A recent investigation by DomainTools Investigations (DTI) has uncovered a large phishing infrastructure targeting defense and aerospace entities, particularly those linked to the conflict in Ukraine.
This sophisticated campaign involves a network of mail servers supporting domains that mimic legitimate organizations, designed to steal valuable credentials from employees in these sectors.
The infrastructure relies on a handful of mail servers, each hosting multiple spoofed domains that closely resemble real company websites.
These domains typically host webmail login pages engineered to capture login credentials from unsuspecting users.
Notably, the investigation identified a phishing page on a domain named kroboronprom[.]com, which impersonates Ukraine's largest arms manufacturer, Ukroboronprom.
Key Findings
- Phishing Infrastructure Details
- kroboronprom[.]com: This domain, designed to spoof Ukroboronprom, was first detected on December 20, 2024. It hosts a webmail login page built with Mailu, an open-source mail server software available on GitHub.
- Related Domains: Further analysis identified nine other domains with the same site title. These include scooby-doo[.]xyz, lucky-guy[.]house, and santa-clause[.]online, among others. All were registered through the Spaceship registrar and hosted on GHOSTnet VPS.
- Expansion of Identified Domains
- A secondary search revealed three additional domains (space-kitty[.]online, stupid-buddy[.]mom, and hungry-shark[.]sit), which also host Mailu webmail login pages. These are suspected of being used for credential theft.
- These domains were used as MX domains for mail servers supporting a large set of spoofed domains targeting the defense, aerospace, and IT sectors. In total, 878 spoofed domains were identified.
The attackers likely use these spoofed domains to send phishing emails that appear to originate from within the targeted organization.
These emails contain malicious links or attachments that direct recipients to fake webmail login pages designed to harvest credentials.
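A defender-side way to act on the MX pivot described above, added here as an example and not part of the DomainTools report: given a table of domains and their MX hosts, the script pivots from known suspicious mail hosts to every domain they serve, then scores each domain's registrable label against protected brand names with an edit distance so that lookalikes such as kroboronprom vs. ukroboronprom stand out. The MX table, the brand list and the acme-aero names are constructed sample data; the scooby-doo[.]xyz and lucky-guy[.]house hosts are taken from the findings above. In real use the table would be filled from MX lookups and the two-label registrable-domain heuristic replaced with a public-suffix list.

```python
"""Pivot from suspicious MX hosts to the spoofed domains they serve and
flag brand lookalikes. Added example; not DomainTools' code. All DNS data
below is constructed for illustration."""


def refang(indicator: str) -> str:
    """Turn report-style defanged names ("a[.]b") back into resolvable form."""
    return indicator.replace("[.]", ".").strip().lower()


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: the last two DNS labels.
    Adequate for the constructed data here; production code should use a
    public-suffix list so that names under co.uk etc. are handled."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) via rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def pivot_by_mx(mx_records: dict, suspicious_mx: set) -> dict:
    """Return {domain: suspicious_mx_domain} for every domain whose MX host
    sits under one of the known-bad mail domains."""
    hits = {}
    for domain, mx_hosts in mx_records.items():
        for mx in mx_hosts:
            bad = registrable(mx)
            if bad in suspicious_mx:
                hits[domain] = bad
                break
    return hits


def best_brand_match(domain: str, brands: set):
    """Closest protected brand to the domain's registrable label, with distance."""
    label = registrable(domain).split(".")[0]
    best = min(brands, key=lambda b: levenshtein(label, b))
    return best, levenshtein(label, best)


def triage(mx_records: dict, suspicious_mx: set, brands: set, max_distance: int = 2) -> list:
    """One row per domain served by a suspicious MX; 'brand' is set only when
    the label is within max_distance edits of a protected brand."""
    rows = []
    for domain, bad_mx in sorted(pivot_by_mx(mx_records, suspicious_mx).items()):
        brand, dist = best_brand_match(domain, brands)
        rows.append({
            "domain": domain,
            "mx": bad_mx,
            "brand": brand if dist <= max_distance else None,
            "distance": dist,
        })
    return rows


# Suspicious mail domains, written defanged as in the report and refanged here.
SUSPICIOUS_MX = {refang(d) for d in ["scooby-doo[.]xyz", "lucky-guy[.]house"]}

# Constructed MX table: the acme-aero entries and random-shop are invented.
MX_RECORDS = {
    "kroboronprom.com": ["mail.scooby-doo.xyz"],      # lookalike of Ukroboronprom
    "acme-aer0.net": ["mail.lucky-guy.house"],        # constructed lookalike
    "random-shop.example": ["mail.lucky-guy.house"],  # same bad MX, no brand match
    "acme-aero.example": ["mx1.acme-aero.example"],   # constructed legitimate domain
}

# Protected brand labels (acme-aero is a constructed placeholder).
BRANDS = {"ukroboronprom", "acme-aero"}

if __name__ == "__main__":
    for row in triage(MX_RECORDS, SUSPICIOUS_MX, BRANDS):
        print(row)
```

The pivot alone already surfaces every domain that a compromised or attacker-run mail host serves, which is how a handful of servers can be tied to hundreds of spoofed names; the edit-distance pass then orders the results by how closely each one imitates a brand you care about, so analysts look at kroboronprom before random-shop.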
Targets and Motivation
The campaign focuses heavily on defense and aerospace companies that have provided support to Ukraine's military efforts against Russia.
This suggests a motivation rooted in cyber espionage, aimed at gathering intelligence related to the ongoing conflict in Ukraine.
In addition to credential phishing, some domains have been linked to the distribution of malicious files.
The subdomain cryptshare.rheinemetall[.]com was used to facilitate file sharing, masquerading as a legitimate secure file retrieval service. This suggests a broader range of malicious activity beyond credential theft.
While the precise actor behind this campaign remains unidentified, the emphasis on defense and aerospace entities and the tactics employed strongly suggest a cyber espionage motive tied to the Ukraine conflict.
The extensive use of spoofed domains and webmail login pages underscores the sophistication and scale of this threat, highlighting the need for vigilance among these critical sectors.