WhoisXML API threat researcher Dancho Danchev obtained a publicly accessible list of email addresses known to be owned and used by Iranian hackers. The email addresses led us to more than 4,400 domain names, any of which can be weaponized and used in phishing, credential theft, and other forms of cyber attacks.
We studied the domain portfolio in light of our DNS, WHOIS, and IP intelligence and uncovered the following:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Nearly a third of the domains were registered with GoDaddy and Network Solutions. The other top registrars were Namecheap, PDR Ltd., CSL Computer, TurnCommerce, Maff, Domain International Services, and Gname.
On the other hand, the IP addresses of the resolving domains were mostly assigned to Amazon, Softqloud, Cloudflare, Google, Gransys, Hetzner, Squarespace, Peg Tech, Confluence, and Unified Layer.
We performed a lexical analysis of the domains possibly connected to the Iran-based hackers. Some of the most common text strings and examples of domains bearing them were:
These and other recurring words can be seen in the image below.
The hackers’ domain portfolio mostly fell under the .com space, but other TLDs were used, including .ir, .net, .org, .biz, and .us.
With the help of Bulk IP Geolocation and Bulk WHOIS Lookup, we determined that the U.S. was the domain portfolio’s top location in terms of IP resolution and domain registration. That can be seen in the side-by-side comparison below.
The other countries that appeared on both charts include Canada and China.
Aside from parked domains and gambling and adult sites, the content hosted on the domains was mostly news- and e-commerce-related. We also found interesting content on two domains that displayed a PayPal donation page.
Other suspicious website screenshots include those that were made to appear like Discuz and WordPress.
Aside from scrutinizing the domains uncovered by our threat researcher, we also endeavored to find more possible domain connections. That was done by looking at the historical WHOIS records of the domains that were reported as malicious. One malicious domain, salarserver[.]ir, was tied to four unredacted email addresses throughout its registration history.
Performing a reverse WHOIS search on the emails, we discovered 981 additional domains that were not on the initial list of domains. They were also mostly under the .ir (82%) and .com (13%) TLD spaces.
Ten of the additional domains were flagged as malicious, with some looking quite similar to the malicious domains on our initial list—absher-sa-sa[.]com and salarserver[.]ir.
Digging deeper, we used Reverse WHOIS Search again to uncover .com domains containing the text string “absher,” and .ir domains containing “salar.” That led us to 1,162 additional digital properties, about 12% of which were flagged as malicious.
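The TLD breakdown, lexical analysis, and string-plus-TLD pivots described above, as an added Python example (not WhoisXML API's own code); the domain list and malicious flags are constructed for illustration, and the defanged `[.]` notation is normalized before analysis.

```python
"""Offline lexical/TLD analysis of a domain portfolio and string-based pivoting."""
from collections import Counter
import re


def refang(domain: str) -> str:
    """Normalize a defanged name such as 'salarserver[.]ir' to 'salarserver.ir'."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def tld_distribution(domains):
    """Return {tld: share} where share is the fraction of the list under that TLD."""
    counts = Counter(refang(d).rsplit(".", 1)[-1] for d in domains)
    total = sum(counts.values())
    return {tld: n / total for tld, n in counts.items()}


def common_tokens(domains, top_n=5):
    """Recurring alphabetic tokens across registrable labels, counted once per domain."""
    counts = Counter()
    for d in domains:
        labels = refang(d).split(".")[:-1]          # drop the TLD
        counts.update(set(re.findall(r"[a-z]+", ".".join(labels))))
    return counts.most_common(top_n)


def string_pivot(domains, needle, tld):
    """Domains under `tld` whose registrable labels contain `needle` (e.g. 'absher' in .com)."""
    hits = []
    for d in domains:
        name = refang(d)
        labels = name.split(".")
        if labels[-1] == tld and needle in ".".join(labels[:-1]):
            hits.append(name)
    return hits


def malicious_share(domains, flagged):
    """Fraction of `domains` that appear in the `flagged` (malicious) list."""
    flagged_set = {refang(d) for d in flagged}
    if not domains:
        return 0.0
    return sum(refang(d) in flagged_set for d in domains) / len(domains)


# Constructed sample portfolio and constructed malicious flags (not real intelligence).
SAMPLE = ["absher-sa-sa[.]com", "absher-login[.]com", "salarserver[.]ir",
          "salarhost[.]ir", "example[.]net", "news-today[.]com", "shop-ir[.]ir"]
FLAGGED = ["absher-sa-sa[.]com", "salarserver[.]ir"]

if __name__ == "__main__":
    print(tld_distribution(SAMPLE), common_tokens(SAMPLE, 3))
    pivot = string_pivot(SAMPLE, "absher", "com")
    print(pivot, malicious_share(pivot, FLAGGED))
```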
We uncovered the domain portfolio of a group of hackers by running DNS and WHOIS analyses on email addresses tied to them. These connections were further expanded by digging into the historical WHOIS records of the malicious domains and looking for string-related associations.
While some may have coincidental connections, the majority can be treated as suspicious and may help the cybersecurity community formulate an effective early warning system.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.