Early Discovery and Prediction of Meduza Stealer IoCs with First Watch | WhoisXML API

Meduza Stealer, a stealer-class malware capable of exfiltrating a wide variety of data from an infected device and also able to infect servers, was first discovered in June 2023 by the Uptycs research team. It has gained traction since then, with multiple versions released by its developer, who remains quite active on darknet forums and Telegram. It has since been analyzed by research teams from Splunk, Broadcom, and other organizations.

Meduza Stealer is distributed by its creators on a subscription model, so various threat actors run multiple campaigns that use Meduza Stealer as a payload.

On July 23, 2024, Fortinet published a research article about a campaign that exploited CVE-2024-21412, a vulnerability in Microsoft Windows SmartScreen, to deliver Meduza Stealer. Fortinet identified 31 indicators of compromise (IoCs), including 13 hostnames.

The WhoisXML API research team hypothesized that the infrastructure used in this campaign might be broader than reported. To test this, we selected a handful of those IoCs and used our First Watch Malicious Domains Data Feed to look for additional domain names operated by the same threat actor.

First Watch relies on information about newly registered domains together with DNS data; a proprietary deep learning neural network then predicts potentially malicious domains at the point of registration.

1. About the IoCs

We studied 9 IoCs from Fortinet's article, picked because of their similarity to one another.

Here is the selection:

pcvcf[.]xyz
pcvvf[.]xyz
pdddk[.]xyz
pdddj[.]xyz
pddbj[.]xyz
pbpbj[.]xyz
pbdbj[.]xyz
ptdrf[.]xyz
pqdrf[.]xyz

Figure 1 - IoCs reported by Fortinet

First, we checked whether these IoCs had been identified by our neural engine and were already present in the First Watch data feed.

2. First Watch Detection Timeline

All 9 domain IoCs turned out to have been added to WhoisXML API’s First Watch Malicious Domains Data Feed on June 10, 2024, a full 43 days before Fortinet's research was published.

Figure 2 - First Watch feed sample with Meduza Stealer IoCs and similar-looking domains selected.

3. Looking for Unreported Similar Artifacts

The studied IoCs share several similarities: they all use the [.]xyz gTLD and all start with the letter “p”. All appear to be algorithmically generated domain names. Upon further investigation, we discovered that the similarities don’t end there: all of these domains were registered with the same registrar, GoDaddy, and have the same WHOIS server.

Moreover, all of them were registered at almost the same time, 15:24 on June 7, 2024, with mere seconds separating their registration timestamps in the WHOIS data.

Using these patterns, we looked for more similar domains. In addition to those listed above, the First Watch Malicious Domains Data Feed also identified the following 5 domains:

psdrf[.]xyz
ptdseg[.]xyz
pumrf[.]xyz
puoqf[.]xyz
padrf[.]xyz

All of them share the same registrar and the same registration date and time, 15:24 on the same day. They also match the letter pattern of the other 9 domains, indicating that they were very probably created with the same algorithm. These correlations make it highly likely that they all belong to the same threat actor behind the Meduza Stealer campaign described by Fortinet and are, or were, used for the same purpose.
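As an added example (not WhoisXML API's code or the First Watch engine itself), the following Python encodes the pivot described above: it derives the attributes that the seed IoCs share and filters a feed of candidate records by them. The Record format, the registrar string, the WHOIS server and the second offsets are constructed assumptions; only the domain names and the 15:24, June 7, 2024 registration time come from the page.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Record:            # one WHOIS-style record; domain may be defanged with "[.]"
    domain: str
    registrar: str
    whois_server: str
    created: datetime

def refang(domain: str) -> str:
    """pcvcf[.]xyz -> pcvcf.xyz"""
    return domain.replace("[.]", ".").lower()

def seed_profile(seeds):
    """Attributes every seed shares, plus their registration window; raises on disagreement."""
    names = [refang(s.domain) for s in seeds]
    shared = {"first": {n[0] for n in names}, "tld": {n.rsplit(".", 1)[1] for n in names},
              "registrar": {s.registrar for s in seeds},
              "whois_server": {s.whois_server for s in seeds}}
    for key, values in shared.items():
        if len(values) != 1:
            raise ValueError(f"seeds do not share one {key}: {sorted(values)}")
    created = [s.created for s in seeds]
    return {k: v.pop() for k, v in shared.items()} | {"start": min(created), "end": max(created)}

def pivot(seeds, feed, slack=timedelta(seconds=60)):
    """Feed domains fitting the seed profile and registered within the seeds' window
    (padded by `slack`), minus the seeds. Label length is deliberately left open:
    the page's look-alikes include a six-letter label (ptdseg)."""
    p = seed_profile(seeds)
    pattern = re.compile(rf"^{re.escape(p['first'])}[a-z]+\.{re.escape(p['tld'])}$")
    known = {refang(s.domain) for s in seeds}
    named = ((refang(r.domain), r) for r in feed)
    return sorted({n for n, r in named
                   if n not in known and pattern.match(n)
                   and (r.registrar, r.whois_server) == (p["registrar"], p["whois_server"])
                   and p["start"] - slack <= r.created <= p["end"] + slack})

# Constructed sample data: 15:24 on June 7, 2024 is from the page; the second
# offsets, registrar string and WHOIS server are illustrative, not observed values.
T0 = datetime(2024, 6, 7, 15, 24, tzinfo=timezone.utc)
def rec(domain, secs, registrar="GoDaddy", server="whois.godaddy.com"):
    return Record(domain, registrar, server, T0 + timedelta(seconds=secs))
SEEDS = [rec("pcvcf[.]xyz", 3), rec("pdddk[.]xyz", 11), rec("ptdrf[.]xyz", 40)]
FEED = [rec("psdrf[.]xyz", 20), rec("ptdseg[.]xyz", 35), rec("pumrf[.]xyz", 48),
        # decoys, each failing one check: seed itself, 2 h later, first letter, TLD, registrar
        rec("pcvcf[.]xyz", 3), rec("pzzzf[.]xyz", 7200), rec("qsdrf[.]xyz", 22),
        rec("psdrf[.]com", 25), rec("pabcf[.]xyz", 30, registrar="OtherRegistrar")]
```

`pivot(SEEDS, FEED)` returns the three look-alikes and rejects every decoy; tightening `slack` to zero would also drop any candidate registered outside the seeds' own span of seconds, which is the trade-off to tune against a real feed.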

4. Checking the Maliciousness of Unreported Artifacts

First Watch picks up domains that are likely to become malicious. That does not mean they have already been weaponized, but they are likely to be at some point, so they should be treated with caution. To test this, we used VirusTotal to check whether any cybersecurity vendors actually consider these domains malicious.

As of January 20, 2025, only three of the five domains listed above had been identified as malicious by at least one vendor on VirusTotal; the other two were marked only as suspicious, and only by one or two vendors.

Figure 3 - Example: results of the analysis of puoqf[.]xyz with VirusTotal, indicating that only one vendor considers it to be suspicious, but not malicious.
Figure 4 - Example: results of the analysis of psdrf[.]xyz with VirusTotal, indicating that some vendors identify it as malicious, while some others consider it to be suspicious.

5. Conclusion

In this article, we have shown how the First Watch Malicious Domains Data Feed can identify potentially malicious infrastructure before it is added to traditional threat intelligence feeds or other security solutions.

Starting from the IoCs of the Meduza Stealer campaign described by Fortinet, First Watch identified five more similar IoCs that clearly appear to belong to the same threat actor. Of the five, three were identified as malicious by other security vendors, while the other two were not flagged as malicious by anyone, yet the likelihood that they are or have been weaponized is extremely high.

You can download a sample of the First Watch data feed here. We also recommend exploring our entire suite of predictive threat intelligence products that can help block potentially malicious or phishing domains before they get weaponized.
