Iranian-aligned group linked to multi-wave spear-phishing targeting embassies worldwide, researchers say

An Iran-nexus group has been linked to a coordinated, multi-wave spear-phishing campaign targeting embassies and consulates in Europe and other regions, according to researchers.

The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity associated with the group known as Homeland Justice.

Dream said in a blog post that the emails were sent to multiple government recipients worldwide, disguised as legitimate diplomatic communication. The company added that the operation forms part of a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension.

The spear-phishing emails used themes related to geopolitical tensions between Iran and Israel to lure recipients into opening a malicious Microsoft Word document. When the document is opened, the recipient is prompted to click Enable Content, which runs an embedded Visual Basic for Applications (VBA) macro that deploys the malware payload.
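The delivery step described above, a macro-enabled Word document that runs VBA once the user clicks Enable Content, can be triaged at the mail gateway before anyone opens it. The following is an added example written for this article, not code from Dream, ClearSky or the campaign itself: it inspects an OOXML package for a vbaProject.bin part, checks whether [Content_Types].xml declares a macro-enabled main part, and scans the macro blob for auto-execute procedure names and dropper-style calls. The sample document is constructed in memory with a plaintext VBA blob; real vbaProject.bin streams are MS-OVBA compressed, so for full source recovery a dedicated parser such as oletools' olevba is still needed, and the indicator lists here are illustrative assumptions rather than the campaign's actual macro code.

```python
"""Triage an OOXML document for embedded VBA macros (added example)."""
import io
import zipfile
from typing import Optional

# VBA procedure names that run without further user action once the
# macro is enabled. Illustrative list, not taken from the reported lure.
AUTO_EXEC_NAMES = (
    "AutoOpen", "Document_Open", "AutoExec",
    "AutoClose", "Document_Close", "Workbook_Open",
)

# Calls commonly used by macro droppers to write and launch a payload.
SUSPICIOUS_CALLS = (
    "Shell", "WScript.Shell", "CreateObject",
    "URLDownloadToFile", "ShellExecute", "Environ",
)


def _contains(blob: bytes, token: str) -> bool:
    """Match both single-byte and UTF-16LE encodings; OLE streams use both."""
    return token.encode("ascii") in blob or token.encode("utf-16-le") in blob


def triage_office_document(data: bytes) -> dict:
    """Return macro indicators for the raw bytes of a docx/docm-style file."""
    result = {
        "is_ooxml": False,
        "has_vba": False,
        "macro_enabled_content_type": False,
        "auto_exec": [],
        "suspicious_calls": [],
    }
    # OOXML is a ZIP container; anything else is out of scope here.
    if not data.startswith(b"PK\x03\x04"):
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    # A macro-enabled main part behind a .docx extension is a classic mismatch.
    result["macro_enabled_content_type"] = b"macroEnabled" in zf.read("[Content_Types].xml")
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if not vba_parts:
        return result
    result["has_vba"] = True
    # Raw scan only: module source inside vbaProject.bin is normally
    # compressed, so treat a miss here as "unknown", not "clean".
    blob = b"".join(zf.read(n) for n in vba_parts)
    result["auto_exec"] = [t for t in AUTO_EXEC_NAMES if _contains(blob, t)]
    result["suspicious_calls"] = [t for t in SUSPICIOUS_CALLS if _contains(blob, t)]
    return result


def verdict(result: dict) -> str:
    """Collapse the indicators into a gateway decision."""
    if not result["is_ooxml"]:
        return "not-ooxml"
    if not result["has_vba"]:
        return "no-macro"
    if result["auto_exec"] and result["suspicious_calls"]:
        return "quarantine"
    if result["auto_exec"] or result["suspicious_calls"]:
        return "review"
    return "macro-present"


def build_sample_ooxml(vba_blob: Optional[bytes]) -> bytes:
    """Construct a minimal OOXML package in memory (sample input, not a real lure)."""
    macro = vba_blob is not None
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/word/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if macro else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


# Constructed macro blob: OLE magic followed by uncompressed VBA text so the
# raw scan has something to find. Not the campaign's macro.
SAMPLE_VBA = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    b'Attribute VB_Name = "ThisDocument"\r\n'
    b"Sub Document_Open()\r\n"
    b'    Shell Environ("TEMP") & "\\update.exe"\r\n'
    b"End Sub\r\n"
)

if __name__ == "__main__":
    for label, doc in (("lure", build_sample_ooxml(SAMPLE_VBA)),
                       ("benign", build_sample_ooxml(None))):
        r = triage_office_document(doc)
        print(label, verdict(r), r)
```

A "quarantine" verdict here means the package both declares macros and shows an auto-execute entry point next to a process-spawning call, which is the combination the Enable Content lure depends on; "macro-present" without indicators should still be routed to a sandbox or olevba rather than released, because the raw scan cannot see compressed module source.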

The messages were directed at embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas, with European embassies and African organizations reported as heavily targeted.

Dream’s analysis highlights 104 unique compromised addresses used to send the messages, including at least some emails originating from a hacked mailbox belonging to the Oman Ministry of Foreign Affairs in Paris. The lure content consistently referenced urgent Ministry of Foreign Affairs (MFA) communications, projected authority, and exploited the common practice of enabling macros to access content, the researchers said. Because such messages leave a genuinely compromised mailbox, sender-authentication checks such as SPF, DKIM, and DMARC pass for the sending domain and cannot be relied on to flag them.

ClearSky, which also detailed aspects of the campaign late last month, said the phishing emails were sent to multiple ministries of foreign affairs. In a post on X, the firm said the obfuscation techniques resembled those used by Iranian threat actors in 2023 when they targeted Mojahedin-e-Khalq in Albania, and it assessed with moderate confidence that this activity is linked to the same Iranian actors.

Analysts warned that the end goal of the campaign is to use the VBA macro to deploy an executable that can establish persistence, contact a command-and-control (C2) server, and harvest system information. The activity underscores ongoing concerns about cyber-espionage targeting diplomatic channels and official institutions.