Threat Hunting on potential APT35 Servers

Sept. 29, 2025, 8:51 a.m.

Description

The article discusses the discovery of two servers sharing similarities with those reported by Check Point on APT35, an Iranian threat group. The servers are active and resolve multiple domains used for phishing. The analysis focuses on the HTML page displayed on some of the domains, which contains four colored dots. Using the SilentPush platform, the team crafted a query to hunt for similar pages, finding matches related to previously reported IPv4 addresses as well as two undocumented ones. The servers resolve domains mostly used for phishing, masquerading as video-conferencing-related sites. The ongoing campaign still targets Israel, and the article provides methods for tracking new domains associated with APT35 activity.

Date

  • Created: Sept. 27, 2025, 9:36 a.m.
  • Published: Sept. 27, 2025, 9:36 a.m.
  • Modified: Sept. 29, 2025, 8:51 a.m.

Attack Patterns

  • Magic Hound

Additional Information

  • Academic
  • Media
  • Military
  • Government
  • Israel