This analysis explores the infrastructure of Laundry Bear, a Russian state-sponsored APT group active since April 2024, targeting NATO countries and Ukraine. The investigation expands on initial indicators, using advanced pivoting techniques to uncover additional domains and infrastructure. Key findings include the discovery of multiple lookalike domains, similar registration patterns, and shared hosting infrastructure. The analysis reveals a network of domains with login and account management themes, redirecting to legitimate Microsoft services. The investigation also uncovers connections to other potential malicious activities, including spear-phishing attempts and the use of PDF files for possible malware delivery. The findings demonstrate the extensive infrastructure used by the threat actor and highlight the importance of advanced threat hunting techniques in uncovering related malicious activities.
Author: AlienVault
Related Tags:
ukraine targets
domain typosquatting
russian threat actor
T1589.002
infrastructure analysis
T1584.001
T1608.001
NGO
Netherlands
Associated Indicators:
ADE08CD340765E68F65174820B46C0E3D9B52AB4
micsrosoftonline.com
bidscale.net
ebsurnmit.eu
mail-forgot.com
remerelli.com
deloittesharepoint.com
usembassyservice.com
miscrsosoft.com