
Religious Minority Persecuted in Iran Targeted With Sophisticated Android Spyware

Kaspersky is warning of a previously unknown espionage campaign targeting the Persian-speaking religious minority Bahaʼi with Android spyware.

As part of the campaign, victims were lured to a VPN application claiming to provide access to Bahaʼi religious resources that are banned in Iran.

The application contains highly sophisticated spyware designed to collect all types of data from devices, including call logs and contact lists, and to track victims’ activities. The malware, named SandStrike, also supports commands that allow the attackers to perform various operations on the device.

The threat actor behind SandStrike created Facebook and Instagram accounts with over 1,000 followers and lured victims using religious-themed materials containing a link to a Telegram channel controlled by the attackers.

The adversary used this channel to distribute the nefarious VPN application claiming it would allow users to access banned sites. The attackers set up their own VPN infrastructure to increase the legitimacy of the claims.

Kaspersky’s description of the attacks involving SandStrike spyware comes just weeks after reports that Iran has intensified its persecution of the Bahaʼi religious minority.

SandStrike, however, was only one of the threats active in the Middle East during the third quarter of the year, Kaspersky says.

The security firm analyzed the sophisticated malware platform Metatron, observed the SilentBreak threat group using a new C++ backdoor, SoleExecutor, and documented the activities of DeftTorero (aka Lebanese Cedar, Volatile Cedar).


Detailed in September, Metatron focuses on telecommunications companies, ISPs, and universities in the Middle East and Africa. The adversary bypasses native security solutions and executes its malware directly in memory.

In its analysis of the advanced persistent threat (APT) actors’ activity for the third quarter of 2022, Kaspersky also mentions the operations of Russian, Chinese, and North Korean threat actors, pointing out that cyberespionage remains the main goal of the observed APT campaigns.

“APT actors are now strenuously used to create attack tools and improve old ones to launch new malicious campaigns. In their attacks, they use cunning and unexpected methods: SandStrike, attacking users via VPN service, where victims tried to find protection and security, is an excellent example,” said Kaspersky lead security researcher Victor Chebyshev.

Related: Iranian Hackers Target Enterprise Android Users With New RatMilad Spyware

Related: Sophisticated Android Spyware ‘Hermit’ Used by Governments

Related: New Android Spyware Uses Turla-Linked Infrastructure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
