Latest Update04/07/2025

Threats Feed

  1. Public

    DEV-0270's Cyber Offensive: A Profiling of Their Ransomware Operations

    The DEV-0270 group, believed to be linked to the Iranian organization Secnerd/Lifeweb, has been conducting ransomware operations primarily by exploiting known vulnerabilities in Exchange and Fortinet. The group typically targets organizations with exposed and vulnerable servers. Their tactics involve account discovery, credential dumping, account creation, process injection, privilege escalation, and data encryption. They also use evasion techniques like disabling antivirus tools, and masquerading malicious activities under legitimate processes. Notably, the group uses lateral movement methods like Remote Desktop Protocol and WMIExec for propagation across networks.

    read more about DEV-0270's Cyber Offensive: A Profiling of Their Ransomware Operations
  2. Public

    CodeRAT Targets Farsi-Speaking Developers with Innovative C2 Techniques

    SafeBreach Labs has discovered CodeRAT, a new remote access trojan (RAT) targeting Farsi-speaking software developers with capabilities ranging from espionage to data exfiltration. Delivered via a Word document that exploits Microsoft DDE, CodeRAT monitors activity in various applications, particularly those related to social networking and development tools. Uniquely, it uses public file upload APIs and Telegram groups for command and control, bypassing typical C2 infrastructure. The malware supports 50 commands, including clipboard capture, process control and file upload. The CodeRAT developer released the source code on GitHub after it was discovered by researchers.

    read more about CodeRAT Targets Farsi-Speaking Developers with Innovative C2 Techniques
  3. Public

    MERCURY Turns to SysAid Applications for Targeted Cyberattacks in Israel

    The Iran-based threat actor MERCURY, linked to Iran's Ministry of Intelligence and Security (MOIS), was detected exploiting Log4j 2 vulnerabilities in SysAid applications against organizations in Israel. Using these exploits for initial access, MERCURY established persistence, dumped credentials, and moved laterally within the targeted organizations. The actor also utilized both custom and well-known hacking tools alongside built-in operating system tools. Microsoft has implemented detections against MERCURY's tools in its Defender Antivirus and Defender for Endpoint and has directly notified customers targeted or compromised by MERCURY.

    read more about MERCURY Turns to SysAid Applications for Targeted Cyberattacks in Israel
  4. Public

    Charming Kitten's HYPERSCRAPE Tool Found Stealing User Data from Email Accounts

    A new tool called HYPERSCRAPE, discovered by Google Threat Analysis Group in December 2021, has been found to be used by Charming Kitten to steal user data from Gmail, Yahoo and Microsoft Outlook accounts. HYPERSCRAPE requires the victim's account credentials to run, and once logged in, it changes the account's language settings to English, downloads messages individually as .eml files, and reverts the language back to its original settings once the inbox has been downloaded.

    read more about Charming Kitten's HYPERSCRAPE Tool Found Stealing User Data from Email Accounts
  5. Public

    Yellow Garuda's New Arsenal: Telegram 'Grabber' Tool and Android Malware in Focus

    Yellow Garuda has been observed using a new Telegram 'grabber' tool alongside Android malware for domestic targeting, including victims likely linked to the Iranian music industry. The threat actor has been active since 2012, primarily using phishing attacks to harvest credentials. Despite operational security errors, Yellow Garuda has expanded its toolset to include macro-enabled template files. The observed document lures used themes related to nuclear energy, weapons, US shipping ports, and Iran's relationship with the Taliban, indicating potential targeting of a wide range of sectors.

    read more about Yellow Garuda's New Arsenal: Telegram 'Grabber' Tool and Android Malware in Focus
  6. Public

    Iranian APTs Exploit Media Sector for Credential Harvesting and Malware Delivery

    This Proofpoint report details the escalating targeting of journalists and media organisations by state-sponsored advanced persistent threats (APTs). The report highlights how groups linked to China (TA412, TA459), North Korea (TA404), Iran (TA453, TA456, TA457), and Turkey (TA482) are using a variety of methods, including phishing emails with malicious attachments or web beacons for reconnaissance and social media credential harvesting, to achieve their intelligence and propaganda goals. The report highlights the persistent nature of the threat, the variety of tactics used, and the importance of enhanced security measures for journalists to protect their sources and the integrity of their reporting. Ultimately, it aims to raise awareness of this specific cybersecurity threat and encourage proactive protection measures within the media sector.

    read more about Iranian APTs Exploit Media Sector for Credential Harvesting and Malware Delivery
  7. Public

    OilRig Campaigns: Phishing and PowerShell Attacks on Global Sectors

    AttackIQ has released attack graphs emulating OilRig’s operations against global sectors, based on reports from Mandiant, Intezer, and Palo Alto Networks. The 2020 social media phishing campaign used LinkedIn to distribute malicious documents, leading to the Tonedeaf backdoor installation, persistence via scheduled tasks, and credential dumping with tools like LaZagne. The 2018 QuadAgent campaign targeted technology service providers and government agencies with PowerShell malware, establishing persistence, and utilizing multi-channel command-and-control communication, including SSL, HTTP, and DNS.

    read more about OilRig Campaigns: Phishing and PowerShell Attacks on Global Sectors
  8. Public

    APT34’s Saitama Agent: Phishing and DNS Tunneling in Jordan

    APT34's Saitama Agent employs a spear phishing email with a malicious Excel attachment to deliver malware using unique DNS tunneling and stateful programming techniques. The Excel document contains a VBA macro that hides its activities and communicates with the C2 server using DNS requests. The macro checks for mouse connections, drops multiple files, and uses a scheduled task for persistence. The campaign appears to be targeting Jordan, leveraging a Jordanian government ministry's logo to deceive victims.

    read more about APT34’s Saitama Agent: Phishing and DNS Tunneling in Jordan
  9. Public

    Iranian Lyceum Group Deploys Malware Disguised as Adobe Update

    The Iranian SiameseKitten (Lyceum) group deployed new malware masquerading as an Adobe update, communicating with a command and control server. The malware includes a reverse shell and employs fake Microsoft certificates, echoing tactics seen with other Iranian groups like Phosphorus. The attack involved a lure PDF related to drone attacks in Iran, aiming to establish persistence via the Startup folder. The parent file and reverse shell were downloaded from domains registered on June 6th, highlighting the group's continued use of sophisticated detection avoidance techniques.

    read more about Iranian Lyceum Group Deploys Malware Disguised as Adobe Update
  10. Public

    MuddyWater's Malicious Macros: A Long-Term Threat to Middle Eastern Nations

    The MuddyWater threat group has been conducting a long-term infection campaign targeting Middle East countries since the last quarter of 2020. The campaign utilizes a malicious Word document containing VBA macros wrapped in a compressed file to compromise victims' systems. The VBA macros drop a concise VBS script, which functions as a small RAT, allowing the execution of commands via cmd and communication with a C2 server using HTTP GET and POST requests. The targeted countries include Pakistan, Kazakhstan, Armenia, Syria, Israel, Bahrain, Turkey, South Africa, Sudan, and others in the Middle East region.

    read more about MuddyWater's Malicious Macros: A Long-Term Threat to Middle Eastern Nations
  11. Public

    Phosphorus Targets Israeli and US Officials with Spear-Phishing

    This report from Check Point Research details an Iranian spear-phishing campaign targeting high-profile former Israeli and US officials. According to Check Point, the high-profile targets of this operation include Tzipi Livni, former Israeli Foreign Minister and Deputy Prime Minister; a former major general in the Israeli Defence Forces (IDF) who held a highly sensitive position; the chairman of a leading Israeli security think tank; a former US ambassador to Israel; the former chairman of a prominent Middle East research centre; and a senior executive in the Israeli defence industry. The attackers used sophisticated techniques, including email thread hijacking and a custom URL shortener, to trick victims into revealing sensitive information. A legitimate identity verification service was also exploited to steal identity documents. The report analyses the attack infrastructure, methods and possible attribution to the Iran-linked Phosphorus APT group, suggesting a motive that may be linked to escalating geopolitical tensions between Iran and Israel. The ultimate goal appears to be access to victims' inboxes and personally identifiable information (PII), although the possibility of physical harm is also considered.

    read more about Phosphorus Targets Israeli and US Officials with Spear-Phishing
  12. Public

