Exposing the “Haters” behind Patriot Front

Patriot Front is a well-known white supremacist group in the U.S.¹ Most recently, dozens of the group’s members disrupted a Pride event in Idaho, resulting in their arrest.²

Careful, the Next Premium SMS Offer You Subscribe to May Be Malicious

Avast recently reported that SMSFactory Android Trojan has affected around 165,000 users worldwide.¹ But so far, only a few digital properties have been publicized as indicators of compromise (IoCs).²

Father’s Day: Bad Guys’ Activities

Whois API researchers previously uncovered suspicious web properties related to Mother’s Day¹. Some of them were outright malicious, while others hosted questionable content. This Father’s Day, we detected a similar trend, indicating that the bad guys are also getting ready for the special occasion.

Exposing the Criminal Infrastructure of the Blood and Honor Hate Group

Blood and Honor is a well-known right wing extremist (RWE) group that originated from the U.K. founded in 1987. They began spreading their messages through music that supported their political ideology.¹

WhoisXML API security researcher Dancho Danchev used various OSINT tools to help law enforcement agents track the group members’ digital footprints. His investigation revealed:

Blurring the Lines between APTs and Cybercrime: Cobalt Mirage Uses Ransomware to Target U.S. Organizations

Cobalt Mirage, a well-known APT group, recently took a page out of cybercriminals’ modus operandi—using ransomware—to go after targets earlier this month.¹ So far, only 11 domains and two IP addresses have been publicized as indicators of compromise (IoCs).²

Cardano Joins the List of Favored Crypto Scam Targets

It’s no longer unusual for cybercriminals to go after cryptocurrency owners. We’ve seen scams targeting Bitcoin¹ and Ethereum² owners before. This time, they’re going after Cardano coin owners³ with a supposed giveaway promo.

These DeFi Domains Might Be Risky to Investors

In addition to cryptocurrency wallets and non-fungible token (NFT) companies, malicious actors recently targeted decentralized financial (DeFi) platforms. They got away with US$90 million.¹ One way some NFT companies may be addressing the threat is by defensive domain registration.²

Website Defacement: Age-Old but Still Works as Ongoing Campaigns Show

Threat actors typically employ website defacement to further their political, environmental, or even personal agenda. Through SQL injection, cross-site scripting (XSS), and other initial compromise tactics, they replace the content of target sites to display their specially crafted messages.

Threat Actors Might Be Interested in Elon Musk’s Twitter Purchase Too

Threat actors often ride on the latest news and current events to lure users to their specially crafted malicious websites. We’ve seen that happen with the onset of the COVID-19 pandemic¹ and the birth of the Black Lives Matter movement.²

We may see that happen again given the hype surrounding Elon Musk’s recent purchase of Twitter.³

Sinkholing May Not Spell the End for Malware Hosts and Botnets

Sinkholing has long proven effective in taking down cybercriminal operations like WannaCry.¹ The process has, in fact, more recently employed by Microsoft to thwart Strontium cyber attacks targeting Ukrainians.²

Behind the Bylines of Fake News and Disinformation Pages

Fake news and disinformation campaigns pose real risks to nations worldwide as evidenced by research done by Statista.¹ Their peddlers’ motivation? Political and financial gain, according to some opinions.²

Through the Spyglass: NSO Group Spyware Pegasus in Focus

The NSO Group gained infamy for its proprietary spyware Pegasus. In 2021, in fact, Apple sued the company for its alleged ties to threats targeting its service and device users.¹

Operation Dream Job: Same Tactics, New Vulnerability and Domains?

Operation Dream Job is a threat group that takes advantage of people’s hope to improve their careers. Instead of finding their dream jobs, however, victims could find themselves vulnerable to remote code execution (RCE).¹

What Are the DNS Artifacts Associated with APT36 or Earth Karkaddan?

APT36 or Earth Kardakkan has been targeting government entities, most especially in India, for a couple of years now. But so far, only a few digital properties have been publicized as indicators of compromise (IoCs).^{1, 2}

Behind the Innovative Marketing Rogue Scareware Distribution Network

Innovative Marketing made waves as a rogue scareware operator more than a decade ago.¹ But while law enforcement authorities successfully thwarted its large-scale business, its owners have yet to be captured.^{2, 3}

Danchev and WhoisXML API’s research team sought to determine if the company left digital breadcrumbs behind using Maltego and various WhoisXML API tools. He uncovered an expansive list of domains, IP addresses, and other web properties that could help the cybersecurity industry finally put an end to Innovative Marketing.

OSINT Analysis of the World’s Biggest Cybercriminal Infrastructures

WhoisXML API maintains a list of the most prominent cybercriminal groups around the globe in an effort to help fellow researchers and vendors and the authorities enrich their actionable threat intelligence.

Are Cybersquatters Going After the Car Manufacturing Sector?

The recent supply chain attack¹ causing Toyota to halt production for days and lose 13,000 in car outputs underscores how wide an organization’s attack surface can be. It also proves how scattered threat vectors can be—from insider mistakes, third-party vulnerabilities, and many others.

From Fake News Proliferation to Data Theft: Tracing the Red Cross Hack to a Misinformation Network

The cyber attack against the International Committee of the Red Cross (ICRC) exposed the data belonging to more than 500,000 people worldwide.¹ While no indicators of compromise (IoCs) have been publicized so far, an interesting link to a fake news network was revealed by security researcher Brian Krebs.²

Under the Hood of the Infraud Organization Cybercriminal Operation

While 36 alleged Infraud Organization members were recently captured and indicted¹, the incident may not spell the end of woes related to the gang.

We took a closer look at published indicators of compromise (IoCs) related to Infraud Organization, specifically 11 domains, six IP addresses, and three email addresses, which were used as jump-off points to uncover more potential artifacts and IoCs.

Exposing Void Balaur’s Internet-Connected Infrastructure

Void Balaur is a cybercriminal gang, believed to be operating from Latvia, that has been launching typosquatting and spear phishing attacks targeting users worldwide.

WhoisXML API researcher Dancho Danchev recently dove deep into the perpetrators’ campaigns aided by current and historical WHOIS records to find actionable intelligence for cybersecurity and law enforcement purposes.

2022 Olympic Winter Games: Prime Ground for Phishing Lures?

Major sporting events, such as the Olympic Games, have always gained the attention of threat actors. A noteworthy example is the OlympicDestroyer malware¹ that targeted the 2018 Winter Olympics.

DHL Was the Most-Phished Company in 2021, Will That Be True in 2022, Too?

Checkpoint research revealed that DHL was the most-phished brand in 2021,¹ which led us to wonder if the same will hold for 2022. We scoured the Web for domains and subdomains containing “dhl” and subjected these to further scrutiny to identify more connected artifacts.

An OSINT Analysis of Infraud Organization and Its Cybercriminal Infrastructure

WhoisXML API researcher Dancho Danchev recently delved deep into the Infraud Organization’s cybercriminal infrastructure. Infraud Organization is well-known for maintaining a cybercriminal forum that provides threat actors tons of stolen credit card information.¹ Danchev used WHOIS, IP, and DNS tools to identify more artifacts connected to the threat.

Web Search Results Reveal a Suspicious Network of Domains

Search engine scams continue to increase in volume despite the security efforts of major search engine services. The persistent effectiveness of blackhat SEO techniques and the growing list of suspicious or unwanted search results are just some of the pressing concerns that plague Internet users.

Malicious Valentine: Uncovering Thousands of Domains Connected to Romance-Themed Campaigns

Romance-themed campaigns have several faces—some pose as online dating sites¹ while others as fake applications.² These campaigns occur year-round, but Valentine’s Day could make more people vulnerable. In line with this, WhoisXML API researchers gathered and analyzed the IoCs of romance or Valentine-themed campaigns. Among our key findings are:

Exploring BlackTech IoCs Reveals Hundreds of Artifacts in 2022

The BlackTech APT Group struck again, this time with the new FlagPro malware and IoCs. Since the group used the same C&C servers and infrastructure for multiple campaigns in the past, WhoisXML API analyzed the new IoCs together with those reported in the past two years. We uncovered artifacts and possible domain and IP connections. Our analysis includes:

REvil Ransomware: What Can We Learn from Published IoCs in 2022?

