
A DNS Examination of the Phishing Campaign Targeting Japanese Brokerage Firms

Yahoo! News Japan reported cases where securities accounts were hijacked so cybercriminals could sell stocks without their rightful owners’ permission. More than 3,500 fraudulent transactions have already been recorded from January to April 2025 alone, amounting to stock owner losses of ¥300+ billion.

A report on the tool that could have been used to phish the Japanese stock owners publicized seven domains as indicators of compromise (IoCs). We used this data, among others from various reports on similar phishing campaigns, to identify more connected artifacts and other pertinent information.

Our in-depth analysis using our expansive repositories of domain and DNS intelligence led to the discovery of:

  • 36 registrant-connected domains
  • 7,437 email-connected domains, 267 of which were malicious
  • Seven string-connected domains
  • 609 look-alike domains found using a similar domain algorithm covering 11 April - 22 May 2025
  • 47,232 look-alike domains found on First Watch covering January 2024 - May 2025

A sample of the additional artifacts obtained from our analysis is available for download from our website.

1. Searching for Phishing Kit Connections

We began our search for web properties connected to the phishing kit by querying the seven domains earlier identified as IoCs on Bulk WHOIS API, which revealed that:

  • They were created between 2024 and 2025, making them all relatively newly registered when they were weaponized for attacks.
  • They were administered by three registrars led by Alibaba and Gname.com, which accounted for three domains each.
  • While three of them did not have registrant countries on record, the remaining four domains were registered in three countries—two in China and one each in Albania and the U.S.

We then queried the seven domains identified as IoCs on DNS Chronicle API and found that four of them had a combined 198 domain-to-IP resolutions over time. The domain evrryday[.]com alone accounted for 166 resolutions since 28 April 2017.

Next, we took a closer look at the current WHOIS records of the seven domains identified as IoCs and discovered that two—uhlkg[.]cn and zjkso[.]cn—had the same registrant name. Using this data point as a search term for Reverse WHOIS API, we uncovered 36 registrant-connected domains after filtering out duplicates and those already tagged as IoCs.

After that, we queried the seven domains identified as IoCs on WHOIS History API, which showed that three had email addresses in their historical WHOIS records. We unearthed 10 email addresses in all and upon further scrutiny determined that six were public email addresses.

We queried the six public email addresses on Reverse WHOIS API and discovered that five appeared in the historical WHOIS records of 7,437 email-connected domains. While the remaining public email address also had connections, it could belong to a domainer since it had more than 10,000 connected domains.

A Threat Intelligence API query for the 7,437 email-connected domains revealed that 267 have already figured in various attacks. Take a look at five examples below.

Malicious Email-Connected Domain    Associated Threats
015441[.]cn                         Phishing
abivh[.]cn                          Phishing
b1wiv[.]cn                          Phishing
c4ujvs0b[.]cn                       Phishing
dcvlp[.]cn                          Phishing

Next, we looked more closely at the seven domains identified as IoCs and determined that they started with seven unique text strings. Only four of the strings, however, appeared in other domains based on our Domains & Subdomains Discovery searches. See the list below.

  • etcady.
  • evrryday.
  • uhlkg.
  • zjkso.

Specifically, we uncovered seven string-connected domains.

All in all, we unearthed 7,480 connected domains, 267 of which have already been weaponized for attacks.
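The string-connected pivot described in this section (take the leading text string of each IoC, search for other domains and subdomains whose leftmost label is that string, then drop the IoCs themselves and any duplicates) can be reproduced offline on a candidate list. The following Python is an added example and not WhoisXML API's own code or tooling; the four search strings and the three named IoCs come from the post, while the candidate list and the resulting matches are constructed placeholders standing in for a Domains & Subdomains Discovery result.

```python
from collections import defaultdict

# Search strings exactly as the post lists them, trailing dot included: a domain
# is string-connected when its leftmost label equals the string.
SEARCH_STRINGS = ["etcady.", "evrryday.", "uhlkg.", "zjkso."]

# IoCs named in the post (the other four of the seven are not spelled out there).
KNOWN_IOCS = {"evrryday[.]com", "uhlkg[.]cn", "zjkso[.]cn"}

# Constructed candidate list (placeholders, not real findings) standing in for
# the raw output of a "starts with" domain discovery search.
CANDIDATES = [
    "evrryday[.]com",            # already an IoC: must be filtered out
    "evrryday[.]net",
    "evrryday[.]shop",
    "uhlkg[.]com",
    "zjkso[.]top",
    "zjkso[.]xyz",
    "uhlkg[.]cn",                # IoC again
    "mail[.]evrryday[.]net",     # leftmost label is "mail", so no match
    "evrryday[.]cdn-host[.]net", # subdomain whose leftmost label is the string
    "zjksox[.]cn",               # label merely begins with the string: no match
    "etcady[.]org",
    "uhlkg[.]com",               # duplicate entry
]


def refang(domain):
    """Undo the [.] defanging used in public reports."""
    return domain.replace("[.]", ".")


def defang(domain):
    """Re-apply [.] defanging before writing results out."""
    return domain.replace(".", "[.]")


def string_connected(search_strings, candidates, known_iocs):
    """Return {search string: sorted defanged domains} for every candidate whose
    leftmost label is exactly the search string, excluding known IoCs and
    duplicates."""
    iocs = {refang(d).lower() for d in known_iocs}
    hits = defaultdict(set)
    for cand in candidates:
        dom = refang(cand).lower().rstrip(".")
        if dom in iocs:
            continue
        for s in search_strings:
            # "zjkso." only matches when the label is followed by a dot, so
            # "zjksox.cn" is rejected while "zjkso.top" is accepted.
            if dom.startswith(s.lower()):
                hits[s].add(defang(dom))
    return {s: sorted(v) for s, v in hits.items()}


def count_connected(hits):
    """Total number of distinct string-connected domains across all strings."""
    return sum(len(v) for v in hits.values())


if __name__ == "__main__":
    result = string_connected(SEARCH_STRINGS, CANDIDATES, KNOWN_IOCS)
    for s, doms in result.items():
        print(s, doms)
    print("total string-connected domains:", count_connected(result))
```

The trailing dot in each search string is what separates a genuine string match from a lookalike that merely shares a prefix; keeping the IoC set and the candidate set both refanged and lowercased before comparison avoids missing an exclusion because one source wrote `[.]` and the other `.`.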

2. Searching for Phishing Email Connections

As the next step of this research, we obtained 10 phishing emails possibly related to the same fraud campaign and identified the following 10 email domains that we then analyzed:

  • cyoa[.]com
  • fsqyqq[.]com
  • hzlgx[.]com
  • icxw[.]com
  • nasture[.]de
  • pisw[.]com
  • shoken_nikko[.]cn
  • tmjs[.]net
  • unwwxlf[.]com
  • zxno[.]com

Here is a sample phishing email we received on 19 May 2025 from an address at the domain tmjs[.]net.

We started by querying the 10 email domains on Bulk WHOIS API and found that:

  • They were created between 1999 and 2024, implying that the fraudsters did not discriminate in terms of domain age. Three of the domains did not have creation dates in their current WHOIS records.
  • They were administered by five registrars led by GoDaddy, which accounted for three domains. One domain each was administered by DNSPod, Gname.com, PDR, and Register.com. The three remaining domains did not have registrars on record.
  • They were registered in three countries topped by the U.S., which accounted for five domains. One domain each was registered in China and India, while three did not have registrant countries on record.

We also analyzed various phishing reports from the Council of Anti-Phishing Japan that contained 44 masked phishing URLs that we looked further into. These were:

  • https[:]//****[.]bond/****[.]php
  • https[:]//****[.]cyou/****[.]php
  • https[:]//****[.]nikkosmbc[.]co[.]jp/****
  • https[:]//****[.]tp****[.]com/login/?token=****
  • https[:]//acquaaintanceshi[.]hv****[.]com/
  • https[:]//biotransformatio[.]bg****[.]com/
  • https[:]//chemiluminescenc[.]tq****[.]com/
  • https[:]//cs[.]mufg[.]p****[.]sbs/login
  • https[:]//dsgr****[.]com/rakuten
  • https[:]//fgjfuz****[.]com/
  • https[:]//jx****[.]com/
  • https[:]//kmm****[.]com/
  • https[:]//mehhkapradwwoesi[.]s****[.]com/
  • https[:]//mu****[.]cn/rakusec
  • https[:]//nomura-****[.]sbs/infojp
  • https[:]//nomuragl****[.]sbs/infojp
  • https[:]//offeepotech****[.]gc****[.]com/
  • https[:]//oingc****[.]com/
  • https[:]//pmm****[.]com/
  • https[:]//pnasoa****[.]net/
  • https[:]//reqi****[.]cn/rakusec
  • https[:]//sb-auth****[.]cloud/sup
  • https[:]//sbiisec****[.]com/
  • https[:]//sbisec-sapony[.]z****[.]com/ETGate/loge/
  • https[:]//sdeb****[.]com/
  • https[:]//sec-sbi****[.]com/
  • https[:]//secure-authen-****[.]club/autolg
  • https[:]//sho****[.]com/
  • https[:]//sim****[.]com/
  • https[:]//szlot****[.]com/
  • https[:]//tac****[.]com/
  • https[:]//ttd[.]com/95X@pnasoa****[.]net#zemwg
  • https[:]//turav****[.]com/web/
  • https[:]//ukeiedehuazhuoe[.]a****[.]com/
  • https[:]//vasoconstrictio[.]yuleche****[.]com/
  • https[:]//wha****[.]top/ufjoeui
  • https[:]//wo****[.]com/
  • https[:]//www[.]columnistof****[.]com/member/
  • https[:]//www[.]duix****[.]com/
  • https[:]//www[.]sbl****[.]com/
  • https[:]//www[.]tv****[.]cn/
  • https[:]//xeroththaamiahl[.]06****[.]com/
  • https[:]//yc****[.]com/
  • https[:]//zhuanxiuderuuir[.]ki****[.]com/

We used the domains we extracted from the 44 masked URLs above as search terms on First Watch Malicious Domains Data Feed. We discovered 20 domains containing the strings sb-auth****.cloud, sbiisec****.com, and sec-sbi**.com across three groups that could pertain to the actual domains the phishers used. Here is one example from each group.

sb-auth****.cloud       sbiisec****.com       sec-sbi**.com
sb-authline[.]cloud     sbiisec06[.]com       sec-sbiloginn06[.]com
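Turning a masked, defanged URL from a public phishing report into a search term, and then matching feed entries against it, is the step the previous paragraph describes. The Python below is an added example, not code from WhoisXML API or from First Watch; it takes five masked URLs from the list above as input, but the feed it searches and every match it reports are constructed placeholders, not real findings. Note that the masks hide an unknown number of characters (the post's own examples show four asterisks covering both "line" and "06"), so each asterisk run becomes a one-or-more character class rather than exactly four characters.

```python
import re
from collections import defaultdict

# Masked, defanged URLs taken from the Council of Anti-Phishing Japan list above.
MASKED_URLS = [
    "https[:]//sb-auth****[.]cloud/sup",
    "https[:]//sbiisec****[.]com/",
    "https[:]//sec-sbi****[.]com/",
    "https[:]//cs[.]mufg[.]p****[.]sbs/login",
    "https[:]//****[.]bond/****[.]php",  # registrable label fully masked
]

# Constructed stand-in for a malicious-domains feed (placeholders, not findings).
FEED = [
    "sb-authline[.]cloud",
    "sb-auth-jp[.]cloud",
    "sbiisec06[.]com",
    "sbiisec[.]com",              # nothing where the mask is: rejected
    "sec-sbiloginn06[.]com",
    "sec-sbi[.]co[.]jp",          # different TLD: rejected
    "cs[.]mufg[.]portal[.]sbs",
    "login[.]sb-authline[.]cloud",  # subdomain of a match: accepted
    "unrelated[.]bond",
]

HOST_RE = re.compile(r"^https?://([^/?#]+)")


def refang(text):
    """Undo the [.] and [:] defanging used in public reports."""
    return text.replace("[.]", ".").replace("[:]", ":")


def host_from_masked_url(url):
    """Extract the (still masked) host part of a defanged URL."""
    m = HOST_RE.match(refang(url).lower())
    if not m:
        raise ValueError(f"not an http(s) URL: {url}")
    return m.group(1)


def mask_to_regex(host):
    """Turn a masked host such as sb-auth****.cloud into an anchored regex.
    Each asterisk run stands for one or more unknown host characters; the
    literal parts are escaped. The host or any subdomain of it matches."""
    parts = [re.escape(p) for p in re.split(r"\*+", host)]
    body = "[a-z0-9-]+".join(parts)
    return re.compile(r"(?:^|\.)" + body + r"$")


def visible_host_chars(host):
    """Count unmasked characters left of the TLD; a mask that hides the whole
    registrable label is too generic to search on."""
    labels = host.split(".")
    return len("".join(labels[:-1]).replace("*", ""))


def match_feed(masked_urls, feed, min_visible=3):
    """Group feed domains under the masked host they fit.
    Returns (hits, skipped): hits maps masked host -> sorted feed entries in
    their original defanged spelling; skipped lists hosts too masked to use."""
    hits, skipped, patterns = defaultdict(set), [], []
    for url in masked_urls:
        host = host_from_masked_url(url)
        if visible_host_chars(host) < min_visible:
            skipped.append(host)
            continue
        patterns.append((host, mask_to_regex(host)))
    for entry in feed:
        dom = refang(entry).lower()
        for host, rx in patterns:
            if rx.search(dom):
                hits[host].add(entry)
    return {h: sorted(v) for h, v in hits.items()}, skipped


if __name__ == "__main__":
    found, too_generic = match_feed(MASKED_URLS, FEED)
    for host, doms in found.items():
        print(host, "->", doms)
    print("skipped (fully masked):", too_generic)
```

The `min_visible` threshold is the practical guard: a mask like `****.bond` would match every .bond domain in a feed, so it is reported as skipped rather than turned into a search term.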

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
