{
	"id": "f4dbafbf-59ac-4cf9-bc3f-29e328562339",
	"created_at": "2026-04-06T00:16:23.909519Z",
	"updated_at": "2026-04-10T03:35:21.443014Z",
	"deleted_at": null,
	"sha1_hash": "82d28b14cff1b4112f593f91d4d33fe15fc5daa0",
	"title": "How To Track Malware Infrastructure - Identifying MatanBuchus Domains Through Hardcoded Certificate Values",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1816668,
	"plain_text": "How To Track Malware Infrastructure - Identifying MatanBuchus\r\nDomains Through Hardcoded Certificate Values\r\nBy Matthew\r\nPublished: 2024-04-04 · Archived: 2026-04-05 21:28:22 UTC\r\nIn this blog we will identify 6 malicious domains that are likely hosting MatanBuchus malware. We will identify\r\nthese domains through the usage of hardcoded subdomains in the TLS Certificate of the initial shared domain.\r\nAfter leveraging the hardcoded subdomains, we will leverage registration dates and certificate providers to hone in\r\non our final results. Ultimately this will produce 6 domains sharing the same financial theme that was shared in\r\nthe initial intel.\r\nInitial Intelligence\r\nThis post is based on initial intelligence shared by @unit42_intel in an original post here.\r\nIn this post, Unit42 shared details of a treasurybanks[.]org domain used in malicious ads targeting users\r\nlooking for funds recovery services.\r\nReview of First Historical Address\r\nSince the initial indicator was a domain and not an IP address, we can use a passive dns tool like Validin to review\r\nindicators and history about the domain.\r\nOur first step here is to look for historical IP resolutions which may point to similar domains hosted on the same\r\nservers.\r\nhttps://www.embeeresearch.io/tls-certificates-for-threat-intel-dns/\r\nPage 1 of 12\n\nLeveraging Validin for the initial search, we can see that the domain has recently resolved to 47.90.170[.]226\r\nand 91.195.240[.]123\r\nOur next step was to review the historical records for these IP addresses and determine if they resolved to any\r\nsimilar-looking domains in a similar time period.\r\nReviewing the most recent resolved IP address of 47.90.170[.]226 , there are 19 domains that have been\r\nassociated with this address. 
The most recent five are the original treasurybanks[.]org and its subdomains www, get, download and file.\r\nThe other domains are from a much older time period and show no indication of being related to treasurybanks[.]org, so we set them aside, to revisit if other searches did not yield results.\r\nReview of Second Historical Address\r\nThe second most recently resolved IP address for treasurybanks[.]org is 91.195.240[.]123.\r\nWe can again pivot on this IP address and look for similar domain records that may point us to related sites.\r\nThe address 91.195.240[.]123 has a huge number of past records, indicating that it is likely a proxy or some kind of \"middle\" infrastructure shared among thousands of other sites.\r\nReviewing its historical records did not yield any useful results, and neither did its historical DNS records turn up any similar sites.\r\nFinding a First Pivot Point\r\nAttempts to pivot on the historical IP records did not yield any meaningful results, so we returned to the interesting subdomains observed on the initial treasurybanks[.]org.\r\nIf we inspect the certificate history for the treasurybanks[.]org domain, we can see that these subdomains are listed explicitly in the certificate (each as its own Subject Alternative Name entry), in contrast to a typical wildcard certificate that would carry a single entry such as *.treasurybanks[.]org.\r\nSince the subdomains are listed explicitly, we used them as a pivot point, the assumption being that the same operator tooling requests the same set of names for each new domain.\r\nOf additional note, the certificate was issued by GeoTrust (a DigiCert brand) with a validity start date (not_before) of 2024-03-06. 
This information we can use as additional pivot points later.\r\nPivoting on Subdomains In TLS Certificates\r\nWe can now attempt to use the following indicators to identify new domains:\r\nExplicitly listed subdomains (www, file, get, download)\r\nUse of GeoTrust (DigiCert) as the certificate issuer\r\nCertificate issuance dates around March 2024\r\nTo perform the initial search for the explicitly listed subdomains, we used Censys to search certificates whose listed names begin with the previously identified subdomain labels.\r\nThe initial search returned 581 results, many of which did not look anything like the original certificate for treasurybanks[.]org.\r\nHowever, after scrolling slightly through the first page of results, we can see two certificates (maxrecovery[.]org and myfundsrecovery[.]org) that look extremely similar to our initial treasurybanks[.]org.\r\nWe can also note that both of these certificates were issued by GeoTrust in March 2024.\r\nApplying Filters On GeoTrust/Digicert\r\nTo hone in on the results, we can add a filter for DigiCert (the owner of GeoTrust) as the certificate issuer. 
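The filter chain used in this post, as an added example that is not code from the original post: a short Python script that takes a constructed list of parsed certificate records (the field names loosely mirror the Censys parsed.names, issuer and validity_period fields; the example.net, example.com and example.org entries are constructed decoys, and only the treasurybanks[.]org record, with its GeoTrust/DigiCert issuer and 2024-03-06 validity start, is taken from the post) and applies the three pivots in the order the post applies them: explicitly listed www/get/download/file names with wildcard entries ignored, a DigiCert issuer organisation, and the not_before window of 2024-01-01 to 2024-03-30 combined with the not-expired check that the post mentions as the alternative filter. The issuer organisation string DigiCert Inc and the expired flags are assumptions for illustration.

```python
# Added example (not code from the original post): the certificate pivot used in
# this post, reproduced offline against a small constructed set of certificate
# records. The record layout loosely mirrors the Censys parsed.names, issuer and
# validity_period fields; the example.* entries are constructed decoys and only
# the treasurybanks.org record (names, GeoTrust/DigiCert issuer, 2024-03-06
# not_before) is taken from the post. Names are written undefanged so that the
# label parsing works on them.
from datetime import date

# Indicators from the post: the four explicitly listed subdomain labels, the
# issuer organisation (GeoTrust is a DigiCert brand; the issuer O field is
# assumed here to read DigiCert Inc) and the not_before window applied in Censys.
PIVOT_LABELS = {'www', 'get', 'download', 'file'}
ISSUER_ORG = 'digicert'
NOT_BEFORE_MIN = date(2024, 1, 1)
NOT_BEFORE_MAX = date(2024, 3, 30)


def full_set(base):
    # Helper that spells out the base domain plus the four pivot labels.
    return [base] + [label + '.' + base for label in sorted(PIVOT_LABELS)]


SAMPLE_CERTS = [
    # Record from the post (issuer org and expired flag assumed for the search date).
    {'names': full_set('treasurybanks.org'), 'issuer_org': 'DigiCert Inc',
     'not_before': date(2024, 3, 6), 'expired': False},
    # Constructed decoy 1: a wildcard covers the same hosts but lists none of them.
    {'names': ['example.net', '*.example.net'], 'issuer_org': 'DigiCert Inc',
     'not_before': date(2024, 3, 1), 'expired': False},
    # Constructed decoy 2: right labels, different issuer.
    {'names': full_set('example.com'), 'issuer_org': 'Sectigo Limited',
     'not_before': date(2024, 2, 20), 'expired': False},
    # Constructed decoy 3: right labels and issuer, but issued years ago and expired.
    {'names': full_set('example.org'), 'issuer_org': 'DigiCert Inc',
     'not_before': date(2019, 5, 10), 'expired': True},
]


def base_domain(name):
    # Registrable-domain approximation: the last two labels. Adequate for the
    # .org/.com/.net names used here; real tooling should consult the public
    # suffix list so that names under e.g. co.uk are split correctly.
    return '.'.join(name.lower().split('.')[-2:])


def hardcoded_labels(cert):
    '''Map each base domain in the certificate to the set of subdomain labels
    listed explicitly for it. Wildcard entries are skipped on purpose: the
    pivot only works when the operator spelled the names out.'''
    found = {}
    for name in cert['names']:
        name = name.lower()
        if name.startswith('*.'):
            continue
        base = base_domain(name)
        prefix = name[:-len(base)].rstrip('.')
        labels = found.setdefault(base, set())
        if prefix:
            labels.add(prefix)
    return found


def matches_subdomain_pivot(cert, labels=PIVOT_LABELS):
    # Stage 1: every pivot label must be listed explicitly for one base domain.
    return any(labels <= listed for listed in hardcoded_labels(cert).values())


def matches_issuer(cert, org=ISSUER_ORG):
    # Stage 2: the DigiCert issuer filter, as a case-insensitive substring match.
    return org in cert['issuer_org'].lower()


def matches_window(cert, lo=NOT_BEFORE_MIN, hi=NOT_BEFORE_MAX):
    # Stage 3: not_before inside the window, and not expired (the post offers
    # either filter; applying both costs nothing).
    return lo <= cert['not_before'] <= hi and not cert['expired']


def pivot(certs):
    '''Apply the three filters in the order the post applies them and return
    the sorted base domains surviving each stage.'''
    stage1 = [c for c in certs if matches_subdomain_pivot(c)]
    stage2 = [c for c in stage1 if matches_issuer(c)]
    stage3 = [c for c in stage2 if matches_window(c)]

    def names(certs_at_stage):
        return sorted({base for c in certs_at_stage for base in hardcoded_labels(c)})

    return {'subdomains': names(stage1), 'issuer': names(stage2), 'window': names(stage3)}


if __name__ == '__main__':
    for stage, domains in pivot(SAMPLE_CERTS).items():
        print(stage, domains)
```

The per-stage output makes the funnel visible: the wildcard decoy never enters the candidate set, the Sectigo decoy drops at the issuer filter, and the 2019 certificate drops at the date window, leaving only the record that shares all three properties with the initial intel.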
Adding the DigiCert issuer filter narrows the results to 15 related certificates.\r\nSome of these look exactly like our original domain, indicating that we are getting closer to the desired search results.\r\nHowever, if we scroll down to the end of the 15 results, there are still multiple hits for certificates that look nothing like our treasurybanks[.]org certificate.\r\nWe can also see that these certificates were issued years ago and are now expired, so we can use this to filter them out.\r\nApplying Time-Based Filters\r\nTo filter out the 8 undesired results, we can either add a filter that ignores expired certificates (and not labels:expired) or add a filter that restricts results to certificates issued in 2024.\r\nWe chose the second option, allowing only certificates issued in 2024. This is applied to the parsed.validity_period.not_before field, specifying a date range of 2024-01-01 to 2024-03-30.\r\nAfter applying these filters we are left with 7 results.\r\nOf particular interest, our final 7 results all:\r\nfollow the same subdomain structure\r\nhave certificates issued in March 2024\r\nmostly follow the same financial theme\r\nUsing urlscan.io to look at these domains, we can see a page structure extremely similar to that initially reported by Unit42.\r\n(Screenshots: the newly identified domain maxrecovery[.]org, and the initially reported domain treasurybanks[.]org.)\r\nastrologytop[.]com looks completely different; it may be a control panel or something unrelated in nature.\r\nBulk Review of Domain History\r\nReturning to 
Validin with our new list of domains, we can perform a bulk search to look for commonalities.\r\nThis reveals that many of the results have previously resolved to 91.195.240[.]123, demonstrating an additional link in their history.\r\nWe can also note that the most recently resolved addresses differ, but all fall within ranges owned by Alibaba, indicating another commonality.\r\nOne slight exception to this pattern is the astrologytop[.]com domain, which currently resolves to an Alibaba IP but does not share the same history as the other domains.\r\nWe were unable to confirm whether this domain is definitely related. However, there are enough suspicious indicators to suggest that it might be.\r\nFinal Domains\r\nHigh Confidence\r\ntreasurybanks[.]org\r\nmyfundsrecovery[.]org\r\nmaxrecovery[.]org\r\ndeptoftreasury[.]org\r\nusdatarecovery[.]org\r\nLower Confidence\r\nastrologytop[.]com\r\nAll 
Results\r\ntreasurybanks[.]org\r\ndownload[.]treasurybanks[.]org\r\nfile[.]treasurybanks[.]org\r\nget[.]treasurybanks[.]org\r\nwww[.]treasurybanks[.]org\r\nastrologytop[.]com\r\ndownload[.]astrologytop[.]com\r\nfile[.]astrologytop[.]com\r\nget[.]astrologytop[.]com\r\nwww[.]astrologytop[.]com\r\nmyfundsrecovery[.]org\r\ndownload[.]myfundsrecovery[.]org\r\nfile[.]myfundsrecovery[.]org\r\nget[.]myfundsrecovery[.]org\r\nwww[.]myfundsrecovery[.]org\r\nmaxrecovery[.]org\r\ndownload[.]maxrecovery[.]org\r\nfile[.]maxrecovery[.]org\r\nget[.]maxrecovery[.]org\r\nwww[.]maxrecovery[.]org\r\ndeptoftreasury[.]org\r\ndownload[.]deptoftreasury[.]org\r\nfile[.]deptoftreasury[.]org\r\nget[.]deptoftreasury[.]org\r\nwww[.]deptoftreasury[.]org\r\nusdatarecovery[.]org\r\ndownload[.]usdatarecovery[.]org\r\nfile[.]usdatarecovery[.]org\r\nget[.]usdatarecovery[.]org\r\nwww[.]usdatarecovery[.]org\r\nSource: https://www.embeeresearch.io/tls-certificates-for-threat-intel-dns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.embeeresearch.io/tls-certificates-for-threat-intel-dns/"
	],
	"report_names": [
		"tls-certificates-for-threat-intel-dns"
	],
	"threat_actors": [
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434583,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82d28b14cff1b4112f593f91d4d33fe15fc5daa0.pdf",
		"text": "https://archive.orkl.eu/82d28b14cff1b4112f593f91d4d33fe15fc5daa0.txt",
		"img": "https://archive.orkl.eu/82d28b14cff1b4112f593f91d4d33fe15fc5daa0.jpg"
	}
}