
DNS Deep Dive: TA416 European Government Espionage Campaigns

Proofpoint reported that TA416 resumed their European government espionage activities about a month ago. Their researchers analyzed the campaigns in great depth and published 96 network IoCs comprising subdomains, domains, and email addresses in their report.

We extracted unique domains from the subdomain IoCs and filtered out those that could belong to legitimate entities with the help of the WhoisXML API MCP Server. This step allowed us to collate 91 IoCs for our analysis comprising 11 subdomains, 73 domains, and seven email addresses.

Our DNS deep dive into the TA416 espionage campaigns led to these discoveries:

  • 122 unique client IP addresses that communicated with five of the domain IoCs
  • Three domain IoCs that were bulk-registered with 5 to 15 look-alikes each
  • 45,197 email-connected domains, 15 of which were confirmed malicious
  • 69 IP addresses, 60 of which were confirmed malicious
  • 117 IP-connected domains
  • 295 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

TA416 Attack Subdomain IoC Study

To kick off our investigation, we studied the 11 subdomain IoCs further.

Our WhoisXML API MCP Server queries confirmed that three of them were already classified as malicious hostnames. Although many were hosted on legitimate infrastructure, six others were still flagged as suspicious. More specific information on five examples is shown below.

SUBDOMAIN IoC | WXA MCP SERVER FINDING
attd[.]z23[.]web[.]core[.]windows[.]net | While the apex domain is legitimate, the subdomain has been flagged for malware distribution
filestoretome[.]z23[.]web[.]core[.]windows[.]net | Since this sits in zone z23, which is a confirmed malware host, it may be worth blocking
gooledives[.]z48[.]web[.]core[.]windows[.]net | The most operationally active but has a very short TTL and possibly impersonates Google
mydownfile[.]z11[.]web[.]core[.]windows[.]net | A confirmed malware host with nearly identical activity as attd[.]z23[.]web[.]core[.]windows[.]net
mydownload[.]z29[.]web[.]core[.]windows[.]net | A confirmed malware host
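As an added example (not WhoisXML API's code), the following Python shows the first step described above: refanging subdomain IoCs, extracting the registrable domain, and deciding whether the apex can be blocked outright or whether, as with the Azure static-site hostnames in the table, only the hostname should be blocked because the apex (windows[.]net) belongs to Microsoft. The public-suffix subset, the multi-tenant hostname pattern and the two hostnames marked constructed are assumptions made for the example.

```python
"""Triage subdomain IoCs: refang, find the registrable (apex) domain, and
decide the blocking scope. Added example, not WhoisXML API's code.
PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List and
MULTI_TENANT_RE a constructed stand-in for a curated list of legitimate
platforms whose tenants are untrusted (Azure static websites here)."""
import re

# Constructed subset; a real pipeline loads the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "in.th"}

# Assumption: Azure static website zones look like <tenant>.z<NN>.web.core.windows.net.
# The apex windows.net is Microsoft's, so a match must never be blocked at apex level.
MULTI_TENANT_RE = re.compile(r"^[a-z0-9-]+\.z\d+\.web\.core\.windows\.net$")


def refang(ioc: str) -> str:
    """Turn a defanged IoC such as attd[.]z23[.]web[.]core[.]windows[.]net
    back into a resolvable hostname."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host: str) -> str:
    """Return the apex (eTLD+1) using the longest matching public suffix,
    so portal.example.co.uk yields example.co.uk rather than co.uk."""
    labels = host.split(".")
    for i in range(1, len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host  # no known suffix: treat the whole name as registrable


def triage(iocs):
    """Map each refanged hostname to (apex, action). 'block_host' means the
    apex is a legitimate multi-tenant platform and only the hostname should
    be blocked; 'block_apex' means the apex itself is attacker-controlled."""
    result = {}
    for ioc in iocs:
        host = refang(ioc)
        apex = registrable_domain(host)
        action = "block_host" if MULTI_TENANT_RE.match(host) else "block_apex"
        result[host] = (apex, action)
    return result


def attacker_apexes(iocs):
    """Unique apex domains that are safe to block outright; these are the
    names that feed the domain-level pivots (WHOIS, DNS history)."""
    return sorted({apex for apex, action in triage(iocs).values()
                   if action == "block_apex"})


# Three subdomain IoCs from the table above plus two constructed hostnames.
SAMPLE_IOCS = [
    "attd[.]z23[.]web[.]core[.]windows[.]net",
    "gooledives[.]z48[.]web[.]core[.]windows[.]net",
    "mydownload[.]z29[.]web[.]core[.]windows[.]net",
    "files[.]example[.]org",         # constructed, not a real IoC
    "portal[.]example[.]co[.]uk",    # constructed, shows co.uk handling
]

if __name__ == "__main__":
    for host, (apex, action) in triage(SAMPLE_IOCS).items():
        print(f"{host:48} apex={apex:16} {action}")
    print("apexes to block:", attacker_apexes(SAMPLE_IOCS))
```

Only the `block_apex` names go on to the domain-level pivots; pushing windows[.]net through WHOIS history or reverse IP would pull in Microsoft's entire estate as noise.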

TA416 Attack Domain IoC Diagnosis

Next, we looked more closely at the 73 domain IoCs.

First, sample network data from the IASC revealed that 122 unique client IP addresses under four distinct ASNs communicated with five of the domain IoCs via 290 DNS queries made between 4 and 23 March 2026.

Typosquatting API queries for the domain IoCs showed that three appeared in four typosquatting groups with 6 to 16 members each, created between 26 September and 21 December 2025.

One of the domain IoCs, subusiness[.]org, appeared in two typosquatting groups. The first group had 12 members; those with creation dates on record were created on 15 and 16 December 2025. The second had six members created between 15 and 21 December 2025. Here are more details about the two groups.

DOMAIN IoC | GROUP MEMBER NUMBER | LOOK-ALIKE | CREATION DATE
subusiness[.]org | 12 | jmbusiness[.]solutions | No date
 | | zkbusiness[.]xyz | No date
 | | nj-business[.]com | 12/16/25
 | | jdbusiness[.]nl | 12/16/25
 | | b3business[.]site | No date
 | | allbusiness[.]onl | 12/15/25
 | | albusiness[.]store | No date
 | | aekbusiness[.]com | 12/16/25
 | | dpbusiness[.]shop | 12/16/25
 | | hybusiness[.]shop | 12/16/25
 | | a2gbusiness[.]com | 12/16/25
subusiness[.]org | 6 | cnbusiness[.]net | 12/18/25
 | | mybusiness[.]in[.]th | 12/21/25
 | | 02business[.]co[.]uk | 12/19/25
 | | combusiness[.]live | 12/15/25
 | | carbusiness[.]biz | 12/20/25
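The bulk-registration signal behind these groups can be reproduced offline. The Python below is an added example, not WhoisXML API's typosquatting-group logic: it keeps candidates whose second-level label shares a long enough substring with the IoC's label and then cuts the dated ones into registration bursts wherever the gap between consecutive registrations exceeds a window. The 7-day window, the minimum shared length of 5, the suffix subset and the two candidates marked constructed are assumptions; the other candidates and dates come from the table above.

```python
"""Group look-alike domains by a shared core string and split them into
registration bursts. Added example, not WhoisXML API's typosquatting-group
logic; the 7-day window, the minimum shared-substring length of 5 and the
two candidates marked 'constructed' are assumptions."""
from datetime import date, timedelta

# Constructed subset of public suffixes (a real pipeline uses the full PSL).
SUFFIXES = ("co.uk", "in.th", "solutions", "store", "site", "shop", "live",
            "com", "org", "net", "xyz", "onl", "biz", "nl")


def refang(domain: str) -> str:
    return domain.strip().lower().replace("[.]", ".")


def sld(domain: str) -> str:
    """Second-level label, e.g. '02business' from 02business[.]co[.]uk."""
    d = refang(domain)
    for s in sorted(SUFFIXES, key=len, reverse=True):  # longest suffix wins
        if d.endswith("." + s):
            return d[: -len(s) - 1].rsplit(".", 1)[-1]
    return d.rsplit(".", 1)[0]


def longest_common_substring(a: str, b: str) -> str:
    """Classic dynamic-programming LCS; returns the longest shared run."""
    best, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, best_end = cur[j], i
        prev = cur
    return a[best_end - best:best_end]


def registration_bursts(ioc, candidates, window_days=7, min_core=5):
    """candidates: iterable of (domain, creation date or None).
    Returns {'core': shared string, 'bursts': [[domains...], ...],
    'undated': [...]}. Candidates sharing fewer than min_core characters
    with the IoC's label are dropped; dated ones are sorted and a new burst
    starts whenever the gap to the previous registration exceeds window_days."""
    seed = sld(ioc)
    related, undated, core = [], [], ""
    for domain, created in candidates:
        shared = longest_common_substring(seed, sld(domain))
        if len(shared) < min_core:
            continue
        core = core or shared
        if created is None:
            undated.append(refang(domain))
        else:
            related.append((created, refang(domain)))
    related.sort()
    bursts, current, last = [], [], None
    for created, domain in related:
        if last is not None and created - last > timedelta(days=window_days):
            bursts.append(current)
            current = []
        current.append(domain)
        last = created
    if current:
        bursts.append(current)
    return {"core": core, "bursts": bursts, "undated": undated}


# Candidates taken from the look-alike table above (dates as listed), plus
# two constructed entries: one unrelated name registered in the same window
# and one related name registered well outside it.
CANDIDATES = [
    ("nj-business[.]com", date(2025, 12, 16)),
    ("jdbusiness[.]nl", date(2025, 12, 16)),
    ("allbusiness[.]onl", date(2025, 12, 15)),
    ("aekbusiness[.]com", date(2025, 12, 16)),
    ("cnbusiness[.]net", date(2025, 12, 18)),
    ("02business[.]co[.]uk", date(2025, 12, 19)),
    ("mybusiness[.]in[.]th", date(2025, 12, 21)),
    ("jmbusiness[.]solutions", None),
    ("example-shop[.]com", date(2025, 12, 16)),   # constructed, unrelated
    ("tbusiness[.]example", date(2026, 2, 1)),    # constructed, late outlier
]


def demo():
    return registration_bursts("subusiness[.]org", CANDIDATES)


if __name__ == "__main__":
    print(demo())
```

Undated members are reported separately rather than dropped: a missing creation date usually means WHOIS was redacted or the TLD does not publish it, which is itself a reason to keep the name on the watch list.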

Next, we queried the domain IoCs on WHOIS API and discovered that:

  • They were created between 2 June 2004 and 19 March 2026, so while some had been registered for years, others were relatively new when the campaigns took place.
  • They were administered by four different registrars.
  • While three did not have registrant countries on record, the remaining 70 were registered in two countries.

DNS Chronicle API queries for the domain IoCs returned a combined 15,317 historical domain-to-IP resolutions across all of them. Take a look at more information for five examples below.

DOMAIN IoC | NUMBER OF DOMAIN-TO-IP RESOLUTIONS | DATES SEEN
aaitile[.]com | 822 | 02/04/17–03/28/26
bobbush[.]org | 553 | 02/05/17–01/06/26
stuypa[.]org | 465 | 02/27/17–03/23/26
majicbus[.]org | 430 | 02/06/17–12/23/25
ecolnomy[.]com | 390 | 08/09/19–03/23/26

A total of 49 of the domain IoCs continued to post resolutions this year.

TA416 Attack Email IoC Examination

After that, we focused on the seven email IoCs.

We queried them on the WhoisXML API MCP Server and found out that:

  • Only two remained active, meaning they passed SMTP verification; both were Gmail addresses.
  • None of them were used to register domains.

TA416 Attack New Artifact Hunting

After learning more about the IoCs, we then moved on to hunting for new artifacts.

We started by querying the 73 domain IoCs on WHOIS History API and discovered that 69 had 378 unique email addresses in their historical records. A closer look at them revealed that 88 were public email addresses.

Reverse WHOIS API queries for the 88 public email addresses showed that three had never been used as registrant email addresses and six could belong to domainers, so they were set aside. The remaining 79 public email addresses were used to register 45,197 unique email-connected domains after those already dubbed as IoCs were filtered out.

We then queried the email-connected domains on Threat Intelligence API and found out that 15 have already been weaponized for various attacks. Here are more details for five examples.

MALICIOUS EMAIL-CONNECTED DOMAIN | ASSOCIATED THREAT | DATES SEEN
chjq168[.]com | Phishing | 01/28/26–04/04/26
chjq168[.]com | Generic threat | 01/28/26–02/27/26
100viagra[.]com | Malware distribution | 02/18/26–04/04/26
cisco-us[.]com | Malware distribution | 05/06/25–04/04/26
downloadfreak[.]top | Malware distribution | 06/11/25–04/03/26
e-brane[.]com | Phishing | 03/06/26–04/04/26

After that, we queried the domain IoCs on DNS Lookup API and discovered that 61 actively resolved to 69 unique IP addresses.
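Both pivots described in this section, registrant email to email-connected domains and resolving IP to IP-connected domains, are the same one-hop expansion with a noise filter in front of it. The Python below is an added example, not WhoisXML API's code, that carries out both: it drops redacted or privacy-proxy contacts, sets aside emails that never registered anything or registered far too many domains (the domainer case), skips IPs shared by more domains than a single actor would plausibly host, and removes the original IoCs from the result. Every record is constructed, and the two thresholds are assumptions.

```python
"""Pivot from domain IoCs through shared registrant emails and shared IP
addresses to new candidate domains, dropping the noise sources the text
describes (privacy/redacted emails, domainers, shared hosting). Added
example, not WhoisXML API's code; all records are constructed and the
thresholds are assumptions."""

PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "withheld")
DOMAINER_MAX = 500   # assumption: more registrations than this looks like a domainer
SHARED_IP_MAX = 50   # assumption: more domains than this on one IP looks like shared hosting

# Constructed: domain IoC -> registrant emails seen in its WHOIS history
WHOIS_HISTORY = {
    "ioc-one.example": ["redacted for privacy", "alice@example.com"],
    "ioc-two.example": ["alice@example.com", "bob@example.net"],
    "ioc-three.example": ["privacy@whoisproxy.example", "parking@example-portfolio.example"],
}
# Constructed: reverse WHOIS, registrant email -> domains it registered
REVERSE_WHOIS = {
    "alice@example.com": ["ioc-one.example", "ioc-two.example", "new-a.example", "new-b.example"],
    "bob@example.net": [],  # appeared only as a tech/admin contact, never as registrant
    "parking@example-portfolio.example": [f"lot{i}.example" for i in range(600)],
}
# Constructed: current A records (IoC -> IPs) and reverse IP (IP -> domains)
DNS_A = {"ioc-one.example": ["203.0.113.10"],
         "ioc-two.example": ["203.0.113.10", "198.51.100.7"]}
REVERSE_IP = {
    "203.0.113.10": ["ioc-one.example", "ioc-two.example", "new-c.example"],
    "198.51.100.7": [f"tenant{i}.example" for i in range(80)] + ["ioc-two.example"],
}


def is_public_email(value: str) -> bool:
    """A usable contact is a real address with no privacy/redaction marker."""
    v = value.lower()
    return "@" in v and not any(m in v for m in PRIVACY_MARKERS)


def public_emails(history):
    return sorted({e for emails in history.values() for e in emails if is_public_email(e)})


def classify_emails(emails, reverse_whois):
    """'unused' never registered a domain, 'domainer' registered too many to
    be a useful pivot, 'pivot' is worth following."""
    out = {}
    for e in emails:
        n = len(reverse_whois.get(e, []))
        out[e] = "unused" if n == 0 else "domainer" if n > DOMAINER_MAX else "pivot"
    return out


def pivot(seed_to_keys, key_to_domains, iocs, max_fanout):
    """Generic one-hop pivot: seed domain -> key (email or IP) -> other
    domains. Keys with more than max_fanout domains are skipped as shared
    infrastructure, and known IoCs are removed from the result."""
    found = set()
    for keys in seed_to_keys.values():
        for key in keys:
            domains = key_to_domains.get(key, [])
            if 0 < len(domains) <= max_fanout:
                found.update(domains)
    return sorted(found - set(iocs))


def email_connected_domains(history=WHOIS_HISTORY, reverse=REVERSE_WHOIS):
    classes = classify_emails(public_emails(history), reverse)
    seed = {d: [e for e in emails if classes.get(e) == "pivot"]
            for d, emails in history.items()}
    return pivot(seed, reverse, history, DOMAINER_MAX)


def ip_connected_domains(dns=DNS_A, reverse=REVERSE_IP, iocs=WHOIS_HISTORY):
    return pivot(dns, reverse, iocs, SHARED_IP_MAX)


if __name__ == "__main__":
    print("email classes:", classify_emails(public_emails(WHOIS_HISTORY), REVERSE_WHOIS))
    print("email-connected:", email_connected_domains())
    print("ip-connected:", ip_connected_domains())
```

The fan-out cap is the important part: without it, one domainer address or one shared-hosting IP would flood the candidate list, which is exactly why the text sets domainers aside before counting the 45,197 email-connected domains.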

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
