Xanda's Blog !~!

How I Found APT16's New Infra with VirusTotal pDNS and a lil Bit of Luck


[Quick and short update]

Over the last couple of weeks I was reading the "The EPS Awakens – Part 2" blog entry from FireEye and found that one IP,, was previously used as their C2 server. When I looked that IP up in VirusTotal's IP information (its passive DNS view), these few domains appeared:

2015-07-01 frppl.com
2015-07-01 jrjfj.com
2015-07-01 pjntx.com
2015-07-01 vzflx.com
2015-07-01 yeaqm.com

I went and checked the domain information on each domain listed and found new infra (IPs) being used:

frppl.com domain information
jrjfj.com domain information
pjntx.com domain information
yeaqm.com domain information

I quickly checked the HTTP response headers of those servers, and they are all the same:

HTTP/1.1 403 Forbidden
Server: nginx/1.6.2
Date: (current time of check)
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

Okay, we already have,,. Let's just loop that HTTP response header check over the whole /24 subnet (or maybe a lil bit more) and flag every host that returns the same header set. This is the result:
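One way to script that sweep, as an added example that is not the post's own script: fetch the response head from every host in a CIDR block and keep the hosts whose status line, Server, Content-Type and Content-Length match the header set shown above (Date is dropped because it changes on every request). The 192.0.2.x responses in the block are constructed samples, not real observations, so the sweep can be exercised offline; pass a real CIDR on the command line to run it against the network. One caveat before trusting the hits: 168 bytes is the size of nginx's built-in 403 page when it carries the "nginx/1.6.2" version string, so any stock nginx 1.6.2 that denies / returns this exact header set. Matches are candidates to pivot back into pDNS, not attribution by themselves.

```python
# Added example (not the post's own script): sweep a CIDR block and report the
# hosts whose HTTP response head matches the nginx/1.6.2 403 fingerprint.
import ipaddress
import socket
import sys

# The header set from the post, minus the Date header (it varies per request).
REFERENCE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: nginx/1.6.2\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 168\r\n"
    "Connection: keep-alive\r\n"
)

# Constructed sample responses (assumed, not real observations) so the sweep
# runs offline: .1 matches the fingerprint, .2 is the same nginx serving a
# page, every other host in the block does not answer at all.
SAMPLE_RESPONSES = {
    "192.0.2.1": ("HTTP/1.1 403 Forbidden\r\nServer: nginx/1.6.2\r\n"
                  "Date: Tue, 05 Jan 2016 09:00:00 GMT\r\nContent-Type: text/html\r\n"
                  "Content-Length: 168\r\nConnection: keep-alive\r\n"),
    "192.0.2.2": ("HTTP/1.1 200 OK\r\nServer: nginx/1.6.2\r\n"
                  "Date: Tue, 05 Jan 2016 09:00:01 GMT\r\nContent-Type: text/html\r\n"
                  "Content-Length: 612\r\nConnection: keep-alive\r\n"),
}


def fingerprint(raw):
    """Reduce a raw response head to (status, Server, Content-Type, Content-Length)."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    first = lines[0].strip()
    status = first.split(" ", 1)[1].strip() if " " in first else first
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return (status, headers.get("server"), headers.get("content-type"),
            headers.get("content-length"))


def fetch_head(ip, port=80, timeout=3.0):
    """Send a bare GET / and return the response head, or None if the host does not answer."""
    request = ("GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % ip).encode()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return data.split(b"\r\n\r\n", 1)[0].decode("latin-1")


def sweep(cidr, reference=REFERENCE, fetcher=fetch_head):
    """Return the hosts in cidr whose response head matches the reference fingerprint."""
    wanted = fingerprint(reference)
    hits = []
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        raw = fetcher(str(host))
        if raw is not None and fingerprint(raw) == wanted:
            hits.append(str(host))
    return hits


def sweep_samples():
    """Run the sweep against the constructed samples instead of the network."""
    return sweep("192.0.2.0/29", fetcher=SAMPLE_RESPONSES.get)


if __name__ == "__main__":
    # With a CIDR argument, sweep that block for real; otherwise use the samples.
    hits = sweep(sys.argv[1]) if len(sys.argv) > 1 else sweep_samples()
    for ip in hits:
        print(ip)
```

Each hit is worth feeding back into VirusTotal's IP view for its own pDNS history, which is how the list of domains on this page was built in the first place.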

Okay, I'm running out of time, my kids are waiting for me outside.

From my quick check on the domains resolved to the IP range – , I can safely assume that those are APT16's new infra. But I'm not really confident to attribute –, but those IPs in that range, and the domains resolved to that range, are fishy!

Happy hunting