# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: BumbleBee, Hisoka, Snugy, TriFive, huntxspy

# Reference: https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/
# Reference: https://github.com/pan-unit42/iocs/blob/master/xHunt/xHunt_IOCs.csv
# Reference: https://www.virustotal.com/gui/file/892d5e8e763073648dfebcfd4c89526989d909d6189826a974f17e2311de8bc4/detection

google-update.com
learn-service.com
microsofte-update.com
woxmma.microsofte-update.com

# Reference: https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/
# Reference: https://twitter.com/Voulnet/status/1014951078364876801
# Reference: https://otx.alienvault.com/pulse/5da0d8dc27a2ad4cc8864283

firewallsupports.com
windows64x.com
winx64-microsoft.com
windows-updates.com

# Reference: https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/
# Reference: https://otx.alienvault.com/pulse/5fa97823e94863569cf1fdbe

sharepoint-web.com

# Reference: https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/
# Reference: https://otx.alienvault.com/pulse/5fa97823e94863569cf1fdbe

deman1.icu
hotsoft.icu
lidarcc.icu
uplearn.top

# Reference: https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
# Reference: https://otx.alienvault.com/pulse/5ffcbc5b19a30849ecd2ab78

142.11.211.79:8080
142.11.211.79:8081
192.119.110.194:8083
91.92.109.59:1234
91.92.109.59:1255
91.92.109.59:1288
91.92.109.59:1289
backendloop.online
bestmg.info
windowsmicrosofte.online

# Reference: https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/
# Reference: https://github.com/pan-unit42/tweets/blob/master/2022-04-05-IOCs-for-Bumblebee-and-Cobalt-Strike.txt

192.236.198.63:443
23.82.19.208:443
45.147.229.177:433

# Reference: https://twitter.com/r0ny_123/status/1515939792034230272

108.62.12.12:443

# Reference: https://twitter.com/Max_Mal_/status/1516352309311246339

199.80.55.44:443
209.141.59.96:433
23.106.160.120:433

# Reference: https://twitter.com/k3dg3/status/1516819204200091655
# Reference: https://tria.ge/220420-t3m7dsechn/behavioral2

184.29.205.132:443

# Reference: https://twitter.com/phage_nz/status/1519207039968313344

104.168.236.99:443
172.241.29.169:443
23.82.141.184:443
messerota.com

# Reference: https://twitter.com/Max_Mal_/status/1519323650062753792

108.62.118.56:443
185.33.87.53:443
28.11.143.222:443
49.12.241.35:443
71.1.188.122:443
89.222.221.14:443

# Reference: https://tria.ge/220428-tx94zafbc7

209.141.59.96:443
23.106.160.120:443
