WhoisXML API threat researcher Dancho Danchev recently discovered a phishing operation seemingly amassing .top domains for its malicious cause. So far he has collated 89 email addresses, which he treats as indicators of compromise (IoCs).
To uncover as many potentially connected artifacts as possible, the WhoisXML API research team scoured the DNS for domains and IP addresses the threat actors could weaponize in future attacks, if they haven't already, and found:
- 4,284 domains that were registered using the email addresses identified as IoCs
- 71 IP addresses that played host to the email-connected domains, two of which turned out to be malicious based on malware checks
- 890 domains hosted on the same IP addresses as the email-connected domains
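The three-step expansion listed above (reverse WHOIS on the IoC email addresses, resolving the resulting domains, then reverse IP on the hosting addresses), as an added Python example that is not WhoisXML API's own code. The emails, domains, IPs and malware verdicts are constructed placeholders, and the `max_cohosted` threshold is an assumption used to keep shared hosting IPs from pulling unrelated domains into the result.

```python
from collections import defaultdict

# Constructed sample data: placeholder emails, domains and IPs, not real IoCs.
SEED_EMAILS = {"reg1@example.invalid", "reg2@example.invalid"}
WHOIS = {  # domain -> registrant email (reverse-WHOIS source)
    "alpha.top": "reg1@example.invalid",
    "beta.top": "reg1@example.invalid",
    "gamma.top": "reg2@example.invalid",
    "benign.example": "other@example.invalid",
}
A_RECORDS = {  # domain -> IPs it resolved to (passive-DNS source)
    "alpha.top": {"203.0.113.10"},
    "beta.top": {"203.0.113.10", "198.51.100.5"},
    "gamma.top": {"198.51.100.5"},
    "benign.example": {"192.0.2.1"},
    "cohost1.top": {"203.0.113.10"},
    "cohost2.net": {"198.51.100.5"},
    "shared-a.example": {"198.51.100.5"},
}
MALWARE_VERDICT = {"203.0.113.10"}  # IPs a (constructed) malware check flagged

def reverse_whois(emails, whois=WHOIS):
    """Step 1: domains registered with any of the IoC email addresses."""
    return {d for d, e in whois.items() if e in emails}

def resolve(domains, a_records=A_RECORDS):
    """Step 2: IP addresses that hosted those domains."""
    return set().union(*(a_records.get(d, set()) for d in domains))

def reverse_ip(a_records=A_RECORDS):
    """Index ip -> domains seen resolving to it, for the reverse-IP step."""
    index = defaultdict(set)
    for d, addrs in a_records.items():
        for ip in addrs:
            index[ip].add(d)
    return index

def pivot(seed_emails, max_cohosted=1):
    """Run the full expansion; IPs with more than max_cohosted extra domains are set aside as shared."""
    email_connected = reverse_whois(seed_emails)
    ips = resolve(email_connected)
    index = reverse_ip()
    ip_connected, shared_ips = set(), set()
    for ip in ips:
        others = index[ip] - email_connected
        if len(others) > max_cohosted:
            shared_ips.add(ip)  # likely hosting/CDN; would drag in unrelated domains
        else:
            ip_connected |= others
    return {"email_connected": email_connected, "ips": ips,
            "malicious_ips": ips & MALWARE_VERDICT,
            "ip_connected": ip_connected, "shared_ips": shared_ips}
```

The `shared_ips` bucket is the check a practitioner wants before treating reverse-IP neighbours as connected: a heavily shared address says little about who else is malicious, so those IPs are reported for manual review rather than pivoted on.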
Download a sample of the threat research materials now or contact us to access the complete set of research materials.