Online gambling operators are sponsoring charities?? If only :(

We've identified a malicious gambling affiliate whose specialty is to buy expired domain names which used to belong to charities or reputable organisations.

Once they own a domain, they host a website impersonating its previous owner, where they claim to "deeply appreciate the support from [their] sponsors", which surprise surprise, all turn out to be dubious online gambling companies.

Because the domain they are taking over is often abandoned or managed by non-technical people, its previous owner often doesn't notify anyone that they've lost control of their website, so it continues being referenced in genuine content, and it continues getting traffic from old links scattered throughout the internet.

teampiersma[.]org (screenshots below)
americankayak[.]org
getelevateapp[.]com
hotshotsarena[.]com
nehilp[.]org
questionner-le-numerique[.]org
sip-events[.]co[.]uk
studentlendinganalytics[.]com
thegallatincountynews[.]com

Comparison content:
2018: https://web.archive.org/web/20180119043432/https://teampiersma.org/
2025: https://web.archive.org/web/20250401092253/https://teampiersma.org/

Is the sky fluxxing?! Last week a CISA advisory on DNS Fast Flux created a lot of buzz. We have an insider's take.

Fast Flux is a nearly 20 year old technique and is essentially the malicious use of dynamic DNS. It is critical that protective DNS services understand this -- and all other DNS techniques -- on that we agree.

What we also know as experts in DNS is that there are many ways to skin a cat, as they say.

#dns #threatintel #cisa #malware #phishing #threatintelligence #infobloxthreatintel #infoblox #cybercrime #cybersecurity #infosec

https://blogs.infoblox.com/threat-intelligence/disrupting-fast-flux-and-much-more-with-protective-dns/

DragonForce appears to be taking over the infrastructure of RansomHub, the largest ransomware group. A huge scoop courtesy of the Cyble threat intelligence research team. #Ransomware #Cybersecurity #ThreatIntelligence

https://thecyberexpress.com/dragonforce-claims-to-be-taking-over-ransomhub/

How to build a a Threat Intelligence GenAI Reporter using MCP (Model Context Protocol) and ORKL Database - Article by Thomas Roccia @fr0gger #ThreatIntelligence #GenAI https://blog.securitybreak.io/building-a-threat-intelligence-genai-reporter-with-orkl-and-claude-a0ae2e969693

A new release of the AIL project is coming soon, featuring a significant improvement in language detection.

A lot of work has been done on LexiLang by @terrtia to clean up dictionaries and improve support for localized languages and slang.

In the example below, you can see a user active in different Telegram channels, using both Russian and Ukrainian.

https://www.ail-project.org/

If you're interested in the topic, join us at a 2-day hackathon in Luxembourg on April 8–9, 2025, focused on open-source security tools. The developers of the AIL project will be there in person!

https://hackathon.lu/

#threatintel #threatintelligence #opensource #ail #intelligence

@ail_project
@circl

Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.

Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.

One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.

Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.

Block these:

user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa

Last week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed him to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. It's legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens.

Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies.

Here are a few samples of the domains:

- reag-br[.]com Lookalike for Reag Capital Holdings, Brazil.
- creo--ia[.]com Lookalike for an industrial fabrication firm in WA State.
- admiralsmetal[.]com Lookalike for US based metals provider.
- ustructuressinc[.]com Lookalike Colorado based Heavy Civil Contractor.
- elisontechnologies[.]com Typosquat for Ellison Technologies machine fabrication.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #phishing #malware #scam #dod

For one reason or another, some domain registrars seem to attract threat actors. This leads to domains registered through these registrars having higher associated risk. Unlike TLD reputation scores, which are fairly consistent from month to month, registrar reputation scores can vary quite a bit month to month. In fact, this month's riskiest registrar, Dominit (HK) Ltd., increased from a score of 7 to 9 and jumped a whopping 29 spots to reach #1.

An explanation and minimum-working-example of our reputation algorithm can be found here: https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/

DomainTools Investigations (DTI) shares its latest analysis: “Phishing Campaign Targets Defense and Aerospace Firms Linked to Ukraine Conflict.”

The infrastructure comprises a small number of mail servers, each supporting a set of domains designed to spoof that of a specific organization. These domains currently host webmail login pages likely intended to harvest credentials from targeted entities.

The phishing infrastructure targets defense and aerospace entities linked to the Ukraine conflict.
Infrastructure comprises a small number of mail servers supporting domains designed to spoof specific organizations.
Likely intended to harvest credentials from targeted entities.
Motivated by cyber espionage, focusing on intelligence related to the Ukraine/Russia conflict.

Stay informed and help us combat these threats - read the full article and join the discussion.

https://dti.domaintools.com/phishing-campaign-targets-defense-and-aerospace-firms-linked-to-ukraine-conflict/?utm_source=Mastodon&utm_medium=Social&utm_campaign=PhishingInfra-UAConflict

New ransom group blog post!

Group name: ransomhub
Post title: cisd.org
Info: https://cti.fyi/groups/ransomhub.html

Fine that H-ISAC is publishing this out of "an abundance of caution," but the originating account looks like total crap. I do not think ISIS-K is planning car bombings of hospitals, nor has any evidence been presented that they are.

#ThreatIntel #ThreatIntelligence

https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/tlpwhite-aa319249-potential-terror-threat-targeted-at-health-sector-aha-health-isac-joint-threa.pdf

Last week, we discussed the riskiest TLDs of March. Our reputation algorithm is generic, meaning it can be applied to virtually *any* type of data (read more here: https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/). This time, we'll take a look at the riskiest mail servers we've identified this month. Top of the list? all-harmless[.]domains -- the irony isn't lost on anyone.

These mail servers attract phishing actors like honey does flies -- serving such lovely domains as bbva-web-soporte[.]com and kutxabank-movil-app[.]com. Additionally, we've identified one FunNull / Polyfill domain (69558[.]vip) using both baidu[.]com and shifen[.]com mail servers.

Dive into DomainTools Investigations’ latest analysis: "The Domain Registrars Powering Russian Disinformation: A Deep Dive into Tactics and Trends."

Russian state-sponsored actors are leveraging low-cost, privacy-protected, and anonymous domain services to launch sophisticated disinformation campaigns.

Key Highlights:
Fake news portals mimicking legitimate media
Typosquatting and homoglyph attacks
Bulletproof hosting and Fast Flux networks
Preferred registrars
Emerging trends in domain registration tactics

Stay informed and help us combat these threats - read the full article and join the discussion: https://dti.domaintools.com/domain-registrars-powering-russian-disinformation/?utm_source=Mastodon&utm_medium=Social&utm_campaign=disinformation

I just published the source code for my very naive #Python implementation for generating a node network based on MITRE Intrusion Sets and Techniques. It will output linked #Markdown files linking intrusion sets to their used techniques.

Perhaps someone finds it useful or interesting to experiment with.

Source code: https://github.com/cstromblad/markdown_node

I hinted at this in a thread started by @Viss where he asked for input on a few very likely malicious domains. Me @Viss @cR0w @neurovagrant and others did some OSINT fun work with a couple of the original domains.

It was this thread: https://mastodon.social/@Viss/114145122623079635

Now I posted a picture of a node network rendered in Obsidian and I hinted that perhaps Obsidian could be used as a poor mans version of performing threat intelligence work.

Threat actors often have their favorite TLDs. This month we've found the following TLDs to have the highest risk. The top 5 retain their spot from last month, with the TLD .bond topping the chart with a risk score of 10. This is rare and only happens when the percentage of risky domains is at least 4.5 standard deviations above the mean. Congratulations, I guess?

An explanation and minimum-working-example of our reputation algorithm can be found here: https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/

The MISP project maintains and offers a comprehensive knowledge base covering threat actors, ransomware groups, malware, and more.

Even if you don't use MISP, you can now easily search across all MISP Project knowledge bases, including galaxies, taxonomies, and MISP object templates.

https://search.misp-community.org

Cybercrime is increasingly recognized as a national security threat. Google Cloud execs highlight the need for proactive prevention strategies in the face of emerging financial crime threats. With evolving tactics, organizations must enhance their security posture and threat intelligence. Awareness and innovation are key. How are you adapting your cybersecurity strategies to combat these evolving threats? #Cybersecurity #Privacy #ThreatIntelligence

Read more: https://short.steelefortress.com/70cu1k

While everyone is enjoying Carnival in Brazil, threat actors are still out there trying to lure people into their traps. We have found a cluster of lookalikes to the Brazilian DMV office (DETRAN in Portuguese). We observed at least two instances where they were impersonating the DMV office for the Brazilian states of Paraná and Maranhão.

The actor(s) create domains with the same label, but on several different TLDs (mostly highly abused). Here are some examples of what they look like.

consultes-seu-debitos2025.<space|site|shop|cloud>
debitos-sp-2025.<club|com|lat|net|online|store|xyz>
de3trasn2025.<click|fun|life|online|xyz>
departamentodetran2025.<click|icu|lat>
detran2025.<click|icu|lat|sbs>
l1cenciamento-detran2025.<click|icu|lat|sbs>

#lookalikes #dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel

https://urlscan.io/result/802374b7-6c8b-433b-b6e0-32561f74b7d3/
https://urlscan.io/result/721b12bb-d5fe-4c7e-b2b5-724e07aa22e0/

Black Basta Chat Logs Reveal Ransomware Group’s TTPs, IoCs https://thecyberexpress.com/black-basta-ransomware-group-leak/ #blackbastaransomwaregroup #TheCyberExpressNews #ThreatIntelligence #cybersecuritynews #TheCyberExpress #Vulnerabilities #RansomwareNews #FirewallDaily #BlackBasta #Ransomware #CyberNews #TTPs

Criminal organizations are doubling down on malicious adtech to enable delivery of fake applications, malware, credential theft, and more -- not to mention the ability to circumvent enterprise security controls AND target victims with custom content: https://blogs.infoblox.com/threat-intelligence/the-hidden-dangers-of-malicious-adtech/
#tds #dns #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #adtech