How I’m fighting cybercrime with Spamhaus (and how you can too!)
Meet Jeroen Gui - student, founder of JustGuard, and a top contributor to Spamhaus' Threat Intel Community Portal. Passionate about making the internet a safer place, Jeroen submits thousands of malicious domains, URLs, and raw email sources every month. But what drives him to share his data, and how can you get involved too?
Between input and output: The enigma of being a Spamhaus threat investigator
Spamhaus processes millions of IPs and domains every day. Given the vast amount of incoming data, automation is a necessity. But is technology alone enough? Let’s find out. Meet one of our researchers, Jonas Arnold, as he sheds light on the threat investigators' role in Spamhaus and the fight against Internet abuse.
The beta nature of the Threat Intel Community Portal
If you haven't noticed, the Threat Intel Community is in beta, and to be honest, it will be for some time - probably until the end of 2024. "Why?" we hear you chorus. In a nutshell, we're all learning together - it's a process of discovering what data you want...
Want to submit data? Be our guest!
For many years Spamhaus has been asked if it accepts data from third parties. The standard response has always been “Only after a detailed technical process and if certain criteria are met”. But today, that response changes to “Yes, we do”. If you want to submit malicious domains, IPs, email...
Lifting the lid on a long-time operating Brazilian malware gang
For over 8 years, our researchers have been tracking an operation that targets Brazilian internet users and is focused on stealing their banking credentials and withdrawing funds from its victims’ accounts. Here’s a potted history.
Neutralizing Tofsee Spambot – Part 3 | Network-based kill switch
In part three, we focus on using a network kill switch - causing an out-of-bounds read error, leading to Tofsee crashing.
Neutralizing Tofsee Spambot - Part 2 | InMemoryConfig store vaccine
In part two, learn about a second malware vaccine our team has produced, focused on polluting Tofsee's internal configuration store.
Understanding top-level domain (TLD) abuse helps illuminate and predict domain threat trends
The Domain Name System (DNS) is the backbone of the internet, enabling agile communication between internet entities. This blog post will focus on top-level domains (TLDs) and how they can impact the security landscape.
Neutralizing Tofsee Spambot – Part 1 | Binary file vaccine
The Spamhaus Malware Researchers have been busy in their lairs, reverse engineering Tofsee malware to provide you with the code required for two malware vaccines and a network-based kill switch. A hat trick of protection against this spambot! This is the first in this three-part series and looks at how to inject a malware vaccine into the binary file.
Dissecting the new shellcode-based variant of GuLoader (CloudEyE)
One of the Spamhaus Project's malware specialists has been battling GuLoader, attempting to analyze this tricky malware. Here they share their findings and explain how you can extract URLs from GuLoader.
What does Spamhaus do?
I write this article for all of you out there who aren't deeply embedded in this industry because the people I work with are remarkable. The world should know what they are doing to quietly protect all those who say “Spamwho?” be that your grandma or the network nerd at work.
Smoke Loader malware improves after Microsoft spoils its Campaign
Early this year, in March 2018, Microsoft’s Windows Defender Research Team in Redmond published some interesting insights into a massive malware campaign distributing a dropper/loader called Smoke Loader (also known as Dofoil). The main purpose of the documented campaign was to distribute a coin miner payload that is using infected...