
DNS Spotlight: Rockstar2FA Shuts Down, FlowerStorm Starts Up

It’s not unusual for threat actors to pick up where fellow cyber attackers left off after their operations are shut down. Many of them still want to cause as much trouble as possible without having to start from scratch, that is, without building their own malicious tooling and infrastructure.

That is the story of phishing-as-a-service (PhaaS) offering FlowerStorm as well. Weeks after cybersecurity experts disrupted Rockstar2FA’s operations, Sophos noticed an uptick in the use of similar PhaaS portals believed to be part of FlowerStorm. The researchers identified 190 FlowerStorm indicators of compromise (IoCs) comprising 183 domains and seven IP addresses.

The WhoisXML API research team scoured the DNS for more artifacts possibly connected to the FlowerStorm infrastructure and uncovered:

  • 192 email-connected domains
  • Three additional IP addresses
  • 100 IP-connected domains
  • 1,053 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

More on the FlowerStorm IoCs

As is our usual first step to expand existing IoC lists, we looked more closely at the 183 domains tagged as IoCs.

A Bulk WHOIS API query for the 183 domains tagged as IoCs revealed that:

  • Only 182 had registrar data in their current WHOIS records. Hostinger Operations led the pack with 54 domain IoCs. PDR followed closely with 53 domains. GMO Internet Group came in third place with 33 IoCs. Web Commerce Communications and CV Rumahweb Indonesia completed the list with 23 and 19 domain IoCs, respectively.
  • While 182 domain IoCs were created in 2024, one was created way back in 2013.
  • A majority of the domains, 107 to be exact, were registered in the U.S. A total of 23 IoCs were registered in Malaysia, while 19 were registered in Indonesia. Meanwhile, 34 domain IoCs did not have registrant country information in their current WHOIS records.

Next, we queried the 183 domains tagged as IoCs on DNS Chronicle API and found that 181 had 645 IP resolutions to date. Five examples are listed below.

DOMAIN IoC | NUMBER OF IP RESOLUTIONS | FIRST IP RESOLUTION DATE
database-server[.]com | 45 | 6 October 2019
1069083060[.]site | 8 | 14 June 2024
5043056047[.]cloud | 7 | 9 July 2024
1616117488[.]site | 6 | 11 June 2024
1960373846[.]cloud | 5 | 2 July 2024

We then took a closer look at the seven IP addresses tagged as IoCs through a Bulk IP Geolocation Lookup query, which showed that:

  • Only four had geolocation countries in their records—two IP address IoCs each originated from Japan and the U.S.
  • Only three had ISPs—two IP addresses were administered by Tencent Global and one by Endurance International Group.

A query on DNS Chronicle API for the seven IP addresses tagged as IoCs revealed that four had 2,019 domain resolutions over time. The IP address IoC 69[.]49[.]230[.]198 recorded the first domain resolution on 7 January 2022. Here are two other examples.

IP ADDRESS IoC | NUMBER OF DOMAIN RESOLUTIONS | FIRST DOMAIN RESOLUTION DATE
162[.]241[.]71[.]126 | 1,000 | 14 December 2022
43[.]153[.]176[.]84 | 19 | 7 September 2023

FlowerStorm DNS Investigation Findings

To kick off our search for connected artifacts, we queried the 183 domains tagged as IoCs on WHOIS History API and found that 34 had 15 email addresses in their historical WHOIS records after duplicates were filtered out. Upon closer examination, three of the addresses were public email addresses.

A Reverse WHOIS API query for the three public email addresses showed that two appeared in the current WHOIS records of 192 email-connected domains after duplicates and those already identified as IoCs were filtered out.

Next, we queried the 183 domains tagged as IoCs on DNS Lookup API, which revealed that 38 actively resolved to three IP addresses that have not yet been named as IoCs.
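The two pivots described in this section (per-domain resolution history as tabulated above, then domain-to-IP and IP-to-domain expansion with known IoCs and duplicates filtered out) can be reproduced locally over any passive-DNS export. The script below is an added illustration written for this post; it is not WhoisXML API code and does not call DNS Chronicle API, DNS Lookup API or Reverse IP API. The resolution records, the non-IoC domains and the IP addresses (RFC 5737 documentation ranges) are constructed sample data, and the shared-hosting threshold in `ip_connected_domains` is an assumed analyst setting, not a figure from the research.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'database-server[.]com' back into a lookup-safe form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(ioc: str) -> str:
    """Defang a domain or IP address for reporting, matching the '[.]' style used in this post."""
    return ioc.replace(".", "[.]")


@dataclass(frozen=True)
class Resolution:
    """One passive-DNS record: a domain resolved to an IP, first observed on a given date."""
    domain: str
    ip: str
    first_seen: date


# Constructed sample history (hypothetical records, not DNS Chronicle API output).
# The two IoC domains are from the post; the other names and all IPs are made up.
SAMPLE_HISTORY = [
    Resolution("database-server.com", "198.51.100.10", date(2019, 10, 6)),
    Resolution("database-server.com", "198.51.100.11", date(2021, 3, 2)),
    Resolution("1069083060.site", "203.0.113.5", date(2024, 6, 14)),
    Resolution("1069083060.site", "203.0.113.6", date(2024, 7, 1)),
    Resolution("benign-shared-host.example", "203.0.113.5", date(2023, 1, 9)),
    Resolution("pivot-candidate.example", "203.0.113.6", date(2024, 7, 3)),
    Resolution("unrelated.example", "192.0.2.77", date(2022, 5, 5)),
]

KNOWN_DOMAIN_IOCS = {"database-server[.]com", "1069083060[.]site"}
KNOWN_IP_IOCS = {"198[.]51[.]100[.]10"}  # constructed: pretend this IP is already tagged


def resolution_summary(history, domains):
    """Per-domain count of distinct IPs and earliest resolution date (the shape of the table above)."""
    wanted = {refang(d) for d in domains}
    ips_by_domain = defaultdict(set)
    first_seen = {}
    for rec in history:
        if rec.domain not in wanted:
            continue
        ips_by_domain[rec.domain].add(rec.ip)
        first_seen[rec.domain] = min(first_seen.get(rec.domain, rec.first_seen), rec.first_seen)
    return {defang(d): (len(ips_by_domain[d]), first_seen[d]) for d in ips_by_domain}


def pivot_ips(history, domains, known_ips):
    """Step 1: IPs the IoC domains resolve to that have not yet been tagged as IoCs."""
    wanted = {refang(d) for d in domains}
    known = {refang(ip) for ip in known_ips}
    return sorted({rec.ip for rec in history if rec.domain in wanted and rec.ip not in known})


def ip_connected_domains(history, ips, known_domains, max_domains_per_ip=50):
    """Step 2: reverse-pivot from the new IPs to co-hosted domains.

    Known IoCs and duplicates are dropped. IPs hosting more than max_domains_per_ip
    names are skipped, because co-residence on crowded shared hosting is weak evidence
    (an assumed threshold, not one from the research).
    """
    known = {refang(d) for d in known_domains}
    domains_by_ip = defaultdict(set)
    for rec in history:
        if rec.ip in ips:
            domains_by_ip[rec.ip].add(rec.domain)
    found = set()
    for ip, doms in domains_by_ip.items():
        if len(doms) > max_domains_per_ip:
            continue
        found |= {d for d in doms if d not in known}
    return sorted(found)


if __name__ == "__main__":
    for dom, (count, first) in resolution_summary(SAMPLE_HISTORY, KNOWN_DOMAIN_IOCS).items():
        print(f"{dom}: {count} IP resolutions, first seen {first.isoformat()}")
    new_ips = pivot_ips(SAMPLE_HISTORY, KNOWN_DOMAIN_IOCS, KNOWN_IP_IOCS)
    print("candidate IPs:", [defang(ip) for ip in new_ips])
    print("IP-connected domains:", [defang(d) for d in ip_connected_domains(SAMPLE_HISTORY, set(new_ips), KNOWN_DOMAIN_IOCS)])
```

Because candidate artifacts are only co-hosting evidence, the output of `ip_connected_domains` is a list to investigate, not to block outright; the shared-hosting cutoff is where most false positives are avoided, and it should be tuned against the hosting providers seen in the registrar breakdown above.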

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
