The article discusses a study conducted by the WhoisXML API research team on six advanced persistent threat (APT) groups that have targeted European countries. The research aims to identify threat artifacts and provides insights into the tactics and domains associated with these groups. The findings reveal extensive email-connected domains and indicators of compromise (IoCs) related to these APT groups.…
Author: CircleID
Short Summary:
The article discusses a significant data breach involving nearly 1 million individuals’ information due to a BlackSuit ransomware attack on April 10, 2024. The compromised data included sensitive personal information. The Cybersecurity and Infrastructure Security Agency (CISA) updated its advisory on BlackSuit, revealing it as a rebranded version of the Royal ransomware.…
Short Summary:
The article discusses the NetSupport RAT, a remote access trojan used by advanced persistent threat (APT) groups. It highlights the challenges in detecting and removing such malware, along with an analysis of its indicators of compromise (IoCs) and associated artifacts identified by security researchers.…
Short Summary:
The article discusses the Polyfill supply chain attack, where threat actors compromised popular open-source polyfill projects by injecting malicious JavaScript code. This led to users being redirected to scam sites, particularly affecting mobile device users. Researchers identified indicators of compromise (IoCs) and conducted an analysis of the attack infrastructure, revealing various domains and IP addresses linked to the attack.…
Short Summary:
The article discusses the security risks associated with internationalized domain names (IDNs), particularly in the context of the Nitrogen malware campaign, where attackers used Punycode to create deceptive domains. The research team from WhoisXML API analyzed over 63,000 unique fully qualified domain names (FQDNs) containing native-language characters to uncover trends and potential threats in DNS security.…
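The Punycode trick described above is easy to reproduce and to check for. The following is an added example, not code from the original article or from WhoisXML API: it decodes ACE (`xn--`) labels with Python's standard-library `punycode` codec and then applies the two signals a practitioner typically uses to triage IDNs, mixed scripts within one label and a "skeleton" that folds common Cyrillic and Greek look-alikes to Latin so it can be compared against a brand watchlist. The confusables table and the watchlist are small illustrative subsets constructed for this example, not Unicode's full confusables data.

```python
import unicodedata

# Partial table of non-Latin letters that render like Latin ones.
# Assumption: a small illustrative subset, not Unicode's full confusables list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u03bf": "o", "\u03b1": "a", "\u0131": "i",
}

# Constructed watchlist of brand labels to compare skeletons against.
WATCHLIST = {"apple", "paypal", "microsoft", "amazon"}


def decode_label(label: str) -> str:
    """Decode one ACE (xn--) label to Unicode; non-ACE labels pass through."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        # The stdlib punycode codec works on the part after the "xn--" prefix.
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed punycode: keep the raw label for manual review


def decode_idn(domain: str) -> str:
    """Decode every label of a domain name."""
    return ".".join(decode_label(part) for part in domain.strip(".").split("."))


def scripts_in(label: str) -> set:
    """Approximate the set of scripts in a label from Unicode character names
    ('LATIN SMALL LETTER A' -> 'LATIN'). Digits and hyphens are script-neutral."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split(" ")[0])  # 'LATIN', 'CYRILLIC', 'GREEK', 'CJK', ...
    return scripts


def skeleton(label: str) -> str:
    """Fold confusable letters to their Latin look-alikes, e.g. Cyrillic 'аррӏе' -> 'apple'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def assess(domain: str) -> dict:
    """Return the decoded form plus the two signals used to flag IDN homographs."""
    unicode_form = decode_idn(domain)
    labels = unicode_form.split(".")
    is_idn = any(part.lower().startswith("xn--") for part in domain.split("."))
    mixed = any(len(scripts_in(part)) > 1 for part in labels)
    hits = sorted(
        {skeleton(part) for part in labels
         if skeleton(part) != part and skeleton(part) in WATCHLIST}
    )
    return {
        "domain": domain,
        "unicode": unicode_form,
        "is_idn": is_idn,
        "mixed_script": mixed,
        "lookalike_of": hits,
        "suspicious": mixed or bool(hits),
    }


if __name__ == "__main__":
    # xn--80ak6aa92e.com is the well-known all-Cyrillic look-alike of apple.com;
    # xn--e1afmkfd.xn--p1ai is a legitimate Russian-language IDN (пример.рф).
    for d in ["xn--80ak6aa92e.com", "apple.com", "xn--e1afmkfd.xn--p1ai"]:
        print(assess(d))
```

Note that the all-Cyrillic `apple` look-alike passes the mixed-script check, which is why browsers and registries apply the single-script rule and a skeleton comparison separately; a domain is only cleared when both signals are absent.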
Short Summary:
The ReasonLabs Research Team has identified a widespread polymorphic malware campaign known as the Extension Trojan, which forcibly installs malicious extensions in users’ browsers and has affected over 300,000 Google Chrome and Microsoft Edge users. The campaign has been linked to various domains and IP addresses, with significant findings regarding the indicators of compromise (IoCs) associated with the threat.…
Short Summary:
Satori has reported on a significant fraud campaign named “Konfety,” which exploits the CaramelAds mobile ad SDK to create malicious duplicates of popular apps. The investigation revealed numerous indicators of compromise (IoCs), including 250 evil twin apps on Google Play, 302 email-connected domains, and multiple IP addresses linked to malware distribution.…
Short Summary:
The WhoisXML API research team has identified thousands of election-related cybersquatting domains that could be exploited for profit or malicious purposes. Their study revealed over 3,300 domains linked to presidential candidates, with many being unattributable and potentially harmful. The investigation highlights the need for vigilance in the face of election-related cyber threats.…
Fortinet has identified a new variant of the Meduza Stealer that exploits the Microsoft Windows SmartScreen vulnerability (CVE-2024-21412). This malware campaign uses malicious PDF files to bypass security warnings and deliver the Meduza Stealer, which steals data from victims and sends it to a command-and-control server.…
Short Summary:
The WhoisXML API research team analyzed over 7.3 million domains registered in July 2024 to identify popular registrars, TLD extensions, and trends in domain registration. The analysis revealed the dominance of .com as the most popular TLD, along with insights into WHOIS data redaction and the prevalence of phishing threats among newly registered domains.…
Short Summary:
The UTA0137 cyber espionage group, linked to Pakistani hackers, has employed a new malware called DISGOMOJI, disguised as emojis, to target Indian organizations. Volexity’s analysis revealed numerous indicators of compromise (IoCs) and additional threat artifacts related to this attack.
Key Points:
UTA0137 is a cyber espionage group believed to be affiliated with Pakistani hackers.…
Short Summary:
The Zscaler ThreatLabz 2024 Phishing Report identifies the 20 most phished brands, including Microsoft, OneDrive, and Amazon, highlighting the exploitation of customer trust by phishers. An investigation by WhoisXML API uncovered 3,120 branded domains, with 12 identified as malicious, emphasizing the need for vigilance against phishing attacks.…
Advanced persistent threat (APT) groups will employ any means necessary to compromise the networks of their intended targets. And for Cosmic Leopard, that means using GravityRAT, an Android-based malware, and HeavyLift, a Windows-based malware loader, in their most recent operation Cisco Talos has dubbed “Operation Celestial Force.”…
Our research team analyzed more than 21.5 million domains registered between 1 April and 30 June 2024, as seen in the Newly Registered Domains (NRDs) Data Feed. The number of NRDs rose slightly, by 2.6%, compared with the previous quarter. The NRDs and malicious indicators of compromise (IoCs) detected in Q2 led us to uncover the following:
- The TLD type distribution of the Q2-registered domains
- The most popular generic top-level domain (gTLD) and country-code TLD (ccTLD) extensions
- The most popular registrars
- The top gTLDs and ccTLDs used by the malicious domains detected as IoCs in Q2
We also analyzed the top mail exchange (MX) fully qualified domain names (FQDNs) and their providers over the past 365 days using our passive DNS database file released in May 2024.…
Keonne Rodriguez and William Lonergan Hill, founders of the cryptocurrency mixing service Samourai Wallet, were arrested and charged in April 2024, and their websites seized, for allegedly executing more than US$2 billion in unlawful transactions and laundering more than US$100 million in criminal proceeds. Are all traces of the illegal business gone from the DNS?…
Phishing remains a top threat. Google alone blocks around 100 million phishing emails daily, and phishers get extra help from phishing kits, ready-made cybercrime tools that let even newcomers launch attacks in a few simple steps.
Resecurity recently uncovered a phishing campaign targeting the customers of several European banks aided by the V3B Phishing Kit.…
Threat researcher Dancho Danchev recently uncovered 130 domains that seemingly belong to fake cryptocurrency sellers. The WhoisXML API research team sought to find potential connections to the threat by expanding the current list of indicators of compromise (IoCs) using our vast array of DNS intelligence sources.…
A new advanced persistent threat (APT) group dubbed “Unfading Sea Haze” has been training its sights on organizations based in countries surrounding the South China Sea. As it turns out, the group has been active since at least 2018 and has so far targeted eight known victims, mostly military and government entities, in support of Chinese interests.…
Check Point Research reported a Foxit PDF Reader vulnerability that threat actors have begun exploiting, putting the application’s users at risk. When exploited, the bug triggers security warnings that may deceive unsuspecting users into executing harmful commands.
To shed more light on the issue and uncover additional potential attack vectors, the WhoisXML API research team expanded a public list of indicators of compromise (IoCs).…
Cybercriminals can launch distributed denial-of-service (DDoS) attacks with relative ease these days by using DDoS booter services, online services that automate the DDoS attack process.
WhoisXML API threat researcher Dancho Danchev recently uncovered a list of the user information for a popular DDoS booter service, which our research team used to create a profile and expand to identify related artifacts.…