{
  "type": "Domain",
  "indicator": "uppdatefile.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/uppdatefile.com",
    "alexa": "http://www.alexa.com/siteinfo/uppdatefile.com",
    "indicator": "uppdatefile.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4243021515,
      "indicator": "uppdatefile.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "69a9e3eea1d0b6fa8bf0f06d",
          "name": "Iranian APT on Networks of U.S. Bank, Airport, Software Company",
          "description": "Iranian APT group Seedworm has been active on networks of multiple U.S. companies since February 2026, targeting a bank, airport, software company, and NGOs. The group deployed new backdoors named Dindoor and Fakeset, signed with certificates previously linked to Seedworm. The activity occurs amid escalating tensions between the U.S., Israel, and Iran. Seedworm, known for espionage and information gathering, has broadened its scope to target various sectors globally. The article discusses recent Iranian cyber activities, potential future threats, and provides recommendations for defenders to prepare against DDoS, credential attacks, leaks, critical infrastructure attacks, and destructive operations.",
          "modified": "2026-03-06T11:28:56.048000",
          "created": "2026-03-05T20:13:34.917000",
          "tags": [
            "pdq",
            "critical infrastructure",
            "u.s. targets",
            "httpsnoop",
            "fakeset",
            "iranian apt",
            "espionage",
            "dindoor",
            "backdoor",
            "cyberattack",
            "bibiwiper",
            "darkcomp",
            "phoenix",
            "cve-2023-6895",
            "cve-2017-7921",
            "stagecomp",
            "ddos",
            "data exfiltration",
            "apt",
            "geopolitical conflict"
          ],
          "references": [
            "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us"
          ],
          "public": 1,
          "adversary": "MuddyWater",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Israel"
          ],
          "malware_families": [
            {
              "id": "Dindoor",
              "display_name": "Dindoor",
              "target": null
            },
            {
              "id": "Fakeset",
              "display_name": "Fakeset",
              "target": null
            },
            {
              "id": "Stagecomp",
              "display_name": "Stagecomp",
              "target": null
            },
            {
              "id": "Darkcomp",
              "display_name": "Darkcomp",
              "target": null
            },
            {
              "id": "Phoenix",
              "display_name": "Phoenix",
              "target": null
            },
            {
              "id": "PDQ",
              "display_name": "PDQ",
              "target": null
            },
            {
              "id": "BibiWiper",
              "display_name": "BibiWiper",
              "target": null
            },
            {
              "id": "HTTPSnoop",
              "display_name": "HTTPSnoop",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1110.003",
              "name": "Password Spraying",
              "display_name": "T1110.003 - Password Spraying"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1567.002",
              "name": "Exfiltration to Cloud Storage",
              "display_name": "T1567.002 - Exfiltration to Cloud Storage"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Finance",
            "Defense",
            "Aerospace",
            "Government",
            "Transportation",
            "Technology",
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 11,
            "FileHash-SHA256": 25,
            "domain": 3,
            "hostname": 2
          },
          "indicator_count": 54,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386493,
          "modified_text": "85 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1814b55e1559397600e7f7",
          "name": "EbeeMay2026 Pt5",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-28T10:11:01.506000",
          "created": "2026-05-28T10:11:01.506000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "redacted",
            "ipv62a12",
            "ipv62a03",
            "localappdata",
            "cve20234966 cve",
            "cve20136282 cve",
            "cve20132597 cve"
          ],
          "references": [
            "IOCs-MAY4.csv"
          ],
          "public": 1,
          "adversary": "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 79,
            "URL": 57,
            "CIDR": 3,
            "CVE": 15,
            "FileHash-MD5": 151,
            "FileHash-SHA1": 113,
            "FileHash-SHA256": 164,
            "domain": 137,
            "email": 4,
            "hostname": 47
          },
          "indicator_count": 770,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "2 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a145859610577c7da2af377",
          "name": "Pre-Positioned Access: The Cyber Threat Behind the Iran Conflict",
          "description": "The ongoing conflict between the United States, Israel, and Iran has escalated the cyber threat landscape significantly. This surge in activity, which has extended beyond the immediate conflict zone to regions including North America and Europe, is characterized by active intrusions rather than merely elevated risks. These threats are not from a singular group but rather a network of Iranian-aligned actors sharing infrastructure, tooling, and objectives.",
          "modified": "2026-05-25T14:10:33.495000",
          "created": "2026-05-25T14:10:33.495000",
          "tags": [
            "void manticore",
            "handala",
            "dark scepter",
            "high ip",
            "high domain",
            "domain",
            "c2 medium",
            "dust specter",
            "muddywater",
            "critical domain"
          ],
          "references": [
            "https://www.centripetal.ai/threat-research/pre-positioned-access-cyber-threat-iran-conflict"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Energy",
            "Finance",
            "Aerospace",
            "Healthcare",
            "Telecommunications"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 17,
            "CVE": 1,
            "URL": 1,
            "domain": 25,
            "hostname": 2
          },
          "indicator_count": 46,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "5 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b8f03b3216aa326067f7a0",
          "name": "HANDALA-Iranian Nexus Actor",
          "description": "",
          "modified": "2026-04-18T12:01:34.910000",
          "created": "2026-03-17T06:10:03.844000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filename",
            "filehashsha1"
          ],
          "references": [
            "IOCs.2026.2.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 127,
            "FileHash-SHA1": 92,
            "FileHash-SHA256": 117,
            "URL": 19,
            "domain": 27,
            "hostname": 4
          },
          "indicator_count": 387,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 47,
          "modified_text": "42 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bbb1e7ff6cad955292ee7f",
          "name": "EbeeMar2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-04-18T08:06:12.483000",
          "created": "2026-03-19T08:20:55.172000",
          "tags": [
            "filehashmd5",
            "filehashsha256",
            "filehashsha1",
            "computername",
            "date",
            "time",
            "username",
            "generatedbotid",
            "uwhi6jqzqh7",
            "encoded url"
          ],
          "references": [
            "IOCs.2026.1.csv"
          ],
          "public": 1,
          "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 58,
            "FileHash-MD5": 262,
            "FileHash-SHA1": 197,
            "FileHash-SHA256": 270,
            "CVE": 6,
            "domain": 58,
            "email": 4,
            "hostname": 52
          },
          "indicator_count": 907,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "42 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c2d25f22157c4f01760c98",
          "name": "Threat Intelligence Report: MANGO SANDSTORM Dindoor / Fakeset Campaign",
          "description": "In February 2026, the Iranian cyber espionage group MuddyWater, also known as Mango Sandstorm, executed a targeted intrusion campaign against select organizations in the U.S., Israel, and Canada. The campaign, revealed in March 2026, employed two primary malware tools: Dindoor, a backdoor utilizing the Deno runtime, and Fakeset, a Python-based implant. This operation was marked by the use of legitimate tools and cloud services to ensure persistent access and facilitate data exfiltration, aligning closely with Iranian state interests, notably the Ministry of Intelligence and Security (MOIS).",
          "modified": "2026-03-24T18:05:19.124000",
          "created": "2026-03-24T18:05:19.124000",
          "tags": [
            "muddywater",
            "deno runtime",
            "powershell",
            "march",
            "dindoor",
            "fakeset",
            "rclone",
            "python",
            "analysis",
            "opens",
            "february",
            "mercury",
            "powgoop",
            "powerstats",
            "malware",
            "encrypt",
            "facebook",
            "muddyviper"
          ],
          "references": [
            "https://krypt3ia.wordpress.com/2026/03/20/threat-intelligence-report-mango-sandstorm-indoor-fakeset-activity/"
          ],
          "public": 1,
          "adversary": "MuddyWater",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "MuddyViper",
              "display_name": "MuddyViper",
              "target": null
            },
            {
              "id": "Dindoor",
              "display_name": "Dindoor",
              "target": null
            },
            {
              "id": "MuddyWater",
              "display_name": "MuddyWater",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1567.002",
              "name": "Exfiltration to Cloud Storage",
              "display_name": "T1567.002 - Exfiltration to Cloud Storage"
            }
          ],
          "industries": [
            "Government",
            "Telecommunications",
            "Defense",
            "Energy",
            "Financial",
            "Transportation"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "FileHash-SHA1": 23,
            "FileHash-SHA256": 25,
            "domain": 3
          },
          "indicator_count": 74,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "67 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ae390cbed6e5f95e62c3ff",
          "name": "IOC -  Iranian APT on Networks of U.S. Bank, Airport, Software Company",
          "description": "",
          "modified": "2026-03-09T03:05:48.882000",
          "created": "2026-03-09T03:05:48.882000",
          "tags": [
            "pdq",
            "critical infrastructure",
            "u.s. targets",
            "httpsnoop",
            "fakeset",
            "iranian apt",
            "espionage",
            "dindoor",
            "backdoor",
            "cyberattack",
            "bibiwiper",
            "darkcomp",
            "phoenix",
            "cve-2023-6895",
            "cve-2017-7921",
            "stagecomp",
            "ddos",
            "data exfiltration",
            "apt",
            "geopolitical conflict"
          ],
          "references": [
            "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us"
          ],
          "public": 1,
          "adversary": "Seedworm",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Israel"
          ],
          "malware_families": [
            {
              "id": "Dindoor",
              "display_name": "Dindoor",
              "target": null
            },
            {
              "id": "Fakeset",
              "display_name": "Fakeset",
              "target": null
            },
            {
              "id": "Stagecomp",
              "display_name": "Stagecomp",
              "target": null
            },
            {
              "id": "Darkcomp",
              "display_name": "Darkcomp",
              "target": null
            },
            {
              "id": "Phoenix",
              "display_name": "Phoenix",
              "target": null
            },
            {
              "id": "PDQ",
              "display_name": "PDQ",
              "target": null
            },
            {
              "id": "BibiWiper",
              "display_name": "BibiWiper",
              "target": null
            },
            {
              "id": "HTTPSnoop",
              "display_name": "HTTPSnoop",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1110.003",
              "name": "Password Spraying",
              "display_name": "T1110.003 - Password Spraying"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1567.002",
              "name": "Exfiltration to Cloud Storage",
              "display_name": "T1567.002 - Exfiltration to Cloud Storage"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Finance",
            "Defense",
            "Aerospace",
            "Government",
            "Transportation",
            "Technology",
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": "69a9e3eea1d0b6fa8bf0f06d",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 11,
            "FileHash-SHA256": 25,
            "domain": 3,
            "hostname": 2
          },
          "indicator_count": 54,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "83 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69acdc8678f67a8a346af16e",
          "name": "Iranian APT on Networks of U.S. Bank, Airport, Software Company",
          "description": "",
          "modified": "2026-03-08T02:18:46.686000",
          "created": "2026-03-08T02:18:46.686000",
          "tags": [
            "pdq",
            "critical infrastructure",
            "u.s. targets",
            "httpsnoop",
            "fakeset",
            "iranian apt",
            "espionage",
            "dindoor",
            "backdoor",
            "cyberattack",
            "bibiwiper",
            "darkcomp",
            "phoenix",
            "cve-2023-6895",
            "cve-2017-7921",
            "stagecomp",
            "ddos",
            "data exfiltration",
            "apt",
            "geopolitical conflict"
          ],
          "references": [
            "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us"
          ],
          "public": 1,
          "adversary": "Seedworm",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Israel"
          ],
          "malware_families": [
            {
              "id": "Dindoor",
              "display_name": "Dindoor",
              "target": null
            },
            {
              "id": "Fakeset",
              "display_name": "Fakeset",
              "target": null
            },
            {
              "id": "Stagecomp",
              "display_name": "Stagecomp",
              "target": null
            },
            {
              "id": "Darkcomp",
              "display_name": "Darkcomp",
              "target": null
            },
            {
              "id": "Phoenix",
              "display_name": "Phoenix",
              "target": null
            },
            {
              "id": "PDQ",
              "display_name": "PDQ",
              "target": null
            },
            {
              "id": "BibiWiper",
              "display_name": "BibiWiper",
              "target": null
            },
            {
              "id": "HTTPSnoop",
              "display_name": "HTTPSnoop",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1110.003",
              "name": "Password Spraying",
              "display_name": "T1110.003 - Password Spraying"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1567.002",
              "name": "Exfiltration to Cloud Storage",
              "display_name": "T1567.002 - Exfiltration to Cloud Storage"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Finance",
            "Defense",
            "Aerospace",
            "Government",
            "Transportation",
            "Technology",
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": "69a9e3eea1d0b6fa8bf0f06d",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 11,
            "FileHash-SHA256": 25,
            "domain": 3,
            "hostname": 2
          },
          "indicator_count": 54,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "84 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ac66128f7d265e2d1d986f",
          "name": "Seedworm Targets Critical Sectors Using Latest Backdoors",
          "description": "Seedworm compromises systems in critical sectors including airports and governments. The threat actor was observed to use state-of-the-art backdoors named Dindoor and Fakeset that were signed with valid certificates.",
          "modified": "2026-03-07T17:53:22.170000",
          "created": "2026-03-07T17:53:22.170000",
          "tags": [
            "ctia type",
            "date",
            "march",
            "time",
            "https"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "FileHash-SHA1": 23,
            "FileHash-SHA256": 25,
            "domain": 3
          },
          "indicator_count": 74,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "84 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IOCs.2026.2.csv",
        "IOCs.2026.1.csv",
        "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us",
        "https://krypt3ia.wordpress.com/2026/03/20/threat-intelligence-report-mango-sandstorm-indoor-fakeset-activity/",
        "IOCs-MAY4.csv",
        "https://www.centripetal.ai/threat-research/pre-positioned-access-cyber-threat-iran-conflict"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "MuddyWater"
          ],
          "malware_families": [
            "Stagecomp",
            "Fakeset",
            "Bibiwiper",
            "Dindoor",
            "Httpsnoop",
            "Pdq",
            "Darkcomp",
            "Phoenix"
          ],
          "industries": [
            "Technology",
            "Transportation",
            "Defense",
            "Finance",
            "Government",
            "Aerospace",
            "Energy"
          ]
        },
        "other": {
          "adversary": [
            "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab",
            "Seedworm",
            "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT",
            "MuddyWater"
          ],
          "malware_families": [
            "Stagecomp",
            "Fakeset",
            "Bibiwiper",
            "Dindoor",
            "Muddywater",
            "Httpsnoop",
            "Pdq",
            "Muddyviper",
            "Darkcomp",
            "Phoenix"
          ],
          "industries": [
            "Technology",
            "Healthcare",
            "Financial",
            "Transportation",
            "Finance",
            "Defense",
            "Government",
            "Telecommunications",
            "Aerospace",
            "Energy"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "69a9e3eea1d0b6fa8bf0f06d",
      "name": "Iranian APT on Networks of U.S. Bank, Airport, Software Company",
      "description": "Iranian APT group Seedworm has been active on networks of multiple U.S. companies since February 2026, targeting a bank, airport, software company, and NGOs. The group deployed new backdoors named Dindoor and Fakeset, signed with certificates previously linked to Seedworm. The activity occurs amid escalating tensions between the U.S., Israel, and Iran. Seedworm, known for espionage and information gathering, has broadened its scope to target various sectors globally. The article discusses recent Iranian cyber activities and potential future threats, and provides recommendations for defenders to prepare against DDoS, credential attacks, leaks, critical infrastructure attacks, and destructive operations.",
