Red Hot Cyber


Iran Cyber Army: Spear-phishing attacks against governments around the world (including Italy!)

Redazione RHC, 29 August 2025 20:30

A recent Cyber Threat Intelligence (CTI) analysis conducted by DREAM has revealed details of a complex spear-phishing campaign that occurred in August 2025. The attack, attributed to an Iran-aligned group known as Homeland Justice, leveraged already compromised infrastructure to reach sensitive targets globally. The peculiarity of this operation lies in the use of a compromised email account belonging to the Omani Ministry of Foreign Affairs, which provided a cover of legitimacy for the malicious communications.

The phishing emails contained a malicious attachment, a Microsoft Word document, which represented the first link in the infection chain. This file hid a VBA (Visual Basic for Applications) macro, specially coded to bypass standard security controls. Once activated, the macro decrypted and installed a payload, an executable file named sysProcUpdate.exe, which was the heart of the cyber attack.

The attack path of the Iran-Nexus spear phishing campaign.

The sysProcUpdate.exe malware was designed to perform detailed reconnaissance of the compromised system. Its primary task was to collect system-specific metadata, including information about the machine's configuration and installed software. This data was encrypted and then transmitted to a command and control (C2) server, from which the attackers managed the campaign and received the exfiltrated information.

To evade defense systems and analysis, the attackers implemented several evasion techniques. They concealed their origin by routing traffic through a VPN exit node in Jordan, making attribution and geolocation harder. Additionally, the malicious payload was written to a file with the .log extension, a type not generally associated with malware, with the goal of evading automated checks that key on executable extensions. Delays built into the code further hindered behavioral (sandbox) analysis systems, which often stop observing a sample after a short time window.

Bait used

The main targets of this campaign were diplomatic and government institutions. The attack targeted entities across a wide range of geographies, including the Middle East, Africa, Europe, Asia, and the Americas. In Europe, the countries targeted were Italy, France, Romania, Spain, the Netherlands, Hungary, Germany, Austria, and Sweden. The campaign demonstrated a clear preference for high-value targets, aimed at obtaining strategic information through access to government and international organization networks, underscoring the political or geopolitical nature of the threat.

To mitigate the attack, security experts recommend several technical countermeasures. The first and most immediate is blocking Indicators of Compromise (IOCs), such as C2 server IP addresses and malicious file hashes. Another crucial recommendation is proactively monitoring suspicious POST requests directed to C2 servers and checking for changes to the Windows registry, which can indicate malware activity.
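The two detections recommended above (watching POST requests to known C2 addresses) together with the .log masquerading trick described earlier can be checked with a small script. The following is an added example written for this article, not code from DREAM or Red Hot Cyber; the proxy log format, the C2 addresses (RFC 5737 documentation ranges) and the sample files are all constructed placeholders, not the campaign's real indicators.

```python
import re
import tempfile
from pathlib import Path

# Constructed placeholder C2 addresses (documentation ranges), NOT the real IOCs.
C2_IOCS = {"203.0.113.10", "198.51.100.7"}

# Constructed, simplified proxy log format: "<timestamp> <client> <method> <url> <status>"
PROXY_LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3})$")
HOST_RE = re.compile(r"^https?://([^/:]+)")


def flag_c2_posts(lines, iocs=C2_IOCS):
    """Return (client, host) pairs for POST requests whose destination host is a listed C2 IOC."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:  # skip lines that do not match the expected format
            continue
        _ts, client, method, url, _status = m.groups()
        h = HOST_RE.match(url)
        if method == "POST" and h and h.group(1) in iocs:
            hits.append((client, h.group(1)))
    return hits


def find_pe_in_log_files(directory):
    """Return .log files whose content starts with the 'MZ' PE header, i.e. an executable
    written under a benign-looking extension."""
    suspicious = []
    for p in Path(directory).rglob("*.log"):
        with open(p, "rb") as f:
            if f.read(2) == b"MZ":
                suspicious.append(str(p))
    return sorted(suspicious)


# Constructed sample proxy lines: one POST to a placeholder C2, plus benign traffic.
SAMPLE_PROXY_LINES = [
    "2025-08-12T10:01:02Z 10.0.0.5 GET https://update.example.com/check 200",
    "2025-08-12T10:01:09Z 10.0.0.5 POST http://203.0.113.10/upload 200",
    "2025-08-12T10:02:30Z 10.0.0.8 POST https://intranet.example.com/api 204",
    "malformed line that the parser must skip",
]


def demo_log_masquerade():
    """Create a constructed PE-like file and a real text log, return names flagged as suspicious."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sysProcUpdate.log").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # fake PE header
        Path(d, "app.log").write_text("2025-08-12 service started\n")
        return [Path(p).name for p in find_pe_in_log_files(d)]
```

In production the proxy parser would be adapted to the actual log schema, and the MZ check can be extended to other data extensions the environment never expects to hold executables.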

The campaign’s VBA macro execution chain.

Among other mitigation measures, the importance of enforcing macro security in Office programs to prevent arbitrary code execution is emphasized. It is also recommended to conduct a thorough analysis of outgoing VPN traffic to identify any anomalous data flows. Finally, implementing network segmentation is seen as an effective defense to limit malware propagation and reduce the impact of similar attacks in the future.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
