lines joined to form a circle
Blog DomainTools Research

Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity

We would like to thank Black Lotus Labs at Lumen for their contributions and assistance in this analysis.

If you would prefer to listen to The DomainTools Research team discuss their analysis, it is featured in our recent episode of Breaking Badness, which is included at the bottom of this post.


Cyber Threat Intelligence (CTI) practitioners can gain insight into adversary operations by tracking conflicts or geopolitical tensions. Similar to a “follow the money” approach in criminal investigations, looking at conflict zones can reveal cyber capabilities deployed as part of events —either by the parties to the conflict itself, or third parties interested in monitoring events for their own purposes.

The above theory is supported by historical incidents linked to geopolitical tensions:

Based on precedent, analysts can identify developments in adversary operations and technical capabilities by tracking identifiers related to major events and conflict zones. Identifying capabilities deployed to take advantage of such items can yield insights into fundamental attacker tradecraft and behaviors, and enable defense and response for incidents which may strike far closer to home at a later date.

Initial Discovery: Caucasus Conflict

With the above thesis in mind, DomainTools researchers examined technical artifacts emerging around the 2020 conflict between Armenia and Azerbaijan in the Caucasus region. While investigating, researchers discovered the following malicious document file on a commercial multi-scanner service:

Name: PKK militants in Nagorno-Karabakh.doc
MD5: e00af9b6303460666ae1b4bdeb9503ba
SHA1: ce810173555d6a98ce10c847f16e95575fe13405
SHA256: 7c495c21c628d37ba2298e4a789ff677867521be27ec14d2cd9e9bf55160518f

Masquerading as a news article covering details about the Caucasus conflict, the document contains a reference to an external site to fetch additional material to the victim’s computer:

The 7 stages of intrusion. With 1 being at the top and 7 being at the bottom of the image.

In this specific case, the document attempts to communicate to the domain “msofficeupdate[.]org”:

The 7 stages of intrusion. With 1 being at the top and 7 being at the bottom of the image.

Overall, the document appears focused on the Armenian-Azerbaijani conflict with dedicated network infrastructure enabling the attack sequence. While we could stop and view this item in isolation, further analysis reveals even more interesting elements.

Identifying Items for Pivoting

Both the document and the domain contain items of interest for further analysis and pivoting. Reviewing lessons from a previous DomainTools blog, we can examine the technical indicators related to this campaign as composite objects with opportunities to discern fundamental adversary behaviors.

Examining the document, file metadata, shown here using Phil Harvey’s ExifTool, indicates the presence of an unusually long string of numbers as a template object:

The 7 stages of intrusion. With 1 being at the top and 7 being at the bottom of the image.

Based on the template object and a hard-coded Uniform Resource Locator (URL), the document will attempt to communicate to the domain identified above. The actual functionality of the malicious document hinges on network communication to the attacker domain, with an HTTP request to a resource such as the following:


All following functionality appears dependent on a response to this request. At this time, DomainTools does not have any data or other information as to what may be returned from this response. As a result, our analysis is limited to the document itself and identified network infrastructure. However, defenders may find value in the URL pattern in the HTTP request—words divided by single numbers—for developing Network Intrusion Detection System (NIDS) signatures.

The 7 stages of intrusion. With 1 being at the top and 7 being at the bottom of the image.

Lack of view into follow-on execution aside, we have a search string to use to fingerprint additional file samples or to disposition items that may be related to the original campaign in the template string. Notably, for a malicious document, the item does not contain any active content (ActiveX objects or Visual Basic for Applications [VBA] macros), limiting our ability to identify further items. However, the template item appears unique enough to serve as a signifier to identify additional samples similarly constructed.

On the infrastructure side, we have several more leads to follow. As previously documented in past blogs on infrastructure hunting and analysis, we have a combination of technical indicators related to domain creation and hosting as well as thematic identifiers related to the domain name itself. For the domain in question, as seen in the previous DomainTools Iris Investigate inspection image above, the following observations hold:

  • Leaked registrant email, “g.j.dodson[AT]protonmail[.]com”.
  • Domain registration service, “PDR Ltd. d/b/a”.
  • Authoritative name server associated with the domain, “bitdomain[.]biz”.
  • Hosting on a dedicated server, “46.30.188[.]236”, through the Netherlands-based provider “Web2objects Gmbh”.
  • An SSL/TLS certificate obtained through Sectigo with limited identifying information.
  • A domain “theme” of mimicking Microsoft Office update services.

While any of the above items in isolation may be relatively limited for identifying adversary tendencies or additional infrastructure—either by being too general or far too specific—in combination, they can yield patterns for further analysis. For example, looking for a combination of privacy-centric email addresses registering domains via PublicDomainRegistry using the name server “bitdomain[.]biz” hosted in Europe with Sectigo SSL/TLS certificates can yield a result set for further analysis. Applying a “thematic” search to the results of such an investigation, such as looking for other Microsoft or Office themes in domain names, can identify additional items for analysis related to this campaign.

Unraveling Additional Infrastructure

Based on the characteristics described in the previous section, DomainTools researchers identified 35 domains matching the patterns associated with the initially observed malicious domain at varying levels of estimative probability or confidence. As shown in the following table, we can observe additional tendencies such as favoring several privacy-oriented email services during registration and an overwhelming focus on European Virtual Private Server (VPS) providers for hosting purposes.

DomainDate CreatedRegistrant EmailIP AddressHosting ProviderHosting LocationConfidence
iphoneupdatecheck[.]com2016-05-12[email protected][email protected]SEMedium
brexitimpact[.]com2016-06-23[email protected] Creanova Hosting Solutions Ltd.FILow
srv3-serveup-ads[.]net2019-04-16[email protected] Internet Solutions Pte LtdSGLow
newoffice-template[.]com2019-06-12[email protected] Hosting Inc.FRHigh
ms-check-new-update[.]com2019-07-08[email protected] EOODBGMedium
template-new[.]com2019-08-28N/A66.70.218.38OVH Hosting Inc.FRHigh
user-twitter[.]com2019-11-13[email protected]N/AN/AN/AMedium
live-media[.]org2019-11-27[email protected] SASFRMedium
officeupgrade[.]org2019-11-29[email protected] Servers LLCUSHigh
template-office[.]org2020-01-10[email protected] Group B.V.DEMedium
get-news-online[.]com2020-01-15[email protected]N/AN/AN/ALow
liveinfo[.]org2020-01-15[email protected] GmbHDEMedium
newoffice-update[.]com2020-02-11[email protected] Hosting Inc.CAMedium
update-office[.]com2020-03-03[email protected] US LLCUSHigh
upgrade-office[.]com2020-03-18[email protected] Hosting Inc.CAHigh
tls-login[.]com2020-03-25[email protected] Technologies Pte Ltd.SGHigh
upgrade-office[.]org2020-04-07[email protected] B.V.NLHigh
newupdate[.]org2020-06-04[email protected] S.A.LVMedium
2020-windows[.]com2020-06-19[email protected] FreehostUALow
petronas-me[.]com2020-07-05[email protected]N/AN/AN/ALow
msupdatecheck[.]com2020-07-10[email protected] Hosting Inc.CAHigh
log1inbox[.]com2020-08-15[email protected]N/AN/AN/AMedium
gmocloudhosting[.]com2020-08-17[email protected]N/AN/AN/ALow
msofficeupdate[.]org2020-08-20[email protected] GmbHGBHigh
interior-gov[.]com2020-08-31[email protected]N/AN/AN/ALow
e-government-pk[.]com2020-09-04[email protected]N/AN/AN/ALow
e-govoffice[.]com2020-09-07[email protected]N/AN/AN/ALow
azureblog[.]info2020-09-25[email protected]N/AN/AN/ALow
rneil[.]ru2020-10-01[email protected]N/AN/AN/ALow
weather-server[.]net2020-10-09[email protected]N/AN/AN/AMedium
doc-fid[.]com2020-10-21[email protected]N/AN/AN/ALow
rarnbler[.]com2020-11-09[email protected]
msofficeupdate[.]com2020-11-10[email protected] Sistemos IR Technologijos UABLTHigh
netserviceupdater[.]com2020-11-11[email protected]N/AN/AN/AMedium
new-office[.]org2020-11-13[email protected] Hosting Inc.FRMedium

While the majority of items were created in 2020, some potentially related network observables date as far back as 2016. When matched against malicious document samples examined in the following section, we begin to see the outlines of a persistent, somewhat lengthy campaign. Although extended in time, the same fundamental network behaviors are reflected in observed items throughout this period.

Observed visually, such as in the DomainTools Iris Investigate visualization below, we see clusters of activity divided between name servers, registrars, and Top Level Domains (TLDs). With an even larger population, we could begin to distill even more aspects of this adversary’s methods of operation and potentially devise predictive algorithms for future infrastructure creation.

The 7 stages of intrusion. With 1 being at the top and 7 being at the bottom of the image.

Locating Additional Samples

In addition to identifying additional network infrastructure, a combination of reviewing the original document as well as pivoting off of observed network infrastructure yields additional malicious document samples. Primarily, the unique Template string of numbers combined with relationship to domains and document themes enable the discovery of additional items. As shown in the following table, these items are linked through both the unique Template string as well as contacting infrastructure related to the analysis provided above on network observables.

