
DNS Deep Dive: Peeking into Back Doors to Abandoned but Live Backdoors

watchTowr Labs investigated thousands of abandoned but live backdoors installed on various compromised sites to determine what data the original backdoor owners have stolen. They published their findings in “Backdooring Your Backdoors—Another $20 Domain, More Governments” and, in the process, identified 34 domains as indicators of compromise (IoCs).

The WhoisXML API research team expanded the list of IoCs through a DNS deep dive and uncovered:

  • 498 email-connected domains
  • 10 IP addresses, eight of which turned out to be malicious
  • 192 IP-connected domains
  • 666 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the IoCs

Before diving into the IoC list expansion, we first looked more closely at the 34 domains tagged as IoCs. We began by querying them on Bulk WHOIS API and found that all of them had current WHOIS records. Here are our findings.

  • A majority of the domain IoCs, 24 to be exact, were administered by Stichting Registrar of Last Resort Foundation. Amazon took second place, accounting for five of the domain IoCs. Gandi administered two domain IoCs, while R01-RU and Alibaba Cloud Computing accounted for one each. Finally, one domain IoC did not have registrar information in its current WHOIS record.
  • They were created between 1999 and 2024. Specifically, 31 domain IoCs were created in 2024, while one each was created in 1999, 2007, and 2012.
  • Only 11 of them had registrant country data in their current WHOIS records. Of these, five were registered in the U.K., four in the U.S., and two in Singapore.

Next, we queried the 34 domains tagged as IoCs on DNS Chronicle API and found that they had 518 IP address resolutions over time. Ccteam[.]ru recorded the oldest IP resolution date—9 October 2019. Take a look at the DNS histories of five other domain IoCs below.

DOMAIN IoC          NUMBER OF IP RESOLUTIONS   FIRST RESOLUTION DATE
csthis[.]com        22                         20 October 2019
h4cks[.]in          3                          5 September 2024
imhabirligi[.]com   22                         13 October 2019
odayexp[.]com       23                         29 September 2021
w2img[.]com         22                         14 November 2019

Expanding the List of IoCs

Our search for possibly connected artifacts began with a WHOIS History API query for the 34 domains tagged as IoCs. We found that their historical records contained 168 email addresses after duplicates were removed. Of these, 65 turned out to be public email addresses.

Next, we queried the 65 public email addresses on Reverse WHOIS API and discovered that 33 of them appeared in the current WHOIS records of other domains. However, 15 of these 33 public email addresses could belong to domainers, so they were excluded from further investigation.

The 18 public email addresses left on our list appeared in the current WHOIS records of 498 email-connected domains after duplicates and those already identified as IoCs were filtered out.

We then queried the 34 domains tagged as IoCs on DNS Lookup API and found that 32 of them actively resolved to 10 unique IP addresses after duplicates were filtered out.

A Threat Intelligence API query for the 10 IP addresses showed that eight of them have already been weaponized for various attacks.
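The pivots described in the three steps above (historical WHOIS emails, reverse WHOIS minus likely domainers, active resolutions and the domains sharing those IPs) can be expressed as a small, reproducible procedure. The script below is an added illustration written for this page, not code from WhoisXML API or from the watchTowr Labs research; every domain, email, IP address and reputation flag in it is constructed (RFC 2606 `.test` names and RFC 5737 documentation addresses), and the `DOMAINER_THRESHOLD` rule for setting aside addresses that appear on many domains is an assumption standing in for the analysts' own judgement. In practice the three dictionaries would be filled from WHOIS-history, reverse-WHOIS, DNS and reputation lookups.

```python
from collections import defaultdict

# All data below is constructed for illustration; none of it comes from the post's dataset.
IOC_DOMAINS = {"ioc-alpha.test", "ioc-beta.test", "ioc-gamma.test"}

# Historical WHOIS records: domain -> registrant emails seen across its record history.
WHOIS_HISTORY = {
    "ioc-alpha.test": ["operator@mail.test", "REDACTED FOR PRIVACY", "operator@mail.test"],
    "ioc-beta.test": ["second@mail.test", "REDACTED FOR PRIVACY"],
    "ioc-gamma.test": ["portfolio@parking.test"],
}

# Current WHOIS records of the wider domain population: domain -> registrant email.
CURRENT_WHOIS = {
    "ioc-alpha.test": "operator@mail.test",
    "pivot-one.test": "operator@mail.test",
    "pivot-two.test": "operator@mail.test",
    "pivot-three.test": "second@mail.test",
    "parked-1.test": "portfolio@parking.test",
    "parked-2.test": "portfolio@parking.test",
    "parked-3.test": "portfolio@parking.test",
    "parked-4.test": "portfolio@parking.test",
    "unrelated.test": "someone@else.test",
}

# Values that are not a real contact address (privacy proxies, placeholders).
NON_PUBLIC = {"REDACTED FOR PRIVACY"}

# Active A records: domain -> IPs (RFC 5737 documentation addresses).
DNS_A = {
    "ioc-alpha.test": ["192.0.2.10"],
    "ioc-beta.test": ["192.0.2.10", "198.51.100.7"],
    "ioc-gamma.test": [],  # no longer resolves
    "pivot-one.test": ["192.0.2.10"],
    "shared-host.test": ["198.51.100.7"],
    "unrelated.test": ["203.0.113.5"],
}

# Reputation feed: IP -> known-malicious flag (constructed).
IP_REPUTATION = {"192.0.2.10": True, "198.51.100.7": False}

# Assumption: an email tied to this many current records is treated as a domainer's.
DOMAINER_THRESHOLD = 4


def historical_emails(iocs, history):
    """Unique registrant emails across the IoCs' WHOIS histories (duplicates removed)."""
    return {e for d in iocs for e in history.get(d, [])}


def public_emails(emails, non_public):
    """Keep only addresses that are genuine contacts, dropping proxy placeholders."""
    return {e for e in emails if e not in non_public}


def reverse_whois(emails, current_whois):
    """email -> set of domains whose current record carries that email."""
    hits = defaultdict(set)
    for domain, email in current_whois.items():
        if email in emails:
            hits[email].add(domain)
    return hits


def drop_domainers(hits, threshold):
    """Set aside emails attached to a large portfolio; they are weak pivots."""
    return {e: ds for e, ds in hits.items() if len(ds) < threshold}


def email_connected_domains(hits, iocs):
    """Flatten the reverse-WHOIS hits and remove domains already tagged as IoCs."""
    return {d for ds in hits.values() for d in ds} - iocs


def resolve_iocs(iocs, dns):
    """Actively resolving IoCs: domain -> IPs, with non-resolving domains dropped."""
    return {d: set(dns[d]) for d in iocs if dns.get(d)}


def ip_connected_domains(ips, dns, iocs):
    """Domains sharing at least one IP with the IoCs, IoCs themselves excluded."""
    return {d for d, addrs in dns.items() if ips & set(addrs)} - iocs


def malicious_ips(ips, reputation):
    return {ip for ip in ips if reputation.get(ip, False)}


def expand_iocs(iocs=IOC_DOMAINS, history=WHOIS_HISTORY, current=CURRENT_WHOIS,
                dns=DNS_A, reputation=IP_REPUTATION):
    """Run the whole pivot chain and return each intermediate set for review."""
    emails = public_emails(historical_emails(iocs, history), NON_PUBLIC)
    hits = drop_domainers(reverse_whois(emails, current), DOMAINER_THRESHOLD)
    resolving = resolve_iocs(iocs, dns)
    ips = set().union(*resolving.values()) if resolving else set()
    return {
        "public_emails": emails,
        "email_connected": email_connected_domains(hits, iocs),
        "resolving_iocs": set(resolving),
        "ips": ips,
        "malicious_ips": malicious_ips(ips, reputation),
        "ip_connected": ip_connected_domains(ips, dns, iocs),
    }


if __name__ == "__main__":
    for name, values in expand_iocs().items():
        print(f"{name}: {sorted(values)}")
```

Each intermediate set is returned rather than merged so that an analyst can review why a domain was pulled in (shared registrant versus shared host) before treating it as an indicator; the portfolio address `portfolio@parking.test` is dropped by the threshold rule, and the non-resolving `ioc-gamma.test` contributes no IP pivot, mirroring the two filtering decisions described in the text.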

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
