
One Suspended Domain, Zero Intel, 88 Pivots: How Authoritative DNS Bypass Unraveled a Malware-and-Gambling Fraud Cluster

Operation TeomSlive — from dead domain to DLL sideloading, 3 unreported samples, and SimsekPay

Published April 1, 2026
Tags: osint, dll-sideloading, gambling-fraud, simsekpay, dns, malware-analysis

A domain on registry hold. No prior reporting. No VirusTotal hits. No ThreatFox entries. No passive DNS history. By every measure available to a threat intelligence analyst, teomslive[.]com was a dead end -- a suspended domain with nothing attached to it.

Forty-eight hours later, we had mapped 88 domains on a shared criminal hosting cluster, recovered three previously unreported malware samples (including a DLL sideloading chain using a legitimately signed Microsoft binary to load a 7.9MB AES-encrypted process injector), identified an active financial fraud platform processing millions of Turkish lira monthly for illegal gambling operators, and documented a novel OSINT technique that any researcher can use to extract intelligence from suspended domains.

This is Operation TeomSlive -- and it started with a DNS query that shouldn't have worked.

The Dead Domain That Wasn't Dead

When a domain registrar places a clientHold on a domain, it's effectively removed from the DNS. Recursive resolvers can't find it. Browsers can't reach it. For most investigators, that's where the trail ends.

But there's a gap in how domain suspension actually works. The clientHold status prevents the registry from publishing the domain's NS records in the TLD zone file. Recursive resolvers query the TLD servers, get nothing, and give up. The domain is "suspended."

The authoritative nameservers, however, don't know that. The zone data is still there. Nobody told them to delete it.

So instead of asking the recursive resolution chain, we asked Namecheap's authoritative nameservers directly:

dig @dns1.namecheaphosting.com teomslive.com A

It answered: 68.65.122.191.

This is a reusable technique. Registry-level suspension (clientHold) removes a domain from the public DNS tree, but the hosting provider's authoritative nameservers typically retain the zone data indefinitely. For any domain suspended by its registrar but still pointed at a hosting provider's nameservers, a direct query to those nameservers will return the historical IP -- bypassing the suspension entirely. No paid APIs. No historical DNS databases. Just a dig command with the right @ target.

With an IP address in hand, a dead domain became a live investigation.

The Twins

The IP 68.65.122.191 resolved to server391-1.web-hosting.com -- a Namecheap shared hosting server on AS22612. Before diving into what else lived there, we checked for related domains.

WHOIS for teomslive[.]com showed it was registered through NameSilo on March 27, 2026, with PrivacyGuardian WHOIS protection under User #3ef104c4. A search for similarly structured domains registered the same day turned up a twin: teemslivo[.]com. Same registrar. Same registration date. Different PrivacyGuardian account (User #68b54613).

The naming pattern is deliberate. Both domains are constructed from the same nine-character pool: t-e-o-m-s-l-i-v-e. They're anagrams of each other. The operator generated two permutations from the same character set and registered them minutes apart using separate NameSilo accounts -- a basic OPSEC measure to avoid single-account correlation.

Both domains pointed to the same Namecheap hosting IP. Two privacy accounts, one infrastructure.

88 Domains on a Criminal Shared Host

Namecheap's shared hosting packs hundreds of domains onto a single IP behind a LiteSpeed reverse proxy. This is cheap, legitimate infrastructure -- the same kind that hosts small businesses and personal blogs. It's also where threat actors blend in.

Enumerating the domains on 68.65.122.191 revealed 88+ co-hosted sites. The majority presented empty directory listings -- the default state of a freshly provisioned cPanel account with no content deployed. Staged infrastructure, waiting to be armed.

But several domains were already operational, and they painted a picture of a multi-vertical criminal operation:

  • royalconstructionin[.]com -- Open directory hosting live malware payloads (still downloadable at time of investigation)
  • simsekpay[.]com -- A fully built financial fraud platform for illegal gambling payment processing
  • miapkonline[.]xyz -- IPTV piracy distribution (Xtream TV Premium, since suspended)
  • bcsshipplng[.]com -- Typosquat of "BCS Shipping" (phishing staging)
  • lheport8[.]com -- Phishing infrastructure

Security researchers @ecarlesi and @0xscam had independently flagged individual domains on this IP for open directories and malware. But nobody had connected them to the same cluster, mapped the full extent, or identified SimsekPay.

The Open Armory

The royalconstructionin[.]com domain, registered March 17, was serving an open directory listing with three files:

adobe_update.zip                7.8 MB    2026-03-25
Invoice_March2026_unpaid.xll    649 KB    2026-03-23
Invoice_March2026_unpaid.pdf     14 KB    2026-03-25

Three delivery vectors. Three different techniques. All previously unreported.

Vector 1: DLL Sideloading With a Microsoft-Signed Binary

The adobe_update.zip archive contains two files: adobe_update.exe and mscorsvc.dll. The executable is a legitimate, Microsoft-signed binary -- specifically mscorsvw.exe, the .NET Runtime Optimization Service, version 2.0.50727.9149, with a valid Authenticode signature. It's a real Microsoft tool, compiled in 2019, doing exactly what Microsoft built it to do.

The trick is in what it loads. When mscorsvw.exe starts, it searches for mscorsvc.dll using the standard Windows DLL search order -- and because the threat actor placed a malicious DLL with that name in the same directory, Windows loads the attacker's code instead of the legitimate system DLL. This is T1574.002 (DLL Side-Loading), and mscorsvc.dll is a documented sideloading target.

The malicious mscorsvc.dll is where things get serious. At 7.9MB, the DLL is almost entirely payload. Its section layout tells the story:

Section   Size      Entropy   Contents
.text     18 KB     6.04      Decryption and injection logic
.rdata    7.9 MB    8.00      AES-encrypted payload
.pdata    512 B     2.94      Exception handlers

Entropy 8.00 is the theoretical maximum -- pure encrypted or compressed data. The .rdata section's size is exactly divisible by 16 (AES block size). The code section is just a delivery mechanism for the encrypted blob that constitutes 99.7% of the binary.

The PE timestamp places compilation at March 23, 2026 -- eight days before our investigation. This is fresh tooling under active development.

Execution chain:

  1. Victim runs adobe_update.exe (looks legitimate, is Microsoft-signed)
  2. Windows loads mscorsvc.dll from the same directory
  3. DLL checks IsDebuggerPresent and CheckRemoteDebuggerPresent (anti-analysis)
  4. DLL calls GlobalMemoryStatusEx (sandbox detection -- VMs typically report less RAM)
  5. DLL opens AES algorithm via BCryptOpenAlgorithmProvider
  6. DLL decrypts 7.9MB payload from .rdata via BCryptDecrypt
  7. DLL enumerates processes via CreateToolhelp32Snapshot
  8. DLL injects decrypted payload into target process via VirtualAllocEx + WriteProcessMemory
  9. Final implant executes in the context of the hijacked process

The use of Windows native bcrypt APIs for decryption rather than embedded crypto libraries is a deliberate choice -- it reduces the binary's static detection surface by avoiding known cryptographic constants that AV engines flag. The process injection chain is standard but effective: allocate, write, set executable, flush instruction cache.

Without dynamic execution in a sandbox, the final payload family remains unidentified. The 7.9MB encrypted blob is large enough to contain a full-featured RAT -- AsyncRAT, Remcos, and similar implants are all plausible candidates.

Vector 2: Excel-DNA XLL Dropper

The Invoice_March2026_unpaid.xll file abuses a different trust boundary. XLL files are Excel add-in DLLs that Excel will prompt users to install when opened. This one is built on the Excel-DNA framework -- a legitimate open-source .NET integration toolkit for Excel -- weaponized to deliver a packed .NET assembly.

The payload is stored as a packed resource named DEC64_25, loaded and unpacked at runtime when Excel triggers the xlAutoOpen callback. The .rsrc section sits at entropy 7.53 -- heavily packed but not fully encrypted, consistent with the Excel-DNA resource packing format.

Microsoft began blocking untrusted XLL add-ins by default in 2024. This technique still works against organizations running older Excel versions or those that haven't enforced the policy -- which, in enterprise environments with slow patch cycles, is more common than it should be.

Vector 3: PDF Invoice Lure

The PDF is the social engineering glue. A rendered invoice image (760x1081 pixels) with an AcroForm element, themed as an unpaid March 2026 invoice. No embedded URLs, no JavaScript, no exploit code -- just a convincing visual designed to create urgency and drive the victim to open the XLL or download the "Adobe update." It's the human-layer exploit that delivers the victim to the technical ones.

SimsekPay: Gambling's Shadow Banking

Sharing infrastructure with the malware operation, simsekpay[.]com is something different entirely -- a purpose-built payment processor for illegal online gambling.

SimsekPay bills itself as "Turkey's Local Banking Infrastructure" and provides Turkish bank transfer processing via Havale (traditional bank transfers) and FAST (Turkey's instant payment system). Their sales materials are explicit about the target market: they are the "execution layer" between iGaming operators and the Turkish banking system.

The volume tiers tell the scale story:

  • Tier 1: 5M - 20M TRY/month
  • Tier 2: 20M - 50M TRY/month
  • Tier 3: 50M+ TRY/month

At current exchange rates, the top tier represents over $1.5 million USD monthly in illegal gambling payment processing.

The platform offers multi-language support across five languages that map precisely to the Eastern European and Caucasus gambling fraud corridor:

  • English (EN) -- international operators
  • Turkish (TR) -- target banking market
  • Georgian (GE) -- Caucasus gambling operations
  • Polish (PL) -- Eastern European iGaming market
  • Serbian (RS) -- Balkan gambling corridor

This language selection isn't random. Turkey has been aggressively prosecuting iGaming payment infrastructure -- authorities recently arrested the chairman of PayFix, which had processed approximately 50 million betting transactions worth ~$110M, and suspended licenses for PayFix, Aypara, and Ininal. SimsekPay appears to be filling the enforcement vacuum.

One additional detail: the server returns 403 Forbidden for /.git/HEAD rather than 404 Not Found. A Git repository exists on the server with directory listing blocked. If that restriction is ever relaxed, the full source code -- and potentially the developer's identity -- becomes exposed.

Operator Profile

The infrastructure patterns suggest a general-purpose criminal hosting operation rather than a single-focus threat actor:

Dual-registrar strategy: NameSilo with PrivacyGuardian protection for domains they expect to draw scrutiny (the teomslive twins), Namecheap for bulk operational infrastructure. All domains, regardless of registrar, resolve to Namecheap shared hosting -- the cross-registrar linkage is visible in DNS but requires active investigation to discover.

Cost-conscious infrastructure: Shared hosting at $2-3/month rather than dedicated servers or bulletproof hosting. This blends criminal infrastructure with thousands of legitimate small websites on the same IP, making IP-based blocking a blunt instrument that creates collateral damage.

Multi-vertical criminal portfolio: Malware delivery, financial fraud, IPTV piracy, phishing, and typosquatting on a single hosting cluster. This breadth is atypical for specialized cybercrime groups and more consistent with an initial access broker (IAB) or criminal infrastructure provider serving multiple customers.

Professional malware development: The DLL sideloading chain -- signed Microsoft carrier, bcrypt AES decryption, process injection with anti-analysis -- reflects professional-grade tradecraft that contrasts sharply with the OPSEC failures in infrastructure management.

OPSEC failures that made this investigation possible:

  1. Open directory on royalconstructionin[.]com (malware freely downloadable)
  2. Git repository exposed on simsekpay[.]com (403 instead of 404)
  3. All criminal infrastructure co-located on a single shared hosting IP
  4. Cross-registrar DNS linkage between NameSilo domains and Namecheap hosting
  5. Distinctive anagram naming pattern (teomslive/teemslivo)

The Intelligence Gap

Before this investigation, none of this infrastructure had any public threat intelligence coverage. Zero VirusTotal community notes. Zero ThreatFox IOCs. Zero MalwareBazaar submissions. A malware delivery pipeline with three novel samples, a financial fraud platform processing millions in illegal gambling payments, and 88 domains on a criminal hosting cluster -- all operating in a complete intelligence blind spot.

The only prior signals were individual URLScan submissions by @ecarlesi and @0xscam flagging specific open directories. Nobody had connected the dots to the broader cluster.

This investigation was conducted at zero cost using free-tier sources: dig queries to authoritative nameservers, WHOIS lookups, certificate transparency logs, URLScan, Shodan InternetDB, and static malware analysis. The most valuable finding -- recovering the historical IP of a suspended domain -- required nothing more than knowing which nameserver to ask.

Indicators of Compromise

Network Indicators

# Primary hosting IP
68.65.122[.]191   (AS22612, Namecheap Inc., server391-1.web-hosting.com)

# Domains
teomslive[.]com                 (SUSPENDED - registry clientHold)
teemslivo[.]com                 (PARKED - moved to Sedo 91.195.240.123)
royalconstructionin[.]com       (LIVE - malware delivery)
simsekpay[.]com                 (LIVE - financial fraud)
lheport8[.]com                  (LIVE - phishing)
bcsshipplng[.]com               (LIVE - typosquat)
miapkonline[.]xyz               (SUSPENDED - IPTV piracy)
ctrlshiftapp[.]org              (LIVE - staging)
kashieexpress[.]com             (LIVE - staging)
snaptrivia[.]org                (LIVE - staging)
allyougotpodcast[.]com          (LIVE - staging)
edgarbet[.]com                  (LIVE - staging)
voteeshaan[.]com                (LIVE - staging)

# Malware delivery URLs
hxxps://royalconstructionin[.]com/adobe_update.zip
hxxps://royalconstructionin[.]com/Invoice_March2026_unpaid.xll
hxxps://royalconstructionin[.]com/Invoice_March2026_unpaid.pdf

File Indicators

# adobe_update.zip (delivery archive)
SHA256: 7a36d4c0ac975e60526a67797fbcf651e973c284525370a24bbc8f9d28c2c8bf

# adobe_update.exe (legitimate Microsoft-signed sideload carrier, aka mscorsvw.exe)
SHA256: 3e824f0d325fd32f8100ddf6b506ad6250be48286ac20726dcb23a9cedf3e4c1
MD5:    ba428e7084f97b488865397d11059748
Imphash: c899e83bee82f67bdb0072b724c7cc2b

# mscorsvc.dll (malicious AES-encrypted process injector, compiled 2026-03-23)
SHA256: 0fbbe932a3da2cfe5b28032c3dfc5d6bc47e252b6c01264ad65a23d5b73d636e
MD5:    cf717b48600dda906d4a9af337cbe119
Imphash: e7c54d6e9844970dc7dbc27d30f9bd35

# Invoice_March2026_unpaid.xll (Excel-DNA XLL dropper)
SHA256: 866566afef12ceded10520877c2b52c1bb17bf9a90ca4ecf4901de090042ff01
Imphash: c7c26bb8d5952bec53d920e7a4ac8e2a

# Invoice_March2026_unpaid.pdf (social engineering lure)
SHA256: 9bf123551cc1b56fa0c9d8deab7fff69f5e1264ce401d91d9dbe7f1cf221270e

Infrastructure Indicators

# Hosting
server391-1.web-hosting.com (PTR for 68.65.122.191)
AS22612 (Namecheap Inc.)

# Authoritative nameservers (retained zone data for suspended domains)
dns1.namecheaphosting.com
dns2.namecheaphosting.com

# PrivacyGuardian registrant IDs
User #3ef104c4 (teomslive.com)
User #68b54613 (teemslivo.com)

# Contact
hello@simsekpay[.]com

MITRE ATT&CK

ID          Technique                                   Application
T1583.001   Acquire Infrastructure: Domains             NameSilo + Namecheap bulk registration
T1583.006   Acquire Infrastructure: Web Services        Namecheap shared hosting
T1566.001   Spearphishing Attachment                    Invoice PDF + XLL delivery
T1566.002   Spearphishing Link                          Link to open directory for adobe_update.zip
T1204.002   User Execution: Malicious File              Victim runs adobe_update.exe or opens XLL
T1574.002   DLL Side-Loading                            mscorsvw.exe loads malicious mscorsvc.dll
T1027.013   Encrypted/Encoded File                      AES-encrypted .rdata payload (7.9MB)
T1137.006   Office Application Startup: Add-ins         XLL Excel add-in persistence
T1497.001   Sandbox Evasion: System Checks              Debugger + memory size checks
T1057       Process Discovery                           CreateToolhelp32Snapshot enumeration
T1055       Process Injection                           VirtualAllocEx + WriteProcessMemory

Detection Guidance

For network defenders: Block 68.65.122[.]191 and all listed domains at the perimeter. Hunt for adobe_update.exe co-located with mscorsvc.dll in endpoint telemetry -- the legitimate Microsoft binary appearing outside C:\Windows\Microsoft.NET\ is the red flag. Search email gateway logs for Invoice_March2026_unpaid.xll attachments.
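One way to implement the endpoint hunt above, as an added example that is not part of the report: it correlates process-creation events for the mscorsvw.exe carrier (matched by the report's SHA256 or by the PE OriginalFilename, which survives renaming to adobe_update.exe) with mscorsvc.dll files observed in the same directory, and flags executions outside C:\Windows\Microsoft.NET\. The telemetry records are constructed; host names, paths and the benign DLL hash are placeholders, while the two hashes the logic matches on are the IoCs listed in this report.

```python
import ntpath

# Indicators quoted from the report (not constructed).
CARRIER_SHA256 = "3e824f0d325fd32f8100ddf6b506ad6250be48286ac20726dcb23a9cedf3e4c1"        # adobe_update.exe / mscorsvw.exe
MALICIOUS_DLL_SHA256 = "0fbbe932a3da2cfe5b28032c3dfc5d6bc47e252b6c01264ad65a23d5b73d636e"  # malicious mscorsvc.dll
# The only directory tree where the .NET Runtime Optimization Service legitimately lives.
EXPECTED_ROOT = ntpath.normcase("C:\\Windows\\Microsoft.NET\\")


def _norm(path):
    # Lower-case and convert slashes so comparisons are case-insensitive, as NTFS paths are.
    return ntpath.normcase(path)


def is_expected_location(image_path):
    return _norm(image_path).startswith(EXPECTED_ROOT)


def hunt_sideload(process_events, file_events):
    """Correlate process-creation telemetry with on-disk file observations.

    process_events: dicts with "host", "image" (full path), "sha256", "original_filename".
    file_events:    dicts with "host", "path", "sha256".
    Returns one finding per suspicious carrier execution."""
    dll_by_dir = {
        (f["host"], ntpath.dirname(_norm(f["path"]))): f
        for f in file_events
        if ntpath.basename(_norm(f["path"])) == "mscorsvc.dll"
    }
    findings = []
    for ev in process_events:
        is_carrier = (ev.get("sha256", "").lower() == CARRIER_SHA256
                      or ev.get("original_filename", "").lower() == "mscorsvw.exe")
        if not is_carrier:
            continue
        image = _norm(ev["image"])
        reasons = []
        outside = not is_expected_location(image)
        if outside:
            reasons.append("mscorsvw.exe executing outside C:\\Windows\\Microsoft.NET\\")
        dll = dll_by_dir.get((ev["host"], ntpath.dirname(image)))
        if dll is not None:
            if outside:
                reasons.append("mscorsvc.dll co-located with the carrier in a non-system directory")
            if dll.get("sha256", "").lower() == MALICIOUS_DLL_SHA256:
                reasons.append("co-located mscorsvc.dll matches the reported malicious SHA256")
        if reasons:
            findings.append({"host": ev["host"], "image": ev["image"], "reasons": reasons})
    return findings


# Constructed telemetry: a benign execution from the system path on WS-01 and a staged
# sideload in a Downloads folder on WS-02. Hosts and paths are made up.
CONSTRUCTED_PROCESS_EVENTS = [
    {"host": "WS-01", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe",
     "sha256": CARRIER_SHA256, "original_filename": "mscorsvw.exe"},
    {"host": "WS-02", "image": "C:\\Users\\victim\\Downloads\\adobe_update\\adobe_update.exe",
     "sha256": CARRIER_SHA256, "original_filename": "mscorsvw.exe"},
]
CONSTRUCTED_FILE_EVENTS = [
    {"host": "WS-01", "path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvc.dll",
     "sha256": "PLACEHOLDER-LEGITIMATE-DLL-HASH"},  # the real hash is not on the page
    {"host": "WS-02", "path": "C:\\Users\\victim\\Downloads\\adobe_update\\mscorsvc.dll",
     "sha256": MALICIOUS_DLL_SHA256},
]

if __name__ == "__main__":
    for finding in hunt_sideload(CONSTRUCTED_PROCESS_EVENTS, CONSTRUCTED_FILE_EVENTS):
        print(finding["host"], finding["image"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The OriginalFilename match matters more than the hash match: Microsoft ships other builds of mscorsvw.exe with different hashes, and any of them can be renamed and dropped beside a hostile mscorsvc.dll, so keying only on the one SHA256 in this report would miss the same tradecraft with a different carrier build.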

For threat intelligence teams: Track imphash e7c54d6e9844970dc7dbc27d30f9bd35 across malware databases. Monitor PrivacyGuardian User IDs #3ef104c4 and #68b54613 for new domain registrations. The malware payloads on royalconstructionin[.]com were still live at time of publication -- submit to VirusTotal and MalwareBazaar for community detection.

For OSINT researchers: The authoritative nameserver technique documented here works on any registrar that delegates to a hosting provider's nameservers before suspension. When you encounter a clientHold domain, identify the original nameservers from historical WHOIS and query them directly. The zone data is almost always still there.
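The authoritative-nameserver query described in The Dead Domain That Wasn't Dead and restated above, as an added example that is not the report's tooling: it performs the dig step in pure Python, building a wire-format A query with recursion disabled, sending it straight to a named server over UDP, and parsing the answer including name-compression pointers. The send parameter lets the same code run offline against a constructed reply; the live form is query_authoritative("teomslive.com", "dns1.namecheaphosting.com"), both names taken from the report. The constructed_response helper and the 198.51.100.53 address are test fixtures, not captured traffic.

```python
import random
import socket
import struct

A_RECORD = 1
IN_CLASS = 1


def build_query(name, qtype=A_RECORD):
    """Build a wire-format DNS query with the RD (recursion desired) bit clear.
    An authoritative server answers from its own zone data either way; clearing RD
    makes explicit that we are not asking it to recurse on our behalf."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags=0, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, IN_CLASS)


def _read_name(msg, offset):
    """Decode a possibly compressed domain name; return (name, offset just past it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name occupies only the 2-byte pointer here
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_response(msg, expected_txid):
    """Return rcode, the AA (authoritative answer) bit and every A record in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlength = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == A_RECORD and rclass == IN_CLASS and rdlength == 4:
            answers.append((owner, socket.inet_ntoa(rdata), ttl))
    return {"rcode": flags & 0x000F, "authoritative": bool(flags & 0x0400), "answers": answers}


def query_authoritative(domain, nameserver, timeout=3.0, send=None):
    """Ask `nameserver` directly for the A record of `domain`, skipping the recursive chain.
    `send` may be replaced to run offline; by default one UDP datagram goes to port 53."""
    txid, packet = build_query(domain)
    if send is None:
        def send(pkt):
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                sock.sendto(pkt, (nameserver, 53))
                return sock.recv(4096)
    return parse_a_response(send(packet), txid)


def constructed_response(query_packet, ip, ttl=300):
    """Constructed (not captured) authoritative reply for offline use: echoes the question
    and appends one A record whose owner name is a pointer back to the question name."""
    header = query_packet[:2] + struct.pack(">HHHHH", 0x8400, 1, 1, 0, 0)  # QR=1, AA=1
    answer = struct.pack(">HHHIH", 0xC00C, A_RECORD, IN_CLASS, ttl, 4) + socket.inet_aton(ip)
    return header + query_packet[12:] + answer


if __name__ == "__main__":
    # Live use: query_authoritative("teomslive.com", "dns1.namecheaphosting.com")
    print(query_authoritative("teomslive.com", "198.51.100.53",
                              send=lambda pkt: constructed_response(pkt, "68.65.122.191")))
```

Check the authoritative flag in the result before trusting the address: a reply with AA clear and rcode REFUSED or NXDOMAIN means the server no longer carries the zone, which is the case the report says is uncommon but does occur when the hosting account itself has been terminated.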

The operator built professional malware but left the front door open. An open directory on a shared hosting server, co-located with a financial fraud platform, connected to a suspended domain that still answered when you asked the right server. Sometimes the most sophisticated payload in the world doesn't matter if your infrastructure hygiene is garbage.

One domain. Zero prior intel. Total infrastructure.


This investigation was conducted by Breakglass Intelligence's autonomous GHOST investigation system. All evidence was captured via passive and semi-passive methods. YARA and Suricata detection rules are available in the full technical report.

Breakglass Intelligence | March 31, 2026
