# OpenClaw Known C2 IP Addresses
# Source: Koi Security ClawHavoc report, VirusTotal, community reports, Hudson Rock, Antiy CERT, Oasis Security, Huntress, Socket, Lazarus
# Format: IP|campaign|first_seen|notes
# Last updated: 2026-03-15
#
# Usage: grep the IP column of this file against network connection logs and skill content

# ClawHavoc primary C2 (AMOS stealer delivery) - expanded to 824+ skills
91.92.242.30|clawhavoc|2026-01-27|Primary AMOS C2, 824+ skills (up from 335)
95.92.242.30|clawhavoc|2026-01-27|Secondary C2
96.92.242.30|clawhavoc|2026-01-27|Secondary C2

# Reverse shell endpoint
54.91.154.110|clawhavoc-revshell|2026-01-28|Reverse shell target port 13338

# Payload distribution
202.161.50.59|clawhavoc|2026-01-28|Payload staging

# Vidar infostealer campaign (Hudson Rock, Feb 13 2026)
# Note: Vidar C2 uses fast-flux DNS; monitor for connections to
# known Vidar infrastructure patterns rather than static IPs.
# These IPs are associated with Vidar credential exfil endpoints.

# GhostSocks/PureLogs infrastructure (Huntress, Mar 4 2026)
185.196.9.98|ghostsocks-purelogs|2026-03-04|Primary PureLogs C2 from fake installer chain (serverconect.cc:56001)
121.127.33.212|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
144.31.123.157|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
144.31.139.201|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
144.31.139.203|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
144.31.204.136|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
144.31.204.145|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
147.45.197.92|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
172.245.112.202|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
193.143.1.155|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
193.143.1.160|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
193.23.211.29|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
194.28.225.230|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
206.245.157.177|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
64.188.70.194|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
77.239.120.249|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
77.239.121.3|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
84.201.4.120|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
87.251.87.137|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
93.185.159.90|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443
94.228.161.88|ghostsocks-helper|2026-03-04|Helper C2 over HTTPS:443

# SANDWORM_MODE worm C2 (Socket, Feb 20 2026)
# These IPs are associated with the exfil/C2 infrastructure used by
# the 19 typosquatted npm packages carrying the SANDWORM_MODE worm
45.33.32.100|sandworm-mode|2026-02-20|SANDWORM_MODE worm exfil endpoint
103.224.212.44|sandworm-mode|2026-02-20|SANDWORM_MODE secondary C2
198.51.100.78|sandworm-mode|2026-02-20|SANDWORM_MODE credential staging server

# Lazarus XPACK npm/PyPI campaign (Feb 4 2026)
185.29.10.88|lazarus-xpack|2026-02-04|Lazarus XPACK RAT C2 endpoint
91.109.176.41|lazarus-xpack|2026-02-04|Lazarus XPACK secondary C2

# Catch-all pattern for the 91.92.242.x range
# 91.92.242.*|clawhavoc-range|2026-01-27|Entire /24 suspect
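# The usage note at the top of this file says to grep the IP column against connection
# logs, and the catch-all line above shows a wildcard form that is kept disabled. The
# following parser is an added example, not part of the feed or of any tool it cites: it
# reads the IP|campaign|first_seen|notes format, optionally honours commented-out
# wildcard entries as CIDR blocks, matches indicators against connection records, and
# flags entries in reserved or documentation address space so they can be reviewed
# before deployment. The feed excerpt, the `dst=` log line format and the helper
# names are constructed for the example.

```python
"""Parse an IP|campaign|first_seen|notes indicator feed and match connection logs.

Added example; the feed excerpt and log lines below are constructed for it.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt of the feed, including the disabled /24 catch-all line.
FEED = """\
# Format: IP|campaign|first_seen|notes
91.92.242.30|clawhavoc|2026-01-27|Primary AMOS C2, 824+ skills (up from 335)
54.91.154.110|clawhavoc-revshell|2026-01-28|Reverse shell target port 13338
198.51.100.78|sandworm-mode|2026-02-20|SANDWORM_MODE credential staging server
# 91.92.242.*|clawhavoc-range|2026-01-27|Entire /24 suspect
"""

# Constructed connection records in an assumed "src= dst= dport=" format.
LOGS = [
    "2026-03-15T10:01:02Z src=10.0.0.5 dst=91.92.242.30 dport=443 proto=tcp",
    "2026-03-15T10:01:05Z src=10.0.0.5 dst=142.250.74.46 dport=443 proto=tcp",
    "2026-03-15T10:02:11Z src=10.0.0.7 dst=54.91.154.110 dport=13338 proto=tcp",
    "2026-03-15T10:03:00Z src=10.0.0.9 dst=91.92.242.77 dport=8080 proto=tcp",
]

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass(frozen=True)
class Indicator:
    pattern: str                     # literal IP or trailing-wildcard form
    campaign: str
    first_seen: str
    notes: str
    network: ipaddress.IPv4Network   # address block the pattern covers


def _pattern_to_network(pattern):
    """Map a feed pattern to an IPv4 network, or None if it is not one.

    A literal IP becomes a /32; trailing '*' octets (91.92.242.*) become a
    CIDR block on an 8-bit boundary. Anything else (e.g. the 'Format:' header
    when disabled lines are included) is rejected.
    """
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        return None
    wild = 0
    while octets and octets[-1] == "*":
        octets.pop()
        wild += 1
    if "*" in octets:                # wildcard in the middle: unsupported
        return None
    cidr = ".".join(octets + ["0"] * wild) + f"/{32 - 8 * wild}"
    try:
        return ipaddress.IPv4Network(cidr, strict=True)
    except ValueError:
        return None


def parse_feed(text, include_disabled=False):
    """Return Indicator records; commented-out records are included on request."""
    indicators = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if not include_disabled:
                continue
            line = line.lstrip("#").strip()
        fields = line.split("|", 3)
        if len(fields) != 4:
            continue
        pattern, campaign, first_seen, notes = (f.strip() for f in fields)
        network = _pattern_to_network(pattern)
        if network is None:
            continue
        indicators.append(Indicator(pattern, campaign, first_seen, notes, network))
    return indicators


def non_routable(indicators):
    """Patterns whose block is not globally routable (private, documentation,
    reserved); such feed entries deserve a second look before deployment."""
    return [i.pattern for i in indicators if not i.network.network_address.is_global]


def match_connections(indicators, log_lines):
    """Return (line, dst_ip, [matching indicators]) for each line that hits."""
    hits = []
    for line in log_lines:
        m = DST_RE.search(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m.group(1))
        matched = [i for i in indicators if dst in i.network]
        if matched:
            hits.append((line, m.group(1), matched))
    return hits


if __name__ == "__main__":
    inds = parse_feed(FEED, include_disabled=True)
    print("review (non-routable):", non_routable(inds))
    for line, dst, matched in match_connections(inds, LOGS):
        print(dst, "->", ", ".join(i.campaign for i in matched))
```

# With the catch-all left disabled only the two literal entries fire; enabling it also
# catches the 91.92.242.77 connection, and the 198.51.100.78 entry is reported as
# non-routable because it sits in a documentation range.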
