Latest Update: 02/06/2025

Threats Feed

  1. Public

    APT34’s Webmask Project: DNS Hijacking and Targeted Cyber Attacks

    APT34 has been leveraging DNS tunneling for command and control since May 2016. The leaked source code, revealed via a Telegram channel, includes projects such as webmask, which focus primarily on DNS hijacking and redirection attacks. The attacks target sectors such as technology firms, telecom companies, and gaming companies across the Middle East and Asia, with a particular focus on the UAE. The setup uses Node.js and Python for the DNS servers, an ICAP proxy server to intercept and modify connections, and HAProxy for high availability.

  2. Public

    APT34 Leak Exposes Espionage Tools and Tactics of Iranian Cyber Actors

    The APT34/OilRig group, linked to Iranian intelligence, had its operational details leaked by the "Lab Dookhtegan" group on Telegram. The leaks revealed C2 infrastructure, PowerShell-based agents, ASP web shells ("HighShell" and "HyperShell"), and a DNS-based espionage toolset ("dnspionage"). These tools facilitate file transfer, credential theft, and covert communication via proxies and DNS manipulation. The attackers also collected sensitive data, including domain admin credentials, indicating that high-value networks were among the targets. While specific sectors or countries are not detailed, the tools suggest a focus on espionage and disruption. Other tools, such as 'MinionProject' and 'FoxPanel222', remain under analysis.

  3. Public

    Adapting and Evolving: A Look at the OilRig's QUADAGENT-Driven Attacks

    The OilRig group continued its espionage activities, primarily within the Middle East. Between May and June 2018, it carried out multiple attacks using compromised accounts from a Middle Eastern government agency, targeting a technology services provider and another government entity. The group leveraged a PowerShell backdoor called QUADAGENT and employed spear-phishing, obfuscation using the Invoke-Obfuscation toolkit, and PE files to achieve its objectives. It also used stolen credentials and decoy dialog boxes to reduce suspicion and evade detection.
