server:
# Various telemetry endpoints (hosts and domains) used by mobile location tracking libraries
# Contact: mobiletrackers [at] protonmail.ch
# See: https://github.com/craiu/mobiletrackers/
# Version 1.46 - 2024-02-07
#
# xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
local-zone: "bin5y4muil.execute-api.us-east-1.amazonaws.com." always_nxdomain
# unknown, possibly xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
local-zone: "8balwalz1i.execute-api.us-east-2.amazonaws.com." always_nxdomain
# unknowns - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
local-zone: "api.smartechmetrics.com." always_nxdomain
local-zone: "ck-running-apps-700f1.firebaseio.com." always_nxdomain
local-zone: "pie.wirelessregistry.com." always_nxdomain
# unknowns - 010f7bb33f35cc650b7d6104b07102eb0dbaf79bcec1f1c6255fdcaffefe6b68 - com.davidsukhin.com.sukhin.snowdaycalculator.SnowDay
# URLs below stored as base64 and encrypted xor 0x09 ->
local-zone: "udata.elephantdata.net." always_nxdomain
local-zone: "atb.bearclod.com." always_nxdomain
#pDNS data for the IPs associated with atb.bearclod.com ->
local-zone: "alb.bearclod.com." always_nxdomain
local-zone: "aly.bearclod.com." always_nxdomain
local-zone: "alz.bearclod.com." always_nxdomain
local-zone: "bivitis.bearclod.com." always_nxdomain
local-zone: "brt.bearclod.com." always_nxdomain
local-zone: "brul.bearclod.com." always_nxdomain
local-zone: "hfstat.bearclod.com." always_nxdomain
local-zone: "hkn01.bearclod.com." always_nxdomain
local-zone: "ply.bearclod.com." always_nxdomain
local-zone: "zoo.bearclod.com." always_nxdomain
# crashlytics - 4711634730d5367756bba4d776d846b01b8d0373336ea877a2c20b1da0a95477 - com.sgiggle.production_5.2.229629_1538560344.apk
local-zone: "settings.crashlytics.com." always_nxdomain
local-zone: "e.crashlytics.com." always_nxdomain
# starbolt - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
local-zone: "sdk.starbolt.io." always_nxdomain
local-zone: "dmp.starbolt.io." always_nxdomain
local-zone: "devices.starbolt.io." always_nxdomain
# sense360 ? - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
local-zone: "android-quinoa-config-prod.sense360eng.com." always_nxdomain
local-zone: "survey-notify-event.sense360eng.com." always_nxdomain
local-zone: "quinoa-personal-identify-prod.sense360eng.com." always_nxdomain
# appmeasurement - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
local-zone: "app-measurement.com." always_nxdomain
# newrelic - 2d4c9c037db43704f52968c9c363cbdf382cbb6a4b9143825f6e8b523b7c0c01 - com.crowdcompass.appmQaIam3e7C.apk
local-zone: "mobile-collector.newrelic.com." always_nxdomain
local-zone: "mobile-crash.newrelic.com." always_nxdomain
# Xiao mi related telemetry endpoints - see https://twitter.com/hookgab/status/1255859289945780225
local-zone: "data.mistat.india.xiaomi.com." always_nxdomain
local-zone: "data.mistat.intl.xiaomi.com." always_nxdomain
local-zone: "data.mistat.rus.xiaomi.com." always_nxdomain
local-zone: "tracking.rus.miui.com." always_nxdomain
local-zone: "tracking.intl.miui.com." always_nxdomain
local-zone: "tracking.india.miui.com." always_nxdomain
# from https://twitter.com/cybergibbons/status/1256703550954057729
local-zone: "sa.api.intl.miui.com." always_nxdomain
local-zone: "sa.api.india.miui.com." always_nxdomain
local-zone: "sa.api.rus.miui.com." always_nxdomain
# new xmodesocial - from https://mobile.twitter.com/guardianiosapp/status/1262545645941874689
local-zone: "api.myendpoint.io." always_nxdomain
# aggressive advertisers - https://securelist.com/in-app-advertising-in-android/97065/
# 1eeda6306a2b12f78902a1bc0b7a7961 – com.android.ggtoolkit_tw_xd
# 134283b8efedc3d7244ba1b3a52e4a92  – com.xprodev.cutcam
# 3aba867b8b91c17531e58a9054657e10 – com.powerd.cleaner
local-zone: "ti.domainforlite.com." always_nxdomain
local-zone: "uu.domainforlite.com." always_nxdomain
# pDNS resolutions for uu.domainforlite.com, hosting on 47.252.80.195
local-zone: "adserver.hahamobi.com." always_nxdomain
local-zone: "analytics.hahamobi.com." always_nxdomain
local-zone: "analytics.salmonads.com." always_nxdomain
local-zone: "api.salmonads.com." always_nxdomain
local-zone: "dat.funheroic.com." always_nxdomain
local-zone: "lg.luckyforworlds.com." always_nxdomain
local-zone: "lg.requestads.com." always_nxdomain
local-zone: "lg.smardroid.com." always_nxdomain
local-zone: "log.adywind.com." always_nxdomain
local-zone: "log.mobpowertech.com." always_nxdomain
local-zone: "net.hahamobi.com." always_nxdomain
local-zone: "net.salmonads.com." always_nxdomain
local-zone: "us01.salmonads.com." always_nxdomain
# mobile ads, 2020-07-07, additions from https://securelist.com/pig-in-a-poke-smartphone-adware/97607/
local-zone: "www.ywupscsff.com." always_nxdomain
local-zone: "www.mzeibiyr.com." always_nxdomain
local-zone: "i151125.infourl.net." always_nxdomain
local-zone: "www.jueoxdr.com." always_nxdomain
local-zone: "ufz.doesxyz.com." always_nxdomain
local-zone: "htapi.getapiv8.com." always_nxdomain
local-zone: "stable.icecyber.org." always_nxdomain
local-zone: "404mobi.com." always_nxdomain
local-zone: "51ginkgo.com." always_nxdomain
local-zone: "lbjg7.com." always_nxdomain
local-zone: "bigdata800.com." always_nxdomain
local-zone: "apd1.warnlog.com." always_nxdomain
local-zone: "apd1.thunup.com." always_nxdomain
# mintegral, 2020-08-30, described at: https://snyk.io/research/sour-mint-malicious-sdk/
local-zone: "n.systemlog.me." always_nxdomain
local-zone: "setting.rayjump.com." always_nxdomain
local-zone: "analytics.rayjump.com." always_nxdomain
# from pDNS on n.systemlog.me ->
local-zone: "net.cleverjp.com." always_nxdomain
# from fake NEXTALIVE (moonfair) application - https://www.zdnet.com/article/google-removes-android-app-that-was-used-to-spy-on-belarusian-protesters/
local-zone: "arcpi.nextialive.roimaster.site." always_nxdomain
local-zone: "api.nextialive.roimaster.site." always_nxdomain
local-zone: "ws.nextialive.roimaster.site." always_nxdomain
local-zone: "nextialive.roimaster.site." always_nxdomain
local-zone: "api.dev.chat.roimaster.site." always_nxdomain
local-zone: "dev.chat.roimaster.site." always_nxdomain
