Iran-Nexus Hackers Abuse Omani Mailbox to Target Global Governments

A sophisticated spear-phishing campaign orchestrated by Iranian-aligned operators has been identified targeting diplomatic missions worldwide through a compromised Ministry of Foreign Affairs of Oman mailbox.

The attack, discovered in August 2025, represents a continuation of tactics associated with the Homeland Justice group connected to Iran’s Ministry of Intelligence and Security (MOIS).

The campaign leveraged social engineering techniques to distribute malicious Microsoft Word documents masquerading as urgent diplomatic communications.

Attackers sent emails from a compromised @fm.gov.om address, routing traffic through a NordVPN exit node in Jordan (212.32.83.11) to obscure their true origin.

Recipients across 270 email addresses spanning embassies, consulates, and international organizations in multiple regions received documents with subjects referencing “The Future of the region after the Iran-Israel war and the role of Arab countries in the Middle East”.

The Iran-Nexus spear-phishing campaign attack path (Source – Dreamgroup)

Dreamgroup analysts identified that the campaign extended far beyond initial assessments, with 104 unique compromised addresses utilized to mask the operation’s true scope.

The malware embedded within attached Word documents employed sophisticated encoding techniques, converting numerical sequences into ASCII characters through VBA macro code execution.

Attack Mechanism

The technical sophistication of the attack becomes apparent when examining its execution mechanism.

The malicious documents contained VBA macros hidden within the “ThisDocument” and “UserForm1” modules, implementing a multi-stage payload delivery system.

Campaign VBA macro execution chain (Source – Dreamgroup)

The primary decoder function, designated “dddd,” systematically processes encoded strings by reading three-digit segments and converting them to ASCII characters using the expression `Chr(Val(Mid(str, counter, 3)))`.
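The decoder loop described above can be re-implemented outside Word so that an analyst recovers the embedded payload from the macro source (for example as dumped by olevba) without ever executing the document. This is an added example, not Dreamgroup's code or the macro itself; the macro fragment and its encoded string are constructed for illustration.

```python
import re

# Static re-implementation of the macro's Chr(Val(Mid(str, counter, 3))) loop.
# Added example: not the campaign's code, not Dreamgroup's tooling.

def vba_val(text: str) -> int:
    """Mimic VBA Val(): parse the leading integer after optional whitespace;
    anything that does not start with a number yields 0."""
    m = re.match(r"\s*([+-]?\d+)", text)
    return int(m.group(1)) if m else 0

def decode_three_digit(encoded: str, width: int = 3) -> str:
    """Walk the string in fixed-width segments and turn each into a character.
    Mid() past the end of a string returns whatever is left, so a trailing
    1- or 2-digit fragment is converted like any other segment, as the macro
    would do; this function mirrors that rather than rejecting it."""
    return "".join(chr(vba_val(encoded[i:i + width]))
                   for i in range(0, len(encoded), width))

# A digit run this long is far more likely an encoded payload than a number.
CANDIDATE_RE = re.compile(r"\d{30,}")

def extract_candidates(vba_source: str, width: int = 3) -> list:
    """Find long digit literals in macro source text and decode each one.
    Runs whose length is not a multiple of `width` are decoded anyway,
    because the VBA loop performs no such check."""
    return [decode_three_digit(run, width) for run in CANDIDATE_RE.findall(vba_source)]

# Constructed macro fragment (hypothetical); the literal encodes "ManagerProc.log".
SAMPLE_VBA = '''
Private Sub Document_Open()
    Dim p As String
    p = dddd("077097110097103101114080114111099046108111103")
    ' ... payload written under p, later launched with Shell ..., vbHide
End Sub
'''

if __name__ == "__main__":
    for decoded in extract_candidates(SAMPLE_VBA):
        print(repr(decoded))
```

Pointing `extract_candidates` at a full olevba dump surfaces every long numeric literal at once, which is usually enough to recover file names, paths and C2 strings from this encoding scheme.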

A particularly noteworthy evasion technique involves the “laylay” function, which creates artificial delays through four nested loops executing 105 iterations each.

This anti-analysis routine significantly hampers dynamic analysis tools and automated sandbox detection systems.

The malware writes its payload to C:\Users\Public\Documents\ManagerProc[.]log, disguising the executable as a harmless log file before launching it via the Shell command with the vbHide parameter.

Upon successful deployment, the sysProcUpdate executable establishes persistence by copying itself to C:\ProgramData\sysProcUpdate[.]exe and modifying Windows registry DNS parameters.

The malware collects system metadata including username, computer name, and administrative privileges, transmitting this information via encrypted HTTPS POST requests to the command-and-control server at screenai.online/Home/.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.