Connect with us

Hi, what are you looking for?


Malware & Threats

Microsoft: Iranian APT Impersonating Prominent Journalist in Clever Spear-Phishing Attacks

Microsoft says an APT with links to Iran’s military intelligence is impersonating a prominent journalist in clever spear-phishing attacks.

Iranian hackers

Malware hunters at Microsoft on Wednesday warned that an APT with known links to Iran’s military intelligence has been impersonating a prominent journalist to trick a specific set of people into downloading malicious files.

The bespoke spear-phishing attacks, ongoing since November last year, are targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. 

According to Redmond’s documentation of the discovery, the so-called ‘Mint Sandstorm’ hackers are “patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails.”

“This group is known to conduct resource-intensive social engineering campaigns that target journalists, researchers, professors, or other individuals with insights or perspective on security and policy issues of interest to Tehran,” Microsoft said.

In some instances of this campaign, Microsoft researchers caught the hackers using legitimate but compromised accounts to send phishing lures, and utilization of the Client for URL (curl) command to connect to its command-and-control (C2) server.

The APT has been caught masquerading as high-profile individuals, including as an unidentified journalist at a reputable news outlet. “In some cases, the threat actor used an email address spoofed to resemble a personal email account belonging to the journalist they sought to impersonate and sent benign emails to targets requesting their input on an article about the Israel-Hamas war,” Microsoft said.

“In other cases, [they] used legitimate but compromised email accounts belonging to the individuals they sought to impersonate. Initial email messages did not contain any malicious content.”

“This tradecraft, namely the impersonation of a known individual, the use of highly bespoke phishing lures, and the use of wholly benign messages in the initial stages of the campaign, is likely an attempt to build rapport with targets and establish a level of trust before attempting to deliver malicious content to targets,” the company said.

Advertisement. Scroll to continue reading.

Microsoft said the hacking team found success at certain targets that agreed to review the article or document referenced in the initial email.  “[The hackers] followed up with an email containing a link to a malicious domain,” the researchers said, warning that follow up messages directed targets to sites hosting a RAR archive (.rar) file that purported to contain the draft document targets were asked to review. 

“If opened, this .rar file decompressed into a double extension file (.pdf.lnk) with the same name. When launched, the .pdf.lnk file ran a curl command to retrieve a series of malicious files from attacker-controlled subdomains,” Microsoft said.

Related: Iranian Cyberspies Caught Deploying New Backdoor

Related: Iran-Linked APT Targets US-Based Org With macOS Malware 

Related: Microsoft: Iranian APTs Exploiting PaperCut Vulnerability

Related: Microsoft: Iranian Hackers Targeting US Critical Infrastructure

Related: UK Gov Warns of Phishing Attacks by Iran, Russia Cyberspies

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.