# Joker download URLs / hosts as described by ZScaler - https://www.zscaler.com/blogs/security-research/joker-playing-hide-and-seek-google-play
local-zone: "2j1i9uqw.oss-eu-central-1.aliyuncs.com." always_nxdomain
local-zone: "blackdragon03.oss-ap-southeast-5.aliyuncs.com." always_nxdomain
local-zone: "blackdragon.oss-ap-southeast-5.aliyuncs.com." always_nxdomain
local-zone: "fgcxweasqw.oss-eu-central-1.aliyuncs.com." always_nxdomain
local-zone: "jk8681oy.oss-eu-central-1.aliyuncs.com." always_nxdomain
local-zone: "laodaoo.oss-ap-southeast-5.aliyuncs.com." always_nxdomain
local-zone: "n47n.oss-ap-southeast-5.aliyuncs.com." always_nxdomain
local-zone: "nineth03.oss-ap-southeast-5.aliyuncs.com." always_nxdomain
local-zone: "proxy48.oss-eu-central-1.aliyuncs.com." always_nxdomain
local-zone: "rinimae.oss-ap-southeast-5.aliyuncs.com." always_nxdomain
local-zone: "sahar.oss-us-east-1.aliyuncs.com." always_nxdomain
# Cerberus C2s as described by BitDefender - https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/
local-zone: "2fapass.club." always_nxdomain
local-zone: "androidradio.life." always_nxdomain
local-zone: "downdating.club." always_nxdomain
local-zone: "fitnessstrategy.xyz." always_nxdomain
local-zone: "groovefitness.xyz." always_nxdomain
local-zone: "loversfinder.xyz." always_nxdomain
local-zone: "positivefitness.club." always_nxdomain
local-zone: "safeyourdata.xyz." always_nxdomain
local-zone: "sport4ever.club." always_nxdomain
local-zone: "vipyoga.today." always_nxdomain
local-zone: "weatherclub.club." always_nxdomain
local-zone: "yoga4u.xyz." always_nxdomain
# unknown (?) telemetry receiving endpoints from:
# 066de93f181e9cbcb8611c675bbcb0fc - com.speedcamera.detector.radar.detector.direction
local-zone: "yqchpwxvbg.execute-api.us-east-1.amazonaws.com." always_nxdomain
local-zone: "pn8sm7rjuc.execute-api.us-east-1.amazonaws.com." always_nxdomain
# venntel / gravy analytics from https://github.com/sociam/PROWISH/blob/master/data/200appsdynamic.csv
# venntel / gravy analytics from https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf
# gravy analytics docs - http://developers.findgravy.com/products/gold-api/docs/index2.html
local-zone: "api.findgravy.com." always_nxdomain
local-zone: "nwzhmwux-api.findgravy.com." always_nxdomain
local-zone: "zmq5ytc1-api.findgravy.com." always_nxdomain
local-zone: "mtm1nwmx-api.findgravy.com." always_nxdomain
local-zone: "gravyanalytics.com." always_nxdomain
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
local-zone: "ws.findgravy.com." always_nxdomain
local-zone: "api.foozor.com." always_nxdomain
local-zone: "testapi.foozor.com." always_nxdomain
# potentially related hosts on top of findgravy.com
local-zone: "img01.findgravy.com." always_nxdomain
local-zone: "img02.findgravy.com." always_nxdomain
local-zone: "img03.findgravy.com." always_nxdomain
local-zone: "img04.findgravy.com." always_nxdomain
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
local-zone: "pushapi.localytics.com." always_nxdomain
local-zone: "analytics.localytics.com." always_nxdomain
local-zone: "profile.localytics.com." always_nxdomain
# cuebiq location sdk from ->
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
local-zone: "in.cuebiq.com." always_nxdomain
local-zone: "ingestion-api.kiwi.sand.cuebiq.ai." always_nxdomain
# nodle.io sdk from ->
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
local-zone: "dev.nodle.io." always_nxdomain
local-zone: "us-central1-production-242307.cloudfunctions.net." always_nxdomain
# unknown sdk from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass possibly xmode related
# more crashlytics hosts from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
local-zone: "firebase-settings.crashlytics.com." always_nxdomain
local-zone: "update.crashlytics.com." always_nxdomain
local-zone: "reports.crashlytics.com." always_nxdomain
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass ->
local-zone: "pixelprose.fr." always_nxdomain
# appsflyer from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
local-zone: "onelink.me." always_nxdomain
local-zone: "onelnk.com." always_nxdomain
local-zone: "app.aflink.com." always_nxdomain
local-zone: "t.appsflyer.com." always_nxdomain
# other various telemetry endpoints (not necessarily location related) from from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
local-zone: "api.mixpanel.com." always_nxdomain
local-zone: "decide.mixpanel.com." always_nxdomain
local-zone: "cdn.optimizely.com." always_nxdomain
local-zone: "logx.optimizely.com." always_nxdomain
local-zone: "outline.truecaller.com." always_nxdomain
local-zone: "api4.truecaller.com." always_nxdomain
local-zone: "c.webengage.com." always_nxdomain
local-zone: "p.webengage.com." always_nxdomain
local-zone: "api.branch.io." always_nxdomain
local-zone: "bnc.lt." always_nxdomain
local-zone: "cdn.branch.io." always_nxdomain
local-zone: "js.intercomcdn.com." always_nxdomain
local-zone: "mobile-sdk-api.intercom.io." always_nxdomain
# Clevertap's wzrkt.com - also see https://twitter.com/fs0c131y/status/977267255309463554
local-zone: "wzrkt.com." always_nxdomain
local-zone: "in.wzrkt.com." always_nxdomain
# subdomains from wzrkt.com - https://subdomainfinder.c99.nl/scans/2020-04-19/wzrkt.com
local-zone: "api.wzrkt.com." always_nxdomain
local-zone: "cb.wzrkt.com." always_nxdomain
local-zone: "eu1-spiky.wzrkt.com." always_nxdomain
local-zone: "eu1.alb.wzrkt.com." always_nxdomain
local-zone: "eu1.wzrkt.com." always_nxdomain
local-zone: "in.cb.wzrkt.com." always_nxdomain
local-zone: "in1-spiky.wzrkt.com." always_nxdomain
local-zone: "in1.alb.wzrkt.com." always_nxdomain
local-zone: "in1.wzrkt.com." always_nxdomain
local-zone: "sg1-spiky.wzrkt.com." always_nxdomain
local-zone: "sg1.cb.wzrkt.com." always_nxdomain
local-zone: "sg1.wzrkt.com." always_nxdomain
local-zone: "sk1-spiky.wzrkt.com." always_nxdomain
local-zone: "sk1-staging-1.wzrkt.com." always_nxdomain
local-zone: "sk1-staging-10.wzrkt.com." always_nxdomain
local-zone: "sk1-staging-2.wzrkt.com." always_nxdomain
local-zone: "sk1-staging-3.wzrkt.com." always_nxdomain
local-zone: "sk1-staging-4.wzrkt.com." always_nxdomain
local-zone: "sk1-staging-5.wzrkt.com." always_nxdomain
local-zone: "sk1-staging-6.wzrkt.com." always_nxdomain
local-zone: "sk1-staging-7.wzrkt.com." always_nxdomain
local-zone: "sk1-staging-8.wzrkt.com." always_nxdomain
local-zone: "sk1-staging-9.wzrkt.com." always_nxdomain
local-zone: "sk1.wzrkt.com." always_nxdomain
local-zone: "us1-spiky.wzrkt.com." always_nxdomain
local-zone: "us1.cb.wzrkt.com." always_nxdomain
local-zone: "us1.wzrkt.com." always_nxdomain
# from cb9f6bb72a9766ba8c805c25769b47c46751052706bb41ed333db0b42cd586ff - 	com.byjus.thelearningapp
# also see https://digitalwatchdog.org/wp-content/uploads/2020/09/IDAC-Ed-Tech-Report_AppendixB_SensitiveData.pdf
local-zone: "api.tllms.com." always_nxdomain
local-zone: "marketing.tllms.com." always_nxdomain
# from 09f5bcadde3351eb3f509f5a471cbd7bb00536292da560bcf8ee59eb73116f00 - luo.speedometergps
# teragence ->
local-zone: "control.teragence.net." always_nxdomain
local-zone: "pfsense02-01.is-61194.teragence.net." always_nxdomain
# tutela ->
local-zone: "upload-tutelawest.s3-accelerate.amazonaws.com." always_nxdomain
local-zone: "reporting-util.tutelatechnologies.com." always_nxdomain
local-zone: "hail-reporting.tutelatechnologies.com." always_nxdomain
local-zone: "thepopulator.tutelatechnologies.com." always_nxdomain
# huq (also from 9c53a29a7e6a871f57b20097185a09afd2ff818455a42792d502f1eb8f2e3679) ->
local-zone: "api.huqindustries.co.uk." always_nxdomain
local-zone: "report.huqindustries.co.uk." always_nxdomain
local-zone: "charles.huqindustries.co.uk." always_nxdomain
# IOCs from https://www.whiteops.com/blog/somewhere-over-the-rainbowmix
local-zone: "api.pythonexample.com." always_nxdomain
# Predicio - from Funny Weather - pl.lawiusz.funnyweather.release.apk - 6d23151e69a57f67111d4969594316576577ae8a2015aff336ab6ef0fb2a07b4
# see https://www.vice.com/en/article/epdpdm/ice-dhs-fbi-location-data-venntel-apps
local-zone: "sdk.predic.io." always_nxdomain
# Kinesis endpoint from Funny Weather:
local-zone: "kinesis.ap-southeast-1.amazonaws.com." always_nxdomain
# Complementics endpoints from 4ba50272718c95af20940912c7968410d797fbc07dcce2bad8183b94887b0ab4
local-zone: "sdk-as.complementics.com." always_nxdomain
local-zone: "static.complementics.com." always_nxdomain
# Goontact from https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail
local-zone: "redvios.com." always_nxdomain
local-zone: "v-talk.top." always_nxdomain
local-zone: "v-talk.vip." always_nxdomain
local-zone: "ladysizi.top." always_nxdomain
local-zone: "mmbox.top." always_nxdomain
local-zone: "oncamera.top." always_nxdomain
local-zone: "oncast.top." always_nxdomain
local-zone: "mimibox.top." always_nxdomain
local-zone: "voicecontrol.top." always_nxdomain
local-zone: "signaltalk.top." always_nxdomain
local-zone: "oncamera.vip." always_nxdomain
local-zone: "dalbam.vip." always_nxdomain
local-zone: "mimimsg.net." always_nxdomain
local-zone: "signal-live.vip." always_nxdomain
local-zone: "tele-gram.vip." always_nxdomain
local-zone: "vtalk.vip." always_nxdomain
local-zone: "a-video.vip." always_nxdomain
local-zone: "livetalk.vip." always_nxdomain
local-zone: "livetalk.top." always_nxdomain
local-zone: "download-file.top." always_nxdomain
local-zone: "grd77.cn." always_nxdomain
local-zone: "mimicwt.net." always_nxdomain
local-zone: "super-voice.vip." always_nxdomain
local-zone: "mimi18s.top." always_nxdomain
local-zone: "momomsg.top." always_nxdomain
local-zone: "live-live.vip." always_nxdomain
local-zone: "zerobyte.top." always_nxdomain
local-zone: "zerobt.net." always_nxdomain
local-zone: "w-video.vip." always_nxdomain
local-zone: "ser-chat.com." always_nxdomain
local-zone: "tocast.vip." always_nxdomain
local-zone: "videosound.vip." always_nxdomain
local-zone: "twi-tter.vip." always_nxdomain
local-zone: "my-player.vip." always_nxdomain
local-zone: "voicesupport.vip." always_nxdomain
# Joker from https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/
local-zone: "gd-1301476296.cos.na-toronto.myqcloud.com." always_nxdomain
# Related to: https://github.com/greatsuspender/thegreatsuspender/issues/1175
# and: https://www.theregister.com/2021/01/07/great_suspender_malware/
local-zone: "cdn.owebanalytics.com." always_nxdomain
local-zone: "static.trckingbyte.com." always_nxdomain
local-zone: "static.trckpath.com." always_nxdomain
local-zone: "static.privacytrck.com." always_nxdomain
local-zone: "rctphvxwnjhx.pw." always_nxdomain
local-zone: "hanstrackr.com." always_nxdomain
# Postlo spyware - https://twitter.com/ESETresearch/status/1374889857403785218?s=20
local-zone: "api.mainrepo.org." always_nxdomain
# EvilEye malware C2s mentioned at https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/
local-zone: "anayurt.net." always_nxdomain
local-zone: "apkprue.info." always_nxdomain
local-zone: "geo2ipapi.org." always_nxdomain
local-zone: "gotossl.ml." always_nxdomain
local-zone: "icptime.com." always_nxdomain
local-zone: "istiqlaihaber.com." always_nxdomain
local-zone: "misran.org." always_nxdomain
local-zone: "newyorkingsite.com." always_nxdomain
local-zone: "playgoog1e.com." always_nxdomain
local-zone: "preservtyg.com." always_nxdomain
local-zone: "sslportservices.com." always_nxdomain
local-zone: "strunhvgpk.com." always_nxdomain
local-zone: "uhtpuerdfbnm.com." always_nxdomain
local-zone: "uyghur-news.com." always_nxdomain
local-zone: "uyghur-soft-market.com." always_nxdomain
local-zone: "uyghurhaber.com." always_nxdomain
local-zone: "www.apkhl.pw." always_nxdomain
local-zone: "apkhl.pw." always_nxdomain
local-zone: "www.apkpure.bz." always_nxdomain
local-zone: "apkpure.bz." always_nxdomain
# Xcodespy - https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/
local-zone: "www.liveupdate.cc." always_nxdomain
local-zone: "www.appmarket.co." always_nxdomain
local-zone: "www.recentnews.cc." always_nxdomain
local-zone: "www.truckrental.cc." always_nxdomain
local-zone: "www.everestnote.com." always_nxdomain
local-zone: "www.alinbox.co." always_nxdomain
local-zone: "www.suppro.co." always_nxdomain
# APKPure compromise by Triada malware - https://securelist.com/apkpure-android-app-store-infected/101845/
local-zone: "wcf.seven1029.com." always_nxdomain
local-zone: "foodin.site." always_nxdomain
# Triada from https://securelist.com/triada-trojan-in-whatsapp-mod/103679/
# Trojan.AndroidOS.Triada.ef b1aa5d5bf39fee0b1e201d835e4dc8de
local-zone: "t1k22.c8xwor.com." always_nxdomain
local-zone: "dgmxn.c8xwor.com." always_nxdomain
# Tutela technologies - f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc - org.speedspot.speedanalytics
local-zone: "reporting.tutelatechnologies.com." always_nxdomain
local-zone: "video-url.tutelatechnologies.com." always_nxdomain
local-zone: "d3clybje3sun07.cloudfront.net." always_nxdomain
# speedspot - reports GPS location, other data - SpeedtestResultViews.java - inside f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc
local-zone: "api.speedspot.org." always_nxdomain
local-zone: "www.speedcheck.org." always_nxdomain
local-zone: "net.etrality.com." always_nxdomain
local-zone: "a2.etrality.com." always_nxdomain
local-zone: "a1.etrality.com." always_nxdomain
local-zone: "c4.etrality.com." always_nxdomain
local-zone: "b3.etrality.com." always_nxdomain
local-zone: "c3.etrality.com." always_nxdomain
local-zone: "b2.etrality.com." always_nxdomain
local-zone: "c2.etrality.com." always_nxdomain
local-zone: "b1.etrality.com." always_nxdomain
local-zone: "c1.etrality.com." always_nxdomain
local-zone: "wpc.a3cd.edgecastcdn.net." always_nxdomain
local-zone: "speedspot.speedspot.netdna-cdn.com." always_nxdomain
local-zone: "www.speedspot5.com." always_nxdomain
local-zone: "www.speedspot1.com." always_nxdomain
local-zone: "www.speedspot7.com." always_nxdomain
local-zone: "www.speedspot2.com." always_nxdomain
local-zone: "www.speedspot3.com." always_nxdomain
local-zone: "www.speedspot4.com." always_nxdomain
local-zone: "www.speedspot6.com." always_nxdomain
#Kochava endpoints, from rugabunda https://beta.pithus.org/report/844aa271ef47f7807ab3ccc63952e2215298701a6851857c22456317927f08fd
local-zone: "co.akisinn.info." always_nxdomain
local-zone: "co.dewrain.life." always_nxdomain
local-zone: "co.vaicore.site." always_nxdomain
local-zone: "co.vaicore.xyz." always_nxdomain
local-zone: "int.akisinn.info." always_nxdomain
local-zone: "int.akisinn.me." always_nxdomain
local-zone: "int.akisinn.site." always_nxdomain
local-zone: "int.dewrain.life." always_nxdomain
local-zone: "int.dewrain.site." always_nxdomain
local-zone: "int.dewrain.world." always_nxdomain
local-zone: "int.vaicore.site." always_nxdomain
local-zone: "int.vaicore.store." always_nxdomain
local-zone: "int.vaicore.xyz." always_nxdomain
local-zone: "int.vlancaa.site." always_nxdomain
local-zone: "int.vlancaa.fun." always_nxdomain
local-zone: "tok.vaicore.xyz." always_nxdomain
local-zone: "vaicore.xyz." always_nxdomain
local-zone: "web.ab-salute.com." always_nxdomain
local-zone: "smart.link." always_nxdomain
# Adeco and inappertising - see https://www.occrp.org/en/investigations/how-a-russian-mobile-app-developer-recruited-phones-into-a-secret-ad-watching-robot-army
# Ultimate-Mortal-Kombat-3-v1-1.apk - https://www.virustotal.com/gui/file/dc078b004830ff03a27371bbc1c4a7b5882d5a0fb577a8477c09e8b3bfe0d6d3/details
local-zone: "cfg.inappertising.org." always_nxdomain
local-zone: "stats.inappertising.org." always_nxdomain
local-zone: "app-stats.net2share.com." always_nxdomain
local-zone: "s.net2share.com." always_nxdomain
local-zone: "adeco.adecosystems.com." always_nxdomain
local-zone: "dd.adecosystems.com." always_nxdomain
# GriftHorse Android from - https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/
local-zone: "hotofecro.com." always_nxdomain
local-zone: "alaiblompass.com." always_nxdomain
local-zone: "heartratteandpulsetracker.com." always_nxdomain
local-zone: "icoonectedtrack.com." always_nxdomain
local-zone: "ospocatracker.com." always_nxdomain
local-zone: "laalaslirayeblection.com." always_nxdomain
local-zone: "iblompass.com." always_nxdomain
local-zone: "smalllcalllrecorder.com." always_nxdomain
local-zone: "anguaganslatast.com." always_nxdomain
local-zone: "oroscopemestry.com." always_nxdomain
local-zone: "blompascator.com." always_nxdomain
local-zone: "leunoon.com." always_nxdomain
local-zone: "arindocation.com." always_nxdomain
local-zone: "rooitor.com." always_nxdomain
local-zone: "mychattranslator.club." always_nxdomain
local-zone: "rulapptoplan.com." always_nxdomain
local-zone: "rportranslator.com." always_nxdomain
local-zone: "muslimasauda.com." always_nxdomain
local-zone: "martpolocator.com." always_nxdomain
local-zone: "wfupppx.com." always_nxdomain
local-zone: "scandocnotes.com." always_nxdomain
local-zone: "freecoupon21.com." always_nxdomain
local-zone: "ponyvideochat.com." always_nxdomain
local-zone: "ludamec.com." always_nxdomain
local-zone: "chat-transa.com." always_nxdomain
local-zone: "soulscanneryh.com." always_nxdomain
local-zone: "d3cameraplan.com." always_nxdomain
local-zone: "qibla-ultima.com." always_nxdomain
local-zone: "zoofanimalm.com." always_nxdomain
local-zone: "ciaolvc.com." always_nxdomain
local-zone: "heartrateproxhealthmonitor.com." always_nxdomain
local-zone: "bus-metrolis.com." always_nxdomain
local-zone: "truck-rouddrive.com." always_nxdomain
local-zone: "locatinfind.com." always_nxdomain
local-zone: "camerdentifier.com." always_nxdomain
local-zone: "locatorqiafindlocation.com." always_nxdomain
local-zone: "cocachar.com." always_nxdomain
local-zone: "squishyp.com." always_nxdomain
local-zone: "antranslaro.com." always_nxdomain
local-zone: "ftphotom.com." always_nxdomain
local-zone: "lockul.com." always_nxdomain
local-zone: "fingerprihanger.com." always_nxdomain
local-zone: "locatorshar.com." always_nxdomain
local-zone: "kfcwsa.com." always_nxdomain
local-zone: "gpsphonuetrackerfamilylocator.com." always_nxdomain
local-zone: "cailrecorder.com." always_nxdomain
local-zone: "tqiblacompas.com." always_nxdomain
local-zone: "kvprojectop.com." always_nxdomain
local-zone: "pikchoeditor.com." always_nxdomain
local-zone: "streetprocarsracingss.com." always_nxdomain
local-zone: "nemaeovies.com." always_nxdomain
local-zone: "aecodero.com." always_nxdomain
local-zone: "ivlewepapallrbkragonucd.com." always_nxdomain
local-zone: "heartrateandmealtracker.com." always_nxdomain
local-zone: "phonecontrolblockspamcalls.com." always_nxdomain
local-zone: "etcotater.com." always_nxdomain
local-zone: "canopoument.com." always_nxdomain
local-zone: "locxfindxlocx.com." always_nxdomain
