Malicious Campaign Targeting Diplomatic Assets

· Published 03/09/2025 17:31 · Modified 03/09/2025 20:14

Essential information

Tags
2025-09-03 diplomacy espionage iran oman mfa spear-phishing sysprocupdate vba macros
Related entities
1 observables, 14 techniques (mitre), 30 others

Description

An Iranian-aligned campaign masquerading as Omani Ministry of Foreign Affairs communications targeted global government entities. The operation used compromised mailboxes to distribute malicious Word documents containing . When executed, these macros decoded and deployed a payload named , which gathered system metadata and attempted to beacon to a command and control server. The campaign showed sophisticated techniques including anti-analysis measures, persistence mechanisms, and regional targeting across multiple countries. Evidence suggests this was part of a broader effort by the Homeland Justice group associated with 's Ministry of Intelligence and Security, coinciding with heightened geopolitical tensions.

External references