See how PacketWatch integrates Validin threat intelligence to investigate malicious traffic, uncover related infrastructure, and expand threat hunts in WireSight.
Introduction
PacketWatch integrates Validin’s threat intelligence into the PacketWatch WireSight console. This integration includes the Validin Threat Feed, which WireSight checks against every single session for signs of malicious traffic. Validin data is also used in the WireSight Lens Tool, which allows analysts to quickly gather enrichment details on any public IP address or domain on the fly.
This case study shows how PacketWatch Threat Analysts use Validin data to investigate malicious traffic. From there, we pivot to the Validin platform to investigate threat actor infrastructure and uncover additional IP address and domain indicators of compromise (IOCs). We then bring those indicators back into WireSight to conduct additional threat hunts.
PacketWatch integrated the Validin threat intelligence platform to give clients a more complete investigation workflow. Security leaders, IR teams, and threat hunters can identify malicious activity, investigate the infrastructure and patterns behind threat campaigns, and act on newly discovered indicators to help prevent further damage to client assets. This integration gives PacketWatch clients more capabilities and insights to protect their brands and reduce organizational risk.
Real-World Example

Figure 1. Default PacketWatch WireSight Sessions tab
In the Sessions tab of the PacketWatch WireSight console, run the following query to search for identified malicious traffic:
*threat.\*:* AND network.direction:outbound AND NOT threat.indicator.name:"IP Tracking Domains"*
This query returns outbound network connections flagged as threats, excluding those classified as “IP Tracking Domain”. WireSight still tracks and monitors IP Tracking Domains, but because they can lead to false positives, we exclude them from this exercise.
Running this query in a client tenant returns the following session data:

Figure 2. WireSight sessions data
These two session records already tell us several useful details about the network traffic. The red bars on the far left side of the image indicate that Validin has flagged the session traffic as malicious. We see an internal IP address connecting to the external IP address 172.67.156[.]216. Between the two sessions, the server returned 29 packets totaling roughly 9 KB of data. We can also see that this traffic occurred over port 443 and connected to cpajoliette[.]com.
To gather more context, let’s review the IP address and hostname in the WireSight Lens Tool. The Lens Tool’s WHOIS data shows that the IP address belongs to Cloudflare. In this case, Validin’s passive DNS data is less useful because thousands of domains may be hosted behind the same Cloudflare IP address.

Figure 3. Lens Tool WHOIS data for the IP address
However, the Reputation Score for the hostname in the Lens tool provides extra information that is useful to the investigation:

Figure 4. WireSight Lens Tool reputation data for the hostname
Many IOC feeds label an IP address or domain as “malicious” without additional context, forcing analysts to spend extra time doing research to correlate the IOC to a particular threat. With Validin-enriched Lens Tool data, we can see who tagged the hostname as malicious (Maltrail), which campaign it is associated with (LandUpdate808), and which third-party resources provide additional context (SANS ISC).
Now that we have a confirmed true positive, let’s pivot to the Validin console for more context on this domain and look for other recent infrastructure tied to the campaign.
![Figure 5. Validin summary for cpajoliette[.]com Figure 5. Validin summary for cpajoliette[.]com](/images/packetwatch_validin/image7.png)
Figure 5. Validin summary for cpajoliette[.]com
This page provides additional context about the domain. First, we confirm that the domain is associated with the LandUpdate808 fake software update campaign. The link on the page also takes us to the SANS ISC report, which we examine next. We also confirm that the domain uses Cloudflare and now resolves to a different Cloudflare IP address than it did during the captured WireSight session. Finally, the domain’s registration date of December 1, 2010, suggests that it may be a legitimate site that was compromised through a vulnerability.
Taking a short detour to review the SANS ISC report confirms that this domain previously hosted a malicious JavaScript file, d.js, which SANS associates with SmartApeSG, part of the fake software update threat family. The report also shows that the domain leveraged a ClickFix prompt to trick users into downloading malware. SANS Report: https://isc.sans.edu/diary/32796.

