WhoisXML API Publishes a New Study of 7 APT Groups That Have Targeted North America

WhoisXML API researchers expanded IoC collections for seven APT groups tied to attacks on North America and used WHOIS History, reverse WHOIS, and Screenshot APIs to map domain and email infrastructures. Starting from 59 domain IoCs, their analysis surfaced more than 140 email addresses, thousands of email-connected domains, and links to malware families such as SHAMOON and Cl0p. #APT33 #Cl0p

Keypoints

  • WhoisXML API expanded indicator sets for seven active APT groups (APT33, APT41, FIN7, Kimsuky, Molerats, Turla, ZIRCONIUM) that have targeted North America.
  • Researchers started from 41 APT candidates, then filtered to groups that were active in 2023, impacted North America, had published domain IoCs, and had email-connected domains traceable via WhoisXML solutions.
  • The filtered set yielded 59 seed domain IoCs; researchers used WHOIS History, reverse WHOIS, and Screenshot APIs to uncover related infrastructure and contacts.
  • Findings included more than 140 email addresses (47 not redacted), 540 current and 1,940 historical email-connected domains, plus hundreds of live domains verified via screenshots.
  • Deep dive into APT33 expanded nine public domains into 42 email addresses (12 public), 119 current email-connected domains, and 855 historical email-connected domains.
  • The study highlights how current and historical WHOIS records can reveal domain portfolios and email-linked infrastructure associated with APT activity.

MITRE Techniques

  • [T1485] Data Destruction – Use of destructive wiper malware is described: [‘using SHAMOON or Disttrack.’]
  • [T1486] Data Encrypted for Impact – Use of ransomware families is noted as part of campaigns: [‘PowerTrash, Cl0p, and BlackMatter.’] (Cl0p and BlackMatter are ransomware; PowerTrash is the PowerShell in-memory loader FIN7 uses to deliver payloads, not ransomware itself.)
  • [T1219] Remote Access Software (formerly Remote Access Tools) – Use of RATs and surveillanceware for operations and access: [‘RftRAT and Amadey’]
  • [T1583.001] Acquire Infrastructure: Domains – Adversary infrastructure built from registered domains and the registrant addresses behind them is indicated by the report’s domain IoCs: [’59 domains identified as IoCs’]

Indicators of Compromise

  • [Domain] domain IoCs – 59 seed domains identified as IoCs across the seven groups (nine of them public APT33 domains that the study expands in detail).
  • [Email address] WHOIS-exposed addresses – more than 140 registrant email addresses recovered via WHOIS History API, of which 47 were not privacy-protected; for the APT33 subset, 42 addresses (12 public, 30 redacted).
  • [Email-connected domains] infrastructure links – 119 current and 855 historical email-connected domains for APT33; more than 540 current and 1,940 historical email-connected domains across all seven groups.
  • [Malware/family names] malware referenced as campaign indicators – examples include SHAMOON, Disttrack, WyrmSpy, DragonEgg, PowerTrash, Cl0p, BlackMatter, RftRAT, Amadey.

WhoisXML API’s technical workflow began by compiling 41 APT candidates from public sources, then applying clear filters: groups active in 2023, those that targeted North America, availability of domain IoCs, and the presence of email-connected domains traceable through WhoisXML solutions. This narrowing produced seven APTs and an initial set of 59 domain IoCs drawn from security research blogs; these domains served as seed indicators for further DNS and WHOIS investigation.

Using WHOIS History API, reverse WHOIS searches, and a Screenshot API, researchers expanded those seeds into identity- and infrastructure-related artifacts: they recovered more than 140 email addresses (47 unobscured), mapped 540+ current and 1,940+ historical email-connected domains across the dataset, and captured hundreds of live domains via screenshots to confirm active infrastructure. The team applied the same process to an APT33 subset—starting from nine public domains—and enumerated 42 associated email addresses (12 public), 119 current email-connected domains, and 855 historical email-connected domains.
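The pivot described above (seed domains, then registrant addresses from WHOIS history, then reverse WHOIS to current and historical email-connected domains) can be expressed as a small offline procedure. The following is an added illustration, not code from the WhoisXML API study, and it runs over a constructed in-memory set of WHOIS history records rather than the real WHOIS History or reverse WHOIS endpoints; the record shape, the domain names, the addresses, and the privacy-marker list are all assumptions for the example.

```python
from dataclasses import dataclass

# Substrings that typically mark a privacy-protected registrant address.
# Assumed list for the example; tune it to the registrars you actually see.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "withheld")


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_email: str
    snapshot: str   # ISO date the record was captured
    current: bool   # True for the domain's latest record, False for older history


# Constructed WHOIS history, not real adversary data: one seed domain, one
# sibling that still shares its registrant address, one that only used to,
# and an unrelated domain that must not be pulled in.
RECORDS = [
    WhoisRecord("seed-c2.example", "ops@attacker.example", "2023-01-10", True),
    WhoisRecord("seed-c2.example", "redacted@privacy.example", "2022-06-01", False),
    WhoisRecord("seed-c2.example", "old-ops@attacker.example", "2021-03-02", False),
    WhoisRecord("staging.example", "ops@attacker.example", "2023-05-01", True),
    WhoisRecord("retired.example", "redacted@privacy.example", "2023-06-01", True),
    WhoisRecord("retired.example", "old-ops@attacker.example", "2021-08-15", False),
    WhoisRecord("unrelated.example", "admin@unrelated.example", "2022-01-01", True),
]


def is_redacted(email: str) -> bool:
    """Privacy-protected addresses are shared across unrelated domains and
    cannot be used as a pivot; only public addresses are worth expanding."""
    lowered = email.lower()
    return any(marker in lowered for marker in PRIVACY_MARKERS)


def seed_emails(records, seeds):
    """Step 1: every registrant address ever seen on a seed domain,
    split into public (pivotable) and redacted (report only)."""
    public, redacted = set(), set()
    for rec in records:
        if rec.domain in seeds:
            bucket = redacted if is_redacted(rec.registrant_email) else public
            bucket.add(rec.registrant_email)
    return public, redacted


def reverse_whois(records, emails, seeds, max_fanout=500):
    """Step 2: reverse pivot on the public addresses.
    Returns (current, historical): domains whose latest record uses one of
    the addresses, and domains that used one only in an older record.
    Addresses attached to more than max_fanout domains (registrar or reseller
    contacts) are dropped, since they link everything to everything."""
    fanout = {}
    for rec in records:
        fanout.setdefault(rec.registrant_email, set()).add(rec.domain)
    usable = {e for e in emails if len(fanout.get(e, ())) <= max_fanout}

    current = {r.domain for r in records if r.current and r.registrant_email in usable}
    historical = {r.domain for r in records if not r.current and r.registrant_email in usable}
    current -= seeds                    # the seeds are already known IoCs
    historical -= seeds | current       # a domain is either current or historical
    return current, historical


def expand(records, seeds, max_fanout=500):
    """Run both steps and return the artefacts the study reports on."""
    public, redacted = seed_emails(records, seeds)
    current, historical = reverse_whois(records, public, seeds, max_fanout)
    return {
        "public_emails": public,
        "redacted_emails": redacted,
        "current_domains": current,
        "historical_domains": historical,
    }


if __name__ == "__main__":
    for key, value in expand(RECORDS, {"seed-c2.example"}).items():
        print(f"{key}: {sorted(value)}")
```

The fan-out guard is the check a practitioner would want before acting on the output: a registrant address shared by hundreds of domains is almost always a registrar, reseller, or proxy contact, and pivoting on it produces a cluster that looks large but says nothing about the actor. Screenshot verification of the surviving current domains, as the study does, is the next filter before any of them reach a blocklist.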

The technical takeaway is that current and historical WHOIS records, combined with reverse WHOIS and visual verification, can materially expand known APT domain portfolios and reveal email-linked operational infrastructure. These methods let investigators move from a small set of domain IoCs to larger clusters of related domains and contact points that can inform detection, blocking, and attribution. Two limits follow from the study’s own numbers: only 47 of the 140+ recovered addresses were unredacted, so privacy-protected registrations cap how far the email pivot reaches, and an address shared by many unrelated domains (a registrar or proxy contact) will link infrastructure that has nothing to do with the actor, which is why live-domain verification and manual review precede any blocking decision.

Read more: https://circleid.com/posts/20240319-whoisxml-api-publishes-a-new-study-of-7-apt-groups-that-have-targeted-north-america