Malware Persistence versus Early Detection: AutoIT and Dridex IoC Expansion Analysis

AutoIT-compiled malware¹ and Dridex² may have stood the test of time as far as threat lifespans go, but their resilience doesn’t make them invincible. Our IoC expansion analysis into the latest AutoIT³ and Dridex⁴ attacks just so happened to reveal 1,425 yet-undisclosed artifacts that may be able to help with mitigation, namely:

Sifting for Digital Breadcrumbs Related to the Latest Zoom Attack

Zoom has long been a prime cyber attack target, which isn’t surprising given that the platform accounts for 3.3 trillion meeting minutes each year.¹

Most recently, threat actors laced Zoom downloads with IceID malware designed to steal affected users’ credentials. Cyble researchers publicized three indicators of compromise (IoCs) so far,² we added more than 20,000 artifacts to that. Our IoC list expansion analysis specifically dug up:

Cloud Atlas May Hide Their Tracks but 1,800+ Unpublicized Artifacts Can Help Orgs Tag Them

All advanced persistent threat (APT) groups aim for detection evasion to enable lateral movement. But apart from tools, tactics, and procedures (TTPs) typically employed in targeted attacks, Cloud Atlas trailed its sights on targets in politically charged nations as an additional evasion tactic.

Despite the threat actors’ efforts to hide from investigators, though, Check Point Research (CPR) still managed to identify 10 indicators of compromise (IoCs) that WhoisXML API researchers expanded further to include 1,850 more artifacts.

Our deep dive into Cloud Atlas revealed:

Exposing Chat Apps Exploited for Supply Chain Attacks

The popularity of chat apps surged during the pandemic when companies had to turn to remote work to remain productive despite government-imposed lockdowns. The increased usage hasn’t died down post-pandemic since many organizations opted to make the hybrid work setup permanent.

Amid that backdrop, therefore, it’s not surprising for threat actors to trail their sights on vulnerable business chat apps to instigate destructive supply chain attacks. Trend Micro recently published a technical analysis related to this threat, listing nine command-and-control (C&C) server addresses as indicators of compromise (IoCs).¹

WhoisXML API researchers used the publicized IoCs as jump-off points for an expansion analysis that uncovered:

Uncovering Other DarkTortilla Threat Vectors

Cyble Research and Intelligence Labs (CRIL) recently performed an in-depth technical analysis of DarkTortilla, which they dubbed a “sophisticated phishing malware.”¹

WhoisXML API researchers used the indicators of compromise (IoCs) CRIL identified as jump-off points for an expansion analysis that led to the discovery of:

Supply Chain Security: A Closer Look at the IconBurst and Material Tailwind Attacks

ReversingLabs saw the volume of supply chain software attacks rise to unprecedented heights this year and predicts we’ll see more in 2023.¹ Their report cited two examples of such attacks—IconBurst² and Material Tailwind³—and urged npm and PyPI users to be wary of downloading packages from open-source repositories.

RedLine Stealer: IoC Analysis and Expansion

For US$100, threat actors can use RedLine Stealer to steal sensitive information, including saved credentials, bank details, and system data.

A CloudSEK technical analysis¹ of the threat inspired us to investigate over 900 publicly available RedLine Stealer IoCs. Our key findings include:

Own a Facebook Business? Beware of Ducktail

WithSecurity recently discovered malicious operation Ducktail targeting businesses that maintain Facebook pages and engage in Facebook advertising.¹ Their report identified 1,885 indicators of compromise (IoCs).²

Is Aurora as Stealthy as Its Operators Believe?

New kid on the data-stealing block Aurora is fast becoming a cybercriminal favorite due to its ability to fly under the radar.¹

SEKOIA.IO researchers published 51 indicators of compromise (IoCs) for Aurora so far.² We performed an IoC expansion exercise on the 28 IP addresses and eight domains in search of digital breadcrumbs.

Exposing the New Potential Ways Royal Ransomware Gets Delivered

A threat actor Microsoft dubbed “DEV-0569” found new ways to deploy Royal ransomware.¹ One is right up our alley, as the tactic involved using typosquatting domains.

Why Domain Seizure May Not Stop Money Mule Recruitment Campaigns

U.S. law enforcement agencies recently seized 18 domains believed to be part of money mule recruitment campaigns in a bid to put a stop to ongoing malware attacks. Bleeping Computer researchers published the indicators of compromise (IoCs) on their blog.¹

From Counties to Banks: Tracing the Footprint of Ransomware Attack IoCs

On 11 September 2022, a U.S. country announced that it fell prey to a cyber attack. SecurityScorecard believes the Cryxos trojan may be involved and published an in-depth analysis,¹ which included three IP addresses tagged as indicators of compromise (IoCs).

Watch Out, That Browser Extension Could Be Cloud9 in Disguise

Zimperium zLabs threat researchers recently reported the case of the Cloud9 Chrome Botnet, and rightly so. Using a malicious Chrome extension, the threat actors have stolen personal information stored in affected users’ browsers. Worse, they turned the infected computers into bots for more destructive attacks.¹

Is There More to the New Transparent Tribe TTPs?

Transparent Tribe has been targeting Indian government entities since the start of the year. Believed to be part of the ongoing Pakistan-India conflict, only a few indicators of compromise (IoCs) have been published so far.¹

Nothing Funny or Romantic about These RomCom IoCs and Artifacts

Fake tools abound online, and one of those spreading them is RomCom. He has already been seen spoofing Keepass, Veeame, SolarWinds, Advanced IP Scanner, PDF Reader Pro, and other popular software.¹

Robin Banks May Be Robbing You Blind

Robin Banks, not a who but a what, is a phishing-as-a-service (PhaaS) platform that IronNet researchers discovered in March this year.¹ Many may have thought associated risks were done and over with when Cloudflare shut down pages connected to the threat in July. But that wasn’t the case since Robin Banks reemerged just this month.²

Investment-Related Cybersquatting: Another Way to Lose Money?

With a 98% chance of a global economic recession,¹ financial markets are giving off warning signs—one of which is increasing volatility.

Beware That Software Update, It Could Be Magniber in Disguise

Threat actors have long been using fake software updates to trick users into downloading malware. And the ongoing massive Magniber ransomware campaign is no different.¹

The Business of Cybercrime: Does Malicious Campaign Planning Take as Long as Legitimate Marketing Campaign Planning?

Targeting the potential buyers of the world’s most-awaited gadgets¹ is a cybercrime staple. But what you may not know is that much like legitimate businesses, the more convincing the malicious sites are, the greater their chances of success.

Dormant Colors IoC Expansion: Don’t Install Browser Extensions from These Domains

A malvertising campaign dubbed “Dormant Colors” has had more than 1 million malicious browser extension installs.¹ The threat actors can hijack web searches and inject affiliate links through these extensions.

The Inner Workings of Aleksei Belan’s Criminal Network

Aleksei Belan is part of the Federal Bureau of Investigation (FBI) Most Wanted List. He was charged for several cybercriminal activities connected to a massive Yahoo! database compromise involving at least 500 million user accounts.¹

Rogue Tor Browser: When Search for Anonymity Leads to Exposure Instead

Many users dream of browsing the Web without anyone’s prying eyes—something the Tor browser can help them accomplish.¹ So what happens then when they end up downloading a rogue installer, especially one that spies on them instead?²

Exposing Bulgaria’s Kyulev Data Leak Hacker

A Bulgarian data leaker managed to access and steal the sensitive data of several high-profile targets. To make matters worse, the hacker had been seen offering access to the compromised database.

To assist the cybersecurity community and law enforcement sector, WhoisXML API threat researcher Dancho Danchev analyzed the threat actor’s digital footprints.

Domain Shadowing IoC Expansion Led to Thousands of Possible Connections

Threat actors have been known to hide behind legitimate Internet services¹ to spread malware and lure victims to phishing sites and other malicious campaigns.

Uncovering a Large Footprint of Fake NordVPN Sites

NordVPN isn’t new to being the target of various scammers. Over the years, we’ve seen malicious campaigns that start with luring users to a fake NordVPN site.^{1, 2}

Anyone looking to subscribe to a VPN service could easily land on a fake site and get a malware infection.

Eternity’s LilithBot, Soon Available to Regular Internet Users?

Eternity has been wreaking havoc by making malware-as-a-service (MaaS) offerings available to any interested would-be cyber attacker since January 2022.¹ And at very low prices (US$70–90),² even novice hackers could launch destructive campaigns.

A Closer Look at Active Cyber Jihad Web Properties

Cyber jihad refers to the way extremist terrorists use the Internet to wage war against their enemies.¹ Typical targets include the U.S., Western European countries, and Israel.

Experts say waging war is no longer limited to the physical world but has crossed over to the virtual realm. And 67 domains identified as indicators of compromise (IoCs) to recent cyber jihad attacks prove that.

Behind the Flashpoint Intel Site Compromise

Back in 2019, the Flashpoint Intel site suffered from a zero-day attack that caused visitors with JavaScript enabled on their systems to be redirected to an external website with a malware-laced pop-up.¹

Alleviating BlackEnergy-Enabled DDoS Attacks

BlackEnergy was originally sold as a crimeware toolkit when it first surfaced in 2007. Since then, it has undergone modifications that have made it one of advanced persistent threat (APT) actors’ go-to attack tools. Used in the Ukraine power grid attack in 2015, the malware effectively used a distributed denial-of-service (DDoS) attack to hide their true goal—data stealing.¹ 

Insights into an Active Malicious Spam Domain Portfolio

Age clearly doesn’t matter when it comes to cyber threats, as proven by spam. Malicious spam emails cost businesses as much as US$20.5 billion a year.¹

Probing Networks of Cybercrime-Friendly Forums

Malicious actors may lurk inside online forums to learn and share tactics. Some may even publish the compromised data of their victims on cybercrime-tolerant forums.

Looking into these online platforms may help law enforcement agencies and the cybersecurity community investigate threat actor behaviors and trace their activities.

