NEWS Malware, VPNs, and Fake Diplomacy: Large-Scale Iranian Cyber Espionage Campaign Against Global Government Entities Uncovered

While diplomats were reading letters, Iranian spies were quietly hacking their networks.

In August 2025, specialists from Dream Threat Intelligence detected a large-scale phishing attack organized by operators linked to Iran. The campaign, attributed to the Homeland Justice group under the control of Iran's Ministry of Intelligence and Security (MOIS), was disguised as official diplomatic correspondence from the Omani Ministry of Foreign Affairs. A compromised email account from the Omani embassy in Paris was used for distribution, with letters sent to government entities and international organizations worldwide.

According to experts, a macro read an encrypted sequence of numbers from a hidden text field in the form and decoded it, converting three-digit segments into ASCII characters. The resulting executable file was saved under the guise of a log file named ManagerProc.log in the C:\Users\Public\Documents folder and then executed stealthily, with no visible signs of activity on the user's screen. Classic evasion techniques were used to enhance stealth: launching with the vbHide parameter, execution slowdown, error suppression, and code masquerading as a log file. The malware also copied itself to C:\ProgramData\sysProcUpdate.exe for persistence and then modified DNS and TCP/IP settings in the system registry, complicating detection and ensuring the potential for long-term presence.

The implanted sysProcUpdate executable collected data on the username, computer name, and privilege level, generating a JSON structure that was then transmitted via HTTPS requests to the remote C2 server https://screenai.online/Home/. During sandbox testing, the connection failed, indicating either server blocking or temporary unavailability. Among the identified network indicators were persistent attempts to establish TLS connections to this domain on port 443.

The campaign was notable for its scale and multi-layered structure: at least 104 compromised email addresses were used to conceal the source, and sending was conducted through a VPN server. The attack was carried out simultaneously in several regions, including the Middle East, Europe, Asia, Africa, the Americas, and international organizations, taking into account the specifics and context of each target. Some emails mentioned the topic of "The future of the region after the Iran-Israel conflict and the role of Arab countries in the Middle East," highlighting attempts to use geopolitical tensions as bait.

The attack infrastructure included legitimate government domains (e.g., *@fm.gov.om), VPN servers, and malicious hosting on the screenai.online domain. The phishing attachments mimicked official Foreign Ministry documents, urging recipients to "unlock the content" and enable macros. Some recipients saw warning banners from Proofpoint in Ukrainian, indicating penetration into organizations using localized filtering tools.

Dream assesses that this operation has all the hallmarks of espionage activity, with a likely subsequent stage of data exfiltration or lateral movement within networks. The campaign uses a combination of deeply customized phishing lures, social engineering, and technical defense evasion techniques, demonstrating a high level of preparation and knowledge of the diplomatic landscape. The most probable objectives of the attack were intelligence gathering, establishing a foothold, and maintaining long-term presence within critical institutions.

Specialists recommend immediately blocking all identified Indicators of Compromise (IoCs), monitoring outgoing POST requests to URLs containing /Home/, regularly checking the system registry for unauthorized changes to network settings, and disabling Microsoft Office macros by default. It is also recommended to analyze VPN logs for suspicious connections originating from non-standard regions and to implement network segmentation with restrictions on outbound traffic.
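As an added illustration of the detection advice above (example code, not part of the original post), the following Python script flags proxy log entries that match the post's two network indicators (the screenai.online host and POST requests to a /Home/ path) and decodes the three-digit numeric encoding described earlier so an analyst can check whether a hidden form field actually holds an executable. The log line format and the sample lines are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample proxy log lines (not from the original post).
# Format: timestamp client method host port path status
SAMPLE_LOG = """\
2025-08-20T09:14:02Z 10.0.5.21 GET  www.example.org 443 /index.html 200
2025-08-20T09:15:11Z 10.0.5.21 POST screenai.online 443 /Home/ 000
2025-08-20T09:16:40Z 10.0.5.33 POST intranet.example.org 443 /Home/Upload 200
2025-08-20T09:17:03Z 10.0.5.40 GET  cdn.example.net 443 /static/app.js 200
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")

# Indicator taken from the post: the C2 domain the implant beacons to.
C2_HOST = "screenai.online"


def find_suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that matches a post-specific indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the constructed format
        ts, client, method, host, port, path, status = m.groups()
        host = host.lower()
        reasons = []
        if host == C2_HOST or host.endswith("." + C2_HOST):
            reasons.append("known C2 host")
        if method == "POST" and "/Home/" in path:
            reasons.append("POST to /Home/ path")
        if reasons:
            findings.append({"time": ts, "client": client, "host": host,
                             "path": path, "reasons": ", ".join(reasons)})
    return findings


def decode_triplets(digits: str) -> bytes:
    """Decode the dropper's scheme: every three-digit group is one byte value."""
    digits = re.sub(r"\D", "", digits)  # tolerate separators such as spaces
    if len(digits) % 3:
        raise ValueError("digit string length is not a multiple of 3")
    values = [int(digits[i:i + 3]) for i in range(0, len(digits), 3)]
    if any(v > 255 for v in values):
        raise ValueError("triplet value exceeds one byte")
    return bytes(values)


def looks_like_pe(blob: bytes) -> bool:
    """True if the decoded bytes start with the 'MZ' header of a Windows executable."""
    return blob[:2] == b"MZ"
```

Extend `find_suspicious_requests` with your own proxy format and block-list; the `/Home/` path check on its own will also hit legitimate internal applications, as the third sample line shows, so treat it as a hunting lead rather than an alert.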

Based on the totality of evidence, the campaign represents a complex, multi-stage espionage operation focused on diplomatic institutions, particularly in Europe and the Middle East, with a high level of stealth and potential for further attack phases.