APT29 Goes from Targeted Attacks to Phishing via NOBELIUM | WhoisXML API


APT29 Goes from Targeted Attacks to Phishing via NOBELIUM: A DNS Deep Dive

Who knew that targeted attack groups like APT29 could also dip into cybercriminal activities? [1] The advanced persistent threat (APT) group was seen launching phishing campaigns through NOBELIUM to target Microsoft cloud services. [2]

Forty-eight NOBELIUM indicators of compromise (IoCs)—41 domains and seven IP addresses—have been made public to date. [3] To uncover unidentified artifacts in an effort to make the Internet safer and more transparent, we at WhoisXML API dove deep into the threat, aided by our comprehensive DNS intelligence.

Our in-depth analysis found:

  • 13 IP addresses to which some of the domains identified as IoCs resolved, 10 of which turned out to be malicious based on malware checks
  • 422 domains that shared the dedicated IP addresses of some of the IoCs and additional resolutions as hosts
  • 577 domains and subdomains containing the strings microsoft365, microsoftonedrive, microsoftdynamics365, microsoftteams, and microsoftintune, 10 of which turned out to be malware hosts based on bulk malware checks
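The three pivots listed above (IoC resolutions with a malware verdict, co-hosted domains on dedicated IPs, and brand-string matching) can be reproduced over passive-DNS data. The Python below is an added illustration, not WhoisXML API's code or dataset: every hostname, IP address and malware verdict in it is a constructed placeholder, and `DEDICATED_MAX` is an assumed threshold for treating an IP as dedicated rather than shared hosting.

```python
"""Infrastructure expansion over a constructed passive-DNS sample (offline)."""
from collections import defaultdict
import re

# Constructed sample records: (hostname, resolved IP). Placeholders only,
# not the published NOBELIUM IoCs.
PDNS_RECORDS = [
    ("ioc-one.example", "203.0.113.10"),
    ("ioc-two.example", "203.0.113.10"),
    ("ioc-three.example", "198.51.100.7"),
    ("unrelated-shop.example", "203.0.113.10"),
    ("login-microsoft365.example", "203.0.113.10"),
    ("cdn.microsoftteams-files.example", "192.0.2.44"),
    ("news.example", "198.51.100.200"),
]
# Assumed threshold: an IP hosting at most this many names counts as dedicated;
# a shared-hosting IP with thousands of tenants is a poor pivot.
DEDICATED_MAX = 5
# Constructed verdicts standing in for the bulk malware check.
MALWARE_VERDICTS = {"203.0.113.10": True, "198.51.100.7": True}
# Brand strings from the findings above.
BRAND_STRINGS = ("microsoft365", "microsoftonedrive", "microsoftdynamics365",
                 "microsoftteams", "microsoftintune")

def resolve_iocs(ioc_domains, records=PDNS_RECORDS):
    """Pivot 1: IPs the IoC domains resolved to, each with its malware verdict."""
    return {ip: MALWARE_VERDICTS.get(ip, False)
            for host, ip in records if host in ioc_domains}

def cohosted_domains(ioc_domains, records=PDNS_RECORDS, dedicated_max=DEDICATED_MAX):
    """Pivot 2: non-IoC hostnames sharing a dedicated IP with at least one IoC."""
    by_ip = defaultdict(set)
    for host, ip in records:
        by_ip[ip].add(host)
    found = set()
    for hosts in by_ip.values():
        if hosts & ioc_domains and len(hosts) <= dedicated_max:
            found |= hosts - ioc_domains
    return found

def brand_string_hosts(records=PDNS_RECORDS, strings=BRAND_STRINGS):
    """Pivot 3: hostnames containing any of the brand strings (case-insensitive)."""
    pattern = re.compile("|".join(re.escape(s) for s in strings), re.IGNORECASE)
    return sorted({host for host, _ in records if pattern.search(host)})
```

Candidates from pivots 2 and 3 are leads for a malware check, not verdicts; a name that merely contains a brand string is not malicious by itself.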

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
  • [2] https://www.microsoft.com/en-us/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
  • [3] https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv