Wednesday, November 23, 2022

The end of the regime is near?

In the name of the god of rainbows

The brave people of Iran are continuing the fight against the child-murdering Islamic Regime! They refuse to give up in the face of brutal crackdowns by IRGC and Basij thugs! Since I last wrote, workers across the country have shown their support by striking and students at many universities have protested, but the regime dogs have increased the violence and shoot at unarmed protestors. Some videos look like a warzone, but they aren't in Syria or Ukraine, they are in Iran! And the regime continues to cut the internet to try to hide its crimes! We must be their voice; we must let the world know about these brave compatriots!

Look at these numbers!




I wish I were with those lionhearted men!

Friday, October 7, 2022

Iranian regime censorship at INSANE Levels: How to bypass!

Hello friends,

Ever since the regime police and IRGC killed the beautiful soul of Mahsa Amini in the streets of Tehran, there have been very dark days for Iran and the Iranian people.

This traitorous regime has since censored the internet and freedom of speech in Iran to an insane degree - it is claimed that the regime's censorship is now higher than that of China!


Regime censorship is out of control!! 

But there is hope that the protesters are young and strong this time. Since the protests began, ExpressVPN usage has increased by over 2100% and ProtonVPN usage by 5000%. While a traditional VPN can work, most are blocked. But friends, I have a solution:

- Use ExpressVPN

- Use Tor with the Snowflake extension

- Use ProxySU to set up a VMLess proxy: https://github.com/proxysu/ProxySU


Tor and Snowflake Extension


Always protect freedom!!!

Stay safe friends 🙏

Monday, August 8, 2022

Who are Army of Thieves? IRGC news company Fars News HACKED!



Iran International Instagram: "Fars News has been Hacked!"


Multiple sources have confirmed that Fars News, an IRGC news outlet, was hacked earlier, with access to the site denied by the hackers.

Fars News has not admitted to being hacked, but the Fars News site could not be accessed, and it was clear they were covering up, as the site was offline for multiple hours.



Fars News was offline for many hours

Army of Thieves, an alleged hacker group of unknown origin or purpose, have taken responsibility for the hack in a post on their Telegram:



Army of Thieves taking credit for hack 

Army of Thieves also sent out a threatening message: "After 4 hours the fake news website of the Islamic Republic was back on the air but not for long time Who is our next target? Wait and find out 😉"

So who are Army of Thieves??

Tuesday, July 12, 2022

REVEALED: Binance helping Iran to AVOID US Sanctions!! 😱😱

Reuters has reported that Binance, the world's largest cryptocurrency exchange, is helping Iran avoid US sanctions because of very weak identity checks and zero internal integrity within the company!



Binance supporting dictatorships! 

Asal Alizade, a trader in Iran, said that he and several other traders were able to use Binance for commercial trading from when the sanctions were imposed in 2018 until September 2021. He said that an email address was all he and his friends needed to use Binance. It was also noted that Iranian businesses laundering money to avoid sanctions have been able to easily create a Binance account by using a VPN and hiding their IP address.

To make matters worse, instead of complying with the sanctions, Binance employees were found to be acting dishonestly - they were openly laughing about Iranian companies using the Binance platform! When the popularity of Binance in Iran and with the regime was discovered, Binance employees sent messages saying "Iran boys" - so it was known that money laundering was happening on the platform!!



Donald Trump reimposed sanctions on Iran in 2018

Binance says it strictly follows international sanctions, but the evidence says otherwise! Every day they help Iran to circumvent the sanctions, they help the regime to become stronger. They openly allowed money laundering - what a disgrace! Friends, withdraw all cryptocurrencies from Binance NOW!

Tuesday, June 28, 2022

Iran launches a ROCKET into Space after committing to resume nuclear talks! 🚀🚀😡

Numerous sources have reported that the Iranian regime launched a missile called Zoljaneh a day after its commitment to resume nuclear talks!

Imam Khomeini Spaceport, the site of a previous attempt in February 2021, was the site of this worrying move. It was not clear if the launch was successful, but Ahmad Hosseini, Iran's defense spokesman, told IRNA that the launch was really successful. The regime has tried five times to launch satellites into space, which if successful would mean that they could build a nuclear weapon. This rocket launch was not a satellite, but it worries me what the regime has in mind.


Zoljaneh Missile 

The timing of the missile launch also shows the regime's complete hypocrisy, as just one day before the launch they said they wanted to resume the stalled nuclear talks in a country in the Persian Gulf region. But their actions say otherwise: earlier this month they removed International Atomic Energy Agency cameras from their nuclear sites to hide their activities, and now they are launching a missile into space. This regime does not care about the nuclear deal. They are just stalling to build a weapon!!

Certainly at this moment it is worrying that this regime is as corrupt and hypocritical as ever!! 😡😡

Monday, June 6, 2022

Microsoft STOPS cyber attack campaign by Iranian regime group Bohrium - and takes LEGAL ACTION 🧑‍⚖️


Bohrium - another Iranian state backed hacker group!! 

Today it is reported that Microsoft's Digital Crimes Unit has stopped a malicious cyber campaign by Bohrium, a group supported by the Iranian regime, and has taken legal action against this threat actor!

Bohrium are known to pose as recruiters for work in various fields such as technology, education, transport and government, and once they have lured a victim they will send malicious emails loaded with malware that will either allow Remote Code Execution (RCE) or connect the victim's machine to a command and control (C2) server so they can access all of the victim's files. Microsoft has also said that it has taken down over 41 domains that were being used by Bohrium as C2 servers.


Microsoft legal document 

In the legal document shared by Microsoft there is no date for when Bohrium started this ugly campaign, but it is suggested that Bohrium started this campaign as early as 2017!! It also suggests that Bohrium "conducted remote reconnaissance" and "stole authentication credentials".

It is still early to see if Microsoft's legal challenge will be successful, but it forces Bohrium to be exposed as yet another evil cyber group of the Iranian regime. Be careful friends!!



Monday, May 23, 2022

Iran regime hackers APT34 Helix Kitten launching DEADLY NEW BACKDOOR Saitama against Jordan foreign ministry!!


Helix Kitten aka APT34

Malwarebytes reports that APT34, also known as Helix Kitten, is on a destructive path and has released a new backdoor called Saitama on victims, this time at the Jordanian Foreign Ministry!!!

A malicious Excel document was discovered that places the new Saitama backdoor on victims' machines via a deadly macro embedded in the document. Helix Kitten attacks victims by sending a phishing email to Jordanian ministry staff entitled "Receipt of Confirmation" with the Excel document attached. The sender of the malicious emails also pretends to be a Jordanian government official, with a Jordanian logo in the email.

Malicious email sent by Helix Kitten to Jordan government

Then, when the Excel document is opened, an eNotif function is called which runs in the background and identifies the victim and their IP address, as well as reporting when malware commands are executed. eNotif also checks to see if a mouse is connected to the victim's PC, and in that case 'Update.exe', 'Update.exe.config' and 'Microsoft.Exchange.WebServices.dll' are created in the %APPDATA%/MicrosoftUpdate directory, which opens the back door for Saitama :(

The Saitama backdoor is written in .NET and abuses the DNS protocol for its command and control communications. Helix Kitten uses techniques such as compression and long random sleep times to disguise malicious traffic among legitimate traffic. The backdoor is designed as a finite state machine, which means the machine changes behavior depending on the command sent, which can be BEGIN, END, ALIVE, SLEEP, RECEIVE, DO or SEND.
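As an added illustration (not Malwarebytes' or this post's own code), the following Python flags the shape of a DNS-based C2 channel like the one just described: many unique, high-entropy subdomain labels under one domain from one client, with the query cadence reported alongside. The resolver log format, the domain, the client addresses and the thresholds are all constructed for this example.

```python
"""Flag DNS query patterns that look like a DNS C2 channel (added example,
not Malwarebytes' or the post's own code; log lines and thresholds are
constructed assumptions for illustration)."""
import math
import re
from collections import defaultdict

# Constructed sample resolver log, one query per line: "<epoch> <client> <qname>".
# The 10.0.0.7 entries mimic a beacon: unique hex labels, about 60 s apart.
SAMPLE_LOG = """\
1652000000 10.0.0.5 www.example.com
1652000001 10.0.0.5 cdn.example.com
1652000010 10.0.0.7 a91f3c7e2b.updates-sync.net
1652000071 10.0.0.7 5d0e8b13f4.updates-sync.net
1652000132 10.0.0.7 c73a1e9b0d.updates-sync.net
1652000193 10.0.0.7 e2f4b6d8a0.updates-sync.net
1652000254 10.0.0.7 9b1c3d5e7f.updates-sync.net
1652000300 10.0.0.5 mail.example.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label):
    """Bits per character; random hex/base32 labels score far above words."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (timestamp, client, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2), m.group(3).lower().rstrip(".")))
    return records


def base_domain(qname):
    """Naive registrable-domain guess (last two labels); enough for this example."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def find_suspicious(records, min_queries=4, min_entropy=3.0, max_jitter=0.25):
    """Group queries by (client, base domain) and flag groups whose leftmost
    labels are numerous, never repeated and high-entropy. Cadence regularity
    is reported but not required: a backdoor using long random sleeps, as the
    post describes, will not show a regular interval."""
    groups = defaultdict(list)
    for ts, client, qname in records:
        groups[(client, base_domain(qname))].append((ts, qname.split(".")[0]))

    findings = []
    for (client, base), items in groups.items():
        if len(items) < min_queries:
            continue
        labels = [label for _, label in items]
        if len(set(labels)) != len(labels):
            continue  # ordinary hosts re-query the same names; C2 labels do not repeat
        mean_entropy = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        if mean_entropy < min_entropy:
            continue
        times = sorted(ts for ts, _ in items)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        jitter = max(abs(g - mean_gap) for g in gaps) / mean_gap if mean_gap else 1.0
        findings.append({
            "client": client,
            "domain": base,
            "queries": len(items),
            "mean_entropy": round(mean_entropy, 2),
            "mean_gap_s": round(mean_gap, 1),
            "regular_cadence": jitter <= max_jitter,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against real resolver logs, the thresholds need tuning per environment, since CDNs and some security products also emit many unique high-entropy labels.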



Saitema backdoor source code 

The malicious Excel document and payload, together with the victims targeted, lead Malwarebytes to say that APT34 aka Helix Kitten did this disgusting act against Jordan. The Iranian regime will never stop interfering with others!! Please friends, never open Excel documents that look suspicious!!

Wednesday, May 11, 2022

Iranian RANSOMWARE attack forces 157-year-old School to CLOSE FOREVER 😡


Raisi does not fucking care about the youth and our children! 

This evil regime of Iran is hitting again, and this time it is ruining the future of the youth!

Lincoln College in the United States is 157 years old and has survived the world wars, but due to the Iranian ransomware attack in December 2021 it has been forced to close forever when the money runs out.


Lincoln College lasted over 157 years before this ransomware attack by the regime forced it to close!

More than 600 students are now affected by this vicious act of ransomware. The school paid more than $100,000 to retrieve the information blocked by the attack, because the attack blocked access to data used in student recruitment as well as disrupting fundraising efforts for more than three months!

It follows a worrying trend: more than 1,000 schools were attacked with ransomware last year. This disrupts the learning of children and students, as well as causing huge repair costs.

This regime is actively trying to destroy the lives of the youth! They must stop!

Wednesday, April 27, 2022

Iranian Rocket Kitten hacking group 😾 using CVE-2022-22954 to install new back door!! 🚪🚪


VMware Workspace ONE now has a NEW RCE Vulnerability!

Morphisec Labs reports that Rocket Kitten, an Iranian hacking group believed to be backed by the regime, is installing new sophisticated backdoors on victims' machines using an RCE vulnerability recently discovered in VMware Workspace ONE. 😡

This Remote Code Execution (RCE) vulnerability is registered as CVE-2022-22954 and affects VMware Workspace ONE. It has a critical 9.8 severity score and revolves around a server-side template injection in an Apache Tomcat component that can lead to complete RCE. An attacker who exploits this vulnerability gains a large attack surface and the highest privileges possible, and can render antivirus systems useless.

VMware Workspace ONE Architecture

An attack by the Iranian group Rocket Kitten has been observed sending PowerShell "stager" commands, executed as child processes of the legitimate prunsrv.exe application in Tomcat. This PowerShell stager then launches a malicious loader called PowerTrash, a notorious PowerShell script. Once this is set up, victims can be hit with ransomware on their devices, or attackers can move laterally through a network, gain further privileges through privilege escalation, or, worse, launch HTTPS reverse backdoors using Metasploit or Cobalt Strike!!😢

PowerTrash - a notorious PowerShell script!

Please patch this VMware vulnerability ASAP, friends! I will investigate Rocket Kitten further! 🧐🙏

Saturday, April 16, 2022

Iranian state-sponsored APT hacking group Lyceum DISCOVERED to be running a SPEAR PHISHING campaign! ⚠️⚠️

Check Point Research has reported that Lyceum, run and backed by the evil Iranian regime, has launched a spear phishing campaign in the wake of Russia's invasion of Ukraine.

Lyceum have been active since 2017 and are also known as Hexane. This new spear phishing campaign was discovered when an Israeli energy company received a phishing email from inews-reporter@protonmail.com with the title "Russian war crimes in Ukraine", containing open-source images as well as a malicious link.


Spear phishing email sent by Lyceum (Source: Checkpoint)

Once the malicious link is clicked, a PDF or Word document appears with an open-source article from the Guardian discussing the Russian invasion. Meanwhile, macro code has downloaded in the background of the victim's machine and executed a .EXE, which then stores itself in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. This means the .EXE will not start right away but upon the next computer restart, so the user will not be aware that their machine is compromised. In this campaign Lyceum have been spotted using 3 different macro droppers: .NET DNS, .NET TCP and GoLang.

Lyceum .NET DNS Macro Code Dropper (Source: Checkpoint)

Each macro dropper works slightly differently. The .NET DNS dropper is a modified version of the DNSDig tool with additional code added to form frm1. The .NET TCP dropper creates C2 communication using TCP sockets and then implements its own communication protocol. This dropper can then keylog, take screenshots and list all files and programs on a victim's machine, as well as download and upload files. The GoLang dropper is different and executes in 3 stages: the first generates a unique ID for the victim using an MD5 hash of the username. It then sends an empty HTTP POST request to a Lyceum-controlled C2 server. The malicious server then registers the victim and executes commands similar to the .NET TCP dropper.



GoLang 3 Stage Dropper (Source: Checkpoint)

For Check Point, attribution of this spear phishing and cyber espionage campaign was easy. They targeted an Israeli energy company as well as Saudi targets, both key enemies of Iran. They also used the Heijden.DNS library, which Lyceum have used before, as well as ProtonMail and DNS tunneling.

When will this corrupt Iranian regime stop illegally hacking other nations?? 😡😡

Thursday, April 7, 2022

Belarus HACKING group Ghostwriter WORKING with Iran to EXPLOIT Ukraine using BitB Phishing technique!!

BitB attack against Ukraine! 

It has been reported by Google's Threat Analysis Group (TAG) that the APT actor Ghostwriter, which is state-sponsored by the Belarusian Ministry of Defense, is working with Iran on cyber attacks against Ukraine!! 😤😤

Ghostwriter has been using the Browser-in-the-Browser (BitB) phishing technique to steal credentials from victims. BitB was disclosed by security researcher mr.d0x, and these attacks usually start by creating poisoned pop-up windows that mimic the window shown when logging into a site with a third-party single sign-on (SSO) like Google or Facebook.

Real and Fake SSO Pop-Up Windows
 

mr.d0x explains in his post that the poisoned window can be replicated easily using HTML/CSS and JavaScript, and then, for BitB to work, an onClick event is added to ensure the href of the pop-up link is ignored, as in the HTML code below:


OnClick event added to enable BitB Phishing 
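A defender-side check for the pattern just described, added here as an example and not mr.d0x's or Google TAG's code: it scans a page's HTML for anchors whose href advertises a real SSO provider but whose onclick cancels the navigation, which is the tell-tale of a BitB lure. The sample HTML and the provider allow-list are constructed assumptions.

```python
"""Audit HTML for the BitB tell-tale: an anchor whose href points at a real
SSO provider but whose onclick suppresses that navigation, so an in-page
fake "window" can be shown instead. Added example, not mr.d0x's or Google
TAG's code; the HTML and the provider list are constructed assumptions."""
from html.parser import HTMLParser
import re

# Hypothetical allow-list of real SSO login hosts a page is expected to link to.
SSO_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "www.facebook.com"}

# Handler fragments that cancel the default navigation of the link.
SUPPRESS_RE = re.compile(r"return\s+false|preventDefault\s*\(", re.IGNORECASE)

# Constructed page: one honest SSO link, one BitB-style link, one unrelated link.
SAMPLE_HTML = """
<html><body>
  <a href="https://accounts.google.com/signin">Sign in with Google</a>
  <a href="https://accounts.google.com/signin"
     onclick="openOverlay(); return false;">Sign in with Google</a>
  <a href="https://example.net/help" onclick="return false;">Help</a>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect the attributes of every <a> tag in document order."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # Valueless attributes parse as None; normalise them to "".
            self.anchors.append({k: (v or "") for k, v in attrs})


def host_of(url):
    """Lower-cased host of an http(s) URL, or "" for anything else."""
    m = re.match(r"^https?://([^/:?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def find_bitb_anchors(html):
    """Return anchors that advertise an SSO href yet cancel the click."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for a in collector.anchors:
        href, onclick = a.get("href", ""), a.get("onclick", "")
        if host_of(href) in SSO_HOSTS and SUPPRESS_RE.search(onclick):
            findings.append({"href": href, "onclick": onclick.strip()})
    return findings


if __name__ == "__main__":
    for finding in find_bitb_anchors(SAMPLE_HTML):
        print("BitB-style anchor:", finding)
```

The check only recognises the literal `return false` / `preventDefault()` forms; a handler that returns the result of another function, or listeners attached from script, still needs manual review.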


Ghostwriter then combined BitB with malicious landing pages. Ghostwriter have been using BitB to phish credentials on these domains:

- login-verification[.]top

- login-verify[.]top

- ua-login[.]top

- secure-ua[.]space

- secure-ua[.]top

It is also reported that other states like Iran have been working with Ghostwriter, so it is possibly only a matter of time before Iranian APT hacking groups such as Charming Kitten and MuddyWater start using a similar technique!

Stay alert friends!!! 🙏🙏🙏


Thursday, March 31, 2022

Australia PROMISES to retaliate to any cyber attack from Iran! 😲


Australia WILL RETALIATE to any cyber attack from Iran! 

Earlier this week it was reported that Australia's defense minister Peter Dutton stated that any cyber attack that originates from the Iranian regime will be responded to by Australia "by an equal measure" 😮

Peter Dutton also says that officials in Australia are monitoring malicious cyber activity on a daily basis. And even though Australia has not been targeted for a month, Peter Dutton is concerned that Australia could become collateral damage in a cyber war between other countries. He gave the example of instances where Microsoft is hacked, like they were last week by Lapsus$. Hacks like this will also affect the Australian government and innocent Australian people. He also says that Australia would anticipate hacks from regimes like Iran ahead of time.



Microsoft was hacked by Lapsus$ last week

Australia works very closely with the United States and the UK and has just opened a new cyber security center in Australia's capital, Canberra, to monitor malicious cyber threats.

Cyber war is changing, especially with the Russian invasion of Ukraine. And cyber attacks can cause so much damage, such as loss of money or business collapse and, at worst, injury or loss of life.😢

Iran has been publicly named by Australia since 2017 as a country that has launched malicious cyber activities against Australia, and Australia will continue to publicly attribute and expose attacks made by Iran to deter the threat. The Iranian regime needs to change its ways!! 😤

Sunday, March 27, 2022

NEW RANSOMWARE detected! LokiLocker could originate from Iran!

 


New Ransomware LokiLocker!!! 

It has been reported by BlackBerry Threat Intelligence that a new Ransomware-as-a-Service program called LokiLocker has been identified! 😱

LokiLocker encrypts files and will render a machine unusable if the victim does not pay in time. LokiLocker is a new ransomware targeting victims who use Windows. It also seems that LokiLocker was developed by an Iranian group called AccountCrack, and at least three of the known LokiLocker users use usernames that are only found on Iranian hacking channels. LokiLocker should also not be mistaken for Locky or LokiBot, as it is a NEW ransomware program!



LokiLocker config source code 

The LokiLocker malware appears to be written in .NET and protected with NETGuard using an additional virtualization plugin called KoiVM. The ransomware encrypts the victim's files on local drives and network shares with a standard combination of AES for file encryption and RSA for key protection. It then asks the victim to email the attackers to find out how to pay the ransom. LokiLocker also has a wiper functionality: if the victim does not pay, all non-system files will be deleted and the MBR overwritten, wiping all the victim's files and rendering the system unusable!


Could LokiLocker have been developed by Iran?? 

It appears that LokiLocker works as a service that is sold to a small number of hackers. It is not clear yet whether this means they originate from Iran or not, but all evidence seen so far points to the corrupt regime!

Saturday, March 19, 2022

Iran launches BRUTAL cyber attack on Israel!! 😲😲



Khamenei loves DDoS attacks as much as he loves spreading terror!!


Reports suggest that earlier this week Israeli government websites were hit by a massive cyber attack from Iran!😲

The Communications Ministry in Israel says that the attack, which is suspected to be a DDoS attack, blocked access to a number of websites in Israel, including websites that are critical to innocent people, like medical centers. Israel's National Cyber Directorate also recently published a report stating that the quality and scale of cyber attacks coming from Iran have increased dramatically in the past year, which signals a worrying statement of intent from a regime that loves to cause terror.

This DDoS attack is further retaliation after Iran fired several ballistic missiles into Iraq in response to an Israeli strike that killed 2 IRGC officers in Syria recently.



Iran launched a missile strike into Iraq earlier this week 


When will this madness end?? 


 

Friday, March 11, 2022

Increase of Iranian cyber attacks on India! Deployment of deadly ransomware in schools!

Local media in India report that cyber attacks from Iran are on the rise. Reports indicate that schools and banks, as well as government departments such as the police force and defense agencies, have been severely targeted. This new wave of cyber attacks has been reported mainly in Kerala and New Delhi, as well as in areas such as Bihar and West Bengal.

The Ministry of Home Affairs in India has said that experts are being pressured to accept the ransom demands because they are afraid of data being put on the dark web if they do not pay. This type of attack is called a lock-and-leak attack and is very popular with cyber criminals in the Iranian regime.

This follows a public warning that Google issued in 2021 about Charming Kitten AKA APT35, which I wrote a blog post about here. In that warning, Google said Charming Kitten was using phishing tools to collect data from innocent victims.


Google advisory on Charming Kitten in 2021

India has always been accustomed to cyber threats from Pakistan and China, but now Iran has to intervene illegally in yet another country! When will it stop??? 😤😤

Saturday, March 5, 2022

Iranian hacking group MuddyWater runs new cyber attack campaign in shadows of Russia invasion of Ukraine

 


Khamenei Loves War and Terror! 

The Russian invasion of Ukraine has now entered a full-scale cyber war 😢. The hacktivist group Anonymous has retaliated by taking out several key communication tools of Russia, but it has been reported by The Hacker News and several other news outlets that Iran has now come to the aid of its ally Russia, with the state-backed hacking group MuddyWater now increasing its activity 😡

In a joint US and UK release, multiple security agencies have put out a warning on MuddyWater, saying they are targeting government and industry as well as small private businesses, including those in critical infrastructure and healthcare!



Manually Generated Telegram Beacon 


The MuddyWater hacking group steals data like passwords and online access credentials, which is then passed to the disgusting regime controlling Iran and its allies, including Russia. They use tools such as a manually generated beacon to harvest Telegram data, like the one above.



 

MuddyWater runs under Iran's Ministry of Intelligence (MOIS)

The US Cybersecurity and Infrastructure Security Agency (CISA) said in its report that MuddyWater is under the control of the Iranian Ministry of Intelligence and Security, otherwise known as MOIS. Iran is a staunch Russian ally and needs the support of Russia, especially now it is increasing its nuclear program with the JCPOA talks stalling.

Khamenei has not denounced the Russian military operation in Ukraine and has suggested the root cause of the war was the "mafia regime" of the US and the policies of Western powers.

CISA Report: https://www.cisa.gov/uscert/ncas/alerts/aa22-055a


End these evil dictatorships! We want Peace! #StandWithUkraine



Saturday, February 26, 2022

Is TunnelVision a NEW hacking group controlled by Iranian State???


TunnelVision.. a new Iranian State Actor 

Sentinel Labs reports that a potential new Iranian hacking group called TunnelVision has been discovered! They are called TunnelVision because of their constant and excessive reliance on tunneling tools to achieve their evil goals. TunnelVision has been caught exploiting the Log4j vulnerability to gain backdoor access to VMware Horizon.


PowerShell code used to perform exploit 

TunnelVision have been spotted exploiting the Fortinet FortiOS vulnerability CVE-2018-13379, the Microsoft Exchange vulnerability ProxyShell and now, most recently, Log4j. It was easy for Sentinel Labs to attribute this activity to TunnelVision, as every time they exploited an innocent victim they used a unique way of tunneling to do so. They relied heavily on the Fast Reverse Proxy Client (FRPC) and Plink to commit their crimes.


PowerShell code used for Reverse Shells 

The Log4j exploit is used by TunnelVision by running malicious commands from the Tomcat.exe executable in VMware Horizon, and then using the tunneling server 142.44.135[.]86 to link up to a lot of C2 servers like hxxp://google.onedriver-srv.ml/gadfTs55sghsSSS.
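Both this TunnelVision activity (commands run from Tomcat.exe in Horizon) and the Rocket Kitten activity in the Workspace ONE post above (PowerShell spawned as a child of prunsrv.exe) share the same detectable tell: a Tomcat service process that spawns a shell. The following Python, added here as an example and not Morphisec's or Sentinel Labs' code, runs that rule plus checks for encoded PowerShell and the tunnelling tools named above over process-creation events; the events, hostnames and rule lists are constructed assumptions.

```python
"""Flag process-creation events in which a Tomcat service process spawns a
shell (the Rocket Kitten prunsrv.exe and TunnelVision Tomcat.exe patterns),
encoded PowerShell command lines, and the tunnelling tools FRPC and Plink.
Added example, not Morphisec's or Sentinel Labs' code; events and rule
lists are constructed assumptions."""
import json
import ntpath  # parses Windows paths regardless of the host OS
import re

# Rule tables (assumptions; extend with the service wrappers in your estate).
TOMCAT_PARENTS = {"prunsrv.exe", "tomcat.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TUNNEL_TOOLS = {"frpc.exe", "plink.exe"}
# powershell.exe accepts -e, -ec, -en, -enc and -encodedcommand.
ENCODED_RE = re.compile(r"(^|\s)-e(c|n|nc|ncodedcommand)?(\s|$)", re.IGNORECASE)

# Constructed Sysmon-like events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts": "2022-04-20T10:01:02Z", "host": "ws1-app01", "parent_image": "C:\\Apache\\bin\\prunsrv.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -enc AAAA"}
{"ts": "2022-04-20T10:01:09Z", "host": "ws1-app01", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
{"ts": "2022-02-10T03:14:00Z", "host": "horizon-cs02", "parent_image": "C:\\Horizon\\bin\\Tomcat.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"ts": "2022-02-10T03:20:00Z", "host": "horizon-cs02", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\Public\\plink.exe", "cmdline": "plink.exe"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the rule names the event trips; an empty list means benign."""
    parent = image_name(event.get("parent_image", ""))
    child = image_name(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    reasons = []
    if parent in TOMCAT_PARENTS and child in SHELLS:
        # A Java web-app container has no business launching a shell.
        reasons.append(f"tomcat_spawned_shell:{parent}->{child}")
    if child in SHELLS and ENCODED_RE.search(cmdline):
        reasons.append("encoded_powershell")
    if child in TUNNEL_TOOLS:
        reasons.append(f"tunnel_tool:{child}")
    return reasons


def scan(text):
    """Run classify() over every event and keep those that trip a rule."""
    findings = []
    for event in parse_events(text):
        reasons = classify(event)
        if reasons:
            findings.append({"ts": event["ts"], "host": event["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Against real telemetry, feed the parent/child pairs from Sysmon Event ID 1 or your EDR's process-creation stream; the Tomcat parent set should be widened to whatever service wrapper your VMware deployment actually uses.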

Sentinel Labs also says that TunnelVision could be Charming Kitten AKA Nemesis Kitten AKA APT35 trying out a new evil hacking method, but it is not clear if this is the case at this time.

When will this regime stop meddling?? 🙄🙄

Monday, February 21, 2022

Iran behind hack of Red Cross?? 😱 🏥


Iranian Regime hacking Red Cross! 


Hello my friends 🙏

It has been reported that the International Committee of the Red Cross (ICRC) has been hacked and that Iran was behind it.

ICRC went public on January 19th 2022 stating that their servers had been hacked and that the personal records of over half a million people who are receiving aid from the Red Cross had been affected. These extremely vulnerable people are all linked to the Restoring Family Links section of the Red Cross, but the Iranian regime has proven it doesn't care about human rights anyway.

The hack itself occurred on November 9th 2021 using the CVE-2021-40539 vulnerability in ADSelfService Plus. When ICRC went public with this news in January, a cyber actor called Sheriff went onto Raid Forums and tried to sell the leaked dataset. The email account Sheriff used to register on Raid Forums was kelvinmiddelkoop@hotmail.com, which was named in court documents linked to an Iranian disinformation media campaign, which proves the regime's guilt.

Sheriff also seemed to suggest that a ransom attempt had been made against ICRC, stating: "Mr. Mardini, your words have been heard. Check your email and send a figure you can pay." Mr. Mardini is the General of ICRC. ICRC states that they have never had any contact with the people who hacked their servers.

Sheriff is also trying to buy the penetration testing tool Cobalt Strike, offering $3000 for a cracked version. Sheriff was referred to Raid Forums by Pompompurin, who says "I know who Sheriff is but I'm not saying anything."



Account of Sheriff on Raid Forums

It is evident that not only does this cruel and evil regime like to prey on people who are desperate and vulnerable, but that they also want to hack even more people by getting Cobalt Strike. Please my friends, ensure that all your software is patched and up to date.

Thursday, February 17, 2022

Iranian Hacking Group MuddyWater targeting Turkish Hospitals! 😠 Using Malicious PDF and XLS files to execute PowerShell Scripts



Cisco Talos reports that the Iranian-backed hacking group MuddyWater AKA MERCURY AKA Static Kitten has been caught in another hacking campaign, this time targeting Turkish hospitals 😡 and other government departments in Turkey. The campaign used malicious PDF and XLS files with embedded VBA macros. These macros contain destructive VBA and PowerShell scripts that run and allow MuddyWater to access the victim's system via C2.😤😤

Another high-profile target of this MuddyWater campaign was TUBITAK, the Scientific and Technological Research Council of Turkey. The PDF and XLS files were hosted on a domain named snapfile.org and were socially engineered to lure victims in, like the example below:


Example of a malicious PDF file MuddyWater attacks victims with

Malicious files were also named like legitimate files in order to masquerade as the Turkish Health Department.


Malicious XLS files posted with Fake names by MuddyWater

The embedded VBA and PowerShell scripts are then executed from the file, downloading other PowerShell modules and infecting the victim's system. The VBA macros all included a registry key too. The VBA and first PowerShell script then download a second PowerShell script that gives MuddyWater C2 capability.


Malicious PowerShell Script

Talos was able to tell MuddyWater was behind this attack due to sloppy behavior by the group. One of the IP addresses used for the C2 server was used in January 2021 by MuddyWater. They are also using tracking tokens from Canary Tokens to see how many systems are affected. They also need to use a LOLBin script to be able to execute the PowerShell script.

Turkey has been an ally to this regime, supporting Hamas! And now they target a hospital? The extent of evil in this regime knows no bounds!! 👺👺👺

Saturday, February 12, 2022

Iranian Hacking Group Phosphorus AKA APT35 AKA Charming Kitten causing DESTRUCTION again!! Using new PowerShell backdoor and Memento Ransomware 🦠️🦠️


Iranian Hacking group Phosphorus, also known as APT35 and Charming Kitten

Cybereason reports that the Iranian hacking group Phosphorus, also known as APT35 and Charming Kitten, have been looking to cause damage and chaos again to innocent people, this time using the Microsoft Exchange Server vulnerability ProxyShell as well as a new stealthy PowerShell backdoor called PowerLess.

PowerLess is highly modular malware used to connect to a C2 server controlled by Phosphorus; it is then used to steal browser data and perform keylogging, as well as a whole host of other malicious actions.

A technical inspection revealed that first a malicious file called windowsprocesses.exe was executed and then a new file called dll.dll was loaded. This DLL file is probably inspired by the code on GitHub by farzinenddo, which runs PowerShell with the CLR. dll.dll is a .NET AES decoder with an encrypted key () * & 3dCfabE2 / 123, which then decrypts a file called upc. upc is then used to run the latest PowerShell malicious script, called PowerLess.

PowerLess malicious code

In an interesting turn of events, it seems like Charming Kitten is also behind the devastating Memento ransomware, as an IP address used for the C2 server found in the PowerLess code is also being used for Memento!

Phosphorus, also known as APT35 and Charming Kitten, must be stopped! 😤