A sophisticated spear-phishing campaign linked to an Iran-aligned group has targeted embassies, consulates, and international organizations across the globe, according to Israeli cybersecurity firm Dream.
The campaign, described as “coordinated” and “multi-wave,” has been attributed to actors connected to Homeland Justice, a group known for cyber operations aligned with Iranian interests.
Dream reports that the attackers sent emails disguised as legitimate diplomatic communications to government recipients across Europe, Africa, the Middle East, Asia, and the Americas. The emails used geopolitical themes, particularly tensions between Iran and Israel, as bait to trick recipients into opening malicious Microsoft Word documents.
Once opened, the documents prompt users to enable content, which activates a macro that installs malware. The malware is designed to spy on infected systems by collecting data and connecting to a command-and-control server.
To appear credible, the emails were sent from over 100 compromised addresses, including one belonging to the Oman Ministry of Foreign Affairs in Paris. European and African diplomatic missions were among the most heavily targeted.
In a separate report, Barracuda researchers have detailed new features implemented in the advanced phishing-as-a-service (PhaaS) kit called ‘Tycoon.’ The researchers observed that Tycoon phishing attacks use advanced URL encoding techniques in emails posing as voicemail messages from a trusted accounting service. The attacks include a fake CAPTCHA step to enhance legitimacy and evade basic security filters. Techniques such as the Redundant Protocol Prefix and splitting malicious URLs across subdomains are used to obfuscate links and trick users into visiting attacker-controlled websites.
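As an added example (not code from Barracuda or from the article), the script below shows how a mail-filtering rule might flag the two obfuscation patterns named above: a URL carrying more than one protocol prefix (including one hidden behind percent-encoding) and a hostname with an unusually deep chain of subdomains. The sample email body, the `.example.invalid` hostnames, and the subdomain-depth threshold of four are constructed assumptions for the demonstration, not indicators from the report.

```python
"""Heuristic checks for obfuscated URLs in a phishing email body (added example)."""
import re
from urllib.parse import unquote, urlsplit

# Matches a scheme prefix anywhere in a string, e.g. "https://" inside a query.
SCHEME_RE = re.compile(r"https?://", re.IGNORECASE)
# Extracts candidate URLs from free text; a doubled prefix stays in one match.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample body (assumption): one doubled prefix, one encoded
# scheme in a query parameter, and one ordinary link.
SAMPLE_BODY = """You have a new voicemail from the accounting team.
Listen: https://https://voicemail-portal.example.invalid/play?id=1
Or here: https://cdn.example.invalid/r?u=https%3A%2F%2Flogin.example.invalid%2Fauth
Policy: https://docs.example.invalid/policy
"""


def fully_decode(url: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (https%3A%2F%2F, %253A, ...) so a
    scheme hidden in the path or query becomes visible to the checks."""
    decoded = url
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def scheme_count(url: str) -> int:
    """Number of protocol prefixes present after decoding."""
    return len(SCHEME_RE.findall(fully_decode(url)))


def subdomain_depth(url: str) -> int:
    """Number of labels left of the registrable domain (approximated as the
    last two labels; a public-suffix list would be more exact)."""
    host = urlsplit(fully_decode(url)).hostname or ""
    labels = [label for label in host.split(".") if label]
    return max(0, len(labels) - 2)


def assess_url(url: str, depth_threshold: int = 4) -> dict:
    """Return the individual findings plus an overall 'suspicious' verdict."""
    raw_schemes = len(SCHEME_RE.findall(url))
    decoded_schemes = scheme_count(url)
    findings = {
        # More than one protocol prefix, e.g. "https://https://host/".
        "multiple_schemes": decoded_schemes > 1,
        # A scheme that only appears once percent-encoding is removed.
        "encoded_scheme": decoded_schemes > raw_schemes,
        # Long subdomain chains used to bury the real domain in the link.
        "deep_subdomains": subdomain_depth(url) >= depth_threshold,
    }
    findings["suspicious"] = any(findings.values())
    return findings


def scan_body(body: str) -> list:
    """Return (url, findings) for every URL in the body that trips a check."""
    flagged = []
    for url in URL_RE.findall(body):
        findings = assess_url(url)
        if findings["suspicious"]:
            flagged.append((url, findings))
    return flagged


if __name__ == "__main__":
    for url, findings in scan_body(SAMPLE_BODY):
        reasons = [k for k, v in findings.items() if v and k != "suspicious"]
        print(f"FLAG {url}  ({', '.join(reasons)})")
```

In a real gateway these checks would run on the decoded final URL after following redirects and consulting a public-suffix list, since the two-label approximation of the registrable domain over-counts depth for hosts under country-code suffixes.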