SHA256File NamestrongFirst SeenSubmitter CountryDomain Contacted
1f117d5f398e599887ec92a3f8982751ceb83f2adb85d87a2c232906104e8772C. Bayramov.doc25 Jul
4ad0e64e8ebed1d15fac85cd7439bb345824f03d8b3c6866e669c24a42901daaScandal that killed 346 people.doc29 May
68bde4ec00c62ffa51cef3664c5678f1f4985eb6054f77a5190b4d62bd910538xyz.doc13 Sep
7ba76b2311736dbcd4f2817c40dae78f223366f2404571cd16d6676c7a640d70Фадеев М1.doc18 Dec
7c495c21c628d37ba2298e4a789ff677867521be27ec14d2cd9e9bf55160518fPKK militants in Nagorno-Karabakh.doc12 Oct
89503c73eadc918bb6f05c023d5bf777fb2a0de1e0448f13ab1003e6d3b71fefО поставке зенитных ракетных систем С-400.doc11 Dec
c630aa8ebd1d989af197a80b4208a9fd981cf40fa89e429010ada56baa8cf09dПланируемые расходы 2020(1).doc28 Dec
e5a4957d0078d0bb679cf3300e15b09795167fdcfa70bbeab6de1387cd3f75bfStrategic Defence and Security Review (2021 SDSR).doc31 Oct
7a1effd3cfeecdba57904417c6eeaa7a74d60a761138885b338e8dc17f2c3fbcСправочник АП_26.10.2020_.doc29 Oct
0b116f5b93046c3ce3588bb2453ddbb907d990c2053827600375d8fd84d05d8bНовые поправки к Госпрограмме переселения в РФ (вст. в силу 01.07.2020).doc16 Sep 2020UAN/A
79c0097e9def5cc0f013ba64c0fd195dae57b04fe3146908a4eb5e4e6792ba24N/A16 Sep
d8f13e6945b6a335382d14a00e35bfefadbdfb625562e1120e5ed0b545f63e11N/A09 Nov 2020N/
348b25023c45ed7b777fa6f6f635cb587b8ffbf100bfa6761d35610bba525a11Минтруд госслужба.doc04 Nov
93279005aa4c8eddf01020b31bc2b401fe1366cbcc9bb2032ffaeb2984afcd79Минтруд госслужба 1 1.doc03 Nov

As described in greater detail in the following section, these items largely feature themes related to conflict in the Caucasus or continuing conflict in Ukraine. Additionally, they extend from December 2019 through November 2020, indicating this activity has continued without significant change for nearly a year.

In addition to these items, DomainTools researchers also identified a second set of documents, all originating from France, with a “testing” theme but matching various characteristics of the above items, such as the unique Template string:

SHA256File NamestrongFirst SeenSubmitter CountryDomain Contacted
29b49fc728510b8d10a84edbd884cd23a0c453c1158551dbd2d266539d5d09b5testmw4.doc18 Sep 2020FRN/A
da43472f3bced232ae8f905e819339fb75da0224a31fb1c394110c77b3318b09testmw8.doc18 Sep
6478821432b8458053d953b6cff7d1b49f4349f5da366278778c87bc8789b65ctestmw7.doc18 Sep
4285a05a993359b8418b590d3309a361f2c42ef7bc29216c0209e57b74513adbtestmw6.doc18 Sep 2020FRN/A
40b21a2cd054e01cf37eb22d041ef2ea652eaaeae0ba249439fa7ec07a4e9765testmw5.doc18 Sep
282c805363469440eef082ac0f2a52dbdd47a8cdaecc08df4c1b4c073c5a8256testmw3.doc18 Sep
df2a85d84daf10b4dcf8d8fdd83493f3c04f2ac7b3edaf4730df0522cc52009ftestmw2.doc18 Sep 2020FRN/A

The items above stand out from the other documents for several reasons:

  • All were submitted to the same multiscanner service on the same day.
  • The items appear to be iterative given the file naming schema (testmw2, testmw3, etc.).
  • Analysis of the files indicates fuzzing or alteration of capability among them, in line with the iterative nature of the file names.

An initial conclusion would be these are “testing” runs for a malicious document format or template which would emerge in later campaigns. However, the timing is off for this conclusion to hold as the “test” items appear in mid-September when items using the same template (functionality and lure document) first appear in December 2019.

Overall, this batch of items remains somewhat a mystery as there are no obvious signs linking it to other campaigns. Additionally, some of the items in question are non-functional or lack other components linked to the activity in the first set of documents associated with a likely persistent campaign. DomainTools does not possess any additional information to disposition these items at this time, so they remain somewhat of a mystery relative to the other malicious documents which appear more clearly designed for espionage purposes.

Motivations and Attribution

The identified documents emerge from multiple locations but overwhelmingly focus on Azerbaijan and Ukraine.

The 7 stages of intrusion. With 1 being at the top and 7 being at the bottom of the image.

More interesting still are the themes associated with the documents in their text and titles. In addition to the document which sparked this investigation and its themes centering on the recent conflict on the Caucasus, identified topics include the following:

  • C. Bayramov.doc: references the Azerbaijani foreign minister, Ceyhun Bayramov.
  • Фадеев M1.doc: presents itself as a fundraising advertisement for a documentary filmmaker covering events in the Donetsk region of Ukraine, an area of conflict.
  • О поставке зенитных ракетных систем С-400.doc: masquerades as a report on the S-400 air defense system, produced by Russia and sold to multiple countries.
  • Планируемые расходы 2020(1).doc: “Planned Expenses 2020”, a document that appears to show personnel expenses for a Ukrainian local government entity.
  • Strategic Defence and Security Review (2021 SDSR).doc: a strategic defense planning document intended for the Slovenian defense ministry. Notably, this document appears related to a phishing email sent to an individual who appears to be the Slovenian military attache to the country’s embassy in the Russian Federation.
  • Справочник АП_26.10.2020_.doc: a planning document from the Russian-backed but unrecognized breakaway Donetsk People’s Republic.
  • Новые поправки к Госпрограмме переселения в РФ (вст. в силу 01.07.2020).doc: a document on internal resettlement within the Russian Federation.
  • Минтруд госслужба.doc:a document from the Russian-backed but unrecognized breakaway Luhansk People’s Republic.

Overall, documents appear related to political, military, and related subjects largely in conflict zones such as the Caucasus and the Russian-backed breakaway regions of eastern Ukraine. Additional items, such as the Slovenian defense document which DomainTools researchers were able to link to a phishing email, strongly imply state-sponsored interests for espionage or similar purposes as motivating this campaign.

The 7 stages of intrusion. With 1 being at the top and 7 being at the bottom of the image.

In October 2020, several researchers noticed some of the documents identified in this report and linked it to a group referred to in public reporting as “Cloud Atlas” or “Inception.” While data available at present does not completely align with prior Cloud Atlas activity, the following commonalities are observed:

  • Targeting focusing on Russian near-abroad regions.
  • Use of template objects for initial activity through malicious documents.
  • Likely reliance on network communication to retrieve second-stage tooling for follow-on activity.

The response to the HTTP requests sent by the documents would presumably be the key for aligning the above campaigns to the Cloud Atlas actor, but absent this evidence DomainTools can neither confirm nor deny association to this group at present.

Irrespective of specific attribution, possible links to a known Advanced Persistent Threat (APT) actor (Cloud Atlas) combined with campaign themes that are highly political in nature with no obvious mechanism for monetization make the discovered campaign a likely state-sponsored or state-directed espionage campaign. While targeting in this case may imply Russian-related interests, it is important to note that earlier Cloud Atlas activity has also targeted entities in the Russian Federation. One possible alternative hypothesis given the targeting in Russia, as well as a focus on breakaway regions in Ukraine, is that the activity represents Ukraine-sponsored cyber espionage activity. Although interesting, again insufficient evidence exists to support this hypothesis at this time.

While the activity described above is certainly concerning, available information at this time does not support even weak attribution to any state interest, with only plausible (but as yet unproven) links to the Cloud Atlas entity. Although specific attribution may not be possible, we can nonetheless conclude with high confidence that this activity represents cyber espionage activity directed by some, as yet unknown, state actor.


Tracking themes related to geopolitical events can be quite fruitful for discovering active campaigns likely related to state-sponsored interests. In the above example, searching for items related to the Armenia-Azerbaijan conflict in the Caucasus in late 2020 yielded a malicious document. Further analysis of this document and related infrastructure then led to the discovery of additional items which outlined an entire campaign stretching back to 2019.

While the victims of this campaign appear geographically limited, largely focusing on Ukraine and Azerbaijan, the lessons drawn from the analysis of both the malicious documents and related network infrastructure can be used to further defense against similar types of attacks. By monitoring for these types of event-specific incidents, CTI analysts can gain insight into emerging APT activity and deploy defensive countermeasures shortly after discovery.

To learn how to identify and track adversary operations in DomainTools Iris Investigate visit our product page.

The DomainTools Security Research Team Discusses Their Analysis: