ET MALWARE Observed Subdomain Hijacker Domain to AI Slop in TLS SNI (pgpump .github .io)

SID: 2063022Rev: 13 viewsHistory

Sourceet/open

CreatedJune 16, 2025

UpdatedJune 16, 2025

Classificationbad-unknown

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Subdomain Hijacker Domain to AI Slop in TLS SNI (pgpump .github .io)"; flow:established,to_server; tls.sni; dotprefix; content:".pgpump.github.io"; endswith; fast_pattern; reference:url,www.yahoo.com/news/entertainment/articles/smith-turned-down-christopher-nolan-011030992.html; reference:url,404media.co/spam-blogs-ai-slop-domains-wowlazy/; reference:url,urlscan.io/result/01977723-c01e-714e-9418-d8a87b7eabaa/; classtype:bad-unknown; sid:2063022; rev:1; metadata:attack_target Client_Endpoint, created_at 2025_06_16, deployment Perimeter, performance_impact Low, confidence High, signature_severity Minor, updated_at 2025_06_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol_DNS;)

References

url	www.yahoo.com/news/entertainment/articles/smith-turned-down-christopher-nolan-011030992.html
url	404media.co/spam-blogs-ai-slop-domains-wowlazy/
url	urlscan.io/result/01977723-c01e-714e-9418-d8a87b7eabaa/

Metadata

attack targetClient_Endpoint

created at2025_06_16

deploymentPerimeter

performance impactLow

confidenceHigh

signature severityMinor

updated at2025_06_16

mitre tactic idTA0011

mitre tactic nameCommand_And_Control

mitre technique idT1071

mitre technique nameApplication_Layer_Protocol_DNS

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!