See the latest indicators of compromise; use AHA cybersecurity resources, guidance and recommendations


American Hospital Association
[ American Hospital Association ] [[https://www.aha.org]]

March 27, 2026

TLP:AMBER — Not for Public Distribution

Recipients may share TLP:AMBER information with members of their own organization and its clients on a need-to-know basis to protect their organization and its clients and prevent further harm.

New Indicators of Compromise Associated with Iranian Hacking Groups Targeting Health Care

 

Please distribute the following information to your leadership, cybersecurity, information technology and physical security teams.

The AHA continues to closely monitor potential physical and cyber threats associated with the ongoing conflict in Iran. The AHA maintains close communication and coordination with federal agencies and the field to identify and assess potential threats.

The AHA recently received high-confidence indicators of compromise (IOCs) (listed below) associated with recent Iranian cyberattack activity targeting the Stryker Corporation, a medical supply and technology company. Limited distribution of these IOCs may have occurred through other closed channels. The AHA is distributing the following to AHA members to ensure broad distribution and visibility through non-public channels.

The listed IOCs should be loaded into network defensive and threat-hunting tools as soon as possible. NOTE: While it is believed these IOCs indicate threat actor activity in certain situations, they may not be used exclusively by threat actors. You should perform your own review to determine whether any presence of these IOCs in your systems indicates authorized or unauthorized activity.

See the AHA’s Cybersecurity Advisory for important guidance and resources.

INDICATORS OF COMPROMISE

DomainName connect-st[.]westus3[.]cloudapp[.]azure[.]com
DomainName login[.]netbird[.]io
DomainName medicalrss[.]azurewebsites[.]net
DomainName pharmarss[.]azurewebsites[.]net
DomainName pkgs[.]netbird[.]io
DomainName streamline-es-mad1-1[.]relay[.]netbird[.]io
EmailAddress 1004c010@mailforspams[.]com
EmailAddress 2403sapphire@dollicons[.]com
Filename devobj[.]dll
Filename Handala[.]o
Filename libjson-2[.]dll
Filename libxml1[.]dll
Filename LoggingPlatform[.]dll
Filename netapi32[.]dll
Filename netbird_uninstall[.]exe
Filename secur32[.]dll
Filename Update[.]dll
Filename wtsapi32[.]dll
Hostname sk
Hostname VULTR-GUEST
ipv4 100[.]81[.]130[.]117
ipv4 100[.]81[.]131[.]248
ipv4 100[.]81[.]16[.]78
ipv4 100[.]81[.]204[.]124
ipv4 100[.]81[.]241[.]72
ipv4 100[.]81[.]245[.]63
ipv4 100[.]81[.]34[.]147
ipv4 100[.]81[.]5[.]237
ipv4 100[.]81[.]7[.]188
ipv4 100[.]81[.]76[.]22
ipv4 134[.]33[.]97[.]6
ipv4 137[.]117[.]163[.]217
ipv4 139[.]180[.]147[.]11
ipv4 168[.]62[.]20[.]37
ipv4 185[.]92[.]220[.]10
ipv4 192[.]248[.]173[.]114
ipv4 194[.]113[.]73[.]12
ipv4 194[.]62[.]97[.]199
ipv4 20[.]118[.]48[.]4
ipv4 20[.]119[.]128[.]3
ipv4 20[.]119[.]16[.]57
ipv4 20[.]50[.]64[.]3
ipv4 209[.]151[.]150[.]249
ipv4 209[.]151[.]152[.]244
ipv4 217[.]69[.]13[.]49
ipv4 4[.]34[.]42[.]132
ipv4 4[.]35[.]84[.]4
ipv4 45[.]32[.]155[.]233
ipv4 49[.]249[.]19[.]242
ipv4 5[.]22[.]214[.]221
ipv4 5[.]22[.]219[.]107
ipv4 50[.]146[.]226[.]107
ipv4 52[.]185[.]55[.]202
ipv4 85[.]9[.]196[.]80
ipv4 95[.]179[.]129[.]217
ipv6 2001:19f0:4400:6d7e:5400:5ff:fefe:6c83
ipv6 2001:19f0:6801:b8c:5400:5ff:fefe:7054
ipv6 2001:19f0:7400:8ec3:5400:5ff:fefe:6c75
Sha256 56ac00856b19b41bc388ecf749eb4651369e7ced0529e9bf422284070de457b6
Sha256 597419898ad36594d1cf0fa7acaacfb4b66e27227ea1ad97e3a7fc530d0db7a1
Sha256 614da8af9b544d406318b349af49d85f2b158837f5decbe056210c9a741f90e3
Sha256 6325361d72a26daedacd285f7a59defcf2fac677b676a5750ef8e0786a896a4d
Sha256 6a60c885e822d52cc85c42076c98bbe049dc0d1b5e8043996e4b0d22c3269089
Sha256 72a4d05ca5abd86a8c2be8c94ebe2f15b04049d808003cc8852a308c5696090a
Sha256 895e862b4aca9780792624bbc774dd6b9494420c47f4aeab6aeda2f4f7732203
Sha256 947214762acff23b1a154aa7afde8aecc4179bb72e3d04666d9f677e39cd053b
Sha256 bacbd93bd72120e3ceddb57a9cda8c4c8067b292621b920aaa35d4a0b76e8f4b
Sha256 c5cdb944ad9448eba5aa6140c8ff9629e3f6b99e386adccb393c33f13b3ecb34
Sha256 d7413bb2422ec4a15517011324efc902211eed3130ca8f025ee35bac2c511e75
Sha256 e704be3ce686afe8c8e32f173fcc6da05bf680df0c2fc5376ad53340f1a65e41
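The bulletin asks that the indicators be loaded into defensive and threat-hunting tools. The following Python helper is an added example, not part of the AHA bulletin and not an AHA tool: it refangs the `[.]`-style indicators in the exact "Type value" layout used above, validates the IP and SHA-256 entries, separates IPs that sit in shared address space (100.64.0.0/10, RFC 6598) from those usable on an internet-facing blocklist, and runs the resulting set over a few constructed log lines. The sample indicators are copied from the list above; the log lines and the `parse_iocs`, `perimeter_blocklist` and `hunt` function names are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Sample copied from the bulletin's IOC list, in its "Type value" layout,
# with the [.] defanging left in place so the parser has to undo it.
SAMPLE_IOC_TEXT = """\
DomainName medicalrss[.]azurewebsites[.]net
EmailAddress 1004c010@mailforspams[.]com
Filename Handala[.]o
Hostname VULTR-GUEST
ipv4 100[.]81[.]130[.]117
ipv4 139[.]180[.]147[.]11
ipv6 2001:19f0:4400:6d7e:5400:5ff:fefe:6c83
Sha256 56ac00856b19b41bc388ecf749eb4651369e7ced0529e9bf422284070de457b6
"""

# Constructed log lines (not from the bulletin) to hunt over.
CONSTRUCTED_LOGS = [
    "2026-03-27T10:02:11Z dns client=10.1.4.22 query=medicalrss.azurewebsites.net type=A",
    "2026-03-27T10:02:15Z proxy src=10.1.4.22 dst=139.180.147.11 method=CONNECT",
    "2026-03-27T10:03:40Z dns client=10.1.4.30 query=updates.example.org type=A",
]

SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598


def refang(value):
    """Undo common defanging: [.] -> ., [:] -> :, [@] -> @, hxxp(s) -> http(s)."""
    value = value.replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")
    return re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"),
                  value, flags=re.IGNORECASE)


def parse_iocs(text):
    """Parse 'Type value' lines into {type: [values]}; returns (iocs, problems).

    Types are lower-cased; IP entries must parse and match their declared
    version; Sha256 entries must be 64 hex digits (normalised to lower case).
    """
    iocs, problems = defaultdict(list), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            problems.append((lineno, "no type/value pair"))
            continue
        kind, value = parts[0].lower(), refang(parts[1].strip())
        if kind in ("ipv4", "ipv6"):
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                problems.append((lineno, f"invalid {kind}"))
                continue
            if (addr.version == 4) != (kind == "ipv4"):
                problems.append((lineno, "declared type does not match address"))
                continue
            value = str(addr)
        elif kind == "sha256":
            if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
                problems.append((lineno, "not a sha256 hex digest"))
                continue
            value = value.lower()
        iocs[kind].append(value)
    return dict(iocs), problems


def perimeter_blocklist(iocs):
    """Split IP indicators into (usable at the internet edge, internal-only).

    Shared address space (100.64/10), private, loopback and link-local
    addresses never arrive from the internet, so they belong in host or
    overlay-network hunting rather than on a perimeter blocklist.
    """
    usable, internal = [], []
    for kind in ("ipv4", "ipv6"):
        for v in iocs.get(kind, []):
            addr = ipaddress.ip_address(v)
            in_shared = addr.version == 4 and addr in SHARED_ADDRESS_SPACE
            if in_shared or addr.is_private or addr.is_loopback or addr.is_link_local:
                internal.append(v)
            else:
                usable.append(v)
    return usable, internal


_TOKEN_SPLIT = re.compile(r"[\s,;=\"'<>()\[\]]+")


def hunt(iocs, log_lines):
    """Return [(line_index, matched_value)] for log tokens equal to any indicator."""
    wanted = {v.lower() for values in iocs.values() for v in values}
    hits = []
    for idx, line in enumerate(log_lines):
        for token in _TOKEN_SPLIT.split(line):
            if token.lower() in wanted:
                hits.append((idx, token.lower()))
    return hits


if __name__ == "__main__":
    parsed, errors = parse_iocs(SAMPLE_IOC_TEXT)
    print("parse problems:", errors)
    print("perimeter / internal:", perimeter_blocklist(parsed))
    print("hits:", hunt(parsed, CONSTRUCTED_LOGS))
```

Hostname and Filename entries are kept as plain strings, since they are only meaningful against endpoint telemetry, not network logs; the token-based matcher will still flag them if they appear verbatim in a line.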

The FBI reported the following persons were affiliated with scanning on behalf of an Iranian advanced persistent cyber threat actor.

qcatcake@gmail[.]com
linasoares27@gmail[.]com
yayacharlotte@gmail[.]com
ynhyoosoup@gmail[.]com
arseagle2@gmail[.]com
jonassenmugica597@gmail[.]com
stirnashetler179@gmail[.]com
scantlenschnepf31@gmail[.]com
thurmanwigton281@gmail[.]com
miernikdurr788@gmail[.]com
naufzingermander565@gmail[.]com
linsleyhellmann841@gmail[.]com
thielgeskebede608@gmail[.]com

FURTHER QUESTIONS

Report any threat intelligence and/or business or clinical disruptions to John Riggi, national advisor for cybersecurity and risk, at [email protected] and Scott Gee, deputy national advisor for cybersecurity and risk, at [email protected].

For the latest cyber and risk resources and threat intelligence, visit aha.org/cybersecurity.


 

American Hospital Association 

155 North Wacker Drive, Suite 400, Chicago, IL 60606
AHA.org
