GALLIUM APT Group and Other Threat Actors in DisguiseDownload PDF
Threat actors were observed taking advantage of legitimate services by creating subdomains and using them as command-and-control (C&C) domains1 and phishing site hosts2.
WhoisXML API researchers explored the subdomains of the services used in two different cyber attacks, yielding interesting findings. Below are a few key ones.
- We found 14,000+ subdomains belonging to four root domains used by threat actors, namely publicvm[.]com, glitch[.]me, famous[.]co, and amaze[.]co.
- About 63% of these subdomains were new glitch[.]me subdomains added on 1–20 June 2022.
- We discovered that 3% of the total sample has been flagged as malicious by various malware engines.
- Common text strings used in the malicious subdomains include those that invoke authority, such as “cpanel,” “cpcontacts,” “webdisk,” and “cpcalendars.”
- We found several subdomains hosting questionable content, such as login and look-alike pages.
Download a sample of the threat research materials now, or contact us to access the complete set of research materials.
-  https://unit42.paloaltonetworks.com/pingpull-gallium/#Indicators-of-Compromise
-  https://cybernews.com/news/facebook-login-scam-nets-fraudster-59-million/