Threat Infrastructure Uncovered Before Activation
Essential information
- Published: 22/04/2025 23:45
- Modified: 23/04/2025 08:49
- Tags: 2025-04-22, apt34, domain impersonation, http decoys, infrastructure, m247, oilrig, pre-operational staging, ssh keys
- Related entities: 15 observables, 1 intrusion set (APT), 2 techniques (MITRE), 4 others
Description
Between November 2024 and April 2025, a set of domains and servers impersonating an Iraqi academic organization and fictitious UK tech firms was tracked. Although dormant, the infrastructure exhibited characteristics consistent with APT34 (OilRig): shared SSH keys, structured websites, and decoy HTTP behavior on M247-hosted servers. Key observations include the use of port 8080 for fake 404 responses, consistent reuse of the same SSH fingerprints across servers, and domains registered through P.D.R. Solutions with regway.com nameservers. The setup suggests deliberate pre-operational staging, which gives defenders an early-warning opportunity before any activity begins. Detection strategies include monitoring SSH fingerprints, HTTP response patterns, and domain registration behaviors.
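As an added illustration of the detection strategy above (not code from the original report), the following Python scores scan and WHOIS records against the described staging profile: SSH fingerprint reuse across hosts, blanket 404 responses on port 8080, M247 hosting, and P.D.R. Solutions registration with regway.com nameservers. All host records, fingerprints, domains and the alert threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records; no real indicators from the report are reproduced here.
SAMPLE_HOSTS = [
    {"ip": "198.51.100.10", "domain": "fake-uni.invalid", "asn_org": "M247 Europe SRL",
     "ssh_fp": "SHA256:fp-A", "p8080": {"/": 404, "/login": 404, "/random": 404},
     "registrar": "P.D.R. Solutions", "ns": ["ns1.regway.com", "ns2.regway.com"]},
    {"ip": "198.51.100.11", "domain": "fake-tech.invalid", "asn_org": "M247 Europe SRL",
     "ssh_fp": "SHA256:fp-A", "p8080": {"/": 404, "/login": 404, "/random": 404},
     "registrar": "P.D.R. Solutions", "ns": ["ns1.regway.com"]},
    {"ip": "203.0.113.5", "domain": "benign.invalid", "asn_org": "Other Hosting Ltd",
     "ssh_fp": "SHA256:fp-B", "p8080": {"/": 200, "/login": 302, "/random": 404},
     "registrar": "Some Registrar", "ns": ["ns1.someregistrar.invalid"]},
]
ALERT_THRESHOLD = 3  # assumption: tune to your own false-positive tolerance


def score_hosts(hosts):
    """Return {ip: (score, [indicator names])} for every host in the input."""
    fp_owners = defaultdict(set)          # SSH fingerprint -> set of IPs presenting it
    for h in hosts:
        fp_owners[h["ssh_fp"]].add(h["ip"])
    results = {}
    for h in hosts:
        hits = []
        if len(fp_owners[h["ssh_fp"]]) > 1:            # same host key on several servers
            hits.append("ssh_fingerprint_reuse")
        if h["p8080"] and all(s == 404 for s in h["p8080"].values()):  # decoy 404 on 8080
            hits.append("decoy_404_on_8080")
        if "m247" in h["asn_org"].lower():
            hits.append("m247_hosting")
        if "p.d.r." in h["registrar"].lower() and any(n.endswith("regway.com") for n in h["ns"]):
            hits.append("pdr_regway_registration")
        results[h["ip"]] = (len(hits), hits)
    return results


def flagged(hosts, threshold=ALERT_THRESHOLD):
    """IPs whose indicator count meets the threshold, for review before any blocking."""
    return sorted(ip for ip, (score, _) in score_hosts(hosts).items() if score >= threshold)


if __name__ == "__main__":
    for ip, (score, hits) in score_hosts(SAMPLE_HOSTS).items():
        print(ip, score, hits)
```

Flagged hosts are candidates for watchlisting and enrichment, not automatic verdicts; a single indicator such as a shared hosting provider is far too weak on its own.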