Iranian Groups - Lemon Sandstorm (more like lemonparty sandstorm am i rite?) & MuddyWater

1. Active C2 Servers

┌──────────────────┬───────────────────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────┬───────────────────────────┐
│ Target           │ Associated APT Group                      │ Key Indicators / TTPs                                                                        │ Status                    │
├──────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────┤
│ handala-hack.tw  │ Lemon Sandstorm (UNC757 / Pioneer Kitten) │ "Server: Lego Server" header observed on multiple high ports (8443, 8081, 9999, 444).        │ Active                    │
│ 167.160.187.43   │ Operation Epic Fury (Iranian Nexus)       │ Primary C2 for LotAccessUI.EXE (Windows) and backup for Android stage 2 malware.             │ Active                    │
│ 9732.5486311.xyz │ Operation Epic Fury                       │ Backup C2 for Windows payload; uses RDTSC anti-VM techniques to evade sandboxes.             │ Active                    │
│ 157.20.182.75    │ MuddyWater (Mango Sandstorm)              │ Redirects to google.com using a spoofed "Server: gws" header to mask C2 traffic.             │ Active                    │
│ nomercys.it.com  │ MuddyWater                                │ C2 for RustyWater (Archer RAT), a sophisticated Rust-based trojan targeting Israeli IT/MSPs. │ Active (Infra identified) │
└──────────────────┴───────────────────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────┴───────────────────────────┘

2. Seized / Inactive Infrastructure

The following domains have been seized by the FBI (U.S. District Court, District of Maryland) as part of an ongoing law enforcement operation against foreign state-sponsored cyber activity:

* justicehomeland.org
* handala-hack.to
* karmabelow80.org
* api.ra-backup.com (primary Android C2 for Operation Epic Fury)
* handala-hack.ps (previously active; now redirects to a LiteSpeed server)

3. Key Findings & Analysis

* Infrastructure hybridization: Handala Hack (associated with MOIS / Void Manticore) spreads its domains across TLDs such as .tw and .to, so that blocking by TLD or region removes only part of the infrastructure and the persona can keep operating on the remaining domains.
* Spoofing techniques: MuddyWater continues to answer probes with an HTTP 301 to a legitimate domain (google.com) and a spoofed "Server: gws" banner, so that a casual scan sees what looks like a Google front end. Note that gws is the banner Google's own front ends return; the indicator is that banner on an IP that is not Google's, not the banner by itself.
* Language shift: the adoption of Rust (RustyWater) by MuddyWater indicates a move toward cross-platform compiled languages whose large, heavily inlined binaries have fewer mature signatures and take longer to reverse-engineer than the group's earlier tooling.
* Evasion rigor: Operation Epic Fury's sandbox check measures elapsed CPU cycles with RDTSC around an instruction that hypervisors trap (typically CPUID); an abnormally large delta means a VM, and the payload stays dormant. This allowed it to maintain extremely low detection rates on public scanning platforms for months.

4. Recommendations

* Network level: block outbound traffic to 167.160.187.43 and 157.20.182.75. Treat a "Server: Lego Server" banner as a hunting lead rather than an automatic block rule: confirm a host against the other indicators in section 1 before adding it to a blocklist, since a banner is trivial for the operator to change and can be copied by unrelated hosts.
* Host level: scan for the presence of LotAccessUI.EXE. Rust-based binaries are common in legitimate software, so use "unauthorized Rust binary in a critical system directory" as a triage filter (unsigned, recently written, not tied to an installed package) rather than as a standalone indicator.
* Monitoring: watch for anomalous DNS tunneling (high volumes of TXT queries with long, high-entropy, non-repeating labels), a technique often employed by APT34 (OilRig) proxies in the region.
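The two HTTP banner patterns in sections 1 and 3 (the "Server: Lego Server" header and the 301-to-google.com reply with a spoofed "Server: gws" banner) can be checked mechanically. The script below is an added example and not code from the report or from any group named in it; the response parser, the probe helper, the tag names and the sample responses are this example's own construction, and the sample responses are made up rather than captured from the listed hosts. Whether a probed IP really belongs to Google is a WHOIS / reverse-DNS question the script takes as an input flag rather than deciding itself.

```python
"""Fingerprint raw HTTP responses for the banner patterns in the report.

Added example. Only the two indicators come from the report:
  - a "Server: Lego Server" banner
  - a 301 redirect to google.com with a spoofed "Server: gws" banner
The parser, probe helper and sample responses are this example's assumptions.
"""
import socket
import ssl
from dataclasses import dataclass, field
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Finding:
    status: int
    server: str
    location: str
    tags: list[str] = field(default_factory=list)


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased header dict) from a raw HTTP/1.x reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def _is_google_host(hostname: str) -> bool:
    return hostname == "google.com" or hostname.endswith(".google.com")


def classify(raw: bytes, host_is_google: bool = False) -> Finding:
    """Tag a response with the report's indicators.

    host_is_google: whether the probed IP is actually Google's (decided by the
    caller from WHOIS / reverse DNS). A "gws" banner on Google's own front ends
    is normal; the same banner on an unrelated IP that 301s to google.com is
    the MuddyWater pattern the report describes.
    """
    status, headers = parse_response(raw)
    finding = Finding(status, headers.get("server", ""), headers.get("location", ""))
    if finding.server.lower() == "lego server":
        finding.tags.append("lego-server-banner")
    target = urlparse(finding.location).hostname or ""
    if (status in REDIRECT_CODES and _is_google_host(target)
            and finding.server.lower() == "gws" and not host_is_google):
        finding.tags.append("spoofed-gws-redirect")
    return finding


def probe(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> bytes:
    """Fetch the raw response head from a live host (needs network access)."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        # C2 hosts rarely present valid certificates; the banner is what we want.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request)
        chunks: list[bytes] = []
        while b"\r\n\r\n" not in b"".join(chunks) and sum(map(len, chunks)) < 65536:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample responses (not real captures from the listed hosts).
SAMPLE_LEGO = (b"HTTP/1.1 200 OK\r\nServer: Lego Server\r\n"
               b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")
SAMPLE_GWS = (b"HTTP/1.1 301 Moved Permanently\r\nServer: gws\r\n"
              b"Location: https://www.google.com/\r\nContent-Length: 0\r\n\r\n")
SAMPLE_NGINX = b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n"


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each sample name to the indicator tags found in it."""
    return {name: classify(raw).tags for name, raw in samples.items()}


if __name__ == "__main__":
    results = triage({"lego": SAMPLE_LEGO, "gws": SAMPLE_GWS, "nginx": SAMPLE_NGINX})
    for name, tags in results.items():
        print(f"{name}: {tags or ['no indicator']}")
```

To run it against a live host, feed `probe(host, port, use_tls=True)` into `classify` and pass `host_is_google` from your own IP-ownership lookup; a match on either tag is a lead to confirm against the other indicators, not a verdict on its own.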
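The monitoring recommendation in section 4 (anomalous DNS TXT queries used for tunneling) is easier to act on with a concrete scoring rule. The script below is an added example, not part of the report: the log format (`<timestamp> <client> <qtype> <qname>`), the thresholds, the registrable-domain approximation (last two labels, no public-suffix list) and the sample log lines are all this example's own assumptions, and the log lines are constructed rather than real traffic. It groups TXT queries by client and domain and flags groups whose leftmost labels are long, high-entropy and never repeat, which is the shape of encoded data leaving one query at a time.

```python
"""Score DNS TXT-query patterns for tunneling (added example, not from the report).

Assumptions: resolver log lines are "<timestamp> <client> <qtype> <qname>";
the registrable domain is approximated as the last two labels; thresholds
are starting points to tune against your own baseline.
"""
import math
from collections import defaultdict

# Constructed resolver log (not real traffic). 10.0.0.7 issues many TXT
# queries whose leftmost label is long, high-entropy and never repeats.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 TXT _dmarc.example.com
2024-05-01T10:00:03Z 10.0.0.5 TXT selector1._domainkey.example.com
2024-05-01T10:00:04Z 10.0.0.7 TXT 4bqc6zqf4ugz5q7uoqrhxr2mcb6dzd4hn.t.example.net
2024-05-01T10:00:04Z 10.0.0.7 TXT mxt7ykv2ojg3wq4dpz5r6ue7lhbn2cax3.t.example.net
2024-05-01T10:00:05Z 10.0.0.7 TXT q2j8rk5wn7vzp3bxc9m4uyt6hse2dgf7l.t.example.net
2024-05-01T10:00:05Z 10.0.0.7 TXT zy6vp2qn8kw4rx7mt3jb5hc9ud2fs4ga7.t.example.net
2024-05-01T10:00:06Z 10.0.0.7 TXT e7kx3pw9vr2nq6mz4tb8hj5cd3ys7lu2f.t.example.net
2024-05-01T10:00:06Z 10.0.0.7 TXT w9mr4tz6qx2vk7pn3jb5hc8ud4fs2ga6e.t.example.net
2024-05-01T10:00:07Z 10.0.0.7 TXT h3cd9us7lw2fk4ga6mx8tz5qv2pn7jb3r.t.example.net
2024-05-01T10:00:07Z 10.0.0.7 TXT b5jq7nx2pz4vr8tm3kw6hd9cs2fu4gy7e.t.example.net
2024-05-01T10:00:08Z 10.0.0.7 A www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Approximation: last two labels. Use a public-suffix lookup in production."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def summarize_txt(log_text: str) -> dict[tuple[str, str], dict[str, float]]:
    """Per (client, domain): TXT count, unique-label ratio, mean label length/entropy."""
    buckets: dict[tuple[str, str], list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue
        client, qname = parts[1], parts[3]
        # The leftmost label is where tunnelling tools put the encoded payload.
        buckets[(client, registrable_domain(qname))].append(qname.split(".")[0])
    summary = {}
    for key, labels in buckets.items():
        summary[key] = {
            "txt_queries": len(labels),
            "unique_ratio": len(set(labels)) / len(labels),
            "mean_label_len": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
        }
    return summary


def detect(log_text: str, min_txt: int = 5, min_label_len: float = 20.0,
           min_entropy: float = 3.5, min_unique_ratio: float = 0.9) -> list[tuple[str, str]]:
    """Return (client, domain) pairs whose TXT traffic clears every threshold."""
    hits = []
    for key, s in summarize_txt(log_text).items():
        if (s["txt_queries"] >= min_txt and s["mean_label_len"] >= min_label_len
                and s["mean_entropy"] >= min_entropy and s["unique_ratio"] >= min_unique_ratio):
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    for (client, domain), stats in summarize_txt(SAMPLE_LOG).items():
        print(client, domain, stats)
    print("flagged:", detect(SAMPLE_LOG))
```

Requiring all four conditions keeps ordinary TXT lookups (SPF, DMARC, DKIM selectors) out of the alert: they are few per domain and their labels are short and low-entropy, so lowering `min_txt` alone does not flag them. Tune the thresholds against a week of your own resolver logs before alerting on them.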
