A new investigation by the internet intelligence firm DomainTools Investigations (DTI) has revealed a massive phishing campaign targeting defense and aerospace entities, potentially linked to ongoing cyber espionage operations related to the war in Ukraine.
According to DTI's findings, the infrastructure involves a set of mail servers, each operating a network of spoofed domains designed to impersonate legitimate organizations in defense, aerospace, and IT sectors. The domains are believed to be used to host fraudulent webmail login pages, designed to harvest login credentials.
The goal of the phishing activity, while not currently attributed to a specific threat actor, appears to be intelligence gathering related to the ongoing conflict in Ukraine.
The investigation began with the identification of a phishing login page hosted on a domain designed to spoof Ukroboronprom, Ukraine's largest arms manufacturer. The page, which was first observed on December 20, 2024, was hosted on a GHOSTnet VPS and was one of several similar domains identified during the course of the investigation.
Further analysis revealed that the domain was part of a broader network: nine other domains were found hosting identical webmail login pages. All were registered through the Spaceship registrar, hosted on GHOSTnet VPS, and first observed between December 21, 2024, and March 4, 2025. The researchers noted that these domains serve as Mail Exchanger (MX) records for mail servers.
In total, the investigation uncovered 878 spoofed domains, all of which closely mimicked the legitimate domains of various defense, aerospace, and IT organizations. These spoofed domains used minor character alterations to deceive recipients into believing the emails were coming from trusted sources.
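Spotting the kind of near-miss spellings described above can be automated. The following is an added example (not DTI's tooling) that scores candidate domains against a short list of protected brand domains, using the article's own indicators as constructed input; rheinmetall.com is named in the article, while ukrtelecom.ua is assumed here to be Ukrtelecom's legitimate domain and the edit-distance thresholds are arbitrary.

```python
# Constructed brand list: rheinmetall.com is named in the article; ukrtelecom.ua
# is assumed here as Ukrtelecom's legitimate domain.
PROTECTED = ["rheinmetall.com", "ukrtelecom.ua"]
# Candidates from the article's list (defanged as printed) plus one control.
CANDIDATES = ["rheinemetall[.]com", "rheinmetall.com[.]de", "ukrtelecom[.]eu",
              "funky-bober[.]art", "ukrtelcom[.]com", "rheinmetall.com"]

def refang(domain: str) -> str:
    """Normalise a possibly defanged indicator for string comparison."""
    return domain.lower().replace("[.]", ".").strip(".")

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(candidate: str, protected: list) -> "str | None":
    """Return why a domain looks like a spoof of a protected brand, or None."""
    cand = refang(candidate)
    legit = [refang(p) for p in protected]
    if any(cand == p or cand.endswith("." + p) for p in legit):
        return None  # the brand's own domain or a genuine subdomain of it
    for p in legit:
        if cand.startswith(p + "."):
            return f"{candidate}: '{p}' reused as a subdomain under another TLD"
    labels = cand.split(".")
    sld = labels[-2] if len(labels) > 1 else labels[0]  # no public-suffix list used
    for p in legit:
        p_sld = p.split(".")[-2]
        if sld == p_sld:
            return f"{candidate}: same label as {p}, different TLD"
        dist = osa_distance(sld, p_sld)
        if dist <= (1 if len(p_sld) < 8 else 2):  # looser for long brand names
            return f"{candidate}: {dist} edit(s) from {p}"
    return None

def scan(candidates: list, protected: list) -> dict:
    """Map each flagged candidate to its reason; clean domains are left out."""
    return {c: r for c in candidates if (r := classify(c, protected))}
```

Feeding newly registered or newly observed domains through `scan` gives a first-pass alert list; the exact-match and genuine-subdomain checks keep the brand's own infrastructure out of it.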
Furthermore, the researchers discovered four additional domains linked to the phishing operation: rheinemetall[.]com, rheinmetall.com[.]de, ukrtelecom[.]eu, and funky-bober.art. The domains shared visual similarities with the previously identified MX domains and were also hosted on GHOSTnet VPS infrastructure. However, ukrtelcom[.]com, while displaying overlapping Whois data with the others, was not actively hosting a phishing page at the time of analysis.
DTI's investigation also uncovered that one of the domains, cryptshare.rheinemetall[.]com, was used to distribute malicious files. This subdomain was active between late January and mid-February 2025.
“DTI cannot confirm how the actor used this subdomain; however, given the available evidence, it was most likely used to deliver malicious files,” the researchers noted.