# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: castlebot, castleloader, castlerat, tag-150

# Reference: https://x.com/JAMESWT_WT/status/1958947921598062796
# Reference: https://www.virustotal.com/gui/file/f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be/detection

programsbookss.com

# Reference: https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2
# Reference: https://raw.githubusercontent.com/eSentire/iocs/refs/heads/main/Nightshade/Nightshade-IoCs-09-01-2025.txt

102.135.95.102:33336
102.135.95.102:33337
102.135.95.102:7777
104.225.129.171:33336
104.225.129.171:33337
104.225.129.171:7777
107.158.128.45:33336
107.158.128.45:33337
107.158.128.45:7777
107.158.128.90:33336
107.158.128.90:33337
107.158.128.90:7777
170.130.165.28:33336
170.130.165.28:33337
170.130.165.28:7777
173.232.146.90:33336
173.232.146.90:33337
173.232.146.90:7777
178.17.57.102:33336
178.17.57.102:33337
178.17.57.102:7777
180.178.122.131:33336
180.178.122.131:33337
180.178.122.131:7777
180.178.189.17:33336
180.178.189.17:33337
180.178.189.17:7777
185.149.146.118:33336
185.149.146.118:33337
185.149.146.118:7777
185.149.146.1:33336
185.149.146.1:33337
185.149.146.1:7777
185.208.158.250:33336
185.208.158.250:33337
185.208.158.250:7777
195.201.108.189:33336
195.201.108.189:33337
195.201.108.189:7777
34.72.90.40:33336
34.72.90.40:33337
34.72.90.40:7777
45.11.180.174:33336
45.11.180.174:33337
45.11.180.174:7777
45.61.136.81:33336
45.61.136.81:33337
45.61.136.81:7777
5.35.44.176:33336
5.35.44.176:33337
5.35.44.176:7777
64.52.80.82:33336
64.52.80.82:33337
64.52.80.82:7777
77.238.241.203:33336
77.238.241.203:33337
77.238.241.203:7777
79.132.130.142:33336
79.132.130.142:33337
79.132.130.142:7777
91.202.233.132:33336
91.202.233.132:33337
91.202.233.132:7777
91.202.233.250:33336
91.202.233.250:33337
91.202.233.250:7777
91.202.233.251:33336
91.202.233.251:33337
91.202.233.251:7777
94.141.122.164:33336
94.141.122.164:33337
94.141.122.164:7777
tdbfvgwe456yt.com

# Reference: https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations

http://178.17.57.102
http://45.61.136.81
http://91.202.233.250
104.225.129.171:443
144.208.126.50:443
185.125.50.125:7777
185.196.10.8:7777
185.196.9.222:7777
185.196.9.80:7777
195.85.115.44:443
34.72.90.40:443
45.11.180.198:7777
45.144.53.62:7777
5.35.44.176:443
77.90.153.43:7777
79.132.131.200:7777
85.192.49.6:7777
87.120.93.167:7777
91.212.166.17:33334
teamsi.org
teamsio.com
teamsoftdigital.com

# Reference: https://x.com/PRODAFT/status/1948382357725024565
# Reference: https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview
# Reference: https://github.com/prodaft/malware-ioc/tree/master/CastleLoader
# Reference: https://www.virustotal.com/gui/file/05ecf871c7382b0c74e5bac267bb5d12446f52368bb1bfe5d2a4200d0f43c1d8/detection
# Reference: https://www.virustotal.com/gui/file/31493e6366d3e7275a1e01937a4a18b27db8e5ef21bc21df666690d455f2acaf/detection
# Reference: https://www.virustotal.com/gui/file/0d7a46cedeb866930ebe808a596b44c5cf8941e448b4f8012018283ea55ec309/detection
# Reference: https://www.virustotal.com/gui/file/6e11ec22fd31d9eb4bd6060711dbd5d3c7c05bd7dfaa20daaee2c2c8a4dcf524/detection
# Reference: https://www.virustotal.com/gui/file/3329d3011f8f4c3df16230a1e6ed3ffe3c3cffaa7dadf0238eb6b011a659c84f/detection

http://173.44.141.89
185.39.19.165:5354
buzzedcompany.com
lekuvam.com
polarcompany.org
rinasalleh.com
teamsapi.net

# Reference: https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation
# Reference: https://www.virustotal.com/gui/file/3329d3011f8f4c3df16230a1e6ed3ffe3c3cffaa7dadf0238eb6b011a659c84f/detection
# Reference: https://www.virustotal.com/gui/file/f31e9ef8a59bacda22d8310750b91841878e1f398270676718d3a0b4949880a2/detection
# Reference: https://www.virustotal.com/gui/file/4cd0a2eb8662b5bdacf7f5db62827dd29a0c75d2b3b3f28eefb584e44a1ef2a5/detection

http://107.158.128.45
http://107.158.128.90
http://45.11.180.174
45.11.180.174:6666

# Reference: https://x.com/g0njxa/status/1980943290896630209
# BANNER_0_HASH-HOST=d5a7ef665ea2e5f9fd95ab665b149262

185-212-47-84.cprapid.com
45-11-183-165.cprapid.com
79.132.130.142.sslip.io
3vr3v3sdf.online
7hzhde.xyz
alafair.net
anotherproject.icu
baaredlead.com
bethschwier.com
campanyasoft.com
campuscedeco.ran.es
castlnetintel.com
cedeco.ran.es
chargerrlogistics.cam
cisco-webexxapp.xyz
criip.art
dperforms.info
estetic-online.com
ftroftrodro.top
funjobcollins.shop
gernlern.com
gghhjjkkuuywwfdf.space
higueruela.net
ippsadfx.icu
jeneeday.com
jeneeday.net
krefjkj.duckdns.org
lekuvam.com
loads.icu
loads.world
loadsplanning.com
megarstorei.store
mhousecreative.com
oldspicenotsogood.shop
oneyogasite.com
pittiadg.top
polarcompany.org
rinasalleh.com
shortstreet.net
st-hanbok.com
tattori.icu
vilaoaza.com
vvsgr.net
wereatwar.com

# Reference: https://x.com/drb_ra/status/1981031132247228884
# Reference: https://gist.github.com/drb-ra/ca579655912dd56acb2be6af301a55a9

107.158.128.26:443
170.130.165.201:443
172.86.90.58:443

# Reference: https://x.com/1ZRR4H/status/1986271204563452367
# Reference: https://www.linkedin.com/posts/jeromesegura_darkgate-malvertising-cometbrowser-activity-7383221467347476480-pVwV
# BANNER_0_HASH-HOST=490c066a6a6d63261339a7049fab6a86
# BANNER_0_HASH-HOST=d5a7ef665ea2e5f9fd95ab665b149262
# BODY_SHA1-HOST=e561b2cfc84bf7cd1443a6f5929c5e5a0e2c6b62

amnesiapidor.cfd
cometswift.com
digitaldoctor.uno
donttouchme.life
donttouchthisisuseless.icu
doyoureallyseeme.icu
dpeformse.com
fogverifer.us
icantseeyou.icu
nationnlahde.xyz
perplexity.page
protectedserversharedfile.com
rcpeformse.com
roject0.com
shareddirectprotected.com
sharedprotectedfileme.com
sharedprotectedmefile.xyz
sharedprotectedsharedfile.xyz
sharedriveprotected.com
speatly.com
touchmeplease.icu
vengermsk.icu
vpn847931076.softether.net

# Reference: https://x.com/1ZRR4H/status/1986271204563452367

castlppwnd.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-11-08)

http://107.158.128.26
http://170.130.165.201
http://172.86.90.58
45.134.26.69:443

