DomainTools Investigations analyzed one month of nameserver activity from the Russian bulletproof hosting service DDoS-Guard, revealing extensive malicious campaigns built around temporary gambling sites and phishing aimed at cryptocurrency users and digital asset platforms. Their research highlights the use of domain obfuscation, fast flux techniques, and frequent transfers between registrars to evade detection. #DDoSGuard #CounterStrikeGO #YieldNest
Key points
- DDoS-Guard, linked to Russian government activity, supports various malicious activities including terrorism, cybercrime, and espionage.
- From 2025-05-13 to 2025-06-11, 677 new domains were created, 269 domains transferred in, 408 transferred out, and 199 deleted from DDoS-Guard’s nameservers.
- Major categories of domains included temporary gambling/betting sites, cryptocurrency-targeting domains, and indeterminate or other threats.
- Aged domains such as bioservamerica[.]com were repurposed for Indonesian gambling sites and extensively used redirects to obscure malicious networks.
- Domain campaigns targeted Vanilla Visa gift card holders using deceptive subdomain techniques to create phishing URLs.
- Multiple domains impersonated Counter-Strike: GO trading platforms and weapon skin marketplaces for phishing and fraud schemes.
- Cryptocurrency-related scams targeted wallets, exchanges, and cross-chain protocols including YieldNest, Ledger, MetaMask, and Hybridge through quickly changing DNS records and frequent registrar transfers.
MITRE Techniques
- [T1078] Valid Accounts – Attackers use aged or previously legitimate domains like bioservamerica[.]com to evade detection and masquerade as trusted sites (‘bioservamerica[.]com redirected to capecodrestaurantweek[.]com; both used for obfuscation and redirect chains’).
- [T1090] Proxy – Rapid DNS changes and fast flux techniques observed on domains like capecodrestaurantweek[.]com support proxying attacker infrastructure (‘Passive DNS revealed suspiciously rapid and ongoing DNS changes suggestive of fast flux’).
- [T1586] Compromise Accounts – Phishing domains impersonating cryptocurrency wallets and exchanges exploit trusted branding to capture credentials (‘Domains targeting Coinbase, MetaMask, Ledger, MyEtherWallet, and Trezor observed’).
- [T1566] Phishing – Domains such as comtrackmycom[.]com use deceptive subdomains to trick users (‘Subdomains like www.vanillagift.comtrackmycom[.]com create the appearance of legitimate sites’).
- [T1595] Active Scanning – Monitoring domain transfers and creation for threat hunting and mapping actor infrastructure (‘Analyzing nameserver transfers shows attacker domain movement between services’).
Indicators of Compromise
- [Domain Names] Examples include bioservamerica[.]com (Indonesian gambling), comtrackmycom[.]com (Vanilla Visa phishing), cs2-hellcas[.]com (CS:GO phishing), and hybridge[.]finance (cross-chain scam).
- [Registrar Nameservers] DDoS-Guard nameservers used extensively, with domains frequently transferring out to services like Cloudflare, Registrar[.]eu, and 1reg[.]buzz.
- [Domain Clusters] Groups of similar domains like YieldNest-related domains (yicldnest[.]finance, yieldnesf[.]finance) exhibiting short lifespan and rapid DNS changes.
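The two lookalike tricks described above, the brand name smuggled into a subdomain label (www.vanillagift.comtrackmycom[.]com) and the one-character typosquat cluster (yicldnest[.]finance, yieldnesf[.]finance), can be flagged with the same small check. The following is an added example, not code from DomainTools or the report; the BRANDS allow-list is constructed, and the registered domain is taken as the last two labels (no Public Suffix List), which suffices for the .com and .finance names the report discusses.

```python
"""Flag hostnames that mimic a known brand via a deceptive subdomain label
or a near-miss registered domain. BRANDS is a constructed example list
mapping a brand string to its legitimate domain (assumption, not from the report)."""

BRANDS = {"vanillagift": "vanillagift.com", "yieldnest": "yieldnest.finance"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive registered domain: last two labels (no PSL, by assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_findings(host: str, brands: dict = BRANDS) -> list[str]:
    """Return human-readable findings for a hostname; empty list if clean."""
    host = host.lower().replace("[.]", ".")  # accept defanged indicators
    labels = host.split(".")
    if len(labels) < 2:
        return []
    reg = registered_domain(host)
    sld, tld = reg.split(".")
    findings = []
    for brand, legit in brands.items():
        if reg == legit:
            continue  # the genuine site itself, nothing to flag
        # 1. Brand string appears somewhere left of the registered domain,
        #    e.g. 'vanillagift' inside www.vanillagift.comtrackmycom.com.
        if any(brand in lab for lab in labels[:-2]):
            findings.append(f"brand '{brand}' in subdomain of {reg}")
        # 2. Registered domain is within two edits of the legitimate one
        #    under the same TLD, e.g. yicldnest.finance vs yieldnest.finance.
        legit_sld, legit_tld = legit.split(".")
        if tld == legit_tld and 0 < edit_distance(sld, legit_sld) <= 2:
            findings.append(f"{reg} is within 2 edits of {legit}")
    return findings
```

Running it over a passive DNS or newly-registered-domain feed gives a cheap first-pass filter; the edit-distance threshold of 2 is a tuning choice and will produce some false positives on short brand names.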
Read more: https://dti.domaintools.com/where-everybody-knows-your-name-observing-malice-complicit-nameservers/