Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation

    Date: 03/05/2026

    Severity: Critical

    Summary

    Rising tensions between the United States, Israel, and Iran increase the likelihood that cyber operations will accompany military activity. Iranian state-aligned threat actors have historically targeted energy, financial services, government, and defense organizations to degrade response capabilities before or during a conflict. Infrastructure-level intelligence (ASN patterns, TLS fingerprints, and hosting clusters) exposes the operational habits of these actors and allows Iranian-linked APT activity to be tracked across infrastructure changes, so organizations can anticipate and defend against cyber threats during geopolitical escalation. The indicators and queries below are derived from the Hunt.io research cited in the Reference section.

    Indicators of Compromise (IOC) List

    URLs/Domain

    anythingshere.shop

    cside.site

    footballfans.asia

    menclub.it

    musiclivetrack.website

    stone110.store

    web14.info

    justweb.click

    girlsbags.shop

    lecturegenieltd.pro

    ntcx.pro

    retseptik.info

    IP Address

    209.74.87.100

    157.20.182.49

    185.236.25.119

    38.180.239.161

    92.243.65.243

    185.76.79.125

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "girlsbags.shop" or siteurl like "girlsbags.shop" or url like "girlsbags.shop" or
    domainname like "stone110.store" or siteurl like "stone110.store" or url like "stone110.store" or
    domainname like "retseptik.info" or siteurl like "retseptik.info" or url like "retseptik.info" or
    domainname like "cside.site" or siteurl like "cside.site" or url like "cside.site" or
    domainname like "justweb.click" or siteurl like "justweb.click" or url like "justweb.click" or
    domainname like "ntcx.pro" or siteurl like "ntcx.pro" or url like "ntcx.pro" or
    domainname like "lecturegenieltd.pro" or siteurl like "lecturegenieltd.pro" or url like "lecturegenieltd.pro" or
    domainname like "web14.info" or siteurl like "web14.info" or url like "web14.info" or
    domainname like "anythingshere.shop" or siteurl like "anythingshere.shop" or url like "anythingshere.shop" or
    domainname like "footballfans.asia" or siteurl like "footballfans.asia" or url like "footballfans.asia" or
    domainname like "menclub.it" or siteurl like "menclub.it" or url like "menclub.it" or
    domainname like "musiclivetrack.website" or siteurl like "musiclivetrack.website" or url like "musiclivetrack.website"

    This query is written on the assumption that the platform's like operator performs substring matching, so subdomains and full URLs containing an indicator also match; if your deployment requires explicit wildcards, wrap each value accordingly. Substring matching will also fire on benign values that merely contain an indicator (for example a domain used as a query parameter of an unrelated URL), so triage hits against the full URL and the destination IP before acting on them.

    Detection Query 2:

    dstipaddress IN ("185.236.25.119","157.20.182.49","209.74.87.100","38.180.239.161","92.243.65.243","185.76.79.125") or srcipaddress IN ("185.236.25.119","157.20.182.49","209.74.87.100","38.180.239.161","92.243.65.243","185.76.79.125")
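    The two queries above are meant to be pasted into the Gurucul TDIR console. As an added example that is not part of the original advisory or of the Gurucul or Hunt.io tooling, the following Python script applies the same IOC set to exported log records outside the platform, for instance when sweeping historical proxy or firewall logs. It goes slightly beyond the queries: domains are compared on label boundaries (so cdn.cside.site matches but notcside.site does not), hostnames are extracted from full URLs before comparison, and IP fields are normalized before lookup. The JSON-per-line log format and the sample records are constructed for the demonstration; the field names mirror the queries above but are otherwise an assumption.

```python
"""Sweep exported log records for the Iranian APT infrastructure IOCs.

Illustrative code added to the advisory, not Gurucul's query engine or
Hunt.io's tooling. The JSON-per-line format and the SAMPLE_LOG records
are constructed for this example; field names follow the TDIR queries.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Domain and IP indicators from the IOC list above.
IOC_DOMAINS = {
    "anythingshere.shop", "cside.site", "footballfans.asia", "menclub.it",
    "musiclivetrack.website", "stone110.store", "web14.info", "justweb.click",
    "girlsbags.shop", "lecturegenieltd.pro", "ntcx.pro", "retseptik.info",
}

IOC_IPS = {
    "209.74.87.100", "157.20.182.49", "185.236.25.119",
    "38.180.239.161", "92.243.65.243", "185.76.79.125",
}


def domain_matches(hostname):
    """Return the matching IOC domain for an exact or subdomain match.

    Matching on label boundaries catches 'cdn.cside.site' while rejecting
    lookalikes such as 'notcside.site' that a plain substring test would flag.
    """
    host = hostname.lower().rstrip(".")  # normalize case and trailing dot
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def host_from_url(url):
    """Extract the hostname from a full URL or a bare host[:port] value."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a netloc
    return urlsplit(url).hostname or ""


def ip_matches(value):
    """Return the IOC IP if the (normalized) value is in the IP list."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return str(ip) if str(ip) in IOC_IPS else None


def check_event(event):
    """Return a list of (field, ioc) hits for one parsed log event."""
    hits = []
    for field in ("domainname", "siteurl", "url"):
        value = event.get(field)
        if not value:
            continue
        host = value if field == "domainname" else host_from_url(value)
        ioc = domain_matches(host)
        if ioc:
            hits.append((field, ioc))
    for field in ("srcipaddress", "dstipaddress"):
        value = event.get(field)
        if value:
            ioc = ip_matches(value)
            if ioc:
                hits.append((field, ioc))
    return hits


def scan_log(lines):
    """Scan JSON-per-line records; return (line_number, hits) for matches."""
    results = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the sweep
        hits = check_event(event)
        if hits:
            results.append((line_no, hits))
    return results


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    '{"srcipaddress":"10.0.0.5","dstipaddress":"185.236.25.119","url":"http://cdn.cside.site/upd.php"}',
    '{"srcipaddress":"10.0.0.6","dstipaddress":"8.8.8.8","url":"https://notcside.site/"}',
    '{"srcipaddress":"10.0.0.7","dstipaddress":"1.1.1.1","domainname":"WEB14.INFO."}',
    '{"srcipaddress":"10.0.0.8","dstipaddress":"203.0.113.9","siteurl":"https://example.com/?ref=girlsbags.shop"}',
]

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {hits}")
```

    Records 1 and 3 are reported; record 2 (a lookalike domain) and record 4 (an indicator appearing only inside a query string of an unrelated site) are not, which is exactly where a substring-based query would have produced noise worth triaging.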

    Reference: 

    https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters


    Tags

    Threat Actor, APT, Iran, United States, Israel, Energy, Financial Services, Government Services and Facilities, Defense Industrial Base
