Deceptive websites hosted on newly registered domains are being used to deliver AndroidOS SpyNote malware. These sites mimic the Google Chrome install page on the Google Play Store.

This research analyzes Proton66, a bulletproof hosting network enabling cybercrime operations, serving as a hub for aspiring cybercriminals. It focuses on threat actor, known as "Coquettte" and their ties to the Horrid hacking group, a loosely organized cybercriminal collective fostering amateur threat actors.

Bulletproof Hosting Networks and Proton66

While researching malicious domains hosted on Proton66, we stumbled upon an intriguing discovery—a fake cybersecurity website, cybersecureprotect[.]com, masquerading as a legitimate antivirus service. However, due to an operational security (OPSEC) failure, this domain left its entire malicious infrastructure exposed. This revelation led us down a rabbit hole into the operations of an emerging threat actor known as Coquettte—an amateur cybercriminal leveraging Proton66’s bulletproof hosting to distribute malware and engage in other illicit activities.

Proton66, a well-known Russian bulletproof hosting provider, has long been a haven for cybercriminals looking to operate with impunity. By investigating cybersecureprotect[.]com, we uncovered a larger network of malicious activity, including credential-stealing malware, keyloggers, and trojans, all distributed through Proton66’s infrastructure. Interestingly, Coquettte’s criminal ventures are not limited to malware. Investigators uncovered other projects operated by this actor that suggest a broad interest in illicit activities. One notable example is a website hosted at meth[.]to, which purports to distribute guides on the manufacture of Methamphetamine, C4/Semtex, flashbangs, napalm, and catalytic converter theft. While the site appears to contain detailed instructions, it remains unclear whether the content is genuinely intended as a resource for criminal activity or if it falls into the realm of dark humor, shock content, or trolling.

This analysis provides a detailed technical analysis of Coquettte’s malware infrastructure, including forensic insights into how their campaigns function, the threat posed by Proton66 as a cybercrime enabler, and a comprehensive list of indicators of compromise (IOCs) that security professionals can use to detect and mitigate related threats.

Proton66 as a Threat Actor Breeding Ground

Proton66 is a Russian bulletproof hosting provider (Autonomous System AS198953) notorious for enabling cybercrime by ignoring abuse complaints. In a 2024 threat intelligence report by Intrinsec, researchers identified Proton66 as a key player in the bulletproof hosting arena, facilitating illicit online activities such as malware distribution and phishing campaigns. What sets Proton66 apart is its appeal to less-experienced threat actors; its services allow even amateur hackers to host malicious content with impunity. Many phishing and credential-harvesting sites on Proton66 impersonate major brands (e.g. AT&T, Netflix, GoDaddy, banks, crypto exchanges, and government portals) to steal user data. These operations often exhibit poor OPSEC, indicating the operators are relatively inexperienced.

Example of malicious domains:

Threat Actor “Coquettte” and Their Malware Infrastructure

One emerging threat actor thriving in the Proton66 ecosystem goes by the handle “Coquettte” (note the triple “t”). Coquettte appears to be an amateur cybercriminal leveraging Proton66’s services to deploy malware under the guise of legitimate software. Investigators first uncovered Coquettte’s activities through the domain cybersecureprotect[.]com, a fake cybersecurity product site hosted on Proton66. The website pretended to offer “CyberSecure Pro” antivirus software, but due to an OPSEC failure, its web directory was left publicly accessible – revealing the malicious files within.

The directory contained a compressed zip file (CyberSecure Pro.zip) of a Windows Installer - CyberSecurePro.msi, which is actually the malware droppers rather than security software. When executed, the install reaches out to two hard coded URLs: cia[.]tf and quitarlosi[.], downloads a second-stage payload and drops additional executables from the threat actor controlled servers.

Analysis of the retrieved payload revealed that it was flagged as Rugmi (also known as Penguish or associated with the Amadey loader) – a modular malware loader commonly used by cybercriminals to deploy various secondary payloads such as infostealers, trojans, and ransomware. The specific SHA-256 hash of the Rugmi-infected installer was:
a07c9275d2628f6dee9271452a66683831d21367a63cdb61ade0fac55f3ed9ff (CyberSecure Pro[.]zip).

Execution Flow of the Malware:

• Compressed Archive: CyberSecure Pro[.]zip (SHA-256: a07c9275d2628f6dee9271452a66683831d21367a63cdb61ade0fac55f3ed9ff)
• Windows Installer Dropper: CyberSecure Pro.msi (SHA-256: 5558b04220e017f2a69fd88c575ec9450bde361049e42fd67501a0f89ba21834)
• Dropped Files: Upon execution, the .msi file extracts additional payloads, including:
  • CyberSecureV.exe (SHA-256: 0983d99e87d9300d4a1b54c08d9a365160e406e4cd681bfd6ef82052d932a5b4) and stapelia.exe (SHA-256: 1487a4f637a68a5b1dadc379e770431d591421218818164add86c02853a433aa)  – Identified as Trojan.Rugmi/Penguish, a loader trojan used to deliver infostealers such as Lumma Stealer, Vidar, RecordBreaker, and Rescoms.
  • Configuration scripts and batch files to maintain persistence and execute additional payloads.

Trojan.Rugmi/Penguish’s Role in the Attack:
Rugmi/Penguish is a malware loader designed for stealthy payload delivery. It typically:

• Fetches additional malware (infostealers, trojans) from attacker-controlled servers.
• Evolves its delivery tactics, often used in conjunction with cracked software or fake security products.
• Uses obfuscation techniques to bypass antivirus detection.
• Communicates with C2 servers, like cia[.]tf, to receive commands and drop additional payloads.

Coquettte’s personal website, coquettte[.]com, provided additional insights into their online presence. The site, hosted on AWS, at one point displayed a message stating “18 years old software engineer, pursuing a degree in Comp Sci.” This suggests that Coquettte is a young individual, possibly a student, which aligns with the amateurish mistakes (like the open directory) in their cybercrime endeavors.

Further investigation revealed that the cia[.]tf domain, which was used as a malware command-and-control (C2) server, was registered with the email address root[@]coquettte[.]com. This direct link confirmed that Coquettte not only operated cybersecureprotect[.]com as a malware distribution hub, but also controlled cia[.]tf, which facilitated the downloading and execution of malware payloads. By analyzing registration records and domain relations, researchers identified additional infrastructure linked to Coquettte, indicating a broader cybercriminal operation that leveraged Proton66’s bulletproof hosting to persist despite takedown efforts.

Additional Malicious Activities by Coquettte

Interestingly, Coquettte’s criminal ventures are not limited to malware. Investigators uncovered other projects operated by this actor that suggests a broad interest in illicit activities. One notable example is a website hosted at meth[.]to – which, as the name implies, contains how-to guides for illegal substances and weapons.

The site allegedly provides (unverified) recipes and instructions for manufacturing methamphetamine, making explosives like C4/Semtex, constructing improvised devices (e.g. flashbangs, napalm), and even guides on catalytic converter theft. In essence, it functions as an illicit knowledge base or black-market tutorial site. The presence of such content indicates Coquettte (or their associates) are dabbling in the darker corners of cybercrime beyond just malware – potentially trying to run or contribute to an underground marketplace or forum for criminal activities.

Affiliated or Associated Hacking Groups: Horrid[.]xyz and Other Connections

Further analysis of Coquettte’s infrastructure suggests potential ties to a broader hacking group or collective operating under the name “Horrid.” A domain linked to Coquettte, horrid[.]xyz, was registered by the same group and appears to be part of their extended ecosystem. Several other domains associated with their infrastructure include:

• terrorist[.]ovh
• meth[.]to
• meth[.]su

Both meth[.]to and meth[.]su hosted identical content, purporting to distribute guides on illicit activities, while terrorist[.]ovh was similarly structured. The pattern of overlapping infrastructure suggests that the individuals behind these sites may refer to themselves as “Horrid,” with Coquettte being an alias of one of the members rather than a lone actor.

Additionally, a Google Analytics tracker (G-RPK032CCFZ) embedded in some of their sites was linked across at least four domains, further confirming shared ownership:

• horrid[.]xyz
• terrorist[.]ovh
• meth[.]to
• meth[.]su

These interconnections reinforce the likelihood that “Horrid” operates as a small, loosely structured hacking collective rather than a single individual. The group's affiliation with multiple domains tied to cybercrime and illicit content suggests that it functions as an incubator for inspiring or amateur cybercriminals, providing resources and infrastructure to those looking to establish themselves in underground hacking circles.

Additional Online Presence and Linked Accounts

Beyond their own hosted infrastructure, Coquettte and their associates have left digital footprints across multiple platforms. Several of these accounts were referenced directly on coquettte[.]com in a file titled Contact_me.txt, listing the following links:

• GitHub: github[.]com/coquettte – Personal GitHub repository, potentially containing malware-related code or past projects.
• YouTube: youtube[.]com/@uid4 – (also has the alias “chickenwing_11”) Possible media or tutorial content associated with the group, which may serve to share tactics with aspiring cybercriminals.
• Last.fm Profile: last[.]fm/user/chickenwing_11 – While less directly relevant, this could be a personal account linked to the actor.

