Iran-Nexus Hackers Abuse Omani Mailbox to Target Global Governments


Cybersecurity: Iranian-Aligned Spear-Phishing Campaign

A spear-phishing campaign attributed to Iranian-aligned operators has been identified, targeting diplomatic missions worldwide. This attack involved the use of a compromised email account from the Ministry of Foreign Affairs of Oman.

First discovered in August 2025, the campaign is a continuation of tactics associated with the Homeland Justice group linked to Iran’s Ministry of Intelligence and Security (MOIS). The attackers employed social engineering strategies to distribute malicious Microsoft Word documents disguised as urgent diplomatic communications.

Emails were sent from a compromised @fm.gov.om address, with traffic routed through a NordVPN exit node in Jordan (212.32.83.11) to conceal their origin. Recipients included 270 email addresses across embassies, consulates, and international organizations, featuring document subjects such as “The Future of the region after the Iran-Israel war and the role of Arab countries in the Middle East.”

Analysis by Dreamgroup revealed that the campaign involved 104 unique compromised addresses, indicating a broader scope than initially assessed. The embedded malware within the Word documents used sophisticated encoding, translating numerical sequences into ASCII characters through VBA macro execution.

Attack Mechanism

The technical complexity of the attack is evident in its execution method. Malicious documents contained VBA macros concealed within the “ThisDocument” and “UserForm1” modules, facilitating a multi-stage payload delivery system.

The primary decoder function, labeled “dddd,” processes encoded strings by converting three-digit segments into ASCII characters using the expression Chr(Val(Mid(str, counter, 3))). A notable evasion technique includes the “laylay” function, which creates delays through nested loops, significantly hindering dynamic analysis tools and automated sandbox systems.
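As an added illustration (not code from the campaign or from the cited analysis), the following Python reproduces the three-digit decoding scheme described above and adds a small triage helper that flags digit-only string literals in macro source which decode to printable text. The sample macro fragment and the encoded literal in it are constructed for this example.

```python
import re

# Constructed sample in the style of the described macro (not the real one).
# The digit string is "ManagerProc.log" encoded as three-digit ASCII codes.
SAMPLE_MACRO = (
    'Sub AutoOpen()\n'
    '    Dim s As String\n'
    '    s = "077097110097103101114080114111099046108111103"\n'
    '    Open dddd(s) For Output As #1\n'
    'End Sub\n'
)


def decode_three_digit_ascii(encoded: str) -> str:
    """Python equivalent of the decoder loop Chr(Val(Mid(str, counter, 3))).

    VBA's Mid is 1-indexed and steps by three; here the same walk is done
    with slicing. Each numeric triplet becomes one character.
    """
    if not encoded.isdigit() or len(encoded) % 3 != 0:
        raise ValueError("expected a digit string whose length is a multiple of 3")
    return "".join(chr(int(encoded[i:i + 3])) for i in range(0, len(encoded), 3))


def find_encoded_literals(macro_source: str, min_chars: int = 4):
    """Triage helper: return (literal, decoded) pairs for quoted all-digit
    literals whose length is a multiple of 3 and whose triplets all fall in
    printable ASCII (32..126). Short literals are skipped to reduce noise."""
    hits = []
    for literal in re.findall(r'"(\d+)"', macro_source):
        if len(literal) % 3 != 0 or len(literal) // 3 < min_chars:
            continue
        codes = [int(literal[i:i + 3]) for i in range(0, len(literal), 3)]
        if all(32 <= c < 127 for c in codes):
            hits.append((literal, decode_three_digit_ascii(literal)))
    return hits


if __name__ == "__main__":
    # Walk the constructed macro text and show what each flagged literal hides.
    for literal, decoded in find_encoded_literals(SAMPLE_MACRO):
        print(f"{literal} -> {decoded!r}")
```

The same helper can be pointed at macro text dumped by a VBA extraction tool to surface strings worth decoding by hand.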

The malware writes its payload to C:\Users\Public\Documents\ManagerProc[.]log, masking it as a log file before execution with vbHide parameters. Upon deployment, the executable sysProcUpdate establishes persistence by copying itself to C:\ProgramData\sysProcUpdate[.]exe and altering Windows registry DNS settings.

It collects system metadata such as username, computer name, and administrative privileges, sending this data via encrypted HTTPS POST requests to the command-and-control server at screenai.online/Home/.