REvil has been one of the biggest ransomware threats in 2021, pushing the U.S. Department of State to post a US$10 million reward to anyone who can identify and locate the gang’s leaders.¹ AlienVault made headway in identifying REvil-hosting domains.² We subjected these web properties to IP and DNS searches to identify more connected artifacts.

New Zloader Campaign: Where Do IoCs Lead Us?

A new Zloader campaign has been detected. It is believed to be the work of the MalSmoke cybercrime group. More than 2,000 unique victim IP addresses have downloaded the malware, which exploits a vulnerability in Microsoft’s digital signature verification method.

“Nickel” APT Group: What We Found Out About Microsoft’s Latest Domain Seizure

Microsoft recently seized 42 domains attributed to the China-based Nickel APT group.¹ We subjected these web properties to WHOIS queries to find more information.

Exposing the Connection between a Most Wanted Cybercriminal and the BlackEnergy DDoS Attack

Oleksandr Vitalyevich Ieremenko¹ is a Ukrainian national charged with several fraud-related and cybercrime cases in August 2015. Barely a year after the allegation, Ieremenko joined a cybercrime group led by Artem Viacheslavovich Radchenko and gained unauthorized entry into the U.S. Securities and Exchange Commission (SEC) network.

A Most Wanted Cybercriminal Runs a Profitable Android Malware Enterprise

Danil Potekhin,¹ a Russian national, managed to steal approximately US$17 million from users of several digital currency exchange platforms by defrauding several cryptocurrency exchange sites. Potekhin was then indicted² in September 2020 for conspiracy to commit computer fraud, unauthorized access to a protected computer, and aggravated identity theft, among other crimes.

Exposing Hundreds of Rogue VPN Domains Potentially Connected to the NSA

WhoisXML API DNS Threat Researcher Dancho Danchev identified domain intelligence related to several bogus free VPN service providers. Those bogus entities could seemingly be traced back to the National Security Agency (NSA) as part of an effort to monitor the online activities of suspicious Iran-based users. 

IoC Report Exposing a Currently Active Cyber Jihad Campaign’s Domain Portfolio

Cyber jihad, a term that loosely describes using the Internet as a communication, fundraising, recruitment, training, and planning tool in cyber attacks^[1], gained traction over the years. It has become a force to reckon with for many government institutions tasked to battle cyberterrorism. In fact, at the end of 2020 alone, three cyber-enabled campaigns targeting government institutions worldwide were brought down^[2].

CEO Impersonation Alert: A Look into the Top 100 CEOs of 2021

Total losses from BEC scams and CEO impersonation are estimated at tens of US$billion^[1][2] over the past years. In 2021, Elon Musk’s impersonators were able to amass about US$2 million^[3] from numerous victims. 

Exposing 1,100+ NSO Spyware Group’s Domains, IP Addresses, and MD5 Hashes

The NSO Spyware Group’s spyware dubbed “Pegasus” is known for its ability to be covertly installed on mobile phones running different versions of Android and iOS and spy on their owners’ activities.

Exposing 100+ Domains Possibly Belonging to the Ashiyane Digital Security Team

The Ashiyane Digital Security Team is known to be a gray hat network security company based in Iran.¹ It has been allegedly connected to several state-sponsored attacks against various countries over the years. 

IoC Report Exposing Potential Actors behind the Conficker Botnet

Conficker, which infected millions of systems in its heyday in 2008, continues to infect tens of thousands of devices. Dubbed as the “worm that nearly ate the Internet¹,” Conficker targets computers running on Microsoft operating systems (OSs), creating a colossal botnet that can be used to launch large-scale cyber attacks.