{
	"id": "da230e02-5180-415c-a53d-28bd08e3b860",
	"created_at": "2026-04-06T00:14:01.447603Z",
	"updated_at": "2026-04-10T03:35:33.217861Z",
	"deleted_at": null,
	"sha1_hash": "dd0a1e1b0314fa785ca2087c6e0cf11641b7842e",
	"title": "Research Roundup: Activity on Previously Identified APT33 Domains | ThreatConnect",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 177246,
	"plain_text": "Research Roundup: Activity on Previously Identified APT33\r\nDomains | ThreatConnect\r\nBy ThreatConnect\r\nPublished: 2020-09-11 · Archived: 2026-04-05 16:17:31 UTC\r\nPosted September 11, 2020\r\nHowdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research\r\nTeam and items from open source publications that have resulted in Observations of related indicators across\r\nThreatConnect’s CAL™ (Collective Analytics Layer).\r\nNote: Viewing the pages linked in this blog post requires a ThreatConnect account.\r\nIn this edition, we cover:\r\nAPT33\r\nRedDelta PlugX\r\nDomains Spoofing CDN, News, and File Sharing Sites\r\nEmotet\r\nRoundup Highlight: Activity on Previously Identified APT33 Domains\r\n20200908A: Previously Identified APT33 Domains Resolving to 109.230.199[.]157\r\nhttps://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/\r\nPage 1 of 3\n\nOur highlight in this Roundup is Incident 20200908A: Previously Identified APT33 Domains Resolving to\r\n109.230.199[.]157. A number of APT33 domains previously identified in a TrendMicro report on obfuscated\r\ncommand and control infrastructure — zeverco[.]com (oliverleftley@inbox[.]com), service-eset[.]com\r\n(wata.nakatsu@mail[.]com), simsoshop[.]com (tsuda2016@mail[.]com), and qualitweb[.]com\r\n(tsuyukisogawa@inbox[.]lv) — began resolving to 109.230.199[.]157 starting in late July 2020. At this time, we\r\ndo not know if this IP address is a sinkhole or parking IP used for previous malicious infrastructure. Further, we\r\ndon’t know the extent to which the aforementioned domains are still under APT33’s control. If 109.230.199[.]157\r\nis a sinkhole or not under APT33’s control, then the following additional infrastructure is not necessarily\r\nassociated with APT33 and may be associated with a different actor.\r\nSeveral additional domains not previously associated with APT33 or other actors’ activity also began resolving to\r\nthis IP in the last two months. The identified domains (and their registrants when known) include the following:\r\npublicsecur[.]com\r\nakadnsplugin[.]com (joshua.toon1978@mail[.]com)\r\nservice-houston[.]com\r\nsupport-newyork[.]com\r\nocsp-support[.]com (warren.jones2626@mail[.]com)\r\nGiven our uncertainty on whether the previous domains and 109.230.199[.]157 IP address are under APT33’s\r\ncontrol, we do not know if these domains are also associated with APT33. Regardless, they merit further scrutiny\r\nas some of them were registered through suspicious resellers like THCservers that various state and criminal\r\nactors have used to procure infrastructure.\r\nAlso of note, the ocsp-support[.]com domain may be associated with two other domains — prefmsedge[.]com\r\n(warren.jones6363@inbox[.]lv) and tracking-protection[.]net (warrenjones39458@protonmail[.]com) — based on\r\nthe reuse of the “Warren Jones” strings in the email address. Unlike ocsp-support[.]com, these domains were\r\nregistered through AminServe.\r\nThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common\r\nCommunity by our Research Team.\r\n20200908B: File Matching YARA Rule Associated to RedDelta PlugX\r\nThreatConnect Research identified\r\na RedDelta PlugX binary and extracted Command and Control locations from the embedded configuration.\r\n20200909A: CDN and News-spoofing Probable Phishing Domains Hosted at 185.228.83[.]110\r\nThreatConnect Research identified a set of suspicious domains hosted on a probable dedicated server that\r\nspoof various content delivery networks (CDNs), news organizations, and file sharing sites. At least one of\r\nthe domains was identified in phishing activity spoofing an Italian organization. Additional associated\r\ndomains were identified based on SSL certificate reuse.\r\nTechnical Blogs and Reports\r\nIncidents with Active and Observed Indicators: Incidents associated to one or\r\nmore Indicators with an Active status and at least one global Observation across the ThreatConnect community.\r\nThese analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).\r\nEmotet C2 Deltas from 2020/09/09 as of 8:00EDT or 12:00UTC (Source:\r\nhttps://paste.cryptolaemus.com/emotet/2020/09/09/emotet-C2-Deltas-0800-1200_09-09-20.html)\r\nThreat Roundup for August 28 to September 4 (Source: https://blog.talosintelligence.com/2020/09/threat-roundup-0828-0904.html)\r\nTo receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that\r\nitem’s Details page.\r\nAbout the Author\r\nThreatConnect\r\nBy operationalizing threat and cyber risk intelligence, the ThreatConnect Platform changes the security\r\noperations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy\r\nand value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the\r\nThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a\r\nproactive force in protecting the enterprise. Learn more at www.threatconnect.com.\r\nSource: https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/"
	],
	"report_names": [
		"research-roundup-activity-on-previously-identified-apt33-domains"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434441,
	"ts_updated_at": 1775792133,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd0a1e1b0314fa785ca2087c6e0cf11641b7842e.pdf",
		"text": "https://archive.orkl.eu/dd0a1e1b0314fa785ca2087c6e0cf11641b7842e.txt",
		"img": "https://archive.orkl.eu/dd0a1e1b0314fa785ca2087c6e0cf11641b7842e.jpg"
	}
}