An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.
The activity, which lasted from at least May 2023 to February 2025, entailed “extensive espionage operations and suspected network prepositioning – a tactic often used to maintain persistent access for future strategic advantage,” the FortiGuard Incident Response (FGIR) team said in a report.
The network security company noted that the attack exhibits tradecraft overlaps with a known Iranian nation-state threat actor called Lemon Sandstorm (formerly Rubidium), which is also tracked as Parisite, Pioneer Kitten, and UNC757.
It’s been assessed to be active since at least 2017, striking aerospace, oil and gas, water, and electric sectors across the United States, the Middle East, Europe, and Australia. According to industrial cybersecurity company Dragos, the adversary has leveraged known virtual private network (VPN) security flaws in Fortinet, Pulse Secure, and Palo Alto Networks to obtain initial access.
Last year, U.S. cybersecurity and intelligence agencies pointed fingers at Lemon Sandstorm for deploying ransomware against entities in the U.S., Israel, Azerbaijan, and the United Arab Emirates.
The attack analyzed by Fortinet against the CNI entity unfolded over four stages starting from May 2023, employing an evolving arsenal of tools as the victim enacted countermeasures –
15 May, 2023 – 29 April, 2024 – Establishing a foothold by using stolen login credentials to access the victim’s SSL VPN system, drop web shells on public-facing servers, and deploy three backdoors, Havoc, HanifNet, and HXLibrary, for long-term access
30 April, 2024 – 22 November, 2024 – Consolidating the foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim’s emails, and conducting lateral movement to the virtualization infrastructure
23 November, 2024 – 13 December, 2024 – Deploying more web shells and two more backdoors, MeshCentral Agent and SystemBC, in response to initial containment and remediation steps undertaken by the victim
14 December, 2024 – Present – Attempts to infiltrate the network again by exploiting known Biotime vulnerabilities (CVE-2023-38950, CVE-2023-38951, and CVE-2023-38952) and spear-phishing attacks aimed at 11 of the employees to harvest Microsoft 365 credentials after the victim successfully removed adversary’s access
It’s worth noting that both Havoc and MeshCentral are open-source tools that function as a command-and-control (C2) framework and remote monitoring and management (RMM) software, respectively. On the other hand, SystemBC refers to a commodity malware that often acts as a precursor to ransomware deployment.
A brief description of the custom malware families used in the attack is below –
HanifNet – An unsigned .NET executable that can retrieve and execute commands from a C2 server (First deployed in August 2023)
HXLibrary – A malicious IIS module written in .NET that’s designed to retrieve three identical text files hosted on Google Docs to fetch the C2 server and send web requests to it (First deployed in October 2023)
CredInterceptor – A DLL-based tool that can harvest credentials from the Windows Local Security Authority Subsystem Service (LSASS) process memory (First deployed in November 2023)
RemoteInjector – A loader component that’s used to execute the next-stage payload like Havoc (First deployed in April 2024)
RecShell – A web shell used for initial reconnaissance (First deployed in April 2024)
NeoExpressRAT – A backdoor that retrieves a configuration from the C2 server and likely uses Discord for follow-on communications (First deployed in August 2024)
DropShell – A web shell with basic file upload capabilities (First deployed in November 2024)
DarkLoadLibrary – An open-source loader that’s used to launch SystemBC (First deployed in December 2024)
The links to Lemon Sandstorm come from C2 infrastructure – apps.gist.githubapp[.]net and gupdate[.]net – previously flagged as associated with the threat actor’s operations conducted over the same period.
Fortinet said the victim’s restricted Operational Technology (OT) network was a key target of the attack based on the threat actor’s extensive reconnaissance activity and their breach of a network segment hosting OT-adjacent systems. That said, there is no evidence that the adversary penetrated the OT network.
A majority of the malicious activity has been assessed to be hands-on keyboard operations carried out by different individuals, given the command errors and the consistent work schedule. Furthermore, a deeper examination of the incident has revealed that the threat actor may have had access to the network as early as 15 May 2021.
“Throughout the intrusion, the attacker leveraged chained proxies and custom implants to bypass network segmentation and move laterally within the environment,” the company said. “In later stages, they consistently chained four different proxy tools to access internal network segments, demonstrating a sophisticated approach to maintaining persistence and avoiding detection.”
