The Iran-nexus spear-phishing campaign attack path | Image: Dream
Recently, researchers at Dream’s Threat Intelligence Team uncovered a sophisticated spear-phishing campaign that leveraged a compromised mailbox of the Ministry of Foreign Affairs of Oman. According to the report, “we attribute this campaign to Iranian-aligned operators connected to broader offensive cyber activity led by the Homeland Justice group associated with MOIS (Ministry of Intelligence and Security of Iran).”
The operation weaponized trust by sending malicious emails that appeared to come from the Omani MFA. These messages, sent via a compromised account (@fm.gov.om), were routed through a NordVPN exit node in Jordan, masking the true origin. As Dream notes, “The phishing emails were received by embassies, consulates, and international organizations across multiple regions. The subject lines referred to urgent MFA communications and conveyed authority.”
Attached to the emails were malicious Microsoft Word documents masquerading as official registration forms. When opened, recipients were prompted to enable macros—triggering a multi-stage malware infection.
The malicious documents contained VBA macros that decoded and executed an embedded payload. The report highlights:
- The macro decodes a hidden payload from a user form, writes it to a file disguised as a log, and executes it without user interaction.
- Anti-analysis functions were included, such as the laylay delay loop, designed to hinder sandbox detection.
- The decoded executable, sysProcUpdate, collected system metadata and attempted to beacon to the command-and-control (C2) server screenai.online.
Persistence was achieved by copying the binary to C:\ProgramData\sysProcUpdate.exe and modifying registry keys to maintain control across reboots.
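The infection chain above leaves a handful of host artifacts that a defender can hunt for: an Office process spawning a child, a binary dropped at C:\ProgramData\sysProcUpdate.exe, an autostart registry write pointing at it, and a DNS lookup of screenai.online. The script below is an added example, not code from Dream's report or from the malware, that runs those checks over Sysmon-style events. The event lines are constructed for this example; the Run-key path is an assumption, since the article says only that "registry keys" were modified.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators quoted in the article
C2_DOMAIN = "screenai.online"
DROPPED_BINARY = r"c:\programdata\sysprocupdate.exe"
# Assumption: the article does not name the key; Run/RunOnce is the usual
# autostart location, so the rule matches any value set underneath it.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
OFFICE_HOSTS = {"winword.exe"}

# Constructed Sysmon-style events (pipe-separated key=value), not real telemetry.
# Event IDs follow Sysmon: 1 process create, 11 file create, 13 registry value set, 22 DNS query.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\explorer.exe|ParentImage=C:\Windows\System32\userinit.exe",
    r"EventID=11|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|TargetFilename=C:\Users\alice\AppData\Local\Temp\svc.log",
    r"EventID=1|Image=C:\Users\alice\AppData\Local\Temp\sysProcUpdate.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"EventID=11|Image=C:\Users\alice\AppData\Local\Temp\sysProcUpdate.exe|TargetFilename=C:\ProgramData\sysProcUpdate.exe",
    r"EventID=13|Image=C:\ProgramData\sysProcUpdate.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\sysProcUpdate|Details=C:\ProgramData\sysProcUpdate.exe",
    r"EventID=22|Image=C:\ProgramData\sysProcUpdate.exe|QueryName=example.com",
    r"EventID=22|Image=C:\ProgramData\sysProcUpdate.exe|QueryName=screenai.online",
]


@dataclass
class Finding:
    event_id: int
    reason: str
    line: str


def parse_event(line):
    """Split one 'key=value|key=value' line into a dict; EventID becomes an int."""
    event = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    event["EventID"] = int(event.get("EventID", 0))
    return event


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return a reason string if the event matches one of the article's indicators, else None."""
    eid = event["EventID"]
    if eid == 1 and _basename(event.get("ParentImage", "")) in OFFICE_HOSTS:
        # A macro executing a dropped payload shows up as Word spawning a child process
        return "office-spawned-process"
    if eid == 11 and event.get("TargetFilename", "").lower() == DROPPED_BINARY:
        return "dropped-sysprocupdate"
    if (eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", ""))
            and "sysprocupdate" in event.get("Details", "").lower()):
        return "run-key-persistence"
    if eid == 22 and event.get("QueryName", "").lower().rstrip(".") == C2_DOMAIN:
        return "c2-dns-lookup"
    return None


def triage(lines):
    """Run every rule over every line and collect the hits in log order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reason = check_event(event)
        if reason:
            findings.append(Finding(event["EventID"], reason, line))
    return findings


def summarize(lines):
    """Count findings per reason, handy for a quick host-level verdict."""
    return dict(Counter(f.reason for f in triage(lines)))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.reason}] EventID={f.event_id}: {f.line}")
    print(summarize(SAMPLE_EVENTS))
```

The first two rules are the ones worth tuning for a real estate: Word spawning a child process is a strong signal in most diplomatic environments but needs an allow-list where add-ins launch helpers, and the file-path rule should be widened to any new executable under ProgramData rather than the one name this campaign used.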
The campaign’s scale was larger than initially thought. Dream analyzed 270 emails and found that “104 unique compromised addresses were leveraged to mask the true origin of the activity.” This shows the operation’s global ambition.
Targeting was heavily regionalized:
- Europe saw the largest volume, with 73 unique emails across embassies in Italy, France, Germany, and others.
- Africa followed, with 30 unique emails directed at countries like Ethiopia, Nigeria, and Rwanda.
- Asia, the Middle East, and the Americas were also targeted, along with international organizations such as the UN, UNICEF, and World Bank.
Notably, some lures referenced sensitive geopolitical issues, including “The Future of the region after the Iran-Israel war and the role of Arab countries in the Middle East.”
The technical evidence suggests espionage rather than financial crime. As the report states, “The sysProcUpdate malware primarily collects system metadata and beacons to a C2 server. This suggests that the initial stage aims at reconnaissance and establishing a foothold before a possible second-stage payload for data exfiltration or lateral movement.”
By compromising a legitimate diplomatic mailbox, tailoring lures to regional contexts, and using obfuscation techniques, the Homeland Justice group displayed a high level of planning and operational security.