On the Frontlines of the Syrian Electronic Army’s Digital Arsenal

Possibly one of the first public Internet armies, the Syrian Electronic Army is notorious for stealing user credentials to deface websites. Among their suspected victims are U.S. government websites, media outlets, PayPal, and eBay. Two of its members were indicted in 2018.¹

Selling Stolen Credit Cards Is Still a Thing

Monetary gain is a primary goal for almost any cybercriminal. And one of the ways they go about earning money without investing a dime is by stealing credit card details.¹ In fact, peddling stolen credit card numbers with their corresponding CVVs in underground markets can earn operators millions.²

The Inner Workings of the Russian Business Network

VeriSign dubbed the Russian Business Network (RBN) as “the baddest of the bad”¹ in a report. And the fact that it played host to sites owned by the most notorious spammers, malware operators, phishers, distributed denial-of-service (DDoS) attackers, and other cybercriminals proved that.²

Probing an Active Digital Trail of Iranian Hackers

The cybersecurity community and law enforcement agencies have been tracking the activities of Iran-based hackers for quite some time now.

Shedding Light on the Darkode Forum

The Darkode Forum, which started operating in 2007, was taken down through a global effort in 2015.¹ But the community came back online in 2019.²

Should We Consider the Maze Ransomware Extinct?

The Maze Ransomware Group announced in 2020 that it would shut down its operations after stealing and exposing sensitive data of several high-profile targets. But have they really ceased their operations?

Uncovering the Current Workings of Guccifer 2.0

Guccifer 2.0¹ is the person or group behind the now infamous Democratic National Committee (DNC) hack back in 2016.²

Who Could Be Behind the Latest GitHub-Hosted Malware Infrastructure?

While GitHub has built-in security measures¹ to prevent users from using its infrastructure to host malware code, wily cyber attackers may be looking for ways to bypass them. We’ve seen that happen with a cryptocurrency miner² and several malicious projects.³

What Is Anonymous International Up to Now

Anonymous International is infamous for launching much-publicized hacking attacks against political targets since 2006.¹ And they haven’t stopped to this day.²

URL Shortening Gone Wrong with GCHQ

In 2016, cybersecurity researchers discovered that British spies were using a free URL shortener to try gathering intelligence and influencing online activists during the protests in Iran since 2009.¹

Is the Bakasoftware Operation Still Up and Running?

In 2008, Bakasoftware reportedly made as much as US$5 million a year from scaring victims into downloading and installing their product to get rid of fake malware infections.¹ Many thought the operation had gone out the door yet WhoisXML API threat researcher Dancho Danchev may suggest otherwise. His findings include:

Tracing the Digital Footprint of Iran’s Mabna Hackers

The Mabna hackers victimized hundreds of organizations worldwide and were known to sell stolen sensitive information. After nine of its members were indicted¹ in the U.S., the elusive threat actors may have left breadcrumbs of their criminal activities in the form of DNS connections.

Exposing the Infrastructure Behind the Democratic National Committee System Intrusion

The high-profile cyberintrusion of the Democratic National Committee (DNC) computer system in 2015¹ disrupted the 2016 presidential election in the U.S. It remains one of the most popular cyber attacks, with top security firms performing different investigations.

Is Your Software a Top Impersonation Target?

Copycatting the world’s most popular software applications is a commonly used technique to lure users into visiting seemingly legitimate yet often malicious pages.

DIY Web Attacks Might Still Live on via WebAttacker

WebAttacker can be considered an aged threat, but it may not be out of the cybercrime game just yet.¹ While it has been in business since 2006, what WhoisXML API threat researcher Dancho Danchev discovered recently seems to indicate its operators could still be up to no good.

Exposing a Currently Active Ashiyane Digital Security Domain Infrastructure

An Iran-based hacker forum that was shut down in 2018 became active again last year.¹ While our initial investigation at that time uncovered 100+ digital properties related to the group, our most recent exploration exposes thousands more. 

The Current State of Malicious PPI Businesses and Affiliate Networks

Pay-per-install (PPI) and affiliate networks, which made headlines between 2008 and 2013, may not entirely be gone. Research by WhoisXML API threat researcher Dancho Danchev revealed that some of the domains registered using email addresses belonging to their operators remain active to this day.

From Counterfeiting to Phishing: Cybersquatting Properties Target Network Device Makers

Fake network devices are being sold online, some of which can bypass security functions.¹ Recently, a CEO was arrested for allegedly selling about a billion dollars’ worth of counterfeit Cisco devices.²

Is Monkeypox Following COVID-19’s (Digital) Footsteps?

Monkeypox was recently declared a public health emergency¹ so it’s bound to gain even more attention in the coming weeks or months. Even before then, it has already been used as a phishing campaign lure,² are we set to see more of this?

Have You Seen These Roaming Mantis Connected Artifacts Wandering into Your Phone?

Roaming Mantis may have stolen the credentials or infected the devices of hundreds of thousands of people. The threat group did that through a smishing campaign targeting Android and iOS users. According to SEKOIA-IO,¹ more than 90,000 unique IP addresses have requested XLoader from Roaming Mantis’s command-and-control (C&C) servers as of mid-July 2022.

Profiling the Threat Actor Known as “Hagga” and His Work

The threat actor known as “Hagga,” first identified in the latter part of 2021,¹ has been using Agent Tesla to steal sensitive user information for some time now. Published reports have identified several indicators of compromise (IoCs)² believed to be part of Hagga’s criminal infrastructure.

Beauty and the Beast: Possible Vehicles for Cosmetic Products Counterfeiting

Fake beauty products have proliferated through illicit websites and social platforms¹, putting people and brands in danger. Counterfeit products may contain harmful products, and victims may end up suing the impersonated brands, according to Cosmetics Business².

Are Threat Actors Intercepting Your OTPs? These Cyber Resources Might Be Helping Them

A recently discovered banking Trojan¹ that can restart its malicious routine was delivered using two cybersquatting domains targeting BBVA, a Spanish multinational financial services firm. The malware is aptly named “Revive” and can intercept one-time passwords (OTPs) and all other messages received on the infected device.

KrotReal: Is the Koobface Bot Master Back in Business?

KrotReal, identified as the infamous Koobface Gang’s bot master, is seemingly back in business.¹ But instead of going after social media users, is he now targeting adult content viewers?

Luxury Jewelry, Anyone? Watch Out for Scams

Cartier recently decided to beef up its efforts in hopes of taking down sites and pages selling knock-offs of its products.¹

Are other luxury jewelers² and their customers at risk of the same threat? We sought to answer this and more with our in-depth analysis of potential look-alike domains and subdomains peddling counterfeit goods.

Koobface Makes a Comeback

The infamous Koobface Gang¹ is possibly causing malware mayhem again. After Facebook and cybersecurity researchers unmasked the perpetrators back in 2012, the gang members shut down their servers in a bid to avoid capture.²

NotPetya: Not Quite Dead, as Recent IoCs Show

NotPetya first saw light in June 2017, shortly after Petya’s emergence. NotPetya was believed to have caused organizations worldwide US$10 million in damages.¹

Unlike Its Namesake, Aoqin Dragon Isn’t Mythical

Aoqin Dragon may not be as foolproof as it seems. Despite evading discovery for almost a decade,¹ cybersecurity researchers shed some light on the advanced persistent threat (APT) group’s inner workings.

Conti Ransomware: Still Alive and Kicking

Despite the heightened lookout for key members of Wizard Spider given the huge reward offered by the U.S. government,¹ Conti ransomware continues to plague individuals and businesses worldwide.

Predator Surveillance Software May Not Be Lawful at All

Predator has been found to illegally spy on journalists and politicians the world over since December 2021.¹ But the threat the app poses may not have died down despite its exposure.

GALLIUM APT Group and Other Threat Actors in Disguise

Threat actors were observed taking advantage of legitimate services by creating subdomains and using them as command-and-control (C&C) domains¹ and phishing site hosts².

Exposing the “Haters” behind Patriot Front

Patriot Front is a well-known white supremacist group in the U.S.¹ Most recently, dozens of the group’s members disrupted a Pride event in Idaho, resulting in their arrest.²

Both Aged and New Domains Play a Role in the NDSW/NDSX Malware Campaign

The threat actors behind the NDSW/NDSX malware campaign¹ used both newly registered and aged domains, likely to get the best of both worlds. But the digital breadcrumbs they left behind could help investigators get a step closer to catching them.

Phishers Are Impersonating Maersk: What Other Container Shipping Companies Are Targeted?

The supply chain attack on Toyota¹ last February 2022 is only one example of how such an attack could be detrimental to an organization. Therefore, a phishing and impersonation campaign² targeting one of the largest container shipping lines is quite concerning.

Careful, the Next Premium SMS Offer You Subscribe to May Be Malicious

Avast recently reported that SMSFactory Android Trojan has affected around 165,000 users worldwide.¹ But so far, only a few digital properties have been publicized as indicators of compromise (IoCs).²

Father’s Day: Bad Guys’ Activities

Whois API researchers previously uncovered suspicious web properties related to Mother’s Day¹. Some of them were outright malicious, while others hosted questionable content. This Father’s Day, we detected a similar trend, indicating that the bad guys are also getting ready for the special occasion.

Exposing the Criminal Infrastructure of the Blood and Honor Hate Group

Blood and Honor is a well-known right wing extremist (RWE) group that originated from the U.K. founded in 1987. They began spreading their messages through music that supported their political ideology.¹

WhoisXML API security researcher Dancho Danchev used various OSINT tools to help law enforcement agents track the group members’ digital footprints. His investigation revealed:

In the Market for a New Car? Beware Not to Get on the Phishing Bandwagon

Anything sold on the market, especially necessities, are fair game to phishers as campaign hooks. And that’s just what we saw happening with an ongoing phishing campaign targeting German car dealership companies.¹

Online Shopping Danger? We Discovered 13K+ Cybersquatting Properties Targeting the Top E-Commerce Sites

Online shoppers have always been prone to cybercrime, such as financial scams, hacking, and credential theft. Domains and subdomains are common vehicles for these criminal activities, but more compelling are those that imitate major e-commerce sites.

