SecuritySnack - CloudFlare Anti-Security For Phishing
A Microsoft 365 credential harvesting campaign is exploiting CloudFlare's anti-bot and human verification features to evade detection. Learn how attackers use IP blocklists, user-agent filtering, and obfuscated scripts to bypass security scanners—and what it means for the industry.
Service platforms that provide protection and content delivery, like CloudFlare, have become a go-to for many web service hosts—including some malicious actors. These platforms offer inherent benefits like obfuscation, anti-bot, and anti-scanner tools. While excellent for defending legitimate customers, these very features can inadvertently shield malicious sites from proactive identification by security professionals and automated scanning services. This creates a challenging dynamic in the industry where a service provider's role in protecting its customer base competes with the broader community's need for effective security scanning.
This report details a recent Microsoft 365 credential harvesting campaign that leverages this dynamic to delay detection and risk profiling. The campaign implemented multiple anti-detection techniques including the use of CloudFlare human verification, hardcoded IP block lists, user agent checks, and multiple sites and redirects. This cluster highlights the need for service providers to consider taking on an even greater responsibility in knowing their customers and ensuring their defensive capabilities are not being abused to actively protect malicious actors.
Details
securedsnmail[.]com
https[:]//securedsnmail[.]com/secdex.html
Gatekeeping and redirection paths
The site code contains a few layers of gatekeeping to ensure the visitor is a real target and not a security tool.
CloudFlare Human Verification: There's an initial CloudFlare human verification check and redirection.
Aggressive IP and User-Agent Filtering: The site code fetches details about the visitor's IP using https[:]//api.ipify[.]org/?format=json and checks it against a hardcoded blocklist. This list includes ranges belonging to major security companies (Palo Alto, FireEye) and cloud providers (AWS, Google), as well as search engine crawlers.
It also sniffs the visitor's browser for bot-like User-Agents. If a security scanner or bot is detected (e.g., Googlebot, Bingbot, AhrefsBot, or Twitterbot), the page replaces itself with a fake "404 Not Found" message to prevent the malicious site from being indexed or flagged.
User Agent Checks:
IP Checks:
The core credential theft logic is not written in standard JavaScript. Instead, it is executed by a custom VM function (e_d007dc) that interprets an array of encoded instructions. This prevents static analysis from identifying the data-stealing parameters or the Command & Control (C2) URLs.
The framework dynamically updates its destination. When the gatekeeping checks flag the visitor as a scanner or bot, it switches the URL in the VM to a legitimate domain like Google.com, neutralizing the malicious footprint for any subsequent analysis.
Obfuscated Credential Harvesting:
If the visitor passes these checks, an obfuscated script builds the credential harvesting URL and redirects them to it. The URL takes the format `https[:]//office.suitetosecured[.]com/KuPbXodA?b=cGjQKg4&auth={}`, where the auth value is filled in by the script and is presumably used to verify and track a visitor who has passed the gatekeeper into the next-stage sites.
In reviewing the multiple phishing sites identified in this campaign, a commonality in the Cloudflare Turnstile configuration was observed. The Cloudflare Turnstile sitekey (0x4AAAAAACG6TJhrsuZdpjsN) is a static identifier; specifically, the “CG6TJhrsuZdpjsN” portion appears to be the unique identifier created when a Cloudflare user sets up the Turnstile widget in their Cloudflare dashboard. Security teams could possibly pivot on this key across telemetry sources (e.g. Shodan, Censys, URLScan) to identify newly registered phishing sites before they are used in campaigns.
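A defender-side static triage for the traits described above, as an added example (not code from the kit or from this report): it scans a saved page for the ipify lookup, a quoted CIDR blocklist, bot User-Agent tokens and the fake-404 swap, extracts the Turnstile sitekey for pivoting, and reports which of a scanner's own egress IPs the embedded blocklist would reject. The sample page, its RFC 5737 CIDRs and the KNOWN_SITEKEYS watchlist are constructed; the sitekey inside it is the one quoted above.

```python
"""Static triage of a saved phishing page for gatekeeping traits:
ipify lookup, hardcoded IP blocklist, bot User-Agent sniffing, fake 404
swap, and a Cloudflare Turnstile sitekey to pivot on. Example code."""
import ipaddress
import re

# Constructed sample page. The CIDRs are RFC 5737 documentation ranges used
# as placeholders; the sitekey is the value reported for this campaign.
SAMPLE_PAGE = r'''
<div class="cf-turnstile" data-sitekey="0x4AAAAAACG6TJhrsuZdpjsN"></div>
<script>
fetch("https://api.ipify.org/?format=json").then(r => r.json()).then(d => {
  var blocked = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"];
  var ua = navigator.userAgent;
  if (/Googlebot|Bingbot|AhrefsBot|Twitterbot/i.test(ua) || inList(d.ip, blocked)) {
    document.body.innerHTML = "<h1>404 Not Found</h1>";
  }
});
</script>
'''

# Constructed watchlist of sitekeys already tied to phishing infrastructure.
KNOWN_SITEKEYS = {"0x4AAAAAACG6TJhrsuZdpjsN"}

BOT_UA_TOKENS = ("googlebot", "bingbot", "ahrefsbot", "twitterbot")
CIDR_RE = re.compile(r'"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"')
SITEKEY_RE = re.compile(r'data-sitekey="([^"]+)"')


def extract_blocklist(page):
    """Return every quoted IPv4 CIDR literal found in the page source."""
    nets = []
    for cidr in CIDR_RE.findall(page):
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            continue  # not a valid network literal; ignore it
    return nets


def blocked_egress(page, scanner_ips):
    """Which of our scanner egress IPs would the page's blocklist reject?"""
    nets = extract_blocklist(page)
    return [ip for ip in scanner_ips
            if any(ipaddress.ip_address(ip) in n for n in nets)]


def triage(page):
    """Score the gatekeeping traits and pull out the Turnstile sitekey."""
    low = page.lower()
    sitekey = SITEKEY_RE.search(page)
    findings = {
        "ipify_lookup": "api.ipify.org" in low,
        "ip_blocklist_entries": len(extract_blocklist(page)),
        "bot_ua_check": any(t in low for t in BOT_UA_TOKENS),
        # a 404 string written into the DOM rather than served by the server
        "fake_404": "404 not found" in low and "innerhtml" in low,
        "turnstile_sitekey": sitekey.group(1) if sitekey else None,
    }
    findings["sitekey_on_watchlist"] = findings["turnstile_sitekey"] in KNOWN_SITEKEYS
    findings["score"] = sum([
        findings["ipify_lookup"],
        findings["ip_blocklist_entries"] > 0,
        findings["bot_ua_check"],
        findings["fake_404"],
        findings["sitekey_on_watchlist"],
    ])
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
    print("scanner IPs the page would reject:",
          blocked_egress(SAMPLE_PAGE, ["203.0.113.7", "198.18.0.1"]))
```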
Registration Commonalities
Nameserver: cloudflare.com
Registrar: NAMECHEAP INC
mx host: registrar-servers.com
IP ISP: CloudFlare Inc.
MX Domain:
jellyfish[.]systems
registrar-servers[.]com
Conclusion
The strategic abuse of legitimate content delivery and security platforms, such as CloudFlare, by malicious actors creates a considerable obstacle to proactive security scanning and detection. The Microsoft 365 credential harvesting campaign described in this report, which also employed multiple anti-detection mechanisms, shows how these defensive features can inadvertently shield malicious sites, delay their detection, and hinder informed risk assessments. To address this evolving dynamic, service providers should accept greater responsibility in knowing their customers and ensuring their platform's security capabilities are not leveraged to actively protect malicious campaigns.
A broken snowblower belt taught me something cybersecurity professionals often forget — saying "I don't know" isn't failure. It's where the real work begins.
I’ve never touched a motor before in my life.
This is about cybersecurity, I promise. Bear with me a minute.
The ground outside the DTI Boston Satellite Office (my living room) is thick with snow. We had it easy through most of January, and then multiple blizzards. And after the first one, a piece of ice lodged in the auger of my snowblower, and the impeller belt ripped itself apart.
Deciding I could replace the belt myself involved a bit of hubris, in retrospect. Because as noted, I’ve never touched a motor of any type before in my life. So it should not have been a surprise when I found myself sweating over the guts of my snowblower on a Thursday night trying to force the belt into place.
It didn’t help that my machine included a third wheel of sorts, a tensioner that didn’t exist in any manual or online video about replacing the impeller belt in my exact model. But a life of spreadsheets and threat hunting did not prepare me for motor mechanics, oddly enough.
So I reached out. Because I didn’t know, and while I tried to brute force it, and research it, nothing worked. I tried to bribe the belt into place, and threaten it, and cajole it. None of this resulted in the least amount of progress, and so I asked for help.
There’s still a stigma in admitting you don’t know something in infosec; “information” is in the name, after all. And the sentence “I don’t know” is treated as a failure. But what we need to do is treat it as a starting point instead; “I don’t know, yet.”
I articulated the problem and showed my work. A few minutes later came a reply: “Oh. So. What you need to do is…”
And a few minutes later the snowblower was running like new.
Be the person that reaches out for help when you need it, and show this industry that’s okay. But also be the person that answers when you can, to show each other we’re not alone.
Articles
Almost feel like I need to add an extra section just for Google Threat Intelligence Group - they’ve spent the past few weeks putting out piece after piece of great intel. As always, grateful for folks sharing like this.
Lots of other good reading out there this month, though, too:
Infoblox Threat Intel - Compromised Routers, DNS, and a TDS Hidden in Aeza Networks - One of the best DNS investigation posts I’ve ever read, and I’ve read a lot of them. Infoblox TI not only provides the results of their research, but shows in-depth steps on how to recreate it by eliciting responses from secretive recursive servers, for example.
Gitlab Threat Intelligence - GitLab Threat Intelligence Team reveals North Korean tradecraft - Excellent deep dive into both the fraudulent enterprise IT worker threat and the Contagious Interview campaign, the latter of which targets job applicants for compromise.
Symantec/Carbon Black Threat Hunter Team - North Korean Lazarus Group Now Working With Medusa Ransomware - The brevity here is respectable - it’s actually a very information-dense post with some deeper implications for DPRK-targeted ecospheres.
Research Papers and Reports
Crowdstrike - 2026 Global Threat Report - Heavy on the AI stuff, which I am always skeptical of, but I haven’t dived deeply into the guts here yet.
Tools and Resources
PulseBeat02 - yt-media-storage - Encodes any data into lossless video styles to store on Youtube, and decodes them into the original data, for exfiltration etc. I suppose if you can store a PNG on a starling, you can exfiltrate crown jewels via youtube.
An analysis of an active cryptocurrency scam operation impersonating Trump, Musk, and Truth Social across 250+ domains — uncovering shared wallet infrastructure, on-chain laundering pipelines, and the tactics used to fake legitimacy.
In the past few years, some public figures, including President Donald Trump and Elon Musk, began promoting investments in various cryptocurrencies named in their likeness, or of which they were prominent holders, on the social media platforms they own, Truth Social and X (formerly Twitter) respectively. $TRUMP coin, for example, was created on January 17, 2025 and endorsed by the official Trump Truth Social account. The same is true of the $WLFI coin, in which Trump and his children are listed as co-founders and executives. $MELANIA similarly was endorsed by official Melania Trump posts on the X platform. The list goes on, earning Trump the title of “Crypto President”. Elon Musk has had a longer history of high-profile endorsements of cryptocurrency. In fact, repeated posts pushing his viewers on X to invest in Dogecoin led to him calling himself the “Dogefather” on Saturday Night Live. As these figures have made posts promoting or endorsing these currencies, threat actors have begun spoofing these endorsements and promotions to trick users into crypto scams. They spoof the real social media pages and posts and promote cryptocurrency much like the real personas do, but for their own gain.
This report documents the analysis of a cryptocurrency scam operation. The operation has been active since at least January 2025 and spans roughly 250 identified domains across multiple scam themes. Nearly all target retail crypto users, but they use different approaches to take their money.
Details
The investigation started with an identified set of 60 suspected scam domains sharing the same Google analytics tag ID. Upon scanning them and extracting wallet addresses from the ones that were live, we then verified those wallets against blockchain APIs, and attempted to trace the funds. That work uncovered the first campaign, a network of fake celebrity crypto giveaway sites. A shared actor wallet address and domain registration pattern then led us to a second larger set of more technical scam configurations involving fake token presale sites impersonating a wide variety of real blockchain projects.
Idol Scam Templates:
The Idol scam template set is a collection of sites impersonating Elon Musk, Donald Trump, and Truth Social, all pushing the same basic pitch: send crypto and get double back. About 11 of the 60 domains were active with extractable wallets. Several share a common nameserver infrastructure at streetplug[.]me.
On-chain, the picture was straightforward. The two most active BTC wallets received a combined ~1.5 BTC, but tracing showed all of it came from a single central funder address — not from victims. The actor was likely sending money to themselves to inflate the on-chain transaction history and make the wallets look active. A bridge address connected both wallets with a dust transaction, confirming single-actor control. Downstream, the funds moved through a 5-layer laundering pipeline ending at high-volume mixing or OTC services, some with hundreds of thousands of transactions and multiple fraud flags. One of the upstream wallets was previously reported as being owned by ChangeNow.io, a cryptocurrency swap service that allows transactions to happen wallet-to-wallet instead of involving an exchange like CoinBase or Binance. The pipeline predates this campaign. The intermediary addresses have activity going back to May 2024 with hundreds of transactions, which we suspect is an indication this infrastructure has been used for other operations previously.
We found no confirmed victim deposits in the wallets we could trace, but that doesn't mean there are no victims. The actor may use different receiving addresses than the ones displayed on the sites, or victims may exist in transaction history we couldn't access. However, what we can confirm is that the on-chain activity we traced is the actor moving their own money around.
Example scam sites “trump4u[.]org” and “trumppresent[.]top” masquerade as Truth Social posts by President Trump that purports to have signed an executive order to hand out cryptocurrency rewards to those that click the links. While it is true that President Trump has officially established a Strategic Bitcoin Reserve and a U.S. Digital Asset Stockpile, the specific posts are designed to look like related Truth Social posts to trick users into participating in a fraudulent giveaway.
Similar scam sites pose as a Medium platform page and masquerade as a user named “Elon Musk”, as in the following screenshot of “usaevent[.]live”.
Other scam variations show Elon Musk alongside an “X” logo purportedly endorsing a Casino related site with a reward for signing up.
One of the scam’s instructions:
In each of these examples, multiple layers of incentives and ploys are used to appear legitimate and pressure site visitors into being conned by the scam.
Incentives:
Fake Comments:
Fake Transactions generated by code on a hardcoded interval
The endgame of the scam is to convince site visitors to click on any of the three links, which lead to other pages showing crypto wallet addresses, and send money from their own wallet.
Example: trumpbtc[.]top/btc/index.html from Trump variation
Example: usaevent[.]live with 1musk novelty address variation
Exchange Spoof / Token Presale Drain Templates:
The second style of template uses a less direct transfer-style scam approach and instead masquerades as a legitimate exchange. An example is the scam site magaeth[.]bid, which impersonates MegaETH, a real Layer 2 blockchain project, using a cloned website template from bio[.]xyz. Instead of asking victims to manually send crypto, this site connects to the victim's MetaMask wallet and initiates transactions through what looks like a smart contract interaction. Similar to the other templates, these scams also work by using various incentives to trick users into connecting their wallets. They typically appeared to load wallet details dynamically instead of hardcoding them as the other template examples do.
The "contract" address in this example (0x134685b581EE7d987c3Caf998CA93CF31BA4Ce10) is just a regular Ethereum wallet, an EOA (Externally Owned Account) with no deployed code on any chain. The following wasn’t fully verified, but we suspect the site's JavaScript constructs Web3 contract calls with a full ABI; when those calls hit the EVM (Ethereum Virtual Machine) targeting an EOA, the chain just transfers the ETH (Ether, the native cryptocurrency of the Ethereum ecosystem) value and ignores the rest. The victim sees a successful transaction and thinks they bought tokens. In reality, their ETH went straight to the scammer's personal address.
We suspect the site has two theft mechanisms. The first is a presale form that takes whatever amount the victim enters, multiplies it by 0.985, and sends the result to the scammer. The second is an airdrop withdrawal function that reads the victim's entire wallet balance and sends nearly all of it. If the victim doesn't have enough to be worth draining, the site tells them to deposit more first.
From this scam site, magaeth[.]bid, we suspect there were two victim transactions on Ethereum mainnet totaling 0.1521825 ETH (~$300). Both carried the buyTokens() function selector in their input data, and the first transaction's value (0.0985 ETH) matches exactly what the code would produce from a 0.1 ETH input (0.1 × 0.985). Both senders appear to be real retail users. As of finishing this investigation, the funds haven't been moved.
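The presale-drain checks described above, carried through as an added example (not the report's tooling): given a transaction's recipient, value and calldata, it flags calldata aimed at an EOA, the presence of the buyTokens() selector, and a value that equals 0.985 of a round form input. The selector and addresses are placeholders, CODE_DB is a constructed stand-in for an eth_getCode lookup, and the 0.001 ETH input step is an assumption.

```python
"""Triage for the presale-drain pattern: contract-call calldata sent to an
address that is an EOA (no bytecode), with the transferred value checked
against the 0.985 multiplier. Example code, not the report's tooling."""
from dataclasses import dataclass

WEI = 10**18
# Placeholder for the 4-byte selector keccak256("buyTokens()")[:4]; take the
# real value from a trusted signature database before using this.
BUYTOKENS_SELECTOR = "0xaaaaaaaa"
# Assumption: the presale form accepts inputs in thousandths of an ETH.
INPUT_STEP_WEI = WEI // 1000

# Constructed stand-in for eth_getCode: an EOA has no code and returns "0x".
CODE_DB = {
    "0xEOA-PLACEHOLDER": "0x",
    "0xCONTRACT-PLACEHOLDER": "0x6080604052",  # truncated constructed bytecode
}


@dataclass(frozen=True)
class EthTx:
    to: str
    value_wei: int
    calldata: str  # hex string, "0x" for a plain transfer


def is_eoa(addr, code_db=CODE_DB):
    """No deployed bytecode: the EVM credits the value and ignores calldata."""
    return code_db.get(addr, "0x") == "0x"


def presale_amount(entered_wei):
    """What the suspected form logic forwards: floor(entered * 0.985)."""
    return entered_wei * 985 // 1000


def fits_presale_multiplier(value_wei):
    """Does value equal 0.985 of some input on the form's step size?"""
    entered = value_wei * 1000 // 985
    return entered % INPUT_STEP_WEI == 0 and presale_amount(entered) == value_wei


def triage(tx, code_db=CODE_DB):
    """Flags that together describe the presale-drain pattern."""
    flags = []
    has_calldata = len(tx.calldata) >= 10 and tx.calldata != "0x"
    if has_calldata and is_eoa(tx.to, code_db):
        flags.append("calldata_to_eoa")
    if tx.calldata.startswith(BUYTOKENS_SELECTOR):
        flags.append("buyTokens_selector")
    if fits_presale_multiplier(tx.value_wei):
        flags.append("value_fits_0.985_multiplier")
    return flags


# Constructed samples: 0.0985 ETH is the figure from the report; the other
# amounts are made up.
VICTIM_TX = EthTx("0xEOA-PLACEHOLDER", 98_500_000_000_000_000, BUYTOKENS_SELECTOR)
REAL_SALE_TX = EthTx("0xCONTRACT-PLACEHOLDER", 50_000_000_000_000_000, BUYTOKENS_SELECTOR)
PLAIN_TRANSFER = EthTx("0xEOA-PLACEHOLDER", 100_000_000_000_000_000, "0x")

if __name__ == "__main__":
    for tx in (VICTIM_TX, REAL_SALE_TX, PLAIN_TRANSFER):
        print(tx.to, tx.value_wei / WEI, "ETH ->", triage(tx))
```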
These sites mimic a crypto exchange giveaway, displaying Elon Musk and/or Donald Trump branding. Victims are told to send crypto to receive double back.
Three wallets use a "1musk" vanity prefix — the actor generated BTC addresses starting with "musk" to reinforce the Elon Musk impersonation. Sites share common decoy addresses in HTML (invalid/truncated strings used as visual filler).
Cluster 2: "Truth Social" Template (4 domains)
Replicate the Truth Social interface with fake posts attributed to Trump about crypto policy or giveaways.
Self-Dealing
Looking up these wallets using open services like blockchain[.]com, we can see transactions to and from the wallet addresses on the scam sites. In some cases it gives the appearance that more than 40k USD worth of transactions had been sent to or from the scammer’s wallets.
Example scammer wallet transaction history:
However, on closer inspection in chain analysis, we see these transactions are from wallets likely controlled by the scammer and are intended to trick users into thinking they are legitimate wallets.
Transaction tracing revealed the on-chain BTC activity is the actor sending money to themselves, not real victim payments.
Single funding source - Scam Wallet 1 received from exactly one sender (the central funder). Zero external deposits.
Same funder, two campaigns - The central funder sent to wallets on multiple different scam domains.
Bridge cross-link - 15aeJcFdBD... received 0.269 BTC from Scam Wallet 1, then sent 0.00006 BTC dust to Scam Wallet 2. Direct on-chain link.
Drain convergence - Both scam wallet chains funnel into bc1qp4v9mj...
Rapid drain pattern - Funds moved out within hours of deposit.
In this example, all recent inbound transactions were from a single sender, rUg8ac5ikpTaWk5RPei8xuYkNEyUs53G1i. Both sender and scam wallet share a parent Binance hot wallet, a wallet that is connected to the internet allowing for fast trading (rDAE53VfMvftPB4ogpWGWvzkQxfht6JPxr, verified binance.com, 115M XRP). The pattern is consistent with self-transfers between Binance sub-accounts used by the scammer.
Chain Analysis
Starting from the scam wallets, funds were traced upstream (funding source) and downstream (drain destinations) through 5 layers of addresses.
Actor Wallet Pipeline:
Circular flows: Drain 2 sends to Musk Drain, which sends back to Convergence Drain. Bridge sends back to Drain 2. This tangles the trail.
Bridge cross-link: The dust transaction from Bridge to Scam Wallet 2 is the definitive on-chain proof connecting both scam campaigns.
Prior activity involving what are suspected to be the scammer’s wallets suggests that this pipeline was not built for this one campaign and was designed with larger-scale use in mind.
Convergence drain has 229 txs dating to May 2024.
Prior scam node bc1q0qc892... has 723 txs (transactions).
The intermediary, 16mJhtpey…, has 1,276 txs.
Single-destination aggregator: 16mJhtpeyctW... has 1,276 txs but sends to exactly one address. This is either automated or purpose-built for batching before passing to a mixer.
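The self-dealing heuristics from the chain analysis above (single funding source, shared funder, dust bridge cross-link, drain convergence and rapid drain), carried through in code as an added example that is not the investigation's tooling, over a constructed ledger shaped like the one described. Address labels, amounts, the timeline and the dust and drain thresholds are all assumptions.

```python
"""Self-dealing heuristics over a constructed BTC transaction ledger.
Example code; addresses are labels, amounts and timings are made up."""
from collections import defaultdict
from dataclasses import dataclass

DUST_SATS = 10_000        # assumption: outputs under 0.0001 BTC count as dust
RAPID_DRAIN_HOURS = 24    # assumption: outflow within a day counts as rapid


@dataclass(frozen=True)
class Tx:
    sender: str
    receiver: str
    sats: int
    hour: int  # constructed timeline, hours from the first transaction


# Constructed ledger mirroring the report's shape: one central funder feeds
# both scam wallets, a bridge links them with a dust output, and both drain
# chains converge on one address before a mixer.
LEDGER = [
    Tx("funder", "scam1", 80_000_000, 0),
    Tx("funder", "scam2", 70_000_000, 1),
    Tx("scam1", "bridge", 26_900_000, 2),
    Tx("bridge", "scam2", 6_000, 3),        # 0.00006 BTC dust
    Tx("scam1", "drain1", 53_000_000, 5),
    Tx("scam2", "drain2", 70_000_000, 6),
    Tx("bridge", "drain2", 26_000_000, 7),
    Tx("drain1", "converge", 53_000_000, 9),
    Tx("drain2", "converge", 96_000_000, 10),
    Tx("converge", "mixer", 149_000_000, 12),
]


def inbound_senders(ledger, addr):
    """Distinct addresses that ever paid into addr."""
    return {tx.sender for tx in ledger if tx.receiver == addr}


def single_funder(ledger, addr):
    """True when every inbound payment came from one and the same address."""
    return len(inbound_senders(ledger, addr)) == 1


def shared_funders(ledger, wallets):
    """Addresses that funded every one of the watched wallets."""
    return set.intersection(*(inbound_senders(ledger, w) for w in wallets))


def dust_links(ledger, wallets):
    """(watched wallet, bridge, watched wallet) triples joined by dust."""
    links = []
    for tx in ledger:
        if tx.sats < DUST_SATS and tx.receiver in wallets:
            # if the dust sender was itself paid by another watched wallet,
            # the two wallets are linked through that bridge address
            for upstream in inbound_senders(ledger, tx.sender) & set(wallets):
                links.append((upstream, tx.sender, tx.receiver))
    return links


def downstream(ledger, start):
    """Every address reachable by following outputs forward."""
    outs = defaultdict(set)
    for tx in ledger:
        outs[tx.sender].add(tx.receiver)
    seen, stack = set(), [start]
    while stack:
        for nxt in outs[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def common_downstream(ledger, wallets):
    """Addresses that every watched wallet's drain chain passes through."""
    reach = [downstream(ledger, w) for w in wallets]
    return set.intersection(*reach) - set(wallets)


def hours_to_first_outflow(ledger, addr):
    """Gap between first deposit and first spend; None if never spent."""
    ins = [tx.hour for tx in ledger if tx.receiver == addr]
    outs = [tx.hour for tx in ledger if tx.sender == addr]
    return min(outs) - min(ins) if ins and outs else None


def report(ledger, wallets):
    gap = {w: hours_to_first_outflow(ledger, w) for w in wallets}
    return {
        "single_funder": {w: single_funder(ledger, w) for w in wallets},
        "shared_funders": shared_funders(ledger, wallets),
        "dust_links": dust_links(ledger, wallets),
        "common_downstream": common_downstream(ledger, wallets),
        "rapid_drain": {w: g is not None and g <= RAPID_DRAIN_HOURS
                        for w, g in gap.items()},
    }


if __name__ == "__main__":
    for key, value in report(LEDGER, ["scam1", "scam2"]).items():
        print(f"{key}: {value}")
```

Scam Wallet 2 fails the single-funder test only because the dust from the bridge counts as a second sender, which is exactly the cross-link the report used to tie the two wallets together.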
Registration patterns and website configurations shared multiple commonalities: a common Google Analytics tag was used across approximately 50 of the scammer’s sites, as was a registration email address.
Registration Patterns:
Trackers:
Matomo:
https[:]//x2025.matomo[.]cloud/
https[:]//25elon.matomo[.]cloud/
Hotjar: 4997593
Statscounter Security: f1980b9f
Website Titles:
Elon Musk — Official BTC, ETH & DOGE Giveaway!
Truth Social
LitEnergy — Official Crypto Event
NEAR Protocol | Pool Event
MegaETH | The First Real-Time Blockchain
Monad | The Most Performant EVM-Compatible Layer 1 Blockchain
USA X Crypto Giveaway
Elon Musk — X Crypto Giveaway
Exchange | PancakeSwap
Lottery | PancakeSwap
Hasbulla
Initia
Home - Kaspa
Earn and Borrow Crypto | World Liberty Financial
NEAR Protocol | Pool Event
BIO Protocol - Listing on Binance Launchpool
BIO • Home
Solv Protocol - Stake your Bitcoin today!
ELSKTRADING | Welcome to ELSK Trading
MX IP: 5.189.161[.]88
The following are screenshot samples of the various scam sites associated with this activity. Notably all are overtly crypto related with one exception, an alleged virtual machine resource for AI Agents that could be “claimed” by applying from the site “avm-code[.]com”. That exception has been taken down by Cloudflare for phishing activity:
Conclusion
This investigation mapped a cryptocurrency scam operation spanning roughly 250 domains, two distinct theme types, and at least 24 actor-controlled wallet addresses across BTC, ETH, and XRP. The operation is suspected of being run by a Russian-speaking actor and has been active since at least January 2025.
We identified two thematic campaigns linked by a shared Ethereum wallet address and registration pattern overlaps. The first is a broad network of fake giveaway and doubler sites impersonating idolized personalities, namely Elon Musk, Donald Trump and Truth Social, as well as various crypto projects. It is distributed across three hosting clusters including bulletproof infrastructure. The second consists of more technically advanced fake token presale sites such as megaeth[.]bid, which connects to victims' MetaMask wallets and initiates transactions that look like smart contract interactions but are actually direct transfers to the scammer's personal address.
The on-chain findings were mixed. For the giveaway sites, blockchain tracing showed the actor funding their own wallets from a central source and cycling approximately 1.5 BTC through a multi-layer laundering pipeline ending at high-volume mixing services. We found no confirmed victim deposits in those wallets. For the second themed campaign we ran down a few of the many sites, such as the megaeth[.]bid site, where we confirmed two real victim transactions totaling 0.1521825 ETH (~$300). We verified both through function selector matching and value calculation alignment with the scam code. Those funds remain unmoved in the scammer's wallet.
The confirmed financial impact so far from our limited scope of chain analysis is small, roughly $300 from two victims. However, the infrastructure tells a different story. There are hundreds of similar domains over the past year and the identified laundering pipeline has intermediary addresses with hundreds to thousands of transactions dating back to mid-2024, well before the current campaign. The terminal wallets at the end of the chain have transaction counts in the hundreds of thousands and carry multiple fraud flags from independent reporting databases. The actor registered hundreds of domains, set up hosting across multiple jurisdictions, generated vanity Bitcoin addresses, and built scam toolkits that work across Ethereum and Binance Smart Chain. This is not the infrastructure you build for $300. The operation is designed for sustained, repeatable use, and we are most likely seeing a narrow slice of its total activity.
The strongest investigative leads going forward sit outside of blockchain analysis. The Binance sub-account identified behind the 381,813 XRP wallet is a direct path to KYC records. The domain registration and hosting infrastructure, particularly the shared nameservers at streetplug[.]me and the EuroByte hosting cluster, could yield registrant details. Commercial chain analysis tools (Chainalysis, Elliptic) would likely have attributions for the terminal mixing wallets that our open-source methods couldn't resolve. The blockchain trail itself, by design, ends at services built to break traceability.
What we can say with confidence: a single actor controls both campaigns, uses Russian-language code artifacts, operates from infrastructure that spans France, Russia, and UK-based bulletproof hosting, and has built a wallet pipeline capable of handling significantly more volume than what we observed. The two confirmed victims on megaeth[.]bid are likely real people, one funded from Coinbase, the other a multichain DeFi user, who lost money to a scam disguised as a legitimate blockchain project. There are almost certainly more.
Commentary followed by links to cybersecurity articles and resources that caught our interest internally.
This OWASP guide popped up on my radar this week and, yes, it’s about AI. And yes, it’s entirely predictable. But what appeals to me at the moment is its predictability amidst the nondeterminism of LLM rakestepping. Catastrophic outcomes in these complex systems are foreseeable not just from today, or the day this Adversa post was published, but at least from 1984. It was in 1984 that sociologist Charles Perrow published “Normal Accidents: Living With High-Risk Technologies.” Normal Accidents had nothing to do with artificial intelligence, yet seeing how it’s being deployed today, the book now has everything to do with it. Perrow studied major industrial accidents across much of the twentieth century and isolated some important insights on unexpected catastrophic failures inevitable enough to be called Normal Accidents:
The system is complex.
The system is tightly coupled.
The system has catastrophic potential.
In the agentic systems we see proposed and being implemented before us, certainly complexity plays an integral role - the dirty little secret of LLMs is that to make one useful, especially for a specialized expert task, you’re dealing with multiple layers of LLMs with varying levels of autonomy. It’s the sausage being made behind that single pane of glass most AI products pretend to be.
We then turn to tight coupling - essentially, complex systems producing outputs that must occur in a specific order, such as a multi-stage chemical treatment process. It is the anticipated sequence - in Perrow’s words, the invariant sequence - where B must follow A, because that is the only way to make the product - that defines tight coupling. Think about the sub-tasks each Agent is charged with; pre-prompt hardening against injection attacks, shifting tone and scope of the LLM response, providing expectations to shape system output. Above that and the primary agent doing the task, you have multiple other systems working to evaluate, validate, and re-shape output before it’s pushed to the surface agent, who relays it to you. Should those multiple subsystems interact in varied ways or orders, the output is necessarily - perhaps catastrophically - affected.
Catastrophic potential is mostly self-evident, but let us take a specific example: the modern Security Operations Center, or SOC. Perrow’s book provides multiple corollary environments - think a Nuclear Power operations center full of sensors, monitors, and potential alerts. Or the cockpit of a commercial airplane, which had seen much more automation in the decades prior to 1984 and provided starkly relevant examples of alert and attention issues at critical moments. Indeed, we see SOC failures in some of the biggest hacks on record, where alerts are missed or disregarded, leading to major systemic damage.
So in the SOC we have a complex, tightly-coupled system with catastrophic potential. “The essence of the Normal Accident,” Perrow wrote, is “the interaction of multiple failures that are not in a direct operational sequence.” That is, system components interacting in sequences and ways not only unexpected, but “incomprehensible” during the incident, often leading to much worse outcomes.
And what do we do, 42 years after Normal Accidents’ release? We add a complex, relatively tightly-coupled system of agents to a complex, certainly tightly-coupled system with catastrophic potential called the Security Operations Center. And not only that, but a system of agents fundamentally empowered by their own nondeterministic nature.
“What distinguishes these [system component] interactions,” Perrow wrote, “is that they were not designed into the system by anybody; no one intended them to be linked. They baffle us because we acted in terms of our own designs of a world that we expected to exist - but the world was different.”
In the rush to the AI/Agentic SOC, expect many Normal Accidents.
CERT Polska - Energy Sector Incident Report - If you’re reading this list, you’ve probably already seen this, but linking in case that’s untrue. Probably the best of the recent resources around the Polish energy grid incident, and worth becoming familiar with. Also good writeups by Kim Zetter here, here, and here.
UK Defence Journal - Iranian-linked Scottish accounts fall silent again - Social media accounts that posed as supporters of Scottish Independence once again fell silent amidst the Iranian internet blackout. Fun little detection, if not necessarily a fine one.
Greynoise - -f Around and Find Out: 18 Hours of Unsolicited Telnet Houseguests - Telnet? What year is it?!?! All kidding aside, Greynoise is making some fascinating moves lately, and as much of an AI skeptic as I am, hrbmstr’s experiments with AI analysis show some real value there.
APNIC - What we learned from 63,000 attacks in 12 days on APNIC Honeynet sensors at University of Dhaka - “In just twelve days, our sensor was hit 63,247 times by 4,262 unique source IPs, including five unique IP addresses from Bangladesh. Fourteen of those led to malware download attempts. The time to first attack was less than one hour, and we averaged ~5,270 attacks every single day!” - Not groundbreaking, but another eye-opening bit of research showing with data just how dangerous the internet can be, packet-wise. Good work and writeup on their part.
Phishing campaign targets job seekers with fake career portals and interview invites, stealing ID.me credentials and deploying malware since August 2025.
A malicious actor has created several domain masquerades of small companies posing as job boards, interview themes, and login pages since approximately August 2025. The activity appears to have two distinct objectives. The first is a credential harvesting scheme targeting ID.me accounts — the official identity provider for US government services like the IRS and SSA — which may then be exploited to facilitate financial fraud, including tax refund theft and fraudulent unemployment benefits. The second cluster focuses on malware delivery, tricking job seekers via fake Microsoft Teams meeting invites to download a malicious, unsigned variant of the remote access tool Connectwise. This gives the attacker access to the victim’s machine where they may conduct follow-on attacks.
Registration Commonalities
Nameserver: namecheaphosting.com
IP ISP: Namecheap Inc.
Mail Server Domain
privateemail.com
jellyfish.systems
SSL Issuer: Sectigo
Registrar: NameCheap Inc.
Server Type: Microsoft
ID.me Credential Harvesting
clock-towerrealty[.]org
apply-untide[.]rentals
The site purports to be a United Rentals Careers portal and uses legitimate links and site content loaded from the real site, jobs.unitedrentals[.]com.
The two buttons on the top right for “Continue Application” and “APPLY HERE” direct to another actor owned domain, clock-towerrealty[.]org.
Continue Application: http[:]//clock-towerrealty[.]org/APPLY/?ff_landing=13
APPLY HERE: https[:]//clock-towerrealty[.]org/APPLY/?ff_landing=10
The code for clock-towerrealty[.]org contains a credential harvester designed to look like a legitimate corporate portal. This appears to be a brand spoof but not a website spoof of the real entity, Clock Tower Realty in Florida, USA.
The malicious domain is using a cheaply registered WordPress site to trick job seekers into providing their email and password. Credentials being targeted are ID.me. If a scammer gets ID.me credentials, they could potentially perform unauthorized logins to steal tax refunds, apply for fraudulent unemployment benefits, or take over Social Security accounts.
When a user clicks the "Sign In" button after entering their information, the data is sent to admin-ajax.php, suggesting the stolen credentials are being stored in the WordPress SQL database.
These scammers may have taken screenshots of legitimate company logos and sent them via WhatsApp during the development of the scam, hence the file names “WhatsApp-Image”. Seeing "WhatsApp-Image" in a site's source code is a strong indicator that the site is fraudulent. Legitimate companies like United Rentals have dedicated IT departments.
The site is instrumented for marketing and behavior tracking using the Google Tag Manager (GTM) ID “GTM-T75PDC7R”, which appears on multiple other actor-controlled sites created between 2025-08 and 2026-01 that feature the same type of scam.
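The registration commonalities above and the shared GTM container ID are the pivots that tie these sites together. The following is an added example (not DomainTools' tooling and not the actor's code) of scoring candidate domains against a seed domain's attributes. The seed values mirror the commonalities listed above; the candidate records are constructed for illustration, and their field values, the weights and the thresholds are assumptions to adapt to your own data.

```javascript
// Added example (not DomainTools' tooling): score candidate domains against a
// seed domain's registration and hosting attributes to surface a cluster.
// Seed values mirror the commonalities listed above; the candidate records
// are constructed for illustration and their values are assumptions.

// Commodity attributes (popular registrar, nameserver, CA, web server) are
// shared by enormous numbers of legitimate sites, so each earns little on its
// own. The mail-server pair is a narrower choice, and a Google Tag Manager
// container ID is configured by the site operator, so it is weighted as a
// strong link between sites.
const WEIGHTS = {
  nameserver: 1, isp: 1, registrar: 1, sslIssuer: 1, serverType: 1, mx: 2, gtm: 6,
};

const SEED = {
  domain: "clock-towerrealty[.]org",
  nameserver: "namecheaphosting.com",
  isp: "Namecheap Inc.",
  mx: ["privateemail.com", "jellyfish.systems"], // either mail-server domain counts
  sslIssuer: "Sectigo",
  registrar: "NameCheap Inc.",
  serverType: "Microsoft",
  gtm: "GTM-T75PDC7R",
};

// Constructed candidates: one sharing everything, one on the same commodity
// hosting with no actor-specific identifier, one unrelated.
const CANDIDATES = [
  { domain: "apply-untide[.]rentals", nameserver: "namecheaphosting.com", isp: "Namecheap Inc.",
    mx: "jellyfish.systems", sslIssuer: "Sectigo", registrar: "NameCheap Inc.",
    serverType: "Microsoft", gtm: "GTM-T75PDC7R" },
  { domain: "shared-hosting-only.example", nameserver: "namecheaphosting.com", isp: "Namecheap Inc.",
    mx: "privateemail.com", sslIssuer: "Sectigo", registrar: "NameCheap Inc.",
    serverType: "Microsoft", gtm: null },
  { domain: "unrelated.example", nameserver: "ns1.dns.example", isp: "Other Hosting",
    mx: "mail.example", sslIssuer: "Let's Encrypt", registrar: "Other Registrar",
    serverType: "nginx", gtm: "GTM-AAAAAAA" },
];

// Compare one candidate with the seed, returning the weighted overlap score
// and which attributes matched (so an analyst can see why it scored).
function pivotScore(seed, cand) {
  const matched = [];
  let score = 0;
  for (const [field, weight] of Object.entries(WEIGHTS)) {
    const want = seed[field];
    const have = cand[field];
    if (want == null || have == null) continue;
    const hit = Array.isArray(want) ? want.includes(have) : want === have;
    if (hit) {
      matched.push(field);
      score += weight;
    }
  }
  return { domain: cand.domain, score, matched };
}

// Thresholds: 8 or more needs either the operator-specific GTM link plus some
// hosting overlap, or a near-total hosting overlap; 4..7 is worth a manual
// look; below that the shared attributes are just base-rate noise.
function verdict(score) {
  if (score >= 8) return "cluster";
  if (score >= 4) return "review";
  return "unrelated";
}

function clusterCandidates(seed, cands) {
  return cands
    .map((c) => {
      const r = pivotScore(seed, c);
      return { ...r, verdict: verdict(r.score) };
    })
    .sort((a, b) => b.score - a.score);
}

console.log(clusterCandidates(SEED, CANDIDATES));
```

The point of returning `matched` alongside the score is that a candidate sitting on the same cheap Namecheap hosting with a Sectigo certificate is not evidence of anything by itself; it is the operator-configured identifier (here the GTM ID) or the full stack of overlaps that justifies putting a domain in the cluster.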
Other domains suspected of being in an associated cluster of activity were also identified masquerading as legitimate small company brands with job interview meeting invites. However, these domains do not simply attempt to steal credentials through fake logon pages. Instead, they deliver a malicious Windows installation file that provides remote access to the compromised machine.
Initial phishing domain: mlcrsoftedge[.]com. The site itself purports to be and links to https[:]//lsxconstructions[.]com/, a seemingly legitimate construction company website, which was created 2025-02-01 and redirects to lsxconstruction[.]com.
When users receive the meeting invite and click the "Join Meeting" button, they unknowingly initiate a download of a modified, unsigned installation file for Connectwise, a remote access tool.
Bundled files such as 7027b69ab6ebc9f3f7d2f6c800793fde2a057b76010d8cfd831cf440371b2b23 are linked to multiple reports of impersonation attacks and Connectwise phishing campaigns going back to 2025-04-23. The majority of the recent activity appears to have started around 2025-11.
Conclusion
The identified phishing activities use domain masquerades with a job theme and consist of two distinct attack types. One focuses on harvesting ID.me credentials, which are used to access government services (IRS, SSA, VA) and facilitate financial fraud. The second delivers a malicious, unsigned remote access tool (Connectwise) disguised as a Microsoft Teams link, resulting in system compromise. While there’s no definitive evidence the two clusters are linked to the same actor, the registration patterns, themes – specifically, masquerading as small companies – and timeframe appear strongly correlated.
IOCs
Domains:
mlcrsoftedge[.]com
clock-towerrealty[.]org
apply-untide[.]rentals
from-unietd[.]rentals
frosm-unitde[.]rentals
from-united[.]rentals
forms-unitde[.]rentals
froms-united[.]rentals
SHA256: 4107f8e0d6597866d4beb7c30718935353782dc7e199d3956fd10c8456383feb
Google Tag Manager: GTM-T75PDC7R
Be wary of "real money" games this New Year. This report uncovers hundreds of fake Android gambling apps using spoofed reviews, fake win declarations, and "waistcoat" shells to trick users into sideloading unregulated, predatory gambling software.
Before trying out your new year luck, be wary of online gambling apps and real money games. This report details an investigation into multiple clusters of dubious Android applications created in the past few weeks that are engaged in predatory gambling and real money gaming apps. Notably, these are not registered apps. They are intentionally misleading users into thinking they are legitimate and reputable through multiple tactics like spoofing the Google Play Store, creating fake reviews, generating fake public win declarations, and creating entire brands with marketing campaigns and broad distribution tactics. These clusters also attempt to evade detection and analysis by having post install code and configuration retrievals from actor controlled sites, which serve a dual purpose of distributing region specific content to users post installation.
The report is segmented into three distinct infrastructure clusters. Each cluster appears to target a general set of countries including Nigeria, India, Pakistan, and the Philippines. They also target language communities rather than specific regions, including English-, Portuguese-, and Bengali-speaking users. Despite the wide range of targets, the clusters share a common theme of mobile-focused gaming or gamified gambling apps used to attract users for financial gain.
Details
The three clusters spoof the Google Play Store with fake app reviews and downloadable Android applications. Clusters 1 and 2 involve Android application delivery campaigns that utilize the Cocos2d game engine to obfuscate code setup, load external code and configuration details, and send device and user telemetry to actor-controlled domains. These applications are distributed via hundreds of websites spoofing Google Play Store installation pages with fake reviews. Search Engine Optimization (SEO) manipulation techniques are used to drive traffic to these sites.
Cluster 1: AA Game: Aviator
Approximately 180 domains have been registered since 2025-03, 170 of which were first seen on 2025-12-14. They host nearly identical websites and serve primarily the same APK file, with a few exceptions in older versions. The apps appear to feature crash-gambling mechanics, a style of game where users attempt to collect as much money as possible before the game crashes.
The reviews are clearly fake. They are hardcoded into the HTML, there are multiple identical reviews under different names, and they all share the exact same review ID, such as data-review-id="13dc2fa2-4acc-4923-8a55-be2f20d1841a". In a real database, every review has a unique ID. Here, the scammers just copied and pasted the same HTML template.
“Aviator” games are also commonly used themes for unregulated, illegal gambling crash style games. The example app above uses terms like “Get Rich”, and has fake reviews like “I also get rich as a result!” and “Because I made more money than you can imagine!". Legitimate apps on the Play Store are strictly regulated; Google does not allow apps to promise that you will "get rich." These are social engineering tactics used to play on people's desire for easy money.
A defining characteristic of these applications is the use of the Cocos2d framework. In this model, the Android Java layer (DEX) acts as a minimal host for a native C++ engine (libcocos.so), which in turn executes encrypted, compiled JavaScript code.
Although some of the analyzed applications’ code paths and text suggested they were targeting Nigeria-based users, there were also samples focused on the Indian rupee (INR). Though remnants of what could be past regional targeting were observed, it's unclear if a specific user base is currently being targeted in this cluster.
Analysis of an older development variant of the Android application revealed a module called hall_marqueen. This module is hard-coded to generate fake withdrawal notifications, creating the illusion of a highly active and profitable user base:
// Method from the hall_marqueen module as recovered from the app (minified identifiers p, e, t, n kept as found)
setHallLabelText() {
    let e = "";
    // 5% chance of a "realistic" name, 95% chance of a generic "UserXXXXX"
    if (p.instance.getIntRandom(0, 20) > 19)
        e = p.instance.getRandomName();
    else {
        let t = p.instance.getIntRandom(0, 3e5).toString();
        while (t.length < 5) t = "0" + t; // zero-pad to at least five digits
        e = "User" + t;
    }
    // Randomized fake withdrawal amounts
    let t = ["100", "200", "500", "1000", "5000", "10000", "20000"];
    const n = Math.floor(Math.random() * t.length);
    return e + " successfully withdraws ₹" + t[n];
}
Cluster 2: DK777
Cluster 2 is a more generalized gambling Android app delivery. Sixteen domains registered on the same day host similar websites spoofing the Google Play store to deliver the same APK file. The application "DK777" features slots and multi-game halls, with visual assets emphasizing "big wins" and "jackpots”. The application also uses a Cocos2d framework with a more complex range of obfuscation techniques, including over 1,000 obfuscated files within the application’s classes dex file and 50+ encrypted JSC files. Multiple presumably actor-controlled sites with backups were identified that are used to send device telemetry and retrieve additional configuration and code for execution. Some of the configurations were set to use the Pakistani rupee. Languages in the apps included English, Portuguese, and Bengali.
Initial delivery domains spoof the Google Play Store for DK777 Android app delivery, including the following:
All six domains were registered the same day (2025-12-08) with similar registration and hosting configurations. Pivoting on these configurations revealed over 120 other domains dating back to as early as 2022-01 with similar gambling themes, including "192bet[.]com" and "pak111[.]com".
Screenshots from websites in this cluster show an ongoing theme of targeting Pakistani users along with English, Spanish, and Vietnamese speakers.
Cluster 3: LG Sabong
This cluster has approximately 196 domains. The bulk of registrations occurred between 2025-11 and 2025-12, with related domains observed as early as 2025-05. The websites have aspects suggesting some localization for Filipino-speaking users. The nomenclature "Sabong" (cockfighting) suggests a focus on a culturally specific gambling market in the Philippines, while some variations of the randomized display images use the Filipino language.
Brief details of connective tissue
Google Tag Manager: GTM-M899ZXM
ISP: CloudFlare Inc.
Registrar: Dynadot Inc
Name Server Domain: cloudflare[.]com
Server Type: AliyunOSS
Website Title:
LG - Apps
LGParty - Apps
LGParty - Apps on Google Play
The sites use a "Cloaking" or "Bridge Page" system typically used in the gambling industry to bypass ad platform restrictions (like Facebook or Google Ads).
The code does not build a real functional website with buttons and text. Instead, it renders a hardcoded "lgpartyShareLand" component, which displays a set of PNG images as the site content. These images are randomly selected during page load from two arrays stored on an Aliyun (Alibaba Cloud) server. There are 12 different sets of images for "LGParty" and 9 sets for "LG111". This is likely done so that ad reviewers see different "innocent" versions of the page, making it harder for automated bots to flag the site as a gambling portal.
Deceptive Asset URLs
The images display download or install buttons, but the entire site is set up as an onClick event wrapper, which triggers a jumpHander function. The jumpHander does three things:
Generates or retrieves a fbFingerId (Facebook Fingerprint ID) and stores it in the user’s localStorage
Runs a Facebook Pixel event (PageView and ClickLand) to track that a "lead" clicked the ad.
Redirects the user’s browser to a new URL, often a "Google Play" style link or an Android "intent" URL (to force the link open in the browser), pointing at a subdomain of the current site such as https[:]//pllay-godgle.{actor domain}.com
In the redirect action, the system uses "Jump Links" to move the user from the "Bridge Page" (the fake UI) to the actual malicious payload.
var o = "https://pllay-godgle.".concat(location.hostname).concat(location.search);
The final goal is to force the installation of a "Waistcoat" APK. The script contains a utility function to trigger a silent download and communicates with a backend API at /x2/lg-waistcoat/delivery/. The term "waistcoat" (马甲包) is a Chinese industry term for "shell apps" or "wrapper apps" — fake apps used to hide gambling content inside an innocent-looking shell to get past Apple/Google app store reviewers.
APK Filename: Dynamically generated as LGParty.apk or LG111.apk depending on the site configuration.
Execution Logic: The code creates a hidden anchor element (__apk_dl_anchor__), sets the download attribute, and programmatically clicks it:
function c() {
    var e = "".concat(o.Z.siteName, ".apk"); // "LGParty.apk"
    var a = "https://apk-".concat(location.host, "/apks/").concat(o.Z.siteName, ".apk");
    var n = document.createElement("a");
    n.id = "__apk_dl_anchor__";
    n.href = a;
    n.download = e;
    n.click(); // Triggers immediate browser download
}
The goal is likely application side-loading. Google Play Store policy is quite clear on gambling and real money apps: they must hold licenses to operate and complete an application process to be approved, among other requirements. Because Google Play bans or prevents unlicensed or fraudulent real-money and gambling apps, groups may use "Waistcoat" (shell) pages, images, and fake Play Store UIs to trick the user into downloading a file that appears to be a "verified" Play Store download, while trying to avoid detection. Once the .apk is installed, the app likely shows an innocent game (like a flight sim or puzzle) until it connects to its server, which can then flip a switch to load and show the actual illegal gambling interface. In the case of these clusters, the external code update functionality suggests they were or could be used in this manner, but no apps from these clusters were identified in the legitimate Google Play Store.
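The indicators described for these clusters (hardcoded reviews sharing one data-review-id and body text under different names, "get rich" claims, the hidden download anchor clicked from script, the lg-waistcoat delivery path and the pllay-godgle jump prefix) are all visible in the static page source, so they can be checked without running the site. The following is an added triage example, not the actors' code and not DomainTools' tooling. SAMPLE_PAGE is constructed; the review markup shape it assumes (a class="name" span followed by a <p> body) is an assumption, so REVIEW_RE will need adjusting to the markup of the page you are examining.

```javascript
// Added example (not the actors' code and not DomainTools' tooling): static
// triage of a fetched page for the Play Store spoof and bridge-page indicators
// described above. SAMPLE_PAGE is constructed; the review markup shape
// (class="name" span, <p> body) is an assumption about how such sites render
// their hardcoded reviews, so adapt REVIEW_RE to the page you are looking at.

const SAMPLE_PAGE = `
<div class="review" data-review-id="13dc2fa2-4acc-4923-8a55-be2f20d1841a">
  <span class="name">Ahmed K.</span><p>I also get rich as a result!</p></div>
<div class="review" data-review-id="13dc2fa2-4acc-4923-8a55-be2f20d1841a">
  <span class="name">Priya S.</span><p>I also get rich as a result!</p></div>
<div class="review" data-review-id="13dc2fa2-4acc-4923-8a55-be2f20d1841a">
  <span class="name">John D.</span><p>Because I made more money than you can imagine!</p></div>
<script>
function c(){var a="https://apk-".concat(location.host,"/apks/LGParty.apk");
var n=document.createElement("a");n.id="__apk_dl_anchor__";n.href=a;n.download="LGParty.apk";n.click();}
var o="https://pllay-godgle.".concat(location.hostname).concat(location.search);
fetch("/x2/lg-waistcoat/delivery/");
</script>`;

// Pull (id, reviewer name, body) triples out of the review markup.
const REVIEW_RE = /data-review-id="([^"]+)"[\s\S]*?class="name">([^<]*)<[\s\S]*?<p>([^<]*)<\/p>/g;

function extractReviews(html) {
  return [...html.matchAll(REVIEW_RE)].map((m) => ({
    id: m[1],
    name: m[2].trim(),
    text: m[3].trim(),
  }));
}

function groupBy(items, keyFn) {
  const groups = new Map();
  for (const item of items) {
    const key = keyFn(item);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(item);
  }
  return groups;
}

function triagePage(html) {
  const reviews = extractReviews(html);

  // A real store backend issues one ID per review; repeats mean a pasted template.
  const duplicateReviewIds = [...groupBy(reviews, (r) => r.id).entries()]
    .filter(([, rs]) => rs.length > 1)
    .map(([id]) => id);

  // Identical body text attributed to different reviewers.
  const clonedReviews = [...groupBy(reviews, (r) => r.text.toLowerCase()).values()]
    .filter((rs) => new Set(rs.map((r) => r.name)).size > 1)
    .map((rs) => ({ text: rs[0].text, names: rs.map((r) => r.name) }));

  // Earnings promises the real Play Store does not allow.
  const getRichClaims = reviews.filter((r) => /\b(get rich|made more money)\b/i.test(r.text)).length;

  const findings = {
    reviewCount: reviews.length,
    duplicateReviewIds,
    clonedReviews,
    getRichClaims,
    // Hidden anchor with a download attribute that is clicked from script.
    apkAutoDownload: /__apk_dl_anchor__|\.download\s*=[\s\S]{0,200}?\.click\(\)/.test(html),
    // Backend path and jump-subdomain prefix seen in the LG Sabong cluster.
    waistcoatApi: /\/lg-waistcoat\/delivery\//.test(html),
    jumpSubdomain: /pllay-godgle\./.test(html),
  };

  const indicatorHits = [
    duplicateReviewIds.length > 0,
    clonedReviews.length > 0,
    getRichClaims > 0,
    findings.apkAutoDownload,
    findings.waistcoatApi,
    findings.jumpSubdomain,
  ].filter(Boolean).length;

  const verdict = indicatorHits >= 3 ? "likely spoof" : indicatorHits > 0 ? "suspicious" : "no indicators";
  return { ...findings, indicatorHits, verdict };
}

console.log(triagePage(SAMPLE_PAGE));
```

The structural checks (duplicate IDs, cloned text under different names, a script-clicked download anchor) travel across clusters and rebrands; the literal strings (lg-waistcoat, pllay-godgle) are cheap for the operator to change, so treat them as confirmation rather than as the only trigger.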
Broader Outlook and Trend Analysis
The architecture observed here, specifically the Cocos2d native bridge combined with bytecode encryption, is a hallmark of "Shell" applications used in financial fraud. By separating the distribution (spoofed websites) from the logic (encrypted JavaScript), threat actors can pivot regional themes (India vs. Philippines) with minimal changes to the underlying technical framework. With Clusters 1 and 2, this appeared to be the case as the applications sent device telemetry to external servers, then retrieved and loaded configuration and code from those external actor-controlled domains at runtime. It is suspected that both clusters operated with regional and device profile-based configurations. These configurations also enable the actor to change the behavior of the application at any time to load in malicious code after installation.
While there is no direct attribution identified thus far, this pattern has previously been associated with professional syndicates operating out of Southeast Asia that manage high-volume gambling and investment scams.
The core strategy relies on delivering illegitimate applications that deceive users into trusting them. This is accomplished through various deceptive tactics, including the spoofing of the Google Play Store, the fabrication of social proof such as reviews and win declarations, and the establishment of dedicated brand identities with widespread distribution. A key feature of these operations is the attempt to evade analysis by utilizing post-installation code and configuration fetched from actor-controlled domains.
While the applications do not appear to be overtly malicious in the way typical malware is, such as granting remote access to users’ devices or stealing credentials, they pose as gambling and real money games with no regulation, oversight, or legitimacy. They can, and likely do, manipulate the gambling behavior, for example through rigged results or non-randomized outcomes.
Security Advice and Conclusion
This campaign highlights the critical role of managed app stores in the mobile ecosystem.
Sideloading Risks: The primary defense against these campaigns is avoiding APK installations from non-standard sources. These apps require sideloading specifically because their core logic — such as the fake marquee module — would be flagged by the automated and manual review processes of legitimate stores such as Google Play Store.
Fabricated Social Proof: Users should be informed that download counts, ratings, and reviews on spoofed websites are cosmetic HTML elements and do not reflect the application's actual standing or security.
Managed Environments: Organizations should leverage Managed Google Play or Mobile Device Management (MDM) solutions to restrict the installation of apps from untrusted sources, as the "hot-update" capabilities of these frameworks allow an app to change its behavior entirely after it has been installed.
Commentary followed by links to cybersecurity articles that caught our interest internally.
I know I’m not the only one that flinched when a Log4j vulnerability dropped on the Thursday before Christmas. That it’s only a 6.3 allowed me to breathe again, but only shallowly.
Long before security, I spent my days in a 911 dispatch room soloing emergency calls and coordinating the response. The overlaps between that and cyber incident response are many, but two are worth calling out today. The first is that both types of response require forming an elaborate mental map of the emergency. And the second is that both types of response aren’t embodied; you’re at a workstation, processing and integrating in real time, but without the ability to physically release the tension involved.
The lack of physical embodiment is one of the reasons 911 calls can stick with you. Recall down to the waver in someone’s voice or something you think you heard in the background can be excruciatingly intimate and precise; the slosh of water in a tub, or the bark of an unrelated dog. And anchored to the desk as you are, there is no way to work the tension out of your body at the time. You learn to sit with it, and in turn the memories sit with you.
Some cyber incident response scenarios play out similarly. We can thrive on the tension, we can perform in near-superhuman ways across parallel tasks of critical importance for an extended period of time, we can love the thrill of pressure and the satisfied exhaustion of knowing how we handled it. But it all takes a toll, and that toll can stick with you.
We ignored it for a long time in Emergency Services, and in some ways still do. But it also resulted in the establishment of mechanisms like Critical Incident Stress Debriefing, mutually supportive ways to blow off steam while acknowledging the incident, and more. Many of us working remote, though, struggle more because the work desk hangs around our neck like an albatross, and we toss it as far as possible once the work day ends. But the stress of those incidents isn’t dealt with, and the mental and physical fatigue make after-hours efforts seem impossible.
Gauge how you and your team handle incidents. Figure out if you leave the stress in your body, or if you can find a way to work it out. It’s even more critical maintenance than replacing spinning disks – because when your stress response systems start throwing errors, they’re much harder to resolve.
Take care of yourselves out there. Take care of each other. We are all we’ve got.
Podcasts
Cyberwire – Root access to the great firewall – DomainTools Head of Investigations Daniel Schwalbe interviewed on our Great Firewall series. Definitely worth a listen – just editing these pieces kept me up at night, given the impact of realizations about the technologies behind the Great Firewall.
DomainTools Investigations – The APT35 Dump Episode 4: Leaking The Backstage Pass To An Iranian Intelligence Operation – The next in our APT35/Charming Kitten series, with some of the strongest writing I’ve seen from our team yet. Several phrases are going to stick with me for a while, but especially “the banality of intrusion.” The depth and breadth of bureaucracy involved is sort of amazing compared to other models.
Greynoise Intelligence – React2Shell research – Greynoise has assembled a boatload of supplemental data on their github for folks defending against the React2Shell vulnerability, or those looking to hunt for exploiters. C2 IPs and domains, full payloads, hashes, and more. Lots of credit goes to Greynoise for providing this to the community.
koenvh – DNS over rsync – Yes, you read that right. No, I won’t take it back, and you can’t make me. I saw it so you have to see it too, I don’t make the rules. It’s not the most cursed protocol I’ve ever seen, but it’s close.
New B2B2C supply chain attack targets Booking.com customers. Attackers are compromising hotel accounts to send "verify or cancel" phishing messages with dynamic booking data. Learn how to spot these fake domains and protect your payment info.
Since May 2025, an attacker targeting Booking[.]com customers has generated nearly 1,000 spoofed booking and hotel reservation domains. The attackers appear to be compromising hotel booking management accounts to target Booking[.]com customers directly through the platform’s official messaging channels. By sending urgent “verify or cancel” notifications, they direct victims to external phishing sites that dynamically load the traveler’s actual reservation details to steal payment information.
Details
Attack Breakdown
The attack began by compromising hotel booking accounts. Though the specifics are as yet unknown, this activity is likely tied to attacks reported in November 2025 by Sekoia.io, dubbed the “I Paid Twice” phishing campaign. Sekoia suspected the attacker targeted hotel staff to steal credentials for booking platforms. A question remains whether the attacker targeting hotels is the same one operating the phishing kits to target the hotels’ customers. Sekoia noted that such stolen hotel booking credentials are sold on Russian-language forums for under $5,000 each. Furthermore, while we found no direct links, a Microsoft STORM-1865 report shares many of the same characteristics, with the exception of an identified malware delivery component.
Once the attacker obtained these credentials, they then used that access to send lures to the hotel’s customers through Booking[.]com’s services. The victim receives a Booking app message and email from Booking[.]com with a message that they need to update their booking information within 8 hours or risk having their booking cancelled. If the user responds to the message, the attacker sends a URL to an attacker-owned domain with a customer-specific tracker ID.
On the attacker’s website it first presents a fake CloudFlare “Confirm that you are human” checkbox.
In fact, the main page loads an iframe containing the fake button and starts a timer to ask the server if the user has clicked yet.
Upon clicking the fake verification button, the site reloads, taking the customer’s booking ID from the URL and matching it against the data they stole from the hotel. The phishing page is dynamically generated to look like Booking[.]com hotel booking forms. The page is populated with the reservation hotel details and check in date. The victim is lured into re-entering their personal contact details including name, email and phone number.
Subsequently they are asked to re-enter their payment information for the hotel booking.
This appears to be the end goal of the attack, to retrieve contact info and payment information. Normally, we might expect this level of effort and ability to leverage trusted business relationships to attempt to distribute malware such as NetSupport RAT, but as of writing this investigation, the goal of the attack appeared limited to payment information harvesting.
Phishing Web Kit
The filepaths and scripts suggested the attack may involve Scraper/Interceptor kits, which are used almost exclusively for Booking[.]com and Airbnb scams. Such kits are often associated with the Telekopye toolkit or the “U-Admin” ecosystem (Russian-origin phishing-as-a-service).
Common filepaths for the webkit:
/dist/sites/ALL/booking/favicon.ico
/dist/booking/booking/styles-new4.css
/dist/booking/booking/submit-new8.js
It also uses a polling Ajax endpoint with a specific set of PHP files to synchronize the victim’s browser with the attacker’s control panel:
/ajax/captcha.php (The “Check” stage)
/ajax/payment_card_status.php (The “Redirect” controller)
/ajax/user_send_status.php (The “Progress” tracker)
/ajax/change_language.php
This specific naming convention (payment_card_status.php) is a known signature of the “Drainer” or “InfoStealer” variants of the Booking[.]com phishing kit.
However, the sites investigated appeared to use a database of stolen booking information from Booking[.]com and used it to dynamically populate pages for each victim. These factors suggest the attacker is using frankenstein code partially from a common Booking web kit to dynamically load victim specific information.
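Because the kit's file paths and polling endpoints are stable across the sites, they are a practical hunting signature in web-proxy or access logs: two or more distinct kit paths on a host that is not a genuine Booking[.]com domain, plus the repeated hits to captcha.php produced by the page's "has the user clicked yet" timer. The following is an added example (not DomainTools' tooling); the log lines and their whitespace-separated format (timestamp, client IP, requested host, method, target, status) are constructed for illustration, and the polling threshold is an assumption.

```javascript
// Added example (not DomainTools' tooling): hunt for the kit's distinctive
// paths in web-proxy or access logs. The log lines and the whitespace-separated
// format (timestamp, client IP, requested host, method, target, status) are
// constructed for this example; map the fields to your own log schema.

const SAMPLE_LOG = `
2025-12-01T10:00:01Z 198.51.100.7 hotel-reservation-check.example GET /dist/booking/booking/styles-new4.css 200
2025-12-01T10:00:01Z 198.51.100.7 hotel-reservation-check.example GET /dist/booking/booking/submit-new8.js 200
2025-12-01T10:00:02Z 198.51.100.7 hotel-reservation-check.example POST /ajax/captcha.php 200
2025-12-01T10:00:04Z 198.51.100.7 hotel-reservation-check.example POST /ajax/captcha.php 200
2025-12-01T10:00:06Z 198.51.100.7 hotel-reservation-check.example POST /ajax/captcha.php 200
2025-12-01T10:00:08Z 198.51.100.7 hotel-reservation-check.example POST /ajax/captcha.php 200
2025-12-01T10:00:10Z 198.51.100.7 hotel-reservation-check.example POST /ajax/captcha.php 200
2025-12-01T10:00:31Z 198.51.100.7 hotel-reservation-check.example POST /ajax/payment_card_status.php?id=ab12 200
2025-12-01T10:01:00Z 203.0.113.9 www.booking.com GET /ajax/change_language.php 404
2025-12-01T10:02:00Z 203.0.113.9 intranet.example GET /ajax/captcha.php 200
`;

// Kit stages from the paths listed above. The asset pattern accepts any
// "-newN" revision of the CSS/JS bundle.
const KIT_PATHS = [
  { stage: "check", re: /^\/ajax\/captcha\.php$/ },
  { stage: "redirect", re: /^\/ajax\/payment_card_status\.php$/ },
  { stage: "progress", re: /^\/ajax\/user_send_status\.php$/ },
  { stage: "language", re: /^\/ajax\/change_language\.php$/ },
  { stage: "assets", re: /^\/dist\/(sites\/ALL\/)?booking\/(booking\/)?(styles-new\d+\.css|submit-new\d+\.js|favicon\.ico)$/ },
];

function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 6) return null;
  const [ts, client, host, method, target, status] = parts;
  let path;
  try {
    path = new URL(target, "http://" + host).pathname; // strips the query string
  } catch {
    return null;
  }
  return { ts, client, host: host.toLowerCase(), method, path, status: Number(status) };
}

// Genuine Booking.com hosts are the one place these names could be benign.
function isLegitBookingHost(host) {
  return host === "booking.com" || host.endsWith(".booking.com");
}

function kitStage(path) {
  const hit = KIT_PATHS.find((k) => k.re.test(path));
  return hit ? hit.stage : null;
}

// Returns one record per suspicious host: which kit stages were seen and
// which clients hit captcha.php often enough to look like the page's
// "has the user clicked yet" timer rather than a single human click.
function scanLog(lines, pollThreshold = 5) {
  const perHost = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || isLegitBookingHost(r.host)) continue;
    const stage = kitStage(r.path);
    if (!stage) continue;
    if (!perHost.has(r.host)) perHost.set(r.host, { stages: new Set(), captchaHits: new Map() });
    const h = perHost.get(r.host);
    h.stages.add(stage);
    if (stage === "check") h.captchaHits.set(r.client, (h.captchaHits.get(r.client) || 0) + 1);
  }
  return [...perHost.entries()]
    .map(([host, h]) => {
      const stages = [...h.stages].sort();
      const pollingClients = [...h.captchaHits.entries()]
        .filter(([, n]) => n >= pollThreshold)
        .map(([client]) => client);
      // Two or more distinct stages on a non-Booking host is the kit signature;
      // a lone /ajax/captcha.php could be an unrelated application.
      return { host, stages, pollingClients, verdict: stages.length >= 2 ? "kit" : "weak" };
    })
    .sort((a, b) => b.stages.length - a.stages.length);
}

console.log(scanLog(SAMPLE_LOG.trim().split("\n")));
```

A hit on the "redirect" stage is the one to escalate first: by the time payment_card_status.php is being polled the victim has already passed the fake verification and is on the card form, so the client IP in that record identifies a guest who needs to be contacted.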
Domain Infrastructure
One of the domains resolved to “80.64.19[.]92”, which has several overlaps with “77.83.207[.]34” including the following:
Both of the IP addresses above are based in Moscow, Russia and are seen hosting the same services on Debian Linux: ProFTPD, Exim, ISC BIND, F5 NGINX, and Dovecot.
The strong link between both IP addresses is notable as the “77.83.207[.]34” has resolved over 370 domains since May 2025 that spoof hotel and confirmation related themes, and those domains have unique emails and registrant names exposed in the registration details.
The registrant email addresses link additional IP addresses resolving large numbers of similar domain name patterns in the same timeframe including “91.92.46[.]181” with another 358 domains and “172.86.75[.]75” with 41 domains.
In a few cases domains were previously seen spoofing as Booking[.]com in December 2024 including the following two now reused in 2025 for similar purposes:
This campaign abuses trust relationships within the hospitality supply chain. By leveraging compromised hotel credentials to send messages through authenticated Booking[.]com channels, threat actors bypass standard email security gateways and user vigilance.
For defenders, the primary detection opportunities may lie in the distinct infrastructure patterns rather than the delivery mechanism. While the current objective appears limited to financial fraud, the actors’ established foothold within hotel administrative portals presents a significant latent risk for lateral movement or the deployment of persistent malware (e.g., NetSupport RAT) in future campaigns. The apparent theft of customer booking information also presents a latent risk to customers for follow on phishing attacks.
A question remains, why have Booking[.]com and affected Hotel chains been silent? The answer may be that Booking[.]com legally positions itself as an intermediary and may argue that the hotel is responsible for their own poor security.
What Victims Should Do
If you have received a suspicious message or believe you may have been compromised:
Contact the Hotel Directly: Call the hotel using a number from Google Maps (not the one in the suspicious message) to verify if the request is legitimate.
Check the URL: Genuine Booking[.]com payments occur only on Booking[.]com. Any other URL (e.g., booking-secure-verify.com or hotel-reservation-check.com) is a scam.
Initiate a Chargeback: If you paid, immediately call your bank. Report the transaction as “fraud due to a compromised merchant account,” not just a billing dispute.
Secure Your Accounts: Change your Booking[.]com password and enable Two-Factor Authentication (2FA). If you reused that password elsewhere, change it there too.
Ignore “Recovery” Scams: Be wary of third-party services or random social media accounts claiming they can “recover” your lost funds; these are often secondary scams targeting already vulnerable victims.
Third-Party Platform Risks & Mitigation
This campaign highlights an architectural weakness in the hospitality sector: the operational dependency on third-party platforms (like Booking[.]com) that may not provide enterprise-grade security controls. Hotels are effectively granting “trusted insider” status to external vendors without the ability to enforce internal security policies on those platforms such as the following:
Session Kill Switches: The inability for admins to monitor and force-terminate sessions.
Granular Outbound Filtering: The lack of controls to block sessions from sending unapproved URLs to guests.
Strict Access Control: The absence of IP-allowlisting to restrict login access solely to the hotel’s physical network.
Since hotels cannot force third parties like Booking[.]com to change its architecture or take on specific security liabilities or guarantees for the hotel’s use of their services, the best strategy may be to treat them as an untrusted environment. The most practical defense may be to abstract the user interface away from the staff through your Property Management System (PMS) where more granular controls may be implemented.
Commentary followed by links to cybersecurity articles that caught our interest internally.
(courtesy of cR0w)
Infosec, know thyself.
It’s no surprise that I’m an advocate for deeply introspective paths. My autism positions me for rumination (and much overthinking), but also self-examination and self-evaluation in order to identify strengths to capitalize on and inefficiencies to drum out. In talks I give on autism in cybersecurity with my good friend and work partner from the TechOps side, we emphasize engaging in substantive evaluation of your own thinking, reactions, and sensitivities in relation to your work and environment.
At the right dose, self-reflection can be a superpower all its own, as well as enable more superpowers in its wake.
When cybersecurity professionals become vulnerable enough to engage in metacognitive and other reflection in public, it makes us all better defenders. One good example can often be found amidst Tricia Howard’s work over at Akamai - whether she’s writing on resilience, toxicity and mental health, and more.
You had me at “mission-driven”; after all, the RAND study quote on neurodivergents being essential for national security due to “missions that are too important and too difficult to be left to those who use their brains only in typical ways” is deeply resonant with me. You also had me at “curious” - every investigation I approach, I do so with a natural sense of curiosity that makes it all the richer. But SpyCloud’s piece revolving around their investigators sitting down to talk brains and wins provides even more insight.
From connecting threat actor motivation to behavior and likely evolution, to being able to influence threat actor decision-making in impactful ways, and motivating the team itself by empowering curiosity and impacting justice in the wider world, the conversation speaks deeply to me about critical lessons for our profession, and our industry.
To quote the piece, “iron sharpens iron, and together we get better.”
Let’s work together to form and maintain the sharpening blocks we need to make 2026 the worst year for threat actors on record.
Let’s go.
Articles
GreyNoise Intelligence - When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game - Excellent, brief article from Greynoise’ boB Rudis with clear technical observations to evaluate sanctions on Stark. We need more of this, and we need to prioritize review of our current enforcement methods. More on this to come…
KrebsOnSecurity - Aisuru Botnet Shifts from DDoS to Residential Proxies - Aisuru’s power boggles the mind, as seen in this recent BleepingComputer article, but its evolution is even more interesting. Some of its roots appear to spring from Minecraft disputes, others to embarrass the Chinese Communist party. And the move to offer residential proxy access is not a welcome development.
Anthropic - Disrupting the first reported AI-orchestrated cyber espionage campaign - There is some ongoing controversy about this report, and understandably so. Anthropic’s reports tend to be higher-quality than the other AI firms out there, and in a narrative sense they explain their analysis well - operational tempo, request volumes, and activity patterns seem the right way to do it. But we need IOCs, TTPs, and other technical indicators as narratives are not enough. It’s worth noting that it took a while to convince any industry to share those, so here’s hoping Anthropic blazes the trail with this as well.
Commentary followed by links to cybersecurity articles that caught our interest internally.
It’s almost November, and I’m behind on my reading.
Which isn’t anything new - I’ve been behind on my reading since about sixth grade. But the uptick in infosec-related news and activity definitely feels substantial, a crescendo building towards the end of the year, or next year’s spring offensives, or whatever’s looming over the Taiwan Strait.
De-escalation feels like a quaint notion. The cosmic microwave background of China-nexus actor persistence and ever-present staccato of Russian organized crime and nation-state operations vie for different forms of our attention, but never our rest.
F5 network dwell time has been reported as nearly two years; nearly two years from initial compromise to detection, making coffee every day, going through life events, picking the kids up from soccer practice, two sets of holiday parties.
One of the things I’m stuck thinking about as the days get longer in multiple ways is time. F5 is not the only one that’s had a dwell time like that, and it’s certainly a difference from short-duration actors with more traditional criminal motives. But we’re also seeing the landscape change as Large Language Model-assisted cyber operations begin surfacing. Most uses there are in their infancy, similar to the defender usage of LLMs - still in the “horseless carriage” phase of technology, to steal a concept from Douglas Rushkoff. But they’re maturing - slow, fast, and otherwise.
Looking back to some earlier artificial intelligence work, Google’s AlphaGo took several years to gain mastery level in the game Go, across thirty million games. AlphaZero reached mastery in 4.9 million games, and learned how to beat AlphaGo in 3 days when pitted against it adversarially. OpenAI’s DOTA2 bot amassed 45,000 years of experience in ten months’ time. This was all years ago.
I am left wondering, if AI-based cyber threat offense reaches a more mature level, what happens when you take a system that can learn centuries’ worth of lessons in days, and connect it with strategic actors whose focus is sometimes across decades.
What does that do to time?
And in the interests of time, let’s move on to the news and chatter.
Several of us from DomainTools Investigations will be at CYBERWARCON in Arlington, VA on November 19th. If you’re there as well, don’t hesitate to say hello. Or tell us your secrets.
We’re good at secrets.
Podcasts
Three Buddy Problem - JAGS LABScon 2025 keynote: Steps to an ecology of cyber - Like last month, also from LABScon; in this case, Juan Andres Guerrero-Saade’s keynote presentation on the state of cybersecurity, how to navigate it, and what to look for next. Thirty minutes of some of the best cross-disciplinary exploration I’ve heard.
China Talk - PLA Purges and How Xi Rules with Jon Czin - Background and practical implementation of thinking and planning that informs the Chinese government’s operational stances.
Bloomberg - Hackers Had Been Lurking in Cyber Firm F5 Systems Since 2023 - This has been a bit of a sleeper story so far, but most of the watershed compromises haven’t been declared yet. Spent a night or three tracking possible DNS threads that roughly indicated the same time fence, but you never know until it’s out in print.
GTIG - Pro-Russia Information Operations Leverage Russian Drone Incursions into Polish Airspace - Rare (I think?) and very well-done Google Threat Intelligence piece on opportunistic hybridity in a real-world information campaign. All the notional borders we build fade into the background once feedback loops between cyber, info, and kinetic blend natively like the rest of the world.
Infoblox - Vault Viper: High Stakes, Hidden Threats - The ubiquity of gambling alongside fraud in cyber threat intelligence is no surprise to analysts, but the interconnections and scale often astound. Infoblox doing one of those things they do so well: sketch the outline of the badness, isolate and connect clusters, and lay it all out at micro- and macro-levels.
RecordedFuture - Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals - “Cybercrime in this environment cannot be understood solely as a commercial enterprise; it is also a tool of influence, a means of information acquisition, and a liability when it threatens domestic stability or undermines Russian interests.” - Fascinating deep-dive that paints a much more complex and ambiguous picture of Russian state interaction with cybercrime groups than we’re used to.
Trail of Bits - Prompt injection to RCE in AI agents - Great writeup centering around mapping and exploiting commands marked as “safe” in AI agents and thus allowed to circumvent human review.
Ars Technica - New image-generating AIs are being used for fake expense reports - Well that’s creative. Admittedly, as a teen I pulled a dot matrix printer and Tandy out of the attic to forge my report cards (which worked great in the short term, not so much in the long term, but that’s a story for another time).
Dartmouth ISTS - From Chaos To Capability: Building the US Market for Offensive Cyber - Novel research specifically around private-sector circumstances supporting government cyber operations, including current state of play, gaps, and opportunities in this largely gray area. Feels substantially different from the separate hybrid models we’re used to reading about in China and Russia, among other places.
Ian Campbell's recap of DTI's participation at BSides NoVa
As one part of the broader infosec community, it’s one of our pillars within DomainTools Investigations to contribute meaningfully to collective knowledge as well as common good. We believe that doing so reinforces the fact that cybersecurity is a living ecosystem - an ecosystem of ecosystems, in fact - and thrives or withers accordingly. From Head of Investigations Daniel Schwalbe down through the ranks, we want to see a thriving ecosystem, and there’s no other way to do it than to put our money and time where our mouths are.
You’ve got to have some skin in the game.
One great example of security community activity is BSides NoVa, which happened October 10 & 11. We stepped up as a Gold sponsor alongside other great organizations to bring together a diverse group, from folks looking to enter the industry to those retired from decades in it. In addition, we submitted two talks that were accepted: my colleague Malachi Walker’s talk on cyber threats in F1 racing, and my talk on DNS and domain intelligence in investigative journalism.
BSides is more than just a professional opportunity for me - it’s a deeply personal part of my path into and within infosec. While information security and cybersecurity have always been special interests of mine, the first conference I attended where I really felt the passionate burn to be an integral part of it all was a Security BSides conference, BSides Boston 2016. I sat in Microsoft’s NERD facility (not kidding about the name!) and felt the first undeniable yearning to be doing the cool work that speakers presented, even though I could only half-follow most of it at the time.
From the smallest BSides in a local meeting hall to major events like BSides CHARM, Las Vegas, or NoVa, both the model and the reality represent some of the best our community has to offer. It fills me with pride to be part of an organization that could sponsor this event.
For my part, I was honored to speak to a full room about DomainTools’ history of enabling investigative journalists and security researchers in the community through our Grant access program. We’ve been presenting at the NICAR journalism conference for nearly a decade now, grateful that interest drives not one but two NICAR sessions. In addition to access, we’ve been providing training and investigative support and review to help journalists identify objective truths in data that inform their investigations.
Earlier this year we provided a technical writeup on one such investigation over on our corporate blog, and the details there formed the backbone of this presentation as we demonstrated the value of both DNS records and Whois/RDAP data in unraveling layers of truths. We were also able to highlight several other places where either our data proved helpful or we collaborated with journalists and investigators directly this year alone, including CitizenLab, Reuters, and the prolific Brian Krebs.
Slides for my presentation can be found here on Google Drive (contact me if you need them placed for download elsewhere).
In addition to the slides, I’d like to reiterate my answer to one of the Q&A questions at the end. The session participants were awesome and engaged, across all levels of familiarity with DNS and domain data, and asked excellent questions. One of the better questions was “Where do I learn how to do this kind of work?”
As my introduction slide notes, I’ve got no degrees and no certifications. I cannot speak to higher education or training programs. What I can say is that learning from the folks actually doing the work is key. There are very few areas in which I have so much knowledge that I can claim to be a subject matter expert (which troubles me sometimes as far as both impact and career go). But where I excel is identifying work that I want to be doing, finding the people already doing it, and reverse-engineering their processes to build my own. In practice, this looks like not just reading investigations from Brian Krebs, Shelby Grossman, Renee Diresta, CitizenLab, or Infoblox’ Threat Intel team, but actually writing down and analyzing each step of their investigation to learn where and how they pivot from one piece of data to another, as well as areas they focus on as often fruitful investigatory avenues.
Another great source is journalist Craig Silverman, who devotes his time to teaching other journalists how to dive deep digitally. In addition, pay attention to the various places where Yael Grauer pops up, from Consumer Reports and the Associated Press to DEF CON, especially around privacy or public interest/technology & integrity issues.
Learn from folks doing the work - and then change, adapt, iterate, and customize it. Make it your own.
And go make a splash.
My thanks to BSides NoVa, its sponsors, and everyone who came to my talk or that I talked with on Saturday. We are the ecosystem. Let’s dig, share, and thrive.
A deep dive into the 4-stage NPM phishing attack flow that led to high-profile repository account takeover. Protect your development security.
Recently, a series of high-profile supply chain compromises was carried out by publishing malicious code to NPM packages using stolen developer credentials. While maintainers of prominent NPM packages have been targeted for many years, the widespread nature of these events prompted CISA to release an alert. Attackers stole developer accounts through a phishing campaign built around fake NPM management and login pages. This tactic enabled them to take over accounts for malicious activity, and it remains one of the most common and effective methods of credential theft.
Details
NPMJS is the largest JavaScript package registry, with two official domains: npmjs.com is the main site and npmjs.org is also an official NPM domain. Phishers have historically used variations of these domains to deceive users, most commonly through typo-squatting with domains like “npnjs[.]com”, which are particularly easy to overlook when presented in lower-case characters.
Examining a recently spoofed NPM login page configuration on the domain “npmjs[.]pro” demonstrates how the attack progresses through four stages: three user-facing pages, each designed to capture a piece of information or move the user on to the next step, followed by a server-side step that completes the account takeover.
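One way to screen a list of candidate domains for the typo-squatting and look-alike patterns described above, as an added example that is not code from the article or from npm. It assumes only the two official domains named above; the look-alike substitution table and the sample domain list are constructed for illustration, and the second-level/TLD split is naive (it does not consult the public suffix list, so names under suffixes like co.uk would need extra handling).

```python
"""Heuristic screen for domains that imitate the official npm registry.

Added example, not code from the original article or from npm. It applies
the tricks the article mentions (typos such as npnjs[.]com, the brand on an
unofficial TLD such as npmjs[.]pro) plus a few common look-alike swaps.
SAMPLE_DOMAINS is constructed for illustration; the second-level / TLD
split below is naive (no public-suffix handling for names like co.uk).
"""
from typing import Optional

OFFICIAL = {"npmjs.com", "npmjs.org"}
BRAND = "npmjs"

# Representative ASCII look-alike substitutions, not an exhaustive homoglyph table.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample input: two legitimate names, five look-alikes, one unrelated domain.
SAMPLE_DOMAINS = [
    "npmjs.com", "www.npmjs.org", "npnjs[.]com", "npmjs[.]pro",
    "nprnjs.com", "npmjs-login.org", "login.npmjs.com.evil.net", "example.com",
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so that nmpjs is one edit away from npmjs rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def normalize_label(label: str) -> str:
    """Fold common look-alike sequences to the ASCII letters they imitate."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def classify(domain: str) -> Optional[str]:
    """Return a reason if the domain looks like an npmjs impersonation, else None.

    Accepts defanged input (npnjs[.]com) as well as plain domain names.
    """
    d = domain.strip().lower().replace("[.]", ".").rstrip(".")
    if d in OFFICIAL or any(d.endswith("." + o) for o in OFFICIAL):
        return None                              # official domains and their subdomains
    labels = d.split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    if sld == BRAND:
        return f"brand on unofficial TLD .{tld}"
    if normalize_label(sld) == BRAND:
        return f"homoglyph of {BRAND}"
    if osa_distance(sld, BRAND) <= 1:
        return f"edit distance 1 from {BRAND}"
    if BRAND in sld:
        return f"brand embedded in label {sld}"
    if any(BRAND in normalize_label(lab) for lab in labels[:-2]):
        return "brand in subdomain label"        # e.g. login.npmjs.com.<unrelated domain>
    return None


def scan(domains) -> dict:
    """Map each flagged domain to the reason it was flagged."""
    result = {}
    for dom in domains:
        reason = classify(dom)
        if reason:
            result[dom] = reason
    return result


if __name__ == "__main__":
    for dom, reason in scan(SAMPLE_DOMAINS).items():
        print(f"{dom:28} {reason}")
```

The ordering of the checks matters: the official-domain test runs first so that legitimate subdomains such as www.npmjs.org are never flagged, and the cheap exact-brand and homoglyph tests run before the edit-distance test so each hit carries the most specific reason. Feed it newly registered domains from a zone feed rather than the constructed list to use it as an early-warning screen.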
Stage 1: Homepage Lure
This is the initial landing page of the phishing site, designed to build trust and initiate the login flow.
The page's “Sign In” button is a relative link. On the malicious domain, clicking it sends the user to the /login path on the attacker's server, not to the legitimate npmjs[.]com. The attacker's server logs the request and serves the fake login page (Stage 2) in response.
Stage 2: Initial Credential Capture
After being funneled from the fake homepage, the user is presented with the fake login form.
The form's action="/login/" sends the submitted username and password to a script on the attacker's server, which captures and logs the credentials. It then uses them to initiate a login attempt on the real npmjs[.]com, which triggers a legitimate email OTP to be sent to the victim. At this point the user's primary npm credentials (username and password) are compromised, and the next stage is to retrieve their MFA/OTP code.
Stage 3: MFA / OTP Code Interception
The attacker's server immediately presents a page to intercept the second-factor authentication code.
This form captures the value from the name="otp" field and sends it to the /login/email-otp endpoint on the attacker's server. The user receives a real OTP via email (triggered by the attacker), which reinforces their belief that the process is secure. The attacker's server receives the valid OTP and now possesses all information required to hijack the account.
Stage 4: Session Hijack and Evasion
This final stage is a server-side action to complete the attack.
The attacker uses the captured credentials and OTP to establish their own authenticated session on the real npmjs[.]com, then redirects the victim to avoid suspicion. The victim's browser lands on the real npm sign-in page, so they assume the login simply did not go through, while the attacker now holds full, authenticated access to the victim's npm account. The victim remains unaware that their account has been compromised.
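The four-stage flow above as an added local simulation, not code from the article and not npm's login implementation: a stand-in “real site” that issues an e-mailed OTP after a correct password, a phishing server that logs and replays whatever the victim submits, and a WebAuthn variant in which the signed client data carries the origin of the page the victim is actually on. Users, passwords, keys, the e-mail “inbox” and the assumed origins (https://www.npmjs.com for the real site, https://npmjs.pro for the phishing page) are all constructed; nothing contacts a network.

```python
"""Local model of the four-stage relay above, and why WebAuthn origin binding breaks it.
Added example: not the article's code and not npm's implementation. Users, passwords,
keys, origins and the e-mail "inbox" are constructed; nothing here touches a network."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

REAL_ORIGIN = "https://www.npmjs.com"   # assumed origin the genuine site expects to see
PHISH_ORIGIN = "https://npmjs.pro"      # assumed origin of the look-alike page


def canonical(client_data: dict) -> bytes:
    """Deterministic encoding of the client data an authenticator signs over."""
    return json.dumps(client_data, sort_keys=True).encode()


@dataclass
class RealSite:
    """Stand-in for the genuine login: password + e-mailed OTP, or WebAuthn."""
    users: dict                                        # username -> password
    webauthn_keys: dict = field(default_factory=dict)  # username -> HMAC key standing in for the authenticator key
    inbox: dict = field(default_factory=dict)          # username -> OTP "e-mailed" to the user
    pending_otp: dict = field(default_factory=dict)
    pending_challenge: dict = field(default_factory=dict)
    sessions: set = field(default_factory=set)

    def _issue_session(self) -> str:
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token

    def login(self, user: str, password: str):
        """Stage 2 replay target: a correct password triggers a genuine OTP e-mail."""
        if self.users.get(user) != password:
            return None
        self.pending_otp[user] = self.inbox[user] = f"{secrets.randbelow(10**6):06d}"
        return "otp-required"

    def verify_otp(self, user: str, otp: str):
        """Stage 3 replay target: the OTP is accepted from whoever presents it."""
        return self._issue_session() if self.pending_otp.pop(user, None) == otp else None

    def webauthn_challenge(self, user: str) -> str:
        self.pending_challenge[user] = secrets.token_hex(16)
        return self.pending_challenge[user]

    def webauthn_verify(self, user: str, client_data: dict, signature: str):
        """Origin binding: signed client data must name this origin (a real verifier also checks RP ID hash and counter)."""
        if client_data.get("origin") != REAL_ORIGIN:
            return None
        if client_data.get("challenge") != self.pending_challenge.pop(user, None):
            return None
        expected = hmac.new(self.webauthn_keys[user], canonical(client_data), hashlib.sha256).hexdigest()
        return self._issue_session() if hmac.compare_digest(expected, signature) else None


def victim_assertion(key: bytes, challenge: str, page_origin: str):
    """What the victim's browser produces: the requesting page's origin is baked into the signed client data."""
    client_data = {"challenge": challenge, "origin": page_origin}
    return client_data, hmac.new(key, canonical(client_data), hashlib.sha256).hexdigest()


class PhishingServer:
    """The attacker's site: logs what the victim submits and replays it to the real site."""
    def __init__(self, real: RealSite):
        self.real, self.loot = real, {}

    def stage2_login(self, user: str, password: str):
        self.loot[user] = {"password": password}
        return self.real.login(user, password)      # the victim now receives a genuine OTP e-mail

    def stage3_otp(self, user: str, otp: str) -> str:
        self.loot[user]["otp"] = otp
        self.loot[user]["session"] = self.real.verify_otp(user, otp)
        return REAL_ORIGIN + "/login"               # stage 4: bounce the victim to the real sign-in page


def run_otp_relay() -> tuple:
    """Returns (attacker_holds_valid_session, redirect_target)."""
    real = RealSite(users={"dev": "correct horse"})
    phish = PhishingServer(real)
    phish.stage2_login("dev", "correct horse")              # victim fills in the fake login form
    redirect = phish.stage3_otp("dev", real.inbox["dev"])   # victim copies the real OTP into the fake page
    return phish.loot["dev"]["session"] in real.sessions, redirect


def run_webauthn_relay() -> tuple:
    """Returns (relayed_assertion_session, genuine_origin_session)."""
    key = b"authenticator-private-key-stand-in"
    real = RealSite(users={"dev": "correct horse"}, webauthn_keys={"dev": key})
    # The phishing server forwards (client_data, signature) unchanged, so calling the real
    # verifier directly is the same exchange; the victim signed while on PHISH_ORIGIN.
    relayed = real.webauthn_verify("dev", *victim_assertion(key, real.webauthn_challenge("dev"), PHISH_ORIGIN))
    genuine = real.webauthn_verify("dev", *victim_assertion(key, real.webauthn_challenge("dev"), REAL_ORIGIN))
    return relayed, genuine
```

Running run_otp_relay() shows the e-mailed OTP ending up as a valid session in the attacker's hands together with the redirect to the real sign-in page; the real site cannot tell that the code was typed into a different domain. run_webauthn_relay() returns None for the relayed assertion because the signed client data names the phishing page's origin, while the same key asserting on the genuine origin succeeds. In a real browser the failure comes even earlier: a credential registered for the RP ID npmjs.com is not offered on a host like npmjs.pro at all, and the server-side origin check shown here is the backstop.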
Conclusion
This detailed attack flow for credential theft and account takeover shows that classic credential harvesting tactics remain highly effective. As our reliance on shared software supply chains grows, developer vigilance has never been more important. While multi-factor authentication (MFA) is an essential defense, this example shows that OTP codes are only as secure as the domain they are entered into: a relay like this one forwards the code to the real site within its validity window, so the code proves nothing about where it was typed. Always verify the URL in your address bar before entering credentials, and consider adopting phishing-resistant MFA, like hardware security keys, to truly secure your accounts.
IOCs
The provided IOCs are recently registered typosquatted domains of NPMJS.