The dark money group’s democracyunmuted[.]org domain is almost certainly administered using the same Cloudflare account as demfluencers[.]com.
The latter—originally registered in June 2025 and operational in the Nov/Dec timeframe—claims to provide paid opportunities and access for influencers.
Now hosting content for a Senate resolution proposed by CHD, Autism Action Network, Health Freedom Defense Fund, Stand For Health Freedom, and The Brownstone Institute. TLDR: it’s a lot of anti-vax advocacy’s greatest hits.
The linked guide to voting page for college students was removed and currently returns a Page not found error.
Most recent available entry from early September available here:
web.archive.org/web/20250903...
Between 10 and 11 September 2025, the “Know your voting rights” entry for college students was removed from vote.gov.
While not definitively related, this coincides with the timeframe—8 September 2025 per the earliest cert—when National Design Studio ostensibly began working on the site.
New toadie site in the works: 47compliance[.]org
Highly likely administered using the same Cloudflare account as a number of other pro Trump/GOP and anti Dem sites, including:
insidebidensbasement[.]org
kamalaskoup[.]org
protect47[.]org
New Children's Health Defense site registered on 1/9/26 and currently in development:
covidjustice[.]org
covidjustice[.]metalteam[.]dev (69.16.249[.]248, dev site)
Suspicious domain ms-driversync[.]com was registered through Njalla on 10/14/25 and resolves to 192.166.82[.]94.
Suspicious domain mfa[.]directory was registered through Njalla on 10/15/25 and resolves to 149.33.2[.]67.
Looking forward to finally presenting this research into Volt Typhoon in a public forum - and I can't think of a better one than @cyberwarcon.bsky.social
www.cyberwarcon.com/forecasting-...
Have you ever wanted to see two terminally online nerds really (and I mean *really*) get into the SVR deep lore while continuing the eternal goal of making 2016 last forever?
Gosh does @cyberwarcon.bsky.social have a talk for you!
We've got some good submissions flowing into the @CYBERWARCON CFP, but there's still time for more. If you have good content, and you're worried the honorarium won't cover your travel, please submit, and we'll work it out. We do this because we believe this research matters.
Kim John Un rolls off the tongue nicely
Best conference in the industry is back! cyberwarcon.com
Suspicious domains micrsosft-netupdate[.]net (109.107.172[.]123) and micrsosft-netupdate[.]net (146.103.115[.]183) were co-registered through Njalla on 8/14/25.
Suspicious domain adobereader[.]cc was registered through MonoVM on 8/5/25 using freewanatoly@2mail[.]co. Currently resolves to M247 IP 84.252.95[.]40.
Suspicious domain sophossec[.]com was registered through MonoVM on 7/15/25 using kehmar.maung@proton[.]me and resolves to 146.70.247[.]55.
Of all my professional accomplishments, I think I’m proudest of this.
Likely related domains drowingaws[.]com (13.217.161[.]160) and drowingazur[.]com (20.163.58.252) were co-registered through Njalla on 6/20/25.
Suspicious domains awsonlineserch[.]com and azuronlineserch[.]com were co-registered through Njalla on 6/19/25. Currently resolving to 34.204.12[.]191 and 20.83.167[.]25, respectively.
Suspicious domain windowsntp[.]com was registered through Njalla on 5/22/25 and then began using Cloudflare. Domain itself does not resolve, but subdomain www.windowsntp[.]com indicates MSFT Azure use.
Suspicious domain m365sessionlogin[.]com was registered through Njalla on 5/18/25. Domain itself does not resolve, but subdomains login, logon, and office365 indicate hosting at 80.78.30[.]154.
Most of the latter policy positions are copied from the American Stewards of Liberty page here:
web.archive.org/web/20250516...
Highly likely Parscale / Nucleus-administered domain congressstrongaction[.]org was registered on 9/23/24 and recently began hosting content. The org's stated policy positions appear largely aimed at curtailing laws and protections related to natural resources.
Set of suspicious domains co-registered through Njalla on 4/24/25:
esxiupdate[.]com
threatbook[.]cloud
Not currently resolving, but worth keeping an eye on.
Set of suspicious domains registered on 4/2/25 (unclear through which reseller) and administered using the same Cloudflare account:
googlealert[.]net
microsoft365signin[.]net
microsoftalert[.]net
outlooksecurity[.]net
outlooksignin[.]net
Suspicious domain analytics[.]airforce was registered through Njalla on 4/2/25 and resolves to BL Networks IP 64.52.80[.]61.
The Children's Health Defense staging site associated with realcdc[.]org indicates they are setting it up to pose as a legitmate CDC site questioning vaccine safety, complete with parent testimonials. Currently no overt indication the site is run by CHD.
Suspicious domain chromeupdate[.]net was registered through Njalla on 3/11/25. Not currently resolving, but worth keeping an eye on.
Suspicious domain nvidia-installer[.]com was registered through Njalla on 3/10/25 and resolves to 51.44.166[.]225.
Again, not saying that's what is happening here. Nor am I stating the conclusions in the SFS site are incorrect or that there is malicious intent behind it. Unfortunately, it is a concerning vulnerability to IO predicated on shortsighted reactivity that we have to consider these days. (4/4)