      "modified": "2026-03-06T11:28:56.048000",
      "created": "2026-03-05T20:13:34.917000",
      "tags": [
        "pdq",
        "critical infrastructure",
        "u.s. targets",
        "httpsnoop",
        "fakeset",
        "iranian apt",
        "espionage",
        "dindoor",
        "backdoor",
        "cyberattack",
        "bibiwiper",
        "darkcomp",
        "phoenix",
        "cve-2023-6895",
        "cve-2017-7921",
        "stagecomp",
        "ddos",
        "data exfiltration",
        "apt",
        "geopolitical conflict"
      ],
      "references": [
        "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us"
      ],
      "public": 1,
      "adversary": "MuddyWater",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Israel"
      ],
      "malware_families": [
        {
          "id": "Dindoor",
          "display_name": "Dindoor",
          "target": null
        },
        {
          "id": "Fakeset",
          "display_name": "Fakeset",
          "target": null
        },
        {
          "id": "Stagecomp",
          "display_name": "Stagecomp",
          "target": null
        },
        {
          "id": "Darkcomp",
          "display_name": "Darkcomp",
          "target": null
        },
        {
          "id": "Phoenix",
          "display_name": "Phoenix",
          "target": null
        },
        {
          "id": "PDQ",
          "display_name": "PDQ",
          "target": null
        },
        {
          "id": "BibiWiper",
          "display_name": "BibiWiper",
          "target": null
        },
        {
          "id": "HTTPSnoop",
          "display_name": "HTTPSnoop",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1110.003",
          "name": "Password Spraying",
          "display_name": "T1110.003 - Password Spraying"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1567.002",
          "name": "Exfiltration to Cloud Storage",
          "display_name": "T1567.002 - Exfiltration to Cloud Storage"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Finance",
        "Defense",
        "Aerospace",
        "Government",
        "Transportation",
        "Technology",
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 33,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 11,
        "FileHash-SHA256": 25,
        "domain": 3,
        "hostname": 2
      },
      "indicator_count": 54,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386493,
      "modified_text": "85 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a1814b55e1559397600e7f7",
      "name": "EbeeMay2026 Pt5",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-28T10:11:01.506000",
      "created": "2026-05-28T10:11:01.506000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "redacted",
        "ipv62a12",
        "ipv62a03",
        "localappdata",
        "cve20234966 cve",
        "cve20136282 cve",
        "cve20132597 cve"
      ],
      "references": [
        "IOCs-MAY4.csv"
      ],
      "public": 1,
      "adversary": "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 79,
        "URL": 57,
        "CIDR": 3,
        "CVE": 15,
        "FileHash-MD5": 151,
        "FileHash-SHA1": 113,
        "FileHash-SHA256": 164,
        "domain": 137,
        "email": 4,
        "hostname": 47
      },
      "indicator_count": 770,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "2 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a145859610577c7da2af377",
      "name": "Pre-Positioned Access: The Cyber Threat Behind the Iran Conflict",
      "description": "The ongoing conflict between the United States, Israel, and Iran has escalated the cyber threat landscape significantly. This surge in activity, which has extended beyond the immediate conflict zone to regions including North America and Europe, is characterized by active intrusions rather than merely elevated risks. These threats do not come from a single group but from a network of Iranian-aligned actors sharing infrastructure, tooling, and objectives.",
      "modified": "2026-05-25T14:10:33.495000",
      "created": "2026-05-25T14:10:33.495000",
      "tags": [
        "void manticore",
        "handala",
        "dark scepter",
        "high ip",
        "high domain",
        "domain",
        "c2 medium",
        "dust specter",
        "muddywater",
        "critical domain"
      ],
      "references": [
        "https://www.centripetal.ai/threat-research/pre-positioned-access-cyber-threat-iran-conflict"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Energy",
        "Finance",
        "Aerospace",
        "Healthcare",
        "Telecommunications"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 17,
        "CVE": 1,
        "URL": 1,
        "domain": 25,
        "hostname": 2
      },
      "indicator_count": 46,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "5 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b8f03b3216aa326067f7a0",
      "name": "HANDALA-Iranian Nexus Actor",
      "description": "",
      "modified": "2026-04-18T12:01:34.910000",
      "created": "2026-03-17T06:10:03.844000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filename",
        "filehashsha1"
      ],
      "references": [
        "IOCs.2026.2.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 127,
        "FileHash-SHA1": 92,
        "FileHash-SHA256": 117,
        "URL": 19,
        "domain": 27,
        "hostname": 4
      },
      "indicator_count": 387,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 47,
      "modified_text": "42 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bbb1e7ff6cad955292ee7f",
      "name": "EbeeMar2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-04-18T08:06:12.483000",
      "created": "2026-03-19T08:20:55.172000",
      "tags": [
        "filehashmd5",
        "filehashsha256",
        "filehashsha1",
        "computername",
        "date",
        "time",
        "username",
        "generatedbotid",
        "uwhi6jqzqh7",
        "encoded url"
      ],
      "references": [
        "IOCs.2026.1.csv"
      ],
      "public": 1,
      "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 58,
        "FileHash-MD5": 262,
        "FileHash-SHA1": 197,
        "FileHash-SHA256": 270,
        "CVE": 6,
        "domain": 58,
        "email": 4,
        "hostname": 52
      },
      "indicator_count": 907,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "42 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c2d25f22157c4f01760c98",
      "name": "Threat Intelligence Report: MANGO SANDSTORM Dindoor / Fakeset Campaign",
      "description": "In February 2026, the Iranian cyber espionage group MuddyWater, also known as Mango Sandstorm, executed a targeted intrusion campaign against select organizations in the U.S., Israel, and Canada. The campaign, revealed in March 2026, employed two primary malware tools: Dindoor, a backdoor utilizing the Deno runtime, and Fakeset, a Python-based implant. This operation was marked by the use of legitimate tools and cloud services to ensure persistent access and facilitate data exfiltration, aligning closely with Iranian state interests, notably the Ministry of Intelligence and Security (MOIS).",
      "modified": "2026-03-24T18:05:19.124000",
      "created": "2026-03-24T18:05:19.124000",
      "tags": [
        "muddywater",
        "deno runtime",
        "powershell",
        "march",
        "dindoor",
        "fakeset",
        "rclone",
        "python",
        "analysis",
        "opens",
        "february",
        "mercury",
        "powgoop",
        "powerstats",
        "malware",
        "encrypt",
        "facebook",
        "muddyviper"
      ],
      "references": [
        "https://krypt3ia.wordpress.com/2026/03/20/threat-intelligence-report-mango-sandstorm-indoor-fakeset-activity/"
      ],
      "public": 1,
      "adversary": "MuddyWater",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "MuddyViper",
          "display_name": "MuddyViper",
          "target": null
        },
        {
          "id": "Dindoor",
          "display_name": "Dindoor",
          "target": null
        },
        {
          "id": "MuddyWater",
          "display_name": "MuddyWater",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1567.002",
          "name": "Exfiltration to Cloud Storage",
          "display_name": "T1567.002 - Exfiltration to Cloud Storage"
        }
      ],
      "industries": [
        "Government",
        "Telecommunications",
        "Defense",
        "Energy",
        "Financial",
        "Transportation"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "FileHash-SHA1": 23,
        "FileHash-SHA256": 25,
        "domain": 3
      },
      "indicator_count": 74,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "67 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ae390cbed6e5f95e62c3ff",
      "name": "IOC -  Iranian APT on Networks of U.S. Bank, Airport, Software Company",
      "description": "",
      "modified": "2026-03-09T03:05:48.882000",
      "created": "2026-03-09T03:05:48.882000",
      "tags": [
        "pdq",
        "critical infrastructure",
        "u.s. targets",
        "httpsnoop",
        "fakeset",
        "iranian apt",
        "espionage",
        "dindoor",
        "backdoor",
        "cyberattack",
        "bibiwiper",
        "darkcomp",
        "phoenix",
        "cve-2023-6895",
        "cve-2017-7921",
        "stagecomp",
        "ddos",
        "data exfiltration",
        "apt",
        "geopolitical conflict"
      ],
      "references": [
        "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us"
      ],
      "public": 1,
      "adversary": "Seedworm",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Israel"
      ],
      "malware_families": [
        {
          "id": "Dindoor",
          "display_name": "Dindoor",
          "target": null
        },
        {
          "id": "Fakeset",
          "display_name": "Fakeset",
          "target": null
        },
        {
          "id": "Stagecomp",
          "display_name": "Stagecomp",
          "target": null
        },
        {
          "id": "Darkcomp",
          "display_name": "Darkcomp",
          "target": null
        },
        {
          "id": "Phoenix",
          "display_name": "Phoenix",
          "target": null
        },
        {
          "id": "PDQ",
          "display_name": "PDQ",
          "target": null
        },
        {
          "id": "BibiWiper",
          "display_name": "BibiWiper",
          "target": null
        },
        {
          "id": "HTTPSnoop",
          "display_name": "HTTPSnoop",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1110.003",
          "name": "Password Spraying",
          "display_name": "T1110.003 - Password Spraying"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1567.002",
          "name": "Exfiltration to Cloud Storage",
          "display_name": "T1567.002 - Exfiltration to Cloud Storage"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Finance",
        "Defense",
        "Aerospace",
        "Government",
        "Transportation",
        "Technology",
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": "69a9e3eea1d0b6fa8bf0f06d",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 11,
        "FileHash-SHA256": 25,
        "domain": 3,
        "hostname": 2
      },
      "indicator_count": 54,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "83 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69acdc8678f67a8a346af16e",
      "name": "Iranian APT on Networks of U.S. Bank, Airport, Software Company",
      "description": "",
      "modified": "2026-03-08T02:18:46.686000",
      "created": "2026-03-08T02:18:46.686000",
      "tags": [
        "pdq",
        "critical infrastructure",
        "u.s. targets",
        "httpsnoop",
        "fakeset",
        "iranian apt",
        "espionage",
        "dindoor",
        "backdoor",
        "cyberattack",
        "bibiwiper",
        "darkcomp",
        "phoenix",
        "cve-2023-6895",
        "cve-2017-7921",
        "stagecomp",
        "ddos",
        "data exfiltration",
        "apt",
        "geopolitical conflict"
      ],
      "references": [
        "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us"
      ],
      "public": 1,
      "adversary": "Seedworm",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Israel"
      ],
      "malware_families": [
        {
          "id": "Dindoor",
          "display_name": "Dindoor",
          "target": null
        },
        {
          "id": "Fakeset",
          "display_name": "Fakeset",
          "target": null
        },
        {
          "id": "Stagecomp",
          "display_name": "Stagecomp",
          "target": null
        },
        {
          "id": "Darkcomp",
          "display_name": "Darkcomp",
          "target": null
        },
        {
          "id": "Phoenix",
          "display_name": "Phoenix",
          "target": null
        },
        {
          "id": "PDQ",
          "display_name": "PDQ",
          "target": null
        },
        {
          "id": "BibiWiper",
          "display_name": "BibiWiper",
          "target": null
        },
        {
          "id": "HTTPSnoop",
          "display_name": "HTTPSnoop",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1110.003",
          "name": "Password Spraying",
          "display_name": "T1110.003 - Password Spraying"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1567.002",
          "name": "Exfiltration to Cloud Storage",
          "display_name": "T1567.002 - Exfiltration to Cloud Storage"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Finance",
        "Defense",
        "Aerospace",
        "Government",
        "Transportation",
        "Technology",
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": "69a9e3eea1d0b6fa8bf0f06d",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 11,
        "FileHash-SHA256": 25,
        "domain": 3,
        "hostname": 2
      },
      "indicator_count": 54,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "84 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ac66128f7d265e2d1d986f",
      "name": "Seedworm Targets Critical Sectors Using Latest Backdoors",
      "description": "Seedworm compromises systems in critical sectors including airports and governments. The threat actor was observed using state-of-the-art backdoors named Dindoor and Fakeset that were signed with valid code-signing certificates.",
      "modified": "2026-03-07T17:53:22.170000",
      "created": "2026-03-07T17:53:22.170000",
      "tags": [
        "ctia type",
        "date",
        "march",
        "time",
        "https"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "FileHash-SHA1": 23,
        "FileHash-SHA256": 25,
        "domain": 3
      },
      "indicator_count": 74,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 501,
      "modified_text": "84 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "uppdatefile.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "uppdatefile.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780212933.632295
}