#Infoblox

2025-05-27

Last week, Microsoft reported that their Digital Crimes Unit (DCU) and international partners disrupted Lumma Stealer by taking down 2,300 domains critical to the malware's operation. Shortly after, Palo Alto's Unit 42 reported that cyber campaigns that previously dropped Lumma Stealer are now distributing StealC infostealer payloads. We analyzed the DNS infrastructure related to the attacks and discovered a large number of malicious registered domain generation algorithm (RDGA) domains. Based on passive DNS, the threat actor that controls the infrastructure pointed the domains to a staging environment on a dedicated Panama IP address (self-signed SSL) before deploying them. We identified 144 unique domains in this IP space, and all of them were detected as "suspicious" by our algorithms 1-2 months before they were activated for malicious activity.

Disrupting criminal operations is difficult and they will find ways to resurface. However, this example proves that blocking connections at the DNS level can often protect users against the new versions before they emerge. The infostealer actors made a quick turn, but we were already blocking their path. Our specialty is in DNS analytics, so we use DNS signatures, as opposed to malware signatures, for preemptive security. We love this stuff.

Here are some examples of the RDGA domains:
2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, 832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, bot113cloud[.]cyou, bot113cloud[.]my

These campaigns share similar TTPs with those that we reported several months ago. The threat actor that we discussed in this post (infosec.exchange/@InfobloxThre) also distributed Lumma Stealer and used RDGA domains, but incorporated additional components, such as traffic distribution systems (TDS), web trackers, and cloakers.


#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #infostealer #lummastealer #stealc #tds #tracker #cloaker #rdga
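Added example (not Infoblox's algorithm, not code from the post): the sample above shows the bulk-registration shape of an RDGA family, one label bought under several cheap TLDs at once. The script below groups the post's defanged list by second-level label and reports which labels were registered under three or more TLDs and which TLD set the family reuses. The naive label/TLD split assumes single-label TLDs like .cfd; a public-suffix list is needed for .co.uk-style names.

```python
"""Group registered-DGA (RDGA) candidates by the second-level label they share.

Added example, not Infoblox tooling. The input is the defanged sample list
quoted in the post; the clustering rule (one label registered under several
TLDs) is the heuristic being demonstrated, not Infoblox's detection logic.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Sample domains quoted from the post (defanged with [.]).
SAMPLE = (
    "2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, "
    "832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, "
    "b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, "
    "bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, "
    "bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, "
    "bot113cloud[.]cyou, bot113cloud[.]my"
)


def parse_sample(text: str) -> List[str]:
    """Split a comma-separated indicator list into individual domains."""
    return [t.strip() for t in text.split(",") if t.strip()]


def refang(domain: str) -> str:
    """Turn 'bin48[.]cfd' back into 'bin48.cfd' for processing."""
    return domain.strip().lower().replace("[.]", ".")


def split_domain(domain: str) -> Tuple[str, str]:
    """Naive split: everything before the last dot is the label, after it the TLD.
    Good enough for single-label TLDs like .cfd; use a public-suffix list otherwise."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def cluster_by_label(domains: List[str]) -> Dict[str, Set[str]]:
    """Map each second-level label to the set of TLDs it was registered under."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for d in domains:
        label, tld = split_domain(refang(d))
        groups[label].add(tld)
    return dict(groups)


def rdga_candidates(domains: List[str], min_tlds: int = 3) -> List[str]:
    """Labels registered under at least `min_tlds` TLDs: the bulk-registration
    pattern that marks an RDGA family rather than a one-off domain."""
    return sorted(label for label, tlds in cluster_by_label(domains).items()
                  if len(tlds) >= min_tlds)


def shared_tlds(domains: List[str], labels: List[str]) -> List[str]:
    """TLDs common to every listed label; an RDGA family tends to reuse one TLD set,
    which is a useful pivot for finding siblings the sample did not include."""
    groups = cluster_by_label(domains)
    common: Optional[Set[str]] = None
    for label in labels:
        common = set(groups[label]) if common is None else common & groups[label]
    return sorted(common or set())


if __name__ == "__main__":
    doms = parse_sample(SAMPLE)
    fam = rdga_candidates(doms)
    print("candidate labels:", fam)
    print("TLD set shared by the family:", shared_tlds(doms, fam))
```

The label-across-TLDs signal is what lets a domain be scored before it serves anything; pairing it with passive DNS (all labels resolving to the same staging IP, as the post describes) is what turns a cluster into a block list.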

2025-05-23

Our latest blog is out! It covers a rising issue that many major organizations experience: subdomain hijacking through abandoned cloud resources.

This research follows our reporting from earlier in the year about the CDC subdomain hijack. We initially assumed that this was an isolated incident. Well… We were wrong.

We tied some of this activity to a threat actor, dubbed Hazy Hawk, who hijacks high-profile subdomains and uses them to conduct large-scale scams and malware distribution.

blogs.infoblox.com/threat-inte

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #HazyHawk

[Image: a description of how Hazy Hawk attacks work]

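Added example (not Infoblox tooling, not from the blog): the check a zone owner would run for the abandoned-cloud-resource problem described above. It walks a zone's CNAME records, keeps those that point into a cloud namespace where released names can be re-registered, and flags targets that no longer resolve. The zone records, the resolver state and the provider-suffix list are all constructed for illustration; the hypothetical fake_resolve() stands in for a real lookup.

```python
"""Find subdomains whose CNAME points at a cloud resource nobody owns any more.

Added example, not Infoblox tooling. ZONE_CNAMES and LIVE_TARGETS are
constructed; CLOUD_SUFFIXES is an assumed, incomplete list of provider
hostname patterns under which a released resource name can be claimed by
anyone. A real run would swap fake_resolve() for an actual resolver call.
"""
from typing import Callable, Dict, List, Optional

CLOUD_SUFFIXES = (
    ".azurewebsites.net", ".blob.core.windows.net", ".trafficmanager.net",
    ".cloudfront.net", ".s3.amazonaws.com", ".elasticbeanstalk.com",
    ".herokuapp.com", ".github.io", ".pages.dev", ".netlify.app",
)

# Constructed zone export: (owner name, CNAME target).
ZONE_CNAMES = [
    ("promo.example.org", "promo-site.azurewebsites.net"),
    ("cdn.example.org", "d111111abcdef8.cloudfront.net"),
    ("old-app.example.org", "old-app.trafficmanager.net"),
    ("www.example.org", "example-org.github.io"),
    ("mail.example.org", "mx.example-mailhost.net"),
]

# Constructed resolver state: targets that still resolve, and to what.
LIVE_TARGETS: Dict[str, List[str]] = {
    "d111111abcdef8.cloudfront.net": ["203.0.113.10"],
    "example-org.github.io": ["192.0.2.5"],
    "mx.example-mailhost.net": ["198.51.100.20"],
}

Resolver = Callable[[str], Optional[List[str]]]


def fake_resolve(name: str) -> Optional[List[str]]:
    """Stand-in for an A/AAAA lookup; None models NXDOMAIN."""
    return LIVE_TARGETS.get(name.lower().rstrip("."))


def cloud_provider(target: str) -> Optional[str]:
    """Which claimable-namespace suffix (if any) the CNAME target lives under."""
    t = target.lower().rstrip(".")
    for suffix in CLOUD_SUFFIXES:
        if t.endswith(suffix):
            return suffix.lstrip(".")
    return None


def find_dangling(cnames, resolve: Resolver):
    """CNAMEs into a cloud namespace whose target no longer exists.

    Those are the records an attacker can take over by creating a resource
    with the old name; the parent's DNS then sends real traffic to it."""
    findings = []
    for owner, target in cnames:
        provider = cloud_provider(target)
        if provider is None:
            continue          # not in a claimable namespace; out of scope here
        if resolve(target) is None:
            findings.append({"owner": owner, "target": target, "provider": provider})
    return findings


def dangling_owners(cnames=ZONE_CNAMES, resolve: Resolver = fake_resolve) -> List[str]:
    return [f["owner"] for f in find_dangling(cnames, resolve)]


if __name__ == "__main__":
    for f in find_dangling(ZONE_CNAMES, fake_resolve):
        print(f"{f['owner']} -> {f['target']} ({f['provider']}): target gone, claimable")
```

Two caveats for real use. NXDOMAIN is only a signal for providers that actually drop the name when the resource is deleted; S3-style wildcard endpoints keep resolving, and there the tell is the provider's "no such resource" HTTP error body, so the check has to be per-provider. And a hit means "claimable", not "claimed": confirming an active hijack means fetching the page, which is how the blog's Hazy Hawk content was found.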
2025-05-16

Over the past few years, we've been discussing our research into Traffic Distribution Systems (TDSs), especially those that power malicious adtech. We've created this cheatsheet to help those unfamiliar with TDSs get up to speed. Tell us what you think and if there are any other cheatsheets you feel would be helpful!

#tds #threatintel #threatintelligence #cybersecurity #cybercrime #infosec #infoblox #infobloxthreatintel

[Image: cheatsheet describing Traffic Distribution Systems, made by Infoblox Threat Intel]

2025-05-09

Who doesn't love a bargain? Security Researchers do, especially when they lead to shady stores, dodgy domains, and mysterious merchant accounts!

Recently, while perusing Facebook Marketplace, I stumbled upon some enticingly low-priced items that led me to intriguing domains promising more great bargains. Having recently schooled a family member that fell for a similar scam, I decided to dig deeper and disrupt these scammy storekeepers.

Based on my investigation, and my relative's real-world experience, here's how these scams play out:
- Scammers use compromised social media accounts to post ads directing victims to fake storefronts.
- Popular items are offered at too-good-to-be-true prices, usually under £100/$100, claiming to be excess stock or lost packages needing to be cleared from their warehouses.
- Payments are accepted via PayPal and Stripe, using various merchant accounts that seem to change with each checkout process.
- PayPal payments involve a secondary domain that also appears to be a fake storefront. The merchant account email addresses use different recently registered domains.
- Stripe payments originate from the initial domain with the merchant purporting to be a fashion store LLC that lists yet another suspicious storefront domain.
- Order confirmation and tracking details are provided by email after payment to avoid any suspicion. The scammers are also prompt to reply to any inquiries and readily apologize for shipping delays.
- Fake tracking information shows your 'package' crawling from (virtual) port to port before being returned to the supplier due to a 'Customs clearance' failure... how convenient!

This drawn-out process can last over a month, leading many victims to write off the loss and chalk it up to experience. This delaying tactic also benefits the scammers, allowing them to gather as many sales as possible and cash out before complaints are made to the payment processors.

Recent storefront domains:
- amnn[.]shop
- eorv[.]shop
- eroc[.]shop
- uing[.]shop

Secondary payment domains:
- mccjf[.]store
- fa71[.]store
- mimidai[.]store
- hu81[.]store

PayPal merchant email accounts:
- <name>@<subdomain>.alfonsoa[.]vip
- <name>@<subdomain>.gualive[.]club

Stripe merchant domains:
- alinakapparel[.]com
- biriaievyr[.]com
- laurawear[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam

2025-05-07

In our new blog, we share a personal experience of being approached for a fake remote job on Telegram and uncover the methods scammers use to deceive and exploit victims. We were eventually able to trick the scammers and withdraw some money before they finally caught onto us!

You can find the blog here: blogs.infoblox.com/threat-inte

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #pigbutchering #crypto

2025-05-01

There is another Lizard on the radar! Looming Lizard is an actor creating hundreds of lookalike domains impersonating popular banks and telecommunication companies, targeting Spanish-speaking countries such as Mexico. Not only are they lookalikes, but they are also RDGAs (registered DGAs), with new domains created on a daily basis. These are some of the entities they impersonate:

- Banks: Banorte, BBVA, Citi, HSBC, Itaú, Santander, Scotiabank
- Telecommunications: AT&T, BTC, Claro, Liberty, Movistar, Telcel, Tigo
- Others: post offices, department stores, energy companies

For one of the lookalikes to Tigo (tigoppy[.]club), the actor was kind enough to offer the ability to trade our (fake) account points for nice prizes (wink wink). Sample of domains for each mentioned company:

- banortex[.]vip, banortepmex[.]store, banorteoi[.]icu, banorteoi[.]sbs, banortebc[.]top
- bbvamex[.]xin, bbvamex[.]xyz, bbvamxn[.]cyou, bbvamxn[.]store, bbvamxn[.]sbs
- citiprr[.]top, citipr[.]top, citipr[.]vip, citiipir[.]top, citiipir[.]vip
- mex-hsbc[.]xyz, mexhsbc[.]icu, mex-hsbc[.]icu, mex-hsbc[.]xin, mexhsbck[.]pro
- itauupy[.]top, ittau[.]top, itauupyi[.]top, itaui[.]cfd, itaupy[.]top
- santander-mex[.]xin, santandermox[.]vip, santander-mex[.]sbs, santander-mex[.]icu, santandermox[.]xyz
- scotiabank-mx[.]xyz, scotiabok[.]xyz, scotiiiai[.]vip, scotiabanukmx[.]sbs, scotiiiai[.]xin
- attmiex[.]pro, att-com-mx[.]top, attmmex[.]xyz, att-com-mx[.]xin, attmmex[.]vip
- btcbahamass[.]vip, btcbahamasni[.]vip, btcbahamasni[.]xin, btcbahamasi[.]top, btcbahamasni[.]top
- claroar[.]top, claroec[.]vip, clarosv[.]top, claropy[.]vip, clarolo[.]top
- liberty-cr[.]xyz, liberty-cr[.]vip, liberty-cr[.]icu, liberty-cr[.]xin, liberty-cr[.]cc
- movisstar[.]pro, movisstar[.]xyz, movistar-uy[.]xin, movisstar[.]sbs, movistarui[.]icu
- telcelsi[.]top, telcelt[.]bond, telcele[.]info, telceln[.]qpon, telcel0[.]online
- tiiigopy[.]xyz, tigosv[.]top, tigosv[.]cc, tigosvi[.]top, tigoipy[.]top

urlscan.io/result/375469cb-d1a
urlscan.io/result/019656a1-67b

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infoblox #infobloxthreatintel #lookalike #phishing #rdga #scam

[Image: screenshot of lookalike domain impersonating Scotiabank]

2025-04-24

With a goal of simplifying enterprise network security, Infoblox and Google Cloud partner on DNS security solutions
admin-magazine.com/News/Infobl
#Infoblox #Google #security #DNS #enterprise #networking

ADMIN Network & Security News

2025-04-24

I'm very busy today (even though I have no hair 😎). Infoblox in the morning, Dell in the afternoon.

#iamSK #ITPro #ITProfessional #ITNomad #DigitalNomad #Seminar #Conference #Badge #Infoblox #Dell

2025-04-23

Infoblox Threat Intel had the opportunity to collaborate with the United Nations Office on Drugs and Crime (#UNODC) for their latest report on South East Asian Crime. The report is titled "Inflection Point". It is a great in-depth analysis of the triads and how they fuel the current scam epidemic.

Organized crime is booming - as you can see with the picture below which shows the growth in the physical footprint of the compounds they operate.

Our part of the collaboration (pages 37-42 of the 90+ page report) was around a single actor that we can track in #dns -- naturally!

We analysed a number of illegal Chinese-operated gambling websites and soon found out they were operated by the same 'gambling provider', which we named Vault Viper. Vault Viper develops its very own "secure gambling browser". Of course it's #malware.

Through DNS, we discovered the companies behind Vault Viper were in fact controlled by Suncity - a criminal junket whose founder has been convicted of laundering billions of dollars.

unodc.org/roseap/en/2025/04/cy

Illegal gambling is not harmless fun. It fuels some of the largest criminal networks in the world.

The entire report is worth reading to get the latest view from experts on the world of organized crime in Asia that is running #scam, #pigbutchering, #humantrafficking, #cybercrime, #malware, #illegalgambling, illegal porn and who knows what else. The image below shows just how much it has grown in a few years from physical footprints.

We'll be releasing a detailed report on Vault Viper in the coming months.

#infobloxthreatintel #infoblox
#organizedcrime #china

[Image: satellite imagery showing the growth of crime compounds in South East Asia over a few-year period]

2025-04-16

“Your device has been blocked due to illegal activity” — 🙄 sure it has. After fat-fingering github[.]com, we were redirected to a domain running a fake Microsoft tech support scam: pop-ups that lock your browser, shout scary messages, and push you to call a “support” number (aka the scammer who'll walk you through installing remote access tools).

They're hosted on legit infra like Azure blobs or Cloudflare Pages. That one redirect led to uncovering 1,200+ other domains hosting identical fake support pages. Of course, whenever a redirect like this happens, there's a malicious traffic distribution system (TDS) involved.

Examples include:
- tenecitur.z1.web.core.windows[.]net
- neon-kleicha-36b137[.]netlify[.]app
- us6fixyourwindowsnow[.]pages[.]dev
- microsoft-coral-app-6xv89.ondigitalocean[.]app

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #tds

2025-04-10

Scams Taking Their Toll?

We've previously posted about toll-themed domains being used in mass smishing campaigns targeting drivers in the US, but they're not the only ones being taken for a ride. While recently investigating a huge cluster of scam domains sharing many similar traits, we've noticed toll scams targeting drivers far and wide, including in Australia, Hong Kong, New Zealand, Portugal, Saudi Arabia, Singapore, Taiwan and the United Arab Emirates.

Think you're safe because you didn't click submit? Think again! These crafty wheeler-dealers are using the JavaScript Socket.io library for real-time communications, meaning text is sent to the scammers as you type!

Examining these back-and-forth communications suggests that your data is being sent to a chat room, and the server response includes 'online-count-user,' showing you're not the only one interacting with the scam at that moment.

Regional examples:
- AU - inforequestl[.]icu
- HK - hketcupdate[.]top
- NZ - niztagoovt[.]com
- PT - visitorsa-pt[.]click
- SA - absher[.]qpon
- SG - lta-gov-sg[.]top
- TW - fetollc[.]top
- AE - dubaipoieh[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing

2025-04-09

Going to RSA? We’re giving a 2 hour hands-on learning lab on traffic distribution systems (TDS). Malicious actors use these to hide their activity from security teams and deliver tailored content to victims.

Not going to RSA? We’ve written a number of articles on this topic (some included below) and we’re happy to answer questions about TDSs here on Mastodon.

blogs.infoblox.com/threat-inte
infoblox.com/resources/webinar
infoblox.com/resources/webinar
infoblox.com/resources/webinar

#dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #RSAC #RSAC25

2025-04-09

Parked domains are used in all sorts of interesting ways. Recently we saw a set used in the sender addresses of spam delivering Formbook malware. The emails were disguised as salary updates, purchase orders, fines, and vendor enrollments. The sender addresses typically appear to be from HR or some other official group associated with the subject.

The domains associated with these formbook campaigns are lookalikes, designed to impersonate legitimate brands in an attempt to dupe the victim. Some examples of the brands we have seen lookalikes for include Blue-Maritime and Vanity Case Group.

The spam itself appears to run through actor-controlled relays (SPF failures, etc.) and originate in AS203557 (Dataclub / Latvia). We see the same actor delivering Formbook via various campaigns for over a year, targeting users from different regions, including the Middle East, India, and the United States.

Because the domains are parked, it is hard to confirm whether the spam actor controls them or is just digging around parking lots.

Fun fact: Formbook malware is known to use parked domains for decoy C2 URLs as well.

IOCs: blu-maritlme[.]com, thevenitycase[.]com
Example filename: Gross Misconduct.rar
Sha256: 09590f63531e7e5d7b8e86a55e1e3014cc86c99694c94a29c95215acac227c89

#dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #malware #formbook #spam

2025-04-08

Online gambling operators are sponsoring charities?? If only :(

We've identified a malicious gambling affiliate whose specialty is to buy expired domain names which used to belong to charities or reputable organisations.

Once they own a domain, they host a website impersonating its previous owner, where they claim to "deeply appreciate the support from [their] sponsors", which surprise surprise, all turn out to be dubious online gambling companies.

Because the domain they are taking over is often abandoned or managed by non-technical people, its previous owner often doesn't notify anyone that they've lost control of their website, so it continues being referenced in genuine content, and it continues getting traffic from old links scattered throughout the internet.

teampiersma[.]org (screenshots below)
americankayak[.]org
getelevateapp[.]com
hotshotsarena[.]com
nehilp[.]org
questionner-le-numerique[.]org
sip-events[.]co[.]uk
studentlendinganalytics[.]com
thegallatincountynews[.]com

Comparison content:
2018: web.archive.org/web/2018011904
2025: web.archive.org/web/2025040109

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #dropcatch #charity

[Image: gambling actor's purchased domain advertising gambling sponsors; the domain was originally for a non-profit]
[Image: original content of the non-profit website, which was purchased by gambling actors]

2025-04-07

Is the sky fluxxing?! Last week a CISA advisory on DNS Fast Flux created a lot of buzz. We have an insider's take.

Fast Flux is a nearly 20 year old technique and is essentially the malicious use of dynamic DNS. It is critical that protective DNS services understand this -- and all other DNS techniques -- on that we agree.

What we also know as experts in DNS is that there are many ways to skin a cat, as they say.

#dns #threatintel #cisa #malware #phishing #threatintelligence #infobloxthreatintel #infoblox #cybercrime #cybersecurity #infosec

blogs.infoblox.com/threat-inte
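Added example (not Infoblox's detection, not from the blog): the post calls fast flux the malicious use of dynamic DNS, and the classic way a protective DNS service spots it in passive DNS is the combination of many distinct A records, spread across unrelated networks, rotated behind a short TTL. The script below scores constructed passive-DNS records that way and shows why the network-diversity term matters: a CDN-style name with many IPs and a short TTL but all in one /24 must not trip it. The /16 prefix is an assumed stand-in for an ASN lookup.

```python
"""Score passive-DNS A records for fast-flux behaviour.

Added example, not Infoblox's detection. Records are constructed (RFC 5737
documentation addresses). Heuristic: many distinct IPs across unrelated
networks, rotated behind a short TTL. A real pipeline would use ASN lookups
instead of the /16 proxy used here.
"""
import ipaddress
import statistics
from collections import defaultdict

PDNS = [
    # constructed fluxing phishing host: six IPs in three unrelated /16s, TTL 60
    *[{"rrname": "secure-login.example", "rrtype": "A", "rdata": ip, "ttl": 60}
      for ip in ("192.0.2.10", "192.0.2.77", "198.51.100.7",
                 "198.51.100.200", "203.0.113.99", "203.0.113.5")],
    # constructed CDN-style host: also many IPs and a short TTL, but one /24
    *[{"rrname": "cdn.example", "rrtype": "A", "rdata": f"203.0.113.{i}", "ttl": 30}
      for i in range(20, 26)],
    # constructed ordinary static host
    {"rrname": "www.example", "rrtype": "A", "rdata": "198.51.100.42", "ttl": 3600},
    {"rrname": "www.example", "rrtype": "MX", "rdata": "10 mail.example.", "ttl": 3600},
]


def flux_scores(records, min_ips=5, min_nets=3, max_ttl=300):
    """Per-name counts of unique IPs and unique /16s plus median TTL, with a verdict."""
    by_name = defaultdict(list)
    for r in records:
        if r["rrtype"] == "A":            # only address records carry the flux signal
            by_name[r["rrname"]].append(r)
    scores = {}
    for name, rs in by_name.items():
        ips = {r["rdata"] for r in rs}
        nets = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
        ttl = statistics.median(r["ttl"] for r in rs)
        scores[name] = {
            "unique_ips": len(ips),
            "unique_nets": len(nets),
            "median_ttl": ttl,
            "fast_flux": len(ips) >= min_ips and len(nets) >= min_nets and ttl <= max_ttl,
        }
    return scores


def fluxing_names(records, **thresholds):
    """Names whose record history meets all three flux conditions."""
    return sorted(n for n, s in flux_scores(records, **thresholds).items() if s["fast_flux"])


if __name__ == "__main__":
    for name, s in flux_scores(PDNS).items():
        print(name, s)
    print("fast flux:", fluxing_names(PDNS))
```

This is one technique among several the post alludes to: RDGA families and TDS redirect chains do not look like this at all, which is why a resolver-side block list cannot rest on a flux score alone.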

2025-04-03

This week, we encountered a new phishing campaign utilizing the Tycoon 2FA Phishing-as-a-Service (PhaaS) to bypass multifactor authentication (MFA).

The RDGA domains have Russian TLDs but are hosted on Cloudflare infrastructure. We have been seeing them use shared infrastructure for a few months now, definitely trying to make detection more challenging. They continue to obfuscate every piece of code but have updated their verification page. Previously, we always saw their custom Cloudflare Turnstile page, but now they also use a new captcha challenge, as shown below. (You can also check it here: urlscan.io/result/0195ed8b-7a4)

Their old Cloudflare Turnstile page seems to still be their favorite, even though they now change their message more frequently: "Checking response before request" or "Tracking security across platform" are some of the new messages they use.

Here is a sample of the hundreds of domains we are detecting:
womivor[.]ru
nthecatepi[.]ru
toimlqdo[.]ru
dantherevin[.]ru
xptdieemy[.]ru

#dns #domains #phishing #AitM #PhaaS #tycoon #scam #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #2MFABypass

[Image: new verification page associated with Tycoon PhaaS]
[Image: Cloudflare verification page associated with Tycoon PhaaS]

2025-04-02

One of our researchers recently received a text from an unknown number saying they were eligible to receive a full refund for an Amazon order. The message contained a link to a URL on t[.]co, Twitter/X's link shortener. Clicking the link led to the domain 267536[.]cc, which hosted an Amazon phishing page.

From this lead, we were able to find many more domains hosting the same content. The actor registering the domains seems to like .cc, the country code TLD for the Cocos Islands.

Sample of the domains:
236564[.]cc
267536[.]cc
671624[.]cc
687127[.]cc
319632[.]cc

#cybercrime #cybersecurity #dns #infoblox #infobloxthreatintel #infosec #scam #sms #smishing #phishing #threatintel #threatintelligence

[Image: screenshot of a phishing page impersonating Amazon]

2025-03-29

Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.

Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.

One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.

Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.

Block these:

user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa

2025-03-29

We published a blog yesterday about a PhaaS and phishing kit that employs DoH and DNS MX records to dynamically serve personalized phishing content. It also uses adtech infrastructure to bypass email security and sends stolen credentials to various data collection spaces, such as Telegram, Discord, and email. blogs.infoblox.com/threat-inte

#dns #doh #mx #adtech #obfuscation #phaas #phishing #phishingkit #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #wordpress #spam #telegram #discord #morphingmeerkat
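Added example (not the kit's code, not Infoblox tooling, not from the blog): to see why the MX trick lets one phishing link serve a page branded for each victim's mail provider, the script below reproduces that step. It parses an MX answer in the JSON form that public DoH resolvers return (dns.google/resolve and cloudflare-dns.com/dns-query both accept name=...&type=MX), takes the primary MX host, and picks a template from an assumed suffix table. All DoH responses here are constructed so the block runs offline.

```python
"""Reproduce the MX-lookup step of a phishing kit that tailors its page to the
victim's mail provider, so defenders can predict what template a domain gets.

Added example, not the kit's code and not Infoblox tooling. DOH_ANSWERS are
constructed in the JSON shape served by public DoH resolvers; the
PROVIDER_SUFFIXES table is an assumption for illustration.
"""
import json
from typing import List, Optional

# Assumed MX-host suffix -> provider (i.e. which branded login page to show).
PROVIDER_SUFFIXES = {
    ".google.com": "Google Workspace",
    ".googlemail.com": "Google Workspace",
    ".mail.protection.outlook.com": "Microsoft 365",
    ".olc.protection.outlook.com": "Microsoft 365",
    ".pphosted.com": "Proofpoint",
    ".mimecast.com": "Mimecast",
    ".yahoodns.net": "Yahoo",
    ".zoho.com": "Zoho",
}

# Constructed DoH responses keyed by the domain part of the victim's address.
DOH_ANSWERS = {
    "victim-corp.example": json.dumps({
        "Status": 0,
        "Answer": [
            {"name": "victim-corp.example.", "type": 15, "TTL": 300,
             "data": "20 alt1.aspmx.l.google.com."},
            {"name": "victim-corp.example.", "type": 15, "TTL": 300,
             "data": "10 aspmx.l.google.com."},
        ],
    }),
    "contoso-like.example": json.dumps({
        "Status": 0,
        "Answer": [
            {"name": "contoso-like.example.", "type": 15, "TTL": 3600,
             "data": "0 contoso-like-example.mail.protection.outlook.com."},
        ],
    }),
    "no-mail.example": json.dumps({"Status": 0}),   # NOERROR but no MX records
    "gone.example": json.dumps({"Status": 3}),      # NXDOMAIN
}


def mx_hosts(doh_json: str) -> List[str]:
    """MX hostnames ordered by preference (lowest number first); [] if none."""
    doc = json.loads(doh_json)
    if doc.get("Status") != 0:
        return []
    rows = []
    for rr in doc.get("Answer", []):
        if rr.get("type") != 15:          # 15 is the MX RR type
            continue
        pref, _, host = rr["data"].partition(" ")
        rows.append((int(pref), host.rstrip(".").lower()))
    return [host for _, host in sorted(rows)]


def provider_for(mx_host: str) -> Optional[str]:
    """Map a primary MX host to a provider by suffix; None if unknown."""
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if mx_host.endswith(suffix):
            return provider
    return None


def template_for(domain: str, answers=DOH_ANSWERS) -> str:
    """The kit's decision: primary MX -> provider -> branded page, else generic."""
    hosts = mx_hosts(answers.get(domain, json.dumps({"Status": 3})))
    if not hosts:
        return "generic"
    return provider_for(hosts[0]) or "generic"


if __name__ == "__main__":
    for d in DOH_ANSWERS:
        print(d, "->", template_for(d))
```

Two things follow for defenders. Because the lookup runs in the victim's browser against a public DoH endpoint, a web proxy that blocks or logs application/dns-json requests from endpoints turns the kit's own personalisation step into a detection signal. And a sandbox that detonates the link from a domain with no MX record only ever sees the generic page, so the branded version has to be fetched with a realistic email address in the URL.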

2025-03-28

Last week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. Its legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens.

Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies.

Here are a few samples of the domains:

- reag-br[.]com: lookalike for Reag Capital Holdings, Brazil.
- creo--ia[.]com: lookalike for an industrial fabrication firm in Washington State.
- admiralsmetal[.]com: lookalike for a US-based metals provider.
- ustructuressinc[.]com: lookalike for a Colorado-based heavy civil contractor.
- elisontechnologies[.]com: typosquat of Ellison Technologies, machine fabrication.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #phishing #malware #scam #dod
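Added example (not Infoblox's lookalike detection, not from either post): the Looming Lizard list above and the cdsi--simi case here show three distinct lookalike constructions, a brand label embedded in a longer label (banortex, bbvamxn), a near-miss spelling (movisstar, scotiabok, elisontechnologies), and hyphen doubling (cdsi--simi against cdsi-simi). The classifier below applies those three rules against a small brand table. Of the legitimate domains in that table only cdsi-simi.com comes from the post; the rest are assumed for illustration, and the single-label split ignores TLD swaps, which a production check would treat separately.

```python
"""Classify a domain as a lookalike of a known brand, or not.

Added example; not Infoblox's lookalike detection. KNOWN maps brand names
to legitimate registered domains: cdsi-simi.com is taken from the post,
the others are assumed. Three rules are demonstrated: a brand label
embedded in the lookalike, a near-miss spelling, and hyphen doubling.
"""
import re
from typing import Optional, Tuple

KNOWN = {
    "Banorte": ["banorte.com"],
    "BBVA": ["bbva.mx"],
    "Scotiabank": ["scotiabank.com"],
    "AT&T": ["att.com"],
    "Movistar": ["movistar.com"],
    "Itaú": ["itau.com.br"],
    "Telcel": ["telcel.com"],
    "Tigo": ["tigo.com"],
    "CDSI": ["cdsi-simi.com"],
    "Ellison Technologies": ["ellisontechnologies.com"],
}


def refang(domain: str) -> str:
    return domain.strip().lower().replace("[.]", ".")


def first_label(domain: str) -> str:
    # naive: the leftmost label; fine for the second-level lookalikes in the posts
    return domain.split(".")[0]


def squash(label: str) -> str:
    """Drop hyphens and digits so 'bbva-mx1' and 'bbvamx' compare equal."""
    return re.sub(r"[-0-9]", "", label)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, known=KNOWN) -> Optional[Tuple[str, str]]:
    """(brand, rule) for a lookalike; None for the genuine domain or no match."""
    d = refang(domain)
    label = first_label(d)

    # Rule 1: the genuine domain is never a lookalike; a doubled hyphen always is.
    for brand, legits in known.items():
        for legit in legits:
            if d == legit:
                return None
            legit_label = first_label(legit)
            if label != legit_label and re.sub(r"-{2,}", "-", label) == legit_label:
                return (brand, "hyphen-doubling")

    # Rule 2: brand label embedded in the lookalike. Short brands only match as a
    # prefix, so 'att' does not fire on every label that happens to contain it.
    sq = squash(label)
    for brand, legits in known.items():
        for legit in legits:
            core = squash(first_label(legit))
            hit = sq.startswith(core) if len(core) < 5 else core in sq
            if hit:
                return (brand, "contains")

    # Rule 3: near-miss spelling; a second edit is allowed only for long labels.
    for brand, legits in known.items():
        for legit in legits:
            core = squash(first_label(legit))
            budget = 2 if len(core) >= 8 else 1
            if levenshtein(sq, core) <= budget:
                return (brand, "near-miss")
    return None


if __name__ == "__main__":
    for d in ("banortex[.]vip", "scotiabok[.]xyz", "movisstar[.]pro",
              "cdsi--simi[.]com", "elisontechnologies[.]com", "cdsi-simi[.]com"):
        print(d, "->", classify(d))
```

Heavier mangling such as scotiiiai or tiiigopy slips past all three rules, which is the point of the RDGA observation in the Looming Lizard post: once the actor generates labels rather than misspelling them, the registration pattern and the shared hosting are the stronger pivots, not the string itself.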
