Massive Phishing Attack Targets Defense & Aerospace Sectors

A phishing campaign targeting defense and aerospace organizations linked to the Ukraine conflict has been uncovered, leveraging spoofed domains and credential-harvesting infrastructure.

Between December 2024 and March 2025, attackers deployed mail servers hosting fake webmail login pages to steal credentials from entities supporting Ukraine’s military efforts, with 878 spoofed domains identified across 12 mail servers.

Phishing Infrastructure and Domain Spoofing Techniques

The campaign utilized GHOSTnet VPS-hosted domains registered via Spaceship registrar, imitating legitimate organizations through subtle typos or character modifications.

For example, kroboronprom[.]com spoofed Ukraine’s state-owned arms manufacturer Ukroboronprom, while rheinemetall[.]com mimicked German defense contractor Rheinmetall.

Attackers employed Mailu, an open-source mail server platform, to create credential-harvesting pages resembling corporate webmail portals.

Operational Infrastructure

  • MX Domains: 12 primary domains (e.g., hungry-shark[.]site, stupid-buddy[.]mom) served as mail exchangers, supporting spoofed subdomains targeting entities in 11 countries.
  • Target Distribution (top three MX domains by number of spoofed domains):

    MX Domain               Targeted Sector         Spoofed Domains
    kroboronprom[.]com      Ukraine-based defense   101
    santa-clause[.]online   U.S.-based IT           93
    lucky-guy[.]space       Turkey-based defense    82

Emails likely used domain spoofing in sender fields to impersonate internal communications, directing victims to malicious login pages.

Malware Distribution and Expanded Attack Surface

Beyond credential harvesting, the threat actor deployed cryptshare.rheinemetall[.]com, a subdomain mimicking the legitimate Cryptshare file-sharing service.

This page (Figure 2) required password authentication to download files, suggesting potential malware distribution between January and February 2025.

Five additional domains were linked to this activity through WHOIS data and infrastructure patterns:

  • ukrtelecom[.]eu (spoofing Ukrainian telecom providers)
  • funky-bober[.]art (hosting identical Mailu pages)
  • ukrtelcom[.]com (pending activation for attacks)

The infrastructure displayed defense evasion tactics by:

  1. Using decentralized VPS hosting
  2. Registering domains with whimsical names (e.g., rainbow-pony[.]buzz) to avoid suspicion
  3. Implementing TLS encryption on phishing pages

Cyber Espionage Assessment and Conflict Links

DTI assesses with moderate confidence that this activity supports intelligence collection related to the Ukraine conflict, given:

  1. Sector Focus: 73% of spoofed domains targeted defense/aerospace firms supplying Ukraine
  2. Geopolitical Alignment: Heavy emphasis on NATO member states (France, UK, Turkey) providing military aid
  3. TTP Consistency: Infrastructure overlaps with historical Russian-aligned APT patterns, though unattributed

The campaign highlights evolving threats to critical supply chains in active conflict zones. Organizations should implement:

  • Domain monitoring for typosquatting variants
  • Multi-factor authentication for email systems
  • Network traffic analysis for GHOSTnet VPS IP ranges (5.230.xx.xx and 5.231.1.xx)
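The first and third of these recommendations, together with the lookalike-domain technique described earlier (a dropped or inserted character in a trusted brand name), can be turned into a simple triage pass over mail-gateway logs. The script below is an added example written for this article; it is not code from DomainTools or from the campaign's tooling. It assumes a hypothetical log format (constructed sample lines, not real traffic), treats the article's brand names as a protected watchlist, and reads the ranges "5.230.xx.xx" and "5.231.1.xx" as 5.230.0.0/16 and 5.231.1.0/24, which is an interpretation rather than something the article states.

```python
"""Triage mail-gateway log lines for lookalike sender domains and watched IP ranges."""
import ipaddress
import re

# Brand labels to protect (second-level labels only, so the TLD does not matter).
# Names come from the article; treating them as a watchlist is an assumption.
PROTECTED_BRANDS = ["ukroboronprom", "rheinmetall", "ukrtelecom"]

# The article gives the ranges as 5.230.xx.xx and 5.231.1.xx; reading them as
# 5.230.0.0/16 and 5.231.1.0/24 is an assumption.
WATCHED_NETWORKS = [
    ipaddress.ip_network("5.230.0.0/16"),
    ipaddress.ip_network("5.231.1.0/24"),
]

# Constructed sample lines in a hypothetical gateway format (not real logs).
SAMPLE_LOG = """\
2025-01-15T10:22:03Z from=it-support@kroboronprom.com to=a.user@example.org ip=5.230.44.9
2025-01-15T10:23:40Z from=hr@mail.rheinemetall.com to=b.user@example.org ip=203.0.113.7
2025-01-15T10:25:11Z from=news@ukroboronprom.com to=c.user@example.org ip=198.51.100.2
2025-01-15T10:27:55Z from=noreply@santa-clause.online to=d.user@example.org ip=5.231.1.200
2025-01-15T10:30:02Z from=alerts@ukrtelcom.com to=e.user@example.org ip=192.0.2.9
"""

LINE_RE = re.compile(r"from=\S+@(?P<domain>[\w.-]+)\s+to=\S+\s+ip=(?P<ip>[\d.]+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain: str) -> str:
    """Second-level label of a domain (mail.rheinemetall.com -> rheinemetall).
    Simplification: public suffixes such as co.uk are not handled."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_brand(domain: str, max_distance: int = 2):
    """Return (brand, distance) when the domain's label is a near miss of a
    protected brand; None for exact matches or unrelated names."""
    label = brand_label(domain)
    if label in PROTECTED_BRANDS:
        return None
    best = None
    for brand in PROTECTED_BRANDS:
        d = levenshtein(label, brand)
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best


def in_watched_range(ip: str) -> bool:
    """True when the address falls inside one of the watched networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_NETWORKS)


def triage(log_text: str):
    """Return one finding per suspicious line: (line_no, sender_domain, reasons)."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        domain, ip = m.group("domain"), m.group("ip")
        reasons = []
        hit = lookalike_brand(domain)
        if hit:
            reasons.append(f"lookalike of {hit[0]} (edit distance {hit[1]})")
        if in_watched_range(ip):
            reasons.append(f"source {ip} in watched range")
        if reasons:
            findings.append((line_no, domain, reasons))
    return findings


if __name__ == "__main__":
    for line_no, domain, reasons in triage(SAMPLE_LOG):
        print(f"line {line_no}: {domain}: " + "; ".join(reasons))
```

On the constructed sample, the exact-match sender (ukroboronprom) produces no finding, while the one-character variants (kroboronprom, rheinemetall, ukrtelcom) and the two sources inside the watched ranges are flagged. The edit-distance threshold of 2 is a tuning choice: lower it for short brand names, where two edits cover many unrelated words, and pair the check with SPF/DMARC results in a real deployment, since lookalike domains are registered precisely because they pass those checks for their own name.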

Indicators of Compromise (IOCs), including full domain lists and MX server IPs, are available in DomainTools’ GitHub repository.

This operation underscores the strategic blending of low-cost phishing tactics with geopolitical targeting to compromise high-value defense networks.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
