Iran-aligned threat actor #TA450 (AKA #MuddyWater #MangoSandstorm #StaticKitten) has employed new tactics. For the first time, Proofpoint researchers have observed TA450 attempt to use a malicious URL in a PDF attachment rather than directly linking the file in an email.
Security Brief: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign
In the March 7-11, 2024 phishing campaign tracked by Proofpoint, TA450 sent Hebrew-language lures with PDF attachments that contained malicious links.
Targets included Israeli individuals at global manufacturing, technology, and information security companies.
Proofpoint researchers observed the same targets receive multiple phishing emails with PDF attachments that had slightly different embedded links, each leading to one of a variety of file-sharing sites. If the recipient opened the PDF and clicked the link, a ZIP file containing AteraAgent (a legitimate remote monitoring and management agent) was downloaded and ultimately installed.
This activity marks a turn in TA450’s tactics:
➡️ The group is attempting to deliver a malicious URL in a PDF attachment
➡️ This campaign is the first time Proofpoint has observed TA450 using a sender email account that matches the lure content
➡️ This activity continues TA450's trend of leveraging Hebrew language lures and compromised
See our security brief for ET signatures and IOCs.
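The tactic above, a URL carried inside the PDF attachment rather than in the email body, is easy to miss with mail-body URL scanning alone. As an added example (not Proofpoint's code and not from the security brief), the script below pulls /URI link actions out of a PDF and triages them against a constructed file-sharing watchlist and a direct-ZIP-download check, which together match the delivery chain the post describes. The sample PDF, the watchlist domains and the hostnames are all constructed for illustration. It parses uncompressed PDF objects with a regex only; real-world PDFs often keep annotations inside FlateDecode object streams, so decompress with a proper PDF library first or run this on the inflated objects.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a minimal, uncompressed PDF with two link annotations.
# The first mimics the pattern in the post (file-sharing site serving a ZIP);
# the second is benign and exercises escaped parentheses in a PDF string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://files.example-share.test/d/abc123/invoice.zip) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://www.example.com/help\\(faq\\)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed watchlist (assumption): domains of file-sharing services you
# would not expect in legitimate mail to your organisation.
FILE_SHARING_WATCHLIST = {"example-share.test", "drop.example-cdn.test"}

# /URI followed by either a literal string (...) or a hex string <...>.
# Literal strings may contain backslash-escaped characters; nested unescaped
# parentheses (allowed by the PDF spec) are not handled here.
_URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)",
    re.DOTALL,
)

_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
        b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape_literal(raw: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\( \\) \\\\ \\n ... and octal \\ddd."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt in _ESC:
            out += _ESC[nxt]
            i += 2
        elif nxt and nxt in b"01234567":
            j = i + 1
            while j < len(raw) and j < i + 4 and raw[j:j + 1] in b"01234567":
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        else:  # backslash before any other char is simply dropped
            i += 1
    return bytes(out)


def extract_pdf_uris(pdf: bytes) -> list:
    """Return the distinct /URI targets found in uncompressed PDF objects."""
    uris = []
    for m in _URI_RE.finditer(pdf):
        if m.group("lit") is not None:
            value = _unescape_literal(m.group("lit"))
        else:
            hexdigits = re.sub(rb"\s", b"", m.group("hex"))
            if len(hexdigits) % 2:  # PDF pads an odd trailing digit with 0
                hexdigits += b"0"
            value = bytes.fromhex(hexdigits.decode("ascii"))
        uris.append(value.decode("utf-8", "replace"))
    return list(dict.fromkeys(uris))  # dedupe, keep first-seen order


def triage_uris(uris, watchlist=FILE_SHARING_WATCHLIST) -> list:
    """Flag URIs that match the observed delivery chain; returns findings."""
    findings = []
    for uri in uris:
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        reasons = []
        if any(host == d or host.endswith("." + d) for d in watchlist):
            reasons.append("host on file-sharing watchlist")
        if parts.path.lower().endswith(".zip"):
            reasons.append("direct ZIP download")
        if parts.scheme not in ("http", "https"):
            reasons.append("non-web scheme %r" % parts.scheme)
        if reasons:
            findings.append({"uri": uri, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_uris(extract_pdf_uris(SAMPLE_PDF)):
        print(f["uri"], "->", "; ".join(f["reasons"]))
```

Run it against attachments at the mail gateway or in a sandbox after inflating object streams; a hit on the watchlist plus a .zip path is a strong trigger to detonate the download and look for an RMM installer such as AteraAgent rather than just blocking the URL.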