Threats Feed | Unknown | Last Updated: 24/04/2025 | Author: Certfa Radar | Publish Date: 29/08/2024

Malware Masquerading as Palo Alto GlobalProtect Targets Middle Eastern Organizations

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malware, Phishing, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

Threat actors are targeting users in the Middle East with malware disguised as the Palo Alto GlobalProtect VPN tool. Likely delivered through phishing, the malware uses a two-stage infection chain that begins with a malicious setup.exe. Its command-and-control (C2) infrastructure includes newly registered domains such as “sharjahconnect” and the Interactsh project for beaconing. Written in C#, the malware supports remote PowerShell execution, file download and exfiltration, and AES-encrypted communications. It also features sandbox evasion, system information gathering, and beaconing that reports which stage of infection has been reached. This campaign highlights a significant threat to organizations in the region, particularly those that rely on VPN-based remote access.

Detected Targets

Type   | Description            | Confidence
Region | United Arab Emirates   | High
Region | Middle East Countries  | Verified

Extracted IOCs

  • portal.sharjahconnect[.]online
  • 72cdd3856a3ffd530db50e0f48e71f089858e44f
  • 79b38c4be5ac888e38ec5f21ac3710f3d0936a72
  • 94[.]131.108.78
  • hxxp://94[.]131.108.78:7118/b/desktop/
  • hxxp://94[.]131.108.78:7118/b/hi/

Tip: 6 IOCs related to this threat have been found (1 IP, 1 domain, 2 URLs, 0 emails, 2 file hashes).

FAQs

Malware Disguised as Palo Alto GlobalProtect Targeting Middle East

A sophisticated malware campaign is targeting users in the Middle East by disguising malicious software as the Palo Alto GlobalProtect VPN tool. The attackers use this fake installer to infect systems and maintain control over compromised devices.

The report does not specify the exact group responsible, but the infrastructure and techniques suggest a well-resourced threat actor. The use of beaconing through Interactsh, previously seen with groups like APT28, hints at the possibility of experienced attackers.

The attackers aim to gain remote access, execute commands, and exfiltrate sensitive data from targeted systems. The malware’s ability to run PowerShell commands, download additional payloads, and communicate with its operators over encrypted channels shows a focus on persistent access and data theft.

The primary targets are believed to be organizations and individuals in the Middle East. The attackers likely sought to compromise entities of strategic interest in the region.

The malware was disguised as a legitimate VPN installer (GlobalProtect). After installation, it established communication with the attackers, reported infection stages, and allowed remote commands to be executed on the victim's machine.

Organizations in this region often handle sensitive data related to energy, government operations, or defense. Such information can be valuable for espionage or competitive advantage.

Organizations should train their staff to recognize phishing attempts, restrict software installations, and monitor network traffic for unusual DNS requests or connections to suspicious servers. Implementing strong endpoint protection and regular threat hunting are also recommended.
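As an added illustration of the monitoring advice above (example code, not from Certfa Radar or the report), a small Python matcher that refangs the indicators listed under Extracted IOCs and scans constructed DNS, proxy and EDR log lines for them; the log lines and hostnames are made up for the demonstration:

```python
import re
# Indicators copied from the "Extracted IOCs" list above, defanged as published.
DEFANGED_IOCS = [
    "portal.sharjahconnect[.]online",
    "72cdd3856a3ffd530db50e0f48e71f089858e44f",
    "79b38c4be5ac888e38ec5f21ac3710f3d0936a72",
    "94[.]131.108.78",
    "hxxp://94[.]131.108.78:7118/b/desktop/",
    "hxxp://94[.]131.108.78:7118/b/hi/",
]
def refang(ioc):
    # Restore the live form that actually appears in DNS, proxy and EDR logs.
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

def classify(ioc):
    # Label each indicator so the analyst knows which log source it applies to.
    if re.fullmatch(r"[0-9a-f]{40}", ioc, re.IGNORECASE):
        return "sha1"
    if ioc.startswith(("http://", "https://")):
        return "url"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ioc):
        return "ip"
    return "domain"

# Token boundaries keep 94.131.108.78 from firing on 194.131.108.78 or on a longer hostname.
PATTERNS = [
    (classify(refang(i)), refang(i),
     re.compile(r"(?<![\w.-])" + re.escape(refang(i)) + r"(?![\w.-])", re.IGNORECASE))
    for i in DEFANGED_IOCS
]

def match_log_line(line):
    # All (type, indicator) pairs from the page found in one log line, in IOC-list order.
    return [(kind, live) for kind, live, rx in PATTERNS if rx.search(line)]

def scan(lines):
    # (1-based line number, hits) for every line that contains at least one indicator.
    return [(n, hits) for n, hits in ((n, match_log_line(l)) for n, l in enumerate(lines, 1)) if hits]

# Constructed sample DNS / proxy / EDR lines (not real telemetry) to exercise the matcher.
SAMPLE_LOGS = [
    "2024-08-29T10:01:02Z dns client=10.0.0.15 query=portal.sharjahconnect.online type=A",
    "2024-08-29T10:01:05Z proxy client=10.0.0.15 GET url=http://94.131.108.78:7118/b/hi/ status=200",
    "2024-08-29T10:03:40Z edr host=WS-07 file=setup.exe sha1=72CDD3856A3FFD530DB50E0F48E71F089858E44F",
    "2024-08-29T10:04:00Z proxy client=10.0.0.9 GET url=http://194.131.108.78/index.html status=200",
]
if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```

The last sample line deliberately contains a different address that merely ends in the same digits, and produces no hit, which is the boundary check an analyst wants before feeding such a list to a SIEM.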

This appears to be a targeted campaign focusing on specific users or organizations in the Middle East rather than a widespread, indiscriminate attack.