Threats Feed

Suspected Iranian threat actors, likely linked to APT35 (Agent Serpens), created a fraudulent website impersonating Germany’s Mega Model Agency to conduct targeted espionage. The site collects extensive visitor data—including IP addresses, browser fingerprints, and screen resolutions—using obfuscated JavaScript to enable selective targeting. A fake model profile and inactive album link suggest planned social engineering attacks. Although no victim interaction was confirmed, the infrastructure and tactics indicate preparation for spear phishing. The campaign targets dissidents, journalists, and activists abroad, especially in Germany, aligning with the group’s history of surveillance and influence operations against Iranian opposition figures.

Team82's research details the IOCONTROL malware, a custom-built cyberweapon used by Iran-linked attackers, specifically the CyberAv3ngers group. The malware targets a range of industrial control systems (ICS) and Internet of Things (IoT) devices, notably impacting fuel management systems in Israel and the US. IOCONTROL's functionality includes communication via the MQTT protocol and features such as arbitrary code execution and self-deletion. The analysis reveals the malware's infrastructure, including its command-and-control server and the methods used to evade detection. The report concludes that IOCONTROL represents a significant threat to critical infrastructure, highlighting the ongoing geopolitical conflict.

A phishing campaign is exploiting sensational fake news about an assassination attempt on US President-elect Donald Trump by an Iranian sniper. The campaign poses as The New York Times using the email address newyork-times@nycmail[.]com. Victims who click on the embedded link are redirected to an ESET-imitation phishing site, where they are prompted to enter corporate domain credentials. This campaign is an example of attackers using major global events, such as political elections, to amplify their efforts. The use of urgency and sensational headlines highlights the need for vigilance in verifying information.

Iranian cyber actors targeted critical infrastructure sectors in the US, Canada, and Australia, including healthcare, government, energy, and IT organisations. The attackers used password spraying and MFA push bombing to obtain valid accounts and access systems such as Microsoft 365, Azure, and Citrix. They used open source tools to gain access to credentials, including Kerberos SPN enumeration and Active Directory dumps. In some cases, the attackers attempted to exploit the Netlogon vulnerability for privilege escalation. In addition, the actors used discovery techniques using living-off-the-land tools to identify domain controllers, trusted domains and administrative accounts.

UNC1860, an Iranian state-sponsored group likely affiliated with the Ministry of Intelligence and Security (MOIS), targets government and telecommunications sectors in the Middle East, particularly in Saudi Arabia, Qatar, and Israel. The group acts as an initial access provider, exploiting vulnerabilities in internet-facing servers and deploying web shells like STAYSHANTE. Custom tools, such as TEMPLEPLAY and VIROGREEN, allow for remote access and further exploitation. UNC1860's operations are characterised by passive backdoors, credential validation, and stealthy malware that facilitates long-term persistence and hand-off to other threat actors. It's likely that the group has supported disruptive campaigns in the region.

Threat actors are targeting users in the Middle East with malware disguised as the Palo Alto GlobalProtect VPN tool. Delivered likely through phishing, the malware employs a two-stage infection chain initiated via a malicious setup.exe. It uses advanced command-and-control (C2) infrastructure, including newly registered domains like “sharjahconnect” and the Interactsh project for beaconing. Written in C#, the malware supports remote PowerShell execution, file download/exfiltration, and AES-encrypted communications. It also features sandbox evasion, system information gathering, and beaconing mechanisms to track infection stages. This campaign highlights significant threats to organizations in the region, particularly those reliant on VPN-based remote access.

Between April and July 2024, Iranian state-sponsored group Peach Sandstorm deployed a custom backdoor called Tickler in intelligence-gathering operations against satellite, communications, oil and gas, and government sectors in the US and UAE. Their tactics included password spray attacks and LinkedIn-based social engineering. Tickler malware leveraged Azure infrastructure for command-and-control (C2) and utilized DLL files for persistence. Peach Sandstorm also accessed compromised Active Directory accounts to further exploit targeted environments. Their evolving tradecraft demonstrates a persistent focus on the intelligence sector, including higher education, government, and defense.

Iran-based cyber actors linked to the Iranian government are exploiting organisations across multiple sectors in the US, including education, finance, healthcare, defence, and local government, as well as targets in Israel, Azerbaijan, and the UAE. Since 2017, these actors have focused on gaining and monetising network access, working with ransomware affiliates such as NoEscape, Ransomhouse, and ALPHV (BlackCat). They exploit vulnerabilities in internet-facing services such as Check Point, Palo Alto Networks and Citrix. They also use tools such as AnyDesk, PowerShell, Ligolo and NGROK for persistence and command and control.

It has been established that Iranian threat actors have initiated cyber-enabled influence operations targeting the 2024 US presidential election. Groups such as Sefid Flood are impersonating social and political activist groups with the intention of undermining trust in authorities and sowing discord. Iran's Islamic Revolutionary Guard Corps (IRGC)-linked Mint Sandstorm has been observed conducting spear-phishing campaigns against US presidential campaigns, while Peach Sandstorm has been engaged in password spray attacks on local government accounts. Additionally, the Iranian network Storm-2035 has been identified as operating covert news websites with the objective of polarising US voters. These operations represent part of a broader effort by Iran to interfere with elections in the US and other countries like Bahrain and Israel, often targeting political and government sectors.

Handala has been targeting Israeli critical infrastructure and entities since December 2023. Their activities include phishing campaigns, ransomware attacks, and website defacements, often releasing partial evidence of success to bolster their reputation. Notable incidents include attacks on Israel's Iron Dome radar systems, a ransomware assault on Ma’agan Michael Kibbutz, and an alleged data breach of Zerto, a Hewlett Packard Enterprise subsidiary. The group utilizes sophisticated methods, including phishing links and attachments, to compromise and exfiltrate sensitive data. Handala is considered a serious cyber threat, primarily targeting Israel's critical sectors.

Peach Sandstorm, an Iranian threat actor, has conducted password spray attacks since February 2023 against global organizations, notably in the satellite, defense, and pharmaceutical sectors. These attacks originated from TOR IPs and employed a mix of public and custom tools like AzureHound and Roadtools for reconnaissance. Once inside the network, the group established persistence through mechanisms like Azure subscriptions and Azure Arc. They also attempted to exploit vulnerabilities in Zoho ManageEngine and Confluence. Some instances involved data exfiltration and lateral movement using techniques like Golden SAML and remote desktop protocol (RDP).

APT33, an Iranian threat group active since 2013, targets multiple countries and sectors, primarily focusing on Saudi Arabia and the United States. The group employs spear phishing with malicious attachments and links, watering hole attacks, and uses both custom and commodity malware, including the Shamoon data-wiper. They exploit known vulnerabilities and leverage stolen credentials to gain access. Key targets include government, aerospace, petrochemical, engineering, finance, and telecom industries. APT33’s infrastructure includes domain masquerading and compromised servers. Recent activities include targeting cloud infrastructure and using spoofed domains to distribute malware.

The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Cyber National Mission Force (CNMF) identified multiple APT actors exploiting vulnerabilities in an Aeronautical Sector organization as early as January 2023. The actors targeted a public-facing application (Zoho ManageEngine ServiceDesk Plus) and the organization’s firewall device, exploiting CVE-2022-47966 and CVE-2022-42475. They gained unauthorized access, established persistence, moved laterally, and engaged in defense evasion by deleting logs. Although the attackers achieved extensive network enumeration and credential access, the report didn't confirm any data exfiltration.

In April 2022, CISA detected Iranian government-sponsored APT activity compromising an FCEB organization's network via the Log4Shell vulnerability. Initial exploitation targeted an unpatched VMware Horizon server, later spreading to the domain controller. The threat actors utilized PowerShell commands, disabled Windows Defender, and established persistence through scheduled tasks. Tools like Mimikatz and Ngrok were deployed for credential harvesting and C2 communication. Despite attempts to dump the LSASS process, additional anti-virus measures thwarted this activity. Lateral movement was observed, as were activities aimed at credential and account manipulation.

In April 2022, Iranian government-sponsored actors exploited the Log4Shell vulnerability in VMware Horizon servers, targeting a Federal Civilian Executive Branch (FCEB) organization. They installed XMRig crypto mining malware and used tools like Mimikatz and Ngrok for credential theft and tunneling. The attack involved disabling Windows Defender, downloading malicious files, hiding artifacts, and creating scheduled tasks for persistence. The campaign highlights advanced tactics in disabling security controls and maintaining persistent access. The targeted sector was the US government.

The Fully Undetectable (FUD) PowerShell backdoor report details a sophisticated attack beginning with a malicious Word document ("Apply Form.docm") used in a LinkedIn-based spearphishing campaign originating from Jordan. The document contains a macro that launches a PowerShell script, creating a scheduled task to execute further malicious actions. The backdoor communicates with its C2 server, executing various commands such as process list exfiltration, user enumeration, and Active Directory exploration. SafeBreach identified operational security mistakes allowing decryption of the C2 commands. The campaign, involving PowerShell scripts and scheduled tasks, targets systems for data exfiltration and potential lateral movement.

SafeBreach Labs has discovered CodeRAT, a new remote access trojan (RAT) targeting Farsi-speaking software developers with capabilities ranging from espionage to data exfiltration. Delivered via a Word document that exploits Microsoft DDE, CodeRAT monitors activity in various applications, particularly those related to social networking and development tools. Uniquely, it uses public file upload APIs and Telegram groups for command and control, bypassing typical C2 infrastructure. The malware supports 50 commands, including clipboard capture, process control and file upload. The CodeRAT developer released the source code on GitHub after it was discovered by researchers.

The Iranian SiameseKitten (Lyceum) group deployed new malware masquerading as an Adobe update, communicating with a command and control server. The malware includes a reverse shell and employs fake Microsoft certificates, echoing tactics seen with other Iranian groups like Phosphorus. The attack involved a lure PDF related to drone attacks in Iran, aiming to establish persistence via the Startup folder. The parent file and reverse shell were downloaded from domains registered on June 6th, highlighting the group's continued use of sophisticated detection avoidance techniques.

POLONIUM, suspected to be coordinating with Iran's Ministry of Intelligence and Security, is actively targeting Israeli organizations across multiple sectors such as critical manufacturing, IT, and defense. The group exploits supply chain vulnerabilities by compromising IT companies to further target downstream organizations like aviation companies and law firms. TTPs include custom implants like CreepyDrive that use cloud services for C2 and data exfiltration. MSTIC also notes overlap with Iranian groups MERCURY, CopyKittens, both in targeted victims and techniques like using AirVPN and OneDrive. Though unconfirmed, around 80% of victims were observed running Fortinet appliances, suggesting a potential CVE-2018-13379 exploitation.

The Iranian APT group Moses Staff deployed a new, previously undocumented Remote Access Trojan (RAT) called StrifeWater for its cyber-espionage and disruption operations. The StrifeWater RAT has been used in initial attack stages, demonstrating various capabilities like listing system files, executing system commands, creating persistence, and downloading updates. Post-infection, it's replaced with ransomware not for financial gain but to disrupt operations and inflict system damage. Victims of these attacks span globally across countries like Israel, Italy, India, Germany, Chile, Turkey, UAE, and the US.

SafeBreach Labs discovered an Iranian threat actor exploiting the MSHTML vulnerability (CVE-2021-40444) to infect Farsi-speaking victims with the PowerShortShell stealer via spear phishing. The attack, first reported in September 2021, involved a malicious Word document connecting to a server, downloading a DLL, and executing a PowerShell script. This script collected data, including screenshots and files, and exfiltrated it to the attacker's server. The campaign targeted Iranians abroad, particularly in the United States, suggesting ties to Iran's Islamic regime.

Some Iranian government-sponsored APT groups have exploited vulnerabilities in Microsoft Exchange servers and Fortinet devices since March 2021. These actors broadly targeted critical infrastructure sectors in the US, including Transportation and Healthcare and Public Health, as well as Australian organizations. The APT group focused more on exploiting known vulnerabilities rather than specific sectors, using the gained access for ransomware deployment, data exfiltration, and extortion. Several tactics, techniques, and tools were utilized, including creating new user accounts and modifying Task Scheduler.

The Lyceum group (also known as Hexane) is a cyber threat actor focused on the telecommunications, energy and aviation sectors, particularly targeting high-profile organisations in Tunisia. Active since 2018, Lyceum has recently replaced its .NET-based malware with new C++ backdoors and PowerShell scripts to evade detection. The group continues to rely on DNS tunneling for command and control (C2) and uses tools for system reconnaissance, credential theft and keylogging. Lyceum also uses spoofed domains to disguise its activities, demonstrating an adaptive approach to persistent targeting of critical infrastructure.