Threats Feed | Unknown | Last Updated: 27/05/2025 | Author: Certfa Radar | Publish Date: 24/11/2021

Iranian Threat Actor Exploits MSHTML Vulnerability to Target Farsi Speakers

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation, Malware, Spyware, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

SafeBreach Labs discovered an Iranian threat actor exploiting the MSHTML vulnerability (CVE-2021-40444) to infect Farsi-speaking victims with the PowerShortShell stealer via spear phishing. The attack, first reported in September 2021, involved a malicious Word document connecting to a server, downloading a DLL, and executing a PowerShell script. This script collected data, including screenshots and files, and exfiltrated it to the attacker's server. The campaign targeted Iranians abroad, particularly in the United States, suggesting ties to Iran's Islamic regime.

Detected Targets

Type | Description | Confidence
Case | Aida Ghajar. Aida Ghajar is a journalist who works for the digital news outlet IranWire. Aida Ghajar has been targeted by Unknown for abusive purposes. | Verified
Sector | Dissident | Verified
Sector | Human Rights | High
Region | Canada | Verified
Region | China | Verified
Region | Germany | Verified
Region | India | Verified
Region | Netherlands | Verified
Region | Russia | Verified
Region | South Korea | Verified
Region | United Kingdom | Verified
Region | United States | Verified

Exploited Vulnerabilities

  • CVE-2021-40444 (MSHTML)

Extracted IOCs

  • 0b90ef87dbbb9e6e4a5e5027116d4d7c4bc2824a491292263eb8a7bda8afb7bd
  • 11368964d768d7fa4ab48100b231790c3d23c45eedfc7a73acd7f3fec703aca7
  • 28ad066cfe08fcce77974ef469c32e4d2a762e50d6b95b8569e34199d679bde8
  • 374239d2056a8a20b05d4bf4431a852af330f2675158afde8de71ac5b991e273
  • 5ac4574929a8825a5d4f267544c33d02919ab38f38f21ce5c9389b67df241b43
  • 5d7a683a6231a4dc0fcc71c4b6d413c6655c7a0e5c58452d321614954d7030d3
  • 6e730b257c3e0c5ce6c73ff0f6732ad2d09f000b423085303a928e665dbbee16
  • b378a1136fddcd533cbdf7473175bf5d34f5eb86436b8eb651435eb3a27a87c6
  • ce962676090195a5f829e7baf013a3213b3b32e27c9631dc932aab2ce46a6b9b
  • d793193c2d0c31bc23639725b097a6a0ffbe9f60a46eabfe0128e006f0492a08
  • e093cce6a4066aa37ed68121fe1464a3e130a3ce0fbb89e8b13651fd7dab842b
  • f69595fd06582fe1426d403844696410904d27e7624f0dcf65d6ea57e0265168
  • 95[.]217.50.126

Tip: 13 IOCs related to this threat have been found (1 IP, 0 domains, 0 URLs, 0 emails, 12 file hashes).
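The practical use of the list above is to sweep local telemetry for the published indicators. The script below is an added example, not code from Certfa Radar or SafeBreach Labs: it takes the hashes and the defanged IP exactly as published, refangs them, normalises hash case, and matches them against endpoint and proxy records. The key=value log format and the four sample log lines are constructed for illustration and are assumptions, not telemetry from the campaign.

```python
"""Sweep constructed endpoint/proxy logs for the IOCs published in this feed.

Added example. IOC values are copied from the feed above; the log format
(simple key=value export) and the sample lines are constructed assumptions.
"""
import re

# Indicators as published in the feed (12 SHA-256 file hashes, 1 defanged IPv4).
FEED_IOCS = [
    "0b90ef87dbbb9e6e4a5e5027116d4d7c4bc2824a491292263eb8a7bda8afb7bd",
    "11368964d768d7fa4ab48100b231790c3d23c45eedfc7a73acd7f3fec703aca7",
    "28ad066cfe08fcce77974ef469c32e4d2a762e50d6b95b8569e34199d679bde8",
    "374239d2056a8a20b05d4bf4431a852af330f2675158afde8de71ac5b991e273",
    "5ac4574929a8825a5d4f267544c33d02919ab38f38f21ce5c9389b67df241b43",
    "5d7a683a6231a4dc0fcc71c4b6d413c6655c7a0e5c58452d321614954d7030d3",
    "6e730b257c3e0c5ce6c73ff0f6732ad2d09f000b423085303a928e665dbbee16",
    "b378a1136fddcd533cbdf7473175bf5d34f5eb86436b8eb651435eb3a27a87c6",
    "ce962676090195a5f829e7baf013a3213b3b32e27c9631dc932aab2ce46a6b9b",
    "d793193c2d0c31bc23639725b097a6a0ffbe9f60a46eabfe0128e006f0492a08",
    "e093cce6a4066aa37ed68121fe1464a3e130a3ce0fbb89e8b13651fd7dab842b",
    "f69595fd06582fe1426d403844696410904d27e7624f0dcf65d6ea57e0265168",
    "95[.]217.50.126",
]


def refang(indicator: str) -> str:
    """Undo common defanging ([.] (.) [dot] hxxp) so the value compares against raw logs."""
    s = indicator.strip()
    for token in ("[.]", "(.)", "[dot]"):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def classify(indicator: str) -> str:
    """Return the indicator type so each one is matched against the right log field."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", indicator):
        return "sha256"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", indicator):
        return "ipv4"
    return "other"


def load_iocs(raw: list[str]) -> dict[str, set[str]]:
    """Refang, classify and case-normalise the feed into lookup sets."""
    iocs: dict[str, set[str]] = {"sha256": set(), "ipv4": set()}
    for item in raw:
        value = refang(item)
        kind = classify(value)
        if kind == "sha256":
            iocs["sha256"].add(value.lower())   # hashes may be logged upper-case
        elif kind == "ipv4":
            iocs["ipv4"].add(value)
    return iocs


# Constructed sample telemetry (assumed key=value export; not real campaign data).
SAMPLE_LOGS = [
    r'ts=2021-11-24T09:12:03Z host=ws-17 event=file_write path="C:\Users\u\AppData\Local\Temp\report.docx" sha256=0B90EF87DBBB9E6E4A5E5027116D4D7C4BC2824A491292263EB8A7BDA8AFB7BD',
    r'ts=2021-11-24T09:12:09Z host=ws-17 event=net_connect proc=powershell.exe dst_ip=95.217.50.126 dst_port=443',
    # Benign control: SHA-256 of the empty file, which is not in the feed.
    r'ts=2021-11-24T09:15:41Z host=ws-22 event=file_write path="C:\Users\v\Downloads\notes.docx" sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
    r'ts=2021-11-24T09:16:02Z host=ws-22 event=net_connect proc=chrome.exe dst_ip=93.184.216.34 dst_port=443',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict[str, str]:
    """Parse one key=value log line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def match_logs(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return (host, indicator_type, indicator) for every record that hits a feed IOC."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        digest = rec.get("sha256", "").lower()
        if digest in iocs["sha256"]:
            hits.append((rec.get("host", "?"), "sha256", digest))
        dst = rec.get("dst_ip", "")
        if dst in iocs["ipv4"]:
            hits.append((rec.get("host", "?"), "ipv4", dst))
    return hits


if __name__ == "__main__":
    for host, kind, value in match_logs(SAMPLE_LOGS, load_iocs(FEED_IOCS)):
        print(f"{host}: {kind} match on {value}")
```

The host that both wrote a file with a listed hash and then had powershell.exe connect to the listed IP shows up twice, which is the pattern the overview describes (document dropped, then PowerShell talking to the attacker's server); a single hash or IP hit on its own is weaker evidence and is reported as such.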

FAQs

PowerShortShell Attack – A Targeted Cyber Threat Against Farsi Speakers Abroad

A cyber espionage campaign exploited a Microsoft vulnerability to infect Farsi-speaking individuals with a stealthy PowerShell-based information stealer.

While the exact group is unnamed, evidence suggests connections to Iranian state-aligned threat actors known for targeting dissidents and using Telegram surveillance.

The attackers aimed to gather sensitive personal data—including system info, documents, and Telegram messages—from individuals potentially viewed as threats to Iran’s government.

Most victims were Farsi-speaking, and nearly half were located in the United States, likely Iranian diaspora members.

Victims received booby-trapped Word documents. Once opened, these documents exploited a Microsoft vulnerability to download malware that secretly collected and sent data to attackers.

Dissidents, journalists, or politically active Iranians abroad may have been considered high-value targets by actors aligned with the Iranian regime.

Avoid opening suspicious attachments, especially from unknown senders. Keep systems fully updated, use antivirus and anti-phishing protections, and enable two-factor authentication on all major accounts.

This was a targeted campaign, not a mass attack. However, its sophisticated tactics and politically motivated targeting raise concerns about similar future efforts.