{
	"id": "50e1a13b-4e48-47c8-8141-a855a7747841",
	"created_at": "2026-04-06T00:11:31.684283Z",
	"updated_at": "2026-04-10T03:23:33.769106Z",
	"deleted_at": null,
	"sha1_hash": "6cb9629dc5b52b910aceab0924b32175de847d8d",
	"title": "To Aid and Abet: Prolific Puma Helps Cybercriminals Evade Detection | Infoblox",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1442860,
	"plain_text": "To Aid and Abet: Prolific Puma Helps Cybercriminals Evade\r\nDetection | Infoblox\r\nBy Infoblox Threat Intel\r\nPublished: 2023-10-31 · Archived: 2026-04-05 14:37:26 UTC\r\nExecutive Summary\r\nHalloween might be the spookiest time of the year, but threat actors are doing frightening things on the internet\r\nevery day. In the past month we have introduced two terms: Domain Name System (DNS) threat actors and\r\nRDGA (registered domain generation algorithm). We also gave a taste of one type of DNS threat actor, the persistent\r\nphisher, through an exposé of Open Tangle.\r\nToday we are introducing the second actor in this series, Prolific Puma. For four years, maybe longer, Prolific Puma\r\nhas operated in the shadows, unrecognized by defenders. While we don’t know their origin story, we can detect\r\nProlific Puma through DNS and get a glimpse into their character via their domain name registration choices. What’s\r\nin the name? Prolific comes from the simple fact that this is a network that is continually expanding, with new\r\ndomains registered almost daily. As for Puma, well… we’ll share more about the inspiration later in this paper.\r\nThe cybercrime economy is the world’s third largest, with an estimated $8 trillion value in 2023, and Prolific\r\nPuma is part of the supply chain.1 They create domain names with an RDGA and use these domains to provide a\r\nlink shortening service to other malicious actors, helping them evade detection while they distribute phishing, scams,\r\nand malware. When we disrupt Prolific Puma, we disrupt a larger segment of the criminal economy. Figure 1 is an\r\noverview of the Prolific Puma operations and how they enable criminals. 
Prolific Puma generates large volumes of\r\ndomains algorithmically, and then they use these domains to generate shortened links for other malicious actors,\r\nallowing them to hide their true activity.\r\nhttps://blogs.infoblox.com/cyber-threat-intelligence/prolific-puma-shadowy-link-shortening-service-enables-cybercrime/\r\nPage 1 of 17\n\nFigure 1: An overview of Prolific Puma’s role in the cybercrime supply chain.\r\nTo our knowledge, this paper is the first description of a large underground link shortening service. Moreover, the\r\nactor was discovered not from malware or phishing sites, but from DNS analytics. Prolific Puma is remarkable\r\nbecause they have been able to facilitate malicious activities for over 18 months and have gone unnoticed by the\r\nsecurity industry. With a massive collection of domain names, they are able to distribute malicious traffic and evade\r\ndetection.\r\nThis discovery demonstrates the power of using DNS and domain registration data not only to detect suspicious\r\nactivity, but to bring that information together into a consolidated view of a DNS threat actor. While we were able to\r\ndetect and track Prolific Puma via DNS, their story highlights the challenges faced by domain registrars and\r\nregistries to control abuse. When actors are distanced from the actual crime, policies can hinder the ability to identify\r\nand take down the enabling domains.\r\nWe first noticed Prolific Puma domains six months ago through an RDGA detector. 
