Latest Update29/07/2025

Threats Feed

  1. Public

    Iranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault

    Some Iranian government-sponsored APT groups have exploited vulnerabilities in Microsoft Exchange servers and Fortinet devices since March 2021. These actors broadly targeted critical infrastructure sectors in the US, including Transportation and Healthcare and Public Health, as well as Australian organizations. The APT group focused more on exploiting known vulnerabilities rather than specific sectors, using the gained access for ransomware deployment, data exfiltration, and extortion. Several tactics, techniques, and tools were utilized, including creating new user accounts and modifying Task Scheduler.

    read more about Iranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault
  2. Public

    Lyceum Intensifies Cyber Espionage on Tunisian Telecom and Aviation Sectors

    The Lyceum group (also known as Hexane) is a cyber threat actor focused on the telecommunications, energy and aviation sectors, particularly targeting high-profile organisations in Tunisia. Active since 2018, Lyceum has recently replaced its .NET-based malware with new C++ backdoors and PowerShell scripts to evade detection. The group continues to rely on DNS tunneling for command and control (C2) and uses tools for system reconnaissance, credential theft and keylogging. Lyceum also uses spoofed domains to disguise its activities, demonstrating an adaptive approach to persistent targeting of critical infrastructure.

    read more about Lyceum Intensifies Cyber Espionage on Tunisian Telecom and Aviation Sectors
  3. Public

    MalKamak Targets Middle Eastern Aerospace and Telecom Firms with ShellClient RAT

    The Iranian APT group MalKamak has been targeting aerospace and telecommunications companies in the Middle East since at least 2018, with additional victims in the US, Russia and Europe. The group uses ShellClient, a newly discovered remote access trojan (RAT), to conduct highly targeted cyberattacks. ShellClient uses Dropbox, a popular cloud-based service, for command and control (C2) operations, replacing the group's previous C2 infrastructure.

    read more about MalKamak Targets Middle Eastern Aerospace and Telecom Firms with ShellClient RAT
  4. Public

    MalKamak's GhostShell Campaign Hits Middle East, U.S., and Europe

    Operation GhostShell is a cyber espionage campaign targeting aerospace and telecommunications companies, primarily in the Middle East, with victims in the U.S., Russia and Europe. The operation, carried out by the Iranian group MalKamak, uses a stealthy, evolving remote access trojan (RAT) called ShellClient, which has been in development since 2018. ShellClient evades detection through masquerading, AES encryption and WMI-based reconnaissance. The attackers used tools such as PAExec for lateral movement and lsa.exe for credential dumping. Data exfiltration was facilitated by using WinRar to compress stolen information before sending it via Dropbox.

    read more about MalKamak's GhostShell Campaign Hits Middle East, U.S., and Europe
  5. Public

    Siamesekitten APT Targets Israeli IT Firms with Supply Chain Attacks

    The Iranian APT group Siamesekitten (Lyceum/Hexane) launched targeted cyberattacks on Israeli IT and technology firms in 2021 using advanced social engineering and supply chain tactics. The campaign impersonated HR personnel and organizations via phishing websites and LinkedIn profiles to distribute malware such as Milan and its successor Shark. Victims were infected with DanBot RAT through DNS tunneling and HTTPS C2 communication. The group also exploited legitimate tools like UltraVNC for remote access. Known for prior attacks on oil, gas, and telecom sectors in the Middle East and Africa, Siamesekitten’s recent focus highlights its shift to Israeli targets for espionage and data theft.

    read more about Siamesekitten APT Targets Israeli IT Firms with Supply Chain Attacks
  6. Public

    Domestic Kitten: Inside Iran's Surveillance Campaign Against Citizens

    APT-C-50's Domestic Kitten surveillance operation, linked to the Iranian government, targets over 1,200 Iranian citizens including dissidents, opposition forces, and minorities. Since 2017, ten campaigns delivered the FurBall malware via Iranian blogs, Telegram channels, and SMS links. FurBall collects device data, call logs, SMS messages, and media files, tracking victims' activities. It leverages commercially available parental control software, KidLogger, for its operations. This extensive surveillance continues with four active campaigns as of November 2020.

    read more about Domestic Kitten: Inside Iran's Surveillance Campaign Against Citizens
  7. Public

    Election Interference Exposed: Iranian APT Scans and Exploits U.S. Voter Data

    The joint advisory from CISA and the FBI reveals that an Iranian advanced persistent threat (APT) actor targeted U.S. state websites, specifically election websites, in an attempt to influence the 2020 presidential election. The actor employed methods like scanning with Acunetix, exploiting public-facing applications, and using VPN services to masquerade their operations. The APT also attempted to access and distribute U.S. voter registration data, which was subsequently used in disinformation campaigns misleadingly attributed to domestic sources. The operations spanned from September 20 to October 17, 2020, aiming to compromise election infrastructure and gather sensitive information.

    read more about Election Interference Exposed: Iranian APT Scans and Exploits U.S. Voter Data
  8. Public

    Cyber Threats from Iranian APT Actors to U.S. Electoral Integrity

    Iranian APTs are suspected of attempting to disrupt the U.S. electoral process to undermine public confidence and create discord among voters. These activities have included the creation of fictitious and spoofed media sites to distribute misinformation about voter issues, utilizing voter-registration data, and spreading anti-American sentiments. The APT groups have exploited critical vulnerabilities such as CVE-2020-5902 and CVE-2017-9248, impacting VPNs and content management systems, to conduct distributed denial-of-service (DDoS) attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.

    read more about Cyber Threats from Iranian APT Actors to U.S. Electoral Integrity
  9. Public

    Lyceum APT Targets Middle Eastern Oil, Gas, and Telecom Sectors

    The Lyceum APT targets the oil, gas and telecommunications sectors in the Middle East, focusing on credential theft and network infiltration through a multi-stage attack chain. The initial infection involves malicious Microsoft Office documents that deploy DanDrop, a VBA-based malware dropper that installs DanBot, a remote access Trojan used for ongoing control. The group also uses PowerShell scripts, including keyloggers and credential decryption tools, to gather sensitive data from Active Directory and RDCMan configurations. The sophisticated attack chain used by this cybercrime group highlights the ongoing threat to critical infrastructure in the Middle East.

    read more about Lyceum APT Targets Middle Eastern Oil, Gas, and Telecom Sectors
  10. Public

    Rampant Kitten: Iranian Cyber Espionage Campaign Exposed

    Check Point Research uncovered an ongoing Iranian espionage campaign, Rampant Kitten, targeting Iranian expats and dissidents. The attackers used Windows infostealers to steal personal documents and access Telegram and KeePass accounts. They employed Android backdoors to intercept SMS-based 2FA codes and record audio, and also created Telegram phishing pages. The campaign's initial infection vector involved a malicious document exploiting external template loading. Key targets included anti-regime organizations and minority resistance groups such as AFALR and Azerbaijan National Resistance Organization. The malware utilized SOAP for communication and featured sophisticated persistence and data exfiltration techniques.

    read more about Rampant Kitten: Iranian Cyber Espionage Campaign Exposed
  11. Public

    PIONEER KITTEN: Exploiting VPN Vulnerabilities to Target Sensitive Sectors

    Pioneer Kitten, an Iran-based adversary active since 2017, targets North American and Israeli entities of intelligence interest, including technology, government, defense, and healthcare sectors. The group relies on exploiting vulnerabilities in VPNs and network appliances (e.g., CVE-2019-11510, CVE-2019-19781, CVE-2020-5902) for initial access, and uses open-source tools like Ngrok and SSHMinion for SSH tunneling and RDP for hands-on activity. Recently, PIONEER KITTEN was seen selling access to compromised networks on underground forums, indicating an attempt to diversify revenue streams.

    read more about PIONEER KITTEN: Exploiting VPN Vulnerabilities to Target Sensitive Sectors
  12. Public

    Iranian Threat Group ITG18 Exposed: Targeting US Military and Political Campaigns

    IBM X-Force IRIS uncovered extensive details on ITG18 through operational errors. Over 40 GB of data and videos revealed ITG18’s targeting of U.S. Navy and Hellenic Navy personnel, U.S. presidential campaigns, pharmaceutical companies, and Iranian-American figures. The group employed credential harvesting, phishing, and email compromise, often using Zimbra to manage compromised accounts. ITG18's operations align with Iranian strategic interests, leveraging personal accounts to gather sensitive data on military operations and geopolitical targets. Multifactor authentication posed challenges, causing operators to pivot to new targets.

