Threats Feed

Iran-based cyber actors linked to the Iranian government are exploiting organisations across multiple sectors in the US, including education, finance, healthcare, defence, and local government, as well as targets in Israel, Azerbaijan, and the UAE. Since 2017, these actors have focused on gaining and monetising network access, working with ransomware affiliates such as NoEscape, Ransomhouse, and ALPHV (BlackCat). They exploit vulnerabilities in internet-facing services such as Check Point, Palo Alto Networks and Citrix. They also use tools such as AnyDesk, PowerShell, Ligolo and NGROK for persistence and command and control.

APT42 used fake WhatsApp accounts posing as technical support from AOL, Google, Yahoo and Microsoft companies to target individuals in Israel, Palestine, Iran, the United States and the United Kingdom. Targets included political and diplomatic officials, as well as public figures associated with the Biden and Trump administrations. The campaign, identified through user reports, included phishing attempts but did not result in account compromise. APT42 is known for phishing credential theft, with previous campaigns targeting public officials, activists and academics.

Iranian APT group GreenCharlie, linked to Mint Sandstorm and APT42, has been targeting US political campaigns and affiliates since May 2024 through advanced spearphishing and malware operations. The group leverages dynamic DNS domains, VPNs, and compromised infrastructure to conduct espionage activities. Malware variants such as GORBLE, POWERSTAR, and TAMECAT were deployed, showing significant code overlap. GreenCharlie’s infrastructure, associated with Iran-based IPs, supports its campaigns against high-value targets, including research analysts, diplomats, and government officials. The group likely operates under the Islamic Revolutionary Guard Corps (IRGC).

Iranian threat actor TA453 targeted a prominent Jewish religious figure with a fake podcast invitation, delivering the new BlackSmith malware toolkit. The attack leveraged spearphishing links and malicious LNK files to deploy the AnvilEcho PowerShell trojan. AnvilEcho consolidates TA453’s previous malware capabilities into a single script, facilitating intelligence gathering and system reconnaissance. The malware evades detection through obfuscation, steganography, and encrypted communications with TA453-controlled infrastructure. The operation, aligned with Iranian government interests, highlights TA453’s evolving tactics to support espionage.

APT42 has intensified its phishing campaigns against Israel and the U.S., targeting high-profile individuals in the military, defense, diplomatic, academic, and NGO sectors. The group uses spearphishing emails, typosquatting domains, and social engineering tactics to harvest credentials and gain unauthorized access to accounts. Recent campaigns included the use of benign PDF attachments and phishing kits capable of bypassing multi-factor authentication.

It has been established that Iranian threat actors have initiated cyber-enabled influence operations targeting the 2024 US presidential election. Groups such as Sefid Flood are impersonating social and political activist groups with the intention of undermining trust in authorities and sowing discord. Iran's Islamic Revolutionary Guard Corps (IRGC)-linked Mint Sandstorm has been observed conducting spear-phishing campaigns against US presidential campaigns, while Peach Sandstorm has been engaged in password spray attacks on local government accounts. Additionally, the Iranian network Storm-2035 has been identified as operating covert news websites with the objective of polarising US voters. These operations represent part of a broader effort by Iran to interfere with elections in the US and other countries like Bahrain and Israel, often targeting political and government sectors.

Handala has been targeting Israeli critical infrastructure and entities since December 2023. Their activities include phishing campaigns, ransomware attacks, and website defacements, often releasing partial evidence of success to bolster their reputation. Notable incidents include attacks on Israel's Iron Dome radar systems, a ransomware assault on Ma’agan Michael Kibbutz, and an alleged data breach of Zerto, a Hewlett Packard Enterprise subsidiary. The group utilizes sophisticated methods, including phishing links and attachments, to compromise and exfiltrate sensitive data. Handala is considered a serious cyber threat, primarily targeting Israel's critical sectors.

