Exposing FBI's Most Wanted Cybercriminals - Iran's Mabna Hackers - An OSINT Analysis

Dear blog readers,

I've decided to share some of the actionable intelligence that I have at my disposal regarding the FBI's Most Wanted Iran-based Mabna Hackers which I originally outlined in my second release of the "A Qualitative and Technical Collection OSINT-Enriched Analysis of the Iranian Hacking Scene Through the Prism of the Infamous Ashiyane Digital Security Team" where you can also obtain a copy of the first release entitled "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran" in terms of catching up in terms of what Iran-based hackers and hacking groups are up to up to present day with the research report basically representing one of the most comprehensive and in-depth publicly accessible report on Iran's hacking scene.

Sample screenshots of Mabna Institute including the associated Web sites where the information is offered:

Sample phishing URLs known to have been involved in the campaign:

ezvpn.mskcc.saea.ga    

library.asu.saea.ga    

library.lehigh.saea.ga    

moodle.ucl.ac.saea.ga    

saea.ga    

unex.learn.saea.ga    

unomaha.on.saea.ga    

www.uvic.saea.ga

catalog.lib.usm.edu.seae.tk

elearning.uky.edu.seae.tk

www.aladin.wrlc.org.seae.tk

alexandria.rice.ulibr.ga

cmich.ulibr.ga

columbia.ulibr.ga

edu.edu.libt.cf

ezproxy-authcate.lib.monash.ulibr.ga

login.revproxy.brown.edu.edu.libt.cf

ezproxy-authcate.monash.lib.ulibr.ga

ezproxy-f.deakin.au.ulibr.ga

lib.dundee.ac.uk.ulibr.ga

cas.usherbrooke.ca.cavc.tk

catalog.lib.ksu.edu.cavc.tk

isa.epfl.ch.cavc.tk

login.vcu.edu.cavc.tk

www.med.unc.edu.cavc.tk

cas.iu.edu.cavc.tk

ltuvpn.latrobe.edu.au.reactivation.in

passport.pitt.edu.reactivation.in

edu.login.revproxy.brown.edu.libt.cf

shibboleth.nyu.edu.reactivation.in

login.revproxy.brown.edu.login.revproxy.brown.edu.libt.cf

weblogin.pennkey.upenn.edu.reactivation.in

webmail.reactivation.in

www.ezlibproxy1.ntu.edu.sg.reactivation.in

www.ezpa.library.ualberta.ca.reactivation.in

www.lib.just.edu.jo.reactivation.in

www.passport.pitt.edu.reactivation.in

shib.ncsu.ulibr.cf/

www.shibboleth.nyu.edu.reactivation.in

www.weblogin.pennkey.upenn.edu.reactivation.in

ezlibproxy1.ntu.edu.sg.reactivation.in

login.revproxy.brown.edu.libt.cf

weblogin.umich.edu.lib2.ml

catalog.sju.edu.mncr.tk

ezpa.library.ualberta.ca.reactivation.in

lib.just.edu.jo.reactivation.in

login.ezproxy.lib.purdue.edu.reactivation.in

login.libproxy.temple.shibboleth2.uchicago.ulibr.cf

shib.ncsu.shibboleth2.uchicago.ulibr.cf

shibboleth2.uchicago.shibboleth2.uchicago.ulibr.cf

singlesignon.gwu.shibboleth2.uchicago.ulibr.cf

webauth.ox.ac.uk.shibboleth2.uchicago.ulibr.cf

edu.libt.cf

login.libproxy.temple.ulibr.cf

shib.ncsu.ulibr.cf

singlesignon.gwu.ulibr.cf

webauth.ox.ac.uk.ulibr.cf

library.cornell.ulibr.ga

login.ezproxy.gsu.ulibr.ga

shibboleth2.uchicago.ulibr.cf

login.library.nyu.ulibr.ga

mail.ulibr.ga

webcat.lib.unc.ulibr.ga

www.ulibr.ga

www.alexandria.rice.ulibr.ga

www.cmich.ulibr.ga

www.columbia.ulibr.ga

www.ezproxy-authcate.lib.monash.ulibr.ga

www.ezproxy-authcate.monash.lib.ulibr.ga

www.ezproxy-f.deakin.au.ulibr.ga

www.lib.dundee.ac.uk.ulibr.ga

www.library.cornell.ulibr.ga

www.login.ezproxy.gsu.ulibr.ga

www.login.library.nyu.ulibr.ga

auth.berkeley.edu.libna.ml

sso.lib.uts.edu.au.libna.ml

bb.uvm.edu.cvre.tk

cline.lib.nau.edu.cvre.tk

illiad.lib.binghamton.edu.cvre.tk

libcat.smu.edu.cvre.tk

login.brandeis.edu.cvre.tk

msim.cvre.tk

libcat.library.qut.nsae.ml

www.webcat.lib.unc.ulibr.ga

Sample domains known to have been involved in the campaign:

