Iranian Homeland Justice Group Targets Global Embassies in Phishing Campaign
Summary
An Iranian-aligned group, Homeland Justice, has conducted a coordinated, multi-wave spear-phishing campaign targeting embassies and consulates in Europe and other regions. The campaign involves sending spear-phishing emails disguised as legitimate diplomatic communications to deploy malware. The phishing emails exploit geopolitical tensions and use compromised email accounts to send malicious Microsoft Word documents. The malware establishes persistence, contacts a command-and-control server, and harvests system information. The campaign is part of a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension. The campaign began on August 19, 2025, and targeted around four dozen embassies, consulates, and government ministries globally, as well as various international organizations. The campaign is assessed to have concluded shortly after it began, with the attackers' command-and-control infrastructure appearing inactive.
Timeline
- 04.09.2025 09:00, 1 article
Detailed Insights into the Homeland Justice Phishing Campaign
The campaign began on August 19, 2025, with the first email sent from a compromised account belonging to the Oman Ministry of Foreign Affairs in Paris. The phishing emails were sent through a NordVPN exit node in Jordan to mask their origin. The malicious payload was hidden in the victim's Documents folder with a ".log" extension and included a function called "laylay" to delay execution and evade detection. The final payload, "sysProcUpdate," gathered basic system information for potential follow-on activity. The campaign targeted around four dozen embassies, consulates, and government ministries globally, as well as various international organizations. The campaign is assessed to have concluded shortly after it began, with the attackers' command-and-control infrastructure appearing inactive.
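One defender-side check that follows from the detail above (a payload parked in the Documents folder under a ".log" extension): a small hunt that walks a folder and flags .log files that are really executables, binary blobs, or carry the strings the reporting names. This is an added example, not code from the page's sources; the function names, the 10% non-printable threshold and the marker list are my own choices, and the markers are a weak hint at best since attackers rename them freely.

```python
from __future__ import annotations
import os
import string

# Byte values we accept as ordinary log text (ASCII printable plus whitespace).
_TEXT_BYTES = set(bytes(string.printable, "ascii"))

# Strings the reporting above associates with this campaign's payload.
# Assumed indicator list; trivially changed by an attacker, so a hint only.
MARKERS = (b"laylay", b"sysProcUpdate")

def classify(data: bytes) -> str:
    """Return 'pe', 'binary', 'marked' or 'text' for the leading bytes of a file."""
    if data[:2] == b"MZ":                      # DOS/PE header: an executable, not a log
        return "pe"
    sample = data[:4096]
    if sample:
        non_text = sum(1 for b in sample if b not in _TEXT_BYTES)
        if non_text / len(sample) > 0.10:      # more than 10% non-printable bytes
            return "binary"
    if any(m in data for m in MARKERS):        # text that mentions the named payload strings
        return "marked"
    return "text"

def find_suspicious_logs(root: str) -> list[tuple[str, str]]:
    """Walk `root` and return (path, verdict) for every .log file that is not plain text."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".log"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)    # first 1 MiB is enough for all three checks
            except OSError:
                continue                       # unreadable file: skip rather than abort the hunt
            verdict = classify(data)
            if verdict != "text":
                hits.append((path, verdict))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Documents")
    for path, verdict in find_suspicious_logs(target):
        print(f"{verdict:7} {path}")
```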
Sources:
- Iran MOIS Phishes 50+ Embassies, Ministries, Int'l Orgs (www.darkreading.com, 04.09.2025 09:00)
- 03.09.2025 13:30, 1 article
Homeland Justice Group Targets Global Embassies in Phishing Campaign
An Iranian-aligned group, Homeland Justice, has conducted a coordinated, multi-wave spear-phishing campaign targeting embassies and consulates in Europe and other regions. The campaign involves sending spear-phishing emails disguised as legitimate diplomatic communications to deploy malware. The phishing emails exploit geopolitical tensions and use compromised email accounts to send malicious Microsoft Word documents. The malware establishes persistence, contacts a command-and-control server, and harvests system information. The campaign is part of a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension.
Sources:
- Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats (thehackernews.com, 03.09.2025 13:30)
Information Snippets
- The campaign involves spear-phishing emails with themes related to geopolitical tensions between Iran and Israel.
  First reported: 03.09.2025 13:30 (2 sources, 2 articles). Sources:
  - Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats (thehackernews.com, 03.09.2025 13:30)
  - Iran MOIS Phishes 50+ Embassies, Ministries, Int'l Orgs (www.darkreading.com, 04.09.2025 09:00)
- The emails contain malicious Microsoft Word documents that exploit macros to deploy malware.
  First reported: 03.09.2025 13:30 (2 sources, 2 articles). Sources:
  - Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats (thehackernews.com, 03.09.2025 13:30)
  - Iran MOIS Phishes 50+ Embassies, Ministries, Int'l Orgs (www.darkreading.com, 04.09.2025 09:00)
- The malware establishes persistence, contacts a command-and-control server, and harvests system information.
  First reported: 03.09.2025 13:30 (2 sources, 2 articles). Sources:
  - Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats (thehackernews.com, 03.09.2025 13:30)
  - Iran MOIS Phishes 50+ Embassies, Ministries, Int'l Orgs (www.darkreading.com, 04.09.2025 09:00)
- The campaign targeted embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas.
  First reported: 03.09.2025 13:30 (2 sources, 2 articles). Sources:
  - Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats (thehackernews.com, 03.09.2025 13:30)
  - Iran MOIS Phishes 50+ Embassies, Ministries, Int'l Orgs (www.darkreading.com, 04.09.2025 09:00)
- At least some of the emails originated from a hacked mailbox belonging to the Oman Ministry of Foreign Affairs in Paris.
  First reported: 03.09.2025 13:30 (2 sources, 2 articles). Sources:
  - Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats (thehackernews.com, 03.09.2025 13:30)
  - Iran MOIS Phishes 50+ Embassies, Ministries, Int'l Orgs (www.darkreading.com, 04.09.2025 09:00)
- The campaign involved 104 unique compromised addresses belonging to officials and pseudo-government entities.
  First reported: 03.09.2025 13:30 (2 sources, 2 articles). Sources:
  - Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats (thehackernews.com, 03.09.2025 13:30)
  - Iran MOIS Phishes 50+ Embassies, Ministries, Int'l Orgs (www.darkreading.com, 04.09.2025 09:00)
Similar Happenings
APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign
The House Select Committee on China has issued a warning about ongoing cyber espionage campaigns by China-linked APT41 targeting U.S. trade officials and related organizations. The attacks involve phishing emails impersonating U.S. officials to steal sensitive information. The campaign coincides with contentious U.S.-China trade negotiations. The threat actors exploit software and cloud services to cover their tracks. The attacks aim to steal valuable data and gain unauthorized access to systems. The committee has noted similar tactics used in previous campaigns, including a January 2025 spear-phishing attempt targeting committee staffers. The FBI is investigating the ongoing cyber espionage campaign. APT41 has been known to conduct financially motivated activities in addition to state-sponsored espionage. The group has targeted various sectors, including logistics, utilities, healthcare, high-tech, and telecommunications. The committee recommends user awareness phishing training, mandatory multifactor authentication, FIDO keys, and appropriate email gateway and endpoint security tools to mitigate such attacks.
Kazakhstan's KazMunayGas Phishing Test Mistaken for Noisy Bear Campaign
Kazakhstan's state-owned oil and gas company KazMunayGas conducted a phishing test in May 2025 that was initially misinterpreted as a cyber espionage campaign by a new threat group named Noisy Bear. The test emails, sent from a compromised internal address belonging to a KazMunayGas finance department employee, were designed to mimic official internal communications and impersonated mundane company business such as reviewing work schedules, incentive systems, wages, policy updates, internal certification procedures, and salary adjustments. Each carried a ZIP attachment containing a decoy document, a README.txt file with instructions, and a Windows shortcut (LNK) downloader named "Salary Schedule.lnk." The phishing test was conducted to train employees to identify and respond to phishing attempts. However, Seqrite Labs reported the activity as a cyber espionage campaign and attributed it to a new threat group tracked as Noisy Bear, believed to be of Russian origin and active since at least April 2025. The misinterpretation led to speculation about a new threat group using sophisticated malware, including a PowerShell loader dubbed DOWNSHELL and a DLL-based implant. The LNK file downloaded a batch script that retrieved the PowerShell loader, DownShell, which consists of two scripts: one for anti-analysis by undermining the Windows Antimalware Scan Interface (AMSI), and another that uses CreateRemoteThread injection to establish a reverse shell.
Noisy Bear used a sanctioned Russian bulletproof hosting provider, Aeza Group, to maintain its infrastructure. The threat activity carries geopolitical implications, targeting Kazakhstan's largest oil and gas company, which is state-owned and a significant economic entity. Seqrite Labs found infrastructure and tooling overlaps across other Central Asian attacks, indicating a broader campaign. The incident highlights the importance of clear communication and coordination between cybersecurity researchers and organizations to avoid misinterpretations and ensure accurate reporting of cyber threats.
SVG Files Used to Deploy Phishing Pages in Colombian Judicial System Impersonation Campaign
A malware campaign leveraging SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system has been identified. The SVG files, distributed via email, execute JavaScript payloads to inject phishing pages and download ZIP archives. The campaign involves 523 unique SVG files that have evaded detection by antivirus engines. The earliest sample dates back to August 14, 2025. The campaign highlights the evolving tactics used by threat actors to bypass security measures and target macOS systems with information stealers like Atomic macOS Stealer (AMOS). This campaign also coincides with broader trends in cyber threats targeting macOS and gamers.
GhostRedirector Compromises 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module
GhostRedirector, a previously undocumented threat cluster, has compromised at least 65 Windows servers primarily in Brazil, Thailand, and Vietnam. The attacks, active since at least August 2024, deployed the Rungan backdoor and Gamshen IIS module. Rungan executes commands on compromised servers, while Gamshen manipulates search engine results for SEO fraud. The threat actor targets various sectors, including education, healthcare, technology, transportation, insurance, and retail, using SQL injection vulnerabilities for initial access. The group is assessed with medium confidence to be China-aligned. The operation involves using PowerShell to download malware tools and exploits like EfsPotato and BadPotato for privilege escalation.
APT28 deploys NotDoor backdoor via Microsoft Outlook
APT28, a Russian state-sponsored threat group, has been using a new backdoor malware called NotDoor to target Microsoft Outlook. The malware exploits Outlook as a covert communication, data exfiltration, and malware delivery channel. NotDoor is a VBA macro that monitors incoming emails for specific trigger words. When triggered, it allows attackers to exfiltrate data, upload files, and execute commands on the victim's computer. The malware is delivered via a legitimate signed binary, Microsoft's OneDrive.exe, vulnerable to DLL sideloading. The backdoor was identified by researchers from Lab52, the threat intelligence arm of Spanish cybersecurity firm S2 Grupo. The malware has been deployed against companies in NATO member countries, using advanced techniques to evade detection and maintain persistence. NotDoor supports multiple commands for data exfiltration and file uploads, and uses Base64-encoded PowerShell commands for various operations. The malware creates a staging folder in the %TEMP% directory to store and exfiltrate files, encoding them with custom encryption before sending via email. APT28's attacks involve the abuse of Microsoft Dev Tunnels for C2 infrastructure, providing stealth and rapid infrastructure rotation. The attack chain includes the use of bogus Cloudflare Workers domains to distribute additional payloads, demonstrating a high level of specialized design and obfuscation.