{
	"id": "ce045cbc-f515-41e2-9084-20ec79e50125",
	"created_at": "2026-04-06T00:17:48.390275Z",
	"updated_at": "2026-04-10T03:35:37.611254Z",
	"deleted_at": null,
	"sha1_hash": "e53c83f33d44856220c0b8a7223c8cb43806778f",
	"title": "Probing Lorec53 Phishing through the DNS Microscope",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1192887,
	"plain_text": "Probing Lorec53 Phishing through the DNS Microscope\r\nBy WhoisXML API (Sponsored Post)\r\nArchived: 2026-04-05 14:14:45 UTC\r\nLorec53, a relatively new APT group according to NSFocus, actively targeted various Eastern European government institutions in 2021. The threat actors used well-crafted phishing campaigns to gather and steal data from their targets. Two years after their heyday, is the threat Lorec53 poses gone? Or has the group left still-active traces in the DNS?\r\nUsing the 21 indicators of compromise (IoCs)—19 domains and two IP addresses—NSFocus shared via AlienVault OTX as jump-off points, the WhoisXML API research team sought to find digital bread crumbs the APT group may have left behind in the DNS. Our analysis found:\r\n• 21 domains that were registered using the same email address as two of the IoCs, two of which turned out to be malicious\r\n• 12 unique IP addresses to which the domains identified as IoCs resolved\r\n• 1,818 domains that shared the IoCs’ IP hosts\r\n• 168 domains that shared unique strings with some of the IoCs\r\nA sample of the additional artifacts obtained from our analysis is available for download from our website.\r\nLorec53 Campaign Tidbits\r\nLorec53 used various lures in their targeted phishing campaigns, including:\r\n• A supposed document confirming the target’s agreement to a disease prevention and control-related proposal\r\n• Proof of being chosen as a bitcoin recipient\r\n• Evidence of a fake COVID variant dubbed “COVID-21”\r\n• A supposed update for Adobe Acrobat Reader DC\r\n• A fake Android app\r\nAll of the email file attachments above, along with others sent by Lorec53, were laced with malware meant to exfiltrate confidential data.\r\nNSFocus shared the list of IoCs they collated via AlienVault OTX.\r\nhttps://circleid.com/posts/20230412-probing-lorec53-phishing-through-the-dns-microscope\r\nPage 1 of 5\r\nCollating Lorec53 Digital Bread Crumbs\r\nWe began our investigation by determining which of the domain IoCs remained live via screenshot lookups. Only two of the domain IoCs continued to host live content to this day.\r\nThe other live page—eyedealrealty[.]com—hosts a real estate company site consistent with its name.\r\nTo trace Lorec53’s digital footprint, we then sifted through the domain IoCs’ WHOIS records. The current WHOIS records of the two domains above also indicated their registrants’ personal email addresses.\r\nReverse WHOIS searches for the email addresses revealed they were historically used to register 21 domains in total, two of which turned out to be malicious. An example would be matosariasrealstate[.]com.\r\nNext, DNS lookups for the domain IoCs showed they resolved to nine unique IP addresses, giving us a total of 11 IP hosts when combined with the two identified as IoCs. Six of these were shared hosts, three were dedicated, and two had no matching DNS records.\r\nThe 11 resolving IP addresses were scattered across five countries. The U.S. accounted for five IP hosts, followed by the Netherlands and Russia with two each.\r\nReverse IP lookups for the 11 IP addresses led to the discovery of 1,818 domains. The vast majority of these sites were parked.\r\nA couple of connected domains also contained at least three well-known brands—CNN, Google, Intel, and Visa. Examples include:\r\n• 0[.]www[.]cnn[.]jobs[.]com—indeed[.]com\r\n• 0078d3ff03b13d29f710d0e6602bcc4a[.]safeframe[.]googlesyndication[.]co\r\n• mail[.]intelpropertyrd[.]com\r\n• 108visa[.]online\r\nThese could figure in phishing and other malware-enabled campaigns targeting job seekers, syndication customers, real estate investors, and credit card holders.\r\nFinally, we noticed that some of the domains tagged as IoCs had unique strings listed in the following table. We sought to find how many other domains contained each string but used different top-level domain (TLD) extensions via Domains \u0026 Subdomains Discovery.\r\nIoC\tString Found in an IoC\tNumber of Domains Containing the String with a Different TLD Extension\r\nsmm2021[.]net\tsmm2021.\t4\r\ncabiria[.]biz\tcabiria.\t20\r\nstun[.]site\tstun.\t128\r\neumr[.]site\teumr.\t16\r\nWhile none of them were confirmed to be malware hosts, their close resemblance to the IoCs may warrant close monitoring for signs of suspicious activity.\r\nConclusion\r\nBased on the continued existence of live sites, either those identified as Lorec53 IoCs in 2021 or those that may be part of the threat group’s infrastructure through email, IP address, or string usage connections, the risks they pose may not be gone. That is especially true for the two malicious domains we identified that were registered using the same email addresses as two of the original IoCs.\r\nIf you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.\r\nSource: https://circleid.com/posts/20230412-probing-lorec53-phishing-through-the-dns-microscope",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://circleid.com/posts/20230412-probing-lorec53-phishing-through-the-dns-microscope"
	],
	"report_names": [
		"20230412-probing-lorec53-phishing-through-the-dns-microscope"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434668,
	"ts_updated_at": 1775792137,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e53c83f33d44856220c0b8a7223c8cb43806778f.pdf",
		"text": "https://archive.orkl.eu/e53c83f33d44856220c0b8a7223c8cb43806778f.txt",
		"img": "https://archive.orkl.eu/e53c83f33d44856220c0b8a7223c8cb43806778f.jpg"
	}
}