Beginning in October 2025, a distributed Iran-nexus threat activity cluster initiated a coordinated campaign against enterprise VPN and gateway infrastructure. The dominant vector was high-volume credential stuffing against Cisco ASA SSL-VPN endpoints, executed by six IPs within the Farahoosh Dena /24 subnet (176.46.158.x) that all submitted the same static CSRF token (516cfbe7ebdc7b1aeb85c07863b5fc34e9ec7672), a fingerprint of a single tool driving every node. Credential complexity escalated systematically from trivial sequences to policy-compliant variants, reflecting a structured multi-pass spraying methodology. Late October saw a sustained surge from 50 to 544 daily alerts, signaling deliberate campaign intensification. By November the same Farahoosh Dena infrastructure generated approximately 4,696 combined alerts, while a parallel FortiGate credential-stuffing campaign emerged from Romanian-attributed FEO PREST SRL infrastructure (62.60.135.x) replaying harvested South African corporate credentials, indicating that breach data was being bought or traded and that more than one VPN vendor was in scope.
December 2025 marked a strategic inflection point as the campaign transitioned from concentrated, single-vector credential stuffing to a bifurcated operational model. The FEO PREST SRL precision layer (62.60.135.x) began deploying credentials that referenced named individuals at specific organizations (the SQM mining conglomerate, Altus-branded entities, GPS-coded employer accounts), signaling a shift from opportunistic dictionary attacks to precision targeting with harvested breach data. Simultaneously, a distributed Iranian domestic scanning tier expanded across six state-linked ISPs and introduced CDN laundering through the Noyan Abr Arvan Iranian cloud provider to conceal true origin IPs, which traced to MTN Irancell. Other capabilities seen in this period included cloud/DevOps secrets harvesting (.env, AWS credentials, Laravel logs), HP LaserJet MFP management interface targeting, and country-specific fuzzing of Chinese infrastructure, indicating compartmentalized operational teams or shared tasking with distinct mission sets.
January 2026 showed a notable reduction in overall alert volume (160 alerts versus prior baselines) while the bifurcated infrastructure model persisted. FEO PREST (62.60.131.73) pivoted to exclusive Kenya-focused targeting with 28 alerts comprising country-specific attacks and fuzzing probes, while the Iranian domestic cluster sustained broad geographic opportunism across Serbia, China, Japan, and the Middle East. Episodic bursts (peaks on January 4-5, 16, and 25-28) separated by multi-day dormancy indicated coordinated campaign phases rather than continuous scanning. A previously unseen baithive request containing structured JSON-like fragments from CGI GLOBAL LIMITED (94.183.188.135) suggested experimentation with new payload vectors. 42.5% of source IPs were unknown to the integrated third-party threat intelligence feeds, confirming sustained infrastructure rotation discipline despite the reduced tempo, consistent with a deliberate operational pause or reconfiguration period.
February 2026 represented the most significant escalation of the campaign period, with alert volume nearly quadrupling to 605 alerts from January's 160. China emerged as the dominant external target geography (104 alerts), with FEO PREST (62.60.131.73) executing precision fuzzing and secrets harvesting against Chinese infrastructure. Out-of-band (OOB) callback exploitation using the shared domain produce.seetong.com from two FEO PREST nodes confirmed exploitation maturity beyond reconnaissance: a callback fires only when an injected payload is processed server-side, so it validates RCE and SSRF chains rather than merely probing for them. A shared PHPUnit CVE-2017-9841 exploit kit was used from 12+ distinct ISPs with near-identical URL sequences, demonstrating coordinated playbook distribution within an affiliate network. A compromised academic address, Tehran University of Medical Science (194.225.213.122), appeared as an attack source, indicating opportunistic use of institutional infrastructure as a pivot. Peak activity concentrated on February 21-22 (205 combined alerts within 48 hours), the highest two-day intensity across the entire observation period.
March 2026 (through the 24th) recorded minimal activity—only two alerts—from a single IP (213.176.18.65, E-Large HongKong) exclusively targeting Chinese infrastructure via PHPUnit CVE-2017-9841 path enumeration. While operationally distinct from the Iran-nexus cluster in infrastructure and volume, the China-exclusive geographic focus and shared PHPUnit exploit framework echo techniques observed across multiple prior months, suggesting either a loosely affiliated operator, a shared toolset within a broader ecosystem, or the tail end of a campaign cycle before potential re-escalation. The sharp contrast with February's intensity may indicate a deliberate operational pause, detection-driven withdrawal, or transition to a new infrastructure generation cycle consistent with the rotation discipline documented throughout the campaign.
| Month | Alerts | Unique Attackers | MoM Change | Dominant Country | Key Event |
|---|---|---|---|---|---|
| Oct 2025 | 3,359 | 297 | — | IR (majority) | Farahoosh Dena VPN credential stuffing campaign surges late month |
| Nov 2025 | 7,483 | 314 | +122.8% | IR (majority) | FortiGate targeting added; harvested South African credentials deployed |
| Dec 2025 | 4,955 | 281 | -33.8% | IR (majority) | Named-individual credentials, CDN laundering, DevOps secrets harvesting introduced |
| Jan 2026 | 160 | 73 | -96.8% | IR (majority) | Reduced tempo; Kenya-exclusive FEO PREST targeting; novel JSON payload vector |
| Feb 2026 | 605 | 178 | +278.1% | IR (majority) | Volume quadruples; OOB RCE exploitation; China primary target; PHPUnit kit distributed |
| Mar 2026 | 2 | 1 | -99.7% | HK (100%) | Minimal activity; single HK IP targets China via PHPUnit CVE-2017-9841 |
| TOTAL | 16,564 | — | — | — | 6-month period |
| Alert Type | Alerts |
|---|---|
| Baithive URL request never seen before | 4,946 |
| Baithive Payload never seen before | 4,178 |
| Aggressive Attack Detected Against Trap | 2,938 |
| Baithive payload never seen before | 2,720 |
| Attacker with IP unknown to integrated 3rd party threat intelligence | 1,583 |
| Fuzzing attack | 101 |
| Country specific targeted attack | 74 |
| Hidden Client IP Detected | 16 |
| Injected Out-of-Band Callback Domain Detected | 6 |
| Baithive payload never seen before token | 1 |
| Baithive request never seen before | 1 |
| Country (ISO code) | Alerts |
|---|---|
| DE — Germany | 8,101 |
| KE — Kenya | 3,302 |
| RS — Serbia | 1,235 |
| CN — China | 282 |
| US — United States | 197 |
| ZA — South Africa | 123 |
| CZ — Czech Republic | 84 |
| GB — United Kingdom | 63 |
| JP — Japan | 37 |
| ME — Montenegro | 28 |
| RW — Rwanda | 20 |
| BA — Bosnia and Herzegovina | 20 |
| AZ — Azerbaijan | 16 |
| CA — Canada | 14 |
Threat actors observed across multiple months with sustained or escalating activity.
| IP Address | Active Period | Est. Alerts | Primary Vector | Classification |
|---|---|---|---|---|
| 176.46.158.x /24 (6 IPs, Farahoosh Dena) | Oct–Nov 2025 | ~6,000+ | Cisco ASA SSL-VPN credential stuffing with a shared static CSRF token; attempts spread across six subnet-adjacent IPs | High-Volume Credential Stuffing |
| 62.60.135.x /24 (FEO PREST SRL) | Nov 2025–Feb 2026 | ~5,500+ | FortiGate SSL-VPN credential stuffing with harvested breach data; cloud/DevOps secrets harvesting (62.60.135.189) | Precision Credential Ops |
| 62.60.131.73 (FEO PREST) | Jan–Feb 2026 | ~106 | Country-specific fuzzing (Kenya, China); .env/AWS credential harvesting; OOB exploitation via produce.seetong.com | Active Exploitation |
| 62.60.131.x /24 (FEO PREST SRL) | Dec 2025–Feb 2026 | ~1,500+ | Volumetric aggressive trap engagement running in parallel with the precision credential nodes; includes the second OOB callback node 62.60.131.43 | Volumetric Probe Layer |
| 185.164.254.28 (Atrin ICT) | Feb 2026 | ~90 | Sustained automated trap hammering; high-frequency brute-force persistence | Persistent Trap Actor |
| 185.129.202.216 (Pishgaman) | Jan–Feb 2026 | ~42 | Aggressive trap attacks; sustained honeypot engagement across two months | Recurring Scanner |
| 80.191.240.34 / 80.191.92.193 (Telecom Infrastructure Co.) | Oct 2025–Feb 2026 | ~65+ | Aggressive probing across honeypot infrastructure; state-linked ISP sourcing | State-Linked Probe Node |
| 37.255.224.137 (TCE) | Oct–Nov 2025 | ~35+ | Aggressive trap engagement; highest single-IP trap volume in the October dataset | Scanning Node |
| 213.176.18.65 (E-Large HongKong) | Mar 2026 | ~2 | PHPUnit CVE-2017-9841 path enumeration exclusively targeting Chinese infrastructure | Low-Profile Probe |
| 194.225.213.122 (Tehran Univ. Medical Science) | Feb 2026 | ~5 | Compromised academic address used as an attack source | Compromised Institution |
The dominant and most sustained attack vector throughout the campaign period (October 2025 through February 2026) was large-scale credential stuffing against enterprise SSL-VPN endpoints. Initial operations focused exclusively on Cisco ASA (/+webvpn+/index.html, /+CSCOE+/logon.html) and submitted one static CSRF token (516cfbe7ebdc7b1aeb85c07863b5fc34e9ec7672) from every source in the Farahoosh Dena /24 subnet; a CSRF token is meant to vary per session, so a fixed value across six IPs is a fingerprint of a single tool replaying a captured login form, and it survives IP rotation where address-based blocking does not. By November the attack surface expanded to Fortinet FortiGate (POST /logincheck) via FEO PREST SRL infrastructure. Credential complexity escalated month over month: generic defaults and trivial sequences in October, leet-substitution variants in November, and by December harvested credentials naming specific individuals at specific organizations (SQM, Altus, GPS-coded employer accounts). By February 2026 the corpus included timestamped variants (fortigate2025, ranj@2026, sqm2025!), indicating it is being refreshed rather than replayed from a single old dump. The progression from wordlist-based spraying to precision breach-data targeting is the most significant tactical development of the observation period.
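As an added illustration (not tooling from this report or from the honeypot vendor), the following Python runs the two fingerprints described above over a constructed SSL-VPN login log: per-/24 aggregation and a CSRF token value reused across source IPs. The log format, the thresholds and every sample line are assumptions; the login paths and the token value are the ones named in the text. The point it makes is that none of the six subnet-adjacent sources crosses a per-IP threshold, yet the /24 total and the shared token both trip.

```python
"""Detect /24-coordinated SSL-VPN credential stuffing and a static CSRF token
reused across source IPs. Added example; log format and thresholds assumed."""
import ipaddress
import re
from collections import Counter, defaultdict

# Cisco ASA WebVPN login paths and the FortiGate login endpoint named in the text.
LOGIN_PATHS = {"/+webvpn+/index.html", "/+CSCOE+/logon.html", "/logincheck"}

# Constructed sample log (assumed format: ts ip method path username token|-).
# Six /24-adjacent IPs each send one or two attempts but share one token.
SAMPLE_LOG = """\
2025-10-27T03:12:01Z 176.46.158.11 POST /+webvpn+/index.html admin 516cfbe7ebdc7b1aeb85c07863b5fc34e9ec7672
2025-10-27T03:12:02Z 176.46.158.12 POST /+webvpn+/index.html admin 516cfbe7ebdc7b1aeb85c07863b5fc34e9ec7672
2025-10-27T03:12:03Z 176.46.158.13 POST /+webvpn+/index.html vpnuser 516cfbe7ebdc7b1aeb85c07863b5fc34e9ec7672
2025-10-27T03:12:04Z 176.46.158.14 POST /+webvpn+/index.html test 516cfbe7ebdc7b1aeb85c07863b5fc34e9ec7672
2025-10-27T03:12:05Z 176.46.158.15 POST /+webvpn+/index.html guest 516cfbe7ebdc7b1aeb85c07863b5fc34e9ec7672
2025-10-27T03:12:06Z 176.46.158.16 POST /+webvpn+/index.html admin1 516cfbe7ebdc7b1aeb85c07863b5fc34e9ec7672
2025-10-27T03:12:07Z 176.46.158.11 POST /+webvpn+/index.html svc-adconnect 516cfbe7ebdc7b1aeb85c07863b5fc34e9ec7672
2025-10-27T03:12:08Z 62.60.135.189 POST /logincheck fortigate -
2025-10-27T03:12:09Z 62.60.135.190 POST /logincheck compass005kzn -
2025-10-27T03:12:10Z 203.0.113.7 POST /+webvpn+/index.html jdoe a1b2c3d4e5f60718293a4b5c6d7e8f9012345678
2025-10-27T03:12:11Z 203.0.113.7 GET /+CSCOE+/logon.html - -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_login_attempts(log_text):
    """One dict per POST to a known VPN login path; other lines are ignored."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, user, token = m.groups()
        if method == "POST" and path in LOGIN_PATHS:
            attempts.append({"ts": ts, "ip": ip, "path": path, "user": user,
                             "token": None if token == "-" else token})
    return attempts


def subnet24(ip):
    """Containing /24 as a string, e.g. 176.46.158.11 -> 176.46.158.0/24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def analyze(attempts, per_ip_limit=5, per_subnet_limit=5, min_ips_per_token=3):
    """Aggregate per IP, per /24 and per token value.

    per_ip_limit is the conventional per-source threshold the attackers stay
    under; per_subnet_limit is the /24 threshold that catches the spread. A
    token seen from >= min_ips_per_token sources is a tool fingerprint that
    does not depend on the source address at all."""
    per_ip = Counter(a["ip"] for a in attempts)
    per_subnet = Counter(subnet24(a["ip"]) for a in attempts)
    token_sources = defaultdict(set)
    users_by_subnet = defaultdict(set)
    for a in attempts:
        users_by_subnet[subnet24(a["ip"])].add(a["user"])
        if a["token"]:
            token_sources[a["token"]].add(a["ip"])
    return {
        "per_ip_exceeded": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
        "per_subnet_exceeded": sorted(s for s, n in per_subnet.items() if n > per_subnet_limit),
        "shared_tokens": {t: sorted(ips) for t, ips in token_sources.items()
                          if len(ips) >= min_ips_per_token},
        "users_by_subnet": {s: sorted(u) for s, u in users_by_subnet.items()},
    }


if __name__ == "__main__":
    for key, value in analyze(parse_login_attempts(SAMPLE_LOG)).items():
        print(key, value)
```

The per-IP list comes back empty while the /24 list and the shared-token map both fire, which is exactly the gap a per-IP-only lockout leaves open. In production the token value should be matched against the one each session was actually issued rather than simply counted, but counting distinct sources per token is enough to surface a replayed form.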
A persistent secondary vector was high-frequency, low-payload TCP/UDP probing against the honeypot infrastructure, sourced from dozens to hundreds of distinct IPs across Iranian state-linked and commercial ISPs (Iran Telecommunication Company PJS, Telecommunication Infrastructure Company, MTN Irancell, Iran Information Technology Company PJSC, Afranet, and 20+ smaller providers). This layer generated the majority of raw alert volume across all months. Individual IP hit counts were typically low (1-35 events), but the breadth across ISP space and the frequent absence of these addresses from third-party threat intelligence feeds indicated deliberate use of fresh or rotated IP pools. Peak nodes (185.164.254.28 with 89 trap hits in February, 37.255.224.137 with 35 in October, 2.179.194.138 with 102 events in November) showed automated high-frequency tooling. This scanning tier is consistent with botnet-assisted capability testing, pre-compromise reconnaissance, or persistent infrastructure mapping.
A shared PHPUnit remote code execution exploit kit (CVE-2017-9841, targeting eval-stdin.php) emerged as a cross-ISP distributed capability by February 2026, used from 12+ distinct IP addresses spanning Sefroyek Pardaz Engineering, Varesh Cloud, Respina Networks, Vandad Vira Hooman, Tejarat Electronic, and others. The near-identical five-path URL sequence (/vendor/phpunit/, /lib/phpunit/, /phpunit/, /zend/vendor/, and a standalone layout) across all nodes rules out coincidence and points to shared playbook distribution within a coordinated affiliate network. The vector persisted into March 2026 via E-Large HongKong infrastructure (213.176.18.65), suggesting the kit remains in use beyond the primary Iran-nexus cluster. The vulnerable eval-stdin.php evaluates PHP code read from the request body, so a single POST gives unauthenticated remote code execution on any deployment that ships PHPUnit, normally a development-only dependency, into a web-served path.
Systematic enumeration of cloud credential and configuration exposure paths emerged in November 2025 and intensified through February 2026. Requested paths included .env variants (including percent-encoded traversal forms such as /%2e%2e%2f.env, which decode to ../.env and are meant to slip past naive path filters), AWS credential files (/.aws/credentials), PHP configuration and information-disclosure files (database.php, config.json, phpinfo.php), Laravel application logs (/storage/laravel.log), Kubernetes/Helm environment files (/helm/.env), and Node.js, Python and Java settings files (/s3.js, /s3_config.json, /settings.py, /application.properties). This capability was concentrated in FEO PREST SRL infrastructure (62.60.135.189, 62.60.131.73) and CGI GLOBAL LIMITED, consistent with an initial access brokering or cloud account takeover mission set. The Kubernetes-specific paths show familiarity with containerized infrastructure and its supply-chain exposure points.
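Added example covering both the PHPUnit kit paths and the secrets-harvesting paths above (not the actors' kit and not a vendor WAF signature): a request-path normalizer that undoes the percent-encoded traversal forms, a rule set built from the paths named in the text, a per-source sweep detector for the multi-layout eval-stdin.php sequence, and a defender-side web-root audit. The sample requests, source IPs and rule names are constructed.

```python
"""Normalize request paths, classify PHPUnit (CVE-2017-9841) and secrets probes,
and audit a web root for an exposed eval-stdin.php. Added example."""
import os
import re
from collections import defaultdict
from urllib.parse import unquote


def normalize_path(raw):
    """Strip the query, percent-decode up to three times (double encoding),
    lowercase, and resolve ./ and ../ so /%2e%2e%2f.env becomes /.env."""
    p = raw.split("?", 1)[0]
    for _ in range(3):
        d = unquote(p)
        if d == p:
            break
        p = d
    parts = []
    for seg in p.lower().split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


# Rule names are assumptions; the paths mirror those listed in the text.
RULES = [
    ("phpunit-rce", re.compile(r"(^|/)eval-stdin\.php$")),
    ("phpunit-kit-layout", re.compile(r"^/(vendor/phpunit|lib/phpunit|phpunit|zend/vendor)/")),
    ("secrets-env", re.compile(r"(^|/)\.env(\.[a-z0-9]+)?$")),
    ("secrets-aws", re.compile(r"(^|/)\.aws/credentials$")),
    ("secrets-laravel-log", re.compile(r"/storage/(logs/)?laravel\.log$")),
    ("secrets-s3", re.compile(r"(^|/)(s3\.js|s3_config\.json)$")),
    ("secrets-config", re.compile(
        r"(^|/)(database\.php|config\.json|phpinfo\.php|settings\.py|application\.properties)$")),
]


def classify(raw_path):
    """Rule names matching the normalized path, in RULES order."""
    p = normalize_path(raw_path)
    return [name for name, rx in RULES if rx.search(p)]


def scan_requests(requests, kit_min_layouts=3):
    """requests: iterable of (source_ip, raw_path). Returns per-request hits and
    the sources whose distinct eval-stdin.php layouts reach kit_min_layouts,
    the multi-layout sweep that marks the shared kit."""
    hits = []
    layouts = defaultdict(set)
    for ip, raw in requests:
        cats = classify(raw)
        if cats:
            norm = normalize_path(raw)
            hits.append((ip, norm, cats))
            if "phpunit-rce" in cats:
                layouts[ip].add(norm)
    kit_ips = {ip: sorted(p) for ip, p in layouts.items() if len(p) >= kit_min_layouts}
    return hits, kit_ips


def find_exposed_phpunit(webroot):
    """Defender-side audit: every eval-stdin.php under a web root, whatever the
    vendor layout. Anything returned is reachable if that directory is served."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        if "eval-stdin.php" in files:
            found.append(os.path.join(dirpath, "eval-stdin.php"))
    return sorted(found)


# Constructed sample traffic (not from the report's dataset).
SAMPLE_REQUESTS = [
    ("203.0.113.50", "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"),
    ("203.0.113.50", "/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php"),
    ("203.0.113.50", "/phpunit/phpunit/src/Util/PHP/eval-stdin.php"),
    ("203.0.113.50", "/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"),
    ("203.0.113.50", "/phpunit/src/Util/PHP/eval-stdin.php"),
    ("198.51.100.9", "/%2e%2e%2f.env"),
    ("198.51.100.9", "/.aws/credentials"),
    ("198.51.100.9", "/helm/.env?x=1"),
    ("198.51.100.9", "/storage/laravel.log"),
    ("192.0.2.77", "/index.php"),
]

if __name__ == "__main__":
    hits, kit = scan_requests(SAMPLE_REQUESTS)
    for h in hits:
        print(h)
    print("kit sweep:", kit)
    print("exposed locally:", find_exposed_phpunit("."))
```

Normalizing before matching is the part that matters: a rule written against the literal `/%2e%2e%2f.env` misses `/%252e%252e/.env` and `/./.env`, while a rule against the decoded, traversal-resolved path catches all three. The kit detector keys on the sweep shape rather than any one URL, which is what distinguishes the distributed kit from a lone scanner that tries only the default vendor path.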
Active exploitation beyond passive reconnaissance was confirmed in February 2026 through out-of-band (OOB) callback injection using the shared domain produce.seetong.com from two FEO PREST nodes (62.60.131.73 and 62.60.131.43). An OOB callback fires only when an injected payload is processed server-side, so an observed resolution or connection to the callback domain is positive confirmation of an SSRF, RCE or injection primitive; this is a qualitative escalation from credential harvesting to confirmed exploitation with dedicated confirmation infrastructure. The same callback domain on two distinct IPs indicates common tooling under one operator's control rather than independent actors.
IoT and embedded device exploitation appeared across multiple months as a tertiary capability. In October 2025, IP 178.173.218.62 (Shiraz Hamyar Co.) exploited a Netgear router RCE (setup.cgi?todo=syscmd) to deploy Mozi botnet malware (Mozi.m). November and December introduced systematic HP LaserJet MFP management interface targeting (/set_config_netIdentification.html, /set_config_IP.html, /set_config_deviceinfo.html, /cgi-bin/netset.cgi), with one instance submitting a DNS hijacking payload (a hardcoded 95.x.x.x DNS server) to printer administration endpoints. The requests were specific to the HP LaserJet MFP M426D model, indicating a dedicated printer exploitation module; a printer whose DNS is redirected becomes a source of harvested asset data and a potential pivot into the internal network.
A deliberate anti-attribution technique appeared in December 2025 through the Noyan Abr Arvan Iranian cloud/CDN provider. Three IPs (94.101.182.11, 37.32.19.4, 94.101.182.13) fronted the attack traffic, with the true origin addresses (94.101.179.184, 5.122.196.21, 188.121.120.21) visible only in the X-Forwarded-For chain behind the CDN and Akamai egress nodes. Origin IP 5.122.196.21 traced to MTN Irancell, confirming domestic infrastructure behind a CDN proxying layer. The technique was absent from October-November activity, represents an evasion uplift, and suggests the actor tracks IP reputation and adapts. For defenders the consequence is twofold: blocking on the connecting address alone blocks the CDN node rather than the origin, while trusting X-Forwarded-For blindly allows any client to present a fabricated chain, so the header must be evaluated only from proxies the defender actually trusts.
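Trusted-proxy evaluation of the X-Forwarded-For chain, as an added example (not the honeypot's "Hidden Client IP" logic). It walks the chain from the direct peer leftwards, strips only hops inside ranges the defender has verified as its own edge or CDN egress, takes the first untrusted hop as the client, and discards the header entirely when the direct peer is untrusted. The proxy ranges are placeholders: the first is simply the /24 containing the three Arvan-routed addresses in the text, used here to make the example concrete, and must be replaced with the provider's published list. The indicator set is the three true-origin IPs the text names; expanding it to ASN ranges is left to the operator's intelligence feed.

```python
"""Derive the real client from X-Forwarded-For using only trusted proxy ranges,
then match it against origin indicators. Added example; ranges are placeholders."""
import ipaddress

# Assumption: ranges verified as the defender's CDN/edge egress (replace these).
TRUSTED_PROXIES = [ipaddress.ip_network(c) for c in ("94.101.182.0/24", "198.51.100.0/24")]

# True-origin addresses named in the text, as exact-match indicators.
ORIGIN_INDICATORS = {ipaddress.ip_address(i)
                     for i in ("94.101.179.184", "5.122.196.21", "188.121.120.21")}


def _trusted(hop, trusted):
    try:
        a = ipaddress.ip_address(hop)
    except ValueError:
        return False                     # a malformed hop is never a trusted proxy
    return any(a in n for n in trusted)


def resolve_client(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Walk right-to-left: the direct peer first, then XFF entries. Hops inside
    trusted ranges are proxies we expect; the first hop outside them is the
    client. If the direct peer itself is untrusted, the client supplied the
    header and it is ignored (spoofing attempt)."""
    xff = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    hops = xff + [peer_ip]               # leftmost = claimed client, rightmost = peer
    i = len(hops) - 1
    while i >= 0 and _trusted(hops[i], trusted):
        i -= 1
    if i < 0:
        # Every hop is a trusted proxy: the chain names no client at all.
        return {"client": None, "via_proxy": True, "xff_ignored": False,
                "proxies_stripped": len(hops)}
    return {
        "client": hops[i],
        "via_proxy": i < len(hops) - 1,
        "xff_ignored": i == len(hops) - 1 and bool(xff),
        "proxies_stripped": len(hops) - 1 - i,
    }


def origin_flag(client_ip, indicators=ORIGIN_INDICATORS):
    """True when the derived client is a known true-origin indicator."""
    try:
        return ipaddress.ip_address(client_ip) in indicators
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    # Constructed requests: the CDN-laundered case from the text, a two-proxy
    # chain, and a direct client that forges the header.
    for peer, xff in (("94.101.182.11", "5.122.196.21"),
                      ("198.51.100.77", "5.122.196.21, 94.101.182.11"),
                      ("203.0.113.9", "8.8.8.8")):
        r = resolve_client(peer, xff)
        print(peer, repr(xff), r, "flagged" if origin_flag(r["client"]) else "clear")
```

The direction of the walk is the whole design: XFF is appended to by each proxy, so only the rightmost entries were written by infrastructure the defender controls or has verified, and everything to the left of the first untrusted hop is attacker-controllable text. An action taken on the derived client (rate limit, step-up challenge, block) is then independent of which CDN node happened to carry the request.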
| Priority | Recommendation | Threat Basis |
|---|---|---|
| CRITICAL | Enforce multi-factor authentication and adaptive lockout on all SSL-VPN endpoints (Cisco ASA, Fortinet FortiGate), prioritizing service accounts and cloud-integrated roles (svc-adconnect, openshift, ec2-user, sslvpnvitsa). Rate-limit per /24 source subnet in addition to per-IP thresholds, and alert on any CSRF or form token value reused across multiple source IPs, since a static token is a tool fingerprint that survives IP rotation. | Six-IP Farahoosh Dena subnet and four-IP FEO PREST subnet each spread credential stuffing across subnet-adjacent nodes so that no single IP crossed a per-IP threshold. Static CSRF token reuse and a shared credential corpus indicate single-tool coordination across distributed egress. |
| CRITICAL | Immediately audit and remediate all internet-facing PHP applications for PHPUnit installations reachable in production (CVE-2017-9841). Remove PHPUnit from production deployments, build with `composer install --no-dev` in the pipeline, verify that no `eval-stdin.php` exists under any served directory, and deploy WAF rules that match `eval-stdin.php` on the decoded, traversal-resolved path across `/vendor/`, `/lib/`, `/zend/vendor/` and standalone `/phpunit/` layouts. | PHPUnit CVE-2017-9841 exploit kit used from 12+ distinct ISP-sourced IPs in February 2026 with identical five-path URL sequences, persisting into March 2026 via Hong Kong infrastructure. Enables unauthenticated RCE on production PHP environments. |
| CRITICAL | Conduct an immediate credential breach assessment using the observed organizational identifiers (SQM, Altus, GPS-coded accounts, compass*kzn/jhb usernames) against internal user directories. Force password resets for all accounts matching harvested credential patterns and add breach-password screening to authentication workflows (for example the Have I Been Pwned Pwned Passwords range API, which receives only the first five characters of the SHA-1 hash, so no password or full hash leaves the organization). | December 2025 FEO PREST campaign deployed credentials referencing named individuals at specific organizations with timestamped variants (sqm2025!, Altus@54321, ranj@2026), confirming use of harvested breach data that is being refreshed over time. South African corporate usernames (compass005kzn) indicate cross-organizational breach data marketization. |
| HIGH | Enumerate and protect all cloud credential and secrets exposure vectors: audit web roots for accessible .env files, AWS credential paths (/.aws/credentials), phpinfo.php endpoints, database.php, Laravel storage logs, and Kubernetes/Helm environment files. Implement automated secret scanning in CI/CD pipelines and deploy runtime secret detection for cloud-native deployments. | Systematic secrets harvesting across .env, /.aws/credentials, /helm/.env, /storage/laravel.log, and /s3_config.json paths conducted by FEO PREST and CGI GLOBAL LIMITED nodes from November 2025 through February 2026, targeting cloud account takeover and DevOps credential exfiltration objectives. |
| HIGH | Block and alert on out-of-band DNS/HTTP callback infrastructure: add produce.seetong.com and associated domains to DNS sinkholes and egress proxy blocklists. Deploy SSRF protection on all server-side HTTP request handlers. Monitor internal systems for unexpected outbound connections to unknown domains, particularly during application processing of user-controlled URLs. | OOB callback domain produce.seetong.com confirmed active in February 2026 across two FEO PREST nodes for RCE/SSRF chain validation, representing confirmed active exploitation beyond reconnaissance with centralized C2 infrastructure. |
| HIGH | Audit and harden all internet-exposed printer and IoT device management interfaces. Remove HP LaserJet MFP and similar embedded device admin panels from internet-accessible subnets. Deploy network segmentation isolating print/IoT infrastructure. Rotate DNS server configurations on all network-attached devices and monitor for unauthorized DNS server changes. | Mozi botnet deployment via Netgear RCE in October 2025, followed by HP LaserJet MFP targeting with DNS hijacking payloads (hardcoded 95.x.x.x DNS) across November–December 2025, indicating persistent IoT exploitation capability with network pivot potential. |
| HIGH | Derive the client address from the X-Forwarded-For chain by trusting only your own edge and the CDN egress ranges you have verified, and discard any X-Forwarded-For values presented by an untrusted direct peer. Flag sessions whose derived client falls in MTN Irancell or other flagged Iranian mobile ISP ranges, including those arriving via Noyan Abr Arvan (ARVANCLOUD-AS). Apply step-up authentication challenges to CDN-proxied sessions rather than relying on the reputation of the egress IP. | December 2025 Noyan Abr Arvan CDN laundering concealed MTN Irancell true origin IPs behind X-Forwarded-For chains and Akamai egress nodes, a deliberate anti-attribution countermeasure that makes blocking on the connecting address alone ineffective without header chain analysis. |
| MEDIUM | Deploy subnet-level and ASN-level blocking for confirmed persistent attack infrastructure: FEO PREST SRL (62.60.131.0/24, 62.60.135.0/24), Farahoosh Dena (176.46.158.0/24), and Atrin ICT high-volume nodes. Supplement with behavioral detection (static CSRF token reuse, credential corpus fingerprinting) for evasion-aware blocking that persists through IP rotation. | FEO PREST /24 subnets active across four consecutive months (Nov 2025–Feb 2026) with coordinated credential stuffing. Farahoosh Dena /24 sustained across two months. Static CSRF token 516cfbe7ebdc7b1aeb85c07863b5fc34e9ec7672 provides stable behavioral fingerprint independent of IP rotation. |
| MEDIUM | Investigate and remediate the compromised Tehran University of Medical Science infrastructure (`194.225.213.122`) if any administrative or organizational relationship exists. Treat all traffic from academic and institutional IP ranges in Iranian address space as potentially compromised pivot nodes requiring enhanced scrutiny rather than trust-by-affiliation. | Tehran University of Medical Science IP appeared as attack source in February 2026, indicating compromised institutional infrastructure used as a pivot/launch point—a documented Iranian APT tradecraft pattern for extending operational reach through trusted-appearing sources. |
| LOW | Establish a continuous threat intelligence ingestion pipeline specifically monitoring FEO PREST SRL (ASN-level), Farahoosh Dena, Iranian state ISP address blocks (Iran Telecommunication Company PJS, Telecommunication Infrastructure Company, Iran ITC PJSC, MTN Irancell), and E-Large HongKong. Integrate honeypot feed data to provide advance warning of new attack infrastructure before it reaches production systems. | A substantial share of attacking infrastructure had no prior third-party threat intelligence footprint (42.5% of source IPs in January 2026; 1,583 alerts flagged as unknown-to-threat-intel across the six months), confirming systematic use of fresh or rotated IPs. Proactive ASN-level monitoring and honeypot telemetry integration provide the earliest available warning against this evasion pattern. |
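The breach-password screening and harvested-pattern check from the credential recommendation above, as an added example (not the report authors' code). The Pwned Passwords range API is real and works as shown (SHA-1 the password, send only the five-character hex prefix to https://api.pwnedpasswords.com/range/, match the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines); the network call is injected so the offline version answers from a constructed corpus of the timestamped variants the text cites, with made-up counts. The username regex encodes only the identifier shapes the text names.

```python
"""Pwned Passwords k-anonymity screening plus harvested-username pattern check.
Added example; the offline corpus and counts are constructed."""
import hashlib
import re
from urllib.request import Request, urlopen

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Upper-case hex SHA-1 split into the 5-char prefix that is sent and the
    35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, fetch_range):
    """fetch_range(prefix) -> text of 'SUFFIX:COUNT' lines for that prefix.
    Returns how many times the password appears in the breach corpus (0 if none)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        s, _, count = line.strip().partition(":")
        if s.upper() == suffix:
            return int(count or 0)
    return 0


def live_fetch_range(prefix):
    """Real API call; not used by the offline demo. The service requires a User-Agent."""
    req = Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "breach-screen-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed corpus standing in for the service (assumption): the timestamped
# variants named in the text, with made-up prevalence counts.
_CORPUS = {"fortigate2025": 12, "ranj@2026": 3, "sqm2025!": 7, "Altus@54321": 2}


def offline_fetch_range(prefix):
    """Same response shape as the real endpoint, built from _CORPUS."""
    assert len(prefix) == 5              # the k-anonymity contract: never more than 5 chars
    lines = []
    for pw, n in _CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)


# Username shapes from the harvested corpus described in the text (compass005kzn etc.).
HARVESTED_USER_RE = re.compile(r"^(compass\d{3}(kzn|jhb)|sqm[\w.-]*|altus[\w.-]*)$", re.I)


def matches_harvested_pattern(username):
    return bool(HARVESTED_USER_RE.match(username))


def screen_credential(username, password, fetch_range=offline_fetch_range, reset_at=1):
    """Policy decision: force a reset when the password is breached at least
    reset_at times or the username matches a harvested-corpus pattern."""
    count = pwned_count(password, fetch_range)
    harvested = matches_harvested_pattern(username)
    return {"pwned_count": count, "harvested_user": harvested,
            "force_reset": count >= reset_at or harvested}


if __name__ == "__main__":
    for user, pw in (("jdoe", "fortigate2025"), ("compass012jhb", "Tr0ub4dor&3"),
                     ("jdoe", "correct horse battery staple")):
        print(user, screen_credential(user, pw))
```

Swap `offline_fetch_range` for `live_fetch_range` to query the real service; the calling code is unchanged because the k-anonymity property lives in `pwned_count`, which only ever hands the fetcher a five-character prefix.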