A sophisticated spear-phishing campaign exploited a compromised mailbox belonging to the Ministry of Foreign Affairs of Oman.
The operation, attributed to an Iranian-aligned group known as Homeland Justice and linked to Iran’s Ministry of Intelligence and Security (MOIS), masqueraded as legitimate multi-factor authentication (MFA) communications to infiltrate governments and diplomatic missions around the world.
The campaign leveraged the hijacked Omani MFA mailbox to send malicious Microsoft Word attachments disguised as official registration forms.
The dropper wrote the reconstructed executable to a file named ManagerProc.log in the public documents folder, executed it invisibly via Windows Shell, and established beaconing to a command-and-control (C2) domain, screenai.online.
Forensic analysis linked the campaign’s tactics, techniques, and procedures (TTPs) to earlier operations conducted by Homeland Justice, suggesting a coordinated regional espionage effort targeting diplomatic and governmental entities amid heightened Middle East tensions.
Data from 270 spear-phishing emails revealed that attackers employed 104 unique compromised addresses to camouflage the origin of their messages.
This breadth demonstrates a multi-wave operation reaching embassies, consulates, and international organizations during sensitive ceasefire negotiations between certain nations and Hamas.
The lure emails consistently invoked urgent MFA updates, conveyed high-level authority, and exploited users’ familiarity with enabling macros—hallmarks of a well-orchestrated espionage drive.
Each document contained encoded numerical strings embedded within a VBA macro. When a recipient opened the document and clicked “Enable Content”, the macro decoded the numbers—reading three digits at a time and converting each group into an ASCII character—to reconstruct the malware payload.

The initial phase targeted the Omani Embassy in Paris. Attackers crafted emails referencing regional security topics—such as “The Future of the region after the Iran-Israel war and the role of Arab countries in the Middle East”—and instructed recipients to enable embedded macros. A NordVPN exit node in Jordan (IP 212.32.83.11) masked the emails’ true origin.
Technical Analysis
- Payload Decoder (dddd): Reads three-digit sequences from a hidden form control and converts them to binary executable content.
- Anti-Analysis Delay (laylay): Four nested loops each iterating 105 times to thwart sandbox analysis.
- Execution Wrapper (RRRR): Invokes laylay twice, then runs the dropped payload with vbHide, suppressing errors.
An AutoOpen macro orchestrated the dropper: decoding the payload, writing it as ManagerProc.log, and executing it invisibly.
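The decoder and delay-loop behaviour described above can be checked for during document triage. The following Python script is an added example, not code from the article or from the malware itself: it scans dumped VBA source for quoted digit runs, rebuilds them three digits per byte exactly as the page describes, reports whether the result starts with a PE "MZ" header, and measures how deeply For/Next loops are nested as a signal for the laylay-style sandbox delay. SAMPLE_VBA is a constructed stand-in for macro source an analyst would extract from a suspicious file; the procedure names mirror those in the article, but the loop and form-control layout are assumptions.

```python
"""
Analyst triage helper for the dropper technique the article describes: a VBA
macro that stores an executable as a run of decimal digits and rebuilds it
three digits per byte. Added example; SAMPLE_VBA is constructed, not real
malware source.
"""
import re

# Constructed sample. The quoted digit run decodes to the first bytes of a
# PE header ("MZ", 0x90, ...); the loop structure mirrors the page's laylay.
SAMPLE_VBA = '''
Sub AutoOpen()
    RRRR
End Sub

Sub laylay()
    For a = 1 To 105: For b = 1 To 105: For c = 1 To 105: For d = 1 To 105
    Next d: Next c: Next b: Next a
End Sub

Private Sub UserForm_Initialize()
    TextBox1.Text = "077090144000003000000000004000000"
End Sub
'''

# A quoted run of at least 30 digits; real payloads are far longer, so the
# threshold only filters out ordinary numeric literals.
DIGIT_RUN = re.compile(r'"(\d{30,})"')


def decode_triplets(digits: str) -> bytes:
    """Rebuild bytes from a digit string, three decimal digits per byte.

    Raises ValueError if the run is not a whole number of triplets or a
    triplet exceeds 255, which means the run is not this encoding.
    """
    if len(digits) % 3:
        raise ValueError("digit run length is not a multiple of 3")
    out = bytearray()
    for i in range(0, len(digits), 3):
        value = int(digits[i:i + 3])
        if value > 255:
            raise ValueError(f"triplet {digits[i:i + 3]} exceeds a byte")
        out.append(value)
    return bytes(out)


def find_encoded_payloads(vba_source: str) -> list[dict]:
    """Locate quoted digit runs that decode cleanly and report what they look like."""
    findings = []
    for match in DIGIT_RUN.finditer(vba_source):
        try:
            blob = decode_triplets(match.group(1))
        except ValueError:
            continue  # not three-digit-per-byte encoding; ignore this run
        findings.append({
            "offset": match.start(1),
            "length": len(blob),
            "looks_like_pe": blob[:2] == b"MZ",   # DOS header magic
            "head": blob[:8],
        })
    return findings


def max_for_nesting(vba_source: str) -> int:
    """Deepest For/Next nesting in the source; stacked empty loops are a delay signal."""
    depth = deepest = 0
    for token in re.finditer(r"\b(For|Next)\b", vba_source, re.IGNORECASE):
        if token.group(1).lower() == "for":
            depth += 1
            deepest = max(deepest, depth)
        else:
            depth = max(0, depth - 1)
    return deepest


if __name__ == "__main__":
    for hit in find_encoded_payloads(SAMPLE_VBA):
        print(f"digit run at {hit['offset']}: {hit['length']} bytes, "
              f"PE={hit['looks_like_pe']}, head={hit['head']!r}")
    print("deepest For nesting:", max_for_nesting(SAMPLE_VBA))
```

In practice the VBA text would come from an OLE/VBA extraction tool rather than a literal; the two signals together (a long digit run that decodes to an MZ header, plus deeply nested loops with empty bodies) are what distinguish this dropper pattern from a benign macro carrying a numeric table.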
Upon execution, the malware—dubbed sysProcUpdate—collected host metadata (user name, computer name, privilege level), encrypted it, and posted it via HTTPS to the C2 server. Although sandbox tests failed to reach the server (GetLastError 0x2ee7), real-world victims likely transmitted sensitive footprint data.
Regional Targeting
- Africa: Twelve countries, 30 unique emails (15 primary, 17 secondary).
- Europe: Ten countries, 73 unique emails (39 primary, 57 secondary).
- Asia: Seven countries, 25 unique emails (14 primary, 12 secondary).
- Americas: Eleven countries, 35 unique emails (1 primary, 21 secondary).
- International Organizations: Ten bodies, 12 unique emails (6 primary, 6 secondary).
- Generic Domains: 103 unique emails across non-attributable domains (47 primary, 76 secondary).
The campaign’s use of an official government mailbox lent credibility, while VPN routing obscured attribution. The sysProcUpdate payload focused on reconnaissance, yet registry modifications and persistence across reboots indicate preparations for deeper network penetration. The uniform payload and regional lure themes underscore a high-stakes espionage undertaking.
Recommendations
- Block all identified IOCs, including ManagerProc.log, sysProcUpdate binaries, and screenai.online domains.
- Monitor outbound HTTPS POSTs to suspicious Home endpoints.
- Audit DNS and TCP/IP registry settings for unauthorized changes.
- Disable Office macros by default and enforce strict whitelist policies.
- Analyze VPN logs for traffic anomalies linked to Jordan-based exit nodes.
- Implement network segmentation and limit egress to approved domains.
By adopting these measures, governments and diplomatic missions can better detect and mitigate spear-phishing threats orchestrated by state-sponsored actors.
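The first three recommendations (block the named IOCs, watch outbound HTTPS POSTs, look for the dropped file) can be turned into simple detection logic over existing telemetry. The Python below is an added example, not the article's or any vendor's code: it runs over constructed proxy-log and file-creation-event lines, flags any contact with the screenai.online C2 domain, and flags a write of ManagerProc.log, noting when the writing process is an Office application as the article's macro-based dropper would be. The log field layout, the Public Documents path and the "/Home" request path are assumptions made for the sample data.

```python
"""
Detection logic for two indicators the article gives: beaconing to the
screenai.online C2 domain and creation of the dropped file ManagerProc.log.
Added example; log lines and field layout are constructed.
"""
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

IOC_DOMAINS = {"screenai.online"}        # C2 domain named in the report
IOC_FILENAMES = {"managerproc.log"}      # dropped payload name, matched case-insensitively
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed proxy log: timestamp, client IP, method, target, status, bytes.
SAMPLE_PROXY_LOG = """\
2025-07-01T09:14:02Z 10.20.5.17 CONNECT screenai.online:443 200 512
2025-07-01T09:14:03Z 10.20.5.17 POST https://screenai.online/Home 200 1894
2025-07-01T09:15:40Z 10.20.5.22 GET https://update.example.net/catalog 200 20411
2025-07-01T09:16:01Z 10.20.5.17 POST https://cdn.example.org/api 200 732
"""

# Constructed file-creation events: timestamp, host, writing process, path.
# The Public Documents location is an assumption based on the article.
SAMPLE_FILE_EVENTS = """\
2025-07-01T09:13:58Z host17 WINWORD.EXE C:\\Users\\Public\\Documents\\ManagerProc.log
2025-07-01T09:20:11Z host22 OUTLOOK.EXE C:\\Users\\alice\\AppData\\Local\\Temp\\draft.tmp
"""


def host_of(target: str) -> str:
    """Extract the destination host from a URL or a CONNECT host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def scan_proxy_log(text: str) -> list[dict]:
    """Flag every request (CONNECT, POST, ...) whose destination is a known C2 domain."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                      # malformed line; skip rather than crash
        ts, client, method, target, _status, size = fields
        host = host_of(target)
        if host in IOC_DOMAINS:
            alerts.append({"time": ts, "source": client, "kind": "c2_contact",
                           "detail": f"{method} to {host} ({size} bytes)"})
    return alerts


def scan_file_events(text: str) -> list[dict]:
    """Flag creation of the dropped file name, noting whether an Office process wrote it."""
    alerts = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue
        ts, host, proc, path = fields
        if PureWindowsPath(path).name.lower() in IOC_FILENAMES:
            alerts.append({"time": ts, "source": host, "kind": "ioc_file_write",
                           "office_writer": proc.lower() in OFFICE_PROCESSES,
                           "detail": f"{proc} wrote {path}"})
    return alerts


def scan_logs(proxy_text: str, file_text: str) -> list[dict]:
    """Run both scanners and return alerts in time order."""
    return sorted(scan_proxy_log(proxy_text) + scan_file_events(file_text),
                  key=lambda alert: alert["time"])


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_PROXY_LOG, SAMPLE_FILE_EVENTS):
        print(alert["time"], alert["source"], alert["kind"], alert["detail"])
```

Ordering the alerts by time makes the sequence the article describes visible in one view: the Office process writes the .log-named executable, then the same workstation opens a TLS tunnel to the C2 domain and POSTs the collected host data. A POST to a non-listed domain is left alone here; the domain match is the indicator the report supports, and broader heuristics on POST volume would need baselining against the organisation's own traffic.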