Iranian Threat Actor Exploits MSHTML Vulnerability to Target Farsi Speakers
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Vulnerability Exploitation, Malware, Spyware, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
SafeBreach Labs discovered an Iranian threat actor exploiting the MSHTML vulnerability (CVE-2021-40444) to infect Farsi-speaking victims with the PowerShortShell stealer via spear phishing. The attack, first reported in September 2021, involved a malicious Word document connecting to a server, downloading a DLL, and executing a PowerShell script. This script collected data, including screenshots and files, and exfiltrated it to the attacker's server. The campaign targeted Iranians abroad, particularly in the United States, suggesting ties to Iran's Islamic regime.
Detected Targets
Type | Description | Confidence |
---|---|---|
Case | Aida Ghajar, a journalist who works for the digital news outlet IranWire, has been targeted by an actor recorded as Unknown with abusive purposes. | Verified |
Sector | Dissident | Verified |
Sector | Human Rights | High |
Region | Canada | Verified |
Region | China | Verified |
Region | Germany | Verified |
Region | India | Verified |
Region | Netherlands | Verified |
Region | Russia | Verified |
Region | South Korea | Verified |
Region | United Kingdom | Verified |
Region | United States | Verified |
Exploited Vulnerabilities
- CVE-2021-40444 (Microsoft MSHTML)
Extracted IOCs
- 0b90ef87dbbb9e6e4a5e5027116d4d7c4bc2824a491292263eb8a7bda8afb7bd
- 11368964d768d7fa4ab48100b231790c3d23c45eedfc7a73acd7f3fec703aca7
- 28ad066cfe08fcce77974ef469c32e4d2a762e50d6b95b8569e34199d679bde8
- 374239d2056a8a20b05d4bf4431a852af330f2675158afde8de71ac5b991e273
- 5ac4574929a8825a5d4f267544c33d02919ab38f38f21ce5c9389b67df241b43
- 5d7a683a6231a4dc0fcc71c4b6d413c6655c7a0e5c58452d321614954d7030d3
- 6e730b257c3e0c5ce6c73ff0f6732ad2d09f000b423085303a928e665dbbee16
- b378a1136fddcd533cbdf7473175bf5d34f5eb86436b8eb651435eb3a27a87c6
- ce962676090195a5f829e7baf013a3213b3b32e27c9631dc932aab2ce46a6b9b
- d793193c2d0c31bc23639725b097a6a0ffbe9f60a46eabfe0128e006f0492a08
- e093cce6a4066aa37ed68121fe1464a3e130a3ce0fbb89e8b13651fd7dab842b
- f69595fd06582fe1426d403844696410904d27e7624f0dcf65d6ea57e0265168
- 95[.]217.50.126
Tip: 13 IOCs related to this threat have been found (1 IP, 0 domains, 0 URLs, 0 emails, 12 file hashes).
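The indicators above are only useful once they are swept against endpoints and network logs. The following script is an added example, not part of this threat record or of SafeBreach Labs' own tooling: it loads the twelve SHA-256 hashes and the single defanged IP listed under Extracted IOCs, refangs the IP for matching, hashes files under a directory, and flags log lines that carry the IP as a whole address (so a near-miss such as 195.217.50.126 does not match). The proxy log lines at the bottom are constructed sample data for the demonstration.

```python
"""IOC sweep for the PowerShortShell threat record above.

Added example (not from the original page or from SafeBreach Labs). Hashes and
the IP come from the record's "Extracted IOCs" list; SAMPLE_LOG is constructed.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path
from typing import Iterable

# SHA-256 file hashes exactly as listed in the threat record.
IOC_SHA256 = {
    "0b90ef87dbbb9e6e4a5e5027116d4d7c4bc2824a491292263eb8a7bda8afb7bd",
    "11368964d768d7fa4ab48100b231790c3d23c45eedfc7a73acd7f3fec703aca7",
    "28ad066cfe08fcce77974ef469c32e4d2a762e50d6b95b8569e34199d679bde8",
    "374239d2056a8a20b05d4bf4431a852af330f2675158afde8de71ac5b991e273",
    "5ac4574929a8825a5d4f267544c33d02919ab38f38f21ce5c9389b67df241b43",
    "5d7a683a6231a4dc0fcc71c4b6d413c6655c7a0e5c58452d321614954d7030d3",
    "6e730b257c3e0c5ce6c73ff0f6732ad2d09f000b423085303a928e665dbbee16",
    "b378a1136fddcd533cbdf7473175bf5d34f5eb86436b8eb651435eb3a27a87c6",
    "ce962676090195a5f829e7baf013a3213b3b32e27c9631dc932aab2ce46a6b9b",
    "d793193c2d0c31bc23639725b097a6a0ffbe9f60a46eabfe0128e006f0492a08",
    "e093cce6a4066aa37ed68121fe1464a3e130a3ce0fbb89e8b13651fd7dab842b",
    "f69595fd06582fe1426d403844696410904d27e7624f0dcf65d6ea57e0265168",
}

# Network indicator as listed in the record, defanged with "[.]" so it is not clickable.
IOC_IPS_DEFANGED = ["95[.]217.50.126"]


def refang(indicator: str) -> str:
    """Restore a defanged indicator ("95[.]217.50.126") to its literal form."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def sha256_of_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_hash(digest: str) -> bool:
    """Case-insensitive membership test against the record's hash list."""
    return digest.lower() in IOC_SHA256


def scan_directory(root: Path) -> list[tuple[Path, str]]:
    """Return (path, sha256) for every regular file under root whose hash is an IOC."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            digest = sha256_of_file(path)
            if is_known_hash(digest):
                hits.append((path, digest))
    return hits


# Dotted IPv4 literal bounded by non-digit, non-dot characters, so the IOC
# 95.217.50.126 is not found inside 195.217.50.126 or 95.217.50.1261.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def scan_log_lines(lines: Iterable[str]) -> list[str]:
    """Return the log lines that contain any IOC IP as a whole address."""
    hits = []
    for line in lines:
        if any(ip in IOC_IPS for ip in _IPV4.findall(line)):
            hits.append(line.rstrip("\n"))
    return hits


def demo_file_scan() -> list[tuple[Path, str]]:
    """Scan a throwaway directory holding one constructed, benign file (expect no hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(b"benign placeholder, constructed")
        return scan_directory(root)


# Constructed sample proxy log: line 2 carries the record's IP and should be
# flagged; line 3 is a near-miss with a different first octet and should not.
SAMPLE_LOG = [
    "2021-09-21T10:02:11Z CONNECT 142.250.74.46:443 user=alice status=200",
    "2021-09-21T10:02:15Z GET http://95.217.50.126/ user=alice status=200",
    "2021-09-21T10:02:16Z GET http://195.217.50.126/ user=bob status=200",
]


if __name__ == "__main__":
    print("file hits:", demo_file_scan())
    print("log hits:", scan_log_lines(SAMPLE_LOG))
```

Point `scan_directory` at download and temp folders on a suspect host rather than a throwaway directory; the hash match is exact, so a recompiled or repacked sample will not be caught by it, and the IP match should be treated as one signal to pivot on in proxy and DNS logs rather than as proof of compromise on its own.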
FAQs
PowerShortShell Attack – A Targeted Cyber Threat Against Farsi Speakers Abroad
A cyber espionage campaign exploited a Microsoft vulnerability to infect Farsi-speaking individuals with a stealthy PowerShell-based information stealer.
While the exact group is unnamed, evidence suggests connections to Iranian state-aligned threat actors known for targeting dissidents and using Telegram surveillance.
The attackers aimed to gather sensitive personal data—including system info, documents, and Telegram messages—from individuals potentially viewed as threats to Iran’s government.
Most victims were Farsi-speaking, and nearly half were located in the United States, likely Iranian diaspora members.
Victims received booby-trapped Word documents. Once opened, these documents exploited a Microsoft vulnerability to download malware that secretly collected and sent data to attackers.
Dissidents, journalists, or politically active Iranians abroad may have been considered high-value targets by actors aligned with the Iranian regime.
Avoid opening suspicious attachments, especially from unknown senders. Keep systems fully updated, use antivirus and anti-phishing protections, and enable two-factor authentication on all major accounts.
This was a targeted campaign, not a mass attack. However, its sophisticated tactics and politically motivated targeting raise concerns about similar future efforts.