Iranian Hackers Exploit Embassy Email Accounts in Coordinated Phishing Campaign
Iranian-aligned threat actors tied to the Homeland Justice cluster have carried out a coordinated, multi-wave spear-phishing campaign targeting embassies, consulates, and diplomatic organizations across the Americas, Africa, the Middle East, Asia, and Europe. Researchers at Dream reported that the group sent its messages from 104 compromised email accounts belonging to officials and pseudo-government entities, including a mailbox of the Oman Ministry of Foreign Affairs in Paris, so that the lures arrived from genuine, already-trusted senders. The lures exploited geopolitical tensions with Israel, using urgent Ministry of Foreign Affairs (MFA) themes to pressure recipients into opening malicious Microsoft Word attachments. Once opened, the documents prompted users to click "Enable Content", which ran embedded VBA macros that deployed malware capable of persistence, system reconnaissance, and command-and-control (C2) communication. That implant gave the attackers a long-term foothold and the ability to exfiltrate sensitive diplomatic data.

The campaign demonstrates both technical sophistication and a close understanding of diplomatic workflows: the messages blended into ongoing MFA correspondence rather than arriving as out-of-context requests. European embassies and African entities were among the most heavily targeted, but the operation extended globally. ClearSky independently observed the same activity and linked its tactics and obfuscation methods to prior Iranian espionage campaigns, including the 2023 targeting of Mojahedin-e-Khalq in Albania. The use of compromised legitimate accounts and careful narrative design reduced suspicion and raised delivery rates, illustrating how Iranian operators sustain access against high-value geopolitical targets, and it reinforces a growing trend of state-backed groups abusing trusted communication channels to undermine diplomatic security.
Organizations should block or disable VBA macros in email attachments (current Microsoft 365 Apps already block macros in files carrying the mark of the web by default; that default should be enforced through policy rather than left to the user), deploy email filtering tuned for spear-phishing, and monitor for anomalous outbound C2 traffic from diplomatic networks. Because the senders were real, compromised mailboxes, SPF, DKIM and DMARC checks pass; detection has to rest on the attachment and the behaviour it triggers, not on sender authentication.
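As an added example (not code from the original report or from either research team), the following Python script shows the attachment-side check a mail gateway or EDR hook can apply before a Word file reaches a user: open the OOXML container, look for an embedded VBA project, and flag a macro-bearing file that pretends to be a macro-free .docx. The sample containers it builds are constructed in memory for the demo and are not real documents; the part names and content type it looks for are the standard OOXML ones.

```python
"""Triage an Office attachment for embedded VBA before it reaches a user."""
import io
import zipfile

# Part names that only exist when a VBA project is embedded in the package.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that legitimately carry macros; any other extension with a VBA part is a mismatch.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment: has_macros, extension_mismatch, reason."""
    result = {"filename": filename, "has_macros": False,
              "extension_mismatch": False, "reason": ""}
    if not data.startswith(b"PK\x03\x04"):
        result["reason"] = "not an OOXML (zip) container"
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        result["reason"] = "corrupt zip container"
        return result
    # Check both the part list and the declared content types; either one is enough.
    vba_part = any(n in names for n in VBA_PARTS) or \
        any(n.lower().endswith("vbaproject.bin") for n in names)
    declared = MACRO_CONTENT_TYPE in content_types
    if vba_part or declared:
        result["has_macros"] = True
        result["extension_mismatch"] = not filename.lower().endswith(MACRO_EXTENSIONS)
        result["reason"] = "vbaProject.bin present" if vba_part else "macro content type declared"
    return result


def should_quarantine(filename: str, data: bytes) -> bool:
    """Policy used here: hold any macro-bearing Office attachment from an external sender."""
    return inspect_office_attachment(filename, data)["has_macros"]


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal .docx-style container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
              'package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/>')
        if with_vba:
            ct += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # A real vbaProject.bin is an OLE compound file; the header bytes are enough here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("MFA_Urgent_Notice.docx", build_sample(True)),
                       ("agenda.docx", build_sample(False))):
        print(name, inspect_office_attachment(name, blob))
```

A VBA part inside a file named .docx is a strong signal on its own, since Word strips macros when saving to that format; legacy .doc (OLE) files need a separate parser, which this example does not cover.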
TinyLoader Malware Campaign Exploits Network Shares and USB Devices to Steal Cryptocurrency
Researchers have uncovered a sophisticated TinyLoader malware campaign that spreads through multiple vectors, including network shares, USB devices, and malicious desktop shortcuts on Windows systems. The campaign has been linked to attacker infrastructure hosted in Latvia, the UK, and the Netherlands, where centralized TinyLoader panels let operators monitor infections, control payload distribution, and track stolen cryptocurrency. These panels, recognizable by the "Login – TinyLoader" title on their login pages, point to development within a malware-as-a-service ecosystem. By leveraging trusted mechanisms such as network drives and removable media, TinyLoader shows a deliberate focus on scalability, persistence, and stealth, making it particularly hazardous in enterprise environments where shared resources are common. Once deployed, TinyLoader uses multiple persistence techniques, including creating hidden copies across system directories, modifying registry entries to hijack file associations, and planting autorun scripts on infected USB devices (modern Windows no longer executes autorun.inf from removable media automatically, so this path generally depends on a user opening a disguised shortcut). Its most notable capability is a clipboard hijacker that polls the clipboard four times per second for strings shaped like cryptocurrency wallet addresses and immediately replaces them with attacker-controlled addresses, diverting funds before the user notices. Beyond theft, the malware serves as a delivery mechanism for additional payloads, including Redline Stealer and DCRat, which provide remote access, credential theft, surveillance, and full system compromise. By combining social engineering, lateral movement, and cryptocurrency theft in a single operation, TinyLoader represents an advanced and coordinated criminal effort. To mitigate the threat, organizations should restrict USB usage, monitor shared drives for newly written executables and shortcuts, deploy network monitoring to flag TinyLoader-related infrastructure, and train users to verify the full wallet address after pasting and before confirming a transaction.
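The clipboard swap is simple to describe and simple to detect if an endpoint agent records clipboard writes. The Python below is an added example, not code from the researchers or from TinyLoader: it classifies clipboard strings by wallet-address shape and raises an alert when an address is replaced by a different address of the same family within a second of being copied, which is what a 4 Hz hijacker produces. The address regexes are illustrative (they cover the common Bitcoin, Ethereum and Tron shapes but are not exhaustive), the samples are constructed, and the writing process ID is assumed to come from the OS clipboard API in a real monitor.

```python
"""Detect a clipboard-hijacking address swap from a series of clipboard samples."""
import re
from dataclasses import dataclass

# Wallet-address shapes a hijacker targets. Illustrative patterns, not a complete set.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify_address(text: str):
    """Return the wallet family a clipboard string matches, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class ClipboardSample:
    t: float          # seconds since the monitor started
    text: str         # clipboard contents after the write
    source_pid: int   # process that wrote the clipboard (assumed to be supplied by the OS API)


def detect_swaps(samples, max_gap=1.0, trusted_pids=()):
    """Flag an address silently replaced by a same-family address within max_gap seconds.
    Returns a list of (original, replacement, writer_pid) tuples."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        fam_prev, fam_cur = classify_address(prev.text), classify_address(cur.text)
        if (fam_prev and fam_prev == fam_cur and prev.text != cur.text
                and (cur.t - prev.t) <= max_gap and cur.source_pid not in trusted_pids):
            alerts.append((prev.text, cur.text, cur.source_pid))
    return alerts


def same_ends(expected: str, pasted: str, n: int = 4) -> bool:
    """The quick user-side check: compare the first and last n characters before sending."""
    return expected[:n] == pasted[:n] and expected[-n:] == pasted[-n:]


# Constructed sequence: the user copies an ETH address from a wallet app (pid 4120) and
# 0.25 s later an unknown process (pid 7788) overwrites it with a look-alike address.
SAMPLES = [
    ClipboardSample(0.00, "meeting notes", 4120),
    ClipboardSample(5.00, "0x" + "ab" * 20, 4120),
    ClipboardSample(5.25, "0x" + "cd" * 20, 7788),
    ClipboardSample(9.00, "0x" + "cd" * 20, 7788),   # unchanged, no alert
    ClipboardSample(20.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", 4120),
]

if __name__ == "__main__":
    for original, replacement, pid in detect_swaps(SAMPLES):
        print("clipboard swap by pid %d: %s -> %s" % (pid, original, replacement))
```

The first/last-character check in same_ends is the advice most users get; it is worth noting in training that attackers can generate vanity addresses that share leading and trailing characters with a target, so the full string should be compared for any large transfer.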
RapperBot Malware Hijacks Legacy Devices for Rapid DDoS Attacks
A newly uncovered RapperBot variant is actively exploiting vulnerable DVR and NVR devices to rapidly conscript them into large distributed denial-of-service (DDoS) botnets. Researchers detail a two-stage attack chain that begins with a path traversal flaw in the device's HTTP service, which lets the attacker read administrator credentials. This is followed by a malicious firmware "update" delivered over TCP port 34567. Instead of writing the payload to local storage, the malware mounts a remote NFS share and executes the binary directly from it, leaving little for a forensic examiner on the device itself while allowing reinfection within minutes of a reboot. The technique turns a common limitation of embedded devices to the attacker's advantage: many lack wget or curl but can mount NFS, so the payload can be fetched and run reliably without a download tool. RapperBot's focus on outdated or unpatched NVRs shows how legacy systems with minimal security controls remain prime entry points for large-scale compromise.

The latest variant also introduces a custom-encrypted DNS TXT record mechanism for C2 resolution, replacing hard-coded IP addresses with dynamically generated domains resolved through OpenNIC resolvers. The bot decrypts the C2 address hidden in the TXT record in memory, using a bespoke routine resembling RC4 combined with base-56 decoding, which complicates takedown efforts. Once connected, typically over ports 4444, 1935, 3478, 5000, or 37777, the botnet receives commands for rapid scanning and immediate UDP flood attacks, with observed campaigns reaching multi-terabit volumes against high-profile targets. Further analysis revealed global infrastructure spanning multiple hosting providers, periodic C2 rotation, and a payload repository that moved between hosts and added FTP and HTTP delivery for compatibility with bare-bones BusyBox environments. U.S. law enforcement disrupted parts of the botnet through Operation PowerOFF in August, but researchers caution that it will likely reemerge under new domains and infrastructure.
Mitigation requires replacing or isolating unsupported DVR/NVR hardware, enforcing strong credentials, disabling UPnP so devices cannot open their own inbound ports (and confirming TCP 34567 and the device web interface are not reachable from the internet), and monitoring DNS traffic for TXT queries from camera networks, particularly those sent to resolvers outside the organization. Outbound NFS (TCP/UDP 2049 and portmapper 111) from a camera VLAN has no legitimate purpose and should be blocked and alerted on. IDS/IPS signatures for anomalous UDP floods and brute-force scanning activity remain important for early detection of this evolving botnet.
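To make the DNS monitoring recommendation concrete, here is an added example (not from the RapperBot analysis or any vendor tool) that scores TXT lookups from a camera VLAN on four independent signals: a resolver outside the approved internal set, an alternative-root TLD of the kind OpenNIC serves, a high-entropy generated label, and an unusually large answer. The log format, resolver addresses and traffic are constructed for the demo; the alternative-root TLD list is partial and should be treated as an assumption to verify against OpenNIC's current set.

```python
"""Flag DNS TXT lookups that look like RapperBot-style C2 resolution."""
import math
from collections import Counter

# Resolvers a camera/NVR VLAN is allowed to talk to (constructed for the demo).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# TLDs served by the OpenNIC alternative root; partial list, verify before relying on it.
ALT_ROOT_TLDS = {"geek", "pirate", "oss", "dyn", "null", "indy", "bbs", "chan"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; generated labels score near log2(len)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict:
    """Parse one constructed record: ts src resolver qtype qname answer_bytes."""
    ts, src, resolver, qtype, qname, ans_len = line.split()
    return {"ts": float(ts), "src": src, "resolver": resolver, "qtype": qtype,
            "qname": qname.rstrip(".").lower(), "answer_bytes": int(ans_len)}


def score_query(rec: dict) -> list:
    """Return the reasons a TXT lookup is suspicious (empty list means benign)."""
    reasons = []
    if rec["qtype"] != "TXT":
        return reasons
    if rec["resolver"] not in APPROVED_RESOLVERS:
        reasons.append("TXT query to unapproved resolver %s" % rec["resolver"])
    labels = rec["qname"].split(".")
    if labels[-1] in ALT_ROOT_TLDS:
        reasons.append("alternative-root TLD .%s" % labels[-1])
    first = labels[0]
    if len(first) >= 12 and shannon_entropy(first) > 3.5:
        reasons.append("high-entropy label %s (H=%.2f)" % (first, shannon_entropy(first)))
    if rec["answer_bytes"] >= 200:
        reasons.append("large TXT answer (%d bytes)" % rec["answer_bytes"])
    return reasons


def find_suspicious(lines):
    """Return (src, qname, reasons) for records with at least two independent signals."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        reasons = score_query(rec)
        if len(reasons) >= 2:   # one signal alone (e.g. DMARC/ACME TXT lookups) is too noisy
            hits.append((rec["src"], rec["qname"], reasons))
    return hits


# Constructed log: two NVRs on a camera VLAN, one of them resolving generated names.
SAMPLE_LOG = """\
# ts src resolver qtype qname answer_bytes  (constructed, not real traffic)
1700000001.1 10.20.5.17 10.0.0.53 A time.example.com 16
1700000002.4 10.20.5.17 10.0.0.53 TXT _dmarc.example.com 120
1700000003.9 10.20.5.17 203.0.113.200 TXT k7x2pq9dfz3hbw4m.geek 244
1700000004.2 10.20.5.18 10.0.0.53 TXT _acme-challenge.example.com 90
1700000005.7 10.20.5.17 203.0.113.200 TXT v8q1r0j6n2ydgb5tzk.pirate 251
""".splitlines()

if __name__ == "__main__":
    for src, qname, reasons in find_suspicious(SAMPLE_LOG):
        print(src, qname, "; ".join(reasons))
```

In production the same scoring fits over a Zeek dns.log or resolver query log; the point of requiring two signals is that DMARC, SPF and ACME all use TXT records legitimately, so a single TXT query is not evidence of anything. Where the resolver is unapproved, a firewall rule that forces all device DNS through the internal resolvers removes the channel rather than just detecting it.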
Python-Based Inf0s3c Stealer Abuses Discord for Windows Data Exfiltration
Researchers have discovered Inf0s3c Stealer, a Python-based Windows malware distributed as a 64-bit executable bundled with PyInstaller and packed with UPX. Bundling with PyInstaller and compressing with UPX hides the Python source from casual inspection and defeats naive string-based signatures, although the embedded bytecode can be recovered with standard PyInstaller extraction tools once the sample is unpacked. Once executed, it enumerates system information, including CPU details, running processes, network configuration, and host identifiers, and captures screenshots at the same time. It traverses user directories, including Desktop, Documents, Pictures, and Downloads, to harvest stored files, browser credentials, cookies, autofill data, cryptocurrency wallets, and active Discord and Telegram sessions. To remain stealthy, the malware collects the data into a structured workspace, compresses it into a password-protected RAR archive, and exfiltrates it to attacker-controlled Discord webhooks, where it blends with legitimate platform traffic and passes content inspection that cannot open the encrypted archive. Its use of password-protected archives and a widely trusted service reflects a growing preference among attackers for hiding exfiltration inside normal workflows. The malware is engineered for persistence and stealth, with layered techniques to resist analysis and keep running. It performs anti-VM checks, blocks connections to antivirus update domains, inflates its file size to evade heuristics and upload limits, and can delete itself to hinder forensic recovery. Persistence is achieved through a copy placed in the Startup folder, registry Run key modifications, and optional attempts to bypass UAC. Injection into the Discord client enables ongoing token harvesting after the initial compromise. Analysts identified strong overlaps with other Python stealer families, suggesting active code reuse and modular development. Inf0s3c's blend of system reconnaissance, encrypted packaging, and covert exfiltration exemplifies how commodity malware is adopting tactics once reserved for targeted espionage.
Defenders should monitor for password-protected archive creation in user temp directories, suspicious PowerShell execution linked to Python binaries, and unexpected outbound Discord traffic. Organizations are urged to enforce endpoint visibility, apply strict egress controls, and conduct proactive user awareness campaigns to mitigate risks posed by stealthy, fast-evolving data theft malware.
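The first triage step for a suspected Python stealer is static: confirm the bundler and packer, then pull out the exfiltration endpoint so the webhook can be reported and blocked. The Python below is an added example, not the researchers' tooling: it looks for the PyInstaller archive cookie and UPX section markers, extracts Discord webhook URLs (redacting the token for safe sharing), and surfaces strings tied to the behaviours described above. The byte blob it scans is constructed to carry those markers and is not a real sample.

```python
"""Static triage of a suspected Python stealer: packer markers and webhook exfil targets."""
import re

# Cookie PyInstaller appends to the bundled archive (MEI followed by 0x0c 0x0b 0x0a 0x0b 0x0e).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# UPX leaves its signature and renames the PE sections to UPX0/UPX1.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")
WEBHOOK_RE = re.compile(
    rb"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_\-]+)")
MIN_STRING = 8
# Strings that suggest the behaviours described for this family (constructed keyword list).
KEYWORDS = ("webhook", "rar", "leveldb", "tokens")


def printable_strings(data: bytes, min_len: int = MIN_STRING):
    """ASCII strings of at least min_len characters, like the strings(1) utility."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Return bundler/packer indicators and any Discord webhook targets embedded in the file."""
    report = {
        "is_pe": data[:2] == b"MZ",
        "pyinstaller": PYINSTALLER_MAGIC in data,
        "upx": any(m in data for m in UPX_MARKERS),
        # Keep the webhook id (needed to report the endpoint) and only a hint of the token.
        "webhooks": [(wid.decode(), tok.decode()[:6] + "...")
                     for wid, tok in WEBHOOK_RE.findall(data)],
        "notable_strings": [s for s in printable_strings(data)
                            if any(k in s.lower() for k in KEYWORDS)],
    }
    packed = report["pyinstaller"] or report["upx"]
    report["verdict"] = "suspicious" if packed and report["webhooks"] else "review"
    return report


def build_sample() -> bytes:
    """Constructed byte blob imitating the markers; not a real binary."""
    parts = [
        b"MZ" + b"\x00" * 62,
        b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00",
        b"\x90" * 64,
        b"https://discord.com/api/webhooks/1234567890/AbCdEfGhIjKlMnOpQrStUv-wxyz0123",
        b"\x00" * 8,
        b"Local Storage\\leveldb",          # where the Discord client keeps tokens
        b"\x00" * 8,
        b"a.rar -hpS3cret",                  # WinRAR switch that also encrypts headers
        b"\x00" * 16,
        PYINSTALLER_MAGIC + b"\x00" * 24,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print("%-16s %s" % (key, value))
```

A UPX-packed sample will usually hide the webhook URL until it is unpacked (upx -d on an unmodified packer, or a memory dump otherwise), so a "review" verdict on a packed binary with no visible webhook is expected rather than reassuring; run the triage again on the unpacked image.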