#threatintelligence


We've seen it before, but it bears highlighting again: current affairs always lead to a domain gold rush! The newly announced "America Party" has already triggered a wave of sketchy-looking domain registrations, many using the .party TLD. Several redirect to rawdiary[.]com, a five-month-old site hosting third-party articles from sources like OANN, Newsmax and Breitbart, as well as more moderate sources like the FT and the BBC. Others are parked. These domains aren't inherently malicious, but they're certainly opportunistic and built to look like news. Web content flips fast, so here's a snapshot of domains unlikely to have been registered for anything in good faith:

ameirca[.]party
amerca[.]party
amercia[.]party
americs[.]party
amerika[.]party
ameroca[.]party
ameruca[.]party
hyperamerica[.]party
theunitedstates[.]party
americanparty[.]pics
americanparty[.]vip
americaparty[.]ink
americaparty[.]town
theamericanparty[.]vip
americanparty[.]pro
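The misspelled ".party" names above are classic keyword near-misses. As an added example (not code from the original post), the following script scores a list of newly seen domains against a watched keyword using optimal-string-alignment edit distance, so that transpositions, deletions and single-character swaps like those listed are surfaced automatically; the sample list is constructed from the post plus two control names.

```python
# Added example (not from the original post): flag domains whose second-level
# label is a near-miss of a watched keyword, the way opportunistic
# registrations such as "ameirca[.]party" would be surfaced by a monitor.

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def classify(domain: str, keyword: str, max_distance: int = 1) -> str:
    """Return 'exact', 'lookalike', 'contains' or 'unrelated' for the
    second-level label of a defanged ([.]) or plain domain name."""
    label = domain.replace("[.]", ".").lower().split(".")[0]
    if label == keyword:
        return "exact"
    if damerau_levenshtein(label, keyword) <= max_distance:
        return "lookalike"
    if keyword in label:
        return "contains"
    return "unrelated"

# Constructed sample: defanged names from the post plus two control names.
SAMPLE = ["ameirca[.]party", "amerca[.]party", "amerika[.]party",
          "hyperamerica[.]party", "theunitedstates[.]party", "example[.]com"]

def triage(domains, keyword="america"):
    """Group domains by how their label relates to the watched keyword."""
    out = {}
    for d in domains:
        out.setdefault(classify(d, keyword), []).append(d)
    return out

if __name__ == "__main__":
    for kind, names in triage(SAMPLE).items():
        print(kind, names)
```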

Let us introduce "La Fnac". As some of you may already know, La Fnac is a French retailer, and like most large retailers, they want to sell the coolest things that everyone is talking about. That's why, in 2008, they launched their most innovative service yet: an online portal where you could download the latest must-have ringtone for your flip phone.

Of course, they didn't build that online portal themselves. They subcontracted that to another company, and to use their services, they set up a subdomain, 'sonneries-logos.fnac[.]com', on their corporate domain as a CNAME record that the subcontractor then managed.
You should know where this is going now. It seems clear that La Fnac forgot to remove this alias from their DNS after the service was retired. Surprisingly, they weren't alone! In 2017 (much later than we expected), when the CNAME record became dangling, there were 2 European tech companies that still had aliases pointed to it.

So, when that ringtone download service started seeing activity again in 2025, it wasn't because of a sudden nostalgic resurgence in late-noughties ringtones. Obviously, it was hijacked and used to redirect people to various fake survey scam webpages.

The longer a company exists, the more tech debt it accumulates, which in the case of DNS can mean greater susceptibility to domain hijacking via dangling DNS records. This is not something exclusive to small companies, or companies with smaller tech teams. We've seen this issue affecting large organisations too. If something as cool as downloading ringtones on your flip phone can be forgotten about, don't be surprised when in 20 years, attackers start leveraging the tech debt you are currently procrastinating over.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing #scam
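The forgotten alias above is the textbook dangling-CNAME case: the owner name still exists in the zone, but its target chain ends in a name nobody controls any more. As an added example (not code from the original post), the audit below walks each CNAME chain and flags those that terminate in NXDOMAIN, while also catching loops. It uses a constructed in-memory resolver and invented placeholder names in place of live DNS; in practice `resolve()` would be swapped for a real lookup.

```python
# Added example (not from the original post): audit a zone's CNAME owners and
# flag aliases whose chain ends in a name that no longer resolves, which is the
# condition that let the retired ringtone subdomain be hijacked.
# FAKE_DNS is a constructed stand-in for live DNS; all names are placeholders.
from typing import Dict, List, Optional, Tuple

# name -> (record type, value); None models NXDOMAIN.
FAKE_DNS: Dict[str, Optional[Tuple[str, str]]] = {
    "ringtones.example.com.":          ("CNAME", "portal.retired-vendor.example."),
    "portal.retired-vendor.example.":  None,            # vendor domain expired
    "shop.example.com.":               ("CNAME", "edge.cdn-vendor.example."),
    "edge.cdn-vendor.example.":        ("CNAME", "lb.cdn-vendor.example."),
    "lb.cdn-vendor.example.":          ("A", "192.0.2.10"),   # RFC 5737 test range
    "loop.example.com.":               ("CNAME", "loop2.example.com."),
    "loop2.example.com.":              ("CNAME", "loop.example.com."),
}

def resolve(name: str) -> Optional[Tuple[str, str]]:
    """Stand-in for a real lookup (e.g. dnspython); unknown names are NXDOMAIN."""
    return FAKE_DNS.get(name)

def follow_cname(name: str, max_hops: int = 8) -> dict:
    """Walk the CNAME chain from `name` and classify where it ends up."""
    chain: List[str] = [name]
    seen = {name}
    for _ in range(max_hops):
        rec = resolve(chain[-1])
        if rec is None:
            # The last name in the chain has no records: a hijackable target
            # if it is a registrable name an attacker could claim.
            return {"chain": chain, "status": "dangling"}
        rtype, value = rec
        if rtype != "CNAME":
            return {"chain": chain, "status": "resolves", "terminal": value}
        if value in seen:
            return {"chain": chain + [value], "status": "loop"}
        seen.add(value)
        chain.append(value)
    return {"chain": chain, "status": "too-long"}

def audit(zone_names: List[str]) -> Dict[str, str]:
    """Return owner name -> status for every CNAME owner to be checked."""
    return {n: follow_cname(n)["status"] for n in zone_names}

if __name__ == "__main__":
    owners = ["ringtones.example.com.", "shop.example.com.", "loop.example.com."]
    for owner, status in audit(owners).items():
        print(f"{owner:28} {status}")
```

A "dangling" result only means the target has no records; whether it is actually claimable depends on the target's registrar or hosting provider, so each hit still needs a human look before removal.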

Vacation time is also apparently a very productive time. Analysis time, again. Took 68 articles related to malware analysis, categorized the analyzed malware into primary purpose and then, yeah... the output is here:

cstromblad.com/posts/summary-m

The idea was to try and answer the bigger questions: what appears to be the primary driver behind malware development? What else might we learn?

Again I find these aggregate views and perspectives quite useful from a threat intelligence perspective and most certainly from a threat landscape perspective.

STRÖMBLAD · 30 Days of Malware Analysis - What trends can be observed?
What if you took the last 30 days of malware analysis performed by various firms and organizations, what would be the trends? What could we learn from the aggregate view of all this data? In this analysis I review 68 articles and attempt to categorize them all by what the primary purpose of the malware appears to be, along with a reference to the original research and a short summary of the analysis. All in all, a quite useful aggregate view providing a decent level of insights into the malware landscape.

I have updated my previously published analysis of Iranian cyber activity. The analysis is rooted in #OSINT and recently published articles about Iranian threat activity. The analysis is centered around victimology and techniques/capabilities.

I find it quite useful with clearly referenced sources to provide transparency towards where the "evidence" has been fetched from.

cstromblad.com/posts/iranian-t

Anything missing what you'd like to see included that would make it more "useful"?

STRÖMBLAD · Iranian Threat Actor Profile
This is an EXPERIMENTAL THREAT PROFILE for Iran using a meta analysis based on five open source articles related to Iranian threat actors. Would specific patterns emerge as part of the analysis, and would the final product be at all useful for threat intelligence purposes? Let me know what you think!

New guest post on THOR Collective Dispatch from @InfoSecSherpa:

Don’t Let Mis(s) Information Take the Crown 👑

Even threat hunters can get tripped up by polished propaganda.

This post shows how to apply the Intelligence Cycle to news, helping you filter bias, validate sources, and structure OSINT like a pro.

Read it: dispatch.thorcollective.com/p/

THOR Collective Dispatch · Don't Let Mis(s) Information Take the Crown
By Sherpa Intelligence

ICYMI: DomainTools Investigations released new research this week!

Skeleton Spider (aka FIN6) is leveraging trusted cloud services like AWS to deliver malware through fake job applications and resume-themed phishing campaigns.

🔍 Learn how this financially motivated group is:

🔹Exploiting cloud infrastructure to evade detection
🔹Using social engineering to lure victims
🔹Building resilient, scalable malware delivery systems

Read the full analysis here: dti.domaintools.com/skeleton-s

DomainTools Investigations | DTI · Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery
Discover how the FIN6 cybercrime group, also known as Skeleton Spider, leverages trusted cloud services like AWS to deliver stealthy malware through fake job applications and resume-themed phishing campaigns. Learn about their tactics, infrastructure, and how to defend against these evolving threats.

MISP 2.4.211 & 2.5.13 Released - A Double Dose of Security, Search, and Stability.

These releases are packed with critical security patches, a major overhaul of the search functionality, and a host of improvements and bug fixes to enhance your threat intelligence experience.

#opensource #threatintelligence #threatintel #cti

🔗 misp-project.org/2025/06/06/mi

MISP Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing · MISP 2.4.211 & 2.5.13 Released - A Double Dose of Security, Search, and Stability
MISP Threat Intelligence & Sharing

DomainTools Investigations’ (DTI) latest analysis uncovers a technically sophisticated malware campaign that uses fake CAPTCHAs and spoofed document verification pages (like Docusign) to trick users into self-infecting their machines with the NetSupport RAT.

Key tactics include:

🔹 Clipboard poisoning via fake CAPTCHA pages
🔹 Multi-stage PowerShell downloaders
🔹 Spoofed Gitcodes and Docusign domains
🔹 Infrastructure overlap with known threat groups like SocGholish, FIN7 and STORM-0408

Read the full breakdown including security recommendations here: dti.domaintools.com/how-threat

Selling your car? Scammers still have it 'VIN' for you!

We've recently seen a large cluster of domains hosting fake Vehicle Identification Number (VIN) lookup sites — and private car sellers are the target.

While this trick isn’t new, it still catches many off guard — especially first-time sellers. Here’s how it usually plays out:

- You list your car on platforms like AutoTrader, Craigslist, or Facebook Marketplace.
- You're contacted by a keen 'buyer', perhaps asking a few questions to build trust.
- The buyer then asks *you* to get a VIN report — but only from a site *they* provide.

Red flag: Legitimate buyers wanting to know a vehicle's history are to be expected - they may ask for the VIN to do this themselves - but insisting on a specific site is a classic scam move.

Here’s what happens next:

- You enter your VIN on the fake site - it teases you with basic info like make and model.
- To get the 'full report' you’re asked to pay $20–$40.
- At best, you're sent to a legitimate payment provider — but the money goes straight to the scammer.
- At worst, you've just entered your card details into a phishing site.

Got your report? Good luck contacting that buyer, they're 'Audi 5000' — long gone. As for the report, it's usually worthless — no odometer readings, no previous owners, no insurance history - and of no value to you or a legit buyer.

Unsurprisingly, 'VIN' features in their devious domain names, and at the time of writing we identified a large cluster using it with U.S. states and locations, for example:

- goldstatevin[.]com
- gulfstatevin[.]com
- kansasvin[.]com
- misissippivin[.]com
- utahvincheck[.]com

These have since gone offline, hopefully for good. They're not alone though: the following domains appear to target sellers in Australia and are currently active:

- proregocheck[.]com
- smartcheckvin[.]com
- smartvincheck[.]com
- vincheckzone[.]com

Tip: If a buyer wants a VIN report, let them sort it out — or use a trusted provider of your own. If they refuse? Tell 'em to hit the road!

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam

Martyn Williams (Stimson Center’s Korea Program and 38 North) and Nick Roy (Silent Push) presented an interesting talk at THOTCON 0xD on a misconfigured DPRK server and the data they found. Cool to see everything that goes into getting online in DPRK and the tools used to do so. They posted their THOTCON slide deck at silibank.com/thotcon, which Nick apparently purchased after the domain was allowed to expire by DPRK entities.

Their NK Tech Lab site is a new center for investigation and analysis into how North Korea uses technology to serve and suppress its citizens.

Nktechlab.org
Silibank.com/thotcon

#thotcon #dprk #cti

Eat, Sleep, Scam, Repeat?

Losing your life savings to a crypto scam is devastating — but for many victims, the nightmare doesn’t end there.

While recently investigating a network of fake cryptocurrency exchanges, we uncovered something even more twisted: a cluster of scam websites posing as law firms offering 'crypto recovery' services.

Yep, the very same scammers who stole the funds are now posing as lawyers, pretending to help victims recover what they lost… for a fee, of course.

Preying on victim hope and desperation, these scammers have been known to:
- Contact victims directly using details obtained during the original scam
- Advertise openly on social media
- Lurk in public forums, targeting those seeking help from the community

They use a mix of lookalike sites impersonating legit legal firms and entirely fake entities, often with stolen names and photos of legitimate legal professionals. Here are some recent examples of what we've encountered:

- Posing as 'Adam & Shawn Law Group'
  - adamshawnllp[.]com
  - adamshawnlaw[.]com
- Posing as 'Jefferson Caldwell International Law Firm'
  - jeffersoncaldwelllawgroup[.]com
- Posing as 'Schlueter & Associates'
  - schlueterlawfirm[.]it[.]com
- Posing as 'Zojz & Associates Legal Group'
  - zojz[.]com
  - zojz[.]cc

Not only do these domains share registration characteristics with fake crypto exchanges, but we've also observed site structures, content and design elements across fake law firms, crypto exchanges and task scam sites.

Aside from avoiding the initial scams, be cautious of any 'law firm' that:

- Sends unsolicited emails or DMs offering crypto recovery help
- Has a website with no verifiable legal credentials
- Pressures you to pay fees upfront, especially to a third-party entity or via crypto
- Uses vague or generic testimonials

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam