Microsoft has successfully received a court warrant to seize 42 malicious domains used by Nickel, a Chinese threat group. Recently, the threat group has targeted the U.S. and 28 other countries.

What is it all about?

The Nickel group was using several malicious domains for intelligence gathering from multiple government agencies, think tanks, and human rights organizations worldwide. 
  • The disruption of 42 malicious domains will stop or restrict the threat group from continuing its activities, as its important attack infrastructure has been now removed that was used in the latest attacks.
  • The victims were hacked using third-party virtual private network suppliers or stolen credentials acquired from spear-phishing campaigns.
  • The seized domains were found redirecting to secure servers by modifying the authoritative name to NS104b[.]microsoftintemetsafety[.]net / NS104a[.]microsoftintemetsafety[.]net.
  • Moreover, taking control of the malicious websites and redirecting traffic from those sites to secure servers of Microsoft, will be helpful in protecting existing and future victims.

A brief history

In 2016, the Digital Crimes Unit of Microsoft first discovered the threat group behind these malicious domains. Mandiant tracks the group as Ke3chang and suspects it to be active since 2010.
  • In 2019, the same group was found targeting government agencies across Europe and  Latin America by the Digital Security Unit (DSU) and Threat Intelligence Center (MSTIC) of Microsoft.
  • It seems that the goal of Nickel is to deliver malware on targeted servers to monitor the activity of their victims, along with collecting data and sending it to servers managed by them.


The recent seizure of domains will be very helpful for stopping the further or ongoing attacks by Nickel. The information may allow security researchers to learn more regarding Nickel’s activities. Additionally, more information, along with the indicators of compromise, has been released as well.

Cyware Publisher