Our latest blog is out! It covers a rising issue that many major organization experiences: Subdomain hijacking through abandoned cloud resources.

This research follows our reporting from earlier in the year about the CDC subdomain hijack. We initially assumed that this was an isolated incident. Well… We were wrong.

We tied some of this activity to a threat actor, dubbed Hazy Hawk, who hijacks high-profile subdomains which they use to conduct large-scale scams and malware distribution.

https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #HazyHawk

In our new blog, we share a personal experience of being approached for a fake remote job on Telegram and uncover the methods scammers use to deceive and exploit victims. We were eventually able to trick the scammers and withdraw some money before they finally caught onto us!

You can find the blog here: https://blogs.infoblox.com/threat-intelligence/telegram-tango-dancing-with-a-scammer/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #pigbutchering #crypto

With a goal of simplifying enterprise network security, Infoblox and Google Cloud partner on DNS security solutions
https://www.admin-magazine.com/News/Infoblox-and-Google-Cloud-Partner-on-DNS-Security-Solutions?utm_source=mam
#Infoblox #Google #security #DNS #enterprise #networking

Infoblox Threat Intel had the opportunity to collaborate with the United Nations Office on Drugs and Crime (#UNODC) for their latest report on South East Asian Crime. The report is titled "Inflection Point". It is a great in-depth analysis of the triads and how they fuel the current scam epidemic.

Organized crime is booming - as you can see with the picture below which shows the growth in the physical footprint of the compounds they operate.

Our part of the collaboration (pages 37-42 of the 90+ page report) were around a single actor that we can track in #dns -- naturally!

We analysed a number of illegal Chinese-operated gambling websites and soon found out they were operated by the same 'gambling provider' we named Vault Viper. Vault viper develops its very own "secure gambling browser". Of course it's #malware.

Through DNS, we discovered the companies behind Vault Viper were in fact controlled by Suncity - a criminal junket whose founder has been convicted of laundering billions of dollars.

https://www.unodc.org/roseap/en/2025/04/cyberfraud-inflection-point-mekong/story.html

Illegal gambling is not harmless fun. It fuels some of the largest criminal networks in the world.

The entire report is worth reading to get the latest view from experts on the world of organized crime in Asia that is running #scam, #pigbutchering, #humantrafficking, #cybercrime, #malware, #illegalgambling, illegal porn and who knows what else. The image below shows just how much it has grown in a few years from physical footprints.

We'll be releasing a detailed report on Vault Viper in the coming months.

#infobloxthreatintel #infoblox
#organizedcrime #china

Is the sky fluxxing?! Last week a CISA advisory on DNS Fast Flux created a lot of buzz. We have an insider's take.

Fast Flux is a nearly 20 year old technique and is essentially the malicious use of dynamic DNS. It is critical that protective DNS services understand this -- and all other DNS techniques -- on that we agree.

What we also know as experts in DNS is that there are many ways to skin a cat, as they say.

#dns #threatintel #cisa #malware #phishing #threatintelligence #infobloxthreatintel #infoblox #cybercrime #cybersecurity #infosec

https://blogs.infoblox.com/threat-intelligence/disrupting-fast-flux-and-much-more-with-protective-dns/

Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.

Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.

One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.

Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.

Block these:

user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa

(infoblox.com) Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/

This report details the discovery of a sophisticated Phishing-as-a-Service (PhaaS) platform called 'Morphing Meerkat' that has been operating for at least five years. The platform leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers, spoofing over 100 brands. The threat actor behind this operation sends thousands of spam emails, primarily through specific ISPs, exploits open redirects on adtech infrastructure, compromises WordPress sites, and uses multiple credential exfiltration methods including Telegram. The phishing kit includes advanced evasion techniques such as code obfuscation, anti-analysis measures, and dynamic translation capabilities supporting over a dozen languages to target users globally.

While everyone is enjoying Carnival in Brazil, threat actors are still out there trying to lure people into their traps. We have found a cluster of lookalikes to the Brazilian DMV office (DETRAN in Portuguese). We observed at least two instances where they were impersonating the DMV office for the Brazilian states of Paraná and Maranhão.

The actor(s) create domains with the same label, but on several different TLDs (mostly highly abused). Here are some examples of what they look like.

consultes-seu-debitos2025.<space|site|shop|cloud>
debitos-sp-2025.<club|com|lat|net|online|store|xyz>
de3trasn2025.<click|fun|life|online|xyz>
departamentodetran2025.<click|icu|lat>
detran2025.<click|icu|lat|sbs>
l1cenciamento-detran2025.<click|icu|lat|sbs>

#lookalikes #dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel

https://urlscan.io/result/802374b7-6c8b-433b-b6e0-32561f74b7d3/
https://urlscan.io/result/721b12bb-d5fe-4c7e-b2b5-724e07aa22e0/

Uh-oh! We're seeing an uptick in newly observed domains related to tariffs. Most concerning are those offering 'tariff exclusions' or 'tariff rebates.' Additionally, various domains, both supporting and opposing the tariffs, are emerging from all over the world.
An influx of new domains on a topic like this indicates a high potential for fraud, disinformation, or manipulation. Turbulent times create opportunities for scammers to exploit uncertainty. Don't fall for offers of rebates or exceptions to the tariffs. Get your news from trusted sources, and if confronted with an unexpected popup notification or website, remember there's no need to act urgently.

Here are some examples of newly registered domains we've seen: tariffexemptions[.]com, tariffrebatespecialists[.]com, and tariff-mitigation[.]xyz.

#phishing #dns #scam #fraud #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel

Mastodon communities, be vigilant! Bad actors are creating accounts within the Fediverse and then using them to distribute malware. We identified one such case in which the threat actor had gone undetected since 2022. That Mastodon instance was one with a climate change focus. The threat actor was distributing an information stealer through their account.

We are happy to have helped the instance owner figure out why they have been on blocklists intermittently for the last few years, but also get that particular threat out of their Mastodon instance and safe for users.

There are undoubtedly many more of these across the Fediverse. Hopefully more awareness can get them detected and shut down faster.

For our fellow security nerds... this was #vidar malware with sha256 975932eeda7cc3feea07bc1f8576e1e73e4e001c6fe477c8df7272ee2e0ba20d
and a c2 IP 78[.]47[.]227[.]68 from the instance.
there is still at least one more Mastodon instance impacted that we are trying to reach.

#malware #stealer #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #fakeaccounts #c2

Have you ever wondered what happens if you say yes to every request to receive push notifications from sketchy websites?
For the past few months we have done exactly that, exposing an old phone to an endless barrage of scareware and malicious ads.
Find out more here: https://blogs.infoblox.com/threat-intelligence/pushed-down-the-rabbit-hole/

#dns #threatintel #adtech #adware #malware #scam #phishing #cybercrime #cybersecurity #vextrio #infoblox #infobloxthreatintel #malvertising #tds

Cricket and Matt asked me to join them for the Ask Mr DNS podcast last week. It's a great show that i've listened to for years.

We talked about securing networks by blocking bad things in DNS and how our research group @InfobloxThreatIntel does that work. I talk a bit about malicious adtech like #VexTrio ....

This whole show is completely unrehearsed and i had no real idea what we were going to cover lol... so fingers crossed it makes sense to folks.

There are some great episodes about the Dyn attacks in 2015 that you should listen to if you have an interest in DDOS attacks.

#threatintel #dns #cybercrime #cybersecurity #infosec #infoblox #phishing #malware #malvertising

https://ask-mrdns.com/2025/01/episode-64/

Pig Butchering & Employment Fraud: The Lure of High-Paying, Simple Work

Let’s take a look at how fraudsters use the lure of simple, high-paying work to defraud individuals. /1

#threatintel #dns #cybersecurity #scam #pigbutchering #InfobloxThreatIntel #Infoblox #cybercrime #infosec #crypto

VexTrio User Experience 4/N

@knitcode decided it was time to get crypto-scammed by VexTrio.....here's the story...

Unfortunately, when i got to the final scam to steal my funds i landed at a page that unavailable.. so my money wasn't stolen. I did capture 16 minutes of screen recording while they mined my device and tried to interact with their fake online users, so that was fun. Imgur won't let me load that long of a video so I've got screenshots to the highlights.

