CTI Analysis: Malicious Email Campaign

· Published 02/09/2025 08:58 · Modified 02/09/2025 09:43

Essential information

Published
02/09/2025 08:58
Modified
02/09/2025 09:43
Tags
2025-09-02, anti-analysis, diplomatic targets, iran-nexus, oman mfa, reconnaissance, spear-phishing, vba macro
Related entities
15 observables, 1 intrusion sets (apt), 19 techniques (mitre), 1 malware, 30 others

Description

A campaign masquerading as the Omani Ministry of Foreign Affairs targeted governments worldwide in August 2025. Attributed to Iranian-aligned operators linked to the Homeland Justice group and MOIS, the campaign used compromised mailboxes to send emails carrying malicious Microsoft Word attachments. The documents contained VBA macros that decoded and deployed malware payloads. The multi-wave operation targeted diplomatic and governmental entities across multiple regions, including the Middle East, Africa, Europe, Asia, and the Americas. The campaign used social-engineering lures, anti-analysis techniques, and a reconnaissance-focused malware called sysProcUpdate. The attackers aimed to gain initial access, map internal networks, and prepare for further exploitation in diplomatic and industrial organizations.
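The delivery vector above (a Word attachment whose VBA macro stages the payload) is one a mail gateway or triage script can flag before the document ever reaches a user. The following is an added detection example written for this page; it is not code from the CTI record or from the campaign's reporting. It constructs two minimal OOXML Word packages in memory (sample data, not real lures), then inspects each the way an attachment scanner would: macro-enabled content type declared in `[Content_Types].xml`, presence of a `word/vbaProject.bin` part, and a mismatch between the file extension and the macro content. Function names and the triage verdict labels are this example's own choices.

```python
"""Flag Word attachments that carry VBA macros (added detection example).

Checks performed on each OOXML attachment:
  * the package declares the macro-enabled Word content type
  * the package contains a word/vbaProject.bin part (the VBA storage)
  * a plain .docx extension hides macro content (extension mismatch)
Legacy OLE2 .doc files are not zip packages; they are routed to a
separate OLE scan rather than silently allowed.
"""
import io
import zipfile

MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument"
            ".wordprocessingml.document.main+xml")


def build_docx(macro: bool) -> bytes:
    """Construct a minimal in-memory Word package (constructed sample, not a real lure)."""
    ct = MACRO_CT if macro else PLAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for the OLE-backed VBA project storage
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder-vba-storage")
    return buf.getvalue()


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict for one Word attachment."""
    result = {
        "filename": filename,
        "is_ooxml": False,
        "has_vba_part": False,
        "macro_content_type": False,
        "ext_mismatch": False,
        "verdict": "allow",
    }
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML package: likely legacy .doc (OLE2) or corrupt; needs an OLE-aware scan
        result["verdict"] = "review_ole"
        return result

    result["is_ooxml"] = True
    names = z.namelist()
    result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)

    try:
        ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_content_type"] = MACRO_CT in ct_xml
    except KeyError:
        # No content-types part: malformed package, treat as suspicious
        result["verdict"] = "review_malformed"
        return result

    has_macros = result["has_vba_part"] or result["macro_content_type"]
    # A plain .docx extension that hides macro content is a classic disguise
    result["ext_mismatch"] = has_macros and filename.lower().endswith(".docx")
    result["verdict"] = "block" if has_macros else "allow"
    return result


def triage(attachments: list) -> list:
    """Return filenames whose verdict is not 'allow', for quarantine or analyst review."""
    return [inspect_attachment(n, d)["filename"]
            for n, d in attachments
            if inspect_attachment(n, d)["verdict"] != "allow"]


if __name__ == "__main__":
    # Constructed sample mailbox: one clean note, one macro document, one disguised macro document
    sample = [
        ("agenda.docx", build_docx(macro=False)),
        ("invitation.docm", build_docx(macro=True)),
        ("briefing.docx", build_docx(macro=True)),
    ]
    for name, blob in sample:
        print(inspect_attachment(name, blob))
    print("quarantine:", triage(sample))
```

The scanner deliberately does not try to decompress or interpret the VBA stream: presence of a VBA project in an inbound diplomatic-themed document is enough to quarantine for analyst review, and a deeper tool such as oletools can then extract the decoding routine for indicator generation.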

External references