CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Iranian Cyber Threat Actors Targeting U.S. Critical Infrastructure

First reported
Last updated
πŸ“° 3 unique sources, 4 articles

Summary

Hide β–²

Iranian state-sponsored or affiliated cyber threat actors, specifically the group tracked as Storm-2460 and Homeland Justice, are actively targeting U.S. critical infrastructure and diplomatic entities globally. These actors exploit known vulnerabilities in unpatched software, compromise accounts with weak passwords, and collaborate with ransomware affiliates to encrypt, steal, and leak sensitive information. The PipeMagic malware, used to deploy RansomExx ransomware, has been observed targeting various sectors, including IT, financial, and real estate in multiple regions. The PipeMagic malware is now part of the Play ransomware attack chain and mimics ChatGPT Desktop to disguise itself. While no coordinated campaign has been detected, vigilance is urged. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Defense Cyber Crime Center (DC3), and National Security Agency (NSA) are actively monitoring and coordinating with partners to share intelligence and provide resources. Organizations are advised to report any suspicious activity.

Timeline

  1. 03.09.2025 13:30 πŸ“° 1 articles Β· ⏱ 13d ago

    Iranian Homeland Justice Group Targets Global Embassies with Spear-Phishing Campaign

    An Iran-nexus group, linked to Homeland Justice, has conducted a coordinated and multi-wave spear-phishing campaign targeting embassies and consulates in Europe and other regions. The campaign uses spear-phishing emails with geopolitical themes to send a malicious Microsoft Word document, aiming to deploy malware and harvest system information. The emails were sent from 104 unique compromised addresses belonging to officials and pseudo-government entities. The activity is part of a broader regional espionage effort targeting diplomatic and governmental entities.

    Show sources
    Open in new tab
  2. 19.08.2025 20:16 πŸ“° 1 articles Β· ⏱ 28d ago

    Microsoft Recommends Mitigation Steps for PipeMagic Malware

    Microsoft recommends patching the CVE-2025-29824 vulnerability, enabling tamper protection and network protection in Microsoft Defender for Endpoint, running EDR in block mode, configuring investigation and remediation in full automated mode, and turning on cloud-delivered protection in antivirus products.

    Show sources
    Open in new tab
  3. 18.08.2025 19:03 πŸ“° 2 articles Β· ⏱ 29d ago

    Iranian Cyber Threat Actors Exploit Windows Vulnerability to Deploy PipeMagic RansomExx Malware

    The PipeMagic malware uses a modified version of the GitHub project to include malicious code. The malware communicates with its command-and-control (C2) server over TCP and self-updates by storing modules in memory using a series of doubly linked lists. The malware has an unknown linked list that is likely used dynamically by loaded payloads. The malware is used to escalate privileges before launching ransomware.

    Show sources
    Open in new tab
  4. 30.06.2025 15:00 πŸ“° 3 articles Β· ⏱ 2mo ago

    U.S. Agencies Warn of Potential Iranian Cyber Activity Against Critical Infrastructure

    The PipeMagic malware is now part of the Play ransomware attack chain and mimics ChatGPT Desktop to disguise itself. The malware has been observed targeting organizations in the US IT and real estate sectors, financial companies in Venezuela, retail companies in Saudi Arabia, and a Spanish software firm. The malware has also been observed targeting the Brazilian manufacturing sector, indicating sustained interest and expansion by the threat actors.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids

A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).

Open in new tab

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.

Open in new tab

Supply Chain Attack Targeting npm Registry Compromises 40 Packages

A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.

Open in new tab

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Open in new tab

MostereRAT Malware Campaign Targets Japanese Windows Users

A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.

Open in new tab