Additionally, some of their own infrastructure was self-referenced in Coquettte’s personal website (coquettte[.]com) in a file titled other_projects.txt, which listed:

• Meth[.]to: (https://meth[.]to/) – A site purporting to distribute guides on illicit activities.
• Cia[.]tf: (https://cia[.]tf/) – A malware hosting and C2 domain frequently observed in cybercriminal activities.
• Xn--xuu[.]ws: (https://xn--xuu[.]ws/) – A site that emulates a Linux terminal, which uses code from a community project mercurywork[.]shop, further linking their infrastructure to additional cyber-related projects.

The presence of direct self-references across multiple sites reinforces the interconnected nature of these domains, confirming a shared infrastructure between Horrid, Coquettte, and cia.tf. More importantly, these platforms appear to act as a launchpad for aspiring cybercriminals, giving them access to malware, hosting solutions, and potentially a network of like-minded individuals willing to collaborate on cyber threats.

Proton66 Cyber Threats: Vigilance Needed Against Emerging Malware and Amateur Actors

Proton66-based threats require vigilance on multiple fronts. While the individual threat actor “Coquettte” may be relatively amateur, the malware they deploy (stealers, keyloggers, etc.) can do serious damage if successful. The combination of a bulletproof hosting haven and accessible malware toolkits lowers the bar for entry into cybercrime, meaning even minor actors can pose a risk to organizations. By staying aware of the Proton66 network’s activities and aggressively monitoring for the IOCs and techniques detailed above, security teams can bolster their defenses against this breeding ground of emerging threats.

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Proton66-Coquettte

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

DomainTools Investigations (DTI) identified a large-scale phishing infrastructure heavily focused on defense and aerospace entities with links to the conflict in Ukraine. The infrastructure comprises a small number of mail servers, each supporting a set of domains designed to spoof that of a specific organization. These domains currently host webmail login pages likely intended to harvest credentials from targeted entities.

This activity is not currently attributed to a specific actor, but available evidence indicates this activity is motivated by cyber espionage, with an emphasis on intelligence collection related to the ongoing conflict in Ukraine.

Detection of Phishing on a Spoofed Ukroboronprom Domain

DTI initially identified a likely phishing page hosted on the domain kroboronprom[.]com a domain spoofing Ukroboronprom, Ukraine’s largest arms manufacturer. The phishing page, located at https[:]//kroboronprom[.]com/sso/login?url=/webmail/?homepage, presents a webmail login prompt. The attackers appear to have built the page using Mailu, an open-source mail server software available on GitHub.

Analysis using DomainTools Iris revealed that the kroboronprom[.]com domain was first seen on December 20, 2024, was hosted on GHOSTnet VPS, and displayed the website title “Mailu-Admin | Mailu.” The Iris Pivot Engine identified nine other domains with the same website title, hosted on GHOSTnet VPS, and first seen after December 20, 2024¹.

_{Table 1. Domains Likely Related to kroboronprom[.]com}

These domains were all registered using the registrar Spaceship. A second search² using the Pivot Engine for domains containing a “-” character, registered via Spaceship, hosted on GHOSTnet VPS IP addresses, and first observed after December 20, 2024 revealed three additional domains: 

• space-kitty[.]online 
• stupid-buddy[.]mom 
• hungry-shark[.]sit

Data from urlscan.io (“urlscan”) shows that each of these domains hosts a Mailu webmail login page identical to one seen on kroboronprom[.]com, strongly suggesting they are being used for credential theft.

Iris data showed that, with the exception of scooby-doo[.]xyz, all of these serve as MX domains for mail servers, which support a large set of spoofed domains imitating organizations in the defense, aerospace, and IT sectors. These domains were registered via Spaceship and first observed some time between December 21, 2024 and March 4, 2025. In total, investigation into this activity identified 878 spoofed domains with naming conventions that added or changed a few characters in the targeted entity’s legitimate domain. 

DTI determined how the actor operationalized this infrastructure. However, the most likely scenario involves phishing emails sent to employees of targeted organizations. The actor likely used spoofed domains in the sender field to make the emails appear as if they originated from within the organization. These emails likely contained malicious links or attachments directing recipients to fake webmail login pages designed to steal credentials.

‍

‍_{Table 2. Mail servers and the entities they were likely used to target}

Expanded Domain Analysis: Links to Credential Phishing and Malicious File Distribution

Further analysis of identified infrastructure using urlscan identified four additional domains likely linked to this activity:

• rheinemetall[.]com
• rheinmetall.com[.]de
• ukrtelecom[.]eu
• funky-bober.art

These domains were visually similar to the MX domains identified above and were also hosted on GHOSTnet VPS infrastructure. Another domain, ukrtelcom[.]com, is likely related to this activity based on Whois data overlap with ukrtelecom[.]eu and rheinemetall[.]com. However, at the time of analysis, ukrtelcom[.]com was not hosted on GHOSTnet VPS and did not host a Mailu credential collection page.

In addition to credential phishing, the actor likely used the subdomain cryptshare.rheinemetall[.]com to distribute malicious files. Data from urlscan indicates this subdomain was used to facilitate file distribution between late January and mid-February 2025. Screenshots show the page requesting a password before allowing users to retrieve a file. The subdomain name and password request page refer to Cryptshare, a legitimate secure file retrieval service. DTI cannot confirm how the actor used this subdomain; however, given the available evidence, it was most likely used to deliver malicious files.

Assessment of Cyber Espionage Activity Targeting Defense and Aerospace Sectors

There is insufficient evidence to attribute this activity to a known actor; however, the activity likely has a cyber espionage motivation. DTI makes this assessment with moderate confidence based on the tactics, techniques, and procedures (TTPs) and the heavy focus on the defense and aerospace sectors. 

The focus on spoofing organizations involved in Ukraine’s defense and telecommunications infrastructure further suggests an intent to gather intelligence related to the conflict in Ukraine. Notably, many of the spoofed defense, aerospace, and IT companies have provided support to Ukraine’s military efforts in its conflict with Russia.

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/PhishingInfrastructure-UAConflict.csv

Iris Search Hashes

¹

U2FsdGVkX1/N26ISOMEKt52j4qVRCFOeOdJm5/SVrHprkuaLnu2BQeUp0P0Kc6qfHvj5jP53SaAxcYJDb48++Vqi4NintEcAPIkll0UFs8Dqv6g+tIbYEPXAR9Yrlkqv5MIad+FOlQ8f26MzOpo/M7Hqo94HE1H63Jj+B+DEHHMQ6nNrWIpiEy4XT6Zo2FHo8wSby4ujxE+xC+G9wp5KlAQxnpiW3NjxO6N0NRwt/Evi88HuqJkaBsiChU45YFRUQ4ssMz6PTRmx0f3r7oWwdg2x+VYe6gewGBmhrSZ+CYh7szWd8XGZ1bkHs3PO/bJoLLkYXugS+pII3U3SHEDxSg==

²

U2FsdGVkX1/Oxch4IdGieQH7IfShNh73KLEDd36UhzMQ42084cwIoGKpsWU0GBGPtg8+Z3ONxs1f6kJufq/vnm2dFC6OYb0EktrRZwhzkyOZDatwnICp9trBVL1Xa1Ep6ZIxAONKhwESx7raSr+qaQv3eTbH263IY49x6aT1i06O2C48+ZIFN06/+K8+2JIB3qRu18qYJvxZ21dsy77VMz3XHgA0210bqp5/8BFbwJB4HcnLKKLNcssqA+CdMgi4IHEoK/dFEBqHjZuPVo11genM2tr89FwcsEMYGfnDc0tZy1O75JMMwVcXc3rugbRLiRehxUSqXrXc9jda0mjM9IDkmgBYIDw28Cp6jRuUf/I=

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

In the digital battlefield of influence operations, domain registrations serve as the foundation for launching disinformation campaigns. Russian state-sponsored actors, such as APT28 (Fancy Bear), APT29 (Cozy Bear), and the Internet Research Agency (IRA), have long relied on strategic domain registrations to impersonate trusted entities, spread propaganda, and conduct cyber-enabled espionage.

Despite efforts to curb the abuse of domain registration services, Russian-aligned threat actors continue to exploit specific registrars, hosting providers, and domain obfuscation techniques to evade detection. This analysis explores historical data, cybersecurity reports, and real-world case studies to uncover the domain registrars favored by Russian disinformation operations and the tactics that make their campaigns so effective.

‍

How Russian Disinformation Actors Use Domains

Disguising Disinformation with Fake News Websites

A core strategy of Russian influence operations is the creation of fake news portals that mimic legitimate media organizations. These sites publish pro-Kremlin narratives, fabricated stories, and distorted news articles, often in multiple languages to target diverse audiences.

Example:

• A 2022 Microsoft report detailed how SEABORGIUM, a Russian state-sponsored group, registered domains mimicking major Western think tanks and media outlets, such as:
  • bloomberg-us[.]com (mimicking Bloomberg)
  • bbcnews[.]site (spoofing BBC News)
  • nato-int[.]org (targeting NATO)

Typosquatting and Homoglyph Attacks

To enhance credibility and fool unsuspecting users, Russian actors frequently engage in typosquatting (registering domains with minor spelling variations) and homoglyph attacks (substituting characters with lookalikes).

