{
	"id": "9126ee32-248d-44d1-8ae0-a0440783206c",
	"created_at": "2026-04-06T00:12:42.876871Z",
	"updated_at": "2026-04-10T13:12:11.511373Z",
	"deleted_at": null,
	"sha1_hash": "3db337368e8e9bb87c8670f520975b35a5037d24",
	"title": "Tracking Malware Infrastructure With Passive DNS and 302 Redirects",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1988668,
	"plain_text": "Tracking Malware Infrastructure With Passive DNS and 302 Redirects\r\nBy Matthew\r\nPublished: 2024-04-01 · Archived: 2026-04-05 20:28:34 UTC\r\nIn this blog, we will identify 36 Latrodectus phishing domains through passive DNS analysis of a domain reported on Twitter/X.\r\nThe initial reported domain leverages 302 redirects to send users to a malicious or benign file. The URL in the 302 redirect is re-used across numerous domains; we can leverage this information to identify additional infrastructure.\r\nIn summary, we will use the following indicators to identify the additional servers:\r\nThe same resolved IP address 193.106.174[.]218\r\nThe same usage of 302 redirects to the same URL on documentcloud[.]org\r\nPrevious usage of 302 redirects to harvardlawreview[.]org\r\nThe primary tooling we will be leveraging is Validin.\r\nValidin\r\nValidin offers cutting-edge DNS, certificate, and crawling data services to empower threat researchers and corporate security teams. Identify, track, and mitigate risks with our advanced threat intelligence solutions.\r\nhttps://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/\r\nPage 1 of 13\r\nInitial Intelligence\r\nThe initial intelligence in this blog is from a tweet posted by @Unit42_intel.\r\nThe tweet details a Latrodectus infection leveraging phishing links to redirect victims to a JavaScript file, which ultimately loads LummaStealer malware.\r\nWithin the original tweet, there is a screenshot of a phishing link contained in an email. This link contains the domain lufyfeo[.]org, which will form the basis and starting point of our analysis today.\r\nOur goal is to analyse this domain to identify patterns or indicators that can identify additional domains and IOCs.\r\nInitial Notes\r\nBased on information contained in the initial post, the lufyfeo[.]org domain is likely leveraging redirects to send a victim to alternate \"fake\" pages.\r\nThis information will form an important step in our next analysis, as we will leverage patterns in the 302 redirects to identify additional domains.\r\nInitial Analysis With Passive DNS\r\nOur initial analysis can begin by searching the lufyfeo[.]org domain using a passive DNS tool such as Validin.\r\nThis reveals a detailed history of the IP addresses that have been in use by the domain.\r\nIn the below screenshot, we can see that the most recent IP resolution was 193.106.174[.]218.\r\nThis IP address will form our first pivot point.\r\nAfter determining the most recent IP address, we can also review the most recent host responses for the lufyfeo[.]org domain.\r\nThis reveals the presence of multiple 302 redirects, which are likely redirecting the user to the next malicious page.\r\nBy viewing additional information about the 302 redirect, we can see that the redirect location is a PDF file hosted on documentcloud[.]org.\r\nResearching the documentcloud[.]org domain shows that it appears to be a legitimate site used for hosting PDF files.\r\nInvestigating this exact PDF link on urlscan\r\nAfter investigating this exact PDF link on urlscan, I found that it appears to be a relatively benign PDF file.\r\nI did not confirm 100%, but I believe that this is a non-malicious PDF returned if the user has not requested the exact URL provided in the initial email.\r\nLeveraging Redirects as Pivot Points\r\nAt this point, we have identified the most recent IP address used by lufyfeo[.]org, and we have identified that the domain is leveraging 302 redirects to send the user to the next location.\r\nRecall that the lufyfeo[.]org domain contains host responses with 302 redirects.\r\nBy pivoting on the most recent resolved IP address for lufyfeo[.]org, we can expand this search to other domains hosted on the same server.\r\nWe can check this by searching for the most recent resolved IP 193.106.174[.]218 and checking the Host Responses tab for 302 redirects.\r\nReviewing the redirect details for interiourbydennis[.]com, we can see that the 302 redirect points to the same location.\r\nA very similar response can be observed for deqytuu9[.]org and web3rse[.]org.\r\nOf particular interest is that the deqytuu9[.]org domain redirects to a PDF file hosted on harvardlawreview[.]org.\r\nTo my knowledge, this is a legitimate domain and legitimate file, but it is interesting to note that other sites hosting PDFs are being leveraged.\r\nThis will become more important later when we do additional pivoting.\r\nIdentifying All Current Domains\r\nAt this stage, we have identified an IP address 193.106.174[.]218 that is hosting both the original malicious domain lufyfeo[.]org as well as numerous other domains showing similar behaviour.\r\nIn total, there are 1256 host responses for the 193.106.174[.]218 address. Our next goal will be to enumerate all of these for indications of 302 redirects to URLs containing PDF references on harvardlawreview[.]org or documentcloud[.]org.\r\nSince the number of responses was so large, I utilised the JSON export feature of Validin to obtain the complete results of the search.\r\nThis allowed me to focus on information like the 302 redirect location.\r\nWe can start this by exporting all entries in the current response.\r\nAfter exporting the entries, CyberChef can be leveraged to beautify the JSON output and determine which fields are of interest.\r\nIn this case, we want only the host and location fields within the JSON.\r\nEnumerating JSON Output With Python\r\nSince we only need to check the location and host fields, we can use a small Python script to enumerate all results in the JSON output for references to URLs with PDF references.\r\nRunning this script produces many results for redirects to the same location as the known malicious domain.\r\nAfter deduplicating the results, we are left with 36 domains hosted on the same IP address and redirecting to the same documentcloud[.]org file, or the additional harvardlawreview[.]org file.\r\nThe complete list of these domains can be found below.\r\nSource: https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/"
	],
	"report_names": [
		"phishing-domain-analysis-with-passive-dns-latrodectus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3db337368e8e9bb87c8670f520975b35a5037d24.pdf",
		"text": "https://archive.orkl.eu/3db337368e8e9bb87c8670f520975b35a5037d24.txt",
		"img": "https://archive.orkl.eu/3db337368e8e9bb87c8670f520975b35a5037d24.jpg"
	}
}