TA407’s Phishing Campaigns Continue Targeting Universities Globally
- Actor Motivations: Exfiltration, Financial Gain
- Attack Vectors: Compromised Credentials, Spear Phishing
- Attack Complexity: Low
- Threat Risk: Low Impact/High Probability
Threat Overview
TA407 (Silent Librarian) has consistently targeted universities, particularly in the US, Europe, and North America, in credential phishing campaigns. Using tailored phishing pages mimicking university login portals, the group compromises accounts to steal academic data, intellectual property, and user credentials. Between 2013 and 2017, TA407 caused over $3.4 billion in intellectual property losses, affecting thousands of university accounts worldwide. The group exploits Freenom domains and various URL shorteners, including university-based services, to distribute phishing links and expand their reach within academia.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Government Agencies and Services | Verified |
| Sector | University | Verified |
| Region | United States | Verified |
| Region | European Countries | Verified |
Extracted IOCs
Tip: 70 IOCs related to this threat have been found (0 IP, 70 domain, 0 URL, 0 email, 0 file hash).
Overlaps
Source: Secureworks - September 2019
Detection (38 cases): aill[.]nl, azll[.]cf, blibo[.]ga, cill[.]ml, clll[.]tk, cnen[.]cf, cvve[.]cf, eill[.]cf, eill[.]ga, eill[.]nl, elll[.]cf, fill[.]cf, flil[.]cf, flll[.]cf, illl[.]cf, ills[.]cf, jlll[.]cf, liba[.]gq, libb[.]ga, libe[.]ga, libf[.]ga, libk[.]ga, libm[.]ga, libt[.]ga, libver[.]ml, llii[.]xyz, llit[.]cf, llli[.]nl, lllib[.]cf, lzll[.]cf, mlibo[.]ml, nlll[.]cf, ntll[.]tk, nuec[.]cf, stll[.]tk, tlll[.]cf, ulll[.]tk, vtll[.]cf
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.