Iran’s Cyber Paradox: Degraded APTs, Rising Proxies, and Bootkit Wipers
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Iran-linked cyber activity is increasingly moving away from established APT teams and toward proxy operators that use bootkit-style wipers, exploit a widening range of CVEs, and even pair cyber operations with physical disruption of cloud infrastructure. Newly tracked clusters such as Rusty Boots and MoKhargosh have demonstrated bootkit-level persistence, while HYDRO KITTEN has focused on Rockwell PLCs and internet-facing network devices through credential-based intrusion methods. Physical strikes against Gulf-region cloud data centers further expand the risk into a hybrid cyber-physical domain. The report underscores the importance of firmware integrity validation and behavior-based detection in OT environments.
Investigation
The report highlights three major developments. First, Rusty Boots and MoKhargosh have shown the ability to deploy wipers with bootkit-style persistence. Second, HYDRO KITTEN has exploited multiple CVEs affecting Rockwell systems, FortiGate, SonicWall, Ivanti, PAN-OS, and OpenSSH. Third, UNC6446 has used custom C# and Golang malware, including DUSTYPROXY and ERIESNAKE.GO, communicating over unencrypted HTTP tunneled through port 443. The report also references physical attacks targeting cloud infrastructure in Bahrain and Dubai.
Mitigation
Organizations should patch all referenced CVEs across firewalls, OT assets, and SSH services, while enforcing secure boot and regular firmware integrity checks. Defensive teams should monitor for raw disk write activity and modifications to the MBR or VBR, block unencrypted HTTP traffic over port 443, review registry Run keys for unfamiliar executables, and implement OT behavioral monitoring to detect PLC setpoint changes outside approved maintenance periods.
Response
Defenders should immediately block all disclosed IP addresses, domains, and file hashes across DNS, proxy, and endpoint controls. Detection content should be deployed for unencrypted HTTP over TCP/443, secure-boot integrity failures, new registry Run key entries, and suspicious PLC authentication behavior. Threat hunting should focus on the listed malware signatures as well as signs of pre-positioned access, including long inactivity periods followed by abrupt OT-related operations.
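The four monitoring points listed under Mitigation and Response (review of Run keys, cleartext HTTP on TCP/443, raw writes to the MBR/VBR region, and PLC setpoint changes outside approved maintenance periods), shown as one added Python example; this is not code from the report or from any product on this page. The event records, the Run-key allow-list, the 13:00-15:00 maintenance window and the 4096-byte boot-region threshold are constructed assumptions; in a real deployment the same fields would come from Sysmon registry events, proxy or NetFlow records, EDR disk-write telemetry and the OT historian.

```python
"""Behaviour-based checks from the mitigation/response guidance, run over constructed telemetry."""
import re
from datetime import datetime, time

# Constructed sample events (not from the report). One dict per event; "kind" selects the source:
# registry = Run-key value creation, flow = proxy/firewall flow record, disk = raw device write,
# plc = setpoint change reported by OT monitoring.
SAMPLE_EVENTS = [
    {"kind": "registry", "host": "ws01", "ts": "2025-06-01T02:14:00",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchelper",
     "value": r"C:\Users\Public\svchelper.exe"},
    {"kind": "flow", "host": "ws01", "ts": "2025-06-01T02:15:00",
     "dst_port": 443, "app_proto": "http", "tls": False},
    {"kind": "disk", "host": "ws01", "ts": "2025-06-01T02:16:00",
     "device": r"\\.\PhysicalDrive0", "offset": 0, "length": 512},
    {"kind": "plc", "host": "plc-07", "ts": "2025-06-01T02:20:00",
     "tag": "PumpSpeed_SP", "old": 1200, "new": 300},
    {"kind": "registry", "host": "ws02", "ts": "2025-06-01T09:00:00",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"kind": "flow", "host": "ws02", "ts": "2025-06-01T09:01:00",
     "dst_port": 443, "app_proto": "tls", "tls": True},
    {"kind": "plc", "host": "plc-07", "ts": "2025-06-01T14:00:00",
     "tag": "PumpSpeed_SP", "old": 1200, "new": 1250},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumption: executables the organisation already expects to see in Run keys.
RUN_ALLOWLIST = {r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"}
# Assumption: approved maintenance window for PLC setpoint changes (local time).
MAINT_START, MAINT_END = time(13, 0), time(15, 0)
# Assumption: writes below this byte offset on a physical drive touch the MBR or a VBR.
BOOT_REGION_BYTES = 4096


def _when(ev):
    return datetime.fromisoformat(ev["ts"])


def check_run_key(ev):
    """Run-key entry pointing at a binary that is not on the allow-list."""
    if ev["kind"] != "registry" or not RUN_KEY_RE.search(ev["key"]):
        return None
    if ev["value"] in RUN_ALLOWLIST:
        return None
    return f"run_key_unfamiliar:{ev['host']}:{ev['value']}"


def check_cleartext_443(ev):
    """Plain HTTP on TCP/443, the traffic pattern the report attributes to DUSTYPROXY/ERIESNAKE.GO."""
    if ev["kind"] != "flow" or ev["dst_port"] != 443:
        return None
    if ev["tls"] or ev["app_proto"] == "tls":
        return None
    return f"cleartext_http_443:{ev['host']}"


def check_raw_disk_write(ev):
    """Raw write to a physical drive; boot-region writes are flagged separately."""
    if ev["kind"] != "disk" or not ev["device"].startswith(r"\\.\PhysicalDrive"):
        return None
    if ev["offset"] < BOOT_REGION_BYTES:
        return f"boot_sector_write:{ev['host']}:{ev['device']}"
    return f"raw_disk_write:{ev['host']}:{ev['device']}"


def check_plc_setpoint(ev):
    """Setpoint change outside the approved maintenance window."""
    if ev["kind"] != "plc":
        return None
    if MAINT_START <= _when(ev).time() <= MAINT_END:
        return None
    return f"plc_setpoint_outside_window:{ev['host']}:{ev['tag']}:{ev['old']}->{ev['new']}"


CHECKS = (check_run_key, check_cleartext_443, check_raw_disk_write, check_plc_setpoint)


def run_checks(events):
    """Apply every check to every event in time order and return the alert strings."""
    alerts = []
    for ev in sorted(events, key=_when):
        for check in CHECKS:
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_checks(SAMPLE_EVENTS):
        print(line)
```

Each check is a pure function of one event, so the same code can sit behind a SIEM rule, a Sysmon/EDR post-processor or an OT historian hook; the constructed input yields four alerts, all from the 02:14-02:20 cluster on ws01 and plc-07, while the allow-listed Run key, the TLS flow and the in-window setpoint change stay silent.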
Attack Flow

```mermaid
graph TB
    %% Class definitions
    classDef technique fill:#e6f7ff
    classDef tool fill:#ffeb99
    classDef malware fill:#ffcccc

    %% Technique nodes
    technique_valid_accounts["<b>Technique</b> – T1078 Valid Accounts<br/><b>Description</b>: Use of stolen or otherwise obtained credentials to gain initial access to victim networks."]
    class technique_valid_accounts technique
    technique_exploit_remote["<b>Technique</b> – T1210 Exploitation of Remote Services<br/><b>Description</b>: Exploit vulnerable services (e.g., CVE-2021-22681, CVE-2024-0012, CVE-2024-55591) to move laterally and gain control over devices."]
    class technique_exploit_remote technique
    technique_persistence_registry["<b>Technique</b> – T1547.001 Registry Run Keys / Startup Folder<br/><b>Description</b>: Install persistence by creating entries in HKCU/HKLM Run keys or placing files in the startup folder."]
    class technique_persistence_registry technique
    technique_c2_external_proxy["<b>Technique</b> – T1090.002 External Proxy<br/><b>Description</b>: Route command-and-control traffic through external proxy servers to hide attacker infrastructure."]
    class technique_c2_external_proxy technique
    technique_c2_web["<b>Technique</b> – T1071.001 Web Protocols: HTTP/S<br/><b>Description</b>: Use standard web protocols (unencrypted HTTP over TCP/443) for C2 communication."]
    class technique_c2_web technique
    technique_execution_ps["<b>Technique</b> – T1059.001 PowerShell<br/><b>Description</b>: Execute PowerShell commands to download files, manipulate the system, and run other payloads."]
    class technique_execution_ps technique
    technique_remote_access["<b>Technique</b> – T1219 Remote Access Tools<br/><b>Description</b>: Deploy custom backdoors that provide interactive remote sessions."]
    class technique_remote_access technique
    technique_credential_exploit["<b>Technique</b> – T1212 Exploitation for Credential Access<br/><b>Description</b>: Leverage harvested credentials to authenticate directly to industrial devices without installing additional malware."]
    class technique_credential_exploit technique
    technique_impact_preos["<b>Technique</b> – T1542 Pre-OS Boot<br/><b>Description</b>: Modify boot components to achieve persistence or impact before the operating system loads."]
    class technique_impact_preos technique
    technique_impact_data_destruction["<b>Technique</b> – T1485 Data Destruction<br/><b>Description</b>: Corrupt or delete critical data to impair availability."]
    class technique_impact_data_destruction technique
    technique_impact_disk_wipe["<b>Technique</b> – T1561.001 Disk Wipe<br/><b>Description</b>: Overwrite disk sectors to ensure data loss and render the system unusable."]
    class technique_impact_disk_wipe technique

    %% Tool and malware nodes
    tool_dustyproxy["<b>Tool</b> – DUSTYPROXY<br/><b>Description</b>: C# proxy client installed via registry Run key entries; routes traffic through external proxies."]
    class tool_dustyproxy tool
    malware_eriesnake_go["<b>Malware</b> – ERIESNAKE.GO<br/><b>Description</b>: Golang backdoor that provides interactive sessions, launches PowerShell commands, and communicates over HTTP on TCP/443."]
    class malware_eriesnake_go malware
    malware_rusty_boots["<b>Malware</b> – Rusty Boots<br/><b>Description</b>: Boot-kit wiper that survives OS reinstall and corrupts boot components, causing system failure."]
    class malware_rusty_boots malware
    malware_mokhargosh["<b>Malware</b> – MoKhargosh<br/><b>Description</b>: Similar boot-kit wiper used to render industrial systems unusable after deployment."]
    class malware_mokhargosh malware

    %% Flow connections
    technique_valid_accounts -->|leads_to| technique_exploit_remote
    technique_exploit_remote -->|enables| technique_persistence_registry
    technique_persistence_registry -->|uses| tool_dustyproxy
    tool_dustyproxy -->|installs| technique_persistence_registry
    tool_dustyproxy -->|routes traffic to| technique_c2_external_proxy
    technique_c2_external_proxy -->|communicates via| technique_c2_web
    technique_c2_web -->|facilitates| technique_execution_ps
    technique_execution_ps -->|launches| malware_eriesnake_go
    malware_eriesnake_go -->|provides| technique_remote_access
    technique_remote_access -->|leverages| technique_credential_exploit
    technique_credential_exploit -->|leads to| technique_impact_preos
    technique_impact_preos -->|enables| technique_impact_data_destruction
    technique_impact_data_destruction -->|causes| technique_impact_disk_wipe
    technique_impact_preos -->|implemented by| malware_rusty_boots
    technique_impact_preos -->|implemented by| malware_mokhargosh

    %% Styling
    class technique_valid_accounts,technique_exploit_remote,technique_persistence_registry,technique_c2_external_proxy,technique_c2_web,technique_execution_ps,technique_remote_access,technique_credential_exploit,technique_impact_preos,technique_impact_data_destruction,technique_impact_disk_wipe technique
    class tool_dustyproxy tool
    class malware_eriesnake_go,malware_rusty_boots,malware_mokhargosh malware
```
Detections
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Possible System Enumeration (via cmdline)
- Suspicious Process Mimicking System Process Was Executed (via cmdline)
- Possible System Information Discovery Using Wmi Powershell Module (via powershell)
- IOCs (HashMd5) to detect: IRAN’S CYBER PARADOX: DEGRADED APTS, EMPOWERED PROXIES, AND THE RISE OF BOOTKIT WIPERS
- IOCs (SourceIP) to detect: IRAN’S CYBER PARADOX: DEGRADED APTS, EMPOWERED PROXIES, AND THE RISE OF BOOTKIT WIPERS
- IOCs (DestinationIP) to detect: IRAN’S CYBER PARADOX: DEGRADED APTS, EMPOWERED PROXIES, AND THE RISE OF BOOTKIT WIPERS
- HYDRO KITTEN Exploitation of Rockwell RSLogix 5000 [Firewall]
- Detect Anomalous HTTP Traffic and Proxy Relay Behavior Indicating ERIESNAKE.GO and DUSTYPROXY Activity [Proxy]
- Detection of ERIESNAKE.GO PowerShell Execution by Specific Processes [Windows Powershell]
- DUSTYPROXY Persistence via Registry Run Key [Windows Registry Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
- Credential Harvesting (T1078) – The attacker, having compromised a low-privilege service account, obtains the "Rockwell" service credentials from an insecure credential store.
- Remote Interactive Logon (T1078, LogonType 10) – Using those credentials, the attacker connects to the target PLC management workstation via RDP, generating a successful logon event (EventID 4624, LogonType 10) that matches the rule's selection1.
- Exploit Attempt (T1190 / T1542.003) – While logged in, the attacker runs a crafted HTTP request against the RSLogix 5000 web service, triggering the authentication bypass (CVE-2021-22681). The service logs a failed authentication event (EventID 4625) with a failure reason string containing "CVE-2021-22681", satisfying selection2.
- Post-Exploitation (T1059.001, T1071.001, T1090.002) – A PowerShell reverse shell is established through an external proxy to download the malicious payload, but these steps are not required for the rule to fire.
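The two rule selections the narrative refers to (selection1: EventID 4624 with LogonType 10; selection2: EventID 4625 whose failure reason contains "CVE-2021-22681"), correlated per host and account within a time window, as an added Python example. It is not the detection rule's own logic and not code from the report; the events and the 15-minute window are constructed assumptions, and the field names (Computer, TargetUserName, LogonType, FailureReason) follow the Windows Security log.

```python
"""Correlate a LogonType 10 success with a later CVE-marked 4625 failure for the same host and account."""
from datetime import datetime, timedelta

# Constructed Windows Security events (not from the report).
# EventID 4624 = successful logon, EventID 4625 = failed logon.
SAMPLE_SECURITY_EVENTS = [
    {"ts": "2025-06-01T10:00:00", "EventID": 4624, "Computer": "rslogix-ws",
     "TargetUserName": "Rockwell", "LogonType": 10},
    {"ts": "2025-06-01T10:03:00", "EventID": 4625, "Computer": "rslogix-ws",
     "TargetUserName": "Rockwell",
     "FailureReason": "Authentication bypass attempt detected: CVE-2021-22681"},
    # Same shape of session on another host, but an ordinary bad-password failure: no hit.
    {"ts": "2025-06-01T11:00:00", "EventID": 4624, "Computer": "hmi-02",
     "TargetUserName": "operator", "LogonType": 10},
    {"ts": "2025-06-01T11:05:00", "EventID": 4625, "Computer": "hmi-02",
     "TargetUserName": "operator", "FailureReason": "Unknown user name or bad password."},
    # Network logon (LogonType 3) does not satisfy selection1, and the earlier RDP
    # logon is two hours old by the time this 4625 arrives: no hit.
    {"ts": "2025-06-01T12:00:00", "EventID": 4624, "Computer": "rslogix-ws",
     "TargetUserName": "Rockwell", "LogonType": 3},
    {"ts": "2025-06-01T12:01:00", "EventID": 4625, "Computer": "rslogix-ws",
     "TargetUserName": "Rockwell", "FailureReason": "CVE-2021-22681"},
]

CVE_MARKER = "CVE-2021-22681"


def is_selection1(ev):
    """Remote interactive (RDP) logon success."""
    return ev["EventID"] == 4624 and ev.get("LogonType") == 10


def is_selection2(ev):
    """Authentication failure whose reason string carries the CVE marker."""
    return ev["EventID"] == 4625 and CVE_MARKER in ev.get("FailureReason", "")


def correlate(events, window=timedelta(minutes=15)):
    """Return (Computer, TargetUserName, logon_ts, failure_ts) for every selection2 event
    that follows a selection1 event for the same host and account within `window`."""
    latest_rdp_logon = {}  # (Computer, TargetUserName) -> time of the most recent LogonType 10 success
    hits = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["Computer"], ev["TargetUserName"])
        if is_selection1(ev):
            latest_rdp_logon[key] = ts
        elif is_selection2(ev):
            t_logon = latest_rdp_logon.get(key)
            if t_logon is not None and timedelta(0) <= ts - t_logon <= window:
                hits.append((ev["Computer"], ev["TargetUserName"],
                             t_logon.isoformat(), ts.isoformat()))
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_SECURITY_EVENTS):
        print("HYDRO KITTEN pattern:", hit)
```

Keying the state on (host, account) rather than on host alone is what keeps the hmi-02 operator's routine failure and the stale rslogix-ws session from firing; if the rule's two selections are evaluated independently instead of sequenced, both of those become false positives.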
Regression Test Script: The script below automates steps 2 and 3 to produce the exact telemetry.

```powershell
# ==============================
# Hydro Kitten Exploitation Test
# ==============================

# 1️⃣ Variables – replace with your environment values
$targetHost   = "10.0.0.50"                     # IP of the RSLogix server
$rockwellUser = "Rockwell"
$rockwellPwd  = "P@ssw0rd!"                     # Known (or captured) password
$proxyUrl     = "http://proxy.example.com:8080"

# 2️⃣ Establish a remote interactive session (RDP) using the Rockwell credentials
$secPwd = ConvertTo-SecureString $rockwellPwd -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($rockwellUser, $secPwd)
Write-Host "[*] Starting RDP session to $targetHost with $rockwellUser..."
# Start-Process creates a new logon session – this generates EventID 4624 with LogonType 10
Start-Process -FilePath "mstsc.exe" -ArgumentList "/v:$targetHost" -Credential $cred
Start-Sleep -Seconds 10   # Allow time for the logon to be recorded

# 3️⃣ Trigger the CVE-2021-22681 authentication bypass attempt
$exploitUrl = "http://$targetHost/rslogix/rslogix.cgi?CVE-2021-22681=1"
Write-Host "[*] Sending malformed request to trigger CVE detection..."
Invoke-WebRequest -Uri $exploitUrl -Proxy $proxyUrl -Method GET -UseBasicParsing -ErrorAction SilentlyContinue
Write-Host "[+] Exploit request sent. Check SIEM for EventID 4625 containing 'CVE-2021-22681'."
```
Cleanup Commands: Remove the RDP session and any temporary artifacts.

```powershell
# Terminate the RDP client process
Get-Process -Name mstsc -ErrorAction SilentlyContinue | Stop-Process -Force
# (Optional) Clear PowerShell history to reduce forensic footprint
Clear-History
```