DNS Analysis of the Keenadu Backdoor Network

A backdoor dubbed “Keenadu” has been identified in the firmware of certain Android devices, likely introduced through a malicious static library linked with libandroid_runtime.so during the firmware build process or delivered via compromised OTA updates. The malware acts as a multistage loader, enabling remote control of infected devices and supporting activities such as search hijacking and app monetization.

Securelist identified¹ several IoCs associated with the threat. Building on these, we analyzed 29 refined IoCs, leading to these findings:

A DNS Exploration of Operation Olalampo

MuddyWater has long been active in state-sponsored cyber operations. In its latest campaign, dubbed “Operation Olalampo,” the group targeted organizations and individuals primarily across the MENA region, leveraging geopolitical tensions. The attackers deployed new malware variants and used Telegram bots for command-and-control (C&C).

Group-IB identified¹ seven network IoCs associated with the activity. We analyzed all seven IoCs, comprising four domains and three IP addresses, and confirmed that none were tied to legitimate ownership. Using our homegrown tools to investigate the threat, we uncovered these findings:

DNS Deep Dive: LummaStealer + CastleLoader = Larger Threat

LummaStealer, an information-stealing malware family, continued operating despite a major law-enforcement disruption in 2025 by shifting hosting providers and adopting alternative loaders and delivery techniques such as ClickFix.

Bitdefender uncovered¹ a new LummaStealer campaign that used CastleLoader as its main delivery mechanism. After extracting domains from IoC-tagged subdomains and excluding those belonging to legitimate organizations, we analyzed 211 IoCs in all, comprising two subdomains, 180 domains, and 29 IP addresses. Using our homegrown tools to investigate the threat, we uncovered these findings:

A Look Back at 11 of the Red Report 2026 Featured Threats

Several state-sponsored and financially motivated threat actors leveraged widely used MITRE ATT&CK techniques identified in Picus Security’s Red Report 2026 to compromise target environments.

After reviewing the original materials, we analyzed 147 network-based IoCs¹ in total, comprising subdomains, domains, and IP addresses associated with 11 attacks linked to groups such as STATICPLUGIN, SadBridge Loader, XLoader, Operation BarrelFire, ClickFix, APT36, Chihuahua Stealer, Earth Ammit, PlushDaemon, and Earth Alux.

Using our homegrown tools to investigate the threat, we uncovered these findings:

A Close Look under the DNS Hood of CoolClient

Securelist recently reported¹ a HoneyMyte (also known as “Mustang Panda” or “Bronze President”) campaign using an updated version of the CoolClient backdoor. Active in cyber-espionage operations, the group has previously deployed tools such as ToneShell, PlugX, Qreverse, Tonedisk, and SnakeDisk.

The 2025 CoolClient update introduces additional capabilities, including browser credential stealers and scripts for reconnaissance and data exfiltration.

Researchers initially identified four CoolClient network IoCs. After extracting domains from subdomains and filtering legitimate infrastructure, we analyzed six IoCs in total—three domains, two subdomains, and one IP address. Domain ownership checks using the WhoisXML API MCP Server² confirmed that none of the domains were associated with legitimate entities.

Our investigation of the CoolClient IoCs led to these findings:

Probing the DNS Depths of PeckBirdy

Trend Micro recently reported on PeckBirdy, a JavaScript-based command-and-control (C&C) framework used by China-aligned APT actors since 2023. Designed to operate across multiple environments, PeckBirdy enables flexible deployment and has been linked to campaigns involving modular backdoors such as HOLODONUT and MKDOOR, along with Cobalt Strike payloads, stolen code-signing certificates, and exploitation of CVE-2020-16040.

The researchers identified 36 network IoCs¹ tied to the activity. After extracting unique domains from the subdomains flagged as IoCs, we analyzed 56 IoCs in total. Using our homegrown tools to investigate the threat, we uncovered these findings:

What Remains of Black Basta Now That Alleged Gang Leader Joined the Most Wanted List?

The Hacker News recently reported¹ that alleged Black Basta ransomware leader Oleg Evgenievich Nefedov has been added to the EU Most Wanted and INTERPOL Red Notice lists. Over time, Black Basta² affiliates have relied on phishing and vulnerability exploitation for initial access, followed by double extortion—encrypting systems and exfiltrating sensitive data. Victims were instructed to contact operators via Tor-based .onion portals and typically given 10–12 days before data publication on the “Basta News” leak site.

Security researchers publicized 27 network IoCs³ tied to a recent campaign⁴. We analyzed 18 IoCs, including 15 IP addresses and three verified domains, to uncover additional infrastructure and connections.

Using our homegrown tools to investigate the threat, we uncovered these findings:

Top 10 Malware of Q4 2025: A DNS Deep Dive

On 29 January 2026, the Center for Internet Security (CIS) published¹ its list of the top 10 malware observed in Q4 2025, identifying network indicators of compromise (IoCs) for seven families: SocGholish, CoinMiner, Agent Tesla, Calendaromatic, ZPHP, VenomRAT, and ACR Stealer. After removing legitimate domains and refining the dataset with the WhoisXML API MCP Server², we analyzed 46 IoCs, comprising 32 domains and 14 subdomains.

Our deep dive into the 46 IoCs for seven of the top 10 malware of Q4 2025 led to these discoveries:

A Look Back at the Top Ransomware Attack Targeting the Salesforce Supply Chain

Several high-impact ransomware operations in 2025 leveraged SaaS supply chain access to infiltrate enterprise environments. Among them, the Salesforce SaaS supply chain attack stood out for its scale and cross-sector impact. Threat actors reportedly exploited trusted integrations and harvested OAuth tokens to pivot into downstream customer environments. The consequences included large-scale data exposure, CRM compromise, and multisector operational disruption.

Security researchers published^1,2 multiple IoCs tied to the campaign. After consolidating and validating the original lists, we analyzed 39 IoCs in total.

Our investigation led to these discoveries:

QakBot Named a 2026 Top Malware Threat: An IoC Analysis

An analysis¹ of QakBot, recently named one of the top malware threats to watch in 2026, highlighted its continued role as a highly effective access trojan and loader. Commonly delivered through phishing emails, QakBot is used to harvest credentials, maintain command-and-control access, move laterally across networks, and deploy secondary payloads, including ransomware. Its operations predominantly target enterprise environments with heavy email reliance, making it a persistent threat despite repeated takedown efforts.

The IoCs used in this analysis were sourced from a Trellix-published list², from which we extracted 929 unique domains. After removing legitimate but potentially compromised infrastructure, the dataset was reduced to 492 domains. We then focused on 125 domains and 19 subdomains, resulting in 144 IoCs analyzed.

Our investigation led to these discoveries:

Probing the DNS Depths of PHALT#BLYX

An analysis of stealthy campaign PHALT#BLYX that targeted the European hospitality sector revealed its use of click-fix social engineering, fake CAPTCHAs, and fake BSOD pages to trick users into downloading DCRat. All that so the threat actors could take full remote access to infected systems and drop secondary payloads. The researchers cited 11 original IoCs in their report.¹

We analyzed 12 IoCs in total—one URL, eight domains, and three IP addresses—after further scrutiny. Our investigation uncovered these findings:

Divulging the DNS Secrets of DarkSpectre

Koi Security has been monitoring a threat group known as DarkSpectre for more than a year. The group has been linked to multiple malware campaigns involving Zoom Stealer, ShadyPanda¹, and GhostPoster, impacting more than 8.8 million users over seven years.

In a newly identified campaign affecting 2.2 million users, DarkSpectre leveraged a GhostPoster-linked Opera browser extension with nearly 1 million installs as of December 2025. Koi Security identified 20 IoCs² tied to this activity. After filtering legitimate infrastructure using Jake AI, we analyzed 15 IoCs in total, leading to the following findings:

Analyzing Account Takeover Attacks Leveraging SquarePhish2 and Graphish

Several state-sponsored and financially motivated attacks enabled by SquarePhish2 and Graphish, among other phishing tools, tricked users into granting threat actors access to their Microsoft 365 accounts. The consequences included account takeover, data exfiltration, and others.

Proofpoint identified several IoCs¹ associated with the attacks. After a closer look at the original IoC list, we analyzed 46 IoCs in all comprising 21 subdomains (including four with multiple variations), 22 domains, one IP address, and two email addresses.

Using our homegrown tools to investigate the threat, we uncovered these findings:

DNS Spotlight: The Silver Fox in the Henhouse

Disguised as Russian threat actors, Chinese APT group Silver Fox managed to infiltrate well-protected targets. They used Cyrillic characters in their SEO poisoning campaign lures that deployed ValleyRAT¹ into target networks.

Silver Fox abused Microsoft Teams to install ValleyRAT into victims’ systems to conduct state-sponsored espionage for sensitive intelligence and engage in financial fraud and theft to fund their operations.²

ReliaQuest originally identified 41 IoCs comprising six domains, 17 subdomains, and 18 IP addresses after analyzing the cyber attack in great depth. We investigated the Silver Fox infrastructure further and jumping off 55 IoCs in total unearthed these discoveries:

An In-Depth Analysis of the Ashen Lepus AshTag-Enabled Attack

Palo Alto Networks’ Unit 42 has been tracking and monitoring Ashen Lepus’s cyber espionage campaign that leverages a new malware suite they dubbed “AshTag.” The researchers witnessed a tangible evolution in the group’s operational security and TTPs.

Unit 42 identified 12 subdomains as IoCs.¹ Upon further scrutiny, we extracted 10 unique domains from the subdomains, bringing the total of IoCs for our in-depth analysis to 22.

Our investigation of the 22 AshTag IoCs led to these discoveries:

Illuminating ShadyPanda DNS Infrastructure Facts

ShadyPanda launched a seven-year-long campaign that affected the browsers of 4.3 million Chrome and Edge users to date. The actor’s secret? Some malicious extensions were featured and verified by Google, resulting in instant trust and massive distribution.

Koi Security identified seven IoCs¹ comprising four domains and three subdomains. After extracting unique domains from the subdomains, we accumulated six domains and three subdomains for further analysis.

Mining for DNS Maxims: Top 10 Malware of Q3 2025

The Center for Internet Security (CIS) named the top 10 malware of Q3 2025 and identified 31 domains as IoCs for five of them.¹ After weeding out legitimate domains from their list with the help of the WhoisXML API MCP Server,² we were left with 26 domains for our study. Our in-depth analysis of the IoCs for SocGholish, Agent Tesla, ZPHP, Gh0st, and Lumma Stealer led to these discoveries:

Thumbing through the DNS Traces of TamperedChef

TamperedChef, a massive malvertising campaign, leveraged apps users commonly installed on their computers. Potential victims were tricked into downloading malicious scripts via clever social engineering ruses. Infections could lead to establishing and selling remote access for profit, stealing and monetizing sensitive credentials and healthcare data, preparing compromised systems for future ransomware deployment, and engaging in opportunistic espionage by exploiting access to high-value targets.

The Acronis TRU identified 58 IoCs comprising URLs and subdomains.¹ We extracted 58 unique domains from them and weeded out those that were legitimate. We were left with 46 domains for further analysis. Our in-depth investigation led to these discoveries:

Predicting ValleyRAT: Early Detection with First Watch

ValleyRAT is a multi-stage Remote Access Trojan (RAT) that primarily targets Chinese-speaking users and enterprises through coordinated phishing campaigns designed to gain complete control over infected systems and deploy additional malware. ValleyRAT was first discovered by Proofpoint researchers in 2023 and has since been observed in various campaigns.

According to research by Morphisec Threat Labs, the malware is distributed via malicious emails and websites. It comes disguised as legitimate software, such as Google Chrome, or as Microsoft Office documents. These files deliver a multi-component loader designed to bypass security measures.

DNS Spotlight: New MITRE ATT&CK Group Entrants as of October 2025

Nine new groups were listed on the MITRE ATT&CK October 2025 Updates¹ page under three categories—Enterprise, Mobile, and ICS. We collated a list of 144 IoCs comprising 108 domains, 31 IP addresses, and five email addresses after filtering out legitimate domains from sources MITRE listed for each group.

We analyzed the 144 IoCs and the results revealed:

Going DNS Deep Diving into GhostCall and GhostHire

BlueNoroff struck again, this time with interrelated campaigns GhostCall and GhostHire.¹ The actors went after tech company execs, venture capitalists, and Web3 developers, stealing personal information and other well-kept secrets.

Securelist identified 39 domains as IoCs, which we further analyzed. Our investigation led to these findings:

COLDRIVER’s MAYBEROBOT in the DNS Spotlight

The Google Threat Intelligence Group (GTIG) recently analyzed the evolution of Russia-affiliated threat group COLDRIVER’s homegrown malware NOROBOT. The tool has been redesigned into YESROBOT and now into MAYBEROBOT.¹

GTIG identified 14 indicators of compromise (IoCs) comprising 13 domains and one IP address related to the threat. WhoisXML API dove deeper into the IoCs and uncovered these findings:

Burrowing into the Beamglea Campaign DNS Infrastructure

Recently, researchers uncovered 175 malicious npm packages related to the widespread Beamglea phishing campaign. The threat actors targeted more than 135 industrial, technology, and energy companies worldwide. In addition, as of 9 October 2025, the packages have been downloaded more than 26,000 times.

Sixteen indicators of compromise (IoCs) comprising four subdomains, three domains, and nine email addresses were identified. We dove deeper into them. Our analysis revealed these findings:

Chasing After RacoonO365 IoCs Using DNS and Domain Intelligence

In September 2025, Cloudflare and Microsoft jointly disrupted RaccoonO365, a Phishing-as-a-Service (PhaaS) operation that had enabled cybercriminals to steal over 5,000 user credentials worldwide. Despite the takedown, traces of the infrastructure remain scattered across the internet.

In its threat brief, Cloudflare¹ listed numerous indicators of compromise (IoCs), including three cryptocurrency addresses, 21 subdomains, and 77 domain names. 

Our research team analyzed the domains tagged as IoCs, leading to the discovery of:

Spelunking into SVG Phishing: Amatera Stealer and PureMiner DNS Deep Dive

Phishing emails with image file attachments are not novel. But the images usually come as PNG or JPEG/JPG files. This time around, though, attackers laced SVG files with Amatera Stealer and/or PureMiner that took remote control of victims’ devices to collect sensitive information, hijack computing resources, and deliver additional malware.

FortiGuard Labs identified 26 IoCs comprising 25 domains and one IP address connected to the threat. Further investigation of the IoCs led to these discoveries:

Scouring the DNS for Traces of the Hiddengh0st and Winos SEO Poisoning Campaign

The recent Hiddengh0st and Winos search engine optimization (SEO) poisoning campaign targeted Chinese-speaking users. The attackers manipulated search rankings with SEO plug-ins and registered look-alike domains that closely mimicked legitimate software sites.

Fortinet identified 13 indicators of compromise (IoCs).¹ We analyzed eight IoCs—five domains and four IP addresses, and discovered:

Thumbing through the DNS Trail of the TAOTH Campaign

Trend Micro analyzed what they dubbed as the “TAOTH Campaign,” which primarily targeted users across Eastern Asia. The attackers used fake software update, cloud storage, and login pages to distribute malware and collect sensitive information.

We analyzed eight indicators of compromise (IoCs)—three domains and five IP addresses—from the list Trend Micro compiled. Our deep dive led to these discoveries:

Deep Dive: 3 Lazarus RATs Caught in Our DNS Trap

Fox-IT and the NCC Group investigated a Lazarus subgroup linked to AppleJeus, Citrine Sleet, UNC47363, and Gleaming Pisces and uses different remote access Trojans (RATs) known as “PondRAT5,” “ThemeForestRAT,” and “RemotePE.”

