# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: castlebot, castleloader, castlerat, tag-150

# Reference: https://x.com/JAMESWT_WT/status/1958947921598062796
# Reference: https://www.virustotal.com/gui/file/f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be/detection

programsbookss.com

# Reference: https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2
# Reference: https://raw.githubusercontent.com/eSentire/iocs/refs/heads/main/Nightshade/Nightshade-IoCs-09-01-2025.txt

102.135.95.102:33336
102.135.95.102:33337
102.135.95.102:7777
104.225.129.171:33336
104.225.129.171:33337
104.225.129.171:7777
107.158.128.45:33336
107.158.128.45:33337
107.158.128.45:7777
107.158.128.90:33336
107.158.128.90:33337
107.158.128.90:7777
170.130.165.28:33336
170.130.165.28:33337
170.130.165.28:7777
173.232.146.90:33336
173.232.146.90:33337
173.232.146.90:7777
178.17.57.102:33336
178.17.57.102:33337
178.17.57.102:7777
180.178.122.131:33336
180.178.122.131:33337
180.178.122.131:7777
180.178.189.17:33336
180.178.189.17:33337
180.178.189.17:7777
185.149.146.118:33336
185.149.146.118:33337
185.149.146.118:7777
185.149.146.1:33336
185.149.146.1:33337
185.149.146.1:7777
185.208.158.250:33336
185.208.158.250:33337
185.208.158.250:7777
195.201.108.189:33336
195.201.108.189:33337
195.201.108.189:7777
34.72.90.40:33336
34.72.90.40:33337
34.72.90.40:7777
45.11.180.174:33336
45.11.180.174:33337
45.11.180.174:7777
45.61.136.81:33336
45.61.136.81:33337
45.61.136.81:7777
5.35.44.176:33336
5.35.44.176:33337
5.35.44.176:7777
64.52.80.82:33336
64.52.80.82:33337
64.52.80.82:7777
77.238.241.203:33336
77.238.241.203:33337
77.238.241.203:7777
79.132.130.142:33336
79.132.130.142:33337
79.132.130.142:7777
91.202.233.132:33336
91.202.233.132:33337
91.202.233.132:7777
91.202.233.250:33336
91.202.233.250:33337
91.202.233.250:7777
91.202.233.251:33336
91.202.233.251:33337
91.202.233.251:7777
94.141.122.164:33336
94.141.122.164:33337
94.141.122.164:7777
tdbfvgwe456yt.com

# Reference: https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations

http://178.17.57.102
http://45.61.136.81
http://91.202.233.250
104.225.129.171:443
144.208.126.50:443
185.125.50.125:7777
185.196.10.8:7777
185.196.9.222:7777
185.196.9.80:7777
195.85.115.44:443
34.72.90.40:443
45.11.180.198:7777
45.144.53.62:7777
5.35.44.176:443
77.90.153.43:7777
79.132.131.200:7777
85.192.49.6:7777
87.120.93.167:7777
91.212.166.17:33334
teamsi.org
teamsio.com
teamsoftdigital.com

# Reference: https://x.com/PRODAFT/status/1948382357725024565
# Reference: https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview
# Reference: https://github.com/prodaft/malware-ioc/tree/master/CastleLoader
# Reference: https://www.virustotal.com/gui/file/05ecf871c7382b0c74e5bac267bb5d12446f52368bb1bfe5d2a4200d0f43c1d8/detection
# Reference: https://www.virustotal.com/gui/file/31493e6366d3e7275a1e01937a4a18b27db8e5ef21bc21df666690d455f2acaf/detection
# Reference: https://www.virustotal.com/gui/file/0d7a46cedeb866930ebe808a596b44c5cf8941e448b4f8012018283ea55ec309/detection
# Reference: https://www.virustotal.com/gui/file/6e11ec22fd31d9eb4bd6060711dbd5d3c7c05bd7dfaa20daaee2c2c8a4dcf524/detection
# Reference: https://www.virustotal.com/gui/file/3329d3011f8f4c3df16230a1e6ed3ffe3c3cffaa7dadf0238eb6b011a659c84f/detection

http://173.44.141.89
185.39.19.165:5354
buzzedcompany.com
lekuvam.com
polarcompany.org
rinasalleh.com
teamsapi.net

# Reference: https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation
# Reference: https://www.virustotal.com/gui/file/3329d3011f8f4c3df16230a1e6ed3ffe3c3cffaa7dadf0238eb6b011a659c84f/detection
# Reference: https://www.virustotal.com/gui/file/f31e9ef8a59bacda22d8310750b91841878e1f398270676718d3a0b4949880a2/detection
# Reference: https://www.virustotal.com/gui/file/4cd0a2eb8662b5bdacf7f5db62827dd29a0c75d2b3b3f28eefb584e44a1ef2a5/detection

http://107.158.128.45
http://107.158.128.90
http://45.11.180.174
45.11.180.174:6666

# Reference: https://x.com/g0njxa/status/1980943290896630209
# BANNER_0_HASH-HOST=d5a7ef665ea2e5f9fd95ab665b149262

185-212-47-84.cprapid.com
45-11-183-165.cprapid.com
79.132.130.142.sslip.io
3vr3v3sdf.online
7hzhde.xyz
alafair.net
anotherproject.icu
baaredlead.com
bethschwier.com
campanyasoft.com
campuscedeco.ran.es
castlnetintel.com
cedeco.ran.es
chargerrlogistics.cam
cisco-webexxapp.xyz
criip.art
dperforms.info
estetic-online.com
ftroftrodro.top
funjobcollins.shop
gernlern.com
gghhjjkkuuywwfdf.space
higueruela.net
ippsadfx.icu
jeneeday.com
jeneeday.net
krefjkj.duckdns.org
lekuvam.com
loads.icu
loads.world
loadsplanning.com
megarstorei.store
mhousecreative.com
oldspicenotsogood.shop
oneyogasite.com
pittiadg.top
polarcompany.org
rinasalleh.com
shortstreet.net
st-hanbok.com
tattori.icu
vilaoaza.com
vvsgr.net
wereatwar.com

# Reference: https://x.com/drb_ra/status/1981031132247228884
# Reference: https://gist.github.com/drb-ra/ca579655912dd56acb2be6af301a55a9

107.158.128.26:443
170.130.165.201:443
172.86.90.58:443
