The article discusses the discovery of two servers sharing similarities with those reported by Check Point on APT35, an Iranian threat group. The servers are active and resolve multiple domains used for phishing purposes. The analysis focuses on the HTML page displayed on some domains, which contains four colored dots. Using the SilentPush platform, the team crafted a query to hunt for similar pages, finding matches related to previously reported IPv4 addresses and two undocumented ones. The servers resolve domains mostly used for phishing, masquerading as video conferencing related sites. The ongoing campaign still targets Israel, and the article provides methods for tracking new domains associated with APT35 activities.