Lightnews — Scholar-powered news

Kyle Ehmke @kyleehmke.bsky.social · 4h

Suspicious domain ms-driversync[.]com was registered through Njalla on 10/14/25 and resolves to 192.166.82[.]94.

1 1

Kyle Ehmke @kyleehmke.bsky.social · 4h

Suspicious domain mfa[.]directory was registered through Njalla on 10/15/25 and resolves to 149.33.2[.]67.

2 3

Reposted by Kyle Ehmke

Joe Slowik @pylos.co · 7d

Looking forward to finally presenting this research into Volt Typhoon in a public forum - and I can't think of a better one than @cyberwarcon.bsky.social
www.cyberwarcon.com/forecasting-...

Forecasting Typhoons: Volt Typhoon Next Steps in OT Disruption — CYBERWARCON

www.cyberwarcon.com

8 34

Reposted by Kyle Ehmke

Horkos @wylienewmark.bsky.social · 7d

Have you ever wanted to see two terminally online nerds really (and I mean *really*) get into the SVR deep lore while continuing the eternal goal of making 2016 last forever?

Gosh does @cyberwarcon.bsky.social have a talk for you!

Oil Into The Fire — CYBERWARCON

www.cyberwarcon.com

2 9 43

Reposted by Kyle Ehmke

John Hultquist @hultquist.bsky.social · 27d

We've got some good submissions flowing into the @CYBERWARCON CFP, but there's still time for more. If you have good content, and you're worried the honorarium won't cover your travel, please submit, and we'll work it out. We do this because we believe this research matters.

3 5

Kyle Ehmke @kyleehmke.bsky.social · Aug 28

Kim John Un rolls off the tongue nicely

1

Kyle Ehmke @kyleehmke.bsky.social · Aug 28

Best conference in the industry is back! cyberwarcon.com

1 2 10

Kyle Ehmke @kyleehmke.bsky.social · Aug 14

Suspicious domains micrsosft-netupdate[.]net (109.107.172[.]123) and micrsosft-netupdate[.]net (146.103.115[.]183) were co-registered through Njalla on 8/14/25.

1

Kyle Ehmke @kyleehmke.bsky.social · Aug 6

Suspicious domain adobereader[.]cc was registered through MonoVM on 8/5/25 using freewanatoly@2mail[.]co. Currently resolves to M247 IP 84.252.95[.]40.

2

Kyle Ehmke @kyleehmke.bsky.social · Jul 16

Suspicious domain sophossec[.]com was registered through MonoVM on 7/15/25 using kehmar.maung@proton[.]me and resolves to 146.70.247[.]55.

1 1

Reposted by Kyle Ehmke

Horkos @wylienewmark.bsky.social · Jun 24

Of all my professional accomplishments, I think I’m proudest of this.

Active BOOsures, LLC @activemeasures.bsky.social · Jun 24

🚨Volume 69,* Issue 2 of "Studies in Intelligence" dropped🚨

FEATURING a @wylienewmark.bsky.social original on GT/PROLOGUE

(*nice)

www.cia.gov/resources/cs...

Beautiful in Another Context: A Counterintelligence Assessment of GTPROLOGUE - CSIButton to search CIA content.InstagramFacebookTwitterLinkedInYouTubeFlickrTelegram

www.cia.gov

7 7 56

Kyle Ehmke @kyleehmke.bsky.social · Jun 23

Likely related domains drowingaws[.]com (13.217.161[.]160) and drowingazur[.]com (20.163.58.252) were co-registered through Njalla on 6/20/25.

1

Kyle Ehmke @kyleehmke.bsky.social · Jun 20

Suspicious domains awsonlineserch[.]com and azuronlineserch[.]com were co-registered through Njalla on 6/19/25. Currently resolving to 34.204.12[.]191 and 20.83.167[.]25, respectively.

1 1 1

Kyle Ehmke @kyleehmke.bsky.social · May 23

Suspicious domain windowsntp[.]com was registered through Njalla on 5/22/25 and then began using Cloudflare. Domain itself does not resolve, but subdomain www.windowsntp[.]com indicates MSFT Azure use.

1 1

Kyle Ehmke @kyleehmke.bsky.social · May 19

Suspicious domain m365sessionlogin[.]com was registered through Njalla on 5/18/25. Domain itself does not resolve, but subdomains login, logon, and office365 indicate hosting at 80.78.30[.]154.

1 3 8

Kyle Ehmke @kyleehmke.bsky.social · May 16

Most of the latter policy positions are copied from the American Stewards of Liberty page here:

web.archive.org/web/20250516...

16 Ways to Reverse 30x30 - American Stewards of Liberty

Share this page...

web.archive.org

1

Kyle Ehmke @kyleehmke.bsky.social · May 16

Highly likely Parscale / Nucleus-administered domain congressstrongaction[.]org was registered on 9/23/24 and recently began hosting content. The org's stated policy positions appear largely aimed at curtailing laws and protections related to natural resources.

1 1 1

Kyle Ehmke @kyleehmke.bsky.social · Apr 24

Set of suspicious domains co-registered through Njalla on 4/24/25:
esxiupdate[.]com
threatbook[.]cloud

Not currently resolving, but worth keeping an eye on.

1 1

Kyle Ehmke @kyleehmke.bsky.social · Apr 3

Set of suspicious domains registered on 4/2/25 (unclear through which reseller) and administered using the same Cloudflare account:

googlealert[.]net
microsoft365signin[.]net
microsoftalert[.]net
outlooksecurity[.]net
outlooksignin[.]net

2 5

Kyle Ehmke @kyleehmke.bsky.social · Apr 2

Suspicious domain analytics[.]airforce was registered through Njalla on 4/2/25 and resolves to BL Networks IP 64.52.80[.]61.

1 2

Kyle Ehmke @kyleehmke.bsky.social · Mar 21

The Children's Health Defense staging site associated with realcdc[.]org indicates they are setting it up to pose as a legitmate CDC site questioning vaccine safety, complete with parent testimonials. Currently no overt indication the site is run by CHD.

2 4

Kyle Ehmke @kyleehmke.bsky.social · Mar 11

Suspicious domain chromeupdate[.]net was registered through Njalla on 3/11/25. Not currently resolving, but worth keeping an eye on.

2 3

Kyle Ehmke @kyleehmke.bsky.social · Mar 11

Suspicious domain nvidia-installer[.]com was registered through Njalla on 3/10/25 and resolves to 51.44.166[.]225.

2 4

Kyle Ehmke @kyleehmke.bsky.social · Mar 6

Again, not saying that's what is happening here. Nor am I stating the conclusions in the SFS site are incorrect or that there is malicious intent behind it. Unfortunately, it is a concerning vulnerability to IO predicated on shortsighted reactivity that we have to consider these days. (4/4)

1 3

Kyle Ehmke @kyleehmke.bsky.social · Mar 6

Get that site in front of DOGE and then they decide to take a chainsaw to the program due to the claimed inefficiency. That's a big, and seemingly easy, information operations (IO) win for the actor. (3/4)

1 1 2