DTI's March newsletter covers Doppelgänger disinformation infrastructure analysis, Cloudflare-abusing phishing campaigns, a TLS private key exposure in Qihoo 360's AI platform, and a malicious ChatGPT ad blocker Chrome extension stealing user conversations.

Discover how Handala, Homeland Justice, and Karma function as a unified MOIS-linked cyber influence ecosystem. This threat intelligence assessment reveals how Iran uses "hack-and-leak" operations to weaponize perception over technical complexity.

From Gramsci's 'morbid symptoms' to modern threat intelligence - a cybersecurity roundup exploring why defenders should treat root causes over chasing dramatic threats, with curated links on ransomware, HUMINT, disinformation, and more.

Explore the DPRK’s modular malware architecture. Analyze how North Korea uses compartmentalized toolchains for espionage, crypto theft, and strategic signaling.

Stay protected against the "ChatGPT Ad Blocker" malware. This investigation reveals how a malicious Chrome extension uses Discord webhooks to steal private ChatGPT conversations, prompts, and metadata.

DTI analysis of a leaked TLS private key from Qihoo 360's AI security platform, covering cryptographic validation, threat scenarios, and incident response.

A Microsoft 365 credential harvesting campaign is exploiting CloudFlare's anti-bot and human verification features to evade detection. Learn how attackers use IP blocklists, user-agent filtering, and obfuscated scripts to bypass security scanners—and what it means for the industry.

Learn how Lotus Blossom (G0030) weaponized Notepad++ updates. Plus, a deep dive into 250+ crypto scam domains and upcoming BSides San Francisco sessions.

A broken snowblower belt taught me something cybersecurity professionals often forget — saying "I don't know" isn't failure. It's where the real work begins.

Analysis of the Doppelgänger / RRN disinformation ecosystem. Learn how this DevOps-style infrastructure uses automated media impersonation, TLD rotation, and cloud-native hosting to target global audiences and evade enforcement.

An analysis of an active cryptocurrency scam operation impersonating Trump, Musk, and Truth Social across 250+ domains — uncovering shared wallet infrastructure, on-chain laundering pipelines, and the tactics used to fake legitimacy.

How Lotus Blossom (G0030) compromised the Notepad++ update pipeline in a precision supply-chain espionage campaign targeting high-value organizations.

If you are a returning reader, welcome back! If you are a new reader, what you are about to read is news from our group of researchers and analysts, where they provide their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.

Daniel Schwalbe shares the latest from DomainTools Investigations (DTI) including more on our previously reported cluster of Chinese malware delivery domains, an upcoming webinar, and events where you can meet the DTI team.

DomainTools Investigations kicks off 2026 with deep dives into the KnownSec leak exposing China's cyberespionage ecosystem, predatory online gambling apps, and a phishing campaign weaponizing fake job interviews.

My team has been on a tear this month, we've published new research on Salt Typhoon, an advanced Chinese APT, and we've analyzed the massive Kimsuky leak, giving us a rare look into a North Korean threat actor's playbook. We also identified new activity from the PoisonSeed e-crime group, and uncovered a banking trojan targeting Android users in Southeast Asia. Let's get you up to speed!

If you are a returning reader, welcome back! If you are a new reader, what you are about to read is news from our group of researchers and analysts, where they provide their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.So without further ado, here’s what our incredible team has been up to for the rest of August.

The May 2025 DomainTools Investigations Newsletter covers news regarding a malicious campaign using a fake website to spread VenomRAT, malicious Chrome Browser extensions, viral media events capturing the attention of bad actors, and more

Cybersecurity deep dive: NPM Phishing, Crypto Scams, & 18+ E-Crime analysis. Get expert research on supply chain attacks, wallet drain schemes, and trojans targeting social media. Plus, BSides NoVa recap & top reading list.

Dive into DomainTools Investigations' latest threat intel! Read our 3-part series on China's Great Firewall leak and an analysis of APT35 (Charming Kitten) campaigns targeting the Middle East and Korea, focusing on Exchange attacks. Get the intelligence you need!

The April 2025 DomainTools Investigations newsletter covers our inaugural Domain intelligence year-in-review report along with research completed in the month of April on Proton66, SpyNote Malware, and malicious browser extensions and AI slop.

Where has this year gone?! We are six months into formally launching DomainTools Investigations (DTI) and subsequently this newsletter! If you’re a returning reader, I’m glad you keep coming back! If you’re a new reader, what you’re about to read is news from our group of researchers and analysts providing their expertise in investigating, mitigating, and preventing Domain and DNS based attacks.

Daniel Schwalbe, CISO and Head of Investigations, shares his inaugural DomainTools Investigations newsletter.