The researchers specifically analyzed the three RATs in great depth and identified 19 domains and two IP addresses as indicators of compromise (IoCs) in the process.

Cross-Examining the CAPTCHAgeddon Brought on by ClickFix

Guardio analyzed the ClickFix stealer, an evolved version of fake browser updates. It used fake CAPTCHA pages that enabled it to evade detection and beat popular anti-bot solutions. As a result, it exfiltrated victims’ account credentials and other data from their computers.

The company identified 172 indicators of compromise (IoCs) comprising 156 domains and 16 IP addresses.¹

WhoisXML API analyzed the IoCs further. Our deep dive led to these discoveries:

A Deep Dive into the GreedyBear Attack

The GreedyBear crypto theft campaign actors have already reportedly amassed more than US$1 million. According to Koi Security, the attackers used 150 weaponized Firefox extensions, close to 500 malicious executables, and dozens of phishing sites.

The company identified 18 domains as indicators of compromise (IoCs).¹ WhoisXML API dove deeper into the attack in a bid to uncover more information and new artifacts. Our in-depth analysis of the IoCs led to these discoveries:

Into the Deep DNS Sea with the JSCEAL Campaign

Check Point Research (CPR) reported on the JSCEAL campaign targeting crypto app users.¹ The threat actors used malicious ads to trick victims into installing fake versions of nearly 50 of the most popular crypto trading apps. In the first half of 2025 alone, they released around 35,000 malicious ads that have been viewed at least a few million times in the European Union (EU) alone. The apps the users downloaded were, of course, masked variants of JSCEAL.

Spilling the Beans on Multiplatform Cryptominer Soco404

Wiz analyzed the Soco404 campaign that exploited cloud environment vulnerabilities and misconfigurations to deploy cryptominers.¹ Soco404 payloads were embedded in fake 404 HTML pages hosted on websites built using Google Sites. Note, however, that Google has taken down the sites since they were reported.

The researchers identified nine domains as indicators of compromise (IoCs), which WhoisXML API further analyzed. Our deep dive led to these discoveries:

RomCom and TransferLoader IoCs in the Spotlight

Proofpoint’s “10 Things I Hate about Attribution: RomCom vs. TransferLoader”¹ detailed connections between RomCom and TransferLoader. WhoisXML API further analyzed the campaign infrastructures, specifically the domains used in the attacks, to spot even more similarities and uncover new artifacts in a two-part investigation.

The first part covers our search for typosquatting domain groups (with an IoC and look-alike domains) and unraveling similarities. We found:

Risk Alert: "Black Cat" Cybercriminal Group Targeted Attack Campaign

Published by: China National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT) and DBAPPSecurity Co., Ltd. (https://www.dbappsecurity.com.cn/content/details4756_46730.html)

(Translated / Summarized by WXA Deep Research) 

Top 10 Malware of Q2 2025: A Deep Dive into the IoCs

The Center for Internet Security (CIS) Cyber Threat Intelligence (CTI) Team recently published “Top 10 Malware Q2 2025”¹ that not only listed the malware families that took centerstage during the quarter but also their corresponding indicators of compromise (IoCs).

The report identified 62 IoCs for nine of the malware comprising 53 domains and nine IP addresses.

Our in-depth analysis of the current IoCs led to these discoveries:

A DNS Exploration of the Latest Educated Manticore Attack

The Iranian threat group Educated Manticore recently launched a spearphishing attack targeting Israeli journalists, high-profile cybersecurity experts, and computer science professors from leading Israeli universities.

Victims who engaged with the attackers were led to fake Gmail login pages or Google Meet invitations. And the credentials they entered on phishing pages? These were sent to the attackers, letting them intercept passwords and 2FA codes and gain unauthorized access to their accounts.

Check Point Research identified 141 IoCs in their report.¹ We analyzed these in greater depth and uncovered:

Beneath the Belly of the Latest BlueNoroff Attack: A DNS Investigation

The latest BlueNorroff attack used a malicious Zoom extension in the guise of a Calendly meeting invite from a supposed contact sent via Telegram. Instead of a Google Meet page as the link hinted, however, users ended up on a threat actor-controlled fake Zoom domain. That triggered the download of a malicious AppleScript whose final payload was the malware, a keylogger.¹

The researchers identified four domains and three URLs as indicators of compromise (IoCs). We derived seven domains from the IoCs for further analysis. Our bid to uncover more potentially connected artifacts, led to the discovery of:

Rounding Up DNS Facts about Operation RoundPress

Additions made to the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog¹ on 9 June 2025 CVE-2025-32433² and CVE-2024-42009³ were reportedly abused by APT28 to hack government webmail servers⁴ in an operation dubbed “RoundPress.”

WhoisXML API expanded the list of 19 indicators of compromise (IoCs)⁵ ESET researchers identified related to Operation RoundPress to uncover more potentially connected artifacts. Our analysis led to the discovery of:

Baring the DNS Traces of the Slow Pisces Attack on Cryptocurrency Developers

Slow Pisces gained renown for stealing billions of dollars from the cryptocurrency sector in various countries since 2023. It is up to no good again as it recently trailed its sights on cryptocurrency developers, engaging with them on LinkedIn in their 2025 campaign.¹

Palo Alto Unit 42 reported on the attack and identified 54 indicators of compromise (IoCs) in the process. WhoisXML API expanded the current list of IoCs and uncovered other potentially connected artifacts comprising:

Uncovering the DNS Underbelly of UNC5174: The Shift from SNOWLIGHT to VShell

Chinese-sponsored group UNC5174, known for using the open-source reverse shell tool SUPERSHELL, struck again. At the start of 2025, they used a new open-source tool and command-and-control (C&C) infrastructure dubbed “SNOWLIGHT.” In this attack, they began using another tool dubbed “VShell.”

Sysdig disclosed their findings about UNC5174’s latest campaign, including 25 indicators of compromise (IoCs) comprising 13 domains and 12 IP addresses. WhoisXML API expanded the current list of IoCs, which led to the discovery of these new artifacts:

Down the DNS Funnel and into the Funnull Infrastructure

The Federal Bureau of Investigation (FBI) issued a FLASH report to disseminate indicators of compromise (IoCs) related to Funnull.¹ Threat actors used them to manage cryptocurrency investment fraud scams between October 2023 and April 2025. The report provided links to two lists.^{2, 3}

WhoisXML API analyzed the threat in two parts. First, we looked at the 277,779 domains using several of our tools, which allowed us to gather these findings:

Framing the AkiraBot Framework Under the DNS Lens

SentinelLABS recently discovered the AkiraBot framework that threat actors crafted to spam website chats and contact forms to users. All that to promote a low-quality search engine optimization (SEO) service since September 2024. The bot uses OpenAI to generate custom outreach messages matching the target sites’ purpose.¹

The researchers identified 34 domains as AkiraBot indicators of compromise (IoCs). WhoisXML API expanded the list through a DNS deep dive and, in the process, uncovered:

Shining the DNS Spotlight on Lumma Stealer

On 19 May 2025, the U.S. Department of Justice seized 114 domains connected to a major information-stealing campaign utilizing Lumma Stealer.¹ The Cybersecurity and Infrastructure Security Agency (CISA) published the list of indicators of compromise (IoCs) on the same date.²

WhoisXML API analyzed the IoCs in great depth to uncover more artifacts and other information. Take a look at a summary of our findings below.

A DNS Examination of the Phishing Campaign Targeting Japanese Brokerage Firms

Yahoo! News Japan reported about tons of cases of securities account hijacking in May 2025.¹ Cybercriminals were said to have sold stocks without their rightful owners’ permission. And between January and April 2025, more than 3,500 fraudulent transactions have already been recorded. Worse? Affected stock owners have already lost ¥300+ billion.

A report on the possible tool used to phish the stock owners identified seven domains as indicators of compromise (IoCs). We used this data, along with other information from various reports on similar phishing campaigns to identify more connected artifacts and other pertinent information.

A DNS Deep Dive into the LabHost PhaaS Infrastructure

The Federal Bureau of Investigation (FBI) warned the public about the LabHost phishing-as-a-service (PhaaS) campaign that threatened the security of users worldwide.¹ They published a massive list of related indicators of compromise (IoCs) that WhoisXML API analyzed in depth through a DNS deep dive.

The FBI identified 42,515 LabHost PhaaS campaign IoCs.² We analyzed 42,401 domains after excluding duplicates and non-domain entries. To these, we added 1,661 net new typosquatting domains akin to the IoCs on the FBI list. Our investigation of the joint list of 44,062 domains led to these findings and enrichments:

New MITRE ATT&CK Groups for 2025: A DNS Deep Dive

The MITRE Corporation typically updates its ATT&CK page by listing the new groups it monitors for malicious activity twice a year—generally in April and October. The latest Updates - April 2025¹ advisory listed seven new groups with corresponding lists of indicators of compromise (IoCs).

WhoisXML API dove deep into the seven groups’ DNS footprints and uncovered connected artifacts that have not yet been publicized. We specifically found:

Hunting for DNS Traces of Hundreds of Malicious Google Play Apps

Bitdefender uncovered a large-scale ad fraud campaign involving hundreds of malicious apps available for download in Google Play.¹ According to the researchers, the apps have been downloaded more than 60 million times. When installed, they displayed out-of-context ads and persuaded victims to give away their credentials and credit card information via phishing.

The security researchers identified 428 URLs as indicators of compromise (IoCs) that we extracted 197 unique domains from. Our expansion analysis of the 197 domains tagged as IoCs led to the discovery of:

Exploring the DNS Flipside of SideWinder

The SideWinder advanced persistent threat (APT) group, active since 2012 and known for targeting government, military, and business entities throughout Asia, primarily Pakistan, China, Nepal, and Afghanistan,¹ changed gears. They not only updated their toolset and created new infrastructure but also significantly increased attacks against maritime and logistics companies notably in Djibouti and Egypt and nuclear power plants in South Asia and Africa.

Researchers identified 35 domains as indicators of compromise (IoCs),² which we expanded to find more connected artifacts. We uncovered:

Unlocking the DNS Strongbox of BADBOX 2.0

BADBOX 2.0 has reportedly infected more than 1 million consumer devices as of March 2025. And the subsequent attacks (e.g., click fraud, account takeovers [ATOs], distributed denial-of-service [DDoS] attacks, etc.) that may ensue aided by the botnet may affect millions more.¹

WhoisXML API analyzed 109 indicators of compromise (IoCs) related to the threat and found more domains and IP addresses that could be part of the BADBOX 2.0 network. Our DNS deep dive led to the discovery of:

Tempering Tax Season Troubles with DNS Intel

Another year, another chance to take advantage of U.S. taxpayers paying their dues. Despite the fact that tax day—15 April 2025—has passed, WhoisXML API believes threat actors can continue to prey on potential victims who filed for extension up to 15 October 2025.²

Microsoft cybersecurity researchers identified 11 domains and one IP address as indicators of compromise (IoCs) related to ongoing tax-themed phishing campaigns.³ WhoisXML API expanded the current IoC list and uncovered potentially connected artifacts, namely:

Unearthing the DNS Roots of the Latest Lotus Blossom Attack

Lotus Blossom launched several cyber espionage campaigns targeting government, manufacturing, telecommunications, and media organizations using Sagerunex and other hacking tools.¹

Cisco Talos identified several indicators of compromise (IoCs), including 10 domains and 28 IP addresses, which WhoisXML API expanded through a DNS deep dive.² Our analysis led to the discovery of:

Rounding Up the DNS Traces of RA World Ransomware

Threat actors typically come in two types. They are either cybercriminals who are in it for profit or advanced persistent threat (APT) group members in it for ideology.

There are times, though, when actors get involved in both attack types. Case in point? Researchers recently reported that a threat actor who has been involved in installing backdoors in the systems of target government institutions instigated an RA World ransomware attack.¹ The actor used the same tools as those involved in China-linked espionage campaigns.

Decrypting the Inner DNS Workings of EncryptHub

Rising cybercriminal entity EncryptHub seems to have unknowingly exposed elements of its malicious enterprise. An Outpost24 investigation unveiled new aspects of the group’s infrastructure, tools, and behavioral patterns.

The security researchers were able to take a peek into the threat actors’ stealer logs, malware executables, PowerShell scripts, and Telegram bot configurations. These errors shed light on the group’s operations, including their attack chain and methodologies.¹

Outpost24 identified 20 indicators of compromise (IoCs) that WhoisXML API expanded through a DNS deep dive.

Tracing the DNS Footprints of REF7707

The REF7707 campaign actors recently targeted the foreign ministry of a South American country. According to a published report, the group has been connected to previous compromises in Southeast Asia.

The threat actors reportedly used three new malware—FINALDRAFT, GUIDLOADER, and PATHLOADER—for the attack. The study listed 13 indicators of compromise (IoCs) comprising eight domains and five IP addresses.¹

WhoisXML API expanded the current list of IoCs and uncovered connected artifacts, namely:

DNS Deep Diving into 2025’s Up and Coming Ransomware Families

Ransomware attacks are expected to continue plaguing individual users and organizations worldwide because they work. As of 2024, victims were asked to pay an average of US$2.5 million per incident.¹

A report named 10 of the most active ransomware families in 2024,² which WhoisXML API decided to further investigate. We obtained lists of indicators of compromise (IoCs) for RansomHub,³ LockBit 3.0,⁴ Play,⁵ Akira,⁶ Hunters,⁷ Medusa,⁸ BlackBasta,⁹ Qilin,¹⁰ BianLian,¹¹ and INC. Ransom¹² (aka Lynx).¹³

We expanded a list of 120 IoCs comprising 48 domains and 72 IP addresses to uncover connected artifacts and found:

Igniting a DNS Spark to Investigate the Inner Workings of SparkCat

A recent investigation led to the discovery of Android and iOS apps laced with a malicious software development kit (SDK) dubbed “SparkCat.” As a result, the apps stole victims’ crypto wallet recovery phrases. Based on the malware time stamps and configuration file creation dates found in GitLab repositories, SparkCat has been seemingly active since March 2024.

SecureList published five indicators of compromise (IoCs) related to SparkCat.¹ WhoisXML API dove deep into the threat’s DNS footprints and uncovered other artifacts comprising:

Malicious Ads Targeting Advertisers in the DNS Spotlight

Google and Microsoft are consistently among the most-phished brands. Case in point: Microsoft topped a recently published list¹, while Google ranked third.

A total of 97 domains were recently identified as indicators of compromise (IoCs) related to a new attack that targeted Microsoft advertisers. The threat actors used malicious Google ads to steal the login information of users of Microsoft’s advertising platform.²

A DNS Investigation of SEO Manipulation via Bad Seed BadIIS

Search engine optimization (SEO) manipulation campaigns are not necessarily new in the cybercrime world. Many attacks often target users of popular software and services.

A new report featured such a threat dubbed “BadIIS” that has been trailing its sights on Internet Information Services (IIS) users.¹ The campaign redirected victims from Asian countries to illegal gambling websites. The report identified 51 indicators of compromise (IoCs).²

Sneaking a Peek into the Inner DNS Workings of Sneaky 2FA

Phishing-as-a-service (PhaaS) offering Sneaky 2FA was recently used in an adversary-in-the-middle (AitM) attack targeting Microsoft 365 users. It reportedly used fake Microsoft authentication pages with automatically filled-in email address fields to add to its sense of authenticity to lure in victims.¹

Researchers analyzed the threat and identified at least 61 indicators of compromise (IoCs) comprising 57 domains, two IP addresses, and two subdomains.

