Iran-Nexus Hackers Impersonate Omani MFA to Target Government Entities


Cybersecurity researchers uncovered a sophisticated, Iran-linked spear-phishing operation that exploited a compromised Ministry of Foreign Affairs (MFA) mailbox in Oman to deliver malicious payloads to government entities worldwide.

Analysts attribute the operation to the “Homeland Justice” group, believed to be aligned with Iran’s Ministry of Intelligence and Security (MOIS).

Leveraging stolen diplomatic communications, encoded macros, and layered evasion techniques, the campaign underscores a renewed push for regional espionage amid heightened geopolitical tensions.

Diplomatic Lures with Malicious Macros

Attackers initiated the campaign by hijacking an official email account of the Omani MFA in Paris, sending messages that appeared to contain urgent multi-factor authentication (MFA) notices.

Recipients ranging from embassies and consulates to international organizations were urged to “Enable Content” to view purportedly legitimate Word documents.

Embedded within these attachments was a VBA macro dropper that reconstructed a binary payload from sequences of three-digit numbers stored in a hidden form control.

Upon document open, the macro executed a four-part chain:

  1. Delay and Anti-Analysis: A nested loop routine (laylay) triggered thousands of no-op iterations, stalling sandbox and dynamic analysis environments.
  2. Payload Decoding: The function (dddd) parsed triplets of digits in a user form’s TextBox control into ASCII characters, recreating the binary of the malware executable.
  3. Stealthy Drop and Execution: The decoded payload was written to C:\Users\Public\Documents\ManagerProc.log—a seemingly innocuous log file—and launched hidden via a Shell command with error suppression.
  4. Persistence and Cleanup: Further delays ensured the process completed quietly, and the macro’s simplistic error handlers concealed any failures.

This execution chain exemplifies classic macro-based delivery, yet the use of numeric encoding and deliberate delays elevated its stealth, allowing the attackers to bypass standard email security filters and sandbox inspections.
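As an added analyst example (not code from the original report and not the attackers' macro), the Python below reproduces the decoding step from a defender's side: given text pulled out of the document's form control with an OLE/VBA extraction tool, it rebuilds the bytes from three-digit decimal groups and checks whether the result is a Windows executable. The triplet string, the whitespace tolerance and the triage scoring are assumptions made here for illustration.

```python
import re

# Constructed sample (not from the report): the bytes of a PE "MZ" header,
# encoded as the three-digit decimal groups the macro keeps in its TextBox.
# Assumption: triplets are simply concatenated, possibly whitespace-separated.
SAMPLE_FORM_TEXT = "077090144000003000000000004000000255255"


def decode_triplets(text: str) -> bytes:
    """Rebuild raw bytes from a run of three-digit decimal groups (000-255)."""
    digits = re.sub(r"\s+", "", text)
    if not digits.isdigit() or len(digits) % 3 != 0:
        raise ValueError("input is not a clean sequence of digit triplets")
    values = [int(digits[i:i + 3]) for i in range(0, len(digits), 3)]
    if any(v > 255 for v in values):
        raise ValueError("triplet value out of byte range")
    return bytes(values)


def looks_like_pe(data: bytes) -> bool:
    """A decoded blob that starts with the DOS 'MZ' magic is a PE file."""
    return data[:2] == b"MZ"


def triage_form_text(text: str) -> dict:
    """Score extracted form-control text for triage: share of digit
    characters, decoded length, and whether the decoded blob is a PE."""
    stripped = re.sub(r"\s+", "", text)
    digit_ratio = sum(c.isdigit() for c in stripped) / max(len(stripped), 1)
    result = {"digit_ratio": round(digit_ratio, 3), "decoded_len": 0, "is_pe": False}
    try:
        blob = decode_triplets(text)
    except ValueError:
        return result  # not triplet-encoded; leave is_pe False
    result["decoded_len"] = len(blob)
    result["is_pe"] = looks_like_pe(blob)
    return result


if __name__ == "__main__":
    print(triage_form_text(SAMPLE_FORM_TEXT))
```

A high digit ratio in a form control combined with an MZ header after decoding is a strong signal to quarantine the document and submit the decoded blob for hashing and sandboxing.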

Global Regional Espionage

A forensic review identified 270 spear-phishing emails sent from 104 unique Omani MFA addresses, indicating the campaign’s expansive reach.

Infrastructure logs revealed the use of NordVPN exit nodes in Jordan to obscure the true origin of messages. Targets spanned six global regions:

  • Europe: Ten countries, 73 unique addresses.
  • Africa: Twelve countries, 30 addresses.
  • Asia: Seven countries, 25 addresses.
  • Middle East: Seven countries, 20 addresses.
  • Americas: Eleven countries, 35 addresses.
  • International Organizations: Ten bodies, 12 addresses.

Europe emerged as the primary focus, while African missions also faced heavy targeting. The inclusion of prominent multilateral organizations—UN, UNICEF, World Bank—highlighted the attackers’ interest in strategic diplomacy and humanitarian networks.

Moreover, timing coincided with delicate regional negotiations, suggesting that intelligence gathering aimed to influence or anticipate diplomatic outcomes.

Evasion, Reconnaissance, and Next-Stage Risks

The dropped executable, dubbed sysProcUpdate, demonstrated further sophistication. It employed anti-analysis methods—such as custom unhandled exception filters and section packing—to complicate reverse engineering.

Once active, the malware harvested host metadata (username, computer name, administrative status), encrypted the information, and sent it via HTTPS POST to a command-and-control server (https://screenai.online/Home/).

A beaconing loop ensured persistent connectivity attempts even when the server was unreachable.

To maintain a foothold, sysProcUpdate replicated itself to C:\ProgramData\sysProcUpdate.exe and altered Windows registry settings under DNS cache parameters, potentially enabling future lateral movement.

The attackers’ emphasis on reconnaissance suggests this initial wave aimed to map internal network topologies and identify high-value systems for subsequent exploitation.

Recommendations for Mitigation

  1. Indicator Blocking: Deny communications with screenai.online, and quarantine documents matching known hashes (e.g., those bearing the sysProcUpdate payload).
  2. Macro Security Policies: Default Office installations to disable macros, and enforce strict signing requirements for any enabled macros.
  3. Network Monitoring: Inspect outbound POST traffic to unknown or unusual domains, and correlate with internal user activity.
  4. Registry Audits: Regularly verify critical DNS and TCP/IP registry keys for unauthorized modifications.
  5. VPN Traffic Analysis: Flag sudden spikes in VPN logins via nodes inconsistent with organizational norms, particularly exit nodes located in unaffected regions.
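The following Python is an added example of recommendation 3 (it is not part of the original report): it runs over constructed proxy log lines and raises alerts for contact with the report's C2 domain, for POST requests to hosts outside an allowlist, and for evenly spaced repeated POSTs from one user to one host, which is what the malware's beaconing loop looks like even when the server answers nothing. The log format, the allowlist and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log (not real data): "timestamp user method url status".
# Status 000 stands for a connection that never completed.
SAMPLE_LOG = """\
2025-08-16T09:00:01Z jdoe POST https://screenai.online/Home/a1 000
2025-08-16T09:00:31Z jdoe POST https://screenai.online/Home/a1 000
2025-08-16T09:01:01Z jdoe POST https://screenai.online/Home/a1 000
2025-08-16T09:01:31Z jdoe POST https://screenai.online/Home/a1 000
2025-08-16T09:02:10Z asmith GET https://intranet.example.org/portal 200
2025-08-16T09:02:12Z asmith POST https://intranet.example.org/api/upload 200
2025-08-16T09:05:00Z jdoe POST https://cdn.example-update.net/check 200
"""

KNOWN_C2_DOMAINS = {"screenai.online"}      # from the report's indicators
ALLOWED_DOMAINS = {"intranet.example.org"}   # assumed corporate allowlist
MIN_BEACON_HITS = 3                          # assumed threshold
MAX_JITTER_SECONDS = 5                       # assumed: near-constant interval

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, status = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "method": method, "host": urlsplit(url).hostname, "status": status}


def analyse_proxy_log(text):
    """Return a sorted list of (alert_type, user, host) tuples."""
    alerts, posts = set(), defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["host"] in KNOWN_C2_DOMAINS:
            alerts.add(("known_c2", rec["user"], rec["host"]))
        if rec["method"] == "POST" and rec["host"] not in ALLOWED_DOMAINS:
            alerts.add(("post_unknown_host", rec["user"], rec["host"]))
            posts[(rec["user"], rec["host"])].append(rec["ts"])
    for (user, host), times in posts.items():
        if len(times) >= MIN_BEACON_HITS:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) <= MAX_JITTER_SECONDS:
                alerts.add(("beaconing", user, host))
    return sorted(alerts)
```

Correlating the `post_unknown_host` and `beaconing` alerts with the user's recent email attachments (step 1 of the chain above) is what turns a noisy proxy signal into an incident.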

By combining robust email filtering, proactive network defenses, and user training to recognize deceptive macro lures, organizations can thwart this style of spear-phishing and limit an adversary’s ability to establish covert access for espionage or sabotage.

Indicators of Compromise (IoCs):

