​

Infrastructure Documentation

​

Unified Infrastructure Sheets

​

0-SERVICE-Service.csv

• Domain registrations with registrar details
• Hosting services for operational infrastructure
• VPS providers used for attack servers
• SSL certificates for phishing sites
• Email accounts used for procurement
• Payment methods including cryptocurrency
• Renewal dates and subscription periods

​

1-NET-Sheet1.csv

• Server IP addresses and assignments
• Login credentials for root access
• Control panel credentials (aaPanel, ISPMgr, etc.)
• Network configurations and routing details
• Internal system access information

​

0-SERVICE-payment BTC.csv

• Bitcoin wallet addresses used for purchases
• Payment transaction records
• Service provider payment details
• Financial operational security practices

​

Key Infrastructure Components

​

Operational Domains

​

Moses Staff Operations

• moses-staff.io - Primary operation domain
• moses-staff.to - Alternative TLD
• moses-staff.se - European hosting
• Hosted on: TheOnionHost (TOR infrastructure)
• IPs exposed: 95.169.196.20, 95.169.196.23, 95.169.196.37

​

Phishing Infrastructure

• cavinet.org - Registered via Namecheap
• secnetdc.com - Modernizmir hosting
• tecret.com - TOR hosting
• dreamy-jobs.com - Job-themed phishing
• wazayif-halima.org - Arabic job phishing
• israel-talent.com / israel-talent.xyz - Targeted Israeli operations

​

Strategic Operations

• Abrahams Ax domain and infrastructure (abrahams-ax.se)
• Termite.nu - PRQ.se hosting with TOR backend
• BBM Movement infrastructure (bbmovements.com)

​

Procurement Identities

​

Email Accounts

• [email protected] : CMEPZ9WMb8difTw
• [email protected] : 5U5v6L0s
• [email protected] : MXQ8GL5Xqg3yEUV
• [email protected] : RN8OiQ6Y(%H0
• [email protected] : JHg&%asjh98*&^$dI&*^fd
• [email protected] : jgfk&^%hngGJ54*/s+*&%$hggfaD
• [email protected] : GF675%$^#@6-*GH678f-G
• [email protected] : 6EF94ELUgAKdPqH
• [email protected] : 15aB@gd52$kD#
• [email protected] : n!hnuec?'9*Pb2D
• [email protected] : Kh74QjGDq35NtvB

• [email protected] : YHJ*^&R(&FY%RE%&*

​

Service Provider Accounts

• Namecheap - Domain registrar
• NameSilo - Domain registrar
• PRQ.se - Privacy-focused Swedish hosting
• TheOnionHost - TOR hosting services
• Impreza.host - Dark web hosting
• Modernizmir.net - Turkish hosting provider
• PQ.hosting - Privacy hosting
• CloudNS.net - DNS services
• SuperBitHost - SSL certificates

​

Server Credentials

​

Example Exposed Credentials

IP: 95.183.53.24
Login: root
Password: Kcbha6ZsBuTg

aaPanel Internal Address: https://95.183.53.24:37065/f63a6767
Username: le6ddou3
Password: 1cafff29

TOR Host: http://95.183.51.49:7800/88e6c70
Credentials: hhtfhtmz:EyfjC5t5bH@3eqw

IP: 95.169.196.220
TheOnionHost account: [email protected]

​

Attack Infrastructure Details

​

Tunnel Servers

• Maintaining persistence in compromised networks
• Bypassing network security controls
• Establishing reverse proxies using Plink (PuTTY)
• Command and control communications

​

File Storage Servers

• Storing exfiltrated data
• Malware staging and distribution
• Internal file sharing between operatives
• Backup of operational materials

​

Phishing Infrastructure

• Job-themed phishing sites (dreamy-jobs, wazayif-halima, israel-talent)
• Government impersonation domains
• SSL certificates from legitimate providers
• CloudDNS for DNS management and resilience

​

Internal Network Access

​

Communication Systems

• Used for day-to-day operational coordination
• Access credentials documented in infrastructure sheets

• VoIP capabilities for operational communications
• Integration with other team communication tools

• Used for sensitive operational discussions
• Accounts linked to procurement identities

​

Payment Infrastructure

• Bitcoin (BTC) - Primary cryptocurrency for anonymous payments
• Credit cards - Limited use through procurement identities
• PayPal - Occasional use for legitimate-appearing purchases
• Direct hosting billing - For established relationships

​

Operational Security Patterns

​

Procurement Methods

1. Layered identities - Fake personas with consistent email accounts
2. Privacy-focused providers - Preference for PRQ, TheOnionHost, Impreza
3. Cryptocurrency payments - Bitcoin for maximum anonymity
4. ProtonMail accounts - Encrypted email for registrations
5. TOR infrastructure - Dark web hosting for critical operations

​

Infrastructure Management

1. Centralized documentation - Single Excel sheets for all infrastructure
2. Credential reuse - Same procurement identities across multiple services
3. Long-term planning - Multi-year domain registrations and renewals
4. Backup systems - Redundant hosting and multiple TLDs

​

Security Failures

1. Plaintext credentials - All passwords stored in cleartext
2. Centralized documentation - Single point of failure for all infrastructure
3. Limited compartmentalization - All infrastructure documented together
4. Predictable patterns - Consistent naming and procurement methods

​

Timeline and Costs

• Operational timeframe: 2022-2025 (documented periods)
• Domain costs: Ranging from $7-$100 per domain
• Hosting costs: $3-$140 per server per billing period
• SSL certificates: $11-$21 per certificate
• Total documented infrastructure: Hundreds of domains and servers

​

Attribution Indicators

1. BELLACIAO C2 servers - IPs match exposed infrastructure
2. CYCLOPS infrastructure - Overlapping server usage
3. Known phishing campaigns - Domains match reported operations
4. Moses Staff operations - Direct link to IRGC influence operations
5. Personnel connection - Maintained by known IRGC operatives

​

Defensive Recommendations

1. Block exposed IPs and domains - Add to threat intelligence feeds
2. Hunt for related infrastructure - Look for similar patterns
3. Monitor procurement identities - Track the exposed email accounts
4. Update detection rules - Incorporate infrastructure indicators
5. Share intelligence - Contribute findings to the community

​

Next Steps