Blurring the Lines between APTs and Cybercrime: Cobalt Mirage Uses Ransomware to Target U.S. Organizations

Cobalt Mirage, a well-known APT group, recently took a page out of cybercriminals’ modus operandi—using ransomware—to go after targets earlier this month.¹ So far, only 11 domains and two IP addresses have been publicized as indicators of compromise (IoCs).²

A Look into Cybersquatting and Phishing Domains Targeting Facebook, Instagram, and WhatsApp

Meta’s infringement and cybersquatting case against Namecheap was dismissed¹ last 25 April 2022 following a settlement². While the details of the settlement were private, the registrar ended up transferring 61 domains to Meta. 

In line with this, WhoisXML API researchers decided to monitor the cybersquatting activity related to three Meta applications covered in the dismissed case—Facebook, Instagram, and WhatsApp. Our findings include:

Beware of Frappo and Related Cybersquatting Domains

Phishing-as-a-service (PaaS) solutions like the recently discovered Frappo,¹ make brand impersonation campaigns easy to instigate and automate. Among those targeted by the new toolkit were large companies in the financial, e-commerce, and entertainment sectors, namely, Amazon, ATB Financial, Bank of Montreal (BMO), Bank of America (BOA), Chase, CIBC, Citibank, Citizens Bank, Costco, Desjardins, M&T Bank, Netflix, Royal Bank of Canada (RBC), Rogers, Scotia Bank, Tangerine Bank, TD Canada Trust, Uber, and Wells Fargo.

Cardano Joins the List of Favored Crypto Scam Targets

It’s no longer unusual for cybercriminals to go after cryptocurrency owners. We’ve seen scams targeting Bitcoin¹ and Ethereum² owners before. This time, they’re going after Cardano coin owners³ with a supposed giveaway promo.

These DeFi Domains Might Be Risky to Investors

In addition to cryptocurrency wallets and non-fungible token (NFT) companies, malicious actors recently targeted decentralized financial (DeFi) platforms. They got away with US$90 million.¹ One way some NFT companies may be addressing the threat is by defensive domain registration.²

Website Defacement: Age-Old but Still Works as Ongoing Campaigns Show

Threat actors typically employ website defacement to further their political, environmental, or even personal agenda. Through SQL injection, cross-site scripting (XSS), and other initial compromise tactics, they replace the content of target sites to display their specially crafted messages.

Threat Actors Might Be Interested in Elon Musk’s Twitter Purchase Too

Threat actors often ride on the latest news and current events to lure users to their specially crafted malicious websites. We’ve seen that happen with the onset of the COVID-19 pandemic¹ and the birth of the Black Lives Matter movement.²

We may see that happen again given the hype surrounding Elon Musk’s recent purchase of Twitter.³

We Don’t Want to Spoil Mothers’ Day but These Domains Might

With Mothers’ Day just around the corner, threat actors may already be devising or have already deployed scams targeting mothers and children looking for Mothers’ Day gifts.

Sinkholing May Not Spell the End for Malware Hosts and Botnets

Sinkholing has long proven effective in taking down cybercriminal operations like WannaCry.¹ The process has, in fact, more recently employed by Microsoft to thwart Strontium cyber attacks targeting Ukrainians.²

Behind the Bylines of Fake News and Disinformation Pages

Fake news and disinformation campaigns pose real risks to nations worldwide as evidenced by research done by Statista.¹ Their peddlers’ motivation? Political and financial gain, according to some opinions.²

Through the Spyglass: NSO Group Spyware Pegasus in Focus

The NSO Group gained infamy for its proprietary spyware Pegasus. In 2021, in fact, Apple sued the company for its alleged ties to threats targeting its service and device users.¹

Expanding the Conti Ransomware IoCs Using WHOIS and IP Clues

Conti ransomware continues to gain traction via the ransomware-as-a-service (RaaS) business model, with threat actors launching more than 1,000 attacks against various organizations worldwide. In March 2022, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Conti ransomware alert page with close to 100 domain indicators of compromise (IoCs).¹

HermeticWiper: Another Threat Targeting Ukraine at Large

Ukraine users have reportedly been targeted by a malware known as HermeticWiper.¹ Known for wiping out data on victims’ computers, the malware has affected hundreds of systems since it emerged.

Operation Dream Job: Same Tactics, New Vulnerability and Domains?

Operation Dream Job is a threat group that takes advantage of people’s hope to improve their careers. Instead of finding their dream jobs, however, victims could find themselves vulnerable to remote code execution (RCE).¹

What Are the DNS Artifacts Associated with APT36 or Earth Karkaddan?