Since then, we have\r\ndeveloped a better understanding of their activity using specialized DNS detectors to track the network as it evolves.\r\nIn the sections that follow, we will discuss the Prolific Puma link shortening service, how they register and host\r\ndomains, their abuse of the us top level domain (usTLD), and the role they play in facilitating crime on the internet.\r\nFor the purpose of this publication, we intentionally focus on the actor and their use of DNS, rather than the\r\ncampaigns that use their services. We provide one detailed example of a campaign conducted using Prolific Puma\r\ninfrastructure, which led to both phishing the user and delivering browser-based malware.\r\nShadowy Link Shortening Services\r\nProlific Puma provides an underground link shortening service to criminals.2 Accessing an active second level\r\ndomain (SLD) directly returns the following message:\r\n{\"type\": \"service\",\"name\":\"@link-shortener/handler-service\"}\r\nThe original purpose of link shorteners was to make the sharing of website links easier, as well as to comply with social\r\nmedia size limitations. For example, the link https://tinyurl.com/c6u6myhw is a shortened version of\r\nhttps://www.infoblox.com/blog/cyber-threat-intelligence/introducing-dns-threat-actors/, our paper that\r\nintroduced the concept of DNS threat actors.\r\nWhen the user clicks on the shortened link, they will be redirected to another URL. Behind the scenes, a DNS\r\nrequest is made to resolve the IP address for the shortening service domain, e.g., tinyurl[.]com. The web request is\r\nthen sent to that address containing the hash value used to identify the original site. In the example above, the\r\nTinyURL service will use the value c6u6myhw to determine where to redirect the connection. 
Additional DNS\r\nrequests will be made to locate the IP address that hosts the final content, in this case for blogs.infoblox.com. While\r\nlegitimate users will create a simple shortened link to share, a malicious actor may use multiple layers of redirection\r\nbefore the final landing page. This process is depicted in Figure 2.\r\nFigure 2: A notional path depicting how a shortened URL interacts with DNS and the shortening service to redirect\r\nthe victim to malicious content.\r\nMalicious actors are known to abuse link shorteners for phishing.3 In the most publicized cases, however, the link\r\nshorteners are well-known, publicly available services including TinyURL, Bitly, and Google. This abuse is so\r\nrampant that marketing firm Rebrandly recommends that legitimate companies avoid using popular shorteners in\r\ntheir emails.4\r\nProlific Puma doesn’t openly advertise their services. For some period of time, we knew we were tracking a link\r\nshortening service, but it was unclear what they were delivering and for whom they were providing the service. The\r\ntricky thing about investigating link shorteners is that without a full URL, it is not possible to determine the final\r\nlanding page. Our detectors had found a large set of interconnected domains with suspicious behavior and no public\r\npresence, but we were challenged to conclude how they were being leveraged.\r\nWe eventually captured several instances of shortened links redirecting to final landing pages that were phishing and\r\nscam sites. Interestingly, the sequence of redirections to the final page varied widely. 
In some cases, the shortened\r\nlinks led directly to the content.5 In others, multiple layers of redirection occurred before the final landing page.6 We\r\nalso saw Prolific Puma shortened links that were redirected to another shortened link created by a different service.7\r\nIn some cases, the shortened link led to a CAPTCHA challenge.8 We also found reports that Prolific Puma links\r\nwere sent via SMS text messages with fake Amazon delivery notifications as early as January 2020.9 The variance in\r\nhow the links were handled and the content delivered makes it most likely that Prolific Puma is providing a service\r\nto multiple actors. Evidence suggests that the shortened links are primarily delivered to victims through text\r\nmessages, but they could be used in other contexts, e.g., social media and advertisements.\r\nProlific Puma is not the only illicit link shortening service that we have discovered, but it is the largest and the\r\nmost dynamic. We have not found any legitimate content served through their shortener. Later in this report we\r\ndetail a specific example of a shortened link that leads to phishing for user information, a scam payment, and the\r\ndistribution of browser malware.\r\nAs a service provider within the cybercrime ecosystem, Prolific Puma helps other malicious actors evade\r\ndetection, a tactic included in the enterprise MITRE ATT\u0026CK framework.10 But, their indirect role in the\r\ndelivery of phishing, scams, and malware to consumers also helps them evade detection. While security providers\r\nmay identify and block the final content, without a broader view it is difficult to see the full scope of the activity and\r\nassociate the domains together under a single DNS threat actor. 
As we’ll see next, we are able to do this through\r\nDNS analytics.\r\nDetection and Domain Name Characteristics\r\nIn order to provide original intelligence for Infoblox DNS detection and response products in the cloud and on-prem,\r\nwe have designed a large corpus of independent algorithms to detect suspicious and malicious domains, as well as\r\nrelated IP addresses and other DNS resources. Through aggregation of passive DNS (pDNS) query logs and\r\nother data sources, we run a series of analytics on a collection of newly queried, registered, or configured\r\ndomains. These analytics independently characterize the domains and range from flagging a domain as suspicious to\r\nassigning it to a DNS threat actor.\r\nThe discovery of Prolific Puma followed a path common to many of the DNS threat actors we internally name and\r\ntrack. From our automated analytics, some related domains were first labeled individually as suspicious. This\r\nadjudication allowed the domains to be blocked in our DNS recursive resolvers to protect customers, but did not\r\nnecessarily capture the full breadth of activity and did not correlate the domains to a single actor. When we\r\ndeployed algorithms for RDGA discovery in Spring 2023, the Prolific Puma domains began to be identified in\r\ngroups. These groups were also automatically determined, but use statistical methods that ensure a high degree of\r\nconfidence that the RDGA domains are registered by the same DNS threat actor. Finally, another algorithm\r\nidentified outlier behavior in IP resolutions and correlated the individual RDGA clusters. The sheer size of the\r\nactivity raised the profile of this particular DNS threat actor for our human-in-the-loop research and we designed\r\nspecialized DNS fingerprints to track them. 
In the remainder of this section, we’ll share details about the Prolific\r\nPuma domain name characteristics and features that identify them.\r\nBecause the connection between the Prolific Puma domains and the final landing pages is indirect, the actor\r\nhas some protection against discovery. But they also fortify their ability to persist and remain unnoticed through\r\nthe registration of a large number of domains. Malicious traffic gets divided across these domains at fairly low\r\nvolumes. Over time, the domains may even gain a reputation as being “good” through strategic aging, a technique\r\nused by Prolific Puma that we will detail more later in this paper.\r\nProlific Puma controls one of the largest networks we track. Since April 2022, they have registered between 35k\r\nand 75k unique domain names. Figure 3 shows the number of unique domain names registered per day with 3- or\r\n4-character domain labels. As we recently reported, RDGAs have increasingly replaced traditional DGAs and offer new\r\nchallenges to defenders. The use of this technique allows them to easily automate their operations for scale; Prolific\r\nPuma domains are among the thousands of new domains Infoblox detects daily that are generated by an RDGA.\r\nProlific Puma uses NameSilo as their domain name registrar and tends to strategically age their domains before\r\nhosting their service with anonymous providers. Despite a lack of clear relation to the United States, Prolific Puma\r\nconsistently abuses the us top level domain (usTLD), a TLD intended to be reserved for U.S. citizens and\r\norganizations. Prolific Puma is known to register both new domains and dropped domains. 
As an example, 3ty[.]us\r\nwas previously used by a different actor in June 2022 for Facebook messenger phishing campaigns and was then\r\nregistered by Prolific Puma after the registration lapsed in July 2023.\r\nFigure 3. Registration timeline of Prolific Puma domains with 3- to 4-character domain labels.\r\nProlific Puma domains are alphanumeric, pseudo-random, with variable length, typically 3 or 4 characters\r\nlong, but we have also observed SLD labels as long as 7 characters. The domains are registered on 13 TLDs that\r\nare frequently abused by malicious actors, including: info, us, site, in, link, me, cc, website, life, xyz, club, buzz, and\r\nbest. The infoTLD accounted for the bulk of domains until May 2023. Since then, the actor has used the usTLD for\r\napproximately 55% of the total domains they created. We observe 43 new domains, on average, every day since May\r\n2023.\r\nTLD: Domains\r\nus: vf8[.]us, 2ug[.]us, z3w[.]us, yw9[.]us, 8tm[.]us\r\nlink: cewm[.]link, wrzt[.]link, hhqm[.]link, ezqz[.]link, zyke[.]link\r\ninfo: uelr[.]info, ldka[.]info, fbvn[.]info, baew[.]info, shpw[.]info\r\ncom: kfwpr[.]com, trqrh[.]com, nhcux[.]com, khrig[.]com, dvcgg[.]com\r\ncc: jlza[.]cc, hpko[.]cc, ddkn[.]cc, mpsi[.]cc, wkby[.]cc\r\nme: scob[.]me, xnxk[.]me, zoru[.]me, mjzo[.]me, ouzp[.]me\r\nTable 1: Examples of domains registered by Prolific Puma on different TLDs with 3- to 4-character\r\ndomain labels.\r\nOver the last 18 months, Prolific Puma has primarily used NameSilo for registration and name servers.\r\nNameSilo, a cheap domain name and hosting provider, is frequently abused by malicious actors. Aside from\r\naffordability, they offer an API, as do many registrars, which facilitates bulk registration by both legitimate users and\r\ncriminals. 
