
The Iran-nexus threat actor known as UNC2428 has been observed delivering a backdoor known as MURKYTOUR as part of an employment-themed social engineering campaign that targeted Israel in October 2024.
Mandiant, owned by Google, described UNC2428 as a threat actor aligned with Iran that engages in cyber espionage-related activity. The intrusion set is said to have distributed the malware through a “complex chain of deception techniques.”
“The UNC2428 social engineering campaign targeted individuals while promoting recruitment opportunities from the Israeli defense contractor Rafael,” the company said in its M-Trends 2025 annual report.
Individuals who expressed interest were redirected to a site that impersonated Rafael and were asked to download a tool to help them apply for jobs.
This tool (“RafaelConnect.exe”) was an installer dubbed LONEFLEET which, once launched, presented a graphical user interface (GUI) for the victim to enter personal information and submit their résumé.
Once submitted, the MURKYTOUR backdoor was launched as a background process by a launcher called LEAFPILE, giving the attackers persistent access to the compromised machine.
“Iran-nexus threat actors have incorporated a graphical user interface (GUI) to disguise the execution and installation of malware as a legitimate application or software,” Mandiant said. “The addition of a GUI configured to present a typical installer to users and mimic the form and functionality of the lure used can reduce suspicion from targeted individuals.”

It is worth noting that the campaign overlaps with activity reported by the Israel National Cyber Directorate and attributed to an Iranian threat actor named Black Shadow.
Assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS), the hacking group is known for targeting a wide range of Israeli industry verticals, including academia, tourism, communications, finance, transportation, healthcare, government and technology.
According to Mandiant, UNC2428 is one of many Iranian threat activity clusters that set their sights on Israel in 2024. One prominent group is Cyber Toufan, which targeted Israel-based users with its own POKYBLIGHT wiper.

UNC3313 is another Iran-nexus threat group that has conducted surveillance and strategic intelligence gathering operations through spear-phishing campaigns. UNC3313, first documented by the company in February 2022, is believed to be affiliated with MuddyWater.
“The threat actor hosted the malware on popular file-sharing services and embedded the links in training- and webinar-themed phishing lures,” Mandiant said. “In one such campaign, UNC3313 distributed the JELLYBEAN dropper and CANDYBOX backdoor to organizations and individuals targeted by the phishing operation.”
The attacks mounted by UNC3313 have leaned heavily on nine different legitimate remote monitoring and management (RMM) tools, a signature tactic of the MuddyWater group, to evade detection efforts and maintain persistent remote access.
The threat intelligence company also said in July 2024 that a suspected Iran-aligned adversary was distributing a backdoor codenamed CACTUSPAL by passing it off as an installer for Palo Alto Networks’ GlobalProtect remote access software.

At startup, the installation wizard silently deploys a .NET backdoor that checks that only one instance of the process is running before communicating with an external command-and-control (C2) server.
In addition to the use of RMM tools, Iranian threat actors like UNC1549 have been observed taking steps to incorporate cloud infrastructure into their tradecraft so that their services and actions blend in with enterprise environments.
“Alongside techniques such as typosquatting and domain reuse, threat actors have found that hosting C2 nodes or payloads in their cloud infrastructure and using cloud-native domains reduces the scrutiny applied to their operations,” Mandiant said.

Insight into the Iranian threat landscape is incomplete without APT42 (aka Charming Kitten). It is known for its elaborate social engineering and its efforts to build trusted relationships in order to harvest credentials and deliver bespoke malware for data exfiltration.
According to Mandiant, the threat actor has deployed fake Google, Microsoft and Yahoo! login pages as part of credential harvesting campaigns, using Google Sites and Dropbox to direct its targets to forged Google Meet landing pages or login pages.
Overall, the cybersecurity company said it identified more than 20 unique malware families in 2024, including droppers, downloaders and backdoors, used by Iranian actors in their campaigns in the Middle East.
“Iran-nexus threat actors continue to pursue cyber operations consistent with the interests of the Iranian regime, and will adapt their methodology to the current security environment,” Mandiant said.