Key points
- Started with Microsoft’s list of 124 ACTINIUM-associated domains as the seed set.
- Performed a bulk passive DNS export via Validin, producing ~20,402 resolved records covering IP history for the seed domains.
- Used CyberChef to deduplicate and sort records; identified 139.180.174[.]234 as the most frequently reused IP (49 occurrences).
- Pivoted on that IP and filtered DNS first-seen dates (around 2022-07-27) plus a .ru TLD filter to narrow candidates to 2,492 matching records.
- Extracted primary domains with a regular expression in CyberChef, counted subdomains per parent, and compared against Microsoft’s list to find ~122 potential new domains.
- Validated a subset (~30) of the results by confirming matching random subdomain patterns, IP reuse, and registration timing; some false positives remain possible.
- Recommendation: repeat the pivot process on other common IPs from the export to discover additional infrastructure.
MITRE Techniques
- [T1590] Gather Victim Network Information – Passive DNS pivoting was used to discover infrastructure and timing correlations (‘we will leverage passive DNS analysis to identify common patterns (IP, Registration dates, Subdomain Patterns)’)
- [T1583.001] Acquire Infrastructure: Domains – The actor’s infrastructure relied on many domains and autogenerated subdomains (‘Microsoft has also reported that each of these domains has numerous subdomains which are generated from a wordlist.’)
- [T1583.002] Acquire Infrastructure: IP Addresses – Reuse of hosting IPs was used as a pivot point to link domains (‘the most common resolved IP address was 139.180.174[.]234, with 49 occurrences across the 124 initial domains.’)
Indicators of Compromise
- [IP Address] pivoting IP used in analysis – 139.180.174[.]234
- [Domains] example seeds from Microsoft report – acetica[.]online, akowaika[.]ru
- [Domains] newly identified candidate .ru domains – torfasta[.]ru, coffiti[.]ru, and 120 more domains
- [Timestamps] DNS resolution filter used – 2022-07-27 (first-seen resolution date used to filter results)
Technical procedure (condensed): Begin with the 124 domains Microsoft attributed to ACTINIUM and perform a bulk passive-DNS export (the author used Validin) to capture historical A records and resolution timelines; the export in this case yielded ~20,402 records. Import the export into CyberChef (or equivalent), deduplicate the rows, and sort resolved IPs by occurrence to surface frequently reused infrastructure; here the IP 139.180.174[.]234 appeared 49 times across the seed set.
Pivot on the most useful signals: search for domains that resolved to the pivot IP and apply temporal filters (the author filtered for resolutions first seen around 2022-07-27) and TLD filters (e.g., .ru) to narrow results. Export the filtered list, use a regular expression to extract parent domains from subdomains, then count subdomain occurrences per parent to prioritize domains that exhibit the same randomized-wordlist subdomain pattern described by Microsoft.
Finally, perform a set-difference between the extracted parent-domain list and the original Microsoft list to identify candidates not previously reported; the author found ~159 unique .ru domains from the pivot and about 122 additional domains after set-difference. Manually validate a sample (the author checked ~30) by confirming matching subdomain structure, IP reuse, and registration timing; repeat the process for other high-frequency IP pivots to uncover further infrastructure.
Read more: https://embee-research.ghost.io/uncovering-apt-infrastructure-with-passive-dns-pivoting/