{
	"id": "9d238a16-2cab-4c4e-8590-de1cbb4c0c65",
	"created_at": "2026-04-06T00:18:26.587458Z",
	"updated_at": "2026-04-10T13:12:48.819585Z",
	"deleted_at": null,
	"sha1_hash": "b346b4d4e3036287e5f7cddb87684ef2a556e5ae",
	"title": "The DGA Algorithm Used by Dealply and Bujo Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56517,
	"plain_text": "The DGA Algorithm Used by Dealply and Bujo Campaigns\r\nPublished: 2022-03-01 · Archived: 2026-04-05 14:09:18 UTC\r\nDuring a recent malware hunt [1], the Cato research team identified some distinctive attributes of a DGA that can help security teams automatically spot malware on their network.\r\nThe “Shimmy” DGA\r\nDGAs (Domain Generation Algorithms) are used by attackers to generate a large number of – you guessed it – domains, typically for C\u0026C servers, so that taking down or blocking any single domain does not cut the malware off from its operators. Spotting DGA traffic can be difficult without a clear, searchable pattern.\r\nCato researchers began by collecting traffic metadata from malicious Chrome extensions communicating with their C\u0026C services. Cato maintains a data warehouse built from the metadata of all traffic flows crossing its global private backbone, and we analyze those flows for suspicious traffic to hunt threats on a daily basis.\r\nThe researchers identified the same traffic patterns and network behavior in traffic originating from 80 different malicious Chrome extensions, which belong to the Bujo, Dealply and ManageX families of malicious extensions. By examining the C\u0026C domains, the researchers observed that an algorithm had been used to create them. Many DGAs produce domains that look like random character strings; some contain digits, and others are very long, which makes them look suspicious. These domains, by contrast, are short and pronounceable.\r\nHere are a few examples of the C\u0026C domains (the full list is in the IOC section at the end of this post):\r\nqalus[.]com jurokotu[.]com bunafo[.]com naqodur[.]com womohu[.]com bosojojo[.]com\r\nmucac[.]com kuqotaj[.]com bunupoj[.]com pocakaqu[.]com wuqah[.]com dubocoso[.]com\r\nsanaju[.]com lufacam[.]com cajato[.]com qunadap[.]com dagaju[.]com fupoj[.]com\r\nThe most obvious trait the domains have in common is that they all use the “.com” TLD (Top-Level Domain). Also, all the second-level labels (the part before .com) are five to eight letters long.\r\nThere are other factors shared by the domains. 
For one, they all start with a consonant and then strictly alternate consonants and vowels, so every label has the shape consonant + vowel + consonant + vowel + consonant and so on. As an example, removing the TLD from jurokotu[.]com leaves “jurokotu”; marking consonants as C and vowels as V gives j-u-r-o-k-o-t-u = C-V-C-V-C-V-C-V. Labels of five or seven letters end in a consonant (qalus[.]com, fupoj[.]com), labels of six or eight letters end in a vowel (bunafo[.]com, bosojojo[.]com).\r\nFrom the domains we collected, we could see that the adversaries used only the vowels o, u and a (e and i never appear) and only the consonants q, m, s, p, r, j, k, l, w, b, c, n, d, f, t, h and g (17 letters; v, x, y and z never appear). Clearly, an algorithm has been used to create these domains, and the intention was to make them look as close to real, pronounceable words as possible. That pronounceability also sidesteps the usual DGA heuristics (high character entropy, digits in the label, unusual length), so detection has to key on the restricted alphabet and the alternation pattern instead.\r\nhttps://www.catonetworks.com/blog/the-dga-algorithm-used-by-dealply-and-bujo/\r\nPage 1 of 5\n\n“Shimmy” DGA infrastructure\r\nA few additional notable findings concern the common infrastructure shared by all the C\u0026C domains.\r\nAll domains are registered through the same registrar, Gal Communication (CommuniGal) Ltd. (GalComm), which has previously been associated with the registration of malicious domains [2].\r\nThe domains are also classified as ‘uncategorized’ by URL classification engines. This is consistent with freshly registered, single-purpose malware domains, although on its own ‘uncategorized’ is a weak signal, since many benign new domains are uncategorized too. Opening the domains in a browser returns either a generic landing page or HTTP 403 (Forbidden). However, we believe that server-side controls admit requests from the malicious extensions based on specific HTTP headers, so a manual browser visit or a crawler fetch will not reveal the C\u0026C content; anyone reproducing this should capture the extension’s own requests rather than rely on a plain GET.\r\nAll domains resolve to IP addresses belonging to Amazon AWS (AS16509); the 13.224.x.x addresses in the example below fall within 13.224.0.0/14, a range Amazon publishes as CloudFront, which fits the 403 responses and header-based gating of a CDN-fronted origin. 
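Before turning to the IP behaviour, the naming traits above can be turned directly into a detector. The following is an added example written for this page, not code from the Cato post: it encodes the observed traits (a .com TLD, a label of five to eight letters, a consonant first with strict consonant/vowel alternation, vowels drawn only from a, o and u, consonants only from the 17-letter set above) as a regular expression, runs it over a few constructed DNS-log lines, and counts how many labels the pattern can produce at all. The log line format, the client IPs and the small allow-list of real words are assumptions made for the demonstration.

```python
'''Heuristic matcher for the Shimmy-style DGA labels described above.

Added example, not code from the Cato post. It encodes the traits the post
reports as a regex and applies it to constructed DNS-log lines. The log line
format, the client IPs and the allow-list are assumptions for the demo.
'''
import re
from typing import Iterable, List, Tuple

VOWELS = 'aou'                      # the only vowels seen in the 80 domains
CONSONANTS = 'qmsprjklwbcndfthg'    # the 17 consonants seen (no v, x, y, z)

# A label starts with a consonant and alternates strictly:
#   (CV){2,3}C  -> 5 or 7 letters, ends in a consonant (qalus, focuquc)
#   (CV){3,4}   -> 6 or 8 letters, ends in a vowel     (bunafo, jurokotu)
_C = f'[{CONSONANTS}]'
_V = f'[{VOWELS}]'
SHIMMY_LABEL = re.compile(f'^(?:(?:{_C}{_V}){{2,3}}{_C}|(?:{_C}{_V}){{3,4}})$')

# Constructed allow-list: real words that happen to fit the pattern, which is
# why the regex alone is an enrichment signal rather than a block rule. In
# production use a dictionary or a top-N popular-domain list instead.
KNOWN_WORDS = {'banana', 'tomato', 'canada', 'tobago'}


def registrable_label(domain: str) -> Tuple[str, str]:
    '''Return (second-level label, TLD) for a possibly defanged name.

    Naive two-label split: fine for .com, wrong for ccTLDs such as .co.uk.
    '''
    name = domain.lower().replace('[.]', '.').rstrip('.')
    parts = name.split('.')
    if len(parts) < 2:
        return '', ''
    return parts[-2], parts[-1]


def is_shimmy_domain(domain: str) -> bool:
    '''True if the registrable part is <label>.com and the label fits.'''
    label, tld = registrable_label(domain)
    return tld == 'com' and SHIMMY_LABEL.fullmatch(label) is not None


# Assumed log format: '<timestamp> <client-ip> query <qname> <qtype>'
LOG_LINE = re.compile('^([^ ]+) ([^ ]+) query ([^ ]+) ([^ ]+)$')


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    '''Return (timestamp, client-ip, qname) for queries that fit the pattern
    and whose label is not on the allow-list.'''
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, qname, _qtype = m.groups()
        label, _tld = registrable_label(qname)
        if is_shimmy_domain(qname) and label not in KNOWN_WORDS:
            hits.append((ts, client, qname))
    return hits


def pattern_space() -> int:
    '''Number of distinct labels the observed pattern can produce (5-8 letters).

    Odd positions are consonants and even positions vowels, so a label of
    length n has ceil(n/2) consonant slots and floor(n/2) vowel slots.
    '''
    total = 0
    for n in range(5, 9):
        total += len(CONSONANTS) ** ((n + 1) // 2) * len(VOWELS) ** (n // 2)
    return total


# Constructed sample log: two listed Shimmy domains, one of the example
# domains from the post, a real word that fits the pattern, a wrong TLD
# and two ordinary lookups.
SAMPLE_LOG = '''
2021-04-14T10:02:11Z 10.0.0.12 query tawuhoju.com A
2021-04-14T10:02:12Z 10.0.0.12 query www.google.com A
2021-04-14T10:03:01Z 10.0.0.44 query jurokotu.com A
2021-04-14T10:03:05Z 10.0.0.44 query tomato.com A
2021-04-14T10:04:00Z 10.0.0.9 query qalus.com A
2021-04-14T10:04:07Z 10.0.0.9 query bosojojo.net A
2021-04-14T10:05:00Z 10.0.0.9 query update.microsoft.com A
'''

if __name__ == '__main__':
    for ts, client, qname in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(ts, client, qname)
    print('labels the pattern can produce:', pattern_space())
```

On the sample log, scan_dns_log returns the three Shimmy lookups (tawuhoju, jurokotu, qalus), drops tomato.com through the allow-list and bosojojo.net on the TLD. Ordinary words such as tomato, banana or canada fit the letter pattern, so a match is best used to raise a score alongside the infrastructure signals in this section (GalComm registrar, AWS hosting, uncategorized classification) rather than as a stand-alone block. The pattern can produce only about 9.2 million labels in total, few enough to enumerate and check against passive DNS or a newly-registered-domain feed.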
The domains do not share the same IP, and from time to time the IP for a particular domain changes, as can be seen in this example (dates are DD/MM/YYYY):\r\nDomain          IP address      Date observed\r\ntawuhoju[.]com  13.224.161.119  14/04/2021\r\ntawuhoju[.]com  13.224.161.119  15/04/2021\r\ntawuhoju[.]com  13.224.161.22   23/04/2021\r\ntawuhoju[.]com  13.224.161.22   24/04/2021\r\nBecause the addresses rotate within shared cloud ranges that also serve legitimate traffic, blocking by IP is both unreliable and risky here; the domain pattern and the registrar are the stable indicators.\r\nWrapping Up\r\nGiven all this evidence, it is clear to us that the infrastructure used in these campaigns is hosted on AWS and that this is a very large campaign. We identified many connection points between the 80 C\u0026C domains, characterizing both their DGA and their infrastructure. These traits can be used to identify the C\u0026C communication, and therefore the infected machines, by analyzing network traffic. Security teams can now use these insights to identify the traffic from malicious Chrome extensions.\r\nIOC\r\nThe 80 C\u0026C domains identified in this campaign, defanged (note that qalus[.]com and mucac[.]com from the examples above are not in this list):\r\nbacugo[.]com\r\nbagoj[.]com\r\nbaguhoh[.]com\r\nbosojojo[.]com\r\nbowocofa[.]com\r\nbuduguh[.]com\r\nbujot[.]com\r\nbunafo[.]com\r\nbunupoj[.]com\r\ncagodobo[.]com\r\ncajato[.]com\r\ncopamu[.]com\r\ncusupuh[.]com\r\ndafucah[.]com\r\ndagaju[.]com\r\ndapowar[.]com\r\ndubahu[.]com\r\ndubocoso[.]com\r\ndudujutu[.]com\r\nfocuquc[.]com\r\nfogow[.]com\r\nfokosul[.]com\r\nfupoj[.]com\r\nfusog[.]com\r\nfuwof[.]com\r\ngapaqaw[.]com\r\ngaruq[.]com\r\ngufado[.]com\r\nhamohuhu[.]com\r\nhodafoc[.]com\r\nhoqunuja[.]com\r\nhuful[.]com\r\njagufu[.]com\r\njurokotu[.]com\r\njuwakaha[.]com\r\nkocunolu[.]com\r\nkogarowa[.]com\r\nkohaguk[.]com\r\nkuqotaj[.]com\r\nkuquc[.]com\r\nlohoqoco[.]com\r\nloruwo[.]com\r\nlufacam[.]com\r\nluhatufa[.]com\r\nmocujo[.]com\r\nmoqolan[.]com\r\nmuqudu[.]com\r\nnaqodur[.]com\r\nnokutu[.]com\r\nnopobuq[.]com\r\nnopuwa[.]com\r\nnorugu[.]com\r\nnosahof[.]com\r\nnuqudop[.]com\r\nnusojog[.]com\r\npocakaqu[.]com\r\nponojuju[.]com\r\npowuwuqa[.]com\r\npudacasa[.]com\r\npupahaqo[.]com\r\nqaloqum[.]com\r\nqotun[.]com\r\nqufobuh[.]com\r\nqunadap[.]com\r\nqurajoca[.]com\r\nqusonujo[.]com\r\nrokuq[.]com\r\nruboja[.]com\r\nsanaju[.]com\r\nsarolosa[.]com\r\nsupamajo[.]com\r\ntafasajo[.]com\r\ntawuhoju[.]com\r\ntocopada[.]com\r\ntudoq[.]com\r\nturasawa[.]com\r\nwomohu[.]com\r\nwujop[.]com\r\nwunab[.]com\r\nwuqah[.]com\r\nReferences:\r\n[1] https://www.catonetworks.com/blog/threat-intelligence-feeds-and-endpoint-protection-systems-fail-to-detect-24-malicious-chrome-extensions/\r\n[2] https://awakesecurity.com/blog/the-internets-new-arms-dealers-malicious-domain-registrars/\r\nSource: https://www.catonetworks.com/blog/the-dga-algorithm-used-by-dealply-and-bujo/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.catonetworks.com/blog/the-dga-algorithm-used-by-dealply-and-bujo/"
	],
	"report_names": [
		"the-dga-algorithm-used-by-dealply-and-bujo"
	],
	"threat_actors": [],
	"ts_created_at": 1775434706,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b346b4d4e3036287e5f7cddb87684ef2a556e5ae.pdf",
		"text": "https://archive.orkl.eu/b346b4d4e3036287e5f7cddb87684ef2a556e5ae.txt",
		"img": "https://archive.orkl.eu/b346b4d4e3036287e5f7cddb87684ef2a556e5ae.jpg"
	}
}