{
	"id": "f93d28c4-9a7b-4a63-9d33-04cb21783bc7",
	"created_at": "2026-05-05T02:46:15.864343Z",
	"updated_at": "2026-05-05T02:46:37.093808Z",
	"deleted_at": null,
	"sha1_hash": "bf1592af2539cab10a20891fc73a15b1cce891c7",
	"title": "Cybercriminal greeners from Iran attack companies worldwide for financial gain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 391104,
	"plain_text": "Cybercriminal greeners from Iran attack companies worldwide for\r\nfinancial gain\r\nArchived: 2026-05-05 02:09:27 UTC\r\nGroup-IB, a global threat hunting and intelligence company headquartered in Singapore, has detected financially\r\nmotivated attacks carried out by Iranian newbie threat actors in June. The attackers used Dharma ransomware and\r\na mix of publicly available tools to target companies in Russia, Japan, China, and India. All the affected\r\norganizations had hosts with Internet-facing RDP and weak credentials. The hackers typically demanded a ransom\r\nbetween 1-5 BTC. The newly discovered hacker group suggests that Iran, which has been known as a cradle of\r\nstate-sponsored APT groups for years, now also accommodates financially motivated cybercriminals.\r\nGroup-IB researchers have recently observed increased activity around Dharma ransomware distribution.\r\nDharma, also known as Crysis, has been distributed under a ransomware-as-a-service (RaaS) model at least since\r\n2016. Its source code popped up for sale in March 2020, making it available to a wider audience. During an\r\nincident response engagement for a company in Russia, Group-IB’s DFIR team established that Persian-speaking\r\nnewbie hackers were behind a new wave of Dharma distribution. Even though the exact number of victims is\r\nunknown, the discovered forensic artifacts made it possible to establish the geography of their campaigns and their toolset,\r\nwhich is far behind the level of sophistication of big-league Iranian APTs.\r\nIt was revealed that the operators scanned ranges of IPs for hosts with Internet-facing RDP and weak credentials\r\nin Russia, Japan, China, and India. To do so, they used a popular tool called Masscan; the same technique was\r\nemployed by Fxmsp, an infamous seller of access to corporate networks. 
Once vulnerable hosts were identified,\r\nthe attackers deployed NLBrute to brute-force their way into the system and to check the validity of the obtained\r\ncredentials on other accessible hosts in the network. In some attacks, they attempted to elevate privileges using an\r\nexploit for CVE-2017-0213.\r\nInterestingly, the threat actors likely didn’t have a clear plan for what to do with the compromised networks. Once\r\nthey established the RDP connection, they decided which tools to deploy to move laterally. For instance, to\r\ndisable built-in antivirus software, the attackers used Defender Control and Your Uninstaller. The latter was\r\ndownloaded from an Iranian software sharing website; the Google search query in Persian “افزار نرم دانلود\r\nyoure unistaller” was discovered in the Chrome artifacts. Other tools were downloaded by the attackers from\r\nPersian-language Telegram channels once they were already inside the network.\r\nTo scan for accessible hosts in the compromised network, the threat actor used Advanced Port Scanner, another\r\npublicly available tool. After the network reconnaissance activities were completed, the adversary used the collected\r\ninformation to move laterally through the network using the RDP protocol. The end goal of the attackers was to\r\ndrop and execute a variant of Dharma ransomware: the adversary connected to the targeted hosts, dropped the\r\nDharma executable, and executed it manually. On average, the ransom demand was between 1-5 BTC.\r\nThe fact that the Dharma source code has been made widely available led to an increase in the number of operators\r\ndeploying it. It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial\r\ngain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage. 
Despite\r\nthe fact that these cybercriminals use quite common tactics, techniques and procedures, they have been quite effective.\r\nTherefore, we believe it’s important to provide some recommendations on how to protect against them and give a\r\ncomplete outline of the MITRE ATT\u0026CK mapping.\r\nOleg Skulkin\r\nSenior Digital Forensics Specialist\r\nThe pandemic exposed a great number of vulnerable hosts, with many employees working from home, and this\r\nvector became increasingly popular among cybercriminals. Therefore, the default RDP port 3389 should be changed\r\nto any other port. As the attackers usually need several attempts to brute-force passwords and gain\r\naccess to the RDP, it is important to enable account lockout policies by limiting the number of failed login\r\nattempts per user. Threat intelligence solutions enable organizations to mitigate risks and further damage by\r\nquickly identifying stolen data and tracking down the source of the breach, while specialized threat detection\r\nsystems make it possible to discover unwanted intrusions, traffic anomalies within the corporate network, and attempts to\r\ngain unauthorized access to any data.\r\nAbout Group-IB\r\nEstablished in 2003, Group-IB is a leading creator of predictive cybersecurity technologies to investigate, prevent,\r\nand fight digital crime globally. 
Headquartered in Singapore, and with Digital Crime Resistance Centers in the\r\nAmericas, Europe, Middle East and Africa, Central Asia, and the Asia-Pacific, Group-IB delivers predictive,\r\nintelligence-driven defense by analysing and neutralizing regional and country-specific cyber threats via its\r\nUnified Risk Platform, offering unparalleled defense through its industry-leading Cyber Fraud Intelligence\r\nPlatform, Cloud Security Posture Management, Threat Intelligence, Fraud Protection, Digital Risk Protection,\r\nManaged Extended Detection and Response (XDR), Business Email Protection, and External Attack Surface\r\nManagement solutions, catering to government, retail, healthcare, gaming, financial sectors, and beyond.\r\nGroup-IB collaborates with international law enforcement agencies like INTERPOL, Europol, and AFRIPOL to fortify\r\ncybersecurity worldwide, and has been awarded by advisory agencies including Datos Insights, Gartner, Forrester,\r\nFrost \u0026 Sullivan, and KuppingerCole.\r\nFor more information, visit us at www.group-ib.com or connect with us on LinkedIn, X, Facebook, and Instagram.\r\nDiscover our podcasts to hear from leading voices on Masked Actors and Fraud Intel, where top cybersecurity\r\nexperts share real-world experiences, emerging trends, and practical insights to help you stay one step ahead in the\r\nfight against cyber crime.\r\nSource: https://www.group-ib.com/media/iran-cybercriminals/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/media/iran-cybercriminals/"
	],
	"report_names": [
		"iran-cybercriminals"
	],
	"threat_actors": [],
	"ts_created_at": 1777949175,
	"ts_updated_at": 1777949197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf1592af2539cab10a20891fc73a15b1cce891c7.pdf",
		"text": "https://archive.orkl.eu/bf1592af2539cab10a20891fc73a15b1cce891c7.txt",
		"img": "https://archive.orkl.eu/bf1592af2539cab10a20891fc73a15b1cce891c7.jpg"
	}
}