{ "Event": { "analysis": "1", "date": "2026-03-04", "extends_uuid": "", "info": "[Threat Intel] Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation", "protected": false, "publish_timestamp": "1773274378", "published": true, "threat_level_id": "2", "timestamp": "1773274378", "uuid": "ee49cbdd-26cb-4766-abae-1b35944a2271", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#cf6788", "local": false, "name": "misp-galaxy:producer=\"Hunt.io\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#3d38fc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Acquire Infrastructure - T1583\"", "relationship_type": "" }, { "colour": "#fb3bcd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\"", "relationship_type": "" }, { "colour": "#7773ac", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#ff841f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"", "relationship_type": "" }, { "colour": "#9feaf0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "relationship_type": "" }, { "colour": "#65d24c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Identity Information - T1589\"", "relationship_type": "" }, { "colour": "#9f6bd9", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"", "relationship_type": "" }, { "colour": "#bf6f24", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic Resolution - T1568\"", "relationship_type": "" }, { "colour": "#454726", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"", "relationship_type": "" }, { "colour": "#9e0269", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#c9dbdd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Stage Capabilities - T1608\"", "relationship_type": "" }, { "colour": "#18349e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"One-Way Communication - T1102.003\"", "relationship_type": "" }, { "colour": "#2da3e8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Network Information - T1590\"", "relationship_type": "" }, { "colour": "#1b95cd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"", "relationship_type": "" }, { "colour": "#cc5e96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#07a4a1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#b8ab01", "local": false, "name": "misp-galaxy:target-information=\"United States\"", "relationship_type": "" }, { "colour": "#20a667", "local": false, "name": "misp-galaxy:target-information=\"Iran\"", "relationship_type": "" }, { "colour": "#26fab6", "local": false, "name": "misp-galaxy:target-information=\"Israel\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120046", "local": false, "name": "rectifyq:sub-category=\"infra-profile\"", "relationship_type": "" }, { "colour": "#1c006d", "local": false, "name": "rectifyq:topic=\"geopolitical\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"APT\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"MuddyWater\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772708441", "to_ids": false, "type": "link", "uuid": "da9c4a9a-b4d2-4ffb-85ba-b0d958d1b02c", "value": "https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1772708441", "to_ids": false, "type": "text", "uuid": "97eccfd6-a8e6-42d8-8986-d88f90358446", "value": "The analysis examines Iranian state-aligned threat actors and their infrastructure patterns during heightened geopolitical tensions. It focuses on mapping network infrastructure, ASN patterns, TLS fingerprints, and hosting clusters associated with various Iranian APT groups. The report highlights the importance of proactive infrastructure monitoring to detect and disrupt potential cyber operations. Key findings include the identification of previously unreported hosts, domains, and servers linked to Iranian operations, as well as insights into the tactics used by groups like MuddyWater and Dark Scepter. The article emphasizes the value of infrastructure intelligence in early threat detection and provides recommendations for organizations to monitor and defend against these threats." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1772708441", "to_ids": false, "type": "text", "uuid": "9e903269-e7cb-4b30-9dd0-e2b2fdd8f7cb", "value": "Name: Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation\nAuthor: AlienVault\nAdversary: MuddyWater\nTags: [\"proactive defense\", \"geopolitical tensions\", \"tls fingerprinting\", \"tonnerre\", \"infrastructure analysis\", \"cyberattacks\", \"iranian apt\", \"sliver\", \"foudre\", \"threat intelligence\", \"fmapp.exe\", \"tsundere\", \"asn patterns\", \"tamecat\"]\nTgtd countries: [\"United States of America\", \"Iran, Islamic Republic of\", \"Israel\"]\nMlwr families: [\"FMAPP.exe\", \"TameCat\", \"Foudre\", \"Tonnerre\", \"Sliver\", \"Tsundere\"]\nAttack_ids: [\"T1583\", \"T1592\", \"T1133\", \"T1082\", \"T1071\", \"T1190\", \"T1589\", \"T1016\", \"T1568\", \"T1584\", \"T1102\", \"T1608\", \"T1102.003\", \"T1590\", \"T1566\", \"T1001\", \"T1573\", \"T1132\", \"T1105\"]\nIndustries: [\"Government\", \"Defense\", \"Energy\", \"Financial