{
  "type": "Domain",
  "indicator": "amazonaws.work",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/amazonaws.work",
    "alexa": "http://www.alexa.com/siteinfo/amazonaws.work",
    "indicator": "amazonaws.work",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4066366191,
      "indicator": "amazonaws.work",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "681a66fd8309a0fad22d97ae",
          "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure",
          "description": "This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multiple network segments. Key findings include the use of novel malware families like HanifNet and NeoExpressRAT, as well as extensive credential harvesting and lateral movement techniques. The intrusion demonstrated sophisticated evasion capabilities and targeted attempts to access operational technology networks. Forensic analysis revealed potential links to previously reported Iranian APT campaigns. The report provides detailed technical indicators and recommends enhanced logging, EDR deployment, and multi-factor authentication to defend against similar threats.",
          "modified": "2025-06-05T19:00:06.626000",
          "created": "2025-05-06T19:46:05.811000",
          "tags": [
            "apt",
            "credinterceptor",
            "custom malware",
            "systembc",
            "credential harvesting",
            "cve-2023-38950",
            "remoteinjector",
            "hxlibrary",
            "havoc",
            "cve-2023-38951",
            "critical infrastructure",
            "hanifnet",
            "cve-2023-38952",
            "proxy chaining",
            "lateral movement",
            "web shells",
            "neoexpressrat"
          ],
          "references": [
            "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf"
          ],
          "public": 1,
          "adversary": "Fox Kitten",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1003.002",
              "name": "Security Account Manager",
              "display_name": "T1003.002 - Security Account Manager"
            },
            {
              "id": "T1021.004",
              "name": "SSH",
              "display_name": "T1021.004 - SSH"
            },
            {
              "id": "T1556.002",
              "name": "Password Filter DLL",
              "display_name": "T1556.002 - Password Filter DLL"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1070.006",
              "name": "Timestomp",
              "display_name": "T1070.006 - Timestomp"
            },
            {
              "id": "T1021.002",
              "name": "SMB/Windows Admin Shares",
              "display_name": "T1021.002 - SMB/Windows Admin Shares"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1078.002",
              "name": "Domain Accounts",
              "display_name": "T1078.002 - Domain Accounts"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [
            "Energy",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 45,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 1,
            "domain": 8,
            "hostname": 7
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387007,
          "modified_text": "362 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6874bb3d32d8c700c4032cb0",
          "name": "Threat Actor Activity Related to the Iran Conflict",
          "description": "Recent observations from Nozomi Networks Labs highlight a significant escalation in cyberattacks attributed to Iranian threat actor groups, particularly targeting U.S. organizations in the transportation and manufacturing sectors. A 133% increase in activity was noted between May and June, with a total of 28 attacks reported during this period, compared to 12 in the preceding two months. The primary actors involved include MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice. MuddyWater, the most active of these groups, focuses on government and critical sectors, having successfully targeted at least five U.S. companies. APT33 has also shown notable activity, conducting attacks against three U.S. companies primarily engaged in aerospace and petrochemicals. Other groups, such as OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice, have each executed attacks against two U.S. firms, again emphasizing the concentration on transportation and manufacturing.",
          "modified": "2025-08-13T08:00:49.493000",
          "created": "2025-07-14T08:09:33.706000",
          "tags": [
            "nozomi networks",
            "nozomi threat",
            "intelligence",
            "labs",
            "apt33",
            "iran",
            "june",
            "muddywater",
            "oilrig",
            "cyberav3ngers",
            "april"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 6,
            "domain": 13,
            "hostname": 18,
            "URL": 40
          },
          "indicator_count": 77,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "293 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "681ac7f182949e1ea4764e41",
          "name": "IOC&TTP - Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure",
          "description": "2024\u5e7411\u6708\uff0cFortiGuard \u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\uff08FGIR\uff09\u5728\u4e2d\u4e1c\u67d0\u5173\u952e\u57fa\u7840\u8bbe\u65bd\uff08CNI\uff09\u7f51\u7edc\u4e2d\u53d1\u73b0\u4e86\u4e00\u8d77\u957f\u671f\u6e17\u900f\u653b\u51fb\uff0c\u8ffd\u6eaf\u53ef\u81f32023\u5e745\u6708\uff0c\u90e8\u5206\u75d5\u8ff9\u751a\u81f3\u53ef\u8ffd\u6eaf\u81f32021\u5e745\u6708\u3002\u653b\u51fb\u8005\u88ab\u9ad8\u5ea6\u786e\u4fe1\u4e0e**\u4f0a\u6717\u56fd\u5bb6\u652f\u6301\u7684\u5a01\u80c1\u7ec4\u7ec7 Lemon Sandstorm\uff08\u53c8\u540d Fox Kitten / Pioneer Kitten\uff09**\u6709\u5173\u3002\u6b64\u6b21\u5165\u4fb5\u663e\u793a\u4e86\u56fd\u5bb6\u7ea7APT\u5bf9CNI\u73af\u5883\u6301\u4e45\u5316\u63a7\u5236\u4e0e\u7eb5\u6df1\u6e17\u900f\u7684\u5f3a\u5927\u80fd\u529b\u3002\n\n\u653b\u51fb\u8005\u6700\u521d\u901a\u8fc7\u88ab\u76d7\u7528\u7684SSL VPN\u8d26\u53f7\u8fdb\u5165\u7f51\u7edc\uff0c\u5229\u7528\u591a\u79cd\u81ea\u5b9a\u4e49\u6216\u5f00\u6e90\u6076\u610f\u8f6f\u4ef6\uff08HanifNet\u3001HXLibrary\u3001NeoExpressRAT\u3001RemoteInjector\u3001SystemBC\u3001MeshCentral \u7b49\uff09\u7ef4\u6301\u6301\u4e45\u8bbf\u95ee\u3002\u5176\u5173\u952e\u76ee\u6807\u5305\u62ec\uff1a\u90ae\u4ef6\u7cfb\u7edf\u3001\u865a\u62df\u5316\u57fa\u7840\u8bbe\u65bd\u3001\u51ed\u8bc1\u6536\u96c6\u7cfb\u7edf\u53ca\u6a21\u62df\u7684OT\u7f51\u7edc\u3002\u653b\u51fb\u5de5\u5177\u7ec4\u5408\u7075\u6d3b\uff0c\u6db5\u76d6 webshell\u3001\u53cd\u5411\u4ee3\u7406\u3001\u5bc6\u7801\u94a9\u5b50DLL\u3001PowerShell\u8fdc\u63a7\u3001SSH\u3001RDP\u96a7\u9053\u7b49\u3002\n\n\u6b64\u5916\uff0c\u653b\u51fb\u8005\u8fd8\u90e8\u7f72\u4e86\u4e00\u7cfb\u5217\u9488\u5bf9\u6027\u6781\u5f3a\u7684\u9493\u9c7c\u6d3b\u52a8\u4e0eWeb\u95e8\u6237\u7be1\u6539\u624b\u6bb5\uff08\u5982\u4fee\u6539Exchange OWA\u767b\u5f55\u9875\u9762\u7684JavaScript\u4ee5\u62e6\u622a\u5bc6\u7801\uff09\uff0c\u5e76\u901a\u8fc7PoC\u4ee3\u7801\u5229\u7528\u5df2\u77e5Web\u6f0f\u6d1e\u5b9e\u65bd\u6e17\u900f\u3002\n\n\u6b64\u4e8b\u4ef6\u5c55\u793a\u4e86\u4f0a\u6717APT\u5728\u5173\u952e\u57fa\u7840\u8bbe\u65bd\u7f51\u7edc\u4e2d\u8fdb\u884c**\u60c5\u62a5\u6536\u96c6\u4e0e\u51b2\u7a81\u51c6\u5907\u5b9a\u4f4d\uff08prepositioning\uff09**\u7684\u771f\u5b9e\u610f\u56fe\u3002\u62a5\u544a\u8be6\u7ec6\u5217\u51fa\u5165\u4fb5\u65f6\u95f4\u7ebf\u3001\u6076\u610f\u4ee3\u7801\u5206\u6790\u3001TTP\u884c\u4e3a\u6a21\u5f0f\u3001MITRE ATT&CK\u6620\u5c04\u3001IOCs\u3001C2\u57df\u540d/IP\u3001APT\u5f52\u5c5e\u7ebf\u7d22\u4e0e\u5177\u4f53\u9632\u5fa1\u5efa\u8bae\u3002",
          "modified": "2025-06-05T19:00:06.626000",
          "created": "2025-05-07T02:39:45.775000",
          "tags": [
            "apt",
            "credinterceptor",
            "custom malware",
            "systembc",
            "credential harvesting",
            "cve-2023-38950",
            "remoteinjector",
            "hxlibrary",
            "havoc",
            "cve-2023-38951",
            "critical infrastructure",
            "hanifnet",
            "cve-2023-38952",
            "proxy chaining",
            "lateral movement",
            "web shells",
            "neoexpressrat"
          ],
          "references": [
            "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf"
          ],
          "public": 1,
          "adversary": "Lemon Sandstorm",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1003.002",
              "name": "Security Account Manager",
              "display_name": "T1003.002 - Security Account Manager"
            },
            {
              "id": "T1021.004",
              "name": "SSH",
              "display_name": "T1021.004 - SSH"
            },
            {
              "id": "T1556.002",
              "name": "Password Filter DLL",
              "display_name": "T1556.002 - Password Filter DLL"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1070.006",
              "name": "Timestomp",
              "display_name": "T1070.006 - Timestomp"
            },
            {
              "id": "T1021.002",
              "name": "SMB/Windows Admin Shares",
              "display_name": "T1021.002 - SMB/Windows Admin Shares"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1078.002",
              "name": "Domain Accounts",
              "display_name": "T1078.002 - Domain Accounts"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [
            "Energy",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "681a66fd8309a0fad22d97ae",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 1,
            "domain": 8,
            "hostname": 7
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "362 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68218d8bfd3eede26d8aa89e",
          "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure",
          "description": "",
          "modified": "2025-06-05T19:00:06.626000",
          "created": "2025-05-12T05:56:27.300000",
          "tags": [
            "apt",
            "credinterceptor",
            "custom malware",
            "systembc",
            "credential harvesting",
            "cve-2023-38950",
            "remoteinjector",
            "hxlibrary",
            "havoc",
            "cve-2023-38951",
            "critical infrastructure",
            "hanifnet",
            "cve-2023-38952",
            "proxy chaining",
            "lateral movement",
            "web shells",
            "neoexpressrat"
          ],
          "references": [
            "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf"
          ],
          "public": 1,
          "adversary": "Lemon Sandstorm",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1003.002",
              "name": "Security Account Manager",
              "display_name": "T1003.002 - Security Account Manager"
            },
            {
              "id": "T1021.004",
              "name": "SSH",
              "display_name": "T1021.004 - SSH"
            },
            {
              "id": "T1556.002",
              "name": "Password Filter DLL",
              "display_name": "T1556.002 - Password Filter DLL"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1070.006",
              "name": "Timestomp",
              "display_name": "T1070.006 - Timestomp"
            },
            {
              "id": "T1021.002",
              "name": "SMB/Windows Admin Shares",
              "display_name": "T1021.002 - SMB/Windows Admin Shares"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1078.002",
              "name": "Domain Accounts",
              "display_name": "T1078.002 - Domain Accounts"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [
            "Energy",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "681a66fd8309a0fad22d97ae",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 1,
            "domain": 8,
            "hostname": 7
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "362 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6821a99cca8c0daeb63e0e80",
          "name": "FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure",
          "description": "",
          "modified": "2025-06-05T19:00:06.626000",
          "created": "2025-05-12T07:56:12.393000",
          "tags": [
            "apt",
