March 2025 DTI Newsletter: I Like Newsletters and I Cannot Lie

This is my third iteration of the DomainTools Investigations (DTI) newsletter, so I think by the power invested in self-help books everywhere, I have fully formed a habit (*pats self on the back*).

I’m glad you’ve stuck around to read DTI news from our group of researchers and analysts focused on providing their expertise in investigating, mitigating, and preventing domain- and DNS-based attacks.

We are now one quarter in since launching DTI and we’ve covered a lot of ground in such a short amount of time. In fact, here’s something we posted just moments ago…

HOT OFF THE PRESSES

Just prior to hitting ‘publish’ on this newsletter, the DTI team shared new research regarding a large-scale phishing infrastructure heavily focused on defense and aerospace entities with links to the conflict in Ukraine. There’s no actor currently attributed to this activity, but available evidence indicates this activity is motivated by cyber espionage, with an emphasis on intelligence collection.

[Image: Mailu webmail and admin login page with email and password fields, built using Flask and AdminLTE.]
Image of a likely phishing page hosted on the domain kroboronprom[.]com, a domain spoofing Ukroboronprom, Ukraine’s largest arms manufacturer.

Why is This Important? This activity is critical to watch: it is not only intelligence gathering related to the conflict in Ukraine, but the targets have also provided support to Ukraine’s military efforts in its conflict with Russia.

Read the full analysis here

The Domain Event for Disinformation

We’ve said it before and we’ll say it again: as we iterate our tactics and techniques as defenders, so do malicious actors. We recently found that Russian actors are evolving in how they spread disinformation by exploiting specific registrars, hosting providers, and domain obfuscation techniques to evade detection.

[Image: Chart showing domain registrars such as Namecheap, Reg.ru, and Epik used in disinformation and political influence campaigns.]
Commonly used registrars of Russian disinformation actors

Why is This Important? As cyber defenders, journalists, and policymakers, it is crucial to stay ahead of these evolving tactics and disrupt their ability to weaponize domain infrastructure for disinformation.

Read the full analysis here

Reading Rainbow

[Image: Reading Rainbow opening title]
Via Giphy

That was one of the best shows, right? I can’t share a reading list without mentioning that show and then getting the theme song stuck in my head. 

My colleague, Ian Campbell, graciously puts together a reading list of what the DTI folks are currently reading or listening to (audiobooks count, people!).

The goal is not only to share what we’re finding, but to share the findings of others – that’s how we get better as defenders.

Some of the topics Ian included in his recent reading lists include:

Be sure to check out the reading list for his full recommendations!

Where We’ll Be

  • Closed Door Sessions (Invite-Only, TLP:RED research – say I referred you)
    • Austin – 01 April
    • Boston – 03 April
    • San Francisco – 29 April
  • FIC – 01 to 03 April
  • BSides SF – 29 April
    • My colleague, Austin Northcutt, and I will present WHOIS Your Daddy: Tracking Iranian-backed cyber operations with Passive DNS at 1:30PM PT on 4/26
    • THREE DTI folks at BSides SF? Yep! Malachi will also be there presenting Something’s Phishy: See the Hook Before the Bait
  • RSAC – 28 April – 01 May
    • Meet me and the DTI team at RSAC!

Final Thoughts

Again, if you’re a returning reader from last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. 

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here

If you missed last month’s content, here are some quick links:

Chinese Malware Delivery Domains Part II: Data Collection

BUT WAIT. Would you like to hear more about our Chinese malware research? In tomorrow’s episode of the Breaking Badness Cybersecurity Podcast, I chat with Wes Young from CSIRT Gadgets about what DTI found and how he iterated on the information we shared. Here’s a teaser for your viewing pleasure, but get the whole episode tomorrow at 9AM PT!

Thanks for reading - see you next month!

Daniel 

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

Guess who's back, back again? DTI’s back, tell a friend!

Well hello there! If you are a returning reader, that likely means you found this information beneficial to your organization or all of my jokes last month absolutely KILLED. Or all of the above! Either way, welcome back!

If you’re new around these parts, I’m Daniel Schwalbe, CISO and Head of Investigations at DomainTools, and the purpose of this newsletter is to share an overview of what my team at DomainTools Investigations (DTI) has worked on in the past month. 

Before we dig into that, I recently returned from a trip to Japan with my family. It was a whirlwind tour, but even my teenagers loved it! Here’s some of the cool things we did:

We started out in Tokyo, where we met up with an old high school friend of mine who’s been living there for more than two decades. He gave us a crash course in Tokyo’s excellent public transit system.

[Image: People looking at a subway map inside a metro station, planning travel routes across the city transit system.]
(Pro Tip: Add an “IC Card” to your smartphone to pay at the turnstiles – we used Suica, and it’s a game changer!)

He showed us around Shinjuku, Roppongi, Akihabara (“Electric Town”), Musashino, Setagaya, and Shibuya.

[Image: Crowds crossing Shibuya Scramble in Tokyo at dusk, surrounded by neon billboards and iconic city skyscrapers.]
The “Shibuya Scramble” is a must-see!

Next, we took the Shinkansen (the “bullet train”) to Hiroshima to pay our respects, followed by stops in Osaka (the Cup Noodle Museum was fun!) and Kyoto (check out Nishiki Market). We stopped by some of the locations featured in the recent “Shōgun” TV Series, and ate local specialties (Okonomiyaki, Katsu). Speaking of food, it was amazing: Sushi, Ramen, Teppanyaki, Shabu Shabu, Sukiyaki, the list goes on. 

If you are into shopping, the Don Quijote stores are amazing (and a little overwhelming)!

[Image: Person posing with a large plastic Hello Kitty statue]
Obligatory picture with one of Japan’s most famous ambassadors

We departed Tokyo at 6pm, and arrived on the west coast at 10am the same day. Time Travel is real, but so is jet lag. Good thing I’m going to Europe soon – read on for more. But enough about my recent travels, let’s jump into what the DTI team has been up to since last month’s newsletter:

RATs! There’s More to Say on Chinese Malware

There’s more to say on this topic, which we covered in our inaugural newsletter: we examined a second cluster of over 1100 domains suspected to have been registered by the same group between April 2024 and January 2025. Very similar to Cluster 1, Cluster 2 involves spoofs of many common applications, including messenger apps, VPNs, cryptocurrency exchanges, gaming platforms, game emulators, online gambling sites, web browsers, and multimedia apps.

Why Is This Important? A crucial aspect of this investigation lies in recognizing the broader implications of the observed tactics. By proactively studying and understanding these techniques now, the cybersecurity community can better prepare for similar threats that may emerge.

[Image: Collage of six Chinese and English website homepages featuring browsers, security tools, and software services]
A small sample of the spoofed download websites over the past 60 days.

Get the full scoop and IOCs here.

Yes And…

CSIRT Gadgets took a look into parts I and II of this Chinese malware story, and:

  1. Their writing is pretty hilarious (10/10 would read again), and
  2. They used a tool called AlphaHunt to find likely linkable attribution (though YMMV).

Based on what DTI sees and what others in the community have reported, AlphaHunt makes the argument that this threat actor could be the SilverFox APT group. 

Take a gander – let us know what you think. We’ve already ruled out other silver foxes like George Clooney and Patrick Dempsey, but can you contribute any additional findings that this is indeed the SilverFox APT group?

Cheers to the Good Guys

The Justice Department published a release in late January regarding the seizure of servers belonging to the Pakistan-based threat group known as the Manipulaters (and yes, that is how “they” spell it).

You may recall last year DomainTools Research looked into this group previously thought to be dormant and found they were very much back to their old tricks – with some new ones thrown in there. The FBI and the Justice Department’s Criminal Division, in cooperation with law enforcement partners in the Netherlands, have taken down 39 domains and related infrastructure linked to this group! Chalk one up to the good guys!

Find our research here, updated to reflect this takedown.

Double Secret Probation Webinar

It’s not actually that secret; you just need to be an existing DomainTools customer to attend. I’ll moderate this discussion with DTI team members Steve Behm and Austin Northcutt as they use our domain and DNS intelligence platform to demonstrate how to stay ahead of Business Email Compromise (BEC) using the example of TA4903, a financially motivated threat actor with notoriously high campaign volume. 

BUT WAIT! There’s more! After the webinar concludes, attendees can get a 14-day trial for the tools we showcase in the demonstration, if they don’t currently have access to them.

DomainTools customers can save their spots here

[Image: DomainTools webinar on using domain and DNS intelligence against BEC, March 20, 2025, with Schwalbe, Behm, and Northcutt.]
TA4903 and Me: Using Domain and DNS Intel Against BEC – a DomainTools Customers Exclusive Webinar

Where We’ll Be

  • NICAR – 06 March
    • I’ll be teaching a workshop with my colleague, Kelly Molloy
    • Finding the Story Using DNS search for investigative journalism
  • DCC – 10 to 13 March
    • IYKYK. Come say “Hi” if you are attending.
  • Closed Door Sessions (Invite-Only, TLP:RED research – say I referred you)
    • Seattle – 26 February (almost at max capacity)
    • Austin – 01 April
    • Boston – 03 April
  • FIC – 01 to 03 April

Final Thoughts

Again, if you’re a returning reader from last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers.

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here

If you missed last month’s content, here are some quick links:

Account Trafficking Websites in December 2024

Chinese Malware Delivery Websites

CTI Grapevine Becomes DomainTools Investigations

Cyberhaven Breach Likely Part of a Long-Term Criminal Campaign

Thanks for reading – see you next month!

