And now we enter the belly of the beast.

Summer is in its full effect in the United States as many of us return from the surface of the sun Hacker Summer Camp in Las Vegas (covered in a separate post here). Post-BlackHat and DEF CON also arrives with an abundance of gifts for practitioners and researchers: the publication of tons of new research. As always, the items linked below aren’t intended to be a round-up but rather what caught attention internally, having stood out from the rest. 

The rest of the year looms, but not without hope. 

There are some signs that spending freezes are easing up and hiring may be easing up. Even in this heat, that’s cold comfort for those in the middle of the job hunt. It’s never been harder or more filled with frustration, dead ends, and deeper hazards like identity theft or financial scams. If you’re in a place to help, try to do what you can. 

If you’re still on the hunt, keep pushing, and get through however you can. 

Podcasts

Adversary Universe from Crowdstrike - Live at Black Hat: What’s AI Really Capable Of? - 33min - Good, grounded (but relatively upbeat) perspective on AI capabilities for both defenders and attackers. Also some interesting recent attack campaigns seen, including one with convincing multi-persona smishing threads (no evidence of AI in this latter, yet). 

CyberWire Research Saturday - Beyond the smoke screen - 22min- Excellent interview with Dr. Renee Burton of Infoblox Threat Threat Intel detailing their extensive work on the VexTrio cybercriminal group. They gave a great BlackHat briefing on this topic, and the interview is similarly compelling in both technical and behavioral aspects.

Prompt||GTFO - Youtube playlists for episodes one, two, three - ~90min each - Fascinating series of “prompt pits” in which mostly infosec practitioners get together to share use cases and experiences with AI, with a strict “no slides” rule, demos only. Not an endorsement of AI, but interesting to see how practitioners are using it, and most views involved are pretty reasonable and experience-driven. 

Articles

Infoblox - VexTrio Origin Story, Unmasked, and Inside the Robot - A three-part investigation highlighting world class-level research by Infoblox Threat Intel into the evolution, behavior, and technology of a major adtech-related spam and scam actor. Highly recommended to read all three in order to get a better idea of what you end up looking at in the wild. 

Analyst1 - Ransomware Diaries Volume 7: “I Had to Take the Guilt For Everyone” – The Kaseya Hacker Breaks His Silence - Jon DiMaggio’s DEF CON talk with Jon Fokker gripped a full theater for an hour, and the accompanying blog post is even better. There are few investigators on his level, and even fewer storytellers.

Wunderwuzzi - Claude Code: Data Exfiltration with DNS (CVE-2025-55284) - Okay. So. I’m trying to be less adversarial towards GenAI, really I am. But when you allowlist a bunch of bash commands for your autonomous agent and include DNS lookups, you clear a direct path for a long-known and well-researched data exfiltration and command & control method. And then I have to get all mad and shouty again. 

RiskyBulletin - Hackers sabotage Iranian ships at sea, again - “According to an analysis of the leaked files, the group hacked the company's network, identified all maritime communications terminals in its MySQL database, and then deployed malicious code to each ship's satellite terminal that wiped its disk storage.” 

TechCrunch - North Korean spies posing as remote workers have infiltrated hundreds of companies, says CrowdStrike - What I can’t decide is if the seeming overwhelming success of this campaign is down to good execution on the part of DPRK or the sad, sad state of enterprise security, especially whenever it causes friction in hiring processes.

Cofense - Spain TLD’s Recent Rise to Dominance - Anecdotally I’d been seeing .es show up in my investigators more lately even before reading this, and once the article crossed my desk it made more sense. 

Research Papers and Reports

Greynoise Intelligence - Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities - Greynoise looked backward and found that in 80% of cases, a spike in attempted attacks on a particular technology presaged a CVE release for that technology within six weeks. Excellent work and findings, worth reading the full report. Also covered by Research Saturday interviewing Greynoise VP of Data Science Bob Rudis (30min). 

RecordedFuture - Cloud Threat Hunting and Defense Landscape - In which Insikt Group lays out five prominent attack vectors threatening cloud environments, including details on common misconfigurations as well as logging and hunting internally.