To register a domain with NameSilo you need only an email address and a method of payment. However,\r\nto configure the domain for use, a name and physical address are required. Domains that are registered but\r\nunconfigured are parked; the IP address returned through DNS belongs to SEDO GmbH and is part of the premium\r\nSEDO Multi-Listing Service offered to registrars.\r\nNameSilo is a highly abused registrar according to the Infoblox reputation algorithm. We currently rate the risk of\r\ndomains registered with NameSilo as a 7 on a scale of 0 to 10, where 10 is considered extremely high risk and 5 is\r\naverage. In addition to TLDs, we can also apply our reputation algorithm to name servers. Prolific Puma uses the\r\ndefault name servers for NameSilo, which are within the dnsowl[.]com domain.11 Our algorithm currently rates the\r\nrisk of dnsowl[.]com name servers as a 6, which is moderate but slightly elevated when compared to all other known\r\nname servers.\r\nInfoblox uses a wide range of reputation scores as features in our analytics. Our reputation algorithm is publicly\r\navailable, applies to all data types, and is statistically optimal, meaning that another algorithm using the same data\r\nwould not be more accurate. The scores are adjusted to a normal distribution that can be interpreted consistently\r\nacross time and data type. A score of 7 is considered high risk and is 1.5 to 3.5 standard deviations above the mean.\r\nHistoric analysis of registrar reputation and name server reputation can be found in our quarterly threat intelligence\r\nreports for Q3 and Q4 2022, respectively.\r\nWhile it is not rare for DNS threat actors to use a single registrar for their operations, it is somewhat uncommon; as\r\nsuch, the use of a single registrar is a feature in our taxonomy of DNS threat actors. The actors that we track have\r\ngenerally persisted for over a year and are often financially motivated. 
We find that frequently they choose registrars\r\nand TLDs that are the least expensive and are hassle-free. While NameSilo is a cheap registrar, it is not the only one,\r\nand it will not offer the lowest price on domains over a long period of time. In the past, Prolific Puma registered\r\nlarge numbers of domains with other cheap providers, notably NameCheap. The consistent use of NameSilo over a\r\nlong period of time is notable, but the motivation is unknown.\r\nAbuse of usTLD\r\nProlific Puma has registered thousands of domains in the usTLD since May 2023. This is remarkable because,\r\naccording to the usTLD Nexus Requirements Policy, only U.S. citizens or U.S.-affiliated businesses are eligible to\r\nregister domains in it.12 Moreover, the usTLD requires transparency; no domain names may be registered privately.\r\nAs a result, the email address, name, street address, and phone number associated with the domain are publicly\r\navailable. While this might seem a likely deterrent to crime, it has not been effective; the usTLD is well-known for\r\nabuse.\r\nAs Krebs on Security recently reported, the usTLD is one of the most abused country code TLDs (ccTLDs) and\r\nthere is no verification made of the registrant’s relationship to the United States.13 While Krebs holds GoDaddy\r\naccountable as the registry, the TLD suffered from abuse before they took over registry responsibilities in 2020.\r\nWhile once a highly structured and controlled TLD, second level domain (SLD) registrations became available in\r\n2002 after Neustar was awarded the contract to administer the TLD.14 Infoblox rates the usTLD as a moderate but\r\nslightly elevated risk, with a score of 6, in comparison to all other TLDs.\r\nRegistration of a .us domain with NameSilo requires an email address, as well as selection of one of the five Nexus\r\ncategories 
and application purposes, as shown below in Figure 4. These are used to establish the registrant’s\r\nassociation with the United States; however, the acceptance criteria are very broad.15 During the registration\r\nprocess, the user is warned that they must qualify for one of these and choose a selection. The application purpose\r\nrequirement separates personal from organizational registrations.\r\nFigure 4. Registrants of domain names within the usTLD must choose a related Nexus category and application\r\npurpose from those listed above. This information is published in the WHOIS record.\r\nIn order to fully configure the domain with NameSilo, the registrant must also provide a name, physical address, and\r\nphone number, but these are unverified and the related WHOIS records are not updated automatically. Without an\r\nupdate, only the email address associated with the purchase is publicly available. The registrant can choose to\r\nassociate contact information with previously purchased domain names, but this is a separate configuration from the\r\naccount holder details. This entire process can be completed with fake data, and the domain can be paid for with\r\nBitcoin, enabling threat actors to abuse the service without much difficulty. While NameSilo is the registrar being\r\nabused in this particular case, the difficulties highlighted here are common across the industry.\r\nProlific Puma domain registrants have historically claimed to be a U.S. citizen (C11) using the domain to conduct\r\nbusiness for profit (P1), although this pattern has recently changed. Starting on October 4th, we observed Prolific\r\nPuma domains within the usTLD switch to a domain for personal use (P3) and with private registration\r\nsettings, including both existing and new registrations. This activity eliminated any doubt that Prolific Puma was\r\na malicious actor. 
As of mid-October, nearly 2000 Prolific Puma domains in the usTLD now have private\r\nregistration.\r\nThe presence of private registrations within the usTLD is alarming and violates the terms of the usTLD. Lack\r\nof detailed information through the WHOIS data has hindered intelligence investigations for the last several years,\r\nbut more importantly, through our own experience with NameSilo, it is not possible to select private registration for\r\ndomains in the usTLD through their interface. And yet, it was done. Digging a little deeper and assessing all\r\ndomains we processed between September 1st and October 15th, we found that while Prolific Puma made up the\r\nvast majority of .us domains under Privacy Guardian protection, there were others. Of the over 200 registrars\r\nreporting usTLDs during this timeframe, only four registrars were associated with private registration data, as shown\r\nin the table below. Of the total domains with private records, over 99% were registered with NameSilo. At this\r\ntime, we are not able to explain this behavior.\r\nRegistrar Domain Count (Sept 1 – Oct 15, 2023)\r\nNameSilo – Prolific Puma 1062\r\nNameSilo – possibly not Prolific Puma 411\r\nPorkBun 5\r\nNameCheap 4\r\nSav.com 1\r\nTable 2. Privately registered domains in the usTLD by registrar. These are in violation of the usTLD policies.\r\nWhile the limitations of .us domain names may seem strict, upon closer review, only wholly foreign entities are\r\nexcluded from registering domains within this TLD. 
If the registrant is suspected of providing false WHOIS\r\ninformation, the Internet Corporation for Assigned Names and Numbers (ICANN) requires the registrar to\r\ninvestigate and allow the information to be updated.16 According to the Nexus requirements policy, registrars must\r\nprovide registrants 30 days to update incomplete or incorrect information. NameSilo and GoDaddy are better\r\npositioned to take down domains based on their malicious activity than their Nexus qualifications. But in the case of\r\nmiddle-layer adversaries like Prolific Puma, exactly how do they do that?\r\nThe abuse of the usTLD, similar to that of others like .xyz and .website, is real. But with modern privacy regulations\r\nand technologies, separating abuse from legitimate use is not trivial, particularly at the scale of the DNS. Protecting\r\nconsumers and organizations against DNS threat actors requires industry collaboration. For our part, we informed\r\nboth NameSilo and GoDaddy of the Prolific Puma activity in September. Aside from the potential violation of\r\nusTLD requirements, however, it is difficult for a registrar to regulate domains that are not used directly for\r\nmalicious purposes. We have also shared a large collection of recent domains with Spamhaus and other vendors.17\r\nProlific Puma Character\r\nAt their heart, threat actors are individuals. They have quirks that often come through in their tactics, techniques, and\r\nprocedures (TTPs). Malware threat actors might be separated by their choice of variable names or how they\r\ncomment their code. These choices might reflect their interests, habits, and sense of humor. DNS threat actors are no\r\ndifferent, though we generally have little information to work with in DNS and domain registration records.\r\nAt Infoblox, we focus on suspicious and malicious DNS activity. 
While we attribute domain name resources to a\r\nDNS threat actor, we rarely attempt to identify their true identity or location. This type of attribution work, in which\r\nanalysts attempt to tie virtual world activity to the physical world, is a specialized field and time consuming.\r\nHowever, because Prolific Puma registers domains in the usTLD, a registry that does not allow private registration,\r\nwe can gain a glimpse into the personality of Prolific Puma.\r\nWhere possible, Prolific Puma uses private domain registration, but usTLD registrations must be public. For these\r\ndomains, the actor has consistently used an email address containing a reference to the song October 33 by the Black\r\nPumas.18 An Austin, Texas-based psychedelic soul band, the Black Pumas gained fame in 2019 with their single,\r\nColors.19 The song October 33 did not reach the top charts, and like Prolific Puma, retains some mystery.20 While\r\nthe lyrics are overtly a love letter, they make references to loneliness and the music was intended to have a haunting\r\nfeel.21 In spite of their Grammy nomination as Best New Artist in 2019, the Black Pumas are not a household name.\r\nProlific Puma uses the name Leila Puma, a name constructed to again refer to the Black Pumas. The name Leila\r\noriginates in Arabic and means “night.”\r\nWhile we don’t know the real world identity of Prolific Puma, we gain an interesting insight into their personality\r\nfrom their registration data. In addition to references to the Black Pumas and their mysterious song October 33,\r\nProlific Puma uses a personal Ukrainian email address. The address they provide is a primary school in Poland, a\r\nnondescript building that might be found in any industrial city. 
The city of Łódź, the third largest city in Poland, has\r\nwelcomed Ukrainian refugees since the Russian invasion in February 2022.22 A Black Pumas cover of the Kinks\r\nsong “Strangers” was made into an emotional YouTube video featuring Ukrainian refugees entitled “Ukraine\r\nStrangers.” Although unrelated to Prolific Puma activities, this video reached a significant audience in Fall 2022.23\r\nAs noted earlier, the registrant’s information is unverified by NameSilo and appears fake, but their choices give\r\nsome insight into the person or people who make up Prolific Puma.\r\nProlific Puma Operations\r\nFollowing the registration of a domain, Prolific Puma often leaves it unused, or parked, for several weeks. This\r\ntechnique is referred to as strategic aging.24 Because phishing attacks are traditionally tied to newly registered\r\ndomains, many security systems will block access to them. In response, threat actors realized that by waiting to use\r\ndomains in their campaigns, or “aging” them, they could bypass many security protections.\r\nProlific Puma will make a small number of DNS queries during the aging process, a method used by threat actors to\r\ngain reputation for the domain names. During this period, the domains are parked with NameSilo. Prolific Puma will\r\nthen transfer them to bulletproof hosting providers, purchased using Bitcoin, on a virtual private server (VPS) with a\r\ndedicated IP address. We have found that they will abandon domains after some time, leaving the DNS record\r\npointing to the dedicated IP address.\r\nBased on the breadth of operational techniques we have seen, we suspect that Prolific Puma is providing a\r\nservice for others and that the final landing pages are not in their control. It remains possible, though, that the\r\nsame threat actor controls both the link shortening service and all of the malicious activity conducted through it. 
