Mastodawn

Two of the biggest heavyweight scam TTPs - malvertising and pig butchering - have combined. In our latest research, we track hundreds of investment‑scam campaigns using this one-two punch to target Japan and the wider Asia region.

The hybrid approach kicks-off with malvertising ads that impersonate well‑known financial experts, funnel victims through lure sites on RDGA‑generated domains, before finally pulling them into messaging chats run by tireless AI‑style pig butcher bots. The result: an industrial‑scale long con, with individual victims reporting losses of up to ¥10M (~US$63k).

This model is reused across different campaigns and, by pivoting on DNS, we've so far been able to map out an ecosystem of over 23,000 domains.

In our latest blog we talk about our first‑hand experience going through the scheme, break down the entire flow, and share all the related IOCs: https://www.blogs.infoblox.com/threat-intelligence/banners-bots-and-butchers-an-automated-long-con-targeting-japan-asia-and-beyond/

#Infoblox #InfobloxThreatIntel #dns #threatintel #threatintelligence #malvertising #pigbutchering #rdga #dga #lookalikes #crypto #investment #scam #fraud #cybercrime #cybersecurity #infosec #Japan #Asia #AI

Banners, Bots and Butchers: The AI-Driven Long Con in Asia

Hybrid malvertising and pig butchering scams targeting Asia may mark future direction of AI-driven cyber fraud

Infoblox Blog

Infoblox Threat Intel Sep 19, 2025

We've been observing a trend on Steam involving Chinese-language accounts leaving spam comments on random user's profiles. They range from commenting single emojis to sentences in Chinese that translate to "we should play games together." Upon investigation, these accounts often link to domains that redirect to malicious content.

One such domain, 3pq[.]cc, redirected to a fake chat app interface designed to mimic a messaging platform hosted on jimuzhou[.]top. The messages eventually gave a link to trwonr[.]top, an adult-themed survey page. After completing the survey, it prompted visitors to download an APK file that requested access to invasive permissions, hosted on cxrcedu[.]com.

A pivot on one of the URLs revealed thousands of related domains, all exhibiting similar behavior and infrastructure.

Sample IOCs:
3pq[.]cc
jimuzhou[.]top
trwonr[.]top
cxrcedu[.]com

#Infoblox #dns #rdga #spam #scam #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel

Infoblox Threat Intel Sep 9, 2025

Spammers be spamming. But some may lay low for several months before kicking off their operations.

In late August, we started to observe an influx of a spam campaign targeting Japanese users and impersonating popular companies such as American Express, Amazon and SBI, attempting to phish victims for their credit card and other account information. This was almost a year after the actor first created their domains in September 2024.

This is a technique commonly used by threat actors to avoid detection by security teams, since a lot of attention is usually given to domains that are newly registered. The strategy is to lay low for some time, allowing them to slip under the radar before initiating their operations and remain undetected when they do so.

The actor(s) waited until the domains were close to expiring to start using them in the campaign. They have now renewed several of these domains and, well... that may suggest they intend to continue their activities.

The emails usually contain an action button or a fake url that redirects to links under domains with the pattern <5 to 10 random letters>.cn. Some of the email subjects, along with their translations, are:
-【SBIポイント進呈】ご利用状況に応じた特典をぜひご確認ください — [SBI Points Award] Please Check Your Benefits Based on Usage
- [American Express] カードの利用が一時停止されました — [American Express] Card Usage Has Been Temporarily Suspended
-【お知らせ】カード認証更新のお願い — [Notice] Request to Update Card Authentication

Sample of domains: ehpkmn[.]cn, exttyo[.]cn, qdtqq[.]cn, rnsxk[.]cn, sxviius[.]cn, tyslq[.]cn, wbwfm[.]cn

#Infoblox #dns #phishing #spam #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel #japan #rdga #scam

bilbo_b Sep 9, 2025

Bilder von Montag
#RdgA

bilbo_b Sep 7, 2025

Bilder von heute

#RdgA

bilbo_b Sep 6, 2025

Bilder von heute #RdgA

Übernachtung im B&B bei Les Vouards, südlich des Genfer Sees

Infoblox Threat Intel Aug 27, 2025

An interesting traffic distribution system (TDS) we're tracking routes users to quick cash and payday loan sites that are likely scams looking to steal people's personal and financial information.

The TDS chain starts with an RDGA-generated domain following the pattern: <5 to 9 random letters>.<cfd,cyou,info,etc.>. The user is then routed to one of the actor's TDS domains dfgtrk<1 to 10>[.]com. This domain will then redirect to landing pages hosting the scammy loan/cash sites which urge users to enter PII such as name, date of birth, address, social security number, and even bank account information in order to qualify for a loan.

A lot of these sites have generic titles and SLDs mentioning cash, loans, or other financial topics, and seem to mimic legitimate financial services companies.

#dns #Infoblox #rdga #tds #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #scam

Infoblox Threat Intel Jul 8, 2025

Cybercriminals incorporate artificial intelligence (AI) to be more effective across their businesses functions. In most cases, the technology contributes to the actor's code development or augments their socially-engineered attacks. We provided a real example of this last year in September when we published about youtube account hijackers that use deepfake videos of Elon Musk for a crypto giveaway scam (https://blogs.infoblox.com/threat-intelligence/no-elon-musk-was-not-in-the-us-presidential-debate/). We recently saw similar techniques deployed by a threat actor that we track as Reckless Rabbit (https://blogs.infoblox.com/threat-intelligence/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams/). However, instead of youtube videos, they directly integrate deepfakes into their websites.

Reckless Rabbit began targeting Japanese-speaking users several months ago. They deliver fake web articles that promote non-existent investment programs. These are not your typical scam web pages. They've been enriched with deepfake AI-generated videos of high profile financial leaders including Elon Musk and Masayoshi Son. They also try to add legitimacy to the report by including artificially-drafted and positive reviews from fictitious netizens. Traditionally, the news content was mostly comprised of just text, static images, and links.

Prior to this change, they were predominantly targeting internet users in Eastern European countries. They continue to use dictionary-based Registered Domain Generation Algorithm (RDGA) domains and Facebook ads for navigating victims to fake news articles.

Reckless Rabbit employs a variety of article lures; below, we've highlighted domains specifically used in their Japanese investment scam campaigns. These sites employ deepfake videos embedded with Japanese captions. The articles impersonate one of Japan's major newspaper companies Yomiuri Shimbun and contain a registration button for the fake investment platform called "Finance Legend". After clicking it, the page redirects the victim to a contact webform. Based on the contents of the articles, presumably, the threat actor will follow up with the victim using the provided contact details and encourage them to make a deposit in exchange for a future return that is much greater than the investment.

bullpimpletruth[.]com
calmsixgenerous[.]com
chivenotepoisonwish[.]com
clarinetmonday[.]com
deeplyblowgrape[.]com
earlycoindadsummer[.]com
fertilerare[.]com
premiumsquarecircle[.]com
purplecombshop[.]com
surnamewinter[.]com

Attached to this message, we've included a screenshot of the fake news article lure, as well as a screen recording of our interaction with the scam website and deepfake video.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #deepfake #ai #elonmusk #masayoshi #japan #yomiurishimbun #recklessrabbit #investment #rdga #ddga

Infoblox Threat Intel May 27, 2025

Last week, Microsoft reported that their Digital Crimes Unit (DCU) and international partners disrupted Lumma Stealer by taking down 2,300 domains critical to the malware's operation. Shortly after, Palo Alto's Unit 42 reported about cyber campaigns that previously dropped Lumma Stealer are now distributing StealC infostealer payloads. We analyzed the DNS infrastructure related to the attacks and discovered a large number of malicious registered domain generation algorithm (RDGA) domains. Based on passive DNS, the threat actor that controls the infrastructure configured the domains to a staging environment via a dedicated Panama IP address (self-signed SSL) before deploying them. We identified 144 unique domains in this IP space, and all of them were detected as "suspicious" by our algorithms 1-2 months before they were activated for malicious activity.

Disrupting criminal operations is difficult and they will find ways to resurface. However, this example proves that blocking connections at the DNS level can often protect users against the new versions before they emerge. The infostealer actors made a quick turn, but we were already blocking their path. Our specialty is in DNS analytics, so we use DNS signatures, as opposed to malware signatures, for preemptive security. We love this stuff.

Here are some examples of the RDGA domains:
2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, 832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, bot113cloud[.]cyou, bot113cloud[.]my

These campaigns share similar TTPs with those that we reported several months ago. The threat actor that we discussed in this post (https://infosec.exchange/@InfobloxThreatIntel/114027715851469775) also distributed Lumma Stealer and used RDGA domains, but incorporated additional components, such as traffic distribution systems (TDS), web trackers, and cloakers.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #infostealer #lummastealer #stealc #tds #tracker #cloaker #rdga

Infoblox Threat Intel (@[email protected])

Attached: 1 image Lumma Stealer is currently one of the most popular malware. Campaigns involving this info stealer have a notable presence in DNS. We’ve been tracking a threat actor that deploys large number of domains to advertise file share links dropping Lumma Stealer. These campaigns are interesting because the actor uses traffic distribution system (TDS), cloaking, and web tracking technology (e.g. Matomo, Bablosoft) to hide and protect the malicious content. Here are recent examples of the TDS and landing page domains. :::TDS + Cloaking::: am4[.]myidmcrack[.]site bjnhuy[.]shop filefetch[.]click mplopop[.]shop oyoclean[.]sbs psldi3z[.]com readyf1[.]click volopi[.]cfd :::Landing Page::: 14redirect[.]cfd downf[.]lol fbfgsnew[.]com icjvueszx[.]com lkjpoisjnil[.]site sikoip[.]cfd zulmie[.]cfd An attack that we investigated today showed a new Lumma Stealer payload and C2 domain that is only a day old. :::Lumma Stealer executable SHA256::: df148680db17e221e6c4e8aed89b4d3623f4a8ad86a3a4d43c64d6b1768c5406 :::Text sites containing Lumma Stealer configuration details::: hXXps://rentry[.]co/feouewe5/raw hXXps://pastebin[.]com/raw/uh1GCpxx :::Newly created Lumma Stealer C2::: hXXps://urbjanjungle[.]tech/api #malware #lummastealer #c2 #tds #tracker #cloaking #dns #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel

Infosec Exchange

Infoblox Threat Intel May 1, 2025

There is another Lizard on the radar! Looming Lizard is an actor creating hundreds of lookalike domains impersonating popular banks and telecommunication companies targeting Spanish speaking countries, such as Mexico. Not only they are lookalikes, but are also RDGAs (Registered DGAs), with new domains created on a daily basis. These are some of the entities they impersonate:

- Banks: Banorte, BBVA, Citi, HSBC, Itaú, Santander, Scotiabank
- Telecommunications: AT&T, BTC, Claro, Liberty, Movistar, Telcel, Tigo
- Others: post offices, department stores, energy companies

For one of the lookalikes to Tigo (tigoppy[.]club), the actor was kind enough and offered the ability to trade our (fake) account points for nice prizes (wink wink). Sample of domains for each mentioned company:

- banortex[.]vip, banortepmex[.]store, banorteoi[.]icu, banorteoi[.]sbs, banortebc[.]top
- bbvamex[.]xin, bbvamex[.]xyz, bbvamxn[.]cyou, bbvamxn[.]store, bbvamxn[.]sbs
- citiprr[.]top, citipr[.]top, citipr[.]vip, citiipir[.]top, citiipir[.]vip
- mex-hsbc[.]xyz, mexhsbc[.]icu, mex-hsbc[.]icu, mex-hsbc[.]xin, mexhsbck[.]pro
- itauupy[.]top, ittau[.]top, itauupyi[.]top, itaui[.]cfd, itaupy[.]top
- santander-mex[.]xin, santandermox[.]vip, santander-mex[.]sbs, santander-mex[.]icu, santandermox[.]xyz
- scotiabank-mx.xyz, scotiabok[.]xyz, scotiiiai[.]vip, scotiabanukmx[.]sbs, scotiiiai[.]xin
- attmiex[.]pro, att-com-mx[.]top, attmmex[.]xyz, att-com-mx[.]xin, attmmex[.]vip
- btcbahamass[.]vip, btcbahamasni[.]vip, btcbahamasni[.]xin, btcbahamasi[.]top, btcbahamasni[.]top
- claroar[.]top, claroec[.]vip, clarosv[.]top, claropy[.]vip, clarolo[.]top
- liberty-cr[.]xyz, liberty-cr[.]vip, liberty-cr[.]icu, liberty-cr[.]xin, liberty-cr[.]cc
- movisstar[.]pro, movisstar[.]xyz, movistar-uy[.]xin, movisstar[.]sbs, movistarui[.]icu
- telcelsi[.]top, telcelt[.]bond, telcele[.]info, telceln[.]qpon, telcel0[.]online
- tiiigopy[.]xyz, tigosv[.]top, tigosv[.]cc, tigosvi[.]top, tigoipy[.]top

https://urlscan.io/result/375469cb-d1ac-4b91-8dbe-18c5f42d427d/
https://urlscan.io/result/019656a1-67b5-7007-acc9-8834551420f7/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infoblox #infobloxthreatintel #lookalike #phishing #rdga #scam

www.scotiabank-mx.xyz - urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs