The Iran-nexus threat actor known as UNC2428 has been observed delivering a backdoor known as MURKYTOUR as part of a job-themed social engineering campaign aimed at Israel in October 2024.
Google-owned Mandiant described UNC2428 as a threat actor aligned with Iran that engages in cyber espionage-related operations. The intrusion set is said to have distributed the malware through a “complex chain of deception techniques.”
“UNC2428’s social engineering campaign targeted individuals while posing as a recruitment opportunity from Israeli defense contractor, Rafael,” the company said in its annual M-Trends report for 2025.
Individuals who expressed interest were redirected to a site that impersonated Rafael, from where they were asked to download a tool to assist with applying for the job.
The tool (“RafaelConnect.exe”) was an installer dubbed LONEFLEET that, once launched, presented a graphical user interface (GUI) to the victim in order to enter their personal information and submit their resume.
Once submitted, the MURKYTOUR backdoor launched as a background process by means of a launcher referred to as LEAFPILE, granting the attackers persistent access to the compromised machine.
“Iran-nexus threat actors incorporated graphical user interfaces (GUIs) to disguise malware execution and installation as legitimate applications or software,” Mandiant said. “The addition of a GUI that presents the user with a typical installer and is configured to mimic the form and function of the lure used can reduce suspicions from targeted individuals.”
It’s worth mentioning that the campaign overlaps with activity that the Israel National Cyber Directorate attributed to an Iranian threat actor named Black Shadow.
Assessed to be operating on behalf of the Iranian Ministry of Intelligence and Security (MOIS), the hacking group is known for targeting a wide range of industry verticals in Israel, including academia, tourism, communications, finance, transportation, healthcare, government, and technology.
Per Mandiant, UNC2428 is one of the many Iranian threat activity clusters that have trained their sights on Israel in 2024. One prominent group is Cyber Toufan, which targeted Israel-based users with the proprietary POKYBLIGHT wiper.
UNC3313 is another Iran-nexus threat group that has conducted surveillance and strategic information-gathering operations via spear-phishing campaigns. UNC3313, first documented by the company in February 2022, is believed to be affiliated with MuddyWater.
“The threat actor hosted malware on popular file-sharing services and embedded links within training- and webinar-themed phishing lures,” Mandiant said. “In one such campaign, UNC3313 distributed the JELLYBEAN dropper and CANDYBOX backdoor to organizations and individuals targeted by their phishing operations.”
Attacks mounted by UNC3313 have leaned heavily on as many as nine different legitimate remote monitoring and management (RMM) tools, a signature tactic of the MuddyWater group, in an attempt to ward off detection efforts and provide persistent remote access.
The threat intelligence firm also said it observed in July 2024 a suspected Iran-linked adversary distributing a backdoor codenamed CACTUSPAL by passing it off as an installer for the Palo Alto Networks GlobalProtect remote access software.
The installation wizard, upon launch, stealthily deploys the .NET backdoor that, in turn, verifies only one instance of the process is running before it communicates with an external command-and-control (C2) server.
The use of RMM tools notwithstanding, Iranian threat actors like UNC1549 have also been observed taking steps to incorporate cloud infrastructure into their tradecraft so as to ensure that their actions blend in with services prevalent in enterprise environments.
“In addition to techniques such as typosquatting and domain reuse, threat actors have found that hosting C2 nodes or payloads on cloud infrastructure and using cloud-native domains reduces the scrutiny that may be applied to their operations,” Mandiant said.
Any insight into the Iranian threat landscape is incomplete without APT42 (aka Charming Kitten), which is known for its elaborate social engineering and rapport-building efforts to harvest credentials and deliver bespoke malware for data exfiltration.
The threat actor, per Mandiant, deployed fake login pages masquerading as Google, Microsoft, and Yahoo! as part of their credential harvesting campaigns, using Google Sites and Dropbox to direct targets to fake Google Meet landing pages or login pages.
In all, the cybersecurity company said it identified more than 20 proprietary malware families – including droppers, downloaders, and backdoors – used by Iranian actors in campaigns in the Middle East in 2024. Two of the identified backdoors, DODGYLAFFA and SPAREPRIZE, have been employed by APT34 (aka OilRig) in attacks targeting Iraqi government entities.
“As Iran-nexus threat actors continue to pursue cyber operations that align with the interests of the Iranian regime, they will alter their methodologies to adapt to the current security landscape,” Mandiant said.
