Helvede

Infoblox Threat Intel“Your device has been blocked due to illegal activity” — 🙄 sure it has. After fat-fingering github[.]com, we were redirected to a domain running a fake Microsoft tech support scams: pop-ups that lock your browser, shout scary messages, and push you to call a “support” number (aka the scammer who’ll walk you through installing remote access tools). They're hosted on legit infra like Azure blobs or Cloudflare Pages. That one redirect led to uncovering 1,200+ other domains hosting identical fake support pages. Of course, whenever a redirect like this happens, there's a malicious traffic distribution system (TDS) involved. Examples include: - tenecitur.z1.web.core.windows[.]net- neon-kleicha-36b137[.]netlify[.]app- us6fixyourwindowsnow[.]pages[.]dev- microsoft-coral-app-6xv89.ondigitalocean[.]app<a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tds</a>

Infoblox Threat IntelGoing to RSA? We’re giving a 2 hour hands-on learning lab on traffic distribution systems (TDS). Malicious actors use these to hide their activity from security teams and deliver tailored content to victims. Not going to RSA? We’ve written a number of articles on this topic (some included below) and we’re happy to answer questions about TDSs here on Mastodon. <a href="https://blogs.infoblox.com/threat-intelligence/from-click-to-chaos-bouncing-around-in-malicious-traffic-distribution-systems/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blogs.infoblox.com/threat-intelligence/from-click-to-chaos-bouncing-around-in-malicious-traffic-distribution-systems/</a> <a href="https://www.infoblox.com/resources/webinars/dns-threat-briefing-q1-2025/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.infoblox.com/resources/webinars/dns-threat-briefing-q1-2025/</a> <a href="https://www.infoblox.com/resources/webinars/traffic-distribution-systems-at-the-heart-of-cybercrime/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.infoblox.com/resources/webinars/traffic-distribution-systems-at-the-heart-of-cybercrime/</a> <a href="https://www.infoblox.com/resources/webinars/the-big-ruse/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.infoblox.com/resources/webinars/the-big-ruse/</a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/RSAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RSAC</a> <a href="https://infosec.exchange/tags/RSAC25" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RSAC25</a>

Infoblox Threat IntelOnline gambling operators are sponsoring charities?? If only :(We've identified a malicious gambling affiliate whose specialty is to buy expired domain names which used to belong to charities or reputable organisations. Once they own a domain, they host a website impersonating its previous owner, where they claim to "deeply appreciate the support from [their] sponsors", which surprise surprise, all turn out to be dubious online gambling companies.Because the domain they are taking over is often abandoned or managed by non-technical people, its previous owner often doesn't notify anyone that they've lost control of their website, so it continues being referenced in genuine content, and it continues getting traffic from old links scattered throughout the internet.teampiersma[.]org (screenshots below) americankayak[.]org getelevateapp[.]com hotshotsarena[.]com nehilp[.]org questionner-le-numerique[.]org sip-events[.]co[.]uk studentlendinganalytics[.]com thegallatincountynews[.]comComparison content: 2018: <a href="https://web.archive.org/web/20180119043432/https://teampiersma.org/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://web.archive.org/web/20180119043432/https://teampiersma.org/</a> 2025: <a href="https://web.archive.org/web/20250401092253/https://teampiersma.org/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://web.archive.org/web/20250401092253/https://teampiersma.org/</a><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/dropcatch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dropcatch</a> <a href="https://infosec.exchange/tags/charity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#charity</a>

Infoblox Threat IntelOne of our researchers recently received a text from an unknown number saying they were eligible to receive a full refund for an Amazon order. The message contained a link to a URL on t[.]co, Twitter/X's link shortener. Clicking the link led to the domain 267536[.]cc, which hosted an Amazon phishing page.From this lead, we were able to find many more domains hosting the same content. The actor registering the domains seems to like .cc, the country code TLD for the Cocos Islands.Sample of the domains: 236564[.]cc 267536[.]cc 671624[.]cc 687127[.]cc 319632[.]cc<a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/sms" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sms</a> <a href="https://infosec.exchange/tags/smishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#smishing</a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#phishing</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a>

Infoblox Threat IntelMalicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware. Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments. One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records. Block these:user2ilogon[.]es viewer-ssa-gov[.]es wellsffrago[.]com nf-prime[.]com deilvery-us[.]com wllesfrarqo-home[.]com nahud[.]com. <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikes</a> <a href="https://infosec.exchange/tags/lookalikeDomain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikeDomain</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/pdns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pdns</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/ssa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ssa</a>

Infoblox Threat IntelLast week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed him to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. It's legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens. Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies. Here are a few samples of the domains:- reag-br[.]com Lookalike for Reag Capital Holdings, Brazil. - creo--ia[.]com Lookalike for an industrial fabrication firm in WA State. - admiralsmetal[.]com Lookalike for US based metals provider. - ustructuressinc[.]com Lookalike Colorado based Heavy Civil Contractor. - elisontechnologies[.]com Typosquat for Ellison Technologies machine fabrication. <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikes</a> <a href="https://infosec.exchange/tags/lookalikeDomain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikeDomain</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/pdns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pdns</a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#phishing</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/dod" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dod</a>

Christoffer S.(infoblox.com) Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks <a href="https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/</a>This report details the discovery of a sophisticated Phishing-as-a-Service (PhaaS) platform called 'Morphing Meerkat' that has been operating for at least five years. The platform leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers, spoofing over 100 brands. The threat actor behind this operation sends thousands of spam emails, primarily through specific ISPs, exploits open redirects on adtech infrastructure, compromises WordPress sites, and uses multiple credential exfiltration methods including Telegram. The phishing kit includes advanced evasion techniques such as code obfuscation, anti-analysis measures, and dynamic translation capabilities supporting over a dozen languages to target users globally.<a href="https://swecyb.com/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Cybersecurity</a> <a href="https://swecyb.com/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://swecyb.com/tags/Infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Infoblox</a> <a href="https://swecyb.com/tags/PhaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PhaaS</a> <a href="https://swecyb.com/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Phishing</a> <a href="https://swecyb.com/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DNS</a> <a href="https://swecyb.com/tags/Wordpress" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Wordpress</a>

Infoblox Threat IntelFor one reason or another, some domain registrars seem to attract threat actors. This leads to domains registered through these registrars having higher associated risk. Unlike TLD reputation scores, which are fairly consistent from month to month, registrar reputation scores can vary quite a bit month to month. In fact, this month's riskiest registrar, Dominit (HK) Ltd., increased from a score of 7 to 9 and jumped a whopping 29 spots to reach #1.An explanation and minimum-working-example of our reputation algorithm can be found here: <a href="https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/</a><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a>

Infoblox Threat IntelLast week, we discussed the riskiest TLDs of March. Our reputation algorithm is generic, meaning it can be applied to virtually *any* type of data (read more here: <a href="https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/</a>). This time, we'll take a look at the riskiest mail servers we've identified this month. Top of the list? all-harmless[.]domains -- the irony isn't lost on anyone. These mail servers attract phishing actors like honey does flies -- serving such lovely domains as bbva-web-soporte[.]com and kutxabank-movil-app[.]com. Additionally, we've identified one FunNull / Polyfill domain (69558[.]vip) using both baidu[.]com and shifen[.]com mail servers.<a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a>

Infoblox Threat IntelThreat actors often have their favorite TLDs. This month we've found the following TLDs to have the highest risk. The top 5 retain their spot from last month, with the TLD .bond topping the chart with a risk score of 10. This is rare and only happens when the percentage of risky domains is at least 4.5 standard deviations above the mean. Congratulations, I guess?An explanation and minimum-working-example of our reputation algorithm can be found here: <a href="https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/</a><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a>

Infoblox Threat IntelA huge body of work coming from a 1.9TB data leak around crypto scams began dropping this week. There are 32 news organizations involved including our friends at Qurium. We're going to compare notes and see how our previous reporting on crypto scams align with theirs, though we did see in one of the several pieces the names of two Vextrio companies. So that's fun. This page has several independent pieces in it so you do have to poke about to get everything. More pieces will be released in the coming days. <a href="https://www.qurium.org/scam-empire/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.qurium.org/scam-empire/</a> <a href="https://www.occrp.org/en/project/scam-empire/scam-empire-inside-a-merciless-international-investment-scam" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.occrp.org/en/project/scam-empire/scam-empire-inside-a-merciless-international-investment-scam</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/InfobloxThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfobloxThreatIntel</a> <a href="https://infosec.exchange/tags/crypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#crypto</a>

Infoblox Threat IntelWhile everyone is enjoying Carnival in Brazil, threat actors are still out there trying to lure people into their traps. We have found a cluster of lookalikes to the Brazilian DMV office (DETRAN in Portuguese). We observed at least two instances where they were impersonating the DMV office for the Brazilian states of Paraná and Maranhão. The actor(s) create domains with the same label, but on several different TLDs (mostly highly abused). Here are some examples of what they look like. consultes-seu-debitos2025.<space|site|shop|cloud> debitos-sp-2025.<club|com|lat|net|online|store|xyz> de3trasn2025.<click|fun|life|online|xyz> departamentodetran2025.<click|icu|lat> detran2025.<click|icu|lat|sbs> l1cenciamento-detran2025.<click|icu|lat|sbs> <a href="https://infosec.exchange/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikes</a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://urlscan.io/result/802374b7-6c8b-433b-b6e0-32561f74b7d3/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://urlscan.io/result/802374b7-6c8b-433b-b6e0-32561f74b7d3/</a> <a href="https://urlscan.io/result/721b12bb-d5fe-4c7e-b2b5-724e07aa22e0/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://urlscan.io/result/721b12bb-d5fe-4c7e-b2b5-724e07aa22e0/</a>

Infoblox Threat IntelCriminal organizations are doubling down on malicious adtech to enable delivery of fake applications, malware, credential theft, and more -- not to mention the ability to circumvent enterprise security controls AND target victims with custom content: <a href="https://blogs.infoblox.com/threat-intelligence/the-hidden-dangers-of-malicious-adtech/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blogs.infoblox.com/threat-intelligence/the-hidden-dangers-of-malicious-adtech/</a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tds</a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/adtech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#adtech</a>

Infoblox Threat IntelWe use the term Registered DGA in a different way than a traditional DGA since they serve a different purpose. We've created this cheatsheet to help you understand why we make the distinction. Tell us what you think and if there are any terms you would like explained!<a href="https://infosec.exchange/tags/rdga" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#rdga</a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tds</a> <a href="https://infosec.exchange/tags/ds" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ds</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a>

Infoblox Threat IntelWe researched the domains involved and found that some had been registered at NiceNIC, which we recognize as a problematic registrar located in China. This connection to China aligns with the type of pig-butchering / fake crypto platform scams that we're seeing. What makes this case unique is the use of political disinformation as a lure. An important lesson here is how adtech is being misused to facilitate disinformation and fraud. This is a trend you're probably familiar with if you've been following our content. Sample of identified domains: ecno26r4jj[.]com, affiltrack5681[.]com, client[.]fx-trinity[.]com, smartbrokerreviews[.]top <a href="https://infosec.exchange/tags/pigbutchering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pigbutchering</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/disinformation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#disinformation</a> <a href="https://infosec.exchange/tags/canada" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#canada</a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/mastodon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mastodon</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> 3/3

Infoblox Threat IntelWe have detected a recent malware campaign originating from a Türkiye IP. The campaign involved SnakeKeyLogger and XWorm, sent via emails primarily from`mail.haselayakkabi[.]com[.]tr` (SMTP IP: 45[.]144[.]214[.]104). The subject line was "<Recipient> received a new documents" with attachments like "SCS AWB and Commercial Invoice.rar" and a png of the Dropbox logo. Be cautious and stay safe! The combination of Xworm and SnakeKeyLogger represent a significant threat to privacy, and is capable of stealing passwords, recording keystrokes, and exfiltrating the data using SMTP and telegram.Malware Analysis: <a href="https://tria.ge/250205-bqhf9stndn" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://tria.ge/250205-bqhf9stndn</a> Stay vigilant, everyone! 💻🔒 <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/snakekeylogger" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#snakekeylogger</a> <a href="https://infosec.exchange/tags/xworm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#xworm</a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#phishing</a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/mastodon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mastodon</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a>

DNS-OARC🔹 OARC 44 | Feb 7, 10:05 AM (EST) Chance Tudor (<a href="https://mastodns.net/tags/Infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Infoblox</a>) 🔎 Lame Delegation: A cybercriminal’s hidden goldmine 💰 How forgotten domains become playgrounds for threat actors. <a href="https://mastodns.net/tags/LoveDNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LoveDNS</a> <a href="https://mastodns.net/tags/OARC44" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OARC44</a> ^RP

Infoblox Threat IntelUh-oh! We're seeing an uptick in newly observed domains related to tariffs. Most concerning are those offering 'tariff exclusions' or 'tariff rebates.' Additionally, various domains, both supporting and opposing the tariffs, are emerging from all over the world. An influx of new domains on a topic like this indicates a high potential for fraud, disinformation, or manipulation. Turbulent times create opportunities for scammers to exploit uncertainty. Don't fall for offers of rebates or exceptions to the tariffs. Get your news from trusted sources, and if confronted with an unexpected popup notification or website, remember there's no need to act urgently. Here are some examples of newly registered domains we've seen: tariffexemptions[.]com, tariffrebatespecialists[.]com, and tariff-mitigation[.]xyz. <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#phishing</a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/fraud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fraud</a> <a href="https://infosec.exchange/tags/mastodon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mastodon</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a>

Infoblox Threat IntelMastodon communities, be vigilant! Bad actors are creating accounts within the Fediverse and then using them to distribute malware. We identified one such case in which the threat actor had gone undetected since 2022. That Mastodon instance was one with a climate change focus. The threat actor was distributing an information stealer through their account. We are happy to have helped the instance owner figure out why they have been on blocklists intermittently for the last few years, but also get that particular threat out of their Mastodon instance and safe for users. There are undoubtedly many more of these across the Fediverse. Hopefully more awareness can get them detected and shut down faster. For our fellow security nerds... this was <a href="https://infosec.exchange/tags/vidar" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#vidar</a> malware with sha256 975932eeda7cc3feea07bc1f8576e1e73e4e001c6fe477c8df7272ee2e0ba20d and a c2 IP 78[.]47[.]227[.]68 from the instance. there is still at least one more Mastodon instance impacted that we are trying to reach. <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/stealer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#stealer</a> <a href="https://infosec.exchange/tags/mastodon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mastodon</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/fakeaccounts" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fakeaccounts</a> <a href="https://infosec.exchange/tags/c2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#c2</a>

Renée BurtonCricket and Matt asked me to join them for the Ask Mr DNS podcast last week. It's a great show that i've listened to for years. We talked about securing networks by blocking bad things in DNS and how our research group <a href="https://infosec.exchange/@InfobloxThreatIntel" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@InfobloxThreatIntel</a> does that work. I talk a bit about malicious adtech like <a href="https://infosec.exchange/tags/VexTrio" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#VexTrio</a> .... This whole show is completely unrehearsed and i had no real idea what we were going to cover lol... so fingers crossed it makes sense to folks. There are some great episodes about the Dyn attacks in 2015 that you should listen to if you have an interest in DDOS attacks. <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#phishing</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malvertising</a> <a href="https://ask-mrdns.com/2025/01/episode-64/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://ask-mrdns.com/2025/01/episode-64/</a>

Recent searches

Search options

Administered by:

Server stats:

#infoblox