Cyber Threat Actor: Mr.XHat
| Actor Type | Location | Known Incidents |
Sensationalist
|
Iran
|
1 incident |
|---|
Profile
Mr.XHat is the alias used by an individual identified in public reporting as an Iranian hacker. The actor came to attention in early 2014 after compromising a Tajikistani domain registrar and manipulating DNS records for several high‑profile country‑code domains. No further biographical details such as age, affiliation with a larger group, or specific organizational ties are provided in the available sources.
The actor’s observed activity focused on targeting domain registration infrastructure to alter DNS settings and deface web properties associated with Google, Yahoo, Twitter, and Amazon’s Tajikistani extensions. The initial access vector described was a directory traversal vulnerability exploited on the registrar’s web server, which allowed the actor to gain unauthorized file system access. Following this foothold, the actor claimed root access to the registrar’s MySQL database where customer credentials were stored in hashed form and subsequently changed the administrative email addresses linked to the targeted domains to intercept password‑reset messages, thereby obtaining plain‑text credentials and accessing customer control panels. The resulting actions caused temporary service disruption and defacement of the affected domains, which were restored to their original DNS configurations after roughly one day.
Attribution to Iran is based on the actor’s self‑identification and geographic location noted in the reporting, although no explicit link to a state sponsor or criminal consortium is presented in the source material. The 2014 Tajik registrar incident remains the sole publicly documented operation attributed to Mr.XHat, illustrating a pattern of using web‑application flaws to achieve DNS hijacking, credential interception, and service disruption. No additional campaigns, malware families, or tooling specifics are mentioned in the provided references.
