home.social

#infoblox — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #infoblox, aggregated by home.social.

  1. Threat actors are leveraging shared infrastructure together with subdomain abuse to control and serve hundreds of malicious websites with minimal management.

    This week we were investigating a cluster of crypto brand lookalike domains.Through subdomain abuse – often powered by wildcard DNS configurations – just 34 registered domains expand to over 500 scam sites.

    Investigating website content across that cluster allowed us to find several additional clusters running the same playbook. Thousands of domains on them.

    This initial cluster impersonated dozens of brands — Binance, Coinbase, Kraken, KuCoin, Bybit, Bitmart. Several of these sites push fake app downloads, making malware delivery and crypto wallet theft a likely component of the broader operation.

    A sample of the domains associated:

    cryptocoinsx[.]cfd
    bmarkit[.]com
    zznyusbsgo.bitmart[.]pw
    4pzyy6n7log71mm0.bitmarts[.]cc
    5etxkk2aeh8jfgl0.bitstamptc[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Scams #malware #crypto #lookalikes #subdomains #iocs

  2. Threat actors are leveraging shared infrastructure together with subdomain abuse to control and serve hundreds of malicious websites with minimal management.

    This week we were investigating a cluster of crypto brand lookalike domains.Through subdomain abuse – often powered by wildcard DNS configurations – just 34 registered domains expand to over 500 scam sites.

    Investigating website content across that cluster allowed us to find several additional clusters running the same playbook. Thousands of domains on them.

    This initial cluster impersonated dozens of brands — Binance, Coinbase, Kraken, KuCoin, Bybit, Bitmart. Several of these sites push fake app downloads, making malware delivery and crypto wallet theft a likely component of the broader operation.

    A sample of the domains associated:

    cryptocoinsx[.]cfd
    bmarkit[.]com
    zznyusbsgo.bitmart[.]pw
    4pzyy6n7log71mm0.bitmarts[.]cc
    5etxkk2aeh8jfgl0.bitstamptc[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Scams #malware #crypto #lookalikes #subdomains #iocs

  3. Threat actors are leveraging shared infrastructure together with subdomain abuse to control and serve hundreds of malicious websites with minimal management.

    This week we were investigating a cluster of crypto brand lookalike domains.Through subdomain abuse – often powered by wildcard DNS configurations – just 34 registered domains expand to over 500 scam sites.

    Investigating website content across that cluster allowed us to find several additional clusters running the same playbook. Thousands of domains on them.

    This initial cluster impersonated dozens of brands — Binance, Coinbase, Kraken, KuCoin, Bybit, Bitmart. Several of these sites push fake app downloads, making malware delivery and crypto wallet theft a likely component of the broader operation.

    A sample of the domains associated:

    cryptocoinsx[.]cfd
    bmarkit[.]com
    zznyusbsgo.bitmart[.]pw
    4pzyy6n7log71mm0.bitmarts[.]cc
    5etxkk2aeh8jfgl0.bitstamptc[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Scams #malware #crypto #lookalikes #subdomains #iocs

  4. Threat actors are leveraging shared infrastructure together with subdomain abuse to control and serve hundreds of malicious websites with minimal management.

    This week we were investigating a cluster of crypto brand lookalike domains.Through subdomain abuse – often powered by wildcard DNS configurations – just 34 registered domains expand to over 500 scam sites.

    Investigating website content across that cluster allowed us to find several additional clusters running the same playbook. Thousands of domains on them.

    This initial cluster impersonated dozens of brands — Binance, Coinbase, Kraken, KuCoin, Bybit, Bitmart. Several of these sites push fake app downloads, making malware delivery and crypto wallet theft a likely component of the broader operation.

    A sample of the domains associated:

    cryptocoinsx[.]cfd
    bmarkit[.]com
    zznyusbsgo.bitmart[.]pw
    4pzyy6n7log71mm0.bitmarts[.]cc
    5etxkk2aeh8jfgl0.bitstamptc[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Scams #malware #crypto #lookalikes #subdomains #iocs

  5. Threat actors are leveraging shared infrastructure together with subdomain abuse to control and serve hundreds of malicious websites with minimal management.

