{
	"id": "e8c8beff-a76d-467c-b6b1-8d832469150a",
	"created_at": "2026-04-29T02:20:45.069233Z",
	"updated_at": "2026-04-29T08:21:09.434191Z",
	"deleted_at": null,
	"sha1_hash": "50ce3d2f9cf68173c7a68ce162fef26985a7cb63",
	"title": "Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3331559,
	"plain_text": "Iranian APT Infrastructure in Focus: Mapping State-Aligned\r\nClusters During Geopolitical Escalation\r\nPublished: 2026-03-04 · Archived: 2026-04-29 02:11:16 UTC\r\nTensions between the United States, Israel, and Iran have reached a critical point following a series of diplomatic\r\nbreakdowns, which led to escalating military exchanges and proxy engagements across the Middle East. History\r\nhas shown that when hostilities rise to this degree, cyber operations do not lag far behind kinetic activity. They\r\nprecede it.\r\nThese operations, whether infrastructure reconnaissance, pre-positioning, or network intrusion, are part of the\r\noperational groundwork of modern conflict. Disrupting communications and compromising critical systems can\r\nweaken response capabilities long before physical engagement begins. Iranian state-aligned actors have\r\nhistorically targeted energy, financial services, government networks, and defense-related organizations across the\r\nU.S., Israel, and allied regions.\r\nThis post does not attempt to assess the political dimensions of the conflict. Instead, it focuses on infrastructure-level intelligence such as ASN patterns, TLS fingerprints, and hosting clusters derived from Hunt.io. While many\r\nindicators originate from public reporting, infrastructure scanning and behavioral clustering can expand them into\r\nwider operational patterns.\r\nUnderstanding these patterns is what enables proactive defense to see the threat coming before it hits. To illustrate\r\nhow this plays out in real operations, we first examine several Iranian-linked threat actors currently tracked within\r\nHunt.io.\r\nIranian Threat Actors Currently Tracked in Hunt.io\r\nHunt.io continuously extracts high-value IOCs such as IP addresses, hosts, and SHA-256 hashes from a wide\r\nrange of OSINT sources and consolidates them into a single, structured view. 
19 threat groups linked to Iran are\r\ncurrently tracked by Hunt.\r\nBy normalizing and linking this data at the threat actor level, analysts can quickly pivot between infrastructure,\r\nartifacts, and campaigns, reducing the time needed to move from attribution to actionable hunting and detection.\r\nhttps://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters\r\nPage 1 of 13\n\nFigure 1: Overview of Iranian threat actor profiles containing IPs, hosts, and sample hashes\r\nThese actors represent a mix of state-aligned and hacktivist-motivated operations, with campaigns ranging from\r\nespionage and credential harvesting to ransomware and attacks targeting critical infrastructure.\r\nFigure 2: Profile for MuddyWater APT group\r\nCurrent infrastructure intelligence identifies 264 total IPs, 432 hosts, and 128 related SHA-256 hashes attributed\r\nto MuddyWater. Activity observed as recently as the end of January highlighted a persistent campaign targeting\r\norganizations in the Middle East and North Africa (MENA). Research also suggested domain reuse dating back to\r\nOctober 2025.\r\nFigure 3: VoidManticore profile showing the most recent IPs and hosts\r\nVoidManticore includes a footprint of 13 tracked IPs, 1 associated host, and 91 SHA-256 hashes. Recent\r\nreporting involves the exploitation of an Omani government mailbox to facilitate the delivery of malicious\r\nMicrosoft Word documents focusing on critical infrastructure and government entities worldwide.\r\nFigure 4: Screenshot of APT42 profile page\r\nAPT42, also known as Charming Cypress or Mint Sandstorm, links to 54 IPs, 233 total hosts, and 44 SHA-256\r\nhashes. 
Analysis of recent campaigns introduces TameCat, a modular, PowerShell-based backdoor used to target\r\nsenior defense and government officials.\r\nFigure 5: Most recent activity linked to APT35 as identified by Hunt\r\nHigh-value IOCs revealed 79 IPs, 2,211 hosts, and 67 SHA-256 hashes attributed to APT35. This threat actor has\r\nused WhatsApp to distribute spear-phishing messages using spoofed websites to steal the credentials of security\r\nand defense-related individuals. In late 2025, a trove of documents and information linked to APT35 was leaked,\r\nincluding C2 infrastructure IPs, usernames, passwords, and more.\r\nFigure 6: Infy group actor profile page\r\nInfy has a footprint of 18 IPs, 53 associated hosts, and 58 SHA-256 hashes. Following recent campaign shifts,\r\nthe group has been observed using updated Foudre and Tonnerre variants to target Iranian dissidents and\r\nregional government entities, leveraging Telegram-based C2 to bypass defenses.\r\nFigure 7: Infrastructure Pattern Comparison Across Iranian-Linked Actors\r\nInfrastructure Patterns Observed\r\nAcross intrusion campaigns, network infrastructure is an operational requirement for any threat actor\r\ncommunicating with target systems. 
