Malicious Browsers, Messengers, VPNs, and More…

Hundreds of newly registered domains are actively targeting Chinese-speaking users with malware. This report analyzes this activity, detailing the range of deceptive lures employed, including imitations of messengers, browsers, VPNs, email services, and Adobe software.

Details

Since at least June of 2024, a cluster of over four hundred domains have been registered to host spoofed websites to deliver malware to Chinese-speaking users. Spoofed application download websites have included web browsers, VPNs, chat and email applications, as well as crypto wallet and online gambling related apps. These websites share several commonalities in registration details, backend infrastructure, website configurations, and theme. The following is a sampling of those domains.

Identified malware families have included Gh0stRAT, ValleyRAT, RemKos RAT, LummaStealer, RedLine and others.

Common registration details:

• IP ASN: Amazon, CloudFlare, Alibaba, CloudRadium
• Registrar: Dominet (HK) Limited, 22net, webcc, Gname
• Nameserver Domain: alidns[.]com, cloudflare[.]cp, hndnsv1[.]com
• IPs Resolved: 54.215.49[.]143 & 54.193.24[.]113
• SSL Duration: 90 day

Screenshot of malicious domain “chrmpw[.]top”, which spoofs as a GPT Chrome download application

‍

‍

Malicious domain kuailianlow[.]com, which spoofs as Kuailian Accelerator VPN (快连加速器)

Index.html

Both Download buttons contain an onclick=”down()” function call. 

The down() function call is contained in a script within the HTML. Its purpose is to construct the file download path. To accomplish this it references a dictionary variable “window” to retrieve the value from the key “filename”. 

The “filename.js” script is imported in the HTML and contains the window[‘filename’] value.

‍

“Where there's one rat, there's a nest”

Expanding the search for similar websites and domain registration patterns identifies several spoofed VPN download websites.

Commonalities include the use of a filename.js to hold the malicious filename, and coding Chinese language text as opposed to the legitimate websites displaying content based on the language settings in the client’s browser settings. The latter suggests a preference for targeting Chinese language users.

Multiple spoofed VPNs such as LetsVPN appear in online guides as popular choices for bypassing the censorship of the Great Chinese Firewall.

‍

‍

• Possibly related: Gh0stGambit, drive-by-downloads targeting Chinese users https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat 

A similar variation employs an additional imported JavaScript file to dynamically load the page content and button download actions.

Malicious domain, letscdn[.]world, which spoofs as LetsVPN 

Excerpt from Index.html - File Download Buttons with href JavaScript function calls to onDownload()

Excerpt from Index.html - Importing “/assets/js/jquery.min.js” via script tags.

Excerpt from “/assets/js/jquery.min.js” - loads script “/assets/download/filename.js” and returns the download URL as “https[:]//” + “letscdn[.]world” + “/assets/download” + “letsvpn-latest.rar”

The value for the “window.filename” is contained in another imported JavaScript file: “/assets/download/filename.js”

‍

‍

Fake Login Pages Delivering Malware

Examples of fake login pages to deliver malware were also identified. 

The following screenshot of malicious domains “xmengapp[.]top” and “xinmeng[.]xyz”, which spoof a company called Genting Trust Union, which is purportedly an enterprise management platform for businesses to engage customers, however no apparent legitimate company by the name was identified. It is suspected that this is a fabricated company and website to lure in prospective marketing and sales teams. The website purportedly offers several service and data integrator apps for marketing purposes but in fact only delivers trojans described below. 

Included in the website’s imported JavaScript files is “/assets/js/ebzcecf9.js”, which contain login credentials for the website.

Logging into the application would load the following landing page:

‍

Notably, the top bar “cloudtop” is a download button for a suspected malicious file but returns a 404.

The main section (right) is a range of services and tools related to online marketing and lead generation such as driving traffic to websites, automating tasks, managing multiple accounts, managing phone numbers for telemarketing, integrating proxies, overseas payments, AI tools for content creation and the like. 

‍

‍

The left panel contains a page link for “User Management”.

‍

Clicking the blue “Click verification” button shown in the screen capture above opens a pop up alert with the following message

"Detected that the bundled plugin is not installed. Please install and retry."

Clicking “OK”, opens a download prompt for the following .msi file. The msi file is bundled with multiple files including those that AV scanners tag as Gh0stRAT and Farfli trojans. A possible C2 was identified as “134.122.135[.]95”, which is a suspected ValleyRAT C2.

‍

‍

Associated malware, activity and methodologies appear to overlap closely with reporting by Knownsec 404 team and Fortinet of a suspected APT activity named “Silver Fox”.

Compendium of Chinese Malware Delivery Domains

The following are all examples of the spoofed websites for delivering malware utilized in this cluster of activity from at least June 2024 to January 2025. Example malware delivery domains and their respective malware download URLs and SHA256 hashes are provided as available for each example below. This listing is non-exhaustive of the variety of spoofed websites for delivering malware. 

‍

Spoofs as QuickQ, a network accelerator and encrypted traffic tool. quickqi[.]net quickiq[.]top quickqi[.]net/assets/download/quicqk66.12.msi quickiq[.]top/assets/download/win32-quicq.msi 1a793de251bffb1edc309aa0b7fd02354c7c99d3cb1f24b3e0140d2015dc49a fe1b5431ae27c85b1c652e3ac9541c2a801540c02c04fa7f4a3a9543c284eca5
Spoofs as WhiteWhale VPN (白鲸加速器) isdndjsq[.]top isdndjsq[.]top/assets/download/win32-quicq.msi fe1b5431ae27c85b1c652e3ac9541c2a801540c02c04fa7f4a3a9543c284eca5
Spoofs as Yiwaiwai Customer Service Chat Assistant download purportedly for Chrome, QQ, WeChat, Quanniu, Pinduoduo, Doudian, and others. eyy5201[.]top https[:]//eyy5201[.]top/static/download/yiwaiwai66.31.msi fe86e1fff0afefd79de4fd26f041757495c5fadd116400699411a200978f0e41
Spoof as Lets VPN download sites letsvpn-ui[.]top kingtelmfng[.]top https[:]//letsvpn-ui[.]top/assets/download/letsvpn-latest.exe e09056567f146da73aa0c4266a15cd61655e4402146b75a836d1c92926cd37c4
Screenshot of malicious domain “z42f1m[.]top”, which spoofs as a Microsoft login page for Outlook but delivers malware. https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip 73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 RedLine LummaStealer
Screenshot of malicious domain “vejm60[.]top”, which spoofs as a Google mail login page but delivers the same malware. https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip 73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46 a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796 Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 RedLine LummaStealer
Screenshot of malicious domain “vzvlco[.]top”, which spoofs as a QQ mail login page but delivers malware. https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip 73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 RedLine LummaStealer
Screenshot of malicious domain “taufp6[.]top”, which spoofs as a 163 mail login page but delivers malware. https[:]//pub-bbd4563a163f414086e62f5cf87a6b4e.r2[.]dev/fah-0.zip 73083665902ccc0cf7cbd48af24ecd62205ff2f0970e3206f6f9be5ae096bc46a099f02c95b99abfcb3825d795797a11d69a08dc0d95e9171325dc13a9bcd796Ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 RedLine LummaStealer
Spoofs as AnyDesk remote desktop application. andesksr[.]com https[:]//andesksr[.]com/assets/download/anydeskx64-32.3.0.zip
Spoofs as Yiji Pay, a financial payment application. yijfu[.]com https[:]//yijfu[.]com/assets/download/PassGuardSetuhz.exe
Spoof of iTools for Windows, a tool used for managing Apple mobile devices. i4z[.]xyz
Spoof of Huorong Internet Security website. Download links spoof as personal and enterprise security applications. huurongs[.]top huoroug[.]top
Spoofs as a game download link for QQ.  qqsgs[.]com
Spoofs as Google Chrome download site. oogiie[.]top
Spoofs as Youdao Dictionary software, a dictionary for translating text between Chinese and English and other languages. yoodaou[.]xyz https[:]//yoodaou[.]xyz/assets/download/QuarkUpdaterSetup_fuzz_1.rar 1a48a730cdd4982a5ac0b44984d70253eab9ea070285d9fc2124c83270576cf4f8c117a65e11fd370cb0673d1066af3415dfd9c8fde98225498f6e4ac92c213e
Spoofs as ToDesk remote desktop software. todeskzis[.]xyz https[:]//todeskzis[.]xyz/assets/download/ToDesk (2).zip 215872ff03e4a9d0baf12643b94d8cb60a5dba86153fa05148bd52344567e030d5b9d07f1aa0bf738521db66439d448913da86420f2c2a0753e35ba6b63a393a
Spoofs as ToDesk remote desktop software. todeskeq[.]top https[:]//0h6ai2g7.oss-ap-southeast-1.aliyuncs[.]com/ToDesk_Setup.zip (is a .rar file) 134cba7e74c243b3f58535fd224f14a637445e176a5017a8d2938f357a88e9cb3823cc7228d7d8f75f007a4eafc0e4f4f1789ce26a6e1ca15c5045e17810396d Retrieves: https[:]//ws636rj.oss-ap-southeast-1.aliyuncs[.]com/encrypted_shellcode.bin
Spoof of WuYou, a service for receiving verification codes such as SMS and online platforms.  wuyoujieee[.]com
oracl[.]top
Spoofs as Skype teleconference application download. skyes1[.]top
Spoof of Youdao, a translation App. yoadao[.]xyz
Gaming platform. 163i[.]tophttps[:]//mumu.163i[.]top/assets/download/Mumu模拟器.zip
Android Emulator to run from Windows Machine - purportedly to play simulate mobile games on desktop. lediam[.]xyz https[:]//d9gc24pw.oss-ap-southeast-1.aliyuncs[.]com/%E9%9B%B7%E7%94%B5%E6%A8%A1%E6%8B%9F%E5%99%A8.zip ffe3be504d0a89ace9271a6a1fc51f6b0539903a10b1bf89285875606852ba65
clashcn[.]xyz
“QC7 goes overseas to navigate global social traffic” “Accurate overseas customer acquisition starts with filtering number data” “Overseas account screening platform” 007z[.]top https[:]//007z[.]top/assets/download/007-Setup.exe e34fd0f5fbc5f09f55ccdf2e6a5f70215c8686f9c83c45f421ac2a475d8bfd47
Spoof of Yuanqi, a website and app providing anime wallpapers without watermarks. yqdesk[.]top
Spoof of KARIOS, which purports to be a “SMS Provider” such as sending text messages. karlosqp[.]xyz
Spoofs as an unnamed merchant backend login page. Clicking login results in a popup with a “please install” link for a malicious file spoofing as a cryptokit_sando. Clicking OK directs to /update page with a banner to download the same file. This time spoofing as a Flashplayer update link. shanghud[.]com https[:]//shanghud[.]com/assets/download/k3.2.6.0升级组件.exe 65049df06de78a4fda14d5f07d83eef1b316c0dea0ecfc3dbec7e5e1b7b20754
T Star Diamond Payment-Merchant Backstage. Spoofs as a login page. Clicking the login button downloads Gh0stRAT malware. xingzuan[.]xyz https[:]//xingzuan[.]xyz/assets/download/xingzuansetupg5.exe 5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a Downloads additional files from: https[:]//wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud[.]com
Spoofs as Dex Screener, a cryptocurrency website. Clicking any buttons initiates a popup with download link spoofing as a Flashplayer update. It contains samples of Gh0stRAT and Blackmoon malware. dexscreeners[.]icu https[:]//aaa8999.oss-us-west-1.aliyuncs[.]com/Flash_x32.zip 86f8239224a0ace2b1e0a2216511b0a0aea1bf055f7cbeca2fcf9c316f3de921
Spoofs as popular Line messenger application. iines[.]xyz
Spoofs of DeepL Pro, a machine translation company. The service purports to emphasize data security with end-to-end encryption and automatic deletion of translated text.  deepil[.]top
Spoofs of DeepL Pro, a machine translation company. The service purports to emphasize data security with end-to-end encryption and automatic deletion of translated text. deeplx[.]top
Spoofs as 2345 Image King, software for viewing images.   2345ktws[.]xyz
Spoofs as Quark, AI. An AI-powered assistant application. quarki[.]top
Spoofs as a cryptocurrency exchange. chachap[.]top https[:]//0l1hsqvd.oss-ap-southeast-1.aliyuncs[.]com/uCheckerInst.zip
Spoofs as 360 browser, a web browser developed by the Chinese internet security company, Qihoo 360. 360browsap[.]top
Spoofs as a mobile and web game site. ttcy365[.]com
Spoofs as Sunflower Remote Control Software, which purports to allow remote access to other computers, file transfer, and remote assistance. orays[.]top
A banner displayed warning of malicious activity spoofing their brand but is in fact also a spoof. baofuupay[.]com https[:]//baofuupay[.]com/assets/download/setup.exe 2901ca8eefd1d431d25f3d45dbf42dc48136b74692801ca0f6b606541d645baf
Spoofs as Enigma Messenger App, an end-to-end encrypted chat app. immersivetranslate[.]top
Spoofs as a cryptocurrency exchange app. tradingview[.]trade
Spoofs Signal messaging application, an end-to-end encrypted chat app.  signall[.]xyz
Spoofs Signal messaging application, an end-to-end encrypted chat app. signel[.]top
Spoofs as AdsPower app, an anti-detect browser for managing multiple online accounts. adspowerr[.]top
Spoofs as 360 Security Guard - Software Manager to download iTools app. iTools is used for managing Apple mobile devices. i4app[.]top
Spoofs as FireFox browser download. firefoxz[.]top
Spoofs of LianLian Pay application. lianlianpoy[.]com
Spoofs as a financial payments management website. shengfuton[.]com
Spoofs as a music streaming app. wymusic[.]top
Spoofs as Snipaste, a screenshot and screen recording tool. snipaste[.]top
Spoofs as Aurora PDF, a service for creating, editing and viewing PDF files.  jiguang[.]icu
Spoofs as Steam, a popular digital distribution platform for video games. steams[.]top
Spoofs as 163 VPN built by NetEase, a Chinese tech company. 163 VPN is primarily designed for users within China to access websites blocked by the Great Firewall of China.  163e[.]top
Spoofs of Gmail Login Page.  qmails[.]top
Spoof of Telegram messenger application. telegrinxkam[.]top https[:]//telegrinxkam[.]top/assets/download/Ttsetuphdmgj.exe d219a6056e1f65507c984475711bd7e674b1319d11fd7a1149f3da983fd4f7c8
Spoof of Telegram messenger application. telegrcm[.]ing teiegram[.]ing
Spoofs as SaleSmartly, a customer communication platform. salesmart[.]top https[:]//wien.oss-ap-southeast-1.aliyuncs[.]com/win7-salesmartly.zip
Spoofs of Google Play store to download a malicious application. goople[.]top
Spoofs of Telegram messaging application. telegrpcm[.]xyz

‍

Conclusion

The spoofed malware delivery websites sampled in this report all share commonalities in configuration, domain registration patterns, and a suspected intent to target Chinese-speaking users. Indications suggest a broader target audience of Chinese language speakers outside of China including Malaysia and Hong Kong. 

The majority of the malware identified being delivered by the spoofed websites were stealers and trojans with capabilities to steal credentials and provide remote access to compromised systems. All malware identified were intended for Windows operating systems. Among them were multiple samples AV vendors assessed to be Gh0stRAT, Lummanstealer, RedLine, Farfli and ValleyRAT. Of which, C2s were also identified as associated with ValleyRAT. 

The activity and infrastructure of this cluster suggests a strong overlap with previously reported APT group SilverFox. Similarities include the spoofed websites, a focus on targeting Chinese-language speakers, and the use of ValleyRAT. Additionally, the overall volume, variety, and duration of the activity involved aligns with previous reports of SilverFox and suggests an organized and professional enterprise such as a commercial hack-for-hire or nation state sponsored contract. 

While spoofing websites to deliver malware is nothing new, the sustained volume and consistency speaks to a larger systematic approach to target a specific demographic with an apparent intent on gaining access to Windows devices likely to initially steal credentials and provide continued access for follow-on engagements. In the past, speculation around similar campaigns involved acting as access brokers to sell to government organizations or other criminal groups. Another possibility may be the collateral targeting of a population to opportunistically compromise high-value targets. In other words, indiscriminate compromises until they strike gold on gaining access to, for example, a corporation’s system or credentials.

IOCs

‍

Suspected Malware Delivery Domains:

‍

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CNMalwareDelivery-Pt1

Hello CTI Grapevine Superfriends!

You may have noticed some subtle changes to our website: As of today, CTI Grapevine became part of the newly-launched DomainTools Investigations (DTI) family. Since this shift may come as a surprise to some of our avid readers, I wanted to share why we believe it is a great move for our community:

CTI Grapevine was started as an initiative by us, for us: The researchers, analysts, defenders, and the quiet types you never hear about publicly, but who behind the scenes help make the Internet a safer place. You know who you are. We wanted to explore what it would be like for the community if we published relevant and timely Domain- and DNS-related security snacks - “bite size research,” if you will. We had some really great success with this in 2024. You, the community, gave us both positive and constructive feedback on areas of growth, what you wanted us to improve on, and how we could be a better resource to the community at large. As we brainstormed on how to grow the program, we kept coming back to a DomainTools core principle: Community First! 

On a personal note, this core principle is one of the top reasons I stayed with DomainTools after my previous employer Farsight Security was acquired - The InfoSec Community has been a key part of my career for over 20 years, I would not be where I am today without it. In 2002, I started attending The Agora in Seattle, one of the first quarterly closed-vetted InfoSec meetups. After a few years as an attendee, I got involved and helped to organize and host the events for another decade+. Around 2007, I started attending other great community-focussed conferences like ISOI, and later ACoD, DCC, UE - IYKYK. I mention all this to underline how serious I am in my commitment to The Community, and as the Head of DomainTools Investigations, I will make sure we do not stray from that path.

In the spirit of supporting the community, we knew we needed to be extremely thoughtful in providing more resources. We pitched a program that could attract and sustain kickass researchers and analysts who could focus on providing their expertise on an ongoing basis. Our bosses listened, and decided to give us a year to prove ourselves. And so, DTI was formed as a community-based research effort focused on investigating, mitigating, and preventing Domain- and DNS-based attacks. (And yes, we love puns and DTI is a play on CTI…see what we did there?) With the launch of DTI, building on the foundation of CTI Grapevine, the cybersecurity community will have expanded access to:

• Insights on advanced persistent threats (APTs), nation-states, cyber-espionage groups, business email compromise (BEC), and more
• Published research on the DTI website and available via webinars, closed door sessions, and conferences
• A yearly report that dives into the nuances of Domain- and DNS-based attacks

You can get all of this goodness right here on the site, and never miss an update by setting up an RSS feed to dti.domaintools.com. Additionally, you can find us on the socials (Mastodon: @domaintools@infosec.exchange, Bluesky @domaintools, X @domaintools, LinkedIn https://www.linkedin.com/company/domaintools/ ), or come say “Hi” at various conferences and events we will be frequenting all year long!

Here is to an exciting year ahead, and to borrow a signature word from one of my friends and mentors: Excelsior!

Daniel Schwalbe
CISO and Head of Investigations
DomainTools

PS: Let’s talk about tracking for a minute. More specifically website page views, and email open tracking, or what the kids call “engagement” these days. When we first launched CTI Grapevine, we intentionally had zero tracking on the site. This is somewhat rare in the industry, but as a security and privacy professional, I am allergic to tracking. I block it wherever and however I can. Being in control of DNS resolutions on your own Network is very useful for that purpose. 

But if as a business you must track, at least be as transparent as possible about it. So this is the approach we are taking here. The bargain we made with our bosses in order to take DTI to the next level was to sign up for some KPIs, and we need some kind of measurement to see if we hit those KPIs. We use Google Analytics with tags, and Marketo Measure (Bizible / Adobe). We won’t gate content, and we won’t use more invasive tracking.

Sure, tracking on websites can be blocked by the browser, and almost every email client now has the ability to block open tracking. We accept it, and are OK with that. But if you feel so inclined and want to support our program, maybe consider letting some of that tracking through. 

Overview

On 27 December 2024, the technology company Cyberhaven reported that an unnamed actor replaced its Google Chrome extension on the Google Chrome Web Store with a malicious version. The actor used a phishing email to compromise a developer’s account via authorizing a malicious third-party application. DomainTools researchers reviewed publicly available information related to this incident and discovered that the Cyberhaven incident is part of a months-long campaign likely attempting to impact multiple companies primarily in the technology sector.

Summary of the Cyberhaven Incident

Cyberhaven’s initial analysis of the incident revealed that the actor sent a phishing email claiming that the recipient’s Chrome extension was at risk of being removed from the Chrome Web Store due to policy violations. A link in the email purported to allow the recipient to acknowledge those policies and avoid removal of the extension. Clicking on the link led the recipient through the process of adding a malicious third-party application named “Privacy Policy Extension” to the recipient’s Google account - a tactic commonly known as OAuth phishing. The malicious application received permissions to publish Chrome Web Store extensions, allowing the actor to replace Cyberhaven’s extension with a new version containing malicious code.    

The malicious code comprised two altered JavaScript files:

• worker.js: This script contacted the actor-controlled domain, cyberhavenext[.]pro, which served as command and control (C2) for the incident.  The server hosted configuration data, which it stored in Chrome’s local storage and monitored events from the second script, content.js.
• content.js: This script collected user data from specific websites. The file used in the Cyberhaven incident specifically targeted Facebook-related data such as access tokens, user IDs, account details, business accounts, ad account information, cookies, and user agent strings. The script exfiltrated all compromised data to actor-controlled infrastructure.

Connections to a Broader Campaign

Cyberhaven shared indicators of compromise (IOCs) related to the attack. DomainTools researchers analyzed this information and discovered a large network of infrastructure likely used in similar attacks against other targets. Some of the related domains include:

• cyberhavenext[.]pro
• api.cyberhaven[.]pro
• app.checkpolicy[.]site

The reported C2 domain for the incident, cyberhavenext[.]pro, resolved to the IP address 149.28.124[.]84 which is allocated to the hosting provider Vultr. Passive DNS data in the Iris Investigate platform shows 18 domains resolving to this IP address since 5 November 2024 with the majority beginning to resolve in the last week of December 2024. It is likely that these domains are part of a broader campaign that includes the Cyberhaven incident. This assessment is made with high confidence based on the following factors:

• IP address overlap - likely related domains resolve to the same IP addresses within close time proximity  
• Whois similarities - Domains share similarities in whois information: Namecheap registry, registrar-servers[.]com for NS and MX, and use of Let’s Encrypt certificates
• Domain naming conventions - Domain names spoof specific software products such as AI tools, VPNs, adblockers, and other general web browsing tools.
• Top Level Domains (TLDs) - Heavy use of .pro TLD along with .live, .info, .com, .net, .ink, and .vip 

Research revealed additional related domains on other Vultr IP addresses:

• 149.248.2[.]160
• 136.244.115[.]219
• 45.76.225[.]148

Data from the urlscan platform shows that some of the related domains hosted configurations similar to that reported by Cyberhaven. For example, urlscan data for the domain internxtvpn[.]pro shows a similarly formatted configuration for targeting data from the ChatGPT platform

‍

‍

Configuration Recorded by URLscan on 29 December 2024

Urls can data also shows some of the identified infrastructure hosting credential phishing pages as far back as February 2024. Figure 2 shows a credential phishing page for an unidentified service hosted on admin-set.tkpartner[.]pro (left) and a phishing page likely meant to spoof Facebook’s Business Manager service hosted on tkadmin7.tkv2[.]pro (right). There is not enough evidence to determine how potential victims were directed to these pages or how the actor responsible leveraged compromised credentials. 

‍

Figure 2. Credential phishing pages hosted on infrastructure likely related to that used in the Cyberhaven incident.

Conclusion

It is likely that the Cyberhaven incident was part of a months-long campaign seeking access to sensitive data related to popular web services such as Facebook and ChatGPT. This assessment is made with high confidence based on identified infrastructure, the usage time frame of the infrastructure, and code within the actor’s configuration files. Observed tactics, techniques, and procedures (TTPs) indicate this actor is more likely criminal than state-sponsored.

IOCs

‍

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CyberhavenCampaign

Overview

Domain hijacking attacks like subdomain takeover and SPF hijacking take advantage of vulnerable or stale configurations in a target domain. The vulnerable domains are then leveraged in spam or phishing campaigns or to spread malware. They can be particularly successful as they can take advantage of the target domain’s established reputation to subvert spam filters and other reputation-based detections.

Subdomain Takeover

In the case of subdomain takeover, attackers look for subdomains that are configured to point to a service that does not appropriately handle subdomain ownership verifications. 

Attackers can identify subdomains pointing to other services by using a range of openly available tools such as Sublist3r, Assetfinder, and ReconNG. Attackers would then check for vulnerable services such as those that allow custom domain names like GitHub pages, AWS S3 or by looking for domains that continue to point to services that no longer exist. 

Exploiting these vulnerable domains allows the attacker to host malicious content such as phishing pages or malware from the domain. This type of attack may allow for “subdomailing”, which refers to the type of email spoofing attack that leverages subdomains of a legitimate domain to send fraudulent emails.

Example DNS log of a potentially vulnerable subdomain:

mail.vulnerable-domain[.]com.  IN  CNAME  
pages.githubusercontent[.]com.

This shows that mail.vulnerable-domain[.]com points to GitHub pages. If for example the associated GitHub pages repository were deleted and the DNS record is unchanged, an attacker could re-create the deleted repository under the same name. In effect, allowing the attacker to control the content of the target domain.

SPF Hijacking

In contrast to subdomain takeover, SPF Hijacking occurs when an attacker gains access to a target’s DNS records either via the registrar or by exploiting vulnerabilities in the DNS infrastructure. Once the attacker has access they can modify the SPF record of a domain. For example, the attacker could add in one of their own domains into the target domain’s SPF record. In effect, this would allow the attacker to send emails that would appear to be originating from the target’s domain.

Example DNS log of a vulnerable SPF record:
vulnerable-domain[.]com. IN TXT "v=spf1 mx -all"

Example attacker tool to modify a DNS record of a target domain:
pdnsutil modify record vulnerable-domain[.]com TXT 'v=spf1 mx attacker-domain[.]com -all'

Example DNS log of the compromised SPF record for domain insertion:
vulnerable-domain[.]com. IN TXT "v=spf1 mx attacker-domain[.]com -all"

In the examples above, pdnsutil, a powerful DNS management tool, is used to modify the “TXT” record of a vulnerable domain to include the attacker’s domain in a new SPF record "v=spf1 mx attacker-domain[.]com -all"

Hunting

Pivoting off a report by Guardio in February 2024, which detailed a large campaign of subdomailing activity involving two attacker domains inserted into vulnerable DNS records.

‍

‍

Equipped with knowledge about domain takeover attacks, we can hunt for characteristics of subdomain takeover and SPF hijacking.

To start, we may take similar approaches to an attacker in which passive reconnaissance tools or historical DNS and web scanner data aggregators are leveraged to passively identify potentially vulnerable domain configurations.

Reviewing recent DNS records for actor domain greaterversatile[.]com in RDATA:

‍

‍

Breaking down the RDATA: "v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all"

1. v=spf1: indicates it's an SPF record version 1, the most commonly used version.
2. include:harrisburgjetcenter[.]com: instructs the receiving mail server to consult the SPF record hosted on the domain harrisburgjetcenter[.]com. The receiving server will then use that record to determine if an email claiming to originate from the original domain is legitimate.
3. include:greaterversatile[.]com: the receiving server will also consult the SPF record hosted on greaterversatile[.]com
4. -all: specifies a "hard fail" for any email that doesn't pass the SPF check based on the included records. In other words, any email not authorized by the records from harrisburgjetcenter[.]com or greaterversatile[.]com will be rejected.

Reviewing recent DNS records for actor domain greaterversatile[.]com in RRNAME:

‍

‍

The above DNS records shows that the actor domain greaterversatile[.]com had SPF records in February 2024 that point to several domains and hundreds of IP addresses and in October 2024 was updated to point to two dynamic DNS domains.

Due to the grouping of SPF record placing, the following domains are likely also actor owned during their respective times of association.

‍

‍

In summary of the above records if the domain tracks.vooyo[.]id sends email, the receiving mail server would attempt to validate the SPF records from the actor domains harrisburgjetcenter[.]com and greaterversatile[.]com, which would then be routed again to instanttranslates.dynu[.]net and informationshout.dynu[.]net.

The following DNS records for instanttranslates.dynu[.]net. indicate additional SPF routing would take place.

‍

‍

Due to their use in the SPF records of other actor domains, these additional dynamic DNS domains also acting as SPF redirectors are likely actor operated domains as well:

‍

‍

Subsequently looking up the SPF redirects for universitygreatchoices.gleeze[.]com and others identifies records such as the following in which the designated IP ranges are authorized to send mail by the original domain.

‍

‍

The following diagram shows how the chained SPF records create multiple layers of redirects.

In summary, the chained SPF records create multiple layers of SPF redirects. This may serve to obfuscate the originating mail servers and distribute infrastructure to increase resiliency from disruptions affecting portions of the network. It may also serve to evade detection by hindering analysis by making it difficult for anti-spam and security researchers to identify patterns and write signatures to detect and block the network and the activity it is being used for.

The Senders

Sampling the IP addresses in the RDATA records show a trend of mail servers, reverse DNS, Apache HTTP servers, and Squid Cache servers.

The IPs associated domains to the SPF records were also observed hosting content such as the following samples:

‍

Indicators & Search Hashes	Web Screenshots
*[.]megajobsusa[.]com Shodan hash:-1137946516 ShodanHttp.html_hash:581214383 Censysservices.banner_hashes="sha256:3a47dc2a58324647af74c539d6e9eceb994f5ec3b49ff1744d164e6f340a9e29"
angelcamach0-github-io.pages[.]dev
callor[.]com
gamerchallenger[.]com
sunillulla[.]com

‍

‍

Domains hosting similar web content:

‍

‍

Conclusion

This research has only touched the surface of what appears to be a very large and well coordinated spam and phishing network taking advantage of DNS-related misconfigurations or weaknesses. Indications from domain and infrastructure pivots suggest the network has been operating since at least 2019 to present. The operators of the network appear to demonstrate awareness and response to security reports of their infrastructure and appear to have made multiple attempts to improve its resiliency to identification and disruptions.

