PoisonSeed Expands Credential Theft Operations with New Domains

PoisonSeed, a well-documented threat actor, has intensified its operations by registering new domains to support its credential theft activity. Since June 1, 2025, DomainTools Investigations has flagged 21 recently registered domains associated with PoisonSeed. While specific targets remain undisclosed, the actor’s historical focus on cryptocurrency platforms and corporate environments underscores the need for vigilance.

These domains, registered through the NiceNIC International Group Co. registrar and hosted on IP addresses linked to Global-Data System IT Corporation (AS42624), contain references to SendGrid and generic digital services like single sign-on portals and login pages. Notable examples include https-loginsg[.]com, sgaccountsettings[.]com, and my-sandgrid[.]com.

DomainTools investigators have shared a comprehensive list of hundreds of domains exhibiting similar registration and hosting characteristics on their GitHub repository, aiding threat hunters and analysts in identifying potential risks.

A key element of PoisonSeed’s strategy involves deploying fake Cloudflare CAPTCHA challenges to deceive visitors. These malicious domains present interstitial pages resembling authentic Cloudflare Ray ID verification screens, complete with fabricated Ray ID strings, aiming to lower user suspicion before redirecting them to phishing sites soliciting enterprise credentials.

Upon harvesting credentials, PoisonSeed operatives are likely to exploit them for subsequent phishing endeavors, lateral movement within compromised corporate networks, or unauthorized entry into cryptocurrency accounts. Previous campaigns have showcased PoisonSeed’s adeptness in combining brand impersonation with social engineering to execute large-scale cryptocurrency extortion via SendGrid-themed phishing.

Notably, PoisonSeed’s tactics closely align with those attributed to the SCATTERED SPIDER adversary group, known for targeting various sectors across the U.S., U.K., and Canada with disruptive and data theft incidents. While direct evidence linking PoisonSeed’s new domains to SCATTERED SPIDER’s breaches is lacking, shared methodologies like fake CAPTCHA interstitials and domain naming conventions suggest a potential operational connection between the two groups.

SCATTERED SPIDER, a part of “The Com” collective, comprises financially motivated cybercriminals specializing in smishing, SIM-swap fraud, and MFA-fatigue attacks. The evolution of PoisonSeed’s techniques may stem from collaboration or turnover within “The Com,” indicating a possible transfer of core tactics from SCATTERED SPIDER to PoisonSeed.

The emergence of PoisonSeed’s infrastructure underscores the increasing sophistication of eCrime actors in credential theft. Security teams are advised to monitor NiceNIC-registered domains referencing SendGrid or SSO, scrutinize inbound traffic for Cloudflare CAPTCHA interstitials from unfamiliar domains, block or redirect known PoisonSeed domains and associated IP addresses, and reinforce multi-factor authentication protocols alongside user-awareness training on CAPTCHA impersonation.
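The monitoring advice above (NiceNIC-registered domains referencing SendGrid or SSO, hosted on AS42624) can be turned into a simple triage score over a feed of new registrations. The following Python is an added example written for this page, not code from the article, GBHackers or DomainTools; the three flagged domains, the registrar and the ASN come from the article, while the feed format, the field names and the two benign records are constructed assumptions.

```python
"""Added example (not from the article or DomainTools): score newly registered
domains against the registrar, hosting and naming characteristics the article
attributes to PoisonSeed infrastructure, so a hunter can rank a daily feed of
registrations for analyst review.
"""
from dataclasses import dataclass
import re

# Infrastructure characteristics quoted in the article.
SUSPECT_REGISTRAR = "nicenic"   # NiceNIC International Group Co.
SUSPECT_ASN = 42624             # Global-Data System IT Corporation (AS42624)

# Naming cues: a SendGrid reference (including the look-alike spelling
# "sandgrid" and the "sg" abbreviation next to a login/account word) and
# generic SSO/login vocabulary.
SENDGRID_CUE = re.compile(
    r"s[ae]ndgr[iy]d|(?:^|-)sg(?:$|-|account|login)|(?:login|account)sg(?:$|-)"
)
GENERIC_AUTH_CUE = re.compile(r"login|signin|sso|account|auth")


@dataclass
class DomainRecord:
    domain: str      # may be defanged with "[.]"
    registrar: str
    asn: int


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


def score(record: DomainRecord):
    """Return (score, reasons) for one record; higher means more cues matched."""
    label = refang(record.domain).lower().rsplit(".", 1)[0]  # drop the TLD
    points, reasons = 0, []
    if SUSPECT_REGISTRAR in record.registrar.lower():
        points += 2
        reasons.append("registrar:NiceNIC")
    if record.asn == SUSPECT_ASN:
        points += 2
        reasons.append("hosting:AS42624")
    if SENDGRID_CUE.search(label):
        points += 2
        reasons.append("name:sendgrid-reference")
    if GENERIC_AUTH_CUE.search(label):
        points += 1
        reasons.append("name:generic-auth")
    if label.startswith(("http-", "https-")):
        points += 1
        reasons.append("name:scheme-prefix")
    return points, reasons


def triage(records, threshold: int = 4):
    """Return [(domain, score, reasons)] at or above threshold, highest first.

    A single cue (for example an unrelated NiceNIC registration) stays below
    the cut; registrar, hosting and naming cues together clear it.
    """
    hits = [(r.domain, *score(r)) for r in records]
    hits = [h for h in hits if h[1] >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed feed: the three domains named in the article plus two benign
# records (registrar name and AS64496 are documentation placeholders).
SAMPLE_RECORDS = [
    DomainRecord("https-loginsg[.]com", "NiceNIC International Group Co.", 42624),
    DomainRecord("sgaccountsettings[.]com", "NiceNIC International Group Co.", 42624),
    DomainRecord("my-sandgrid[.]com", "NiceNIC International Group Co.", 42624),
    DomainRecord("login-portal-example[.]com", "Example Registrar Inc", 64496),
    DomainRecord("sgmarketing-news[.]com", "NiceNIC International Group Co.", 64496),
]

if __name__ == "__main__":
    for domain, points, reasons in triage(SAMPLE_RECORDS):
        print(f"{points:>2}  {domain:<28} {', '.join(reasons)}")
```

The weights are deliberately additive so that no single characteristic is enough on its own: a legitimate NiceNIC customer or a benign domain with "login" in its name scores 1 or 2 and is never surfaced, while the combination of registrar, hosting ASN and SendGrid or SSO naming that the article describes clears the threshold. Swap the constructed list for the DomainTools GitHub list or a registration feed to use it in practice.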

Continuous threat intelligence sharing and collaborative monitoring are paramount in thwarting PoisonSeed’s efforts to compromise enterprise credentials and minimize subsequent repercussions.

Mayura Kathir, a cybersecurity reporter at GBHackers News, covers a range of daily incidents, including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.