    This week we were investigating a cluster of crypto brand lookalike domains.Through subdomain abuse – often powered by wildcard DNS configurations – just 34 registered domains expand to over 500 scam sites.

    Investigating website content across that cluster allowed us to find several additional clusters running the same playbook. Thousands of domains on them.

    This initial cluster impersonated dozens of brands — Binance, Coinbase, Kraken, KuCoin, Bybit, Bitmart. Several of these sites push fake app downloads, making malware delivery and crypto wallet theft a likely component of the broader operation.

    A sample of the domains associated:

    cryptocoinsx[.]cfd
    bmarkit[.]com
    zznyusbsgo.bitmart[.]pw
    4pzyy6n7log71mm0.bitmarts[.]cc
    5etxkk2aeh8jfgl0.bitstamptc[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Scams #malware #crypto #lookalikes #subdomains #iocs

  6. 💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

    🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

    @rato_support
    @ratofaqs
    @rato_backup
    @rato_hosting
    @Rato2_bot

    Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

    asakusubinitohas[.]com
    bmw320ikaka[.]co
    cpusx[.]com
    newoneazu[.]com
    ratmail[.]pro
    rato[.]page
    rato[.]to
    ratodemo[.]pro
    sesrecipt[.]com
    silk-gen[.]com
    sunostart[.]com
    viewyourstatementonline[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

  7. 💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

    🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

    @rato_support
    @ratofaqs
    @rato_backup
    @rato_hosting
    @Rato2_bot

    Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

    asakusubinitohas[.]com
    bmw320ikaka[.]co
    cpusx[.]com
    newoneazu[.]com
    ratmail[.]pro
    rato[.]page
    rato[.]to
    ratodemo[.]pro
    sesrecipt[.]com
    silk-gen[.]com
    sunostart[.]com
    viewyourstatementonline[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

  8. We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
    So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.

    Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.

    If you hunt threats distributed via adtech, these indicators can be useful pivots. infoblox.com/blog/threat-intel

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting

  9. We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
    So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.

    Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.

    If you hunt threats distributed via adtech, these indicators can be useful pivots. infoblox.com/blog/threat-intel

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting

  10. 🔴 A threat isn't much of a threat if it can't reach the right victims. 📦 That's why many modern threat actors rely on cloakers and traffic distribution systems (TDS) to target, route, and hide at scale. In a six‑month joint effort analyzing four months of data with Confiant, we identified 15,500 domains configured to Keitaro instances and actively used in cyber campaigns. Keitaro is a legitimate ad tracker, but it is frequently misused by cybercriminals as an all‑in‑one tracker + TDS + cloaker in scam and malware campaigns. We encounter Keitaro in our investigations nearly every day, and we set out to quantify that abuse in the broader landscape. We're publishing a three‑part series to share what we learned. Part 1 focuses on a subset of actors who leverage AI in their operations, most of whom are tied to investment scams. At the end of the report, you'll find a link to our github repository that contains thousands of related Keitaro iocs.

    infoblox.com/blog/threat-intel

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising

  11. 🔴 A threat isn't much of a threat if it can't reach the right victims. 📦 That's why many modern threat actors rely on cloakers and traffic distribution systems (TDS) to target, route, and hide at scale. In a six‑month joint effort analyzing four months of data with Confiant, we identified 15,500 domains configured to Keitaro instances and actively used in cyber campaigns. Keitaro is a legitimate ad tracker, but it is frequently misused by cybercriminals as an all‑in‑one tracker + TDS + cloaker in scam and malware campaigns. We encounter Keitaro in our investigations nearly every day, and we set out to quantify that abuse in the broader landscape. We're publishing a three‑part series to share what we learned. Part 1 focuses on a subset of actors who leverage AI in their operations, most of whom are tied to investment scams. At the end of the report, you'll find a link to our github repository that contains thousands of related Keitaro iocs.

