domain stolen, now using IP address tied to malware

The domain name perl.comwas stolen this week and is now points to an IP address associated with malware campaigns. is a site owned by Tom Christiansen and has been used since 1997 to post news and articles about the Perl programming language.

On January 27th, Perl programming author and editor brian d foy tweeted that the domain was suddenly registered under another person.

Intellectual property lawyer John Berryhill later replied to the tweet that the domain was stolen in September 2020 while at Network Solutions, transferred to a registrar in China on Christmas Day, and finally moved to the Key-Systems registrar on January 27th, 2020. 

It wasn’t until the last transfer that the IP addresses assigned to the domain were changed from to the Google Cloud IP address 35.186.238[.]101.

When visiting the site, users are greeted with a blank page. The HTML for the page contains Godaddy parked domain scripts even though it is registered with the registrar key-systems(.)net.

On the 28th, d foy tweeted that they have set up temporarily at for users who wish to access the site until the domain is recovered.

Until the domain hijacking is resolved, is recommending that users do not use as a CPAN mirror and to update it using the following command:

d foy has told BleepingComputer that it is not believed that the domain owner’s account was hacked and that they are currently working with Network solutions and Key-Systems to resolve the issue.

“I do know from direct communication with the Network Solutions and Key Systems that they are working on this and that the domain is locked. Tom Christiansen, the rightful owner, is going through the recovery process with those registrars.”

“Both registrars, along with a few others, reached out to me personally to offer help and guidance. We are confident that we will be able to recover the domain, but I do not have a timetable for that,” d foy told BleepingComputer.

New IP address tied to malware

The IP address that is now hosted has a long history of being used in older malware campaigns and more recent ones.

In 2019, the IP address 35.186.238[.]101 was tied to a domain distributing a malware executable [VirusTotal] for the now-defunct Locky ransomware.

More recently, a malware [VirusTotal] that appears to be an ad clicker is using the following domains as command and control (C2) servers.

These domain names both resolve to 35.186.238[.]101, as shown below.

When the malware attempts to connect to the URLs at these domains, they are now receiving the same parked domain scripts currently being used when visiting 

These HTML responses, rather than instructions from a C2, may indicate that the IP address is under the control of a different threat actor.

For now, it is strongly advised not to visit until the domain is back in the hands of The Perl Foundation, as attackers could very easily switch it to a site for more malicious purposes.

NOTE:: This article is copyright by we are using it for educational or Information purpose only

The Best Web Security & Protection for 2021