Cybercriminals Launch a Typosquatting Campaign Impersonating Cybercrime Researcher Brian Krebs to Drop Malware - An Analysis | WhoisXML API

White Papers

Cybercriminals Launch a Typosquatting Campaign Impersonating Cybercrime Researcher Brian Krebs to Drop Malware

We recently became aware of an active malware campaign serving a RAT (Remote Access Trojan) whose C&C (command-and-control) infrastructure uses two server domains that impersonate security journalist Brian Krebs and his site, krebsonsecurity.com. We therefore took a closer look at the campaign's domain, IP and network infrastructure in order to provide actionable intelligence that helps security researchers and OSINT analysts stay on top of this type of threat.

Sample screenshot of the botnet’s C&C infrastructure that is using a typosquatted domain impersonating Brian Krebs - 1

Sample screenshot of the botnet’s C&C infrastructure that is using a typosquatted domain impersonating Brian Krebs - 2

Sample screenshot of the botnet’s C&C infrastructure that is using a typosquatted domain impersonating Brian Krebs - 3

Sample screenshot of the botnet’s C&C infrastructure that is using a typosquatted domain impersonating Brian Krebs - 4

Sample botnet C&C server domains known to have been involved in the campaign (defanged):

  • hxxp://brian.krebsonsecurity[.]top
  • hxxp://brian-krebs-erectile-dysfunction[.]com

Sample SHA-256 hashes of malicious files known to have been involved in the campaign (the 64-character digests below are SHA-256, not MD5):

  • 9e840be4b4ab358bc3405e2c688f3ab1a9d286bd4fb9edb4468dc688962b4893
  • f556c9b4e5bb463be84dead45a9aedcf8bec41c1c2b503ea52719357943750e7
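The two C&C domains above abuse the brand in different ways: brian.krebsonsecurity[.]top keeps the real second-level label under a different TLD and adds an attacker-controlled subdomain, while brian-krebs-erectile-dysfunction[.]com merely embeds the name. The script below is an added example written for this article (it is not WhoisXML API's code) that refangs IOCs, classifies hostnames against the legitimate domain, identifies a hex digest by its length, and runs the checks over a constructed DNS query log. The legitimate domain, the brand tokens and the sample log lines are assumptions made for the demo; the impersonation domains and the file hashes are the IOCs reported above.

```python
"""Triage look-alike domains and file hashes from an IOC list.

Added example for this article, not WhoisXML API's code. The legitimate
domain, the brand tokens and the DNS query log below are constructed
assumptions for the demo; the two impersonation domains and the two file
hashes are the IOCs reported in the article.
"""
import re

LEGIT_DOMAIN = "krebsonsecurity.com"          # assumed: the real site being impersonated
BRAND_TOKENS = ("krebsonsecurity", "krebs")   # assumed brand tokens to look for in names

# Constructed sample DNS query log: "<timestamp> <client> <qname>" per line.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.krebsonsecurity.com
2024-01-01T10:00:02Z 10.0.0.7 brian.krebsonsecurity.top
2024-01-01T10:00:03Z 10.0.0.9 brian-krebs-erectile-dysfunction.com
2024-01-01T10:00:04Z 10.0.0.5 krebsonsecurty.com
2024-01-01T10:00:05Z 10.0.0.3 example.org
"""

HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(ioc: str) -> str:
    """Undo IOC-list defanging (hxxp:// -> http://, [.] -> .) and drop any scheme/path."""
    s = ioc.strip().replace("hxxps://", "https://").replace("hxxp://", "http://")
    s = s.replace("[.]", ".")
    if "://" in s:
        s = s.split("://", 1)[1]
    return s.split("/", 1)[0].lower()


def hash_type(digest: str) -> str:
    """Identify a hex digest by its length; raise ValueError for anything else."""
    d = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", d) or len(d) not in HEX_DIGEST_LENGTHS:
        raise ValueError(f"not a recognised hex digest: {digest!r}")
    return HEX_DIGEST_LENGTHS[len(d)]


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Assumption: no multi-label public suffix (co.uk)."""
    return ".".join(hostname.lower().strip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typos of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str) -> str:
    """Classify a hostname relative to LEGIT_DOMAIN.

    Order matters: an exact registrable-domain match is legitimate; the same
    second-level label under another TLD is a TLD swap (brian.krebsonsecurity.top,
    where 'brian' is a subdomain the attacker controls); a near-miss spelling is a
    typo; a name that merely embeds a brand token is brand-in-name
    (brian-krebs-erectile-dysfunction.com); anything else is unrelated.
    """
    reg = registrable_domain(refang(hostname))
    if "." not in reg:
        return "unrelated"
    sld, _tld = reg.split(".", 1)
    legit_sld, _ = LEGIT_DOMAIN.split(".", 1)
    if reg == LEGIT_DOMAIN:
        return "legitimate"
    if sld == legit_sld:
        return "tld-swap"
    if levenshtein(sld, legit_sld) <= 2:
        return "typo"
    if any(tok in sld.replace("-", "") for tok in BRAND_TOKENS):
        return "brand-in-name"
    return "unrelated"


def scan_log(log_text: str) -> list:
    """Return (qname, verdict) for every query that is neither legitimate nor unrelated."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[-1]
        verdict = classify(qname)
        if verdict not in ("legitimate", "unrelated"):
            hits.append((qname, verdict))
    return hits


if __name__ == "__main__":
    for name, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:14s} {name}")
    for h in ("9e840be4b4ab358bc3405e2c688f3ab1a9d286bd4fb9edb4468dc688962b4893",
              "f556c9b4e5bb463be84dead45a9aedcf8bec41c1c2b503ea52719357943750e7"):
        print(hash_type(h), h)
```

The two-label registrable-domain assumption is the main caveat for production use: names under multi-label public suffixes (co.uk, com.au) need a public-suffix list, and the brand-token check should be tuned per brand to avoid flagging unrelated names that happen to contain a short token.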

We’ll continue monitoring the campaign using WhoisXML API’s domain and IP reputation monitoring system and will post updates as new developments arise.