mlibo.ml

blibo.ga

azll.cf

azlll.cf

lzll.cf

jlll.cf

elll.cf

lllib.cf

tsll.cf

ulll.tk

tlll.cf

libt.ga

libk.ga

libf.ga

libe.ga

liba.gq

libver.ml

ntll.tk

ills.cf

vtll.cf

clll.tk

stll.tk

llii.xyz

lill.pro

eduv.icu

univ.red

unir.cf

unir.gq

unisv.xyz

unir.ml

unin.icu

unie.ml

unip.gq

unie.ga

unip.cf

nimc.ga

nimc.ml

savantaz.cf

unie.gq

unip.ga

unip.ml

unir.ga

untc.me

jhbn.me

unts.me

uncr.me

lib-service.com

unvc.me

untf.me

nimc.cf

anvc.me

ebookfafa.com

nicn.gq

untc.ir

librarylog.in

llli.nl

lllf.nl

libg.tk

ttil.nl

llil.nl

lliv.nl

llit.site

flil.cf

e-library.me

cill.ml

fill.cf

libm.ga

eill.cf

llib.cf

eill.ga

nuec.cf

illl.cf

cnen.cf

aill.nl

eill.nl

mlib.cf

ulll.cf

nlll.cf

clll.nl

llii.cf

etll.cf

1edu.in

aill.cf

atna.cf

atti.cf

aztt.tk

cave.gq

ccli.cf

cnma.cf

cntt.cf

crll.tk

csll.cf

ctll.tk

cvnc.ga

cvve.cf

czll.tk

cztt.tk

euca.cf

euce.in

ezll.tk

ezplog.in

ezproxy.tk

eztt.tk

flll.cf

iell.tk

iull.tk

izll.tk

lett.cf

lib1.bid

lib1.pw

libb.ga

libe.ml

libg.cf

libg.ga

libg.gq

libloan.xyz

libnicinfo.xyz

libraryme.ir

libt.ml

libu.gq

lill.gq

llbt.tk

llib.ga

llic.cf

llic.tk

llil.cf

llit.cf

lliv.tk

llse.cf

ncll.tk

ncnc.cf

nctt.tk

necr.ga

nika.ga

nsae.ml

nuec.ml

rill.cf

rnva.cf

rtll.tk

sctt.cf

shibboleth.link

sitl.tk

slli.cf

till.cf

titt.cf

uill.cf

uitt.tk

ulibe.ml

ulibr.ga

umlib.ml

umll.tk

uni-lb.com

unll.tk

utll.tk

vsre.cf

web2lib.info

xill.tk

zedviros.ir

zill.cf 

Sample IPs known to have been involved in the campaign:

103.241.3.91

104.152.168.23

107.180.57.7

107.180.58.47

138.201.17.56

144.217.120.73

144.76.189.80

162.218.237.3

167.114.103.215

173.254.239.2

176.31.33.115

178.33.115.10

184.95.37.90

185.105.185.22

185.28.21.83

185.55.227.104

185.86.180.250

188.40.34.186

193.70.117.250

195.154.102.75

198.252.106.149

198.91.81.5

199.204.187.164

31.220.20.111

66.70.197.208

78.46.77.105

79.175.181.11

82.102.15.215

87.98.249.207

88.99.139.8

88.99.160.209

88.99.40.240

88.99.69.4

93.174.95.64

94.76.204.201

136.243.145.233

136.243.198.45

141.8.224.221

148.251.116.93

148.251.12.172

162.218.237.31

167.114.13.164

172.246.144.34

173.254.239.217

6.31.33.115

176.31.33.116

176.9.188.235

85.28.21.83

185.28.21.95

192.169.82.134

198.27.68.142

198.91.81.51

45.35.33.126

46.4.91.26

5.135.123.163

5.196.194.234

51.254.198.131

51.254.21.142

79.175.181.118

88.99.128.229

88.99.139.88

88.99.69.49

3.174.95.64

Stay tuned!