We\r\nhave not determined how Prolific Puma advertises its services, how its users go about receiving the shortened URL,\r\nor whether it has any legitimate traffic. Within the campaigns run through the Prolific Puma service, we have found large\r\nnetworks of domains controlled by other DNS threat actors, often registered with cheap registrars such as\r\nNameCheap. Some of these campaign domains are also generated by RDGAs.\r\nAn Example Campaign\r\nProlific Puma operates a link shortener for a variety of phishing, scam, and malware activities. Below, we describe\r\nan example of one of the campaigns it serves. Figures 5.1-5.4 show screenshots of what a victim would encounter\r\nafter clicking on the initial shortened link, http://bwkd[.]me/ZFjfA3. The link leads to a phishing page designed to\r\nappear like an email, prompting the user to provide personal details and make a payment, and then it infects the user\r\nwith browser plug-in malware. We have also captured a screenshot recording of the process, shown below.\r\nThe technical steps between the shortened link and the browser plug-in malware in this campaign are as follows:\r\nThe first shortened link http://bwkd[.]me/ZFjfA3 redirects to\r\nhttp://ksaguna[.]com/click.php?key=\u003credacted\u003e, which itself redirects to\r\nhttps://www[.]asdboloa[.]com/ZA/AB_zagopb/?uclick=\u003credacted\u003e\r\nThis final website is a fake Gmail message telling the user that they have won the opportunity to test\r\nthe new iPhone 15.\r\nThe user is instructed to click on a link to claim their phone at https://www[.]game[.]co[.]za/2023program\r\nand enter their delivery information. 
The website www[.]game[.]co[.]za is a South African discount retailer\r\nusing promotional drives to draw consumers.\r\nFollowing this link under the right conditions leads to a prompt to pay 18 South African Rand (ZAR) to\r\nparticipate in the trial.\r\nFrom there, the user is presented with a page claiming to be postal tracking and prompting them to accept\r\nnotifications from fubsdgd[.]com. Clicking “accept” triggers the installation of browser malware that uses the\r\nOneSignal service to push notifications. While commonly associated with ads, in our experience, browser\r\nplug-in malware is commonly used to deliver scams, phishing, and other malware, along with ads.\r\nFinally, the victim is taken through a series of prompts asking them to verify shipping preferences and enter\r\ntheir personal information.\r\nWe do not know how the original shortened URL is delivered to the victim; it may be through an SMS text message\r\ngiven that it opens a fake Gmail message. The domains used during the exploitation of the victim change and are\r\nthemselves part of a large network. This campaign uses a variety of techniques to assure the victim that the offer is\r\ngenuine, including an active stream of testimonial reviews at each step from other “recipients.”\r\nFigure 5.1: An example of the content delivered by Prolific Puma link shorteners. The original shortened link\r\n(http://bwkd[.]me/ZFjfA3) redirected and eventually led to a phishing page designed to look like an email served by\r\nGmail.\r\nFigure 5.2. The scam and identity theft portion of the campaign. 
After selecting to accept the free iPhone as shown in\r\nFigure 5.1, the user is asked to pay a fee and provide their name and address.\r\nFigure 5.3. The malware portion of the campaign. After the victim pays the fee shown in Figure 5.2, they receive a\r\npackage delivery notification and are asked to show notifications from fubsdgd[.]com. If they accept notifications,\r\nmalware is delivered to the victim’s machine.\r\nFigure 5.4a-b. After accepting notifications shown in Figure 5.3, the user is prompted to provide further details and\r\npreferences in a series of screens.\r\nConclusion\r\nProlific Puma demonstrates how the DNS can be abused to support criminal activity and remain undetected\r\nfor years. As part of the supply chain, this actor is harder to detect and defeat. Traditional security systems protect\r\nthe user from harm based on the final landing page of a link. DNS detection and response systems, however, can\r\ndisrupt Prolific Puma and similar service providers, thereby thwarting all of the actors who rely on them to deliver\r\nphishing, scams, and malware. By using an RDGA and cheap domain registrars, Prolific Puma is able to scale and\r\npersist their operations. But at the same time, we can detect the use of an RDGA through DNS and domain\r\nregistration records.\r\nProlific Puma is only one of the link shortener operators that Infoblox has discovered, and link shorteners are only\r\none type of service found in the shadow economy. Most often we uncover DNS threat actors first through\r\nanalytics that identify suspicious newly registered, configured, or queried domains. 
