Home / Industry

Exposing a Currently Active Ashiyane Digital Security Domain Infrastructure

The infamous gray hat security company Ashiyane Digital Security Team has gone back online in 2021. At that time, WhoisXML API threat researcher Dancho Danchev exposed more than 100 domains belonging to the group. This analysis was recently expanded to further explore the Iran-based threat group’s Internet-connected infrastructure. Our findings include:

  • 440+ domains seemingly managed and operated by the Ashiyane Digital Security Team
  • 10,900+ related digital properties known to be involved in the group’s campaign
  • 4,000+ currently active and resolving domains tied to the group
  • Several domains hosting gambling, adult, news, and possible phishing content
  • About 1% properties that have been flagged as malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

The Ashiyane Domain Infrastructure

The investigation began with a Gmail email address associated with the Ashiyane Digital Security Team. With the help of Reverse WHOIS API, 441 domain names registered using the email address were found.

An extensive portfolio of 10,968 domains was also uncovered and considered related to the threat group. The properties are part of a domain privacy protection service believed to be managed by the Ashiyane Digital Security Team.

Our analysis focused on retrieving as much information about the group’s infrastructure as possible, including lexical usage, administrative details, presence in malware engine databases, and website content.

Administration Details

A bulk IP lookup for the domains we uncovered revealed that only about 35% currently resolve to different IP addresses. The top Internet service provider (ISP) is Limestone Networks, accounting for 21.3% of the domain resolutions. It is followed by Amazon, EGIHosting, Team Internet, Linode, Nforce Entertainment, Leaseweb, Peg Tech, Nocix, and Centrilogic. The rest of the domains are distributed across 164 other ISPs.

Figure 1: ISP distribution of actively resolving domains directly and indirectly managed by or connected to the Ashiyane Digital Security Team

In general, the domains are administered by domain privacy protection services. More than half of them use Media Elite Holdings Limited as registrar and employ the services of Fundacion Privacy Services Ltd. The other top registrars include eName, DropCatch, Sav.com, GoDaddy, OwnRegistrar, GMO Internet, NameSilo, Alibaba, and Namecheap.

Figure 2: Registrar distribution of actively resolving domains directly and indirectly managed by the Ashiyane Digital Security Team
Malware Detection

Despite being directly associated with the Ashiyane Digital Security Team, only about 1% of the properties have been flagged as malicious by various malware engines.

Lexical Analysis of the Domains

We analyzed the most common text strings and top-level domains (TLDs) used in the domains connected to the Ashiyane Digital Security Team, as this can help security teams focus on what to look out for.

Despite having thousands of TLD options, the domains in the study only use 13 TLDs. Close to 91% use the .com extension, while about 8% fall under the .net TLD. The remaining domains use .ir, .org, .info, .us, .xyz, biz, .me, .co, .asia, .wtf, or .pro.

While generic terms, such as “free,” “online,” and “shop,” are used, you can also see geographically targeted strings like “usa,” “uk,” and “ny.” These are reflected in the word cloud below.

Figure 3: Word cloud showing the most common text strings used in the Ashiyane-connected domains

The repeated appearance of “xn” suggests that several properties in the group’s network are internationalized domain names (IDNs). Many of them also use TLDs within the second-level domains (SLDs), such as wwwnew47com[.]com, linkedincom[.]com, richlifeco[.]com, and ashiyane-co[.]com.

Website Content

We analyzed the content of actively resolving domains using Website Screenshot API. Several are either parked or hosted index and 404 pages. Others host or redirect to pages with gambling, adult, e-commerce, and news content.

Some interesting and possibly malicious content we found are shown below. The domains and their hosted content seem to impersonate legitimate businesses, such as Apple, Intuit, PayPal, and Walmart.

Proactively monitoring digital properties connected to the Ashiyane Digital Security Team and other threat groups can be done by examining publicly available indicators of compromise (IoCs) and looking for shared DNS and WHOIS characteristics.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

New TLDs

Sponsored byRadix


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC