# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: nfcstealer, nfcrelay, phantomcard

# Reference: https://x.com/ThreatFabric/status/1955928448402100456
# Reference: https://www.threatfabric.com/blogs/phantomcard-new-nfc-driven-android-malware-emerging-in-brazil
# Reference: https://app.validin.com/detail?type=hash&find=41abee029cc040b434564cce6158aa48f79747c3 (# 2025-08-14)
# Reference: https://www.virustotal.com/gui/file/a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f/detection
# Reference: https://www.virustotal.com/gui/file/cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667/detection

http://154.205.156.112
http://154.205.156.19
http://154.90.60.209
http://154.90.60.99
http://185.228.72.77
http://38.60.134.196
http://38.60.209.168
http://38.60.209.69
http://43.157.161.175
http://43.157.171.245
154.205.156.112:8080
154.205.156.19:8080
154.90.60.209:8080
154.90.60.99:8080
185.228.72.77:443
38.60.134.196:8080
38.60.209.168:8080
38.60.209.69:8080
43.157.161.175:8080
43.157.171.245:8080

# Reference: https://app.validin.com/detail?find=Prote%C3%A7%C3%A3o%20de%20Cart%C3%B5es%20%E2%80%93%20Apps%20no%20Google%20Play&type=raw&ref_id=2ef4daeb2bb#tab=host_pairs (# 2025-08-14)
# Reference: https://app.validin.com/detail?find=fdb976c0876ccd0a6eaae41b2cf1c228&type=hash&ref_id=bfbce515b1d#tab=host_pairs (# 2025-08-14)

104-218-52-170.cprapid.com
appsegurocartao.com
caixadirectacomunicaropen.com
cartaoseguroapp.com
cashbackdepontos.info
fabrikabeta.online
ip60.ip-142-44-207.net
mathbeta.online
meucartaoprotegido.com
meucartaoseguro.com
minhaprotecao.info
minhaseguranca.info
monitoreseucartao.com
protecaocartao.com
protejaseucartao.com
protetordenfc.com
reservalocaliza.app
resgatarmeuspontos.info
resgateway.info
santandercomunicarcliente.com
securecard.online
segurancadocartao.info
segurancanfc.com
segurancanoseucartao.shop
segurocartaoapp.com
segurocartaoprotegido.com
seucartaoprotegido.com
seucartaoseguro.com
seupedidoshopee.com
sicurezza-nex1-nfc.site
sicurezza-nfc.site
sicurezza-nfc24h.site
app.segurancadocartao.info
qw26.liaoqazqq.com
staging-app.clientpulse.ai
staging-backend.clientpulse.ai

# Reference: https://x.com/johnk3r/status/1956014820743926090

nfc8886.com
brazil.nfc8886.com

# Reference: https://x.com/LukasStefanko/status/1826552355900317892
# Reference: https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/
# Reference: https://github.com/eset/malware-ioc/tree/master/ngate
# Reference: https://www.virustotal.com/gui/file/7cb66683d8588059dd9fbacaded3b4d9a0061620515ec9d9f992697de270e07c/detection
# Reference: https://www.virustotal.com/gui/file/267a4d1db03284827668278a7be11af7999beac388ac902fcb268644d227369c/detection
# Reference: https://www.virustotal.com/gui/file/4d53ecb0f862054fa01c834d1fc21bf97c4884899e059131d982f90953b88768/detection
# Reference: https://www.virustotal.com/gui/file/e19a7c8e4994ea4ed680136c9e3a6fff7b82c72f5743952821a446b6cb830f06/detection
# Reference: https://www.virustotal.com/gui/file/95d906dca5a3be5cf066268662b3c953860e54e9cdcfcd427faf0aaa9cb62bad/detection
# Reference: https://www.virustotal.com/gui/file/1d126e5904dde3b46175a4aae89eec1fb8a6b80e35b1f473878e5dd288f8aae6/detection
# Reference: https://www.virustotal.com/gui/file/17a16f08108e25af1c8b058adbaca2cada6a93c2d38c9854148f9e9caac76ac3/detection
# Reference: https://www.virustotal.com/gui/file/162f8c6bafe0c343c37f173344c4f6880eaec0aea7b491565db874366b161784/detection

http://172.187.98.211
172.187.98.211:443
cryptomaker.info
george-bank-cz.online
mobil-csob-cz.eu
my-cz.site
play-secure.pro
raiffeisen-cz.eu
tbc-app.life
app.mobil-csob-cz.eu
client.nfcpay.workers.dev
csas.my-cz.site
csob-93ef49e7a.tbc-app.life
geo-4bfa49b2.tbc-app.life
george.tbc-app.life
nfc.cryptomaker.info
nfcpay.workers.dev
rb-62d3a.tbc-app.life
rb.2f1c0b7d.tbc-app.life

# Reference: https://x.com/ESETresearch/status/1887839381274161509
# Reference: https://www.virustotal.com/gui/file/ecf57b7c4a832cf9e22c76ffeab36c410979eeabac94e822bcc61b5229b48726/detection

38.180.222.230:5577

# Reference: https://x.com/malwrhunterteam/status/1915376762931875917
# Reference: https://www.virustotal.com/gui/file/3474a05a69f762394cc41d9dc90f224a54561f32b6933777f2d40f1f81ebb8eb/detection

38.47.195.208:8881

# Reference: https://x.com/malwrhunterteam/status/1931461670649622998
# Reference: https://www.virustotal.com/gui/file/61729bab8a31bb183fdeff0914324286b90f5a37adb55349796f2926df274150/detection

188.127.251.70:3050

# Reference: https://x.com/johnk3r/status/1938369399192461328
# Reference: https://x.com/johnk3r/status/1938369402619236837
# Reference: https://www.virustotal.com/gui/file/172f04d094513ddfa0790008d79a2ddb3961a3317574a9b00dc8cf931b6b4016/detection

45.88.91.119:15000
45.88.91.119:16001

# Reference: https://x.com/P4nd3m1cb0y/status/1968049145543119146
# Reference: https://www.virustotal.com/gui/file/25634ee2e67323c124ca86dff15d20de38f92731a104514f007e39129cedd16e/detection
# Reference: https://www.virustotal.com/gui/file/d79c24c70a0806514ed9b228afe795723ec88a212c2042eb0dd764dd403c4ba9/detection

181.41.200.116:1285
181.41.200.116:3000

# Reference: https://app.validin.com/detail?find=Aguardando%20Cart%C3%A3o&type=raw&ref_id=6a172e13cc4#tab=host_pairs (# 2025-09-17)
# Reference: https://www.virustotal.com/gui/file/859a231e39614851bbcfc65112330326dcf57b21f48c96d36bfb09b0beb89e32/detection
# Reference: https://www.virustotal.com/gui/file/b5ca3ef74699a6153a7827f8cde6038de3037f6a8064fee7e4b5605e639bca4f/detection
# Reference: https://www.virustotal.com/gui/file/52487721d134441967c7f34c81791258374d74d344df35477085336bf44c6281/detection

179.0.176.160:1285
179.0.176.160:3000
185.228.72.137:1285
185.228.72.137:3000
191.101.131.54:1285
191.101.131.54:3000

# Reference: https://zimperium.com/blog/tap-and-steal-the-rise-of-nfc-relay-malware-on-mobile-devices
# Reference: https://raw.githubusercontent.com/Zimperium/IOC/refs/heads/master/2025-10-NFCStealer/hosts.csv
# Reference: https://www.virustotal.com/gui/file/fc7cd47bb0b801b42c1e0b92b83e96a3fe8db6c722838dba532623e80a0cf6be/detection
# Reference: https://www.virustotal.com/gui/file/9a6b3ba5ee0845bc94f97cad9c1e5f0092f2dde9191ba086eee2e010c59f99ed/detection
# Reference: https://www.virustotal.com/gui/file/6539134c97157ef407913fdcfabe83d701a2d45a6ed45e001c814b5b7d16b292/detection
# Reference: https://www.virustotal.com/gui/file/64279037c81a57fa35012d37bc289881cc028bbbdff627bfa9a27071ac95bda5/detection
# Reference: https://www.virustotal.com/gui/file/63a489294c61b9b2aecf3cd5bb22c37e0c969193ba9d6bdb43873abefe664b65/detection
# Reference: https://www.virustotal.com/gui/file/5b196656c536504cd18d897c7e466b3b4b651a80a858cd1cc0679ba242fc0469/detection
# Reference: https://www.virustotal.com/gui/file/fe91c4d85d302d34e9555c8021d475132307ba32cfb2923858ddca2efcb53bd5/detection
# Reference: https://www.virustotal.com/gui/file/258f044046b11803f85bf8d8095897bcd2775fb6152877a2f5054f625d019386/detection

