{ "name": "Untangling Iran's APT42 Operations", "slug": "untangling-irans-apt42-operations", "description": "APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists.", "published": "2024-05-03T07:36:55+00:00", "created_at": "2024-05-03T07:36:55+00:00", "modified_at": "2024-05-03T08:49:55+00:00", "created_at_opencti": "2024-05-03T07:36:55+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-05-03", "CVE-2021-44228", "apt", "cyber espionage", "iran", "nicecurl", "tamecat" ], "related_entities": { "observables": [ { "id": "", "name": "https://youtransfer.live/" }, { "id": "", "name": "https://s3.tebi.io/icestorage/df32s.txt" }, { "id": "", "name": "https://s3.tebi.io/icestorage/config/nconf.txt" }, { "id": "", "name": "https://email-daemon.online/" }, { "id": "", "name": "https://bitly.org.il/J03p4y3r" }, { "id": "", "name": "https://bitly.org.il/" }, { "id": "", "name": "http://tnt200.mywire.org/Do1" }, { "id": "", "name": "http://onmicrosofl.com/accountID=" }, { "id": "", "name": "tnt200.mywire.org" }, { "id": "", "name": "s3.tebi.io" }, { "id": "", "name": "review.modification-check.online" }, { "id": "", "name": "email-daemon.online.tinurls.com" }, { "id": "", "name": "email-daemon.biz.tinurls.com" }, { "id": "", "name": "youronlineregister.com" }, { "id": "", "name": "youtransfer.live" }, { "id": "", "name": "ynetnews.press" }, { "id": "", "name": "we-transfer.shop" }, { "id": "", "name": "washinqtonpost.press" }, { "id": "", "name": "washingtonlnstitute.org" }, { "id": "", "name": "virtue-regular-ready.online" }, { "id": "", "name": "viewtop.online" }, { "id": "", "name": "viewstand.online" }, { "id": "", "name": "view-total-step.online" }, { "id": "", "name": "view-pool-cope.online" }, { "id": "", "name": "view-panel.live" }, { "id": "", "name": "view-cope-flow.online" }, { "id": "", "name": "verify-person-entry.top" }, { "id": "", "name": "vanityfaire.org" }, { "id": "", "name": "ushrt.us" }, { "id": "", "name": "twision.top" }, { "id": "", "name": "tonpost.press" }, { "id": "", "name": "title-flow-store.online" }, { "id": "", "name": "timesfisrael.com" }, { "id": "", "name": "tcvision.online" }, { "id": "", "name": "themedealine.org" }, { "id": "", "name": "sweet-pinnacle-readily.online" }, { "id": "", "name": "support-account.xyz" }, { "id": "", "name": "stellar-roar-right.buzz" }, { "id": "", "name": "status-short.live" }, { "id": "", "name": "simple-process-static.top" }, { "id": "", "name": "signin-myaccounts.com" }, { "id": "", "name": "signin-mails.com" }, { "id": "", "name": "signin-mail.com" }, { "id": "", "name": "signin-accounts.com" }, { "id": "", "name": "signin-acconut.com" }, { "id": "", "name": "shoting-urls.live" }, { "id": "", "name": "shortulonline.live" }, { "id": "", "name": "shortlinkview.live" }, { "id": "", "name": "shortingurling.live" }, { "id": "", "name": "shorting-ce.live" }, { "id": "", "name": "shortenurl.online" }, { "id": "", "name": "short-view.online" }, { "id": "", "name": "short-url.live" }, { "id": "", "name": "revive-project-live.online" }, { "id": "", "name": "recognize-validation.online" }, { "id": "", "name": "reconsider.site" }, { "id": "", "name": "quomodocunquize.site" }, { "id": "", "name": "pannel-get-data.us" }, { "id": "", "name": "panels-views-ckeck.live" }, { "id": "", "name": "paneling-viewing.live" }, { "id": "", "name": "panel-views-cheking.live" }, { "id": "", "name": "panelchecking.live" }, { "id": "", "name": "panel-view.online" }, { "id": "", "name": "panel-view.live" }, { "id": "", "name": "panel-view-short.online" }, { "id": "", "name": "panel-short-check.live" }, { "id": "", "name": "panel-live-check.online" }, { "id": "", "name": "panel-check-short.live" }, { "id": "", "name": "ovcloud.online" }, { "id": "", "name": "onmicrosofl.com" }, { "id": "", "name": "online-video-services.site" }, { "id": "", "name": "online-processing.online" }, { "id": "", "name": "online-access.live" }, { "id": "", "name": "nterview.site" }, { "id": "", "name": "myaccount-signin.com" }, { "id": "", "name": "mterview.site" }, { "id": "", "name": "meeting-online.site" }, { "id": "", "name": "mccainlnstitute.org" }, { "id": "", "name": "mailerdaemon.online" }, { "id": "", "name": "mailer-daemon.us" }, { "id": "", "name": "mailer-daemon.info" }, { "id": "", "name": "mail-roundcube.site" }, { "id": "", "name": "maariv.net" }, { "id": "", "name": "loriginal.online" }, { "id": "", "name": "live-projects-online.top" }, { "id": "", "name": "live-project-online.live" }, { "id": "", "name": "litby.us" }, { "id": "", "name": "last-check-leave.buzz" }, { "id": "", "name": "ksview.top" }, { "id": "", "name": "khalejtimes.org" }, { "id": "", "name": "khaleejtimes.org" }, { "id": "", "name": "jpostpress.com" }, { "id": "", "name": "jpost.press" }, { "id": "", "name": "israelhayum.com" }, { "id": "", "name": "join-paneling.online" }, { "id": "", "name": "indication-service.online" }, { "id": "", "name": "identifier-direction.site" }, { "id": "", "name": "honest-halcyon-fresher.buzz" }, { "id": "", "name": "home-proceed.online" }, { "id": "", "name": "home-continue.online" }, { "id": "", "name": "gview.site" }, { "id": "", "name": "go-forward.quest" }, { "id": "", "name": "go-conversation.lol" }, { "id": "", "name": "glory-uplift-vouch.online" }, { "id": "", "name": "geaviews.site" }, { "id": "", "name": "g-online.org" }, { "id": "", "name": "fortune-retire-home.top" }, { "id": "", "name": "forieqnaffairs.com" }, { "id": "", "name": "foreiqnaffairs.org" }, { "id": "", "name": "foreiqnaffairs.com" }, { "id": "", "name": "eocnomist.com" }, { "id": "", "name": "endorsement-services.online" }, { "id": "", "name": "email-daemon.site" }, { "id": "", "name": "email-daemon.online" }, { "id": "", "name": "ecomonist.org" }, { "id": "", "name": "email-daemon.biz" }, { "id": "", "name": "drive-file-share.site" }, { "id": "", "name": "drive-access.site" }, { "id": "", "name": "dloffice.top" }, { "id": "", "name": "dloffice.buzz" }, { "id": "", "name": "daemon-mailer.info" }, { "id": "", "name": "cvisiion.online" }, { "id": "", "name": "daemon-mailer.co" }, { "id": "", "name": "coordinate.icu" }, { "id": "", "name": "continue-meeting.site" }, { "id": "", "name": "continue-recognized.online" }, { "id": "", "name": "connection-view.online" }, { "id": "", "name": "confirmation-process.top" }, { "id": "", "name": "check-short-panel.live" }, { "id": "", "name": "check-panel-status.live" }, { "id": "", "name": "check-pabnel-status.live" }, { "id": "", "name": "check-online-panel.live" }, { "id": "", "name": "chat-services.online" }, { "id": "", "name": "businesslnsider.org" }, { "id": "", "name": "briview.online" }, { "id": "", "name": "bq-ledmagic.online" }, { "id": "", "name": "book-download.shop" }, { "id": "", "name": "bloom-flatter-affably.top" }, { "id": "", "name": "bitly.org.il" }, { "id": "", "name": "besvision.top" }, { "id": "", "name": "beaviews.online" }, { "id": "", "name": "azadlliq.info" }, { "id": "", "name": "avid-striking-eagerness.online" }, { "id": "", "name": "aspenlnstitute.org" }, { "id": "", "name": "affect-fist-ton.online" }, { "id": "", "name": "advission.online" }, { "id": "", "name": "admit-roar-frame.top" }, { "id": "", "name": "admiscion.online" }, { "id": "", "name": "activity-permission.online" }, { "id": "", "name": "admin-stable-right.top" }, { "id": "", "name": "accredit-validity.online" }, { "id": "", "name": "accounts-mails.com" }, { "id": "", "name": "account-signin.com" }, { "id": "", "name": "acconut-signin.com" }, { "id": "", "name": "M_APT_Downloader_TAMECAT_NICECURL_VBScript_1" }, { "id": "", "name": "M_APT_Backdoor_TAMECAT" }, { "id": "", "name": "M_APT_Backdoor_TAMECAT_2" }, { "id": "", "name": "M_APT_Backdoor_NICECURL_datamine_module_1" }, { "id": "", "name": "M_APT_Backdoor_NICECURL_1" }, { "id": "", "name": "07384ab4488ea795affc923851e00ebc2ead3f01b57be6bf8358d7659e9ee407" } ], "malware": [ { "id": "legacy:malware:d0ed27eb35bf6764", "name": "TAMECAT", "slug": "tamecat" }, { "id": "legacy:malware:83c7d773a50b2a89", "name": "NICECURL", "slug": "nicecurl" } ], "intrusion_sets": [ { "id": "8336079d-62bc-4f52-badb-912fcb9e0f04", "name": "APT42", "slug": "apt42" } ], "attack_patterns": [ { "id": "74d5f31c-5e2d-4aed-b8b9-4fabdde76dfa", "name": "T1598" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d", "name": "T1566" }, { "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62", "name": "T1190" }, { "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e", "name": "T1003" }, { "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221", "name": "T1059" } ], "others": [ { "id": "", "name": "Israel" }, { "id": "", "name": "NGO" }, { "id": "", "name": "Government" } ] }, "external_refs": [ "https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations", "https://otx.alienvault.com/pulse/6634b037e1f17e5686963374" ] }