Microsoft warns of new spearphishing attack targeting workers at top companies

Iran hackers are trying hard to discover exactly what researchers and academia in the West are working on and discussing, especially about Palestine and Israel – so much so that they’ve launched a new, hard-to-detect phishing campaign against such individuals, aiming to install information-stealing malware.

This is according to Microsoft, whose security researchers recently sounded the alarm on the campaign.

As per the report, a subgroup of a known state-sponsored threat actor APT35 (AKA Charming Kitten, or Phosphorus) is engaged in phishing attacks against high-profile employees of research organizations and universities in Europe and the United States. The emails are custom-made and often make it past email security services.

Middle East in focus

“Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States,” Microsoft said in the report. “In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.”

Besides MediaPI, which seems to be designed to open up an encrypted communications channel with the operators and the compromised endpoints, APT35 is also dropping MischiefTut, a backdoor allowing them to run commands and mount reconnaissance activity. 

“These individuals, who work with or who have the potential to influence the intelligence and policy communities, are attractive targets for adversaries seeking to collect intelligence for the states that sponsor their activity, such as the Islamic Republic of Iran,” Microsoft said. “Based on the identities of the targets observed in this campaign and the use of lures related to the Israel-Hamas war, it’s possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum.

Via BleepingComputer

More from TechRadar Pro

• US government confirms Iran is behind cyberattacks on water companies
• Here’s a list of the best firewalls around today
• These are the best endpoint security tools right now