The Federal Bureau of Investigation (FBI) shared a warning on 29 April 2025 about the LabHost phishing-as-a-service (PhaaS) campaign that threatened the security of users worldwide, along with a massive list of related indicators of compromise (IoCs). WhoisXML API embarked on an in-depth analysis of the IoCs through a DNS deep dive.
The FBI, in particular, identified 42,515 LabHost PhaaS campaign IoCs. We analyzed 42,401 after excluding duplicates and non-domain entries. To these, we added 1,661 net new typosquatting domains akin to the IoCs on the FBI list. Our investigation of the joint list of 44,062 domains led to the findings and enrichments detailed below.
A sample of the additional artifacts obtained from our analysis is available for download from our website.
As our first step, we cleaned up the FBI list: after excluding duplicates, IP addresses, and non-domain entries, we were left with 42,401 domains identified as IoCs. We then used this list as input to query all our Typosquatting Data Feed files and found an additional 1,661 connected domains, bringing the total to 44,062.
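The clean-up step above (deduplicate, drop IP addresses, drop non-domains) is easy to get subtly wrong on real IoC lists, which mix case, defanged entries, URLs, and FQDNs with trailing dots. The following is an added example of how a practitioner might implement that step; it is not code from the original post or from WhoisXML API, and the sample IoC strings are constructed for illustration (they use documentation IP ranges and made-up host names, not entries from the FBI list).

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of an IoC list in the mixed shape the FBI list is described
# as having: domains (some defanged or with URL parts), duplicates, IP addresses
# and non-domain entries. None of these values come from the FBI list itself.
RAW_IOCS = [
    "scotiabank-secure-login.com",
    "SCOTIABANK-SECURE-LOGIN.COM",               # duplicate differing only in case
    "canadapost-parcel[.]net",                   # defanged dot
    "hxxps://royalmail-redelivery.info/track",   # defanged scheme plus path
    "netflix-billing.co.",                       # trailing dot (FQDN form)
    "198.51.100.23",                             # IPv4 (documentation range)
    "2001:db8::1",                               # IPv6 (documentation range)
    "not a domain",                              # junk entry
    "",                                          # empty line
]

# RFC 1123 hostname label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
# At least one label followed by an alphabetic TLD of 2-63 characters.
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")


def refang(value: str) -> str:
    """Normalise case and undo common defanging ('[.]', '(.)', 'hxxp')."""
    v = value.strip().lower()
    return v.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def extract_host(value: str) -> str:
    """Strip scheme, path, port and trailing dot, leaving the bare host name."""
    v = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)
    v = v.split("/", 1)[0].split(":", 1)[0]
    return v.rstrip(".")


def classify(value: str) -> Tuple[str, str]:
    """Return (kind, normalised value) with kind in {'ip', 'domain', 'other'}."""
    v = refang(value)
    for candidate in (v, extract_host(v)):      # bare IP, or an IP inside a URL
        try:
            return "ip", str(ipaddress.ip_address(candidate))
        except ValueError:
            pass
    host = extract_host(v)
    if _DOMAIN_RE.match(host):
        return "domain", host
    return "other", value


def clean_ioc_list(raw: List[str]) -> Dict[str, List[str]]:
    """Deduplicate and bucket raw IoC strings into domains, IPs and leftovers."""
    buckets: Dict[str, set] = {"domain": set(), "ip": set(), "other": set()}
    for entry in raw:
        kind, normalised = classify(entry)
        buckets[kind].add(normalised)
    return {kind: sorted(values) for kind, values in buckets.items()}


if __name__ == "__main__":
    result = clean_ioc_list(RAW_IOCS)
    for kind, values in result.items():
        print(f"{kind}: {len(values)} -> {values}")
```

The "other" bucket is kept rather than silently discarded so that an analyst can eyeball what was rejected; on a list of 42,515 entries that review is where parsing bugs (a new defanging style, for example) tend to surface.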
Next, we queried the 1,661 typosquatting domains on Bulk WHOIS API and found that 682 of them had current WHOIS records with creation dates on record. The domains were created between 2012 and 2025: one each in 2012 and 2022, 81 in 2023, 458 in 2024, and 141 in 2025.
While three of the 682 domains did not have registrar information on record, the remaining 679 were split among 62 registrars. Dynadot, NameSilo, Porkbun, Namecheap, Domain Science, GoDaddy, Spaceship, Gname.com, PDR, and Tucows comprised the top 10 registrars.
And while 93 of the 682 domains did not have registrant countries on record, the remaining 589 were registered in 27 countries. The U.S., Iceland, Hungary, Canada, China, the U.K., and Switzerland comprised the top 7 registrant countries.
A closer look at the 682 domains revealed that 342 of them contained text strings pertaining to 18 well-known brands, although some were misspelled. The 18 brands possibly being mimicked were Scotia Bank, Canada Post, Royal Bank of Canada, Amazon (including Amazon Prime), Australia Post, Netflix, Telus, Royal Mail, Apple, Chase, NZ Post, Poste Italiane, CIBC, DHL, Westpac, Costco, Shopify, and Spotify. Interestingly, all these brands also appear in the original FBI list.
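Spotting brand strings that may be misspelled, as described above, is a typo-tolerant substring search rather than a plain `in` check. The block below is an added example of one way to do it, not WhoisXML API's matching logic: the keyword chosen for each of the 18 brands is my own assumption, the one-edit tolerance is applied only to keywords of six or more characters (so that short tokens such as "dhl" or "rbc" do not match everything), and the domains in the test are constructed.

```python
from typing import Dict, List

# Keyword -> brand, for the 18 brands the post lists. The keywords are an
# assumption (the shortest distinctive string per brand), not taken from the post.
BRAND_KEYWORDS: Dict[str, str] = {
    "scotiabank": "Scotia Bank",
    "canadapost": "Canada Post",
    "rbc": "Royal Bank of Canada",
    "amazon": "Amazon",
    "auspost": "Australia Post",
    "netflix": "Netflix",
    "telus": "Telus",
    "royalmail": "Royal Mail",
    "apple": "Apple",
    "chase": "Chase",
    "nzpost": "NZ Post",
    "posteitaliane": "Poste Italiane",
    "cibc": "CIBC",
    "dhl": "DHL",
    "westpac": "Westpac",
    "costco": "Costco",
    "shopify": "Shopify",
    "spotify": "Spotify",
}

# Only keywords at least this long get one edit of tolerance; shorter ones
# ("dhl", "rbc", "cibc") would match far too many unrelated strings at distance 1.
FUZZY_MIN_LEN = 6


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute) using the two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def searchable_text(domain: str) -> str:
    """Drop the TLD and separators: 'scotia-bank.login.com' -> 'scotiabanklogin'.
    A multi-part suffix such as .co.uk leaves 'co' in the text, which is harmless here."""
    labels = domain.lower().rstrip(".").split(".")
    return "".join(labels[:-1]).replace("-", "").replace("_", "")


def find_brands(domain: str) -> List[str]:
    """Brands whose keyword occurs in the domain exactly, or with at most one
    typo when the keyword is long enough to make that safe."""
    text = searchable_text(domain)
    hits = set()
    for kw, brand in BRAND_KEYWORDS.items():
        if kw in text:
            hits.add(brand)
            continue
        if len(kw) < FUZZY_MIN_LEN:
            continue
        # Slide windows of length k-1..k+1 over the text (one deletion, exact
        # length, one insertion) and accept any window within edit distance 1.
        for win in range(len(kw) - 1, len(kw) + 2):
            if any(levenshtein(text[i:i + win], kw) <= 1
                   for i in range(len(text) - win + 1)):
                hits.add(brand)
                break
    return sorted(hits)


if __name__ == "__main__":
    for d in ["scotiabnk-login.com", "netflx-billing.co", "spotify-premium.com", "weather-today.org"]:
        print(d, "->", find_brands(d))
```

Note that "shopify" and "spotify" are two edits apart, so the tolerance of one keeps them distinct; a looser threshold would start conflating brands and should be tuned against a benign domain sample before being used to label anything.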
Using sample DNS traffic data our researchers obtained from the IASC, we further analyzed the 44,062 domains. The sample data revealed that 11,009 unique client IP addresses queried 163 distinct domains between 8 April and 9 May 2025, through a total of 74,617 DNS requests.
We then checked the 44,062 domains against First Watch Malicious Domains Data Feed and found that 3,320 were listed. Notably, 3,319 of these domains had creation dates prior to the FBI’s warning date. Specifically, their creation dates ranged up to 813 days before the alert was released with an average lead time of 419 days.
Interestingly, the FBI also reported creation dates for the 42,515 LabHost PhaaS campaign domain IoCs as part of their warning, allowing for a comparison between the FBI’s reported dates and those recorded by First Watch. While many of the FBI’s dates overlapped with those from First Watch, notable divergences emerged. In fact, First Watch more frequently reported earlier creation dates than the FBI, suggesting possible differences in data sources.
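The two measurements above, lead time relative to the 29 April 2025 alert and the First Watch versus FBI creation-date comparison, are simple to reproduce once the dates are in hand. The following is an added example of that computation, not code from the post; the records are constructed (the domain names and dates are illustrative, with one row chosen so that its lead time equals the 813-day maximum the post reports), and a `None` First Watch date stands in for a domain not present in that feed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ALERT_DATE = date(2025, 4, 29)   # FBI warning date given in the post


@dataclass
class Record:
    domain: str
    fbi_created: date            # creation date as reported in the FBI list
    fw_created: Optional[date]   # creation date recorded by First Watch, None if unlisted


# Constructed sample rows, not taken from either the FBI list or First Watch.
SAMPLE: List[Record] = [
    Record("early-bank-login.example", date(2024, 1, 15), date(2023, 2, 6)),   # First Watch earlier
    Record("parcel-fee.example", date(2024, 11, 1), date(2024, 11, 1)),        # same date
    Record("stream-renew.example", date(2025, 3, 20), date(2025, 4, 10)),      # FBI earlier
    Record("post-alert.example", date(2025, 5, 2), date(2025, 5, 2)),          # created after the alert
    Record("unlisted.example", date(2024, 6, 30), None),                       # not in First Watch
]


def lead_time_days(created: date, alert: date = ALERT_DATE) -> int:
    """Days between creation and the alert; positive means created before the alert."""
    return (alert - created).days


def lead_time_stats(records: List[Record]) -> Dict[str, float]:
    """The post's measure over First Watch dates: how many listed domains predate
    the alert, and the maximum and mean lead time among those that do."""
    leads = [lead_time_days(r.fw_created) for r in records if r.fw_created is not None]
    prior = [d for d in leads if d > 0]
    return {
        "listed": len(leads),
        "prior_to_alert": len(prior),
        "max_lead_days": max(prior) if prior else 0,
        "mean_lead_days": round(sum(prior) / len(prior), 1) if prior else 0.0,
    }


def compare_sources(records: List[Record]) -> Dict[str, int]:
    """Count how often First Watch's creation date is earlier than, equal to,
    or later than the FBI's for the same domain (unlisted domains are skipped)."""
    counts = {"first_watch_earlier": 0, "same": 0, "fbi_earlier": 0}
    for r in records:
        if r.fw_created is None:
            continue
        if r.fw_created < r.fbi_created:
            counts["first_watch_earlier"] += 1
        elif r.fw_created == r.fbi_created:
            counts["same"] += 1
        else:
            counts["fbi_earlier"] += 1
    return counts


if __name__ == "__main__":
    print(lead_time_stats(SAMPLE))
    print(compare_sources(SAMPLE))
```

Domains created on or after the alert date are excluded from the lead-time average on purpose; including them with negative values would drag the mean down and misstate how early the feed flagged the rest.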
We also queried Subdomains Lookup API and discovered that only a minority of the 44,062 domains had retrievable subdomains, 61,727 in total. We further scrutinized the 13,239 unique last-level subdomain values (i.e., leftmost labels) and determined that www, mail, webmail, cpanel, webdisk, smtp, ftp, whm, pop, and localhost comprised the top 10.
Next, we queried the 44,062 domains (those from the FBI list plus the net new typosquatting domains) on DNS Lookup API and found that 1,371 of them had 3,541 active IP resolutions. After deduplication, 1,346 unique IP addresses remained: 879 IPv4 and 467 IPv6 addresses.
A Bulk IP Geolocation Lookup query for the 1,346 IP addresses, meanwhile, showed that they were split into 41 geolocation countries topped by the U.S., Germany, the Netherlands, Russia, China, Canada, the U.K., Singapore, India, and Australia. Four had no geolocation countries on record.
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.