[Add request] Malware #933

Closed
JobcenterTycoon opened this issue Feb 14, 2023 · 8 comments

JobcenterTycoon commented Feb 14, 2023

URL you wish to be added:


Why you believe this should be added: The domains were just created to spread malware and lead the user to open unwanted links. Example: https://v1asy4ncr.click/file/63ea0e6bc4c00/?source=2238&file=filezip&t=63ea0e6bc4c89 will lead the user to open a bit.ly link which redirects the user to the malware, which is hosted on daily-switching mega.nz and mediafire.com accounts.

Add to list: Malware.txt

Other info you think we should know:

iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this issue Feb 15, 2023
And a few other changes
iam-py-test added a commit to DandelionSprout/adfilt that referenced this issue Feb 15, 2023
iam-py-test added a commit to DandelionSprout/adfilt that referenced this issue Feb 16, 2023
iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this issue Feb 17, 2023
iam-py-test added a commit to DandelionSprout/adfilt that referenced this issue Feb 20, 2023
@iam-py-test
Contributor

iam-py-test commented Feb 20, 2023

saw on another site

Just curious; what site did you see these on?
Thank you.
Found a few more (https://app.any.run/tasks/7c582574-af37-4ca9-8a3b-f7b62d37d39e):

klwukospapf.click
uerqelim91ut.click

The first one has been around for at least a week or two, and the second one is over a month old and used on other websites.

iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this issue Feb 20, 2023
Includes an update for blocklistproject/Lists#933
@JobcenterTycoon
Author

JobcenterTycoon commented Feb 21, 2023

The first links are from a redirect https://upshrink.com/nVmUQkx (the fake download buttons). To get the other link I did:

  1. Going through the upshrink shortener until I reached the final upshrink page with the uBO logger open.
  2. The final page contains scripts from .click domains. I searched for .click in the logger to get them.
  3. I opened the request directly. It's a packed script. I unpacked it with https://matthewfl.com/unPacker.html
  4. I searched the script and saw more .click domains inside.

A small note: the bit.ly link and the mega.nz link change every 10 - 20 minutes, so it's not worth blocking them.

@JobcenterTycoon
Author

JobcenterTycoon commented Feb 22, 2023

A regex could be useful to cover these cases in general.

All domains with the crap requests:

crackedhere.com/protonvpn-cracked/ -> https://4rf5tgfdfy.click/?h=c74d97b01eae257e44aa9d5bade97baf&user=16

https://origincrack.com/nordvpn-crack-license-key/ -> https://cr1nb0pw1r.click/752394248142931677064973?s=300&g=33&q=NordVPN%207.14.1%20Crack%20+%20License%20Key%202023%20Download%20[Latest]

https://www.cracka2zsoft.com/protonvpn-crack/ -> https://uerqelim91ut.click/467023850376021677034329?s=2565&g=33&q=ProtonVPN%20Crack%C2%A02023%20With%20License%20Key%20Full%20Free%20Download

upshrink.com final page -> https://8ebtdbsjsu.click/782057047764731677065607?s=11&g=31&q=file.zip

https://topcracked.com/wintools-net-professional/ -> https://cloudviky201.one/?h=54d98a67cd4e6bea72a3f80ab42934e8&user=17

https://www.fullversionforever.com/what-is-car-insurance/ -> https://7ytgf23e.cfd/?h=43ec517d68b6edd3015b3edc9a11367b&user=81

https://licensekeysfree.org/folder-lock-back-2034-guarante-tream-vvideo/ -> https://ji95rtg.cfd/?h=34173cb38f07f89ddbebc2ac9128303f&user=30

The sorted requests:

https://cr1nb0pw1r.click/752394248142931677064973?s=300&g=33&q=NordVPN%207.14.1%20Crack%20+%20License%20Key%202023%20Download%20[Latest]
https://uerqelim91ut.click/467023850376021677034329?s=2565&g=33&q=ProtonVPN%20Crack%C2%A02023%20With%20License%20Key%20Full%20Free%20Download
https://8ebtdbsjsu.click/782057047764731677065607?s=11&g=31&q=file.zip
https://4rf5tgfdfy.click/?h=c74d97b01eae257e44aa9d5bade97baf&user=16
https://cloudviky201.one/?h=54d98a67cd4e6bea72a3f80ab42934e8&user=17
https://7ytgf23e.cfd/?h=43ec517d68b6edd3015b3edc9a11367b&user=81
https://ji95rtg.cfd/?h=34173cb38f07f89ddbebc2ac9128303f&user=30

Or even without regex (safe?):

.click/*?s=*&g=*&q=$script,3p
.click/?h=*&user=$script,3p
.one/?h=*&user=$script,3p
.cfd/?h=*&user=$script,3p

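As an added example (not code from the issue or from the blocklist project), the following Python matcher translates the four uBO-style patterns proposed above into regexes and checks the page/request pairs quoted in the comment against them, honouring the `script` and `3p` options. The pattern-to-regex conversion and the registrable-domain check are deliberate simplifications of what uBlock Origin actually does, and the constructed first-party and non-script cases show where the `3p` and `script` options keep the rules from over-blocking.

```python
import re
from urllib.parse import urlsplit

# The four patterns proposed above, in uBO static-filter syntax:
# '*' is a wildcard, '$' separates the options ('script' = resource type,
# '3p' = only third-party requests). Everything else matches literally.
FILTERS = [
    ".click/*?s=*&g=*&q=$script,3p",
    ".click/?h=*&user=$script,3p",
    ".one/?h=*&user=$script,3p",
    ".cfd/?h=*&user=$script,3p",
]

def filter_to_regex(flt):
    """Translate one unanchored uBO pattern into (compiled regex, option set).
    Simplification: ignores '^' and '|' anchors, which these filters do not use."""
    pattern, _, opts = flt.partition("$")
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body), set(opts.split(",")) if opts else set()

COMPILED = [filter_to_regex(f) for f in FILTERS]

def registrable_domain(host):
    """Assumption: the last two labels stand in for the eTLD+1 (good enough for
    the .click/.one/.cfd hosts in this thread, not for ccTLDs like .co.uk)."""
    return ".".join(host.lower().split(".")[-2:])

def matches(url, page_url, resource_type="script"):
    """Return the first filter that would block `url` when loaded from
    `page_url`, or None (wrong path shape, first-party, or not a script)."""
    req_host = urlsplit(url).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    third_party = registrable_domain(req_host) != registrable_domain(page_host)
    for flt, (rx, opts) in zip(FILTERS, COMPILED):
        if not rx.search(url):
            continue
        if "3p" in opts and not third_party:
            continue
        if "script" in opts and resource_type != "script":
            continue
        return flt
    return None

if __name__ == "__main__":
    # Page -> request pair quoted in the comment above.
    page = "https://crackedhere.com/protonvpn-cracked/"
    req = "https://4rf5tgfdfy.click/?h=c74d97b01eae257e44aa9d5bade97baf&user=16"
    print(req, "->", matches(req, page))
```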
@Yuki2718

I guess safe, can't imagine legitimate services to use these peculiar TLDs.

JobcenterTycoon added a commit to uBlockOrigin/uAssets that referenced this issue Feb 22, 2023
@spirillen
Contributor

surwhytjwbn.click = dead

Test reports for the following records can be found at My Privacy DNS:


@JobcenterTycoon
Author

Ok, I see the project is dead.

JobcenterTycoon closed this as not planned on Nov 22, 2023