Iran-nexus Homeland Justice multi-wave diplomatic spear-phishing campaign
Campaign
Summary
A coordinated, multi-wave spear-phishing campaign tied to an Iran-nexus group was expanded to target embassies, consulates, and international organizations across multiple regions, raising the espionage risk for diplomatic and government email recipients. The operation used geopolitical lures and malicious Microsoft Word files to push victims to click Enable Content and run a VBA macro. The email infrastructure relied on 104 compromised addresses, including a mailbox belonging to the Oman Ministry of Foreign Affairs in Paris.
Related Happenings
TA416 European government espionage campaign
Campaign
First: 01.04.2026 15:05
Last: 01.04.2026 15:05
Sources 1
About this happening:
TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
Latest development: 03.04.2026 20:34
TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.
Iranian MOIS Telegram malware campaign targeting opposition groups
Campaign
First: 23.03.2026 11:45
Last: 23.03.2026 11:45
Sources 1
About this happening:
The **FBI** warned that **Iranian MOIS-linked hackers** are using **Telegram C2** and **social engineering** to deliver **Windows malware** against journalists, dissidents, and ot...
UnsolicitedBooker Central Asian telecom phishing campaign
Campaign
First: 24.02.2026 11:54
Last: 24.02.2026 11:54
Sources 1
About this happening:
The **UnsolicitedBooker** cluster shifted its phishing operation to **telecommunications companies in Kyrgyzstan and Tajikistan**, extending a multi-month campaign that matters be...
Tomiris 2025 government-targeting campaign
Campaign
First: 01.12.2025 07:07
Last: 01.12.2025 07:07
Sources 1
About this happening:
The **Tomiris 2025 campaign** is using **phishing** and **public-service C2** to target **foreign ministries**, **intergovernmental organizations**, and **government entities**, i...
UNK_SmudgedSerpent overlaps with TA453 TA455 and TA450 campaign expands across multiple victims
Campaign
First: 05.11.2025 18:00
Last: 05.11.2025 18:00
Sources 1
About this happening:
**UNK_SmudgedSerpent** is a **previously unknown** campaign that targeted **academics** and **foreign policy experts** focused on **Iran** and related policy issues between **June...
Timeline
- 03.09.2025 13:30 (2 articles)
Iran-nexus group targets diplomatic missions with multi-wave spear-phishing campaign
Initial Disclosure: An Iran-nexus group linked to Homeland Justice conducted a coordinated, multi-wave spear-phishing campaign against embassies, consulates, and international organizations across Europe, the Middle East, Africa, Asia, and the Americas. The messages used geopolitical tension themes, malicious Microsoft Word attachments, and embedded VBA macros that urged recipients to enable content so malware could establish persistence, contact C2, and harvest system information. Dream attributed the activity to Iranian-aligned operators, while ClearSky said the emails reached multiple ministries of foreign affairs and included at least one compromised mailbox from the Oman Ministry of Foreign Affairs in Paris.
- Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats — thehackernews.com — 03.09.2025 13:30
- Iran MOIS Phishes 50+ Embassies, Ministries, Int'l Orgs — www.darkreading.com — 04.09.2025 09:00