
Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

Published 06/05/2025 19:46 · Modified 06/05/2025 20:13


Essential information

Tags
2025-05-06, CVE-2023-38950, CVE-2023-38951, CVE-2023-38952, apt, credential harvesting, credinterceptor, critical-infrastructure, custom malware, hanifnet, havoc, hxlibrary, lateral movement, neoexpressrat, proxy chaining, remoteinjector, systembc, web shells
Related entities
35 observables, 1 intrusion sets (apt), 9 techniques (mitre), 2 others

Description

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including , , and legitimate tools to maintain persistent access across multiple network segments. Key findings include the use of novel malware families like and , as well as extensive and techniques. The intrusion demonstrated sophisticated evasion capabilities and targeted attempts to access operational technology networks. Forensic analysis revealed potential links to previously reported Iranian campaigns. The report provides detailed technical indicators and recommends enhanced logging, EDR deployment, and multi-factor authentication to defend against similar threats.

External references