DNS Uncovers Infrastructure Used in SSO Attacks

Dec. 21, 2025, 6:21 p.m.

Description

The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, and this actor has used it to target at least 18 universities and educational institutions across the United States since April 2025. The campaigns were delivered through email and the phishing domains used subdomains that mimicked the legitimate SSO sites.

External References

https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/
https://otx.alienvault.com/pulse/69307a4a316b3f36d7ee486e
Tags
phishing
aitm
reverse proxy
evilginx
2025-12-03
tinyurl
mitm
sso

Date

  • Created: Dec. 3, 2025, 5:58 p.m.
  • Published: Dec. 3, 2025, 5:58 p.m.
  • Modified: Dec. 21, 2025, 6:21 p.m.

Indicators

  • 160.153.178.199
  • 203.161.60.59
  • 132.148.74.178
  • 72.167.52.130
  • 208.109.39.196
  • 192.169.177.165
  • 132.148.73.92
  • 66.29.133.135
  • 162.0.214.254
  • 160.153.176.197
  • 162.0.228.151
  • 199.192.23.40
  • 208.109.244.86
  • 72.167.224.193
  • 64.202.186.223
Download all indicators here!

Attack Patterns

  • Evilginx

Additional Informations

  • Education
  • hafikoman.com
  • amj-international.com
  • lpdeco.com
  • ideallivingsolutions.com
  • brownak.com
  • bazmepaigham.com
  • citywideprayer.com
  • schnaitsee.com
  • allwebdirectories.com
  • ads2ads.com
  • ilchirone.com
  • hurenkontakte.com
  • impexinc.com
  • kbdav.com
  • joshuasdodds.com
  • e-briefe.com
  • yoopuipui.com
  • lost-signal.com
  • igreensoft.com
  • intellipex.com
  • dogcuty.com
  • forty-something.com
  • aghomesandproperties.com
  • intercuba.com
  • eggcoo.com
  • data-logistics.com
  • georgiayr.com
  • brillianceboundielts.com
  • dartsinireland.com
  • dhoughton.com
  • acmsquared.com
  • apartamentosmalaga.com
  • geegletee.com
  • ispamembers.com
  • freaksandfriends.com
  • winbet299mas.com
  • goraba.com
  • cappadociavisittours.com
  • bedrijvenregister.com
  • jimmylange.com
  • thelovecity.com
  • buildonhope.com
  • qrcodespoweredbygs1.com
  • mykidsfashion.com
  • l2storm.com
  • monnalissaboutique.com
  • weddingsarahetemmanuel.com
  • tubeunderwater.com
  • bestshayari.com
  • heisseliebe.com
  • esdetodo.com
  • inkdchronicles.com
  • transusasia.com
  • ehsantrust.com
  • controlunlimited.com
  • catering-amato.com
  • coralridgehour.com
  • srpskazemlja.com
  • armingaud.com
  • littlenuggetsco.com
  • sercanaydin.com
  • mpoterbaru2024.com
  • thermalresistivity.com
  • cccsok.com
  • eheringe-trauringe.com
  • northstarcouncil.com
  • fluffybascha.com
  • United States of America