{
	"id": "980868e3-2d5d-4c32-91b7-d770de68a67d",
	"created_at": "2026-04-06T00:10:58.749614Z",
	"updated_at": "2026-04-10T13:11:31.192589Z",
	"deleted_at": null,
	"sha1_hash": "fa738be5d10521d4f90279de7ab0c3000544c539",
	"title": "Source code of Iranian cyber-espionage tools leaked on Telegram",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55226,
	"plain_text": "Source code of Iranian cyber-espionage tools leaked on Telegram\r\nBy Written by Catalin Cimpanu, ContributorContributor April 17, 2019 at 4:24 p.m. PT\r\nArchived: 2026-04-05 17:28:59 UTC\r\nIn an incident reminiscent of the Shadow Brokers leak that exposed the NSA's hacking tools, someone has now\r\npublished similar hacking tools belonging to one of Iran's elite cyber-espionage units, known as APT34, Oilrig, or\r\nHelixKitten.\r\nThe hacking tools are nowhere near as sophisticated as the NSA tools leaked in 2017, but they are dangerous\r\nnevertheless.\r\nVictim data also dumped online\r\nThe tools have been leaked since mid-March on a Telegram channel by an individual using the Lab Dookhtegan\r\npseudonym.\r\nBesides hacking tools, Dookhtegan also published what appears to be data from some of APT34's hacked victims,\r\nmostly comprising of username and password combos that appear to have been collected through phishing pages.\r\nZDNet was previously aware of some of these tools and victim data after this reporter received a tip in mid-March.\r\nIn a Twitter DM, a Twitter user shared some of the same files that were discovered today on Telegram, and we\r\nbelieve that this Twitter user is the Telegram Lab Dookhtegan persona.\r\nAPT34 Twitter\r\nImage: ZDNet\r\nIn our Twitter conversation, the leaker claimed to have worked on the group's DNSpionage campaign, but this\r\nshould be taken with a grain of salt, as the leaker could very well be a member of a foreign intelligence agency\r\ntrying to hide their real identity while giving more credence to the authenticity of Iran's hacking tools and\r\noperations.\r\nFurthermore, ZDNet has also learned that the same Twitter persona had also contacted tens of other reporters and\r\ninfosec researchers with the same message, in an attempt to promote the leak. Similarly, the same persona has also\r\nposted links to some of these hacking tools on public hacking-focused forums. 
On these forums, he claimed to be selling the hacked files, yet he never mentioned a price.\r\nAuthenticity confirmed\r\nSeveral cyber-security experts have already confirmed the authenticity of these tools. Chronicle, Alphabet's cyber-security division, confirmed this to ZDNet earlier today.\r\nIn the Telegram channel discovered today, the hacker leaked the source code of six hacking tools, as well as the contents of several active backend panels where victim data had been collected.\r\nHacking tools:\r\n- Glimpse (newer version of a PowerShell-based trojan that Palo Alto Networks names BondUpdater)\r\n- PoisonFrog (older version of BondUpdater)\r\n- HyperShell (web shell that Palo Alto Networks calls TwoFace)\r\n- HighShell (another web shell)\r\n- Fox Panel (phishing kit)\r\n- Webmask (DNS tunneling, main tool behind DNSpionage)\r\nBesides source code for the above tools, Dookhtegan also leaked on the Telegram channel data taken from victims that had been collected on some of APT34's backend command-and-control (C&C) servers.\r\nAPT34 victim data\r\nImage: ZDNet\r\nIn total, according to Chronicle, Dookhtegan leaked data from 66 victims, mainly from countries in the Middle East, but also from Africa, East Asia, and Europe.\r\nData was taken from government agencies as well as private companies. The two biggest companies named on the Telegram channel are Etihad Airways and Emirates National Oil. A list of the victims (but without company/government agency names) is available here.\r\nData leaked from each victim varied, ranging from username and password combinations to internal network server information and user IPs.\r\nAdditionally, Dookhtegan leaked data about past APT34 operations, listing the IP addresses and domains where the group had hosted web shells in the past, and other operational data.\r\nAPT34 web shells\r\nImage: ZDNet\r\nBesides data on past operations, the leaker also doxxed Iranian Ministry of Intelligence officers, posting phone numbers, images, and names of officers involved with APT34 operations. For some officers, Dookhtegan created PDF files containing their names, roles, images, phone numbers, email addresses, and social media profiles.\r\nAPT34 doxx\r\nImage: ZDNet\r\nIt was clear from the detailed doxing packages that the leaker had a bone to pick with the Iranian Ministry of Intelligence officers, whom he referred to many times as \"cruel,\" \"ruthless,\" and \"criminal.\"\r\n\"We have more secret information about the crimes of the Iranian Ministry of Intelligence and its managers and we are determined to continue to expose them,\" Dookhtegan said in a Telegram message posted last week.\r\nThe leaker also posted screenshots on the Telegram channel alluding to destroying the control panels of APT34 hacking tools and wiping servers clean.\r\nAPT34 destroyed server\r\nImage: ZDNet\r\nAPT34 BIOS destroy\r\nImage: ZDNet\r\nThe data leaked on this Telegram channel is now under analysis by several cyber-security firms, ZDNet was told. It has also made its way onto other file-sharing sites, such as GitHub.\r\n\"It's likely this group will alter their toolset in order to maintain operational status,\" Brandon Levene, Head of Applied Intelligence at Chronicle, told ZDNet today in an email. \"There may be some copycat activity derived from the leaked tools, but it is unlikely to see widespread use.\"\r\nThis is because the tools aren't sophisticated and aren't top-tier tools like the ones leaked in the Shadow Brokers' NSA leak. Nation-state or criminal groups who reuse these tools will most likely do so as a smokescreen or false flag, to mask their operations as APT34.\r\nSource: https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/"
	],
	"report_names": [
		"source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa738be5d10521d4f90279de7ab0c3000544c539.pdf",
		"text": "https://archive.orkl.eu/fa738be5d10521d4f90279de7ab0c3000544c539.txt",
		"img": "https://archive.orkl.eu/fa738be5d10521d4f90279de7ab0c3000544c539.jpg"
	}
}