# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

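# Aliases: pterodo
#
# Notes for consumers of this list:
# - Many entries are individual hosts under shared dynamic-DNS zones (ddns.net,
#   hopto.org, zapto.org, sytes.net, webhop.me, serveftp.com, myftp.org, ...).
#   Match the full hostname; the parent zones also serve unrelated users.
# - Sections mirror their cited sources, so the same host can appear under
#   several references. Deduplicate before loading if the consumer requires
#   unique entries.
# - The Ars Technica URL below spells the family name "pterado"; it is kept
#   as published.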

# Reference: http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/

admin-ru.ru
adobe.update-service.net
apploadapp.webhop.me
brokbridge.com
cat.gotdns.ch
check-update.ru
childrights.in.ua
conhost.myftp.org
docdownload.ddns.net
downloads.email-attachments.ru
downloads.file-attachments.ru
dyndownload.serveirc.com
e.muravej.ua
email-attachments.ru
file-attachments.ru
freefiles.myftp.biz
getmyfile.webhop.me
googlefiles.serveftp.com
grom56.ddns.net
grom90.ddns.net
hrome-update.ru
hrome-updater.ru
loaderskypetm.webhop.me
loadsoulip.serveftp.com
mail.file-attachments.ru
mails.redirectme.net
mars-ru.ru
msrestore.ru
oficialsite.webhop.me
parkingdoma.webhop.me
poligjong.webhop.me
polistar.ddns.net
proxy-spread.ru
rms.admin-ru.ru
samotsvety.com.ua
skypeemocache.ru
skypeupdate.ru
spbpool.ddns.net
spread-service.ru
spread-ss.ru
spread-updates.ru
stor.tainfo.com.ua
tortilla.sytes.net
ukrnet.serveftp.com
ukrway.galaktion.ru
umachka.ua
update-service.net
updatesp.ddns.net
updateviber.sytes.net
webclidie.webhop.me
win-restore.ru
winloaded.sytes.net
winupdateloader.ru
www.file-attachments.ru
www.win-restore.ru
yfperoliz.webhop.me

# Reference: https://arstechnica.com/information-technology/2018/11/ukraine-detects-new-pterado-backdoor-malware-warns-of-russian-cyberattack/

updates-spreadwork.pw
dataoffice.zapto.org
bitsadmin.ddns.net

# Reference: https://cert.gov.ua/news/46

natos-drp.ddns.net
nato-drp.ddns.net
ukraine-news.ddns.net
ukraina-drp.ddns.net
tovar-es.ddns.net
start-usb.ddns.net
sovetkirov.ddns.net
singles-office.ddns.net
single-office.ddns.net
yousister.ddns.net
wq03.ddns.net
wq02.ddns.net
wq01.ddns.net
werdikt.ddns.net
wareface.ddns.net
vnc-new.ddns.net
ut03.ddns.net
ut02.ddns.net
ut01.ddns.net
us03.ddns.net
us02.ddns.net
us01.ddns.net
topline.myftp.org
sushi-bar.ddns.net
po03.ddns.net
po02.ddns.net
po01.ddns.net
pk03.ddns.net
pk02.ddns.net
pk01.ddns.net
orizoh88.ddns.net
optima-se.ddns.net
new-club.ddns.net
mykarina.ddns.net
microsoft-single.ddns.net
metro-exodus.ddns.net
marishka.ddns.net
macdocs.ddns.net
karasto01.ddns.net
gr03.ddns.net
gr02.ddns.net
gr01.ddns.net
connect-updates.ddns.net
chrome-update.ddns.net

# Reference: https://blog.threatstop.com/russian-apt-gamaredon-group

splin-body.site
torrent-stel.space
torent-updates.ddns.net
torrent-updates.ddns.net
splin-upd.site
splin-upd1.site
torrent-supd.space

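# Reference: https://cert.gov.ua/news/42
# Note: the first entry below is the only one in this file given as a URL
# (scheme plus bare IPv4 address) rather than a hostname. Addresses are
# reassigned over time, so a match on it needs corroboration.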

http://95.142.45.58
single-office.ddns.net

# Reference: https://cert.gov.ua/news/46

bitsadmin.ddns.net
dataoffice.zapto.org
updates-spreadwork.pw

# Reference: https://twitter.com/VK_Intel/status/1084955795358330880

spread-system.info

# Reference: https://twitter.com/VK_Intel/status/1080919080616439808

torrent-supd.space

# Reference: https://twitter.com/ClearskySec/status/1065267794474950657

chrome-update.ddns.net
connect-updates.ddns.net
gr01.ddns.net
gr02.ddns.net
gr03.ddns.net
karasto01.ddns.net
macdocs.ddns.net
marishka.ddns.net
metro-exodus.ddns.net
microsoft-single.ddns.net
mykarina.ddns.net
natos-drp.ddns.net
nato-drp.ddns.net
new-club.ddns.net
orizoh88.ddns.net
optima-se.ddns.net
pk01.ddns.net
pk02.ddns.net
pk03.ddns.net
po01.ddns.net
po02.ddns.net
po03.ddns.net
singles-office.ddns.net
single-office.ddns.net
sovetkirov.ddns.net
start-usb.ddns.net
sushi-bar.ddns.net
topline.myftp.org
tovar-es.ddns.net
ukraina-drp.ddns.net
ukraine-news.ddns.net
us01.ddns.net
us02.ddns.net
us03.ddns.net
ut01.ddns.net
ut02.ddns.net
ut03.ddns.net
vnc-new.ddns.net
wareface.ddns.net
werdikt.ddns.net
wq01.ddns.net
wq02.ddns.net
wq03.ddns.net
yousister.ddns.net

# Reference: https://twitter.com/CSIRTCV/status/1083420779486855169

errors-analyses.ddns.net
spr-files.ddns.net
spr-updates.ddns.net

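# Reference: https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/
# Note: same report slug as the researchcenter.paloaltonetworks.com reference
# at the top of this file. The hosts below repeat that section, which
# additionally lists www.file-attachments.ru and www.win-restore.ru.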

admin-ru.ru
adobe.update-service.net
apploadapp.webhop.me
brokbridge.com
cat.gotdns.ch
check-update.ru
childrights.in.ua
conhost.myftp.org
docdownload.ddns.net
downloads.email-attachments.ru
downloads.file-attachments.ru
dyndownload.serveirc.com
e.muravej.ua
email-attachments.ru
file-attachments.ru
freefiles.myftp.biz
getmyfile.webhop.me
googlefiles.serveftp.com
grom56.ddns.net
grom90.ddns.net
hrome-update.ru
hrome-updater.ru
loaderskypetm.webhop.me
loadsoulip.serveftp.com
mail.file-attachments.ru
mails.redirectme.net
mars-ru.ru
msrestore.ru
oficialsite.webhop.me
parkingdoma.webhop.me
poligjong.webhop.me
polistar.ddns.net
proxy-spread.ru
rms.admin-ru.ru
samotsvety.com.ua
skypeemocache.ru
skypeupdate.ru
spbpool.ddns.net
spread-service.ru
spread-ss.ru
spread-updates.ru
stor.tainfo.com.ua
tortilla.sytes.net
ukrnet.serveftp.com
ukrway.galaktion.ru
umachka.ua
update-service.net
updatesp.ddns.net
updateviber.sytes.net
webclidie.webhop.me
win-restore.ru
winloaded.sytes.net
winupdateloader.ru
yfperoliz.webhop.me

# Reference: https://twitter.com/ClearskySec/status/1065267790943268865

dropdrop.ddns.net
drop-new.ddns.net
drop-news.ddns.net
google-drive.ddns.net
google-drp.ddns.net
google-drop.ddns.net

# Reference: https://twitter.com/VK_Intel/status/1117303080545079296

winroutes.ddns.net

# Reference: https://twitter.com/h4ckak/status/1117234914158530560

winrouts.ddns.net

# Reference: https://twitter.com/h4ckak/status/1117789601765007360

lisingrout.ddns.net

# Reference: https://twitter.com/Timele9527/status/1118331760612388864

word-service.site

# Reference: https://twitter.com/Timele9527/status/1118343183971360769

libre4.space

# Reference: https://twitter.com/zlab_team/status/1121013394251948036
# Reference: https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/

bitwork.ddns.net
librework.ddns.net

# Reference: https://twitter.com/ThreatBookLabs/status/1123149311573815297
# Reference: https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=1417 (Chinese)
# Reference: https://otx.alienvault.com/pulse/5cc80eba055a4f569561dad5

attach.website
bitsadmin.space
bitsadmin1.space
bitsadmin10.space
bitsadmin2.space
bitsadmin3.space
bitsadmin4.space
bitsadmin5.space
bitsadmin6.space
bitsadmin7.space
bitsadmin8.space
bitsadmin9.space
drivegoogle.site
dwn-files.site
google-drive.site
libre-360.site
libre-exel.site
libre-office.site
libre-ppt.site
libre-word.site
libre1.space
libre2.space
libre3.space
libre4.space
libre5.space
macros1.space
macros2.space
macros3.space
macros4.space
macros5.space
microsoft-analise.site
microsoft-bits.site
microsoft-macros.site
microsoft-office.site
microsoft-usb.site
ssu-gov.site
ssu-gov.website
word-checker.site
word-online.site
word-proxy.site
word-service.site
word-update.site
wordmacros.space
bitqueshions.ddns.net
gamework.ddns.net
telemetriya.hopto.org
torrent-videos.ddns.net
usbqueshions.ddns.net
wordqueshion.ddns.net
workan.ddns.net
workusb.ddns.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1131226380694413312

bitvers.ddns.net
tor-file.ddns.net
wincreator.ddns.net

# Reference: https://twitter.com/Timele9527/status/1139816501869871104

templates.hopto.org

# Reference: https://twitter.com/HONKONE_K/status/1143725710340587520

curt.hopto.org

# Reference: https://twitter.com/VK_Intel/status/1143696009261932544

bit-rnbo.ddns.net
rnbo-ua.ddns.net

# Reference: https://twitter.com/VK_Intel/status/1147021849567617026

barathrum.space
zombieland.info

# Reference: https://thehackernews.com/2019/07/linux-gnome-spyware.html

clsass.ddns.net
kotl.space

# Reference: https://twitter.com/Timele9527/status/1154570300635303937
# Reference: https://www.virustotal.com/gui/ip-address/5.252.193.204/relations
# Reference: https://www.virustotal.com/gui/file/79fd962eb0c256f32786dab4d42cb416f6c1e6766bf0e2dcafdf5ffa2c5e61c1/detection
# Reference: https://otx.alienvault.com/pulse/5d3ac45e3bc2987b3b0031dc

advansed-template.site
bits-tor.fun
bits-tor.host
bits-tor.site
bits-tor.space
bits-tor.website
bitsadmin10.space
bitsadmin2.space
bitsadmin3.space
bitsadmin4.space
bitsadmin5.space
bitsadmin6.space
bitsadmin7.space
bitsadmin8.space
bitsadmin9.space
bitsbitsa.space
bitsbitsb.space
bitsbitsc.space
bitsbitsi.space
bitsbitsk.space
bitsbitsl.space
certificate-verif.ddns.net
cyberworld.host
cyberworld.website
dilana.space
drovka.space
fix-template.site
furion.space
gameland.space
gameland.website
gameworld.space
gameworld.website
haker.fun
haker.host
haker.space
haker.website
libda.site
libdab.site
libdac.site
libdad.site
libdade.site
libdadi.site
libdado.site
libdaf.site
libdag.site
libdah.site
libdak.site
libdal.site
libdam.site
libdan.site
libdas.site
libre-360.site
libre-exel.site
libre-office.site
libre-ppt.site
libre-word.site
libre1.space
libre2.space
libre3.space
libre4.space
libre5.space
librerty.space
libressimo.space
macros1.space
macros2.space
macros3.space
macros4.space
macros5.space
niam.space
orlean.space
overload.space
overload.website
overwatch.host
rainak.space
redict.ddns.net
riki.space
wayto.host
wifa.site
wifa.space
wifa.website
wifb.site
wifb.space
wifb.website
wifc.host
wifc.site
wifc.space
wifc.website
wifo.host
wifo.site
wifo.space
wifo.website
wifu.site
wifu.space
wifu.website
wifx.site
wify.space
wify.website
wordmacros.space
xakep.fun
xakep.website
zombieland.host
zombieland.info

# Reference: https://twitter.com/Timele9527/status/1157458188792262656

shell-create.ddns.net

# Reference: https://twitter.com/Timele9527/status/1158554492746383361
# Reference: https://www.virustotal.com/gui/file/96f9f7a5c6a7452f385727708c69bf158e2d9461ad1bc683ba9082306b210e0e/detection

libre-templates.ddns.net

# Reference: https://twitter.com/spider_girl22/status/1171262839295635457

office-constructor.ddns.net

# Reference: https://twitter.com/Rmy_Reserve/status/1174592994395054080

weeklite.ddns.net
