
Infoblox Threat Intel
DNS All Day, Every Day
DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a high-powered scope to zero in on cyber threats.
What We Do
Infoblox is finding the threat actors hiding in your DNS
We are the leading creator of original DNS threat intelligence. We’re proactive, not just defensive, using our insights to track threat actor infrastructure and disrupt cybercrime where threat actors begin. We also believe in sharing knowledge to support the broader security community by publishing detailed research on select actors and associated indicators.
Threat actors discovered by Infoblox
VexTrio Viper
Published: June 6, 2022
The longest-running traffic distribution system (TDS) known in the industry, with the largest number of criminal affiliates; it brokers traffic for others while delivering malicious campaigns of its own.
Why is this special? First identification of a large-scale TDS discovered through DNS and the use of a dictionary domain generation algorithm (DDGA).
Decoy Dog
Published: July 25, 2023
A nation-state DNS C2 malware toolkit, confirmed to be an advanced variant of Pupy RAT. Russian security vendors later claimed Decoy Dog was used to disrupt Russian critical infrastructure.
Why is this special? First discovery and characterization of a C2 malware solely from DNS.
Loopy Lizard
Published: October 16, 2023
A phishing actor that steals credentials from consumers in Europe, the United States, and Australia using lookalike domains to financial institutions and government tax agencies. Formerly known as Open Tangle.
Why is this special? This is the first reporting of a dedicated lookalike domain actor.
Prolific Puma
Published: October 31, 2023
A malicious link shortening service used by criminals to target consumers worldwide. This actor successfully evaded the registrant privacy controls of the .US TLD before being exposed by Infoblox.
Why is this special? First description of a malicious link shortener in the industry.
Savvy Seahorse
Published: February 28, 2024
A persistent investment fraud actor who leverages DNS CNAME records as a traffic distribution system (TDS) to control access to their malicious content spread through Facebook ads.
Why is this special? First description of the use of DNS CNAME records by threat actors to control and direct content for users.
Revolver Rabbit
Published: July 17, 2024
A DNS actor using a registered domain generation algorithm (RDGA) to create hundreds of thousands of domains for use in advertising campaigns.
Why is this special? Revolver Rabbit’s RDGA is prolific and varied, and it exemplifies the difficulty of discovering, and determining the nature of, domain networks designed to obscure actor operations.
Vigorish Viper
Published: July 22, 2024
A Chinese organized crime syndicate that designed and operates a technology suite forming a full cybercrime supply chain: software, Domain Name System (DNS) configurations, website hosting, payment mechanisms, mobile apps, and more.
Why is this special? This research connects numerous stories by journalists and human rights activists to a single organized crime network.
Horrid Hawk
Published: November 14, 2024
A financially motivated threat actor that has been hijacking thousands of domains since at least February 2023 for investment fraud schemes. The hijacked domains are embedded in short-lived Facebook ads targeting users in more than 30 languages across multiple continents.
Why is this special? The domains are taken over using the ‘Sitting Ducks’ attack vector (a domain whose delegation points to a DNS provider where the zone is unclaimed, so an attacker can create the zone at that provider and serve records for the domain) and are used in every step of the actor’s campaigns.
How Infoblox creates original DNS threat intelligence
DNS Experts
We discover threat actors hiding in DNS because we know where to look. Starting with suspicious domains, we connect the dots to identify actor infrastructure, then track it as it evolves, identifying new domains as they emerge so customers stay protected.
Threat Expertise
We know how malicious actors operate and how malware, phishing, and other threats manifest in DNS. We’ve used this knowledge to develop specialized systems to detect lookalike domains, DNS C2 malware, registered domain generation algorithms (RDGAs) and suspicious behavior.
Data Science
We use machine learning and data science to analyze very large volumes of DNS queries every day to provide near-real-time protection against data exfiltration, domain generation algorithms (DGAs), and a wide range of other threats.

Our threat intelligence powers our security products
Disrupt cybercrime pre-incident with intel designed for DNS
BloxOne Threat Defense uses Infoblox Threat Intel to identify and stop threats before the rest of the industry.
Infoblox Security Products
BloxOne® Threat Defense | Cybersecurity Ecosystem | Advanced DNS Protection
About our Team
Eat. Sleep. DNS. Repeat.
What sets us apart? Two things: mad DNS skills and unparalleled visibility.
Featured articles
Krebs on Security | October 31, 2023
.US Harbors Prolific Malicious Link Shortening Service
Infoblox tracks a three-year-old link shortening service that caters to phishers and malware purveyors
TechRepublic | February 9, 2024
IT Pros Missing Mega-Threat From Organised Cyber Criminals
VexTrio threat actor delivers high volumes of malware to networks globally
Bleeping Computer | February 28, 2024
Savvy Seahorse Gang Uses DNS CNAME Records to Power Investor Scams
Savvy seahorse directs Facebook users to fake investment platforms to steal personal data
Threat intelligence resources
Our team of DNS threat intelligence experts believe in sharing knowledge to support the broader security community. Please explore our resources and articles below.
Research Report
Stelios Chatzistogias, Laura da Rocha and Renée Burton
January 8, 2025
Muddling Malspam: The Use of Spoofed Domains in Malicious Spam
This paper is the result of a spam hunt. Despite established safeguards, Infoblox Threat Intel discovered widespread usage of malicious spam and domain spoofing emanating from Chinese IP space. Learn more about the discovered spam campaigns and the tactics used.
Press Release
Infoblox Threat Intel
July 22, 2024
Infoblox Exposes: Chinese Cybercrime Syndicate Linking European Football Sponsors, Human Trafficking and a Trillion-Dollar Illegal Gambling Economy
Santa Clara, Calif., July 22, 2024 — Infoblox Inc., a leader in cloud networking and security services, today announced a significant breakthrough in cybercrime…
Blog
Maël Le Touz, Jacques Portal, Renée Burton, and Elena Puga
July 22, 2024
Gambling is No Game: DNS Links Between Chinese Organized Crime and Sports Sponsorships
Learn how the detection of a single anomalous domain led to the discovery of a vast enterprise leveraging sports sponsorships for Chinese organized crime.
Press Release
Infoblox Threat Intel
July 17, 2024
Revolver Rabbit’s Million-Dollar Masquerade: Infoblox Uncovers The Hidden World of RDGAs
Santa Clara, Calif., July 17, 2024 — Infoblox Threat Intel released a threat landscape study of the use of registered domain generation algorithms (RDGAs) by malicious actors today.
Research Report
Infoblox Threat Intel
July 17, 2024
REGISTERED DGAs: The Prolific New Menace No One Is Talking About
Registered domain generation algorithms (RDGAs) are a programmatic mechanism that allows DNS actors to create many domain names at once or over time to register for use in their infrastructure.
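Because RDGA names are built from dictionary words and templates, they are registered, resolve normally, and look nothing like the vowel-free gibberish that classic DGA heuristics catch; what gives them away is that hundreds of registrations share one template. The block below is an added example written for this page, not Infoblox's or any actor's code: the wordlist, template, seed and benign names are constructed, and the detector is a deliberately simple template-inference pass over a batch of registered names.

```python
"""Toy registered DGA (RDGA) and a template-inference detector.

Added example, not Infoblox's code. The wordlist, template, benign domains and
seed are constructed; real RDGAs use far larger dictionaries and many templates.
"""
import random
from collections import defaultdict

# Constructed dictionary; no word is a prefix of another, which keeps the
# greedy segmentation below unambiguous.
WORDS = ["alpha", "secure", "cloud", "vault", "global",
         "trade", "invest", "capital", "prime", "smart"]

# Constructed benign registrations to mix in.
BENIGN = ["example.com", "wikipedia.org", "github.com", "secure.com"]


def rdga(seed: int, count: int, template: str = "{w1}-{w2}{n}.com") -> list:
    """Generate `count` unique registrable names from a word/number template."""
    rng = random.Random(seed)
    seen = []
    while len(seen) < count:
        name = template.format(w1=rng.choice(WORDS), w2=rng.choice(WORDS),
                               n=rng.randint(10, 99))
        if name not in seen:
            seen.append(name)
    return seen


def looks_random(domain: str, min_len: int = 8, max_vowel_ratio: float = 0.2) -> bool:
    """Classic DGA heuristic (long, vowel-poor label); dictionary names pass it."""
    sld = domain.split(".")[0]
    letters = [c for c in sld if c.isalpha()]
    ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    return len(sld) >= min_len and ratio < max_vowel_ratio


def tokenize(label: str, words=WORDS) -> list:
    """Greedy longest-match segmentation into (kind, text) tokens:
    'W' dictionary word, '#' digit run, '-' hyphen, '?' unmatched character."""
    by_len = sorted(words, key=len, reverse=True)
    tokens, i = [], 0
    while i < len(label):
        if label[i].isdigit():
            j = i
            while j < len(label) and label[j].isdigit():
                j += 1
            tokens.append(("#", label[i:j]))
            i = j
        elif label[i] == "-":
            tokens.append(("-", "-"))
            i += 1
        else:
            word = next((w for w in by_len if label.startswith(w, i)), None)
            if word:
                tokens.append(("W", word))
                i += len(word)
            else:
                tokens.append(("?", label[i]))
                i += 1
    return tokens


def shape(domain: str) -> str:
    """Template signature of the second-level label, e.g. 'cloud-vault42.com' -> 'W-W#'."""
    return "".join(kind for kind, _ in tokenize(domain.split(".")[0].lower()))


def cluster_by_shape(domains, min_members: int = 5) -> dict:
    """Group registrations by template; large, word-bearing groups are RDGA candidates."""
    groups = defaultdict(list)
    for d in domains:
        groups[shape(d)].append(d)
    return {s: ds for s, ds in groups.items() if len(ds) >= min_members and "W" in s}


if __name__ == "__main__":
    generated = rdga(seed=7, count=20)
    missed = sum(not looks_random(d) for d in generated)
    print("missed by the random-DGA heuristic:", missed, "of", len(generated))
    for sig, members in cluster_by_shape(generated + BENIGN).items():
        print(sig, len(members), members[:3])
```

Every generated name passes the vowel-ratio check, so a resolver-side DGA detector sees nothing, while grouping a batch of registrations by inferred template puts all of them in one `W-W#` cluster and leaves the benign names alone. Real detection has to cope with actors that rotate templates and dictionaries, and with the fact that many legitimate brands also use word-word-number names, which is the "prolific, varied" difficulty the Revolver Rabbit entry above refers to.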
Blog
Infoblox Threat Intel
February 28, 2024
Beware the Shallow Waters: Savvy Seahorse Lures Victims to Fake Investment Platforms Through Facebook Ads
Learn how the threat actor Savvy Seahorse uses Facebook ads to lure users to fake investment platforms and leverages DNS to allow their attacks to persist for years.
Blog
Infoblox Threat Intel
February 20, 2024
Ivanti Connect Secure VPN Exploitation – Correctly Interpreting DNS IoCs
Domains in a list of IoCs such as the ones found in recent articles about attacks involving Ivanti 0-days are a valuable product of incident response, but they can’t simply be added to a blocklist.
Media Article
Tech Republic
February 9, 2024
Infoblox says IT Pros are Missing this Mega-Threat from Organised Global Cyber Criminals
Cyber security threat actor VexTrio is flying under the radar for most APAC region cyber security professionals because it is a web traffic distribution middle man rather than an endpoint source of malware.
Media Article
Krebs on Security
October 31, 2023
.US Harbors Prolific Malicious Link Shortening Service
The top-level domain for the United States — .US — is home to thousands of newly-registered domains tied to a malicious link shortening service that facilitates malware and phishing scams, new research suggests.