Overview:

On 25 March 2025, DomainTools Investigations (DTI) uncovered a large-scale phishing campaign targeting defense and aerospace organizations tied to the ongoing Russia-Ukraine conflict. The campaign employed a dynamic phishing infrastructure comprising a small number of mail servers and spoofed domains crafted to mimic well-known defense contractors and government entities. The phishing infrastructure was used to host fraudulent webmail login pages designed to harvest employee credentials, likely as part of a broader cyber espionage effort.

While no specific threat actor has yet been publicly attributed to this activity, the tactics, techniques and procedures (TTPs) observed—including targeted spear-phishing, spoofed domains and webmail credential harvesting—align closely with the hallmarks of state-sponsored cyber espionage. In this case, geopolitical motivations related to the Russia-Ukraine war strongly suggest alignment with pro-Russian interests, either from Russian intelligence services or affiliated advanced persistent threat (APT) groups.

Infrastructure Details:

The phishing campaign was first detected through the spoofed domain kroboronprom[.]com, which impersonated Ukroboronprom, Ukraine’s largest state-owned defense conglomerate. As a cornerstone of Ukraine’s defense sector, Ukroboronprom represents a highly attractive target for intelligence collection. The attackers leveraged the domain to deploy a fake webmail login page—built using Mailu—to trick employees into entering their corporate credentials.

Subsequent investigation using DomainTools Iris revealed a broader infrastructure that included multiple spoofed domains registered via Spaceship and hosted through GHOSTnet VPS, a provider previously observed in cybercrime infrastructure. These domains were connected through a small set of mail servers that appeared purpose-built to support high-volume phishing operations. Notably, the infrastructure included domains like cryptshare.rheinemetall[.]com, masquerading as a secure file-sharing platform likely used to distribute malware or capture sensitive files under the guise of legitimate business processes.

In total, researchers linked 923 spoofed domains to the campaign, targeting at least 13 organizations across the defense, aerospace and IT sectors. Many of these entities are considered defense primes or critical suppliers within NATO countries, particularly the United Kingdom and broader European Union.
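A defender-side triage check for the kind of lookalike domains described above, added here as an example and not DomainTools' code: it refangs an indicator and flags labels that either reuse a protected brand under a non-allow-listed domain (cryptshare.rheinemetall[.]com) or sit one edit away from a brand (kroboronprom[.]com vs. Ukroboronprom). The brand watch-list, the allow-list of legitimate hostnames and the sample indicators are constructed assumptions.

```python
"""Lookalike-domain triage for spoofed domains of the kind described above.

Added example, not DomainTools' code. The brand watch-list, the allow-list of
legitimate hostnames and the sample indicators are constructed assumptions.
"""
from typing import List

# Constructed watch-list of brand labels an organisation wants protected.
PROTECTED_BRANDS = {"ukroboronprom", "rheinmetall", "cryptshare"}
# Constructed allow-list of hostnames assumed to belong to those brands.
KNOWN_GOOD = {"ukroboronprom.com.ua", "rheinmetall.com", "cryptshare.com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as kroboronprom[.]com into a hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch dropped or inserted characters in a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_reasons(indicator: str) -> List[str]:
    """Return why a domain looks like brand impersonation (empty list = no finding)."""
    host = refang(indicator)
    if host in KNOWN_GOOD or any(host.endswith("." + g) for g in KNOWN_GOOD):
        return []  # an allow-listed hostname or one of its subdomains
    reasons = []
    for label in host.split("."):
        for brand in PROTECTED_BRANDS:
            if label == brand:
                reasons.append(f"brand '{brand}' used under a non-allow-listed domain")
            elif len(brand) >= 6 and levenshtein(label, brand) == 1:
                reasons.append(f"'{label}' is one edit away from brand '{brand}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the two defanged domains from the brief plus benign hosts.
    for ioc in ["kroboronprom[.]com", "cryptshare.rheinemetall[.]com",
                "mail.rheinmetall.com", "updates.example.net"]:
        print(ioc, "->", impersonation_reasons(ioc) or "no finding")
```

In production the last-two-labels heuristic here would be replaced by a public-suffix-list lookup, and the allow-list would come from an asset inventory rather than a hard-coded set.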

Significance to the Space Sector:

This campaign provides a clear illustration of the evolving cyber threat landscape facing satellite communications companies and broader space sector stakeholders. As modern warfare becomes increasingly reliant on space-based assets for communications, navigation, intelligence, surveillance and reconnaissance (ISR), these entities have become priority targets for both direct attacks and supply chain infiltration.

While the campaign’s focus appears to be on defense and aerospace firms supporting Ukraine’s war effort, many of the spoofed domains and targeted entities are deeply embedded in the global space sector. Satellite operators, ground segment providers and defense contractors often share overlapping infrastructure and partnerships, creating opportunities for lateral movement once initial access is gained. Phishing remains a primary vector for achieving this initial compromise, as attackers exploit trust in established communications channels—often by impersonating familiar vendors, partners or even internal contacts.

The use of dynamic, modular phishing infrastructure, as seen in this campaign, allows threat actors to pivot quickly between targets, register new domains rapidly and continuously refresh their tactics to evade detection. This agility poses unique challenges for satellite operators, which must secure a diverse and globally distributed network of suppliers, contractors and partners.

Threat Actor Tradecraft: Masquerading as Trusted Vendors:

A notable feature of this campaign—and a broader trend in modern cyber operations—is the use of impersonation tactics to breach supply chains. By spoofing domains of trusted vendors, secure file-sharing platforms and internal mail systems, attackers aim to bypass initial defenses and leverage the trust built between organizations and their suppliers.

The space sector depends on a wide array of international collaborators and subcontractors that make up its supply chain, which underscores the risk of vendor impersonation. A compromised vendor can serve as a foothold to escalate privileges, move laterally within larger networks and access sensitive satellite control systems, intellectual property or even mission-critical data.

Conclusion:

The phishing campaign uncovered by DomainTools is a significant example of how geopolitical tensions drive sophisticated cyber threat activity against high-value targets. As the space and satellite communications sectors continue to expand their critical role in defense and national security, they must anticipate and defend against increasingly targeted and adaptive threats. Strengthening defenses across both technical and human layers, maintaining vigilance over supply chain security and actively contributing to collective defense through intelligence sharing are essential steps in mitigating the risk of compromise and ensuring mission continuity.