CyberSecurity news

FlagThis - #espionage

Rescana@Rescana //

Iran Increasing Cyberattacks Amidst Regional Conflict - Amidst escalating regional conflicts, Iran shut down internet access, impacting communication and raising concerns about cyber warfare, while facing cyber threats from entities like Israeli-linked hackers.
Amidst escalating regional conflicts, Iran has taken the drastic measure of shutting down internet access for its citizens, a move the government defends as a necessary precaution against Israeli cyberattacks. This disruption has severely impacted communication within the country, leaving Iranians abroad unable to connect with loved ones. One such individual, Amir Rashidi, expressed his anxiety, stating he hadn't heard from his family in two days and was relying on someone else for updates. The situation highlights the growing intersection of cyber warfare and real-world consequences for civilians.

The internet blackout is not the first instance of Iran limiting connectivity. In the past, similar restrictions were imposed during periods of political unrest, such as protests in 2019 and 2022. These shutdowns are implemented by pushing people towards domestic apps, which are often less secure, while also severely restricting access to vital information. Experts like Doug Madory from Kentik have documented significant drops in internet connectivity within Iran following recent Israeli airstrikes, with reductions of 54% initially, followed by further declines of 49% and, subsequently, a staggering 90%.

In a defensive maneuver against cyber threats, Iran is throttling its National Internet Infrastructure. The country claims it is restricting internet connectivity to counter cyber attacks amid regional conflict. The stated aim is to impede cyber intrusions and the synchronization of adversarial operations. An example of the threats Iran faces is demonstrated by the Israeli-linked hackers who seized and burned $90 million from Iran's Nobitex exchange.

Recommended read:
References :
  • infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout.
  • WIRED: Iran is limiting internet connectivity for citizens amid Israeli airstrikes—pushing people towards domestic apps, which may not be secure, and limiting their ability to access vital information. —
  • Rescana: Iran National Internet Infrastructure Throttling: Cyber Defense Strategy to Prevent Attacks Amid Regional Conflict
  • Cyber Florida at USF: CIP Flash Bulletin | Heightened Iranian Cyber Threat Activity
  • www.scworld.com: DHS: Attacks on US critical infrastructure likely following Iran strikes
  • Arctic Wolf: Cybersecurity Risks Amid Rising Iran–U.S. Tensions
  • : Sysdig Threat Bulletin: Iranian Cyber Threats
  • Tidal Cyber Blog: Iran Cyber Threat Assessment and Defensive Guidance
  • arcticwolf.com: Cybersecurity risks amid rising Iran-U.S. tensions after US strikes.
  • Metacurity: DHS warns of likely Iranian cyberattacks following US missile strikes.
  • nsfocusglobal.com: The Hacktivist Cyber Attacks in the Iran-Israel Conflict
  • www.esecurityplanet.com: US Warns of Iranian Cyber Threats as Tensions Rise Over Middle East Conflict
  • Security Risk Advisors: Iran-Linked Cyber Fattah Leaks Saudi Games Athletes and Visitors Data
  • abcnews.go.com: Iranian-backed hackers at work after US strikes
  • news.sky.com: Businesses urged to strengthen cyber defences amid increase in Iran-adjacent attacks
  • Unit 42: Threat Brief: Escalation of Cyber Risk Related to Iran
  • Tenable Blog: Cybersecurity Snapshot: U.S. Gov’t Urges Adoption of Memory-Safe Languages and Warns About Iran Cyber Threat
Eric Geller@cybersecuritydive.com //

China-Linked Groups Target Global Organizations Cyber Espionage - SentinelOne, a cybersecurity firm, was targeted by China-linked espionage groups in a year-long reconnaissance campaign targeting over 70 organizations globally to gather strategic intelligence.
SentinelOne, a cybersecurity firm, has revealed that it was the target of a year-long reconnaissance campaign by China-linked espionage groups, identified as APT15 and UNC5174. This campaign, dubbed "PurpleHaze," involved network reconnaissance and intrusion attempts, ultimately aiming to gather strategic intelligence and potentially establish access for future conflicts. SentinelOne discovered the campaign when the suspected Chinese spies tried to break into the security vendor's own servers in October 2024. The attempted intrusion on SentinelOne's systems failed, but it prompted a deeper investigation into the broader campaign and the malware being used.

The investigation revealed that over 70 organizations across multiple sectors globally were targeted, including a South Asian government entity and a European media organization. The attacks spanned from July 2024 to March 2025 and involved the use of ShadowPad malware and post-exploitation espionage activity. These targeted sectors include manufacturing, government, finance, telecommunications, and research. The coordinated attacks are believed to be connected to Chinese government spying programs.

SentinelOne has expressed high confidence that the PurpleHaze and ShadowPad activity clusters can be attributed to China-nexus threat actors. This incident underscores the persistent threat that Chinese cyber espionage actors pose to global industries and public sector organizations. The attack on SentinelOne also highlights that cybersecurity vendors themselves are prime targets for these groups, given their deep visibility into client environments and ability to disrupt adversary operations. SentinelOne recommends that more proactive steps are taken to prevent future attacks.

Recommended read:
References :
  • The Register - Security: Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs
  • hackread.com: Chinese-Linked Hackers Targeted 70+ Global Organizations, SentinelLABS
  • www.scworld.com: FAILED ATTACK ON SENTINELONE REVEALS CAMPAIGN BY CHINA-LINKED GROUPS
  • The Hacker News: Over 70 Organizations Across Multiple Sectors Targeted by China-Linked Cyber Espionage Group
  • www.cybersecuritydive.com: SentinelOne rebuffs China-linked attack — and discovers global intrusions
  • SecureWorld News: Chinese Hackers Target SentinelOne in Broader Espionage Campaign
  • securityaffairs.com: China-linked threat actor targeted +70 orgs worldwide, SentinelOne warns
  • Cyber Security News: New Report Reveals Chinese Hackers Targeted to Breach SentinelOne Servers
  • www.sentinelone.com: The security firm said the operatives who tried to breach it turned out to be responsible for cyberattacks on dozens of critical infrastructure organizations worldwide.
  • BleepingComputer: SentinelOne shares new details on China-linked breach attempt
  • cyberpress.org: A newly published technical analysis by SentinelLABS has exposed a sophisticated, multi-phase reconnaissance and intrusion campaign orchestrated by Chinese-nexus threat actors, aimed explicitly at SentinelOne’s digital infrastructure between mid-2024 and early 2025.
  • gbhackers.com: New Report Reveals Chinese Hackers Attempted to Breach SentinelOne Servers
  • industrialcyber.co: SentinelOne links ShadowPad and PurpleHaze attacks to China-aligned threat actors
@www.helpnetsecurity.com //

Russian Cyber Group Laundry Bear Targets Dutch Police - A Russian cyber-espionage group, Laundry Bear (Void Blizzard), has been targeting Western organizations, especially those supporting Ukraine, since April 2024, focusing on stealing emails and data via cloud-based Microsoft Exchange using techniques like pass-the-cookie attacks and password spraying.
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.

The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. They achieve this by targeting cloud-based email environments, specifically Microsoft Exchange. The group employs a range of techniques, including pass-the-cookie attacks, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. During this attack, Laundry Bear gained access to an account belonging to a Dutch police employee by using a stolen session cookie to obtain work-related contact information of other police employees.

Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains access by using stolen credentials, likely purchased from online marketplaces. Despite employing relatively simple attack methods and readily available tools, Laundry Bear has achieved a high success rate due to quick-paced cyber operations and efficient automation. Microsoft recommends organizations implement robust security measures to defend against such threats.

Recommended read:
References :
  • The Hacker News: Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to worldwide cloud abuse.
  • www.helpnetsecurity.com: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • Threats | CyberScoop: New Russian state-sponsored APT quickly gains global reach, hitting expansive targets
  • therecord.media: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.microsoft.com: Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The post appeared first on Microsoft Security Blog.
  • www.defensie.nl: Onbekende Russische groep achter hacks Nederlandse doelen - Unknown Russian group behind hacks of Dutch targets - "is behind the hacks on several Dutch organizations, including the police in September 2024.
  • Help Net Security: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • thecyberexpress.com: New Russian Cyber Threat ‘Laundry Bear’ Hits Western Targets
  • www.csoonline.com: New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police
  • The Register - Security: New Russian cyber-spy crew Laundry Bear joins the email-stealing pack
  • securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
  • securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
  • securityaffairs.com: Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack
  • industrialcyber.co: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • Virus Bulletin: Microsoft Threat Intelligence, in colaboration with Dutch security organizations AIVD & MIVD, observed Void Blizzard (a.k.a. LAUNDRY BEAR) conducting espionage operations primarily targeting organizations that are important to Russian government objectives.
  • Industrial Cyber: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • www.cybersecuritydive.com: Microsoft, Dutch government spot new Russian hacking group targeting critical infrastructure
  • Metacurity: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • www.metacurity.com: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • Vulnerable U: Void Blizzard hackers raid NATO cloud tenants with Evilginx phishing
  • Danny Palmer: A new Russian APT (LAUNDRY BEAR) is tearing through defence and government entities in NATO member states using stripped back and heavily automated threat techniques that nonetheless went widely undetected until they were spotted by the Dutch police, the Netherlands’s security services revealed.
  • The Record: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.scworld.com: Russian hackers Void Blizzard step up espionage campaign
  • The Hacker News: Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents
@industrialcyber.co //

Russian GRU Targets Western Logistics Companies - A Russian state-sponsored cyber espionage campaign targets Western logistics entities and tech companies involved in coordinating aid to Ukraine, aiming to access sensitive information and disrupt operations.
A Russian state-sponsored cyber espionage campaign, attributed to the GRU's APT28 (also known as Fancy Bear or Forest Blizzard), has been actively targeting Western logistics entities and technology companies since 2022. This campaign focuses on organizations involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The goal is to gain access to sensitive information and disrupt operations, presenting a serious risk to these targeted organizations and sectors across more than a dozen countries.

These Russian cyber actors have been using a mix of previously disclosed tactics, techniques, and procedures (TTPs), including credential brute force attacks, spear-phishing using multilingual lures, and malware delivery via malicious archives exploiting vulnerabilities. They've also been observed hacking into IP cameras at Ukrainian border crossings to monitor and track aid shipments. The GRU unit, known as military unit 26165, has been linked to compromising a wide array of entities, spanning air, sea, and rail transportation modes.

To defend against these threats, organizations are urged to familiarize themselves with the identified TTPs and indicators of compromise (IOCs), increase monitoring and threat hunting, and strengthen their network defenses. The attacks have targeted companies and government organizations in numerous countries, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The advisory is co-signed by over 20 agencies from multiple countries, underscoring the global nature of this threat.

Recommended read:
References :
  • Metacurity: This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies.
  • NCSC News Feed: UK and allies expose Russian intelligence campaign targeting western logistics and technology organisations
  • CyberInsider: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
  • securityonline.info: Russian GRU’s APT28 Targets Global Logistics Supporting Ukraine Defense
  • securityonline.info: Russian GRU Targets Global Logistics Supporting Ukraine Defense
  • www.cybersecuritydive.com: Russian stepping up attacks on firms aiding Ukraine, Western nations warn
  • cyberinsider.com: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
  • BleepingComputer: A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
  • BleepingComputer: A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
  • securityaffairs.com: Russia-linked APT28 targets western logistics entities and technology firms
  • Threats | CyberScoop: Multi-national warning issued over Russia’s targeting of logistics, tech firms
  • socprime.com: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
  • Blog: Russian APT28 targets Western firms supporting Ukraine
  • SOC Prime Blog: Detect APT28 Attacks: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
  • Metacurity: Russia's APT28 accused of infiltrating Western logistics, technology firms
  • Resources-2: Russian APT28 (aka Fancy Bear/Unit 26165) targets Western logistics and tech firms in Ukraine aid tracking operation
  • Virus Bulletin: Details a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies involved in the coordination, transport and delivery of foreign assistance to Ukraine.
  • DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • www.scworld.com: CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing an elevated threat to supply chains
  • eSecurity Planet: Russian Hackers Target Western Firms Aiding Ukraine, Spy on Shipments
  • www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.
  • cyberscoop.com: Multi-national warning issued over Russia’s targeting of logistics, tech firms
  • industrialcyber.co: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains
  • www.csoonline.com: Russian APT28 compromised Western logistics and IT firms to track aid to Ukraine
  • Industrial Cyber: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains
  • www.microsoft.com: New Russia-affiliated actor Void Blizzard targets critical sectors for espionage
Field Effect@Blog //

Russian APT28 Exploits Webmail Zero Day Vulnerability - Russian APT28 hackers are exploiting a zero-day vulnerability in webmail servers to extract sensitive information, targeting governmental entities and defense companies.
References: Blog , ESET Research , The Hacker News ...
A cyber espionage campaign dubbed "Operation RoundPress" has been attributed to the Russian state-sponsored hacking group APT28, also known as Fancy Bear, among other aliases. Security researchers at ESET have uncovered that this operation, active since 2023, targets high-value webmail servers by exploiting cross-site scripting (XSS) vulnerabilities. The primary objective is to steal confidential data from specific email accounts. The attackers have been observed targeting several webmail platforms.

