#infobloxthreatintel

2025-10-24

When your "privacy browser" comes with a built-in surveillance suite, it's probably not about privacy.  Our latest research, in collaboration with UNODC, exposes Vault Viper. You might recognize them as "Baoying Group". They are running one of Asia's largest iGaming networks, BBIN, servicing scam centres and cyber-enabled fraud networks across the region.

At the center is the Universe Browser, promoted as a "privacy" and "anti-censorship" tool for illegal online gambling. In reality, it's a high-risk surveillance and exploitation platform designed to bypass detections, proxy access, and maintain persistent access across what we estimate to be millions of devices.

DNS analysis from Infoblox reveals tens of thousands of domains tied to Vault Viper's vast infrastructure, exposing a unique DNS fingerprint and operational control over their own corner of the internet.

But the story does not end here: BBIN is linked to dozens of commercial ventures - they even had their own airline!

👉 Read the full report here: blogs.infoblox.com/threat-inte

👉 We spoke to Wired to explain how cybercrime evolved: wired.com/story/universe-brows

#CyberThreatIntel #Infoblox #DNS #VaultViper #riskware #Cybercrime #SoutheastAsia #threatintel #threatintelligence #cybersecurity #infosec #infobloxthreatintel #scam #tds #shazhupan #pigbutchering #malware

2025-10-21

When one trick isn't enough… this actor brings the whole toolbox.

Actors start mixing techniques like a cyber cocktail:

- Cloud abuse with AWS S3 lures
- Algorithmically generated domains (RDGAs) for agility and evasion
- Redirect chains to keep analysts guessing
- TDS filtering to target victims
- Social engineering with fake alerts ("Your cloud storage is full!") or irresistible offers ("Get Netflix for free!")
- Payment scams as the final sting

Here's how it works: The actor is leveraging SMS messages to lure victims into clicking links that point to Amazon S3 buckets. The SMS links are the initial redirection point, silently forwarding the victim to the first bulk-registered (RDGA) domain. The redirection is seamless, making it difficult for the victim to notice anything suspicious.

From there, the actor uses multiple RDGA algorithms to generate domains that host scam and scareware campaigns. These domains feature a variety of deceptive themes, such as fake Netflix promotions, "Your Cloud Storage is Full" alerts, or "Failed Payment" warnings.

Once the victim clicks, the redirection chain continues through custom TDS (Traffic Distribution System) domains—also powered by RDGA—before finally landing on a fraudulent payment gateway. Here, victims are tricked into subscribing to fake antivirus products, counterfeit Netflix accounts, or other bogus services.

The top left and right sections showcase different types of lures used in the attack, while the bottom section illustrates how the victim is redirected to rogue payment gateways.


#Infoblox #dns #adtech #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel #tds #scam

2025-10-10

It's annoying to wake up Friday motivated to wrap up your week's threat hunting, but instead getting derailed because a quick Google search gives you extra work...

All we wanted to do was make an address change... so a quick search for "o2 address change".

The top results were not to the official site but to 02support[.]info and 02official[.]com. sigh.

The one time there isn't an AI summary to scroll past, it is because there is a scam paying to replace it...

Here are some scans and images.

O2: urlscan.io/result/0199cdf0-688
O2: urlscan.io/result/0199cdf0-632
EE: urlscan.io/result/0199cdf0-845
Tesco Mobile: urlscan.io/result/0196c3d2-5fd
Vodafone: urlscan.io/result/01994ca7-3f2

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing #scam

2025-09-22

Teamwork makes the dream work! The Black Lotus Labs team at Lumen Technologies has published a new report detailing the infrastructure behind the SystemBC botnet and its role in powering the illicit Rem Proxy service. This service allows threat actors to mask their identities behind compromised MikroTik routers deployed in homes and offices worldwide, enabling a range of email and password-based attacks.

Through our collaboration, we’ve confirmed with high confidence that this is the same botnet we reported on back in January. Excellent work, Black Lotus Labs — great investigating!

Read their full report: blog.lumen.com/systembc-bringi

#Infoblox #botnet #dns #phishing #spam #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel #scam

2025-09-19

We've been observing a trend on Steam involving Chinese-language accounts leaving spam comments on random users' profiles. They range from commenting single emojis to sentences in Chinese that translate to "we should play games together." Upon investigation, these accounts often link to domains that redirect to malicious content.

One such domain, 3pq[.]cc, redirected to a fake chat app interface designed to mimic a messaging platform hosted on jimuzhou[.]top. The messages eventually gave a link to trwonr[.]top, an adult-themed survey page. After completing the survey, it prompted visitors to download an APK file that requested access to invasive permissions, hosted on cxrcedu[.]com.

A pivot on one of the URLs revealed thousands of related domains, all exhibiting similar behavior and infrastructure.

Sample IOCs:
3pq[.]cc
jimuzhou[.]top
trwonr[.]top
cxrcedu[.]com

#Infoblox #dns #rdga #spam #scam #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel

Screenshot of a Steam profile where the username contains the domain 3pq[.]cc and the profile picture contains epk[.]cc

2025-09-09

Spammers be spamming. But some may lay low for several months before kicking off their operations.

In late August, we started to observe an influx of a spam campaign targeting Japanese users and impersonating popular companies such as American Express, Amazon and SBI, attempting to phish victims for their credit card and other account information. This was almost a year after the actor first created their domains in September 2024.

This is a technique commonly used by threat actors to avoid detection by security teams, since a lot of attention is usually given to domains that are newly registered. The strategy is to lay low for some time, allowing them to slip under the radar before initiating their operations and remain undetected when they do so.

The actor(s) waited until the domains were close to expiring to start using them in the campaign. They have now renewed several of these domains and, well... that may suggest they intend to continue their activities.

The emails usually contain an action button or a fake URL that redirects to links under domains with the pattern <5 to 10 random letters>.cn. Some of the email subjects, along with their translations, are:
- 【SBIポイント進呈】ご利用状況に応じた特典をぜひご確認ください — [SBI Points Award] Please Check Your Benefits Based on Usage
- [American Express] カードの利用が一時停止されました — [American Express] Card Usage Has Been Temporarily Suspended
- 【お知らせ】カード認証更新のお願い — [Notice] Request to Update Card Authentication

Sample of domains: ehpkmn[.]cn, exttyo[.]cn, qdtqq[.]cn, rnsxk[.]cn, sxviius[.]cn, tyslq[.]cn, wbwfm[.]cn

#Infoblox #dns #phishing #spam #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel #japan #rdga #scam

2025-09-08

Aeza Group is still alive and kicking. Following their July sanction, the operators of bulletproof hosting provider Aeza began to migrate some of their infrastructure to a new ASN they created (AS211522 - Hypercore Ltd). However, they're still primarily operating from their original ASN and registering new domains every day. Some recent domains registered in late July/early August on two dedicated Aeza IPs host fake Russian-language download pages for Windows, Chrome, Minecraft, etc. These pages lure users into downloading malicious executable and torrent files that ultimately attempt to steal the user's credentials from web browsers. Some files dropped by these domains were previously associated with Black Basta and Cobalt Strike in May and July 2025.

Sample domains: windows-download[.]net, drivers-windows[.]com, chrome-downloads[.]net, minecraft-game[.]net

#Infoblox #dns #malware #phishing #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel

2025-09-05

Wanna play a game?
Reboot now… or in five minutes?

Help TDS - a notorious traffic distribution system - has a fresh new illusion — a fake system alert that sets the stage before the tech support scam begins.

It’s not just a pop-up; it’s full-screen psychological priming, blurred just enough to slip past security tools. You’re given a “choice”, but either way, the curtain rises.

Click either button and the show begins: a spoofed full-screen Microsoft virus alert, and a phone number that offers an immediate fix.

The real trick? Victims are already convinced it’s real before the scam even loads.

#Infoblox #dns #phishing #tds #scam #scareware #helptds #threatintel #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #TechSupportScam #ScamAlert #DontDialTheNumber

Screenshot from the tech support scam showing the need to reboot in order to continue. Either way, the victim is shown a tech support scam.

2025-08-28

Yet another round of shipping-themed smishing texts has been popping up over the last couple of days. This threat actor is impersonating missed FedEx delivery notifications (switching from a UPS theme used a few weeks ago) to entice users into entering their credit card information. The FedEx phishing pages are only accessible via phones or tablets using the URLs provided in the smishing texts. The attackers attempt to evade detection from search engines and users accessing the pages via desktops by routing them to legitimate pages for Amazon, Yahoo News/Finance, Whole Foods, or Ring.

The domains we've seen follow a distinct RDGA pattern, use Cloudflare hosting, and are distributed via email domains sharing the same mail server IP.

Sample domains: gjvuy[.]xyz, mhecm[.]pro, xvqxa[.]pro, bqcue[.]ink, zlulp[.]ink, zbhqu[.]ink, fjnrp[.]ink, wkdvb[.]ink, sfjfa[.]ink

XYZ Registry took down all the domains found at the time.

#Infoblox #dns #smishing #phishing #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec

2025-08-27

An interesting traffic distribution system (TDS) we're tracking routes users to quick cash and payday loan sites that are likely scams looking to steal people's personal and financial information.

The TDS chain starts with an RDGA-generated domain following the pattern: <5 to 9 random letters>.<cfd,cyou,info,etc.>. The user is then routed to one of the actor's TDS domains dfgtrk<1 to 10>[.]com. This domain will then redirect to landing pages hosting the scammy loan/cash sites which urge users to enter PII such as name, date of birth, address, social security number, and even bank account information in order to qualify for a loan.

A lot of these sites have generic titles and SLDs mentioning cash, loans, or other financial topics, and seem to mimic legitimate financial services companies.

#dns #Infoblox #rdga #tds #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #scam

2025-08-07

After three years of relentless tracking, we’ve published a [paper](blogs.infoblox.com/threat-inte) that, for the first time, exposes the true identities behind VexTrio. This research connects real names to the various companies that form the VexTrio ecosystem. It begins with the origin story—how a group of Italians launched a successful spam and dating business. Over time, VexTrio expanded its operations into malicious adtech and online scams. For over a decade, the group employed deceptive tactics to defraud countless innocent internet users. These illegitimate gains funded the extravagant lifestyles of VexTrio’s key figures—who, despite increasing scrutiny, have yet to be fully stopped.

We’re deeply grateful to all the contributors who helped us reach this research milestone, especially @rmceoin and Tord from [Qurium](qurium.org/).

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #adtech #maliciousadtech #advertising #affiliates #scam #notifications #pushnotifications #tds #trafficdistributionsystem #spam #italy #russia #belarus #dating #clickallow

2025-07-28

Like CEOs at Coldplay concerts, we keep finding malicious adtech hiding behind well-known advertising brands. While these platforms may appear credible, they allow malicious actors access to their platform, and profit from their successes.

Our posts often focus on adtech operators because they are the ones who manage the infrastructure. But they are not the only ones profiting from this business. Affiliates play a big role by driving traffic (aka visitors) to the adtech platform (TDS).

Malicious affiliates do this by tricking visitors into clicking hidden links or manipulating pages to redirect them automatically. They are so good at it that they generate a profit just due to the sheer volume of traffic they drive into the platform.

Legitimate affiliates do this by posting what they believe to be normal ads on their web pages, tempted by promises of big rewards. Unfortunately for them, this is rarely the reality, and there are many reports of affiliates being underpaid or not paid at all. Additionally, affiliates risk damaging their own brand image – no one wants their legitimate website redirecting to malware, right?

As a user, regardless of how you find yourself diverted into a malicious TDS, if you happen to fit the profile then you face the risk of being sent to a malicious landing page. Scams, disinformation, malware…you name it.

As there are many players involved in this scheme, we’ve created an infographic that highlights who they are and how they fit into the malicious adtech landscape.

Have you come across any of these shady platforms or, worse, been lured into becoming part of the scheme? Let us know!

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #adtech #maliciousadtech #advertising #affiliates #scam #malware #phishing

Infoblox Infographic – Inside of malicious adtech: Who's who

2025-07-09

We've seen it before, but it bears highlighting again: current affairs always lead to a domain gold rush! The newly announced "America Party" has already triggered a wave of sketchy-looking domain registrations, many using the .party TLD. Several redirect to rawdiary[.]com, a five-month-old site hosting third-party articles from sources like OANN, Newsmax and Breitbart, as well as more moderate sources like the FT and the BBC. Others are parked. These domains aren’t inherently malicious, but they're certainly opportunistic and built to look like news. Web content flips fast, so here’s a snapshot of domains unlikely to have been registered for anything in good faith:


#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #americaparty #osint #typosquatting

2025-07-08

Cybercriminals incorporate artificial intelligence (AI) to be more effective across their business functions. In most cases, the technology contributes to the actor's code development or augments their socially engineered attacks. We provided a real example of this last year in September when we published about YouTube account hijackers that use deepfake videos of Elon Musk for a crypto giveaway scam (blogs.infoblox.com/threat-inte). We recently saw similar techniques deployed by a threat actor that we track as Reckless Rabbit (blogs.infoblox.com/threat-inte). However, instead of YouTube videos, they directly integrate deepfakes into their websites.

Reckless Rabbit began targeting Japanese-speaking users several months ago. They deliver fake web articles that promote non-existent investment programs. These are not your typical scam web pages. They've been enriched with deepfake AI-generated videos of high-profile financial leaders including Elon Musk and Masayoshi Son. They also try to add legitimacy to the report by including artificially drafted, positive reviews from fictitious netizens. Traditionally, the news content consisted mostly of just text, static images, and links.

Prior to this change, they were predominantly targeting internet users in Eastern European countries. They continue to use dictionary-based Registered Domain Generation Algorithm (RDGA) domains and Facebook ads for navigating victims to fake news articles.

Reckless Rabbit employs a variety of article lures; below, we've highlighted domains specifically used in their Japanese investment scam campaigns. These sites employ deepfake videos embedded with Japanese captions. The articles impersonate one of Japan's major newspaper companies, Yomiuri Shimbun, and contain a registration button for the fake investment platform called "Finance Legend". After clicking it, the page redirects the victim to a contact webform. Based on the contents of the articles, presumably the threat actor will follow up with the victim using the provided contact details and encourage them to make a deposit in exchange for a future return that is much greater than the investment.


Attached to this message, we've included a screenshot of the fake news article lure, as well as a screen recording of our interaction with the scam website and deepfake video.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #deepfake #ai #elonmusk #masayoshi #japan #yomiurishimbun #recklessrabbit #investment #rdga #ddga

2025-07-08

Let us introduce "La Fnac". As some of you may already know, La Fnac is a French retailer, and like most large retailers, they want to sell the coolest things that everyone is talking about. That's why, in 2008, they launched their most innovative service yet: an online portal where you could download the latest must-have ringtone for your flip phone.

Of course, they didn't build that online portal themselves. They subcontracted it to another company, and to use its services they set up a subdomain, 'sonneries-logos.fnac[.]com', on their corporate domain as a CNAME record that the subcontractor then managed.

You should know where this is going now. It seems clear that La Fnac forgot to remove this alias from their DNS after the service was retired. Surprisingly, they weren't alone! In 2017 (much later than we expected), when the CNAME record became dangling, there were two European tech companies that still had aliases pointed to it.

So, when that ringtone download service started seeing activity again in 2025, it wasn't because of a sudden nostalgic resurgence in late-naughties ringtones. Obviously, it was hijacked and used to redirect people to various fake survey scam webpages.

The longer a company exists, the more tech debt it accumulates, which in the case of DNS can mean greater susceptibility to domain hijacking via dangling DNS records. This is not something exclusive to small companies, or companies with smaller tech teams. We've seen this issue affecting large organisations too. If something as cool as downloading ringtones on your flip phone can be forgotten about, don't be surprised when, in 20 years, attackers start leveraging the tech debt you are currently procrastinating over.
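The audit La Fnac's DNS team needed: walk every CNAME in a zone export and flag aliases whose chain ends at a name that no longer exists. This is an added example, not Infoblox's or La Fnac's code; the zone records and the public-DNS table are constructed so it runs offline, and the stand-in resolver is an assumption to be replaced with a real lookup in production.

```python
"""Find dangling CNAME records in a zone export.

A CNAME is dangling when the name it aliases no longer exists (NXDOMAIN):
the vendor retired the service and let the name go, so whoever registers
that name next inherits traffic for the forgotten alias. The chain walk
also catches CNAME loops, which are a separate misconfiguration.
"""
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str, str]          # (owner, type, rdata)
Lookup = Callable[[str], Optional[Tuple[str, str]]]

# Constructed zone export for a fictitious company (not La Fnac's zone).
SAMPLE_ZONE: List[Record] = [
    ("www.example.test.", "A", "192.0.2.10"),
    ("ringtones.example.test.", "CNAME", "portal.retired-vendor.test."),
    ("shop.example.test.", "CNAME", "edge.live-vendor.test."),
    ("loop-a.example.test.", "CNAME", "loop-b.example.test."),
    ("loop-b.example.test.", "CNAME", "loop-a.example.test."),
]

# Constructed view of public DNS. portal.retired-vendor.test. is deliberately
# absent: the vendor's name is gone, so the ringtones alias is dangling.
PUBLIC_DNS: Dict[str, Tuple[str, str]] = {
    "edge.live-vendor.test.": ("A", "198.51.100.7"),
}


def lookup_constructed(name: str) -> Optional[Tuple[str, str]]:
    """Stand-in resolver (assumption): (type, rdata) or None for NXDOMAIN.
    In production replace this with a real query against a recursive resolver."""
    return PUBLIC_DNS.get(name)


def classify_target(target: str, zone_index: Dict[str, Tuple[str, str]],
                    lookup: Lookup, max_hops: int = 8) -> str:
    """Follow a CNAME chain from its first target; 'ok', 'dangling' or 'loop'."""
    seen = set()
    name = target
    for _ in range(max_hops):
        if name in seen:
            return "loop"
        seen.add(name)
        # In-zone names are answered from the export; everything else is resolved.
        record = zone_index.get(name) or lookup(name)
        if record is None:
            return "dangling"          # target name does not exist anywhere
        rtype, rdata = record
        if rtype != "CNAME":
            return "ok"                # chain terminates in real data
        name = rdata
    return "loop"                      # too many hops: treat as a loop


def find_dangling_cnames(zone: List[Record],
                         lookup: Lookup = lookup_constructed) -> Dict[str, str]:
    """Return {owner: verdict} for every CNAME owner whose chain is not 'ok'."""
    zone_index = {owner: (rtype, rdata) for owner, rtype, rdata in zone}
    findings: Dict[str, str] = {}
    for owner, rtype, rdata in zone:
        if rtype != "CNAME":
            continue
        verdict = classify_target(rdata, zone_index, lookup)
        if verdict != "ok":
            findings[owner] = verdict
    return findings


if __name__ == "__main__":
    for owner, verdict in find_dangling_cnames(SAMPLE_ZONE).items():
        print(f"{verdict:9s} {owner}")
```

A dangling verdict is the takeover-ready case; schedule the audit after every service retirement, since the zone rarely changes on its own.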

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing #scam

Scam page on hijacked website

2025-06-30

The actors behind widespread toll smishing text campaigns are back; this time with a new campaign impersonating regional DMV agencies. New templates for the smishing texts urge users to pay outstanding traffic tickets via a malicious URL that leads to fake payment sites. Interestingly, these texts are often sent before the domain hosting the site is even registered.

They follow similar RDGA patterns as their other campaigns, often hosting the phishing sites on subdomains of SLDs starting with "gov-" to appear legitimate. Sample domains: dmv[.]gov-nft[.]digital, dmv[.]gov-nfy[.]digital, wisdom[.]gov-endbgv[.]vip, michigan[.]gov-etcj[.]cc, azdot[.]gov-ytns[.]cc
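A triage filter for DNS query logs covering the domain shapes described in the posts above: the <5 to 10 random letters>.cn phishing domains, the <5 to 9 random letters>.cfd/.cyou/.info loan-TDS entry points and their dfgtrk<1 to 10>[.]com hop, and the DMV smishing hosts on subdomains of SLDs starting with "gov-". This is an added example, not Infoblox tooling; the log format, the TLD set and the randomness heuristic are assumptions, and the sample log lines are constructed.

```python
"""Flag RDGA- and TDS-shaped query names in DNS logs for analyst review."""
import re
from typing import List, Tuple

# TLDs the posts saw RDGA labels under (assumption; extend from your own data).
RDGA_TLDS = {"cn", "cfd", "cyou", "info", "xyz", "pro", "ink"}
VOWELS = set("aeiou")

# Exact shapes from the posts: the dfgtrk1..10.com TDS hop and fake "gov-" SLDs.
TDS_HOP = re.compile(r"^dfgtrk(?:[1-9]|10)\.com$")
FAKE_GOV = re.compile(r"^(?:[a-z0-9-]+\.)+gov-[a-z0-9-]+\.[a-z]+$")

# Constructed log lines in an assumed format: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2025-08-27T09:01:02Z 10.0.0.5 A ehpkmn.cn
2025-08-27T09:01:05Z 10.0.0.5 A google.cn
2025-08-27T09:02:11Z 10.0.0.8 A qdtqq.cfd
2025-08-27T09:02:12Z 10.0.0.8 A dfgtrk7.com
2025-08-27T09:02:13Z 10.0.0.8 A dfgtrk11.com
2025-08-27T09:03:00Z 10.0.0.9 A dmv.gov-nft.digital
2025-08-27T09:03:30Z 10.0.0.9 A www.infoblox.com
"""


def looks_random(label: str) -> bool:
    """Cheap randomness heuristic for a registrable label: 5-10 letters with
    almost no vowels or a run of three or more consonants. A triage filter
    to tune against your own traffic, not a verdict on its own."""
    if not (5 <= len(label) <= 10 and label.isalpha()):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    consonant_runs = re.findall(r"[^aeiou]+", label)
    longest_run = max((len(run) for run in consonant_runs), default=0)
    return vowel_ratio < 0.3 or longest_run >= 3


def classify(qname: str) -> str:
    """Return a reason string if qname matches a tracked shape, else ''."""
    qname = qname.lower().rstrip(".")
    if TDS_HOP.match(qname):
        return "dfgtrk TDS hop"
    if FAKE_GOV.match(qname):
        return "fake gov- SLD"
    labels = qname.split(".")
    # Only bare <label>.<tld> names are tested for randomness, matching the
    # pattern in the posts; subdomains of known-good zones are left alone.
    if len(labels) == 2 and labels[1] in RDGA_TLDS and looks_random(labels[0]):
        return "random label under RDGA TLD"
    return ""


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Parse log lines and return (client, qname, reason) for every hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue               # skip malformed lines instead of crashing
        _timestamp, client, _qtype, qname = parts
        reason = classify(qname)
        if reason:
            hits.append((client, qname.lower(), reason))
    return hits


if __name__ == "__main__":
    for client, qname, reason in triage(SAMPLE_LOG):
        print(f"{client}\t{qname}\t{reason}")
```

Clients that hit a random-label domain and a dfgtrk hop within seconds are walking the full redirect chain, which is the sequence worth pivoting on.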

#dns #threatintel #infobloxthreatintel #infoblox #cybersecurity #phishing #cybercrime #infosec #smishing

2025-06-15

VexTrio and the malware actors snackable (2/N).

At the heart of VexTrio are so-called "smartlinks". What is that? BlackHatWorld users explain it well. See pics.

Smartlinks are the lipstick for the pig called domain cloaking that is provided by traffic distribution systems (TDS) owned by malicious adtech companies like Los Pollos and Taco Loco (and Adtrafico and and and).

#VexTrio #malware #tds #cybercrime #phishing #scam #threatintel #infoblox #infobloxthreatintel #infosec #cybersecurity #adtech

2025-06-14

The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering.

VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. all your bases belong to russian adtech hackers.

Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard. I've been told. I know. We've condensed thousands of hours of research into about 30 pages. @briankrebs tried to make the main points a lot more consumable -- and wrote a fabulous complementary article: read both!

There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material ... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. and more.

We've given SURBL, Spamhaus, Cloudflare, DomainTools, several registrars, and many security companies over 100k domains. They are also posted on our open GitHub.

Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere.

#threatintel #scam #tds #vextrio #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #malware #phishing #spam

blogs.infoblox.com/threat-inte

krebsonsecurity.com/2025/06/in

2025-06-12

Scammers scamming other scammers so they can scam you? We’ve reached peak scam inception!

Sites like ScamAdviser are helpful for checking if a website is shady — but guess what? The scammers lurk there too.

They’re leaving negative reviews against other scam sites (because, of course, there is no honor among thieves), as well as legit sites, pretending to be victims. Why? All so they can drop Telegram or WhatsApp contacts for so-called “crypto recovery services” that supposedly helped them get their stolen money back.

Spoiler Alert: These are just more scams!

They’ll say they’ve recovered your lost crypto - then demand a “release fee” or cut to release it. You’ll pay... and never hear from them again.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam

Scam reviews
More scam reviews

2025-06-03

Selling your car? Scammers still have it 'VIN' for you!

We've recently seen a large cluster of domains hosting fake Vehicle Identification Number (VIN) lookup sites — and private car sellers are the target.

While this trick isn’t new, it still catches many off guard — especially first-time sellers. Here’s how it usually plays out:

- You list your car on platforms like AutoTrader, Craigslist, or Facebook Marketplace.
- You're contacted by a keen 'buyer', perhaps asking a few questions to build trust.
- The buyer then asks *you* to get a VIN report — but only from a site *they* provide.

Red flag: Legitimate buyers wanting to know a vehicle's history are to be expected - they may ask for the VIN to do this themselves - but insisting on a specific site is a classic scam move.

Here’s what happens next:

- You enter your VIN on the fake site - it teases you with basic info like make and model.
- To get the 'full report' you’re asked to pay $20–$40.
- At best, you're sent to a legitimate payment provider — but the money goes straight to the scammer.
- At worst, you've just entered your card details into a phishing site.

Got your report? Good luck contacting that buyer, they're 'Audi 5000' — long gone. As for the report, it's usually worthless — no odometer readings, no previous owners, no insurance history - and of no value to you or a legit buyer.

Unsurprisingly, 'VIN' features in their devious domain names, and at the time of writing we identified a large cluster using it with U.S. states and locations, for example:

- goldstatevin[.]com
- gulfstatevin[.]com
- kansasvin[.]com
- misissippivin[.]com
- utahvincheck[.]com

These have since gone offline, hopefully for good. They're not alone, though: the following domains appear to target sellers in Australia and are currently active:

- proregocheck[.]com
- smartcheckvin[.]com
- smartvincheck[.]com
- vincheckzone[.]com

Tip: If a buyer wants a VIN report, let them sort it out — or use a trusted provider of your own. If they refuse? Tell 'em to hit the road!

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam
