In less than a month (starting April 25th through May 13th) the threat actor registered approximately 11,000 domains which would equate to nothing less than a cost of $150,000 even with bulk domain purchasing discounts. Over 3,500 of the domains were purchased on May 5th alone.

The behavior and domains exhibit key characteristics of an automated domain generation algorithm capability:

• The domains are registered every 7 seconds (as seen by the timestamps)

• The domains are a hash of letters with mostly a ".pw" TLD

The threat actor then shifted tactics and began the use of a proxy/VPN on May 13th to register 1,280 domains. The unredacted name, physical address and telephone number of the actor is in Turkey along with the location of the proxy/VPN address.

There is obviously more discovery to be done but this illustrates the power of a single pivot that delivers a wealth of information and may be the early indication of an emerging campaign.