The Apothecary Was One Wing. The Real Cluster Is 32 Wings, 184 Subdomains, One Path Signature.

  • Writer: Patrick Duggan

We named "The Apothecary" twelve hours ago. Five botanical-themed subdomains on .bet TLD, freshly precog'd at 23:56 UTC. Soil. Stem. Leaf. Bloom-coded malware delivery.


That post was right within its scope. It was also looking at the tip of an iceberg.


The actual cluster, as the URLhaus and SSLBL feeds caught up overnight, is 32 parent .bet domains hosting 184 subdomains, all serving the same path. The shared signature is the receipt: /software-distribution-dxnp2c7/meta-verify.index — every URL across every wing carries it. The dxnp2c7 token is a campaign-instance identifier, the kind of string an operator drops into a templating system once and then never thinks about again. Same operator. Same kit. Multiple themed wings to spread the load and complicate downstream attribution.


Here is the wing breakdown. Themes we are pretty confident about, plus the parent domains.


Botanical (the original Apothecary). goddess-tapir.bet. colorfu1prep.bet. verd7loka.bet. Subdomains read like a grow-op manifest — soil9siteview, leafhostunit, stem4pathgate, rootmeshsite, grow6taskhub, wild3logicway, glow8siteview, fade2pathgate, huemeshnode, tint7logicnet, rich4taskhub, starthostunit. The naming generator is consistent across every wing — noun, digit, activity-noun. The botanicals are simply one vocabulary the generator was given.


Physics and tech. vectorpathsys.bet. quantumbitlink.bet. cryptosyncflow.bet. torquegridunit.bet. kineticgatehub.bet. tensorlogicbox.bet. inertianetway.bet. matrixhostbit.bet. fluxunitzone.bet. staticmeshview.bet. Subdomain examples: codemeshsite, hash3logicway, key6taskhub, lock5pathgate. This wing is built for the security-buyer aesthetic — every name reads like an EDR vendor's blog post.


Gambling and poker. lo4miren.bet. mist5qora.bet. niva2ron.bet. peta1vrix.bet. so8laven.bet. thora9xel.bet. lookin8back.bet. dis9ualescapes.bet. Reels, dice, slots, folds, deals, aces, plays. Same generator, gambling vocabulary plug.


Thermal. grov6mira.bet. chaevodh0t.bet. Burnmeshnode, fire2taskhub, melt8pathgate, heat5logicnet, ionhostunit. Edgy enough to look like a leaked APT-naming workshop, generic enough to not hit any reputation list.


Algorithmic gibberish. flo3xaren.bet. dusherport2ge.bet. technic2lweak.bet. everfo7mat.bet. coraprimat0sis.bet. producer5chming.bet. Subdomains here drop the noun-digit-activity convention sometimes — short alphanumeric strings, consistent with the registration noise these operators usually use as throwaway sinkholes.


Disturbing or edge. dismemb7harlot.bet. retellin8tolle.bet. convinc8mission.bet. Subdomain examples: meadopacka, darkdelivery. The themes here are unnerving in a way that suggests the generator dictionary is not curated past a basic profanity filter, or the operator is doing it on purpose. Probably the former.


The path signature is what carries the load.


If your defenders are hunting the Apothecary cluster, hunt for the path. /software-distribution-dxnp2c7/meta-verify.index. That string is the umbrella IOC. It does not matter what the parent domain is themed around — it is going to keep changing as the operator rolls registrations. The path identifier is sticky. We expect the operator to rotate eventually — dxnp2c7 will become dx-something-else — but right now, today, that string is the receipt that ties every wing back to the same kit.


A practical hunt for any SOC reading this:


Pull your DNS logs for the last seven days. Filter for any A or AAAA query against any subdomain under the .bet TLD. If you find requests, walk the path — check which HTTP path was hit. Anything matching software-distribution-dxnp2c7 is in the cluster. The 184 subdomains we have indexed are not the universe. URLhaus is still discovering the cluster as we publish this post; expect the parent count to climb past 32. The wings are small and stand up fast. Pivot off the path, not the parent.
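The hunt above as runnable detection logic, added here as an example rather than tooling from the post. The DNS and proxy log lines and their field layout are constructed; only the .bet TLD and the path signature come from the post, and the regex that tolerates a rotated token assumes the /software-distribution-&lt;token&gt;/meta-verify.index template stays stable when dxnp2c7 changes.

```python
import re
from urllib.parse import urlsplit

# Added hunt example, not tooling from the post. Log lines are constructed;
# only the .bet TLD and the path signature are taken from the post.
PATH_SIG = "/software-distribution-dxnp2c7/meta-verify.index"
# Assumption: the operator rotates only the campaign token, so match the
# template and capture the token to surface the rotation when it happens.
PATH_TEMPLATE = re.compile(
    r"^/software-distribution-(?P<token>[a-z0-9]+)/meta-verify\.index$")
DNS_RE = re.compile(r"client=(\S+) qtype=(A|AAAA) qname=(\S+)")
PROXY_RE = re.compile(r"client=(\S+) \w+ (\S+) (\d{3})")

DNS_LOG = """\
2024-05-01T09:12:01Z client=10.0.4.17 qtype=A qname=soil9siteview.goddess-tapir.bet
2024-05-01T09:12:03Z client=10.0.4.17 qtype=AAAA qname=updates.example.com
2024-05-01T09:13:44Z client=10.0.7.2 qtype=A qname=key6taskhub.quantumbitlink.bet
2024-05-01T09:13:50Z client=10.0.7.2 qtype=TXT qname=lo4miren.bet
"""

PROXY_LOG = """\
2024-05-01T09:12:02Z client=10.0.4.17 GET http://soil9siteview.goddess-tapir.bet/software-distribution-dxnp2c7/meta-verify.index 200
2024-05-01T09:12:05Z client=10.0.4.17 GET https://updates.example.com/software-distribution-dxnp2c7/meta-verify.index 404
2024-05-01T09:13:45Z client=10.0.7.2 GET http://key6taskhub.quantumbitlink.bet/software-distribution-dx9q1f3/meta-verify.index 200
2024-05-01T09:14:00Z client=10.0.9.9 GET http://cdn.example.net/index.html 200
"""

def bet_queries(dns_log):
    """Step 1: A/AAAA lookups for any name under the .bet TLD (TXT etc. ignored)."""
    hits = []
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and m.group(3).rstrip(".").lower().endswith(".bet"):
            hits.append((m.group(1), m.group(3)))
    return hits

def path_hits(proxy_log):
    """Step 2: walk the HTTP path. Flag on the path alone, whatever the host,
    because the parent domains rotate and the path is the sticky IOC."""
    hits = []
    for line in proxy_log.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        client, parts = m.group(1), urlsplit(m.group(2))
        pm = PATH_TEMPLATE.match(parts.path)
        if pm:
            hits.append({"client": client, "host": parts.hostname,
                         "token": pm.group("token"),
                         "exact": parts.path == PATH_SIG})
    return hits
```

A hit with `exact` False is the signal that the token has rotated and the umbrella IOC needs updating.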


What we have done about it.


Indexed an umbrella record into our iocs index — search analytics.dugganusa.com/api/v1/search?q=Apothecary+Umbrella and you get the campaign object back, with the full parent-domain list and the path signature in the structured fields. Customers pulling our STIX feed get the umbrella in the next pull. The 184 individual subdomain records were already in the index from URLhaus and SSLBL — we did not need to re-tag them. The path signature does the implicit clustering.


If you are operating under our Free tier, your delay is forty-eight hours. Right now your STIX pull would not show this campaign yet. If you are paying, it is live. The choice of where to sit on that curve is reasonable either way; the campaign is fresh and the operator is still standing up wings as we type.


The 95 percent cap.


The 32-wing attribution to one operator is at high confidence based on the path-signature evidence. Same kit, same templating, same dxnp2c7 token everywhere. We are not at 100 percent because there is a non-zero chance the operator is renting the kit to subscribers, in which case the wings are several customers using one Distribution-as-a-Service provider. If that is the case, the IOCs still cluster correctly for defensive purposes — block the path, you block the campaign — but attribution-style analysis would need to handle the kit-rental hypothesis. For most defenders, this distinction does not matter. For threat researchers, hold the question open until we get malware samples back.


We named the botanical wing The Apothecary. The umbrella does not have a name yet. The operator does not have a name yet. The kit does not have a vendor we can point a finger at.


We have the path. We have the receipts. We have the hunt query.


Murphy was an optimist. Cap stays at ninety-five.

