Identified Boggy Serpens campaigns from April 2025 to February 2026 | Image: Unit 42
A new assessment from Unit 42 reveals a significant maturation in the tactics of Boggy Serpens, an Iranian nation-state cyberespionage group linked to the Ministry of Intelligence and Security (MOIS). Long known for high-volume but low-sophistication “noisy” phishing, the group has pivoted toward stealthy, multi-wave campaigns targeting critical energy, maritime, and financial sectors.
The report highlights a group that has moved beyond simple social engineering to embrace modern development tools, including AI-generated code and the Rust programming language, to maintain long-term persistence within strategic targets.
The defining characteristic of Boggy Serpens’ current strategy is the exploitation of hijacked accounts to bypass traditional security perimeters. By taking over official government or corporate mailboxes, the group sends malware that sails past reputation-based filters.
“Boggy Serpens misuses established credibility to deliver malware that evades standard reputation-based filtering.”
In one notable instance, the group hijacked a mailbox belonging to the Omani Ministry of Foreign Affairs to distribute “official” diplomatic communications to other foreign ministries. Because the emails originated from an authenticated, internal account, they were assigned negative spam confidence scores (in Exchange Online an SCL of -1 means the message skipped spam filtering altogether because it came from a trusted or internal sender), so the reputation-based layer never evaluated the attachments at all.
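To make that filtering gap concrete, here is an added example (not from the Unit 42 report) that triages a message the way a post-delivery script or mail-flow hook could: it reads the Exchange Online spam confidence level from the `X-MS-Exchange-Organization-SCL` header (falling back to the `SCL:` field of `X-Forefront-Antispam-Report`), treats SCL -1 (filtering skipped) as a signal rather than a verdict, and flags the message only when it also carries a macro-capable attachment. The two sample messages, the sender and recipient addresses, and the attachment names are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions that can carry VBA macros. The Office 2007+ "m" formats always
# can; the legacy binary formats can too, so both are treated as risky here.
MACRO_CAPABLE_EXTS = {
    ".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam",
    ".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot",
}

# Constructed sample: "official" mail from an internal/allow-listed sender that
# skipped filtering (SCL -1) and carries a macro-enabled Word document.
TRUSTED_SENDER_MESSAGE = b"""From: Protocol Office <protocol@ministry.example>
To: desk@foreignministry.example
Subject: Diplomatic note - please review
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthAs: Internal
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the attached note and enable editing to view it.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Note_2026.docm"
Content-Disposition: attachment; filename="Note_2026.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""

# Constructed control: the same attachment from an external sender that was
# actually scored by the filter, so normal spam handling applies.
EXTERNAL_MESSAGE = b"""From: Someone <someone@external.example>
To: desk@foreignministry.example
Subject: Diplomatic note - please review
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:XX;SCL:5;SRV:;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Note_2026.docm"
Content-Disposition: attachment; filename="Note_2026.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b2--
"""


def spam_confidence_level(msg: EmailMessage):
    """Return the Exchange Online SCL as an int, or None if no SCL is present.

    SCL -1 means the message skipped spam filtering (internal, allow-listed or
    safe-sender mail), which is exactly what a hijacked mailbox produces.
    """
    raw = msg.get("X-MS-Exchange-Organization-SCL")
    if raw is None:
        m = re.search(r"SCL:(-?\d+)", msg.get("X-Forefront-Antispam-Report", ""))
        raw = m.group(1) if m else None
    return int(raw) if raw is not None else None


def macro_capable_attachments(msg: EmailMessage) -> list:
    """Filenames of attachments whose format can carry macros."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_CAPABLE_EXTS:
            names.append(name)
    return names


def triage_message(raw: bytes) -> dict:
    """Combine 'filtering was skipped' with 'payload can execute code'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    scl = spam_confidence_level(msg)
    macros = macro_capable_attachments(msg)
    skipped = scl is not None and scl < 0
    return {
        "from": msg.get("From", ""),
        "scl": scl,
        "skipped_filtering": skipped,
        "macro_attachments": macros,
        # Neither signal alone is enough; together they are the hijacked-
        # mailbox pattern the report describes and deserve a human look.
        "needs_review": skipped and bool(macros),
    }


if __name__ == "__main__":
    for sample in (TRUSTED_SENDER_MESSAGE, EXTERNAL_MESSAGE):
        print(triage_message(sample))
```

The point of the check is the combination: an SCL of -1 is normal for internal mail, and macro-capable attachments are normal in many organizations, but a message that was never scored and carries executable content is the case reputation filtering structurally cannot catch, so it should be routed to detonation or analyst review rather than trusted on the strength of its sender.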
The group’s relentless nature is best illustrated by a six-month, four-wave campaign against a single national marine and energy company in the UAE.
- Wave 1 (Engineering): Targeted project engineers with deliberately blurred documents full of subsea pipeline terminology, designed to push the victim into clicking the “Enable Content” prompt.
- Wave 2 (Financial): Mimicked internal financial records, including references to “Payroll Payments via WPS” and local AED currency.
- Wave 3 (Travel): Sent a personalized Air Arabia flight reservation in Word format, likely using intelligence gathered from previous email exfiltration.
- Wave 4 (Logistics): Deployed a “Consumption Report” Excel file to deliver a new custom HTTP backdoor family known as Nuso.
Boggy Serpens has aggressively upgraded its toolkit to include Rust-based backdoors such as BlackBeard and LampoRAT. Rust binaries tend to be large, statically linked and heavily inlined, and they are less familiar to analysts and less covered by existing signatures than the usual C/C++ or .NET tooling, so they are harder to reverse engineer and detect; the same source also builds cleanly for multiple platforms.
Furthermore, Unit 42 found evidence that the group uses generative AI to speed up its development cycles. Analysts noted emojis in command dispatchers, such as “☑ CD to”, a stylistic tell commonly associated with code generated by Large Language Models (LLMs).
“This combination of social engineering and rapidly developed tools creates a potent threat profile.”
The report warns that the group’s ability to pivot between sectors, together with its shift toward manual, human-led triage of infected hosts, makes it a high-risk actor for regional disruption.
To counter this threat, Unit 42 recommends that organizations look beyond sender reputation and focus on behavioral anomalies. Strict macro execution policies (blocking macros in documents that arrived from the internet or by mail, and allowing only signed, trusted macros) and behavioral monitoring of endpoint processes are essential to catching these evolving payloads before they establish a permanent foothold.
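The behavioral-monitoring recommendation, illustrated with an added example that is not from the Unit 42 report: a small detector over constructed Sysmon-style process-creation events (the field names `ProcessGuid`, `ParentProcessGuid`, `Image`, `ParentImage` and `CommandLine` are assumed; adapt them to your EDR or SIEM schema). Rather than only matching a direct Office-parent/script-child pair, it walks the process tree, so an Office application that launches a script host through an intermediate `cmd.exe` is still attributed to the document that started it. The events, paths and command lines are constructed for illustration.

```python
import json

# Office applications that should almost never be the origin of a script host.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Interpreters and living-off-the-land binaries a macro typically reaches for.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# How many parent hops to follow before giving up (bounds the walk on
# incomplete data and on pathological trees).
MAX_DEPTH = 4

# Constructed sample: explorer opens Word on a downloaded .docm, Word spawns
# cmd, cmd spawns encoded PowerShell; chrome and the print helper are benign.
SAMPLE_EVENTS_JSONL = r"""
{"ProcessGuid":"E1","ParentProcessGuid":"U1","Image":"C:\\Windows\\explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","CommandLine":"explorer.exe"}
{"ProcessGuid":"W1","ParentProcessGuid":"E1","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"WINWORD.EXE\" /n \"C:\\Users\\eng\\Downloads\\Pipeline_Survey.docm\""}
{"ProcessGuid":"C1","ParentProcessGuid":"W1","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"cmd.exe /c start /min powershell -w hidden -enc SQBFAFgA"}
{"ProcessGuid":"P1","ParentProcessGuid":"C1","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"powershell -w hidden -enc SQBFAFgA"}
{"ProcessGuid":"B1","ParentProcessGuid":"E1","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"chrome.exe"}
{"ProcessGuid":"S1","ParentProcessGuid":"W1","Image":"C:\\Windows\\splwow64.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"C:\\Windows\\splwow64.exe 12288"}
"""


def load_events(jsonl: str) -> list:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_ancestry(event: dict, by_guid: dict, max_depth: int = MAX_DEPTH):
    """Return the chain of image names from the nearest Office ancestor down to
    this event's parent, or None if no Office process is found within max_depth.
    """
    chain = []
    cur = event
    for _ in range(max_depth):
        parent = by_guid.get(cur["ParentProcessGuid"])
        if parent is None:
            # Parent is outside our event window: fall back to the ParentImage
            # field for a final one-hop check, then stop.
            name = image_name(cur["ParentImage"])
            chain.append(name)
            return list(reversed(chain)) if name in OFFICE_IMAGES else None
        name = image_name(parent["Image"])
        chain.append(name)
        if name in OFFICE_IMAGES:
            return list(reversed(chain))
        cur = parent
    return None


def detect_office_spawns(events: list) -> list:
    """Alert on every suspicious child that descends from an Office process."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        child = image_name(e["Image"])
        if child not in SUSPICIOUS_CHILDREN:
            continue
        chain = office_ancestry(e, by_guid)
        if chain:
            alerts.append({
                "guid": e["ProcessGuid"],
                "chain": chain + [child],
                "command_line": e["CommandLine"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_spawns(load_events(SAMPLE_EVENTS_JSONL)):
        print(" -> ".join(alert["chain"]), "|", alert["command_line"])
```

A rule keyed only on `ParentImage` would catch `winword.exe -> cmd.exe` but would see the PowerShell launch as an ordinary `cmd.exe -> powershell.exe` pair; resolving ancestors through `ParentProcessGuid` keeps the document-opening process in the alert. In production, enrich the alert with the document path from the Office process's command line and allow-list known benign Office children (the print helper above never fires because it is not a script host, but environments that legitimately script from Excel will need explicit exceptions).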