Iran MOIS Phishes 50+ Embassies, Ministries, Int’l Orgs
Summary
Researchers attribute a short but broad phishing campaign to the Homeland Justice APT, tied to Iran’s Ministry of Intelligence (MOIS). Attackers used 104 legitimate, compromised email accounts to send convincing macro-laden Word documents to more than 50 diplomatic missions, ministries and international organisations across six continents. The dropper — delivered via VBA macros — deployed an infostealer called “sysProcUpdate” and used simple evasion tricks such as vbHide, a deceptive “.log” extension and execution delays.
Author style: Punchy — this is a high-relevance briefing that highlights how basic techniques still succeed when messages appear to come from trusted, official accounts.
Key Points
- Homeland Justice (linked to Iran MOIS) used 104 hijacked, legitimate email addresses to phish diplomatic targets worldwide.
- The campaign began on 19 Aug; the initial lure used an Oman Ministry of Foreign Affairs address and was relayed through a NordVPN exit node in Jordan.
- Attackers relied on macro-enabled Word documents that requested users enable macros to view a blurred invitation; enabling macros executed malicious VBA code.
- Malware employed basic evasion: vbHide to conceal execution, a “.log” filename extension to appear innocuous, and a “laylay” delay routine to frustrate detection.
- Targets included embassies, consulates and ministries across the Middle East, Europe, Africa, Asia and the Americas, plus international organisations such as the UN, UNODC, UNICEF, the African Union, the World Bank and humanitarian groups.
- Experts note that while macros are “old-school”, compromised legitimate accounts greatly increase credibility and click-through rates.
- At the time of reporting the attackers’ C2 infrastructure appeared inactive, suggesting the campaign was brief and possibly concluded.
Content Summary
The campaign used trusted sender addresses to increase credibility. A typical email contained a blurred document that urged recipients to enable macros; once enabled, VBA code decoded and launched a payload. The payload collected system information (sysProcUpdate) and likely aimed to enable follow-on espionage. Researchers observed simple but effective obfuscation and timing tricks designed to evade automated detection.
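The two indicators the briefing singles out, a macro that runs with vbHide and a dropped file wearing a decoy ".log" extension, are cheap to look for at a mail gateway or in a sandbox. The script below is an added example written for this summary, not code from the original report or from the researchers; it constructs a minimal macro-enabled .docx in memory and a short VBA module, then scores the module against the behaviours described above. The routine name "laylay" and the filename "sysProcUpdate" are taken from the briefing, but the macro body is constructed for illustration and is not the real dropper. It assumes the VBA source text has already been extracted from vbaProject.bin by a tool such as oletools' olevba; the rule weights and alert threshold are illustrative choices, not a published vendor scheme.

```python
"""Heuristic triage for a macro-enabled Word attachment.

Check 1: does the OOXML container carry a VBA project (word/vbaProject.bin)?
Check 2: does the macro source show the indicators the briefing names:
         hidden execution (vbHide), a decoy ".log" extension on a written file,
         a delay routine, an auto-execute entry point and a shell launch.
"""
import io
import re
import zipfile
from typing import Optional

# Constructed sample macro. "laylay" and "sysProcUpdate" are names from the
# briefing; the body is illustrative, not the campaign's actual code.
SAMPLE_VBA = r'''
Sub AutoOpen()
    laylay 30
    Dim p As String
    p = Environ("TEMP") & "\sysProcUpdate.log"
    Open p For Output As #1
    Print #1, Decode(Hidden)
    Close #1
    Shell "cmd /c " & p, vbHide
End Sub

Sub laylay(n As Integer)
    Dim t As Single
    t = Timer
    Do While Timer < t + n
        DoEvents
    Loop
End Sub
'''

# (rule name, pattern, weight). Weights and threshold are illustrative (assumed).
RULES = [
    ("auto_exec",     re.compile(r"\b(AutoOpen|Document_Open|AutoExec)\b", re.I), 2),
    ("hidden_window", re.compile(r"\bvbHide\b", re.I), 3),
    ("shell_launch",  re.compile(r"\b(Shell|WScript\.Shell|CreateObject)\b", re.I), 3),
    ("decoy_log_ext", re.compile(r'"[^"\n]*\.log"', re.I), 2),
    ("delay_routine", re.compile(r"\b(Sleep|Timer|Application\.Wait)\b", re.I), 1),
    ("file_write",    re.compile(r"\bOpen\b.+\bFor\s+(Output|Binary)\b", re.I), 2),
]
ALERT_THRESHOLD = 7


def has_vba_project(docx_bytes: bytes) -> bool:
    """True if the OOXML zip contains a VBA project part (macro-enabled document)."""
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
            return "word/vbaProject.bin" in zf.namelist()
    except zipfile.BadZipFile:
        return False  # not an OOXML container at all; leave to other checks


def score_vba(vba_source: str) -> dict:
    """Return matched indicator names, a total score and an alert flag for one module."""
    hits = [name for name, rx, _ in RULES if rx.search(vba_source)]
    score = sum(w for name, _, w in RULES if name in hits)
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML zip in memory, optionally with a VBA project stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin is an OLE compound file; a stub is enough here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")
    return buf.getvalue()


def triage(docx_bytes: bytes, vba_source: Optional[str]) -> dict:
    """Combine the container check with the macro heuristics for one attachment."""
    result = {"macro_enabled": has_vba_project(docx_bytes),
              "hits": [], "score": 0, "alert": False}
    if result["macro_enabled"] and vba_source:
        result.update(score_vba(vba_source))
    return result


if __name__ == "__main__":
    print(triage(build_sample_docx(True), SAMPLE_VBA))
```

The container check alone is a useful gate: a plain .docx has no word/vbaProject.bin, so any document that does carry one can be quarantined or routed to detonation before the source heuristics run. Scoring rather than single-pattern matching matters because each indicator on its own (a Timer loop, a Shell call) is common in legitimate macros; it is the combination of hidden launch, decoy extension and delay that mirrors the behaviour described in the briefing.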
Kevin E. Greene (BeyondTrust) and the Dream Security team emphasise that macro-based attacks have declined after Microsoft hardened defaults, but they still work when combined with legitimate, compromised senders. The operation targeted diplomatic reporting and communications — high-value intelligence for state actors seeking strategic advantage.
Context and Relevance
This incident illustrates an ongoing trend: state-backed actors increasingly combine low-tech malware with high-trust delivery vectors (compromised official accounts) to harvest credentials and intercept diplomatic communications. In the context of Iran-Israel tensions and wider geopolitical friction, access to embassy traffic and international-organisation reporting offers actionable strategic value.
For security teams, the campaign is a reminder to prioritise email account protection, multi-factor authentication, and stronger controls around macro execution and attachment handling — especially for remote outposts like embassies that may rely on local contractors or have limited cyber resources.
Why should I read this?
Because it’s a neat, blunt reminder that cyber-espionage doesn’t always need shiny new zero-days — it often just needs trust. Compromised official addresses = believable lures. If you look after diplomatic IT, run an international NGO, or work in threat intel, this quick read tells you what to watch for and why even “old-school” macros still matter. Short, relevant and worth the five minutes.