{
	"id": "7c17d656-c303-40c4-8977-ce7479ec2625",
	"created_at": "2026-04-06T00:11:04.491946Z",
	"updated_at": "2026-04-10T03:37:36.724932Z",
	"deleted_at": null,
	"sha1_hash": "0d9bf65416394bd44249d16bb7ab07c43360cb73",
	"title": "Iranian Fileless Attack Infiltrates Israeli Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1754443,
	"plain_text": "Iranian Fileless Attack Infiltrates Israeli Organizations\r\nBy Michael Gorelik\r\nArchived: 2026-04-02 10:34:47 UTC\r\nFrom April 19-24, 2017, a politically motivated, targeted campaign was carried out against numerous Israeli\r\norganizations. Morphisec researchers began investigating the attacks on April 24 and continue to uncover more\r\ndetails. Initial reports of the attacks, published April 26 (in Hebrew) by the Israel National Cyber Event Readiness\r\nTeam (CERT-IL) and The Marker, confirm that the attack was delivered through compromised email accounts at\r\nBen-Gurion University and sent to multiple targets across Israel. Ironically, Ben-Gurion University is home to\r\nIsrael’s Cyber Security Research Center. Investigators put the origin of the attack as Iranian; Morphisec’s research\r\nsupports this conclusion and attributes the attacks to the same infamous hacker group responsible for the OilRig\r\nmalware campaigns.\r\nIntroduction\r\nThe fileless attack was delivered via Microsoft Word documents that exploited a former zero-day vulnerability in\r\nWord, CVE-2017-0199, to install a fileless attack variant of the Helminth Trojan agent. Microsoft released the\r\npatch for the vulnerability on April 11, but many organizations have not yet deployed the update. The attackers\r\nactually based their attack on an existing Proof-of-Concept method that was published by researchers after the\r\npatch release.\r\nBy hunting through known malware repositories, Morphisec identified matching samples uploaded by Israeli\r\nhigh-tech development companies, medical organizations, and education organizations, indicating that they were\r\nvictims of the attack. For security purposes, Morphisec is not revealing these names.\r\nThe delivery was executed by compromising the email accounts of a few high-profile individuals at Ben-Gurion\r\nUniversity. 
The Word document was sent as a reply to legitimate emails sent from those accounts and was\r\npropagated to more than 250 individuals in different Israeli companies, according to CERT-IL.\r\nUpon deeper investigation into the installed Helminth fileless agent, we identified a near-perfect match to the\r\nOilRig campaign executed by an Iranian hacker group against 140 financial institutions in the Middle East last\r\nyear, as analyzed by FireEye, Palo Alto Networks and Logrhythm. This group has become one of the most active\r\nthreat actors, with noteworthy abilities, resources, and infrastructure; speculation indicates that the group is\r\nsponsored by the Iranian government. In other recent attacks (January 2017), the group used a\r\nfake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware, as described by\r\nClearSky.\r\nOur report presents the technical details of the attack, emphasizing differences from last year’s attack. In\r\nparticular, there are several enhancements to different evasive mechanisms and some modifications in the\r\ncommunications protocol, which delivers PowerShell commands from the C\u0026C.\r\nhttps://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability\r\nPage 1 of 14\n\nThe most important difference is that the use of macros was exchanged for a vulnerability exploit. 
With their\r\nability to set up the attack in a relatively short time, the threat actors could correctly speculate that their window of\r\nopportunity between patch release and patch rollout was still open.\r\nAt the time of publication, the C\u0026C servers are still active; they are listed herein together with all other signatures and\r\nindicators of compromise.\r\nTechnical Analysis\r\nWord Delivery\r\nThe different delivered documents, as shown below, are generally named with some random number: \u003crandom\r\nnumber\u003e.doc.\r\nMorphisec identified the following set of documents:\r\nName SHA256\r\n13.doc a9bbbf5e4797d90d579b2cf6f9d61443dff82ead9d9ffd10f3c31b686ccf81ab\r\n558.doc, 2.doc 2869664d456034a611b90500f0503d7d6a64abf62d9f9dd432a8659fa6659a84\r\n1.doc 832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8\r\n3.doc d4eb4035e11da04841087a181c48cd85f75c620a84832375925e6b03973d8e48\r\nCVE-2017-0199 Vulnerability Exploit\r\nThe most notable difference from last year’s OilRig campaign is the way the attack was delivered. In the previous\r\ncampaign, the Iranian group sent specially crafted Excel and Word files containing macros that targeted\r\nindividuals were convinced to enable.\r\nIn this campaign, no macros were required. Each document utilized the vulnerability via an embedded link that\r\ndelivers an .hta file (HTML Application).\r\nMorphisec identified the following delivered test\u003cnumber\u003e.hta files, all with the same signature, delivered from the\r\nfollowing domains:\r\nName Delivery Server\r\ntest4.hta hxxp://comonscar[.]in (82.145.40.46)\r\ntest5.hta 80.82.67.42\r\ntest1.hta reserved\r\nSHA256: 5ac61ea5142d53412a251eb77f2961e3334a00c83da9087d355a49618220ac43\r\nThe .hta file is immediately executed by mshta.exe, the Windows host process for HTML Applications. 
As a\r\nresult, the user is usually shown a warning message, although the HTA is still executed even if the user\r\nchooses “No”:\r\nThe .hta file in this attack is much more sophisticated than in previous versions and actually disables this message\r\nby sending an “Enter” command to the warning window. This is covered in the next section.\r\nHTA Execution and Persistency\r\nThe HTA execution goes through the following steps:\r\n1. Before installing the agent, the .hta file sends the “Enter” key into the Word application to remove the\r\nwarning message and minimize any appearance of suspicious execution. This is done by creating and\r\nexecuting a 1.vbs script.\r\n2. The next step writes and executes the 0011.ps1 PowerShell script, which is described in the following\r\nsection.\r\n3. The last step kills the original process that activated the .hta file, to remove any suspicion.\r\nHelminth Trojan Installation and Persistency\r\nThe 0011.ps1 script, which is activated by the .hta file, is in charge of generating the Helminth Trojan PowerShell and\r\nVBS files.\r\nName SHA256\r\n0011.ps1 042F60714E9347DB422E1A3A471DC0301D205FFBD053A4015D2B509DB92029D1\r\n1.vbs BE7F1D411CC4160BB221C7181DA4370972B6C867AF110C12850CAD77981976ED\r\nMorphisec identified the following structure:\r\nThis structure matches the attack structure from October 2016, as described by Logrhythm:\r\nAside from the unique generation of the files, the structure and the functionality of the trojan are very similar to\r\nthe previous campaign:\r\n1. The PowerShell script 0011.ps1 creates similar variants of the Helminth trojan PowerShell and VBS file\r\ntemplates (DnS1.Ps1, DnE1.Ps1, backup1.vbs). 
Those templates are regenerated on the infected\r\ncomputer by replacing all variable and function names with random names in order to slow down\r\ndetection and remediation.\r\n2. All the scripts are installed in the Public\\Libraries\\RecordedTV folder.\r\n3. As in the previous campaign, persistency is achieved by adding a scheduled task with a name similar to the\r\nGoogle update task (“GoogleUpdateTasksMachineUI”), which executes the VBS script every 3 minutes:\r\nNote: All the parameters in the 0011.ps1 script can be reconfigured; therefore some of the names could be\r\ndifferent for the tasks and locations.\r\nCommunication Protocol\r\nWe will focus here on the DnE1.Ps1 file because all other files are almost identical to the previous campaign. This\r\nfile executes some of the same commands executed by the VBS script in the previous campaign, but there are\r\ndifferences as well. The script connects to a C\u0026C server – vpsupdate[.]tk. At the time of this report’s publication,\r\nthe C\u0026C server is still live; the server was first registered on April 16, 2017. The goal of the script is to:\r\nDownload a bat script\r\nExecute it and upload the results back to the C\u0026C\r\nClear traces\r\nAt each new (first) activation of the download command (GET request), the infected computer receives\r\na bat script for activation from the C\u0026C:\r\nvpsupdate[.]tk/index.aspx?id=\u003crandom character\u003e\u003crandom number\u003e[b] (the “b” is for download)\r\nThe file name of the bat script is then delivered through the response headers, and the content of the bat script is\r\ndelivered through the response body. 
Both of them are base64-encoded.\r\nThe name of the file is default.bat (decoded from the Content-Disposition header) and it is saved\r\ntemporarily in the dn folder (described in the next section).\r\nNote: Morphisec identified several other samples of communication with different C\u0026C servers\r\n(“alenupdate[.]info” and “maralen[.]tk”) in which a more advanced customized version of Mimikatz was sent\r\nto specific users, and an additional agent was installed in the “C:\\Program Files (x86)\\Microsoft Idle” directory:\r\nBack to the popular variant of the protocol: as soon as the file executes and the resulting output is written to\r\ndefault.bat.txt (similarly to the previous campaign), the resulting file is uploaded back to the C\u0026C using the\r\nfollowing URL command (POST request):\r\nvpsupdate[.]tk/index.aspx?id=\u003crandom character\u003e\u003crandom number\u003e[u] (the “u” is for upload)\r\nAt the same time, the DnE1.Ps1 is executed. The DnS1.Ps1 is also executed and communicates with the C\u0026C\r\nusing DNS exchange queries (the same as in the previous campaign). This kind of communication is very hard to\r\nblock since DNS is a basic functionality required in any organization.\r\nDelivered Commands\r\nThe bat script is a customized version of Mimikatz (with slight modification from the last campaign). Its goal is to\r\ngather information from the computer and the network:\r\nThe added commands are chcp, to handle non-ASCII characters (e.g. Hebrew), and the validation of the scheduled\r\ntask (which should have been added by the persistency mechanism).\r\nAs mentioned in the previous section, Morphisec identified an advanced version of the same bat script\r\ncommunicating with the alenupdate[.]info C\u0026C. 
