APT34 Leak Exposes Espionage Tools and Tactics of Iranian Cyber Actors
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Vulnerability Exploitation, Backdoor, Trojan
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
Threat Overview
The APT34/OilRig group, linked to Iranian intelligence, had its operational details leaked by the "Lab Dookhtegan" group on Telegram. The leaks exposed C2 infrastructure, PowerShell-based agents, ASP web shells ("HighShell" and "HyperShell"), and a DNS-based espionage toolset ("dnspionage"). These tools provide file transfer, credential theft and covert communication through proxies and DNS-based channels. The leak also contained data the attackers had collected, including domain admin credentials, indicating that high-value networks were compromised. Specific sectors or countries are not detailed, but the tooling suggests a focus on espionage and disruption. Other tools, such as 'MinionProject' and 'FoxPanel222', remain under analysis.
Extracted IOCs
- myleftheart[.]com
- 07e791d18ea8f2f7ede2962522626b43f28cb242873a7bd55fff4feb91299741
- 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed
- 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459
- 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62
- a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e
- b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768
- c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
- dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
- fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392
Tip: 10 IOCs (0 IPs, 1 domain, 0 URLs, 0 emails, 9 file hashes) related to this threat have been found.
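The indicators above are only useful once they are refanged and compared against telemetry, and for a DNS-based C2 toolset the comparison has to catch subdomains of the listed domain, not just the bare name, because tunnelling tools encode their payload in ever-changing labels. The script below is an added example, not part of the original page or of the leaked tooling: it takes the page's IOC list, splits it into SHA-256 hashes and domains, matches the domain against constructed DNS-query log lines (the log format is an assumption) and the hashes against constructed file contents. The file paths and contents are placeholders; none of them is a real sample.

```python
"""Match the IOCs listed on this page against sample DNS-query log lines and
file contents. Added example; the log format, file paths and file contents
are constructed and are not real telemetry or real samples."""
import hashlib
import re

# Indicators as listed on the page, still defanged.
PAGE_IOCS = [
    "myleftheart[.]com",
    "07e791d18ea8f2f7ede2962522626b43f28cb242873a7bd55fff4feb91299741",
    "27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed",
    "2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459",
    "3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62",
    "a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e",
    "b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768",
    "c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e",
    "dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229",
    "fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(ioc):
    """Undo the usual defanging so the indicator can be compared to real data."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")


def classify(iocs):
    """Split a mixed IOC list into a set of SHA-256 hashes and a set of domains."""
    hashes, domains = set(), set()
    for raw in iocs:
        ioc = refang(raw)
        (hashes if SHA256_RE.match(ioc) else domains).add(ioc)
    return hashes, domains


def domain_match(qname, domains):
    """Return the watch-listed domain that qname equals or is a subdomain of.

    DNS C2 carries its data in changing subdomain labels, so an exact-FQDN
    compare misses it; a plain substring test would instead flag look-alikes
    such as notmyleftheart.com, hence the explicit dot boundary."""
    q = qname.lower().rstrip(".")  # tolerate a trailing root dot
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(lines, domains):
    """Constructed log format (assumption): '<timestamp> <client-ip> <qname> <qtype>'.
    Returns (client-ip, qname, matched-domain) for every hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        _ts, client, qname, _qtype = fields[:4]
        hit = domain_match(qname, domains)
        if hit:
            hits.append((client, qname, hit))
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def scan_files(files, hashes):
    """files maps a path to its bytes; returns the paths whose SHA-256 is listed."""
    return sorted(p for p, data in files.items() if sha256_hex(data) in hashes)


# Constructed sample data (not real telemetry).
SAMPLE_DNS_LOG = """
2019-04-18T10:02:11Z 10.0.0.5 www.example.com A
2019-04-18T10:02:12Z 10.0.0.5 myleftheart.com A
2019-04-18T10:02:13Z 10.0.0.7 aGVsbG8gd29ybGQ.myleftheart.com. TXT
2019-04-18T10:02:14Z 10.0.0.9 notmyleftheart.com A
""".strip().splitlines()

SAMPLE_FILES = {
    "C:/inetpub/wwwroot/default.aspx": b"<%@ Page Language=\"C#\" %> (constructed, benign)",
    "C:/Users/Public/agent.ps1": b"# constructed placeholder, not a real sample",
}

if __name__ == "__main__":
    hashes, domains = classify(PAGE_IOCS)
    for client, qname, d in scan_dns_log(SAMPLE_DNS_LOG, domains):
        print(f"DNS hit: {client} queried {qname} (matches {d})")
    print("file hits:", scan_files(SAMPLE_FILES, hashes))
```

Run against the constructed log, the second and third lines are reported (the bare domain and a TXT query to a subdomain of it) while `notmyleftheart.com` is not; the constructed files match none of the page's hashes, as expected for placeholder content.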
Overlaps
Source: NSFOCUS - November 2019
Detection (ten cases): 07e791d18ea8f2f7ede2962522626b43f28cb242873a7bd55fff4feb91299741, 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459, 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62, a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e, b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768, c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e, dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229, fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392, myleftheart[.]com
Source: IronNet - September 2019
Detection (one case): myleftheart[.]com
Source: Cyware - August 2019
Detection (nine cases): 07e791d18ea8f2f7ede2962522626b43f28cb242873a7bd55fff4feb91299741, 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459, 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62, a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e, b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768, c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e, dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229, fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392
Source: Palo Alto Networks - April 2019
Detection (seven cases): 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62, a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e, c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e, dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229, fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392, myleftheart[.]com
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.