In an effort to share not just what we’re observing on the net but what we’re reading and listening to elsewhere, the below links are provided as an abbreviated digest of media being passed around within our team as well as what we’re seeing in the security community at large. Quotes from the source will be in quotation marks; any commentary from me will be in italics.

Spring can’t arrive soon enough! In our DTI satellite office outside of Boston, the snow is just starting to melt, and my excuses for staying home to paw through logs are declining with it. Meanwhile the industry is seeing chaos on multiple fronts, and fortunes for the rest of the year are anyone’s guess. The latest threat actor name to make us all rethink TA naming schemes is “Sticky Werewolf” but as they say - deciding to unite all the protocols just results in one more protocol for the list. 

Awoo.

Recommended Cybersecurity Podcasts

Vulnerable U - Is DeepSeek a Cybersecurity risk? - A well-stated, reasonable assessment of DeepSeek risks, without hype or dismissal. Worth 13 minutes of your time.

Adversary Universe - China’s Cyber Enterprise Grows: CrowdStrike 2025 Global Threat Report

Discarded - Hiding in Plain Sight: How Defenders Get Creative with Image Detection

Must-Read Cybersecurity Articles and Blog Posts

InformationIsBeautiful - The Most Common 4-Digit PIN codes - Very shiny, but also I’m always thinking about ways to visualize the spectrum of security versus insecurity, and this is an interesting method.

SpyCloud - Properly Cleaning and Gutting Your Phish: How Cybercriminals Are Vetting Victim Data - Really interesting research by SpyCloud here on some patterns in the wild worth knowing about in order to not hit a brick wall while thrunting.

InfoBlox - The Many Faces of DNS Abuse - Good, ground-level review. Nothing earth-shattering but can help get folks up to speed.

Cisco Talos - Weathering the storm: In the midst of a Typhoon

SpyCloud - First of 2025: Trending Cybercrime News & Analysis

RiskyBiz - BlackBasta implodes, internal chats leak online - “The leaker said they shared the data after one of the BlackBasta affiliates launched brute-force attacks targeting Russian banks—a move the leaker didn't agree with because they feared it would trigger an aggressive response from Russian authorities.” - A nice little peek behind the curtain. Also, starting to think that this is a wickedly effective disruption model for dealing with ransomware actors.

APNIC - Recent Cases of Watering Hole Attacks

Krebs On Security - How Phished Data Turns into Apple & Google Wallets - Incredibly good researching and reporting, absolutely worth the read to connect a bunch of disparate dots so you know what you’re looking at when it comes up in practice.

Chainalysis - 35% Year-over-Year Decrease in Ransomware Payments, Less than Half of Recorded Incidents Resulted in Victim Payments

404 Media - Anyone Can Push Updates to the DOGE[.]gov Website

GBHackers - New Darcula 3.0 Tool Generates Phishing Kits to Mimic Global Brands

Bloomberg - Microsoft Cancels Leases for AI Data Centers, Analyst Says - Things may get even more interesting if this is an early sign of the AI bubble bursting.

Washington Post - UK Orders Apple to let it spy on users’ encrypted accounts - Apple deactivated Advanced Data Protection in the UK as a result, leaving everyone less secure.

Web3IsGoingGreat - Over $1.4 billion taken from Bybit crypto exchange - Multiple places confirming this was Lazarus now, no surprise.

APNIC - BGP Zombies at NANOG 93

Latest Cybersecurity Research Papers, Reports, and Books

Recorded Future - The Convergence of Space and Cyber - I haven’t met a security nerd yet that isn’t also a space nerd, so this dovetails nicely! But it will still be outshined by hacking an alien mothership with a macbook, ID4 respect.

GreyNoise - 2025 Mass Internet Exploitation Report - CVEs, pre-KEV exploitation, ransomware, defense, and more.

Crowdstrike - 2025 Global Threat Report

Veracode - State of Software Security 2025 report

Ron Deibert - Chasing Shadows - A book from the director of Citizen Lab? YES PLEASE.

Essential Cybersecurity Tools and Resources Tools and Other Resources

DEF CON - DEF CON 33 Call Index - “Contests, Events, Villages, Parties, Talks, Workshops, Vendors, Press, Music... and more!”

Black Hat - Black Hat Call for Papers

Electronic Frontier Foundation (EFF) - Atlas of Surveillance - “Documenting Police Tech in Our Communities with Open Source Research”

In an effort to share not just what we’re observing on the net but what we’re reading and listening to elsewhere, the below links are provided as an abbreviated digest of media being passed around within our team as well as what we’re seeing in the security community at large. Quotes from the source will be in quotation marks; any commentary from me will be in italics.

Podcasts

CyberWire Research Saturday - The hidden cost of data hoarding - SpyCloud researchers on how Chinese state surveillance data gets sold privately as a side-hustle, as well as some significant differences from European state and criminal hacking.

