# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/

http://100.26.189.49
http://18.219.52.4

# Reference: https://twitter.com/sirpedrotavares/status/1216016629835948032

http://18.217.136.142

# Reference: https://twitter.com/sirpedrotavares/status/1227957576047955971

http://13.59.112.88

# Reference: https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/

fucktheworld.s3.us-east-2.amazonaws.com
nothingcanstopus.s3.us-east-2.amazonaws.com
oiurx14x.s3.us-east-2.amazonaws.com
sdghsuidhoidoghsdc19c.s3.us-east-2.amazonaws.com
sdgsdbfabsfuhoiuhfosdpnfsdbc13c.s3.us-east-2.amazonaws.com
vrau-x.s3.us-east-2.amazonaws.com

# Reference: https://twitter.com/sirpedrotavares/status/1259980592009134082
# Reference: https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/

http://108.61.181.207

# Reference: https://www.joesandbox.com/analysis/211091/0/html
# Reference: https://www.virustotal.com/gui/file/f22f98a298133bc0498914ef99531ffa327e613886f311d5170dac93a0de617b/detection
# Reference: https://www.virustotal.com/gui/file/f43316cb743dee5a90bc351c6b8b702390b9f6fad94caf2af858c01b9f05c85e/detection

http://185.219.135.119
http://185.219.135.252

# Reference: https://securityaffairs.co/wordpress/105634/malware/new-release-lampion-trojan.html

5.188.9.28:9171

# Reference: https://twitter.com/pollo290987/status/1565249453468143618

aculpaedopt.s3.us-east-2.amazonaws.com

# Reference: https://twitter.com/noexceptcpp/status/1615832526466990080
# Reference: https://twitter.com/tosscoinwitcher/status/1615852040621813766
# Reference: https://tria.ge/230118-256qhsha8w/behavioral1

http://5.199.162.122
anydeskkapdo.info
casadosoftware.net
wwwwanydesky.com

# Reference: https://twitter.com/DonPasci/status/1635306470811238400
# Reference: https://twitter.com/DonPasci/status/1635308925762543616
# Reference: https://tria.ge/230313-ssrw6ada5t/behavioral2
# Reference: https://www.joesandbox.com/analysis/825605?idtype=analysisid#iocs
# Reference: https://www.virustotal.com/gui/file/25884495d9c27c8b120bfab40bd28b7f5255b4916c54c7fb74a90dd8000bf44e/detection
# Reference: https://www.virustotal.com/gui/file/fbcc321f10e8ed9fbda3e9d9ce6cc03ad1fa3c83578a2b22ec7f6fd853412750/detection
# Reference: https://www.virustotal.com/gui/file/cb6901ccc6c51ab46b327eb44c5dc7cc597e38c89a7584177e58d5d0f26fe45f/detection

http://103.117.141.91
anydeskremote.shop
downloadanydesk.info
/conta1/vem.php
/conta2/vem.php

# Reference: https://x.com/lontze7/status/1798242969579057536
# Reference: https://www.virustotal.com/gui/file/0a88eb89cc1c01986d06fceaf26a8a681e91d27737046194222aa71bb051cbe6/detection

http://103.117.141.64
app.massgra.online
ativar.gotdns.ch
chwinupdatewin22.ddns.net
gomesnetgingsm45.ddns.net
key-office.ddns.net
masgraves.ddns.net
massgra.site
massgravess.ddns.net
mywinappup08.ddns.net
offikey.ddns.net
servidorwhm.shop
update-pdfadobe202419.sytes.net
windoactveeendsdki.servehttp.com

