A previously unidentified Iranian threat actor has emerged with sophisticated social engineering tactics aimed at academics and foreign policy experts across the United States.

Operating between June and August 2025, this campaign demonstrates the evolving landscape of state-sponsored cyber espionage, where attackers blend traditional phishing techniques with legitimate remote management tools to compromise high-value targets.

The operation, tracked as UNK_SmudgedSerpent, represents a concerning development in Iranian cyber operations, showcasing advanced technical capabilities and patient reconnaissance methods.

The threat actor initiated contact through seemingly benign emails discussing sensitive topics such as Iran’s economic crisis, societal reform, and IRGC militarization.

These carefully crafted messages impersonated prominent figures like Dr. Suzanne Maloney from the Brookings Institution and Patrick Clawson from the Washington Institute, using freemail accounts with slight misspellings to evade detection.

Targets received collaboration requests on research projects examining domestic Iranian political developments, designed to establish trust before transitioning to malicious activities.

Proofpoint security researchers identified UNK_SmudgedSerpent after investigating suspicious email activity targeting over 20 individuals at a US-based think tank.

The campaign revealed overlapping tactics with known Iranian groups including TA455, TA453, and TA450, creating attribution challenges.

Researchers noted the actor’s use of health-themed infrastructure domains such as thebesthomehealth[.]com and mosaichealthsolutions[.]com, along with OnlyOffice file-hosting platform spoofs to deliver malicious payloads.

These domains functioned as redirection points, masquerading as legitimate cloud collaboration services.

The infection chain began with credential harvesting attempts using customized Microsoft 365 login pages that pre-loaded victim information.

When initial phishing attempts failed, the attackers adapted their approach, removing password requirements and presenting spoofed OnlyOffice login portals.

Once targets accessed these fraudulent pages, they encountered document repositories hosting seemingly legitimate PDFs alongside malicious ZIP archives containing MSI files.

Dual RMM Deployment and Persistent Access

The technical execution revealed a sophisticated multi-stage approach centered on remote management and monitoring software abuse.

Upon downloading and executing the malicious MSI file from the compromised OnlyOffice spoof, victims unknowingly installed PDQConnect, a legitimate RMM tool commonly used for IT administration.

This initial deployment established baseline access to victim systems, allowing threat actors to conduct reconnaissance and assess target value.

Following the PDQConnect installation, researchers observed suspected hands-on-keyboard activity where attackers leveraged their initial access to deploy a secondary RMM solution called ISL Online.

This sequential deployment strategy remains partially understood, though analysts suggest it may serve as redundancy or specialized functionality for different operational phases.

The use of legitimate commercial RMM tools, rather than custom malware, provides operational security advantages by blending malicious traffic with normal IT management activities and evading signature-based detection systems.

The campaign’s infrastructure analysis revealed server configuration similarities between UNK_SmudgedSerpent domains and previously identified TA455 operations, particularly the career-themed domain ebixcareers[.]com displaying fake Teams portals.

Additional investigation uncovered files hosted on related infrastructure, including TA455’s custom backdoor MiniJunk and another MSI loader for PDQConnect, further complicating attribution.

Since early August 2025, no additional activity from this actor has been observed, though related infrastructure likely remains operational for future campaigns targeting Iranian foreign policy experts and academic institutions.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Iranian Hackers Targeting Academics and Foreign Policy Experts Using RMM Tools appeared first on Cyber Security News.

North Korean threat actors are evolving their attack strategies by leveraging developer-focused tools as infection vectors.

Recent security discoveries reveal that Kimsuky, a nation-state group operating since 2012, has been utilizing JavaScript-based malware to infiltrate systems and establish persistent command and control infrastructure.

The threat group traditionally focuses on espionage operations against government entities, think tanks, and subject matter experts, but this latest campaign demonstrates their expanding technical capabilities and supply chain targeting sophistication.

The attack chain begins with a simple yet effective delivery mechanism: a JavaScript file named Themes.js that serves as the initial dropper.

Unlike heavily obfuscated malware, this sample employs straightforward code wrapped in a try-catch block, prioritizing functionality over stealth.

The file initiates contact with an adversary-controlled infrastructure hosted on medianewsonline[.]com, a domain infrastructure service that allows threat actors to create subdomains for malicious purposes.

This infrastructure choice reflects the attacker’s understanding of legitimate hosting services that security systems often whitelist or overlook.

Pulsedive security researchers noted the sophistication of the multi-stage attack architecture during their analysis of the infection chain.

The malware operates through a cascading payload delivery system, where each stage downloads and executes subsequent components.

The initial JavaScript file sends a GET request to iuh234[.]medianewsonline[.]com/dwnkl.php, transmitting the compromised machine’s hostname and a hardcoded authentication key.

This reconnaissance phase allows attackers to identify high-value targets before deploying additional payloads to selected systems.

Dissecting the Infection Chain

The second stage represents the reconnaissance backbone of the campaign, collecting critical system information for further exploitation.

When the C2 server responds to the initial GET request, it delivers another JavaScript payload containing five functions that systematically enumerate the infected system’s environment.

The malware executes commands to gather system information, including hardware specifications and network configuration details.

It then retrieves a comprehensive list of all running processes, providing attackers with insight into installed security software and legitimate applications that might interfere with payload execution.

The reconnaissance phase also enumerates files within C:\Users directory, targeting user profiles and identifying potentially valuable data or configuration files.

Each command’s output gets packaged into cabinet (.cab) files and exfiltrated via POST requests to the same C2 server.

The malware demonstrates technical sophistication by modifying the HKCU\Console\CodePage registry key to UTF-8 encoding, ensuring proper text handling during data collection.

Temporary files are systematically deleted after exfiltration, implementing basic operational security practices that hinder forensic analysis.

Persistence mechanisms reveal the attackers’ commitment to long-term access.

The malware writes itself to %APPDATA%\Microsoft\Windows\Themes\Themes.js and creates a scheduled task named Windows Theme Manager that executes the JavaScript dropper every minute using wscript.exe.

This approach leverages legitimate Windows scheduling utilities to maintain command and control connectivity without requiring elevated privileges, making detection more difficult for defenders relying on privilege escalation alerts.

The campaign’s final stage introduces a Word document delivery component, potentially serving as a social engineering lure.

However, security researchers found the document remained empty without embedded macros, suggesting it may function as a placeholder or secondary infection vector for specific targets.

The complete infection chain demonstrates calculated malware engineering designed to evade traditional detection while establishing resilient persistence across multiple execution mechanisms.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors May Abuse VS Code Extensions to Deploy Ransomware and Use GitHub as C2 Server appeared first on Cyber Security News.

Security researchers have uncovered a sophisticated new malware family targeting enterprise environments through a supply chain compromise.

The malware, tracked as Airstalk, represents a significant shift in how attackers exploit legitimate enterprise management tools to evade detection and maintain persistent access to compromised systems.

This discovery highlights the growing vulnerability of business process outsourcing organizations and third-party vendors who manage critical infrastructure on behalf of larger enterprises.

Airstalk operates in two distinct variants, PowerShell and .NET, with both versions leveraging the AirWatch API, now known as VMware Workspace ONE Unified Endpoint Management.

The malware’s primary distinction lies in its abuse of legitimate mobile device management infrastructure to establish command-and-control communications, allowing attackers to remain invisible to traditional security monitoring systems.

This technique enables adversaries to hide malicious traffic within legitimate management API calls, effectively bypassing network-based detection mechanisms that organizations typically rely on.

Palo Alto Networks security analysts identified the malware after discovering evidence suggesting a possible nation-state threat actor deployed Airstalk through a carefully orchestrated supply chain attack.

The research team created the threat activity cluster CL-STA-1009 to track ongoing activities related to this malware family.

The malware’s sophisticated design and multi-threaded architecture suggest substantial investment in development resources, consistent with nation-state threat actors who prioritize long-term persistence over quick operational gains.

The discovered samples demonstrate advanced capabilities including data exfiltration of sensitive browser information, screenshot capture, and sophisticated persistence mechanisms.

Both variants target Google Chrome, though the more advanced .NET variant extends its reach to Microsoft Edge and Island Browser.

The malware creates a modular framework where threat actors can selectively implement or disable specific functions, providing flexibility in operations and potentially serving as a development platform for future variants.

Covert C2 Communication Through AirWatch Dead Drop Mechanism

The most innovative aspect of Airstalk involves its implementation of a dead drop communication channel using the AirWatch MDM API’s custom device attributes feature.