MuddyWater has ramped up cyber activities targeting Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal amid the Israel-Hamas war. Their campaigns utilize phishing emails from compromised accounts, deploying RMM tools like Atera Agent and the new BugSleep backdoor. BugSleep, under continuous development, executes commands and transfers files to C&C servers. The group targets various sectors, including Israeli municipalities, airlines, and journalists. They exploit platforms like Egnyte for phishing and use techniques such as sandbox evasion and process injection. Over 50 spear phishing emails have targeted multiple sectors since February 2024.

The MuddyWater group has updated its tactics in targeting entities in Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel. The group shifted from using the Atera RMM tool to deploying a new implant called MuddyRot. Recent campaigns involved spear phishing with PDF-embedded links, leading to malware downloads. MuddyRot features reverse shell capabilities, dynamic API loading, and obfuscated communication over port 443. It establishes persistence via scheduled tasks and exploits public-facing applications for initial access. This campaign primarily targets sectors involving Western and Middle Eastern entities.

The Iranian hacktivist group Lord Nemesis, also known as 'Nemesis Kitten,' targeted the Israeli academic sector via a supply chain attack on Rashim Software, a provider of academic administration and training software. They breached Rashim's infrastructure and accessed its clients, including numerous academic institutions, by using stolen credentials and exploiting admin accounts on customer systems. This allowed them to extract sensitive data, circumvent multi-factor authentication, and instill fear by releasing findings and sending ominous warnings. The attack highlights the significant risks posed by third-party vendors and demonstrates the group's sophisticated planning and understanding of targeted IT environments.

In March 2024, the National Cyber Directorate of Israel detected a sophisticated phishing campaign attributed to the Iranian group MuddyWater. This campaign, primarily targeting government and local government sectors in Israel, employs phishing emails with links to malicious ZIP files hosted on Onehub. These files contain the ScreenConnect tool, which enables remote control over compromised computers, allowing for sustained network access. MuddyWater is known for its expertise in social engineering and exploiting vulnerabilities, actively targeting sectors like aviation, academia, communications, government, and energy. Their focus is on maintaining a stealthy presence to facilitate further malicious activities.

The Menorah malware, used by the APT34 threat group to target organisations in the Middle East, creates a mutex to ensure single-instance operation. The malware exfiltrates data and executes commands from a hardcoded command and control (C2) server. These commands include creating processes, listing files, downloading files and exfiltrating arbitrary data. The analysis provides technical details, including SHA256 hashes, mutex identifiers and the address of the C2 server, to aid detection and response efforts.

A phishing malware campaign targeting Albanian governmental entities was discovered, involving an archived file named "kurs trajnimi.zip." The malware uses "ScreenConnectWindowsClient.exe" for command-and-control (C2) operations, exploiting CVE-2023-36778, a Microsoft Exchange Server vulnerability. Static analysis revealed techniques for screen capture, anti-analysis, and system discovery. The malicious program requires Administrator or SuperUser privileges to execute, indicating an intent to evade detection and exploit higher-level system resources.

Charming Kitten, an Iran nexus threat actor group, used the Sponsor backdoor to target 34 entities across Brazil, Israel, and UAE. Initial access was gained by exploiting Microsoft Exchange vulnerabilities (CVE-2021-26855). The campaign targeted various sectors, including automotive, communications, engineering, financial services, healthcare, insurance, legal, manufacturing, retail, technology, and telecommunications. Sponsor backdoor, disguised as an updater program, used discreetly deployed batch files to evade detection. Charming Kitten also deployed tools like Plink, Merlin agent, Mimikatz, and Meterpreter reverse shells.

Peach Sandstorm, an Iranian threat actor, has conducted password spray attacks since February 2023 against global organizations, notably in the satellite, defense, and pharmaceutical sectors. These attacks originated from TOR IPs and employed a mix of public and custom tools like AzureHound and Roadtools for reconnaissance. Once inside the network, the group established persistence through mechanisms like Azure subscriptions and Azure Arc. They also attempted to exploit vulnerabilities in Zoho ManageEngine and Confluence. Some instances involved data exfiltration and lateral movement using techniques like Golden SAML and remote desktop protocol (RDP).

APT33, an Iranian threat group active since 2013, targets multiple countries and sectors, primarily focusing on Saudi Arabia and the United States. The group employs spear phishing with malicious attachments and links, watering hole attacks, and uses both custom and commodity malware, including the Shamoon data-wiper. They exploit known vulnerabilities and leverage stolen credentials to gain access. Key targets include government, aerospace, petrochemical, engineering, finance, and telecom industries. APT33’s infrastructure includes domain masquerading and compromised servers. Recent activities include targeting cloud infrastructure and using spoofed domains to distribute malware.

The Ballistic Bobcat (aka Charming Kitten) threat group exploited known vulnerabilities in Microsoft Exchange servers, particularly CVE-2021-26855, to gain initial access to 34 organizations, primarily located in Israel. The group employed a backdoor known as Sponsor and relied on a modular approach that used both configuration files and batch files to evade detection. Besides, the group utilized a range of open-source tools for various activities, including tunneling and credential dumping. The victims are from diverse sectors but are mainly opportunistic rather than specifically targeted. Two victims were identified outside Israel, in Brazil and the UAE, linked to healthcare and an unidentified organization.

The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Cyber National Mission Force (CNMF) identified multiple APT actors exploiting vulnerabilities in an Aeronautical Sector organization as early as January 2023. The actors targeted a public-facing application (Zoho ManageEngine ServiceDesk Plus) and the organization’s firewall device, exploiting CVE-2022-47966 and CVE-2022-42475. They gained unauthorized access, established persistence, moved laterally, and engaged in defense evasion by deleting logs. Although the attackers achieved extensive network enumeration and credential access, the report didn't confirm any data exfiltration.

APT34 has launched a new phishing campaign, using a decoy file named “GGMS Overview.doc” to target U.S.-based enterprises. The campaign employs a variant of the SideTwist Trojan for long-term control over victim hosts. Malicious macros in the document deploy the Trojan, which communicates with a C&C server. Interestingly, the C&C IP address is associated with the United States Department of Defense Network Information Center. The Trojan is capable of executing commands from the C&C and exfiltrating local files. It suggests the APT34 group might be conducting a test operation to preserve attack resources.

Charming Kitten has intensified its cyber espionage operations targeting Iranian dissidents, legal professionals, journalists, and human rights activists in Germany and abroad. According to the German BfV, the group uses detailed social engineering and spoofed online identities to initiate contact and build trust. Victims are lured into video calls via phishing links that mimic legitimate platforms like Google or Microsoft. These links lead to credential-harvesting sites, often intercepting two-factor authentication as well. Stolen credentials are then used to access cloud services and extract personal data using tools like Google Takeout.

In mid-May 2023, threat actor TA453 targeted a US-based nuclear security expert affiliated with a foreign affairs think tank using deceptive emails. After initial contact, TA453 deployed a novel PowerShell backdoor, GorjolEcho, via cloud hosting providers. Upon realizing the target used a Mac, they sent another malicious email that delivered Mac-specific malware, NokNok. TA453 operates in support of Iran's Islamic Revolutionary Guard Corps (IRGC), specifically focusing on entities and individuals in the foreign affairs sector, particularly those dealing with Middle Eastern affairs and nuclear security.

Deep Instinct's research team has uncovered a new Command and Control (C2) framework named PhonyC2, which is believed to be linked to the threat group MuddyWater. The PhonyC2 framework was found on a server connected to infrastructure previously used by MuddyWater in various cyberattacks, including the assault on Technion in Israel. This discovery suggests PhonyC2 is MuddyWater's latest tool for orchestrating cyber espionage and it's used in an active PaperCut exploitation. The code analysis revealed structural and functional similarities to MuddyWater's previous C2 frameworks (MuddyC3), reinforcing the attribution.

The Iranian cyber-espionage group, Charming Kitten, targeted an individual who published an article about Iran. The attackers impersonated a reporter and carried out a series of seemingly benign interactions before sending a malicious RAR file containing the POWERSTAR backdoor. The backdoor, once executed, collects system information and communicates with a command-and-control server via encrypted channels. The attackers employ several modules for system reconnaissance, establishing persistence, and cleaning up forensic evidence. Notably, they leveraged the InterPlanetary File System (IPFS) as a fallback mechanism for command-and-control communication.