{
	"id": "7983545f-6049-4096-8d19-0c46c5a1700b",
	"created_at": "2026-04-06T00:06:44.381229Z",
	"updated_at": "2026-04-10T03:36:47.958738Z",
	"deleted_at": null,
	"sha1_hash": "b43aeddcb5b891768264b5a22f0a8cf35df68df4",
	"title": "UNC3890: Suspected Iranian Threat Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 488235,
	"plain_text": "UNC3890: Suspected Iranian Threat Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors\r\nBy Mandiant\r\nPublished: 2022-08-17 · Archived: 2026-04-05 15:06:25 UTC\r\nWritten by: Mandiant Israel Research Team\r\nBackground\r\nOver the last year Mandiant has been tracking UNC3890, a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential watering hole. Mandiant assesses with moderate confidence that this actor is linked to Iran, which is notable given the strong focus on shipping and the ongoing naval conflict between Iran and Israel. While we believe this actor is focused on intelligence collection, the collected data may be leveraged to support various activities, from hack-and-leak to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years.\r\nMandiant assesses with moderate confidence that UNC3890 conducts espionage and intelligence collection activity to support multiple Iranian interests and operations. Targeting patterns indicate a strong interest in Israeli entities and organizations of various sectors, including government, shipping, energy and healthcare. We observed several limited technical connections to Iran, such as PDB strings and Farsi language artifacts.\r\nThis campaign has been active since at least late 2020 and is still ongoing as of mid-2022. Though it is regional in nature, targeted entities include global companies.\r\nUNC3890 uses at least two unique tools: a backdoor which we named SUGARUSH, and a browser credential stealer which we named SUGARDUMP, which exfiltrates stolen data via Gmail, Yahoo and Yandex email services. 
UNC3890 also uses multiple publicly available tools, such as the METASPLOIT framework and NorthStar C2.\r\nIn addition, Mandiant discovered that UNC3890 operates an inter-connected network of Command-and-Control (C2) servers. The C2 servers host domains and fake login pages spoofing legitimate services such as Office 365, social networks such as LinkedIn and Facebook, as well as fake job offers and fake commercials for AI-based robotic dolls. We observed the C2 servers communicating with multiple targets, as well as with a watering hole that we believe was targeting the Israeli shipping sector, in particular entities that handle and ship sensitive components.\r\nThis blog post details the activity of UNC3890, including their proprietary malware, TTPs we have not previously seen deployed by Iran, and the publicly available tools we identified in our investigation. Mandiant continues to track UNC3890 as well as other potentially related clusters of activity by the same threat actor.\r\nAttribution\r\nhttps://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping\r\nPage 1 of 15\n\nMandiant uses the “UNC” label – for “uncategorized” groups – to refer to a cluster of intrusion activity that includes observable artifacts, such as adversary infrastructure, tools, and tradecraft, that we are not yet ready to give a classification such as TEMP, APT, or FIN (learn more about how Mandiant tracks uncategorized threat actors). Mandiant found no significant connections between UNC3890 and other clusters of activity we currently track, and therefore sees it as a standalone group. 
However, we identified several connections suggesting the activity is conducted by an Iran-nexus group:\r\n- Usage of Farsi words, as observed in strings left by the developers in the newest version of SUGARDUMP, for example “KHODA” (the Farsi word for “God”) and “yaal” (the Farsi word for a horse’s mane).\r\n- Focused targeting of Israeli entities and organizations, or organizations operating in Israel, consistent with other clusters of activity operated by Iranian threat actors, specifically UNC757.\r\n- Usage of the same PDB path as another Iranian cluster of activity Mandiant tracks as UNC2448 (operated by the Iranian IRGC, according to public sources), publicly referred to in a U.S. government statement from November 17, 2021. Several publications suggested that UNC2448 is linked to the APT35/Charming Kitten cluster of activity, which according to several public sources is operated by the Iranian Islamic Revolutionary Guard Corps (IRGC). UNC2448 has been targeting Israeli entities as well, among other countries of interest to Iran.\r\n- Utilization of the NorthStar C2 Framework, a C2 framework preferred by other Iranian actors. However, since it is a publicly available framework used by multiple threat actors, we consider this link circumstantial.\r\nTargeting\r\nIn late 2021, Mandiant identified UNC3890 targeting Israeli entities and showing interest in various sectors, including government, shipping, energy, aviation and healthcare. Even though the targeting we observed is focused on Israel, some of the entities targeted by UNC3890, especially in the shipping sector, are global companies. Therefore, the potential impact of UNC3890 activity described in this blog may extend beyond Israel. The activity is consistent with historical Iranian interest in these targets. 
Targeting patterns and lures used by UNC3890 indicate an attempt to disguise their activity as legitimate login activity, legitimate services and social network applications, and technology-related visual content.\r\nMalware Observed\r\nMandiant observed UNC3890 deploy the following malware families.\r\nMalware Family – Description\r\nSUGARUSH – SUGARUSH is a backdoor written to establish a connection with an embedded C2 and to execute CMD commands.\r\nSUGARDUMP – SUGARDUMP is a credential harvesting utility, capable of password collection from Chromium-based browsers.\r\nSUGARDUMP SMTP-based – A more advanced version of SUGARDUMP, exfiltrating the stolen credentials via Gmail, Yahoo and Yandex email addresses. Uses a commercial for robotic dolls as a lure.\r\nSUGARDUMP HTTP-based – The newest version of SUGARDUMP, exfiltrating the stolen credentials to a dedicated server over HTTP. Uses a fake job offer as a lure.\r\nMETASPLOIT – METASPLOIT is penetration testing software, often abused by malicious threat actors.\r\nUNICORN – UNICORN is a publicly available tool for conducting a PowerShell downgrade attack and injecting shellcode into memory.\r\nNORTHSTAR C2 – NORTHSTAR C2 is an open-source C2 framework developed for penetration testing and red teaming.\r\nOutlook and Implications\r\nUNC3890 has been operating since at least late 2020. Their focused targeting poses a threat to Israel-based organizations and entities, particularly those affiliated with the government, shipping, energy, aviation and healthcare sectors. While we are not aware of targeting outside Israel, it is possible such targeting has occurred, or will occur. 
UNC3890’s utilization of legitimate or publicly available tools, in addition to their unique exfiltration method using Gmail, Yahoo and Yandex email addresses, may reflect their efforts to evade detection and to bypass heuristics or network-based security measures.\r\nUNC3890 Attack Lifecycle\r\nEstablish Foothold\r\nWhile Mandiant primarily identified post-exploitation implants utilized by UNC3890, there are some findings that shed light on their initial access methodologies. Mandiant identified that UNC3890 potentially used the following initial access vectors:\r\nWatering holes – Mandiant identified a potential watering hole hosted on a login page of a legitimate Israeli shipping company, which was likely compromised by UNC3890. The watering hole was active at least until November 2021, and upon entering the legitimate login page, the user would send a POST request with preliminary data about the logged-in user to an attacker-controlled non-ASCII Punycode domain (lirıkedin[.]com, interpreted as xn--lirkedin-vkb[.]com).\r\nThe URL structure of the POST request:\r\nhxxps[:]//xn--lirkedin-vkb[.]com/object[.]php?browser=\u003cuser_browser\u003e\u0026ip=\u003cuser_ip\u003e\r\nWhen we inspected the watering hole, it was already inactive, but it was most likely used to target clients and users of that Israeli shipping company, in particular ones shipping or handling heat-sensitive cargo (based on the nature of the compromised website). We have an additional indication of an attempted targeting of another major Israeli shipping company by UNC3890, which is consistent with the watering hole.\r\nCredentials harvesting by masquerading as legitimate services – we uncovered several domains resolving to UNC3890’s C2 servers. 
Some of the domains were masquerading as legitimate services and entities, as can be observed in the table below. UNC3890 may have used these domains to harvest credentials to legitimate services, to send phishing lures, or to overall mask their activity and blend in with expected network traffic.\r\nIt should be noted that many of these domains were hosted on the same infrastructure used by UNC3890, but date back to late 2020, which is before we can corroborate that UNC3890 was active.\r\nUNC3890 Domain – Legitimate entity/service – Comment\r\nlirıkedin[.]com (xn--lirkedin-vkb[.]com) – LinkedIn – C2 domain of watering hole\r\npfizerpoll[.]com – Pfizer – Hosted a fake Citrix login page\r\nrnfacebook[.]com – Facebook\r\noffice365update[.]live – Office 365\r\nfileupload[.]shop – n/a\r\ncelebritylife[.]news – n/a\r\nnaturaldolls[.]store – Part of a robotic dolls commercial which was used to harvest credentials and as a lure to install SUGARDUMP – Hosts a fake Outlook login page\r\nxxx-doll[.]com – Part of the same robotic dolls commercial\r\nIn addition, we identified a UNC3890 server that hosted several ZIP files containing scraped contents of Facebook and Instagram accounts of legitimate individuals. It is possible they were targeted by UNC3890, or used as lures in a social engineering effort.\r\nFigure 1: A fake Outlook Web Access login page hosted on UNC3890’s domain naturaldolls[.]store\r\nFake job offers, potentially as part of a phishing or watering hole campaign – we observed UNC3890 utilize a .xls lure file designed as a fake job offer (MD5: 639f83fa4265ddbb43e85b763fe3dbac) which installs SUGARDUMP, a credential harvesting tool. 
The job offer was for a software developer position at LexisNexis, a company offering a data analytics solution.\r\nFigure 2: A fake LexisNexis job offer which drops SUGARDUMP\r\nFake commercials for AI-based robotic dolls – one of UNC3890’s most recent endeavors to target victims includes the usage of a video commercial for AI-based robotic dolls, used as a lure to deliver SUGARDUMP. In addition, we observed UNC3890 usage of domains with similar themes such as naturaldolls[.]store (hosting a fake Outlook login page) and xxx-doll[.]com. UNC3890 infrastructure also hosted a fake page for the alleged purchasing of robotic dolls, redirecting victims to attacker-controlled infrastructure.\r\nFigure 3: A screenshot taken from the social engineering video played when SUGARDUMP executes\r\nFigure 4: HTML page hosted on UNC3890 infrastructure, with references to purchasing of robotic dolls\r\nPost-Exploitation: From Credentials Harvesting to Full Access and Control\r\nAfter gaining initial access, UNC3890 utilizes a broad toolset to access and control the victim’s environment. In this section we will focus on the analysis of two of UNC3890’s proprietary tools we identified in our investigation: the SUGARUSH backdoor, and the SUGARDUMP credential harvesting tool. We will also provide a brief analysis of the public tools utilized by UNC3890.\r\nMost of the tools were available for download directly from UNC3890 controlled infrastructure, indicating they may have been served as 1st stage implants. 
Alternatively, they may have been used as 2nd stages (or later), but UNC3890 may have misconfigured their infrastructure, making it publicly accessible.\r\nSUGARUSH Analysis: A Small But Efficient Backdoor\r\nSUGARUSH is a small custom backdoor that establishes a reverse shell over TCP to a hardcoded C\u0026C address.\r\nUpon first execution, SUGARUSH will create a new service called “Service1”. Subsequently, SUGARUSH creates a logging folder called “Logs”, and stores it under its current execution path. A new folder named “ServiceLog” is created in the “Logs” folder, and a new log file is written with the message “Service is started at ”. The name of the log file is the current date of the infected machine.\r\nSUGARUSH will then check for internet connectivity of the host and will create a log file indicating the result with the message “You are online at ” or “You are offline at ”. If the internet connection attempt is successful, SUGARUSH will establish a new TCP connection to an embedded C\u0026C address via port 4585. SUGARUSH then waits to receive an answer from the C2, which will be interpreted as a CMD command for execution.\r\nSUGARUSH Samples:\r\n37bdb9ea33b2fe621587c887f6fb2989\r\n3f045ebb014d859a4e7d15a4cf827957\r\na7a2d6a533b913bc50d14e91bcf6c716\r\nd528e96271e791fab5818c01d4bc139f\r\nSUGARDUMP Analysis: A Browser Credential Harvesting Tool\r\nSUGARDUMP is a small custom utility used for harvesting credentials from Chrome, Opera and Edge Chromium browsers.\r\nWhen executed, SUGARDUMP will access the following paths:\r\n%AppData%\\Google\\Chrome\\User Data\r\n%AppData%\\Opera Software\\Opera Stable\r\n%AppData%\\Microsoft\\Edge\\User Data\r\nFrom each path SUGARDUMP will attempt to collect specific folders:\r\n\\Default\\Login Data\r\n\\Login Data\r\nAny other folder that has the string “Profile” in 
its name.\r\nAfterwards, SUGARDUMP will extract all of the available usernames and passwords from these folders. The collected information is subsequently stored in the following format:\r\nFigure 5: SUGARDUMP exfiltrated data format\r\nWe observed several versions of SUGARDUMP:\r\n- SUGARDUMP first known version, dated to early 2021. This early version stores the credentials without exfiltrating them. It is possible it was an unfinished version, or that UNC3890 used other tools and/or manually connected to the victim to exfiltrate the stolen credentials.\r\n- SUGARDUMP using SMTP-based communication, dated to late 2021-early 2022. This version utilizes Yahoo, Yandex and Gmail addresses for exfiltration, and uses a commercial for AI-driven robotic dolls as a lure.\r\n- SUGARDUMP using HTTP-based communication, dated to April 2022. This version uses a fake LexisNexis job offer as a lure.\r\nSUGARDUMP first known version – dated to early 2021. We observed two variants of this version: the first one saves the stolen credentials in a .txt file under the path “C:\\Users\\User\\Desktop\\test2.txt”. The second variant prints the stolen credentials as CMD output.\r\nWe observed two PDB paths contained in SUGARDUMP samples:\r\n- C:\\Users\\User\\source\\repos\\passrecover\\passrecover\\obj\\Release\\passrecover.pdb – we observed a similar PDB path (the part in bold) used in a toolset (for example, MD5: 69b2ab3369823032991d4b306a170425) by UNC2448, an actor affiliated with Iran, which was mentioned in a U.S. government statement on November 17, 2021. 
Since this is a rather generic PDB path, this similarity may be circumstantial, and we consider it a weak link.\r\n- C:\\Users\\User\\Desktop\\sourc\\Chrome-Password-Recovery-master\\Chrome-Password-Recovery-master\\obj\\Debug\\ChromeRecovery.pdb\r\nSUGARDUMP using SMTP for C2 communication – dated to late 2021-early 2022. This variant was downloaded from a known UNC3890 C2 (URL: hxxp://128.199.6[.]246/3-Video-VLC.exe), and is a slightly more advanced version with similar credential harvesting functionality.\r\nThe downloaded file “3-Video-VLC.exe” (MD5: ae0a16b6feddd53d1d52ff50d85a42d5) is a Windows installer which, upon execution, drops and executes two files under the path %AppData%\\Roaming\\:\r\n1. CrashReporter.exe (MD5: 084ad50044d6650f9ed314e99351a608) – a browser credential harvesting tool (SUGARDUMP).\r\n2. RealDo1080.mp4 (MD5: d8fb3b6f5681cf5eec2b89be9b632b05) – a social engineering video, played using Windows Media Player while CrashReporter.exe is executed. The video contains a commercial for AI-driven robotic dolls.\r\nUpon first execution, CrashReporter.exe (SUGARDUMP) attempts to locate the folder %AppData%\\Microsoft\\Edge\\User Data\\CrashPad\\. If it isn’t found, it will search for the folder %AppData%\\Microsoft\\Internet Explorer\\TabRoaming\\. If the latter folder is not found either, the malware proceeds to create it. The malware will then copy itself into the “TabRoaming” folder, again under the name “CrashReporter.exe”. Subsequently, a scheduled task is created, which ensures the persistence of this version of SUGARDUMP:\r\n- In Windows 7 the scheduled task is called \"MicrosoftInternetExplorerCrashRepoeterTaskMachineUA\", and contains the description \"Keep your Microsoft software without any bugs. 
If this task is disabled or stopped, your Microsoft software may not work properly, meaning bugs that may arise cannot be fixed and features may not work.”\r\n- In other Windows OS versions the scheduled task is called \"MicrosoftEdgeCrashRepoeterTaskMachineUA\", and contains the description “Keep your Microsoft software without any bugs. If this task is disabled or stopped, your Edge browser may not work properly, meaning bugs that may arise cannot be fixed and features may not work.”\r\nThe scheduled task is configured to execute CrashReporter.exe during user logon.\r\nThe malware then attempts to connect to “smtp.yandex.com” and “smtp.mail.yahoo.com” via port 587. If the attempt is successful, the malware starts to harvest browser related information on the host.\r\nThis version of SUGARDUMP harvests credentials from the following browsers:\r\n- Firefox (added functionality with relation to the previous version)\r\n- Chrome\r\n- Opera\r\n- Edge\r\nFor each browser the malware attempts to extract login credentials from the following paths:\r\n%Appdata%\\Mozilla\\Firefox\\Profiles\r\n%Appdata%\\Google\\Chrome\\User Data\r\n%Appdata%\\Opera Software\\Opera Stable\r\n%Appdata%\\Microsoft\\Edge\\User Data\r\nThis version of SUGARDUMP also extracts the browser’s version, browsing history, bookmarks, and cookies. The extracted data structure looks as follows:\r\nFigure 6: Exfiltrated data format of SUGARDUMP\r\nThe collected data is subsequently encoded using base64 and stored under %%\\CrashLog.txt\r\nThe malware will then send the file “CrashLog.txt” via email, by connecting and sending it from one of the two following email addresses:\r\njohn.macperson2021@yandex[.]com\r\njohn.macperson2021@yahoo[.]com\r\nThe email is 
sent to one of these four email addresses:\r\njohn.macperson2021@yandex[.]com\r\njohn.macperson2021@yahoo[.]com\r\njohn.macperson2021@gmail[.]com\r\njohn.macperson@protonmail[.]com\r\nThe subject of each message would be “VLC Player”, with “CrashLog.txt” attached.\r\nIf SUGARDUMP fails to send the message, it creates a new file under %%\\CrashLogName.txt, and writes the error details to the file. \"CrashLogName.txt\" is also sent via email, using the same method mentioned above. Afterwards, the malware terminates its execution.\r\nSUGARDUMP using HTTP for C2 communication – dated to April 2022, this version sends the stolen credentials to a UNC3890 C2 server (144.202.123[.]248:80). We observed this version dropped by a .xls file which contains a fake job offer for a software developer position at LexisNexis, a data analytics platform (MD5: 639f83fa4265ddbb43e85b763fe3dbac).\r\nThe .xls file contains a macro which, upon enablement, attempts to execute an embedded PE file using RunDLL (MD5: e125ed072fc4529687d98cf4c62e283e). The PE file is the newest version of SUGARDUMP we have observed so far.\r\nLike previous versions, this version of SUGARDUMP harvests credentials from the Chromium-based browsers Chrome, Opera and Edge. The data is saved in a new file under %TEMP%\\DebugLogWindowsDefender.txt.\r\nThe collected data is subsequently encrypted using AES in Cipher Block Chaining (CBC) mode. The encryption key is the SHA-256 of an embedded password: “1qazXSW@3edc123456be name KHODA 110 !!)1qazXSW@3edc”. The word “KHODA” means god in Farsi.\r\nAfter the encryption process, the data is also encoded using Base64, and subsequently sent over HTTP to a UNC3890 C2 server: 144.202.123[.]248:80.\r\nThe .NET project for this version of SUGARDUMP was named \"yaal\", which is the Farsi word for a horse’s mane. 
This, along with the use of the word “KHODA” in SUGARDUMP’s encryption key, may strengthen the possibility that the developers of SUGARDUMP are Farsi speakers.\r\nSUGARDUMP Samples:\r\nf362a2d9194a09eaca7d2fa04d89e1e5 – early version\r\n08dc5c2af21ecee6f2b25ebdd02a9079 – early version\r\nae0a16b6feddd53d1d52ff50d85a42d5 – SMTP-based version\r\ne125ed072fc4529687d98cf4c62e283e – HTTP-based version\r\nMITRE ATT\u0026CK Techniques\r\nResource Development\r\n- Obtain Capabilities (T1588): Tool (T1588.002)\r\n- Develop Capabilities (T1587): Malware (T1587.001)\r\nInitial Access\r\n- Phishing (T1566): Spearphishing Link (T1566.002)\r\n- Trusted Relationship (T1199)\r\n- Valid Accounts (T1078)\r\nExecution\r\n- Scheduled Task/Job (T1053): Scheduled Task (T1053.005)\r\n- Command and Scripting Interpreter (T1059): PowerShell (T1059.001), Windows Command Shell (T1059.003)\r\n- System Services (T1569): Service Execution (T1569.002)\r\n- User Execution (T1204): Malicious File (T1204.002)\r\nPersistence\r\n- Scheduled Task/Job (T1053): Scheduled Task (T1053.005)\r\n- Create or Modify System Process (T1543): Windows Service (T1543.003)\r\nPrivilege Escalation\r\n- Scheduled Task/Job (T1053): Scheduled Task (T1053.005)\r\nCredential Access\r\n- Credentials from Password Stores (T1555): Credentials from Web Browsers (T1555.003)\r\n- Input Capture (T1056): Keylogging (T1056.001), Web Portal Capture (T1056.003)\r\nCommand and Control\r\n- Ingress Tool Transfer (T1105)\r\n- Remote Access Software (T1219)\r\n- Application Layer Protocol (T1071): Web Protocols (T1071.001)\r\n- Protocol Tunneling (T1572)\r\n- Web Service (T1102): Bidirectional Communication (T1102.002)\r\nExfiltration\r\n- Exfiltration Over C2 Channel (T1041)\r\n- Exfiltration Over Web Service 
(T1567)\r\nIndicators of Compromise\r\nType – Value – Description\r\nMD5 – f362a2d9194a09eaca7d2fa04d89e1e5 – SUGARDUMP early ver.\r\nMD5 – 08dc5c2af21ecee6f2b25ebdd02a9079 – SUGARDUMP early ver.\r\nMD5 – ae0a16b6feddd53d1d52ff50d85a42d5 – SUGARDUMP SMTP dropper\r\nMD5 – 084ad50044d6650f9ed314e99351a608 – SUGARDUMP SMTP\r\nMD5 – d8fb3b6f5681cf5eec2b89be9b632b05 – SUGARDUMP SMTP lure video\r\nMD5 – 639f83fa4265ddbb43e85b763fe3dbac – SUGARDUMP HTTP lure file\r\nMD5 – e125ed072fc4529687d98cf4c62e283e – SUGARDUMP HTTP\r\nMD5 – 37bdb9ea33b2fe621587c887f6fb2989 – SUGARUSH\r\nMD5 – 3f045ebb014d859a4e7d15a4cf827957 – SUGARUSH\r\nMD5 – a7a2d6a533b913bc50d14e91bcf6c716 – SUGARUSH\r\nMD5 – d528e96271e791fab5818c01d4bc139f – SUGARUSH\r\nMD5 – d5671df2af6478ac108e92ba596d5557 – PowerShell downloader\r\nMD5 – fcc09a4262b9ca899ba08150e287caa9 – METASPLOIT payload\r\nMD5 – d47bbec805c00a549ab364d20a884519 – METASPLOIT payload\r\nMD5 – 6dbd612bbc7986cf8beb9984b473330a – METASPLOIT payload\r\nMD5 – 3b2a719ffb12a291acbfe9056daf52a7 – METASPLOIT payload\r\nMD5 – f97c0f19e84c79e9423b4420531f5a25 – METASPLOIT payload\r\nMD5 – f538cb2e584116a586a50d607d517cfd – UNICORN\r\nMD5 – 532f5c8a85b706ccc317b9d4158014bf – PowerShell TCP ReverseShell\r\nMD5 – 9c8788e7ae87ae4f46bfe5ba7b7aa938 – .NET executable that drops and executes ReverseShell\r\nMD5 – 2fe42c52826787e24ea81c17303484f9 – NORTHSTAR C2 Stager\r\nMD5 – 2a09c5d85667334d9accbd0e06ae9418 – PowerShell downloader\r\nMD5 – c5116a9818dcd48b8e9fb1ddf022df29 – PowerShell downloader\r\nIP – 143.110.155[.]195 – NorthStar C2 server\r\nIP – 128.199.6[.]246 – Malware/Tools Hosting, Watering Hole C2, Fake Login Pages Hosting\r\nIP – 161.35.123[.]176 – SUGARUSH C2, Reverse Shell C2, Malicious Domains Hosting\r\nIP – 104.237.155[.]129 – C2 server\r\nIP – 146.185.219[.]88 – C2 server\r\nIP – 159.223.164[.]185 – C2 server\r\nIP – 144.202.123[.]248 – C2 server\r\nIP – 185.170.215[.]170 – Malicious Domain Hosting\r\nDomain – lirıkedin[.]com 
(xn--lirkedin-vkb[.]com) – Fake domain\r\nDomain – pfizerpoll[.]com – Fake domain\r\nDomain – office365update[.]live – Fake domain\r\nDomain – celebritylife[.]news – Fake domain\r\nDomain – rnfacebook[.]com – Fake domain\r\nDomain – fileupload[.]shop – Fake domain\r\nDomain – naturaldolls[.]store – Domain\r\nDomain – xxx-doll[.]com – Domain\r\nDomain – aspiremovecentraldays[.]net (suspect) – Domain\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping"
	],
	"report_names": [
		"suspected-iranian-actor-targeting-israeli-shipping"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f8fdc3fb-e38e-44a2-87a8-ae11d93b9e02",
			"created_at": "2023-11-05T02:00:08.088979Z",
			"updated_at": "2026-04-10T02:00:03.402497Z",
			"deleted_at": null,
			"main_name": "UNC3890",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3890",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b43aeddcb5b891768264b5a22f0a8cf35df68df4.pdf",
		"text": "https://archive.orkl.eu/b43aeddcb5b891768264b5a22f0a8cf35df68df4.txt",
		"img": "https://archive.orkl.eu/b43aeddcb5b891768264b5a22f0a8cf35df68df4.jpg"
	}
}