Uncovering Prolific Puma, Massive Domain Generator & URL Shortener

Hackers can exploit Massive Domain Generator and URL Shortener services by creating large numbers of deceptive or malicious domains and using URL shorteners to hide the true destination of links. 

This can be used for the following illicit purposes:- 

• Phishing attacks
• Spreading malware
• Directing unsuspecting users to malicious websites
• Makes it harder to trace the source of the attacks

Recently, cybersecurity analysts at Infoblox uncovered a massive domain generator and URL shortener service dubbed “Prolific Puma Service.”

Domain Generator and URL Shortener

In 2023, the $8 trillion cybercrime economy ranks third globally. Puma aids this network, crafting deceptive domain names (RDGA) for:-

• Link shortening
• Aiding phishing
• Scams
• Malware spread

Disrupting Prolific Puma Service means hitting the criminal economy hard, as they create numerous deceptive domains and shorten links for malicious actors, hiding their actions.

This finding highlights the power of using DNS data to spot threats. Prolific Puma was tracked via DNS, showing challenges for domain authorities in controlling abuse. 

Distance from the crime can divert the takedowns, and researchers first spotted Puma domains via RDGA detection six months ago.

Prolific Puma offers covert link shortening for threat actors, and directly accessing an active SLD presents this message:-

• {“type”: “service”,”name”:”@link-shortener/handler-service”}

Link shorteners simplify web link sharing and tackle social media size limits. When a user clicks, a DNS request resolves the shortening service’s IP, like tinyurl[.]com. 

The web request contains a hash to redirect, and additional DNS queries find the content’s IP. Legitimate users shorten links, but malicious actors may use complex redirection layers.

Malicious use of link shorteners, like TinyURL, BitLy, and Google, is common for phishing. Companies should avoid popular shorteners in emails. Prolific Puma’s services remained low-key.

Investigating link shorteners is tricky, as the final landing page can’t be determined without a full URL. Detecting suspicious domains with no public presence raises questions about their usage.

Prolific Puma registered thousands of usTLD domains since May 2023, violating usTLD rules. The usTLD is known for abuse, and privacy issues persist, mainly with NameSilo as the registrar. 

Private registration in the usTLD is unauthorized but exists, and to combat DNS threats, collaboration is needed.

Threat actors show unique traits in their tactics, and Prolific Puma, a DNS threat actor, uses private registration but public usTLD domains with an email reference to the obscure song ‘October 33’ by the lesser-known band, the Black Pumas. 

They also adopt the name ‘Leila Puma,’ which alludes to the same band and adds a touch of mystery with a personal Ukrainian email.

Indicators of Activity

Prolific Puma link shortener domain:

• hygmi[.]com
• yyds[.]is
• 0cq[.]us
• 4cu[.]us
• regz[.]info
• u5s[.]us
• 1jb[.]us
• jrbc[.]info
• uhje[.]me
• 0md[.]us
• fh3[.]us
• 0qa[.]us
• 9jw[.]us
• iv0[.]us
• od9[.]us
• rpzp[.]me
• 8fx[.]us
• 3vb[.]us
• r1u[.]us
• zost[.]link
• 9ow[.]us
• sf8i[.]us
• bu9[.]us
• ce2[.]us
• wf6[.]us
• v8z[.]us
• zj4[.]us
• rjvb[.]link
• fssu[.]link
• xbsf[.]link
• wqeh[.]link
• ymql[.]link
• 7tz[.]us
• w6q[.]us
• giqj[.]me
• u3q[.]us
• ke0[.]us
• v1u[.]us
• ti7[.]us
• 2zc[.]us
• gf6[.]us
• 6dr[.]us
• 6or[.]us
• kc0[.]us
• 0ty[.]us
• styi.info
• 6fe[.]us
• u8n[.]us
• d6s[.]us

Link shortener hosting IPs:

• 45[.]32[.]147[.]158
• 62[.]3[.]15[.]55
• 45[.]32[.]212[.]77
• 149[.]248[.]2[.]42

Redirection and landing pages:

• bwkd[.]me
• ksaguna[.]com
• asdboloa[.]com
• game.co[.]za

Browser-plugin malware domains:

• fubsdgd[.]com

Prolific Puma registration email address:

• blackpumaoct33@ukr[.]net

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.