Trust this “Amazon” phishing email in Japan—and you’re Prime sashimi 🎣 🍣

Looking into our malspam data, we identified an active campaign impersonating Amazon and targeting Japanese citizens. The emails use subjects such as 「至急 Amazonプライム会員情報の確認」 (“Urgent: Confirm Amazon Prime member information”).

The URLs within the emails ultimately lead to an Amazon phishing page, but only after routing victims through a TDS. Interestingly, instead of keeping the TDS step invisible, the actors chose to show it off—repackaging it as a reassuring security check.

Upon clicking the link within the email, victims are first redirected to an RDGA TDS domain, where fingerprinting occurs. If the user does not match the targeting criteria (e.g., connecting from outside Japan), access is blocked. If they do match, potential victims are redirected to a second RDGA domain.
This second and last domain is not a TDS domain, but funny enough, these actors decided they would emulate it anyway!

At that step victims are already at the landing page but instead of immediately displaying a standard Amazon phishing page, the website displays a CAPTCHA and fake console interface simulating environment fingerprinting checks to “make sure your environment and connection is safe” before "proceeding to the landing page". Ironically, part of their message is true: fingerprinting did happen one domain earlier. It just wasn’t for the user’s benefit—it was to make sure the environment was safe… for the scammers. A few seconds later, without added user interaction needed, a fake Amazon login page is displayed.

Domains samples:
qqc10c[.]cyou
51wang11c[.]cyou

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #amazon #malspam #email #fingerprinting #japan

From call scripts and scams to command and control—Southeast Asia’s scam centres are levelling up.

In our latest research with Chong Lua Dao, we track a sophisticated Android banking trojan directly to the K99 Triumph City scam compound in Sihanoukville, Cambodia, and the high-ranking political elites behind it.

Using a combination of technical analysis, infrastructure patterns, and operational visibility provided by former captives, we were able to map thousands of targeted lure and C2 domains used to distribute and administer the malware across Asia, Africa, Europe, and Latin America.

What we uncovered is a turnkey malware-as-a-service (MaaS) platform sold to scam-centre based criminal networks, including K99, enabling real-time surveillance, credential theft, biometric data exfiltration, and financial fraud on a global scale. Victims are funnelled through domains impersonating government services, financial institutions, e-commerce platforms and airlines, with new domains registered every month.

In addition to giving criminal operators complete control over infected devices, behind the malware sits a highly coordinated operation. Our investigation unpacks the whole thing, revealing multiple C2 panels organised by country and “customer” as well as the integration of AI-driven tools used to support attacks targeting victims in at least 21 countries and 15 languages.

What’s more, we have found that there is significant overlap with the infrastructure and business networks attributed to the DNS threat actors Vigorish Viper and Vault Viper, highlighting the continued evolution of the regional cyber threat landscape.

👉 Read the full report here: https://www.infoblox.com/blog/threat-intelligence/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers/
👉 We spoke to the Economist to explain how the scam centre threat is shifting: https://www.economist.com/interactive/asia/2026/04/10/scam-inc-has-a-new-weapon?fsrc=core-app-economist

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #malware #scam

💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

@rato_support
@ratofaqs
@rato_backup
@rato_hosting
@Rato2_bot

Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

asakusubinitohas[.]com
bmw320ikaka[.]co
cpusx[.]com
newoneazu[.]com
ratmail[.]pro
rato[.]page
rato[.]to
ratodemo[.]pro
sesrecipt[.]com
silk-gen[.]com
sunostart[.]com
viewyourstatementonline[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

⚽ Threat actors are warming up for the 2026 World Cup—and they’re targeting fans early.

We’ve observed FIFA ticket phishing pages on domains such as fifa[.]bio and ww-fifa[.]com, distributed through malicious spam emails and Facebook ad campaigns. These sites prompt a bogus FIFA ID login to purchase tickets, then transition to a checkout flow collecting personal and payment information.

Payment flows redirect to actor-controlled domains (pay[.]fifa-com[.]com) or Stripe checkout pages with inconsistent merchants (we observed some with suspicious Romanian LLC names).

These recently-registered domains are mostly Cloudflare-hosted, spread across various TLDs, and consistently abuse FIFA branding. If it’s a suspicious domain in your inbox or feed, assume it’s not official. 🛑 ⚽

Domain sample: fifa-2026[.]homes, fifa-com[.]media, www-fifa-com[.]website, vvww-fifa[.]com, fifa-26-worldcup[.]com

#dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #FIFA #WorldCup2026 #phishing #scam #lookalikes

🚨 Tax Season, Scam Season: Lookalike Domains Target Spain’s Agencia Tributaria

Today (April 8), the tax filing and refund period officially starts in Spain — and as expected, so do the scams.

We’ve identified multiple new registrations of lookalike domains impersonating Spain’s official tax authority (Agencia Tributaria) happening over the past weeks, including:

agenciatributaria-gob[.]com
agencia-tributaria[.]im
agenciatributaria[.]de
sede-agenciatributaria[.]com

Threat actors moved so fast that some campaigns were launched before the official refund process even started, already promising generous (and obviously fake) tax refunds.

For example, agencia-tributaria[.]im advertises refunds of €250+ — a clear lure.

Laughs aside, while they may not be the smartest in terms of timing, they are learning new tricks. We’ve been talking a lot about TDSs lately, and they seem to like them too.

That same domain redirects users almost instantly to a malicious phishing landing page if they match the attacker’s targeting criteria. However, when accessed from a Linux virtual machine, fingerprinting likely flags a security analyst environment — and suddenly you’re redirected to the lovely and familiar "google[.]com" page, never seeing a second of the phishing content. The same seems to occur if you access it from another country.

They may have been fast starting their campaigns (maybe too fast)…but we’re faster finding them!

#dns #infoblox
#infobloxthreatintel
#threatintel
#threatintelligence
#cybercrime
#cybersecurity #phishing #scam
#spain #agenciatributaria #declaraciondelarenta

Keitaro series, Part 3: What happens when we zoom out from individual campaigns and examine the broader ecosystem of Keitaro abuse?

In the third and final installment on Keitaro, we take a step back to analyze cross‑campaign trends and the Keitaro features most frequently abused at scale. We also look at cookies and cracked versions tied to threat actors like TA2726, and share what provider engagement and takedowns actually look like in practice.

https://www.infoblox.com/blog/threat-intelligence/patterns-pirates-and-provider-action-what-we-learned-working-with-keitaro/

#dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #keitaro #adtech #tds

We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.

Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.

If you hunt threats distributed via adtech, these indicators can be useful pivots. https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting

Seeing FQDNs like "mtmoqiuq.20.218.142.124.static.hostiran[.]name" and "sgrwnbid.172-202-98-170.cloud-xip[.]com", we first thought some ASNs could be exploited similarly to the ".ARPA abuse" we described in one of our recent blogs. Turns out we were overthinking it... This kind of "DNS abuse" is so straight forward... We're not sure it qualifies as DNS abuse...

Here is what is going on: Whatever IP address you prepend to "static.hostiran[.]name" creates a hostname which resolves to this IP... That is it! Same goes for cloud-xip[.]com!

We've seen these kinds of hostnames a lot in SPAM emails recently, like the one we screenshot below which loads an image from a CDN as a giant hyperlink. We aren't sure why malicious SPAM actors bother to use this trick in their email links... If they control an IP, they can use it directly in URLs. They don't need a domain name!? And it isn't like this bypasses a firewall... If their IP is blocked, queries to those FQDNs will be too...

Our best guesses are that:
- Using hostnames rather than IPs helps them bypass SPAM email detection?
- And / or it enables them to create "subdomains", which they seem to be doing to track something, either SPAM campaigns, or their victims.

