
We Named It The Apothecary — A Fresh Malware Delivery Cluster

  • Writer: Patrick Duggan
  • 21 minutes ago
  • 4 min read



Our left-of-boom precursor sweep ran tonight at 23:56 UTC and surfaced five novel domains never seen by our pipeline before — all malware delivery, all on the .bet TLD, all sharing a naming convention specific enough to constitute a fingerprint. URLhaus had flagged them within hours; nobody else had named the cluster yet. So we did.


The name we picked: The Apothecary.


The five domains






Two parent domains. Both .bet TLD. Five subdomains following a tight syntactic pattern: [botanical-or-color noun][optional digit][network noun]. Hue, tint, soil, stem, leaf paired with mesh, logic, site, path, host. The vocabulary is half garden, half network engineering.


Why The Apothecary



Three signals layered into the naming choice:


The botanical lexicon. Hue, tint, soil, stem, leaf are an apothecary's herb shelf — color-tinctures, soil-grown roots, woody stems, leaf preparations. The subdomains read like the labels on a pharmacist's drawers. A real coder names project servers auth1, worker-eu-west-2, api-prod. This actor names them as if they were tonics. That deliberate semantic choice is the operator's signature.


The colorfu1prep.bet homoglyph. "Colorful preparations" with the digit 1 substituted for the lowercase l. That is the apothecary's classic deception — substituting one ingredient for another, banking on the customer not looking closely at the label. Same trick in 2026 as it was in 1626.


The .bet TLD. A wager. The apothecary sold cures and the apothecary sold poisons; the customer didn't always know which one was in the bottle. URLhaus lists these specifically as malware delivery; the .bet choice is the actor's wink at the buyer that the dose is unknown until taken.


The second parent, goddess-tapir.bet, is the second wing of the same shop. Tapirs are nocturnal, secretive forest animals — herbivorous in the cover story, defensive in actual practice. A goddess-tapir is the apothecary's totem: hidden, mythic, foraging in low light. The mythology is decorative; the function is the same.


So: The Apothecary — operating at minimum two cabinets (colorfu1prep.bet and goddess-tapir.bet), each with several preparations, each delivered from a subdomain whose name describes the role of the payload in the broader campaign.


The modular drawers



Look at the subdomain functions: mesh, logic, site view, path gate, host unit. That is not random. That is a multi-stage delivery architecture mapped to readable names:


  • mesh — peer-to-peer node discovery layer

  • logic — decision logic, conditional payload selection

  • site view — recon / fingerprinting endpoint that profiles the visiting browser before deciding what to serve

  • path gate — gating logic, "this victim qualifies, route them to the next stage"

  • host unit — the host endpoint that actually delivers the payload


The Apothecary built a vending architecture and labeled the drawers honestly. The customer who knows what they want gets the right preparation; the analyst who notices the labels gets a free taxonomy of the operation.


What we do not yet know



  • Which malware family is being delivered. URLhaus tags only "malware download"; the analyzed payload is not yet in any public report we can find.

  • Whether this is a fresh campaign or an existing actor cluster's new domain rotation. Naming convention does not by itself attribute to a specific operator group.

  • Whether the homoglyph in colorfu1prep extends to other parent domains we haven't seen yet — there may be c0lorfulprep.bet, colorfullprep.bet, or other variants in the larger campaign.

  • The full subdomain inventory. Five caught tonight; the actor's drawer cabinet probably has dozens more. Subdomain enumeration is the obvious next move.


What we do know is the pattern is coherent enough to track. Once an actor commits to a naming convention this distinctive, every future variant gives them away.
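One way to turn the convention into a tracking rule, as an added example that is not the post's or the pipeline's own code: it matches the [noun][optional digit][noun] subdomain pattern described above and folds the colorfu1prep-style digit-for-letter swap before comparing parent labels, so the c0lorfulprep / colorfullprep variants listed as unknowns would also land in the cluster. The role suffixes (view, gate, unit), the confusable table and the sample domains are assumptions constructed for the example.

```python
import re
# Lexicon quoted in the post: botanical/colour nouns paired with network nouns.
HERB_SHELF = ("hue", "tint", "soil", "stem", "leaf")
NETWORK = ("mesh", "logic", "site", "path", "host")
ROLE = ("view", "gate", "unit")  # assumption: drawer roles may trail the network noun
# [botanical-or-color noun][optional digit][network noun][optional role suffix]
PATTERN = re.compile(
    rf"^(?P<plant>{'|'.join(HERB_SHELF)})(?P<digit>\d)?"
    rf"(?P<net>{'|'.join(NETWORK)})(?P<role>{'|'.join(ROLE)})?$"
)
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # assumed swaps
KNOWN_PARENTS = ("colorfulprep", "goddess-tapir")  # canonical forms of the two cabinets
SAMPLE = [  # constructed for this example, not the five domains from the sweep
    "hue1mesh.colorfu1prep.bet", "leafhostunit.goddess-tapir.bet",
    "soil3path.c0lorfulprep.bet", "stemlogic.colorfullprep.bet", "api-prod.example.com",
]

def classify_subdomain(label):
    """Return the named parts of a label that follows the pattern, else None."""
    m = PATTERN.match(label.lower())
    return m.groupdict() if m else None

def edit_distance(a, b):
    """Plain Levenshtein distance; DNS labels are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parent_variant(label):
    """Map a parent label to the cabinet it matches or imitates (<= 1 edit after folding)."""
    folded = label.lower().translate(CONFUSABLES)
    for known in KNOWN_PARENTS:
        if edit_distance(folded, known) <= 1:
            return known
    return None

def sweep(domains):
    """Flag FQDNs under a known cabinet and note whether the subdomain is a labelled drawer."""
    hits = []
    for fqdn in domains:
        labels = fqdn.lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        sub = labels[0] if len(labels) > 2 else ""  # bare parent domain has no drawer label
        cabinet = parent_variant(labels[-2])
        if not cabinet:
            continue
        parts = classify_subdomain(sub)
        drawer = f"{parts['plant']}+{parts['net']} drawer" if parts else "unlabelled subdomain"
        hits.append((fqdn, f"{drawer} of {cabinet}.{labels[-1]}"))
    return hits
```

Running `sweep(SAMPLE)` flags the four .bet entries and leaves api-prod.example.com alone; feed it the output of subdomain enumeration to grow the inventory.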


What we shipped



The five domains are in our iocs index as of 00:08 UTC tonight, tagged actor=The Apothecary and source=dugganusa-precog-apothecary-2026-04-30. They flow through our STIX feed automatically (free tier, register at https://analytics.dugganusa.com/stix/register for an API key). Anyone consuming our threat-intel feed gets the cluster's domain network as part of tomorrow morning's pull, named under the Apothecary lineage.


If Mandiant later names this cluster UNC-####, fine. If Microsoft names it Storm-####, fine. If CrowdStrike picks an animal name, fine. Different conventions, same cluster, all valid. Our claim is on the receipt — the date we caught it (April 30 2026, 23:56 UTC) and the name we gave it (The Apothecary) before anyone else had a name for it at all.


The principle, stated plainly



Most threat intelligence is downstream of detection. A vendor sees the malware family in their telemetry, names it, publishes. Most analysts wait for that name and consume it.


Left-of-boom intelligence is upstream of detection. The pattern is visible in URLhaus feeds, in subdomain enumeration, in the actor's own naming choices. The pattern does not need a malware family attribution to be tracked — it needs a name and a place to live in an index. Once you have those two things, every future variant the actor ships joins a cluster you already know is real.


The Apothecary now lives in our index. Whatever they do next, we have a place to put it.


See you next time in Flushing.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.