CAIDA - Hunting in the Dark: Metrics for Early Stage Traffic Discovery - “Using a metric for discoverability, we model the ability of defenders to measure Crackonosh traffic as the malware population decreases, evaluate the strength of various detection methods, and demonstrate how different darkspace sizes affect both the ability to track the malware, but enable emergent behaviors by exploiting attacker mistakes.”

arXiv - Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition - Results of wide-scale competitive testing across several dozen agents and models, with an eye to evaluating attack transferability and common vulnerabilities. Some significant findings, including limited correlation between size, robustness, or inference-time, meaning that the “better” and “bigger” models didn’t do better than the bargain basement models. 

Tools and Resources

CSO Online - CISA releases Thorium, an open-source, scalable platform for malware analysis - Curious to see where this goes, relative to NSA’s Ghidra.

Entertaining Reading

Wikipedia - The Berners Street Hoax - “Hook spent six weeks sending between a thousand and four thousand letters to tradespeople and businesses ordering deliveries of their goods and services to 54 Berners Street, Westminster, at various times on 27 November 1810.”

Details

Hunting for new malware delivery infrastructure often entails the identification and tracking of common techniques to deliver various stages of malware. Take malware-as-a-service providers for instance, some commonalities in a recent activity cluster entailed the use of hosted powershell scripts acting as a reference to the next malware to download and execute. 

Multiple clusters of stealer activity were observed through early July using PowerShell scripts as an intermediate stage for malware delivery. Creating multiple stages of delivery reduces the initial risk of exposing all malware and associated infrastructure if it is detected early on in execution. It may also slow down response investigations and analysis. 

Hunting for malicious web hosted PowerShell scripts can be as simple as using a Shodan query such as: http.html:"Invoke-WebRequest”.

Example Finding:
77.110.118.195 Resolved malicious domain “alababababa[.]cloud”.

A reused web-hosted powershell script to retrieve a malicious executable, build.exe, which it then starts as a new process.

Filename: build.exe
Sha256: 7ada4d7dfc00943780cb51ea182c7a221953cdabc394011204ba5cd8e4e8f0d3

This script acts as a trojan and connects to a commonly used C2 domain “anodes[.]pro”, which has communicated with more than60 malicious files in the past 2 months, including multiple stealer malware families such as Amadey, Lumma,  Luca, DeerStealer, and RedLine as well as other malware families Rugmi, BlackBasta and DarkGate.

Expanding on the domain behavior in VirusTotal, one additional DeerStealer sample was identified, which also used the same C2 domain. 

Sha256: bd269a6328de0e534f4d8c3a42ea88a4343168053f63da0da95318f4ed17e705

Expanding on the associated infrastructure of the identified intermediary domain “alababababa[.]cloud” through domain registration overlaps identified potentially related activity.

• NameServer: cloudflare[.]com
• IP ISP: CloudFlare Inc
• Address: compliance_abuse[@]webnic[.]cc
• Registrar: WebNIC
• SSL Issuer: WE1

‍

Repeating the previous steps identifies additional malware with commonalities in stealer and C2 usage such as Amadey malware being observed with domain “hugevcdn[.]pro”.

Sha256: 02c158c63d28fd5be24424e41b70a7a361c9be8897590c0453b0d30bd6e0d842
C2: "185.156.72[.]96/te4h2nus/index.php

Similar but considerably higher volume to the C2 domain “anodes[.].pro”, the C2 IP 185.156.72[.]96 has been observed with over 2,700 malicious files communicating to it. Notably with many of the same wide range of malware-as-a-service families using it as a C2.  

In addition, many of the malicious files for LummaStealer and Amadey shared a common C2 IP “185.156.72[.]96” and overlaps with a previous LummaStealer IP “185.156.72[.]2”.

Both IPs are part of an obscure ASN (AS61432) TOV VAIZ PARTNER. This ASN has only one prefix (185.156.72.0/24), which shows only 1 out 719 BGP peer propagations for Hurricane Electric Services. The ASN claims Ukrainian origin and appears to only be propagated by 1 other ASN, AS50073 Webcraft Found LLC in Ukraine. This may generally suggest the ASN is part of a BPHS, bulletproof hosting service.

