Kyle Ehmke
@kyleehmke.bsky.social
Threat intel researcher focused on infrastructure hunting. Views are my own and not my employer's.
Suspicious domain ms-driversync[.]com was registered through Njalla on 10/14/25 and resolves to 192.166.82[.]94.
October 15, 2025 at 4:49 PM
Suspicious domain mfa[.]directory was registered through Njalla on 10/15/25 and resolves to 149.33.2[.]67.
October 15, 2025 at 4:47 PM
Best conference in the industry is back! cyberwarcon.com
August 28, 2025 at 5:36 PM
Suspicious domains micrsosft-netupdate[.]net (109.107.172[.]123) and micrsosft-netupdate[.]net (146.103.115[.]183) were co-registered through Njalla on 8/14/25.
August 14, 2025 at 12:32 PM
Suspicious domain adobereader[.]cc was registered through MonoVM on 8/5/25 using freewanatoly@2mail[.]co. Currently resolves to M247 IP 84.252.95[.]40.
August 6, 2025 at 2:14 PM
Suspicious domain sophossec[.]com was registered through MonoVM on 7/15/25 using kehmar.maung@proton[.]me and resolves to 146.70.247[.]55.
July 16, 2025 at 4:50 PM
Likely related domains drowingaws[.]com (13.217.161[.]160) and drowingazur[.]com (20.163.58[.]252) were co-registered through Njalla on 6/20/25.
June 23, 2025 at 1:25 PM
Suspicious domains awsonlineserch[.]com and azuronlineserch[.]com were co-registered through Njalla on 6/19/25. Currently resolving to 34.204.12[.]191 and 20.83.167[.]25, respectively.
June 20, 2025 at 5:58 PM
Suspicious domain windowsntp[.]com was registered through Njalla on 5/22/25 and then began using Cloudflare. Domain itself does not resolve, but subdomain www.windowsntp[.]com indicates MSFT Azure use.
May 23, 2025 at 1:16 PM
Suspicious domain m365sessionlogin[.]com was registered through Njalla on 5/18/25. Domain itself does not resolve, but subdomains login, logon, and office365 indicate hosting at 80.78.30[.]154.
May 19, 2025 at 1:34 PM
Highly likely Parscale / Nucleus-administered domain congressstrongaction[.]org was registered on 9/23/24 and recently began hosting content. The org's stated policy positions appear largely aimed at curtailing laws and protections related to natural resources.
May 16, 2025 at 12:55 PM
Set of suspicious domains co-registered through Njalla on 4/24/25:
esxiupdate[.]com
threatbook[.]cloud

Not currently resolving, but worth keeping an eye on.
April 24, 2025 at 4:15 PM
Set of suspicious domains registered on 4/2/25 (unclear through which reseller) and administered using the same Cloudflare account:

googlealert[.]net
microsoft365signin[.]net
microsoftalert[.]net
outlooksecurity[.]net
outlooksignin[.]net
April 3, 2025 at 2:13 PM
Suspicious domain analytics[.]airforce was registered through Njalla on 4/2/25 and resolves to BL Networks IP 64.52.80[.]61.
April 2, 2025 at 1:55 PM
The Children's Health Defense staging site associated with realcdc[.]org indicates they are setting it up to pose as a legitimate CDC site questioning vaccine safety, complete with parent testimonials. Currently no overt indication the site is run by CHD.
March 21, 2025 at 2:27 AM
Suspicious domain chromeupdate[.]net was registered through Njalla on 3/11/25. Not currently resolving, but worth keeping an eye on.
March 11, 2025 at 12:18 PM
Suspicious domain nvidia-installer[.]com was registered through Njalla on 3/10/25 and resolves to 51.44.166[.]225.
March 11, 2025 at 12:17 PM
Two suspicious domains co-registered through Njalla on 3/6/25: sfsimpact[.]org and dogechronicle[.]com.

The former purports to be an independent analysis claiming inefficiency in the NSF CyberCorps Scholarship for Service (SFS); the latter claims to report on DOGE activity. (1/4)
March 6, 2025 at 3:49 PM
Suspicious domain downloadfile-dropbox[.]com was registered through Njalla on 2/21/25 and is hosted at 86.54.42[.]36.
February 21, 2025 at 3:25 PM
Suspicious domain onelivedrv[.]com was registered through Njalla on 2/20/25 and is hosted at 193.42.39[.]159.
February 20, 2025 at 2:07 PM
Suspicious domain vmware-analytics[.]com was registered through Njalla on 2/17/24. Not currently resolving, but subdomain app.vmware-analytics[.]com shows resolution to 178.131.20[.]47.
February 18, 2025 at 1:06 PM
Domain dogestatus[.]org was registered on 2/14/25 and is likely administered using IMGE's Cloudflare account—the same one used for the fake Harris campaign site progress2028[.]com. www.opensecrets.org/news/2024/10...

Not currently resolving.
February 14, 2025 at 8:00 PM
Suspicious domain sentinleone[.]com was registered through MonoVM on 2/3/25 using rachellecaya62@proton[.]me. Domain resolves to 185.174.101[.]117.

Same email address was used for two other domains in late 2024 that are hosted on 177.136.225[.]169:
copilotassistants[.]com
copilotcrmcloud[.]com
February 3, 2025 at 1:43 PM
Suspicious domain homegrouplistener[.]com was registered through THCservers on 1/30/25 using revofresh@tutamail[.]com. Currently resolves to 144.172.113[.]80.
January 31, 2025 at 1:54 PM
Suspicious domain fortigate-cloud[.]com was registered through Njalla on 1/28/25. Domain uses Cloudflare and doesn't resolve, but Censys indicates subdomain cdn.fortigate-cloud[.]com in use at a MeshCentral server on 185.193.127[.]21.
January 30, 2025 at 3:04 PM