Observables

‍

‍

On 18 November 2024, BlackBerry’s threat research team reported on a cyber espionage campaign targeting the Pakistan Navy. This campaign used malicious documents to collect credentials and distribute malware. While BlackBerry did not attribute this activity to a specific actor, subsequent analysis by DomainTools revealed significant overlaps in tactics, techniques, procedures (TTPs), and targeting scope with the cyber-espionage group known as SloppyLemming.

Review of BlackBerry Report

Recent activity from this campaign involved the deployment of a malicious PDF document in early September 2024. The document resembles an internal IT memo, instructing recipients on integrating Axigen Thunderbird for secure email communications. The document contained a link to a malicious website (paknavy.rf[.]gd) mimicking the legitimate Pakistan Navy domain.

Upon visiting the fraudulent site, users were prompted to download a ZIP file, “Axigen_Thunderbird.zip,” which included a malicious Thunderbird extension. Once installed, the extension requested credentials for “@paknavy.gov.pk” email addresses. Entered credentials were transmitted to an actor-controlled domain (updateschedulers[.]com), and the extension downloaded a malware payload hosted on the same domain. BlackBerry researchers identified the malware as a variant of Sync-Scheduler. Public reporting from March 2024 first identified this malware family and its use of  the domain packageupdates[.]net for command and control (C2). BlackBerry also identified related activity in the May/June 2024 time frame using the C2 domain extension.webmailmigration[.]com.

Further analysis by DomainTools uncovered an additional likely associated domain: diplomaticservices[.]link. Whois data from this domain shows a registrant organization of “National Telecom Corporation” likely referencing the Pakistani government’s telecommunications provider. The only other domain using this registrant organization since 2010 is the webmailmigration[.]com domain from the BlackBerry report. 

Overlap with SloppyLemming Actor 

In September 2024, Cloudflare’s threat research team reported on an India-nexus cyber espionage actor it dubbed SloppyLemming (aka OUTRIDER TIGER). This actor primarily targets Pakistan, with a focus on government and defense. SloppyLemming frequently leverages its custom CloudPhish credential logging tool on Cloudflare Worker domains to compromise email credentials from targeted individuals. One of the mail clients CloudPhish specifically targeted was Axigen, which was the mail client referenced in the malicious activity covered in the BlackBerry report. SloppyLemming also employed PDF documents for credential collection and malware delivery.

Data from the urlscan.io scanning service shows an Axigen webmail credential phishing page present on www.login.webmailmigration[.]com in April 2024. Similar Axigen phishing pages present on the following domains between February and July 2024:

• mail-pakchinainvest-com.niancao010.workers[.]dev
• webmail.cybar-net-pk.workers[.]dev
• mail.pof-gov-pk.workers[.]dev

These domains use a similar domain naming convention to that detailed in the SloppyLemming report.

‍

Figure 1. Screenshot of credential phishing pages present on www.login.webmailmigration[.]com in April 2024 (left) and mail.pof-gov-pk.workers[.]dev in August 2024 (right)

Additional similarities between the recent BlackBerry and Cloudflare’s reports include the actor’s use of malicious PDFs malware delivery and a Pakistan-centric target scope. 

Conclusion

It is likely that SloppyLemming is the actor responsible for the malicious activity described in BlackBerry’s recent report. This assessment is made with low confidence based on similar credential phishing and malware delivery TTPs, as well a Pakistan-focused target scope. However, it is plausible that the BlackBerry report discusses a separate actor from SloppyLemming that is employing similar TTPs.

IOCs

paknavy[.]rf[.]gd
updateschedulers[.]com
packageupdates[.]net
finance-gov-pk[.]rf[.]gd
extension[.]webmailmigration[.]com
diplomaticservices[.]link

Fake government job boards attempt to trick job seekers into providing personal information that may be used for fraud, phishing, or other malicious purposes. The bad actors behind these fake job boards cause harm by either soliciting an application fee from victims or by instructing them to download malicious files or deceiving victims into giving personal information such as resumes, historic addresses and contact information.

Multiple countries were identified as targeted by a high number of fake government job boards. For instance, many of the identified domains masquerading as US government job boards were reportedly associated with email campaigns. Those in Pakistan and India appear largely fraud related and employ WhatsApp and Telegram groups. Fake Taiwanese government job postings are suspected to be harvesting personal information for phishing and fraud.

Similarly, nation states such as North Korea also host fake job postings for phishing, and creating fake personas in attempts to be hired by and gain access to western tech companies.

Details

Fake US Government Job Websites

A cluster of domains that goes back to early as 2017 and associated mail servers have been used in email spam. The domain names masquerade as government job or contract bid sites. The domains are frequently configured to redirect to legitimate government job sites such as govcb[.]com and governmentcontracts[.]us likely for the purpose of appearing more legitimate upon inspection.

Example mail server:

• https://www.abuseipdb.com/check/44.215.207.48
• https://check.spamhaus.org/results/?query=govcb-bids-bulletin.us

‍

‍

Fake Taiwanese Government Job Websites

Spoofing as the legitimate taiwanjobs[.]gov[.]tw website for the purposes of phishing, information gathering, and credential harvesting. Taiwanjobs[.]gov[.]tw website reports the following message of ongoing phishing activity using fake look alike websites.

‍

‍

‍

Fake MELA Government Job Websites

Mela Network is the Middle Eastern arm of a global network spanning 46 countries. Their website states: “Mela's mission is to help executives in the MENA (Middle East and North Africa) region grow professionally and personally by exposing them to best practices in leadership and connecting them with a global network of peers.” [https://melanetwork.org/]

‍

‍

‍

Fake Indian Government Job Websites

‍

‍

‍

Fake Pakistan Government Job Websites

Fake Pakistan government job boards similar to those for Indian government job boards. WhatsApp channels and Telegram group links are displayed on pages. Many of these sites are suspected to be used for phishing and fraud. 

‍

‍

‍

Conclusion

Fake job boards are common around the world. They seek to take advantage of job seeker’s motivations in order to harvest personal information and may lead into additional fraud schemes, phishing, identity theft, and malware delivery.

Job seekers should conduct research on job postings before applying, recognize domain name masquerades and be wary of unsolicited job offers. Additionally, it's crucial to recognize red flags such as unexpected fees, high-pressure tactics, requests for sensitive personal information, and unknown personas offering special favors.

‍

IOCs

Ever think about the duality of fishing and hunting? Folks may argue fishing is a more passive endeavor. One sets a lure and waits. Hunting on the other hand, folks may argue, is a more active endeavor in which a hunter might generally be expected to seek out their intended target. 

Let’s put this in terms of cyber threats. Most humans by now have undoubtedly heard of cyber attacks and perhaps even had some experiences with phishing in its various forms be it over email, text, voice call or a discord channel. But, what about the threat hunters? Threat hunting proactively seeks out undetected threats, usually within an organization’s network. Investigating indicators in a threat report can identify suspicious domains, detect patterns, and correlate findings with other sources. 

With that said, thousands upon thousands of ill-intent domains are registered every day and some few fine folks set out the hounds and have a proper hunt. As one does, the trails are scoured and more indicators are found. But without further ado, this is one such quarry.

Opening Meet

This hunt got its start from a CloudFlare report on SloppyLemming. Also known as Outrider Tiger, SloppyLemming has reportedly been targeting Pakistani entities among others in Southeast Asia since late 2022. A range of domains have been utilized to lure victims into credential harvesting sites and deliver malware.

Frequent Domain Registration Patterns

• Use of CloudFlare services
• 90 day SSL Certificates
• Trends in domain naming convention 
• Frequently assessed with risk scores of 100 by DomainTools

There’s the scent and the hunt begins. Sifting through domain registrations, DNS records, web scan data and the like, the lines form.

Hunting For Associated Indicators:

SloppyLemming domain `aljazeerak[.]online`

Website Title `Pakistan International Airlines - PIA | Great People to Fly With`
-> Unreported domain `fly-pakistan[.]com`

Historic Screenshot of domain aljazeerak[.]online masquerading as a Pakistani Airline

SloppyLemming domain `itsupport-gov[.]com`

whois email `abdulrehm8282[@]gmail[.]com`

-> Unreported domain `itsupport-gov[.]net`

- SSL temok[.]com + MX eye-mail[.]net + Registrar NameSilo 

- Has Google Code `G-5XJE64N2SQ`

SloppyLemming domains `cflayerprotection[.]com, cloudlflares[.]com`

Whois Email `cht8p9zpl5[@]domprivacy[.]de`

-> Unreported domains

mfaturk[.]com

firebasebackups[.]com

cloudproxyserv[.]com

Historic Screenshot of domain paknavy-pk[.]org

Hunting CloudFlare Worker With SubDomain Name Masquaredes in DNS Records

Next, we search for CloudFlare Workers[.]dev subdomains with navy or gov and pk or lk naming elements using DNSDB Scout

;; query: Regex RRNames (navy|gov)-(pk|lk).+workers\.dev\.$ ANY (Limit 5000) // Last After: 2024-09-26 00:00:00 (UTC)

Sample:

```

anfbalochistan-gov-pk.workers[.]dev
clickonce.pakistan-gov-pk.workers[.]dev
cpanel-nha-gov-pk.pakistan-gov-pk.workers[.]dev
discordoutput.pakistan-gov-pk.workers[.]dev
email-moitt-gov-pk.pakistan-gov-pk.workers[.]dev
fbr-gov-pk-auth.workers[.]dev
gda-gov-pk.kr-i-sas-orv-e-l-a.workers[.]dev
gov-pk.workers[.]dev
gov-pkgov.workers[.]dev
gwadarport-gov-pk.gwadarportt.workers[.]dev
helpdesk-police-gov-pk.aabhimulla446.workers[.]dev
instagram-com.pakistan-gov-pk.workers[.]dev
ispr-gov-pk.workers[.]dev
kpt-gov-pk.workers[.]dev
maif-piac-aero.gov-pkgov.workers[.]dev
mail-asian-parliament-org.pakistan-gov-pk.workers[.]dev
mail-communication-gov-pk.pakistan-gov-pk.workers[.]dev
mail-depo-gov-pk.govtpak.workers[.]dev
mail-depo-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-dgdp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-ecac-gov-pk.pakistan-gov-pk.workers[.]dev
mail-ecp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-ecp-gov-pk.pakistan-gov-pk.workers[.]dev
mail-fbr.gov-pk.workers[.]dev
mail-gwadarport-gov-pk.kr-i-sas-orv-e-l-a.workers[.]dev
mail-gwadarport-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-hit-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-invest-gov-pk.gwadarportt.workers[.]dev
mail-islamabadpolice-gov-pk.ntc-telecommunication-safecity.workers[.]dev
mail-kpt-gov-pk.gob-pk.workers[.]dev
mail-kpt-gov-pk.niancao010.workers[.]dev
mail-kpt-gov-pk.pak-gov-pk.workers[.]dev
mail-mod-gov-pk.pakistan-gov-pk.workers[.]dev
mail-modp.gov-pkgov.workers[.]dev
mail-modp-gov-pk.govtpak.workers[.]dev
mail-modp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-modp-gov-pk.pak-gov-pk.workers[.]dev
mail-mofa-gov-pk.pakistan-gov-pk.workers[.]dev
mail-na-gov-pk.na-gov-pk.workers[.]dev
mail-nba-gov-pk.pakistan-gov-pk.workers[.]dev
mail-ntc-net-pk.gov-pkgov.workers[.]dev
mail-paf-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-paknavy.gov-pk.workers[.]dev
mail-pc-gov-pk-login.ethanhunthero125.workers[.]dev
mail-pof-gov-pk.govtpak.workers[.]dev
mail-ppra-org-pk.pakistan-gov-pk.workers[.]dev
mail-punjab-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-punjab-gov-pk.ntc-telecommunication-safecity.workers[.]dev
mail-punjab-gov-pk.punjab-info-tech-board.workers[.]dev
mail-sco-gov-pk.mil-bd.workers[.]dev
mail-sco-gov-pk.ntc-telecomcorporation.workers[.]dev
meharusman524gov-pk.workers[.]dev
meharusman524gov-pk4230.workers[.]dev
na-gov-pk.workers[.]dev
na-gov-pk-bfd.workers[.]dev
navy-lk.workers[.]dev
nha-gov-pk.pakistan-gov-pk.workers[.]dev
old-violet-aae5.meharusman524gov-pk4230.workers[.]dev
pak-gov-pk.workers[.]dev
pakistan-gov-pk.workers[.]dev
paknavy-gov-pk.workers[.]dev
pitb.gov-pkgov.workers[.]dev
pitb-gov-pk.workers[.]dev
pmo-gov-pk-auth.workers[.]dev
pof-gov-pk.workers[.]dev
pythonscanner.gov-pkgov.workers[.]dev
reports-ecp-gov-pk.mlc-landdistribution.workers[.]dev
throbbing-sun-f4e8.meharusman524gov-pk4230.workers[.]dev
wapda-gov-pk.workers[.]dev
webmail.wapda-gov-pk.workers[.]dev
webmail-gda-gov-pk.gwadarportt.workers[.]dev
webmail-wapda-gov-pk.pakistan-gov-pk.workers[.]dev
worker-cool-credit-6d6f.navy-lk.workers[.]dev
worker-dark-paper-2231.gov-pkgov.workers[.]dev
worker-patient-wave-96d1.pakistan-gov-pk.workers[.]dev
worker-plain-wind-01a9.pakistan-gov-pk.workers[.]dev
worker-silent-pond-c90d.pakistan-gov-pk.workers[.]dev

