Infoblox Discovered DNS Threat Actors

Infoblox Threat Intel empowers security teams to identify and disrupt threat actors before they reach out.

Review Infoblox’s threat actor profiles to understand their motivations, tactics, and history. Access related news and threat research.

Vault Viper

Published: October 16, 2025

Vault Viper is a sophisticated threat actor linked to Southeast Asian organized crime. It deploys a custom browser to enable illegal online gambling, data exfiltration, and money laundering. Its vast DNS infrastructure supports global fraud.

Why is this special? This is our first report of a custom browser coupled with DNS infrastructure to enable cybercrime and threat distribution.

Detour Dog

Published: September 30, 2025

Detour Dog is a malicious adtech affiliate that uses DNS TXT records to conditionally redirect victims from tens of thousands of compromised websites or to fetch remote content for execution. Detour Dog has been an affiliate of Help TDS, Los Pollos, and Monetizer, and has partnered with Hive0145 to deliver Strela Stealer malware.

Why is this special? Detour Dog bridges TDSs and malware C2, operating a relay system that dynamically routes threats via DNS, a rare and stealthy technique.

Vane Viper

Published: September 16, 2025

Vane Viper is a malicious adtech ecosystem built around the Cyprus-based, Russian-nexus AdTech Holdings and its subsidiaries. They abuse push notifications for persistence and operate a TDS to direct traffic to a variety of malicious content.

Why is this special? This research maps out the individuals and organizations that comprise the extensive TDS and affiliate network that includes PropellerAds.

Hazy Hawk

Published: April 28, 2025

Hazy Hawk is a DNS-savvy threat actor that hijacks abandoned DNS CNAME records pointing to unused cloud resources at major national organizations. The actor hosts scam and malware URLs under these trusted subdomains, using TDSs and push-notification abuse to target victims.

Why is this special? This is the first reporting of an actor hijacking dangling CNAMEs that point to abandoned cloud resources.

Reckless Rabbit

Published: April 28, 2025

Reckless Rabbit is a sophisticated scam operator leveraging social media ads, fake celebrity endorsements, and localized (language-specific) landing pages to lure victims into investment fraud.

It uses RDGAs, wildcard DNS, and TDS-based cloaking to evade detection, scale rapidly, and redirect targets based on location or device, making it hard to trace or block effectively.

Ruthless Rabbit

Published: April 28, 2025

Ruthless Rabbit, active since late 2022, is a DNS-driven investment scam operation targeting Eastern Europe.

It uses Registered Domain Generation Algorithms (RDGAs) to pre-register thousands of scam domains, and wildcard DNS and cloaking services to filter out bots and funnel validated users to fake “profit platforms.”

Morphing Meerkat

Published: March 27, 2025

Morphing Meerkat operates a phishing-as-a-service (PhaaS) platform. This actor uses DNS MX records to identify the victim’s email service provider and dynamically serve fake login pages. Morphing Meerkat exploits compromised WordPress websites as well as open redirect vulnerabilities on adtech servers.

Hasty Hawk

Published: November 14, 2024

Hasty Hawk hijacks domains that have a lame name server delegation at an exploitable authoritative DNS provider, then uses them for phishing campaigns.

Why is this special? The actor hijacks lame domains via “Sitting Ducks” attacks and has run phishing campaigns spoofing DHL pages and fake donation sites.

Horrid Hawk

Published: November 14, 2024

A financially motivated threat actor that has been hijacking thousands of domains since at least February 2023 for investment fraud schemes. The hijacked domains are embedded in short-lived Facebook ads targeting users in more than 30 languages across multiple continents.

Why is this special? The domains are taken over using the “Sitting Ducks” attack vector and are used in every step of the actor’s campaigns.

Vigorish Viper

Published: July 22, 2024

A Chinese organized crime syndicate that designed and operates a technology suite forming a full cybercrime supply chain: software, Domain Name System (DNS) configurations, website hosting, payment mechanisms, mobile apps, and more.

Why is this special? This research connects numerous stories by journalists and human rights activists to a single organized crime network.

Muddling Meerkat

Published: April 29, 2024

A cunning actor that abuses open resolvers worldwide with MX queries and triggers China’s Great Firewall into unexplained behavior.

Why is this special? First documentation of DNS MX records being modified by the Great Firewall.

Savvy Seahorse

Published: February 28, 2024

A persistent investment fraud actor that leverages DNS CNAME records as a traffic distribution system (TDS) to control access to malicious content spread through Facebook ads.

Why is this special? First description of the use of DNS CNAME records by threat actors to control and direct content for users.

Prolific Puma

Published: October 31, 2023

A malicious link shortening service used by criminals to target consumers worldwide. This actor successfully evaded privacy controls for the .us TLD before being exposed by Infoblox.

Why is this special? First description of a malicious link shortener in the industry.

Loopy Lizard

Published: October 16, 2023

A phishing actor that steals credentials from consumers in Europe, the United States, and Australia using lookalike domains impersonating financial institutions and government tax agencies. Formerly known as Open Tangle.

Why is this special? This is the first reporting of a dedicated lookalike domain actor.

Decoy Dog

Published: July 25, 2023

A nation-state DNS C2 malware toolkit, confirmed to be an advanced variant of Pupy RAT. Russian security vendors later claimed Decoy Dog was used to disrupt Russian critical infrastructure.

Why is this special? First discovery and characterization of a C2 malware family solely from DNS.

VexTrio Viper

Published: June 6, 2022

The longest-running traffic distribution system (TDS) known in the industry, with the largest number of criminal affiliates, brokering traffic for others while delivering malicious campaigns of its own.

Why is this special? First identification of a large-scale TDS discovered through DNS and the use of a dictionary domain generation algorithm (DDGA).