CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Iranian Cyber Threat Activity Against U.S. Critical Infrastructure

First reported
Last updated
3 unique sources, 6 articles

Summary

Hide ▲

Iranian state-sponsored or affiliated cyber threat actors are actively targeting U.S. critical infrastructure and conducting global phishing campaigns against diplomatic entities. These actors exploit known vulnerabilities in unpatched or outdated software, compromise internet-connected accounts and devices with weak passwords, and collaborate with ransomware groups to encrypt, steal, and leak sensitive information. A recent coordinated multi-wave spear-phishing campaign targeted embassies and consulates globally, using compromised email accounts to deploy malware. The campaign, attributed to Iranian-aligned operators connected to Homeland Justice, involved sending spear-phishing emails disguised as legitimate diplomatic communications to deploy malware via VBA macros. The phishing emails were sent from 104 unique compromised addresses, including a hacked mailbox from the Oman Ministry of Foreign Affairs. The targeted regions included the Middle East, Africa, Europe, Asia, and the Americas, with a focus on European embassies and African organizations. The campaign is assessed to have likely concluded just days after it began, as the attackers' command-and-control (C2) infrastructure appears to be inactive. In addition, Iranian state-sponsored threat actors, known as Subtle Snail, have conducted a new campaign targeting European telecommunications companies, successfully infiltrating 34 devices across 11 organizations. This group, also known as UNC1549, operates by posing as HR representatives from legitimate entities to engage employees and then compromises them through the deployment of a MINIBIKE backdoor variant. The targeted companies are located in Canada, France, the United Arab Emirates, the United Kingdom, and the United States. The group's primary motivation involves infiltrating telecommunications entities while maintaining interest in aerospace and defense organizations to establish long-term persistence and exfiltrate sensitive data for strategic espionage purposes. The attacks involve extensive reconnaissance on platforms like LinkedIn to identify key personnel within target organizations, specifically focusing on researchers, developers, and IT administrators with elevated access to critical systems and developer environments. The campaign is characterized by the meticulous efforts of Subtle Snail operators to tailor the attack for each victim, using job-themed lures and spear-phishing emails to validate email addresses and collect additional information. The malware used in the campaign includes a web browser stealer that incorporates a publicly available tool called Chrome-App-Bound-Encryption-Decryption to bypass app-bound encryption protections rolled out by Google. MINIBIKE is a fully-featured, modular backdoor with support for 12 distinct commands to facilitate C2 communication, allowing it to enumerate files and directories, list running processes, terminate specific ones, upload files in chunks, and run various payloads. The malware makes Windows Registry modifications such that it's automatically loaded after system startup and features anti-debugging and anti-sandbox techniques to hinder analysis. The group uses predefined paths to guide their searches and focus on stealing emails, VPN configurations, and other information that helps them maintain control, as well as hunting for confidential files stored in shared folders. Furthermore, the Iran-linked cyber-espionage group Nimbus Manticore, also known as UNC1549 and Smoke Sandstorm, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from Chrome and Edge browsers. MiniJunk is an advanced version of the Minibike backdoor, featuring improved obfuscation techniques, code signing, and multiple C2 servers to evade detection. The malware employs multi-stage sideloading to install and establish persistence on victim systems, leveraging fake job-related login pages and tailored spear-phishing emails. Nimbus Manticore has been active since at least 2022, targeting aerospace and defense sectors in Israel and the Middle East, and is associated with the Iranian Revolutionary Guard Corps (IRGC). There is currently no indication of a coordinated campaign specifically targeting U.S. critical infrastructure, but U.S. agencies are urging vigilance and proactive defense measures.

Timeline

  1. 23.09.2025 00:00 1 articles · 6d ago

    Nimbus Manticore Expands Operations to Western Europe

    The Iran-linked cyber-espionage group Nimbus Manticore, also known as UNC1549 and Smoke Sandstorm, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from Chrome and Edge browsers. MiniJunk is an advanced version of the Minibike backdoor, featuring improved obfuscation techniques, code signing, and multiple C2 servers to evade detection. The malware employs multi-stage sideloading to install and establish persistence on victim systems, leveraging fake job-related login pages and tailored spear-phishing emails. The group's operations are associated with the Iranian Revolutionary Guard Corps (IRGC) and have been active since at least 2022, focusing on the aerospace and defense sectors in Israel and the Middle East.

