GALLIUM APT Group and Other Threat Actors Hide Behind Legitimate Sites | WhoisXML API


GALLIUM APT Group and Other Threat Actors in Disguise


Threat actors have been observed abusing legitimate hosting and application platforms by creating subdomains under them and using those subdomains as command-and-control (C&C) domains [1] and as hosts for phishing pages [2]. Because the root domain belongs to a reputable service, such hosts inherit its reputation and are less likely to be blocked outright.

WhoisXML API researchers enumerated the subdomains of the services abused in two separate attacks and analyzed them for age, reputation and naming patterns. Below are a few key findings.

  • We found 14,000+ subdomains under the four root domains the threat actors used, namely publicvm[.]com, glitch[.]me, famous[.]co, and amaze[.]co.
  • About 63% of these subdomains were new glitch[.]me subdomains first seen between 1 and 20 June 2022.
  • About 3% of the total sample had already been flagged as malicious by various malware engines.
  • Common text strings in the malicious subdomains are labels that make a host look like an official service, notably “cpanel,” “cpcontacts,” “webdisk,” and “cpcalendars,” which are the service hostnames cPanel provisions by default for a hosted site.
  • We found several subdomains hosting questionable content, such as login pages and look-alike pages impersonating well-known brands.
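The triage the findings above describe (group enumerated subdomains by root domain, measure how many are new in a window, count reputation flags, and single out hosts whose labels mimic cPanel services or login pages) can be scripted. The block below is an added example, not code from the report or from WhoisXML API; the subdomain records, the first-seen dates, the flag counts and the look-alike token list are all constructed for illustration, and a real run would feed it records pulled from a subdomain lookup feed instead.

```python
from collections import Counter
from datetime import date

# Root domains named in the report; every hostname under them sits on a legitimate service.
ROOT_DOMAINS = {"publicvm.com", "glitch.me", "famous.co", "amaze.co"}

# Service hostnames cPanel provisions by default for every hosted account.
CPANEL_LABELS = {"cpanel", "cpcontacts", "cpcalendars", "webdisk", "webmail", "whm"}

# Tokens that suggest a login or brand look-alike page. Constructed for this example,
# not a list taken from the report.
LOOKALIKE_TOKENS = ("login", "signin", "secure", "verify", "account", "facebook", "paypal")

# Constructed subdomain records: (fqdn, first-seen date, number of engines flagging it).
# The hostnames are invented; they only illustrate the record shape.
SAMPLE_RECORDS = [
    ("cpanel.shop-secure.glitch.me",   "2022-06-03", 2),
    ("my-app.glitch.me",               "2022-05-20", 0),
    ("webdisk.acme-corp.publicvm.com", "2022-06-10", 0),
    ("facebook-login.famous.co",       "2022-06-15", 3),
    ("portfolio.amaze.co",             "2022-04-01", 0),
    ("blog.example.org",               "2022-06-05", 0),  # not under a tracked root
    ("cpcalendars.site.glitch.me",     "2022-06-18", 0),
    ("data.glitch.me",                 "2022-06-25", 0),  # outside the report window
]

def split_root(fqdn):
    """Return (host_part, root) if fqdn is a proper subdomain of a tracked root, else None."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Walk suffixes from the longest; require at least one label left of the root.
    for i in range(1, len(labels)):
        root = ".".join(labels[i:])
        if root in ROOT_DOMAINS:
            return ".".join(labels[:i]), root
    return None

def triage(records, window_start, window_end):
    """Summarise per-root counts and list hosts worth a manual look."""
    stats = {"total": 0, "per_root": Counter(), "new_in_window": Counter(), "flagged": 0}
    suspicious = []
    for fqdn, first_seen, flagged_by in records:
        parts = split_root(fqdn)
        if parts is None:
            continue  # hostname is not under one of the abused services
        host_part, root = parts
        stats["total"] += 1
        stats["per_root"][root] += 1
        if window_start <= date.fromisoformat(first_seen) <= window_end:
            stats["new_in_window"][root] += 1
        if flagged_by > 0:
            stats["flagged"] += 1

        host_labels = set(host_part.split("."))
        reasons = []
        if host_labels & CPANEL_LABELS:
            reasons.append("cpanel-service-label")
        if any(tok in label for label in host_labels for tok in LOOKALIKE_TOKENS):
            reasons.append("lookalike-token")
        if flagged_by > 0:
            reasons.append(f"flagged-by:{flagged_by}")
        if reasons:
            suspicious.append((fqdn, reasons))
    return stats, suspicious

def share_new_in_window(stats, root):
    """Percentage of the whole sample that is a new subdomain of `root` within the window."""
    if stats["total"] == 0:
        return 0.0
    return round(100.0 * stats["new_in_window"][root] / stats["total"], 1)

def triage_sample():
    """Run the triage over the constructed records for the report's 1-20 June 2022 window."""
    return triage(SAMPLE_RECORDS, date(2022, 6, 1), date(2022, 6, 20))

if __name__ == "__main__":
    stats, suspicious = triage_sample()
    print(f"{stats['total']} subdomains under tracked roots, {stats['flagged']} flagged")
    for root, n in stats["per_root"].most_common():
        print(f"  {root}: {n} total, {stats['new_in_window'][root]} new in window "
              f"({share_new_in_window(stats, root)}% of sample)")
    for fqdn, reasons in suspicious:
        print(f"  review: {fqdn} [{', '.join(reasons)}]")
```

One caveat when reading the output: a cPanel service label on its own is weak evidence, because cPanel creates those hostnames for every account it hosts, benign or not. Treat the label as a reason to prioritise a host for review and weigh it together with the reputation flags and look-alike tokens, rather than blocking on the label alone.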

Download a sample of the threat research materials now, or contact us to access the complete set of research materials.

---

  • [1] https://unit42.paloaltonetworks.com/pingpull-gallium/#Indicators-of-Compromise
  • [2] https://cybernews.com/news/facebook-login-scam-nets-fraudster-59-million/