{
	"id": "fe7aed90-2fe3-4d30-b7ec-edb4fb271b83",
	"created_at": "2026-04-06T00:20:06.899332Z",
	"updated_at": "2026-04-10T13:12:01.598179Z",
	"deleted_at": null,
	"sha1_hash": "acb0fc8d8146a1f689a831efda6f475033185c8d",
	"title": "Finding AnchorDNS C2s With Iris Investigate - DomainTools | Start Here. Know Now.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 328537,
	"plain_text": "Finding AnchorDNS C2s With Iris Investigate - DomainTools |\r\nStart Here. Know Now.\r\nBy Chad Anderson\r\nArchived: 2026-04-05 18:07:09 UTC\r\nExecutive Summary\r\nTaking Kryptos Logic’s initial report, DomainTools Researchers illustrate how to hunt for AnchorDNS C2s in\r\ninfrastructure data with a combination of passive DNS and infrastructure observables for identifying those C2s\r\naccurately. Through this process they uncover an additional four C2 domains not found in the initial reporting.\r\nBackground on AnchorDNS\r\nAnchorDNS is a backdoor most commonly used by TrickBot when going after their most prized victims. As an\r\nexfiltration tool, AnchorDNS uses DNS for C2 communications as well as exfiltration of data. This remains highly\r\neffective as most organizations do not filter their outbound DNS traffic.\r\nLast week the researchers at Kryptos Logic published an article on recent changes to AnchorDNS and a new tool\r\ndubbed Anchor Adjuster that allows the attackers using the exfiltration tool to adjust the configuration on the fly\r\nfor further evasion. Along with this tool comes a change in the way that the malware communicates with the C2 as\r\nwell as new encoding that makes detection more difficult. This is all run from Cobalt Strike, the commercial tool\r\nloved by so many threat actors operating today.\r\nhttps://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate\r\nPage 1 of 4\n\nHunting AnchorDNS\r\nKryptos Logic provides an excellent breakdown of the changes in operation along with a fully detailed write up of\r\nthe various queries and responses that’s worth reading if you are a defender looking into these samples. 
Through\r\ntheir analysis of the samples, Kryptos Logic found the following set of C2 domains:\r\nfarfaris[.]com\r\nkalarada[.]com\r\nxyskencevli[.]com\r\nsluaknhbsoe[.]com\r\njetbiokleas[.]com\r\nnyhgloksa[.]com\r\nLooking for ways to detect new C2s through our daily scanning of the Internet, DomainTools Researchers noticed\r\nan interesting change when reading this report that we will pivot on: the sleep and retry response from the C2.\r\nWhen an AnchorDNS C2 receives a bot’s command successfully, the C2 responds with its own IP address.\r\nAdditionally, when the C2 is unable to respond, the response will be 239.255.255[.]255, which tells the bot to sleep\r\nfor the configured amount of time and retry later. Typically, addresses under 224.0.0.0/4 are reserved for\r\nmulticast and shouldn’t be seen in a DNS response in this way. This makes looking for them in passive DNS and\r\nsubsequently verifying the resulting domains based on their query labels matching the AnchorDNS encoding\r\nscheme rather trivial.\r\nDue to the encoding scheme there ends up being a lot of noise in these queries. In fact, if we query Farsight\r\npassive DNS alone for the number of results that match our query within the time frame that this AnchorDNS\r\nvariant has been active, we see over 130,000 query and response pairs.\r\nTo reduce the noise we can filter these by just the second-level domain (SLD). Iris Investigate does this\r\nautomatically for you with the “Send Domains to Pivot Engine” button in the bottom-right of the passive DNS\r\ninterface. 
Once in the Pivot Engine there are a number of new potential C2 domains:\r\nlimeal[.]com\r\nmuncuc[.]com\r\nnewarg[.]com\r\ntuxomibo[.]com\r\nIf we examine those domains alongside the known domains from the original Kryptos Logic report, we see that\r\nthe known domains are already scored by the DomainTools Risk Score engine as 100 or already on a blocklist.\r\nThe other new C2 domains are in varying states of risk, some high enough to be alarming and others flying under\r\nthe radar entirely.\r\nAdditional Observations\r\nSince DomainTools researchers like to treat all indicators of compromise (IoCs) as composite objects, there are a\r\nfew other elements of this C2 infrastructure, beyond the noise and construction of the query and response pairs found in passive\r\nDNS, that could be used in hunting for C2s in the future. These additional\r\nelements are important because they are fundamental to how these new samples work, and together they make up a more robust\r\nmethod for identifying this infrastructure.\r\nThe oldest domain in this set that matches our profile is muncuc[.]com and comes in at just less than a year old\r\nwith records up to the time of this writing. This tells us that when hunting for these result sets, researchers can\r\ntime-box to the last year when looking for new C2 infrastructure and that older infrastructure remains active.\r\nNext, there is the use of a varied number of hosting providers, but there are overlaps in ColoCrossing (AS36532),\r\nGreen Floid (AS50979), and Owned-Networks (AS40676). 
This shows a preference that can be used to narrow\r\ndown potential detections before moving further up the Pyramid of Pain and analyzing a sample to discover the\r\nspecific, custom encoding for the DNS queries.\r\nLastly, the IP of the A record is the same as the IP of the two NS records, which point to ns1.[domain].com and\r\nns2.[domain].com. This makes sense and is a requirement for malicious infrastructure performing DNS tunneling.\r\nWithout control of the nameservers, the attackers could not have the additional logic required to parse and respond\r\nto messages with commands. In fact, this is often a quick indicator that a domain is malicious, as most legitimate\r\ngroups opt to outsource their DNS infrastructure these days to a number of different cloud services that make\r\nmanagement easy and programmatic.\r\nTakeaways\r\nData sets such as passive DNS are ideal for hunting for C2 communications that leverage DNS for exfiltration due\r\nto the sheer number of query and response pairs required by the attacker. While this data is available in public data\r\nsets like the four passive DNS providers in DomainTools Iris Investigate, a similar setup using free and open\r\nsource tools such as CIRCL’s d4 Project can be useful for passively monitoring the DNS queries in your own\r\ninfrastructure and useful for revealing malicious software operating over DNS.\r\nAdditionally, domain data found in Iris Investigate is useful for further verification of any domains which surface\r\nas potential C2 communication. 
Attackers have to control the entirety of a nameserver for DNS exfiltration and\r\nsignaling, so NS records for C2 domains are always a useful signal in determining the intent of a domain.\r\nIris Hash Containing All Known C2s\r\nU2FsdGVkX19QbpKjLRpwXzsMlsolXaIChMZoKECwCmCkCtr06hGK0ginsvV/jsBNNd5fNML2HOcDz0GBqdRKXZCp+PkEqszeatgJq\r\nSource: https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate"
	],
	"report_names": [
		"finding-anchordns-c2s-with-iris-investigate"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/acb0fc8d8146a1f689a831efda6f475033185c8d.pdf",
		"text": "https://archive.orkl.eu/acb0fc8d8146a1f689a831efda6f475033185c8d.txt",
		"img": "https://archive.orkl.eu/acb0fc8d8146a1f689a831efda6f475033185c8d.jpg"
	}
}