Threat Hunting on potential APT35 Servers
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
The article discusses the discovery of two servers sharing similarities with those reported by Check Point on APT35, an Iranian threat group. The servers are active and resolve multiple domains used for phishing purposes. The analysis focuses on the HTML page displayed on some domains, which contains four colored dots. Using the SilentPush platform, the team crafted a query to hunt for similar pages, finding matches related to previously reported IPv4 addresses and two undocumented ones. The servers resolve domains mostly used for phishing, masquerading as video conferencing related sites. The ongoing campaign still targets Israel, and the article provides methods for tracking new domains associated with APT35 activities.
OPENCTI LABELS :
phishing,typosquatting,threat hunting,infrastructure tracking,iranian apt,video conferencing
AI COMMENTARY :
1. Introduction to Threat Hunting on Potential APT35 Servers
In the ever-evolving world of cybersecurity, identifying and disrupting the infrastructure of advanced persistent threat actors is a critical task. Recent intelligence has highlighted APT35, an Iranian threat group known for sophisticated phishing and typosquatting campaigns. This article details our threat hunting efforts on two servers that exhibit striking similarities to those previously reported by Check Point, outlines our analytical methodologies, and provides practical guidance for monitoring new APT35 domains.

2. Discovery of Two Servers Sharing Similarities with Check Point’s APT35 Report
Our research began when we uncovered two active servers resolving multiple domains linked to phishing activities. These servers matched several indicators from Check Point’s reports on APT35, including overlapping hosting environments and parallel domain infrastructure. By correlating passive DNS data and historic indicators, we confirmed that the two servers in question warranted deeper investigation for potential ties to the Iranian threat actor.

3. In-Depth HTML Page Analysis Revealing Four Colored Dots
A pivotal moment in our analysis occurred when we browsed several of the suspicious domains and encountered a seemingly innocuous HTML page featuring four colored dots. This simple visual fingerprint became a powerful detection asset. We theorized that the four-dot page served as a staging or landing page for later phishing lures, and its unique structure provided an opportunity for query-based threat hunting across our telemetry systems.

4. Leveraging the SilentPush Platform for Expanded Threat Hunting Queries
Utilizing SilentPush, our threat hunting platform, we crafted a targeted query searching for HTML pages containing the four-dot pattern. This query returned matches tied to IPv4 addresses already documented in public APT35 advisories, as well as two previously undocumented addresses. By indexing our web proxy and Internet scanning feeds, we rapidly validated the connections between these servers and the known APT35 infrastructure.

5. Infrastructure Mapping Uncovers Previously Undocumented IPv4 Addresses
Our expanded query revealed two new IPv4 addresses not yet discussed in open-source reports. Further analysis of historical DNS resolutions and WHOIS records confirmed these addresses were consistently used in phishing campaigns masquerading as legitimate video conferencing services. Mapping these additional nodes provided a more complete view of the adversary’s hosting environment and reinforced the hypothesis that these servers were part of an orchestrated APT35 infrastructure network.

6. Phishing and Typosquatting Campaigns Masquerading as Video Conferencing Portals
The domains hosted on these servers bore slight typographical variations of popular video conferencing brands, a classic typosquatting tactic designed to deceive unsuspecting users. Each domain redirected to the four-dot HTML page before initiating credential capture workflows. By cataloging these domains, monitoring their registration patterns, and analyzing their SSL certificates, we built a dynamic blocklist and improved our phishing detection rules.

7. Continued Focus on Israel as the Primary Target of the Ongoing Campaign
Consistent with previous APT35 activity, most of the phishing attempts we observed targeted individuals and organizations in Israel. Analysis of email lures, language localization, and time-based hosting patterns indicated a deliberate strategy to intercept credentials from high-value government and corporate targets. Awareness of this geographic focus enabled us to refine our threat intelligence feeds and provide timely alerts to regional security teams.

8. Proactive Methods for Tracking Emerging APT35 Domains
To stay ahead of the adversary, we recommend implementing continuous DNS monitoring for typosquatting variants of popular services, deploying web content fingerprinting for unique HTML artifacts, and integrating threat hunting platforms like SilentPush into SOC workflows. Regularly updating detection rules based on newly discovered infrastructure and employing passive DNS replication will help security teams detect and disrupt future APT35 operations before they inflict significant harm.

9. Conclusion and Recommendations for Future Infrastructure Tracking
Our threat hunting mission on potential APT35 servers underscores the importance of creative analysis and robust telemetry. By focusing on subtle indicators—such as the four-dot HTML fingerprint—and leveraging advanced hunt platforms, security practitioners can uncover hidden adversary infrastructure. We encourage defenders to adopt a proactive stance in tracking phishing, typosquatting, and infrastructure tactics associated with Iranian APT groups to safeguard critical assets and stay one step ahead of sophisticated cyber threats.
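The two tracking methods recommended above (fingerprinting a distinctive HTML artifact and watching for typosquatting variants of watched brands) as an added illustration; this is not code from the article or from SilentPush. The four-dot page markup, the colour values and the brand list are constructed assumptions, since the report does not reproduce the real page.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample of a "four coloured dots" landing page (assumed shape,
# not the real markup from the campaign).
FOUR_DOT_PAGE = """<html><body>
<div class="dot" style="background:#e53935"></div>
<div class="dot" style="background:#43a047"></div>
<div class="dot" style="background:#1e88e5"></div>
<div class="dot" style="background:#fdd835"></div>
</body></html>"""


class _Shape(HTMLParser):
    """Collect the tag sequence plus inline CSS colours; text and ids are ignored."""
    def __init__(self):
        super().__init__()
        self.tags, self.colors = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag.lower())
        style = dict(attrs).get("style") or ""
        self.colors += re.findall(r"#[0-9a-fA-F]{3,6}\b", style)


def page_fingerprint(html: str) -> tuple:
    """Structural fingerprint: short sha256 of the tag skeleton plus the number of
    distinct colours, so lure pages with edited copy but the same skeleton match."""
    p = _Shape()
    p.feed(html)
    digest = hashlib.sha256("/".join(p.tags).encode()).hexdigest()[:16]
    return digest, len({c.lower() for c in p.colors})


REFERENCE = page_fingerprint(FOUR_DOT_PAGE)


def looks_like_four_dot_page(html: str) -> bool:
    """True when a fetched page has the reference skeleton and exactly four colours."""
    return page_fingerprint(html) == REFERENCE


def typosquat_variants(brand: str) -> set:
    """Single-character omissions, adjacent transpositions and common digit swaps."""
    swaps = {"o": "0", "l": "1", "i": "1", "e": "3"}
    out = set()
    for i, ch in enumerate(brand):
        out.add(brand[:i] + brand[i + 1:])                                  # omission
        if i + 1 < len(brand):
            out.add(brand[:i] + brand[i + 1] + ch + brand[i + 2:])         # transposition
        if ch in swaps:
            out.add(brand[:i] + swaps[ch] + brand[i + 1:])                 # digit swap
    out.discard(brand)
    return out


def flag_domains(new_domains, brands):
    """Return (domain, brand) pairs whose first label is a typosquat of a watched brand."""
    watch = {v: b for b in brands for v in typosquat_variants(b)}
    return [(d, watch[d.lower().split(".")[0]]) for d in new_domains
            if d.lower().split(".")[0] in watch]
```

In practice `looks_like_four_dot_page` would be run over page bodies collected by a crawler or web proxy, and `flag_domains` over a daily feed of newly registered or newly resolved domains.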