WHOIS Your Daddy: Tracking Iranian-backed Cyber Operations Through Infrastructure

Austin Northcutt

BSidesSF 2025 — Here Be Dragons · Day 1 · Main

Starting from just four malicious domains attributed to Iranian state-sponsored threat actor MuddyWater, DomainTools solutions engineer Austin Northcutt used passive DNS pivoting and name server analysis to expand the initial indicator set to over 2,500 domains. The talk demonstrates how threat actors leave consistent infrastructure "fingerprints" that researchers can exploit to uncover entire malicious networks from a single unique data point.

AI review

Northcutt turned four MuddyWater C2 domains into 2,500+ suspect indicators through passive DNS pivoting on a single suspicious name server — HostorDaddy — and the tradecraft lesson is reproducible by any threat intel practitioner with access to passive DNS data. This is a well-executed methodology demonstration, not just a vendor pitch for DomainTools.
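The pivot the review describes, as an added example that is not the speaker's or DomainTools' code: invert a passive-DNS snapshot into a name-server-to-domains index, keep only the name servers seen on the seed domains whose footprint is small enough to be a meaningful fingerprint (a commodity provider's name servers would pull in every one of its customers), and walk the expansion for a bounded number of hops. The dataset is constructed; only the seed count and the name "HostorDaddy" come from the page, and every hostname, including the `hostordaddy-ns.example` form, is invented for illustration.

```python
"""Passive-DNS name-server pivot: seed domains -> shared rare name servers -> more domains.

Added illustration, not code from the talk or from DomainTools. The snapshot
below is constructed; every hostname is made up.
"""
from collections import defaultdict

# Constructed passive-DNS snapshot: domain -> set of NS hostnames observed for it.
PDNS_NS = {
    # Four seed domains (the count comes from the talk; the names are invented).
    "seed-a.example": {"ns1.hostordaddy-ns.example", "ns2.hostordaddy-ns.example"},
    "seed-b.example": {"ns1.hostordaddy-ns.example", "ns2.hostordaddy-ns.example"},
    "seed-c.example": {"ns1.hostordaddy-ns.example", "ns2.hostordaddy-ns.example"},
    "seed-d.example": {"ns1.hostordaddy-ns.example", "ns1.bigcdn.example"},
    # Domains that share the rare name server and should surface on the first hop.
    "pivot-1.example": {"ns1.hostordaddy-ns.example", "ns2.hostordaddy-ns.example"},
    "pivot-2.example": {"ns2.hostordaddy-ns.example", "ns1.second-hop.example"},
    # Reachable only by pivoting again from pivot-2's other name server.
    "hop2.example": {"ns1.second-hop.example"},
    # Unrelated customers of a large shared provider; must not be pulled in.
    "benign-1.example": {"ns1.bigcdn.example", "ns2.bigcdn.example"},
    "benign-2.example": {"ns1.bigcdn.example"},
    "benign-3.example": {"ns1.bigcdn.example"},
    "benign-4.example": {"ns1.bigcdn.example"},
    "benign-5.example": {"ns1.bigcdn.example"},
    "benign-6.example": {"ns1.bigcdn.example"},
}

SEEDS = ["seed-a.example", "seed-b.example", "seed-c.example", "seed-d.example"]


def invert(pdns):
    """Build the reverse index: NS hostname -> set of domains delegated to it."""
    ns_to_domains = defaultdict(set)
    for domain, name_servers in pdns.items():
        for ns in name_servers:
            ns_to_domains[ns].add(domain)
    return ns_to_domains


def pivot_nameservers(pdns, domains, max_footprint):
    """Name servers seen on `domains` that are rare enough to pivot on.

    A name server delegated for more than `max_footprint` domains in the
    snapshot is treated as commodity hosting and skipped: pivoting on it
    would return the provider's whole customer base, not the actor's.
    """
    ns_to_domains = invert(pdns)
    candidates = set()
    for d in domains:
        candidates |= pdns.get(d, set())
    return {ns for ns in candidates if len(ns_to_domains[ns]) <= max_footprint}


def expand(pdns, seeds, max_footprint=5, max_hops=1):
    """Expand `seeds` through shared rare name servers for up to `max_hops` rounds.

    Returns (name servers pivoted on, newly discovered domains). Each round
    pivots only from domains found in the previous round, and a name server
    is walked at most once.
    """
    ns_to_domains = invert(pdns)
    known = set(seeds)
    frontier = set(seeds)
    pivots_used = set()
    for _ in range(max_hops):
        pivots = pivot_nameservers(pdns, frontier, max_footprint) - pivots_used
        if not pivots:
            break
        pivots_used |= pivots
        found = set()
        for ns in pivots:
            found |= ns_to_domains[ns]
        frontier = found - known
        known |= found
        if not frontier:
            break
    return pivots_used, known - set(seeds)


if __name__ == "__main__":
    pivots, new_domains = expand(PDNS_NS, SEEDS, max_footprint=5, max_hops=2)
    print("pivoted on:", sorted(pivots))
    print("new indicators:", sorted(new_domains))
```

The footprint threshold is the check that keeps this from becoming a list of everyone on a shared registrar's name servers; in real passive-DNS data it should be set from the provider's actual footprint rather than the value used here, and each new hop deserves a second look before its domains are treated as indicators.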
