[Unnamed group]  (Back to overview)

Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operation. The identity of the actor behind the leak is currently unknown, however based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups' operation in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even year. Note -most of the leaks are posted on Telegram channels that were created specifically for this purpose. Below are the three main Telegram groups on which the leaks were posted: Lab Dookhtegam pseudonym ("The people whose lips are stitched and sealed" –translation from Persian) –In this channel attack tools attributed to the group 'OilRig' were leaked; including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more. Green Leakers–In this channel attack tools attributed to the group 'MuddyWatter' were leaked. The group's name and its symbol are identified with the "green movement", which led the protests in Iran after the Presidential elections in 2009. These protests were heavily repressed by the revolutionary guards (IRGC) Black Box–Unlike the previous two channels this has been around for a long time. On Friday May 5th, dozens of confidential documents labeled as "secret" (a high confidentiality level in Iran, one before the highest -top secret) were posted on this channel. The documents were related to Iranian attack groups' activity.

Associated Families
win.fivehands win.puzzlemaker win.sombrat

Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin
2022-08-30eSentireeSentire Threat Response Unit (TRU)
Hacker Infrastructure Used in Cisco Breach Discovered Attacking a Top Workforce Management Corporation & an Affiliate of Russia’s Evil Corp Gang Suspected, Reports eSentire
Cobalt Strike FiveHands UNC2447
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-21eSentireeSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2021-11-30Bleeping ComputerIonut Ilascu
Yanluowang ransomware operation matures with experienced affiliates
2021-11-30SymantecSymantec Threat Hunter Team
Yanluowang: Further Insights on New Ransomware Threat
BazarBackdoor Cobalt Strike FiveHands
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-06-28CrowdStrikeAlexandru Ghita
New Ransomware Variant Uses Golang Packer
FiveHands HelloKitty
2021-06-15NCC GroupMichael Matthews, NCC RIFT, William Backhouse
Handy guide to a new Fivehands ransomware variant
2021-06-08KasperskyAlexey Kulaev, Boris Larin, Costin Raiu
PuzzleMaker attacks with Chrome zero-day exploit chain
Chainshot puzzlemaker
2021-05-13BlackberryBlackBerry Threat Research and Intelligence Team
Threat Thursday: SombRAT — Always Leave Yourself a Backdoor
MAR-10324784-1.v1: FiveHands Ransomware
Analysis Report: FiveHands Ransomware
2021-05-03Rewterz Information SecurityRewterz Information Security
Rewterz Threat Alert – Financially Motivated Aggressive Group Carrying Out Ransomware Campaigns – Active IOCs
FiveHands SombRAT UNC2447
2021-04-29FireEyeJustin Moore, Raymond Leong, Tyler McLellan
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Cobalt Strike FiveHands HelloKitty
2020-11-12BlackberryBlackBerry Research and Intelligence team
The CostaRicto Campaign: Cyber-Espionage Outsourced
SombRAT CostaRicto
2019-05-01ClearSkyClearSky Research Team
Iranian Nation-State APT Groups 'Black Box' Leak
[Unnamed group]

Credits: MISP Project