Threats Feed
- Public
Emennet Pasargad Expands Tactics in Targeting Israel and Allied Nations
The Iranian cyber group Emennet Pasargad, also known as Aria Sepehr Ayandehsazan, targeted sectors in Israel and the United States, employing new tactics such as cover personas and fictitious hosting providers. Its operations included cyber-enabled influence campaigns during the 2024 Olympics and the collection of IP camera data to amplify psychological impact. Emennet Pasargad created custom personas, such as "Cyber Court," to support hacktivist activities and targeted U.S.-based streaming services for influence operations. They also leveraged open-source information on Israeli personnel to increase targeting precision, demonstrating an advanced combination of infrastructure obfuscation, influence tactics, and direct compromise efforts.
Phishing Attack in Armenia Shows Possible MuddyWater TTPs with PowerShell Use
A recent phishing campaign has targeted Armenian individuals through a benign Word document containing a link that directs users to a fake CAPTCHA page. Victims who follow the prompts inadvertently activate a "PasteJacking" technique, where malicious PowerShell code is silently copied and executed in the system's Run box. This script installs PDQ RMM, a legitimate remote management tool, granting attackers remote access without relying on traditional malware. Indicators point to possible attribution to MuddyWater, based on specific social engineering tactics, PowerShell usage, and open-source adaptations, although a definitive link remains unconfirmed. The incident underscores the use of targeted social engineering attacks against Armenian-speaking users, with potential geopolitical implications.
Brute Force and MFA Push Bombing Tactics Used in Iranian Cyber Campaign
Iranian cyber actors targeted critical infrastructure sectors in the US, Canada, and Australia, including healthcare, government, energy, and IT organisations. The attackers used password spraying and MFA push bombing to obtain valid accounts and access systems such as Microsoft 365, Azure, and Citrix. They used open source tools to gain access to credentials, including Kerberos SPN enumeration and Active Directory dumps. In some cases, the attackers attempted to exploit the Netlogon vulnerability for privilege escalation. In addition, the actors used living-off-the-land tools for discovery, identifying domain controllers, trusted domains and administrative accounts.
Charming Kitten Targets NGOs and Media with Phishing Attacks via WhatsApp
Charming Kitten has launched a new cyber campaign targeting NGOs and media organizations in Western and Middle Eastern countries. The campaign begins with initial contact via a Yahoo email, followed by a phishing link sent through WhatsApp. To build credibility, attackers may initiate silent WhatsApp voice calls before redirecting victims to a phishing site designed to mimic Google Meet. This page, hosted on Google Sites, employs an EventListener script to capture any entered data and send it to the attackers' server. Indicators of compromise include the domain atlanticcouncil[.]site and specific WhatsApp numbers.
Earth Simnavaz Targets UAE and Persian Gulf Energy Sector with Advanced Cyber Espionage
Earth Simnavaz, also known as APT34 or OilRig, has been targeting governmental entities in the UAE and Gulf region, focusing on the energy sector and critical infrastructure. The group uses sophisticated tactics, including the exploitation of Microsoft Exchange servers for credential theft and privilege escalation via CVE-2024-30088. They employ custom .NET tools, PowerShell scripts, and IIS-based malware to avoid detection. Additionally, the attackers utilize ngrok for persistent access and lateral movement, and manipulate password filters to extract plain-text credentials. These credentials are used for supply chain attacks, with a focus on exfiltrating sensitive data through compromised email servers.
Charming Kitten Resumes Phishing Campaigns Against Researchers and Activists
Since June 2024, the Iranian-linked threat group Charming Kitten (APT42) has continued to build phishing infrastructure, identified as Cluster B, to target individuals perceived as threats to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists. The group registered several new domains, likely intended to host credential phishing pages that masquerade as Google, YouTube, and file-hosting service login portals. Past campaigns have targeted individuals in the U.S., Israel, and Europe, primarily in the research, media, and academic sectors. The phishing emails often contain malicious links disguised as conference invitations or legitimate documents.
UNC1860 Targets Middle Eastern Networks with Specialized Tooling
UNC1860, an Iranian state-sponsored group likely affiliated with the Ministry of Intelligence and Security (MOIS), targets government and telecommunications sectors in the Middle East, particularly in Saudi Arabia, Qatar, and Israel. The group acts as an initial access provider, exploiting vulnerabilities in internet-facing servers and deploying web shells like STAYSHANTE. Custom tools, such as TEMPLEPLAY and VIROGREEN, allow for remote access and further exploitation. UNC1860's operations are characterised by passive backdoors, credential validation, and stealthy malware that facilitates long-term persistence and hand-off to other threat actors. It's likely that the group has supported disruptive campaigns in the region.
Veaty and Spearal Malware Used in Targeted Iraqi Government Attacks
Check Point Research has discovered new malware, Veaty and Spearal, used in Iran-linked cyber attacks against Iraqi government infrastructure. The malware uses techniques such as passive IIS backdoors, DNS tunneling, and compromised email accounts for C2 communications. The attackers also used social engineering tactics and double-extension files to trigger infections. Spearal communicates via DNS queries, while Veaty uses compromised email accounts within the gov-iq.net domain. The campaign, which has ties to the APT34 group, targets Iraqi government agencies and demonstrates a sophisticated and persistent threat to Iraqi infrastructure.
IRGC-Linked Campaign Uses Fake Recruitment to Target Farsi Speakers Worldwide
Mandiant has uncovered an Iranian counterintelligence operation aimed at gathering data on Iranians and domestic threats potentially collaborating with foreign intelligence agencies, particularly in Israel. The operation involved fake recruitment websites, disseminated via social media, that lured Farsi-speaking individuals into providing personal and professional details. This data is likely used to identify and persecute Iranian dissidents, activists, and human rights advocates. The campaign, linked to Iran’s IRGC and APT42, operated from 2017 to 2024 and extends beyond Iran to target individuals connected to Syria and Hezbollah.
Malware Masquerading as Palo Alto GlobalProtect Targets Middle Eastern Organizations
Threat actors are targeting users in the Middle East with malware disguised as the Palo Alto GlobalProtect VPN tool. Likely delivered through phishing, the malware employs a two-stage infection chain initiated via a malicious setup.exe. It uses advanced command-and-control (C2) infrastructure, including newly registered domains like “sharjahconnect” and the Interactsh project for beaconing. Written in C#, the malware supports remote PowerShell execution, file download/exfiltration, and AES-encrypted communications. It also features sandbox evasion, system information gathering, and beaconing mechanisms to track infection stages. This campaign highlights significant threats to organizations in the region, particularly those reliant on VPN-based remote access.
Peach Sandstorm Targets US and UAE Critical Sectors with Tickler Malware
Between April and July 2024, Iranian state-sponsored group Peach Sandstorm deployed a custom backdoor called Tickler in intelligence-gathering operations against satellite, communications, oil and gas, and government sectors in the US and UAE. Their tactics included password spray attacks and LinkedIn-based social engineering. Tickler malware leveraged Azure infrastructure for command-and-control (C2) and utilized DLL files for persistence. Peach Sandstorm also accessed compromised Active Directory accounts to further exploit targeted environments. Their evolving tradecraft demonstrates a persistent focus on the intelligence sector, including higher education, government, and defense.
Iran-Based Hackers Target U.S. Sectors, Collaborate with Ransomware Affiliates
Iran-based cyber actors linked to the Iranian government are exploiting organisations across multiple sectors in the US, including education, finance, healthcare, defence, and local government, as well as targets in Israel, Azerbaijan, and the UAE. Since 2017, these actors have focused on gaining and monetising network access, working with ransomware affiliates such as NoEscape, Ransomhouse, and ALPHV (BlackCat). They exploit vulnerabilities in internet-facing services such as Check Point, Palo Alto Networks and Citrix. They also use tools such as AnyDesk, PowerShell, Ligolo and NGROK for persistence and command and control.
APT42’s Fake Support Agents on WhatsApp Target Political Officials
APT42 used fake WhatsApp accounts posing as technical support from AOL, Google, Yahoo and Microsoft to target individuals in Israel, Palestine, Iran, the United States and the United Kingdom. Targets included political and diplomatic officials, as well as public figures associated with the Biden and Trump administrations. The campaign, identified through user reports, included phishing attempts but did not result in account compromise. APT42 is known for phishing-based credential theft, with previous campaigns targeting public officials, activists and academics.
GreenCharlie Targets US Political Campaigns with Advanced Malware and Phishing
Iranian APT group GreenCharlie, linked to Mint Sandstorm and APT42, has been targeting US political campaigns and affiliates since May 2024 through advanced spearphishing and malware operations. The group leverages dynamic DNS domains, VPNs, and compromised infrastructure to conduct espionage activities. Malware variants such as GORBLE, POWERSTAR, and TAMECAT were deployed, showing significant code overlap. GreenCharlie’s infrastructure, associated with Iran-based IPs, supports its campaigns against high-value targets, including research analysts, diplomats, and government officials. The group likely operates under the Islamic Revolutionary Guard Corps (IRGC).
TA453 Targets Jewish Religious Leader with Sophisticated BlackSmith Malware
Iranian threat actor TA453 targeted a prominent Jewish religious figure with a fake podcast invitation, delivering the new BlackSmith malware toolkit. The attack leveraged spearphishing links and malicious LNK files to deploy the AnvilEcho PowerShell trojan. AnvilEcho consolidates TA453’s previous malware capabilities into a single script, facilitating intelligence gathering and system reconnaissance. The malware evades detection through obfuscation, steganography, and encrypted communications with TA453-controlled infrastructure. The operation, aligned with Iranian government interests, highlights TA453’s evolving tactics to support espionage.
APT42 Targets Israeli and U.S. High-Profile Sectors with Sophisticated Phishing Campaigns
APT42 has intensified its phishing campaigns against Israel and the U.S., targeting high-profile individuals in the military, defense, diplomatic, academic, and NGO sectors. The group uses spearphishing emails, typosquatting domains, and social engineering tactics to harvest credentials and gain unauthorized access to accounts. Recent campaigns included the use of benign PDF attachments and phishing kits capable of bypassing multi-factor authentication.
