Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams

May 6, 2025, 8:16 p.m.

Description

This report analyzes common tactics, techniques, and procedures (TTPs) used by several investment scam actors who lure victims with fake platforms, including crypto exchanges. Key TTPs include registering large numbers of domains algorithmically, embedding similar web forms to collect user data, hiding activity behind traffic distribution systems, promoting fake news with celebrity endorsements, and sharing website structures that indicate the use of kits. The report focuses on two notable actors, Reckless Rabbit and Ruthless Rabbit, detailing their distinct characteristics and DNS exploitation methods. It highlights the importance of DNS in building and maintaining scam infrastructure, emphasizing the use of registered domain generation algorithms (RDGAs) and traffic distribution systems (TDSs) to strengthen resilience and evade detection.

Date

  • Created: May 6, 2025, 3:50 p.m.
  • Published: May 6, 2025, 3:50 p.m.
  • Modified: May 6, 2025, 8:16 p.m.

Indicators

Additional Information

  • Finance
  • bitcoinapex.website
  • bitcoin-apex.website
  • Poland
  • Romania
  • Russian Federation