
Tenth Newsletter Freeze-Out

Daniel Schwalbe

Subscribe to the Newsletter here

For the title of this tenth edition of my newsletter, I decided to go with a hit by “The Boss” (Bruce Springsteen for those of you who aren’t familiar). The obvious choice could have been 10 by Pearl Jam, who hail from my adopted hometown. But 10 is an album title, and not a song title, and we have patterns to follow! Speaking of Seattle, the days have gotten really short already, temperatures are dropping overnight, and I’ve resigned myself to packing away my summer clothes for another 9 months. On the other hand, the crisp air and the promise of Halloween candy, together with the return of some truly excellent TV shows, make the indoor time a little more palatable.

But most importantly, spending more time indoors means more time to dive into research! My team has been absolutely prolific this month, bringing you some must-read research and showing up to engage with the community.

We’ve published a comprehensive analysis of the NPM Phishing attacks, where we analyzed how attackers stole developer credentials and bypassed MFA to compromise high-profile software repositories. We also took you Inside a Crypto Scam Nexus, exposing a web of wallet-drain scams tied to a single threat actor’s infrastructure. Furthermore, we’ve tracked a financially motivated cluster of more than 80 spoofed domains and lure websites in our 18+ E-Crime analysis, which were used to deliver Android and Windows trojans to users of age 18+ social media, online gambling, and government tax sites. Our team also attended and presented at BSides NoVa, where Ian Campbell presented on how Domain and DNS intelligence is a critical tool for investigative journalists and Malachi Walker spoke on the attack surface of Formula 1.

Let’s dive right in and get you up to speed!

Hot off the Presses

DomainTools Investigations BSides NoVa Recap

Our commitment to a thriving cybersecurity ecosystem means we put our time and resources toward contributing to collective knowledge and the common good. That’s why we were proud sponsors of BSides NoVa on October 10th and 11th.

Our team delivered two accepted talks, including Senior Security Ops Engineer Ian Campbell’s presentation on DNS and domain intelligence in investigative journalism, and colleague Malachi Walker’s talk on cyber threats in F1 racing. In his full write-up, Ian reflects on the importance of contributing to the infosec community and answers the question: Where do I learn how to do this kind of work?

🔗Read Ian’s recap here

Repo the Repo – NPM Phishing 

DTI researchers analyzed the series of high-profile supply chain compromises caused by malicious code written to NPM repositories managed with stolen developer credentials. While developers of prominent NPM repositories have been targeted for many years, these events prompted CISA to release an alert due to their widespread nature.

Attackers used multi-stage fake NPM login pages to steal passwords and intercept the legitimate email OTP/MFA code in real time. This allowed attackers to establish their own authenticated sessions on the real npmjs[.]com while victims remained unaware that their credentials had been stolen and their accounts compromised.

🔗Read our analysis here

Inside a Crypto Scam Nexus 

Our team of analysts uncovered a web of wallet-drain scams, ranging from browser extension popups and iPhone configuration profile traps to fraudulent web trading apps, that were all tied to one threat actor’s infrastructure. We exposed how multiple websites such as medaigenesis[.]cc, novacrypt[.]net, and zzztd[.]com were hosted on the same server IP address, 8.221.100[.]222. These sites formed a coordinated infrastructure used to steal cryptocurrency from unsuspecting users.

This cluster of scams demonstrates how threat actors combine technical methods with deception to steal cryptocurrency. By controlling multiple domains and even a browser extension, they exploit trust at several levels: browser add-ons, app installation processes, and convincing web design. The single infrastructure behind these schemes also highlights how a determined attacker can leverage one setup to run multiple scams, from cryptocurrency theft to fake e-commerce.
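The pivot at the heart of this investigation, and of the 80-domain cluster in the 18+ E-Crime write-up below, is grouping domains by the hosting IP they resolved to. The following is an added example, not the newsletter's or DTI's own tooling: it clusters constructed resolution records by IP, checks whether the domains on a shared IP actually resolved there at the same time (a recycled IP used sequentially is a much weaker link than simultaneous co-hosting), and prints indicators in the defanged notation the newsletter uses. The domains and IP are the ones named above; the date windows and the unrelated control domain are made up for the example.

```python
from collections import defaultdict

# Constructed resolution records: (domain, ip, first_seen, last_seen).
# Domains and the IP come from the newsletter; the date windows and the
# unrelated control domain are made up for this example.
RECORDS = [
    ("medaigenesis.cc", "8.221.100.222", "2025-06-01", "2025-09-30"),
    ("novacrypt.net", "8.221.100.222", "2025-07-15", "2025-09-30"),
    ("zzztd.com", "8.221.100.222", "2025-08-01", "2025-09-30"),
    ("unrelated.example", "203.0.113.10", "2025-01-01", "2025-09-30"),
]


def defang(indicator: str) -> str:
    """Break the last dot so the indicator is not clickable or resolvable,
    matching the newsletter's notation (8.221.100[.]222, zzztd[.]com)."""
    head, sep, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}" if sep else indicator


def cluster_by_ip(records, min_domains=2):
    """Group domains by the IP they resolved to. Clusters smaller than
    min_domains are dropped: a lone domain on an IP offers no pivot."""
    by_ip = defaultdict(set)
    for domain, ip, _first, _last in records:
        by_ip[ip].add(domain)
    return {
        ip: sorted(domains)
        for ip, domains in by_ip.items()
        if len(domains) >= min_domains
    }


def cohosting_window(records, ip):
    """Return the (start, end) period during which every domain on `ip`
    resolved there simultaneously, or None if their windows never all
    overlap. Shared-hosting and CDN IPs also produce clusters, so an
    overlapping window is one check worth making before treating a
    cluster as a single actor's infrastructure. ISO-8601 date strings
    compare correctly as plain strings, so no datetime parsing is needed."""
    windows = [(first, last) for _d, rec_ip, first, last in records if rec_ip == ip]
    if not windows:
        return None
    start = max(first for first, _ in windows)
    end = min(last for _, last in windows)
    return (start, end) if start <= end else None


def report(records):
    """One defanged line per cluster, suitable for pasting into notes."""
    lines = []
    for ip, domains in sorted(cluster_by_ip(records).items()):
        window = cohosting_window(records, ip)
        when = (f"co-hosted {window[0]} to {window[1]}" if window
                else "no simultaneous overlap")
        lines.append(f"{defang(ip)}: {', '.join(defang(d) for d in domains)} ({when})")
    return lines


if __name__ == "__main__":
    for line in report(RECORDS):
        print(line)
```

Running the block prints a single cluster line for 8.221.100[.]222 listing the three domains with their shared window; the control domain on its own IP is filtered out because nothing else resolved there.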

🔍Read the full investigation here

18+ E-Crime

Starting in September 2024, a financially motivated cluster of more than 80 spoofed domain names and lure websites began targeting users with fake applications and websites themed as government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications. The actor used these spoofed domains to deliver Android and Windows trojans, likely to steal credentials, and in other cases did so more overtly through fake login pages.

🔗Learn more here

What We’re Reading

In case you’re behind on your cybersecurity reading homework, DTI team member Ian Campbell’s monthly recommended reading list is sure to get you up to speed!

📚Check out the full reading list here📚

Where We’ll Be

  • AFCEA Vegas Tech & Cyber Expo, Las Vegas, NV, 4-5 November
  • CYBERWARCON, Washington, DC, 19 November

Final Thoughts

As always, thank you to my returning readers! If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. And of course I hope you will keep coming back to read future editions!

We share this newsletter via email as well – if you’d prefer to get it to your inbox, sign up here.

If you missed last month’s content, here are some quick links:

Thanks for reading – see you next month!

-Daniel

https://www.linkedin.com/in/schwalbe
https://infosec.exchange/@danonsecurity