Kportscan 3.0 Updated Jun 2026
This Iranian-linked group has been documented by MITRE ATT&CK using KPortScan 3.0 to perform SMB and RDP scanning during their operations.
To get the most out of KPortScan 3.0, users should follow best practices and guidelines for scanning and reporting. Some tips include:
Restrict internal RDP and SMB traffic strictly to designated administrative jump boxes.
| Component | Technology | Function |
|-----------|------------|----------|
| | Raw sockets + AF_XDP (Linux) / WinDivert (Windows) | Generates and injects probe packets at line rate |
| Receiver Engine | eBPF + Zero-copy ring buffers | Captures responses with microsecond timestamps |
| Packet Scheduler | Token bucket + adaptive rate control | Avoids network flood & IDS thresholds |
| ML Classifier | Lightweight ONNX model (Random Forest) | Differentiates open/filtered/closed from ambiguous responses |
| Storage | SQLite (embedded) / ClickHouse (distributed) | Local or fleet-wide scan results |
Port scanning unauthorized external networks can be interpreted as a precursor to a cyberattack and may violate local computer abuse laws or your Internet Service Provider's (ISP) terms of service. Ensure you only execute KportScan 3.0 on networks you own, operate, or have explicit, written authorization to test.

KportScan 3.0 vs. Modern Alternatives
The MITRE ATT&CK Framework formally documents that the Iranian threat group Magic Hound (also known as APT35 or Phosphorus) uses KPortScan 3.0. Magic Hound utilizes the utility under the banner of Technique T1046 (Network Service Discovery) to actively map out the internal infrastructure of government, technology, and defense targets.

The Ransomware Pipeline
Attackers rarely scan all 65,535 ports randomly. They configure KPortScan 3.0 to isolate specific entryways required for control. The most common targeted services include:
For network administrators and security operations centers (SOCs), the presence of KPortScan 3.0 is considered a . Because it is not a standard administrative tool, its execution on a server typically suggests that an unauthorized actor is currently performing reconnaissance. Detection Strategies include: