Newsletters

Welcome to the New Year, I hope you all had a restful holiday season! Similarly to the November issue, we decided to hold this edition until the post-holiday inbox avalanche has (hopefully) subsided. I wouldn’t want you to miss your favorite newsletter!

It’s hard to believe that DTI turns one year old this coming Friday! In case you haven’t been a subscriber since “Day One”, allow me a brief recap: In September of 2024, at a DomainTools onsite meeting, serendipity brought together two individuals with deep security industry connections, and a passion for community. We hatched an idea, got a few more colleagues excited about this idea, and in late 2024, we pitched it to our bosses. A scrappy program on a shoestring budget, with an agreement to fail fast and pivot as necessary. We signed up for some KPIs (you better measure success if you want to spend other peoples’ money!), and we launched on January 9th, 2025.

As I sit here, drafting this message, I can’t help but look back with pride on everything we did this past year: The countless hours of collective hard work, the travel all over the world to meet with the community, and most importantly, all the great research we published. We positively crushed it, if I do say so myself!

Now it’s late December, and the future looks decidedly less certain. One half of the DTI Leadership team is no longer with the company. She would hate it if I called her out here by name, but IYKYK. Thank you for a crazy year of collaboration, planning, organizing, problem solving, and innovating. Myself and the remaining DTI Team miss you greatly!

I’m not sure yet what 2026 will bring, but I know it will be different. Different isn’t automatically bad of course, so time will tell! Stay tuned for updates!

Back to Business

For those of you keeping score, the weather here in the Pacific Northwest has officially transitioned from damp, dark, and cold to damper and colder but a little less dark. But luckily none of that has slowed down our researchers. Fueled by hot coffee and cold redbull, they’ve been burning the 4pm oil, and we have some fascinating, and frankly brazen, campaigns to share as we kick off the year.

Our featured research for this edition looks at a massive “super-cluster” of over 5,000 Chinese malware delivery domains. What makes this investigation particularly special is how we did it: our team utilized agentic AI systems to accelerate our analysis by 10x. If you’ve been wondering how AI actually changes the game for threat hunters, this is the blueprint.

We also pulled back the curtain on the bureaucratic side of state-sponsored espionage with our second deep dive into the APT35 leaks. It turns out that Iranian intelligence operators deal with the same mundane office headaches we do: Spreadsheets, expense reports, and ticketing systems.

Finally, we took a look at a B2B2C supply chain attack targeting the hospitality industry. By compromising hotel management accounts, attackers are reaching customers directly through official Booking[.]com channels. It’s a stark reminder that if the supply chain isn’t secure, neither is the trusted platform it supports.

Hot off the Presses

B2B2C Supply Chain Attack: Hotel’s Booking Accounts Compromised to Target Customer

DTI’s investigation reveals a sophisticated campaign targeting Booking[.]com customers by compromising hotel management accounts. Since May 2025, threat actors have generated nearly 1,000 spoofed domains to execute a “verify or cancel” phishing scheme. By hijacking official hotel messaging channels, attackers send urgent alerts that direct travelers to fraudulent sites. These pages are dynamically populated with the victim’s actual reservation details which have been stolen from the hotel’s own database to create a high-trust environment for stealing payment information.

Learn more

Chinese Malware Delivery Domains Part IV

DTI’s latest investigation into massive Chinese malware delivery infrastructure reveals the addition of over 1,900 new malicious domains in the super cluster of over 5,000 domains we have been tracking since early 2025.  This activity, which primarily targets Chinese-speaking users, has evolved from a consolidated infrastructure into a fragmented and localized network using domestic Chinese registrars to improve operational security. The attackers employ deceptive lures such as spoofed downloads for Chrome, VPNs, and office software to deliver an array of trojans and credential stealers.

To manage this massive influx of data, our researchers deployed agentic AI systems to analyze the malicious domains, increasing analysis speed by 10x. By utilizing a “task-based AI orchestrator” paired with specialized sub-agents, the team was able to bypass anti-automation hurdles and autonomously interact with and analyze thousands of sites per day.

Agent Orchestration Flow Diagram

Read the latest research here

The APT35 Dump Episode 4: Leaking The Backstage Pass To An Iranian Intelligence Operation

DTI’s latest deep dive into the four-part leak of internal documents from APT35 (Charming Kitten) reveals the financial administration powering Iranian state-sponsored espionage. The leaked files, ranging from payment spreadsheets to internal ticketing systems, show how the group has financed and managed their operations in spite of international sanctions. These documents track everything from server procurement and crypto-payment receipts to operator attendance logs and performance metrics, illustrating a “bureaucratic metabolism” where cyberattacks are treated as standard administrative workflows.

Despite this clerical precision, the investigation highlights a glaring lack of operational hygiene. The group failed to secure their backend infrastructure and cleartext credentials even after the internal documents were leaked, allowing researchers to map the financial and administrative connections between APT35/Charming Kitten and the Iranian “Moses Staff” threat actor. By stripping away the mystery of their technical exploits, this research exposes the administration, including budgeting, invoice reconciliation, and supervisor approvals, that sustains Iran’s strategic information operations across the Middle East and beyond.

Screenshot of moses-staff[.]io homepage

Read our investigation here

What We’re Reading

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!

• The top podcast for the month: Cyberwire – Root Access to the Great Firewall
• The top article for the month: Infoblox –  Parked Domains Become Weapons with Direct Search Advertising
• The top research for the month: GA Tech et al – From Concealment to Exposure – Understanding the Lifecycle and Infrastructure of APT domains

Checkout the full reading list here

Where We’ll Be

• The DTI Travel Squad is staying local in January, but we will keep you updated on future travel once schedules get finalized!

Final Thoughts

As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here.

If you missed last month’s content, here are some quick links:

• Threat Intelligence Report: APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets
• Inside the Great Firewall Part 3: Geopolitical and Societal Ramifications
• Inside the Great Firewall Part 2: Technical Infrastructure
• Inside the Great Firewall Part 1: The Dump

Thanks for reading – see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

‍

Dive into DomainTools Investigations' latest threat intel! Read our 3-part series on China's Great Firewall leak and an analysis of APT35 (Charming Kitten) campaigns targeting the Middle East and Korea, focusing on Exchange attacks. Get the intelligence you need!

Cybersecurity deep dive: NPM Phishing, Crypto Scams, & 18+ E-Crime analysis. Get expert research on supply chain attacks, wallet drain schemes, and trojans targeting social media. Plus, BSides NoVa recap & top reading list.

My team has been on a tear this month, we've published new research on Salt Typhoon, an advanced Chinese APT, and we've analyzed the massive Kimsuky leak, giving us a rare look into a North Korean threat actor's playbook. We also identified new activity from the PoisonSeed e-crime group, and uncovered a banking trojan targeting Android users in Southeast Asia. Let's get you up to speed!

If you are a returning reader, welcome back! If you are a new reader, what you are about to read is news from our group of researchers and analysts, where they provide their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.So without further ado, here’s what our incredible team has been up to for the rest of August

If you are a returning reader, welcome back! If you are a new reader, what you are about to read is news from our group of researchers and analysts, where they provide their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.

Where has this year gone?! We are six months into formally launching DomainTools Investigations (DTI) and subsequently this newsletter! If you’re a returning reader, I’m glad you keep coming back! If you’re a new reader, what you’re about to read is news from our group of researchers and analysts providing their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.

Subscribe to the Newsletter here

I can’t believe it, but we have made it to the 5th iteration of my DomainTools Investigations (DTI) newsletter! If you’re a returning reader, I’m glad you keep coming back! If you’re a new reader, what you’re about to read is top secret. Anything you say can and will be used against you without express written consent of Major League Baseball. That’s the saying, right? 

But seriously, if you’re a new reader, welcome! What you’re really about to read is not top secret; it’s news from our group of researchers and analysts providing their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.

Community is incredibly important to me, and I believe that the only way we’ll make progress in fighting threat actors is coming together to share what we know. So take a look around, and if you have information to collaborate with us to get further in our analyses, please let us know. 

So without further ado, here’s what we’ve been up to in May:

🔥HOT OFF THE PRESSES

Published this week (May 28), DTI shared its latest analysis on a malicious campaign using a fake website to spread VenomRAT, a Remote Access Trojan. The research examines attackers’ methods, such as deceptive websites and command infrastructure, indicating a clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems.

Why is This Important? This campaign highlights a growing trend: attackers crafting modular, open-source-based malware that’s stealthy, flexible, and easy to deploy. This DIY malware model helps them move fast and stay hidden.

While open-source tools can aid defenders in detection, the real victims are everyday users—targeted with fake login pages and malware disguised as trusted software, all aimed at draining bank accounts and crypto wallets.

Read the full analysis here

Objects May Be More Malicious Than They Appear

DTI observed an unknown actor continuously creating malicious Chrome Browser extensions since February, 2024. The websites masqueraded as legitimate services, productivity tools, ad and media creation or analysis assistants, and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store. The extensions had a dual functionality, where they appeared to function as intended, but also connected to malicious servers to send user data, receive commands, and execute arbitrary code.

Why is This Important? The actor’s persistence and the time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements. All users should protect themselves by exercising caution when installing extensions. Stick to the Chrome Web Store and verified developers, carefully review requested permissions, read reviews, and be wary of lookalike extensions.

Read the full analysis here

Threat Actors Love a Good Viral Event

Viral media events capture global attention. Everything from natural disasters to geopolitical shifts to cultural phenomena can dominate headlines and online conversations – and bad actors pay attention and look to capitalize on the public’s interest. 

We undertook a project to analyze scam and malicious domains that emerge in the wake of high-profile viral media events. Leveraging AI-driven research capabilities, we aimed to understand how threat actors exploit these moments for financial gain and other nefarious purposes.

Why is This Important? The speed at which these events unfold provides a fertile ground for scammers to deploy a variety of schemes primarily focused on financial exploitation through fake donations, merchandise sales, and cryptocurrency scams. Staying vigilant and critically evaluating any website or domain seeking engagement related to a viral event is crucial

Read the full analysis here

Cybersecurity Scholastic Book Fair

Wouldn’t that be awesome if one of the conferences decided to do a 90s-style Scholastic book fair for cybersecurity and infosec books? One can dream, but until then, here are some of the topics from Ian Campbell’s May Recommended Reading digest: 

• Salt Typhoon hacks to influence final round of DARPA’s AI-cyber competition – NextGov
• Uyghur Language Software Hijacked to Deliver Malware – Citizen Lab
• The Human Element Podcast – hosted by my friend and CTO of Maltego, Ben April

Be sure to check out the reading list for Ian’s full recommendations!

Final Thoughts

Again, if you’re a returning reader from last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. 

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here. 

If you missed last month’s content, here are some quick links:

• Deceptive Browser Extensions within the Google Store: A Study in AI Slop
• Newly Registered Domains Distributing SpyNote Malware
• Where to Find Aspiring Hackers – or listen to this episode of the Breaking Badness Cybersecurity Podcast to learn more about Proton66 and the threat actor known as Coquettte (yes, with three T’s).

Thanks for reading – see you next month!

Daniel 

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

Subscribe to the Newsletter here

Welcome to the fourth iteration of my DomainTools Investigations (DTI) newsletter! I’m glad you’re back – and if you’re new, what you’re about to read is news from our group of researchers and analysts providing their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.

Before we begin, you may have noticed some of my Carmen Sandiego-inspired social posts about where I’ve been traveling recently. I thought I’d take a moment to catch you up on where I’ve been (scroll to the end of the newsletter to see where I’ll be coming up in the next few weeks).

April is Spring Break Season for most of the United States. We usually meet up with other members of the extended family somewhere in the country, and explore new places. This year, we chose New Mexico, the Land of Enchantment™. I had never been, and I’malways excited to check a new state off my list (this makes number 30 for me!).

We flew into Albuquerque, and checked out a few locations from the TV Show Breaking Bad. 

Then we move on to Santa Fe, which besides being the State capital, it’s also a fun place with lots of interesting places to see. Meow Wolf, the underground art collective and immersive experience was definitely one of the highlights!

Another highlight was the visit to the Puye Cliff Dwellings, a settlement that was inhabited as early as 900 AD. The dwellings on top of the mesa top were their summer homes, whereas the cliff side dwellings (partially carved into the cliffs) were the winter homes.

The Puye is great because it has many ancient ruins, but also a few examples of buildings that are accurate reproductions of the original dwellings.

The one thing I didn’t realize until on day two of the trip, when I got a pretty bad headache that wouldn’t go away, is that Santa Fe is at around 7000 feet elevation. As a sea level dweller for over half of my life, I got a nasty case of altitude sickness! Drinking lots of water helped, but it took a bit to acclimate. This concludes this month’s travel round-up, let’s jump into what the DTI team has been up to since my last newsletter:

The Domain Event

In case you missed it, DTI published its inaugural Domain intelligence year-in-review report (cue the confetti!🎉). 

In the cybersecurity community, it’s generally accepted that the threat landscape is fast paced and ever-evolving. It turns out however that there are a few constants that rarely change: Domains and DNS are on top of that list. The purpose of this report is to illuminate Domain patterns and DNS infrastructure created by cybercriminals in order to collectively improve the community’s defenses.

What were some of the key findings, you may be asking yourself? 

• Risk Scoring Detection Techniques: the likelihood of a Domain’s proximity to malware, phishing, spam, etc. to enable prioritization for further investigation and analysis.
• Keyword Analysis of Threat Detection: clear patterns of newly created Domain names that included frequently included terms such as “phishing,” “fraud,” “bitcoin,” “scam,” and others. 
• High Publicity Event Exploitation: large events spurn Domain registration including elections/politics, technological advancements, natural disasters, social movements, and so on. 
• Commonalities in Malicious Domain Attributes: recurring patterns in preferred registrars, ISPs, nameservers, and SSL issuers used by malicious domains.
• Analysis of Newly Registered Top Level Domains (TLDs): analysis to understand how threat actors utilize new TLDs (.lifestyle, .vana, .living, .music – to name a few) in their campaigns. 

Want more? Of course you do! Find the full report here. 

Looking for more of a highlight reel? Find the summary blog post here.

April Was Showered with Research

The team was busy during the month of April, which makes me extremely proud. In case you missed it, here’s what the team worked on: 

Get Your Kicks with Proton66

In this analysis, DTI explores Proton66, a Russian bulletproof hosting provider that supports cybercriminal activities by ignoring abuse complaints. It highlights the activities of Coquettte (the three T’s are not a typo), an emerging threat actor using Proton66’s infrastructure to distribute malware and engage in illicit projects, including a website hosting guides on manufacturing illegal substances. 

Why is This Important? This analysis sheds light on the infrastructure supporting cybercriminal activities, specifically through Proton66. By understanding how threat actors like Coquettte operate and utilize such services, cybersecurity professionals can better detect and mitigate these threats.

Read the full analysis here

Harriet the SpyNote Malware

Here, we looked at how deceptive websites hosted on newly registered domains are being used to distribute SpyNote malware. These sites mimic the Google Chrome install page on the Google Play Store to trick users into downloading SpyNote, a potent Android remote access trojan (RAT) used for surveillance, data exfiltration, and remote control. The research details the common patterns in domain registration, website structure, and malware configurations, noting the use of both English and Chinese-language delivery sites as shown below: 

Why is This Important? SpyNote is a potent Android remote access trojan (RAT) that can steal sensitive data, including personal information, financial details, and credentials. Understanding its distribution methods helps in developing better defenses.

Read the full analysis here

Juiced Up and AI Sloppy

I can’t resist the opportunity to reference a Rolling Stones song – especially when it comes to the idea of AI slop. Here, we illustrate how deceptive browser extensions within the Google Store manipulate ratings and transmit user data. These extensions, often promoted through newly registered websites, pose significant privacy and security risks and this analysis highlights common traits among these extensions, such as manipulated reviews and external data transmission, and provides insights into identifying suspicious extensions by examining their code and user feedback. 

Why is This Important? These extensions could transmit sensitive user data without consent, leading to privacy breaches (a topic I’m incredibly passionate about). It also helps security practitioners to potentially identify and remove malicious extensions and helps maintain the integrity and security of users’ browsing experiences.

Read the full analysis here

Book It

Remember that program from Pizza Hut? Getting rewarded for reading by getting some free pizza? I can’t give everyone a free pizza for reading Ian Campbell’s reading list digest, but I promise you the reward is becoming a better defender through shared knowledge (and that lasts way longer than pizza!)

Some of the topics Ian included in his recent reading lists include:

• Exposed Credentials & Ransomware Operations: Using LLMs to Digest 200K Messages from the Black Basta Chats – SpyCloud
• 4chan Is Down Following What Looks to Be a Major Hack Spurred By Meme War – 404 Media
• Disrupting Fast Flux With Protective DNS – Infoblox

Be sure to check out the reading list for his full recommendations!

• Cybersecurity Reading List Week of April 21, 2025

Where We’ll Be

• TechNet Baltimore – May 6-8
  • Catch my colleague, Malachi Walker, and the DomainTools Federal team at this three-day event
• GISEC – Dubai – May 6-8
  • For those who will be in this neck of the woods, come find me here – I’d love to say hi!
  • I’ll be presenting “Trends in Malicious Domain & DNS Infrastructure” on May 6 beginning at 2:05PM in Hall 6 on the Xlabs stage. Learn more here.
• Closed Door Session (Invite-Only, TLP:RED research – say I referred you)
  • Washington DC, June 5
• SleuthCon June 6
  • DomainTools is one of the sponsors for this event and Malachi will be present here, too!
  • I’ll also be presenting “Seeing is Believing: A Visual and Analytical Map of Russian-affiliated Ransomware Groups” with Analyst1’s Jon DiMaggio. Learn more here. 

Final Thoughts

Again, if you’re a returning reader from last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. 

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here. 

If you missed last month’s content, here are some quick links:

• Phishing Campaign Targets Defense and Aerospace Firms Linked to Ukraine Conflict
• Domain Registrars Powering Russian Disinformation: A Deep Dive into Tactics and Trends

BUT WAIT. There’s more! Would you like to hear more about our Russian disinformation research? In this episode of the Breaking Badness Cybersecurity Podcast, I chat with disinformation expert, Scot Terban, about how Russian threat actors are evolving their playbook to mimic small-town US newspapers to push propaganda. Find the recording here.

Thanks for reading – see you next month!

Daniel 

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

Subscribe to the Newsletter here

This is my third iteration of the DomainTools Investigations (DTI) newsletter, so I think by the power invested in self-help books everywhere, I have fully formed a habit (*pats self on the back*).

I’m glad you’ve stuck around to read DTI news from our group of researchers and analysts focused on providing their expertise in investigating, mitigating, and preventing domain- and DNS-based attacks.

We are now one quarter in since launching DTI and we’ve covered a lot of ground in such a short amount of time. In fact, here’s something we posted just moments ago…

HOT OFF THE PRESSES

Just prior to hitting ‘publish’ on this newsletter, the DTI team shared new research regarding a large-scale phishing infrastructure heavily focused on defense and aerospace entities with links to the conflict in Ukraine. There’s no actor currently attributed to this activity, but available evidence indicates this activity is motivated by cyber espionage, with an emphasis on intelligence collection.

Why is This Important? This movement is critical to pay attention to as it’s not only intelligence gathering relating to the conflict in Ukraine, but the targets have provided support to Ukraine’s military efforts in its conflict with Russia.

Read the full analysis here

The Domain Event for Disinformation

We’ve said it before and we’ll say it again: as we iterate our tactics and techniques as defenders, so do malicious actors. We recently found that Russian actors are evolving in how they spread disinformation by exploiting specific registrars, hosting providers, and domain obfuscation techniques to evade detection.

Why is This Important? As cyber defenders, journalists, and policymakers, it is crucial to stay ahead of these evolving tactics and disrupt their ability to weaponize domain infrastructure for disinformation.

Read the full analysis here

Reading Rainbow

That was one of the best shows, right? I can’t share a reading list without mentioning that show and then getting the theme song stuck in my head. 

My colleague, Ian Campbell, graciously puts together a reading list on what the DTI folks are currently reading/listening to (audiobooks count, people!) 

The goal is to not only share what we’re finding, but to share the findings of others – that’s how we get better as defenders. 

Some of the topics Ian included in his recent reading lists include:

• Properly Cleaning and Gutting Your Phish: How Cybercriminals Are Vetting Victim Data from SpyCloud
• The Many Faces of DNS Abuse from Infoblox
• New Darcula 3.0 Tool Generates Phishing Kits to Mimic Global Brands from gbhackers.

Be sure to check out the reading list for his full recommendations!

• Cybersecurity Reading List Week of March 4, 2025
• Cybersecurity Reading List Week of March 24, 2025

Where We’ll Be

• Closed Door Sessions (Invite-Only, TLP:RED research – say I referred you)
  • Austin – 01 April
  • Boston – 03 April
  • San Francisco – 29 April
• FIC – 01 to 03 April
  • Catch my colleague Malachi Walker at FIC in Lilles, France.
• BSides SF – 29 April
  • My colleague, Austin Northcutt, and I will present WHOIS Your Daddy: Tracking Iranian-backed cyber operations with Passive DNS at 1:30PM PT on 4/26
  • THREE DTI folks at BSides SF? Yep! Malachi will also be there presenting Something’s Phishy: See the Hook Before the Bait
• RSAC – 28 April – 01 May
  • Meet me and the DTI team at RSAC!

Final Thoughts

Again, if you’re a returning reader from last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. 

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here. 

If you missed last month’s content, here are some quick links:

Chinese Malware Delivery Domains Part II: Data Collection

BUT WAIT. Would you like to hear more about our Chinese malware research? In tomorrow’s episode of the Breaking Badness Cybersecurity Podcast, I chat with Wes Young from CSIRTS Gadgets about what DTI found and how he iterated on the information shared. Here’s a teaser for your viewing pleasure, but get the whole episode tomorrow at 9AM PT!

Thanks for reading - see you next month!

Daniel 

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

Subscribe to the Newsletter here

Well hello there! If you are a returning reader, that likely means you found this information beneficial to your organization or all of my jokes last month absolutely KILLED. Or all of the above! Either way, welcome back!

If you’re new around these parts, I’m Daniel Schwalbe, CISO and Head of Investigations at DomainTools, and the purpose of this newsletter is to share an overview of what my team at DomainTools Investigations (DTI) has worked on in the past month. 

Before we dig into that, I recently returned from a trip to Japan with my family. It was a whirlwind tour, but even my teenagers loved it! Here’s some of the cool things we did:

We started out in Tokyo, where we met up with an old high school friend of mine who’s been living there for more than two decades. He gave us a crash course in Tokyo’s excellent public transit system.

He showed us around Shinjuku, Roppongi, Akihabara (“Electric Town”), Musashino, Setagaya, and Shibuya.

Next, we took the Shinkansen (the “bullet train”) to Hiroshima to pay our respects, followed by stops in Osaka (the Cup Noodle Museum was fun!) and Kyoto (check out Nishiki Market). We stopped by some of the locations featured in the recent “Shōgun” TV Series, and ate local specialties (Okonomiyaki, Katsu). Speaking of food, it was amazing: Sushi, Ramen, Teppanyaki, Shabu Shabu, Sukiyaki, the list goes on. 

If you are into shopping, the Don Quijote stores are amazing (and a little overwhelming)!

