{
	"id": "d72de82b-fe20-4024-8795-6227b81546de",
	"created_at": "2026-04-06T01:31:37.389227Z",
	"updated_at": "2026-04-10T03:32:43.667763Z",
	"deleted_at": null,
	"sha1_hash": "1b34211aac883aac55f2df4fa8494307dbff317a",
	"title": "Rewterz Threat Alert - Iranian APT Uses Job Scams to Lure Targets - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44457,
	"plain_text": "Rewterz Threat Alert - Iranian APT Uses Job Scams to Lure\r\nTargets - Rewterz\r\nPublished: 2019-11-18 · Archived: 2026-04-06 01:22:15 UTC\r\nSeverity\r\nMedium\r\nAnalysis Summary\r\nA phishing campaign is detected, luring its targets with fake job scams. The campaign is being linked to Iranian\r\nAPT33. Indicators of compromise are given below, some of which have previously been used in other phishing\r\ncampaigns as well. The motive of the campaign is still not known. Similar phishing campaigns have been\r\npreviously launched to deploy Remote Access Trojans.\r\nImpact\r\nCredential Theft\r\nInformation Theft\r\nUnauthorized Remote Access\r\nIndicators of Compromise\r\nDomain Name\r\nwww[.]global-careers[.]org\r\ndyn-intl[.]world-careers[.]org\r\nglobal-careers[.]org\r\nraytheonjobs.serveblog[.]net\r\nFilename\r\nJobDescription.zip\r\nJobDescription.vbe\r\nMD5\r\n673510dd92eb812d70b017c27385d389\r\n7c295c528fea9385a2e3165b683d1a46\r\n24ccad79498d240f19bfd2fc144b875e\r\naf707c4f8e40f529e8a342259ee9c8ae\r\n0efb36b6dd3493b7869e8da731eff77d\r\nhttp://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets\r\nPage 1 of 2\n\nSHA-256\r\ne2b5900211088daf754d900ff7b229defe72bf6ae21efb53c966113a2b2b16b3\r\n92e66acd62dfb1632f6e4ccb90a343cb8b8e2f4fb7c9bfa9ae0745db0748223b\r\n6d76db96a544700a1fdcac810c7429aa64c22f249895d0a6e58d44809350fa69\r\n14985711a5aa14c6cded0f21db544706ba845de89866e06c59a9151e7dafe19f\r\nce0f7048903c6c2ee5357e8678247ae19666e91058060a3d38e09e49a94047b7\r\nSource IP\r\n208.91.197[.]91\r\nURL\r\nhttp[:]//fineksus[.]com/delp[.]exe\r\nRemediation\r\nBlock the threat indicators at their respective controls.\r\nDo not download and execute untrusted files.\r\nDo not respond to untrusted emails.\r\nSource: http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets\r\nhttp://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets"
	],
	"report_names": [
		"rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439097,
	"ts_updated_at": 1775791963,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b34211aac883aac55f2df4fa8494307dbff317a.pdf",
		"text": "https://archive.orkl.eu/1b34211aac883aac55f2df4fa8494307dbff317a.txt",
		"img": "https://archive.orkl.eu/1b34211aac883aac55f2df4fa8494307dbff317a.jpg"
	}
}