No Time to Spy: Uncovering Domains Distributing SpyNote Malware

Dana Schwabby

BSides Seattle 2026 · Day 1 · Track 1

Dana Schwabby, Head of Investigations and CISO at DomainTools, delivered a detailed walkthrough of how the **SpyNote** Android remote access Trojan (RAT) is distributed through fake Google Play Store pages and how passive DNS analysis can unravel the attacker infrastructure behind it. With 25 years of experience spanning state and federal government, higher education at the University of Washington, and a decade in private industry, Schwabby brings a practitioner's eye to threat hunting.

AI review

A well-executed threat intelligence talk that combines original malware analysis of SpyNote with a masterful demonstration of passive DNS pivot techniques. Schwabby walks through the full kill chain from fake Play Store delivery to C2 infrastructure mapping, turning a single indicator into over 1,100 IPs. The research is product-agnostic enough to be genuinely useful, and the passive DNS methodology is applicable far beyond this single malware family.
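The pivot the review describes (one seed indicator expanded through domain-to-IP-to-domain relationships) can be illustrated with a small breadth-first search over passive DNS records. This is an added example, not code from the talk or from DomainTools; the records, hostnames and IPs are constructed placeholders, and the fan-out threshold used to skip shared-hosting IPs is an assumed heuristic.

```python
"""Passive DNS pivot: expand one seed indicator into related infrastructure.

Added example, not from the talk. PDNS_RECORDS is a constructed, in-memory
stand-in for a passive DNS dataset of (hostname, resolved IP) pairs.
"""
from collections import deque

# Constructed sample records; names and addresses are placeholders, not
# indicators from the talk. 203.0.113.99 plays the role of a busy shared host.
PDNS_RECORDS = [
    ("play-store-update.example", "198.51.100.10"),
    ("play-store-update.example", "198.51.100.11"),
    ("google-play-apk.example", "198.51.100.10"),
    ("secure-apk-download.example", "198.51.100.11"),
    ("secure-apk-download.example", "203.0.113.5"),
    ("c2-panel.example", "203.0.113.5"),
    ("c2-panel.example", "203.0.113.99"),
    ("cdn.shared-host.example", "203.0.113.99"),
    *[(f"tenant{i}.shared-host.example", "203.0.113.99") for i in range(50)],
    ("unrelated.example", "192.0.2.1"),
]


def build_indexes(records):
    """Index records both ways so each pivot direction is a dict lookup."""
    name_to_ips, ip_to_names = {}, {}
    for name, ip in records:
        name_to_ips.setdefault(name, set()).add(ip)
        ip_to_names.setdefault(ip, set()).add(name)
    return name_to_ips, ip_to_names


def pivot(seed, records, max_depth=3, max_fanout=10):
    """Breadth-first pivot domain -> IP -> domain starting from `seed`.

    An IP hosting more than `max_fanout` names is treated as shared hosting
    or a CDN: it is recorded but not expanded, so unrelated tenants do not
    flood the result. Returns (domains, ips, skipped_ips).
    """
    name_to_ips, ip_to_names = build_indexes(records)
    domains, ips, skipped = {seed}, set(), set()
    queue = deque([(seed, 0)])
    while queue:
        name, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for ip in name_to_ips.get(name, ()):
            ips.add(ip)
            names = ip_to_names[ip]
            if len(names) > max_fanout:
                skipped.add(ip)  # noisy IP: keep as an indicator, do not expand
                continue
            for other in names:
                if other not in domains:
                    domains.add(other)
                    queue.append((other, depth + 1))
    return domains, ips, skipped
```

Run `pivot("play-store-update.example", PDNS_RECORDS)` to see the seed expand to the related domains and IPs while the shared host is reported in `skipped_ips` rather than dragging in its fifty tenants.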

Watch on YouTube