Tracking Down APT Group WIRTE’s DNS Movements

The WIRTE advanced persistent threat (APT) group has been active since at least August 2018. It has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.

While the group has been quiet for some time, it has resurfaced, training its sights on Middle Eastern entities, specifically the Palestinian Authority, Jordan, Egypt, and Saudi Arabia. According to reports, the group has been using custom loaders like IronWind in recent attacks.

Check Point Research published an in-depth analysis of WIRTE’s attacks from late 2023 to the present and identified 56 indicators of compromise (IoCs) comprising 30 domains, 23 IP addresses, and three subdomains.

The WhoisXML API research team expanded the original list of 56 IoCs to uncover more connected artifacts and found:

  • 360 email-connected domains
  • 36 additional IP addresses, 35 of which turned out to be malicious
  • Six IP-connected domains, one of which turned out to be malicious
  • 41 string-connected domains
  • 3,088 string-connected subdomains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

More on the WIRTE Attack IoCs

We first took a closer look at the 56 WIRTE attack IoCs beginning with the 30 domains. We queried the domain IoCs on Bulk WHOIS Lookup and found that only 26 of them had current WHOIS records. The results revealed that:

  • They were spread across seven registrars led by NameSilo, which accounted for 10 domains. Namecheap administered six domains; PDR, four domains; Dynadot and GMO Internet, two domains each; and Hostinger Operations and PSI-USA, one domain each.
  • They were created between 2022 and 2024. Specifically, one domain was created in 2022, six in 2023, and 19 in 2024.
  • They were scattered across four registrant countries led by the U.S., which accounted for 15 domains. Iceland came in second place with five domains, while one domain each was registered in Canada and Switzerland. Four domains did not have current registrant country data.

Next, we queried the 30 domain IoCs on DNS Chronicle API and found that they recorded a total of 1,692 IP resolutions between 4 October 2019 and 29 November 2024. Take a look at the DNS history of five domain IoCs below.

DOMAIN                         START DATE         LAST DATE          NUMBER OF IP RESOLUTIONS
ainiaiwo2025[.]com             4 October 2019     9 November 2024    40
gagatour2025[.]com             6 November 2022    30 August 2024     54
vegaskickoffclassic2025[.]com  13 December 2023   21 December 2024   42
www222025[.]com                29 December 2023   1 January 2025     11
theelection2025[.]com          3 March 2024       9 November 2024    16

After that, we looked more closely at the 23 IP addresses tagged as IoCs by querying them first on Bulk IP Geolocation Lookup, which revealed that:

  • They were spread across 11 geolocation countries led by Romania, which accounted for nine IP addresses. Estonia came in second with three IP addresses. Two IP addresses each were geolocated in Brazil and Latvia, while one each originated from Hungary, Ireland, Lithuania, Luxembourg, Mexico, Moldova, and South Africa.
  • They were distributed among nine ISPs led by M247, which accounted for five IP addresses. FlokiNET and Latitude.sh administered three IP addresses each; Servinga, two; and AlexHost, BlueVPS, Host Africa, Nano IT, and NET23VNet, one each. Five IP addresses had no ISP data.

As with the domains tagged as IoCs, we also queried the 23 IP address IoCs on DNS Chronicle API. We found that they historically resolved 981 domains between 4 October 2019 and 29 November 2024. Take a look at the DNS history of five examples below.

IP ADDRESS IoC         START DATE   LAST DATE   NUMBER OF DOMAIN RESOLUTIONS
185[.]158[.]248[.]161  06/07/22     06/19/24    26
213[.]252[.]244[.]234  11/19/21     11/02/24    131
37[.]120[.]247[.]220   03/24/23     09/14/23    4
45[.]59[.]118[.]145    09/05/21     11/11/24    102
5[.]42[.]221[.]151     05/06/23     11/18/23    6

WIRTE Attack IoC DNS Connections

Our search for WIRTE-connected artifacts took off with a WHOIS History API query for the 30 domains tagged as IoCs, which uncovered 88 email addresses from their historical WHOIS records after duplicates were filtered out. A total of 31 of them turned out to be public email addresses.

A Reverse WHOIS API query for the 31 public email addresses returned 360 email-connected domains after duplicates and the IoCs were filtered out.

Next, we queried the 30 domains tagged as IoCs on DNS Lookup API and found that they resolved to 36 IP addresses after duplicates and the IP address IoCs were filtered out.
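The three expansion steps above (WHOIS history to email addresses, reverse WHOIS on the public ones, and a DNS lookup minus the IP address IoCs), as an added Python example that is not WhoisXML API code. Every WHOIS, reverse-WHOIS and DNS record below is constructed sample data, and treating an address at a privacy-protection domain as non-public is an assumption about what the post calls a "public" email address.

```python
"""Pivot from a seed list of domain IoCs to email-connected domains and
IP addresses, the way the post expands its IoC list. All records here are
constructed sample values, not WIRTE data."""
from collections import defaultdict

# Constructed seed IoCs (hypothetical, defanged like the post's indicators).
SEED_DOMAINS = {"seed-a2025[.]com", "seed-b2025[.]com"}
SEED_IPS = {"203[.]0[.]113[.]10"}

# Constructed WHOIS history: one list of registrant emails per snapshot.
WHOIS_HISTORY = {
    "seed-a2025[.]com": [["alice@example.com"], ["alice@example.com"],
                         ["redacted@privacy.example"]],
    "seed-b2025[.]com": [["bob@example.net"], ["alice@example.com"]],
}
# Constructed reverse-WHOIS index: email -> every domain that ever used it.
REVERSE_WHOIS = {
    "alice@example.com": ["seed-a2025[.]com", "pivot-one[.]com", "pivot-two[.]net"],
    "bob@example.net": ["seed-b2025[.]com", "pivot-two[.]net", "pivot-three[.]org"],
}
# Constructed current DNS A records per seed domain.
DNS_LOOKUP = {
    "seed-a2025[.]com": ["203[.]0[.]113[.]10", "198[.]51[.]100[.]7"],
    "seed-b2025[.]com": ["198[.]51[.]100[.]7", "192[.]0[.]2[.]99"],
}
# Assumption: a "public" email is one not behind a WHOIS privacy service.
PRIVACY_DOMAINS = {"privacy.example"}


def is_public(email):
    return email.rsplit("@", 1)[-1].lower() not in PRIVACY_DOMAINS


def historical_emails(seeds, history):
    """Unique emails across every WHOIS snapshot of the seed domains."""
    return {e.lower() for d in seeds for snap in history.get(d, []) for e in snap}


def email_connected_domains(seeds, history, reverse_index):
    """Reverse-WHOIS pivot on public emails, minus the seed IoCs themselves."""
    public = {e for e in historical_emails(seeds, history) if is_public(e)}
    return {d for e in public for d in reverse_index.get(e, [])} - seeds


def connection_strength(seeds, history, reverse_index):
    """Distinct public seed emails linking each connected domain; a domain
    reached through two emails is a stronger pivot to triage first."""
    public = {e for e in historical_emails(seeds, history) if is_public(e)}
    strength = defaultdict(int)
    for e in public:
        for d in set(reverse_index.get(e, [])) - seeds:
            strength[d] += 1
    return dict(strength)


def ip_connections(seeds, dns, known_ips):
    """IPs the seeds currently resolve to, minus IPs already tagged as IoCs."""
    return {ip for d in seeds for ip in dns.get(d, [])} - known_ips
```

Replacing the constructed dictionaries with real WHOIS history, reverse WHOIS and DNS lookup results is all that is needed to run the same expansion on an actual IoC list.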

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
