DomainTools

@DomainTools@infosec.exchange
669 Followers
170 Following
492 Posts
A global leader for internet #intel that enables security practitioners to proactively defend their organization in a constantly evolving threat landscape.
Website: www.domaintools.com
Twitter: https://twitter.com/DomainTools
Podcast: https://www.domaintools.com/resources/podcasts/

ICYMI: DomainTools Investigations released new research this week!

Skeleton Spider (aka FIN6) is leveraging trusted cloud services like AWS to deliver malware through fake job applications and resume-themed phishing campaigns.

🔍 Learn how this financially motivated group is:

🔹Exploiting cloud infrastructure to evade detection
🔹Using social engineering to lure victims
🔹Building resilient, scalable malware delivery systems

Read the full analysis here: https://dti.domaintools.com/skeleton-spider-trusted-cloud-malware-delivery/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Skeleton-Spider

#CyberSecurity #ThreatIntelligence #Malware #CloudSecurity #Phishing #FIN6 #SkeletonSpider #InfoSec

Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery - DomainTools Investigations | DTI

Discover how the FIN6 cybercrime group, also known as Skeleton Spider, leverages trusted cloud services like AWS to deliver stealthy malware through fake job applications and resume-themed phishing campaigns. Learn about their tactics, infrastructure, and how to defend against these evolving threats.


Cybercrime group FIN6 (aka Skeleton Spider) is leveraging trusted cloud services like AWS to deliver malware through fake job applications.

Our latest analysis breaks down:
🔹 How attackers use LinkedIn & Indeed to build trust
🔹 The use of resume-themed phishing lures
🔹 Cloud-hosted infrastructure that evades detection
🔹 The delivery of the More_eggs backdoor via .LNK files
🔹 Key defense strategies for recruiters and security teams

This campaign is a masterclass in low-complexity, high-evasion phishing.

📖 Read the full breakdown: https://dti.domaintools.com/skeleton-spider-trusted-cloud-malware-delivery/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Skeleton-Spider

#CyberSecurity #ThreatIntel #FIN6 #Phishing #CloudSecurity #MalwareAnalysis #InfoSec #SkeletonSpider
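Added example, not code from DomainTools or from the linked DTI report: a minimal Python triage of a Windows shortcut (.LNK) of the kind a resume-themed lure would carry. It parses the MS-SHLLINK ShellLinkHeader and StringData sections to recover the target path, command-line arguments, icon and ShowCommand, then flags the traits a document-themed shortcut should not have. The sample shortcut is constructed inside the code (header plus StringData only); its target, arguments and icon are illustrative assumptions, not indicators from the report.

```python
import struct

# Constants from the MS-SHLLINK specification (ShellLinkHeader / LinkFlags).
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
SW_SHOWNORMAL = 1
# StringData sections appear in this fixed order when their flag is set.
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]
# Hosts commonly abused to run a script or payload from a shortcut.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def parse_lnk(data: bytes) -> dict:
    """Recover ShowCommand and the StringData fields from a .LNK file."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    # ShowCommand sits at offset 60 of the 76-byte header.
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, name in STRING_DATA:             # CountCharacters (u16) + chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                info[name] = data[pos:pos + count].decode("cp1252")
                pos += count
    return info


def triage_lnk(data: bytes) -> tuple:
    """Return (parsed fields, findings) for a shortcut posing as a document."""
    info = parse_lnk(data)
    findings = []
    target = info.get("relative_path", "")
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        findings.append(f"target is a script/LOLBin host: {exe}")
    if info.get("arguments"):
        findings.append(f"target receives arguments: {info['arguments']}")
    if info["show_command"] != SW_SHOWNORMAL:
        findings.append(f"window not shown normally (ShowCommand={info['show_command']})")
    icon = info.get("icon_location", "").lower()
    if exe in SCRIPT_HOSTS and icon and not icon.endswith(exe):
        findings.append(f"icon borrowed from another file: {icon}")
    return info, findings


def build_lnk(relative_path, working_dir, arguments, icon_location,
              show_command=SW_SHOWNORMAL) -> bytes:
    """Build a minimal .LNK (header + StringData only) to exercise the parser."""
    flags = (HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
             | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments, icon_location))
    return header + strings


# Constructed sample (assumed values, not IOCs): a "resume" shortcut that
# launches the Windows Script Host minimised with a script as its argument.
SAMPLE_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\wscript.exe",
    working_dir="C:\\Users\\Public",
    arguments='/e:jscript "%TEMP%\\resume_viewer.js"',
    icon_location="%SystemRoot%\\System32\\shell32.dll",
    show_command=7,  # SW_SHOWMINNOACTIVE
)

if __name__ == "__main__":
    parsed, findings = triage_lnk(SAMPLE_LNK)
    print(parsed["relative_path"], parsed["arguments"])
    for finding in findings:
        print(" -", finding)
```

The parser skips LinkTargetIDList and LinkInfo by their declared sizes, so it also works on shortcuts saved by Explorer; what it does not do is resolve the IDList target, so a shortcut that carries only an IDList and no RELATIVE_PATH string yields an empty target and should be treated as unresolved rather than benign.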

I had the opportunity to sit down with former DTer Joe Slowik at #RSAC to talk about suspicious domains.

Here are some of the key takeaways from our conversation:

🔹 Joe shared how attackers are playing the long game—like in the SolarWinds attack, where a fake AWS domain sat dormant for nearly a decade.
🔹 From aged domains to hijacked home routers, adversaries are evolving. And groups like Volt Typhoon are targeting U.S. critical infrastructure with chilling precision.
🔹 It’s time to rethink defense—beyond tools, toward resilient architecture and even manual fallbacks.

Listen to the podcast here: https://podcasts.apple.com/us/podcast/breaking-badness/id1456143419?i=1000711183082

DomainTools is a proud exhibiting sponsor for SleuthCon!

Visit our booth today to learn more about how to detect relevant indicators earlier in their lifecycle to identify and disrupt incipient attacks.

We're giving out t-shirts and we're raffling off a Mac mini!

See you today and have a great time at SleuthCon if you're attending!

https://www.sleuthcon.com/

In this week's episode of the Breaking Badness Cybersecurity Podcast we delve into the critical role of domains in modern cyber attacks. From sophisticated nation-state operations to AI-powered phishing kits and malicious browser extensions, domains are the foundational infrastructure for threat actors.

Host @NotTheLinux is joined by four leading cybersecurity experts: Joe Slowik, Robert Duncan, John Fokker and Vivek Ramachandran. They break down how domains are weaponized and what organizations can do to defend themselves on this ever-evolving frontline.

Listen wherever you get your podcasts:

Apple: https://podcasts.apple.com/us/podcast/beyond-the-perimeter-how-attackers-use-domains/id1456143419?i=1000711183082

Spotify: https://open.spotify.com/episode/0trcyZliGZuEj591IVnZCu

YouTube: https://www.youtube.com/watch?v=CpcJXpWwfQo

Web: https://www.domaintools.com/resources/podcasts/how-attackers-use-domains-phishing-ai-and-how-to-fight-back/?utm_source=Mastodon&utm_medium=Social&utm_campaign=RSAC-Domains

DomainTools is an Exhibiting Sponsor at SLEUTHCON!

Check out our booth later this week at the show. Come for the shirt, stay to learn how domain intelligence can prevent, mitigate, and investigate attacks.

See the full show schedule here: https://www.sleuthcon.com/2025agenda

📅 Upcoming Panel Discussion

Date: Wednesday, June 11
Time: 10AM PT | 1PM ET
Attend to Receive CPE Credits

The cybersecurity landscape is constantly shifting—but some things remain steady. Domains and DNS are among those constants.

In 2024 alone, over 106 million new domains were observed—about 289,000 per day. What patterns lie in this surge, and how can defenders use them to their advantage?

Join experts including Daniel Schwalbe, Renee Burton (Infoblox), Raymond Dijkxhoorn (Surbl), and Peter Lowe as they explore the trends, techniques, and tools that defined domain intelligence over the past year.

Save your spot here: https://www.domaintools.com/webinar-decoding-domain-intelligence/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Q2-Industry-Webinar

What do cats have to do with Lumma C2 infostealing-malware?

Julia Ibinson notes in a recent Security Snack that some of the registration patterns reference prominent Russian figures like athletes, mobsters, actors, etc.

And others featured the same landing page titled "About Cats" which was, as the name suggests, about cats.

On how many domains does this page appear?
What's the average risk score?
Where else do these domains feature in IOC databases?

Read the Security Snack for full details: https://www.domaintools.com/resources/blog/tracking-lummac2-infrastructure-with-cats/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Lumma-C2

In 2024, our team found that the web-based version of HeartSender was leaking a significant amount of sensitive data to anyone who accessed it; no login required.

This included customer login details and internal emails from HeartSender staff. Malware infections on the attackers’ own devices revealed extensive account data, along with insights into the group’s structure, operations, and role within the broader cybercrime ecosystem.

Yesterday, Brian Krebs reported that 21 individuals accused of operating Heartsender have been arrested in Pakistan. This milestone was the result of incredible teamwork across borders and organizations, and we're proud to have been part of that global effort.

When we come together, we can give bad actors more bad days.

Find our original analysis and update here: https://www.domaintools.com/resources/blog/the-resurgence-of-the-manipulaters-team-breaking-heartsenders/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Manipulaters

Breaking HeartSenders: The Return of “Manipulaters”

Previously thought to be defunct, the cybercrime group known as the Manipulaters are back to their old tricks (with some new ones too).


Pakistani authorities have arrested 21 individuals tied to HeartSender, a long-running phishing and malware-as-a-service operation. The group is linked to global BEC scams and phishing attacks targeting Microsoft 365, iCloud, and more—causing tens of millions in losses.

This takedown highlights the growing international cooperation in cybercrime investigations and the importance of strong digital defenses.

🔗 Read more via @briankrebs (KrebsOnSecurity): https://krebsonsecurity.com/2025/05/pakistan-arrests-21-in-heartsender-malware-service/

#CyberSecurity #ThreatIntel #BEC #Phishing #Malware #DigitalForensics

Pakistan Arrests 21 in ‘Heartsender’ Malware Service – Krebs on Security
