# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: crypt ghouls, excobalt, shedding zmiy, facefish, hanthie

# Reference: https://x.com/RexorVc0/status/1798967613785354530
# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/ex-cobalt-go-red-tehnika-skrytogo-tunnelya/

lib.rest
rosm.pro
rpm-bin.link
setup.mom
upd-rkn.net
amd64.rpm-bin.link
base.upd-rkn.net
bot.upd-rkn.net
chifa.rpm-bin.link
ci.rpm-bin.link
ci.upd-rkn.net
collect.net.in
get.rpm-bin.link
get.setup.mom
get.upd-rk.net
get.upd-rkn.net
leo.rpm-bin.link
lib.rpm-bin.link
mtp.upd-rk.net
mtp.upd-rkn.net
narwhal.rpm-bin.link
ops.rpm-bin.link
pkg.collect.net.in
rhl.rpm-bin.link
rls.upd-rkn.net
source.rpm-bin.link
src.setup.mom
sula.rpm-bin.link
trust.setup.mom
unicorn.rpm-bin.link
wired.setup.mom

# Reference: https://rt-solar.ru/solar-4rays/blog/4333/ (# shedding zmiy)
# Reference: https://www.virustotal.com/gui/file/c50bd9865ed65a9c298768f245d8eaff1baa410735ff5673a73d1411c425b7c6/detection

0bitcoins.com
avptp.com
backconnect.org
eu-debian.com
netstaticpoints.com
onexboxlive.com
stoloto.ai
techcname.com
wsdjcvfv.com

# Reference: https://x.com/malwrhunterteam/status/2044397336231624992
# Reference: https://x.com/smica83/status/2044398324132774027
# Reference: https://www.virustotal.com/gui/file/9b6140ae326a631302c76e07fca48dec99a8de4fa6a4b6b5fbfc55c20f74d44d/detection
# Reference: https://www.virustotal.com/gui/file/c627a70688b0f6e7c9951a9777c67f31a391f245c60bc7bfcbf0fbad963af63d/detection

kernelupdate.net

# Reference: https://blog.netlab.360.com/ssh_stealer_facefish_en/
# Reference: https://otx.alienvault.com/pulse/60b0b9c71621a0149fd3bc07
# Reference: https://www.virustotal.com/gui/file/c787e57a8077f0df838ae416cbf6dd38ecc670e532c3369bff2ef571cd94d36e/detection
# Reference: https://www.virustotal.com/gui/file/ab9cc4ee82aa6f57ba2a113aab905c33e278c969399db4188d0ea5942ad3bb7d/detection

http://176.111.174.26
176.111.174.26:443

# Reference: https://x.com/malwrhunterteam/status/1819483285330055491
# Reference: https://www.virustotal.com/gui/file/38720d0fd54cdb0e1224b5df4ea052f1303a1b0f17d971e1737f8acd8f6a2ae5/detection

91.92.250.69:443
humsters-db-dc001.ru

# Generic (URL path indicators rather than hosts)

/76523y4gjhasd6/
/sshins
