Suspicious traffic to unusual site names in the .info TLD
One of my customer's systems has been connecting to unusual sites in the .info TLD. These are site names like:

The names all seem to be 3 long but obscure English words. They all have similar registration details, in particular the same registrar and creation date.

Registry Domain ID: D503300000043619417-LRMS
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2017-10-25T20:30:30Z
Creation Date: 2017-08-26T02:08:26Z
Registry Expiry Date: 2018-08-26T02:08:26Z

All resolved addresses point to blocks owned by "Hurricane Electric":

The traffic is all HTTPS encrypted.

Has anyone seen anything similar?
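One way to hunt for the pattern described in this post (second-level labels under .info that segment into exactly three long dictionary words) across resolver logs. This is an added example, not code from the original thread; the wordlist and the BIND-style query log lines are constructed.

```python
import re
from functools import lru_cache

# Constructed mini-dictionary; a real hunt would load /usr/share/dict/words.
WORDS = frozenset({"abundant", "harbour", "lantern", "meadow", "quarrel",
                   "saddle", "thimble", "velvet", "walnut", "orchard",
                   "pebble", "compass"})
MIN_LEN = 5  # only "long" words count; short glue words are ignored

def segment(label: str, words=WORDS):
    """Split `label` into dictionary words (leftmost-first), or return None."""
    @lru_cache(None)
    def go(i):
        if i == len(label):
            return ()
        for j in range(i + MIN_LEN, len(label) + 1):
            if label[i:j] in words:
                rest = go(j)
                if rest is not None:
                    return (label[i:j],) + rest
        return None
    return go(0)

def is_suspicious(fqdn: str, tld="info", parts=3):
    """True when the registrable label under `tld` is exactly `parts` words."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return False
    seg = segment(labels[-2])
    return seg is not None and len(seg) == parts

# Constructed resolver query log (BIND query-log style); not real traffic.
LOG = """\
client 10.0.0.5#51234: query: harbourlanternmeadow.info IN A +
client 10.0.0.5#51235: query: www.example.info IN A +
client 10.0.0.7#49000: query: velvetwalnutorchard.info IN A +
client 10.0.0.5#51236: query: saddlequarrel.info IN A +
client 10.0.0.9#40010: query: thimblepebblecompass.com IN A +
"""
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN ")

def hunt(log: str):
    """Map each flagged domain to the set of client IPs that queried it."""
    hits = {}
    for m in QUERY_RE.finditer(log):
        client, name = m.group(1), m.group(2)
        if is_suspicious(name):
            hits.setdefault(name, set()).add(client)
    return hits
```

Flagged domains are then worth pivoting on by registrar and creation date, as the post does, before blocking anything.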