Figure 6. Domain observed in the SANS ISC r
We now have a clearer idea of what to look for in our investigation. Knowing which domain was visited and that the ClickFix was involved, we can review endpoint logs for suspicious cmd.exe or PowerShell commands, as well as any processes launched or created during that timeframe.
Circling back to Validin, we look for additional infrastructure tied to the campaign. In the “Host Connections” tab, we find a potentially useful lead:

Figure 7. Validin Host Connections tab
The page lists several “JS_LINKS-HOST” records pointing to seemingly unrelated domains. This suggests that these domains contain links to cpajoliette[.]com, potentially as part of an SEO abuse campaign. We test this hypothesis by examining the page source of one of the listed domains. We select bestofmidwest[.]com, view the HTML source, and search for cpajoliette:
![Figure 8. HTML source for bestofmidwest[.]com Figure 8. HTML source for bestofmidwest[.]com](/images/packetwatch_validin/image12.png)
Figure 8. HTML source for bestofmidwest[.]com
This result strongly supports the SEO abuse hypothesis. The threat actors appear to be injecting code into vulnerable WordPress sites to promote their infrastructure.
Visiting the cpajoliette[.]com directly reveals an apparently benign website for the “Joliette Silver Stars Figure Skating Club”:
![Figure 9. cpajoliette[.]com home page Figure 9. cpajoliette[.]com home page](/images/packetwatch_validin/image11.png)
Figure 9. cpajoliette[.]com home page
Next, we request the d.js file identified in the SANS ISC report.
![Figure 10. Redirect after requesting cpajoliette[.]com/d[.]js Figure 10. Redirect after requesting cpajoliette[.]com/d[.]js](/images/packetwatch_validin/image15.png)
Figure 10. Redirect after requesting cpajoliette[.]com/d[.]js
The request immediately redirects to a new domain and JavaScript file: bronzewhisper[.]top/alias/tenant-asset[.]js. Deobfuscating and analyzing this JavaScript is beyond the scope of this article, but this code functions as a ClickFix loader, further confirming what we already suspected.
Now that we have a new domain IOC, let’s examine it in Validin for additional pivot opportunities:

Figure 11. Domain A record in Validin
The Resolutions tab shows an A record pointing to a previously unknown IP address. Because this domain is not behind Cloudflare, the IP address may be a useful IOC. We also see that the A record is very new, suggesting that this infrastructure may be new to the campaign. In the Host Connections tab, we look for distinctive attributes that could support additional pivots:
![Figure 12. bronzewhisper[.]top HOST-META tag in Validin Figure 12. bronzewhisper[.]top HOST-META tag in Validin](/images/packetwatch_validin/image14.png)
Figure 12. bronzewhisper[.]top HOST-META tag in Validin
Validin captured the following HOST-META value <meta name=”description” content=”Licensed general contractor specializing in residential and commercial construction projects.”>. Because every Validin data point is pivotable, we can click this value to find any other infrastructure observed using this exact meta description.

Figure 13. Validin HOST-META pivot results
This looks promising! The results include several suspicious .top domains that were recently registered, mostly use the same ASN (AS213230, HETZNER-CLOUD2-AS), and all resolve to IP addresses geolocated in Germany. We now have a growing list of potential IOCs for threat hunting and further pivoting:
178.156.219[.]224
87.99.148[.]129
87.99.159[.]241
87.99.143[.]230
5.161.124[.]201
5.78.196[.]236
bronzewhisper[.]top (original pivot)
cobaltmeadow[.]top
jadepassagehub[.]top
openmeadowlab[.]top
Farther down the page, we find another recently registered domain tagged as malicious under the ZPHP label:

Figure 14. Additional domain flagged as malicious
ZPHP is a new lead, so let’s pivot to the domain for more detail and assess whether this campaign is related:
![Figure 15. Validin summary for sharpfield[.]top Figure 15. Validin summary for sharpfield[.]top](/images/packetwatch_validin/image18.png)
Figure 15. Validin summary for sharpfield[.]top
Under Reputation Factors, Validin identifies ZPHP as an alias for SmartApeSG, suggesting that sharpfield[.]top may belong to the same campaign as our other IOCs. This entry also links to a SANS ISC report, although we do not see this domain mentioned. So how did this get correlated to that campaign?
Additional Pivots
The second link points to the Maltrail list containing this domain as an IOC. This link is extensive, but searching for “sharpfield” shows the domain grouped under two qualifiers. The first is the SANS ISC report already discussed. The second provides another additional clue: BODY_SHA1-HOST = c06768826d06adfea5f86c63fcb01c21c8d67e0f. This value is the SHA1 hash of the domain’s HTML body. Validin includes this fingerprint in its dataset, allowing us to search the hash and identify domains with the same HTML body.

