Newsletters

‍https://www.linkedin.com/in/schwalbe/

‍

Learn More

Newsletters

Community

Fifteen (Newsletters) On A Skateboard

After False Spring and Second Winter, we have reached “The Pollening”, which either precedes actual Spring, or possibly Third Winter - The jury is still out! In any case, I’ve put my "heavy rain coat" in storage, and pulled out my "slightly lighter rain coat." It’s been windy though - the cherry blossoms on the UW Quad are fighting to stay attached, and for a minute today I could have sworn the outside thermometer read 70 degrees. But that can’t be right, it’s April in Seattle after all!

Very much on brand for Spring however, things have started to get real busy again. I just wrapped up a fantastic week in San Francisco at the end of March. I gave a talk at BSidesSF, where I dove deep into the recent activities of Salt Typhoon and the i-Soon leaks.

After that I stuck around for RSAC, and it was great to connect with many of you in person. If I missed you, please drop me a line and let’s figure out the next time we’ll be in the same city. The next opportunity will likely be in Munich toward the end of April, where I will be attending the FIRST CTI Conference. If you’re going to be there, let me know and we’ll research who pours the best Maß !

Speaking of research, in this edition, we’re looking at some heavy-hitting infrastructure research, from the persistent "Doppelgänger" disinformation machine to a significant cryptographic leak within Qihoo 360’s AI platform.

Let’s dive in and get you up to speed!

‍

Hot off the Presses

Doppelgänger / RRN Disinformation Infrastructure Ecosystem 2026

DTI researchers analyzed the Doppelgänger / RRN ecosystem as an infrastructure-based disinformation operation with notable operational waves from 2022 through 2026. Rather than operating as a loose set of fake websites, the network functions as a coordinated system built around large-scale media impersonation. Well-known Western news outlets are copied using domain lookalikes, typo variants, and alternate extensions, all tied to a central group of RRN domains that act as a hub for messaging.

Domain analysis showed registration activity in clear waves, along with consistent use of low-cost top-level domains and repeat patterns in domain naming. The operation also rotates domains after enforcement actions while keeping core naming consistent. The infrastructure is distributed and designed to stay active over time, with multiple connected domains supporting the name narratives. Overall, the findings point to a managed and sustained operation rather than isolated short-term activity.
‍

‍

SecuritySnack - CloudFlare Anti-Security For Phishing

A Microsoft 365 credential harvesting campaign leveraged content delivery and security platforms like Cloudflare to delay detection and risk profiling. The campaign implemented multiple anti-detection techniques, including Cloudflare human verification, hardcoded IP block lists, user agent checks, and multiple sites and redirects, filtering out security tools, bots, and known infrastructure, often returning fake “404 Not Found” pages. The credential harvesting logic was executed through a hidden script using a custom VM function, preventing static analysis and dynamically updating destinations to legitimate domains when checks were triggered. Multiple sites in the cluster shared common infrastructure patterns, including Cloudflare nameservers, Namecheap registration, and a consistent Turnstile sitekey that may be used to identify related domains.
‍

‍

Exposure of TLS Private Key for Myclaw 360 in Qihoo 360 “Security Claw” AI Platform

DTI analyzed the confirmed exposure of a Transport Layer Security (TLS) private key associated with the wildcard certificate *.myclaw[.]360[.]cn, tied to Qihoo 360’s Security Claw platform. Cryptographic validation confirmed that the supplied private key matches the public key contained in the certificate, showing that the exposed credential is authentic and operational. Because the certificate covers the entire domain namespace, possession of the private key would allow impersonation of services across the platform if it remained trusted and unrevoked. Certificate transparency analysis indicates the certificate was subsequently rotated and replaced with a new RSA key pair following the exposure.

The exposure represented a leak of cryptographic trust material associated with the platform’s infrastructure. Evidence indicates the certificate and private key were present within the platform’s installer package, suggesting inclusion during the software build process. Domain registration data, passive DNS, and infrastructure analysis link the affected namespace to Qihoo 360’s operational environment, confirming the exposed key was associated with a service environment under the company’s direct control. Our team worked through a root cause and analytical assessment of the exposure as well as the possible threat scenarios that could result from it.
‍

‍

SecuritySnack - OpenAI Anti-Ads Malware

DTI researchers detailed the discovery of a malicious Chrome extension, named "ChatGPT Ad Blocker", found on the Google Chrome Web Store. The extension masquerades as an ad-blocking tool but is primarily designed to steal the user’s ChatGPT conversations data by systematically copying the HTML page and sending it to a webhook on a private Discord channel.

The identified activity appears to be an attempt to capitalize on OpenAI's policy shift to serve advertisements on its free tier by distributing malicious extensions that allege to block these ads.
‍

‍

What We’re Reading

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!

The top article for the month: Kentik - Internet and Airstrikes: Tracking Iran's Extended Communication Blackout
The top research for the month: Mandiant - M-Trends 2026 Report

📚Check out the full reading list here
‍‍

Where We’ll Be

- FIRST CTI Conference, Munich, Germany - 21-23 April

- SLEUTHCON, Arlington, VA - 05 June
‍

Final Thoughts

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading & see you next month!

-Daniel

https://infosec.exchange/@danonsecurity‍

Learn More

Newsletters

Community

Fourteen Newsletters and Fifteen Winters

Greetings from Seattle, where “second false spring: has just arrived. It’s a thing, Google it! Returning readers will no doubt recognize that I’m a bit obsessed with the weather here. Even after thirty years in the Emerald City, and my induction as an honorary mossback, the weather and its 12-14 micro-seasons are frequently top of mind. During my first year as an undergrad at the University of Washington, I thought about becoming a meteorologist. I took several atmospheric sciences classes, but then the advanced math got me. Instead I got a degree more suited to my natural talents: Communications 😉

I teased this possibility last month, but now it’s official: The publication of this monthly newsletter has moved to the first Tuesday of the next month, as opposed to the last Tuesday of the month that the newsletter covers. We changed a few things up internally, and for practical reasons, this change is becoming permanent. The use of adapted song titles for each new edition is sticking around, though it might get harder if I keep up sequential numbering. I’d normally ask you to comment on this post if you recognized the song this one is based on, but GenAI kind of takes the fun out of it - Gemini for example got it on the first try 🙄

While February was a short month, the threat landscape was anything but quiet and my team was anything but bored. This edition of my newsletter focuses on a recurring phenomenon we observe in actor tradecraft: The weaponization of trust. Our headliner is a deep dive into Lotus Blossom (G0030) and their sophisticated supply chain attack targeting Notepad++. This wasn't a loud, "smash and grab" operation; it was a surgical infiltration of an update pipeline designed to stay under the radar of even the most diligent admins.

We’re also looking at the "human" side of the house with a new Security Snack on Idolized Crypto Scams. My team traced over 250 domains back to a single infrastructure cluster that uses celebrity personas and fraudulent presales to siphon assets across multiple blockchains.

