Threat Reports | WXA Research Center | WhoisXML API

WXA Research Center

Access our latest research and insights on WHOIS, IP, and DNS data for cybersecurity, data science, and other business purposes through our webinars, podcasts, white papers, threat reports, and videos from the WXA Academy.

Have questions?

Contact us at

Threat Reports


Exposing the “Haters” behind Patriot Front

Patriot Front is a well-known white supremacist group in the U.S.1 Most recently, dozens of the group’s members disrupted a Pride event in Idaho, resulting in their arrest.2

Continue reading

Careful, the Next Premium SMS Offer You Subscribe to May Be Malicious

Avast recently reported that SMSFactory Android Trojan has affected around 165,000 users worldwide.1 But so far, only a few digital properties have been publicized as indicators of compromise (IoCs).2

Continue reading

Father’s Day: Bad Guys’ Activities

Whois API researchers previously uncovered suspicious web properties related to Mother’s Day1. Some of them were outright malicious, while others hosted questionable content. This Father’s Day, we detected a similar trend, indicating that the bad guys are also getting ready for the special occasion.

Continue reading

Exposing the Criminal Infrastructure of the Blood and Honor Hate Group

Blood and Honor is a well-known right wing extremist (RWE) group that originated from the U.K. founded in 1987. They began spreading their messages through music that supported their political ideology.1

WhoisXML API security researcher Dancho Danchev used various OSINT tools to help law enforcement agents track the group members’ digital footprints. His investigation revealed:

Continue reading

Blurring the Lines between APTs and Cybercrime: Cobalt Mirage Uses Ransomware to Target U.S. Organizations

Cobalt Mirage, a well-known APT group, recently took a page out of cybercriminals’ modus operandi—using ransomware—to go after targets earlier this month.1 So far, only 11 domains and two IP addresses have been publicized as indicators of compromise (IoCs).2

Continue reading

Cardano Joins the List of Favored Crypto Scam Targets

It’s no longer unusual for cybercriminals to go after cryptocurrency owners. We’ve seen scams targeting Bitcoin1 and Ethereum2 owners before. This time, they’re going after Cardano coin owners3 with a supposed giveaway promo.

Continue reading

These DeFi Domains Might Be Risky to Investors

In addition to cryptocurrency wallets and non-fungible token (NFT) companies, malicious actors recently targeted decentralized financial (DeFi) platforms. They got away with US$90 million.1 One way some NFT companies may be addressing the threat is by defensive domain registration.2

Continue reading

Website Defacement: Age-Old but Still Works as Ongoing Campaigns Show

Threat actors typically employ website defacement to further their political, environmental, or even personal agenda. Through SQL injection, cross-site scripting (XSS), and other initial compromise tactics, they replace the content of target sites to display their specially crafted messages.

Continue reading

Threat Actors Might Be Interested in Elon Musk’s Twitter Purchase Too

Threat actors often ride on the latest news and current events to lure users to their specially crafted malicious websites. We’ve seen that happen with the onset of the COVID-19 pandemic1 and the birth of the Black Lives Matter movement.2

We may see that happen again given the hype surrounding Elon Musk’s recent purchase of Twitter.3

Continue reading

Sinkholing May Not Spell the End for Malware Hosts and Botnets

Sinkholing has long proven effective in taking down cybercriminal operations like WannaCry.1 The process has, in fact, more recently employed by Microsoft to thwart Strontium cyber attacks targeting Ukrainians.2

Continue reading

Behind the Bylines of Fake News and Disinformation Pages

Fake news and disinformation campaigns pose real risks to nations worldwide as evidenced by research done by Statista.1 Their peddlers’ motivation? Political and financial gain, according to some opinions.2

Continue reading

Through the Spyglass: NSO Group Spyware Pegasus in Focus

The NSO Group gained infamy for its proprietary spyware Pegasus. In 2021, in fact, Apple sued the company for its alleged ties to threats targeting its service and device users.1

Continue reading

Operation Dream Job: Same Tactics, New Vulnerability and Domains?

Operation Dream Job is a threat group that takes advantage of people’s hope to improve their careers. Instead of finding their dream jobs, however, victims could find themselves vulnerable to remote code execution (RCE).1

Continue reading

What Are the DNS Artifacts Associated with APT36 or Earth Karkaddan?

APT36 or Earth Kardakkan has been targeting government entities, most especially in India, for a couple of years now. But so far, only a few digital properties have been publicized as indicators of compromise (IoCs).1, 2

Continue reading

Behind the Innovative Marketing Rogue Scareware Distribution Network

Innovative Marketing made waves as a rogue scareware operator more than a decade ago.1 But while law enforcement authorities successfully thwarted its large-scale business, its owners have yet to be captured.2, 3

Danchev and WhoisXML API’s research team sought to determine if the company left digital breadcrumbs behind using Maltego and various WhoisXML API tools. He uncovered an expansive list of domains, IP addresses, and other web properties that could help the cybersecurity industry finally put an end to Innovative Marketing.

Continue reading

OSINT Analysis of the World’s Biggest Cybercriminal Infrastructures

WhoisXML API maintains a list of the most prominent cybercriminal groups around the globe in an effort to help fellow researchers and vendors and the authorities enrich their actionable threat intelligence.

Continue reading

Are Cybersquatters Going After the Car Manufacturing Sector?

The recent supply chain attack1 causing Toyota to halt production for days and lose 13,000 in car outputs underscores how wide an organization’s attack surface can be. It also proves how scattered threat vectors can be—from insider mistakes, third-party vulnerabilities, and many others.

Continue reading

From Fake News Proliferation to Data Theft: Tracing the Red Cross Hack to a Misinformation Network

The cyber attack against the International Committee of the Red Cross (ICRC) exposed the data belonging to more than 500,000 people worldwide.1 While no indicators of compromise (IoCs) have been publicized so far, an interesting link to a fake news network was revealed by security researcher Brian Krebs.2

Continue reading

Under the Hood of the Infraud Organization Cybercriminal Operation

While 36 alleged Infraud Organization members were recently captured and indicted1, the incident may not spell the end of woes related to the gang.

We took a closer look at published indicators of compromise (IoCs) related to Infraud Organization, specifically 11 domains, six IP addresses, and three email addresses, which were used as jump-off points to uncover more potential artifacts and IoCs.

Continue reading

Exposing Void Balaur’s Internet-Connected Infrastructure

Void Balaur is a cybercriminal gang, believed to be operating from Latvia, that has been launching typosquatting and spear phishing attacks targeting users worldwide.

WhoisXML API researcher Dancho Danchev recently dove deep into the perpetrators’ campaigns aided by current and historical WHOIS records to find actionable intelligence for cybersecurity and law enforcement purposes.

Continue reading

2022 Olympic Winter Games: Prime Ground for Phishing Lures?

Major sporting events, such as the Olympic Games, have always gained the attention of threat actors. A noteworthy example is the OlympicDestroyer malware1 that targeted the 2018 Winter Olympics.

Continue reading

DHL Was the Most-Phished Company in 2021, Will That Be True in 2022, Too?

Checkpoint research revealed that DHL was the most-phished brand in 2021,1 which led us to wonder if the same will hold for 2022. We scoured the Web for domains and subdomains containing “dhl” and subjected these to further scrutiny to identify more connected artifacts.

Continue reading

An OSINT Analysis of Infraud Organization and Its Cybercriminal Infrastructure

WhoisXML API researcher Dancho Danchev recently delved deep into the Infraud Organization’s cybercriminal infrastructure. Infraud Organization is well-known for maintaining a cybercriminal forum that provides threat actors tons of stolen credit card information.1 Danchev used WHOIS, IP, and DNS tools to identify more artifacts connected to the threat.

Continue reading

Web Search Results Reveal a Suspicious Network of Domains

Search engine scams continue to increase in volume despite the security efforts of major search engine services. The persistent effectiveness of blackhat SEO techniques and the growing list of suspicious or unwanted search results are just some of the pressing concerns that plague Internet users.

