Unit 42 of Palo Alto Networks recently uncovered a phishing campaign targeting European companies to harvest victims’ account credentials and take over their Microsoft Azure cloud infrastructure. According to their report, the phishing attempts leveraging the HubSpot Free Form Builder service peaked in June 2024.
The researchers identified 18 domains and 17 IP addresses as indicators of compromise (IoCs) based on their in-depth analysis. The WhoisXML API research team expanded the IoC list in a bid to uncover other potentially connected artifacts. Note, however, that two of the domain IoCs, cloudfront[.]net (Amazon CloudFront) and hsforms[.]com (HubSpot's form-hosting domain), are owned by legitimate companies and are shared by countless benign sites, so pivoting on them would only surface noise; we therefore excluded them from our expansion analysis. As a result, we were left with 33 IoCs—16 domains and 17 IP addresses. Our hunt for connected artifacts led to the discovery of:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
First off, we sought to find more information about the 33 IoCs starting with a Bulk WHOIS Lookup query for the 16 domains tagged as IoCs. We discovered that only 14 of them had current WHOIS records.
They were created between 2011 and 2024. Specifically, 12 were created in 2024, while one domain each was created in 2011 and 2018.
They were registered in three countries—12 in the U.S. and one each in Pakistan and Spain. Registrant country data was unavailable for the remaining two domains, the ones without current WHOIS records.
A query on DNS Chronicle API revealed that all 16 domains tagged as IoCs had historical IP resolutions. The domain cyptech[.]com[.]au had the oldest first IP resolution date—6 October 2019. It also had 41 IP resolutions over time. Altogether, the 16 domain IoCs had 1,432 IP resolutions so far. Take a look at the details for five other domains below.
Next, we queried the 17 IP addresses tagged as IoCs on Bulk IP Geolocation Lookup and found that:
They were administered by nine ISPs led by NTT Global IP Network, which accounted for five IP addresses. Two IoCs each were administered by Amazon, Cloudflare, Endurance International Group, and OVHcloud. Finally, one IP address each was administered by DigitalOcean, Hetzner Online, Limestone Networks, and UK Dedicated Servers.
Our DNS Chronicle API query for the 17 IP addresses tagged as IoCs showed that, between them, they had 6,456 historical domain resolutions so far. The IP addresses 144[.]217[.]158[.]133, 167[.]114[.]27[.]228, 208[.]91[.]198[.]96, and 74[.]119[.]239[.]234 recorded the oldest first domain resolution date—4 October 2019. Take a look at specific details for five other IP address IoCs below.
We began our search for connected artifacts with a WHOIS History API query for the 16 domains tagged as IoCs. After duplicates were filtered out, two of the domains had four email addresses in their historical WHOIS records, three of which were public email addresses.
Only two of the public email addresses appeared in the current WHOIS records of other domains, and one of those could belong to a domainer (a bulk registrant whose large domain footprint would add noise rather than campaign infrastructure), leaving one email address for our analysis. After duplicates and the IoCs were filtered out, that email address was shared by 16 domains.
A DNS Lookup API query for the 16 domains tagged as IoCs revealed that five of them actively resolved to four IP addresses not yet identified as IoCs.
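The expansion steps above (collect registrant emails from WHOIS history, keep the public ones, pivot through reverse WHOIS while discarding addresses that connect only to the IoCs themselves or that look like a domainer's, then check current DNS for IPs not yet on the IoC list) as an added example in Python. This is illustrative code written for this post, not WhoisXML API client code: the WHOIS-history, reverse-WHOIS and DNS tables are constructed with reserved .example names and TEST-NET addresses, and both the "public address = not a privacy-proxy or redacted address" rule and the 100-domain domainer threshold are assumptions rather than anything the post states.

```python
"""IoC expansion by registrant-email and DNS pivoting (added example).

Illustrative code, not WhoisXML API client code. All data below is constructed
to mirror the situation the post describes.
"""
from collections import defaultdict

# Assumption: a "public" registrant email is one that is not a registrar
# privacy-proxy address and not a redacted placeholder.
PRIVACY_PROXY_DOMAINS = {"proxy-registrar.example"}
# Assumption: an address tied to more than this many other current domains is
# treated as a likely domainer and not used as a pivot.
DOMAINER_THRESHOLD = 100

# Constructed IoC list, defanged as in the post.
IOC_DOMAINS = {"forms-review[.]example", "hs-secure-login[.]example", "doc-share[.]example"}
IOC_IPS = {"192.0.2.10", "192.0.2.11"}  # TEST-NET-1 addresses

# Constructed WHOIS history: domain -> [(record date, registrant email)].
WHOIS_HISTORY = {
    "forms-review[.]example": [
        ("2024-03-01", "privacy@proxy-registrar.example"),
        ("2024-05-10", "jdoe1984@gmail.com"),
        ("2024-06-02", "JDoe1984@gmail.com"),      # duplicate differing only in case
        ("2024-06-20", "jdoe.backup@yahoo.com"),
    ],
    "hs-secure-login[.]example": [("2024-04-14", "bulkregs@outlook.com")],
    "doc-share[.]example": [],                      # no historical records
}

# Constructed reverse-WHOIS index: current registrant email -> domains using it.
REVERSE_WHOIS = {
    "jdoe1984@gmail.com": {"forms-review[.]example", "forms-review2[.]example",
                           "hs-docs-verify[.]example"},
    "bulkregs@outlook.com": {"hs-secure-login[.]example"}
                            | {f"parked{i}[.]example" for i in range(1, 501)},
    "jdoe.backup@yahoo.com": {"forms-review[.]example"},
}

# Constructed current A records: domain -> IPs.
CURRENT_DNS = {
    "forms-review[.]example": ["192.0.2.10", "198.51.100.7"],
    "hs-secure-login[.]example": ["192.0.2.11"],
    "doc-share[.]example": [],                      # no longer resolves
}


def refang(indicator: str) -> str:
    """Turn the post's defanged notation back into a resolvable hostname."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Defang a hostname so it cannot be clicked or auto-resolved."""
    return indicator.replace(".", "[.]")


def is_public_email(email: str) -> bool:
    local, _, domain = email.lower().rpartition("@")
    if domain in PRIVACY_PROXY_DOMAINS:
        return False
    return not any(tag in local for tag in ("redacted", "privacy"))


def public_emails_from_history(history: dict) -> dict:
    """Map each public registrant email (lower-cased, deduplicated) to the IoC
    domains whose WHOIS history contains it."""
    emails = defaultdict(set)
    for domain, records in history.items():
        for _date, email in records:
            email = email.lower()
            if is_public_email(email):
                emails[email].add(domain)
    return dict(emails)


def pivot_on_emails(emails, reverse_whois, ioc_domains, threshold=DOMAINER_THRESHOLD):
    """Return {email: newly connected domains}, applying the post's two filters:
    drop emails that connect to nothing outside the IoC list, and drop emails
    whose footprint is large enough to look like a domainer's."""
    connected = {}
    for email in emails:
        others = reverse_whois.get(email, set()) - ioc_domains
        if not others or len(others) > threshold:
            continue
        connected[email] = others
    return connected


def new_ips_from_dns(ioc_domains, dns, ioc_ips):
    """IPs that IoC domains currently resolve to but that are not yet IoCs."""
    fresh = set()
    for domain in ioc_domains:
        fresh |= set(dns.get(domain, [])) - ioc_ips
    return fresh


def expand(ioc_domains=IOC_DOMAINS, history=WHOIS_HISTORY,
           reverse_whois=REVERSE_WHOIS, dns=CURRENT_DNS, ioc_ips=IOC_IPS):
    emails = public_emails_from_history(history)
    connected = pivot_on_emails(emails, reverse_whois, ioc_domains)
    return {
        "public_emails": sorted(emails),
        "pivot_emails": sorted(connected),
        "new_domains": sorted(set().union(*connected.values())),
        "new_ips": sorted(new_ips_from_dns(ioc_domains, dns, ioc_ips)),
    }


if __name__ == "__main__":
    for key, value in expand().items():
        print(f"{key}: {value}")
```

On the constructed data the outlook address is dropped because it sits on 500 parked domains, the yahoo address is dropped because it connects only to an IoC, and the gmail address yields two new domains; the DNS step adds one IP. In practice the threshold and the public-address rule are the knobs to tune against your own false-positive tolerance, and anything found this way is a lead to corroborate, not a confirmed IoC.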
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.