Example:

• APT28 (Fancy Bear) used domains like:
  • dnc-email[.]org instead of dnc.org (2016 U.S. election hack)
  • o365-portal[.]net mimicking Microsoft’s login page

Bulletproof Hosting & Fast Flux Networks

Domain registrations alone are not enough—where a website is hosted matters just as much. Russian influence operators often leverage bulletproof hosting providers in Russia, Moldova, and the Netherlands that turn a blind eye to takedown requests.

Fast Flux techniques (where domain IPs frequently change) further complicate tracking efforts, making it difficult for security teams to take down malicious infrastructure.

‍

Which Domain Registrars Do Russian Disinformation Actors Prefer?

Cyber threat intelligence reports from Mandiant, Recorded Future, Microsoft, Graphika, and Spamhaus reveal a pattern of Russian threat actors registering domains with registrars that offer low-cost, privacy-protected, and anonymous domain services.

Commonly Used Registrars

‍

Case Study:

In 2022, security researchers uncovered a Russian disinformation network that registered over 100 fake media domains via Namecheap and Reg.ru, promoting anti-Ukraine narratives in Western countries.

‍

Russian Disinformation Hosting & Infrastructures

Beyond registrars, Russian actors strategically select hosting providers that offer either complete anonymity or jurisdictional protection from Western law enforcement.

• Bulletproof Hosting: These providers ignore abuse complaints and host malware, phishing sites, and fake news portals.
• Cloudflare & Reverse Proxies: Russian threat actors often hide behind Cloudflare to mask their hosting locations.
• Compromised Websites: Instead of registering new domains, Russian operations increasingly hijack legitimate websites to host disinformation.

Example:

• The Secondary Infektion campaign (Graphika, 2020) used compromised WordPress sites across Europe to spread anti-NATO propaganda while avoiding detection.

‍

Emerging Trends: How Russian Actors Are Evolving Their Tactics

As domain registration oversight improves, Russian actors are adapting their methods to maintain their influence.

Aging Domains for Credibility

Instead of launching new domains immediately, Russian disinformation operators are now registering domains months in advance to make them appear more legitimate before deploying them in active campaigns.

Greater Use of Third-Party Resellers

Rather than registering domains directly, Russian actors are purchasing through resellers that operate under major registrars but have weaker oversight policies.

Shift Toward Encrypted & Decentralized Infrastructure

There is growing evidence that Russian-aligned actors are exploring blockchain-based domain name services (e.g., .eth, .crypto) and peer-to-peer hosting to avoid centralized control.

‍

Strategically Registered Domains for Disinformation Campaigns

The use of strategically registered domains is a cornerstone of Russian disinformation campaigns, and despite increased scrutiny, these operations remain highly adaptable. By exploiting privacy-friendly registrars, bulletproof hosting, and emerging technologies, Russian actors continue to manipulate public discourse and influence geopolitics.

As cyber defenders, journalists, and policymakers, it is crucial to stay ahead of these evolving tactics and disrupt their ability to weaponize domain infrastructure for disinformation.

‍

Sign Up For DomainTools Investigations' Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team - available on LinkedIn or email.

This report dives deeper into activity relating to the previously reported cluster of Chinese Malware Delivery domains. Spoofed download websites of many common applications were observed collecting user information and delivering malware to Chinese speaking users.

Details

This report examines a second cluster of over 1100 domains suspected to have been registered by the same group between April 2024 to January 2025.

Cluster 1: The previously reported Chinese Malware Delivery domains appeared dedicated to malware delivery with minimal dynamic content or obfuscation employed. Primarily delivers Windows backdoors and info stealers. Minimal variability in HTML and JavaScript code.

Cluster 2: Suspected to be broadly focused on user data collection and selective malware delivery. Websites employ highly variable and obfuscated JavaScript files and multiple web analytic services. Purport to host binaries for Windows, macOS, iOS, and Android operating systems.

Spoofed Websites

Very similar to Cluster 1, Cluster 2 involves spoofs of many common applications from messenger apps, VPNs, cryptocurrency exchanges, gaming platforms, game emulators, online gambling, web browsers, and multimedia apps.

Below are screenshots of a sampling of the spoofed download websites over the past 60 days:

‍

Domain Registration Details

The majority of the domains identified had common domain registration details:

• Registrar: WebNIC Support
• Server Type: Nginx, Cloudflare, Golfe2
• Nameserver Domains: hndnsv1[.]com, hndnsv2[.]com
• SSL Duration: 90 days

‍

‍

The following heatmap shows the domain registration UTC timestamps for over 1000 domains from April 2024 to January 2025. The horizontal lines show the majority of the registrations occurred during the approximate working times 8 AM to 5 PM for China Time Zone and US East for comparison.

Domain registration times are not strong indicators of location as registrations can be done programmatically at any time. A heatmap of the registrations over time could be used to draw inferences on the normal operating times, volume and fluctuations of a threat group. One inference is that the actor commonly registers domains in bulk of 10 to 20 domains. Another is domain registrations continued steadily through recent US holidays of Thanksgiving, Christmas and New Years but made no new domain registrations from January 23 to February 8. The gap in domain registrations approximates to a week prior to and through Chinese New Year celebrations (January 29th - February 4th).

Based on a sampling of the 1200+ actor domains for domain registration costs, the cheapest registrations ranged from approximately $5 to $11 USD. Estimates based on these approximations suggest the actor may have spent over $6,000 in the past 10 months on domain registrations alone.

User Data Collection

Spoofed download websites were observed importing highly obfuscated JavaScript files. Their primary purpose appears to be to collect user data. Data is sent to one or more web analytic services. Primarily using Google Tag Manager (GTM), 51.LA and Baidu. A possible reason for using both a Chinese site analytics tracker and non-Chinese site analytic services is to improve data collection from users in and outside of China.

Typical data observed being collected:

Data collected include the following information about users in addition to setting cookies to potentially allow the tracking of users more long-term tracking across different websites.

• IP addresses.
• Browser type and version.
• Operating system.
• Screen resolution.
• Referring website.
• Pages visited and time spent on each page.
• Geographic location (based on IP address).

Some websites were observed loading a js-sdk-recorder.min.js file and may attempt to screen record the browser session.

User browser data is collected and checks are performed to include looking for specific browser types and operating system.

The following are trackers extracted from the spoofed download sites and are suspected to be associated with the actor.

‍

SEO Poisoning and Traffic Generation

Creating thousands of websites and using SEO tactics could be aimed at increasing the site’s search ranking to appear higher in search results than legitimate sources. This can drive traffic to other malicious sites.

Fake Login Dashboards to Deliver Malware

The actor employs several websites themed as merchant backend management dashboards, payment services, crypto exchanges, email, and office applications. It is suspected that links to the fake login sites are distributed via phishing and similar means with the credentials shared to recipients. A mix of English and Chinese language use on the fake login websites and a common theme of merchant and payment backend management applications suggests the actor may be targeting English speaking individuals doing business in China.

Website Title: “Login | Upcube - Admin & Dashboard Template”

UPCUBE 商户后台管理 (“Merchant backend management”)

The sites were observed hard coding the credential validation checks in the HTML login forms such as the following example seen from malicious domain: “otpaycn[.]com”.

Upon Logging into the fake Merchant Backend Dashboard, the following index page is loaded. 

The only functional element is the Home Page at the top of the left panel. Clicking the Home Page loads an image in the center of the page that presents itself as a warning banner with a “Confirm” button. Clicking anywhere on the image initiates a download for a malicious dropper file that upon execution runs ValleyRAT on the system and downloads several modules from an Amazon S3 bucket providing additional functionality.

The image roughly translates to the following:

“VPN Usage Reminder Network connection failed, please use the dedicated network VPN It has been detected that your browser is missing the necessary VPN plug-in. Some functions cannot be used normally. Please update this function version first; if you choose to stop updating, you will not be able to use this function normally. What are the risks and how should I choose Confirm.”

‍

Malware

Notably, both clusters 1 and 2 were observed delivering identical Gh0stRAT and ValleyRAT binaries. Cluster 2 operates multiple varieties of spoofed website code, which often appear to utilize highly obfuscated JavaScript to collect user information and potentially selectively render functional malware delivery links. The majority of the websites were observed delivering 0-byte files, and less commonly copies of legitimate install files hosted locally on the site. A subset of the spoofed download sites were observed hosting identical Gh0stRat and ValleyRAT binaries as cluster 1 including “googleochrome[.]com” discussed in more depth later.

The 0-byte files are suspected to be placeholders, with real malware being delivered through obfuscated JavaScript dynamically loaded when certain user conditions are identified such as Geo IP location, language settings and browser type.

Earlier versions of the spoofed download sites appeared to typically host malware locally on the same spoofed website server. Later spoofed download sites began hosting files on other servers, commonly using other actor owned domains and often with subdomains “cnd.” or “down.”

More recent spoofed download sites continue to separate the spoofed websites from the hosted files by using Amazon’s CloudFront content delivery network such as the following: 

• Spoofed download sites for Lets VPN: “letscavpn[.]com” & “letsekvpn[.]com”
• Download URL: “https[:]//d2g2a3g6fn6aza.cloudfront[.]net/android/letsvpn-latest[.]apk”

Using CDNs such as CloudFront as a delivery network can obscure the true origin location of the malware and make detection and mitigation efforts more difficult. 

C2 Infrastructure

Identified multiple samples of suspected Gh0stRat backdoors being hosted from the spoofed download websites as having Command & Control (C2) to IP addresses. Multiple IP addresses shared the same server scan hash allowing a potential pivot to other IP addresses configured by the actor.

Malware delivery domain “googleochrome[.]com” spoofs as a Chrome browser download site and contains code to load content from a similarly named but different domain: “https[:]//down.googluchrome[.]com”

This initiates a file download for a file named “/Chrome.zip” with a SHA256 hash of “09efbe0c3e69c0f9a578bbbf0d475bd418497717921713779d1aa89dd2be35d6” 

Chrome.zip unzips a file named “Chrome.msi” with a SHA256 hash of “e39e44cb79c5b1918d8139cfbb6d2ada044dbe4b413e86504f10e902072743fd”

Chrome.msi contains a file named “payload”, 522863520bcc368631a2db5016a1af68f60ecb074ddf19c9e7bff9834bb05248

The payload file upon execution calls out to the following IP:

• TCP 154.91.90[.]102:4433
• TCP 154.91.90[.]102:10443

At the time of observed use, the IP hosted a WinRM service with a Shodan.io hash of “%3A897366806”. 145 IPs shared this hash and nearly all are under Tcloudnet, Inc organization. 

Triaging the IPs identified several have a recent history of malicious files communicating with them from similar variants.

Conclusion

A crucial aspect of this investigation lies in recognizing the broader implications of the observed tactics. History has repeatedly demonstrated that techniques initially deployed against one demographic or vertical are often adapted and repurposed to target others. While this campaign appears to currently focus on Chinese-speaking users, the sophisticated methods employed—including obfuscated JavaScript, strategic use of analytics services, and evolving infrastructure for malware delivery and data collection—represent a readily transferable playbook. Therefore, diligent monitoring and analysis of these tactics are not merely relevant to the current situation.

By proactively studying and understanding these techniques now, the cybersecurity community can better prepare for similar threats that may emerge, targeting different demographics and potentially posing a direct risk to a wider range of users in the future. This proactive approach is essential for developing effective defenses and mitigating the impact of future, related campaigns.

IOCs

‍

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CNMalwareDelivery-Pt2

This report examines the illicit online trade of aged and verified accounts for platforms like social media, email, and Google Ads. These accounts, often obtained through hacking or phishing, are valuable for bypassing security and leveraging established trust. They fuel a range of activities, from grey-area marketing tactics to serious crimes like fraud and disinformation, highlighting a significant security risk and a growing challenge in the digital landscape.

Details

In December, 2024, over 100 newly registered domains were observed hosting websites alleging to sell pre-verified and aged accounts. These additions to the burgeoning illicit online market for aged and verified accounts alleged to sell accounts across a range of platforms including social media, email providers, cloud services, and advertising networks like Google Ads. These underground marketplaces cater to a demand for pre-existing, reputable digital identities, often acquired through illicit means such as data breaches, phishing scams, or account takeovers.

Buyers are drawn to these accounts for a variety of reasons, primarily the ability to bypass security measures and leverage the established trust associated with older or verified profiles. While some may employ these accounts for seemingly innocuous purposes like gaining an edge in social media marketing or accessing region-locked content, a significant portion fuels malicious activities, including spam campaigns, fraud, disinformation dissemination, and even more nefarious operations. 

This investigation will delve into recently configured domains and websites in the ecosystem of these account markets, examining the types of accounts traded and techniques employed to drive traffic to their sites.

Cloud and BHW Accounts

Based on domain registration overlaps, the following 3 domains were likely created by the same actor. The websites advertise the sale of cloud accounts from top providers as well as ads accounts, Apple developer accounts, Google Voice accounts, and payment gateway accounts such as Amazon Pay and Cash App accounts. The site alleges the accounts are pre-verified and customers are granted full access to the accounts.

• IP ISP: Hostinger International Limited
• IP Country: US
• Website Title contains all: buy, account

topcloudacc[.]com
acctrusted[.]com
buybhwaccounts[.]xyz

Domain `topcloudacc[.]com` purports to sell AWS, Cloud, Ads, and other accounts.

Website Title: “Buy AWS Account | Best 32-vCPU & Credit Account - 2025”

Domain `acctrusted[.]com` purports to sell cloud accounts for AWS, Azure, Vultr, DigitalOcean and others for sale. 

Website Title: “Buy AWS Accounts | Best Vcpu & Credit Account For Sale 2024”

Domain `buybhwaccounts[.]xyz` purports to sell AWS, Google Cloud, Oracle, Digital Ocean, Ads Accounts, and BHW accounts.

Website Title: “Buy BHW Accounts - BHW Accounts For Sale - buybhwaccounts[.]xyz”

Domain `isp-rebellion[.]com` purports to sell Apple 2FA Accounts.

Website Title: “Apple 2FA Accounts for Sale”

Social Media Accounts for Sale

Domain `regularpva[.]com` purports to sell a variety of social media, email and dating accounts such as Facebook, Instagram, Gmail, Outlook, Twitter, and Yahoo. 

Website Title: “Buy Social Media Accounts - Social Media Pages for Sale - SecurePVA”

Domain `shiftxchange[.]biz` purports to be a marketplace for buying and selling social media accounts among other alleged service offerings.

Website Title: “Social Media Accounts for Sale”

Domains twitterxarena[.]com and redditarena[.]com both redirect to discordarena[.]com and purport to sell premium aged social media accounts including Discord and Reddit.

Website Title: “Premium Aged Discord Accounts for Sale | Discord Arena”

Domain `redditaccsbuy[.]com` purports to sell aged reddit accounts

Website Title: “Reddit Accounts with Karma for Sale | Buy Verified, Aged Reddit Accounts Instantly | Affordable Reddit Account Marketplace”

Examining One Such Network: Aged Google Ads Accounts for Sale

Over 100 identical websites were created in December, 2024 purporting to sell aged Google Ads accounts and invite codes to illicit marketplaces. For awareness, selling or buying Google Ads accounts is a violation of Google's terms of service. Aged accounts might be perceived as having more authority or being less likely to be flagged for suspicious activity, making them attractive to those trying to game the system. 

Registration Overlaps:

• Registrar: Dynadot LLC
• Name Server: cloudFlare.com
• Server Type: CloudFlare
• ISP IP: CloudFlare Inc.
• Domain Name or Website Title contains: google ads or adwords

During December 2024, 128 domains were identified with nearly identical domain registration details. All domains were configured with nearly identical website content. The websites contain links to illicit marketplaces such as credit card number verification and acquisition services, and illicit Russian markets. The websites also contain multiple links with the other 128 domains such that all 128 domains have websites directing traffic to each other. 

This configuration of interconnected website links is characteristic of search engine optimization (SEO) manipulation techniques. Specifically, in also considering the illicit content of these websites, this activity may be created solely to build backlinks to a main "money site" to manipulate search engine rankings typically referred to as a Private Blog Networks (PBN). PBNs can be a particularly effective SEO manipulation technique as search engines like Google consider backlinks as a signal of authority. The more backlinks, the higher the ranking. PBNs attempt to artificially inflate these rankings to drive traffic to their main sites. As such, search engine providers may penalize these networks and main sites by dropping their search rankings or completely removing them from search results. 

Example Google search query results for Google Ad accounts for sale:

Conclusion

In conclusion, the illicit market for aged and verified accounts across social media, email, and advertising platforms represents a persistent and evolving threat. Resold accounts are often acquired through illegitimate means and through account farming and reselling. Aged and pre-verified accounts provide a foundation for a spectrum of illicit and grey-area activities, ranging from spam campaigns, fraud, obfuscated ownership of hosting malicious resources on cloud providers, to manipulating online discourse. 

This activity underscores the critical need for enhanced security measures and robust verification processes by platform providers. Detecting and mitigating account handoff behaviors, such as suspicious login patterns or unusual activity spikes, is crucial to prevent the reselling and abuse of verified accounts. Furthermore, marketing and sales teams must exercise heightened vigilance when encountering accounts with seemingly high engagement or suspicious activity. Aged or re-verified accounts may appear more legitimate, but their origins should be carefully scrutinized. 

Proactive threat intelligence, increased awareness among users and businesses, and collaborative efforts between platforms, law enforcement, and cybersecurity researchers are essential to combat the acquisition and exploitation of these compromised accounts, which continue to undermine the integrity and trustworthiness of the digital landscape.

Appendix

‍

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/AccountsForSale

Malicious Browsers, Messengers, VPNs, and More…

Hundreds of newly registered domains are actively targeting Chinese-speaking users with malware. This report analyzes this activity, detailing the range of deceptive lures employed, including imitations of messengers, browsers, VPNs, email services, and Adobe software.