Continue reading

Malicious Valentine: Uncovering Thousands of Domains Connected to Romance-Themed Campaigns

Romance-themed campaigns have several faces—some pose as online dating sites1 while others as fake applications.2 These campaigns occur year-round, but Valentine’s Day could make more people vulnerable. In line with this, WhoisXML API researchers gathered and analyzed the IoCs of romance or Valentine-themed campaigns. Among our key findings are:

Continue reading

Exploring BlackTech IoCs Reveals Hundreds of Artifacts in 2022

The BlackTech APT Group struck again, this time with the new FlagPro malware and IoCs. Since the group used the same C&C servers and infrastructure for multiple campaigns in the past, WhoisXML API analyzed the new IoCs together with those reported in the past two years. We uncovered artifacts and possible domain and IP connections. Our analysis includes:

Continue reading

REvil Ransomware: What Can We Learn from Published IoCs in 2022?

REvil has been one of the biggest ransomware threats in 2021, pushing the U.S. Department of State to post a US$10 million reward to anyone who can identify and locate the gang’s leaders.1 AlienVault made headway in identifying REvil-hosting domains.2 We subjected these web properties to IP and DNS searches to identify more connected artifacts.

Continue reading

New Zloader Campaign: Where Do IoCs Lead Us?

A new Zloader campaign has been detected. It is believed to be the work of the MalSmoke cybercrime group. More than 2,000 unique victim IP addresses have downloaded the malware, which exploits a vulnerability in Microsoft’s digital signature verification method.

Continue reading

“Nickel” APT Group: What We Found Out About Microsoft’s Latest Domain Seizure

Microsoft recently seized 42 domains attributed to the China-based Nickel APT group.1 We subjected these web properties to WHOIS queries to find more information.

Continue reading

Exposing the Connection between a Most Wanted Cybercriminal and the BlackEnergy DDoS Attack

Oleksandr Vitalyevich Ieremenko1 is a Ukrainian national charged with several fraud-related and cybercrime cases in August 2015. Barely a year after the allegation, Ieremenko joined a cybercrime group led by Artem Viacheslavovich Radchenko and gained unauthorized entry into the U.S. Securities and Exchange Commission (SEC) network.

Continue reading

A Most Wanted Cybercriminal Runs a Profitable Android Malware Enterprise

Danil Potekhin,1 a Russian national, managed to steal approximately US$17 million from users of several digital currency exchange platforms by defrauding several cryptocurrency exchange sites. Potekhin was then indicted2 in September 2020 for conspiracy to commit computer fraud, unauthorized access to a protected computer, and aggravated identity theft, among other crimes.

Continue reading

Exposing Hundreds of Rogue VPN Domains Potentially Connected to the NSA

WhoisXML API DNS Threat Researcher Dancho Danchev identified domain intelligence related to several bogus free VPN service providers. Those bogus entities could seemingly be traced back to the National Security Agency (NSA) as part of an effort to monitor the online activities of suspicious Iran-based users. 

Continue reading

IoC Report Exposing a Currently Active Cyber Jihad Campaign’s Domain Portfolio

Cyber jihad, a term that loosely describes using the Internet as a communication, fundraising, recruitment, training, and planning tool in cyber attacks[1], gained traction over the years. It has become a force to reckon with for many government institutions tasked to battle cyberterrorism. In fact, at the end of 2020 alone, three cyber-enabled campaigns targeting government institutions worldwide were brought down[2].

Continue reading

CEO Impersonation Alert: A Look into the Top 100 CEOs of 2021

Total losses from BEC scams and CEO impersonation are estimated at tens of US$billion[1][2] over the past years. In 2021, Elon Musk’s impersonators were able to amass about US$2 million[3] from numerous victims. 

Continue reading

Exposing 1,100+ NSO Spyware Group’s Domains, IP Addresses, and MD5 Hashes

The NSO Spyware Group’s spyware dubbed “Pegasus” is known for its ability to be covertly installed on mobile phones running different versions of Android and iOS and spy on their owners’ activities.

Continue reading

Exposing 100+ Domains Possibly Belonging to the Ashiyane Digital Security Team

The Ashiyane Digital Security Team is known to be a gray hat network security company based in Iran.1 It has been allegedly connected to several state-sponsored attacks against various countries over the years. 

Continue reading

IoC Report Exposing Potential Actors behind the Conficker Botnet

Conficker, which infected millions of systems in its heyday in 2008, continues to infect tens of thousands of devices. Dubbed as the “worm that nearly ate the Internet1,” Conficker targets computers running on Microsoft operating systems (OSs), creating a colossal botnet that can be used to launch large-scale cyber attacks.

Continue reading
Try our WhoisXML API for free
Get started