IronNet threat intelligence

Updates and analysis on significant cybersecurity events from IronNet’s threat intelligence and research teams.


Nation-state cyber threat reports



Russia

Updates as of September 2021:

More than 30 active APT29 C2 servers

  • RiskIQ’s investigation began with a tweet mentioning possible IOCs associated with APT29 and WellMess.
  • Nearly three dozen command-and-control (C2) servers were found under APT29 control, actively serving WellMess and WellMail malware.
  • RiskIQ linked the servers’ SSL certificates and IP addresses to APT29 C2 infrastructure with high confidence.
  • There is no information on how the infrastructure is being used or who the targets are.
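The certificate-and-IP linking in the RiskIQ finding above can be reproduced on your own passive-SSL data. The following is an added example, not RiskIQ’s or IronNet’s code: it walks a bipartite graph of IPs and certificate fingerprints outward from seed IOCs, and refuses to pivot through certificates shared by many hosts (wildcard or shared-hosting certificates would otherwise link everything). All IPs, fingerprints and names are constructed; the `max_shared` and `max_hops` thresholds are assumptions to tune against real data.

```python
"""Expand seed C2 IPs to related infrastructure via shared TLS certificates.

Added example, not RiskIQ's or IronNet's code. OBSERVATIONS are constructed
passive-SSL style records; every IP, fingerprint and name is made up.
"""
from collections import defaultdict, deque

# Constructed (ip, certificate SHA-1 fingerprint, subject common name) records.
OBSERVATIONS = [
    ("198.51.100.10", "aa11", "mail.update-example.test"),
    ("198.51.100.11", "aa11", "mail.update-example.test"),   # same cert as the seed
    ("198.51.100.11", "bb22", "cdn.static-example.test"),    # second cert on that host
    ("203.0.113.5",   "bb22", "cdn.static-example.test"),    # reachable in two hops
    ("203.0.113.6",   "cc33", "www.unrelated.test"),         # never linked to the seed
    ("198.51.100.10", "dd44", "*.shared-hosting.test"),      # cert shared with many hosts
] + [(f"192.0.2.{i}", "dd44", "*.shared-hosting.test") for i in range(10)]


def build_graph(observations):
    """Bipartite IP <-> certificate adjacency sets."""
    ip_to_certs = defaultdict(set)
    cert_to_ips = defaultdict(set)
    for ip, fingerprint, _cn in observations:
        ip_to_certs[ip].add(fingerprint)
        cert_to_ips[fingerprint].add(ip)
    return ip_to_certs, cert_to_ips


def pivot(observations, seeds, max_shared=5, max_hops=2):
    """Breadth-first walk from seed IPs across the certificates they present.

    A certificate seen on more than max_shared hosts is not used as a pivot:
    shared-hosting and wildcard certs connect unrelated infrastructure and
    would flood the result with false positives. Walks stop after max_hops.
    Returns (hops, pivots): hop distance per IP, and the fingerprint that led
    to each non-seed IP.
    """
    ip_to_certs, cert_to_ips = build_graph(observations)
    hops = {ip: 0 for ip in seeds}
    pivots = {}
    queue = deque(seeds)
    while queue:
        ip = queue.popleft()
        if hops[ip] >= max_hops:
            continue
        for fingerprint in ip_to_certs.get(ip, ()):
            peers = cert_to_ips[fingerprint]
            if len(peers) > max_shared:
                continue  # too widely shared to mean anything
            for peer in peers:
                if peer not in hops:
                    hops[peer] = hops[ip] + 1
                    pivots[peer] = fingerprint
                    queue.append(peer)
    return hops, pivots


def report(observations, seeds, **kwargs):
    """(ip, hops, via_fingerprint, [subject names]) ordered by distance from the seeds."""
    hops, pivots = pivot(observations, seeds, **kwargs)
    names = defaultdict(set)
    for ip, _fp, cn in observations:
        names[ip].add(cn)
    ordered = sorted(hops.items(), key=lambda kv: kv[1])
    return [(ip, hop, pivots.get(ip), sorted(names[ip])) for ip, hop in ordered]


if __name__ == "__main__":
    for row in report(OBSERVATIONS, ["198.51.100.10"]):
        print(row)
```

The hop count is the confidence signal: a one-hop host shares a certificate directly with a known C2 server, while a two-hop host is linked only through an intermediate and deserves a second look (hosting provider, registration dates, open ports) before it is blocked.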


China

Updates as of September 2021:

SparklingGoblin and the SideWalk backdoor

  • SparklingGoblin was first detected in May 2020.
  • The group has recently been linked to a previously undocumented modular backdoor called SideWalk.
  • SideWalk was used in a recent SparklingGoblin campaign targeting a computer retail company in the US.


UNC215 cyber espionage campaign in Israel

  • Since January 2019, UNC215 has conducted campaigns against Israeli government entities, IT providers, and telecommunications companies.
  • UNC215 is linked with low confidence to APT27.
  • UNC215 targets organizations that are of interest to Beijing’s financial, diplomatic, and strategic objectives, demonstrating China’s consistent strategic interest in the Middle East and in Israel’s robust technology sector.


Iran

Updates as of September 2021:

Siamesekitten supply chain attacks

  • The Iranian APT group Siamesekitten was found responsible for supply chain attack campaigns that targeted IT and communication companies in Israel in May and July 2021.
  • The attackers impersonated IT companies and their HR personnel to compromise computers and reach the companies’ clients.
  • The main goal was espionage: using the infected network to gain access to the clients’ networks and possibly deploy ransomware or wiper malware.
North Korea

Updates as of September 2021:

APT37 / Scarcruft browser exploits

  • Volexity uncovered a strategic web compromise of the South Korean online newspaper Daily NK.
  • Volexity first detected the malicious code in April 2021, but it was present on the website from at least late March 2021 until early June 2021.
  • The attackers are the North Korean group APT37, also known as Scarcruft.
  • Scarcruft modified legitimate files used as part of the normal function of the Daily NK website to include code redirecting users to load malicious JavaScript from the attacker-owned domain jquery[.]services.
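Two checks that would have surfaced the Daily NK modification described above: a hash comparison of the site’s own files against a known-good baseline, and a scan of served pages for script loads from domains that are neither first-party nor allowlisted, with lookalikes of CDN names called out. This is an added example, not Volexity’s or IronNet’s code. The site host, the allowlist, the library-to-domain map and the HTML are assumptions; the only real indicator in it is the attacker domain from the report, embedded as a string in constructed HTML and never contacted.

```python
"""Flag injected script loads and modified files on a web server.

Added example, not Volexity's or IronNet's code. SITE_HOST, ALLOWED_DOMAINS,
LIBRARY_DOMAINS and PAGE_HTML are assumed/constructed. The domain
jquery.services is the indicator from the report; nothing here fetches it.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example-news.test"                  # assumed first-party host
ALLOWED_DOMAINS = {"jquery.com", "googleapis.com"}   # assumed third-party allowlist
# Library names attackers imitate, mapped to domains that really serve them (assumed).
LIBRARY_DOMAINS = {"jquery": {"jquery.com", "jsdelivr.net", "cloudflare.com"}}

# Constructed page: one first-party script, one legitimate CDN, two injections.
PAGE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="https://jquery.services/jquery.min.js"></script>
<script src="//cdn.example-ads.test/track.js"></script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects every <script src=...> value in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def registrable_domain(host):
    # Last two labels: fine for .com/.services, wrong for co.uk-style suffixes.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_suspicious_scripts(html, site_host=SITE_HOST, allowed=ALLOWED_DOMAINS):
    """(src, registrable domain, reason) for each script host that is not first-party or allowlisted."""
    collector = ScriptCollector()
    collector.feed(html)
    site_domain = registrable_domain(site_host)
    findings = []
    for src in collector.srcs:
        host = urlparse(src).hostname or ""   # handles https://, // and relative paths
        if not host:
            continue                          # relative path: served by the site itself
        domain = registrable_domain(host)
        if domain == site_domain or domain in allowed:
            continue
        reason = "unknown third-party script host"
        for lib, legit in LIBRARY_DOMAINS.items():
            if lib in host and domain not in legit:
                reason = f"lookalike of {lib} CDN"
        findings.append((src, domain, reason))
    return findings


def baseline_of(files):
    """SHA-256 per path for a known-good snapshot of served files (path -> bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def changed_files(baseline, current):
    """Paths whose current content differs from the baseline, or that were added."""
    return sorted(path for path, data in current.items()
                  if hashlib.sha256(data).hexdigest() != baseline.get(path))


if __name__ == "__main__":
    for finding in find_suspicious_scripts(PAGE_HTML):
        print(finding)
```

Run the script scan against a crawl of your own pages and the hash check against the deployed document root from a clean host; a strategic web compromise of this kind changes files the site already serves, so an integrity baseline catches it even when the injected loader is obfuscated.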


Konni malware

  • In late July 2021, Malwarebytes identified an ongoing spear-phishing campaign delivering the Konni RAT to targets in Russia.
  • Konni was first observed in the wild in 2014 and has been tentatively linked to the North Korean APT group APT37.
  • The main victims of this RAT are mostly political organizations in Russia and South Korea, but it has also been observed targeting Japan, Vietnam, Nepal, and Mongolia.

AlienVault Pulses from IronNet

Get access to the AlienVault OTX pulses from IronNet to apply detection insights into your environment, including threat summaries, software targeted, and related indicators of compromise.

NOTE: You will need to log in on your first visit. Be sure to sign up on AlienVault to receive IronNet Pulses via email.

Access IronNet’s GitHub

Get access to IronNet's GitHub for recent threat research and reporting from IronNet's Threat Research Teams on recent attacks.


Monthly Threat Intelligence Brief

In addition to correlated alerts, significant IronDome community findings revealed 773 Indicators of Compromise (IoCs) that may pose a risk to IronDome participant environments. For example, we analyzed the malicious kerrytj[.]com domain, which hosts two malicious macro-enabled Word documents (invoice.doc and use.doc).

Significant IronDome community findings

IronDefense, deployed across IronDome customer communities, identified a number of network behavioral anomalies that were rated as Suspicious or Malicious by IronNet and/or community SOC analysts.
Below is a list from August 2021.
Analyst Insight

This domain is part of a redirect chain involving pucopum[.]info and box20files[.]com. When visited, it shows the user an unzip password and then serves a password-protected ZIP file. The binary inside contained adware along with a malicious version of msimg32[.]dll.

This domain hosts a phishing scam targeting pipeline customer relationship management.

This is a known spyware/malware infection source. Clients are redirected to this domain from infected sites.

This domain navigates to a mobile-optimized site that appears to offer adult-themed TikTok videos. Mobile users are redirected to the related domains vqtxxbkqhss7tncw[.]jewelry and rbl4all.caroline26[.]com.

This is a Terraclicks-related domain hosting ad redirects. We recommend blocking the domain.

This IP address is a possible internet scanner that open-source intelligence (OSINT) sources rate as Suspicious.

This site redirects users to userscloud[.]com, which presents the user with a potentially unwanted program (PUP) download option and browser notifications.

This domain invokes a pop-under redirect to grandprize[.]xyz. The suspicious traffic was a result of landing on a compromised site. If seen in your network, ensure any redirects and amads[.]uno are blocked.

This domain is indicative of a hacked WordPress site injected with adware/malvertising. The domain may lead to unwanted redirects. If seen in your network, investigate any redirects.

This domain is associated with adware/Terraclicks. Ensure connections are blocked.


Catch ransomware early with IronNet

Ransomware attack vectors, which network detection and response tools such as IronDefense can identify, typically include:

  • Social engineering
  • “Legitimate” user credentials: obtained from services such as remote desktop protocol (RDP) and remote file sharing
  • Exploitation: for example via publicly known, but unpatched, software vulnerabilities
  • Command and control: domain generation
  • Encryption: files are encrypted after backup files are removed
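The last two stages, domain generation for command and control and backup removal before encryption, both leave evidence that can be checked before the first file is encrypted. The following added example (not IronNet’s or IronDefense’s detection logic) scores constructed endpoint logs for DGA-looking DNS queries and for shadow-copy and backup-catalog destruction commands, then correlates the two per host. The log format, hostnames, command lines and all thresholds are assumptions; tune them against your own telemetry.

```python
"""Ransomware precursor detection over constructed endpoint logs.

Added example, not IronNet's or IronDefense's code. LOG_LINES use an
invented key=value format; hosts, users and domains are constructed.
"""
import math
import re
import shlex
from collections import defaultdict

LOG_LINES = [
    '2021-08-12T03:10:01Z host=WS-117 event=dns query=xkq7v2pz9mw4h.com',
    '2021-08-12T03:10:02Z host=WS-117 event=dns query=update.microsoft.com',
    '2021-08-12T03:10:03Z host=WS-117 event=dns query=dvjkxprtlqmb.net',
    '2021-08-12T03:14:07Z host=WS-117 event=process user=j.doe cmd="vssadmin.exe delete shadows /all /quiet"',
    '2021-08-12T03:14:09Z host=WS-117 event=process user=j.doe cmd="bcdedit /set {default} recoveryenabled No"',
    '2021-08-12T03:15:00Z host=WS-042 event=dns query=stackoverflow.com',
    '2021-08-12T03:15:10Z host=WS-042 event=process user=a.roe cmd="notepad.exe notes.txt"',
    '2021-08-12T03:16:00Z host=SRV-01 event=process user=backup cmd="wbadmin delete catalog -quiet"',
]

# Commands ransomware runs to remove recovery options before encrypting.
BACKUP_DESTRUCTION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
]


def parse(line):
    """Split 'ts key=value key="quoted value"' into a dict; quotes keep the command line whole."""
    tokens = shlex.split(line)
    fields = {"ts": tokens[0]}
    for token in tokens[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def shannon_entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def looks_generated(domain, min_len=8, min_entropy=3.3, max_vowel_ratio=0.2):
    """Heuristic DGA check on the second-level label (assumed thresholds).

    High entropy alone is not enough: long real words such as
    'stackoverflow' score high too, so require a low vowel ratio as well.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def detect(lines):
    """Per-host findings: DGA-style lookups, backup destruction, and a severity for the combination."""
    per_host = defaultdict(lambda: {"dga": [], "backup": []})
    for line in lines:
        fields = parse(line)
        host = fields.get("host")
        if fields.get("event") == "dns" and looks_generated(fields.get("query", "")):
            per_host[host]["dga"].append(fields["query"])
        elif fields.get("event") == "process":
            cmd = fields.get("cmd", "")
            if any(p.search(cmd) for p in BACKUP_DESTRUCTION):
                per_host[host]["backup"].append(cmd)
    findings = []
    for host, obs in sorted(per_host.items()):
        if obs["backup"] and obs["dga"]:
            severity = "high"     # C2 beaconing plus recovery removal: encryption is imminent
        elif obs["backup"]:
            severity = "medium"   # may be a legitimate admin; verify the account and change window
        elif obs["dga"]:
            severity = "low"      # beaconing alone; hunt for the process making the lookups
        else:
            continue
        findings.append({"host": host, "severity": severity,
                         "dga_queries": obs["dga"], "backup_cmds": obs["backup"]})
    return findings


if __name__ == "__main__":
    for finding in detect(LOG_LINES):
        print(finding)
```

The correlation is the point: shadow-copy deletion from a backup service account on a server is routine, and a single odd DNS name is noise, but both on the same workstation within minutes is the moment to isolate the host.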

Discover IronNet for SOC Analysts

  • Do what you do, even better, with behavioral analytics
  • Learn practical ways to rule out false positives
  • Use detection tools that integrate with your existing cybersecurity stack