Alerts & Notice

  1. Public

    Document.exe: New malicious Word file by Iranian state-backed hackers

    In the past few days, a malicious Word document sample, believed to be linked to Iranian state-backed hackers, was shared with our team at CERTFA Lab by a community member. Upon initial analysis, we discovered that this sample includes an OLE object and an AutoOpen macro. The macro reads obfuscated text from UserForm1.TextBox1, decodes it into ASCII characters, then base64-decodes the result to drop a payload onto the victim's system at C:\Users\Public\Document.exe.

  2. Public

    Mobile Phone: New Android Surveillance Malware Targeting Persian Speakers

    A malicious Android application disguised as a mobile phone utility was recently shared with our team at CERTFA Lab. Upon analysis, we discovered this sample to be a sophisticated surveillance tool with strong indicators linking it to Domestic Kitten (APT-C-50), an Iranian state-backed hacking group associated with the Islamic Revolutionary Guard Corps (IRGC).

  3. Public

    Security Alert: IranGuard Spyware Campaign

    A spear-phishing campaign is distributing surveillance malware named "IranGuard" targeting Iranian individuals and organizations. The malware is delivered via spear-phishing emails impersonating the "Etelaat Faraja" (فرماندهی اطلاعات فراجا - FARAJA Intelligence Command), an Iranian law enforcement intelligence agency. The campaign distributes both Android (APK) and Windows (EXE) variants of the spyware, providing comprehensive surveillance capabilities across both mobile and desktop platforms.
