Privacy Ninja Domain Stolen, Now Using IP Address Tied To Malware Domain Stolen, Now Using IP Address Tied To Malware

The domain name perl.comwas stolen this week and is now points to an IP address associated with malware campaigns. is a site owned by The Perl Foundation and has been used since 1997 to post news and articles about the Perl programming language.

On January 27th, the Perl NOC site posted that the domain was hijacked and is now pointing users to a different IP address.

“The domain was hijacked this morning, and is currently pointing to a parking site.  Work is ongoing to attempt to recover it,” the post reads.

The site was originally hosted at the IP address, but since being hijacked, it is now hosted at the Google Cloud IP address 35.186.238[.]101.

When visiting the site, users are greeted with a blank page. The HTML for the page contains Godaddy parked domain scripts even though the domain is registered with the registrar key-systems(.)net.

brian d foy, a Perl programming language author, tweeted that they have temporarily setup at for users who wish to access the site until the domain is recovered.

Also Read: Going Beyond DPO Meaning: Ever Heard of Outsourced DPO?

Until the domain hijacking is resolved, The Perl Foundation is recommending that users do not use as a CPAN mirror and to update it using the following command:

# perl -MCPAN -eshell
cpan shell -- CPAN exploration and modules installation (v2.20)
Enter 'h' for help.

cpan[1]> o conf urllist
Please use 'o conf commit' to make the config permanent!
cpan[2]> o conf commit
commit: wrote '/root/.cpan/CPAN/'

At this time, it is not known how the domain was stolen. BleepingComputer has sent an email to The Perl Foundation with questions about this but has not received an answer.

New IP address tied to malware

The IP address that is now hosted has a long history of being used in older malware campaigns and more recent ones.

In 2019, the IP address 35.186.238[.]101 was tied to a domain distributing a malware executable [VirusTotal] for the now-defunct Locky ransomware.

More recently, a malware [VirusTotal] that appears to be an ad clicker is using the following domains as command and control (C2) servers.


These domain names both resolve to 35.186.238[.]101, as shown below.

Command and control servers hosted at 35.186.238[.]101
Command and control servers hosted at 35.186.238[.]101

When the malware attempts to connect to the URLs at these domains, they are now receicing the same parked domain scripts currently being used when visiting

These HTML responses, rather than instructions from a C2, may indicate that the IP address is under the control of a different threat actor.

Also Read: Limiting Location Data Exposure: 8 Best Practices

For now, it is strongly advised not to visit until the domain is back in the hands of The Perl Foundation, as attackers could very easily switch it to a site for more malicious purposes.

Privacy Ninja provides GUARANTEED quality and results for the following CORE SERVICES:

DPO-As-A-Service (Outsourced DPO Subscription)
Vulnerability Assessment & Penetration Testing (VAPT)
PDPA Obligations for Organizational Compliance (SkillsFuture Credit Eligible)


PDPA Compliance Audit
ital Transformation Consultancy
Data Protection Trustmarks Certification Readiness Consultancy

PDPA Data Protection Software
Smart Contract Audit



Leave a Reply

Your email address will not be published. Required fields are marked *


Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.

Powered by WhatsApp Chat

× How can we help you?