a0045f5ac0af82378f2dd097ba781feae921b2d/detection
# Reference: https://www.virustotal.com/gui/file/d1e661844e46ea11ac9169f7e71253a02db279b6bef4c6ffe144d298ca8db917/detection
# TITLE-HOST=Download Sphere Installer

178.16.54.229:18191
185.177.239.92:443
xyz-ai.org
testwha.duckdns.org

# Reference: https://infosec.exchange/@netresec/115581320305095154
# Reference: https://www.virustotal.com/gui/file/adc2e9487e182672fc2a30783130162754e92b173800563bc34a275125a5e3b1/detection
# Reference: https://www.virustotal.com/gui/file/fa354cf29852573669bc468ea2dac0ea5e83a943315466c89dd8634b38cdb261/detection

cloudyape.com
finger.cloudyape.com

# Reference: https://x.com/SquiblydooBlog/status/2012146887680299303
# Reference: https://www.virustotal.com/gui/file/164421af114cb376d86e8c28d1b3749a3dbfa12328e928c22735930ff200aa28/detection
# BANNER_0_HASH-HOST=85ca83ae608dda69a48d744b392a6a01

gamebassok.icu
itlonspark.us
killianvoice.icu

# Generic (URL path patterns, not bound to a specific host)

/keya.bin?nocache=
/testa.bin?nocache=
