# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

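# Aliases: gamaredon, pterodo
# Note: most entries below are individual hostnames under shared dynamic-DNS
# zones (ddns.net, hopto.org, zapto.org, sytes.net, webhop.me, ...). Match the
# full hostname only, never the parent zone, which also serves unrelated users.
# Note: the references appear to date from 2019 or earlier, and dynamic-DNS
# names can be released and re-claimed by other parties. Treat a match as a
# lead to corroborate with other telemetry, not as a verdict on its own.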

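# Reference: https://cert.gov.ua/news/42
# NOTE(review): the IP entry below is the only one written with a URL scheme.
# Confirm that whatever consumes this list strips "http://" before matching;
# a consumer that expects bare hosts/IPs may otherwise never match it.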

http://95.142.45.58
single-office.ddns.net

# Reference: https://cert.gov.ua/news/46

bitsadmin.ddns.net
dataoffice.zapto.org
updates-spreadwork.pw

# Reference: https://twitter.com/VK_Intel/status/1084955795358330880

spread-system.info

# Reference: https://twitter.com/VK_Intel/status/1080919080616439808

torrent-supd.space

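# Reference: https://twitter.com/ClearskySec/status/1065267794474950657
# Note: single-office.ddns.net in this block repeats the entry already listed
# above under https://cert.gov.ua/news/42.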

chrome-update.ddns.net
connect-updates.ddns.net
gr01.ddns.net
gr02.ddns.net
gr03.ddns.net
karasto01.ddns.net
macdocs.ddns.net
marishka.ddns.net
metro-exodus.ddns.net
microsoft-single.ddns.net
mykarina.ddns.net
natos-drp.ddns.net
nato-drp.ddns.net
new-club.ddns.net
orizoh88.ddns.net
optima-se.ddns.net
pk01.ddns.net
pk02.ddns.net
pk03.ddns.net
po01.ddns.net
po02.ddns.net
po03.ddns.net
singles-office.ddns.net
single-office.ddns.net
sovetkirov.ddns.net
start-usb.ddns.net
sushi-bar.ddns.net
topline.myftp.org
tovar-es.ddns.net
ukraina-drp.ddns.net
ukraine-news.ddns.net
us01.ddns.net
us02.ddns.net
us03.ddns.net
ut01.ddns.net
ut02.ddns.net
ut03.ddns.net
vnc-new.ddns.net
wareface.ddns.net
werdikt.ddns.net
wq01.ddns.net
wq02.ddns.net
wq03.ddns.net
yousister.ddns.net

# Reference: https://twitter.com/CSIRTCV/status/1083420779486855169

errors-analyses.ddns.net
spr-files.ddns.net
spr-updates.ddns.net

# Reference: https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/

admin-ru.ru
adobe.update-service.net
apploadapp.webhop.me
brokbridge.com
cat.gotdns.ch
check-update.ru
childrights.in.ua
conhost.myftp.org
docdownload.ddns.net
downloads.email-attachments.ru
downloads.file-attachments.ru
dyndownload.serveirc.com
e.muravej.ua
email-attachments.ru
file-attachments.ru
freefiles.myftp.biz
getmyfile.webhop.me
googlefiles.serveftp.com
grom56.ddns.net
grom90.ddns.net
hrome-update.ru
hrome-updater.ru
loaderskypetm.webhop.me
loadsoulip.serveftp.com
mail.file-attachments.ru
mails.redirectme.net
mars-ru.ru
msrestore.ru
oficialsite.webhop.me
parkingdoma.webhop.me
poligjong.webhop.me
polistar.ddns.net
proxy-spread.ru
rms.admin-ru.ru
samotsvety.com.ua
skypeemocache.ru
skypeupdate.ru
spbpool.ddns.net
spread-service.ru
spread-ss.ru
spread-updates.ru
stor.tainfo.com.ua
tortilla.sytes.net
ukrnet.serveftp.com
ukrway.galaktion.ru
umachka.ua
update-service.net
updatesp.ddns.net
updateviber.sytes.net
webclidie.webhop.me
win-restore.ru
winloaded.sytes.net
winupdateloader.ru
yfperoliz.webhop.me

# Reference: https://twitter.com/ClearskySec/status/1065267790943268865

dropdrop.ddns.net
drop-new.ddns.net
drop-news.ddns.net
google-drive.ddns.net
google-drp.ddns.net
google-drop.ddns.net

# Reference: https://twitter.com/VK_Intel/status/1117303080545079296

winroutes.ddns.net

# Reference: https://twitter.com/h4ckak/status/1117234914158530560

winrouts.ddns.net

# Reference: https://twitter.com/h4ckak/status/1117789601765007360

lisingrout.ddns.net

# Reference: https://twitter.com/Timele9527/status/1118331760612388864

word-service.site

# Reference: https://twitter.com/Timele9527/status/1118343183971360769

libre4.space

# Reference: https://twitter.com/zlab_team/status/1121013394251948036
# Reference: https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/

bitwork.ddns.net
librework.ddns.net

# Reference: https://twitter.com/ThreatBookLabs/status/1123149311573815297
# Reference: https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=1417 (Chinese)
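# Reference: https://otx.alienvault.com/pulse/5cc80eba055a4f569561dad5
# Note: libre4.space and word-service.site in this block repeat entries already
# listed above under the Timele9527 references.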

attach.website
bitsadmin.space
bitsadmin1.space
bitsadmin10.space
bitsadmin2.space
bitsadmin3.space
bitsadmin4.space
bitsadmin5.space
bitsadmin6.space
bitsadmin7.space
bitsadmin8.space
bitsadmin9.space
drivegoogle.site
dwn-files.site
google-drive.site
libre-360.site
libre-exel.site
libre-office.site
libre-ppt.site
libre-word.site
libre1.space
libre2.space
libre3.space
libre4.space
libre5.space
macros1.space
macros2.space
macros3.space
macros4.space
macros5.space
microsoft-analise.site
microsoft-bits.site
microsoft-macros.site
microsoft-office.site
microsoft-usb.site
ssu-gov.site
ssu-gov.website
word-checker.site
word-online.site
word-proxy.site
word-service.site
word-update.site
wordmacros.space
bitqueshions.ddns.net
gamework.ddns.net
telemetriya.hopto.org
torrent-videos.ddns.net
usbqueshions.ddns.net
wordqueshion.ddns.net
workan.ddns.net
workusb.ddns.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1131226380694413312

bitvers.ddns.net
tor-file.ddns.net
wincreator.ddns.net

# Reference: https://twitter.com/Timele9527/status/1139816501869871104

templates.hopto.org

# Reference: https://twitter.com/HONKONE_K/status/1143725710340587520

curt.hopto.org

# Reference: https://twitter.com/VK_Intel/status/1143696009261932544

bit-rnbo.ddns.net
rnbo-ua.ddns.net