While provisioning that infrastructure, actors frequently, sometimes\r\nunknowingly, leave behind patterns that defenders can fingerprint and track in real time.\r\nClustering on behaviors such as repeated use of specific autonomous systems (AS), hosting providers, certificate\r\nauthorities, and domain registrars can enable C2/threat group tracking well beyond reported indicators of\r\ncompromise.\r\nThe following examines these patterns as observed through Hunt.io's Attack Capture feature, beginning with a\r\nknown MuddyWater IP identified in the above threat actor profile page.\r\nMuddyWater APT (also referred to as Mango Sandstorm) and other Iranian state-linked groups have displayed a\r\npreference for hosting with NameCheap and Hosterdaddy Private Limited (AS136557).\r\nAlthough additional ASNs have appeared in historical reporting, these two providers recur with enough frequency\r\nto serve as high-confidence infrastructure clustering pivots. This is particularly valuable when combined with\r\nrecurring use of offensive tools unique to Iranian APTs, such as remote monitoring and management (RMM)\r\nsoftware and PowerShell scripts.\r\nOpen directory listings are among the highest-value findings in infrastructure hunting. A misconfigured server\r\noffers not only an inventory of attacker tooling, but a window into the mindset of how network intrusions are\r\nconducted. 
In Attack Capture, file hashes can be pivoted on to find whether any other servers are hosting the same file.\r\nHosted on NameCheap, 209.74.87[.]100 is present in the MuddyWater threat actor profile page on 20 February.\r\nFigure 8: Attack Capture file manager for open directory hosted at 209.74.87[.]100\r\nAmong the thousands of exposed artifacts on the server was FMAPP.exe, a proxy binary used as a tunneling\r\ncomponent.\r\nPivoting on the file hash (SHA-256:\r\ne25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b) resulted in a single IP not\r\npreviously reported, 157.20.182[.]49.\r\nFigure 9: SHA-256 hash pivot result on FMAPP.exe, showing an additional IP\r\nConsistent with MuddyWater's established AS pattern, the above IP is hosted on the Hosterdaddy Private Limited\r\nnetwork and is another server within this wider cluster. Similar to the initial directory, many of the exposed files\r\nconsisted of offensive tooling.\r\nFigure 10: Snippet of the files available for download from 157.20.182[.]49\r\nThe directory remained accessible until February 26. Several days later, on March 2, our network scans identified\r\na Sliver C2 server on port 31337. The C2's presence was only captured for a single day. 
It remains unclear whether\r\nMuddyWater is actively operating the Sliver C2 instance, but as explained below, it appears the group may\r\nbe using openly available tooling to blend in with cybercriminals and other actors.\r\nFigure 11: Identification of Sliver C2 on port 31337 on 157.20.182[.]49\r\nOf note, two files from the directory stood out as suspicious and required further analysis:\r\nudp_3.0.py: A custom Python-based UDP command and control server using a lightweight symmetric\r\ncipher for communications over port 1269.\r\nreset.ps1: Multi-stage PowerShell dropper and installer, responsible for downloading JavaScript payloads,\r\nincluding Node.js runtime dependencies.\r\nParticularly interesting was the dropper's explicit dependency on ethers.js and the WebSocket library, indicating\r\nEthereum-based infrastructure as a communications component. Upon execution, reset.ps1 communicates with\r\n185.236.25[.]119:3001 using WebSockets. 
This IP is identified as high risk in Hunt due to Tsundere botnet panel logins\r\non ports 80 and 3000.\r\nFigure 12: The C2 linked to reset.ps1 is also identified as hosting Tsundere botnet panels\r\nStarting with a single IP address, infrastructure pivoting uncovered two additional servers within the same hosting\r\ncluster, including a node potentially leveraging blockchain-related libraries for command-and-control\r\ncommunications.\r\nAdditionally, it appears MuddyWater is using publicly available malware, likely to blend in with cybercriminals.\r\nTarget-referenced files related to a UAE engineering company found within the .49 directory further strengthened\r\nthe assessment of campaign alignment.\r\nThis activity is consistent with previously documented MuddyWater infrastructure patterns and overlaps known\r\nhosting and tooling behaviors attributed to the group.\r\nHow to Track These Actors with Hunt.io\r\nThe earlier MuddyWater example demonstrated how pivoting from IP to hash to ASN can expose wider\r\ninfrastructure clusters tied to an actor. The same clustering logic applies across other Iranian-linked groups.\r\nIn this section, we extend that approach using HuntSQL and examine Dark Scepter, a recently identified actor\r\noverlapping with APT34 (OilRig).\r\nReviewing C2 domains linked to Dark Scepter showed Cloudflare being used to proxy infrastructure and obscure\r\norigin IP addresses. Cloudflare fronting is common among Iranian-aligned operators, which makes certificate\r\nSubject Alternative Name (SAN) pivoting especially valuable for revealing backend servers.\r\nWhile CDN fronting can delay direct attribution, the underlying domain frequently appears as a SAN entry on\r\ncertificates issued elsewhere. 
Pivoting on certificate hostnames often exposes the real infrastructure behind the\r\nproxy.\r\nUsing the C2 domain web14[.]info as an example, we pivot on certificate hostnames to identify the likely backend\r\nserver.\r\nExample Query:\r\nSELECT\r\n ip,\r\n port,\r\n hostnames\r\nFROM\r\n certificates\r\nWHERE\r\n hostnames RLIKE 'web[0-9]{2}.info[^a-zA-Z0-9.]'\r\n AND timestamp \u003e '2026-02-01'\r\nGROUP BY\r\n ip,\r\n port,\r\n hostnames\r\nExample Output:\r\nFigure 13: HuntSQL query to locate the real IP used by Dark Scepter\r\nThe query, which uses a regex to match all occurrences of web*.info hostnames, identifies actor-controlled infrastructure\r\nhosted on M247 Europe SRL at 38.180.239[.]161. From the results, we also see several domains listed as\r\nhostnames. Some of these domains have previously appeared in public reporting, including Maltrail.\r\nanythingshere[.]shop\r\ncside[.]site\r\nfootballfans[.]asia\r\nmenclub[.]lt\r\nmusiclivetrack[.]website\r\nstone110[.]store\r\nweb14[.]info\r\nA review of the webpage details on 38.180.239[.]161 reveals a unique title, \"Wonders Above\". 
To further pivot on\r\nthese new findings, we can build an additional HuntSQL query to determine how prevalent this title is across the\r\ninternet and whether it makes a solid hunting query.\r\nFigure 14: Example webpage when making a GET request to the attacker-controlled IP, 38.180.239[.]161\r\nExample Query:\r\nSELECT\r\n ip,\r\n port\r\nFROM\r\n httpv2\r\nWHERE\r\n html.head.title LIKE '%Wonders Above%'\r\nGROUP BY\r\n ip,\r\n port\r\nExample Output:\r\nFigure 15: HuntSQL query results for servers hosting the 'Wonders Above' page\r\nThe results returned two additional IP addresses using either port 443, 2053, 2083, or 2096, plus the server we\r\nstarted with in the previous query. The new servers share the same webpage and Let's Encrypt certificates with\r\nmultiple hostnames as seen below:\r\n92.243.65[.]243\r\n185.76.79[.]125\r\nThe virtual servers are hosted on Akton d.o.o. (AS25467) and EDIS GmbH (AS57169), respectively. Observed\r\ndomain names: justweb[.]click, girlsbags[.]shop, lecturegenieltd[.]pro, ntcx[.]pro, and retseptik[.]info.\r\nPivoting on reused webpages and certificate hostnames is a reliable way to track not only Dark Scepter and other\r\nIranian groups, but a majority of threat actors who think simply moving their C2 infrastructure behind Cloudflare\r\nwill deter defenders.\r\nWhat U.S. and Israeli Organizations Should Monitor\r\nIranian state-linked actors have consistently targeted organizations aligned with national intelligence priorities and\r\nthose deemed a threat. For U.S. 
and Israeli entities, the sectors of greatest exposure are government agencies,\r\ndefense contractors, energy and utilities operators, universities and policy institutions, and financial services.\r\nMonitoring Recommendations\r\nDefenders should prioritize monitoring the following:\r\nVPN and remote access appliances: Monitor for anomalous geolocation shifts, ASN changes, and\r\nauthentication attempts tied to high-risk hosting networks.\r\nSuspicious emails: Enforce MFA across all users and monitor for OAuth abuse, token replay, and credential\r\nharvesting patterns.\r\nSpoofed domains: Continuously scan for typosquatting domains and certificate reuse tied to defense,\r\nenergy, and government keywords.\r\nASN-based monitoring: Track infrastructure originating from repeatedly observed Iranian-linked ASNs\r\nsuch as Hosterdaddy Private Limited (AS136557).\r\nTLS fingerprinting: Leverage JARM and JA4x fingerprint clustering within HuntSQL to detect backend\r\ninfrastructure reuse behind CDN proxies.\r\nIndicators of Compromise (IOCs)\r\nThe infrastructure uncovered throughout this investigation reveals several previously unreported hosts, domains,\r\nand servers linked to Iranian-aligned operations.\r\nThe indicators below represent a subset of the infrastructure identified during this analysis. 
