APT34's Phishing Strategy With New Malware Families Targeting Key Sectors
Threat Overview
Mandiant detected a phishing campaign by APT34, an Iranian-nexus threat actor, in late June 2019. The actor, posing as a member of Cambridge University, delivered malicious documents via LinkedIn and introduced three new malware families. The primary industries targeted by this campaign were Energy and Utilities, Government, and Oil and Gas. APT34 is notably active in the Middle East, employing a blend of public and non-public tools to carry out its cyber espionage activities.
Detected Targets
Type | Description | Confidence |
---|---|---|
Case | Cambridge University: the attacker posed as a member of Cambridge University and used LinkedIn to deliver malicious documents. The University of Cambridge is a public collegiate research university in Cambridge, England; founded in 1209, it is the third-oldest university in continuous operation. Its name was abused by APT34 as the lure for this campaign. | Verified |
Sector | Government Agencies and Services | Verified |
Sector | Energy: the observed activity primarily targeted Energy and Utilities, Government, and Oil and Gas. | Verified |
Sector | Oil and Gas | Verified |
Sector | Utilities | Verified |
Region | Middle East Countries | High |
Extracted IOCs
Tip: 13 IOCs related to this threat have been found (1 IP, 3 domains, 1 URL, 0 email addresses, 8 file hashes).
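Indicator lists in reports like this one are published defanged (`[.]` in place of dots, `hxxp` in place of `http`) and are counted per type in the tip above. As an added example, not code from the report or from Mandiant, the Python below refangs a small constructed watchlist of placeholder indicators, classifies each the way the tip line counts them, and matches them against constructed proxy log lines; every indicator, host and log value is invented.

```python
import re
from urllib.parse import urlparse
# Constructed, defanged watchlist (placeholder values, not this report's indicators).
WATCHLIST_TEXT = """\
- lure-university-research[.]example
- hxxp://lure-university-research[.]example/job-offer.xls
- 203[.]0.113.45
"""
# Constructed proxy log lines: "timestamp client method url status".
PROXY_LOG = """\
2019-06-24T09:12:01Z 10.0.0.12 GET http://lure-university-research.example/job-offer.xls 200
2019-06-24T09:12:07Z 10.0.0.12 GET https://www.linkedin.com/messaging/ 200
2019-06-24T09:13:40Z 10.0.0.12 POST http://203.0.113.45/update 200
"""
def refang(ioc):
    """Undo report-style defanging so the value can be matched against logs."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

def classify(ioc):
    """Bucket a refanged indicator the way the report's tip line counts them."""
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", ioc):
        return "file hash"  # MD5 / SHA-1 / SHA-256
    if ioc.startswith(("http://", "https://")):
        return "url"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc):
        return "ip"
    return "domain"

def parse_watchlist(text):
    """Return {refanged_indicator: type} from a '- value' bullet list."""
    iocs = {}
    for line in text.splitlines():
        value = refang(line.strip().lstrip("-").strip())
        if value:
            iocs[value] = classify(value)
    return iocs

def scan_proxy_log(log_text, iocs):
    """Return (timestamp, client, indicator, type) per hit (URL exact; domain/IP by host)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:  # skip lines that do not match the expected layout
            continue
        url, host = fields[3], urlparse(fields[3]).hostname
        for ioc, kind in iocs.items():
            if url == ioc or (kind in ("domain", "ip") and host == ioc):
                hits.append((fields[0], fields[1], ioc, kind))
                break
    return hits
```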
FAQs
Inside APT34’s Social Engineering Playbook
An Iranian-linked cyber group, APT34, attempted to infiltrate organizations by pretending to be a Cambridge University researcher on LinkedIn, sending fake job documents infected with malware.
APT34 is a threat group with ties to Iran, known for cyber espionage targeting industries that align with Iranian national interests.
The attackers aimed to steal sensitive information by planting backdoors, logging keystrokes, and harvesting login credentials from compromised systems.
The targets were primarily organizations in the energy, oil and gas, and government sectors, especially those operating in or around the Middle East.
The attackers used LinkedIn to send a malicious Excel file disguised as a job offer. When opened, it silently installed malware capable of spying on the user and stealing data.
These sectors hold strategic value for Iran’s economic and national security goals, making them high-priority espionage targets.
Organizations should train employees to detect social engineering on platforms like LinkedIn, implement strong endpoint security, monitor network traffic for suspicious behavior, and limit the use of features like Office macros.
While this campaign was targeted, the tactics—especially using social media for malware delivery—can affect many industries if left unchecked.