Actinium/Gamaredon, reported as a Russian advanced persistent threat (APT) group that has been active for almost a decade now, had started trailing their sights on Ukrainian organizations back in February 2022. At least three major cybersecurity service providers—Microsoft Security, Palo Alto Networks, and Symantec—published indicators of compromise (IoCs) related to the threat over the years. Their reports gave us 151 unique domains, which served as the starting point for our in-depth investigation.

Our analysis uncovered several other IoCs and artifacts that could be related to the threat, namely:

• 19 unique IP addresses the domain IoCs resolved to, one of which was dubbed “dangerous” by various malware engines
• 67 unique domains that shared IP hosts with the domain IoCs
• 218 unique domains that shared a domain IoC’s registrant email address
• 57 connected domains found to be malicious

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

A Look at Actinium/Gamaredon’s IoCs

Our initial data gathering originally gave us 157 domain names from three reports—133 from Microsoft, 19 from Palo Alto, and five from Symantec. Six were duplicates, leaving us with 151 unique domain IoCs.

Domain Name System (DNS) lookups for the 151 domain IoCs led to the discovery of 19 unique IP resolutions, including:

• 194[.]58[.]92[.]102
• 2a00[:]f940[:]4[::]10
• 194[.]67[.]71[.]103
• 178[.]21[.]11[.]27
• 194[.]67[.]71[.]178

Reverse IP lookups for these resulted in 67 unique domains that could be connected to the threat. There could be hundreds more possibly connected domains, as our search results were limited to a sample of five domain names per IP address. Examples of connected domains include:

• 4727potrero[.]com
• abczoo[.]ru
• c3lt[.]host
• dr0neb0ys[.]ru
• eaudeakvavit[.]com
• gold-02[.]online
• jolotras[.]ru
• korovacentr[.]ru
• mixdodgerblue[.]me
• safeguardblog[.]org[.]uk

A bulk WHOIS lookup for the domains from our original IoC list and reverse IP lookups allowed us to find one unredacted registrant email address. Using that as a search term for reverse WHOIS lookups limited to currently active domains gave us an additional 218 possibly connected domains, including:

• gurmou[.]site
• homoptera[.]online
• cerambycidae[.]online
• fanniidae[.]online
• asilidae[.]online
• blattodea[.]online
• stealheada[.]site
• merostomata[.]online
• polyphemus[.]online
• limulusa[.]online

All in all, we managed to obtain an additional 19 IP addresses, 285 domains, and one email address.

Our investigation didn’t stop there. We also subjected the additional web properties we found to the various checks available in Threat Intelligence Platform (TIP) and found that:

• One of the IP addresses the domain IoCs resolved to—194[.]58[.]92[.]102—was dubbed “dangerous” by various malware engines.
• A total of 57 domains possibly connected to the threat are categorized as malicious. Examples include:
  • 0204[.]ru
  • graphosoma[.]online
  • cerambycidae[.]online
  • biblidinae[.]online
  • apidaet[.]online
  • scorpiones[.]online
  • merostomata[.]online
  • eryxis[.]online
  • latesa[.]online
  • discouti[.]online
• Sixteen of the 19 IP addresses our analysis exposed had Secure Sockets Layer (SSL) issues or misconfigurations.
• According to TIP checks, nine of the 57 malicious connected domains had SSL vulnerabilities, 17 had WHOIS record issues, and nine had nameserver misconfigurations.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.