Up to 75,000 unique domain names have been registered by Prolific Puma since April 2022, with the operation registering nearly 800 domains daily at its peak in January, an Infoblox report showed. While malicious domains were registered across 13 top-level domains, more than 50% of all domains created since May were on the U.S. top-level domain. Moreover, nearly 2,000 usTLD domains have been privately registered from Sept. 1 to Oct. 15.
The findings also showed that NameSilo has been primarily used by Prolific Puma for URL hosting for the past three years, with registered domains left inactive for weeks to bypass detection before being moved to a bulletproof hosting provider.
While there has been no evidence indicating Prolific Puma’s control of the landing pages, researchers believe it is possible that the threat actor controls the entire operation.