            "credinterceptor",
            "custom malware",
            "systembc",
            "credential harvesting",
            "cve-2023-38950",
            "remoteinjector",
            "hxlibrary",
            "havoc",
            "cve-2023-38951",
            "critical infrastructure",
            "hanifnet",
            "cve-2023-38952",
            "proxy chaining",
            "lateral movement",
            "web shells",
            "neoexpressrat"
          ],
          "references": [
            "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf"
          ],
          "public": 1,
          "adversary": "Lemon Sandstorm",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1003.002",
              "name": "Security Account Manager",
              "display_name": "T1003.002 - Security Account Manager"
            },
            {
              "id": "T1021.004",
              "name": "SSH",
              "display_name": "T1021.004 - SSH"
            },
            {
              "id": "T1556.002",
              "name": "Password Filter DLL",
              "display_name": "T1556.002 - Password Filter DLL"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1070.006",
              "name": "Timestomp",
              "display_name": "T1070.006 - Timestomp"
            },
            {
              "id": "T1021.002",
              "name": "SMB/Windows Admin Shares",
              "display_name": "T1021.002 - SMB/Windows Admin Shares"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1078.002",
              "name": "Domain Accounts",
              "display_name": "T1078.002 - Domain Accounts"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [
            "Energy",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "681a66fd8309a0fad22d97ae",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 1,
            "domain": 8,
            "hostname": 7
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "362 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf",
        "https://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Fox Kitten"
          ],
          "malware_families": [],
          "industries": [
            "Energy",
            "Government"
          ]
        },
        "other": {
          "adversary": [
            "Lemon Sandstorm"
          ],
          "malware_families": [],
          "industries": [
            "Energy",
            "Government"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "681a66fd8309a0fad22d97ae",
      "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure",
      "description": "This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multiple network segments. Key findings include the use of novel malware families like HanifNet and NeoExpressRAT, as well as extensive credential harvesting and lateral movement techniques. The intrusion demonstrated sophisticated evasion capabilities and targeted attempts to access operational technology networks. Forensic analysis revealed potential links to previously reported Iranian APT campaigns. The report provides detailed technical indicators and recommends enhanced logging, EDR deployment, and multi-factor authentication to defend against similar threats.",
      "modified": "2025-06-05T19:00:06.626000",
      "created": "2025-05-06T19:46:05.811000",
      "tags": [
        "apt",
        "credinterceptor",
        "custom malware",
        "systembc",
        "credential harvesting",
        "cve-2023-38950",
        "remoteinjector",
        "hxlibrary",
        "havoc",
        "cve-2023-38951",
        "critical infrastructure",
        "hanifnet",
        "cve-2023-38952",
        "proxy chaining",
        "lateral movement",
        "web shells",
        "neoexpressrat"
      ],
      "references": [
        "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf"
      ],
      "public": 1,
      "adversary": "Fox Kitten",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1003.002",
          "name": "Security Account Manager",
          "display_name": "T1003.002 - Security Account Manager"
        },
        {
          "id": "T1021.004",
