
Tracking Adversaries: Ghostwriter APT Infrastructure

Published 24/01/2025 13:30 · Modified 24/01/2025 14:24

Essential information

Tags
2025-01-24 apt belarus cobalt strike ukraine
Related entities
1 vulnerabilities (cve), 25 observables, 1 intrusion sets (apt), 7 techniques (mitre), 1 malware, 4 others

Description

This analysis examines the infrastructure used by the Ghostwriter group, focusing on its phishing campaign targeting the Ukrainian military. By pivoting on overlapping indicators of compromise (IOCs) from multiple threat reports, a cluster of malicious domains was identified. These domains share common attributes such as registrar, name servers, and TLD. Using these patterns, additional unreported domains likely created by Ghostwriter were uncovered. The investigation also revealed associated malware samples communicating with these domains. This infrastructure-pivoting approach demonstrates how threat intelligence analysts can gain deeper insight into an adversary's targets, capabilities, and behaviors by thoroughly examining IOC attributes and the connections between them.

External references