Details

Since at least June of 2024, a cluster of over four hundred domains have been registered to host spoofed websites to deliver malware to Chinese-speaking users. Spoofed application download websites have included web browsers, VPNs, chat and email applications, as well as crypto wallet and online gambling related apps. These websites share several commonalities in registration details, backend infrastructure, website configurations, and theme. The following is a sampling of those domains.

Identified malware families have included Gh0stRAT, ValleyRAT, RemKos RAT, LummaStealer, RedLine and others.

Common registration details:

• IP ASN: Amazon, CloudFlare, Alibaba, CloudRadium
• Registrar: Dominet (HK) Limited, 22net, webcc, Gname
• Nameserver Domain: alidns[.]com, cloudflare[.]cp, hndnsv1[.]com
• IPs Resolved: 54.215.49[.]143 & 54.193.24[.]113
• SSL Duration: 90 day

Screenshot of malicious domain “chrmpw[.]top”, which spoofs as a GPT Chrome download application

‍

‍

Malicious domain kuailianlow[.]com, which spoofs as Kuailian Accelerator VPN (快连加速器)

Index.html

Both Download buttons contain an onclick=”down()” function call. 

The down() function call is contained in a script within the HTML. Its purpose is to construct the file download path. To accomplish this it references a dictionary variable “window” to retrieve the value from the key “filename”. 

The “filename.js” script is imported in the HTML and contains the window[‘filename’] value.

‍

“Where there's one rat, there's a nest”

Expanding the search for similar websites and domain registration patterns identifies several spoofed VPN download websites.

Commonalities include the use of a filename.js to hold the malicious filename, and coding Chinese language text as opposed to the legitimate websites displaying content based on the language settings in the client’s browser settings. The latter suggests a preference for targeting Chinese language users.

Multiple spoofed VPNs such as LetsVPN appear in online guides as popular choices for bypassing the censorship of the Great Chinese Firewall.

‍

‍

• Possibly related: Gh0stGambit, drive-by-downloads targeting Chinese users https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat 

A similar variation employs an additional imported JavaScript file to dynamically load the page content and button download actions.

Malicious domain, letscdn[.]world, which spoofs as LetsVPN 

Excerpt from Index.html - File Download Buttons with href JavaScript function calls to onDownload()

Excerpt from Index.html - Importing “/assets/js/jquery.min.js” via script tags.

Excerpt from “/assets/js/jquery.min.js” - loads script “/assets/download/filename.js” and returns the download URL as “https[:]//” + “letscdn[.]world” + “/assets/download” + “letsvpn-latest.rar”

The value for the “window.filename” is contained in another imported JavaScript file: “/assets/download/filename.js”

‍

‍

Fake Login Pages Delivering Malware

Examples of fake login pages to deliver malware were also identified. 

The following screenshot of malicious domains “xmengapp[.]top” and “xinmeng[.]xyz”, which spoof a company called Genting Trust Union, which is purportedly an enterprise management platform for businesses to engage customers, however no apparent legitimate company by the name was identified. It is suspected that this is a fabricated company and website to lure in prospective marketing and sales teams. The website purportedly offers several service and data integrator apps for marketing purposes but in fact only delivers trojans described below. 

Included in the website’s imported JavaScript files is “/assets/js/ebzcecf9.js”, which contain login credentials for the website.

Logging into the application would load the following landing page:

‍

Notably, the top bar “cloudtop” is a download button for a suspected malicious file but returns a 404.

The main section (right) is a range of services and tools related to online marketing and lead generation such as driving traffic to websites, automating tasks, managing multiple accounts, managing phone numbers for telemarketing, integrating proxies, overseas payments, AI tools for content creation and the like. 

‍

‍

The left panel contains a page link for “User Management”.

‍

Clicking the blue “Click verification” button shown in the screen capture above opens a pop up alert with the following message

"Detected that the bundled plugin is not installed. Please install and retry."

Clicking “OK”, opens a download prompt for the following .msi file. The msi file is bundled with multiple files including those that AV scanners tag as Gh0stRAT and Farfli trojans. A possible C2 was identified as “134.122.135[.]95”, which is a suspected ValleyRAT C2.

‍

‍

Associated malware, activity and methodologies appear to overlap closely with reporting by Knownsec 404 team and Fortinet of a suspected APT activity named “Silver Fox”.

Compendium of Chinese Malware Delivery Domains

The following are all examples of the spoofed websites for delivering malware utilized in this cluster of activity from at least June 2024 to January 2025. Example malware delivery domains and their respective malware download URLs and SHA256 hashes are provided as available for each example below. This listing is non-exhaustive of the variety of spoofed websites for delivering malware. 

