{
	"id": "6575b819-5d17-4d5c-a007-ea7e074f8159",
	"created_at": "2026-04-06T00:08:33.449861Z",
	"updated_at": "2026-04-10T03:32:46.08799Z",
	"deleted_at": null,
	"sha1_hash": "5b2ee376a09a9d916ad2d4b979cf38ee192e231e",
	"title": "Pivoting: Finding Malware Domains Without Seeing Malicious Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43236,
	"plain_text": "Pivoting: Finding Malware Domains Without Seeing Malicious Activity\r\nBy Silent Push\r\nPublished: 2019-05-28 · Archived: 2026-04-05 15:15:01 UTC\r\nIt is part of the job of a threat actor to ensure the domains used in their campaigns blend in with the crowd and stay undetected for the duration of the campaign. It is part of the job of an analyst to spot such domains by looking for ways in which they still stand out.\r\nExample\r\nWhile looking through the trove of data on Silent Push, I spotted the domain cdn12-web-security[.]com. At first glance, this domain looks like a normal domain, part of the content delivery network of a web security service. However, it is slightly odd that more than three months after the domain was registered, cdn<n>-web-security[.]com doesn’t exist for any other value of n.\r\nWe have also learned to be a bit suspicious of these very normal-looking domains: the main domain used in the SolarWinds supply-chain attack, avsvmcloud[.]com, remained undetected for months at least in part because it looks so very normal, seeming to belong to an AWS-like cloud service and hardly standing out among the domains you’ll see in your DNS logs.\r\nOn top of this, in the past month alone, we have seen cdn12-web-security[.]com point to no fewer than six different IP addresses in succession, which is fairly unusual:\r\n80.249.147[.]241\r\n47.91.92[.]75\r\n80.249.147[.]144\r\n47.254.131[.]6\r\n8.208.87[.]225\r\n8.208.101[.]136\r\nStill, we have not seen any malicious activity linked to the domain. In fact, there does not appear to be any public activity linked to the domain at all, which suggests that whatever it is that the owners of the domain are doing, they keep it small enough to stay under the radar.\r\nBut let us look at the IP addresses. Two of them (80.249.147[.]241 and 80.249.147[.]144) belong to the Russian hosting provider Selectel, while the other four belong to Alibaba’s US operations. In Silent Push’s systems, these two ASNs have fairly high (i.e. bad) IP reputation scores (35 and 28 respectively), which suggests a fair number of malicious URLs hosted there. It should be noted though that this isn’t too uncommon for large cloud providers: Amazon AWS’s IP reputation score currently stands at 19.\r\nhttps://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity\r\nPage 1 of 2\r\nNow let us look at the IP address to which the domain pointed during the last week of January, 8.208.101[.]136, and see what else is hosted there.\r\nDuring the last week in January, the domain secure-dns-resolve[.]com also pointed to this IP address. And for this domain we have public activity of both malware connecting to it and a phishing image hosted there. Interestingly, and almost certainly not coincidentally, we saw this domain point to the same six IP addresses throughout January, going through them in the same order.\r\nAnother domain name pointing to the same IP address is dns16-microsoft-health[.]com. Here too we find public evidence of malware that has connected to it. It will not surprise anyone that dns<n>-microsoft-health[.]com doesn’t exist for any other value of n. The domain has also cycled through the same set of IP addresses we saw before.\r\nThis is also true for a fourth domain we saw pointing to 8.208.101[.]136 recently: cdn12-show-content[.]com. Here though we find no public evidence of activity linked to this domain, malicious or not.\r\nStill, given the many similarities, we are confident that cdn12-web-security[.]com and cdn12-show-content[.]com are operated by the same actors who also operate secure-dns-resolve[.]com and dns16-microsoft-health[.]com, and should be blocked just the same. The same is true for a fifth domain, ms-health-monitor[.]com, which has been linked to malware and which was taken down in January.\r\nAnother thing that links these five domains is the use of DNSPod’s name servers, which have a not too great reputation score of 18 in Silent Push’s systems.\r\nThese five domains aren’t the only ones linked to the mentioned IP addresses. For example, righttime4mercy[.]com currently points to 80.249.147[.]144; this domain has been linked to a Hancitor malspam campaign in the past.\r\nIt may thus be that these IP addresses are managed by a bulletproof hosting provider which rents out its infrastructure to malicious actors and shields them from takedown requests. The Hancitor domain may thus be unrelated to the other five, though of course no less malicious.\r\nConclusion\r\nPivoting around an IP address or a domain name isn’t generally a very reliable way to link malicious activity, given the wide use of shared and compromised infrastructure, as well as the use of false flags by more advanced actors. However, it should not be totally ignored either.\r\nWe started from a single interesting-looking domain for which no malicious activity could be found. Through the Silent Push API and with the help of a few search engine searches, we were able to link it to an active malware campaign, and possibly found part of a bulletproof hosting operation.\r\nSource: https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity"
	],
	"report_names": [
		"pivoting-finding-malware-domains-without-seeing-malicious-activity"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434113,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b2ee376a09a9d916ad2d4b979cf38ee192e231e.pdf",
		"text": "https://archive.orkl.eu/5b2ee376a09a9d916ad2d4b979cf38ee192e231e.txt",
		"img": "https://archive.orkl.eu/5b2ee376a09a9d916ad2d4b979cf38ee192e231e.jpg"
	}
}