ChinaTalk - DeepSeek r1 and the future of AI competition - Former OpenAI policy wonk provides some good background on the LLM that's got the market all a-twitter. If Chinese-related tech news, and especially AI, is of interest ChinaTalk is a great, current source.

Articles and Blog Posts

404Media - Hackers claim massive breach of location data giant Gravy - and the followup - Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location

Infoblox - Pushed Down the Rabbit Hole - "Once I visited the compromised site and accepted notifications, I was “pushed” into an ecosystem that not only delivered an endless torrent of malicious content but also colored the mainstream content that was delivered to me." - Really great post on the user-experience and device progression side of mobile compromise and malicious adtech. Very much looking forward to the rest in this series.

Krebs - MasterCard DNS Error Went Unnoticed For Years - 'All of the Akamai DNS server names that MasterCard uses are supposed to end in “akam.net” but one of them was misconfigured to rely on the domain “akam.ne.” ...discovered recently by Philippe Caturegli, founder of the security consultancy Seralys.'

WatchTowr - Backdooring your backdoors - (via Ian Campbell) - "Put simply - we have been hijacking backdoors (that were reliant on now abandoned infrastructure and/or expired domains) that themselves existed inside backdoors, and have since been watching the results flood in."

RiskyBusiness - Threat actor impersonates FSB APT for months to target Russian orgs

Sophos - Cybercriminals still not fully on board the AI train (yet) - "We noted that there does seem to have been a small shift, at least on the forums we investigated; a handful of threat actors are beginning to incorporate generative AI into their toolboxes. This mostly applied to spamming, open-source intelligence (OSINT), and, to a lesser extent, social engineering... However, as before, many threat actors on cybercrime forums remain skeptical about AI."

CNBC - China’s DeepSeek AI dethrones ChatGPT on App Store: Here’s what you should know - The DeepSeek fiasco has made apparent some deeper market undertones that don't inspire me with a lot of confidence for AI/LLM industries in general. What's more interesting to me, though, is that most of what's being reacted to is at least a month old, if not multiple months old, thanks to filings and releases from DeepSeek. Bit of a Sputnik moment, if Sputnik had instead crashed on a Bay Area lawn and started speaking in tongues.

SpyCloud - 2024 in Review - I know year-in-review posts are a dime a dozen, but this is one of the better ones I've read lately.

ESET - PlushDaemon compromises supply chain of Korean VPN Service 

Tenable - Salt Typhoon: An Analysis of Vulnerabilities Exploited 

LetsEncrypt - Announcing Six Day and IP Address Certificate Options - HR has politely asked me to avoid vulgarities when discussing six-day SSL certs.

DarkReading - New Docuseries Spotlights Hackers Who Helped Shape Cybersecurity - Highly anticipating this series, especially with Biella Coleman involved. Bonus: one of the interviewees is Mike Schiffman, who many of us worked with back at Farsight Security prior to the DomainTools acquisition. Mike is both brilliant and hilarious.  

TechCrunch - Edtech giant PowerSchool says hackers accessed personal data of students and teachers

AP - Trump pardons founder of Silk Road website

Research Papers and Reports

arXiv - DarkGram: A Large-Scale Analysis of Cybercriminal Activity Channels on Telegram - Provided with the caveat that arXiv is largely pre-print material, though this paper appears to have been accepted to USENIX.

Google - Google Cloud H1 2025 Threat Horizons Report - PDF link.

APNIC - Impact of scanning on authoritative nameservers 

APNIC - IP addresses through 2024

APNIC - BGP in 2024

APNIC - RPKI 2024 year in review

Tools and Resources

FIRST - DNS abuse techniques matrix

BIML - Berryville Institute of Machine Learning Bibliography - BIML adds machine learning security papers to this bibliography after being read by their research group, along with a "top 5" list. Great curated resource for MLsec.

Following public reports of cyber threat activity, it’s generally expected adversary groups behind the activity will take a step back and change their tactics to avoid any further prying eyes from the security community. With regards to TrickBot, that remains to be so. TrickBot is a banking trojan and has been actively targeting mobile phones for financial gain. 

Following multiple public reports in September and October, TrickBot operators have continued operating with largely the same domain registration patterns and infrastructure as before.

Details

The relatively unique domain registration patterns shown below isolate on a small set of domains with new domains being registered every week. Most resolve to overlapping IP addresses and host plain login pages. 

‍

‍

Previous reports by Cleafy and Zimperium indicated lapses in operational security by the TrickBot operators, which resulted in exposed filestores on their C2 servers. These observed /site/login pages on several of the suspected C2 domains may be an attempt to address those prior security lapses.

‍

‍

‍

Broadening the scope slightly from the identified domain registration details, potentially unrelated domain masquerades were identified with spoofs of online banking websites, pre-paid card services, and malicious files associated with alleged Coinbase passkey setup files. 

Domains spoofing as Target’s Circle Card, formerly known as RedCard

‍

Website Title: TargetCC / Sign In Domains: targetcvv[.]shop targetcvv[.]cc targetcvv[.]com targetcvv[.]vip

‍

Separately, a presumably staged domain with an open filestore was identified. The guide.txt and coinbase.passkeysetup files both resolve the content for a script to invoke a web request to download a malicious file named x.exe at another URL. 

‍

Domains: passkeysetup[.]com
URLs: https[:]//passkeysetup[.]com/coinbase.passkeysetup[.]com/guide.txt
Downloads x.exe and site content displays google[.]com URLs: http[:]//93.123.109.39/x.exe Sha256a3c24af9e8a6c5361d34d030b53203b96f6635c540f442d807d732097493feda

‍

Conclusion

Operators of banking trojans like TrickBot are increasingly sophisticated in their approaches to compromise financial security but are not immune to operational security blunders. As this security researcher reminds themself often enough, just because someone does smart things, doesn’t mean they don’t also do dumb things. This has been demonstrated by the operators of TrickBot to the delight of security researchers on multiple occasions. 

[1] https://www.cleafy.com/cleafy-labs/a-new-trickmo-saga-from-banking-trojan-to-victims-data-leak
[2] https://www.zimperium.com/blog/expanding-the-investigation-deep-dive-into-latest-trickmo-samples/

IOCs

Executive Summary: 

• PRC cyber threat actors dubbed "Salt Typhoon" (as well as FamousSparrow and GhostEmperor) appear to be focused on infiltrating Internet Service Providers (ISPs) at this time.
  • Why is this important? “If hackers gained access to service providers’ core routers, it would leave them in a powerful position to steal information, redirect internet traffic, install malicious software or pivot to new attacks.”
• Unlike similar threat actor groups that include the name "Typhoon," Salt Typhoon looks to be geared towards intelligence collection as opposed to creating backdoors for the purpose of being an Advanced Persistent Threat (APT.)
• Suggestions for network defense include
  • Identify and mitigate living off the land techniques that could provide threat actors with an opportunity to infiltrate an enterprise network. (CISA resource)
  • Locate and remove or isolate unused and/or unpatchable legacy systems.
• Potential link to “shadow C2 infrastructure”
  • By having access to the Internet Service Provider of an enterprise network, a threat actor could manipulate the network from the inside.

Highlights:

- Binary Defense revealed details of how it uncovered PRC state-sponsored cyber actors inside a global aerospace engineering firm's network where they had been snooping around for four months. 

- "I can't really comment on the connection between the incidents, but I can say that given the uptick in Chinese-linked attacks against critical infrastructure supply chains, ISPs, and core internet devices there is a clear strategy at play where attackers are aiming to identity and exploit logical choke points in our society to take control of the flow of information and supplies," Binary Defense Director of Security Research John Dwyer told The Register today when asked about a possible Salt Typhoon connection.

- As recently as August, another Typhoon gang — Volt Typhoon — was accused of hiding in American networks after exploiting a high-severity bug in Versa's SD-WAN software.

- WSJ article states Salt Typhoon threat actors attempt to gain critical data from broadband service providers, has been going on for months and has been linked to China by U.S. government investigators. The reason for targeting broadband providers, in particular, is to take control of those providers’ systems and, from there, access their data and possibly launch a separate cyberattack from within their networks.  

- CISA Executive Assistant Director for Cybersecurity Jeff Greene told us the agency is aware of the report of the compromised ISPs, and said that China is known to be infiltrating all manner of critical targets, who have compromised the IT environments across multiple critical infrastructure sectors and organizations.

- China's Salt Typhoon cyber spies spotted deep inside US ISPs
Activity is confirmed, govt aid provided.
No advisory on mitigations for customers at this time

Resources:

Chinese spies spent months inside aerospace engineering firm's network via legacy IT
(The Register, 18 September 2024)
https://www.theregister.com/2024/09/18/chinese_spies_found_on_us_hq_firm_network

China's Salt Typhoon cyber spies are deep inside US ISPs
(The Register, 25 September 2024)
https://www.theregister.com/2024/09/25/chinas_salt_typhoon_cyber_spies

China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack
(The Wall Street Journal, 26 September 2024)
https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835

China-linked APT group Salt Typhoon compromised some U.S. internet service providers (ISPs)
(Security Affairs, 26 September 2024) – see graphic below
https://securityaffairs.com/168941/apt/salt-typhoon-china-linked-threat-actors-breached-us-isp.html 

Salt Typhoon Cyberattack Targets U.S. Broadband Service Provider
(TeleCompetitor, 27 September 2024)
https://www.telecompetitor.com/salt-typhoon-cyberattack-targets-u-s-broadband-service-providers/

Image Source: China-linked APT group Salt Typhoon compromised some U.S. internet service providers (ISPs) Security Affairs, 26 September 2024

Continues To Use Credential Phishing Infrastructure to Target Individuals Perceived as a Threat to the Iranian Regime

Since June 2024, the Iran-nexus actor CHARMING KITTEN (APT42, Mint Sandstorm, TA453) continues to create new network infrastructure consistent with what the Mandiant intelligence team identifies as Cluster B. Mandiant previously reported on this CHARMING KITTEN infrastructure cluster using credential phishing pages to target individuals perceived as a threat to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists. There are no confirmed targets of the new infrastructure; however, it is likely that the actor’s target scope remains focused on entities deemed a threat to the Iranian regime.

Details

Newly Identified Domains:

• growing-prices-advanced[.]top
• competitive-searchvolume-considered[.]top
• software-selection-features[.]buzz
• app-engage-station[.]help
• Horse-improve-department[.]top
• click-manage-room[.]cfd
• flow-exulltation-uplift[.]top
• house-server-digital[.]xyz
• interconnected-equipment-buildings[.]buzz
• nail-forward-valid[.]lol
• request-human-received[.]xyz
• paper-blue-hero[.]top

These domains were all registered since the publication of Mandiant’s blog with some registered as recently as September 2024.  The domains listed above share many similarities with domains previously attributed to Cluster B including:

• Similar TLDs: The new domains use TLDs such as ".top," ".buzz," and ".help," “.cfd,” “.xyz,” and “.lol” all of which were reported by Mandiant. 
• Hyphenated Naming Conventions:  The new domains continue to contain several words separated by hyphens.
• IP Overlap: All listed domains resolve to 135.181.203[.]1, an IP address assigned to the hosting provider, Hetzner, and used to host multiple Cluster B domains publicly reported by Mandiant.

Targeting

Specific targeting for these newly-identified domains is not known. However, public reporting indicates that Cluster B infrastructure commonly masquerades as login pages for Google, YouTube, and other file hosting services. The actor typically disseminates these credential harvesting pages through spear phishing emails that often pose as invitations to conferences or links to legitimate documents hosted on cloud infrastructure. 

The most recent specific targeting information for Cluster B includes multiple entities impacted during March 2024. This includes Cluster B infrastructure to target a news editor working for a Persian-language news television channel using a fake Gmail login page and to target Google, Microsoft, and Yahoo credentials from individuals in the research and academic sectors in the U.S., Israel, and Europe.

Conclusion

The newly identified domains indicate that the CHARMING KITTEN actor continues to be active in the wake of public reporting. It is likely that this new infrastructure is being used in a manner consistent with previously reported activity: targeted spear phishing used to direct intended victims to credential phishing pages. The actor’s target set likely continues to be focused on  entities deemed a threat to the Iranian regime. 

IOCs on GitHub

Find all IOCs on our GitHub.

Crypto News relayed widespread social media reports of Web3-related domain takeovers of Squarespace-held domains.

Wester European targeted SMS campaigns that are phishing for credentials and banking information.

1600+ were registered between 2024-06-19 and 2024-06-20.

200+ registrations in concert with financial or credential phishing

We see over 200+ billing-oriented TEPCO domains created in the last month with the same host. We suspect it’s a mass domain registration in concert with financial or credential phishing.

The domains and historical passive DNS records for the two IPs involved can be found in the GitHub link below. The pDNS may or may not include uninvolved domains, but many appear to be part of the same cluster or campaign.

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/tree/main/2024/TEPCO

195 domains registered and used for credential phishing pulled from a phish impersonating DocuSign using a click thru URL obfuscator.

Potential phishing on reregistering old, inactive vmware-related domains.

Suspicious campaigns registering thousands of domains across cheaper TLDs

We observed multiple suspicious campaigns recently auto-registering thousands of domains across cheaper TLDs such as .cfd and .bond. While their purpose is not yet apparent, and the two sets of events appear unconnected, here's what we've observed so far:

More than 10k domains in 3 days across .cfd registered through Aceville Pte. Ltd. with higher-than-average Iris risk scores fitting several pseudorandom-looking/DGA patterns. Examples:

388aqo001[.]cfd
4qwljn001[.]cfd
8hgsxe001[.]cfd

adix348002[.]cfd
adpzfsn002[.]cfd
aerx7v9002[.]cfd

91-yongjiudizhi-f19q4x8j-dpq[.]cfd
91-yongjiudizhi-q8hkazxp-sij[.]cfd

And several thousand .bond domains newly registered through Key-Systems fitting one of the following patterns:

security-jobs-#####
cyber-security-degree-#####
cyber-security-jobs-#####
homeland-security-jobs-#####
cyber-security-#####
security-surveillance-cameras-#####
home-security-#####
password-manager-#####