Infoblox

@sheehanj920 Yes, Sri Lanka should be mapped.

@Infoblox for clarification, should Sri Lanka be mapped or no? they still appear on the map on: infoblox.com/blog/threat-in…

From call scripts and scams to command and control—Southeast Asia’s scam centres are levelling up. In our latest research with Chong Lua Dao, we track a sophisticated Android banking trojan directly to the K99 Triumph City scam compound in Sihanoukville, Cambodia, 🧵

For years the online-fraud industry has mostly relied on slow, labour-intensive methods. Advances in technology have enabled a change of approach economist.com/interactive/as…

👉️ Read the full report here: infoblox.com/blog/threat-in… 👉️ We spoke to the Economist to explain how the scam centre threat is shifting: economist.com/interactive/as…

and 15 languages. What’s more, we have found that there is significant overlap with the infrastructure and business networks attributed to the DNS threat actors Vigorish Viper and Vault Viper, highlighting the continued evolution of the regional cyber threat landscape.

Here are some examples: asakusubinitohas[.]com bmw320ikaka[.]co cpusx[.]com newoneazu[.]com ratmail[.]pro rato[.]page rato[.]to ratodemo[.]pro sesrecipt[.]com silk-gen[.]com sunostart[.]com viewyourstatementonline[.]com

RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same Cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively RATO and its customers operate a large number of domains.

💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. 🧵

⚽ Domain sample: fifa-2026[.]homes, fifa-com[.]media, www-fifa-com[.]website, vvww-fifa[.]com, fifa-26-worldcup[.]com #dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #FIFA #WorldCup2026 #phishing #scam #lookalikes

(we observed some with suspicious Romanian LLC names). These recently-registered domains are mostly Cloudflare-hosted, spread across various TLDs, and consistently abuse FIFA branding. If it’s a suspicious domain in your inbox or feed, assume it’s not official.

⚽Threat actors are warming up for the 2026 World Cup—and they’re targeting fans early. We’ve observed FIFA ticket phishing pages on domains such as fifa[.]bio and ww-fifa[.]com, distributed through malicious spam emails and Facebook ad campaigns. 🧵