Phosphorus (aka UNC788, TA453, COBALT ILLUSION, Charming Kitten, Newscaster, Magic Hound, and APT35) is an Iran-based nation-state threat group that has been active since at least 2014. The group conducts cyberattacks against adversaries in coordination with Iran’s Islamic Revolutionary Guard Corps. It uses novel techniques to evade detection, relying on malicious PowerShell scripts. The malware operates as a remote access backdoor installed through these scripts, which then downloads further malware payloads. With multi-staged and modular toolkits, the Phosphorus toolkit is a stealthy threat against enemies of Iran. The group has also developed compromised apps by copying original apps from the Play Store. These include a birthday calendar app and an Android app disguised as a Quran app. Meta refers to this malware as “HilalRat”, since “Hilal” appears in the malware samples.
A previously unreported Iran-based hacking group has been identified by security researchers. The group is targeting the IT industry in the UAE (United Arab Emirates) and India and the energy sector in Canada, Saudi Arabia, Russia, and Italy. The telecommunications industry in Saudi Arabia and the UAE is also being targeted. Other victim countries include Germany, Israel, Norway, Iceland, and the US. The group uses social media platforms to pose as recruiters for fake organizations, using job-themed lures to trick people into clicking on malicious links or installing malware. The malware used by the group is disguised as a salary calculator, VPN app, chat app, or audiobook reader. These RATs are able to take screenshots, execute additional malware, and send files.
Journalists, democracy activists, and government critics from Azerbaijan were victims of cyber espionage and coordinated inauthentic behaviour. The attackers lacked sophistication, and researchers claim the operations were run by the Azeri Ministry of Internal Affairs. Their goal was to gather information and promote a narrative different from that of the victims.