kyleehmke.bsky.social
Threat intel researcher focused on infrastructure hunting. Views are my own and not my employer's.
79 posts 438 followers 86 following

The Children's Health Defense staging site associated with realcdc[.]org indicates they are setting it up to pose as a legitimate CDC site questioning vaccine safety, complete with parent testimonials. Currently no overt indication the site is run by CHD.

Suspicious domain chromeupdate[.]net was registered through Njalla on 3/11/25. Not currently resolving, but worth keeping an eye on.

Suspicious domain nvidia-installer[.]com was registered through Njalla on 3/10/25 and resolves to 51.44.166[.]225.

Two suspicious domains co-registered through Njalla on 3/6/25: sfsimpact[.]org and dogechronicle[.]com. The former purports to be an independent analysis claiming inefficiency in the NSF CyberCorps Scholarship for Service (SFS); the latter claims to report on DOGE activity. (1/4)

Suspicious domain downloadfile-dropbox[.]com was registered through Njalla on 2/21/25 and is hosted at 86.54.42[.]36.

Suspicious domain onelivedrv[.]com was registered through Njalla on 2/20/25 and is hosted at 193.42.39[.]159.

Suspicious domain vmware-analytics[.]com was registered through Njalla on 2/17/24. Not currently resolving, but subdomain app.vmware-analytics[.]com shows resolution to 178.131.20[.]47.

Domain dogestatus[.]org was registered on 2/14/25 and is likely administered using IMGE's Cloudflare account—the same one used for the fake Harris campaign site progress2028[.]com. www.opensecrets.org/news/2024/10... Not currently resolving.

“Impact” of IO is notoriously hard to measure. The Breakout Scale, from @benimmo.bsky.social, continues to be one of the best tools for doing so. This one is a great example of a “Category 5” op, if the attribution to Overload/Matryoshka is indeed correct.

I missed this yesterday, but new Attorney General Pam Bondi used her first day on the job to disband the FBI's Foreign Influence Task Force, which has been a key part of government efforts to stop adversaries from meddling in U.S. democracy: https://bit.ly/4jK0RC5

Suspicious domain sentinleone[.]com was registered through MonoVM on 2/3/25 using rachellecaya62@proton[.]me. Domain resolves to 185.174.101[.]117. Same email address was used for two other domains in late 2024 that are hosted on 177.136.225[.]169:
copilotassistants[.]com
copilotcrmcloud[.]com

Little behind on announcing this, but #binjaxtras is now available in BinaryNinja’s plugin manager! #BinaryNinja

Suspicious domain homegrouplistener[.]com was registered through THCservers on 1/30/25 using revofresh@tutamail[.]com. Currently resolves to 144.172.113[.]80.

Suspicious domain fortigate-cloud[.]com was registered through Njalla on 1/28/25. Domain uses Cloudflare and doesn't resolve, but Censys indicates subdomain cdn.fortigate-cloud[.]com in use at a MeshCentral server on 185.193.127[.]21.

Suspicious domain updatemicfosoft[.]com was registered through Njalla on 1/28/25. Subdomain www.updatemicfosoft[.]com shows resolution to BL Networks IP 64.190.113[.]13.

Domain realcdc[.]org was registered on 1/23/25 and is administered using the same Cloudflare account used for the Children's Health Defense (CHD). Other sites on its cert:
cdc.chdstaging[.]org
f428ecee2d.nxcli[.]io

Suspicious domain securityupdatereleases[.]com was registered through MonoVM on 1/16/25 using matondo-atabong@tutamail[.]com. Not currently hosted, but worth keeping an eye on.

What seems to be the latest Storm-1516 disinformation campaign referring to recently created website presseneu[.]de: "Germany plans to import 1.9 million Kenyan workers"

Suspicious domain proxy-waf[.]com was registered through MonoVM on 12/15/24 using yuyu47@onionmail[.]org. Domain resolves to EDIS GmbH IP 151.236.15[.]37. Potentially an issue: Google search provides an AI response that the site is used for protecting web apps. Seems like an oversight for an NRD.

Suspicious domain timesyncserver[.]com was registered through Njalla on 12/4/24 and resolves to 85.239.34[.]155.

Suspicious domain google-analyze[.]com was registered through MonoVM on 11/29/24 using corbin.kund10@mail[.]ee. Resolves to 91.132.95[.]168.

Suspicious domain msdefender[.]net was registered on 12/1/24—through PDR but unsure where specifically—using msdefender@onionmail[.]org. Currently using Cloudflare.

Suspicious domain afpicenter[.]com was registered through MonoVM on 11/15/24 using steven.streejed@tutamail[.]com. Not currently hosted, but worth keeping an eye on.

Infrastructure registered within the last month and highly likely administered using the same Cloudflare account as America PAC:
doge2026[.]com (11/13)
dogeamerica[.]org (11/13)
doge2025[.]com (10/14)
Not currently hosting any content.

Big wins for entropy today

Suspicious domain sslvpn-cisco[.]com was registered through Njalla on 11/13/24 and is using Cloudflare.

Suspicious domain owamfa[.]email was registered through Njalla on 6/5 and resolves to 139.59.8[.]35. DomainTools and Censys indicate a previous resolution to 38.180.39[.]11.

Suspicious domains 1drivestorage[.]com and 1drive-storage[.]com were registered through Impreza Host on 5/23 using admid541@onionmail[.]org. Relevant resolution at 79.141.170[.]16.

Suspicious domain awsupdatesupport[.]com was registered through Njalla on 5/23 and resolves to 89.251.22[.]240.

Suspicious domain office-o365[.]services was registered through Njalla on 5/22 and is hosted on BL Networks IP 64.7.198[.]217. Redirects to the legitimate Office site.

Suspicious domain ubuntuupdates[.]net was registered through MonoVM on 5/21 using simonhoff@airmail[.]cc. Currently resolves to M247 IP 146.70.158[.]182.

Set of suspicious domains co-registered through Njalla on 5/6:
ms-1drive[.]com (91.92.253[.]214)
1drv-storage[.]com (91.92.253[.]233)
drive-ms[.]com (91.92.253[.]232)

Set of suspicious domains registered through Njalla on 4/26:
strategicdefensedynamics[.]agency
strategicdefensedynamics[.]net
strategicdefensedynamics[.]org
strategicdefensedynamics[.]partners

Suspicious domains softupdate[.]org (5.45.93[.]209) and teamsupdate[.]org (5.61.51[.]33) were registered in short proximity through Njalla on 4/3.

Suspicious domain docstorage[.]link was registered through Njalla on 4/2. It and subdomain drv[.]docstorage[.]link resolve to 212.46.38[.]222 and redirect to legitimate Microsoft sites.

Suspicious domain msdn-live[.]com was registered through Njalla on 3/25 and resolves to 89.147.109[.]166. Domain is hosting a remote support portal.

Suspicious domain msftauth[.]com was registered through Njalla on 2/15. Co-located with the similarly registered (1/31) domain googlservices[.]com at 195.85.114[.]11.

Suspicious domain salesmicrosoft[.]com was registered through RockHoster on 2/13 and resolves to 104.248.200[.]223.

Suspicious domain aws-data[.]in was registered through Njalla on 2/11 and resolves to 185.216.68[.]154.

Suspicious domain intel-drivers[.]com was registered through Njalla on 2/6 and is resolving to IPs 193.142.30[.]96 and 193.142.30[.]81.

Suspicious domain worldclksyncsvr[.]com was registered through Njalla on 2/2 and resolves to 5.255.118[.]21.

Suspicious domains registered separately through OrangeWebsite on 1/30 that resolve to nondedicated infrastructure, but have subs on dedicated infrastructure:
msedge-srv2[.]com
db2.msedge-srv2[.]com (91.207.183[.]103)
msedge-tenet[.]com
zone1.msedge-tenet[.]com (91.207.183[.]222)
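Every post in this feed uses the same defanged notation ("[.]" in place of ".", plus "registered through X on D" and "domain (ip)" phrasing). The script below is an added example, not the author's tooling, that turns such posts into a structured watchlist a defender can load into a blocklist or hunting query: it refangs the text, extracts domains, IPv4 addresses and registrant e-mails, records the registrar and date, pairs a domain with the IP written in parentheses directly after it (otherwise it attributes every IP in the post to every domain in it, a deliberate coarse assumption), and groups domains that share a registrar and date as co-registration pivot candidates. The sample input is three posts copied from the feed above; the regexes and the single-token registrar heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: three posts copied from the feed above, still in
# their defanged form ("[.]" in place of ".").
POSTS = [
    "Suspicious domain sentinleone[.]com was registered through MonoVM on 2/3/25 "
    "using rachellecaya62@proton[.]me. Domain resolves to 185.174.101[.]117. Same "
    "email address was used for two other domains in late 2024 that are hosted on "
    "177.136.225[.]169: copilotassistants[.]com copilotcrmcloud[.]com",
    "Set of suspicious domains co-registered through Njalla on 5/6: ms-1drive[.]com "
    "(91.92.253[.]214) 1drv-storage[.]com (91.92.253[.]233) drive-ms[.]com (91.92.253[.]232)",
    "Suspicious domain owamfa[.]email was registered through Njalla on 6/5 and resolves "
    "to 139.59.8[.]35. DomainTools and Censys indicate a previous resolution to 38.180.39[.]11.",
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV4_RE = re.compile(r"\b" + IPV4 + r"\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Assumption: the registrar is the single token after "registered through"; a
# multi-word registrar name (e.g. "Impreza Host") would be cut to its first word.
REG_RE = re.compile(r"registered through (\S+) on ([\d/]+)")


def refang(text: str) -> str:
    """Reverse the [.] defanging so the regexes can match real indicators."""
    return text.replace("[.]", ".")


@dataclass
class Indicators:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    emails: set = field(default_factory=set)


def extract_indicators(post: str) -> Indicators:
    """Pull domains, valid IPv4 addresses and e-mail addresses out of one post."""
    text = refang(post)
    ind = Indicators()
    ind.emails = {m.lower() for m in EMAIL_RE.findall(text)}
    ind.ips = {m for m in IPV4_RE.findall(text)
               if all(int(octet) <= 255 for octet in m.split("."))}
    # The mail provider (e.g. proton.me) is part of the registrant e-mail, not an IoC.
    mail_domains = {e.split("@", 1)[1] for e in ind.emails}
    for m in DOMAIN_RE.findall(text):
        d = m.lower()
        if d not in mail_domains:
            ind.domains.add(d)
    return ind


def registration_context(post: str):
    """(registrar, date) exactly as written in the post, or (None, None) if absent."""
    m = REG_RE.search(post)
    return (m.group(1), m.group(2)) if m else (None, None)


def build_watchlist(posts):
    """domain -> {ips, emails, registrar, date}.

    A domain immediately followed by "(ip)" gets only that IP; otherwise every IP
    mentioned in the post is attributed to it (coarse, but keeps hosting pivots)."""
    watch = {}
    for post in posts:
        text = refang(post)
        ind = extract_indicators(post)
        registrar, date = registration_context(post)
        for d in ind.domains:
            paired = re.search(re.escape(d) + r"\s*\((" + IPV4 + r")\)", text)
            entry = watch.setdefault(d, {"ips": set(), "emails": set(),
                                         "registrar": registrar, "date": date})
            entry["ips"] |= {paired.group(1)} if paired else ind.ips
            entry["emails"] |= ind.emails
    return watch


def co_registered(watch):
    """Domains sharing registrar and registration date: candidates for pivoting."""
    groups = {}
    for d, entry in watch.items():
        if entry["registrar"]:
            groups.setdefault((entry["registrar"], entry["date"]), set()).add(d)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    wl = build_watchlist(POSTS)
    for d in sorted(wl):
        print(d, sorted(wl[d]["ips"]), wl[d]["registrar"], wl[d]["date"])
    print(co_registered(wl))
```

Feeding the whole feed through `build_watchlist` gives one row per domain with its last known IPs, which is the shape most blocklist and SIEM lookup-table imports expect; `co_registered` reproduces by hand the "co-registered on the same day through the same registrar" grouping the posts themselves rely on.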