{
	"id": "e57af164-b591-4c34-a9e3-66a0bf0f107e",
	"created_at": "2026-04-06T00:14:09.530997Z",
	"updated_at": "2026-04-10T13:12:36.54227Z",
	"deleted_at": null,
	"sha1_hash": "43909669d38d35010440eb203a6b912696b19056",
	"title": "WHO Spoofing Campaign: Infra Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 225947,
	"plain_text": "WHO Spoofing Campaign: Infra Investigation\r\nBy Joe Slowik\r\nArchived: 2026-04-02 12:41:49 UTC\r\nIdentifying Network Infrastructure Related to a World Health Organization Spoofing Campaign\r\nSuspicious Domain to Functionality\r\nDomainTools monitors network infrastructure creation to identify new threats and track campaigns. As part of this work, DomainTools researchers identified two domains spoofing the World Health Organization (WHO) in late October and early November 2020:\r\neuropean-who[.]com\r\nhealth-world-org[.]com\r\nBoth domains redirected to legitimate WHO resources when accessed: european-who to the European WHO website (euro.who.int), and health-world-org to the primary WHO website (who.int). While their creation may be concerning, an initial view indicates little of significance in either item.\r\nFurther analysis shows an interesting detail. While both domains redirect to legitimate resources for HTTP communication, the European domain features an MX record mapped to dedicated infrastructure completely unrelated to WHO, shown in the following DomainTools Iris screenshot:\r\nhttps://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign\r\nPage 1 of 5\n\nThe server, located in Lithuania and provided by Informacines Sistemos IR Technologijos UAB, was uniquely associated with the “european-who” domain in October and November 2020.\r\nIn this case, we observe a domain with no noticeable or significant HTTP functionality, but which does feature an MX record. This indicates the domain may be used for email even if it is not used for command and control (C2) or similar functionality. Strictly, an MX record tells other mail servers where to deliver mail addressed to the domain, so its presence shows the domain is set up to receive mail; an operation sending phishing from the domain still wants one so that replies and bounces reach the operator, and so that receiving servers which reject mail from sender domains without a mail exchanger accept the message. 
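The triage described in this section, as an added example that is not DomainTools code or tooling: it takes a set of domain records, flags domains whose HTTP side only redirects to the spoofed organization while their MX record points somewhere else, and groups domains by shared IP address, ASN, registrar and name server, which is the pivot the report later uses to tie “office-pulgin” and “adverting-cdn” to “european-who”. The records are built from the indicators in the report’s IOC table and kept in the report’s defanged form; the MX host name, the redirect URL paths and the unknown ASN of the M247 addresses are assumptions, and the last-two-labels registrable-domain cut is a simplification of the Public Suffix List.

```python
# Added example (not DomainTools code): DNS-function triage of spoofing
# domains plus shared-infrastructure pivots. RECORDS is constructed from the
# indicators in the report; the MX host name, the redirect paths and the ASN
# of the M247 addresses are assumptions and are marked as such below.
from collections import defaultdict
from urllib.parse import urlsplit

PDR = 'PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM'


def refang(ioc):
    '''Turn the report-style defanged form (example[.]com) back into a usable name.'''
    return ioc.replace('[.]', '.').replace('hxxp', 'http')


RECORDS = [
    {'domain': 'european-who[.]com', 'redirect': 'https://euro.who.int/',  # target per report; path assumed
     'mx': 'mail.european-who[.]com',                                     # assumed name; report only says an MX exists
     'ip': '91.216.163[.]179', 'asn': 61272, 'registrar': PDR, 'ns': 'bacloud.com'},
    {'domain': 'health-world-org[.]com', 'redirect': 'https://www.who.int/',
     'mx': None, 'ip': '89.41.26[.]78', 'asn': None,                      # M247; ASN not given in the report
     'registrar': PDR, 'ns': 'bacloud.com'},
    {'domain': 'office-pulgin[.]com', 'redirect': None, 'mx': None,
     'ip': '88.119.170[.]2', 'asn': 61272, 'registrar': PDR, 'ns': 'bacloud.com'},
    {'domain': 'adverting-cdn[.]com', 'redirect': None, 'mx': None,
     'ip': '213.252.246[.]23', 'asn': 61272,                              # report: same ASN as the other items
     'registrar': PDR, 'ns': 'bacloud.com'},
    {'domain': 'who-international[.]com', 'redirect': None, 'mx': None,
     'ip': '89.41.26[.]78', 'asn': None, 'registrar': PDR, 'ns': 'bacloud.com'},
]
BY_NAME = {refang(r['domain']): r for r in RECORDS}


def registrable(host):
    '''Crude registrable-domain cut (last two labels); real tooling should use the Public Suffix List.'''
    return '.'.join(refang(host).lower().rstrip('.').split('.')[-2:])


def triage(rec):
    '''Findings for one domain: where HTTP sends visitors, and whether mail is handled outside that organisation.'''
    findings = []
    target = None
    if rec.get('redirect'):
        target = registrable(urlsplit(rec['redirect']).hostname)
        if registrable(rec['domain']) != target:
            findings.append(f'http-redirects-to:{target}')
    if rec.get('mx'):
        mx_dom = registrable(rec['mx'])
        if target is not None and mx_dom != target:
            # the web side is a harmless redirect, but mail for the domain lands somewhere else
            findings.append(f'mx-outside-spoofed-org:{mx_dom}')
    return findings


def pivot(records, keys=('ip', 'asn', 'registrar', 'ns')):
    '''Group domains by each shared attribute; only groups with more than one member are pivots worth following.'''
    groups = defaultdict(set)
    for r in records:
        for k in keys:
            val = r.get(k)
            if val is None:
                continue
            if isinstance(val, str):
                val = refang(val)
            groups[(k, val)].add(refang(r['domain']))
    return {key: sorted(members) for key, members in groups.items() if len(members) > 1}


if __name__ == '__main__':
    for r in RECORDS:
        print(refang(r['domain']), triage(r))
    for key, members in sorted(pivot(RECORDS).items(), key=lambda kv: (kv[0][0], str(kv[0][1]))):
        print(key, members)
```

The registrar and name-server pivots match all five domains and so say little on their own; the IP and ASN groups are the narrow pivots, and a domain with an MX finding but an empty pivot set is the case where the report had to fall back on partner phishing data.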
To further refine this item, a search of phishing data and campaigns is required.\r\nIdentifying a Phishing Payload\r\nWorking with several partner security companies, DomainTools identified suspicious emails, masquerading as a WHO report and survey email, sent in late October and early November 2020. The emails contained an attachment, “WHO_Report_11-17.jnlp.” The .jnlp extension denotes the Java Network Launching Protocol: a JNLP file is an XML descriptor that Java Web Start uses to locate a remote Java program (in Java Archive, or JAR, format) and the initial class to run when it is launched. Java Web Start shipped with Oracle Java 8 and earlier and was removed in JDK 11, so a JNLP lure depends on the victim still running an older Java runtime.\r\nThe observed JNLP object has the following content:\r\nWhile referring to the legitimate WHO website, the JNLP payload retrieves a JAR, “WHO_Report.jar,” from the previously observed domain, “health-world-org,” and executes the “WHO_Report” class within the JAR. Although navigating to “health-world-org” results in a redirect to the main WHO website, requesting the above resource downloads the JAR.\r\nThe JAR has the following characteristics:\r\nWHO_Report.jar\r\nMD5: 2dc6f3972a95bd3091db90d9c24606b3\r\nSHA1: 8fe66769399c11f32d2c18b99e4bdad6dbfe4d5d\r\nSHA256: 98beba8a22b5f579b89cac0a1a35a254ae81488fb549481506f20983e720c5b1\r\nReviewing the JAR, it creates two objects, an executable and a decoy document:\r\nThe document is a legitimate, benign report on the ongoing COVID-19 pandemic authored by WHO, used to distract the victim while the executable launches in the background.\r\nMalware Functionality\r\nThe executable referenced above is the primary payload for initial execution. Reviewing the JAR file, the program retrieves it from a new location, “office-pulgin[.]com,” and executes it through a call to another function, “frisco415,” shown below. 
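As an added illustration (not DomainTools code, and not the content of the actual attachment, which the report shows only as an image), the following parses a JNLP descriptor the way an analyst triages one: it resolves every jar, nativelib and extension href against the codebase, pulls the main class from application-desc or applet-desc, and flags a descriptor whose code is fetched from a host other than the one named in its information/homepage element, the mismatch that gives this lure away. SAMPLE_JNLP is constructed from the report’s description; the /app/ path and the all-permissions element are assumptions.

```python
# Added example (not DomainTools code): extract the code-loading URLs and the
# entry class from a JNLP descriptor and flag when the code is fetched from a
# host other than the site the lure claims to come from. SAMPLE_JNLP is
# constructed from the report description; it is not WHO_Report_11-17.jnlp,
# and the /app/ path and the all-permissions element are assumptions.
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

SAMPLE_JNLP = '''
<jnlp spec='1.0+' codebase='http://health-world-org.com/app/' href='WHO_Report_11-17.jnlp'>
  <information>
    <title>WHO Report</title>
    <vendor>World Health Organization</vendor>
    <homepage href='https://www.who.int/'/>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version='1.6+'/>
    <jar href='WHO_Report.jar' main='true'/>
  </resources>
  <application-desc main-class='WHO_Report'/>
</jnlp>
'''


def code_urls(root):
    '''Absolute URLs of everything the launcher will download and run: jars, native libraries, nested extensions.'''
    codebase = root.get('codebase', '')
    urls = []
    for tag in ('jar', 'nativelib', 'extension'):
        for el in root.iter(tag):
            urls.append(urljoin(codebase, el.get('href', '')))   # relative hrefs resolve against the codebase
    return urls


def entry_point(root):
    '''Main class from application-desc or applet-desc; None for component or installer descriptors.'''
    for tag in ('application-desc', 'applet-desc'):
        el = root.find(tag)
        if el is not None:          # do not test Element truthiness: childless elements are falsy
            return el.get('main-class')
    return None


def summarize(text):
    root = ET.fromstring(text.strip())
    urls = code_urls(root)
    claimed = []
    hp = root.find('information/homepage')
    if hp is not None and hp.get('href'):
        claimed.append(urlsplit(hp.get('href')).hostname)
    code_hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    return {
        'main_class': entry_point(root),
        'code_urls': urls,
        'code_hosts': code_hosts,
        'claimed_hosts': claimed,
        'host_mismatch': bool(set(code_hosts) - set(claimed)),   # code served from a host the lure never names
        'all_permissions': root.find('security/all-permissions') is not None,
    }


if __name__ == '__main__':
    for k, v in summarize(SAMPLE_JNLP).items():
        print(f'{k}: {v}')
```

The host mismatch is the decisive field for a lure like this one: vendor, title and homepage all point at who.int while the only jar resolves to health-world-org, and all-permissions asks the runtime to drop the sandbox before that jar runs.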
Interestingly, the US telephone area code for San Francisco, often referred to as “Frisco,” is 415.\r\nThe retrieved executable has the following characteristics:\r\nOffice.exe\r\nMD5: 738d16d1feadd8eb8e88149201179cb6\r\nSHA1: 0b32961bedc84134dabeceab4c3d248afa6d5ba9\r\nSHA256: 05d3a35cacf882e34b8433037ad7a9b292fcb2b08439823e4724add4ceacb665\r\nAlso of note, the “office-pulgin” domain is hosted on the same Autonomous System Number (ASN) as “european-who” (ASN 61272), at 88.119.170[.]2.\r\nWhen launched, the malware performs a request to the IPify service (ipify.org) to determine the victim’s public IP address:\r\nThe response is stored in a text file with an image extension at the following location:\r\nC:\\ProgramData\\kaosdma.png\r\nThe malware then attempts to enumerate processes on the running system, access directories typically associated with cached or saved credentials for web browsers, and access the system hosts file. Once complete, the malware attempts to communicate with another domain, “adverting-cdn[.]com,” located at 213.252.246[.]23. This IP address is in the same ASN as all other observed items.\r\nAbsent a successful connection with the resource above, observable malware functionality ceases. DomainTools was unable to identify any further activity for the sample in question. 
Based on observed behaviors, DomainTools assesses with medium confidence that the “adverting-cdn” domain serves as an exfiltration point for data harvested from the victim machine.\r\nThe overall sequence of events and malware functionality is summarized in the following diagram:\r\nPurpose and Attribution\r\nAt first glance, the activity identified above appears focused on WHO-related entities and features significant effort to masquerade as legitimate WHO services. Such a level of detail and focus typically indicates narrow targeting and significant investment in lures and infrastructure to ensure campaign success. This would imply specific targeting of WHO-related entities or other healthcare organizations, potentially for purposes such as state-directed espionage.\r\nHowever, the overall malware functionality observed above is not especially interesting and appears to be a common type of information stealer. While concerning, such malware is in widespread use and often features in criminal campaigns designed to harvest financial logons or enable ransomware incidents. Furthermore, a review of functionality—such as dropping a text file named “kaosdma.png” and contacting “adverting-cdn”—identified over a dozen similar samples in several commercial malware repositories.\r\nNone of the additional malware samples identified through the query above show any obvious relationship to the WHO-focused activity or possess identifiers indicating similar levels of targeting specificity. However, malware families referenced in identified detections include items such as AZORULT and Glupteba. 
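The behaviours described in the Malware Functionality section (a public-IP lookup against ipify, a text file parked under ProgramData with an image extension, then contact with “adverting-cdn”) lend themselves to two checks, shown here as an added example that is not DomainTools code: disguised_image compares an image extension against the file’s magic bytes, and chain_hits correlates Sysmon-style DNS, file-create and network events per process into those three stages, the same functionality-based pattern the report used to find related samples in malware repositories. The event stream, pids, process image path and the 203.0.113.7 address are constructed for the example; the event field names are simplified rather than Sysmon’s own.

```python
# Added example (not DomainTools code): two checks built from the behaviour the
# report describes. disguised_image() tests whether a file with an image
# extension actually holds image data (kaosdma.png holds an IP address as
# text). chain_hits() correlates Sysmon-style events per process into the
# ip-lookup, staged-file, exfil-contact sequence. SAMPLE_EVENTS is constructed;
# the pids, process image path and the 203.0.113.7 address are made up.
from pathlib import PureWindowsPath

PNG_MAGIC = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A])
JPEG_MAGIC = bytes([0xFF, 0xD8, 0xFF])
GIF_MAGIC = b'GIF8'
MAGIC = {'.png': (PNG_MAGIC,), '.jpg': (JPEG_MAGIC,), '.jpeg': (JPEG_MAGIC,), '.gif': (GIF_MAGIC,)}

IP_LOOKUP_HOSTS = {'api.ipify.org', 'api64.ipify.org'}
EXFIL_HOSTS = {'adverting-cdn.com'}


def disguised_image(path, head):
    '''True when the extension promises an image but the leading bytes match no known magic for it.'''
    sigs = MAGIC.get(PureWindowsPath(path).suffix.lower())
    if sigs is None:
        return False                     # not claiming to be an image, so nothing to contradict
    return not any(head.startswith(s) for s in sigs)


def in_programdata(path):
    parts = PureWindowsPath(path).parts  # accepts both separators, so raw Sysmon paths work too
    return len(parts) > 1 and parts[1].lower() == 'programdata'


def chain_hits(events):
    '''Per-pid view of which stages of the observed chain appear in the event stream.'''
    stages = {}
    for e in events:
        hit = stages.setdefault(e['pid'], {'ip_lookup': False, 'staged_file': False, 'exfil_contact': False})
        host = (e.get('query') or e.get('host') or '').lower()
        if e['type'] == 'dns' and host in IP_LOOKUP_HOSTS:
            hit['ip_lookup'] = True
        elif e['type'] == 'file_create' and in_programdata(e['path']) and PureWindowsPath(e['path']).suffix.lower() in MAGIC:
            hit['staged_file'] = True    # weak on its own: legitimate software drops images here too
        elif e['type'] in ('dns', 'connect') and host in EXFIL_HOSTS:
            hit['exfil_contact'] = True
    return stages


def flagged(events):
    '''Pids that show the full sequence; a single stage is only a hunting lead.'''
    return sorted(pid for pid, hit in chain_hits(events).items() if all(hit.values()))


SAMPLE_EVENTS = [   # constructed event stream, not real telemetry
    {'type': 'process_create', 'pid': 4242, 'image': 'C:/Users/Public/Office.exe'},
    {'type': 'dns', 'pid': 4242, 'query': 'api.ipify.org'},
    {'type': 'file_create', 'pid': 4242, 'path': 'C:/ProgramData/kaosdma.png'},
    {'type': 'dns', 'pid': 4242, 'query': 'adverting-cdn.com'},
    {'type': 'connect', 'pid': 4242, 'host': 'adverting-cdn.com', 'dst_ip': '213.252.246.23'},
    {'type': 'file_create', 'pid': 900, 'path': 'C:/ProgramData/SomeVendor/logo.png'},   # benign noise
]

if __name__ == '__main__':
    print(disguised_image('C:/ProgramData/kaosdma.png', b'203.0.113.7'))
    print(chain_hits(SAMPLE_EVENTS))
    print(flagged(SAMPLE_EVENTS))
```

An image write under ProgramData is routine for legitimate software, so flagged only reports a process that shows all three stages; the single-stage hits are what a hunt query would pivot on, and disguised_image is the check to run once the staged file itself has been collected.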
Although “commodity” in the sense that they are available for purchase in criminal markets, this very accessibility to multiple parties means such malware could be employed by any entity willing to pay.\r\nAn abbreviated analysis of competing hypotheses rests on the following observations from this campaign:\r\n- Use of JNLP files as initial payloads leading to follow-on code execution and file retrieval.\r\n- Further use of JAR files loading both a malicious executable and a decoy document to evade user detection.\r\n- Deployment of likely commodity malware, such as an AZORULT variant, of a kind available for purchase in underground or criminal markets.\r\n- Relatively brief (late October through mid-November) but very focused campaign characteristics, given the specific spoofing of WHO-related activity.\r\n- WHO-specific infrastructure, as well as “office-pulgin” and their hosting servers, is identified only in relation to this campaign.\r\n- Other, final-stage campaign infrastructure—notably the “adverting-cdn” domain—is common across multiple incidents, none of which appear related to the WHO or similar entities.\r\nFrom these observations, three general hypotheses emerge:\r\n1. The activity in question recycles existing criminal techniques and behaviors to monetize (through credential theft or preparation for ransomware infection) healthcare and related sector targets.\r\n2. The activity represents an immature intelligence-directed entity leveraging “off-the-shelf,” purchasable tools to facilitate operations for unknown espionage purposes.\r\n3. The identified campaign is the work of a savvy state-directed operator deliberately combining commodity tooling with specific targeting to evade analysis and attribution.\r\nUnfortunately, the evidence available from the current campaign is insufficient to favor any of the three possibilities above. 
DomainTools cannot, with currently available information, associate the activity described with any known, tracked entity at this time. DomainTools will continue to monitor this activity and provide updates as they are available.\r\nConclusion\r\nWhen a new domain is created, its functionality may not be readily apparent. Even if a domain does not resolve to a webpage or resource, or simply forwards HTTP traffic to a legitimate site, it may still retain functionality through other services and protocols. As observed in this activity, a suspicious domain yielded indicators of likely phishing activity even though the domain appeared inactive. Further investigation with partner organizations yielded additional information that uncovered activity mimicking the WHO during a worldwide health crisis. Although this campaign cannot be linked to any specific, known threat at this time, the activity in question is very interesting from the standpoint of technical analysis, and shows the merits of dogged research and analysis of suspicious network indicators.\r\nIOCs\r\nNetwork Indicators\r\nDomain | Date Created | Registrar | Registrant Email | Name Server | IP Address | Hosting Provider\r\nadverting-cdn[.]com | 29 Oct 2020 | PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM | [email protected] | bacloud.com | 213.252.246[.]23 | BA Cloud\r\neuropean-who[.]com | 29 Oct 2020 | PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM | [email protected] | bacloud.com | 91.216.163[.]179 | Informacines Sistemos IR Technologijos UAB\r\nhealth-world-org[.]com | 13 Nov 2020 | PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM | [email protected] | bacloud.com | 89.41.26[.]78 | M247\r\noffice-pulgin[.]com | 30 Sep 2020 | PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM | [email protected] | bacloud.com | 88.119.170[.]2 | Informacines Sistemos IR Technologijos UAB\r\nwho-international[.]com | 20 Oct 2020 | PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM | [email protected] | bacloud.com | 89.41.26[.]78 | M247\r\nHost Indicators\r\nFile Name | SHA256 | Description\r\noffice.exe | 05d3a35cacf882e34b8433037ad7a9b292fcb2b08439823e4724add4ceacb665 | Executable payload and information stealer.\r\nwho_month_report.doc | 77641bee068b0da858ff58be753653a1cd3263115ab9d7d248e7bbcdcc65548f | Decoy document.\r\nWHO_Report.jar | 98beba8a22b5f579b89cac0a1a35a254ae81488fb549481506f20983e720c5b1 | First-stage payload leading to executable.\r\nSource: https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign"
	],
	"report_names": [
		"identifying-network-infrastructure-related-to-a-who-spoofing-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43909669d38d35010440eb203a6b912696b19056.pdf",
		"text": "https://archive.orkl.eu/43909669d38d35010440eb203a6b912696b19056.txt",
		"img": "https://archive.orkl.eu/43909669d38d35010440eb203a6b912696b19056.jpg"
	}
}