{
	"id": "17c1a305-ba63-4325-bc5d-51b475c62874",
	"created_at": "2026-04-06T00:10:41.443198Z",
	"updated_at": "2026-04-10T03:33:23.713291Z",
	"deleted_at": null,
	"sha1_hash": "849af341110e821e74ed05361acd7a0b6f239ea5",
	"title": "Taking Action Against Hackers in Iran",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61929,
	"plain_text": "Taking Action Against Hackers in Iran\r\nPublished: 2021-07-15 · Archived: 2026-04-05 13:38:24 UTC\r\nFacebook threat intelligence analysts and security experts work to find and stop a wide range of threats including\r\ncyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other\r\ngroups. As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying\r\nusers if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve\r\nthe security of our products.\r\nToday, we’re sharing actions we took against a group of hackers in Iran to disrupt their ability to use their\r\ninfrastructure to abuse our platform, distribute malware and conduct espionage operations across the internet,\r\ntargeting primarily the United States. This group is known in the security industry as Tortoiseshell, whose activity\r\nwas previously reported to mainly focus on the information technology industry in the Middle East. In an apparent\r\nexpansion of malicious activity to other regions and industries, our investigation found them targeting military\r\npersonnel and companies in the defense and aerospace industries primarily in the US, and to a lesser extent in the\r\nUK and Europe. This group used various malicious tactics to identify its targets and infect their devices with\r\nmalware to enable espionage.\r\nThis activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong\r\noperational security measures to hide who’s behind it. Our platform was one of the elements of the much broader\r\ncross-platform cyber espionage operation, and the group’s activity on Facebook manifested primarily in social\r\nengineering and driving people off-platform (e.g. 
email, messaging and collaboration services and websites),\r\nrather than directly sharing the malware itself.\r\nWe identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet:\r\nSocial engineering: In running its highly targeted campaign, Tortoiseshell deployed sophisticated fake online\r\npersonas to contact its targets, build trust and trick them into clicking on malicious links. These fictitious personas\r\nhad profiles across multiple social media platforms to make them appear more credible. These accounts often\r\nposed as recruiters and employees of defense and aerospace companies from the countries their targets were in.\r\nOther personas claimed to work in hospitality, medicine, journalism, NGOs and airlines. They leveraged various\r\ncollaboration and messaging platforms to move conversations off-platform and send malware to their targets. Our\r\ninvestigation found that this group invested significant time into their social engineering efforts across the internet,\r\nin some cases engaging with their targets for months.\r\nPhishing and credential theft: This group created a set of tailored domains designed to attract particular targets\r\nwithin the aerospace and defense industries. Among them were fake recruiting websites for particular defense\r\ncompanies. They also set up online infrastructure that spoofed a legitimate US Department of Labor job search\r\nsite. As part of their phishing campaigns, they spoofed domains of major email providers and mimicked URL-shortening services, likely to conceal the final destination of these links. These domains appeared to have been\r\nused for stealing login credentials to the victims’ online accounts (e.g. corporate and personal email, collaboration\r\ntools, social media). 
They also appeared to be used to profile their targets’ digital systems to obtain information\r\nhttps://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/\r\nPage 1 of 6\n\nabout people’s devices, networks they connected to and the software they installed to ultimately deliver target-tailored malware.\r\nMalware: This group used custom malware tools we believe to be unique to their operations, including full-featured remote-access trojans, device and network reconnaissance tools and keystroke loggers. Among these\r\ntools, they continued to develop and modify their malware for Windows known as Syskit, which they’ve used for\r\nyears. They also shared links to malicious Microsoft Excel spreadsheets, which enabled malware to perform\r\nvarious system commands to profile the victim’s machine in a manner very similar to the Liderc reconnaissance\r\ntool identified by researchers at Cisco. One previously unreported variant of the malicious tool was embedded in a\r\nMicrosoft Excel document and was capable of writing the output (i.e. result of the system reconnaissance) to a\r\nhidden area of the spreadsheet, which presumably required an attacker to social engineer the target to trick them\r\ninto saving and returning the file.\r\nOutsourcing malware development: We’ve observed this group use several distinct malware families. Our\r\ninvestigation and malware analysis found that a portion of their malware was developed by Mahak Rayan Afraz\r\n(MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC). 
Some of the\r\ncurrent and former MRA executives have links to companies sanctioned by the US government.\r\nWe shared our findings and threat indicators with industry peers so they too can detect and mitigate this activity.\r\nTo disrupt this operation, we blocked malicious domains from being shared on our platform, took down the\r\ngroup’s accounts and notified people who we believe were targeted by this threat actor.\r\nThreat Indicators\r\nDomains:\r\n1st-smtp2go[.]email\r\n2nd-smtp2go[.]email\r\n3rd-smtp2go[.]email\r\n4th-smtp2go[.]email\r\naccounts[.]cam\r\nactivesessions[.]me\r\nadobes[.]software\r\nalhds[.]net\r\napppure[.]cf\r\nbahri[.]site\r\nbbcnews[.]email\r\nbitly[.]cam\r\nbiturl[.]cx\r\nbrdcst[.]email\r\ncareeronestop[.]site\r\ncc-security-inc[.]email\r\nccsecurity-mail-inc[.]email\r\nccsecurity-mail-inc[.]services\r\ncitymyworkday[.]com\r\ncityofberkeley[.]support\r\ncnbcnews[.]email\r\ncnnnews[.]global\r\ncodejquery-ui[.]com\r\ncom-account-challenge[.]email\r\ncom-signin-v2[.]email\r\ncomlogin[.]online\r\ncomlogin[.]services\r\ncopyleft[.]today\r\ncrisiswatchsupport[.]shop\r\ndatacatch[.]xyz\r\ndayzim[.]org\r\ndh135[.]world\r\ndollrealdoll[.]com\r\ndollrealdoll[.]online\r\nentrust[.]work\r\nerictrumpfundation[.]com\r\nfacebookservices[.]gq\r\nfblogin[.]me\r\nfileblade[.]ga\r\nfindcareersatusbofa[.]com\r\nfiservcareers[.]com\r\ngoodreads[.]rest\r\ngoogl[.]club\r\ngropinggo[.]com\r\nhex6mak5z98nubb9vpd6t36cydkncfci9im872qx6hjci2egx8irq3qyt9pj[.]online\r\nhike[.]studio\r\nhiremilitaryheroes[.]com\r\nhosted-microsoft[.]com\r\niemail[.]today\r\nincognito[.]today\r\ninfoga[.]cam\r\niqtel[.]org\r\nirtreporter[.]com\r\nitiee[.]life\r\nitieee[.]life\r\njessicamcgill[.]life\r\njqueryui-code[.]com\r\njumhuria[.]com\r\nkartick[.]net\r\nkaspersky[.]team\r\nlinkgen[.]me\r\nlinksbit[.]com\r\nlinq[.]ink\r\nliveleak[.]cam\r\nliveuamap[.]live\r\nlockheedmartinjobs[.]us\r\nloginaccount[.]email\r\nlogonexchangeonline[.]com\r\nlogonmicrosoftonline[.]com\r\nlskjirn[.]life\r\nmail2go[.]live\r\nmail2go[.]online\r\nmail2u[.]live\r\nmailaccountlive[.]email\r\nmailaccountlive[.]support\r\nmailpublisher[.]live\r\nmails[.]center\r\nmetacafe[.]live\r\nmicorsoftonilne[.]com\r\nmicorsoftonline[.]website\r\nmicorsoftonline[.]xyz\r\nmicrosoftoffice[.]systems\r\nmicrosoftonilne[.]cloud\r\nmispace[.]cam\r\nmsol[.]live\r\nmsonline[.]live\r\nmssecurityaccount[.]online\r\nmydomainxyz[.]xyz\r\nnews-smtp2go[.]email\r\nnewsl[.]ink\r\nnoreplay[.]email\r\nnovafile[.]tk\r\nonpointcorp[.]co\r\noutlook-services[.]com\r\noutlookservices[.]live\r\noutlookservices[.]me\r\noutube[.]live\r\npic-shareonline[.]com\r\npixlr[.]live\r\npixlr[.]myftp[.]org\r\npost-jquery[.]com\r\nprefiles[.]ml\r\npublicsgroupe[.]net\r\npwutc[.]live\r\nrali[.]live\r\nrecruitme[.]international\r\nrobotics[.]land\r\nsabic[.]work\r\nsandsngo[.]com\r\nsaudivisions2030[.]org\r\nsecurityaccountreply[.]com\r\nseery[.]online\r\nsendblaster[.]org\r\nsender[.]gb[.]net\r\nshareae[.]cf\r\nshlink[.]run\r\nshlnk[.]run\r\nshort-l[.]link\r\nshortli[.]live\r\nshrt[.]rip\r\nshur[.]live\r\nshurl[.]site\r\nsite1[.]life\r\nsmtp-2go[.]com\r\nsmtp2go[.]best\r\nsmtp2go[.]club\r\nsmtp2go[.]email\r\nsmtp2go[.]fun\r\nsmtp2go[.]icu\r\nsmtp2go[.]live\r\nsmtp2go[.]me\r\nsmtp2go[.]pw\r\nsmtp2go[.]site\r\nsmtp2go[.]space\r\nsmtp2go[.]website\r\nsmtper[.]center\r\nsmtptogo[.]pw\r\nsoc-usa[.]email\r\nsoundcloud[.]fun\r\nsoundcloud[.]live\r\nspreadme[.]international\r\nsrc-ymlang[.]link\r\nsupport-securitymail[.]email\r\nsupport-ymail-team[.]online\r\nsurl[.]ist\r\nsurl[.]live\r\nsxk8xrjtaikv3dxl7hgghw3vptvxpzzxeynrcltu4k3yeecjq3[.]online\r\nsystembackend[.]site\r\ntechmahindra[.]support\r\nteleweb[.]world\r\ntetra[.]email\r\nthegardian[.]ml\r\nthegaurdian[.]live\r\nthomsonsreuters[.]email\r\nthomsonsreuters[.]eu\r\nthomsonsreuters[.]link\r\nthomsonsreuters[.]net\r\ntinil[.]ink\r\ntinly[.]me\r\ntinylink[.]pro\r\ntinyurl[.]gold\r\ntiwpan[.]xyz\r\ntox[.]cheap\r\ntreasury[.]email\r\ntreporter[.]com\r\ntrumphotel[.]net\r\ntrumpnationallosangeles[.]email\r\ntrumporganization[.]world\r\ntrumporganizations[.]com\r\ntv-youtube[.]com\r\nuploaderfile[.]cf\r\nusdailypost[.]com\r\nusdailypost[.]net\r\nusdp[.]news\r\nvps[.]limited\r\nwatch-youtube[.]com\r\nwikileaks[.]email\r\nworkshopplatform[.]network\r\nxn--rumphotels-vcc[.]com\r\nxn--twitte-u9a[.]com\r\nxyzsitexyz[.]xyz\r\nymail-account[.]support\r\nymail-security-support[.]email\r\nymail-security[.]support\r\nymailaccounts[.]us\r\nymailsupport[.]info\r\nzain[.]network\r\nSource: https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/"
	],
	"report_names": [
		"taking-action-against-hackers-in-iran"
	],
	"threat_actors": [
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"DEV-0228",
				"HIVE0095",
				"Imperial Kitten",
				"TA456",
				"Tortoiseshell",
				"UNC3890",
				"Yellow Liderc"
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434241,
	"ts_updated_at": 1775792003,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/849af341110e821e74ed05361acd7a0b6f239ea5.pdf",
		"text": "https://archive.orkl.eu/849af341110e821e74ed05361acd7a0b6f239ea5.txt",
		"img": "https://archive.orkl.eu/849af341110e821e74ed05361acd7a0b6f239ea5.jpg"
	}
}
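Worked example added by the editor, appended after the archived record above; it is not Facebook's tooling and not part of the original report. It takes the report's `[.]`-defanged domain indicators, refangs them, and runs them over proxy log lines the way a SOC would: a host matches when it equals an indicator or is a subdomain of one (so `login.smtp2go.email` hits `smtp2go.email`, while the bare TLD never does), and a second check flags the brand-spoofing pattern the report describes (email providers, URL shorteners and news outlets imitated in the registered domain) even for hosts that are not yet on the list. The indicator subset, the log lines, the brand tokens and the allowlist of legitimate domains are constructed for illustration; the registered domain is approximated as the last two labels without a public-suffix list, and the report's `xn--` punycode entries are not decoded here.

```python
"""Scan proxy log lines for the report's defanged domain indicators.
Added example for the archived report; not Facebook's tooling. The indicator
subset, log format, brand tokens and allowlist below are constructed."""
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Constructed subset of the report's defanged indicator list.
RAW_IOCS = """
1st-smtp2go[.]email
bitly[.]cam
careeronestop[.]site
hosted-microsoft[.]com
micorsoftonilne[.]com
smtp2go[.]email
thomsonsreuters[.]net
ymail-account[.]support
"""
# Hypothetical brand tokens of the kind the report says were spoofed (email
# providers, URL shorteners, news outlets) and domains allowed to carry them.
BRAND_TOKENS = ("microsoft", "outlook", "smtp2go", "ymail", "bitly", "thomsonreuters")
LEGIT_DOMAINS = frozenset({"microsoft.com", "microsoftonline.com", "outlook.com",
                           "smtp2go.com", "ymail.com", "bitly.com", "thomsonreuters.com"})
# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2021-07-12T09:14:03Z 10.20.30.41 GET https://careeronestop.site/jobs/apply 200
2021-07-12T09:14:40Z 10.20.30.41 GET https://www.careeronestop.org/ 200
2021-07-12T09:15:10Z 10.20.30.77 POST https://login.smtp2go.email/session 302
2021-07-12T09:17:02Z 10.20.30.77 GET http://BITLY.CAM/3xYz 301
2021-07-12T09:18:30Z 10.20.30.12 GET https://login.microsoftonline.com/ 200
2021-07-12T09:19:01Z 10.20.30.12 GET https://micorsoftonilne.com/login 200
2021-07-12T09:20:15Z 10.20.30.55 GET https://hosted-microsoft.com/ 200
2021-07-12T09:21:44Z 10.20.30.55 GET https://mail.thomsonreuters-cdn.net/ 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

def refang(indicator: str) -> str:
    """'smtp2go[.]email' -> 'smtp2go.email', lower-cased, trailing dot removed."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")

def load_iocs(text: str = RAW_IOCS) -> frozenset[str]:
    """Refang every non-empty line of a defanged indicator list."""
    return frozenset(refang(line) for line in text.splitlines() if line.strip())

def hostname(url_or_host: str) -> str:
    """Hostname from a URL or a bare host, case-folded, trailing dot removed."""
    s = url_or_host.strip()
    if "://" in s:
        return (urlsplit(s).hostname or "").rstrip(".")
    return s.lower().rstrip(".")

def ioc_match(host: str, iocs: frozenset[str]) -> str | None:
    """Exact or parent-domain hit: 'login.smtp2go.email' matches 'smtp2go.email'.
    The walk stops before the bare TLD, so 'email' alone never matches."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def lookalike(host: str) -> str | None:
    """Brand token inside a registered domain that is not the brand's own.
    Registered domain is approximated as the last two labels (no public-suffix
    list here, so 'example.co.uk' would be cut wrongly)."""
    labels = host.split(".")
    if len(labels) < 2:
        return None
    registered = ".".join(labels[-2:])
    if registered in LEGIT_DOMAINS:
        return None
    squashed = registered.replace("-", "").replace(".", "")
    return next((t for t in BRAND_TOKENS if t in squashed), None)

def scan(log_text: str = SAMPLE_LOG, iocs: frozenset[str] | None = None) -> list[dict]:
    """One finding per log line whose host hits an indicator or a lookalike."""
    iocs = load_iocs() if iocs is None else iocs
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the constructed format
        host = hostname(m["url"])
        hit, look = ioc_match(host, iocs), lookalike(host)
        if hit or look:
            findings.append({"ts": m["ts"], "client": m["client"], "host": host,
                             "ioc": hit, "lookalike": look})
    return findings

if __name__ == "__main__":
    for f in scan():
        print(f"{f['ts']} {f['client']} {f['host']:<30} ioc={f['ioc']} lookalike={f['lookalike']}")
```

Run as a script it prints six findings from the eight sample lines: the two visits to `careeronestop.org` and `login.microsoftonline.com` are clean, `mail.thomsonreuters-cdn.net` is not on the list but is caught by the brand check, and `micorsoftonilne.com` is caught only because it is on the list, which is the point of pairing the two checks. To use it on real data, replace `RAW_IOCS` with the full list from the report and `SAMPLE_LOG` with your proxy or DNS export, and swap the two-label cut for a public-suffix library before trusting the lookalike column.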