‍

Spoofs as QuickQ, a network accelerator and encrypted traffic tool. quickqi[.]net quickiq[.]top quickqi[.]net/assets/download/quicqk66.12.msi quickiq[.]top/assets/download/win32-quicq.msi 1a793de251bffb1edc309aa0b7fd02354c7c99d3cb1f24b3e0140d2015dc49a fe1b5431ae27c85b1c652e3ac9541c2a801540c02c04fa7f4a3a9543c284eca5
Spoofs as WhiteWhale VPN (白鲸加速器) isdndjsq[.]top isdndjsq[.]top/assets/download/win32-quicq.msi fe1b5431ae27c85b1c652e3ac9541c2a801540c02c04fa7f4a3a9543c284eca5
Spoofs as Yiwaiwai Customer Service Chat Assistant download purportedly for Chrome, QQ, WeChat, Quanniu, Pinduoduo, Doudian, and others. eyy5201[.]top https[:]//eyy5201[.]top/static/download/yiwaiwai66.31.msi fe86e1fff0afefd79de4fd26f041757495c5fadd116400699411a200978f0e41
Spoof as Lets VPN download sites letsvpn-ui[.]top kingtelmfng[.]top https[:]//letsvpn-ui[.]top/assets/download/letsvpn-latest.exe e09056567f146da73aa0c4266a15cd61655e4402146b75a836d1c92926cd37c4
Screenshot of malicious domain “z42f1m[.]top”, which spoofs as a Microsoft login page for Outlook but delivers malware. https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip 73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 RedLine LummaStealer
Screenshot of malicious domain “vejm60[.]top”, which spoofs as a Google mail login page but delivers the same malware. https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip 73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46 a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796 Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 RedLine LummaStealer
Screenshot of malicious domain “vzvlco[.]top”, which spoofs as a QQ mail login page but delivers malware. https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip 73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 RedLine LummaStealer
Screenshot of malicious domain “taufp6[.]top”, which spoofs as a 163 mail login page but delivers malware. https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip 73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 RedLine LummaStealer
Spoofs as AnyDesk remote desktop application. andesksr[.]com https[:]//andesksr[.]com/assets/download/anydeskx64-32.3.0.zip
Spoofs as Yiji Pay, a financial payment application. yijfu[.]com https[:]//yijfu[.]com/assets/download/PassGuardSetuhz.exe
Spoof of iTools for Windows, a tool used for managing Apple mobile devices. i4z[.]xyz
Spoof of Huorong Internet Security website. Download links spoof as personal and enterprise security applications. huurongs[.]top huoroug[.]top
Spoofs as a game download link for QQ.  qqsgs[.]com
Spoofs as Google Chrome download site. oogiie[.]top
Spoofs as Youdao Dictionary software, a dictionary for translating text between Chinese and English and other languages. yoodaou[.]xyz https[:]//yoodaou[.]xyz/assets/download/QuarkUpdaterSetup_fuzz_1.rar 1a48a730cdd4982a5ac0b44984d70253eab9ea070285d9fc2124c83270576cf4f8c117a65e11fd370cb0673d1066af3415dfd9c8fde98225498f6e4ac92c213e
Spoofs as ToDesk remote desktop software. todeskzis[.]xyz https[:]//todeskzis[.]xyz/assets/download/ToDesk (2).zip 215872ff03e4a9d0baf12643b94d8cb60a5dba86153fa05148bd52344567e030d5b9d07f1aa0bf738521db66439d448913da86420f2c2a0753e35ba6b63a393a
Spoofs as ToDesk remote desktop software. todeskeq[.]top https[:]//0h6ai2g7.oss-ap-southeast-1.aliyuncs[.]com/ToDesk_Setup.zip (is a .rar file) 134cba7e74c243b3f58535fd224f14a637445e176a5017a8d2938f357a88e9cb3823cc7228d7d8f75f007a4eafc0e4f4f1789ce26a6e1ca15c5045e17810396d Retrieves: https[:]//ws636rj.oss-ap-southeast-1.aliyuncs[.]com/encrypted_shellcode.bin
Spoof of WuYou, a service for receiving verification codes such as SMS and online platforms.  wuyoujieee[.]com
oracl[.]top
Spoofs as Skype teleconference application download. skyes1[.]top
Spoof of Youdao, a translation App. yoadao[.]xyz
Gaming platform. 163i[.]tophttps[:]//mumu.163i[.]top/assets/download/Mumu模拟器.zip
Android Emulator to run from Windows Machine - purportedly to play simulate mobile games on desktop. lediam[.]xyz https[:]//d9gc24pw.oss-ap-southeast-1.aliyuncs[.]com/%E9%9B%B7%E7%94%B5%E6%A8%A1%E6%8B%9F%E5%99%A8.zip ffe3be504d0a89ace9271a6a1fc51f6b0539903a10b1bf89285875606852ba65
clashcn[.]xyz
“QC7 goes overseas to navigate global social traffic” “Accurate overseas customer acquisition starts with filtering number data” “Overseas account screening platform” 007z[.]top https[:]//007z[.]top/assets/download/007-Setup.exe e34fd0f5fbc5f09f55ccdf2e6a5f70215c8686f9c83c45f421ac2a475d8bfd47
Spoof of Yuanqi, a website and app providing anime wallpapers without watermarks. yqdesk[.]top
Spoof of KARIOS, which purports to be a “SMS Provider” such as sending text messages. karlosqp[.]xyz
Spoofs as an unnamed merchant backend login page. Clicking login results in a popup with a “please install” link for a malicious file spoofing as a cryptokit_sando. Clicking OK directs to /update page with a banner to download the same file. This time spoofing as a Flashplayer update link. shanghud[.]com https[:]//shanghud[.]com/assets/download/k3.2.6.0升级组件.exe 65049df06de78a4fda14d5f07d83eef1b316c0dea0ecfc3dbec7e5e1b7b20754
T Star Diamond Payment-Merchant Backstage. Spoofs as a login page. Clicking the login button downloads Gh0stRAT malware. xingzuan[.]xyz https[:]//xingzuan[.]xyz/assets/download/xingzuansetupg5.exe 5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a Downloads additional files from: https[:]//wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud[.]com
Spoofs as Dex Screener, a cryptocurrency website. Clicking any buttons initiates a popup with download link spoofing as a Flashplayer update. It contains samples of Gh0stRAT and Blackmoon malware. dexscreeners[.]icu https[:]//aaa8999.oss-us-west-1.aliyuncs[.]com/Flash_x32.zip 86f8239224a0ace2b1e0a2216511b0a0aea1bf055f7cbeca2fcf9c316f3de921
Spoofs as popular Line messenger application. iines[.]xyz
Spoofs of DeepL Pro, a machine translation company. The service purports to emphasize data security with end-to-end encryption and automatic deletion of translated text.  deepil[.]top
Spoofs of DeepL Pro, a machine translation company. The service purports to emphasize data security with end-to-end encryption and automatic deletion of translated text. deeplx[.]top
Spoofs as 2345 Image King, software for viewing images.   2345ktws[.]xyz
Spoofs as Quark, AI. An AI-powered assistant application. quarki[.]top
Spoofs as a cryptocurrency exchange. chachap[.]top https[:]//0l1hsqvd.oss-ap-southeast-1.aliyuncs[.]com/uCheckerInst.zip
Spoofs as 360 browser, a web browser developed by the Chinese internet security company, Qihoo 360. 360browsap[.]top
Spoofs as a mobile and web game site. ttcy365[.]com
Spoofs as Sunflower Remote Control Software, which purports to allow remote access to other computers, file transfer, and remote assistance. orays[.]top
A banner displayed warning of malicious activity spoofing their brand but is in fact also a spoof. baofuupay[.]com https[:]//baofuupay[.]com/assets/download/setup.exe 2901ca8eefd1d431d25f3d45dbf42dc48136b74692801ca0f6b606541d645baf
Spoofs as Enigma Messenger App, an end-to-end encrypted chat app. immersivetranslate[.]top
Spoofs as a cryptocurrency exchange app. tradingview[.]trade
Spoofs Signal messaging application, an end-to-end encrypted chat app.  signall[.]xyz
Spoofs Signal messaging application, an end-to-end encrypted chat app. signel[.]top
Spoofs as AdsPower app, an anti-detect browser for managing multiple online accounts. adspowerr[.]top
Spoofs as 360 Security Guard - Software Manager to download iTools app. iTools is used for managing Apple mobile devices. i4app[.]top
Spoofs as FireFox browser download. firefoxz[.]top
Spoofs of LianLian Pay application. lianlianpoy[.]com
Spoofs as a financial payments management website. shengfuton[.]com
Spoofs as a music streaming app. wymusic[.]top
Spoofs as Snipaste, a screenshot and screen recording tool. snipaste[.]top
Spoofs as Aurora PDF, a service for creating, editing and viewing PDF files.  jiguang[.]icu
Spoofs as Steam, a popular digital distribution platform for video games. steams[.]top
Spoofs as 163 VPN built by NetEase, a Chinese tech company. 163 VPN is primarily designed for users within China to access websites blocked by the Great Firewall of China.  163e[.]top
Spoofs of Gmail Login Page.  qmails[.]top
Spoof of Telegram messenger application. telegrinxkam[.]top https[:]//telegrinxkam[.]top/assets/download/Ttsetuphdmgj.exe d219a6056e1f65507c984475711bd7e674b1319d11fd7a1149f3da983fd4f7c8
Spoof of Telegram messenger application. telegrcm[.]ing teiegram[.]ing
Spoofs as SaleSmartly, a customer communication platform. salesmart[.]top https[:]//wien.oss-ap-southeast-1.aliyuncs[.]com/win7-salesmartly.zip
Spoofs of Google Play store to download a malicious application. goople[.]top
Spoofs of Telegram messaging application. telegrpcm[.]xyz

‍

Conclusion

The spoofed malware delivery websites sampled in this report all share commonalities in configuration, domain registration patterns, and a suspected intent to target Chinese-speaking users. Indications suggest a broader target audience of Chinese language speakers outside of China including Malaysia and Hong Kong. 

The majority of the malware identified being delivered by the spoofed websites were stealers and trojans with capabilities to steal credentials and provide remote access to compromised systems. All malware identified were intended for Windows operating systems. Among them were multiple samples AV vendors assessed to be Gh0stRAT, Lummanstealer, RedLine, Farfli and ValleyRAT. Of which, C2s were also identified as associated with ValleyRAT. 

The activity and infrastructure of this cluster suggests a strong overlap with previously reported APT group SilverFox. Similarities include the spoofed websites, a focus on targeting Chinese-language speakers, and the use of ValleyRAT. Additionally, the overall volume, variety, and duration of the activity involved aligns with previous reports of SilverFox and suggests an organized and professional enterprise such as a commercial hack-for-hire or nation state sponsored contract. 

While spoofing websites to deliver malware is nothing new, the sustained volume and consistency speaks to a larger systematic approach to target a specific demographic with an apparent intent on gaining access to Windows devices likely to initially steal credentials and provide continued access for follow-on engagements. In the past, speculation around similar campaigns involved acting as access brokers to sell to government organizations or other criminal groups. Another possibility may be the collateral targeting of a population to opportunistically compromise high-value targets. In other words, indiscriminate compromises until they strike gold on gaining access to, for example, a corporation’s system or credentials.

IOCs

‍

Suspected Malware Delivery Domains:

‍

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CNMalwareDelivery-Pt1

Hello CTI Grapevine Superfriends!

You may have noticed some subtle changes to our website: As of today, CTI Grapevine became part of the newly-launched DomainTools Investigations (DTI) family. Since this shift may come as a surprise to some of our avid readers, I wanted to share why we believe it is a great move for our community:

CTI Grapevine was started as an initiative by us, for us: The researchers, analysts, defenders, and the quiet types you never hear about publicly, but who behind the scenes help make the Internet a safer place. You know who you are. We wanted to explore what it would be like for the community if we published relevant and timely Domain- and DNS-related security snacks - “bite size research,” if you will. We had some really great success with this in 2024. You, the community, gave us both positive and constructive feedback on areas of growth, what you wanted us to improve on, and how we could be a better resource to the community at large. As we brainstormed on how to grow the program, we kept coming back to a DomainTools core principle: Community First! 

On a personal note, this core principle is one of the top reasons I stayed with DomainTools after my previous employer Farsight Security was acquired - The InfoSec Community has been a key part of my career for over 20 years, I would not be where I am today without it. In 2002, I started attending The Agora in Seattle, one of the first quarterly closed-vetted InfoSec meetups. After a few years as an attendee, I got involved and helped to organize and host the events for another decade+. Around 2007, I started attending other great community-focussed conferences like ISOI, and later ACoD, DCC, UE - IYKYK. I mention all this to underline how serious I am in my commitment to The Community, and as the Head of DomainTools Investigations, I will make sure we do not stray from that path.

In the spirit of supporting the community, we knew we needed to be extremely thoughtful in providing more resources. We pitched a program that could attract and sustain kickass researchers and analysts who could focus on providing their expertise on an ongoing basis. Our bosses listened, and decided to give us a year to prove ourselves. And so, DTI was formed as a community-based research effort focused on investigating, mitigating, and preventing Domain- and DNS-based attacks. (And yes, we love puns and DTI is a play on CTI…see what we did there?) With the launch of DTI, building on the foundation of CTI Grapevine, the cybersecurity community will have expanded access to:

• Insights on advanced persistent threats (APTs), nation-states, cyber-espionage groups, business email compromise (BEC), and more
• Published research on the DTI website and available via webinars, closed door sessions, and conferences
• A yearly report that dives into the nuances of Domain- and DNS-based attacks

You can get all of this goodness right here on the site, and never miss an update by setting up an RSS feed to dti.domaintools.com. Additionally, you can find us on the socials (Mastodon: @domaintools@infosec.exchange, Bluesky @domaintools, X @domaintools, LinkedIn https://www.linkedin.com/company/domaintools/ ), or come say “Hi” at various conferences and events we will be frequenting all year long!

Here is to an exciting year ahead, and to borrow a signature word from one of my friends and mentors: Excelsior!

Daniel Schwalbe
CISO and Head of Investigations
DomainTools

PS: Let’s talk about tracking for a minute. More specifically website page views, and email open tracking, or what the kids call “engagement” these days. When we first launched CTI Grapevine, we intentionally had zero tracking on the site. This is somewhat rare in the industry, but as a security and privacy professional, I am allergic to tracking. I block it wherever and however I can. Being in control of DNS resolutions on your own Network is very useful for that purpose. 

But if as a business you must track, at least be as transparent as possible about it. So this is the approach we are taking here. The bargain we made with our bosses in order to take DTI to the next level was to sign up for some KPIs, and we need some kind of measurement to see if we hit those KPIs. We use Google Analytics with tags, and Marketo Measure (Bizible / Adobe). We won’t gate content, and we won’t use more invasive tracking.

Sure, tracking on websites can be blocked by the browser, and almost every email client now has the ability to block open tracking. We accept it, and are OK with that. But if you feel so inclined and want to support our program, maybe consider letting some of that tracking through. 

Overview

On 27 December 2024, the technology company Cyberhaven reported that an unnamed actor replaced its Google Chrome extension on the Google Chrome Web Store with a malicious version. The actor used a phishing email to compromise a developer’s account via authorizing a malicious third-party application. DomainTools researchers reviewed publicly available information related to this incident and discovered that the Cyberhaven incident is part of a months-long campaign likely attempting to impact multiple companies primarily in the technology sector.

Summary of the Cyberhaven Incident

Cyberhaven’s initial analysis of the incident revealed that the actor sent a phishing email claiming that the recipient’s Chrome extension was at risk of being removed from the Chrome Web Store due to policy violations. A link in the email purported to allow the recipient to acknowledge those policies and avoid removal of the extension. Clicking on the link led the recipient through the process of adding a malicious third-party application named “Privacy Policy Extension” to the recipient’s Google account - a tactic commonly known as OAuth phishing. The malicious application received permissions to publish Chrome Web Store extensions, allowing the actor to replace Cyberhaven’s extension with a new version containing malicious code.    

The malicious code comprised two altered JavaScript files:

• worker.js: This script contacted the actor-controlled domain, cyberhavenext[.]pro, which served as command and control (C2) for the incident.  The server hosted configuration data, which it stored in Chrome’s local storage and monitored events from the second script, content.js.
• content.js: This script collected user data from specific websites. The file used in the Cyberhaven incident specifically targeted Facebook-related data such as access tokens, user IDs, account details, business accounts, ad account information, cookies, and user agent strings. The script exfiltrated all compromised data to actor-controlled infrastructure.

Connections to a Broader Campaign

Cyberhaven shared indicators of compromise (IOCs) related to the attack. DomainTools researchers analyzed this information and discovered a large network of infrastructure likely used in similar attacks against other targets. Some of the related domains include:

• cyberhavenext[.]pro
• api.cyberhaven[.]pro
• app.checkpolicy[.]site

The reported C2 domain for the incident, cyberhavenext[.]pro, resolved to the IP address 149.28.124[.]84 which is allocated to the hosting provider Vultr. Passive DNS data in the Iris Investigate platform shows 18 domains resolving to this IP address since 5 November 2024 with the majority beginning to resolve in the last week of December 2024. It is likely that these domains are part of a broader campaign that includes the Cyberhaven incident. This assessment is made with high confidence based on the following factors:

• IP address overlap - likely related domains resolve to the same IP addresses within close time proximity  
• Whois similarities - Domains share similarities in whois information: Namecheap registry, registrar-servers[.]com for NS and MX, and use of Let’s Encrypt certificates
• Domain naming conventions - Domain names spoof specific software products such as AI tools, VPNs, adblockers, and other general web browsing tools.
• Top Level Domains (TLDs) - Heavy use of .pro TLD along with .live, .info, .com, .net, .ink, and .vip 

Research revealed additional related domains on other Vultr IP addresses:

• 149.248.2[.]160
• 136.244.115[.]219
• 45.76.225[.]148

Data from the urlscan platform shows that some of the related domains hosted configurations similar to that reported by Cyberhaven. For example, urlscan data for the domain internxtvpn[.]pro shows a similarly formatted configuration for targeting data from the ChatGPT platform

‍

‍

Configuration Recorded by URLscan on 29 December 2024

Urls can data also shows some of the identified infrastructure hosting credential phishing pages as far back as February 2024. Figure 2 shows a credential phishing page for an unidentified service hosted on admin-set.tkpartner[.]pro (left) and a phishing page likely meant to spoof Facebook’s Business Manager service hosted on tkadmin7.tkv2[.]pro (right). There is not enough evidence to determine how potential victims were directed to these pages or how the actor responsible leveraged compromised credentials. 

‍

Figure 2. Credential phishing pages hosted on infrastructure likely related to that used in the Cyberhaven incident.

Conclusion

It is likely that the Cyberhaven incident was part of a months-long campaign seeking access to sensitive data related to popular web services such as Facebook and ChatGPT. This assessment is made with high confidence based on identified infrastructure, the usage time frame of the infrastructure, and code within the actor’s configuration files. Observed tactics, techniques, and procedures (TTPs) indicate this actor is more likely criminal than state-sponsored.

IOCs

‍

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CyberhavenCampaign

Overview

Domain hijacking attacks like subdomain takeover and SPF hijacking take advantage of vulnerable or stale configurations in a target domain. The vulnerable domains are then leveraged in spam or phishing campaigns or to spread malware. They can be particularly successful as they can take advantage of the target domain’s established reputation to subvert spam filters and other reputation-based detections.

Subdomain Takeover

In the case of subdomain takeover, attackers look for subdomains that are configured to point to a service that does not appropriately handle subdomain ownership verifications. 

Attackers can identify subdomains pointing to other services by using a range of openly available tools such as Sublist3r, Assetfinder, and ReconNG. Attackers would then check for vulnerable services such as those that allow custom domain names like GitHub pages, AWS S3 or by looking for domains that continue to point to services that no longer exist. 

Exploiting these vulnerable domains allows the attacker to host malicious content such as phishing pages or malware from the domain. This type of attack may allow for “subdomailing”, which refers to the type of email spoofing attack that leverages subdomains of a legitimate domain to send fraudulent emails.

Example DNS log of a potentially vulnerable subdomain:

mail.vulnerable-domain[.]com.  IN  CNAME  
pages.githubusercontent[.]com.

This shows that mail.vulnerable-domain[.]com points to GitHub pages. If for example the associated GitHub pages repository were deleted and the DNS record is unchanged, an attacker could re-create the deleted repository under the same name. In effect, allowing the attacker to control the content of the target domain.

SPF Hijacking

In contrast to subdomain takeover, SPF Hijacking occurs when an attacker gains access to a target’s DNS records either via the registrar or by exploiting vulnerabilities in the DNS infrastructure. Once the attacker has access they can modify the SPF record of a domain. For example, the attacker could add in one of their own domains into the target domain’s SPF record. In effect, this would allow the attacker to send emails that would appear to be originating from the target’s domain.

Example DNS log of a vulnerable SPF record:
vulnerable-domain[.]com. IN TXT "v=spf1 mx -all"

Example attacker tool to modify a DNS record of a target domain:
pdnsutil modify record vulnerable-domain[.]com TXT 'v=spf1 mx attacker-domain[.]com -all'

Example DNS log of the compromised SPF record for domain insertion:
vulnerable-domain[.]com. IN TXT "v=spf1 mx attacker-domain[.]com -all"

In the examples above, pdnsutil, a powerful DNS management tool, is used to modify the “TXT” record of a vulnerable domain to include the attacker’s domain in a new SPF record "v=spf1 mx attacker-domain[.]com -all"

Hunting

Pivoting off a report by Guardio in February 2024, which detailed a large campaign of subdomailing activity involving two attacker domains inserted into vulnerable DNS records.

‍

‍

Equipped with knowledge about domain takeover attacks, we can hunt for characteristics of subdomain takeover and SPF hijacking.

To start, we may take similar approaches to an attacker in which passive reconnaissance tools or historical DNS and web scanner data aggregators are leveraged to passively identify potentially vulnerable domain configurations.

Reviewing recent DNS records for actor domain greaterversatile[.]com in RDATA:

‍

‍

Breaking down the RDATA: "v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all"

1. v=spf1: indicates it's an SPF record version 1, the most commonly used version.
2. include:harrisburgjetcenter[.]com: instructs the receiving mail server to consult the SPF record hosted on the domain harrisburgjetcenter[.]com. The receiving server will then use that record to determine if an email claiming to originate from the original domain is legitimate.
3. include:greaterversatile[.]com: the receiving server will also consult the SPF record hosted on greaterversatile[.]com
4. -all: specifies a "hard fail" for any email that doesn't pass the SPF check based on the included records. In other words, any email not authorized by the records from harrisburgjetcenter[.]com or greaterversatile[.]com will be rejected.

