
Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting

3 unique sources, 9 articles

Summary


Iranian state-sponsored or affiliated cyber threat actors are actively targeting U.S. critical infrastructure and conducting global phishing campaigns against diplomatic entities. These actors exploit known vulnerabilities in unpatched or outdated software, compromise internet-connected accounts and devices with weak passwords, and collaborate with ransomware groups to encrypt, steal, and leak sensitive information. A recent coordinated multi-wave spear-phishing campaign targeted embassies and consulates globally, using compromised email accounts to deploy malware. The campaign, attributed to Iranian-aligned operators connected to Homeland Justice, involved sending spear-phishing emails disguised as legitimate diplomatic communications to deploy malware via VBA macros. The phishing emails were sent from 104 unique compromised addresses, including a hacked mailbox from the Oman Ministry of Foreign Affairs. The targeted regions included the Middle East, Africa, Europe, Asia, and the Americas, with a focus on European embassies and African organizations. The campaign is assessed to have likely concluded just days after it began, as the attackers' command-and-control (C2) infrastructure appears to be inactive.

In addition, an Iranian state-sponsored threat actor known as Subtle Snail has conducted a new campaign targeting European telecommunications companies, successfully infiltrating 34 devices across 11 organizations. This group, also known as UNC1549, operates by posing as HR representatives from legitimate entities to engage employees and then compromises them through the deployment of a MINIBIKE backdoor variant. The targeted companies are located in Canada, France, the United Arab Emirates, the United Kingdom, and the United States. The group's primary motivation involves infiltrating telecommunications entities while maintaining interest in aerospace and defense organizations to establish long-term persistence and exfiltrate sensitive data for strategic espionage purposes. The attacks involve extensive reconnaissance on platforms like LinkedIn to identify key personnel within target organizations, specifically focusing on researchers, developers, and IT administrators with elevated access to critical systems and developer environments. The campaign is characterized by the meticulous efforts of Subtle Snail operators to tailor the attack for each victim, using job-themed lures and spear-phishing emails to validate email addresses and collect additional information. The malware used in the campaign includes a web browser stealer that incorporates a publicly available tool called Chrome-App-Bound-Encryption-Decryption to bypass app-bound encryption protections rolled out by Google. MINIBIKE is a fully featured, modular backdoor with support for 12 distinct commands to facilitate C2 communication, allowing it to enumerate files and directories, list running processes, terminate specific ones, upload files in chunks, and run various payloads. The malware makes Windows Registry modifications such that it is automatically loaded after system startup and features anti-debugging and anti-sandbox techniques to hinder analysis. The group uses predefined paths to guide its searches and focuses on stealing emails, VPN configurations, and other information that helps it maintain control, as well as hunting for confidential files stored in shared folders.

Furthermore, the Iran-linked cyber-espionage group Nimbus Manticore, also known as UNC1549 and Smoke Sandstorm, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from Chrome and Edge browsers. MiniJunk is an advanced version of the MINIBIKE backdoor, featuring improved obfuscation techniques, code signing, and multiple C2 servers to evade detection. The malware employs multi-stage sideloading to install and establish persistence on victim systems, leveraging fake job-related login pages and tailored spear-phishing emails. Nimbus Manticore has been active since at least 2022, targeting aerospace and defense sectors in Israel and the Middle East, and is associated with the Iranian Revolutionary Guard Corps (IRGC).

Additionally, the Iranian state-sponsored threat actor known as APT42 has been observed targeting individuals and organizations of interest to the IRGC as part of a new espionage-focused campaign codenamed SpearSpecter. The campaign, detected in early September 2025 and assessed to be ongoing, systematically targets high-value senior defense and government officials using personalized social engineering tactics. The campaign extends to the targets' family members, creating a broader attack surface that exerts more pressure on the primary targets. APT42 is known for its ability to mount convincing social engineering campaigns that can run for days or weeks to build trust with the targets before sending a malicious payload or tricking them into clicking on booby-trapped links. The SpearSpecter campaign is carried out by cluster D of APT42, which focuses more on malware-based operations, while another campaign detailed by Check Point was carried out by cluster B of the same group, which focuses more on credential harvesting. The campaign involves impersonating trusted WhatsApp contacts to send a malicious link to a supposed required document for an upcoming meeting or conference. When the link is clicked, it initiates a redirect chain to serve a WebDAV-hosted Windows shortcut (LNK) masquerading as a PDF file by taking advantage of the "search-ms:" protocol handler. The LNK file establishes contact with a Cloudflare Workers subdomain to retrieve a batch script that functions as a loader for TAMECAT, a known PowerShell backdoor. TAMECAT employs various modular components to facilitate data exfiltration and remote control, using HTTPS, Discord, and Telegram for command-and-control (C2). The PowerShell framework uses three distinct channels for C2, suggesting the threat actor's goal of maintaining persistent access to compromised hosts even if one pathway gets detected and blocked. TAMECAT comes equipped with features to conduct reconnaissance, harvest files matching certain extensions, steal data from web browsers like Google Chrome and Microsoft Edge, collect Outlook mailboxes, and take screenshots at 15-second intervals. The data is exfiltrated over HTTPS or FTP, and the malware adopts various stealthy techniques to evade detection and resist analysis efforts.

Separately, UNC1549 (aka Nimbus Manticore or Subtle Snail) has been observed deploying backdoors like TWOSTROKE and DEEPROOT in attacks targeting aerospace, aviation, and defense industries in the Middle East. The group has been active since late 2023 through 2025, employing sophisticated initial access vectors including abuse of third-party relationships, VDI breakouts, and highly targeted phishing. The group uses a combination of phishing campaigns and leveraging trusted relationships with third-party suppliers and partners to gain initial access. UNC1549 abuses credentials associated with services like Citrix, VMware, and Azure Virtual Desktop and Application (VDA) to establish an initial foothold and break out of virtualized sessions. The group targets IT staff and administrators to obtain credentials with elevated privileges for deeper network access. Post-exploitation activities include reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, focusing on network/IT documentation, intellectual property, and emails. Custom tools used by UNC1549 include MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, DCSYNCER.SLICK, CRASHPAD, SIGHTGRAB, and TRUSTTRAP. The group uses publicly available programs like AD Explorer, Atelier Web Remote Commander (AWRC), and SCCMVNC for remote control and reconnaissance. UNC1549 maintains stealth and command-and-control (C2) using extensive reverse SSH shells and domains mimicking the victim's industry. The group plants backdoors that beacon silently for months, only activating them to regain access after the victim has attempted eradication.

Furthermore, Iranian threat actors have engaged in cyber warfare to facilitate and enhance physical, real-world attacks, a trend known as cyber-enabled kinetic targeting. Imperial Kitten, an Iranian-affiliated hacking group, conducted digital reconnaissance targeting a ship's Automatic Identification System (AIS) platform between December 2021 and January 2024. Imperial Kitten attacked additional maritime vessel platforms, gaining access to CCTV cameras on a maritime vessel for real-time visual intelligence. On January 27, 2024, Imperial Kitten carried out targeted searches for AIS location data for a specific shipping vessel, which was later targeted by an unsuccessful missile strike by Iranian-backed Houthi militants. MuddyWater, an Iranian threat actor, established infrastructure for a cyber network operation in May 2025 and used it to access live CCTV streams from Jerusalem to gather real-time visual intelligence. Iranian threat actors routed their traffic through anonymizing VPN services to obscure their origins and complicate attribution efforts.

Timeline

  1. 20.11.2025 09:35 1 article · 23h ago

    Iranian Threat Actors Use Cyber Reconnaissance for Kinetic Attacks

    Iranian threat actors, including Imperial Kitten and MuddyWater, have been conducting cyber reconnaissance to facilitate physical attacks. Imperial Kitten targeted maritime vessels, gaining access to CCTV cameras and AIS data, which was used to plan a missile strike. MuddyWater accessed live CCTV streams in Jerusalem to gather real-time visual intelligence. These activities highlight the integration of cyber and physical attack methods by nation-state actors.

  2. 14.11.2025 16:40 1 article · 6d ago

    APT42 Launches SpearSpecter Espionage Campaign

    The Iranian state-sponsored threat actor APT42 has been observed targeting individuals and organizations of interest to the IRGC as part of a new espionage-focused campaign codenamed SpearSpecter. The campaign, detected in early September 2025 and assessed to be ongoing, systematically targets high-value senior defense and government officials using personalized social engineering tactics. The campaign extends to the targets' family members, creating a broader attack surface that exerts more pressure on the primary targets. APT42 is known for its ability to mount convincing social engineering campaigns that can run for days or weeks to build trust with the targets before sending a malicious payload or tricking them into clicking on booby-trapped links. The SpearSpecter campaign is carried out by cluster D of APT42, which focuses more on malware-based operations, while another campaign detailed by Check Point was carried out by cluster B of the same group, which focuses more on credential harvesting. The campaign involves impersonating trusted WhatsApp contacts to send a malicious link to a supposed required document for an upcoming meeting or conference. When the link is clicked, it initiates a redirect chain to serve a WebDAV-hosted Windows shortcut (LNK) masquerading as a PDF file by taking advantage of the "search-ms:" protocol handler. The LNK file establishes contact with a Cloudflare Workers subdomain to retrieve a batch script that functions as a loader for TAMECAT, a known PowerShell backdoor. TAMECAT employs various modular components to facilitate data exfiltration and remote control, using HTTPS, Discord, and Telegram for command-and-control (C2). The PowerShell framework uses three distinct channels for C2, suggesting the threat actor's goal of maintaining persistent access to compromised hosts even if one pathway gets detected and blocked. TAMECAT comes equipped with features to conduct reconnaissance, harvest files matching certain extensions, steal data from web browsers like Google Chrome and Microsoft Edge, collect Outlook mailboxes, and take screenshots at 15-second intervals. The data is exfiltrated over HTTPS or FTP, and the malware adopts various stealthy techniques to evade detection and resist analysis efforts.
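As an added defender's example (not code from the original page or from any vendor it cites), the following Python applies heuristic rules to constructed Sysmon-style events modelled on the chain above: a remote search-ms: crumb, a PowerShell process descending from it through a batch loader, and C2 spread across HTTPS, Discord and Telegram. All PIDs, hosts, file names and rule weights are invented placeholders, and the regexes are illustrative rather than published signatures.

```python
"""Heuristic detection for the SpearSpecter-style delivery chain described above:
search-ms: handler -> WebDAV-hosted LNK -> batch loader -> PowerShell backdoor
with HTTPS/Discord/Telegram C2. Added example: rules, weights and events are
constructed for illustration and are not published indicators."""
import re
from collections import defaultdict

# Constructed Sysmon-like telemetry: type 1 = process creation, type 3 = network
# connection. PIDs, hosts and file names are invented placeholders, not real IoCs.
EVENTS = [
    {"type": 1, "pid": 4100, "ppid": 3000, "image": r"C:\Windows\explorer.exe",
     "cmd": r'explorer.exe "search-ms:displayname=Documents&crumb=location:\\dav.example.invalid@SSL\DavWWWRoot\docs"'},
    {"type": 1, "pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "%TEMP%\loader.bat"'},
    {"type": 1, "pid": 4150, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAC4ALgAuACkA"},
    {"type": 3, "pid": 4150, "dest": "discord.com", "port": 443},
    {"type": 3, "pid": 4150, "dest": "api.telegram.org", "port": 443},
    {"type": 3, "pid": 4150, "dest": "cdn.example.invalid", "port": 443},
    # Benign noise: a local Explorer search and an interactive admin shell.
    {"type": 1, "pid": 5000, "ppid": 3000, "image": r"C:\Windows\explorer.exe",
     "cmd": r'explorer.exe "search-ms:query=invoice&crumb=location:C:\Users\alice\Documents"'},
    {"type": 1, "pid": 5010, "ppid": 3000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Service"},
]

# A search-ms: URI whose crumb points at a UNC/WebDAV location rather than a local folder.
RE_SEARCH_MS_REMOTE = re.compile(r"search-ms:.*crumb=location:\\\\", re.I)
RE_ENCODED_PS = re.compile(r"(?:^|\s)-(?:enc|encodedcommand|e)\s", re.I)
RE_HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# Chat-platform APIs the page names as TAMECAT C2 channels; any other TLS host counts as "HTTPS".
CHAT_C2_HOSTS = {"discord.com", "discordapp.com", "api.telegram.org"}
WEIGHTS = {"search-ms_remote_crumb": 3, "obfuscated_powershell": 2, "batch_loader_parent": 1,
           "descends_from_remote_search-ms": 4, "chat_platform_c2": 3, "multi_channel_c2": 2}


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Return the process and its recorded ancestors, nearest first (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def evaluate(events):
    """Score every process; each finding lists the rules it tripped, highest score first."""
    procs = {e["pid"]: e for e in events if e["type"] == 1}
    net = defaultdict(set)
    for e in events:
        if e["type"] == 3:
            net[e["pid"]].add(e["dest"].lower())
    findings = []
    for p in procs.values():
        chain = ancestry(procs, p["pid"])
        names = [basename(x["image"]) for x in chain]
        hits = []
        if RE_SEARCH_MS_REMOTE.search(p["cmd"]):
            hits.append("search-ms_remote_crumb")
        if names[0] == "powershell.exe":
            if RE_ENCODED_PS.search(p["cmd"]) or RE_HIDDEN_PS.search(p["cmd"]):
                hits.append("obfuscated_powershell")
            if names[1:2] == ["cmd.exe"]:
                hits.append("batch_loader_parent")
            if any(RE_SEARCH_MS_REMOTE.search(a["cmd"]) for a in chain[1:]):
                hits.append("descends_from_remote_search-ms")
            chat = CHAT_C2_HOSTS & net[p["pid"]]
            if chat:
                hits.append("chat_platform_c2:" + ",".join(sorted(chat)))
            # Three-channel design: flag when >= 2 distinct channel kinds are seen from one process.
            if len(chat) + bool(net[p["pid"]] - CHAT_C2_HOSTS) >= 2:
                hits.append("multi_channel_c2")
        if hits:
            score = sum(WEIGHTS[h.split(":")[0]] for h in hits)
            findings.append({"pid": p["pid"], "image": names[0], "hits": hits, "score": score})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"pid {f['pid']} {f['image']} score={f['score']} hits={f['hits']}")
```

The local search-ms: query and the plain admin shell produce no findings, while the PowerShell process that descends from the remote crumb and talks to two chat platforms plus a third TLS host scores highest.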

  3. 23.09.2025 00:00 2 articles · 1mo ago

    Nimbus Manticore Expands Operations to Western Europe

    The Iran-linked cyber-espionage group Nimbus Manticore, also known as UNC1549 and Smoke Sandstorm, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from Chrome and Edge browsers. MiniJunk is an advanced version of the MINIBIKE backdoor, featuring improved obfuscation techniques, code signing, and multiple C2 servers to evade detection. The malware employs multi-stage sideloading to install and establish persistence on victim systems, leveraging fake job-related login pages and tailored spear-phishing emails. The group's operations are associated with the Iranian Revolutionary Guard Corps (IRGC) and have been active since at least 2022, focusing on the aerospace and defense sectors in Israel and the Middle East. Additionally, UNC1549 (aka Nimbus Manticore or Subtle Snail) has been observed deploying backdoors like TWOSTROKE and DEEPROOT in attacks targeting aerospace, aviation, and defense industries in the Middle East. The group has been active since late 2023 through 2025, employing sophisticated initial access vectors including abuse of third-party relationships, VDI breakouts, and highly targeted phishing. The group uses a combination of phishing campaigns and leveraging trusted relationships with third-party suppliers and partners to gain initial access. UNC1549 abuses credentials associated with services like Citrix, VMware, and Azure Virtual Desktop and Application (VDA) to establish an initial foothold and break out of virtualized sessions. The group targets IT staff and administrators to obtain credentials with elevated privileges for deeper network access. Post-exploitation activities include reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, focusing on network/IT documentation, intellectual property, and emails. Custom tools used by UNC1549 include MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, DCSYNCER.SLICK, CRASHPAD, SIGHTGRAB, and TRUSTTRAP. The group uses publicly available programs like AD Explorer, Atelier Web Remote Commander (AWRC), and SCCMVNC for remote control and reconnaissance. UNC1549 maintains stealth and command-and-control (C2) using extensive reverse SSH shells and domains mimicking the victim's industry. The group plants backdoors that beacon silently for months, only activating them to regain access after the victim has attempted eradication.

  4. 19.09.2025 16:59 4 articles · 2mo ago

    Subtle Snail Targets Global Telecommunications and Aerospace Companies

    The Iran-nexus cyber espionage group UNC1549, also known as Subtle Snail, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from Chrome and Edge browsers. MiniJunk is an advanced version of the MINIBIKE backdoor, featuring improved obfuscation techniques, code signing, and multiple C2 servers to evade detection. The malware employs multi-stage sideloading to install and establish persistence on victim systems, leveraging fake job-related login pages and tailored spear-phishing emails. The group's operations are associated with the Iranian Revolutionary Guard Corps (IRGC) and have been active since at least 2022, focusing on the aerospace and defense sectors in Israel and the Middle East. Additionally, UNC1549 (aka Nimbus Manticore or Subtle Snail) has been observed deploying backdoors like TWOSTROKE and DEEPROOT in attacks targeting aerospace, aviation, and defense industries in the Middle East. The group has been active since late 2023 through 2025, employing sophisticated initial access vectors including abuse of third-party relationships, VDI breakouts, and highly targeted phishing. The group uses a combination of phishing campaigns and leveraging trusted relationships with third-party suppliers and partners to gain initial access. UNC1549 abuses credentials associated with services like Citrix, VMware, and Azure Virtual Desktop and Application (VDA) to establish an initial foothold and break out of virtualized sessions. The group targets IT staff and administrators to obtain credentials with elevated privileges for deeper network access. Post-exploitation activities include reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, focusing on network/IT documentation, intellectual property, and emails. Custom tools used by UNC1549 include MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, DCSYNCER.SLICK, CRASHPAD, SIGHTGRAB, and TRUSTTRAP. The group uses publicly available programs like AD Explorer, Atelier Web Remote Commander (AWRC), and SCCMVNC for remote control and reconnaissance. UNC1549 maintains stealth and command-and-control (C2) using extensive reverse SSH shells and domains mimicking the victim's industry. The group plants backdoors that beacon silently for months, only activating them to regain access after the victim has attempted eradication.

  5. 03.09.2025 13:30 2 articles · 2mo ago

    Iranian Cyber Threat Actors Conduct Global Phishing Campaign

    The first email in this campaign was sent on August 19, 2025, from a legitimate address belonging to the Oman Ministry of Foreign Affairs in Paris, directed back at the organization. The emails were forwarded through a NordVPN exit node in Jordan to mask their origin. The emails included a blurred Word document attachment requiring users to enable macros to view it clearly. The document concealed malicious Visual Basic for Applications (VBA) macros, which, when enabled, executed a payload that gathered basic system information. The campaign targeted around four dozen embassies, consulates, and government ministries from nearly every corner of the earth. The attackers also targeted at least 10 other notable international organizations, including the United Nations, its Office on Drugs and Crime (UNODC), and its Children's Fund (UNICEF); the African Union; and humanitarian organizations like the Order of Malta. The campaign is assessed to have likely concluded just days after it began, as the attackers' command-and-control (C2) infrastructure appears to be inactive.

  6. 30.06.2025 15:00 3 articles · 4mo ago

    U.S. Agencies Warn of Potential Iranian Cyber Activity Against Critical Infrastructure

    Iranian state-sponsored or affiliated cyber threat actors are targeting U.S. critical infrastructure. These actors exploit known vulnerabilities, compromise weak passwords, and collaborate with ransomware groups. A coordinated multi-wave spear-phishing campaign targeted embassies and consulates globally, using compromised email accounts to deploy malware. The campaign involved sending spear-phishing emails disguised as legitimate diplomatic communications to deploy malware via VBA macros. The phishing emails were sent from 104 unique compromised addresses, including a hacked mailbox from the Oman Ministry of Foreign Affairs. The targeted regions included the Middle East, Africa, Europe, Asia, and the Americas, with a focus on European embassies and African organizations. The activity was attributed to Iranian threat actors by Israeli cybersecurity company Dream and corroborated by ClearSky. The campaign is assessed to have likely concluded just days after it began, as the attackers' command-and-control (C2) infrastructure appears to be inactive.


Similar Happenings

AI-Powered Malware Families Deployed in the Wild

Google's Threat Intelligence Group (GTIG) has identified new malware families that leverage artificial intelligence (AI) and large language models (LLMs) for dynamic self-modification during execution. These malware families, including PromptFlux, PromptSteal, FruitShell, QuietVault, and PromptLock, demonstrate advanced capabilities for evading detection and maintaining persistence. PromptFlux, an experimental VBScript dropper, uses Google's LLM Gemini to generate obfuscated VBScript variants and evade antivirus software. It attempts persistence via Startup folder entries and spreads laterally on removable drives and mapped network shares. The malware is in a development or testing phase and is assessed to be financially motivated. PromptSteal is a data miner written in Python that queries the LLM Qwen2.5-Coder-32B-Instruct to generate one-line Windows commands to collect information and documents in specific folders and send the data to a command-and-control (C2) server. It is used by the Russian state-sponsored actor APT28 in attacks targeting Ukraine. The use of AI in malware enables adversaries to create more versatile and adaptive threats, posing significant challenges for cybersecurity defenses. Various threat actors, including those from China, Iran, and North Korea, have been observed abusing AI models like Gemini across different stages of the attack lifecycle. The underground market for AI-powered cybercrime tools is also growing, with offerings ranging from deepfake generation to malware development and vulnerability exploitation.

Iranian APT Phishing Campaign Targets US Think Tanks

Between June and August 2025, an Iranian advanced persistent threat (APT) group, tentatively named UNK_SmudgedSerpent, conducted targeted phishing attacks against prominent US think tanks and policy experts. The campaign impersonated influential figures in US foreign policy, including Suzanne Maloney and Patrick Clawson, to steal credentials and deploy remote monitoring and management (RMM) software. The group's tactics, techniques, and procedures (TTPs) overlapped with multiple known Iranian APTs, suggesting possible reorganization or collaboration within Iranian cyber operations. The phishing attempts involved impersonating key figures in US policy discussions on Iran, using tailored emails to lure targets into clicking malicious links. The group used a combination of techniques reminiscent of multiple Iranian APTs, including TA453 (Charming Kitten) and TA455 (Smoke Sandstorm), and deployed RMM software, a tactic previously associated with TA450 (MuddyWater). The campaign targeted over 20 subject matter experts at a U.S.-based think tank and used decoy documents and zip files containing RMM installers. The attackers also impersonated prominent U.S. foreign policy figures associated with think tanks like Brookings Institution and Washington Institute, and used spoofed login pages to harvest Microsoft account credentials. The group's activity was observed to have paused, but concerns persist due to the tactical overlap with known Iranian APTs. The group's tactics and infrastructure suggest possible personnel movement or shared infrastructure procurement between Iranian contracting outfits.

TruffleNet Attack Campaign Targeting AWS Environments

The TruffleNet attack campaign leverages stolen credentials to target AWS environments, particularly Amazon's Simple Email Service (SES). The campaign uses the open-source scanning tool TruffleHog and exploits legitimate tools like Portainer to perform reconnaissance and execute downstream business email compromise (BEC) attacks. The campaign involved over 800 unique hosts across 57 distinct Class C networks. Attackers use legitimate AWS APIs to test stolen credentials and perform reconnaissance. The campaign also includes BEC attacks targeting the oil and gas sector, using compromised WordPress sites to establish sending identities.

Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats

A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, the Netherlands, and Serbian government agencies. The campaign involves spearphishing emails with malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities from Italy and the Netherlands. The zero-day vulnerability allows for remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. The campaign began with spear phishing emails themed around diplomatic meetings and conferences. The malicious LNK files exploit ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025. The LNK file invokes PowerShell with an obfuscated command that decodes a tar archive file named rjnlzlkfe.ta. The tar archive contains three critical files that enable the attack chain through DLL side-loading. The malware includes a legitimate Canon printer assistant utility with an expired digital signature. The second file, cnmpaui.dll, serves as a lightweight loader designed to decrypt and execute the PlugX payload. PlugX is a RAT that provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions.

Nation-State Actors Compromise Ribbon Communications Network

Ribbon Communications, a provider of backbone technology for communication networks, detected unauthorized access to its IT network in early September 2025. The intrusion, potentially initiated as early as December 2024, is attributed to a nation-state actor. The breach affected several customer files saved on two laptops outside the main network. Ribbon has notified impacted customers and does not expect material financial impact. The attack profile suggests Chinese involvement, consistent with known cyberespionage campaigns targeting telecommunications companies. Ribbon Communications has over 3,100 employees in 68 global offices and is working with third-party cybersecurity experts and federal law enforcement to investigate the breach. The company expects to incur additional costs in the fourth quarter of 2025 related to the breach investigation and network strengthening efforts. Ribbon's solutions are used by major telecommunications providers and critical infrastructure organizations, including the US Department of Defense and the City of Los Angeles. The company is based in Plano, Texas and specializes in communications software and IP optical networking technology for service providers and critical infrastructure organizations. The company was formed in 2017 following the merger of Sonus Networks and Genband. The attack on Ribbon follows several notable breaches of US firms, as well as telecom companies in other countries, in recent years. The most notable of these attacks were committed by Salt Typhoon, a Chinese nation-state threat group focused on cyberespionage.