Russia-Linked Turla APT Sneakily Co-Opts Ancient Andromeda USB Infections



A hacking group — suspected to be the Russia-linked Turla Team — reregistered at least three old domains associated with the decade-old Andromeda malware, allowing the group to distribute its own reconnaissance and surveillance tools to Ukrainian targets.

Cybersecurity firm Mandiant stated in a Thursday advisory that the Turla Team APT, tracked by Mandiant as UNC4210, took control of three domains that were part of Andromeda's defunct command-and-control (C2) infrastructure. Because hosts still infected with the old USB-spreading Andromeda malware continued to beacon to those domains, reregistering them gave the group a channel back into the compromised systems. The endgame was to distribute a reconnaissance utility known as Kopiluwak and a backdoor known as QuietCanary.