local-zone: "mnesytrlatr.com." always_nxdomain
local-zone: "huntcontactz.com." always_nxdomain
local-zone: "intelgenttran.com." always_nxdomain
local-zone: "facenalyer.com." always_nxdomain
local-zone: "fnbdeiegpslocoiatntcrkaer.com." always_nxdomain
local-zone: "trcalluecodr.com." always_nxdomain
local-zone: "qrreaderpro.com." always_nxdomain
local-zone: "itranstxtvoicepht.com." always_nxdomain
local-zone: "qiberiblaon.com." always_nxdomain
local-zone: "iconylc.com." always_nxdomain
local-zone: "lsepeanitor.com." always_nxdomain
local-zone: "fxkwboard.com." always_nxdomain
local-zone: "dehcoveanager.com." always_nxdomain
local-zone: "tickeakhatsp.com." always_nxdomain
local-zone: "phoneboster.com." always_nxdomain
local-zone: "phonfinbyclap.com." always_nxdomain
local-zone: "aralaper.com." always_nxdomain
local-zone: "qibdirctiowa.com." always_nxdomain
local-zone: "islsrickers.com." always_nxdomain
local-zone: "feartranslator.com." always_nxdomain
local-zone: "vpnzfep.com." always_nxdomain
local-zone: "snaplens-pt.com." always_nxdomain
local-zone: "qiblassirection.com." always_nxdomain
local-zone: "easyvshow.com." always_nxdomain
local-zone: "qibla-quran.com." always_nxdomain
local-zone: "qrcodesscan.com." always_nxdomain
local-zone: "hoolives.com." always_nxdomain
local-zone: "burivingsim.com." always_nxdomain
local-zone: "coupongiftsnstashop.com." always_nxdomain
local-zone: "fingdefend.com." always_nxdomain
local-zone: "projectormp.com." always_nxdomain
local-zone: "forzahmobile.com." always_nxdomain
local-zone: "artateulseonitor.com." always_nxdomain
local-zone: "sslasmr.com." always_nxdomain
local-zone: "bagscaner.com." always_nxdomain
local-zone: "phonecallerscreen.com." always_nxdomain
local-zone: "datingappswmt.com." always_nxdomain
local-zone: "lifeel-scan.com." always_nxdomain
local-zone: "colorizerset.club." always_nxdomain
local-zone: "expresscreditcash.com." always_nxdomain
local-zone: "ccallerx.com." always_nxdomain
local-zone: "transatitonneap.com." always_nxdomain
local-zone: "lasouncherio.com." always_nxdomain
local-zone: "claptfindzmphone.com." always_nxdomain
local-zone: "mirrorscreencasttvv.com." always_nxdomain
local-zone: "ircleocatinder.com." always_nxdomain
local-zone: "mobleingsder.com." always_nxdomain
local-zone: "proocallerr.com." always_nxdomain
local-zone: "frecalwolwid.com." always_nxdomain
local-zone: "allelpcoonmber.com." always_nxdomain
local-zone: "faspulhearratmoni.com." always_nxdomain
local-zone: "fincconttact.com." always_nxdomain
local-zone: "uncherdroid.com." always_nxdomain
local-zone: "iveilembercker.com." always_nxdomain
local-zone: "lepamcker.com." always_nxdomain
local-zone: "lockaaocker.com." always_nxdomain
local-zone: "onarchbylap.com." always_nxdomain
local-zone: "secontranslatpr.com." always_nxdomain
local-zone: "tgscontakcs.com." always_nxdomain
local-zone: "callwhozdine.com." always_nxdomain
local-zone: "perargero.com." always_nxdomain
local-zone: "mylocatorplus.club." always_nxdomain
local-zone: "comclap.club." always_nxdomain
local-zone: "callerids.club." always_nxdomain
local-zone: "instantspeechtranslation.club." always_nxdomain
local-zone: "photoeditorbest.club." always_nxdomain
local-zone: "piction.club." always_nxdomain
local-zone: "driveriders.club." always_nxdomain
local-zone: "skycoachgg.club." always_nxdomain
local-zone: "ffitnesstrainer.club." always_nxdomain
local-zone: "racerscardriver.club." always_nxdomain
local-zone: "fitnessdias.club." always_nxdomain
local-zone: "meetingonlinechat.club." always_nxdomain
local-zone: "fitnessgymup.club." always_nxdomain
local-zone: "editsbackground.club." always_nxdomain
local-zone: "cutcutpro.club." always_nxdomain
local-zone: "drivingexpiriencesimulator.club." always_nxdomain
local-zone: "clipbuddy.club." always_nxdomain
local-zone: "horoscopefortune.club." always_nxdomain
local-zone: "ludospeakeasy.club." always_nxdomain
local-zone: "fitnesspoint.club." always_nxdomain
local-zone: "wallvoluminousfourk.club." always_nxdomain
local-zone: "cvectorart.club." always_nxdomain
local-zone: "ludospeakv2.club." always_nxdomain
local-zone: "callrecordpro.club." always_nxdomain
local-zone: "carracer.club." always_nxdomain
local-zone: "slimesimulator.club." always_nxdomain
local-zone: "offroaderssurvive.club." always_nxdomain
local-zone: "lending-online.club." always_nxdomain
local-zone: "controlcenterios.club." always_nxdomain
local-zone: "streetracingg.club." always_nxdomain
local-zone: "checkheart.club." always_nxdomain
local-zone: "keyboardthemes.club." always_nxdomain
local-zone: "whatsmesticker.club." always_nxdomain
local-zone: "batterychargingeffect.club." always_nxdomain
local-zone: "luxoreditor.club." always_nxdomain
local-zone: "lionflix.club." always_nxdomain
local-zone: "amazingvideoeditor.club." always_nxdomain
local-zone: "zodiachand.club." always_nxdomain
local-zone: "zeusalmighty.club." always_nxdomain
local-zone: "pharaohsadventure.club." always_nxdomain
local-zone: "batterylivewallpaperhd.club." always_nxdomain
local-zone: "comqubla.club." always_nxdomain
local-zone: "safelock.club." always_nxdomain
local-zone: "heartrhythm.club." always_nxdomain
local-zone: "easybassbooster.club." always_nxdomain
local-zone: "comphotolab.club." always_nxdomain
# GriftHorse Second-Stage Domain
local-zone: "678ikmbtui.com." always_nxdomain
# GriftHorse Third-Stage Domains
local-zone: "safe-link.mobi." always_nxdomain
local-zone: "at.gogameportal.club." always_nxdomain
local-zone: "activate-your-account-now.com." always_nxdomain
local-zone: "continue-to-get-content-now.com." always_nxdomain
local-zone: "your-access-here.com." always_nxdomain
local-zone: "app.buenosocial.club." always_nxdomain
local-zone: "join.crazymob.co." always_nxdomain
local-zone: "vl.denrok.space." always_nxdomain
local-zone: "www.timpromos.com.br." always_nxdomain
local-zone: "campaignmanager.fun.moobig.com." always_nxdomain
local-zone: "get-your-access-now.com." always_nxdomain
local-zone: "v.mobzones.com." always_nxdomain
local-zone: "mt2-sdp4.mt-2.co." always_nxdomain
local-zone: "go.whatabookmark.com." always_nxdomain
local-zone: "lp.shoopadoo.com." always_nxdomain
local-zone: "es.mobiplus.me." always_nxdomain
local-zone: "af.to.123games.club." always_nxdomain
local-zone: "be.startdownload.mobi." always_nxdomain
local-zone: "za.startdownload.mobi." always_nxdomain
local-zone: "n.appspool.net." always_nxdomain
local-zone: "wap.trend-tech.net." always_nxdomain
local-zone: "fr.chillaxgames.mobi." always_nxdomain
local-zone: "tracking.hexilo.com." always_nxdomain
# Suspected GriftHorse from pDNS 	185.255.179.131 / 185.255.179.132 ->
local-zone: "1g7kvrv.xyz." always_nxdomain
local-zone: "2fnoqifq.com." always_nxdomain
local-zone: "2g8cvdii.com." always_nxdomain
local-zone: "2oafxcbq.xyz." always_nxdomain
local-zone: "5rfvbnji9.com." always_nxdomain
local-zone: "7lc6jc.xyz." always_nxdomain
local-zone: "7nvdx0.xyz." always_nxdomain
local-zone: "8sghnct.xyz." always_nxdomain
local-zone: "berf4o.xyz." always_nxdomain
local-zone: "blfnf9y.com." always_nxdomain
local-zone: "brlyp4pg.com." always_nxdomain
local-zone: "chulahfi.xyz." always_nxdomain
local-zone: "cmvkvncsse.xyz." always_nxdomain
local-zone: "cophico.pw." always_nxdomain
local-zone: "cwkjravqsj.xyz." always_nxdomain
local-zone: "dhfvbsihjf.com." always_nxdomain
local-zone: "dsfhskln.com." always_nxdomain
local-zone: "eksndtpf.org." always_nxdomain
local-zone: "emraiyz.xyz." always_nxdomain
local-zone: "eok8wd5v.net." always_nxdomain
local-zone: "erbfzk.com." always_nxdomain
local-zone: "ersokbkj.com." always_nxdomain
local-zone: "fdfjhks.com." always_nxdomain
local-zone: "ffnbafc.xyz." always_nxdomain
local-zone: "hrvxkxq.xyz." always_nxdomain
local-zone: "il0baz.com." always_nxdomain
local-zone: "jduzuyd.com." always_nxdomain
local-zone: "jsdfbhsa.com." always_nxdomain
local-zone: "jydfoafcaf.xyz." always_nxdomain
local-zone: "kgr0aixa.xyz." always_nxdomain
local-zone: "krkmyvlmdg.xyz." always_nxdomain
local-zone: "lgdzbch.com." always_nxdomain
local-zone: "liahkhe.xyz." always_nxdomain
local-zone: "lljmbbk.com." always_nxdomain
local-zone: "lmbbnrhiuj.xyz." always_nxdomain
local-zone: "lwvurdsjk.org." always_nxdomain
local-zone: "lxghjoxzns.com." always_nxdomain
local-zone: "mnfbodivbv.com." always_nxdomain
local-zone: "mt5vsuf1.net." always_nxdomain
local-zone: "nfrmg1y.xyz." always_nxdomain
local-zone: "nwluoodzct.xyz." always_nxdomain
local-zone: "ocheyhv.xyz." always_nxdomain
local-zone: "okjojihgv.com." always_nxdomain
local-zone: "olimob.net." always_nxdomain
local-zone: "ortn13der.xyz." always_nxdomain
local-zone: "poiuwhejgr.com." always_nxdomain
local-zone: "pwtgnp.pw." always_nxdomain
local-zone: "qtwjhuj.com." always_nxdomain
local-zone: "rfjdhxbz.com." always_nxdomain
local-zone: "sjkfsdkg.com." always_nxdomain
local-zone: "trfvbnji7.com." always_nxdomain
local-zone: "urtyhfds.com." always_nxdomain
local-zone: "v9czaci.xyz." always_nxdomain
local-zone: "vortnomade.net." always_nxdomain
local-zone: "w9x7itu.xyz." always_nxdomain
local-zone: "www.mnfbodivbv.com." always_nxdomain
local-zone: "www.okjojihgv.com." always_nxdomain
local-zone: "y0vvbm.xyz." always_nxdomain
local-zone: "yq0z3d.xyz." always_nxdomain
# additional suspected GriftHorse from pDNS - 2021-10-21
local-zone: "down.tracksz.co." always_nxdomain
local-zone: "go.creativemobilemarketing.com." always_nxdomain
local-zone: "go.fastfinderworld.com." always_nxdomain
local-zone: "go.grandprizewinners.com." always_nxdomain
local-zone: "go.interlinkinternet.com." always_nxdomain
local-zone: "go.protectyoursearch.com." always_nxdomain
local-zone: "go.trackitalltheway.com." always_nxdomain
local-zone: "go.trackiteazy.com." always_nxdomain
local-zone: "go.watchwiser.com." always_nxdomain
# TangleBot domains, research based on - https://www.cloudmark.com/en/blog/mobile/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19
local-zone: "covid19-ca.link." always_nxdomain
local-zone: "hydro-ca.link." always_nxdomain
local-zone: "sock.godforgiveuss.live." always_nxdomain
local-zone: "sock.hhhhrkanandda.xyz." always_nxdomain
local-zone: "sock.nmnmnmfsamsfan.xyz." always_nxdomain
local-zone: "socktest.ankatras.xyz." always_nxdomain
local-zone: "vaccine-appointment.link." always_nxdomain
# Donot / Origami Elephant / APT-C-35 IOCs from Amnesty - https://github.com/AmnestyTech/investigations/blob/master/2021-10-07_donot/domains.txt
local-zone: "bulk.fun." always_nxdomain
local-zone: "apkv5.ppadaolnwod.xyz." always_nxdomain
local-zone: "apkv6.endurecif.top." always_nxdomain
local-zone: "getelements.xyz." always_nxdomain
local-zone: "fiddaz.club." always_nxdomain
local-zone: "lif0.top." always_nxdomain
local-zone: "fif0.top." always_nxdomain
local-zone: "chipp.pw." always_nxdomain
local-zone: "mimestyle.xyz." always_nxdomain
local-zone: "mangasiso.top." always_nxdomain
local-zone: "and.retardrattle.website." always_nxdomain
local-zone: "help.domainoutlet.site." always_nxdomain
local-zone: "whynotworkonit.top." always_nxdomain
local-zone: "spectronet.pw." always_nxdomain
local-zone: "full.naturalpercent.life." always_nxdomain
local-zone: "mimeversion.top." always_nxdomain
local-zone: "rythemsjoy.club." always_nxdomain
local-zone: "lowlight.xyz." always_nxdomain
local-zone: "inapturst.top." always_nxdomain
local-zone: "auth.forwardtoken.website." always_nxdomain
local-zone: "accounts.loginshare.info." always_nxdomain
local-zone: "seahome.top." always_nxdomain
local-zone: "imageview.xyz." always_nxdomain
local-zone: "flickry.xyz." always_nxdomain
local-zone: "apkv2.qwertykeypad.host." always_nxdomain
local-zone: "userauthen.pw." always_nxdomain
local-zone: "join.officeframe.work." always_nxdomain
local-zone: "zumba.tampotrust.agency." always_nxdomain
local-zone: "image.loadingmessage.info." always_nxdomain
# AbstractEmu hosts from https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign
local-zone: "jobs.illaewinstralinc.com." always_nxdomain
local-zone: "outline.abunddhighett.com." always_nxdomain
local-zone: "tags.illaryboucnc.com." always_nxdomain
local-zone: "cloud.nathompsstra.com." always_nxdomain
local-zone: "store.dianmpsoathom.com." always_nxdomain
local-zone: "fluency.ryboucoathom.com." always_nxdomain
local-zone: "csa.naaronegya.com." always_nxdomain
local-zone: "tips.ghetaldhighe.com." always_nxdomain
local-zone: "color.joarteauxelb.com." always_nxdomain