          "name": "SSH",
          "display_name": "T1021.004 - SSH"
        },
        {
          "id": "T1556.002",
          "name": "Password Filter DLL",
          "display_name": "T1556.002 - Password Filter DLL"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1070.006",
          "name": "Timestomp",
          "display_name": "T1070.006 - Timestomp"
        },
        {
          "id": "T1021.002",
          "name": "SMB/Windows Admin Shares",
          "display_name": "T1021.002 - SMB/Windows Admin Shares"
        },
        {
          "id": "T1572",
          "name": "Protocol Tunneling",
          "display_name": "T1572 - Protocol Tunneling"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1078.002",
          "name": "Domain Accounts",
          "display_name": "T1078.002 - Domain Accounts"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [
        "Energy",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 45,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 1,
        "domain": 8,
        "hostname": 7
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387007,
      "modified_text": "362 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6874bb3d32d8c700c4032cb0",
      "name": "Threat Actor Activity Related to the Iran Conflict",
      "description": "Recent observations from Nozomi Networks Labs highlight a significant escalation in cyberattacks attributed to Iranian threat actor groups, particularly targeting U.S. organizations in the transportation and manufacturing sectors. A 133% increase in activity was noted between May and June, with a total of 28 attacks reported during this period, compared to 12 in the preceding two months. The primary actors involved include MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice. MuddyWater, the most active of these groups, focuses on government and critical sectors, having successfully targeted at least five U.S. companies. APT33 has also shown notable activity, conducting attacks against three U.S. companies primarily engaged in aerospace and petrochemicals. Other groups, such as OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice, have each executed attacks against two U.S. firms, again emphasizing the concentration on transportation and manufacturing.",
      "modified": "2025-08-13T08:00:49.493000",
      "created": "2025-07-14T08:09:33.706000",
      "tags": [
        "nozomi networks",
        "nozomi threat",
        "intelligence",
        "labs",
        "apt33",
        "iran",
        "june",
        "muddywater",
        "oilrig",
        "cyberav3ngers",
        "april"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        },
        {
          "id": "T1591",
          "name": "Gather Victim Org Information",
          "display_name": "T1591 - Gather Victim Org Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 6,
        "domain": 13,
        "hostname": 18,
        "URL": 40
      },
      "indicator_count": 77,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "293 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "681ac7f182949e1ea4764e41",
      "name": "IOC&TTP - Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure",
      "description": "2024\u5e7411\u6708\uff0cFortiGuard \u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\uff08FGIR\uff09\u5728\u4e2d\u4e1c\u67d0\u5173\u952e\u57fa\u7840\u8bbe\u65bd\uff08CNI\uff09\u7f51\u7edc\u4e2d\u53d1\u73b0\u4e86\u4e00\u8d77\u957f\u671f\u6e17\u900f\u653b\u51fb\uff0c\u8ffd\u6eaf\u53ef\u81f32023\u5e745\u6708\uff0c\u90e8\u5206\u75d5\u8ff9\u751a\u81f3\u53ef\u8ffd\u6eaf\u81f32021\u5e745\u6708\u3002\u653b\u51fb\u8005\u88ab\u9ad8\u5ea6\u786e\u4fe1\u4e0e**\u4f0a\u6717\u56fd\u5bb6\u652f\u6301\u7684\u5a01\u80c1\u7ec4\u7ec7 Lemon Sandstorm\uff08\u53c8\u540d Fox Kitten / Pioneer Kitten\uff09**\u6709\u5173\u3002\u6b64\u6b21\u5165\u4fb5\u663e\u793a\u4e86\u56fd\u5bb6\u7ea7APT\u5bf9CNI\u73af\u5883\u6301\u4e45\u5316\u63a7\u5236\u4e0e\u7eb5\u6df1\u6e17\u900f\u7684\u5f3a\u5927\u80fd\u529b\u3002\n\n\u653b\u51fb\u8005\u6700\u521d\u901a\u8fc7\u88ab\u76d7\u7528\u7684SSL