Services\", \"Education\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1772708441", "to_ids": false, "type": "threat-actor", "uuid": "7a57335a-ff27-4476-9470-851c7fbc7592", "value": "MuddyWater" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773273927", "to_ids": true, "type": "ip-dst", "uuid": "6d7d0e83-3b7f-457a-929b-60d4a7d9507b", "value": "157.20.182.49", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773273948", "to_ids": true, "type": "ip-dst", "uuid": "be7cb660-7deb-4a00-af93-5fcae6e8dbe9", "value": "185.236.25.119", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773273969", "to_ids": true, "type": "ip-dst", "uuid": "5c4c1e7f-3bc4-4df5-b3aa-620e4ce7ba86", "value": "209.74.87.100", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773273990", "to_ids": true, "type": "ip-dst", "uuid": "bef5737d-9022-4ded-9fdc-1d29eefe5bc9", "value": "92.243.65.243", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274012", "to_ids": true, "type": "domain", "uuid": "c48fe5cf-48bc-4ac9-ac65-233315c0082f", "value": "anythingshere.shop", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274033", "to_ids": true, "type": "domain", "uuid": "70f73595-2f3d-43d5-b59d-cfe4721cadeb", "value": "cside.site", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274054", "to_ids": true, "type": "domain", "uuid": "022c260c-5282-4b5f-acb7-f89bbbe038b0", "value": "footballfans.asia", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274076", "to_ids": true, "type": "domain", "uuid": "8f1e6b60-ecf3-4a47-b228-229f64dd4af5", "value": "girlsbags.shop", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274097", "to_ids": true, "type": "domain", "uuid": "ef7cd185-1eb9-49bc-a877-de70880c148c", "value": "justweb.click", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274119", "to_ids": true, "type": "domain", "uuid": "a9c89eb7-cfe3-4d7e-ba56-2c9269372bb6", "value": "lecturegenieltd.pro", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274140", "to_ids": true, "type": "domain", "uuid": "95017dba-1cbc-4ec6-9d1f-1549ee415af4", "value": "menclub.it", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274161", "to_ids": true, "type": "domain", "uuid": "1f8cc50d-e828-40fd-816b-68c05c96c07c", "value": "musiclivetrack.website", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274182", "to_ids": true, "type": "domain", "uuid": "e2277a88-0c11-49b7-aee2-4e911b98702c", "value": "ntcx.pro", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274203", "to_ids": true, "type": "domain", "uuid": "92b11662-dc2a-46f5-bf13-f79b04433789", "value": "retseptik.info", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274224", "to_ids": true, "type": "domain", "uuid": "621e4ab8-2f05-4516-a4c0-7ebde9b1101c", "value": "stone110.store", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274246", "to_ids": true, "type": "domain", "uuid": "ac510438-cc0d-4ac1-859e-bfcbd332f92e", "value": "web14.info", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274267", "to_ids": true, "type": "ip-dst", "uuid": "c3f9e7d4-e9e2-4cc8-b07b-d25f9730538c", "value": "38.180.239.161", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274288", "to_ids": true, "type": "ip-dst", "uuid": "daf5e112-4a43-4305-8d7f-c241cab9aa7b", "value": "185.76.79.125", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773274310", "to_ids": true, "type": "domain", "uuid": "92677c27-9a98-4ee7-b55c-4f71e1053ba0", "value": "menclub.lt", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1773274331", "uuid": "c64eebe9-e512-4b64-949e-5651a12b8f3f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1773274331", "to_ids": true, "type": "md5", "uuid": "a3178450-4f18-4601-9e76-891000001a8a", "value": "2533307ec1ef8b0611c8896e1460b076", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1772825052", "to_ids": true, "type": "sha1", "uuid": "bdc89799-a48b-4a1b-9215-5a452c78888d", "value": "324918c73b985875d5f974da3471f2a0a4874687", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1772825052", "to_ids": true, "type": "sha256", "uuid": "64daa068-87df-4b48-85bc-e19d0a4aeadd", "value": "e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1772824529", "to_ids": true, "type": "ssdeep", "uuid": "552063ea-f913-495d-8adb-e26990222164", "value": "3072:DvxBhQz1y9Tiy4HzMLPdHZq0L2yKhrADqGVU6:Dbhy+TEILPdHZf2NUU6" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1772824529", "to_ids": false, "type": "size-in-bytes", "uuid": "dd707fc6-1861-4fe1-8c8c-c4563d99a11f", "value": "150080" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1772824529", "to_ids": true, "type": "vhash", "uuid": "ff53e276-8739-4c10-8e7d-b0c84ad4c84f", "value": "015066651d1555151038z527z4cz12fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1772824529", "to_ids": true, "type": "filename", "uuid": "444005b8-5616-45b5-aef4-f1279c84946e", "value": "FMAPP.EXE" }, { "category": "Other", "comment": "Checked: 07/03/2026\nLast-scan\t: 07/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1772824529", "to_ids": false, "type": "text", "uuid": "30d6e1ec-32ca-4ebd-9169-d6db68fe203f", "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2016-06-08T09:50:10.000000+00:00\nLast Submission:2026-03-06T15:16:58.000000+00:00" } ] } ] } }