http://43.153.97.44
154.44.26.235:9898
178.20.45.80:3003
178.255.126.110:3005
178.255.126.119:3005
178.255.126.124:3002
178.255.126.12:3005
178.255.126.143:3005
178.255.126.177:3005
178.255.126.66:3005
185.130.251.159:3050
185.130.251.172:3050
185.196.10.50:3050
185.209.30.41:3002
185.214.74.210:3002
185.242.247.252:3001
185.244.181.229:1337
185.39.206.108:3005
185.39.206.124:3005
185.39.206.30:3004
185.39.206.41:3002
185.39.206.41:3004
185.39.206.58:3005
185.39.206.59:3005
185.39.206.60:3005
185.75.135.183:3001
188.127.225.174:3050
188.127.225.195:3050
188.127.225.40:3050
188.127.225.54:3050
188.127.225.91:3050
188.127.227.15:3050
188.127.227.21:3050
188.127.227.7:3050
188.127.235.150:3050
188.127.239.39:3050
188.127.239.41:3050
188.127.240.103:3050
188.127.240.104:3050
188.127.240.13:3050
188.127.240.141:3050
188.127.240.31:3050
188.127.240.37:3050
188.127.240.39:3050
188.127.240.43:3050
188.127.240.47:3050
188.127.240.53:3050
188.127.240.58:3050
188.127.240.63:3050
188.127.240.72:3050
188.127.240.91:3050
188.127.249.214:3050
188.127.249.230:3050
188.127.249.236:3050
188.127.249.238:3050
188.127.249.239:3055
188.127.249.245:3050
188.127.249.247:3050
188.127.249.252:3050
188.127.251.10:3050
188.127.251.11:3050
188.127.251.15:3050
188.127.251.172:3050
188.127.251.18:3050
188.127.251.27:3050
188.127.251.31:3050
188.127.251.36:3050
188.127.251.54:3050
188.127.251.56:3050
188.127.251.61:3050
188.127.251.62:3050
188.127.251.64:3050
188.127.251.66:3050
188.127.251.6:3050
188.127.251.73:3050
188.127.251.74:3050
188.127.251.77:3050
188.127.251.85:3050
188.127.251.89:3050
188.127.251.8:3050
188.127.254.108:3050
188.127.254.113:3050
188.127.254.154:3050
188.127.254.15:3050
188.127.254.5:3050
188.127.254.89:3050
188.127.254.92:3050
193.233.48.173:1337
195.2.70.144:3005
195.2.84.77:3002
195.200.18.166:3004
195.200.30.244:3004
195.66.27.94:3050
198.44.168.63:5555
212.34.142.55:3001
212.34.142.55:3005
212.67.17.100:3005
212.67.17.106:3001
212.67.17.107:3002
212.67.17.107:3003
212.67.17.108:3005
212.67.17.110:3005
212.67.17.118:3005
212.67.17.140:3002
212.67.17.194:3005
212.67.17.243:3001
212.67.17.43:3005
212.67.17.84:3005
31.177.108.161:3001
31.177.108.161:3004
31.177.108.169:3005
31.177.108.208:3005
31.177.108.225:3003
31.177.109.213:3005
31.177.110.122:3003
31.177.110.124:3001
31.177.110.141:3003
31.177.110.199:3004
31.177.110.19:3001
31.57.38.153:16001
38.181.23.36:9989
43.154.125.108:9898
62.113.119.37:3002
62.84.97.240:3003
77.105.138.194:3002
77.232.39.57:1337
80.253.251.184:3005
80.253.251.191:3004
84.54.47.213:3001
84.54.47.213:3003
84.54.47.213:3004
84.54.47.222:3001
85.208.208.86:7000
87.121.47.104:3002
87.121.47.2:3003
88.210.34.99:3003
88.210.34.99:3004
88.210.34.99:3005
89.110.96.31:3004
89.110.98.138:3003
89.23.100.239:3001
89.23.100.92:3005
89.23.101.51:3002
89.23.102.120:3003
89.23.102.138:3005
89.23.102.196:3001
89.23.102.196:3004
89.23.102.196:3005
89.23.102.198:3002
89.23.102.1:3005
89.23.102.212:3001
89.23.102.233:3005
89.23.102.70:3001
89.23.98.229:5566
89.23.99.126:3005
89.23.99.12:3001
91.142.74.163:3004
91.142.78.216:1337
91.84.108.198:3005
91.84.111.33:3005
aa.qpyx888.com
allista.digiveri.site
app-bbva.cc
app.nfuenglish2025.com
app.nfuenglish2026.com
appguanjun0922.com
digiveri.site
genwindle.com
lafandos.shop
mhm99.tk
nfc.nfu829.com
nfcappnew.com
nfu.rc888.uk
nfu20050909.shop
nfu20050910.shop
nfu829.com
nfuenglish2025.com
nfuenglish2026.com
rc888.appguanjun0922.com
rc888.uk
rucbk.click
signalnfc.com
sofiy.top
woldersterpe.shop
xxnfc.com

# Generic (host-independent URL path trails: matched on the request path, not tied to a specific host above)

/baxi/b/index-C80Dmdnl.js
/baxi/b/index-CT0URlgY.css
