{"id":731,"date":"2025-03-27T13:18:49","date_gmt":"2025-03-27T13:18:49","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=731"},"modified":"2025-03-27T13:18:49","modified_gmt":"2025-03-27T13:18:49","slug":"massive-scale-phishing-marketing-campaign-targets-protection-and-aerospace-firms","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=731","title":{"rendered":"Large-Scale Phishing Campaign Targets Defense and Aerospace Firms"},"content":{"rendered":"<div>\n<p>A recent investigation by DomainTools Investigations (DTI) has uncovered a massive phishing infrastructure targeting defense and aerospace entities, particularly those linked to the conflict in Ukraine.<\/p>\n<p>This sophisticated campaign involves a network of mail servers supporting domains that mimic legitimate organizations, designed to steal critical <a rel=\"nofollow noreferrer noopener\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/new-arcane-stealer-spreads-via-youtube\/\">credentials<\/a> from employees in these sectors.<\/p>\n<p>The infrastructure relies on a handful of mail servers, each hosting multiple spoofed domains that closely resemble genuine company websites.<\/p>\n<p>These domains often host webmail login pages, engineered to capture login credentials from unsuspecting users.<\/p>\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"512\" height=\"384\" src=\"https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-76.png\" alt=\"Webmail login page hosted on kroboronprom[.]com\" class=\"wp-image-125509\" srcset=\"https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-76.png 512w, https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-76-300x225.png 300w, https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-76-80x60.png 80w, https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-76-150x113.png 150w, https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-76-265x198.png 265w\" sizes=\"(max-width: 512px) 100vw, 512px\"\/><figcaption class=\"wp-element-caption\">Webmail login page hosted on kroboronprom[.]com<\/figcaption><\/figure>\n<p>Notably, the <a rel=\"nofollow noreferrer noopener\" target=\"_blank\" href=\"https:\/\/dti.domaintools.com\/phishing-campaign-targets-defense-and-aerospace-firms-linked-to-ukraine-conflict\/\">investigation<\/a> identified a phishing page on a domain named kroboronprom[.]com, which impersonates Ukraine\u2019s largest arms manufacturer, Ukroboronprom.<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"726\" height=\"170\" src=\"https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-50.jpg\" alt=\"Domains Likely Related to kroboronprom[.]com\" class=\"wp-image-125510\" srcset=\"https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-50.jpg 726w, https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-50-300x70.jpg 300w, https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-50-150x35.jpg 150w, https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-50-696x163.jpg 696w\" sizes=\"auto, (max-width: 726px) 100vw, 726px\"\/><figcaption class=\"wp-element-caption\">Domains Likely Related to kroboronprom[.]com<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\"><strong>Key Findings<\/strong><\/h2>\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Phishing Infrastructure Details<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>kroboronprom[.]com<\/strong>: This domain, designed to spoof Ukroboronprom, was first detected on December 20, 2024. It hosts a webmail login page built using Mailu, an open-source mail server software available on GitHub.<\/li>\n<li><strong>Related Domains<\/strong>: Upon further analysis, nine other domains with the same website title were identified. These include scooby-doo[.]xyz, lucky-guy[.]house, and santa-clause[.]on-line, among others. All were registered with the Spaceship registrar and hosted on GHOSTnet VPS.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expansion of Identified Domains<\/strong>\n<ul class=\"wp-block-list\">\n<li>A secondary search revealed three additional domains (space-kitty[.]on-line, stupid-buddy[.]mother, and hungry-shark[.]sit), which also host Mailu webmail login pages. These are suspected to be used for credential theft.<\/li>\n<li>These domains were used as MX domains for mail servers supporting a large set of spoofed domains targeting the defense, aerospace, and IT sectors. In total, 878 spoofed domains were identified.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>The attackers likely use these spoofed domains to send <a rel=\"nofollow noreferrer noopener\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/konni-malware\/\">phishing emails<\/a> that appear to originate from within the targeted organization.<\/p>\n<p>These emails contain malicious links or attachments directing recipients to fake webmail login pages designed to harvest credentials.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Targets and Motivation<\/strong><\/h2>\n<p>The campaign focuses heavily on defense and aerospace companies that have provided support to Ukraine\u2019s military efforts against Russia.<\/p>\n<p>This suggests a motivation rooted in cyber espionage, aimed at gathering intelligence related to the ongoing conflict in Ukraine.<\/p>\n<p>In addition to credential phishing, some domains have been linked to the distribution of malicious files.<\/p>\n<p>The subdomain cryptshare.rheinemetall[.]com was used to facilitate file sharing, masquerading as a legitimate secure file retrieval service. This suggests a broader range of malicious activities beyond credential theft.<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"512\" height=\"384\" src=\"https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-77.png\" alt=\"Screenshot of cryptshare.rheinemetall[.]com\" class=\"wp-image-125511\" srcset=\"https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-77.png 512w, https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-77-300x225.png 300w, https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-77-80x60.png 80w, https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-77-150x113.png 150w, https:\/\/gbhackers.com\/wp-content\/uploads\/2025\/03\/image-77-265x198.png 265w\" sizes=\"auto, (max-width: 512px) 100vw, 512px\"\/><figcaption class=\"wp-element-caption\">Screenshot of cryptshare.rheinemetall[.]com<\/figcaption><\/figure>\n<p>While the precise actor behind this campaign remains unidentified, the emphasis on defense and aerospace entities and the tactics employed strongly suggest a cyber espionage motive tied to the Ukraine conflict.<\/p>\n<p>The extensive use of spoofed domains and webmail login pages underscores the sophistication and scale of this threat, highlighting the need for vigilance among these critical sectors.<\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>A recent investigation by DomainTools Investigations (DTI) has uncovered a massive phishing infrastructure targeting defense and aerospace entities, particularly those linked to the conflict in Ukraine. This sophisticated campaign involves a network of mail servers supporting domains that mimic legitimate organizations, designed to steal critical credentials from employees in these sectors. The infrastructure [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":733,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[398,396,399,397,395,261,303],"class_list":["post-731","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-aerospace","tag-campaign","tag-companies","tag-defense","tag-largescale","tag-phishing","tag-targets"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=731"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/731\/revisions"}],"predecessor-version":[{"id":732,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/731\/revisions\/732"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/733"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}