September 26, 2023

A new advisory from Microsoft states that a threat actor associated with Iranian nation-state hackers has been weaponizing N-day vulnerabilities and incorporating new techniques to access environments of interest.

The threat actor is a sub-group of Mint Sandstorm – a gang also known as Phosphorus and associated with APT35, APT42, Charming Kitten, and TA453.

Microsoft says between late 2021 and mid 2022, the threat actor switched from reconnaissance to direct attacks on US critical infrastructure, which included seaports, energy companies, transit systems and a large US utility and gas entity.


The techniques used by the Mint Sandstorm subgroup are the adoption of publicly disclosed proof-of-concept (POC) code to exploit flaws in internet-facing applications.

Till last year, the threat actor had been slow to adopt exploits for recently-disclosed vulnerabilities with publicly reported POCs. Since the start of 2023, Microsoft observed a notable decrease in the time required for this subgroup to adopt and incorporate public POCs.

The group uses two customs .NET implants known to be Drokbk and Soldier to achieve persistence on victim machines and download additional tools. The distinct attack chain involves low-volume phishing campaigns and a third custom implant.

The new intrusions attributed to the group are concerned as they allow operators to conceal C2 communication, as well as persist in a compromised system, and deploy several post-compromise tools with different capabilities.

Vulnerabilities exploited by the subgroup

  • IBM Aspera Faspex was affected by CVE-2022-47986:
  • Zoho ManageEngine was affected by CVE-2022-47966
  • Apache Log4j2 (CVE-2021-44228 and CVE-2021-45046):

Microsoft recommended a series of mitigation guidelines to protect against this Mint Sandstorm subgroup, including hardening internet-facing assets and reducing the attack surface via rules included in the advisory.

Indicators of Compromise

  • ad55b4a40f9e52682d9d4f069914e09c941e8b77ca7b615e9deffccdfbc54145
  • 64f39b85c1d784df1ca8eb895ac7eaf47bf39acf008ed4ae27a796ac0f841b
  • sync-system-time[.]cf
  • update-windows-security[.]tk
  • dns-iprecords[.]tk
  • universityofmhealth[.]biz
  • oracle-java[.]cf
  • 54.39.202[.]0
  • 51.89.135[.]15
  • 51.89.169[.]201
  • 51.89.187[.]222
  • NY.docx.docx
  • 57cc5e44fd84d98942c45799f367db78adc36a5424b7f8d9319346f945f64a72
  • Abraham%20Accords%20Du.[.]docx
  • 3dcdb0ffebc5ce6691da3d0159b5e811c7aa91f6d8fc204963d2944225b0119d
  • DocTemplate.dotm
  • 65e48f63f455c94d3bf681acaf115caa6e1e60499362add49ca614458bbc4f85
  • DntDocTemp.dotm
  • 444075183ff6cae52ab5b93299eb9841dcd8b0321e3a90fb29260dc12133b6a2
  • 0onlyastep0[.]xyz
  • 0readerazone0[.]xyz
  • 0tryamore0[.]xyz

Leave a Reply

%d bloggers like this: