Microsoft has issued a warning about a group of Iranian-backed state hackers affiliated with the APT35 Iranian cyberespionage group, also known as Charming Kitten and Phosphorus. These hackers are actively targeting high-profile employees of research organizations and universities across Europe and the United States through spearphishing attacks, deploying a newly identified backdoor malware called MediaPl. The attackers, part of the APT35 subgroup Mint Sandstorm, have been operating since November 2023, sending customized and difficult-to-detect phishing emails to individuals working on Middle Eastern affairs. The campaign’s focus is on stealing sensitive data from the breached systems of high-value targets, including researchers, professors, and journalists.
Microsoft observed Mint Sandstorm using bespoke phishing lures in attempts to socially engineer targets into downloading malicious files. In some instances, the hackers employed new post-intrusion techniques, including the use of the custom backdoor MediaPl. This malware utilizes encrypted communication channels to interact with its command-and-control server, masquerading as Windows Media Player to avoid detection. Another PowerShell-based backdoor malware, MischiefTut, aids in dropping additional malicious tools and provides reconnaissance capabilities, allowing the threat actors to run commands on compromised systems. Microsoft highlights the sophistication of these cyberespionage campaigns, emphasizing the attackers’ focus on individuals with knowledge of security and policy issues aligned with Iranian interests.
The APT35 subset, Mint Sandstorm, has a history of targeting individuals who can influence the intelligence and policy communities, such as researchers, professors, and journalists. Microsoft notes that the current campaign, with lures related to the Israel-Hamas war, may be an attempt to gather perspectives on the conflict from individuals across the ideological spectrum. The targeted high-profile individuals are considered attractive targets for adversaries seeking intelligence collection on behalf of states sponsoring such activities, like the Islamic Republic of Iran. The warning underscores the ongoing threats posed by state-backed cyberespionage groups and the importance of cybersecurity measures to protect sensitive data.
