🇮🇷 IR5 malware families

Greenbug

Also known asGreenbug

Greenbug is an Iranian threat actor associated in the provided reporting with credential theft, remote access tooling, DNS-tunneling command-and-control, and infrastructure impersonating regional technology and security companies. The content links Greenbug to activity supporting Shamoon operations against Saudi organizations, where the group was assessed to help steal user credentials ahead of destructive attacks. Researchers also reported Greenbug registering lookalike domains impersonating Israeli high-tech and cybersecurity companies, as well as a Saudi electrical testing and commissioning company, and using domains such as thetareysecurityupdate[.]com and securepackupdater[.]com for command and control. The group is associated with the ISMdoor/Ismdoor remote access trojan and related tooling referred to in the content as ISMAgent. Reporting cited in the content states Greenbug used HTTP-based C2 in earlier versions and later shifted to covert DNS-based C2, including DNS TXT and AAAA queries for bidirectional communications, command delivery, and data exfiltration. The DNS channel was described as rare, covert, and suited to long-term operations. The content also notes that ISMAgent used a DNS tunneling protocol very similar to ISMDoor, and separate reporting linked ISMAgent/ISMDoor-style tooling to OilRig tradecraft. The analyzed Greenbug RAT existed in at least three versions, with the latest identified as version 5.0.0. Across versions it used timer-queue callbacks and multiple threads to manage execution, connectivity checks, and command retrieval. It communicated with update.winappupdater.com over HTTP paths including /Home/CC and /Home/CR, and referenced /Home/SCV, /Home/BM, /Home/AV, /Home/CR, and /Home/CC. Capabilities described in the content include self-update, self-removal, configuration retrieval, command execution, host and network reconnaissance, security-product enumeration via WMIC against root\SecurityCenter and root\SecurityCenter2, keylogging via WinIt.exe, Powercat-based shell access to a remote server on port 4444, and Mimikatz execution. The SI functionality collected username, IP configuration, net view output, domain administrator user information, current network connections, system information, task lists, services, and security product information. The content also states the malware used PowerShell UAC bypass scripts including Invoke-BypassUAC and Invoke-PsUACme. Known aliases and related names directly mentioned in the content include Greenbug, ISMdoor/Ismdoor, and ISMAgent.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Software & Services
Commercial & Professional Services

Where they target

Geographies tied to known operations.

🇮🇱 Israel
🇸🇦 Saudi Arabia

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

22 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics28 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1583

Acquire Infrastructure

T1583.001

Domains

TA0001

Initial Access

1 technique

T1566

Phishing

T1566.002

Spearphishing Link

TA0002

Execution

1 technique

T1059

Command and Scripting Interpreter

T1059.001

PowerShell

TA0004

Privilege Escalation

1 technique

T1548

Abuse Elevation Control Mechanism

T1548.002

Bypass User Account Control

TA0006

Credential Access

2 techniques

T1003×2

OS Credential Dumping

T1056

Input Capture

T1056.001×2

Keylogging

TA0007

Discovery

9 techniques

T1007

System Service Discovery

T1016

System Network Configuration Discovery

T1033

System Owner/User Discovery

T1046

Network Service Discovery

T1049

System Network Connections Discovery

T1057

Process Discovery

T1082

System Information Discovery

T1087

Account Discovery

T1518

Software Discovery

TA0009

Collection

1 technique

T1056

Input Capture

T1056.001×2

Keylogging

TA0011

Command and Control

3 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1071.004

DNS

T1105

Ingress Tool Transfer

T1219

Remote Access Tools

TA0010

Exfiltration

1 technique

T1041

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

ISMDoorOn 15 October 2017 a sample of ISMdoor was submitted to VirusTotal from Iraq. The sample name was WmiPrv.tmp (f5ef3b060fb476253f9a7638f82940d9) and it had the following PDB string: C:\Users\Void\Desktop\v 10.0.194\x64\Release\swchost.pdb2May 25, 2026

ISM RATYara Signature rule trojan_ismrat_gen { meta: description = "ISM RAT" ... } ... The second and 5.0.0 versions ... store the name of the executable Ism.exe in a structure.1Mar 18, 2026

ISMAgentISMAgent uses the DnsQuery_A API function to issue DNS AAAA requests to resolve custom crafted subdomains at an actor owned domain to send data to and receive commands from OilRig.1Mar 18, 2026

MimikatzOne is “CreateMimi1Bat”; which likely executes Mimikatz (executes PowerShell scripts: ccd61.ps1 and Invoke-bypassuac), according to Arbor.1Mar 18, 2026

ShamoonResearchers have identified a possible new collaborator in the continued Shamoon attacks against Saudi organizations... helping Shamoon steal user credentials of targets ahead of Shamoon’s destructive attacks.1Mar 18, 2026

IOCS

Observables

33 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

33 IOCsView more in app

Domains

21 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+13

ip.v4

6 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

hash.md5

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

hash.sha256

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

palo alto networks unit 42 blogNews

Apr 16, 2019

DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling

Referenced only as a separate cluster previously linked to ISMDoor; mentioned to contextualize similarities between ISMAgent and ISMDoor DNS-tunneling behavior.

clearsky blogNews

Oct 24, 2017

Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies

Registered lookalike domains impersonating Israeli high-tech and cybersecurity companies, and used ISMdoor samples and related command-and-control infrastructure in a likely targeting campaign.

threatpostNews

May 2, 2017

Shamoon Collaborator Greenbug Adopts New Communication Tool

Credential-theft and remote access activity supporting Shamoon operations, including use of the Ismdoor RAT with DNS-based C2 (DNS tunneling/DNSMessenger-style) to issue commands and exfiltrate data; uses credential dumping (likely Mimikatz) and keylogging to harvest credentials ahead of destructive attacks.

ncc group researchNews

Feb 17, 2017

ISM RAT

Uses a remote access Trojan for cyberespionage and victim information collection; according to Symantec, the RAT and other tools were used to collect user information later used in execution of the wiper malware Disttrack.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping22

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables33

Domains, IPs, and hashes tied to this actor, refreshed continuously.