Iran-Run ISP ‘Cloudzy’ Caught Supporting Nation-State APTs, Cybercrime Hacking Groups

Researchers unmask an Iranian-run company providing command-and-control services to hacking groups, including state-sponsored APT actors.


Researchers at cybersecurity startup Halcyon have unmasked an Iranian-run company providing command-and-control services to more than 20 hacking groups, including ransomware operators, spyware vendors, and state-sponsored APT actors.

The company, identified as Cloudzy, is registered in the United States, but Halcyon believes that it is operated out of Tehran, Iran, by an individual named Hannan Nozari, likely in violation of US sanctions.

In a research note published on Tuesday, Halcyon said the ISP acts as a command-and-control provider (C2P) for various types of threat actors, advertises its services as protecting user anonymity, and does not appear to respond when malicious activity is brought to its attention.

Halcyon said Cloudzy only requires a working email address for registration, never verifies the identity of customers, and accepts anonymous payment in cryptocurrencies. Although its terms and conditions prohibit the use of its services for illicit activities, Halcyon found that the cloud provider asks abusers to pay a nominal fee to continue operations.

Halcyon said it discovered that more than half of the servers hosted by Cloudzy appear to directly support malicious activities, mainly on infrastructure loaned from a dozen other ISPs.

“Our research assesses that Cloudzy’s RDP services, and nearly all malicious activity we identified were principally run from the IP space owned by other Internet service providers,” Halcyon said.

During a 90-day analysis of Cloudzy’s services, Halcyon discovered attack infrastructure associated with hacking groups tied to the Chinese, Iranian, Indian, North Korean, Pakistani, Russian, and Vietnamese governments, with the sanctioned Israeli spyware vendor Candiru, and with cybercrime rings and ransomware groups.


The investigation revealed the existence of two previously unreported ransomware groups that rely on Cloudzy as a C2P: Ghost Clown (seen deploying Cobalt Strike implants and the Conti and BlackBasta ransomware) and Space Kook (which relies on Cobalt Strike and the Quantum Locker and Royal ransomware).

Halcyon also discovered that Cloudzy is a company registered in the United States, although it has no physical office in the country. Digging further, it identified a connection with the Iranian firm abrNOC, also allegedly founded by Hannan Nozari, whom the company traced to Tehran, Iran.

The researchers identified eight other individuals who appear to be employed at Cloudzy but are in Iran, and discovered a crossover between some of them and employees of abrNOC.

The Halcyon investigation revealed that Cloudzy only exists on paper, with its so-called employees being the employees of abrNOC in Tehran. Some Cloudzy bloggers are either made up or employees of abrNOC.

“Halcyon therefore assessed with high confidence that C2P Cloudzy is almost certainly a cutout for the actual hosting company, abrNOC, operating out of Tehran, Iran,” the cybersecurity firm added.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