Rather than establishing direct connections to attacker infrastructure, the malware exchanges JSON-formatted messages through the legitimate MDM platform, effectively using enterprise management tools as intermediaries for command transmission and exfiltration.

The communication protocol operates through specific API endpoints, with the malware querying the devices endpoint (/api/mdm/devices/) to retrieve and store command information.

Messages contain required fields including CLIENT_UUID, derived from Windows Management Instrumentation data, and SERIALIZED_MESSAGE, containing Base64-encoded JSON payloads.

This design allows the malware to maintain operational security by avoiding direct network connections to suspicious infrastructure.

The C2 protocol uses message types for different operational stages, including CONNECT for initial communication, CONNECTED for acknowledgment, ACTIONS for task retrieval, and RESULT for exfiltration.

The malware also leverages the AirWatch blob upload endpoint (/api/mam/blobs/uploadblob) for transferring larger data sets, such as screenshots and stolen credentials, further obscuring malicious activity within routine management operations.

This sophisticated approach transforms trusted enterprise tools into channels for espionage, presenting organizations with an unprecedented detection challenge.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Airstalk Malware Leverages AirWatch API MDM Platform to Establish Covert C2 Communication appeared first on Cyber Security News.

A sophisticated Remote Access Trojan labeled EndClient RAT has emerged as a significant threat targeting human rights defenders in North Korea, marking another escalation in advanced malware operations attributed to the Kimsuky threat group.

This newly discovered malware represents a concerning shift in attack sophistication, utilizing stolen code-signing certificates to evade antivirus protections and bypass Windows SmartScreen warnings.

The threat was first identified when a prominent North Korean human rights activist reported suspicious activity on her compromised account, triggering a broader investigation that uncovered the campaign’s scope and technical capabilities.

The attack chain demonstrates meticulous social engineering tactics combined with legitimate-looking delivery mechanisms.

The malware arrives through a deceptively named Microsoft Installer package titled “StressClear.msi,” which had been code-signed using stolen credentials from Chengdu Huifenghe Science and Technology Co Ltd, a Chinese mineral excavation company.

The threat actors engaged in direct, methodical conversations with targeted individuals, instructing them to download and execute the MSI file.

This approach proved effective, with at least 40 confirmed targets identified across the human rights community, though the full scope of the campaign remains unknown due to minimal antivirus detection rates.

0x0v1 security analysts and researchers noted that the malware demonstrates a blend of genuine software components alongside malicious payloads, creating an intricate deception that complicates detection and analysis.

Upon execution, the MSI bundle installs a legitimate South Korean banking authentication module called Delfino from WIZVERA VeraPort, potentially serving as a decoy to establish legitimacy.

Concurrently, the installer deploys a heavily obfuscated AutoIT script wrapped within the genuine AutoIt3.exe binary, allowing the malware to execute in memory while maintaining a low profile against security tools.

The combination of trusted processes and stolen signatures essentially grants the malware unauthorized system access without triggering conventional security alerts.

Technical Persistence and Detection Evasion

The EndClient RAT employs multiple layers of persistence mechanisms designed to survive system reboots and resist removal attempts.

Once installed, the malware establishes persistence through a scheduled task named “IoKlTr” that executes every minute from the Public\Music directory.

The malware creates a globally named mutex identifier (Global\AB732E15-D8DD-87A1-7464-CE6698819E701) to prevent multiple instances from running simultaneously, preventing resource exhaustion that might trigger detection.

When the malware detects Avast antivirus presence, it generates polymorphic variations of itself by injecting garbage data and creating new filenames, demonstrating adaptive evasion capabilities.

The malware also registers a startup link that launches the malicious AutoIT payload during user login, ensuring consistent execution across restarts.

Communication with command-and-control infrastructure occurs through TCP socket connections using a custom protocol with JSON-based messaging framed by sentinel markers (“endClient9688” and “endServer9688”), allowing the malware to receive commands for shell execution, file downloads, and data exfiltration.

This technical architecture reveals sophisticated understanding of Windows internals and demonstrates how modern malware continues to abuse legitimate tools and signing mechanisms to bypass security defenses that organizations depend upon for protection.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New EndClient RAT Attacking Users by Leveraging Stolen Code-Signing to Bypass AV Detections appeared first on Cyber Security News.