IOC Data Suggests Russia Bypassed Geolocation Bans – CTI Report

Our latest Cyber Threat Intelligence (CTI) Research Report provides key insights obtained by CyberProof’s CTI team, which were based on research and analysis of numerous malicious network infrastructures and Indicators of Compromise (IOCs) observed during the first half of 2022.

The Russia-Ukraine conflict is a highly significant aspect of this period. The impact of the conflict is reflected clearly in CyberProof’s CTI data and statistics.

CyberProof’s CTI team continuously tracks developments in the cyber threat landscape, including major malware and ransomware operations, evasive phishing techniques, and critical vulnerabilities and exploits. This coverage also focuses on the collection, active exposure, and validation of IOCs and Indicators of Attack (IOAs) associated with malicious activities. These indicators are utilized to develop optimal detection, response and prevention capabilities for CyberProof’s clients.

Behavior Patterns & Key Trends in 2022

Some of the key insights about the behavior of malicious actors gleaned by the CyberProof CTI team in the first half of 2022 include:

  • Geolocation bans: Although many cyber-attacks were executed by pro-Russian attackers during the Russia-Ukraine conflict in the first half of 2022, Russia ranks only seventh in terms of the geolocation associated with malicious activity. This suggests that Russian and other threat actors may have bypassed geolocation bans by operating through VPNs or proxies located in other countries, possibly China and the US.

  • Hacker preferences: Malicious actors always prefer to use services, infrastructures, providers, or geolocations that (1) enable them to act freely and anonymously, (2) involve minimal legal intervention, and (3) don’t require a great expense.

  • Malicious .ru domains: The high volume of malicious domains under the “ru” country code top-level domain (ccTLD) might imply (1) the targeting of Russian-speaking users, (2) the compromise of legitimate “ru” domains for malicious activities, or (3) minimal legal intervention against malicious .ru domains; many domain registrars banned registration of .ru domains during the conflict, and those that still supported registration did not apply sufficient enforcement.

  • Chinese-owned ASNs: Two of the top three ASNs most frequently reported as being associated with malicious IP addresses are owned by the Chinese government.

  • URL extensions: File extensions associated with phishing and credential harvesting, such as .php and .html, were more prevalent in malicious URLs than macro-enabled Office documents. This shift by attackers is likely related to Microsoft’s announcement that it will block Office macros from the internet by default.

  • Compromising WordPress sites: Attackers consistently compromised legitimate WordPress websites during the first half of 2022, planting malicious payloads on them without being detected. WordPress is an extensively targeted CMS that offers fertile ground for abuse.

  • Abusing DuckDNS: The legitimate dynamic DNS service DuckDNS was abused extensively by attackers to distribute malicious payloads while staying under the radar. Other legitimate services, such as Google Firebase Storage, were also extensively misused for malicious activity.
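To show the kind of indicator triage behind statistics like those above, here is an added Python example (not code from CyberProof or the report) that tags a constructed set of malicious URLs by ccTLD, dynamic-DNS hosting (DuckDNS) and file-extension class, then aggregates the counts; the sample URLs and the macro-enabled extension set are assumptions.

```python
from collections import Counter
from urllib.parse import urlparse

# Dynamic DNS providers to flag; DuckDNS is named in the report.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)

# Extensions grouped the way the report contrasts them: web phishing pages
# versus macro-enabled Office documents (the latter set is an assumption).
PHISHING_EXTS = {"php", "html", "htm"}
MACRO_DOC_EXTS = {"docm", "xlsm", "pptm"}


def classify_url(url: str) -> dict:
    """Derive the attributes tallied in the report from one malicious URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    # Two-letter final label is treated as a ccTLD (.ru, .de); .com/.org -> None
    cctld = labels[-1] if len(labels) >= 2 and len(labels[-1]) == 2 else None
    last_segment = parsed.path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else None
    if ext in PHISHING_EXTS:
        ext_class = "phishing_page"
    elif ext in MACRO_DOC_EXTS:
        ext_class = "macro_doc"
    else:
        ext_class = "other"
    is_ddns = any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)
    return {"host": host, "cctld": cctld, "dynamic_dns": is_ddns,
            "ext": ext, "ext_class": ext_class}


def summarize(urls) -> dict:
    """Aggregate ccTLD, dynamic-DNS and extension-class counts over a URL list."""
    rows = [classify_url(u) for u in urls]
    return {
        "cctld": Counter(r["cctld"] for r in rows if r["cctld"]),
        "dynamic_dns": sum(r["dynamic_dns"] for r in rows),
        "ext_class": Counter(r["ext_class"] for r in rows),
    }


# Constructed sample indicators; none of these are from the report.
SAMPLE_URLS = [
    "http://update-mail.example.ru/login/index.php",
    "https://secure-docs.example.ru/verify.html",
    "http://payload-host.duckdns.org/files/invoice.exe",
    "https://example-shop.de/order/details.docm",
    "http://example.com/a/b/c",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_URLS))
```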

To learn more about trends and behavior patterns of malicious actors in the first half of 2022 and how they were impacted by the Russia-Ukraine conflict, download the report here: