Threat Intelligence Resources
Blog
Infoblox Threat Intel
June 6, 2022
Executive Summary: VexTrio DDGA Domains Spread Adware, Spyware, and Scam Web Forms
Since February 2022, Infoblox’s Threat Intelligence Group has tracked malicious campaigns using dictionary domain generation algorithm (DDGA) domains to distribute scams and unwanted content.
Blog
Infoblox Threat Intel
June 6, 2022
VexTrio DDGA Domains Spread Adware, Spyware, and Scam Web Forms
The VexTrio DDGA is being used by malicious actors who take advantage of cheap, private domain registrations to create complex attack infrastructure that remains undetected for a long time.
Blog
Infoblox Threat Intel
February 1, 2023
Don’t Dial that Number! Distribution of Phishing Lookalikes through Fake Support Calls
The report highlights a tactic used to manipulate users, but was published nearly seven months after the campaign occurred.
Media Article
The Hacker News
March 5, 2023
A new DNS threat actor dubbed Savvy Seahorse is leveraging sophisticated techniques to entice targets into fake investment platforms and steal funds.
Blog
Infoblox Threat Intel
April 20, 2023
Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic
Infoblox analyzes over 70 billion DNS records each day, along with millions of domain-related records from other sources, to identify suspicious and malicious domains throughout the internet.
Media Article
Bleeping Computer
April 23, 2023
Decoy Dog malware toolkit found after analyzing 70 billion daily DNS queries
A new enterprise-targeting malware toolkit called ‘Decoy Dog’ has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity.
Report
Infoblox Threat Intel
April 24, 2023
A Deep3r Look at Lookal1ke Attacks
Threat actors have used visually similar domains to deceive users into visiting malicious websites since the advent of the internet.
Media Article
TechRepublic
May 2, 2023
Infoblox discovers rare Decoy Dog C2 exploit
Domain security firm Infoblox discovered a command-and-control exploit that, while extremely rare and complex, could be a warning growl from a new, as-yet anonymous state actor.
Media Article
Gestalt IT
May 11, 2023
Infoblox Uncovers Decoy Dog
Infoblox has released a threat report on a remote access trojan toolkit called “Decoy Dog” that utilized DNS command and control and went undetected for a year in various sectors across multiple regions.
Blog
Michael Zuckerman
May 19, 2023
Black Basta: Anatomy of the Attack
In the constantly evolving realm of cyber threats, new groups consistently arise, creating turmoil for organizations worldwide.
Blog
Infoblox Threat Intel
May 24, 2023
Infoblox Researchers Uncover Malicious Domains Hosting Cryptocurrency Scams
Infoblox security researchers have uncovered a group of malicious domains that are being used to host cryptocurrency scams, some of which have been associated with the hacking of YouTube channels.
Blog
Bob Hansmann
June 19, 2023
Deadly Combo: MFA & Lookalike Domains
In response to some important shifts in the threat landscape at the beginning of the year, Infoblox unveiled some innovative new capabilities at this year’s RSA conference in San Francisco.
Report
Infoblox Threat Intel
July 25, 2023
Decoy Dog is No Ordinary Pupy: Separating a Sly DNS Malware from the Pack
Decoy Dog is a malware toolkit discovered by Infoblox that uses the domain name system (DNS) to perform command and control (C2).
Blog
Infoblox Threat Intel
July 25, 2023
Decoy Dog is No Ordinary Pupy: Separating a Sly DNS Malware from the Pack
The article provides a brief overview of our conclusions. Get the full report, including our Decoy Dog YARA rule, here and read the original paper here.
Press Release
Infoblox Threat Intel
July 25, 2023
Decoy Dog is No Ordinary Pupy – Infoblox Reveals Shift in Malware Tactics After Initial Discovery
Infoblox discovers that open-source software Pupy is a smokescreen for the real capabilities of Decoy Dog – highlighting the critical need for DNS security
Blog
Infoblox Threat Intel
August 24, 2023
VexTrio Deploys DNS-based TDS Server
In early 2022, Infoblox detected a widespread attack involving compromised WordPress websites that conditionally redirect visitors to intermediary command and control (C2) and dictionary domain generation algorithm (DDGA) domains.
Webinar
Dr. Renée Burton
September 5, 2023
Decoy Dog is No Ordinary Pupy: Separating a Sly DNS Malware from the Pack
In April 2023, Infoblox disclosed the discovery of Decoy Dog, a malware toolkit that uses the domain name system (DNS) to perform command and control (C2).
Blog
Renée Burton
September 26, 2023
Introducing DNS Threat Actors
Everyone loves a good whodunit. As the story of the recent attacks on MGM International and Caesars Entertainment unfolded, major news outlets competed to attribute an attacker to the ransomware that shut down a large portion of MGM operations.
Blog
Infoblox Threat Intel
October 3, 2023
Lookalike Domain Attacks are on the Rise. Be on the Lookout for these Four Types.
Explore the rise of lookalike domain attacks and their potential threats.
Blog
Infoblox Threat Intel
October 5, 2023
RDGAs: The New Face of DGAs
Think you know what DGA means? Think Again. RDGAs are used to register tens of thousands of domains by DNS threat actors every day.
Blog
Infoblox Threat Intel
October 12, 2023
Open Tangle Creates a Phishing Net for Consumers
Recently we introduced the concept of DNS threat actors and promised a series of portfolios to share details of actors we track; this article is the first.
Blog
Renée Burton
October 17, 2023
Click Here to Talk to an Attacker: How Bad Guys are Undermining Trust in Multi-factor Authentication (MFA)
Discover the rising threat of MFA lookalike domains and how they are exploited for account takeovers. Learn how the new Rapid Domain Triage capability can protect you!
Media Article
BetaNews
6 months ago
Prolific Puma protects pernicious phishing plotters
We’re all familiar with link shortening services, those handy tools that allow you to shrink URLs down to a manageable size to make them easier to share.
Solution Note
Infoblox
October 31, 2023
DNS-Based Threat Hunting for Unveiling Threats Early Before They Strike
The scope of DNS is enormous. There are now 1589 top level domains, and 200,000 new domains are created every day.
Blog
Infoblox Threat Intel
October 31, 2023
Prolific Puma: Shadowy Link Shortening Service Enables Cybercrime
Learn how a link shortening service that supports cybercrime remained undetected for years and was discovered via Domain Name Service (DNS) analytics.
Media Article
Krebs on Security
October 31, 2023
.US Harbors Prolific Malicious Link Shortening Service
Researchers at Infoblox say they’ve been tracking what appears to be a three-year-old link shortening service that is catering to phishers and malware purveyors.
Webinar
Brent Eskridge
December 13, 2023
SMS Cybercrime: a DNS Perspective
As email protection has increased, criminals have moved to attack users through SMS and other text messaging services.
Blog
Infoblox Threat Intel
December 21, 2023
Infoblox discovers rare Decoy Dog C2 exploit
Learn how multiple DNS threat actors and their infrastructures were found, revealing over 7,000 USPS-themed phishing domains.
Blog
Infoblox Threat Intel
January 23, 2024
Cybercrime Central: VexTrio Operates Massive Criminal Affiliate Program
DNS threat actor VexTrio runs a large-scale criminal affiliate program including ClearFake and SocGholish actors.
Media Article
Dark Reading
January 23, 2024
'VexTrio' TDS: The Biggest Cybercrime Operation on the Web?
The traffic distribution system supports tens of thousands of malicious domains and cyberattack campaigns that reach far and wide globally.
Webinar
Dr. Renée Burton
February 7, 2024
Traffic Distribution Systems at the Heart of Cybercrime
In mainstream media, cybercriminals are often portrayed as exotic figures that employ dark arts of computer programming to disrupt social order.
Media Article
TechRepublic
February 9, 2024
Infoblox says IT Pros Are Missing This Mega-Threat From Organised Global Cyber Criminals
Cyber security threat actor VexTrio is flying under the radar for most APAC region cyber security professionals because it is a web traffic distribution middle man rather than an endpoint source of malware.
Solution Note
Infoblox
February 13, 2024
SOC Insights
Apply AI-driven analytics to turn vast amounts of event, network, ecosystem, and DNS intelligence data into actionable insights to elevate SecOps efficiency.
Blog
Infoblox Threat Intel
February 20, 2024
Ivanti Connect Secure VPN Exploitation – Correctly Interpreting DNS IoCs
Domains in a list of IoCs such as the ones found in recent articles about attacks involving Ivanti 0-days are a valuable product of incident response, but they can’t simply be added to a blocklist.
Report
Infoblox Threat Intel
February 28, 2024
Beware the Shallow Waters: Savvy Seahorse Lures Victims to Fake Investment Platforms Through Facebook Ads
A persistent investment fraud actor who leverages DNS CNAME records as a traffic distribution system (TDS) to control access to their malicious content spread through Facebook ads.
Blog
Infoblox Threat Intel
February 28, 2024
Beware the Shallow Waters: Savvy Seahorse Lures Victims to Fake Investment Platforms Through Facebook Ads
Learn how the threat actor Savvy Seahorse uses Facebook ads to lure users to fake investment platforms and leverages DNS to allow their attacks to persist for years.
Media Article
Bleeping Computer
February 28, 2024
Savvy Seahorse gang uses DNS CNAME records to power investor scams
A threat actor named Savvy Seahorse is abusing Domain Name System (DNS) CNAME records to create a traffic distribution system that powers financial scam campaigns.
Solution Note
Infoblox
April 26, 2024
Infoblox Threat Intel
Uplift the entire security stack by optimizing your custom blend of threat intelligence.
Solution Note
Infoblox
April 26, 2024
Threat Insight
Real Time Inspection of Enterprise Network DNS Traffic to Detect Unknown Threats.
Press Release
Infoblox Threat Intel
April 29, 2024
Muddling Meerkat Press Release
Santa Clara, Calif., April 29, 2024 — Infoblox Inc., a leader in cloud networking and security services, today announced that its threat intel researchers,…
Report
Infoblox Threat Intel
April 29, 2024
Muddling Meerkat Report
Sometimes there are threats we can observe but not fully understand. This might be doubly true when the evidence comes from Domain Name System (DNS) logs.
Blog
Dr. Renée Burton
April 29, 2024
Muddling Meerkat Blog Post
This paper introduces a perplexing actor, Muddling Meerkat, who appears to be a People’s Republic of China (PRC) nation state actor.