Kyle Ehmke
@kyleehmke
Threat intel researcher focused on infrastructure hunting. Views are my own and not my employer's. Others: @[email protected] @kyleehmke.bsky.social
ID:2419824120
31-03-2014 02:13:47
2,0K Tweets
5,1K Followers
305 Following
![Another John Mark Dougan domain administered via the same account as britishchronicle[.]com, gbgeopolitics[.]com, and londonchronicle[.]news: foreignagentintel[.]com](https://pbs.twimg.com/media/GKxIxEvWAAInEm8.jpg "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-04-10 01:49:38 Another John Mark Dougan domain administered via the same account as britishchronicle[.]com, gbgeopolitics[.]com, and londonchronicle[.]news: foreignagentintel[.]com")
![Suspicious domains softupdate[.]org (5.45.93[.]209) and teamsupdate[.]org (5.61.51[.]33) were registered in short proximity through Njalla on 4/3.](https://pbs.twimg.com/media/GKPPXxGWgAEosBC.jpg "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-04-03 11:49:52 Suspicious domains softupdate[.]org (5.45.93[.]209) and teamsupdate[.]org (5.61.51[.]33) were registered in short proximity through Njalla on 4/3.")
![Suspicious domain docstorage[.]link was registered through Njalla on 4/2. It and subdomain drv[.]docstorage[.]link resolve to 212.46.38[.]222 and redirect to legitimate Microsoft sites.](https://pbs.twimg.com/media/GKNDKZcWcAAzSjo.jpg "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-04-03 01:38:01 Suspicious domain docstorage[.]link was registered through Njalla on 4/2. It and subdomain drv[.]docstorage[.]link resolve to 212.46.38[.]222 and redirect to legitimate Microsoft sites.")
![Couple additional, recent John Mark Dougan domains to tack onto the below thread: xposedem[.]com vidvist[.]com londoncrier[.]co[.]uk londoncrier[.]com](https://pbs.twimg.com/media/GKM_6f3WMAAXMeA.jpg "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-04-03 01:30:37 Couple additional, recent John Mark Dougan domains to tack onto the below thread: xposedem[.]com vidvist[.]com londoncrier[.]co[.]uk londoncrier[.]com")
![Suspicious domain msdn-live[.]com was registered through Njalla on 3/25 and resolves to 89.147.109[.]166. Domain is hosting a remote support portal.](https://pbs.twimg.com/media/GJj7Jo0XcAARawS.png "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-03-26 02:06:54 Suspicious domain msdn-live[.]com was registered through Njalla on 3/25 and resolves to 89.147.109[.]166. Domain is hosting a remote support portal.")
![Some recent domains administered via Parscale / Nucleus accounts indicating the company has done work for websites related to a Jair Bolsonaro-led protest and event: dia25euvou[.]com[.]br euapoioisrael[.]com[.]br](https://pbs.twimg.com/media/GJhEkpyWUAElnfG.jpg "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-03-25 12:40:09 Some recent domains administered via Parscale / Nucleus accounts indicating the company has done work for websites related to a Jair Bolsonaro-led protest and event: dia25euvou[.]com[.]br euapoioisrael[.]com[.]br")
![Couple of Parscale / Nucleus domains purporting to be local news: buckeyestatenews[.]com bigskyprospector[.]com Site content currently in development.](https://pbs.twimg.com/media/GJgtxKOWIAAXYKl.jpg "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-03-25 11:06:58 Couple of Parscale / Nucleus domains purporting to be local news: buckeyestatenews[.]com bigskyprospector[.]com Site content currently in development.")
![Recently acquired domain most likely administered by Parscale / Nucleus: carteltracker[.]com](https://pbs.twimg.com/media/GH_Pb56X0AAjsmZ.jpg "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-03-06 12:44:37 Recently acquired domain most likely administered by Parscale / Nucleus: carteltracker[.]com")
![Suspicious domain msftauth[.]com was registered through Njalla on 2/15. Co-located with the similarly registered (1/31) domain googlservices[.]com at 195.85.114[.]11.](https://pbs.twimg.com/media/GGYzFWyXIAAmloA.png "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-02-15 15:21:26 Suspicious domain msftauth[.]com was registered through Njalla on 2/15. Co-located with the similarly registered (1/31) domain googlservices[.]com at 195.85.114[.]11.")
![Suspicious domain salesmicrosoft[.]com was registered through RockHoster on 2/13 and resolves to 104.248.200[.]223.](https://pbs.twimg.com/media/GGTcYAAWAAAJJXK.jpg "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-02-14 14:22:08 Suspicious domain salesmicrosoft[.]com was registered through RockHoster on 2/13 and resolves to 104.248.200[.]223.")
![Suspicious domain aws-data[.]in was registered through Njalla on 2/11 and resolves to 185.216.68[.]154.](https://pbs.twimg.com/media/GGJS6n7X0AALAki.png "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-02-12 15:04:51 Suspicious domain aws-data[.]in was registered through Njalla on 2/11 and resolves to 185.216.68[.]154.")
![Suspicious domain intel-drivers[.]com was registered through Njalla on 2/6 and is resolving to IPs 193.142.30[.]96 and 193.142.30[.]81.](https://pbs.twimg.com/media/GFvjaliXUAA_6zg.png "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-02-07 15:11:24 Suspicious domain intel-drivers[.]com was registered through Njalla on 2/6 and is resolving to IPs 193.142.30[.]96 and 193.142.30[.]81.")
![Suspicious domain worldclksyncsvr[.]com was registered through Njalla on 2/2 and resolves to 5.255.118[.]21.](https://pbs.twimg.com/media/GFWMIfDWMAAcpL1.png "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-02-02 16:54:38 Suspicious domain worldclksyncsvr[.]com was registered through Njalla on 2/2 and resolves to 5.255.118[.]21.")
![Suspicious domains registered separately through OrangeWebsite on 1/30 that resolve to nondedicated infrastructure, but have subs on dedicated infrastructure: msedge-srv2[.]com db2.msedge-srv2[.]com (91.207.183[.]103) msedge-tenet[.]com zone1.msedge-tenet[.]com (91.207.183[.]222)](https://pbs.twimg.com/media/GFQ1SeDWYAAKCNL.png "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-02-01 15:57:34 Suspicious domains registered separately through OrangeWebsite on 1/30 that resolve to nondedicated infrastructure, but have subs on dedicated infrastructure: msedge-srv2[.]com db2.msedge-srv2[.]com (91.207.183[.]103) msedge-tenet[.]com zone1.msedge-tenet[.]com (91.207.183[.]222)")
![Two sets of suspicious domains registered through Njalla about ten min apart on 1/18: msft-events[.]com event-msft[.]com msftncis[.]com ncsimsft[.]net Not definitively related, but timing, theme, and string switching suggest an overlap. Not hosted, but worth keeping an eye on.](https://pbs.twimg.com/media/GEIiXiIXEAAmOdu.png "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-01-18 15:02:17 Two sets of suspicious domains registered through Njalla about ten min apart on 1/18: msft-events[.]com event-msft[.]com msftncis[.]com ncsimsft[.]net Not definitively related, but timing, theme, and string switching suggest an overlap. Not hosted, but worth keeping an eye on.")
@kyleehmke
Threat intel researcher focused on infrastructure hunting. Views are my own and not my employer's. Others: @[email protected] @kyleehmke.bsky.social
ID:2419824120
31-03-2014 02:13:47
2,0K Tweets
5,1K Followers
305 Following
![Suspicious domains viewandsharedocs[.]com and pdfview[.]contact were co-registered through Njalla on 1/9 and are hosted at 5.230.44[.]115.](https://pbs.twimg.com/media/GDfM6PvWAAEf_Jf.png "Kyle Ehmke (@kyleehmke) on Twitter photo 2024-01-10 14:22:59 Suspicious domains viewandsharedocs[.]com and pdfview[.]contact were co-registered through Njalla on 1/9 and are hosted at 5.230.44[.]115.")