coronavirus-covid-19-SARS-CoV-2
All the IoCs I have gathered which are used directly in coronavirus / covid-19 / SARS-CoV-2 cyber attack campaigns. All IoCs are provided "as-is"; please use your own verification methodology before deploying them in a production network.
Remember, architecture is the base and everything else is an additional layer. The stronger your system's security architecture, the lower the possibility of undesired incidents.
APT36 has been known to use this pandemic as a lure in its targeting. These IoCs have been included in the list.
DO NOT CLICK ON ANY URLs or VISIT IP ADDRESSES: their current state is unknown and I have NOT masked (defanged) all the URLs.
WHO has a WhatsApp group for up-to-date information: http://bit.ly/who-covid19-whatsapp. Send a "hi" message to get started.
Wishing everyone good health and safety.
I will be deprecating the IoCs that are part of this project. I want to thank everyone who helped me: Sanket Yeram, Jayendra Kadam, Krutika Potdar & Rohit Chaurasia.
I will remove the IoCs on 30th April 2021.
Total IoCs: 661,567 (IPs: 1335; Hashes: 9,114; URLs/domains/hostname: ~6,51,112; CVEs: 6)
Total IoCs: 661,567 (IPs: 1335; Hashes: 9,114; URLs/domains/hostname: ~6,51,112; CVEs: 6)
Total IoCs: 644,869 (IPs: 1336; Hashes: 9,114; URLs/domains/hostname: ~6,34,413; CVEs: 6) Removed hash: 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 as per a request from Twitter. Source of the hash was IBM X-Force.
Total IoCs: 644,870 (IPs: 1336; Hashes: 9,115; URLs/domains/hostname: ~6,34,413; CVEs: 6)
Total IoCs: 623,560 (IPs: 1322; Hashes: 9,110; URLs/domains/hostname: ~6,13,122; CVEs: 6)
Total IoCs: 612,024 (IPs: 582; Hashes: 9,110; URLs/domains/hostname: ~6,02,326; CVEs: 6)
Total IoCs: 557,272 (IPs: 582; Hashes: 9,110; URLs/domains/hostname: ~5,47,628; CVEs: 6)
Total IoCs: 553,592 (IPs: 582; Hashes: 8,088; URLs/domains/hostname: ~5,44,916; CVEs: 6)
Total IoCs: 538,906 (IPs: 582; Hashes: 8,088; URLs/domains/hostname: ~5,30,230; CVEs: 6)
Total IoCs: 522,336 (IPs: 582; Hashes: 8,088; URLs/domains/hostname: ~5,13,660; CVEs: 6)
Total IoCs: 510,775 (IPs: 582; Hashes: 8,088; URLs/domains/hostname: ~5,02,099; CVEs: 6)
Total IoCs: 510,281 (IPs: 582; Hashes: 8,088; URLs/domains/hostname: ~5,01,605; CVEs: 6)
Total IoCs: 509,704 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~5,01,605; CVEs: 6)
Total IoCs: 497,139 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~4,89,040; CVEs: 6)
Total IoCs: 471,462 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~4,53,363; CVEs: 6)
Total IoCs: 422,744 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~4,14,645; CVEs: 6)
Total IoCs: 422,693 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~4,14,594; CVEs: 6)
Total IoCs: 396,412 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~3,88,313; CVEs: 6)
Total IoCs: 396,538 (IPs: 582; Hashes: 7,435; URLs/domains/hostname: ~3,88,515; CVEs: 6)
Total IoCs: 390,522 (IPs: 582; Hashes: 7,435; URLs/domains/hostname: ~3,82,499; CVEs: 6)
Total IoCs: 390,402 (IPs: 582; Hashes: 7,435; URLs/domains/hostname: ~3,82,379; CVEs: 6)
Total IoCs: 389,902 (IPs: 582; Hashes: 7,435; URLs/domains/hostname: ~3,81,879; CVEs: 6)
Total IoCs: 385,524 (IPs: 582; Hashes: 7,435; URLs/domains/hostname: ~3,77,501; CVEs: 6)
Total IoCs: 376,586 (IPs: 581; Hashes: 7,387; URLs/domains/hostname: ~3,68,612; CVEs: 6)
Total IoCs: 376,070 (IPs: 581; Hashes: 7,387; URLs/domains/hostname: ~3,68,096; CVEs: 6)
Total IoCs: 369,517 (IPs: 581; Hashes: 7,387; URLs/domains/hostname: ~3,61,543; CVEs: 6)
Total IoCs: 366,939 (IPs: 581; Hashes: 7,387; URLs/domains/hostname: ~3,58,965; CVEs: 6)
Total IoCs: 362,336 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,57,388; CVEs: 6)
Total IoCs: 360,992 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,56,044; CVEs: 6)
Total IoCs: 359,810 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,54,862; CVEs: 6)
Total IoCs: 359,410 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,54,468; CVEs: 6)
Total IoCs: 357,298 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,52,350; CVEs: 6)
Total IoCs: 356,398 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,51,450; CVEs: 6)
Total IoCs: 354,695 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,49,747; CVEs: 6)
Total IoCs: 353,755 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,48,831; CVEs: 6)
Total IoCs: 353,409 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,48,485; CVEs: 6)
In this update I have checked the list against the Alexa top 1 million websites to remove any false positives that were introduced in 9.9 (removed in 10.) Interesting statistics to follow.
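The allowlist check described in this entry, together with the defanging mentioned in the notes at the top, as an added example that is not part of this repository's own tooling: it refangs mixed-format entries so they parse uniformly, deduplicates them, classifies each as IP, domain or URL, drops anything whose host or parent domain appears on an allowlist (a constructed stand-in for the Alexa top-1M list), and defangs what remains for safe display. The sample indicators and the allowlist below are constructed placeholders, not entries from this list.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the mixed shapes an IoC dump usually arrives in:
# full URLs, bare hostnames, IPs, already-defanged strings. None are real
# indicators; .test and 203.0.113.0/24 are reserved for documentation.
SAMPLE_IOCS = [
    "http://covid19-relief-example.test/login.php",
    "hxxps://corona-update-example[.]test/",
    "www.google.com",                          # the kind of false positive removed in 10.x
    "https://www.twitter.com/somepath",
    "203.0.113.45",
    "http://203.0.113.45:8080/payload.bin",
    "covid19-relief-example.test",
]

# Constructed stand-in for a top-sites allowlist; a real one would be loaded
# from a file with one registrable domain per line.
TOP_SITES = {"google.com", "twitter.com", "microsoft.com"}


def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so entries can be parsed uniformly."""
    value = value.strip()
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def defang(value: str) -> str:
    """Render an indicator so it is not clickable or resolvable when pasted into a report."""
    value = re.sub(r"^http", "hxxp", value, flags=re.IGNORECASE)
    return value.replace(".", "[.]")


def classify(entry: str):
    """Return (kind, host) with kind in {'ip', 'domain', 'url'}; host is lower-cased."""
    clean = refang(entry)
    if "://" in clean:
        host, kind = urlsplit(clean).hostname or "", "url"
    else:
        host, kind = clean.split("/")[0].split(":")[0], "domain"
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return ("ip" if kind == "domain" else "url", host)
    except ValueError:
        return (kind, host)


def is_allowlisted(host: str, allowlist) -> bool:
    """True if the host or any parent domain is allowlisted (www.google.com -> google.com).

    The bare TLD is never checked, so 'google.com.evil.test' does not match 'google.com'.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels) - 1))


def triage(iocs, allowlist=TOP_SITES):
    """Dedupe and classify indicators, split out allowlisted false positives, defang the rest."""
    seen = set()
    result = {"keep": [], "false_positive": []}
    for raw in iocs:
        clean = refang(raw)
        key = clean.lower()
        if key in seen:            # same indicator submitted twice (e.g. defanged and not)
            continue
        seen.add(key)
        kind, host = classify(clean)
        record = {"kind": kind, "host": host, "indicator": defang(clean)}
        if kind != "ip" and is_allowlisted(host, allowlist):
            result["false_positive"].append(record)
        else:
            result["keep"].append(record)
    return result


if __name__ == "__main__":
    out = triage(SAMPLE_IOCS)
    for rec in out["keep"]:
        print("KEEP ", rec["kind"], rec["indicator"])
    for rec in out["false_positive"]:
        print("DROP ", rec["kind"], rec["indicator"], "(allowlisted)")
```

The parent-domain walk is what catches `www.google.com` against an allowlist that only holds `google.com`; the check deliberately stops before the bare TLD so a lookalike such as `google.com.evil.test` is not whitelisted by accident. IPs are not matched against the hostname allowlist and need their own review.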
Total IoCs: 352,243 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,47,316; CVEs: 6)
Emergency update to remove www.google.com and www.twitter.com
Total IoCs: 352,243 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,47,319; CVEs: 6)
A vulnerability has been identified in the implementation of the Android version of Australia's COVIDSafe contact tracing app that may affect several other contact tracing apps sharing a similar architecture, such as Singapore's TraceTogether and Alberta's ABTraceTogether. This issue is being tracked as CVE-2020-12856. The vulnerability allows long-term tracking of users of the affected apps and possibly enables other Bluetooth-based attack vectors.
Total IoCs: 351,940 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,47,017; CVEs: 5)
Total IoCs: 350,495 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,45,572; CVEs: 5)
Total IoCs: 350,627 (IPs: 575; Hashes: 4,147; URLs/domains/hostname: ~3,45,900; CVEs: 5)
Total IoCs: 348,845 (IPs: 575; Hashes: 4,147; URLs/domains/hostname: ~3,44,118; CVEs: 5)
Total IoCs: 347,445 (IPs: 575; Hashes: 3,853; URLs/domains/hostname: ~3,43,012; CVEs: 5)
Total IoCs: 342,210 (IPs: 573; Hashes: 3,853; URLs/domains/hostname: ~3,37,779; CVEs: 5)
Total IoCs: 342,250 (IPs: 573; Hashes: 3,583; URLs/domains/hostname: ~3,38,089; CVEs: 5)
Total IoCs: 341,343 (IPs: 573; Hashes: 3,583; URLs/domains/hostname: ~3,36,910; CVEs: 5)
Total IoCs: 44,055 (IPs: 573; Hashes: 3,581; URLs/domains/hostname: ~39,890; CVEs: 5)
Total IoCs: 44,055 (IPs: 573; Hashes: 3,581; URLs/domains/hostname: ~39,896; CVEs: 5)
Total IoCs: 43,292 (IPs: 568; Hashes: 3,584; URLs/domains/hostname: ~39,135; CVEs: 5)
Total IoCs: 42,400 (IPs: 568; Hashes: 3,584; URLs/domains/hostname: ~38,243; CVEs: 5)
Total IoCs: 42,043 (IPs: 568; Hashes: 3,584; URLs/domains/hostname: ~37,887; CVEs: 5)
Total IoCs: 41,270 (IPs: 568; Hashes: 3,584; URLs/domains/hostname: ~37,113; CVEs: 5)
Total IoCs: 40,804 (IPs: 568; Hashes: 3,584; URLs/domains/hostname: ~36,647; CVEs: 5)
Total IoCs: 40,098 (IPs: 564; Hashes: 3,561; URLs/domains/hostname: ~35,968; CVEs: 5)
Total IoCs: 39,811 (IPs: 564; Hashes: 3,561; URLs/domains/hostname: ~35,681; CVEs: 5)
Total IoCs: 38,908 (IPs: 564; Hashes: 3,561; URLs/domains/hostname: ~34,778; CVEs: 5)
Total IoCs: 38,075 (IPs: 564; Hashes: 3,561; URLs/domains/hostname: ~33,945; CVEs: 5)
Total IoCs: 35,243 (IPs: 564; Hashes: 3,561; URLs/domains/hostname: ~31,113; CVEs: 5)
Total IoCs: 24,302 (IPs: 564; Hashes: 3,560; URLs/domains/hostname: ~20,173; CVEs: 5)
There is a request to evaluate 23.227.38.65 and 23.227.38.32 and fine-tune them to URLs. I will be working on this. This request came via email. I will open an issue today for tracking.
Total IoCs: 24,262 (IPs: 561; Hashes: 3,530; URLs/domains/hostname: ~20,166; CVEs: 5)
Total IoCs: 24,258 (IPs: 561; Hashes: 3,530; URLs/domains/hostname: ~20,162; CVEs: 5)
Total IoCs: 23,567 (IPs: 561; Hashes: 3,530; URLs/domains/hostname: ~19,471; CVEs: 5) Bumping to 6.5 due to the large addition of URLs.
Emergency update to remove covid-19-sounds.org
Total IoCs: 20,763 (IPs: 550, Hashes: 3452, URLs/domains/hostname: ~16,756, CVEs: 5) Bumping to 6.0 due to the large addition of URLs.
Total IoCs: 14,730 (IPs: 550, Hashes: 3433, URLs/domains/hostname: ~10742, CVEs: 5)
Total IoCs: 14,587 (IPs: 517, Hashes: 3337, URLs/domains/hostname: ~10728, CVEs: 5)
Total IoCs: 14,305 (IPs: 517, Hashes: 3215, URLs/domains/hostname: ~10568, CVEs: 5)
Total IoCs: 13,787 (IPs: 514, Hashes: 3124, URLs/domains/hostname: ~10144, CVEs: 5)
Total IoCs: 13,567 (IPs: 514, Hashes: 3124, URLs/domains/hostname: ~9924, CVEs: 5)
Total IoCs: 12,966 (IPs: 513, Hashes: 3191, URLs/domains/hostname: ~9257, CVEs: 5)
Emergency update to remove domain coronavirus3d.org, which was ingested from a US-CERT notification. Now removed from all IoC files.
Total IoCs: 12,594 (IPs: 513, Hashes: 3191, URLs/domains/hostname: ~8885, CVEs: 5)
Total IoCs: 12,595 (IPs: 513, Hashes: 3191, URLs/domains/hostname: ~8886, CVEs: 5)
Important cleanup for hashes. A new confidence script has been initiated. ETA for completion: 1700 IST on 14-04-2020.
Total IoCs: 12,375 (IPs: 510, Hashes: 3187, URLs/domains/hostname: ~8673, CVEs: 5)
Bumping to version 5 as we have a massive ingestion from blocklist.cyberthreatcoalition.org/vetted/ and the kind assistance of GitHub user @ideaengine007, Nitesh on Twitter (@ideaengine007, https://twitter.com/ideaengine007).
Hashes in this update are still being vetted at VirusTotal. A random audit has confirmed that 100% of the (available) hashes relate to Covid-19 scams. Thank you.
Total IoCs: 12,419 (IPs: 510, Hashes: 3231, URLs/domains/hostname: ~8673, CVEs: 5)
Emergency update to remove domain covid19map.us, which was ingested from a US-CERT notification. Now removed from all IoC files.
Total IoCs: 7382 (IPs: 512, Hashes: 1950, URLs/domains/hostname: ~4915, CVEs: 5)
Total IoCs: 7383 (IPs: 512, Hashes: 1950, URLs/domains/hostname: ~4916, CVEs: 5)
Total IoCs: 7199 (IPs: 511, Hashes: 1778, URLs/domains/hostname: ~4906, CVEs: 4) Refer to https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs/tree/master/Printscreens for screenshots (printscreens) of the scam.
Total IoCs: 7073 (IPs: 472, Hashes: 1722, URLs/domains/hostname: ~4875, CVEs: 4) Refer to https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs/tree/master/Printscreens for screenshots (printscreens) of the scam.
This update includes lists from US-CERT TLP:WHITE shared here: https://www.us-cert.gov/ncas/alerts/aa20-099a and https://github.com/sophoslabs/covid-iocs
Total IoCs: 6586 (IPs: 454, Hashes: 1807, URLs/domains/hostname: ~4321, CVEs: 4) Refer to https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs/tree/master/Printscreens for screenshots (printscreens) of the scam.
Closed the issue wherein legitimate websites (coronavirusdatamap.com and californiacoronavirus.org) were included in domaintools_malicious_domain_list.
Please be advised that the curated lists are: IP, Hashes, URLs and ALL IOCs. These are personally verified by me. All other lists should be tested before production use.
Total IoCs: 3762 (IPs: 454, Hashes: 1675, URLs/domains/hostname: ~1629, CVEs: 4)
Total IoCs: 3757 (IPs: 452, Hashes: 1673, URLs/domains/hostname: ~1628, CVEs: 4)
Total IoCs: 3738 (IPs: 450, Hashes: 1660, URLs/domains/hostname: ~1624, CVEs: 4)
In this update newly registered domains have been updated until 03-05-2020. Newly registered domains have been pushed to VirusTotal.
Merge and duplicate removal. Total IoCs: 3731 (IPs: 449, Hashes: 1660, URLs/domains/hostname: ~1618, CVEs: 4)
Merge and duplicate removal. Total IoCs: 3592 (IPs: 439, Hashes: 1553, URLs/domains/hostname: ~1596, CVEs: 4)
A major update, as I have now incorporated the list by Anomali: https://www.anomali.com/learn/covid19. Thank you very much to Anomali.
Total IoCs: 4073 (IPs: 961, Hashes: 1594, URLs/domains/hostname: ~1514, CVEs: 4)
Total IoCs: 949 (IPs: 26, Hashes: 514, URLs/domains/hostname: ~2530, CVEs: 4).
Total IoCs: 856 (IPs: 26, Hashes: 437, URLs/domains/hostname: ~390, CVEs: 3).
As of this update all URLs that are part of "newly_registered_domains" have been submitted to VirusTotal. I want to thank Krutika Potdar (who provided 3 VT keys & other logistical support keeping the team in sync), Ankit Bose (who submitted 10,000 domains), Arun Kumar, & members of the greatest team ever: Jayendra Kadam, Sanket Yeram, Rohit Chaurasia.
Total IoCs: 781 (IPs: 20, Hashes: 378, URLs/domains/hostname: ~380, CVEs: 3).
The list by DomainTools seems to have legitimate websites too. PLEASE USE IT WITH ADDITIONAL CAUTION. URLs listed under "URL" are validated as having been used in malicious covid-19 / coronavirus campaigns.
New: the DomainTools list is incorporated: https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats#download
Total IoCs: 81,766 (IPs: 20, Hashes: 378, URLs/domains/hostname: ~380, CVEs: 3).
The list by DomainTools seems to have legitimate websites too. PLEASE USE IT WITH ADDITIONAL CAUTION. URLs listed under "URL" are validated as having been used in malicious covid-19 / coronavirus campaigns.
New: the DomainTools list is incorporated: https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats#download
hmrc-cov19.payment.estrodev.com -- found to be actively used as part of text message (SMS) based phishing.
Total newly registered domains now stands at 36,994 containing the keyword covid / corona. Date of registration is after 1st February 2020.
Total IoCs: 81,766 (IPs: 20, Hashes: 378, URLs/domains/hostname: ~380, CVEs: 3). New: the DomainTools list is incorporated: https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats#download . hmrc-cov19.payment.estrodev.com -- found to be actively used as part of text message (SMS) based phishing. Total newly registered domains now stands at 36,994 containing the keyword covid / corona. Date of registration is after 1st February 2020.
Total IoCs: 712 (IPs: 19, Hashes: 354, URLs/domains/hostname: ~356, CVEs: 3). hmrc-cov19.payment.estrodev.com -- found to be actively used as part of text message (SMS) based phishing. Total newly registered domains now stands at 34,891 containing the keyword covid / corona. Date of registration is after 20th March 2020.
Total IoCs: 711 (IPs: 19, Hashes: 354, URLs/domains/hostname: ~355, CVEs: 3). Total newly registered domains now stands at 34,891 containing the keyword covid / corona. Date of registration is after 20th March 2020.
THERE ARE SOME CORRECTIONS IN THE URL FILE. PLEASE UPDATE. Total IoCs: 711 (IPs: 19, Hashes: 354, URLs/domains/hostname: ~355, CVEs: 3). Total newly registered domains now stands at 13,752 containing the keyword covid / corona. Date of registration is after 20th March 2020.
Total IoCs: 711 (IPs: 19, Hashes: 334, URLs/domains/hostname: ~355, CVEs: 3). Total newly registered domains now stands at 11,660 containing the keyword covid / corona. Date of registration is after 20th March 2020.
Total IoCs: 599 (IPs: 18, Hashes: 333, URLs/domains/hostname: 245, CVEs: 3). Total newly registered domains now stands at 11,660 containing the keyword covid / corona. Date of registration is after 20th March 2020.
Total IoCs: 557 (IPs: 18, Hashes: 304, URLs/domains/hostname: 234, CVEs: 3). This update has a new list: newly registered domains. There are a total of 9595 newly registered domains between 20th March and 24th March 2020.
Total IoCs: 552 (IPs: 18, Hashes: 304, URLs/domains/hostname: 229, CVEs: 3). This update contains - #Part of APT36 and not directly connected to the purpose of this IoC list.
Total IoCs: 549 (IPs: 18, Hashes: 302, URLs/domains/hostname: 226, CVEs: 3).
Total IoCs: 520 (IPs: 18, Hashes: 283, URLs/domains/hostname: 219).
Confidence file uploaded. All hash IoCs are verified.
Adding: confidence score for attached IoCs (starting with hashes).
Added: 1 file hash. Total now stands at: 431.
Added: 39 URLs (most of these are defanged). Total now stands at: 430.
Spell check, and combined all IoCs under the "All IoC" file.
Initial commit has 391 IoCs - 282 hashes, 93 URLs, and 16 IPs.