Unloading MintsLoader IoCs Using DNS Intelligence

A sophisticated malware campaign leveraging MintsLoader is targeting critical infrastructure and legal firms across the U.S. and Europe. MintsLoader’s advanced techniques, including using a domain generation algorithm (DGA) to create new command-and-control (C&C) servers, make detection difficult.¹

Building on the 61 indicators of compromise (IoCs) related to the ongoing MintsLoader attack identified by threat researchers at eSentire², the WhoisXML API research team utilized our comprehensive DNS intelligence and uncovered additional artifacts comprising:

DNS Spotlight: Rockstar2FA Shuts Down, FlowerStorm Starts Up

It’s not unusual for threat actors to take over fellow criminals’ existing infrastructure after they have been abandoned. Think ZeuS, which its original operator allegedly sold to another actor who eventually turned it into SpyEye.¹

Rockstar2FA followed ZeuS’s fate it seems, as soon after its operators quieted down, FlowerStorm, which shared many of its features and functionality, took its place.²

Illuminating Lumma Stealer DNS Facts and Findings

Popular malware-as-a-service (MaaS) offering Lumma Stealer has been active since 2022. It has been employed, in fact, to target victims in Argentina, Colombia, the U.S., the Philippines, and several other countries worldwide.¹

In its latest campaign, the threat actors used fake CAPTCHAs to deliver the stealer. Cybersecurity researchers identified 34 indicators of compromise (IoCs) comprising 27 domains and seven subdomains in their in-depth analysis.²

The WhoisXML API research team dove deeper into the threat aided by our comprehensive DNS intelligence and uncovered potentially connected artifacts, namely:

DNS Deep Dive: Peeking into Back Doors to Abandoned but Live Backdoors

Backdoors allow threat actors to bypass a target organization’s normal authentication mechanisms.¹ Most of these malware steal sensitive information and send it to command-and-control (C&C) servers—domains under the attackers’ control.

Did you ever wonder what happens to domains that served as C&C servers? Many of them remain operational and can be accessed by other threat actors.²

Early Discovery and Prediction of Meduza Stealer IoCs with First Watch

Meduza Stealer – a stealer-class malware that is capable of exfiltrating a wide variety of data from the infected device and can infect servers – has been first discovered in June 2023 by the Uptycs research team. It has been gaining traction since then, with multiple versions released by its developer that remains pretty active on darknet forums and Telegram. It has since been analyzed by research teams from Splunk, Broadcom, and other organizations.

Meduza Stealer is distributed by their creators on a subscription model, so there are various threat actors running multiple campaigns that use Meduza Stealer as a payload.

DNS Insights on a Free Form Builder Service Phishing Campaign

Phishers can take advantage of any third-party service to infiltrate an organization’s network. They did just that to harvest victims’ credentials and take over their organizations’ Microsoft Azure cloud infrastructure by leveraging the HubSpot Free Form Builder service.¹

A total of 33 indicators of compromise (IoCs) related to the phishing campaign have already been identified. The WhoisXML API research team expanded the list of IoCs and uncovered:

The MOONSHINE Exploit Kit and the DarkNimbus Backdoor in the DNS Spotlight

While it may not be the first time the Earth Minotaur attackers used the MOONSHINE exploit kit to trail after targets, upping its capabilities with the addition of DarkNimbus delivery may be a novel tactic.¹

Fellow threat researchers already identified 53 indicators of compromise (IoCs) related to the latest Earth Minotaur attack.²

The WhoisXML API research team dove deep into the threat aided by our comprehensive DNS intelligence and uncovered additional artifacts comprising:

New Year, Old Threats: What Does the DNS Reveal about 2025?

A few days after the world welcomed 2025, news about advanced phishing campaigns leveraging generative AI surfaced.¹

The use of sophisticated attack methods is expected, and so is the continuous weaponization of domain names.

WhoisXML API investigated a sample of 1,000 2025 domains from First Watch Malicious Domains Data Feed and analyzed their DNS footprint. We uncovered:

More Signs of the more_eggs Backdoor Found in the DNS

Using resumes as a social engineering lure isn’t new. But they’re more often than not employed in run-of-the-mill phishing campaigns.

This time around, threat actor TA4557 utilized a weaponized resume to drop a backdoor called “more_eggs,” which leads to a persistent attack that results in credential theft.

The WhoisXML API research team obtained a published list of 17 more_eggs indicators of compromise (IoCs) and expanded it to identify more connected artifacts.¹ Our in-depth analysis found:

Peering into Midnight Blizzard’s DNS Footprint

While Midnight Blizzard is believed to have been active since 2008, its tactics continue to evolve to this day. The threat actor was recently observed leveraging signed Remote Desktop Protocol (RDP) configuration files to gain access to victims’ devices.

The target? Thousands of people connected to various organizations in the public, academia, and defense sectors.¹

The WhoisXML API research team expanded a list of 39 domains tagged as indicators of compromise (IoCs), 34 of which were extracted from subdomain IoCs. Our analysis led to the discovery of:

Tracking Down APT Group WIRTE’s DNS Movements

Many if not all advanced persistent threat (APT) groups continue to launch attacks long after they are first formed. One such group, WIRTE, for instance, has been active since at least August 2018.¹

The most recent WIRTE attack utilized custom loaders like IronWind to infiltrate target networks based in the Middle East, specifically the Palestinian Authority, Jordan, Egypt, and Saudi Arabia.²

Unraveling the DNS Connections of ToxicPanda

Banking Trojans like Zeus or ZBOT have been plaguing bank customers the world over since around 2007.¹ And the primary reason for their longevity and persistence to date is that they work.

While many banking Trojans focused on infecting computers, newer ones like ToxicPanda have been designed to affect Android devices.²

The WhoisXML API research team expanded a list of 21 domains tagged as ToxicPanda indicators of compromise (IoCs) and uncovered:

Silent Night, Deadly Sites: How Christmas Cyber Threats Lurk in the DNS

For many people, Christmas is a time for gift giving, shopping, and merrymaking. And more often than not, they opt to make their purchases and reservations online. That’s where trouble, unfortunately, typically begins.

Many online offers and deals, especially those at unbelievably affordable prices, are either scams or threat vectors.¹

WhoisXML API collated 22,923 christmas domains from First Watch Malicious Domains Data Feed on 26 November 2024 and analyzed their DNS footprint. We uncovered:

A DNS Deep Dive into New Crypto Threat “Hidden Risk”

The number of people who own cryptocurrencies the world over has reached more than 560 million people this year.¹ To cyber attackers, that could mean more than half a million potential victims, as crypto owners are often lured by fake news promising investment opportunities or market insights. The actors behind Hidden Risk appear to have targeted them with a malicious campaign that uses fake crypto news to distribute the RustBucket malware.

The WhoisXML API research team compiled 81 indicators of compromise (IoCs) from a published report and expanded it aided by DNS intelligence.²

A DNS Investigation of the GootLoader Campaign

It’s one thing for a piece of malware to steal victims’ data. It gets worse, though, when that malware paves the way for even more sinister actions like dropping a ransomware or allowing further compromise without getting detected. That’s the case for GootLoader.¹

Twelve domains have been tagged as GootLoader indicators of compromise (IoCs).² The WhoisXML API expanded this list to uncover other connected artifacts and found:

Uncovering Potential Black Friday and Thanksgiving Threats with DNS Data

Thanksgiving may be one of the most awaited holidays in the U.S. along with the day of the biggest sale—Black Friday—typically associated with it. Unfortunately, cybercriminals also lie in wait for unwitting people in search of the best promos and biggest discounts to visit their malware-laden web pages.

We obtained a sample of 2,324 domains containing the text strings blackfriday and thanksgiving from the First Watch Malicious Domains Data Feed and analyzed their DNS footprint.

The WhoisXML API research team’s in-depth DNS investigation led to the discovery of:

Exploring the SideWinder APT Group’s DNS Footprint

The SideWinder advanced persistent threat (APT) group, also known as “T-APT-04” or “RattleSnake,” has been around for more than a decade now. So it is not surprising for its network to have grown over the years. In fact, as many as 100 domains have been identified as SideWinder indicators of compromise (IoCs) as of 15 October 2024.¹

The WhoisXML API research team dove deep into the existing SideWinder network using DNS intelligence by expanding the current IoC list and found:

A DNS Deep Dive into FUNNULL’s Triad Nexus

If you have heard of the Polyfill supply chain attack, then you may already have an idea about what FUNULL is. It is said to have bought the domain polyfill[.]io, which was responsible for a massive attack that affected millions of websites in June 2024.¹

FUNULL, as it turns out, is not only behind the Polyfill supply chain attack but also several other malicious campaigns involving investment scams, fake trading app distribution, and suspect gambling networks, all clumped together in what security researchers have dubbed “Triad Nexus.”²

The WhoisXML API research team expanded a list of 63 Triad Nexus suspicious indicators and found tons of other potentially connected artifacts, namely:

A DNS Investigation into Mamba 2FA, the Latest AitM Phishing Player

Adversary-in-the-middle (AitM) phishing attacks have been growing in popularity, and it's not surprising.¹ As more companies adopt multifactor authentication (MFA) security measures, more threat actors are using this tactic. Why? AitM has the ability to bypass security measures like MFA.

WhoisXML API recently analyzed Mamba 2FA, the latest addition to the list of AitM phishing players.² In particular, we expanded a list of 58 indicators of compromise (IoCs) and uncovered:

New RomCom Variant Spotted: A Comparative and Expansion Analysis of IoCs

RomCom has once again evolved and been made stealthier as per its latest variant, Snipbot.

The new version was popularly used in attacks that led to data theft, while the previous variants were used to deliver ransomware. The victim pool included organizations across various sectors, including legal and IT services.¹

The WXA research team sought to compare the list of IoCs of the three latest versions—RomCom 3.0,² RomCom 4.0,³ and Snipbot.⁴ We also expanded the list of IoCs to uncover more potentially connected artifacts. Using WHOIS, IP, and DNS intelligence, our analysis led to the discovery of:

A DNS Investigation of the 32 Doppelganger Websites the U.S. Government Seized

Pretty much everything people need to accomplish these days, especially obtaining information, is doable online. So, is it really surprising how much fake news we can find on the Web?

The threat actors behind the Doppelganger campaign showed how much damage disinformation can sow, and what believing in it can result in. Fake news, for instance, can have real-life consequences like losing an election or long-term reputational damage.

Investigating the Proliferation of Deepfake Scams

Deepfakes can cause real harm. In February 2024, for example, an employee of a multinational company was tricked into handing US$25 million to a scammer who pretended to be their company’s CFO.¹

In light of this and similar attacks, security researchers have tried to shed more light into deepfake scams and the risks they pose. One report, in particular, unveiled 416 scam IoCs.²

The WhoisXML API research team investigated just how widespread deepfake scam infrastructures could be in the DNS through an IoC list expansion analysis. Our study uncovered potentially connected artifacts comprising:

Examining the DNS Underbelly of the Voldemort Campaign

The threat actors behind the malware that must not be named, also known as “Voldemort,” reportedly sent around 20,000 phishing emails that impacted at least 70 organizations worldwide.¹ Believed to be part of an advanced persistent group (APT), they used Voldemort distributed via weaponized Google Sheets files to infect the systems of target nations.

Nineteen indicators of compromise (IoCs) comprising 10 subdomains and nine IP addresses have already been identified, but more artifacts could be lurking in the DNS.²

Stripping Down the BlackSuit Ransomware Network Aided by DNS Data

Ransomware attacks are among the biggest threats organizations face, potentially costing them millions of dollars. One of the most recent campaigns involves the BlackSuit ransomware, a rebranded version of Royal ransomware. BlackSuit actors stole and exposed 1 million individuals’ full names, Social Security numbers (SSNs), birthdays, and insurance claim details.¹

In response, the Cybersecurity and Infrastructure Security Agency (CISA) updated its BlackSuit ransomware advisory, which now includes 91 indicators of compromise (IoCs) comprising 14 domain names, five subdomains, and 72 IP addresses.²

A DNS Deep Dive into the NetSupport RAT Campaign

NetSupport RAT,¹ the weaponized version of legitimate remote device administration tool NetSupport Manager, is no longer a newbie when it comes to cyber attacks. It was first used in November 2023 and then again in January 2024.

Security researchers have performed in-depth analyses on the tool, in the process identifying nine domain names as indicators of compromise (IoCs).²

Tracking the DNS Footprint of the Polyfill Supply Chain Attackers

Threat actors will always find a way to get into their targets’ networks, even if they have to go through indirect channels. Such was the story behind the Polyfill supply chain attack.

Users of the content delivery network (CDN) service worldwide ended up with compromised networks courtesy of a malicious JavaScript code the cyber attackers injected.

The Extended Reach of the Extension Trojan Campaign in the DNS

The Extension Trojan, which first surfaced in 2021, has made a troubling resurgence in a recent campaign, impacting over 300,000 users globally.¹

Researchers have identified 22 indicators of compromise (IoCs) related to the attack earlier this August. But more artifacts could remain in the DNS.

Inspecting Konfety’s Evil Twin Apps through the DNS Lens

Taking time out to duplicate mobile apps to create “evil twins” instead of just poisoning the versions available for download on marketplaces is a relatively novel infection tactic—one the threat actors behind Konfety used.¹ At least 250 mobile apps on Google Play alone have been affected so far and that could lead to ad fraud, unwanted browser extension installation, illicit web search monitoring, and sideloading malicious code onto devices.

Hunting for U.S. Presidential Election-Related Domain Threats in the DNS

The 2024 U.S. presidential elections is already a hotbed for tension, but more threats could be looming in the DNS in the form of cybersquatting domains. Often registered for profit, these domains could be exploited for far more sinister purposes.

Our research uncovered a staggering number of cyber resources linked to presidential candidates and election-related keywords. Our in-depth analysis revealed:

A Closer Look at the Meduza Stealer through a DNS Deep Dive

We have seen many data stealers siphon off confidential data from victims’ devices over the years.¹ And their perpetrators usually employed simple tactics like social engineering and phishing to install the malware on target systems. The Meduza Stealer may be the first stealer we analyzed that exploited a vulnerability.

An in-depth investigation of the Meduza Stealer unveiled 16 indicators of compromise (IoCs) comprising 13 domain names and three IP addresses earlier this month.²

On a DNS Threat Hunt for DISGOMOJI

There’s a first time for everything, they say. And guess what? That’s also true for cyber attacks. Or at least for the latest UTA0137 cyber espionage campaign targeting Indian organizations. It used DISGOMOJI, a malware coded in Golang and came in the guise of emojis.¹ 

A total of 24 indicators of compromise (IoCs) related to the DISGOMOJI-enabled attack comprising 19 domain names and five IP addresses have been made public so far.²

The Most Phished Brands of 2024 in the DNS Spotlight

Phishers will always go after products and services with the greatest number of users to get the biggest bang for their buck.

The 20 most phished brands of 2024¹ have been named, but nothing about the potentially connected threat artifacts have been revealed yet. The WhoisXML API sought to do just that.

Uncovering DNS Details on Operation Celestial Force

Operation Celestial Force is advanced persistent threat (APT) group Cosmic Leopard’s latest campaign targeting organizations primarily based in India.¹ The threat actors used an Android and Windows malware combination to steal confidential data from targets.

A report of an in-depth investigation of Operation Celestial Force identified 19 domains as indicators of compromise (IoCs), which the WhoisXML API research team expanded to uncover other potentially connected artifacts.

On the Hunt for Remnants of the Samourai Wallet Crypto Mixing Services in the DNS

The founders of the cryptocurrency mixing services company Samourai Wallet, Keonne Rodriguez and William Lonergan Hill, were sentenced in April 2024. They are currently serving time for executing more than US$2 billion in unlawful transactions and laundering more than US$100 million in criminal proceeds.¹

The Samourai Wallet website was taken down and its mobile offerings taken off Google Play Store. Despite these efforts, though, do remnants of the crypto mixing services remain in the DNS?

The WhoisXML API research team sought to find out by expanding a list of three domains identified as indicators of compromise (IoCs). Our investigation uncovered:

A Peek at the V3B Phishing Kit Attack via the DNS Lens

Phishing is already a top global threat. So it doesn’t help the cybersecurity community and law enforcement agencies that even cybercrime newbies can now launch attacks aided by phishing kits.

That is, unfortunately, the case with a malicious campaign aided by the V3B Phishing Kit that has been targeting European banking customers.¹

The WhoisXML API research team expanded a list of 28 domains tagged as IoCs for a V3B Phishing Kit-enabled attack and found:

Tracking Down Fake Cryptocurrency Sellers Using DNS Intelligence

The cryptocurrency market has grown over the years. In fact, the market capitalization peaked at US$3 trillion in November 2021, experiencing subsequent ups and downs before reaching US$2.58 trillion in March 2024.¹ And while this trend is good, it may also spell bad news—more threat actors are bound to initiate crypto-centered scams.

The WhoisXML API research team was recently alerted to fake cryptocurrency-selling campaigns. We analyzed 130 domains believed to belong to fake crypto sellers. Our IoC expansion analysis found more than 2,700 potentially connected artifacts comprising:

Following the DNS Trail of APT Group Newbie Unfading Sea Haze

New advanced persistent threat (APT) group Unfading Sea Haze, possibly advocating Chinese interests in the South China Sea, recently reared its head in May 2024.¹ A total of 34 indicators of compromise (IoCs) related to the Unfading Sea Haze attack was made public.

The WhoisXML API research team sought to follow the APT group’s digital breadcrumbs in the DNS to identify more connected artifacts. Our IoC list expansion analysis uncovered:

On the DNS Trail of the Foxit PDF Bug Exploitation Attackers

We have seen attackers exploit vulnerabilities in PDF reader Adobe Acrobat in the past. But we rarely hear about threat actors setting their sights on its lesser-known competitor Foxit PDF Reader, that is, until May 2024.¹

A total of nine indicators of compromise (IoCs)—eight domain names and one IP address—have been made public on LevelBlue Labs.² Could there be other potentially connected artifacts?

Profiling a Popular DDoS Booter Service’s Ecosystem

DDoS booter services have made launching attacks easier for cybercriminals, adding to the daily threats that individuals and organizations face. However, users of these tools inevitably leave online tracks, particularly in the DNS.

Building on a list of 644 IoCs uncovered by WhoisXML API threat researcher Dancho Danchev, our research team found more than 2,000 potential artifacts comprising:

A DNS Investigation of the Phobos Ransomware 8Base Attack

Phobos ransomware, distributed via the ransomware-as-a-service (RaaS) business model, reemerged in connection to an 8Base attack.¹

A total of 63 indicators of compromise (IoCs) comprising 46 domains and 17 IP addresses have been made public on 5 March 2024. The WhoisXML API research team sought to find out more about the 8Base Phobos ransomware campaign aided by our comprehensive DNS intelligence.

A DNS Deep Dive into Web Hosting Service Provider AWT

WhoisXML API threat researcher Dancho Danchev recently uncovered a dubious web hosting service provider—Advanced Web Tech (AWT), along with pertinent information about its owner and 14 domains that he has dubbed as indicators of compromise (IoCs).

The WhoisXML API research team expanded Danchev’s investigation by looking more closely at the IoCs and his other findings and found other potentially connected artifacts, including:

A DNS Investigation of the Typhoon 2FA Phishing Kit

Phishing-as-a-service (PhaaS) and similar offerings have made cybercrime accessible to anyone willing to risk incarceration in exchange for quick-and-easy money. And the creators of Typhoon 2FA, a phishing kit said to be able to bypass two-factor authentication (2FA) on Microsoft 365 and Google accounts are taking advantage of that fact.¹

A total of 103 Typhoon 2FA indicators of compromise (IoCs) have been identified to date.² We found more possibly connected artifacts using our comprehensive DNS intelligence sources, including:

Stately Taurus APT Group Targets Asian Countries: What Do the Campaign IoCs Reveal?

Stately Taurus, an APT group active since 2012, was recently seen targeting ASEAN countries, particularly Japan, Myanmar, the Philippines, and Singapore.

Building on lists of 30 IoCs,^{1, 2} WhoisXML API researchers found more than 130 connected artifacts comprising:

Examining a U.S. Tax Scammer's Web Infrastructure through the DNS Lens

As 15 April 2024, the deadline for filing taxes in the U.S., draws near, it is not surprising that scammers have come out of their hiding holes once again. One particular U.S. tax scammer, in fact, has been reportedly going after small businesses and self-employed individuals.¹

Three domains have been identified as indicators of compromise (IoCs) for the threat. We expanded that list to identify other web properties that could be part of the threat actor’s attack infrastructure and uncovered:

Hunting for TimbreStealer Malware Artifacts in the DNS

Yet another information-stealing malware TimbreStealer has been discovered. Threat actors were seen distributing it to target victims in Mexico using finance-themed phishing lures.

Building on the list of 152 IoCs,¹ WhoisXML API researchers found more than 19,000 potential artifacts comprising:

Uncovering Suspicious Download Pages Linked to App Installer Abuse

Several financially motivated threat actors were seen abusing Microsoft’s App Installer, likely in an effort to distribute ransomware.

Building on the list of domains and subdomains tagged as IoCs,¹ WhoisXML API researchers found more than 1,100 potential artifacts comprising:

Checking Out the DNS for More Signs of ResumeLooters

The threat actors behind ResumeLooters¹ may have found another way to siphon off personally identifiable information (PII), that is, by stealing their victims’ CVs.

Security researchers reported about the ResumeLooters campaign in early February 2024. They identified 15 indicators of compromise (IoCs), specifically seven domain names, three subdomains, and five IP addresses as part of their analysis.

The WhoisXML API research team sought to uncover more artifacts possibly related to ResumeLooters aided by in-house DNS intelligence and found:

On the DNS Trail of the Rise of macOS Backdoors

The number of malware, including backdoors, specifically targeting macOS rose by more than 50% from 2022 to 2023.¹ We analyzed two of them—RustDoor and KandyKorn.

The first backdoor, RustDoor,² was said to have ties to a Windows ransomware operator while the second, KandyKorn,³ stole data from affected users. We sought to find out how widespread their digital footprints were in the DNS through IoC expansion analyses.

Searching for Potential Propaganda Vehicle Presence in the DNS

PAPERWALL, an ongoing propaganda campaign targeting 30 countries in Europe, Asia, and Latin America, recently caught the attention of several threat research firms.¹ And that is not surprising since spreading propaganda has become a popular means to influence the way people, including powerful political and economic figures, make national or even international decisions.

We analyzed 132 PAPERWALL indicators of compromise (IoCs) to uncover other potentially connected artifacts and found:

Following the VexTrio DNS Trail

A huge part of the cybersecurity community has heard much about the ClearFake and SocGholish operators and their work. But not much has been revealed about their traffic distribution system (TDS) provider, VexTrio.

An in-depth study of VexTrio identified 16 domains and seven subdomains as indicators of compromise (IoCs). It also mentioned the threat actors targeting TikTok and URL shortening services TinyURL, t.co, and is.gd.¹

Tracing Ivanti Zero-Day Exploitation IoCs in the DNS

Vulnerabilities in Ivanti Connect Secure VPN and Policy Secure were recently exploited by UNC5221 and potentially other threat actors.

As Ivanti continues to deploy patches, keeping an eye out on the digital infrastructure used in the high-impact exploitation is critical. WhoisXML API researchers found hundreds of threat artifacts after analyzing and expanding a list of 20 IoCs.¹ Tapping into DNS intelligence led to the discovery of:

DNS Investigation: Is xDedic Truly Done for After Its Takedown?

At the height of xDedic’s popularity in 2016, it was said to have provided cybercriminals access to 85,000 hacked web servers.¹ In early 2019, however, law enforcement agents from all over the world teamed up and took the cybercrime-as-a-service (CaaS) marketplace down. Are all of its traces gone from the DNS?

DNS Deep Diving into Pig Butchering Scams

Ever heard of a cybercrime newbie pig butchering scam? For the less initiated, pig butchering occurs when attackers get you to invest in seemingly legitimate ventures or assets but are actually just after stealing your money.

Eight indicators of compromise (IoCs) related to pig butchering scams were recently publicized.¹ We used them as jump-off points to uncover unidentified potentially connected artifacts that include:

The New RisePro Version in the DNS Spotlight

RisePro has managed to infect hundreds of thousands of devices since its launch in 2022. A new variant capable of not just data theft but also remote control has made the headlines recently.¹

Ten indicators of compromise (IoCs) related to the latest RisePro variant have been made public in November 2023.² The WhoisXML API research team expanded the IoC list to uncover hundreds of connected artifacts, including:

Tracking Down Sea Turtle IoCs in the DNS Ocean

The Sea Turtle cyber espionage group recently made waves after launching an attack on a new target country.¹ They were also observed using more evasive techniques.

Still, it turns out that Sea Turtle artifacts aren’t endangered. WhoisXML API researchers found hundreds after analyzing and expanding 37 IoCs.² Leveraging DNS intelligence, we uncovered:

Uncloaking the Underbelly of JinxLoader

Loaders that are readily available in underground markets make it easy for cybercriminals, even newbies, to launch successful attacks. One such tool that has been gaining infamy—JinxLoader—has become available in hacker forums.¹ 

Nineteen JinxLoader indicators of compromise (IoCs) have been made public in November 2023, which we at WhoisXML API queried on various DNS tools to identify all potential infection vectors.

Examining the Mirai.TBOT IoCs under the DNS Microscope

Mirai possibly remains the world’s largest botnet to date. In 2016, it managed to disrupt the operations of OVH SAS, Dyn, and Krebs on Security.¹ After that massive hit, the botnet bowed out of the spotlight for a while. It has, however, now resurfaced with improved capabilities, including the ability to exploit zero-days.

Exploring Epsilon Stealer Traces Aided by DNS Intel

The Epsilon Stealer has been making online game-playing a destructive hobby for players the world over. It has also been putting the targeted games’ creators potential revenue and reputation at great risk.

WhoisXML API threat research team extracted a list of 76 domains from the 133 indicators of compromise (IoCs) identified by security researchers¹ and expanded it in a bid to uncover as many connected artifacts as possible. Our DNS deep dive into Epsilon led to the discovery of:

A Peek at the PikaBot Infrastructure

Malvertising seems to be making a huge comeback. PikaBot, which started gaining renown in early 2023, has been found using malicious search ads as a distribution means.¹

Security researchers have conducted an in-depth analysis of the threat and published 11 indicators of compromise (IoCs)—two domains and nine IP addresses—in the process, which the WhoisXML API research team expanded to find hundreds of potentially connected artifacts, namely:

Investigating the UNC2975 Malvertising Campaign Infrastructure

The threat actors behind the UNC2975 malvertising campaign have been distributing two backdoors—DANABOT or DARKGATE—to unwitting users’ computers. Those who happen to click poisoned search engine results and social media posts may end up losing their data or worse.¹

Kimsuky: DNS Intel Gathering

Kimsuky, an advanced persistent threat (APT) group believed to be active since 2013, recently launched another campaign. Instead of their usual tactic of using malware-laden Hangul Word Processor (HWP) or Microsoft Word spear-phishing email attachments, they shifted to weaponizing compressed files or embedding malicious links instead.¹

Unveiling Stealthy WailingCrab Aided by DNS Intelligence

WailingCrab, a piece of malware reportedly abusing the Internet of Things (IoT) messaging protocol MQTT, gained notoriety for its stealth. IBM X-Force security researchers recently published an in-depth analysis of the malware.¹

A Peek Under the Hood of the Atomic Stealer Infrastructure

Atomic Stealer, also known as “AMOS,” has been wreaking havoc among Mac users yet again. This time, however, instead of taking the guise of fake applications, it now comes disguised as rogue browser updates. Worse? Its operators have compromised several sites to widen their distribution base.¹

Security researchers published seven Atomic Stealer indicators of compromise (IoCs) comprising six domains and one IP address. The WhoisXML API research team expanded this list to uncover unreported potentially connected artifacts aided by comprehensive DNS intelligence.

A Fake ID Marketplace under the DNS Lens

Fake IDs have become a commodity for those who wish to travel or migrate to another country but do not necessarily have the necessary legal documents to do so. That is probably the reason for the growth in volume of fake ID marketplaces.

Behind the Genesis Market Infrastructure: An In-Depth DNS Analysis

The Federal Bureau of Investigation (FBI) and other law enforcement agencies shut down Genesis Market, a darknet market for cybercriminal attack tools, in April 2023.¹ Apart from seizing the operators’ infrastructure, more than a hundred people were nabbed for taking part in the malicious operation. Does that spell the end for the black market?

Rogue Bulletproof Hosts May Still Be Alive and Kicking as DNS Intel Shows

Today’s more advanced cybersecurity solutions and measures have pushed cybercriminals and other threat actors to go deeper underground. Hence the rise in their use of bulletproof hosting services.¹

WhoisXML API threat researcher Dancho Danchev recently amassed 308 domains that could belong to rogue bulletproof hosting service providers. Our research team sought to uncover unidentified potentially connected artifacts in an effort to make the Internet safer and more transparent aided by our comprehensive DNS intelligence.

Carding, Still in Full Swing as DNS Intel Shows

Carding has been around since the 1980s. But unlike in the past when only the most tech-savvy cybercriminals could launch attacks, even newbies today can. How? By learning all they can from carding forums and getting the tools they need from fellow carders.

A DNS Deep Dive into BreachForums Domains

BreachForums, a forum for English-speaking black hat hackers, was taken down by the Federal Bureau of Investigation (FBI) on 21 March 2023.¹ That happened shortly after its owner Conor Brian Fitzpatrick was arrested.

Tracing BlackNet RAT’s History through a DNS Deep Dive

BlackNet RAT has been plaguing users the world over since at least 2020. Back then, it came bundled with emails supposedly promoting a drug that could protect against COVID-19 infections.¹

You would think that after the pandemic has passed, the malware would disappear, too. But it hasn’t. In fact, BlackNet RAT’s operators have moved on to far bigger things. Their existing botnet, in fact, remained a top threat in the first quarter of this year.²

Phishing Group Found Abusing .top Domains

WhoisXML API threat researcher Dancho Danchev recently discovered a phishing operation seemingly amassing .top domains for their malicious cause. He collated 89 email addresses that he has dubbed indicators of compromise (IoCs) so far.

To uncover as many potentially connected artifacts as possible, the WhoisXML API research team scoured the DNS for domains and IP addresses the threat actors could weaponize for future attacks if they haven’t already and found:

Fishing for QR Code Phishing Traces in the DNS

QR code phishing has reportedly been on the rise. And that isn’t surprising given that almost everyone today can’t live without their mobile phones. In fact, a study cited that 86% of the entire global population use their smartphones to browse the Internet, settle bills online, and even pay for purchases in brick-and-mortar establishments.¹

APT29 Goes from Targeted Attacks to Phishing via NOBELIUM: A DNS Deep Dive

Who knew that targeted attack groups like APT29 could also dip into cybercriminal activities.¹ The advanced persistent threat (APT) group was seen launching phishing campaigns through NOBELIUM to target Microsoft cloud services.²

Forty-eight NOBELIUM indicators of compromise (IoCs)—41 domains and seven IP addresses—were made public to date.³ To uncover unidentified artifacts in an effort to make the Internet safer and more transparent, we at WhoisXML API dove deep into the threat aided by our comprehensive DNS intelligence.

Catching Messenger Phishing Footprints Using a DNS Net

A new phishing campaign dubbed “MrTonyScam”¹ is currently targeting Facebook business accounts aided by password-stealing malware. The attackers were seen using a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages.

Rhysida, Not Novel but Still Dangerous: DNS Revelations

Rhysida is a new ransomware that has been reportedly plaguing users since August 2023. An in-depth analysis of the malware revealed that while it doesn’t have any new or very advanced features, it remains just as effective when it comes to holding victims’ data hostage.¹

While Rhysida was last seen trailing its sights on healthcare and other government organizations in the U.S., its operators have also gone after the Chilean army.

The Makings of ADHUBLLKA According to the DNS

ADHUBLLKA has been said to have ties to at least three malware—ransomware CryptoLocker, remote access Trojan (RAT) LimeRAT, and another ransomware GlobeImposter.¹ Its operators may have incorporated the various parts of the three malware into their creation.

Forty-seven ADHUBLLKA indicators of compromise (IoCs)—11 domains,² 32 email addresses, and four email addresses—have been published so far. Our latest foray into the DNS led to additional artifacts. Here’s a summary of our findings.

Probing the DNS for Signs of XLoader Abuse

XLoader may have been trying to set its sights on macOS users since 2021, but back then, it only successfully targeted those who opted to install Java.

It’s back, though. This time, XLoader’s new variant can infect macOS devices should its user happen to download a rogue OfficeNote package.¹

DNS Abuse and Redirection: Enough for a New JS Malware to Hide Behind?

A JavaScript (JS) malware sporting the same tactic as Decoy Dog’s¹—redirection via Google Public DNS abuse—has been plaguing site owners by leading their unwitting visitors to tech support scam websites.²

Traffic redirection via DNS abuse to hide traces of malicious activity seems to be gaining ground as a common cybercriminal tactic. Sucuri has, in fact, identified 35 indicators of compromise (IoCs) comprising 30 domains and five IP addresses related to the latest threat.

Searching for Smishing Triad DNS Traces

The Smishing Triad struck again, but this time, they’re trailing their sights on users in the U.S.¹

The threat group is proving that phishing can take on many forms. While most attackers typically target vulnerable users on their computers, Smishing Triad has extended their reach to devices we can’t live without—our mobile phones.

From URSNIF IoCs to Software Spoofing: Using DNS Intel to Connect the Dots

The URSNIF banking Trojan has consistently evolved throughout the years, threatening financial organizations with data theft. It was recently seen being used by TA544 to target Italian banks.

More than 40 IP addresses and domains were publicly listed^{1, 2, 3, 4} as URSNIF indicators of compromise (IoCs). WhoisXML API researchers subjected them to a DNS intelligence analysis to uncover more connected artifacts, including:

Thawing IcedID Out through a DNS Analysis

The current threat landscape continuously proves that the theory of evolution also applies to malware. The latest proof? IcedID, which went from being a run-of-the-mill banking trojan to a ransomware dropper.

More than 50 IP addresses and domains were publicly listed^{1, 2, 3, 4} as IcedID indicators of compromise (IoCs). WhoisXML API researchers subjected them to a DNS intelligence analysis to uncover more connected artifacts, including:

Examining WoofLocker under the DNS Lens

As far as scams go, WoofLocker has probably proven that staying in the game is possible with continuous improvement. The latest trick up its sleeve? The addition of traffic direction to ongoing schemes.¹

AlienVault OTX compiled 784 indicators of compromise (IoCs) over the course of WoofLocker’s eight years of operation.² Apart from identifying unreported connected artifacts, we at WhoisXML API also sought to determine if the threat actors employed various providers, maintained a well-dispersed infrastructure, and compromised sites other than those hosting adult content.

Decoy Dog, Too Sly to Leave DNS Traces?

Decoy Dog has gained renown for its ability to abuse the DNS to evade detection and consequent removal. Is it too sly, though, to leave even the tiniest traces behind?

Infoblox identified 23 Decoy Dog indicators of compromise (IoCs) comprising 11 domains and 12 IP addresses in an in-depth analysis report they published in April 2023.¹

Will Redis Remain on Threat Actors’ Radar?

The Mushtik Gang was the first threat group that took advantage of the Redis Lua Sandbox Escape and Remote Code Execution Vulnerability, also known as “CVE-2022-0543,” in March 2022.¹ Since then, many attackers² have exploited the bug to get to their intended targets.

P2PInfect, a self-replicating peer-to-peer (P2P) worm, is just the latest tool a threat group used. Seven indicators of compromise (IoCs) have been made public in July.³

To uncover yet-unidentified Redis attack-connected artifacts, WhoisXML API expanded the list of published IoCs aided by exhaustive DNS intelligence.

Finding WyrmSpy and DragonEgg Ties to APT41 in the DNS

It’s not unusual for threat groups to survive and even continue to thrive despite the capture and incarceration of some of their members, sometimes even leaders. APT41 can be considered proof of that.¹ 

Lookout researchers believe that APT41, responsible for tons of targeted attacks since at least 2012,² was recently spotted distributing two mobile spyware—WyrmSpy and DragonEgg—to further their cyber espionage activities. A total of 12 IoCs—five for WyrmSpy and seven for DragonEgg—have been made public and attributed to the APT group.

WhoisXML API sought to determine ties between APT41 and WyrmSpy and DragonEgg aided by comprehensive DNS intelligence. We also identified other artifacts that could be connected to the recently discovered mobile spying campaigns, including:

DNS Insights behind the JumpCloud Supply Chain Attack

Cybersecurity has become a must to every organization given the proliferation of attacks. It’s quite ironic then when even the solutions we use to protect our systems and identities get exploited.

Researchers recently uncovered supply chain attacks targeting identity access management (IAM) platform JumpCloud.¹ A total of 32 IoCs related to the threat have been identified.

To make the Internet safer and more transparent, WhoisXML API took a closer look at the JumpCloud supply chain attack IoCs via a DNS deep dive and identified more artifacts, namely:

AI Tool Popularity: An Opportunity for Launching Malicious Campaigns?

A Cybersecurity Collaboration between WhoisXML API and Bayse Intelligence.

An increasing number of organizations are reaping the benefits that AI tools offer. Despite improving employee productivity, however, 78% of users are afraid that threat actors could exploit the solutions to defraud them.¹ The widening range of attacks targeting tools like ChatGPT² and Grammarly,³ unfortunately, isn’t assuaging their fears. 

To help out, WhoisXML API and Bayse Intelligence teamed up to identify web properties that attackers could have already used, are currently using, or may weaponize in the future to target eight of 2023’s best AI productivity tools.⁴

Our collaborative effort led to these findings:

Signs of MuddyWater Developments Found in the DNS

MuddyWater has been launching politically motivated targeted attacks since 2012. Despite its age, though, the threat actors aren’t showing any sign of retiring anytime soon.

Reports say MuddyWater recently updated its C&C framework with PhonyC2’s launch¹ in an attempt to better control their hold on target networks. That’s not all, they also partnered with DEV-1084² in hopes of keeping their APT involvement a secret from intended victims.

Deep Instinct named 39 PhonyC2 IoCs in their analysis. Microsoft, meanwhile, published 14 IoCs related to the MuddyWater-DEV-1084 partnership.

To uncover yet-unidentified connected artifacts, WhoisXML API researchers dove deeper into the threats aided by our comprehensive DNS intelligence and found:

DNS Revelations on Eevilcorp

They say, “Art imitates life,” but the opposite can also be true when it comes to cybercrime. And no threat group could be a better example than Eevilcorp¹—a real-life counterpart of the “Mr. Robot” antagonist E Corp.

Nine domains have been publicized as Eevilcorp attack IoCs. To uncover more connected artifacts, the WhoisXML API research team dove deep into the threat aided by comprehensive DNS intelligence. Our in-depth analysis revealed:

A DNS Deep Dive into Malware Crypting

These days, it has become common practice for threat actors to employ malware crypting to better evade detection and consequent blocking. And that has made AceCryptor a must-have, it seems, for cyber attackers.¹

The ubiquity of malware crypting has also sparked a clamor among several cybersecurity community members to push for a clampdown on the service.²

To uncover yet-unidentified more connected artifacts in our bid to make the Internet safer, WhoisXML API expanded lists of IoCs connected to malware crypting services in general³ and AceCryptor⁴ aided by our extensive DNS intelligence.

Our in-depth analysis led to the discovery of:

BlackCat Hacks Reddit Again, Take a Look at What the DNS Revealed

The BlackCat ransomware gang first trailed their sights on Reddit last February.¹ They were able to steal user data by phishing an employee. They weren’t done, though, as they again hacked the sharing platform’s network, managing to lock employees out of their systems and threatening to leak the stolen data should the company fail to pay the ransom.

A total of 13 IP addresses were identified as indicators of compromise (IoCs) related to the ransomware.²

To uncover yet-unidentified connected artifacts as part of our ultimate goal—to make the Internet safer and more transparent—WhoisXML API trooped to the DNS and found:

MOVEit Exploit-CLOP Ransomware Threat Vector Identification Aided by DNS Intelligence

Several threat actor groups have joined in on exploiting the zero-day MOVEit vulnerability to launch their own brands of mayhem—and the CLOP ransomware group is just one of them.¹ The MOVEit vulnerability gave the CLOP ransomware operators access to connected databases, enabling them to infer information about their structure and content.

A total of 139 indicators of compromise (IoCs) related to the MOVEit-enabled CLOP ransomware attacks have been made public since the start of June.

To uncover yet-unidentified more connected artifacts, we at WhoisXML API dove deep into the threat aided by our comprehensive DNS intelligence.

Our in-depth analysis found that:

Alleviating the Risks .zip and Similar Domain Extensions Could Pose via DNS Intelligence

Google’s announcement of the ngTLD .zip’s launch last month was met by a lot of debate. Many believe threat actors could abuse it for phishing and other malicious campaigns since it could be easily confused with the .zip file name extension.¹ They weren’t wrong to be concerned since their fear has already come to fruition.²

To help organizations avoid the potential perils that the .zip and similarly confusing ngTLD extensions (i.e., .app, .cab, .cam, .mobi, .mov, .pub, .rip, and .win) may pose, the WhoisXML API research team scoured the DNS for such domains created between 1 January and 31 May 2023 to see if any of them should be avoided. We uncovered:

Scanning for LockBit Ransomware DNS Traces

Named as one of the most effective and undoubtedly most prolific currently active ransomware groups today, LockBit topped ReliaQuest’s latest ransomware quarterly list for the first three months of 2023.¹

Initially distributed with SocGholish’s help,² the LockBit ransomware operators have since changed tactics—spreading the threat via the RaaS model instead. Find out what else we discovered from our expansion analysis of the 198 published IoCs,³ apart from the following:

DNS Snooping on Apple iOS 14 Zero-Click Spyware KingsPawn

The NSO Group’s Pegasus malware blazed the trail for what we know now as zero-click spyware targeting mobile OSs, including Apple's iOS, for government use last year. They made such a splash that just last April, new spyware market player QuaDream released what we could consider Pegasus’s relative—KingsPawn.

Meanwhile, Microsoft published an in-depth study of KingsPawn where they named 64 domains as indicators of compromise (IoCs). 

We scoured the DNS for other potentially KingsPawn-related artifacts and found:

When Marketing Vendors Get Attacked, Clients Suffer: Third-Party Risk Discovery in the DNS

Security incidents that start out in a third party can be detrimental to a connected organization. FortifyData recently listed some of the year’s top third-party data breaches,¹ highlighting the threat’s commonality and scale.

WhoisXML API zoomed in on one of the incidents on the list—the AT&T data breach, where 9 million accounts² were exposed after their marketing vendor suffered an incident. Some of our key findings are:

Scouring the DNS for Traces of Bumblebee SEO Poisoning

Not all online ads are created equal. Some could be more than just bothersome. They could be malware in disguise. Such was Bumblebee’s case, which posed as a software installer in poisoned ads.¹ 

Secureworks publicized 31 IoCs for the Bumblebee SEO poisoning attack in an in-depth analysis report. The WhoisXML API research team trooped to the DNS to find all potential threat vectors via an IoC expansion analysis and found:

A DNS Deep Dive: That VPN Service May Be OpcJacker in Disguise

Threat actors will always use the most widely used applications to make headway in their malware campaigns, even software or services meant to enhance online security. OpcJacker is doing just that—posing as a VPN software installer when it’s actually a data-stealing malware.¹

Our OpcJacker IoC list² expansion analysis includes:

Searching for Nevada Ransomware Digital Crumbs in the DNS

According to Resecurity researchers, threat actors are currently spreading Nevada ransomware in the Dark Web via the ransomware-as-a-service (RaaS) model.¹ The malware underwent several upgrades in January 2023 alone and has been plaguing both Windows and Linux computer users today.

Using a list of indicators of compromise (IoCs) from AlienVault OTX² as jump-off points, WhoisXML API searched for Nevada ransomware digital crumbs in the DNS.

Our deep dive into the threat revealed:

How the SVB and Credit Suisse Crash Was Reflected in the DNS

Domain registrations and subdomain additions often tend to be linked to noteworthy events, such as the recent collapses of the Silicon Valley Bank (SVB), Credit Suisse, Silvergate Capital Corp., Signature Bank, and the First Republic Bank.^{1, 2}

Just as threat actors found ways to weaponize pandemic-related domains and subdomains, they could do the same with bank collapse-connected web properties. Our recent foray into the DNS in search of trends helped us to obtain:

Dissecting 1M+ Malicious Domains Under the DNS Lens

As domain names continue to serve as threat actors’ primary initial access vehicles, WhoisXML API researchers analyzed over 1 million malicious domains listed by Threat Intelligence Data Feed (TIDF) on 13 April 2023. Through our analysis, we:

Discovering Potential BEC Scam Vehicles through the DNS

Victims the world over lose billions to business email compromise (BEC) scammers each year.¹ And according to FBI IC3, the threat won’t slow down anytime soon.

WhoisXML API researchers expanded seven indicators of compromise (IoCs) connected to a BEC scam targeting executives discovered just this February² and found:

Looking for Traces of Social Media-Based Celebrity Scams in the DNS

Fake or compromised celebrity profiles on social media are often used to entice their followers to click malicious links. A recently discovered cryptocurrency scam utilizing that technique was featured in Infoblox’s Q4 2022: Cyber Threat Report.¹

Fake endorsements from politicians and other celebrities convincing users to avail of nonexistent Meta coins, supposedly part of the Metaverse, were seen targeting users based in EU countries.

The Infoblox report revealed five IoCs, which we then expanded, allowing us to uncover:

Detecting Possible Fraud Vehicles Specific to Latin America and the Caribbean

Fraud is a global problem, but some subtrends could be unique to a specific country or region. For one, Accertify identified airline and digital wallet fraud as some of the fraud types proliferating in Latin America and the Caribbean (LAC).¹

WhoisXML API researchers decided to investigate how these LAC fraud subtrends looked like in the DNS and discovered:

Drawing the Line between SYS01 and Ducktail through DNS Traces

Morphisec recently discovered SYS01 Stealer,¹ a threat that shared Ducktail’s² penchant for going after Facebook business owners and advertisers. Apart from their shared targets and tactics, though, the malware had varying payloads.

The WhoisXML API team sought to determine what DNS-based commonalities SYS01 and Ducktail shared, if any, through an expansion analysis of 10 SYS01 domains identified as indicators of compromise (IoCs) that found:

Black Basta Ransomware DNS Investigation Led to OneNote and Courier Impersonation

Black Basta has become alarming as a ransomware group that uses double extortion and can turn off endpoint detection and response (EDR) solutions.

Security teams and companies are putting much weight into detecting Black Basta ransomware, including ExtraHop¹ which released a detailed demonstration on how to detect the ransomware. For our part, WhoisXML API researchers investigated IoCs^2,3 related to the threat, where we collected WHOIS- and DNS-related contextual information. Among our key findings are:

2023 Update—How Are the Most-Spoofed Brands Represented in the DNS?

The ongoing fight against phishing has become a tug of war. As attempts to make the threat more elusive increase, cybersecurity solutions also become more robust.

SlashNext alone detected 255 million phishing attempts within six months in 2022, allowing them to name the most-impersonated global brands in The State of Phishing Report 2022.¹

WhoisXML API researchers built on this list to enable threat detection, attribution, and expansion. Among our key findings are:

Probing Lorec53 Phishing through the DNS Microscope

Lorec53 is an APT group that actively targeted government institutions in Eastern European countries in 2021. NSFocus conducted an in-depth study on them that revealed they utilized various phishing campaigns to infiltrate target systems and exfiltrate the data they needed.¹

NSFocus shared 21 indicators of compromise (IoCs) they compiled via AlienVault OTX,² which we used to conduct an expansion analysis to identify digital bread crumbs they may have left behind. Our deep dive revealed:

Is Your Intranet Vulnerable to Attacks? Investigating Intranet Impersonation in the DNS

A recent Reddit security incident¹ highlighted how intranet gateways can widen an organization’s attack surface. In connection with that, WhoisXML API researchers investigated intranet domain impersonation and found:

Shining the WHOIS and DNS Spotlight on International Fraud

Millions of users have fallen for online scams at least once—the primary reason why fraudsters haven’t stopped devising more and more malicious campaigns over time. In fact, a 2022 study found that users worldwide have lost as much as US$55.3 billion to scammers.¹

WhoisXML API researchers recently conducted an IoC expansion analysis on three email addresses used in scams found by threat researcher Dancho Danchev that led to the discovery of:

Beyond Healthcare IoCs: Threat Expansion and EHR Impersonation Detection

Cuba ransomware is only one of the threats the healthcare industry faces as the Internet of Medical Things (IoMT)¹ continues to expand.

To aid the sector, WhoisXML API looked at Cuba ransomware IoCs^{2, 3} to enable threat contextualization and expansion. The researchers  also investigated how the top EHR software providers⁴ were being spoofed in the DNS as part of third-party risk assessment. Among our key findings are:

Detecting ChatGPT Phishing on Social Media with the Help of DNS Intelligence

With a 100 million-strong and growing user base,¹ ChatGPT was bound to attract the attention of phishers and other cybercriminals.

Cyble researchers, in fact, recently published their in-depth analysis of campaigns seen since December 2022, barely a month after ChatGPT’s launch. ²

We used the four domains identified as indicators of compromise (IoCs) in the report as jump-off points for an expansion analysis that led to the discovery of:

Detecting Malware Disguised as OneNote with Threat Intelligence

We’ve seen various Microsoft apps abused in malicious campaigns time and time again, but guess which software recently joined the fray. OneNote, Microsoft’s note-taking software, has become threat actors’ new favored target. 

Proofpoint researchers have recently spotted malicious actors disseminating malware camouflaged as OneNote files. They named 82 indicators of compromise (IoCs) from which we obtained 17 domains and 13 IP addresses.¹ We used these web properties as IoC expansion analysis jump-off points that led to the discovery of:

Detecting Carder-Friendly Forums through IoC Expansion

Unfortunately for credit card holders, some people aren’t averse to using cards they don’t own to get their hearts' desires. And today’s cybercriminals are only too happy to help them out via now-widespread carding forums and communities.

Fortunately for law enforcers and cybersecurity pros, diving deeper into initial lists of indicators of compromise (IoCs) can lead to the discovery of as many potential threat vectors as possible. Our own IoC expansion analysis, for instance, revealed:

SocGholish IoCs and Artifacts: Tricking Users to Download Malware

SocGholish, an initial-access threat, was recently observed deploying ransomware, according to ReliaQuest researchers.¹

WhoisXML API used the indicators of compromise (IoCs) published by ReliaQuest to understand the threat’s infrastructure and uncover more artifacts. Our research revealed:

The Fight against Hive Ransomware May Not Be Done as Yet-Unidentified Artifacts Show

The Hive Ransomware Group managed to accumulate US$130 million in ransom demand from more than 1,500 victims worldwide in their heyday. They trailed their sights on hospitals, school districts, financial firms, and critical infrastructure until the U.S. Department of Justice (DOJ) disrupted their operations.¹ But have we seen the group’s demise?

Our indicator of compromise (IoC)² expansion analysis found more digital breadcrumbs, including:

Expansion Analysis of a Known Cyber Jihad IoC List

Cyberterrorism or using the Internet to conduct violent acts that result in loss of life or significant bodily harm to achieve political or ideological gains through threat or intimidation¹ has increasingly become a global problem. A large part of that threat comes from cyber jihadist attacks.

WhoisXML API threat researcher Dancho Danchev recently amassed six email addresses cyber jihadists have been known to use. He performed an IoC expansion analysis using these as jump-off points and discovered:

Catching Batloader Disguised as Legit Tools through Threat Vector Identification

Disguising malware as legitimate tools has always worked to trick users into downloading them, and the threat actors behind Batloader banked on just that. Trend Micro researchers tracked and analyzed Batloader-related developments toward the end of 2022¹ and identified 17 domains as indicators of compromise (IoCs).²

WhoisXML API researchers managed to add 5,000+ artifacts to that list, including:

Gauging How Big a Threat Gigabud RAT Is through an IoC List Expansion Analysis

Cyble researchers recently reported their analysis of Gigabud RAT, which served as an attack vector targeting clients of Banco de Comercio, Advice, Thai Lion Air, Shopee Thailand, SUNAT, the Department of Special Investigation (DSI) of Thailand, the Bureau of Internal Revenue (BIR) of the Philippines, and Kasikornbank.¹

The researchers have identified 10 indicators of compromise (IoCs) so far, including four URLs. We expanded these URLs to 1,190 artifacts, namely:

Tracing Connections to Rogue Software Spread through Google Search Ads

Bleeping Computer’s analysis of a recent malicious campaign targeting users looking for open-source software download sites publicized 68 domains as indicators of compromise (IoCs).¹

WhoisXML API researchers expanded that list aided by WHOIS and DNS intelligence and uncovered 800+ more artifacts, including 36 malicious web properties. These are:

Malware Persistence versus Early Detection: AutoIT and Dridex IoC Expansion Analysis

AutoIT-compiled malware¹ and Dridex² may have stood the test of time as far as threat lifespans go, but their resilience doesn’t make them invincible. Our IoC expansion analysis into the latest AutoIT³ and Dridex⁴ attacks just so happened to reveal 1,425 yet-undisclosed artifacts that may be able to help with mitigation, namely:

Sifting for Digital Breadcrumbs Related to the Latest Zoom Attack

Zoom has long been a prime cyber attack target, which isn’t surprising given that the platform accounts for 3.3 trillion meeting minutes each year.¹

Most recently, threat actors laced Zoom downloads with IceID malware designed to steal affected users’ credentials. Cyble researchers publicized three indicators of compromise (IoCs) so far,² we added more than 20,000 artifacts to that. Our IoC list expansion analysis specifically dug up:

Cloud Atlas May Hide Their Tracks but 1,800+ Unpublicized Artifacts Can Help Orgs Tag Them

All advanced persistent threat (APT) groups aim for detection evasion to enable lateral movement. But apart from tools, tactics, and procedures (TTPs) typically employed in targeted attacks, Cloud Atlas trailed its sights on targets in politically charged nations as an additional evasion tactic.

Despite the threat actors’ efforts to hide from investigators, though, Check Point Research (CPR) still managed to identify 10 indicators of compromise (IoCs) that WhoisXML API researchers expanded further to include 1,850 more artifacts.

Our deep dive into Cloud Atlas revealed:

Exposing Chat Apps Exploited for Supply Chain Attacks

The popularity of chat apps surged during the pandemic when companies had to turn to remote work to remain productive despite government-imposed lockdowns. The increased usage hasn’t died down post-pandemic since many organizations opted to make the hybrid work setup permanent.

Amid that backdrop, therefore, it’s not surprising for threat actors to trail their sights on vulnerable business chat apps to instigate destructive supply chain attacks. Trend Micro recently published a technical analysis related to this threat, listing nine command-and-control (C&C) server addresses as indicators of compromise (IoCs).¹

WhoisXML API researchers used the publicized IoCs as jump-off points for an expansion analysis that uncovered:

Uncovering Other DarkTortilla Threat Vectors

Cyble Research and Intelligence Labs (CRIL) recently performed an in-depth technical analysis of DarkTortilla, which they dubbed a “sophisticated phishing malware.”¹

WhoisXML API researchers used the indicators of compromise (IoCs) CRIL identified as jump-off points for an expansion analysis that led to the discovery of:

Supply Chain Security: A Closer Look at the IconBurst and Material Tailwind Attacks

ReversingLabs saw the volume of supply chain software attacks rise to unprecedented heights this year and predicts we’ll see more in 2023.¹ Their report cited two examples of such attacks—IconBurst² and Material Tailwind³—and urged npm and PyPI users to be wary of downloading packages from open-source repositories.

RedLine Stealer: IoC Analysis and Expansion

For US$100, threat actors can use RedLine Stealer to steal sensitive information, including saved credentials, bank details, and system data.

A CloudSEK technical analysis¹ of the threat inspired us to investigate over 900 publicly available RedLine Stealer IoCs. Our key findings include:

Own a Facebook Business? Beware of Ducktail

WithSecurity recently discovered malicious operation Ducktail targeting businesses that maintain Facebook pages and engage in Facebook advertising.¹ Their report identified 1,885 indicators of compromise (IoCs).²

Is Aurora as Stealthy as Its Operators Believe?

New kid on the data-stealing block Aurora is fast becoming a cybercriminal favorite due to its ability to fly under the radar.¹

SEKOIA.IO researchers published 51 indicators of compromise (IoCs) for Aurora so far.² We performed an IoC expansion exercise on the 28 IP addresses and eight domains in search of digital breadcrumbs.

Exposing the New Potential Ways Royal Ransomware Gets Delivered

A threat actor Microsoft dubbed “DEV-0569” found new ways to deploy Royal ransomware.¹ One is right up our alley, as the tactic involved using typosquatting domains.

Why Domain Seizure May Not Stop Money Mule Recruitment Campaigns

U.S. law enforcement agencies recently seized 18 domains believed to be part of money mule recruitment campaigns in a bid to put a stop to ongoing malware attacks. Bleeping Computer researchers published the indicators of compromise (IoCs) on their blog.¹

From Counties to Banks: Tracing the Footprint of Ransomware Attack IoCs

On 11 September 2022, a U.S. country announced that it fell prey to a cyber attack. SecurityScorecard believes the Cryxos trojan may be involved and published an in-depth analysis,¹ which included three IP addresses tagged as indicators of compromise (IoCs).

Watch Out, That Browser Extension Could Be Cloud9 in Disguise

Zimperium zLabs threat researchers recently reported the case of the Cloud9 Chrome Botnet, and rightly so. Using a malicious Chrome extension, the threat actors have stolen personal information stored in affected users’ browsers. Worse, they turned the infected computers into bots for more destructive attacks.¹

Is There More to the New Transparent Tribe TTPs?

Transparent Tribe has been targeting Indian government entities since the start of the year. Believed to be part of the ongoing Pakistan-India conflict, only a few indicators of compromise (IoCs) have been published so far.¹

Nothing Funny or Romantic about These RomCom IoCs and Artifacts

Fake tools abound online, and one of those spreading them is RomCom. He has already been seen spoofing Keepass, Veeame, SolarWinds, Advanced IP Scanner, PDF Reader Pro, and other popular software.¹

Robin Banks May Be Robbing You Blind

Robin Banks, not a who but a what, is a phishing-as-a-service (PhaaS) platform that IronNet researchers discovered in March this year.¹ Many may have thought associated risks were done and over with when Cloudflare shut down pages connected to the threat in July. But that wasn’t the case since Robin Banks reemerged just this month.²

Investment-Related Cybersquatting: Another Way to Lose Money?

With a 98% chance of a global economic recession,¹ financial markets are giving off warning signs—one of which is increasing volatility.

Beware That Software Update, It Could Be Magniber in Disguise

Threat actors have long been using fake software updates to trick users into downloading malware. And the ongoing massive Magniber ransomware campaign is no different.¹

The Business of Cybercrime: Does Malicious Campaign Planning Take as Long as Legitimate Marketing Campaign Planning?

Targeting the potential buyers of the world’s most-awaited gadgets¹ is a cybercrime staple. But what you may not know is that much like legitimate businesses, the more convincing the malicious sites are, the greater their chances of success.

Dormant Colors IoC Expansion: Don’t Install Browser Extensions from These Domains

A malvertising campaign dubbed “Dormant Colors” has had more than 1 million malicious browser extension installs.¹ The threat actors can hijack web searches and inject affiliate links through these extensions.

The Inner Workings of Aleksei Belan’s Criminal Network

Aleksei Belan is part of the Federal Bureau of Investigation (FBI) Most Wanted List. He was charged for several cybercriminal activities connected to a massive Yahoo! database compromise involving at least 500 million user accounts.¹

Rogue Tor Browser: When Search for Anonymity Leads to Exposure Instead

Many users dream of browsing the Web without anyone’s prying eyes—something the Tor browser can help them accomplish.¹ So what happens then when they end up downloading a rogue installer, especially one that spies on them instead?²

Exposing Bulgaria’s Kyulev Data Leak Hacker

A Bulgarian data leaker managed to access and steal the sensitive data of several high-profile targets. To make matters worse, the hacker had been seen offering access to the compromised database.

To assist the cybersecurity community and law enforcement sector, WhoisXML API threat researcher Dancho Danchev analyzed the threat actor’s digital footprints.

Domain Shadowing IoC Expansion Led to Thousands of Possible Connections

Threat actors have been known to hide behind legitimate Internet services¹ to spread malware and lure victims to phishing sites and other malicious campaigns.

Uncovering a Large Footprint of Fake NordVPN Sites

NordVPN isn’t new to being the target of various scammers. Over the years, we’ve seen malicious campaigns that start with luring users to a fake NordVPN site.^{1, 2}

Anyone looking to subscribe to a VPN service could easily land on a fake site and get a malware infection.

Eternity’s LilithBot, Soon Available to Regular Internet Users?

Eternity has been wreaking havoc by making malware-as-a-service (MaaS) offerings available to any interested would-be cyber attacker since January 2022.¹ And at very low prices (US$70–90),² even novice hackers could launch destructive campaigns.

