Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

Trending KB Articles


DNS Beacons Connecting to Russian C2s

KB Article #: 000008841 Apr 18, 2023Knowledge
Infoblox Threat Intelligence Advisory Alert: Newly Identified DNS Beacons Connecting to Russian C2s
Infoblox’s Threat Intelligence Group is the first to identify a set of beacons that exploit DNS to establish communications with C2 infrastructure located in Russia. The beacons have been active since at least April 2022 but are persistent, very low-profile, and hard to discover. While the attack vector is not known yet, the team believes that the bad actors are using a modified PuPy RAT (Remote Access Trojan), which allows the attacker to control the compromised device. While we are confident that the queries are a C2 communication, Infoblox is unable to verify the underlying cause. Infoblox is actively working with others across the security industry to understand the situation.

The team continues to research this threat and will publish more information next week. Follow us on social media to receive the full report (links below). We’re publishing these indicators such that organizations may take mitigating actions to prevent these C2 communications. We’ve identified the following C2 domains thus far: (please remove the [brackets] prior to loading URLs into a block list.  Brackets are used to ensure they are not clicked within this email)
  • claudfront[.]net
  • allowlisted[.]net
  • atlas-upd[.]com
  • ads-tm-glb[.]click
  • cbox4[.]ignorelist[.]com
  • hsdps[.]cc. 
As a specialized DNS based security vendor, Infoblox tracks adversary infrastructure and can see suspicious activity early in the threat lifecycle, when there is “intent to compromise '' and before the actual attack starts. Any indicators that are deemed suspicious are then included into Infoblox’s Suspicious domains feed to enable organizations to pre-emptively protect themselves from new and emerging threats. In this case, many of the Russian C2 domains were already discovered and included in the Suspicious domains feeds in BloxOne Threat Defense (Advanced) back in the fall of 2022. In addition to the Suspicious Domains feed, these domains have now been added to Infoblox’s anti-malware feed.

Infoblox recommends the following actions:

If you’re a BloxOne Threat Defense (Advanced) Customer

If you are a BloxOne Threat Defense (Essentials or Business On-premises) Customer
  • If you have applied the anti-malware feed to your RPZ policy configuration, the on-premise DNS servers will have already pulled the active data set including those indicators known to be related to this threat. If not, follow Infoblox recommendations to block with the suspicious domains and anti-malware feeds.
  • Validate security events generated by the on-premise DNS appliances via the Infoblox Reporting server
If you are a BloxOne Threat Defense (Business Cloud) Customer
If you are not a BloxOne Threat Defense Customer If you find these in your traffic or would like more information please contact your account manager or email

Follow the story on social media for ongoing updates

Additional Resources:

Showing results for 
Search instead for 
Did you mean: