
Threat Intelligence Workflows

10 agent workflows for APT group tracking, C2 infrastructure mapping, phishing domain detection, and threat actor attribution, leveraging domain intelligence signals (domain age, hosting country, page content analysis) to power Sangfor's Neural-X threat intelligence platform.

1. APT Group Infrastructure Tracking

AI agent tracks Advanced Persistent Threat (APT) group infrastructure by analyzing domain registration patterns, hosting migrations, and infrastructure rotation behaviors across the 100M+ domain database.

Step 1: Map Known APT Infrastructure Domains
Signals: Domain Ages, Countries, Web Filtering Categories, OpenPageRank

APT INFRASTRUCTURE TRACKING — GLOBAL
════════════════════════════════════════
TRACKING: 15 active APT groups targeting APAC

ACTIVE APT INFRASTRUCTURE (Q1 2026):

APT-41 (China-nexus): 89 active domains | Rotation: 21 days avg
  Hosting: US (34%), NL (23%), DE (18%), SG (12%), Other (13%)
  Domain age pattern: 7-14 days before activation

Lazarus Group (DPRK): 67 active domains | Rotation: 14 days avg
  Hosting: RU (28%), IN (22%), MY (18%), ID (15%), Other (17%)
  Domain age pattern: 3-7 days, frequently re-registered

OceanLotus (Vietnam): 45 active domains | Rotation: 30 days avg
  Hosting: VN (12%), US (34%), SG (28%), JP (16%), Other (10%)
  Domain age pattern: 14-30 days, mimics legitimate tech

Mustang Panda (China): 34 active domains | Rotation: 28 days avg
  Hosting: HK (32%), US (23%), DE (18%), TH (15%), Other (12%)

NEW DOMAINS REGISTERED THIS WEEK:
  APT-41 pattern match: 12 new domains
  Lazarus pattern match: 8 new domains
  Unknown actor (new): 23 suspicious domains
Step 2: Detect Infrastructure Rotation in Real Time

APT-41 INFRASTRUCTURE TIMELINE
Feb 03  4 new domains registered via the same registrar. All .com TLD. Hosting: Netherlands.
Feb 07  3 domains activated with /login pages mimicking enterprise SSO. PageRank: 0.0. Web Filtering: Newly Observed.
Feb 10  2 additional domains registered. Same hosting provider. Domain names reference cloud services.
Feb 14  First C2 communication detected from 3 compromised endpoints at an APAC manufacturing firm.
Feb 17  3 domains rotated off (now parked). 5 replacement domains registered today.
Step 3: Correlate with Sangfor Customer Telemetry

Domain Signal
cloud-sync-service-ap.com — APT-41 pattern match. Age: 10 days. Activated Feb 7. 3 Sangfor customers have outbound connections to it. The domain mimics a cloud backup service. Hosting country: Netherlands; registrant: Hong Kong proxy.
ACTIVE C2 — 3 customer compromises detected

Sector Signal
APAC Manufacturing — APT-41 campaign specifically targeting the manufacturing sector. 12 infrastructure domains reference manufacturing/supply-chain terms. Targeting OT networks via IT-OT bridge exploitation.
SECTOR CAMPAIGN — Manufacturing under coordinated attack
Step 4: Generate APT Intelligence Report

APT INTELLIGENCE BRIEF — APT-41 CAMPAIGN

CAMPAIGN: APT-41 Manufacturing Targeting
══════════════════════════════════════
INFRASTRUCTURE:
  89 active domains, 12 new this week
  Rotation cycle: 21 days average
  Hosting: NL, DE, US — registered via HK proxies
IMPACT:
  3 Sangfor customers compromised (detected, contained)
  Manufacturing sector: primary target in APAC
  Estimated 50+ organizations globally affected
NEURAL-X ACTIONS:
  1. All 89 APT-41 domains added to threat feed
  2. Predictive model deployed (anticipate next 5 domain registrations)
  3. Customer advisory issued to 890 manufacturing customers
  4. NGAF + Endpoint Secure signatures updated within 2 hours
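The "pattern match" and "rotated off" calls in steps 1 and 2 come down to two pieces of logic: scoring a newly registered domain against an actor's infrastructure habits (hosting country mix, registration-to-activation delay, TLD, lure words), and spotting the day on which several domains are parked while replacements are registered. The following is an added example of both, not Sangfor's or Neural-X's code. The actor profiles reuse the hosting shares and age windows from the board above; every domain record, the score weights and the 0.7 threshold are constructed for illustration. The threshold is deliberately set so that hosting country plus age alone (0.6) does not attribute a domain; a shared lure vocabulary or TLD habit has to add to it.

```python
"""Profile matching for newly registered domains, plus rotation detection.

Added example, not Sangfor's or Neural-X's code. The actor profiles reuse the
hosting shares and age windows from the tracking board above; every domain
record below is constructed test data, not an observed indicator.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class ActorProfile:
    name: str
    hosting_share: dict            # ISO country -> share of the actor's active infrastructure
    age_window: tuple              # (min, max) days between registration and activation
    tlds: set                      # TLDs the actor habitually registers
    keywords: set                  # lure words seen in this actor's domain names


@dataclass
class DomainRecord:
    name: str
    registered: date
    hosting_country: str
    activated: Optional[date] = None   # first day a live page was observed
    parked: Optional[date] = None      # day the domain was rotated off


def match_score(rec: DomainRecord, prof: ActorProfile, today: date) -> float:
    """0..1: how closely one domain fits an actor's infrastructure habits."""
    score = 0.0
    # Hosting country, scaled so the actor's most-used country scores full marks.
    share = prof.hosting_share.get(rec.hosting_country, 0.0)
    score += 0.3 * share / max(prof.hosting_share.values())
    lo, hi = prof.age_window
    if rec.activated is not None:
        # Registration-to-activation delay inside the actor's usual window.
        score += 0.3 if lo <= (rec.activated - rec.registered).days <= hi else 0.0
    elif (today - rec.registered).days <= hi:
        # Not activated yet: half credit while it is still young enough to fit.
        score += 0.15
    score += 0.1 if rec.name.rsplit(".", 1)[-1] in prof.tlds else 0.0
    label = rec.name.rsplit(".", 1)[0]
    score += 0.3 if any(k in label for k in prof.keywords) else 0.0
    return round(score, 2)


def attribute(recs, profiles, today, threshold=0.7):
    """{domain: (actor, score)} for domains that clear the threshold for some actor."""
    out = {}
    for rec in recs:
        score, actor = max((match_score(rec, p, today), p.name) for p in profiles)
        if score >= threshold:
            out[rec.name] = (actor, score)
    return out


def rotation_events(recs, window_days=3, min_parked=2):
    """Days on which >= min_parked domains were parked and replacements were registered within window_days."""
    parked_by_day = {}
    for r in recs:
        if r.parked is not None:
            parked_by_day.setdefault(r.parked, []).append(r.name)
    events = []
    for day, parked in sorted(parked_by_day.items()):
        if len(parked) < min_parked:
            continue
        replacements = sorted(r.name for r in recs
                              if day <= r.registered <= day + timedelta(days=window_days))
        if replacements:
            events.append({"day": day, "parked": sorted(parked), "replacements": replacements})
    return events


# Constructed profiles (shares/windows from the board above) and constructed records.
PROFILES = [
    ActorProfile("APT-41", {"US": .34, "NL": .23, "DE": .18, "SG": .12}, (7, 14),
                 {"com"}, {"cloud", "sync", "sso", "login"}),
    ActorProfile("Lazarus", {"RU": .28, "IN": .22, "MY": .18, "ID": .15}, (3, 7),
                 {"com", "net"}, {"job", "hr", "career"}),
]
TODAY = date(2026, 2, 17)
SAMPLE = [
    DomainRecord("cloud-sync-service-ap.com", date(2026, 1, 27), "NL", activated=date(2026, 2, 7)),
    DomainRecord("hr-career-portal.net", date(2026, 2, 12), "RU", activated=date(2026, 2, 16)),
    DomainRecord("example-news-site.org", date(2026, 2, 1), "US", activated=date(2026, 2, 14)),
    DomainRecord("sso-portal-update.com", date(2026, 1, 20), "NL", activated=date(2026, 1, 30), parked=TODAY),
    DomainRecord("cloudsync-login.com", date(2026, 1, 20), "DE", activated=date(2026, 1, 29), parked=TODAY),
    DomainRecord("cloud-backup-sync.com", TODAY, "NL"),
    DomainRecord("secure-sso-cloud.com", TODAY, "US"),
]

if __name__ == "__main__":
    for dom, (actor, score) in attribute(SAMPLE, PROFILES, TODAY).items():
        print(f"{dom:30} -> {actor} ({score})")
    for ev in rotation_events(SAMPLE):
        print(ev["day"], "parked", ev["parked"], "replaced by", ev["replacements"])
```

Run as-is, the script attributes cloud-sync-service-ap.com to APT-41 at 0.9 and hr-career-portal.net to Lazarus at 1.0, leaves example-news-site.org (hosting and age fit, nothing else) unattributed at 0.6, and reports one rotation event on Feb 17 with two parked domains and two same-day replacements. In a real pipeline the profile weights would be learned from the confirmed infrastructure set rather than hand-picked, and the replacements list would be intersected with the attribution output so that only pattern-matching registrations count as rotation.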

2. Phishing Campaign Attribution

AI agent attributes phishing campaigns to specific threat actors by analyzing domain registration patterns, page content similarity, hosting infrastructure, and temporal correlations.

Step 1: Cluster Phishing Domains by Actor
Signals: Domain Ages, Countries, /login, Web Filtering Categories, Personas

PHISHING CAMPAIGN CLUSTERING — Q1 2026
════════════════════════════════════════
ANALYSIS: 4,567 phishing domains targeting APAC (90-day window)

CAMPAIGN CLUSTERS IDENTIFIED:

Cluster A — "Dragon Phish" (567 domains):
  Target: Chinese banking customers (ICBC, CCB, BOC)
  Registration: Bulk via single registrar, Russian proxy
  Hosting: 89% bulletproof hosting (Moldova, Romania)
  Domain age: 1-3 days, disposable infrastructure

Cluster B — "SEA Harvester" (345 domains):
  Target: Southeast Asian e-commerce (Shopee, Lazada, Tokopedia)
  Registration: Vietnamese registrars, local proxies
  Hosting: Mixed APAC hosting (VN, TH, ID)
  Domain age: 3-7 days, moderate infrastructure investment

Cluster C — "Enterprise Spear" (89 domains):
  Target: APAC enterprise SSO/email (Microsoft 365, Google)
  Registration: High-quality lookalike domains, premium TLDs
  Hosting: US/EU cloud providers (legitimate-looking)
  Domain age: 7-14 days, higher investment indicates targeted attacks
Step 2: Attribution Analysis

Domain Signal
Cluster A "Dragon Phish" — Infrastructure overlap with the known cybercrime group "Silver Terrier": same registrar, same hosting ASN, similar domain naming convention. Persona targeting: elderly banking customers via SMS phishing.
ATTRIBUTED — Silver Terrier cybercrime syndicate

Company Signal
Cluster C "Enterprise Spear" — Infrastructure consistent with a state-sponsored actor. Domain investment is high ($15-50 per domain vs $1-3 for commodity phishing). Targeting C-suite personas at defense contractors. Possible espionage motivation.
STATE-SPONSORED — Advanced persistent phishing
Step 3: Generate Attribution Report

PHISHING ATTRIBUTION — Q1 2026

ATTRIBUTED CAMPAIGNS:
  Dragon Phish: Silver Terrier syndicate — 567 domains, financial fraud
  SEA Harvester: Vietnamese cybercrime group — 345 domains, e-commerce fraud
  Enterprise Spear: State-sponsored — 89 domains, corporate espionage
NEURAL-X ACTIONS:
  1. Actor-specific detection signatures deployed
  2. Predictive domain registration monitoring activated
  3. Customer advisories by sector and geography
  4. Intelligence shared with APAC CERT partners
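Step 1's clustering is unsupervised: nothing is matched against a known actor until a cluster exists, and the cluster is then fingerprinted by its dominant registrar and hosting ASN, which is what step 2 compares against known groups. The following is an added example of that pipeline, not Sangfor's or Neural-X's code. All domains, registrar names and ASNs are constructed; the linking rule (two domains join when they share at least three of registrar, ASN, hosting country, age bucket and a lure word) and the one-row known-actor fingerprint table are illustrative choices.

```python
"""Campaign clustering: link phishing domains that share infrastructure and naming.

Added example, not Sangfor's or Neural-X's code. Domains, registrars and ASNs
below are constructed; the linking rule (three or more shared features) and
the known-actor fingerprint table are illustrative choices.
"""
from collections import Counter
from statistics import median

BRAND_WORDS = {"icbc", "ccb", "boc", "shopee", "lazada", "microsoft365", "office"}
# Known-actor fingerprints: (registrar, hosting ASN) -> actor. Constructed.
KNOWN_ACTORS = {("reg-x", "AS64500"): "Silver Terrier"}


def age_bucket(days):
    """Disposable (1-3d), moderate (4-7d), invested (8-14d), established (>14d)."""
    for limit, label in ((3, "1-3d"), (7, "4-7d"), (14, "8-14d")):
        if days <= limit:
            return label
    return ">14d"


def features(domain, registrar, asn, country, age_days, target):
    label = domain.rsplit(".", 1)[0]
    return {
        "domain": domain, "registrar": registrar, "asn": asn, "country": country,
        "age_bucket": age_bucket(age_days), "age_days": age_days, "target": target,
        # lure words: label tokens that are not the impersonated brand
        "lure": frozenset(t for t in label.split("-") if t not in BRAND_WORDS),
    }


def shared_features(a, b):
    n = sum(1 for f in ("registrar", "asn", "country", "age_bucket") if a[f] == b[f])
    return n + (1 if a["lure"] & b["lure"] else 0)


def cluster(items, min_shared=3):
    """Union-find over pairs sharing >= min_shared features; clusters sorted largest first."""
    parent = list(range(len(items)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(items)):
        for j in range(i + 1, len(items)):
            if shared_features(items[i], items[j]) >= min_shared:
                parent[find(i)] = find(j)
    groups = {}
    for i, it in enumerate(items):
        groups.setdefault(find(i), []).append(it)
    return sorted(groups.values(), key=len, reverse=True)


def summarize(group):
    """Cluster fingerprint plus attribution against KNOWN_ACTORS."""
    infra = Counter((d["registrar"], d["asn"]) for d in group).most_common(1)[0][0]
    return {
        "size": len(group),
        "domains": sorted(d["domain"] for d in group),
        "targets": sorted({d["target"] for d in group}),
        "countries": dict(Counter(d["country"] for d in group)),
        "median_age_days": median(d["age_days"] for d in group),
        "infra": infra,
        "attribution": KNOWN_ACTORS.get(infra),
    }


# Constructed sample: (domain, registrar, hosting ASN, hosting country, age in days, targeted brand)
SAMPLE = [features(*row) for row in [
    ("icbc-secure-login.com", "reg-x", "AS64500", "MD", 2, "ICBC"),
    ("icbc-verify-account.com", "reg-x", "AS64500", "MD", 1, "ICBC"),
    ("ccb-card-update.com", "reg-x", "AS64500", "RO", 3, "CCB"),
    ("boc-mobile-verify.com", "reg-x", "AS64501", "MD", 2, "BOC"),
    ("shopee-voucher-claim.com", "reg-vn", "AS64510", "VN", 5, "Shopee"),
    ("shopee-voucher-claims.com", "reg-vn", "AS64510", "VN", 4, "Shopee"),
    ("lazada-order-refund.com", "reg-vn", "AS64511", "VN", 6, "Lazada"),
    ("microsoft365-sso-portal.com", "reg-premium", "AS64520", "US", 12, "Microsoft 365"),
    ("login-office-secure.com", "reg-premium", "AS64520", "US", 9, "Microsoft 365"),
]]


def campaign_report(items=SAMPLE):
    return [summarize(g) for g in cluster(items)]


if __name__ == "__main__":
    for c in campaign_report():
        print(c["size"], c["infra"], c["attribution"], c["domains"])
```

On the sample this yields three clusters (4, 3 and 2 domains); the largest is fingerprinted as ("reg-x", "AS64500") and attributed to Silver Terrier even though one of its members sits on a different ASN, because it still shares registrar, hosting country and age bucket with the rest. Equal-weight feature counting is the weak spot of this toy: a very popular registrar or cloud ASN links unrelated campaigns, so production clustering weights each shared value by its rarity across the whole corpus.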

3. Botnet C2 Domain Prediction

AI agent predicts future botnet C2 domains by analyzing domain generation algorithm (DGA) patterns, registration timing, and hosting preferences from historical botnet infrastructure.

Step 1: Analyze DGA Domain Patterns
Signals: Domain Ages, Countries, OpenPageRank, IAB Categories

BOTNET DGA ANALYSIS — ACTIVE BOTNETS
════════════════════════════════════════
KNOWN DGA PATTERNS:

Emotet v5: Pseudo-random, 12-16 char, .com/.net/.org
  Registered: 234 domains/month | Active C2: 12 at any time
  Domain age: 1-5 days | PageRank: 0.0 | No pages

Mirai variant: Dictionary-based, 8-12 char, .xyz/.top/.info
  Registered: 567 domains/month | Active C2: 34 at any time
  Country: RU/UA/MD | Web Filtering: Uncategorized

QakBot revival: Alphanumeric, 10-14 char, .com only
  Registered: 123 domains/month | Active C2: 8 at any time
  Hosting: Compromised legitimate servers (high PageRank)

PREDICTED NEXT REGISTRATIONS (ML model):
  Emotet: 45 predicted domains for the next 72 hours
  Mirai: 89 predicted domains for the next 72 hours
  QakBot: 12 predicted domains for the next 72 hours
Step 2: Pre-Emptive Blocking

BOTNET PREDICTION — PRE-EMPTIVE BLOCKS

PREDICTION ACCURACY (30-day rolling):
  Emotet: 89.3%
  Mirai: 92.1%
  QakBot: 74.6% (lower because it uses compromised legitimate domains)
PRE-EMPTIVE BLOCKS DEPLOYED:
  146 predicted C2 domains blocked before activation
  Average lead time: 18.7 hours before first C2 communication
  Customer endpoints protected: 2.4M across 890 enterprises
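Before a model can predict the next registrations it needs a reliable way to say which family a freshly registered name resembles, and the length, charset and TLD habits on the board are enough to build a first-pass filter. The following is an added example of that filter, not Sangfor's or Neural-X's code; it ranks domains that already exist for a watchlist and predicts nothing. The three family rules encode the board's patterns; the wordlist, the entropy cutoff and the confidence weights are constructed. One detail the board supports: a PageRank of 0.0 and an empty site corroborate an Emotet or Mirai match but not a QakBot match, since QakBot sits on compromised legitimate hosts.

```python
"""Heuristic DGA-family matching for newly registered domains.

Added example, not Sangfor's or Neural-X's code. The three family rules encode
the length/charset/TLD patterns listed on the board above; the wordlist and the
confidence weights are constructed, and nothing here predicts a registration,
it only ranks what has already been registered for a watchlist.
"""
import math
from collections import Counter

# Toy wordlist for wordlist-based DGAs (constructed; a real deployment uses a full dictionary).
WORDS = {"dark", "cloud", "storm", "net", "fire", "wall", "secure", "update",
         "data", "web", "host", "sync", "node", "cyber", "shadow"}


def entropy(s):
    """Shannon entropy of a label in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def segments(label, words=WORDS):
    """Greedy longest-match split into dictionary words; [] if the label is not fully covered."""
    out, i = [], 0
    while i < len(label):
        for j in range(len(label), i, -1):
            if label[i:j] in words:
                out.append(label[i:j])
                i = j
                break
        else:
            return []
    return out


# (family, label length range, TLDs, label predicate, does "PageRank 0 / no pages" corroborate?)
FAMILIES = [
    ("Emotet v5", (12, 16), {"com", "net", "org"},
     lambda l: l.isalpha() and entropy(l) >= 3.2 and not segments(l), True),
    ("Mirai variant", (8, 12), {"xyz", "top", "info"},
     lambda l: bool(segments(l)), True),
    # QakBot lives on compromised legitimate hosts, so an empty/unranked site is not evidence for it.
    ("QakBot revival", (10, 14), {"com"},
     lambda l: l.isalnum() and any(c.isdigit() for c in l) and any(c.isalpha() for c in l), False),
]


def classify(domain, pagerank=None, has_pages=None):
    """(family, confidence, reasons) for a domain that matches a DGA family, else None."""
    label, tld = domain.lower().rsplit(".", 1)
    for family, (lo, hi), tlds, rule, corroborate in FAMILIES:
        if tld in tlds and lo <= len(label) <= hi and rule(label):
            reasons = [f"len={len(label)}", f"tld=.{tld}", f"entropy={entropy(label):.2f}"]
            confidence = 0.6
            if corroborate and pagerank == 0.0:
                confidence += 0.2
                reasons.append("pagerank=0")
            if corroborate and has_pages is False:
                confidence += 0.2
                reasons.append("no-pages")
            return family, round(confidence, 2), reasons
    return None


def watchlist(observations):
    """observations: iterable of (domain, pagerank, has_pages) -> matches sorted by confidence."""
    hits = [(d, *classify(d, pr, hp)) for d, pr, hp in observations if classify(d, pr, hp)]
    return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed observations: (domain, OpenPageRank, live pages seen?)
SAMPLE = [
    ("qmzkrtvbwlpx.com", 0.0, False),
    ("darkcloud.xyz", 0.0, False),
    ("a7k2m9x4qz.com", 3.4, True),
    ("google.com", 10.0, True),
]

if __name__ == "__main__":
    for domain, family, conf, reasons in watchlist(SAMPLE):
        print(f"{domain:22} {family:15} {conf:.2f} {' '.join(reasons)}")
```

The greedy segmenter is enough for the demo but will miss wordlist labels that only split with backtracking, and a pure-letter label from a wordlist DGA whose words are not in the dictionary would be scored as Emotet-like; a real watchlist feeds these matches into the family's actual reversed DGA or a trained model rather than blocking on the heuristic alone. That caution matters more for the pre-emptive blocks in step 2, where a false positive is an outage for a legitimate new registration.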

4. Brand Impersonation Monitoring

AI agent monitors for domains impersonating Sangfor and its customers' brands, detecting typosquatting, homoglyph attacks, and brand abuse through domain intelligence.

Step 1: Detect Brand Impersonation Domains
Signals: Domain Ages, Web Filtering Categories, /login, /products

BRAND IMPERSONATION SCAN — SANGFOR
════════════════════════════════════════
BRAND: "sangfor" and related terms

IMPERSONATION DOMAINS DETECTED:

Typosquatting and brand-affix domains (23 domains):
  sangf0r.com — Age: 12d | Country: RU | /login page clone
  sangfor-tech.cn — Age: 5d | Country: CN | Fake /products page
  sangfor-update.com — Age: 3d | Country: UA | Malware dropper
  sangforcloud.net — Age: 8d | Country: MD | Credential harvester

Homoglyph attacks (8 domains):
  Using Cyrillic/Unicode lookalike characters
  Targeting enterprise customers via email phishing

Expired/parked (45 domains):
  Former partners or unofficial fan sites
  Low risk, but should be monitored for reactivation
Step 2: Take Action on Impersonation

Domain Signal
sangfor-update.com — Active malware distribution mimicking the Sangfor software update portal. 3-day-old domain hosted in Ukraine. No legitimate pages. Targeting Sangfor customers with fake update notifications.
TAKEDOWN — Emergency takedown request submitted
Step 3: Brand Protection Report

BRAND PROTECTION — MONTHLY REPORT

SANGFOR BRAND IMPERSONATION:
  23 typosquatting domains — 12 blocked, 8 takedown requests, 3 under monitoring
  8 homoglyph domains — all blocked in Neural-X
  45 expired/parked — monitored for reactivation
CUSTOMER BRAND MONITORING SERVICE:
  Available as an add-on for Sangfor NGAF customers
  Currently monitoring 234 customer brands
  1,234 impersonation domains detected per month across customers
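The three detection classes in step 1 need three different tests: an edit-distance check with transpositions for typosquats such as sangf0r and sagnfor, a substring check for brand-affix names such as sangfor-update, and, for homoglyphs, decoding any punycode label back to Unicode and folding confusable characters to their Latin look-alikes before comparing. The following is an added example, not Sangfor's or Neural-X's code. The confusable table is a small constructed subset of Unicode's confusables data, and every sample domain not on the board above is constructed; the Cyrillic look-alike is fed in both as Unicode and as its punycode form to show that both paths agree.

```python
"""Typosquat, brand-affix and homoglyph classification for a brand term.

Added example, not Sangfor's or Neural-X's code. The confusable table is a
small constructed subset of Unicode's confusables; sample domains other than
those on the board above are constructed.
"""
import unicodedata

# Look-alike characters -> the Latin letter they imitate (constructed subset of Unicode confusables).
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",
               "у": "y", "і": "i", "ѕ": "s", "ј": "j", "ԁ": "d", "ո": "n",
               "ɡ": "g", "ӏ": "l", "ẹ": "e", "ọ": "o"}
# Digit-for-letter swaps typosquatters use; applied only to ASCII labels.
DIGIT_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def decode_idn(domain):
    """Turn punycode (xn--) labels back into Unicode; pass Unicode input through unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(label):
    """NFKC-normalise, then map confusables, so look-alike labels compare as ASCII."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(domain, brand):
    """'homoglyph', 'typosquat', 'brand-affix' or None for the registrable label of domain.

    The label is taken as the second-to-last dot-separated part, which is wrong for
    multi-part public suffixes (co.uk); use a public-suffix list in production.
    """
    parts = decode_idn(domain.lower()).split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    brand = brand.lower()
    if not label.isascii():
        return "homoglyph" if brand in skeleton(label) else None
    if label == brand:
        return None
    ascii_skel = label.translate(DIGIT_SUBS)
    if ascii_skel == brand or osa_distance(ascii_skel, brand) <= 1:
        return "typosquat"
    if brand in label:
        return "brand-affix"
    return None


def scan(domains, brand="sangfor"):
    """{domain: kind} for every domain that impersonates the brand."""
    result = {}
    for d in domains:
        kind = classify(d, brand)
        if kind:
            result[d] = kind
    return result


# Board domains plus constructed look-alikes; the Cyrillic one is given both as Unicode and punycode.
SAMPLE = ["sangf0r.com", "sangfor-tech.cn", "sangfor-update.com", "sangforcloud.net",
          "sagnfor.com", "sаngfor.com", "sаngfor.com".encode("idna").decode("ascii"),
          "sangfor.com", "example.com"]

if __name__ == "__main__":
    for d, k in scan(SAMPLE).items():
        print(f"{d:28} {k}")
```

The order of checks matters: the non-ASCII test runs first so that a Cyrillic "а" is never silently compared as if it were Latin, and the brand's own domain is excluded before the distance check so it is not reported as a distance-0 typosquat. For production use, replace the 16-entry table with the full Unicode confusables list and the naive label split with a public-suffix-list lookup.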

5. Cryptocurrency Crime Infrastructure Detection

AI agent identifies crypto-related criminal infrastructure including mining pools, money laundering fronts, and pig butchering scam domains targeting APAC users.

Step 1: Scan the Crypto Crime Domain Universe
Signals: IAB Categories, Domain Ages, Web Filtering Categories, /login, Countries

CRYPTO CRIME INFRASTRUCTURE — APAC FOCUS
════════════════════════════════════════
THREAT CATEGORIES:

Pig Butchering Scams (2,345 domains):
  Fake crypto investment platforms targeting APAC users
  Domain age: 7-30 days | Fake /about, /login pages
  Country: Cambodia (34%), Myanmar (28%), Laos (18%)

Cryptojacking Pools (567 domains):
  Browser-based crypto mining injected into compromised sites
  Web Filtering: Cryptocurrency Mining
  Targeting: Government and education sites (high traffic, low security)

Money Laundering Fronts (234 domains):
  Fake e-commerce/gaming sites processing crypto payments
  Domain age: 30-90 days | Has /products but no real inventory
  PageRank: Low | IAB: Mismatched categories
Step 2: Generate Threat Feed

CRYPTO CRIME — THREAT INTELLIGENCE

NEURAL-X FEED UPDATE:
  2,345 pig butchering domains — blocked at NGAF level
  567 cryptojacking pools — blocked by Endpoint Secure
  234 money laundering fronts — shared with financial regulators
APAC IMPACT:
  Estimated financial losses prevented: $12.3M per quarter
  Sangfor customers protected: 890 enterprises, 2.4M endpoints

6. Threat Intelligence Feed Quality Assessment

AI agent evaluates the quality and coverage of Sangfor's Neural-X threat intelligence by benchmarking it against the domain intelligence database, identifying coverage gaps and false positive rates.

Step 1: Benchmark Neural-X Coverage
Signals: Domain Ages, Web Filtering Categories, OpenPageRank, IAB Categories

NEURAL-X FEED QUALITY ASSESSMENT
════════════════════════════════════════
BENCHMARK: Domain intelligence DB vs Neural-X threat feed

COVERAGE ANALYSIS:
  Known malicious in DB: 456,789 domains
  In Neural-X feed: 389,234 domains (85.2%)
  MISSING from Neural-X: 67,555 domains (14.8%)

MISSING DOMAIN CATEGORIES:
  Newly registered threats (< 48h): 23,456 (slow ingestion)
  Regional phishing (APAC-specific): 18,234 (coverage gap)
  IoT botnet C2: 12,456 (emerging threat)
  Cryptocurrency scams: 8,901 (growing category)
  Supply chain attack domains: 4,508 (sophisticated threats)
Step 2: Generate Feed Improvement Recommendations

NEURAL-X — FEED IMPROVEMENT PLAN

PRIORITY IMPROVEMENTS:
  1. Reduce ingestion latency — 48h gap → target < 4h
  2. APAC regional coverage — add the 18,234 missing phishing domains
  3. IoT threat category — build a dedicated IoT C2 feed
  4. Crypto scam feed — partner with blockchain analytics firms
IMPACT IF ADDRESSED:
  Coverage improvement: 85.2% → 96.4%
  Customer protection gap closed for 67,555 threat domains
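The board reports coverage (recall against the reference database) and a gap breakdown by category, and the plan sets a 4-hour ingestion target; the workflow description also promises a false positive rate, which needs a benign reference set the board does not show. The following is an added example of the full benchmark, not Sangfor's or Neural-X's code. The reference entries, feed entries and allowlist are constructed; the 4-hour target is the one stated in the plan above.

```python
"""Feed benchmark: coverage, gap categories, ingestion latency and false-positive rate.

Added example, not Sangfor's or Neural-X's code. The reference set, feed
entries and allowlist are constructed; the 4-hour latency target is the one
stated in the plan above.
"""
import math
from collections import Counter
from datetime import datetime, timedelta


def percentile(values, pct):
    """Nearest-rank percentile; values need not be sorted. None on empty input."""
    s = sorted(values)
    if not s:
        return None
    rank = max(1, math.ceil(pct / 100 * len(s)))
    return s[rank - 1]


def benchmark(reference, feed, allowlist, latency_target=timedelta(hours=4)):
    """reference: {domain: (category, first_seen_malicious)}; feed: {domain: ingested_at};
    allowlist: benign domains that must never appear in the feed."""
    ref_domains = set(reference)
    covered = ref_domains & set(feed)
    missing = ref_domains - set(feed)
    # Ingestion latency: time from the reference's first-seen to the feed picking it up.
    latency_h = {d: (feed[d] - reference[d][1]).total_seconds() / 3600 for d in covered}
    false_positives = set(feed) & set(allowlist)
    return {
        "coverage": round(len(covered) / len(ref_domains), 4),
        "missing_by_category": dict(Counter(reference[d][0] for d in missing)),
        "latency_p50_h": percentile(latency_h.values(), 50),
        "latency_p95_h": percentile(latency_h.values(), 95),
        "over_target": sorted(d for d, h in latency_h.items()
                              if timedelta(hours=h) > latency_target),
        "false_positive_rate": round(len(false_positives) / len(feed), 4),
        "false_positives": sorted(false_positives),
    }


# Constructed reference set: domain -> (category, first seen malicious).
T0 = datetime(2026, 2, 10, 0, 0)
REFERENCE = {
    "fresh-phish-1.top": ("newly-registered", T0),
    "fresh-phish-2.top": ("newly-registered", T0 + timedelta(hours=6)),
    "bank-verify-th.com": ("apac-phishing", T0),
    "shopee-refund-id.com": ("apac-phishing", T0),
    "iot-c2-node.xyz": ("iot-botnet", T0),
    "usdt-double.cc": ("crypto-scam", T0),
    "npm-mirror-update.net": ("supply-chain", T0),
    "old-c2.org": ("botnet", T0 - timedelta(days=3)),
}
# Constructed feed snapshot: domain -> time it entered the feed.
FEED = {
    "fresh-phish-1.top": T0 + timedelta(hours=30),
    "fresh-phish-2.top": T0 + timedelta(hours=6, minutes=30),
    "bank-verify-th.com": T0 + timedelta(hours=1),
    "iot-c2-node.xyz": T0 + timedelta(hours=50),
    "usdt-double.cc": T0 + timedelta(hours=2),
    "old-c2.org": T0 - timedelta(days=3) + timedelta(hours=3),
    "cdn.example.org": T0,   # benign infrastructure that should not be in the feed
}
ALLOWLIST = {"cdn.example.org", "example.com"}

if __name__ == "__main__":
    for k, v in benchmark(REFERENCE, FEED, ALLOWLIST).items():
        print(f"{k:22} {v}")
```

On the sample the feed covers 75% of the reference, misses one APAC-phishing and one supply-chain domain, ingests half of what it does carry within 2 hours but has a p95 latency of 50 hours, and carries one allowlisted domain, giving a 14.3% false positive rate on a feed of seven. Reporting p95 rather than the mean is the point: a feed that is fast on average but slow on exactly the newly registered domains is the "48h gap" the plan above describes.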

7. Watering Hole Attack Detection

AI agent identifies potential watering hole attacks by monitoring industry-specific domains for compromises, unexpected content changes, and suspicious script injections.

Step 1: Monitor Industry-Specific Domains
Signals: OpenPageRank, Web Filtering Categories, IAB Categories, /blog, /events

WATERING HOLE MONITORING — DEFENSE SECTOR
════════════════════════════════════════
MONITORING: 2,345 defense industry domains (APAC)

ANOMALIES DETECTED:

defense-conference-asia.com
  PageRank: 4.2 (legitimate conference site)
  Web Filtering: changed from "Events" to "Suspicious"
  IAB Category: changed from "Events" to "Uncategorized"
  /events page: script injection detected
  Estimated visitors from defense sector: 2,000+/month

apac-military-review.com
  PageRank: dropped 3.1 → 1.8 in 7 days
  New domains resolving to the same IP (hosting compromise indicator)
  /blog: new content with suspicious download links
Step 2: Alert and Respond

Domain Signal
defense-conference-asia.com — Legitimate defense conference site compromised. Web Filtering category change plus /events page script injection is the classic watering hole pattern. Targeting defense sector personnel. 12 Sangfor government customers visit this site regularly.
WATERING HOLE — Block immediately, notify government customers
Step 3: Generate Incident Report

WATERING HOLE — INCIDENT REPORT

INCIDENT SUMMARY:
  defense-conference-asia.com compromised
  Attack type: Script injection on /events page
  Target: APAC defense sector personnel
  Detection: Domain intelligence category change alert
RESPONSE ACTIONS:
  1. Domain blocked in Neural-X feed (all Sangfor customers)
  2. 12 government customers notified directly
  3. Endpoint Secure scans triggered on potentially affected systems
  4. Intelligence shared with national CERTs
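The category change is the alert; confirming "script injection on /events" means diffing the page's script inventory between the last clean snapshot and the current one and flagging what is new: an external script loaded from a host that is not the site's own, or an inline script that was not there before and carries obfuscation markers. The following is an added example of that diff, not Sangfor's or Neural-X's code. Both HTML snapshots are constructed, the injected loader host cdn-static-update.net is invented, and the suspicious-token list is an illustrative starting point rather than a complete signature set.

```python
"""Script-injection diff between two snapshots of a monitored page.

Added example, not Sangfor's or Neural-X's code. Both HTML snapshots are
constructed; the suspicious-token list is an illustrative starting point.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SUSPICIOUS_TOKENS = ("eval(", "atob(", "document.write(", "unescape(", "fromCharCode")


class ScriptCollector(HTMLParser):
    """Collects external script sources and the raw text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf, self._in_script = [], [], None, False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def script_inventory(html, page_url):
    """{'external': {host: {src,...}}, 'inline': {sha256[:16]: text}} for one snapshot."""
    p = ScriptCollector()
    p.feed(html)
    external = {}
    for src in p.external:
        host = urlparse(urljoin(page_url, src)).hostname or ""
        external.setdefault(host, set()).add(src)
    inline = {hashlib.sha256(t.encode()).hexdigest()[:16]: t for t in p.inline if t}
    return {"external": external, "inline": inline}


def is_first_party(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def diff_scripts(before_html, after_html, page_url):
    """Findings for scripts present in the new snapshot but not the old one."""
    site_host = urlparse(page_url).hostname
    old, new = script_inventory(before_html, page_url), script_inventory(after_html, page_url)
    findings = []
    for host, srcs in new["external"].items():
        added = srcs - old["external"].get(host, set())
        if added and not is_first_party(host, site_host):
            findings.append({"kind": "new_external_script", "host": host, "srcs": sorted(added)})
    for digest, text in new["inline"].items():
        if digest not in old["inline"]:
            hits = [t for t in SUSPICIOUS_TOKENS if t in text]
            findings.append({"kind": "new_inline_script", "sha256_16": digest,
                             "suspicious": hits, "preview": text[:60]})
    return findings


# Constructed snapshots of a monitored /events page: the second has an injected loader.
PAGE = "https://defense-conference-asia.com/events"
BEFORE = """<html><head><title>Events</title>
<script src="/static/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><h1>Upcoming events</h1></body></html>"""
AFTER = """<html><head><title>Events</title>
<script src="/static/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://cdn-static-update.net/jquery.min.js"></script>
<script>eval(atob("dmFyIHg9MTs="));</script>
</head><body><h1>Upcoming events</h1></body></html>"""

if __name__ == "__main__":
    for f in diff_scripts(BEFORE, AFTER, PAGE):
        print(f)
```

Hashing inline scripts rather than storing them means a legitimate analytics snippet that is byte-identical between snapshots never surfaces, while any edit to it does; relative script paths are resolved against the page URL before the first-party test so that a site's own /static assets are not reported. What the diff cannot see is a compromised first-party file whose URL stayed the same, so production monitoring also hashes the fetched contents of first-party scripts.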

8. Dark Web Leak Site Monitoring

AI agent tracks ransomware leak sites and dark web marketplace domains that mirror onto the clearnet, watching for domain registration patterns that indicate new leak site infrastructure.

Step 1: Track Leak Site Domain Migrations
Signals: Domain Ages, Countries, Web Filtering Categories

RANSOMWARE LEAK SITE TRACKING
════════════════════════════════════════
CLEARNET LEAK SITE DOMAINS:
  LockBit mirrors: 8 clearnet domains | Rotation: weekly
  BlackCat mirrors: 5 clearnet domains | Rotation: biweekly
  Cl0p mirrors: 3 clearnet domains | Rotation: monthly
  Akira mirrors: 4 clearnet domains | Rotation: weekly

NEW REGISTRATIONS THIS WEEK:
  12 domains matching leak site patterns
  All registered via privacy-protected registrars
  Hosting: Bulletproof providers in Moldova, Rom
  Domain age: 1-3 days | PageRank: 0.0 | No legitimate pages
Step 2: Check for Sangfor Customer Exposure

LEAK SITE MONITORING — WEEKLY

SANGFOR CUSTOMER EXPOSURE CHECK:
  0 Sangfor customers appeared on leak sites this week
  890 customer domains continuously monitored
  Alert latency: < 30 minutes from leak site posting
APAC VICTIMS THIS WEEK:
  3 APAC organizations appeared on leak sites
  Manufacturing: 2 victims (Thailand, Indonesia)
  Healthcare: 1 victim (Malaysia)
  None are Sangfor customers (competitive advantage signal)

9. Geopolitical Cyber Threat Mapping

AI agent correlates geopolitical events with cyber threat infrastructure changes, tracking how diplomatic tensions manifest in domain registrations and attack infrastructure buildups.

Step 1: Correlate Geopolitical Events with Domain Activity
Signals: Countries, Domain Ages, /press, /blog, Web Filtering Categories

GEOPOLITICAL CYBER THREAT CORRELATION
════════════════════════════════════════
EVENT: South China Sea tensions (Feb 2026)

DOMAIN ACTIVITY SPIKE:

Philippines-targeted domains: +156% registrations (7-day spike)
  New domains: 234 suspicious, targeting .gov.ph infrastructure
  Country of origin: Various proxy registrations
  Pattern: Government impersonation + military-themed phishing

Taiwan-related domains: +89% registrations
  New domains: 178 suspicious, tech sector targeting
  Pattern: Supply chain attack infrastructure preparation

Vietnam-targeted domains: +45% registrations
  New domains: 89 suspicious, maritime sector focus
  Pattern: Espionage-focused, /docs page cloning
Step 2: Generate Geopolitical Threat Advisory

GEOPOLITICAL THREAT ADVISORY

ELEVATED THREAT REGIONS:
  Philippines: +156% hostile domain registrations
  Taiwan: +89% supply chain attack infrastructure
  Vietnam: +45% espionage-focused domains
CUSTOMER ADVISORY:
Sangfor customers in affected regions should:
  1. Increase NGAF threat detection sensitivity
  2. Enable enhanced endpoint monitoring
  3. Review access controls for critical systems
  4. Monitor for spear-phishing targeting government/military personas

10. Threat Intelligence Sharing & Partnership

AI agent facilitates threat intelligence sharing by curating actionable intelligence from domain data for sharing with APAC CERTs, industry ISACs, and Sangfor's security partner network.

Step 1: Curate Shareable Intelligence
Signals: Domain Ages, Countries, Web Filtering Categories, OpenPageRank, Personas

INTELLIGENCE SHARING — MONTHLY PACKAGE
════════════════════════════════════════
CURATED INTELLIGENCE FOR SHARING:

Threat IOCs:
  8,934 malicious domains (verified, attributed)
  1,234 C2 server domains (active infrastructure)
  567 phishing campaign clusters (with attribution)
Trend Analysis:
  APAC-specific threat trends (regional breakdown)
  Sector-specific targeting analysis (per industry)
  Geopolitical correlation insights
Predictive Intelligence:
  456 predicted C2 domains (pre-registration)
  89 predicted phishing campaigns (pattern-based)
  12 watering hole risk assessments (proactive)
Step 2: Distribution to Partners

Sector Signal
Intelligence Sharing Network — Sangfor Neural-X shares with CNCERT (China), SingCERT (Singapore), ThaiCERT, ID-CERT (Indonesia) and MyCERT (Malaysia): monthly curated packages plus real-time critical alerts. Strengthens Sangfor's position as an APAC thought leader.
PARTNERSHIP — Building trust across 12 APAC CERTs
Step 3: Generate Partnership Impact Report

INTELLIGENCE SHARING — IMPACT REPORT

SHARING NETWORK:
  12 APAC CERTs | 5 industry ISACs | 234 MSSP partners
  Monthly IOC sharing: 10,000+ indicators
  Critical real-time alerts: 23 per month average
BUSINESS IMPACT:
  Brand positioning: Sangfor as APAC threat intelligence leader
  Sales enablement: intelligence sharing → trust → customer wins
  Product value: Neural-X feed enriched by partner contributions
  New business: 12 new customers cited intelligence sharing as a differentiator
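A monthly IOC package only helps a CERT or ISAC if it arrives in a machine-readable format they can ingest and deduplicate, and for domain indicators that means STIX 2.1. The following is an added example of the export, not Sangfor's or Neural-X's code. The producer identity, the UUID namespace and the indicator rows are constructed. Indicator IDs are derived deterministically from the domain (UUIDv5), so re-exporting the same indicator next month yields the same object ID and recipients can merge rather than duplicate; the TLP:AMBER marking reference is the fixed ID from the STIX 2.1 specification.

```python
"""Export curated domain indicators as a STIX 2.1 bundle for CERT/ISAC sharing.

Added example, not Sangfor's or Neural-X's code. The producer identity, the
UUID namespace and the indicator rows are constructed. Indicator IDs are
derived deterministically from the domain so that re-exporting the same
indicator yields the same object ID, which lets recipients deduplicate.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed namespace for deterministic IDs; keep it stable across exports.
ID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "urn:example:ti-sharing-namespace")
# TLP:AMBER marking-definition ID as fixed in the STIX 2.1 specification.
TLP_AMBER = "marking-definition--f88d31f6-dadc-4c80-84cd-a1d0e3e8f2c0"
# Constructed producer identity, referenced from every indicator via created_by_ref.
PRODUCER = {
    "type": "identity", "spec_version": "2.1",
    "id": "identity--" + str(uuid.uuid5(ID_NAMESPACE, "producer:example-ti-team")),
    "created": "2026-02-01T00:00:00.000Z", "modified": "2026-02-01T00:00:00.000Z",
    "name": "Example TI Team", "identity_class": "organization",
}


def stix_timestamp(dt):
    """STIX 2.1 timestamps are UTC, millisecond precision, 'Z' suffix. Pass aware datetimes."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def valid_domain(d):
    """Cheap sanity check so a malformed row cannot produce an unparsable pattern."""
    parts = d.split(".")
    return len(d) <= 253 and len(parts) > 1 and all(p and p.replace("-", "").isalnum() for p in parts)


def indicator(domain, actor, confidence, first_seen):
    # STIX string literals are single-quoted; escape backslash and quote.
    value = domain.replace("\\", "\\\\").replace("'", "\\'")
    ts = stix_timestamp(first_seen)
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(ID_NAMESPACE, f"domain-name:{domain}")),
        "created": ts, "modified": ts, "created_by_ref": PRODUCER["id"],
        "name": f"Malicious domain: {domain}",
        "description": f"Attributed to {actor}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{value}']",
        "pattern_type": "stix", "pattern_version": "2.1",
        "valid_from": ts, "confidence": int(confidence),
        "object_marking_refs": [TLP_AMBER],
    }


def build_bundle(rows):
    """rows: iterable of (domain, actor, confidence 0..100, first_seen aware datetime).
    Malformed domains and case-insensitive duplicates are skipped."""
    objects, seen = [PRODUCER], set()
    for domain, actor, confidence, first_seen in rows:
        key = domain.strip().lower()
        if key in seen or not valid_domain(key):
            continue
        seen.add(key)
        objects.append(indicator(key, actor, confidence, first_seen))
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


def bundle_json(rows):
    return json.dumps(build_bundle(rows), indent=2)


# Constructed rows: the first two are the same indicator in different case, the last is malformed.
FIRST_SEEN = datetime(2026, 2, 7, 9, 30, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    ("cloud-sync-service-ap.com", "APT-41", 85, FIRST_SEEN),
    ("Cloud-Sync-Service-AP.com", "APT-41", 85, FIRST_SEEN),
    ("icbc-secure-login.com", "Silver Terrier", 70, FIRST_SEEN),
    ("bad domain.com", "unknown", 10, FIRST_SEEN),
]

if __name__ == "__main__":
    print(bundle_json(SAMPLE_ROWS))
```

The bundle ID is random, as STIX intends for a transport envelope, while the indicator IDs inside are stable, so two monthly packages carrying the same domain let the receiving TIP update one object instead of creating two. Attribution is carried in the description here; a richer package would add threat-actor objects and "indicates" relationships, and a TLP:GREEN variant for the wider MSSP distribution.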
Power Your AI Agents with Domain Intelligence

Subscribe to the AI Agent Domain Database — continuous access to 100M+ domains, 20 page types each, quarterly refreshes, and real-time change signals.


Annual subscription includes quarterly data refreshes, change detection alerts, and priority API access.