Iran MOIS Phishes 50+ Embassies, Ministries, Int'l Orgs - Dark Reading

Dark Reading, archived Mar 17, 2026

The Homeland Justice APT tried spying on countries and organizations from six continents, using more than 100 hijacked email accounts.

Nate Nelson, Contributing Writer
September 4, 2025
4 Min Read
Source: Kirsty McLaren via Alamy Stock Photo

Iranian state hackers used a treasure trove of compromised email accounts to phish dozens of diplomatic missions around the world.

Researchers from Dream Security and Clear Sky Cyber Security have both tied this activity to the advanced persistent threat (APT) known colloquially as "Homeland Justice," associated with Iran's Ministry of Intelligence (MOIS). The key to Homeland Justice's strategy was 104 unique compromised addresses, many of them official government mailboxes, which it used to send emails under the guise of official government business. Attached to those emails were files carrying infostealing malware.

Iran's Phishing Campaign

The first email in this campaign was sent Aug. 19. It came from a legitimate address belonging to the Oman Ministry of Foreign Affairs in Paris, and was directed right back at the organization it came from.

It had all the hallmarks of the many phishing attacks to come. The message was routed through a NordVPN exit node in Jordan to mask where it was really coming from. It included a blurred Word document attachment that asked the user to enable macros in order to view it clearly. Enabling macros revealed an invitation to an online seminar on "The Future of the region after the Iran-Israel war and the role of Arab countries in the Middle East," a hot-button issue of potential interest to the ministry. The document also concealed malicious Visual Basic for Applications (VBA) macros.

It was a rather atavistic approach for such a high-level operation. "Since Microsoft improved the default security controls around document macros, we have seen a reduction in malicious macros and an uptick in identity attack techniques such as adversary-in-the-middle (AiTM) attacks to capture credentials and hijack session cookies," explains Kevin E. Greene, chief cybersecurity technologist at BeyondTrust.

But "you'd be surprised," says the team from Dream Security. "Macro-enabled documents still work, and phishing remains one of the most effective initial-access vectors. The technique is 'old-school,' but in this case the emails came from a legitimate, compromised account, which increased credibility and likely click-through; with that level of trust, simple techniques still succeed." They assess with moderate confidence that at least one observed victim did click through and enable the malicious macros.

From there, a malicious payload would have been decoded and executed. The attackers integrated some basic evasion techniques in this phase of the attack: they launched the payload with the "vbHide" VBA window-style parameter, so the process it spawned never showed a window to the user as the malware executed, and they hid the dropped file in plain sight by writing it to the victim's Documents folder with an innocuous ".log" extension.
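The tradecraft described above (an auto-executing macro, a Shell launch with vbHide, a payload parked under Documents as a .log file, and the counting-loop stall the article goes on to describe) is exactly what a macro triage step should look for once the VBA source has been extracted, for instance with olevba. The script below is an added example written for this page; it is not code from Dark Reading, Dream Security or Clear Sky. The rule names, the one-million-iteration stall threshold and both sample macros are constructed assumptions for illustration, not the campaign's actual macro.

```python
"""Static triage of extracted VBA macro source for the tradecraft the article
describes: an auto-executing macro, a hidden Shell launch (vbHide), a payload
staged under the user's Documents folder with a disguised .log extension, and a
counting loop ("laylay") that stalls execution to outlast sandbox timeouts.

Added example; the rule names, the threshold and the sample macros below are
constructed for illustration and are not the campaign's actual code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # which heuristic fired
    line_no: int    # 1-based line number in the macro source
    evidence: str   # the offending line, whitespace-stripped


# Per-line heuristics. VBA is case-insensitive, so every pattern is too.
LINE_RULES = {
    # Entry points Office runs as soon as the document is opened.
    "autoexec": re.compile(
        r"\b(Sub|Function)\s+(AutoOpen|Document_Open|Workbook_Open|Auto_Open)\b", re.I),
    # Shell(...) with vbHide, or WScript.Shell .Run with window style 0 (hidden).
    "hidden_shell": re.compile(
        r"\bShell\b.*\bvbHide\b|\.Run\b.*,\s*0\s*(,|$)", re.I),
    # A path under Documents ending in .log: the drop location from the article.
    "documents_log_drop": re.compile(r"Documents\\.*?\.log\b", re.I),
    # Environment lookups commonly used to build that drop path.
    "userprofile_path": re.compile(
        r"Environ\s*\(\s*\"(USERPROFILE|APPDATA|TEMP)\"\s*\)", re.I),
}

# "For i = 1 To <big number>" is the stalling pattern; the bound is an assumed
# threshold, tune it to how long your sandbox lets a sample run.
STALL_LOOP = re.compile(r"\bFor\s+\w+\s*=\s*\d+\s+To\s+(\d+)\b", re.I)
STALL_THRESHOLD = 1_000_000


def triage(vba_source: str) -> list[Finding]:
    """Run every heuristic over each non-comment line and collect the hits."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(vba_source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("'"):      # blank line or VBA comment
            continue
        for rule, pattern in LINE_RULES.items():
            if pattern.search(line):
                findings.append(Finding(rule, line_no, line))
        loop = STALL_LOOP.search(line)
        if loop and int(loop.group(1)) >= STALL_THRESHOLD:
            findings.append(Finding("stall_loop", line_no, line))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Combine hits into a triage verdict.

    An auto-exec entry point alone is common in benign templates, so it only
    becomes 'suspicious' when paired with hidden execution or a disguised drop.
    """
    rules = {f.rule for f in findings}
    if "autoexec" in rules and rules & {"hidden_shell", "documents_log_drop"}:
        return "suspicious"
    if rules & {"hidden_shell", "stall_loop", "documents_log_drop"}:
        return "review"
    return "clean"


# Constructed sample modelled on the article's description (not the real macro).
SAMPLE_MACRO = r'''
Sub AutoOpen()
    laylay
    Dim drop As String
    drop = Environ("USERPROFILE") & "\Documents\stage1.log"
    ' ... decode the embedded payload into the .log file (omitted) ...
    Shell "cmd /c " & drop, vbHide
End Sub

Sub laylay()
    ' Counts to a large number to burn time before the payload runs.
    Dim i As Long, n As Long
    For i = 1 To 9000000
        n = n + 1
    Next i
End Sub
'''

# A harmless Document_Open macro that should not be flagged.
BENIGN_MACRO = r'''
Sub Document_Open()
    ActiveDocument.Range.Font.Size = 11
End Sub
'''


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        hits = triage(src)
        print(f"{name}: {verdict(hits)}")
        for f in hits:
            print(f"  line {f.line_no:>2} {f.rule:<20} {f.evidence}")
```

Two caveats worth keeping in mind. First, a `Do While` busy loop or a loop bound built from a variable slips past the `For` pattern, so the stall heuristic is a hint, not a gate. Second, the same behaviours are visible at runtime: an Office process spawning cmd.exe with no visible window, and a .log file written under Documents by that Office process, are the events an endpoint detection rule would key on, and they catch the cases static triage misses.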
They also used a function called "laylay," which delayed payload execution by performing lots of repetitive counting. The counting itself is pointless; its value to the attacker is that the delay might outlast the fixed time a sandbox spends detonating a sample, or otherwise throw off security software.

The final payload, "sysProcUpdate," gathered basic system information, perhaps only as reconnaissance for follow-on malicious activity.

Researchers from Dream assess that this campaign has likely concluded, just days after it began, since at the time of writing the attackers' command-and-control (C2) infrastructure appears to be inactive.

Worldwide Embassies Targeted

Phishing emails of this nature went out to around four dozen embassies, consulates, and government ministries, representing countries from nearly every corner of the earth, including:

- Consulates and ministries from across the Middle East, including Oman, Qatar, Bahrain, Israel, Jordan, and the UAE
- Embassies and consulates belonging to Italy, France, Romania, Spain, the Netherlands, Hungary, Germany, Austria, and Sweden
- Embassies and consulates of 12 African countries, including Ethiopia, Nigeria, Rwanda, Malawi, and eight more undisclosed
- Diplomatic missions from seven Asian countries, including Korea, Japan, Thailand, Bangladesh, Mongolia, and two more unidentified
- Diplomatic missions and ministries from 11 nations in the Western Hemisphere, including but not limited to Canada, Brazil, Colombia, Peru, and Argentina

Besides these government agencies, the attackers also targeted at least 10 other notable international organizations of various kinds: the United Nations, its Office on Drugs and Crime (UNODC), and its Children's Fund (UNICEF); the African Union; and humanitarian organizations like the Order of Malta. The World Bank was also targeted, as was an organization in the maritime sector and one in energy.

"In an age of rising geopolitical tensions, knowing what an embassy is reporting back, or being told through diplomatic cables and other communications, can provide a strategic advantage to an adversary," Greene says. "There is also an element of trophy hunting and posturing involved, where it might be viewed as a way to earn a political point without being seen to directly attack foreign soil."

He also notes that "as effectively remote outposts in a different time zone, embassies may have more limited resources or rely on local resources to support and configure their systems. They also employ contractors and local staff who may not be familiar with all the cyber security risks or be able to spot a poorly written phishing email in a second or third language," making them occasionally easy pickings.

About the Author

Nate Nelson, Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries," the most popular podcast in cybersecurity, and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.