Skip to main content
Back to Newsletters
Community

Fourteen Newsletters and Fifteen Winters

Daniel Schwalbe
Published on: 
March 5, 2026

Greetings from Seattle, where “second false spring: has just arrived. It’s a thing, Google it!  Returning readers will no doubt recognize that I’m a bit obsessed with the weather here. Even after thirty years in the Emerald City, and my induction as an honorary mossback, the weather and its 12-14 micro-seasons are frequently top of mind. During my first year as an undergrad at the University of Washington, I thought about becoming a meteorologist. I took several atmospheric sciences classes, but then the advanced math got me. Instead I got a degree more suited to my natural talents: Communications 😉 

I teased this possibility last month, but now it’s official: The publication of this monthly newsletter has moved to the first Tuesday of the next month, as opposed to the last Tuesday of the month that the newsletter covers. We changed a few things up internally, and for practical reasons, this change is becoming permanent. The use of adapted song titles for each new edition is sticking around, though it might get harder if I keep up sequential numbering. I’d normally ask you to comment on this post if you recognized the song this one is based on, but GenAI kind of takes the fun out of it - Gemini for example got it on the first try 🙄

While February was a short month, the threat landscape was anything but quiet and my team was anything but bored. This edition of my newsletter focuses on a recurring phenomenon we observe in actor tradecraft: The weaponization of trust. Our headliner is a deep dive into Lotus Blossom (G0030) and their sophisticated supply chain attack targeting Notepad++. This wasn't a loud, "smash and grab" operation; it was a surgical infiltration of an update pipeline designed to stay under the radar of even the most diligent admins.

We’re also looking at the "human" side of the house with a new Security Snack on Idolized Crypto Scams. My team traced over 250 domains back to a single infrastructure cluster that uses celebrity personas and fraudulent presales to siphon assets across multiple blockchains.

We closed out February with my talk at BSides Seattle, where I spoke about my team’s research on new domains delivering SpyNote Malware, which we covered extensively last year. If you weren’t able to catch me live, my team and I will be at BSides San Francisco near the end of March, where we have two presentations on the schedule - come find us and say hi! I will be in town for RSAC as well, and would be happy to host you in our space near Moscone.

Now, without further ado, from supply chain evolution to high-velocity fraud, we’ve got plenty to get you up to speed. Let’s dive in!

Hot off the Presses

Lotus Blossom (G0030) and the NotePad++ Supply Chain Espionage Campaign

DTI researchers analyzed the sustained compromise of the Notepad++ update pipeline from late 2025 into early 2026. Rather than modifying the open-source codebase, attackers infiltrated upstream distribution infrastructure and selectively redirected update traffic for a small group of targets. This allowed them to deliver customized installers and low-noise implants to be delivered while most users continued receiving legitimate updates.Taken together, the operational choices, tooling, and victim profile support attribution, with moderate to high confidence, to the China-aligned espionage actor commonly tracked as Lotus Blossom (G0030) in concurrence with other organizations assessment. 

The Notepad++ compromise represents a clear evolution in Lotus Blossom’s tradecraft. Earlier campaigns relied heavily on spear-phishing and bespoke backdoors delivered directly to victims. Rather than compromising end-user systems through conventional infrastructure attacks, such as opportunistic abuse of widely trusted software updates, the actors shifted the locus of trust toward the developer ecosystem itself. By abusing a legitimate update mechanism relied upon specifically by developers and administrators, they transformed routine maintenance into a covert entry point for high-value access.The incident highlights how trusted software update systems can be quietly weaponized for long-term intelligence collection without causing widespread disruption.

🔍Read the full investigation here

SecuritySnack: Idolized Crypto Scams

A cryptocurrency scam operation spanning roughly 250 domains was identified across multiple themes, including fake celebrity giveaways and fraudulent token presales. The investigation began with a cluster of suspected scam domains sharing the same Google analytics tag ID and expanded through blockchain tracing, wallet analysis, and domain registration overlaps. This process revealed activity across BTC, ETH, and XRP and included impersonation of public figures, platforms, and crypto projects.

On-chain findings were mixed but revealed a well-developed supporting infrastructure. In several cases, blockchain tracing showed actor-controlled wallets funding themselves and cycling assets through multi-layer laundering pipelines. The broader infrastructure includes cross-chain scam tooling, distributed hosting across multiple jurisdictions, and hundreds of related domains. Evidence from shared wallets, infrastructure overlaps, and Russian-language artifacts indicates a single actor likely responsible for both campaigns. 

