Mallory
1 malware family

Prolific Puma

Also known as: Prolific Puma

Prolific Puma is a DNS threat actor and cybercrime enabler that operates an underground link-shortening service used by multiple malicious actors. Infoblox reported that the actor has operated for at least four years and uses a registered domain generation algorithm (RDGA) to create large volumes of pseudo-random, short-lived domains, with reporting citing roughly 35,000 to 75,000 unique domains since April 2022. The actor primarily registers domains through NameSilo and heavily abuses the .us top-level domain, using fake registration data and strategic domain aging to evade detection. Infoblox correlated large numbers of Prolific Puma domains through WHOIS domain owner records, aided by the .us TLD's prohibition on WHOIS proxy services.

According to the cited reporting, Prolific Puma's infrastructure supports phishing, scams, and browser-based malware delivery, and shortened links are distributed via SMS, social media, and advertisements. The actor uses bulletproof hosting providers, dedicated VPS infrastructure, and Bitcoin for domains and hosting. Their domains are typically short, alphanumeric, and pseudo-random, and are often parked for weeks before use to build reputation and avoid newly-registered-domain blocking. The reporting describes Prolific Puma as an indirect but significant infrastructure provider in the broader cybercrime ecosystem.

Trend Micro reported that a URL hosting Play ransomware payloads and tools was linked to Prolific Puma, and separate reporting cited shared IP addresses and tools such as PsExec, NetScan, and the Coroxy backdoor as evidence that the Play ransomware group appears to use Prolific Puma infrastructure. The reporting also mentions Prolific Puma alongside Revolver Rabbit and VexTrio Viper as actors using similar techniques. No high-confidence attribution to a nation state is provided.
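As an added example (not part of the Mallory profile or of the Infoblox reporting), the Python below scores constructed WHOIS and telemetry records against the traits summarized above: .us TLD, NameSilo registration, short mixed-alphanumeric labels with no repeated-character patterns, and a weeks-long aging gap between registration and first observed use. The point weights, the 14 to 120 day aging window, and the sample records are assumptions for illustration, not values from the reporting.

```python
"""Heuristic triage for RDGA-style link-shortener domains (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
import math

@dataclass
class DomainRecord:
    domain: str        # registered domain, e.g. "ab3kz.us"
    registrar: str     # registrar name from WHOIS
    registered: date   # WHOIS creation date
    first_seen: date   # first resolution or click seen in our own telemetry

def label_entropy(label: str) -> float:
    """Shannon entropy (bits/char) of a label; pseudo-random labels score high."""
    if not label:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def rdga_score(rec: DomainRecord) -> int:
    """Score one record against the traits in the profile; higher is more suspicious."""
    label, _, tld = rec.domain.rpartition(".")
    score = 0
    if tld == "us":                                    # heavy .us abuse
        score += 2
    if "namesilo" in rec.registrar.lower():            # preferred registrar
        score += 1
    if 3 <= len(label) <= 6 and label.isalnum():       # short alphanumeric label
        score += 1
    if any(c.isdigit() for c in label) and any(c.isalpha() for c in label):
        score += 1                                     # letters mixed with digits
    if label_entropy(label) >= 2.0:                    # no repeated-character patterns
        score += 1
    if 14 <= (rec.first_seen - rec.registered).days <= 120:
        score += 1                                     # aged for weeks before first use (assumed window)
    return score

def triage(records, threshold: int = 5):
    """Domains whose score meets the threshold, highest score first (stable order on ties)."""
    ranked = sorted(records, key=rdga_score, reverse=True)
    return [r.domain for r in ranked if rdga_score(r) >= threshold]

# Constructed sample records; none of these are real indicators.
SAMPLE = [
    DomainRecord("ab3kz.us", "NameSilo, LLC", date(2023, 8, 1), date(2023, 9, 15)),
    DomainRecord("q7xp.us", "NameSilo, LLC", date(2023, 7, 20), date(2023, 8, 30)),
    DomainRecord("example-bakery.com", "Example Registrar", date(2015, 3, 2), date(2023, 9, 1)),
    DomainRecord("abc.us", "Example Registrar", date(2010, 1, 5), date(2023, 9, 1)),
]
```

Calling `triage(SAMPLE)` flags only the two aged, mixed-alphanumeric NameSilo .us records; the short but old `abc.us` stays below threshold, showing that TLD and label length alone are not enough to act on.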


MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic (1 of 15 tactics; 3 techniques listed).

TA0011 Command and Control (2 techniques)
    T1105 Ingress Tool Transfer
    T1568 Dynamic Resolution
    T1568.002 Domain Generation Algorithms
IOCS

Observables

92 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

The Hacker News (News), May 6, 2025
New Investment Scams Use Facebook Ads, RDGA Domains, and IP Checks to Filter Victims

Referenced as another threat actor that adopts registered domain generation algorithm (RDGA) techniques for domain provisioning; no additional campaign details provided in the content.

Picus Security Blog (News), Aug 2, 2024
August 2024: Latest Malware, Vulnerabilities and Exploits

Prolific Puma is an infrastructure and tooling provider for ransomware operations, supporting Play Ransomware Gang with shared IPs and tools.

Spamhaus Blog (News), Dec 7, 2023
Service providers | WHOIS: identification or correlation? | Spamhaus

Associated with a large number of malicious domains that were correlated through WHOIS domain owner records; the operator registered domains under the .us TLD.

Infoblox Blog (News), Oct 31, 2023
Prolific Puma: Shadowy Link Shortening Service Enables Cybercrime

Prolific Puma is a DNS-based threat actor operating a large-scale, underground link shortening service that enables other cybercriminals to distribute phishing, scams, and malware. They register tens of thousands of domains using a registered domain generation algorithm (RDGA), primarily with the registrar NameSilo, and abuse TLDs such as .us, .info, .link, and others. Their infrastructure is used as a service by multiple malicious actors to evade detection and facilitate a variety of cybercrime campaigns, including phishing, identity theft, and browser-based malware delivery.
