Homeland Justice Phishing Operation Hits Diplomatic and Government Sectors Globally
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Compromised Credentials, Dropper, Malicious Macro, Spyware, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
Homeland Justice, an Iran-aligned threat actor linked to the Ministry of Intelligence and Security (MOIS), conducted a large-scale spear-phishing campaign in August 2025, using a compromised mailbox of the Omani Ministry of Foreign Affairs to target embassies, consulates, and international organizations worldwide. The malicious Word attachments, disguised as official diplomatic notices, carried VBA macros that decoded and dropped the sysProcUpdate malware. Targets included diplomatic and government institutions across Europe, the Middle East, Africa, Asia, and the Americas, and the campaign coincided with sensitive ceasefire negotiations. The operation aimed at espionage and reconnaissance, relying on obfuscation, sandbox evasion, and encrypted C2 communication with screenai.online.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | African Union: a continental union of 55 member states located on the continent of Africa. Targeted by Homeland Justice as a main target. | Verified |
| Case | Ministry of Foreign Affairs: targeted by Homeland Justice for abuse (the overview above notes that a compromised ministry mailbox was used to send the phishing emails). | Verified |
| Case | Sovereign Military Order of Malta: officially the Sovereign Military Hospitaller Order of Saint John of Jerusalem, of Rhodes and of Malta, commonly known as the Order of Malta or the Knights of Malta, a Catholic lay religious order, traditionally of a military, chivalric, and noble nature. Targeted by Homeland Justice as a main target. | Verified |
| Case | UNICEF: originally the United Nations International Children's Emergency Fund, officially the United Nations Children's Fund since 1953, an agency of the United Nations responsible for providing humanitarian and developmental aid to children worldwide. Targeted by Homeland Justice as a main target. | Verified |
| Case | United Nations: a global intergovernmental organization established by the signing of the UN Charter on 26 June 1945 with the articulated mission of maintaining international peace and security, developing friendly relations among states, promoting international cooperation, and serving as a centre for harmonizing the actions of states in achieving those goals. Targeted by Homeland Justice as a main target. | Verified |
| Case | United Nations Office on Drugs and Crime (UNODC): targeted by Homeland Justice as a main target. | Verified |
| Case | World Bank: the World Bank Group (WBG) is a family of five international organizations that make leveraged loans to developing countries; it is the largest and best-known development bank in the world and an observer at the United Nations Development Group. Targeted by Homeland Justice as a main target. | Verified |
| Sector | Government Agencies and Services | Verified |
| Sector | Political | Verified |
| Region | Argentina | Verified |
| Region | Austria | Verified |
| Region | Bahrain | Verified |
| Region | Bangladesh | Verified |
| Region | Brazil | Verified |
| Region | Canada | Verified |
| Region | Colombia | Verified |
| Region | Ethiopia | Verified |
| Region | France | Verified |
| Region | Germany | Verified |
| Region | Hungary | Verified |
| Region | Israel | Verified |
| Region | Italy | Verified |
| Region | Japan | Verified |
| Region | Jordan | Verified |
| Region | Malawi | Verified |
| Region | Mongolia | Verified |
| Region | Netherlands | Verified |
| Region | Nigeria | Verified |
| Region | Oman | Verified |
| Region | Peru | Verified |
| Region | Qatar | Verified |
| Region | Romania | Verified |
| Region | Rwanda | Verified |
| Region | South Korea | Verified |
| Region | Spain | Verified |
| Region | Sweden | Verified |
| Region | Thailand | Verified |
| Region | United Arab Emirates | Verified |
Extracted IOCs
- screenai[.]online
- hxxps://screenai[.]online/home/
Tip: 15 IOCs related to this threat have been found (0 IP, 1 domain, 1 URL, 0 email, 13 file hashes).
FAQs
Understanding the Iran-Nexus Spear Phishing Campaign
A cyber espionage campaign used a compromised Omani Ministry of Foreign Affairs email account to send malicious emails to governments and organizations worldwide. These emails carried malware disguised as official documents.
The operation has been attributed to Iranian-aligned hackers linked to the Homeland Justice group, which is associated with Iran’s Ministry of Intelligence and Security.
The attackers sought to gather intelligence from diplomatic and government targets. The malware collected system information and connected to a control server, likely as part of a larger spying operation.
Entities in over 40 countries were targeted, including embassies, consulates, ministries, and international organizations such as the UN and UNICEF. Europe and Africa were most heavily targeted.
Victims received emails that looked like legitimate Ministry of Foreign Affairs (MFA) messages. When they opened the attached Word documents and enabled macros, hidden code installed spyware on their systems without their knowledge.
Government and diplomatic institutions hold sensitive geopolitical information. The timing suggests the attackers were interested in influencing or monitoring regional diplomatic negotiations.
Organizations should block macro-enabled documents by default, educate staff on phishing risks, monitor network traffic for suspicious activity, and use endpoint security tools to detect and respond to threats.
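One way to apply the "block macro-enabled documents by default" control described above at a mail gateway, given that this campaign's dropper was a VBA macro inside a Word attachment. This is an added Python example, not code from the report or from any vendor; the sample documents are constructed in memory, and `classify_attachment` and its verdict labels are this example's own naming.

```python
import io
import zipfile

# Magic bytes of the two Office container formats a gateway will see.
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy binary (.doc)
MACRO_CTYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CTYPE = ("application/vnd.openxmlformats-officedocument."
               "wordprocessingml.document.main+xml")


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed test document (not a sample from the campaign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ctype = MACRO_CTYPE if with_macro else PLAIN_CTYPE
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" '
                   f'ContentType="{ctype}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects live here; a placeholder body is enough.
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment body.

    OOXML: a vbaProject.bin part or a macroEnabled content type means the
    document carries VBA, regardless of the file extension the sender chose.
    Legacy OLE: macro storage cannot be read from a zip listing, so the file
    is routed to deeper inspection (sandbox/detonation) instead of delivery.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
                ctypes = (z.read("[Content_Types].xml").decode("utf-8", "replace")
                          if "[Content_Types].xml" in names else "")
        except zipfile.BadZipFile:
            return "review"          # malformed container: do not deliver
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        if has_vba or "macroEnabled" in ctypes:
            return "block"
        return "allow"
    if data.startswith(OLE_MAGIC):
        return "review"
    return "allow"                   # not an Office container at all
```

Checking the zip part list rather than the filename matters because a macro-bearing document renamed to `.docx` still contains `word/vbaProject.bin`.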
While the campaign was highly targeted, its geographic reach was broad. It was not random; attackers selected specific institutions and individuals to maximize intelligence value.