Iran Cyber Threat Intelligence Report: Spiraling Attacks: Iranian Hacking Campaign

In this report, the Miaan digital research team shows how a private group used malware in cyber-attacks on hundreds of Iranian dissidents and activists. These attacks stole data, passwords, personal information, and more.

The research began after the Centre for Human Rights in Iran (CHRI) published a report in February 2018 describing how malware targeted the web administrator of Majoban Noor, a website associated with the Nematollahi Gonabadi Sufi order in Iran. After two years of research that uncovered a web of domain names, apps, and accounts, it became apparent that the malware and related phishing attacks were linked to Andromedaa, a private group based in the city of Mashhad. Andromedaa used the same command-and-control server as the attackers and had registered several website domains used for phishing and malware distribution. Some of Andromedaa’s activities were independently identified by Talos Intelligence and the Center of Iranian National Computer Emergency Response Team – MAHER-ماهر.

Read the report for more details.
