Iran-Linked APT TA450 embeds malicious links in PDF attachments

In recent campaigns, Iran-linked APT group MuddyWater used a legitimate Remote Monitoring and Management (RMM) solution called Atera.

Security Affairs

Iran-aligned threat actor #TA450 (AKA #MuddyWater #MangoSandstorm #StaticKitten) has employed new tactics. For the first time, Proofpoint researchers have observed TA450 attempt to use a malicious URL in a PDF attachment rather than directly linking the file in an email.

Security Brief: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign

In the March 7-11, 2024 phishing campaign tracked by Proofpoint, TA450 sent Hebrew language lures with PDF attachments that contained malicious links.

Targets included Israeli individuals at global manufacturing, technology, and information security companies.

Proofpoint researchers observed the same targets receive multiple phishing emails with PDF attachments that had slightly different embedded links, which led to a variety of file sharing sites. If opened and clicked, a ZIP file containing AteraAgent would be downloaded and ultimately installed.

This activity marks a turn in TA450’s tactics:

➡️ The group is attempting to deliver a malicious URL in a PDF attachment

➡️ This campaign is the first time Proofpoint has observed TA450 using a sender email account that matches the lure content

➡️ This activity continues TA450's trend of leveraging Hebrew language lures and compromised

See our security brief for ET signatures and IOCs.
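A defender-side check for the technique described above (a link carried inside a PDF attachment rather than in the email body): an added example, not code from Proofpoint or the brief, that extracts `/URI` actions from an uncompressed PDF and flags links to hosts outside an allow-list or pointing at an archive. The sample PDF bytes, the `.invalid` host and the allow-list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed minimal PDF (not a real TA450 sample): a link annotation whose
# /URI action points at a file-sharing style download of a ZIP archive.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example-filesharing.invalid/download/lure.zip) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF strings come in two syntaxes: literal "(...)" with backslash escapes, and hex "<...>".
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

def _unescape(s: bytes) -> bytes:
    # Undo the literal-string escapes that can appear inside a URL.
    return re.sub(rb"\\([()\\])", rb"\1", s)

def extract_uris(pdf: bytes) -> list:
    # Scans raw bytes only: URIs inside compressed object streams need
    # decompression with a real PDF parser first.
    uris = [_unescape(m.group(1)).decode("latin-1") for m in URI_LITERAL.finditer(pdf)]
    for m in URI_HEX.finditer(pdf):
        hexdigits = re.sub(rb"\s", b"", m.group(1))
        uris.append(bytes.fromhex(hexdigits.decode()).decode("latin-1"))
    return uris

def suspicious_uris(pdf: bytes, allowed_hosts=()) -> list:
    # Hypothetical policy: flag any link whose host is not on the allow-list,
    # and any link that fetches an archive, the delivery shape seen in this campaign.
    flagged = []
    for u in extract_uris(pdf):
        host = (urlsplit(u).hostname or "").lower()
        if host not in allowed_hosts or u.lower().endswith((".zip", ".rar", ".7z")):
            flagged.append(u)
    return flagged

if __name__ == "__main__":
    print(suspicious_uris(SAMPLE_PDF, allowed_hosts=("www.proofpoint.com",)))
```

Run it over attachments at the mail gateway and route anything flagged to manual review; this does not replace the ET signatures and IOCs in the brief.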


#introduction
I’m Josh/Yoshi.
I work as a Senior Threat Researcher hunting for state-aligned cyber threat actors (aka APTs).
I focus on threats suspected of originating in the Middle East & North Africa region, primarily Iranian-aligned threats like #TA453 (#CharmingKitten), #TA450 (#Muddywater), and #TA456 (#Tortoiseshell).

Before this, I did #threatIntel work in healthcare. Before that, I worked for the #FBI.

I live in Chicago(land) with 3 kids, 2 dogs and my beautiful wife.

I’m a huge fan of #StarWars and the #LAChargers.

This seems like a pretty cool place, excited to see how it grows.