
Iranian Infy Prince of Persia Cyber Espionage Campaign Resurfaces

 

Security researchers have identified renewed cyber activity linked to an Iranian threat actor known as Infy, also referred to as Prince of Persia, marking the group’s re-emergence nearly five years after its last widely reported operations in Europe and the Middle East. According to SafeBreach, the scale and persistence of the group’s recent campaigns suggest it remains an active and capable advanced persistent threat. 

Infy is considered one of the longest-operating APT groups, with its origins traced back to at least 2004. Despite this longevity, it has largely avoided the spotlight compared with other Iranian-linked groups such as Charming Kitten or MuddyWater. Earlier research attributed Infy’s attacks to a relatively focused toolkit built around two primary malware families: Foudre, a downloader and reconnaissance tool, and Tonnerre, a secondary implant used for deeper system compromise and data exfiltration. These tools are believed to be distributed primarily through phishing campaigns. 

Recent analysis from SafeBreach reveals a previously undocumented campaign targeting organizations and individuals across multiple regions, including Iran, Iraq, Turkey, India, Canada, and parts of Europe. The operation relies on updated versions of both Foudre and Tonnerre, with the most recent Tonnerre variant observed in September 2025. Researchers noted changes in initial infection methods, with attackers shifting away from traditional malicious macros toward embedding executables directly within Microsoft Excel documents to initiate malware deployment. 

One of the most distinctive aspects of Infy’s current operations is its resilient command-and-control infrastructure. The malware employs a domain generation algorithm to rotate C2 domains regularly, reducing the likelihood of takedowns. Each domain is authenticated using an RSA-based verification process, ensuring that compromised systems only communicate with attacker-approved servers. SafeBreach researchers observed that the malware retrieves encrypted signature files daily to validate the legitimacy of its C2 endpoints.
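The mechanism described above (daily DGA candidates plus an RSA-signed "signature file" that the implant checks before trusting a domain) is easy to misread as something a defender could sinkhole by registering the predicted domains. The following added example, which is not Infy's code and whose DGA, seed, key size and candidate count are all assumptions, models the operator side and the implant side to show why that does not work: a registered-but-unsigned candidate is skipped, and a signature for one day's domain does not carry over to another. Textbook RSA on two well-known Mersenne primes is used so the script runs on the standard library alone.

```python
import hashlib
from typing import Dict, Optional

# --- Toy key material (ASSUMPTION) -------------------------------------------
# Two well-known Mersenne primes give a ~216-bit textbook-RSA modulus so the
# example needs no third-party crypto library. Infy's real key size, padding
# scheme and DGA are not described on the page; nothing here is its code.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # operator's private exponent
PUBLIC_KEY = (N, E)                    # what the implant carries

DGA_SEED = b"illustrative-seed"       # ASSUMED implant constant
DGA_TLD = ".net"                       # ASSUMED
CANDIDATES_PER_DAY = 5                 # ASSUMED


def _digest_int(data: bytes) -> int:
    # SHA-256 truncated to 160 bits so the integer is always below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Operator side: textbook RSA signature (no padding; toy only)."""
    return pow(_digest_int(data), d, n)


def verify(data: bytes, sig: int, public_key=PUBLIC_KEY) -> bool:
    """Implant side: check a downloaded signature file against the embedded public key."""
    n, e = public_key
    return pow(sig, e, n) == _digest_int(data)


def dga_domain(day: str, index: int) -> str:
    """Deterministic candidate for an ISO date ("2025-09-15") and slot index;
    operator and implant derive the same list."""
    material = DGA_SEED + day.encode() + bytes([index])
    return hashlib.sha256(material).hexdigest()[:12] + DGA_TLD


def publish_signature_file(day: str, index: int) -> Dict[str, int]:
    """Operator registers one candidate and publishes its signature file."""
    domain = dga_domain(day, index)
    return {domain: sign(domain.encode())}


def select_c2(day: str, signature_files: Dict[str, int]) -> Optional[str]:
    """Implant walks the day's candidates and accepts the first one whose
    signature file verifies. Unsigned or forged entries are skipped."""
    for index in range(CANDIDATES_PER_DAY):
        domain = dga_domain(day, index)
        sig = signature_files.get(domain)
        if sig is not None and verify(domain.encode(), sig):
            return domain
    return None


if __name__ == "__main__":
    today = "2025-09-15"
    operator = publish_signature_file(today, 2)
    # A defender who registered candidate 0 and served a bogus signature file.
    sinkhole = {dga_domain(today, 0): 0xDEADBEEF}
    print(select_c2(today, {**sinkhole, **operator}))   # the operator's domain
    print(select_c2(today, sinkhole))                    # None: sinkhole rejected
```

The practical consequence is that takedown by domain registration only denies the operator a slot; it never redirects victims, because the implant keys on the signature rather than on DNS. Defensive value comes instead from recognising the pattern: a daily burst of lookups for same-length labels followed by a small file fetch from whichever one resolves.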

Further inspection of the group’s infrastructure uncovered structured directories used for domain verification, logging communications, and storing exfiltrated data. Evidence also suggests the presence of mechanisms designed to support malware updates, indicating ongoing development and maintenance of the toolset. 

The latest version of Tonnerre introduces another notable feature by integrating Telegram as part of its control framework. The malware is capable of interacting with a specific Telegram group through its C2 servers, allowing operators to issue commands and collect stolen data. Access to this functionality appears to be selectively enabled for certain victims, reinforcing the targeted nature of the campaign. 

SafeBreach researchers also identified multiple legacy malware variants associated with Infy’s earlier operations between 2017 and 2020, highlighting a pattern of continuous experimentation and adaptation. Contrary to assumptions that the group had gone dormant after 2022, the new findings indicate sustained activity and operational maturity over the past several years. 

The disclosure coincides with broader research into Iranian cyber operations, including analysis suggesting that some threat groups operate with structured workflows resembling formal government departments. Together, these findings reinforce concerns that Infy remains a persistent espionage threat with evolving technical capabilities and a long-term strategic focus.

Iran Attacks Israeli Cybersecurity Infrastructure


Israel's National Cyber Directorate identified a series of cyberattacks targeting Israeli organisations that provide IT services to companies in the country, and said the attacks might be linked to Iran.

Earlier this month, a cyberattack against Shamir Medical Center on Yom Kippur, though largely unsuccessful, leaked emails containing sensitive patient information. The directorate attributed it to Iran and described it as an attempt to disrupt the hospital's operations.

Fortunately, the attack was mitigated before it could damage the hospital's medical record system.

The directorate found that the threat actors used stolen data to gain access to the targeted infrastructure. Most of the attacks caused no damage, though some resulted in data leaks. Thanks to prompt communication and response, the incidents were addressed quickly. “In the case of Shamir Medical Center, beyond the data leak, the very attempt to harm a hospital in Israel is a red line that could have endangered lives,” the directorate said.

European gang behind the attack

At first, a ransomware gang based in Eastern Europe claimed responsibility and posted a ransom demand with a 72-hour window. Israeli officials later determined that Iranian threat actors had launched the attack.

According to officials, the incident was part of a wider recent campaign against Israeli organisations and critical service providers. More than ten firms were hit, with attackers exploiting flaws at digital service providers in their supply chains.

According to Jerusalem Post, "Since the start of 2025, Israel has thwarted dozens of Iranian cyberattacks targeting prominent civilians, including security officials, politicians, academics, journalists, and media professionals. The Shin Bet security agency said these operations aim to collect sensitive personal data that could later be used in physical attacks within Israel, potentially carried out by locally recruited operatives."

Profero Cracks DarkBit Ransomware Encryption After Israel-Iran Cyberattack Links

 

Cybersecurity company Profero managed to break the encryption scheme used by the DarkBit ransomware group, allowing victims to restore their systems without having to pay a ransom. This achievement came during a 2023 incident response investigation, when Profero was called in to assist a client whose VMware ESXi servers had been locked by the malware. 

The timing of the breach coincided with escalating tensions between Israel and Iran, following drone strikes on an Iranian Defense Ministry weapons facility, raising suspicions that the ransomware attack had political motivations. The attackers behind the campaign claimed to represent DarkBit, a group that had previously posed as pro-Iranian hacktivists and had targeted Israeli universities. Their ransom messages included strong anti-Israel rhetoric and demanded payments amounting to 80 Bitcoin. 

Israel’s National Cyber Directorate later attributed the operation to MuddyWater, a well-known Iranian state-backed advanced persistent threat group with a history of espionage and disruption campaigns. Unlike conventional ransomware operators, who typically pursue ransom negotiations, the DarkBit actors appeared less concerned with money and more focused on causing business disruption and reputational harm, motivations that align with state-directed influence campaigns.

When the attack was discovered, no publicly available decryptor existed for DarkBit. To overcome this, Profero researchers analyzed the malware in detail and found flaws in its encryption process. DarkBit used AES-128-CBC keys created at runtime, which were then encrypted with RSA-2048 and appended to each locked file. However, the method used to generate encryption keys lacked randomness. By combining this weakness with encryption timestamps gleaned from file modification data, the researchers were able to shrink the possible keyspace to just a few billion combinations—far more manageable than expected. 

The team further capitalized on the fact that Virtual Machine Disk (VMDK) files, common on ESXi servers, include predictable header bytes. Instead of brute forcing an entire file, they only needed to check the first 16 bytes to validate potential keys. Profero built a custom tool capable of generating key and initialization vector pairs, which they tested against these known file headers in a high-powered computing environment. This method successfully produced valid decryption keys that restored locked data. 

At the same time, Profero noticed that DarkBit’s encryption technique was incomplete, leaving many portions of files untouched. Since VMDK files are sparse and contain large amounts of empty space, the ransomware often encrypted irrelevant sections while leaving valuable data intact. By carefully exploring the underlying file systems, the team was able to retrieve essential files directly, without requiring full decryption. This dual approach allowed them to recover critical business data and minimize the impact of the attack.  

Researchers noted that DarkBit’s strategy was flawed, as a data-wiping tool would have been more effective at achieving its disruptive aims than a poorly implemented ransomware variant. The attackers’ refusal to negotiate further reinforced the idea that the campaign was intended to damage operations rather than collect ransom payments. Profero has chosen not to release its custom decryptor to the public, but confirmed that it is prepared to help any future victims affected by the same malware.  

The case illustrates how weaknesses in ransomware design can be turned into opportunities for defense and recovery. It also highlights how cyberattacks tied to international conflicts often blur the line between criminal extortion and state-backed disruption, with groups like DarkBit using the guise of hacktivism to amplify their impact.

Israel and Iran Cyber War Escalates After June Conflict Despite Ceasefire

 

The long-running cyber conflict between Israel and Iran has intensified following the June war, according to a recent report by the Financial Times. Israeli officials disclosed that they began receiving suspicious text messages containing malicious links soon after the 12-day conflict. One official, speaking anonymously, confirmed that the attacks have not stopped, emphasizing that the cyber hostilities remain active despite a temporary ceasefire on the battlefield. 

Recent incidents highlight the scale of the digital confrontation. Iranian hackers have been linked to phishing campaigns targeting Israeli diplomats and government officials, while also attempting to exploit vulnerabilities in Microsoft software to infiltrate Israeli networks. 

In parallel, Israel and groups aligned with its interests have launched disruptive cyberattacks on Iran, underscoring how digital warfare has become a central element in the shadow war between the two nations. During the June conflict, Iran’s Ministry of Communications reported facing what it described as its most extensive cyberattack campaign to date, with more than 20,000 incidents in just 12 days. 

One attack temporarily disabled Iran’s air defense systems as Israeli Air Force jets launched strikes on Tehran on June 13. Israeli cybersecurity experts later described the air defense breach as a tactical move designed to give Israel an initial advantage, while stressing that intelligence gathering on Iranian military figures and nuclear scientists was the most significant outcome. 

On the other side, an Israeli-aligned hacking group known as Gonjeshke Darande claimed responsibility for siphoning around $90 million from the Iranian cryptocurrency exchange Nobitex, transferring the funds into a wallet that could not be accessed. Nobitex rejected accusations that it operated as a regime tool, though the same group also targeted two major Iranian banks, including state-owned Bank Sepah. 

These attacks reportedly crippled banking systems by disabling not only primary data but also backup and disaster recovery servers, according to Dotin, the software provider for the affected banks. Meanwhile, Iranian-backed hackers conducted cyber operations against 50 Israeli companies, including firms in logistics, human resources, and defense-related sectors.

Leaked resumes of thousands of Israeli citizens linked to defense work were published online. Attackers also attempted to manipulate Israelis by sending fake messages that appeared to come from the Home Front Command, advising civilians to avoid bomb shelters during missile strikes. Other attempts focused on breaching security camera systems to track the locations of incoming rockets. 

Despite these efforts, Israeli cybersecurity officials argue that the cyberattacks on their country have caused minimal disruption. Iran, however, appears to have suffered more significant setbacks. Senior Iranian officials acknowledged weaknesses in their systems, citing the country’s centralized data structures as a vulnerability exploited by Israeli forces. 

The scale of the damage prompted calls within Iran for urgent measures to strengthen its cyber defense capabilities. Experts believe the cyber war will continue to escalate, as it allows both sides to strike at one another without triggering immediate international backlash. Analysts note that while conventional attacks risk provoking strong responses from global powers, operations in cyberspace often proceed unchecked. 

For Israel and Iran, the digital battlefield has become a critical front in their decades-long struggle, one that persists even when guns fall silent.

Experts decoded encryption keys used by DarkBit ransomware gang

Good news for people affected by the DarkBit ransomware: experts from Profero have cracked the encryption process, allowing victims to recover their files for free without paying any ransom.

However, the company has not released the decryptor publicly. Israel's National Cyber Directorate attributed the DarkBit ransomware operation to the Iran-nexus threat group MuddyWater.

How the attack started

After a 2023 DarkBit ransomware attack that encrypted several VMware ESXi servers, Profero was brought in to respond. The attack was believed to be retaliation for drone strikes on an Iranian weapons facility. The threat actors did not negotiate the ransom and instead emphasised disrupting operations and damaging the target's reputation.

The gang posed as pro-Iran hackers and had a history of attacking Israeli agencies. In this incident, the gang asked for 80 Bitcoins and had anti-Israel messages in ransom notes. Profero, however, cracked the encryption, allowing free recovery.

How did the experts find out

While studying DarkBit, the researchers found that its AES-128-CBC key-generation routine produced weak, predictable keys. Profero used file timestamps and the known VMDK header to narrow the keyspace to a few billion possibilities, making brute force practical.

“We made use of an AES-128-CBC key-breaking harness to test if our theory was correct, as well as a decryptor which would take an encrypted VMDK and a key and IV pair as input to produce the unencrypted file. The harness ran in a high-performance environment, allowing us to speed through the task as quickly as possible, and after a day of brute-forcing, we were successful!” according to the Profero report. 

Persistent effort led to successful decryption

Having proven the approach and recovered a key, the team began brute-forcing a second VMDK. The method, however, did not scale, for the following reasons:

  • Each VMDK would require a day for the experts to decrypt
  • The harness resides in an HPC environment and is difficult to scale

“While expensive, it ended up being possible. We decided to once again take a look at any potential weaknesses in the crypto,” Profero's experts said.

The experts built a tool that walks every possible seed, derives the corresponding key and IV pair, and checks the result against the known VMDK header; this recovered the decryption keys directly. Profero also took advantage of the sparse VMDK files: because the ransomware only partially encrypted each file, most of the content was untouched, and the team recovered the most needed files straight from the underlying file systems, avoiding brute-force decryption for most of the data.
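Both DarkBit write-ups above describe the same two recovery techniques: narrowing a time-seeded key to a small window and testing each candidate against the first 16 bytes of a VMDK, and then carving intact data out of the sparse, only partially encrypted image. The following added example, which is not Profero's tool or DarkBit's code, reconstructs both on constructed input. Everything about the ransomware here is an assumption: the key and IV are derived from a one-second timestamp, only the first 4 KiB of a file is encrypted, and SHA-256 in counter mode stands in for AES-128-CBC because the standard library has no AES. The real VMDK magic "KDMV" and version field anchor the known-plaintext check; the remaining header bytes are filler.

```python
import hashlib
import math
from typing import List, Optional, Tuple

# Known-plaintext anchor. A VMware sparse-extent VMDK begins with the magic
# "KDMV" and a little-endian uint32 version; the remaining eight bytes here
# are CONSTRUCTED filler for the example, not a real header dump.
VMDK_HEADER16 = (b"KDMV" + (1).to_bytes(4, "little")
                 + b"\x03\x00\x00\x00" + b"\x00\x00\x00\x40")

ENCRYPTED_PREFIX = 4096   # ASSUMPTION: only the head of each file is encrypted
BLOCK = 4096


def derive_key_iv(seed: int) -> Tuple[bytes, bytes]:
    """ASSUMED weak key schedule: key and IV are pure functions of a
    one-second timestamp, so the key space is just the seed window."""
    raw = seed.to_bytes(8, "big")
    return (hashlib.sha256(b"key" + raw).digest()[:16],
            hashlib.sha256(b"iv" + raw).digest()[:16])


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode instead of AES-128-CBC.
    The recovery logic below depends only on the key being derivable from
    the seed, not on which cipher is used."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        ks = hashlib.sha256(key + iv + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def ransomware_encrypt(plaintext: bytes, seed: int) -> bytes:
    key, iv = derive_key_iv(seed)
    return keystream_xor(key, iv, plaintext[:ENCRYPTED_PREFIX]) + plaintext[ENCRYPTED_PREFIX:]


def recover_seed(ciphertext: bytes, mtime: int, window: int) -> Optional[int]:
    """Walk seeds backwards from the file's mtime (encryption finished at or
    just before it) and test only the first 16 bytes against the known header."""
    head = ciphertext[:16]
    for seed in range(mtime, mtime - window - 1, -1):
        key, iv = derive_key_iv(seed)
        if keystream_xor(key, iv, head) == VMDK_HEADER16:
            return seed
    return None


def decrypt_file(ciphertext: bytes, seed: int) -> bytes:
    key, iv = derive_key_iv(seed)
    return keystream_xor(key, iv, ciphertext[:ENCRYPTED_PREFIX]) + ciphertext[ENCRYPTED_PREFIX:]


def triage_blocks(data: bytes, block: int = BLOCK) -> List[str]:
    """Label each block 'zero' (sparse hole), 'high' (random-looking, i.e.
    encrypted) or 'data' (structured, recoverable without any key)."""
    labels = []
    for i in range(0, len(data), block):
        chunk = data[i:i + block]
        if chunk.count(0) == len(chunk):
            labels.append("zero")
            continue
        counts = [chunk.count(b) for b in set(chunk)]
        entropy = -sum(c / len(chunk) * math.log2(c / len(chunk)) for c in counts)
        labels.append("high" if entropy > 7.5 else "data")
    return labels


def build_sample_image() -> bytes:
    """CONSTRUCTED stand-in for a sparse VMDK: header block, a hole, then
    two blocks of guest-filesystem text."""
    return (VMDK_HEADER16 + b"\x00" * (BLOCK - 16)
            + b"\x00" * BLOCK
            + (b"guest filesystem block " * 400)[:2 * BLOCK])


if __name__ == "__main__":
    seed = 1_700_000_000                  # constructed: when the encryptor ran
    image = build_sample_image()
    locked = ransomware_encrypt(image, seed)
    found = recover_seed(locked, mtime=seed + 90, window=24 * 3600)
    print("recovered seed:", found, "| blocks:", triage_blocks(locked))
    assert decrypt_file(locked, found) == image
```

Two points carry over to real incidents. First, the cost of the search is set by the seed resolution times the window, not by the cipher's key length: a 24-hour window at one-second resolution is 86,400 candidates, and each candidate costs one 16-byte decryption rather than a whole file. Second, the entropy triage is worth running before any brute force at all, because it shows which blocks were never touched and can be carved straight out of the image.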

Iran Claims it Thwarted Sophisticated Cyberattack on its Infrastructure

 

Iran thwarted a “widespread and complex” cyberattack on Sunday that targeted the nation’s infrastructure, a senior official told Tasnim News Agency, which is affiliated with the Islamic Revolutionary Guard Corps. 

Behzad Akbari, head of the government's Telecommunications Infrastructure Company (TIC), disclosed the incident but gave no details. "One of the most widespread and complex cyber attacks against the country's infrastructure was identified and preventive measures were taken," Akbari said.

The cyber incident occurred a day after a huge explosion at Shahid Rajaei, the country's busiest commercial port, which killed at least 28 people and injured 800 more, according to police. The cause has not been determined. There is no indication that it was related to any cyber activity. 

Ambrey Intelligence, a maritime risk consultant, claims the explosion was caused by "improper handling of a shipment of solid fuel intended for use in Iranian ballistic missiles" imported from China, while Iran's defence ministry denies this. 

It comes amid ongoing talks between Iran and the United States over the Islamic Republic's contentious nuclear program, and concerns that the country will enrich uranium to the point where it could build a nuclear bomb. Iran has suffered several noteworthy cyberattacks in recent years, including those against the country's fuel distribution system in 2021 and a steel mill in June 2022, both claimed by a group calling itself Predatory Sparrow, which stated that its attacks were "carried out carefully to protect innocent individuals.”

While the Predatory Sparrow group claims to be made up of dissidents, the attack on the steel mill appeared to be carried out with sophisticated operational planning to avoid casualties, raising the possibility that it was sponsored by a foreign state agency with a risk management process. Iranian officials blamed the United States and Israel for the 2021 cyberattack on Iran's gasoline systems, but provided no evidence. 

At the time, Gholamreza Jalali, the country's civil defence chief, told state television: "We are still unable to say forensically, but analytically, I believe it was carried out by the Zionist Regime, the Americans, and their agents.” 

Jalali also claimed that the United States and Israel were responsible for a 2020 cyberattack on the Shahid Rajaei port authority's technological infrastructure, again without providing evidence. The United States and Israel are widely believed to have developed the Stuxnet worm, discovered in 2010, which was designed to sabotage Iran's nuclear program.

IOCONTROL Malware: A Threat to Critical Infrastructure in Israel and the United States

 

A newly identified malware, IOCONTROL, targets critical infrastructure in Israel and the United States. Attributed to Iranian state-linked hackers, it is built to compromise Internet of Things (IoT) devices and operational technology (OT) systems, putting essential services at risk.

This highly sophisticated and adaptive malware can infect a wide range of industrial devices, including routers, programmable logic controllers, human-machine interfaces, IP cameras, firewalls, and systems for managing fuel operations. These devices often serve as the backbone of critical infrastructure, such as fuel supply chains and water treatment facilities.

The malware’s modular design allows it to adapt its behavior based on the targeted manufacturer. Security researchers from Claroty’s Team82 uncovered IOCONTROL and classified it as a nation-state cyberweapon capable of causing large-scale disruptions. Among the manufacturers affected are D-Link, Hikvision, Unitronics, and Phoenix Contact.

How Does IOCONTROL Work?

IOCONTROL combines several features that make it hard to detect and remove:

  • Persistence: Once installed, the malware survives device reboots by installing a script that relaunches it at boot.
  • Communication: It uses the MQTT protocol over port 8883 (MQTT over TLS) to reach its command-and-control (C2) server; MQTT is common among IoT devices, so the traffic blends in with legitimate telemetry.
  • Stealth: The malware resolves its C2 domain over DNS over HTTPS (DoH), so the lookups are encrypted and bypass the local resolver and its logs.
  • Encryption: Configuration files are encrypted with AES-256-CBC, so analysts cannot read them without first recovering the key.
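Two of the traits above, MQTT over TLS on 8883 and DoH for name resolution, are individually benign on a corporate network but together are out of place coming from a PLC, HMI, IP camera or fuel controller. The following added detection example, which is not part of Claroty's report, runs that logic over constructed Zeek-style connection records. The OT address range, the resolver list and the log lines are assumptions to be replaced with your own inventory.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# ASSUMPTIONS for this example: the OT/IoT address range and the resolver
# list are illustrative; tune both to your own network and DoH policy.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
MQTT_TLS_PORT = 8883

# CONSTRUCTED Zeek-style conn records:
# ts  orig_h  orig_p  resp_h  resp_p  proto  service
SAMPLE_CONN_LOG = """\
1734000001.10\t10.20.4.17\t49152\t10.20.1.5\t502\ttcp\tmodbus
1734000002.30\t10.20.4.17\t49160\t1.1.1.1\t443\ttcp\tssl
1734000002.95\t10.20.4.17\t49161\t203.0.113.42\t8883\ttcp\tssl
1734000003.40\t10.50.7.8\t51000\t1.1.1.1\t443\ttcp\tssl
1734000004.00\t10.20.9.3\t49200\t10.20.1.5\t502\ttcp\tmodbus
"""


def is_ot_host(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)


def detect(conn_log: str) -> List[Tuple[str, str, str]]:
    """Return (rule, source, destination) for each suspicious flow.
    Rule 1: an OT/IoT host opening MQTT-over-TLS (8883) to a non-OT address.
    Rule 2: an OT/IoT host talking HTTPS to a public DoH resolver, i.e. name
    resolution that never passes through the site resolver and its logs."""
    alerts = []
    for line in conn_log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, orig_h, _orig_p, resp_h, resp_p, _proto, _service = line.split("\t")
        if not is_ot_host(orig_h):
            continue
        dst = f"{resp_h}:{resp_p}"
        if int(resp_p) == MQTT_TLS_PORT and not is_ot_host(resp_h):
            alerts.append(("ot-mqtt-tls-egress", orig_h, dst))
        if int(resp_p) == 443 and resp_h in DOH_RESOLVERS:
            alerts.append(("ot-doh-resolution", orig_h, dst))
    return alerts


def correlate(alerts: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts that trip both rules; the pairing, not either rule alone, is the
    IOCONTROL-like pattern and should be escalated first."""
    by_host: Dict[str, Set[str]] = {}
    for rule, src, _dst in alerts:
        by_host.setdefault(src, set()).add(rule)
    return sorted(host for host, rules in by_host.items() if len(rules) == 2)


if __name__ == "__main__":
    found = detect(SAMPLE_CONN_LOG)
    for rule, src, dst in found:
        print(f"{rule:22} {src} -> {dst}")
    print("escalate:", correlate(found))
```

In the constructed log only 10.20.4.17 trips both rules; the Modbus flows to the local historian and the workstation's own DoH traffic are left alone. On a real network the same two rules are a handful of lines in a Zeek script or a Suricata rule set, and the OT range should come from the asset inventory rather than a hard-coded prefix.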

Functions of the Malware

IOCONTROL is designed to perform a variety of malicious tasks, making it one of the more dangerous pieces of malware targeting critical infrastructure. Its key functions include:

  1. Collecting and Sending System Information: The malware gathers device details, such as hostname, user credentials, and model, and transmits them to its C2 server so attackers can identify and manage the device.
  2. Installation Verification: It ensures the malware is correctly installed and functioning as intended.
  3. Command Execution: Attackers can run operating system commands on infected devices, with results sent back to the C2 server.
  4. Self-Removal: To avoid detection, the malware can erase all traces, including files, scripts, and logs.
  5. Network Scanning: It scans networks for specific IP addresses and open ports, identifying new devices to infect.

These capabilities allow IOCONTROL to disrupt systems, steal sensitive information, and spread to other devices on a network.

Impact on Infrastructure

Claroty’s analysis reveals that IOCONTROL has been used to breach 200 fuel stations in the United States and Israel. In one attack, hackers infiltrated Gasboy fuel systems and point-of-sale terminals, potentially giving them control over fuel pumps and connected devices.

The hacking group CyberAv3ngers, linked to these attacks, has previously claimed responsibility for targeting water treatment facilities. These incidents underscore the malware’s ability to disrupt vital services, such as fuel and water supply, which are critical to daily life and economic stability.

Why Is This Alarming?

The IOCONTROL malware appears to be part of a larger effort by Iranian hackers to exploit vulnerabilities in industrial systems, particularly in nations perceived as adversaries. These attacks align with escalating geopolitical tensions and the growing prevalence of cyber conflicts between nations.

The malware’s modular structure makes it especially threatening, as it can be customized to target devices from multiple manufacturers. Its combination of stealth, persistence, and adaptability poses a significant challenge to global cybersecurity efforts.

Steps to Protect Systems

To mitigate the risks posed by IOCONTROL, Claroty’s report recommends the following measures for organizations managing critical infrastructure:

  • Regularly upgrade and patch device firmware.
  • Monitor network traffic for unusual activity or behavior.
  • Implement best practices in access control to minimize exposure to threats.
  • Review Claroty’s indicators of compromise (IoCs) to detect potential infections.

Conclusion

The rising number of attacks on critical infrastructure highlights the urgent need for vigilance and proactive defense measures. Organizations must take immediate steps to secure their systems against the evolving threat posed by IOCONTROL, which has already demonstrated its potential for widespread disruption.

Iran Spies on Senior Israeli Officials, Launches Over 200 Cyberattacks

Shin Bet, Israel's domestic security agency, said recently that it had identified more than 200 Iranian phishing attempts aimed at senior Israeli officials and diplomats to collect personal information. Shin Bet believes the approaches were made by Iranian actors over Telegram, WhatsApp, and email.

The threat actors tried to bait targets into downloading infected apps that would give them access to victim devices and leak personal data like location history and residential addresses.

Iran Targeting Israeli Officials

The targeted senior figures include academics, politicians, media professionals, and others.

Shin Bet said the stolen information would be used by Iran to launch attacks against Israeli nationals “through Israeli cells they have recruited within the country.” Targets were approached with an “individually tailored cover story for each victim according to their area of work, so the approach doesn’t seem suspicious.”

In one case, an attacker posing as the Cabinet Secretary lured the target by claiming he wanted to coordinate with Prime Minister Benjamin Netanyahu. Shin Bet has identified the individuals targeted in the campaign and informed them of the phishing attempts.

“This is another significant threat in the campaign Iran is waging against Israel, aimed at carrying out assassination attacks. We request heightened awareness, as cyberattacks of this type can be avoided before they happen through awareness, caution, suspicion, and proper preventative behavior online,” said a Shin Bet official.

Reasons for attack

Shin Bet said it “will continue to act to identify Iranian activity and thwart it in advance.” It believes the motive was to prepare future attacks on Israeli nationals, using the collected information and the Israeli cells recruited by Iran. The campaign marks an escalation between Iran and Israel, with assassination attempts as the end goal.

The bigger picture

The recent discovery of phishing campaigns is part of larger targeted campaigns against Israel. In September 2024, 7 Jewish Israelis were arrested for allegedly spying on IDF and Israeli security figures for Iran. 

The Times of Israel reports, “Also in September, a man from the southern city of Ashkelon was arrested on allegations that he was smuggled into Iran twice, received payment to carry out missions on behalf of Tehran, and was recruited to assassinate either Israel’s prime minister, defense minister, or the head of the Shin Bet.”