APT36 or Earth Kardakkan has been targeting government entities, most especially in India, for a couple of years now. But so far, only a few digital properties have been publicized as indicators of compromise (IoCs).^{1, 2}

Be Wary of Bogus Web Properties This Tax Season

The tax season is not only for taxpayers. Threat actors also flock to the Internet, baiting individuals and entities through different types of tax frauds.¹ WhoisXML API trailed their sights on possible vehicles for malicious activities this tax season by uncovering domains and subdomains that contain tax-related terms.

Behind the Innovative Marketing Rogue Scareware Distribution Network

Innovative Marketing made waves as a rogue scareware operator more than a decade ago.¹ But while law enforcement authorities successfully thwarted its large-scale business, its owners have yet to be captured.^{2, 3}

Danchev and WhoisXML API’s research team sought to determine if the company left digital breadcrumbs behind using Maltego and various WhoisXML API tools. He uncovered an expansive list of domains, IP addresses, and other web properties that could help the cybersecurity industry finally put an end to Innovative Marketing.

OSINT Analysis of the World’s Biggest Cybercriminal Infrastructures

WhoisXML API maintains a list of the most prominent cybercriminal groups around the globe in an effort to help fellow researchers and vendors and the authorities enrich their actionable threat intelligence.

Are Cybersquatters Going After the Car Manufacturing Sector?

The recent supply chain attack¹ causing Toyota to halt production for days and lose 13,000 in car outputs underscores how wide an organization’s attack surface can be. It also proves how scattered threat vectors can be—from insider mistakes, third-party vulnerabilities, and many others.

Digital Spillovers of Russia’s Invasion Of Ukraine

The war between Ukraine and Russia has become a global crisis like no other. The situation has spillovers beyond humanitarian, physical, and economic effects, including increased activity on the Domain Name System (DNS).

From Fake News Proliferation to Data Theft: Tracing the Red Cross Hack to a Misinformation Network

The cyber attack against the International Committee of the Red Cross (ICRC) exposed the data belonging to more than 500,000 people worldwide.¹ While no indicators of compromise (IoCs) have been publicized so far, an interesting link to a fake news network was revealed by security researcher Brian Krebs.²

Under the Hood of the Infraud Organization Cybercriminal Operation

While 36 alleged Infraud Organization members were recently captured and indicted¹, the incident may not spell the end of woes related to the gang.

We took a closer look at published indicators of compromise (IoCs) related to Infraud Organization, specifically 11 domains, six IP addresses, and three email addresses, which were used as jump-off points to uncover more potential artifacts and IoCs.

The Oscars and Suspicious Web Activity: What's the Link?

Hollywood’s popularity extends beyond providing entertainment. Like last year¹, threat actors seemingly used sites dedicated to this year’s Oscar nominees² as malware hosts. We looked at thousands of domains and subdomains containing the best picture titles and best actor/actress names to identify how many of them are actually malicious.

Exposing Void Balaur’s Internet-Connected Infrastructure

Void Balaur is a cybercriminal gang, believed to be operating from Latvia, that has been launching typosquatting and spear phishing attacks targeting users worldwide.

WhoisXML API researcher Dancho Danchev recently dove deep into the perpetrators’ campaigns aided by current and historical WHOIS records to find actionable intelligence for cybersecurity and law enforcement purposes.

2022 Olympic Winter Games: Prime Ground for Phishing Lures?

Major sporting events, such as the Olympic Games, have always gained the attention of threat actors. A noteworthy example is the OlympicDestroyer malware¹ that targeted the 2018 Winter Olympics.

DHL Was the Most-Phished Company in 2021, Will That Be True in 2022, Too?

Checkpoint research revealed that DHL was the most-phished brand in 2021,¹ which led us to wonder if the same will hold for 2022. We scoured the Web for domains and subdomains containing “dhl” and subjected these to further scrutiny to identify more connected artifacts.

An OSINT Analysis of Infraud Organization and Its Cybercriminal Infrastructure

WhoisXML API researcher Dancho Danchev recently delved deep into the Infraud Organization’s cybercriminal infrastructure. Infraud Organization is well-known for maintaining a cybercriminal forum that provides threat actors tons of stolen credit card information.¹ Danchev used WHOIS, IP, and DNS tools to identify more artifacts connected to the threat.

Web Search Results Reveal a Suspicious Network of Domains

Search engine scams continue to increase in volume despite the security efforts of major search engine services. The persistent effectiveness of blackhat SEO techniques and the growing list of suspicious or unwanted search results are just some of the pressing concerns that plague Internet users.

Malicious Valentine: Uncovering Thousands of Domains Connected to Romance-Themed Campaigns

Romance-themed campaigns have several faces—some pose as online dating sites¹ while others as fake applications.² These campaigns occur year-round, but Valentine’s Day could make more people vulnerable. In line with this, WhoisXML API researchers gathered and analyzed the IoCs of romance or Valentine-themed campaigns. Among our key findings are:

The Irony: Data Privacy Sites Bring Risks Instead of Protection

It’s ironic to think that sites hinting at promoting data privacy awareness and/or protection are serving malware instead, but that’s a sad truth. We found thousands of web properties through WHOIS, IP, and DNS searches to identify malicious data privacy-related sites.

Exploring BlackTech IoCs Reveals Hundreds of Artifacts in 2022

The BlackTech APT Group struck again, this time with the new FlagPro malware and IoCs. Since the group used the same C&C servers and infrastructure for multiple campaigns in the past, WhoisXML API analyzed the new IoCs together with those reported in the past two years. We uncovered artifacts and possible domain and IP connections. Our analysis includes:

REvil Ransomware: What Can We Learn from Published IoCs in 2022?

REvil has been one of the biggest ransomware threats in 2021, pushing the U.S. Department of State to post a US$10 million reward to anyone who can identify and locate the gang’s leaders.¹ AlienVault made headway in identifying REvil-hosting domains.² We subjected these web properties to IP and DNS searches to identify more connected artifacts.

Illegally Streaming “Spider-Man: No Way Home” Could Be Hazardous to Your Computer

While watching ‘Spider-Man: No Way Home’ in movie theaters could pose health risks considering the ongoing pandemic, downloading torrents of or illegally streaming the movie can be hazardous to your computer’s health too. Researchers discovered that torrent files could be XMR Miner malware in disguise¹.

65,000+ NFT-Related Domains and Subdomains: Possible Vehicles for NFT Scams?

As non-fungible tokens (NFTs) become increasingly popular and valuable, related scams are also on the rise. Since these scams utilize domain names and websites, WhoisXML API examined the registration of NFT-related domain names, fortifying our findings with WHOIS and IP intelligence. Our analysis revealed:

New Zloader Campaign: Where Do IoCs Lead Us?

A new Zloader campaign has been detected. It is believed to be the work of the MalSmoke cybercrime group. More than 2,000 unique victim IP addresses have downloaded the malware, which exploits a vulnerability in Microsoft’s digital signature verification method.

Gift Cards, Anyone? Watch Out for Fraud and Malware Hosts

The Federal Trade Commission (FTC) maintains a page dedicated to gift card scams¹, and there’s a good reason for that. Each year, consumers who succumb to lures end up losing thousands² instead of getting gifts for their loved ones. We found thousands of web properties through IP and DNS searches to identify IoCs and other artifacts possibly tied to gift card scams and phishing.

Log4j Vulnerability: What Do the IoCs Tell Us So Far?

A new vulnerability called “CVE-2021-44228” or “Log4Shell” was detected on 9 December 2021, alerting the cybersecurity community to possible remote code execution (RCE) attacks. WhoisXML API analyzed initial IoC lists to shed light on possible artifacts and connections. Among our findings are:

“Nickel” APT Group: What We Found Out About Microsoft’s Latest Domain Seizure

Microsoft recently seized 42 domains attributed to the China-based Nickel APT group.¹ We subjected these web properties to WHOIS queries to find more information.

Are Mypressonline[.]com’s Free Subdomain Hosting Services Being Abused?

We were alerted to the ongoing mypressonline[.]com phishing campaign¹ and sought to uncover the site’s complete domain footprint and potential evidence of hosting abuse.

Digging Up Zombie Domains: What WHOIS History Reveals about 3,800+ Verified Phishing Hosts

As phishing remains an imminent attack vector leading to costly and damaging campaigns, WhoisXML API researchers dug up the WHOIS history of 3,800+ domain names and subdomains associated with verified phishing URLs. We present our key findings and analyses in a white paper and associated threat research materials covering:

Telcos Are on Phishers’ Radar, Who Is at Risk?

The telecommunications sector has been identified by PhishLabs as phishers’ top 3 target in a November 2021 report.¹ We looked at the newly registered domains (NRDs) and subdomains containing the strings “broadband,” “mobile,” and “telecom” to determine who among the 10 biggest telcos in the world are at risk of getting phished.

Locky Ransomware: Still a Threat as List of IoCs Grows

Despite its age, Locky ransomware, which first made headlines in 2016,¹ is still making the rounds. We obtained 61 IP addresses connected to the threat and used these as jump-off points to uncover other web properties that users need to avoid accessing.²

Uncovering Signs of Internet Fraud with WHOIS, DNS, and IP Data

The FTC Consumer Sentinel Network¹ reported US$3.5 billion in losses due to different types of fraud as of the third quarter of 2021. Clearly, fraud is an imminent threat that needs to be detected and prevented as early as possible to avoid further losses to individuals and the global economy.

Facebook Is Now Meta, Will Threat Actors Ride the Wave?

Company rebranding efforts are always a big deal, as they usually translate to expanding a known brand’s portfolio. That’s why many such events are announced during some of the world’s biggest conferences. The same could be said of Mark Zuckerberg’s introduction of Meta in Connect 2021.¹

Are Banks and Their Customers Once Again at Risk of Typosquatting Woes?

Banks and other financial institutions have always been a top-of-mind attack target.¹ We analyzed an ongoing cybersquatting campaign targeting U.S. Bancorp using four malicious domains and their corresponding IP resolutions that IBM X-Force Exchange identified.²

Insurance Companies Are The Target of Recent Cybersquatting Campaigns

We analyzed an ongoing cybersquatting campaign targeting MetLife, Inc., using 12 malicious domains that IBM X-Force Exchange identified.¹

Are Cybersquatting Campaigns Targeting Airlines Taking Off?

Any company that serves thousands if not millions of users is considered ripe for threat actor picking. Threats and attacks often start with the simple act of typosquatting. Such was the case for an ongoing cybersquatting campaign targeting Turkish Airlines.¹

Exposing the Connection between a Most Wanted Cybercriminal and the BlackEnergy DDoS Attack

Oleksandr Vitalyevich Ieremenko¹ is a Ukrainian national charged with several fraud-related and cybercrime cases in August 2015. Barely a year after the allegation, Ieremenko joined a cybercrime group led by Artem Viacheslavovich Radchenko and gained unauthorized entry into the U.S. Securities and Exchange Commission (SEC) network.

A Most Wanted Cybercriminal Runs a Profitable Android Malware Enterprise

Danil Potekhin,¹ a Russian national, managed to steal approximately US$17 million from users of several digital currency exchange platforms by defrauding several cryptocurrency exchange sites. Potekhin was then indicted² in September 2020 for conspiracy to commit computer fraud, unauthorized access to a protected computer, and aggravated identity theft, among other crimes.

Exposing Hundreds of Rogue VPN Domains Potentially Connected to the NSA

WhoisXML API DNS Threat Researcher Dancho Danchev identified domain intelligence related to several bogus free VPN service providers. Those bogus entities could seemingly be traced back to the National Security Agency (NSA) as part of an effort to monitor the online activities of suspicious Iran-based users. 

IoC Report Exposing an Active WannaCry Ransomware Domain Portfolio

WannaCry ransomware made waves as part of a global cyber attack detected in 2017, which resulted in around US$4 billion¹ in financial losses. The ransomware campaign targeted organizations in various industries, including the telecommunications, airline, and medical services sectors.

IoC Report Exposing a Currently Active Cyber Jihad Campaign’s Domain Portfolio

Cyber jihad, a term that loosely describes using the Internet as a communication, fundraising, recruitment, training, and planning tool in cyber attacks^[1], gained traction over the years. It has become a force to reckon with for many government institutions tasked to battle cyberterrorism. In fact, at the end of 2020 alone, three cyber-enabled campaigns targeting government institutions worldwide were brought down^[2].

Exposing Thousands of Active Kaseya Ransomware C&C Domains

About 1,500 small and medium-sized businesses (SMBs)¹ may have been affected by the ransomware attack targeting Kaseya, an IT solutions developer catering to managed service providers (MSPs) and enterprises. The attack, which occurred in July 2021, exploited a vulnerability in the company’s remote monitoring and management software. The threat actors behind the attack reportedly asked for US$70 million² in exchange for a decryption tool.

Domain Squatting Analysis of the Gaming Industry: Thousands of Online Gaming-Related Web Properties

The video gaming industry is among the highest-earning entertainment sectors, outperforming¹ the movie industry in the past year. It has also become a favorite of cyber attackers.

We analyzed thousands of gaming-related domains and subdomains to see how prevalent threats are in the industry. Aside from analyzing the overall e-sports sector, our analysis targeted four of the most popular gaming companies—Bandai Namco, Epic Games, Electronic Arts, and Ubisoft.

CEO Impersonation Alert: A Look into the Top 100 CEOs of 2021

Total losses from BEC scams and CEO impersonation are estimated at tens of US$billion^[1][2] over the past years. In 2021, Elon Musk’s impersonators were able to amass about US$2 million^[3] from numerous victims. 

A Look at Thousands of Credential Phishing-Related Domain Names

Cofense researchers found that more than half of the millions of emails they analyzed were credential phishing emails.¹ To see how prevalent these are in the domain world, we extracted domains that contain account-related text strings, such as “login,” “signin,” and “password.” When used alongside popular company names like PayPal and Amazon, these account-related text strings can make phishing emails appear more credible.

Exposing 1,100+ NSO Spyware Group’s Domains, IP Addresses, and MD5 Hashes

The NSO Spyware Group’s spyware dubbed “Pegasus” is known for its ability to be covertly installed on mobile phones running different versions of Android and iOS and spy on their owners’ activities.

Exposing 100+ Domains Possibly Belonging to the Ashiyane Digital Security Team

The Ashiyane Digital Security Team is known to be a gray hat network security company based in Iran.¹ It has been allegedly connected to several state-sponsored attacks against various countries over the years. 

IoC Report Exposing Potential Actors behind the Conficker Botnet

Conficker, which infected millions of systems in its heyday in 2008, continues to infect tens of thousands of devices. Dubbed as the “worm that nearly ate the Internet¹,” Conficker targets computers running on Microsoft operating systems (OSs), creating a colossal botnet that can be used to launch large-scale cyber attacks.

Analyzing “Brian Krebs” Typosquatting Domains to Spread Malware

Brian Krebs¹, an American journalist and investigative reporter, is best known for his coverage of cybercrime & cybersecurity news—notably through his blog KrebsOnSecurity.com.