Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed

An exposed command and control server on RouterHosting infrastructure revealed an active Iranian-nexus intrusion campaign targeting twelve Omani government ministries. The operation primarily focused on the Ministry of Justice and Legal Affairs, deploying custom webshells that provided persistent access through April 2026. Over 26,000 user records containing judicial case data, committee decisions, and registry hives were exfiltrated. The attacker utilized ProxyShell exploits, DotNetNuke vulnerabilities, and custom Python scripts targeting Exchange servers, SQL databases, and Oracle systems. Infrastructure analysis revealed connections to spoofed Iranian diaspora media and censorship circumvention tools, with tactical overlaps indicating MOIS-linked groups such as APT34 and MuddyWater. The campaign specifically targeted judicial records, immigration systems, and citizen identity data across multiple government entities.

Pulse ID: 69fa3e5f84a20294f972fa64
Pulse Link: https://otx.alienvault.com/pulse/69fa3e5f84a20294f972fa64
Pulse Author: AlienVault
Created: 2026-05-05 19:00:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT34 #CyberSecurity #Government #InfoSec #Iran #MuddyWater #OTX #OpenThreatExchange #Proxy #Python #RAT #SQL #UK #bot #AlienVault

Targeted Iranian Attacks Against Iraqi Government Infrastructure
#APT34 #Veaty #Spearal
https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/
Targeted Iranian Attacks Against Iraqi Government Infrastructure - Check Point Research

Veaty and Spearal, a new set of malware connected to Iranian sources, were found attacking Iraqi governmental infrastructures

Check Point Research

This malware empowers attackers to exercise complete control over information stored on compromised devices within the network.

#Cybersecurity #Menorah #Malware #APT34

https://cybersec84.wordpress.com/2023/12/29/menorah-malware-exposes-middle-easts-digital-vulnerabilities/

Menorah Malware Exposes Middle East’s Digital Vulnerabilities

Security analysts from SecurityScorecard have identified a new iteration of the Menorah computer virus, which is currently targeting organizations in the Middle East. Trend Micro initially discover…

CyberSec84 | Cybersecurity news.

🔍 Join us in exploring the depths of APT34's recent phishing campaign in our latest study, "Evolution of Espionage: Unmasking APT34's SideTwist Campaign." This comprehensive analysis sheds light on the advanced tactics and the use of the SideTwist backdoor targeting Middle Eastern entities.

🌐 Dive deep into our insights and share your thoughts on this evolving cyber threat landscape.

https://arbure.com/cs_11012023.html

#ArbureInc #CyberSecurity #APT34 #SideTwist #CommunityDiscussion

Case Study - Evolution of Espionage: Unmasking APT34's SideTwist Campaign

An analysis of a recent phishing campaign led by APT34, showcasing a more advanced backdoor variant, SideTwist, primarily targeting Middle Eastern sectors, including Lebanon, since its unveiling in September 2023. The objective is to dissect the TTPs (Tactics, Techniques, and Procedures) employed by APT34, evaluate the risks posed, and offer actionable insights to the targeted sectors.

Arbure Inc.

The exact targets of these attacks are not yet known, but the use of decoys suggests that at least one of the organizations being targeted is located in Saudi Arabia.

#Cybersecurity #Iran #HackerGroup #Malware #APT34 #Menorah #OilRig

https://cybersec84.wordpress.com/2023/09/30/iranian-hackers-use-new-menorah-malware-for-covert-attacks/

Iranian Hackers Use New Menorah Malware for Covert Attacks

A highly sophisticated group of cyber actors, known as OilRig and backed by Iran, has been identified in a spear-phishing campaign that deploys a new strain of malware called Menorah. According to …

CyberSec84 | Cybersecurity news.

Their modus operandi involves spear-phishing techniques that ultimately result in the deployment of various backdoors.

#APT34 #cybersecurity #phishing

https://cybersec84.wordpress.com/2023/09/07/new-sidetwist-backdoor-and-agent-tesla-variant-delivered-via-phishing-campaigns/

New SideTwist Backdoor and Agent Tesla Variant Delivered via Phishing Campaigns

APT34, a notorious Iranian threat actor, has been linked to a new phishing attack that utilizes a backdoor variant called SideTwist. In a recent report by NSFOCUS Security Labs, it was revealed tha…

CyberSec84 | Cybersecurity news.
OilRig APT Drills into Malware Innovation with Unique Backdoor - The RDAT tool uses email as a C2 channel, with attachments that hide data and commands inside imag... more: https://threatpost.com/oilrig-apt-unique-backdoor/157646/ #steganography #helixkitten #c2channel #backdoor #paloalto #malware #oilrig #unit42 #apt34 #email #irán #rdat #apt
OilRig APT Drills into Malware Innovation with Unique Backdoor

The RDAT tool uses email as a C2 channel, with attachments that hide data and commands inside images.

Threatpost - English - Global - threatpost.com
Iran-Backed APTs Collaborate on 3-Year ‘Fox Kitten’ Global Spy Campaign - APT34/OilRig and APT33/Elfin have established a highly developed and persistent infrastructure tha... more: https://threatpost.com/iranian-apts-fox-kitten-global-spy-campaign/152974/ #criticalinfratructureespionage #criticalinfrastructure #vulnerabilities #wipermalware #websecurity #cyberattack #spycampaign #government #zerocleare #foxkitten #clearsky #malware #oilrig #hacks #apt33 #apt34 #elfin
Iran-Backed APTs Collaborate on 3-Year 'Fox Kitten' Global Spy Campaign

APT34/OilRig and APT33/Elfin have established a highly developed and persistent infrastructure that could be converted to distribute destructive wiper malware.

Threatpost - English - Global - threatpost.com

Fox Kitten – Widespread #iranian Espionage-Offensive Campaign
#APT34 #APT33

https://www.clearskysec.com/fox-kitten/

Iranian Hackers Target U.S. Gov. Vendor With Malware - APT34 has been spotted in a malware campaign targeting customers and employees of a company that w... more: https://threatpost.com/iran-hackers-us-gov-malware/152452/ #spearphishing #usgovernment #cyberattack #government #tonedeaf #malware #usiran #westat #hacks #apt34 #irán
Iranian Hackers Target U.S. Gov. Vendor With Malware

APT34 has been spotted in a malware campaign targeting customers and employees of a company that works closely with U.S. federal agencies, and state and local governments.

Threatpost - English - Global - threatpost.com