Two of the biggest heavyweight scam TTPs - malvertising and pig butchering - have combined. In our latest research, we track hundreds of investment‑scam campaigns using this one-two punch to target Japan and the wider Asia region.

The hybrid approach kicks off with malvertising ads that impersonate well‑known financial experts, funnel victims through lure sites on RDGA‑generated domains, and finally pull them into messaging chats run by tireless AI‑style pig butcher bots. The result: an industrial‑scale long con, with individual victims reporting losses of up to ¥10M (~US$63k).

This model is reused across different campaigns and, by pivoting on DNS, we've so far been able to map out an ecosystem of over 23,000 domains.

In our latest blog we talk about our first‑hand experience going through the scheme, break down the entire flow, and share all the related IOCs: https://www.blogs.infoblox.com/threat-intelligence/banners-bots-and-butchers-an-automated-long-con-targeting-japan-asia-and-beyond/

#Infoblox #InfobloxThreatIntel #dns #threatintel #threatintelligence #malvertising #pigbutchering #rdga #dga #lookalikes #crypto #investment #scam #fraud #cybercrime #cybersecurity #infosec #Japan #Asia #AI

Banners, Bots and Butchers: The AI-Driven Long Con in Asia

Hybrid malvertising and pig butchering scams targeting Asia may mark future direction of AI-driven cyber fraud

Infoblox Blog

Photographer made it his life work to track down amazing doppelgängers. Here are his best finds.

https://fed.brid.gy/r/https://www.upworthy.com/doppelgangers-photo-project

That guy from Darts is in The Hives now, right? #totp #lookalikes

WhatsApp, doc?

We recently observed about 800 lookalike domains impersonating WhatsApp. These domains are all on the .com, .cc, and .cn TLDs and exhibit a few naming patterns:

Randomized short .cc domains:
- whatsqgs[.]cc, whatsqka[.]cc, whatsqys[.]cc

Structured .com domains:
- app-<3 letters>-whatshktw[.]com
- app-<3 letters>-whatsappcc[.]com

Structured .cn domains:
- <4 letters>-wahtsapp[.]cn

These domains were all created within the last 20 days, tops, and, given the bulk registration and consistent infrastructure, point to a coordinated campaign. All 800+ domains are hosted in ASN 205960 (KR, 'IP Transit'), share the same nameserver domain (domainnamedns[.]com), and embed a highly suspicious Chinese analytics loader from aizhantj[.]com (seriously, this thing is weird; check the references below). The sites present fake WhatsApp login/download portals in Chinese, suggesting East-Asian targeting.

Selection of IOCs

References
https://urlscan.io/result/0199f335-4b61-76ca-851f-c832a7d5f9bd/#transactions (tj.js is the weird analytics GET request)
https://urlscan.io/result/0199f34a-e9a8-7788-a057-29a6c9a3f133 (the loader itself)
https://www.shodan.io/search?query=aizhantj.com

#infoblox #phishing #lookalikes #infosec #threatintel #dns #whatsapp
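As an added example (not code from the post or from Infoblox), here is a small Python detector that turns the three naming patterns described above into regexes and runs them over DNS query logs. The log format, the sample lines and the generalisation of the .cc examples to "whats" + three letters are all assumptions.

```python
import re

# Regexes derived from the naming conventions in the post above. The .cc rule
# generalises the three listed examples (whatsqgs, whatsqka, whatsqys) to
# "whats" + three letters, excluding the genuine spelling "whatsapp"; that
# generalisation is an assumption. The .cn rule accepts "wahtsapp" (the stated
# pattern) and "wahstapp" (the spelling used in the post's IOC list).
PATTERNS = {
    "random_short_cc": re.compile(r"^whats(?!app\.)[a-z]{3}\.cc$"),
    "structured_com": re.compile(r"^app-[a-z]{3}-whats(?:hktw|appcc)\.com$"),
    "structured_cn": re.compile(r"^[a-z]{4}-(?:wahtsapp|wahstapp)\.cn$"),
}

def refang(indicator: str) -> str:
    """Normalise a defanged indicator such as 'whatsqgs[.]cc' to a hostname."""
    return indicator.strip().lower().rstrip(".").replace("[.]", ".")

def classify(domain: str):
    """Return the first naming pattern the domain matches, or None."""
    host = refang(domain)
    for name, rx in PATTERNS.items():
        if rx.match(host):
            return name
    return None

def scan_dns_log(lines):
    """Return (qname, pattern) for each line whose queried name matches.
    Assumes a constructed log format '<timestamp> <client> <qname>';
    malformed lines are skipped rather than raising."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = refang(parts[2])
        label = classify(qname)
        if label:
            hits.append((qname, label))
    return hits

# Constructed sample log lines (not real traffic); qnames follow the post's patterns.
SAMPLE_LOG = [
    "2025-10-20T09:14:02Z 10.0.0.12 web.whatsapp.com.",
    "2025-10-20T09:14:09Z 10.0.0.12 whatsqys.cc.",
    "2025-10-20T09:15:31Z 10.0.0.45 app-xfn-whatsappcc.com.",
    "2025-10-20T09:16:07Z 10.0.0.45 ggeu-wahstapp.cn.",
    "malformed line",
]

if __name__ == "__main__":
    for qname, label in scan_dns_log(SAMPLE_LOG):
        print(f"{qname}\t{label}")
```

Pattern matches alone are a triage signal; confirming the shared nameserver (domainnamedns[.]com) and ASN from the post is the corroborating step before blocking.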