Even prior to correlating domains with malicious activity, we can use other features, such as TLD and name server reputation, to flag the related domains as suspicious. Later, we are able to connect domains together and isolate a threat actor. By blocking access to suspicious domains, organizations can implement a highly effective, low-regret, high-security policy for their network and users.\r\nIndicators of Activity\r\nBelow is a small selection of indicators related to Prolific Puma and the campaigns they facilitate. A more comprehensive list of recent indicators is found in our open GitHub repository here.\r\nEndnotes\r\n1. https://cybernews.com/editorial/cybercrime-world-third-economy/\r\n2. https://en.wikipedia.org/wiki/URL_shortening\r\n3. 
https://portswigger.net/daily-swig/cybercriminals-use-reverse-tunneling-and-url-shorteners-to-launch-virtually-undetectable-phishing-campaigns\r\n4. https://support.rebrandly.com/hc/en-us/articles/228632488-Blacklisted-URL-Shorteners-Stop-Using-Them-in-Emails-\r\n5. https://urlscan.io/result/3be86d9f-e596-4a9b-9260-d331811262e5/\r\n6. https://urlscan.io/result/00c1d82d-0f03-44b6-96d3-63b503fff464/\r\n7. https://urlscan.io/result/26077ac3-1559-4329-ab48-120181555586/\r\n8. https://urlscan.io/result/726b6baa-d259-4f67-a4f9-aef3bd93aca3/\r\n9. https://turbolab.it/amazon-2444/sms-amazon-hai-messaggio-riguardante-articolo-nome-arrivato-3.-classifica-2960\r\n10. https://attack.mitre.org/tactics/TA0005/\r\n11. https://www.namesilo.com/support/v2/articles/domain-manager/dns-troubleshooting\r\n12. https://www.about.us/faqs\r\n13. https://krebsonsecurity.com/2023/09/why-is-us-being-used-to-phish-so-many-of-us/\r\n14. https://en.wikipedia.org/wiki/.us\r\n15. https://www.namesilo.com/popups/us_abbreviations.php\r\n16. https://www.icann.org/resources/pages/inaccuracy-2013-03-22-en\r\n17. https://www.spamhaus.org/\r\n18. https://www.blackpumas.com/\r\n19. https://en.wikipedia.org/wiki/Black_Pumas\r\n20. https://www.youtube.com/watch?v=an3AkQL62F8\r\n21. https://www.facebook.com/theblackpumas/videos/black-pumas-oct-33-song-breakdown/461719384620852/\r\n22. https://eurocities.eu/latest/ukrainian-refugee-integration-in-lodz-and-timisoara/#:~:text=The%20city%20of%20Lodz%20in,refugees%20since%20the%20Russian%20invasion\r\n23. https://www.youtube.com/watch?v=D_Ap_7wjHls\r\n24. 
https://heimdalsecurity.com/blog/aged-domains-the-silent-danger-to-cybersecurity-new-report/\r\nSource: https://blogs.infoblox.com/cyber-threat-intelligence/prolific-puma-shadowy-link-shortening-service-enables-cybercrime/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blogs.infoblox.com/cyber-threat-intelligence/prolific-puma-shadowy-link-shortening-service-enables-cybercrime/"
	],
	"report_names": [
		"prolific-puma-shadowy-link-shortening-service-enables-cybercrime"
	],
	"threat_actors": [
		{
			"id": "81e941dc-9efc-44a5-b408-a570dd39d4e2",
			"created_at": "2023-11-14T02:00:07.098028Z",
			"updated_at": "2026-04-10T02:00:03.451316Z",
			"deleted_at": null,
			"main_name": "Prolific Puma",
			"aliases": [],
			"source_name": "MISPGALAXY:Prolific Puma",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434291,
	"ts_updated_at": 1775791413,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6cb9629dc5b52b910aceab0924b32175de847d8d.pdf",
		"text": "https://archive.orkl.eu/6cb9629dc5b52b910aceab0924b32175de847d8d.txt",
		"img": "https://archive.orkl.eu/6cb9629dc5b52b910aceab0924b32175de847d8d.jpg"
	}
}