Iranian state-sponsored hackers have stepped up their cyber-espionage efforts against Israel, with a recent campaign demonstrating increasingly refined social engineering tactics.
In the operation, UNC2428 impersonates an Israeli defense contractor, Rafael, to deceive job seekers with a fake job application portal that covertly installs a custom backdoor known as MURKYTOUR. This malware allows UNC2428 to maintain persistent access to compromised systems, exfiltrate data, and potentially move laterally within targeted networks.
The infection process begins when a victim visits the fraudulent Rafael-branded job site and downloads a malicious installer, believing it to be a legitimate application. Once executed, the installer deploys MURKYTOUR along with a second-stage payload called MINIBIKE, a lightweight remote access tool.
These tools enable the attackers to silently monitor victim activity and communicate with command-and-control servers. The malware was designed to evade detection, using obfuscation and techniques that minimize its footprint on the system.
This campaign is part of a broader pattern of attacks from Iranian-affiliated groups like MuddyWater and UNC3313, which have previously targeted Israeli entities across academia, healthcare, and government sectors. These threat actors rely heavily on tailored phishing lures, impersonation, and well-crafted malware to achieve their goals.
The recurring nature and technical sophistication of these attacks highlight the sustained cyber threat Iran poses to Israeli infrastructure, and the pressing need for robust cybersecurity awareness and defenses.
Source: The Hacker News
Analysis
This isn’t the first time Iranian state-sponsored cyber actors were observed using job-themed attacks to deploy backdoors on targets of interest.
For example, in 2023, the Iranian group Charming Kitten targeted individuals in the aerospace industry with spear phishing emails containing malicious attachments disguised as job-related documents. The campaign also leveraged fake recruiting websites and LinkedIn profiles with AI-generated content to distribute a ZIP archive, which, among other files, contained a trojan loader known as SnailResin which loads the SlugResin backdoor.
North Korea is another country well known for its use of job-themed campaigns targeting individuals across multiple industries. However, North Korean actors like Lazarus often aim to exfiltrate cryptocurrency or gain financial leverage alongside espionage.
This Iranian campaign appears more narrowly focused on intelligence collection—especially within the defense and tech space, reinforcing how different threat groups converge on similar tactics but pursue different strategic objectives.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats from advanced cyber actors engaging in malicious activities, including Iranian state-sponsored actors. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.
Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect recommends scrutinizing unsolicited job application invites sent via email, messaging services such as WhatsApp, and social media. Take into consideration that the individuals sending these invites could be fake, and always make efforts to verify the recruiter’s identity and association with the company they claim to represent. Generally, if an offer is too good to be true, it probably is.
Field Effect users are encouraged to submit suspicious emails, including job offers, to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.