Threats Feed|Peach Sandstorm|Last Updated 25/07/2024|AuthorCertfa Radar|Publish Date14/09/2023

Peach Sandstorm’s Multi-Faceted Attacks on Satellite, Defense, and Pharma Sectors

  • Actor Motivations: Espionage,Exfiltration
  • Attack Vectors: Brute-force,Compromised Credentials,Vulnerability Exploitation
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

Peach Sandstorm, an Iranian threat actor, has conducted password spray attacks since February 2023 against global organizations, notably in the satellite, defense, and pharmaceutical sectors. These attacks originated from TOR IPs and employed a mix of public and custom tools like AzureHound and Roadtools for reconnaissance. Once inside the network, the group established persistence through mechanisms like Azure subscriptions and Azure Arc. They also attempted to exploit vulnerabilities in Zoho ManageEngine and Confluence. Some instances involved data exfiltration and lateral movement using techniques like Golden SAML and remote desktop protocol (RDP).

Detected Targets


Extracted IOCs

  • 102[.]129.215.40
  • 108[.]62.118.240
  • 192[.]52.166.76
  • 76[.]8.60.64

Tip: 4 related IOCs (4 IP, 0 domain, 0 URL, 0 email, 0 file hash) to this threat have been found.

About Affiliation
Peach Sandstorm