Hunting Laundry Bear: Infrastructure Analysis Guide and Findings

Aug. 29, 2025, 3:19 p.m.

Description

This analysis explores the infrastructure of Laundry Bear, a Russian state-sponsored APT group active since April 2024, targeting NATO countries and Ukraine. The investigation expands on initial indicators, using advanced pivoting techniques to uncover additional domains and infrastructure. Key findings include the discovery of multiple lookalike domains, similar registration patterns, and shared hosting infrastructure. The analysis reveals a network of domains with login and account management themes, redirecting to legitimate Microsoft services. The investigation also uncovers connections to other potential malicious activities, including spear-phishing attempts and the use of PDF files for possible malware delivery. The findings demonstrate the extensive infrastructure used by the threat actor and highlight the importance of advanced threat hunting techniques in uncovering related malicious activities.

Date

  • Created: Aug. 29, 2025, 12:19 p.m.
  • Published: Aug. 29, 2025, 12:19 p.m.
  • Modified: Aug. 29, 2025, 3:19 p.m.

Attack Patterns

  • Laundry Bear

Additional Information

  • Defense
  • NGO
  • Government
  • Netherlands
  • Ukraine
  • United States of America