Example LummaStealer C2s associated to IP 185.156.72[.]2 and 185.156.72[.]96 and anodes[.]pro

‍

Noting a reused SSH certificate “hash:896675070” and “hash:-434889431” from the C2 IP address identifies several historic overlaps such as the following recent IPs:

‍

In addition to indications that the large cluster of malware employs Amazon CloudFront, Amazon Global Accelerator EC2s, and Github user content being used to store and distribute malware. All of which create challenges in proactively blocking malicious domains.

Example 1:
https[:]//raw.githubusercontent[.]com/peterson643eu/projecttop/36b05b6030459ba5435705d8b91aae11f0ba268b/NIOAHYWM.exe
https[:]//raw.githubusercontent[.]com/peterson643eu/projecttop/6fd8d0859aa9d3d300bf79f3da8032b04b1ed540/OURDUBDV.exe
https[:]//github[.]com/peterson643eu/projecttop/raw/refs/heads/main/OURDUBDV.exe

Makes request to http[:]//nexuswarps[.]shop/c
C2s: anodes[.]pro, multiport[.]shop

SSL Hash overlaps with a CloudFront IP resolving “70d9ae273c860e606f236c528381f9ca[.]cloudfront[.]net” suggests the CloudFront service may be used to relay traffic to another endpoint serving malware.

Sampling 200 of the communicating files with meaningful detection names in VirusTotal and limiting to the past 3 months there is an overrepresentative share of LummaC2 and Amadey.

Despite law enforcement takedowns targeting LummaStealer infrastructure in May 2025, it appears Lumma is still operating and continues to be a prominent choice. Though we speculate that this particular cluster of malicious activity decidedly experimented with alternative choices during the month of June and may have opted to continue operations with LummaStealer.  

Conclusion

Despite a May 2025 law enforcement takedown targeting LummaStealer, the malware family appears to remain active and a popular choice for threat actors, particularly through bulletproof hosting services (BPHS) IPs. This analysis of observed malicious activity, with a focus on C2 IPs 185.156.72[.]96 and 185.156.72[.]2 (both part of AS61432, a suspected BPHS), suggests that while there may have been some experimentation with alternative malware during June, operations have largely continued with LummaStealer.

IOCs

Hacker Summer Camp recedes into the rearview mirror and the world starts back up again.

Morning standup. Q3 sprint. Follow-ups and circle-backs. But perhaps we’re changed. Perhaps we re-enter the frays in a slightly different way, shedding data of a marginally changed nature. Philosopher and media theorist Marshall McLuhan said that as a species, “We look at the present through a rear-view mirror” in our “march backwards into the future.”

He continued: “Because of the invisibility of any environment during the period of its innovation, man is only conscious of the environment that has preceded it; in other words, an environment becomes fully visible only when it has been superseded by a new environment.”

Does the landscape after BSidesLV, Black Hat, and DEF CON count as a new environment? Could the information gleaned, hands shaken, and drinks shared change us significantly going forward?

For my part, I always emerge from this week in Las Vegas and find my surroundings drawn into sharper relief. Finer lines mark more edges, but they also bring us together in more ways, if we let them. Light sources are brighter, or revealed as so bright they hid now-revealed details, like a message written on the lightbulb only visible in the briefest of moments upon flicking the switch off. 

McLuhan’s observation in mind, that may be my sign that our chaotic week of community each year marks a new environment, superseding the old and making the latter finally visible. 

Or perhaps that I just need more sleep this year.

—-------

Folks often pose the question: “Which is better, Black Hat or DEF CON?”

The real answer is, “It depends.” 

Black Hat starts the week out with everyone fresh and wide-eyed, staring down the barrel of at least six days of scrambling if they attend both conferences. It is to my benefit that we take care of the business end first before the social and sensory overwhelm hits - I’m much more articulate and sociable, moving mountains to meet practitioners, collaborators, and customers. Discussions are more hard-nosed, shorter, and more focused. Metrics rule the day.

That being said, Black Hat is a delight of a different sort. It’s a much more focused and organized entity rather than creeping chaos. Meeting up with other practitioners and talking shop involves a lot less small talk, with a substantial chunk of theory discussion and an even larger space held to talk practice. 

Plus, less bare concrete. 

One highlight of my Black Hat arrived early; my first briefing was From Prompts to Pwns: Exploiting and Securing AI Agents, presented by NVIDIA AI Red Teamers Rebecca Lynch and Rich Harang. Lynch and Harang began by providing an excellent technical foundation. Points included LLM compromise as enabled by a “universal anti-pattern” that allows for the attacks, as well as agentic autonomy classifications and their relation to both systems architecture and the introduction of nondeterminism into the system. They then pivoted to the practical nature of their red teaming and the realities that informed it. LLM guardrails are mostly just other LLMs performing checks, and so subject to similar attacks. And since these platforms are often crawling the web, the ability to introduce untrusted content spans the entire Internet. Specific technical observables included Cursor rules files, ASCII smuggling, and more. And the idea that malicious actors can more effectively use LLMs to socially engineer the user than other technologies was a brilliant insight.

The talk was equal parts funny and grim, and I’m now hungry to see more from NVIDIA’s AI Red Team.

Another highlight came from the venerable Threat Intel team at Infoblox, No Hoodies Here: Organized Crime in AdTech. The talk revolved around long-term and fascinating research around spam & scam cybercriminals VexTrio, accompanied by the second in Infoblox’ blog series on the group (you can find the first post here). Their research laid bare the evolution of VexTrio into an adtech powerhouse of villainy, complete with Instagram photos of their fast cars, lavish meals, and expensive boats. A deep understanding of both the technologies involved and the human behavior behind them emerged through excellent research and storytelling.

—-------

DEF CON is, of course, an entirely different animal. It’s about one-tenth the price, and I’d guess at least twice the size of Black Hat. And the chaos only ends where the concrete does too (that’s not hyperbole by the way, the floors are all concrete, bring good shoes and ibuprofen).

Now that DEF CON has moved to a single venue it’s become a little more manageable, and staff learned the ins and outs of the new complex last year and applied those lessons to great effect. Attendance is much wider spread than Black Hat, with enthusiasts and other kinds of technologists in attendance. 

There’s more swagger, but there’s also more joy; folks assembling under an umbrella of energetic curiosity and irreverence and self-organizing across a number of villages as well as the main stage talks. 

We were able and honored to show up to and share with DEF CON 33 in a big way three separate talks in three separate villages. 

DNS Scavenger Hunt
Security Advisor Malachi Walker gave an interactive talk at the Blacks in Cyber Village: Following Threat Actors’ Rhythm — to Give Them More Blues. The talk provided indicators to follow around threat actor activity and then engaged the crowd in a DNS-based scavenger hunt from the terminal.

Malware in DNS
Malachi Walker and Senior Security Operations Engineer Ian Campbell spoke on investigative findings in the Malware Village: Plain TXT, Malicious Context: Uncovering DNS Malware. Included were DNS investigation basics, and then several real-world examples of DNS TXT records being used for malware storage and retrieval as well as the step-by-step detection specifics. There’s a bonus round at the end of the slide deck for folks interested in domain mysteries!

Pre-Identifying DNS Wildcards: A New Standard of Care
CISO and Head of Investigations Daniel Schwalbe presented original research and enablement at Recon Village. Informed by a DEF CON 31 win at the Subdomain Enumeration Contest, an alternative method identifying 100 times the winning results required a parallel new solution to identifying and removing wildcarded domains.

Of course, other folks were there too. A LOT of them, actually. And many giving great talks on stages or in villages. Yale Grauer in the Crypto and Privacy Village on Cyber Defenses, cooperq and oopsbagel in the hackers.town community on Rayhunter Internals, and our friend Jon DiMaggio co-speaking with Jon Fokker on the Track 5 stage spilling the tea about a REvil actor, to name just a few. This latter was a fantastic talk that showed the deep and inextricable connection between ransomware observables, human behavior, and group dynamics with substantial realness. 

Summer in Las Vegas is always hot, and uncomfortable, and packed with people. But at the same time, filled to the brim with joy and curiosity, serious business alongside frenetic nerdery. Different but often parallel strains of justice running through many diverse communities celebrating their uniqueness and their shared loves and interests simultaneously. 

I don’t know of another week like it anywhere, and I wouldn’t have it any other way.

