Threats Feed | APT33 | Last Updated: 11/02/2026 | Author: Certfa Radar | Publish Date: 21/05/2020

Suspected APT33 Cyber Infrastructure Identified in Recent Domain Registrations

  • Actor Motivations: Undetected
  • Attack Vectors: Phishing
  • Attack Complexity: Unknown
  • Threat Risk: Unknown

Threat Overview

The report uncovers suspicious network infrastructure possibly linked to APT33, highlighting the registration of the domain taskreminder[.]net and its association with the ns1.realhosters.com name server and OVH hosting. It draws parallels with previously identified APT33 infrastructure, emphasizing the pattern of using specific name servers and hosting services. Additionally, the report identifies domains spoofing Poste Italiane and “msupdate”-themed domains, suggesting potential credential harvesting and malicious software distribution activities.

Detected Targets

Type | Description | Confidence
Region | Italy | Verified

Extracted IOCs

  • afr-msupdate[.]com
  • asia-msupdate[.]com
  • de-msupdate[.]com
  • taskreminder[.]net
  • times-sync[.]com
  • 137[.]74.157.84
  • 91[.]134.187.25

Tip: 7 related IOCs (2 IP, 5 domain, 0 URL, 0 email, 0 file hash) to this threat have been found.

Overlaps

APT33 | Cyber Espionage by APT33 Targets Education, National Security, and Oil Industries

Source: Trend Micro - November 2019

Detection (one case): 137[.]74.157.84

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Common Questions Regarding APT33 Cyber Infrastructure

Security researchers identified several new suspicious internet domains. These domains appear to be setting up the "plumbing" (servers and web addresses) for potential future cyberattacks, including some that mimic legitimate software updates and postal services.

One specific incident involves infrastructure possibly related to APT33, a known threat group. However, the report notes this attribution is not definitive but is based on the reuse of specific server networks previously used by that group.

The primary activity observed is Resource Development. This means the attackers are currently building the tools and renting the servers they need to launch attacks. Goals likely include credential harvesting (stealing login info) and establishing command and control for botnets.

The actors registered new website names using private email addresses and privacy-focused services to hide their identities. They then rented dedicated servers to host these sites, occasionally moving them to different server addresses to avoid detection.

Organizations should block the specific server IP addresses and website names listed in the report. It is also recommended to monitor for any web traffic involving the "Realhosters" name server, as it is linked to suspicious activity.
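To make the blocking and monitoring advice above concrete, here is an added example (not code from Certfa Radar or from the report it summarizes) that matches the IOCs listed on this page against DNS resolver log lines. The indicators are taken from the "Extracted IOCs" list and the ns1.realhosters.com name server named in the overview; the log format (timestamp, client, query type, query name, answer) and the sample lines are constructed for the example and are not from the report.

```python
"""Scan DNS resolver log lines for the indicators listed in this threat record."""
import ipaddress
import re
from typing import Dict, List

# Indicators exactly as listed on this page (defanged); refanged below for matching.
IOC_DOMAINS_DEFANGED = [
    "afr-msupdate[.]com",
    "asia-msupdate[.]com",
    "de-msupdate[.]com",
    "taskreminder[.]net",
    "times-sync[.]com",
]
IOC_IPS_DEFANGED = ["137[.]74.157.84", "91[.]134.187.25"]

# Name server the report links to the suspicious infrastructure.
SUSPICIOUS_NS = "ns1.realhosters.com"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable string."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_IPS = {ipaddress.ip_address(refang(i)) for i in IOC_IPS_DEFANGED}

# Constructed sample log (assumed format): "<ts> <client> <qtype> <qname> <answer>".
SAMPLE_LOG = """\
2020-05-21T10:00:01Z 10.0.0.5 A www.example.org 93.184.216.34
2020-05-21T10:00:02Z 10.0.0.7 A de-msupdate.com 137.74.157.84
2020-05-21T10:00:03Z 10.0.0.9 A mail.taskreminder.net 91.134.187.25
2020-05-21T10:00:04Z 10.0.0.5 NS lookalike-test.invalid ns1.realhosters.com
2020-05-21T10:00:05Z 10.0.0.7 A intranet.corp.example 10.1.2.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s+(?P<answer>\S+)$"
)


def domain_matches(qname: str) -> bool:
    """True if qname is an IOC domain or a subdomain of one (case-insensitive)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(answer: str) -> bool:
    """True if the resolved answer is one of the listed IOC IP addresses."""
    try:
        return ipaddress.ip_address(answer) in IOC_IPS
    except ValueError:  # answer was a hostname (e.g. NS/CNAME), not an address
        return False


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed log record that hits an indicator, with the reasons."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        rec = m.groupdict()
        reasons = []
        if domain_matches(rec["qname"]):
            reasons.append("ioc-domain")
        if ip_matches(rec["answer"]):
            reasons.append("ioc-ip")
        # The report recommends watching for traffic involving the Realhosters name server.
        if rec["qtype"].upper() == "NS" and rec["answer"].lower().rstrip(".") == SUSPICIOUS_NS:
            reasons.append("suspicious-ns")
        if reasons:
            hits.append({**rec, "reasons": ",".join(reasons)})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["client"], h["qtype"], h["qname"], h["answer"], h["reasons"])
```

Subdomain matching (`mail.taskreminder.net`) is deliberate, since the report describes the actors moving hosts between server addresses under the same registered names; matching on the registered domain rather than the exact hostname catches those moves, while the suffix check with a leading dot avoids false hits on unrelated names such as `notmsupdate.com`.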