A different try to analyze and simplify threat intelligence
Threats Feed
We are excited to announce that the preliminary editions of Threats Feed and Actors Insights are now accessible to the public. Our efforts are focused on incorporating additional practical features and beneficial resources with the intention of nurturing an informed community. Stay connected for further updates.
UNC1860 Targets Middle Eastern Networks with Specialized Tooling
UNC1860, an Iranian state-sponsored group likely affiliated with the Ministry of Intelligence and Security (MOIS), targets government and telecommunications sectors in the Middle East, particularly in Saudi Arabia, Qatar, and Israel. The group acts as an initial access provider, exploiting vulnerabilities in internet-facing servers and deploying web shells like STAYSHANTE. Custom tools, such as TEMPLEPLAY and VIROGREEN, allow for remote access and further exploitation. UNC1860's operations are characterised by passive backdoors, credential validation, and stealthy malware that facilitates long-term persistence and hand-off to other threat actors. It's likely that the group has supported disruptive campaigns in the region.
read more about UNC1860 Targets Middle Eastern Networks with Specialized ToolingVeaty and Spearal Malware Used in Targeted Iraqi Government Attacks
Check Point Research has discovered new malware, Veaty and Spearal, used in Iran-linked cyber attacks against Iraqi government infrastructure. The malware uses techniques such as passive IIS backdoors, DNS tunneling, and compromised email accounts for C2 communications. The attackers also used social engineering tactics and double-extension files to trigger infections. Spearal communicates via DNS queries, while Veaty uses compromised email accounts within the gov-iq.net domain. The campaign targets Iraqi government agencies with ties to the APT34 group, demonstrating a sophisticated and persistent threat to Iraqi infrastructure.
read more about Veaty and Spearal Malware Used in Targeted Iraqi Government AttacksIRGC-Linked Campaign Uses Fake Recruitment to Target Farsi Speakers Worldwide
Mandiant has uncovered an Iranian counterintelligence operation aimed at gathering data on Iranians and domestic threats potentially collaborating with foreign intelligence agencies, particularly in Israel. The operation involved fake recruitment websites, disseminated via social media, that lured Farsi-speaking individuals into providing personal and professional details. This data is likely used to identify and persecute Iranian dissidents, activists, and human rights advocates. The campaign, linked to Iran’s IRGC and APT42, operated from 2017 to 2024 and extends beyond Iran to target individuals connected to Syria and Hezbollah.
read more about IRGC-Linked Campaign Uses Fake Recruitment to Target Farsi Speakers WorldwideIran-Based Hackers Target U.S. Sectors, Collaborate with Ransomware Affiliates
Iran-based cyber actors linked to the Iranian government are exploiting organisations across multiple sectors in the US, including education, finance, healthcare, defence, and local government, as well as targets in Israel, Azerbaijan, and the UAE. Since 2017, these actors have focused on gaining and monetising network access, working with ransomware affiliates such as NoEscape, Ransomhouse, and ALPHV (BlackCat). They exploit vulnerabilities in internet-facing services such as Check Point, Palo Alto Networks and Citrix. They also use tools such as AnyDesk, PowerShell, Ligolo and NGROK for persistence and command and control.
read more about Iran-Based Hackers Target U.S. Sectors, Collaborate with Ransomware Affiliates