🔗Read more here

What We’re Reading 

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed! 

📚Check out the full reading list here

Where We’ll Be 

- NICAR 2026, Indianapolis, IN - 04-06 March 

- BSides San Francisco, San Francisco, CA - 21-22 March

        Come see me speak on Saturday 21 March at 1:05pm, AMC Theater 13

- FIRST CTI Conference, Munich, Germany - 21-23 April

Final Thoughts

As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading & see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe/

https://infosec.exchange/@danonsecurity

Related Content

Newsletters
Community
Fourteen Newsletters and Fifteen Winters

Greetings from Seattle, where “second false spring: has just arrived. It’s a thing, Google it!  Returning readers will no doubt recognize that I’m a bit obsessed with the weather here. Even after thirty years in the Emerald City, and my induction as an honorary mossback, the weather and its 12-14 micro-seasons are frequently top of mind. During my first year as an undergrad at the University of Washington, I thought about becoming a meteorologist. I took several atmospheric sciences classes, but then the advanced math got me. Instead I got a degree more suited to my natural talents: Communications 😉 

I teased this possibility last month, but now it’s official: The publication of this monthly newsletter has moved to the first Tuesday of the next month, as opposed to the last Tuesday of the month that the newsletter covers. We changed a few things up internally, and for practical reasons, this change is becoming permanent. The use of adapted song titles for each new edition is sticking around, though it might get harder if I keep up sequential numbering. I’d normally ask you to comment on this post if you recognized the song this one is based on, but GenAI kind of takes the fun out of it - Gemini for example got it on the first try 🙄

While February was a short month, the threat landscape was anything but quiet and my team was anything but bored. This edition of my newsletter focuses on a recurring phenomenon we observe in actor tradecraft: The weaponization of trust. Our headliner is a deep dive into Lotus Blossom (G0030) and their sophisticated supply chain attack targeting Notepad++. This wasn't a loud, "smash and grab" operation; it was a surgical infiltration of an update pipeline designed to stay under the radar of even the most diligent admins.

We’re also looking at the "human" side of the house with a new Security Snack on Idolized Crypto Scams. My team traced over 250 domains back to a single infrastructure cluster that uses celebrity personas and fraudulent presales to siphon assets across multiple blockchains.

We closed out February with my talk at BSides Seattle, where I spoke about my team’s research on new domains delivering SpyNote Malware, which we covered extensively last year. If you weren’t able to catch me live, my team and I will be at BSides San Francisco near the end of March, where we have two presentations on the schedule - come find us and say hi! I will be in town for RSAC as well, and would be happy to host you in our space near Moscone.

Now, without further ado, from supply chain evolution to high-velocity fraud, we’ve got plenty to get you up to speed. Let’s dive in!

Hot off the Presses

Lotus Blossom (G0030) and the NotePad++ Supply Chain Espionage Campaign

DTI researchers analyzed the sustained compromise of the Notepad++ update pipeline from late 2025 into early 2026. Rather than modifying the open-source codebase, attackers infiltrated upstream distribution infrastructure and selectively redirected update traffic for a small group of targets. This allowed them to deliver customized installers and low-noise implants to be delivered while most users continued receiving legitimate updates.Taken together, the operational choices, tooling, and victim profile support attribution, with moderate to high confidence, to the China-aligned espionage actor commonly tracked as Lotus Blossom (G0030) in concurrence with other organizations assessment. 

The Notepad++ compromise represents a clear evolution in Lotus Blossom’s tradecraft. Earlier campaigns relied heavily on spear-phishing and bespoke backdoors delivered directly to victims. Rather than compromising end-user systems through conventional infrastructure attacks, such as opportunistic abuse of widely trusted software updates, the actors shifted the locus of trust toward the developer ecosystem itself. By abusing a legitimate update mechanism relied upon specifically by developers and administrators, they transformed routine maintenance into a covert entry point for high-value access.The incident highlights how trusted software update systems can be quietly weaponized for long-term intelligence collection without causing widespread disruption.

🔍Read the full investigation here

SecuritySnack: Idolized Crypto Scams

A cryptocurrency scam operation spanning roughly 250 domains was identified across multiple themes, including fake celebrity giveaways and fraudulent token presales. The investigation began with a cluster of suspected scam domains sharing the same Google analytics tag ID and expanded through blockchain tracing, wallet analysis, and domain registration overlaps. This process revealed activity across BTC, ETH, and XRP and included impersonation of public figures, platforms, and crypto projects.