In 2024, the scope of Operation RoundPress expanded beyond Roundcube, including webmail software such as Horde, MDaemon, and Zimbra. Specifically, the group exploited a zero-day XSS vulnerability, CVE-2024-11182, in MDaemon before a patch was available. The vulnerability was reported to the developers on November 1st, 2024, and subsequently patched in version 24.5.1. The exploitation involves injecting malicious JavaScript code into the victim's webmail page via spearphishing emails.

The victims primarily consist of governmental entities and defense companies in Eastern Europe. However, governments in Africa, Europe, and South America have also been targeted. The injected JavaScript payloads, analyzed by ESET and named SpyPress, are designed to steal webmail credentials and exfiltrate contacts and email messages from the victim’s mailbox. In the case of MDaemon, the attackers were able to set up a bypass for two-factor authentication. ESET has made Indicators of Compromise (IOCs) available on their GitHub repository.

Recommended read:
References :
  • Blog: Russian APT28 hackers leverage webmail zero-day
  • ESET Research: publishes its investigation of Operation RoundPress, which uses XSS vulnerabilities to target high-value webmail servers. We attribute the operation to Sednit with medium confidence. In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra.
  • www.welivesecurity.com: publishes its investigation of Operation RoundPress, which uses XSS vulnerabilities to target high-value webmail servers. We attribute the operation to Sednit with medium confidence. In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra..
  • The Hacker News: Russia-Linked APT28 Exploited MDaemon Zero-Day to Hack Government Webmail Servers
  • The DefendOps Diaries: Government Webmail Hacked via XSS Bugs in Global Spy Campaign
  • securityonline.info: Operation RoundPress: Sednit Weaponizes XSS to Breach Global Webmail Servers
  • Virus Bulletin: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers with spear-phishing emails leveraging an XSS vulnerability. Most of the victims are government entities and defence companies in Eastern Europe.
  • WeLiveSecurity: Sednit abuses XSS flaws to hit gov't entities, defense companies
  • WeLiveSecurity: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities
  • www.scworld.com: Global government webmail servers targeted by Russian cyberespionage operation
  • BleepingComputer: Hackers are running a worldwide cyberespionage campaign dubbed 'RoundPress,' leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations.
  • securityonline.info: Researchers expose a covert cyberespionage campaign, dubbed Operation RoundPress, believed to be orchestrated by the Russia-aligned Sednit APT group.
  • www.techradar.com: Global Russian hacking campaign steals data from government agencies
  • www.scworld.com: Sednit group's 'Operation RoundPress' targets webmail servers globally
  • hackread.com: ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail…
  • Thomas Roccia :verified:: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities
  • ciso2ciso.com: Russian APT Exploiting Mail Servers Against Government, Defense Organizations – Source: www.securityweek.com
@thehackernews.com //

North Korean APT Targeting Ukrainian Government - North Korean APT group Konni is targeting Ukrainian government entities with phishing campaigns to gather intelligence on the Russian invasion.
North Korean state-sponsored actor Konni, also known as TA406, has been observed targeting Ukrainian government entities in intelligence collection operations. Researchers at Proofpoint uncovered phishing campaigns initiated in February 2025, where the threat group delivered both credential harvesting tools and malware. These attacks are designed to gather intelligence on the trajectory of the Russian invasion, reflecting Konni's broader pattern of cyber espionage and information gathering. The group's activities extend beyond Ukraine, as they have historically targeted government entities in Russia for strategic intelligence purposes.

The phishing emails used in the attacks often impersonate think tanks and reference important political events or military developments to lure their targets. These emails contain links to password-protected RAR archives hosted on cloud services. Once opened, these archives launch infection sequences designed to conduct extensive reconnaissance of compromised machines. A common tactic involves using CHM files displaying decoy content related to Ukrainian military figures. Clicking on the decoy content triggers the execution of a PowerShell command, downloading a next-stage PowerShell payload from an external server.