(except for maybe the concrete floors.)

Join our teams as they share their DEF CON talks on Tuesday, September 30: https://www.domaintools.com/defcon-session-recap-customer-webinar/

It is a lovely day in information security,

and you are a horrible goose.

We’re a week away from Hacker Summer Camp, and I’m curious: similar to the writer conversation of “plotters versus pantsers” are your shenanigans all lined up in advance, or are your Vegas shenanigans more opportunistic and inspired by the moment? Do you carefully clean and arrange your tools, pack and unpack and repack in advance? Or do you live off the land and a few strips of rusty aluminum stripped from a can of Surge in 1997 and tucked in your wallet ever since?

Unless of course you’re the type of person to avoid shenanigans. Apparently those people exist.

This year’s Hacker Summer Camp includes some steam to vent. We’re charging into the desert amidst a cloud of hot dust and exploited Sharepoint embers, a mass-breach of women’s data after they sought safer dating, a new technology seemingly bent on speedrunning all the lessons computing has learned the hard way, and that’s not even getting into this year’s complexities around domestic agency capabilities. Everything considered, it’s enough to turn to nihilistic partying to cope.

But what I expect to see more of, what I’ve seen from the various clusters assembling for BlackHat, DEF CON, and BSides Las Vegas, is community. It’s our strongest power and our greatest defense. It’s often said that the Internet perceives censorship as damage and routes around it; and there may be drama, there may be dark points, there may be jerks, but community can react to damage the same way. And in many cases, it is.

Find the others. Reach out. Make grand collaborative plans, scale them back, amplify them further. Make room for the quieter voices. And don’t forget to make time to play.

Next week, let’s come to play. 

Podcasts

Lawfare - The Double Black Box: Ashley Deeks on National Security AI - Excellent, thoughtful exploration of ‘the idea that the use of artificial intelligence in the national security space creates a "double black box." The first box is the traditional secrecy surrounding national security activities, and the second, inner box is the inscrutable nature of AI systems themselves, whose decision-making processes can be opaque even to their creators.’ I picked up Deeks’ book immediately after listening to the podcast.

Srsly Risky Biz - Four key players drive Scattered Spider - Some interesting conclusions coming out lately. For instance, incident response investigators cross-referencing incidents attributed to SCATTERED SPIDER keep running across the same voices in voice-delivered social engineering attacks. Also, a few folks playing “Project Manager” roles. 

Articles

Okta - Okta observes v0 AI tool used to build phishing sites - Cheat-sheet style hint here: most Vercel-built sites have telltale DNS records CNAMEing back to vercel[.]com subdomains, and use vercel-dns[.]com nameservers. Maybe start building that into your detections and reassess once Vercel gets a handle on this. Looking at their nameservers for domains first seen July 28, I saw multiple career/application/hiring domains pretending to be from major corporations, several attempts at emulating the customer service platform of a major mobile provider, attempts to emulate adclick revenue and CRM platforms, and more. Just one day’s worth of new AI creations.

Proofpoint - NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods | Proofpoint US - Good work by Proofpoint here amidst a fascinating scam leveraging “net-30” type financing to get goods or services, and then vanish. 

Resecurity - Cybercriminals Attack Seychelles – Offshore Banking as a Target - Well. That’s a shame.

The Record - Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work - Within a few days they started shifting their nameservers, and the primary ASN moved behind another Russia-aligned BGP safewall for its announcements. One of these days I need to dive deeper into technical observations after international sanctions; if you’ve got good examples, please reach out. 

knostic.ai - Exposing the Unseen: Mapping MCP Servers Across the Internet - Knostic (the startup brainchild of Gadi Evron and Sounil Yu) doing some great foundational fact-finding here around how organizations are deploying Anthropic’s Model Context Protocol. Unsurprisingly, the news isn’t good. 

Cisco Talos - Cybercriminal abuse of large language models - General but good roundup on some of the malicious uses seen in the wild. 

Lawfare - AI and Secure Code Generation - I don’t necessarily agree with everything, but Geer and Aitel know their stuff and make some very good points. 

Reuters - China-linked hackers target Taiwan's chip industry with increasing attacks, researchers say 

DTI - Malware in DNS - This was a quick but clever piece by one of our researchers that struck far louder chords than we expected. 

FT - Disinformation warriors are ‘grooming’ chatbots - LLM-grooming is the new cache poisoning, pass it on.

Research Papers and Reports

Censys - 2025 Sate of the Internet Report 

WEIS - Examining Newly Registered Phishing Domains at Scale 

Tools and Resources

INTERPOL - INTERPOL launches our new external newsletter  

Quad9 - Globe of Wonder - The good folks at Quad9 DNS have open-sourced their visualization tool for mapping realtime events onto a view of the Earth. 

Recent reports of hiding images in DNS records inspired an exploration for such files in the wild from passively collected DNS records available in DNSDB Scout. Put very simply, files can be partitioned and stored in DNS TXT records. They can then be retrieved via DNS requests and put back together. This also means these files may persist until the DNS server removes the records or overwrites them thereby providing a form of unwitting file or data storage. The initial report detailed the partitioning of image files and converting them to hexadecimal before issuing writes to a domain’s TXT records. For that reason, we began a search at the beginning of DNS RDATA TXT records for magic file bytes in hexadecimal format for a wide range of executables and common file types using regex patterns such as the following:

^"((ffd8ffe[0-9a-f].{12,})|(89504e47.{12,})|(47494638[79]61.{8,})|(255044462d.{10,})|(504b0304.{12,})|(4d5a.{16,59}|4d5a.{61,})|(7f454c46.{12,})|(c[ef]faedfe.{12,})|(1f8b08.{14,})|(377abcaf271c.{8,})|(526172211a07.{8,}))

One of the findings from 2021-2022 were TXT records beginning with the magic sequence for an executable file header.

C83464356139303030303330303030303030343030303030306666666630303030623830303030303030303030303030303430303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030306538303030303030306531666261306530306234303963643231623830313463636432313534363836393733323037303732366636373732363136643230363336313665366536663734323036323635

The same .exe header value was seen on 3 different domains, each sharing the same subdomain pattern. 

Digging into one of the domains, “*.felix.stf.whitetreecollective[.]com.”, we see that it has several hundreds of iterated subdomain integer values each with different TXT RDATA values. This suggested that they were fragmenting the .exe file across all the subdomains using the integer value to track the correct sequence.

By exporting the json of the domain TXT records and having a Generative AI throw a script together to piece the file back together in the correct order, we were able to observe the SHA256 file hashes of the files stored in DNS TXT records:

• 7ff0ecf2953b8662ede1577e330a514f09992c18aa3c14ed77cf2ffc115b0866
• e7b22ba761a7f853b63933ffe517cc61596710dbdee992a429ac1bc8d04186a1

Both files appear to be Joke Screenmate malware. These are a form of prank software and may commonly exhibit the following behaviors once run on machines:

• Simulating destructive actions: The program might display fake error messages, fictitious virus warnings, or animations that mimic the deletion of system files, causing panic for the user.
• Interfering with user control: Some screenmates are designed to be difficult to close, may multiply on the screen, or actively evade the user's mouse cursor.
• Displaying unsolicited content: These programs can present a continuous stream of jokes, images, or animations that can be distracting and difficult to stop.
• System performance issues: Like any running application, they consume system resources, and poorly coded screenmates can lead to system slowdowns or crashes.

A brief review of other TXT records for the 3 domains opened another line of inquiry, malicious commands stored in TXT records. This was seen with multiple TXT records associated to drsmitty[.]com such as the following subdomain’s TXT record: 15392.484f5fa5d2.dnsm.in.drsmitty[.]com.

The command contains an encoded Powershell script that acts as a stager and connects to another domain: cspg[.]pw. The URL it requests (/api/v1/nps/payload/stage1) is the default endpoint for a Covenant C2 server to serve its next-stage payload.

Being that the stager script is stored in a DNS TXT record is not by itself enough, some other action would have to take place first on a system to retrieve and execute the script such as the following:

In summary, in 2021-2022 an actor was using DNS TXT records to store and possibly deliver ScreenMate malware and stagers for likely Covenant C2 malware infections. The same C2 domain was seen in another domain’s TXT record in July 2017, msg1.rickrick.qa.urab[.]org.