Threats Feed

Suspected Iranian threat actors, likely linked to APT35 (Agent Serpens), created a fraudulent website impersonating Germany’s Mega Model Agency to conduct targeted espionage. The site collects extensive visitor data—including IP addresses, browser fingerprints, and screen resolutions—using obfuscated JavaScript to enable selective targeting. A fake model profile and inactive album link suggest planned social engineering attacks. Although no victim interaction was confirmed, the infrastructure and tactics indicate preparation for spear phishing. The campaign targets dissidents, journalists, and activists abroad, especially in Germany, aligning with the group’s history of surveillance and influence operations against Iranian opposition figures.

A phishing campaign impersonating Avast targeted Israeli individuals and businesses—likely in the real estate and commercial sectors—through fraudulent antivirus receipts containing malware download links. The attack used multiple URL redirections and GitHub for payload delivery, culminating in the stealthy installation of the legitimate remote access tool ScreenConnect. Once installed, the malware achieved persistence via Windows services, modified authentication packages to access credentials, and established encrypted command and control connections. Evidence suggests similarities with tactics used by the MuddyWater APT group, though attribution remains inconclusive. The campaign’s infrastructure and system language checks confirm its Israeli focus.

The MuddyWater APT group has been observed using malicious macro-enabled Microsoft Word documents to compromise targets. Upon opening these documents and enabling macros, a VBScript backdoor is deployed, establishing communication with attacker-controlled command and control (C2) servers via HTTP. The VBScript backdoor receives and executes remote commands and sends results back to the C2 servers. Identified infrastructure includes domains and IP addresses employing HTTPS over port 443 for covert communication, aiding in firewall evasion.

APT34 (OilRig) has launched a targeted cyber espionage campaign against Iraqi government entities since 2024, using spearphishing emails with forged documents to deploy custom C# malware disguised as PDF files. The malware performs system reconnaissance, anti-VM checks, and sets up persistence via scheduled tasks. It communicates with command-and-control infrastructure through both HTTP and compromised Iraqi government email accounts (SMTP/IMAP). The group also utilizes European-hosted infrastructure with deceptive 404 pages and obfuscated communication protocols. Targeted sectors include government, energy, finance, defense, and telecommunications, indicating a continued focus on intelligence gathering in the Middle East.