Peering into Midnight Blizzard’s DNS Footprint
WhoisXML API found 160 artifacts that could be connected to Midnight Blizzard. Download the threat research materials now.
Continue reading Download reportGALLIUM APT Group and Other Threat Actors in Disguise
Threat actors were observed taking advantage of legitimate services by creating subdomains and using them as command-and-control (C&C) domains1 and phishing site hosts2.
WhoisXML API researchers explored the subdomains of the services used in two different cyber attacks, yielding interesting findings. Below are a few key ones.
- We found 14,000+ subdomains belonging to four root domains used by threat actors, namely publicvm[.]com, glitch[.]me, famous[.]co, and amaze[.]co.
- About 63% of these subdomains were new glitch[.]me subdomains added on 1–20 June 2022.
- We discovered that 3% of the total sample has been flagged as malicious by various malware engines.
- Common text strings used in the malicious subdomains include those that invoke authority, such as “cpanel,” “cpcontacts,” “webdisk,” and “cpcalendars.”
- We found several subdomains hosting questionable content, such as login and look-alike pages.
Download a sample of the threat research materials now, or contact us to access the complete set of research materials.
---
- [1] https://unit42.paloaltonetworks.com/pingpull-gallium/#Indicators-of-Compromise
- [2] https://cybernews.com/news/facebook-login-scam-nets-fraudster-59-million/