    Iranian-Linked POLONIUM Targets Israeli Manufacturing and Defense Industries

    POLONIUM, suspected to be coordinating with Iran's Ministry of Intelligence and Security, is actively targeting Israeli organizations across multiple sectors such as critical manufacturing, IT, and defense. The group exploits supply chain vulnerabilities by compromising IT companies to further target downstream organizations like aviation companies and law firms. TTPs include custom implants like CreepyDrive that use cloud services for C2 and data exfiltration. MSTIC also notes overlap with Iranian groups MERCURY, CopyKittens, both in targeted victims and techniques like using AirVPN and OneDrive. Though unconfirmed, around 80% of victims were observed running Fortinet appliances, suggesting a potential CVE-2018-13379 exploitation.

    read more about Iranian-Linked POLONIUM Targets Israeli Manufacturing and Defense Industries
  13. Public

    Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

    Deep Instinct researchers detected suspicious activity in a Southern U.S. infrastructure and construction company, revealing an attempted compromise of an Exchange server by an Iranian APT, PHOSPHORUS. Seven exploitation attempts were made, including installation of a root certificate and blending malicious traffic with legitimate. The attacker used malware to create a new user account, setup RDP access, and establish a reverse proxy to connect to the compromised system. A new evasion technique, involving masking malicious domains within legitimate ones, was also detected. PHOSPHORUS activities can be traced back to June 2020.

    read more about Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack
  14. Public

    ENT-11: Iranian APT Group's PowGoop Attacks Uncovered

    The Iranian APT group ENT-11, also known as MuddyWater, has been using a variant of the PowGoop malware, dubbed "E400", targeting foreign governments, telecommunications, energy sectors, intergovernmental economic cooperation organizations, and the banking sector, primarily in the Middle East. Insights from NTT Security revealed dozens of PowGoop command and control servers dating back to October 2020. The group appears to be winding down operations with the E400-PowGoop variant, but it is expected to continue modifying its tools and creating new variants.

    read more about ENT-11: Iranian APT Group's PowGoop Attacks Uncovered
  15. Public

    TunnelVision Threat Actor Exploits Log4Shell Vulnerability in VMware Horizon Servers

    In early February 2022, the TunnelVision threat actor exploited a vulnerable VMware Horizon server using the Log4Shell vulnerability (CVE-2021-44228) to gain unauthorized access. The attack involved suspicious account creation, credential harvesting, and lateral movement using PSexec and RDP. The adversaries also harvested credentials using Procdump and downloaded Sysinternals and SSH tools. The intrusion was attributed to the Iranian-aligned TunnelVision activity cluster, based on observed TTPs and artifacts. The targeted sectors and countries are not specified in the report.

    read more about TunnelVision Threat Actor Exploits Log4Shell Vulnerability in VMware Horizon Servers
  16. Public

    Analysis of MuddyWater Malware Targeting Diverse International Sectors

    The analysis by multiple cybersecurity agencies, including the FBI and NSA, reveals MuddyWater's extensive use of the POWGOOP malware family among other malicious tools in cyber espionage activities. Targeting sectors such as telecommunications, defense, local government, and oil and natural gas, MuddyWater has impacted organizations across Asia, Africa, Europe, and North America. The analyzed malware employed techniques like DLL side-loading, PowerShell scripts for command execution, and data exfiltration via encrypted channels to C2 servers. These actions are part of a broader Iranian government-sponsored initiative, indicating a significant threat to global security infrastructure.

    read more about Analysis of MuddyWater Malware Targeting Diverse International Sectors
  17. Public

    The Rise Of GRAMDOOR And STARWHALE In The Middle East: UNC3313 Suspected

    The Iranian cyber espionage group UNC3313, also known as TEMP.Zagros and MuddyWater, has been identified as the perpetrator of a series of cyber attacks on Middle Eastern government and technology entities. The group used new targeted malware, GRAMDOOR and STARWHALE, to exploit vulnerabilities and gain unauthorized access. UNC3313 also utilized publicly available remote access software and modified open-source offensive security tools for lateral movement within the targeted systems. The group's activities suggest a strong focus on geopolitical targets and the telecommunications sector in the Middle East. The use of the Telegram API for command and control allows for malicious traffic to blend in with legitimate user behavior, indicating the group's efforts to evade detection.