Technically, this could be used to create lookalike FQDNs. Those examples look like random subdomains, but literally anything can be prepended to the IP, so the only limit is your imagination! Not the most convincing lookalike by any means... but we've seen worse!

Here is an example of how this can be abused to both, load content from literally any IP, and create low quality lookalikes:
https://urlscan.io/result/019d1b3d-b94e-70f9-aae7-ecf5a02e3c89/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #spam #scam

Dios mio! While researching a particular type of Colombian folk music, we stumbled across a .edu domain selling... accordions? Our first thought was potentially domain hijacking, but it appears to be more likely an exploitation of CVE-2026-27210 (TLDR; cross-site scripting). While the vulnerability has been patched in the plugin itself, not all pages have updated their plugins, and search engines have already indexed the poisoned pages! Pivoting led to 50+ additional domains found spread across three risky TLDs: .sbs, .pics, and .shop. The domains on .sbs and .pics appear to be config servers to exploit the vulnerability; the domains on .shop are the landing pages where victims can be scammed.

IOCs:
000o[.]sbs,0pen[.]sbs,123buys[.]shop,123me[.]shop,1bg[.]pics,1ki[.]pics,1mage[.]sbs,1ql[.]pics,1ty[.]pics,1vi[.]pics,1wr[.]pics,2ty[.]pics,569oagri[.]shop,66buys[.]shop,6ip[.]pics,6ym[.]pics,7rt[.]pics,8pi[.]pics,99buys[.]shop,99i[.]pics,9gwe[.]shop,a25n[.]shop,bk2[.]pics,bk59t[.]shop,buysok[.]shop,c68k[.]shop,cc1[.]pics,doo[.]pics,ep7[.]pics,estore-1[.]com,g9gvv[.]sbs,gaer896[.]shop,gm5[.]pics,gosok[.]shop,gt3[.]pics,h66p[.]shop,hh6[.]pics,iilvw[.]sbs,im9[.]pics,img1[.]sbs,in6[.]pics,jj3[.]pics,kk9[.]pics,lilil[.]sbs,llvvw[.]sbs,m66p6[.]shop,mebuys[.]shop,mg6[.]pics,mh8f6k[.]shop,mkk[.]pics,ms1[.]pics,nn6[.]pics,onsgs[.]com,p6[.]pics,p888p[.]shop,pan1[.]top,pic1[.]sbs,pic2[.]sbs,pt11[.]sbs,py3y[.]com,qq1[.]pics,rey89p[.]shop,shop56[.]shop,t88t8[.]shop,tp1[.]pics,tp9[.]pics,trues[.]sbs,up9[.]pics,upimg[.]sbs,uu2[.]pics,vt5[.]pics,vteyu[.]shop,vvf1[.]sbs,vvp1[.]sbs,w2w[.]pics,w88p[.]shop,wp59q[.]shop,wvlll[.]sbs,wvv1[.]sbs,wvvvv[.]sbs,x2p[.]pics,xyaer548[.]shop,yi1[.]pics

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #seo_poisoning #seopoisoning

🔴 A threat isn't much of a threat if it can't reach the right victims. 📦 That's why many modern threat actors rely on cloakers and traffic distribution systems (TDS) to target, route, and hide at scale. In a six‑month joint effort analyzing four months of data with Confiant, we identified 15,500 domains configured to Keitaro instances and actively used in cyber campaigns. Keitaro is a legitimate ad tracker, but it is frequently misused by cybercriminals as an all‑in‑one tracker + TDS + cloaker in scam and malware campaigns. We encounter Keitaro in our investigations nearly every day, and we set out to quantify that abuse in the broader landscape. We're publishing a three‑part series to share what we learned. Part 1 focuses on a subset of actors who leverage AI in their operations, most of whom are tied to investment scams. At the end of the report, you'll find a link to our github repository that contains thousands of related Keitaro iocs.

https://www.infoblox.com/blog/threat-intelligence/inside-keitaro-abuse-a-persistent-stream-of-ai-driven-investment-scams/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising