{
	"id": "4e5993b6-4a6e-4247-a7c1-ed4ed3da0556",
	"created_at": "2026-04-06T00:14:48.282892Z",
	"updated_at": "2026-04-10T13:11:30.332231Z",
	"deleted_at": null,
	"sha1_hash": "b53699b4a48d16d8f0745bbd3ae62762e2174fd1",
	"title": "Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91906,
	"plain_text": "Iranian Threat Group Updates Tactics, Techniques and Procedures in\r\nSpear Phishing Campaign\r\nBy Mandiant\r\nPublished: 2018-03-13 · Archived: 2026-04-02 10:38:15 UTC\r\nWritten by: Sudeep Singh, Dileep Jallepalli\r\nIntroduction\r\nFrom January 2018 to March 2018, through FireEye’s Dynamic Threat Intelligence, we observed attackers leveraging the\r\nlatest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and\r\nthe Middle East.\r\nWe attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus\r\nactor that has been active since at least May 2017. This actor has engaged in prolific spear phishing of government and\r\ndefense entities in Central and Southwest Asia. The spear phishing emails and attached malicious macro documents typically\r\nhave geopolitical themes. When successfully executed, the malicious documents install a backdoor we track as\r\nPOWERSTATS.\r\nOne of the more interesting observations during the analysis of these files was the re-use of the latest AppLocker bypass,\r\nand lateral movement techniques for the purpose of indirect code execution. The IP address in the lateral movement\r\ntechniques was substituted with the local machine IP address to achieve code execution on the system.\r\nCampaign Timeline\r\nIn this campaign, the threat actor’s tactics, techniques and procedures (TTPs) shifted after about a month, as did their targets.\r\nA brief timeline of this activity is shown in Figure 1.\r\nThe first part of the campaign (From Jan. 23, 2018, to Feb. 26, 2018) used a macro-based document that dropped a VBS file\r\nand an INI file. The INI file contains the Base64 encoded PowerShell command, which will be decoded and executed by\r\nPowerShell using the command line generated by the VBS file on execution using WScript.exe. 
The process chain is shown\r\nin Figure 2.\r\nAlthough the actual VBS script changed from sample to sample, with different levels of obfuscation and different ways of\r\ninvoking the next stage of the process tree, its final purpose remained the same: invoking PowerShell to decode the Base64-encoded\r\nPowerShell command in the INI file that was dropped earlier by the macro, and executing it. One such example of the VBS\r\ninvoking PowerShell via MSHTA is shown in Figure 3.\r\nThe second part of the campaign (from Feb. 27, 2018, to March 5, 2018) used a new variant of the macro that does not use\r\nVBS for PowerShell code execution. Instead, it uses one of the recently disclosed code execution techniques leveraging INF\r\nand SCT files, which we explain later in the blog.\r\nInfection Vector\r\nhttps://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html\r\nPage 1 of 23\n\nWe believe the infection vector for all of the attacks involved in this campaign was a macro-based document sent as an email\r\nattachment. One such email that we were able to obtain was targeting users in Turkey, as shown in Figure 4.\r\nThe malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four\r\ncountries: Turkey, Pakistan, Tajikistan and India. 
Four examples follow, and a complete list is available in the\r\nIndicators of Compromise section at the end of the blog.\r\nFigure 5 shows a document purporting to be from the National Assembly of Pakistan.\r\nA document purporting to be from the Turkish Armed Forces, with content written in the Turkish language, is shown in\r\nFigure 6.\r\nA document purporting to be from the Institute for Development and Research in Banking Technology (established by the\r\nReserve Bank of India) is shown in Figure 7.\r\nFigure 8 shows a document written in Tajik that purports to be from the Ministry of Internal Affairs of the Republic of\r\nTajikistan.\r\nEach of these macro-based documents used similar techniques for code execution, persistence and communication with the\r\ncommand and control (C2) server.\r\nIndirect Code Execution Through INF and SCT\r\nThis scriptlet code execution technique leveraging INF and SCT files was recently discovered and documented in February\r\n2018. The threat group in this recently observed campaign – TEMP.Zagros – weaponized their malware using the following\r\ntechniques.\r\nThe macro in the Word document drops three files in a hard-coded path: C:\\programdata. Since the path is hard-coded,\r\nexecution will only be observed on Windows 7 and later. The three files are:\r\nDefender.sct – The malicious JavaScript-based scriptlet file.\r\nDefenderService.inf – The INF file that is used to invoke the above scriptlet file.\r\nWindowsDefender.ini – The Base64-encoded and obfuscated PowerShell script.\r\nAfter dropping the three files, the macro sets the following registry key to achieve persistence:\r\n\\REGISTRY\\USER\\SID\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\"WindowsDefenderUpdater\" = cmstp.exe /s c:\\programdata\\DefenderService.inf\r\nUpon system restart, cmstp.exe will be used to execute the SCT file indirectly through the INF file. 
This is possible because\r\ninside the INF file we have the following section:\r\n[UnRegisterOCXSection]\r\n%11%\\scrobj.dll,NI,c:/programdata/Defender.sct\r\nThat section is invoked indirectly through the DefaultInstall_SingleUser section of the INF file, as shown in Figure 9.\r\nThis method of code execution is performed in an attempt to evade security products. FireEye MVX and HX Endpoint\r\nSecurity technology successfully detect this code execution technique.\r\nSCT File Analysis\r\nThe code of the Defender.sct file is obfuscated JavaScript. The main function performed by the SCT file is to Base64\r\ndecode the contents of the WindowsDefender.ini file and execute the decoded PowerShell script using the following command\r\nline:\r\npowershell.exe -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\\\ProgramData\\\\WindowsDefender.ini))))\r\nThe rest of the malicious activities are performed by the PowerShell script.\r\nPowerShell File Analysis\r\nThe PowerShell script employs several layers of obfuscation to hide its actual functionality. 
In addition to obfuscation\r\ntechniques, it also has the ability to detect security tools on the analysis machine, and can shut down the system if it\r\ndetects the presence of such tools.\r\nSome of the key obfuscation techniques used are:\r\nCharacter Replacement: Several instances of character replacement and string reversing techniques (Figure 10)\r\nmake analysis difficult.\r\nAfter deobfuscating the contents of the PowerShell script, we can divide it into three sections.\r\nSection 1\r\nThe first section of the PowerShell script is responsible for setting different key variables that are used by the remaining\r\nsections of the PowerShell script, especially the following variables:\r\nTEMpPAtH = \"C:\\ProgramData\\\" (the path used for storing the temp files)\r\nGet_vAlIdIP = https://api.ipify.org/ (used to get the public IP address of the machine)\r\nFIlENAmePATHP = WindowsDefender.ini (file used to store PowerShell code)\r\nPRIVAtE = Private Key exponents\r\nPUbLIc = Public Key exponents\r\nHklm = \"HKLM:\\Software\\\"\r\nHkcu = \"HKCU:\\Software\\\"\r\nValuE = \"kaspersky\"\r\nSYSID\r\nDrAGon_MidDLe = [array of proxy URLs]\r\nAmong those variables, one is of particular interest: DrAGon_MidDLe, which stores the list of proxy URLs\r\n(detailed at the end of the blog in the Network Indicators portion of the Indicators of Compromise section) that will be used\r\nto interact with the C2 server, as shown in Figure 12.\r\nSection 2\r\nThe second section of the PowerShell script has the ability to perform encryption and decryption of messages that are\r\nexchanged between the system and the C2 server. 
The algorithm used for encryption and decryption is RSA, which\r\nleverages the public and private key exponents included in Section 1 of the PowerShell script.\r\nSection 3\r\nThe third section of the PowerShell script is the biggest section and has a wide variety of functionalities.\r\nDuring analysis, we observed a code section where a message written in Chinese and hard-coded in the script is printed\r\nin the case of an error while connecting to the C2 server:\r\nThe English translation of this message is: “Cannot connect to website, please wait for dragon”.\r\nOther functionalities provided by this section of the PowerShell script are as follows:\r\nRetrieves the following data from the system by leveraging Windows Management Instrumentation (WMI) queries\r\nand environment variables:\r\nIP Address from Network Adapter Configuration\r\nOS Name\r\nOS Architecture\r\nComputer Name\r\nComputer Domain Name\r\nUsername\r\nAll of this data is concatenated and formatted as shown in Figure 13.\r\nRegisters the victim’s machine with the C2 server by sending the REGISTER command to the server. 
In response, if the\r\nstatus is OK, then a TOKEN is received from the C2 server that is used to synchronize the activities between the\r\nvictim’s machine and the C2 server.\r\nWhen sending to the C2 server, the data is formatted as follows:\r\n@{SYSINFO = $get.ToString(); ACTION = \"REGISTER\";}\r\nAbility to take screenshots.\r\nChecks for the presence of security tools (detailed in the Appendix); if any of these security tools are discovered,\r\nthe system is shut down, as shown in Figure 14.\r\nAbility to sleep for a given number of seconds.\r\nThe following table summarizes the main C2 commands supported by this PowerShell script.\r\nC2 Command – Purpose\r\nreboot – Reboot the system using the shutdown command\r\nshutdown – Shut down the system using the shutdown command\r\nclean – Wipe the drives C:\\, D:\\, E:\\, F:\\\r\nscreenshot – Take a screenshot of the system\r\nupload – Encrypt and upload the information from the system\r\nexcel – Leverage the Excel.Application COM object for code execution\r\noutlook – Leverage the Outlook.Application COM object for code execution\r\nrisk – Leverage a DCOM object for code execution\r\nConclusion\r\nThis activity shows us that TEMP.Zagros stays up-to-date with the latest code execution and persistence\r\ntechniques, and that they can quickly leverage these techniques to update their malware. 
By combining multiple layers of\r\nobfuscation, they deter the process of reverse engineering and also attempt to evade security products.\r\nUsers can protect themselves from such attacks by disabling Office macros in their settings and also by being more vigilant\r\nwhen enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted\r\nsources.\r\nIndicators of Compromise\r\nMacro-based Documents and Hashes\r\nSHA256 Hash Filename Targeted Region\r\neff78c23790ee834f773569b52cddb01dc3c4dd9660f5a476af044ef6fe73894 na.doc Pakistan\r\n76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338 Invest in Turkey.doc Turkey\r\n6edc067fc2301d7a972a654b3a07398d9c8cbe7bb38d1165b80ba4a13805e5ac güvenlik yönergesi. .doc Turkey\r\n009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0 idrbt.doc India\r\n18479a93fc2d5acd7d71d596f27a5834b2b236b44219bb08f6ca06cf760b74f6 Türkiye Cumhuriyeti Kimlik Kartı.doc Turkey\r\n3da24cd3af9a383b731ce178b03c68a813ab30f4c7c8dfbc823a32816b9406fb Turkish Armed Forces.doc Turkey\r\n9038ba1b7991ff38b802f28c0e006d12d466a8e374d2f2a83a039aabcbe76f5c na.gov.pk.doc Pakistan\r\n3b1d8dcbc8072b1ec10f5300c3ea9bb20db71bd8fa443d97332790b74584a115 MVD-FORM-1800.doc Tajikistan\r\ncee801b7a901eb69cd166325ed3770daffcd9edd8113a961a94c8b9ddf318c88 KEGM-CyberAttack.doc Turkey\r\n1ee9649a2f9b2c8e0df318519e2f8b4641fd790a118445d7a0c0b3c02b1ba942 IL-1801.doc Turkey\r\naa60c1fae6a0ef3b9863f710e46f0a7407cf0feffa240b9a4661a4e8884ac627 kiyiemniyeti.doc Turkey\r\n93745a6605a77f149471b41bd9027390c91373558f62058a7333eb72a26faf84 TCELL-S1-M.doc Tajikistan\r\nc87799cce6d65158da97aa31a5160a0a6b6dd5a89dea312604cc66ed5e976cc9 egm-1.doc Turkey\r\n2cea0b740f338c513a6390e7951ff3371f44c7c928abf14675b49358a03a5d13 Connectel .pk.doc Pakistan\r\n18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd gÃŸvenlik_yÃœnergesi_.doc 
Turkey\r\n153117aa54492ca955b540ac0a8c21c1be98e9f7dd8636a36d73581ec1ddcf58 MIT.doc Turkey\r\nd07d4e71927cab4f251bcc216f560674c5fb783add9c9f956d3fc457153be025 Gvenlik Ynergesi.doc Turkey\r\naf5f102f0597db9f5e98068724e31d68b8f7c23baeea536790c50db587421102 Gvenlik Ynergesi.doc Turkey\r\n5550615affe077ddf66954edf132824e4f1fe16b3228e087942b0cad0721a6af NA Turkey\r\n3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c Anadolu GÃ¼neydoÄŸu Projesinde .doc Turkey\r\nNetwork Indicators\r\nList of Proxy URLs\r\nhxxp://alessandrofoglino[.]com//db_template.php\r\nhxxp://www.easy-home-sales[.]co.za//db_template.php\r\nhxxp://www.almaarefut[.]com/admin/db_template.php\r\nhxxp://chinamall[.]co.za//db_template.php\r\nhxxp://amesoulcoaching[.]com//db_template.php\r\nhxxp://www.antigonisworld[.]com/wp-includes/db_template.php\r\nhxxps://anbinni.ba/wp-admin/db_template.php\r\nhxxp://arctistrade[.]de/wp/db_template.php\r\nhxxp://aianalytics[.]ie//db_template.php\r\nhxxp://www.gilforsenate[.]com//db_template.php\r\nhxxp://mgamule[.]co.za/oldweb/db_template.php\r\nhxxp://chrisdejager-attorneys[.]co.za//db_template.php\r\nhxxp://alfredocifuentes[.]com//db_template.php\r\nhxxp://alxcorp[.]com//db_template.php\r\nhxxps://www.aircafe24[.]com//db_template.php\r\nhxxp://agencereferencement.be/wp-admin/db_template.php\r\nhxxp://americanlegacies[.]org/webthed_ftw/db_template.php\r\nhxxps://aloefly[.]net//db_template.php\r\nhxxp://www.duotonedigital[.]co.za//db_template.php\r\nhxxp://architectsinc[.]net//db_template.php\r\n
hxxp://www.tanati[.]co.za//db_template.php\r\nhxxp://emware[.]co.za//db_template.php\r\nhxxp://breastfeedingbra[.]co.za//db_template.php\r\nhxxp://alhidayahfoundation[.]co[.]uk/category/db_template.php\r\nhxxp://cashforyousa[.]co.za//db_template.php\r\nhxxps://www.airporttaxi-uk[.]co[.]uk/wp-includes/db_template.php\r\nhxxp://antjetaubert[.]de//db_template.php\r\nhxxp://hesterwebber[.]co.za//db_template.php\r\nhxxp://fickstarelectrical[.]co.za//db_template.php\r\nhxxp://alex-frost[.]com/assets/db_template.php\r\nhxxps://americanbrasil[.]com.br//db_template.php\r\nhxxps://aileeshop[.]com//db_template.php\r\nhxxps://annodle[.]com//db_template.php\r\nhxxp://goldeninstitute[.]co.za/contents/db_template.php\r\nhxxp://ednpk[.]com//db_template.php\r\nhxxp://www.arabiccasinochoice[.]com//db_template.php\r\nhxxp://proeventsports[.]co.za//db_template.php\r\nhxxp://glenbridge[.]co.za//db_template.php\r\nhxxp://berped[.]co.za//db_template.php\r\nhxxp://best-digital-slr-cameras[.]com//db_template.php\r\nhxxp://antonhirvonen[.]com/pengalandet.se/wp-includes/db_template.php\r\nhxxp://www.alpacal[.]com//db_template.php\r\nhxxps://www.alakml[.]com/wp-admin/db_template.php\r\nhxxp://ar-rihla[.]com//db_template.php\r\nhxxp://appsvoice[.]info//db_template.php\r\nhxxp://www.bashancorp[.]co.za//db_template.php\r\nhxxp://alexanderbecker[.]net/services/db_template.php\r\nhxxp://visionclinic.co.ls/visionclinic/db_template.php\r\n
hxxps://www.angelesrevista[.]com//db_template.php\r\nhxxps://www.antojoentucocina[.]com//db_template.php\r\nhxxp://apollonweb[.]com//db_template.php\r\nhxxps://www.alphapixa[.]com//db_template.php\r\nhxxp://capitalradiopetition[.]co.za//db_template.php\r\nhxxp://www.generictoners[.]co.za//db_template.php\r\nhxxps://alnahdatraining[.]com//db_template.php\r\nhxxps://albousala[.]com//db_template.php\r\nhxxps://www.dopetroleum[.]com//db_template.php\r\nhxxp://bios-chip[.]co.za//db_template.php\r\nhxxp://www.crissamconsulting[.]co.za//db_template.php\r\nhxxp://capriflower[.]co.za//db_template.php\r\nhxxp://www.dingaanassociates[.]co.za//db_template.php\r\nhxxp://indiba-africa[.]co.za//db_template.php\r\nhxxp://verifiedseller[.]co.za/js/db_template.php\r\nhxxps://www.buraqlubricant[.]com//db_template.php\r\nhxxp://aqarco[.]com/wp-admin/db_template.php\r\nhxxp://allaboutblockchain[.]net//db_template.php\r\nhxxp://www.amexcars[.]info/tpl/db_template.php\r\nhxxp://clandecor[.]co.za/rvsUtf8Backup/db_template.php\r\nhxxp://bakron[.]co.za//db_template.php\r\nhxxp://gsnconsulting[.]co.za//db_template.php\r\nhxxp://vumavaluations[.]co.za//db_template.php\r\nhxxp://heritagetravelmw[.]com//db_template.php\r\nhxxp://ampvita[.]com//db_template.php\r\nhxxp://ahero-resource-center[.]org/administrator/db_template.php\r\nhxxps://arbulario[.]com//db_template.php\r\nhxxp://havilahglo[.]co.za/wpscripts/db_template.php\r\n
hxxp://www.bestdecorativemirrors[.]com/More-Mirrors/db_template.php\r\nhxxp://delectronics[.]com[.]pk//db_template.php\r\nhxxp://antucomp[.]com//db_template.php\r\nhxxp://advocatetn[.]com/font-awesome/fonts/db_template.php\r\nhxxps://amooy[.]com/webservice/db_template.php\r\nhxxp://www.harmonyguesthouse[.]co.za//db_template.php\r\nhxxp://alanrori[.]com//db_template.php\r\nhxxp://algarvesup[.]com//db_template.php\r\nhxxp://desirablehair[.]co.za//db_template.php\r\nhxxp://comsip[.]org.mw//db_template.php\r\nhxxp://jdcorporate[.]co.za/catalog/db_template.php\r\nhxxp://andrewfinnburhoe[.]com//db_template.php\r\nhxxp://anyeva[.]com/wp-includes/db_template.php\r\nhxxp://www.agenceuhd[.]com//db_template.php\r\nhxxp://host4unix[.]net/host24new/db_template.php\r\nhxxp://www.altaica[.]ca/wordpress/db_template.php\r\nhxxp://www.allbuyer[.]co[.]uk//db_template.php\r\nhxxp://jvpsfunerals[.]co.za//db_template.php\r\nhxxp://immaculatepainters[.]co.za//db_template.php\r\nhxxp://tcpbereka[.]co.za/js/db_template.php\r\nhxxp://clientcare.co.ls//db_template.php\r\nhxxp://investaholdings[.]co.za/htc/db_template.php\r\nhxxp://www.amjobs[.]co[.]uk//db_template.php\r\nhxxp://www.agirlgonewine[.]com/store/db_template.php\r\nhxxp://findinfo-more[.]com//db_template.php\r\nhxxp://asgen[.]org//db_template.php\r\nhxxp://alphasalesrecruitment[.]com//db_template.php\r\nhxxp://irshadfoundation[.]co.za//db_template.php\r\n
hxxp://analternatif[.]com/includes/db_template.php\r\nhxxp://arbruisseau[.]com/profiles/db_template.php\r\nhxxp://ladiescircle[.]co.za//db_template.php\r\nhxxp://all-reseller[.]com/zzz_backup/db_template.php\r\nhxxp://alcatrazmoon[.]com/images/db_template.php\r\nhxxp://www.alcalumni[.]com/wp-includes/db_template.php\r\nhxxp://aniljoseph[.]com/servermon/db_template.php\r\nhxxp://alwake3press[.]com/wp-includes/db_template.php\r\nhxxp://www.hfhl[.]org.ls/habitat/db_template.php\r\nhxxp://alcafricanos[.]com/slsmonographs/db_template.php\r\nhxxps://agapeencounter[.]org//db_template.php\r\nhxxp://apobiomedix[.]ca//db_template.php\r\nhxxp://anythinglah[.]info//db_template.php\r\nhxxp://aniroleplay[.]net//db_template.php\r\nhxxp://www.allcopytoners[.]com//db_template.php\r\nhxxp://alphaobring[.]com//db_template.php\r\nhxxp://www.galwayprimary[.]co.za//db_template.php\r\nhxxp://alnuzha[.]org/en/db_template.php\r\nhxxps://ancient-wisdoms[.]com//db_template.php\r\nhxxp://amazingenergysavings[.]net//db_template.php\r\nhxxp://gvs[.]com[.]pk/font-awesome/db_template.php\r\nhxxp://geetransfers[.]co.za/font-awesome/db_template.php\r\nhxxp://carlagrobler[.]co.za/components/db_template.php\r\nhxxp://amazingashwini[.]com//db_template.php\r\nhxxp://aminearserver[.]es//db_template.php\r\nhxxp://lensofafrica[.]co.za//db_template.php\r\nhxxp://greenacrestf[.]co.za/video/db_template.php\r\nhxxp://www.tonaro[.]co.za//db_template.php\r\n
hxxp://alephit2[.]biz/kitzz/db_template.php\r\nhxxp://lppaportal[.]org.ls//db_template.php\r\nhxxp://alkousy[.]com//db_template.php\r\nhxxp://ambulatorioveterinariocalusco[.]com/img/common/db_template.php\r\nhxxp://fragranceoil[.]co.za//db_template.php\r\nhxxp://www.eloquent[.]co.za/nweb2/db_template.php\r\nhxxp://chrishanicdc[.]org/wpimages/db_template.php\r\nhxxp://ahc.me[.]uk//db_template.php\r\nhxxp://www.britishasia-equip[.]co[.]uk//db_template.php\r\nhxxp://always-beauty[.]ch//db_template.php\r\nhxxps://www.ancamamara[.]com/wp-admin/db_template.php\r\nhxxp://entracorntrading[.]co.za//db_template.php\r\nhxxp://www.alexjeffersonconsulting[.]com/wp-includes/db_template.php\r\nhxxp://americabr[.]com.br//db_template.php\r\nhxxp://andrew-snyder[.]net/bootstrap/db_template.php\r\nhxxp://signsoftime[.]co.za//db_template.php\r\nhxxp://aperta-armis[.]org//db_template.php\r\nhxxp://absfinancialplanning[.]co.za/images/db_template.php\r\nhxxp://charispaarl[.]co.za//db_template.php\r\nhxxp://indlovusecurity[.]co.za//db_template.php\r\nhxxp://alcafricandatalab[.]com//db_template.php\r\nhxxp://amor-clubhotels[.]com//db_template.php\r\nhxxp://mokorotlocorporate[.]com//db_template.php\r\nhxxp://apppriori[.]com//db_template.php\r\nhxxp://luxconprojects[.]co.za//db_template.php\r\nhxxp://androidphonetips[.]com/wp-includes/db_template.php\r\nhxxp://angel-seeds[.]com.ua/catalog/db_template.php\r\nhxxp://alissanicolai[.]com/assets/db_template.php\r\n
hxxps://www.amateurastronomy[.]org//db_template.php\r\nhxxp://aiofotoevideo[.]com//db_template.php\r\nhxxp://www.amika.hr//db_template.php\r\nhxxp://comfortex[.]co.za/php/db_template.php\r\nhxxp://deepgraphics[.]co.za//db_template.php\r\nhxxps://agiledepot[.]com//db_template.php\r\nhxxp://almatours[.]gr//db_template.php\r\nhxxp://analystcnwang[.]com//db_template.php\r\nhxxp://www.malboer[.]co.za/trendy1/db_template.php\r\nhxxp://sefikengfarm.co.ls//db_template.php\r\nhxxp://www.antirughenaturale[.]com/wp-admin/db_template.php\r\nhxxp://passright[.]co.za//db_template.php\r\nhxxp://seismicfactory[.]co.za//db_template.php\r\nhxxp://alessandroalessandrini[.]it//db_template.php\r\nhxxps://aquabsafe[.]com//db_template.php\r\nhxxp://amatikulutours[.]com/tmp/db_template.php\r\nhxxp://ganitis[.]gr//db_template.php\r\nhxxp://aleenasgiftbox[.]com/admin/db_template.php\r\nhxxps://allusdoctors[.]com/themes/db_template.php\r\nhxxp://alainsaffel[.]com//db_template.php\r\nhxxp://www.ariehandomri[.]com//db_template.php\r\nhxxp://aquaneeka[.]co[.]uk/wp-includes/db_template.php\r\nhxxp://itengineering[.]co.za/gatewaydiamond/db_template.php\r\nhxxp://alldomains-crm[.]com/bubblegumpopcorn[.]com/wp-admin/db_template.php\r\nhxxp://www.albertamechanical[.]ca//db_template.php\r\nhxxp://alchamel[.]info//db_template.php\r\nhxxps://almokan[.]net/wp-includes/db_template.php\r\nhxxp://jakobieducation[.]co.za//db_template.php\r\n
hxxps://arc-sec[.]net//db_template.php\r\nhxxp://ldams[.]org.ls/supplies/db_template.php\r\nhxxp://menaboracks[.]co.za/tmp/db_template.php\r\nhxxp://www.getcord[.]co.za//db_template.php\r\nhxxp://boardaffairs[.]com//db_template.php\r\nhxxp://capetownway[.]co.za//db_template.php\r\nhxxp://cloudhostdesign[.]com//db_template.php\r\nhxxp://hartenboswaterpark[.]co.za/templates/db_template.php\r\nhxxp://fccorp[.]co.za/php/db_template.php\r\nhxxp://angar68[.]com//db_template.php\r\nhxxp://www.dws-gov[.]co.za//db_template.php\r\nhxxp://alwahahweb[.]com//db_template.php\r\nhxxp://anuragcreatives[.]com//db_template.php\r\nhxxp://embali[.]co.za//db_template.php\r\nhxxp://albertaedmonton[.]com/widgetstyles/db_template.php\r\nhxxp://altosdefontana[.]com//db_template.php\r\nhxxp://airfanhydro[.]net//db_template.php\r\nhxxps://www.alexponcet[.]com/wp-includes/db_template.php\r\nhxxp://agropecuariavilarica[.]com.br//db_template.php\r\nhxxps://www.amazingbuyrd[.]com/admin/db_template.php\r\nhxxp://cdxtrading[.]co.za//db_template.php\r\nhxxp://interafricaconsulting[.]com/wpimages/db_template.php\r\nhxxp://glgroup[.]co.za/images/db_template.php\r\nhxxp://hisandherskennels[.]co.za/php/db_template.php\r\nhxxp://alemaohost[.]com/lotosorg[.]com/db_template.php\r\nhxxp://isibaniedu[.]co.za/admin/db_template.php\r\nhxxp://dianakleyn[.]co.za/layouts/db_template.php\r\nhxxp://themotoringcalendar[.]co.za//db_template.php\r\n
hxxp://www.loansonhomes[.]co.za//db_template.php\r\nhxxp://edgesecurity[.]co.za/js/db_template.php\r\nhxxp://highschoolsuperstar[.]co.za/files/db_template.php\r\nhxxp://www.ambientproperty[.]com//db_template.php\r\nhxxp://animationshowreel[.]co.il//db_template.php\r\nhxxp://cafawelding[.]co.za/font-awesome/db_template.php\r\nhxxp://apalawyers.pt//db_template.php\r\nhxxp://www.edesignz[.]co.za//db_template.php\r\nhxxp://centuryacademy[.]co.za/css/db_template.php\r\nhxxps://ambyenta.hr//db_template.php\r\nhxxp://ceramica[.]co.za//db_template.php\r\nhxxp://www.alfredoposada[.]com//db_template.php\r\nhxxp://anastasovsworkshop[.]com/wp-includes/db_template.php\r\nhxxp://allisonplumbing[.]com/wp-includes/db_template.php\r\nhxxp://eastrandmotorlab[.]co.za/fleet/db_template.php\r\nhxxp://angelsongroup[.]com/wp-includes/db_template.php\r\nhxxp://www.mikimaths[.]com//db_template.php\r\nhxxp://hjb-racing[.]co.za/htdocs/db_template.php\r\nhxxp://anotherpartofme[.]com/wp-includes/db_template.php\r\nhxxp://www.andreabelfi[.]com//db_template.php\r\nhxxp://www.iancullen[.]co.za//db_template.php\r\nhxxp://alaskamaterials[.]com//db_template.php\r\nhxxp://jeanetteproperties[.]co.za//db_template.php\r\nhxxp://www.digitalmedia[.]co.za//db_template.php\r\nhxxp://www.rejoicetheatre[.]com//db_template.php\r\nhxxps://alterwebhost[.]com//db_template.php\r\nhxxp://bc-u[.]co[.]uk//db_template.php\r\nhxxp://dpscdgkhan.edu[.]pk/shopping/db_template.php\r\n
hxxp://edgeforensic[.]co.za//db_template.php\r\nhxxp://willpowerpos[.]co.za//db_template.php\r\nhxxp://antrismode[.]com/wp-includes/db_template.php\r\nhxxp://colenesphotography[.]co.za/modules/db_template.php\r\nhxxp://anthaigroup.vn//db_template.php\r\nhxxps://alphainvestors[.]com.au//db_template.php\r\nhxxps://aliart[.]nl//db_template.php\r\nhxxps://allmantravel[.]com/thumbs/db_template.php\r\nhxxp://fbrvolume[.]co.za//db_template.php\r\nhxxp://amordegato[.]es/storefront/db_template.php\r\nhxxp://agylub[.]com//db_template.php\r\nhxxp://www.khotsonglodge.co.ls//db_template.php\r\nhxxp://ampli5yd[.]com//db_template.php\r\nhxxps://animeok[.]co.il//db_template.php\r\nhxxps://arbeidsrechtcentrum[.]nl//db_template.php\r\nhxxp://erniecommunications[.]co.za/js/db_template.php\r\nhxxp://promechtransport[.]co.za/scripts/db_template.php\r\nhxxp://centuriongsd[.]co.za//db_template.php\r\nhxxp://www.agencesylvieleclerc[.]com//db_template.php\r\nhxxp://delcom[.]co.za//db_template.php\r\nhxxps://aleoestudio[.]com/gallonature/db_template.php\r\nhxxp://oftheearthphotography[.]com/www/db_template.php\r\nhxxp://h-dubepromotions[.]co.za//db_template.php\r\nhxxp://www.alessioborzuola[.]com/downloads/db_template.php\r\nhxxp://crystaltidings[.]co.za//db_template.php\r\nhxxp://funeralbusinesssolution[.]com/email_template/db_template.php\r\nhxxp://funisalodge[.]co.za/data1/db_template.php\r\nhxxp://experttutors[.]co.za//db_template.php\r\n
hxxps://www[.]cartridgecave[.]co.za//db_template.php\r\nhxxp://ecs-consult[.]com//db_template.php\r\nhxxp://www.animationinisrael[.]org/tmp_images/db_template.php\r\nhxxp://gideonitesprojects[.]com//db_template.php\r\nhxxp://hybridauto[.]co.za/photography/db_template.php\r\nhxxp://africanpixels.zar.cc//db_template.php\r\nhxxp://ryanchristiefurniture[.]co.za//db_template.php\r\nhxxp://evansmokaba[.]com/evansmokaba[.]com/thabiso/db_template.php\r\nhxxp://almeriahotelja[.]com/dk/db_template.php\r\nhxxp://al3abflash[.]biz//db_template.php\r\nhxxp://www.fun4kidz[.]co.za//db_template.php\r\nhxxp://alsharhanstore[.]com//db_template.php\r\nhxxp://www[.]infratechconsulting[.]com//db_template.php\r\nhxxp://algihad[.]com/assets/db_template.php\r\nhxxp://americanwestmedia[.]com//db_template.php\r\nhxxp://charliewestsecurity[.]co.za//db_template.php\r\nhxxp://beehiveholdingszar[.]co.za//db_template.php\r\nhxxp://analyticalfootball[.]com//db_template.php\r\nhxxp://apiiination[.]com/leadership/db_template.php\r\nhxxps://ahelicoptermom[.]com/wp-includes/db_template.php\r\nhxxp://servicebox[.]co.za//db_template.php\r\nhxxp://globalelectricalandconstruction[.]co.za/wpscripts/db_template.php\r\nhxxps://aquo[.]in//db_template.php\r\nhxxps://www.alfransia[.]com/wp-admin/db_template.php\r\nhxxp://www.icsswaziland[.]com//db_template.php\r\nhxxp://aiko.pro//db_template.php\r\nhxxps://alceharfield[.]com//db_template.php\r\nhxxp://indocraft[.]co.za/test/db_template.php\r\n
hxxp://allegiancesecurity[.]org//db_template.php\r\nhxxp://sullivanprimary[.]co.za//db_template.php\r\nhxxp://www.apmequestrian[.]com//db_template.php\r\nhxxps://alphawaves[.]org/wp-admin/db_template.php\r\nhxxp://www.alexandrasternin[.]com/illustration/db_template.php\r\nhxxp://www.daleth[.]co.za//db_template.php\r\nhxxp://jwseshowe[.]co.za/assets/db_template.php\r\nhxxp://winagainstebola[.]com//db_template.php\r\nhxxp://anubandh[.]in//db_template.php\r\nhxxp://www.alexanderhomestead[.]com//db_template.php\r\nhxxp://alfatek-intelligence[.]com//db_template.php\r\nhxxp://www.aprendiendoencasa[.]com/wp-includes/db_template.php\r\nhxxp://alorabrownies[.]com/wp-admin/db_template.php\r\nhxxp://andrasadam[.]com/tothildiko/wp-includes/db_template.php\r\nhxxp://cazochem[.]co.za/cazochem/db_template.php\r\nhxxp://debnoch[.]com/image/db_template.php\r\nhxxp://hmholdings360[.]co.za//db_template.php\r\nhxxp://iinvest4u[.]co.za//db_template.php\r\nhxxp://burgercoetzeeattorneys[.]co.za//db_template.php\r\nhxxp://anngrigphoto[.]com//db_template.php\r\nhxxp://alchemistasonida[.]com//db_template.php\r\nhxxp://anahera[.]biz/admin/db_template.php\r\nhxxp://h-u-i[.]co.za/heiren/db_template.php\r\nhxxp://insta-art[.]co.za//db_template.php\r\nhxxp://muallematsela[.]com//db_template.php\r\nhxxp://aguasdecastilla[.]com/uploads/db_template.php\r\nhxxp://www.arabgamenetwork[.]com//db_template.php\r\nhxxps://arhiepiscopiabucurestilor[.]ro/templates/db_template.php\r\n
hxxp://amruthavana[.]com/blog/db_template.php\r\nhxxp://digitalblue[.]co.za//db_template.php\r\nhxxps://www.alvarezarquitectos[.]com//db_template.php\r\nhxxp://buboobioinnovations[.]co.za/wpimages/db_template.php\r\nhxxp://andrewsbisom[.]com//db_template.php\r\nhxxp://www.m-3[.]co.za//db_template.php\r\nhxxp://beesrenovations[.]co.za/images/db_template.php\r\nhxxps://www.apliety[.]co.il/wp-includes/db_template.php\r\nhxxp://alchamelup[.]org/htdocs/db_template.php\r\nhxxp://benonicoc[.]co.za/resources/db_template.php\r\nhxxps://al-mostakbl[.]com//db_template.php\r\nhxxp://alchimiegrafiche[.]net/bbdelteatro/db_template.php\r\nhxxp://andrespazsoldan[.]com//db_template.php\r\nhxxp://in2accounting[.]co.za//db_template.php\r\nhxxp://aipa[.]ca//db_template.php\r\nhxxp://alphabee.fund/PHPMailer_5.2.0/db_template.php\r\nhxxp://arabsdeals[.]com//db_template.php\r\nhxxps://archiotronic[.]com/wp-includes/db_template.php\r\nhxxp://capewindstrading[.]co.za//db_template.php\r\nhxxps://althurayaa[.]com//db_template.php\r\nhxxp://jhphotoedits[.]co.za//db_template.php\r\nhxxp://cloudhub.co.ls/modules/db_template.php\r\nhxxp://apironco[.]com/wp-includes/db_template.php\r\nhxxp://digital-cameras-south-africa[.]co.za/script/db_template.php\r\nhxxp://ahmadhasanat[.]com//db_template.php\r\nhxxp://alexrocchi[.]com//db_template.php\r\nhxxp://aljaadi[.]com//db_template.php\r\nhxxps://www.engeltjieakademie[.]co.za//db_template.php\r\n
hxxp://annabelle[.]nl/next/db_template.php\r\nhxxp://juniorad[.]co.za/vendor/db_template.php\r\nhxxp://animationpulse[.]net//db_template.php\r\nhxxp://angloglot[.]com//db_template.php\r\nhxxp://agricolavicuna.cl//db_template.php\r\nhxxp://alexelgy[.]com/allaccess/db_template.php\r\nhxxp://www.centreforgovernance[.]uk//db_template.php\r\nhxxp://www.aliandconsulting[.]com//db_template.php\r\nhxxp://balaateen[.]co.za/less/db_template.php\r\nhxxp://aleksicdunja[.]com//db_template.php\r\nhxxp://arestihome[.]com//db_template.php\r\nhxxp://am1int.fcomet[.]com/wp1/db_template.php\r\nhxxp://anet-international-group[.]com/shop/db_template.php\r\nhxxp://courtesydriving[.]co.za/js/db_template.php\r\nhxxp://annaplebanek[.]com//db_template.php\r\nhxxp://agencijazemil[.]com//db_template.php\r\nhxxp://airminumtiro[.]com//db_template.php\r\nhxxp://www.androidwikihow[.]com//db_template.php\r\nhxxp://alisabyfinna[.]com//db_template.php\r\nhxxp://rma-law[.]co.za//db_template.php\r\nhxxp://amari[.]ro/components/db_template.php\r\nhxxp://anxiousandunstoppable[.]com//db_template.php\r\nhxxp://www.buhlebayoacademy[.]com//db_template.php\r\nhxxp://arabellajo[.]com/wp/wp-includes/db_template.php\r\nhxxp://blackthorn[.]co.za//db_template.php\r\nhxxp://alaqaba[.]com/dnsarabia[.]com/db_template.php\r\nhxxp://airesis.blog/wp-admin/db_template.php\r\nhxxp://www.aptibet[.]org//db_template.php\r\nhttps://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html\r\nPage 19 of 
23\n\nhxxp://alecattic[.]com/wp-includes/db_template.php\r\nhxxp://anglero[.]com//db_template.php\r\nhxxp://getabletravel[.]co.za/wpscripts/db_template.php\r\nhxxp://www.allwestdental[.]com/wp-includes/db_template.php\r\nhxxp://printernet[.]co.za//db_template.php\r\nhxxp://genesisbs[.]co.za//db_template.php\r\nhxxp://allsporthealthandfitness[.]com//db_template.php\r\nhxxp://www.humorcarbons[.]com//db_template.php\r\nhxxp://intelligentprotection[.]co.za//db_template.php\r\nhxxp://amazethings[.]com//db_template.php\r\nhxxp://incoso[.]co.za/images/db_template.php\r\nhxxp://www.antoanetapalikarska[.]com//db_template.php\r\nhxxps://www.alteaparadise[.]com/wp-includes/db_template.php\r\nhxxp://amirmenahem[.]com//db_template.php\r\nhxxp://isound[.]co.za//db_template.php\r\nhxxp://www.alestilorachel[.]com//db_template.php\r\nhxxp://alcfm[.]net/wp-admin/db_template.php\r\nhxxp://www.acer-parts[.]co.za//db_template.php\r\nhxxp://www.gsmmid[.]com//db_template.php\r\nhxxp://skhaleni[.]co.za//db_template.php\r\nhxxps://amiici.vision//db_template.php\r\nhxxps://andihaas[.]at/wp-includes/db_template.php\r\nhxxp://www.albertaprimebeef[.]com//db_template.php\r\nhxxps://www.appster[.]it/wp-includes/db_template.php\r\nhxxp://amofoundation[.]org/wp-includes/db_template.php\r\nhxxp://iqra[.]co.za/pub/db_template.php\r\nhxxp://thecompasssolutions[.]co.za//db_template.php\r\nhxxp://archwaycarpetscrm[.]co[.]uk//db_template.php\r\nhttps://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html\r\nPage 20 of 
23\n\nhxxp://iggleconsulting[.]com//db_template.php\r\nhxxps://angel-blanco[.]net/wp-includes/db_template.php\r\nhxxps://anotherdayinparadise[.]ca//db_template.php\r\nhxxp://www.bitp[.]co.za//db_template.php\r\nhxxp://cupboardcure[.]co.za/vendor/db_template.php\r\nhxxp://all2wedding[.]com/wp-includes/db_template.php\r\nhxxp://allianz[.]com.pe/wp-admin/db_template.php\r\nhxxp://amiehepperlin[.]com//db_template.php\r\nhxxps://www.amighini[.]it/webservice/db_template.php\r\nhxxp://broken-arrow[.]co.za//db_template.php\r\nhxxp://www.ihlosiqs-pm[.]co.za//db_template.php\r\nhxxp://alisimple[.]si/wp-includes/db_template.php\r\nhxxp://allthat[.]social//db_template.php\r\nhxxp://www.amphibiblechurch[.]com//db_template.php\r\nhxxp://bestencouragementwords[.]com//db_template.php\r\nhxxp://alayhamtechnologies[.]com//db_template.php\r\nhxxps://alaskanharvestseafood[.]com/backup/db_template.php\r\nhxxps://www.air-mag[.]ro//db_template.php\r\nhxxp://get-paid-for-online-survey[.]com//db_template.php\r\nhxxp://www.antc[.]ch/wp-includes/db_template.php\r\nhxxp://firstchoiceproperties[.]co.za//db_template.php\r\nhxxp://habibtextiles[.]pk//db_template.php\r\nhxxp://fsproperties[.]co.za/engine1/db_template.php\r\nhxxp://diegemmerkat[.]co.za//db_template.php\r\nhxxp://molepetravel.co.ls//db_template.php\r\nhxxp://mmetl[.]co.za//db_template.php\r\nhxxp://altrablog[.]com//db_template.php\r\nhxxp://abrahamseed[.]co.za//db_template.php\r\nhttps://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html\r\nPage 21 of 
23\n\nhxxp://www.amerindgen[.]com/author/admin1/db_template.php\r\nhxxp://altcoinaddict[.]com//db_template.php\r\nhxxp://iiee.edu[.]pk//db_template.php\r\nhxxp://cmhts[.]co.za/resources/db_template.php\r\nhxxp://domesticguardians[.]co.za/Banner/db_template.php\r\nhxxps://amishcountryfurnishings[.]com//db_template.php\r\nhxxps://allday[.]gr//db_template.php\r\nhxxp://www.alinn-u-yin[.]com//db_template.php\r\nhxxps://www.allin-chain[.]com//db_template.php\r\nhxxps://www.anatapackaging[.]com/vendors/db_template.php\r\nhxxp://alexcelts[.]com/wp/db_template.php\r\nhxxp://www.allstylus[.]com.br//db_template.php\r\nhxxp://www.algom-law[.]com//db_template.php\r\nhxxp://ambiances-toiles[.]fr//db_template.php\r\nAppendix\r\nSecurity Tools Checked on the Machine\r\nwin32_remote\r\nwin64_remote64\r\nollydbg\r\nProcessHacker\r\ntcpview\r\nautoruns\r\nautorunsc\r\nfilemon\r\nprocmon\r\nregmon\r\nprocexp\r\nidaq\r\nhttps://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html\r\nPage 22 of 23\n\nidaq64\r\nImmunityDebugger\r\nWireshark\r\ndumpcap\r\nHookExplorer\r\nImportREC\r\nPETools\r\nLordPE\r\ndumpcap\r\nSysInspector\r\nproc_analyzer\r\nsysAnalyzer\r\nsniff_hit\r\nwindbg\r\njoeboxcontrol\r\njoeboxserver\r\nSource: https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html\r\nhttps://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html\r\nPage 23 of 23",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
	],
	"report_names": [
		"iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b53699b4a48d16d8f0745bbd3ae62762e2174fd1.pdf",
		"text": "https://archive.orkl.eu/b53699b4a48d16d8f0745bbd3ae62762e2174fd1.txt",
		"img": "https://archive.orkl.eu/b53699b4a48d16d8f0745bbd3ae62762e2174fd1.jpg"
	}
}