  • 0 Votes
    1 Posts
    0 Views
    infobloxthreatintel@infosec.exchange
    Having trouble finding a free streaming site for World Cup matches? This threat actor has you covered with thousands of websites for all 104 matches! We've been tracking a likely Vietnam-based actor that mass purchases expired domains (we call these dropcatch) and repurposes their existing web traffic to funnel visitors into illegal sports streaming sites, and then straight into a betting platform the same actor operates. The domain portfolio is a graveyard of real internet history: 2026worldcupnorthamerica[.]com (once cited by the Dallas Morning News and the US Men's National Team Facebook fan page), childreninachangingclimate[.]org (formerly a children's aid program), thebreastcancercharities[.]org (formerly non-profit The Breast Cancer Charities of America), and a domain officially used by major US grocery store chains involved in a large proposed merger. Collectively, this actor has spent hundreds of thousands of dollars acquiring dropcatch domains alone — a strong signal that dropcatching is a genuinely effective vehicle for cyber fraud. Behind all of it sits a staggering tech stack operated by a single actor: 5,000+ domains, illegal streaming services, CDNs, TDSs, trackers, cloakers, betting platforms, and mobile apps. That's not a side hustle, that's an enterprise. While the platform largely targets Vietnamese-speaking users, as well as others in Asia and Oceania, the financial damage reaches much further.
    Sports authorities and broadcasters worldwide are losing revenue every time someone watches a live NBA, MLB, esports, poker, or World Cup match for free on one of these sites, and this actor has all of them covered.

    Some examples from the domains we've uncovered so far:

    Dropcatch domains that host or redirect to illegal streaming services:
    autoredistrict[.]org
    childreninachangingclimate[.]org
    2026worldcupnorthamerica[.]com
    folsomprisonmuseum[.]org
    allaboutbasketball[.]us
    thebreastcancercharities[.]org

    Fraudulent domains that host or redirect to illegal streaming services:
    90phutaa[.]cc
    90phutab[.]cc
    90phutac[.]cc
    xoilaczzzzw[.]tv
    xoilaczzzzt[.]tv
    xoilaczzzzh[.]tv

    Lookalike domains used by the betting platforms:
    fifa001[.]com
    fifa002[.]com
    fifa02[.]com
    worldcup00[.]com
    worldcup000[.]com
    worldcup02[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #dropcatch #malvertising #illegalstreaming #sportsbetting #domainabuse #vietnam #worldcup #asia #fifa #streaming #betting #2026worldcup #charities #nonprofit #lookalike #xoilac #90phut
  • 0 Votes
    2 Posts
    0 Views
    jpmens@mastodon.social
    @nlnetlabs at most, and it won't be enough for three! @gryphius
  • #Denic has a final report for the #DNS outage of the

    Uncategorized denic dns
    1
    0 Votes
    1 Posts
    0 Views
    wifi_freak@social.zischundweg.cloud
    #Denic has published a final report on the #DNS outage of the .de TLD on 5 May 2026. TL;DR: they generated 3 different keys but with the same metadata (keytag). In the end, only one of the ZSKs with that keytag was written into the zone. Accordingly, only the RRSIGs from one HSM could be validated. https://blog.denic.de/en/final-report-dns-outage-of-5-may-2026/
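    The post above describes three keys generated with the same key tag, of which only one was published. A key tag (RFC 4034 Appendix B) is a 16-bit checksum of the DNSKEY RDATA, not a unique identifier, so collisions are expected across enough keys; validators pick candidate DNSKEYs by (owner, algorithm, key tag) and try each, so a signature made by a key whose RDATA is not in the published RRset verifies against nothing, even if a published key carries the same tag. The following is an added example of mine, not DENIC's tooling or anything from their report: it implements the key-tag computation and the two pre-publication checks that catch that state, a collision scan over the generated key set and a check that every signing key's exact RDATA is in the published DNSKEY RRset. The key material is constructed (four-byte fake public keys chosen so that three ZSKs share tag 2067), not real DNSSEC keys.

```python
"""Key-tag sanity checks for a DNSSEC key set.

Added example; not DENIC's report or tooling. All key material is constructed.
"""
import struct
from collections import defaultdict


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (algorithm 1, RSA/MD5, uses the older B.1 rule instead)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def algorithm(rdata: bytes) -> int:
    return rdata[3]


def keytag_collisions(keys: dict[str, bytes]) -> dict[int, list[str]]:
    """Map each key tag shared by two or more keys to the names of those keys."""
    by_tag: dict[int, list[str]] = defaultdict(list)
    for name, rdata in keys.items():
        by_tag[keytag(rdata)].append(name)
    return {tag: names for tag, names in by_tag.items() if len(names) > 1}


def candidate_keys(rrsig_keytag: int, rrsig_alg: int, published: dict[str, bytes]) -> list[str]:
    """Keys a validator would try for an RRSIG (RFC 4035 section 5.3.1 matching)."""
    return [name for name, rdata in published.items()
            if keytag(rdata) == rrsig_keytag and algorithm(rdata) == rrsig_alg]


def publish_check(generated: dict[str, bytes], published: dict[str, bytes],
                  signers: list[str]) -> list[str]:
    """Findings that must be empty before signing with `signers` and publishing `published`."""
    findings = []
    for tag, names in sorted(keytag_collisions(generated).items()):
        findings.append(f"key tag {tag} shared by {', '.join(names)}")
    for name in signers:
        rdata = generated[name]
        if rdata in published.values():
            continue
        tried = candidate_keys(keytag(rdata), algorithm(rdata), published)
        findings.append(
            f"signer {name} (tag {keytag(rdata)}) is absent from the published DNSKEY RRset; "
            f"validators would try {tried or 'no key'} and fail"
        )
    return findings


# Constructed key set: three ZSKs (flags 256, algorithm 13) with fake 4-byte public
# keys chosen so that all three share key tag 2067, plus one KSK (flags 257).
GENERATED = {
    "ksk":   dnskey_rdata(257, 3, 13, b"\x0a\x0b\x0c\x0d"),
    "zsk-a": dnskey_rdata(256, 3, 13, b"\x01\x02\x03\x04"),
    "zsk-b": dnskey_rdata(256, 3, 13, b"\x03\x01\x01\x05"),
    "zsk-c": dnskey_rdata(256, 3, 13, b"\x00\x06\x04\x00"),
}
# Only one of the colliding ZSKs made it into the zone ...
PUBLISHED = {"ksk": GENERATED["ksk"], "zsk-a": GENERATED["zsk-a"]}
# ... but all three were used to produce RRSIGs.
SIGNERS = ["zsk-a", "zsk-b", "zsk-c"]

if __name__ == "__main__":
    for line in publish_check(GENERATED, PUBLISHED, SIGNERS):
        print("FINDING:", line)
```

    Run as a script it prints one finding for the shared tag and one per unpublished signer. Running `keytag_collisions` over the full generated set before any key is written to the zone, and refusing to sign when it is non-empty, is the cheap check; matching signers' RDATA against the published RRset covers the case where the keys differ but the zone was assembled from the wrong one.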
  • 0 Votes
    5 Posts
    0 Views
    pb@mast.eu.org
    @bortzmeyer @jpmens is it possible that some obscure script in the process would try to find a new keypair from a given keytag? Using brute force, given the small size of a keytag, it shouldn't be that long. Or former expired keys sitting somewhere on the disk.
  • 0 Votes
    3 Posts
    0 Views
    willem@social.secret-wg.org
    @letoams @nlnetlabs Sorry about that, I will correct this with an ldns-1.9.2 release. It happened because 1.9.0 had an ABI change (return code of ldns_dnssec_rrs_add_rr()) for which it didn't bump version. So I made the mistake to correct this with 1.9.1, but that should have been corrected with a 1.10.0 instead.
  • Problems fixed in the #Homelab.

    Uncategorized homelab dns
    3
    0 Votes
    3 Posts
    1 Views
    lars@fedihub.space
    @rantanlan@social.tchncs.de yes, nothing else
  • 🆕 blog!

    Uncategorized dns icann ietf internet standards
    15
    0 Votes
    15 Posts
    16 Views
    edent@mastodon.social
    Update! An anonymous benefactor has provided me with a list of eighty-four THOUSAND domains with multiple hyphens. https://codeberg.org/edent/Consecutive--Dash----Domains There are some deeply weird entries in there. Who knew that .kred was still going?!
  • Hi!

    Uncategorized infosec cybersecurity dns foss introduction
    1
    0 Votes
    1 Posts
    0 Views
    eteryu@infosec.exchange
    Hi! The move from mastodon.com.pl is complete. Time for a fresh start and a full deployment on #infosec.exchange. For those seeing me for the first time: I analyze things more deeply than common sense dictates. I'm interested in #cybersecurity in the broad sense, from a practitioner's perspective. In my spare time I play with: hardening and mobile security (my bastion is GrapheneOS); advanced network segmentation and traffic control at the source (#VPN / #DNS); the #FOSS movement, digital sovereignty and the deconstruction of trust models. I always like to look beyond the beaten path, constantly searching for new horizons. I regularly write up my analyses, tests and technological investigations on my blog: https://meridian.bearblog.dev/ Thanks for every boost and see you in the discussions! #introduction #powitanie #privacy #grapheneos #foss #opensource #wireguard #mullvad #dns
  • 0 Votes
    1 Posts
    4 Views
    harpocrates@infosec.exchange
    Reverse engineered the Mintegral MBridge SDK (common in gaming APKs with aggressive adv). The SDK assembles exfiltration endpoints at runtime via AES/XOR decryption + Android IPC Intents. No hardcoded domain in the binary. MobSF classifies the package as Advertisement and stops there. Knox and Play Protect see legitimate inter-process communication between signed components — nothing to flag. Extracted 6 C2/collection domains. Loaded them into AegisDNS as a SIGINT feed. Both Knox and Play Protect: no block, no alert. AegisDNS: all 6 blocked at resolution. The IPC obfuscation chain is effective against every on-device analysis layer. It stops at port 53 — the one operation the OS cannot perform inside the obfuscation boundary. Full write-up with architecture, the structural argument for perimeter DNS vs MTD, and operational trade-offs (block rate, DoH bypass mitigation via iptables, PCRE2/FFI trade-off): https://cariagiovannib.wordpress.com/2026/06/06/crowdstrike-didnt-block-it-knox-didnt-block-it-a-dns-query-did/ #dns #android #reverseengineering #infosec #mobilesecurity
  • 0 Votes
    1 Posts
    4 Views
    nlnetlabs@social.nlnetlabs.nl
    After releasing the Cascade beta, NLnet Labs HQ has a @jpmens vs. @bortzmeyer poll going.#DNS #DNSSEC
  • 0 Votes
    2 Posts
    7 Views
    2bfair@infosec.exchange
    @testman I don't think it's accurate to say DNS hasn't evolved 'a bit' over the years or that DNS is "mostly" just websites / A, AAAA, MX, and TXT RRTypes.
  • PowerDNS Authoritative Server 5.1.0 Released

    Uncategorized dns dnssec
    1
    0 Votes
    1 Posts
    4 Views
    powerdns@fosstodon.org
    PowerDNS Authoritative Server 5.1.0 Released https://blog.powerdns.com/2026/06/03/powerdns-authoritative-server-5.1.0-released #dns #dnssec
  • Quite a show with #DNS and #LetsEncrypt

    Uncategorized dns letsencrypt
    2
    0 Votes
    2 Posts
    2 Views
    duxsco@fedifreu.de
    @rainer ugh, hopefully this arrives soon: https://letsencrypt.org/2026/02/18/dns-persist-01 The RFC has not been adopted yet.
  • 0 Votes
    1 Posts
    8 Views
    nbwpuk@infosec.exchange
    Great day at the Nominet Members Regional Event today which was held at Triumph Motorcycles Limited factory in Hinckley. Interesting insights on the UK domain space, how it stacks up against other TLDs, what's happening with AI, but also, where some opportunities are hiding. Also, got to see The Great Escape motorbike! #nominet #dns #domain
  • 0 Votes
    1 Posts
    4 Views
    bastillebsd@fosstodon.org
    Screenshot from my custom (Rust) DNS filtering-forwarder with new experimental runtime IDN homograph detection against a predefined protected domain list. Screenshot results reflect these punycodes:
    xn--ggle-55da.com  google.com  BLOCK
    xn--pypl-53dc.com  paypal.com  BLOCK
    xn--pple-43d.com   apple.com   BLOCK
    xn--fiq228c5hs.cn  chinese     ALLOW
    #DNS #homograph #cybersecurity
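    The check the post above screenshots, as an added example of my own, not BastilleBSD's Rust code: each query name is decoded from punycode with Python's stdlib idna codec, a "skeleton" is built by mapping look-alike characters onto the ASCII they resemble (a small hand-picked subset of the Unicode UTS #39 confusables table, assumed here, not the forwarder's table), and the name is blocked when the skeleton equals, or is a subdomain of, a protected domain while the name itself is not that domain. The protected list and the sample queries are constructed; the first four samples are the punycodes listed in the post.

```python
"""Runtime IDN homograph check for a DNS filtering forwarder.

Added example, not BastilleBSD's code. PROTECTED, CONFUSABLES and SAMPLES are constructed.
"""
import unicodedata
from typing import Optional

PROTECTED = {"google.com", "paypal.com", "apple.com"}

# Hand-picked subset of UTS #39 confusables: Cyrillic, Greek and Latin letters
# that render like plain ASCII in common fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",
    "\u0131": "i",  # dotless i
}


def to_unicode(qname: str) -> str:
    """Decode A-labels (xn--...) to U-labels; leave names the codec rejects untouched."""
    try:
        return qname.encode("ascii").decode("idna")
    except UnicodeError:
        return qname


def skeleton(name: str) -> str:
    """Map a U-label name onto the ASCII string a human would read it as."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):   # drop accents and diacritics
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def protected_match(skel: str) -> Optional[str]:
    """The protected domain that `skel` equals or sits under, if any."""
    for domain in PROTECTED:
        if skel == domain or skel.endswith("." + domain):
            return domain
    return None


def check(qname: str) -> tuple:
    """Return ("BLOCK" | "ALLOW", reason) for a queried name."""
    qname = qname.rstrip(".").lower()
    uni = to_unicode(qname)
    if uni.isascii():
        return "ALLOW", "all-ASCII name, no IDN homograph possible"
    skel = skeleton(uni)
    target = protected_match(skel)
    if target:
        return "BLOCK", f"{qname} renders as {uni}, a look-alike of {target}"
    return "ALLOW", f"IDN {uni} does not resemble a protected domain"


# Constructed queries; the first four are the punycodes from the post.
SAMPLES = ["xn--ggle-55da.com", "xn--pypl-53dc.com", "xn--pple-43d.com",
           "xn--fiq228c5hs.cn", "login.xn--ggle-55da.com", "google.com"]

if __name__ == "__main__":
    for q in SAMPLES:
        verdict, why = check(q)
        print(f"{verdict:5} {q:26} {why}")
```

    The decision happens on the wire-format name before any upstream lookup, so it costs one decode and one table walk per query. Two limits worth knowing: pure-ASCII look-alikes (g00gle, rn for m) are out of scope for a homograph check and need a separate edit-distance or typo-squat rule, and a production CONFUSABLES table should be generated from the full UTS #39 data rather than hand-picked as here.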
  • 0 Votes
    4 Posts
    14 Views
    jpmens@mastodon.social
    @shaft and 4.8 doesn't have a README !!! (nor is "daemon" mentioned other than in openlog(3))
  • 0 Votes
    7 Posts
    16 Views
    tux@burningboard.net
    @leftover Thanks for the tip, I'll take a closer look at that. At the moment it's working fine this way, though.
  • Weekend Reads

    Uncategorized dns rpki iran starlink
    1
    0 Votes
    1 Posts
    10 Views
    jtk@infosec.exchange
    Weekend Reads
    * Centrality in the DNS https://www.potaroo.net/ispcol/2026-05/dns-centrality.html
    * RPKI RP fuzzing analysis https://arxiv.org/abs/2605.26651
    * Iran Internet partial restoration https://blog.cloudflare.com/iran-internet-partially-restored-may-2026/
    * Enterprise security for the AI era https://arxiv.org/abs/2605.22985
    * Characterizing Starlink queuing configuration https://arxiv.org/abs/2605.27717
    #DNS #RPKI #Iran #AI #Starlink
  • 0 Votes
    5 Posts
    33 Views
    oz1tmm@techhub.social
    @BastilleBSD Using censurfridns.dk, so a dns-service, but nowhere near cf or the ilk.
  • 0 Votes
    1 Posts
    7 Views
    larvitz@burningboard.net
    I have been self-hosting the DNS for my domains for more than 20 years now. 2026 finally was the year when I decommissioned the last BIND server and replaced it with PowerDNS, containerized in Podman with a SQLite backend. I already migrated the hidden primary to PowerDNS in 2022 (because of the REST API, compatibility with Traefik, easier DNSSEC handling and the higher flexibility), and now my secondaries are migrated as well. Nonetheless, BIND was one of the most stable pieces of technology that I've ever used. But it also felt a bit unwieldy and old-fashioned in some ways. #dns #bind #powerdns #podman #container #linux #domain