Home / Industry

Threat Intel Expansion on Cosmic Lynx BEC Campaign’s Recorded IoCs

Why go after individuals when you can get greater rewards by zooming in on more lucrative targets like large multinational corporations (MNCs)?

That’s the premise behind the Cosmic Lynx business email compromise (BEC) campaign that brought several MNCs, many of which were Fortune 500 or Global 2000 companies, to their knees.

This short study takes a look at the indicators of compromise (IoCs) linked to Cosmic Lynx that Agari publicized. It also adds several IoCs that MNCs and practically any organization the world over should look out for at the very least.

What We Know about Cosmic Lynx

Here are some facts about Cosmic Lynx from the Agari research paper:

Cosmic Lynx is the name of the Russian cybercriminal organization behind 200 BEC campaigns targeting large MNCs globally, specifically in 46 countries across six continents, since July 2019.

The cybercriminals mimicked senior-level executives of Fortune 500 or Global 2000 companies to get to employees with access to the targets’ finances. About ¾ of Cosmic Lynx’s targets had titles like vice president, general manager, or managing director.

The campaign used a twofold impersonation scheme. They first pretend to be the CEO of an organization that is preparing to expand their operations to Asia. They ask the target employee to engage with an external legal counsel for the acquisition payments. The Cosmic Lynx actors then hijack the identity of a legitimate U.K.-based law firm lawyer to facilitate the transaction. They use Hong Kong-based mules to receive the stolen funds but also worked with others from Hungary, Portugal, and Romania.

On average, a BEC victim pays out US$55,000. Cosmic Lynx, however, asks each target for hundreds of thousands or even millions of dollars.

Cosmic Lynx mimics secure corporate networks to trick their targets. The artifacts linked to their campaigns include 65 domains and 61 IP addresses.

Additional Intel Every MNC Needs to Know

Apart from the artifacts Agari publicized, MNCs who wish to ensure utmost protection from Cosmic Lynx may also be wary of a few of the additional domains and IP addresses in Table 1 obtained from WhoisXML API threat intelligence sources, specifically DNS Lookup API and Reverse IP/DNS API. Note that these IoCs were confirmed malicious by VirusTotal. They may, however, not be directly related to the Cosmic Lynx campaign but use the same infrastructure.

Table 1: Nonpublicized Cosmic Lynx IoCs
Domains Obtained from Reverse IP/DNS API and Dubbed Malicious on VirusTotal
IP Addresses Obtained from DNS Lookup API and Dubbed Malicious on VirusTotal

Of the 61 IP addresses collated and published by Agari, 37 were categorized as “malicious” on VirusTotal. The IP address 45[.]90[.]58[.]30 proved most dangerous as it hosted two other malicious domains (i.e., frzamserngsirerive[.]com and naffltsirerive[.]com) based on Reverse IP/DNS API results.

Out of the 65 domains, meanwhile, 64 were dubbed “malicious” on VirusTotal. Five of these (i.e., mail-transport-protection[.]cc [2 IP addresses], secure-email-provider[.]com [4 IP addresses], secure-mail-net[.]com [1 IP address], secure-mail-provider[.]com [4 IP addresses], and secure-ssl-sec[.]com [4 IP addresses]) proved especially dangerous as they were connected to 1—4 malicious IP addresses.

All in all, we obtained an additional two domains and seven IP addresses that were not included in Agari’s list.

BEC attacks have been soaring to ever greater heights in terms of prominence. In 2019, the Internet Crime Complaint Center (IC3) received thousands of complaints from many companies across 20+ U.S. states. As such, the fact that more sophisticated threat groups like Cosmic Lynx are adding BEC campaigns to their arsenals should concern everyone. Protecting against BEC scams and other cyber attacks require not just keeping track of publicized IoCs but also scrutinizing said indicators using domain and IP intelligence tools to comb through all possible threat vectors.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign


Sponsored byDNIB.com

New TLDs

Sponsored byRadix