Threats Feed | TA453 | Last Updated: 05/08/2023 | Author: Certfa Radar | Publish Date: 13/09/2022

"Korg" in Action: How TA453 Leveraged Multi-Persona Impersonation in Spear Phishing

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malicious Macro, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

The Iran-aligned threat actor TA453 has introduced a novel technique known as Multi-Persona Impersonation (MPI) to its spear-phishing campaigns. This method involves the simultaneous use of multiple false identities to enhance the credibility of their social engineering attacks. Alongside MPI, TA453 uses a malicious Word document exploiting Remote Template Injection, codenamed "Korg," to exfiltrate data.

Detected Targets

Case: Chatham House
Chatham House is a world-leading policy institute with a mission to help governments and societies build a sustainably secure, prosperous and just world. Chatham House has been targeted by TA453 for abusive purposes.
Case: Foreign Policy Research Institute
The Foreign Policy Research Institute is an American think tank based in Philadelphia, Pennsylvania, that conducts research on geopolitics, international relations, and international security in the various regions of the world, as well as on ethnic conflict, U.S. national security, terrorism, and think tanks themselves. The Foreign Policy Research Institute has been targeted by TA453 for abusive purposes.
Case: Nature Biotechnology
Nature Biotechnology is a monthly peer-reviewed scientific journal published by Nature Portfolio. The editor-in-chief is Barbara Cheifet, who heads an in-house team of editors. The focus of the journal is biotechnology, including research results and the commercial business sector of this field. Nature Biotechnology has been targeted by TA453 for abusive purposes.
Case: PEW Research Center
The Pew Research Center is a nonpartisan American think tank based in Washington, D.C. It provides information on social issues, public opinion, and demographic trends shaping the United States and the world. The PEW Research Center has been targeted by TA453 for abusive purposes.
Sector: Scientific Research
Region: United Kingdom
Region: United States
Region: Middle East Countries

Extracted IOCs

  • 354pstw4a5f8.filecloudonline[.]com
  • 16a961475a88313478bc2406d6b442be9809e64ea9e2a4754debcce9200cf36b
  • f6456454be8cb77858d24147b1529890cd06d314aed70c07fc0b5725ac84542b

Tip: 3 IOCs related to this threat have been found (0 IP, 1 domain, 0 URL, 0 email, 2 file hashes).