During its investigations and with the cooperation of multiple partners, ANSSI has discovered several clusters of malicious activity, including domain names, subdomains and email addresses, used in a large attack campaign with traces going back to 2017. The threat actor registered multiple domain names, and created several subdomains with a naming pattern revealing its potential targets.