{ "id": "a1993356-2484-429c-9a72-83482fef2b3d", "created_at": "2026-04-06T00:15:09.102148Z", "updated_at": "2026-04-10T13:12:35.088231Z", "deleted_at": null, "sha1_hash": "dc32c323a1ba849b85fcdc399e5fae9808c71bac", "title": "Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 38255, "plain_text": "Justice Department Announces Court-Authorized Seizure of\r\nDomain Names Used in Furtherance of Spear-Phishing Campaign\r\nPosing as U.S. Agency for International Development\r\nPublished: 2021-06-01 · Archived: 2026-04-05 19:11:51 UTC\r\nWASHINGTON – On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States\r\nseized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity\r\nthat mimicked email communications from the U.S. Agency for International Development (USAID). This\r\nmalicious activity was the subject of a May 27 Microsoft security alert, titled “New sophisticated email-based\r\nattack from Nobelium\r\n,” and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory.\r\nThe Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation\r\nof victims, as well as identifying compromised victims. However, the actors may have deployed additional\r\nbackdoor accesses between the time of the initial compromises and last week’s seizures.\r\n“Last week’s action is a continued demonstration of the Department’s commitment to proactively disrupt hacking\r\nactivity prior to the conclusion of a criminal investigation,” said Assistant Attorney General John C. Demers for\r\nthe Justice Department’s National Security Division. “Law enforcement remains an integral part of the U.S.\r\ngovernment’s broader disruption efforts against malicious cyber-enabled activities, even prior to arrest, and we\r\nwill continue to evaluate all possible opportunities to use our unique authorities to act against such threats.”\r\n“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer\r\nnetworks, and can result in significant harm to individual victims, government agencies, NGOs, and private\r\nbusinesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia. “As demonstrated by the\r\nhttps://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear\r\nPage 1 of 2\n\ncourt-authorized seizure of these malicious domains, we are committed to using all available tools to protect the\r\npublic and our government from these worldwide hacking threats.”\r\n“Friday’s court-authorized domain seizures reflect the FBI Washington Field Office’s continued commitment to\r\ncyber victims in our region,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington\r\nField Office. “These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging\r\nour unique authorities to disrupt our cyber adversaries.”\r\n“The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and\r\nthe American public,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “We will continue to\r\nuse all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this\r\ntype of hacking activity but to impose risk and consequences upon our adversaries to combat these threats.”\r\nOn or about May 25, malicious actors commenced a wide-scale spear-phishing campaign leveraging a\r\ncompromised USAID account at an identified mass email marketing company. Specifically, the compromised\r\naccount was used to send spear-phishing emails, purporting to be from USAID email accounts and containing a\r\n“special alert,” to thousands of email accounts at over one hundred entities.\r\nUpon a recipient clicking on a spear-phishing email’s hyperlink, the victim computer was directed to download\r\nmalware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the\r\nCobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim’s\r\nnetwork. The actors’ instance of the Cobalt Strike tool received C2 communications via other subdomains of\r\ntheyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the\r\nDepartment seized pursuant to the court’s seizure order.\r\nThe National Security Division’s Counterintelligence and Export Control Section and the United States Attorney’s\r\nOffice for the Eastern District of Virginia are investigating this matter in coordination with the FBI’s Cyber\r\nDivision and Washington Field Office.\r\nSource: https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear\r\nhttps://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "origins": [ "web" ], "references": [ "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear" ], "report_names": [ "justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear" ], "threat_actors": [ { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89", "created_at": "2022-10-25T15:50:23.739197Z", "updated_at": "2026-04-10T02:00:05.275809Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ], "source_name": "MITRE:UNC2452", "tools": [ "Sibot", "Mimikatz", "Cobalt Strike", "AdFind", "GoldMax" ], "source_id": "MITRE", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434509, "ts_updated_at": 1775826755, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/dc32c323a1ba849b85fcdc399e5fae9808c71bac.pdf", "text": "https://archive.orkl.eu/dc32c323a1ba849b85fcdc399e5fae9808c71bac.txt", "img": "https://archive.orkl.eu/dc32c323a1ba849b85fcdc399e5fae9808c71bac.jpg" } }