
APT34-Like Threat Infrastructure Uncovered Before Activation

ID: 90c4f23a-3cc0-516b-93d6-0a001a86d421

STIX ID: report--90c4f23a-3cc0-516b-93d6-0a001a86d421

Feed Name: Hunt.io Blog

Threat Score
65/100

Date Published: 2026-02-16

Date Updated: 2026-04-28

...
...

This report documents pre-operational infrastructure observed from November 2024 to April 2025 that impersonated an Iraqi academic organization and fabricated UK technology firms. Notable artifacts include reuse of the same SSH host-key fingerprint across multiple M247-hosted servers, HTTP 404 responses with a 'Document' title served as decoys on port 8080, consistent registrar, DNS and certificate provisioning across the set, and multiple .eu domains delegated to regway.com nameservers. The patterns align with tradecraft previously attributed to APT34 (OilRig). The report provides IP and domain IOCs, behavioral signatures, and HuntSQL queries for proactively detecting and hunting related assets before they become operational.
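The summary above names three behavioral pivots that can be combined to surface related hosts before any IOC list exists: a shared SSH host-key fingerprint, a 404 'Document' decoy on port 8080, and .eu domains delegated to regway.com nameservers. The following is an added Python example, not code from the Hunt.io report and not its HuntSQL queries; it runs the same pivots over constructed scan and passive-DNS records (the IPs, fingerprints, domains and the `hoster` label are placeholders, not the report's IOCs) and scores each host by how many traits it matches.

```python
"""Added hunting example: pivot over banner-scan and passive-DNS records on the
traits summarized in the report. All data below is CONSTRUCTED; nothing here is
an indicator from the report."""
from collections import defaultdict

# Constructed scan records (hypothetical). `http` maps port -> (status, <title>)
# as a banner scanner might record it; `hoster` is a placeholder label.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "hoster": "M247", "ssh_fp": "SHA256:fpA", "http": {8080: (404, "Document")}},
    {"ip": "203.0.113.11", "hoster": "M247", "ssh_fp": "SHA256:fpA", "http": {8080: (404, "Document")}},
    {"ip": "203.0.113.12", "hoster": "M247", "ssh_fp": "SHA256:fpB", "http": {8080: (404, "Document")}},
    {"ip": "198.51.100.5", "hoster": "Other", "ssh_fp": "SHA256:fpC", "http": {80: (200, "Welcome")}},
    {"ip": "198.51.100.6", "hoster": "Other", "ssh_fp": "SHA256:fpA", "http": {}},
]

# Constructed passive-DNS style records (placeholder domains): name, NS set, A record.
DNS_RECORDS = [
    {"domain": "corp-alpha.eu", "ns": ["ns1.regway.com", "ns2.regway.com"], "a": "203.0.113.10"},
    {"domain": "corp-beta.eu", "ns": ["ns1.regway.com", "ns2.regway.com"], "a": "203.0.113.11"},
    {"domain": "legit-shop.eu", "ns": ["ns1.cloudflare.com", "ns2.cloudflare.com"], "a": "198.51.100.5"},
    {"domain": "some-site.com", "ns": ["ns1.regway.com", "ns2.regway.com"], "a": "198.51.100.6"},
]


def shared_ssh_fingerprints(records, min_hosts=2):
    """Group hosts by SSH host-key fingerprint; keep fingerprints seen on >= min_hosts.

    A host key reused across unrelated IPs usually means the same operator cloned
    an image or copied /etc/ssh between servers."""
    by_fp = defaultdict(list)
    for r in records:
        if r.get("ssh_fp"):
            by_fp[r["ssh_fp"]].append(r["ip"])
    return {fp: sorted(ips) for fp, ips in by_fp.items() if len(ips) >= min_hosts}


def decoy_404_hosts(records, port=8080, status=404, title="Document"):
    """Hosts whose service on `port` answers with the given status and page title."""
    hits = []
    for r in records:
        resp = r.get("http", {}).get(port)
        if resp and resp[0] == status and resp[1] == title:
            hits.append(r["ip"])
    return sorted(hits)


def domains_on_nameserver(dns, tld=".eu", ns_suffix="regway.com"):
    """Domains under `tld` whose authoritative nameservers all sit under `ns_suffix`."""
    out = []
    for d in dns:
        if d["domain"].endswith(tld) and d["ns"] and all(ns.endswith(ns_suffix) for ns in d["ns"]):
            out.append(d["domain"])
    return sorted(out)


def score_hosts(records, dns, hoster="M247"):
    """Combine the pivots: one point per matching trait, plus the domains that led there.

    Traits: shared SSH fingerprint, 404 'Document' on 8080, expected hoster label,
    and a resolving domain that matches the TLD/nameserver pattern."""
    shared_ips = {ip for ips in shared_ssh_fingerprints(records).values() for ip in ips}
    decoy_ips = set(decoy_404_hosts(records))
    flagged_domains = set(domains_on_nameserver(dns))
    ip_to_flagged = defaultdict(set)
    for d in dns:
        if d["domain"] in flagged_domains:
            ip_to_flagged[d["a"]].add(d["domain"])

    scored = {}
    for r in records:
        ip = r["ip"]
        traits = []
        if ip in shared_ips:
            traits.append("shared_ssh_fp")
        if ip in decoy_ips:
            traits.append("404_document_8080")
        if r.get("hoster") == hoster:
            traits.append("hoster")
        if ip_to_flagged.get(ip):
            traits.append("eu_regway_domain")
        scored[ip] = {"score": len(traits), "traits": traits,
                      "domains": sorted(ip_to_flagged.get(ip, ()))}
    return scored


if __name__ == "__main__":
    ranked = sorted(score_hosts(SCAN_RECORDS, DNS_RECORDS).items(),
                    key=lambda kv: kv[1]["score"], reverse=True)
    for ip, info in ranked:
        print(f"{ip:14} score={info['score']} traits={info['traits']} domains={info['domains']}")
```

A host matching one trait (a reused key on a different hoster, say) is a weak lead; hosts matching three or four are the ones worth enrichment and a watch rule. In practice the same pivots are expressed as queries against a scan dataset such as the HuntSQL the report supplies; the scoring step is what turns individual hits into a ranked cluster.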
