BleepingComputer reports that more than 500,000 .BOND top-level domains have already been registered by the Revolver Rabbit cybercrime group via registered domain generation algorithms to support the infrastructure used in XLoader information-stealing malware campaigns against Windows and macOS systems.
Most domains created by Revolver Rabbit contained at least one dictionary word and a five-digit number separated from each other by a dash, a report from Infoblox showed. While Revolver Rabbit's .BOND domains were most evident, the threat operation was noted by Infoblox Vice President of Threat Intelligence Renee Burton to have already established over 700,000 domains across various TLDs, "Connecting the Revolver Rabbit RDGA to an established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor's toolbox," said Infloblox. Such findings follow a Security Joes report detailing that XLoader precursor FormBook only had a singular legitimate .BOND TLD used for its command-and-control servers.