216.73.217.22

PhaaS actor uses DoH and DNS MX to dynamically distribute phishing

· Published 31/03/2025 19:56 · Modified 31/03/2025 19:57

Export JSON

Essential information

Published
31/03/2025 19:56
Modified
31/03/2025 19:57
Tags
2025-03-31 cloud malspam morphing meerkat phishing
Related entities
21 observables, 1 intrusion sets (apt), 4 techniques (mitre)

Description

Infoblox discovered a kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (21)

  • 5.230.210.77
  • 5.230.209.74
  • 45.133.174.25
  • 194.169.172.188
  • 185.229.66.117
  • 185.209.161.155
  • 175.9.54.154
  • 173.224.126.37
  • 122.183.248.102
  • 107.173.166.107
  • 109.200.24.11
  • 185.117.90.212
  • zeinabghasemi.ir
  • truck-parts.nl
  • nfond.com
  • movesfitnesszoom.co.uk
  • jeel.top
  • hexatimes.com
  • foxmail.net
  • carriertrucks.com
  • 38474.com

Intrusion sets (APT) (1)

  • Morphing Meerkat
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:15 · Modified 21/12/2025 13:15

Techniques (MITRE) (4)

External references