We closed out February with my talk at BSides Seattle, where I spoke about my team’s research on new domains delivering SpyNote Malware, which we covered extensively last year. If you weren’t able to catch me live, my team and I will be at BSides San Francisco near the end of March, where we have two presentations on the schedule - come find us and say hi! I will be in town for RSAC as well, and would be happy to host you in our space near Moscone.

Now, without further ado, from supply chain evolution to high-velocity fraud, we’ve got plenty to get you up to speed. Let’s dive in!

‍

Hot off the Presses

Lotus Blossom (G0030) and the NotePad++ Supply Chain Espionage Campaign

DTI researchers analyzed the sustained compromise of the Notepad++ update pipeline from late 2025 into early 2026. Rather than modifying the open-source codebase, attackers infiltrated upstream distribution infrastructure and selectively redirected update traffic for a small group of targets. This allowed them to deliver customized installers and low-noise implants to be delivered while most users continued receiving legitimate updates.Taken together, the operational choices, tooling, and victim profile support attribution, with moderate to high confidence, to the China-aligned espionage actor commonly tracked as Lotus Blossom (G0030) in concurrence with other organizations assessment.

The Notepad++ compromise represents a clear evolution in Lotus Blossom’s tradecraft. Earlier campaigns relied heavily on spear-phishing and bespoke backdoors delivered directly to victims. Rather than compromising end-user systems through conventional infrastructure attacks, such as opportunistic abuse of widely trusted software updates, the actors shifted the locus of trust toward the developer ecosystem itself. By abusing a legitimate update mechanism relied upon specifically by developers and administrators, they transformed routine maintenance into a covert entry point for high-value access.The incident highlights how trusted software update systems can be quietly weaponized for long-term intelligence collection without causing widespread disruption.
‍

‍

🔍Read the full investigation here‍

SecuritySnack: Idolized Crypto Scams

A cryptocurrency scam operation spanning roughly 250 domains was identified across multiple themes, including fake celebrity giveaways and fraudulent token presales. The investigation began with a cluster of suspected scam domains sharing the same Google analytics tag ID and expanded through blockchain tracing, wallet analysis, and domain registration overlaps. This process revealed activity across BTC, ETH, and XRP and included impersonation of public figures, platforms, and crypto projects.

On-chain findings were mixed but revealed a well-developed supporting infrastructure. In several cases, blockchain tracing showed actor-controlled wallets funding themselves and cycling assets through multi-layer laundering pipelines. The broader infrastructure includes cross-chain scam tooling, distributed hosting across multiple jurisdictions, and hundreds of related domains. Evidence from shared wallets, infrastructure overlaps, and Russian-language artifacts indicates a single actor likely responsible for both campaigns.

‍

‍

🔗Read more here

‍

What We’re Reading

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!

The top article for the month: Infoblox Threat Intel - Compromised Routers, DNS, and a TDS Hidden in Aeza Networks
The top research for the month: Crowdstrike - 2026 Global Threat Report

📚Check out the full reading list here

‍‍

Where We’ll Be

- NICAR 2026, Indianapolis, IN - 04-06 March

- BSides San Francisco, San Francisco, CA - 21-22 March

Come see me speak on Saturday 21 March at 1:05pm, AMC Theater 13

- FIRST CTI Conference, Munich, Germany - 21-23 April

‍

Final Thoughts

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

‍

Thanks for reading & see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe/

Read the latest research here

‍

Learn More

Newsletters

Community

Thirteen Silver Newsletters

DomainTools Investigations kicks off 2026 with deep dives into the KnownSec leak exposing China's cyberespionage ecosystem, predatory online gambling apps, and a phishing campaign weaponizing fake job interviews.

A new year, a new cover image! We recently went through another rebranding exercise, which brought new collateral templates. Most noticeably, it changed our corporate website. Some of you noticed, and let us know exactly how you felt about it! The DomainTools Investigations site (https://dti.domaintools.com) also got a make-over, and I think the main website compliments our DTI site nicely!

Regular readers will notice that once again the newsletter is a week “late” - but once again, there were good reasons for it. So I’m considering releasing it on the first Tuesday of the Month, instead of the last one. If you feel strongly one way or the other, please let me know in the comments (or email me). The use of song titles with numbers that correspond to the current edition for the newsletter title is sticking around for now. My friend @Kali Fencl started that when she helped me launch this newsletter over a year ago, and while it’s getting more difficult, I’m committed.

Another thing that’s probably staying are mentions of the local weather! Returning readers know I live in Seattle, and the weather here is always a topic of conversation! For example, many of you think the rain never stops in Seattle. Movies depict torrential downpours, but we Seattleites don’t mind: Keep believing that. But in reality, fellow PNW-er Scott Losse explains it best. Check him out and follow him, he’s funny!

Unlike the East Coast (sorry friends!), we just had a brief, miraculous week of mild weather and sunshine. But as it is customary, "The Gray" has returned like clockwork. It’s that part of winter here, where blue sky quickly begins to feel like a distant memory, and dampness is king. Don’t worry, only three to four months of that!

Speaking of winter, while most of the world was recovering from New Year's Eve and shovelling their driveways, my team here at DomainTools Investigations was busy dissecting a fresh mountain of data. If you thought the i-Soon leak from a while back was a one-off, think again. We’ve been heads-down on the KnownSec leak, a fascinating look at one of the supposed "white hat" companies that turned out to be part of the backbone of China’s cyberespionage ecosystem.

Beyond the geopolitical chess match, we’re also tracking some more "down-to-earth" (read: predatory) threats. Our analysts have been playing a high-stakes game of whack-a-mole with a series of dubious online gambling apps that are currently targeting users across the globe with some surprisingly sophisticated evasion tactics.

And for those of you who appreciate a shorter read with your morning coffee, we have a new SecuritySnack focused on "Phishing Interviews." This investigation highlights a particularly cold-hearted campaign that weaponizes the job hunt, exploiting the trust of applicants to harvest government credentials and to drop remote access tools.

We’ve got a lot to cover to kick off the year, so let’s dive right in, and get you all caught up!

‍

Hot off the Presses

THE KNOWNSEC LEAK: Yet Another Leak of China’s Contractor-Driven Cyberespionage Ecosystem

In November of 2025, an allegedly massive leak of data from Chinese company “KnownSec” was posted to a github account. The leak has since been pulled off of Github and downloaded by very few, and of those few who gained access, only one uploaded 65 documents as a primer to the leak elsewhere for others to see. DTI was able to get the 65 document images and this initial investigation is derived from this slice of a much larger leak that is out there but not available.

While Knownsec advertises itself as a “white hat” pillar in China’s cybersecurity landscape, the leak revealed the company operates a vertically integrated espionage stack for reconnaissance, exploitation, collection, and persistence, designed for both domestic surveillance and foreign intelligence operations in support of China’s security state.

Its internal documents, product manuals, and data repositories show a company engineered to support Chinese national security, intelligence, and military objectives. Tools like ZoomEye and the Critical Infrastructure Target Library give China a global reconnaissance system that catalogs millions of foreign IPs, domains, and organizations mapped by sector, geography, and strategic value. Massive datasets containing real names, ID numbers, mobile phones, emails, and credentials allow Knownsec and its government clients to correlate infrastructure with people, enabling rapid deanonymization, targeting, and social engineering. On top of this data foundation, Knownsec’s offensive products – GhostX, Un-Mail, and Passive Radar – purport to provide a full intrusion and surveillance pipeline.
‍

‍

Pay to Lose: Dubious Online Gambling Games

DTI analysts identified multiple clusters of dubious Android applications created in the past few weeks that are engaged in predatory gambling and real money gaming apps. Notably, these are not registered apps. They are intentionally misleading users into thinking they are legitimate and reputable through multiple tactics like spoofing the Google Play Store, creating fake reviews, generating fake public win declarations, and creating entire brands with marketing campaigns and broad distribution tactics. These clusters also attempt to evade detection and analysis by having post install code and configuration retrievals from actor controlled sites, which serve a dual purpose of distributing region specific content to users post installation.

The investigation is segmented into three distinct infrastructure clusters. Each cluster appears to target a general set of countries including Nigeria, India, Pakistan, and the Philippines. They also appear to have non-region specific user base targeting, including English, Portuguese, and Bengali speaking users. Despite the wide range of targets, the clusters share a common theme of mobile-focused gaming or gamified gambling apps to attract users for financial gain
‍

‍

Security Snack: Phishing Interviews

My team uncovered a malicious actor that has created several domain masquerades of small companies posing as job boards, interview themes, and login pages since approximately August 2025.

The investigation revealed two distinct objectives. The first is a credential harvesting scheme targeting ID.me accounts — the official identity provider for US government services like the IRS and SSA — which can then be exploited to facilitate financial fraud, including tax refund theft and fraudulent unemployment benefits.

The second cluster focuses on malware delivery, tricking job seekers via fake Microsoft Teams meeting invites to download a malicious, unsigned variant of the remote access tool Connectwise. This gives the attacker access to the victim’s machine where they may conduct follow-on attacks.

‍

What We’re Reading

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!

The top podcast for the month: ChinaTalk - Richard Danzig on AI and Cyber
The top article for the month: CERT Polska - Energy Sector Incident Report
The top research for the month: GTIG - No Place Like Home Network: Disrupting the World's Largest Residential Proxy Network

📚Checkout the full reading list here📚

‍

Where We’ll Be

AFCEA West 2026, San Diego, CA, 10-12 February
BSides Seattle, Redmond, WA, 27-28 February
NICAR 2026, Indianapolis, IN, 5-6 March
BSides SF, San Francisco, CA, 21-22 March
- ‍Come see me speak on Saturday
  ‍

Final Thoughts

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading - see you next month!

-Daniel

‍

Learn More

Newsletters

Community

Rainy Day Newsletter #12 (but not 35)

Welcome to the New Year, I hope you all had a restful holiday season! Similarly to the November issue, we decided to hold this edition until the post-holiday inbox avalanche has (hopefully) subsided. I wouldn’t want you to miss your favorite newsletter!

It’s hard to believe that DTI turns one year old this coming Friday! In case you haven’t been a subscriber since “Day One”, allow me a brief recap: In September of 2024, at a DomainTools onsite meeting, serendipity brought together two individuals with deep security industry connections, and a passion for community. We hatched an idea, got a few more colleagues excited about this idea, and in late 2024, we pitched it to our bosses. A scrappy program on a shoestring budget, with an agreement to fail fast and pivot as necessary. We signed up for some KPIs (you better measure success if you want to spend other peoples’ money!), and we launched on January 9th, 2025.

As I sit here, drafting this message, I can’t help but look back with pride on everything we did this past year: The countless hours of collective hard work, the travel all over the world to meet with the community, and most importantly, all the great research we published. We positively crushed it, if I do say so myself!

Now it’s late December, and the future looks decidedly less certain. One half of the DTI Leadership team is no longer with the company. She would hate it if I called her out here by name, but IYKYK. Thank you for a crazy year of collaboration, planning, organizing, problem solving, and innovating. Myself and the remaining DTI Team miss you greatly!

I’m not sure yet what 2026 will bring, but I know it will be different. Different isn’t automatically bad of course, so time will tell! Stay tuned for updates!

Back to Business

For those of you keeping score, the weather here in the Pacific Northwest has officially transitioned from damp, dark, and cold to damper and colder but a little less dark. But luckily none of that has slowed down our researchers. Fueled by hot coffee and cold redbull, they’ve been burning the 4pm oil, and we have some fascinating, and frankly brazen, campaigns to share as we kick off the year.

Our featured research for this edition looks at a massive “super-cluster” of over 5,000 Chinese malware delivery domains. What makes this investigation particularly special is how we did it: our team utilized agentic AI systems to accelerate our analysis by 10x. If you’ve been wondering how AI actually changes the game for threat hunters, this is the blueprint.

We also pulled back the curtain on the bureaucratic side of state-sponsored espionage with our second deep dive into the APT35 leaks. It turns out that Iranian intelligence operators deal with the same mundane office headaches we do: Spreadsheets, expense reports, and ticketing systems.

Finally, we took a look at a B2B2C supply chain attack targeting the hospitality industry. By compromising hotel management accounts, attackers are reaching customers directly through official Booking[.]com channels. It’s a stark reminder that if the supply chain isn’t secure, neither is the trusted platform it supports.

Hot off the Presses

B2B2C Supply Chain Attack: Hotel’s Booking Accounts Compromised to Target Customer

DTI’s investigation reveals a sophisticated campaign targeting Booking[.]com customers by compromising hotel management accounts. Since May 2025, threat actors have generated nearly 1,000 spoofed domains to execute a “verify or cancel” phishing scheme. By hijacking official hotel messaging channels, attackers send urgent alerts that direct travelers to fraudulent sites. These pages are dynamically populated with the victim’s actual reservation details which have been stolen from the hotel’s own database to create a high-trust environment for stealing payment information.

Learn more

Chinese Malware Delivery Domains Part IV

DTI’s latest investigation into massive Chinese malware delivery infrastructure reveals the addition of over 1,900 new malicious domains in the super cluster of over 5,000 domains we have been tracking since early 2025. This activity, which primarily targets Chinese-speaking users, has evolved from a consolidated infrastructure into a fragmented and localized network using domestic Chinese registrars to improve operational security. The attackers employ deceptive lures such as spoofed downloads for Chrome, VPNs, and office software to deliver an array of trojans and credential stealers.

To manage this massive influx of data, our researchers deployed agentic AI systems to analyze the malicious domains, increasing analysis speed by 10x. By utilizing a “task-based AI orchestrator” paired with specialized sub-agents, the team was able to bypass anti-automation hurdles and autonomously interact with and analyze thousands of sites per day.

Agent Orchestration Flow Diagram

The APT35 Dump Episode 4: Leaking The Backstage Pass To An Iranian Intelligence Operation

DTI’s latest deep dive into the four-part leak of internal documents from APT35 (Charming Kitten) reveals the financial administration powering Iranian state-sponsored espionage. The leaked files, ranging from payment spreadsheets to internal ticketing systems, show how the group has financed and managed their operations in spite of international sanctions. These documents track everything from server procurement and crypto-payment receipts to operator attendance logs and performance metrics, illustrating a “bureaucratic metabolism” where cyberattacks are treated as standard administrative workflows.

