add bkengineersindia.com to add-wildcard-domain

[g0d33p3rsec]

Phishing Domain/URL/IP(s):

https://bkengineersindia.com/M3AzSDVuMUQ3SjNZOWw=
https://bkengineersindia.com/M2sxMzhFNm4wZjNJNnk=
https://bkengineersindia.com/M04zTjF1MVE0MTNPNVk=
https://bkengineersindia.com/MnU4RDM4MTE5MDQyNG0=
https://bkengineersindia.com/M0QyMTlMME01VDh3MmE=
https://bkengineersindia.com/M0UzbDNlN244bzhzN1A=
https://bkengineersindia.com/M1oyeTlnN1g0VDh1OFk=
https://bkengineersindia.com/MWkwYjcwMGE3dzdDMjc=
http://bkengineersindia.com/M3czejVmOTU0UzJWNVE=
http://bkengineersindia.com/MzUzUzU1OUQ0eTFPNzY=
http://bkengineersindia.com/M2szRjV4OVUyTzg0OHk=
https://bkengineersindia.com/M3kzUDZwMDMwYTYzOWI= 
https://bkengineersindia.com/M0gzdjUwOXc3RzZINnI=
http://bkengineersindia.com/M2kzdjVNOWQ3QzN4OEE=
http://bkengineersindia.com/Mjc3cjN4MmwzUzQwN2E=
http://bkengineersindia.com/MjEwaDl4NmI5ejVnMnE=
http://bkengineersindia.com/M3IzQjM1MDUxRDhXMEU=
http://bkengineersindia.com/M2EySDV2NTU1MDFmOUE=
http://bkengineersindia.com/M2IzZzVKOUgzejFDMTU=
http://bkengineersindia.com/M1oxbTd1M0w4azlGOE0=
http://bkengineersindia.com/M3owcDRmOFQ4WTJPMkU=
http://bkengineersindia.com/M3UyNDZEME85UjRNNkQ=
http://bkengineersindia.com/M2EzWTV4Nko4YTFIOHc=
http://bkengineersindia.com/M2UzcDVTN0w1YTBqNGg=
http://bkengineersindia.com/M20zQzVmOVUxdzk4MWQ=
http://bkengineersindia.com/M0wzMTVFOXk0SzVPNmE=
http://bkengineersindia.com/M24zdDZMMTAxUjhqMmg=
http://bkengineersindia.com/MzMxOTJWMGYwcTN1Mm4=
http://bkengineersindia.com/MzYzUjExODI5SjVkMGU=
http://bkengineersindia.com/M0QxbDM5M3Y5UjQwNkk=
http://bkengineersindia.com/M3YzTTZDMFA1STdXN3c=
http://bkengineersindia.com/M24zWTZNMHYxWDRMOUM=
http://bkengineersindia.com/M3kzUDZwMDMwYTYzOWI=

Impersonated domain

https://www.microsoft.com/
https://www.instagram.com/
https://x.com/
https://www.betway.co.za
https://ff.garena.com
https://www.zimbra.com/
https://ww1.ukzn.ac.za/
https://www.wsu.ac.za/

Describe the issue

This domain is now hosting the phishing kit that was previously at englishplusmore[.]com(#404), carnesboinobre[.]com[.]br(#398), technowide[.]com[.]tr(#396), jestertunes[.]com (#393), safecartusa[.]com (#391), foreverfarley[.]com (#387), azezieldraconous[.]com (#381), westernautomobileassembly[.]com (#376) , littleswanaircon[.]com[.]sg (#372), iwan2travel[.]com(#370 ), applesforfred[.]com (#369), theaerie[.]ca (#367), nico[.]sa (#366), ajstelecom[.]com[.]mx (#362), and many others (approximately 120 domains since 2021).

Related external source

Screenshot

Click to expand

[g0d33p3rsec]

I'm noticing that most hosts seem to be vulnerable to CVE-2008-3844 when I run them through Shodan.
https://www.shodan.io/host/166.62.28.145

compare with the host that was being used yesterday
https://www.shodan.io/host/50.87.249.228

This is a vuln that has consistently shown up on hosts related to this activity group. It may be of limited anticipatory use, but I'm still going to keep an eye on it.

[g0d33p3rsec]

[g0d33p3rsec]

Site was back up this morning.