    infoblox.com/blog/threat-intel

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising

  12. Last week, Microsoft reported that their Digital Crimes Unit (DCU) and international partners disrupted Lumma Stealer by taking down 2,300 domains critical to the malware's operation. Shortly after, Palo Alto's Unit 42 reported about cyber campaigns that previously dropped Lumma Stealer are now distributing StealC infostealer payloads. We analyzed the DNS infrastructure related to the attacks and discovered a large number of malicious registered domain generation algorithm (RDGA) domains. Based on passive DNS, the threat actor that controls the infrastructure configured the domains to a staging environment via a dedicated Panama IP address (self-signed SSL) before deploying them. We identified 144 unique domains in this IP space, and all of them were detected as "suspicious" by our algorithms 1-2 months before they were activated for malicious activity.

    Disrupting criminal operations is difficult and they will find ways to resurface. However, this example proves that blocking connections at the DNS level can often protect users against the new versions before they emerge. The infostealer actors made a quick turn, but we were already blocking their path. Our specialty is in DNS analytics, so we use DNS signatures, as opposed to malware signatures, for preemptive security. We love this stuff.

    Here are some examples of the RDGA domains:
    2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, 832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, bot113cloud[.]cyou, bot113cloud[.]my

    These campaigns share similar TTPs with those that we reported several months ago. The threat actor that we discussed in this post (infosec.exchange/@InfobloxThre) also distributed Lumma Stealer and used RDGA domains, but incorporated additional components, such as traffic distribution systems (TDS), web trackers, and cloakers.


    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #infostealer #lummastealer #stealc #tds #tracker #cloaker #rdga

  13. Last week, Microsoft reported that their Digital Crimes Unit (DCU) and international partners disrupted Lumma Stealer by taking down 2,300 domains critical to the malware's operation. Shortly after, Palo Alto's Unit 42 reported about cyber campaigns that previously dropped Lumma Stealer are now distributing StealC infostealer payloads. We analyzed the DNS infrastructure related to the attacks and discovered a large number of malicious registered domain generation algorithm (RDGA) domains. Based on passive DNS, the threat actor that controls the infrastructure configured the domains to a staging environment via a dedicated Panama IP address (self-signed SSL) before deploying them. We identified 144 unique domains in this IP space, and all of them were detected as "suspicious" by our algorithms 1-2 months before they were activated for malicious activity.

    Disrupting criminal operations is difficult and they will find ways to resurface. However, this example proves that blocking connections at the DNS level can often protect users against the new versions before they emerge. The infostealer actors made a quick turn, but we were already blocking their path. Our specialty is in DNS analytics, so we use DNS signatures, as opposed to malware signatures, for preemptive security. We love this stuff.

    Here are some examples of the RDGA domains:
    2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, 832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, bot113cloud[.]cyou, bot113cloud[.]my

    These campaigns share similar TTPs with those that we reported several months ago. The threat actor that we discussed in this post (infosec.exchange/@InfobloxThre) also distributed Lumma Stealer and used RDGA domains, but incorporated additional components, such as traffic distribution systems (TDS), web trackers, and cloakers.


    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #infostealer #lummastealer #stealc #tds #tracker #cloaker #rdga

  14. Infoblox Threat Intel had the opportunity to collaborate with the United Nations Office on Drugs and Crime (#UNODC) for their latest report on South East Asian Crime. The report is titled "Inflection Point". It is a great in-depth analysis of the triads and how they fuel the current scam epidemic.

    Organized crime is booming - as you can see with the picture below which shows the growth in the physical footprint of the compounds they operate.

    Our part of the collaboration (pages 37-42 of the 90+ page report) were around a single actor that we can track in #dns -- naturally!

    We analysed a number of illegal Chinese-operated gambling websites and soon found out they were operated by the same 'gambling provider' we named Vault Viper. Vault viper develops its very own "secure gambling browser". Of course it's #malware.

    Through DNS, we discovered the companies behind Vault Viper were in fact controlled by Suncity - a criminal junket whose founder has been convicted of laundering billions of dollars.

    unodc.org/roseap/en/2025/04/cy

    Illegal gambling is not harmless fun. It fuels some of the largest criminal networks in the world.

    The entire report is worth reading to get the latest view from experts on the world of organized crime in Asia that is running #scam, #pigbutchering, #humantrafficking, #cybercrime, #malware, #illegalgambling, illegal porn and who knows what else. The image below shows just how much it has grown in a few years from physical footprints.

    We'll be releasing a detailed report on Vault Viper in the coming months.

    #infobloxthreatintel #infoblox
    #organizedcrime #china

  15. Infoblox Threat Intel had the opportunity to collaborate with the United Nations Office on Drugs and Crime (#UNODC) for their latest report on South East Asian Crime. The report is titled "Inflection Point". It is a great in-depth analysis of the triads and how they fuel the current scam epidemic.

    Organized crime is booming - as you can see with the picture below which shows the growth in the physical footprint of the compounds they operate.

    Our part of the collaboration (pages 37-42 of the 90+ page report) were around a single actor that we can track in #dns -- naturally!

    We analysed a number of illegal Chinese-operated gambling websites and soon found out they were operated by the same 'gambling provider' we named Vault Viper. Vault viper develops its very own "secure gambling browser". Of course it's #malware.

    Through DNS, we discovered the companies behind Vault Viper were in fact controlled by Suncity - a criminal junket whose founder has been convicted of laundering billions of dollars.

    unodc.org/roseap/en/2025/04/cy

    Illegal gambling is not harmless fun. It fuels some of the largest criminal networks in the world.

    The entire report is worth reading to get the latest view from experts on the world of organized crime in Asia that is running #scam, #pigbutchering, #humantrafficking, #cybercrime, #malware, #illegalgambling, illegal porn and who knows what else. The image below shows just how much it has grown in a few years from physical footprints.

    We'll be releasing a detailed report on Vault Viper in the coming months.

    #infobloxthreatintel #infoblox
    #organizedcrime #china

  16. Stay alert! These disinformation campaigns affect all of us, no matter where we are!

    Traffic Distribution Systems (TDSs) run by malicious adtech companies are seen delivering disinformation in different languages, tailored to the country the victim accesses from. They utilize subdomains to differentiate their content. The landing pages impersonate well-known brands and celebrities, aiming to deceive users. It's crucial to block these TDS domains and prevent any content they deliver.

    Here are some examples of TDS domains that redirect to these disinformation campaigns:

    zoograithavaupy[.]net
    asjynxon[.]com
    phaunaitsi[.]net

    And here are some landing page domains associated with this campaign:

    cooknove[.]com
    healthbrit[.]com
    foodleas[.]com
    daily-web[.]live

    #phishing #dns #scam #fraud #disinformation #threatIntel #cybercrime #threatIntelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #iocs #domains #impersonating

    urlscan.io/result/ef3f29ea-67d

  17. Stay alert! These disinformation campaigns affect all of us, no matter where we are!

    Traffic Distribution Systems (TDSs) run by malicious adtech companies are seen delivering disinformation in different languages, tailored to the country the victim accesses from. They utilize subdomains to differentiate their content. The landing pages impersonate well-known brands and celebrities, aiming to deceive users. It's crucial to block these TDS domains and prevent any content they deliver.

    Here are some examples of TDS domains that redirect to these disinformation campaigns:

    zoograithavaupy[.]net
    asjynxon[.]com
    phaunaitsi[.]net

    And here are some landing page domains associated with this campaign:

    cooknove[.]com
    healthbrit[.]com
    foodleas[.]com
    daily-web[.]live

    #phishing #dns #scam #fraud #disinformation #threatIntel #cybercrime #threatIntelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #iocs #domains #impersonating

    urlscan.io/result/ef3f29ea-67d