We departed Tokyo at 6pm, and arrived on the west coast at 10am the same day. Time Travel is real, but so is jet lag. Good thing I’m going to Europe soon – read on for more. But enough about my recent travels, let’s jump into what the DTI team has been up to since last month’s newsletter:

RATs! There’s More to Say on Chinese Malware

There’s more to say on this topic, which we covered in our inaugural newsletter, examining a second cluster of over 1100 domains suspected to have been registered by the same group between April 2024 to January 2025. Very similar to Cluster 1, Cluster 2 involves spoofs of many common applications from messenger apps, VPNs, cryptocurrency exchanges, gaming platforms, game emulators, online gambling, web browsers, and multimedia apps.

Why Is This Important? A crucial aspect of this investigation lies in recognizing the broader implications of the observed tactics. By proactively studying and understanding these techniques now, the cybersecurity community can better prepare for similar threats that may emerge.

Get the full scoop and IOCs here.

Yes And…

CSIRT Gadgets took a look into parts I and II of this Chinese malware story and

1. Their writing is pretty hilarious (10/10 would read again) and, 
2. They used a tool called AlphaHunt to find likely linkable attribution (though YMMV).

Based on what DTI sees and what others in the community have reported, AlphaHunt makes the argument that this threat actor could be the SilverFox APT group. 

Take a gander – let us know what you think. We’ve already ruled out other silver foxes like George Clooney and Patrick Dempsey, but can you contribute any additional findings that this is indeed the SilverFox APT group?

Cheers to the Good Guys

The Justice Department published a release in late January regarding seizing servers of the Pakistan-based threat group known as the Manipulaters (and that is how “they” spell).

You may recall last year DomainTools Research looked into this group previously thought to be dormant and found they were very much back to their old tricks – with some new ones thrown in there. The FBI and the Justice Department’s Criminal Division, in cooperation with law enforcement partners in the Netherlands, have taken down 39 domains and related infrastructure linked to this group! Chalk one up to the good guys!

Find our research here, updated to reflect this takedown.

Double Secret Probation Webinar

It’s not actually that secret; you just need to be an existing DomainTools customer to attend. I’ll moderate this discussion with DTI team members Steve Behm and Austin Northcutt as they use our domain and DNS intelligence platform to demonstrate how to stay ahead of Business Email Compromise (BEC) using the example of TA4903, a financially motivated threat actor with notoriously high campaign volume. 

BUT WAIT! There’s more! After the webinar concludes, attendees can get a 14-day trial for the tools we showcase in the demonstration, if they don’t currently have access to them.

DomainTools customers can save their spots here. 

Where We’ll Be

• NICAR – 06 March
  • I’ll be teaching a workshop with my colleague, Kelly Molloy
  • Finding the Story Using DNS search for investigative journalism
• DCC – 10 to 13 March
  • IYKYK. Come say “Hi” if you are attending.
• Closed Door Sessions (Invite-Only, TLP:RED research – say I referred you)
  • Seattle – 26 February (almost at max capacity)
  • Austin – 01 April
  • Boston – 03 April
• FIC – 01 to 03 April
  • Catch my colleague Malachi Walker at FIC in Lilles, France.

Final Thoughts

Again, if you’re a returning reader for last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. 

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here. 

If you missed last month’s content, here are some quick links:

Account Trafficking Websites in December 2024

Chinese Malware Delivery Websites

CTI Grapevine Becomes DomainTools Investigations

Cyberhaven Breach Likely Part of a Long-Term Criminal Campaign

Thanks for reading – see you next month!

Daniel 

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

Subscribe to the Newsletter here

Hello DTI Friends!

I should start by introducing myself, as that’s how all the best relationships start (or so I’m told). 

If we haven’t yet had the opportunity to meet, I’m Daniel Schwalbe, CISO and Head of Investigations at DomainTools. I’ve spent the greater part of two decades tracking cybercriminals and nation-state actors in higher education, government, and large enterprises. I’m very passionate about sharing actionable insights with the community, which is what brings me to your feed today. 

We launched DomainTools Investigations (DTI) on January 9 to turn our philosophy of supporting the community into reality. It’s a program with a coterie of researchers and analysts focussed on providing their expertise in investigating, mitigating, and preventing Domain- and DNS-based attacks. The goal is to do so on an ongoing basis, and we’ve already covered a bunch of ground since that announcement! 

Let’s catch up on what we’ve shared so far: 

HOT OFF THE PRESSES

You heard it here first! We JUST published a report examining the illicit market for aged and verified accounts across social media, email, and advertising platforms which represent a persistent and evolving threat. 

Why this is important: The activity highlights the urgent need for enhanced security measures, proactive threat intelligence, and increased awareness to combat the acquisition and exploitation of these compromised accounts.

Get the full scoop and IOCs here.

Where There’s One RAT, There’s A Nest

We recently shared details on Chinese malware delivery sites – hundreds of newly registered domains are actively targeting Chinese-speaking users with malware. Our report analyzes this activity, detailing the range of deceptive lures employed, including imitations of messengers, browsers, VPNs, email services, and Adobe software.

Why this is important: We’ve identified the involved malware families to include Gh0stRAT, ValleyRAT, RemKos RAT, LummaStealer, RedLine and others. As I’m sure you’re aware, understanding the patterns of these malware families can help practitioners develop more effective defenses.  

Find the full write-up and list of IOCs here.

Cyber Criminals Playing the Long Game

Just prior to the announcement of DTI, we shared an overview on the Cyberhaven breach. In late December 2024, the technology company reported an unnamed actor replaced its Google Chrome extension on the Google Chrome Web Store with a malicious version. 

The actor used a phishing email to compromise a developer’s account via authorizing a malicious third-party application. Our team reviewed publicly available information related to this incident and discovered that the Cyberhaven incident is part of a months-long campaign likely attempting to impact multiple companies primarily in the technology sector.

Why this is important: DTI looked at the IOCs shared by Cyberhaven and discovered a larger network of infrastructure likely used in similar attacks against other targets in the tech sector which is critical to share with others in our field so they may have the opportunity to prevent end users’ sensitive data from being compromised. 

Find the full write-up and list of IOCs here. 

[Secret Squirrel]

Our team periodically hosts Closed Door Sessions where we partner with other industry analysts and practitioners to share TLP:RED research. The next session will be in Seattle, WA on Wednesday, February 26.

You can request an invite here.

And not that you need any incentive other than super cool cutting edge research, but we’ve had pretty awesome t-shirts to give away at these sessions – You cannot get them anywhere else, must be present to wear. Seriously. They are fantastic conversation starters if you like having that attention. 

Where We’ve Been/Where We’ll Be

My team has done (and will do) some traveling to various conferences. If you were lucky enough to get a ticket to the very last ShmooCon – I’m super jealous of you! If you couldn’t make it, be sure to catch Kali Fencl’s presentation – I’m Not Your Enemy: How Practitioners Can Empower Content, all about how practitioners’ training marketers can create content that’s beneficial to our audience and not at all “fluffy.” 

And Malachi Walker will be presenting at the BIC Winter Conference on Friday, February 7 in Reston, VA. If you’re in the Beltway, I hope you can check out his session on how DNS Threat Intelligence could help you get your next promotion.

Final Thoughts

We’re very excited to share this research with you. I know some of you are probably still thinking “what’s the catch?” Many of us work for organizations with the main purpose of making money, so we get easily jaded when we read announcements that seem too good to be true. I’m making it my personal challenge to pleasantly surprise you, and I am expecting you to call me on it if we ever miss the mark. Check out my philosophy for DTI here. Maybe listen to Ben Folds’ Philosophy in the background while you read it.

If you found these excerpts and/or the full write-ups helpful, please forward it on to other folks you think would find it useful too – we’d greatly appreciate it! 

This newsletter will be a monthly occurrence, so be sure to subscribe on LinkedIn to get early access to the newsletter content!

Thanks for reading – until next month!

Daniel

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity