A typosquatting campaign intended to abuse popular brands is in the works, likely tied to Nobelium, the notorious Russian-state-backed group behind the SolarWinds attacks.

Recorded Future in its latest research is warning that the attackers are using infrastructure similar to that known to be used by Nobelium, to set up their command-and-control (C2) servers. 

This time, the group is preying on users looking online for specific brands who enter common spelling errors or "typos" in the URL. Those misspelled domain names are purchased by threat actors, who stand up spoofed sites to trick people into giving up their credentials, credit-card details, and more. 

"A key factor we have observed from Nobelium operators involved in threat activity is a reliance on domains that emulate other brands (some legitimate and some that are likely fictitious businesses)," the Recorded Future team explained in their report. "Domain registrations and typosquats can enable spearphishing campaigns or redirects that pose a threat to victim networks and brands."