Potential Cyber Targets Revealed in Greenbug's Domain Registrations: Israeli and Saudi Firms in Focus
- Actor Motivations: Undetected
- Attack Vectors: Malware, Phishing
- Attack Complexity: Unknown
- Threat Risk: Low Impact/Low Probability
Threat Overview
The Iranian threat actor Greenbug registered domains resembling the names of Israeli high-tech and cybersecurity companies and of a Saudi Arabian electrical equipment firm. A sample of the ISMdoor malware was submitted from Iraq on October 15, 2017, indicating ongoing activity by the actor. Despite these registrations, there is no evidence of direct targeting of, or impact on, these companies. Sectors potentially of interest to the actor include high-tech, cybersecurity, online advertising, airport security systems, web development, behavioral biometrics, artificial intelligence, data security, and autonomous driving.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | Arbe Robotics: an Israeli company developing autonomous driving technology. Arbe Robotics has been targeted by Greenbug for unknown purposes. | Verified |
| Case | Biocatch: an Israeli company developing behavioral biometrics technology for fraud prevention and detection. Biocatch has been targeted by Greenbug for unknown purposes. | Verified |
| Case | Cortica: an Israeli company developing artificial intelligence technology. Cortica has been targeted by Greenbug for unknown purposes. | Verified |
| Case | Covertix: an Israeli data security company. Covertix has been targeted by Greenbug for unknown purposes. | Verified |
| Case | Outbrain: a major Israeli online advertising company. Outbrain has been targeted by Greenbug for unknown purposes. | Verified |
| Case | SecureLogic: likely an Israeli marketer of airport security systems. SecureLogic has been targeted by Greenbug for unknown purposes. | Verified |
| Case | ThetaRay: an Israeli cybersecurity and big data analytics company. ThetaRay has been targeted by Greenbug for unknown purposes. | Verified |
| Case | Wix: a major Israeli cloud-based web development platform. Wix has been targeted by Greenbug for unknown purposes. | Verified |
| Case | YMAAZE: a Saudi Arabian company performing testing and commissioning of major electrical equipment. YMAAZE has been targeted by Greenbug for unknown purposes. | Verified |
| Sector | High-Tech | Medium |
| Sector | Information Technology | Medium |
| Region | Israel: no explicit information in the report indicates that specific countries were targeted by the attack. However, the domains registered by the threat actor resemble those of Israeli and Saudi Arabian companies, which could imply an interest in these regions, though the given information does not confirm actual targeting. | Medium |
| Region | Saudi Arabia | Medium |
Extracted IOCs
Tip: 34 IOCs related to this threat have been found (6 IP addresses, 22 domains, 0 URLs, 0 email addresses, 6 file hashes).
FAQs
Iranian Threat Actor Spoofs Israeli Cyber Firms
An Iranian threat group, Greenbug, registered several deceptive domains resembling those of Israeli tech and cybersecurity companies, potentially for use in cyberattacks.
The activity is attributed to Greenbug, a known Iranian threat actor previously linked to cyber espionage campaigns.
While no attacks were confirmed, the infrastructure indicates a likely intent to deceive targets through impersonation, potentially to deploy malware or gather sensitive data.
The spoofed domains suggest a focus on cybersecurity, online advertising, AI, and web development firms, mainly Israeli, with one Saudi company included.
The group registered lookalike domains and used some of them for malware command and control, a common method for managing compromised systems.
Cybersecurity and high-tech companies often hold valuable intellectual property or customer data, making them attractive to nation-state actors.
Potentially affected companies should monitor for lookalike domains, block malicious ones, educate employees about phishing, and inspect their networks for suspicious traffic or malware traces.
This appears to be a targeted campaign aimed at a specific set of companies, likely based on geopolitical interests.
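One way to act on the "monitor for lookalike domains" advice above, as an added example that is not part of the report: a Python classifier that flags newly observed domains matching the impersonation patterns the report describes (a brand fused with a security/updater token, a misspelled brand, or a repeated brand). The brand watchlist is taken from the target table; the suffix tokens, distance thresholds and the candidate domains are constructed assumptions, not the report's indicators.

```python
from typing import Iterable, Optional, Tuple

# Brands from the report's target table (lowercase, spaces removed).
WATCHLIST = ("arbe", "biocatch", "cortica", "covertix", "outbrain",
             "securelogic", "thetaray", "wix")
# Assumed IT-sounding tokens that lookalike domains fuse onto a brand name.
SUFFIX_TOKENS = ("security", "secupdater", "securityupdate", "updater", "update", "sec")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Second-level label of a (possibly defanged) domain. Assumes a single-label
    public suffix; a real deployment should consult the Public Suffix List."""
    parts = domain.lower().replace("[.]", ".").strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, watchlist: Iterable[str] = WATCHLIST) -> Optional[Tuple[str, str]]:
    """Return (brand, pattern) when the domain looks like a brand impersonation, else None."""
    label = registrable_label(domain)
    for brand in watchlist:
        if label == brand:
            continue  # the brand's own label; registrant checks are out of scope here
        if len(label) > len(brand) and label == brand * (len(label) // len(brand)):
            return (brand, "repeated-brand")
        if label.startswith(brand):  # brand + (possibly misspelled) suffix token
            rest = label[len(brand):].strip("-")
            if any(osa_distance(rest, t) <= 1 for t in SUFFIX_TOKENS):
                return (brand, "brand+suffix")
        for t in SUFFIX_TOKENS:  # misspelled brand + clean suffix token
            if label.endswith(t):
                core = label[: -len(t)].strip("-")
                if core and osa_distance(core, brand) == 1:
                    return (brand, "typo+suffix")
        if len(brand) >= 5 and osa_distance(label, brand) == 1:
            return (brand, "typo")  # bare misspelling; short brands skipped to limit noise
    return None


if __name__ == "__main__":
    # Constructed sample of newly observed domains (not the report's IOCs).
    for d in ["biocatch-security[.]test", "cortica-secupdate.test", "thetarey-update.test",
              "wixwixwix.test", "outbrian.test", "outbrain.test", "ntpupdateserver.test"]:
        print(f"{d:28} -> {classify(d)}")
```

Feed it a daily feed of newly registered or newly resolved domains and route every non-None result to a review queue; the exact-match branch deliberately does not vouch for ownership, so the brand's own domains still need a registrant check.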