The MITRE Corporation updates its list of groups on the ATT&CK page every six months, specifically in April and October each year. The Updates - April 2025 advisory listed seven new groups, each with a corresponding list of indicators of compromise (IoCs) in its References section. Take a look at specific IoC-related details for each group below.

| GROUP | NUMBER OF DOMAIN IoCs | NUMBER OF IP ADDRESS IoCs | TOTAL NUMBER OF IoCs |
|---|---|---|---|
| APT42 | 148 | 2 | 150 |
| BlackByte | 3 | 2 | 5 |
| RedEcho | 15 | 43 | 58 |
| Salt Typhoon | 0 | 2 | 2 |
| Sea Turtle | 13 | 50 | 63 |
| Storm-1811 | 10 | 8 | 18 |
| Velvet Ant | 0 | 2 | 2 |

In a bid to uncover more potentially connected artifacts, WhoisXML API expanded the current IoC lists in this post. Our in-depth analysis led to the discovery of:

Three alleged victim IP records obtained from the Internet Abuse Signal Collective (IASC) tied to three Autonomous System (AS) numbers

638 email-connected domains, six of which are malicious

26 additional IP addresses, 16 of which are malicious

221 IP-connected domains

4,195 string-connected domains, 37 of which are malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

New MITRE ATT&CK Group IoC Facts

We began our analysis by querying the 189 domains identified as IoCs on Bulk WHOIS API by group.

We found that only 99 of the 189 domains had current WHOIS records. Here is a summary of our creation date-related findings for the five groups with domain IoCs.

APT42: Only 81 of the 148 domains identified as IoCs had current WHOIS records. The 81 domains were created between 2016 and 2025.

BlackByte: One of the three domain IoCs had a current WHOIS record. The domain was created in 2018.

RedEcho: Only seven of the 15 domain IoCs had current WHOIS records. The seven domains were created between 1999 and 2024.

Sea Turtle: Three of the 13 domain IoCs had current WHOIS records. The three domains were created between 2000 and 2025.

Storm-1811: Only seven of the 10 domain IoCs had current WHOIS records. The seven domains were created in 2024.

Below is a summary of our registrar-related findings for the 99 domain IoCs with current WHOIS records.

APT42: The 81 domain IoCs were split across 15 registrars led by Namecheap, which accounted for 29 domains.

BlackByte: The domain IoC was administered by OVH.

RedEcho: The seven domain IoCs were spread among four registrars topped by Vitalwerks, which accounted for three domains.

Sea Turtle: The three domain IoCs were split across two registrars led by Tucows, which accounted for two domains.

Storm-1811: The seven domain IoCs were spread among three registrars topped by Hostinger and PDR, which accounted for three domains each.

Next, we summed up our registrant country-connected findings for the 99 domains with current WHOIS records below.

APT42: While one of the domain IoCs did not have a registrant country on record, the 80 remaining ones were split across seven nations led by Iceland, which accounted for 30 domains.

BlackByte: The domain IoC was registered in Ireland.

RedEcho: The seven domain IoCs were spread among three registrant countries topped by the U.S., which accounted for five domains.

Sea Turtle: One domain IoC each was registered in Hungary, Saint Kitts and Nevis, and the U.K.

Storm-1811: The seven domain IoCs were split across two registrant countries led by the U.S., which accounted for six domains.
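The per-group WHOIS summaries above (records present, creation-year range, registrar and registrant-country breakdowns, and the "no registrant country on record" case) are the kind of aggregation an analyst repeats for every new IoC list. The following is an added example, not code from the post or from WhoisXML API; the group names, domains, registrars and WHOIS records are constructed, and the WHOIS lookup is modelled as a dictionary standing in for a Bulk WHOIS API response.

```python
from collections import Counter
from datetime import date

# Constructed sample data for this example, not the post's IoC lists or WHOIS results.
# Domains are written defanged ("[.]"), as IoC lists usually publish them; a None
# WHOIS entry models a domain with no current WHOIS record.
SAMPLE_IOCS = {
    "GroupA": ["ioc-a1[.]example", "ioc-a2[.]example", "ioc-a3[.]example", "ioc-a4[.]example"],
    "GroupB": ["ioc-b1[.]example"],
}
SAMPLE_WHOIS = {
    "ioc-a1.example": {"created": date(2019, 5, 2), "registrar": "RegistrarOne", "registrant_country": "IS"},
    "ioc-a2.example": {"created": date(2024, 1, 9), "registrar": "RegistrarOne", "registrant_country": "IS"},
    "ioc-a3.example": {"created": date(2021, 7, 30), "registrar": "RegistrarTwo", "registrant_country": None},
    "ioc-a4.example": None,
    "ioc-b1.example": {"created": date(2018, 3, 11), "registrar": "RegistrarThree", "registrant_country": "IE"},
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into a usable string."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def summarize_group(domains, whois):
    """Per-group statistics of the kind the post reports: IoCs with a current WHOIS
    record, creation-year range, registrar and registrant-country breakdowns."""
    present = [r for r in (whois.get(refang(d)) for d in domains) if r]
    years = sorted(r["created"].year for r in present)
    registrars = Counter(r["registrar"] for r in present)
    countries = Counter(r["registrant_country"] for r in present if r["registrant_country"])
    return {
        "total": len(domains),
        "with_whois": len(present),
        "year_range": (years[0], years[-1]) if years else None,
        "registrar_count": len(registrars),
        "top_registrar": registrars.most_common(1)[0] if registrars else None,
        "country_count": len(countries),
        "top_country": countries.most_common(1)[0] if countries else None,
        # records that exist but carry no registrant country, as in the APT42 case
        "no_country": len(present) - sum(countries.values()),
    }


def summarize_all(iocs, whois):
    """Run the summary for every group in an IoC list keyed by group name."""
    return {group: summarize_group(domains, whois) for group, domains in iocs.items()}


if __name__ == "__main__":
    for group, stats in summarize_all(SAMPLE_IOCS, SAMPLE_WHOIS).items():
        print(group, stats)
```

Refanging before the lookup matters: a list copied from a report will silently return no records if the `[.]` notation is passed through unchanged, which looks the same as a domain with no current WHOIS record.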

Next, we queried the 189 domains identified as IoCs on DNS Chronicle API and discovered that 186 of them had historical domain-to-IP address resolutions over time. In fact, the 186 domain IoCs recorded 9,190 IP resolutions in all. In addition, the domain IoC for APT42 webredirect[.]org posted the oldest resolution date to the IP address 207[.]38[.]70[.]29, that is, 7 February 2017. Take a look at historical DNS details for a domain IoC for each of the five groups with available data below.

| GROUP | DOMAIN IoC | NUMBER OF IP RESOLUTIONS | FIRST IP RESOLUTION DATE |
|---|---|---|---|
| APT42 | acconut-signin[.]com | 97 | 12 September 2023 |
| BlackByte | alteksecurity[.]org | 17 | 17 January 2023 |
| RedEcho | astudycarsceu[.]net | 118 | 7 January 2022 |
| Sea Turtle | al-marsad[.]co | 4 | 8 October 2024 |
| Storm-1811 | antispam2[.]com | 125 | 5 February 2017 |

We then queried the 109 IP addresses identified as IoCs on Bulk IP Geolocation Lookup by group. Take a look at the summary of our geolocation country-related findings below.

APT42: The two IP address IoCs were geolocated in Germany.

BlackByte: The two IP IoCs were geolocated in the Netherlands.

RedEcho: The 43 IP IoCs were geolocated in two countries—China and South Korea.

Salt Typhoon: The two IP IoCs were geolocated in the Netherlands.

Sea Turtle: While three IP IoCs did not have geolocation countries on record, the remaining 47 were scattered across 10 nations—Belgium, France, Germany, Moldova, the Netherlands, Romania, Serbia, Singapore, Sudan, and the U.S.

Storm-1811: The eight IP IoCs were scattered across three countries, namely, the Netherlands, Singapore, and the U.S.

Velvet Ant: One IP IoC each was geolocated in China and Japan.

We also uncovered the following ISP-connected findings for the 109 IP address IoCs:

APT42: The two IP IoCs were administered by Hetzner.

BlackByte: While one IP IoC did not have an ISP on record, the other was administered by Podaon.

RedEcho: While one IP IoC did not have an ISP on record, the remaining 42 were split across five ISPs led by HKBNES, which accounted for 16 IP addresses.

Salt Typhoon: Neither of the two IP IoCs had an ISP on record.

Sea Turtle: While nine IP IoCs did not have ISPs on record, the remaining 41 were administered by 14 ISPs topped by DigitalOcean, which accounted for 14 IP addresses.

Storm-1811: The eight IP IoCs were distributed among six ISPs led by Green Floid, which accounted for three IP addresses.

Velvet Ant: One IP IoC each was administered by CTGServer and MOACK.

Next, we queried the 109 IP addresses identified as IoCs on DNS Chronicle API and found that 77 of them had historical IP address-to-domain resolutions. The 77 IP addresses, in particular, recorded 10,980 domain resolutions over time. The IP addresses 114[.]34[.]10[.]80, 114[.]35[.]16[.]182, 114[.]35[.]191[.]224, 122[.]116[.]165[.]62, 122[.]116[.]234[.]73, 220[.]132[.]106[.]193, and 220[.]133[.]141[.]117 associated with RedEcho; 178[.]17[.]167[.]51 with Sea Turtle; and 202[.]61[.]136[.]158 with Velvet Ant posted the oldest resolution date, that is, 4 February 2017. Here are historical DNS details for an IP address IoC for each of the seven groups below.

| GROUP | IP ADDRESS IoC | NUMBER OF DOMAIN RESOLUTIONS | FIRST DOMAIN RESOLUTION DATE |
|---|---|---|---|
| APT42 | 49[.]13[.]194[.]118 | 4 | 24 December 2021 |
| BlackByte | 185[.]93[.]6[.]31 | 15 | 5 September 2021 |
| RedEcho | 101[.]78[.]177[.]227 | 2 | 22 October 2019 |
| Salt Typhoon | 185[.]141[.]24[.]28 | 633 | 28 April 2020 |
| Sea Turtle | 108[.]61[.]103[.]186 | 296 | 5 February 2017 |
| Storm-1811 | 195[.]123[.]233[.]42 | 154 | 14 January 2018 |
| Velvet Ant | 103[.]138[.]13[.]31 | 1 | 21 July 2020 |

In addition, using sample netflow data our researchers obtained from the IASC, we further analyzed three IP addresses identified as IoCs—88[.]119[.]171[.]248, 91[.]90[.]195[.]52, and 62[.]115[.]255[.]163—that served as command-and-control (C&C) server addresses related to the threat. The sample data revealed three alleged victim IP records sent data to the three IP IoCs 10 times. Take a look at ISP and AS data for the IP addresses below.

| IP ADDRESS IoC (Destination IP) | ISP | ASN |
|---|---|---|
| 88[.]119[.]171[.]248 | N/A | 61272 |
| 91[.]90[.]195[.]52 | Green Floid | 204957 |
| 62[.]115[.]255[.]163 | Arelion (Twelve99) | 1299 |

On the flip side, we also analyzed communications coming from seven IP addresses identified as IoCs and found that they contacted 60 IP addresses 216 times. Here are ISP and AS data for the IP addresses.

| IP ADDRESS IoC (Source IP) | ISP | ASN |
|---|---|---|
| 15[.]235[.]218[.]150 | OVHcloud | 16276 |
| 31[.]13[.]195[.]52 | Neterra | 34224 |
| 45[.]9[.]148[.]114 | N/A | 49447 |
| 62[.]115[.]255[.]163 | Arelion (Twelve99) | 1299 |
| 88[.]119[.]171[.]248 | N/A | 61272 |
| 91[.]107[.]150[.]184 | Hetzner Online | 24940 |
| 91[.]90[.]195[.]52 | Green Floid | 204957 |
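The two netflow analyses above (hosts that sent data to C&C addresses, and addresses contacted by the IoC IPs themselves, each with contact counts and ISP/AS attribution) reduce to matching flow records against an IoC set in both directions. The following is an added example, not the post's code or the IASC data; the flow records, the IoC list and the ISP/ASN table are constructed, with documentation and private address ranges standing in for real hosts.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed flow records (source IP, destination IP, bytes); not the IASC sample
# data the post describes. Private/documentation ranges stand in for real hosts.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 1200),
    ("10.0.0.5", "203.0.113.10", 800),
    ("10.0.0.7", "203.0.113.20", 300),
    ("198.51.100.9", "203.0.113.10", 4500),
    ("203.0.113.20", "192.0.2.44", 900),
    ("203.0.113.20", "192.0.2.45", 100),
    ("203.0.113.10", "192.0.2.44", 50),
    ("10.0.0.8", "192.0.2.99", 70),  # unrelated traffic, must not be counted
]
# Constructed IoC list, defanged as published reports write it, and a constructed
# ISP/ASN table standing in for a geolocation or ASN lookup service.
IOC_IPS = ["203[.]0[.]113[.]10", "203[.]0[.]113[.]20"]
ASN_TABLE = {"203.0.113.10": ("N/A", 64500), "203.0.113.20": ("ExampleISP", 64501)}


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def load_iocs(defanged):
    """Refang and validate each IoC; ip_address() raises on a malformed entry."""
    return {ip_address(refang(x)) for x in defanged}


def contacts_to_iocs(flows, iocs):
    """Victim -> IoC: count flows whose destination is a C&C address."""
    hits = Counter()
    for src, dst, _ in flows:
        if ip_address(dst) in iocs:
            hits[(src, dst)] += 1
    return hits


def contacts_from_iocs(flows, iocs):
    """IoC -> elsewhere: count flows whose source is a C&C address."""
    hits = Counter()
    for src, dst, _ in flows:
        if ip_address(src) in iocs:
            hits[(src, dst)] += 1
    return hits


def report(flows, defanged_iocs, asn_table):
    """Summarize both directions the way the post's two netflow tables do."""
    iocs = load_iocs(defanged_iocs)
    inbound = contacts_to_iocs(flows, iocs)
    outbound = contacts_from_iocs(flows, iocs)
    return {
        "victim_ips": sorted({src for src, _ in inbound}),
        "victim_contacts": sum(inbound.values()),
        "contacted_ips": sorted({dst for _, dst in outbound}),
        "contacted_count": sum(outbound.values()),
        # ISP/ASN attribution for each IoC; "N/A" mirrors the post's missing-ISP rows
        "ioc_asn": {str(ip): asn_table.get(str(ip), ("N/A", None)) for ip in sorted(iocs)},
    }


if __name__ == "__main__":
    print(report(SAMPLE_FLOWS, IOC_IPS, ASN_TABLE))
```

Matching on `ipaddress` objects rather than raw strings avoids false negatives from formatting differences (leading zeros, IPv6 compression) and makes a malformed IoC fail loudly at load time instead of silently never matching.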

IoC List Expansion Findings

We kicked off our search for connected artifacts with a WHOIS History API query for the 189 domains identified as IoCs and found that 63 of them had 254 email addresses in their historical WHOIS records after duplicates were filtered out. Closer scrutiny of the email addresses revealed that 43 were public email addresses.

We then queried the 43 public email addresses on Reverse WHOIS API and discovered that while none of them appeared in current WHOIS records, 36 did so in historical WHOIS records. Our search led to the discovery of 638 email-connected domains after duplicates and those already identified as IoCs were filtered out.

A Threat Intelligence API query for the 638 email-connected domains showed that six have already figured in various attacks. Take a look at three examples below.

| MALICIOUS EMAIL-CONNECTED DOMAIN | ASSOCIATED THREAT TYPES |
|---|---|
| account-logins[.]com | Malware distribution |
| brownstoneexpediting[.]com | Generic threat |
| mailer-daemon[.]net | Malware distribution |

Next, we queried the 189 domains identified as IoCs on DNS Lookup API and found that 35 had active IP resolutions. We ended up with 26 additional IP addresses after filtering out duplicates and those already tagged as IoCs.
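The expansion procedure just described (collect e-mail addresses from historical WHOIS, keep the public ones, reverse-WHOIS them, drop domains already on the IoC list, then resolve the IoC domains and drop IP addresses already tagged as IoCs) is shown below as an added example; it is not the post's code or a WhoisXML API client. The WHOIS history, reverse-WHOIS index and DNS answers are constructed dictionaries standing in for the API responses, and "public" is interpreted here, as an assumption, as any syntactically valid address that is not a privacy-service placeholder.

```python
import re

# Constructed historical WHOIS records per IoC domain (not the post's data): every
# e-mail address seen in any historical record of that domain, duplicates included.
SAMPLE_WHOIS_HISTORY = {
    "ioc-a[.]example": ["alice@mail.example", "alice@mail.example", "abuse@proxy-privacy.example"],
    "ioc-b[.]example": ["bob@mail.example", "REDACTED FOR PRIVACY"],
    "ioc-c[.]example": [],
}
# Constructed reverse-WHOIS index: e-mail -> domains whose historical records carried it.
SAMPLE_REVERSE_WHOIS = {
    "alice@mail.example": {"ioc-a.example", "pivot-1.example", "pivot-2.example"},
    "bob@mail.example": {"pivot-2.example", "pivot-3.example"},
}
# Constructed current DNS A-record answers for the IoC domains, and known IoC IPs.
SAMPLE_DNS = {
    "ioc-a.example": ["203.0.113.10", "198.51.100.7"],
    "ioc-b.example": ["198.51.100.8"],
    "ioc-c.example": [],
}
IOC_IPS = {"203.0.113.10"}

# Assumption: a "public" address is a real mailbox, not the placeholder a WHOIS privacy
# or proxy service inserts. The keyword list is a constructed heuristic for the example.
PRIVACY_PATTERNS = re.compile(r"redacted|privacy|proxy|whoisguard|withheld", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


def collect_public_emails(history):
    """Deduplicate the addresses in historical WHOIS and keep the public ones."""
    emails = set()
    for addresses in history.values():
        for addr in addresses:
            addr = addr.strip().lower()
            if EMAIL_RE.match(addr) and not PRIVACY_PATTERNS.search(addr):
                emails.add(addr)
    return emails


def email_connected_domains(emails, reverse_index, ioc_domains):
    """Reverse-WHOIS pivot, minus the domains already identified as IoCs."""
    known = {refang(d) for d in ioc_domains}
    found = set()
    for email in emails:
        found |= reverse_index.get(email, set())
    return found - known


def additional_ips(dns, ioc_domains, ioc_ips):
    """Active resolutions of the IoC domains, minus IPs already tagged as IoCs."""
    ips = set()
    for d in ioc_domains:
        ips.update(dns.get(refang(d), []))
    return ips - set(ioc_ips)


def expand(history, reverse_index, dns, ioc_ips):
    """Run the full pivot and return the two expansion sets."""
    ioc_domains = list(history)
    emails = collect_public_emails(history)
    return {
        "public_emails": emails,
        "email_connected_domains": email_connected_domains(emails, reverse_index, ioc_domains),
        "additional_ips": additional_ips(dns, ioc_domains, ioc_ips),
    }


if __name__ == "__main__":
    print(expand(SAMPLE_WHOIS_HISTORY, SAMPLE_REVERSE_WHOIS, SAMPLE_DNS, IOC_IPS))
```

Filtering out privacy-service placeholders before the reverse-WHOIS step is what keeps the pivot meaningful: a shared proxy address such as the constructed `abuse@proxy-privacy.example` would otherwise link the IoCs to every unrelated domain behind the same service.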

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

