{
	"id": "d71d588d-7a72-423c-9971-87c230862382",
	"created_at": "2026-04-06T00:12:08.459503Z",
	"updated_at": "2026-04-10T13:12:16.346296Z",
	"deleted_at": null,
	"sha1_hash": "021cf1db3154e11806825d9b461b3a3f369e9380",
	"title": "Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60232,
	"plain_text": "Iranian Threat Agent Greenbug Impersonates Israeli High-Tech\r\nand Cyber Security Companies – ClearSky Cyber Security\r\nPublished: 2017-10-24 · Archived: 2026-04-05 15:32:16 UTC\r\nIranian Threat Agent Greenbug  has been registering domains similar to those of Israeli High-Tech and Cyber\r\nSecurity Companies.\r\nOn 15 October 2017 a sample of ISMdoor was submitted to VirusTotal from Iraq.  The sample name\r\nwas WmiPrv.tmp (f5ef3b060fb476253f9a7638f82940d9) and it had the following PDB string:\r\nC:\\Users\\Void\\Desktop\\v 10.0.194\\x64\\Release\\swchost.pdb\r\nTwo domains were used for command and control:\r\nthetareysecurityupdate[.]com\r\nsecurepackupdater[.]com\r\nBy pivoting off the registration details and servers data of the two domains we discovered others registered by the\r\nthreat agent. Eight contain the name of Israeli high-tech and cyber security companies and one of a Saudi Arabian\r\ntesting \u0026 commissioning of major electrical equipment company.\r\nWe estimate that the domains were registered in order to be used when targeting these companies, organisations\r\nrelated to them, or unrelated third parties. 
However, we do not have any indication that the companies were\r\nactually targeted or otherwise impacted.\r\nBelow are the malicious domains and the companies whose names were used.\r\nMalicious Domain | Impersonated company | Registration date\r\nwinsecupdater[.]com | | 11/6/2016\r\ndnsupdater[.]com | | 12/4/2016\r\nwinscripts[.]net | | 3/4/2017\r\nallsecpackupdater[.]com | Uncertain | 4/8/2017\r\nlbolbo[.]com | | 4/8/2017\r\nsecurepackupdater[.]com | Uncertain | 4/8/2017\r\nthetaraysecurityupdate[.]com | ThetaRay (thetaray.com) – An Israeli cyber security and big data analytics company | 4/8/2017\r\nymaaz[.]com | YMAAZE (ymaaze.com) – A Saudi Arabian testing \u0026 commissioning of major electrical equipment company | 4/8/2017\r\noospoosp[.]com | | 8/9/2017\r\nosposposp[.]com | | 8/9/2017\r\nznazna[.]com | | 8/9/2017\r\nmbsmbs[.]com | | 8/9/2017\r\noutbrainsecupdater[.]com | Outbrain (outbrain.com) – A major Israeli online advertising company | 8/9/2017\r\nsecurelogicupdater[.]com | SecureLogic (space-logic.com) – Likely an Israeli marketer of airport security systems by the same name. Other companies with the same name exist. | 8/9/2017\r\nbenyaminsecupdater[.]com | Uncertain | 8/9/2017\r\nwixwixwix[.]com | Wix (wix.com) – A major Israeli cloud-based web development platform | 8/9/2017\r\nbiocatchsecurity[.]com | Biocatch (biocatch.com) – an Israeli company developing technology for behavioral biometrics for fraud prevention and detection | 10/14/2017\r\ncorticasecurity[.]com | Cortica (cortica.com) – an Israeli company developing Artificial Intelligence technology | 10/14/2017\r\ncovertixsecurity[.]com | Covertix (covertix.com) – An Israeli data security company | 10/14/2017\r\narbescurity[.]com | Arbe Robotics (arberobotics.com) – An Israeli company developing autonomous driving technology | 10/14/2017\r\nIndicators of compromise\r\nIndicators of compromise are presented below and are available 
on PassiveTotal.\r\nThe Maltego graph below depicts the relationship among the indicators:\r\nUpdate 2017-10-25 – three hashes removed from IOC list\r\nThe following hashes were mistakenly included in the IOC list and have been removed, as they are unrelated to\r\nthe campaign:\r\nc594b52ec8922a1e980a2ea31b1d1157\r\n179cb8839e9ee8e9e6665b0986bf7811\r\nd30c4df6de21275ae69a4754fc2372ef\r\nSource: http://www.clearskysec.com/greenbug/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.clearskysec.com/greenbug/"
	],
	"report_names": [
		"greenbug"
	],
	"threat_actors": [
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434328,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/021cf1db3154e11806825d9b461b3a3f369e9380.pdf",
		"text": "https://archive.orkl.eu/021cf1db3154e11806825d9b461b3a3f369e9380.txt",
		"img": "https://archive.orkl.eu/021cf1db3154e11806825d9b461b3a3f369e9380.jpg"
	}
}