You searched for feed - DomainTools | Start Here. Know Now. https://www.domaintools.com/ (Fri, 07 Mar 2025 21:36:07 +0000)

DomainTools is a proud participant in the Microsoft Copilot for Security Partner Ecosystem
https://www.domaintools.com/company/press/press-releases/domaintools-is-a-proud-participant-in-the-microsoft-copilot-for-security-partner-ecosystem/ (Fri, 14 Feb 2025 17:00:24 +0000)

The post DomainTools is a proud participant in the Microsoft Copilot for Security Partner Ecosystem appeared first on DomainTools | Start Here. Know Now.
Seattle, WA — [02/14/2025] — DomainTools, the global leader in domain and DNS-based cyber threat intelligence, today announced its inclusion in the Microsoft Copilot for Security Partner Ecosystem. We are proud to have been selected based on our proven experience with Microsoft Security technologies, willingness to explore and provide feedback on cutting edge functionality, and close relationship with Microsoft. 

DomainTools is working with Microsoft product teams to help shape Copilot for Security product development in several ways, including validation and refinement of new and upcoming scenarios, providing feedback on product development and operations to be incorporated into future product releases, and validation and feedback of APIs to assist with Copilot for Security extensibility.

DomainTools enables fast, automated context on domain indicators observed in the Microsoft Copilot Security Environment, and teaming with Microsoft Copilot for Security provides the Threat Intelligence, Threat Hunting, and Incident Response support of DomainTools in a way that’s easily accessible to users.

Brandon Dixon, Group Product Manager, Microsoft Copilot for Security said: “We designed Copilot for Security to augment human security competence. When partners like DomainTools leverage Copilot for Security, joint customers will see streamlined security operations made possible by the seamless integration of our product and our partners’ security expertise.” 

Anthony Johnson, Principal Product Manager at DomainTools, emphasized this point, stating: “We at DomainTools are thankful to be part of this ecosystem. We strongly believe that participating in the development of Copilot for Security will further our mission of making the internet a safer place.” 

About Microsoft Copilot

Copilot for Security is the industry’s first generative AI solution that will help security and IT professionals catch what others miss, move faster, and strengthen team expertise. Copilot is informed by large-scale data and threat intelligence, including more than 78 trillion security signals processed by Microsoft each day, and coupled with large language models to deliver tailored insights and guide next steps. With Copilot, you can protect at the speed and scale of AI and transform your security operations.

About DomainTools

DomainTools is the global leader for Internet intelligence and the first place security practitioners go when they need to know. The world’s most advanced security teams use our solutions to identify external risks, investigate threats, and proactively protect their organizations in a constantly evolving threat landscape. For more information, visit https://www.domaintools.com.

Using DomainTools and Microsoft Security Copilot to Enhance Domain Intelligence
https://www.domaintools.com/resources/blog/using-domaintools-and-microsoft-security-copilot-to-enhance-domain-intelligence/ (Fri, 14 Feb 2025 16:59:54 +0000)

February 24, 2025 update: general availability for the Security Copilot and DomainTools integration is now live.

Cyber attacks, which almost always leverage DNS infrastructure such as domains and IP addresses, often involve hundreds of data points that make up the malicious infrastructure. This can require cybersecurity teams to spend significant amounts of time collecting and analyzing this data, resulting in slower reporting and decision-making.

How Copilot & DomainTools Enhance Threat Detection

To further our mission of helping our customers stay ahead of emerging threats, DomainTools is proud to announce its integration with Microsoft Security Copilot. This integration provides fast, AI-powered returns of domain intelligence to enhance security investigations and incident response workflows. 

Automated Domain Lookups with Copilot Prompts

Analysts can seamlessly retrieve DomainTools data by creating Security Copilot prompts, enabling them to make instantaneous decisions based on context and view domain information in a user-friendly format. 

This integration will directly support threat intelligence and incident response efforts. Immediate answers and quick decision-making are important in both areas, and Copilot’s ability to automate and summarize domain insights will both reduce analysts’ mean time to respond and increase their confidence when making decisions on domain indicators. 

Enriching Threat Data with Reputation Scores & Passive DNS Data Fields  

Copilot can return domain and IP address data featured in the Iris product suite, including passive DNS records, Whois/RDAP details, and the DomainTools Risk Score. DomainTools Risk Score predicts how likely a domain is to be malicious, often before it is operationalized. This can reduce the window of vulnerability between the time a malicious domain is registered and when it is leveraged by bad actors as part of an attack. The Risk Score of a domain provides critical context, and with Copilot you can receive this context immediately through the power of automated information gathering.

Copilot Integration with DomainTools

In practice, the integration of Copilot with DomainTools offers the following key benefits:

  • Domain query and normalization using Copilot-provided fields
  • Data enrichment and insights including reputation scores, ownership details, and DNS records
  • Concise, user-friendly summaries of domain intelligence directly within Copilot 

Let’s take a look at these capabilities in detail, beginning with how analysts can develop Copilot prompts to query DomainTools data.

Prompt Development

Below is an example of a basic domain lookup:

Retrieve domain intelligence for example[.]com. Provide reputation score, Whois details, and DNS records. 

From this simple query, you can expect an output similar to this:

Reputation Score: High risk (95/100)

Whois Details: Registered to [Owner Name], [Registrar]

DNS Records: [A, MX, NS records] 

Drilling down on Whois details will return output like this:

Screenshot: a WHOIS record showing registrar MarkMonitor Inc., registrant organization Google LLC, an abuse contact email, domain status, and registration and expiration dates.

Copilot can also retrieve more advanced threat intelligence powered by DomainTools data. For example, analysts could ask for threat indicators related to a domain, including passive DNS data, subdomains, and history of malicious activity. The expected output would return something like this:

Threat Reputation: Previously linked to phishing campaigns

Passive DNS Data: Resolves to [IP Address], seen in over 20 threat reports

Subdomains: badactor[.]com, badwebsite[.]com 

From there, analysts can create additional queries to adopt a proactive security posture. The image below demonstrates how Copilot can be used to support threat hunting based on returned indicators:

Screenshot: five structured hunting queries suggested by Security Copilot, each with checkboxes for building KQL queries around the domain, pivotable elements, hash, IPv4, and URL indicators present in the results.

For historical analysis, investigators can perform Whois lookups for domains of interest. If an analyst asked Copilot to retrieve historical Whois records for badactor[.]com in order to view ownership changes over time, they might receive the following output:

Current Whois: Registered to “PrivacyGuard LLC”

Previous Whois: Previously owned by “CyberCorp Inc.”

Change Date: Ownership changed on 2023-07-15

These prompts are not limited to domain names; analysts can also perform IP address lookups to find associated domains, reputation scores, and more. Though simple, these prompts return significant insights, as shown below:

Prompt: List domains associated with the IP address 192.168.1.1 and provide reputation insights.

Expected Output: 

Associated Domains: example[.]com, malicious-site[.]net

Reputation Score: example[.]com (Safe), malicious-site[.]net (High Risk) 
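The answers above arrive as defanged values wrapped in prose, and before they can be pivoted into the KQL hunting queries described earlier they have to be refanged, typed and deduplicated. The following Python is an added example, not code from the DomainTools post or the Copilot integration: the sample answer text is constructed in the shape of the expected outputs above, and the KQL column name passed to kql_in_clause is a hypothetical chosen by the caller. It also filters out private or reserved IPs, which no passive DNS or reputation source can say anything useful about.

```python
"""Normalize indicators from a Copilot-style domain intelligence answer.

Added example (not DomainTools or Microsoft code). Refangs defanged values,
types them as domain / ipv4 / url / hash, drops private or reserved IPs that
no public enrichment source can say anything useful about, and emits a KQL
filter fragment for hunting. The sample answer text is constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the expected outputs shown in the post.
SAMPLE_OUTPUT = """\
Associated Domains: example[.]com, malicious-site[.]net
Passive DNS Data: Resolves to 192.168.1.1, seen in over 20 threat reports
Subdomains: badactor[.]com, badwebsite[.]com
Related URL: hxxps://badactor[.]com/login
Sample Hash: d41d8cd98f00b204e9800998ecf8427e
"""

# Tokens keep the bracket/colon/slash characters that defanging and URLs use;
# commas and whitespace separate indicators from each other.
_TOKEN_RE = re.compile(r"[A-Za-z0-9\[\]\.:/\-_?=&%]+")
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# MD5 / SHA-1 / SHA-256 hex digests.
_HASH_RE = re.compile(r"^(?:[a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64})$")


def refang(token: str) -> str:
    """Undo common defanging ([.] (.) [:] hxxp) and lower-case the value."""
    value = token.strip().strip(",.;")
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.lower()


def classify(value: str) -> Optional[str]:
    """Return 'url', 'ipv4', 'hash' or 'domain'; None for ordinary words."""
    if value.startswith(("http://", "https://")):
        return "url"
    try:
        return "ipv4" if ipaddress.ip_address(value).version == 4 else None
    except ValueError:
        pass
    if _HASH_RE.match(value):
        return "hash"
    if _DOMAIN_RE.match(value):
        return "domain"
    return None


def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Refang, type and deduplicate every indicator in an answer.

    Private, loopback and other non-global IPs land in 'skipped': they are
    never resolvable from passive DNS and carry no reputation, so querying
    them only adds noise to the investigation.
    """
    buckets: Dict[str, List[str]] = {
        "domain": [], "ipv4": [], "url": [], "hash": [], "skipped": []
    }
    seen = set()
    for raw in _TOKEN_RE.findall(text):
        value = refang(raw)
        kind = classify(value)
        if kind is None or value in seen:
            continue
        seen.add(value)
        if kind == "ipv4" and not ipaddress.ip_address(value).is_global:
            buckets["skipped"].append(value)
        else:
            buckets[kind].append(value)
    return {kind: sorted(values) for kind, values in buckets.items()}


def kql_in_clause(column: str, values: List[str]) -> str:
    """Build a case-insensitive KQL 'in~' filter. The column name is the
    caller's (hypothetical here) because it depends on the table hunted."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"| where {column} in~ ({quoted})"


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_OUTPUT)
    for kind, values in found.items():
        print(f"{kind:8s} {values}")
    print(kql_in_clause("RemoteUrl", found["domain"]))
```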

Conclusion

We at DomainTools strongly believe that the integration of our data with Copilot will further our mission of making the Internet a safer place. To get started, visit the Microsoft Azure Marketplace for more details on plans, pricing, and how DomainTools can be used within various Microsoft products.

For more information on how DomainTools integrates with other security vendors, visit https://domaintools.com/integrations/.

Threat Hunting Demo Landing Page
https://www.domaintools.com/demo-threat-hunting/ (Tue, 11 Feb 2025 21:26:47 +0000)


Never Be Caught Off Guard, Request a Demo.



Improve your organization’s visibility into advanced cyber threats. Don’t wait for alerts – use attackers’ Internet infrastructure to your advantage



Learn how DomainTools can help you:



  • Enrich on-network indicators with the freshest data, at scale, in near-real-time.
  • Investigate and map adversary infrastructure and streamline investigations.
  • Enumerate threat actor infrastructure with near real-time, best-in-class passive DNS.



Trusted to deliver insight where it matters most

  • 700+ Enterprise Customers
  • 45% of Fortune 100
  • 3 of the largest Internet companies
  • 4 of the largest banks

Start Here. Know now.

Enterprise-grade domain intelligence to prevent, mitigate, and investigate attacks.


Know now.

Iris Detect

Near real-time Internet infrastructure detection, monitoring, and enforcement platform and API. 

Know more.

Iris Enrich

Robust API including RDAP and Whois, DNS, SSL certificate, and risk scoring elements to enrich indicators at scale.

Largest DNS Library.

Farsight DNSDB

  • Passive DNS insights to show you how threats emerge and evolve over time.

Do more with more. Do it with DomainTools.

Threat Intelligence

Detect relevant indicators earlier in their lifecycle to identify and disrupt incipient attacks to better prevent phishing, malware distribution, and command and control (C2) communications.

Phishing and Fraud Prevention

Know if and when malicious domains and infrastructure are spoofing your assets and block them to protect users before they cause damage.

Threat Hunting

Proactively discover indicators of compromise and malicious infrastructure that may be hiding inside your network to minimize damage and safeguard sensitive data.

Brand Protection

Monitor lookalike domain names against typosquatting and domain squatting to protect your brand reputation.

Forensics and Incident Response

Discover “who is” behind attacks and threats. Respond to and triage potential incidents with confidence and speed.

Application Enrichment

Data that makes your homegrown or third party applications more effective and intelligent, providing quicker and more actionable insight.

DomainTools gives us the earliest and most updated feed of newly created and updated domain and DNS infrastructure—so the second someone creates a domain, within five minutes, we know about it.

Austin Northcutt


Get a Demo



Let us show you how to enhance your existing threat intelligence program, solution, or product today





General Demo Landing Page
https://www.domaintools.com/demo-landing-page/ (Tue, 11 Feb 2025 21:22:04 +0000)


Take the Next Step, Request a Demo.



Enhance your existing threat intelligence program, solution, or product today.



Learn how DomainTools can help you:



  • Detect unknown risks and secure your network from zero-day attacks.
  • Identify and neutralize threats at the source, and harden your defenses.
  • Monitor emerging threat infrastructure and mitigate risk proactively.




Start Here. Know now.

Enterprise-grade domain intelligence to prevent, mitigate, and investigate attacks.


Know now.

Iris Detect

Near real-time Internet infrastructure detection, monitoring, and enforcement platform and API. 

Know more.

Iris Enrich

Robust API including RDAP, Whois, DNS, SSL certificate, and risk scoring elements to enrich indicators at scale.

Know Farther.

Iris Investigate

Investigative platform and API with domain intelligence, risk scoring, and industry-leading passive DNS data.



DT Investigations - Security Research for the Community
https://www.domaintools.com/resources/blog/dt-investigations-security-research-for-the-community/ (Sat, 01 Feb 2025 17:25:45 +0000)

Hello DTI Friends!

I should start by introducing myself, as that’s how all the best relationships start (or so I’m told). 

If we haven’t yet had the opportunity to meet, I’m Daniel Schwalbe, CISO and Head of Investigations at DomainTools. I’ve spent the greater part of two decades tracking cybercriminals and nation-state actors in higher education, government, and large enterprises. I’m very passionate about sharing actionable insights with the community, which is what brings me to your feed today. 

We launched DomainTools Investigations (DTI) on January 9 to turn our philosophy of supporting the community into reality. It’s a program with a coterie of researchers and analysts focused on providing their expertise in investigating, mitigating, and preventing Domain- and DNS-based attacks. The goal is to do so on an ongoing basis, and we’ve already covered a bunch of ground since that announcement!

Let’s catch up on what we’ve shared so far: 

HOT OFF THE PRESSES

You heard it here first! We JUST published a report examining the illicit market for aged and verified accounts across social media, email, and advertising platforms, which represent a persistent and evolving threat.

Screenshot: marketplace listings for “USA Aged Google Ads Account for Sale” priced at $420, both promising verified, aged accounts with linked billing.

Why this is important: The activity highlights the urgent need for enhanced security measures, proactive threat intelligence, and increased awareness to combat the acquisition and exploitation of these compromised accounts.

Get the full scoop and IOCs here.

Where There’s One RAT, There’s A Nest

We recently shared details on Chinese malware delivery sites – hundreds of newly registered domains are actively targeting Chinese-speaking users with malware. Our report analyzes this activity, detailing the range of deceptive lures employed, including imitations of messengers, browsers, VPNs, email services, and Adobe software.

Screenshot: a download site for “GPT Chrome” with a colorful logo, Chinese text promising a unique browsing experience, and a “立即下载” (download now) button above an image of a computer desktop.

Why this is important: We’ve identified the involved malware families to include Gh0stRAT, ValleyRAT, Remcos RAT, LummaStealer, RedLine and others. As I’m sure you’re aware, understanding the patterns of these malware families can help practitioners develop more effective defenses.

Find the full write-up and list of IOCs here.

Cyber Criminals Playing the Long Game

Just prior to the announcement of DTI, we shared an overview on the Cyberhaven breach. In late December 2024, the technology company reported an unnamed actor replaced its Google Chrome extension on the Google Chrome Web Store with a malicious version. 

The actor used a phishing email to compromise a developer’s account via authorizing a malicious third-party application. Our team reviewed publicly available information related to this incident and discovered that the Cyberhaven incident is part of a months-long campaign likely attempting to impact multiple companies primarily in the technology sector.

Why this is important: DTI looked at the IOCs shared by Cyberhaven and discovered a larger network of infrastructure likely used in similar attacks against other targets in the tech sector. This is critical to share with others in our field so they may have the opportunity to prevent end users’ sensitive data from being compromised.

Find the full write-up and list of IOCs here.

[Secret Squirrel]

Our team periodically hosts Closed Door Sessions where we partner with other industry analysts and practitioners to share TLP:RED research. The next session will be in Seattle, WA on Wednesday, February 26.

You can request an invite here.

And not that you need any incentive other than super cool cutting edge research, but we’ve had pretty awesome t-shirts to give away at these sessions – You cannot get them anywhere else, must be present to wear. Seriously. They are fantastic conversation starters if you like having that attention. 

Photos: two black t-shirts, one with a cartoon character and the text “DNS THE MENACE”, the other with a talking paperclip whose dialogue box reads “Looks like...like to add some to it?” with “Yes” and “No” options.

Where We’ve Been/Where We’ll Be

My team has done (and will do) some traveling to various conferences. If you were lucky enough to get a ticket to the very last ShmooCon – I’m super jealous of you! If you couldn’t make it, be sure to catch Kali Fencl’s presentation – I’m Not Your Enemy: How Practitioners Can Empower Content, all about how practitioners training marketers can create content that’s beneficial to our audience and not at all “fluffy.”

And Malachi Walker will be presenting at the BIC Winter Conference on Friday, February 7 in Reston, VA. If you’re in the Beltway, I hope you can check out his session on how DNS Threat Intelligence could help you get your next promotion.

Final Thoughts

We’re very excited to share this research with you. I know some of you are probably still thinking “what’s the catch?” Many of us work for organizations with the main purpose of making money, so we get easily jaded when we read announcements that seem too good to be true. I’m making it my personal challenge to pleasantly surprise you, and I am expecting you to call me on it if we ever miss the mark. Check out my philosophy for DTI here. Maybe listen to Ben Folds’ Philosophy in the background while you read it.

If you found these excerpts and/or the full write-ups helpful, please forward them on to other folks you think would find them useful too – we’d greatly appreciate it!

This newsletter will be a monthly occurrence, so be sure to subscribe on LinkedIn to get early access to the newsletter content!

Thanks for reading – until next month!

Daniel 

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity

Landing Page Template
https://www.domaintools.com/landing-page-template/ (Fri, 31 Jan 2025 20:23:55 +0000)


The Resurgence of the “Manipulaters” Team - Breaking HeartSenders
https://www.domaintools.com/resources/blog/the-resurgence-of-the-manipulaters-team-breaking-heartsenders/ (Fri, 31 Jan 2025 13:00:00 +0000)

The Pakistan-based “Manipulaters” (their corruption of the word “manipulators”) represent a notorious and, in some respects, pioneering cybercrime empire. The Manipulaters have a decade-long history of selling phishing kits, spamming services, and malware. This history spans dozens of cybercrime marketplaces and the malicious domains associated with them are measured in the tens of thousands. The Manipulaters have enabled countless attacks against enterprises and customers; most security teams at Fortune 100 companies have encountered their deployed phishing kits or received spam from their mailers.

Nearly nine years ago, Brian Krebs released research on the Manipulaters Team, a fraud group that tricked people into giving up usernames and passwords via fake bank and e-commerce sites. Since then, the Manipulaters claimed to be turning over a new leaf–righting their wrongs and refraining from running large fraud schemes.

In 2021, Krebs reviewed the social media postings from the Manipulaters which showed they were prospering, while rather poorly hiding their activities behind a software development firm in Lahore that secretly enabled an entire generation of spammers and scammers.

In late 2023, our researchers stumbled upon a set of domains that linked back to their organization. That triggered the subsequent investigation into the historical domain and host records that unearthed that the Manipulaters have profited for more than a decade by selling vast quantities of phishing kits, commodity malware and spamming services, and more – eventually expanding into selling web domains, both for their own use as well as resale to other criminals. Coincidentally, in early 2024 and apropos of nothing, the Manipulaters reached out directly to Krebs asking for his removal of previous stories on their exploits.

Though lacking the technical sophistication many other large cybercrime vendors have, their most notable characteristic is being one of the earliest phishing-focused cybercrime marketplaces to horizontally integrate their business model while also spreading their operations across several separately branded shops. Unfortunately for them, another notable characteristic is a history of severe operational security inconsistencies.

Using a combination of domain-related data and open-source intelligence (OSINT) techniques, DomainTools Research identified dozens of Manipulaters cybercrime marketplaces that show a threat actor group that represents a growing concern. This concern is not limited to innocent consumers and enterprises; a series of operational security failures call into question the integrity of their criminal enterprise and may even suggest some of their customers are also targets. Ironically, the most significant risk to Manipulaters’ customers might be the Manipulaters themselves.

This piece explores both facets of this prolific, but perhaps enigmatically flawed, group.

The Role of Cybercrime Marketplaces

Cybercrime marketplaces serve a foundational role in the underground economy. These marketplaces exist primarily as a storefront for cybercrime service offerings but can also become de facto communities. Such communities can enable cybercrime in several ways, including driving innovation by associating cybercrime with financial reward, refining new techniques and methods that benefit members of the group, and lowering the technical barriers to entry to cybercrime by providing tools developed by others. Importantly, removing technical barriers to entry also increases the addressable market such cybercrime marketplaces cater to.

Marketing Apparatus

What the Manipulaters lack in technical sophistication, they make up for in scale and scope. Whereas other cybercrime groups seek to build an iconic brand, the Manipulaters prefer to deploy dozens of cybercrime shops using different names. This strategy is likely based on several motivating factors, including:

  • Spreading risk across many domains makes the takedown of a single domain less operationally disruptive and may help avoid law enforcement scrutiny by appearing small.
  • Operating several brands allows for reputation laundering if a customer accuses them of being a scam or offering low-quality products.
  • Saturating the underground economy with seemingly disparate products and services that make new entrants less likely to compete.

The Long Road to Now

The Manipulaters are rapidly expanding operations following a period of relative inactivity after journalist Brian Krebs identified several of their members. This expansion appears to focus more on spamming tools and sender services, likely because the overabundance of phishing kits, and the relative ease of cloning them, make kits less profitable than a services model.

Evidence suggests that new members have joined and at least one early member of the Manipulaters left the group. They appear to have a physical presence in Pakistan, including Lahore, Fatehpur, Karachi, and Faisalabad.

The Manipulaters have a long history of selling phishing kits, account checkers, proxy and RDP access, “bulletproof” hosting, and forged identity documents. Regarding software applications, they often rebrand or cobble together existing tools. Their priority now appears to be selling spam services.

Figure 1: Results for host 191.101.164[.]254 in DomainTools Iris Investigate.

The domain wecodesolutions[.]pk is closely associated with the Manipulaters. This domain proves useful in collecting additional domains associated with the host 191.101.164[.]254 (Figure 1). Two domains are of particular interest:

lak3code[.]com

Figure 2: A login panel named “Private Pages” found at lak3code[.]com/web/site/login. This panel became active in 2024.

The interface shown in Figure 2 resembles one featured in an advertisement for “Office 365 Private Page with Antibot” posted on heartsender[.]com, another Manipulaters storefront (Figure 3). The ad includes a list of features used in modern phishing campaigns combined with a management panel.

Figure 3: Manipulaters advertisement for “Office 365 Private Page with Antibot” phishing kit sold on the domain heartsender[.]com. “Antibot” refers to functionality that attempts to evade automated detection techniques, keeping a phish deployed and accessible as long as possible.

mrcodertools[.]com

Figure 4: Authentication page for a panel named “HeartSender” at mrcodertools[.]com/web/site/login.

The path /web/site/login appended to the domain mrcodertools[.]com reveals a management panel named “HeartSender” that resembles the one found at lak3code[.]com/web/site/login (Figure 4). Several menu items are notable: user requests, announcements, advertisements, and user feedback. Most of these pages require an authenticated user to access them. Some, however, do not.

The “Advertisements” screen contains a data table with more than 10,700 rows. Each entry includes a specific software product the Manipulaters sell (Figure 5). This panel may also represent part of the apparatus the Manipulaters use to manage customers and promote their services.

Figure 5: “Advertisements” page found at mrcodertools[.]com/web/ads/index/ and accessible as an unauthenticated user.

The “Create Advertisement” page is similarly accessible by an unauthenticated user. The dropdown menu for the field “Software Type” reveals the names of several products: HeartSender, FudSender, ClaySender, InboxXploiter, XploiterEmailVerifier, D29Sender, and AccountChecker (Figure 6). These product names proved helpful.

Figure 6: “Create Advertisement” page found at mrcodertools[.]com/web/ads/create/ and accessible as an unauthenticated user.

Building a query in DomainTools Iris Investigate for domains containing the product names listed in Figure 6 returns several results, including 117 domains, several hosts, and notable email addresses closely associated with the Manipulaters like saim.raza1338@gmail[.]com (Figure 7). These results offer helpful footholds and pivots to identify additional Manipulaters-controlled domains and infrastructure.

Figure 7: DomainTools Iris Investigate reveals the email address saim.raza1338@gmail[.]com and several notable Manipulaters domains. Note the Advanced Search criteria looking for domain names containing the names of the tools from Figure 6.

Introducing HeartSender

The heartsender[.]com storefront focuses on email and email-to-SMS spamming services (Figure 8). Customer response in cybercrime communities to HeartSender has been largely positive and represents a meaningful technical advancement for the Manipulaters, especially its improved email-to-SMS spamming capabilities (Figure 9). The latest person to join the Manipulaters could be the reason for the improved capabilities.

Figure 8: A shop found at heartsender[.]com, selling spam senders, phishing kits, SMTP access, RDP access, and bulletproof hosting services.
Figure 9: HeartSender promoting email-to-SMS functionality at store.heartsender[.]com.

A code snippet found on another Manipulaters domain may offer insight into how the Node.js version of HeartSender works (Figure 10).

Figure 10: JavaScript file found at mrcodertools[.]com/web/js/main.js. This file could be part of the JavaScript version of HeartSender.

The JavaScript function generateXML() dynamically constructs an XML string from form field values using string concatenation and interpolation. This XML corresponds to a predefined schema for sending emails using HeartSender. Perhaps the most notable portions of “main.js” are found in the <Settings> element. Its child elements exist to evade spam filters and detection generally, including <PauseEvery>, <Delay>, <BodyTransferEncoding>, <LetterEncoding>, <LetterEncryption>, and <LinkEncoding>.

The desktop version of HeartSender also deserves particular attention, but for different reasons.

Additional Pivots From the HeartSender Demo and a Pakistan IP Address

Figure 11: A screenshot of HeartSender 4 posted on store.heartsender[.]com displaying the IP address 175.107.237[.]55.

A screenshot of HeartSender 4.00.11’s interface displays the IP address 175.107.237[.]55 (Lahore, Pakistan) (Figure 11). This IP address is associated with several accounts, including the email addresses fudtoolshop@gmail[.]com, bodla057@gmail[.]com, mr6450465@gmail[.]com, and admin@coderteam[.]in. It is also associated with the usernames “saimraza786” and “mrbodla.” These naming conventions and aliases closely match those historically tied to the Manipulaters.

Domain registrations associated with the email address “fudtoolshop@gmail[.]com” return nearly 500 domains, many flagged as high risk in DomainTools Iris Investigate. The email address bodla057@gmail[.]com returns a domain registration for bodla[.]info with registrant “Hamza Bodla” in Fatehpur, Pakistan.

From HeartSender to dozens of Manipulaters-run shops

The host 185.11.145[.]254 has long been associated with Manipulaters activity and revealed dozens of deployed shops.

Figure 12: Domains associated with the host 185.11.145[.]254 and dozens of Manipulaters-run stores.

The Manipulaters often pair shop domains with domains containing tutorials and promotional videos for their products, providing a helpful point of reference for mapping the group’s domain footprint. Some of these domains include:

Shop                                            | Promotion domain
buyspamtool[.]com, buyspamtool[.]ru             | bstvideos[.]com
claysender[.]com                                | claysendervideos[.]com
d29sender[.]com                                 | d29sendervideos[.]com
freespamtool[.]com                              | freespamvideos[.]com
freshspamtool[.]com                             | freshspamtoolvideos[.]com
fudpage[.]com, fudpagetools[.]com               | fudpagevideos[.]com
fudspam[.]com, fudspam[.]su                     | fudspamvideos[.]com
fudtools[.]com                                  | fudtoolvideos[.]com
gxsender[.]com                                  | gxsendervideos[.]co
heartsender[.]com, heartsenderscampages[.]com   | heartsendervideos[.]com
officesender[.]com                              | officesendervideos[.]com
smtpshop[.]com                                  | smtpshopvideos[.]com
toolsplug[.]com                                 | toolsplugvideos[.]com
xleetshop[.]com                                 | xleetvideos[.]com

Trouble on the Horizon: Targeting USPS-Related Impersonation and Session Cookie Grabbing

The Manipulaters’ newfound interest in email-to-SMS spam could be in response to the massive increase in smishing activity impersonating the USPS. Proofs posted on HeartSender’s Telegram channel contain numerous references to postal service impersonation, including proving delivery of USPS-themed phishing lures and the sale of a USPS phishing kit (Figures 13-14).

Figure 13: A test phishing lure sent to a Heartsender customer by the Manipulaters.
Figure 14: A screenshot showing the sale and delivery of what likely is a USPS phishing kit to a Manipulaters customer.

The Manipulaters appear to favor spamming services paired with session cookie grabbers, including operating a cybercrime shop focused almost exclusively on cookie theft and even creating an account named grabber@fudteambilling[.]com (Figure 15). This dangerous combination can make account takeover activity much less detectable than traditional credential phishing.

Figure 15: Manipulaters-operated shop at spamfather[.]com.

A Case Study in Technical Debt and Sloppy Authentication

Figure 16: This panel has several pages accessible by unauthenticated users. These appear to expose customer credentials along with support requests to HeartSender developers. Domain redacted to prevent exposure of SMTP credentials and user tokens.

Ironically, the Manipulaters may create more short-term risk to their own customers than law enforcement. The data table “User Feedbacks” (sic) exposes what appear to be customer authentication tokens, user identifiers, and even a customer support request that exposes root-level SMTP credentials–all visible by an unauthenticated user on a Manipulaters-controlled domain. Given the risk of abuse, this domain will not be published.

There is so much more, however. Breach records associated with the unnamed domain and other domains used by the Manipulaters reveal a large online footprint paired with several severe operational security failures.

When It Rains, It Pours

Research suggests that several PCs associated with the Manipulaters have been compromised by stealer malware for a considerable amount of time, exposing vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy. Curiously, a large subset of identified Manipulaters customers appears to be compromised by the same stealer malware. All observed customer malware infections began after the initial compromise of Manipulaters PCs, which raises a number of questions regarding the origin of those infections.

These breach records can be divided into three clusters. Overlap exists between activity clusters likely because several people were working on the same projects.

Cluster “Adnan”

Associated usernames: adnan, grabber, harsh, mrcoder, xleet

Associated email addresses: admin@fudsender[.]club, admin@fudsender[.]com, admin@heartsender[.]com, f.udtoolshop@gmail[.]com, fudscam@fudsender[.]com, fudsender.utube@gmail[.]com, fudspam.toolss@gmail[.]com, fudspam@hotmail[.]com, fudtool786@gmail[.]com, mohsinaseller@gmail[.]com, mr.codertools@gmail[.]com, saim.pays@gmail[.]com, xleet@fudsender[.]com

Associated domains: busypaymant[.]com, fudsell[.]com, fudsender[.]com, fudsender[.]store, fudteambilling[.]com, fudtool[.]su, fudtoolshop[.]com, fudtoolvideos[.]com, mrcodertools[.]com, profud[.]tools, provip[.]tools, saimraza[.]com

Cluster “Imran”

Associated usernames: fudtoolr, imran231, saimraza786, turbopk

Associated email addresses: abdulrehman940@gmail[.]com, admin@buyspamtools[.]com, admin@fudsender[.]com, admin@fudteam[.]com, admin@remitciti[.]com, admin@turbopk[.]net, ikorai99@gmail[.]com, info@shahg[.]co, itmalik91@gmail[.]com, itwebs92@gmail[.]com, saim.raza1338@gmail[.]com, sh4hgh3x0r@gmail[.]com

Associated domains: billing.saimraza[.]info, fudtoolshop[.]com, fudtoolvideos[.]com

Cluster “Bodla”

Associated usernames: live:fudtoolshop, mr6450465, mrbodla, mrbodlah, saimraza007, saimraza123, saimraza786

Associated email addresses: admin@coderteam[.]in, admin@fudteam[.]com, bodla0143@gmail[.]com, bodla057@gmail[.]com, fudtool786@gmail[.]com, fudtoolshop@gmail[.]com, help.alizain@gmail[.]com, henrylukeusa@gmail[.]com, mr6450465@gmail[.]com, osamaevee2000@gmail[.]com, sahrn512@gmail[.]com

Associated domains: bodla[.]info, coderteam[.]in

Conclusion: Where Do We Go From Here?

The Manipulaters offer illustrative examples of how cybercrime vendors integrate into the broader underground economy. In the decade they have been active, the Manipulaters have appeared in and created many different marketplaces selling phishing kits, malware, spamming services and more. Most recently, DomainTools Research has found them moving into email-to-SMS services with HeartSender, as well as pairing spamming services with session cookie grabbers. We have also found some of their infrastructure seems to be accessible by unauthenticated users and that some of their (and their customers’) infrastructure has been compromised by malware.

Given the Manipulaters’ resurgence and improved capabilities, DomainTools Research urges businesses and consumers to remain vigilant against threat actor groups like the Manipulaters and those they enable with their products and services.

Download our Security Bulletin for additional background details on the Manipulaters and to explore the role of historical Whois and DNS data in mapping a domain-focused threat actor’s footprint.

For free 2024 lists of domains, email addresses, and usernames associated with the Manipulaters and a non-exhaustive collection of domains from 2015 to early 2018, visit our SecuritySnacks GitHub Repo.

39 Domains Seized from the Manipulaters [Update]

The Justice Department’s Criminal Division and FBI, in cooperation with law enforcement partners in the Netherlands, took down 39 domains and their associated servers used by the Manipulaters (a.k.a. Heartsender, Saim Raza) on January 30, 2025. The seizure of these domains is intended to disrupt the ongoing activity of groups such as this one and stop the proliferation of these phishing kits within the cybercriminal community.

Read the DOJ press release here.

If you would like to get in touch with us on how we unearthed this information, please contact us here.

Automated Discovery of Chenlun Domains - Splunk Enterprise Security https://www.domaintools.com/resources/blog/automated-discovery-of-chenlun-domains-splunk-enterprise-security/ Thu, 30 Jan 2025 16:20:00 +0000

TL;DR

This technical blog explores a next step in the Chenlun investigation: automating Splunk searches that gather domains using DomainTools data, and sharing the results using Splunk’s trigger actions. By integrating DomainTools with Splunk, you can streamline the identification of malicious domains, stay ahead of attackers, and optimize your security resources.

Using Passive DNS to Discover Newly Created Domains

Learn how I leveraged the DomainTools app for Splunk to automatically query Farsight DNSDB to discover newly created domains matching Chenlun’s domain generation algorithm (DGA).

Why Automating the Search Process is Important

When a critical search yields valuable results that are subject to change over time, automating the search process becomes essential. This automation not only ensures timely updates but also significantly reduces the manual effort required.

Once scheduled, I used Splunk’s trigger actions to send the results via email to myself and other team members for us to know when new Chenlun domains are observed in DNS.

Background

In November of 2024, I wrote an article discussing new developments in phishing attacks attributed to Chenlun/Sinkinto01. DomainTools data allowed us to identify a preference for using subdomains with short life-cycles on older apex-level domains. Both the subdomains and the apex-level domains used indicate the use of a DGA as a method of obfuscation.

A text message screenshot displaying a supposed Amazon security notice claims the account was accessed from Mumbai, India. It requests verification via a link. The sender is not in the recipient's contact list.

Using Passive DNS in Splunk to Uncover Subdomains

Using a regular expression to search for domains matching the identified patterns, I queried our passive DNS database through the flexible search in the DomainTools app for Splunk and uncovered subdomains last observed in DNS within 24 hours of the time of the search. The output below is from regex pattern 1:

^us.*\.[[:digit:]]{2}(us|up).*(us|ps)\.(us|co)\.$

Screenshot of the Splunk Enterprise interface displaying the "pDNS Flexible Search" page. Users can select a time range, query type, match type, and resource record type. Results appear in a table below with columns: name and rtype.

Splunk offers the ability to schedule a report based on a search. To see the Splunk Processing Language (SPL) equivalent of the query shown above, I simply opened it in Search.

Screenshot of the results table with an actions column for each row. A small toolbar at the bottom offers features like copying, bookmarking, and resizing.

Clicking on “Open in Search” automatically showed me the SPL needed.

Screenshot of a search query interface displaying the generated SPL query. The query includes conditions for matching text patterns and filtering results by specific timestamps. A green search button is on the right, ready to execute the command.

Saving this search as a report is key as it allows one to schedule it to run and gather fresh data from DNSDB’s passive DNS database at a regular interval.

Screenshot of a "Save As Report" dialog box highlighting fields like Title, Description, and Content. The Title reads "Chenlun Regex 1", the Description holds the regex pattern, and Content shows "Statistics Table". A Time Range Picker with "Yes" and "No" options is also displayed.

After saving the report, there is an option to schedule the report. I chose to have the search run every 8 hours as we have teams spread across different time zones across the globe.

Screenshot of the "Edit Schedule" window for the report, with options to schedule the report, set a cron expression, choose time range, priority, schedule window, and trigger actions. Buttons for "Cancel" and "Save" are at the bottom.

Splunk offers the ability to add a trigger action to any scheduled report. Adding a trigger action is where one can determine what they’d like to do with the output from the results of the search. The image below shows the option of sending the results to email recipients with the option to include a CSV attachment of the results.

Screenshot of an "Edit Schedule" interface for setting up email actions. It includes fields for target email, priority, subject, and message. Options for attachments and email type are also visible, with buttons for saving or adding actions.

Other trigger actions include:

  • Create a notable event for triaging in Enterprise Security
  • Create an alert within an app like Slack using a webhook
  • Run a specific Splunk SOAR playbook
  • Execute a custom script

Now, every 8 hours, those added to the recipient list get an email including a CSV with the results from my DNSDB flexible search. Here is what the results would look like:

A table displaying two columns labeled "rrname" and "rrtype". The "rrname" column contains entries like "us448330y.9byp7pgstus.co.", while the "rrtype" column is filled with repeated "A" entries. The table sits on a light gray background.
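As an added example (not code from the post or from the DomainTools app for Splunk), here is the filtering step the scheduled search performs, done offline in Python over a constructed pDNS result set: it translates pattern 1's POSIX `[[:digit:]]` class into Python re syntax, keeps only rrnames that match, deduplicates on the most recent `time_last`, extracts the apex domain, and emits the CSV shape the email trigger action attaches. The field names `rrname`, `rrtype` and `time_last` are assumed from DNSDB's output, the sample names are made up, and the apex-domain helper assumes a one-label public suffix.

```python
import csv
import io
import re

# Pattern 1 from the post, in the POSIX-style syntax DNSDB flexible search accepts.
CHENLUN_PATTERN_1 = r"^us.*\.[[:digit:]]{2}(us|up).*(us|ps)\.(us|co)\.$"

# Python's re module does not understand POSIX bracket classes such as [:digit:]
# (it would read "[[:digit:]]" as a character class of the literal characters
# "[:digt" followed by a literal "]"), so they are translated before compiling.
POSIX_CLASSES = {
    "[:digit:]": r"\d",
    "[:alpha:]": "a-zA-Z",
    "[:alnum:]": "a-zA-Z0-9",
}


def posix_to_python(pattern: str) -> str:
    """Rewrite the POSIX bracket classes used in DNSDB regexes into Python re syntax."""
    for name, replacement in POSIX_CLASSES.items():
        pattern = pattern.replace(name, replacement)
    return pattern


CHENLUN_RE = re.compile(posix_to_python(CHENLUN_PATTERN_1))

# Constructed sample of pDNS flexible-search rows (made-up names; only the two
# "us..." entries with two digits after the first dot follow pattern 1). The
# field names mirror DNSDB output and the CSV shape Splunk's email action attaches.
SAMPLE_PDNS_CSV = """\
rrname,rrtype,time_last
us12abc.47usxyzps.co.,A,2025-01-30T10:15:00Z
us7q.03uprzus.us.,A,2025-01-30T10:16:00Z
us12abc.47usxyzps.co.,A,2025-01-30T12:40:00Z
www.example.com.,A,2025-01-30T10:17:00Z
us.company-portal.co.,CNAME,2025-01-30T10:18:00Z
"""


def apex_domain(rrname: str) -> str:
    """Return the registrable (apex) domain of an rrname.

    Assumption for this example: the public suffix is a single label (.co, .us),
    so the apex is the last two labels. A production pipeline should consult the
    Public Suffix List instead of hard-coding this.
    """
    labels = rrname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_chenlun_candidates(pdns_csv: str) -> list:
    """Keep only rows whose rrname matches pattern 1, one row per rrname.

    When the same rrname appears more than once (pDNS reports it per observation),
    the row with the most recent time_last wins, so the feed does not repeat names.
    """
    latest = {}
    for row in csv.DictReader(io.StringIO(pdns_csv)):
        name = row["rrname"].strip().lower()
        if not CHENLUN_RE.search(name):
            continue
        previous = latest.get(name)
        if previous is None or row["time_last"] > previous["time_last"]:
            latest[name] = {
                "rrname": name,
                "rrtype": row["rrtype"],
                "apex": apex_domain(name),
                "time_last": row["time_last"],
            }
    return sorted(latest.values(), key=lambda r: r["rrname"])


def to_csv(rows: list) -> str:
    """Serialise the candidates in the column order an analyst expects in the attachment."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["rrname", "rrtype", "apex", "time_last"], lineterminator="\n"
    )
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(find_chenlun_candidates(SAMPLE_PDNS_CSV)))
```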

Conclusion

With the help of DomainTools DNSDB flexible search and Splunk’s scheduled reports, we now have a specific Chenlun domain intelligence feed allowing us to create alerts, inform investigations, and automate responses to certain threats.

Splunk’s capability of automating searches, coupled with our domain-related data, has also left me considering other use cases where this would be helpful, such as:

  • Discover domains using legitimate brands for phishing
  • Discover domains matching a threat actor’s domain creation profile
  • Discover domains being used in business email compromise campaigns
  • Discover domains spoofing legitimate brands for credential harvesting
  • Discover domains being used for malware distribution

The ability to create scheduled reports with this domain-related data allows one to stay ahead of emerging threats, automate security processes, and reduce the risk of bad outcomes.

DomainTools Invests in Domain & DNS Research with Launch of DomainTools Investigations https://www.domaintools.com/company/press/press-releases/domaintools-launches-domaintools-investigations/ Thu, 09 Jan 2025 14:00:06 +0000

Powered by a seasoned team of security analysts and researchers to focus on preventing, mitigating, and investigating attacks.

Seattle, WA – January 9, 2025 – DomainTools, the global leader in domain and DNS-based cyber threat intelligence, today announced the launch of DomainTools Investigations (DTI), a community-based research effort focused on preventing, mitigating, and investigating domain and DNS based attacks.

With the launch of DTI, the cybersecurity community will have access to the insights DomainTools analysts gather on advanced persistent threats (APTs), nation-states, cyber-espionage groups, business email compromise (BEC), and more. In addition to driving the analysis and data behind DomainTools’ industry-leading products, DTI security analysts and researchers will produce and publish innovative research on the DTI website and share findings in webinars, industry events, and conferences.

DomainTools has been collecting and analyzing domain and DNS data for more than two decades, uniquely positioning DTI to analyze threat actor behavior and surface newly emerging patterns in threat activity based on the largest historical active and passive DNS database – as it’s happening.

The team of analysts and researchers who make up DTI is led by top cyber industry expert Daniel Schwalbe, who spent the greater part of two decades tracking cybercriminals and nation-state actors in higher education, government, and large enterprises. As head of Investigations and CISO at DomainTools, Schwalbe is committed to sharing actionable insights with the community. The diverse DTI team is composed of well-respected industry researchers and analysts with deep knowledge, specializing in reverse-engineering, malware, and global threat actors.

“We have assembled a team of extremely talented experts in threat research as the foundation of DTI. Each member of the team is deeply invested in publishing research for the benefit of the cybersecurity community, which has been a personal mission of mine for more than 20 years. As threat actors constantly evolve in fascinating ways, we’re uncovering new and valuable information that can inform attack prevention strategies,” said Schwalbe.

DomainTools has captured more than 97% of the Internet, mapping and analyzing billions of domains and DNS infrastructure to provide security teams with advanced domain risk analytics and real-time passive DNS feeds for proactive defensive strategies. 

“The industry phrase – ‘It’s Always DNS’ – has never been truer than in 2024. The purpose of DTI in 2025 is to relentlessly analyze tactics, techniques and procedures (TTPs) we’re seeing and inform the community of the evolution of these practices,” said Brendan O’Connell, chief product officer. “The work being done within DTI is critical within the security industry and provides every organization with the tools they need to protect themselves today.”

The launch of DTI comes as threat actors increasingly leverage credential phishing like Charming Kitten, banking trojans like TrickBot, and various other tactics for financial gain. For the latest research from DTI visit https://dti.domaintools.com.

Interested in staying up to date on the latest threats, trends, and tactics? Follow us on X and Mastodon @domaintools.


About DomainTools

DomainTools is the global leader for Internet intelligence and the first place security practitioners go when they need to know. The world’s most advanced security teams use our solutions to identify external risks, investigate threats, and proactively protect their organizations in a constantly evolving threat landscape. For more information, visit https://www.domaintools.com.

Cybersecurity Tales: Espionage, Ransomware, and the Stories Behind the Threats
https://www.domaintools.com/resources/podcasts/cybersecurity-tales-espionage-ransomware-and-the-stories-behind-the-threats/
Wed, 08 Jan 2025 14:00:00 +0000

In this special episode of Breaking Badness, we’re turning the spotlight on the books that have shaped the world of cybersecurity and inspired professionals in the field.

Welcome to this special episode of the Breaking Badness Cybersecurity Podcast! We’re turning the spotlight on the books that have shaped the world of cybersecurity and inspired professionals in the field. As part of our ongoing book club series, this episode is a journey into storytelling, research, and the unique perspectives that make cybersecurity literature so compelling. From ransomware diaries to the geopolitics of cyber warfare, this discussion is packed with insights and actionable takeaways for anyone working in Infosec.

Show Notes: 

The Power of Storytelling in Cybersecurity

Storytelling plays a crucial role in translating complex cybersecurity concepts into accessible, engaging narratives. Whether it’s a book on ransomware investigations or an exploration of espionage, the human element keeps the audience hooked. 

“Good cybersecurity writing has to have storytelling. If you get too caught up in the technical details, you miss the forest for the trees.” – Alan Liska

The Risks and Rewards of Writing About Cybercrime

Jon DiMaggio, author of The Art of Cyber Warfare, shares his experiences writing about ransomware, espionage, and the personal risks involved. 

“When a threat actor uses your face as their avatar, it’s a surreal moment—but also a sign of respect in their culture.” – Jon DiMaggio 

DiMaggio describes the challenges of documenting his work with government agencies while ensuring balanced, unbiased storytelling. He even reveals how cybercriminals downloaded his book illegally and gave feedback! 

Dmitri Alperovitch, author of World on the Brink, shares his insights on the evolving cyber threats posed by China and their global implications.

“China’s rise to power has been enabled by American businesses, intellectual property transfers, and the attractiveness of their market. We all have a role in building resilience against this threat.” – Dmitri Alperovitch

Must-Read Books for Infosec Professionals 

The panel highlights books that every cybersecurity professional should read, blending technical insights with broader cultural and historical perspectives. 

1. The Art of Cyber Warfare by Jon DiMaggio 

This book blends personal experience with technical analysis to recount cyber espionage and ransomware incidents. 

2. Countdown to Zero Day by Kim Zetter 

Kim Zetter’s landmark book provides an in-depth look at the Stuxnet attack, widely considered the first true cyber weapon. 

  • “Kim Zetter’s storytelling is unparalleled. She captures the complexities of cybersecurity like no one else.” – Alan Liska 
  • A must-read for understanding the history and implications of nation-state cyber operations. 
  • Link: Countdown to Zero Day 

3. World on the Brink by Dmitri Alperovitch 

This book examines China’s role in cyber warfare, the geopolitical stakes surrounding Taiwan, and the risks of economic dependence on Chinese technology. 

  • “This isn’t just a challenge for governments. Businesses and individuals must work together to deter threats and ensure resilience.” – Dmitri Alperovitch 
  • A thought-provoking look at the intersection of cybersecurity, geopolitics, and strategy.
  • Link: World on the Brink

4. Hunting Cyber Criminals by Vinny Troia 

Vinny Troia offers an inside look at the lives of cybercriminals and the techniques used to track them. 

  • “I really enjoyed the storytelling in this book. It brings the technical and personal aspects of cybercrime investigations together.” – Jon DiMaggio 
  • A gripping account of the battle between law enforcement and threat actors.
  • Link: Hunting Cyber Criminals 

5. Bluenomicon: The Network Defender’s Compendium 

This free ebook is a practical guide for blue team defenders, offering tools and techniques for securing networks. 

  • “I love the illustrations—it’s medieval meets futuristic. The tone flows so well, which you wouldn’t expect from an industry book.” – Kali Fencl 
  • Relevance: A hands-on resource for cybersecurity practitioners. 
  • Link: Bluenomicon 

6. Normal Accidents by Charles Perrow 

Charles Perrow explores how complex systems fail, with lessons that apply directly to cybersecurity. 

  • “The book dives into tightly coupled systems and how unpredictable interactions lead to failures—concepts that are deeply relevant to IT and security.” – Ian Campbell
  • A fascinating perspective on understanding and managing risk in complex environments.
  • Link: Normal Accidents 

7. Active Measures by Thomas Rid 

A thorough examination of disinformation campaigns and their influence on global politics and cybersecurity. 

  • “Rid’s analysis of disinformation is crucial for understanding the interplay of misinformation, politics, and security.” – Alan Liska
  • With misinformation playing a role in modern cyber incidents, this book provides essential context. 
  • Link: Active Measures 

8. Thinking Fast and Slow by Daniel Kahneman 

This book examines cognitive biases and their impact on decision-making, offering valuable insights for analysts. 

  • “Every analyst should read this. It helps you step back, challenge your biases, and think more critically.” – Alan Liska 
  • A practical guide to improving critical thinking and analysis. 
  • Link: Thinking Fast and Slow 

9. Inside Cyber Warfare by Jeffrey Carr 

One of the foundational books on cyber warfare, providing historical and technical insights into digital conflict. 

  • “It’s dated but still a fantastic historical look at the early days of cyber warfare. It inspired me to dive deeper into the field.” – Jon DiMaggio 
  • Perfect for understanding how cyber warfare has evolved over time. 
  • Link: Inside Cyber Warfare

10. The Ransomware Hunting Team by Renee Dudley and Daniel Golden 

This book highlights the unsung heroes working behind the scenes to combat ransomware. 

  • “It’s a fascinating account of the collaboration and effort that goes into combating ransomware.” – Jon DiMaggio 
  • An inspiring look at the fight against one of cybersecurity’s most persistent threats.
  • Link: The Ransomware Hunting Team 

11. This Is How They Tell Me the World Ends by Nicole Perlroth 

Nicole Perlroth investigates the zero-day market and the global arms race in digital vulnerabilities.

  • “It’s a riveting exploration of how zero-days have become a commodity, shaping the future of cyber warfare and defense.” – Daniel Schwalbe 
  • A must-read for those curious about the dark underbelly of cyber weapons.
  • Link: This Is How They Tell Me the World Ends 

Giveaway Alert: Win a Cybersecurity Book! 

We’re giving away a free copy of The Art of Cyber Warfare by Jon DiMaggio! To enter, simply comment “Book it” on our LinkedIn post for this episode. The winner will be announced on Wednesday, January 15th, so don’t miss out!

That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!