On-chain findings were mixed but revealed a well-developed supporting infrastructure. In several cases, blockchain tracing showed actor-controlled wallets funding themselves and cycling assets through multi-layer laundering pipelines. The broader infrastructure includes cross-chain scam tooling, distributed hosting across multiple jurisdictions, and hundreds of related domains. Evidence from shared wallets, infrastructure overlaps, and Russian-language artifacts indicates a single actor likely responsible for both campaigns. 

🔗Read more here

What We’re Reading 

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed! 

📚Check out the full reading list here

Where We’ll Be 

- NICAR 2026, Indianapolis, IN - 04-06 March 

- BSides San Francisco, San Francisco, CA - 21-22 March

        Come see me speak on Saturday 21 March at 1:05pm, AMC Theater 13

- FIRST CTI Conference, Munich, Germany - 21-23 April

Final Thoughts

As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:

Thanks for reading & see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe/

https://infosec.exchange/@danonsecurity

Learn More
Newsletters
Community
Thirteen Silver Newsletters

DomainTools Investigations kicks off 2026 with deep dives into the KnownSec leak exposing China's cyberespionage ecosystem, predatory online gambling apps, and a phishing campaign weaponizing fake job interviews.

A new year, a new cover image! We recently went through another rebranding exercise, which brought new collateral templates. Most noticeably, it changed our corporate website. Some of you noticed, and let us know exactly how you felt about it! The DomainTools Investigations site (https://dti.domaintools.com) also got a make-over, and I think the main website compliments our DTI site nicely!

Regular readers will notice that once again the newsletter is a week “late” - but once again, there were good reasons for it. So I’m considering releasing it on the first Tuesday of the Month, instead of the last one. If you feel strongly one way or the other, please let me know in the comments (or email me). The use of song titles with numbers that correspond to the current edition for the newsletter title is sticking around for now. My friend @Kali Fencl started that when she helped me launch this newsletter over a year ago, and while it’s getting more difficult, I’m committed. 

Another thing that’s probably staying are mentions of the local weather! Returning readers know I live in Seattle, and the weather here is always a topic of conversation! For example, many of you think the rain never stops in Seattle. Movies depict torrential downpours, but we Seattleites don’t mind: Keep believing that. But in reality, fellow PNW-er Scott Losse explains it best. Check him out and follow him, he’s funny!

Unlike the East Coast (sorry friends!), we just had a brief, miraculous week of mild weather and sunshine. But as it is customary, "The Gray" has returned like clockwork. It’s that part of winter here, where blue sky quickly begins to feel like a distant memory, and dampness is king. Don’t worry, only three to four months of that!

Speaking of winter, while most of the world was recovering from New Year's Eve and shovelling their driveways, my team here at DomainTools Investigations was busy dissecting a fresh mountain of data. If you thought the i-Soon leak from a while back was a one-off, think again. We’ve been heads-down on the KnownSec leak, a fascinating look at one of the supposed "white hat" companies that turned out to be part of the backbone of China’s cyberespionage ecosystem.

Beyond the geopolitical chess match, we’re also tracking some more "down-to-earth" (read: predatory) threats. Our analysts have been playing a high-stakes game of whack-a-mole with a series of dubious online gambling apps that are currently targeting users across the globe with some surprisingly sophisticated evasion tactics.

And for those of you who appreciate a shorter read with your morning coffee, we have a new SecuritySnack focused on "Phishing Interviews." This investigation highlights a particularly cold-hearted campaign that weaponizes the job hunt, exploiting the trust of applicants to harvest government credentials and to drop remote access tools.

We’ve got a lot to cover to kick off the year, so let’s dive right in, and get you all caught up!

Hot off the Presses

THE KNOWNSEC LEAK: Yet Another Leak of China’s Contractor-Driven Cyberespionage Ecosystem

In November of 2025, an allegedly massive leak of data from Chinese company “KnownSec” was posted to a github account. The leak has since been pulled off of Github and downloaded by very few, and of those few who gained access, only one uploaded 65 documents as a primer to the leak elsewhere for others to see. DTI was able to get the 65 document images and this initial investigation is derived from this slice of a much larger leak that is out there but not available.

