Uncovering Other DarkTortilla Threat Vectors | WhoisXML API


Uncovering Other DarkTortilla Threat Vectors

Cyble Research and Intelligence Labs (CRIL) recently performed an in-depth technical analysis of DarkTortilla, which they dubbed a “sophisticated phishing malware.”[1]

WhoisXML API researchers used the indicators of compromise (IoCs) CRIL identified as jump-off points for an expansion analysis that led to the discovery of:

  • Two IP addresses the domains resolved to
  • 300+ domains that shared the IoCs’ IP hosts, two of which were found malicious
  • 11,300+ domains that contained the strings Cisco, Grammarly, or Atomm and could be used for other malicious campaigns; only 4% of these domains seemingly belonged to the legitimate companies and 23 were found malicious
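The three expansion steps listed above (resolve the seed IoCs, pivot on shared IP hosts, then sweep for brand strings), as an added offline model that is not part of the report or of WhoisXML API's tooling. Every domain, IP address and allowlist entry below is constructed sample data, not one of the report's IoCs.

```python
"""Added example: an offline model of the IoC expansion steps described above.
All domains, IPs and the passive-DNS table are constructed placeholders."""
from collections import defaultdict

# Constructed passive-DNS style records: domain -> IP it resolved to.
SAMPLE_RESOLUTIONS = {
    "seed-ioc-1.example": "198.51.100.10",
    "seed-ioc-2.example": "198.51.100.20",
    "cisco-support-login.example": "198.51.100.10",
    "grammarly-update.example": "198.51.100.20",
    "atomm-download.example": "198.51.100.10",
    "unrelated-shop.example": "203.0.113.5",
    "cisco.com": "203.0.113.7",
    "www.grammarly.com": "203.0.113.8",
}
BRAND_STRINGS = ("cisco", "grammarly", "atomm")
# Constructed allowlist standing in for the brands' legitimate domains.
LEGIT_DOMAINS = {"cisco.com", "grammarly.com"}


def resolve_seeds(seeds, resolutions):
    """Step 1: the set of IP addresses the seed IoC domains resolve to."""
    return {resolutions[d] for d in seeds if d in resolutions}


def cohosted_domains(seeds, resolutions):
    """Step 2: every other domain sharing an IP host with the seeds."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions.items():
        by_ip[ip].add(domain)
    found = set()
    for ip in resolve_seeds(seeds, resolutions):
        found |= by_ip[ip]
    return found - set(seeds)


def is_legitimate(domain, allow):
    """True if the domain is an allowlisted brand domain or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allow)


def brand_lookalikes(domains, brands=BRAND_STRINGS, allow=LEGIT_DOMAINS):
    """Step 3: domains containing a brand string, minus the legitimate ones,
    which are the candidates to review or block rather than the brand itself."""
    return sorted(
        d for d in domains
        if not is_legitimate(d.lower(), allow)
        and any(b in d.lower() for b in brands)
    )
```

The brand sweep deliberately drops only exact allowlisted domains and their subdomains, so a string such as "cisco-support-login" stays on the review list even though it contains the brand name.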

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://blog.cyble.com/2022/12/16/sophisticated-darktortilla-malware-spreading-via-phishing-sites/
  • [2] https://otx.alienvault.com/pulse/639c5f43c86da728cef904db