Threats Feed

Mandiant has uncovered an Iranian counterintelligence operation aimed at gathering data on Iranians and domestic threats potentially collaborating with foreign intelligence agencies, particularly in Israel. The operation involved fake recruitment websites, disseminated via social media, that lured Farsi-speaking individuals into providing personal and professional details. This data is likely used to identify and persecute Iranian dissidents, activists, and human rights advocates. The campaign, linked to Iran’s IRGC and APT42, operated from 2017 to 2024 and extends beyond Iran to target individuals connected to Syria and Hezbollah.

APT42 used fake WhatsApp accounts posing as technical support from AOL, Google, Yahoo and Microsoft companies to target individuals in Israel, Palestine, Iran, the United States and the United Kingdom. Targets included political and diplomatic officials, as well as public figures associated with the Biden and Trump administrations. The campaign, identified through user reports, included phishing attempts but did not result in account compromise. APT42 is known for phishing credential theft, with previous campaigns targeting public officials, activists and academics.

Iranian APT group GreenCharlie, linked to Mint Sandstorm and APT42, has been targeting US political campaigns and affiliates since May 2024 through advanced spearphishing and malware operations. The group leverages dynamic DNS domains, VPNs, and compromised infrastructure to conduct espionage activities. Malware variants such as GORBLE, POWERSTAR, and TAMECAT were deployed, showing significant code overlap. GreenCharlie’s infrastructure, associated with Iran-based IPs, supports its campaigns against high-value targets, including research analysts, diplomats, and government officials. The group likely operates under the Islamic Revolutionary Guard Corps (IRGC).

Iranian threat actor TA453 targeted a prominent Jewish religious figure with a fake podcast invitation, delivering the new BlackSmith malware toolkit. The attack leveraged spearphishing links and malicious LNK files to deploy the AnvilEcho PowerShell trojan. AnvilEcho consolidates TA453’s previous malware capabilities into a single script, facilitating intelligence gathering and system reconnaissance. The malware evades detection through obfuscation, steganography, and encrypted communications with TA453-controlled infrastructure. The operation, aligned with Iranian government interests, highlights TA453’s evolving tactics to support espionage.

APT42 has intensified its phishing campaigns against Israel and the U.S., targeting high-profile individuals in the military, defense, diplomatic, academic, and NGO sectors. The group uses spearphishing emails, typosquatting domains, and social engineering tactics to harvest credentials and gain unauthorized access to accounts. Recent campaigns included the use of benign PDF attachments and phishing kits capable of bypassing multi-factor authentication.

The Iranian hacktivist group Lord Nemesis, also known as 'Nemesis Kitten,' targeted the Israeli academic sector via a supply chain attack on Rashim Software, a provider of academic administration and training software. They breached Rashim's infrastructure and accessed its clients, including numerous academic institutions, by using stolen credentials and exploiting admin accounts on customer systems. This allowed them to extract sensitive data, circumvent multi-factor authentication, and instill fear by releasing findings and sending ominous warnings. The attack highlights the significant risks posed by third-party vendors and demonstrates the group's sophisticated planning and understanding of targeted IT environments.

The Ballistic Bobcat (aka Charming Kitten) threat group exploited known vulnerabilities in Microsoft Exchange servers, particularly CVE-2021-26855, to gain initial access to 34 organizations, primarily located in Israel. The group employed a backdoor known as Sponsor and relied on a modular approach that used both configuration files and batch files to evade detection. Besides, the group utilized a range of open-source tools for various activities, including tunneling and credential dumping. The victims are from diverse sectors but are mainly opportunistic rather than specifically targeted. Two victims were identified outside Israel, in Brazil and the UAE, linked to healthcare and an unidentified organization.

In mid-May 2023, threat actor TA453 targeted a US-based nuclear security expert affiliated with a foreign affairs think tank using deceptive emails. After initial contact, TA453 deployed a novel PowerShell backdoor, GorjolEcho, via cloud hosting providers. Upon realizing the target used a Mac, they sent another malicious email that delivered Mac-specific malware, NokNok. TA453 operates in support of Iran's Islamic Revolutionary Guard Corps (IRGC), specifically focusing on entities and individuals in the foreign affairs sector, particularly those dealing with Middle Eastern affairs and nuclear security.

The Iranian cyber-espionage group, Charming Kitten, targeted an individual who published an article about Iran. The attackers impersonated a reporter and carried out a series of seemingly benign interactions before sending a malicious RAR file containing the POWERSTAR backdoor. The backdoor, once executed, collects system information and communicates with a command-and-control server via encrypted channels. The attackers employ several modules for system reconnaissance, establishing persistence, and cleaning up forensic evidence. Notably, they leveraged the InterPlanetary File System (IPFS) as a fallback mechanism for command-and-control communication.

Charming Kitten group's latest malware, BellaCiao, targets Microsoft Exchange servers across the United States, Europe, the Middle East (Turkey), and India. The malware uses a unique communication approach with its command-and-control infrastructure and is tailored to suit individual targets. BellaCiao is a dropper malware that delivers other payloads based on instructions from the C2 server. The initial infection vector is suspected to be Microsoft Exchange exploit chains, and the malware establishes persistence by masquerading as legitimate Microsoft Exchange server processes.

The report details the Mint Sandstorm subgroup's cyberattacks targeting US critical infrastructure, including seaports, energy companies, transit systems, and a major utility and gas entity. The group rapidly adopted publicly disclosed proof-of-concept (POC) code to exploit vulnerabilities in internet-facing applications. The attacks also involved custom tools and implants, lateral movement, and persistence techniques. The phishing campaigns targeted individuals affiliated with think tanks and universities in Israel, North America, and Europe. The targeted sectors include transportation, energy, utilities, policy, security, and academia.

Since late 2020, threat actor TA453 has exhibited a shift in targeting and tactics. Previously targeting academics, diplomats, and journalists among others, TA453 has expanded to target medical researchers, aerospace engineers, realtors, and travel agencies. New tactics include the use of compromised accounts, malware, and confrontational lures. Despite this shift, Proofpoint assesses that TA453 operates in support of Iran's IRGC Intelligence Organization, indicating a broadening scope of cyber operations. The operations appear to focus on the US, Israel, and various European countries, targeting sectors like academia, diplomacy, journalism, human rights, and energy.

The COBALT MIRAGE threat group is using Drokbk malware to target U.S. local government networks. The malware, written in .NET, consists of a dropper and a payload, with limited built-in functionality, primarily executing additional commands from the command and control (C2) server. The February 2022 intrusion began with a compromise of a VMware Horizon server using two Log4j vulnerabilities. Drokbk is deployed post-intrusion alongside other access mechanisms, such as Fast Reverse Proxy (FRPC) tool, for persistence within the victim's environment.

The Secureworks Counter Threat Unit analyzed a ransomware incident involving the Iranian COBALT MIRAGE threat group. The group exploited ProxyShell vulnerabilities, used a customized variant of Fast Reverse Proxy (FRPC) named TunnelFish, and encrypted servers using BitLocker. Despite attempts to erase their digital footprint, several tools and artifacts were recoverable, leading to the identification of associated individuals and entities, including Ahmad Khatibi, CEO of Afkar System Co., and Mansour Ahmadi, CEO of Najee Technology.

The Iran-aligned threat actor TA453 has introduced a novel technique known as Multi-Persona Impersonation (MPI) to its spear-phishing campaigns. This method involves the simultaneous use of multiple false identities to enhance the credibility of their social engineering attacks. Alongside MPI, TA453 uses a malicious Word document exploiting Remote Template Injection, codenamed "Korg," to exfiltrate data.

The DEV-0270 group, believed to be linked to the Iranian organization Secnerd/Lifeweb, has been conducting ransomware operations primarily by exploiting known vulnerabilities in Exchange and Fortinet. The group typically targets organizations with exposed and vulnerable servers. Their tactics involve account discovery, credential dumping, account creation, process injection, privilege escalation, and data encryption. They also use evasion techniques like disabling antivirus tools, and masquerading malicious activities under legitimate processes. Notably, the group uses lateral movement methods like Remote Desktop Protocol and WMIExec for propagation across networks.

A new tool called HYPERSCRAPE, discovered by Google Threat Analysis Group in December 2021, has been found to be used by Charming Kitten to steal user data from Gmail, Yahoo and Microsoft Outlook accounts. HYPERSCRAPE requires the victim's account credentials to run, and once logged in, it changes the account's language settings to English, downloads messages individually as .eml files, and reverts the language back to its original settings once the inbox has been downloaded.

Yellow Garuda has been observed using a new Telegram 'grabber' tool alongside Android malware for domestic targeting, including victims likely linked to the Iranian music industry. The threat actor has been active since 2012, primarily using phishing attacks to harvest credentials. Despite operational security errors, Yellow Garuda has expanded its toolset to include macro-enabled template files. The observed document lures used themes related to nuclear energy, weapons, US shipping ports, and Iran's relationship with the Taliban, indicating potential targeting of a wide range of sectors.

Deep Instinct researchers detected suspicious activity in a Southern U.S. infrastructure and construction company, revealing an attempted compromise of an Exchange server by an Iranian APT, PHOSPHORUS. Seven exploitation attempts were made, including installation of a root certificate and blending malicious traffic with legitimate. The attacker used malware to create a new user account, setup RDP access, and establish a reverse proxy to connect to the compromised system. A new evasion technique, involving masking malicious domains within legitimate ones, was also detected. PHOSPHORUS activities can be traced back to June 2020.

In early February 2022, the TunnelVision threat actor exploited a vulnerable VMware Horizon server using the Log4Shell vulnerability (CVE-2021-44228) to gain unauthorized access. The attack involved suspicious account creation, credential harvesting, and lateral movement using PSexec and RDP. The adversaries also harvested credentials using Procdump and downloaded Sysinternals and SSH tools. The intrusion was attributed to the Iranian-aligned TunnelVision activity cluster, based on observed TTPs and artifacts. The targeted sectors and countries are not specified in the report.

Iranian APT group Phosphorus has developed a new PowerShell backdoor, dubbed PowerLess Backdoor, for espionage purposes. Cybereason researchers discovered the backdoor while investigating the group's exploitation of the ProxyShell vulnerability. The backdoor allows for downloading additional payloads, evasive PowerShell execution, and encrypted communication with the command and control server. Connections were also found between the Phosphorus group and the Memento Ransomware.

APT35 has started widespread scanning and attempts to leverage the Log4j flaw in publicly facing systems only four days after the vulnerability was disclosed. The group used a modular PowerShell-based framework dubbed CharmPower for persistence, information gathering, and command execution.

APT35 has used multiple tactics to compromise high-value targets. The group has used hijacked websites, such as one affiliated with a UK university, for credential phishing attacks. They have also uploaded spyware disguised as VPN software to app stores and impersonated conference officials to conduct phishing campaigns. Additionally, APT35 has utilized link shorteners and click trackers embedded within PDF files and abused services like Google Drive, App Scripts, and Sites pages. The group has adopted a novel approach by leveraging Telegram for real-time operator notifications, enabling them to monitor visitor information to their phishing sites.