{
	"id": "645d5bd1-38cc-4ffd-b2cc-85a1744716c7",
	"created_at": "2026-04-06T00:22:23.312255Z",
	"updated_at": "2026-04-10T03:21:16.480492Z",
	"deleted_at": null,
	"sha1_hash": "bc8871ecebd522dfdcd508a49507460d188ec4e7",
	"title": "What tracking an attacker email infrastructure tells us about persistent cybercriminal operations | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 569851,
	"plain_text": "What tracking an attacker email infrastructure tells us about persistent cybercriminal operations | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-02-01 · Archived: 2026-04-05 15:51:16 UTC\r\nFrom March to December 2020, we tracked segments of a dynamically generated email infrastructure that attackers used to send more than a million emails per month, distributing at least seven distinct malware families in dozens of campaigns using a variety of phishing lures and tactics. These campaigns aimed to deploy malware on target networks across the world, with notable concentration in the United States, Australia, and the United Kingdom. Attackers targeted the wholesale distribution, financial services, and healthcare industries.\r\nBy tracing these campaigns, we uncovered a sprawling infrastructure that is robust enough to seem legitimate to many mail providers, while flexible enough to allow the dynamic generation of new domain names and remain evasive. Shared IP space, domain generation algorithm (DGA) patterns, subdomains, registration metadata, and signals from the headers of malicious emails enabled us to validate our research through overlaps in campaigns where attackers utilized multiple segments of purchased, owned, or compromised infrastructure. Using the intelligence we gathered on this infrastructure, we were at times able to predict how a domain was going to be used even before campaigns began.\r\nThis email infrastructure and the malware campaigns that use it exemplify the increasing sophistication of cybercriminal operations, driven by attackers who are motivated to use malware infections for more damaging, potentially more lucrative attacks. 
In fact, more recent campaigns that utilized this infrastructure distributed malware families linked to follow-on human-operated attacks, including campaigns that deployed DoppelPaymer, Makop, Clop, and other ransomware families.\r\nOur deep investigation into this infrastructure brings to light these important insights about persistent cybercriminal operations:\r\nTracking an email infrastructure surfaces patterns in attacker activity, bubbling up common elements in seemingly disparate campaigns\r\nAmong domains that attackers use for sending emails, distributing malware, or command-and-control, the email domains are the most likely to share basic registration similarities and more likely to use DGA\r\nMalware services rely on proxy providers to make tracking and attribution difficult, but the proxies themselves can provide insights into upcoming campaigns and improve our ability to proactively protect against them\r\nGaining intelligence on email infrastructures enables us to build or improve proactive and comprehensive protections like those provided by Microsoft Defender for Office 365 to defend against some of the world’s most active malware campaigns\r\nWhile there is existing in-depth research into some of these specific campaigns, in this blog we’ll share more findings and details on how email distribution infrastructures drive some of the most prevalent malware operations today. Our goal is to provide important intelligence that hosting providers, registrars, ISPs, and email protection services can use and build on to protect customers from the threats of today and the future. 
We’ll also share insights and context to empower security researchers and customers to take full advantage of solutions like Microsoft Defender for Office 365 to perform deep investigation and hunting in their environment and make their organizations resilient against attacks.\r\nThe role of for-sale infrastructure services in the threat ecosystem\r\nWe spotted the first segment of the infrastructure in March, when multiple domains were registered using distinct naming patterns, including the heavy use of the word “strange”, inspiring the name StrangeU. In April, a second segment of the infrastructure, one that used a domain generation algorithm (DGA), began registration as well. We call this segment RandomU.\r\nhttps://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/\r\nPage 1 of 14\n\nThe emergence of this infrastructure in March dovetailed with the disruption of the Necurs botnet that resulted in the reduction of service. Before being disrupted, Necurs was one of the world’s largest botnets and was used by prolific malware campaign operators such as those behind Dridex. For-sale services like Necurs enable attackers to invest in malware production while leasing the delivery components of their activities to further obfuscate their behavior. The StrangeU and RandomU infrastructure appears to fill the service gap that the Necurs disruption created, proving that attackers are highly motivated to quickly adapt to temporary interruptions to their operations.\r\nFigure 1. Timeline of staging and utilization of the email infrastructure\r\nAt first, the new email infrastructure was used infrequently in campaigns that distributed highly commodity malware like Mondfoxia and Makop. 
Soon, however, it attracted the attention of Dridex and Trickbot operators, who began using the infrastructure for portions of their campaigns, sometimes entirely and sometimes mixed with other compromised infrastructure or email providers.\r\nAnalyzing these mail clusters provides insight into how human the tangled web of modular attacker infrastructure remains. From unifying key traits in registration and behavior to the simple and effective techniques that the wide variety of malware uses, attackers’ goals in this diversification point toward combating automated analysis. However, these same shared characteristics and methods translate to insights that inform resilient protections that defend customers against these attacks.\r\nDomain registration and email infrastructure staging\r\nOn March 7, 2020, attackers began registering a series of domains with Namecheap using sets of stolen email addresses, largely from free email services like mail.com, mail.ru, list.ru, and others. These domains all had similar characteristics that could be linked back to various similarities in registration. Almost all of the registered domains contained the word “strange” and were under the .us TLD, hence the name StrangeU. The use of the .us TLD ruled out domain or WHOIS privacy services—often used to obfuscate domain ownership and provenance—because they are prohibited for this TLD.\r\nTo circumvent tracking and detection of these domains, attackers used false registration metadata. However, there was heavy crossover in the fake names and email addresses, allowing us to find additional domain names, some of which could be tied together using other keywords as shown in the list below, and fingerprint the domain generation mechanism.\r\nThe StrangeU domains were registered in early March 2020 and operated in continuous small bursts until April, when they were used for a large ransomware campaign. 
Following that, a new campaign occurred fairly regularly every few weeks. Registration of new domains continued throughout the year, and in September, the StrangeU infrastructure was used in conjunction with a similar infrastructure to deliver Dridex, after which these domains were used less frequently.\r\nThis second mailing segment, RandomU, employed a different DGA mechanism but still utilized Namecheap and showed a more consistent through line of registration metadata than its StrangeU counterpart. This infrastructure, which surfaced in April, was used infrequently through the spring, with a surge in May and July. After the Dridex campaign in September in which it was used along with StrangeU, it has been used in two large Dridex campaigns every month.\r\nFigure 2. Common patterns in domains belonging to the email infrastructure\r\nThe StrangeU and RandomU segments of domains paint a picture of supplementing modular mailing services that allowed attackers to launch region-specific and enterprise-targeting attacks at scale, delivering over six million emails. The two segments contained a standard barrage of mailing subdomains, with over 60 unique subdomains referencing email across clusters, consistent with each other, with each domain having four to five subdomains. 
The following is a sample of malware campaigns, some of which we discuss in detail in succeeding sections, that we observed this infrastructure was used for:\r\nKorean spear-phishing campaigns that delivered Makop ransomware in April and June\r\nEmergency alert notifications that distributed Mondfoxia in April\r\nBlack Lives Matter lure that delivered Trickbot in June\r\nDridex campaign delivered through StrangeU and other infra from June to July\r\nDofoil (SmokeLoader) campaign in August\r\nEmotet and Dridex activities in September, October, and November\r\nFigure 3. Timeline of campaigns that used StrangeU and RandomU domains\r\nKorean spear-phishing delivers Makop ransomware (April and June 2020)\r\nIn early April, StrangeU was used to deliver the Makop ransomware. The emails were sent to organizations that had major business operations in Korea and used names of Korean companies as display names. Signals from Microsoft Defender for Office 365 indicated that these campaigns ran in short bursts.\r\nThe emails had .zip attachments containing executables with file names that resembled resumes from job seekers. Once a user opened the attachments, the executables delivered Makop, a ransomware-as-a-service (RaaS) payload that targeted devices and backups.\r\nUpon infection, the malware quickly used the WMI command-line (WMIC) utility and deleted shadow copies. 
It then used the BCDEdit tool and altered the boot configuration to ignore future failures and prevent restoration before encrypting all files and renaming them with .makop extensions.\r\nThe second time we observed the campaign almost two months later, in early June, the attackers used a Makop ransomware variant with many modified elements, including added persistence via scripts in the Startup folder before triggering a reboot.\r\nNearly identical attempts to deliver Makop using resume-based lures were covered by Korean security media during the entire year, using popular mail services through legitimate vendors like Naver and Hanmail. This could indicate that during short bursts the Makop operators were unable to launch their campaigns through legitimate services and had to move to alternate infrastructures like StrangeU instead.\r\nBlack Lives Matter lure delivers Trickbot (June 2020)\r\nOne campaign associated with the StrangeU infrastructure gained notoriety in mid-June for its lure as well as for delivering the notorious info-stealing malware Trickbot. This campaign circulated emails with malicious Word documents claiming to seek anonymous input on the Black Lives Matter movement.\r\nAn initial version of this campaign was observed on June 10 sending emails from a separate, unique attacker-owned mailing infrastructure using .monster domains. 
However, in the next iteration almost two weeks later, the campaign delivered emails from various domains specifically created with the Black Lives Matter signage, interspersed with StrangeU domains:\r\nb-lives-matter[.]site\r\nblivesm[.]space\r\nblivesmatter[.]site\r\nlives-matter-b[.]xyz\r\nwhoslivesmatter[.]site\r\nlives-m-b[.]xyz\r\nereceivedsstrangesecureworld[.]us\r\nb-l-m[.]site\r\nBoth campaigns carried the same Trickbot payload, operated for two days, and used identical post-execution commands and callouts to compromised WordPress sites.\r\nOnce a user opened the document attachment and enabled the malicious macro, Word launched cmd.exe with the command “/c pause” to evade security tools that monitored for successive launches of multiple processes. It then launched commands that deleted proxy settings in preparation for connecting to multiple C2 IP addresses.\r\nFigure 4. Screenshot of the malicious document used to deliver Trickbot\r\nThe commands also launched rundll32.exe, a native binary commonly used as a living-off-the-land binary, to load a malicious file in memory. The commandeered rundll32.exe also proceeded to perform other tasks using other living-off-the-land binaries, including wermgr.exe and svchost.exe.\r\nIn turn, the hijacked wermgr.exe process dropped a file with a .dog extension that appeared to be the Trickbot payload. The same instance of wermgr.exe then appeared to inject code into svchost.exe and scanned for open SMB ports on other devices. The commandeered svchost.exe used WMI to open connections to additional devices on the network, while continuing to collect data from the initial infected device. 
It also opened multiple browsers on localhost connections to capture browser history and other information via esentutl.exe and grabber_temp.edb, both of which are often used by the Trickbot malware family.\r\nThis campaign overwhelmingly targeted corporate accounts in the United States and Canada and avoided individual accounts. Despite heavy media coverage, this campaign was relatively small, reflecting a common behavior among cybercrime groups, which often run multiple, dynamic low-volume campaigns designed to evade resilient detection.\r\nDridex campaigns big and small (June to July 2020 and beyond)\r\nFrom late June through July, Dridex operators ran numerous campaigns that distributed Excel documents with malicious macros to infect devices. These operators first delivered emails through the StrangeU infrastructure only, but they quickly started to use compromised email accounts of legitimate organizations as well, preventing defenders from easily blocking deliveries. Despite this, emails from either StrangeU or the compromised accounts had overlapping attributes. For example, many of the emails used the same Reply-To addresses, which were sourced from compromised individual accounts and were not consistent with the sender addresses.\r\nDuring the bulk of this run, Excel files were attached directly in the email in order to eventually pull the Dridex payload from .xyz domains such as those below. The attackers changed the delivery domains every few days and connected to IP-based C2s on familiar ports like 4664, 3889, 691, and 8443:\r\nyumicha[.]xyz\r\nrocesi[.]xyz\r\nsecretpath[.]xyz\r\nguruofbullet[.]xyz\r\nGreyzone[.]xyz\r\nWhen opened, the Excel document installed one of a series of custom Dridex executables downloaded from the attacker C2 sites. 
Like most variants in this malware family, the custom Dridex executables incorporated code loops, time delays, and environment detection mechanisms that evaded numerous public and enterprise sandboxes.\r\nDridex is known for its capability to perform credential theft and establish connectivity to attacker infrastructure. In this instance, the same Dridex payload was circulated daily using varying lures, often repeatedly to the same organizations to ensure execution on target networks.\r\nDuring the longer and more stable Excel Dridex campaigns in June and July, a Dridex variant was also distributed in much smaller quantities utilizing Word documents over a one-day period, perhaps testing new evasion techniques. These Word documents, while still delivering Dridex, improved existing obfuscation methods using a unique combination of VBA stomping and replacing macros and function calls with arbitrary text. In a few samples of these documents, we found text from Shakespearean prose.\r\nvar farewell_and_moon = [\"m\",\"a\",\"e\",\"r\",\"t\",\"s\",\".\",\"b\",\"d\",\"o\",\"d\",\"a\"].reverse().join(\"\")\r\na_painted_word(120888)\r\nfunction as_thy_face(takes_from_hamlet)\r\n{return new ActiveXObject(takes_from_hamlet)}\r\nWhile Microsoft researchers didn’t observe this portion of the campaign moving into the human-operated phase—targets did not open the attachment—this campaign was likely to introduce tools like PowerShell Empire or Cobalt Strike to steal credentials, move laterally, and deploy ransomware.\r\nEmotet, Dridex, and the RandomU infrastructure (September and beyond)\r\nDespite an errant handful of deliveries distributing Dofoil (also known as SmokeLoader) and other malware, the vast majority of the remaining deliveries through StrangeU have been Dridex campaigns that recurred every few weeks for a handful of days at a time. 
These campaigns started on September 7, when RandomU and StrangeU were notably used in a single campaign, after which StrangeU began to see less utilization.\r\nThese Dridex campaigns utilized an Emotet loader and initial infrastructure for hosting, allowing the attackers to conduct a highly modular email campaign that delivered multiple distinct links to compromised domains. These domains employed heavy sandbox evasion and were connected by a series of PHP patterns ending in a small subset of options: zxlbw.php, yymclv.php, zpsxxla.php, or app.php. As the campaigns continued, the PHP was dynamically generated, adding other variants, including vary.php, invoice.php, share.php, and many others. Some examples are below.\r\nhxxps://molinolafama[.]com[.]mx/app[.]php\r\nhxxps://meetingmins[.]com/app[.]php\r\nhxxps://contrastmktg[.]com/yymclv[.]php\r\nhxxps://idklearningcentre[.]com[.]ng/zxlbw[.]php\r\nhxxps://idklearningcentre[.]com[.]ng/zpsxxla[.]php\r\nhxxps://idklearningcentre[.]com[.]ng/yymclv[.]php\r\nhxxps://hsa[.]ht/yymclv[.]php\r\nhxxps://hsa[.]ht/zpsxxla[.]php\r\nhxxps://hsa[.]ht/zxlbw[.]php\r\nhxxps://contrastmktg[.]com/yymclv[.]php\r\nhxxps://track[.]topad[.]co[.]uk/zpsxxla[.]php\r\nhxxps://seoemail[.]com[.]au/zxlbw[.]php\r\nhxxps://bred[.]fr-authentification-source-no[.]inaslimitada[.]com/zpsxxla[.]php\r\nhxxp://www[.]gbrecords[.]london/zpsxxla[.]php\r\nhxxp://autoblogsite[.]com/zpsxxla[.]php\r\nhxxps://thecrossfithandbook[.]com/zpsxxla[.]php\r\nhxxps://mail[.]168vitheyrealestate[.]com/zpsxxla[.]php\r\nIn this campaign, sandboxes were frequently redirected to unrelated sites like chemical manufacturers or medical suppliers, while users received an Emotet downloader within a Word document, which once again used macros to facilitate malicious activities.\r\nFigure 5. 
Screenshot of the malicious document used to deliver Dridex\r\nThe malicious macro utilized WMI to run a series of standard PowerShell commands. First, it downloaded the executable payload itself by contacting a series of C2 domains associated with Emotet campaigns since July. Afterward, additional encoded PowerShell commands were used in a similar fashion to download a .zip file that contained a Dridex DLL. Additional commands also reached out to a variety of Emotet infrastructure hosted on compromised WordPress administrative pages, even after the Dridex payload had already been downloaded. Dridex then modified Run keys so that the Dridex executable, renamed to riched20.exe, started automatically on subsequent logons.\r\nWe also observed simultaneous connections to associated Dridex and Emotet infrastructure. These connections were largely unencrypted and occurred over a variety of ports and services, including ports 4664 and 9443. At this point the malware had firm presence on the machine, enabling attackers to perform human-operated activity at a later date.\r\nIn the past, reports have confirmed Dridex being delivered via leased Emotet infrastructure. There have also been many IP and payload-based associations. This research adds to that body of work and confirms additional associations via namespace, as well as correlation of email lure, metadata, and sender. This iteration of the campaign repeated through October to December largely unchanged with nearly identical mails.\r\nDefending organizations against malware campaigns\r\nAs attacks continue to grow in modularity, the tactics that attackers use to deliver phishing email, gain initial access on systems, and move laterally will continuously become more varied. 
This research shows that despite these disparities and the increased resiliency attackers have built, the core tactics and tools that they use are still limited in scope, relying repeatedly on familiar malicious macros, lures, and sending tactics.\r\nSweeping research into massive attacker infrastructures, as well as our real-time monitoring of malware campaigns and attacker activity, directly informs Microsoft security solutions, allowing us to build or improve protections that block malware campaigns and other email threats, both current and future, as well as provide enterprises with the tools for investigating and responding to email campaigns in real time.\r\nMicrosoft delivers these capabilities through Microsoft Defender for Office 365. Features like Safe Attachments and Safe Links ensure real-time, dynamic protection against email campaigns no matter the lure or evasion tactic. These features use a combination of detonation, automated analysis, and machine learning to detect new and unknown threats. Meanwhile, the Campaign view shows the complete picture of email campaigns as they happen, including timelines, sending patterns, impact to the organization, and details like IP addresses, senders, and URLs. 
These insights into email threats empower security operations teams to respond to attacks, perform additional hunting, and fix configuration issues.\r\nArmed with an advanced solution like Microsoft Defender for Office 365 and the rest of the technologies in the broader Microsoft 365 Defender solution, enterprises can further increase resilience against threats by following these recommendations:\r\nEducate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email, and reporting reconnaissance attempts and other suspicious activity.\r\nConfigure Office 365 email filtering settings to ensure blocking of phishing \u0026 spoofed emails, spam, and emails with malware. Set Office 365 to recheck links on click and delete sent mail to benefit from newly acquired threat intelligence.\r\nDisallow macros or allow only macros from trusted locations. See the latest security baselines for Office and Office 365.\r\nTurn on AMSI for Office VBA.\r\nCheck perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Turn on network protection to block connections to malicious domains and IP addresses. Such restrictions help inhibit malware downloads and command-and-control activity.\r\nTurning on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications, also significantly improves defenses. 
The following rules are especially useful in blocking the techniques observed in campaigns using the StrangeU and RandomU infrastructure:\r\nBlock executable content from email client and webmail\r\nBlock all Office applications from creating child processes\r\nBlock Office applications from creating executable content\r\nBlock Office applications from injecting code into other processes\r\nBlock Win32 API calls from Office macros\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nBlock JavaScript or VBScript from launching downloaded executable content\r\nBlock execution of potentially obfuscated scripts\r\nMicrosoft 365 customers can also use the advanced hunting capabilities in Microsoft 365 Defender, which integrates signals from Microsoft Defender for Office 365 and other solutions, to locate activities and artifacts related to the infrastructure and campaigns discussed in this blog. These queries can be used with advanced hunting in Microsoft 365 security center, but the same regex pattern can be used on other security tools to identify or block emails.\r\nThis query searches for emails sent from StrangeU email addresses. 
\r\nEmailEvents\r\n| where SenderMailFromDomain matches regex @\"^(?:eraust|ereply|reply|ereceived|received|reaust|esend|inv|send|emailboost|eontaysstrange|eprop|frost|eont|servic\r\n(strange|stange|emailboost).*\\.us$\"\r\nor SenderFromDomain matches regex @\"^(?:eraust|ereply|reply|ereceived|received|reaust|esend|inv|send|emailboost|eontaysstrange|eprop|frost|eont|ser\r\nLearn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.\r\nAdditional resources\r\nListen to Episode 19 of the Security Unlocked podcast, where threat analyst Elif Kaya speaks about this email infrastructure\r\nWatch this Microsoft 365 Defender webinar about this research:\r\nhttps://youtube.com/watch?v=scrs5Z0nsCk%3Ffeature%3Doembed\r\nIndicators of compromise\r\nStrangeU domains\r\nesendsstrangeasia[.]us sendsstrangesecuretoday[.]us emailboostgedigital[.]us\r\nemailboostgelife[.]us emailboostgelifes[.]us emailboostgesecureasia[.]us\r\neontaysstrangeasia[.]us eontaysstrangenetwork[.]us eontaysstrangerocks[.]us\r\neontaysstrangesecureasia[.]us epropivedsstrangevip[.]us ereplyggstangeasia[.]us\r\nereplyggstangedigital[.]us ereplyggstangeereplys[.]us ereplyggstangelifes[.]us\r\nereplyggstangenetwork[.]us ereplyggstangesecureasia[.]us frostsstrangeworld[.]us\r\nservicceivedsstrangevip[.]us servicplysstrangeasia[.]us servicplysstrangedigital[.]us\r\nservicplysstrangelife[.]us servicplysstrangelifes[.]us servicplysstrangenetwork[.]us\r\nereceivedsstrangesecureworld[.]us ereceivedsstrangetoday[.]us ereceivedsstrangeus[.]us\r\nesendsstrangesecurelife[.]us sendsstrangesecureesendss[.]us ereplysstrangesecureasia[.]us\r\nereplysstrangesecurenetwork[.]us receivedsstrangesecurelife[.]us ereplysstrangeworld[.]us\r\nreauestysstrangesecurelive[.]us 
ereceivedsstrangeworld[.]us esendsstrangesecurerocks[.]us\r\nreauestysstrangesecuredigital[.]us reauestysstrangesecurenetwork[.]us reauestysstrangesecurevip[.]us\r\nreplysstrangesecurelife[.]us ereauestysstrangesecurerocks[.]us ereceivedsstrangeasia[.]us\r\nereceivedsstrangedigital[.]us ereceivedsstrangeereceiveds[.]us ereceivedsstrangelife[.]us\r\nereceivedsstrangelifes[.]us ereceivedsstrangenetwork[.]us ereceivedsstrangerocks[.]us\r\nereceivedsstrangesecureasia[.]us receivedsstrangeworld[.]us replysstrangedigital[.]us\r\ninvdeliverynows[.]us esendsstrangesecuredigital[.]us esendsstrangesecureworld[.]us\r\nsendsstrangesecurenetwork[.]us ereceivedsstrangevip[.]us replysstrangerocs[.]us\r\nreplysstrangesecurelive[.]us invpaymentnoweros[.]us invpaymentnowes[.]us\r\nreplysstrangeracs[.]us reauestysstrangesecurebest[.]us receivedsstrangesecurebest[.]us\r\nreauestysstrangesecurelife[.]us ereplysstrangevip[.]us reauestysstrangesecuretoday[.]us\r\nereplysstrangesecureus[.]us ereplysstrangetoday[.]us ereceivedsstrangesecuredigital[.]us\r\nereceivedsstrangesecureereceiveds[.]us ereceivedsstrangesecurelife[.]us ereceivedsstrangesecurenetwork[.]us\r\nereceivedsstrangesecurerocks[.]us ereceivedsstrangesecureus[.]us ereceivedsstrangesecurevip[.]us\r\nsendsstrangesecurebest[.]us sendsstrangesecuredigital[.]us sendsstrangesecurelive[.]us\r\nsendsstrangesecureworld[.]us esendsstrangedigital[.]us esendsstrangeesends[.]us\r\nesendsstrangelifes[.]us esendsstrangerocks[.]us esendsstrangesecureasia[.]us\r\nesendsstrangesecureesends[.]us esendsstrangesecurenetwork[.]us esendsstrangesecureus[.]us\r\nhttps://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/\r\nPage 9 of 14\n\nesendsstrangesecurevip[.]us esendsstrangevip[.]us ereauestysstrangesecureasia[.]us\r\nereplysstrangeasia[.]us ereplysstrangedigital[.]us ereplysstrangeereplys[.]us\r\nereplysstrangelife[.]us ereplysstrangelifes[.]us 
ereplysstrangenetwork[.]us\r\nereplysstrangerocks[.]us ereplysstrangesecuredigital[.]us ereplysstrangesecureereplys[.]us\r\nereplysstrangesecurelife[.]us ereplysstrangesecurerocks[.]us ereplysstrangesecurevip[.]us\r\nereplysstrangesecureworld[.]us ereplysstrangeus[.]us reauestysstrangesecureclub[.]us\r\nreauestysstrangesecureereauestyss[.]us reauestysstrangesecureworld[.]us receivedsstrangesecureclub[.]us\r\nreceivedsstrangesecuredigital[.]us receivedsstrangesecureereceivedss[.]us receivedsstrangesecurelive[.]us\r\nreceivedsstrangesecurenetwork[.]us receivedsstrangesecuretoday[.]us receivedsstrangesecurevip[.]us\r\nreceivedsstrangesecureworld[.]us replysstrangesecurebest[.]us replysstrangesecureclub[.]us\r\nreplysstrangesecuredigital[.]us replysstrangesecureereplyss[.]us replysstrangesecurenetwork[.]us\r\nreplysstrangesecuretoday[.]us replysstrangesecurevip[.]us replysstrangesecureworld[.]us\r\nsendsstrangesecurevip[.]us esendsstrangelife[.]us esendsstrangenetwork[.]us\r\nesendsstrangetoday[.]us esendsstrangeus[.]us esendsstrangeworld[.]us\r\nsendsstrangesecureclub[.]us sendsstrangesecurelife[.]us plysstrangelifes[.]us\r\nintulifeinoi[.]us replysstrangerocks[.]us invpaymentnowe[.]us\r\nreplysstrangelifes[.]us replysstrangenetwork[.]us invdeliverynowr[.]us\r\nereceivedggstangevip[.]us ereplyggstangerocks[.]us servicceivedsstrangeworld[.]us\r\nservicplysstrangesecureasia[.]us servicplysstrangeservicplys[.]us emailboostgeasia[.]us\r\nemailboostgeereplys[.]us emailboostgenetwork[.]us emailboostgerocks[.]us\r\neontaysstrangedigital[.]us eontaysstrangeeontays[.]us eontaysstrangelife[.]us\r\neontaysstrangelifes[.]us epropivedsstrangeworld[.]us ereceivedggstangeworld[.]us\r\nereplyggstangelife[.]us frostsstrangevip[.]us servicplysstrangerocks[.]us\r\ninvdeliverynow[.]us invpaymentnowlife[.]us invdeliverynowes[.]us\r\ninvpaymentnowwork[.]us replysstrangedigitals[.]us replysstrangelife[.]us\r\nreplysstrangelifee[.]us replystrangeracs[.]us\r\nRandomU 
domains\r\ncnewyllansf[.]us kibintiwl[.]us planetezs[.]us sakgeldvi[.]us\r\nrdoowvaki[.]us kabelrandjc[.]us wembaafag[.]us postigleip[.]us\r\njujubugh[.]us honidefic[.]us utietang[.]us scardullowv[.]us\r\nvorlassebv[.]us jatexono[.]us vlevaiph[.]us bridgetissimema[.]us\r\nhttps://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/\r\nPage 10 of 14\n\nschildernjc[.]us francadagf[.]us strgatibp[.]us jelenskomna[.]us\r\nprependerac[.]us oktagonisa[.]us enjaularszr[.]us opteahzf[.]us\r\nskaplyndiej[.]us dirnaichly[.]us kiesmanvs[.]us gooitounl[.]us\r\nizvoznojai[.]us kuphindanv[.]us pluienscz[.]us huyumajr[.]us\r\narrutisdo[.]us loftinumkx[.]us ffermwyrzf[.]us hectorfranez[.]us\r\nmunzoneia[.]us savichicknc[.]us nadurogak[.]us raceaddicteg[.]us\r\nmpixiris[.]us lestenas[.]us collahahhaged[.]us enayilebl[.]us\r\nhotteswc[.]us kupakiliayw[.]us deroutarek[.]us pomagatia[.]us\r\nmizbebzpe[.]us firebrandig[.]us univerzamjw[.]us amigosenrutavt[.]us\r\nkafrdaaia[.]us cimadalfj[.]us ubrzanihaa[.]us yamashumiks[.]us\r\njakartayd[.]us cobiauql[.]us idiofontg[.]us hoargettattzt[.]us\r\nencilips[.]us dafanapydutsb[.]us intereqr[.]us chestecotry[.]us\r\ndiegdoceqy[.]us ffwdenaiszh[.]us sterinaba[.]us wamwitaoko[.]us\r\npeishenthe[.]us hegenheimlr[.]us educarepn[.]us ayajuaqo[.]us\r\nimkingdanuj[.]us dypeplayentqt[.]us traktorkaqk[.]us prilipexr[.]us\r\ncollazzird[.]us sentaosez[.]us vangnetxh[.]us valdreska[.]us\r\nmxcujatr[.]us angelqtbw[.]us bescromeobsemyb[.]us hoogametas[.]us\r\nmlitavitiwj[.]us pasgemaakhc[.]us facelijaxg[.]us harukihotarugf[.]us\r\npasosaga[.]us mashimariokt[.]us vodoclundqs[.]us trofealnytw[.]us\r\ncowboyie[.]us dragovanmm[.]us jonuzpura[.]us cahurisms[.]us\r\nleetzetli[.]us jonrucunopz[.]us flaaksik[.]us wizjadne[.]us\r\nzatsopanogn[.]us roblanzq[.]us barbwirelx[.]us givolettoan[.]us\r\ngyfarosmt[.]us zastirkjx[.]us sappianoyv[.]us 
