# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/MichalKoczwara/status/1601324821614194688

165.22.30.136:3000
165.22.30.136:4000
165.227.198.201:3000
165.227.198.201:4000
20.172.22.144:3000
20.172.22.144:4000
23.99.193.156:3000
23.99.193.156:4000
46.101.184.179:3000
46.101.184.179:4000

# Reference: https://twitter.com/MichalKoczwara/status/1602582437648908289

78.141.195.16:1337

# Reference: https://twitter.com/MichalKoczwara/status/1634155939585482754

143.198.32.165:4000
167.71.190.181:4000

# Reference: https://www.virustotal.com/gui/ip-address/209.97.137.33/relations

evilginx-test.ddns.net
okta.evilginx-test.ddns.net
login.okta.evilginx-test.ddns.net

# Reference: https://twitter.com/banthisguy9349/status/1736660660405039482

13.56.179.221:4000
143.198.43.83:4000
178.62.209.220:4000
54.219.177.74:4000
67.207.82.103:4000
foofficel.com
microssofttonline.nl

# Reference: https://threatfox.abuse.ch/browse/tag/EvilGinx/

143.198.138.173:4000
159.65.47.249:4000
185.224.139.32:2053
195.74.86.44:8443
20.98.48.148:2002
45.56.92.137:443
5.42.64.70:2096
68.219.200.71:4000
aa.aeromexico.foundation
account.avenueconsulting.co
account.trabede.com
ads.customerportalverify.store
adsmanager-graph.eyardimgov.org
adsmanager.eyardimgov.org
api.qantas.aeromexico.foundation
apis.customerportalverify.store
autologon.huenumilla.cl
avenueconsulting.co
b.stats.paypal.secureapp.tools
bank.customerportalverify.store
bfp.usaa.website
bitcdemo-com.huenumilla.cl
blogger.customerportalverify.store
book.qantas.aeromexico.foundation
brannptonbrick.com
browser.huenumilla.cl
business.eyardimgov.org
c6.customerportalverify.store
cdn.aa.aeromexico.foundation
clix.usaa.website
collector.logins.services
content.customerportalverify.store
customerportalverify.store
documentsigningonline.com
drive.google.secureapp.tools
employees.carlsberg.site
fc.customerportalverify.store
foremostsgroup.com
fusion.os.gov.aisp.ps
fusion.ps.gov.aisp.ps
gettymefondeploy.online
github.logins.services
global.customerportalverify.store
graph.eyardimgov.org
isf.gov.lb.gov.aisp.ps
jebmefals.com
live.huenumilla.cl
lms.usaa.website
login-us.huenumilla.cl
login.avenueconsulting.co
login.factset.company
login.microsoft.fom-dev1.bloemer-net.de
login.recruiterteams.com
login.trabede.com
logs.customerportalverify.store
m.customerportalverify.store
mail.carlsberg.site
mail.mod.gov.eg.gov.aisp.ps
mail10.email.gov.aisp.ps
mcasproxy.huenumilla.cl
microsoft.huenumilla.cl
mobile2.usaa.website
myaccount.customerportalverify.store
myaccount.google.secureapp.tools
notifications.google.secureapp.tools
objects.usaa.website
office365.huenumilla.cl
ogs.customerportalverify.store
okta.outlook.nerdwriter.com
omns.customerportalverify.store
outlook-1.huenumilla.cl
outlook-us.huenumilla.cl
outlook.avenueconsulting.co
outlook.trabede.com
passwords.dordaa.at
paxful.usaa.website
play.customerportalverify.store
portal.carlsberg.site
potomac-clickstream.usaa.website
qantas.aeromexico.foundation
recruiterteams.com
secure.duevolostore.com
secure07c.usaa.website
sensors.usaa.website
sessions.usaa.website
smetrics.aa.aeromexico.foundation
smetrics.customerportalverify.store
smtc.qantas.aeromexico.foundation
ssl.google.secureapp.tools
sso.drivevvyze.com
sso.outlook.nerdwriter.com
static.customerportalverify.store
static.facebook.secureapp.tools
static.qantas.aeromexico.foundation
stats.customerportalverify.store
sts.securedocumentservices.ca
t.customerportalverify.store
us.azureauth-duo.factset.company
w1.avenueconsulting.co
webdisk.avenueconsulting.co

# Reference: https://threatfox.abuse.ch/browse/tag/EvilGinx/ (# 2024-01-23)

http://192.119.110.233
143.198.64.151:4000
15.207.223.179:443
188.166.209.186:4000
192.119.110.233:5000
account.deenpel.com
cpanel.dnl-l.ooguy.com
cpcalendars.dnl-l.ooguy.com
cpcontacts.dnl-l.ooguy.com
dnl-l.ooguy.com
expedia-realtime.expeida.net
expedia-rest.expeida.net
expeida.net
hwsrv-1125909.hostwindsdns.com
login.deenpel.com
mediaim.expeida.net
oms.expeida.net
onboarding.expeida.net
outlook.deenpel.com
pay.expeida.net
redirect-r1.pay.expeida.net
static.pay.expeida.net
vap.expeida.net
webmail.dnl-l.ooguy.com

# Reference: https://twitter.com/MichalKoczwara/status/1752446013359403109

miicrossofftonline.nl

# Reference: https://x.com/AvastThreatLabs/status/1806720963205107787

xpfdoc0365090.com
apps.xpfdoc0365090.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-09-22)

103.47.226.152:3333
134.209.32.59:3333
137.184.38.108:3333
137.184.53.6:3333
138.197.133.22:4000
147.182.133.204:3333
161.35.232.141:4000
167.71.81.157:3333
170.64.224.234:4000
212.111.43.6:3333

# Reference: https://threatfox.abuse.ch/browse/tag/EvilGinx/ (# 2024-09-22)

account.driddex.shop
amazon.testfish.dosoos.com
apis.accountonline.live
events.api.georgicaautoholding.com
jobsprogress.pro
login.monmt.com
mailsession.com
monmt.com
mrdiy.diy
mrdyi.store
newscom.today
o365.zicar.info
outlook.adminstream.org
outlook.mailsession.com
perfectogruop.net
session.mailsession.com

# Reference: https://threatfox.abuse.ch/browse/tag/EvilGinx/ (# 2024-10-13)

134.209.32.140:3333
134.209.40.17:3333
137.184.83.183:4000
161.35.11.78:4000
161.35.4.145:4000
165.22.185.225:3333
167.99.145.60:3333
46.105.63.11:3333
62.84.102.226:3333
85.119.82.36:3333

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-01-02)

142.93.165.129:3333
143.110.149.242:4000
146.19.254.74:3333
154.213.187.9:4444
159.223.245.31:3333
161.35.67.226:3333
163.5.160.51:443
18.117.79.177:4444
192.34.59.54:3333
194.62.167.248:3333
209.127.255.68:3333
23.94.148.18:443
34.71.33.30:3333
45.56.69.210:3333
93.95.228.242:3333

# Reference: https://x.com/MichalKoczwara/status/1926722005199470620

mlcrosofft.com
ads.mlcrosofft.com
sso.mlcrosofft.com
ssoo.mlcrosofft.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-06-14)

101.32.60.83:4000
104.248.117.30:3333
104.248.167.114:3333
107.161.24.157:3000
119.28.223.139:4000
123.57.143.3:3333
13.60.69.8:3333
137.184.89.150:3333
138.197.25.162:3333
139.59.170.92:3333
143.110.253.93:9000
143.198.105.117:3333
144.172.104.45:3333
146.70.158.214:4000
148.163.80.27:3333
154.58.204.91:9000
156.238.230.148:3333
156.238.230.224:3333
158.160.18.227:3333
159.100.6.112:9000
159.100.9.105:3333
159.65.128.86:3333
159.65.130.32:3333
160.119.251.40:8443
161.35.194.66:3333
164.92.72.96:4000
167.88.164.138:3333
167.99.42.160:4000
172.245.152.21:4000
174.136.229.54:3333
176.111.216.82:3333
176.123.1.151:9000
176.123.2.185:9000
176.126.103.125:4000
176.126.103.251:4000
176.126.103.64:4000
178.62.29.13:3333
18.177.125.151:9000
18.217.106.242:4444
185.101.23.248:3333
185.101.23.252:3333
185.146.232.235:4000
185.193.125.249:4000
185.238.2.142:9000
188.166.199.174:3333
193.56.23.80:3333
194.180.158.14:80
194.195.251.227:4000
194.233.76.207:443
194.62.166.165:3333
194.62.167.215:3333
196.251.114.4:4000
20.83.181.241:443
209.38.202.104:4000
209.38.96.47:4000
209.74.88.128:4000
212.224.86.224:9000
216.176.190.164:3333
217.114.43.122:4000
217.114.43.234:4000
217.114.43.53:4000
23.137.104.78:4000
23.137.105.217:4000
23.227.199.88:443
3.141.231.53:3333
3.145.74.158:3333
31.172.87.193:4000
35.87.129.75:443
37.221.111.94:3333
38.146.27.131:4000
38.146.28.166:4000
43.160.207.83:3333
45.61.160.127:3333
45.86.86.49:9000
52.62.100.83:3333
52.78.43.89:9000
57.182.91.111:4000
62.60.187.68:3333
63.133.220.145:3333
64.23.243.220:3333
77.92.145.20:9000
79.133.51.132:8443
81.0.247.170:143
81.0.247.170:25
81.0.247.170:443
81.0.247.170:993
81.0.247.170:995
84.200.17.247:4000
84.200.24.88:443
84.32.131.104:3333
84.32.131.163:3333
85.239.33.253:9000
87.251.78.217:4000
87.251.78.239:4000
87.251.78.30:4000
87.251.78.37:4000
88.216.68.32:3333
91.209.135.198:4000
91.209.135.199:4000
91.209.135.202:4000
91.209.135.229:4000
91.209.135.231:4000
91.209.135.233:4000
91.209.135.252:4000
91.209.135.71:4000
91.209.135.84:4000
91.209.135.88:4000
93.177.109.20:3333

# Generic

/evilginx-linux-amd64.tar.gz
