A Russian Spearphishing Domain Is Now Hosted in New York City

Central to the Mueller indictment is attribution to Russia of a spearphishing campaign from domains then located in Romania. It is therefore more than a little surprising that one of these spearphishing domains is not only still in operation in May 2018, but hosted in New York City.

The first article linking the DNC hack to APT28 spearphishing by SecureWorks (here) in June 2016. Secureworks had been tracking APT28 spearphishing for some time through their bitly links. They provided two examples linking respectively to the malicious domains: accounts-google[.com and googlesetting[.com. I’ve looked at both, but will discuss only the latter in this note. These domains were previously discussed at CA here.

The SecureWorks article showed the following syntax for the hyperlink to googlesetting[.com.

The string ZGlm… expresses the target email (difeitalia.canberra[@] in base64 (see for conversions). According to public IP records, on April 29, 2015 (the relevant date), googlesetting[.]com resolved to, an IP address in Romania.  The domain is associated with APT28 by, inter alia, its registrant: Andre Roy, email address ///,:  a registrant discussed at CA here. In early 2015, the domain also sometimes resolved to a US IP address (

The googlesetting[.]com domain had quite a few contemporary attestations, in particular, inquiries to phishtank by Ukrainian activists associated with Informnapalm. The earliest attestation that I’ve located occurred on 2014-07-23 in a phishing email to anna.prokaeva[@] see below. At the time, the domain similarly resolved to IP address in Romania:

On 2018-05-26, a spearphishing email with IDENTICAL syntax to the 2014 spearphishing email was reported by Virus Total: see below.  The target (omaralshater[@] is, of course, different.

In late May 2018, the domain resolved to IP address, hosted by Bodis LLC in New York City: see here; here.

What does this mean? Dunno. But it sure seems odd to see the re-appearance in 2018 of a domain characteristic of the APT28 spearphishing campaign, this time in New York City.

Update (July 20): A commenter observed that Bodis LLC parks hundreds of thousands of unused domains, so the appearance of this domain in May 2018 doesn’t, in itself, mean anything. Thinking further on other possibilities, it seems possible that someone, in the course of re-investigating spearphishing events, might have done a search at VirusTotal or other anti-virus service on a string from a 2015 phishing attempt. If such a search was done in May 2018, Virus Total would only know the date of the inquiry, not the date of the phishing attempt. At the end of the day, there doesn’t seem to be anything here. I don’t wish to contribute to any additional inaccuracy on this murky topic and will consider deleting this post.

Climate Audit

Dear friends of this aggregator

  • Yes, I intentionally removed Newsbud from the aggregator on Mar 22.
  • Newsbud did not block the aggregator, although their editor blocked me on twitter after a comment I made to her
  • As far as I know, the only site that blocks this aggregator is Global Research. I have no idea why!!
  • Please stop recommending Newsbud and Global Research to be added to the aggregator.

Support this site

News Sources

Source Items
WWI Hidden History 50
Grayzone Project 119
Pass Blue 180
Dilyana Gaytandzhieva 14
John Pilger 416
The Real News 367
Scrutinised Minds 29
Need To Know News 2408
FEE 4435
Marine Le Pen 323
Francois Asselineau 25
Opassande 53
HAX on 5July 220
Henrik Alexandersson 847
Mohamed Omar 356
Professors Blog 10
Arg Blatte Talar 40
Angry Foreigner 18
Fritte Fritzson 12
Teologiska rummet 32
Filosofiska rummet 104
Vetenskapsradion Historia 151
Snedtänkt (Kalle Lind) 214
Les Crises 2655
Richard Falk 158
Ian Sinclair 101
SpinWatch 59
Counter Currents 8810
Kafila 433
Gail Malone 37
Transnational Foundation 221
Rick Falkvinge 94
The Duran 9470
Vanessa Beeley 93
Nina Kouprianova 9
MintPress 5570
Paul Craig Roberts 1662
News Junkie Post 58
Nomi Prins 27
Kurt Nimmo 191
Strategic Culture 4673
Sir Ken Robinson 20
Stephan Kinsella 93
Liberty Blitzkrieg 842
Sami Bedouin 64
Consortium News 2568
21 Century Wire 3477
Burning Blogger 324
Stephen Gowans 85
David D. Friedman 150
Anarchist Standard 16
The BRICS Post 1507
Tom Dispatch 503
Levant Report 18
The Saker 4149
The Barnes Review 517
John Friend 453
Psyche Truth 152
Jonathan Cook 145
New Eastern Outlook 3799
School Sucks Project 1768
Giza Death Star 1851
Andrew Gavin Marshall 15
Red Ice Radio 606
GMWatch 2200
Robert Faurisson 150
Espionage History Archive 34
Jay's Analysis 920
Le 4ème singe 90
Jacob Cohen 206
Agora Vox 14802
Cercle Des Volontaires 431
Panamza 2106
Fairewinds 116
Project Censored 928
Spy Culture 502
Conspiracy Archive 76
Crystal Clark 11
Timothy Kelly 553
PINAC 1482
The Conscious Resistance 799
Independent Science News 76
The Anti Media 6584
Positive News 820
Brandon Martinez 30
Steven Chovanec 61
Lionel 291
The Mind renewed 439
Natural Society 2619
Yanis Varoufakis 964
Tragedy & Hope 122
Dr. Tim Ball 114
Web of Debt 141
Porkins Policy Review 408
Conspiracy Watch 174
Eva Bartlett 591
Libyan War Truth 321
DeadLine Live 1910
Kevin Ryan 62
Aaron Franz 225
Traces of Reality 166
Revelations Radio News 121
Dr. Bruce Levine 142
Peter B Collins 1533
Faux Capitalism 205
Dissident Voice 10504
Climate Audit 222
Donna Laframboise 424
Judith Curry 1119
Geneva Business Insider 40
Media Monarchy 2313
Syria Report 78
Human Rights Investigation 91
Intifada (Voice of Palestine) 1685
Down With Tyranny 11556
Laura Wells Solutions 43
Video Rebel's Blog 429
Revisionist Review 485
Aletho News 19954
ضد العولمة 27
Penny for your thoughts 2949
Northerntruthseeker 2330
كساريات 37
Color Revolutions and Geopolitics 27
Stop Nato 4703 Blog 2997 Original Content 6797
Corbett Report 2295
Stop Imperialism 491
Land Destroyer 1175
Webster Tarpley Website 1083

Compiled Feeds

Public Lists

Title Visibility
Funny Public