
New MITRE ATT&CK Groups for 2025: A DNS Deep Dive

The MITRE Corporation updates the list of groups on its ATT&CK page every six months, in April and October. The Updates - April 2025 advisory added seven new groups; the reports that supplied their indicators of compromise (IoCs) are listed in the References section. The IoC counts for each group are summarized below.

GROUP        | NUMBER OF DOMAIN IoCs | NUMBER OF IP ADDRESS IoCs | TOTAL NUMBER OF IoCs
APT42        | 148                   | 2                         | 150
BlackByte    | 3                     | 2                         | 5
RedEcho      | 15                    | 43                        | 58
Salt Typhoon | 0                     | 2                         | 2
Sea Turtle   | 13                    | 50                        | 63
Storm-1811   | 10                    | 8                         | 18
Velvet Ant   | 0                     | 2                         | 2

In a bid to uncover more potentially connected artifacts, WhoisXML API expanded the current IoC lists in this post. Our in-depth analysis led to the discovery of:

  • Three alleged victim IP records, obtained from the Internet Abuse Signal Collective (IASC), tied to three Autonomous System (AS) numbers
  • 638 email-connected domains, six of which are malicious
  • 26 additional IP addresses, 16 of which are malicious
  • 221 IP-connected domains
  • 4,195 string-connected domains, 37 of which are malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

New MITRE ATT&CK Group IoC Facts

We began our analysis by querying the 189 domains identified as IoCs on Bulk WHOIS API by group.

We found that only 99 of the 189 domains had current WHOIS records. Here is a summary of our creation date-related findings for the five groups with domain IoCs.

  • APT42: Only 81 of the 148 domains identified as IoCs had current WHOIS records. The 81 domains were created between 2016 and 2025.
  • BlackByte: One of the three domain IoCs had a current WHOIS record. The domain was created in 2018.
  • RedEcho: Only seven of the 15 domain IoCs had current WHOIS records. The seven domains were created between 1999 and 2024.
  • Sea Turtle: Three of the 13 domain IoCs had current WHOIS records. The three domains were created between 2000 and 2025.
  • Storm-1811: Only seven of the 10 domain IoCs had current WHOIS records. The seven domains were created in 2024.

Below is a summary of our registrar-related findings for the 99 domain IoCs with current WHOIS records.

  • APT42: The 81 domain IoCs were split across 15 registrars led by Namecheap, which accounted for 29 domains.
  • BlackByte: The domain IoC was administered by OVH.
  • RedEcho: The seven domain IoCs were spread among four registrars topped by Vitalwerks, which accounted for three domains.
  • Sea Turtle: The three domain IoCs were split across two registrars led by Tucows, which accounted for two domains.
  • Storm-1811: The seven domain IoCs were spread among three registrars topped by Hostinger and PDR, which accounted for three domains each.

Next, we summed up our registrant country-connected findings for the 99 domains with current WHOIS records below.

  • APT42: While one of the domain IoCs did not have a registrant country on record, the 80 remaining ones were split across seven nations led by Iceland, which accounted for 30 domains.
  • BlackByte: The domain IoC was registered in Ireland.
  • RedEcho: The seven domain IoCs were spread among three registrant countries topped by the U.S., which accounted for five domains.
  • Sea Turtle: One domain IoC each was registered in Hungary, Saint Kitts and Nevis, and the U.K.
  • Storm-1811: The seven domain IoCs were split across two registrant countries led by the U.S., which accounted for six domains.
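The per-group WHOIS summaries above (domains with a current record, creation-year range, registrar split, registrant-country split with "no country on record" counted separately) can be produced from a flat list of lookup results. The following is an added example written for this post, not code from WhoisXML API or its Bulk WHOIS API; the records are constructed samples with placeholder domain names, and the field names are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WhoisRecord:
    """One Bulk WHOIS result, reduced to the fields the summary needs (assumed layout)."""
    group: str
    domain: str
    created: Optional[int]      # creation year; None means no current WHOIS record
    registrar: Optional[str]
    country: Optional[str]      # registrant country; None means not on record


# Constructed sample results; the domains are placeholders, not real IoCs.
SAMPLE_RECORDS = [
    WhoisRecord("APT42", "example-a1[.]com", 2016, "Namecheap", "Iceland"),
    WhoisRecord("APT42", "example-a2[.]com", 2025, "Namecheap", None),
    WhoisRecord("APT42", "example-a3[.]com", 2021, "GoDaddy", "Iceland"),
    WhoisRecord("APT42", "example-a4[.]com", None, None, None),
    WhoisRecord("BlackByte", "example-b1[.]org", 2018, "OVH", "Ireland"),
    WhoisRecord("BlackByte", "example-b2[.]org", None, None, None),
]


def summarize_whois(records):
    """Build the per-group figures quoted in the post from a list of WhoisRecord.

    Domains without a current record are counted toward the group total but
    contribute nothing else; domains with a record but no registrant country
    are reported under "no_country" rather than silently dropped.
    """
    groups = {}
    for r in records:
        g = groups.setdefault(r.group, {
            "total": 0, "with_record": 0, "years": [],
            "registrars": Counter(), "countries": Counter(), "no_country": 0,
        })
        g["total"] += 1
        if r.created is None:
            continue                      # no current WHOIS record
        g["with_record"] += 1
        g["years"].append(r.created)
        g["registrars"][r.registrar] += 1
        if r.country is None:
            g["no_country"] += 1
        else:
            g["countries"][r.country] += 1

    summary = {}
    for name, g in groups.items():
        summary[name] = {
            "total": g["total"],
            "with_record": g["with_record"],
            "year_range": (min(g["years"]), max(g["years"])) if g["years"] else None,
            "registrar_count": len(g["registrars"]),
            "top_registrar": g["registrars"].most_common(1)[0] if g["registrars"] else None,
            "top_country": g["countries"].most_common(1)[0] if g["countries"] else None,
            "no_country": g["no_country"],
        }
    return summary


if __name__ == "__main__":
    for group, stats in summarize_whois(SAMPLE_RECORDS).items():
        print(group, stats)
```

The same function works unchanged on the real 189-domain result set once each API response is mapped onto a WhoisRecord; the only judgement call is what counts as "no current record", which here is the absence of a creation date.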

Next, we queried the 189 domains identified as IoCs on DNS Chronicle API and discovered that 186 of them had historical domain-to-IP address resolutions over time. In fact, the 186 domain IoCs recorded 9,190 IP resolutions in all. In addition, the domain IoC for APT42 webredirect[.]org posted the oldest resolution date to the IP address 207[.]38[.]70[.]29, that is, 7 February 2017. Take a look at historical DNS details for a domain IoC for each of the five groups with available data below.

GROUP      | DOMAIN IoC           | NUMBER OF IP RESOLUTIONS | FIRST IP RESOLUTION DATE
APT42      | acconut-signin[.]com | 97                       | 12 September 2023
BlackByte  | alteksecurity[.]org  | 17                       | 17 January 2023
RedEcho    | astudycarsceu[.]net  | 118                      | 7 January 2022
Sea Turtle | al-marsad[.]co       | 4                        | 8 October 2024
Storm-1811 | antispam2[.]com      | 125                      | 5 February 2017

We then queried the 109 IP addresses identified as IoCs on Bulk IP Geolocation Lookup by group. Take a look at the summary of our geolocation country-related findings below.

  • APT42: The two IP address IoCs were geolocated in Germany.
  • BlackByte: The two IP IoCs were geolocated in the Netherlands.
  • RedEcho: The 43 IP IoCs were geolocated in two countries—China and South Korea.
  • Salt Typhoon: The two IP IoCs were geolocated in the Netherlands.
  • Sea Turtle: While three IP IoCs did not have geolocation countries on record, the remaining 47 were scattered across 10 nations—Belgium, France, Germany, Moldova, the Netherlands, Romania, Serbia, Singapore, Sudan, and the U.S.
  • Storm-1811: The eight IP IoCs were scattered across three countries, namely, the Netherlands, Singapore, and the U.S.
  • Velvet Ant: One IP IoC each was geolocated in China and Japan.

We also uncovered the following ISP-connected findings for the 109 IP address IoCs:

  • APT42: The two IP IoCs were administered by Hetzner.
  • BlackByte: While one IP IoC did not have an ISP on record, the other was administered by Podaon.
  • RedEcho: While one IP IoC did not have an ISP on record, the remaining 42 were split across five ISPs led by HKBNES, which accounted for 16 IP addresses.
  • Salt Typhoon: Neither of the two IP IoCs had an ISP on record.
  • Sea Turtle: While nine IP IoCs did not have ISPs on record, the remaining 41 were administered by 14 ISPs topped by DigitalOcean, which accounted for 14 IP addresses.
  • Storm-1811: The eight IP IoCs were distributed among six ISPs led by Green Floid, which accounted for three IP addresses.
  • Velvet Ant: One IP IoC each was administered by CTGServer and MOACK.

Next, we queried the 109 IP addresses identified as IoCs on DNS Chronicle API and found that 77 of them had historical IP address-to-domain resolutions. The 77 IP addresses recorded 10,980 domain resolutions over time. The IP addresses 114[.]34[.]10[.]80, 114[.]35[.]16[.]182, 114[.]35[.]191[.]224, 122[.]116[.]165[.]62, 122[.]116[.]234[.]73, 220[.]132[.]106[.]193, and 220[.]133[.]141[.]117 associated with RedEcho; 178[.]17[.]167[.]51 with Sea Turtle; and 202[.]61[.]136[.]158 with Velvet Ant shared the oldest resolution date, 4 February 2017. Here are historical DNS details for an IP address IoC from each of the seven groups.

GROUP        | IP ADDRESS IoC       | NUMBER OF DOMAIN RESOLUTIONS | FIRST DOMAIN RESOLUTION DATE
APT42        | 49[.]13[.]194[.]118  | 4                            | 24 December 2021
BlackByte    | 185[.]93[.]6[.]31    | 15                           | 5 September 2021
RedEcho      | 101[.]78[.]177[.]227 | 2                            | 22 October 2019
Salt Typhoon | 185[.]141[.]24[.]28  | 633                          | 28 April 2020
Sea Turtle   | 108[.]61[.]103[.]186 | 296                          | 5 February 2017
Storm-1811   | 195[.]123[.]233[.]42 | 154                          | 14 January 2018
Velvet Ant   | 103[.]138[.]13[.]31  | 1                            | 21 July 2020

In addition, using sample netflow data our researchers obtained from the IASC, we further analyzed three IP addresses identified as IoCs—88[.]119[.]171[.]248, 91[.]90[.]195[.]52, and 62[.]115[.]255[.]163—that served as command-and-control (C&C) server addresses. The sample data showed three alleged victim IP records sending data to the three IP IoCs a total of 10 times. Take a look at ISP and AS data for the IP addresses below.

IP ADDRESS IoC (Destination IP) | ISP                | ASN
88[.]119[.]171[.]248            | N/A                | 61272
91[.]90[.]195[.]52              | Green Floid        | 204957
62[.]115[.]255[.]163            | Arelion (Twelve99) | 1299

On the flip side, we also analyzed communications originating from seven IP addresses identified as IoCs and found that they contacted 60 IP addresses a total of 216 times. Here are ISP and AS data for the seven source IP addresses.

IP ADDRESS IoC (Source IP) | ISP                | ASN
15[.]235[.]218[.]150       | OVHcloud           | 16276
31[.]13[.]195[.]52         | Neterra            | 34224
45[.]9[.]148[.]114         | N/A                | 49447
62[.]115[.]255[.]163       | Arelion (Twelve99) | 1299
88[.]119[.]171[.]248       | N/A                | 61272
91[.]107[.]150[.]184       | Hetzner Online     | 24940
91[.]90[.]195[.]52         | Green Floid        | 204957
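The two netflow questions asked above (which internal hosts sent data to the C&C IoCs, and which addresses the IoC hosts themselves contacted) are the same matching a defender runs over their own flow export when a new IoC list lands. The following is an added example written for this post, not the IASC data or WhoisXML API code. The three destination and seven source IoC addresses are the ones in the two tables above; the flow records are constructed, with the "victim" hosts drawn from the RFC 5737 documentation ranges, and the four-column CSV layout is an assumption about the export format.

```python
from collections import Counter, defaultdict


def refang(indicator: str) -> str:
    """Turn a defanged IoC such as '88[.]119[.]171[.]248' back into a dotted address."""
    return indicator.replace("[.]", ".")


# C&C destination IoCs from the post's first netflow table.
C2_IOCS = {refang(ip) for ip in (
    "88[.]119[.]171[.]248", "91[.]90[.]195[.]52", "62[.]115[.]255[.]163",
)}

# Source IoCs from the post's second netflow table.
SOURCE_IOCS = {refang(ip) for ip in (
    "15[.]235[.]218[.]150", "31[.]13[.]195[.]52", "45[.]9[.]148[.]114",
    "62[.]115[.]255[.]163", "88[.]119[.]171[.]248", "91[.]107[.]150[.]184",
    "91[.]90[.]195[.]52",
)}

# Constructed sample flows: timestamp,src,dst,bytes. The 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 hosts are documentation addresses.
SAMPLE_FLOWS = """\
2025-04-01T10:00:00Z,192.0.2.10,88.119.171.248,4096
2025-04-01T10:05:00Z,192.0.2.10,88.119.171.248,512
2025-04-01T10:07:00Z,192.0.2.11,91.90.195.52,1024
2025-04-01T10:09:00Z,192.0.2.12,62.115.255.163,2048
2025-04-01T10:11:00Z,192.0.2.12,198.51.100.5,300
2025-04-01T10:12:00Z,88.119.171.248,192.0.2.10,7000
2025-04-01T10:13:00Z,88.119.171.248,203.0.113.9,900
2025-04-01T10:14:00Z,91.90.195.52,203.0.113.9,100
"""


def parse_flows(text):
    """Parse the CSV export into (timestamp, src, dst, bytes) tuples, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split(",")
        flows.append((ts, src.strip(), dst.strip(), int(nbytes)))
    return flows


def outbound_to_c2(flows, iocs):
    """Flows whose destination is a C&C IoC.

    Returns (number of distinct source hosts, total matching flows,
    Counter keyed by (source, destination)). A host appearing here is a
    candidate victim and the first thing to triage.
    """
    hits = Counter()
    for _, src, dst, _ in flows:
        if dst in iocs:
            hits[(src, dst)] += 1
    victims = {src for src, _ in hits}
    return len(victims), sum(hits.values()), hits


def inbound_from_iocs(flows, iocs):
    """Flows originating at an IoC address.

    Returns (number of distinct contacted addresses, total contacts,
    dict of contacted address -> contact count).
    """
    contacted = defaultdict(int)
    for _, src, dst, _ in flows:
        if src in iocs:
            contacted[dst] += 1
    return len(contacted), sum(contacted.values()), dict(contacted)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("outbound to C&C:", outbound_to_c2(flows, C2_IOCS)[:2])
    print("inbound from IoCs:", inbound_from_iocs(flows, SOURCE_IOCS)[:2])
```

Refanging the IoC list once at load time, rather than defanging every flow record, keeps the match a plain set lookup; on a real export the same two functions run over millions of rows without any other change.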

IoC List Expansion Findings

We kicked off our search for connected artifacts with a WHOIS History API query for the 189 domains identified as IoCs and found that 63 of them had 254 email addresses in their historical WHOIS records after duplicates were filtered out. Closer scrutiny of the email addresses revealed that 43 were public email addresses.

We then queried the 43 public email addresses on Reverse WHOIS API and discovered that while none of them appeared in current WHOIS records, 36 did so in historical WHOIS records. Our search led to the discovery of 638 email-connected domains after duplicates and those already identified as IoCs were filtered out.

A Threat Intelligence API query for the 638 email-connected domains showed that six have already figured in various attacks. Take a look at three examples below.

MALICIOUS EMAIL-CONNECTED DOMAIN | ASSOCIATED THREAT TYPES
account-logins[.]com             | Malware distribution
brownstoneexpediting[.]com       | Generic threat
mailer-daemon[.]net              | Malware distribution

Next, we queried the 189 domains identified as IoCs on DNS Lookup API and found that 35 had active IP resolutions. We ended up with 26 additional IP addresses after filtering out duplicates and those already tagged as IoCs.
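The expansion steps described in this section form one pipeline: collect historical WHOIS email addresses for the IoC domains, keep the public ones, pivot through reverse WHOIS to the domains those addresses registered, then resolve the IoC domains and keep the IP addresses not already on the list, deduplicating at every step. The following is an added example written for this post, not WhoisXML API code, and it replaces the WHOIS History, Reverse WHOIS and DNS Lookup API calls with constructed in-memory tables. The three domain IoCs and the IP 207[.]38[.]70[.]29 are taken from the post; every email address, connected domain and other IP is a placeholder, and treating "public" as "uses a free webmail provider" is an assumption, not the post's definition.

```python
from itertools import chain


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    return indicator.replace(".", "[.]")


def norm(indicator: str) -> str:
    """Normalize to defanged form so mixed defanged/plain inputs compare equal."""
    return defang(refang(indicator.strip().lower()))


# Domain and IP IoCs already on the list (from the post).
IOC_DOMAINS = {"webredirect[.]org", "acconut-signin[.]com", "antispam2[.]com"}
IOC_IPS = {"207[.]38[.]70[.]29", "49[.]13[.]194[.]118"}

# Constructed stand-in for WHOIS History API: IoC domain -> historical emails.
HISTORICAL_EMAILS = {
    "webredirect[.]org": ["ops@example-registrant.test", "someone@gmail.com"],
    "acconut-signin[.]com": ["someone@gmail.com", "other@protonmail.com"],
    "antispam2[.]com": [],
}

# Assumed heuristic for "public" addresses: free webmail providers.
PUBLIC_MAIL_PROVIDERS = {"gmail.com", "protonmail.com", "yahoo.com", "outlook.com"}

# Constructed stand-in for Reverse WHOIS API: email -> domains in historical WHOIS.
REVERSE_WHOIS = {
    "someone@gmail.com": ["connected-one[.]com", "webredirect[.]org", "connected-two[.]net"],
    "other@protonmail.com": ["connected-two[.]net", "connected-three[.]org"],
}

# Constructed stand-in for DNS Lookup API: IoC domain -> current A records.
DNS_LOOKUP = {
    "webredirect[.]org": ["207[.]38[.]70[.]29", "198[.]51[.]100[.]7"],
    "acconut-signin[.]com": ["198[.]51[.]100[.]7", "203[.]0[.]113[.]20"],
    "antispam2[.]com": [],
}


def public_emails(emails, providers=PUBLIC_MAIL_PROVIDERS):
    """Keep only addresses whose mailbox provider is in the public-provider set."""
    return {e.lower() for e in emails if e.rsplit("@", 1)[-1].lower() in providers}


def expand_iocs(ioc_domains, ioc_ips, history, reverse, dns):
    """Run the email and DNS pivots and return deduplicated, IoC-filtered results."""
    ioc_domains = {norm(d) for d in ioc_domains}
    ioc_ips = {norm(ip) for ip in ioc_ips}

    # Step 1: historical WHOIS emails, deduplicated across all IoC domains.
    per_domain = {d: set(history.get(d, [])) for d in ioc_domains}
    all_emails = set(chain.from_iterable(per_domain.values()))
    domains_with_emails = sum(1 for v in per_domain.values() if v)

    # Step 2: public addresses only, then reverse WHOIS, minus known IoCs.
    pub = public_emails(all_emails)
    email_connected = set()
    for e in pub:
        email_connected.update(norm(d) for d in reverse.get(e, []))
    email_connected -= ioc_domains

    # Step 3: current resolutions of the IoC domains, minus known IoC IPs.
    additional_ips = set()
    for d in ioc_domains:
        additional_ips.update(norm(ip) for ip in dns.get(d, []))
    additional_ips -= ioc_ips

    return {
        "domains_with_emails": domains_with_emails,
        "unique_emails": len(all_emails),
        "public_emails": sorted(pub),
        "email_connected_domains": sorted(email_connected),
        "additional_ips": sorted(additional_ips),
    }


if __name__ == "__main__":
    print(expand_iocs(IOC_DOMAINS, IOC_IPS, HISTORICAL_EMAILS, REVERSE_WHOIS, DNS_LOOKUP))
```

Subtracting the known IoC sets after each pivot is what keeps the counts honest: a reverse WHOIS hit on a domain that is already an IoC is confirmation of the link, not a new artifact, and the same applies to an A record pointing at an IP already on the list.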

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

References

APT42

  • https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
  • https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/

BlackByte

  • https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure
  • https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware
  • https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/
  • https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/

RedEcho

  • https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
  • https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf

Salt Typhoon

  • https://blog.talosintelligence.com/salt-typhoon-analysis/

Sea Turtle

  • https://blog.talosintelligence.com/seaturtle/
  • https://blog.talosintelligence.com/sea-turtle-keeps-on-swimming/
  • https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html
  • https://www.huntandhackett.com/blog/turkish-espionage-campaigns

Storm-1811

  • https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
  • https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators

Velvet Ant

  • https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
