Sundown EK: You Better Take Care
released on 2016-11-01 @ 12:26:37 AM
Over the course of several weeks, Talos focused its research on Sundown activity, and our findings were surprising. What we found was a kit that operated on a relatively small infrastructure footprint but had what appeared to be one of the largest domain shadowing implementations we had ever seen. The campaign operated out of a handful of IPs, but we ended up finding in excess of 80K malicious subdomains associated with more than 500 domains, leveraging various registrant accounts. This translates into a kit that will largely evade traditional blacklisting solutions. Sundown remained highly vigilant, and the subdomains in use were recycled quickly to help avoid detection. In some cases, it appeared to be single-use domain shadowing, which is incredibly difficult to stop with blacklisting.
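The detection consequence of the pattern described above (many short-lived subdomains across many registered domains, all fronted by a handful of IPs) is that the pivot point is the IP, not the hostname. The following is an added example, not Talos code: it groups passive-DNS-style first-seen records by resolved IP and flags IPs that serve many distinct subdomains under several parent domains within a short window. The records, domain names, addresses and thresholds are constructed placeholders, not indicators from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample passive-DNS records: (first_seen, hostname, resolved IP).
# Names and addresses are placeholders, not indicators from the Talos post.
SAMPLE_RECORDS = [
    ("2016-10-01T10:00:00", "q8x1.shadowed-one.example", "192.0.2.10"),
    ("2016-10-01T10:05:00", "m2kd.shadowed-one.example", "192.0.2.10"),
    ("2016-10-01T10:09:00", "t7pa.shadowed-two.example", "192.0.2.10"),
    ("2016-10-01T10:15:00", "zz01.shadowed-two.example", "192.0.2.10"),
    ("2016-10-01T10:20:00", "h4rr.shadowed-three.example", "192.0.2.10"),
    ("2016-10-01T10:20:00", "h4rr.shadowed-three.example", "192.0.2.10"),  # repeat lookup
    ("2016-10-01T11:00:00", "www.legit-shop.example", "198.51.100.5"),
    ("2016-10-02T09:00:00", "mail.legit-shop.example", "198.51.100.5"),
    ("2016-10-03T12:00:00", "cdn.legit-shop.example", "198.51.100.5"),
]


def registered_domain(hostname):
    """Naive eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(hostname.lower().split(".")[-2:])


def shadowing_candidates(records, min_subdomains=5, min_parents=2,
                         window=timedelta(hours=24)):
    """Return {ip: (subdomain_count, parent_domains)} for IPs that served at
    least min_subdomains distinct hostnames under at least min_parents
    registered domains, all first seen within one `window` (assumed thresholds)."""
    by_ip = defaultdict(dict)  # ip -> {hostname: earliest first_seen}
    for ts, host, ip in records:
        seen = datetime.fromisoformat(ts)
        if host not in by_ip[ip] or seen < by_ip[ip][host]:
            by_ip[ip][host] = seen
    flagged = {}
    for ip, hosts in by_ip.items():
        entries = sorted((t, h) for h, t in hosts.items())
        start = 0
        for end in range(len(entries)):
            # Slide the window start forward until it spans at most `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            window_hosts = [h for _, h in entries[start:end + 1]]
            parents = {registered_domain(h) for h in window_hosts}
            if (len(window_hosts) >= min_subdomains and len(parents) >= min_parents
                    and len(window_hosts) > flagged.get(ip, (0,))[0]):
                flagged[ip] = (len(window_hosts), parents)
    return flagged


if __name__ == "__main__":
    for ip, (n, parents) in shadowing_candidates(SAMPLE_RECORDS).items():
        print(f"{ip}: {n} subdomains across {sorted(parents)}")
```

Blocking the flagged IP (or alerting on any new hostname resolving to it) covers every recycled subdomain at once, which a hostname blacklist cannot.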