CYBERSQUATTING OF DOMAINS USING NEW TLDS .DIY AND .FOOD

    Date: 10/18/2024

    Severity: Medium

    Summary

    This cybersquatting campaign has expanded to new top-level domains (TLDs), specifically .diy and .food. Through April 2024 the threat actors used the domain choto[.]xyz as a traffic redirection service; they have since switched to choto[.]click while keeping the same URL paths. Ongoing monitoring of newly registered domains is planned to identify and track emerging trends and attack campaigns.

    Indicators of Compromise (IOC) List

    URL/Domain

    betano.diy

    betano.food

    betway.diy

    betway.food

    caliente.diy

    caliente.food

    onlyfans.diy

    onlyfans.food

    xhamster.diy

    xhamster.food

    xnxx.diy

    xvideos.diy

    xvideos.food

    https://choto.click/vx/38sa4zcebspir7lt

    https://choto.click/vx/68lmfh0mv9jpsk1n

    https://choto.click/vx/c5oujoeneiak8g6s

    https://choto.click/vx/dsxrr32nz1hlh4wa

    https://choto.click/vx/g0p2psgfh60ypi4b

    https://choto.click/vx/njhpaqk1l7xnpehe

    https://choto.click/vx/of6v9q4jnjzlzgwp

    https://choto.click/vx/syrzavohf4zjujur

    https://choto.click/vx/t6o8rk8mmbhqgpxs

    https://choto.click/vx/t94xjdvc9lypquqd

    https://choto.click/vx/ubf3duweqjwqv271

    https://choto.click/vx/zkqywwamrzs8m2ms

    https://choto.click/vx/zpasrmlfidmobvpx

    https://choto.xyz/vx/38sa4zcebspir7lt

    https://choto.xyz/vx/68lmfh0mv9jpsk1n

    https://choto.xyz/vx/c5oujoeneiak8g6s

    https://choto.xyz/vx/dsxrr32nz1hlh4wa

    https://choto.xyz/vx/g0p2psgfh60ypi4b

    https://choto.xyz/vx/njhpaqk1l7xnpehe

    https://choto.xyz/vx/of6v9q4jnjzlzgwp

    https://choto.xyz/vx/syrzavohf4zjujur

    https://choto.xyz/vx/t6o8rk8mmbhqgpxs

    https://choto.xyz/vx/t94xjdvc9lypquqd

    https://choto.xyz/vx/ubf3duweqjwqv271

    https://choto.xyz/vx/zkqywwamrzs8m2ms

    https://choto.xyz/vx/zpasrmlfidmobvpx

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "betano.diy" or url like "betano.diy"
    or userdomainname like "betano.food" or url like "betano.food"
    or userdomainname like "betway.diy" or url like "betway.diy"
    or userdomainname like "betway.food" or url like "betway.food"
    or userdomainname like "caliente.diy" or url like "caliente.diy"
    or userdomainname like "caliente.food" or url like "caliente.food"
    or userdomainname like "onlyfans.diy" or url like "onlyfans.diy"
    or userdomainname like "onlyfans.food" or url like "onlyfans.food"
    or userdomainname like "xhamster.diy" or url like "xhamster.diy"
    or userdomainname like "xhamster.food" or url like "xhamster.food"
    or userdomainname like "xnxx.diy" or url like "xnxx.diy"
    or userdomainname like "xvideos.diy" or url like "xvideos.diy"
    or userdomainname like "xvideos.food" or url like "xvideos.food"
    or userdomainname like "https://choto.click/vx/38sa4zcebspir7lt" or url like "https://choto.click/vx/38sa4zcebspir7lt"
    or userdomainname like "https://choto.click/vx/68lmfh0mv9jpsk1n" or url like "https://choto.click/vx/68lmfh0mv9jpsk1n"
    or userdomainname like "https://choto.click/vx/c5oujoeneiak8g6s" or url like "https://choto.click/vx/c5oujoeneiak8g6s"
    or userdomainname like "https://choto.click/vx/dsxrr32nz1hlh4wa" or url like "https://choto.click/vx/dsxrr32nz1hlh4wa"
    or userdomainname like "https://choto.click/vx/g0p2psgfh60ypi4b" or url like "https://choto.click/vx/g0p2psgfh60ypi4b"
    or userdomainname like "https://choto.click/vx/njhpaqk1l7xnpehe" or url like "https://choto.click/vx/njhpaqk1l7xnpehe"
    or userdomainname like "https://choto.click/vx/of6v9q4jnjzlzgwp" or url like "https://choto.click/vx/of6v9q4jnjzlzgwp"
    or userdomainname like "https://choto.click/vx/syrzavohf4zjujur" or url like "https://choto.click/vx/syrzavohf4zjujur"
    or userdomainname like "https://choto.click/vx/t6o8rk8mmbhqgpxs" or url like "https://choto.click/vx/t6o8rk8mmbhqgpxs"
    or userdomainname like "https://choto.click/vx/t94xjdvc9lypquqd" or url like "https://choto.click/vx/t94xjdvc9lypquqd"
    or userdomainname like "https://choto.click/vx/ubf3duweqjwqv271" or url like "https://choto.click/vx/ubf3duweqjwqv271"
    or userdomainname like "https://choto.click/vx/zkqywwamrzs8m2ms" or url like "https://choto.click/vx/zkqywwamrzs8m2ms"
    or userdomainname like "https://choto.click/vx/zpasrmlfidmobvpx" or url like "https://choto.click/vx/zpasrmlfidmobvpx"
    or userdomainname like "https://choto.xyz/vx/38sa4zcebspir7lt" or url like "https://choto.xyz/vx/38sa4zcebspir7lt"
    or userdomainname like "https://choto.xyz/vx/68lmfh0mv9jpsk1n" or url like "https://choto.xyz/vx/68lmfh0mv9jpsk1n"
    or userdomainname like "https://choto.xyz/vx/c5oujoeneiak8g6s" or url like "https://choto.xyz/vx/c5oujoeneiak8g6s"
    or userdomainname like "https://choto.xyz/vx/dsxrr32nz1hlh4wa" or url like "https://choto.xyz/vx/dsxrr32nz1hlh4wa"
    or userdomainname like "https://choto.xyz/vx/g0p2psgfh60ypi4b" or url like "https://choto.xyz/vx/g0p2psgfh60ypi4b"
    or userdomainname like "https://choto.xyz/vx/njhpaqk1l7xnpehe" or url like "https://choto.xyz/vx/njhpaqk1l7xnpehe"
    or userdomainname like "https://choto.xyz/vx/of6v9q4jnjzlzgwp" or url like "https://choto.xyz/vx/of6v9q4jnjzlzgwp"
    or userdomainname like "https://choto.xyz/vx/syrzavohf4zjujur" or url like "https://choto.xyz/vx/syrzavohf4zjujur"
    or userdomainname like "https://choto.xyz/vx/t6o8rk8mmbhqgpxs" or url like "https://choto.xyz/vx/t6o8rk8mmbhqgpxs"
    or userdomainname like "https://choto.xyz/vx/t94xjdvc9lypquqd" or url like "https://choto.xyz/vx/t94xjdvc9lypquqd"
    or userdomainname like "https://choto.xyz/vx/ubf3duweqjwqv271" or url like "https://choto.xyz/vx/ubf3duweqjwqv271"
    or userdomainname like "https://choto.xyz/vx/zkqywwamrzs8m2ms" or url like "https://choto.xyz/vx/zkqywwamrzs8m2ms"
    or userdomainname like "https://choto.xyz/vx/zpasrmlfidmobvpx" or url like "https://choto.xyz/vx/zpasrmlfidmobvpx"
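    The following Python script is an added example, not Gurucul's code and not part of the TDIR query above. It applies the same IOC list to a handful of constructed proxy log lines (the log layout "timestamp source-IP method URL status" is an assumption) and shows two points a practitioner cares about when operationalising this list: the squatted domains are matched on the hostname, as an exact host or a subdomain, so a host that merely contains "betano.diy" as a substring does not alert, and the choto[.]xyz / choto[.]click redirector is matched on host plus the listed /vx/ path. Going one step beyond the advisory, any other URL on the redirector hosts is reported at medium confidence, since the summary notes the actors have already rotated the host while keeping the paths; that lower-confidence rule is this example's own assumption.

```python
import re
from urllib.parse import urlsplit

# IOC domains and redirector URL ids copied from the advisory (defanging brackets removed).
IOC_DOMAINS = {
    "betano.diy", "betano.food", "betway.diy", "betway.food",
    "caliente.diy", "caliente.food", "onlyfans.diy", "onlyfans.food",
    "xhamster.diy", "xhamster.food", "xnxx.diy", "xvideos.diy", "xvideos.food",
}
REDIRECTOR_HOSTS = {"choto.click", "choto.xyz"}
IOC_PATH_IDS = {
    "38sa4zcebspir7lt", "68lmfh0mv9jpsk1n", "c5oujoeneiak8g6s", "dsxrr32nz1hlh4wa",
    "g0p2psgfh60ypi4b", "njhpaqk1l7xnpehe", "of6v9q4jnjzlzgwp", "syrzavohf4zjujur",
    "t6o8rk8mmbhqgpxs", "t94xjdvc9lypquqd", "ubf3duweqjwqv271", "zkqywwamrzs8m2ms",
    "zpasrmlfidmobvpx",
}

# Assumed log layout (constructed for this example): "<timestamp> <src-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def host_matches(host, ioc_domain):
    """True for the IOC host itself or any subdomain of it; a bare substring hit is not enough."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def classify_url(url):
    """Return (confidence, reason) for a URL, or None when it matches no IOC."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    for domain in IOC_DOMAINS:
        if host_matches(host, domain):
            return ("high", f"cybersquatted domain {domain}")
    for redirector in REDIRECTOR_HOSTS:
        if host_matches(host, redirector):
            segments = [s for s in parts.path.split("/") if s]
            if len(segments) == 2 and segments[0] == "vx" and segments[1] in IOC_PATH_IDS:
                return ("high", f"listed redirector URL on {redirector}")
            # Assumption beyond the advisory: the redirector host with an unlisted
            # path still merits a lower-confidence alert, because paths may rotate.
            return ("medium", f"traffic redirector host {redirector}, unlisted path")
    return None


def scan_log(lines):
    """Parse each log line and collect the ones whose URL matches an IOC."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed layout
        verdict = classify_url(match["url"])
        if verdict:
            hits.append({
                "src": match["src"], "url": match["url"],
                "confidence": verdict[0], "reason": verdict[1],
            })
    return hits


# Constructed sample log lines: three true hits, one legitimate .com visit, and one
# host that contains "betano.diy" as a substring but is not that domain.
SAMPLE_LOG = [
    "2024-10-18T09:12:01Z 10.0.0.5 GET https://www.betano.diy/login 200",
    "2024-10-18T09:12:09Z 10.0.0.5 GET https://choto.click/vx/38sa4zcebspir7lt 302",
    "2024-10-18T09:13:40Z 10.0.0.7 GET https://choto.xyz/vx/notinthelist00 302",
    "2024-10-18T09:14:02Z 10.0.0.9 GET https://betano.com/ 200",
    "2024-10-18T09:14:30Z 10.0.0.9 GET https://notbetano.diy.example.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit['confidence']}] {hit['src']} -> {hit['url']} ({hit['reason']})")
```

    Matching on the parsed hostname rather than with a substring `like` is what keeps the last sample line quiet; a SIEM `like` clause with wildcards on either side of "betano.diy" would flag it. The medium-confidence rule is deliberately separate from the exact IOC hits so that it can be tuned or disabled without touching the high-confidence matches.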

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-17-IOCs-for-TLD-CyberSquatting.txt

    Tags

    Malware
