
Iranian Hackers Use New Tickler Malware for Intelligence Gathering on Critical Infrastructure

The Iran-linked state-sponsored hacker group tracked as Peach Sandstorm has started using a new backdoor in attacks aimed at the US and UAE.


An Iranian state-sponsored threat actor has been using a new custom backdoor in attacks aimed at organizations in the United States and the United Arab Emirates, according to Microsoft.

The tech giant tracks the group as Peach Sandstorm, but it’s also known as APT33, Elfin, Holmium, Magnallium, and Refined Kitten. In late 2023, Microsoft reported seeing the threat actor targeting employees at US defense industrial base organizations. 

Microsoft has observed Peach Sandstorm using a new piece of malware that it has named Tickler in intelligence gathering operations targeting satellite, communications equipment, government, and oil and gas organizations in the US and UAE. 

Tickler has been described as a custom, multi-stage backdoor that enables the attackers to download additional malware to compromised systems. The malicious payloads observed by Microsoft were capable of collecting system information, executing commands, deleting files, and downloading/uploading files from/to a command and control (C&C) server.

The tech giant has continued to see Peach Sandstorm leveraging LinkedIn for intelligence gathering and social engineering attacks. 

The hackers have also continued launching password spray attacks, recently being seen conducting such operations against organizations in the defense, space, education, and government sectors in the US and Australia.
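The password spray pattern mentioned above (one source, many accounts, only one or two attempts per account to stay under lockout thresholds) is also the pattern a detection rule should key on, and it looks quite different from a brute-force attack on a single account. The following Python is an added example, not code from Microsoft's report or from SecurityWeek: it runs such a rule over a handful of constructed sign-in log lines. The JSON field names, the IP addresses, the timestamps and the thresholds are all assumptions; map them onto whatever your identity provider actually emits.

```python
"""Password-spray detection over sign-in log lines (added example).

Assumptions: each log line is a JSON object with "ts" (ISO 8601), "user",
"src" (source IP) and "result" ("success" or "failure"). Thresholds below are
illustrative, not tuned values from any vendor.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 198.51.100.7 sprays one
# password across five accounts and then logs in as a sixth; 203.0.113.9
# hammers a single account (brute force, not spray); 192.0.2.5 is a user
# who mistyped once and then succeeded.
SAMPLE_LOG = """
{"ts": "2024-08-28T09:00:00", "user": "alice@corp.example", "src": "198.51.100.7", "result": "failure"}
{"ts": "2024-08-28T09:00:07", "user": "bob@corp.example",   "src": "198.51.100.7", "result": "failure"}
{"ts": "2024-08-28T09:00:15", "user": "carol@corp.example", "src": "198.51.100.7", "result": "failure"}
{"ts": "2024-08-28T09:00:22", "user": "dave@corp.example",  "src": "198.51.100.7", "result": "failure"}
{"ts": "2024-08-28T09:00:30", "user": "erin@corp.example",  "src": "198.51.100.7", "result": "failure"}
{"ts": "2024-08-28T09:00:41", "user": "frank@corp.example", "src": "198.51.100.7", "result": "success"}
{"ts": "2024-08-28T09:05:00", "user": "bob@corp.example",   "src": "203.0.113.9",  "result": "failure"}
{"ts": "2024-08-28T09:05:03", "user": "bob@corp.example",   "src": "203.0.113.9",  "result": "failure"}
{"ts": "2024-08-28T09:05:06", "user": "bob@corp.example",   "src": "203.0.113.9",  "result": "failure"}
{"ts": "2024-08-28T09:05:09", "user": "bob@corp.example",   "src": "203.0.113.9",  "result": "failure"}
{"ts": "2024-08-28T09:05:12", "user": "bob@corp.example",   "src": "203.0.113.9",  "result": "failure"}
{"ts": "2024-08-28T09:05:15", "user": "bob@corp.example",   "src": "203.0.113.9",  "result": "failure"}
{"ts": "2024-08-28T09:10:00", "user": "alice@corp.example", "src": "192.0.2.5",    "result": "failure"}
{"ts": "2024-08-28T09:10:20", "user": "alice@corp.example", "src": "192.0.2.5",    "result": "success"}
""".strip().splitlines()


def parse_events(lines):
    """Parse JSON log lines into dicts with a real datetime and a boolean outcome."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(rec["ts"]),
            "user": rec["user"].lower(),   # normalise case so alice == Alice
            "src": rec["src"],
            "ok": rec["result"] == "success",
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_distinct_users=5, max_attempts_per_user=2):
    """Return one alert per source IP showing a password-spray pattern.

    Spray signature: within `window`, one source fails against at least
    `min_distinct_users` distinct accounts while touching each account at most
    `max_attempts_per_user` times. A source that fails many times against one
    account is brute force and is deliberately not reported by this rule.
    Any successful sign-in from the same source inside the window is surfaced
    as the account most worth investigating.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        (successes if e["ok"] else failures)[e["src"]].append((e["ts"], e["user"]))

    alerts = []
    for src, attempts in failures.items():
        attempts.sort()
        n = len(attempts)
        for i in range(n):
            # Slide a window starting at failure i; j is one past its end.
            j = i
            while j < n and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            per_user = Counter(user for _, user in attempts[i:j])
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_attempts_per_user):
                start = attempts[i][0]
                hits = sorted({u for ts, u in successes.get(src, [])
                               if start <= ts <= start + window})
                alerts.append({
                    "src": src,
                    "start": start.isoformat(),
                    "distinct_users": len(per_user),
                    "attempted_users": sorted(per_user),
                    "possible_compromise": hits,
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Against the sample lines the rule fires once, for 198.51.100.7, with frank@corp.example listed as the possible compromise; the single-account brute force from 203.0.113.9 and the benign retry from 192.0.2.5 do not fire. In practice you would aggregate by source ASN or by the user agent as well as by raw IP, since spraying infrastructure is often rotated across many addresses, and you would feed any "possible_compromise" account straight into a session-revocation and MFA-review workflow.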

The company also noted that the threat actors “leveraged Azure infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command-and-control”.

Microsoft published its report on the same day Google Cloud’s Mandiant published a report on an Iranian counterintelligence operation, and the US government issued an advisory on how Iranian state-sponsored actors have been collaborating with ransomware groups.


Microsoft, Google, Meta and the US government recently also issued reports on Iranian hackers targeting elections.

Related: How Lessons Learned From the 2016 Campaign Led US Officials to Be More Open About Iran Hack

Related: Google Disrupts Iranian Hacking Activity Targeting US Presidential Election

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