Despite this clerical precision, the investigation highlights a glaring lack of operational hygiene. The group failed to secure their backend infrastructure and cleartext credentials even after the internal documents were leaked, allowing researchers to map the financial and administrative connections between APT35/Charming Kitten and the Iranian “Moses Staff” threat actor. By stripping away the mystery of their technical exploits, this research exposes the administration, including budgeting, invoice reconciliation, and supervisor approvals, that sustains Iran’s strategic information operations across the Middle East and beyond.

Screenshot of moses-staff[.]io homepage

Read our investigation here

What We’re Reading

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!

The top podcast for the month: Cyberwire – Root Access to the Great Firewall
The top article for the month: Infoblox – Parked Domains Become Weapons with Direct Search Advertising
The top research for the month: GA Tech et al – From Concealment to Exposure – Understanding the Lifecycle and Infrastructure of APT domains

Checkout the full reading list here

Where We’ll Be

The DTI Travel Squad is staying local in January, but we will keep you updated on future travel once schedules get finalized!

Final Thoughts

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here.

If you missed last month’s content, here are some quick links:

Thanks for reading – see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

‍

Learn More

Newsletters

Community

Newsletter 11 Could Take Forever

Dive into DomainTools Investigations' latest threat intel! Read our 3-part series on China's Great Firewall leak and an analysis of APT35 (Charming Kitten) campaigns targeting the Middle East and Korea, focusing on Exchange attacks. Get the intelligence you need!

The title of this month’s newsletter is a deep cut taken from the height of my favorite music genre, the admittedly awkwardly titled “Alternative Music.” What can I say, the 1990s in Seattle were wild, man - you had to be there.

Speaking of being there, last week was the Thanksgiving Holiday here in the United States. Normally my newsletter goes out on the last Tuesday of the month, but considering a lot of security professionals in the US got Thursday and likely Friday off, we decided to push publication by a week, so hopefully more of you can enjoy this edition instead of it getting buried under mashed potatoes and gravy!

The weather here in the Pacific NorthWest has firmly settled into “damp mode” (IYKYK), and the temperatures have started to creep below 40 degrees Fahrenheit (below 4 degrees Celsius for my international friends). I refuse to call it “The Big Dark” however - stop trying to make “The Big Dark” happen, Gretchen! Despite the cold, I’m happy to report that the intensity of DomainTools Investigations’ research output is only heating up.

Our flagship research for November, “Inside the Great Firewall,” is a three-part series based on a recent dump of documents and technical details of China’s censorship infrastructure. This massive leak provided us with over 500 gigabytes of internal operational data. I had the pleasure of joining Dave Bittner on the Research Saturday podcast from N2K | CyberWire to discuss our team’s work.

In addition to this deep dive, we also published a threat intelligence report based on leaked internal documents from APT35 (Charming Kitten). This report maps the Iranian state-sponsored actor's organization, tool kit, and campaign strategies. It details their campaigns against Lebanon, Kuwait, Türkiye, Saudi Arabia, Korea, and domestic Iranian targets, with a focus on their use of Microsoft Exchange attack chains. As a former Exchange Admin, I took personal note of that detail and was glad those days were behind me!

Last but not least, my team and I attended CYBERWARCON in Arlington, Virginia a couple of weeks ago. It was great to connect with the community, we had a small sponsorship booth and had many excellent conversations with fellow practitioners. I personally like the timing of this one-day conference, as it’s a nice bookend to its sister conference SLEUTHCON, which we attended earlier this year.

November was packed with research and tasty threat intelligence, so let's dive right in and get you up to speed!

Hot off the Presses

Inside the Great Firewall Part 1: The Dump

In September 2025, a historic breach of China’s censorship infrastructure leaked over 500 gigabytes of internal data detailing the infrastructure, design, and companies involved with the Great Firewall (GFW). DTI researchers analyzed more than 100,000 documents, internal source code, work logs, configuration files, emails, technical manuals, and operational runbooks.

Part 1 covers the human machinery behind the GFW and the consequences of the leak. This data links specific engineers and administrators to their roles across state-run ISPs (China Telecom, China Unicom, China Mobile), academic research institutions, and Ministry of State Security (MSS)-linked vendors.

🔗Read the report here

Inside the Great Firewall Part 2: Technical Infrastructure

In Part 2, DTI analysts offer a forensic reconstruction of the Great Firewall’s technical infrastructure. From spreadsheets detailing app endpoint behavior, user monitoring intervals, and hardware configurations to blueprint files illustrating node relationships and control flows, the data illustrates a highly centralized yet distributed architecture, built on cooperation between state-run ISPs, telecom vendors, university research labs, and policy-design entities. Using this data, our researchers mapped the operational logic, software structure, and institutional alignment driving the digital surveillance regime.

🔍Read the full technical deep dive here

Inside the Great Firewall Part 3: Geopolitical and Societal Ramifications

In the final part of the series, our team analyzes the strategic doctrine behind the Great Firewall. This analysis reveals the GFW as a cornerstone of China’s broader governance model, extending internal social control mechanisms into the digital realm while also projecting power abroad. The regime serves a dual purpose of insulating the domestic population from undesired narratives and foreign influence, while exporting technologies, protocols, and ideological models of digital sovereignty to other authoritarian or aspiring technocratic regimes.

🔗Read our analysis here

Threat Intelligence Report: APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets

In October, internal documents from APT35, also referred to as Charming Kitten, were leaked on Github. Our researchers reviewed and analyzed the leaked documents to form a tightly linked forensic trail that maps both technique and organization. In this report, we broke down APT35’s tool kit which covers reconnaissance, initial access, and post-exploitation tooling optimized for large-scale, quota-driven compromise operations. Our team analyzed the actor’s operational profile and campaign strategies, identifying an emphasis on weaponizing exchange attack chains (ProxyShell, Autodiscover, EWS enumeration, and PowerShell driven tasks) to extract mailbox contents and Global Address Lists, maintain mailbox-level persistence, HUMINT extraction, and iterative phishing loops based on harvested address books.

Read Ian’s recap here

What We’re Reading

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!

The top article for the month: GreyNoise Intelligence – When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game
The top research for the month: arXiv – Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models

📚Checkout the full reading list here📚

Where We’ll Be

SANS Cyber Threat Summit 2025, London, UK, 3-4 December

Final Thoughts

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading - see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

Learn More

Newsletters

Community

Tenth Newsletter Freeze-Out

Cybersecurity deep dive: NPM Phishing, Crypto Scams, & 18+ E-Crime analysis. Get expert research on supply chain attacks, wallet drain schemes, and trojans targeting social media. Plus, BSides NoVa recap & top reading list.

For the title of this tenth edition of my newsletter, I decided to go with a hit by “The Boss” (Bruce Springsteen for those of you who aren’t familiar). The obvious choice could have been 10 by Pear Jam, who hail from my adopted home town. But 10 is an album title, and not a song title, and we have patterns to follow! Speaking of Seattle, the days have gotten really short already, temperatures are dropping overnight, and I’ve resigned myself to packing away my summer clothes for another 9 months. On the other hand, the crisp air and the promise of Halloween candy, together with the return of some truly excellent TV shows make the indoor time a little more palatable.

But most importantly, spending more time indoors means more time to dive into research! My team has been absolutely prolific this month, bringing you some must-read research and showing up to engage with the community.

We’ve published a comprehensive analysis of the NPM Phishing attacks, where we analyzed how attackers stole developer credentials and bypassed MFA to compromise high-profile software repositories. We also took you Inside a Crypto Scam Nexus, exposing a web of wallet-drain scams tied to a single threat actor’s infrastructure. Furthermore, we’ve tracked a financially motivated cluster of more than 80 spoofed domains and lure websites in our 18+ E-Crime analysis, which were used to deliver Android and Windows trojans to users of age 18+ social media, online gambling, and government tax sites. Our team also attended and presented at BSides NoVa, where Ian Campbell presented on how Domain and DNS intelligence is a critical tool for investigative journalists and Malachi Walker spoke on the attack surface of Formula 1.

Let’s dive right in and get you up to speed!

Hot off the Presses

DomainTools Investigations BSides NoVa Recap

Our commitment to a thriving cybersecurity ecosystem means we put our time and resources toward contributing to collective knowledge and the common good. That’s why we were proud sponsors of BSides NoVa on October 10th and 11th.

Our team delivered two accepted talks, including Senior Security Ops Engineer Ian Campbell’s presentation on DNS and domain intelligence in investigative journalism, and colleague Malachi Walker’s talk on cyber threats in F1 racing. In his full write-up, Ian reflects on the importance of contributing to the infosec community and answers the question: Where do I learn how to do this kind of work?

‍

‍

Repo the Repo – NPM Phishing

DTI researchers analyzed the series of high profile supply chain compromises caused by malicious code written to NPM repositories managed by stolen developer credentials. While developers of prominent NPM repositories have been targeted for many years,these events prompted CISA to release an alert due to their widespread nature.

Attackers used multi-stage fake NPM login pages to steal passwords and successfully intercept the legitimate email OTP/MFA code in real-time. This allowed attackers to establish their own authenticated sessions on the real npmjs[.]com while victims remained unaware their credentials had been stolen and their accounts compromised.

‍

Read our analysis here

‍

Inside a Crypto Scam Nexus

Our team of analysts uncovered a web of wallet-drain scams, ranging from browser extension popups and iPhone configuration profile traps to fraudulent web trading apps, were all tied to one threat actor’s infrastructure. We exposed how multiple websites such as medaigenesis[.]cc, novacrypt[.]net, and zzztd[.]com were hosted on the same server IP address, 8.221.100[.]222. These sites formed a coordinated infrastructure used to steal cryptocurrency from unsuspecting users.

This cluster of scams demonstrates how threat actors combine technical methods with deception to steal cryptocurrency. By controlling multiple domains and even a browser extension, they exploit trust at several levels: browser add-ons, app installation processes, and convincing web design. The single infrastructure behind these schemes also highlights how a determined attacker can leverage one setup to run multiple scams, from cryptocurrency theft to fake e-commerce.

‍

Read the full investigation here

‍

18+ E-Crime

Starting in September 2024, a financially motivated cluster of more than 80 spoofed domain names and lure websites began targeting users with fake applications and websites themed as government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications. The actor used these spoofed domains to deliver Android and Windows trojans likely for the purpose of stealing credentials or more overtly through the use of fake login pages.

Learn more here

‍

What We’re Reading

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list is sure to get you up to speed!

The top article for the month: Bloomberg – Hackers Had Been Lurking in Cyber Firm F5 Systems Since 2023
The top podcast for the month: Three Buddy Problem – JAGS LABScon 2025 keynote: Steps to an ecology of cyber
The top research for the month: Dartmouth ISTS – From Chaos To Capability: Building the US Market for Offensive Cyber
‍

Checkout the full reading list here

‍

Where We’ll Be

AFCEA Vegas Tech & Cyber Expo, Las Vegas, NV, 4-5 November
CYBERWARCON, Washington, DC, 19 November

Final Thoughts

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here.

If you missed last month’s content, here are some quick links:

Thanks for reading – see you next month!

-Daniel

‍

Learn More

Newsletters

Community

Newsletter Number 9, Keep On Movin' Down The Line

My team has been on a tear this month, we've published new research on Salt Typhoon, an advanced Chinese APT, and we've analyzed the massive Kimsuky leak, giving us a rare look into a North Korean threat actor's playbook. We also identified new activity from the PoisonSeed e-crime group, and uncovered a banking trojan targeting Android users in Southeast Asia. Let's get you up to speed!

September is coming to a close, and with it, the sun bids adieu to Seattle (my home base) for another six months or so. Anybody who has lived here for more than a couple of years can recognize the exact day it happens. It’s a different date every year, but it’s unmistakable! In just 24 hours, it goes from pleasantly sunny, low 70s weather (low 20s C for my international friends) to min-50s (mid-teens in C) and rain. Summer is over, and the grey gloom returns to give birth to the Pumpkin Spice Latte. That day was yesterday 😕

But it’s not all bad. With less available daylight, we give ourselves permission to spend more time inside, and that means more time for research! If you are a returning reader, welcome back! If you are a new reader, what you are about to read is news from our group of researchers and analysts, where they provide their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.

Hot off the Presses

Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat

Less than a week ago (25 September), we published research that maps Salt Typhoon’s infrastructure and operational profiles. The APT linked to the PRC’s Ministry of State Security has a targeting profile that spans the U.S., U.K., Taiwan, and the E.U., with confirmed breaches in at least a dozen U.S. telecom firms, multiple state National Guard networks, and allied communications providers. The research covers known intelligence and operational profiles, links to other entities within the PRC’s cyber espionage apparatus, and a deep dive into the infrastructure and behavioral patterns uncovered by our researchers.

Salt Typhoon has demonstrated sophisticated spycraft in exploiting network edge devices, maintaining long-dwell persistence via firmware/rootkit implants, harvesting data from telecom providers, and using plausibly deniable contractor infrastructure to obscure attribution. Our research provides crucial intelligence for attribution, detection, and threat modeling of the observed activity.

🔗Read the full report here

Inside the Kimsuky Leak: How the “Kim” Dump Exposed North Korea’s Credential Theft Playbook

DTI researchers broke down the “Kim” leak, mapping the full scope of the North Korean threat actor’s infrastructure from custom Linux rootkits to particular targets like PKI infrastructure and specific tools like NASM and ocrmypdf. Our analysis also found a strategic pivot to include Taiwanese developer and government networks, revealing a clear geographical expansion of North Korea's cyber interests.

The leak provides a unique opportunity to look directly into a DPRK threat actor’s playbook. Moreover, it gives analysts and defenders insight into the actor’s operational profile, including credential-focused intrusions targeting South Korean and Taiwanese networks, with a blending of Chinese-language tooling, infrastructure, and possible logistical support.

