The Apothecary Is ClearFake. PDR Ltd Registered All 32 Wings in 24 Hours. IANA 303.
- Patrick Duggan
- 36 minutes ago
- 4 min read
We posted twelve hours ago about a fresh malware-delivery cluster on the .bet TLD that our PreCog Sweep flagged at 23:56 UTC on April 30. Five botanical-themed subdomains. We named it The Apothecary.
A few hours later, the URLhaus and SSLBL feeds caught up overnight and the cluster grew to thirty-two parent .bet domains hosting 184 subdomains, all serving the same path /software-distribution-dxnp2c7/meta-verify.index. We posted again about the broader umbrella, called the campaign DXNP2C7 after its path-signature token, and acknowledged that the wing themes were diverse — botanical, physics-tech, gambling, thermal, algorithmic, edge.
That post called the cluster "fresh, unknown, no operator name yet."
That post was wrong on every one of those counts. The receipts came in over lunch. We deleted that post. This is the one with the receipts.
The framework. ClearFake.
URLhaus classifies all 200 cluster IOCs as malware_family equals ClearFake. Not a fresh actor. Not net-new. ClearFake is a malware-delivery framework operating since 2023 — fake browser-update lures, sophisticated TLS fingerprinting, Cloudflare-fronted distribution. The DXNP2C7 wave is the latest campaign-instance running on top of the framework. Every URL in every wing carries the dxnp2c7 token. That is the framework's customer ID for this batch, sticky across every page the operator stood up.
The registrar. PDR Ltd, doing business as PublicDomainRegistry.com. IANA Registrar ID 303.
We pulled the RDAP for eight cluster parents — goddess-tapir.bet, colorfu1prep.bet, vectorpathsys.bet, mist5qora.bet, dismemb7harlot.bet, quantumbitlink.bet, lookin8back.bet, flo3xaren.bet. Eight for eight, same answer. Registrar IANA ID 303. PDR Ltd. India-based registrar with a long history of hosting cybercriminal infrastructure across multiple TLDs and frameworks.
The registration window. April 29 through April 30, 2026. Twenty-four hours.
Every sampled parent registered through PDR within the same forty-eight-hour push. Mist5qora and flo3xaren on April 29. Goddess-tapir, colorfu1prep, vectorpathsys, dismemb7harlot, quantumbitlink, lookin8back on April 30. One-year expirations across the board — the cheapest available term, throwaway pattern, no investment in continuity. The "last changed" timestamps cluster a day or two after registration, consistent with operator onboarding the domains to Cloudflare immediately after the WHOIS handoff.
The fronting. Cloudflare, three accounts.
Every parent that currently resolves points to Cloudflare anycast IPs — 104.21.x.x and 172.67.x.x. Standard ClearFake MO. What is interesting is the nameserver assignment. Cloudflare assigns nameserver pairs per Cloudflare account — the pair is the account's fingerprint. Across the cluster we see three distinct pairs.
First — louis dot ns dot cloudflare dot com paired with melina dot ns dot cloudflare dot com. Three parents in this account: goddess-tapir, colorfu1prep, chaevodh0t. The botanicals plus thermal.
Second — arnold dot ns dot cloudflare dot com paired with elle dot ns dot cloudflare dot com. Five parents in this account: lookin8back, dusherport2ge, technic2lweak, everfo7mat, dismemb7harlot. The mixed-theme account.
Third — dimitris dot ns dot cloudflare dot com paired with georgia dot ns dot cloudflare dot com. Five parents in this account: dis9ualescapes, coraprimat0sis, producer5chming, retellin8tolle, convinc8mission. The algorithmic-and-disturbing account.
Three Cloudflare accounts is a real signal. It argues against the simplest one-operator hypothesis. Either the operator is compartmentalizing — three accounts so a single Cloudflare abuse takedown does not collapse the whole cluster — or DXNP2C7 is a Distribution-as-a-Service kit for which the domains were bulk-registered through PDR, and the wings are sub-tenants each running the same kit from their own Cloudflare account.
Either is consistent with what we see at the registrar layer. PDR will register thirty-two domains for one customer in a single batch and not blink — they will also do it for thirty-two customers buying the same kit through an affiliate program. Both are commercially indistinguishable from where we sit.
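The nameserver-pair pivot described above, as an added example (not code from this post or from any vendor tooling): it normalises each pair into an order-independent account key, checks that every pair is Cloudflare-assigned, and groups the parents the post lists by account. The observation list is constructed from the domains and nameserver pairs named in the post; a real pivot would populate it from NS lookups or RDAP.

```python
"""Infrastructure pivot: group campaign parents by Cloudflare nameserver pair.

Cloudflare assigns each account a fixed pair of nameservers, so two domains
that share a pair are very likely in the same Cloudflare account.  The data
below is a constructed sample built from the parents the post lists; in
practice you would populate it from NS lookups or RDAP.
"""
from collections import defaultdict

CLOUDFLARE_NS_SUFFIX = ".ns.cloudflare.com"

# (domain, (ns1, ns2)) -- pair order, case and trailing dots are deliberately
# inconsistent to show that the fingerprint normalises all three.
NS_OBSERVATIONS = [
    ("goddess-tapir.bet",   ("louis.ns.cloudflare.com",    "melina.ns.cloudflare.com")),
    ("colorfu1prep.bet",    ("melina.ns.cloudflare.com",   "louis.ns.cloudflare.com")),
    ("chaevodh0t.bet",      ("louis.ns.cloudflare.com.",   "melina.ns.cloudflare.com.")),
    ("lookin8back.bet",     ("arnold.ns.cloudflare.com",   "elle.ns.cloudflare.com")),
    ("dusherport2ge.bet",   ("arnold.ns.cloudflare.com",   "elle.ns.cloudflare.com")),
    ("technic2lweak.bet",   ("elle.ns.cloudflare.com",     "arnold.ns.cloudflare.com")),
    ("everfo7mat.bet",      ("arnold.ns.cloudflare.com",   "elle.ns.cloudflare.com")),
    ("dismemb7harlot.bet",  ("ARNOLD.ns.cloudflare.com",   "elle.ns.cloudflare.com")),
    ("dis9ualescapes.bet",  ("dimitris.ns.cloudflare.com", "georgia.ns.cloudflare.com")),
    ("coraprimat0sis.bet",  ("dimitris.ns.cloudflare.com", "georgia.ns.cloudflare.com")),
    ("producer5chming.bet", ("georgia.ns.cloudflare.com",  "dimitris.ns.cloudflare.com")),
    ("retellin8tolle.bet",  ("dimitris.ns.cloudflare.com", "georgia.ns.cloudflare.com")),
    ("convinc8mission.bet", ("dimitris.ns.cloudflare.com", "georgia.ns.cloudflare.com")),
]


def ns_fingerprint(pair):
    """Normalise a nameserver pair into an order-independent account key."""
    return tuple(sorted(h.lower().rstrip(".") for h in pair))


def is_cloudflare_fronted(pair):
    """True when both nameservers are Cloudflare-assigned."""
    return all(h.endswith(CLOUDFLARE_NS_SUFFIX) for h in ns_fingerprint(pair))


def cluster_by_ns(observations):
    """Map each nameserver fingerprint to the domains that use it."""
    clusters = defaultdict(list)
    for domain, pair in observations:
        clusters[ns_fingerprint(pair)].append(domain)
    return dict(clusters)


def account_summary(observations):
    """Return (distinct_accounts, all_cloudflare, sorted cluster sizes)."""
    clusters = cluster_by_ns(observations)
    sizes = sorted(len(v) for v in clusters.values())
    all_cf = all(is_cloudflare_fronted(pair) for _, pair in observations)
    return len(clusters), all_cf, sizes


if __name__ == "__main__":
    for key, domains in cluster_by_ns(NS_OBSERVATIONS).items():
        print(f"{' / '.join(key)}: {len(domains)} parents -> {', '.join(domains)}")
    n, cf, sizes = account_summary(NS_OBSERVATIONS)
    print(f"{n} distinct Cloudflare accounts (all Cloudflare-fronted: {cf}), sizes {sizes}")
```

A count above one from account_summary is what the post treats as the signal against the single-account reading; the same grouping applied to a fresh NS pull is how you would notice a fourth account appearing as the parent list keeps changing.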
The ground-truth IOC. The path.
If you are hunting this cluster, the parent-domain list is going to keep changing. The themed wings are bait. The path signature is the receipt — /software-distribution-dxnp2c7/meta-verify.index. That string is on every URL across every wing. Block the path, you block the cluster. The dxnp2c7 token will rotate eventually as the operator moves to the next campaign instance, but right now, today, that string is what ties everything back to one kit.
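The host-agnostic path hunt, as an added example rather than anything shipped by this vendor: it matches the full path on any host, anchored so that lookalike suffixes do not fire, and captures the campaign token so that a rotated token still surfaces as a variant hit instead of being missed. The proxy log lines are constructed (the subdomain label, the example.net/example.org hosts and the zz8rotated token are placeholders); only the path and the .bet parents come from the post.

```python
"""Hunt for the DXNP2C7 path signature in proxy logs, host-agnostic.

The stable IOC is the path, not the domain.  This example matches the path on
any host and also captures the campaign token so that a rotated token still
surfaces as a 'variant-token' hit.  Log lines are constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit

KNOWN_TOKENS = {"dxnp2c7"}  # from the post; extend as new instances are confirmed

# Anchored to the full path so partial lookalikes (e.g. a .bak suffix) do not fire.
PATH_RE = re.compile(
    r"^/software-distribution-(?P<token>[a-z0-9]+)/meta-verify\.index$", re.IGNORECASE
)

# Constructed, simplified proxy log: "<ts> <client> <method> <url> <status>".
# 'sub1' is a placeholder subdomain label and 'zz8rotated' a placeholder token.
SAMPLE_LOG = """\
2026-05-01T00:12:03Z 10.0.0.14 GET https://goddess-tapir.bet/software-distribution-dxnp2c7/meta-verify.index 200
2026-05-01T00:12:09Z 10.0.0.14 GET https://sub1.colorfu1prep.bet/Software-Distribution-DXNP2C7/meta-verify.index 200
2026-05-01T00:13:41Z 10.0.0.22 GET https://cdn.example.net/software-distribution-dxnp2c7/meta-verify.index.bak 200
2026-05-01T00:14:05Z 10.0.0.31 GET https://example.org/updates/index.html 304
2026-05-01T00:15:58Z 10.0.0.14 GET https://mist5qora.bet/software-distribution-zz8rotated/meta-verify.index 200
"""


def classify_url(url):
    """Return (token, host) if the URL path matches the signature, else None."""
    parts = urlsplit(url)
    m = PATH_RE.match(parts.path)
    if not m or not parts.hostname:
        return None
    return m.group("token").lower(), parts.hostname.lower()


def registrable_parent(host):
    """Collapse a subdomain to its parent; adequate for a single-label TLD like .bet."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def hunt(log_text, known_tokens=KNOWN_TOKENS):
    """Scan log lines and return hits tagged as known campaign or variant token."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the sweep
        found = classify_url(fields[3])
        if found is None:
            continue
        token, host = found
        hits.append({
            "ts": fields[0],
            "client": fields[1],
            "host": host,
            "parent": registrable_parent(host),
            "token": token,
            "verdict": "known-campaign" if token in known_tokens else "variant-token",
        })
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} -> {h['parent']} ({h['token']}): {h['verdict']}")
```

The variant-token verdict is the part worth keeping when the operator moves to the next campaign instance: the path shape outlives the token, so a hit with an unrecognised token is a lead to confirm, not a miss.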
The DNS data. The TXT records. The Tor question.
Zero TXT records on every cluster parent we checked. No SPF, no DKIM, no domain-verification metadata for any third-party platform. These domains are not pretending to send email or pass any kind of identity check — pure malware-delivery hosts. That is consistent with the throwaway-registrar pattern.
Zero Tor correlation. Every cluster IOC in our index has torExitNode equals false. The cluster does not use Tor exits, does not run hidden-service sister domains, does not appear in our tor_relays archive. ClearFake is a Cloudflare-fronted operation, not a Tor-fronted one. The threat model does not change for defenders running egress filtering — block on path or on Cloudflare cert metadata, not on Tor lists.
The 95-percent cap.
The framework attribution to ClearFake is at high confidence — URLhaus has been tracking ClearFake since 2023 and their classifier is consistent with the cluster's TTPs. The registrar attribution to PDR Ltd is at 100 percent — IANA ID 303, written in stone in the RDAP responses. The single-operator-versus-affiliate hypothesis is at 60-40 in favor of compartmentalized one-operator, given the path-signature consistency across all three Cloudflare accounts. We hold the affiliate hypothesis open until we get malware samples back and can compare landing-page hashes across wings — if the JavaScript on every wing is byte-identical, one operator. If wings have distinct landing-page hashes, multiple subscribers.
The actor behind ClearFake itself remains unattributed in public threat-intel — researchers have studied the framework for two years without converging on a named group. We are not going to break that today on a holiday.
What we shipped.
Indexed an umbrella record into iocs with framework=ClearFake, parent_count=32, subdomain_count=184, registrar=PDR-IANA-303. Customers pulling our STIX feed get the umbrella in their next pull. The 184 individual subdomain records were already in the index from URLhaus and SSLBL — re-tagging would add noise without value. Path signature does the implicit clustering.
Free tier sees 48-hour delayed data — your STIX feed will not show this campaign until Sunday. Paid tiers are real-time.
Receipts at the search API. Hunt query is the path. Cap stays at ninety-five.