# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: santa stealer, nwhstealer

# Reference: https://x.com/solostalking/status/2000789219300794612
# Reference: https://x.com/volrant136/status/2001352399458652194
# Reference: https://www.rapid7.com/blog/post/tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums/
# Reference: https://www.virustotal.com/gui/file/0137e78cb20494b575089f0429ba0d101a86a64be48ef59e8720b2a19fc6a0d0/detection
# Reference: https://www.virustotal.com/gui/file/0f41e0bcf56804e9e6d8fb99c858de119594f9d96c2eac5e4c2701b1ba20e548/detection
# Reference: https://www.virustotal.com/gui/file/1a063d0f7ee5f3162f834b8a484f6249ad11165ed5892f451aec9c64038df597/detection
# Reference: https://www.virustotal.com/gui/file/26c3abc8bf32ff0f548adfa3c5fdf430c9bf061865512b83c4559553e668766c/detection
# TITLE-HOP/IP=SantaStealer | PANEL
# NOTE(review): this group mixes three trail forms: bare http:// URLs, IP:port pairs and hostnames.
# All four IP:port trails use port 6767; 31.57.38.244 and 80.76.49.228 are listed both as URL and as IP:port.
# NOTE(review): asgqt215af.anondns.net, fash2fa.kozow.com and neomagic.kei.pl appear to be hosts under
# third-party DNS/hosting zones - keep the full hostname and do not widen to the parent zone (confirm before editing).

http://31.57.38.244
http://80.76.49.228
31.57.38.119:6767
31.57.38.244:6767
80.76.49.114:6767
80.76.49.228:6767
stealer.su
asgqt215af.anondns.net
fash2fa.kozow.com
neomagic.kei.pl

# Reference: https://x.com/smica83/status/2026611259701948689
# Reference: https://www.virustotal.com/gui/file/f65b4f2c1eb104b54eecf17d0d838c8e7409844e2424fc93ddd6b5ea9ac7cdcd/detection
# Reference: https://www.virustotal.com/gui/file/ce10e9341a83d1e651b87af013e2a948b5e1abe98f27ffc83490271bd8851fde/detection
# BANNER_0_HASH-HOST=4a786e6d861dc2540ae5e2f3695c06b1
# BANNER_0_HASH-HOST=8551da9b3947592501a7ef4dd943c84d
# NOTE(review): both banner hashes also tag the androidevents.com group further down, and 8551da9b... also
# tags the bill-proof.cc group, so a pivot on either hash spans several groups in this file.

angry-toaster.com
apps-measurement.com
dusty-comet-jazz.com
hungry-pixel.com
kernel-compass.com
laughing-octo.info
velvet-parrot.com

# Reference: https://github.com/hagezi/dns-blocklists/issues/9430
# Reference: https://app.any.run/tasks/33e7c283-1c8f-47e4-b6f4-76a011951ee4
# Reference: https://www.virustotal.com/gui/file/d0554c5e89232cab04f1e2987fbb9b56f4746204fa64baffe18035a4cc319bbd/detection
# Reference: https://www.virustotal.com/gui/file/fd34b46b47fd86440aff7383a94486673ecf37533a9b97daa7694a1e4bb85732/detection
# Reference: https://www.virustotal.com/gui/file/3d2e7029f2d78cac1e87c8e9176987735a7cecc5ffdd0b65978ec0ee9667748c/detection
# BANNER_0_HASH-HOST=8551da9b3947592501a7ef4dd943c84d
# BANNER_0_HASH-HOST=4a786e6d861dc2540ae5e2f3695c06b1
# NOTE(review): same two banner hashes as the angry-toaster.com group above.
# NOTE(review): several names below resemble Android/Windows/Google service names and carry spellings that
# look deliberate (ggpht0.com vs ggphto.com differ only in digit 0 / letter o; windownsnotification.net;
# cleenupstat.click; superfootbalsquare.xyz). Copy them exactly - do not "correct" the spelling when triaging a hit.
# NOTE(review): store.caml.cc is a subdomain of caml.cc, which is also listed; presumably kept for
# provenance - confirm whether parent-domain matching already covers it.

