Operator core · kit + AS57724 DDoS-Guard nodes
AS59692 IQWeb fronting · co-located vertical
OFAC catalyst · CT detection method
Iranian sanctioned subset
PhishDestroy (prior per-domain coverage)
Observed / high confidence
Certificate Transparency brand-token detection, free reverse-IP enumeration (VirusTotal / OTX / HackerTarget), BGP origin-AS (bgp.he.net), and kit fingerprinting · attribution by IP/AS + kit, not naming grammar · indicators defanged · CrimsonVector 2026