Tracking Adversaries: Ghostwriter APT Infrastructure
ID: 1706e530-2c37-5073-abab-cf6f87cc9eeb
STIX ID: report--1706e530-2c37-5073-abab-cf6f87cc9eeb
Feed Name: BushidoToken Blog
This report explains how CTI analysts pivot on adversary infrastructure to expand visibility into a Ghostwriter (UNC1151) campaign that used malicious XLS macros to drop Cobalt Strike beacons. It documents overlapping IOCs (multiple .shop domains sharing registrar/name servers/robots.txt), shows how additional domains and related malware samples were discovered via VirusTotal and registration-pattern searches (listing ~24 likely malicious domains), and highlights lessons on leveraging infrastructure attributes for attribution and discovery.
