Massive Phishing Campaign Targeting Ukraine Defense Contractors
Nearly 900 spoofed domains impersonate defense and aerospace firms supporting Ukraine. Credential theft and malware delivery linked to large phishing ops.

A newly uncovered cyber-espionage operation has targeted defense and aerospace companies across the globe, specifically those supporting Ukraine amid its ongoing war with Russia. According to new research from DomainTools, nearly 900 fake websites have popped up in just a few months, each one impersonating well-known military contractors and tech firms with close ties to Ukraine.
The goal is to trick employees into handing over their email credentials. These aren’t sloppy scams. Many of the sites look exactly like the internal login pages staff are used to seeing, down to the smallest detail. And behind the scenes, the infrastructure powering it all is designed to stick around and stay hidden.
Phishing Infrastructure Mimics Trusted Brands
At the heart of the operation is a phishing infrastructure built around a small number of mail servers and a much larger set of spoofed domains. The campaign began with the domain kroboronprom[.]com, a lookalike of Ukroboronprom, Ukraine's state-owned defense conglomerate. This domain hosted a Mailu-based login page likely designed to trick users into handing over their email credentials.
Subsequent analysis revealed at least nine more domains using the same Mailu login template and hosted on the same GHOSTnet VPS infrastructure. These domains—such as scooby-doo[.]xyz, rainbow-pony[.]buzz, and rocky-jellyfish[.]biz—were all registered through the registrar Spaceship. Despite their whimsical names, they served a serious purpose: acting as MX domains for phishing campaigns impersonating major defense firms in the U.S., Europe, and Asia.
Further investigation uncovered even more domains following the same pattern. Researchers identified over 870 spoofed domains whose names altered, dropped, or added characters in legitimate company domain names (kroboronprom for ukroboronprom, for instance). These spoofed domains were often used in phishing emails made to look as though they came from inside the targeted organization, with links directing recipients to webmail login pages hosted on attacker-controlled infrastructure.
Targets Spanned Defense, Aerospace, and IT Sectors
The phishing campaign was global. Organizations spoofed included:
France-based aerospace and defense firms (e.g., via domains like lucky-turtle[.]ink and stupid-buddy[.]mom)
U.K. and Italian defense companies
South Korean and Turkish aerospace firms
U.S.-based IT companies involved in Ukraine support
Swedish, Norwegian, and Ukrainian organizations in military sectors
These targets align closely with countries that have provided military, technical, or intelligence support to Ukraine during its war with Russia. The focus on these organizations suggests a clear cyber espionage motivation.
Credential Harvesting and Potential Malware Delivery
While most of the infrastructure was dedicated to credential theft via fake login pages, some elements of the campaign may have also supported malicious file delivery. One subdomain, cryptshare.rheinemetall[.]com, appeared to mimic a secure file-sharing service. Though the exact payload delivered remains unknown, its design strongly implies the attackers were distributing malware or weaponized documents under the guise of legitimate communication.
This combination of credential harvesting and file delivery fits a well-known pattern used by state-aligned threat actors to infiltrate target networks. Stolen credentials can be used to access sensitive systems, while malware can facilitate lateral movement or data exfiltration.
Malicious File Distribution via Fake Cryptshare Portal
The malware-delivery side of the campaign centered on infrastructure disguised as a secure file-sharing service. DomainTools researchers flagged the subdomain cryptshare.rheinemetall[.]com, which mimicked Cryptshare, a legitimate service used for password-protected file transfers.
A screenshot from urlscan.io shows the spoofed Cryptshare interface, including a password prompt page likely designed to appear trustworthy to defense sector employees. According to urlscan data, the domain was active between late January and mid-February 2025, a period during which it may have been used to deliver malicious files or weaponized documents.

Screenshot of the spoofed Cryptshare page hosted at cryptshare.rheinemetall[.]com
The subdomain was part of a larger cluster of suspicious infrastructure, including:
rheinemetall[.]com
rheinmetall.com[.]de
ukrtelecom[.]eu
funky-bober[.]art
These domains shared visual and infrastructure similarities with the earlier Mailu-based phishing sites and were hosted on the same GHOSTnet VPS backend. Another domain, ukrtelcom[.]com, showed Whois overlap with the others, but did not appear to be active at the time of the analysis.
While DomainTools could not confirm exactly what files were shared through the spoofed Cryptshare portal, the evidence strongly points to its use in malicious file delivery, reinforcing the idea that this operation wasn’t limited to credential theft. It also likely sought deeper access through malware deployment.
Attribution: Unclear but Tactically Consistent
DomainTools has not attributed the campaign to a specific threat actor, but the investigation notes that the tactics, techniques, and procedures (TTPs) strongly suggest a cyber espionage operation. This assessment is supported by the exclusive targeting of defense and aerospace firms tied to the Ukraine conflict, and the consistent use of Mailu-based infrastructure.
The use of the Spaceship registrar, coupled with the GHOSTnet VPS hosting provider, points to a deliberate effort to obscure attribution and delay takedowns. Many of the spoofed domains remain active, and the infrastructure continues to evolve.
Similar phishing tactics have been observed in other recent campaigns by suspected Russian actors, including device code-based phishing targeting email accounts and spear phishing attempts aimed at WhatsApp users.
Strategic Context: Intelligence Gathering Amid Conflict
As Ukraine continues to receive support from Western military contractors and defense firms, intelligence about these relationships, supply chains, and proprietary technologies is highly valuable to adversarial states. Stealing credentials from employees at these companies could grant attackers access to:
Internal documents on weapons systems
Communications with government clients
Supply chain data and vendor contracts
Sensitive operational timelines
Hostile actors could leverage intelligence like this to develop countermeasures, disrupt supply chains, or anticipate strategic moves on the battlefield.
Broader Implications: Escalating Cyber Operations
This campaign underscores the persistent threat posed by well-resourced adversaries using relatively simple tactics, spoofed domains and off-the-shelf phishing kits, deployed at scale. As geopolitical tensions rise, cyber-enabled espionage is becoming more common, more automated, and harder to detect.
It also raises important questions about resilience across the defense industrial base. Even large firms with mature security programs remain vulnerable to credential theft if employees are fooled by convincing phishing pages.
With the U.S. government reportedly pulling back some cyber and information operations against Russia, campaigns like this one may face less counterpressure. That shift makes commercial cybersecurity visibility and vigilance even more critical.
Indicators of Compromise (IOCs)
DomainTools published a list of related IOCs on GitHub, including:
Domains used for spoofing
IP addresses tied to GHOSTnet VPS
Screenshots of login portals
Subdomain structures linked to Cryptshare
Security teams supporting targeted sectors are encouraged to review and block this infrastructure. Proactive DNS monitoring (including alerting on newly registered lookalikes of your own and your suppliers' domains), employee phishing simulations, and multifactor authentication can help reduce the impact of such campaigns. Because the harvesting pages replicate real webmail logins, prefer phishing-resistant MFA such as FIDO2/WebAuthn where possible; one-time codes entered into a fake login page can be relayed to the real one by the attacker.
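As an added example (not code from the article or from DomainTools), the script below shows how a defender would operationalize two points made above: the lookalike construction of the spoofed domains (characters added, dropped, or swapped in a brand's name, or the brand label reused under a different suffix as in rheinmetall.com[.]de), and the advice to block and monitor the published infrastructure. It refangs a defanged IOC list, scores each domain against a list of protected brand domains using edit distance on the brand label, and pivots from seed domains to any others sharing an MX host, mirroring how the whimsical MX domains tied the cluster together. The PROTECTED list, the MX_OBSERVATIONS table, and the benign control entry example-supplier.com are constructed for illustration; in practice the brand list comes from your asset inventory and the MX data from passive DNS or live lookups.

```python
"""Added example: turn a defanged IOC list into lookalike verdicts and an MX pivot.

Not code from the article or DomainTools. PROTECTED and MX_OBSERVATIONS are
constructed for illustration; replace them with your asset list and passive DNS.
"""
from __future__ import annotations

# Assumed legitimate domains of the impersonated brands (illustrative only).
PROTECTED = ["ukroboronprom.com", "rheinmetall.com", "ukrtelecom.ua"]

# Defanged IOCs as the article prints them (constructed list for this example).
DEFANGED_IOCS = [
    "kroboronprom[.]com",
    "cryptshare.rheinemetall[.]com",
    "rheinmetall.com[.]de",
    "ukrtelecom[.]eu",
    "scooby-doo[.]xyz",
]

# Constructed domain -> MX host observations standing in for passive-DNS data.
# Values mirror the pattern the article describes (whimsical MX domains), not real records.
MX_OBSERVATIONS = {
    "kroboronprom.com": "mail.scooby-doo.xyz",
    "rheinemetall.com": "mail.rainbow-pony.buzz",
    "ukrtelecom.eu": "mail.scooby-doo.xyz",
    "example-supplier.com": "mx.example-supplier.com",  # benign control entry
}

MAX_DISTANCE = 2   # edits allowed before two labels stop counting as "similar"
MIN_LABEL_LEN = 4  # ignore short labels (TLDs, "www") when computing distance


def refang(ioc: str) -> str:
    """Undo common defanging so the value can be queried, blocked or compared."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, the usual O(len(a)*len(b)) DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain: str) -> str:
    """Label left of the suffix. Crude: assumes a one-label public suffix (.com, .ua)."""
    return domain.split(".")[-2]


def classify(domain: str) -> tuple[str, str] | None:
    """Return (protected_domain, reason) if `domain` looks like an impersonation, else None.

    Every label is compared with every brand label, so a brand reused as a
    subdomain (cryptshare.rheinemetall.com) or wrapped in extra labels
    (rheinmetall.com.de) is caught as well as a plain typo.
    """
    labels = domain.split(".")
    for brand in PROTECTED:
        blabel = brand_label(brand)
        for label in labels:
            if label == blabel:
                if domain == brand or domain.endswith("." + brand):
                    return None  # the brand itself or a genuine subdomain of it
                return brand, f"exact brand label {blabel!r} under a different suffix"
            if len(label) < MIN_LABEL_LEN:
                continue
            d = levenshtein(label, blabel)
            if d <= MAX_DISTANCE:
                return brand, f"label {label!r} within {d} edit(s) of {blabel!r}"
    return None


def triage(defanged: list[str]) -> dict[str, str]:
    """Refang each IOC and attach a human-readable verdict."""
    verdicts = {}
    for ioc in defanged:
        dom = refang(ioc)
        hit = classify(dom)
        verdicts[dom] = (f"LOOKALIKE of {hit[0]}: {hit[1]}" if hit
                         else "no brand match (block anyway; likely MX/relay infrastructure)")
    return verdicts


def pivot_by_mx(observations: dict[str, str], seed: set[str]) -> list[str]:
    """Expand a seed set of known-bad domains to every domain sharing an MX host with them."""
    bad_mx = {mx for dom, mx in observations.items() if dom in seed}
    return sorted(dom for dom, mx in observations.items() if mx in bad_mx)


if __name__ == "__main__":
    for dom, verdict in triage(DEFANGED_IOCS).items():
        print(f"{dom:32} {verdict}")
    print("MX pivot from kroboronprom.com:", pivot_by_mx(MX_OBSERVATIONS, {"kroboronprom.com"}))
```

Two design notes: the edit-distance threshold is deliberately small and short labels are skipped, otherwise TLDs and generic labels like "mail" produce noise, and brand_label() ignores multi-label public suffixes (co.uk, com.de), so feed it a proper public-suffix library before using it against a full newly-registered-domain feed. The MX pivot is the cheap version of the infrastructure clustering DomainTools describes; the same idea applies to shared nameservers, hosting ranges, and registrar/WHOIS fields.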
VulnU will continue to track emerging threats targeting critical infrastructure and organizations connected to global conflict zones. For updates on related research, subscribe to our newsletter.