Pivoting on DPRK IT Worker infrastructure—one more domain

Team Cymru recently published a solid analysis of fake IT worker infrastructure, pivoting from luckyguys[.]site using X.509 certificates and NetFlow data. Building on their findings, I looked for domains with a similar naming pattern and overlapping infrastructure characteristics in late 2025 / early 2026. One domain stood out, luckyguys[.]cloud:

• Registered on January 6, 2026 (one month after luckyguys[.]site, December 2, 2025)
• Same registrar (Hostinger)
• Exposed Gitea instance, same as luckyguys[.]site
• IP 45.15.167[.]146 (AS209847) hosts all luckyguys[.]cloud subdomains; its PTR record resolves to rbluckyguys[.]com, indicating naming linkage
• Login panel referencing “RB Luckyguys Management”

The domain resolves to a significantly larger set of subdomains than luckyguys[.]site (18 vs 5, see Validin screenshot). The apex domain was reachable in January and March 2026 (via urlscan.io), but none responded at the time of writing. This is consistent with infrastructure abandoned or rapidly torn down following public disclosure, as suggested in the original Team Cymru post.

Attribution remains moderate confidence. Overlap in naming, infrastructure, and artifacts is suggestive. This could indicate related infrastructure, but coincidence remains possible.

IOCs:
luckyguys[.]cloud
rbluckyguys[.]com
45.15.167[.]146

h/t Team Cymru and Eli W. for the initial research.

Edit: Writeup now available on Plausible Deniability https://lnkd.in/enHgKD8F
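As an added worked example (not the author's tooling, nor anything from Validin or Team Cymru), the script below encodes the overlap logic the post applies: group resolutions by apex, check whether a hosting IP's PTR name shares a naming token with the candidate, compare registrar and exposed-service artifacts, and turn the signals into a confidence label. It runs offline over a constructed, passive-DNS-style record set: the IP 45.15.167.146, the PTR name rbluckyguys.com and the two apex domains come from the post's IOCs; the subdomain labels, the .site hosting address (a TEST-NET placeholder), the service tags and the unrelated control domain are hypothetical placeholders, not observed data. In real use you would feed it records from a passive-DNS source or `socket.gethostbyaddr`, and replace the naive apex split with a public-suffix list.

```python
"""Offline illustration of a naming/PTR/registrar overlap pivot.

Constructed sample data: only the IP, PTR name and the two apex domains
are taken from the post; everything else is a hypothetical placeholder.
"""

# (fqdn, ip) resolutions, passive-DNS style. Subdomain labels are hypothetical.
A_RECORDS = [
    ("luckyguys.cloud", "45.15.167.146"),
    ("git.luckyguys.cloud", "45.15.167.146"),
    ("panel.luckyguys.cloud", "45.15.167.146"),
    ("luckyguys.site", "203.0.113.10"),      # placeholder (TEST-NET-3), not the real host
    ("git.luckyguys.site", "203.0.113.10"),
    ("example.org", "198.51.100.7"),         # unrelated control domain
]
# Reverse-DNS name per IP; only the first entry reflects the post.
PTR_RECORDS = {"45.15.167.146": "rbluckyguys.com"}
# Registrar per apex; the control domain's registrar is a placeholder.
REGISTRARS = {"luckyguys.cloud": "Hostinger",
              "luckyguys.site": "Hostinger",
              "example.org": "Example Registrar"}
# Exposed-service artifacts per hostname (hypothetical host names).
SERVICES = {"git.luckyguys.cloud": "gitea", "git.luckyguys.site": "gitea"}


def apex(fqdn: str) -> str:
    """Naive apex: last two labels. Use a public-suffix list for real data."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def sld(fqdn: str) -> str:
    """Second-level label, e.g. 'rbluckyguys' for rbluckyguys.com."""
    return apex(fqdn).split(".")[0]


def naming_link(a: str, b: str, min_len: int = 6) -> bool:
    """True when one second-level label contains the other (e.g. luckyguys in
    rbluckyguys). min_len keeps short labels like 'web' from matching."""
    x, y = sld(a), sld(b)
    return min(len(x), len(y)) >= min_len and (x in y or y in x)


def hosting_ips(domain: str, a_records) -> set:
    return {ip for name, ip in a_records if apex(name) == domain}


def subdomains(domain: str, a_records) -> list:
    return sorted({n for n, _ in a_records if apex(n) == domain and n != domain})


def ptr_links(domain: str, a_records, ptr_records) -> list:
    """(ip, ptr) pairs whose PTR name carries the candidate's naming token."""
    out = []
    for ip in sorted(hosting_ips(domain, a_records)):
        ptr = ptr_records.get(ip)
        if ptr and naming_link(domain, ptr):
            out.append((ip, ptr))
    return out


def artifacts(domain: str, a_records, services) -> set:
    return {services[n] for n, _ in a_records if apex(n) == domain and n in services}


def assess(candidate: str, seed: str, a_records=A_RECORDS, ptr_records=PTR_RECORDS,
           registrars=REGISTRARS, services=SERVICES):
    """Collect overlap signals between candidate and seed and grade them.

    A direct shared hosting IP is the only signal treated as strong enough
    for 'high'; naming, registrar, PTR and artifact overlap alone cap at
    'moderate', matching the caution expressed in the post.
    """
    signals = {
        "naming": naming_link(candidate, seed),
        "registrar": registrars.get(candidate) is not None
                     and registrars.get(candidate) == registrars.get(seed),
        "shared_ip": bool(hosting_ips(candidate, a_records) & hosting_ips(seed, a_records)),
        "ptr_naming": bool(ptr_links(candidate, a_records, ptr_records)),
        "artifact": bool(artifacts(candidate, a_records, services)
                         & artifacts(seed, a_records, services)),
    }
    score = sum(signals.values())
    if signals["shared_ip"] and score >= 3:
        confidence = "high"
    elif score >= 2:
        confidence = "moderate"
    else:
        confidence = "low"
    return signals, confidence


if __name__ == "__main__":
    for cand in ("luckyguys.cloud", "example.org"):
        sig, conf = assess(cand, "luckyguys.site")
        print(cand, conf, sig, ptr_links(cand, A_RECORDS, PTR_RECORDS))
```

The confidence rule is deliberately conservative: the candidate here scores on naming, registrar, PTR naming and the Gitea artifact but not on a shared IP, so it lands at "moderate", while the control domain scores nothing and lands at "low".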