Uncover APT34-Like Infrastructure Before It Becomes a Threat

From November 2024 to April 2025, researchers identified inactive infrastructure masquerading as an Iraqi educational entity and UK technology companies, hosted on M247. Indicators such as reused SSH credentials, standardized web layouts, and deceptive HTTP replies on port 8080 reflect tactics commonly associated with APT34 (OilRig). Although no malicious payloads were observed, the infrastructure points to early-stage operational setup. Defenders can bolster early threat detection by tracking SSH fingerprint reuse, recurring domain themes, and anomalous HTTP behavior.

Technical Description

Domain Activity and Infrastructure Staging:

Beginning in November 2024, the domain biam-iraq[.]org, which spoofed an Iraqi academic institution, initially resolved to a Host Sailor IP before transitioning to M247’s IP address 38.180.18[.]189, where it remained for over four months. On March 18, 2025, it was redirected to another M247 address: 38.180.140[.]30. This server responded on port 8080 with a static “404 Not Found” page titled “Document,” a signature behavior attributed to APT34 as of March 2025. Passive DNS data also revealed the presence of subdomains such as mail, webmail, cpanel, and cpcontacts, indicative of staging for phishing or credential theft, despite the absence of any live content.

HTTP Patterns and Deceptive Responses:

The infrastructure repeatedly leveraged port 8080 to deliver a static 404 “Document” page with a consistent Content-Length of 338 bytes, likely crafted to evade scrutiny. This uniform behavior, observed across several servers, mirrors APT34’s reliance on templated server configurations. The unchanging HTTP response, last recorded on April 16, 2025, suggests an intentional tactic to mask command-and-control operations, and it offers defenders a dependable detection signature.

SSH Credential Reuse and Host Correlation:

A single SSH fingerprint was consistently reused across five servers hosted by M247, including 38.180.18[.]189 and 38.180.140[.]30, between March 21 and March 29, 2025. All servers presented the same SSH banner (SSH-2.0-OpenSSH_8.0), pointing to a common provisioning method. This reuse across disparate IP addresses and autonomous systems offers a strong, persistent indicator for uncovering related infrastructure, even in the absence of active payloads.

.eu Infrastructure and Thematic Patterns:

In March 2025, a cluster of .eu domains such as plenoryvantyx[.]eu, zyverantova[.]eu, valtryventyx[.]eu, valtorynexon[.]eu, and axoryvexity[.]eu resolved to the IP address 38.180.18[.]189. These domains, registered through P.D.R. Solutions (US) LLC, utilized regway[.]com as their nameservers and were secured with Let’s Encrypt TLS certificates. Although the domain names appear algorithmically generated and lack any legitimate associations, their convergence on shared infrastructure points to a deliberate and coordinated configuration, potentially intended for phishing or spoofing operations in the future.

Fake Corporate Identities:

Among the domains, only plenoryvantyx[.]eu hosted an active website, masquerading as “Sphere Spark,” a fabricated UK-based marketing agency featuring generic, placeholder content. Search engine results also associated the domain with “BioVersa Dynamics,” an alleged scientific organization, highlighting branding inconsistencies. Other domains, such as valtorynexon[.]eu and zyverantova[.]eu, were linked to fictitious tech firms like “ZenStack Technologies” and “Dynamic Byte Systems.” These invented personas, lacking any verifiable presence, appear designed to emulate legitimate entities, increasing the infrastructure’s plausibility and effectiveness in deception-based campaigns.

Threat Identification and Surveillance Techniques:

Analysts developed two detection queries to uncover similar infrastructure. The first focuses on identifying the distinctive HTTP 404 “Document” response served on port 8080, filtering based on specific body content and a fixed Content-Length. The second tracks the reuse of a known SSH fingerprint across multiple IP addresses, aiding in the identification of related hosts. By leveraging consistent patterns in HTTP and SSH behavior, these queries enable early detection of dormant infrastructure, giving defenders enhanced visibility into potential pre-attack staging.
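The two detection queries described above, as an added example that is not part of the advisory: one function matches the port-8080 404 “Document” decoy (status, title and Content-Length 338), the other groups hosts by SSH fingerprint to expose reuse. The scan records, record layout, IP addresses and fingerprint values are all constructed placeholders, not data from the page.

```python
"""Added detection example: the port-8080 "Document" decoy check and the
SSH fingerprint reuse check. All records below are constructed sample data."""
import re
from collections import defaultdict

# Constructed sample scan records; the field layout is an assumed simplified export,
# the IPs are documentation addresses and the fingerprints are made up.
FP_SHARED = "SHA256:CONSTRUCTEDsharedfingerprint0000000000000000001"
DECOY_BODY = "<html><head><title>Document</title></head><body>404 Not Found</body></html>"
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "port": 8080, "status": 404, "content_length": 338,
     "body": DECOY_BODY, "ssh_banner": "SSH-2.0-OpenSSH_8.0", "ssh_fp": FP_SHARED},
    {"ip": "192.0.2.11", "port": 8080, "status": 404, "content_length": 338,
     "body": DECOY_BODY, "ssh_banner": "SSH-2.0-OpenSSH_8.0", "ssh_fp": FP_SHARED},
    # Same fingerprint but an ordinary nginx-style 404: caught by the SSH check only.
    {"ip": "192.0.2.12", "port": 8080, "status": 404, "content_length": 153,
     "body": "<html><head><title>404 Not Found</title></head></html>",
     "ssh_banner": "SSH-2.0-OpenSSH_8.0", "ssh_fp": FP_SHARED},
    # Unrelated host: unique fingerprint, normal web service.
    {"ip": "192.0.2.20", "port": 443, "status": 200, "content_length": 5120,
     "body": "<html><head><title>Welcome</title></head></html>",
     "ssh_banner": "SSH-2.0-OpenSSH_9.6", "ssh_fp": "SHA256:CONSTRUCTEDuniquefingerprint01"},
]

DECOY_TITLE = "Document"
DECOY_LENGTH = 338
TITLE_RE = re.compile(r"<title>\s*(.*?)\s*</title>", re.I | re.S)


def is_decoy_404(record):
    """True when a record matches the port-8080 404 "Document" decoy exactly."""
    if record.get("port") != 8080 or record.get("status") != 404:
        return False
    if record.get("content_length") != DECOY_LENGTH:
        return False
    match = TITLE_RE.search(record.get("body", ""))
    return match is not None and match.group(1) == DECOY_TITLE


def ssh_fingerprint_clusters(records, min_hosts=2):
    """Group IPs by SSH fingerprint and keep fingerprints seen on min_hosts or more."""
    hosts_by_fp = defaultdict(set)
    for rec in records:
        if rec.get("ssh_fp"):
            hosts_by_fp[rec["ssh_fp"]].add(rec["ip"])
    return {fp: sorted(ips) for fp, ips in hosts_by_fp.items() if len(ips) >= min_hosts}


def hunt(records):
    """Run both checks and return the hosts each one flags."""
    return {"decoy_hosts": sorted(r["ip"] for r in records if is_decoy_404(r)),
            "shared_fingerprints": ssh_fingerprint_clusters(records)}
```

Running `hunt(SCAN_RECORDS)` flags the two decoy hosts and the fingerprint shared by three IPs, including the host whose ordinary 404 page the HTTP check alone would miss.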

Conclusion:

The observed infrastructure demonstrates a deliberate and methodical setup consistent with APT34 tradecraft, leveraging deceptive domain registrations, shared SSH fingerprints, and standardized HTTP decoy responses to stage operations covertly. Domains impersonated academic institutions and fictitious tech firms, aiming to establish trust for future phishing or impersonation attacks. Uniform server behavior, such as the 404 “Document” page on port 8080 and identical SSH banners, serves as a reliable detection signature. Analysts created targeted queries to track these patterns, enabling proactive identification of related assets. Although no active payloads were detected, the infrastructure’s design strongly indicates pre-operational staging, underscoring the need for early detection and continuous monitoring.

Impact

The identified infrastructure poses a significant risk of being leveraged in future phishing, credential harvesting, or espionage campaigns. By mimicking trusted entities and maintaining operational stealth, the attackers increase their chances of successful intrusion while evading early detection. The use of consistent server behaviors and fabricated company profiles enhances their ability to blend into legitimate network traffic. If left unmonitored, such setups could enable targeted attacks against government, academic, or corporate sectors.

IOC and Context Details

Topics                  Details
Tactic Name             Resource Development, Command and Control
Technique Name          Resource Development: Acquire Infrastructure
                        Command and Control: Application Layer Protocol
Sub Technique Name      Resource Development - Acquire Infrastructure: Domains, Server
                        Command and Control - Application Layer Protocol: Web Protocols
Attack Type             Malware
Targeted Applications   Windows
Region Impacted         Iraq, ME
Industry Impacted       Government, Education, Energy, Telecommunications
IOCs                    IP: 38[.]180[.]18[.]173, 38[.]180[.]18[.]253, 38[.]180[.]18[.]249, 38[.]180[.]18[.]189, 38[.]180[.]18[.]18
                        Domain: axoryvexity[.]eu, zyverantova[.]eu, cpanel[.]biam-iraq[.]org, webdisk[.]biam-iraq[.]org, webmail[.]biam-iraq[.]org, valtryventyx[.]eu, valtorynexon[.]eu, cpcalendars[.]biam-iraq[.]org, mail[.]biam-iraq[.]org, cpcontacts[.]biam-iraq[.]org, plenoryvantyx[.]eu
CVE                     NA

Recommended Actions

  • Monitor SSH Fingerprint Reuse: Continuously track unique SSH fingerprints across networks to uncover infrastructure linked through shared provisioning.
  • Identify Suspicious HTTP Responses: Use HuntSQL or equivalent tools to detect servers serving a static 404 “Document” page on port 8080 with a fixed Content-Length of 338 bytes.
  • Watch Domain Registration Patterns: Flag domains registered through P.D.R. Solutions (US) LLC and using regway[.]com nameservers for potential malicious intent.
  • Scrutinize .eu Domain Activity: Investigate randomly generated .eu domains, especially those posing as tech or research entities without verifiable legitimacy.
  • Leverage Passive DNS Monitoring: Analyze passive DNS data to identify subdomains like mail, webmail, or cpanel as indicators of phishing infrastructure in staging.

References

NA