Threats Tagged 'infrastructure-analysis'

A multi-domain traffic distribution system (TDS) operation was discovered, centered around the domain toxicsnake-wifes.com. The infrastructure serves as a commodity cybercrime TDS farm, routing victims to phishing, scams, or malware payloads. The operation uses a first-stage JavaScript loader, followed by a second-stage that attempts to fetch upstream payloads. The cluster shares common WHOIS, DNS, and hosting patterns, indicative of bulletproof VPS usage. Multiple burner domains with similar tradecraft were identified, suggesting an organized operator cluster. The infrastructure employs obfuscation, dynamic remote injection, and disposable registration techniques. While the main payload was unreachable during analysis, historical evidence suggests the delivery of malicious content.

MediumCampaignGermanyFranceUnited Kingdom+5#cybercrime#obfuscation#javascript

A sophisticated phishing campaign impersonating U.S.state Departments of Motor Vehicles emerged in May 2025, using SMS phishing and deceptive websites to harvest personal and financial data. Victims received messages about unpaid toll violations, directing them to fake DMV sites requesting extensive information. Technical analysis revealed shared infrastructure, consistent domain naming, and indicators of a China-based threat actor. The campaign used spoofed SMS numbers, often from the Philippines, and email addresses from obscure domains. Phishing websites followed a pattern using state IDs and specific TLDs. Infrastructure analysis showed connections to known malicious IP addresses and Chinese DNS providers. The campaign's widespread impact prompted alerts from multiple states and federal authorities.

MediumCampaignUnited KingdomGermanyFrance+3#infrastructure-analysis#data-harvesting#smishing