Domain hijacking attacks like subdomain takeover and SPF hijacking take advantage of vulnerable or stale configurations in a target domain. The vulnerable domains are then leveraged in spam or phishing campaigns or to spread malware. They can be particularly successful as they can take advantage of the target domain’s established reputation to subvert spam filters and other reputation-based detections.
Subdomain Takeover
In the case of subdomain takeover, attackers look for subdomains that are configured to point to a service that does not appropriately handle subdomain ownership verifications.
Attackers can enumerate subdomains that point to other services using a range of openly available tools such as Sublist3r, Assetfinder, and ReconNG. They then check for vulnerable configurations: subdomains pointing to services that allow custom domain names, such as GitHub Pages or AWS S3, or subdomains that continue to point to services that no longer exist.
Exploiting these vulnerable domains allows the attacker to host malicious content such as phishing pages or malware from the domain. This type of attack may allow for “subdomailing”, which refers to the type of email spoofing attack that leverages subdomains of a legitimate domain to send fraudulent emails.
Example DNS log of a potentially vulnerable subdomain:
mail.vulnerable-domain[.]com. IN CNAME pages.githubusercontent[.]com.
This shows that mail.vulnerable-domain[.]com points to GitHub Pages. If, for example, the associated GitHub Pages repository were deleted while the DNS record was left unchanged, an attacker could re-create the deleted repository under the same name, in effect taking control of the content served from the target subdomain.
SPF Hijacking
In contrast to subdomain takeover, SPF hijacking occurs when an attacker gains access to a target’s DNS records, either via the registrar or by exploiting vulnerabilities in the DNS infrastructure. Once the attacker has access, they can modify the SPF record of a domain, for example by adding one of their own domains to the target domain’s SPF record. In effect, this allows the attacker to send emails that appear to originate from the target’s domain.
Example DNS log of a vulnerable SPF record: vulnerable-domain[.]com. IN TXT "v=spf1 mx -all"
Example attacker tool to modify a DNS record of a target domain: pdnsutil modify record vulnerable-domain[.]com TXT 'v=spf1 mx attacker-domain[.]com -all'
Example DNS log of the compromised SPF record for domain insertion: vulnerable-domain[.]com. IN TXT "v=spf1 mx attacker-domain[.]com -all"
In the examples above, pdnsutil, a powerful DNS management tool, is used to modify the “TXT” record of a vulnerable domain so that the attacker’s domain is included in a new SPF record, "v=spf1 mx attacker-domain[.]com -all".
Hunting
We pivot off a report by Guardio from February 2024, which detailed a large subdomailing campaign involving two attacker domains inserted into vulnerable DNS records:
harrisburgjetcenter[.]com greaterversatile[.]com
Equipped with knowledge about domain takeover attacks, we can hunt for characteristics of subdomain takeover and SPF hijacking.
To start, we may take similar approaches to an attacker in which passive reconnaissance tools or historical DNS and web scanner data aggregators are leveraged to passively identify potentially vulnerable domain configurations.
Reviewing recent DNS records for actor domain greaterversatile[.]com in RDATA:
Breaking down the RDATA: "v=spf1 include:harrisburgjetcenter[.]com include:greaterversatile[.]com -all"
v=spf1: indicates it's an SPF record version 1, the most commonly used version.
include:harrisburgjetcenter[.]com: instructs the receiving mail server to consult the SPF record hosted on the domain harrisburgjetcenter[.]com. The receiving server will then use that record to determine if an email claiming to originate from the original domain is legitimate.
include:greaterversatile[.]com: the receiving server will also consult the SPF record hosted on greaterversatile[.]com.
-all: specifies a "hard fail" for any email that doesn't pass the SPF check based on the included records. In other words, any email not authorized by the records from harrisburgjetcenter[.]com or greaterversatile[.]com will be rejected.
Reviewing recent DNS records for actor domain greaterversatile[.]com in RRNAME:
The DNS records above show that the actor domain greaterversatile[.]com had SPF records in February 2024 pointing to several domains and hundreds of IP addresses, and that in October 2024 the record was updated to point to two dynamic DNS domains.
Because these domains are grouped together in the same SPF records, the following domains are likely also actor-owned during their respective periods of association.
In summary of the above records, if the domain tracks.vooyo[.]id sends email, the receiving mail server would attempt to validate the SPF records of the actor domains harrisburgjetcenter[.]com and greaterversatile[.]com, which in turn redirect to instanttranslates.dynu[.]net and informationshout.dynu[.]net.
The following DNS records for instanttranslates.dynu[.]net indicate that additional SPF redirection takes place.
Because they are used in the SPF records of other actor domains, these additional dynamic DNS domains, which also act as SPF redirectors, are likely actor-operated as well:
Subsequently looking up the SPF redirects for universitygreatchoices.gleeze[.]com and others identifies records such as the following, in which the designated IP ranges are authorized to send mail on behalf of the original domain.
The following diagram shows how the chained SPF records create multiple layers of redirects.
In summary, the chained SPF records create multiple layers of SPF redirects. This may serve to obfuscate the originating mail servers and to distribute infrastructure, increasing resilience against disruptions affecting portions of the network. It may also serve to evade detection by hindering analysis: the chaining makes it difficult for anti-spam and security researchers to identify patterns and write signatures to detect and block the network and the activity it is used for.
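To hunt for the two traits discussed on this page, an inserted SPF term (the hijacking example above) and deep include chains through dynamic DNS redirectors, the following added example (not code from the original post or from the actor's tooling) walks an SPF include tree and diffs records. The SPF_RECORDS dict is constructed to mirror the chain described above: the domain names are the actor domains from the post, but their record contents and the IP ranges (RFC 5737 documentation space) are assumptions, and nothing is resolved over the network.

```python
"""Added example: hunt chained SPF includes and SPF tampering over constructed records."""
import re
from ipaddress import ip_network

SPF_RECORDS = {  # constructed stand-in for passive-DNS data; nothing is resolved live
    "tracks.vooyo.id": "v=spf1 include:harrisburgjetcenter.com include:greaterversatile.com -all",
    "harrisburgjetcenter.com": "v=spf1 include:instanttranslates.dynu.net -all",
    "greaterversatile.com": "v=spf1 include:instanttranslates.dynu.net include:informationshout.dynu.net -all",
    "instanttranslates.dynu.net": "v=spf1 include:universitygreatchoices.gleeze.com -all",
    "informationshout.dynu.net": "v=spf1 ip4:203.0.113.0/24 -all",
    "universitygreatchoices.gleeze.com": "v=spf1 ip4:198.51.100.0/25 ip4:192.0.2.0/24 -all",
}
DYNDNS_SUFFIXES = (".dynu.net", ".gleeze.com")  # dynamic-DNS providers seen in the post

def spf_terms(record):
    """Split a TXT record into its terms; reject anything that is not SPF."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return parts[1:]

def resolve_chain(domain, records, depth, seen, lookups):
    """Walk include:/redirect= hops; return (authorized networks, deepest hop)."""
    if domain in seen or domain not in records:  # loop guard / missing record (permerror)
        return [], depth
    seen.add(domain)
    nets, deepest = [], depth
    for term in spf_terms(records[domain]):
        mech = term.lstrip("+-~?").lower()
        if mech.startswith(("ip4:", "ip6:")):
            nets.append(ip_network(mech[4:], strict=False))
        elif mech.startswith(("include:", "redirect=")):
            lookups[0] += 1  # each hop spends one of the 10 DNS lookups RFC 7208 allows
            sub, d = resolve_chain(re.split("[:=]", mech, maxsplit=1)[1], records, depth + 1, seen, lookups)
            nets, deepest = nets + sub, max(deepest, d)
        elif mech in ("a", "mx", "ptr") or mech.startswith(("a:", "mx:", "exists:")):
            lookups[0] += 1  # these mechanisms consume a lookup too
    return nets, deepest

def analyze(domain, records=SPF_RECORDS):
    """Traits the post hunts for: sender ranges, lookup budget, include depth, dyn-DNS hops."""
    seen, lookups = set(), [0]
    nets, depth = resolve_chain(domain, records, 0, seen, lookups)
    return {"networks": sorted(str(n) for n in nets), "lookups": lookups[0], "depth": depth,
            "over_limit": lookups[0] > 10,
            "dyndns_hops": sorted(d for d in seen if d.endswith(DYNDNS_SUFFIXES))}

def added_terms(baseline, observed):
    """Terms in a newly observed SPF record that the baseline lacked (SPF hijack check)."""
    return sorted(set(spf_terms(observed)) - set(spf_terms(baseline)))
```

Feeding analyze() the records you pull from a passive-DNS source lets you flag domains whose SPF tree runs through dynamic DNS hops or blows the lookup budget, and added_terms() over successive snapshots of your own record surfaces the kind of insertion shown in the hijacking example.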
The Senders
Sampling the IP addresses in the RDATA records shows a trend of mail servers, reverse DNS, Apache HTTP servers, and Squid Cache servers.
The domains associated with the IPs in the SPF records were also observed hosting content such as the following samples:
This research has only touched the surface of what appears to be a very large and well-coordinated spam and phishing network taking advantage of DNS-related misconfigurations or weaknesses. Indications from domain and infrastructure pivots suggest the network has been operating since at least 2019 and continues to the present. The operators of the network appear to be aware of and responsive to security reports about their infrastructure, and appear to have made multiple attempts to improve its resilience against identification and disruption.