# Reference: https://x.com/smica83/status/1966107477084115364
# Reference: https://x.com/blackorbird/status/1983554153634033777
# Reference: https://www.bitsight.com/blog/brazil-love-new-tactics-lampion
# Reference: https://www.virustotal.com/gui/file/f923b0328ee554f561786ad191bde6e3feb41f60264448607c76ff472506a056/detection
# Reference: https://www.virustotal.com/gui/file/0f97e480b161a69d5be0757297610f157fdb35616fa787486bac051313995e21/detection
# Reference: https://www.virustotal.com/gui/file/28b63bdf38debd7a2157a5fa14496c6030d200a1bed6b575e12650b0e78a61f7/detection
# Reference: https://www.virustotal.com/gui/file/39ad440793031f3940b78de07db91b1939829146f2680215a0f223d761144bc1/detection
# Reference: https://www.virustotal.com/gui/file/43ae7ceeffbfdad00a0403ca7d158ca3fee63850dc9f07cdde9c3c30113eebf8/detection
# Reference: https://www.virustotal.com/gui/file/47d71b3cb701dedb904ddf3982a11f25efd4ad1f34fb5afe740255751c9a2f0f/detection
# Reference: https://www.virustotal.com/gui/file/486935a47fbbff02ae9796a73029c60430515bd1aba17f1e54144279a2134bf6/detection
# Reference: https://www.virustotal.com/gui/file/4a37dc314cbab306d03c7309ba082ad82c868aac5ecc1318c2e9507320fdd409/detection
# Reference: https://www.virustotal.com/gui/file/4c510bf711c34e51e0cfffc57bedd6b59245e94db15b4bd4b4fb4cbd6d24f53f/detection
# Reference: https://www.virustotal.com/gui/file/71bd115560ff11f812f43054bf0a09a6a5eaf326fa0f274ef7653c2a4d976f89/detection
# Reference: https://www.virustotal.com/gui/file/f762996390fe28608b7cba99639e1988579222c7faed04a53824f10f1f51fe12/detection
# Reference: https://www.virustotal.com/gui/file/ee133d2b90ff4232d44aec26dd1638d258f0dd8e51e92c99fe2e809b185ab5c4/detection
# Reference: https://www.virustotal.com/gui/file/e7e77f74b464a0e4ca55c77898099b3053e1223ca5779cc747a837054cbee1aa/detection
# Reference: https://www.virustotal.com/gui/file/e62403cc687e624d63c1f0ea3a160f2a3998bd2cd444785d6dd3c909f48a4850/detection
# Reference: https://www.virustotal.com/gui/file/e44a989cd9baaf1e8910e9444bbf0177d9a6dc60edbd35952b36de1fc87ef5b5/detection
# Reference: https://www.virustotal.com/gui/file/dd2bc1e19068d6e6a44bfdf4ff683e04c174029edc153802aff52e2f3c41e2e0/detection
# Reference: https://www.virustotal.com/gui/file/d8a72b9089870f33c2fd99b2d8360f194325ef3ab3d8364890bbe763b1f0c248/detection
# Reference: https://www.virustotal.com/gui/file/d7baaf973cc81dcf44ece7951c0cca434b72721ea5fcc1ce4c9640b19254c072/detection
# Reference: https://www.virustotal.com/gui/file/cc3836043b8d93f786c3ed24de56e049083439642195a5f4426e9b9dd737b289/detection
# Reference: https://www.virustotal.com/gui/file/c95a23327088470145080ba1be35c14cd4bfa2d47390fb2ab1e5d1be725ad4f3/detection
# Reference: https://www.virustotal.com/gui/file/b96f45b26450c7afdae07f66f71f84c09b61b4e20af02f9d0e13923cb3536254/detection
# Reference: https://www.virustotal.com/gui/file/9a4f32591e1e887ddaf2f9765769f4f15a3e17821a2fb34d61bc6e272b7d5989/detection
# Reference: https://www.virustotal.com/gui/file/76c981c7dd88c647dabe6fca780ef6dfa2419f949b5e7be6636be1a74f1c90ca/detection
# Reference: https://www.virustotal.com/gui/file/757c49b2496acf938d5b69c2dc1223ea7030063ed239c9fca492fec6b02e4a27/detection
# Reference: https://www.virustotal.com/gui/file/754e5a0ba5a031d63600495adbe3bb72fe49ba5cf1c19414d6c56877170f7bb8/detection
# Reference: https://www.virustotal.com/gui/file/7082f7a3fa388f56addad6f44b9dcee2f613017e57186e1aa3a55cdf24e42b3e/detection
# Reference: https://www.virustotal.com/gui/file/6ef5b898d95e96415ff8159c495d802d9b47b5a9726f0a3b1d2e0ffa12594241/detection
# Reference: https://www.virustotal.com/gui/file/5f185ba431e3a8037f78d77884dc5112d7c32d4955f82c184030260e0d01fed0/detection
# Reference: https://www.virustotal.com/gui/file/334dfbaefbf7e6301d2385f95d861eb6dae9018c48fb298a2cbf5f364fbcdb2d/detection
# Reference: https://www.virustotal.com/gui/file/2141d5521dbf28c3dcbfa25d9639d56949e1a6ebaac19ee9c5c0b02b7da0c1de/detection
# Reference: https://www.virustotal.com/gui/file/1681c3b88ed315543ac1bf07d258d560cf2f85bfd26c10471d71700eaeb57fb3/detection
# Reference: https://www.virustotal.com/gui/file/11de5317e59464ef9f8a92b41502b4931adc66aa8c61babe7a9b0983ec42ec9e/detection
# Reference: https://www.virustotal.com/gui/file/08eb58f939cf8e741426b38e23b71ea06cf0a968b1884d5a34a722280d4034dd/detection