    read more about Iranian Threat Group ITG18 Exposed: Targeting US Military and Political Campaigns
  13. Public

    RogueRobin DNS Tunneling: A Look at DarkHydrus' Cyber Espionage Tactics

    The RogueRobin malware, developed by the DarkHydrus group, employs DNS tunneling for covert communications in cyberattacks targeting government and educational institutions. The malware appears in two variants: a PowerShell and a .NET executable, both facilitating commands and control operations via encoded DNS queries. This series explores differences in their operation, emphasizing persistence methods and anti-analysis tactics. The technical nuances of RogueRobin, including its innovative DNS record types, highlight its role in sophisticated cyber espionage campaigns.

    read more about RogueRobin DNS Tunneling: A Look at DarkHydrus' Cyber Espionage Tactics
  14. Public

    Credential and Information Theft: APT33's Job Scam Campaign

    Iranian APT33 has been detected running a phishing campaign that employs fake job scams to lure victims. The campaign aims for credential theft, information theft, and unauthorized remote access. While the targeted sectors and countries are not specified, the indicators of compromise involve domain names like "www[.]global-careers[.]org" and filenames such as "JobDescription.zip" and "JobDescription.vbe".

    read more about Credential and Information Theft: APT33's Job Scam Campaign
  15. Public

    Inside Hexane: Sophisticated Cyber Tools and Tactics Targeting Critical Industries

    Hexane (LYCEUM), a threat actor primarily targeting the Middle East’s oil, gas, and telecommunications sectors, has expanded its attack methods. Using spear-phishing emails with malicious Excel macros, the group delivers DanBot, a RAT capable of DNS and HTTP-based command and control, file transfer, and command execution. Additional tools include a PowerShell-based keylogger, credential decryption scripts, and LDAP data-extraction tools targeting Active Directory accounts. They employ social engineering, password spraying, and DNS tunneling to maintain access, frequently rotating C2 infrastructure. The group’s activity indicates continued cyber threats within these critical sectors.

    read more about Inside Hexane: Sophisticated Cyber Tools and Tactics Targeting Critical Industries
  16. Public

    APT33 Elevates C2 Capabilities with New PowerShell Malware

    The article provides a detailed analysis of a sophisticated PowerShell malware linked to APT33, a notable cyber threat group. It examines a specific file associated with this malware, highlighting its capabilities and behaviors. The malware includes a variety of functions such as privilege escalation, data encryption and decryption, file uploading and downloading, and a mechanism for capturing screenshots. It also features a complex command structure for interacting with a control server, and implements persistence methods through WMI event filters and registry modifications. The analysis contributes to the broader understanding of APT33's tactics and tools.

    read more about APT33 Elevates C2 Capabilities with New PowerShell Malware
  17. Public

    DarkHydrus Resurfaces with New Trojan Leveraging Google Drive for C2 Activities

    DarkHydrus, an adversary group operating primarily in the Middle East, has resumed activities with new tactics, tools, and procedures (TTPs). Recently analyzed by security researchers, the group has been deploying a new variant of the RogueRobin trojan, which now utilizes Google Drive API for command and control (C2) communications. This shift to using legitimate cloud services for C2 indicates an evolution in their operational tactics. The trojan, delivered through macro-enabled Excel documents, exhibits sophisticated evasion techniques, including environment checks and dynamic DNS to mask its C2 communications. The analysis revealed the use of typosquatting and open-source penetration testing tools, underscoring the group’s persistent and evolving threat landscape.

    read more about DarkHydrus Resurfaces with New Trojan Leveraging Google Drive for C2 Activities
  18. Public

    Domestic Kitten: Iranian Surveillance on Citizens Using Malicious Mobile Apps

    The Domestic Kitten campaign, an Iranian surveillance operation active since 2016, targets Iranian citizens, including Kurdish and Turkish natives and ISIS supporters, using malicious mobile apps. These apps, disguised as legitimate, collect sensitive information such as contact lists, call records, SMS messages, browser history, geo-location, photos, and surrounding voice recordings. The stolen data is encrypted and exfiltrated to C&C servers, with IP addresses linked to Iranian origins. The operation's infrastructure suggests involvement by Iranian government entities like the IRGC and Ministry of Intelligence.

    read more about Domestic Kitten: Iranian Surveillance on Citizens Using Malicious Mobile Apps
  19. Public

    Unveiling APT33’s Dropshot: Decrypting the Sophisticated Wiper Malware

    APT33’s Dropshot, also known as StoneDrill, is a sophisticated wiper malware targeting organizations primarily in Saudi Arabia. Dropshot uses advanced anti-emulation techniques and obfuscation to evade detection. The malware decrypts its payload from an encrypted resource and employs anti-emulation strategies, including invalid Windows API calls. It also leverages zlib for decompression. This analysis focuses on decrypting Dropshot's encrypted resource to understand its functionality. The malware's association with APT33 and similarities to the Shamoon malware underscore its threat to targeted sectors.

    read more about Unveiling APT33’s Dropshot: Decrypting the Sophisticated Wiper Malware
  20. Public

    APT33's Dropshot Malware: Advanced Evasion Techniques Unveiled

    APT33's Dropshot malware, also known as StoneDrill, targeted organizations primarily in Saudi Arabia. Dropshot, a sophisticated wiper malware, employs advanced anti-emulation techniques and string encryption to evade detection and analysis. The malware's high entropy suggests packed or compressed data, particularly in the .rsrc section, indicating hidden malicious content. This analysis focuses on decrypting the strings within Dropshot.

    read more about APT33's Dropshot Malware: Advanced Evasion Techniques Unveiled
  21. Public

    Espionage Operations by Flying Kitten Impact US, Israel, and Academia

    The Flying Kitten group conducted extensive espionage and surveillance campaigns from 2013 to 2014. Utilizing spearphishing, social engineering, and the "Stealer" malware, they targeted high-profile individuals, security researchers, and various sectors. The campaigns involved compromised social media accounts and phishing domains to gather credentials and sensitive information. The malware recorded keystrokes, took screenshots, and collected system data, focusing on credential harvesting rather than file exfiltration. This activity impacted targets in the United States, Israel, and global academia and business sectors.

    read more about Espionage Operations by Flying Kitten Impact US, Israel, and Academia
  22. Public

    Flying Kitten to Rocket Kitten: Persistent Phishing Threats from Iran

    The Iranian cyber groups Flying Kitten and Rocket Kitten exhibited overlapping tactics in credential theft and spearphishing, targeting entities in sectors like media, education, and technology across the UK, US, and Iran. Utilizing domains that mimicked legitimate services, such as Google and Microsoft, they orchestrated phishing campaigns to harvest user credentials. Their operations involved shared phishing toolkits and malware, including a keylogger, with connections back to Iranian infrastructure. Despite cessation of Flying Kitten activities post-2014, their tools and tactics were resurrected by Rocket Kitten, highlighting the persistent threat posed by these actors.

    read more about Flying Kitten to Rocket Kitten: Persistent Phishing Threats from Iran
  23. Public

    Saudi Arabian Government Hit by Stealthy Macro Malware

    A Saudi Arabian Government entity has been targeted by an innovative attack that relies on macros within malicious Word documents and leverages various scripts rather than a binary payload. The attack uses a VBScript to lower security settings within Microsoft Word and Excel and fetches data from Pastebin. A PowerShell script then communicates with the C2 server and exfiltrates data, persistently remaining undetected and continuing to collect information from the targeted system. The primary targeted sector is the Government.

    read more about Saudi Arabian Government Hit by Stealthy Macro Malware
  24. Public

    TwoFace Webshell: Persistent Threat in Middle Eastern Networks

    Unit 42 uncovered the TwoFace webshell, a sophisticated dual-component tool used by attackers for prolonged unauthorized access within a Middle Eastern organization's network. The TwoFace webshell enabled execution of various commands and facilitated lateral movement by copying itself across servers. The intruders utilized Mimikatz to harvest credentials and orchestrated their attacks from multiple international IP addresses, suggesting a broad geographic operational footprint. Analysis revealed that the attackers maintained access since at least June 2016, using obfuscated C# code on ASP.NET servers to remain undetected and manage the webshell payload.

    read more about TwoFace Webshell: Persistent Threat in Middle Eastern Networks