# Cynos hosts from https://vms.drweb.com/virus/?i=24972842 - 46bc4c6c87fcb519a8f315c0010b949d682ac3abee62b33bd624b251a3521b19
local-zone: "dns1.sdkbalance.com." always_nxdomain
local-zone: "dns2.sdkbalance.com." always_nxdomain
local-zone: "dns3.sdkbalance.com." always_nxdomain
local-zone: "sdk.sdkbalance.com." always_nxdomain
local-zone: "mg.sdkbalance.com." always_nxdomain
# PhoneSpy hosts from https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/ and pDNS related
local-zone: "acd.kcpro.ga." always_nxdomain
local-zone: "aki.kcpro.ga." always_nxdomain
local-zone: "arr.kcpro.tk." always_nxdomain
local-zone: "b.freespy1.ml." always_nxdomain
local-zone: "b.freespy1.tk." always_nxdomain
local-zone: "c.freespy1.ml." always_nxdomain
local-zone: "c.freespy1.tk." always_nxdomain
local-zone: "cef.kcpro.tk." always_nxdomain
local-zone: "cfs.kcpro.ga." always_nxdomain
local-zone: "d.freespy1.ml." always_nxdomain
local-zone: "d.freespy1.tk." always_nxdomain
local-zone: "dto.kcpro.ga." always_nxdomain
local-zone: "e.freespy1.ml." always_nxdomain
local-zone: "ejn.kcpro.ga." always_nxdomain
local-zone: "ern.kcpro.ga." always_nxdomain
local-zone: "f.freespy1.ml." always_nxdomain
local-zone: "f.freespy1.tk." always_nxdomain
local-zone: "freespy.cf." always_nxdomain
local-zone: "g.freespy1.ml." always_nxdomain
local-zone: "g.freespy1.tk." always_nxdomain
local-zone: "h.freespy1.ml." always_nxdomain
local-zone: "h.freespy1.tk." always_nxdomain
local-zone: "hxg.kcpro.ga." always_nxdomain
local-zone: "i.freespy1.ml." always_nxdomain
local-zone: "i.freespy1.tk." always_nxdomain
local-zone: "j.freespy1.ml." always_nxdomain
local-zone: "j.freespy1.tk." always_nxdomain
local-zone: "k.freespy1.ml." always_nxdomain
local-zone: "k.freespy1.tk." always_nxdomain
local-zone: "koreavopi.kro.kr." always_nxdomain
local-zone: "l.freespy1.ml." always_nxdomain
local-zone: "l.freespy1.tk." always_nxdomain
local-zone: "m.freespy1.ml." always_nxdomain
local-zone: "m.freespy1.tk." always_nxdomain
local-zone: "mda.kcpro.ga." always_nxdomain
local-zone: "mgo.kcpro.ga." always_nxdomain
local-zone: "n.freespy1.ml." always_nxdomain
local-zone: "n.freespy1.tk." always_nxdomain
local-zone: "o.freespy1.ml." always_nxdomain
local-zone: "o.freespy1.tk." always_nxdomain
local-zone: "oso.kcpro.ga." always_nxdomain
local-zone: "p.freespy1.ml." always_nxdomain
local-zone: "p.freespy1.tk." always_nxdomain
local-zone: "pql.kcpro.ga." always_nxdomain
local-zone: "wvv.kcpro.ga." always_nxdomain
local-zone: "ydc.kcpro.ga." always_nxdomain
local-zone: "zqn.kcpro.ga." always_nxdomain
local-zone: "zsx.kcpro.ga." always_nxdomain
# https://blog.appcensus.io/2022/04/06/the-curious-case-of-coulus-coelib/
local-zone: "mobile.measurelib.com." always_nxdomain
local-zone: "measurelib.com." always_nxdomain
local-zone: "ami0wned.com." always_nxdomain
local-zone: "amiowned.com." always_nxdomain
local-zone: "arduous.work." always_nxdomain
local-zone: "attorney-client-privileged.com." always_nxdomain
local-zone: "attorney-client.org." always_nxdomain
local-zone: "attorneyclientprivileged.com." always_nxdomain
local-zone: "beachhackerspace.com." always_nxdomain
local-zone: "cloudwatchtower.com." always_nxdomain
local-zone: "consilio.lawyer." always_nxdomain
local-zone: "consiliolaw.com." always_nxdomain
local-zone: "darknetinfo.com." always_nxdomain
local-zone: "dataillusionist.com." always_nxdomain
local-zone: "easycalea.com." always_nxdomain
local-zone: "extremeexploits.com." always_nxdomain
local-zone: "extremeexploits.org." always_nxdomain
local-zone: "fraudpreventionsys.com." always_nxdomain
local-zone: "gleancorp.com." always_nxdomain
local-zone: "idme.org." always_nxdomain
local-zone: "indelibleblue.net." always_nxdomain
local-zone: "indelibleblueinc.net." always_nxdomain
local-zone: "internetcartography.com." always_nxdomain
local-zone: "internetcartography.net." always_nxdomain
local-zone: "internetcartography.org." always_nxdomain
local-zone: "littoralventures.com." always_nxdomain
local-zone: "marketinfo.tips." always_nxdomain
local-zone: "measurementsys.com." always_nxdomain
local-zone: "mxout.net." always_nxdomain
local-zone: "myaddress.today." always_nxdomain
local-zone: "ndagri.com." always_nxdomain
local-zone: "networkcartography.com." always_nxdomain
local-zone: "networkcartography.net." always_nxdomain
local-zone: "networkcartography.org." always_nxdomain
local-zone: "newdulcina.com." always_nxdomain
local-zone: "opensourcecontext.com." always_nxdomain
local-zone: "oppleman.org." always_nxdomain
local-zone: "oscontext.com." always_nxdomain
local-zone: "pathanalyzer.com." always_nxdomain
local-zone: "pathanalyzerpro.com." always_nxdomain
local-zone: "precise.fit." always_nxdomain
local-zone: "pwhois.net." always_nxdomain
local-zone: "pwhois.org." always_nxdomain
local-zone: "quietquell.com." always_nxdomain
local-zone: "trustcor.co." always_nxdomain
local-zone: "vbchs.com." always_nxdomain
local-zone: "vbchs.org." always_nxdomain
local-zone: "vbhacker.space." always_nxdomain
local-zone: "vbhackerspace.com." always_nxdomain
local-zone: "vbhackerspace.org." always_nxdomain
local-zone: "vostrom.ventures." always_nxdomain
local-zone: "whoisanalyzer.com." always_nxdomain
local-zone: "whoisanalyzerpro.com." always_nxdomain
local-zone: "mobile.fra2.measurelib.com." always_nxdomain
local-zone: "mobile.ams2.measurelib.com." always_nxdomain
# Telematicsdirect - from al-moazin-lite-prayer-times.apk - dcb56dc7b817dd65a1f5ebfe81cf36b85ad523990b8e4f69a4a1654d1cc8277c
local-zone: "nav.telematicsdirect.com." always_nxdomain
# SafeGraph / OpenLocate
# https://github.com/pablobaxter/openlocate-android
# https://www.vice.com/en/article/m7vymn/cdc-tracked-phones-location-data-curfews
local-zone: "api.safegraph.com." always_nxdomain
# daily-scratchers.apk / 22a80df1084af11129baef89bce0bafad0aaae41e58dc2bb6e7c27fd3f4bac49 /	me.actv8.tvwallet
local-zone: "actv8technologies.com." always_nxdomain
local-zone: "api-production-v4.actv8technologies.com." always_nxdomain
local-zone: "sonar.actv8technologies.com." always_nxdomain
# Joker - RelaxingMusicSootheYourBody_signed.apk - 14c35d1158cc47cfb605fdd686603b0929d38c046dce03fd6033fb8a31433798
local-zone: "novasdk.oss-cn-beijing.aliyuncs.com." always_nxdomain
