Researchers at cybersecurity startup Halcyon have uncovered an Iranian-run company, Cloudzy, providing command-and-control services to more than 20 hacking groups, including state-sponsored APT actors, ransomware operators, and spyware vendors. Although Cloudzy is registered in the United States, Halcyon believes it is operated from Tehran, Iran, potentially in violation of US sanctions.
Acting as a command-and-control provider (C2P), Cloudzy advertises services to protect user anonymity but does not respond to reports of malicious activity. The company requires only a working email address for registration, never verifies customer identities, and accepts anonymous cryptocurrency payments, despite prohibiting illicit use of its services.
Halcyon’s research indicates that over half of Cloudzy’s hosted servers directly support malicious activities, often utilizing infrastructure from other ISPs. During a 90-day analysis, Halcyon discovered attack infrastructures linked to various governments, including China, Iran, India, North Korea, Pakistan, Russia, and Vietnam, as well as connections to the sanctioned Israeli spyware vendor Candiru and cybercrime rings and ransomware groups.
The investigation also revealed two previously unreported ransomware groups, Ghost Clown and Space Kook, relying on Cloudzy as a C2P for their operations involving Cobalt Strike implants, Conti, BlackBasta, Quantum Locker, and Royal ransomware.
Despite being registered in the US, Cloudzy lacks a physical office in the country. Halcyon’s further investigation exposed ties between Cloudzy and the Iranian firm abrNOC, both allegedly founded by Hannan Nozari in Tehran, Iran. Halcyon identified eight individuals seemingly employed by Cloudzy but based in Iran, with overlapping connections to abrNOC employees.
The cybersecurity firm concluded that Cloudzy exists only on paper and that its so-called employees are, in fact, employees of abrNOC in Tehran, leading to the assessment that the C2P is a front for abrNOC, the actual hosting company, operating from Iran.