Subscribe to the Newsletter here
I can’t believe it, but we have made it to the 5th iteration of my DomainTools Investigations (DTI) newsletter! If you’re a returning reader, I’m glad you keep coming back! If you’re a new reader, what you’re about to read is top secret. Anything you say can and will be used against you without express written consent of Major League Baseball. That’s the saying, right?
But seriously, if you’re a new reader, welcome! What you’re really about to read is not top secret; it’s news from our group of researchers and analysts providing their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.
Community is incredibly important to me, and I believe that the only way we’ll make progress in fighting threat actors is coming together to share what we know. So take a look around, and if you have information to collaborate with us to get further in our analyses, please let us know.
So without further ado, here’s what we’ve been up to in May:
Published this week (May 28), DTI shared its latest analysis on a malicious campaign using a fake website to spread VenomRAT, a Remote Access Trojan. The research examines attackers’ methods, such as deceptive websites and command infrastructure, indicating a clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems.

Why is This Important? This campaign highlights a growing trend: attackers crafting modular, open-source-based malware that’s stealthy, flexible, and easy to deploy. This DIY malware model helps them move fast and stay hidden.
While open-source tools can aid defenders in detection, the real victims are everyday users—targeted with fake login pages and malware disguised as trusted software, all aimed at draining bank accounts and crypto wallets.
DTI observed an unknown actor continuously creating malicious Chrome Browser extensions since February 2024. The websites masqueraded as legitimate services, productivity tools, ad and media creation or analysis assistants, and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store. The extensions had a dual functionality, where they appeared to function as intended, but also connected to malicious servers to send user data, receive commands, and execute arbitrary code.

Why is This Important? The actor’s persistence and the time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements. All users should protect themselves by exercising caution when installing extensions. Stick to the Chrome Web Store and verified developers, carefully review requested permissions, read reviews, and be wary of lookalike extensions.
Viral media events capture global attention. Everything from natural disasters to geopolitical shifts to cultural phenomena can dominate headlines and online conversations – and bad actors pay attention and look to capitalize on the public’s interest.
We undertook a project to analyze scam and malicious domains that emerge in the wake of high-profile viral media events. Leveraging AI-driven research capabilities, we aimed to understand how threat actors exploit these moments for financial gain and other nefarious purposes.

Why is This Important? The speed at which these events unfold provides a fertile ground for scammers to deploy a variety of schemes primarily focused on financial exploitation through fake donations, merchandise sales, and cryptocurrency scams. Staying vigilant and critically evaluating any website or domain seeking engagement related to a viral event is crucial.
Wouldn’t that be awesome if one of the conferences decided to do a 90s-style Scholastic book fair for cybersecurity and infosec books? One can dream, but until then, here are some of the topics from Ian Campbell’s May Recommended Reading digest:
Be sure to check out the reading list for Ian’s full recommendations!
Again, if you’re a returning reader from last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers.
We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here.
If you missed last month’s content, here are some quick links:
Thanks for reading – see you next month!
Daniel