While Knownsec advertises itself as a “white hat” pillar in China’s cybersecurity landscape, the leak revealed the company operates a vertically integrated espionage stack for reconnaissance, exploitation, collection, and persistence, designed for both domestic surveillance and foreign intelligence operations in support of China’s security state. 

Its internal documents, product manuals, and data repositories show a company engineered to support Chinese national security, intelligence, and military objectives. Tools like ZoomEye and the Critical Infrastructure Target Library give China a global reconnaissance system that catalogs millions of foreign IPs, domains, and organizations mapped by sector, geography, and strategic value. Massive datasets containing real names, ID numbers, mobile phones, emails, and credentials allow Knownsec and its government clients to correlate infrastructure with people, enabling rapid deanonymization, targeting, and social engineering. On top of this data foundation, Knownsec’s offensive products – GhostX, Un-Mail, and Passive Radar – purport to provide a full intrusion and surveillance pipeline.

🔍Read the full investigation here

Pay to Lose: Dubious Online Gambling Games 

DTI analysts identified multiple clusters of dubious Android applications created in the past few weeks that are engaged in predatory gambling and real money gaming apps. Notably, these are not registered apps. They are intentionally misleading users into thinking they are legitimate and reputable through multiple tactics like spoofing the Google Play Store, creating fake reviews, generating fake public win declarations, and creating entire brands with marketing campaigns and broad distribution tactics. These clusters also attempt to evade detection and analysis by having post install code and configuration retrievals from actor controlled sites, which serve a dual purpose of distributing region specific content to users post installation.

The investigation is segmented into three distinct infrastructure clusters. Each cluster appears to target a general set of countries including Nigeria, India, Pakistan, and the Philippines. They also appear to have non-region specific user base targeting, including English, Portuguese, and Bengali speaking users. Despite the wide range of targets, the clusters share a common theme of mobile-focused gaming or gamified gambling apps to attract users for financial gain

🔗Read more 

Security Snack: Phishing Interviews

My team uncovered a malicious actor that has created several domain masquerades of small companies posing as job boards, interview themes, and login pages since approximately August 2025. 

The investigation revealed two distinct objectives. The first is a credential harvesting scheme targeting ID.me accounts — the official identity provider for US government services like the IRS and SSA — which can then be exploited to facilitate financial fraud, including tax refund theft and fraudulent unemployment benefits. 

The second cluster focuses on malware delivery, tricking job seekers via fake Microsoft Teams meeting invites to download a malicious, unsigned variant of the remote access tool Connectwise. This gives the attacker access to the victim’s machine where they may conduct follow-on attacks.

🗒️Learn more here

What We’re Reading 

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed! 

📚Checkout the full reading list here📚

Where We’ll Be 

  • AFCEA West 2026, San Diego, CA, 10-12 February
  • BSides Seattle, Redmond, WA, 27-28 February
  • NICAR 2026, Indianapolis, IN, 5-6 March
  • BSides SF, San Francisco, CA, 21-22 March

Final Thoughts

As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!

We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.

If you missed last month's content, here are some quick links:


Thanks for reading - see you next month!

-Daniel

Learn More
Newsletters
Community
Rainy Day Newsletter #12 (but not 35)

Welcome to the New Year, I hope you all had a restful holiday season! Similarly to the November issue, we decided to hold this edition until the post-holiday inbox avalanche has (hopefully) subsided. I wouldn’t want you to miss your favorite newsletter!

It’s hard to believe that DTI turns one year old this coming Friday! In case you haven’t been a subscriber since “Day One”, allow me a brief recap: In September of 2024, at a DomainTools onsite meeting, serendipity brought together two individuals with deep security industry connections, and a passion for community. We hatched an idea, got a few more colleagues excited about this idea, and in late 2024, we pitched it to our bosses. A scrappy program on a shoestring budget, with an agreement to fail fast and pivot as necessary. We signed up for some KPIs (you better measure success if you want to spend other peoples’ money!), and we launched on January 9th, 2025.

As I sit here, drafting this message, I can’t help but look back with pride on everything we did this past year: The countless hours of collective hard work, the travel all over the world to meet with the community, and most importantly, all the great research we published. We positively crushed it, if I do say so myself!

Now it’s late December, and the future looks decidedly less certain. One half of the DTI Leadership team is no longer with the company. She would hate it if I called her out here by name, but IYKYK. Thank you for a crazy year of collaboration, planning, organizing, problem solving, and innovating. Myself and the remaining DTI Team miss you greatly!

I’m not sure yet what 2026 will bring, but I know it will be different. Different isn’t automatically bad of course, so time will tell! Stay tuned for updates!

Back to Business

For those of you keeping score, the weather here in the Pacific Northwest has officially transitioned from damp, dark, and cold to damper and colder but a little less dark. But luckily none of that has slowed down our researchers. Fueled by hot coffee and cold redbull, they’ve been burning the 4pm oil, and we have some fascinating, and frankly brazen, campaigns to share as we kick off the year.

Our featured research for this edition looks at a massive “super-cluster” of over 5,000 Chinese malware delivery domains. What makes this investigation particularly special is how we did it: our team utilized agentic AI systems to accelerate our analysis by 10x. If you’ve been wondering how AI actually changes the game for threat hunters, this is the blueprint.

We also pulled back the curtain on the bureaucratic side of state-sponsored espionage with our second deep dive into the APT35 leaks. It turns out that Iranian intelligence operators deal with the same mundane office headaches we do: Spreadsheets, expense reports, and ticketing systems.

Finally, we took a look at a B2B2C supply chain attack targeting the hospitality industry. By compromising hotel management accounts, attackers are reaching customers directly through official Booking[.]com channels. It’s a stark reminder that if the supply chain isn’t secure, neither is the trusted platform it supports.

Hot off the Presses

B2B2C Supply Chain Attack: Hotel’s Booking Accounts Compromised to Target Customer

DTI’s investigation reveals a sophisticated campaign targeting Booking[.]com customers by compromising hotel management accounts. Since May 2025, threat actors have generated nearly 1,000 spoofed domains to execute a “verify or cancel” phishing scheme. By hijacking official hotel messaging channels, attackers send urgent alerts that direct travelers to fraudulent sites. These pages are dynamically populated with the victim’s actual reservation details which have been stolen from the hotel’s own database to create a high-trust environment for stealing payment information.

Learn more

Chinese Malware Delivery Domains Part IV

DTI’s latest investigation into massive Chinese malware delivery infrastructure reveals the addition of over 1,900 new malicious domains in the super cluster of over 5,000 domains we have been tracking since early 2025.  This activity, which primarily targets Chinese-speaking users, has evolved from a consolidated infrastructure into a fragmented and localized network using domestic Chinese registrars to improve operational security. The attackers employ deceptive lures such as spoofed downloads for Chrome, VPNs, and office software to deliver an array of trojans and credential stealers.

To manage this massive influx of data, our researchers deployed agentic AI systems to analyze the malicious domains, increasing analysis speed by 10x. By utilizing a “task-based AI orchestrator” paired with specialized sub-agents, the team was able to bypass anti-automation hurdles and autonomously interact with and analyze thousands of sites per day.

Agent Orchestration Flow Diagram

Read the latest research here

The APT35 Dump Episode 4: Leaking The Backstage Pass To An Iranian Intelligence Operation

DTI’s latest deep dive into the four-part leak of internal documents from APT35 (Charming Kitten) reveals the financial administration powering Iranian state-sponsored espionage. The leaked files, ranging from payment spreadsheets to internal ticketing systems, show how the group has financed and managed their operations in spite of international sanctions. These documents track everything from server procurement and crypto-payment receipts to operator attendance logs and performance metrics, illustrating a “bureaucratic metabolism” where cyberattacks are treated as standard administrative workflows.

Despite this clerical precision, the investigation highlights a glaring lack of operational hygiene. The group failed to secure their backend infrastructure and cleartext credentials even after the internal documents were leaked, allowing researchers to map the financial and administrative connections between APT35/Charming Kitten and the Iranian “Moses Staff” threat actor. By stripping away the mystery of their technical exploits, this research exposes the administration, including budgeting, invoice reconciliation, and supervisor approvals, that sustains Iran’s strategic information operations across the Middle East and beyond.

Screenshot of moses-staff[.]io homepage

Read our investigation here

What We’re Reading

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!

Checkout the full reading list here

Where We’ll Be

  • The DTI Travel Squad is staying local in January, but we will keep you updated on future travel once schedules get finalized!

Final Thoughts

As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here.

If you missed last month’s content, here are some quick links:

Thanks for reading – see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

Learn More

Heading

SecuritySnacks
Research
Newsletters
Podcast Episodes
About
No items found.