Malicious Campaign Targeting Diplomatic Assets

Sept. 3, 2025, 8:14 p.m.

Description

An Iranian-aligned spear-phishing campaign masquerading as Omani Ministry of Foreign Affairs communications targeted global government entities. The operation used compromised mailboxes to distribute malicious Word documents containing VBA macros. When executed, these macros decoded and deployed a payload named sysProcUpdate, which gathered system metadata and attempted to beacon to a command and control server. The campaign showed sophisticated techniques including anti-analysis measures, persistence mechanisms, and regional targeting across multiple countries. Evidence suggests this was part of a broader espionage effort by the Homeland Justice group associated with Iran's Ministry of Intelligence and Security, coinciding with heightened geopolitical tensions.

Date

  • Created: Sept. 3, 2025, 5:31 p.m.
  • Published: Sept. 3, 2025, 5:31 p.m.
  • Modified: Sept. 3, 2025, 8:14 p.m.

Indicators

  • screenai.online

Additional Information

  • Government
  • Malawi
  • Rwanda
  • Ethiopia
  • Mongolia
  • Nigeria
  • Hungary
  • Sweden
  • Austria
  • Qatar
  • Egypt
  • Colombia
  • Bangladesh
  • Jordan
  • United Arab Emirates
  • Netherlands
  • Argentina
  • Spain
  • Italy
  • Thailand
  • Peru
  • Canada
  • Japan
  • France
  • Germany
  • Romania
  • Oman
  • Bahrain
  • Israel
  • Brazil