APT35 Hackers Attacking Government, Military Organizations to Steal Login Credentials


In recent months, a surge in targeted intrusions attributed to the Iranian-aligned threat group APT35 has set off alarm bells across government and military networks worldwide.

First detected in early 2025, the campaign leverages custom-built malware to infiltrate secure perimeters and harvest user credentials.

Initial indicators of compromise point to spear-phishing emails with HTML attachments that deploy a multi-stage payload once opened, silently establishing a foothold in the target environment.

Analysis of the attack chain reveals that the initial vector often involves weaponized Microsoft Office documents exploiting CVE-2023-23397 to bypass Outlook’s security model.

The embedded code downloads a PowerShell stager, which then fetches the primary credential-stealer module from a remote command-and-control (C2) server.

Stormshield researchers identified this behavior during a compromise of a defense ministry network in April, noting the seamless transition from document exploit to stealthy reconnaissance and credential exfiltration.


Once deployed, the malware masquerades as legitimate system processes to evade detection. It hooks into the Windows Security Support Provider Interface (SSPI) to intercept NTLM challenge-response exchanges, capturing hashed credentials in memory.

These hashes are then relayed to the attacker’s infrastructure, where a combination of hash-cracking and pass-the-hash techniques unlock privileged accounts on high-value servers.

The impact has been significant: multiple accounts within military communications networks were compromised without triggering conventional intrusion detection systems.

In one documented case, the stager code resembles the following snippet, illustrating how the malware invokes SSPI hooks in PowerShell:

$sspi = Add-Type -MemberDefinition @"
    [DllImport("secur32.dll", CharSet=CharSet.Auto)]
    public static extern int LsaLogonUser(
        IntPtr LsaHandle, string OriginName, uint LogonType,
        uint LogonPackage, IntPtr AuthenticationInfo,
        uint AuthenticationInfoLength, IntPtr LocalGroups,
        IntPtr SourceContext, out IntPtr ProfileBuffer,
        out uint ProfileBufferLength, out uint LogonId,
        out IntPtr Token, out uint Quotas, out uint SubStatus);
"@ -Name "Lsa" -Namespace "WinAPI" -PassThru

Infection Mechanism

The infection mechanism hinges on a two-stage downloader that first discerns the victim’s environment.

Upon successful document exploit, the initial stager performs environment checks—querying registry keys for security tools and scanning loaded kernel modules.

If a recognized analysis sandbox is detected, execution halts to thwart reverse-engineering efforts. Otherwise, the stager decodes a base64-encoded second-stage payload, writing it to %AppData%\Roaming\msnetcache.dll before loading it via rundll32.exe.

Screenshot from viliam.ude-final[.]online (Source – Stormshield)

This DLL implements the SSPI hook logic, intercepts credentials, and then performs HTTP GET requests to the C2 domain over port 443, blending traffic with legitimate HTTPS sessions.
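The behaviours described above (a PowerShell stager declaring P/Invoke into secur32.dll, a second-stage DLL dropped under AppData, and rundll32.exe loading it) leave traces in ordinary Windows telemetry. The following triage script is an added example written for this page; it is not code from the article, from Stormshield, or from the campaign. It assumes events have already been parsed into dictionaries with the field names used below (modelled on PowerShell script block logging, event 4104, and Sysmon process-create and file-create events, 1 and 11); those field names, the user "alice", and the rundll32 export name "EntryPoint" are constructed for the example, while the file name msnetcache.dll comes from the article.

```python
"""Flag the host-side traces of the two-stage credential stealer described above.

Added example: event shapes and field names are assumptions for this script,
not a real log format; sample records are constructed, not captured.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str       # which heuristic fired
    event_id: int   # 4104 = PS script block, 1 = Sysmon process create, 11 = Sysmon file create
    detail: str     # matched script fragment, command line or file path


# Heuristic 1: a PowerShell script block that declares P/Invoke into secur32.dll
# together with an LSA/SSPI authentication call, as in the stager fragment quoted above.
SECUR32_PINVOKE = re.compile(r'DllImport\s*\(\s*"secur32\.dll"', re.IGNORECASE)
LSA_SSPI_CALL = re.compile(
    r"\b(LsaLogonUser|AcquireCredentialsHandle|InitializeSecurityContext)\b")

# Heuristic 2: rundll32.exe handed a DLL that lives in a user's AppData tree.
APPDATA_DLL = re.compile(r'\\AppData\\(Roaming|Local)\\[^"\s]+\.dll', re.IGNORECASE)


def _is_powershell(image: str) -> bool:
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def triage(events):
    """Return one Finding per event that matches a heuristic, in input order."""
    findings = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 4104:
            block = ev["script_block"]
            call = LSA_SSPI_CALL.search(block)
            if SECUR32_PINVOKE.search(block) and call:
                findings.append(Finding("secur32-pinvoke-in-powershell", eid, call.group(0)))
        elif eid == 1:
            cmd = ev["command_line"]
            if ev["image"].lower().endswith("\\rundll32.exe") and APPDATA_DLL.search(cmd):
                findings.append(Finding("rundll32-dll-from-appdata", eid, cmd))
        elif eid == 11:
            target = ev["target"]
            # Heuristic 3: PowerShell itself writing a DLL under AppData (the stage-two drop).
            if (_is_powershell(ev["image"]) and target.lower().endswith(".dll")
                    and "\\appdata\\" in target.lower()):
                findings.append(Finding("powershell-drops-dll-in-appdata", eid, target))
    return findings


# Constructed sample records: three that mirror the article's chain, two benign.
SAMPLE_EVENTS = [
    {"event_id": 4104, "script_block": '''$sspi = Add-Type -MemberDefinition @"
    [DllImport("secur32.dll", CharSet=CharSet.Auto)]
    public static extern int LsaLogonUser(
"@ -Name "Lsa" -Namespace "WinAPI" -PassThru'''},
    {"event_id": 11,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\msnetcache.dll"},
    {"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     # "EntryPoint" is a placeholder export name; the article does not give one.
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Roaming\msnetcache.dll,EntryPoint"},
    {"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"event_id": 4104, "script_block": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Each heuristic on its own is noisy (administrators do write P/Invoke, and some installers do run DLLs from AppData); the value is in correlating them on one host within a short window, which is what the three rule names are meant to support when fed into a SIEM.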

Overall, the campaign reflects APT35’s growing sophistication in embedding deep within trusted processes and leveraging native APIs to capture credentials without dropping overt artifacts.

Continued vigilance and advanced behavioral monitoring are crucial to detect such stealthy intrusions before critical access is compromised.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.