ISC - Add Punycode to your Threat Hunting Routine

[DarkWizardCatcher]

CTI Content

✅ Content successfully downloaded and saved to file.

Content Preview:

Add Punycode to your Threat Hunting Routine

IDNs or “International Domain Names” have been with us for a while now (see RFC3490[1]). They are (ab)used in many attack scenarios because.. it works! Who can immediately spot the difference between:

The magic is to replace classic characters by others that look almost the same. In the example above, the letter “o” has been replaced by Greek character “o”.

If they are very efficient for attackers, they remain below the radar in many organizations. ...

Full content length: 1,539 characters
Saved to: .hearth/intel-drops/issue-243-cti.txt

*The full content has been downloaded and will be processed automatically.*https://isc.sans.edu/diary/Add+Punycode+to+your+Threat+Hunting+Routine/32640/

Link to Original Source

https://isc.sans.edu/diary/Add+Punycode+to+your+Threat+Hunting+Routine/32640/

Your Name / Handle

DarkWizardCatcher

Link to Profile (Optional)

No response

[letswastetimee]

✅ A new hunt has been drafted from your submission! (Attempt 1/5)

Hypothesis: Threat actors are using Punycode-encoded International Domain Names (IDNs) with the "xn--" prefix in DNS queries to masquerade visually similar domain names that impersonate legitimate services for credential harvesting and malware delivery.

Please review the updated file here:
View Hunt Draft

---

🔍 Duplicate Detection Results:
⚠️ Legacy duplicate detection not available.

---

If you want to regenerate, please leave a comment on this issue with your feedback or what you'd like changed, then add the regenerate label.

If it looks good, add the approved label.

[letswastetimee]

🚀 Your submission has been approved and a pull request has been created. Thank you!
🔗 View PR: #247