
Infoblox Discovered DNS Threat Actors

Infoblox Threat Intel empowers security teams to identify and disrupt threat actors before they reach out.

Review Infoblox’s threat actor profiles to understand their motivations, tactics, and history. Access related news and threat research.

Horrid Hawk

Published: November 14, 2024

A financially motivated threat actor has been hijacking thousands of domains since at least February 2023 for investment fraud schemes. These hijacked domains are embedded in short-lived Facebook ads targeting users in more than 30 languages across multiple continents.

Why is this special? The hijacked domains are taken over using the ‘Sitting Ducks’ attack vector and are utilized in every step of the actors’ campaigns.

Vigorish Viper

Published: July 22, 2024

A Chinese organized crime syndicate that designed and operates a technology suite forming a full cybercrime supply chain, composed of software, Domain Name System (DNS) configurations, website hosting, payment mechanisms, mobile apps, and more.

Why is this special? This research connects numerous stories by journalists and human rights activists to a single organized crime network.

Revolver Rabbit

Published: July 17, 2024

A DNS actor using an advanced algorithm to create hundreds of thousands of domains for use in advertising campaigns.

Why is this special? Revolver Rabbit’s RDGA is prolific, varied, and exemplifies the challenge in discovering and determining the nature of networks designed to obscure actor operations.

Muddling Meerkat

Published: April 29, 2024

A cunning actor abusing open resolvers worldwide with MX records and triggering China’s Great Firewall to act mysteriously.

Why is this special? First documentation of modified DNS MX records by the Great Firewall.

Savvy Seahorse

Published: February 28, 2024

A persistent investment fraud actor who leverages DNS CNAME records as a traffic distribution system (TDS) to control access to their malicious content spread through Facebook ads.

Why is this special? First description of the use of DNS CNAME records by threat actors to control and direct content for users.

Prolific Puma

Published: October 31, 2023

A malicious link shortening service used by criminals to target consumers worldwide. This actor successfully overcame privacy controls for the usTLD before being exposed by Infoblox.

Why is this special? First description of a malicious link shortener in the industry.

Loopy Lizard

Published: October 16, 2023

A phishing actor that steals credentials from consumers in Europe, the United States, and Australia using lookalike domains to financial institutions and government tax agencies. Formerly known as Open Tangle.

Why is this special? This is the first reporting of a dedicated lookalike domain actor.

Decoy Dog

Published: July 25, 2023

A nation-state DNS C2 malware toolkit, confirmed to be an advanced variant of Pupy RAT. Russian security vendors later claimed Decoy Dog was used to disrupt Russian critical infrastructure.

Why is this special? First discovery and characterization of a C2 malware solely from DNS.

VexTrio Viper

Published: June 6, 2022

The longest running traffic distribution system (TDS) known in the industry with the largest number of criminal affiliates, brokering traffic for others while delivering malicious campaigns of their own.

Why is this special? First identification of a large-scale TDS discovered through DNS and the use of a dictionary domain generation algorithm (DDGA).