
DNS Deep Dive: Pushpaganda Network IoCs

HUMAN’s Satori Threat Intelligence and Research Team recently uncovered a novel ad fraud, social engineering, and scareware operation that they dubbed “Pushpaganda.” The name comes from the operation’s core trick: victims were persuaded to enable browser push notifications, which were then used to deliver alarming messages urging them to take action on problems that did not exist.

The campaign abused Google’s Discover feed. The threat actors used advanced SEO techniques and AI-generated content to inject deceptive news items into the personalized content streams of Android and Chrome users. The final payload was scareware; some victims also received fake legal threats or were lured into financial scams.

The in-depth Pushpaganda analysis published 113 domain IoCs. With the help of the WhoisXML API MCP Server, we determined that some of them belonged to legitimate entities and excluded those from our investigation, which left 90 domain IoCs for analysis.

Our DNS deep dive led to these discoveries:

  • Five unique client IP addresses communicated with four of the domain IoCs
  • One domain IoC was bulk-registered together with two look-alike domains
  • Eight domain IoCs were likely registered with malicious intent
  • 1,055 email-connected domains
  • 162 IP addresses, 101 of which were confirmed malicious
  • Eight IP-connected domains
  • 858 string-connected domains, one of which was confirmed malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Examining the Pushpaganda Domain IoCs

We started our deep dive by taking a closer look at the 90 domain IoCs.

Sample network traffic data from the IASC revealed that five unique client IP addresses under two distinct ASNs communicated with four of the domain IoCs, making 1,795 DNS queries between 16 February and 16 April 2026.

We then queried the domain IoCs on Typosquatting API and discovered that the domain IoC triplek[.]co[.]za was bulk-registered together with two look-alike domains, triplex[.]industries and triplea[.]pl.

Next, we determined that eight of the domain IoCs appeared on the First Watch Malicious Domains Data Feed between 67 and 465 days before they were reported as IoCs on 14 April 2026. In other words, they were flagged as likely registered with malicious intent between 4 January 2025 and 6 February 2026. Here are more details on five examples.

Domain IoC                         First Watch date    Days before the report date (14 April 2026)
harvardglobalcollege[.]co[.]za     4 January 2025      465
alakamahabidyalaya[.]org           22 May 2025         327
shastrijimahilavidyaniketan[.]org  28 May 2025         321
behavioralhealthworkforce[.]org    16 September 2025   210
northcoastradio104[.]co[.]za       26 September 2025   200

We then queried the domain IoCs on WHOIS API and filled in the gaps in their current WHOIS records from their historical records with the help of Domain Info API. We found that:

  • They were a mix of old and new domains created between 18 October 2006 and 10 April 2026, possibly indicating that the attackers did not have a specific domain age preference.
  • They were administered by 15 different registrars.
  • While 32 did not have registrant countries on record, the remaining 58 were registered in six different countries.

Finally, we queried the domain IoCs on DNS Chronicle API and discovered that, together, they recorded 21,880 historical domain-to-IP resolutions. Here are more details on five examples.

Domain IoC                    Domain-to-IP resolutions   Dates seen
thrillscranton[.]com          1,952                      7 February 2017 to 8 February 2026
publishedreporter[.]com       1,799                      11 January 2019 to 16 April 2026
jasminsgranville[.]com[.]au   732                        30 November 2019 to 30 January 2026
englishproject[.]org          608                        17 April 2017 to 14 February 2026
cisda[.]org                   524                        4 February 2018 to 2 April 2026

Seven of the domain IoCs—alakamahabidyalaya[.]org, apacollege[.]org, assessmentsonline[.]co[.]za, behavioralhealthworkforce[.]org, brokenhillcottages[.]com[.]au, crmcateringcollege[.]com, and gardn[.]org[.]au—started recording resolutions on 5 February 2017.

Uncovering New Pushpaganda-Connected Artifacts

We began our hunt for new artifacts by querying the 90 domain IoCs on WHOIS History API and discovered that 44 of them had a total of 125 unique email addresses in their historical WHOIS records. Closer examination showed that 38 of those were public email addresses.

Reverse WHOIS API queries for the public email addresses showed that 34 of them were used to register 1,055 unique email-connected domains, after those already tagged as IoCs were filtered out.

We then queried the domain IoCs on DNS Lookup API and found that 82 of them actively resolved to 162 unique IP addresses.
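
The pivot chain used in this section (historical WHOIS records to registrant email addresses, public addresses to Reverse WHOIS results with known IoCs filtered out, and IoCs to the IP addresses they currently resolve to) can be reproduced offline on a small constructed data set, which also makes the counting rules explicit. The script below is an added example and is not WhoisXML API code; the domains, email addresses, IP addresses and record structures are invented stand-ins for API responses, and the test for whether an address is "public" (a valid address with no privacy-redaction or proxy marker) is my assumption, since the write-up does not state its criterion. The lead-time helper at the end checks the First Watch arithmetic from the earlier table.

```python
"""Offline reproduction of the WHOIS History -> Reverse WHOIS -> DNS Lookup pivot chain.

Added example, not WhoisXML API code. Every record below is a constructed stand-in
for an API response; domains, emails and IPs are invented for illustration.
"""
from collections import defaultdict
from datetime import date
import re

# Constructed: the IoC set being pivoted from (not the report's real list).
IOCS = {"ioc-one.test", "ioc-two.test", "ioc-three.test", "ioc-four.test"}

# Constructed: historical WHOIS records per IoC (what WHOIS History would return).
WHOIS_HISTORY = {
    "ioc-one.test": [
        {"date": "2018-01-10", "registrant_email": "alice@mail.test"},
        {"date": "2022-05-01", "registrant_email": "REDACTED FOR PRIVACY"},
    ],
    "ioc-two.test": [
        {"date": "2019-02-02", "registrant_email": "alice@mail.test"},
        {"date": "2021-07-07", "registrant_email": "bob@mail.test"},
    ],
    "ioc-three.test": [
        {"date": "2020-09-09", "registrant_email": "contact@withheldforprivacy.test"},
    ],
    "ioc-four.test": [],  # no historical records at all
}

# Constructed: Reverse WHOIS results keyed by registrant email.
REVERSE_WHOIS = {
    "alice@mail.test": {"ioc-one.test", "ioc-two.test", "alice-shop.test", "alice-blog.test"},
    "bob@mail.test": {"ioc-two.test"},  # leads only back to a known IoC
}

# Constructed: current A records per domain (what DNS Lookup would return).
DNS_LOOKUP = {
    "ioc-one.test": ["192.0.2.10"],
    "ioc-two.test": ["192.0.2.10", "192.0.2.11"],
    "ioc-three.test": [],  # does not resolve
    "ioc-four.test": ["198.51.100.5"],
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption: markers that identify redacted or privacy-proxy addresses, useless as pivots.
PROXY_RE = re.compile(r"redacted|privacy|proxy|whoisguard|protect", re.I)


def is_public_email(addr):
    """Assumed criterion: a syntactically valid address carrying no privacy/proxy marker."""
    return bool(EMAIL_RE.match(addr)) and not PROXY_RE.search(addr)


def historical_emails(iocs, history):
    """Map each unique registrant email in the IoCs' WHOIS history to the IoCs it appeared on."""
    seen = defaultdict(set)
    for domain in iocs:
        for rec in history.get(domain, []):
            seen[rec["registrant_email"]].add(domain)
    return seen


def pivot_email_connected(emails, reverse_whois, iocs):
    """Reverse WHOIS pivot with known IoCs removed from each result set.

    Addresses whose results contain only IoCs are dropped, so the returned mapping
    counts just the addresses that surfaced something new."""
    connected = {}
    for addr in emails:
        new = reverse_whois.get(addr, set()) - iocs
        if new:
            connected[addr] = new
    return connected


def resolve_iocs(iocs, dns):
    """DNS pivot: IP -> IoCs currently resolving to it; non-resolving domains are omitted."""
    by_ip = defaultdict(set)
    for domain in iocs:
        for ip in dns.get(domain, []):
            by_ip[ip].add(domain)
    return by_ip


def lead_time_days(first_watch, report):
    """Days a domain sat on the predictive feed before the report date (ISO dates)."""
    return (date.fromisoformat(report) - date.fromisoformat(first_watch)).days


def summarize(iocs=IOCS, history=WHOIS_HISTORY, reverse_whois=REVERSE_WHOIS, dns=DNS_LOOKUP):
    """Produce the same kind of counts the write-up reports, from the constructed data."""
    emails = historical_emails(iocs, history)
    public = [a for a in emails if is_public_email(a)]
    connected = pivot_email_connected(public, reverse_whois, iocs)
    by_ip = resolve_iocs(iocs, dns)
    return {
        "iocs_with_emails": len({d for ds in emails.values() for d in ds}),
        "unique_emails": len(emails),
        "public_emails": len(public),
        "emails_with_new_domains": len(connected),
        "email_connected_domains": len(set().union(*connected.values())),
        "resolving_iocs": len({d for ds in by_ip.values() for d in ds}),
        "unique_ips": len(by_ip),
        "shared_ips": sorted(ip for ip, ds in by_ip.items() if len(ds) > 1),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
    print("lead time for 2025-01-04:", lead_time_days("2025-01-04", "2026-04-14"), "days")
```

Two details matter when reading counts like the ones above: an email address that pivots only back to domains already on the IoC list contributes no email-connected domains (bob@mail.test here), and a redacted or proxy address is dropped before the Reverse WHOIS step rather than after, so the "public" count is what bounds the pivot.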

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

