Threat Infrastructure Uncovered Before Activation

April 23, 2025, 8:49 a.m.

Description

Between November 2024 and April 2025, a set of domains and servers impersonating an Iraqi academic organization and fictitious UK technology firms was tracked. The infrastructure, while dormant, exhibited characteristics similar to APT34 (OilRig), including shared SSH keys, structured websites, and decoy HTTP behavior on M247-hosted servers. Key observations include the use of port 8080 for fake 404 responses, consistent reuse of the same SSH host-key fingerprint across servers, and domains registered through P.D.R. Solutions with regway.com nameservers. The setup suggests deliberate pre-operational staging, which gives defenders an early-warning opportunity before any activity begins. Detection strategies include monitoring SSH fingerprints, HTTP response patterns, and domain registration behaviors.
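The three detection pivots named above (SSH fingerprint reuse, blanket 404 responses on port 8080, and the registrar/nameserver pairing) can be correlated over scan records to surface staged-but-dormant hosts. The following is an added example written for this page, not code from the report; the observation records and hostnames are constructed sample data, and the "probe several paths on 8080" model is an assumption about how the fake-404 behavior would be measured.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HostObservation:
    """One scan record per server (constructed sample data)."""
    host: str
    ssh_fingerprint: str      # SHA256 host-key fingerprint, as printed by `ssh-keygen -lf`
    http_8080_statuses: tuple  # status codes for several probed paths on port 8080
    registrar: str
    nameserver: str


# Constructed: three hosts share one host key and answer 404 to every path on 8080.
OBSERVATIONS = [
    HostObservation("mail.host-a.example", "SHA256:k1", (404, 404, 404), "P.D.R. Solutions", "ns1.regway.com"),
    HostObservation("www.host-b.example", "SHA256:k1", (404, 404, 404), "P.D.R. Solutions", "ns2.regway.com"),
    HostObservation("www.host-c.example", "SHA256:k1", (404, 404, 404), "Other Registrar", "ns1.other.example"),
    HostObservation("shop.benign.example", "SHA256:k2", (200, 404, 301), "Other Registrar", "ns1.other.example"),
]


def shared_ssh_fingerprints(observations):
    """Return {fingerprint: [hosts]} for fingerprints seen on more than one host."""
    by_fp = defaultdict(list)
    for o in observations:
        by_fp[o.ssh_fingerprint].append(o.host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


def is_decoy_404(o):
    """Port 8080 is open but every probed path answers 404: a placeholder, not a real app."""
    return bool(o.http_8080_statuses) and all(s == 404 for s in o.http_8080_statuses)


def staging_indicators(o, shared_fps):
    """List which of the report's three pivots a single host matches."""
    hits = []
    if o.ssh_fingerprint in shared_fps:
        hits.append("ssh_fingerprint_reuse")
    if is_decoy_404(o):
        hits.append("decoy_404_on_8080")
    if o.registrar == "P.D.R. Solutions" and o.nameserver.endswith("regway.com"):
        hits.append("registrar_and_nameserver_match")
    return hits


def flag_staged_hosts(observations, min_hits=2):
    """Hosts matching at least `min_hits` pivots, with the reasons, for analyst review."""
    shared = shared_ssh_fingerprints(observations)
    flagged = {}
    for o in observations:
        hits = staging_indicators(o, shared)
        if len(hits) >= min_hits:
            flagged[o.host] = hits
    return flagged
```

Requiring two independent pivots keeps a single shared hosting key or a lone 404 page from producing an alert on its own; lower `min_hits` only when the other pivots are already confirmed for the cluster.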

Date

  • Created: April 22, 2025, 11:45 p.m.
  • Published: April 22, 2025, 11:45 p.m.
  • Modified: April 23, 2025, 8:49 a.m.

Indicators


Attack Patterns

  • APT34

Additional Information

  • Technology
  • Education
  • Iraq
  • United Kingdom of Great Britain and Northern Ireland