Industrial Spam Network
Overview
Domain hijacking attacks like subdomain takeover and SPF hijacking take advantage of vulnerable or stale configurations in a target domain. The vulnerable domains are then leveraged in spam or phishing campaigns or to spread malware. They can be particularly successful as they can take advantage of the target domain’s established reputation to subvert spam filters and other reputation-based detections.
Subdomain Takeover
In the case of subdomain takeover, attackers look for subdomains that are configured to point to a service that does not appropriately handle subdomain ownership verifications.
Attackers can identify subdomains pointing to other services by using a range of openly available tools such as Sublist3r, Assetfinder, and Recon-ng. Attackers would then check for vulnerable services, such as those that allow custom domain names like GitHub Pages or AWS S3, or look for domains that continue to point to services that no longer exist.
Exploiting these vulnerable domains allows the attacker to host malicious content such as phishing pages or malware from the domain. This type of attack may allow for “subdomailing”, which refers to the type of email spoofing attack that leverages subdomains of a legitimate domain to send fraudulent emails.
Example DNS log of a potentially vulnerable subdomain:
mail.vulnerable-domain[.]com. IN CNAME pages.githubusercontent[.]com.
This shows that mail.vulnerable-domain[.]com points to GitHub Pages. If, for example, the associated GitHub Pages repository were deleted and the DNS record left unchanged, an attacker could re-create the deleted repository under the same name, in effect allowing the attacker to control the content of the target domain.
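A defender can look for this condition in their own zone before anyone else does. The following is an added example, not code from the original report: it follows CNAME chains in a constructed zone export and reports names that end at a third-party hosting resource missing from an inventory of resources the organisation still controls. The zone, the inventory and the suffix table are assumptions made for illustration.

```python
# Constructed zone export (name, type, target) and the set of third-party
# resources the organisation still controls; all names are placeholders.
ZONE = [
    ("mail.corp.example.", "CNAME", "corp-mail.github.io."),
    ("docs.corp.example.", "CNAME", "corp-docs.github.io."),
    ("assets.corp.example.", "CNAME", "corp-assets.s3.amazonaws.com."),
    ("www.corp.example.", "CNAME", "edge.corp.example."),
    ("edge.corp.example.", "A", "192.0.2.10"),
    ("old.corp.example.", "CNAME", "legacy.corp.example."),
    ("legacy.corp.example.", "CNAME", "corp-legacy.github.io."),
]
OWNED = {"corp-docs.github.io", "corp-assets.s3.amazonaws.com"}

# Hosting suffixes where a hostname can be claimed by whoever registers the
# resource name (illustrative, not exhaustive).
THIRD_PARTY_SUFFIXES = {
    ".github.io": "GitHub Pages",
    ".s3.amazonaws.com": "AWS S3",
}


def norm(name):
    """Normalise a DNS name for comparisons."""
    return name.rstrip(".").lower()


def audit_zone(zone, owned_resources):
    """Return (name, final_target, service) for CNAMEs that end at a
    third-party resource missing from the inventory of owned resources."""
    cnames = {norm(n): norm(t) for n, rtype, t in zone if rtype.upper() == "CNAME"}
    owned = {norm(r) for r in owned_resources}
    findings = []
    for name in sorted(cnames):
        target, seen = cnames[name], {name}
        # Follow CNAME chains inside the zone; `seen` guards against loops.
        while target in cnames and target not in seen:
            seen.add(target)
            target = cnames[target]
        service = next((svc for suffix, svc in THIRD_PARTY_SUFFIXES.items()
                        if target.endswith(suffix)), None)
        if service and target not in owned:
            findings.append((name, target, service))
    return findings


if __name__ == "__main__":
    for name, target, service in audit_zone(ZONE, OWNED):
        print(f"{name} -> {target} ({service}): no matching resource in inventory")
```

Each finding is a record to remove or re-point, or a resource to re-claim, before the name can be registered by someone else.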
SPF Hijacking
In contrast to subdomain takeover, SPF hijacking occurs when an attacker gains access to a target’s DNS records, either via the registrar or by exploiting vulnerabilities in the DNS infrastructure. Once the attacker has access, they can modify the SPF record of a domain. For example, the attacker could add one of their own domains to the target domain’s SPF record. In effect, this would allow the attacker to send emails that would appear to originate from the target’s domain.
Example DNS log of a vulnerable SPF record:
vulnerable-domain[.]com. IN TXT "v=spf1 mx -all"
Example attacker tool to modify a DNS record of a target domain:
pdnsutil modify record vulnerable-domain[.]com TXT 'v=spf1 mx attacker-domain[.]com -all'
Example DNS log of the compromised SPF record for domain insertion:
vulnerable-domain[.]com. IN TXT "v=spf1 mx attacker-domain[.]com -all"
In the examples above, pdnsutil, a powerful DNS management tool, is used to modify the “TXT” record of a vulnerable domain to include the attacker’s domain in a new SPF record: "v=spf1 mx attacker-domain[.]com -all".
Hunting
We pivot off a February 2024 report by Guardio, which detailed a large campaign of subdomailing activity involving two attacker domains inserted into vulnerable DNS records:
harrisburgjetcenter[.]com greaterversatile[.]com
Equipped with knowledge about domain takeover attacks, we can hunt for characteristics of subdomain takeover and SPF hijacking.
To start, we may take similar approaches to an attacker in which passive reconnaissance tools or historical DNS and web scanner data aggregators are leveraged to passively identify potentially vulnerable domain configurations.
Reviewing recent DNS records for actor domain greaterversatile[.]com in RDATA:
First Seen | RRNAME | RDATA |
2024-11-03 | tracks.vooyo[.]id. | “v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all” |
2024-08-04 | sync-me.co[.]uk. | “v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all” |
2024-08-02 | hangzhousccom.s5k.86sudu[.]net. | “v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all” |
2024-08-02 | alboan_lp.thephilanthropicapp[.]com. | “v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all” |
Breaking down the RDATA: "v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all"
- v=spf1: indicates it’s an SPF record version 1, the most commonly used version.
- include:harrisburgjetcenter[.]com: instructs the receiving mail server to consult the SPF record hosted on the domain harrisburgjetcenter[.]com. The receiving server will then use that record to determine if an email claiming to originate from the original domain is legitimate.
- include:greaterversatile[.]com: the receiving server will also consult the SPF record hosted on greaterversatile[.]com.
- -all: specifies a “hard fail” for any email that doesn’t pass the SPF check based on the included records. In other words, any email not authorized by the records from harrisburgjetcenter[.]com or greaterversatile[.]com will be rejected.
Reviewing recent DNS records for actor domain greaterversatile[.]com in RRNAME:
First Seen | RRNAME | RDATA |
2024-02-06 | greaterversatile[.]com. | “v=spf1 include:nostrezz[.]com include:discussionapps[.]com include:tessiesantiago[.]com include:winningwebs[.]com include:crowleylouisiana[.]com include:constancespry[.]com include:gigabytestores[.]com include:mailmyorder[.]com include:clothesforfit[.]online include:bamboozlebarges[.]com ip4:139.162.114.162 ip4:139.162.114.194 ip4:139.162.114.243 ip4:139.162.114.252 ip4:139.162.114.77 ip4:139.162.135.240 ip4:139.162.135.50 ip4:139.162.150.80 ip4:139.162.154.171 ip4:139.162.154.181 ip4:139.162.154.222 ip4:139.162.176.50 ip4:1” “39.162.154.43 ip4:139.162.186.198 ip4:139.162.186.64 ip4:139.162.34.36 ip4:139.177.176.124 ip4:139.162.36.56 ip4:139.177.176.143 ip4:139.177.176.189 ip4:139.177.176.34 ip4:172.104.115.104 ip4:172.104.115.106 ip4:172.104.115.110 ip4:172.104.110.219 ip4:172” “.104.120.48 ip4:172.104.115.112 ip4:172.104.132.134 ip4:172.104.115.113 ip4:172.104.159.162 ip4:172.104.115.114 ip4:172.104.159.25 ip4:172.104.159.45 ip4:172.104.115.131 ip4:172.104.115.134 ip4:172.104.115.135 ip4:172.104.115.143 ip4:172.104.115.145 ip4:1” “72.104.115.150 ip4:172.104.115.182 ip4:172.104.115.194 ip4:172.104.115.201 ip4:172.104.115.210 ip4:172.104.115.220 ip4:172.104.115.227 ip4:172.104.115.234 ip4:172.104.115.242 ip4:172.104.115.243 ip4:172.104.115.5 ip4:172.104.115.75 ip4:172.104.115.76 ip4:” “172.104.115.79 ip4:172.104.115.83 ip4:172.104.115.95 ip4:172.104.151.14 ip4:172.104.151.76 ip4:172.104.243.226 ip4:172.104.245.100 ip4:172.104.245.102 ip4:172.104.245.12 ip4:172.105.249.106 ip4:172.105.90.47 ip4:172.105.90.63 ip4:172.105.92.60 ip4:172.105” “.92.98 ip4:194.233.164.223 ip4:194.233.164.99 ip4:194.233.167.103 ip4:194.233.167.108 -all” |
2024-10-24 | greaterversatile[.]com. | “v=spf1 include:instanttranslates.dynu[.]net include:informationshout.dynu[.]net -all” |
The above DNS records show that the actor domain greaterversatile[.]com had SPF records in February 2024 that pointed to several domains and hundreds of IP addresses, and that in October 2024 the record was updated to point to two dynamic DNS domains.
Because they are grouped together in these SPF records, the following domains were likely also actor-owned during their respective times of association:
nostrezz[.]com discussionapps[.]com tessiesantiago[.]com winningwebs[.]com crowleylouisiana[.]com constancespry[.]com gigabytestores[.]com mailmyorder[.]com clothesforfit[.]online bamboozlebarges[.]com instanttranslates.dynu[.]net informationshout.dynu[.]net
In summary of the above records, if the domain tracks.vooyo[.]id sends email, the receiving mail server would attempt to validate the SPF records from the actor domains harrisburgjetcenter[.]com and greaterversatile[.]com, which would then be routed again to instanttranslates.dynu[.]net and informationshout.dynu[.]net.
The following DNS records for instanttranslates.dynu[.]net indicate additional SPF routing would take place.
First Seen | RRNAME | RDATA |
2024-10-21 | instanttranslates.dynu[.]net. | “v=spf1 include:universitygreatchoices.gleeze[.]com include:perfectdiplomaforyou.kozow[.]com include:neverstoplearning.dynuddns[.]com include:instantuniversityinscription.ddnsfree[.]com include:universityexchangeinfo.freeddns[.]org include:strategyandplansaction.fre” “eddns[.]org include:universitygrades.mywire[.]org include:resourcesanddocuments.gleeze[.]com include:multimedialearningskills.kozow[.]com -all” |
2024-10-21 | instanttranslates.dynu[.]net. | “v=spf1 include:universitygreatchoices.gleeze[.]com include:perfectdiplomaforyou.kozow[.]com include:neverstoplearning.dynuddns[.]com include:instantuniversityinscription.ddnsfree[.]com include:universityexchangeinfo.freeddns[.]org include:strategyandplansaction.freeddns[.]org include:universitygrades.mywire[.]org include:resourcesanddocuments.gleeze[.]com include:multimedialearningskills.kozow[.]com -all” |
2024-08-08 | instanttranslates.dynu[.]net. | “v=spf1 include:justifyintegrated.accesscam[.]org include:handlerhedriver.accesscam[.]org include:occupationsociety.casacam[.]net include:commemorate.ddnsfree[.]com include:requestdistort.ddnsgeek[.]com include:strategicpromote.freeddns[.]org include:biographydetermine.giize[.]com include:compartmentrelevance.gleeze[.]com include:multimediatan.kozow[.]com -all” |
Due to their use in the SPF records of other actor domains, these additional dynamic DNS domains, which also act as SPF redirectors, are likely actor-operated as well:
universitygreatchoices.gleeze[.]com biographydetermine.giize[.]com commemorate.ddnsfree[.]com compartmentrelevance.gleeze[.]com handlerhedriver.accesscam[.]org instantuniversityinscription.ddnsfree[.]com justifyintegrated.accesscam[.]org multimedialearningskills.kozow[.]com multimediatan.kozow[.]com neverstoplearning.dynuddns[.]com occupationsociety.casacam[.]net perfectdiplomaforyou.kozow[.]com requestdistort.ddnsgeek[.]com resourcesanddocuments.gleeze[.]com strategicpromote.freeddns[.]org strategyandplansaction.freeddns[.]org universityexchangeinfo.freeddns[.]org universitygrades.mywire[.]org
Subsequently looking up the SPF redirects for universitygreatchoices.gleeze[.]com and others identifies records such as the following, in which the designated IP ranges are authorized to send mail by the original domain.
First Seen | RRNAME | RDATA |
2024-12-09 | universitygreatchoices.gleeze[.]com. | “”v=spf1 ip4:169.254.95.120 ip4:81.7.16.166 ip4:91.143.91.100 ip4:212.23.222.100 ip4:212.23.222.102/31 ip4:91.228.12.147/28 ip4:91.228.12.160/28 ip4:91.228.12.176 ip4:63.141.247.144/29 ip4:158.69.99.224/29 ip4:167.114.154.18 ip4:192.95.49.96/30 ip4:198.27.9” “5.240/28 ip4:198.50.160.232 ip4:198.50.160.250 ip4:61.255.174.141/30 ip4:61.255.174.144/28 ip4:61.255.174.160/30 ip4:61.255.174.179/29 ip4:195.254.134.64/27 ip4:23.105.32.64/29 ip4:23.105.32.73 ip4:45.92.29.240/28 ip4:193.39.184.224/28 ip4:23.105.132.157/30 ip4:23.105.132.160/29 ip4:45.130.201.8/30 ip4:45.130.201.88/29 ip4:45.130.201.128/28 ip4:45.130.201.150 ip4:45.130.201.161 ip4:45.130.201.180 ip4:45.130.201.186 ip4:45.130.201.201 ip4:45.130.201.211 ip4:45.130.201.240/28 ip4:37.235.49.209 ip4:37.235.49.214 ip4:51.38.246.64/30 ip4:69.61.90.49 ip4:69.61.94.33 ip4:69.61.95.20 ip4:69.174.102.208 ip4:104.223.94.253 ip4:142.4.195.32/29 ip4:142.44.135.12 ip4:142.44.135.127 ip4:144.217.46.144/29 ip4:144.217.117.34 ip4:149.56.78.219 ip4:151.236.24.159 ip4:185.215.186.128/29 ip4:192.71.218.35 ip4:192.71.218.82 ip4:192.95.57.0/30 ip4:192.99.176.248/29 ip4:217.182.120.160/30 ip4:5.189.187.81 ip4:5.189.134.15 ip4:5.189.134.16/30 ip4:2.58.203.26 ip4:2.58.203.33 ip4:2.58.203.36 ip4:2.58.203.51 ip4:45.67.85.8/31 ip4:45.67.85.12 ip4:45.67.85.20 ip4:45.67.85.28 ip4:45.67.85.41 ip4:45.67.85.47 ip4:45.67.85.62/31 ip4:63.141.232.128/27 ip4:89.34.97.64/27 ip4:216.211.204.63 ip4:216.211.204.64 ip4:216.211.204.71 ip4:216.211.204.77 ip4:216.211.204.79 ip4:149.50.96.53 ip4:149.50.102.119 ip4:149.50.102.120/29 ip4:149.50.102.128/29 ip4:149.50.102.144 ip4:149.50.102.254 ip4:149.50.103.0/28 ip4:149.50.103.24 ip4:94.156.239.216/29 ip4:94.156.239.224/27 ip4:185.99.2.80/28 ip4:185.99.2.96/30 ip4:185.164.32.96/28 ip4:185.164.32.112/29 ip4:185.164.32.11 ip4:31.56.241.27 ip4:31.56.241.86 ip4:31.56.241.120/30 ip4:162.213.211.64/29 ip4:162.251.120.172 ip4:162.251.122.160/27 
ip4:172.96.14.24/29 ip4:204.10.162.128/29 ip4:45.92.29.224/28 ip4:199.66.92.32/27 -all”” |
The following diagram shows how the chained SPF records create multiple layers of redirects.
In summary, the chained SPF records create multiple layers of SPF redirects. This may serve to obfuscate the originating mail servers and distribute infrastructure to increase resiliency against disruptions affecting portions of the network. It may also serve to evade detection by hindering analysis, making it difficult for anti-spam and security researchers to identify patterns and write signatures to detect and block the network and the activity it is being used for.
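The SPF hijacking check and the chained-include analysis described above can be done with one walker. This is an added example, not tooling from the original research: it expands include:/redirect= chains over constructed passive-DNS rows, joins multi-string TXT data the way the split records above require, and compares a monitored domain's own includes to a baseline. All names, ranges and the baseline are assumptions using reserved documentation values.

```python
import ipaddress
import re

QUOTES = '"“”″'  # straight and typographic quotes seen in exported RDATA

# Constructed passive-DNS rows (RRNAME -> TXT RDATA) shaped like the layered
# records above; every name and range is a reserved documentation value.
SAMPLE_TXT = {
    "shop.victim.example.": '"v=spf1 include:relay-a.example include:relay-b[.]example -all"',
    "relay-a.example.": '"v=spf1 include:hop1.ddns.example -all"',
    "relay-b.example.": '"v=spf1 include:hop1.ddns.example -all"',
    # Split into two TXT strings in the middle of an ip4 term.
    "hop1.ddns.example.": '"v=spf1 ip4:192.0.2.16/28 ip4:198.51" ".100.7 include:hop2.ddns.example -all"',
    "hop2.ddns.example.": '"v=spf1 ip4:203.0.113.0/24 -all"',
}


def norm(name):
    """Refang a defanged name and normalise it for lookups."""
    return name.replace("[.]", ".").rstrip(".").lower()


def parse_spf(rdata):
    """Return the terms after v=spf1, or [] when the RDATA is not SPF."""
    # Multi-string TXT data is concatenated with no separator before parsing.
    joined = re.sub(f"[{QUOTES}]\\s+[{QUOTES}]", "", rdata)
    terms = re.sub(f"[{QUOTES}]", "", joined).split()
    return terms[1:] if terms and terms[0].lower() == "v=spf1" else []


def walk(domain, records, path, out):
    """Depth-first expansion of include:/redirect= terms."""
    if domain in path:  # include loop: record it and stop descending
        out["loops"].append(path + (domain,))
        return
    path += (domain,)
    out["depth"] = max(out["depth"], len(path) - 1)
    terms = parse_spf(records.get(domain, ""))
    if not terms:
        out["missing"].append(domain)
    for term in terms:
        name, _, value = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        if name.lower() in ("include", "redirect"):
            out["edges"].append((domain, norm(value)))
            walk(norm(value), records, path, out)
        elif name.lower() in ("ip4", "ip6"):
            # strict=False: published ranges may have host bits set
            out["networks"].add(ipaddress.ip_network(value, strict=False))


def audit_spf(domain, raw_records, expected_includes):
    """Expand one domain's SPF chain and compare its own includes to a baseline."""
    records = {norm(k): v for k, v in raw_records.items()}
    out = {"edges": [], "networks": set(), "loops": [], "missing": [], "depth": 0}
    root, allowed = norm(domain), {norm(d) for d in expected_includes}
    walk(root, records, (), out)
    return {
        "depth": out["depth"],         # layers of include/redirect below the root
        "lookups": len(out["edges"]),  # RFC 7208 caps DNS-querying terms at 10
        "unexpected": sorted({d for s, d in out["edges"] if s == root and d not in allowed}),
        "networks": sorted(str(n) for n in out["networks"]),
        "addresses": sum(n.num_addresses for n in out["networks"]),
        "loops": out["loops"],
        "missing": out["missing"],
    }
```

Run against a domain you own with its approved senders as `expected_includes`, a non-empty `unexpected` list or a jump in `depth` or `addresses` is the signal to investigate.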
The Senders
Sampling the IP addresses in the RDATA records shows a trend of mail servers, reverse DNS, Apache HTTP servers, and Squid Cache servers.
Domains associated with the IPs in the SPF records were also observed hosting content such as the following samples:
Indicators & Search Hashes | Web Screenshots |
*[.]megajobsusa[.]com; Shodan hash:-1137946516; Shodan Http.html_hash:581214383; Censys services.banner_hashes="sha256:3a47dc2a58324647af74c539d6e9eceb994f5ec3b49ff1744d164e6f340a9e29" | |
angelcamach0-github-io.pages[.]dev | |
callor[.]com | |
gamerchallenger[.]com | |
sunillulla[.]com | |
Domains hosting similar web content:
Conclusion
This research has only touched the surface of what appears to be a very large and well-coordinated spam and phishing network taking advantage of DNS-related misconfigurations or weaknesses. Indications from domain and infrastructure pivots suggest the network has been operating from at least 2019 to the present. The operators of the network appear to demonstrate awareness of, and response to, security reports on their infrastructure and appear to have made multiple attempts to improve its resiliency to identification and disruption.
Observables