Investigating the UNC2975 Malvertising Campaign Infrastructure | WhoisXML API



The threat actors behind the UNC2975 malvertising campaign have been distributing two backdoors—DANABOT or DARKGATE—to unwitting users’ computers. Those who happen to click poisoned search engine results and social media posts may end up losing their data or worse. [1]

Security researchers identified 28 indicators of compromise (IoCs), including 19 domains and nine IP addresses. To uncover as many potentially connected artifacts as possible, the WhoisXML API team expanded the IoC list aided by our comprehensive DNS intelligence sources and found:

  • 239 domains connected to email addresses found in the historical WHOIS records of the domains identified as IoCs
  • 13 IP addresses, not part of the current list of IoCs, to which the domains identified as IoCs resolved
  • Three domains that shared the dedicated hosts of the domain IoCs or resolved to the IP addresses identified as IoCs
  • 2,772 domains that contained text strings found among the domains identified as IoCs
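The four pivots listed above, as an added example that is not WhoisXML API's own code or data: every domain, IP address and e-mail below is constructed, and each pivot is a set operation over a hypothetical WHOIS-history and passive-DNS snapshot.

```python
# Added example (not WhoisXML API's code): the four IoC-expansion pivots the
# report describes, run over constructed WHOIS and passive-DNS data.
IOC_DOMAINS = {"ioc-one.test", "ioc-two.test"}          # constructed
IOC_IPS = {"192.0.2.10"}                                 # constructed
# Constructed historical WHOIS: domain -> registrant e-mails seen over time.
WHOIS_HISTORY = {
    "ioc-one.test": {"reg-a@mail.test"},
    "ioc-two.test": {"reg-b@mail.test"},
    "other-a.test": {"reg-a@mail.test"},
    "other-b.test": {"reg-b@mail.test", "reg-c@mail.test"},
    "unrelated.test": {"reg-z@mail.test"},
}
# Constructed passive DNS: domain -> IP addresses it has resolved to.
PASSIVE_DNS = {
    "ioc-one.test": {"192.0.2.10", "198.51.100.7"},
    "ioc-two.test": {"203.0.113.5"},
    "neighbour.test": {"203.0.113.5"},
    "shared-with-ioc-ip.test": {"192.0.2.10"},
    "ioc-one-login.test": {"198.51.100.201"},
    "unrelated.test": {"198.51.100.200"},
}
STRINGS = {"ioc-one", "ioc-two"}  # text strings taken from the IoC domains

def whois_email_pivot(iocs, history):
    """Domains whose historical WHOIS shares a registrant e-mail with an IoC."""
    emails = set().union(*(history.get(d, set()) for d in iocs))
    return {d for d, e in history.items() if d not in iocs and e & emails}

def resolution_pivot(iocs, pdns, known_ips):
    """IPs the IoC domains resolved to that are not already listed as IoCs."""
    return set().union(*(pdns.get(d, set()) for d in iocs)) - known_ips

def shared_host_pivot(iocs, pdns, known_ips):
    """Domains sharing a host with an IoC domain or resolving to an IoC IP."""
    ioc_ips = set().union(*(pdns.get(d, set()) for d in iocs)) | known_ips
    return {d for d, ips in pdns.items() if d not in iocs and ips & ioc_ips}

def string_pivot(candidates, iocs, strings):
    """Non-IoC domains containing a text string seen in the IoC domains."""
    return {d for d in candidates - iocs if any(s in d for s in strings)}

def expand(iocs, ips):
    """Run all four pivots; keys mirror the report's four findings."""
    seen = set(WHOIS_HISTORY) | set(PASSIVE_DNS)
    return {"whois_email": whois_email_pivot(iocs, WHOIS_HISTORY),
            "new_ips": resolution_pivot(iocs, PASSIVE_DNS, ips),
            "shared_host": shared_host_pivot(iocs, PASSIVE_DNS, ips),
            "strings": string_pivot(seen, iocs, STRINGS)}

if __name__ == "__main__":
    for k, v in expand(IOC_DOMAINS, IOC_IPS).items(): print(k, sorted(v))
```

In practice the WHOIS and passive-DNS dictionaries would be filled from an intelligence feed, and a shared-host pivot should additionally check that the IP is a dedicated host rather than shared hosting, or it will pull in unrelated tenants.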

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors