i share some anti-Iranian TAs in CTI Sources topic in group , i hope by monitoring their activities we got better understanding of their moments and planning better strategies .


i will update the list as long as i can

planning to add previous IoCs / TTPs etc ....

Signature Kid is a header only tool that st.eal.s a signature from a file and copy it to whathever file you want.

Beyond St.ea.ling, Signature Kid goes a step further by Windows Internal to trick the system to treat the copied signature as valid.

https://github.com/dslee2022/SignatureKid

updated

[ ] new Indra TA social medias
[ ] wallet addresses added

it said : "technical analysis"
it's only me that see no "technical" ?

Untill now We shared :

[ 00 ] Attack Against Iran’s State Broadcaster (done by Ghyam Sarnegouni TA )

[ 01 ] Indra (گنجشگ درنده) samples related to attacks on Iran Railway Company & some Companies on syria ( related to I.R.G.C )


find them on Samples Topic on Group

Plz share us your IoCs related to current attacks against Iran it will help everyone prepping for Threat Actors as currently we don't have any global CTI

According to Israeli sources (who obtained a copy of the AFTA report on the recent Sepah Bank attack by Indra):

[00] The attacker gained access through an old Windows Server 2003 machine used for email services. This server was running MDaemon.

Note: The source stated that the specific mail server was server[.]ictops[.]ir, but we found no public records of this domain. It is likely a local/internal domain used by the bank, which reduces the likelihood that this server was the initial entry point in this attack.

[01] The attacker moved Lateral to other servers (no evidence on how this was done).

[02] They reached the targeted server and deployed their C2 (NjRat) via a PowerShell noscript.

Note : The C2 server was hosted in Canada.

that's all we know :(
i created a chart for better understanding
wish it helps

PDF version :

you were right


i can't believe this
same scenario as snappfood !!!!!!!


again stealc WTF !!!!!!!!!!!

ArvinClub has been active for a while

https://news.1rj.ru/str/arvinclub3

They done cool things
Such as finding BlackReward onion website IP
DDOS on mojahedin khalq
And also not cool things like ransom companies 👀

i found this stealer developer
This individual executed the stealer on their own device for testing purposes. Here, we are sharing the logs from the developer system.

may be useful
might be related to bank melli current breach 🤷🏻‍♂️


Fact or lie? A superficial review of the latest attack on the National Bank server
( mail[.]sadad[.]co[.]ir , mail[.]bmi[.]ir , mail[.]mail2[.]bmi[.]ir )
https://web.archive.org/web/20221103094525/https://aptiran.github.io/CENTER/