{ "type": "Domain", "indicator": "dmca-security.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/dmca-security.com", "alexa": "http://www.alexa.com/siteinfo/dmca-security.com", "indicator": "dmca-security.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4147071887, "indicator": "dmca-security.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "690f574fc4d9aa9a815a658c", "name": "Finding Related Fake \"DMCA Takedown\" Domains with Validin.", "description": "On November 5, 2025, several prominent YouTube content creators experienced an attack involving fake DMCA takedown notices that led to malicious downloads. The domain prominently associated with this scam was http://dmca-security.com, which acted as the initial phishing site. Cybersecurity analysts, including Tanner and John Hammond, investigated this domain to uncover related malicious infrastructure and gather relevant indicators of compromise (IoCs). Analysis of the phishing domain revealed connections to additional domains and IP addresses, focusing on pivoting techniques in DNS history to trace the threat. Specifically, the IP address 101.99.92[.]246 was identified as being utilized shortly after the phishing domain's registration. This indicates a potentially organized effort by the threat actors to quickly establish a network of malicious domains.", "modified": "2025-12-08T14:05:40.882000", "created": "2025-11-08T14:44:31.092000", "tags": [ "validin", "copy code", "dmca", "ip address", "wbmmfq", "john hammond", "dns history", "youtube", "august", "pivots", "april", "contact" ], "references": [ "https://www.validin.com/blog/fake_dmca_notice_scam_hunting/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "URL": 3, "domain": 102, "hostname": 6 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.validin.com/blog/fake_dmca_notice_scam_hunting/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "690f574fc4d9aa9a815a658c", "name": "Finding Related Fake \"DMCA Takedown\" Domains with Validin.", "description": "On November 5, 2025, several prominent YouTube content creators experienced an attack involving fake DMCA takedown notices that led to malicious downloads. The domain prominently associated with this scam was http://dmca-security.com, which acted as the initial phishing site. Cybersecurity analysts, including Tanner and John Hammond, investigated this domain to uncover related malicious infrastructure and gather relevant indicators of compromise (IoCs). Analysis of the phishing domain revealed connections to additional domains and IP addresses, focusing on pivoting techniques in DNS history to trace the threat. Specifically, the IP address 101.99.92[.]246 was identified as being utilized shortly after the phishing domain's registration. This indicates a potentially organized effort by the threat actors to quickly establish a network of malicious domains.", "modified": "2025-12-08T14:05:40.882000", "created": "2025-11-08T14:44:31.092000", "tags": [ "validin", "copy code", "dmca", "ip address", "wbmmfq", "john hammond", "dns history", "youtube", "august", "pivots", "april", "contact" ], "references": [ "https://www.validin.com/blog/fake_dmca_notice_scam_hunting/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "URL": 3, "domain": 102, "hostname": 6 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "dmca-security.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "dmca-security.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780248673.353489 }