# NOTE(review): most of the bare IPs below appear to sit in public-cloud (AWS) address space, which is
# reassigned between tenants - treat hits as time-bound and confirm against the references above before blocking.
http://16.171.23.221
http://18.116.63.61
http://18.118.151.132
http://18.191.234.137
http://18.216.19.212
http://18.216.206.166
http://18.217.122.187
http://18.219.75.181
http://18.216.78.94
http://18.226.150.56
http://18.216.229.168
http://3.12.155.9
http://3.128.172.139
http://3.133.160.140
http://3.138.101.180
http://3.138.36.108
http://3.141.44.186
http://3.142.40.36
http://3.143.108.123
http://3.144.37.134
http://3.145.157.180
http://3.17.187.152
http://34.238.115.205
http://44.203.132.140
http://44.204.79.28
http://54.147.44.233
http://83.242.96.159
at-portal-das-financas.com
at-portaldasfinancas-pt.com
at-portaldasfinancas-pt.org
at-portaldasfinancas.com
at-portaldasfinancas.org
atportal-das-financas.com
autoridade-tributaria-gov.com
autoridade-tributaria-pt.com
autoridade-tributaria-pt.org
autoridade-tributaria.com
autoridade-tributaria.org
autoridadetributaria-pt.org
autoridadetributaria.org
comprovativos-amazon.s3.us-east-2.amazonaws.com
doc-fat.s3.us-east-2.amazonaws.com
factura-12.s3.us-east-2.amazonaws.com
fat-dezembro1.s3.us-east-2.amazonaws.com
fat-doc-online.com
inde-faturas.com
indebt-faturas.com
ld-05-07-zxjhvjds-p.s3.us-east-2.amazonaws.com
ld-18-06-jnxbdf-g.s3.us-east-2.amazonaws.com
ld-2403-p.s3.us-east-2.amazonaws.com
ld-25-06-jbasdfiu-p.s3.us-east-2.amazonaws.com
ld-bsjdiwer-30-06.s3.us-east-2.amazonaws.com
ld-dsbjnfgiw-14-07-p.s3.us-east-2.amazonaws.com
ld-g-06-10-nfdsgsjhk.s3.us-east-2.amazonaws.com
ld-g-23-10-hsdiwbep.s3.us-east-2.amazonaws.com
ld-sbdgosew-20-07-p.s3.us-east-2.amazonaws.com
ld-sbdjiepd-09-06-g.s3.us-east-2.amazonaws.com
ld-sdhgsoe-03-07-p.s3.us-east-2.amazonaws.com
ld-sdiend-11-02-g.s3.us-east-2.amazonaws.com
ld-sdknei-30-06-p.s3.us-east-2.amazonaws.com
ld-sdknlwies-28-07-p.s3.us-east-2.amazonaws.com
ld-sndwoe-18-06-p.s3.us-east-2.amazonaws.com
ld-uiwesdlei-23-07-g.s3.us-east-2.amazonaws.com
lg-1002-g.s3.us-east-2.amazonaws.com
likeg.s3.us-east-2.amazonaws.com
portal-das-financas-at.com
portal-das-financas-pt.com
portal-das-financas-pt.org
portal-das-financas.org
portaldasfinancas-at.com
portaldasfinancas-pt.org
portaldasfinancas.org

# Generic (URL paths, not tied to a specific host)

/PediuPraPostarPostou.php
/PostaEstaBosta.php
/PostaEstaMerda.php
/PostaEstaPorra.php
/VaiPostaProPai.php
/PT/painel.php
/PT/painelADM.php
