Hello and welcome to the Friday, August 1st, 2025 edition of the Sands Internet Storm Centers.

Stormcast, my name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu Graduate Certificate Program in Cybersecurity Leadership.

Yesterday, SISA in collaboration with other government agencies,

published an updated report about Scattered Spider.

It's not the first time they published a report about this group,

but as I mentioned yesterday, they updated some of the social engineering

kind of techniques being used by the group, but also included some of the social engineering kind of techniques being used

by the group, but also included sort of the usual indicators of a compromise. And the one part

that I was kind of interested in was the new domain patterns that were being used here, like

the targets name-cMS.com or targets name dash helpdesk.com.

So basically that would be the company name and just followed by helpdesk.com.

Then of course, no matches, kind of them impersonating help desks and such.

So I was going over our data to see if we do find any names like this

in yesterday's data. Realized, of course, that after this report was published, Scattered Spider

likely learned about this and may have changed some of their patterns. So I took this also as an opportunity to show a little bit how to use our data here

to find domain names like this.

So we offer a recent domain feed.

That reason domain feed does allow you to essentially look for domains registered on a certain

date or really domains be found on that particular date.

Sometimes, depending on how we find them, it's a little bit delayed.

And in this case, well, I then basically was just searching for this particular pattern like Helpdesk.

...