Disrupting the Phish-Hunters: Inside a Coordinated Impersonation of the Brand Protection Industry
by Carlos Alvarez

TL;DR
ZeroFox's Signals Research Program has uncovered a sustained domain impersonation operation aimed squarely at the brand protection and threat intelligence industry. Seventy-three correlated domains, registered between July 2025 and June 2026, impersonate ZeroFox and at least four peer vendors (Corsearch (including its Incopro brand), Red Points, MarkScan, and Group-IB) alongside a long tail of generic "takedown," "anti-piracy," "DMCA," and "IP-enforcement" names. Every domain in the cluster traces back to one operational stack: Dynadot for registration in most cases, Namecheap for hosting in all cases, and a uniform mail and SPF posture engineered to send authenticated email. None of the domains carries a working website. They are staged for impersonation by email, and they are pointed at the one part of the takedown ecosystem that runs on trust between vendors, registrars, hosts, and platforms.
We are publishing the full domain list, the infrastructure fingerprint, and the registrar/host action split because the targets are an entire category of company. We expect peers to find this useful. We expect registrars and hosting providers to want it.
Abuse of Pre-Existing Trust
Takedown work runs on received trust. When a brand protection or anti-piracy vendor sends an abuse notice to a registrar, a hosting provider, or a platform, the receiving team rarely re-litigates the facts. They recognize the sender, they recognize the format, and the action gets queued. That trust is the operational substrate of brand protection. It turns minutes saved per notice into hours of work saved across millions of takedowns a year. ZeroFox alone handles over a million successful takedowns annually at a 95% acceptance rate, through partnerships with 80+ ISPs, registrars, hosts, and platforms in our Global Disruption Network. Multiply that across the industry and you have a quiet, high-trust workflow that the rest of the security stack depends on.
That trust is now a target. The operator behind this campaign is not building credential-harvesting pages. They are building email senders under our names, our peers' names, and the generic vocabulary of the takedown discipline itself. The goal is to weaponize legitimacy: have a registrar accept a forged takedown, have a hosting provider suspend a legitimate site, have a victim wire money to "reinstate" a Meta account that was never really removed, have an executive open a "DMCA notice" that drops malware on the corporate laptop. None of that requires a polished website. It requires a domain that survives SPF, DKIM, and DMARC checks at the receiver.
Every domain in this campaign passes those checks today.
What We Found
Discovery started with two seeds: zerofoxreporting[.]com (registered 2026-05-09) and zerofox-unlockmeta[.]com (registered 2026-06-12). Both surfaced through routine monitoring of ZeroFox brand permutations. Both pointed at a single Namecheap shared-hosting IP, both were registered through Dynadot, and both served an empty LiteSpeed autoindex page exposing only a /cgi-bin/ directory.
That alone was not a campaign. Two domains on Namecheap shared hosting can be coincidence. The pattern only became a pattern when we ran time-fenced reverse passive-DNS pivots against the hosting IPs and looked for a naming theme. What came back was 73 correlated domains, spanning eleven months of continuous registration activity.
Three categories emerged.
Zerofox-Impersonating Domains (10)
Directly using the ZeroFox brand mark or near-variants. The earliest is from late January 2026; the most recent landed on June 12, 2026. Names include zerofoxbrandprotection[.]com, zerofoxenforcement[.]com, zerofoxenforcement[.]vip, zerofoxtakedown[.]com, zerofoxtakedowns[.]com[.]in, zerofoxipreporting[.]com, zerofoxinfringements[.]com, zerofox-group[.]com, zerofoxreporting[.]com, and zerofox-unlockmeta[.]com. The naming reads like a deliberate map of our service taxonomy: enforcement, takedown, IP reporting, infringements, group. The unlock-meta variant specifically targets a victim category we work with daily: brand owners whose Meta assets have been removed and who want them restored.
Domains Impersonating Named Peer Vendors (5)
The operator is not after us alone. The same stack hosts impersonations of:
- Corsearch, corsearchprotection[.]com (Namecheap, 2026-02-10), plus incopro[.]com[.]in (Dynadot, 2026-05-27). Corsearch acquired Incopro in June 2021 and Incopro now operates as part of Corsearch's brand protection portfolio, so these two domains target one corporate group under both of its recognized brand identities. An additional corsearch[.]au on a different IP may or may not be the same hand; we flag it but cannot yet confirm.
- Red Points, redpointsbrandprotection[.]com[.]in (Dynadot, 2026-02-12).
- MarkScan, markscan[.]com[.]in (Dynadot, 2026-03-20).
- Group-IB, group-ib[.]services and group-ib[.]co[.]in (Dynadot, late January and late May 2026).
The choice of .com.in and .co.in is not incidental. Several of these peers operate or take notices in India, where regional ccSLDs read as legitimate localization to a casual recipient. MarkScan in particular runs legitimate regional sites at markscan.co.in, markscan.co.uk, and markscan.com.au, which makes the look-alike markscan[.]com[.]in a one-keystroke deviation from a real localized property. The operator is doing geographic credibility-engineering.
Generic Functional Impersonation (57)
The largest tier doesn't impersonate any specific vendor. It impersonates the function. Names like takedownreporting[.]uk, takedownenforcement[.]com, antipiracyreporting[.]com, dmcareporting[.]com, copyrightenforcement[.]co, infringements[.]buzz, globalrightsprotection[.]com, brandshielding[.]com, securetakedown[.]com, appealsprotection[.]com. Some are obviously utilitarian. Others are designed to sit one Google search away from a real vendor's response. A subset using the descriptor "genius IP" (geniusbrandprotection[.]com, geniusacg[.]com, geniusglobalip[.]com, geniusipgroup[.]com) leans on the generic industry term for innovative IP strategy rather than any specific vendor, but it occupies the same lane.
Across all 73 the earliest registration is 2025-07-31. The most recent is 2026-06-12. The cadence is steady. Not a burst, not a one-off. The operator is running this as a sustained program rather than a single ops cycle.
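The three tiers above are a naming taxonomy, and a monitoring team can apply it mechanically to a passive-DNS pivot or a new-registration feed. The following Python is an added example, not ZeroFox's tooling: it refangs names written in the post's `[.]` notation, sorts each into the brand, peer, generic or unrelated tier using the tokens quoted above, and measures the edit distance to a real vendor property so that the "one-keystroke deviation" of markscan[.]com[.]in from markscan.co.in becomes a number. The brand token list, function vocabulary and `LEGIT` allow-list are assumptions drawn from the names the post quotes; a production allow-list would be maintained with each vendor out-of-band.

```python
from collections import Counter

# Added example, not ZeroFox's tooling: sort candidate domains into the three
# tiers the post describes and measure how far each sits from a real property.

BRAND = "zerofox"
# Peer brand tokens with hyphens removed, so "group-ib" and "groupib" match alike.
PEER_TOKENS = ("corsearch", "incopro", "redpoints", "markscan", "groupib")
# Vocabulary of the takedown discipline that the generic tier borrows.
FUNCTION_TOKENS = ("takedown", "antipiracy", "piracy", "dmca", "enforcement",
                   "infringement", "protection", "copyright", "reporting", "genius")
# Real vendor properties named in the post; a production allow-list would be
# longer and maintained out-of-band with each vendor (assumption for the example).
LEGIT = {"zerofox.com", "markscan.co.in", "markscan.co.uk", "markscan.com.au"}


def refang(defanged: str) -> str:
    """Turn the defanged form used in the post (zerofox[.]com) back into a hostname."""
    return defanged.strip().lower().replace("[.]", ".").replace("(.)", ".")


def classify(defanged: str) -> str:
    """Return 'legitimate', 'brand', 'peer', 'generic' or 'unrelated'."""
    name = refang(defanged)
    if name in LEGIT:
        return "legitimate"
    # The naming theme lives in the leftmost label; drop hyphens before matching.
    label = name.split(".")[0].replace("-", "")
    if BRAND in label:
        return "brand"
    if any(tok in label for tok in PEER_TOKENS):
        return "peer"
    if any(tok in label for tok in FUNCTION_TOKENS):
        return "generic"
    return "unrelated"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 is the 'one-keystroke deviation' the post describes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_legit(defanged: str):
    """Closest real property and its distance; ties markscan.com.in to markscan.co.in."""
    name = refang(defanged)
    best = min(sorted(LEGIT), key=lambda legit: edit_distance(name, legit))
    return best, edit_distance(name, best)


def tier_counts(defanged_list) -> Counter:
    """Tier histogram over a candidate list, the shape of the post's 10 / 5 / 57 split."""
    return Counter(classify(d) for d in defanged_list)


if __name__ == "__main__":
    # Constructed sample built from names quoted in the post plus one unrelated control.
    sample = ["zerofoxreporting[.]com", "zerofox-unlockmeta[.]com", "markscan[.]com[.]in",
              "group-ib[.]services", "dmcareporting[.]com", "infringements[.]buzz",
              "example[.]org"]
    for d in sample:
        print(f"{refang(d):26} {classify(d):10} nearest={nearest_legit(d)}")
    print(dict(tier_counts(sample)))
```

Token matching on the leftmost label is deliberately loose: it is a triage filter meant to surface candidates for an analyst, and a hit on the generic vocabulary alone says nothing until the hosting and registration pattern is checked as well.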
How We Know It’s One Operator
It would be easy to draw a line on the surface (same TLD picks, similar names) and miss the real signature. The reason we are confident this is one hand is the infrastructure stack, which is identical across the cluster.
Every domain in the campaign sits on Namecheap shared hosting, across four IP addresses in the NCNET blocks: 162[.]0[.]215[.]16, 68[.]65[.]120[.]149, 68[.]65[.]121[.]172, and 68[.]65[.]123[.]243. Every domain uses Namecheap's default nameservers dns1[.]namecheaphosting[.]com and dns2[.]namecheaphosting[.]com, and Namecheap's default Jellyfish mail backbone on mx{1,2,3}-hosting[.]jellyfish[.]systems. Each domain ships with full DKIM (default._domainkey selector present), an SPF record locked to the hosting IP, and a p=none DMARC. Fully provisioned to send authenticated mail, with no inbound enforcement to slow them down.
Registration concentrates at Dynadot (IANA registrar 472) with 60 of 73 domains, and a smaller number at Namecheap, GoDaddy, Registrar.eu, and Intis Telecom. Registrant data is privacy-redacted across the board, which is expected and not by itself meaningful; what is meaningful is the consistency of the choice.
Web content is uniformly null. Each domain serves the same empty LiteSpeed directory listing exposing /cgi-bin/, or in some cases a 162-byte blank. The directory listing timestamp matches the registration date in each case, which tells us the operator stands the domain up, points it at the shell, and leaves it there. There is no phishing kit. There is no fake login page. There is no traditional web payload to detect.
That is the operator's tradecraft choice, and it matters. A campaign built on web phishing is loud. It generates URLs, scan results, browser warnings, abuse reports. A campaign built on email impersonation under fully authenticated DKIM/SPF/DMARC is quiet. It generates one piece of evidence per victim, in inboxes you and we do not see. Until those notices start landing in the inboxes of registrars and hosting providers, the campaign is invisible to most monitoring stacks. That is, we suspect, the point.
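The stack described above is a fingerprint you can score a domain against from its DNS records alone. The following Python is an added example, not ZeroFox's pivot tooling: it parses SPF mechanisms and DMARC tags, checks the nameservers, MX hosts, SPF `ip4:` scope, DKIM selector and DMARC policy against the values quoted in this post, and reports the two facts the post turns on, namely whether the domain can send mail that authenticates and whether its own DMARC policy asks receivers to act. The campaign IPs, nameservers and MX suffix come from the post; the two record sets are constructed inline (one shaped like the fingerprint, one control on an unrelated provider) and in practice would be filled from a resolver or passive-DNS source. A full match is a pivot signal, not proof: Namecheap shared hosting and its default mail setup are used by many legitimate customers, which is exactly why the post pairs the fingerprint with the naming theme and registration pattern before calling it one operator.

```python
import ipaddress

# Added example, not ZeroFox's tooling: score a domain's DNS records against the
# operator stack the post describes. Record sets are constructed inline here; in
# practice you would fill them from your resolver or passive-DNS source.

CAMPAIGN_IPS = {"162.0.215.16", "68.65.120.149", "68.65.121.172", "68.65.123.243"}
CAMPAIGN_NS = {"dns1.namecheaphosting.com", "dns2.namecheaphosting.com"}
CAMPAIGN_MX_SUFFIX = "-hosting.jellyfish.systems"
CAMPAIGN_SPF_INCLUDE = "include:spf.web-hosting.com"


def parse_spf(txt_records):
    """Mechanisms of the first v=spf1 TXT record at the apex, or [] if there is none."""
    for rec in txt_records:
        parts = rec.split()
        if parts and parts[0].lower() == "v=spf1":
            return parts[1:]
    return []


def parse_dmarc(txt):
    """'v=DMARC1; p=none;' -> {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for piece in txt.split(";"):
        if "=" in piece:
            key, value = piece.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_networks(mechanisms):
    """ip4: mechanisms as networks; a bare host like ip4:68.65.120.149 becomes a /32."""
    nets = []
    for mech in mechanisms:
        body = mech.lstrip("+-~?").lower()
        if body.startswith("ip4:"):
            try:
                nets.append(ipaddress.ip_network(body[4:], strict=False))
            except ValueError:
                continue  # malformed mechanism: skip it rather than abort the pivot
    return nets


def spf_authorizes_campaign_ip(mechanisms):
    """True if any campaign IP falls inside an ip4: mechanism of the SPF record."""
    nets = spf_networks(mechanisms)
    return any(ipaddress.ip_address(ip) in net for ip in CAMPAIGN_IPS for net in nets)


def posture(records):
    """records: {'ns': [...], 'mx': [...], 'txt': [...], 'dmarc': str, 'dkim_selectors': [...]}"""
    spf = parse_spf(records.get("txt", []))
    dmarc = parse_dmarc(records.get("dmarc", ""))
    dkim = {s.lower() for s in records.get("dkim_selectors", [])}
    ns = {h.lower().rstrip(".") for h in records.get("ns", [])}
    mx = {h.lower().rstrip(".") for h in records.get("mx", [])}
    hits = {
        "namecheap_ns": bool(ns) and ns <= CAMPAIGN_NS,
        "jellyfish_mx": bool(mx) and all(h.endswith(CAMPAIGN_MX_SUFFIX) for h in mx),
        "spf_campaign_ip": spf_authorizes_campaign_ip(spf),
        "spf_webhosting_include": any(m.lstrip("+-~?").lower() == CAMPAIGN_SPF_INCLUDE for m in spf),
        "dkim_default_selector": "default" in dkim,
        "dmarc_p_none": dmarc.get("p", "").lower() == "none",
    }
    policy = dmarc.get("p", "").lower()
    return {
        "hits": hits,
        "score": sum(hits.values()),
        "matches_campaign_stack": all(hits.values()),
        # The two facts the post turns on: the domain can send mail that authenticates,
        # and its own policy asks receivers to do nothing on failures.
        "can_send_authenticated": bool(spf) and bool(dkim),
        "dmarc_enforced": policy in ("quarantine", "reject"),
    }


# Constructed record set shaped like the fingerprint in the post.
LOOKALIKE = {
    "ns": ["dns1.namecheaphosting.com.", "dns2.namecheaphosting.com."],
    "mx": ["mx1-hosting.jellyfish.systems.", "mx2-hosting.jellyfish.systems.",
           "mx3-hosting.jellyfish.systems."],
    "txt": ["v=spf1 +a +mx +ip4:68.65.120.149 include:spf.web-hosting.com ~all"],
    "dmarc": "v=DMARC1; p=none;",
    "dkim_selectors": ["default"],
}

# Constructed control: a domain on an unrelated provider with DMARC enforced.
CONTROL = {
    "ns": ["ns1.provider.example.", "ns2.provider.example."],
    "mx": ["mail.provider.example."],
    "txt": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
    "dkim_selectors": ["s1"],
}

if __name__ == "__main__":
    for name, recs in (("lookalike", LOOKALIKE), ("control", CONTROL)):
        print(name, posture(recs))
```

The `ip4:` check is done with `ipaddress` rather than string equality so that a record scoped to a CIDR still matches when a campaign IP falls inside it.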
What the Operator Is Building
We assess with medium-to-high confidence that this operator is staging fraudulent enforcement and takedown traffic, with four plausible payoffs. We list them in declining order of how likely we think each is:
- Fraudulent takedown notices to registrars and hosting providers, sent from @zerofoxreporting[.]com or @takedownreporting[.]com or @redpointsbrandprotection[.]com[.]in, requesting suspension of competitor sites or sites the operator has been paid to disable. The receiving abuse team sees a recognizable sender, a familiar format, and queues the action. This is the highest-leverage outcome and the cheapest to execute.
- Advance-fee account-reinstatement scams aimed at brand owners whose Meta or other platform assets have been removed. The zerofox-unlockmeta[.]com choice is the clearest tell. A victim receives an unsolicited offer from "ZeroFox Brand Protection" to reinstate their account for a fee, pays, and gets nothing. We have seen this pattern targeting other brand protection vendors before. This campaign appears to have industrialized it.
- Targeted email-borne malware dressed as "DMCA notice" or "infringement report" attachments, exploiting the fact that brand and legal teams open these kinds of notices as part of their job. With authenticated email and a credible sender, the recipient's instinct to engage is the attack surface.
- Employment-fraud lures targeting job seekers, using domains styled as the careers or HR side of a recognizable vendor. The choice of India-localized ccSLDs like markscan[.]com[.]in is consistent with this pattern, which has been widely documented against Indian job-seekers. Authenticated mail from a recruiter address at a domain one keystroke off the real vendor's URL is enough to extract personal data, application fees, or credentials.
We cannot yet tie any of these to in-the-wild victim reports. As far as we can tell from open sources, the campaign is unreported globally. That is consistent with the email-only posture: the evidence lives in mailboxes the security community has not yet looked into. We expect that to change quickly once this post is public, and we encourage peers and partners to surface any traffic they have seen from these domains.
Why We’re Naming the Other Vendors
We reached out to the named peers privately before publishing, and we are naming them here with that prior notice already given via email or through LinkedIn. The industry is a small one and the operator has chosen to spoof us collectively, so a quiet heads-up to each affected vendor was the right first step, and a public account that names them is the right second one. Withholding peer names entirely while publishing our own would be performative solidarity at best and self-serving at worst. The peers named here, Corsearch (and its Incopro brand), Red Points, MarkScan, and Group-IB, are companies our analysts respect, work alongside, and routinely encounter at cybersecurity and industry conferences and meetings. Every one of those peers does work the world is better for, and they got the heads-up the same way we would have wanted one.
Anyone from those organizations who wants the raw indicators, the IP pivots, or the registrar contact paths can reach us at ask[@]zerofox.com and we will share immediately, no conditions.
What We’re Doing About It
Three workstreams are already in motion.
Takedown. We have packaged the 73 domains into a registrar-split action list: 60 at Dynadot, 8 at Namecheap, 3 at GoDaddy, 1 at Intis Telecom, and 1 at Registrar.eu. Dynadot has already suspended 57 of their 60 domains in response to our report, an outcome we want to acknowledge publicly. Identity Digital also acted independently at the registry level to suspend both .services domains across registrar boundaries, group-ib[.]services and antipiracyprotection[.]services, which is a notable signal of the cross-registry coordination this campaign warrants. The remaining 13 were reported in a single consolidated brand-impersonation report to Namecheap, the common hosting provider, as well as separately to the corresponding registrars. We expect the registrar and host-level action to clear the bulk of the cluster within standard SLAs; we anticipate that the operator will migrate, and we will pivot with them.
Peer notification. We reached out to the named vendors directly either via email or through LinkedIn. The first notices went out the same day we finalized the indicator set, ahead of this publication.
Sustained monitoring. The Signals Research Program is keeping continuous watch on the four campaign IPs, the Dynadot registration stream, and the operator's naming taxonomy. New additions to the cluster will be appended to the indicator set and shared with our customers and peers.
What You Should Do
If you operate a registrar, a hosting provider, or a platform that receives abuse and takedown traffic, add the 73 domains in the appendix to your inbound sender checks as known impersonation domains. If you receive a takedown notice from any of them, the appropriate response is to reject the notice and alert the purported sender out-of-band. None of these domains is an authorized ZeroFox communications channel. ZeroFox sends takedown notices from a small set of clearly identifiable addresses. If you are not sure whether a notice from us is real, write to ask[@]zerofox.com and we will confirm within a few hours.
If you are a brand owner who has received an unsolicited reinstatement offer from any of the domains in the appendix, do not respond, do not pay, and report it to your usual abuse channel. If you would like ZeroFox to confirm whether a communication is genuinely from us, contact your account team or write to the address above.
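For an abuse desk that wants to automate the check above, the following Python is an added example, not ZeroFox's or any registrar's tooling. It parses an inbound notice, reads the spf/dkim/dmarc verdicts from the Authentication-Results header, and then decides on the sender domain rather than on those verdicts: a domain on the indicator list, or one that claims a vendor brand without being one of that vendor's authorized channels, gets rejected and routed to out-of-band verification, and a clean authentication pass on such a domain is recorded as proving nothing more than control of the look-alike itself. The `INDICATORS` set holds a handful of the domains from this post (a deployment would load all 73), `AUTHORIZED_SENDER_DOMAINS` is a placeholder because the post does not list ZeroFox's real sending addresses, and both messages are constructed.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Added example, not ZeroFox's or any registrar's tooling: triage an inbound
# takedown notice the way the post recommends. Authentication results are read
# but never treated as proof of identity; what decides is whose domain sent it.

# A few domains from the post's indicator set; a real deployment loads all 73.
INDICATORS = {d.replace("[.]", ".") for d in (
    "zerofoxreporting[.]com", "zerofox-unlockmeta[.]com", "takedownreporting[.]uk",
    "redpointsbrandprotection[.]com[.]in", "markscan[.]com[.]in")}
# Placeholder: the post says ZeroFox sends from a small set of identifiable
# addresses but does not list them; populate this from out-of-band confirmation.
AUTHORIZED_SENDER_DOMAINS = {"zerofox.com"}
BRAND_TOKENS = {"zerofox": "ZeroFox", "corsearch": "Corsearch", "incopro": "Corsearch",
                "red points": "Red Points", "redpoints": "Red Points",
                "markscan": "MarkScan", "group-ib": "Group-IB"}


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results, e.g. {'spf': 'pass'}."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def claimed_brands(display_name, domain):
    """Vendor brands named in the display name or in the sender domain's leftmost label."""
    haystack = f"{display_name} {domain.split('.')[0]}".lower()
    return sorted({brand for token, brand in BRAND_TOKENS.items() if token in haystack})


def triage(raw: bytes):
    """Return sender domain, authentication verdicts, a verdict and the reasons for it."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    reasons = []
    if domain in AUTHORIZED_SENDER_DOMAINS:
        return {"sender_domain": domain, "auth": auth, "verdict": "process", "reasons": reasons}
    if domain in INDICATORS:
        reasons.append("sender domain is on the impersonation indicator list")
    brands = claimed_brands(display, domain)
    if brands:
        reasons.append(f"claims {', '.join(brands)} but sender domain is not an authorized channel")
    if reasons and all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        reasons.append("SPF/DKIM/DMARC pass only proves control of the look-alike domain itself")
    verdict = "reject_and_verify_out_of_band" if reasons else "standard_handling"
    return {"sender_domain": domain, "auth": auth, "verdict": verdict, "reasons": reasons}


# Constructed notice from a look-alike domain, as it would arrive at an abuse desk.
FORGED_NOTICE = b"""\
From: ZeroFox Brand Protection <notices@zerofoxreporting.com>
To: abuse@registrar.example
Subject: Takedown request
Authentication-Results: mx.registrar.example; spf=pass smtp.mailfrom=zerofoxreporting.com;
 dkim=pass header.d=zerofoxreporting.com; dmarc=pass header.from=zerofoxreporting.com
Content-Type: text/plain; charset=utf-8

Please action the attached notice.
"""

# Constructed notice from the authorized domain (the local part is made up).
GENUINE_NOTICE = b"""\
From: ZeroFox Disruption <sender@zerofox.com>
To: abuse@registrar.example
Subject: Takedown request
Authentication-Results: mx.registrar.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Please action the attached notice.
"""

if __name__ == "__main__":
    for raw in (FORGED_NOTICE, GENUINE_NOTICE):
        print(triage(raw))
```

The ordering matters: the authorized-domain check runs first so a genuine notice that happens to mention a brand is processed, and the authentication verdicts only ever add context to a rejection, never override one.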
Appendix: Full Indicator Set (Defanged)
The complete TLP:AMBER+STRICT investigation report, including all 73 domains with their registrars and registration dates, and the four hosting IPs, is available to vetted partners on request. A redacted version with the full domain list and registrar split is published alongside this post.
Operator infrastructure fingerprint
| Field | Value |
|---|---|
| Hosting (all 73 domains) | Namecheap shared hosting, four IPs: 162[.]0[.]215[.]16, 68[.]65[.]120[.]149, 68[.]65[.]121[.]172, 68[.]65[.]123[.]243 (NCNET-4 / NCNET-7 blocks) |
| Nameservers | dns1[.]namecheaphosting[.]com, dns2[.]namecheaphosting[.]com |
| SOA contact | cpanel.tech.namecheap[.]com |
| MX | mx{1,2,3}-hosting[.]jellyfish[.]systems (Namecheap default Jellyfish anti-spam) |
| SPF pattern | v=spf1 +a +mx +ip4:<host-ip> include:spf[.]web-hosting[.]com ~all |
| DKIM | default._domainkey selector present, RSA, freshly generated per domain |
| DMARC | v=DMARC1; p=none; (no inbound enforcement) |
| Web payload | empty LiteSpeed autoindex page exposing only /cgi-bin/, directory timestamp matching registration date |
| Registrars | Dynadot (60), Namecheap (8), GoDaddy (3), Intis Telecom (1), Registrar.eu (1). All 73 domains have an identified sponsoring registrar. |
| Registration window | 2025-07-31 to 2026-06-12 |
Indicators
ZeroFox brand impersonation (10), peer-vendor impersonation (5), and generic functional impersonation (57). Full list with first-seen dates, hosting IPs, and per-domain registrars is available on request.
The Signals Research Program is ZeroFox's internal skunkworks for novel threat research, sister to our Disruption Partnerships Program.
Carlos Alvarez
Director, Disruption Partnership Program | Signals Research Program
Carlos is Director of ZeroFox's Disruption Partnerships and Signals Research Programs, where he leads threat intelligence research and coordinates abuse mitigation efforts across domain registrars, hosting providers, and social media platforms. With over 25 years of experience in cybersecurity, internet governance, and intellectual property enforcement, his career began in Bogotá leading Business Software Alliance anti-piracy initiatives and serving as Head of Legal for Sony Music's Andean region. He then spent nearly 15 years at ICANN, where he led Contractual Compliance Teams enforcing the rules on domain registrars and top-level domains globally, before joining the Security Team, where he worked directly with global law enforcement, threat intelligence providers, and incident response teams on domain abuse and infrastructure threats.
Carlos currently sits on the Board of Directors for the Forum of Incident Response and Security Teams (FIRST) and the Internet Fire Brigade Society, and serves as a Strategic Advisor to the Global Cyber Alliance. He co-founded the Anti-Phishing and DNS Abuse Special Interest Groups at the Malware, Messaging and Mobile Anti-Abuse Working Group (M3AAWG), where he remains co-chair, and the DNS Abuse SIG at the Forum of Incident Response and Security Teams (FIRST). His background across the legal, regulatory, and technical sectors allows him to bridge the gap between policy and real-world threat mitigation.
Tags: Impersonations, Phishing