In an incident reminiscent of leakage of the NSA's hacking tools from the Shadow Brokers, someone has published similar hacking tools belonging to one of Iran's top espionage teams, known as APT34, Oilrig or HelixKitten.
The leaked hacking tools are not as specialized as the NSA tools leaked by 2017, but they are extremely dangerous.
They also spilled the data of the victims of the tools and circulated online.
The tools have been leaked since mid-March on one of its channels applications Telegram from a person using the alias Lab Dookhtegan.
In addition to hacking tools, Lab Dookhtegan published data from APT34 victims. The data contains combinations of names and passwords and appears to have been collected through phishing pages.
Let us mention that his account at Twitter has been closed for obvious reasons
https://twitter.com/dookhtegan
Several cyber security experts have already confirmed the authenticity of the tools.
On the Telegram Channel that was discovered today, the hacker has leaked the source code of six hacking tools and the content from many active backend panels where the victims' data was collected.
Hacking tools:
- Glimpse (newer version of a PowerShell-based trojan named Palo Alto Networks BondUpdater)
- PoisonFrog (older version of BondUpdater)
- HyperShell (web shell called Palo Alto Networks TwoFace)
- HighShell (another web shell)
– Fox Panel (kit Phishing)
- Webmask (DNS tunneling, main tool behind DNSPionage)
In addition to the source code of the above tools, Dookhtegan also leaked victim data collected on some of the APT34 team command and control servers (C&C).
Overall, Dookhtegan leaked data from 66 victims, mainly from the Middle East, Africa, East Asia and Europe.
The data come from government services, but also by private companies. The two largest companies mentioned in the telegram channel are Etihad Airways and Emirates National Oil. A list of victims (but without names of companies / government agencies) is available below.
___________________