Additional indicators\r\nand actor infrastructure can be explored directly through Hunt.io threat actor profiles.\r\nIP addresses Details\r\n209.74.87[.]100 Open directory IP found in MuddyWater threat actor profile\r\n157.20.182[.]49 Additional IP/open directory sharing the same file (FMAPP.exe) as 209.74.87[.]100\r\n185.236.25[.]119 C2 for reset.ps1, a PowerShell loader found in 157.20.182[.]49\r\n38.180.239[.]161 Attacker-controlled IP linked to Dark Scepter hidden behind Cloudflare\r\n92.243.65[.]243 Secondary IP linked to 38.180.239[.]161 when pivoting on web page titles.\r\n185.76.79[.]125 Tertiary IP linked to the two above sharing the same web titles and TLS certificates\r\nDomains Details\r\nanythingshere[.]shop Dark Scepter C2 domain\r\ncside[.]site Dark Scepter C2 domain\r\nfootballfans[.]asia Dark Scepter C2 domain\r\nmenclub[.]lt Dark Scepter C2 domain\r\nmusiclivetrack[.]website Dark Scepter C2 domain\r\nstone110[.]store Dark Scepter C2 domain\r\nweb14[.]info Initial C2 domain linked to Dark Scepter\r\njustweb[.]click Dark Scepter C2 domain\r\ngirlsbags[.]shop Dark Scepter C2 domain\r\nlecturegenieltd[.]pro Dark Scepter C2 domain\r\nntcx[.]pro Dark Scepter C2 domain\r\nretseptik[.]info Dark Scepter C2 domain\r\nConclusion\r\nNetwork intrusions rarely begin with exploitation. They begin with infrastructure provisioning, staging, and\r\nreconnaissance that often occurs weeks before any direct interaction with a target. The indicators documented in\r\nthis assessment surfaced through proactive infrastructure clustering and behavioral pivoting, not reactive post-incident reporting.\r\nOnce an IP address or domain becomes widely published, operators have typically already rotated infrastructure.\r\nMonitoring ASN patterns, certificate reuse, hosting clusters, and hash overlaps shifts detection earlier in the\r\nintrusion lifecycle, where disruption is still possible. 
Infrastructure intelligence is not about reacting faster. It is\r\nabout seeing earlier.\r\nIf your organization, industry, or national infrastructure is exposed to these types of campaigns, Hunt.io\r\ncan help you identify and track the infrastructure behind them.\r\nGet in touch with our team to learn how Hunt.io supports proactive threat hunting and infrastructure\r\nmonitoring.\r\nSource: https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters"
	],
	"report_names": [
		"iranian-apt-infrastructure-state-aligned-clusters"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-29T06:58:57.893292Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-29T06:58:56.316107Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision",
				"COBALT MIRAGE",
				"Agent Serpens"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-29T06:58:57.745497Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450",
				"MuddyKrill"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"MuddyViper",
				"STARWHALE",
				"LP-Notes",
				"POWERSTATS",
				"Rclone",
				"Out1",
				"Tsundere Botnet",
				"PowerSploit",
				"Small Sieve",
				"Fooder",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-29T06:58:56.573445Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-29T06:58:56.310338Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK51",
				"Boggy Serpens",
				"Earth Vetala",
				"Static Kitten",
				"COBALT ULSTER",
				"Mango Sandstorm",
				"TA450",
				"TEMP.Zagros",
				"Seedworm",
				"G0069"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-29T06:58:57.692044Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-29T06:58:56.246729Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-29T06:58:56.187821Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Parastoo",
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-29T06:58:57.738664Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-29T06:58:57.506187Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-29T06:58:58.009074Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-29T06:58:57.501827Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-29T06:58:57.538371Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-29T06:58:57.579232Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-29T06:58:57.702025Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-29T06:58:56.229515Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Cobalt Gypsy",
				"Helix Kitten",
				"APT34",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Earth Simnavaz",
				"Twisted Kitten",
				"Crambus",
				"APT 34",
				"IRN2",
				"Evasive Serpens",
				"Hazel Sandstorm"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-29T06:58:57.99378Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-29T06:58:57.963058Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-29T06:58:58.033485Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429245,
	"ts_updated_at": 1777450869,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50ce3d2f9cf68173c7a68ce162fef26985a7cb63.pdf",
		"text": "https://archive.orkl.eu/50ce3d2f9cf68173c7a68ce162fef26985a7cb63.txt",
		"img": "https://archive.orkl.eu/50ce3d2f9cf68173c7a68ce162fef26985a7cb63.jpg"
	}
}