
Infoblox Threat Intel
DNS All Day, Every Day
DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a high-powered scope to zero in on cyber threats.
What We Do
Infoblox is finding the threat actors hiding in your DNS
We are the leading creator of original DNS threat intelligence. We’re proactive, not just defensive, using our insights to track threat actor infrastructure and disrupt cybercrime where threat actors begin. We also believe in sharing knowledge to support the broader security community by publishing detailed research on select actors and associated indicators.
Recently Discovered Infoblox Threat Actors
Vault Viper
Published: October 16, 2025
Vault Viper is a sophisticated threat actor linked to Southeast Asian organized crime. It deploys a custom browser to enable illegal online gambling, data exfiltration, and money laundering. Its vast DNS infrastructure supports global fraud.
Why is this special? This is our first report of a custom browser coupled with DNS infrastructure to enable cybercrime and threat distribution.
Detour Dog
Published: September 30, 2025
Detour Dog is a malicious adtech affiliate that uses DNS TXT records to conditionally redirect victims from tens of thousands of compromised websites or to fetch remote content for execution. Detour Dog has partnered with Help TDS, Hive0145, and others to deliver scams and malware, including information stealers.
Why is this special? Detour Dog bridges traffic distribution and malware C2, operating a relay system that dynamically routes threats via DNS—a rare and stealthy technique.
Vane Viper
Published: September 16, 2025
Vane Viper is a malicious adtech ecosystem built around Cyprus-based, Russian-nexus AdTech Holdings and its subsidiaries. They abuse push notifications for persistence and operate a TDS to direct traffic into a variety of malicious content.
Why is this special? This research maps out the individuals and organizations that comprise the extensive TDS and affiliate network that includes PropellerAds.
How Infoblox creates original DNS threat intelligence
DNS Experts
We discover threat actors hiding in DNS because we know where to look. Starting with suspicious domains, we connect the dots and identify actor infrastructure, then track it as it evolves, identifying new domains as they emerge so customers are continually protected.
Threat Expertise
We know how malicious actors operate and how malware, phishing, and other threats manifest in DNS. We’ve used this knowledge to develop specialized systems to detect lookalike domains, DNS C2 malware, registered domain generation algorithms (RDGAs) and suspicious behavior.
Data Science
We use machine learning and data science to analyze very large volumes of DNS queries every day to provide near-real-time protection against data exfiltration, domain generation algorithms (DGAs), and a wide range of other threats.

Our threat intelligence powers our security products
Disrupt cybercrime pre-incident with intel designed for DNS
Infoblox Threat Defense™ uses Infoblox Threat Intel to identify and stop threats before the rest of the industry.
Infoblox Security Products
Infoblox Threat Defense
Cybersecurity Ecosystem
DNS Infrastructure Protection
About our Team
Eat. Sleep. DNS. Repeat.
What sets us apart? Two things: mad DNS skills and unparalleled visibility.
Featured articles
Krebs on Security | October 31, 2023
.US Harbors Prolific Malicious Link Shortening Service
Infoblox tracks a three-year-old link shortening service that caters to phishers and malware purveyors
TechRepublic | February 9, 2024
IT Pros Missing Mega-Threat From Organised Cyber Criminals
VexTrio threat actor delivers high volumes of malware to networks globally
Bleeping Computer | February 28, 2024
Savvy Seahorse Gang Uses DNS CNAME Records to Power Investor Scams
Savvy Seahorse directs Facebook users to fake investment platforms to steal personal data





