Operation Texonto: Information operation targeting Ukrainian speakers in the context of the war

Operation Texonto is a Russia‑aligned disinformation and spearphishing campaign that used attacker‑controlled domains and rented servers to send mass PSYOP emails and credential‑harvesting pages targeting Ukrainian speakers during late 2023. The actors also reused the same infrastructure to host phishing sites and later to send Canadian pharmacy spam, linking the campaigns by shared domains and IPs. #OperationTexonto #Callisto

Keypoints

  • Operation Texonto ran two mass PSYOP email waves (November and December 2023) delivering PDF attachments with disinformation aimed at Ukrainians and Ukrainian speakers abroad.
  • Spearphishing in October–November 2023 targeted a Ukrainian defense company and an EU agency with links to fake Microsoft/O365 login pages to capture credentials.
  • Operators acquired multiple domains mimicking Ukrainian government sites (e.g., ua‑minagro[.]com, uaminagro[.]com, minuaregion[.]org) and hosted mail servers at Nice IT, Hostinger, Serverius, BlueVPS.
  • Phishing infrastructure included near‑typo domains such as login.microsoftidonline[.]com and choicelive149200[.]com used for OWA/Office365 credential theft.
  • Shared infrastructure and domain reuse connected PSYOP, spearphishing, and later Canadian pharmacy spam campaigns, indicating operator reuse/monetization of burnt assets.
  • ESET links the operation with high confidence to a Russia‑aligned group based on TTPs and targeting, but no definitive technical attribution to a named actor was established.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – attackers purchased domain names to impersonate Ukrainian government sites (‘Operators bought domain names at Namecheap.’)
  • [T1583.004] Acquire Infrastructure: Server – attackers rented servers from multiple providers to host mail and phishing infrastructure (‘Operators rented servers at Nice IT, Hostinger, Serverius, and BlueVPS.’)
  • [T1566] Phishing – mass emails with disinformation content were sent to Ukrainian targets to influence perceptions (‘Operators sent emails with disinformation content.’)
  • [T1566.002] Phishing: Spearphishing Link – targeted emails contained links to fake Microsoft login pages to steal Office365 credentials (‘Operators sent emails with a link to a fake Microsoft login page.’)
  • [T1036] Masquerading – domains and email addresses were crafted to appear similar to legitimate Ukrainian government entities (‘Operators used domain names similar to official Ukrainian government domain names.’)

Indicators of Compromise

  • [Domain] email/phishing infrastructure – login.microsoftidonline[.]com, ua‑minagro[.]com, and other domains such as uaminagro[.]com, minuaregion[.]org
  • [IP address] mail/phishing servers – 45.9.148[.]165 (infoattention[.]com), 193.43.134[.]113 (login.microsoftidonline[.]com), and other IPs listed for Hostinger/Serverius/BlueVPS
  • [File hashes] PDF attachments used in disinformation – 3C201B2E40357996B3832C72EA305606F07477E3, 15BF71A771256846D44E8CB3012EE6BC6F9E1532, and 2 more hashes
  • [Filenames] documents used in PSYOPs – Minagroua111.pdf, Mozua.pdf
  • [Email addresses] sender identities seen in headers – happyny@infonotification[.]com, mozua@ua‑minagro[.]com (plus several similar minregion/minagroua addresses)

Operators staged a coordinated procedure: register deceptive domains, provision rented servers across multiple hosting providers, and operate SMTP/web services to send tailored emails. For credential theft they crafted spearphishing messages directing recipients to near‑typo domains that hosted fake Microsoft/O365 login flows (example: login.microsoftidonline[.]com with OAuth parameters resembling legitimate redirects to outlook.office365.com). Bulk PSYOPs delivered PDF attachments that misused Ukrainian ministry branding to spread disinformation; those PDFs were catalogued with SHA‑1 hashes and detected as PDF/Fraud by ESET. Email headers and server IPs (e.g., 45.9.148[.]165, 185.12.14[.]13, 193.43.134[.]113) tie the sending infrastructure to multiple domains used across phishing and disinformation waves.

Investigation linked campaigns by identifying overlapping infrastructure (same hosting providers, reused mail servers, and shared domain registration patterns). The actors alternated objectives: credential harvesting using spearphishing links and large‑scale influence operations via non‑malicious but deceptive PDFs. When portions of the infrastructure became exposed, operators reused mail servers and domains to send monetized spam (Canadian pharmacy offers), indicating opportunistic reuse of burnt assets to either profit or fund further operations.

Defensive takeaways: block/monitor the listed domains and IPs, treat emails from government‑like domains outside official registries as suspicious, verify OAuth redirect domains before submitting credentials, and catalog the identified PDF hashes and filenames for content inspection and mail filtering. Correlate email envelope‑from/return‑path fields with originating IPs when triaging suspected spearphishing to expose infrastructure reuse.
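As an added example (not code from ESET's report or from the summary above), a small Python triage helper that implements these takeaways: it correlates From/Return-Path/Reply-To domains and Received relay IPs with the indicators listed on this page, flags ministry-style sender domains that are not under .gov.ua, and flags OAuth-style links served from any host other than Microsoft's genuine sign-in hosts. The sample message, the .gov.ua suffix rule, the ministry-name tokens and the Microsoft host allowlist are assumptions of the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse
# Indicators quoted on this page (the "[.]" defanging is undone for matching).
IOC_DOMAINS = {"infonotification.com", "infoattention.com", "ua-minagro.com", "uaminagro.com",
               "minuaregion.org", "choicelive149200.com", "login.microsoftidonline.com"}
IOC_IPS = {"45.9.148.165", "185.12.14.13", "193.43.134.113"}
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}  # genuine sign-in hosts (assumed allowlist)
GOV_TOKENS = ("minagro", "minregion", "uaregion")  # ministry names abused by the lures (assumption)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL = re.compile(r"https?://[^\s\"'<>]+")

def triage(raw):
    """Return sorted findings for one raw RFC 5322 message (empty list = nothing seen)."""
    msg = message_from_string(raw)
    found = set()
    # Sender-side headers: exact IoC hit, or a ministry-style name outside .gov.ua.
    for hdr in ("From", "Return-Path", "Reply-To"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        if "@" not in addr:
            continue
        dom = addr.rsplit("@", 1)[1].lower()
        if dom in IOC_DOMAINS:
            found.add(f"ioc-domain:{dom}")
        if any(t in dom for t in GOV_TOKENS) and not dom.endswith(".gov.ua"):
            found.add(f"gov-lookalike:{dom}")
    # Relay IPs in Received headers, correlated with the listed mail servers.
    for rcv in msg.get_all("Received", []):
        found.update(f"ioc-ip:{ip}" for ip in RECEIVED_IP.findall(rcv) if ip in IOC_IPS)
    # Body links: IoC hosts, and OAuth-looking flows served from a non-Microsoft host.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for url in URL.findall(body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host in IOC_DOMAINS:
            found.add(f"ioc-url:{host}")
        if host not in MS_LOGIN_HOSTS and (
                "oauth" in parts.path.lower() or "redirect_uri" in parse_qs(parts.query)):
            found.add(f"oauth-lookalike:{host}")
    return sorted(found)

# Constructed sample modelled on the page's description; not a real captured message.
SAMPLE = """\
Return-Path: <mozua@ua-minagro.com>
Received: from mail.ua-minagro.com (unknown [193.43.134.113]) by mx.example.test with ESMTP
From: "Minregion" <mozua@ua-minagro.com>

https://login.microsoftidonline.com/common/oauth2/authorize?client_id=x&redirect_uri=https://outlook.office365.com/owa/
"""
```

Running `triage(SAMPLE)` yields one finding per correlated field, so a single hit on the relay IP or the OAuth host is enough to pull the message into review even when the sender domain is new.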

Read more: https://www.welivesecurity.com/en/eset-research/operation-texonto-information-operation-targeting-ukrainian-speakers-context-war/