A sophisticated spear-phishing campaign orchestrated by Iranian-aligned operators has been identified targeting diplomatic missions worldwide through a compromised Ministry of Foreign Affairs of Oman mailbox.
The attack, discovered in August 2025, represents a continuation of techniques associated with the Homeland Justice group linked to Iran's Ministry of Intelligence and Security (MOIS).
The campaign leveraged social engineering techniques to distribute malicious Microsoft Word documents masquerading as urgent diplomatic communications.
Attackers sent emails from a compromised @fm.gov.om address, routing traffic through a NordVPN exit node in Jordan (212.32.83.11) to obscure their true origin.
Recipients across 270 email addresses spanning embassies, consulates, and international organizations in multiple regions received documents with subjects referencing "The Future of the region after the Iran-Israel war and the role of Arab countries in the Middle East".
The Iran-Nexus spear-phishing campaign attack path (Source – Dreamgroup)
Dreamgroup analysts identified that the campaign extended far beyond initial assessments, with 104 unique compromised addresses used to mask the operation's true scope.
The malware embedded within the attached Word documents employed sophisticated encoding techniques, converting numerical sequences into ASCII characters through VBA macro code execution.
Attack Mechanism
The technical sophistication of the attack becomes apparent when examining its execution mechanism.
The malicious documents contained VBA macros hidden within the "ThisDocument" and "UserForm1" modules, implementing a multi-stage payload delivery system.
Campaign VBA macro execution chain (Source – Dreamgroup)
The primary decoder function, named "dddd", systematically processes encoded strings by reading three-digit segments and converting each to an ASCII character using the expression Chr(Val(Mid(str, counter, 3))).
A particularly noteworthy evasion technique involves the "laylay" function, which creates artificial delays through four nested loops executing 105 iterations each.
This anti-analysis routine significantly hampers dynamic analysis tools and automated sandbox detection systems.
The malware writes its payload to C:\Users\Public\Documents\ManagerProc[.]log, disguising the executable as a harmless log file before executing it via the Shell command with the vbHide parameter.
Upon successful deployment, the sysProcUpdate executable establishes persistence by copying itself to C:\ProgramData\sysProcUpdate[.]exe and modifying Windows registry DNS parameters.
The malware collects system metadata including username, computer name, and administrative privileges, transmitting this information via encrypted HTTPS POST requests to the command-and-control server at screenai.online/Home/.
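To help an analyst triage macros built the way the "dddd" decoder and the "laylay" stall loops are described above, here is an added Python helper (not from Dreamgroup's report or the malware itself). It mirrors the Chr(Val(Mid(str, counter, 3))) scheme to recover the plaintext behind long all-digit string literals in extracted VBA source, and reports the deepest For/Next nesting as a crude stall-loop indicator. The VBA fragment is constructed for illustration; the encoded literal is a harmless path, not the real payload.

```python
import re

# Constructed VBA fragment in the style the article describes. The digit
# string encodes "C:\Users\Public" (three decimal digits per character);
# it is a made-up sample, not the campaign's actual encoded payload.
SAMPLE_VBA = '''
Private Sub Document_Open()
    Dim s As String
    s = "067058092085115101114115092080117098108105099"
    x = dddd(s)
End Sub

Sub laylay()
    For a = 1 To 105
        For b = 1 To 105
            For c = 1 To 105
                For d = 1 To 105
                Next d
            Next c
        Next b
    Next a
End Sub
'''

# A quoted literal made only of 3-digit groups (at least 4 of them).
ENCODED_LITERAL = re.compile(r'"((?:\d{3}){4,})"')


def decode_three_digit(encoded: str) -> str:
    """Python equivalent of looping Chr(Val(Mid(str, counter, 3))):
    every 3-character slice is a decimal ASCII code."""
    if len(encoded) % 3 or not encoded.isdigit():
        raise ValueError("expected a multiple of 3 decimal digits")
    return "".join(chr(int(encoded[i:i + 3])) for i in range(0, len(encoded), 3))


def find_encoded_strings(vba_source: str) -> list[tuple[str, str]]:
    """Return (literal, decoded) pairs for each candidate encoded literal."""
    return [(m.group(1), decode_three_digit(m.group(1)))
            for m in ENCODED_LITERAL.finditer(vba_source)]


def max_for_nesting(vba_source: str) -> int:
    """Deepest For/Next nesting in the source; four or more nested
    counting loops with no body is a hint of a time-wasting stall routine."""
    depth = deepest = 0
    for line in vba_source.splitlines():
        token = line.strip().lower()
        if token.startswith("for "):
            depth += 1
            deepest = max(deepest, depth)
        elif token.startswith("next"):
            depth = max(0, depth - 1)
    return deepest
```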