GTIG identified a UN1069 attack targeting the npm package axios and shared IoCs that were expanded through additional reports and DNS analysis into a larger set of subdomains, domains, and IP addresses. The investigation linked the infrastructure to phishing-like subdomains, typosquatting domains such as 31ventures[.]info and starbucls[.]xyz, and maliciously associated IPs including 23[.]254[.]128[.]114 and 104[.]168[.]167[.]88. #axios #UN1069 #31ventures #starbucls #dnxcapital #Hotswinds
Keypoints
- GTIG uncovered a UN1069 attack targeting the popular npm package axios on 31 March 2026 and published its analysis on 1 April 2026.
- The article consolidates IoCs from GTIG, Elastic Security Labs, and GitHub, resulting in 22 analyzed IoCs after deduplication and filtering.
- The 22 IoCs included five subdomains, seven domains, and 10 IP addresses.
- Several subdomains showed strong phishing or scam indicators, including fake branding, lack of DNS/WHOIS presence, free anonymous hosting, and inactive or fabricated naming.
- Two domain IoCs appeared in typosquatting groups, including 31ventures[.]info and starbucls[.]xyz, while dnx[.]capital was likely registered with malicious intent long before it was confirmed as malicious.
- DNS and network analysis revealed broad infrastructure and victim interaction: 16 client IPs communicating with the domain IoCs, 32 victim IPs communicating with the IP IoCs, and hundreds to thousands of historical DNS resolutions.
- Further hunting uncovered 676 email-connected domains and two additional IP addresses linked to the analyzed infrastructure.
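The typosquatting and brand-impersonation indicators in the key points above can be checked mechanically. The following is an added example, not code from the CircleID article or GTIG: it refangs the `[.]`-defanged IoCs quoted on this page, classifies them as IP, domain or subdomain, and compares the registrable label against an assumed brand watchlist (the brand names are assumptions; only 31VENTURES and the Starbucks lookalike are named on the page).

```python
import re
from difflib import SequenceMatcher

# Constructed sample: IoCs quoted on this page, in the defanged form the report uses.
DEFANGED_IOCS = [
    "cloud[.]dnx[.]capital", "crypto[.]hondchain[.]com",
    "31ventures[.]info", "starbucls[.]xyz", "dnx[.]capital",
    "23[.]254[.]128[.]114", "104[.]168[.]167[.]88",
]
# Assumed watchlist of brands an analyst wants to protect (hypothetical list).
BRANDS = ["31ventures", "starbucks", "docsend"]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def refang(ioc: str) -> str:
    """Turn defanged notation ('a[.]b', 'hxxp://') back into a usable string."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))

def classify(ioc: str) -> str:
    """'ip', 'domain' or 'subdomain'. Naive: does not consult a public-suffix list."""
    v = refang(ioc)
    if IPV4.match(v) and all(int(o) <= 255 for o in v.split(".")):
        return "ip"
    return "subdomain" if v.count(".") >= 2 else "domain"

def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'starbucls' from 'starbucls.xyz'."""
    return domain.split(".")[-2].lower()

def typosquat_candidates(ioc: str, brands=BRANDS, threshold: float = 0.8):
    """Return (brand, kind, similarity) for brands the IoC label impersonates.
    'exact-label' = brand name reused under another TLD (31ventures[.]info);
    'lookalike'   = near-match spelling (starbucls vs starbucks)."""
    if classify(ioc) == "ip":
        return []
    label = registrable_label(refang(ioc))
    hits = []
    for brand in brands:
        ratio = SequenceMatcher(None, label, brand).ratio()
        if label == brand:
            hits.append((brand, "exact-label", 1.0))
        elif ratio >= threshold:
            hits.append((brand, "lookalike", round(ratio, 2)))
    return hits

def triage(iocs=DEFANGED_IOCS) -> dict:
    """Map each defanged IoC to its type and any brand-impersonation hits."""
    return {i: (classify(i), typosquat_candidates(i)) for i in iocs}
```

Run `triage()` over a fresh IoC feed to surface which domains warrant the WHOIS and passive-DNS enrichment described in the article.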
MITRE Techniques
- [T1566] Phishing – The infrastructure showed multiple phishing indicators such as fake subdomains and impersonation of legitimate brands (‘fake docsend subdomain on a free, anonymous dynamic DNS service’ and ‘almost certainly impersonating the legitimate 31VENTURES venture capital firm’).
- [T1583] Acquire Infrastructure – The attack relied on newly registered, privacy-protected, and likely malicious domains and subdomains to support the campaign (‘newly registered and full WHOIS privacy’ and ‘likely registered with malicious intent’).
- [T1036] Masquerading – Domains were structured to impersonate legitimate services or organizations, including typosquatting and brand mimicry (‘starbucls[.]xyz’ and ‘impersonating the legitimate 31VENTURES venture capital firm’).
- [T1482] Domain Generation / Typosquatting-like Impersonation – The report specifically identified typosquatting groups containing the domain IoCs (‘two domain IoCs appeared in two typosquatting groups with 5–12 members each’).
- [T1071.001] Web Protocols – The malicious infrastructure was observed through DNS and web-related communications, including queries and domain-to-IP resolutions (‘communicated with two domain IoCs via 3,025 DNS queries’).
Indicators of Compromise
- [Subdomains] suspicious or phishing-related subdomain IoCs – cloud[.]dnx[.]capital, crypto[.]hondchain[.]com, and 3 more items
- [Domains] typosquatting and maliciously associated domain IoCs – 31ventures[.]info, starbucls[.]xyz, and 5 more items
- [IP Addresses] malicious or victim-associated IP IoCs – 23[.]254[.]128[.]114, 104[.]168[.]167[.]88, and 8 more items
- [Email Addresses] historical WHOIS contact data used for enrichment – one public email address and 5 more unique email addresses
- [DNS Queries] network activity involving domain IoCs – 3,025 DNS queries between 31 January and 1 April 2026
- [DNS Resolutions] historical domain-to-IP mappings – work[.]gd, 31ventures[.]info, and 911 more resolutions across other domains
- [IP-to-Domain Resolutions] historical IP-to-domain mappings – 23[.]254[.]128[.]114, 23[.]254[.]253[.]75, and 3,153 more resolutions
Read more: https://circleid.com/posts/the-dns-anatomy-of-the-axios-supply-chain-attack