```

• Site content of domain `pythonscanner.gov-pkgov.workers[.]dev`

Hunting for Domain Masquerades in Whois and Web Scans

Hunting for Pakistani domain masquerades using cloudflare. The nature of these broader hunts are apt to uncover unintended prey. In this case, the stumbling on a mix of Pakistani travel and government job boards, and Crypto exchange masquerades.

```

govtjobspak[.]live
pakkjob[.]com
pakgovtsjobs[.]com
gov-declare[.]help
karakfinance[.]cfd
fi-ton[.]org

```

```

search:query=CoinTelegraphLegal.pdf&crumb=location:\\45.82.13[.]15@80\Downloads\&displayname=Downloads

```

Conclusion

Hunting for undetected threats can take on many forms. Prompted by threat reports and intelligence, threat hunters may cast a wider net to seek out undetected indicators, detect patterns, and correlate findings with other sources of information. That said, wider nets can catch more than the intended quarry. In this case, finding an ecosystem of websites impersonating as Pakistani airlines, government job boards, as well as remnants of malicious domains and scanners on Pakistani government domains. While it may not all be SloppyLemming activity, it highlights an apparent wider spread targeting of Pakistan.

References

https://www.cloudflare.com/threat-intelligence/research/report/unraveling-sloppylemmings-operations-across-south-asia/

Since 1 August 2024, a likely India-nexus targeted intrusion actor has targeted entities in China and South Asia using credential phishing pages mimicking legitimate webmail login portals. Domain naming conventions as well as observed phishing pages reveal likely targeting of entities in the government and defense sectors. Observed tactics, techniques, and procedures and target scope are consistent with public reporting on Indian targeted intrusion actors.  

Details

Identified domains share the following similarities:

• Registration via 1api registrar service
• Use of Royalhost nameservers
• Resolving to the IP address 65.21.85[.]206
• Domain naming convention using webmail login or file download themes often combined with references to specific, likely targeted entities

The 65.21.85[.]206 IP address is a shared host resolving numerous domains likely unrelated to the India-nexus targeted intrusion activity. However, historical data from this host indicates the India-nexus actor has used 65.21.85[.]206 since at least April 2024 to host phishing domains.  

Figure 1. Example Credential Phishing Page from nepal-mofa[.]com

Analysis of this activity also shows one of the actor-registered domains (never-giveup.mail-downloadfiles[.]com) redirecting to a credential phishing page hosted on the cloud service Netlify (large-files-d0wnl0ad-session-expired.netlify[.]app). These domains are likely being used to target Chinese entities.

Figure 2. Chinese-language Credential Phishing Page Hosted on Netlify

IOCs

Conclusion

This activity is consistent with targeted intrusion activity identified in previous public reporting. Naming conventions are generally consistent with activity from the group known as Sidewinder with domains spoofing webmail login portals and the targeting of entities in China and South Asia. The India-nexus targeted intrusion group known as Patchwork also historically exhibited a similar target scope. 

In a recent article from KrebsonSecurity, they detail that at least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.

Read the research: https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/

In this 15th edition, M-Trends provides an inside look at the evolving cyber threat landscape, with data drawn directly from frontline incident response investigations and threat intelligence findings of high-impact attacks and remediations around the globe.

• The latest incident response metrics including dwell times, detection sources, initial infection vectors, and so much more
• China-nexus attackers increasingly targeting edge devices and platforms that lack EDR
• Trending adversary operations and motivations behind zero day attacks
• The evolution of phishing techniques amidst modern security controls
• How attackers are leveraging AiTM to compromise multi-factor authentication safeguards
• The reasons and solutions behind growing cloud and hybrid cloud environment intrusions
• How AI is effectively used in red and purple team operations to help boost cyber defenses

Read Anton Chavakin's take on the report: https://medium.com/anton-on-security/reading-the-mandiant-m-trends-2024-acb3208add80

Another year has passed and that means another Verizon DBIR. For those that don’t want to read the full DBIR, here was our perspective from the Internet intelligence side of cybersecurity:

• Median time for users to fall for phishing emails is 49 seconds
• Pretexting is a more likely social action than Phishing
• Ransomware was a top threat across 92% of industries (less representative than last year - median ratio of initially requested ransom and company revenue was only 1.34%)
• The human element was a component of 68% of breaches

What do these threats all have in common? DNS!

https://www.verizon.com/business/resources/reports/dbir

The Resurgence of the “Manipulaters” Team - Breaking HeartSenders

In January 2024, The Manipulaters pleaded with Brian Krebs to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.

https://krebsonsecurity.com/2024/04/the-manipulaters-improve-phishing-still-fail-at-opsec