Tracking Adversaries: Ghostwriter APT Infrastructure
Jan. 24, 2025, 2:24 p.m.
Description
This analysis examines the infrastructure used by the Ghostwriter APT group, focusing on their phishing campaign targeting the Ukrainian military. By pivoting on overlapping indicators of compromise (IOCs) from multiple threat reports, a cluster of malicious domains was identified. These domains share common attributes such as registrar, name servers, and TLD. Using these patterns, additional unreported domains likely created by Ghostwriter were uncovered. The investigation also revealed associated malware samples communicating with these domains. This infrastructure pivoting approach demonstrates how threat intelligence analysts can gain deeper insight into an adversary's targets, capabilities, and behaviors by thoroughly examining IOC attributes and the connections between them.
Tags
Date
- Created: Jan. 24, 2025, 1:30 p.m.
- Published: Jan. 24, 2025, 1:30 p.m.
- Modified: Jan. 24, 2025, 2:24 p.m.
Indicators
- 2aa6b36a717be8bc49f7925434ca40f3ecb9f628414b491da3e985677508ca08
- utahsadventurefamily.shop
- twisterplussize.shop
- thevegan8.shop
- semanticscholar.shop
- physio-pedia.shop
- penandthepad.shop
- moonlightmixes.shop
- medicalnewstoday.shop
- lauramcinerney.shop
- lansdownecentre.shop
- kingarthurbaking.shop
- jackbenimblekids.shop
- ikitas.shop
- foampartyhats.shop
- empoweringparents.shop
- eartheclipse.shop
- disneyfoodblog.shop
- connecticutchildrens.shop
- clairedeco.shop
- chaptercheats.shop
- bryndonovan.shop
- backstagemerch.shop
- simonandschuster.shop
- goudieelectric.shop
Additional Information
- Defense
- Government
- Belarus
- Ukraine