Domains Used for Black Friday Scams

    Date: 11/27/2025

    Severity: High

    Summary

    As Black Friday approaches, threat actors are ramping up phishing campaigns that abuse newly registered domains crafted to mimic legitimate shopping sites. These scams often link victims to fraudulent luxury-goods stores designed to steal payment information. Security teams have observed a sharp rise in suspicious domain registrations, along with increased volumes of spam and phishing emails specifically themed around Black Friday, indicating coordinated efforts by known fraud groups to exploit the holiday shopping season.

    Indicators of Compromise (IOC) List

    URLs/Domain


    Hash

    fc577d03d84db5fd5f973afcf3e595d4471244d7bb71566b1dcf490e161aad2b

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "wwwhotsalebooks.ru" or siteurl like "wwwhotsalebooks.ru" or url like "wwwhotsalebooks.ru" or domainname like "wwwhotddcbook.ru" or siteurl like "wwwhotddcbook.ru" or url like "wwwhotddcbook.ru" or domainname like "wwwtopaaabook.ru" or siteurl like "wwwtopaaabook.ru" or url like "wwwtopaaabook.ru" or domainname like "bookddchot.ru" or siteurl like "bookddchot.ru" or url like "bookddchot.ru" or domainname like "wwwtophosbook.ru" or siteurl like "wwwtophosbook.ru" or url like "wwwtophosbook.ru" or domainname like "oferta-blackfriday.com" or siteurl like "oferta-blackfriday.com" or url like "oferta-blackfriday.com" or domainname like "blackfridaysus.com" or siteurl like "blackfridaysus.com" or url like "blackfridaysus.com" or domainname like "wwwtopsalebook.ru" or siteurl like "wwwtopsalebook.ru" or url like "wwwtopsalebook.ru" or domainname like "glamblackfriday.com" or siteurl like "glamblackfriday.com" or url like "glamblackfriday.com" or domainname like "onrunningblackfriday.com" or siteurl like "onrunningblackfriday.com" or url like "onrunningblackfriday.com" or domainname like "blackfridaydailydeal.com" or siteurl like "blackfridaydailydeal.com" or url like "blackfridaydailydeal.com" or domainname like "blackfridayofertas.online" or siteurl like "blackfridayofertas.online" or url like "blackfridayofertas.online" or domainname like "blackfridaydeals.space" or siteurl like "blackfridaydeals.space" or url like "blackfridaydeals.space" or domainname like "wwwtopeeebook.ru" or siteurl like "wwwtopeeebook.ru" or url like "wwwtopeeebook.ru" or domainname like "wwwtopcccbook.ru" or siteurl like "wwwtopcccbook.ru" or url like "wwwtopcccbook.ru" or domainname like "xn--90araabtead2a.xn--p1ai" or siteurl like "xn--90araabtead2a.xn--p1ai" or url like "xn--90araabtead2a.xn--p1ai" or domainname like "wwwtopsalebooks.ru" or siteurl like "wwwtopsalebooks.ru" or url like "wwwtopsalebooks.ru" or domainname like "blackfridaysalele.club" or siteurl like "blackfridaysalele.club" or url like "blackfridaysalele.club" or domainname like "blackfridayshopping.shop" or siteurl like "blackfridayshopping.shop" or url like "blackfridayshopping.shop" or domainname like "blackfridaysus.com" or siteurl like "blackfridaysus.com" or url like "blackfridaysus.com" or domainname like "hipiyk.com/int?dat=[information removed]" or siteurl like "hipiyk.com/int?dat=[information removed]" or url like "hipiyk.com/int?dat=[information removed]" or domainname like "ocalesit.com/xfc/sfclick?u=[information removed]" or siteurl like "ocalesit.com/xfc/sfclick?u=[information removed]" or url like "ocalesit.com/xfc/sfclick?u=[information removed]"

    Detection Query 2:

    sha256hash IN ("fc577d03d84db5fd5f973afcf3e595d4471244d7bb71566b1dcf490e161aad2b")

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-11-25-Domains-for-Black-Friday-scams.txt


    Tags

    Malware, Phishing, Black Friday, Domain Spoofing
