Newsletters

Guess who's back, back again? DTI’s back, tell a friend!

Well hello there! If you are a returning reader, that likely means you found this information beneficial to your organization or all of my jokes last month absolutely KILLED. Or all of the above! Either way, welcome back!

If you’re new around these parts, I’m Daniel Schwalbe, CISO and Head of Investigations at DomainTools, and the purpose of this newsletter is to share an overview of what my team at DomainTools Investigations (DTI) has worked on in the past month. 

Before we dig into that, I recently returned from a trip to Japan with my family. It was a whirlwind tour, but even my teenagers loved it! Here’s some of the cool things we did:

We started out in Tokyo, where we met up with an old high school friend of mine who’s been living there for more than two decades. He gave us a crash course in Tokyo’s excellent public transit system.

People looking at a subway map inside a metro station, planning travel routes across the city transit system.
(Pro Tip: Add an “IC Card” to your Smart Phone to pay at the turnstiles – We used Suica, and it’s a game changer!)

He showed us around Shinjuku, Roppongi, Akihabara (“Electric Town”), Musashino, Setagaya, and Shibuya.

Crowds crossing Shibuya Scramble in Tokyo at dusk, surrounded by neon billboards and iconic city skyscrapers.
The “Shibuya Scramble” is a must-see!

Next, we took the Shinkansen (the “bullet train”) to Hiroshima to pay our respects, followed by stops in Osaka (the Cup Noodle Museum was fun!) and Kyoto (check out Nishiki Market). We stopped by some of the locations featured in the recent “Shōgun” TV Series, and ate local specialties (Okonomiyaki, Katsu). Speaking of food, it was amazing: Sushi, Ramen, Teppanyaki, Shabu Shabu, Sukiyaki, the list goes on. 

If you are into shopping, the Don Quijote stores are amazing (and a little overwhelming)!

Person posing with a large plastic Hello Kitty statue
Obligatory picture with one of Japan’s most famous ambassadors

We departed Tokyo at 6pm, and arrived on the west coast at 10am the same day. Time Travel is real, but so is jet lag. Good thing I’m going to Europe soon – read on for more. But enough about my recent travels, let’s jump into what the DTI team has been up to since last month’s newsletter:

RATs! There’s More to Say on Chinese Malware

There’s more to say on this topic, which we covered in our inaugural newsletter. This time we examine a second cluster of over 1,100 domains suspected to have been registered by the same group between April 2024 and January 2025. Very similar to Cluster 1, Cluster 2 involves spoofs of many common applications: messenger apps, VPNs, cryptocurrency exchanges, gaming platforms, game emulators, online gambling, web browsers, and multimedia apps.

Why Is This Important? A crucial aspect of this investigation lies in recognizing the broader implications of the observed tactics. By proactively studying and understanding these techniques now, the cybersecurity community can better prepare for similar threats that may emerge.

Collage of six Chinese and English website homepages featuring browsers, security tools, and software services
A small sample of the spoofed download websites over the past 60 days.

Get the full scoop and IOCs here.

Yes And…

CSIRT Gadgets took a look into parts I and II of this Chinese malware story and

  1. Their writing is pretty hilarious (10/10 would read again) and, 
  2. They used a tool called AlphaHunt to find likely linkable attribution (though YMMV).

Based on what DTI sees and what others in the community have reported, AlphaHunt makes the argument that this threat actor could be the SilverFox APT group. 

Take a gander – let us know what you think. We’ve already ruled out other silver foxes like George Clooney and Patrick Dempsey, but can you contribute any additional findings that this is indeed the SilverFox APT group?

Cheers to the Good Guys

The Justice Department published a release in late January regarding the seizure of servers belonging to the Pakistan-based threat group known as the Manipulaters (and yes, that is how “they” spell it).

You may recall that last year DomainTools Research looked into this group, previously thought to be dormant, and found they were very much back to their old tricks – with some new ones thrown in. The FBI and the Justice Department’s Criminal Division, in cooperation with law enforcement partners in the Netherlands, have taken down 39 domains and related infrastructure linked to this group! Chalk one up to the good guys!

Find our research here, updated to reflect this takedown.

Double Secret Probation Webinar

It’s not actually that secret; you just need to be an existing DomainTools customer to attend. I’ll moderate this discussion with DTI team members Steve Behm and Austin Northcutt as they use our domain and DNS intelligence platform to demonstrate how to stay ahead of Business Email Compromise (BEC) using the example of TA4903, a financially motivated threat actor with notoriously high campaign volume. 

BUT WAIT! There’s more! After the webinar concludes, attendees can get a 14-day trial for the tools we showcase in the demonstration, if they don’t currently have access to them.

DomainTools customers can save their spots here.

DomainTools webinar on using domain and DNS intelligence against BEC, March 20, 2025, with Schwalbe, Behm, Northcutt.
TA4903 and Me: Using Domain and DNS Intel Against BEC – a DomainTools Customers Exclusive Webinar

Where We’ll Be

  • NICAR – 06 March
    • I’ll be teaching a workshop with my colleague, Kelly Molloy
    • Finding the Story Using DNS search for investigative journalism
  • DCC – 10 to 13 March
    • IYKYK. Come say “Hi” if you are attending.
  • Closed Door Sessions (Invite-Only, TLP:RED research – say I referred you)
    • Seattle – 26 February (almost at max capacity)
    • Austin – 01 April
    • Boston – 03 April
  • FIC – 01 to 03 April

Final Thoughts

Again, if you’re a returning reader from last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. 

We share this newsletter via email as well – if you’d prefer to get it in your inbox, sign up here.

If you missed last month’s content, here are some quick links:

Account Trafficking Websites in December 2024

Chinese Malware Delivery Websites

CTI Grapevine Becomes DomainTools Investigations

Cyberhaven Breach Likely Part of a Long-Term Criminal Campaign

Thanks for reading – see you next month!

Daniel 

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

DT Investigations - Security Research for the Community

Hello DTI Friends!

I should start by introducing myself, as that’s how all the best relationships start (or so I’m told). 

If we haven’t yet had the opportunity to meet, I’m Daniel Schwalbe, CISO and Head of Investigations at DomainTools. I’ve spent the greater part of two decades tracking cybercriminals and nation-state actors in higher education, government, and large enterprises. I’m very passionate about sharing actionable insights with the community, which is what brings me to your feed today. 

We launched DomainTools Investigations (DTI) on January 9 to turn our philosophy of supporting the community into reality. It’s a program with a coterie of researchers and analysts focused on providing their expertise in investigating, mitigating, and preventing domain- and DNS-based attacks. The goal is to do so on an ongoing basis, and we’ve already covered a bunch of ground since that announcement! 

Let’s catch up on what we’ve shared so far: 

HOT OFF THE PRESSES

You heard it here first! We JUST published a report examining the illicit market for aged and verified accounts across social media, email, and advertising platforms, which represents a persistent and evolving threat. 

Why this is important: The activity highlights the urgent need for enhanced security measures, proactive threat intelligence, and increased awareness to combat the acquisition and exploitation of these compromised accounts.

Get the full scoop and IOCs here.

Where There’s One RAT, There’s A Nest

We recently shared details on Chinese malware delivery sites – hundreds of newly registered domains are actively targeting Chinese-speaking users with malware. Our report analyzes this activity, detailing the range of deceptive lures employed, including imitations of messengers, browsers, VPNs, email services, and Adobe software.

GPT Chrome browser download page in Chinese, showing unique interface design and Windows compatibility

Why this is important: We’ve identified the involved malware families to include Gh0st RAT, ValleyRAT, Remcos RAT, LummaStealer, RedLine and others. As I’m sure you’re aware, understanding the patterns of these malware families can help practitioners develop more effective defenses.  

Find the full write-up and list of IOCs here.

Cyber Criminals Playing the Long Game

Just prior to the announcement of DTI, we shared an overview on the Cyberhaven breach. In late December 2024, the technology company reported an unnamed actor replaced its Google Chrome extension on the Google Chrome Web Store with a malicious version. 

The actor used a phishing email to compromise a developer’s account via authorizing a malicious third-party application. Our team reviewed publicly available information related to this incident and discovered that the Cyberhaven incident is part of a months-long campaign likely attempting to impact multiple companies primarily in the technology sector.

Why this is important: DTI looked at the IOCs shared by Cyberhaven and discovered a larger network of infrastructure likely used in similar attacks against other targets in the tech sector. Sharing this with others in our field is critical, so they have the opportunity to prevent end users’ sensitive data from being compromised. 

Find the full write-up and list of IOCs here

[Secret Squirrel]

Our team periodically hosts Closed Door Sessions where we partner with other industry analysts and practitioners to share TLP:RED research. The next session will be in Seattle, WA on Wednesday, February 26.

You can request an invite here.

And not that you need any incentive other than super cool cutting edge research, but we’ve had pretty awesome t-shirts to give away at these sessions – You cannot get them anywhere else, must be present to wear. Seriously. They are fantastic conversation starters if you like having that attention. 

Two black geek t-shirts: one with “DNS The Menace” design, the other featuring Microsoft Clippy with a pop-up joke

Where We’ve Been/Where We’ll Be

My team has done (and will do) some traveling to various conferences. If you were lucky enough to get a ticket to the very last ShmooCon – I’m super jealous of you! If you couldn’t make it, be sure to catch Kali Fencl’s presentation – I’m Not Your Enemy: How Practitioners Can Empower Content – all about how practitioners who train marketers can help create content that’s beneficial to our audience and not at all “fluffy.” 

And Malachi Walker will be presenting at the BIC Winter Conference on Friday, February 7 in Reston, VA. If you’re in the Beltway, I hope you can check out his session on how DNS Threat Intelligence could help you get your next promotion.

Final Thoughts

We’re very excited to share this research with you. I know some of you are probably still thinking “what’s the catch?” Many of us work for organizations with the main purpose of making money, so we get easily jaded when we read announcements that seem too good to be true. I’m making it my personal challenge to pleasantly surprise you, and I am expecting you to call me on it if we ever miss the mark. Check out my philosophy for DTI here. Maybe listen to Ben Folds’ Philosophy in the background while you read it.

If you found these excerpts and/or the full write-ups helpful, please forward them on to other folks you think would find them useful too – we’d greatly appreciate it! 

This newsletter will be a monthly occurrence, so be sure to subscribe on LinkedIn to get early access to the newsletter content!

Thanks for reading – until next month!

Daniel

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity
