My blog post has some shout-outs to tweets from Zach Edwards and shoshana wodinsky (she/her) who also did their own #APRA analysis via X.
Even old research threads like this December 22 Bellingcat (twitter.com/bellingcat/sta…) post about a phishing email that came to them can be useful if you've got fresh data to pivot on.
fwiw everything in my thread below can be done on the free version of Silent Push - godspeed!🖖🏻
alex lanstein Ziarul de Gardă And 185.185.71[.]250 is even🌶️🔥 w/ 53 domains that includes both news4you[.]top + pdf-online[.]top a potential developer-targeting domain of google-tag[.]com + a couple dozen domains that seem to be structured for targeting the Amazon ecosystem.👀 Sharing the full list here:
</thread> Best of luck to folks researching this network. Will update if anything new. Thanks for y'all's work! 🖖🏻
alex lanstein Ziarul de Gardă The beaconing domain, pdf-online[.]top - we've seen 2 IPs on it 158.160.129[.]176 + 185.185.71[.]250 both have unique hits.
158.160.129[.]176 has the same news4you[.]top + pdf-online[.]top domains but also a domain for potentially targeting developers @ cdn-bootstrapcdn[.]com