# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: darknights, dknife, spellbinder, wizardnet

# Reference: https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/
# Reference: https://blog.talosintelligence.com/knife-cutting-the-edge/
# Reference: https://github.com/eset/malware-ioc/tree/master/thewizards
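# Reference: https://github.com/Cisco-Talos/IOCs/blob/main/2026/02/knife-cutting-the-edge.txt
# NOTE(review): 43.132.105.118 (http://) and 43.132.205.118:81 differ only in the third octet, and 110.92.64.117 / 110.92.64.17 only in the last one.
# Both pairs may be genuine, but confirm each against the references above before using them for blocking: a transcription slip would flag an unrelated host.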

http://110.92.64.117
http://110.92.64.17
http://117.175.185.81
http://210.56.49.72
http://43.132.105.118
http://43.155.62.54
http://47.93.54.134
http://49.89.41.187
http://60.205.148.180
http://61.139.76.99
110.185.104.180:8000
117.175.185.81:8003
43.132.205.118:81
43.155.62.54:81
47.238.107.83:81
47.93.54.134:8001
47.93.54.134:8003
47.93.54.134:8005
49.89.41.187:8001
49.89.41.187:8002
49.89.41.187:8003
89.195.5.18:4553
assetsqq.com
mkdmcdn.com
ssl-dns.com
vv.ssl-dns.com

# Reference: https://x.com/skocherhan/status/2021067035447525705
# Reference: https://www.virustotal.com/gui/file/17a2dd45f9f57161b4cc40924296c4deab65beea447efb46d3178a9e76815d06/detection

110.92.64.177:8000
