Strategically Aged Domains Used in TDS for Investment and Job Scams

    Date: 03/21/2025

    Severity: High 

    Summary

    We've identified an ongoing campaign leveraging strategically aged domains in Traffic Direction System (TDS) activity. The final landing pages promote investment scams and fraudulent part-time or work-from-home opportunities. To evade detection, attackers register new domains and keep them dormant for at least a month before activation. Our analysis uncovered over 80,000 domains that eventually redirect to URLs under linksapp[.]top. This campaign primarily targets users in Japan and South Africa and is still active.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    aalhr-wonder.xyz
    awbgsd-lawyer.xyz
    bad-yjhbfn.xyz
    behavior-xpzd.xyz
    cdztph-sing.xyz
    fast-vrcyjc.xyz
    food-ewlpgk.xyz
    phinzone.com
    rglrmn-debate.xyz
    tp-verbs.xyz
    ytbkrr-remember.xyz
    jp.linel.top
    linksapp.top
    us.linel.top

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    userdomainname like "aalhr-wonder.xyz" or url like "aalhr-wonder.xyz" or userdomainname like "awbgsd-lawyer.xyz" or url like "awbgsd-lawyer.xyz" or userdomainname like "bad-yjhbfn.xyz" or url like "bad-yjhbfn.xyz" or userdomainname like "behavior-xpzd.xyz" or url like "behavior-xpzd.xyz" or userdomainname like "cdztph-sing.xyz" or url like "cdztph-sing.xyz" or userdomainname like "fast-vrcyjc.xyz" or url like "fast-vrcyjc.xyz" or userdomainname like "food-ewlpgk.xyz" or url like "food-ewlpgk.xyz" or userdomainname like "phinzone.com" or url like "phinzone.com" or userdomainname like "rglrmn-debate.xyz" or url like "rglrmn-debate.xyz" or userdomainname like "tp-verbs.xyz" or url like "tp-verbs.xyz" or userdomainname like "ytbkrr-remember.xyz" or url like "ytbkrr-remember.xyz" or userdomainname like "jp.linel.top" or url like "jp.linel.top" or userdomainname like "linksapp.top" or url like "linksapp.top" or userdomainname like "us.linel.top" or url like "us.linel.top"
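    The following is an added example, not part of the Gurucul advisory or its TDIR query. It applies the same two ideas over a constructed proxy log: an exact or subdomain match against the advisory's IOC domains (the counterpart of the query above), and the dormancy heuristic described in the summary, flagging a domain whose first observed traffic falls at least 30 days after registration and whose response redirects under linksapp[.]top. The log format, client addresses, registration dates and redirect paths are all constructed for the example; in practice the registration dates would come from WHOIS/RDAP and the first-seen date from passive DNS or historical proxy data rather than a single log line.

```python
"""
Added example (not part of the advisory): IOC matching plus the
'strategically aged domain' heuristic over constructed proxy log lines.
"""
from datetime import date, datetime
from urllib.parse import urlparse

# Domains listed in the advisory's IOC section.
IOC_DOMAINS = {
    "aalhr-wonder.xyz", "awbgsd-lawyer.xyz", "bad-yjhbfn.xyz", "behavior-xpzd.xyz",
    "cdztph-sing.xyz", "fast-vrcyjc.xyz", "food-ewlpgk.xyz", "phinzone.com",
    "rglrmn-debate.xyz", "tp-verbs.xyz", "ytbkrr-remember.xyz",
    "jp.linel.top", "linksapp.top", "us.linel.top",
}
REDIRECT_HUB = "linksapp.top"   # final redirect target named in the summary
DORMANCY_DAYS = 30              # "dormant for at least a month" per the summary

# Constructed registration dates standing in for WHOIS/RDAP lookups (hypothetical values).
REGISTERED = {
    "aalhr-wonder.xyz": date(2025, 1, 10),
    "phinzone.com": date(2024, 11, 2),
    "example-news.com": date(2025, 3, 1),
}

# Constructed proxy log: timestamp|client|requested URL|status|Location header ('-' if none)
SAMPLE_LOG = """\
2025-03-20T09:12:04Z|10.0.0.14|http://aalhr-wonder.xyz/|302|https://linksapp.top/go/EXAMPLE
2025-03-20T09:15:31Z|10.0.0.22|https://www.phinzone.com/offer|302|https://us.linel.top/
2025-03-20T09:20:00Z|10.0.0.31|https://example-news.com/story|200|-
2025-03-20T09:25:12Z|10.0.0.40|https://fresh-domain.example/|302|https://linksapp.top/go/OTHER
2025-03-20T09:30:45Z|10.0.0.51|https://sub.bad-yjhbfn.xyz/x|200|-
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, without port or a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def matches_ioc(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one (label-aligned, not a substring match)."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def is_redirect_hub(host: str) -> bool:
    """True if host is linksapp.top or one of its subdomains."""
    return host == REDIRECT_HUB or host.endswith("." + REDIRECT_HUB)


def is_aged_activation(host: str, seen: date, registered: dict) -> bool:
    """Registered at least DORMANCY_DAYS before the observed traffic.
    Here 'seen' is the log timestamp; a real deployment would use the
    earliest first-seen date from passive DNS or historical proxy data."""
    reg = registered.get(host)
    return reg is not None and (seen - reg).days >= DORMANCY_DAYS


def analyze(log_text: str, registered: dict = REGISTERED) -> list[dict]:
    """Return one finding per log line that trips any of the three checks."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, location = line.split("|")
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        host = host_of(url)
        reasons = []
        if matches_ioc(host):
            reasons.append("ioc_domain")
        if is_aged_activation(host, seen, registered):
            reasons.append("aged_domain")
        if location != "-":
            target = host_of(location)
            if is_redirect_hub(target):
                reasons.append("redirect_to_linksapp_top")
            elif matches_ioc(target):
                reasons.append("redirect_to_ioc_domain")
        if reasons:
            findings.append({"client": client, "host": host, "status": status, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

    Running the block flags four of the five constructed lines: the two IOC domains that also satisfy the dormancy window and redirect onward, the redirect into linksapp.top from a host that is not on the list (the summary's point that the hub is the stable pivot across 80,000 front-end domains), and a subdomain of an IOC domain. The 19-day-old example-news.com line is left alone, which is why the dormancy check is a supporting signal and not a verdict on its own.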

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-20-IOCs-for-strategically-aged-domain-activity.txt


    Tags

    Threat Actor, Japan, South Africa
