{
	"id": "59103dff-2c05-4772-8efe-70697b2d5fc5",
	"created_at": "2026-04-06T00:18:11.081579Z",
	"updated_at": "2026-04-10T03:20:43.977661Z",
	"deleted_at": null,
	"sha1_hash": "334a2d3ae2ce84bad1b4913bb95df8907dd68f5f",
	"title": "FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62298,
	"plain_text": "FortiGuard Incident Response Team Detects Intrusion into Middle\r\nEast Critical National Infrastructure | FortiGuard Labs\r\nPublished: 2025-05-01 · Archived: 2026-04-05 16:42:17 UTC\r\nIntroduction\r\nThe FortiGuard Incident Response (FGIR) team recently investigated a long-term cyber intrusion targeting critical\r\nnational infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group. The attack\r\ninvolved extensive espionage operations and suspected network prepositioning—a tactic often used to maintain\r\npersistent access for future strategic advantage.\r\nFull Report Available: The following article provides key findings, but a full report of this activity is available\r\nhere. The report includes an analysis of novel malware deployed throughout the intrusion, a detailed breakdown of\r\nadversary TTPs across different attack stages, Indicators of Compromise (IOCs) to assist defenders, and\r\nattribution considerations for deeper insight.\r\nKey Findings\r\nThe intrusion persisted from at least May 2023 to February 2025, with signs of compromise dating back as far as\r\nMay 2021. Attackers initially gained access via stolen VPN credentials and established persistence through\r\nmultiple web shells and backdoors, including Havoc, HanifNet, HXLibrary, and NeoExpressRAT. They bypassed\r\nnetwork segmentation using open-source proxying tools like plink, Ngrok, glider proxy, and ReverseSocks5.\r\nKey insights from the investigation include:\r\nThe attack unfolded in waves, with the adversary deploying new malware and infrastructure over time.\r\nThey used custom loaders to execute Havoc and SystemBC in memory.\r\nIn addition to publicly available tools, the adversary deployed novel backdoors such as HanifNet,\r\nHXLibrary, and NeoExpressRAT, enabling command execution, file operations, and system discovery.\r\nThe adversary avoided U.S.-based infrastructure, instead relying on non-U.S. VPS providers.\r\nPersistence was maintained through scheduled tasks designed to blend in with legitimate Windows\r\nprocesses.\r\nVirtualization infrastructure was actively targeted, with the adversary conducting reconnaissance to\r\nunderstand network configurations.\r\nAfter containment efforts, the adversary attempted to regain access by exploiting ZKTeco ZKBioTime\r\nsoftware vulnerabilities, which had not been previously reported in the wild. They also launched targeted\r\nphishing attacks, using compromised third-party emails to steal administrator credentials.\r\nIntrusion Stages\r\nThe attack unfolded in four distinct phases:\r\nhttps://www.fortinet.com/blog/threat-research/fortiguard-incident-response-team-detects-intrusion-into-middle-east-critical-national-infrastructure\r\nPage 1 of 3\n\n1. Establishing a Foothold and Initial Operations (May 2023 – April 2024)\r\nThe adversary used stolen credentials to access the victim’s SSL VPN, deploying web shells on public-facing\r\nservers and installing Havoc, HanifNet, and HXLibrary backdoors. They then stole credentials and moved\r\nlaterally using RDP and PsExec.\r\n2. Consolidating the Foothold (April 2024 – November 2024)\r\nAdditional persistence mechanisms were introduced, including NeoExpressRAT. The adversary chained proxies\r\n(plink, Ngrok) to bypass segmentation, exfiltrated targeted email data, and began interacting with virtualization\r\ninfrastructure.\r\n3. Initial Remediation and Adversary Response (November 2024 – December 2024)\r\nThe victim implemented initial containment steps, prompting a surge in adversary activity. To maintain access,\r\nadditional web shells, SystemBC, and MeshCentral were deployed, with a focus on targeting deeper CNI network\r\nsegments.\r\n4. Intrusion Containment and Final Adversary Response (December 2024 – Present)\r\nThe victim successfully removed adversary access. In response, attackers attempted to re-enter via vulnerabilities\r\nin web applications and launched targeted phishing campaigns to steal credentials. Multiple failed access attempts\r\nwere detected.\r\nVictim’s Network and Attack Path\r\nThe victim organization had a highly segmented network, including a restricted Operational Technology (OT)\r\nenvironment. While no confirmed disruption to OT systems was found, FGIR observed targeted reconnaissance\r\nand credential harvesting, indicating strong adversary interest in these systems. The attackers moved from IT to\r\nrestricted segments by chaining proxy tools and implants to bypass segmentation.\r\nAdversary Tooling and Infrastructure\r\nThe attacker relied on VPS-hosted infrastructure, avoiding U.S.-based providers. Notable malware variants used\r\ninclude:\r\nHanifNet – .NET-based backdoor for persistent access\r\nHXLibrary – Malicious IIS module enabling deep system control\r\nNeoExpressRAT – Golang-based backdoor with hardcoded C2 communication\r\nRemoteInjector – Loader for executing Havoc backdoors via scheduled tasks\r\nLessons Learned and Defensive Recommendations\r\nState-sponsored cyber adversaries continue to target and compromise critical infrastructure networks, seeking to\r\nmaintain persistent access. Organizations should prioritize the following defensive measures:\r\nEnhance credential security by enforcing multi-factor authentication (MFA) for VPN and privileged\r\naccounts and implementing strict password policies with regular credential rotation.\r\nStrengthen network segmentation and monitoring to restrict lateral movement and implement zero-trust\r\narchitecture with layered access controls.\r\nImprove endpoint and web security by conducting routine integrity checks on web-facing services and\r\nimplementing application allowlisting to prevent unauthorized execution.\r\nDeploy behavioral analytics and EDR solutions to detect anomalies in real-time and conduct regular\r\npenetration testing and third-party security reviews.\r\nEnsure incident response preparedness by developing and testing cybersecurity playbooks for state-sponsored threats and deploying rapid detection and containment capabilities.\r\nFinal Insights and Strategic Implications\r\nThis investigation highlights the persistent and evolving nature of state-backed cyber threats targeting Middle\r\nEastern CNIs. The adversary demonstrated advanced tactics to deeply embed themselves, evade detection, and\r\nsustain long-term access.\r\nDespite containment efforts, the adversary has continued efforts to regain access, indicating a long-term strategic\r\ninterest in this environment. Organizations must remain vigilant, continuously refining their detection and\r\nresponse strategies to defend against sophisticated, state-sponsored cyber campaigns.\r\nFor a detailed breakdown of adversary TTPs, novel malware, and IOCs, access the full report here.\r\nSource: https://www.fortinet.com/blog/threat-research/fortiguard-incident-response-team-detects-intrusion-into-middle-east-critical-national-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/fortiguard-incident-response-team-detects-intrusion-into-middle-east-critical-national-infrastructure"
	],
	"report_names": [
		"fortiguard-incident-response-team-detects-intrusion-into-middle-east-critical-national-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434691,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/334a2d3ae2ce84bad1b4913bb95df8907dd68f5f.pdf",
		"text": "https://archive.orkl.eu/334a2d3ae2ce84bad1b4913bb95df8907dd68f5f.txt",
		"img": "https://archive.orkl.eu/334a2d3ae2ce84bad1b4913bb95df8907dd68f5f.jpg"
	}
}