# Copyright (c) 2014-2018 Miroslav Stampar (@stamparm)
# See the file 'LICENSE' for copying permission

# Reference: https://github.com/fideliscyber/indicators/blob/master/Blogs/New%20URSNIF%20Targeting%20Italy%20and%20US/url.csv

creatortherefore.cn
goinumder.su
goyanok.at
hothegivforsuffer.cn
hulivam.at
justiceseasfriends.cn
lopertopgo.su
mid100.at
nexpoo.at
noopex.at
outaplaceshave.cn
pergozip.at
therepalon.su
trepeatedandequal.cn

# Reference: https://www.forcepoint.com/blog/security-labs/many-faces-ursnif-email-hijacking-mailslots-and-insecure-servers

14ca1s5asc45.com
9qwe8q9w7asqw.com
asd5qwdqwe4qwe.com
d4q9d4qw9d4qw9d.com
dq9wq1wdq9wd1.com
dqowndqwnd.net
eq9we1qw1qw8.com
fqw4q8w4d1qw8.com
g98d4qwd4asd.com
gtqw5dgqw84.com
hhhasdnqwesdasd.com
hhjfffjsahsdbqwe.com
jjasdkeqnqweqwe.com
kkjkajsdjasdqwec.com
kkmmnnbbjasdhe.com
mmmnasdjhqweqwe.com
oiwerdnferqrwe.com
ooaisdjqiweqwe.com
oooiasndqjwenda.com
oooiawneqweasd.com
oqk4123613123.net
oyiyuarogonase.net
popopoqweneqw.com
ppoadajsqwenqw.com
ppoasdqnwesad.com
pqwoeasodiqwejes232.com
q5q1wdq41dqwd.com
qiwjesijdqweqs.com
qw6e54qwe54wq.com
qw8e78qw7e.com
qwd1q6w1dq6wd1.com
qwd1qw8d4q1wd.com
qwdohqwnduasndwjd212.com
qwe1q9we1qwe51.com
qwekasdqw8412.net
qweoiqwndqw.net
qwojdaisd1231.net
qwqw1e4qwe14we.com
qwqweqw4e1qwe.com
qwundqwjnd.net
r9qweq19w1dq.com
rqw1qwr8qwr.com
rrrradkqwdojnqwd.com
sdf5wer4wer.com
sdjqiweqwnesd.com
t8q79q8wdqw1d.com
tr8q4qwe41ewe.com
tttiweqwneasdqwe.com
uuasdjqwehnasd.com
uurty87e8rt7rt.com
uuyyhsdhasdbee.com
wdojqnwdwd.net
wdq9d5q18wd.com
yyjqnwejqnweqweq.com

# Reference: https://www.f-secure.com/v-descs/trojan_w32_ursnif.shtml

bergesoma.com
polinodara.com

# Reference: https://www.cert-pa.it/news?id=10536

werwaarogonase.net
fhjjndiasnew.net
axewansdownew.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1045682605662851073

d792jssk19usnskdxnsw.com
29uwuwousuw8wuwyuwie.com
ye8283yeiw283929wu2.com
h2812932937292sjshskz.com

# Reference: https://twitter.com/luc4m/status/1045671697268051968

h2812932937292sjshskz.com

# Reference: https://twitter.com/avman1995/status/1047018001810300928

382oiso10si8sowppdoiwpc.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1047414713850781697

/MXE/files/
/TOL/files/

# Generic callback

/nerkom.php
/pagioiu88.php
/transaction.php2

# Reference: https://twitter.com/Bank_Security/status/1049640177361186818
# Reference: https://pastebin.com/mkMfAf9Z

app.kartop.at
doc.dicin.at
app.avitoon.at
doc.avitoon.at
ops.twidix.at
xx.go10og.at
api.kartop.at
m1.fofon.at
cdn.kartop.at
api.tylron.at
chat.twidix.at
api.kaonok.at
chat.jimden.at
mahono.cn
/huonasdh.php
/opanskot.php

# Reference: https://twitter.com/luc4m/status/1050806471603224576

/pagjfut54.php

# Reference: https://twitter.com/ViriBack/status/1051565888212791296

hdiwuey872629hsgs18702837.com
k37aos82skd9nal92kamcdla.com

# Reference: https://twitter.com/mgiovamo/status/1051771811438964736

load.testmykickstarter.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1052469234159239168

37iwdmx103qlsmx.com
againstitudents.com
ey271psx8127301.com
woatinkwoo.com
/levond.php

# Reference: https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware

nesocina.com
tapertoni.com
/Flux/tst/

# dork: "/Flux/tst/"

tenicoriv.com
onkoloper.com
nidersona.com
maxigozo.com
nasodirom.com
