@kyleehmke.bsky.social
Threat intel researcher focused on infrastructure hunting. Views are my own and not my employer's.

Suspicious domain ms-driversync[.]com was registered through Njalla on 10/14/25 and resolves to 192.166.82[.]94.
15.10.2025 16:49

Suspicious domain mfa[.]directory was registered through Njalla on 10/15/25 and resolves to 149.33.2[.]67.
15.10.2025 16:47

Looking forward to finally presenting this research into Volt Typhoon in a public forum - and I can't think of a better one than @cyberwarcon.bsky.social
www.cyberwarcon.com/forecasting-...

Have you ever wanted to see two terminally online nerds really (and I mean *really*) get into the SVR deep lore while continuing the eternal goal of making 2016 last forever?
Gosh does @cyberwarcon.bsky.social have a talk for you!

We've got some good submissions flowing into the @CYBERWARCON CFP, but there's still time for more. If you have good content, and you're worried the honorarium won't cover your travel, please submit, and we'll work it out. We do this because we believe this research matters.
18.09.2025 14:18

Kim John Un rolls off the tongue nicely
28.08.2025 17:55

Best conference in the industry is back! cyberwarcon.com
28.08.2025 17:36

Suspicious domains micrsosft-netupdate[.]net (109.107.172[.]123) and micrsosft-netupdate[.]net (146.103.115[.]183) were co-registered through Njalla on 8/14/25.
14.08.2025 12:32

Suspicious domain adobereader[.]cc was registered through MonoVM on 8/5/25 using freewanatoly@2mail[.]co. Currently resolves to M247 IP 84.252.95[.]40.
06.08.2025 14:14

Suspicious domain sophossec[.]com was registered through MonoVM on 7/15/25 using kehmar.maung@proton[.]me and resolves to 146.70.247[.]55.
16.07.2025 16:50

Of all my professional accomplishments, I think I'm proudest of this.
24.06.2025 14:49

Likely related domains drowingaws[.]com (13.217.161[.]160) and drowingazur[.]com (20.163.58[.]252) were co-registered through Njalla on 6/20/25.
23.06.2025 13:25

Suspicious domains awsonlineserch[.]com and azuronlineserch[.]com were co-registered through Njalla on 6/19/25. Currently resolving to 34.204.12[.]191 and 20.83.167[.]25, respectively.
20.06.2025 17:58

Suspicious domain windowsntp[.]com was registered through Njalla on 5/22/25 and then began using Cloudflare. Domain itself does not resolve, but subdomain www.windowsntp[.]com indicates MSFT Azure use.
23.05.2025 13:16

Suspicious domain m365sessionlogin[.]com was registered through Njalla on 5/18/25. Domain itself does not resolve, but subdomains login, logon, and office365 indicate hosting at 80.78.30[.]154.
19.05.2025 13:34

Most of the latter policy positions are copied from the American Stewards of Liberty page here:
web.archive.org/web/20250516...

Highly likely Parscale / Nucleus-administered domain congressstrongaction[.]org was registered on 9/23/24 and recently began hosting content. The org's stated policy positions appear largely aimed at curtailing laws and protections related to natural resources.
16.05.2025 12:55

Set of suspicious domains co-registered through Njalla on 4/24/25:
esxiupdate[.]com
threatbook[.]cloud
Not currently resolving, but worth keeping an eye on.

Set of suspicious domains registered on 4/2/25 (unclear through which reseller) and administered using the same Cloudflare account:
googlealert[.]net
microsoft365signin[.]net
microsoftalert[.]net
outlooksecurity[.]net
outlooksignin[.]net

Suspicious domain analytics[.]airforce was registered through Njalla on 4/2/25 and resolves to BL Networks IP 64.52.80[.]61.
02.04.2025 13:55

The Children's Health Defense staging site associated with realcdc[.]org indicates they are setting it up to pose as a legitimate CDC site questioning vaccine safety, complete with parent testimonials. Currently no overt indication the site is run by CHD.
21.03.2025 02:27

Suspicious domain chromeupdate[.]net was registered through Njalla on 3/11/25. Not currently resolving, but worth keeping an eye on.
11.03.2025 12:18

Suspicious domain nvidia-installer[.]com was registered through Njalla on 3/10/25 and resolves to 51.44.166[.]225.
11.03.2025 12:17

Again, not saying that's what is happening here. Nor am I stating the conclusions in the SFS site are incorrect or that there is malicious intent behind it. Unfortunately, it is a concerning vulnerability to IO predicated on shortsighted reactivity that we have to consider these days. (4/4)
06.03.2025 15:49

Get that site in front of DOGE and then they decide to take a chainsaw to the program due to the claimed inefficiency. That's a big, and seemingly easy, information operations (IO) win for the actor. (3/4)
06.03.2025 15:49

Not saying that this is what is happening here, but consider an actor wants to impact a US government program like SFS. They could cook up a DOGE-looking site replete with links to claimed sources, while making up or using incomplete statistics to claim inefficiency in that program. (2/4)
06.03.2025 15:49

Two suspicious domains co-registered through Njalla on 3/6/25: sfsimpact[.]org and dogechronicle[.]com.
The former purports to be an independent analysis claiming inefficiency in the NSF CyberCorps Scholarship for Service (SFS); the latter claims to report on DOGE activity. (1/4)

Suspicious domain downloadfile-dropbox[.]com was registered through Njalla on 2/21/25 and is hosted at 86.54.42[.]36.
21.02.2025 15:24

Suspicious domain onelivedrv[.]com was registered through Njalla on 2/20/25 and is hosted at 193.42.39[.]159.
20.02.2025 14:07

Suspicious domain vmware-analytics[.]com was registered through Njalla on 2/17/24. Not currently resolving, but subdomain app.vmware-analytics[.]com shows resolution to 178.131.20[.]47.
18.02.2025 13:06
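The two habits that run through the feed above are the "[.]" defanging convention and the co-registration pivot (same registrar, same registration date). The following is an added example, not the author's own tooling: it parses three posts copied from the feed into structured indicators and groups the domains by that pivot. The regexes are assumptions about the posts' phrasing, and the input posts are the only data it uses.

```python
# Added example, not the author's own tooling: parse the feed's defanged posts
# and pivot on registrar + registration date. The regexes are my assumptions
# about the phrasing used in the posts above.
import re
from collections import defaultdict

# Three posts copied verbatim from the feed above (the author defangs with "[.]").
POSTS = [
    "Suspicious domains awsonlineserch[.]com and azuronlineserch[.]com were "
    "co-registered through Njalla on 6/19/25. Currently resolving to "
    "34.204.12[.]191 and 20.83.167[.]25, respectively.",
    "Likely related domains drowingaws[.]com (13.217.161[.]160) and "
    "drowingazur[.]com (20.163.58[.]252) were co-registered through Njalla "
    "on 6/20/25.",
    "Suspicious domain adobereader[.]cc was registered through MonoVM on "
    "8/5/25 using freewanatoly@2mail[.]co. Currently resolves to M247 IP "
    "84.252.95[.]40.",
]

# Accept "." or "[.]" between octets: the feed sometimes defangs only the last dot.
IP_RE = re.compile(r"\b(?:\d{1,3}(?:\.|\[\.\])){3}\d{1,3}\b")
# Labels joined by "[.]"; the lookbehind skips email local parts ("@2mail[.]co")
# and IP octets that follow a "." so they are not reported as domains.
DOMAIN_RE = re.compile(r"(?<![\w@.])[a-z0-9-]+(?:\[\.\][a-z0-9-]+)+\b")
REGISTRAR_RE = re.compile(r"through ([A-Z][A-Za-z0-9]+)")
DATE_RE = re.compile(r"\bon (\d{1,2}/\d{1,2}/\d{2})\b")


def refang(value: str) -> str:
    """Turn "[.]" back into "." so the indicator can be fed to a resolver."""
    return value.replace("[.]", ".")


def parse_post(text: str) -> dict:
    """Extract domains, IPs, registrar and registration date from one post."""
    reg, date = REGISTRAR_RE.search(text), DATE_RE.search(text)
    return {
        "domains": [refang(d) for d in DOMAIN_RE.findall(text)],
        "ips": [refang(i) for i in IP_RE.findall(text)],
        "registrar": reg.group(1) if reg else None,
        "registered": date.group(1) if date else None,
    }


def coregistration_clusters(posts: list) -> dict:
    """Group domains by (registrar, date): the co-registration pivot the feed uses."""
    clusters = defaultdict(set)
    for post in posts:
        rec = parse_post(post)
        clusters[(rec["registrar"], rec["registered"])].update(rec["domains"])
    return {key: sorted(names) for key, names in clusters.items()}
```

Running `coregistration_clusters(POSTS)` yields one cluster per (registrar, date) pair, so domains that a later post happens to share a registrar and date with will land in the same bucket for follow-up.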