# Reference: https://www.virustotal.com/gui/file/27f24adab8c696069e22233860851dd8654a846700483f6c4a9a8aa05f1b27db/detection
# Reference: https://www.virustotal.com/gui/file/7e5854134a25286ed9e94f0848127731bf3c78def80cb750b34f31f7b917435e/detection
# Reference: https://www.virustotal.com/gui/file/c99c06b15f4adc05f22ccd69ec0b34cdc9974b8b223c7db5a87eb912a1b52cbb/detection

185.121.234.141:443

# Reference: https://x.com/malwrhunterteam/status/1990726475394207815
# Reference: https://www.virustotal.com/gui/file/ea008ca5c04cb56a47b785609a0045f5ac0af82378f2dd097ba781feae921b2d/detection
# Reference: https://www.virustotal.com/gui/file/d1e661844e46ea11ac9169f7e71253a02db279b6bef4c6ffe144d298ca8db917/detection
# TITLE-HOST=Download Sphere Installer

178.16.54.229:18191
185.177.239.92:443
xyz-ai.org
testwha.duckdns.org

# Reference: https://infosec.exchange/@netresec/115581320305095154
# Reference: https://www.virustotal.com/gui/file/adc2e9487e182672fc2a30783130162754e92b173800563bc34a275125a5e3b1/detection
# Reference: https://www.virustotal.com/gui/file/fa354cf29852573669bc468ea2dac0ea5e83a943315466c89dd8634b38cdb261/detection

cloudyape.com
finger.cloudyape.com

# Reference: https://x.com/SquiblydooBlog/status/2012146887680299303
# Reference: https://www.virustotal.com/gui/file/164421af114cb376d86e8c28d1b3749a3dbfa12328e928c22735930ff200aa28/detection
# BANNER_0_HASH-HOST=85ca83ae608dda69a48d744b392a6a01

gamebassok.icu
itlonspark.us
killianvoice.icu

# Reference: https://x.com/skocherhan/status/2019247676626190688

213-209-150-229.plesk.page
365bank-obnovy.com
365postovaobnovit.info
365renew.com
accessfiix-pak.com
aissaleptit.com
ananeono-netfilx.com
azuriranjenetfilx.com
bancochile-info.com
bancodechile-secure.com
bank365postova.com
clever-brahmagupta.213-209-150-229.plesk.page
deliverypk-info.com
forny-sundhedskort.com
idalpha-bnk.com
idhblpak.com
info365-postova.com
intesasp-info.com
isporuka-info.com
maltapostrack.com
mbh-renewal.com
megujitani-szamla.com
moncolis-relai.com
monsuivi-mrelay.com
mooneyit-info.com
myhermes-packet.com
neak-megujitani.com
netfiixpt-renewai.com
netfilx-megujitani.com
netfilxcr-renewai.com
netfilxmx-renewal.com
netfilxobnoviti.com
netfilxrs-renewai.com
obnovinalog.com
obnovitinetfilx.com
obnovy365banka.com
obnovypoistenca.com
obnovypostova365.com
pakfines-gov.com
pakpostrack.info
paktracking.com
payment-pkfines.com
pkpost-fast.com
postova365-info.com
postova365info.com
rendorsegportai-fizetes.com
renew365postova.com
renewai-sub.com
renewaipi.com
renewflix-pak.com
renewnetfilx.com
renewpostova365.com
sftp.sagargolf.com
smb.sagargolf.com
suivicolis-2025.com
szallitas-informacio.com
ultrafastcore.pro
umprogrammierung-paket.com
upsinfo-paquete.com
usernet-fiokot.info
usernet-fornya.com
usernet-frissites.com
usernet-pak.com
usernet-renovar.com
userpost-kaz.com
usrntsg.com
vubanka-idp.com
zse-obnovit.com
zse-obnovy.com
zse-platba.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2026-02-28)

152.53.82.239:3003
78.153.155.131:2096
78.153.155.131:8069

# Reference: https://x.com/malwrhunterteam/status/1987867312871936199
# Reference: https://www.virustotal.com/gui/file/b01290e662a174d1747926c180036ce772dea2ca31d2998c6795631740d4fd2d/detection

192.241.240.15:79
cloudmega.org
ecm-ip.com
finger.cloudmega.org

# Reference: https://x.com/FABO97662188/status/2028067290906767604
# BANNER_0_HASH-HOST=e57cefa10fb0981ae6bfe575f94d6f75
# BANNER_0_HASH-HOST=2a774b9d2f2224418f82c4b3fbf29d73
# BANNER_0_HASH-HOST=6f6c17ef8302f90df0ef7156f0a0bea8

170.130.165.40.sslip.io
akamedmain.com
akameldak.com
akameseconddmain.com
apuanetflx.com
autryjones.com
blogwissen.org
boosliaddayenro.click
buermeyer.eu
buermeyer.info
clientflixapp-fr.com
crewldmainnew.com
digitaler-gewaltschutz.de
digitalergewaltschutz.de
dritter-senat.de
elgatoconnect.com
fair-trial.eu
florian-weber.info
funkzellenabfrage.at
funkzellenabfrage.ch
funkzellenabfrage.com
funkzellenabfrage.de
funkzellenabfrage.eu
funkzellenabfrage.net
funkzellenabfrage.org
fza-berlin.de
gabesworld.com
gemeinsam-ins-theater.de
gff.legal
gff.social
gff.world
goldappinstock.com
grundrechte.net
hateaway.eu
hateaway.net
hateaway.org
heirfolioguide.com
hivemindeds.com
hotspotter.org
hrrs.de
hrrs.eu
ieruslamindto.com
ip226.ip-51-81-161.us
iprserv.de
kicks-apps.gmbh
kicksapps.com
kicksapps.info
kicksapps.net
kicksapps.org
kulke.org
lage.social
lage.stream
lage.studio
lagedernation.com
lagedernation.net
lgberlin.de
liberty-litigation.org
litigation-alliance.org
makeup-dna.com
mapalarm.app
mapalarm.eu
miteamss.com
moncompte-securise.com
morgenlage.org
nachalonachalo.com
np.vu
openstreets.eu
openstreets.fr
openstreets.io
opt-meli.info
palvelunetflx.com
pcrmp.online
podshows.at
podshows.ch
podshows.de
podshows.eu
podshows.net
podshows.org
podtours.at
podtours.ch
podtours.de
podtours.net
podtours.org
popopopopi.com
pos-fi-info.com
rueckschein.at
rueckschein.ch
rueckschein.com
rueckschein.eu
rueckschein.net
rueckschein.org
saymyname.me
snapmap.de
snapmap.info
stechlin.info
strategic-litigation.com
strategic-litigation.de
strategic-litigation.eu
strategic-litigation.info
strategic-litigation.net
strategic-litigation.org
strategische-prozesse.at
strategische-prozesse.ch
strategische-prozesse.com
strategische-prozesse.de
strategische-prozesse.eu
strategische-prozesse.info
strategische-prozesse.net
strategische-prozesse.org
strategische-prozessfuehrung.at
strategische-prozessfuehrung.ch
strategische-prozessfuehrung.com
strategische-prozessfuehrung.de
strategische-prozessfuehrung.eu
strategische-prozessfuehrung.info
strategische-prozessfuehrung.net
strategische-prozessfuehrung.org
subss.net
tdbfvgwe456yt.com
teamscloud.de
teamscloud.net
teamscloud.org
tryvaultsure.com
tukinetflx.com
tv-posfi.com
vereinskonto.at
verfassungsbeschwerde.legal
verfassungsbeschwerde.net
verfassungsbeschwerde.org
wesendahl.com
wesendahl.eu
wifispotter.de
wifispotter.org
zolotoylodak.com

# Generic

/keya.bin?nocache=
/testa.bin?nocache=
