{
	"id": "36ca383c-3a46-477b-aead-8eecaa9d38c8",
	"created_at": "2026-04-06T00:10:14.774734Z",
	"updated_at": "2026-04-10T03:20:36.787523Z",
	"deleted_at": null,
	"sha1_hash": "ec84df537624ac0ca20fa1de2e8f976c7e230a27",
	"title": "The Pitfall of Threat Intelligence Whitelisting: Specter Botnet is 'taking over' Top Legit DNS Domains By Using ClouDNS Service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 451014,
	"plain_text": "The Pitfall of Threat Intelligence Whitelisting: Specter Botnet is 'taking over' Top Legit DNS Domains By Using ClouDNS Service\r\nBy Hui Wang\r\nPublished: 2021-11-18 · Archived: 2026-04-05 23:17:33 UTC\r\nAbstract\r\nIn order to reduce the possible impact of false positives, it is common practice in the security industry to whitelist the top Alexa domains such as www.google.com, www.apple.com, www.qq.com and www.alipay.com. We have also seen various machine learning detection models that bypass data when they see these popular Internet business domains.\r\nThe security war between white and black never ends: white hats want to see \"black\" in the data, while hackers always try to blend in and appear \"white\". In the following article, we will see an interesting case which shows that the white we see is not necessarily white.\r\nOur BotMon tracking system recently highlighted that the Specter botnet family started to use two domains, api.github.com and www.ibm.com, as C2 domains for its control communication, while everyone knows for sure that there is just no way for these FQDNs to be malicious. The hacker utilized a pretty bizarre feature of one public DNS provider, ClouDNS, to make this all possible.\r\nDoing this will definitely bring trouble to IoC-based threat intelligence security, as the C2 domains are absolutely white.\r\nOrigins\r\nWe first disclosed the Specter botnet back in September last year (September 2020). 
The botnet is a remote control trojan (RAT) for Linux platforms with flexible configuration and a highly modular/plugin-based design. It consists of three major modules: Dropper, Loader, and Plugin, with the main functions determined by the Loader \u0026 Plugin, and this botnet has been active continuously since our disclosure.\r\nIn September this year, our BotMon's C2 auto-extraction system alerted us that there was an update of Specter's sample and the auto-extracted C2 was api.github.com on port 80.\r\nThere is no need to explain what api.github.com is. Although we have seen many malware families using github.com before, they pretty much all just use its web service to download their own malicious programs.\r\nBut how can Specter use api.github.com as its C2 communication node and pass control traffic back and forth between GitHub and its bots? Was GitHub hacked, or was it a bug in our own C2 auto-extraction module?\r\nWe took a close look at the sample (md5: 2aec3f06abd677f5f129ddb55d2cde67) and saw that the Specter update focused on the structure of the C2 configuration file. The C2 config in the previous versions could be located by searching for the SpectCF string; the new version eliminated this. The following is the decrypted C2 configuration file of this sample; the green part is the C2, api.github.com:80, mentioned above.\r\nhttps://blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/\r\nPage 1 of 8\r\nThe data in red is new in this update, and what is it? 
After parsing it in little-endian format, we found that it is the following 4 IP addresses, belonging to the DNS hosting provider ClouDNS:\r\n85.159.233.158\r\n108.59.1.30\r\n217.182.183.225\r\n185.206.180.169\r\nThe new Specter sample sends DNS requests to the C2 using the following code snippet, which has the logic to craft the DNS request packets and ask the DNS IPs described above about the FQDN to finally get the C2 address.\r\nReaders can use the dig commands below on their own and see the difference quite clearly by comparing their output.\r\ndig api.github.com @8.8.8.8\r\ndig api.github.com @85.159.233.158\r\nAt this point the fog clears: the C2 api.github.com used by Specter is actually a subdomain under the zone github.com registered with the DNS hosting provider ClouDNS. As long as the hacker uses the resolution server provided by ClouDNS, the resolution of api.github.com can be any IP the hacker picks.\r\nGitHub was not hacked, the Specter botnet operator did not enter the wrong C2 domain, and our C2 auto-extraction was not buggy, but the white domain api.github.com did indeed become a working C2 domain for this botnet. This totally legit domain can easily deceive malware analysts and is a great challenge for security tools based on black and white list rules.\r\nClouDNS\r\nGiven the above exploitation process, let's explore ClouDNS a little bit more here.\r\nClouDNS is a global managed DNS service provider based in Europe, offering services including GeoDNS, Anycast DNS and DNS DDoS protection.\r\nClouDNS allows arbitrary registration of DNS zones and the addition of sub-domain resolution. We registered (and later removed after the test) a DNS zone named nsa.gov, added a sub-level domain name test and resolved it to 16.16.16.16. 
ClouDNS assigned us 4 name servers to resolve this domain name, as shown below. Once created successfully, the name servers assigned by the platform can be used to resolve the domain name we created.\r\nTheoretically, we can register any zone on ClouDNS that is not registered or not restricted by ClouDNS, and the aforementioned Specter C2 api.github.com is a domain name generated in this way.\r\nNot only that, but ClouDNS also has a \"mysterious logic\" in determining whether a domain is \"registered\" or not. As mentioned earlier, github.com was already registered on ClouDNS by the Specter gang, but when we tried to re-register the github.com zone, we were able to do so, just with a different batch of NSs than the Specter gang, as shown here.\r\nSo, ClouDNS supports creating the same zones as long as they are on different NS servers; this is pretty bizarre behavior.\r\nIn fact, based on our tests, not only ClouDNS but also some other DNS hosting providers have similar \"vulnerabilities\" in the verification of hosted domains; this is not the topic to be covered in this article though.\r\nExplore ClouDNS Random Registration ZONEs\r\nBased on our own Passive DNS data, we selected the TOP 1M popular second-level domains and did some serious tests. We wanted to find out how many SLDs of domains in the existing DNS system were registered with ClouDNS as new zones and how many of them could be malicious.\r\nThe results of the probe showed that there were approximately 300 second-level domains that were registered in bad faith. 
Some of the maliciously registered SLDs in ClouDNS are as follows.\r\nIn addition, we also selected the popular TOP 1M FQDNs to check against ClouDNS, and the results showed that there are over 300 FQDNs that can generate abnormal resolution in ClouDNS; after clean-up, we found that at least 192 FQDNs are maliciously registered.\r\nSummary\r\nWe have yet to see other malicious actors using this technique on a large 
scale; however, this is an important reminder for us that there are cases of malicious behavior being carried out under the cover of apparently normal network behavior.\r\nContact us\r\nReaders are always welcome to reach us on Twitter or email us at netlab at 360 dot cn.\r\nIOC\r\nSample MD5\r\n0ffa01708fd0c67c78e9055b8839d24d\r\n162c245378b2e21bdab6ef35dfaad6b1\r\n2aec3f06abd677f5f129ddb55d2cde67\r\nCC\r\n45.141.70.5\r\nwww.ibm.com @pns101.cloudns.net\r\napi.github.com @ns103.cloudns.net\r\nSource: https://blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/"
	],
	"report_names": [
		"the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service"
	],
	"threat_actors": [],
	"ts_created_at": 1775434214,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec84df537624ac0ca20fa1de2e8f976c7e230a27.pdf",
		"text": "https://archive.orkl.eu/ec84df537624ac0ca20fa1de2e8f976c7e230a27.txt",
		"img": "https://archive.orkl.eu/ec84df537624ac0ca20fa1de2e8f976c7e230a27.jpg"
	}
}