Iranians Behind StoneDrill and NewsBeef Malware

Using simple techniques available to any security vendor looking at VirusTotal data, ICNA has found and clearly identified the hacker xman_1365_x as being behind the StoneDrill and NewsBeef malware.

Mahdi Honarvar

xman_1365_x is self-identified on forums as Mahdi Honarvar from Mashad. He is shown to be linked to the third wave of attacks by the Shamoon-2 wiper malware.

Not content with being exposed 3 years ago as a member of the Cyber Army Institute of Nasr, he has continued to work for the Kavosh front company. This now shows that he and others, through their poor security procedures, have enabled outsiders to easily link the malware back to the Iranian State, inviting retribution from those who were affected.

The size of the NewsBeef and StoneDrill attacks suggests an organized team effort, and searches have revealed that he could be part of an organized group. Might some of those whom Iran Khabarestan exposed as researching and developing spyware against conscientious and political opponents of the Islamic Republic also be involved? They are as follows:

Malek Mohammadinezhad

He is head of the fake Kavosh company and uses the email address [email protected]. His email address, along with the address [email protected], is seen on the barnamenevis.org programming forum. This forum has a large number of Iranian users, and others could have been recruited from it to help him develop his spyware. Are there others on this forum who have been working for the State?

Behzad Shamsi Achachluei

Achachluei is a spyware and malware developer for smartphones and uses the email address [email protected].

Saeid Beiki

Beiki discovers vulnerabilities and informs the IRGC so that they can spy on people and start cyberwars. He uses the email address [email protected]. His own resume states that in the past he has been a 'Malware Analyst, Kavosh Security Center, Tehran'.

Mehdi Hoseinzadeh

Hoseinzadeh is a spyware developer and uses the email address [email protected].

Milad Torkashvan

Torkashvan is involved in the research and development (R&D) of cloud-based attack systems, working as a malware developer. He uses the email address [email protected].

Sayyed Javad Sayyedhamzeh

Sayyedhamzeh is a spyware and destructive malware developer using the email address [email protected].

Javad Heidariyan

Heidariyan codes malware to spy on Iranians and uses the email address [email protected].

Nima Nikju

Nikju (Nikjoo) works on coding malware to spy on Iranians, and his email address is [email protected]. Nikjoo has been careless in the past, posting his links to Kavosh in his resume.

Mohammad Paryar

Paryar also codes malware to spy on Iranians and uses the email address [email protected].

The original blog post from which this information is taken is on Iran Khabarestan, available HERE. Two of those indicted by the US FBI in 2016, Hamid Firuzi and Nader Saedi, are also named in the article.

It is clear that the attackers have made security mistakes throughout their operations, exposing many details. ICNA is sure that security firms will continue to monitor the malware attacks. The IRGC spyware programme is obviously disorganized and careless and, far from enhancing the reputation of the State, it is exposing itself and its operators to revelation by those with the most basic of analytical skills.
