
In October 2024, the Iran-linked group UNC2428 launched a large-scale social engineering campaign targeting Israeli users, posing as recruiters from the defense firm Rafael. The operation involved the deployment of the MURKYTOUR malware through a deceptive installer named LONEFLEET, crafted to resemble a résumé submission interface. This campaign formed part of a broader cyber-espionage effort aimed at data collection and establishing long-term access to victims’ systems.
Once a user entered their details into the fraudulent form and ostensibly submitted their résumé, a background process executed on their machine, deploying the MURKYTOUR backdoor. The attackers employed a component known as LEAFPILE as the execution mechanism to maintain persistence. As Mandiant notes, the use of graphical interfaces styled after legitimate applications significantly reduces suspicion and enhances the efficacy of such attacks.
This activity echoes that of the Black Shadow group, which Israel’s National Cyber Directorate associates with Iran’s Ministry of Intelligence. Black Shadow has previously targeted Israeli entities across various sectors, including education, finance, telecommunications, transportation, healthcare, and government.
Beyond UNC2428, several other Iranian groups were active throughout 2024. Among them, Cyber Toufan deployed the destructive POKYBLIGHT malware in attacks against Israeli users, while UNC3313 specialized in phishing campaigns utilizing JELLYBEAN droppers and CANDYBOX backdoors. This group is also known to have employed up to nine legitimate remote administration tools—a tactic emblematic of the MuddyWater threat group, with which UNC3313 is believed to be affiliated.
In July 2024, yet another incident was recorded: Iranian hackers disguised the CACTUSPAL malware as an installer for the widely used Palo Alto Networks GlobalProtect VPN client. Upon execution, the fake installer covertly deployed a .NET-based backdoor, establishing a connection to an external command-and-control server.
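The CACTUSPAL case is a reminder that a VPN client installer should be verified before it is run. The following PowerShell check is an added example for this page, not code from Mandiant or from Palo Alto Networks: it confirms that the file carries a valid Authenticode signature, that the signer is the expected vendor rather than an arbitrary but valid certificate, and records the SHA-256 hash. The installer path and the expected signer substring are assumptions; confirm the signer name against a copy obtained directly from the vendor's support portal.

```powershell
# Added example (not from the report): verify a GlobalProtect installer before running it.
# $InstallerPath and $ExpectedSignerPattern are assumed values; adjust to your environment
# and confirm the signer name against a known-good copy from the vendor.
param(
    [string]$InstallerPath = 'C:\Users\Public\Downloads\GlobalProtect64.msi',
    [string]$ExpectedSignerPattern = 'Palo Alto Networks'
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}

# Record the hash first so the artifact can be matched later against vendor-published values
# or against samples seen elsewhere in the environment.
$hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -LiteralPath $InstallerPath

Write-Host "File   : $InstallerPath"
Write-Host "SHA256 : $hash"
Write-Host "Status : $($sig.Status)"

$ok = $true
if ($sig.Status -ne 'Valid') {
    # NotSigned, HashMismatch, UnknownError, etc. all mean the file cannot be trusted as-is.
    Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    $ok = $false
}
elseif ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSignerPattern)) {
    # A valid signature only proves the file is unchanged since it was signed. An attacker
    # can sign a trojanized installer with their own certificate, so the signer matters.
    Write-Warning "Signed, but by an unexpected signer: $($sig.SignerCertificate.Subject)"
    $ok = $false
}
else {
    Write-Host "Signer : $($sig.SignerCertificate.Subject)"
    Write-Host "Expires: $($sig.SignerCertificate.NotAfter)"
}

if ($ok) {
    Write-Host 'Installer passes the signature and signer checks.'
}
else {
    Write-Host 'Do not run this installer; preserve it for analysis.'
    exit 1
}
```

Run the script from an elevated or standard PowerShell session on the machine that received the file. A status of `NotSigned` or `HashMismatch` is enough to stop; a `Valid` status with an unexpected subject is the case that catches a repackaged installer signed by the attacker.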
The group UNC1549 also refined its techniques, increasingly leveraging cloud infrastructure to blend its activity into normal corporate network operations. The use of spoofed domains, cloud-hosted C2 servers, and the imitation of popular services allows the group to evade automated security mechanisms.
Meanwhile, APT42, whose activity overlaps with what is publicly tracked as Charming Kitten, continued its well-known tactic of cultivating trust with victims in order to steal credentials. It lured targets to counterfeit login pages for Google, Microsoft, and Yahoo!, redirecting them through legitimate platforms such as Google Sites and Dropbox so that the initial link looked benign.
According to Mandiant, more than 20 distinct malware families—ranging from loaders and droppers to fully functional backdoors—were deployed by Iranian threat actors in the Middle East region in 2024. Two notable examples, DODGYLAFFA and SPAREPRIZE, were identified in APT34 (OilRig) campaigns targeting Iraqi government institutions.
As Iranian cyber operations remain tightly aligned with the regime’s strategic objectives, their attack methodologies continue to evolve in sophistication, constantly adapting to advancements in defensive technologies.