Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
The Kimwolf Botnet is Stalking Your Local Network
(TLP: CLEAR) Kimwolf is a rapidly expanding malware-driven botnet that has compromised more than two million devices worldwide, primarily inexpensive Android TV boxes and digital photo frames. The malware covertly converts these consumer devices into residential proxy nodes, allowing threat actors to route malicious traffic through victims’ home networks without their knowledge. Researchers identified the campaign in late 2025 and linked its growth to weaknesses in how large residential proxy providers manage network access and authentication. The infections spread through a combination of insecure device configurations and flaws in proxy infrastructure. Many unofficial Android TV boxes ship with Android Debug Bridge (ADB) enabled by default, giving attackers remote administrative access. By abusing exposed proxy endpoints, threat actors can connect to these devices, deploy malware, and pivot deeper into local networks. In some cases, devices were found to be preloaded with proxy malware at the factory, compounding the risk. Once infected, Kimwolf forces devices to relay spam, conduct advertising fraud, attempt account takeovers, and participate in distributed denial-of-service attacks. The botnet is highly resilient, quickly rebuilding after disruptions by leveraging vast pools of residential proxy IPs. Operators monetize the network by renting proxy bandwidth, selling app installs, and offering DDoS capabilities, highlighting how insecure consumer hardware and proxy ecosystems are being weaponized at scale.
(TLP: CLEAR) Comments: Kimwolf reflects an opportunistic, industrialized abuse of consumer infrastructure where the value is not the endpoint itself, but the residential network “trust” it provides. By converting millions of low-cost Android TV boxes and similar devices into proxy nodes, malicious actors gain a distributed, geographically diverse foothold that is well suited for evading IP reputation controls, blending into normal consumer traffic patterns, and scaling follow-on operations with low marginal cost. The reported reliance on ADB exposure and weak default configurations suggests a deliberate preference for high-yield access paths that require minimal exploitation sophistication while still enabling privileged control, persistence, and lateral movement into adjacent home or small-office networks. From a DDoS perspective, a botnet composed of residential proxies changes the defensive equation: attacks can be sourced from “clean-looking” last-mile IP space, complicating filtering and increasing collateral risk if defenders over-block. The described rapid regeneration after takedown pressure also indicates an operating model built around churn and replenishment, where infrastructure scale and re-infection speed matter more than long-term stability of any single node. Strategically, this campaign underscores how the residential proxy economy and insecure supply chains are converging into a durable cybercrime substrate that can support fraud, credential abuse, and disruption on demand, without the traditional constraints of centralized botnet hosting or easily sinkholed command infrastructure.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.”
(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect is operated by our dedicated, 24/7 Security Operations Center that works to mitigate attacks against infrastructure, applications, and supporting services. Their work is backed by industry-leading Service Level Agreements (SLAs) for mitigation timeliness and effectiveness.
Source: https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/
Source: https://cybersecuritynews.com/kimwolf-botnet-hacked-2-million-devices/
RondoDoX Botnet Weaponizing a Critical React2Shell Vulnerability to Deploy Malware
(TLP: CLEAR) RondoDoX is a multi-stage botnet campaign observed through exposed command-and-control logs covering March to December 2025, showing sustained, methodical targeting of vulnerable web applications and IoT devices. The operation evolved through three phases: early manual vulnerability testing, a shift to automated daily scanning by April 2025, and a further escalation to hourly exploitation and payload deployment attempts beginning in July 2025. CloudSEK identified at least six active C2 servers and evidence of roughly ten botnet variants used across the campaign, indicating a modular ecosystem rather than a single static implant. By December 2025, the actors began rapidly weaponizing React2Shell, a critical Next.js flaw, to deploy their payloads, demonstrating an ability to operationalize newly disclosed vulnerabilities quickly. The infection chain centers on probing for remote code execution, dropping ELF binaries, and pulling additional payloads from C2 infrastructure. Once established, the malware sets persistence via cron jobs, kills competing malware to monopolize resources, and deploys cryptominers and supporting tooling for long-term control. It also supports multiple CPU architectures (x86/x64, MIPS, ARM, PowerPC) and uses redundant download methods (wget, curl, tftp, ftp) to maximize successful compromise across heterogeneous enterprise and IoT environments.
(TLP: CLEAR) Comments: RondoDoX reflects a mature botnet operator mindset that prioritizes scale, uptime, and repeatability over bespoke intrusion tradecraft. The most notable signal is the cadence shift from manual testing to daily automation and then to hourly deployment attempts, which indicates the actor is optimizing for rapid turnover of vulnerable infrastructure and assumes defenders will eventually remediate or the victim hosts will be reclaimed by competing malware. That tempo also suggests industrialized scanning and exploitation, where the marginal cost of adding new targets is low, enabling broad opportunistic compromise across both traditional web stacks and IoT exposed services. The December pivot to weaponizing a recent Next.js weakness is operationally important because it shows the botnet is not limited to legacy IoT CVEs; it is also positioning itself to absorb modern enterprise application exposure. In practice, this expands the botnet’s utility beyond cryptomining into infrastructure that can support higher-value outcomes, including acting as relay nodes, staging points, or proxy layers for follow-on operations. Multi-architecture payload support and multiple fallback transfer mechanisms further reinforce that the operator expects inconsistent environments and unstable connectivity, so resilience is engineered into the delivery chain. From a DDoS perspective, the same design choices that maximize infection success also maximize botnet “availability” for traffic generation: broad device diversity increases node count, cron-based persistence sustains dwell time, and competitive kill routines reduce resource contention, all of which improve reliability for sustained UDP, TCP, or HTTP flooding from distributed sources.
(TLP: CLEAR) Recommended best practices/regulations: PCI DSS v4.0 Requirement 5.2.1: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and servers, and also for non-standard IT assets such as IoT devices and appliances that cannot run anti-malware software.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine if the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole.
Source: https://cybersecuritynews.com/rondodox-botnet-weaponizing-a-critical-react2shell/
Phishing Campaign Abuses Google Cloud Application to Impersonate Legitimate Google Emails
(TLP: CLEAR) Check Point researchers reported a phishing campaign that abused Google Cloud Application Integration’s legitimate “Send Email” capability to distribute phishing emails that appeared to be authentic Google notifications. Over a two-week period, they observed nearly 9,400 messages aimed at roughly 3,200 organizations, with emails sent from a real Google address, noreply-application-integration@google[.]com, which materially increased delivery success by leveraging trusted sender reputation rather than traditional spoofing. The lure content closely matched Google’s branding and used routine prompts such as voicemail alerts or shared file notifications to drive clicks. The attack flow relied on a staged redirection chain: it began on storage.cloud.google[.]com, moved to googleusercontent[.]com, where a fake CAPTCHA filtered out automated scanners while reassuring real users, and ultimately redirected victims to a counterfeit Microsoft login page hosted on a non-Microsoft domain to capture credentials. Targeting concentrated on manufacturing and industrial firms, followed by technology, SaaS, and finance, with victims primarily in the United States and notable activity in APAC and Europe. Google stated it blocked multiple campaigns, emphasized that this was abuse of a workflow feature rather than a compromise of Google infrastructure, and said additional protections were implemented to reduce further misuse.
(TLP: CLEAR) Comments: This campaign is a notable example of “trust transference,” where malicious actors reduce friction by chaining their operation through legitimate, high-reputation cloud services rather than relying on overt spoofing. By originating messages from a real Google-owned sender and routing users through Google-controlled domains early in the click path, the actors deliberately undermine common defensive assumptions that authenticated senders and well-known hostnames imply safety. The staged redirection design also reflects a mature understanding of modern detection: the intermediate fake CAPTCHA step functions as an anti-analysis control that filters automated link scanners and detonation sandboxes while presenting a familiar, legitimacy-reinforcing interaction to the victim. The final pivot to a counterfeit Microsoft login page indicates the primary objective is credential theft and downstream account takeover, with likely follow-on activity including business email compromise, cloud session hijacking, lateral movement into SaaS environments, and secondary extortion. The sector emphasis on manufacturing and industrial firms is consistent with targeting organizations that often have complex third-party relationships and distributed workforces, which increases the probability that users will treat workflow and file-sharing prompts as routine. More broadly, the activity highlights an expanding abuse pattern in which adversaries weaponize “sender as a service” and “redirector as a service,” forcing defenders to place greater weight on behavioral signals, destination validation, and identity-based anomaly detection rather than domain reputation alone.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Digicert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Hackers Disrupt French Postal and Banking Services Twice
(TLP: CLEAR) La Poste and its banking subsidiary, La Banque Postale, experienced renewed service disruptions on New Year’s Day following a cyberattack, coming shortly after a late December incident that significantly impaired parcel tracking services from December 22 to December 26. French authorities stated that no data was stolen and described the activity as a denial-of-service event intended to overwhelm systems and degrade availability rather than compromise information. The Paris public prosecutor’s office has opened an investigation, assigning it to France’s DGSI and the national cyber unit, and confirmed that the pro-Russian hacktivist group NoName057(16) claimed responsibility. Formed in 2022 following Russia’s invasion of Ukraine, NoName057(16) has a history of DDoS campaigns against Ukrainian and European government, media, and corporate targets, often aligned with pro-Russian information warfare objectives. Reporting also notes that a Europol and Eurojust coordinated action in July 2025, Operation Eastwood, disrupted more than 100 servers and resulted in arrests in France and Spain, but the group reportedly resumed activity within weeks.
(TLP: CLEAR) Comments: The renewed disruption affecting La Poste and La Banque Postale is consistent with the operational pattern of pro-Russian hacktivist activity observed since Russia’s full-scale invasion of Ukraine, where DDoS is used as a low-cost, high-visibility lever to degrade public services, generate media attention, and reinforce information operations that frame Western governments as unable to protect critical digital services. The timing, immediately following the late December disruption, also suggests an intent to sustain pressure during periods of maximum public reliance on logistics and financial platforms, turning short service interruptions into outsized societal impact by targeting widely used “digital choke points” such as parcel tracking and online banking. The reported attribution to NoName057(16) aligns with the group’s history of targeting European entities perceived as supportive of Ukraine, and it reinforces that DDoS remains a primary tool in the broader Russia-Ukraine hybrid conflict, particularly because it can be executed at scale without requiring persistence inside victim networks. Importantly, prior international disruption efforts against NoName057(16) infrastructure have not eliminated the threat, indicating a resilient, regenerating ecosystem where capability can be reconstituted quickly and repeatedly.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those located within NATO and allies, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures.
(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is incredibly fast response against DDoS trouble when you need it most.
Scattered Lapsus$ Hunters Resurface with New RaaS Platform ‘ShinySp1d3r’ and Aggressive Insider Recruitment
(TLP: CLEAR) The Scattered Lapsus$ Hunters threat group has resurfaced after a period of inactivity following its high-profile supply chain attack involving Salesforce third-party integrations. Recent intelligence shows the group has reconstituted its operations and is actively recruiting insiders and initial access brokers through underground Telegram channels and credential trading forums. This resurgence coincides with the launch of a new Ransomware-as-a-Service platform called ShinySp1d3r, which is described as a collaborative effort involving individuals linked to ShinyHunters, Scattered Spider, and Lapsus$. Unlike earlier campaigns that relied heavily on social engineering, the group has shifted toward a more structured, commercially driven model focused on purchasing or recruiting privileged access. Recruitment efforts outline clear financial incentives, offering commission-based payouts for access to high-value enterprise environments, particularly large organizations with revenues exceeding $500 million. The group is specifically targeting insiders capable of providing access to corporate identity platforms, VPNs, and remote access tools across sectors such as telecommunications, software, gaming, and call-center operations. Researchers observed the group advertising its credibility by sharing alleged screenshots of sensitive internal systems, including identity management platforms, to reassure potential collaborators. The group has also addressed insider risk concerns directly, attempting to downplay recent exposure of insider activity and emphasizing operational security assurances. Overall, the emergence of ShinySp1d3r and renewed recruitment efforts signal an intent to sustain large-scale extortion and ransomware operations into 2026.
(TLP: CLEAR) Comments: The reported reactivation of Scattered Lapsus$ Hunters and the promotion of a dedicated ransomware-as-a-service offering, ShinySp1d3r, is consistent with an ecosystem shift from opportunistic social engineering toward a more repeatable access acquisition model that prioritizes scale, predictability, and monetization. Public reporting indicates the group has used its Telegram presence to recruit insiders and engage in initial-access-broker-style sourcing, including commission-based terms that explicitly value on-premises identity control and remote access paths, which suggests a deliberate emphasis on rapid enterprise-wide propagation and high-impact extortion outcomes once privileged footholds are obtained. The stated targeting constraints, including exclusions for certain jurisdictions and sectors, should be assessed as operational risk management and brand positioning rather than a reliable indicator of restraint, since such criteria are commonly used to reduce law enforcement attention, limit affiliate disputes, and maintain access broker relationships. The circulation of screenshots, including claims tied to well-known security and identity platforms, may function as credibility signaling to entice insiders and buyers, but it also reflects a recurring pattern in which threat collectives blend authentic compromises with exaggeration to strengthen negotiating leverage and recruitment throughput.
(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.
Source: https://cybersecuritynews.com/scattered-lapsus-hunters-resurface-with-new-raas-platform/
Critical jsPDF Flaw Lets Hackers Steal Secrets via Generated PDFs
(TLP: CLEAR) The article reports a critical local file inclusion and path traversal vulnerability in jsPDF’s Node.js builds, tracked as CVE-2025-68428 (CVSS 9.2), where unsanitized, user-controlled file paths can be passed into the library’s filesystem loading routine, causing contents of local files to be embedded into generated PDFs and potentially exfiltrated. The issue primarily centers on the loadFile function, but it can also be reached indirectly through features such as addImage, html, and addFont that may invoke the same file-loading behavior. The impact is limited to Node-targeted distributions (e.g., dist/jspdf.node.js and its minified counterpart), not typical browser-only usage. The flaw is addressed in jsPDF 4.0.0 by restricting filesystem access by default and aligning with Node’s permission model, though the article notes practical caveats, including the experimental status of permission mode in Node 20, recommended use of newer Node releases, and the risk of negating protections through overly broad filesystem allowances or process-wide permission flags.
(TLP: CLEAR) Comments: This vulnerability is most consequential where jsPDF is used server-side to generate PDFs from user-influenced inputs, such as “upload an image by URL or path,” “render HTML into a PDF,” or “select a font or template asset,” because those workflows can unintentionally turn a document-generation feature into a local data exposure channel. Even though the technique does not resemble classic remote code execution, it can still produce high-impact outcomes by leaking environment secrets and service credentials that are commonly present on application hosts (for example, configuration files, API keys, cloud credential files, and private keys), which can then enable follow-on compromise of adjacent systems. The risk profile is amplified by jsPDF’s widespread adoption and by the fact that exploitation can be “quiet”: successful attackers may only need to trigger PDF generation and retrieve the output, making activity blend into normal application behavior unless file access telemetry and anomalous path patterns are monitored. Operationally, this is a strong example of how “low-friction” input paths in developer tooling become security-critical when libraries bridge user-controlled parameters into privileged server resources. The article’s caveats around Node’s permission model matter because they highlight a practical gap between “patched” and “safe”: if defenders rely on process-wide flags or grant broad read permissions for functionality, they may reintroduce the same exposure through configuration. In effect, the core TTP here is abusing trusted server-side document rendering to perform targeted local file read and data staging into an exfiltration-friendly artifact, a pattern that commonly appears in real intrusions once threat actors discover any file-read primitive in an internet-facing workflow.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious—even more so if it contains binary data.”
(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, enables you to create your own rules in a variety of formats with the UltraWAF policy editor. Plus, you have the option to continuously add new threat signatures (protection for CVEs and CWEs, such as CMS vulnerabilities) captured by our threat research team.
Misconfigured Email Routing Enables Internal-Spoofed Phishing
(TLP: CLEAR) Attackers are increasingly abusing gaps in email authentication and routing, specifically in environments with complex mail flows or misconfigured third-party connectors, to deliver phishing that appears to originate from inside the target organization. Microsoft reports that since May 2025, threat actors have leveraged weak spoof protections and nonstandard MX routing to send messages that superficially look internal, using familiar lures such as HR notifications, voicemail alerts, shared documents, and password expiration prompts. This “internal look” materially increases click-through rates because recipients are less likely to scrutinize the sender or question legitimacy. A common enabling condition is incomplete enforcement of SPF, DKIM, and DMARC, such as DMARC set to “none” or SPF configured as softfail, combined with routing scenarios where inbound mail is not consistently evaluated under Microsoft 365’s protections. In these cases, header artifacts may still reveal external origination, but policy does not block delivery. Threat actors then chain the email to phishing-as-a-service platforms like Tycoon2FA, including adversary-in-the-middle workflows designed to capture credentials and potentially bypass MFA, often via staged redirects and human verification prompts such as fake CAPTCHA pages. Microsoft also observed that the same routing and spoofing weaknesses are being used for business email compromise (BEC)-style financial fraud. These messages impersonate executives or finance personnel, abuse urgency, and may include fraudulent invoices or supporting documents to induce wire payments. Overall, the reporting underscores that modern phishing success increasingly depends less on perfect spoofing and more on exploiting trust created by “looks internal” delivery paths enabled by misconfiguration.
(TLP: CLEAR) Comments: This activity highlights how phishing success increasingly hinges on exploiting “trust signals” created by legitimate email architecture rather than on convincingly forged content alone. When complex routing, third-party connectors, or misaligned MX paths weaken spoof protections, threat actors can make externally originated messages appear to be internal communications from the organization’s own domain, which materially reduces user skepticism and can also downgrade how aggressively controls triage the message. The recurring lures, such as HR notices, password resets, shared documents, and voicemail, are effective not because they are novel, but because they align with common internal workflows and can be scaled across industries with minimal tailoring. Tycoon2FA and similar PhaaS offerings further compress the kill chain by providing operator-ready infrastructure for credential harvesting and adversary-in-the-middle flows that can defeat MFA, turning a single successful click into reusable session artifacts or account takeover conditions. The “To” and “From” sameness tactic exploits how many users visually validate sender identity, while the real differentiators sit in headers, authentication results, and connector provenance, areas rarely reviewed by end users and sometimes not enforced by policy when DMARC is set to monitoring or SPF softfail is tolerated. Operationally, the downstream risk is not limited to mailbox compromise; it extends to business email compromise, vendor payment diversion, and internal thread hijacking, where the perceived legitimacy of an “internal” sender can accelerate fraudulent approvals and reduce time to detection.
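The two controls the reporting keeps returning to are enforceable in code: treat a message as internal only if its From: domain is the organization's own and the receiving system's Authentication-Results header says DMARC passed, and refuse to call a domain protected while its DMARC record is p=none or its SPF record ends in ~all. The following is an added example in Node.js, not Microsoft's detection logic and not tied to any product: it unfolds raw headers, reads the spf=/dkim=/dmarc= verdicts, classifies the message, and grades SPF and DMARC records. The organization domain, the two sample messages, and the grading labels are constructed for this example.

```javascript
// Added example: "looks internal but failed DMARC" classifier plus SPF/DMARC
// record grading. Domain, headers and labels are constructed, not real data.
const ORG_DOMAIN = 'example.com';

// Unfold RFC 5322 header continuation lines and return [name, value] pairs.
function parseHeaders(raw) {
  const out = [];
  for (const line of raw.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && out.length) {
      out[out.length - 1][1] += ' ' + line.trim();
    } else {
      const i = line.indexOf(':');
      if (i > 0) out.push([line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()]);
    }
  }
  return out;
}

// Domain of the RFC 5322 From: address, the identity DMARC aligns against.
function fromDomain(headers) {
  const from = headers.find(([name]) => name === 'from');
  if (!from) return null;
  const m = from[1].match(/<([^>]+)>/);
  const addr = (m ? m[1] : from[1]).trim();
  const at = addr.lastIndexOf('@');
  return at < 0 ? null : addr.slice(at + 1).toLowerCase();
}

// Pull the spf=, dkim= and dmarc= verdicts stamped by the receiving system.
function authResults(headers) {
  const verdict = { spf: 'none', dkim: 'none', dmarc: 'none' };
  for (const [name, value] of headers) {
    if (name !== 'authentication-results') continue;
    for (const key of Object.keys(verdict)) {
      const m = value.match(new RegExp('\\b' + key + '=([a-z]+)', 'i'));
      if (m) verdict[key] = m[1].toLowerCase();
    }
  }
  return verdict;
}

// The organization's own domain in From: counts as internal only with a DMARC
// pass; anything else wearing that domain is the spoof pattern described above.
function classifyMessage(raw) {
  const headers = parseHeaders(raw);
  const domain = fromDomain(headers);
  const auth = authResults(headers);
  if (domain === ORG_DOMAIN) return auth.dmarc === 'pass' ? 'internal' : 'suspect-internal-spoof';
  return 'external';
}

// Grade the organization's own DMARC TXT record.
function gradeDmarc(record) {
  const tags = {};
  for (const part of record.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim().toLowerCase();
  }
  if (tags.v !== 'dmarc1') return 'missing';
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (tags.p === 'reject' && pct === 100) return 'enforcing';
  if (tags.p === 'quarantine' || tags.p === 'reject') return 'partial';
  return 'monitor-only'; // p=none (or absent): reports only, nothing is blocked
}

// Grade the SPF TXT record by its terminal "all" qualifier.
function gradeSpf(record) {
  const terms = record.trim().split(/\s+/);
  if (terms[0].toLowerCase() !== 'v=spf1') return 'missing';
  const all = terms.find((t) => /^[-~?+]?all$/i.test(t)) || '';
  if (all.startsWith('-')) return 'hardfail';
  if (all.startsWith('~')) return 'softfail';
  return 'permissive'; // ?all, +all or no "all" term at all
}

// Constructed headers: the first arrived from outside but claims an internal
// sender; the second is a genuine internal message that passed DMARC.
const SPOOFED_INTERNAL = [
  'Received: from mail.attacker.example (203.0.113.5) by mx.example.com',
  'Authentication-Results: mx.example.com; spf=softfail (sender IP is 203.0.113.5)',
  ' smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none',
  ' header.from=example.com',
  'From: "HR Department" <hr@example.com>',
  'To: alice@example.com',
  'Subject: Action required: updated benefits enrollment',
].join('\r\n');

const GENUINE_INTERNAL = [
  'Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;',
  ' dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com',
  'From: "IT Service Desk" <it@example.com>',
  'To: alice@example.com',
  'Subject: Maintenance window this weekend',
].join('\r\n');
```

The classifier deliberately ignores DKIM and SPF results on their own: an SPF pass for an unrelated envelope sender or a DKIM signature from a third-party domain does not make the From: domain trustworthy, which is exactly the gap DMARC alignment closes. Run `gradeDmarc` and `gradeSpf` against the records returned by a DNS lookup of `_dmarc.<domain>` and `<domain>` to confirm the domain is not sitting in the monitor-only or softfail state the reporting describes.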
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.