Security researchers identified a sophisticated campaign leveraging dormant but meticulously prepared infrastructure, bearing all the hallmarks of APT34 (OilRig).
The operation revolved around a cluster of domains and servers configured to imitate an Iraqi academic institute and several fictitious UK technology firms.
Although these resources remained inactive from a malware delivery perspective, their staging revealed valuable indicators for early detection.
Mimicry, Port 8080 Decoys, and Repeatable Patterns
The campaign’s earliest footprint was observed in late 2024, via the registration of biam-iraq[.]org, which closely resembled a legitimate educational institution.
Initially hosted by Host Sailor, the domain transitioned within days to an M247 IP, 38.180.18[.]189, remaining there for over four months, a duration indicative of long-term pre-operational staging.
By March 2025, the infrastructure migrated to another M247 IP, 38.180.140[.]30.
HTTP requests to port 8080 elicited a standardized, inert “404 Not Found” page titled “Document,” a deceptive response designed to mask underlying command-and-control (C2) potential.
The recurring use of port 8080 for fake 404 pages, alongside a consistent SSH fingerprint across multiple servers, echoes tradecraft observed in prior APT34 operations.
Threat intelligence corroborated this pattern; a March 2025 ThreatBook report linked similar infrastructure and response behaviors directly to the suspected Iranian actor.
Passive DNS data revealed the creation of multiple subdomains under biam-iraq[.]org, such as mail., cpanel., and webmail., which, while inactive, signaled preparatory work for likely credential harvesting or phishing lures.

SSH Key Reuse and Thematic Domain Proliferation
A distinct technical marker was the repeated appearance of a unique SSH fingerprint:
```text
05ce787de86117596a65fff0bab767df2846d6b7fa782b605daeff70a6332eb0
```
This fingerprint surfaced across at least five servers within the M247 Europe SRL network, exposing identical SSH banners (“SSH-2.0-OpenSSH_8.0”) and reflecting shared provisioning workflows.
Notably, this reuse extended across distinct Autonomous System Numbers (ASNs), reinforcing the operator’s reliance on a consistent setup routine.
In parallel, researchers documented the rise of several .eu domains, all with randomized names and no legitimate organizational ties, resolving to the same infrastructure.
These domains, such as plenoryvantyx[.]eu and zyverantova[.]eu, were registered via P.D.R. Solutions (US) LLC, pointed to regway[.]com nameservers, and utilized Let’s Encrypt for TLS certificates.
The only live website, plenoryvantyx[.]eu, masqueraded as a digital marketing agency but displayed signature stock content and fluctuating branding (e.g., “Sphere Spark,” “BioVersa Dynamics”) across search results, underscoring the synthetic nature of the network.

The infrastructure’s repeatable traits (shared SSH keys, distinctive HTTP behaviors on port 8080, and domain registration and DNS patterns) provide fertile ground for proactive defensive monitoring.
Even in the absence of active payloads, these technical signals allow defenders to cluster, track, and anticipate future APT34-linked assets with precision.
Monitoring should focus on:
- Reused SSH fingerprints across unrelated networks.
- Domains registered through P.D.R. Solutions (US) LLC with regway[.]com nameservers.
- Web servers offering static “404 Not Found” responses with the title “Document” on non-standard ports.
- The emergence of random .eu domains purporting to represent tech or scientific entities.
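The four monitoring points above map directly onto fields that an internet-scan or passive-DNS export already carries, so they can be turned into a scoring routine that clusters hosts by SSH host-key fingerprint, flags the inert "404 Not Found"/"Document" page on non-standard ports, and matches the .eu registration pattern. The script below is an added example and not tooling from the original report. The fingerprint, registrar, nameserver and the two 38.180.18.x addresses come from the report (re-fanged); the ASNs (RFC 5398 documentation range), the third host in a second ASN, the benign control host, and the scoring weights are constructed assumptions for illustration.

```python
"""Triage hosts against the APT34-style infrastructure traits described above.

Added example, not code from the original report. Records are constructed to
mirror the reported traits; a real deployment would load the same fields from
an internet-scan or passive-DNS export.
"""
from collections import defaultdict

# Values taken from the report (defanging removed).
KNOWN_SSH_FP = "05ce787de86117596a65fff0bab767df2846d6b7fa782b605daeff70a6332eb0"
SUSPECT_REGISTRAR = "P.D.R. Solutions (US) LLC"
SUSPECT_NS_SUFFIX = ".regway.com"
STANDARD_HTTP_PORTS = {80, 443}

# Constructed scan records. ASNs are from the RFC 5398 documentation range, not
# real network numbers; the third host and the benign control are invented.
HOSTS = [
    {"ip": "38.180.18.189", "asn": 64496, "ssh_fp": KNOWN_SSH_FP,
     "ssh_banner": "SSH-2.0-OpenSSH_8.0",
     "http": [{"port": 8080, "status": 404, "title": "Document"}],
     "domains": [{"name": "plenoryvantyx.eu", "registrar": SUSPECT_REGISTRAR,
                  "ns": ["ns1.regway.com", "ns2.regway.com"]}]},
    {"ip": "38.180.18.249", "asn": 64496, "ssh_fp": KNOWN_SSH_FP,
     "ssh_banner": "SSH-2.0-OpenSSH_8.0",
     "http": [{"port": 8080, "status": 404, "title": "Document"}],
     "domains": [{"name": "zyverantova.eu", "registrar": SUSPECT_REGISTRAR,
                  "ns": ["ns1.regway.com", "ns2.regway.com"]}]},
    # Constructed host in a second ASN reusing the same key (cross-ASN reuse).
    {"ip": "192.0.2.10", "asn": 64497, "ssh_fp": KNOWN_SSH_FP,
     "ssh_banner": "SSH-2.0-OpenSSH_8.0",
     "http": [{"port": 8080, "status": 404, "title": "Document"}],
     "domains": []},
    # Benign control: unique key, ordinary web server on port 80.
    {"ip": "198.51.100.7", "asn": 64498,
     "ssh_fp": "aa" * 32, "ssh_banner": "SSH-2.0-OpenSSH_9.6",
     "http": [{"port": 80, "status": 200, "title": "Example Corp"}],
     "domains": [{"name": "example.com", "registrar": "Example Registrar",
                  "ns": ["a.iana-servers.net"]}]},
]


def ssh_key_clusters(hosts):
    """Group hosts by SSH host-key fingerprint -> {fp: {"ips": set, "asns": set}}."""
    clusters = defaultdict(lambda: {"ips": set(), "asns": set()})
    for h in hosts:
        clusters[h["ssh_fp"]]["ips"].add(h["ip"])
        clusters[h["ssh_fp"]]["asns"].add(h["asn"])
    return clusters


def has_decoy_404(host):
    """True if a non-standard port serves a 404 page titled 'Document'."""
    return any(svc["port"] not in STANDARD_HTTP_PORTS
               and svc["status"] == 404 and svc["title"] == "Document"
               for svc in host["http"])


def suspicious_domains(host):
    """Domains matching the pattern: .eu TLD, the named registrar, regway.com NS."""
    return [d["name"] for d in host["domains"]
            if d["name"].endswith(".eu")
            and d["registrar"] == SUSPECT_REGISTRAR
            and d["ns"] and all(ns.endswith(SUSPECT_NS_SUFFIX) for ns in d["ns"])]


def score_host(host, clusters):
    """Return (score, reasons). Weights are an assumption: one point per trait,
    plus one more when the shared key spans more than one ASN."""
    score, reasons = 0, []
    c = clusters[host["ssh_fp"]]
    if len(c["ips"]) > 1:
        score += 1
        reasons.append(f"ssh key shared with {len(c['ips']) - 1} other host(s)")
        if len(c["asns"]) > 1:
            score += 1
            reasons.append("ssh key reused across ASNs")
    if has_decoy_404(host):
        score += 1
        reasons.append("static 404 'Document' page on non-standard port")
    doms = suspicious_domains(host)
    if doms:
        score += 1
        reasons.append("registration pattern match: " + ", ".join(doms))
    return score, reasons


def triage(hosts):
    """Rank hosts by score, highest first -> [(ip, score, reasons)]."""
    clusters = ssh_key_clusters(hosts)
    ranked = [(h["ip"], *score_host(h, clusters)) for h in hosts]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for ip, score, reasons in triage(HOSTS):
        print(f"{ip:16} score={score} {'; '.join(reasons) or 'no matching traits'}")
```

The SSH-key cluster is computed over the whole host set first, so a host with no domains and no web content (like the constructed 192.0.2.10) still surfaces purely because it shares a host key with known assets in another ASN; that is the lead-time signal the report describes, visible before any payload is staged.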
The campaign’s infrastructure illustrates APT34’s emphasis on deliberate, reusable tradecraft.
By recognizing and tracking these patterns early, before operational deployment, defenders can gain critical lead time, disrupting adversarial objectives before they escalate into active threats.
Indicators of Compromise (IOCs)
| IP Address | Domain(s) | Hosting Company | Location |
|---|---|---|---|
| 38.180.140[.]30 | biam-iraq[.]org, mail., cpanel., webmail., webdisk., cpcalendars., cpcontacts.biam-iraq[.]org | M247 Europe SRL | GB |
| 38.180.18[.]189 | plenoryvantyx[.]eu | M247 Europe SRL | BE |
| 38.180.18[.]18 | axoryvexity[.]eu | M247 Europe SRL | BE |
| 38.180.18[.]173 | valtorynexon[.]eu | M247 Europe SRL | BE |
| 38.180.18[.]249 | zyverantova[.]eu | M247 Europe SRL | BE |
| 38.180.18[.]253 | valtryventyx[.]eu | M247 Europe SRL | BE |