
A Network IoC Analysis for 8 Iran-Affiliated APT Groups

Amid the ongoing conflict involving Iran, we could not help but wonder whether the tension has extended online. To find out, we sought to trace the DNS footprint of eight of the 10 known Iran-affiliated APT groups listed in S2W’s recently published “Iran APT Landscape Report: State-Sponsored Cyber Threats in an Era of Active Conflict.”

APT GROUP | DESCRIPTION | IoC SOURCE | DATE PUBLISHED
APT42 | Also known as “UNC788,” “Charming Kitten,” or “TA453” and active since at least 2015, it has targeted the Middle East but also various industries in other regions | https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/ | 06/25/25
APT34 | Also known as “Helix Kitten” or “OilRig” and active since at least 2014, it has targeted Middle Eastern and international victims, specifically from the financial, government, energy, chemical, and telecommunications sectors | https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/ | 09/11/24
MuddyWater | Also known as “Seedworm,” “MERCURY,” “Static Kitten,” “TEMP.Zagros,” “TA450,” or “Mango Sandstorm” and active since at least 2017, it has targeted government and private organizations in the telecommunications, local government, defense, and oil and natural gas sectors in the Middle East, Asia, Africa, Europe, and North America | https://www.huntress.com/blog/muddywater-attack-chain | 03/06/26
CyberAv3ngers | Also known as “Soldiers of Solomon” and active since at least 2020, it has made disputed and false claims of critical infrastructure compromises in Israel | https://www.ic3.gov/CSA/2026/260407.pdf | 04/07/26
BladedFeline | Known to be a subgroup of APT34 and active since at least 2017, it has targeted Iraqi and Kurdish government officials | https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/ | 06/05/25
Peach Sandstorm | Also known as “APT33,” “HOLMIUM,” or “Elfin” and active since at least 2013, it has targeted organizations in the aviation and energy sectors in the U.S., Saudi Arabia, and South Korea | https://blog.checkpoint.com/research/iran-nexus-password-spray-campaign-targeting-cloud-environments-with-a-focus-on-the-middle-east/ | 03/31/26
Void Manticore | Also known as “Storm-842,” it has become notorious for conducting destructive wiping attacks and influence operations | https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/ | 03/12/26
Pioneer Kitten | Also known as “Fox Kitten,” “Yellow Dev 15,” “COBALT FOXGLOVE,” “Lemon Sandstorm,” “PARISITE,” or “UNC757” and active since at least 2017, it reportedly focuses on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government | https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a | 08/08/24

We initially collated 190 network IoCs from the eight reports cited above. After processing (i.e., domain extraction from subdomains, legitimate domain filtering, and weeding out of inactive domains) aided by the WhoisXML API MCP Server, we ended up with 191 unique IoCs comprising four subdomains, 136 domains, and 51 IP addresses for our analysis.

Utilizing our extensive WHOIS, DNS, and threat intelligence sources, our investigation led to these discoveries:

  • 9,849 unique client IP addresses communicated with nine domain IoCs
  • One domain IoC was bulk-registered with two look-alikes
  • 73 domain IoCs were likely to have been registered with malicious intent
  • 1,841 distinct potential victim-owned IP addresses communicated with 31 IP IoCs
  • 731 email-connected domains
  • 10 additional IP addresses, all of which turned out to be malicious
  • 865 IP-connected domains, 13 of which turned out to be malicious
  • 1,959 string-connected domains, seven of which turned out to be malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Further Scrutiny of the Subdomain IoCs

Before we proceed, note that only one of the APT groups—Pioneer Kitten—had subdomain IoCs, four in total.

The results of our WhoisXML API MCP Server queries for the four subdomain IoCs revealed that all were confirmed active malware distributors that shared identical infrastructure fingerprints and threat timelines. They seemed to be part of a coordinated campaign impersonating major cybersecurity and technology vendors to blend into enterprise network traffic.

Take a look at more information for two examples below.

SUBDOMAIN IoC | WXA MCP SERVER FINDING
cloud[.]sophos[.]one | Likely chosen to blend in as a legitimate cloud/API service from trusted brand Sophos; consistent with the C&C infrastructure for a persistent malware campaign
fortigate[.]forticloud[.]online | Shares the infrastructure of cloud[.]sophos[.]one; part of a coordinated, multibrand impersonation campaign targeting Sophos and Fortinet, among others
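As an added example (not code from the post or from WhoisXML API), the IoC preparation steps described earlier in the post, namely refanging, classifying each indicator as IP, domain, or subdomain, extracting the registrable domain from subdomains, and dropping legitimate vendor domains, plus a flag for the vendor-impersonation pattern seen in the subdomain IoCs above. The public-suffix subset, the allowlist, the brand tokens, and the sample input are constructed; the inactive-domain filtering step needs live DNS and is left out so the script runs offline.

```python
import ipaddress
import re
# Constructed lists: a public-suffix subset (a real pipeline loads the full PSL),
# vendor-owned domains that must never be treated as IoCs, and brand tokens.
PUBLIC_SUFFIXES = {"com", "net", "info", "one", "online", "cloud"}
LEGITIMATE_DOMAINS = {"sophos.com", "fortinet.com", "forticloud.com"}
BRANDS = ("sophos", "forti")

def refang(ioc):
    """Undo common defanging ([.] and hxxp://) and keep only the host part."""
    value = ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^h(xx|tt)ps?://", "", value).split("/")[0]

def registrable_domain(host):
    """Return the apex domain under the longest matching public suffix."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host

def classify(ioc):
    """Return (kind, normalized value) where kind is ip, domain or subdomain."""
    value = refang(ioc)
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        return ("domain" if registrable_domain(value) == value else "subdomain"), value

def process(raw_iocs):
    """Dedupe, derive apex domains from subdomains, drop allowlisted domains, flag look-alikes."""
    seen, result = set(), []
    def add(kind, value, apex):
        if value in seen or apex in LEGITIMATE_DOMAINS:
            return  # already recorded, or a legitimate vendor domain
        seen.add(value)
        lookalike = kind != "ip" and any(b in apex for b in BRANDS)
        result.append({"kind": kind, "value": value, "apex": apex, "brand_lookalike": lookalike})
    for ioc in raw_iocs:
        kind, value = classify(ioc)
        apex = value if kind == "ip" else registrable_domain(value)
        add(kind, value, apex)
        if kind == "subdomain":
            add("domain", apex, apex)  # domain extraction from subdomains
    return result

# Constructed input: defanged IoCs quoted in the post plus a legitimate domain and a duplicate.
SAMPLE = ["cloud[.]sophos[.]one", "fortigate[.]forticloud[.]online", "work-meeting[.]info",
          "146[.]19[.]254[.]238", "hxxps://www[.]sophos[.]com/", "CLOUD[.]SOPHOS[.]ONE"]
```

Running `process(SAMPLE)` yields six records: the two subdomains, their two derived apex domains (both flagged as brand look-alikes), the work-meeting[.]info domain, and the IP address; the legitimate www.sophos.com entry and the duplicate are dropped.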

A Deeper Dive into the Domain IoCs

Note that only three of the APT groups—APT42, APT34, and Pioneer Kitten—had domain IoCs, 136 in all.

Sample network traffic data from the IASC revealed that 9,849 unique client IP addresses under three distinct ASNs communicated with nine domain IoCs all tied to APT42 between 9 February and 9 April 2026 via 129,964 DNS queries.

Our Typosquatting API searches, meanwhile, showed that one domain IoC connected to APT42 was bulk-registered with two look-alikes on 14 April 2025.

Specifically, the domain IoC work-meeting[.]info was bulk-registered with its look-alikes workmeeting[.]info and workmeeting[.]online. In addition, while the domain IoC was administered by Namecheap, the look-alikes were registered with One.com.

Next up, we scoured the First Watch Malicious Domains Data Feed and discovered that 73 domain IoCs for two of the three APT groups—APT42 and APT34—were deemed likely to have been registered with malicious intent.

Here are more details for five examples.

GROUP | DOMAIN IoC | FIRST WATCH DATE | NUMBER OF DAYS BEFORE THE REPORT DATE
APT42 | world-shop[.]online | 03/28/24 | 454
APT42 | live-meet[.]cloud | 09/30/24 | 268
APT42 | top-game[.]online | 10/19/24 | 249
APT42 | live-meet[.]info | 01/18/25 | 158
APT34 | iqwebservice[.]com | 10/31/23 | 316

After that, we queried the domain IoCs on WHOIS API and filled in gaps using details from Domain Info API. We found out that:

  • The 128 APT42 domains were created between 28 March 2024 and 31 January 2026. The four APT34 domains, meanwhile, were created between 30 October 2023 and 8 July 2024. Finally, the four Pioneer Kitten domains were created between 20 September 2022 and 17 February 2024.
  • The APT42, APT34, and Pioneer Kitten domains were administered by seven, two, and three registrars, respectively.
  • While eight APT42 domains did not have registrant countries on record, the remaining APT42, APT34, and Pioneer Kitten domains were registered in three, two, and three countries, respectively.

Finally, we queried the domain IoCs on DNS Chronicle API and learned that:

  • A total of 122 of the 128 APT42 domains recorded 5,202 historical domain-to-IP resolutions over time.
  • Four out of four of the APT34 domains, meanwhile, posted 45 historical domain-to-IP resolutions to date.
  • All four Pioneer Kitten domains also logged 208 historical domain-to-IP resolutions in sum.

All in all, 130 of the domain IoCs chalked up 5,455 historical domain-to-IP resolutions as of this writing.

Take a look at more information for five examples below.

GROUP | DOMAIN IoC | NUMBER OF DOMAIN-TO-IP RESOLUTIONS | DATES SEEN
APT42 | backback[.]info | 362 | 02/23/25–03/07/26
APT42 | rap-art[.]info | 361 | 02/23/25–03/10/26
APT42 | arrow-click[.]info | 360 | 03/01/25–03/04/26
APT34 | asiacall[.]net | 14 | 02/05/17–08/02/24
Pioneer Kitten | sophos[.]one | 140 | 06/02/20–04/03/26

It is worth noting that 50 APT42 and three Pioneer Kitten domains continued to resolve to IP addresses in 2026.

A More In-Depth Investigation of the IP IoCs

Next, we analyzed the 51 IP IoCs for all eight APT groups. Note, however, that one IP address was used by two groups, so this section counts 52 IP IoCs in all.

First, sample network traffic data from the IASC revealed that 1,841 IP addresses that could belong to victims under 10 distinct ASNs communicated with 31 of the IP IoCs between 13 October 2025 and 10 April 2026.

A Bulk IP Geolocation Lookup for the IP addresses, meanwhile, showed that:

  • The 52 IP IoCs were located in 12 countries split into the following per group:
    • 12 APT42 IP IoCs → 5 countries
    • 6 APT34 IP IoCs → 5 countries
    • 3 MuddyWater IP IoCs → 2 countries
    • 8 CyberAv3ngers IP IoCs → 2 countries
    • 2 BladedFeline IP IoCs → 2 countries
    • 5 Peach Sandstorm IP IoCs → 1 country
    • 4 Void Manticore IP IoCs → 3 countries
    • 12 Pioneer Kitten IP IoCs → 5 countries
  • While 22 IP addresses did not have ISPs on record, the remaining 30 were administered by 16 ISPs split into the following per group:
    • 12 APT42 IP IoCs → 6 no ISPs; 6 managed by 4 ISPs
    • 6 APT34 IP IoCs → 3 ISPs
    • 3 MuddyWater IP IoCs → 1 no ISP; 2 managed by 2 ISPs
    • 8 CyberAv3ngers IP IoCs → 8 no ISPs
    • 2 BladedFeline IP IoCs → 2 ISPs
    • 5 Peach Sandstorm IP IoCs → 3 no ISPs; 2 managed by 1 ISP
    • 4 Void Manticore IP IoCs → 1 no ISP; 3 managed by 2 ISPs
    • 12 Pioneer Kitten IP IoCs → 3 no ISPs; 9 managed by 3 ISPs

Finally, from the results of our DNS Chronicle API queries, we learned that:

  • All 12 APT42 IP addresses recorded 7,155 historical IP-to-domain resolutions over time.
  • Three of the six APT34 IP addresses posted 222 historical IP-to-domain resolutions to date.
  • All three MuddyWater IP addresses logged 1,420 historical IP-to-domain resolutions in sum.
  • Seven of the eight CyberAv3ngers IP addresses had a total of 73 historical IP-to-domain resolutions.
  • Both BladedFeline IP addresses registered 362 historical IP-to-domain resolutions.
  • Four of the five Peach Sandstorm IP addresses had 48 historical IP-to-domain resolutions over time.
  • All four Void Manticore IP addresses marked 569 historical IP-to-domain resolutions to date.
  • Finally, nine of the 12 Pioneer Kitten IP addresses had 1,419 historical IP-to-domain resolutions in sum.

Here are more details for eight examples.

GROUP | IP IoC | NUMBER OF IP-TO-DOMAIN RESOLUTIONS | DATES SEEN
APT42 | 146[.]19[.]254[.]238 | 1,000 | 04/06/25–06/10/25
APT34 | 91[.]132[.]95[.]117 | 78 | 09/23/19–08/02/24
MuddyWater | 162[.]0[.]230[.]185 | 1,000 | 09/05/20–07/24/21
CyberAv3ngers | 185[.]82[.]73[.]162 | 12 | 05/18/19–03/21/21
BladedFeline | 178[.]209[.]51[.]61 | 267 | 02/07/17–08/30/24
Peach Sandstorm | 185[.]191[.]204[.]203 | 38 | 12/31/17–02/27/26
Void Manticore | 82[.]25[.]35[.]25 | 515 | 02/05/17–04/05/26
Pioneer Kitten | 193[.]149[.]187[.]41 | 1,000 | 12/29/22–07/21/25

It is also interesting to note that five APT42, two Peach Sandstorm, three Void Manticore, and two Pioneer Kitten IP addresses continued to resolve domains in 2026.

Scouring the DNS for New Artifacts

After obtaining more insights into the IoCs related to the eight APT groups, we then sought to uncover additional artifacts.

First off, we queried the 136 domain IoCs on WHOIS History API and discovered that 121 had 148 unique email addresses in their historical WHOIS records. Of these, 15 turned out to be public email addresses.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
