A Network IoC Analysis for 8 Iran-Affiliated APT Groups

MITRE Techniques

• [T1583.001 ] Acquire Infrastructure: Domains – Domains were registered and used as attacker infrastructure, including bulk-registered look-alikes and maliciously intended domains (‘work-meeting[.]info was bulk-registered with its look-alikes workmeeting[.]info and workmeeting[.]online’).
• [T1583.003 ] Acquire Infrastructure: Virtual Private Server – IP and domain infrastructure was maintained over time through persistent hosting and resolution patterns (‘all were confirmed active malware distributors that shared identical infrastructure fingerprints’).
• [T1584.001 ] Compromise Infrastructure: Domains – Infrastructure was set up to impersonate trusted vendors and blend into enterprise traffic (‘part of a coordinated, multibrand impersonation campaign targeting Sophos and Fortinet, among others’).
• [T1071.004 ] Application Layer Protocol: DNS – DNS queries and historical domain-to-IP resolutions were central to the observed activity (‘9,849 unique client IP addresses… communicated with nine domain IoCs’ and ‘recorded 5,202 historical domain-to-IP resolutions’).
• [T1588.001 ] Obtain Capabilities: Malware – The subdomains were tied to malware distribution infrastructure (‘all were confirmed active malware distributors’).
• [T1598.003 ] Phishing for Information: Spearphishing Link – The use of look-alike domains and vendor impersonation suggests lure-based access collection (‘chosen to blend in as a legitimate cloud/API service from trusted brand Sophos’).
• [T1565.001 ] Data Manipulation: Stored Data Manipulation – DNS and WHOIS records were used to conceal or alter attribution through infrastructure changes (‘domain extraction from subdomains, legitimate domain filtering, and weeding out of inactive domains’).