noneedfordayvnb[.]us\r\nandreguidiao[.]us concubinsel[.]us meljitebj[.]us alcalizezsc[.]us\r\nspringenmw[.]us kongovkamev[.]us starlitent[.]us cassineraqy[.]us\r\nariankacf[.]us plachezxr[.]us abulpasastq[.]us scraithehk[.]us\r\nwintertimero[.]us abbylukis[.]us lumcrizal[.]us trokrilenyr[.]us\r\nskybdragonqx[.]us pojahuez[.]us rambalegiec[.]us relucrarebk[.]us\r\nvupardoumeip[.]us punicdxak[.]us vaninabaranaogw[.]us yesitsmeagainle[.]us\r\nupcominge[.]us arwresaub[.]us zensimup[.]us joelstonem[.]us\r\nciflaratzz[.]us adespartc[.]us maaltijdr[.]us acmindiaj[.]us\r\nmempetebyj[.]us itorandat[.]us galenicire[.]us cheldisalk[.]us\r\nzooramawpreahkt[.]us sijamskojoc[.]us fliefedomrr[.]us ascenitianyrg[.]us\r\ntebejavaaq[.]us finnerssshu[.]us slimshortyub[.]us angstigft[.]us\r\navedaviya[.]us aasthakathykh[.]us nesklonixt[.]us drywelyza[.]us\r\npaginomxd[.]us gathesitehalazw[.]us antinodele[.]us ferestat[.]us\r\ntianaoeuat[.]us pogilasyg[.]us mjawxxik[.]us bertolinnj[.]us\r\nauswalzenna[.]us mmmikeyvb[.]us megafonasgc[.]us litnanjv[.]us\r\nboockmasi[.]us andreillazf[.]us vampirupn[.]us lionarivv[.]us\r\nihmbklkdk[.]us okergeeliw[.]us forthabezb[.]us trocetasss[.]us\r\nkavamennci[.]us mipancepezc[.]us infuuslx[.]us dvodomnogeg[.]us\r\nzensingergy[.]us eixirienhj[.]us trapunted[.]us greatfutbolot[.]us\r\nporajskigx[.]us mumbleiwa[.]us cilindrarqe[.]us uylateidr[.]us\r\nsdsandrahuin[.]us trapeesr[.]us trauttbobw[.]us bostiwro[.]us\r\nniqiniswen[.]us ditionith[.]us folseine[.]us zamoreki[.]us\r\nsonornogae[.]us xlsadlxg[.]us varerizu[.]us seekabelv[.]us\r\nnisabooz[.]us pohvalamt[.]us inassyndr[.]us ivenyand[.]us\r\nkarbonsavz[.]us svunturc[.]us babyrosep[.]us aardigerf[.]us\r\nfedrelandx[.]us degaeriah[.]us detidiel[.]us acuendoj[.]us\r\npeludine[.]us impermatav[.]us datsailis[.]us 
melenceid[.]us\r\nbeshinon[.]us dinangnc[.]us fowiniler[.]us laibstadtws[.]us\r\nbischerohc[.]us muctimpubwz[.]us jusidalikan[.]us peerbalkw[.]us\r\nrobesikaton[.]us thabywnderlc[.]us osoremep[.]us krlperuoe[.]us\r\nntarodide[.]us bideoskin[.]us senagena[.]us kelyldori[.]us\r\nkawtriatthu[.]us rbreriaf[.]us enaqwilo[.]us monesine[.]us\r\nonwinaka[.]us yonhydro[.]us siostailpg[.]us bannasba[.]us\r\nmilosnicacz[.]us tunenida[.]us sargasseu[.]us malayabc[.]us\r\nprokszacd[.]us premarketcl[.]us zedyahai[.]us xinarmol[.]us\r\nminttaid[.]us pufuletzpb[.]us nekbrekerdv[.]us ppugsasiw[.]us\r\nkatarkamgm[.]us kyraidaci[.]us falhiblaqv[.]us lisusant[.]us\r\nmameriar[.]us quslinie[.]us nirdorver[.]us trocairasec[.]us\r\npochwikbz[.]us ingykhat[.]us okrzynjf[.]us razsutegayl[.]us\r\ndimbachzx[.]us buchingmc[.]us iessemda[.]us fatarelliqi[.]us\r\nefetivumd[.]us vdevicioik[.]us klumppwha[.]us stefiensi[.]us\r\ndonetzbx[.]us wetafteto[.]us denementnd[.]us cyllvysr[.]us\r\nviweewmokmt[.]us destescutyi[.]us craulisrt[.]us maggiebagglesxt[.]us\r\nyawapasaqi[.]us spimilatads[.]us paseadoryy[.]us apageyantak[.]us\r\nmagicofaloeaj[.]us prefatoryhe[.]us statvaiq[.]us piketuojaqk[.]us\r\nmushipotatobt[.]us suergonugoy[.]us gummiskoxt[.]us torunikc[.]us\r\nadoleishswn[.]us rovljanie[.]us ivicukfa[.]us vajarelliwe[.]us\r\nburksuit[.]us adoraableio[.]us bassettsz[.]us chevyguyxq[.]us\r\nlunamaosa[.]us telemovelmi[.]us pimptazticui[.]us posteryeiq[.]us\r\nmiriamloiso[.]us salahlekajl[.]us inveshilifj[.]us alquicelbi[.]us\r\nhitagjafirt[.]us ohatranqm[.]us scosebexgofxu[.]us vivalasuzyygb[.]us\r\nlugleeghp[.]us alicuppippn[.]us wedutuanceseefv[.]us abnodobemmn[.]us\r\nzajdilxtes[.]us inhaltsqxw[.]us rejtacdat[.]us contunaag[.]us\r\npitajucmas[.]us delopezmc[.]us donjimafx[.]us iheartcoxlc[.]us\r\nrommelcrxgi[.]us 
jorguetky[.]us jadesellvb[.]us fintercentrosfs[.]us\r\nralbarix[.]us kynnirinnty[.]us bibulbio[.]us aspazjagh[.]us\r\ngleboqrat[.]us tensinory[.]us usitniterx[.]us zaretkyui[.]us\r\nhentugustqy[.]us surigatoszuk[.]us nitoeranybr[.]us spitzkopuo[.]us\r\npodkarpatruszz[.]us milfincasqo[.]us datatsbjew[.]us changotme[.]us\r\nlosbindebt[.]us ninjachuckvb[.]us desfadavacp[.]us potkazatiun[.]us\r\nsernakct[.]us razmersat[.]us purtinaah[.]us ampiovfa[.]us\r\ndurstinyskv[.]us kreukenct[.]us shinanyavc[.]us kolaryta[.]us\r\nyangtsekk[.]us voyagedeviema[.]us elblogdelld[.]us utiligijc[.]us\r\npeaplesokqo[.]us jenggoteq[.]us dogliairler[.]us kandizifb[.]us\r\nflunkmasteraz[.]us clewpossejj[.]us hymgaledaja[.]us gmckayar[.]us\r\nfagordul[.]us pnendickhs[.]us arrogede[.]us stilenii[.]us\r\ncafelireao[.]us poishiuuz[.]us nonfunccoupyo[.]us madrigalbta[.]us\r\ntarad[.]us sarahcp[.]us wickyjr[.]us ghadrn[.]us\r\nsirvond[.]us qumarta[.]us verow[.]us mondeki[.]us\r\nlirana[.]us niarvi[.]us belena[.]us qucono[.]us\r\nulianag[.]us lenut[.]us shivave[.]us jendone[.]us\r\nseddauf[.]us jarare[.]us uchar[.]us ealesa[.]us\r\nwyoso[.]us marnde[.]us thiath[.]us aulax[.]us\r\nbobelil[.]us jestem[.]us detala[.]us phieyen[.]us\r\nannazo[.]us dilen[.]us jelan[.]us ipedana[.]us\r\nkeulsph[.]us ztereqm[.]us rinitan[.]us natab[.]us\r\nharitol[.]us ricould[.]us lldra[.]us miniacs[.]us\r\nzahrajr[.]us cayav[.]us pheduk[.]us qugagad[.]us\r\ndehist[.]us letama[.]us mencyat[.]us vindae[.]us\r\nuranc[.]us handil[.]us galezay[.]us bamerna[.]us\r\nyllyn[.]us ckavl[.]us ilalie[.]us daellee[.]us\r\ncuparoc[.]us zelone[.]us burnile[.]us uloryrt[.]us\r\nshexo[.]us phalbe[.]us hanolen[.]us lorria[.]us\r\nbeten[.]us xuserye[.]us iclelan[.]us cwokas[.]us\r\nvesic[.]us ontolan[.]us wajdana[.]us telama[.]us\r\nmissani[.]us usinaye[.]us ertanom[.]us 
kericex[.]us\r\ndenaga[.]us tyderq[.]us seliza[.]us kinnco[.]us\r\nqurtey[.]us arzenitlu[.]us vellpoildzu[.]us keityod[.]us\r\nltangerineldf[.]us lizergidft[.]us serrucheah[.]us lolricelolad[.]us\r\nexpiantaszg[.]us hljqfyky[.]us abarrosch[.]us lepestrinynr[.]us\r\nelektroduendevq[.]us waggonbauwh[.]us chaquetzgg[.]us revizijiqa[.]us\r\nziggyiqta[.]us rokenounkaf[.]us lottemanvl[.]us corsetatsvp[.]us\r\nextasiatny[.]us darkinjtat[.]us pastorsta[.]us sategnaxf[.]us\r\nmordiquedp[.]us mogulanbub[.]us aleesexx[.]us strekktumgz[.]us\r\nkresanike[.]us oberhirtesn[.]us wyddiongw[.]us etherviltjd[.]us\r\ngdinauq[.]us tumisolcv[.]us oardbzta[.]us zamislimrx[.]us\r\ntidifkil[.]us anwirbtda[.]us breliaattainoqt[.]us steinzeitps[.]us\r\ngrafoay[.]us shuramiok[.]us sanarteau[.]us jerininomgv[.]us\r\nkusturirp[.]us tenisaragonpu[.]us terquezajf[.]us remularegf[.]us\r\nnobanior[.]us julijmc[.]us dekrapp[.]us odaljenakd[.]us\r\nSource: https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/\r\nDuring the bulk of this run, Excel files such as those below were attached directly in the email. The attackers changed the delivery domains every few days in order to eventually pull the Dridex payload from .xyz domains and connected to IP-based C2s on familiar ports like 4664, 3889, 691, and 8443:\nyumicha[.]xyz",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/"
	],
	"report_names": [
		"what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations"
	],
	"threat_actors": [],
	"ts_created_at": 1775434943,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc8871ecebd522dfdcd508a49507460d188ec4e7.pdf",
		"text": "https://archive.orkl.eu/bc8871ecebd522dfdcd508a49507460d188ec4e7.txt",
		"img": "https://archive.orkl.eu/bc8871ecebd522dfdcd508a49507460d188ec4e7.jpg"
	}
}