An Iranian state-sponsored hacking group has been linked to a cyberattack campaign targeting a critical national infrastructure (CNI) organization in the Middle East. The intrusion lasted nearly two years, according to a report by the FortiGuard Incident Response (FGIR) team.
The cyber campaign ran from at least May 2023 to February 2025. It involved extensive espionage and persistence tactics designed to maintain long-term access to the network. These actions suggest the group was preparing for possible future operations.
Fortinet researchers identified patterns in the attack that match the methods of a known Iranian cyber group called Lemon Sandstorm. This group has also been referred to as Rubidium, Parisite, Pioneer Kitten, and UNC757. Active since at least 2017, Lemon Sandstorm has targeted industries including aerospace, oil and gas, water, and electricity in regions such as the United States, Europe, the Middle East, and Australia.
Cybersecurity firm Dragos reports that the group typically exploits vulnerabilities in VPN systems from companies like Fortinet, Pulse Secure, and Palo Alto Networks to gain initial access. In 2024, U.S. cybersecurity officials blamed Lemon Sandstorm for ransomware attacks on organizations in the U.S., Israel, Azerbaijan, and the UAE.
Four-Stage Attack Timeline
The attack on the Middle Eastern CNI followed a four-stage timeline:
1. May 15, 2023 – April 29, 2024:
The hackers gained access using stolen VPN credentials. They planted web shells on public servers and installed three backdoors—Havoc, HanifNet, and HXLibrary—to maintain long-term access.
2. April 30, 2024 – November 22, 2024:
The attackers expanded control by adding more web shells and a backdoor named NeoExpressRAT. Tunnelling tools such as plink and Ngrok let them pivot further into the network. They stole emails and moved laterally into systems supporting virtualization.
3. November 23, 2024 – December 13, 2024:
In response to the victim’s containment efforts, the hackers deployed additional web shells and two new backdoors—MeshCentral Agent and SystemBC.
4. December 14, 2024 – Present:
After being removed from the system, the group attempted to regain access. They exploited known Biotime vulnerabilities (CVE-2023-38950, -38951, and -38952) and launched phishing attacks targeting 11 employees to steal Microsoft 365 credentials.
Tools and Malware Used
- Havoc and MeshCentral: Open-source tools used for command-and-control and remote monitoring.
- SystemBC: A common malware often used before ransomware deployment.
- HanifNet: A .NET program that executes commands from a command server.
- HXLibrary: A malicious IIS module that connects to Google Docs to find its command server.
- CredInterceptor: A tool that steals credentials from Windows memory.
- RemoteInjector: Loads secondary malware like Havoc.
- RecShell: A web shell used for early-stage spying.
- NeoExpressRAT: A backdoor likely using Discord for communication.
- DropShell: A basic web shell used for file uploads.
- DarkLoadLibrary: A loader that launches SystemBC malware.
Fortinet said the hacking group used command-and-control infrastructure linked to Lemon Sandstorm in past campaigns. This included domains like apps.gist.githubapp[.]net and gupdate[.]net.
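As an added, defender-side example that is not part of the Fortinet report or this article: the script below refangs the two defanged command-and-control domains quoted above, scans a few constructed DNS and process-creation log lines for them and for the plink and Ngrok tunnelling binaries mentioned in the second stage, and reports each hit. The log format, the field names (`query=`, `image=`) and the executable names are assumptions made for illustration; the only values taken from the article are the two domains and the two tool names.

```python
import re
from dataclasses import dataclass

# Defanged domains exactly as the article prints them (the only IoCs it lists).
REPORT_DEFANGED_DOMAINS = [
    "apps.gist.githubapp[.]net",
    "gupdate[.]net",
]

# Tunnelling/proxy tools named in the article; the file names are an assumption.
TUNNEL_TOOL_NAMES = {"plink.exe", "ngrok.exe", "plink", "ngrok"}

# Constructed sample log lines (not from the report); format is assumed.
SAMPLE_LOG = [
    "2024-06-01T08:12:03Z dns query=www.example.com client=10.0.5.21",
    "2024-06-01T08:12:09Z dns query=apps.gist.githubapp.net client=10.0.5.21",
    "2024-06-01T08:13:40Z proc image=C:\\Users\\svc\\AppData\\Local\\Temp\\plink.exe user=svc",
    "2024-06-01T08:14:02Z dns query=cdn.gupdate.net client=10.0.5.21",
    "2024-06-01T08:15:11Z proc image=C:\\Windows\\System32\\notepad.exe user=svc",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', '(.)', 'hxxp://') back into a matchable hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True if host equals the IoC domain or is a subdomain of it (label-aligned)."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


@dataclass
class Hit:
    line_no: int
    reason: str
    line: str


DNS_HOST_RE = re.compile(r"\bquery=(?P<host>[a-z0-9.-]+)")
PROC_RE = re.compile(r"\bimage=(?P<image>\S+)")


def scan_log(lines, ioc_domains):
    """Scan log lines for resolutions of C2 domains and launches of tunnelling tools."""
    hits = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        m = DNS_HOST_RE.search(low)
        if m:
            host = m.group("host")
            for d in ioc_domains:
                if domain_matches(host, d):
                    hits.append(Hit(n, f"dns:{d}", line))
        m = PROC_RE.search(low)
        if m:
            # Keep only the file name, whichever path separator the source used.
            image = m.group("image").rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
            if image in TUNNEL_TOOL_NAMES:
                hits.append(Hit(n, f"tunnel-tool:{image}", line))
    return hits


def scan_report_iocs(lines=SAMPLE_LOG):
    """Refang the article's domains and run the scan over the given lines."""
    return scan_log(lines, [refang(d) for d in REPORT_DEFANGED_DOMAINS])


if __name__ == "__main__":
    for h in scan_report_iocs():
        print(f"line {h.line_no}: {h.reason}: {h.line}")
```

Suffix matching is done on label boundaries so that a host such as notgupdate.net does not match gupdate.net. Both checks are deliberately coarse: a renamed plink binary evades the name test, so in practice the process check belongs alongside hash or signer checks, and the domain list should be refreshed from the full report rather than the two domains quoted here.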
The report highlighted that the attackers were especially interested in the victim’s operational technology (OT) systems, which control physical processes like energy or water flow. Although hackers breached a network connected to OT systems, Fortinet found no proof they accessed the OT network directly.
Most of the malicious activity appeared to involve live human operators, as shown by frequent typing errors and a consistent work schedule. Investigators now believe the group may have first entered the network as early as May 15, 2021.
“The attackers used chained proxies and custom malware to avoid detection and move laterally through the network,” Fortinet said. “In later stages, they linked four proxy tools together to reach deeper parts of the system.”