{
	"id": "c8b5a598-48e5-4296-a86d-be8594ce1a3b",
	"created_at": "2026-04-06T00:07:29.783845Z",
	"updated_at": "2026-04-10T03:23:52.235753Z",
	"deleted_at": null,
	"sha1_hash": "496b4936bc4d97923d3113169a658438d920c332",
	"title": "Threat Spotlight: Angler Lurking in the Domain Shadows",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 256087,
	"plain_text": "Threat Spotlight: Angler Lurking in the Domain Shadows\r\nBy Talos Group,\r\nPublished: 2015-03-03 · Archived: 2026-04-05 15:50:04 UTC\r\nThis post was authored by Nick Biasini and edited by Joel Esler\r\nOverview\r\nOver the last several months Talos researchers have been monitoring a massive exploit kit campaign that is\r\nutilizing hijacked registrant accounts to create large amounts of subdomains for both initial redirection and\r\nexploitation. This campaign has been largely attributed to Angler Exploit Kit with fileless exploits serving various\r\nmalicious payloads.\r\nThe use of hijacked accounts led to a larger research project into the use of hijacked registrant accounts. During\r\nthis research the earliest examples were found from a 2011 campaign with sporadic usage until December 2014.\r\nSince December 2014 more than 75% of the subdomain activity has occurred, indicating a major shift in approach.\r\nThis behavior has been covered before in a post that discussed some of the older campaigns as well as the hosting\r\nindicators (ASN) of the groups making use of the subdomains.\r\nTable of Contents\r\nOverview\r\nExecutive Summary\r\nDomain Shadowing\r\nFast Flux vs Domain Shadowing\r\nHistory of Domain Shadowing\r\nAnalysis of Subdomains\r\nExploit Kit URL History\r\nDetection\r\nIOC\r\nConclusion\r\nCoverage\r\nExecutive Summary\r\nAngler is currently the best exploit kit on the market. The security industry has been waiting in anticipation to see\r\nwhich kit would replace “Blackhole”. While Angler may not have replaced Blackhole in terms of volume, the high\r\nlevel of sophistication and widespread usage leads us to declare Angler as the winner. It has shown the capability\r\nof integrating new exploits, including 0-days, quickly and effectively. 
With a new technique we’re calling Domain\r\nShadowing, Angler has shown it is working hard to avoid standard detection.\r\nhttps://blogs.cisco.com/security/talos/angler-domain-shadowing\r\nPage 1 of 7\n\nDomain shadowing is the process of using users’ domain registration logins to create subdomains (i.e.\r\nsays.imperialsocks.com). Angler Exploit Kit has begun utilizing these hijacked domain registrant accounts to\r\nserve malicious content. This is an increasingly effective attack vector since most individuals don’t monitor their\r\ndomain registrant accounts regularly. These accounts are typically compromised through phishing. The threat\r\nactor then logs in with the credentials and creates large amounts of subdomains. Since a lot of users have multiple\r\ndomains this can provide a nearly endless supply of domains. Talos has found several hundred accounts that have\r\nbeen compromised that have control of thousands of unique domains. We have identified close to 10K unique\r\nsubdomains being utilized. This behavior has proven to be an effective way to avoid typical detection techniques\r\nlike blacklisting of sites or IP addresses, since this campaign has done an exceptional job of rotating not only the\r\nsubdomains, but also the IP addresses associated with the campaign. Additionally, these subdomains are being\r\nrotated quickly, minimizing the time the exploits are active, further hindering both block list effectiveness and\r\nanalysis. This is all done with the users’ already registered domains. No additional domain registration was found.\r\nThis recent campaign has been running since late December and, coupled with the recent Flash 0-day, has proven\r\nto be a new evolution in exploit kits. 
Utilizing 0-days and advanced evasion techniques was once reserved for\r\ntargeted attacks and is now being packaged as the next evolution in the productized industrialization of hacking.\r\nThis illustrates how products like Angler have raised the bar for the effectiveness of user driven exploit\r\nframeworks, putting it in the same arena as the advanced threat market. Previously, the information security\r\nindustry has been trying to focus on detecting threats like common, user targeted attacks while taking an “it’s\r\nnot if, but when” approach to the advanced threats. Angler is now in the category of “not if, but when your\r\norganization will be impacted.”\r\nDomain Shadowing\r\nAttackers have been phishing for domain accounts to create large amounts of malicious subdomains for some\r\ntime. This technique has not been covered in detail before so a new descriptive term needed to be created:\r\nDomain Shadowing. Domain shadowing is the process of gathering domain account credentials in order to\r\nsilently create subdomains pointed at malicious servers without tipping off the actual owner. Talos has been able\r\nto identify hundreds of accounts that have been compromised, some for a year or more. Not surprisingly, the\r\nmajority of the domains are held by GoDaddy, which controls almost a third of the active domains.\r\nThe compromised accounts have several thousand domains assigned to them; however, Talos has observed that\r\nonly approximately a third of them have been utilized. This indicates that the actors still have a large reserve of\r\ndomains and, based on the data, keep leveraging new accounts.\r\nFast Flux vs Domain Shadowing\r\nSimilar to Domain Shadowing, Fast Flux is a technique that rapidly changes the IP address associated with a\r\ndomain to evade detection and blocking techniques. Fast Flux rotates a single domain or DNS entry to a large list\r\nof IP addresses rapidly. 
Domain Shadowing rotates subdomains associated with a single domain rapidly. These\r\nsubdomains can point to a single IP or a small group of IP addresses depending on the circumstances. Below is a\r\ndiagram illustrating both processes.\r\nIllustrating Difference between Fast Flux DNS and Domain shadowing\r\nHistory of Domain Shadowing\r\nThe first behavioral evidence that Talos found dates back to September 2011. At that time, a group of related\r\ndomains were seen creating a large amount of subdomains. In the span of 45 days, approximately 15% of the total\r\namount of identified subdomains were created. Most of the subdomains were active for less than a day and saw\r\nfewer than ten hits. The subdomains were constructed using randomly generated strings, such as\r\nacajbehhcef.mysupercouponzz.info. These are characteristics that would resurface in later campaigns but with a\r\nmuch higher volume and quicker rotation. These particular domains were privacy protected so specific attribution\r\nwas not available. They were, however, registered through GoDaddy, something that would be a common theme\r\nthroughout.\r\nUntil mid 2014, there was sporadic subdomain usage including a brief smaller campaign using the domains\r\nmentioned above. However, there weren’t any significant campaigns that Talos found in its telemetry data. In May\r\n2014, a new campaign started that was part of a browser lock campaign. The commonality of this campaign was\r\nthe creation of police and alertpolice subdomains. These subdomains were created to serve the notification to\r\ncompromised systems and provide payment details. Talos saw multiple domains associated with multiple different\r\ndomain accounts being utilized during this period. 
This was also where some of the domain accounts that\r\nappeared in the recent campaign were first used for malicious purposes.\r\nFast forward to the campaign focused around the Angler Exploit Kit. The scope and amount of activity has\r\ncontinued to grow since the original post and was the starting point for this research. Including the most recent\r\nactivity, more than 75% of the overall subdomains seen have occurred in this recent campaign. This campaign has\r\nbeen seen exploiting both Adobe Flash and Microsoft Silverlight vulnerabilities. The diagram below illustrates the\r\ngrowth of activity until mid-February. A larger bubble indicates more supportive events. December 2014 and on\r\nare the largest individual months in the last several years of activity.\r\nIllustrating explosion of usage since December 2014. Larger bubble indicates more events. (As of\r\nmid February)\r\nAnalysis of Subdomains\r\nTalos identified a series of characteristics common to the recent subdomain creation, including multiple tiers of\r\nmalicious subdomains. The first tier is responsible for the redirection to the actual exploit kit landing page. So far,\r\nthere has not been any overlap between the domains utilized for the first tier and the exploit tier. There has also\r\nnot been any overlap in the domain accounts that are utilized.\r\nThe amount of subdomains being utilized for landing pages and exploits is greater than those used for\r\nredirection, by a factor of five. This could be related to the chain of events leading to compromise. The user\r\nbrowses to a web page that is hosting a malicious ad. The malicious ad redirects the user to the first tier of\r\nsubdomains (commonly referred to as a “gate”). This page then redirects to the actual landing page serving\r\nexploits. This final page is being rotated at a rapid pace. 
Some of the subdomains are only active for a matter of\r\nminutes and are only reached a couple of times.\r\nAttack Chain for Exploit Kit Campaign\r\nThere are some other differentiators between the redirecting domains and the exploit domains. The redirecting\r\ndomains only made use of third level domains that were English word based (i.e. says.imperialsocks.com). The\r\nlanding page / exploit kit subdomains are random string based and recently have branched into using both third\r\nlevel and fourth level domains (i.e. brandmuellergekwantifiseer.astarentals.co.uk \u0026 3e3qcq.plante.bplawfirm.net).\r\nFrom an IP address perspective the same IP is utilized across multiple subdomains for a single domain and\r\nmultiple domains from a single domain account. There are also multiple accounts with subdomains pointed to the\r\nsame IP. The addresses are being rotated periodically with new addresses being used regularly. Currently more\r\nthan 75 unique IPs have been seen utilizing malicious subdomains.\r\nPatterns have also emerged with the domain accounts that are being leveraged. Accounts with multiple domains\r\nusually have more than one domain being actively leveraged. However, none of the accounts have reached 100%\r\nsaturation, so among the accounts with multiple domains there are still unused domains reserved, potentially, for\r\nlater use. The amount of accounts has continued to grow. New accounts were seen as recently as mid February and\r\nbased on the growth there could be a substantial amount of accounts still to be seen.\r\nThe one thing all these accounts have in common is the registrar: GoDaddy. Based on recent data, GoDaddy is the\r\nregistrar for almost a third of the domains on the Internet and is nearly four times the size of the number two\r\nregistrar. 
If a group is going to take the time to create a phishing campaign this would be the registrar to target,\r\nand the data Talos has found indicates that is the case.\r\nExploit Kit URL History\r\nThis use of Domain Shadowing is the most recent evolution that exploit kits have gone through to evade detection\r\nand remain active and effective for as long as possible. In their infancy, exploit kits and other malicious threats\r\nmade use of hard coded IP addresses for the malicious content. This is obviously a flawed methodology since a\r\nsimple blocklist add would eliminate it from being effective.\r\nThe next iteration was to start registering domains to be used for the exploit. This allowed for the server to be\r\nchanged easily to try and avoid detection a little longer. The downside was that the actors needed to register the\r\ndomains, which allowed researchers to investigate and potentially find new domains that had not yet been used.\r\nNext up was the use of dynamic DNS (DDNS), which Talos has covered previously. This allowed actors to stand\r\nup new domains anonymously and quickly. This is quite effective and is currently in use with some exploit kit\r\nactivity.\r\nDomain shadowing using compromised registrant credentials is the most effective and difficult to stop technique that\r\nthreat actors have used to date. The accounts are largely random so there is no way to track which domains will be\r\nused next. Additionally, the subdomains are very high volume, short lived, and random, with no discernible\r\npatterns. This makes blocking increasingly difficult. Finally, it has also hindered research. It has become\r\nprogressively more difficult to get active samples from an exploit kit landing page that is active for less than an\r\nhour. 
This helps increase the attack window for threat actors since researchers have to increase the level of effort\r\nto gather and analyze the samples.\r\nDetection\r\nDetection of exploit kit campaigns using this technique is difficult due to the steps taken to avoid the more\r\ncommon detection methods. This again emphasizes the importance of a true defense in depth approach to security\r\nas some of the typical detection techniques will not succeed with this attack. The subdomains and IPs being used\r\nare changing regularly so typical blacklisting isn’t nearly as effective as it would be normally. The actual samples\r\nbeing served are being morphed frequently, which has hindered AV detection significantly (many samples with low\r\ndetection). The keys to detection rely largely on NGIPS and advanced heuristic based malware detection. Most of\r\nthese exploit attempts will trigger multiple NGIPS rules for generic Adobe Flash exploits, generic Silverlight\r\nexploits, and landing page detection. Additionally, heuristic based malware detection software will detect the\r\nexploitation attempts as well as the post exploitation behavior.\r\nThere are a couple of other types of detection that may be effective against this threat: looking for multiple\r\nsubdomains resolving for a single second level domain, and looking for multiple subdomains resolving to\r\na single IP address. Finally, looking for random string subdomains could be effective as well. However, this does\r\npresent some challenges as there are lots of legitimate services, especially cloud based hosting, that make use of\r\nquasi-random subdomains, causing high FP rates.\r\nIOC\r\nHashes\r\nSubdomains (Recent)\r\nIP Addresses\r\nSubdomains (All Time)\r\nConclusion\r\nUsers are at risk for these types of attacks because they are designed to evade detection and prevention. A\r\nmalicious ad can be hosted on virtually any website causing compromise. 
These random domains that are hosting\r\nthe exploits are difficult to identify and anticipate. This coupled with 0-day attacks has proven to be an extremely\r\nsuccessful methodology for compromise. This particular campaign is unique in its large scale use of Domain\r\nShadowing.\r\nThe process of Domain Shadowing is effective not only because it makes blacklisting difficult but also because it\r\nleverages the fact that most users only login to their domain registrar to renew the registration. This threat example clearly\r\ndemonstrates the ongoing evolution of threat actors. Actors are always going to try and stay ahead of detection\r\ntechnologies, and increasingly the researchers.\r\nThis latest campaign has successfully elevated Angler to an advanced exploit kit. One that utilizes 0-days and\r\nevasion techniques that were previously associated with advanced threats alone. At this point it’s more a question\r\nof “when” Angler will affect you instead of “if”. If you are relying exclusively on blacklisting technologies, this\r\nthreat is designed to beat them. 
Utilizing multiple products with different inspection engines can help ensure the most\r\ncomprehensive coverage before, during, and after the attack.\r\nAngler related Snort Rules: 28613-28616,29066,29411-29414,30852,31046,31129-31330,31331-31332,\r\n31370-31372,31694,31695,31898-31901,32390,32399,33182-33187,33271-33274,33286,33292\r\nFor the most up to date list, please refer to Defense Center or FireSIGHT Management Center.\r\nCoverage\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites, including the downloading of the malware\r\nused during these attacks.\r\nThe Network Security protection of IPS and NGFW has up-to-date rules to detect malicious network activity by\r\nthreat actors.\r\nSource: https://blogs.cisco.com/security/talos/angler-domain-shadowing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blogs.cisco.com/security/talos/angler-domain-shadowing"
	],
	"report_names": [
		"angler-domain-shadowing"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434049,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/496b4936bc4d97923d3113169a658438d920c332.pdf",
		"text": "https://archive.orkl.eu/496b4936bc4d97923d3113169a658438d920c332.txt",
		"img": "https://archive.orkl.eu/496b4936bc4d97923d3113169a658438d920c332.jpg"
	}
}