Overview
Episode 2 reveals extensive targeting of organizations across multiple countries in the Middle East and beyond. The evidence includes target lists, successful compromises, and attack infrastructure spanning numerous nations.
Primary Target Countries
The main countries targeted in Episode 2 documentation:
- Jordan
- Iran
- Kuwait
- Saudi Arabia
- Turkey
Iran
Target Organizations
Documented Iranian targets include:
Government Entities:
- 217.218.21.105 - Setad Mobareze ba Qachaq v Arz (Anti-Smuggling and Currency Headquarters)
- 178.252.191.163 - Qudsdaily (media organization)
- mail.barez.org
Target Files
- IR_Proxyshell_target.txt - Primary Iranian target list
- IR_Proxyshell_target2.txt - Secondary Iranian target list
Kuwait
Target Organizations
Business Entities:
- webmail.kccec.com.kw - Kuwait Canadian Consulting Engineers Company
- mail.kfmb.com.kw - Kuwait Finance and Investment Company
- mail.yousifi.com.kw - Yousifi Group
- mail.sih-kw.com - Sultan International Holding
- mail.montania.org
- mail.kiti.com.kw
- mail.azzadgroup.com.kw
- mx03.koutcloud.com
- mx02.koutcloud.com
- mx2.specialitieskuwait.com
- smg.zamzamtakaful.com
- exch1.kyfco.com
Target Files
- KW_proxyshell_target.txt
- kw-proxyshell-target.kw
Saudi Arabia
Target Organizations
Healthcare:
- mail.almanahospital.com.sa - Al Mana Hospital (LegacyDN)
- webmail.almanahospital.com.sa - Failed
- mail.ihcc.sa - International Healthcare Consulting Company (LegacyDN)
- outbound.familycare.com.sa - Failed
Industry and Commerce:
- mail1.solbsteel.com - Solb Steel
- mail.tanhatmining.com - Tanhat Mining
- mail.alrashidabetong.com - Al Rashida Betong
- mail.aiccp.com.sa - Arabian Industrial & Commercial Projects Company
- mail.albarakatgroup.com
- mail.arabian-homes.com
- mail.goldenbrown.sa
- mail.sosgroup.com
- mail1.manafea.net - Shell deployed
- smtp.baroid-sa.com
- email.samama.com - Failed
Target Files
- SA_Proxyshell_target.txt
- 212.12.165.155.yml
- 46.235.93.139.txt
- 77.240.93.43.txt
Turkey
Target Organizations
Government:
- eposta.mfa.gov.ct.tr - Ministry of Foreign Affairs (critical target)
- smtp.aydinaski.gov.tr - Aydin ASKİ (Water and Sewerage)
- mail.bahcelievler.bel.tr - Bahçelievler Municipality
- mail.mersin.bel.tr - Mersin Municipality
Manufacturing:
- exchange.akbasoglu.com - Akbaşoğlu Group
- hibrit.magmaweld.com - Magma Welding
- mail.akartextile.com - Akar Textile
- mail.basturkcam.com.tr - Baştürk Glass
- mail.duzeymode.com - Düzey Fashion
- msexc.aydintextil.com.tr - Aydın Textile
- mail.mtplastech.com.tr - MT Plastech
- mail.narkonteks.com - Narkon Textiles
Technology and Services:
- mail.dnstrade.com.tr - DNS Trade
- antivirusgw.teknikgumruk.com.tr - Teknik Gümrük (Customs Consulting)
- mail.itpro.com.tr - IT Pro
- mail.uzmantek.com - Uzmantek
- mail1.otaknetworks.com - Otak Networks
- srv0.kurgu-e.com - Kurgu-e
Food:
- mail.24yemek.com.tr - 24 Yemek (Food Services)
- mail.bilpagida.com - Bil Gıda (Food)
Healthcare:
- mail.nisahastanesi.com - Nisa Hospital
Education:
- mail.dcaokullari.com - DCA Schools
Other:
- mail.basakoglu.com.tr
- mail.gopayless.com.tr
- mail.kmcgroup.com.tr - KMC Group
- mail.noahsark.com.tr
- mail.ozerensigorta.com - Özeren Insurance
- mail.taf-inter.com
- mail.umur.com.tr
- mail.zenitled.com.tr - Zenit LED
- owa.myl.com.tr
- webmail.calor.com.tr
- webmail.intimesolutions.net
- static-169-40-68-212.sadecehosting.net
- static-185-132-125-83.ptr.name.tr
- ulak.neutecin.com
Target Files
- TR_Exchange_target.txt
- hibrit.magmaweld.com.lua
- mail.dnstrade.com.tr.sql
- target turkey.tr
Additional Target Countries
Austria (AT)
Target File: AT_proxyshell_target.txt
Australia (AU)
Target File: AU_Proxyshell_target.txt
Azerbaijan (AZ)
Notable Targets:
- Oil and energy sector companies
- Multiple Exchange servers compromised
Belgium (BE)
Multiple organizations targeted with ProxyShell attacks.
Bahrain (BH)
Target File: BH_proxy_Shell_target.txt
Documented Compromises: multiple attack attempts recorded against several Bahraini hosts.
Canada (CA)
Multiple organizations targeted across Canadian infrastructure.
Egypt (EG)
Target File: EG_Proxyshell_target.txt
Government and commercial entities targeted.
Greece (GR)
Businesses and organizations subjected to ProxyShell exploitation attempts.
India (IN)
Various companies and services targeted.
Jordan (JO)
While specific organizational details are redacted in the available files, Jordan is explicitly named in the README as one of the primary target countries for this episode.
Attack Statistics
Based on documented evidence:
- Countries Affected: 15+ documented in detail
- Organizations Targeted: 200+ unique targets
- Successful Compromises: Dozens of confirmed webshell deployments
- Attack Vector: Primarily ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
- Target Sectors: Government, Healthcare, Manufacturing, Technology, Finance, Education, Energy
Geographic Distribution
Middle East Focus
The primary focus remains on Middle East countries:
- Jordan
- Iran
- Kuwait
- Saudi Arabia
- Turkey
- Bahrain
- Egypt
Extended Targets
Additional targeting across:
- Europe (Austria, Belgium, Greece)
- Asia (India, Azerbaijan)
- North America (Canada)
- Oceania (Australia)
Target Selection Criteria
Based on the evidence, Department 40 appears to target:
- Government Entities: Ministries, municipalities, regulatory bodies
- Critical Infrastructure: Water, energy, telecommunications
- Healthcare Organizations: Hospitals and medical facilities
- Financial Services: Banks, insurance companies
- Manufacturing: Industrial companies across various sectors
- Media Organizations: News outlets and publishers
- Educational Institutions: Schools and universities