# Joker - https://github.com/DoctorWebLtd/malware-iocs/tree/master/Android.Joker
# Note: domain offline since Feb 2022
local-zone: "ad.mobnv.com." always_nxdomain
# pDNS for 	161.117.252.102
local-zone: "app.mobnv.com." always_nxdomain
local-zone: "aff.fortunnecat.com." always_nxdomain
# WhatsApp mod distributed through legitimate apps:
# https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/?utm_source=everyonesocial&utm_medium=partner&utm_campaign=us_NA-newsletter_en0177&utm_content=sm-post&utm_term=us_everyonesocial_organic_an17748oyfteksz&es_id=cfde1a3994
local-zone: "wa.zcnewy.com." always_nxdomain
local-zone: "av2wg.rt14v.com." always_nxdomain
local-zone: "g1790.rt14v.com." always_nxdomain
# xnspy - 578a880848bc52bed83b2be817a148187fde129cc8ad50db49630c0ebf59102c - xnspyappv2.apk
# https://techcrunch.com/2022/12/12/xnspy-stalkerware-iphone-android/
local-zone: "alert.xiz4me.com." always_nxdomain
local-zone: "asset.xiz4me.com." always_nxdomain
local-zone: "sync.xiz4me.com." always_nxdomain
local-zone: "xiz4me.com." always_nxdomain
local-zone: "mydwnd.com." always_nxdomain
local-zone: "brilliant-flame-585.firebaseio.com." always_nxdomain
local-zone: "brilliant-flame-585.appspot.com." always_nxdomain
# xnspy - 7e3930771370ed111cdb83397a04fa7ee89f1ea35b7f5306bb1522b82bc6d38d
local-zone: "sync.bk128.com." always_nxdomain
local-zone: "alert.bk128.com." always_nxdomain
local-zone: "asset.bk128.com." always_nxdomain
local-zone: "bk128.com." always_nxdomain
# xnspy - 9114e561c42ea19b183ef5d8a36e743f2b873874e43d805b11e3753035c7900d
local-zone: "true-truck-86810.firebaseio.com." always_nxdomain
local-zone: "true-truck-86810.appspot.com." always_nxdomain
# Fleckpe - from https://securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/
local-zone: "ac.iprocam.xyz." always_nxdomain
local-zone: "ad.iprocam.xyz." always_nxdomain
local-zone: "ap.iprocam.xyz." always_nxdomain
local-zone: "b7.photoeffect.xyz." always_nxdomain
local-zone: "ba3.photoeffect.xyz." always_nxdomain
local-zone: "f0.photoeffect.xyz." always_nxdomain
local-zone: "m11.slimedit.live." always_nxdomain
local-zone: "m12.slimedit.live." always_nxdomain
local-zone: "m13.slimedit.live." always_nxdomain
local-zone: "ba.beautycam.xyz." always_nxdomain
local-zone: "f6.beautycam.xyz." always_nxdomain
local-zone: "f8a.beautycam.xyz." always_nxdomain
local-zone: "ae.mveditor.xyz." always_nxdomain
local-zone: "b8c.mveditor.xyz." always_nxdomain
local-zone: "d3.mveditor.xyz." always_nxdomain
local-zone: "fa.gifcam.xyz." always_nxdomain
local-zone: "fb.gifcam.xyz." always_nxdomain
local-zone: "fl.gifcam.xyz." always_nxdomain
local-zone: "a.hdmodecam.live." always_nxdomain
local-zone: "b.hdmodecam.live." always_nxdomain
local-zone: "l.hdmodecam.live." always_nxdomain
local-zone: "vd.toobox.online." always_nxdomain
local-zone: "ve.toobox.online." always_nxdomain
local-zone: "vt.toobox.online." always_nxdomain
local-zone: "t1.twmills.xyz." always_nxdomain
local-zone: "t2.twmills.xyz." always_nxdomain
local-zone: "t3.twmills.xyz." always_nxdomain
local-zone: "api.odskguo.xyz." always_nxdomain
local-zone: "gbcf.odskguo.xyz." always_nxdomain
local-zone: "track.odskguo.xyz." always_nxdomain
#AhRat - see https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/
local-zone: "order.80876dd5.shop." always_nxdomain
#AhRat - b2c1517e4b0e0b3286a5cde06310b2277da7333f5ab3c2828f08272e3f85b260 - iRecorder - Screen Recorder_2.0_apkcombo.com.apk
local-zone: "config.unityads.unity3d.com." always_nxdomain
local-zone: "config.unityads.unitychina.cn." always_nxdomain
local-zone: "init.supersonicads.com." always_nxdomain
local-zone: "logs.supersonic.com." always_nxdomain
local-zone: "outcome-ssp.supersonicads.com." always_nxdomain
local-zone: "supersonicads.com." always_nxdomain
# uBlock telemetry endpoint - adblock-stats.js  inside a01ff7dac823f3666e7f38527739802e5a7ce3cb539b6a390ca99d423b5c9779
# data sent even if telemetry is disabled
local-zone: "ublocker-chrome.com." always_nxdomain
# Cytrox Predator domains, see - https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/
local-zone: "almal-news.com." always_nxdomain
local-zone: "chat-support.support." always_nxdomain
local-zone: "cibeg.online." always_nxdomain
local-zone: "notifications-sec.com." always_nxdomain
local-zone: "wa-info.com." always_nxdomain
local-zone: "whatssapp.co." always_nxdomain
local-zone: "wts-app.info." always_nxdomain
local-zone: "sec-flare.com." always_nxdomain
local-zone: "verifyurl.me." always_nxdomain
local-zone: "c.betly.me." always_nxdomain
local-zone: "betly.me." always_nxdomain
local-zone: "web.whatssapp.co." always_nxdomain
local-zone: "whatspp.wa-info.com." always_nxdomain
local-zone: "notifications.wa-info.com." always_nxdomain
local-zone: "t-bit.me." always_nxdomain
# PEACHPIT and BADBOX, extended infrastructure (expansion by @craiu), see - https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf
local-zone: "adbsc.flyermobi.com." always_nxdomain
local-zone: "adbsc.ikmytech.com." always_nxdomain
local-zone: "adbsdk.flyermobi.com." always_nxdomain
local-zone: "admin.dofunapps.com." always_nxdomain
local-zone: "ads.dofunapps.com." always_nxdomain
local-zone: "ads.flyermobi.com." always_nxdomain
local-zone: "apkcar.com." always_nxdomain
local-zone: "ats.flyermobi.com." always_nxdomain
local-zone: "ats.ikmytech.com." always_nxdomain
local-zone: "cbphe.com." always_nxdomain
local-zone: "cbpheback.com." always_nxdomain
local-zone: "dcylog.com." always_nxdomain
local-zone: "flyermobi.com." always_nxdomain
local-zone: "n1.flyermobi.com." always_nxdomain
local-zone: "sdk.dofunapps.com." always_nxdomain
local-zone: "www.apkcar.com." always_nxdomain
local-zone: "www.flyermobi.com." always_nxdomain
local-zone: "ycxrl.com." always_nxdomain
local-zone: "ymex.apkcar.com." always_nxdomain
local-zone: "ymlog.apkcar.com." always_nxdomain
local-zone: "ymsdk.apkcar.com." always_nxdomain
# Unityads from https://github.com/Unity-Technologies/unity-ads-ios
local-zone: "scar.unityads.unity3d.com." always_nxdomain
local-zone: "webviewbridge.unityads.unity3d.com." always_nxdomain
local-zone: "unityads.unity3d.com." always_nxdomain
local-zone: "gateway.unityads.unity3d.com." always_nxdomain