
Large-Scale Phishing Campaign Targets Defense and Aerospace Companies

A recent investigation by DomainTools Investigations (DTI) has uncovered a massive phishing infrastructure targeting defense and aerospace entities, particularly those linked to the conflict in Ukraine.

This sophisticated campaign involves a network of mail servers supporting domains that mimic legitimate organizations, designed to steal critical credentials from employees in these sectors.

The infrastructure relies on a handful of mail servers, each hosting multiple spoofed domains that closely resemble genuine company websites.

These domains typically host webmail login pages, engineered to capture log-in credentials from unsuspecting users.

Webmail login page hosted on kroboronprom[.]com

Notably, the investigation identified a phishing page on a domain named kroboronprom[.]com, which impersonates Ukraine’s largest arms manufacturer, Ukroboronprom.

Domains likely related to kroboronprom[.]com

Key Findings

  1. Phishing Infrastructure Details
    • kroboronprom[.]com: This domain, designed to spoof Ukroboronprom, was first detected on December 20, 2024. It hosts a webmail login page built using Mailu, an open-source mail server software available on GitHub.
    • Associated Domains: Upon further analysis, nine other domains with the same website title were identified. These include scooby-doo[.]xyz, lucky-guy[.]space, and santa-clause[.]online, among others. All were registered with the Spaceship registrar and hosted on GHOSTnet VPS.
  2. Expansion of Identified Domains
    • A secondary search revealed three additional domains (space-kitty[.]online, stupid-buddy[.]mom, and hungry-shark[.]sit), which also host Mailu webmail login pages. These are suspected to be used for credential theft.
    • These domains were used as MX domains for mail servers supporting a large set of spoofed domains targeting defense, aerospace, and IT sectors. In total, 878 spoofed domains were identified.

The attackers likely use these spoofed domains to send phishing emails that appear to originate from within the targeted organization.

These emails contain malicious links or attachments directing recipients to fake webmail login pages designed to harvest credentials.
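As an added illustration (not code from the DTI report or this article), the script below applies the two pivots described above to constructed records: it flags domains whose second-level label is one edit away from a protected brand name (kroboronprom vs. Ukroboronprom, rheinemetall vs. Rheinmetall) and groups domains that share a mail (MX) host. The protected brand list and the domain-to-MX mapping are assumptions made for the example.

```python
# Defender-side triage of candidate phishing domains, using two pivots from the
# DTI write-up: lookalikes of a protected brand (a small edit away) and domains
# that share a mail (MX) host. Sample records are constructed for this example.
from collections import defaultdict

# Brands the defender wants to protect (assumption for the example).
PROTECTED = {"ukroboronprom", "rheinmetall"}

# Constructed passive-DNS style records (domain, MX host). The domain names come
# from the report; which MX host each one uses is made up here.
RECORDS = [
    ("kroboronprom.com", "mail.space-kitty.online"),
    ("scooby-doo.xyz", "mail.space-kitty.online"),
    ("lucky-guy.space", "mail.stupid-buddy.mom"),
    ("rheinemetall.com", "mail.hungry-shark.sit"),
    ("example.org", "mx.example.org"),
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(domains, protected=PROTECTED, max_dist=1):
    """Map each domain whose second-level label is within max_dist edits of a
    protected brand (but not identical to it) to that brand."""
    hits = {}
    for d in domains:
        parts = d.lower().rstrip(".").split(".")
        label = parts[-2] if len(parts) > 1 else parts[0]  # 'kroboronprom'
        for brand in protected:
            if label != brand and edit_distance(label, brand) <= max_dist:
                hits[d] = brand
    return hits

def cluster_by_mx(records, min_size=2):
    """Group domains by shared MX host; only clusters of min_size or more are
    returned, since one mail server serving several unrelated names is the pivot."""
    groups = defaultdict(set)
    for domain, mx in records:
        groups[mx.lower()].add(domain.lower())
    return {mx: sorted(ds) for mx, ds in groups.items() if len(ds) >= min_size}
```

Run against real passive-DNS or registrar data, the MX clusters are the starting point for blocklists and the lookalike hits feed brand-monitoring alerts.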

Targets and Motivation

The campaign focuses heavily on defense and aerospace companies that have provided support to Ukraine’s military efforts against Russia.

This suggests a motivation rooted in cyber espionage, aimed at gathering intelligence related to the ongoing conflict in Ukraine.

Besides credential phishing, some domains were linked to the distribution of malicious files.

The subdomain cryptshare.rheinemetall[.]com was used to facilitate file sharing, masquerading as a legitimate secure file retrieval service. This indicates a broader range of malicious activities beyond credential theft.

Screenshot of cryptshare.rheinemetall[.]com

While the precise actor behind this campaign remains unidentified, the emphasis on defense and aerospace entities and the tactics employed strongly suggest a cyber espionage motive tied to the Ukraine conflict.

The extensive use of spoofed domains and webmail login pages underscores the sophistication and scale of this threat, highlighting the need for vigilance among these critical sectors.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
