Proofpoint reported that TA416 resumed their European government espionage activities about a month ago. Their researchers analyzed the campaigns in great depth and published 96 network IoCs comprising subdomains, domains, and email addresses in their report.
We extracted unique domains from the subdomain IoCs and filtered out those that could belong to legitimate entities with the help of the WhoisXML API MCP Server. This step allowed us to collate 91 IoCs for our analysis comprising 11 subdomains, 73 domains, and seven email addresses.
Our DNS deep dive into the TA416 espionage campaigns led to these discoveries:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
To kick off our investigation, we studied the 11 subdomain IoCs further.
Our WhoisXML API MCP Server queries confirmed that three of them were malicious hostnames. While many were hosted on legitimate infrastructure, six were still considered suspicious. Take a look at more specific information on five examples below.
| SUBDOMAIN IoC | WXA MCP SERVER FINDING |
|---|---|
| attd[.]z23[.]web[.]core[.]windows[.]net | While the apex domain is legitimate, the subdomain has been flagged for malware distribution |
| filestoretome[.]z23[.]web[.]core[.]windows[.]net | Since this sits in zone z23, which is a confirmed malware host, it may be worth blocking |
| gooledives[.]z48[.]web[.]core[.]windows[.]net | The most operationally active but has a very short TTL and possibly impersonates Google |
| mydownfile[.]z11[.]web[.]core[.]windows[.]net | A confirmed malware host with nearly identical activity as attd[.]z23[.]web[.]core[.]windows[.]net |
| mydownload[.]z29[.]web[.]core[.]windows[.]net | A confirmed malware host |
Next, we examined the 73 domain IoCs further.
First, sample network data from the IASC revealed that 122 unique client IP addresses under four distinct ASNs communicated with five of the domain IoCs via 290 DNS queries made between 4 and 23 March 2026.
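The two steps described so far, normalising defanged subdomain IoCs into a blockable unit (where the apex is shared Azure hosting, only the exact hostname is actionable) and then matching client DNS queries against that list, can be written as a small Python script. This is an added example, not code from the original post or from WhoisXML API; the IoC values are copied from the post's tables, the DNS log lines are constructed, and the tiny suffix and shared-hosting lists are assumptions standing in for the Public Suffix List and a real provider list.

```python
"""Refang the post's IoCs, pick a blocking unit for each, and scan constructed DNS logs.

Added example; not code from the original post or from WhoisXML API.
Assumption: the short suffix/shared-hosting tuples below stand in for the
Public Suffix List and a maintained list of shared-hosting zones.
"""
import re
from typing import Optional

# IoCs in the post's defanged notation (values taken from the post's tables).
IOCS = [
    "attd[.]z23[.]web[.]core[.]windows[.]net",
    "filestoretome[.]z23[.]web[.]core[.]windows[.]net",
    "gooledives[.]z48[.]web[.]core[.]windows[.]net",
    "mydownfile[.]z11[.]web[.]core[.]windows[.]net",
    "mydownload[.]z29[.]web[.]core[.]windows[.]net",
    "subusiness[.]org",
    "aaitile[.]com",
    "bobbush[.]org",
]

MULTI_LABEL_SUFFIXES = ("co.uk", "in.th")          # assumption: PSL stand-in
SHARED_HOSTING_ZONES = ("web.core.windows.net",)   # assumption: provider-owned apex


def refang(ioc: str) -> str:
    """Undo the '[.]' defanging and normalise the hostname."""
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")


def apex(host: str) -> str:
    """Registrable domain: last two labels, or three under a known multi-label suffix."""
    labels = host.split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        if host.endswith("." + suffix):
            return ".".join(labels[-(suffix.count(".") + 2):])
    return ".".join(labels[-2:])


def blocking_unit(host: str) -> tuple:
    """(name to block, kind). On shared hosting the apex belongs to the provider,
    so only the exact hostname is actionable; elsewhere the apex is attacker-held."""
    for zone in SHARED_HOSTING_ZONES:
        if host.endswith("." + zone):
            return host, "shared-hosting host"
    return apex(host), "apex"


def build_blocklist(iocs) -> dict:
    """Map each blocking unit to its kind, deduplicating subdomains of one apex."""
    blocklist = {}
    for ioc in iocs:
        unit, kind = blocking_unit(refang(ioc))
        blocklist[unit] = kind
    return blocklist


def matches(qname: str, blocklist: dict) -> Optional[str]:
    """Return the blocklist unit that qname equals or sits under, else None."""
    qname = qname.lower().rstrip(".")
    for unit, kind in blocklist.items():
        if qname == unit:
            return unit
        if kind == "apex" and qname.endswith("." + unit):  # no wildcard on shared zones
            return unit
    return None


# Constructed log format: <timestamp> <client IP> query <type> <qname>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")
SAMPLE_LOG = [  # constructed sample lines
    "2026-03-04T10:01:02Z 10.1.2.3 query A mydownload.z29.web.core.windows.net",
    "2026-03-04T10:01:05Z 10.1.2.4 query A docs.microsoft.com",
    "2026-03-05T08:30:00Z 10.1.2.9 query A cdn.aaitile.com",
    "2026-03-05T08:31:00Z 10.1.2.9 query AAAA portal.z23.web.core.windows.net",
    "2026-03-06T12:00:00Z 10.1.2.7 query A SUBUSINESS.ORG.",
]


def scan_log(lines, blocklist: dict) -> list:
    """Return (client, qname, matched unit) for every query that hits the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        unit = matches(m["qname"], blocklist)
        if unit:
            hits.append((m["client"], m["qname"].lower().rstrip("."), unit))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(IOCS)
    for unit, kind in bl.items():
        print(f"{kind:20s} {unit}")
    for hit in scan_log(SAMPLE_LOG, bl):
        print("HIT", *hit)
```

The fourth sample line (an unrelated site on the same `z23` zone) deliberately does not match: treating `windows.net` or the zone as the blocking unit would have flagged it, which is the false-positive risk the post's "apex domain is legitimate" finding points at.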

Typosquatting API queries for the domain IoCs showed that three appeared in four typosquatting groups with six to 16 members each between 26 September and 21 December 2025.

One of the domain IoCs—subusiness[.]org—appeared in two typosquatting groups. The first group had 12 members created between 15 and 16 December 2025. The second, meanwhile, had six members created between 15 and 21 December 2025. Here are more details about the two groups.
| DOMAIN IoC | GROUP MEMBER NUMBER | LOOK-ALIKE | CREATION DATE |
|---|---|---|---|
| subusiness[.]org | 12 | jmbusiness[.]solutions | No date |
| | | zkbusiness[.]xyz | No date |
| | | nj-business[.]com | 12/16/25 |
| | | jdbusiness[.]nl | 12/16/25 |
| | | b3business[.]site | No date |
| | | allbusiness[.]onl | 12/15/25 |
| | | albusiness[.]store | No date |
| | | aekbusiness[.]com | 12/16/25 |
| | | dpbusiness[.]shop | 12/16/25 |
| | | hybusiness[.]shop | 12/16/25 |
| | | a2gbusiness[.]com | 12/16/25 |
| subusiness[.]org | 6 | cnbusiness[.]net | 12/18/25 |
| | | mybusiness[.]in[.]th | 12/21/25 |
| | | 02business[.]co[.]uk | 12/19/25 |
| | | combusiness[.]live | 12/15/25 |
| | | carbusiness[.]biz | 12/20/25 |
Next, we queried the domain IoCs on WHOIS API and discovered that:

- They were administered by four different registrars.
- While three did not have registrant countries on record, the remaining 70 were registered in two countries.

DNS Chronicle API queries for the domain IoCs revealed that, between them, they recorded 15,317 historical domain-to-IP resolutions over time. Take a look at more information for five examples below.
| DOMAIN IoC | NUMBER OF DOMAIN-TO-IP RESOLUTIONS | DATES SEEN |
|---|---|---|
| aaitile[.]com | 822 | 02/04/17–03/28/26 |
| bobbush[.]org | 553 | 02/05/17–01/06/26 |
| stuypa[.]org | 465 | 02/27/17–03/23/26 |
| majicbus[.]org | 430 | 02/06/17–12/23/25 |
| ecolnomy[.]com | 390 | 08/09/19–03/23/26 |
A total of 49 of the domain IoCs continued to record new resolutions this year.
After that, we focused on the seven email IoCs.
We queried them on the WhoisXML API MCP Server and found out that:
After learning more about the IoCs, we then moved on to hunting for new artifacts.
We started by querying the 73 domain IoCs on WHOIS History API and discovered that 69 had 378 unique email addresses in their historical records. A closer look at them revealed that 88 were public email addresses.
Reverse WHOIS API queries for the public email addresses allowed us to discern that while three were not used as registrant email addresses, six could belong to domainers. The remaining 79 public email addresses, meanwhile, were used to register 45,197 unique email-connected domains after those already dubbed as IoCs were filtered out.
We then queried the email-connected domains on Threat Intelligence API and found out that 15 have already been weaponized for various attacks. Here are more details for five examples.
| MALICIOUS EMAIL-CONNECTED DOMAIN | ASSOCIATED THREAT | DATES SEEN |
|---|---|---|
| chjq168[.]com | Phishing; generic threat | 01/28/26–04/04/26; 01/28/26–02/27/26 |
| 100viagra[.]com | Malware distribution | 02/18/26–04/04/26 |
| cisco-us[.]com | Malware distribution | 05/06/25–04/04/26 |
| downloadfreak[.]top | Malware distribution | 06/11/25–04/03/26 |
| e-brane[.]com | Phishing | 03/06/26–04/04/26 |
After that, we queried the domain IoCs on DNS Lookup API and discovered that 61 actively resolved to 69 unique IP addresses.
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.