All news with #iran nexus tag

🔒Former national security adviser John Bolton has been charged with mishandling classified information after prosecutors say he retained and transmitted sensitive documents via a personal AOL account that was later accessed by suspected Iranian hackers. The intruders allegedly downloaded the materials and sent extortion messages to Bolton. The case highlights questions about password strength, the use of two-step verification, and the risks of sending unencrypted, sensitive information to family members. Bolton has pleaded not guilty.

🔍 Check Point Research reports that Iranian-linked actor Nimbus Manticore has escalated cyber-espionage operations across Western Europe, with heightened targeting of organizations in Denmark, Sweden and Portugal. Attackers impersonate recruiters and use convincing fake career portals to deliver personalized credentials and malicious archives. The campaign leverages evolved backdoors—first seen as Minibike, now observed as MiniJunk and MiniBrowse—and employs multi-stage DLL sideloading into legitimate Windows binaries, including Microsoft Defender components, alongside valid code-signing certificates and compiler-level obfuscation to evade detection. Infrastructure hosted via Azure App Service and shielded by Cloudflare provides redundancy and rapid command-and-control recovery.

🛡️ Check Point Research reports that Iranian-linked threat actor Nimbus Manticore is expanding operations into Europe, focusing on the defense, telecom and aerospace sectors. The group uses fake job portals and targeted spear‑phishing to deliver malicious files disguised as hiring materials while impersonating prominent aerospace firms. Evolving toolsets such as MiniJunk and MiniBrowse enable stealthy data theft and persistent access, consistent with intelligence-collection objectives linked to IRGC priorities.

🔒 PRODAFT links a recruitment-themed espionage campaign to an Iran-affiliated cluster tracked as Subtle Snail and attributed to UNC1549 (aka TA455), reporting infiltration of 34 devices across 11 telecommunications organizations in Canada, France, the UAE, the UK and the US. Operators posed as HR recruiters on LinkedIn and delivered a ZIP-based dropper that uses DLL side-loading to install the modular backdoor MINIBIKE, which harvests credentials, browser data, screenshots, keystrokes and system details. MINIBIKE communicates with C2 infrastructure proxied through Azure services, employs anti-analysis measures and achieves persistence via registry modifications to enable long-term access and data exfiltration.

🎭 In episode 435 of Smashing Security, host Graham Cluley and guest Jenny Radcliffe discuss a sophisticated phishing campaign that used fake casting calls to lure Israeli performers, illustrating how flattering, opportunity-based lures can be as persuasive as fear-based tactics. They also cover Check Point’s findings on Iran-linked activity, the UK ICO’s warning about students hacking schools, and lighter cultural items including Endeavour and a local “Catman” story. The episode blends practical security analysis with humour and sponsored segments.

📧 Israeli cybersecurity company Dream has attributed a coordinated, multi-wave spear-phishing campaign to Iranian-aligned operators connected to Homeland Justice, targeting embassies, consulates, and international organizations globally. Attackers used geopolitical lures and 104 unique compromised sender addresses — including a hacked mailbox at the Oman Ministry of Foreign Affairs in Paris — to distribute Microsoft Word documents that prompt users to Enable Content and run embedded VBA macros. The macros drop executables that establish persistence, contact command-and-control servers, and harvest system information; ClearSky has also documented related activity and linked it to prior Iranian techniques.