Threats Feed

Between April and July 2024, Iranian state-sponsored group Peach Sandstorm deployed a custom backdoor called Tickler in intelligence-gathering operations against satellite, communications, oil and gas, and government sectors in the US and UAE. Their tactics included password spray attacks and LinkedIn-based social engineering. Tickler malware leveraged Azure infrastructure for command-and-control (C2) and utilized DLL files for persistence. Peach Sandstorm also accessed compromised Active Directory accounts to further exploit targeted environments. Their evolving tradecraft demonstrates a persistent focus on the intelligence sector, including higher education, government, and defense.

It has been established that Iranian threat actors have initiated cyber-enabled influence operations targeting the 2024 US presidential election. Groups such as Sefid Flood are impersonating social and political activist groups with the intention of undermining trust in authorities and sowing discord. Iran's Islamic Revolutionary Guard Corps (IRGC)-linked Mint Sandstorm has been observed conducting spear-phishing campaigns against US presidential campaigns, while Peach Sandstorm has been engaged in password spray attacks on local government accounts. Additionally, the Iranian network Storm-2035 has been identified as operating covert news websites with the objective of polarising US voters. These operations represent part of a broader effort by Iran to interfere with elections in the US and other countries like Bahrain and Israel, often targeting political and government sectors.