🔗Read the full analysis here

—-----

Newly Identified Domains Likely Linked to Continued Activity from PoisonSeed E-Crime Actor

DTI researchers identified a set of malicious domains likely linked to the e-crime group known as PoisonSeed. The identified domains spoofed the email sender platform SendGrid and used fake Cloudflare CAPTCHA pages to steal enterprise credentials, with similar tactics, techniques, and procedures (TTPs) as those historically tied to SCATTERED SPIDER.

While there is no definitive evidence of a direct link between PoisonSeed and SCATTERED SPIDER, the infrastructure identified as belonging to PoisonSeed highlights ongoing efforts by e-crime actors to use TTPs similar to SCATTERED SPIDER. These actors are likely continuing to leverage these TTPs to compromise enterprise credentials to facilitate a range of malicious activity.

Banker Trojan Targeting Indonesian and Vietnamese Android Users

DTI researchers observed a threat actor spoofing trusted platforms like the Google Play Store to target Android users in Southeast Asia. The actor disguised their malware as legitimate payment and government identity applications to trick Indonesian and Vietnamese users into downloading malware linked to BankBot.Remo.1.origin, a previously closed source banking trojan that had its source code leaked on Russian-language forums in 2016.

—-----

What We’re Reading

With the arrival of fall, and back to school season in full swing, it got me thinking: Wouldn’t it be great if there were a scholastic book fair for cybersecurity? Well there isn’t, but there is my colleague Ian Campbell's monthly recommended reading list for September:

The top article for the month: The Record - Ransomware gang takedowns causing explosion of new, smaller groups
The top podcast for the month: Microsoft Threat Intelligence - Stopping Domain Impersonation with AI
The top research for the month: arXiv - Large Language Models for Security Operations Centers: A Comprehensive Survey

📚Check out the full reading list here 📚

Where We’ll Be

BSidesNOVA, Arlington, VA, 10-11 October
GovWare, Singapore, 21-23 October
TechNet Indo-Pacific, Honolulu, HI, 28-30 October

Final Thoughts

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading - see you next month!

-Daniel

Learn More

Newsletters

Community

Eight Days a Newsletter: I lo-o-o-ove research!

If you are a returning reader, welcome back! If you are a new reader, what you are about to read is news from our group of researchers and analysts, where they provide their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.So without further ado, here’s what our incredible team has been up to for the rest of August

Can you believe August is almost over? Here in the Pacific Northwest, Summer is making its last stand. If the weather professionals are right, we will have another 10 days or so of temperatures in the low 80s (that’s high 20s in Celsius for my international readers), before Fall settles in. As every Seattleite knows, there is that one day in September, when the temperature drops suddenly, and the rain returns, and then it’s another 9 months before the best time of the year comes back. Not that we’re bitter or anything, those 3 months of summer are glorious and make all the rain worth it.

You know where it rarely rains though? Las Vegas! And that’s where the DTI team spent 8 days at the beginning of August for Hacker Summer Camp. Some people will argue that 8 days in Vegas is about 6.5 days too long. And the heat also did not disappoint, every day peaked north

of 105F, or 40+ in Celsius. But luckily, it’s a dry heat they say 🙄

Our brilliant Marketing team had a great solution to keep us out of the heat: We chartered several shuttle buses that drove back and forth between Black Hat and the hotel where the larger DomainTools contingent stayed. Great advertising and we got to ride in style!

My other van is the DNS express!

Even if you didn’t work for DomainTools, you could catch a free ride. All for the price of being a captive audience and having to watch our demo reel 😎:

Come take a ride in my windowless black van!

The team had a packed schedule, and lots of community events to support! The Diana Initiative, BSides Las Vegas, Sober in Cyber, Black Hat, DEF CON, as well as a handful of other community events and cons that I cannot name publicly - IYKYK.

At the end of the week, I had the pleasure to present at DEF CON 33 in the Recon Village. I talked about how to use passive DNS to enumerate subdomains and how to effectively identify deep wildcards:

Did I mention it was hot? Shorts and T-shirt to the rescue!

My colleagues Ian Campbell and Malachi Walker also presented at DEF CON, together in the Malware Village and Malachi gave a second talk in the BIC Village

While the days were long and hot, and the nights were short and fueled by energy drinks, we loved every minute of it. Hacker Summer Camp is where “our people” meet, and we wouldn't miss it for anything!

So without further ado, here’s what our incredible team has been up to for the rest of August:

From Laptops to Laundromats: How DPRK IT Workers Infiltrated the Global Remote Economy

In this post we discuss how the Reconnaissance General Bureau (RGB) of the DPRK orchestrated an operation that used stolen or forged identities to secure tech jobs for their operatives for the purpose of gaining access to intellectual property, and to receive salaries in cryptocurrency.

The article covers key actors like Song Kum Hyok, an officer in the Andariel subgroup, to facilitators who run "laptop farms" to create the illusion that the workers are U.S.-based. The money laundering process is also detailed, showing how funds are routed through front companies and crypto brokers in various countries to convert the fraudulently obtained wages into usable capital for North Korea's strategic programs, including weapons development.

Crypto transfers and money laundering

https://dti.domaintools.com/from-laptops-to-laundromats-how-dprk-it-workers-infiltrated-the-global-remote-economy/?utm_source=LinkedIn&utm_medium=Social&utm_campaign=DTI-Newsletter-August

Hunting for Malware Networks

For this investigation, we took a look at recently active malware-as-a-service (MaaS) operations. We analyzed their use of web-hosted PowerShell scripts as an effective initial-stage payload delivery mechanism. This technique serves to compartmentalize the attack chain, reducing the exposure of core command and control (C2) infrastructure and complicating forensic investigations.

One example detailed in this article centers around a script that connects to a commonly used C2 domain, and was observed distributing over 60 different malicious files in the past 2 months. It included multiple stealer malware families such as Amadey, Lumma, Luca, DeerStealer, and RedLine as well as other malware families like Rugmi, BlackBasta and DarkGate.

The investigation into the broader infrastructure revealed a significant concentration of malicious activity originating from a small number of IP addresses, all associated with the same ASN. It seems likely that this ASN is part of a bulletproof hosting operation.

Additionally, threat actors appear to increasingly be leveraging legitimate distributed services like Amazon CloudFront and GitHub to host and deliver malware. This makes proactive network-based blocking more difficult.

Analysis of 200 binaries in VirusTotal over the past 3 months show that there appears to be an overrepresentative share of LummaC2 and Amadey.

🔗Go hunting

SpyNote Malware Part 2

The SpyNote malware campaign has resurfaced, and the threat actors are employing deceptive websites that mimic the Google Play Store to trick users into downloading an Android RAT (Remote Access Trojan).

SpyNote is designed for surveillance, data exfiltration, and remote control of a victim's device. Its capabilities include keylogging, stealing 2FA codes, capturing audio and video, and remotely wiping data. This new campaign incorporates minor changes in the actor's tactics, such as slight IP resolution changes and the addition of anti-analysis techniques in the APK dropper to protect the payload from detection.

