Kyle Ehmke
kyleehmke.bsky.social
@kyleehmke.bsky.social
Threat intel researcher focused on infrastructure hunting. Views are my own and not my employer's.
Suspicious domain ms-driversync[.]com was registered through Njalla on 10/14/25 and resolves to 192.166.82[.]94.
October 15, 2025 at 4:49 PM
Suspicious domain mfa[.]directory was registered through Njalla on 10/15/25 and resolves to 149.33.2[.]67.
October 15, 2025 at 4:47 PM
Reposted by Kyle Ehmke
Looking forward to finally presenting this research into Volt Typhoon in a public forum - and I can't think of a better one than @cyberwarcon.bsky.social
www.cyberwarcon.com/forecasting-...
Forecasting Typhoons: Volt Typhoon Next Steps in OT Disruption — CYBERWARCON
www.cyberwarcon.com
October 8, 2025 at 8:31 PM
Reposted by Kyle Ehmke
Have you ever wanted to see two terminally online nerds really (and I mean *really*) get into the SVR deep lore while continuing the eternal goal of making 2016 last forever?

Gosh does @cyberwarcon.bsky.social have a talk for you!
Oil Into The Fire — CYBERWARCON
www.cyberwarcon.com
October 8, 2025 at 6:09 PM
Reposted by Kyle Ehmke
We've got some good submissions flowing into the @CYBERWARCON CFP, but there's still time for more. If you have good content, and you're worried the honorarium won't cover your travel, please submit, and we'll work it out. We do this because we believe this research matters.
September 18, 2025 at 2:18 PM
Best conference in the industry is back! cyberwarcon.com
August 28, 2025 at 5:36 PM
Suspicious domains micrsosft-netupdate[.]net (109.107.172[.]123) and micrsosft-netupdate[.]net (146.103.115[.]183) were co-registered through Njalla on 8/14/25.
August 14, 2025 at 12:32 PM
Suspicious domain adobereader[.]cc was registered through MonoVM on 8/5/25 using freewanatoly@2mail[.]co. Currently resolves to M247 IP 84.252.95[.]40.
August 6, 2025 at 2:14 PM
Suspicious domain sophossec[.]com was registered through MonoVM on 7/15/25 using kehmar.maung@proton[.]me and resolves to 146.70.247[.]55.
July 16, 2025 at 4:50 PM
Reposted by Kyle Ehmke
Of all my professional accomplishments, I think I’m proudest of this.
June 24, 2025 at 2:49 PM
Suspicious domains awsonlineserch[.]com and azuronlineserch[.]com were co-registered through Njalla on 6/19/25. Currently resolving to 34.204.12[.]191 and 20.83.167[.]25, respectively.
June 20, 2025 at 5:58 PM
Suspicious domain windowsntp[.]com was registered through Njalla on 5/22/25 and then began using Cloudflare. Domain itself does not resolve, but subdomain www.windowsntp[.]com indicates MSFT Azure use.
May 23, 2025 at 1:16 PM
Suspicious domain m365sessionlogin[.]com was registered through Njalla on 5/18/25. Domain itself does not resolve, but subdomains login, logon, and office365 indicate hosting at 80.78.30[.]154.
May 19, 2025 at 1:34 PM
Highly likely Parscale / Nucleus-administered domain congressstrongaction[.]org was registered on 9/23/24 and recently began hosting content. The org's stated policy positions appear largely aimed at curtailing laws and protections related to natural resources.
May 16, 2025 at 12:55 PM
Set of suspicious domains co-registered through Njalla on 4/24/25:
esxiupdate[.]com
threatbook[.]cloud

Not currently resolving, but worth keeping an eye on.
April 24, 2025 at 4:15 PM
Set of suspicious domains registered on 4/2/25 (unclear through which reseller) and administered using the same Cloudflare account:

googlealert[.]net
microsoft365signin[.]net
microsoftalert[.]net
outlooksecurity[.]net
outlooksignin[.]net
April 3, 2025 at 2:13 PM
Suspicious domain analytics[.]airforce was registered through Njalla on 4/2/25 and resolves to BL Networks IP 64.52.80[.]61.
April 2, 2025 at 1:55 PM
The Children's Health Defense staging site associated with realcdc[.]org indicates they are setting it up to pose as a legitimate CDC site questioning vaccine safety, complete with parent testimonials. Currently no overt indication the site is run by CHD.
March 21, 2025 at 2:27 AM
Suspicious domain chromeupdate[.]net was registered through Njalla on 3/11/25. Not currently resolving, but worth keeping an eye on.
March 11, 2025 at 12:18 PM
Suspicious domain nvidia-installer[.]com was registered through Njalla on 3/10/25 and resolves to 51.44.166[.]225.
March 11, 2025 at 12:17 PM
Two suspicious domains co-registered through Njalla on 3/6/25: sfsimpact[.]org and dogechronicle[.]com.

The former purports to be an independent analysis claiming inefficiency in the NSF CyberCorps Scholarship for Service (SFS); the latter claims to report on DOGE activity. (1/4)
March 6, 2025 at 3:49 PM
Suspicious domain downloadfile-dropbox[.]com was registered through Njalla on 2/21/25 and is hosted at 86.54.42[.]36.
February 21, 2025 at 3:25 PM
Suspicious domain onelivedrv[.]com was registered through Njalla on 2/20/25 and is hosted at 193.42.39[.]159.
February 20, 2025 at 2:07 PM
Suspicious domain vmware-analytics[.]com was registered through Njalla on 2/17/24. Not currently resolving, but subdomain app.vmware-analytics[.]com shows resolution to 178.131.20[.]47.
February 18, 2025 at 1:06 PM
Domain dogestatus[.]org was registered on 2/14/25 and is likely administered using IMGE's Cloudflare account—the same one used for the fake Harris campaign site progress2028[.]com. www.opensecrets.org/news/2024/10...

Not currently resolving.
February 14, 2025 at 8:00 PM