CTI Analysis: Malicious Email Campaign
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
An Iran-nexus spear-phishing campaign masquerading as the Omani Ministry of Foreign Affairs targeted global governments in August 2025. Attributed to Iranian-aligned operators linked to the Homeland Justice group and MOIS, the campaign used compromised mailboxes to send emails with malicious Microsoft Word attachments. The documents contained VBA macros that decoded and deployed malware payloads. The multi-wave operation targeted diplomatic and governmental entities across multiple regions, including the Middle East, Africa, Europe, Asia, and the Americas. The campaign utilized social engineering lures, anti-analysis techniques, and a reconnaissance-focused malware called sysProcUpdate. The attackers aimed to gain initial access, map internal networks, and prepare for further exploitation in diplomatic and industrial organizations.
OPENCTI LABELS :
spear-phishing,anti-analysis,vba macro,reconnaissance,diplomatic targets,iran-nexus,oman mfa
AI COMMENTARY :
1. The CTI Analysis: Malicious Email Campaign uncovers an Iran-nexus spear-phishing operation that unfolded in August 2025. Threat actors masqueraded as the Omani Ministry of Foreign Affairs to deceive global government entities. By compromising legitimate mailboxes, they distributed weaponized Microsoft Word documents with embedded VBA macros. This initial access technique relied on convincingly authoritative lures to bypass cursory scrutiny and initiate the infection chain.
2. Attribution points to Iranian-aligned operators linked to the Homeland Justice group and the Ministry of Intelligence and Security (MOIS). These adversaries demonstrated a clear geopolitical motive to gain footholds within diplomatic and industrial organizations. The use of compromised credentials from Omani MFA accounts provided both credibility and a means to bypass common email filtering measures. Multiple waves ensured persistent engagement with victim networks over an extended period.
3. The attack methodology combined social engineering precision with technical stealth. Emails were crafted to appear as official communiqués from the Omani Ministry, complete with letterhead styling and tailored messaging for regional governments. Once a user enabled editing in the document attachment, hidden VBA macros executed a series of obfuscated commands. Anti-analysis techniques thwarted sandbox detection and slowed down automated inspection, while the payload installer quietly staged the reconnaissance tool sysProcUpdate.
4. Technical analysis reveals that the VBA macro decoded payloads stored in encoded form within the document. Upon execution, the macro invoked PowerShell scripts and deployed sysProcUpdate, a malware engineered for reconnaissance. This implant collected system metadata, enumerated network shares and running services, and exfiltrated findings to attacker-controlled infrastructure. The widespread use of obfuscation layers and conditional execution checks increased the difficulty of reverse engineering the sample.
5. The operation spanned multiple regions, targeting governments and diplomatic missions across the Middle East, Africa, Europe, Asia, and the Americas. Each wave of emails adapted its language and social context to match regional holiday calendars or diplomatic events, thereby maximizing click-through rates. The diverse target set underscores the strategic value placed on mapping internal networks and understanding victim environments prior to any further exploitation or lateral movement.
6. The campaign’s primary objectives included initial access, internal reconnaissance and the harvesting of credentials or network diagrams. By mapping communication pathways and privilege controls, the attackers positioned themselves to launch subsequent phases of disruption or espionage. The reliance on compromised trusted mailboxes highlighted a shift towards blending in with normal traffic, challenging defenders to distinguish malicious activity from legitimate correspondence.
7. Organizations can detect similar threats by monitoring for unexpected document macros, anomalous PowerShell execution tied to Word processes, and unusual outbound connections from email servers to unknown domains. Implementing strict macro policies, conducting regular mailbox audits and enabling network segmentation will limit the adversary’s ability to pivot. Timely threat intelligence sharing and analysis of sysProcUpdate artifacts can aid rapid identification and response to emerging Iran-nexus spear-phishing campaigns.
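As an added illustration of the detection guidance in point 7 (example code written for this page, not from the report or from NetmanageIT), the following walks Sysmon-style process-creation records and flags script interpreters whose ancestry leads back to an Office host, covering both a direct Word-to-PowerShell launch and a deeper chain such as the one that staged sysProcUpdate. The events, process GUIDs, user names and file paths are constructed sample data.

```python
import os

# Office hosts whose descendants deserve scrutiny (macro-capable document viewers).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script/shell interpreters a macro would typically invoke to stage a payload.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed Sysmon Event ID 1 style records; not telemetry from the real campaign.
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\analyst\Downloads\communique.docm"'},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c systeminfo"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g1",  # benign: admin shell from Explorer
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Date"},
    {"ProcessGuid": "g6", "ParentProcessGuid": "g2",  # benign: Word's print helper
     "Image": r"C:\Windows\System32\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
]

def _name(image_path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return os.path.basename(image_path.replace("\\", "/")).lower()

def office_spawned_scripts(events):
    """Return one alert per script host that descends (at any depth) from an Office host."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        if _name(e["Image"]) not in SCRIPT_HOSTS:
            continue
        # Walk up the parent chain until a root, an Office host, or a loop is reached.
        chain, cur, seen = [_name(e["Image"])], by_guid.get(e["ParentProcessGuid"]), set()
        while cur and cur["ProcessGuid"] not in seen:
            seen.add(cur["ProcessGuid"])
            chain.append(_name(cur["Image"]))
            if chain[-1] in OFFICE_HOSTS:
                alerts.append({"guid": e["ProcessGuid"], "chain": " <- ".join(chain),
                               "cmd": e["CommandLine"]})
                break
            cur = by_guid.get(cur["ParentProcessGuid"])
    return alerts

if __name__ == "__main__":
    for alert in office_spawned_scripts(SAMPLE_EVENTS):
        print(f"ALERT {alert['guid']}: {alert['chain']} | {alert['cmd']}")
```

Pairing this chain check with a macro-blocking policy and egress monitoring for the flagged hosts covers the three signals named in point 7.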