Going to RSA? We’re giving a 2-hour hands-on learning lab on traffic distribution systems (TDS). Malicious actors use these to hide their activity from security teams and deliver tailored content to victims.
Not going to RSA? We’ve written a number of articles on this topic (some included below) and we’re happy to answer questions about TDSs here on Mastodon.
https://blogs.infoblox.com/threat-intelligence/from-click-to-chaos-bouncing-around-in-malicious-traffic-distribution-systems/
https://www.infoblox.com/resources/webinars/dns-threat-briefing-q1-2025/
https://www.infoblox.com/resources/webinars/traffic-distribution-systems-at-the-heart-of-cybercrime/
https://www.infoblox.com/resources/webinars/the-big-ruse/
#dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #RSAC #RSAC25
We recently sat down with our Director of #ThreatIntel to talk about her role at Quad9 and what she enjoys about her work.
https://www.quad9.net/news/blog/staff-highlight-emilia-cebrat-maslowski
Parked domains are used in all sorts of interesting ways. Recently we saw a set used in the sender addresses of spam delivering Formbook malware. The emails are disguised as salary updates, purchase orders, fines, and vendor enrollments. The sender addresses typically appear to be from HR or some other official group associated with the subject.
The domains associated with these formbook campaigns are lookalikes, designed to impersonate legitimate brands in an attempt to dupe the victim. Some examples of the brands we have seen lookalikes for include Blue-Maritime and Vanity Case Group.
The spam itself appears to run through actor-controlled relays (SPF failures, etc.) and originate in AS203557 (Dataclub / Latvia). We see the same actor delivering Formbook via various campaigns for over a year, targeting users from different regions, including the Middle East, India, and the United States.
Because the domains are parked, it is hard to confirm whether the spam actor controls them or is just digging around parking lots.
Fun fact: Formbook malware is known to use parked domains for decoy C2 URLs as well.
IOCs: blu-maritlme[.]com, thevenitycase[.]com
Example filename: Gross Misconduct.rar
Sha256: 09590f63531e7e5d7b8e86a55e1e3014cc86c99694c94a29c95215acac227c89
#dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #malware #formbook #spam
The #DNS root does not follow Trump, it publishes a diversity report: https://root-servers.org/media/news/2025-External_Diversity_Report.pdf
(Yes, it's diversity of software/hardware, not of humans.)
Scattered Spider: Still Hunting for Victims in 2025
Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push researchers have identified five unique phishing kits used by Scattered Spider since 2023, with some undergoing updates. A new version of Spectre RAT has been discovered, along with the acquisition of a domain previously owned by Twitter/X. Despite arrests of several members in 2024, Scattered Spider has adapted its tactics, including the use of dynamic DNS providers and updated phishing kits. The group continues to employ sophisticated social engineering attacks to obtain credentials and multi-factor authentication tokens.
Pulse ID: 67f62708c6faf0ab4e24f6d4
Pulse Link: https://otx.alienvault.com/pulse/67f62708c6faf0ab4e24f6d4
Pulse Author: AlienVault
Created: 2025-04-09 07:51:36
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
libdns: universal DNS provider client APIs for Go; manage DNS records uniformly across 77 different DNS providers
https://github.com/orgs/libdns/repositories?type=all&q=sort%3Aname-asc
Online gambling operators are sponsoring charities?? If only :(
We've identified a malicious gambling affiliate whose specialty is to buy expired domain names which used to belong to charities or reputable organisations.
Once they own a domain, they host a website impersonating its previous owner, where they claim to "deeply appreciate the support from [their] sponsors", which, surprise surprise, all turn out to be dubious online gambling companies.
Because the domain they are taking over is often abandoned or managed by non-technical people, its previous owner often doesn't notify anyone that they've lost control of their website, so it continues being referenced in genuine content, and it continues getting traffic from old links scattered throughout the internet.
teampiersma[.]org (screenshots below)
americankayak[.]org
getelevateapp[.]com
hotshotsarena[.]com
nehilp[.]org
questionner-le-numerique[.]org
sip-events[.]co[.]uk
studentlendinganalytics[.]com
thegallatincountynews[.]com
Comparison content:
2018: https://web.archive.org/web/20180119043432/https://teampiersma.org/
2025: https://web.archive.org/web/20250401092253/https://teampiersma.org/
We've seen a high level of events being blocked in #Venezuela recently, including a domain belonging to the #Omnatour #Malvertising Network, which we wrote about last month: https://www.quad9.net/news/blog/trends-h2-2024-cyber-insights
Would love to hear from the community on what you might be seeing.
“The UK’s proposed measures for court orders to suspend IP addresses and domain names” | …the UK wants to globally censor or take down IP addresses & DNS domains
https://alecmuffett.com/article/113152
#NeilBrown #censorship #dns
It's been a long time in the works, but now you can try out Fast Reload in our recursive #DNS resolver Unbound 1.23rc1. This feature allows the server to read the new config in a thread and, when done, only briefly pause the server to update the settings.
https://lists.nlnetlabs.nl/pipermail/unbound-users/2025-April/008518.html
@truls46 I know that page already; I didn't want to drag the toot out endlessly
#unplugtrump #datenschutz #dns #kuketzblog #dnsfilter #sicherheit
Thank you @nlnetlabs for this great software.
Fast Flux: Enabling Robust Malware, C2 and Phishing Networks
“Fast flux” is a technique that has been recently used by threat actors to obfuscate the locations of malicious servers through rapidly changing Domain Name System (DNS) records associated with a single domain name and establish robust C2 infrastructure capable of surviving attempts to dismantle it. Fast
Pulse ID: 67f42761b4cf9e873fd49513
Pulse Link: https://otx.alienvault.com/pulse/67f42761b4cf9e873fd49513
Pulse Author: cryptocti
Created: 2025-04-07 19:28:33
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
2/2 I have enabled DNS over TLS on my router (Fritzbox) and use dnsforge.de. All devices on the LAN/WLAN use this DNS. Performance is great, and depending on the configuration and DNS provider, trackers and ads stay where they are.
@kuketzblog
@adminforge
#unplugtrump #datenschutz #dns
Is the sky fluxxing?! Last week a CISA advisory on DNS Fast Flux created a lot of buzz. We have an insider's take.
Fast Flux is a nearly 20-year-old technique and is essentially the malicious use of dynamic DNS. It is critical that protective DNS services understand this -- and all other DNS techniques -- on that we agree.
What we also know as experts in DNS is that there are many ways to skin a cat, as they say.
#dns #threatintel #cisa #malware #phishing #threatintelligence #infobloxthreatintel #infoblox #cybercrime #cybersecurity #infosec
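The CISA pulse above describes fast flux as rapidly changing DNS records behind one name; the Infoblox post adds that it is, in essence, dynamic DNS put to malicious use, and that there are many ways to do the same thing. One way a defender turns that description into a check is to score passive-DNS observations per domain for IP churn, TTL and network spread. The code below is an added example, not code from the original posts, CISA or Infoblox; the log line format, the sample lines (RFC 5737 documentation addresses) and the thresholds are all assumptions constructed for this example. The CDN-like sample domain is there on purpose: it also has a short TTL, so TTL alone would misfire, which is why the verdict combines three features.

```python
"""Heuristic fast-flux scoring over passive-DNS style observations.

Added example, not code from the original posts, CISA or Infoblox. The log
format is constructed for this example:
    "<unix_ts> <domain> A <ipv4> ttl=<seconds>"
Real passive-DNS feeds differ; adapt parse_line() accordingly.
"""
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample data (not real IoCs): one name rotating through many IPs
# with a tiny TTL, one CDN-like name with two stable IPs and a short TTL, and
# one ordinary name with a long TTL.
SAMPLE_LOG = """\
1744000000 flux.example A 203.0.113.10 ttl=60
1744000180 flux.example A 198.51.100.77 ttl=60
1744000360 flux.example A 192.0.2.9 ttl=60
1744000540 flux.example A 203.0.113.200 ttl=60
1744000720 flux.example A 198.51.100.5 ttl=60
1744000900 flux.example A 192.0.2.140 ttl=60
1744000000 cdn.example A 203.0.113.50 ttl=300
1744000600 cdn.example A 203.0.113.51 ttl=300
1744001200 cdn.example A 203.0.113.50 ttl=300
1744000000 static.example A 198.51.100.1 ttl=86400
1744003600 static.example A 198.51.100.1 ttl=86400
"""

# Thresholds are assumptions for this example, not published guidance.
MIN_DISTINCT_IPS = 5   # many different A records seen for one name
MAX_TTL = 300          # short TTLs force clients to re-resolve quickly
MIN_PREFIXES = 3       # IPs spread across unrelated /16s (stand-in for many hosts/ASNs)


def parse_line(line):
    """Parse one constructed passive-DNS line into (ts, name, ip, ttl)."""
    ts, name, rtype, ip, ttl = line.split()
    if rtype != "A" or not ttl.startswith("ttl="):
        raise ValueError(f"unexpected record: {line!r}")
    return int(ts), name.lower().rstrip("."), IPv4Address(ip), int(ttl[4:])


def aggregate(log_text):
    """Group observations per domain: distinct IPs, /16 buckets, TTLs, timestamps."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": [], "times": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, name, ip, ttl = parse_line(raw)
        s = stats[name]
        s["ips"].add(ip)
        # /16 bucket: crude proxy for "different networks" when no ASN data is at hand
        s["prefixes"].add(str(ip).rsplit(".", 2)[0])
        s["ttls"].append(ttl)
        s["times"].append(ts)
    return stats


def score_domain(s):
    """Return feature values plus a boolean verdict for one domain's stats."""
    span_h = (max(s["times"]) - min(s["times"])) / 3600 or 1.0  # single hit: treat as 1 h
    distinct_ips = len(s["ips"])
    features = {
        "distinct_ips": distinct_ips,
        "prefixes": len(s["prefixes"]),
        "min_ttl": min(s["ttls"]),
        "ips_per_hour": round(distinct_ips / span_h, 2),
    }
    # All three must hold: churn alone (CDNs) or low TTL alone (dynamic DNS) is not enough.
    features["fast_flux_like"] = (
        distinct_ips >= MIN_DISTINCT_IPS
        and features["min_ttl"] <= MAX_TTL
        and features["prefixes"] >= MIN_PREFIXES
    )
    return features


def find_flux_candidates(log_text):
    """Score every domain in the log; return {domain: features}."""
    return {name: score_domain(s) for name, s in aggregate(log_text).items()}


if __name__ == "__main__":
    for name, f in sorted(find_flux_candidates(SAMPLE_LOG).items()):
        print(f"{name:16} {'FLUX?' if f['fast_flux_like'] else 'ok':6} {f}")
```

On the sample, only flux.example trips all three conditions (6 IPs across 3 prefixes at 24 new IPs per hour, TTL 60); cdn.example shares the short TTL but has two IPs in one prefix, and static.example has one IP with a day-long TTL. In practice the /16 bucket should be replaced with ASN lookups and the thresholds tuned against a baseline of known-good names such as CDNs and legitimate dynamic DNS hosts.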
@bortzmeyer
Stub sends the query to an authoritative #dns server (no recursion allowed)
Forward -> open bar!
I've never managed to remember the difference between stub and forward; I have to look at the docs every time.
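The stub/forward distinction in the replies above, written out as an Unbound configuration fragment. This is an added example, not from the thread or from NLnet Labs' documentation; the zone name and server addresses are constructed placeholders (RFC 5737 documentation ranges).

```conf
# stub-zone: Unbound itself does the work. It sends non-recursive queries
# (recursion-desired bit clear) straight to the listed server, which only
# has to be authoritative for the zone; nothing else is delegated to it.
stub-zone:
    name: "corp.example"
    stub-addr: 192.0.2.53

# forward-zone: Unbound hands the whole query to another recursive resolver
# with recursion desired set and trusts whatever it returns, including
# answers for any name under the zone (here: everything).
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
```

The practical consequence is the one the reply hints at: a stub target only needs to serve one zone and is never asked to recurse, while a forward target resolves on the resolver's behalf for the whole name space it is configured for, so the trust placed in it is much broader.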