TONResolver Malware Campaign IoCs
====================================================================================================================================================
Indicator                                                            Detection name                 Description
====================================================================================================================================================
TONRESOLVER
5ec231d3d07530dd4e72127aeed10482d53a9fa6162624b9244ecd7418b73d4c     Trojan.PS1.TONRESOLVER.A
9a75e798a71c2541f17102128f7c546288bbd3eb30b6b2b4948b17e73873a510     TrojanSpy.JS.TONRESOLVER.A
====================================================================================================================================================
URLs
====================================================================================================================================================
Initial payload distribution servers
photo-2773041[.]cfd
photo-1773041[.]cfd
photo-4773041[.]cfd
photo-3773041[.]cfd
photo-1777041[.]cfd
photo-2777041[.]cfd
photo-3777041[.]cfd
photo-4777041[.]cfd
photo-1642054[.]cfd
photo-11642054[.]cfd
photo-21642054[.]cfd
photo-31642054[.]cfd
photo-41642054[.]cfd
photo-5142054[.]cfd
photo-5242054[.]cfd
photo-5342054[.]cfd
photo-5442054[.]cfd
photo-5542054[.]cfd
photo-5642054[.]cfd
photo-1643254[.]cfd
photo-1642254[.]cfd
photo-1613954[.]cfd
photo-1623954[.]cfd
photo-1633954[.]cfd
photo-1633254[.]cfd
photo-1633154[.]cfd
photo-2633254[.]cfd
photo-2623254[.]cfd
photo-2613254[.]cfd
photo-2632254[.]cfd
photo-2631254[.]cfd
photo-2632454[.]cfd
photo-1632454[.]cfd
photo-3632454[.]cfd
photo-6632454[.]cfd
photo-4632454[.]cfd
photo-7632454[.]cfd
photo-8632454[.]cfd
photo-332454[.]cfd
photo-132454[.]cfd
photo-432454[.]cfd
photo-232454[.]cfd
photo-532454[.]cfd
photo-22454[.]cfd
photo-52454[.]cfd
photo-32454[.]cfd
photo-62454[.]cfd
photo-12454[.]cfd
photo-23454[.]cfd
photo-24454[.]cfd
photo-21454[.]cfd
photo-26454[.]cfd
photo-26554[.]cfd
photo-26254[.]cfd
photo-26654[.]cfd
photo-26154[.]cfd
photo-26652[.]cfd
photo-26653[.]cfd
photo-26656[.]cfd
photo-26657[.]cfd
photo-27657[.]cfd
photo-27757[.]cfd
photo-dekor[.]xyz
photo-22425[.]xyz
photo-12425[.]xyz
photo-32425[.]xyz
photo-225[.]xyz
photo-125[.]xyz
photo-4425[.]xyz
photo-1425[.]xyz
photo-33425[.]xyz
photo-2425[.]xyz
photo-24625[.]xyz
photo-14625[.]xyz
photo-34625[.]xyz
photo-54625[.]xyz
photo-51473[.]xyz
photo-31473[.]xyz
photo-41473[.]xyz
photo-21473[.]xyz
photo-4512473[.]xyz
photo-1512473[.]xyz
photo-5512473[.]xyz
photo-2512473[.]xyz
widjssij728dj[.]com
kdslkdkdf932dsf[.]com
sdlaksdfk391sla[.]com
ajdoqwkd932sak[.]com
bsaakdk293sgh[.]com
airekcjk832kds[.]com
bjsdaklska283saik[.]com
hagfids922sa[.]com
hafksoawi925ds[.]com
havasssj291sld[.]com
haddjskak827sja[.]com
haskakwo291sa[.]com
hakdsiwqs281ks[.]com
jsdakksd283ksl[.]com
dsjkaksfks324das[.]com
photoguestadm[.]pro
bookphotogrou[.]pro
photbookguest[.]pro
guestphotobook[.]pro
photoguestbook[.]pro
bookfrophoto[.]pro
photoforbook[.]pro
admbooked[.]pro
bookedadmpanel[.]pro
photoguesthis[.]pro
guestphotohot[.]pro
photochanelbook[.]pro
bookphotohot[.]pro
bookphotoreserv[.]pro
photobook-reserv[.]pro
bookreservphoto[.]pro
reservebookphot[.]pro
bokphotofromguest[.]pro
guestphotob[.]pro
bookaboutphoto[.]pro
aboutbookphoto[.]pro

Dead drop resolver blockchain URL
hxxps://tonapi[.]io/v2/blockchain/accounts/0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9/methods/get_domain

Resolved websocket C2 URLs
wss://zloapobikahy23[.]bond
wss://tonajukbhuakpo2[.]shop