Back

mci.ir Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The domain mci.ir exhibits a high-risk score of 98, primarily driven by a significant volume of historical data breaches (85.7%) and active infostealer logs (14.3%) observed between July 2025 and June 2026. A substantial number of client accounts (52,885) and employee accounts (658) were exposed through these events. The data indicates widespread compromise, with malware families like Redline, LummaC2, and Rhadamanthys being prevalent, suggesting credential harvesting and data exfiltration are ongoing threats. The exposure is heavily concentrated in Iran, with a notable presence of Windows 10 Enterprise and Pro operating systems, indicating a potential targeting of enterprise environments.

Total Events

53,543
credential exposure events

Employee Affected Events

658
account email domain = mci.ir

Client Affected Events

52,885
service target = mci.ir

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
15,00010,0005,0000
peak month 13,646
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events7,680
Share14%
Data breaches
Events45,863
Share86%
Infostealer logs (14%)
7,680events
Data breaches (86%)
45,863events

658 compromised employee accounts pose an infrastructure risk, while 52,885 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender91
Kaspersky12
Windows Defender.2

Malware Families Distribution

Distribution of Active Stealer Strains

Redline2,121
LummaC21,008
Rhadamanthys696
RisePro473
Vidar326
StealC321
Acreed155
Cthulhu41
X-Files21

Top Login URLs

Top exposed services found in the event results

  1. 1https://my.mci.ir/user/login.xhtml7,775
  2. 2https://my.mci.ir5,931
  3. 3my.mci.ir/user/login.xhtml5,839
  4. 4my.mci.ir5,476
  5. 5android://VSb4_Ppm_bZ3FGZhJpG8j5azixOFeI8mQ-3VSN212rr9VdLQlhLIZbfXPFSKFlfohYviRVCsVgXHNZTIi_12Hg==@ir.mci.ecareapp/3,167
  6. 6shop.mci.ir2,428
  7. 7https://shop.mci.ir/register2,084
  8. 8https://shop.mci.ir2,018
  9. 9shop.mci.ir/register1,647
  10. 10https://my.mci.ir/user/signUp.xhtml1,405

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

Iran
Events3,773
Germany
Events156
United States
Events122
Netherlands
Events78
United Kingdom
Events73
Canada
Events69
France
Events68

Country Breakdown

  1. 1Iran3,773
  2. 2Germany156
  3. 3United States122
  4. 4Afghanistan91
  5. 5Netherlands78
  6. 6United Kingdom73
  7. 7Canada69
  8. 8France68

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

WordPress6

Operating System Distribution

Distribution of compromised endpoint builds

Windows 10 Enterprise x641,066
Windows 10 Pro [x64]348
Windows 10 Pro325
Windows 11313
Windows 11 24H2 build 26100 (64 Bit)278

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
45,680
Combolist pools
183
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.