{
	"id": "c1dcc106-ecbe-46e0-9088-9b580759fe5d",
	"created_at": "2026-04-06T00:13:39.470944Z",
	"updated_at": "2026-04-10T03:20:36.868964Z",
	"deleted_at": null,
	"sha1_hash": "3735b7d451bdcfa7487d1361d03b370e76308b76",
	"title": "A DNS Investigation of the Phobos Ransomware 8Base Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 410566,
	"plain_text": "A DNS Investigation of the Phobos Ransomware 8Base Attack\r\nBy WhoisXML API (Sponsored Post)\r\nArchived: 2026-04-05 19:00:39 UTC\r\nIntel-Ops researchers recently discovered that the 8Base Ransomware Group has been using Phobos ransomware to infect their targets’ networks. 8Base has reportedly been active since mid-2023.\r\nThe Phobos operators have been selling the ransomware’s multiple variants (e.g., Eking, Eight, Elbie, Devos and Faust) via the ransomware-as-a-service (RaaS) model. In the past, various groups utilized the ransomware to infect several targets, including county governments, emergency service providers, educational institutions, public healthcare service providers, and other critical infrastructure entities, successfully collecting ransom amounting to millions of U.S. dollars.\r\nSixty-three indicators of compromise (IoCs) comprising 46 domains and 17 IP addresses were made public in relation to the 8Base Phobos ransomware attack featured in this post. The WhoisXML API research team expanded the IoC list in a bid to find other potentially connected artifacts and uncovered:\r\n368 email-connected domains\r\nThree additional IP addresses, one of which is already tagged as malicious\r\n13 IP-connected domains\r\n20 string-connected domains\r\nA sample of the additional artifacts obtained from our analysis is available for download from our website.\r\nBehind the 8Base Phobos Ransomware Attack IoCs\r\nAs per usual, we sought to find more information about the 63 IoCs. We began by subjecting the 46 domains identified as IoCs to a bulk WHOIS lookup, which revealed that:\r\nThe domain IoCs were spread across three registrars. A huge chunk of them, 44 to be exact, were registered with Namecheap, Inc. One domain IoC each was registered with PSI-USA, Inc. and REG.RU LLC.\r\nhttps://circleid.com/posts/20240530-a-dns-investigation-of-the-phobos-ransomware-8base-attack\r\nPage 1 of 5\r\nAll 46 domain IoCs were created in 2023, specifically between 9 June and 13 November, making them all fairly new when they were weaponized.\r\nA majority of the domain IoCs, 44 to be exact, were registered in Iceland. One domain IoC each was registered in Canada and Russia.\r\nNext, we performed a bulk IP geolocation lookup for the 17 IP addresses identified as IoCs and found that:\r\nAll 17 IP address IoCs were geolocated in Germany.\r\nOnly one of the IP address IoCs has a public ISP—Hetzner Online.\r\nExpanding on the 8Base Phobos Ransomware Attack Infrastructure\r\nTo find out if 8Base had other domains and IP addresses in its attack infrastructure, we expanded the list of IoCs starting with WHOIS History API queries for the 46 domain IoCs. That led to the discovery of four email addresses from their historical WHOIS records. Three of the four email addresses were public.\r\nReverse WHOIS API queries for the three public email addresses provided us with 368 connected domains after duplicates and the IoCs were filtered out. Close to 200 of the email-connected domains, 193 to be exact, sported the .pro ngTLD extension, akin to one domain IoC. The 175 remaining email-connected domains, meanwhile, were spread across seven TLD extensions, specifically .cn, .hk, .com.cn, .top, .com, .tw, and .us.\r\nA bulk WHOIS lookup for the 368 email-connected domains showed that 144 were, like the domain IoCs, created in 2023.\r\nNext, we ran DNS lookups for the 46 domains identified as IoCs and found that some of them resolved to three IP addresses that are not in the current IoC list.\r\nThreat intelligence lookups for the three additional IP addresses revealed that one—45[.]89[.]127[.]159—was seemingly associated with malware distribution.\r\nAnd like the 17 IP addresses identified as IoCs, a bulk IP geolocation lookup for the three additional IP addresses showed they all originated from Germany, even though only one—88[.]198[.]21[.]27—had public ISP data. It was administered by Hetzner Online.\r\nNext, we ran reverse IP/DNS lookups for 20 IP addresses in total (17 identified as IoCs and three additional from the DNS lookups) and found that 10 of them could be dedicated hosts. The 10 remaining IP addresses showed no results.\r\nAltogether, the 10 possibly dedicated IP addresses hosted 13 domains after duplicates, the IoCs, and the email-connected domains were filtered out. More than half of the IP-connected domains, seven to be exact, sported the .de ccTLD extension, consistent with the geolocation lookup results. The six remaining IP-connected domains, meanwhile, were spread across five TLD extensions, specifically .com, .me, .net, .org, and .team. Note that .net was also used by one domain IoC.\r\nA bulk WHOIS lookup for the 13 IP-connected domains showed that, like the domain IoCs, four were created in 2023.\r\nTo cover all the bases, we then looked for other domains starting with the same text strings seen among the domain IoCs using Domains \u0026 Subdomains Discovery. We uncovered 20 domains containing these seven strings after filtering out duplicates, the IoCs, and the email- and IP-connected domains:\r\nadvserv.\r\namx15.\r\namx395.\r\namx55.\r\nblogserv.\r\nmexstat.\r\nmxtmx.\r\nGiven that they differ from the domain IoCs only in their TLD extensions, they could be weaponized for similar attacks. It is also interesting to note that serv appeared in 12 of the string-connected domains in combination with adv or blog. 8Base could be using supposed advertising or blog servers or services as a social engineering ruse.\r\nThroughout our investigation, interesting similarities between the IoCs and potentially connected artifacts stood out, namely:\r\nExtensive use of the .pro TLD extension, like one of the domain IoCs\r\nAbout a third each of the email- and IP-connected domains were created in 2023, like the domain IoCs\r\nPotential ties to Germany, as it was named as the geolocation country, the sole ISP seen in DNS records is based in the country, and many connected domains used .de as their TLD extension\r\nOur further investigation of the latest 8Base Phobos ransomware attack led to the discovery of 404 potentially connected web properties. We specifically found 401 email-, IP-, and string-connected domains and three IP addresses.\r\nIf you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.\r\nDisclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.\r\nSource: https://circleid.com/posts/20240530-a-dns-investigation-of-the-phobos-ransomware-8base-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://circleid.com/posts/20240530-a-dns-investigation-of-the-phobos-ransomware-8base-attack"
	],
	"report_names": [
		"20240530-a-dns-investigation-of-the-phobos-ransomware-8base-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3735b7d451bdcfa7487d1361d03b370e76308b76.pdf",
		"text": "https://archive.orkl.eu/3735b7d451bdcfa7487d1361d03b370e76308b76.txt",
		"img": "https://archive.orkl.eu/3735b7d451bdcfa7487d1361d03b370e76308b76.jpg"
	}
}