Threat Intelligence

Threat Intelligence / Industry Updates

Unloading MintsLoader IoCs Using DNS Intelligence

Mar 10, 2025

Several American and European organizations across the energy, oil and gas, and legal sectors were recently targeted by a campaign leveraging MintsLoader, a malware loader that delivers malicious software to a victim's device.

DNS Spotlight: Rockstar2FA Shuts Down, FlowerStorm Starts Up

Mar 08, 2025

It's not unusual for threat actors to pick up after fellow cyber attackers shut down their operations. Many of them still want to cause as much trouble without having to start from scratch - building their own malicious creations and infrastructure.

DNS Deep Dive: Peeking into Back Doors to Abandoned but Live Backdoors

Mar 03, 2025

watchTowr Labs investigated thousands of abandoned but live backdoors installed on various compromised sites to determine what data the original backdoor owners have stolen. They published their findings in "Backdooring Your Backdoors -- Another $20 Domain, More Governments" and, in the process, identified 34 domains as indicators of compromise (IoCs).

DNS Insights on a Free Form Builder Service Phishing Campaign

Feb 24, 2025

Unit 42 of Palo Alto Networks recently uncovered a phishing campaign targeting European companies to harvest victims' account credentials and take over their Microsoft Azure cloud infrastructure. According to their report, the phishing attempts leveraging the HubSpot Free Form Builder service peaked in June 2024.

More Signs of the more_eggs Backdoor Found in the DNS

Feb 20, 2025

Using resumes to fake job applications is not a novel social engineering lure for run-of-the-mill phishing campaigns. But utilizing the same tactic to launch a targeted attack isn't that common.

Illuminating Lumma Stealer DNS Facts and Findings

Feb 17, 2025

The Lumma Stealer, known for using the malware-as-a-service (MaaS) model, has figured in various campaigns targeting victims in countries like Argentina, Colombia, the U.S., the Philippines, and others since 2022.

The MOONSHINE Exploit Kit and the DarkNimbus Backdoor in the DNS Spotlight

Feb 05, 2025

The Earth Minotaur threat group recently revived the MOONSHINE exploit kit, first discovered in 2019. According to Trend Micro's in-depth analysis, MOONSHINE had more than 55 servers in 2024 and has been updated with more exploits and functions compared with its 2019 version.

Peering Into Midnight Blizzard’s DNS Footprint

Jan 28, 2025

Thousands of people working for organizations in the public, academia, and defense sectors are being targeted by spear-phishing attacks operated by a threat group called "Midnight Blizzard." The messages contained a Remote Desktop Protocol (RDP) configuration file connected to the malicious actor's server.

Global Domain Activity Trends Seen in Q4 2024

Jan 23, 2025

Our research team analyzed 24.4+ million domains registered between 1 October and 31 December 2024 from the Newly Registered Domains (NRD) Data Feed.

Tracking Down APT Group WIRTE’s DNS Movements

Jan 21, 2025

The WIRTE advanced persistent threat (APT) group has been active since at least August 2018. It has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.

Most Popular

Thumbing Through the DNS Traces of TamperedChef

DNS Spotlight: New MITRE ATT&CK Group Entrants as of October 2025

Hard Data on DDoS, DNS, and the Race for Resilience

Going DNS Deep Diving Into GhostCall and GhostHire

COLDRIVER’s MAYBEROBOT in the DNS Spotlight

Burrowing Into the Beamglea Campaign DNS Infrastructure

Chasing After RacoonO365 IoCs Using DNS and Domain Intelligence

Spelunking Into SVG Phishing: Amatera Stealer and PureMiner DNS Deep Dive

Global Domain Activity Trends Seen in Q3 2025

Scouring the DNS for Traces of the Hiddengh0st and Winos SEO Poisoning Campaign