
SecurityWeek

Cyberwarfare

Religious Minority Persecuted in Iran Targeted With Sophisticated Android Spyware

Kaspersky is warning of a previously unknown espionage campaign targeting the Persian-speaking religious minority Bahaʼi with Android spyware.

As part of the campaign, victims were lured to a VPN application claiming to provide access to Bahaʼi religious resources that are banned in Iran.


The application contains sophisticated spyware designed to collect a wide range of data from the device, including call logs and contact lists, and to track the victim’s activity. The malware, named SandStrike, also implements command handling that lets the attackers perform various operations on the device remotely.
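A practical first check for a sideloaded "VPN" app of the kind described above is whether the permissions it requests match its stated purpose: a VPN client needs network access and a VpnService, not call logs, contacts or location. The script below is an added example, not Kaspersky's or SecurityWeek's code and not a SandStrike indicator; the manifest, the package name `com.example.freevpn` and the permission lists are constructed for illustration and would be replaced by the decoded manifest of the APK under analysis (as produced by apktool or aapt).

```python
"""Permission triage for a sideloaded 'VPN' APK.

Added example: the manifest, package name and permission sets below are
constructed assumptions, not indicators from the SandStrike campaign.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions a legitimate VPN client plausibly needs (assumed baseline).
VPN_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Dangerous permissions mapped to the collection capability they enable.
SPYWARE_INDICATORS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.RECORD_AUDIO": "audio capture",
    "android.permission.READ_EXTERNAL_STORAGE": "file access",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app inventory",
}

# Constructed decoded manifest of a hypothetical 'VPN' app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Free VPN">
        <service android:name=".TunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package name, requested permissions, whether a VpnService is declared)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    has_vpn_service = any(
        act.get(NAME_ATTR) == "android.net.VpnService" for act in root.iter("action")
    )
    return package, perms, has_vpn_service


def triage(xml_text):
    """Flag permissions a VPN client has no business requesting.

    Returns the package name, whether a VpnService is declared, the sorted
    (permission, capability) pairs that indicate data collection, any other
    permissions outside the VPN baseline, and a verdict string.
    """
    package, perms, has_vpn_service = parse_manifest(xml_text)
    flagged = sorted((p, SPYWARE_INDICATORS[p]) for p in perms if p in SPYWARE_INDICATORS)
    other_unexpected = sorted(perms - VPN_EXPECTED - set(SPYWARE_INDICATORS))
    return {
        "package": package,
        "declares_vpn_service": has_vpn_service,
        "flagged": flagged,
        "other_unexpected": other_unexpected,
        "verdict": "suspicious" if flagged else "consistent with a VPN client",
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(f"{report['package']}: {report['verdict']}")
    for perm, capability in report["flagged"]:
        print(f"  {perm} -> {capability}")
```

The check is deliberately purpose-based rather than signature-based: a real VpnService declaration does not make the app legitimate, which is exactly the point of the campaign (the attackers ran working VPN infrastructure), so the verdict is driven by the permissions that exceed what a tunnel needs. Dynamic analysis of where that data is sent is the natural next step.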

The threat actor behind SandStrike created Facebook and Instagram accounts with over 1,000 followers and lured victims using religious-themed materials containing a link to a Telegram channel controlled by the attackers.

The adversary used this channel to distribute the nefarious VPN application claiming it would allow users to access banned sites. The attackers set up their own VPN infrastructure to increase the legitimacy of the claims.

Kaspersky’s description of the attacks involving SandStrike spyware comes just weeks after reports that Iran has intensified its persecution of the Baha’i religious minority.

The SandStrike campaign, however, was only one of several threat activities Kaspersky observed in the Middle East during the third quarter of the year.

The security firm analyzed the sophisticated malware platform Metatron, observed the SilentBreak threat group using a new C++ backdoor, SoleExecutor, and documented the activities of DeftTorero (aka Lebanese Cedar, Volatile Cedar).

Detailed in September, Metatron targets telecommunications providers, ISPs, and universities in the Middle East and Africa. The adversary bypasses native security solutions and executes its malware directly in memory.

In its analysis of the advanced persistent threat (APT) actors’ activity for the third quarter of 2022, Kaspersky also mentions the operations of Russian, Chinese, and North Korean threat actors, pointing out that cyberespionage remains the main goal of the observed APT campaigns.

“APT actors are now strenuously used to create attack tools and improve old ones to launch new malicious campaigns. In their attacks, they use cunning and unexpected methods: SandStrike, attacking users via VPN service, where victims tried to find protection and security, is an excellent example,” said Kaspersky lead security researcher Victor Chebyshev.

Related: Iranian Hackers Target Enterprise Android Users With New RatMilad Spyware

Related: Sophisticated Android Spyware ‘Hermit’ Used by Governments

Related: New Android Spyware Uses Turla-Linked Infrastructure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
