By Tushar, cyber security content editor

A sophisticated, long-running intrusion into critical national infrastructure (CNI) in the Middle East has been uncovered and attributed to an Iranian state-sponsored threat group. Fortinet researchers characterise the operation as espionage. It persisted from May 2023 to February 2025, and evidence suggests the initial compromise may date back to May 2021.

The attackers initially gained access using stolen VPN credentials, then established persistence by deploying multiple web shells and backdoors across the victim's network. Fortinet identified an evolving arsenal of tools deployed throughout the intrusion, including both publicly available and custom-developed malware. The attack unfolded in waves, with the adversary introducing new malware and infrastructure as it expanded its foothold within the targeted organization.

Of particular concern was the deployment of novel backdoors such as HanifNet, HXLibrary, and NeoExpressRAT, which provided command execution, file operations, and system discovery capabilities. These custom tools allowed the threat actors to maintain persistent access while evading traditional detection methods. The most sophisticated of them, NeoExpressRAT, is a Golang-based backdoor with hardcoded command-and-control (C2) communication. It talks to its C2 server over encrypted channels that employ a custom obfuscation routine to evade network monitoring, giving the attackers comprehensive remote access while keeping a minimal footprint on disk.

The malware establishes persistence through scheduled tasks designed to blend in with legitimate Windows processes, using filenames that mimic system utilities. Its use of legitimate Windows directories for storage further complicates detection.

From this foothold the attackers moved systematically through the environment, bypassing network segmentation with open-source proxying tools to reach restricted systems, including some potentially connected to operational technology (OT) environments.

Even after initial containment efforts, the attackers showed remarkable determination, attempting to regain access by exploiting previously unreported vulnerabilities in ZKTeco ZKBioTime software and launching targeted phishing campaigns to steal administrator credentials. The campaign demonstrates the growing sophistication of state-backed actors in targeting essential services and infrastructure.
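The persistence technique described above (scheduled tasks whose action binary carries a system-utility name but lives in a writable Windows directory) is something a SOC can hunt for directly. The Python below is an added example, not code from Fortinet's report or from this article: it parses a constructed task export modelled on `schtasks /query /fo CSV /v` output (only the `TaskName`, `Task To Run` and `Author` columns are kept, and the column names, the utility list and the directory lists are assumptions to be tuned per environment) and flags tasks that launch a utility name from outside System32/SysWOW64 or from a writable staging directory.

```python
import csv
import io
import ntpath

# Executables worth watching for name-only masquerading. A real hunt would
# build this set from the binaries actually present under System32 (assumption).
SYSTEM_UTILITIES = {
    "svchost.exe", "conhost.exe", "dllhost.exe", "taskhostw.exe",
    "rundll32.exe", "wscript.exe", "csrss.exe", "lsass.exe", "dwm.exe",
}

# Where those utilities legitimately live.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# "Legitimate" Windows directories that are writable to ordinary tooling and
# that attackers use as staging areas (assumption; extend per environment).
WRITABLE_WINDOWS_DIRS = (
    r"c:\windows\temp", r"c:\windows\tasks", r"c:\windows\debug",
    r"c:\programdata", r"c:\users\public",
)

# Minimal environment-variable expansion so Microsoft's own task actions
# resolve to a real path before being classified.
ENV_EXPANSION = {
    "%windir%": r"c:\windows",
    "%systemroot%": r"c:\windows",
    "%programdata%": r"c:\programdata",
}

# Constructed sample, modelled on `schtasks /query /fo CSV /v` output.
# Rows 3 and 4 are the planted lookalikes; the others are benign.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Author"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Microsoft Corporation"
"\Microsoft\Windows\Servicing\StartComponentCleanup","C:\Windows\System32\svchost.exe -k netsvcs","Microsoft Corporation"
"\Microsoft\Windows\Maintenance\SystemHealth","C:\Windows\Temp\svchost.exe","SYSTEM"
"\UpdateCheck","""C:\ProgramData\Microsoft Update\conhost.exe"" -s","Administrator"
"\Backup\NightlyBackup","""C:\Program Files\Backup Tool\backup.exe"" /nightly","CORP\backupsvc"
'''


def _under(directory: str, roots) -> bool:
    """True if directory is one of roots or a subdirectory of one.

    Compared with a bare prefix test, this does not match c:\windows\system32evil.
    """
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def executable_from_action(action: str) -> str:
    """Return the normalised, lower-cased executable path of a 'Task To Run'
    value, handling both quoted paths containing spaces and bare 'path args'."""
    action = action.strip()
    if action.startswith('"'):
        exe = action[1:].split('"', 1)[0]
    else:
        exe = action.split(" ", 1)[0]
    exe = exe.lower()
    for var, value in ENV_EXPANSION.items():
        exe = exe.replace(var, value)
    return ntpath.normpath(exe)


def suspicious_reasons(action: str) -> list[str]:
    """Reasons a task action matches the masquerading pattern; empty if none."""
    exe = executable_from_action(action)
    directory, base = ntpath.split(exe)
    reasons = []
    if base in SYSTEM_UTILITIES and not _under(directory, TRUSTED_DIRS):
        reasons.append(f"{base} is a system-utility name but runs from {directory}")
    if _under(directory, WRITABLE_WINDOWS_DIRS):
        reasons.append(f"action binary is staged in writable Windows directory {directory}")
    return reasons


def hunt(schtasks_csv: str) -> dict[str, list[str]]:
    """Map each suspicious TaskName in a schtasks CSV export to its reasons."""
    findings: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        reasons = suspicious_reasons(row["Task To Run"])
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_SCHTASKS_CSV).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Against the constructed export, the two planted tasks are reported and the three benign ones (including a quoted `Program Files` path and a `%windir%`-relative Microsoft task) are not. On a real host, feed it the output of `schtasks /query /fo CSV /v` and pair each hit with the task's `Author`, creation time and the file's signature status before acting on it; the path heuristics alone are a triage aid, not proof of compromise.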
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 02 May 2025 15:50:06 +0000