#rdga — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #rdga, aggregated by home.social.
-
Two of the biggest heavyweight scam TTPs - malvertising and pig butchering - have combined. In our latest research, we track hundreds of investment‑scam campaigns using this one-two punch to target Japan and the wider Asia region.
The hybrid approach kicks-off with malvertising ads that impersonate well‑known financial experts, funnel victims through lure sites on RDGA‑generated domains, before finally pulling them into messaging chats run by tireless AI‑style pig butcher bots. The result: an industrial‑scale long con, with individual victims reporting losses of up to ¥10M (~US$63k).
This model is reused across different campaigns and, by pivoting on DNS, we've so far been able to map out an ecosystem of over 23,000 domains.
In our latest blog we talk about our first‑hand experience going through the scheme, break down the entire flow, and share all the related IOCs: https://www.blogs.infoblox.com/threat-intelligence/banners-bots-and-butchers-an-automated-long-con-targeting-japan-asia-and-beyond/
#Infoblox #InfobloxThreatIntel #dns #threatintel #threatintelligence #malvertising #pigbutchering #rdga #dga #lookalikes #crypto #investment #scam #fraud #cybercrime #cybersecurity #infosec #Japan #Asia #AI
-
We've been observing a trend on Steam involving Chinese-language accounts leaving spam comments on random users' profiles. They range from commenting single emojis to sentences in Chinese that translate to "we should play games together." Upon investigation, these accounts often link to domains that redirect to malicious content.
One such domain, 3pq[.]cc, redirected to a fake chat app interface designed to mimic a messaging platform hosted on jimuzhou[.]top. The messages eventually gave a link to trwonr[.]top, an adult-themed survey page. After completing the survey, it prompted visitors to download an APK file that requested access to invasive permissions, hosted on cxrcedu[.]com.
A pivot on one of the URLs revealed thousands of related domains, all exhibiting similar behavior and infrastructure.
Sample IOCs:
3pq[.]cc
jimuzhou[.]top
trwonr[.]top
cxrcedu[.]com
#Infoblox #dns #rdga #spam #scam #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel
-
Spammers be spamming. But some may lay low for several months before kicking off their operations.
In late August, we started to observe an influx of a spam campaign targeting Japanese users and impersonating popular companies such as American Express, Amazon and SBI, attempting to phish victims for their credit card and other account information. This was almost a year after the actor first created their domains in September 2024.
This is a technique commonly used by threat actors to avoid detection by security teams, since a lot of attention is usually given to domains that are newly registered. The strategy is to lay low for some time, allowing them to slip under the radar before initiating their operations and remain undetected when they do so.
The actor(s) waited until the domains were close to expiring to start using them in the campaign. They have now renewed several of these domains and, well... that may suggest they intend to continue their activities.
The emails usually contain an action button or a fake URL that redirects to links under domains with the pattern <5 to 10 random letters>.cn. Some of the email subjects, along with their translations, are:
- 【SBIポイント進呈】ご利用状況に応じた特典をぜひご確認ください — [SBI Points Award] Please Check Your Benefits Based on Usage
- [American Express] カードの利用が一時停止されました — [American Express] Card Usage Has Been Temporarily Suspended
- 【お知らせ】カード認証更新のお願い — [Notice] Request to Update Card Authentication
Sample of domains: ehpkmn[.]cn, exttyo[.]cn, qdtqq[.]cn, rnsxk[.]cn, sxviius[.]cn, tyslq[.]cn, wbwfm[.]cn
#Infoblox #dns #phishing #spam #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel #japan #rdga #scam
-
Pictures from today #RdgA
Overnight stay at a B&B near Les Vouards, south of Lake Geneva
-
An interesting traffic distribution system (TDS) we're tracking routes users to quick cash and payday loan sites that are likely scams looking to steal people's personal and financial information.
The TDS chain starts with an RDGA-generated domain following the pattern: <5 to 9 random letters>.<cfd,cyou,info,etc.>. The user is then routed to one of the actor's TDS domains dfgtrk<1 to 10>[.]com. This domain will then redirect to landing pages hosting the scammy loan/cash sites which urge users to enter PII such as name, date of birth, address, social security number, and even bank account information in order to qualify for a loan.
A lot of these sites have generic titles and SLDs mentioning cash, loans, or other financial topics, and seem to mimic legitimate financial services companies.
#dns #Infoblox #rdga #tds #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #scam
-
Cybercriminals incorporate artificial intelligence (AI) to be more effective across their business functions. In most cases, the technology contributes to the actor's code development or augments their socially-engineered attacks. We provided a real example of this last year in September when we published about YouTube account hijackers that use deepfake videos of Elon Musk for a crypto giveaway scam (https://blogs.infoblox.com/threat-intelligence/no-elon-musk-was-not-in-the-us-presidential-debate/). We recently saw similar techniques deployed by a threat actor that we track as Reckless Rabbit (https://blogs.infoblox.com/threat-intelligence/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams/). However, instead of YouTube videos, they directly integrate deepfakes into their websites.
Reckless Rabbit began targeting Japanese-speaking users several months ago. They deliver fake web articles that promote non-existent investment programs. These are not your typical scam web pages. They've been enriched with deepfake AI-generated videos of high profile financial leaders including Elon Musk and Masayoshi Son. They also try to add legitimacy to the report by including artificially-drafted and positive reviews from fictitious netizens. Traditionally, the news content was mostly comprised of just text, static images, and links.
Prior to this change, they were predominantly targeting internet users in Eastern European countries. They continue to use dictionary-based Registered Domain Generation Algorithm (RDGA) domains and Facebook ads for navigating victims to fake news articles.
Reckless Rabbit employs a variety of article lures; below, we've highlighted domains specifically used in their Japanese investment scam campaigns. These sites employ deepfake videos embedded with Japanese captions. The articles impersonate Yomiuri Shimbun, one of Japan's major newspaper companies, and contain a registration button for the fake investment platform called "Finance Legend". After clicking it, the page redirects the victim to a contact webform. Based on the contents of the articles, presumably, the threat actor will follow up with the victim using the provided contact details and encourage them to make a deposit in exchange for a future return that is much greater than the investment.
bullpimpletruth[.]com
calmsixgenerous[.]com
chivenotepoisonwish[.]com
clarinetmonday[.]com
deeplyblowgrape[.]com
earlycoindadsummer[.]com
fertilerare[.]com
premiumsquarecircle[.]com
purplecombshop[.]com
surnamewinter[.]com
Attached to this message, we've included a screenshot of the fake news article lure, as well as a screen recording of our interaction with the scam website and deepfake video.
#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #deepfake #ai #elonmusk #masayoshi #japan #yomiurishimbun #recklessrabbit #investment #rdga #ddga
-
Last week, Microsoft reported that their Digital Crimes Unit (DCU) and international partners disrupted Lumma Stealer by taking down 2,300 domains critical to the malware's operation. Shortly after, Palo Alto's Unit 42 reported that cyber campaigns that previously dropped Lumma Stealer are now distributing StealC infostealer payloads. We analyzed the DNS infrastructure related to the attacks and discovered a large number of malicious registered domain generation algorithm (RDGA) domains. Based on passive DNS, the threat actor that controls the infrastructure configured the domains to a staging environment via a dedicated Panama IP address (self-signed SSL) before deploying them. We identified 144 unique domains in this IP space, and all of them were detected as "suspicious" by our algorithms 1-2 months before they were activated for malicious activity.
Disrupting criminal operations is difficult and they will find ways to resurface. However, this example proves that blocking connections at the DNS level can often protect users against the new versions before they emerge. The infostealer actors made a quick turn, but we were already blocking their path. Our specialty is in DNS analytics, so we use DNS signatures, as opposed to malware signatures, for preemptive security. We love this stuff.
Here are some examples of the RDGA domains:
2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, 832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, bot113cloud[.]cyou, bot113cloud[.]my
These campaigns share similar TTPs with those that we reported several months ago. The threat actor that we discussed in this post (https://infosec.exchange/@InfobloxThreatIntel/114027715851469775) also distributed Lumma Stealer and used RDGA domains, but incorporated additional components, such as traffic distribution systems (TDS), web trackers, and cloakers.
#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #infostealer #lummastealer #stealc #tds #tracker #cloaker #rdga
-
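Two DNS pivots a defender can run over a domain feed like the list in the post above, as an added example that is not Infoblox's code: grouping labels that recur across several TLDs (2323dot2[.]cfd / [.]cyou / [.]my), and spotting fresh domains parked together on one IP before activation. The domain names are the ones quoted in the post; the IPs, first-seen dates and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample input: the domains quoted in the post, kept defanged as a
# threat-intel feed would deliver them.
DEFANGED = (
    "2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, "
    "832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, "
    "b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, "
    "bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, "
    "bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, "
    "bot113cloud[.]cyou, bot113cloud[.]my"
)

# Constructed passive-DNS style records: (domain, resolved IP, first seen).
# 192.0.2.0/24 is the RFC 5737 documentation range; these IPs are placeholders,
# not the Panama address mentioned in the post.
PDNS = [
    ("832pip.cfd", "192.0.2.10", date(2025, 3, 20)),
    ("832pip.cyou", "192.0.2.10", date(2025, 3, 20)),
    ("b3cloud.sbs", "192.0.2.10", date(2025, 3, 22)),
    ("bin48.my", "192.0.2.10", date(2025, 3, 25)),
    ("example.org", "192.0.2.99", date(2018, 1, 4)),  # unrelated single tenant
    ("example.net", "192.0.2.77", date(2019, 6, 1)),  # two old, unrelated domains
    ("example.com", "192.0.2.77", date(2024, 6, 1)),  # sharing one IP
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'bin48[.]cfd' back into 'bin48.cfd'."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def parse_defanged_list(text: str) -> list:
    """Split a comma-separated, defanged indicator list into plain domains."""
    return [refang(part) for part in text.split(",") if part.strip()]


def split_label_tld(domain: str) -> tuple:
    """Return (registrable label, TLD). Assumes single-label TLDs, which is all
    the post's sample contains (no .com.mx style suffixes)."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def labels_across_tlds(domains, min_tlds: int = 3) -> dict:
    """Pivot 1: labels registered under at least `min_tlds` different TLDs.
    Returns {label: sorted list of TLDs}, labels in sorted order."""
    tlds_by_label = defaultdict(set)
    for domain in domains:
        label, tld = split_label_tld(domain)
        tlds_by_label[label].add(tld)
    return {
        label: sorted(tlds)
        for label, tlds in sorted(tlds_by_label.items())
        if len(tlds) >= min_tlds
    }


def staging_ips(records, min_domains: int = 3, window_days: int = 14) -> dict:
    """Pivot 2: IPs on which at least `min_domains` domains first appeared within
    a `window_days` sliding window, i.e. fresh domains parked together before
    activation. Returns {ip: domains in first-seen order}."""
    by_ip = defaultdict(list)
    for domain, ip, first_seen in records:
        by_ip[ip].append((first_seen, domain))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort()  # by first-seen date, then domain name
        for i in range(len(items) - min_domains + 1):
            if (items[i + min_domains - 1][0] - items[i][0]).days <= window_days:
                flagged[ip] = [domain for _, domain in items]
                break
    return flagged


if __name__ == "__main__":
    for label, tlds in labels_across_tlds(parse_defanged_list(DEFANGED)).items():
        print(f"{label:<12} seen under {len(tlds)} TLDs: {', '.join(tlds)}")
    for ip, domains in staging_ips(PDNS).items():
        print(f"{ip} parked {len(domains)} fresh domains: {', '.join(domains)}")
```

Either pivot alone produces candidates for review rather than verdicts; the post's own workflow still pairs them with the DNS-level scoring that flagged the domains before activation.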
There is another Lizard on the radar! Looming Lizard is an actor creating hundreds of lookalike domains impersonating popular banks and telecommunication companies targeting Spanish-speaking countries, such as Mexico. Not only are they lookalikes, but they are also RDGAs (Registered DGAs), with new domains created on a daily basis. These are some of the entities they impersonate:
- Banks: Banorte, BBVA, Citi, HSBC, Itaú, Santander, Scotiabank
- Telecommunications: AT&T, BTC, Claro, Liberty, Movistar, Telcel, Tigo
- Others: post offices, department stores, energy companies
For one of the lookalikes to Tigo (tigoppy[.]club), the actor was kind enough and offered the ability to trade our (fake) account points for nice prizes (wink wink). Sample of domains for each mentioned company:
- banortex[.]vip, banortepmex[.]store, banorteoi[.]icu, banorteoi[.]sbs, banortebc[.]top
- bbvamex[.]xin, bbvamex[.]xyz, bbvamxn[.]cyou, bbvamxn[.]store, bbvamxn[.]sbs
- citiprr[.]top, citipr[.]top, citipr[.]vip, citiipir[.]top, citiipir[.]vip
- mex-hsbc[.]xyz, mexhsbc[.]icu, mex-hsbc[.]icu, mex-hsbc[.]xin, mexhsbck[.]pro
- itauupy[.]top, ittau[.]top, itauupyi[.]top, itaui[.]cfd, itaupy[.]top
- santander-mex[.]xin, santandermox[.]vip, santander-mex[.]sbs, santander-mex[.]icu, santandermox[.]xyz
- scotiabank-mx[.]xyz, scotiabok[.]xyz, scotiiiai[.]vip, scotiabanukmx[.]sbs, scotiiiai[.]xin
- attmiex[.]pro, att-com-mx[.]top, attmmex[.]xyz, att-com-mx[.]xin, attmmex[.]vip
- btcbahamass[.]vip, btcbahamasni[.]vip, btcbahamasni[.]xin, btcbahamasi[.]top, btcbahamasni[.]top
- claroar[.]top, claroec[.]vip, clarosv[.]top, claropy[.]vip, clarolo[.]top
- liberty-cr[.]xyz, liberty-cr[.]vip, liberty-cr[.]icu, liberty-cr[.]xin, liberty-cr[.]cc
- movisstar[.]pro, movisstar[.]xyz, movistar-uy[.]xin, movisstar[.]sbs, movistarui[.]icu
- telcelsi[.]top, telcelt[.]bond, telcele[.]info, telceln[.]qpon, telcel0[.]online
- tiiigopy[.]xyz, tigosv[.]top, tigosv[.]cc, tigosvi[.]top, tigoipy[.]top
https://urlscan.io/result/375469cb-d1ac-4b91-8dbe-18c5f42d427d/
https://urlscan.io/result/019656a1-67b5-7007-acc9-8834551420f7/
#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infoblox #infobloxthreatintel #lookalike #phishing #rdga #scam
-
We use the term Registered DGA in a different way than a traditional DGA since they serve a different purpose. We've created this cheatsheet to help you understand why we make the distinction. Tell us what you think and if there are any terms you would like explained!
#rdga #tds #ds #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel
-
This report has a link to a real example of how Revolver Rabbit uses an RDGA in Xloader. Tracking their domains is tricky and I suspect the full size is much larger than we have caught. If they invest such huge sums into their infrastructure, they must be making bank. #dns #threatintel #threatintelligence #malware #xloader #infoblox #rdga #cybercrime #cybersecurity #infosec #phishing @InfobloxThreatIntel https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/
-
Threat actors are getting into the competitive spirit with scams spoofing the upcoming Paris Olympics. We've seen various types of campaigns, including everything from advertisements for free mobile data packages to websites claiming to sell Olympics merchandise.
Domains used for mobile package campaign: xptmto[.]top, 18gym[.]top, 1ilkd[.]top, 1z3qx[.]top, 2qh8u8[.]top, 2srhcu[.]top
Domains spoofing merchandise sellers: shop-olympics[.]shop, 2024olympics[.]shop
#InfobloxThreatIntel #infoblox #olympics #dns #rdga #phishing #scam #cybersecurity #cybercrime
-
Unidentified Attacker “Revolver Rabbit” Uses RDGA to Register 500,000 Domains https://hackread.com/threat-actor-revolver-rabbit-rdga-register-domains/ #RevolverRabbit #Cybersecurity #Security #Phishing #security #Malware #Domain #RDGA #Scam
-
We just released a landscape review of Registered DGAs. We review the many ways threat actors are leveraging these algorithms -- including malware, phishing, scams, porn, you name it. Our RDGA detectors find tens of thousands of domains every day, and we've seen the use continue to rise over the last several years. Most folks aren't even aware since actors are doing this in DNS and it often isn't obvious. #dns #threatintel #cybersecurity #cybercrime #infoblox #RDGA #DGA #DDGA #malware #phishing #scams #infoblox #infobloxthreatintel #cybersecurity #threatactor #c2 #revolverrabbit #threatintelligence #cyber #cyberintelligence #xloader #formbook #abusedtld https://insights.infoblox.com/resources-research-report/infoblox-research-report-registered-dgas-the-prolific-new-menace-no-one-is-talking-about
-
Over a dozen RDGA domains were registered over the last few days that redirect to the gambling website betonesg[.]com for users in Hong Kong and Singapore. These domains demonstrate the use of DNS to control access to content based on IP geolocation. It also shows the technique, common in illegal gambling, of using domain redirection to hide the site. The website claims to offer a bonus for those who sign up and promises to stream the world's top sporting events.
Sample of domains: sgbt65[.]com, sgbt59[.]com, sgbt57[.]com, sgbt62[.]com, sgbt51[.]com, sgbt66[.]com, sgbt60[.]com
#dns #cybersecurity #cybercrime #threatintel #lookalike #infosec #infoblox #InfobloxThreatIntel #rdga
-
This cluster of domains was registered a few days ago and we are seeing them redirect through a traffic distribution system (TDS) to a suspicious domain claiming to give users a "Special Birthday Reward". In one example, going to honcsaq[.]biz redirected to p2kdjk34dd[.]com and tbf92kdt[.]com before finally landing at try.yourbirthday-reward[.]com. To claim this "reward", the site asks for the user's name, phone number, email, and more. After filling out all of the information, it links to various chain restaurants' reward pages.
honcsaq[.]biz,honcsll[.]biz,honcskr[.]biz,honcskf[.]biz,honcsff[.]biz
#dns #cybersecurity #cybercrime #threatintel #infosec #infoblox #InfobloxThreatIntel #rdga
-
New RDGA domains registered in the last 48 hours, all with a highly abused TLD. These domains resolve to a landing page that appears to still be in the stages of being built; however, blank pages like this are often used as decoys.
Example of domains: dgonna[.]xyz, tgonna[.]xyz, fgonna[.]xyz, ygonna[.]xyz, pgonna[.]xyz
#dns #cybersecurity #cybercrime #threatintel #lookalike #infosec #infoblox #InfobloxThreatIntel #rdga
-
Some of the newly registered domains we observed today, lookalikes to 1xbet[.]com, a gambling site:
1xbet-449[.]top,1xbet-fvl[.]top,1xbet-hik[.]top,1xbet-lak[.]top,1xbet-pxw[.]top,1xbet-rzdp[.]top,1xbet-techl[.]top,1xbetar[.]online,1xbetgirisyap2024[.]com,casino-1xbet-site-3[.]top
Domains like these are often advertised in spam social media posts. Screenshot of an example attached.
#dns #cybersecurity #cybercrime #threatintel #lookalike #infosec #infoblox #InfobloxThreatIntel #rdga
-
We have observed a new group of RDGA domains registered on April 12, 2024, which appear to be Chinese news sites. These domains share identical content on their front pages and resemble generic placeholder templates. Notably, all the article dates are from multiple years ago. Sample of the domains: 366106a0[.]shop,366106a1[.]shop,366106a10[.]shop,366106a11[.]shop,366106a12[.]shop.
#dns #threatintel #infoblox #rdga
-
We recently observed a cluster of RDGA-generated domains all registered 3/25 that appear to host Turkish-language betting sites. All domain names contain the Turkish words "giris" and "guncel" which translate to "login" and "current." Most domain names also contain a mixture of additional English and Turkish words, especially ones related to gambling such as "bet" and "casino." The landing page for truvabetgirisguncel[.]com can be seen in the screenshot below, along with the page's English translation. Additional domains: akcebetgirisguncel[.]com, elexbetgirisguncel[.]com, vdcasinogirisguncel[.]com, cratosslotgirisguncel[.]com, betkomgirisguncel[.]com, betroadgirisguncel[.]com, parmabetgirisguncel[.]com
#rdga #threatintel #gambling #cybersecurity #dns #infoblox #cybercrime
-
Scam using Amazon lookalike phishing domains registered a few days ago. The domain amazon-2888[.]com advertises that users can earn a commission by completing a "task order". To start earning your commission, all you need to do is sign in with your phone number and password ;)
There is also a Telegram account associated with this scam, "@amazonOnline_Service".
A few examples:
amazon-2888[.]com,amazon-3666[.]com,amazon-2666[.]com,amazon-1666[.]com
#rdga #phishing #lookalike #dns #infoblox #cybercrime #cybersecurity #threatintel
-
Want to test your luck? Here are 6 out of 20 algorithmically generated registered domains (RDGA) related to Japanese gambling that were registered within the last week.
1568142[.]cc, 1568143[.]cc, 1568147[.]cc, 1568148[.]cc, 1568152[.]cc, 1568153[.]cc
We have found that online gambling facilitated through networks like this is actually housing criminal activity, and is a reminder of the old adage 'The house always wins.'
#dns #gambling #dga #rdga #cybersecurity #betting #infoblox
-
There's no doubt threat actors love to capitalize on upcoming events as part of their social engineering tactics, and this month's focus is Valentine's Day. We've seen a number of RDGA-generated domains with this theme, including over 200 recently created domains following the pattern 'valentines-day-<5 random digits>[.]bond.' These are part of a larger cluster of over 400k domains all with similar registration patterns and using the .bond TLD.
A sample of these domains include: valentines-day-49901[.]bond, valentines-day-68785[.]bond, valentines-day-78319[.]bond, valentines-day-86056[.]bond
#dns #infoblox #rdga #valentinesday #socialengineering #threatintel #cybersecurity #cybercrime
-
Wanna catch some Zs? .. this week one actor registered over 1k domains with a registered DGA (RDGA)... including zr3lcaymo[.]sbs, zta6w5gof[.]sbs, ztx5u0eyj[.]sbs, zvg2hg3gk[.]sbs, zwfcc43ma[.]sbs, zxw8ov1zn[.]sbs, zyylbgvi9[.]sbs, zzwnihkem[.]sbs
#dns #infoblox #threatintel #cybersecurity #infosec #dga #rdga #suspicious
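Nearly every post above describes the same observable: a burst of newly registered domains that share a TLD and a naming template (sgbt65/sgbt59, honcsaq/honcsll, 366106a0/366106a1, valentines-day-<digits>). The following is an added example, not Infoblox's detector or any code from the posts, of how a practitioner could bucket a newly-registered-domain (NRD) feed by TLD and character-class "shape" to surface such RDGA clusters. The feed below is constructed: it refangs the samples quoted in the posts and adds a few unrelated domains as noise; the cluster threshold of 4 is an assumption.

```python
import os
import re
from collections import defaultdict

# Assumed threshold: a shape shared by fewer registrations is treated as noise.
MIN_CLUSTER = 4

# Constructed sample of an NRD feed: refanged samples from the posts above
# plus three unrelated domains that should not be flagged.
SAMPLE_NRD_FEED = [
    "sgbt65.com", "sgbt59.com", "sgbt57.com", "sgbt62.com", "sgbt51.com",
    "sgbt66.com", "sgbt60.com",
    "honcsaq.biz", "honcsll.biz", "honcskr.biz", "honcskf.biz", "honcsff.biz",
    "dgonna.xyz", "tgonna.xyz", "fgonna.xyz", "ygonna.xyz", "pgonna.xyz",
    "366106a0.shop", "366106a1.shop", "366106a10.shop", "366106a11.shop",
    "366106a12.shop",
    "1568142.cc", "1568143.cc", "1568147.cc", "1568148.cc", "1568152.cc",
    "1568153.cc",
    "valentines-day-49901.bond", "valentines-day-68785.bond",
    "valentines-day-78319.bond", "valentines-day-86056.bond",
    "zr3lcaymo.sbs", "zta6w5gof.sbs", "ztx5u0eyj.sbs", "zvg2hg3gk.sbs",
    "zwfcc43ma.sbs", "zxw8ov1zn.sbs", "zyylbgvi9.sbs", "zzwnihkem.sbs",
    "example-bakery.com", "johnsmithphotography.net", "my-shop-2024.com",
]


def split_domain(domain):
    """Return (label, tld) for a second-level domain; lowercases and drops a trailing dot."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def shape(label):
    """Collapse each digit run to 'D' and each letter run to 'L', keeping other characters.

    'sgbt65' -> 'LD', '366106a10' -> 'DLD', 'valentines-day-49901' -> 'L-L-D'.
    Run lengths are dropped on purpose so a counter that grows a digit does
    not split the cluster.
    """
    return re.sub(r"[a-z]+", "L", re.sub(r"[0-9]+", "D", label))


def common_suffix(strings):
    """Longest common suffix of a list of strings (mirror of os.path.commonprefix)."""
    return os.path.commonprefix([s[::-1] for s in strings])[::-1]


def find_rdga_clusters(domains, min_size=MIN_CLUSTER):
    """Bucket domains by (tld, shape) and return buckets of at least min_size labels.

    Each returned cluster carries the shared prefix/suffix stem, which is what
    an analyst pivots on next (e.g. 'sgbt', 'honcs', 'valentines-day-').
    """
    buckets = defaultdict(list)
    for domain in domains:
        label, tld = split_domain(domain)
        if not label or not tld:
            continue
        buckets[(tld, shape(label))].append(label)

    clusters = {}
    for key, labels in buckets.items():
        labels = sorted(set(labels))
        if len(labels) < min_size:
            continue
        clusters[key] = {
            "count": len(labels),
            "prefix": os.path.commonprefix(labels),
            "suffix": common_suffix(labels),
            "sample": labels[:3],
        }
    return clusters


if __name__ == "__main__":
    for (tld, shp), info in sorted(find_rdga_clusters(SAMPLE_NRD_FEED).items()):
        stem = info["prefix"] or info["suffix"] or "(no shared stem)"
        print(f".{tld:<5} shape={shp:<8} n={info['count']:<3} stem={stem!r} e.g. {info['sample']}")
```

Run against the constructed feed, this flags seven buckets and leaves the three noise domains alone. The .sbs set is the instructive failure mode: fully random alphanumeric labels do not share a shape, so only the four labels that happen to alternate letters and digits the same way land in one bucket while the other four scatter. Catching that kind of RDGA needs the pivot the post itself relies on, the fact that one actor registered them all, which in practice means joining on registration time, registrar, and nameservers rather than on the label alone.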