Figure 16. SHA-1 body-hash Pivot in Validin
This pivot identifies four additional IOCs:
silvercourier[.]top
silvertrailhub[.]top
5.161.248[.]121
104.36.229[.]207
Pivoting into the first new IP address, 5.161.248[.]121, reveals another potentially useful HOST-META value in the Host Connections tab:

Figure 17. IOC HOST-META tag
This pivot was fruitful previously, so we repeat it here:

Figure 18. HOST-META pivot results in Host Connections
The pivot identifies one new IP IOC, *178.156.128[.]5*, and shows that other IPs and domains using this same meta description have also been associated with the ZPHP campaign.
Returning to the original pivot
At this point, we return to the earlier bronzewhisper[.]top pivot and investigate its hosting IP address, 178.156.219[.]224:

Figure 19, IP address A records in Validin
In the Host Connections tab, we find another meta description observed on the site several days earlier:

Figure 20. HOST-META tag in Validin
This pivot identifies two additional domain IOCs:
ambergallery[.]top
copperhorizon[.]top
We repeat this process by examining meta descriptions and other domains hosted at the identified IP addresses. This yields the following additional IOCs, all registered within the two weeks preceding the investigation:
crimsonterrace[.]top
coralmanor[.]top
ivorycourtyard[.]top
ivorycompass[.]top
silverfolio[.]top
coralregistry[.]top
cedarlanternhub[.]top
granitequill[.]top
stoneharvest[.]top
marblebeacon[.]top
hazelcanvas[.]top
ambercompanion[.]top
One final interesting pivot is the favicon hash e3a46f20be728d46dac88ec757345713. This pivot identifies one additional domain IOC:
saffronjunction[.]top
To validate these IOCs, we can request the JavaScript path observed on the previously identified domains:

Figure 21. Matching obfuscated JavaScript
The browser also shows that this page uses the same favicon as the original bronzewhisper[.]top pivot:

Figure 22. Matching favicon
Closing the Loop in PacketWatch WireSight
Now that we have identified these previously unreported IOCs through Validin pivoting, we query the client’s WireSight session data (full packet capture) from the last month to determine whether any of the campaign’s domains or IP addresses were contacted:
*\*.host:(crimsonterrace.top OR coralmanor.top OR ivorycourtyard.top OR ivorycompass.top OR jadepassagehub.top OR silverfolio.top OR coralregistry.top OR cedarlanternhub.top OR granitequill.top OR ambergallery.top OR copperhorizon.top OR alabastervoyage.top OR ambercompanion.top OR silvertrailhub.top OR silvercourier.top OR cobaltmeadow.top OR openmeadowlab.top OR bronzewhisper.top OR stoneharvest.top OR marblebeacon.top OR hazelcanvas.top OR saffronjunction.top) OR \*.ip:(178.156.219.224 OR 178.156.128.5 OR** **87.99.148.129 OR 87.99.159.241 OR 87.99.143.230 OR 5.161.124.201 OR 5.78.196.236 OR 5.161.248.121 OR 104.36.229.207)*

Figure 23. WireSight session data returned by the search query
We got a hit! We can now use this telemetry to investigate further and determine whether the attack succeeded.
This case demonstrates the value of going beyond the static threat-feed IOCs by using Validin’s dataset to pivot and uncover additional threat actor infrastructure. These newly identified IOCs are added to custom WireSight Signals in Irix, enabling automatic WireSights for future matches.
Conclusion
To learn more about how you can use PacketWatch security offerings to protect your environments, contact sales@packetwatch.com.
Validin enables MSSPs and security vendors to improve their customer offerings by offering high-fidelity threat intelligence data. To learn more about how you can integrate Validin directly into your platforms and workflows, contact us here.
New IOCs
178.156.219[.]224
178.156.128[.]5
87.99.148[.]129
87.99.159[.]241
87.99.143[.]230
5.161.124[.]201
5.78.196[.]236
5.161.248[.]121
104.36.229[.]207
crimsonterrace[.]top
coralmanor[.]top
ivorycourtyard[.]top
ivorycompass[.]top
jadepassagehub[.]top
silverfolio[.]top
coralregistry[.]top
cedarlanternhub[.]top
granitequill[.]top
ambergallery[.]top
copperhorizon[.]top
alabastervoyage[.]top
ambercompanion[.]top
silvertrailhub[.]top
silvercourier[.]top
cobaltmeadow[.]top
openmeadowlab[.]top
bronzewhisper[.]top
stoneharvest[.]top
marblebeacon[.]top
hazelcanvas[.]top
saffronjunction[.]top