The Water Is So Muddy That You Can’t See Clearly The Big Picture
Overview: This post is long overdue and, unlike most of my posts, it is not a technical post but rather a high-level, strategic one, although it does contain references to a plethora of technical resources. On March 2nd I dropped a bomb on Twitter, saying that a specific certificate was being used to sign binaries by an Iranian APT. This caused some confusion in the community and started a chain reaction of numerous reports about related activity from multiple vendors. However, because each vendor has its own unique telemetry, the complete picture was not seen in its entirety due to the lack of connecting evidence. This can be seen in krypt3ia's analysis of the reports that followed my Twitter post. While I was thinking about how to approach this and publicly share findings, a private report was made available to SentinelOne's Wayfinder customers on March 27. During the month of April there was only one report, not directly linked to MuddyWater, but recently, during May, two reports were publicly shared tha...

