Iran-Linked Hackers Target Embassies

Phishing Frontline: Iranian Hackers Use 100+ Fake Diplomatic Emails

The420.in Staff

An Iran-nexus cyber group has been linked to a sweeping, multi-wave spear-phishing campaign aimed at embassies, consulates, and international organizations across the globe. The operation, attributed by Israeli cybersecurity firm Dream to Iranian-aligned operators associated with “Homeland Justice,” sought to masquerade as legitimate diplomatic correspondence. Analysts warn that the activity reflects a broader espionage push amid escalating geopolitical tensions in the Middle East.


Anatomy of the Attack

The campaign relied on phishing emails laced with geopolitical themes related to Iran and Israel. Attached malicious Microsoft Word files urged recipients to “Enable Content,” triggering embedded VBA macros that deployed malware. Once activated, the payload established persistence, connected to remote command-and-control servers, and began harvesting system information. The techniques, while familiar, were executed with precision and scale, underscoring their espionage intent.
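As an added illustration (not code from the article, Dream or ClearSky), the following mail-gateway check flags Office attachments that carry a VBA project, the delivery mechanism described above, using sample documents constructed in memory. Sender trust is deliberately not an input, since the lures came from a genuine, compromised ministry mailbox; the OLE marker scan is a heuristic, not a full parser.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory-entry names are stored as UTF-16LE, so search for them that way
# (heuristic: catches the usual VBA storages in legacy .doc/.xls files).
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def has_vba_project(data: bytes) -> tuple[bool, str]:
    """Return (flagged, reason) for the raw bytes of an Office attachment."""
    if data.startswith(b"PK\x03\x04"):  # OOXML (.docx/.docm/...) is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return True, "malformed OOXML container"
        for name in names:  # macro code lives in word/ xl/ ppt/ vbaProject.bin
            if name.lower().endswith("vbaproject.bin"):
                return True, f"VBA project embedded at {name}"
        return False, "OOXML without VBA project"
    if data.startswith(OLE_MAGIC):  # legacy binary .doc/.xls compound file
        if any(m in data for m in OLE_VBA_MARKERS):
            return True, "legacy OLE document with VBA storage"
        return False, "legacy OLE document without VBA storage"
    return False, "not an Office container"


def triage(filename: str, data: bytes) -> str:
    """Gateway decision: quarantine anything carrying macros, whoever sent it."""
    flagged, _ = has_vba_project(data)
    if not flagged:
        return "deliver"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ("docx", "xlsx", "pptx"):  # macro project behind a macro-free extension
        return "quarantine: macro project hidden behind macro-free extension"
    return "quarantine: macro-enabled attachment"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML sample for testing; not a real lure document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"constructed")
    return buf.getvalue()
```

Running `triage("MFA_urgent.docm", build_sample(True))` returns a quarantine verdict while the macro-free sample is delivered.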

Exploiting Diplomatic Trust

To enhance credibility, attackers hijacked 104 unique email accounts belonging to officials and pseudo-government entities. At least some messages originated from a compromised mailbox tied to the Oman Ministry of Foreign Affairs in Paris. By referencing urgent Ministry of Foreign Affairs (MFA) communications and leveraging the routine practice of enabling macros, the operation blended social engineering with technical obfuscation to cloak attribution. European embassies and African organizations were among the most heavily targeted.

A Familiar Playbook

ClearSky Security, which tracked related activity in late August, said the methods bear striking resemblance to Iranian threat campaigns in 2023, when Mojahedin-e-Khalq in Albania was targeted. According to ClearSky, the recurring use of obfuscation and compromised state-linked accounts points to continuity among Iranian-aligned operators. The overlapping evidence strengthens moderate-confidence assessments tying the campaign to Homeland Justice, an entity long accused of conducting offensive cyber operations on Tehran’s behalf.

The campaign underscores how diplomatic channels—where trust and urgency often drive quick response—remain prime targets for cyber-espionage. With state-aligned groups continuing to exploit the human element of email, experts caution that embassies and ministries face an enduring frontline in the geopolitical cyber battlefield.