Here's how the scam works:
* Somehow you end up visiting a VexTrio crypto scam domain. Since we track their movements, I just collected one from our detectors.
* You get a "welcome back" with some amazing bitcoin balance.. mine was $113k! and a continue button... if you click that...
* You get a threatening "your account will be deleted in one day" for inactivity, but you have the option to log in now! excellent. click.
* but what about the password? No problem. the site has remembered your password for you. ;)
* When you login, you are asked if you want to withdraw your funds. Of course!
* It's been 364 days since you were here, so the site needs to "verify" each of your mining transactions. It takes about 10 minutes to do this while it seemingly mines your device. ;)
* users are "chatting" away talking about ethics and mining strategies. you can add comments but they won't answer you.
* Finally you get the chance to withdraw your funds... first you have to get approval from your account manager and fill out a withdrawal form. .. she doesn't have a record of you, but that's ok. you are approved to withdraw $113k.
* You need to give a credit card or paypal account in order to pay their "official" partner Binance to do the conversion. what is $64 fee for $113k? ! sign me up!
* Click the final button to pay Binance and receive your payout.... unfortunately, for me this is where I hit the oops can't display... after 16 minutes! peqemynite[.]top was not working.
* This domain was previously behind cloudflare caching but starting Nov 11th, it started resolving as Russian IP in Prospero (which interestingly shared IP with keitarotds[.]top) and then Unitel also Russia. So that's fun.
* To recap... VexTrio domain -> cryptoscam -> Binance fraud -> Russian IP.

Attached are screenshots. i have a few urlscan images of this too but the process takes so long that getting the full user experience is hard.

here's some more IOCs. There are bunch of domains on: 91.212.166[.]95. I started at globalminingbit[.]top (after the TDS) and ended at peqemynite[.]top. Here's some current domains: qegymiewo[.]top,ditosoydi[.]top,keziryevo[.]top,xujodyaza[.]top,vupahoawy[.]top,rycozaaqi[.]top,zupahayja[.]top,mafaweewa[.]top,pesaraafy[.]top.
globalminingbit[.]top is also out of the CF cover now and at Proton66 (also Russia) 193.143.1(.)195

The banking trojan, Octo2, now employs a Domain Generation Algorithm (DGA)!

The new variant of the Octo (ExobotCompact) banking trojan, Octo2, is targeting mobile users with several new advanced features. This malware is known for disguising itself as legitimate apps, taking control of the victim’s device to steal sensitive information and commit on-device fraud. For now, the malware has been seen in the wild in Italy, Poland, Moldova, and Hungary, masquerading as apps like NordVPN and Google Chrome. Unfortunately, given its history, it is expected to become global soon.

This new variant, investigated by ThreatFabric, features enhanced functionalities, including a Domain Generation Algorithm (DGA) that dynamically changes its command-and-control (C2) server addresses, making it significantly harder to detect.

Here are some domains associated with this new variant that we have in our collection:
5106c5dbc9e0d004489af35abec41027[.]info
7729f264dc01834757c9f06f2d313e28[.]com
a414602e421935fd057be3c06a3d080c[.]info
53cd7bfaebd095ad083c34f007469ff5[.]biz
5fa5009fb05a5cee1abd7a2dbb6eb948[.]net
8921267492331aabcb4394c801d4e490[.]shop
bbad1dcadd801af41da97ecf292b147f[.]xyz
c80530d100da2e953c21c55d7cb4b86a[.]info
ffce9e39ccdfbe3f1e88806545321ad7[.]org

ThreatFabric report: https://www.threatfabric.com/blogs/octo2-european-banks-already-under-attack-by-new-malware-variant

Threat actors are using the recent U.S. presidential debate and deep fake videos of Elon Musk to lure victims into crypto scams. Following up on our post from Saturday, we have just released a new blog exploring this campaign.
https://blogs.infoblox.com/threat-intelligence/no-elon-musk-was-not-in-the-us-presidential-debate/

We did a few interviews at Black Hat about recent research on Sitting Ducks, Vigorish Viper, and why DNS should be an important part of the security stack. Here is one of those with Dark Reading. #dns #threatintel #cybercrime #cybersecurity #infosec #infoblox
https://www.darkreading.com/threat-intelligence/blackhat-2024-dns-trail-of-breadcrumbs-lead-back-to-attackers