# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

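# Generic detection for compromised WordPress CMS installations.
# Entries are domains, IP-based URLs (http://<ip>), <ip>:<port> pairs and URL path
# fragments (leading '/'); each group is preceded by the references it was taken from.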

# Reference: https://twitter.com/unmaskparasites/status/1355301566933213185

subl.net

# Reference: https://twitter.com/unmaskparasites/status/1367183133938831361

checklist.directory

# Reference: https://twitter.com/unmaskparasites/status/1369733061680586755
# Reference: https://twitter.com/unmaskparasites/status/1402047210343174146
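# Reference: https://twitter.com/riper81/status/1404487096778170379
# Note: the xn-- entries below are Punycode-encoded IDN names under xn--p1ai (the .рф TLD); match them in this ASCII form.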

blameworthy.buzz
xn--80a1alg.xn--p1ai
xn--80a3afwhsk.xn--p1ai
xn--80aa4ce2a.xn--p1ai
xn--80ad2akx.xn--p1ai
xn--80adoej5a8h.xn--p1ai
xn--80ady8a.xn--p1ai
xn--80adzf.xn--p1ai
xn--80ae5bng4au.xn--p1ai
xn--80ahxth.xn--p1ai
xn--80aj4ae6d.xn--p1ai
xn--80aj6ah1a.xn--p1ai
xn--80amqk.xn--p1ai
xn--80azck0a.xn--p1ai
xn--90a7a4a.xn--p1ai
xn--90a8cf.xn--p1ai
xn--90achpp5d0c.xn--p1ai
xn--90aixnm.xn--p1ai
xn--b1axdhie3a.xn--p1ai
xn--b1ayb4b.xn--p1ai
xn--c1ab3awv.xn--p1ai
xn--c1ae0ahg.xn--p1ai
xn--c1aeyy.xn--p1ai
xn--c1alehkf5a3d.xn--p1ai
xn--c1anqe5e.xn--p1ai
xn--d1ad5e.xn--p1ai
xn--e1adtoj.xn--p1ai
xn--e1annge.xn--p1ai
xn--g1a1aom.xn--p1ai
xn--g1a2abr.xn--p1ai
xn--g1aehqp.xn--p1ai
xn--g1aey4a.xn--p1ai
xn--g1asqf.xn--p1ai
xn--h1aiml3a.xn--p1ai
xn--h1at3a.xn--p1ai
xn--i1abh6c.xn--p1ai
xn--i1aefi6c.xn--p1ai
xn--i1an6ab.xn--p1ai
xn--i1avf9a.xn--p1ai
xn--i1avu.xn--p1ai
xn--j1alm4a.xn--p1ai
xn--j1amtse.xn--p1ai
xn--k1akc5b.xn--p1ai
xn--k1aty.xn--p1ai
xn--o1aofd.xn--p1ai
xn--p1aldhp.xn--p1ai
xn--q1admt.xn--p1ai
xn--s1afb.xn--p1ai

# Reference: https://twitter.com/unmaskparasites/status/1370579966069383168

/SMILODON/index.php?view=

# Reference: https://twitter.com/unmaskparasites/status/1376690495477276674
# Reference: https://www.virustotal.com/gui/ip-address/194.61.25.77/relations

declarebusinessgroup.ga
dontkinhooot.tw
lovegreenpencils.ga
lowerthenskyactive.ga
strongcapitalads.ga
talkingaboutfirms.ga
travelfornamewalking.ga
travelinskydream.ga

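# Reference: https://github.com/hardenedlinux/hardenedlinux-zeek-script/blob/master/scripts/frameworks/intel/OSINT/CYBERCRiME-03-03-19.txt
# Note: the file name below appears to imitate SimplePie's legitimate Net/IPv6.php, so match the exact path.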

/SimplePie/Net/IPv5.php

# Reference: https://twitter.com/unmaskparasites/status/1394487078952398848

driverfortnigtly.ga

# Reference: https://twitter.com/unmaskparasites/status/1402346388617236481

digitalclimatestrike.net
assets.digitalclimatestrike.net

# Reference: https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/
# Reference: https://otx.alienvault.com/pulse/60be1d277d109b2b37060c4c

http://46.53.253.152
http://69.12.71.82
http://92.53.124.123

# Reference: https://twitter.com/rootprivilege/status/1470821225542742016
# Reference: https://lukeleal.com/research/posts/trainresistor-cc-mass-injection/
# Reference: https://www.virustotal.com/gui/ip-address/45.9.150.64/relations

belonnanotservice.ga
piterreceiver.ga
trainresistor.cc

# Reference: https://twitter.com/unmaskparasites/status/1458970080797073413

blngblngs.rocks

# Reference: https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/
# Reference: https://www.virustotal.com/gui/domain/wp-theme-connect.com/detection

wp-theme-connect.com

# Reference: https://twitter.com/unmaskparasites/status/1494462138298953736

cartoonmines.com

# Reference: https://twitter.com/unmaskparasites/status/1499593717845348354
# Reference: https://twitter.com/unmaskparasites/status/1506671930425823234
# Reference: https://twitter.com/unmaskparasites/status/1506728492016185348
# Reference: https://twitter.com/unmaskparasites/status/1507038308789936150
# Reference: https://twitter.com/unmaskparasites/status/1513575167674355712
# Reference: https://www.virustotal.com/gui/domain/turnedpro.xyz/relations
# Reference: https://www.virustotal.com/gui/ip-address/107.150.37.202/relations
# Reference: https://www.virustotal.com/gui/ip-address/142.54.189.218/relations
# Reference: https://www.virustotal.com/gui/ip-address/188.213.5.130/relations
# Reference: https://www.virustotal.com/gui/ip-address/188.213.5.197/relations
# Reference: https://www.virustotal.com/gui/ip-address/192.187.109.122/relations
# Reference: https://www.virustotal.com/gui/ip-address/198.204.252.154/relations
# Reference: https://www.virustotal.com/gui/ip-address/198.13.55.89/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.67.230.136/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.77.133.32/relations
# Reference: https://www.virustotal.com/gui/ip-address/5.134.119.42/relations
# Reference: https://www.virustotal.com/gui/ip-address/74.91.31.50/relations
# Reference: https://www.virustotal.com/gui/domain/firstok.xyz/relations
# Reference: https://www.virustotal.com/gui/domain/officialservicejp.com/relations
# Reference: https://www.virustotal.com/gui/domain/flyingfishes.online/relations
# Reference: https://www.virustotal.com/gui/domain/runpenguin.online/relations
# Reference: https://www.virustotal.com/gui/domain/tophead.online/relations
# Reference: https://www.virustotal.com/gui/domain/walkdolphin.online/relations
# Reference: https://qna.habr.com/q/1058482 (Russian)

alltee.buzz
anonymousfox.co
anonymousfox.io
anonymousfox.is
anonymousfox.mx
anonymousfox.to
bigercari.buzz
createseo.xyz
gloryplan.club
golang666.xyz
golangtools.live
ezreal333.icu
firstguide.xyz
firstok.xyz
gloryday.work
hahaha666.xyz
hellodolly666.xyz
hellodolly777.xyz
hellodolly888.xyz
hellodolly999.xyz
ok2345678.xyz
turnedpro.xyz
officialservicejp.com
flyingfishes.online
pinkpigs.online
runpenguin.online
tophead.online
walkdolphin.online
wtp9999999.xyz
api.firstguide.xyz
b1.gloryday.work
hello.firstguide.xyz
hello.hahaha666.xyz
hello.hellodolly666.xyz
hello.hellodolly777.xyz
hello.hellodolly888.xyz
hello.hellodolly999.xyz
hello.ok2345678.xyz
t.createseo.xyz
s.createseo.xyz
s.golangtools.live
s63.createseo.xyz
seo.createseo.xyz
seo.gloryday.work
seo1.createseo.xyz
seo3.createseo.xyz
seo1.doim.com
seo2.gloryday.work
seo23.firstok.xyz
seo30-1.firstok.xyz
seo30-2.firstok.xyz
seo32.firstok.xyz
seo35-1.firstok.xyz
seo35-2.firstok.xyz
seo50-1.firstok.xyz
seo50-2.firstok.xyz
seo50-3.firstok.xyz
seo601-1.firstok.xyz
seo601-2.firstok.xyz
seo801-1.firstok.xyz
seo802-1.firstok.xyz
seo803-1.firstok.xyz
seo804-2.firstok.xyz
seo805-1.firstok.xyz
seo806-2.firstok.xyz
seo808-1.firstok.xyz
seo809-1.firstok.xyz
seo810-1.firstok.xyz
seo811-1.firstok.xyz
seo82.firstok.xyz
seo92.firstok.xyz
a.turnedpro.xyz
api.turnedpro.xyz
hello.turnedpro.xyz
mn.turnedpro.xyz
p1.gloryplan.club
p2.gloryplan.club
p3.gloryplan.club
seo.gloryplan.club
seo1.turnedpro.xyz
seo10.turnedpro.xyz
seo2.turnedpro.xyz
seo3.turnedpro.xyz
seo4.turnedpro.xyz
seo5.turnedpro.xyz
seo6.turnedpro.xyz
seo7.turnedpro.xyz
seo8.turnedpro.xyz
seo9.turnedpro.xyz
track.turnedpro.xyz
seo45.officialservicejp.com
seo74.officialservicejp.com
seo802-8.officialservicejp.com
seo808-4.officialservicejp.com
seo824-2.officialservicejp.com
seo825-1.officialservicejp.com
seo826-1.officialservicejp.com
seo86.officialservicejp.com
seob215.officialservicejp.com
seoc226.officialservicejp.com
seo806-7.flyingfishes.online
seo812-8.flyingfishes.online
seo36.pinkpigs.online
seo804-6.pinkpigs.online
seo809-7.pinkpigs.online
seo810-6.pinkpigs.online
seo811-7.pinkpigs.online
seo814-7.pinkpigs.online
seo816-5.pinkpigs.online
seoa256.pinkpigs.online
seoc246.pinkpigs.online
seoc256.pinkpigs.online
seo104.runpenguin.online
seo35.runpenguin.online
seo54.runpenguin.online
seo602-3.runpenguin.online
seo801-4.runpenguin.online
seo801-5.runpenguin.online
seo802-2.runpenguin.online
seo802-3.runpenguin.online
seo804-4.runpenguin.online
seo806-4.runpenguin.online
seo808-3.runpenguin.online
seo809-4.runpenguin.online
seo810-2.runpenguin.online
seo810-5.runpenguin.online
seo811-3.runpenguin.online
seo812-5.runpenguin.online
seo815-3.runpenguin.online
seo815-4.runpenguin.online
seo817-2.runpenguin.online
seo818-2.runpenguin.online
seo819-2.runpenguin.online
seo819-3.runpenguin.online
seo820-2.runpenguin.online
seo821-1.runpenguin.online
seo821-3.runpenguin.online
seo822-1.runpenguin.online
seo824-1.runpenguin.online
seo824-3.runpenguin.online
seo84.runpenguin.online
seoa224.runpenguin.online
seob244.runpenguin.online
seob255.runpenguin.online
seoc215.runpenguin.online
seoc224.runpenguin.online
seoc244.runpenguin.online
seoc245.runpenguin.online
test.runpenguin.online
seo25.walkdolphin.online
seo11.tophead.online
seo51.tophead.online
seo81.tophead.online
seoa21.tophead.online
seoa212.tophead.online
seoa22.tophead.online
seoa221.tophead.online
seoa23.tophead.online
seoa232.tophead.online
seoa24.tophead.online
seoa241.tophead.online
seoa242.tophead.online
seoa243.tophead.online
seoa253.tophead.online
seob21.tophead.online
seob213.tophead.online
seob22.tophead.online
seob233.tophead.online
seob251.tophead.online
seob253.tophead.online
seoc21.tophead.online
seoc212.tophead.online
seoc22.tophead.online
seoc221.tophead.online
seoc23.tophead.online
seoc233.tophead.online
seoc24.tophead.online
seoc251.tophead.online
seoc253.tophead.online
seo805-4.walkdolphin.online
seo819-1.walkdolphin.online
seo820-1.walkdolphin.online
seo94.walkdolphin.online
/seeolkxa/

# Reference: https://www.virustotal.com/gui/ip-address/192.151.146.162/relations

site.gloryday.work

# Reference: https://twitter.com/unmaskparasites/status/1499536320896507906
# Reference: https://twitter.com/unmaskparasites/status/1511076575537557505
# Reference: https://twitter.com/unmaskparasites/status/1524843022952804352
# Reference: https://www.virustotal.com/gui/ip-address/111.90.143.157/relations

classicpartnerships.com
legendarytable.com
specialadves.com
storerightdesicion.com
ads.specialadves.com
click.specialadves.com
links.specialadves.com
refer.specialadves.com
blame.storerightdesicion.com
brr.storerightdesicion.com
chess.storerightdesicion.com
glove.storerightdesicion.com
lin.storerightdesicion.com
line.storerightdesicion.com
store.storerightdesicion.com
avasripts.classicpartnerships.com
comjavasripts.classicpartnerships.com
comwalk.classicpartnerships.com
event.classicpartnerships.com
events.classicpartnerships.com
javascript.classicpartnerships.com
javascripts.classicpartnerships.com
javasripts.classicpartnerships.com
open.classicpartnerships.com
scripts.classicpartnerships.com
simple.classicpartnerships.com
thisisatest.classicpartnerships.com
walk.classicpartnerships.com
white.classicpartnerships.com
34trick.legendarytable.com
clip.legendarytable.com
clipj.legendarytable.com
clipjs.legendarytable.com
comprint.legendarytable.com
comtrick.legendarytable.com
jack.legendarytable.com
print.legendarytable.com
trick.legendarytable.com

# Reference: https://twitter.com/unmaskparasites/status/1503550611756789760

32868.port0.org

# Reference: https://www.wordfence.com/blog/2022/03/increase-in-malware-sightings-on-godaddy-managed-hosting/

http://166.62.110.72
t-fish-ka.ru

# Reference: https://medium.com/@cirku17/wp-vcd-malware-analysis-7c5dbaad89c3
# Reference: https://github.com/CirKu17/wp-vcd-malware-sample
# Reference: https://twitter.com/BlackLotusLabs/status/1516415946587611137
# Reference: https://twitter.com/BlackLotusLabs/status/1516415948797976584
# Reference: https://twitter.com/BlackLotusLabs/status/1516415950396047380
# Reference: https://blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html
# Reference: http://web.archive.org/web/20200920003035/https://blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html
# Reference: https://www.virustotal.com/gui/ip-address/94.156.175.170/relations
# Reference: https://otx.alienvault.com/pulse/596e1049fbe8a2174f3af765
# Reference: https://otx.alienvault.com/pulse/5e4d6c5790faacd62f7afed6
# Reference: https://www.virustotal.com/gui/file/cb8d693752fdcf84a77c486dfe04c3d53631cce4f97e5cccfc3c3486e5b10ebd/detection

24x7themes.top
aotson.com
arilns.com
batots.com
benos.cc
bomndo.com
bomndo.xyz
brilns.com
catots.pw
comndo.com
crilns.com
dacocs.com
darors.com
denom.cc
derna.cc
devata.icu
dlword.press
dolodos.top
dolsh.pw
domndo.com
download-freethemes.download
downloadfreenulled.download
downloadfreethemes.cc
downloadfreethemes.co
downloadfreethemes.download
downloadfreethemes.io
downloadfreethemes.pw
downloadfreethemes.space
downloadnulled.pw
drilns.pw
eatots.com
facocs.com
fapilo.com
farors.com
fatots.com
fomndo.com
fonjy.cc
freedownload.network
freenulled.top
freethemes.space
frilns.com
gacocs.com
gapilo.com
garors.com
gatots.com
gomnd.xyz
gomndo.com
gomndo.top
gomndo.xyz
grilns.com
hacocs.com
harors.com
hatots.com
hoxford.net
jarors.com
jatots.cc
jomndo.com
karors.com
katots.com
krilns.com
lanons.com
larors.com
latots.pw
linos.cc
lomndo.com
lomndo.top
lomndo.xyz
macocs.com
mapilo.net
marors.com
matots.com
medsource.top
merna.pw
mlimus.com
moxford.cc
mrilns.com
narors.com
natots.pw
null24.icu
null5.top
nulledzip.download
pacocs.com
panons.com
parors.com
patots.com
pervas.top
pharors.pw
phatots.com
piastas.gdn
piasuna.gdn
plimur.me
plimur.net
plimus.info
plimuz.me
poxford.com
premiumfreethemes.top
prilns.com
qarors.com
qatots.com
rarors.com
ratots.com
romndo.com
sarors.com
satots.com
semasa.icu
spekt.com
tanons.com
tarors.com
tdreg.icu
tdreg.top
themesdad.com
themesfreedownload.net
themesfreedownload.top
tomndo.com
tretas.top
trilns.com
uapilo.com
uarors.com
uatots.com
varors.com
vatots.com
vomndo.com
vosmas.icu
vrilns.com
vtoras.top
wacocs.com
warors.com
watots.com
womndo.com
wpfreedownload.press
wpmania.download
wrilns.com
wrilns.pw
xapilo.com
xarors.com
xatots.com
yapilo.pw
yarors.com
yatots.com
yomndo.com
zanons.com
zarors.com
zatots.com
zinos.cc
zomndo.com
zoxford.com
zrilns.com
zrilns.pw

# Reference: https://twitter.com/felixaime/status/1518527498929254401

ocamw.xyz
cdn.ocamw.xyz

# Reference: https://twitter.com/unmaskparasites/status/1524093794961960960

drakefollow.com
clocal.drakefollow.com
doggy.drakefollow.com
links.drakefollow.com
local.drakefollow.com
out.drakefollow.com
poll.drakefollow.com

# Reference: https://twitter.com/unmaskparasites/status/1526241349049077761

greengoplatform.com
creative.greengoplatform.com
column.greengoplatform.com
links.greengoplatform.com

# Reference: https://twitter.com/unmaskparasites/status/1530282235630235648

jj99.life

# Reference: https://twitter.com/unmaskparasites/status/1531307100709670912

brandonrestaurant.com

# Reference: https://twitter.com/unmaskparasites/status/1532112174411157504

transportgoline.com
back.transportgoline.com
front.transportgoline.com
track.transportgoline.com

# Reference: https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html

/wp-content/plugins/wp-dumpme/click.php
/wp-content/plugins/wp-dumpme/clock.php
/wp-content/plugins/wp-dumpme/tasty.pot
/wp-content/plugins/wp-pimple/click.php
/wp-content/plugins/wp-pimple/clock.php
/wp-content/plugins/wp-sp/class.php
/wp-content/plugins/wp-sps/class.php
/wp-content/plugins/wp-sps/simple.php
/wp-content/plugins/wp-dumpme/
/wp-content/plugins/wp-pimple/
/wp-content/plugins/wp-sp/
/wp-content/plugins/wp-sps/

# Reference: https://twitter.com/momika233/status/1529694086193508353 (# CVE-2022-1609 WordPress Weblizar Backdoor)
# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1536008762397544448

/wp-json/am-member/license

# Reference: https://twitter.com/unmaskparasites/status/1546896319037333504
# Reference: https://twitter.com/riper81/status/1559567645313142784
# Reference: https://www.virustotal.com/gui/ip-address/91.211.91.104/relations

bettershitecolumn.com
cofounderspecials.com
away.bettershitecolumn.com
beat.bettershitecolumn.com
best.bettershitecolumn.com
cdn.bettershitecolumn.com
click.bettershitecolumn.com
load.bettershitecolumn.com
loft.bettershitecolumn.com
scripts.bettershitecolumn.com
space.bettershitecolumn.com
wpz.cofounderspecials.com
fly.cofounderspecials.com
js.cofounderspecials.com
spectre.cofounderspecials.com

# Reference: https://www.virustotal.com/gui/ip-address/101.99.95.147/relations

brend.specialadves.com
call.greengoplatform.com
collect.greengoplatform.com
comcollect.greengoplatform.com
comtrack.greengoplatform.com
find.greengoplatform.com
flash.greengoplatform.com
front.greengoplatform.com
ftrack.greengoplatform.com
lnks.greengoplatform.com
local.specialadves.com
track.greengoplatform.com

# Reference: https://twitter.com/unmaskparasites/status/1615121524536795136
# Reference: https://www.virustotal.com/gui/ip-address/159.69.234.10/relations

specialblueitems.com
violetlovelines.com
cdn.violetlovelines.com
light.specialblueitems.com
track.violetlovelines.com
way.specialblueitems.com

# Reference: https://twitter.com/unmaskparasites/status/1552334638999228417

apigooglee.com

# Reference: https://twitter.com/tosscoinwitcher/status/1556698096813232129
# Reference: https://www.abuseipdb.com/check/51.142.175.104

http://20.254.121.118
http://51.142.175.104
51.142.175.104:52970
/a57bze8931.php
/savepng.php?location=a57bze8931.php

# Reference: https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html
# Reference: https://blog.sucuri.net/2022/09/new-malware-variants-serve-bogus-cloudflare-ddos-captcha.html
# Reference: https://www.virustotal.com/gui/ip-address/5.42.199.146/relations
# Reference: https://www.virustotal.com/gui/ip-address/5.42.199.148/relations
# Reference: https://www.virustotal.com/gui/file/7b72c022d506fc09a22d7721f6f50defd00297f52a89f1000b4f50b273d7f8ff/detection

adogeevent.com
colliderporn.at
confirmation.at
confirmation-process.at
gloogletag.com
luxury-limousine.com
skambio-porte.com
softlab-sport.com
trailerstrade.com
yaritsavodka.com
cheking.confirmation.at
gov.confirmation.at
irs.gov.confirmation.at
madeformade.confirmation.at
security-browser.colliderporn.at
verify.confirmation.at

# Reference: https://twitter.com/unmaskparasites/status/1254766052296122368
# Reference: https://www.virustotal.com/gui/domain/trackstatisticsss.com/relations
# Reference: https://www.joesandbox.com/analysis/399034/0/html
# Reference: https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/

adsforbusines.com
stivenfernando.com
ps.stivenfernando.com
ws.stivenfernando.com
trackstatisticsss.com
adware.trackstatisticsss.com
count.trackstatisticsss.com
fox.trackstatisticsss.com
ount.trackstatisticsss.com
stat.trackstatisticsss.com
trstat.trackstatisticsss.com

# Reference: https://twitter.com/unmaskparasites/status/1235190676838633477

collectfasttracks.com

# Reference: https://twitter.com/felixaime/status/1278600095538262017 (# WPScriptInjection)
# Reference: https://twitter.com/felixaime/status/1278602674401955846
# Reference: https://twitter.com/unmaskparasites/status/1280581176747601920
# Reference: https://www.virustotal.com/gui/ip-address/185.244.172.39/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.9.148.49/relations

letsmakeparty3.ga
lobbydesires.com
tlcweb.ml
wpctrl.ga
wpctrl.gq
wpctrl.ml

# Reference: https://twitter.com/unmaskparasites/status/1289272342837895171
# Reference: https://twitter.com/unmaskparasites/status/1303792031693778947
# Reference: https://twitter.com/unmaskparasites/status/1303792922140254215
# Reference: https://twitter.com/unmaskparasites/status/1293570769545580545
# Reference: https://www.virustotal.com/gui/ip-address/45.9.148.126/relations

declarebusinessgroup.ga
developerstatss.ga
donatelloflowfirstly.ga
lowerbeforwarden.ml
trendopportunityfollow.ga

# Reference: https://twitter.com/unmaskparasites/status/1329490824875282432
# Reference: https://www.virustotal.com/gui/ip-address/217.144.106.108/relations

lovegreenpencils.ga

# Reference: https://twitter.com/unmaskparasites/status/1291406328129298434
# Reference: https://blog.sucuri.net/2020/07/reverse-string-woocommerce-wordpress-credit-card-swiper.html

localhostnametable.com

# Reference: https://github.com/DoctorWebLtd/malware-iocs/tree/master/Linux.Backdoor.WordPressExploit.1

deliverygoodstrategies.com
gabriellalovecats.com
clon.collectfasttracks.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-01-03-v10210/246
# Reference: https://www.virustotal.com/gui/ip-address/188.127.229.63/relations

tommyforgreendream.icu
transadforward.icu

# Reference: https://twitter.com/unmaskparasites/status/1577797497581613056
# Reference: https://www.virustotal.com/gui/file/dc39ec37839473ae1ad0dd7875205876ee84743609d28f2f4f55716c7659557a/detection

helpotus.com
/old_source/G1exHX0rYyv/
/wp-admin/EBxbU7MlIhOM/
/EBxbU7MlIhOM/
/G1exHX0rYyv/

# Reference: https://twitter.com/r3dbU7z/status/1586146279167361024
# Reference: https://blog.sucuri.net/2020/11/alfa-team-shell-v4-1-tesla-a-feature-update-analysis.html

http://87.238.210.44

# Reference: https://twitter.com/unmaskparasites/status/1496246505099108352

effectivecpmgate.com
trustedcpmrevenue.com

# Reference: https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html

ois.is

# Reference: https://twitter.com/unmaskparasites/status/1593388212797382656
# Reference: https://www.virustotal.com/gui/ip-address/192.236.208.12/relations

i-io.io
i-s.is
t-o.to

# Reference: https://twitter.com/unmaskparasites/status/1600270751911014400

isn.is

# Reference: https://twitter.com/unmaskparasites/status/1600566768631967744

bitly.email

# Reference: https://twitter.com/unmaskparasites/status/1600578315659927552

cutlinks.pw

# Reference: https://twitter.com/unmaskparasites/status/1602374685278470144
# Reference: https://twitter.com/unmaskparasites/status/1603106867794022401
# Reference: https://twitter.com/unmaskparasites/status/1615091657858514944
# Reference: https://twitter.com/unmaskparasites/status/1618041405515132928
# Reference: https://www.virustotal.com/gui/ip-address/142.11.214.173/relations
# Reference: https://www.virustotal.com/gui/ip-address/172.96.189.69/relations
# Reference: https://www.virustotal.com/gui/ip-address/198.27.80.139/relations
# Reference: https://pastebin.com/raw/ffjAeK2L

012.bond
5pm.am
7la.la
b-i-t-l-y.co
b-i-t-l-y.net
bit-ly.mobi
bitly.gold
bitly.host
bitly.team
c-you.cyou
cc-z.cz
co-o.co
cr-7.cc
cutlinks.biz
cutlinks.ca
cutlinks.ch
cutlinks.mobi
cutlinks.org
cuturls.net
d-ev.dev
g-l.gl
g-y.gy
gob.co.il
gov-cn.cloud
h-air.hair
i-cu.icu
i-n-fo.info
ilc.lc
isx.sx
mvc.vc
obz.bz
oo-o.co
oo.coffee
qis.is
s-sh.sh
tiny-url.mobi
ufox.info
vms.ms
vv-vip.vip
w-me.me
w-ws.ws
wac.ac
wco.pw
webb-i-t-l-y.co
webb-i-t-l-y.net
webbit-ly.mobi
webbitly.email
webbitly.team
webcc-z.cz
webcutlinks.pw
webgov-cn.cloud
webufox.info
wst.st
b-i-t-l-y.co.b-i-t-l-y.net
bit-ly.mobi.b-i-t-l-y.net
bitly.eb-i-t-l-y.net
bitly.team.b-i-t-l-y.net
gov-cn.cloud.b-i-t-l-y.net

# Reference: https://twitter.com/unmaskparasites/status/1593690935959093248
# Reference: https://www.virustotal.com/gui/ip-address/89.22.228.250/relations

findtrustclicks.com
weatherplllatform.com
go.weatherplllatform.com
main.weatherplllatform.com
new.weatherplllatform.com
news.weatherplllatform.com
scripts.weatherplllatform.com
verify.weatherplllatform.com
record.findtrustclicks.com

# Reference: https://twitter.com/unmaskparasites/status/1595142301931941888
# Reference: https://urlscan.io/domain/watchvideo.pro
# Reference: https://www.virustotal.com/gui/ip-address/178.132.6.250/relations

adstracker.info
cleaner.computer
cleaner.digital
cleaner.support
date-now.org
datenow.date
virusscanner.to
watchvideo.cc
watchvideo.info
watchvideo.me
watchvideo.online
watchvideo.pro
winalert.computer
winalert.download
winalert.net
winalert.org
winalert.support
winalerts.computer
winalerts.download
winalerts.info
winalerts.live
winalerts.support
wincleaner.computer
wincleaner.digital
wincleaner.download
wincleaner.info
wincleaner.pro
wincleaner.support
yohoo.financial
yohoo.info
04qam.winalert.org
05imd.wincleaner.info
072gp.winalert.download
08evp.winalert.org
08geo.winalert.org
08nm7.watchvideo.pro
0airs.wincleaner.info
0am5g.winalert.net
0btrs.winalert.net
0dzgq.winalert.org
0f2w4.cleaner.computer
17quw.winalert.net
19800.winalert.net
1ce99.winalert.net
1gebm.winalert.net
1ggt3.winalert.net
1if2h.date-now.org
1oteb.winalert.net
1rvi3.date-now.org
1sg6d.winalert.net
1v2a4.winalert.net
26034.winalert.net
26z3b.winalert.net
27fdw.wincleaner.info
27gkd.winalert.net
286fv.winalert.org
2gqjs.winalerts.download
2kauk.wincleaner.info
2ltfx.watchvideo.cc
2lz8m.winalert.net
2m8a2.cleaner.computer
2quvq.winalert.net
2sl11.winalert.net
2v7wf.wincleaner.info
2wy27.wincleaner.info
32c6t.wincleaner.info
33jf4.watchvideo.cc
34t93.wincleaner.info
35k09.winalert.net
388n7.watchvideo.cc
3fqts.watchvideo.pro
3fw6n.wincleaner.info
3gn8r.watchvideo.online
3n2ou.winalert.org
3qmkf.wincleaner.info
3u7xr.winalert.net
3wc2l.winalert.org
3xuvx.winalert.net
3ypih.watchvideo.online
42zif.wincleaner.info
44lek.winalert.net
45lox.winalert.org
4b5nm.watchvideo.cc
4bq92.watchvideo.cc
4daxl.wincleaner.info
4en3r.winalert.org
4hb94.winalert.net
4iblu.wincleaner.info
4nug6.winalert.net
4p8p4.winalert.net
4rmys.cleaner.support
4sv9c.wincleaner.info
4u6f3.winalert.net
4w7f0.winalert.net
4z1s0.wincleaner.info
512qg.winalert.net
521j4.winalert.net
52v86.winalert.net
53uqc.wincleaner.info
5547e.winalert.net
57274.watchvideo.cc
5afea.cleaner.computer
5auky.watchvideo.online
5i8kr.winalert.net
5nzna.cleaner.support
5o9ft.winalert.net
5sw2r.date-now.org
5uydw.winalert.net
5z7f9.watchvideo.cc
67is8.watchvideo.cc
6b6a7.winalert.org
6cx6k.watchvideo.online
6faol.wincleaner.info
6he52.winalert.org
6kt6i.watchvideo.cc
6o7dv.watchvideo.cc
6r15a.wincleaner.info
6trfc.winalert.net
70n30.watchvideo.cc
7cdn6.winalert.net
7dulx.winalert.net
7ej61.winalert.net
7ibmf.wincleaner.info
7jgpt.watchvideo.cc
7pddp.wincleaner.info
7qfid.winalert.net
7sg7f.wincleaner.info
7u7ic.winalert.net
7udlx.wincleaner.info
7vr38.winalert.download
81ksn.wincleaner.info
8517k.watchvideo.cc
8bkdo.winalert.net
8fug9.cleaner.computer
8lbt2.winalert.net
8mtev.watchvideo.cc
8neih.wincleaner.info
8njbf.winalert.computer
8v7gk.wincleaner.info
90nxt.wincleaner.info
933j0.winalert.net
97caz.wincleaner.info
981t8.wincleaner.info
98xa8.winalert.org
9bty3.winalert.net
9fzjj.winalert.org
9h20w.winalert.net
9kja2.wincleaner.info
9mxe6.watchvideo.online
9ojn2.wincleaner.info
9pla9.winalert.net
9q97s.cleaner.computer
9ud06.winalert.org
9wjib.watchvideo.cc
9x9hg.cleaner.support
9y73y.watchvideo.pro
9zfqz.winalert.net
a266p.wincleaner.info
a29pj.wincleaner.info
a3afq.cleaner.computer
a612w.winalert.org
a8v9e.winalert.net
aabrr.watchvideo.online
ajeu5.winalert.org
ams4e.wincleaner.info
ar79g.watchvideo.cc
aympj.winalert.net
b0xrd.wincleaner.info
b4xam.watchvideo.cc
b5bgk.watchvideo.pro
bdme3.winalert.net
bff2u.winalert.net
bhscx.winalert.net
bi39h.wincleaner.info
bk23s.watchvideo.cc
bnw0p.winalert.org
bs07r.wincleaner.info
bskwp.winalert.net
bzhz2.wincleaner.info
bzszc.winalert.org
c0jmk.wincleaner.info
c2huq.cleaner.computer
ciwv4.wincleaner.info
ckpb5.winalert.net
crmv2.watchvideo.cc
ctbbg.winalert.org
cwh4x.watchvideo.cc
cxbbd.wincleaner.info
cxjh1.wincleaner.info
cxrja.watchvideo.cc
d2t3e.winalert.net
d5oru.winalert.net
d7htf.wincleaner.info
d7vke.cleaner.support
d8mo1.watchvideo.online
dcfs0.winalert.net
degh9.wincleaner.info
dfo6v.winalert.net
dg3ov.winalert.net
dobtj.winalert.net
e1bua.watchvideo.online
e26t3.winalert.net
e6je1.wincleaner.info
e6mrm.wincleaner.info
e8y40.winalert.net
eg74w.watchvideo.online
el46o.winalert.net
epfet.winalert.net
erus5.watchvideo.pro
esuse.wincleaner.info
eu7yd.watchvideo.online
exs5w.winalert.org
exwyd.watchvideo.pro
eyns6.winalert.net
f05t1.wincleaner.info
f481t.winalert.net
f7unt.wincleaner.info
fc380.cleaner.computer
fp3kr.watchvideo.cc
fpzck.winalert.download
frnpd.winalert.net
fu9ms.winalert.net
fuj9w.winalert.net
fv848.winalert.net
fzc0bj.watchvideo.online
g119g.winalert.net
g35kd.winalert.net
gblkg.wincleaner.info
ge380.winalert.net
gfwcc.winalert.net
gjvdr.watchvideo.cc
gt3jq.winalert.net
gtub6.winalert.org
gzyoi.watchvideo.cc
h2aw7.cleaner.support
h46ht.winalert.net
h4fkl.wincleaner.info
hadaz.winalerts.download
has5w.winalert.net
hidsz.winalert.org
hw4dx.winalert.net
i9r8e.wincleaner.info
icrkn.winalert.net
idbkb.wincleaner.info
ihgty.watchvideo.online
ik9c2.watchvideo.cc
ikdzc.wincleaner.info
it0ga.wincleaner.info
it3ea.wincleaner.info
its5j.winalert.computer
j3nou.date-now.org
j3pda.watchvideo.online
j7k9a.winalert.net
j7nir.watchvideo.cc
j7p2p.wincleaner.info
j7qdo.winalert.net
j88q4.wincleaner.info
jbkef.wincleaner.info
jerzw.winalert.net
jfjf1.winalert.net
jfupd.wincleaner.info
jp021.watchvideo.pro
jqq34.winalert.net
jrw1y.wincleaner.info
jsk7n.watchvideo.online
jszar.winalert.net
k7u6p.wincleaner.info
khxsc.wincleaner.info
kiph6.winalert.download
kk9rh.winalert.net
kkrqg.wincleaner.info
kp1ye.watchvideo.cc
kpz5j.watchvideo.online
ks45c.winalert.net
kwews.wincleaner.info
kzquq.watchvideo.cc
kzttt.winalert.net
l4zb2.watchvideo.pro
l5gux.wincleaner.info
l62wa.winalert.net
l9031.winalert.net
lcz95.winalert.org
le7oh.winalert.net
lhot3.winalert.net
lnfa8.wincleaner.info
lofxn.watchvideo.cc
lrg96.wincleaner.info
lxn3h.wincleaner.info
m0mx3.winalert.net
m4p2q.winalert.net
ma9aj.winalert.net
mabr1.cleaner.computer
mcft4.wincleaner.info
mev9h.winalert.net
mffye.winalert.org
mmq5y.winalert.org
mvnae.watchvideo.online
mzphe.cleaner.computer
n22ry.winalert.org
n34d9.watchvideo.pro
n73wf.cleaner.support
n8d6g.winalert.net
na7f7.cleaner.computer
nchm0.winalerts.download
njt8x.winalert.net
nk7c4.watchvideo.cc
nlox1.watchvideo.cc
npz55.winalert.net
nvnvm.watchvideo.pro
o54xw.watchvideo.cc
o9svp.winalert.org
o9z7f.winalert.net
ofpy5.cleaner.support
ol04k.watchvideo.cc
olkg9.wincleaner.info
osb35.winalert.net
otx8p.watchvideo.cc
ow4zk.winalert.net
p3p8k.watchvideo.cc
p4cyf.winalert.net
p5o9u.winalert.org
p8ujw.winalerts.download
peyj7.winalert.net
pndys.watchvideo.online
psfew.watchvideo.online
psn9f.winalert.net
pv6hx.wincleaner.info
pvd0h.wincleaner.info
py8rq.winalert.net
q1i35.wincleaner.info
qfz58.watchvideo.cc
qhjik.watchvideo.online
qi7gg.winalert.net
qm8h7.wincleaner.info
qprmq.winalert.net
qu1m0.winalert.net
quet7.winalert.net
qvrrq.cleaner.computer
qy7kb.watchvideo.cc
r0cyu.wincleaner.info
r1s20.winalert.net
r4zhb.cleaner.computer
r575z.cleaner.support
ratgh.wincleaner.info
rccih.winalert.org
rk9tk.wincleaner.info
rmeoc.wincleaner.info
rp49y.wincleaner.info
rry22.winalert.net
ru4lx.watchvideo.online
rw5ut.watchvideo.cc
rz7qn.winalert.net
s0bnk.cleaner.support
s308l.winalert.net
s3d0c.cleaner.computer
s63jf.winalert.org
s67de.winalert.net
s8bx6.watchvideo.online
s8h6e.winalert.net
sb4is.winalert.net
sh6dw.wincleaner.info
smywt.watchvideo.cc
ssewr.wincleaner.info
sszf0.winalert.org
sudns.winalert.net
sw9kh.watchvideo.cc
t0686.watchvideo.cc
t1v97.winalert.net
t5sc2.wincleaner.info
talej.cleaner.computer
tf2k3.winalert.net
tfthn.winalert.net
tfu6j.watchvideo.cc
thdra.winalert.net
tiwam.wincleaner.info
tjjkm.winalert.org
tq1cp.winalert.net
tzada.winalert.net
u58jr.winalert.net
u5wdz.wincleaner.info
u8v3r.wincleaner.info
ubj98.wincleaner.info
ufkh2.wincleaner.info
uhlk.winalert.net
ul27t.winalerts.download
uru8s.watchvideo.cc
uwpuy.watchvideo.cc
v3ynj.winalert.net
vd3vi.winalert.net
veeek.watchvideo.pro
vfjg4.winalert.net
vif5m.winalert.net
vkzig.winalert.org
vmwsm.winalert.org
vnagw.winalert.net
vo47j.watchvideo.cc
voaz2.winalert.org
vy79r.watchvideo.online
w2n7o.cleaner.computer
wc0jg.watchvideo.online
wcbsf.wincleaner.info
wcfl7.wincleaner.info
wm96e.winalert.net
wt177.cleaner.computer
wt8fy.winalert.net
wugrk.cleaner.support
ww1ig.winalert.org
wxifm.winalert.org
wykbp.winalert.net
x1r7i.winalert.net
x69js.watchvideo.cc
x8hob.winalert.net
xhvos.wincleaner.info
xlj5v.wincleaner.info
xnpv9.winalert.net
xp10k.watchvideo.cc
xqe15.winalert.net
xqhv7.wincleaner.info
xra4x.watchvideo.cc
xt3hf.watchvideo.online
xtj5c.wincleaner.info
xukbz.winalert.net
xvtqv.winalert.net
y1uc8.winalert.net
y3yex.wincleaner.info
y6rys.wincleaner.info
y8oo5.watchvideo.cc
y8qws.winalert.org
yag9m.watchvideo.cc
ybz2c.winalert.net
ygm57.winalert.org
yis3d.winalert.net
yl9ln.winalerts.download
ynckp.watchvideo.cc
ynv1c.watchvideo.cc
yohsx.winalert.net
ysxmsl.watchvideo.cc
ytcig.winalert.computer
yvgqe.date-now.org
yyirk.wincleaner.info
z2swm.wincleaner.info
z5wyt.winalert.net
zc0bj.watchvideo.online
zfrqo.winalert.org
zg7cg.winalerts.download
zgjnb.winalert.net
zgwq9.watchvideo.pro
zhecc.winalert.net
zj7h7.cleaner.computer
zju6f.wincleaner.info
zos6z.winalert.net
zr38i.winalert.net
zsg7s.winalert.net
zt7q6.winalert.net
ztk09.wincleaner.info
zumvv.winalert.net
zvddr.winalert.net
zw1ll.wincleaner.info
zzylv.winalert.net

# Reference: https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-sites-as-platform-for-black-hat-ad-network.html

chestishugli.com
duhestyce.com
dusyguri.com
fujonusy.com
ginepija.com
heglosuty.com
hydothera.com
hyxumuta.com
interestmoments.com
jefashivy.com
kawunimy.com
ladyphapty.com
laluvygy.com
lebinaphy.com
psihimapto.com
similarwebline.com
thirawogla.com
tuleceti.com
vozastane.com
wholegrady.com
whujyfali.com
whychymithy.com
files.findtrustclicks.com
long.interestmoments.com
short.interestmoments.com
similar.similarwebline.com
template.interestmoments.com

# Reference: https://twitter.com/unmaskparasites/status/1620156750723973121

firstblackphase.com
dns.firstblackphase.com

# Reference: https://twitter.com/unmaskparasites/status/1623407097949077504

dofollowgreenline.com
sortyellowapples.com
back.firstblackphase.com
come.sortyellowapples.com
get.firstblackphase.com
get.sortyellowapples.com
goaway.dofollowgreenline.com
scripts.dofollowgreenline.com
shop.similarwebline.com
step.firstblackphase.com
store.firstblackphase.com
track.firstblackphase.com

# Reference: https://www.virustotal.com/gui/ip-address/194.135.30.40/relations

away.firstblackphase.com
away.similarwebline.com
final.similarwebline.com
first.interestmoments.com

# Reference: https://twitter.com/unmaskparasites/status/1628475618290700289
# Reference: https://www.virustotal.com/gui/ip-address/194.135.30.210/relations

statisticline.com
check.statisticline.com
for.firstblackphase.com
pista.violetlovelines.com
trac.violetlovelines.com

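# Reference: https://twitter.com/unmaskparasites/status/1636765304062881792
# Note: the two workers.dev entries below are look-alike hostnames on Cloudflare Workers, not Google Analytics infrastructure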

wensbol.site
google-analytics.workers.dev
static.google-analytics.workers.dev

# Reference: https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html

accongestion.com
actraffic.com
admarketlocation.com
adsrequestbest.com
adtrafficjam.com
backrocklondon.com
balanceformoon.com
balanceforsun.com
balantfromsun.com
becausenightisbetter.com
becauseshineisbetter.com
beforwardplay.com
belaterbewasthere.com
belazyelephant.com
belighterservice.com
bluelabelmoscow.com
bullgoesdown.com
buyittraffic.com
carlbendergogo.com
cdn.statisticline.com
chatwithgreenbar.com
costsimpleplay.com
createrelativechanging.com
cuttraffic.com
dancewithlittleredpony.com
deliverblackjohn.com
denzzzelwashington.com
destinyfernandi.com
dexterfortune.com
donaldbackinsky.com
followmyfirst1.com
generallocationgo.com
giantttraffic.com
globallyreinvation.com
gotosecond2.com
greenlabelfrancisco.com
greenrelaxfollow.com
importtraffic.com
jockersunface.com
letsmakesomechoice.com
lightversionhotel.com
littleandbiggreenballlon.com
main.travelfornamewalking.ga
makesomethird3.com
port.transandfiestas.ga
postertraffic.com
primarylocationgo.com
privacylocationforloc.com
puttraffic.com
redfunchicken.com
redlabellondon.com
redrelaxfollow.com
requestfor4.com
resolutiondestin.com
slow.destinyfernandi.com
speakwithjohns.com
specialthankselsa.com
startrafficc.com
talktofranky.com
toupandgoforward.com
trafficlmedia.com
transandfiestas.ga
trasnaltemyrecords.com
traveltoscount.com
verybeatifulantony.com
wiilberedmodels.com
worldctraffic.com
yellowlabeltokyo.com
/wp-clearlineee/
/wp-resortpack/
/wp-resortpack/clock.php
/wp-resortpack/tasty.pot

# Reference: https://blog.malwarebytes.com/threat-analysis/2018/09/mass-wordpress-compromises-tech-support-scams/

drupalupdates.tk
ejyoklygase.tk
examhome.net
mp3menu.org
uustoughtonma.org
voipnewswire.net
ads.voipnewswire.net
cdn.allyouwant.online

# Reference: https://otx.alienvault.com/pulse/5d9cadcab8eefffbac23367a
# Reference: https://blog.sucuri.net/2017/05/fake-wordprssapi-stealing-cookies-and-hijacking-sessions.html
# Reference: https://www.scmagazineuk.com/cookie-monster-malware-steals-cookies-hijacks-wordpress-sessions/article/1474671

1.newor.net
12mlbe.com
2.api.viralheadlines.net
3.newor.net
a01.u-ad.info
abtrcking.com
adpoints.media
adrenalinecdn.com
adsvcs.com
affect.lt
affilizr.com
agrkings.com
airjss.com
andrewandjack.com
api.behavioralmailing.com
api.viralheadlines.net
avrti.xyz
b.nwcdn.xyz
baidustatic.pw
beatchucknorris.com
behavioralmailing.com
bh-cdn.com
blozoo.net
botthumb.com
bwinpoker24.com
c.radxcomm.com
caphyon-analytics.com
cdn.adpoints.media
cdn.avrti.xyz
cdn.echoenabled.com
cdn.inaudium.com
cdn.jquery.tools
cdn.muse-widgets.ru
cdn.owlcdn.com
cfs.u-ad.info
chat-client-js.firehoseapp.com
cleantds.in
clk-analytics.com
code.jguery.org
con1.sometimesfree.biz
connect.f1call.com
d0.histats.12mlbe.com
da.adsvcs.com
daljarrock.hurlinesswhitchurch.com
dancewithme.biz
dcts.pw
dezaula.com
dup.baidustatic.pw
e.e708.net
e708.net
earsham.pontypriddcrick.com
echoenabled.com
f1call.com
firehoseapp.com
flipdigital.ru
free-codes.org
frompariswithhate.org
gamescale.vio.rocks
getsocialbuttons.xyz
histats.12mlbe.com
hmailserver.in
hosted-oswa.org
hurlinesswhitchurch.com
i.omeljs.info
i.rfgdjs.info
i.selectionlinksjs.info
i3.putags.com
ijquery9.com
imaginaxs.com
inaudium.com
infinite-2.tcs3.co.uk
infinite-3.tcs3.co.uk
java.sometimesfree.biz
jguery.org
jquery.im
jquery.tools
js.nster.net
js.sn00.net
js.trafficanalytics.online
js2.sn00.net
kanpianjs.top
keit.kristofer.ga
kristofer.ga
kuru2jam.com
lb.wa-track.com
livestats.us
log.widgetstat.net
m.free-codes.org
m.xfanclub.ru
mediros.ru
muse-widgets.ru
narnia.tcs3.co.uk
newor.net
nstracking.com
nwcdn.xyz
oasagm82wioi.org
omeljs.info
omnitor.ru
onlinemarketplace.top
orange81safe.com
ournet-analytics.com
owlcdn.com
parts.kuru2jam.com
pipardot.com
pontypriddcrick.com
putags.com
radxcomm.com
rarstats.com
rfgdjs.info
rolledwil.biz
s.orange81safe.com
s1.omnitor.ru
sbdtds.com
script.affilizr.com
sdb.dancewithme.biz
segpress.io
selectionlinksjs.info
seo101.net
sn00.net
sometimesfree.biz
spartan-ntv.com
src.dancewithme.biz
srv1.clk-analytics.com
st.segpress.io
st.stadsvc.com
stablemoney.ru
stadsvc.com
stat.botthumb.com
stat.rolledwil.biz
static.bh-cdn.com
tag.imaginaxs.com
takoashi.net
tcs3.co.uk
themes.affect.lt
trafficanalytics.online
trafficapi.nl
traffictrade.life
tsometimesfree.biz
u-ad.info
upgraderservices.cf
upskirt-jp.net
viralheadlines.net
w5983.lb.wa-track.com
wa-track.com
webstats.xcellenzy.com
widgets.wowzio.net
widgetstat.net
wowzio.net
xcellenzy.com
xfanclub.ru
yourmsrp.com
yys1982.com
zirve100.com

# Reference: https://wordpress.org/support/topic/website-hacked-index-php-totally-changed/
# Reference: https://www.virustotal.com/gui/domain/bingstyle.com/relations

bingstyle.com
saleforyou.org

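# Reference: https://twitter.com/unmaskparasites/status/1650944399969513472
# Reference: https://twitter.com/unmaskparasites/status/1653124417596329985
# Reference: https://twitter.com/unmaskparasites/status/1656024953249218560
# Reference: https://www.virustotal.com/gui/ip-address/194.135.30.210/relations
# Reference: https://www.virustotal.com/gui/ip-address/2.59.222.113/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.9.148.27/relations
# NOTE(review): this block repeats trails already listed earlier in this file (e.g. firstblackphase.com, dofollowgreenline.com, cdn.statisticline.com).
# NOTE(review): the ack./ay./cripts./rack. and comcdn./comtrack. hostnames below look like clipped or run-together forms of back./way./scripts./track. and cdn./track. in the same block - possibly extraction artifacts; verify against the references.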

beatylines.com
descriptionscripts.com
dofollowgreenline.com
firstblackphase.com
sortyellowapples.com
specialblueitems.com
statisticline.com
trackersline.com
violetlovelines.com
weatherplllatform.com
ack.firstblackphase.com
away.firstblackphase.com
ay.specialblueitems.com
back.firstblackphase.com
block.descriptionscripts.com
cdn.statisticline.com
cdn.violetlovelines.com
check.statisticline.com
comcdn.statisticline.com
come.sortyellowapples.com
comtrack.violetlovelines.com
cripts.dofollowgreenline.com
dns.firstblackphase.com
e.sortyellowapples.com
far.statisticline.com
fire.descriptionscripts.com
for.firstblackphase.com
for.sortyellowapples.com
get.firstblackphase.com
get.sortyellowapples.com
goaway.dofollowgreenline.com
light.specialblueitems.com
line.beatylines.com
main.weatherplllatform.com
pista.violetlovelines.com
rack.violetlovelines.com
reway.specialblueitems.com
script.dofollowgreenline.com
scripts.dofollowgreenline.com
select.sortyellowapples.com
shop.similarwebline.com
stat.descriptionscripts.com
stats.statisticline.com
stay.trackersline.com
step.descriptionscripts.com
step.firstblackphase.com
stock.statisticline.com
store.firstblackphase.com
trac.violetlovelines.com
track.firstblackphase.com
track.violetlovelines.com
way.specialblueitems.com

# Reference: https://twitter.com/daniel_sloof/status/1658109542108917761
# Reference: https://www.virustotal.com/gui/ip-address/194.135.30.210/relations
# Reference: https://www.virustotal.com/gui/ip-address/2.59.222.113/relations
# Reference: https://www.virustotal.com/gui/ip-address/2.59.222.122/relations
# Reference: https://app.validin.com/axon?type=dom&limit=100&find=*.scriptsplatform.com

scriptsplatform.com
away.scriptsplatform.com
cdn.scriptsplatform.com
come.scriptsplatform.com
get.scriptsplatform.com
statistic.scriptsplatform.com
statistics.scriptsplatform.com
top.scriptsplatform.com

# Reference: https://twitter.com/unmaskparasites/status/1660440128207327233

clickandanalytics.com
cdn.clickandanalytics.com
click.clickandanalytics.com
come.clickandanalytics.com
put.clickandanalytics.com

# Reference: https://www.virustotal.com/gui/ip-address/91.238.104.193/relations
# Reference: https://www.virustotal.com/gui/ip-address/2.59.222.119/relations
# Reference: https://www.virustotal.com/gui/ip-address/2.59.222.122/relations

linestoget.com
away.linestoget.com
collect.clickandanalytics.com
get.linestoget.com
go.linestoget.com
lists.clickandanalytics.com
spot.scriptsplatform.com
stay.linestoget.com

# Reference: https://www.virustotal.com/gui/file/eedb020cff479ebcb511376b902825a0e35e5549346462548c0bca8d6ecd7ac3/detection

111.90.148.245:3503
/LIboibne3ru6sighe6urpcsgo/checkquit
/LIboibne3ru6sighe6urpcsgo/get
/LIboibne3ru6sighe6urpcsgo/set
/LIboibne3ru6sighe6urpcsgo/

# Reference: https://www.virustotal.com/gui/file/21bfc6439c7c750846a8e6a337621f49843dea714e4ce5f9dc72908f09f513c0/detection

111.90.148.245:3319

# Reference: https://www.virustotal.com/gui/file/c3afe8bee1512205bbd01ea486679de547ff61c697f13220c833d3b0f5117e75/detection

111.90.148.245:3411

# Reference: https://www.virustotal.com/gui/file/b0588dd8bba4a3e098176834f98cb9ecfd447614a06e56b34eba144674c66f7d/detection

111.90.148.245:3491

# Reference: https://www.virustotal.com/gui/file/998622fd0e64534704c699b7a91639e036623af28ad6f37b4abe4af0523ada7d/detection

111.90.148.245:3457

# Reference: https://www.virustotal.com/gui/file/66733ed1a4eb310f3f3026170a240d952b7464505ff8bbff394122f16b3bf81b/detection

111.90.148.245:3467

# Reference: https://www.virustotal.com/gui/file/5f9d59f33f5fe45de008c134585f682261f2498ce298fa082d047ed5c5d6638e/detection

111.90.148.245:3431

# Reference: https://www.virustotal.com/gui/file/51233d54c17ee49323bbc50a230a2904d91241e54f1ddd036c3bae1fd47990ff/detection

111.90.148.245:3429

# Reference: https://blog.sucuri.net/2023/02/bogus-url-shorteners-redirect-thousands-of-hacked-sites-in-adsense-fraud-campaign.html

filestack.live
0-4.top
77w.pw
99pw.pw
9ge.ge
b-d.bond
b-ly.link
b-y.by
bit-ly.is
bitly.best
bitly.network
c-lick.click
fco.to
fmo.fm
gov.co.ve
icx.cx
ii-ii.ru
j-e.je
l-o.loan
l-ol.lol
lbz.bz
m-n.mn
n-g.ng
n-z.nz
psu.su
s-b.sb
s-k.sk
sy-s.systems
u-mu.mu
uxe.luxe
vvg.vg
w-tw.tw
wci.ci
xx-yz.xyz
