Pulling the Thread: Pivoting on DPRK IT Worker Infrastructure
Team Cymru recently published a solid analysis of fake IT worker infrastructure, pivoting from luckyguys[.]site using X.509 certificates and NetFlow data. If you haven’t read it, start there.
One question came to mind after reading it: are there other domains following the same naming pattern, registered around the same time?
The search
I searched for domains following the luckyguys naming convention, combined with similar registration timing and exposed services. One result stood out: luckyguys[.]cloud. The domain was registered on January 6, 2026, one month after luckyguys[.]site (December 2, 2025), with the same registrar (Hostinger).
[Screenshots: luckyguys[.]site WHOIS record; luckyguys[.]cloud WHOIS record]
It also hosts a Gitea instance. These characteristics are consistent with those observed on luckyguys[.]site.
[Screenshots: git.luckyguys[.]site hosting a Gitea instance (source: Validin); luckyguys[.]cloud displaying a Gitea welcome page (via urlscan.io)]
What made it interesting
IP 45.15.167[.]146 hosts all luckyguys[.]cloud subdomains. Its PTR record points to rbluckyguys[.]com, and the exposed login panel references “RB Luckyguys Management.”
[Screenshot: login panel at luckyguys[.]cloud/login (via urlscan.io, January 13, 2026)]
The naming linkage extends beyond the primary domain into PTR records and application artifacts, pointing to consistent reuse of the ‘Luckyguys’ name across this infrastructure.
The subdomains also hint at an instant messaging interface (message.luckyguys[.]cloud and msg.luckyguys[.]cloud). This is consistent with the interface observed on luckyguys[.]site on April 8, 2026 (via urlscan.io).
[Screenshot: login panel found on luckyguys[.]site/login]
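The pivot used in this section and in the search above (shared naming token, same registrar, registration within a short window, shared hosting IP, PTR record reusing the name) is easy to script over passive-DNS and WHOIS exports so it can be rerun against a larger candidate set. The following Python is an added example, not code from the original post or from Team Cymru's analysis. Every record in it is constructed: the IPs are RFC 5737 documentation addresses rather than the addresses observed in the write-up, and the `unrelated-example` and `luckyguys-decoy` names are invented controls that should not cluster with the rest. The `registrable()` helper is a deliberately naive eTLD+1; real tooling should use the Public Suffix List.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrar: str
    created: date


# CONSTRUCTED illustrative data. IPs are RFC 5737 documentation addresses,
# not the addresses observed in the write-up; the *-example / *-decoy names
# are invented controls.
FORWARD = {  # hostname -> IPv4, as a passive-DNS export would list it
    "luckyguys.site": "203.0.113.10",
    "git.luckyguys.site": "203.0.113.10",
    "luckyguys.cloud": "198.51.100.20",
    "git.luckyguys.cloud": "198.51.100.20",
    "msg.luckyguys.cloud": "198.51.100.20",
    "message.luckyguys.cloud": "198.51.100.20",
    "shop.unrelated-example.cloud": "198.51.100.99",
}
PTR = {  # IPv4 -> reverse name
    "198.51.100.20": "rbluckyguys.com",
    "203.0.113.10": "srv10.hosting-example.net",
}
WHOIS = [
    WhoisRecord("luckyguys.site", "Hostinger", date(2025, 12, 2)),
    WhoisRecord("luckyguys.cloud", "Hostinger", date(2026, 1, 6)),
    WhoisRecord("unrelated-example.cloud", "Hostinger", date(2026, 1, 7)),
    WhoisRecord("luckyguys-decoy.example", "OtherRegistrar", date(2021, 3, 3)),
]


def registrable(host: str) -> str:
    """Naive eTLD+1: the last two labels. Fine for .site/.cloud/.com here;
    production code should use the Public Suffix List (e.g. tldextract)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def shares_token(name: str, token: str) -> bool:
    """True if the registrable domain's first label contains the token, so
    'rbluckyguys.com' and 'msg.luckyguys.cloud' both match 'luckyguys'."""
    return token.lower() in registrable(name).split(".")[0]


def sibling_registrations(seed: WhoisRecord, records, token: str, max_days: int = 60):
    """Domains that share the naming token, the registrar and a registration
    window with the seed. Each filter alone is weak; together they prune noise."""
    out = []
    for r in records:
        if r.domain == seed.domain or not shares_token(r.domain, token):
            continue
        if r.registrar != seed.registrar:
            continue
        if abs((r.created - seed.created).days) <= max_days:
            out.append(r.domain)
    return sorted(out)


def hosting_pivot(forward, ptr, token: str):
    """Group hostnames by IP and flag IPs whose PTR record reuses the token."""
    by_ip = defaultdict(list)
    for host, ip in forward.items():
        by_ip[ip].append(host)
    result = {}
    for ip, hosts in by_ip.items():
        rev = ptr.get(ip)
        result[ip] = {
            "hosts": sorted(hosts),
            "token_hosts": sorted(h for h in hosts if shares_token(h, token)),
            "ptr": rev,
            "ptr_shares_token": bool(rev and shares_token(rev, token)),
        }
    return result


def shared_ip_overlap(forward, domain_a: str, domain_b: str):
    """IPs hosting names under both apex domains. An empty set is the
    'no direct IP overlap' situation that keeps attribution at moderate confidence."""
    def ips(apex):
        return {ip for h, ip in forward.items() if registrable(h) == apex}
    return ips(domain_a) & ips(domain_b)


if __name__ == "__main__":
    seed = WHOIS[0]
    print("sibling registrations:", sibling_registrations(seed, WHOIS, "luckyguys"))
    for ip, info in hosting_pivot(FORWARD, PTR, "luckyguys").items():
        print(ip, info)
    print("IP overlap:", shared_ip_overlap(FORWARD, "luckyguys.site", "luckyguys.cloud"))
```

On the constructed data the registrar plus 60-day window keeps `luckyguys.cloud` and drops both controls, the PTR check fires only on the IP whose reverse name carries the token, and the two apex domains share no IP, which is the same evidence picture the post describes. Swap in a real passive-DNS export and WHOIS dump to run it for real.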
The abandonment pattern
The domain has significantly more subdomains than luckyguys[.]site (18 vs 5). Per urlscan.io snapshots, the apex domain was reachable in January and March 2026. None of the endpoints respond at the time of writing. This is consistent with infrastructure torn down following public disclosure, as documented in the original Team Cymru post.
[Screenshots: luckyguys[.]site subdomains; luckyguys[.]cloud subdomains]
Attribution
Moderate confidence. Overlap in naming, infrastructure, and artifacts is suggestive, not conclusive. No direct IP overlap with the infrastructure documented by Team Cymru was identified, suggesting this may represent a separate but potentially related infrastructure segment.
IOCs (observed subdomains and related infrastructure; none of these hosts responded at the time of writing, so they are mainly useful for retrospective hunting in DNS and proxy logs)
luckyguys[.]cloud
rbluckyguys[.]com
45.15.167[.]146
admin.luckyguys[.]cloud
api.luckyguys[.]cloud
cdn.luckyguys[.]cloud
chat.luckyguys[.]cloud
check.luckyguys[.]cloud
clients.socket.luckyguys[.]cloud
ext.luckyguys[.]cloud
file.luckyguys[.]cloud
git.luckyguys[.]cloud
main.socket.luckyguys[.]cloud
manage.luckyguys[.]cloud
message.luckyguys[.]cloud
msg.luckyguys[.]cloud
rdweb.luckyguys[.]cloud
rustdesk.luckyguys[.]cloud
socket.luckyguys[.]cloud