{
	"id": "7489174d-e1df-49d0-b651-2251750fd1b0",
	"created_at": "2026-04-06T00:09:43.043538Z",
	"updated_at": "2026-04-10T03:20:55.645839Z",
	"deleted_at": null,
	"sha1_hash": "f978aab5185bec657a5d94e97f2f16a7ee9b81c7",
	"title": "Introduction To Malware Infrastructure Analysis With Passive DNS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1853511,
	"plain_text": "Introduction To Malware Infrastructure Analysis With Passive DNS\r\nBy Matthew\r\nPublished: 2024-03-27 · Archived: 2026-04-02 12:01:50 UTC\r\nWe recently became aware of an awesome DNS analysis tool called Validin, which can be used to analyse malicious domains and show related infrastructure using DNS records.\r\nThis has been super useful, as existing infrastructure analysis tools are primarily focused on analysis and pivoting from IPs, which functions very differently to pivoting from domains.\r\nThe primary concept of DNS pivoting is simple: use DNS history and domain names to identify patterns and related indicators which threat actors have re-used when deploying infrastructure.\r\nSince we're having a lot of fun with the tool and the techniques, we wanted to share some cool and useful examples that we have encountered so far.\r\nYou can follow along with the free community version available here.\r\nValidin\r\nValidin offers cutting-edge DNS, certificate, and crawling data services to empower threat researchers and corporate security teams. Identify, track, and mitigate risks with our advanced threat intelligence solutions.\r\nhttps://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/\r\nPage 1 of 16\r\nPractical Use Cases\r\nIdentifying the history of a domain (Current and Previous IPs)\r\nFinding lookalike domains with similar names\r\nIdentifying domains that resolve to the same IP\r\nIdentifying domains with a similar parent domain (.duckdns.org, .ddns, etc.)\r\nLokiBot - Identifying IP History\r\nAs an initial example using Validin, we can take this domain, which was reported as LokiBot on ThreatFox.\r\nBy searching for the domain sempersim[.]su, we can obtain a full history of IP infrastructure related to it.\r\n(A link to this search can be found here and followed with a free account)\r\nThere are a large number of IPs associated with this domain. The first was seen in 2022, and the resolution has changed constantly since then.\r\nThis is an indicator that the actor is regularly changing up their infrastructure, possibly in response to intel sharing or takedowns.\r\nThis can be better visualized in the timeline feature demonstrated below. Many of the IPs are short-lived, and some have lasted longer than others.\r\nLokiBot - Identifying Related Domains\r\nIn the initial search on our sempersim[.]su domain, the most recently added result was an IP address of 104.237.252[.]28.\r\nWe can pivot on this IP address and view the history of related domains; this allows us to identify additional domains which have resolved to the same server as sempersim[.]su.\r\nBy searching or clicking on 104.237.252[.]28, we can pivot on this IP and see if there are any recent domains pointing to the same location.\r\nIn this case, there are 6 domains that have been pointing at this address in the 2 weeks prior to this analysis.\r\nFour of these results seem to be impersonating iCloud services (using L instead of I).\r\nThe resulting domains can be investigated and validated with other tooling; here is one such example of the first related domain lcloud.com[.]de in VirusTotal.\r\nThe remaining results are highly suspicious and are likely related to the same actor as the initial sempersim[.]su domain.\r\nIdentifying Lookalike Domains\r\nThe previous analysis pivoted from sempersim[.]su to identify a new domain of lcloud.com[.]de (L instead of I).\r\nThis new indicator is highly suspicious as it appears to be impersonating an Apple iCloud service.\r\nIf an actor is utilising one fake iCloud domain, they potentially have more using the same technique. We can validate this theory using the lookalike domain feature on the lcloud.com[.]de domain.\r\nThis search returns 1033 total results for domains with the same misspelling, but for the purposes of demonstration, we will use the first new result of lcloud.com[.]se.\r\nPivoting on this new .se domain reveals a history of 15 IP addresses ranging from 2019 to 2023.