VPN\u8d26\u53f7\u8fdb\u5165\u7f51\u7edc\uff0c\u5229\u7528\u591a\u79cd\u81ea\u5b9a\u4e49\u6216\u5f00\u6e90\u6076\u610f\u8f6f\u4ef6\uff08HanifNet\u3001HXLibrary\u3001NeoExpressRAT\u3001RemoteInjector\u3001SystemBC\u3001MeshCentral \u7b49\uff09\u7ef4\u6301\u6301\u4e45\u8bbf\u95ee\u3002\u5176\u5173\u952e\u76ee\u6807\u5305\u62ec\uff1a\u90ae\u4ef6\u7cfb\u7edf\u3001\u865a\u62df\u5316\u57fa\u7840\u8bbe\u65bd\u3001\u51ed\u8bc1\u6536\u96c6\u7cfb\u7edf\u53ca\u6a21\u62df\u7684OT\u7f51\u7edc\u3002\u653b\u51fb\u5de5\u5177\u7ec4\u5408\u7075\u6d3b\uff0c\u6db5\u76d6 webshell\u3001\u53cd\u5411\u4ee3\u7406\u3001\u5bc6\u7801\u94a9\u5b50DLL\u3001PowerShell\u8fdc\u63a7\u3001SSH\u3001RDP\u96a7\u9053\u7b49\u3002\n\n\u6b64\u5916\uff0c\u653b\u51fb\u8005\u8fd8\u90e8\u7f72\u4e86\u4e00\u7cfb\u5217\u9488\u5bf9\u6027\u6781\u5f3a\u7684\u9493\u9c7c\u6d3b\u52a8\u4e0eWeb\u95e8\u6237\u7be1\u6539\u624b\u6bb5\uff08\u5982\u4fee\u6539Exchange 
OWA\u767b\u5f55\u9875\u9762\u7684JavaScript\u4ee5\u62e6\u622a\u5bc6\u7801\uff09\uff0c\u5e76\u901a\u8fc7PoC\u4ee3\u7801\u5229\u7528\u5df2\u77e5Web\u6f0f\u6d1e\u5b9e\u65bd\u6e17\u900f\u3002\n\n\u6b64\u4e8b\u4ef6\u5c55\u793a\u4e86\u4f0a\u6717APT\u5728\u5173\u952e\u57fa\u7840\u8bbe\u65bd\u7f51\u7edc\u4e2d\u8fdb\u884c**\u60c5\u62a5\u6536\u96c6\u4e0e\u51b2\u7a81\u51c6\u5907\u5b9a\u4f4d\uff08prepositioning\uff09**\u7684\u771f\u5b9e\u610f\u56fe\u3002\u62a5\u544a\u8be6\u7ec6\u5217\u51fa\u5165\u4fb5\u65f6\u95f4\u7ebf\u3001\u6076\u610f\u4ee3\u7801\u5206\u6790\u3001TTP\u884c\u4e3a\u6a21\u5f0f\u3001MITRE ATT&CK\u6620\u5c04\u3001IOCs\u3001C2\u57df\u540d/IP\u3001APT\u5f52\u5c5e\u7ebf\u7d22\u4e0e\u5177\u4f53\u9632\u5fa1\u5efa\u8bae\u3002",
      "modified": "2025-06-05T19:00:06.626000",
      "created": "2025-05-07T02:39:45.775000",
      "tags": [
        "apt",
        "credinterceptor",
        "custom malware",
        "systembc",
        "credential harvesting",
        "cve-2023-38950",
        "remoteinjector",
        "hxlibrary",
        "havoc",
        "cve-2023-38951",
        "critical infrastructure",
        "hanifnet",
        "cve-2023-38952",
        "proxy chaining",
        "lateral movement",
        "web shells",
        "neoexpressrat"
      ],
      "references": [
        "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf"
      ],
      "public": 1,
      "adversary": "Lemon Sandstorm",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1003.002",
          "name": "Security Account Manager",
          "display_name": "T1003.002 - Security Account Manager"
        },
        {
          "id": "T1021.004",
          "name": "SSH",
          "display_name": "T1021.004 - SSH"
        },
        {
          "id": "T1556.002",
          "name": "Password Filter DLL",
          "display_name": "T1556.002 - Password Filter DLL"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1070.006",
          "name": "Timestomp",
          "display_name": "T1070.006 - Timestomp"
        },
        {
          "id": "T1021.002",
          "name": "SMB/Windows Admin Shares",
          "display_name": "T1021.002 - SMB/Windows Admin Shares"
        },
        {
          "id": "T1572",
          "name": "Protocol Tunneling",
          "display_name": "T1572 - Protocol Tunneling"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1078.002",
          "name": "Domain Accounts",
          "display_name": "T1078.002 - Domain Accounts"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [
        "Energy",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": "681a66fd8309a0fad22d97ae",
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 1,
        "domain": 8,
        "hostname": 7
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "362 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68218d8bfd3eede26d8aa89e",
      "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure",
      "description": "",
      "modified": "2025-06-05T19:00:06.626000",
      "created": "2025-05-12T05:56:27.300000",
      "tags": [
        "apt",
        "credinterceptor",
        "custom malware",
        "systembc",
        "credential harvesting",
        "cve-2023-38950",
        "remoteinjector",
        "hxlibrary",
        "havoc",
        "cve-2023-38951",
        "critical infrastructure",
        "hanifnet",
        "cve-2023-38952",
        "proxy chaining",
        "lateral movement",
        "web shells",
        "neoexpressrat"
      ],
      "references": [
        "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf"
      ],
      "public": 1,
      "adversary": "Lemon Sandstorm",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1003.002",
          "name": "Security Account Manager",
          "display_name": "T1003.002 - Security Account Manager"
        },
        {
          "id": "T1021.004",
          "name": "SSH",
          "display_name": "T1021.004 - SSH"
        },
        {
          "id": "T1556.002",
          "name": "Password Filter DLL",
          "display_name": "T1556.002 - Password Filter DLL"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1070.006",
          "name": "Timestomp",
          "display_name": "T1070.006 - Timestomp"
        },
        {
          "id": "T1021.002",
          "name": "SMB/Windows Admin Shares",
          "display_name": "T1021.002 - SMB/Windows Admin Shares"
        },
        {
          "id": "T1572",
          "name": "Protocol Tunneling",
          "display_name": "T1572 - Protocol Tunneling"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1078.002",
          "name": "Domain Accounts",
          "display_name": "T1078.002 - Domain Accounts"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [
        "Energy",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": "681a66fd8309a0fad22d97ae",
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 1,
        "domain": 8,
        "hostname": 7
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "362 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6821a99cca8c0daeb63e0e80",
      "name": "FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure",
      "description": "",
      "modified": "2025-06-05T19:00:06.626000",
      "created": "2025-05-12T07:56:12.393000",
      "tags": [
        "apt",
        "credinterceptor",
        "custom malware",
        "systembc",
        "credential harvesting",
        "cve-2023-38950",
        "remoteinjector",
        "hxlibrary",
        "havoc",
        "cve-2023-38951",
        "critical infrastructure",
        "hanifnet",
        "cve-2023-38952",
        "proxy chaining",
        "lateral movement",
        "web shells",
        "neoexpressrat"
      ],
      "references": [
        "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf"
      ],
      "public": 1,
      "adversary": "Lemon Sandstorm",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1003.002",
          "name": "Security Account Manager",
          "display_name": "T1003.002 - Security Account Manager"
        },
        {
          "id": "T1021.004",
          "name": "SSH",
          "display_name": "T1021.004 - SSH"
        },
        {
          "id": "T1556.002",
          "name": "Password Filter DLL",
          "display_name": "T1556.002 - Password Filter DLL"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1070.006",
          "name": "Timestomp",
          "display_name": "T1070.006 - Timestomp"
        },
        {
          "id": "T1021.002",
          "name": "SMB/Windows Admin Shares",
          "display_name": "T1021.002 - SMB/Windows Admin Shares"
        },
        {
          "id": "T1572",
          "name": "Protocol Tunneling",
          "display_name": "T1572 - Protocol Tunneling"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1078.002",
          "name": "Domain Accounts",
          "display_name": "T1078.002 - Domain Accounts"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [
        "Energy",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": "681a66fd8309a0fad22d97ae",
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 1,
        "domain": 8,
        "hostname": 7
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "362 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "amazonaws.work",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "amazonaws.work",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780461356.1259625
}