    read more about The Rise Of GRAMDOOR And STARWHALE In The Middle East: UNC3313 Suspected
  18. Public

    MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors

    The Iranian government-sponsored APT group, MuddyWater, has been conducting cyber operations against government and private sector organizations across Asia, Africa, Europe, and North America. The targeted sectors include telecommunications, defense, local government, oil and natural gas. MuddyWater's campaigns involve the exploitation of public vulnerabilities, usage of open-source tools, spear-phishing, and the deployment of multiple types of malware such as PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS. The group has been active since 2018 and is known for maintaining persistence on victim networks and obfuscating PowerShell scripts to hide C2 functions.

    read more about MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors
  19. Public

    PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool

    Iranian APT group Phosphorus has developed a new PowerShell backdoor, dubbed PowerLess Backdoor, for espionage purposes. Cybereason researchers discovered the backdoor while investigating the group's exploitation of the ProxyShell vulnerability. The backdoor allows for downloading additional payloads, evasive PowerShell execution, and encrypted communication with the command and control server. Connections were also found between the Phosphorus group and the Memento Ransomware.

    read more about PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool
  20. Public

    StrifeWater: Unmasking the New RAT Deployed by Iranian APT Moses Staff

    The Iranian APT group Moses Staff deployed a new, previously undocumented Remote Access Trojan (RAT) called StrifeWater for its cyber-espionage and disruption operations. The StrifeWater RAT has been used in initial attack stages, demonstrating various capabilities like listing system files, executing system commands, creating persistence, and downloading updates. Post-infection, it's replaced with ransomware not for financial gain but to disrupt operations and inflict system damage. Victims of these attacks span globally across countries like Israel, Italy, India, Germany, Chile, Turkey, UAE, and the US.

    read more about StrifeWater: Unmasking the New RAT Deployed by Iranian APT Moses Staff
  21. Public

    Evolution of MuddyWater: Targeting Governmental and Telecom Sectors in the Middle East

    The MuddyWater threat group continues to evolve its tactics and techniques. The group exploits publicly available offensive security tools and has been refining its custom toolset to avoid detection. It utilizes the PowGoop malware family, tunneling tools, and targets Exchange servers in high-profile organizations, particularly governmental entities and telecommunication companies in the Middle East. The group has also been observed exploiting CVE-2020-0688 and using Ruler for its malicious activities.

    read more about Evolution of MuddyWater: Targeting Governmental and Telecom Sectors in the Middle East
  22. Public

    CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability

    APT35 has started widespread scanning and attempts to leverage the Log4j flaw in publicly facing systems only four days after the vulnerability was disclosed. The group used a modular PowerShell-based framework dubbed CharmPower for persistence, information gathering, and command execution.

    read more about CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability
  23. Public

    Seedworm Group Suspected in Sweeping Espionage Campaign Across Telecom and IT Services

    An espionage campaign tentatively linked to the Iranian-backed Seedworm group has been using compromised organizations as stepping stones to additional victims or targets that may have been compromised solely to perform supply-chain-type attacks on other organizations. The attackers primarily used legitimate tools, publicly available malware, and living-off-the-land tactics, with a significant interest in Exchange Servers. While the ultimate end goal remains unknown, the focus on telecom operators suggests the attackers are gathering intelligence on the sector, potentially pivoting into communications surveillance.

    read more about Seedworm Group Suspected in Sweeping Espionage Campaign Across Telecom and IT Services
  24. Public

    Iranian Threat Actor Exploits MSHTML Vulnerability to Target Farsi Speakers

    SafeBreach Labs discovered an Iranian threat actor exploiting the MSHTML vulnerability (CVE-2021-40444) to infect Farsi-speaking victims with the PowerShortShell stealer via spear phishing. The attack, first reported in September 2021, involved a malicious Word document connecting to a server, downloading a DLL, and executing a PowerShell script. This script collected data, including screenshots and files, and exfiltrated it to the attacker's server. The campaign targeted Iranians abroad, particularly in the United States, suggesting ties to Iran's Islamic regime.

    read more about Iranian Threat Actor Exploits MSHTML Vulnerability to Target Farsi Speakers