A Closer Look at Active Cyber Jihad Web Properties

Cyber jihad refers to the way extremist terrorists use the Internet to wage war against their enemies.¹ Typical targets include the U.S., Western European countries, and Israel.

Experts say waging war is no longer limited to the physical world but has crossed over to the virtual realm. And 67 domains identified as indicators of compromise (IoCs) to recent cyber jihad attacks prove that.

Behind the Flashpoint Intel Site Compromise

Back in 2019, the Flashpoint Intel site suffered from a zero-day attack that caused visitors with JavaScript enabled on their systems to be redirected to an external website with a malware-laced pop-up.¹

Alleviating BlackEnergy-Enabled DDoS Attacks

BlackEnergy was originally sold as a crimeware toolkit when it first surfaced in 2007. Since then, it has undergone modifications that have made it one of advanced persistent threat (APT) actors’ go-to attack tools. Used in the Ukraine power grid attack in 2015, the malware effectively used a distributed denial-of-service (DDoS) attack to hide their true goal—data stealing.¹ 

Insights into an Active Malicious Spam Domain Portfolio

Age clearly doesn’t matter when it comes to cyber threats, as proven by spam. Malicious spam emails cost businesses as much as US$20.5 billion a year.¹

Probing Networks of Cybercrime-Friendly Forums

Malicious actors may lurk inside online forums to learn and share tactics. Some may even publish the compromised data of their victims on cybercrime-tolerant forums.

Looking into these online platforms may help law enforcement agencies and the cybersecurity community investigate threat actor behaviors and trace their activities.

On the Frontlines of the Syrian Electronic Army’s Digital Arsenal

Possibly one of the first public Internet armies, the Syrian Electronic Army is notorious for stealing user credentials to deface websites. Among their suspected victims are U.S. government websites, media outlets, PayPal, and eBay. Two of its members were indicted in 2018.¹

Selling Stolen Credit Cards Is Still a Thing

Monetary gain is a primary goal for almost any cybercriminal. And one of the ways they go about earning money without investing a dime is by stealing credit card details.¹ In fact, peddling stolen credit card numbers with their corresponding CVVs in underground markets can earn operators millions.²

The Inner Workings of the Russian Business Network

VeriSign dubbed the Russian Business Network (RBN) as “the baddest of the bad”¹ in a report. And the fact that it played host to sites owned by the most notorious spammers, malware operators, phishers, distributed denial-of-service (DDoS) attackers, and other cybercriminals proved that.²

Probing an Active Digital Trail of Iranian Hackers

The cybersecurity community and law enforcement agencies have been tracking the activities of Iran-based hackers for quite some time now.

Shedding Light on the Darkode Forum

The Darkode Forum, which started operating in 2007, was taken down through a global effort in 2015.¹ But the community came back online in 2019.²

Should We Consider the Maze Ransomware Extinct?

The Maze Ransomware Group announced in 2020 that it would shut down its operations after stealing and exposing sensitive data of several high-profile targets. But have they really ceased their operations?

Uncovering the Current Workings of Guccifer 2.0

Guccifer 2.0¹ is the person or group behind the now infamous Democratic National Committee (DNC) hack back in 2016.²

Who Could Be Behind the Latest GitHub-Hosted Malware Infrastructure?

While GitHub has built-in security measures¹ to prevent users from using its infrastructure to host malware code, wily cyber attackers may be looking for ways to bypass them. We’ve seen that happen with a cryptocurrency miner² and several malicious projects.³

What Is Anonymous International Up to Now

Anonymous International is infamous for launching much-publicized hacking attacks against political targets since 2006.¹ And they haven’t stopped to this day.²

URL Shortening Gone Wrong with GCHQ

In 2016, cybersecurity researchers discovered that British spies were using a free URL shortener to try gathering intelligence and influencing online activists during the protests in Iran since 2009.¹

Is the Bakasoftware Operation Still Up and Running?

In 2008, Bakasoftware reportedly made as much as US$5 million a year from scaring victims into downloading and installing their product to get rid of fake malware infections.¹ Many thought the operation had gone out the door yet WhoisXML API threat researcher Dancho Danchev may suggest otherwise. His findings include:

Tracing the Digital Footprint of Iran’s Mabna Hackers

The Mabna hackers victimized hundreds of organizations worldwide and were known to sell stolen sensitive information. After nine of its members were indicted¹ in the U.S., the elusive threat actors may have left breadcrumbs of their criminal activities in the form of DNS connections.

Exposing the Infrastructure Behind the Democratic National Committee System Intrusion

The high-profile cyberintrusion of the Democratic National Committee (DNC) computer system in 2015¹ disrupted the 2016 presidential election in the U.S. It remains one of the most popular cyber attacks, with top security firms performing different investigations.

Is Your Software a Top Impersonation Target?

Copycatting the world’s most popular software applications is a commonly used technique to lure users into visiting seemingly legitimate yet often malicious pages.

DIY Web Attacks Might Still Live on via WebAttacker

WebAttacker can be considered an aged threat, but it may not be out of the cybercrime game just yet.¹ While it has been in business since 2006, what WhoisXML API threat researcher Dancho Danchev discovered recently seems to indicate its operators could still be up to no good.

Exposing a Currently Active Ashiyane Digital Security Domain Infrastructure

An Iran-based hacker forum that was shut down in 2018 became active again last year.¹ While our initial investigation at that time uncovered 100+ digital properties related to the group, our most recent exploration exposes thousands more. 

The Current State of Malicious PPI Businesses and Affiliate Networks

Pay-per-install (PPI) and affiliate networks, which made headlines between 2008 and 2013, may not entirely be gone. Research by WhoisXML API threat researcher Dancho Danchev revealed that some of the domains registered using email addresses belonging to their operators remain active to this day.

From Counterfeiting to Phishing: Cybersquatting Properties Target Network Device Makers

Fake network devices are being sold online, some of which can bypass security functions.¹ Recently, a CEO was arrested for allegedly selling about a billion dollars’ worth of counterfeit Cisco devices.²

Is Monkeypox Following COVID-19’s (Digital) Footsteps?

Monkeypox was recently declared a public health emergency¹ so it’s bound to gain even more attention in the coming weeks or months. Even before then, it has already been used as a phishing campaign lure,² are we set to see more of this?

Have You Seen These Roaming Mantis Connected Artifacts Wandering into Your Phone?

Roaming Mantis may have stolen the credentials or infected the devices of hundreds of thousands of people. The threat group did that through a smishing campaign targeting Android and iOS users. According to SEKOIA-IO,¹ more than 90,000 unique IP addresses have requested XLoader from Roaming Mantis’s command-and-control (C&C) servers as of mid-July 2022.

Profiling the Threat Actor Known as “Hagga” and His Work

The threat actor known as “Hagga,” first identified in the latter part of 2021,¹ has been using Agent Tesla to steal sensitive user information for some time now. Published reports have identified several indicators of compromise (IoCs)² believed to be part of Hagga’s criminal infrastructure.

Beauty and the Beast: Possible Vehicles for Cosmetic Products Counterfeiting

Fake beauty products have proliferated through illicit websites and social platforms¹, putting people and brands in danger. Counterfeit products may contain harmful products, and victims may end up suing the impersonated brands, according to Cosmetics Business².

Are Threat Actors Intercepting Your OTPs? These Cyber Resources Might Be Helping Them

A recently discovered banking Trojan¹ that can restart its malicious routine was delivered using two cybersquatting domains targeting BBVA, a Spanish multinational financial services firm. The malware is aptly named “Revive” and can intercept one-time passwords (OTPs) and all other messages received on the infected device.

KrotReal: Is the Koobface Bot Master Back in Business?

KrotReal, identified as the infamous Koobface Gang’s bot master, is seemingly back in business.¹ But instead of going after social media users, is he now targeting adult content viewers?

Luxury Jewelry, Anyone? Watch Out for Scams

Cartier recently decided to beef up its efforts in hopes of taking down sites and pages selling knock-offs of its products.¹

Are other luxury jewelers² and their customers at risk of the same threat? We sought to answer this and more with our in-depth analysis of potential look-alike domains and subdomains peddling counterfeit goods.

Koobface Makes a Comeback

The infamous Koobface Gang¹ is possibly causing malware mayhem again. After Facebook and cybersecurity researchers unmasked the perpetrators back in 2012, the gang members shut down their servers in a bid to avoid capture.²

NotPetya: Not Quite Dead, as Recent IoCs Show

NotPetya first saw light in June 2017, shortly after Petya’s emergence. NotPetya was believed to have caused organizations worldwide US$10 million in damages.¹

Unlike Its Namesake, Aoqin Dragon Isn’t Mythical

Aoqin Dragon may not be as foolproof as it seems. Despite evading discovery for almost a decade,¹ cybersecurity researchers shed some light on the advanced persistent threat (APT) group’s inner workings.

Conti Ransomware: Still Alive and Kicking

Despite the heightened lookout for key members of Wizard Spider given the huge reward offered by the U.S. government,¹ Conti ransomware continues to plague individuals and businesses worldwide.

Predator Surveillance Software May Not Be Lawful at All

Predator has been found to illegally spy on journalists and politicians the world over since December 2021.¹ But the threat the app poses may not have died down despite its exposure.

GALLIUM APT Group and Other Threat Actors in Disguise

Threat actors were observed taking advantage of legitimate services by creating subdomains and using them as command-and-control (C&C) domains¹ and phishing site hosts².

Exposing the “Haters” behind Patriot Front

Patriot Front is a well-known white supremacist group in the U.S.¹ Most recently, dozens of the group’s members disrupted a Pride event in Idaho, resulting in their arrest.²

Both Aged and New Domains Play a Role in the NDSW/NDSX Malware Campaign

The threat actors behind the NDSW/NDSX malware campaign¹ used both newly registered and aged domains, likely to get the best of both worlds. But the digital breadcrumbs they left behind could help investigators get a step closer to catching them.

Phishers Are Impersonating Maersk: What Other Container Shipping Companies Are Targeted?

The supply chain attack on Toyota¹ last February 2022 is only one example of how such an attack could be detrimental to an organization. Therefore, a phishing and impersonation campaign² targeting one of the largest container shipping lines is quite concerning.

Careful, the Next Premium SMS Offer You Subscribe to May Be Malicious

Avast recently reported that SMSFactory Android Trojan has affected around 165,000 users worldwide.¹ But so far, only a few digital properties have been publicized as indicators of compromise (IoCs).²

Father’s Day: Bad Guys’ Activities

Whois API researchers previously uncovered suspicious web properties related to Mother’s Day¹. Some of them were outright malicious, while others hosted questionable content. This Father’s Day, we detected a similar trend, indicating that the bad guys are also getting ready for the special occasion.

Exposing the Criminal Infrastructure of the Blood and Honor Hate Group

Blood and Honor is a well-known right wing extremist (RWE) group that originated from the U.K. founded in 1987. They began spreading their messages through music that supported their political ideology.¹

WhoisXML API security researcher Dancho Danchev used various OSINT tools to help law enforcement agents track the group members’ digital footprints. His investigation revealed:

In the Market for a New Car? Beware Not to Get on the Phishing Bandwagon

Anything sold on the market, especially necessities, are fair game to phishers as campaign hooks. And that’s just what we saw happening with an ongoing phishing campaign targeting German car dealership companies.¹

Online Shopping Danger? We Discovered 13K+ Cybersquatting Properties Targeting the Top E-Commerce Sites

Online shoppers have always been prone to cybercrime, such as financial scams, hacking, and credential theft. Domains and subdomains are common vehicles for these criminal activities, but more compelling are those that imitate major e-commerce sites.

Blurring the Lines between APTs and Cybercrime: Cobalt Mirage Uses Ransomware to Target U.S. Organizations

Cobalt Mirage, a well-known APT group, recently took a page out of cybercriminals’ modus operandi—using ransomware—to go after targets earlier this month.¹ So far, only 11 domains and two IP addresses have been publicized as indicators of compromise (IoCs).²

A Look into Cybersquatting and Phishing Domains Targeting Facebook, Instagram, and WhatsApp

Meta’s infringement and cybersquatting case against Namecheap was dismissed¹ last 25 April 2022 following a settlement². While the details of the settlement were private, the registrar ended up transferring 61 domains to Meta. 

In line with this, WhoisXML API researchers decided to monitor the cybersquatting activity related to three Meta applications covered in the dismissed case—Facebook, Instagram, and WhatsApp. Our findings include:

Beware of Frappo and Related Cybersquatting Domains

Phishing-as-a-service (PaaS) solutions like the recently discovered Frappo,¹ make brand impersonation campaigns easy to instigate and automate. Among those targeted by the new toolkit were large companies in the financial, e-commerce, and entertainment sectors, namely, Amazon, ATB Financial, Bank of Montreal (BMO), Bank of America (BOA), Chase, CIBC, Citibank, Citizens Bank, Costco, Desjardins, M&T Bank, Netflix, Royal Bank of Canada (RBC), Rogers, Scotia Bank, Tangerine Bank, TD Canada Trust, Uber, and Wells Fargo.

Cardano Joins the List of Favored Crypto Scam Targets

It’s no longer unusual for cybercriminals to go after cryptocurrency owners. We’ve seen scams targeting Bitcoin¹ and Ethereum² owners before. This time, they’re going after Cardano coin owners³ with a supposed giveaway promo.

These DeFi Domains Might Be Risky to Investors

In addition to cryptocurrency wallets and non-fungible token (NFT) companies, malicious actors recently targeted decentralized financial (DeFi) platforms. They got away with US$90 million.¹ One way some NFT companies may be addressing the threat is by defensive domain registration.²

Website Defacement: Age-Old but Still Works as Ongoing Campaigns Show

Threat actors typically employ website defacement to further their political, environmental, or even personal agenda. Through SQL injection, cross-site scripting (XSS), and other initial compromise tactics, they replace the content of target sites to display their specially crafted messages.

Threat Actors Might Be Interested in Elon Musk’s Twitter Purchase Too

Threat actors often ride on the latest news and current events to lure users to their specially crafted malicious websites. We’ve seen that happen with the onset of the COVID-19 pandemic¹ and the birth of the Black Lives Matter movement.²

We may see that happen again given the hype surrounding Elon Musk’s recent purchase of Twitter.³

We Don’t Want to Spoil Mothers’ Day but These Domains Might

With Mothers’ Day just around the corner, threat actors may already be devising or have already deployed scams targeting mothers and children looking for Mothers’ Day gifts.

Sinkholing May Not Spell the End for Malware Hosts and Botnets

Sinkholing has long proven effective in taking down cybercriminal operations like WannaCry.¹ The process has, in fact, more recently employed by Microsoft to thwart Strontium cyber attacks targeting Ukrainians.²

Behind the Bylines of Fake News and Disinformation Pages

Fake news and disinformation campaigns pose real risks to nations worldwide as evidenced by research done by Statista.¹ Their peddlers’ motivation? Political and financial gain, according to some opinions.²

Through the Spyglass: NSO Group Spyware Pegasus in Focus

The NSO Group gained infamy for its proprietary spyware Pegasus. In 2021, in fact, Apple sued the company for its alleged ties to threats targeting its service and device users.¹

Expanding the Conti Ransomware IoCs Using WHOIS and IP Clues

Conti ransomware continues to gain traction via the ransomware-as-a-service (RaaS) business model, with threat actors launching more than 1,000 attacks against various organizations worldwide. In March 2022, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Conti ransomware alert page with close to 100 domain indicators of compromise (IoCs).¹

HermeticWiper: Another Threat Targeting Ukraine at Large

Ukraine users have reportedly been targeted by a malware known as HermeticWiper.¹ Known for wiping out data on victims’ computers, the malware has affected hundreds of systems since it emerged.

Operation Dream Job: Same Tactics, New Vulnerability and Domains?

Operation Dream Job is a threat group that takes advantage of people’s hope to improve their careers. Instead of finding their dream jobs, however, victims could find themselves vulnerable to remote code execution (RCE).¹

What Are the DNS Artifacts Associated with APT36 or Earth Karkaddan?

APT36 or Earth Kardakkan has been targeting government entities, most especially in India, for a couple of years now. But so far, only a few digital properties have been publicized as indicators of compromise (IoCs).^{1, 2}

Be Wary of Bogus Web Properties This Tax Season

The tax season is not only for taxpayers. Threat actors also flock to the Internet, baiting individuals and entities through different types of tax frauds.¹ WhoisXML API trailed their sights on possible vehicles for malicious activities this tax season by uncovering domains and subdomains that contain tax-related terms.

Behind the Innovative Marketing Rogue Scareware Distribution Network

Innovative Marketing made waves as a rogue scareware operator more than a decade ago.¹ But while law enforcement authorities successfully thwarted its large-scale business, its owners have yet to be captured.^{2, 3}

Danchev and WhoisXML API’s research team sought to determine if the company left digital breadcrumbs behind using Maltego and various WhoisXML API tools. He uncovered an expansive list of domains, IP addresses, and other web properties that could help the cybersecurity industry finally put an end to Innovative Marketing.

OSINT Analysis of the World’s Biggest Cybercriminal Infrastructures

WhoisXML API maintains a list of the most prominent cybercriminal groups around the globe in an effort to help fellow researchers and vendors and the authorities enrich their actionable threat intelligence.

Are Cybersquatters Going After the Car Manufacturing Sector?

The recent supply chain attack¹ causing Toyota to halt production for days and lose 13,000 in car outputs underscores how wide an organization’s attack surface can be. It also proves how scattered threat vectors can be—from insider mistakes, third-party vulnerabilities, and many others.

Digital Spillovers of Russia’s Invasion Of Ukraine

The war between Ukraine and Russia has become a global crisis like no other. The situation has spillovers beyond humanitarian, physical, and economic effects, including increased activity on the Domain Name System (DNS).

From Fake News Proliferation to Data Theft: Tracing the Red Cross Hack to a Misinformation Network

The cyber attack against the International Committee of the Red Cross (ICRC) exposed the data belonging to more than 500,000 people worldwide.¹ While no indicators of compromise (IoCs) have been publicized so far, an interesting link to a fake news network was revealed by security researcher Brian Krebs.²

Under the Hood of the Infraud Organization Cybercriminal Operation

While 36 alleged Infraud Organization members were recently captured and indicted¹, the incident may not spell the end of woes related to the gang.

We took a closer look at published indicators of compromise (IoCs) related to Infraud Organization, specifically 11 domains, six IP addresses, and three email addresses, which were used as jump-off points to uncover more potential artifacts and IoCs.

The Oscars and Suspicious Web Activity: What's the Link?

Hollywood’s popularity extends beyond providing entertainment. Like last year¹, threat actors seemingly used sites dedicated to this year’s Oscar nominees² as malware hosts. We looked at thousands of domains and subdomains containing the best picture titles and best actor/actress names to identify how many of them are actually malicious.

Exposing Void Balaur’s Internet-Connected Infrastructure

Void Balaur is a cybercriminal gang, believed to be operating from Latvia, that has been launching typosquatting and spear phishing attacks targeting users worldwide.

WhoisXML API researcher Dancho Danchev recently dove deep into the perpetrators’ campaigns aided by current and historical WHOIS records to find actionable intelligence for cybersecurity and law enforcement purposes.

2022 Olympic Winter Games: Prime Ground for Phishing Lures?

Major sporting events, such as the Olympic Games, have always gained the attention of threat actors. A noteworthy example is the OlympicDestroyer malware¹ that targeted the 2018 Winter Olympics.

DHL Was the Most-Phished Company in 2021, Will That Be True in 2022, Too?

Checkpoint research revealed that DHL was the most-phished brand in 2021,¹ which led us to wonder if the same will hold for 2022. We scoured the Web for domains and subdomains containing “dhl” and subjected these to further scrutiny to identify more connected artifacts.

An OSINT Analysis of Infraud Organization and Its Cybercriminal Infrastructure

WhoisXML API researcher Dancho Danchev recently delved deep into the Infraud Organization’s cybercriminal infrastructure. Infraud Organization is well-known for maintaining a cybercriminal forum that provides threat actors tons of stolen credit card information.¹ Danchev used WHOIS, IP, and DNS tools to identify more artifacts connected to the threat.

Web Search Results Reveal a Suspicious Network of Domains

Search engine scams continue to increase in volume despite the security efforts of major search engine services. The persistent effectiveness of blackhat SEO techniques and the growing list of suspicious or unwanted search results are just some of the pressing concerns that plague Internet users.

Malicious Valentine: Uncovering Thousands of Domains Connected to Romance-Themed Campaigns

Romance-themed campaigns have several faces—some pose as online dating sites¹ while others as fake applications.² These campaigns occur year-round, but Valentine’s Day could make more people vulnerable. In line with this, WhoisXML API researchers gathered and analyzed the IoCs of romance or Valentine-themed campaigns. Among our key findings are:

The Irony: Data Privacy Sites Bring Risks Instead of Protection

It’s ironic to think that sites hinting at promoting data privacy awareness and/or protection are serving malware instead, but that’s a sad truth. We found thousands of web properties through WHOIS, IP, and DNS searches to identify malicious data privacy-related sites.

Exploring BlackTech IoCs Reveals Hundreds of Artifacts in 2022

The BlackTech APT Group struck again, this time with the new FlagPro malware and IoCs. Since the group used the same C&C servers and infrastructure for multiple campaigns in the past, WhoisXML API analyzed the new IoCs together with those reported in the past two years. We uncovered artifacts and possible domain and IP connections. Our analysis includes:

REvil Ransomware: What Can We Learn from Published IoCs in 2022?

REvil has been one of the biggest ransomware threats in 2021, pushing the U.S. Department of State to post a US$10 million reward to anyone who can identify and locate the gang’s leaders.¹ AlienVault made headway in identifying REvil-hosting domains.² We subjected these web properties to IP and DNS searches to identify more connected artifacts.

Illegally Streaming “Spider-Man: No Way Home” Could Be Hazardous to Your Computer

While watching ‘Spider-Man: No Way Home’ in movie theaters could pose health risks considering the ongoing pandemic, downloading torrents of or illegally streaming the movie can be hazardous to your computer’s health too. Researchers discovered that torrent files could be XMR Miner malware in disguise¹.

65,000+ NFT-Related Domains and Subdomains: Possible Vehicles for NFT Scams?

As non-fungible tokens (NFTs) become increasingly popular and valuable, related scams are also on the rise. Since these scams utilize domain names and websites, WhoisXML API examined the registration of NFT-related domain names, fortifying our findings with WHOIS and IP intelligence. Our analysis revealed:

New Zloader Campaign: Where Do IoCs Lead Us?

A new Zloader campaign has been detected. It is believed to be the work of the MalSmoke cybercrime group. More than 2,000 unique victim IP addresses have downloaded the malware, which exploits a vulnerability in Microsoft’s digital signature verification method.

Gift Cards, Anyone? Watch Out for Fraud and Malware Hosts

The Federal Trade Commission (FTC) maintains a page dedicated to gift card scams¹, and there’s a good reason for that. Each year, consumers who succumb to lures end up losing thousands² instead of getting gifts for their loved ones. We found thousands of web properties through IP and DNS searches to identify IoCs and other artifacts possibly tied to gift card scams and phishing.

Log4j Vulnerability: What Do the IoCs Tell Us So Far?

A new vulnerability called “CVE-2021-44228” or “Log4Shell” was detected on 9 December 2021, alerting the cybersecurity community to possible remote code execution (RCE) attacks. WhoisXML API analyzed initial IoC lists to shed light on possible artifacts and connections. Among our findings are:

“Nickel” APT Group: What We Found Out About Microsoft’s Latest Domain Seizure

Microsoft recently seized 42 domains attributed to the China-based Nickel APT group.¹ We subjected these web properties to WHOIS queries to find more information.

Are Mypressonline[.]com’s Free Subdomain Hosting Services Being Abused?

We were alerted to the ongoing mypressonline[.]com phishing campaign¹ and sought to uncover the site’s complete domain footprint and potential evidence of hosting abuse.

Digging Up Zombie Domains: What WHOIS History Reveals about 3,800+ Verified Phishing Hosts

As phishing remains an imminent attack vector leading to costly and damaging campaigns, WhoisXML API researchers dug up the WHOIS history of 3,800+ domain names and subdomains associated with verified phishing URLs. We present our key findings and analyses in a white paper and associated threat research materials covering:

Telcos Are on Phishers’ Radar, Who Is at Risk?

The telecommunications sector has been identified by PhishLabs as phishers’ top 3 target in a November 2021 report.¹ We looked at the newly registered domains (NRDs) and subdomains containing the strings “broadband,” “mobile,” and “telecom” to determine who among the 10 biggest telcos in the world are at risk of getting phished.

Locky Ransomware: Still a Threat as List of IoCs Grows

Despite its age, Locky ransomware, which first made headlines in 2016,¹ is still making the rounds. We obtained 61 IP addresses connected to the threat and used these as jump-off points to uncover other web properties that users need to avoid accessing.²

Uncovering Signs of Internet Fraud with WHOIS, DNS, and IP Data

The FTC Consumer Sentinel Network¹ reported US$3.5 billion in losses due to different types of fraud as of the third quarter of 2021. Clearly, fraud is an imminent threat that needs to be detected and prevented as early as possible to avoid further losses to individuals and the global economy.

Facebook Is Now Meta, Will Threat Actors Ride the Wave?

Company rebranding efforts are always a big deal, as they usually translate to expanding a known brand’s portfolio. That’s why many such events are announced during some of the world’s biggest conferences. The same could be said of Mark Zuckerberg’s introduction of Meta in Connect 2021.¹

Are Banks and Their Customers Once Again at Risk of Typosquatting Woes?

Banks and other financial institutions have always been a top-of-mind attack target.¹ We analyzed an ongoing cybersquatting campaign targeting U.S. Bancorp using four malicious domains and their corresponding IP resolutions that IBM X-Force Exchange identified.²

Insurance Companies Are The Target of Recent Cybersquatting Campaigns

We analyzed an ongoing cybersquatting campaign targeting MetLife, Inc., using 12 malicious domains that IBM X-Force Exchange identified.¹

Are Cybersquatting Campaigns Targeting Airlines Taking Off?

Any company that serves thousands if not millions of users is considered ripe for threat actor picking. Threats and attacks often start with the simple act of typosquatting. Such was the case for an ongoing cybersquatting campaign targeting Turkish Airlines.¹

Exposing the Connection between a Most Wanted Cybercriminal and the BlackEnergy DDoS Attack

Oleksandr Vitalyevich Ieremenko¹ is a Ukrainian national charged with several fraud-related and cybercrime cases in August 2015. Barely a year after the allegation, Ieremenko joined a cybercrime group led by Artem Viacheslavovich Radchenko and gained unauthorized entry into the U.S. Securities and Exchange Commission (SEC) network.

A Most Wanted Cybercriminal Runs a Profitable Android Malware Enterprise

Danil Potekhin,¹ a Russian national, managed to steal approximately US$17 million from users of several digital currency exchange platforms by defrauding several cryptocurrency exchange sites. Potekhin was then indicted² in September 2020 for conspiracy to commit computer fraud, unauthorized access to a protected computer, and aggravated identity theft, among other crimes.

Exposing Hundreds of Rogue VPN Domains Potentially Connected to the NSA

WhoisXML API DNS Threat Researcher Dancho Danchev identified domain intelligence related to several bogus free VPN service providers. Those bogus entities could seemingly be traced back to the National Security Agency (NSA) as part of an effort to monitor the online activities of suspicious Iran-based users. 

IoC Report Exposing an Active WannaCry Ransomware Domain Portfolio

WannaCry ransomware made waves as part of a global cyber attack detected in 2017, which resulted in around US$4 billion¹ in financial losses. The ransomware campaign targeted organizations in various industries, including the telecommunications, airline, and medical services sectors.

IoC Report Exposing a Currently Active Cyber Jihad Campaign’s Domain Portfolio

Cyber jihad, a term that loosely describes using the Internet as a communication, fundraising, recruitment, training, and planning tool in cyber attacks^[1], gained traction over the years. It has become a force to reckon with for many government institutions tasked to battle cyberterrorism. In fact, at the end of 2020 alone, three cyber-enabled campaigns targeting government institutions worldwide were brought down^[2].

Exposing Thousands of Active Kaseya Ransomware C&C Domains

About 1,500 small and medium-sized businesses (SMBs)¹ may have been affected by the ransomware attack targeting Kaseya, an IT solutions developer catering to managed service providers (MSPs) and enterprises. The attack, which occurred in July 2021, exploited a vulnerability in the company’s remote monitoring and management software. The threat actors behind the attack reportedly asked for US$70 million² in exchange for a decryption tool.

Domain Squatting Analysis of the Gaming Industry: Thousands of Online Gaming-Related Web Properties

The video gaming industry is among the highest-earning entertainment sectors, outperforming¹ the movie industry in the past year. It has also become a favorite of cyber attackers.

We analyzed thousands of gaming-related domains and subdomains to see how prevalent threats are in the industry. Aside from analyzing the overall e-sports sector, our analysis targeted four of the most popular gaming companies—Bandai Namco, Epic Games, Electronic Arts, and Ubisoft.

CEO Impersonation Alert: A Look into the Top 100 CEOs of 2021

Total losses from BEC scams and CEO impersonation are estimated at tens of US$billion^[1][2] over the past years. In 2021, Elon Musk’s impersonators were able to amass about US$2 million^[3] from numerous victims. 

A Look at Thousands of Credential Phishing-Related Domain Names

Cofense researchers found that more than half of the millions of emails they analyzed were credential phishing emails.¹ To see how prevalent these are in the domain world, we extracted domains that contain account-related text strings, such as “login,” “signin,” and “password.” When used alongside popular company names like PayPal and Amazon, these account-related text strings can make phishing emails appear more credible.

Exposing 1,100+ NSO Spyware Group’s Domains, IP Addresses, and MD5 Hashes

The NSO Spyware Group’s spyware dubbed “Pegasus” is known for its ability to be covertly installed on mobile phones running different versions of Android and iOS and spy on their owners’ activities.

Exposing 100+ Domains Possibly Belonging to the Ashiyane Digital Security Team

The Ashiyane Digital Security Team is known to be a gray hat network security company based in Iran.¹ It has been allegedly connected to several state-sponsored attacks against various countries over the years. 

IoC Report Exposing Potential Actors behind the Conficker Botnet

Conficker, which infected millions of systems in its heyday in 2008, continues to infect tens of thousands of devices. Dubbed as the “worm that nearly ate the Internet¹,” Conficker targets computers running on Microsoft operating systems (OSs), creating a colossal botnet that can be used to launch large-scale cyber attacks.

Analyzing “Brian Krebs” Typosquatting Domains to Spread Malware

Brian Krebs¹, an American journalist and investigative reporter, is best known for his coverage of cybercrime & cybersecurity news—notably through his blog KrebsOnSecurity.com.