We’re excited to announce the release of Live Scan, a new feature that allows you to scan any URL and view what is currently being rendered at that URL, including a visual screenshot, HTML title and favicon, relevant redirection details, and color-coded risk scores of both the domain and IP the site is hosted on.
In this video, Maulik takes you through the basic functionality of Live Scan – how to perform a Live Scan lookup, navigate the results and action any additional pivots or queries.
In this video, Product Manager Jonathan Peyster takes you through the Silent Push Web Scanner – discussing its benefits and providing a demonstration to help you get the most out of the tool.
Silent Push Threat Analysts have used fuzzy hash scans and content similarity queries to uncover 24 control panel Indicators of Future Attack (IOFA) administering MaaS services for a range of DukeEugene variants, including ERMAC, Hook, Loot and Pegasus, that target users of popular mobile banking software and cryptocurrency exchanges.
Background
DukeEugene is the original threat actor behind the promotion of several Android-based Malware-as-a-Service (MaaS) families, including ERMAC and BlackRock, and later Hook, which was published in early January 2023 on darknet[.]ug. The Hook malware initially contained bogus Russian-language commands, hidden inside the binary, that were later removed.
In April 2023, DukeEugene claimed he was leaving the project for “SVO” (slang often used for Russian military service); however, the project’s coder continued providing services, and the HookBot builder panel’s code was leaked only three months later.
Since that leak, HookBot C2s have proliferated widely, offering a number of attack capabilities: harvesting confidential information and login credentials, performing overlay attacks (where the malware opens an active window over a legitimate app to intercept the victim’s interactions), and more. Even so, shared characteristics linking each of these MaaS families remain, and those shared characteristics are what make the panels findable.
Additional information
This blog contains a public overview of how we at Silent Push have uncovered a host of control panels actively administering MaaS services for this range of DukeEugene-linked variants, including ERMAC, Hook, Loot and Pegasus, all targeting users of popular mobile banking software and cryptocurrency exchanges.
Silent Push Enterprise users have access to a dedicated TLP Amber report containing the specific data categories and queries we used to locate and traverse DukeEugene’s infrastructure, as well as four dedicated Android malware IOFA feeds.
Initial discovery: ERMAC control panel
While conducting research into a suspicious Russian ASN using the Silent Push Web Scanner, we discovered infrastructure linked to an ERMAC control panel.
We then constructed a Web Scanner query that took a piece of data from the ERMAC page, and scanned for all associated DukeEugene ERMAC control panels that used the same page content.
Traversing DukeEugene’s infrastructure
Once we’d mapped out the ERMAC infrastructure, we hashed the page content and executed a query that scanned the Internet for DukeEugene control panels whose content is at least 75% similar to the initial discovery.
This produced a large dataset, on which we executed further enrichment queries using fuzzy hash values tied to a specific website, to confirm a host of true positive IOFAs.
That pivot then led us to other hash types and selected data categories, returning even more true positive examples of both live and dormant IOFA infrastructure.
DukeEugene control panels
We then queried the enriched data to uncover 24 DukeEugene-linked control panels (see IOFA list at the end of this blog for a sample), with the following names:
AZAZEL
BOTS PANEL
CENTINEL BOT PANEL
COMMAND
CONSOLE
Dashboard Seller
Dd0XeR PANEL
E.R.M.V.C
HAXOR Tech Panel
HAXORBOT PANEL
HB RELOAD /GXC TEAM
HOOK BOTNET
HOOKBOT PANEL
Hookbot Panel
MOD
NOTHING
Pegasus PANEL
SAMBOT PANEL
Saphira Panel
Scarab Botnet PANEL
T-Devs Hook V2
T-Rex PANEL
VIP PANEL
ZeuS
Not all of the above represent active control panels, but the naming schemas are part of our detections for this particular threat actor and are shared here to help the community with their own defenses.
When active panels with these HTML titles show up on live pages, they are immediately detected and exposed by our Android malware feeds.
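The two pivots described above (scanning for pages whose content is at least 75% similar to a seed panel, and matching the HTML titles in the list) can be reproduced locally over any set of crawled pages. The following is an added example, not Silent Push code and not the actual query syntax of the Web Scanner: it tokenizes each page into tags and text, scores content similarity with a Jaccard index over 4-token shingles, and independently checks the normalized HTML title against the panel names listed in this post. The seed page, the three candidate pages and their URLs are constructed for the example; none of the HTML comes from a real panel.

```python
import re
from html import unescape

# Control panel titles listed in this post, normalized to upper case so that
# "HOOKBOT PANEL" and "Hookbot Panel" collapse to one detection.
KNOWN_PANEL_TITLES = {
    "AZAZEL", "BOTS PANEL", "CENTINEL BOT PANEL", "COMMAND", "CONSOLE",
    "DASHBOARD SELLER", "DD0XER PANEL", "E.R.M.V.C", "HAXOR TECH PANEL",
    "HAXORBOT PANEL", "HB RELOAD /GXC TEAM", "HOOK BOTNET", "HOOKBOT PANEL",
    "MOD", "NOTHING", "PEGASUS PANEL", "SAMBOT PANEL", "SAPHIRA PANEL",
    "SCARAB BOTNET PANEL", "T-DEVS HOOK V2", "T-REX PANEL", "VIP PANEL", "ZEUS",
}

# Constructed pages for the example: a "seed" panel and three scan results.
SEED_HTML = """<html><head><title>HOOKBOT PANEL</title></head>
<body><div class="login"><form action="/login" method="post">
<input name="username"><input name="password" type="password">
<button>Sign in</button></form></div>
<script src="/assets/app.js"></script></body></html>"""

CANDIDATES = {
    # same template, title re-cased and one <meta> tag added
    "http://198.51.100.10/": """<html><head><meta charset="utf-8"><title>Hookbot Panel</title></head>
<body><div class="login"><form action="/login" method="post">
<input name="username"><input name="password" type="password">
<button>Sign in</button></form></div>
<script src="/assets/app.js"></script></body></html>""",
    # unrelated page
    "http://198.51.100.11/": """<html><head><title>Welcome</title></head>
<body><h1>Under construction</h1></body></html>""",
    # different template, but a title from the known list
    "http://198.51.100.12/": """<html><head><title>Saphira Panel</title></head>
<body><p>Bots online: 0</p></body></html>""",
}

TOKEN_RE = re.compile(r"<[^>]+>|[^<\s]+")


def extract_title(html):
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return unescape(m.group(1)).strip() if m else ""


def normalize_title(title):
    return " ".join(title.upper().split())


def shingles(html, k=4):
    """Set of k-token windows over the tag/text token stream (case-folded).
    Identical pages give identical sets; a small edit only changes the
    windows that touch the edited tokens, which is what a similarity
    score needs in order to degrade gracefully."""
    toks = [t.lower() for t in TOKEN_RE.findall(html)]
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def triage(seed_html, pages, threshold=0.75):
    """Score every scanned page against the seed page and the title list.
    The two signals are independent: a re-skinned panel still surfaces on
    its title, and a retitled panel still surfaces on its template."""
    seed = shingles(seed_html)
    out = {}
    for url, html in pages.items():
        title = extract_title(html)
        title_hit = normalize_title(title) in KNOWN_PANEL_TITLES
        sim = round(jaccard(seed, shingles(html)), 3)
        out[url] = {
            "title": title,
            "title_hit": title_hit,
            "similarity": sim,
            "candidate": title_hit or sim >= threshold,
        }
    return out


if __name__ == "__main__":
    for url, r in triage(SEED_HTML, CANDIDATES).items():
        verdict = "PIVOT" if r["candidate"] else "skip"
        print(f"{url} title={r['title']!r} sim={r['similarity']} title_hit={r['title_hit']} -> {verdict}")
```

Shingle similarity is deliberately stricter than a fuzzy hash: it has no tolerance for reordered blocks, so expect scores a little lower than a CTPH tool reports on the same pair, and tune the threshold against confirmed true positives rather than reusing the 75% figure blindly. The title check is cheap and catches panels whose login template has been swapped, but it is also the signal an operator can change most easily.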
Control panel examples
Pegasus control panel @ https://ok.chicecon[.]com
HookBot control panel @ http://91.202.233[.]174
DukeEugene Mitigation
All domains and IP IOFAs gathered from this research are populated in the following Silent Push IOFA feeds, which are constantly updated:
Android Malware – Duke Eugene Cluster
Android Malware – Ermac IPs
Android Malware – Hookbot Domains
Android Malware – Hookbot IPs
Silent Push Android malware feeds
Silent Push Enterprise users can use data from the above feeds in three ways:
Download a data snapshot as a file, using the ‘Download File’ button (manual export).
Ingest the feed in real time via the API endpoint returned by the ‘Automate Export’ button.
Filter each feed using custom filter profiles.
Sample of DukeEugene IOFAs
Note: A full list of domain and IP IOFAs linked to our DukeEugene research can be accessed via a Silent Push Enterprise subscription, across four dedicated Android malware feeds. This sample is provided to our readers to aid in their detections.
Indicators of Future Attack are domains, IP addresses and DNS records that act as real time, actionable, proactive indications of attacker behavior and intent.
Created using the power of our proprietary intelligence, IOFAs and their associated analytics are commonly used by security teams, analysts and researchers to improve their threat hunting efforts, proactively defend their digital assets or strengthen their security posture by integrating early detection feeds into their security stack.
As part of release 4.2, Silent Push introduced an exclusive page for its IOFA Feeds and associated feed analytics, allowing you to access timely, accurate and complete IOFA data to stop threats before they attack.
Data independence
How are we able to get IOFAs in the first place? How do we know they are trustworthy indicators? Silent Push is able to provide these indicators by using our own first-party data that’s collected, clustered, scored and delivered without third-party intervention.
The ability to create, control and map the relationship between billions of disparate domains, IPs, DNS records and content hashes to identify emerging patterns is what makes our operational threat intelligence so valuable, and highly actionable.
Curated IOFA Feeds
Curated Feeds are feeds built by our own threat analysis research team at Silent Push. Each indicator is tied to a confirmed threat, and the feeds are reviewed to keep false positives out, so you get the real-time data you need and nothing else.
Our IOFA Feeds specifically contain IPs, domains, and URLs gathered from our research into global threat actors, specific threat campaigns and a range of attack vectors.
Why use Silent Push feeds?
At Silent Push, we do a lot of work in the background to make sure you can instantly consume our data within the feed at the point of delivery.
Yes, we provide you with the raw data in a curated feed, but so do the other guys…
What we also provide, at the same time, is real-time associated context that is immediately available as actionable intelligence for your existing security stack. You can consume all the relevant information you need in one place and act on it, for example by writing rules that react to our feeds in different ways, or by using our enriched threat ranking data to inform your own internal scoring.
Summary
In this blog, we’ll walk you through how to access IOFA Feeds in Silent Push, how to interpret feed analytics, feed them into your security stack and utilize the data to improve your security posture.
How to access IOFA Feeds in Silent Push
Enterprise users have complete access to all 50+ IOFA Feeds in Silent Push.
To access the IOFA Feeds, simply navigate to Data Marketplace > IOFA Feeds. This will populate all of our available IOFA Feeds as cards that can be expanded.
You are able to filter the feeds by a particular term in the search bar, filter by IPv4, IPv6, domain or URL data, and sort the feeds into newer or older order.
IOFA Feeds page
IOFA Feed Analytics
Feed Analytics allow security teams to join the dots across the IPv4/IPv6 space, acting as an early warning system populated with attacker infrastructure.
The Feed Analytics screen contextualizes feed data across the following categories.
Overview panel
The Overview panel provides users with basic context of the Feed structure and export formats along with shortcuts to relevant threat articles.
Number of IOFAs: a numerical count of the IOFAs currently listed in the feed
Last Updated: the date at which the feed was last updated
Available export formats: including one or more of the following: CSV, JSON, TXT, RPZ, STIX
Linked TLP Amber Report: a link to the associated threat reports produced by our threat research team
Description of Feed: detailing the associated threat actor/s, common attack vectors and any other relevant information
IOFA Feed Trend panel
The Feed Trend panel helps users understand how the feed has evolved over time.
Date collected: the date an individual IOFA was added to the feed
IOFA count: the total count of IOFAs listed in the feed at a certain point in time
IOFA Feed Trend panel
IOFA Geo Location
Users are able to quickly visualize the geo location of IOFAs on a world map, and download an SVG file of the image to share.
Country source count: a numerical count of an IOFA’s source country displayed on a world map
IOFA Geo Location map
IOFA Feed Tags
Feed Tags are useful shortcuts for users to explore different threat actors or types of criminal infrastructure.
Feed Tags: provide shortcuts to filtered results for specific threat actors or malicious infrastructure (i.e., Trojan Malware, Android Malware, Ermac etc.) on the Threat Ranking page
IOFA Feed Tags
IOFA Feed Analysis Indicators
Contextualizing feeds is critical to understanding patterns of behavior across a group of related IOFAs. Feed Analysis Indicators give users a thorough overview of the feed’s average risk and reputational scores, highlighting ‘hot spots’ or areas of concern to help map out attacker infrastructure.
To help understand the size and scale of threat landscapes and patterns, our Top Ten categories provide users with information regarding:
Top 10 TLDs: TLDs in the feed with the highest number of IOFAs
Top 10 ASN: ASNs in the feed with the highest number of IOFAs
Top 10 Registrars: Registrars with the highest number of IOFAs
Top 10 Nameservers: Nameservers with the highest associated number of IOFAs
IOFA Feed Analytics ‘Top Ten’ categories
Threat Ranking
The enriched domains and IP addresses within each feed are also visible in Threat Ranking page under Threat Intelligence Management, providing you with corroborated IOFA data in one indexed and searchable screen. This page features additional risk and reputation scoring to support your analysis.
To navigate here from the IOFA Feed Analytics page, navigate to Threat Intelligence Management > Threat Ranking. Enter the specific IOFA you’d like to observe in the search bar, or, create an Advanced Filter with logical expressions to monitor a group of IOFAs.
Using IOFA Feed Analytics to improve your security posture
Now that you have access to our proprietary IOFA data, how can you use it to stop threats before they’re weaponized? IOFA feed data can be fed into your security stack (a SOAR, Microsoft Sentinel, Splunk, etc.) and used for traffic blocking, quarantining, ongoing monitoring and more.
Download Feed data: File export options
IOFA Feed data can be exported in several ways, depending on how you wish to use it.
Download via manual export:
To manually export Feed data:
From the Feed Analytics screen, select ‘Download File’.
Export as a CSV, JSON, TXT, RPZ or STIX file.
Download via API URL:
From the Feed Analytics screen, select ‘Automate Export’
Select the file type required
Click the Copy API Endpoint button. Calling this endpoint returns a time-limited (3 hours) URL from which the file can be downloaded, so schedule the endpoint call rather than caching the download URL itself.
Extract code snippets for external security tools:
IOFA feed data can also be pulled into your security stack from Python, curl or PHP.
After clicking ‘Automate Export’, select the cURL, Python or PHP tab to copy a code sample and call it from your desired security tool.
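What a consumer of the exported feed actually has to do is normalize the indicators and match them against telemetry. The following is an added example, not the code sample the platform generates and not the documented API: it shows a fetch helper for an ‘Automate Export’ style endpoint (the endpoint URL, the X-API-KEY header and the "url" key in the reply are assumptions), a loader that accepts either the JSON or the TXT export format, and a matcher that runs the resulting domain and IP sets over resolver log lines. The feed snapshot uses the two IOFAs named in this post; the log lines and their field names are constructed.

```python
import ipaddress
import json
import urllib.request

# Constructed feed snapshot. The field names ("indicator", "type") are an
# assumption for this example; check the real export before relying on them.
SAMPLE_FEED_JSON = json.dumps([
    {"indicator": "ok.chicecon.com", "type": "domain"},
    {"indicator": "91.202.233.174", "type": "ipv4"},
])

# Constructed resolver log: timestamp, client, queried name, answer address.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 login.ok.chicecon.com 203.0.113.9
2024-05-01T10:00:02Z 10.0.0.7 www.example.com 203.0.113.20
2024-05-01T10:00:03Z 10.0.0.9 update.example.net 91.202.233.174
2024-05-01T10:00:04Z 10.0.0.5 OK.CHICECON.COM. 203.0.113.9
2024-05-01T10:00:05Z 10.0.0.8 chicecon.com 203.0.113.10
"""


def fetch_feed(api_endpoint, api_key, timeout=30):
    """Fetch a feed through an 'Automate Export' style endpoint. The endpoint
    URL, the header name and the "url" key in the reply are assumptions for
    this example. The endpoint hands back a short-lived download URL, so the
    caller should cache the file it returns, never the URL."""
    req = urllib.request.Request(api_endpoint, headers={"X-API-KEY": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        download_url = json.load(resp)["url"]
    with urllib.request.urlopen(download_url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_indicators(feed_text):
    """Split a JSON (list of objects) or TXT (one indicator per line) export
    into normalized domain and IP sets."""
    try:
        data = json.loads(feed_text)
        if not isinstance(data, list):
            raise ValueError("not a JSON list")
        values = [row["indicator"] for row in data]
    except ValueError:
        values = [ln.strip() for ln in feed_text.splitlines()
                  if ln.strip() and not ln.startswith("#")]
    domains, ips = set(), set()
    for v in values:
        v = v.strip().lower().rstrip(".")
        try:
            ips.add(str(ipaddress.ip_address(v)))
        except ValueError:
            domains.add(v)
    return domains, ips


def domain_hit(qname, domains):
    """Return the feed domain matching qname or one of its parents, so a feed
    entry for ok.chicecon.com also catches login.ok.chicecon.com. The bare
    TLD is never tested, and a sibling such as chicecon.com is not a hit."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in domains:
            return parent
    return None


def scan_dns_log(log_text, domains, ips):
    """Yield (timestamp, client, kind, indicator) for every query name or
    answer address that appears in the feed."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, answer = parts
        matched = domain_hit(qname, domains)
        if matched:
            hits.append((ts, client, "domain", matched))
        if answer in ips:
            hits.append((ts, client, "ip", answer))
    return hits


if __name__ == "__main__":
    doms, addrs = load_indicators(SAMPLE_FEED_JSON)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, doms, addrs):
        print(hit)
```

Matching on the answer address as well as the query name is what turns an IP feed into something a DNS log can use: the IOFA 91.202.233[.]174 is never queried by name, but it shows up as the answer for a domain the feed does not yet list. For a production pipeline, re-fetch on a schedule shorter than the feed’s update cadence and diff the indicator sets, so that new entries can be alerted on and removed entries stop matching.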
REGISTER FOR COMMUNITY EDITION
IOFA Feeds and their associated analytics are available as part of Silent Push Enterprise Edition – a powerful threat hunting and cyber defense tool used by security teams, threat analysts, and researchers. Request a demo here.
If you’d like to get a taster of the Silent Push platform, register for our free Community Edition that features 90+ data enrichment categories that you can use to track and monitor attacker activity across the global IPv4 space. Click here to sign-up for a free Community Edition account.
We’re thrilled to announce that today, Lionfish Tech Advisors published “Anticipating The Unseen: Elevating Cyber Defense with Silent Push Preemptive Threat Intelligence”.
Authored by Brad LaPorte, a Gartner veteran and CTI industry expert, the report provides a comprehensive evaluation of the evolving cyber threat landscape, and re-affirms the necessity for preemptive threat intelligence solutions.
Evolution Framework
Brad has developed a framework that outlines the evolution of threat intelligence, and conveys how the industry is evolving through several stages – From Level 1 (Proactive) to Level 2 (Predictive), before landing on a new era with Level 3 (Preemptive).
This framework demonstrates how Silent Push stacks up next to legacy threat intelligence providers.
Webinar
We’ll be conducting a webinar in the coming weeks, where Brad will discuss his findings and talking about the topic of advanced threat intelligence. We’ll keep you posted with a date.
Objective: Identify and neutralize threats before they can launch, effectively preventing attacks from occurring.
Sub-tasks and capabilities:
Indicators of Future Attack (IOFA): Identifying indicators that suggest where an attack is coming from.
Data Enrichment: Silent Push adds context to each IP and domain it scans across 90+ categories, enriching observable data with a wealth of information.
Early Detection Feeds: Silent Push provides Early Detection Feeds that monitor threat activity in a global early warning system. This includes real time notification of changes within the global IPv4 and IPv6 space, tracking of Command and Control (C2) infrastructure, and Advanced Persistent Threat (APT) activity.
Reputation Scoring: The platform evaluates risk with reputational scoring, which likely includes detailed insights into the credibility and history of domains, IPs, and URLs. This scoring system can aid in prioritizing threats based on their potential impact.
Integration of Multiple Data Sources: Silent Push integrates various data points, such as passive DNS data, HTML content, and certificate values. The comprehensive integration of data sources may offer a more holistic view of potential cyber threats.
Finding Emerging threats: The emphasis on finding emerging threats prior to launch, including impersonation campaigns, indicates a forward-looking stance in cybersecurity defense.
Tailored solutions: Silent Push caters to a wide range of industries with specific cybersecurity needs, which could mean that their platform is highly adaptable to different sectors and use cases.
Real-time monitoring: With real-time notifications of changes in the global IPv4 space and monitoring of daily changes to an organization’s public DNS presence, Silent Push provides timely updates that can be critical for rapid response to threats.
Community Edition: Offering a Community Edition at no cost not only provides value to security researchers but also fosters a community around their platform, which can lead to shared knowledge and collective improvement in threat detection and response.
CryptoChameleon is a phishing kit first discovered in February 2024. As of publication, the identity of CryptoChameleon’s creator remains elusive.
The kit is used by unknown threat actors to harvest usernames, passwords, password reset URLs, and photo IDs from employees and customers’ mobile devices.
Silent Push Threat Analysts have conducted a wide-ranging research campaign that has revealed a large number of CryptoChameleon fast flux Indicators of Future Attack (IOFAs) targeting Binance, Coinbase and FCC users, and a host of other platforms, including:
Apple iCloud
Google
Gemini
Kraken
Gamdom
Ledger
Swan Bitcoin
Trezor Hardware Wallet
Uphold
Nexo Crypto
Shake Pay Crypto
Background
On 6th February 2024, Silent Push analysts noticed malicious activity targeting the FCC, and reported it confidentially to CISA.
Subsequent research, published by cloud security vendor Lookout, referenced the same domain as our FCC report, which we now know to be CryptoChameleon infrastructure.
Initial reports noted the targeting of employees at the FCC, Binance and Coinbase, among others, in sophisticated email, SMS, and voice phishing attacks.
CryptoChameleon TTPs
A phishing kit can broadly be defined as a group of tools and files that work together to propagate phishing activity, and quickly deploy infrastructure.
CryptoChameleon phishing activity is propagated using a range of DNS-based and on-page TTPs.
DNSPod nameservers
Our research has discovered that CryptoChameleon makes almost exclusive use of DNSPod[.]com nameservers.
DNSPod is a self-proclaimed “intelligent DNS provider” that has been used by botnets and bullet-proof hosting operators to propagate malicious activity for a number of years, with an estimated 30% of its infrastructure engaged in malicious activity, according to a recent Unit42 report.
CryptoChameleon uses DNSPod nameservers for fast flux evasion, cycling a single domain name through large numbers of IP addresses in quick succession.
Fast flux allows CryptoChameleon infrastructure to evade traditional countermeasures and significantly reduces the operational value of legacy point-in-time IOCs: by the time an IP address reaches a blocklist, the domain has already moved on.
For more information on fast flux techniques, read our Gamaredon report.
Additional TTPs
Silent Push has also tracked a number of additional TTPs that we aren’t able to divulge in a public blog, for OPSEC reasons.
These variables are linked to the deployment of phishing domains, and form a behavioural fingerprint that allows for quick and easy monitoring of all associated infrastructure.
Silent Push Enterprise users have access to a CryptoChameleon TLP Amber report that reveals these additional measures, along with the specific queries and parameters we’ve used to uncover CryptoChameleon infrastructure, and automated mitigation steps, including dedicated domain and IP feeds.
Phishing kit behaviour
Analysis of the phishing kit indicates the ability to impersonate many different brands, across a range of sectors.
Our research aligns with other public research, which states that CryptoChameleon has separate phishing kits targeting public sector organizations.
The CryptoChameleon phishing kit copies the exact branding of legitimate websites and landing pages, with some key differences that allow the kit to evade standard countermeasures.
CryptoChameleon targets
CryptoChameleon phishing pages contain slices of data that detail the C2 server that’s being used to intercept a user’s personal information, and the organizations that are being targeted.
Analyzing one such domain – lookoutsucks[.]com (likely a parody of Lookout[.]com – the research group that was first to publicize information about the phishing kit), we can see the following companies listed:
Yahoo
Outlook
Gemini
Kraken
Apple / iCloud
Twitter
Binance
Uphold
Lastpass
Google/Gmail
AOL
These details are stored alongside password reset prompts, sign-in prompts, OTP prompts, and 2FA flows that target any user who interacts with the domain.
CryptoChameleon phishing pages
Here’s a few screenshots that show CryptoChameleon phishing infrastructure across various websites.
We started by focusing our attention on DNSPod[.]com – the largest DNS provider in China, known to host a range of malicious infrastructure.
To traverse CryptoChameleon fast flux infrastructure, we executed an IP diversity query using *.dnspod[.]com nameservers as the primary parameter, and a range of secondary parameters informed by what we already know about CryptoChameleon’s deployment methods.
The full list of parameters is available in the aforementioned TLP Amber report.
Silent Push IP diversity queries return the list of IP addresses that a domain or URL has pointed to over a period of time, giving us a wealth of information that we used to map out associated infrastructure.
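The logic behind an IP diversity pivot is straightforward to reproduce over your own passive DNS data. The following is an added example, not Silent Push code and not the platform’s query syntax: it filters observations to domains served by a given nameserver suffix, aggregates distinct IPs and ASNs per domain over its observation window, flags domains that rotate through many IPs across several networks in a short span, checks the naming pattern seen in the Coinbase-themed domains listed below, and then reports the IPs and ASNs that flagged domains share, which is the next pivot. The record format, IP addresses, ASNs, dates and the non-coinbse domains are constructed; only the two coinbse domain names come from this post.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed passive DNS observations: (domain, nameserver, seen, ip, asn).
RECORDS = [
    ("76153-coinbse.com", "a.dnspod.com", "2024-03-01", "203.0.113.10", 64501),
    ("76153-coinbse.com", "a.dnspod.com", "2024-03-01", "203.0.113.11", 64501),
    ("76153-coinbse.com", "a.dnspod.com", "2024-03-02", "198.51.100.20", 64502),
    ("76153-coinbse.com", "a.dnspod.com", "2024-03-02", "198.51.100.21", 64502),
    ("76153-coinbse.com", "a.dnspod.com", "2024-03-03", "192.0.2.30", 64503),
    ("81758-coinbse.com", "b.dnspod.com", "2024-03-02", "203.0.113.10", 64501),
    ("81758-coinbse.com", "b.dnspod.com", "2024-03-02", "198.51.100.20", 64502),
    ("81758-coinbse.com", "b.dnspod.com", "2024-03-03", "192.0.2.30", 64503),
    ("81758-coinbse.com", "b.dnspod.com", "2024-03-03", "192.0.2.31", 64503),
    # a CDN-fronted site on the same DNS provider: many IPs, but one ASN
    ("static.cdn-example.net", "c.dnspod.com", "2024-02-01", "203.0.113.50", 64510),
    ("static.cdn-example.net", "c.dnspod.com", "2024-02-01", "203.0.113.51", 64510),
    ("static.cdn-example.net", "c.dnspod.com", "2024-02-02", "203.0.113.52", 64510),
    ("static.cdn-example.net", "c.dnspod.com", "2024-02-02", "203.0.113.53", 64510),
    # not on the nameserver we are pivoting on, so never considered
    ("shop.example.net", "ns1.example-dns.net", "2024-03-01", "198.51.100.99", 64520),
]

# Naming pattern of the Coinbase-themed domains in this post: digits, a dash
# and a misspelt brand. Extend the alternation per brand you track.
NAME_PATTERN = re.compile(r"^\d{5,6}-(coinbse)\.com$")


def ip_diversity(records, ns_suffix=".dnspod.com"):
    """Aggregate observations per domain, keeping only domains whose
    nameserver is under ns_suffix (the primary parameter of the pivot)."""
    stats = {}
    for domain, ns, seen, ip, asn in records:
        if not ns.lower().endswith(ns_suffix):
            continue
        s = stats.setdefault(domain, {"ips": set(), "asns": set(),
                                      "nameservers": set(), "first": None, "last": None})
        s["ips"].add(ip)
        s["asns"].add(asn)
        s["nameservers"].add(ns.lower())
        d = date.fromisoformat(seen)
        s["first"] = d if s["first"] is None or d < s["first"] else s["first"]
        s["last"] = d if s["last"] is None or d > s["last"] else s["last"]
    return stats


def flag_fast_flux(stats, min_ips=4, min_asns=2, max_days=7):
    """Flag a domain that cycled through many IPs across several ASNs in a
    short window. The ASN condition is what separates fast flux from a CDN,
    which also answers with many IPs but from a single network."""
    flagged = {}
    for domain, s in stats.items():
        span = (s["last"] - s["first"]).days
        fluxing = (len(s["ips"]) >= min_ips and len(s["asns"]) >= min_asns
                   and span <= max_days)
        flagged[domain] = {
            "fast_flux": fluxing,
            "name_match": bool(NAME_PATTERN.match(domain)),
            "ips": len(s["ips"]), "asns": len(s["asns"]), "span_days": span,
        }
    return flagged


def shared_infrastructure(stats, flagged):
    """IPs that two or more flagged domains have in common, plus every ASN
    any flagged domain used: the hosts and networks worth enriching next."""
    ip_owners, asns = defaultdict(set), set()
    for domain, f in flagged.items():
        if not f["fast_flux"]:
            continue
        asns |= stats[domain]["asns"]
        for ip in stats[domain]["ips"]:
            ip_owners[ip].add(domain)
    shared_ips = {ip for ip, owners in ip_owners.items() if len(owners) >= 2}
    return shared_ips, asns


if __name__ == "__main__":
    st = ip_diversity(RECORDS)
    fl = flag_fast_flux(st)
    for dom, f in fl.items():
        print(dom, f)
    print(shared_infrastructure(st, fl))
```

The thresholds are starting points, not constants: a legitimate multi-homed service can cross min_asns, and a small flux network can sit below min_ips, so calibrate against domains you have already confirmed. Filtering on the nameserver first keeps the diversity computation cheap and, more importantly, anchors the pivot on the part of the deployment the operator changes least.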
Analyzing the results
Silent Push DNS queries are built upon a first-party database that puts the emphasis on tracking the underlying infrastructure (nameservers, ASNs etc.) involved in an attack, rather than legacy IOCs that are the mainstay of most security teams’ brand defense workflows.
This allows defenders to anticipate and block pre-weaponized infrastructure by creating an automated early warning system that evaluates a domain or IP based on its relationship with a hosting provider or ASN.
Our IP diversity search allowed us to pinpoint numerous AS names and numbers that are actively involved in propagating CryptoChameleon attacks across the globe.
Our query returned 83 domains (as of writing) that are visibly similar to previous CryptoChameleon infrastructure, such as these domains targeting Coinbase:
76153-coinbse[.]com
81758-coinbse[.]com
81920-coinbse[.]com
81926-coinbse[.]com
81958-coinbse[.]com
826298-coinbse[.]com
83216-coinbse[.]com
837613-coinbse[.]com
83956-coinbse[.]com
Our team then analyzed the domains found via the DNSPod nameserver filtering process, and executed a Web Scanner query using a common set of characteristics that allowed us to scan for matching infrastructure.
CryptoChameleon infrastructure ownership
CryptoChameleon appears to control all the domains hosted on 188.68.221[.]152, along with several other IP ranges where 95% of the domains follow similar naming patterns, with the remainder more random but potentially still owned by the same operators.
The phishing kit also controls all the domains on the following IPs:
5.188.88[.]11
84.38.181[.]13
45.131.41[.]244
185.251.88[.]223
158.160.156[.]135
Here’s a sample of IPs containing CryptoChameleon-controlled infrastructure, where many of the domains are mapped to multiple IP ranges:
213.226.112[.]47 – 68 domains
78.153.149[.]108 – 68 domains
77.221.140[.]195 – 69 domains
45.151.232[.]72 – 133 domains
45.151.232[.]64 – 127 domains
45.151.232[.]66 – 48 domains
195.58.51[.]185 – 114 domains
185.185.71[.]105 – 103 domains
31.41.44[.]243 – 108 domains
5.188.88[.]229 – 66 domains
5.188.88[.]112 – 85 domains
87.251.79[.]177 – 82 domains
185.185.70[.]94 – 128 domains
5.188.88[.]34 – 102 domains
141.98.235[.]115 – 32 domains
Enrichment page for CryptoChameleon IP
Using Silent Push to combat CryptoChameleon
All domains and IPs gathered from our research are populated in two dedicated CryptoChameleon IOFA feeds, which are constantly updated using the queries and scans discussed in this blog.
Enterprise users can use our API endpoints to feed CryptoChameleon IOFAs into their existing security stack, or access a time-limited API URL that returns a live data set.
Enterprise users can also use our TLP Amber report to pinpoint hostile ASNs and nameservers involved in CryptoChameleon activity.
Community and Enterprise users have access to a range of IP diversity queries – along with our Web Scanner – that allow security teams to quickly join the dots between billions of disparate data points, and form a complete picture of CryptoChameleon TTPs.
Register for Community Edition
Silent Push Community Edition is a free threat hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, that we used to track CryptoChameleon phishing activity.
Click here to sign-up for a free Community Edition account.
IOFA sample
A full list of CryptoChameleon IOFAs are available as part of a Silent Push Enterprise subscription, via two dedicated IOFA feeds and a TLP Amber report.
The selection of Silent Push was based on our proven experience with Microsoft Security technologies, willingness to explore and provide feedback on cutting edge functionality, and close working relationship with Microsoft.
About Microsoft Copilot
Copilot for Security is the industry’s first generative AI solution that will help security and IT professionals catch what others miss, move faster, and strengthen team expertise. Copilot is informed by large-scale data and threat intelligence, including more than 78 trillion security signals processed by Microsoft each day, and coupled with large language models to deliver tailored insights and guide next steps. Copilot allows organizations to protect using the speed and scale of AI, and transform their security operations.
A note from Silent Push
Ken Bagnall, CEO of Silent Push, said: “Organizations are desperately trying to detect and block emerging attacker activity prior to an attack launching.
“Combining the power of our platform to expose Indicators of Future Attack (IOFA), with the ability to act through Copilot AI, allows customers to predict and block emerging threats before damage occurs.
Timely, accurate and complete first-party data is what sets Silent Push apart from legacy threat intel providers, and consuming this data via Copilot AI gives customers increased trust, accuracy and speed in detecting emerging threats”, Ken Bagnall said.
We’re working with Microsoft Product Teams to help shape Copilot for Security product development in several ways, including validation and refinement of new and upcoming scenarios, providing feedback on product development and operations to be incorporated into future product releases, and validation and feedback of APIs to assist with Copilot for Security extensibility.
A note from Microsoft
Vasu Jakkal, Corporate Vice President of Microsoft Security, said: “In the context of security, AI’s impact is likely to be profound, tilting the scales in favor of defenders and empowering organizations to defend at machine speed.
“At Microsoft, we are privileged to have a leading role in advancing AI innovation, and we are so grateful to our incredible ecosystem of partners, whose mission-driven work is critical to helping customers secure their organizations and confidently bring the many benefits of AI into their environments”, Vasu Jakkal said.
CyberHUB-AM, an Armenian cyber security organization supporting regional NGOs and journalists, recently published research about a Telegram phishing campaign conducted throughout 2023 and 2024.
Silent Push Threat Analysts have used this information to identify and monitor phishing infrastructure targeting Armenian and Uzbekistani Telegram users, including live phishing domains and portal spoofing infrastructure.
Delivery Method
The attack chain begins with an Armenian Telegram message asking the user to cast a vote for the sender in a contest they claim to be participating in, and asking them to follow a link.
The link appears to point to the non-existent URL daxcearm[.]wve (there is no .wve top-level domain), but actually uses the cutt[.]ly URL shortener to send the user to a final malicious URL, https://dolbaebshesp[.]in/.
The final URL hosts a Telegram phishing page in the Uzbek language. The 2023 phishing kits previously reported on by CyberHUB-AM used Armenian.
This recent campaign could indicate a different threat actor, or an updated campaign using the wrong language on the landing page. Although it is unclear why a message in Armenian would link to an Uzbek phishing page, mistakes of this kind are fairly commonplace in regional cybercrime.
Tracking the Telegram phishing pages
Threat actors deploy their infrastructure according to a set of definable (and searchable) parameters.
Our analysts isolated the phishing infrastructure involved in the campaign using proprietary fingerprinting that maps out malicious domains through a combination of content similarity checks and the Silent Push Live Scan feature.
Using these methods, we discovered 26 phishing domains, three of which were still live at the time of investigation: uzgolos[.]shop, uzvvots[.]shop, and vote-uzbekistan48[.]top.
Screenshot of vote-uzbekistan48[.]top using Silent Push Live Scan
We confirmed the domains were actively phishing for Telegram login codes by opening the URL in a browser and entering a phone number linked to a test Telegram account, after which a login code was sent to that account:
Telegram login code message
Though the three live URLs, and other domain names in the campaign, suggest that Uzbekistan is the geographic region being targeted, we also discovered older URLs from August and September 2023 that can reasonably be linked to the same campaign.
These domain names, including tajikistan-vote[.]site, arm-vote[.]space and ukr-vote[.]site, and the likely related http://uz-golos[.]shop/, suggest active targeting of other countries too.
New domains that match the fingerprint will be automatically added to the associated IOFA feed.
Register for Community Edition
Silent Push Community Edition is a free threat hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push ‘Web Scanner’ and ‘Live Scan’ that we used to track the phishing campaign in this blog.
Click here to sign-up for a free Community Edition account.