Supercharge Your Threat Investigations with IrisQL

In the fast-paced world of threat intelligence, speed and precision are everything. Today, we are thrilled to introduce IrisQL (Iris Query Language), a powerful, text-based evolution of Iris Investigate’s Advanced Search. For years, investigators have relied on our visual UI to pivot through infrastructure. Now, we’re putting the full power of the Iris engine into a structured, readable format that allows you to hunt at the speed of thought.
The insights below contain real-world queries built from active threat campaigns, drawing on an FBI/CISA joint advisory and reporting from Trend Micro, Proofpoint, Microsoft MSTIC, and others.
Disclaimer: Domains and indicators below are sourced from public government advisories and vendor threat reports. They are historical in nature and may not currently be malicious. Always vet IOCs for organizational impact before blocking. Indicators are defanged with [.] throughout; replace [.] with . before pasting a query into Iris, because EXACTLY_IN matches the literal string you supply.
What is IrisQL?
IrisQL (Iris Query Language) is a text-based representation of Iris Investigate's Advanced Search queries. Instead of clicking through dropdown menus, you write structured, readable queries in plain text.
Its standout feature is round-trip editing: build a query visually in the Advanced Search UI, then toggle to IrisQL to see the generated code — or start in IrisQL and watch the UI populate in real-time. Queries are plain text, so they work in any text editor, ticketing system, Slack, or Confluence.
Pro tip: If you're unsure of a field name, build the query visually first, then flip on the IrisQL toggle to see the syntax it generates.
Query anatomy
# IrisQL-1.0 ← Required version header (always needed)
FIELD OPERATOR value ← One condition per line
AND ← Explicit logical AND
FIELD OPERATOR value ← Same field, no AND = implicit OR
All queries must begin with # IrisQL-1.0. Strings use double quotes. Numbers and booleans (true/false) have no quotes. Arrays use square brackets: ["val1", "val2"]. The implicit-OR rule applies to negative operators too: two consecutive DOES_NOT_CONTAIN lines on the same field are OR'd together and exclude only records that match both strings, so put an explicit AND between exclusions you want applied together.
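As an added illustration of these rules (example code written for this post, not part of DomainTools' IrisQL tooling), the Python script below parses query text into AND-groups of OR'd conditions using only the anatomy above, then lints for two mistakes that parse cleanly but return the wrong rows: negative operators chained without AND, and defanged [.] values pasted straight from an advisory. The operator set in NEGATIVE_OPS and the SAMPLE query are assumptions modelled on the queries later in this post; the real grammar may accept more than is shown here.

```python
"""Parse and lint IrisQL text using only the rules the post documents.

Added example, not DomainTools code: the real IrisQL grammar may accept more
than the anatomy shown above. Assumed rules (all taken from the post):
  * the first line is the version header "# IrisQL-1.0"
  * one condition per line: FIELD OPERATOR value
  * a bare AND line separates groups that are all required
  * consecutive conditions on the same field with no AND between them are OR'd
  * strings are double-quoted, arrays use [...], numbers/booleans are bare
NEGATIVE_OPS is an assumption based on the operators the post itself uses.
"""
import json
import re
from dataclasses import dataclass

HEADER = "# IrisQL-1.0"
NEGATIVE_OPS = {"DOES_NOT_CONTAIN", "DOES_NOT_MATCH"}
COND_RE = re.compile(r"^(?P<field>[A-Za-z_][\w:]*)\s+(?P<op>[A-Z_]+)\s+(?P<value>.+)$")


@dataclass
class Condition:
    field: str
    op: str
    value: object


def logical_lines(text):
    """Yield non-blank lines, joining a [...] array that spans several lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        ln = raw.strip()
        if not ln:
            continue
        buf.append(ln)
        depth += ln.count("[") - ln.count("]")   # "[.]" inside a value nets to zero
        if depth < 0:
            raise ValueError("unbalanced ']'")
        if depth == 0:
            yield " ".join(buf)
            buf = []
    if buf:
        raise ValueError("unterminated array")


def parse_irisql(text):
    """Return AND-groups; each group is a list of conditions that are OR'd."""
    lines = list(logical_lines(text))
    if not lines or lines[0] != HEADER:
        raise ValueError(f"query must begin with {HEADER}")
    groups, current = [], []
    for ln in lines[1:]:
        if ln == "AND":
            if not current:
                raise ValueError("AND without a preceding condition")
            groups.append(current)
            current = []
            continue
        m = COND_RE.match(ln)
        if not m:
            raise ValueError(f"not a condition: {ln!r}")
        try:
            value = json.loads(m["value"])   # "str", 75, true, ["a", "b"] are all JSON literals
        except json.JSONDecodeError as exc:
            raise ValueError(f"bad value in {ln!r}") from exc
        cond = Condition(m["field"], m["op"], value)
        if current and cond.field != current[-1].field:
            raise ValueError(f"{cond.field} follows {current[-1].field} without AND")
        current.append(cond)
    if not current:
        raise ValueError("query has no conditions or ends with AND")
    groups.append(current)
    return groups


def lint(groups):
    """Flag two mistakes that parse cleanly but silently return the wrong rows."""
    warnings = []
    for group in groups:
        field = group[0].field
        if len(group) > 1 and all(c.op in NEGATIVE_OPS for c in group):
            warnings.append(f"{field}: {len(group)} negative conditions are OR'd; join them with AND")
        for c in group:
            values = c.value if isinstance(c.value, list) else [c.value]
            if any(isinstance(v, str) and "[.]" in v for v in values):
                warnings.append(f"{field}: defanged value in {c.op}; replace [.] with . before running")
                break
    return warnings


# Constructed sample modelled on queries later in this post, with both mistakes present.
SAMPLE = """# IrisQL-1.0
DOMAIN EXACTLY_IN [
"fragnantbui[.]shop",
"stogeneratmns[.]shop"
]
AND
RISK_SCORE GREATER_THAN 80
AND
ACTIVE MATCHES true
AND
REGISTRANT DOES_NOT_CONTAIN "meta"
REGISTRANT DOES_NOT_CONTAIN "cloudflare"
"""

if __name__ == "__main__":
    for g in parse_irisql(SAMPLE):
        print(" OR ".join(f"{c.field} {c.op} {c.value!r}" for c in g))
    for w in lint(parse_irisql(SAMPLE)):
        print("WARNING:", w)
```

Run it on a query from your wiki before pasting the query into Iris; an AND inserted between the two REGISTRANT exclusions in SAMPLE clears the first warning, and refanging the domain list clears the second.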
1. LummaC2 infostealer — C2 domain infrastructure hunt
FBI/CISA Advisory AA25-141B · May 21, 2025
LummaC2 was the most widespread infostealer of 2024–2025. The FBI/CISA joint advisory lists observed C2 domains — Microsoft DCU seized over 1,000 in May 2025, but new infrastructure continues to emerge. LummaC2 heavily favors .shop, .site, .pw, .top, .live, .run, and .digital TLDs.
Query A — Pivot on known C2 domains from the FBI advisory
IrisQL
# IrisQL-1.0
DOMAIN EXACTLY_IN [
"fragnantbui[.]shop",
"stogeneratmns[.]shop",
"wallkedsleeoi[.]shop",
"reinforcenh[.]shop",
"reliabledmwqj[.]shop",
"gutterydhowi[.]shop",
"ghostreedmnu[.]shop",
"offensivedzvju[.]shop",
"drawzhotdog[.]shop",
"travewlio[.]shop",
"featureccus[.]shop",
"navstarx[.]shop",
"latchclan[.]shop",
"sighbtseeing[.]shop"
]
Query B — Hunt for new LummaC2-style infrastructure by TLD and registrar pattern
IrisQL
# IrisQL-1.0
TLD IN ["shop","pw","site","top","live","run","digital","icu","bet","world","fun","today"]
AND
CREATE_DATE WITHIN "The last 30 days"
AND
RISK_SCORE GREATER_THAN 75
AND
REGISTRAR CONTAINS "namecheap"
Query C — Expand from known LummaC2 name server
IrisQL
# IrisQL-1.0
NAMESERVER_DOMAIN MATCHES "namecheap.com"
AND
TLD IN ["shop","pw","site","top","live","run","digital"]
AND
CREATE_DATE WITHIN "The last 14 days"
AND
RISK_SCORE GREATER_THAN 80
All 27 confirmed LummaC2 C2 domains in the Netskope/WhoisXML campaign analysis were registered with Namecheap, with 22 listing Iceland as the registrant country. Namecheap + high-abuse TLD + recent registration is a repeatable hunt pattern.
2. SocGholish / FakeUpdates — TDS domain detection
Trend Micro Water Scylla · March 2025 | CIS MS-ISAC Top 10 Malware Q2 2025
SocGholish has led the MS-ISAC Top 10 malware list for over two years. It uses Keitaro Traffic Distribution System (TDS) servers to redirect victims from compromised sites to fake browser update pages. Trend Micro's 2025 analysis identified these TDS domains redirecting thousands of compromised websites.
Query A — Known SocGholish TDS domains from Trend Micro 2025 research
IrisQL
# IrisQL-1.0
DOMAIN EXACTLY_IN [
"blackshelter[.]org",
"rednosehorse[.]com",
"newgoodfoodmarket[.]com",
"aitcaid[.]com",
"marvin-occentus[.]net"
]
Query B — Hunt for SocGholish-style TDS infrastructure patterns
# IrisQL-1.0
CREATE_DATE WITHIN "The last 60 days"
AND
REDIRECT_DOMAIN EXISTS true
AND
RISK_SCORE GREATER_THAN 70
AND
TLD IN ["com","org","net"]
AND
REGISTRANT CONTAINS "privacy"
REGISTRANT CONTAINS "redacted"
REGISTRANT CONTAINS "protected"Query C — Netherlands-hosted active domains (SocGholish C2 cluster)
# IrisQL-1.0
IP_COUNTRY_CODE MATCHES "NL"
AND
CREATE_DATE WITHIN "The last 30 days"
AND
RISK_SCORE GREATER_THAN 80
AND
ACTIVE MATCHES true
AND
REGISTRANT DOES_NOT_CONTAIN "meta"
REGISTRANT DOES_NOT_CONTAIN "cloudflare"3. Tycoon 2FA / PhaaS — MFA-bypassing phishing infrastructure
Proofpoint · March 2026 | CrowdStrike Falcon Complete · March 2026 | Europol/Microsoft disruption
Tycoon 2FA was the dominant Phishing-as-a-Service platform of 2024–2025, accounting for 62% of all phishing attempts blocked by Microsoft by mid-2025 and generating over 30 million malicious emails in a single month. 330 domains were seized in a March 2026 law enforcement action, but infrastructure continues to regenerate.
Query A — Microsoft 365 impersonation domains
# IrisQL-1.0
DOMAIN CONTAINS "microsoft"
DOMAIN CONTAINS "office365"
DOMAIN CONTAINS "outlook"
DOMAIN CONTAINS "sharepoint"
AND
DOMAIN DOES_NOT_CONTAIN "microsoft.com"
AND
CREATE_DATE WITHIN "The last 14 days"
AND
RISK_SCORE GREATER_THAN 70
Query B — Fresh AiTM phishing infrastructure via SSL pattern
Check what SSL_ISSUER_COMMON_NAME holds for a domain you know carries a Let's Encrypt certificate before relying on this clause: Let's Encrypt intermediates use short common names such as R3, R10, R11, E5 and E6, and the string "Let's Encrypt" appears in the issuer organization, so a CONTAINS on the common name may need to target those values instead.
# IrisQL-1.0
SSL_ISSUER_COMMON_NAME CONTAINS "Let's Encrypt"
AND
DOMAIN CONTAINS "login"
DOMAIN CONTAINS "signin"
DOMAIN CONTAINS "account"
DOMAIN CONTAINS "secure"
DOMAIN CONTAINS "verify"
AND
CREATE_DATE WITHIN "The last 7 days"
AND
RISK_SCORE GREATER_THAN 75
AND
TLD IN ["com","net","org","io","co"]Query C — .workers.dev subdomain abuse (EvilProxy / PhaaS pattern)
(Keep in mind you may need to change the CREATE_DATE range to pull the data you're looking for)
# IrisQL-1.0
DOMAIN ENDS_WITH ".workers.dev"
AND
WEBSITE_TITLE CONTAINS "login"
WEBSITE_TITLE CONTAINS "sign in"
WEBSITE_TITLE CONTAINS "Microsoft"
WEBSITE_TITLE CONTAINS "Google"
AND
CREATE_DATE WITHIN "The last 30 days"4. Financial sector phishing — brand impersonation
FBI IC3 2024 Internet Crime Report · CISA Phishing Guidance
Financial sector phishing remains the top lure category. This pattern combines major bank keywords, short registration age, high risk score, and common TLDs to surface active phishing infrastructure. Short keywords such as "chase" also match unrelated words (purchase, chaser), and Query A excludes only three of the seven legitimate brand domains, so add DOES_NOT_MATCH lines for the rest and review hits before acting on them.
Query A — Newly registered domains spoofing major U.S. financial brands
# IrisQL-1.0
DOMAIN CONTAINS "chase"
DOMAIN CONTAINS "wellsfargo"
DOMAIN CONTAINS "bankofamerica"
DOMAIN CONTAINS "citibank"
DOMAIN CONTAINS "usbank"
DOMAIN CONTAINS "capitalone"
DOMAIN CONTAINS "paypal"
AND
DOMAIN DOES_NOT_MATCH "chase.com"
AND
DOMAIN DOES_NOT_MATCH "wellsfargo.com"
AND
DOMAIN DOES_NOT_MATCH "bankofamerica.com"
AND
CREATE_DATE WITHIN "The last 14 days"
AND
TLD IN ["com","net","org","info","biz"]
AND
RISK_SCORE GREATER_THAN 70
Query B — Financial SSL subject spoofing
# IrisQL-1.0
SSL_SUBJECT CONTAINS "PayPal"
SSL_SUBJECT CONTAINS "Bank of America"
SSL_SUBJECT CONTAINS "Chase"
SSL_SUBJECT CONTAINS "Wells Fargo"
AND
CREATE_DATE WITHIN "The last 30 days"
AND
RISK_SCORE GREATER_THAN 65
5. LummaC2 — historical registrant email attribution pivot
WhoisXML API / Netskope Lumma Stealer analysis · 2025
WhoisXML API's expansion of confirmed LummaC2 IOCs found 17 historical registrant emails across 6 domains, leading to 228+ connected domains — 18 already tagged malicious. This workflow replicates that attribution technique.
Query A — Historical email pivot
IrisQL — replace email with actor email from your investigation
# IrisQL-1.0
HISTORICAL_EMAIL MATCHES "actor@maliciousdomain.tld"
AND
CREATE_DATE WITHIN "The last 2 years"
AND
RISK_SCORE GREATER_THAN 50
Query B — Iceland registrant cluster (LummaC2 campaign pattern)
# IrisQL-1.0
parsed_whois:REGISTRANT CONTAINS "Iceland"
AND
TLD IN ["shop","site","pw","top","live"]
AND
CREATE_DATE WITHIN "The last 60 days"
AND
RISK_SCORE GREATER_THAN 70
6. APT28 / Forest Blizzard — DNS hijacking infrastructure (FrostArmada)
Microsoft MSTIC / Lumen Black Lotus Labs · April 2026
APT28 (GRU Unit 26165) compromised SOHO routers to hijack DNS and conduct AiTM attacks. At peak in December 2025, over 18,000 IPs from 120 countries communicated with APT28 infrastructure targeting foreign ministries, law enforcement, and cloud providers. Short substrings such as "owa", "gov" and "mfa" match many unrelated names, so the country, certificate and risk constraints in the queries below do most of the filtering; expect to triage the results.
Query A — Outlook Web Access impersonation domains
# IrisQL-1.0
DOMAIN CONTAINS "outlook"
DOMAIN CONTAINS "owa"
DOMAIN CONTAINS "webmail"
AND
DOMAIN DOES_NOT_MATCH "outlook.com"
AND
DOMAIN DOES_NOT_MATCH "office.com"
AND
IP_COUNTRY_CODE IN ["RU","BY","KZ"]
AND
CREATE_DATE WITHIN "The last 6 months"
AND
RISK_SCORE GREATER_THAN 70
Query B — Government / MFA login page lookalikes targeting European agencies
# IrisQL-1.0
DOMAIN CONTAINS "gov"
DOMAIN CONTAINS "ministry"
DOMAIN CONTAINS "foreign"
DOMAIN CONTAINS "mfa"
AND
CREATE_DATE WITHIN "The last 90 days"
AND
SSL_ISSUER_COMMON_NAME CONTAINS "Let's Encrypt"
AND
RISK_SCORE GREATER_THAN 75
AND
ACTIVE MATCHES true
7. RansomHub pre-encryption reconnaissance
Darktrace · May 2025 | Trend Micro Water Scylla · March 2025
RansomHub frequently uses SocGholish for initial access. Pre-ransomware staging involves Cobalt Strike beacons, NetSupport RAT, and bulletproof hosting infrastructure registered to known high-abuse ASNs.
Query A — Cobalt Strike staging domain patterns
# IrisQL-1.0
DOMAIN CONTAINS "update"
DOMAIN CONTAINS "cdn"
DOMAIN CONTAINS "static"
AND
TLD IN ["com","net","io"]
AND
CREATE_DATE WITHIN "The last 30 days"
AND
RISK_SCORE GREATER_THAN 80
AND
IP_COUNTRY_CODE IN ["RU","NL","UA","BZ"]
AND
SSL_HASH EXISTS false
Query B — Bulletproof hosting ASN pivot
IrisQL — update ASNs from current threat feed data
# IrisQL-1.0
ASN MATCHES "209588"
ASN MATCHES "59711"
ASN MATCHES "197695"
AND
CREATE_DATE WITHIN "The last 60 days"
AND
ACTIVE MATCHES true
AND
RISK_SCORE GREATER_THAN 70
8. Typosquatting at scale — bulk-registered brand lookalikes
Picus Security Red Report 2026 (via CircleID) · April 2026
The Red Report 2026 found that 23 of 104 IOC domains belonged to typosquatting groups that had been bulk-registered with between 2 and 936 lookalikes each, and that 28 of the IOC domains were detectable as likely malicious 46 to 516 days before they were publicly reported.
Query A — Brand lookalike sweep (replace with your brand)
IrisQL — replace "yourcompanyname" with your brand
# IrisQL-1.0
DOMAIN BEGINS_WITH "yourcompanyname"
AND
DOMAIN DOES_NOT_MATCH "yourcompanyname.com"
AND
DOMAIN DOES_NOT_MATCH "yourcompanyname.net"
AND
CREATE_DATE WITHIN "The last 90 days"
AND
RISK_SCORE GREATER_THAN 40
Query B — Character substitution typosquats
# IrisQL-1.0
DOMAIN CONTAINS "paypa1"
DOMAIN CONTAINS "vvells"
DOMAIN CONTAINS "g00gle"
DOMAIN CONTAINS "arnazon"
AND
CREATE_DATE WITHIN "The last 30 days"
AND
TLD IN ["com","net","org"]9. Shared Google Analytics ID — crimeware network mapping
DomainTools Iris Platform · standard OSINT attribution technique
Threat actors frequently reuse the same Google Analytics IDs across fraud infrastructure. One confirmed malicious domain's GA ID can pivot to an entire network.
Query A — Pivot on a shared GA tracking ID
IrisQL — replace with GA ID from your investigation
# IrisQL-1.0
GOOGLE_ANALYTICS MATCHES "UA-XXXXXXXXX-1"Query B — Analytics + high risk + recent registration
# IrisQL-1.0
GOOGLE_ANALYTICS EXISTS true
AND
RISK_SCORE GREATER_THAN 80
AND
CREATE_DATE WITHIN "The last 14 days"
AND
TLD IN ["shop","site","top","online","store"]10. WHOIS privacy abuse + high risk — evasive infrastructure
FBI/CISA LummaC2 Advisory · Picus Red Report 2026
High-risk infrastructure frequently hides behind privacy services while sharing nameservers, ASNs, or IP blocks with known malicious domains.
Query — Privacy-protected high-risk domains on abuse TLDs
# IrisQL-1.0
REGISTRANT CONTAINS "privacy"
REGISTRANT CONTAINS "redacted"
REGISTRANT CONTAINS "withheld"
REGISTRANT CONTAINS "protected"
AND
RISK_SCORE GREATER_THAN 80
AND
CREATE_DATE WITHIN "The last 14 days"
AND
TLD IN ["shop","site","pw","top","live","run","digital","icu","online","store"]
AND
EMAIL EXISTS false
Hunting tips
Pivot from IOCs. One domain gives you a starting point — extract the nameserver, ASN, or email and build your next query around that shared infrastructure to find the full campaign.
Time-bound every hunt. Use CREATE_DATE WITHIN "The last 14 days" to focus on emerging campaigns and cut noise. Old registrations are usually already burned.
Layer for signal quality. RISK_SCORE GREATER_THAN 80 alone returns too much. Add TLD constraints, a registrar anchor, and date bounds to dramatically improve precision.
Use HISTORICAL_EMAIL. When an actor registered with a real email before switching to privacy, WHOIS history preserves it. A 2022 email can connect to fresh 2025 infrastructure.
Store queries as templates. IrisQL is plain text — keep a library in your wiki. When a new advisory drops, update the EXACTLY_IN list and re-run.
Round-trip with the UI. Unsure of a field name? Build it in Advanced Search first, then flip on IrisQL to see the generated syntax. Best way to learn.
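To make the template workflow concrete, here is an added Python example (written for this post, not DomainTools code) that turns a raw advisory IOC dump into an EXACTLY_IN query: it refangs the common defang styles, strips URL scheme, path and port, drops IP addresses and duplicates, and splits long lists into batches. MAX_PER_QUERY and the SAMPLE_IOCS text are assumptions; the batch size is a readability choice, not a documented Iris limit.

```python
"""Turn a raw IOC dump into IrisQL EXACTLY_IN query templates.

Added example, not DomainTools code. It assumes only the syntax this post
shows (the "# IrisQL-1.0" header, EXACTLY_IN with a bracketed array, AND
between conditions). MAX_PER_QUERY is an assumed batch size, not a documented
limit; it exists so very long advisory lists stay readable.
"""
import re

HEADER = "# IrisQL-1.0"
MAX_PER_QUERY = 100   # assumption: split long lists so each query stays readable

# Common defang styles seen in advisories: hxxp://, [.], (.), {.}, \., [dot]
DEFANGS = [("hxxps://", "https://"), ("hxxp://", "http://"),
           ("[.]", "."), ("(.)", "."), ("{.}", "."), ("\\.", "."), ("[dot]", ".")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(token):
    """Lower-case and undo the defang substitutions in DEFANGS."""
    t = token.strip().lower()
    for bad, good in DEFANGS:
        t = t.replace(bad, good)
    return t


def to_domain(token):
    """Reduce a URL, host:port or bare name to a hostname, or None if it is not one."""
    t = refang(token)
    t = re.sub(r"^[a-z]+://", "", t)    # drop scheme
    t = t.split("/")[0].split("?")[0]   # drop path and query string
    t = t.split("@")[-1].split(":")[0]  # drop userinfo and port
    t = t.rstrip(".")
    if not t or IPV4_RE.match(t) or not DOMAIN_RE.match(t):
        return None
    return t


def extract_domains(text):
    """Unique hostnames from an IOC dump in first-seen order; comments and IPs are skipped."""
    seen, out = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for token in re.split(r"[\s,;]+", line):
            d = to_domain(token)
            if d and d not in seen:
                seen.add(d)
                out.append(d)
    return out


def build_queries(domains, extra_conditions=()):
    """One IrisQL query per batch; each extra condition is appended after an AND line."""
    queries = []
    for i in range(0, len(domains), MAX_PER_QUERY):
        batch = domains[i:i + MAX_PER_QUERY]
        body = ",\n".join(f'"{d}"' for d in batch)
        lines = [HEADER, "DOMAIN EXACTLY_IN [", body, "]"]
        for cond in extra_conditions:
            lines += ["AND", cond]
        queries.append("\n".join(lines))
    return queries


# Constructed IOC dump in the mixed styles an advisory appendix typically uses.
SAMPLE_IOCS = """
# C2 domains (defanged)
fragnantbui[.]shop, stogeneratmns[.]shop
hxxps://wallkedsleeoi[.]shop/api/login
Reinforcenh(.)shop.
192.0.2.44            # IP indicator, skipped
fragnantbui[.]shop    # duplicate
"""

if __name__ == "__main__":
    doms = extract_domains(SAMPLE_IOCS)
    for q in build_queries(doms, extra_conditions=["ACTIVE MATCHES true"]):
        print(q, end="\n\n")
```

When a new advisory drops, paste its indicator appendix into SAMPLE_IOCS (or read it from a file), keep any standing conditions such as ACTIVE MATCHES true in extra_conditions, and commit the generated text to your query library alongside the source link.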
Ready to Start Hunting?
IrisQL is designed to grow with your expertise. If you're ever unsure of a field name, simply build it in the UI first and flip the toggle — it's the best way to learn the syntax while getting the data you need.
For a full breakdown of the syntax and more example queries, view our IrisQL Documentation.
