Kyle Ehmke

@kyleehmke.bsky.social

Threat intel researcher focused on infrastructure hunting. Views are my own and not my employer's.

464 Followers  |  91 Following  |  95 Posts  |  Joined: 14.10.2023

Latest posts by kyleehmke.bsky.social on Bluesky

Suspicious domain ms-driversync[.]com was registered through Njalla on 10/14/25 and resolves to 192.166.82[.]94.

15.10.2025 16:49 | 👍 2  🔁 1  💬 0  📌 0

Suspicious domain mfa[.]directory was registered through Njalla on 10/15/25 and resolves to 149.33.2[.]67.

15.10.2025 16:47 | 👍 4  🔁 2  💬 0  📌 0
Forecasting Typhoons: Volt Typhoon Next Steps in OT Disruption β€” CYBERWARCON

Looking forward to finally presenting this research into Volt Typhoon in a public forum - and I can't think of a better one than @cyberwarcon.bsky.social
www.cyberwarcon.com/forecasting-...

08.10.2025 20:31 | 👍 34  🔁 8  💬 0  📌 0
Oil Into The Fire β€” CYBERWARCON

Have you ever wanted to see two terminally online nerds really (and I mean *really*) get into the SVR deep lore while continuing the eternal goal of making 2016 last forever?

Gosh does @cyberwarcon.bsky.social have a talk for you!

08.10.2025 18:09 | 👍 45  🔁 9  💬 2  📌 3

We've got some good submissions flowing into the @CYBERWARCON CFP, but there's still time for more. If you have good content, and you're worried the honorarium won't cover your travel, please submit, and we'll work it out. We do this because we believe this research matters.

18.09.2025 14:18 | 👍 5  🔁 3  💬 0  📌 0

Kim John Un rolls off the tongue nicely

28.08.2025 17:55 | 👍 1  🔁 0  💬 0  📌 0

Best conference in the industry is back! cyberwarcon.com

28.08.2025 17:36 | 👍 11  🔁 2  💬 1  📌 0

Suspicious domains micrsosft-netupdate[.]net (109.107.172[.]123) and micrsosft-netupdate[.]net (146.103.115[.]183) were co-registered through Njalla on 8/14/25.

14.08.2025 12:32 | 👍 0  🔁 0  💬 1  📌 0

Suspicious domain adobereader[.]cc was registered through MonoVM on 8/5/25 using freewanatoly@2mail[.]co. Currently resolves to M247 IP 84.252.95[.]40.

06.08.2025 14:14 | 👍 2  🔁 0  💬 0  📌 0

Suspicious domain sophossec[.]com was registered through MonoVM on 7/15/25 using kehmar.maung@proton[.]me and resolves to 146.70.247[.]55.

16.07.2025 16:50 | 👍 1  🔁 1  💬 0  📌 0

Of all my professional accomplishments, I think I’m proudest of this.

24.06.2025 14:49 | 👍 55  🔁 7  💬 7  📌 2

Likely related domains drowingaws[.]com (13.217.161[.]160) and drowingazur[.]com (20.163.58[.]252) were co-registered through Njalla on 6/20/25.

23.06.2025 13:25 | 👍 1  🔁 0  💬 0  📌 0

Suspicious domains awsonlineserch[.]com and azuronlineserch[.]com were co-registered through Njalla on 6/19/25. Currently resolving to 34.204.12[.]191 and 20.83.167[.]25, respectively.

20.06.2025 17:58 | 👍 1  🔁 1  💬 1  📌 0

Suspicious domain windowsntp[.]com was registered through Njalla on 5/22/25 and then began using Cloudflare. Domain itself does not resolve, but subdomain www.windowsntp[.]com indicates MSFT Azure use.

23.05.2025 13:16 | 👍 1  🔁 1  💬 0  📌 0

Suspicious domain m365sessionlogin[.]com was registered through Njalla on 5/18/25. Domain itself does not resolve, but subdomains login, logon, and office365 indicate hosting at 80.78.30[.]154.

19.05.2025 13:34 | 👍 8  🔁 3  💬 1  📌 0
16 Ways to Reverse 30x30 - American Stewards of Liberty

Most of the latter policy positions are copied from the American Stewards of Liberty page here:

web.archive.org/web/20250516...

16.05.2025 12:55 | 👍 1  🔁 0  💬 0  📌 0

Highly likely Parscale / Nucleus-administered domain congressstrongaction[.]org was registered on 9/23/24 and recently began hosting content. The org's stated policy positions appear largely aimed at curtailing laws and protections related to natural resources.

16.05.2025 12:55 | 👍 1  🔁 1  💬 1  📌 0

Set of suspicious domains co-registered through Njalla on 4/24/25:
esxiupdate[.]com
threatbook[.]cloud

Not currently resolving, but worth keeping an eye on.

24.04.2025 16:15 | 👍 1  🔁 1  💬 0  📌 0

Set of suspicious domains registered on 4/2/25 (unclear through which reseller) and administered using the same Cloudflare account:

googlealert[.]net
microsoft365signin[.]net
microsoftalert[.]net
outlooksecurity[.]net
outlooksignin[.]net

03.04.2025 14:13 | 👍 5  🔁 2  💬 0  📌 0

Suspicious domain analytics[.]airforce was registered through Njalla on 4/2/25 and resolves to BL Networks IP 64.52.80[.]61.

02.04.2025 13:55 | 👍 2  🔁 1  💬 0  📌 0

The Children's Health Defense staging site associated with realcdc[.]org indicates they are setting it up to pose as a legitimate CDC site questioning vaccine safety, complete with parent testimonials. Currently no overt indication the site is run by CHD.

21.03.2025 02:27 | 👍 4  🔁 2  💬 0  📌 1

Suspicious domain chromeupdate[.]net was registered through Njalla on 3/11/25. Not currently resolving, but worth keeping an eye on.

11.03.2025 12:18 | 👍 3  🔁 2  💬 0  📌 0

Suspicious domain nvidia-installer[.]com was registered through Njalla on 3/10/25 and resolves to 51.44.166[.]225.

11.03.2025 12:17 | 👍 4  🔁 2  💬 0  📌 0

Again, not saying that's what is happening here. Nor am I stating the conclusions in the SFS site are incorrect or that there is malicious intent behind it. Unfortunately, it is a concerning vulnerability to IO predicated on shortsighted reactivity that we have to consider these days. (4/4)

06.03.2025 15:49 | 👍 3  🔁 0  💬 1  📌 0

Get that site in front of DOGE and then they decide to take a chainsaw to the program due to the claimed inefficiency. That's a big, and seemingly easy, information operations (IO) win for the actor. (3/4)

06.03.2025 15:49 | 👍 2  🔁 1  💬 1  📌 0

Not saying that this is what is happening here, but consider an actor wants to impact a US government program like SFS. They could cook up a DOGE-looking site replete with links to claimed sources, while making up or using incomplete statistics to claim inefficiency in that program. (2/4)

06.03.2025 15:49 | 👍 2  🔁 0  💬 1  📌 0

Two suspicious domains co-registered through Njalla on 3/6/25: sfsimpact[.]org and dogechronicle[.]com.

The former purports to be an independent analysis claiming inefficiency in the NSF CyberCorps Scholarship for Service (SFS); the latter claims to report on DOGE activity. (1/4)

06.03.2025 15:49 | 👍 4  🔁 5  💬 1  📌 0

Suspicious domain downloadfile-dropbox[.]com was registered through Njalla on 2/21/25 and is hosted at 86.54.42[.]36.

21.02.2025 15:24 | 👍 3  🔁 2  💬 0  📌 0

Suspicious domain onelivedrv[.]com was registered through Njalla on 2/20/25 and is hosted at 193.42.39[.]159.

20.02.2025 14:07 | 👍 1  🔁 2  💬 0  📌 0

Suspicious domain vmware-analytics[.]com was registered through Njalla on 2/17/24. Not currently resolving, but subdomain app.vmware-analytics[.]com shows resolution to 178.131.20[.]47.

18.02.2025 13:06 | 👍 2  🔁 1  💬 0  📌 0
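
The posts above share indicators in defanged form ("[.]"), and the first thing a reader usually wants is to turn them back into a blocklist or a set of pivots (domain, resolving IP, registrar, registration date, registrant e-mail). The parser below is an added example, not the author's code; it runs over four posts copied from the feed. The rules it assumes are taken from the post wording, not from any published format: a token containing "[.]" is an indicator, the registrar is the capitalised name after "registered ... through", and the registration date follows "on M/D/YY".

```python
"""Pull defanged indicators out of short infrastructure-hunting posts.

Added example for this page, not code from the original author. The
parsing rules are assumptions drawn from the post format above, not a
published schema: tokens written with "[.]" are indicators, the
registrar follows "registered ... through <Name>", and the registration
date follows "on M/D/YY".
"""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Optional

# Accept a few common defang spellings and normalise them to "[.]".
DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)
# A token containing at least one "[.]"; plain "." may be mixed in
# (www.windowsntp[.]com and kehmar.maung@proton[.]me are each one token).
DEFANGED_TOKEN_RE = re.compile(
    r"[\w@+-]+(?:(?:\.|\[\.\])[\w@+-]+)*\[\.\][\w@+-]+(?:(?:\.|\[\.\])[\w@+-]+)*"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Capitalised name so "(unclear through which reseller)" yields no registrar.
REGISTRAR_RE = re.compile(r"registered\b[^.]*?\bthrough ([A-Z][\w-]*)")
REG_DATE_RE = re.compile(r"\bon (\d{1,2}/\d{1,2}/\d{2})\b")


@dataclass
class PostIocs:
    domains: List[str] = field(default_factory=list)
    ips: List[str] = field(default_factory=list)
    emails: List[str] = field(default_factory=list)
    registrar: Optional[str] = None
    registered: Optional[date] = None


def refang(token: str) -> str:
    """Restore a defanged indicator to its real, lower-cased form."""
    return DEFANG_RE.sub(".", token).lower()


def _is_ipv4(value: str) -> bool:
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:
        return False


def _unique(items: List[str]) -> List[str]:
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract(post: str) -> PostIocs:
    """Return the domains, IPs, e-mail addresses and registration details one post names."""
    text = DEFANG_RE.sub("[.]", post)
    rec = PostIocs()
    for tok in DEFANGED_TOKEN_RE.findall(text):
        value = refang(tok)
        if "@" in value:
            rec.emails.append(value)
        elif not _is_ipv4(value):  # IPs are collected from the whole text below
            rec.domains.append(value)
    # Scan the refanged text for IPv4s so an address the author left
    # undefanged is not missed; ipaddress rejects out-of-range octets.
    rec.ips = [ip for ip in IPV4_RE.findall(refang(text)) if _is_ipv4(ip)]
    rec.domains, rec.emails, rec.ips = _unique(rec.domains), _unique(rec.emails), _unique(rec.ips)
    m = REGISTRAR_RE.search(text)
    rec.registrar = m.group(1) if m else None
    m = REG_DATE_RE.search(text)
    rec.registered = datetime.strptime(m.group(1), "%m/%d/%y").date() if m else None
    return rec


def blocklist(records: List[PostIocs]) -> List[str]:
    """Unique domains and IPs across posts, sorted for a DNS or firewall list."""
    names = set()
    for rec in records:
        names.update(rec.domains)
        names.update(rec.ips)
    return sorted(names)


# Sample input: four posts copied from the feed above.
SAMPLE_POSTS = [
    "Suspicious domain adobereader[.]cc was registered through MonoVM on 8/5/25 "
    "using freewanatoly@2mail[.]co. Currently resolves to M247 IP 84.252.95[.]40.",
    "Likely related domains drowingaws[.]com (13.217.161[.]160) and drowingazur[.]com "
    "(20.163.58.252) were co-registered through Njalla on 6/20/25.",
    "Set of suspicious domains registered on 4/2/25 (unclear through which reseller) "
    "and administered using the same Cloudflare account:\n\ngooglealert[.]net\n"
    "microsoft365signin[.]net\nmicrosoftalert[.]net\noutlooksecurity[.]net\noutlooksignin[.]net",
    "Suspicious domain windowsntp[.]com was registered through Njalla on 5/22/25 and then "
    "began using Cloudflare. Domain itself does not resolve, but subdomain "
    "www.windowsntp[.]com indicates MSFT Azure use.",
]

if __name__ == "__main__":
    records = [extract(p) for p in SAMPLE_POSTS]
    for rec in records:
        print(rec)
    print("\n".join(blocklist(records)))
```

Only tokens that were actually defanged are treated as domains, so an ordinary link in a non-IOC post (www.cyberwarcon.com above, for instance) is not swept into the blocklist; IPv4 addresses are taken from the refanged text as well, because one post above leaves an address undefanged. Registrar and date are left as None rather than guessed when the wording does not name them.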