Author Archives: Emin Baylarov
In this post, we build on Microsoft’s 2022 ACTINIUM intelligence report by using passive DNS analysis to uncover additional domains that align with the patterns identified in the original report. By analyzing domain attributes such as IP addresses, registration dates, and subdomain patterns, we aim to identify potential new ACTINIUM infrastructure that may have emerged […]
In this blog, we will identify 36 Latrodectus phishing domains through passive DNS analysis of a domain reported on Twitter/X. The initially reported domain uses 302 redirects to send users to either a malicious or a benign file. The URL in the 302 redirect Location is reused across numerous domains; we can leverage this information to identify additional […]
In this blog we will identify 6 malicious domains that are likely hosting MatanBuchus malware. We will identify these domains by pivoting on subdomains hardcoded in the TLS certificate of the initially shared domain. After pivoting on those subdomains, we will use registration dates and certificate providers to home in on our final results. […]
Threat actors are known to monitor public reports and adjust any infrastructure they believe may be exposed. As intelligence analysts, it’s essential to stay updated on these changes and refine intelligence queries as needed. In this blog, we’ll look at a case where the creators of the Vultur banking trojan seem to have modified their […]
Threat actors frequently use domain-based infrastructure to support and execute malicious operations. When setting up these new domains, they often leave behind identifiable patterns, which can help in creating signatures that link new infrastructure to previously known activity. Developing these signatures can be challenging, and public documentation on the process is limited. Today, we’ll examine […]
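The pivots described in the Latrodectus and MatanBuchus posts above (a redirect target reused across domains, subdomain labels hardcoded in certificate SANs, then narrowing by registration date and certificate issuer) are illustrated below as an added example. This is not code from the original posts or from the author; the records, domain names (all under the reserved `.example` TLD), the `GENERIC_LABELS` allowlist and the 30-day registration window are constructed assumptions chosen to show the method, not real observations.

```python
"""Pivot from a seed domain to related infrastructure using passive-DNS-style
records: shared 302 Location URL, shared hardcoded SAN labels, then refine by
registration date window and certificate issuer. All data here is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registered: date
    cert_issuer: str
    sans: tuple[str, ...]                 # subjectAltName hostnames on the cert
    redirect_location: Optional[str] = None  # Location header of a 302, if any


# Assumption: labels common to hosting defaults carry no pivot value.
GENERIC_LABELS = frozenset({"www", "mail", "ftp", "autodiscover"})

# Constructed sample data (not real domains or observations).
SEED = DomainRecord("seed.example", date(2024, 3, 4), "Let's Encrypt",
                    ("seed.example", "srv-01.seed.example", "panel-x.seed.example"),
                    "https://dl.example/setup.msi")
RECORDS = [
    SEED,
    # same redirect target and same hardcoded labels, registered a day later
    DomainRecord("a1.example", date(2024, 3, 5), "Let's Encrypt",
                 ("a1.example", "srv-01.a1.example", "panel-x.a1.example"),
                 "https://dl.example/setup.msi"),
    # no redirect seen yet, but same SAN labels, issuer and timeframe
    DomainRecord("b2.example", date(2024, 3, 6), "Let's Encrypt",
                 ("b2.example", "srv-01.b2.example", "panel-x.b2.example")),
    # same redirect target but registered over a year earlier
    DomainRecord("c3.example", date(2023, 1, 10), "Let's Encrypt",
                 ("c3.example", "srv-01.c3.example"), "https://dl.example/setup.msi"),
    # same SAN labels but a different certificate provider
    DomainRecord("d4.example", date(2024, 3, 7), "DigiCert",
                 ("d4.example", "srv-01.d4.example", "panel-x.d4.example")),
    # only generic labels: shares nothing distinctive with the seed
    DomainRecord("e5.example", date(2024, 3, 7), "Let's Encrypt",
                 ("e5.example", "www.e5.example", "mail.e5.example")),
]


def san_labels(rec: DomainRecord) -> set[str]:
    """Return the non-generic subdomain labels hardcoded in the cert SANs."""
    labels = set()
    for san in rec.sans:
        host = san.lstrip("*.")               # drop a wildcard prefix if present
        if host == rec.domain or not host.endswith("." + rec.domain):
            continue
        sub = host[: -len(rec.domain) - 1]    # e.g. "srv-01" from srv-01.seed.example
        if sub not in GENERIC_LABELS:
            labels.add(sub)
    return labels


def pivot_on_redirect(seed: DomainRecord, records: list[DomainRecord]) -> list[str]:
    """Domains whose 302 Location matches the seed's exactly."""
    if not seed.redirect_location:
        return []
    return sorted(r.domain for r in records
                  if r.domain != seed.domain and r.redirect_location == seed.redirect_location)


def pivot_on_san_labels(seed: DomainRecord, records: list[DomainRecord],
                        min_shared: int = 2) -> list[str]:
    """Domains whose certs reuse at least `min_shared` of the seed's SAN labels."""
    wanted = san_labels(seed)
    return sorted(r.domain for r in records
                  if r.domain != seed.domain and len(wanted & san_labels(r)) >= min_shared)


def refine(seed: DomainRecord, candidates: set[str], records: list[DomainRecord],
           window_days: int = 30) -> list[str]:
    """Keep candidates registered within +/- window_days of the seed with the same issuer."""
    by_name = {r.domain: r for r in records}
    lo = seed.registered - timedelta(days=window_days)
    hi = seed.registered + timedelta(days=window_days)
    return sorted(d for d in candidates
                  if lo <= by_name[d].registered <= hi
                  and by_name[d].cert_issuer == seed.cert_issuer)


def hunt(seed: DomainRecord, records: list[DomainRecord]) -> dict[str, list[str]]:
    """Run both pivots, union the hits, then apply the date/issuer filter."""
    redirect_hits = pivot_on_redirect(seed, records)
    san_hits = pivot_on_san_labels(seed, records)
    candidates = set(redirect_hits) | set(san_hits)
    return {"redirect": redirect_hits, "san": san_hits,
            "refined": refine(seed, candidates, records)}


if __name__ == "__main__":
    for stage, hits in hunt(SEED, RECORDS).items():
        print(f"{stage:>8}: {hits}")
```

The two pivots are deliberately unioned before filtering: a domain with no observed redirect (b2 above) is still caught by its certificate, while the date window and issuer check remove the stale redirect match (c3) and the different-provider lookalike (d4). In practice the window and the generic-label list are tuned per campaign from whatever the seed set actually shows.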