
Overview

Episode 2 includes extensive attack reports documenting Department 40’s cyberattack operations against various organizations across multiple countries. These reports demonstrate systematic targeting of government entities, civilian companies, and media organizations.

Attack Infrastructure

AMEEN ALKHALIJ Server

The department operated the AMEEN ALKHALIJ server (ameen-alkhalij.nu) as part of their infrastructure:
  • Purpose: Recruitment website targeting former government and security employees from the United Arab Emirates
  • Evidence: Complete server logs showing access patterns and operations
  • Activity Period: Server logs from January 2025 showing ongoing operations
  • Platform: a WordPress installation used as an infrastructure component

Server Log Analysis

The server logs reveal:
  • Persistent scanning for WordPress vulnerabilities, much of it indistinguishable from the untargeted probing any internet-facing WordPress host attracts
  • Multiple access attempts from global IP addresses
  • Infrastructure setup for recruitment operations
  • Coordination with other attack servers

ProxyShell Exploitation Campaign

Attack Method

The department extensively exploited the ProxyShell chain in Microsoft Exchange servers, CVE-2021-34473 (pre-authentication path confusion in the Autodiscover front end), CVE-2021-34523 (privilege elevation in the Exchange PowerShell backend) and CVE-2021-31207 (post-authentication arbitrary file write via mailbox export), to:
  • Gain initial access to target networks
  • Deploy webshells for persistent access
  • Extract sensitive information
  • Establish command and control infrastructure

Webshell Deployment

Successful shell deployments were documented across multiple organizations:
  • Webshells dropped into /owa/auth/ directories, the front-end OWA authentication folder that ProxyShell's mailbox-export write can reach
  • Webshells in /aspnet_client/ directories, the other common destination for the export
  • ASPX files named to blend in: random mixed-case tokens (e.g. Vw8q1tdLy.aspx) or lookalikes such as webclient.aspx
  • Persistent backdoor access maintained

Attack Methodology

Initial Access

  1. Vulnerability Scanning: Identification of vulnerable Exchange servers
  2. Exploitation: ProxyShell exploitation to gain access
  3. Webshell Deployment: Installation of custom webshells
  4. Persistence: Maintaining access through multiple backdoors

Attack Tools

Evidence shows the use of:
  • Metasploit Framework: an exchange_proxyshell_rce.rb ProxyShell module copied into the framework's exploit module path (see the command history below)
  • Custom Webshells: ASPX-based backdoors
  • Password Brute-forcing: RDP and SMB credential attacks
  • Network Scanning: Infrastructure reconnaissance

Command History Evidence

The zsh_history.txt file records the operator's shell commands. Representative entries, with the report's annotations:
# Metasploit exploitation: a ProxyShell RCE module copied into the framework's exploit path
sudo mv exchange_proxyshell_rce.rb /usr/share/metasploit-framework/modules/exploits/windows/http

# Credential brute-forcing against Dubai IP ranges with user and password lists
python mmcbrute.py -t dubai-ranges.txt -p password.list.txt -u user.list.txt

# Target reconnaissance: reachability check of a Ukrainian mail host
ping mail.burda.ua

# SMBGhost (CVE-2020-0796) vulnerability check against a single host
python Smb_Ghost.py -i 88.80.145.93 -p 445 --check

Failed Attack Attempts

The Shell failed.txt file documents unsuccessful webshell deployments, showing:
  • Attempted attacks across Austria, Australia, Azerbaijan, Germany, France, India, Israel, Korea, Turkey, and UK
  • Multiple webshell deployment attempts that failed
  • URLs to attempted webshell locations
  • The geographic spread of the campaign

Examples of Failed Deployments

Austria:
  • https://185.50.235.189/owa/auth/msfuj.aspx
  • https://80.109.157.74/owa/auth/webclient.aspx
Azerbaijan:
  • https://webmail.binagadioil.com/owa/auth/Vw8q1tdLy.aspx
  • https://mail.karasuopco.com/owa/auth/fUMBz0mwHC.aspx
Germany:
  • https://37.24.200.74/aspnet_client/system_web/webclient.aspx
  • https://185.40.175.36/aspnet_client/spryc.aspx
Israel:
  • https://192.116.238.153/owa/auth/dYeuy3CETD.aspx
  • https://mail.prizma-hakirot.co.il/owa/auth/k0OaRqmtco7.aspx
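The webshell locations described under Webshell Deployment and the failed-deployment URLs above share two fixed drop directories and two naming styles, which is enough to build a defender-side check. The following is an added example for this write-up, not tooling recovered from the leak or code from the report's authors: it triages the listed URLs by host, drop directory and naming style, then applies the same rules, plus the CVE-2021-34473 Autodiscover path-confusion signature, to IIS W3C log lines. The URL list reuses entries printed above; the IIS log excerpt, the hostnames and IPs in it, and the KNOWN_ASPX allowlist are constructed for illustration and the allowlist is deliberately incomplete.

```python
"""Triage ProxyShell webshell URLs and flag the same pattern in IIS W3C logs.

Added example for this write-up, not tooling recovered from the leak. The URL list
reuses entries from the "Shell failed.txt" excerpt above; the IIS log lines and the
KNOWN_ASPX allowlist are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Directories where ProxyShell's mailbox-export write lands a webshell; both
# appear in the failed-deployment URLs above.
DROP_DIRS = ("/owa/auth/", "/aspnet_client/")

# Constructed, deliberately incomplete allowlist of ASPX names that legitimately
# live under /owa/auth/ on Exchange; build the real one from a known-good server.
KNOWN_ASPX = {"logon.aspx", "logoff.aspx", "errorfe.aspx", "signout.aspx",
              "expiredpassword.aspx"}

# Mixed-case alphanumerics with a digit, 8+ chars: the shape of generated names
# such as Vw8q1tdLy and k0OaRqmtco7 in the failed-deployment list.
RANDOM_TOKEN = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8,}$")

FAILED_URLS = [  # taken from the "Shell failed.txt" excerpt above
    "https://185.50.235.189/owa/auth/msfuj.aspx",
    "https://webmail.binagadioil.com/owa/auth/Vw8q1tdLy.aspx",
    "https://37.24.200.74/aspnet_client/system_web/webclient.aspx",
    "https://mail.prizma-hakirot.co.il/owa/auth/k0OaRqmtco7.aspx",
]

# Constructed IIS W3C excerpt: '-' marks an empty field, '+' replaces spaces.
# 203.0.113.9 plays the attacker, 198.51.100.7 an ordinary OWA user.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2024-09-15 10:02:11 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/&reason=0 "
    "443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 52",
    "2024-09-15 10:02:40 10.0.0.5 POST /autodiscover/autodiscover.json "
    "@example.test/mapi/nspi?&Email=autodiscover/autodiscover.json%3F@example.test "
    "443 - 203.0.113.9 python-requests/2.31.0 - 200 0 0 811",
    "2024-09-15 10:03:02 10.0.0.5 POST /owa/auth/Vw8q1tdLy.aspx - "
    "443 - 203.0.113.9 python-requests/2.31.0 - 200 0 0 93",
    "2024-09-15 10:05:17 10.0.0.5 GET /aspnet_client/system_web/webclient.aspx - "
    "443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 404 0 2 4",
    "2024-09-15 10:06:00 10.0.0.5 GET /owa/auth/15.2.1118.7/themes/resources/favicon.ico - "
    "443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 3",
]


def classify_name(filename):
    """Heuristic for how a dropped ASPX filename was chosen."""
    if filename.lower() in KNOWN_ASPX:
        return "known-good"
    stem = filename.rsplit(".", 1)[0]
    if RANDOM_TOKEN.match(stem):
        return "random-token"   # Vw8q1tdLy.aspx, fUMBz0mwHC.aspx, ...
    return "word-like"          # webclient.aspx, spryc.aspx, msfuj.aspx


def drop_dir_of(path):
    """The ProxyShell drop directory a URL path sits under, or None."""
    low = path.lower()
    return next((d for d in DROP_DIRS if low.startswith(d)), None)


def triage_url(url):
    """Split a reported webshell URL into host, drop directory and naming style."""
    parts = urlsplit(url)
    name = parts.path.rpartition("/")[2]
    return {"host": parts.hostname, "path": parts.path,
            "drop_dir": drop_dir_of(parts.path), "name": name,
            "naming": classify_name(name)}


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def detect(lines):
    """Flag ProxyShell path-confusion requests and ASPX hits in the drop dirs."""
    findings = []
    for rec in parse_w3c(lines):
        stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
        hit = {"time": f'{rec["date"]} {rec["time"]}', "src": rec["c-ip"],
               "method": rec["cs-method"], "uri": stem, "status": rec["sc-status"]}
        # CVE-2021-34473: the Autodiscover path-confusion URL keeps the backend
        # target in the query string alongside Email=autodiscover/autodiscover.json
        if (stem.lower() == "/autodiscover/autodiscover.json"
                and "email=autodiscover/autodiscover.json" in query.lower()):
            findings.append({**hit, "rule": "proxyshell-path-confusion"})
        elif stem.lower().endswith(".aspx") and drop_dir_of(stem):
            naming = classify_name(stem.rpartition("/")[2])
            if naming != "known-good":   # a 404 here is a failed drop; still record it
                findings.append({**hit, "rule": "webshell-candidate", "naming": naming})
    return findings


if __name__ == "__main__":
    for u in FAILED_URLS:
        t = triage_url(u)
        print(f'{t["host"]:32} {t["drop_dir"]:16} {t["name"]:18} {t["naming"]}')
    for f in detect(SAMPLE_LOG):
        print(f'{f["time"]} {f["src"]:14} {f["rule"]:26} {f["method"]} {f["uri"]} -> {f["status"]}')
```

The word-like names (webclient.aspx, spryc.aspx) are the reason for the allowlist: they only stand out once every legitimate ASPX under the drop directories is known, so the real allowlist should be generated from a clean server of the same Exchange build rather than typed from memory. A 404 on a candidate path, as in the constructed fourth log line, matches what "Shell failed.txt" records: a deployment the attacker attempted but could not reach.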

Daily Work Reports

MJD Team Reports

Extensive daily work reports from the MJD team document:
  • Daily activity logs from September-October 2024 (Persian calendar 1403)
  • Systematic tracking of work hours
  • Attack progress documentation
  • Monthly performance summaries
Report Files:
  • 1403-06-25_MJD_DailyReport.pdf through 1403-07-23_MJD_DailyReport.pdf
  • Monthly summary: گزارش کار مهر- MJD.pdf (Mehr work report; Mehr 1403 runs 22 September to 21 October 2024)
  • Entry/exit tracking: entry_exit_form.pdf

HSN2 Team Reports

The HSN2 team also maintained daily reports:
  • Reports from August 2024 (1403-05-27 through 1403-06-03, i.e. 17 to 24 August 2024)
  • Similar tracking methodology to MJD team
  • Coordinated operations with other teams
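The MJD and HSN2 report filenames, and the monthly and seasonal titles elsewhere on this page, are stamped in the Iranian Solar Hijri (Jalali) calendar, and the Gregorian equivalents are what an analyst needs to line the reports up with victim-side logs. The converter below is an added example for this write-up, not tooling from the leak or from the report's authors. It uses the standard 33-year-cycle arithmetic conversion, parses the daily-report filenames listed above, and resolves a Persian month name or season to its Gregorian span; the year passed alongside a month name is an assumption taken from context, since the titles themselves carry only the month.

```python
"""Convert the Jalali (Solar Hijri) date stamps on the leaked reports to Gregorian.

Added example for this write-up, not tooling from the leak. The filenames below are
the ones listed on this page; the algorithm is the standard 33-year-cycle arithmetic
conversion and is exact across the years this corpus spans.
"""
import re
from datetime import date, timedelta

# Jalali month names; value is the month number. Months 1-6 have 31 days, 7-11
# have 30, Esfand has 29 or 30. Mehr and Bahman appear in the report titles above.
PERSIAN_MONTHS = {"فروردین": 1, "اردیبهشت": 2, "خرداد": 3, "تیر": 4, "مرداد": 5,
                  "شهریور": 6, "مهر": 7, "آبان": 8, "آذر": 9, "دی": 10,
                  "بهمن": 11, "اسفند": 12}

# YYYY-MM-DD stamp as used in the daily-report filenames, e.g. 1403-06-25_MJD_...
DATE_STAMP = re.compile(r"(?<!\d)(1[34]\d{2})-(\d{2})-(\d{2})(?!\d)")


def jalali_to_gregorian(jy, jm, jd):
    """Jalali year/month/day -> datetime.date (33-year-cycle arithmetic form)."""
    jy += 1595
    days = (-355668 + 365 * jy + (jy // 33) * 8 + ((jy % 33) + 3) // 4 + jd
            + ((jm - 1) * 31 if jm < 7 else (jm - 7) * 30 + 186))
    gy = 400 * (days // 146097)
    days %= 146097
    if days > 36524:
        days -= 1
        gy += 100 * (days // 36524)
        days %= 36524
        if days >= 365:
            days += 1
    gy += 4 * (days // 1461)
    days %= 1461
    if days > 365:
        gy += (days - 1) // 365
        days = (days - 1) % 365
    gd = days + 1
    leap = (gy % 4 == 0 and gy % 100 != 0) or gy % 400 == 0
    month_len = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    gm = 1
    while gd > month_len[gm - 1]:
        gd -= month_len[gm - 1]
        gm += 1
    return date(gy, gm, gd)


def report_date(filename):
    """Gregorian date of a filename carrying a Jalali YYYY-MM-DD stamp."""
    m = DATE_STAMP.search(filename)
    if not m:
        raise ValueError(f"no Jalali date stamp in {filename!r}")
    return jalali_to_gregorian(*map(int, m.groups()))


def jalali_span(jy, jm_first, jm_last):
    """First and last Gregorian day covering Jalali months jm_first..jm_last of jy."""
    first = jalali_to_gregorian(jy, jm_first, 1)
    if jm_last == 12:
        after = jalali_to_gregorian(jy + 1, 1, 1)   # Nowruz of the next year
    else:
        after = jalali_to_gregorian(jy, jm_last + 1, 1)
    return first, after - timedelta(days=1)


def named_month_span(title, jy):
    """Resolve a Persian month name in a report title to its Gregorian span.

    The year is not in the titles on this page, so the caller supplies it.
    """
    for name, jm in PERSIAN_MONTHS.items():
        if name in title:
            return name, jalali_span(jy, jm, jm)
    raise ValueError(f"no Persian month name in {title!r}")


if __name__ == "__main__":
    for fn in ("1403-06-25_MJD_DailyReport.pdf", "1403-07-23_MJD_DailyReport.pdf"):
        print(fn, "->", report_date(fn))
    print("HSN2 range:", jalali_to_gregorian(1403, 5, 27), "to", jalali_to_gregorian(1403, 6, 3))
    print("Mehr 1403 (assumed year):", named_month_span("گزارش کار مهر- MJD.pdf", 1403))
    print("Bahman 1401:", jalali_span(1401, 11, 11))
    print("Winter 1403 (Dey..Esfand):", jalali_span(1403, 10, 12))
```

Two results worth noting against the text of this page: the HSN2 range 1403-05-27 to 1403-06-03 falls entirely in August 2024 (17 to 24 August), and "winter 1403" is Dey through Esfand, 21 December 2024 to 20 March 2025, so it straddles the Gregorian year boundary.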

CVE Analysis Reports

Department 40 conducted analysis of new vulnerabilities:

CVE-2024-1709 Analysis

Two reports documenting analysis and exploitation of CVE-2024-1709, the critical authentication bypass in ConnectWise ScreenConnect disclosed in February 2024:
  • CVE-2024-1709 - گزارش بررسی و_REDACTED.pdf (4.2 MB; the title reads "report on the review and ...", cut short by redaction)
  • CVE-2024-1709 - (امارت - ترکی_REDACTED.pdf (966 KB; the title reads "(Emirates - Turkey", cut short by redaction)
These reports demonstrate:
  • Active vulnerability research capabilities
  • Target planning for UAE and Turkey
  • Weaponization of recent CVEs

Monthly Performance Reports

Three monthly performance reports (گزارش عملکرد ماهانه, "monthly performance report") from Bahman 1401 (21 January to 19 February 2023), each prefixed with a 40-hex-character identifier:
  • 02120dcf3b263702028a0441881d339ee4ff8e15_گزارش عملکرد ماهانه
  • 4037e9382a99fdd96fe93eb0fd4380eea695bd3a_گزارش عملکرد ماهانه
  • e8ed42d00168744e408dd53c795008c76ee788e6_گزارش عملکرد ماهانه

Additional Reports

Winter Operations Summary

  • گزارش عملکرد زمستان - 1403 Final.pdf (3.8 MB; "Winter 1403 performance report")
  • Summary of operations for winter 1403, i.e. 21 December 2024 to 20 March 2025

Initial Access Report

  • گزارش اولیه دسترسی (wise.pdf (822 KB; "initial access report", with the unbalanced parenthesis as it appears in the leaked filename)
  • Documentation of initial access operations

Services Documentation

  • services.pdf (2.4 MB)
  • Infrastructure and services documentation

Key Findings

The attack reports reveal:
  1. Systematic Operations: Highly organized attack campaigns with daily reporting
  2. Multi-Country Targeting: Coordinated attacks across multiple countries, as the failed-deployment list and reconnaissance targets show
  3. Professional Infrastructure: Dedicated servers for recruitment and attacks
  4. Vulnerability Research: Active analysis of new CVEs for exploitation
  5. Persistent Access: Multiple webshell deployments for long-term access
  6. Team Coordination: Multiple teams (MJD, HSN2) working in parallel
This evidence demonstrates the sophisticated nature of Department 40’s operations under the IRGC-IO Counterintelligence Division.