Reviewing recent DNS records for actor domain greaterversatile[.]com in RRNAME:

‍

‍

The above DNS records shows that the actor domain greaterversatile[.]com had SPF records in February 2024 that point to several domains and hundreds of IP addresses and in October 2024 was updated to point to two dynamic DNS domains.

Due to the grouping of SPF record placing, the following domains are likely also actor owned during their respective times of association.

‍

‍

In summary of the above records if the domain tracks.vooyo[.]id sends email, the receiving mail server would attempt to validate the SPF records from the actor domains harrisburgjetcenter[.]com and greaterversatile[.]com, which would then be routed again to instanttranslates.dynu[.]net and informationshout.dynu[.]net.

The following DNS records for instanttranslates.dynu[.]net. indicate additional SPF routing would take place.

‍

‍

Due to their use in the SPF records of other actor domains, these additional dynamic DNS domains also acting as SPF redirectors are likely actor operated domains as well:

‍

‍

Subsequently looking up the SPF redirects for universitygreatchoices.gleeze[.]com and others identifies records such as the following in which the designated IP ranges are authorized to send mail by the original domain.

‍

‍

The following diagram shows how the chained SPF records create multiple layers of redirects.

In summary, the chained SPF records create multiple layers of SPF redirects. This may serve to obfuscate the originating mail servers and distribute infrastructure to increase resiliency from disruptions affecting portions of the network. It may also serve to evade detection by hindering analysis by making it difficult for anti-spam and security researchers to identify patterns and write signatures to detect and block the network and the activity it is being used for.

The Senders

Sampling the IP addresses in the RDATA records show a trend of mail servers, reverse DNS, Apache HTTP servers, and Squid Cache servers.

The IPs associated domains to the SPF records were also observed hosting content such as the following samples:

‍

Indicators & Search Hashes	Web Screenshots
*[.]megajobsusa[.]com Shodan hash:-1137946516 ShodanHttp.html_hash:581214383 Censysservices.banner_hashes="sha256:3a47dc2a58324647af74c539d6e9eceb994f5ec3b49ff1744d164e6f340a9e29"
angelcamach0-github-io.pages[.]dev
callor[.]com
gamerchallenger[.]com
sunillulla[.]com

‍

‍

Domains hosting similar web content:

‍

‍

Conclusion

This research has only touched the surface of what appears to be a very large and well coordinated spam and phishing network taking advantage of DNS-related misconfigurations or weaknesses. Indications from domain and infrastructure pivots suggest the network has been operating since at least 2019 to present. The operators of the network appear to demonstrate awareness and response to security reports of their infrastructure and appear to have made multiple attempts to improve its resiliency to identification and disruptions.

Observables

‍

‍

On 18 November 2024, BlackBerry’s threat research team reported on a cyber espionage campaign targeting the Pakistan Navy. This campaign used malicious documents to collect credentials and distribute malware. While BlackBerry did not attribute this activity to a specific actor, subsequent analysis by DomainTools revealed significant overlaps in tactics, techniques, procedures (TTPs), and targeting scope with the cyber-espionage group known as SloppyLemming.

Review of BlackBerry Report

Recent activity from this campaign involved the deployment of a malicious PDF document in early September 2024. The document resembles an internal IT memo, instructing recipients on integrating Axigen Thunderbird for secure email communications. The document contained a link to a malicious website (paknavy.rf[.]gd) mimicking the legitimate Pakistan Navy domain.

Upon visiting the fraudulent site, users were prompted to download a ZIP file, “Axigen_Thunderbird.zip,” which included a malicious Thunderbird extension. Once installed, the extension requested credentials for “@paknavy.gov.pk” email addresses. Entered credentials were transmitted to an actor-controlled domain (updateschedulers[.]com), and the extension downloaded a malware payload hosted on the same domain. BlackBerry researchers identified the malware as a variant of Sync-Scheduler. Public reporting from March 2024 first identified this malware family and its use of  the domain packageupdates[.]net for command and control (C2). BlackBerry also identified related activity in the May/June 2024 time frame using the C2 domain extension.webmailmigration[.]com.

Further analysis by DomainTools uncovered an additional likely associated domain: diplomaticservices[.]link. Whois data from this domain shows a registrant organization of “National Telecom Corporation” likely referencing the Pakistani government’s telecommunications provider. The only other domain using this registrant organization since 2010 is the webmailmigration[.]com domain from the BlackBerry report. 

Overlap with SloppyLemming Actor 

In September 2024, Cloudflare’s threat research team reported on an India-nexus cyber espionage actor it dubbed SloppyLemming (aka OUTRIDER TIGER). This actor primarily targets Pakistan, with a focus on government and defense. SloppyLemming frequently leverages its custom CloudPhish credential logging tool on Cloudflare Worker domains to compromise email credentials from targeted individuals. One of the mail clients CloudPhish specifically targeted was Axigen, which was the mail client referenced in the malicious activity covered in the BlackBerry report. SloppyLemming also employed PDF documents for credential collection and malware delivery.

Data from the urlscan.io scanning service shows an Axigen webmail credential phishing page present on www.login.webmailmigration[.]com in April 2024. Similar Axigen phishing pages present on the following domains between February and July 2024:

• mail-pakchinainvest-com.niancao010.workers[.]dev
• webmail.cybar-net-pk.workers[.]dev
• mail.pof-gov-pk.workers[.]dev

These domains use a similar domain naming convention to that detailed in the SloppyLemming report.

‍

Figure 1. Screenshot of credential phishing pages present on www.login.webmailmigration[.]com in April 2024 (left) and mail.pof-gov-pk.workers[.]dev in August 2024 (right)

Additional similarities between the recent BlackBerry and Cloudflare’s reports include the actor’s use of malicious PDFs malware delivery and a Pakistan-centric target scope. 

Conclusion

It is likely that SloppyLemming is the actor responsible for the malicious activity described in BlackBerry’s recent report. This assessment is made with low confidence based on similar credential phishing and malware delivery TTPs, as well a Pakistan-focused target scope. However, it is plausible that the BlackBerry report discusses a separate actor from SloppyLemming that is employing similar TTPs.

IOCs

paknavy[.]rf[.]gd
updateschedulers[.]com
packageupdates[.]net
finance-gov-pk[.]rf[.]gd
extension[.]webmailmigration[.]com
diplomaticservices[.]link

Fake government job boards attempt to trick job seekers into providing personal information that may be used for fraud, phishing, or other malicious purposes. The bad actors behind these fake job boards cause harm by either soliciting an application fee from victims or by instructing them to download malicious files or deceiving victims into giving personal information such as resumes, historic addresses and contact information.

Multiple countries were identified as targeted by a high number of fake government job boards. For instance, many of the identified domains masquerading as US government job boards were reportedly associated with email campaigns. Those in Pakistan and India appear largely fraud related and employ WhatsApp and Telegram groups. Fake Taiwanese government job postings are suspected to be harvesting personal information for phishing and fraud.

Similarly, nation states such as North Korea also host fake job postings for phishing, and creating fake personas in attempts to be hired by and gain access to western tech companies.

Details

Fake US Government Job Websites

A cluster of domains that goes back to early as 2017 and associated mail servers have been used in email spam. The domain names masquerade as government job or contract bid sites. The domains are frequently configured to redirect to legitimate government job sites such as govcb[.]com and governmentcontracts[.]us likely for the purpose of appearing more legitimate upon inspection.

Example mail server:

• https://www.abuseipdb.com/check/44.215.207.48
• https://check.spamhaus.org/results/?query=govcb-bids-bulletin.us

‍

‍

Fake Taiwanese Government Job Websites

Spoofing as the legitimate taiwanjobs[.]gov[.]tw website for the purposes of phishing, information gathering, and credential harvesting. Taiwanjobs[.]gov[.]tw website reports the following message of ongoing phishing activity using fake look alike websites.

‍

‍

‍

Fake MELA Government Job Websites

Mela Network is the Middle Eastern arm of a global network spanning 46 countries. Their website states: “Mela's mission is to help executives in the MENA (Middle East and North Africa) region grow professionally and personally by exposing them to best practices in leadership and connecting them with a global network of peers.” [https://melanetwork.org/]

‍

‍

‍

Fake Indian Government Job Websites

‍

‍

‍

Fake Pakistan Government Job Websites

Fake Pakistan government job boards similar to those for Indian government job boards. WhatsApp channels and Telegram group links are displayed on pages. Many of these sites are suspected to be used for phishing and fraud. 

‍

‍

‍

Conclusion

Fake job boards are common around the world. They seek to take advantage of job seeker’s motivations in order to harvest personal information and may lead into additional fraud schemes, phishing, identity theft, and malware delivery.

Job seekers should conduct research on job postings before applying, recognize domain name masquerades and be wary of unsolicited job offers. Additionally, it's crucial to recognize red flags such as unexpected fees, high-pressure tactics, requests for sensitive personal information, and unknown personas offering special favors.

‍

IOCs