Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics, including web shells, custom malware, and legitimate tools, to maintain persistent access across multiple network segments. Key findings include the use of novel malware families such as HanifNet and NeoExpressRAT, as well as extensive credential harvesting and lateral movement techniques. The intrusion demonstrated sophisticated evasion capabilities and targeted attempts to access operational technology networks. Forensic analysis revealed potential links to previously reported Iranian APT campaigns. The report provides detailed technical indicators and recommends enhanced logging, EDR deployment, and multi-factor authentication to defend against similar threats.

Author: AlienVault

Related Tags: web shells, proxy chaining, cve-2023-38952, hanifnet, cve-2023-38951, hxlibrary, remoteinjector, cve-2023-38950, credinterceptor

Associated Indicators: