Infoblox Threat Intel

Revolver Rabbit

Revolver Rabbit is a DNS threat actor that created over 500,000 domains using a registered domain generation algorithm (RDGA) between February 2022 and July 2024. These domains were used as decoy and C2 domains for XLoader (aka FormBook), malware often used to steal user credentials. The domains cost an estimated $1M in registration fees, indicating that Revolver Rabbit’s cybercriminal activities are highly profitable. Infoblox has monitored the actor’s infrastructure since September 2023, detecting new domains as they emerge, but it took months to link the infrastructure directly to malware.

  • Operating since: At least February 2022
  • Infoblox discovered: March 2023
  • Infoblox published: July 2024
  • Prevalence: Uncommon

Threat actor resources

Press Release

Infoblox Threat Intel
July 17, 2024

Revolver Rabbit’s Million-Dollar Masquerade: Infoblox Uncovers The Hidden World of RDGAs

Santa Clara, Calif., July 17, 2024 — Infoblox Threat Intel today released a threat landscape study of the use of registered domain generation algorithms (RDGAs) by malicious actors.

Blog

James Barnett
July 17, 2024

RDGAs: The Next Chapter in Domain Generation Algorithms

Infoblox Threat Intel exposes registered DGAs (RDGAs), the novel DGAs used by threat actors like Revolver Rabbit to deliver XLoader, Hancitor, and other malware.

Research Report

Infoblox Threat Intel
July 17, 2024

REGISTERED DGAs: The Prolific New Menace No One Is Talking About

Registered domain generation algorithms (RDGAs) are a programmatic mechanism that allows threat actors to create many domain names at once, or over time, to register for use in their criminal infrastructure.
