View From the Top<\/h3>\n
Infoblox analyzes over 70 billion DNS queries per day<\/strong> across 13,000 customers worldwide<\/strong>. A significant portion of these customers use our protective security platform, Infoblox Threat Defense\u2122<\/strong>.<\/p>\n Between August and November 2025, this preemptive security offering protected more than 12 million devices per day<\/strong> globally. On average, 648 million response policy zones (RPZs)<\/strong> were applied per day. RPZs act as a powerful defense mechanism\u2014blocking or redirecting DNS traffic tied to malware, phishing or command-and-control (C2) activity. <\/p>\n Between August and November 2025, over 7.6 million new threat-related domains<\/strong> were discovered\u2014a 20 percent increase<\/strong> compared to the previous quarter. More importantly, 85.4 percent of these domains were identified before any user interaction<\/strong>. <\/p>\n This 20 percent growth reflects both the expanding threat landscape and the increasing adoption of our preemptive security capabilities. <\/p>\n Threat actors rely on numerous techniques when generating domains to their advantage. Domain generation algorithms (DGAs) accounted for most of the activity, but we also observed extensive use of lookalike domains, traffic distribution systems (TDSs) and domains configured for tunneling traffic.<\/p>\n The Infoblox data science team detects in real time newly observed domains not seen across our customer base in the previous 60 days and flagged for high-risk activities such as malicious spam, phishing, lookalike characteristics, DNS tunneling and more.<\/p>\n The daily rate of discovered Zero-Day detections remained steady, averaging between 3,000 and 10,000 domains per day<\/strong>, and none of these domains persist longer than 72 hours<\/strong>. This rapid turnover demonstrates how easily threat actors can replenish and weaponize new infrastructure. For organizations beginning their journey with preemptive DNS security, Zero-Day DNS detections offer an excellent low-regret blocking opportunity<\/strong>\u2014they pose minimal risk of business disruption while significantly reducing exposure. <\/p>\n Infoblox identifies patterns and commonalities across suspicious or malicious domains. If sufficient evidence across a cluster is found, a threat actor name will be assigned. As of November 15, Infoblox Threat Intel identified more than 258,000 suspicious or malicious domain clusters and over 910 named actors. Three new threat actors were made public this quarter. The most impactful are Detour Dog2<\/sup> and Vault Viper.3<\/sup><\/p>\n Detour Dog compromised tens of thousands of websites globally using DNS-based malware. Their attacks operate server-side, meaning visitors see a normal website while the infected site secretly issues DNS queries that allow attackers to redirect visitors or deliver malware. The campaign shifted from simple redirect-to-scam tactics to full malware distribution but only to a very small percentage of victims visiting the infected websites.<\/p>\n Key DNS characteristics:<\/strong><\/p>\n Detour Dog\u2019s infrastructure is resilient and stealthy \u2014 even after takedown attempts, they recover quickly<\/strong>. In August 2025, attempts to sinkhole their C2 domain briefly interrupted operations, but Detour Dog restored control within hours; analysis of sinkhole traffic revealed ~30,000 infected hosts, with spikes to over 2 million DNS TXT requests in an hour.<\/p>\n Vault Viper represents a large-scale cybercrime operation intertwined with illegal gambling platforms and organized crime in Southeast Asia. What began as an investigation into gambling websites in Cambodia uncovered an extensive ecosystem tied to a major iGaming \u201cwhite-label\u201d provider.<\/p>\n At the center is the Universe Browser<\/strong>, promoted as a censorship-bypassing \u201cprivacy\u201d tool but functioning like malware: <\/p>\n The Windows installer employs anti-VM checks, code injection, persistence mechanisms and keylogging\u2014supporting credential theft and surveillance.<\/p>\n Vault Viper maintains tens of thousands of domains in its DNS infrastructure, enabling global resilience. Researchers used a distinct DNS signature to trace a sprawling network of companies, hosting providers, registrars and servers. The operation intersects with major organized-crime activities including money laundering, fraud, human trafficking and iGaming.<\/p>\n Vault Viper is not just a cyberthreat\u2014it is a convergence point for digital and traditional criminal enterprises.<\/p>\n While not tied directly to the above actors, ClickFix remains a persistent and high-impact threat. ClickFix is a social engineering technique, not a single campaign or actor. Its purpose is to push victims into a malicious \u201ccall to action,\u201d often through fake CAPTCHAs or interaction prompts. Because these elements seem familiar, users click without hesitation\u2014which is exactly what attackers want.<\/p>\n Figure 1. IoCs from Mastodon Channel (@InfobloxThreatIntel)4<\/sup><\/p>\n ClickFix is particularly dangerous because it is a living-off-the-land technique. Instead of introducing new binaries that endpoint detection and response (EDR) tools can easily detect, the threat actor abuses via ClickFix built-in system tools like MSHTA.<\/p>\n In a recent observed campaign, attackers leveraged the legitimate Windows tool MSHTA to execute commands. To their advantage, most open-source scanning tools (e.g., VirusTotal) did not flag associated domains as malicious and allowed them to continue their malicious operation. As a result, Fake CAPTCHA and ClickFix-style attacks are here to stay.<\/p>\n Cybercriminals take advantage of every opportunity to lure victims into their traps, and the holidays are no exception. Every holiday season Infoblox Threat Intel sees a wide range of criminal threats emerging, from fake shops to malware. Domains are registered to look like well-known brands, kits allow scammers to quickly build thousands of fake shops, links in email lead to malware downloads. Easy access to AI to build images and create compelling text content makes it even easier to run these campaigns at scale.<\/p>\n Use of AI Images in Spam Campaigns<\/strong><\/p>\n We\u2019re also seeing the use of AI images to bolster spam campaigns like using a legitimate email marketing firm and impersonating Amazon. The account has subsequently been suspended (target domains unobtainable).<\/p>\n This demonstrates the use of AI image generation, e.g., the use of the Amazon Smile logo but malformed text (see Figure 2).<\/p>\n Figure 2. Holiday lures<\/p>\n Another holiday theme frequently exploited by threat actors is travel<\/strong>. Those planning to get away over the holidays should stay vigilant for suspicious attachments. Recently, Infoblox Threat Intel has observed high volumes of booking-related phishing emails<\/strong> that prey on travel-minded users. <\/p>\nZero-Day DNS Detection<\/h3>\n
Threat Actors<\/h3>\n
Detour Dog: Powering Strela Stealer<\/h3>\n
\n
Vault Viper: High Stakes, Hidden Threats<\/h3>\n
\n
ClickFix: Tricking Users, Evading Endpoints<\/h3>\n
![\"Figure](\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/tis-the-season-image1.jpeg\")
<\/p>\nHoliday Lures and Seasonal Risks<\/h3>\n
![\"Figure](\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/tis-the-season-image2.jpeg\")
<\/p>\n