Iranian Hackers Targeted Key US, Allied Sectors with Specialized Spear-Phishing SMS

Daksh
May 25, 2026

“Affected Industries’ Organizations must strengthen their defenses against mimicking scams.”

Palo Alto Networks

As part of Tehran's response to the U.S.-Israeli conflict, Iranian government-backed hackers are spying on "high-value sectors" in the United States and the Middle East using spear-phishing attacks and remote access Trojans (RATs).

Researchers

Palo Alto Networks' Unit 42 analysts recently found six additional RATs deployed for espionage by an Iran-affiliated group they refer to as Screening Serpens. Since the start of the conflict, the group "has increased its operations," and malware information indicates that it has attacked "targets across the U.S., Israel, and the [United Arab Emirates] as well as two additional Middle Eastern entities."

Palo Alto Networks, Aerospace, Defense, and Telecommunications Industries

Screening Serpens, which is also tracked as UNC1549, Smoke Sandstorm, and Nimbus Manticore, has "consistently set its sights on high-value sectors," according to the researchers.

Researchers

“The attackers' highly customized lures are a distinguishing feature of these latest assaults.”

“The attackers trick victims into starting the infection chain by using specialized social engineering techniques, such as phony job requisitions and spoof video conferencing meeting invitations, which expose their companies to more exploitation.”


As the conflict continues into its fourth month, the new research is the latest evidence that Iran is trying to make full use of cyberspace to retaliate against the United States and its allies.

Tehran-affiliated hacking groups have previously been observed targeting U.S. infrastructure operators and Middle Eastern local administrations.

Malware Combined with Careful Planning

The six new RATs belong to two malware families. The first, MiniUpdate, appeared in two campaigns in late March that targeted Israeli and American organizations. These were followed by a campaign in mid-April that appears to have targeted organizations in the United Arab Emirates and potentially another Middle Eastern nation.

Palo Alto Networks’ Report

The U.S. campaign used custom spear-phishing lures in which the hackers impersonated a large aviation corporation. In the Middle Eastern attacks, the hackers first impersonated a financial services company and subsequently a health care organization.


Researchers found attacks using RATs from a second malware family, MiniJunk V2, in February and March. Months of preparation and study went into the February attacks, which targeted an IT expert in the Middle East. Malware development started in late 2025, when the hackers examined the target's job-seeking efforts.

Palo Alto Networks

“After doing thorough reconnaissance, the threat actor created a personalized bait by taking advantage of the target's active job-hunting footprint.”

“The attackers presented a counterfeit recruitment URL from a reputable, authentic job site to establish credibility and force the target to carry out their payload.”

Report

As of April, Screening Serpens was still coordinating persistent, flexible worldwide cyber attacks. "Organizations should strengthen their defensive posture to prepare for potential compromise attempts as they may anticipate additional attempts in the near future."

Conclusion

Now that you know how such attacks work, you may want to prepare yourself to defend against phishing attacks. For that, you can consider Phish Next, a dedicated phishing simulation platform offered by Craw Security.

Moreover, this platform offers the best phishing simulations to train users so that they can learn how phishing attacks work and how to avoid such situations. What are you waiting for? Contact now!