\r\nThe most recent (based on first seen) of these IP addresses is 194.295.220[.]41; initial analysis of this IP with VirusTotal reveals 9 related detections.\r\nReview of the communicating files for this IP reveals multiple files related to the \"Bagle Worm\".\r\nWe are not particularly familiar with Bagle, but at first glance it seems wildly different to the initial indicator, which was based on LokiBot.\r\nThis could indicate that the actors behind LokiBot and Bagle are sharing the same infrastructure, or that they are the same actor.\r\nExact attribution is beyond the scope of this post, but it's an interesting note that the two are potentially sharing infrastructure or at least leveraging extremely similar domains.\r\nReturning to our pivot on sempersim[.]su, we identified an IP address of 104.237.252[.]28 which is also related to www.icloud-find-online[.]me.\r\nBy pivoting to this new domain www.icloud-find-online[.]me, we can see the full history of IPs related to the domain.\r\nBy observing the ASN numbers and the presence of the \"cloud\" symbol next to the ASN, we can see that the actor behind this domain began to use Cloudflare as of 2024-03-19.\r\nThis isn't particularly useful to me, but seeing it visualized like this is cool. More experienced intel analysts may have plenty of use for this information.\r\nXworm - Identifying Related Domains\r\nHere we have another highly suspicious domain name, marxrwo9090.duckdns[.]org, which was reported as Xworm on ThreatFox.\r\nBy analysing this domain, we can see that only a single IP of 194.147.140[.]138 has been associated with it.\r\nBy pivoting on this IP address, we can identify a number of suspicious .duckdns.org domains pointing to the same location.\r\nOne of these results specifically calls out Xworm: febxworm39090.duckdns[.]org.\r\nThere are 25 domains associated with the address 194.147.140[.]138, and we can again visualise these with the timeline feature.\r\nHere, we can see the actor has regularly updated their domains and has primarily relied on dynamic DNS services such as ddns and duckdns.\r\nXworm - Pivoting Across CIDR Ranges\r\nIn the previous section, we identified that the actor was regularly using dynamic DNS services to mask the IP at 194.147.140[.]138.\r\nIf we consider that the same actor may be using the same ASN or hosting provider to host similar infrastructure, we can craft a query to identify additional related domains.\r\nConsider that the initial IP 194.147.140[.]138 belongs to an AS with a CIDR range of 194.147.140.0/24.\r\n(This section is similar to that published by Gi7w0rm in his DDGroup analysis, so be sure to check that out too)\r\nWe can expand the search to query this range, which reveals 1468 domains with IP addresses resolving to the ASN. Many of these domains also rely on dynamic DNS services such as ddns and duckdns.\r\nA total of 464 domains are leveraging duckdns and resolving to the same ASN. Many of these have highly suspicious names and are very recent.\r\nThe first of such results is elastolut.duckdns[.]org, which has 11 detections on VirusTotal and multiple malicious (and very recent) communicating files.\r\nThe first of these related files has been marked as Remcos and has elastolut.duckdns[.]org listed as a C2.\r\nFollow Along With This Analysis\r\nThe primary tool we have used here is Validin.\r\nValidin even has a community (free) version for researchers to experiment with.\r\n(Joe Slowik) Stranded on Pylos - https://pylos.co/2022/11/23/detailing-daily-domain-hunting/\r\nA Beginners Guide to Tracking Malware Infrastructure - https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/\r\n(Gi7w0rm) Uncovering DDGroup - A Long Time Threat Actor\r\n(JoshuaPenny) Infrastructure Analysis: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023–4966 Citrix Bleed Vulnerability\r\nSource: https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/"
	],
	"report_names": [
		"infrastructure-analysis-with-dns-pivoting"
	],
	"threat_actors": [],
	"ts_created_at": 1775434183,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f978aab5185bec657a5d94e97f2f16a7ee9b81c7.pdf",
		"text": "https://archive.orkl.eu/f978aab5185bec657a5d94e97f2f16a7ee9b81c7.txt",
		"img": "https://archive.orkl.eu/f978aab5185bec657a5d94e97f2f16a7ee9b81c7.jpg"
	}
}