    Show sources
    Open in new tab
  2. 19.09.2025 16:59 3 articles · 10d ago

    Subtle Snail Targets Global Telecommunications and Aerospace Companies

    The Iran-nexus cyber espionage group UNC1549, also known as Subtle Snail, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from Chrome and Edge browsers. MiniJunk is an advanced version of the Minibike backdoor, featuring improved obfuscation techniques, code signing, and multiple C2 servers to evade detection. The malware employs multi-stage sideloading to install and establish persistence on victim systems, leveraging fake job-related login pages and tailored spear-phishing emails. The group's operations are associated with the Iranian Revolutionary Guard Corps (IRGC) and have been active since at least 2022, focusing on the aerospace and defense sectors in Israel and the Middle East.

    Show sources
    Open in new tab
  3. 03.09.2025 13:30 2 articles · 26d ago

    Iranian Cyber Threat Actors Conduct Global Phishing Campaign

    The first email in this campaign was sent on August 19, 2025, from a legitimate address belonging to the Oman Ministry of Foreign Affairs in Paris, directed back at the organization. The emails were forwarded through a NordVPN exit node in Jordan to mask their origin. The emails included a blurred Word document attachment requiring users to enable macros to view it clearly. The document concealed malicious Visual Basic for Applications (VBA) macros, which, when enabled, executed a payload that gathered basic system information. The campaign targeted around four dozen embassies, consulates, and government ministries from nearly every corner of the earth. The attackers also targeted at least 10 other notable international organizations, including the United Nations, its Office on Drugs and Crime (UNODC), and its Children's Fund (UNICEF); the African Union; and humanitarian organizations like the Order of Malta. The campaign is assessed to have likely concluded just days after it began, as the attackers' command-and-control (C2) infrastructure appears to be inactive.

    Show sources
    Open in new tab
  4. 30.06.2025 15:00 3 articles · 3mo ago

    U.S. Agencies Warn of Potential Iranian Cyber Activity Against Critical Infrastructure

    Iranian state-sponsored or affiliated cyber threat actors are targeting U.S. critical infrastructure. These actors exploit known vulnerabilities, compromise weak passwords, and collaborate with ransomware groups. A coordinated multi-wave spear-phishing campaign targeted embassies and consulates globally, using compromised email accounts to deploy malware. The campaign involved sending spear-phishing emails disguised as legitimate diplomatic communications to deploy malware via VBA macros. The phishing emails were sent from 104 unique compromised addresses, including a hacked mailbox from the Oman Ministry of Foreign Affairs. The targeted regions included the Middle East, Africa, Europe, Asia, and the Americas, with a focus on European embassies and African organizations. The activity was attributed to Iranian threat actors by Israeli cybersecurity company Dream and corroborated by ClearSky. The campaign is assessed to have likely concluded just days after it began, as the attackers' command-and-control (C2) infrastructure appears to be inactive.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

XCSSET macOS Malware Targets Xcode Developers with Enhanced Features

A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.

Open in new tab

ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection

A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.

Open in new tab

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.

Open in new tab

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

GeoServer RCE Exploit Used in Federal Agency Breach

A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. The attackers discovered the vulnerable GeoServer instances by conducting network scanning with Burp Suite. They exploited the vulnerability to gain access to a public-facing GeoServer instance and downloaded open-source scripts and tools for lateral movement. On July 24, 2024, the attackers exploited the same vulnerability to gain access to a second GeoServer instance and moved laterally to a Web server and SQL server, where they dropped web shells, including China Chopper. The attackers also used Stowaway for command-and-control (C2) traffic and attempted to exploit CVE-2016-5195 for privilege escalation. The agency's incident response plan was inadequate, and some public-facing resources lacked endpoint protection, allowing the breach to remain undetected for three weeks.

Open in new tab