{
	"id": "9d84f336-cdd0-428f-a4ce-3f583670d8bd",
	"created_at": "2026-04-06T00:06:29.206952Z",
	"updated_at": "2026-04-10T13:12:53.699834Z",
	"deleted_at": null,
	"sha1_hash": "b07891a642a097a1afc652f026e61c75fe1de816",
	"title": "Countering threats from Iran",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47433,
	"plain_text": "Countering threats from Iran\r\nBy Ajax Bash\r\nPublished: 2021-10-14 · Archived: 2026-04-05 20:00:49 UTC\r\nGoogle’s Threat Analysis Group tracks actors involved in disinformation campaigns, government-backed hacking,\r\nand financially motivated abuse. We have a long-standing policy to send you a warning if we detect that your account\r\nis a target of government-backed phishing or malware attempts. So far in 2021, we’ve sent over 50,000 warnings, a\r\nnearly 33% increase from this time in 2020. This spike is largely due to blocking an unusually large campaign from a\r\nRussian actor known as APT28 or Fancy Bear.\r\nWe intentionally send these warnings in batches to all users who may be at risk, rather than at the moment we detect\r\nthe threat itself, so that attackers cannot track our defense strategies. On any given day, TAG is tracking more than\r\n270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically\r\nmore than one threat actor behind the warnings.\r\nIn this blog, we explore some of the most notable campaigns we’ve disrupted this year from a different government-backed attacker: APT35, an Iranian group, which regularly conducts phishing campaigns targeting high-risk users.\r\nThis is one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers.\r\nFor years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage\r\naligned with the interests of the Iranian government.\r\nHijacked websites used for credential phishing attacks\r\nIn early 2021, APT35 compromised a website affiliated with a UK university to host a phishing kit. Attackers sent\r\nemail messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo.\r\nUsers were instructed to activate an invitation to a (fake) webinar by logging in. 
The phishing kit will also ask for\r\nsecond-factor authentication codes sent to devices.\r\nAPT35 has relied on this technique since 2017 — targeting high-value accounts in government, academia,\r\njournalism, NGOs, foreign policy, and national security. Credential phishing through a compromised website\r\ndemonstrates these attackers will go to great lengths to appear legitimate – as they know it's difficult for users to\r\ndetect this kind of attack.\r\nPhishing page hosted on a compromised website\r\nUtilization of Spyware Apps\r\nIn May 2020, we discovered that APT35 attempted to upload spyware to the Google Play Store. The app was\r\ndisguised as VPN software that, if installed, could steal sensitive information such as call logs, text messages,\r\ncontacts, and location data from devices. Google detected the app quickly and removed it from the Play Store before\r\nany users had a chance to install it. Although Play Store users were protected, we are highlighting the app here as\r\nTAG has seen APT35 attempt to distribute this spyware on other platforms as recently as July 2021.\r\nhttps://blog.google/threat-analysis-group/countering-threats-iran/\r\nPage 1 of 4\n\nSpyware app disguised as a VPN utility\r\nConference-themed phishing emails\r\nOne of the most notable characteristics of APT35 is their impersonation of conference officials to conduct phishing\r\nattacks. Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first\r\ncontact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on\r\ncorrespondence.\r\nTargets typically had to navigate through at least one redirect before landing on a phishing domain. Link shorteners\r\nand click trackers are heavily used for this purpose, and are oftentimes embedded within PDF files. 
We’ve disrupted\r\nattacks using Google Drive, App Scripts, and Sites pages in these campaigns as APT35 tries to get around our\r\ndefenses. Services from Dropbox and Microsoft are also abused.\r\nGoogle Sites page disguised as a Google Form to redirect to a phishing site\r\nTelegram for threat actor notifications\r\nOne of APT35’s novel techniques involves using Telegram for operator notifications. The attackers embed JavaScript\r\ninto phishing pages that notifies them when the page has been loaded. To send the notification, they use the Telegram\r\nAPI sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel. The\r\nattackers use this function to relay device-based data to the channel, so they can see details such as the IP, user-agent,\r\nand locales of visitors to their phishing sites in real time. We reported the bot to Telegram and they have taken action\r\nto remove it.\r\nPublic Telegram channel used for attacker notifications\r\nHow we keep users safe from these threats\r\nWe warn users when we suspect a government-backed threat like APT35 is targeting them. Thousands of these\r\nwarnings are sent every month, even in cases where the corresponding attack is blocked. If you receive a warning it\r\ndoes not mean your account has been compromised; it means you have been identified as a target.\r\nWorkspace administrators are also notified regarding targeted accounts in their domain. Users are encouraged to take\r\nthese warnings seriously and consider enrolling in the Advanced Protection Program or enabling two-factor\r\nauthentication if they haven't already.\r\nWe also block malicious domains using Google Safe Browsing – a service that Google's security team built to\r\nidentify unsafe websites across the web and notify users and website owners of potential harm. 
When a user of a Safe\r\nBrowsing-enabled browser or app attempts to access unsafe content on the web, they’ll see a warning page explaining\r\nthat the content they’re trying to access may be harmful. When a site identified by Safe Browsing as harmful appears\r\nin Google Search results, we show a warning next to it in the results.\r\nThreat Analysis Group will continue to identify bad actors and share relevant information with others in the industry,\r\nwith the goal of bringing awareness to these issues, protecting you and fighting bad actors to prevent future attacks.\r\nTechnical Details\r\nIndicators from APT28 phishing campaign:\r\nservice-reset-password-moderate-digital.rf[.]gd\r\nreset-service-identity-mail.42web[.]io\r\ndigital-email-software.great-site[.]net\r\nIndicators from APT35 campaigns:\r\nAbused Google Properties:\r\nhttps://sites.google[.]com/view/ty85yt8tg8-download-rtih4ithr/\r\nhttps://sites.google[.]com/view/user-id-568245/\r\nhttps://sites.google[.]com/view/hhbejfdwdhwuhscbsb-xscvhdvbc/\r\nAbused Dropbox Properties:\r\nhttps://www.dropbox[.]com/s/68y4vpfu8pc3imf/Iraq\u0026Jewish.pdf\r\nPhishing Domains:\r\nnco2[.]live\r\nsummit-files[.]com\r\nfiletransfer[.]club\r\ncontinuetogo[.]me\r\naccessverification[.]online\r\ncustomers-verification-identifier[.]site\r\nservice-activity-session[.]online\r\nidentifier-service-review[.]site\r\nrecovery-activity-identification[.]site\r\nreview-session-confirmation[.]site\r\nrecovery-service-activity[.]site\r\nverify-service-activity[.]site\r\nservice-manager-notifications[.]info\r\nAndroid App:\r\nhttps://www.virustotal.com/gui/file/5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5/detection\r\nAndroid App C2:\r\ncommunication-shield[.]site\r\ncdsa[.]xyz\r\nSource: https://blog.google/threat-analysis-group/countering-threats-iran/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.google/threat-analysis-group/countering-threats-iran/"
	],
	"report_names": [
		"countering-threats-iran"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433989,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b07891a642a097a1afc652f026e61c75fe1de816.pdf",
		"text": "https://archive.orkl.eu/b07891a642a097a1afc652f026e61c75fe1de816.txt",
		"img": "https://archive.orkl.eu/b07891a642a097a1afc652f026e61c75fe1de816.jpg"
	}
}