{
	"id": "c020a6a6-311b-4edf-99ae-9e52b340634a",
	"created_at": "2026-04-06T00:15:06.55669Z",
	"updated_at": "2026-04-10T03:22:04.333166Z",
	"deleted_at": null,
	"sha1_hash": "6eee85994b78b28fd281b44aa6ef38d2d9b618f0",
	"title": "How To Track Malicious Infrastructure With DNS Records - Vultur Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 982716,
	"plain_text": "How To Track Malicious Infrastructure With DNS Records - Vultur Banking Trojan\r\nBy Matthew\r\nPublished: 2024-04-11 · Archived: 2026-04-06 00:04:23 UTC\r\nThreat actors are known for monitoring public reports and adjusting infrastructure that they believe may be compromised. As intelligence analysts, it's important to be able to keep up with these changes and update intelligence queries accordingly.\r\nIn this blog, we'll examine an example in which the developers behind the Vultur banking trojan appear to have updated the naming scheme of their domain infrastructure in response to a public threat intelligence report.\r\nWe will use passive DNS tooling to cross-examine historical domains and identify common infrastructure and patterns in naming schemes. We will leverage these as pivot points to identify 13 new domains in use by the Vultur developers.\r\nInitial Intelligence\r\nThe initial intelligence for this post originates from a fantastic Fox-IT article describing Vultur activity. The article goes into great detail about Vultur and its capabilities.\r\nWe won't be covering the Vultur functionality here; instead, we will leverage the provided dropper distribution URLs to identify additional infrastructure.\r\nThe original dropper distribution URLs provided in the Fox-IT article can be seen below.\r\nhttps://embeeresearch.io/infrastructure-tracking-locating-vultur-domains-with-passive-dns/\r\nPage 1 of 11\r\nInitial URLs provided by Fox-IT Report on Vultur\r\nInitial Analysis Of Distribution URLs\r\nThe first step here is to gather basic intelligence on the initially reported URLs.\r\nWe will be leveraging Validin for this analysis. However, you are welcome to use any passive DNS tooling that you have access to.\r\nThe initial intelligence can be obtained using a bulk lookup, which provides a summary of the historical IP addresses associated with each initial domain.\r\nWe can leverage this to look for any commonalities in the historical IP addresses and establish an initial pivot point.\r\nThe bulk lookup returns the list of historical IPs for the domains, and immediately we can see a commonality in historical IP addresses, which we can leverage as an initial pivot point.\r\nBelow we can see that several of the domains have historically resolved to the same IP address of 82.221.136[.]47\r\nInitial Pivot on Common IP Address\r\nWith a common IP address identified across several (but not all) of the initial URLs, we can leverage this as a pivot point by searching on the IP address and viewing the domains that have previously been associated with it.\r\nIn this case there are over 5000 domains associated, indicating that this IP is likely a load balancer, proxy, or some kind of shared infrastructure.\r\nThis means that the IP itself may not be malicious, but there are malicious domains routing through it.\r\nPivoting on Subdomain\r\nThe initial intelligence shows that the malicious domains all contain the \"mcafee\" subdomain.\r\nWe can leverage this to narrow down our 5000 domains to only those that contain \"mcafee\".\r\nApplying the \"mcafee\" filter brings the 5000+ results down to only 24.\r\nThese 24 results show several of our initial domains and some new domains that use a hyphen between the numerical values.\r\nIf we repeat this process for other observed IP addresses, we can see some of the same URLs provided in the initial report, as well as some new results where the actor has increased the number of numerical values and included a hyphen.\r\nThis process can be repeated with the remainder of the IPs found in the initial bulk search, as well as with new IPs discovered in historical records during the investigation process.\r\nDuring our initial review, we were able to obtain 13 domains on the same infrastructure that were not included in the initial report.\r\nAs we did not check every IP address and resolve every domain, there are likely more out there that can be found with extra searching. You are welcome to try and find more using the free Community Edition of Validin.\r\nValidin\r\nValidin offers cutting-edge DNS, certificate, and crawling data services to empower threat researchers and corporate security teams. Identify, track, and mitigate risks with our advanced threat intelligence solutions.\r\nList of Malicious Domains\r\nmcafee.0041-3413[.]com\r\nmcafee.0041-5413[.]com\r\nmcafee.0051-4413[.]com\r\nmcafee.0051-6413[.]com\r\nmcafee.357-46[.]com\r\nmcafee.486-31[.]com\r\nmcafee.5541-23[.]com\r\nmcafee.5814-1601[.]com\r\nmcafee.5832-1414[.]com\r\nmcafee.5832-3414[.]com\r\nmcafee.654-87[.]com\r\nmcafee.789-20[.]com\r\nmcafee.798-13[.]com\r\nVirusTotal Review\r\nSource: https://embeeresearch.io/infrastructure-tracking-locating-vultur-domains-with-passive-dns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embeeresearch.io/infrastructure-tracking-locating-vultur-domains-with-passive-dns/"
	],
	"report_names": [
		"infrastructure-tracking-locating-vultur-domains-with-passive-dns"
	],
	"threat_actors": [],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6eee85994b78b28fd281b44aa6ef38d2d9b618f0.pdf",
		"text": "https://archive.orkl.eu/6eee85994b78b28fd281b44aa6ef38d2d9b618f0.txt",
		"img": "https://archive.orkl.eu/6eee85994b78b28fd281b44aa6ef38d2d9b618f0.jpg"
	}
}