Lynx DLS analysis (IoC and more)

Sharing of IoCs, reports and analysis material useful for framing malicious scenarios (threats), tactics, techniques and procedures (TTPs) and criminal actors
nuke
Site Admin
Posts: 1205
Joined: 07.08.2023, 15:30


Post by nuke »

Technical Analysis of Lynx Ransomware Group's DLS – API Structure, Endpoint Usage & Infrastructure Discovery

While analyzing the DLS (Data Leak Site) of the Lynx ransomware group, I uncovered interesting implementation details and indicators related to both their frontend and backend infrastructure. This post outlines the process, tools, and findings in a step-by-step technical breakdown.


Backend Technology: Axios

Upon reviewing the site's code, I identified the use of Axios for backend communications. Axios is a promise-based HTTP client for the browser and Node.js, commonly used for sending asynchronous HTTP requests to REST endpoints. Its presence suggested a structured API-based backend architecture, which I subsequently investigated.


JavaScript Deobfuscation & Endpoint Enumeration

I began by beautifying the minified JavaScript used on the frontend of the Lynx DLS. This allowed me to extract and analyze the various REST API endpoints invoked by the frontend.

Here are the API endpoints I discovered:

Code:

/api/v1/blog/get/news
/api/v1/blog/download/
/api/v1/blog/get/announcements
/api/v1/blog/get/disclosures/
/api/v1/blog/download/
/api/v1/blog/get/folder/
/api/v1/blog/get/file/
/api/v1/blog/get/announcement/${e}
/api/v1/blog/get/captcha
/api/v1/blog/create/report

Focus on /disclosures Endpoint

Among the above endpoints, the most interesting is:

Code:

/api/v1/blog/get/disclosures/

This endpoint retrieves detailed information about leak disclosures. However, querying it directly requires both an id and a password.

The password for the request is not meant to be public, but it's leaked by the site itself through another endpoint:

Code:

/api/v1/blog/get/announcements

This endpoint returns a JSON structure where each object contains a password field. Using these credentials in conjunction with the /disclosures endpoint, I was able to access data from specific leak entries.

New Clear Web Domain Discovery
During reconnaissance, I discovered a previously unreported clear web domain associated with Lynx:

Code:

first.lynxcdn.com

This domain resolves to infrastructure linked to Russian IP addresses and additional subdomains that help map out part of their CDN and panel architecture. Below is the result of DNS and passive lookup analyses:

Code:

first.lynxcdn.com         --> compod.lynxcdn.com
                          --> 198.54.117.244

hoaxilla.lynxcdn.com      --> 45.8.229.230
hostmaster.lynxcdn.com    --> 45.8.229.230
lynxcdn.com               --> 45.8.229.230
second.lynxcdn.com        --> 45.8.229.230
www.lynxcdn.com           --> 77.233.223.93
These findings provide insights into the group’s infrastructure diversification strategy, likely to improve redundancy and evade takedown efforts.

Conclusion

This technical walkthrough provides visibility into the Lynx ransomware group’s DLS mechanics, particularly its API usage and the accidental exposure of credentials via its announcement system. The discovery of a new clear web domain linked to Russian infrastructure is further evidence of the group’s evolving threat posture.

Happy to hear thoughts or comparisons if others are seeing similar setups elsewhere.


IOCs Summary:

Code:

# Domains
first.lynxcdn.com
compod.lynxcdn.com
hoaxilla.lynxcdn.com
hostmaster.lynxcdn.com
lynxcdn.com
second.lynxcdn.com
www.lynxcdn.com

# IPs
198.54.117.244
45.8.229.230
77.233.223.93
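As an added illustration of the endpoint-enumeration step described in the post (this is editor-added example code, not the author's tooling or the Lynx site's code), the following Python script pulls Axios call paths out of beautified frontend JavaScript. The JS sample is constructed to mimic the pattern and reuses the paths listed above; `{param}` is the placeholder this script assigns to template-literal or concatenated arguments, and the `baseURL` handling assumes the standard Axios join behaviour.

```python
import re
from typing import Dict, List

# Constructed sample in the style of beautified Axios calls on a DLS frontend.
# It is NOT the real Lynx code; only the paths come from the post above.
SAMPLE_JS = r'''
const a = axios.create({ baseURL: "/api/v1" });
function news() { return a.get("/blog/get/news"); }
function ann() { return a.get('/blog/get/announcements'); }
function one(e) { return a.get("/blog/get/announcement/" + e); }
function folder(e) { return a.get(`/blog/get/folder/${e}`); }
function disc(e) { return a.get(`/blog/get/disclosures/${e}`); }
function report(p) { return a.post("/blog/create/report", p); }
'''

# Matches .get("..."), .post('...'), .get(`...${x}`) and "..." + var forms.
CALL_RE = re.compile(
    r"\.(?P<method>get|post|put|patch|delete)\(\s*"
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|`(?P<tl>[^`]*)`)"
    r"(?P<concat>\s*\+\s*[A-Za-z_$][\w$]*)?"
)
BASE_RE = re.compile(r"baseURL\s*:\s*[\"'`]([^\"'`]+)[\"'`]")
TEMPLATE_RE = re.compile(r"\$\{[^}]*\}")


def extract_endpoints(js: str) -> Dict[str, List[str]]:
    """Return {HTTP_METHOD: sorted unique paths} found in beautified JS.

    Dynamic segments (template literals or string + variable concatenation)
    are normalised to the placeholder {param} so they dedupe cleanly.
    """
    m = BASE_RE.search(js)
    base = m.group(1).rstrip("/") if m else ""
    found: Dict[str, set] = {}
    for call in CALL_RE.finditer(js):
        path = call.group("dq") or call.group("sq") or call.group("tl") or ""
        if not path:
            continue
        path = TEMPLATE_RE.sub("{param}", path)
        if call.group("concat"):
            path += "{param}"
        # Axios joins baseURL with a relative path; absolute URLs are left alone.
        if base and not path.startswith(("http://", "https://")):
            path = base + "/" + path.lstrip("/")
        found.setdefault(call.group("method").upper(), set()).add(path)
    return {method: sorted(paths) for method, paths in found.items()}


if __name__ == "__main__":
    for method, paths in extract_endpoints(SAMPLE_JS).items():
        for p in paths:
            print(method, p)
```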