# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: cageychameleon, cryptocore, cryptomimic, ta444, wslink, RTV4, CoreKit, netchk, upl/tlgrm, NimDoor, unc1069

# Reference: https://twitter.com/e_kaspersky/status/1481665686351106053
# Reference: https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/

http://163.25.24.44
http://45.238.25.2
163.25.24.44:443
45.238.25.2:443
118.70.116.154:8080
186.183.185.94:8080
66.181.166.15:8080
163qiye.top
abiesvc.com
abiesvc.info
abiesvc.jp.net
antcapital.us
atom.publicvm.com
att.gdrvupload.xyz
authenticate.azure-drive.com
azure-drive.com
azureprotect.xyz
azure-service.com
azureword.com
backup.163qiye.top
beenos.biz
bhomes.cc
bitcoinnews.mefound.com
bitflyer.team
blog.cloudsecure.space
bloomcloud.org
buidihub.com
chemistryworld.us
circlecapital.us
client.googleapis.online
cloud.azure-service.com
cloud.globalbrains.co
cloud.jumpshare.vip
cloudsecure.space
cloudshare.jumpshare.vip
cloud.venturelabo.co
coinbig.dev
coinbigex.com
coin-squad.co
deepmind.fund
dekryptcap.digital
devprocloud.com
dllhost.xyz
doconline.top
docs.azureword.com
docs.coinbigex.com
docs.gdriveshare.top
docs.goglesheet.com
docs.securedigitalmarkets.co
docstream.online
document.antcapital.us
document.bhomes.cc
document.fastercapital.cc
document.kraken-dev.com
document.lundbergs.cc
documentprotect.live
documentprotect.pro
documents.antcapital.us
document.skandiafastigheter.cc
docuserver.xyz
doc.venturelabo.co
doc.youbicapital.cc
domainhost.dynamic-dns.net
download.azure-safe.com
download.azure-service.com
download.gdriveupload.site
drives.googldrive.xyz
drives.googlecloud.live
driveshare.googldrive.xyz
dronefund.icu
drw.capital
eii.world
etherscan.mrslove.com
faq78.faqserv.com
fastdown.site
fastercapital.cc
filestream.download
file.venturelabo.co
foundico.mefound.com
galaxydigital.cc
galaxydigital.cloud
gdocsdown.com
gdriveshare.top
gdriveupload.info
gdrvupload.xyz
globalbrains.co
gmaildrive.site
goglesheet.com
googldrive.xyz
googleapis.online
googleauth.pro
googlecloud.live
googledocpage.com
googledrive.download
googledrive.email
googledrive.online
googledrive.publicvm.com
googleexplore.net
googleservice.icu
googleservice.xyz
googlesheetpage.org
googleupload.info
gsheet.gdocsdown.com
hiccup.shop
innoenergy.info
isosecurity.xyz
jack710.club
jumpshare.vip
kraken-dev.com
ledgerservice.itsaol.com
lemniscap.cc
lundbergs.cc
mail.gdriveupload.info
mail.gmaildrive.site
mail.googleupload.info
mclland.com
microstratgey.com
miss.outletalertsdaily.com
msoffice.qooqle.download
note.onedocshare.com
onlinedoc.dev
onlinedocpage.org
outletalertsdaily.com
page.googledocpage.com
product.onlinedoc.dev
protect.antcapital.us
protect.azure-drive.com
protectoffice.club
protect.venturelabo.co
pvset.itsaol.com
qooqle.download
qoqle.online
regcnlab.com
reit.live
securedigitalmarkets.ca
securedigitalmarkets.co
share.bloomcloud.org
sharebusiness.xyz
share.devprocloud.com
sharedocs.xyz
share.docuserver.xyz
share.stablemarket.org
signverydn.sharebusiness.xyz
sinovationventures.co
skandiafastigheter.cc
slot0.regcnlab.com
stablemarket.org
svr04.faqserv.com
tokenhub.mefound.com
tokentrack.mrbasic.com
twosigma.publicvm.com
updatepool.online
up.digifincx.com
upload.gdrives.best
venturelabo.co
verify.googleauth.pro
word.azureword.com
youbicapital.cc
devstar.dnsrd.com
fxbet.linkpc.net
lservs.linkpc.net
mmsreceive.linkpc.net
msservices.hxxps443.org
onlineshoping.publicvm.com
palconshop.linkpc.net
pokersonic.publicvm.com
press.linkpc.net
rubbishshop.linkpc.net
rubbishshop.publicvm.com
socins.publicvm.com
vpsfree.linkpc.net

# Reference: https://twitter.com/malwrhunterteam/status/1602997656468754432
# Reference: https://www.virustotal.com/gui/file/41c83c80fa348d56ccb10fa48114bac52691c9778812547290d13b3214d98e8c/detection

gdriveshare.com
googledrive.services
wirexapp.app

# Reference: https://securelist.com/bluenoroff-methods-bypass-motw/108383/
# Reference: https://otx.alienvault.com/pulse/63ac10d2a4d29d94a7766d7a

abf-cap.co
abf-cap.com
angelbridge.capital
angelbridge.jp
anobaka.info
anobaka.jp
bankofamerica.nyc
bankofamerica.tel
bankofamerica.us.org
beyondnextventures.co
beyondnextventures.com
jp-aprime.info
lno-prima.lol
mizuhogroup.us
offerings.cloud
perseus.bond
smbc-vc.com
smbc.ltd
smbcgroup.us
tptf.co
tptf.ltd
tptf.us
avid.lno-prima.lol
careers.mizuhogroup.us
cloud.beyondnextventures.co
info.anobaka.info
vote.anobaka.info
word.anobaka.info
ww25.amazon.co.jp-aprime.info
ww25.co.jp-aprime.info
ww25.jp-aprime.info
ww25.login-service.amazon.co.jp-aprime.info
ww25.mail.jp-aprime.info
ww25.webmail.jp-aprime.info
ww38.jp-aprime.info

# Reference: https://twitter.com/StopMalvertisin/status/1625402506737250304
# Reference: https://www.virustotal.com/gui/file/26e376fc80b090b2ee04e7d3104d308a150e58538580109a74f4ac49bf362423/detection

espcapital.pro
cloud.espcapital.pro

# Reference: https://twitter.com/craiu/status/1625408594886762496
# Reference: https://twitter.com/craiu/status/1625408647508402176

cloud.anobaka.info
cloud.dnx.capital
cloud.gpmtreit.co
cloud.j-ic.co
cloud.j-ic.com
cloud.mekongcapital.net
down.gpmtreit.co
down.gpmtreit.us
down.j-ic.com
down.tomming.us
gpmtreit.co
gpmtreit.us
internal.j-ic.co
j-ic.co
j-ic.com
mekongcapital.net
tet.dnx.capital
tomming.us

# Reference: https://twitter.com/StopMalvertisin/status/1625710611425554434
# Reference: https://www.virustotal.com/gui/file/864f2a624a58cf460689d805e271fbffe24266933cc10166f4342e65143e019f/detection

autoprotect.com.de

# Reference: https://twitter.com/souiten/status/1635210162805018624
# Reference: https://www.virustotal.com/gui/file/2c0a66c6370b4aa88ab3805d520e868cbc513b43119958257a72c9ff58ef241c/detection

share.dedesignanddev.com

# Reference: https://twitter.com/StopMalvertisin/status/1642450636875898880
# Reference: https://twitter.com/StopMalvertisin/status/1642450639618973696
# Reference: https://www.virustotal.com/gui/file/4d5efd08e66c394b025a57995a7065fcda45a982a16ded4cdfc4ed42bd142ea5/detection

jdshare.com.de
mufg.us.com

# Reference: https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/

31ventures.info
deck.31ventures.info

# Reference: https://twitter.com/k3yp0d/status/1650071119074844673
# Reference: https://www.virustotal.com/gui/file/ff8832355ae99ffd66d0fe9eda2d74efdf3ed87bb2a4c215b93ade93165f7c0b/detection
# Reference: https://www.virustotal.com/gui/file/3b6f30369a4ee8bf9409d141b6d1b3fb4286c34984b5de005ed7431df549b17e/detection

hedgehogvc.us
cloud.hedgehogvc.us
down.hedgehogvc.us
laos.hedgehogvc.us
pet.hedgehogvc.us
thai.hedgehogvc.us

# Reference: https://twitter.com/KSeznec/status/1678319191110082560

decentryk.online
protectsh.online
raizerverify.online
association.linkpc.net
c-money.linkpc.net
dma.linkpc.net
docsend.com-proapple.cloud.line.pm
longjourneycapital.publicvm.com
longjourneyfund.publicvm.com
longjourneyventure.publicvm.com
world.linkpc.net

# Reference: https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/
# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-08-10-v10391/855

autodynamics.work.gd

# Reference: https://twitter.com/philofishal/status/1767951302607151351
# Reference: https://www.virustotal.com/gui/file/083f949e4708098b624dca017e2c0294a18e9a581f92baa8348836d7d9ba06c7/detection

atajerefoods.com

# Reference: https://twitter.com/MichalKoczwara/status/1783136320166023648
# Reference: https://www.virustotal.com/gui/ip-address/104.168.198.145/relations
# Reference: https://app.validin.com/detail?type=raw&find=herblin1112%40gmail.com#tab=host_pairs (# 2025-05-20)
# Reference: https://app.validin.com/detail?find=1d398e3b572e906ecca28cc6fadc0fa6dcb0bd20&type=hash&ref_id=575dd0e9111#tab=host_pairs (# 2025-05-23)
# Reference: https://www.virustotal.com/gui/file/c24bb2b28d322faee5a0162675c0c579a5224149874742acdd0bdf0157359756/detection

104.168.145.52:8080
104.168.151.70:8080
104.168.198.145:8080
23.254.202.223:8080
adiclas-nft.quest
automatic-update.online
autoupdate.store
checkdata.wiki
datauploader.online
datauploader.site
dropepe.cfd
firstfromsep.online
instant-update.online
koreaair.tattoo
longlastfor.online
ovalln.top
safeup.online
stabucksiren.fun
star-bucks.life
starbucksevent.pics
system-update.cloud
system-update.xyz
thefirststore.bond
appleupdate.datauploader.site
first.longlastfor.online
first.system-update.xyz
metamask.awaitingfor.site
real.automatic-update.online
root.system-update.cloud

# Reference: https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf

buy2x.com
/OcMySY5QNkY/ABcTDInKWw/4SqSYtx%2B/EKfP7saoiP/BcA%3D%3D
/OcMySY5QNkY/ABcTDInKWw/4SqSYtx%2B/EKfP7saoiP/
/4SqSYtx%2B/
/ABcTDInKWw/
/EKfP7saoiP/
/OcMySY5QNkY/

# Reference: https://x.com/TLP_R3D/status/1826545317229015078
# Reference: https://www.virustotal.com/gui/ip-address/23.254.253.75/relations
# Reference: https://app.validin.com/detail?type=dom&find=panda95sg.asia#tab=host_pairs_v2

cmt.ventures
dourolab.xyz
maelstromfund.org
panda95sg.asia
pixelmonmmo.net
pixleon.net
prismlab.xyz
sendmailed.com
tvdhoenn.net
yoannturp.xyz
mc.tvdhoenn.net

# Reference: https://x.com/Cyberteam008/status/1826585708376850744
# Reference: https://app.validin.com/detail?type=ip&find=45.61.140.26#tab=resolutions

45.61.140.26:3389
versionupdate.dns.army

# Reference: https://twitter.com/behindbreach/status/1287961015506927616
# Reference: https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf
# Reference: https://otx.alienvault.com/pulse/5ef36f8f63a7d8a11972ca54
# Reference: https://vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/
# Reference: https://vblocalhost.com/uploads/VB2020-Takai-etal.pdf
# Reference: https://vblocalhost.com/uploads/VB2020-18.pdf
# Reference: https://otx.alienvault.com/pulse/5f74bcb0be4abfe12d93d2bf

140.136.134.201:8080
41.85.145.164:8080
1driv.org
1drv.email
1drvmail.work
amazonaws1.info
amzonnews.club
blockchaintransparency.institute
bugscrowd.com
cloudfiles.club
cloudocs.space
cloudsecure.space
decurret.site
digifincx.com
drivegmail.top
drivegoogle.org
drivegooglshare.xyz
euprotect.net
fcloudshare.xyz
filecloud.website
financialmarketing.live
gdriverfileshare.com
gdrives.best
gdrives.top
gdriveshare.top
gdriveshareslink.xyz
gdriveupload.info
gdriveupload.site
gdrvauth.cloud
gdrvcheck.co
gdrvshare.site
gdrvup.xyz
gdrvupload.xyz
gmaildrive.info
gmaildrive.site
gmaildriver.info
gogleshare.xyz
goglesheet.com
googldocs.org
googldrive.xyz
googleapis.online
googleauth.pro
googlecloud.live
googleclouddrive.com
googlecstorage.com
googledrive.download
googledrive.email
googledrive.network
googledrive.online
googledriver.info
googledriver.net
googledriver.xyz
googledriveshare.com
googledrv.com
googleexplore.net
googlefiledrive.com
googlefileshare.com
googleshare.org
googleupload.info
krypitalvc.com
liveonedrvshare.xyz
microsoftapp.life
msupdatepms.xyz
navicheck.xyz
onedrivecloud.store
onedriveglobal.com
onedrivems.online
onedrivrshares.xyz
onedrvdn.co
onedrvfile.site
ownemail.me
privacyshield.services
provemail.net
secureshares.online
sendspace.buzz
sharedrivegght.xyz
sharegoogldrive.online
sharesdown.xyz
showprice.xyz
uploadsfiles.xyz
wechart.org
armzon.onmypc.org
blackwell.tekstar.us
btcprime.itsaol.com
chromeupdate.publicvm.com
coindeck.onmypc.org
coinnews.onmypc.org
coinomic.itsaol.com
connsec.publicvm.com
ddsvr.itsaol.com
drive.sharegoogldrive.online
drivegoogle.publicvm.com
drivegooogle.publicvm.com
esosv.itemdb.com
europegdprsec.onmypc.org
eusharesrv.onmypc.org
excinfo.itemdb.com
gdrive.onmypc.org
googledrive.dynu.net
googledrive.linkpc.net
googledrive.publicvm.com
googleupdate.publicvm.com
ledgerservice.itsaol.com
matrixpartners.theworkpc.com
mpksl.publicvm.com
mskpupdate.publicvm.com
msupdate.publicvm.com
onedriveupdate.publicvm.com
sevicebill.itemdb.com
termsofservice.onmypc.org
tokenomic.itsaol.com
twosigma.publicvm.com
vpset.onmypc.org
vpsfree.linkpc.net
windrvupdate.kozow.com

# Reference: https://twitter.com/_re_fox/status/1280138335214804995

twosigmateam.info

# Reference: https://twitter.com/_re_fox/status/1298281770597654529

drivegoogles.com

# Reference: https://twitter.com/_re_fox/status/1232320036834025472
# Reference: https://app.any.run/tasks/8d5e66c9-3942-4e00-bfdf-8f2c24054a92/

140.117.91.22:8080
blog.cloudsecure.space

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-12-19-v10199/212

prosec.ink
cloud.prosec.ink
cloudprotect.us.org

# Reference: https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds

autoprotect.com.de
autoprotect.gb.net
azurehosting.co
azureprotect.online
azureprotection.cloud
azuresecurity.online
azuresecurity.site
bankofamerica.offerings.cloud
careers.bankofamerica.nyc
careersbankofamerica.us
cloud.globiscapital.co
cloud.mufg.uk
cloud.tptf.ltd
cloud.wpic.ink
docs.azurehosting.co
globiscapital.co
hoststudio.org
ledgercloud.com
mufg.ink
mufg.uk
mufg.us.org
share.anobaka.info
tptf.fund
unchainedcapital.co
updatezone.org

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-02-09-v10240/306

autoprotect.com.se

# Reference: https://twitter.com/C0ryInTheHous3/status/1630551018084737027

mufg.yokohama

# Reference: https://twitter.com/C0ryInTheHous3/status/1630991590176030738

doc-view.cloud
azure.doc-view.cloud

# Reference: https://twitter.com/C0ryInTheHous3/status/1633897592806408192

daiwa.ventures
cloud.daiwa.ventures

# Reference: https://twitter.com/C0ryInTheHous3/status/1646159776177324044
# Reference: https://twitter.com/C0ryInTheHous3/status/1646161233458999297
# Reference: https://www.virustotal.com/gui/ip-address/104.168.167.88/relations

arbordeck.co.in
shared-document.cloud
spirtblockchain.com
deck.arbordeck.co.in
safe.shared-document.cloud
arborventures.capital
autoupdatecheck.work.gd
companydeck.cloud
companydeck.online
contract-research.blog
contractresearch.blog
crypto.contract-research.blog
crypto.contractresearch.blog
deck.arbordeck.online
docs-send.cloud
docupload.site
file.docupload.site
file.myfirmdocument.cloud
file.myfirmdocument.online
gunosis.global
interalliancemediagroups.cloud
mx.interalliancemediagroups.cloud
myfirmdocument.cloud
myfirmdocument.online
safe.arborventures.capital
safe.gunosis.global
safe.job-description.online
safe.nextera.capital
safe.smart-contracts.blog
securesmtp.interalliancemediagroups.cloud
smtps.interalliancemediagroups.cloud
webhostwatto.work.gd

# Reference: https://storage.pardot.com/838563/1676629189Mljyft19/CTI_Advisory_Undetected_North_Korean_Malware_A_Looming_Threat_to_Finan.pdf

http://104.255.172.56
cloud.azurehosting.co
doc.gdocshare.one
down.espcapital.co
nbright.best
ns1.trytiponlineresult.com
ns2.trytiponlineresult.com
safe.doc-share.pro
safe.doc-share.top
site.siteshare.me
siteshare.me
trytiponlineresult.com

# Reference: https://twitter.com/TLP_R3D/status/1649147042680172571
# Reference: https://www.virustotal.com/gui/ip-address/104.255.172.52/relations

256ventures.us
aidpartners.org
altair-vc.co.uk
altair-vc.com
altair.linkpc.net
deck.altair-vc.co.uk
deck.altair-vc.com
deck.toyota-ai.org
deepcore.v.entures
doc.256ventures.us
docsend.me
down.aidpartners.org
down.protectedviewer.co
inter.gpmtreit.co
partner.deepcore.v.entures
protectedviewer.co
sarahbeery.docsend.me
toyota-ai.org

# Reference: https://twitter.com/C0ryInTheHous3/status/1661076239614918660

docupload.lat
docupload.store
getwebconnection.buzz
last-report.online
latest-report.cloud
deck.latest-report.cloud
file.docupload.lat
file.docupload.store
news.last-report.online
ok.docupload.store

# Reference: https://twitter.com/C0ryInTheHous3/status/1661075436783259649

docupload.bond
els.docupload.bond

# Reference: https://twitter.com/C0ryInTheHous3/status/1661756717355483137
# Reference: https://www.virustotal.com/gui/ip-address/104.168.167.88/relations

dontdie.cfd
getwebconnection.cfd
latest-report.online
file.latest-report.online
sts.interalliancemediagroups.cloud

# Reference: https://twitter.com/TLP_R3D/status/1664980484219084801
# Reference: https://www.virustotal.com/gui/ip-address/172.93.193.219/relations

developcore.org
gdrvcloud.com
app.developcore.org

# Reference: https://twitter.com/C0ryInTheHous3/status/1669422415309418496

downloadfile.icu
getfilefrom.site
getfilefrom.store
interalliancemediagroups.cloud

# Reference: https://twitter.com/TLP_R3D/status/1677617586349981696
# Reference: https://www.virustotal.com/gui/ip-address/192.119.64.43/relations

floriventurescapital.linkpc.net
floriventuresfinance.linkpc.net
floriventuresfund.linkpc.net

# Reference: https://www.virustotal.com/gui/file/0be79614938541a4cd85de1b6103f0fdeb3808aaba5856ba5bbd8ef6976cf8c3/detection

obituary2.redirectme.net
yorst.linkpc.net

# Reference: https://twitter.com/TLP_R3D/status/1685581711139102720
# Reference: https://www.virustotal.com/gui/ip-address/23.254.204.173/relations
# Reference: https://www.virustotal.com/gui/file/8949207761f3d09734aa716da1e6c182425bcde2a95dacb3320085f1fe66069c/detection

espcap.fun
pro-tokyo.top
docsend-cloud.espcap.fun
docsend.com-pro.apple.cloud.line.pm
group.pro-tokyo.top

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-09-05-v10410/921

cryptowave.capital
datasend.fun
internal-meeting.online
video-meet.xyz

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-09-20-v10421/970

tp-globa.xyz
pre.alwayswait.site
doc.apple.com.premienoe.aidl.eonw.line.pm

# Reference: https://twitter.com/TLP_R3D/status/1705211957941240212
# Reference: https://www.virustotal.com/gui/ip-address/172.86.121.198/relations

techopscentral.com

# Reference: https://twitter.com/greglesnewich/status/1717963704828915988

internal-document-he-gr-me.run.place
j-ic.co.internal-document-he-gr-me.run.place

# Reference: https://x.com/StrikeReadyLabs/status/1834588185835286571
# Reference: https://www.virustotal.com/gui/file/5eb788aa33050c19c614a189949fd02ecf22656809f3c8e3ceffab5a0679ae8e/detection

imp-docs.digital
microsoft-rage.world
show-pdf-document.com
uploadfiles.website
uploadmefiles.site
uploadmefiles.space
uploadmefiles.tech
uploadmefiles.xyz
uploadmyfile.space
uploadmyfile.tech

# Reference: https://x.com/LabsSentinel/status/1854550940243702083
# Reference: https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/

analysis.arkinvst.com
ankanimatoka.com
appleaccess.pro
arkinvst.com
caladan.video
calendly.caladan.video
cardiagnostic.net
community.edwardcaputo.shop
community.kevinaraujo.shop
community.selincapital.com
customer-app.xyz
delphidigital.org
doc.solanalab.org
drogueriasanjose.net
edwardcaputo.shop
email.sellinicapital.com
frameworks.ventures
hananetwork.video
happyz.one
huspot.blog
hwsrv-1225327.hostwindsdns.com
info.ankanimatoka.com
info.customer-app.xyz
kevinaraujo.shop
maelstroms.fund
matuaner.com
meet.caladan.video
meet.hananetwork.video
meet.selinicapital.info
meet.sellinicapital.com
meeting.zoom-client.com
mg21.1056.uk
nodnote.com
online.selinicapital.info
online.zoom-client.com
selincapital.com
selinicapital.info
selinicapital.network
sendmailer.org
shh5.baranftw.xyz
solanalab.org
verify.selinicapital.info
xu10.1056.uk
zoom-client.com

# Reference: https://www.virustotal.com/gui/ip-address/45.61.157.78/relations

hanagroup.video
meet.hanagroup.video

# Reference: https://x.com/TLP_R3D/status/1665014879151960065
# Reference: https://www.virustotal.com/gui/file/66916b0dfd9956b4b74640a4feb9459ea7986b056b2cecd361e4402d44a445a1/detection

werfaultserver.com

# Reference: https://x.com/JRehbergCSK/status/1877800515871936822
# Reference: https://x.com/cosmonaut_joon/status/1879435681547858086
# Reference: https://x.com/tayvano_/status/1879611039953924592
# Reference: https://www.virustotal.com/gui/ip-address/216.107.136.11/relations

twosigmavc.capital
twosigmaventures.us
zoom-sdk.com
jobs.twosigmavc.capital
jobs.twosigmaventures.us
meet.twosigmavc.capital
meet.twosigmaventures.us
api.zoom-sdk.com

# Reference: https://x.com/cyberoverdrive/status/1879616942040125648
# Reference: https://www.virustotal.com/gui/ip-address/5.230.44.79/relations

baiduweb.pro
daiwa-v.com
dunamuventures.com
in-zoom.us
mzweb3.fund
playgroundvc.capital
playgroundventures.capital
saisoncapital.net
app.baiduweb.pro
daiwa.in-zoom.us
dunamu.in-zoom.us
meet.baiduweb.pro
meet.daiwa-v.com
meet.dunamuventures.com
meet.mzweb3.fund
meet.playgroundvc.capital
meet.playgroundventures.capital
meet.saisoncapital.net
newtribe.in-zoom.us
updatecheck.v6.rocks

# Reference: https://x.com/birchb0y/status/1935436678602055682
# Reference: https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis

productnews.online
readysafe.xyz
safefor.xyz
safeupload.online
us05web-zoom.biz
us05web-zoom.space
support.us05web-zoom.biz

# Reference: https://x.com/TLP_R3D/status/1935782157454078277
# Reference: https://x.com/TLP_R3D/status/1935782161757749475
# Reference: https://x.com/IstaPee/status/1935788234468213130
# CERT_FINGERPRINT-HOST=f97de120b3067e2a223a15f610d8dc9aea6514f3

autoupdate.online
awaitingfor.online
betterfun.space
check-address.xyz
clearit.sbs
ezqrn.top
flashstore.sbs
image-support.xyz
safefor.xyz
safeup.store
secondshop.online
signsafe.site
signsafe.xyz
tastebuds.buzz
update-assist.org
upload-test.xyz
usecrowdpay.xyz
web3-support.xyz
zerodev.pro
api.betterfun.space
api.clearit.sbs
api.flashstore.sbs
api.zerodev.pro
bots.autoupdate.online
cron-stage.usecrowdpay.xyz
neptune.tastebuds.buzz

# Reference: https://x.com/ValidinLLC/status/1943648048401244489
# Reference: https://www.validin.com/blog/zooming_through_bluenoroff_pivots/
# Reference: https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/
# Reference: https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/bluenoroff-fake-zoom-clickfix/Bluenoroff_Appendix_items.md
# Reference: https://www.virustotal.com/gui/ip-address/147.79.103.251/relations

02usweb.us
05usweb.us
aleslosev.workers.dev
bigbrain.group
bizmeeting.online
bizwebmeet.com
bli.us06we.us
businesstalks.site
cn-zoom.us
communicationhub.vip
datatabletemplate.shop
deliverypost.cloud
dexalot.w03zoom.us
doc-bridge.com
drmariamaly.com
em-oujuit78ytserve.com
em-oujuit78ytserve.net
ftp.uswe05.us
google.xn--80aagm.beauty
kanga.us05we.us
laserdigital.xyz
mail.w06zoom.us
mediazoom.us
meet-client.xyz
meet.drmariamaly.com
meeting-hub.team
meeting-zone.team
meetup-room.online
meetuphub.online
mughalfan.xyz
mylingocoin.com
newfromjune.shop
newfromjune.site
newwebapi.us
nexologin.xyz
online-conference.online
online-conference.pro
online-conference.site
online-conference.store
online-conference.xyz
online-meets.cloud
online-meets.store
onlinemeet.video
parafi.w03zoom.us
parafi.wbzoom.us
piprotocol.w03zoom.us
republicrypto.vc
room-meeting.online
rwa.wbzoom.us
rxamia.com
sdk.w22zoom.us
secure-meeting.cloud
secure-meeting.xyz
sendhosting.pro
sg05web.us
sidezoom.us
singular.w03zoom.us
singulardex.wbzoom.us
support-gmeet.com
support-google.co.im
support-google.co.in
support-google.us
support-google.ws
support-zoom.us
team-meets.cloud
team-meets.online
team-meets.site
team-meets.store
team-meets.xyz
techevent.us
thriddata.com
twosigmacap.com
ukweb08.us
us-playground.vc
us001web.us
us004web.us
us02web-zoom.com
us02www-zoom.us
us03web-zoom.cc
us03web-zoom.com
us03www-zoom.us
us04wezoom.us
us05-zoom.com
us05-zoom.uk
us05biz-zoom.us
us05we.us
us05web-zoom.click
us05web-zoom.cloud
us05web-zoom.forum
us05web-zoom.info
us05web-zoom.ink
us05web-zoom.pro
us05web-zoom.site
us05web-zoom.store
us05web-zoom.uk
us05web-zoom.xyz
us05www-zoom.us
us05zoom.com
us05zoom.us.com
us06we.us
us06web-zoom.cc
us06web-zoom.xyz
us07web-zoom.cc
us50webzoom.us
uswe01.us
uswe03.us
uswe04.us
uswe05.us
uswe06.us
uswe07.us
uswe08.us
uswe20.us
usweb0.us
usweb005.us
usweb01.us
usweb04.com
usweb08.us
usweb09.us
venture-meeting.online
video-conference.cloud
video-conference.pro
video-conference.site
video-conference.store
video-conference.xyz
video-meeting.store
videotalks.xyz
vipocapital.com
w03zoom.us
w06zoom.us
w07zoom.us
w12zoom.us
w21zoom.us
w22zoom.us
w41zoom.us
wbzoom.us
web01zoom.com
web02zoom.us
web031zoom.us
web041zoom.us
web06zoom.us
web071zoom.us
web082zoom.us
web091zoom.us
web21zoom.us
web3fund.us
webmeetapi.us
webmeetoffice.us
webus04.us
webus05.us
xn--80aagm.beauty
zm-meeting.com
zoom-support.com
zoom-tech.us
zoom.02usweb.us
zoom.05usweb.us
zoom.us05we.us
zoom.uswe04.us
zoom.uswe05.us
zoom.uswe06.us
zoom.uswe07.us
zoom.uswe08.us
zoom.uswe20.us
zoom.usweb0.us
zoom.usweb04.com
zoom.webus04.us
zoomweb.uswe05.us
app.republicrypto.vc

# Reference: https://app.validin.com/lookalikes?lookback=90&depth=2&find=%2Fus%5B0-9%5D%7B2%7D%5Ba-z%5D%7B3%7D-zoom%5C.%5Ba-z%5D%7B2%2C5%7D%2F (# 2025-06-20)

us00web-zoom.us
us01web-zoom.cloud
us01web-zoom.com
us01web-zoom.info
us01web-zoom.org
us01web-zoom.site
us01web-zoom.store
us01web-zoom.xyz
us02biz-zoom.us
us02cam-zoom.us
us02web-zoom.info
us02web-zoom.live
us02web-zoom.org
us02web-zoom.xyz
us03biz-zoom.us
us03web-zoom.biz
us03web-zoom.info
us03web-zoom.org
us03web-zoom.site
us03web-zoom.store
us03web-zoom.top
us03web-zoom.xyz
us04web-zoom.info
us04web-zoom.live
us04web-zoom.org
us04web-zoom.xyz
us04www-zoom.us
us05ad-zoom.us
us05cc-zoom.us
us05pro-zoom.us
us05vip-zoom.us
us05web-zoom.cc
us05web-zoom.fun
us05web-zoom.guru
us05web-zoom.help
us05web-zoom.live
us05web-zoom.org
us05web-zoom.top
us05web-zoom.watch
us05web-zoom.work
us06web-zoom.info
us06web-zoom.live
us06web-zoom.org
us06web-zoom.space
us06www-zoom.us
us07biz-zoom.us
us07web-zoom.biz
us07web-zoom.com
us07web-zoom.live
us08web-zoom.cc
us08web-zoom.online
us08www-zoom.us
us09web-zoom.live
us09www-zoom.us
us12web-zoom.us
us17web-zoom.us

# Reference: https://github.com/hagezi/dns-blocklists/issues/6545

cdnkit.io
static.cdnkit.io

# Reference: https://fieldeffect.com/blog/zoom-doom-bluenoroff-call-opens-the-door
# Reference: https://www.virustotal.com/gui/ip-address/191.96.235.88/relations
# CERT_FINGERPRINT_SHA256-HOST=6128c3fe2552369180528284d7d0b8cf1bf39c7bfbe8c7a4c7198c43921c56fd

ajayplamingo.com
app-wechat.xyz
bluewhale7.xyz
bluyy.com
devlab.locker
doc-secure.it.com
doc-secure.me
hanaconference.xyz
honavolae.xyz
pacificyouth.club
rentyourmac.xyz
securetech.fun

# Reference: https://x.com/ValidinLLC/status/1937089880439329047
# Reference: https://app.validin.com/detail?type=hash&find=23c501daff7991f82a93d94a4f14bd68fb5f61d9#tab=host_pairs (# 2025-06-23)

join-meets.com
suweb05.us
us01web.com
us07office.us
us007web.us
web08zoom.us
refogevc.web08zoom.us
reforgevc.web08zoom.us
silver.web08zoom.us
zoom.join-meets.com
zoom.suweb05.us
zoom.us01web.com
zoom.us07office.us
zoom.us007web.us

# Reference: https://app.validin.com/detail?find=One%20platform%20to%20connect%20%7C%20Zoom&type=raw&ref_id=ea83c6e2c8d#tab=host_pairs

us4web.us
usweb5.us
zoom.us4web.us

# Reference: https://x.com/AlvieriD/status/1938253401868976404

us05-zoom.forum
us05-zoom.us
us06-zoom.forum
us06-zoom.uk
us06-zoom.us
us06www-zoom.com

# Reference: https://darkatlas.io/blog/bluenoroff-apt38-live-infrastructure-hunting

gost.run
nicrft.site
socialsuport.com

# Reference: https://huntability.tech/threat-note-2025-04-23-nk-zoom/
# Reference: https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/

dataupload.store
us06web-zoom.online
writeup.live
gumi-cryptos.us05web-zoom.pro
support.us05web-zoom.cloud
support.us05web-zoom.forum
support.us05web-zoom.pro
support.us06web-zoom.online

# Reference: https://app.validin.com/detail?find=%3A%3A%22twitter%3Asite%22%3A%3A%22%40zoom%22&type=raw&ref_id=1a212fb7b37#tab=host_pairs (# 2025-07-07)

us05webzoom.link

# Reference: https://www.validin.com/blog/pivots_revisited/#bluenoroff
# CERT_FINGERPRINT_SHA256-HOST=b54b7c159ce837348aee9ead3a81a47980188302c4e1e8c0558cd9a68fd424b7

app.thorwsap.finance
remoteorder.shop
teams-meet.us
thorwsap.finance
us004zoom.com
us005zoom.com
us04web.com
web3insider.forum
web3journal.io
web3journal.xyz
web3signal.xyz
webthreefinance.club
whisperroom.forum
ww1.us04web.com
ww12.web3journal.io

# Reference: https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/

awaitingfor.site
chkactive.online
chkstate.online
cloud-server.store
datatabletemplate.xyz
face-online.world
file-server.store
filedrive.online
flashserve.store
real-update.xyz
secondshop.store
security-update.xyz
systemupdate.cloud
urgent-update.cloud
check.datatabletemplate.shop
download.datatabletemplate.xyz
download.face-online.world
root.chkstate.online
root.security-update.xyz
second.awaitingfor.online
second.systemupdate.cloud

# Reference: https://x.com/moonlock_lab/status/1996304740410347890
# Reference: https://x.com/moonlock_lab/status/1996305744598110500
# Reference: https://www.virustotal.com/gui/ip-address/192.64.119.54/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.254.226.83/relations
# Reference: https://www.virustotal.com/gui/file/9135fb9e74bdb39828bfecf7919430062ce482a523999bd7ff1a368038f32371/detection
# Reference: https://www.virustotal.com/gui/file/14aba88b5f87ab9415bbca855d24abc3f151b819302930897e71e2626e823271/detection
# Reference: https://www.virustotal.com/gui/file/81c4ce82fe26e333a46e8a3d876e35b39725bda0a47f9c37ffc956d37da2d8fa/detection

ms-live.com
ms-meet.live
onedrive.ms-live.com
suport.ms-live.com
support.ms-live.com
support.ms-meet.live
team-live.us.com
teams-live.cn.com
teams-live.us.com
teams.ms-meet.live

# Reference: https://app.validin.com/detail?find=One%20platform%20to%20connect%20%7C%20Zoom&type=raw&ref_id=da1dd79bcfb&os.sortcol=3&res.sortcol=4&res.headers_a=Key&res.headers_a=Type&res.headers_a=Value&res.headers_a=First+Seen&res.headers_a=Last+Seen&atr.sortcol=4&sub.sortcol=0&dns.sortcol=4&dns.headers_a=Key&dns.headers_a=Type&dns.headers_a=Value&dns.headers_a=First+Seen&dns.headers_a=Last+Seen&hp.pagesize=1000&hp.filters.Value.text_search.prefix_match=&hp.filters.Value.text_search.suffix_match=%21.zoom.us%2C%21.zoom.com&hp.filters.Value.text_search.contains=&hp.filters.Type.types.Type_a=TITLE-HOST&hr.sortcol=5&hr.headers_a=Host%2FIP&hr.headers_a=Port&hr.headers_a=Response%2FPath&hr.headers_a=Bytes+Received&hr.headers_a=Title&hr.headers_a=Response+Date&crts.sortcol=4&rdap.sortcol=2&rdap.headers_a=Domain&rdap.headers_a=Registrar&rdap.headers_a=Registered&rdap.headers_a=Expires&rdap.headers_a=Changed&rdap.headers_a=Updated&rdap.headers_a=Count#tab=host_pairs

a.mylkc.cloudns.ch
admin.unitpowergeneration.top
algozzoom.us006web.us
apizoom.myfanshu.com
bigbrain.w04zoom.us
bli.us02we.us
blockstreet.w02zoom.us
blockstreet.w04zoom.us
blockstreet.w05zoom.us
carriebrigham-c.com
craftiq.cloud
defactor.us002web.us
dg01web.zoomconnector.com
drainer.bot
edgetunnel.leungkc.eu.org
gosats.us02we.us
goweb.zoomconnector.com
httpscalm-morning-viber.comhmirihansa909workersdev.workers.dev
johnmichaelsesay.com
meet.w02zoom.us
ortjc.com
periqi.com
reforge.w02zoom.us
reforge.web099zoom.us
solana.w05zoom.us
solayer.us002web.us
teams-live-meet.carriebrigham-c.com
thanhthienai.com
unitpowergeneration.top
us002web.us
us005office.us
us006web.us
us02we.us
us02web.zoomconnector.com
us04web.buszoom.us
us05web.buszoom.us
us05web.us
us06web.zoomconnector.com
us07web.zoomconnector.com
vless.goowen-f5e.workers.dev
vps-7880c010.vps.ovh.ca
w02zoom.us
w04zoom.us
w05zoom.us
web099zoom.us
wesco-distributors.com
zoom-meet-live.carriebrigham-c.com
zoom-ru.github.io
zoom.us002web.us
zoom.us005office.us
zoom.us006web.us
zoom.us02we.us
zoom.us05web.us
zoommeetplace.com
zoomus05web.com
zoonn-platform.com

# Reference: https://x.com/malwrhunterteam/status/1992990780521124298
# Reference: https://x.com/malwrhunterteam/status/1992991375604781075
# Reference: https://www.virustotal.com/gui/file/9135fb9e74bdb39828bfecf7919430062ce482a523999bd7ff1a368038f32371/detection
# Reference: https://www.virustotal.com/gui/file/ed705e5bab5da0f62ddfca9eb3e91ade284355ced3ed0efb366d7c3b892065c6/detection
# BANNER_0_HASH-HOST=bba099c3a38d5bbb3a9b2ac33df96378
# BANNER_0_HASH-HOST=5f74213fa2ae405340d089d1d49adf4f
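# Regex=/^u[a-z]{1}[0-9]+webzoom\.us$/
# Note: the regex above is a hunting pivot, not a complete signature - listed entries such as us004zoom.us, usa01webzoom.us and uso1webzoom.us do not match it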

ms-live.us
ms-live.xyz
quick-meeting.online
teams-live.biz
teams-live.org
teams-live.us
teams-meet.us
uc04webzoom.us
uc05webzoom.us
uc07webzoom.us
ue01webzoom.us
ue03webzoom.us
ue04webzoom.us
ue05webzoom.us
ue06webzoom.us
ue07webzoom.us
ue08webzoom.us
ue09webzoom.us
uk01webzoom.us
uk02webzoom.us
uk03webzoom.us
uk04webzoom.us
uk05webzoom.us
uk06webzoom.us
uk07webzoom.us
um05webzoom.us
um06webzoom.us
ur05webzoom.us
us004zoom.us
us005zoom.us
us10webzoom.us
us11webzoom.us
us12webzoom.us
us13webzoom.us
us14webzoom.us
us15webzoom.us
us17webzoom.us
us19webzoom.us
us21webzoom.us
us24webzoom.us
us25webzoom.us
us26webzoom.us
us60webzoom.us
uz01webzoom.us
uz02webzoom.us
uz04webzoom.us
uz05webzoom.us
uz06webzoom.us
uz07webzoom.us
e.ms-live.xyz
m.ms-live.xyz
support.ms-live.us
support.teams-live.org
support.teams-live.us

# Reference: https://github.com/motuariki/IOCs/blob/main/DPRK%20Tracking/04-12-2025-DPRK-Fake-Meeting-Infrastructure

163.5.254.70:3000
ua02webzoom.us
ua05webzoom.us
uc02webzoom.us
ue02webzoom.us
um02webzoom.us
um04webzoom.us
un02webzoom.us
un04webzoom.us
us27webzoom.us
us28webzoom.us
us45webzoom.us
us51webzoom.us
us53webzoom.us
ux02webzoom.us
ux04webzoom.us
ux05webzoom.us
webus06.us

# Reference: https://x.com/L0Psec/status/2014100649391137165
# Reference: https://x.com/moonlock_lab/status/2015857322963173657
# Reference: https://www.virustotal.com/gui/file/755cc133ae0519accbcfdd5f8f0d9fe1aa08cbcb306c3e5f29ebcb6ac12d9323/detection
# Reference: https://www.virustotal.com/gui/file/9a778d2b7919717e95072e4dec01c815a5fd81f574b538107652d73d8dc874b6/detection
# Reference: https://www.virustotal.com/gui/file/2fbd34eed9dbf57a44cf1540941fb43a793be27e13e937299167b2b67cb84d6b/detection

us05-web.us
us07-web.us
zoom.us05-web.us
zoom.us07-web.us

# Reference: https://x.com/TMJ0x/status/2014582284125421571
# Reference: https://www.virustotal.com/gui/ip-address/188.227.196.252/relations
# Reference: https://www.virustotal.com/gui/ip-address/188.227.197.32/relations
# BANNER_0_HASH-HOST=541252a80826f8810f1fb1731ced441f
# BANNER_0_HASH-HOST=d3356a876018882ecc05833bceb5fc68

ca05web.com
ua03webzoom.us
ua04webzoom.us
ua06webzoom.us
uc01webzoom.us
uc03webzoom.us
uc06webzoom.us
ui01webzoom.us
ui02webzoom.us
ui03webzoom.us
ui04webzoom.us
ui05webzoom.us
ui06webzoom.us
ui07webzoom.us
um03webzoom.us
un01webzoom.us
un03webzoom.us
un05webzoom.us
un06webzoom.us
uo01webzoom.us
uo02webzoom.us
uo03webzoom.us
uo04webzoom.us
uo05webzoom.us
uo06webzoom.us
uq01webzoom.us
uq02webzoom.us
uq03webzoom.us
uq05webzoom.us
uq06webzoom.us
uq08webzoom.us
ur01webzoom.us
ur02webzoom.us
ur03webzoom.us
ur04webzoom.us
ur06webzoom.us
us005webzoom.us
us01webzoom.us
us02webs.us
us02webzoom.us
us04webs.us
us04webzoom.us
us05webs.com
us05webzoom.us
us06webs.us
us06webzoom.us
us07webs.us
us07webzoom.us
us08webs.us
us09webzoom.us
us15web.com
us15webs.us
us16webzoom.us
us22webzoom.us
us25webs.us
us29webzoom.us
us30webzoom.us
us31webzoom.us
us41webzoom.us
us52webzoom.us
us54webzoom.us
us55web.com
us57webzoom.us
us72webzoom.us
us81webzoom.us
us95webs.us
usa01webzoom.us
usa02webzoom.us
usa05webzoom.us
uso1webzoom.us
uso3webzoom.us
uso7webzoom.us
ut01webzoom.us
ut02webzoom.us
ut03webzoom.us
ut04webzoom.us
ut05webzoom.us
ut06webzoom.us
uu01webzoom.us
uu02webzoom.us
uu03webzoom.us
uv01webzoom.us
uv02webzoom.us
uv03webzoom.us
uv04webzoom.us
uv05webzoom.us
uv06webzoom.us
uv07webzoom.us
uw01webzoom.us
uw02webzoom.us
uw03webzoom.us
uw04webzoom.us
uw05webzoom.us
uw06webzoom.us
ux01webzoom.us
ux03webzoom.us
ux06webzoom.us
uy01webzoom.us
uy02webzoom.us
uy04webzoom.us
uz03webzoom.us
zoom.ca05web.com
zoom.ua03webzoom.us
zoom.ua04webzoom.us
zoom.ua06webzoom.us
zoom.uc01webzoom.us
zoom.uc03webzoom.us
zoom.uc06webzoom.us
zoom.ui01webzoom.us
zoom.ui02webzoom.us
zoom.ui03webzoom.us
zoom.ui04webzoom.us
zoom.ui05webzoom.us
zoom.ui06webzoom.us
zoom.ui07webzoom.us
zoom.um03webzoom.us
zoom.un01webzoom.us
zoom.un03webzoom.us
zoom.un05webzoom.us
zoom.un06webzoom.us
zoom.uo01webzoom.us
zoom.uo02webzoom.us
zoom.uo03webzoom.us
zoom.uo04webzoom.us
zoom.uo05webzoom.us
zoom.uo06webzoom.us
zoom.uq01webzoom.us
zoom.uq02webzoom.us
zoom.uq03webzoom.us
zoom.uq05webzoom.us
zoom.uq06webzoom.us
zoom.uq08webzoom.us
zoom.ur01webzoom.us
zoom.ur02webzoom.us
zoom.ur03webzoom.us
zoom.ur04webzoom.us
zoom.ur06webzoom.us
zoom.us005webzoom.us
zoom.us01webzoom.us
zoom.us02webs.us
zoom.us02webzoom.us
zoom.us04webs.us
zoom.us04webzoom.us
zoom.us05webs.com
zoom.us05webzoom.us
zoom.us06webs.us
zoom.us06webzoom.us
zoom.us07webs.us
zoom.us07webzoom.us
zoom.us08webs.us
zoom.us09webzoom.us
zoom.us15web.com
zoom.us15webs.us
zoom.us16webzoom.us
zoom.us22webzoom.us
zoom.us25webs.us
zoom.us29webzoom.us
zoom.us30webzoom.us
zoom.us31webzoom.us
zoom.us41webzoom.us
zoom.us52webzoom.us
zoom.us54webzoom.us
zoom.us55web.com
zoom.us57webzoom.us
zoom.us72webzoom.us
zoom.us81webzoom.us
zoom.us95webs.us
zoom.usa01webzoom.us
zoom.usa02webzoom.us
zoom.usa05webzoom.us
zoom.uso1webzoom.us
zoom.uso3webzoom.us
zoom.uso7webzoom.us
zoom.ut01webzoom.us
zoom.ut02webzoom.us
zoom.ut03webzoom.us
zoom.ut04webzoom.us
zoom.ut05webzoom.us
zoom.ut06webzoom.us
zoom.uu01webzoom.us
zoom.uu02webzoom.us
zoom.uu03webzoom.us
zoom.uv01webzoom.us
zoom.uv02webzoom.us
zoom.uv03webzoom.us
zoom.uv04webzoom.us
zoom.uv05webzoom.us
zoom.uv06webzoom.us
zoom.uv07webzoom.us
zoom.uw01webzoom.us
zoom.uw02webzoom.us
zoom.uw03webzoom.us
zoom.uw04webzoom.us
zoom.uw05webzoom.us
zoom.uw06webzoom.us
zoom.ux01webzoom.us
zoom.ux03webzoom.us
zoom.ux06webzoom.us
zoom.uy01webzoom.us
zoom.uy02webzoom.us
zoom.uy04webzoom.us
zoom.uz03webzoom.us

# Reference: https://x.com/malwrhunterteam/status/2014611676042039493
# Reference: https://x.com/L0Psec/status/2014695975789691342
# Reference: https://x.com/L0Psec/status/2019773636647768330
# Reference: https://www.virustotal.com/gui/file/952d0a1bf4a8e474ad043258e238d47753a5bb8ca138ed79d11e4cbd555d5fec/detection
# Reference: https://www.virustotal.com/gui/file/3e4d35903c51db3da8d4bd77491b5c181b7361aaf152609d03a1e2bb86faee43/detection
# CERT_FINGERPRINT_SHA256-HOST=fc0d4e11862dd6717c32702f3ab93ba4ffd4ebc834dc082e2b316bff5d737d98
# CERT_FINGERPRINT_SHA256-HOST=959ee6a371ada69cc098d008ce667d3effe2729838b48507f558d54ecfdd05d7

prvservice.com
sevrrhst.com
stomcs.com
tattomc.com

# Reference: https://x.com/JohnHultquist/status/2020952923082195374
# Reference: https://x.com/silentpush/status/2021453755808731140
# Reference: https://www.virustotal.com/gui/ip-address/134.45.83.95/relations
# Reference: https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering?e=48754805

breakdream.com
build-dream.com
cmailer.pro
dreamdie.com
sendbrevo.com
supportzm.com
zmsupport.com

# Reference: https://x.com/L0Psec/status/2034379795635548484
# Reference: https://www.virustotal.com/gui/file/61b56c8c2df374861c8b23e6c555456f34e17e5638ea9965f721c3ffe77f57ca/detection
# Reference: https://www.virustotal.com/gui/file/9526d8b337a176a76d960867b281bba06310e3ef58056904591c510e51d90839/detection

ecoferros.com/wp-content/plugins/elementor/core/page-assets/captcha/controller.php

# Reference: https://x.com/L0Psec/status/2036815031283671284
# Reference: https://www.virustotal.com/gui/file/02fdd3fd9d8f70ab1c3796617296bec8e2b7e3796fd2e2c220ddaa8625081230/detection
# Reference: https://www.virustotal.com/gui/file/7d2c8ccbbb60dc340811b641abfe2cda4e7e9fc5a4eca1c703d07b86bc1263ba/detection

calltan.com

# Reference: https://x.com/Cyberteam008/status/2040979630480638398
# Reference: https://x.com/Merlax_/status/2044597897853825158

06ukweb.uk
06usweb.us
07usweb.site
account-googlemeet.com
bycomsender.publicvm.com
ccx.capital
chaincapx.com
chainverve.com
coinairbit.com
config-update.online
config-update.site
databox.linkpc.net
databoxes.linkpc.net
ddrive.publicvm.com
drivebox.publicvm.com
driveboxitem.publicvm.com
g-call.net
g-call.net.wildnextcard.com
gassist.publicvm.com
gassists.run.place
gdrive.sharemailcontents.com
gdriveemail.publicvm.com
gdriveshare.publicvm.com
gmeet-private.com
gmeet1.xyz
goog1e.us-meet.com
googe-video-call.xyz
googie.us-gmeet.com
googie.us-meet.com
google-meet-live.com
google-meet.joins-video-call.com
google-meet.video-call-now.live
google-meeting.com
google-meets-view.7-vs.com
google-meets.2mydns.net
google.meet21web.com
googlemeet-account.com
googlemeett.com
gooqle-meet-live.my.id
gooqle-meet-lives.f-a1.com
gooqle-meet-lives.my.id
gooqle-meet-lives.s-41.com
gooqle-meet-online.com
gooqle-meet-online.com.wildnextcard.com
gooqle-meet.my.id
gooqle-view.com
invite-meet-call.com
invite-meet-call.com.wildnextcard.com
joins-video-call.com
live-call.net
live-call.net.wildnextcard.com
live-video-call.me
live-video-call.me.panelize.cloud
livemeetgooogle.com
lodashmap.online
managedoc.us
meejgoogle.com
meelgoogle.com
meet-call.com
meet-call.com.wildnextcard.com
meet-googie.com
meet-google.app
meet-google.me
meet-google.me.myprocloud.online
meet-google.me.proxnginx.com
meet-google.ru
meet-live.me
meet-live.me.wildnextcard.com
meet-qoogle.com
meet-video-call.com
meet-video-chat.online
meet-video-chat.online.wildnextcard.com
meet.coinairbit.com
meet.gmeet1.xyz
meet.gooqle-view.com
meet.play-goog1es.com
meet.video-livechat.com
meet21web.com
meetgoogje.com
meetgooglc.com
meeting-chat.com
meetingnow-goo-gle.com
meets-qoogle.com
meettgoogle.com
minhhieu.xyz
mymeetgoogle.com
mymeetgooogle.com
mymeetinglive.com
mymeetingnow.com
mymeetingtoday.com
mymeetlive.com
node.minhhieu.xyz
play-goog1es.com
sendcontents.linkpc.net
sharemailcontents.publicvm.com
solidbitcapital.xyz
tele-app.minhhieu.xyz
usdxchange.org
video-call-now.live
video-call.0-1h.com
video-chat-live.one
video-chat-live.online
video-chat-live.online.devto.cloud
video-livechat.com
videocall.bloomup.app
w3bitcapital.com
walleyecapital.org
walleyecapital.xyz
walleyevc.capital
zoom.06ukweb.uk
zoom.06usweb.us
zoom.07usweb.site

# Reference: https://x.com/_SEAL_Org/status/2040974920973197511
# Reference: https://x.com/_SEAL_Org/status/2041289021503005128

microscell.com
onlivemeet.com
uk05live.us
teams.microscell.com
teams.onlivemeet.com

# Reference: https://x.com/_SEAL_Org/status/2041673724764569896
# Reference: https://www.virustotal.com/gui/ip-address/83.136.210.87/relations

32.ww-live.online
3f.teams-meet.xyz
5q.ms-meets.online
live-us.com
micrusoft.us
ms-meets.online
ms-teams.live
ms-teams.us.com
rd.ww-live.uk
teams-live.com.co
teams-meet.online
teams-meet.us.com
teams-meet.xyz
tu.live-us.com
ww-live.com
ww-live.online
ww-live.uk

# Reference: https://radar.securityalliance.org/advisory-on-dprk-unc1069-fake-microsoft-teams-and-zoom-calls/

annaelsa.xyz
callshere.com
dencall.xyz
inmsed.com
join-uk.com
lievec.com
liivoe.com
linelive.us
liue.us
liues.us
liuesus.com
liueus.com
live-meet.online
livehuddle01.us
livescall.us
livescall.xyz
livesmeet.us
livesmeets.us
micrlive.online
microb.click
microc.click
microca11.com
microcal1.com
microcall.us
microcodf.com
microcoll.com
microe.click
microg.click
microh.click
microi.click
micromeet.us
microp.click
micror.click
microsall.com
microscalls.com
microschats.com
microsdb.com
microselt.com
microshen.com
microshlop.com
microsinfos.com
microsmeet.com
microsomeet.com
microsout.com
microsslcheck.com
microszlt.com
microt.click
micstmeet.com
ms-live.site
ms-live.team
ms-meet.xyz
ms-meeting.us
ms-meets.us.com
ms-meets.xyz
ms-teams.xyz
mslivecall.com
mslivecall.us
mslivemeet.com
msmeet.us
msquickcall.com
msteamcall.com
nicrosofm.com
nicrosolf.com
nicrosolt.com
nisrosodf.com
olafsven.xyz
oneasu.com
onlivecall.com
onmsed.com
onreallive.com
os-live.com
os-live.online
os-live.us
os-live.xyz
outms.com
premuims.live
reallivecall.us
renaworkshard.xyz
teams-us.live
teamsiiwe.com
teamslivc.com
teamsliveo.com
teamslivex.com
teamslivos.com
teamslivs.com
teamsliwe.com
teamsync.live
teemsliivc.com
teemslive.com
teemslivo.com
uae04webzoom.us
uc01web.us
uc02web.us
uc02websoom.us
uc03web.us
uc04web.us
uc05websoom.us
uc06web.us
uco4webzoom.us
uco5webzoom.us
uco6webzoom.us
ucweb05.us
ue01web.us
ue02web.us
ue03web.us
ue04web.us
ue06web.us
ueo4webzoom.us
un01web.us
uo01web.us
uo05web.us
us02websoom.us
us03live.com
us03websoom.us
us03webuoom.us
us05web.site
us05websoom.us
us05webszoom.us
us05webxoom.us
us06websoom.us
us07web.me
us0lwebzoom.us
usa04webzoom.us
usa06webzoom.us
use05webzoom.us
uso04webzoom.us
uso05webzoom.us
uso06webzoom.us
uso4web.us
usobweb.us
usweb0b.us
usweb0l.us
uswebob.com
uswebob.us
ux01web.us
ux02web.us
ux03web.us
uz01web.us
uz03web.us
web-meet.live
web-zoom.uk
web05us.online
web22n.us
ww-live.us
ww-live.xyz
www-live.us
www-live.xyz

# Reference: https://x.com/_SEAL_Org/status/2041926956183076951

live05ms.us
miscruft.us

# Reference: https://www.validin.com/blog/i_cant_hear_you_unc1069/

109.248.163.127:3000
139.150.73.123:3000
38.110.228.52:3000
45.61.129.29:3000
45.61.157.248:3000
59.152.103.205:3000
02euweb.us
02room.us
02web-zoom.us
02webzoom.us
05meet.us
05uk.us
05ukweb.uk
05usweb.zoom.meet-05.sbs
05web.us
05webus.meet.05uk.us
07-web.us
07web.zoom.uk07.pro
07webus.zoom.us07.sbs
app.zm-web.uno
cdsx.capital
dengmt.us
dentmt.us
eu.web02meet.com
godlike-visit.online
gogoschip.online
google.us-meet.com
inteams.us
meet-05.sbs
meet-app.cc
meet-web.us
meet-web3.eu
meet.05uk.us
meet.app.zm-web.uno
meet05.sbs
meetingapp.us
megabitcapital.com
microsmeet.xyz
premium-business.live
teams.web-lives.com
teamsupport.live
uk07.pro
uk07.us
update-teams.live
us-meet.com
us.web02meet.com
us02.us
us02web.zoom.us02.us
us03.meet-web.us
us03.zoom.meet-web.us
us05.sbs
us05.us
us05.web.meet05.sbs
us05.zoom.web04.us
us05web.zoom.us05.us
us05zoom.meet-web3.eu
us07.sbs
us07zoom.meetingapp.us
usweb.02room.us
usweb.05meet.us
usweb.07-web.us
usweb.zoom.us05.sbs
usweb05.us
walleyeventure.xyz
web-lives.com
web.meet05.sbs
web02meet.com
web02teams.com
web04.us
web04meet.top
web04zoom.us
web05meet.us
web07.premium-business.live
web07.zoom.meet-app.cc
web07us.uk07.us
web07zoom.us
web12teams.com
web21zoom.com
web2meet.net
web3meet.live
web3meet.xyz
web3zoom.xyz
web71meet.shop
web86meet.shop
weventure.capital
zm-web.uno
zoom-web07.meet-app.cc
zoom.02euweb.us
zoom.05ukweb.uk
zoom.05web.us
zoom.meet-05.sbs
zoom.meet-app.cc
zoom.meet-web.us
zoom.uk07.pro
zoom.us02.us
zoom.us05.sbs
zoom.us05.us
zoom.us07.sbs
zoom.usweb.05meet.us
zoom.web02meet.com
zoom.web04.us
zoom.web05meet.us
zoom.web07.premium-business.live

# Reference: https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/

104.145.210.107:6783
83.136.208.246:6783
83.136.208.48:443
83.136.209.22:8444
83.136.210.180:5202
check02id.com

# Reference: https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/

http://172.86.91.195
144.172.114.220:443
172.86.91.195:443
livemicrosft.com

# Reference: https://x.com/L0Psec/status/2052143672204906568
# Reference: https://www.virustotal.com/gui/file/d235741256f05ad8ceb44c469f4471f17c6a669dbf192e9ccf8d11d99a6800ef/detection

woodcastpro.com
