DomainTools

@DomainTools@infosec.exchange
819 Followers
168 Following
556 Posts
A global leader for internet #intel that enables security practitioners to proactively defend their organization in a constantly evolving threat landscape.
Website: www.domaintools.com
Twitter: https://twitter.com/DomainTools
Podcast: https://www.domaintools.com/resources/podcasts/
Thanks to all that attended @neurovagrant and Malachi Walker’s #BSidesNoVA talks this morning. Please don’t hesitate to stop by our table and say hello 👋 !

At 11:30 AM @neurovagrant is presenting on DNS and domain intelligence as it applies to investigative journalist investigations and related OSINT applications outside of cybersecurity. In related news, @allan is selling Green Archer comic “The Press Guardian”. We highly recommend checking out his table as well!

https://bsidesnova-2025.sessionize.com/session/1001159

Attending BSides NoVA? Be sure to say hello to Malachi and @neurovagrant at the DomainTools table before their talks at 11:30!

Struggling with context-switching and manual data enrichment? Streamline your security workflows with DomainTools integrations!

We embed rich domain intelligence - including real-time DNS insights - directly into your preferred SIEM, SOAR, TIP, and even E/XDR and LLM solutions. This means:

⚡Automated Threat Detection & Response
💪 Reduced Manual Effort
⌛ Faster Investigations

Spend less time searching and more time proactively defending. Discover how to optimize your security resources when you request a meeting with our team today:

https://www.domaintools.com/demo/

New video! See how our Newly Observed Domains (NOD) feed integrates with platforms like Splunk for proactive security. Identify young, risky domains before they do damage and automate your security response 🛡️

Tired of context-switching? 😵‍💫 DomainTools integrations embed rich domain profiles & predictive Risk Scores directly into your security stack. Gain a competitive edge by staying ahead of threats and reducing cyber risk without ever leaving your platform.

https://www.domaintools.com/wp-content/uploads/DomainTools-Integrations-Overview.pdf

Recent high-profile compromises have spotlighted the adversary SCATTERED SPIDER. But new research from the DomainTools Investigations (DTI) team raised questions about a connection between their TTPs and those of a different actor, PoisonSeed.

DTI identified 21 new domains registered since June 1, 2025, that are likely linked to PoisonSeed's activity. These domains spoof email platforms like SendGrid and use fake Cloudflare CAPTCHA pages to harvest enterprise credentials from customers. This activity bears similarities to SCATTERED SPIDER's historical operations.

Threat actors are constantly evolving their methods, making it critical for SOC analysts, incident responders, and threat intelligence analysts to stay ahead of the curve. Could PoisonSeed have an affiliation with the SCATTERED SPIDER collective, "The Com"?

Learn about the new infrastructure, the connections, and what this could mean for your organization's defenses in our full report.

#ThreatIntelligence #Cybersecurity #SCATTEREDSPIDER #PoisonSeed #InfoSec

https://dti.domaintools.com/newly-identified-domains-likely-linked-to-continued-activity-from-poisonseed-e-crime-actor/

Check out our latest blog post on how security teams can use our new Feed API to get near-real-time domain intelligence directly into Splunk.

Historically, threat intelligence feeds were delivered daily, but with the rise of intraday attacks, a more frequent delivery method is needed. Our new Feed API addresses this by allowing you to retrieve new data as often as every 60 seconds⌚, which helps security teams detect and respond to threats faster.

The blog post provides a real-world use case, demonstrating how to integrate our Newly Observed Domains (NOD) feed into Splunk SIEM in about an hour.

Once you've set up the data ingestion, you can use the NOD feed for multiple use cases, including:

❌ Proactive Threat Blocking: Block young domains at the DNS layer to prevent exposure.

Threat Hunting: Filter the list to find new attacker infrastructure or patterns tied to a specific threat actor.

👯‍♂️ Brand Protection: Discover typosquatting and brand impersonation by using Levenshtein Distance to find suspicious domains that are similar to your brand name.

🛎️ Correlation with Internal Logs: For Splunk Enterprise Security (ES) users, you can automatically create notable events when there's a match between your internal logs and the NOD feed.

Read the full post to learn how to shift from reactive to proactive defense:
https://www.domaintools.com/resources/blog/using-the-domaintools-feed-api-in-splunk/
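As an added example that is not DomainTools code and not the Splunk integration the post describes, here are the brand-protection and log-correlation use cases from the list above in Python: an edit-distance screen over a constructed sample of NOD-style domains, then a join of the flagged domains against constructed internal DNS log lines to produce notable-event candidates. The feed layout, the log format, the brand names and every domain below are assumptions made for illustration; the real NOD feed record format is not assumed here.

```python
"""Screen a Newly Observed Domains (NOD) style feed for brand look-alikes and
correlate the hits with internal DNS query logs.

Added example, not DomainTools code. Feed layout, log layout, brand names and
all domains are constructed for illustration only.
"""
import re

# Hypothetical brand labels a defender wants to protect.
BRANDS = ["example", "examplebank"]

# Constructed sample feed: one newly observed domain per line (not real data).
NOD_FEED = """\
examp1e.com
exarnplebank.net
weather-report-today.org
example-login.com
exampleb4nk.co
"""

# Constructed internal DNS query log lines (not a real log format).
DNS_LOG = """\
2025-09-10T08:01:02Z host=ws-17 qname=examp1e.com qtype=A
2025-09-10T08:01:09Z host=ws-22 qname=weather-report-today.org qtype=A
2025-09-10T08:02:44Z host=ws-17 qname=exampleb4nk.co qtype=A
"""

QNAME_RE = re.compile(r"qname=(\S+)")


def levenshtein(a: str, b: str) -> int:
    """Classic Levenshtein edit distance using a two-row DP table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, naively stripping only the last label (no PSL here)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def brand_match(domain: str, brands=BRANDS, max_distance: int = 2):
    """Return (brand, distance) for the closest brand within max_distance, else None.

    Both the whole second-level label and each hyphen-separated token are
    compared, so 'example-login.com' is caught as an exact brand token (distance 0).
    """
    label = registrable_label(domain)
    candidates = [label] + [t for t in label.split("-") if t]
    best = None
    for brand in brands:
        for cand in candidates:
            d = levenshtein(cand, brand)
            if d <= max_distance and (best is None or d < best[1]):
                best = (brand, d)
    return best


def screen_feed(feed_text: str = NOD_FEED, brands=BRANDS) -> dict:
    """Return {domain: (brand, distance)} for feed entries that resemble a brand."""
    hits = {}
    for line in feed_text.splitlines():
        domain = line.strip()
        if not domain:
            continue
        m = brand_match(domain, brands)
        if m:
            hits[domain] = m
    return hits


def correlate(hits: dict, log_text: str = DNS_LOG) -> list:
    """Return log lines whose queried name is a flagged domain (notable-event candidates)."""
    notable = []
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if m and m.group(1).lower().rstrip(".") in hits:
            notable.append(line)
    return notable


if __name__ == "__main__":
    flagged = screen_feed()
    for domain, (brand, dist) in sorted(flagged.items()):
        print(f"look-alike {domain:<28} brand={brand} distance={dist}")
    for line in correlate(flagged):
        print("NOTABLE", line)
```

Running the module prints four look-alikes (the weather domain is not flagged) and two notable lines, both from host ws-17. The token split is what lets a hyphenated domain carrying the exact brand name score 0 rather than being hidden by its extra characters; the distance threshold of 2 is a tuning choice, and shorter brand names will need a tighter threshold to keep the false-positive rate down.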

🔥The "Kim" leak is an intelligence goldmine.

For analysts: We’ve got an unprecedented look into a DPRK threat actor's playbook. This isn't just about known tactics like credential theft and phishing. Our analysis shows a strategic pivot to include Taiwanese developer and government networks, revealing a clear geographical expansion of North Korea's cyber interests.

For defenders: We've mapped the full scope of this threat—from custom Linux rootkits to particular targets like PKI infrastructure and specific tools like NASM and ocrmypdf. Our report provides defensive recommendations and specific Indicators of Compromise (IOCs), so your team can detect and block this persistent, infrastructure-centric campaign.

Get the full technical breakdown and all the IOCs in our new post.

🔗https://dti.domaintools.com/inside-the-kimsuky-leak-how-the-kim-dump-exposed-north-koreas-credential-theft-playbook/

#ThreatIntelligence #Cybersecurity #NationStateAPT #Kimsuky #ThreatAnalysis #DFIR #InfoSec

Stop reacting to threats and start predicting them 🛡️Our integrations give your team the power of advanced DNS intelligence to see emerging threats before they impact your organization, helping you predict, prioritize, and protect.

https://www.domaintools.com/wp-content/uploads/DomainTools-Integrations-Overview.pdf