Windows Update from Tehran: Mapping Live Iranian APT Infrastructure Across Four Continents | Intercept Cell
A systematic Shodan hunt for fake Microsoft, Google, and LinkedIn certificates uncovered 635 pieces of suspicious infrastructure, including two confirmed Cobalt Strike teamservers disguised as Windows Update. One operates from the Iranian Research Organization for Science & Technology with DNS records pointing to update.microsoft.com, proxied through a Hong Kong VPS. The other sits on Vietnam\
We built a scanner to find nation-state phishing and C2 infrastructure by hunting for SSL certificates that impersonate major technology companies. Querying Shodan across 25 targeted searches, we found 635 hits: 244 fake service-impersonation certificates, 86 expired certificates on likely burned infrastructure, two confirmed Cobalt Strike beacons, a live Charming Kitten C2, and fake credential-harvesting pages deployed in countries Iran targets. None of this has been previously published.

The hunt queried Shodan for SSL certificates whose Common Name (CN) claimed to be a legitimate service (update.microsoft.com, accounts.google.com, outlook.live.com, login.microsoftonline.com, www.linkedin.com) but whose hosting organization was not the actual owner. Results were filtered to exclude CDN providers (Akamai, Cloudflare, Fastly) to reduce noise. Additional queries targeted known Iranian APT tooling: SimpleHelp and ScreenConnect instances (MuddyWater), offensive tools hosted in Iran, and non-standard port listeners on Iranian infrastructure. Each hit was then deep-probed: full SSL certificate extraction, HTTP responses with host-header variation testing, TCP banner grabs, InternetDB enrichment, reverse DNS, and Cobalt Strike beacon detection.

The most significant discovery is a live Cobalt Strike teamserver at 213[.]176[.]77[.]12, registered to the **Iranian Research Organization for Science & Technology (IROST)**, a government institution under Iran's Ministry of Science, Research, and Technology. The server's DNS records are configured to impersonate Windows Update infrastructure:

The SSL certificate presents CN redir.update.microsoft.com with issuer "Microsoft Corporation", a self-signed certificate designed to make C2 traffic look like routine Windows Update activity to network monitoring tools. The server runs **Microsoft IIS 10.0 on Windows** with JARM fingerprint 29d29d00000000000029d29d29d29d0f0dcb2ae084f34cae790be1eab88c30.
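As an added example (not the scanner's own code), the triage logic described above applied to Shodan-style host records: a hit is kept when the certificate CN matches a hunted hostname but the hosting organization is neither the legitimate owner nor a CDN, and it is additionally tagged when the certificate is self-signed (issuer identical to subject) or expired. The owner-substring list, the CDN list, the fixed clock and the sample records are all assumptions constructed for this example.

```python
"""Triage Shodan-style SSL records for certificates impersonating major services
(assumed heuristics modelled on the hunt described in the article, not Shodan's logic)."""
from datetime import datetime, timezone

# Hunted hostnames -> substrings of organisations that may legitimately serve them (assumed list).
LEGIT_OWNERS = {"update.microsoft.com": ("microsoft",), "login.microsoftonline.com": ("microsoft",),
                "accounts.google.com": ("google",), "www.linkedin.com": ("linkedin", "microsoft")}
CDN_ORGS = ("akamai", "cloudflare", "fastly")   # noise filter the hunt applied
SHODAN_TS = "%Y%m%dT%H%M%SZ"                    # format of ssl.cert.expires in Shodan JSON
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc) # fixed clock so results are reproducible

def cn_matches(cn, target):
    """True if the CN is the target host or a subdomain of it (e.g. redir.update.microsoft.com)."""
    cn = cn.lower().lstrip("*.")
    return cn == target or cn.endswith("." + target)

def triage(record, now=NOW):
    """Return finding tags for one host record; [] means legitimate owner or CDN noise."""
    cert = record.get("ssl", {}).get("cert", {})
    subject, issuer = cert.get("subject", {}), cert.get("issuer", {})
    org = (record.get("org") or "").lower()
    target = next((t for t in LEGIT_OWNERS if cn_matches(subject.get("CN", ""), t)), None)
    if target is None or any(c in org for c in CDN_ORGS):
        return []
    findings = []
    if not any(o in org for o in LEGIT_OWNERS[target]):
        findings.append("impersonation:" + target)
    if subject and subject == issuer:            # issuer identical to subject: self-signed
        findings.append("self-signed")
    expires = cert.get("expires")
    if expires and datetime.strptime(expires, SHODAN_TS).replace(tzinfo=timezone.utc) < now:
        findings.append("expired")               # candidate for burned infrastructure
    return findings

# Constructed sample records (RFC 5737 addresses, fictitious organisations).
MS_SELF = {"CN": "redir.update.microsoft.com", "O": "Microsoft Corporation"}
SAMPLE = [
    {"ip_str": "192.0.2.10", "org": "Example Research Institute",
     "ssl": {"cert": {"subject": MS_SELF, "issuer": dict(MS_SELF), "expires": "20271101T000000Z"}}},
    {"ip_str": "192.0.2.11", "org": "Google LLC",
     "ssl": {"cert": {"subject": {"CN": "accounts.google.com"}, "issuer": {"O": "Google Trust Services"}}}},
    {"ip_str": "192.0.2.12", "org": "Cloudflare, Inc.",
     "ssl": {"cert": {"subject": {"CN": "www.linkedin.com"}, "issuer": {"O": "Example CA"}}}},
    {"ip_str": "192.0.2.13", "org": "Example Hosting Ltd", "ssl": {"cert": {
     "subject": {"CN": "login.microsoftonline.com"}, "issuer": {"O": "Example CA"}, "expires": "20240101T000000Z"}}},
]

def hunt(records=SAMPLE):
    """Map each flagged IP to its finding tags, dropping hosts with no findings."""
    return {r["ip_str"]: tags for r in records if (tags := triage(r))}
```

Against real Shodan output the same function runs over each result's `ip_str`, `org` and `ssl.cert` fields; the flagged hosts are the candidates for the deep-probe stage.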