We are excited to announce our IP risk and IP hotlist are now available in real-time feeds. These feeds give you access to all IP addresses which can be filtered to show only the most dangerous and currently active infrastructure to help you:
✅ Build high-confidence IP block lists
✅ Identify currently active hostile infrastructure for immediate action
✅ Enhance SOC and Threat Intel workflows with IP-based enrichment
✅ Create custom network or endpoint block rules
✅ Triage IP-based alerts
✅ Monitor threat actor hosting infrastructure
✅ Detect and respond to active C2 servers
Learn more by reading our blog here: https://lnkd.in/g83tgGH5
DomainTools
Computer and Network Security
Seattle, WA, Washington 28,222 followers
Detect. Investigate. Prevent.
About us
DomainTools is the global leader for internet intelligence and the first place security practitioners go when they need to know. The world's most advanced security teams use our solutions to identify external risks, investigate threats, and proactively protect their organizations in a constantly evolving threat landscape. DomainTools constantly monitors the Internet and brings together the most comprehensive and trusted domain, website and DNS data to provide immediate context and machine-learning driven risk analytics delivered in near real-time. Visit domaintools.com to experience firsthand why DomainTools is the first stop for advanced security teams when they need to know.
- Website: https://www.DomainTools.com
- Industry: Computer and Network Security
- Company size: 51-200 employees
- Headquarters: Seattle, WA, Washington
- Type: Privately Held
- Founded: 2004
- Specialties: Domain Ownership Records, Brand Protection, Whois Records, Threat Investigation, Cybercrime Investigation, Cyber Security Investigation, Whois History, Reverse Whois Lookup, Name Server Monitoring, Online Fraud Detection, and Threat Intelligence
Locations
- Primary: 2101 Fourth Avenue, Suite 1720, Seattle, WA, Washington 98121, US
- 2101 4th Ave, Seattle, WA 98121, US
Updates
-
📰 Real Fake News: How Doppelgänger spreads disinformation to Western audiences.
DTI’s latest research on the Russian-backed Doppelgänger influence campaigns breaks down the organizational structure and operational distribution model that pushes “fake news” to real news feeds.
What we cover:
🔹 A model of the first 72-hours of a Doppelgänger influence campaign.
🔹 The multi-stage pipeline designed to move content from controlled publishing infrastructure into large-scale public exposure across social media platforms.
🔹 The recurring technical and behavioral indicators that can assist analysts in identifying active influence operations.
🔹 How Doppelgänger aligns with Russia's use of "information confrontation" in its geopolitical strategy.
Read our full investigation here: https://lnkd.in/gvCkyx8h
-
The sun is out in Seattle and the April DTI newsletter from Daniel Schwalbe is officially live! 📰
This past month, the DTI team spent their time digging into the modularity of state-sponsored threats, specifically the DPRK and Iran. Plus, we have the latest roundup by Ian Campbell of the month's essential cybersecurity reading.
What we researched:
🇰🇵 DPRK’s Mature Portfolio: How they run parallel malware tracks for revenue vs. espionage without cross-contaminating infrastructure.
🇮🇷 The MOIS Influence Machine: A deep dive into the Handala/Homeland Justice ecosystem and the recent destructive activity targeting Stryker.
🧽 SecuritySnack: Why that "Google Authenticator" Chrome extension might actually be a Trojan horse using a "deploy clean, update dirty" strategy.
Catch up and subscribe ⬇️ https://lnkd.in/gwZ-tAwn
-
Government agencies are advancing Zero Trust, but are they leveraging DNS intelligence to its full potential? DomainTools helps defenders uncover adversary infrastructure before it becomes a threat with 22+ years of data for domains, DNS, IPs, and risk scoring.
The DomainTools Advantage:
✅ Infrastructure Mapping: Correlate domain and DNS attributes to expose threat-actor infrastructure
✅ Counter-Intelligence Operations: Use registration analytics and relationship data to track adversaries' digital footprints
✅ Protective DNS: Proactively block malicious domains, phishing attempts, and counterfeit infrastructure
Learn how DomainTools data empowers proactive defense here: https://lnkd.in/gD7ivbTa
-
😷 Infectious Interviews: Inside the DPRK’s Contagious Interview Developer Workflow Compromise
Our latest Security Snack from DomainTools Investigations dives into the DPRK’s “Contagious Interview” campaign that weaponizes legitimate hiring workflows to exploit trust rather than technical vulnerabilities.
Read the full investigation from DTI: https://lnkd.in/gzwQpDGh
#ThreatIntel #CyberSecurity #DPRK #InfoSec #DomainTools
-
Is your SOC moving fast enough to keep up with evolving threats? Join our webinar: Supercharging the SOC with DomainTools MCP to learn how to supercharge your workflow using DomainTools MCP. We’ll dive into how real-time, verifiable context can transform a standard investigation into a high-speed hunt for malicious infrastructure.
🗓️ May 07, 2026
🕜 10:00 AM PT / 1:00 PM ET
🔗 https://lnkd.in/gnPdmDbx
-
ICYMI: IrisQL, our new query language, makes it easier than ever to share logic across teams and ticketing systems. IrisQL is designed for deeper, more flexible access to the Iris Investigate database using a text-based interface for building complex search queries. With features like auto-complete, syntax highlighting, and real-time validation, users can now enjoy seamless round-trip editing: building queries visually in the UI to generate code, or writing IrisQL directly to see it reflected in the Advanced Search pane. Explore the full breakdown and start optimizing your security stack here: https://lnkd.in/g2ermAbF #ThreatHunting #IrisQL #Infosec #DataScience
-
💥Level up your threat hunting with IrisQL, our new query language designed for deeper, more flexible access to the Iris Investigate database. IrisQL offers a text-based interface for building complex search queries with features like auto-complete, syntax highlighting, and real-time validation. Users can now enjoy seamless round-trip editing: building queries visually in the UI to generate code, or writing IrisQL directly to see it reflected in the Advanced Search pane, making it easier than ever to share logic across teams and ticketing systems. Explore the full breakdown and start optimizing your security stack here: https://lnkd.in/g2ermAbF #ThreatHunting #IrisQL #Infosec #DataScience
-
FIC Lille🇫🇷 has passed, but the threats haven't! ICYMI: Our Principal Engineer, Maxime Zielony, spoke at INCYBER Forum on the evolution of real-time DNS intelligence! If you missed the chance to catch his talk in Lille, check out the recording below to learn how raw domain data can be used to stop bad actors before they strike. https://lnkd.in/duJkz7f9
(DT30) (INCYBER) From a few days to a few seconds: The evolution of Real-Time DNS intelligence
-
The deploy clean, update dirty strategy 🧼🫧
New from DomainTools Investigations, a Chrome extension impersonating Google's Authenticator application was identified as part of an ongoing malicious campaign active since at least early 2026. The campaign works by publishing utility software with legitimate functionality to attract a user base, while the underlying permissions and architecture are designed to support capabilities far beyond what the stated purpose requires.
Learn more: https://lnkd.in/gvv8Dgre
#CyberSecurity #InfoSec #2FA