Malicious Campaign Targeting Diplomatic Assets
Essential information
- Published: 03/09/2025 17:31
- Modified: 03/09/2025 20:14
- Tags: 2025-09-03, diplomacy, espionage, iran, oman, mfa, spear-phishing, sysprocupdate, vba macros
- Related entities: 1 observable, 14 techniques (MITRE), 30 others
Description
An Iranian-aligned spear-phishing campaign masquerading as Omani Ministry of Foreign Affairs communications targeted government entities worldwide. The operation used compromised mailboxes to distribute malicious Word documents containing VBA macros. When executed, these macros decoded and deployed a payload named sysProcUpdate, which gathered system metadata and attempted to beacon to a command-and-control (C2) server. The campaign employed anti-analysis measures and persistence mechanisms, and its targeting spanned multiple countries in the region. Evidence suggests this was part of a broader espionage effort by the Homeland Justice group, associated with Iran's Ministry of Intelligence and Security, coinciding with heightened geopolitical tensions.