{
	"id": "a4dfa50f-8925-4621-be48-00476f4fb4f7",
	"created_at": "2026-04-06T00:14:32.206451Z",
	"updated_at": "2026-04-10T03:34:22.716424Z",
	"deleted_at": null,
	"sha1_hash": "4fe6548069d3b48dfc327acd3dff29338a1cdc4d",
	"title": "Espionage Campaign Targets Telecoms Organizations across Middle East and Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49804,
	"plain_text": "Espionage Campaign Targets Telecoms Organizations across\r\nMiddle East and Asia\r\nArchived: 2026-04-05 18:20:12 UTC\r\nAttackers most likely linked to Iran have attacked a string of telecoms operators in the Middle East and Asia over\r\nthe past six months, in addition to a number of IT services organizations and a utility company.\r\nOrganizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos\r\nwere targeted in the campaign, which appears to have made no use of custom malware and instead relied on a\r\nmixture of legitimate tools, publicly available malware, and living-off-the-land tactics. While the identity of the\r\nattackers remains unconfirmed, there is some evidence to suggest a link to the Iranian Seedworm (aka\r\nMuddyWater) group. The targeting and tactics are consistent with Iranian-sponsored actors.\r\nAttack outline\r\nAfter breaching a targeted network, the attackers typically attempt to steal credentials and move laterally across\r\nthe network. They appear to be particularly interested in Exchange Servers, deploying web shells onto them. In\r\nsome cases, the attackers may be using compromised organizations as stepping stones to additional victims.\r\nFurthermore, some targets may have been compromised solely to perform supply-chain-type attacks on other\r\norganizations.\r\nIn most attacks, the infection vector is unknown. Evidence of a possible vector was found at only one target. A\r\nsuspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named “Special discount\r\nprogram.zip”, suggesting that it arrived in a spear-phishing email.\r\nTelecoms attack\r\nIn one attack against a telecoms firm in the Middle East, which began in August 2021, the first evidence of\r\ncompromise was the creation of a service to launch an unknown Windows Script File (WSF). 
Scripts were then\r\nused to issue various domain, user discovery, and remote service discovery commands.\r\nThe attackers used PowerShell to download another WSF and run it. Net group was used to query for the\r\n“exchange trusted subsystem” domain group.\r\nThe attackers used Certutil to download a suspected Ligolo tunneling tool and launch WMI, which was used to get\r\nremote machines to carry out the following tasks:\r\nExecute Certutil to download an unknown file\r\nExecute Certutil to download an unknown WSF file and execute Wscript to launch this script\r\nExecute PowerShell to download and execute content\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east\r\nPage 1 of 4\n\nExecute PowerShell to download a suspected web shell to an Exchange Server\r\nBased on process lineage data, attackers seemed to use scripts extensively. These may be automated scripts used\r\nfor collecting information and downloading additional tools. However, in one instance, a command asks cURL for\r\nhelp, suggesting that there may have been at least some hands-on-keyboard activity on the part of the attackers.\r\nThe attackers then used a remote access tool, believed to be eHorus, to perform the following tasks:\r\nDeliver and run a suspected Local Security Authority Subsystem Service (LSASS) dumping tool\r\nDeliver what are believed to be Ligolo tunneling tools\r\nExecute Certutil to request a URL from Exchange Web Services (EWS) of what appears to be other\r\ntargeted organizations \r\nOne feature of this attack against a telecoms organization is that the attackers may have attempted to pivot to other\r\ntargets by connecting to the Exchange Web Services (EWS) of other organizations, another telecoms operator, and\r\nan electronic equipment company in the same region. 
The following commands were used:\r\ncertutil.exe -urlcache -split [DASH]f hxxps://[REDACTED]/ews/exchange[.]asmx\r\ncertutil.exe -urlcache -split [DASH]f hxxps://webmail.[REDACTED][.]com/ews\r\nIt is unclear what the intent of these requests is. It is possible the attackers were attempting to check connectivity\r\nto these organizations.\r\nPossible supply chain attack\r\nOne target that appeared to be an outlier was a utility company in Laos. The infection vector may have been the\r\nexploitation of a public-facing service, since the first machine that appeared to be compromised was an IIS web server.\r\nSuspicious activity also had w3wp.exe in the process lineage.\r\nThe attackers then used PowerShell to:\r\nDownload a suspected Ligolo tunneling tool\r\nDownload an unknown PowerShell script\r\nDownload an unknown XLS file\r\nThe attackers then used PowerShell to connect to a webmail server of an organization in Thailand. They also\r\nattempted to connect to IT-related servers belonging to another company in Thailand.\r\nTo facilitate credential theft, WMI was used to execute PowerShell to modify the registry to store passwords in\r\nplaintext in memory. In addition to this, an obfuscated version of the publicly available CrackMapExec tool\r\nappeared to be deployed.\r\nToolset\r\nThe attackers made heavy use of legitimate tools and publicly available hacking tools. 
These include:\r\nScreenConnect: Legitimate remote administration tool\r\nRemoteUtilities: Legitimate remote administration tool\r\neHorus: Legitimate remote administration tool\r\nLigolo: Reverse tunneling tool\r\nHidec: Command line tool for running a hidden window\r\nNping: Packet generation tool\r\nLSASS Dumper: Tool that dumps credentials from Local Security Authority Subsystem Service (LSASS)\r\nprocess\r\nSharpChisel: Tunneling tool\r\nPassword Dumper\r\nCrackMapExec: Publicly available tool that is used to automate security assessment of an Active Directory\r\nenvironment\r\nProcDump: Microsoft Sysinternals tool for monitoring an application for CPU spikes and generating crash\r\ndumps, but which can also be used as a general process dump utility\r\nSOCKS5 proxy server: Tunneling tool\r\nKeylogger: Retrieves browser credentials\r\nMimikatz: Publicly available credential dumping tool\r\nSeedworm link?\r\nThere is some evidence to suggest that the Iranian Seedworm group was responsible for these attacks. Two IP\r\naddresses used in this campaign have been previously linked to Seedworm activity. However, Seedworm is known\r\nto regularly switch its infrastructure, meaning conclusive attribution cannot be made.\r\nThere is also some overlap in tools between this campaign and earlier Seedworm campaigns. ScreenConnect,\r\nRemoteUtilities, SharpChisel, Ligolo, ProcDump, and Password Dumper were all referenced by Trend Micro in a\r\nMarch 2021 blog on Seedworm activity.\r\nIn the case of two tools – SharpChisel and Password Dumper – identical versions were used in this campaign to\r\nthose that were documented by Trend.\r\nFocused campaign\r\nIf these attacks are linked to Iran, it will not be the first time an Iranian threat actor has targeted the telecoms\r\nsector. 
In 2018, Symantec revealed that the Chafer group had compromised a major telecoms services provider\r\nin the Middle East.\r\nWhile the ultimate end goal of the campaign remains unknown, the focus on telecoms operators suggests that the\r\nattackers are gathering intelligence on the sector and possibly attempting to pivot into spying on communications.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nae5d0ad47328b85e4876706c95d785a3c1387a11f9336844c39e75c7504ba365 – Ligolo\r\ne0873e15c7fb848c1be8dc742481b40f9887f8152469908c9d65930e0641aa6b – Ligolo\r\n22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f – Hidec\r\nb0b97c630c153bde90ffeefc4ab79e76aaf2f4fd73b8a242db56cc27920c5a27 – Nping\r\nb15dcb62dee1a8499b8ac63064a282a06abf0f7d0302c5e356cdb0c7b78415a9 – LSASS Dumper\r\n61f83466b512eb12fc82441259a5205f076254546a7726a2e3e983011898e4e2 – SharpChisel\r\nccdddd1ebf3c5de2e68b4dcb8fbc7d4ed32e8f39f6fdf71ac022a7b4d0aa4131 – Password Dumper\r\nfacb00c8dc1b7ed209507d7c56d18b2c542c4e0b2986b9bfaf1764d8e252576b – CrackMapExec\r\n1a107c3ece1880cbbdc0a6c0817624b0dd033b02ebaf7fa366306aaca22c103d – ProcDump\r\n916cc8d6bf2282ae0d2db587f4f96780af59e685a1f1a511e0b2b276669dc802 – ProcDump\r\ne2a7a9a803c6a4d2d503bb78a73cd9951e901beb5fb450a2821eaf740fc48496 – ProcDump\r\nf6600e5d5c91ed30d8203ef2bd173ed0bc431453a31c03bc363b89f77e50d4c5 – SOCKS5 proxy server\r\n6d73c0bcdf1274aeb13e5ba85ab83ec00345d3b7f3bb861d1585be1f6ccda0c5 – Keylogger\r\n912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9 – Mimikatz\r\n96632f716df30af567da00d3624e245d162d0a05ac4b4e7cbadf63f04ca8d3da – Mimikatz\r\nbee3d0ac0967389571ea8e3a8c0502306b3dbf009e8155f00a2829417ac079fc – Mimikatz\r\nd9770865ea739a8f1702a2651538f4f4de2d92888d188d8ace2c79936f9c2688 – 
Mimikatz\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east"
	],
	"report_names": [
		"espionage-campaign-telecoms-asia-middle-east"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434472,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fe6548069d3b48dfc327acd3dff29338a1cdc4d.pdf",
		"text": "https://archive.orkl.eu/4fe6548069d3b48dfc327acd3dff29338a1cdc4d.txt",
		"img": "https://archive.orkl.eu/4fe6548069d3b48dfc327acd3dff29338a1cdc4d.jpg"
	}
}