androidevents.com
androidevents.net
androidfirebases.net
androidservicesmng.net
androidsmsservice.com
blinkballpush.info
blinksmemorymain.xyz
booststat.click
bundlefirecubes.xyz
burningdicelogic.xyz
caml.cc
candyclashworld.xyz
clashball.info
cleenupstat.click
corvus-infra.cc
crispy-rusty.com
eduxegypt.com
effystat.click
fanestat.click
farmholland.live
getitstat.click
gggstatics.com
gggstatics.net
ggpht0.com
ggphto.com
hello-fuopla.icu
hindvstat.click
hvidstat.click
ifnoballbrawlmatch.xyz
likeatiger.xyz
luckysdrops.xyz
mazedroppush.info
mylinkinformation.pro
newproject-newworld.info
newworld-helloworld.icu
savemax.app
spindrop.info
store.caml.cc
superfootball.info
superfootbalsquare.xyz
tiberdealinfo.xyz
tigersluck.info
tofustat.click
windiagnosticpush.net
windownsnotification.net
wintaskmanagerservices.com
world-new-iope.cc

# Reference: https://www.virustotal.com/gui/file/12c978f6a88e1c3af898b834d866a64e03ee133ac4587e8c1cae8380929632af/detection
# BANNER_0_HASH-HOST=8551da9b3947592501a7ef4dd943c84d
# NOTE(review): this banner hash is one of the two that tag the angry-toaster.com and androidevents.com groups above.

bill-proof.cc
seall-vernous.com

# Reference: https://www.virustotal.com/gui/file/055d777c3d38269f07d454f07abc985dfa52493b669cd3cc687304a0a6425122/detection
# HEADER_HASH-HOST/IP=f1212eedcf55bafcf362
# NOTE(review): this header hash is 20 hex characters, shorter than the 32-character banner hashes used
# elsewhere in this file - TODO confirm which scan service/field it belongs to before pivoting on it.
# The same hash tags the 178.16.55.36:8880 entry below.
# NOTE(review): the 80.76.49.x addresses here (port 8880) share their first three octets with the
# 80.76.49.114 / 80.76.49.228 panel entries (port 6767) at the top of the file.
# NOTE(review): illillliilliliililliilllilliilllilliilililllii.li and ruruurururururu.ru are built from
# repeated, visually ambiguous letters; copy them byte-for-byte, never retype them.

195.177.94.44:8443
80.76.49.102:8880
80.76.49.124:8880
80.76.49.240:8880
aolbiz.com
illillliilliliililliilllilliilllilliilililllii.li
programlarmshops.com
ruruurururururu.ru

# Reference: https://x.com/JAMESWT_WT/status/2044004653088579632
# Reference: https://tria.ge/260414-mr1j1sb14v/behavioral2
# HEADER_HASH-HOST/IP=f1212eedcf55bafcf362
# NOTE(review): same header hash and same port (8880) as the 80.76.49.x entries in the group above.

178.16.55.36:8880

# Reference: https://www.malwarebytes.com/blog/threat-intel/2026/04/from-fake-proton-vpn-sites-to-gaming-mods-this-windows-infostealer-is-everywhere
# FAVICON_HASH-HOST=b8684628a5f9315b401be18ecdcc2de5
# NOTE(review): per the reference title this group covers fake VPN download sites; get-proton-vpn.com and
# vpn-proton-setup.com imitate the Proton VPN name, so verify the exact string before treating a hit as benign.
# NOTE(review): 1-9zf.pages.dev and vpn-site-8xj.pages.dev are hosts on the shared pages.dev platform zone -
# keep the full hostname and never widen these to pages.dev.
# NOTE(review): proton.vpnfree-windows.cc is a subdomain of vpnfree-windows.cc, which is also listed;
# confirm whether parent-domain matching already covers it.

biogenvpn.com
cosmic-nebula.cc
freedomvpn.online
get-proton-vpn.com
gigvault.one
happy-vpn.com
meylisvpn.com
platform-hiveoss.lol
platform-hiveoss.shop
vpn-proton-setup.com
vpnforfiresticktv.com
vpnfree-windows.cc
1-9zf.pages.dev
proton.vpnfree-windows.cc
vpn-site-8xj.pages.dev
whale-ether.pro