Welcome to the New Year, I hope you all had a restful holiday season! Similarly to the November issue, we decided to hold this edition until the post-holiday inbox avalanche has (hopefully) subsided. I wouldn’t want you to miss your favorite newsletter!
It’s hard to believe that DTI turns one year old this coming Friday! In case you haven’t been a subscriber since “Day One”, allow me a brief recap: In September of 2024, at a DomainTools onsite meeting, serendipity brought together two individuals with deep security industry connections, and a passion for community. We hatched an idea, got a few more colleagues excited about this idea, and in late 2024, we pitched it to our bosses. A scrappy program on a shoestring budget, with an agreement to fail fast and pivot as necessary. We signed up for some KPIs (you better measure success if you want to spend other peoples’ money!), and we launched on January 9th, 2025.
As I sit here, drafting this message, I can’t help but look back with pride on everything we did this past year: The countless hours of collective hard work, the travel all over the world to meet with the community, and most importantly, all the great research we published. We positively crushed it, if I do say so myself!
Now it’s late December, and the future looks decidedly less certain. One half of the DTI Leadership team is no longer with the company. She would hate it if I called her out here by name, but IYKYK. Thank you for a crazy year of collaboration, planning, organizing, problem solving, and innovating. The remaining DTI Team and I miss you greatly!
I’m not sure yet what 2026 will bring, but I know it will be different. Different isn’t automatically bad of course, so time will tell! Stay tuned for updates!
For those of you keeping score, the weather here in the Pacific Northwest has officially transitioned from damp, dark, and cold to damper and colder but a little less dark. But luckily none of that has slowed down our researchers. Fueled by hot coffee and cold Red Bull, they’ve been burning the 4pm oil, and we have some fascinating, and frankly brazen, campaigns to share as we kick off the year.
Our featured research for this edition looks at a massive “super-cluster” of over 5,000 Chinese malware delivery domains. What makes this investigation particularly special is how we did it: our team utilized agentic AI systems to accelerate our analysis by 10x. If you’ve been wondering how AI actually changes the game for threat hunters, this is the blueprint.
We also pulled back the curtain on the bureaucratic side of state-sponsored espionage with our second deep dive into the APT35 leaks. It turns out that Iranian intelligence operators deal with the same mundane office headaches we do: Spreadsheets, expense reports, and ticketing systems.
Finally, we took a look at a B2B2C supply chain attack targeting the hospitality industry. By compromising hotel management accounts, attackers are reaching customers directly through official Booking[.]com channels. It’s a stark reminder that if the supply chain isn’t secure, neither is the trusted platform it supports.
DTI’s investigation reveals a sophisticated campaign targeting Booking[.]com customers by compromising hotel management accounts. Since May 2025, threat actors have generated nearly 1,000 spoofed domains to execute a “verify or cancel” phishing scheme. By hijacking official hotel messaging channels, attackers send urgent alerts that direct travelers to fraudulent sites. These pages are dynamically populated with the victim’s actual reservation details, which have been stolen from the hotel’s own database, to create a high-trust environment for stealing payment information.

DTI’s latest investigation into massive Chinese malware delivery infrastructure reveals the addition of over 1,900 new malicious domains in the super cluster of over 5,000 domains we have been tracking since early 2025. This activity, which primarily targets Chinese-speaking users, has evolved from a consolidated infrastructure into a fragmented and localized network using domestic Chinese registrars to improve operational security. The attackers employ deceptive lures such as spoofed downloads for Chrome, VPNs, and office software to deliver an array of trojans and credential stealers.
To manage this massive influx of data, our researchers deployed agentic AI systems to analyze the malicious domains, increasing analysis speed by 10x. By utilizing a “task-based AI orchestrator” paired with specialized sub-agents, the team was able to bypass anti-automation hurdles and autonomously interact with and analyze thousands of sites per day.

Agent Orchestration Flow Diagram
DTI’s latest deep dive into the four-part leak of internal documents from APT35 (Charming Kitten) reveals the financial administration powering Iranian state-sponsored espionage. The leaked files, ranging from payment spreadsheets to internal ticketing systems, show how the group has financed and managed their operations in spite of international sanctions. These documents track everything from server procurement and crypto-payment receipts to operator attendance logs and performance metrics, illustrating a “bureaucratic metabolism” where cyberattacks are treated as standard administrative workflows.
Despite this clerical precision, the investigation highlights a glaring lack of operational hygiene. The group failed to secure their backend infrastructure and cleartext credentials even after the internal documents were leaked, allowing researchers to map the financial and administrative connections between APT35/Charming Kitten and the Iranian “Moses Staff” threat actor. By stripping away the mystery of their technical exploits, this research exposes the administration, including budgeting, invoice reconciliation, and supervisor approvals, that sustains Iran’s strategic information operations across the Middle East and beyond.

Screenshot of moses-staff[.]io homepage
In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!
Check out the full reading list here
As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!
We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here.
If you missed last month’s content, here are some quick links:
Thanks for reading – see you next month!
-Daniel
https://www.linkedin.com/in/schwalbe
https://infosec.exchange/@danonsecurity

The title of this month’s newsletter is a deep cut taken from the height of my favorite music genre, the admittedly awkwardly titled “Alternative Music.” What can I say, the 1990s in Seattle were wild, man - you had to be there.
Speaking of being there, last week was the Thanksgiving Holiday here in the United States. Normally my newsletter goes out on the last Tuesday of the month, but considering a lot of security professionals in the US got Thursday and likely Friday off, we decided to push publication by a week, so hopefully more of you can enjoy this edition instead of it getting buried under mashed potatoes and gravy!
The weather here in the Pacific Northwest has firmly settled into “damp mode” (IYKYK), and the temperatures have started to creep below 40 degrees Fahrenheit (below 4 degrees Celsius for my international friends). I refuse to call it “The Big Dark” however - stop trying to make “The Big Dark” happen, Gretchen! Despite the cold, I’m happy to report that the intensity of DomainTools Investigations’ research output is only heating up.
Our flagship research for November, “Inside the Great Firewall,” is a three-part series based on a recent dump of documents and technical details of China’s censorship infrastructure. This massive leak provided us with over 500 gigabytes of internal operational data. I had the pleasure of joining Dave Bittner on the Research Saturday podcast from N2K | CyberWire to discuss our team’s work.
In addition to this deep dive, we also published a threat intelligence report based on leaked internal documents from APT35 (Charming Kitten). This report maps the Iranian state-sponsored actor's organization, toolkit, and campaign strategies. It details their campaigns against Lebanon, Kuwait, Türkiye, Saudi Arabia, Korea, and domestic Iranian targets, with a focus on their use of Microsoft Exchange attack chains. As a former Exchange Admin, I took personal note of that detail and was glad those days were behind me!
Last but not least, my team and I attended CYBERWARCON in Arlington, Virginia a couple of weeks ago. It was great to connect with the community, we had a small sponsorship booth and had many excellent conversations with fellow practitioners. I personally like the timing of this one-day conference, as it’s a nice bookend to its sister conference SLEUTHCON, which we attended earlier this year.
November was packed with research and tasty threat intelligence, so let's dive right in and get you up to speed!
In September 2025, a historic breach of China’s censorship infrastructure leaked over 500 gigabytes of internal data detailing the infrastructure, design, and companies involved with the Great Firewall (GFW). DTI researchers analyzed more than 100,000 documents, internal source code, work logs, configuration files, emails, technical manuals, and operational runbooks.
Part 1 covers the human machinery behind the GFW and the consequences of the leak. This data links specific engineers and administrators to their roles across state-run ISPs (China Telecom, China Unicom, China Mobile), academic research institutions, and Ministry of State Security (MSS)-linked vendors.

In Part 2, DTI analysts offer a forensic reconstruction of the Great Firewall’s technical infrastructure. From spreadsheets detailing app endpoint behavior, user monitoring intervals, and hardware configurations to blueprint files illustrating node relationships and control flows, the data illustrates a highly centralized yet distributed architecture, built on cooperation between state-run ISPs, telecom vendors, university research labs, and policy-design entities. Using this data, our researchers mapped the operational logic, software structure, and institutional alignment driving the digital surveillance regime.

🔍Read the full technical deep dive here
In the final part of the series, our team analyzes the strategic doctrine behind the Great Firewall. This analysis reveals the GFW as a cornerstone of China’s broader governance model, extending internal social control mechanisms into the digital realm while also projecting power abroad. The regime serves a dual purpose of insulating the domestic population from undesired narratives and foreign influence, while exporting technologies, protocols, and ideological models of digital sovereignty to other authoritarian or aspiring technocratic regimes.

In October, internal documents from APT35, also referred to as Charming Kitten, were leaked on GitHub. Our researchers reviewed and analyzed the leaked documents to form a tightly linked forensic trail that maps both technique and organization. In this report, we broke down APT35’s toolkit, which covers reconnaissance, initial access, and post-exploitation tooling optimized for large-scale, quota-driven compromise operations. Our team analyzed the actor’s operational profile and campaign strategies, identifying an emphasis on weaponizing Exchange attack chains (ProxyShell, Autodiscover, EWS enumeration, and PowerShell-driven tasks) to extract mailbox contents and Global Address Lists, maintain mailbox-level persistence, support HUMINT extraction, and run iterative phishing loops based on harvested address books.

