For #3CX #3CXApocalypse I'm honestly a bit impressed with the identified malicious infrastructure - there's some obvious pivots and relationships, but overall aside from a "visual check" on domain name similarity these break out into multiple, almost completely distinct clusters by infrastructure characteristics. Looks like #DerpK has been learning.

Image courtesy of the fine folks at @DomainTools