In that case, the information that is gathered includes antivirus,\r\nfirewall, and anti-spyware product information. The persistent tasks are slightly different as well: “Google Update\r\nCore” and “Google Sync Core”.\r\nRemediation\r\n1. The scheduled task “GoogleUpdateTasksMachineUI” should be removed. Note that regular Google\r\nupdate tasks look like GoogleUpdateTask[Machine|User]* (without the “s” in Tasks).\r\n2. In case “Google Update Core” or “Google Sync Core” exists, those need to be removed as well.\r\n3. Access the Public\\Libraries\\RecordedTV folder. Note that the Libraries folder in Public is hidden, and you\r\nshould delete the folder and not the RecordedTV icon – if you have only the icon, then the agent is not\r\ninstalled.\r\n4. If the following directory exists, remove it: “Program Files (x86)\\Microsoft Idle”\r\n5. If the following directory contains “WinInit.lnk” or “SyncInit.lnk” files, remove those files:\r\n“%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup”\r\nConclusion\r\nEvery few years, a new “logic bug” CVE in OLE object linking is identified; the previous one was three years ago\r\n(CVE-2014-4114 and CVE-2014-6352). This kind of vulnerability is rare but powerful. It allows attackers to\r\nembed OLE objects (or links in the case of CVE-2017-0199) and bypass Microsoft validation of OLE execution\r\nwithout warning. 
In essence, it is the same as playing an animation in PowerPoint.\r\nSuch vulnerabilities should be patched immediately.\r\nIt is significant to note how the Iranian threat actors advanced their abilities in such a short time:\r\nUtilizing a vulnerability PoC immediately after its publication\r\nSetting up the required infrastructure with multiple domains and delivery servers\r\nIncreasing the sophistication of the delivered Helminth agent, including regeneration of its signatures on\r\nthe infected computer\r\nImproving the customized information-gathering Mimikatz version\r\nWith many organizations taking high-risk vulnerabilities seriously and patching them as quickly as possible,\r\nattackers can no longer exploit them for an extended period of time. We therefore expect that threat actors will\r\nreturn to macro-based campaigns like Hancitor.\r\nIndicators of Compromise (IOCs)\r\nDocument delivery:\r\nName SHA256\r\n13.doc a9bbbf5e4797d90d579b2cf6f9d61443dff82ead9d9ffd10f3c31b686ccf81ab\r\n558.doc, 2.doc 2869664d456034a611b90500f0503d7d6a64abf62d9f9dd432a8659fa6659a84\r\n1.doc 832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8\r\n3.doc d4eb4035e11da04841087a181c48cd85f75c620a84832375925e6b03973d8e48\r\nHTA delivery servers:\r\nhxxp://comonscar[.]in (82.145.40.46)\r\n80.82.67.42\r\nHTA files:\r\nName SHA256\r\ntest4.hta, test5.hta 5ac61ea5142d53412a251eb77f2961e3334a00c83da9087d355a49618220ac43\r\nHelminth Trojan Installers:\r\nName SHA256\r\n0011.ps1 042F60714E9347DB422E1A3A471DC0301D205FFBD053A4015D2B509DB92029D1\r\n1.vbs BE7F1D411CC4160BB221C7181DA4370972B6C867AF110C12850CAD77981976ED\r\nC\u0026C:\r\nName\r\nvpsupdate[.]tk\r\nalenupdate[.]info\r\nMaralen[.]tk\r\nPersistency:\r\nTask Name\r\nGoogleUpdateTasksMachineUI\r\nGoogle Update 
Core\r\nGoogle Sync Core\r\nCERT-IL has listed additional IoCs that are not mentioned in this list, including those of the January campaign that\r\ninvolved malicious Juniper Networks VPN and fake Oxford registration form executables and their C\u0026C domain\r\nserver.\r\nAbout the author\r\nMichael Gorelik\r\nChief Technology Officer\r\nMorphisec CTO Michael Gorelik leads the malware research operation and sets technology strategy. He has\r\nextensive experience in the software industry and in leading diverse cybersecurity software development projects.\r\nPrior to Morphisec, Michael was VP of R\u0026D at MotionLogic GmbH, and previously served in senior leadership\r\npositions at Deutsche Telekom Labs. Michael has extensive experience as a red teamer, reverse engineer, and\r\ncontributor to the MITRE CVE database. He has worked extensively with the FBI and US Department of\r\nHomeland Security on countering global cybercrime. Michael is a noted speaker, having presented at multiple\r\nindustry conferences, such as SANS, BSides, and RSA. Michael holds BSc and MSc degrees from the Computer\r\nScience department at Ben-Gurion University, focusing on synchronization in different OS architectures. He also\r\njointly holds seven patents in the IT space.\r\nSource: https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability"
	],
	"report_names": [
		"iranian-fileless-cyberattack-on-israel-word-vulnerability"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434264,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d9bf65416394bd44249d16bb7ab07c43360cb73.pdf",
		"text": "https://archive.orkl.eu/0d9bf65416394bd44249d16bb7ab07c43360cb73.txt",
		"img": "https://archive.orkl.eu/0d9bf65416394bd44249d16bb7ab07c43360cb73.jpg"
	}
}