Iranian Dream Job campaign

SUMMARY :

An Iranian campaign targeting the aerospace industry has been uncovered, distributing SnailResin malware through a 'dream job' scheme. Attributed to TA455, a subgroup of Charming Kitten, the campaign uses social engineering tactics on LinkedIn, impersonating recruiters to lure victims. The attack employs multi-stage infection chains, DLL side-loading, and leverages legitimate services like Cloudflare and GitHub to evade detection. The campaign has been active since September 2023, constantly evolving its infrastructure and malware. Similarities with North Korean Lazarus Group tactics suggest either impersonation or shared attack methods. The campaign primarily targets aerospace, aviation, and defense industries in the Middle East, especially Israel and UAE.

OPENCTI LABELS :

iran,evasion,aerospace,linkedin,dll side-loading,slugresin,dream job,charming kitten,snailresin,apt35


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Iranian Dream Job campaign