Daniel 

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

DT Investigations - Security Research for the Community

Hello DTI Friends!

I should start by introducing myself, as that’s how all the best relationships start (or so I’m told). 

If we haven’t yet had the opportunity to meet, I’m Daniel Schwalbe, CISO and Head of Investigations at DomainTools. I’ve spent the greater part of two decades tracking cybercriminals and nation-state actors in higher education, government, and large enterprises. I’m very passionate about sharing actionable insights with the community, which is what brings me to your feed today. 

We launched DomainTools Investigations (DTI) on January 9 to turn our philosophy of supporting the community into reality. It’s a program with a coterie of researchers and analysts focused on providing their expertise in investigating, mitigating, and preventing domain- and DNS-based attacks. The goal is to do so on an ongoing basis, and we’ve already covered a bunch of ground since that announcement!

Let’s catch up on what we’ve shared so far: 

HOT OFF THE PRESSES

You heard it here first! We JUST published a report examining the illicit market for aged and verified accounts across social media, email, and advertising platforms, which represents a persistent and evolving threat.

Why this is important: The activity highlights the urgent need for enhanced security measures, proactive threat intelligence, and increased awareness to combat the acquisition and exploitation of these compromised accounts.

Get the full scoop and IOCs here.

Where There’s One RAT, There’s A Nest

We recently shared details on Chinese malware delivery sites – hundreds of newly registered domains are actively targeting Chinese-speaking users with malware. Our report analyzes this activity, detailing the range of deceptive lures employed, including imitations of messengers, browsers, VPNs, email services, and Adobe software.

[Image: GPT Chrome browser download page in Chinese, showing a unique interface design and Windows compatibility]

Why this is important: We’ve identified the involved malware families to include Gh0stRAT, ValleyRAT, Remcos RAT, LummaStealer, RedLine, and others. As I’m sure you’re aware, understanding the patterns of these malware families can help practitioners develop more effective defenses.

Find the full write-up and list of IOCs here.

Cyber Criminals Playing the Long Game

Just prior to the announcement of DTI, we shared an overview on the Cyberhaven breach. In late December 2024, the technology company reported an unnamed actor replaced its Google Chrome extension on the Google Chrome Web Store with a malicious version. 

The actor used a phishing email to compromise a developer’s account via authorizing a malicious third-party application. Our team reviewed publicly available information related to this incident and discovered that the Cyberhaven incident is part of a months-long campaign likely attempting to impact multiple companies primarily in the technology sector.

Why this is important: DTI looked at the IOCs shared by Cyberhaven and discovered a larger network of infrastructure likely used in similar attacks against other targets in the tech sector. Sharing that infrastructure with others in our field is critical, so they have the opportunity to prevent end users’ sensitive data from being compromised.

Find the full write-up and list of IOCs here

[Secret Squirrel]

Our team periodically hosts Closed Door Sessions where we partner with other industry analysts and practitioners to share TLP:RED research. The next session will be in Seattle, WA on Wednesday, February 26.

You can request an invite here.

And not that you need any incentive other than super cool cutting-edge research, but we’ve had pretty awesome t-shirts to give away at these sessions – you cannot get them anywhere else; must be present to wear. Seriously. They are fantastic conversation starters if you like having that attention.

[Image: Two black geek t-shirts: one with a “DNS The Menace” design, the other featuring Microsoft Clippy with a pop-up joke]

Where We’ve Been/Where We’ll Be

My team has done (and will do) some traveling to various conferences. If you were lucky enough to get a ticket to the very last ShmooCon – I’m super jealous of you! If you couldn’t make it, be sure to catch Kali Fencl’s presentation – I’m Not Your Enemy: How Practitioners Can Empower Content, all about how practitioners training marketers can create content that’s beneficial to our audience and not at all “fluffy.”

And Malachi Walker will be presenting at the BIC Winter Conference on Friday, February 7 in Reston, VA. If you’re in the Beltway, I hope you can check out his session on how DNS Threat Intelligence could help you get your next promotion.

Final Thoughts

We’re very excited to share this research with you. I know some of you are probably still thinking “what’s the catch?” Many of us work for organizations with the main purpose of making money, so we get easily jaded when we read announcements that seem too good to be true. I’m making it my personal challenge to pleasantly surprise you, and I am expecting you to call me on it if we ever miss the mark. Check out my philosophy for DTI here. Maybe listen to Ben Folds’ Philosophy in the background while you read it.

If you found these excerpts and/or the full write-ups helpful, please forward them on to other folks you think would find them useful too – we’d greatly appreciate it!

This newsletter will be a monthly occurrence, so be sure to subscribe on LinkedIn to get early access to the newsletter content!

Thanks for reading – until next month!

Daniel

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity
