An Iran-nexus spear-phishing campaign masquerading as the Omani Ministry of Foreign Affairs targeted global governments in August 2025. Attributed to Iranian-aligned operators linked to the Homeland Justice group and MOIS, the campaign used compromised mailboxes to send emails with malicious Microsoft Word attachments. The documents contained VBA macros that decoded and deployed malware payloads. The multi-wave operation targeted diplomatic and governmental entities across multiple regions, including the Middle East, Africa, Europe, Asia, and the Americas. The campaign utilized social engineering lures, anti-analysis techniques, and a reconnaissance-focused malware called sysProcUpdate. The attackers aimed to gain initial access, map internal networks, and prepare for further exploitation in diplomatic and industrial organizations.
Author: AlienVault
Related Tags:
Ethiopia
Bahrain
oman mfa
iran-nexus
diplomatic targets
sysProcUpdate
reconnaissance
rwanda
vba macro
Associated Indicators: