Iran-Linked Hackers Target Israel with MURKYTOUR Malware via Fake Job Campaign

Summary:
In October 2024, the Iran-aligned threat actor UNC2428 launched a social engineering campaign targeting individuals in Israel by posing as recruiters from the Israeli defense contractor Rafael. The attackers lured victims to a fake recruitment website and prompted them to download an installer, which was in fact a loader known as LONEFLEET. This tool featured a fake GUI designed to collect personal details and resumes, while simultaneously deploying the MURKYTOUR backdoor in the background using a launcher called LEAFPILE, granting persistent access to the victim's system.
Mandiant, which tracks UNC2428 and other Iranian cyber espionage operations, emphasized the growing use of deceptive GUIs to mask malicious activities. This campaign appears to overlap with operations attributed to the Iranian group Black Shadow, which is assessed to work on behalf of Iran’s Ministry of Intelligence and Security and has targeted sectors in Israel such as healthcare, finance, and government.
UNC2428 is one of several Iranian threat clusters active in 2024. Others include Cyber Toufan, which deployed the POKYBLIGHT wiper in attacks on Israel-based targets, and UNC3313, linked to MuddyWater, which distributed malware like JELLYBEAN and CANDYBOX through phishing campaigns. UNC3313 is known for leveraging legitimate remote monitoring and management tools to maintain stealth and persistence.
Security Officer Comments:
Another Iran-linked actor distributed a .NET-based backdoor called CACTUSPAL disguised as Palo Alto Networks’ GlobalProtect installer. This backdoor checks for duplicate processes before connecting to a command-and-control server. Meanwhile, groups such as UNC1549 have increasingly used cloud infrastructure and domain manipulation tactics like typosquatting to blend into enterprise environments and evade detection.
Finally, APT42, also known as Charming Kitten, has continued its credential harvesting operations using fake login pages hosted via platforms like Google Sites and Dropbox. Mandiant reported over 20 distinct malware families—droppers, downloaders, and backdoors—linked to Iranian actors in 2024, including DODGYLAFFA and SPAREPRIZE used by APT34 (OilRig) in attacks on Iraqi government networks. These campaigns reflect Iran's persistent cyber operations aligned with state interests, characterized by evolving tactics and a growing reliance on cloud-based and social engineering techniques.
Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.

Link(s):
https://thehackernews.com/2025/04/iran-linked-hackers-target-israel-with.html