This newly launched PowerShell script is capable of gathering detailed information about the compromised system, encoding it, and sending it back to the attacker's server. In some instances, Proofpoint observed HTML files being directly distributed as attachments, instructing victims to click embedded links to download ZIP archives containing malicious files. The ultimate goal of these campaigns is to collect intelligence relevant to the conflict, potentially to support North Korea's military involvement alongside Russia in Ukraine and assess the political landscape.

Recommended read:
References :
  • The Hacker News: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • securityonline.info: In a recently disclosed campaign, TA406, a North Korean state-aligned threat actor, has expanded its cyber-espionage efforts by The post appeared first on SecurityOnline.
  • securityonline.info: TA406 Cyber Campaign: North Korea’s Focus on Ukraine Intelligence
  • www.bleepingcomputer.com: North Korea ramps up cyberspying in Ukraine to assess war risk
  • Proofpoint Threat Insight: Proofpoint researchers look into campaigns by Democratic People's Republic of Korea (DPRK) state-sponsored actor TA406 that target government entities in Ukraine.
  • Virus Bulletin: Proofpoint researchers look into campaigns by Democratic People's Republic of Korea (DPRK) state-sponsored actor TA406 that target government entities in Ukraine.
  • cyberriskleaders.com: North Korean Threat Actor TA406 Targets Ukraine for Intelligence Gathering
  • iHLS: North Korean Hackers Target Ukraine to Gauge Russian Military Needs
  • BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • bsky.app: North Korea ramps up cyberspying in Ukraine to assess war risk
  • www.csoonline.com: After helping Russia on the ground North Korea targets Ukraine with cyberespionage
info@thehackernews.com (The@The Hacker News //

Iranian Hackers Target Middle East CNI in Long Term Attack - An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at critical national infrastructure (CNI) in the Middle East.
A long-term cyber intrusion aimed at critical national infrastructure (CNI) in the Middle East has been attributed to an Iranian state-sponsored threat group. The attack, which persisted from May 2023 to February 2025, entailed extensive espionage operations and suspected network prepositioning, a tactic used to maintain persistent access for future strategic advantage. The network security company noted that the attack exhibits tradecraft overlaps with Lemon Sandstorm (formerly Rubidium), also tracked as Parisite, Pioneer Kitten, and UNC757, an Iranian nation-state threat actor active since at least 2017.

The attackers gained initial access by exploiting stolen login credentials to access the victim's SSL VPN system, deploying web shells on public-facing servers, and deploying three backdoors: Havoc, HanifNet, and HXLibrary, for long-term access. They further consolidated their foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualization infrastructure. In response to the victim's initial containment and remediation steps, the attackers deployed more web shells and two more backdoors, MeshCentral Agent and SystemBC.

Even after the victim successfully removed the adversary's access, attempts to infiltrate the network continued by exploiting known Biotime vulnerabilities and spear-phishing attacks aimed at employees to harvest Microsoft 365 credentials. Researchers identified an evolving arsenal of tools deployed throughout the intrusion, including both publicly available and custom-developed malware. The custom tools, such as NeoExpressRAT, a Golang-based backdoor with hardcoded command and control communication capabilities, allowed the threat actors to maintain persistent access while evading traditional detection methods.

Recommended read:
References :
  • The Hacker News: An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.
  • cybersecuritynews.com: Threat Actors Target Critical National Infrastructure with New Malware and Tools
  • gbhackers.com: Threat Actors Target Critical National Infrastructure with New Malware and Tools
  • securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
  • Talkback Resources: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware [ics] [net] [mal]
  • securityonline.info: Recently, the FortiGuard Incident Response (FGIR) team has released an in-depth analysis detailing a prolonged, state-sponsored intrusion into The post appeared first on .
  • gbhackers.com: A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group.
  • www.scworld.com: Middle Eastern critical infrastructure targeted by long-term Iranian cyberattack
  • industrialcyber.co: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
  • Industrial Cyber: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
  • Virus Bulletin: Fortinet's IR team investigate an Iranian-led long-term intrusion on critical infrastructure in the Middle East. Attackers used stolen VPN creds, in-memory loaders for Havoc/SystemBC, and backdoors like HanifNet, HXLibrary, and NeoExpressRAT.

Posts

Blogs

Research Tools