
Hey All, 

 

Came across a cool query to find the Astaroth domains in this Twitter post: https://x.com/johnk3r/status/1833899781099524181


The apex domains (ignoring subdomain) all seem to redirect to twitter, linkedin or instagram which is strange. Combined with the unusual .cfd domain, it’s unique enough to make a query.

This works best if you have regex (the `.` before `com` is escaped so it only matches a literal dot):
services.http.response.headers: (key: `Location` and value.headers:/https?:\/\/(www\.)?(instagram|x|twitter|linkedin)\.com/) AND services.tls.certificates.leaf_data.names:"*cfd"

For those without regex, you can use this and replace instagram with linkedin, twitter or x. 

services.http.response.headers: (key: `Location` and value.headers:`https://www.instagram.com`) AND services.tls.certificates.leaf_data.names:"*cfd"
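The same two-part test (a Location header pointing at instagram/x/twitter/linkedin, plus a TLS leaf certificate carrying a .cfd name) can be re-run locally over exported host records, for example to re-check results after the fact or to tune the match. The block below is an added example and is not code from the original post or from Censys; the record layout it assumes (a `services` list with `http.response.headers` as a header-name to value-list map and `tls.certificates.leaf_data.names`) mirrors the field names in the query but is an assumption, and the sample hosts are constructed, not real data. It also tightens the cert check to a literal `.cfd` suffix rather than the looser `*cfd` wildcard, and anchors the redirect regex so `twitter.com.evil.cfd` does not match.

```python
import re
from typing import Iterable

# Redirect target pattern from the post, anchored at both ends so only the
# bare social domain (optionally www.) with an empty path or "/" matches.
SOCIAL_REDIRECT = re.compile(
    r"^https?://(www\.)?(instagram|x|twitter|linkedin)\.com(/|$)", re.IGNORECASE
)


def redirects_to_social(headers: dict) -> bool:
    """True if any Location header value (header name matched case-insensitively)
    points at one of the social-media domains."""
    for name, values in headers.items():
        if name.lower() != "location":
            continue
        if isinstance(values, str):  # tolerate a single string as well as a list
            values = [values]
        if any(SOCIAL_REDIRECT.match(v) for v in values):
            return True
    return False


def has_cfd_cert(names: Iterable[str]) -> bool:
    """True if any certificate name ends in the .cfd TLD (trailing dot and case ignored)."""
    return any(n.lower().rstrip(".").endswith(".cfd") for n in names)


def matches_astaroth_pattern(host: dict) -> bool:
    """Hypothetical host record: {'ip': str, 'services': [{'http': {...}, 'tls': {...}}, ...]}.
    Like the top-level AND in the Censys query, the redirect and the .cfd cert may come
    from different services on the same host."""
    services = host.get("services", [])
    redirect = any(
        redirects_to_social(s.get("http", {}).get("response", {}).get("headers", {}))
        for s in services
    )
    cfd = any(
        has_cfd_cert(
            s.get("tls", {}).get("certificates", {}).get("leaf_data", {}).get("names", [])
        )
        for s in services
    )
    return redirect and cfd


def filter_hosts(hosts: list) -> list:
    """Return the IPs of hosts that satisfy both conditions."""
    return [h["ip"] for h in hosts if matches_astaroth_pattern(h)]


def _host(ip, headers=None, names=None):
    # Small builder for the constructed sample records below.
    svc = {}
    if headers is not None:
        svc["http"] = {"response": {"headers": headers}}
    if names is not None:
        svc["tls"] = {"certificates": {"leaf_data": {"names": names}}}
    return {"ip": ip, "services": [svc]}


# Constructed sample hosts (TEST-NET addresses, invented names; not real Censys output).
SAMPLE_HOSTS = [
    # redirect + .cfd cert -> match
    _host("203.0.113.10", {"Location": ["https://www.instagram.com/"]}, ["login.example.cfd"]),
    # redirect but ordinary .com cert -> no match
    _host("203.0.113.20", {"Location": ["https://www.instagram.com/"]}, ["login.example.com"]),
    # .cfd cert but no redirect -> no match
    _host("203.0.113.30", {"Content-Type": ["text/html"]}, ["static.example.cfd"]),
    # lower-case header name, bare x.com target -> match
    _host("203.0.113.40", {"location": ["https://x.com/"]}, ["cdn.example.cfd"]),
    # look-alike target: social domain as a subdomain of a .cfd host -> no match
    _host("203.0.113.50", {"Location": ["https://twitter.com.evil.cfd/"]}, ["evil.cfd"]),
]

if __name__ == "__main__":
    for ip in filter_hosts(SAMPLE_HOSTS):
        print(ip)
```

Run it as-is to see the two matching IPs printed; to use it on real data, load the JSON host export into `hosts` in place of `SAMPLE_HOSTS`, adjusting the accessor paths in `matches_astaroth_pattern` if the export uses a different layout.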
