Tunneling-Based Scans for DNS Resolvers

    Date: 04/24/2025

    Severity: High

    Summary

    Since January 2025, several domains have been observed in scanning activity that uses DNS tunneling techniques. The scans target DNS resolvers hosted on public IPv4 and IPv6 addresses. To evade source IP-based access controls, the attacker spoofs the source IP so that each query appears to originate from an address adjacent to the destination resolver. The domains' nameservers are hosted on 209.141.56[.]200 and 2605:6400:20:9d:2d8c:6f33:f4db[:]ab02, and each queried FQDN carries the target resolver's IP address as a hexadecimal label inside the domain name, so the authoritative nameserver learns which target answered.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    isavscan.autos

    isavscan.baby

    isavscan.beauty

    isavscan.biz

    isavscan.boats

    isavscan.bond

    isavscan.cfd

    isavscan.christmas

    isavscan.click

    isavscan.college

    oeikdidmgx.online

    kugmx.c66e76fb.0.v4.isavscan.baby

    owkky.c8030120000007210000000025000000.0.v6.isavscan.biz

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "isavscan.biz" or url like "isavscan.biz" or siteurl like "isavscan.biz" or domainname like "isavscan.baby" or url like "isavscan.baby" or siteurl like "isavscan.baby" or domainname like "isavscan.autos" or url like "isavscan.autos" or siteurl like "isavscan.autos" or domainname like "isavscan.beauty" or url like "isavscan.beauty" or siteurl like "isavscan.beauty" or domainname like "isavscan.boats" or url like "isavscan.boats" or siteurl like "isavscan.boats" or domainname like "isavscan.bond" or url like "isavscan.bond" or siteurl like "isavscan.bond" or domainname like "isavscan.cfd" or url like "isavscan.cfd" or siteurl like "isavscan.cfd" or domainname like "isavscan.christmas" or url like "isavscan.christmas" or siteurl like "isavscan.christmas" or domainname like "isavscan.click" or url like "isavscan.click" or siteurl like "isavscan.click" or domainname like "oeikdidmgx.online" or url like "oeikdidmgx.online" or siteurl like "oeikdidmgx.online" or domainname like "kugmx.c66e76fb.0.v4.isavscan.baby" or url like "kugmx.c66e76fb.0.v4.isavscan.baby" or siteurl like "kugmx.c66e76fb.0.v4.isavscan.baby" or domainname like "owkky.c8030120000007210000000025000000.0.v6.isavscan.biz" or url like "owkky.c8030120000007210000000025000000.0.v6.isavscan.biz" or siteurl like "owkky.c8030120000007210000000025000000.0.v6.isavscan.biz"
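    The query above matches the listed strings as they appear in the IOC list. The two FQDN indicators show the per-target structure the summary describes: a random label, a hex label carrying the target address, a counter, a v4/v6 family label, and one of the apex domains. The following Python is an added example, not code from Gurucul or from the Unit 42 IOC file, that matches queried names against the apex domains on a label boundary (so every per-target subdomain is caught, but a lookalike such as notisavscan.biz is not) and decodes the hex label back to the probed resolver address. The label layout is inferred from the two sample FQDNs on this page, and the log line format (timestamp, client, qname, qtype) and the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from typing import Optional

# Apex domains taken from the IOC list on this page.
IOC_DOMAINS = {
    "isavscan.autos", "isavscan.baby", "isavscan.beauty", "isavscan.biz",
    "isavscan.boats", "isavscan.bond", "isavscan.cfd", "isavscan.christmas",
    "isavscan.click", "isavscan.college", "oeikdidmgx.online",
}

# Label layout inferred from the two sample FQDNs (an assumption, not a
# documented format):  <random>.<hex target>.<counter>.v4|v6.<apex>
# 8 hex chars encode a 32-bit IPv4 address, 32 hex chars a 128-bit IPv6 address.
_SCAN_NAME_RE = re.compile(
    r"^(?P<tag>[a-z0-9]+)\."
    r"(?P<hex>[0-9a-f]{8}|[0-9a-f]{32})\."
    r"(?P<seq>\d+)\."
    r"(?P<fam>v4|v6)\."
    r"(?P<apex>[a-z0-9.-]+)$"
)


def apex_of(fqdn: str, known=IOC_DOMAINS) -> Optional[str]:
    """Return the IOC apex domain that fqdn equals or is a subdomain of.

    The match is anchored on a label boundary: "x.isavscan.biz" matches,
    "notisavscan.biz" does not. A bare substring test would accept both.
    """
    name = fqdn.rstrip(".").lower()
    for apex in known:
        if name == apex or name.endswith("." + apex):
            return apex
    return None


def decode_target(fqdn: str) -> Optional[str]:
    """Decode the hex label of a scan FQDN into the probed resolver address.

    Returns None when the name does not follow the inferred layout or when
    the v4/v6 family label disagrees with the payload length.
    """
    m = _SCAN_NAME_RE.match(fqdn.rstrip(".").lower())
    if not m:
        return None
    raw = bytes.fromhex(m.group("hex"))
    expected = 4 if m.group("fam") == "v4" else 16
    if len(raw) != expected:
        return None
    return str(ipaddress.ip_address(raw))


# Constructed resolver query log (not real traffic). Layout assumed for the
# example: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2025-04-20T10:00:01Z 203.0.113.7 www.example.com A
2025-04-20T10:00:02Z 203.0.113.9 kugmx.c66e76fb.0.v4.isavscan.baby A
2025-04-20T10:00:03Z 2001:db8::9 owkky.c8030120000007210000000025000000.0.v6.isavscan.biz AAAA
2025-04-20T10:00:04Z 203.0.113.7 isavscan.college TXT
2025-04-20T10:00:05Z 203.0.113.8 notisavscan.biz A
"""


def scan_log(text: str) -> list:
    """Flag log lines whose qname falls under an IOC apex domain.

    Each hit records the client that sent the query (which, per the page,
    may be a spoofed address adjacent to the resolver) and the decoded
    target address when the name carries one.
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, qtype = parts[:4]
        apex = apex_of(qname)
        if apex is None:
            continue
        hits.append({
            "ts": ts, "client": client, "qname": qname, "qtype": qtype,
            "apex": apex, "target": decode_target(qname),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Running the block decodes the page's own IPv4 sample label c66e76fb to 198.110.118.251, which is the kind of pivot a responder wants: the client field tells you who was answered, and the decoded label tells you which resolver the attacker was testing. Whatever the semantics of `like` in a given SIEM, matching the apex domain on a label boundary catches every per-target subdomain without widening the rule to lookalike names.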

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-16-IOCs-for-tunneling-based-scans-for-DNS-resolvers.txt


    Tags

    Threat Actor, DNS tunneling
