Security researchers have uncovered new details about the infrastructure behind the LoJax UEFI rootkit, which has been used in attacks by APT28. The analysis revealed that two command and control (C2) servers were still active in early 2019. The research mapped some of the IP addresses that the UK’s National Cyber Security Center (NCSC) listed as indicators of compromise for malware used by Fancy Bear in a report in October of last year. Some of the domains were not encountered in the wild, and some of them have not been seen in LoJax samples. Two of them were still pointing to live C2 servers in 2019.
Source: https://www.bleepingcomputer.com/news/security/lojax-command-and-control-domains-still-active/