DomainTools
@domaintools.bsky.social
A global leader for internet #intel that enables security practitioners to proactively defend their organization in a constantly evolving threat landscape.
From NPM bypasses to crypto scam networks—October brought a wave of complexity, and we’ve got the full analysis.

Read and subscribe to October’s edition of the DomainTools Investigations Newsletter here: https://www.linkedin.com/newsletters/dt-investigations-news-7289801727560630273/
October 28, 2025 at 8:02 PM
Thanks to all that attended Ian Campbell and @mjwalk.bsky.social #BSidesNoVA talks this morning. Please don’t hesitate to stop by our table and say hello 👋 !
October 11, 2025 at 4:38 PM
At 11:30 AM Ian is presenting on DNS and domain intelligence as it applies to investigative journalist investigations. In related news, Allan Liska is selling “The Press Guardian”. We highly recommend checking out his table as well!

bsidesnova-2025.sessionize.com/session/1001...
October 11, 2025 at 1:57 PM
Attending #BSidesNoVA? Be sure to say hello to Malachi and Ian at the DomainTools table before their talks at 11:30!
October 11, 2025 at 1:02 PM
Steve Behm at #splunkconf25 shared a 2-year investigation into attacks on USPS & Amazon. His talk highlighted how to use Splunk and DomainTools to detect DGA domains and automate domain discovery.

#Cybersecurity #ThreatIntelligence #Splunk #Phishing
September 10, 2025 at 7:53 PM
New research raises questions about PoisonSeed using TTPs similar to SCATTERED SPIDER. The DTI team identified 21 new malicious domains spoofing SendGrid and using fake Cloudflare CAPTCHAs to harvest credentials:

https://bit.ly/46w63on

#ThreatIntel #PoisonSeed #SCATTEREDSPIDER

September 10, 2025 at 1:22 PM
With our new Feed API, security teams can get near-real-time domain intelligence to prevent & respond to threats faster. Learn how to integrate the Newly Observed Domains feed into Splunk for use cases like proactive threat blocking & brand protection: https://bit.ly/4lZwFCE
September 8, 2025 at 4:06 PM
The "Kim" leak exposes a DPRK APT expanding operations into Taiwan & targeting identity systems. Our analysis provides IOCs & defensive guidance for analysts & SOC teams: https://dti.domaintools.com/inside-the-kimsuky-leak-how-the-kim-dump-exposed-north-koreas-credential-theft-playbook/
September 5, 2025 at 4:53 PM
Thank you, Dr. Renée Burton, for your incredible work making the digital world safer! As VP of infoblox.bsky.social Threat Intel, she & her team exposed VexTrio, a massive global ad fraud and scam operation

Learn more: https://thecyberwire.com/podcasts/research-saturday/390/notes
August 25, 2025 at 4:08 PM
A new #SpyNote report is out! 🚨 Dive into the tactics of this Android RAT campaign, from dynamic payload decryption to new obfuscation methods. Learn how threat actors are using deceptive Google Play Store clones to target users
https://dti.domaintools.com/spynote-malware-part-2/
August 25, 2025 at 3:39 PM
A new #SpyNote report is out! 🚨 Dive into the tactics of this Android RAT campaign, from dynamic payload decryption to new obfuscation methods. Learn how threat actors are using deceptive Google Play Store clones to target users
https://dti.domaintools.com/spynote-malware-part-2/
August 22, 2025 at 9:05 PM
Recent DTI research tracked a trojan using hosted PowerShell scripts, uncovering bulletproof hosting services and how #LummaStealer remains a threat.

Read the full report: https://dti.domaintools.com/hunting-for-malware-networks/

#Cybersecurity #ThreatIntel #Malware #BlueTeam
August 22, 2025 at 4:58 PM