Iran's Cyber Operations Target 2024 US Presidential Election
It has been established that Iranian threat actors have initiated cyber-enabled influence operations targeting the 2024 US presidential election. Groups such as Sefid Flood are impersonating social and political activist groups with the intention of undermining trust in authorities and sowing discord. Iran's Islamic Revolutionary Guard Corps (IRGC)-linked Mint Sandstorm has been observed conducting spear-phishing campaigns against US presidential campaigns, while Peach Sandstorm has been engaged in password spray attacks on local government accounts. Additionally, the Iranian network Storm-2035 has been identified as operating covert news websites with the objective of polarising US voters. These operations represent part of a broader effort by Iran to interfere with elections in the US and other countries like Bahrain and Israel, often targeting political and government sectors.
Handala Hack Intensifies Cyberattacks on Israeli Critical Infrastructure
Handala has been targeting Israeli critical infrastructure and entities since December 2023. Their activities include phishing campaigns, ransomware attacks, and website defacements, often releasing partial evidence of success to bolster their reputation. Notable incidents include attacks on Israel's Iron Dome radar systems, a ransomware assault on Ma’agan Michael Kibbutz, and an alleged data breach of Zerto, a Hewlett Packard Enterprise subsidiary. The group utilizes sophisticated methods, including phishing links and attachments, to compromise and exfiltrate sensitive data. Handala is considered a serious cyber threat, primarily targeting Israel's critical sectors.
MuddyWater Targets Global Sectors with Phishing and BugSleep Backdoor
MuddyWater has ramped up cyber activities targeting Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal amid the Israel-Hamas war. Their campaigns utilize phishing emails from compromised accounts, deploying RMM tools like Atera Agent and the new BugSleep backdoor. BugSleep, under continuous development, executes commands and transfers files to C&C servers. The group targets various sectors, including Israeli municipalities, airlines, and journalists. They exploit platforms like Egnyte for phishing and use techniques such as sandbox evasion and process injection. Over 50 spear phishing emails have targeted multiple sectors since February 2024.
MuddyWater Shifts Tactics: New MuddyRot Malware in Spear Phishing Attacks
The MuddyWater group has updated its tactics in targeting entities in Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel. The group shifted from using the Atera RMM tool to deploying a new implant called MuddyRot. Recent campaigns involved spear phishing with PDF-embedded links, leading to malware downloads. MuddyRot features reverse shell capabilities, dynamic API loading, and obfuscated communication over port 443. It establishes persistence via scheduled tasks and exploits public-facing applications for initial access. This campaign primarily targets sectors involving Western and Middle Eastern entities.
Void Manticore and Scarred Manticore's Coordinated Cyber Assaults Unveiled
Void Manticore, an Iranian threat actor, executed destructive cyberattacks in Israel and Albania, targeting government sectors. They collaborated with Scarred Manticore, using CVE-2019-0604 for initial access, followed by custom tools like Foxshell and Liontail for command execution. The attacks involved data exfiltration and the deployment of wipers, including the custom BiBi wiper. The group employed Remote Desktop Protocol (RDP) for lateral movement and leveraged Domain Admin credentials for network control. Information leaks were disseminated through personas "Karma" and "Homeland Justice".
APT42: Iranian Cyber Espionage Campaign Targets Global NGO and Media Sectors
APT42 has been actively targeting NGOs, media, academia, legal services, and activists in Western and Middle Eastern countries. Using sophisticated social engineering tactics, APT42 poses as journalists and event organizers to deliver malware through spear phishing, harvesting credentials to access cloud environments. They deploy custom backdoors like NICECURL and TAMECAT for initial access and data exfiltration, utilizing built-in tools and open-source resources to remain undetected. The group employs masquerading techniques and typo-squatted domains to facilitate their campaigns.
Seedworm Leverages Atera Agent in Sophisticated Spear-Phishing Scheme
Seedworm, also known as MuddyWater, is exploiting the Atera Agent, a legitimate remote monitoring and management (RMM) tool, in its spear-phishing campaigns. The group uses Atera’s 30-day free trial offers to register agents with compromised email accounts, enabling them to access targeted systems remotely without needing their own command-and-control infrastructure. Atera’s capabilities include file upload/download, interactive shell access, and AI-powered command assistance through its web UI. Seedworm distributes the malicious RMM installers hosted on free file platforms via spear-phishing emails, though the specific targeted countries and sectors are not mentioned in the report.
MuddyWater Expands Cyber Espionage Tactics Using Atera Agents Across Multiple Sectors
The Iranian state-sponsored threat actor MuddyWater has escalated its cyberattacks using the Atera Agent, a legitimate remote monitoring and management (RMM) tool. By exploiting Atera's free trial offers, MuddyWater registered agents with compromised or purpose-created email accounts and distributed them through spearphishing campaigns. The group's advanced social engineering and operational security tactics facilitated stealthier operations. Targeted sectors include Airlines, IT, Telecommunications, Pharmaceuticals, Automotive Manufacturing, Logistics, Travel and Tourism, and Employment/Immigration agencies across Israel, India, Algeria, Turkey, Italy, and Egypt.