Keypoints
- Initial trigger was a phishing link (delivered by email and reported in a tweet) pointing to lufyfeo[.]org, which answered with HTTP 302 redirects to deliver the next-stage resource.
- Passive DNS (Validin) showed the domain recently resolved to IP 193.106.174[.]218, which became the primary pivot for discovery.
- Host response details revealed repeated 302 redirects to the same document URLs on documentcloud[.]org and a pdf on harvardlawreview[.]org.
- Enumerating all host responses for 193.106.174[.]218 produced 1,256 entries; a JSON export was used to extract relevant fields (host and location).
- Data was cleaned with CyberChef and a Python script to search the location fields for PDF/script redirects, deduplicating results to identify 36 related domains.
- The identified flow redirects to .js and PDF resources and ultimately leads to MSI/DLL delivery, matching the Latrodectus and LummaStealer behaviour described in the post.
- A consolidated list of the 36 domains was produced for further blocking or investigation (examples include lufyfeo[.]org, interiourbydennis[.]com, deqytuu9[.]org).
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Initial access via emailed links that redirect victims to malicious resources (‘phishing link contained in an email’).
- [T1583.001] Acquire Infrastructure: Domains – Attackers registered/hosted numerous domains on the same IP to serve phishing redirects and staging pages (’36 domains hosted on the same IP address’).
- [T1105] Ingress Tool Transfer – Download of secondary payloads (JS/MSI) via redirected URLs and WebDAV traffic used to fetch an MSI (‘JS generates WebDAV traffic for MSI’).
- [T1204.002] User Execution: Malicious File – Victim action (double-clicking) executes delivered scripts/installers that trigger the malware chain (‘victim double-clicks JS file’).
- [T1071.001] Application Layer Protocol: Web Protocols – Malware or staging communicates and retrieves payloads over HTTP/HTTPS through redirects and hosted files (‘302 redirects to the same location’).
- [T1027] Obfuscated Files or Information – Delivery is staged behind legitimate-looking document hosts and an intermediate redirect to a JavaScript file before the final payload loads (‘redirects to a javascript file which ultimately loads LummaStealer Malware’); the mapping covers this staging, not any confirmed in-file obfuscation.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence is inferred, not directly observed, from the MSI/DLL installation step in the infection chain (‘MSI installs Latrodectus DLL’); confirm the actual autostart mechanism on a sample before relying on this mapping.
Indicators of Compromise
- [IP] Resolved hosting for malicious domains – 193.106.174[.]218 (primary pivot). A second value, 192.106.174[.]218, also appears in the records; it differs from the pivot only in the first octet, so verify it independently before blocking rather than assuming it is the same host.
- [Domain] Phishing and staging examples – lufyfeo[.]org, interiourbydennis[.]com, and 33 more domains (total 36 identified).
- [Redirect targets / Hosts] Document and hosting services used for staged resources – documentcloud[.]org (PDF/js hosting), harvardlawreview[.]org (PDF used as alternate redirect target).
- [Behavioral] Redirect pattern – multiple domains returning HTTP 302 to the same document URLs or script locations (‘302 redirects to the same location’).
The technical procedure began with a reported phishing link to lufyfeo[.]org; using a passive DNS tool (Validin) the analyst extracted recent resolution history and host response details, which showed the domain resolving to 193.106.174[.]218 and returning HTTP 302 redirects to external document URLs. Observing that the 302 locations repeatedly pointed to files on documentcloud[.]org (and occasionally harvardlawreview[.]org) indicated a reusable redirect target that could be used as a pivot for finding sibling domains on the same server.
To enumerate related infrastructure the analyst queried all host responses for 193.106.174[.]218 (1,256 entries) and exported the JSON output. They used CyberChef to format the JSON and identified the fields of interest (host and location), then ran a small Python script to scan each entry for location URLs referencing PDFs or scripts. The script produced many matches which, after deduplication, yielded 36 unique domains that returned the same PDF/script redirect locations associated with the reported phishing activity.
Key artifacts and steps for replication or detection include: pivoting from an initial suspicious domain to its most recent resolved IP, extracting host response headers to detect 302 redirect behavior, exporting full passive-DNS results to JSON, using a JSON tool to isolate host/location fields, and scripting a targeted search across the dataset to find domains that share redirect targets. The resulting domain list and observed redirect patterns can be used to block or further investigate staging hosts and downstream payload delivery.
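The extraction step described in the keypoints and in the procedure above (export the host responses to JSON, isolate the host and location fields, keep only 3xx responses whose location points at a PDF or script, then deduplicate the hosts) can be done in a few dozen lines of Python. The block below is an added example, not the script from the original post. The record shape it parses (a list of objects with `host`, `status` and `location` keys, optionally wrapped in a `records` object) is an assumption; the real Validin export uses its own schema, so map its fields onto these names first. The sample records are constructed: the hosts are domains named on this page, but the redirect URLs are placeholders, not the real staging paths.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample shaped like a flattened passive-DNS host-response export.
# The field names (host, status, location) are assumptions for this example;
# the real Validin JSON uses its own schema, so map its fields onto these first.
SAMPLE_EXPORT = json.dumps([
    {"host": "lufyfeo.org", "status": 302,
     "location": "https://www.documentcloud.org/documents/0000-sample.pdf"},
    {"host": "www.lufyfeo.org", "status": 302,
     "location": "https://www.documentcloud.org/documents/0000-sample.pdf"},
    {"host": "lufyfeo.org", "status": 302,  # duplicate observation of the same host
     "location": "https://www.documentcloud.org/documents/0000-sample.pdf"},
    {"host": "interiourbydennis.com", "status": 302,
     "location": "https://cdn.example/static/loader.js?v=3"},
    {"host": "deqytuu9.org", "status": 302,
     "location": "https://harvardlawreview.org/wp-content/uploads/sample.pdf"},
    {"host": "tenant.example", "status": 200, "location": ""},  # plain 200, no redirect
    {"host": "other.example", "status": 301,
     "location": "https://other.example/index.html"},  # redirect, but not to pdf/js
])

# Match only on the URL path, so "loader.js?v=3" counts and "a.pdf.html" does not.
STAGED_EXT = re.compile(r"\.(pdf|js)$", re.IGNORECASE)


def load_records(text):
    """Parse the export; accept a bare list or an object with a 'records' key (assumed)."""
    data = json.loads(text)
    return data["records"] if isinstance(data, dict) else data


def normalize_host(host):
    """Lowercase, drop a trailing dot and a leading 'www.' so www.x.org and x.org count once."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_staged_resource(location):
    """True when the redirect target's path ends in .pdf or .js (query string ignored)."""
    if not location:
        return False
    return bool(STAGED_EXT.search(urlparse(location).path))


def redirect_siblings(records):
    """Map each pdf/js redirect target to the sorted list of hosts that 3xx to it."""
    siblings = defaultdict(set)
    for rec in records:
        status = rec.get("status")
        # Keep only redirects; records without a status field are kept and judged on location.
        if status is not None and not 300 <= int(status) < 400:
            continue
        loc = rec.get("location", "")
        if is_staged_resource(loc):
            siblings[loc].add(normalize_host(rec["host"]))
    return {loc: sorted(hosts) for loc, hosts in siblings.items()}


def unique_domains(records):
    """Deduplicated, sorted list of domains that redirect to any pdf/js target."""
    return sorted({h for hosts in redirect_siblings(records).values() for h in hosts})


def defang(domain):
    """Defang for reports: lufyfeo.org -> lufyfeo[.]org."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    recs = load_records(SAMPLE_EXPORT)
    for loc, hosts in redirect_siblings(recs).items():
        print(f"{loc}\n    <- {', '.join(defang(h) for h in hosts)}")
    print("unique domains:", [defang(d) for d in unique_domains(recs)])
```

Grouping by redirect target, rather than only collecting hosts, is what lets an analyst see which sibling domains share the same documentcloud[.]org or harvardlawreview[.]org target; a host that only ever redirects to its own index page (the `other.example` record) is dropped, which is the false-positive class a raw `location` grep would keep.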
Read more: https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/