Threats Feed
TA453 Targets Jewish Religious Leader with Sophisticated BlackSmith Malware
Iranian threat actor TA453 targeted a prominent Jewish religious figure with a fake podcast invitation, delivering the new BlackSmith malware toolkit. The attack leveraged spearphishing links and malicious LNK files to deploy the AnvilEcho PowerShell trojan. AnvilEcho consolidates TA453’s previous malware capabilities into a single script, facilitating intelligence gathering and system reconnaissance. The malware evades detection through obfuscation, steganography, and encrypted communications with TA453-controlled infrastructure. The operation, aligned with Iranian government interests, highlights TA453’s evolving tactics to support espionage.
TA453 Campaign Deploys Novel PowerShell Backdoor and Mac-Specific Malware
In mid-May 2023, threat actor TA453 targeted a US-based nuclear security expert affiliated with a foreign affairs think tank using deceptive emails. After initial contact, TA453 deployed a novel PowerShell backdoor, GorjolEcho, via cloud hosting providers. Upon realizing the target used a Mac, they sent another malicious email that delivered Mac-specific malware, NokNok. TA453 operates in support of Iran's Islamic Revolutionary Guard Corps (IRGC), specifically focusing on entities and individuals in the foreign affairs sector, particularly those dealing with Middle Eastern affairs and nuclear security.
Broadening Horizons: TA453's New Approaches in Cyber Operations
Since late 2020, threat actor TA453 has exhibited a shift in targeting and tactics. Previously targeting academics, diplomats, and journalists among others, TA453 has expanded to target medical researchers, aerospace engineers, realtors, and travel agencies. New tactics include the use of compromised accounts, malware, and confrontational lures. Despite this shift, Proofpoint assesses that TA453 operates in support of Iran's IRGC Intelligence Organization, indicating a broadening scope of cyber operations. The operations appear to focus on the US, Israel, and various European countries, targeting sectors like academia, diplomacy, journalism, human rights, and energy.
"Korg" in Action: How TA453 Leveraged Multi-Persona Impersonation in Spear Phishing
The Iran-aligned threat actor TA453 has introduced a novel technique known as Multi-Persona Impersonation (MPI) to its spear-phishing campaigns. This method involves the simultaneous use of multiple false identities to enhance the credibility of its social engineering attacks. Alongside MPI, TA453 uses a malicious Word document exploiting Remote Template Injection, codenamed "Korg," to exfiltrate data.
SpoofedScholars: TA453 Targets Intelligence Interests Posing as British Scholars
Iranian state-aligned actor TA453 has been covertly targeting individuals of intelligence interest to the Iranian government by masquerading as British scholars from the University of London's School of Oriental and African Studies (SOAS). The threat actor targeted Middle Eastern experts, senior professors, and journalists. TA453 compromised a legitimate academic website to deliver personalized credential harvesting pages.
BadBlood Campaign: TA453 Targets US and Israeli Medical Research Professionals
In late 2020, the Iranian-nexus threat actor TA453 launched a credential phishing campaign called BadBlood, targeting senior medical professionals in genetics, neurology, and oncology research in the United States and Israel. The campaign deviates from the group's usual activity and may indicate a shift in TA453's targeting priorities. The attackers used spearphishing emails with links to a fake OneDrive site to harvest user credentials, potentially to exfiltrate email contents or to use compromised accounts for further phishing campaigns.