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list will get you up to speed!
📚 Check out the full reading list here 📚
As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will be coming back to read future editions!
We share this newsletter via email as well - if you’d prefer to get it to your inbox, sign up here.
If you missed last month's content, here are some quick links:
Thanks for reading - see you next month!
-Daniel
https://www.linkedin.com/in/schwalbe
https://infosec.exchange/@danonsecurity

For the title of this tenth edition of my newsletter, I decided to go with a hit by “The Boss” (Bruce Springsteen for those of you who aren’t familiar). The obvious choice could have been 10 by Pearl Jam, who hail from my adopted hometown. But 10 is an album title, and not a song title, and we have patterns to follow! Speaking of Seattle, the days have gotten really short already, temperatures are dropping overnight, and I’ve resigned myself to packing away my summer clothes for another 9 months. On the other hand, the crisp air and the promise of Halloween candy, together with the return of some truly excellent TV shows, make the indoor time a little more palatable.
But most importantly, spending more time indoors means more time to dive into research! My team has been absolutely prolific this month, bringing you some must-read research and showing up to engage with the community.
We’ve published a comprehensive analysis of the NPM Phishing attacks, where we analyzed how attackers stole developer credentials and bypassed MFA to compromise high-profile software repositories. We also took you Inside a Crypto Scam Nexus, exposing a web of wallet-drain scams tied to a single threat actor’s infrastructure. Furthermore, we’ve tracked a financially motivated cluster of more than 80 spoofed domains and lure websites in our 18+ E-Crime analysis, which were used to deliver Android and Windows trojans to users of age 18+ social media, online gambling, and government tax sites. Our team also attended and presented at BSides NoVa, where Ian Campbell presented on how Domain and DNS intelligence is a critical tool for investigative journalists and Malachi Walker spoke on the attack surface of Formula 1.
Let’s dive right in and get you up to speed!
Our commitment to a thriving cybersecurity ecosystem means we put our time and resources toward contributing to collective knowledge and the common good. That’s why we were proud sponsors of BSides NoVa on October 10th and 11th.
Our team delivered two accepted talks, including Senior Security Ops Engineer Ian Campbell’s presentation on DNS and domain intelligence in investigative journalism, and colleague Malachi Walker’s talk on cyber threats in F1 racing. In his full write-up, Ian reflects on the importance of contributing to the infosec community and answers the question: Where do I learn how to do this kind of work?

DTI researchers analyzed the series of high-profile supply chain compromises caused by malicious code written to NPM repositories managed with stolen developer credentials. While developers of prominent NPM repositories have been targeted for many years, these events prompted CISA to release an alert due to their widespread nature.
Attackers used multi-stage fake NPM login pages to steal passwords and successfully intercept the legitimate email OTP/MFA code in real-time. This allowed attackers to establish their own authenticated sessions on the real npmjs[.]com while victims remained unaware their credentials had been stolen and their accounts compromised.
Our team of analysts uncovered a web of wallet-drain scams, ranging from browser extension popups and iPhone configuration profile traps to fraudulent web trading apps, all tied to one threat actor’s infrastructure. We exposed how multiple websites such as medaigenesis[.]cc, novacrypt[.]net, and zzztd[.]com were hosted on the same server IP address, 8.221.100[.]222. These sites formed a coordinated infrastructure used to steal cryptocurrency from unsuspecting users.
This cluster of scams demonstrates how threat actors combine technical methods with deception to steal cryptocurrency. By controlling multiple domains and even a browser extension, they exploit trust at several levels: browser add-ons, app installation processes, and convincing web design. The single infrastructure behind these schemes also highlights how a determined attacker can leverage one setup to run multiple scams, from cryptocurrency theft to fake e-commerce.
Read the full investigation here
Starting in September 2024, a financially motivated cluster of more than 80 spoofed domain names and lure websites began targeting users with fake applications and websites themed as government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications. The actor used these spoofed domains to deliver Android and Windows trojans, likely to steal credentials, or went after credentials more overtly through fake login pages.

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list is sure to get you up to speed!
Check out the full reading list here
As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will keep coming back to read future editions!
We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here.
If you missed last month’s content, here are some quick links:
Thanks for reading – see you next month!
-Daniel
https://www.linkedin.com/in/schwalbe
https://infosec.exchange/@danonsecurity