Cerber infrastructure operators previously registered domains (2014) for scams involving fake employment offers under fake Chinese names. The infrastructure is indirectly associated with BART ransomware, Pony/Fareit malware, Android malware and phishing pages. Over the course of a few months, the malware operators also modified the C2 infrastructure to include a “.win” top-level domain, in addition to other publicly reported research.
The full report was posted to the Red Sky Alliance portal on 7/15/16. Indicators are available in ThreatRecon.co. For more information, contact Wapack Labs at 844-4-WAPACK.