Recorded Future’s Insikt Group discovered a wide-reaching phishing campaign utilizing the FiercePhish open source offensive phishing framework. The campaign, which is hosted on Russian domain infrastructure but does not target users in Russia, is globally harvesting credentials from a variety of organizations in the public and private sectors. This campaign, coordinated using asherintartrading[.]com, has been active since at least December 2019 and has cycled through over 30 DigitalOcean IP addresses, sometimes in a matter of hours. The fast changes in infrastructure indicate that the threat actor is proficient in evading security defenses and blocking tactics.
Analysis of a screenshot of asherintartrading[.]com was taken on the day the domain was first created on December 27, 2019, and shows the domain was configured as a FiercePhish management portal.
Source: Recorded Future/Insikt Group