Skip to content
Return to Infoblox Homepage

Infoblox Threat Intel

DNS All Day, Every Day

DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a high-powered scope to zero in on cyber threats.

What We Do

of threats detected before the first DNS query
of protection on average before an attack
false positive rate
new indicators added per month
DNS events analyzed daily

Infoblox is finding the threat actors hiding in your DNS

We are the leading creator of original DNS threat intelligence. We’re proactive, not just defensive, using our insights to track threat actor infrastructure and disrupt cybercrime where threat actors begin. We also believe in sharing knowledge to support the broader security community by publishing detailed research on select actors and associated indicators.


Muddling Meerkat: The Great Firewall Manipulator

Threat actors discovered by Infoblox



Published: June 6, 2022

The longest running traffic distribution system (TDS) known in the industry with the largest number of criminal affiliates, brokering traffic for others while delivering malicious campaigns of their own.

Why is this special? First identification of a large-scale TDS discovered through DNS and the use of a dictionary domain generation algorithm (DDGA).


Published: July 25, 2023

A nation state DNS C2 malware toolkit. Confirmed to be an advanced variant of Pupy RAT, Russian security vendors later claimed Decoy Dog was used to disrupt Russian critical infrastructure.

Why is this special? First discovery and characterization of a C2 malware solely from DNS.


Published: October 16, 2023

A phishing actor that steals credentials from consumers in Europe, the United States, and Australia using lookalike domains to financial institutions and government tax agencies. Formerly known as Open Tangle.

Why is this special? This is the first reporting of a dedicated lookalike domain actor.


Published: October 31, 2023

A malicious link shortening service used by criminals to target consumers worldwide. This actor successfully overcame privacy controls for the usTLD before being exposed by Infoblox.

Why is this special? First description of a malicious link shortener in the industry.



Published: February 28, 2024

A persistent investment fraud actor who leverages DNS CNAME records as a traffic distribution system (TDS) to control access to their malicious content spread through Facebook ads.

Why is this special? First description of the use of DNS CNAME records by threat actors to control and direct content for users.


Published: April 29, 2024

A cunning actor abusing open resolvers worldwide with MX records and triggering China’s Great Firewall to act mysteriously.

Why is this special? First documentation of modified DNS MX records by the Great Firewall.

How Infoblox creates original DNS threat intelligence

DNS Experts

We discover threat actors hiding in DNS because we know where to look. Starting with suspicious domains, we connect the dots and identify actor infrastructure, then begin tracking it as it evolves. Identifying new domains as they emerge so customers are continually protected.

Threat Expertise

We know how malicious actors operate and how malware, phishing, and other threats manifest in DNS. We’ve used this knowledge to develop specialized systems to detect lookalike domains, DNS C2 malware, registered domain generation algorithms (RDGAs) and suspicious behavior.

Data Science

We use machine learning and data science to analyze very large volumes of DNS queries every day to provide near-real time protection against data exfiltration, domain generation algorithms (DGAs), and a wide range of other threats.

Our threat intelligence powers
our security products

Disrupt cybercrime pre-incident with intel designed for DNS

BloxOne Threat Defense uses Infoblox Threat Intel to identify and stop threats before the rest of the industry.


About our Team
Eat. Sleep. DNS. Repeat.

What sets us apart? Two things: mad DNS skills and unparalleled visibility.

Featured articles

Krebs on Security  |  October 31, 2023

.US Harbors Prolific Malicious Link Shortening Service

Infoblox tracks a three-year-old link shortening service that caters to phishers and malware purveyors

TechRepublic  |  February 9, 2024

IT Pros Missing Mega-Threat From Organised Cyber Criminals

VexTrio threat actor delivers high volumes of malware to networks globally

Bleeping Computer  |  February 28, 2024

Savvy Seahorse Gang Uses DNS CNAME Records to Power Investor Scams

Savvy seahorse directs Facebook users to fake investment platforms to steal personal data

Threat intelligence resources

Our team of DNS threat intelligence experts believe in sharing knowledge to support the broader security community. Please explore our resources and articles below.

Back To Top