GALLIUM APT Group and Other Threat Actors Hide Behind Legitimate Sites | WhoisXML API

Threat reports

GALLIUM APT Group and Other Threat Actors in Disguise

Threat actors were observed taking advantage of legitimate services by creating subdomains and using them as command-and-control (C&C) domains1 and phishing site hosts2.

WhoisXML API researchers explored the subdomains of the services used in two different cyber attacks, yielding interesting findings. Below are a few key ones.

  • We found 14,000+ subdomains belonging to four root domains used by threat actors, namely publicvm[.]com, glitch[.]me, famous[.]co, and amaze[.]co.
  • About 63% of these subdomains were new glitch[.]me subdomains added on 1–20 June 2022.
  • We discovered that 3% of the total sample has been flagged as malicious by various malware engines.
  • Common text strings used in the malicious subdomains include those that invoke authority, such as “cpanel,” “cpcontacts,” “webdisk,” and “cpcalendars.”
  • We found several subdomains hosting questionable content, such as login and look-alike pages.

Download a sample of the threat research materials now, or contact us to access the complete set of research materials.

---

  • [1] https://unit42.paloaltonetworks.com/pingpull-gallium/#Indicators-of-Compromise 
  • [2] https://cybernews.com/news/facebook-login-scam-nets-fraudster-59-million/
Try our WhoisXML API for free
Get started