{
	"id": "490ad082-f246-41d5-8649-53baa0cdf8f6",
	"created_at": "2026-04-06T00:13:22.158936Z",
	"updated_at": "2026-04-10T03:37:36.948653Z",
	"deleted_at": null,
	"sha1_hash": "471317cdde87c3ccb3ce9a636462990308940330",
	"title": "New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54020,
	"plain_text": "New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web\r\nBy Catalin Cimpanu, Contributor, May 8, 2019 at 6:18 p.m. PT\r\nArchived: 2026-04-05 13:36:21 UTC\r\nTwo new leaks exposing Iranian cyber-espionage operations have been published online, via Telegram channels and websites on the Dark Web and the public Internet.\r\nOne leak claims to contain operational data from the MuddyWater hacking group, while the second leak reveals information about a new group identified in official Iranian government documents as the Rana Institute, a group not currently linked to any known Iranian cyber-espionage group.\r\nA first leak happened last month\r\nThese two leaks come a month after a mysterious figure using the Lab Dookhtegam pseudonym dumped on a Telegram channel the source code of several malware strains associated with APT34 (OilRig), an Iranian government-backed cyber-espionage group.\r\nThe two new leaks are different from the first. Neither includes malware source code. Instead, they contain images of source code of unknown origin, images of command and control server backends, and images listing past hacked victims.\r\nMultiple cyber-security firms, such as Chronicle, FireEye, and Palo Alto Networks, confirmed the authenticity of the first leak. 
Security researchers from ClearSky Security and Minerva Labs have confirmed this latest batch.\r\nWith two additional leaks hitting the airwaves, the theory that we are witnessing a well-orchestrated campaign to expose Iran's hacking operations now looks more valid than ever.\r\nThe perpetrators may be hoping that the political fallout from exposing Iran's hacks will damage the country's relations with neighbors, foreign political allies, and private sector companies, which may rethink their operations and relations with the Iranian government.\r\nMuddyWater leak\r\nThis was the second leak to emerge in the public eye, after the Lab Dookhtegam leak that occurred on Telegram last month. A group calling themselves the Green Leakers took responsibility.\r\nThe group still operates two Telegram channels and two different Dark Web portals where they are selling data they claim is from the operations of the MuddyWater APT (APT = advanced persistent threat, a name used to describe government-backed hacking groups).\r\nhttps://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/\r\nPage 1 of 3\r\nIran MuddyWaters dark web\r\nImage: ZDNet\r\nIran MuddyWaters on Telegram\r\nImage: ZDNet\r\nBecause this data was put up for sale, the leakers did not release any tools for free, as Lab Dookhtegam did in the first leak. 
Instead, they posted:\r\n- images showing the source code of a command and control (C\u0026C) server used by the MuddyWater APT\r\n- images of MuddyWater C\u0026C server backends, which also included unredacted IP addresses of some of MuddyWater's victims.\r\nIran Rana C\u0026C backend leak\r\nImage: ZDNet\r\nBecause the leakers have revealed only a small sample of data in the form of screenshots, the jury is still out on the authenticity of this leak; however, it cannot be discounted for the time being.\r\nBoth ZDNet and Minerva Labs have been keeping an eye on this leak for new developments, but besides having the Telegram channels suspended and having to create new ones, nothing new has been shared for a few days now.\r\nRana Institute leak\r\nThe third leak involving data from Iranian cyber-operations, which ZDNet has been tracking for almost a week, occurred on a Persian-language website on the public Internet and on a Telegram channel.\r\nThe leakers dumped small snippets from documents labeled \"secret\" that appeared to have originated with the Iranian Ministry of Intelligence and which described the Rana Institute, a contractor hired for cyber-espionage operations.\r\nUnlike the alleged MuddyWater leak, this one has been verified by security researchers with ClearSky Security, some of the leading experts in Iranian hacking operations.\r\nThe leaked documents are a treasure trove of threat intelligence for APT researchers, and expose the activities of a new group that had never been described or even spotted until today, despite being active since 2015.\r\n\"These documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems,\" ClearSky said in a report published a few hours ago.\r\n\"The documents shed light on some aspects of the group's activity, notably: tracking Iranians, tracking 
Iranian citizens outside of Iran, and the group's members.\"\r\nIran Rana leak on the clear web\r\nImage: ZDNet\r\nThe website where most of the Rana leak was published contained the personal details of Rana Institute members, along with a slew of information about past campaigns, most of which focused on hacking airlines to retrieve passenger manifests, and hacking travel booking sites to retrieve reservations and payment card numbers.\r\nBut in addition to airlines and booking sites, the group also targeted insurance, IT, and telecom firms, as well as government agencies and departments from all over the world.\r\nIran Rana target countries\r\nImage: ClearSky Security\r\nPer the leaked documents, the Rana hackers were also asked to develop malware, the most notable project assigned to their team being the development of malware capable of damaging SCADA industrial control systems, similar to Stuxnet or Shamoon.\r\n\"The project was unsuccessful and did not achieve its goals despite a large budget,\" ClearSky researchers said.\r\nAchieving their goals\r\nBy exposing the Rana group, it appears that the leakers, whoever they are, are achieving their goal of sabotaging Iran's cyber-espionage operations.\r\nWith hacking tools out in the open and with past campaigns exposed to the whole world, Iran's hacking groups will have to re-tool and focus on new campaigns going forward, potentially delaying any current or planned hacking efforts, exactly what the leakers may have wanted.\r\n
Source: https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/"
	],
	"report_names": [
		"new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34",
				"Cold River",
				"DNSpionage"
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34",
				"CHRYSENE",
				"Crambus",
				"EUROPIUM",
				"Hazel Sandstorm",
				"Helix Kitten",
				"ITG13",
				"OilRig",
				"Yellow Maero"
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/471317cdde87c3ccb3ce9a636462990308940330.pdf",
		"text": "https://archive.orkl.eu/471317cdde87c3ccb3ce9a636462990308940330.txt",
		"img": "https://archive.orkl.eu/471317cdde87c3ccb3ce9a636462990308940330.jpg"
	}
}