The malicious websites use JavaScript to initiate the download of a dropper APK. This dropper conceals its functions using DEX Element Injection and decrypts a second-stage SpyNote payload. The payload then loads the command-and-control (C2) logic from a separate file, using obfuscation to hinder static analysis.

Malware execution flowchart

🔗Catch that RAT

Cybersecurity Reading List - Week of 2025-08-25

In this latest installment of his reading list, my colleague Ian Campbell highlights a recent influx of new research and publications in the cybersecurity field. As always, he covers several different types of media, something for everybody:

Podcasts: "Adversary Universe from Crowdstrike" for a perspective on AI, "CyberWire Research Saturday" for a deep dive into the VexTrio cybercriminal group, and "Prompt||GTFO" for demonstrations on how practitioners are using AI.
Articles: An interview with a Kaseya hacker, and a piece on data exfiltration via DNS.
Research Papers and Reports: Greynoise Intelligence study on how attack spikes can precede new CVEs, a RecordedFuture report on cloud threat hunting, and a CAIDA paper on early-stage traffic discovery.
Tools and Resources: Learn about CISA's new open-source malware analysis platform, Thorium
Entertaining Reading: "The Berners Street Hoax"

🔗Read more here

Customer Webinar: Exclusive Recap of the DTI Team DEF CON 33 Talks

For those who couldn't make it to Las Vegas, we're bringing these talks directly to you.

Here's what we'll cover:

Malware in DNS: A look at how attackers hide malicious code in DNS TXT records.
Pre-Identifying DNS Wildcards: Learn new techniques for subdomain enumeration and attack surface management.
DNS Scavenger Hunt: An interactive session where you can put your skills to the test.

Webinar Details:

Date: Tuesday, September 30th
Time: 10:00 AM PT / 1:00 PM ET
Duration: 1.5 hours

Where We’ll Be

Underground Economy, France, 1-4 September
Back to Las Vegas for private event, September 8-12
- If you find yourself in the area that week, let us know and we’d be happy to meet up over a refreshing beverage
DC Closed Door Session, National Harbor, MD, 17 September
- TLP:RED research, please note “DFS Newsletter” in the “Referred By” section: https://dti.domaintools.com/request-an-invite/
Intelligence & National Security Summit, National Harbor, MD, 18-19 September
LABScon, Scottsdale, AZ, 17-20 September

Final Thoughts

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading - see you next month!

Daniel

Learn More

Newsletters

Community

Seven Nation Newsletter: I'm goin' to Wichita!

OK, maybe not Wichita. But just one week from now, many of us will gather on the surface of the sun (Vegas in August) for Hacker Summer Camp.

Speaking of Hacker Summer Camp - Come see my talk at DEF CON 33 in the Recon Village, on Friday, August 8 at 2:10pm. I’ll be demonstrating some methods for efficiently assessing a domain’s DNS wildcard status, and proposing a new “standard of care” for routine testing and logging of the wildcard status of ALL (FQDN, RRtype) combinations.

So without further ado, here’s what our incredible team has been up to in July:

Malware in DNS: A Covert Delivery Mechanism

Our researchers discovered instances where executable files are stored in fragments within DNS TXT records, allowing them to persist until removed or overwritten. A notable finding, first observered between 2021 and 2022, involved "Joke Screenmate malware." Delivered via this method, it simulates destructive actions and interferes with user control. Additionally, we also found malicious Powershell scripts, acting as stagers for Covenant C2 servers, encoded in TXT records. This highlights a sophisticated technique used by actors to store and potentially deploy malware, with related C2 domains observed as far back as 2017.

Powershell script that acts as a stager

🔗Read more here

Chinese Malware Delivery Domains: Part III - The "SilverFox" Campaign

We’re continuing to track "SilverFox," a persistent cyber actor primarily operating during Chinese working hours. Since June 2023, SilverFox has established over 2,800 domains for malware delivery, targeting Chinese-speaking individuals globally. The campaign focuses on delivering Windows-specific malware through fake application download sites and deceptive update prompts. It utilizes spoofed login pages for various apps, including marketing, business sales, and cryptocurrency platforms. Operational changes by the actor include anti-automation measures, reduced site trackers, increased server distribution, and discreet registration details. As of June 2025, a significant number of identified domains were actively distributing malware. The motivations are largely suspected to be financial, including credential and financial theft, and potentially access brokering.

🔗Find that fox

Where Everybody Knows Your Name: Observing Malice-Complicit Nameservers

Monitoring nameservers associated with malicious activities offers valuable insights into cybercrime ecosystems. Our team highlights the Russian bulletproof hosting service DDoS-Guard as a key area of focus, due to its links to criminal activity, terrorism, and espionage. A month-long analysis (13 May - 11 June, 2025) of DDoS-Guard's nameserver activity revealed thousands of domain transfers, creations, and deletions. They can be categorized into gambling/betting, cryptocurrency-targeting, and other malicious activities.

Using aged domains and sophisticated obfuscation techniques, examples included Indonesian gambling, phishing campaigns targeting gift card holders, and extensive malicious activity against CounterStrike: GO players,. The most active threats were observed within the cryptocurrency sphere, with domains emulating legitimate wallets and exchanges. Monitoring such nameservers can help establish behavioral patterns of malicious actors, and is recommended for digital asset and cryptocurrency services in order to identify and block associated domains.

🔗Name that nameserver

Iran's Intelligence Group 13: A Profile of a Covert Cyber Strike Unit

Iran's Intelligence Group 13 is a covert cyber strike unit embedded within the Shahid Kaveh Cyber Group, part of the Islamic Revolutionary Guard Corps (IRGC) cyber arsenal. This group is characterized by its aggressive operations, ideological motivations, and positioning at the intersection of cyber-espionage, industrial sabotage, and psychological warfare. Our report assesses that Intelligence Group 13 is likely to be used for retaliatory digital operations, especially following recent U.S. airstrikes. The research details the group's hierarchy within the IRGC, including leadership figures like Hamidreza Lashgarian and Reza Salarvand. We also cover tradecraft, which includes disrupting critical infrastructure, pre-positioning malware, and aggressive intelligence collection. A key strategy is the integration of psychological warfare through propaganda fronts like CyberAveng3rs. The group is supported by an extensive ecosystem of contractors and front companies, which frequently rebrand to evade sanctions. Future campaigns are expected to blend cyber-kinetic threats with narrative manipulation, targeting critical infrastructure, public perception, and institutional trust.

https://www.linkedin.com/in/schwalbe/

Where We’ll Be

Hacker Summer Camp, August 3-10
- Come say hi to our team at The Diana Initiative, BSidesLV, Black Hat, or DEF CON! We will also have a free shuttle bus to/from the Cosmopolitan and Mandalay Bay: https://www.domaintools.com/events/black-hat-2025-shuttle/
Underground Economy, September 1-4
DC Closed Door Session, September 17
- TLP:RED research, please note “DFS Newsletter” in the “Referred By” section: https://dti.domaintools.com/request-an-invite/

Final Thoughts

Again, if you’re a returning reader from last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers.

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading - see you next month!

Daniel

Learn More

Newsletters

Community

It's 6’n the Mornin’ (and my Newsletter at your door!)

Where has this year gone?! We are six months into formally launching DomainTools Investigations (DTI) and subsequently this newsletter! If you’re a returning reader, I’m glad you keep coming back! If you’re a new reader, what you’re about to read is news from our group of researchers and analysts providing their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.

Today, I had the opportunity to listen to a session at FIRSTCon25 where Tom Millar of CISA, Eireann Leverett of Killara Cyber, Wendy Nather of 1Password, and Declan Ingram of Trust Hound, discussed cyber resilience in the current threat context. One of the core focuses during this session was Community and how cyber resilience is born out of Community.

The message of Community resonated with me because of our work here with DTI and how great this Community has been through the years. So take a look around, and if you’d like to collaborate with us to get further in our analyses, please let us know.

So without further ado, here’s what our incredible team has been up to in June:

🐀 Trust Exploited: NetSupport RAT

In our latest research, our team identified malicious multi-stage downloader Powershell scripts hosted on multiple themed websites including Gitcodes and fake Docusign captcha verifications. These sites attempt to deceive users into copying and running an initial powershell script on their Windows Run command. Upon doing so, the powershell script downloads another downloader script and executes on the system, which in turn retrieves additional payloads and executes them eventually installing NetSupport RAT on the infected machines.

🔗 Read more here

🕸️ Skeleton Spider (FIN6): Trusted Cloud Malware Delivery

This research combines technical insights and practical analysis for both general audiences and cybersecurity professionals. We examined how FIN6 uses trusted cloud services, such as AWS, to host malicious infrastructure, evade detection, and ultimately deploy malware through socially engineered lures.

🔗 Explore here

🛰️ Mapping Hidden Alliances: Russian-Affiliated Ransomware Ecosystems

Jon DiMaggio at Analyst1, Scylla Intel, and our team dove into Russian-affiliated Ransomware Groups. This work follows previous research DomainTools undertook in tracking ransomware families and provides a visual representation of hidden connections between criminal factions, going beyond just mapping “families” to understand the intricate relationships between them. The core focus was on identifying overlaps in human operators, code fragments, infrastructure, and TTPs.

Jon and I presented this at SLEUTHCON - to see our presentation, 👍& 🔔to the SLEUTHCON YouTube page.

🔗 Dive into the mapping

Cybersecurity Schlolastic Book Fair

Ian Campbell’s June Recommended Reading digest:

Qualys – Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
Proofpoint – The Bitter End: Unraveling Eight Years of Espionage Antics—Part One
Mandiant – Hello, Operator? A Technical Analysis of Vishing Threats

📚Click for the full list

Where We’ll Be

FIRSTCon25, June 23-27
- Are you here this week? Come find our team as we sponsor this wonderful event!
Hacker Summer Camp, August 3-10
- Come say hi to our team at The Diana Initiative, BSidesLV, Black Hat, or DEF CON! We will also have

Final Thoughts

Again, if you’re a returning reader from last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers.

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading - see you next month!

Daniel

Read the full anal ysis here

Learn More

Newsletters

Community

Newsletter No. 5: A Little Bit of Research in my life…

I can’t believe it, but we have made it to the 5th iteration of my DomainTools Investigations (DTI) newsletter! If you’re a returning reader, I’m glad you keep coming back! If you’re a new reader, what you’re about to read is top secret. Anything you say can and will be used against you without express written consent of Major League Baseball. That’s the saying, right?

But seriously, if you’re a new reader, welcome! What you’re really about to read is not top secret; it’s news from our group of researchers and analysts providing their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.

Community is incredibly important to me, and I believe that the only way we’ll make progress in fighting threat actors is coming together to share what we know. So take a look around, and if you have information to collaborate with us to get further in our analyses, please let us know.

So without further ado, here’s what we’ve been up to in May:

🔥HOT OFF THE PRESSES

Published this week (May 28), DTI shared its latest analysis on a malicious campaign using a fake website to spread VenomRAT, a Remote Access Trojan. The research examines attackers’ methods, such as deceptive websites and command infrastructure, indicating a clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems.

Why is This Important? This campaign highlights a growing trend: attackers crafting modular, open-source-based malware that’s stealthy, flexible, and easy to deploy. This DIY malware model helps them move fast and stay hidden.

While open-source tools can aid defenders in detection, the real victims are everyday users—targeted with fake login pages and malware disguised as trusted software, all aimed at draining bank accounts and crypto wallets.

Objects May Be More Malicious Than They Appear

DTI observed an unknown actor continuously creating malicious Chrome Browser extensions since February, 2024. The websites masqueraded as legitimate services, productivity tools, ad and media creation or analysis assistants, and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store. The extensions had a dual functionality, where they appeared to function as intended, but also connected to malicious servers to send user data, receive commands, and execute arbitrary code.

Why is This Important? The actor’s persistence and the time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements. All users should protect themselves by exercising caution when installing extensions. Stick to the Chrome Web Store and verified developers, carefully review requested permissions, read reviews, and be wary of lookalike extensions.

Read the full analysis here

Threat Actors Love a Good Viral Event

Viral media events capture global attention. Everything from natural disasters to geopolitical shifts to cultural phenomena can dominate headlines and online conversations – and bad actors pay attention and look to capitalize on the public’s interest.

We undertook a project to analyze scam and malicious domains that emerge in the wake of high-profile viral media events. Leveraging AI-driven research capabilities, we aimed to understand how threat actors exploit these moments for financial gain and other nefarious purposes.

Why is This Important? The speed at which these events unfold provides a fertile ground for scammers to deploy a variety of schemes primarily focused on financial exploitation through fake donations, merchandise sales, and cryptocurrency scams. Staying vigilant and critically evaluating any website or domain seeking engagement related to a viral event is crucial

Read the full analysis here

Cybersecurity Scholastic Book Fair

Wouldn’t that be awesome if one of the conferences decided to do a 90s-style Scholastic book fair for cybersecurity and infosec books? One can dream, but until then, here are some of the topics from Ian Campbell’s May Recommended Reading digest:

Salt Typhoon hacks to influence final round of DARPA’s AI-cyber competition – NextGov
Uyghur Language Software Hijacked to Deliver Malware – Citizen Lab
The Human Element Podcast – hosted by my friend and CTO of Maltego, Ben April

Be sure to check out the reading list for Ian’s full recommendations!

Final Thoughts

Again, if you’re a returning reader from last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers.

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here.

If you missed last month’s content, here are some quick links:

Deceptive Browser Extensions within the Google Store: A Study in AI Slop
Newly Registered Domains Distributing SpyNote Malware
Where to Find Aspiring Hackers – or listen to this episode of the Breaking Badness Cybersecurity Podcast to learn more about Proton66 and the threat actor known as Coquettte (yes, with three T’s).

Thanks for reading – see you next month!

Daniel