Iran-linked spear-phishing: attackers impersonate Oman's Ministry of Foreign Affairs to target government entities
Iran-linked spear-phishing: attackers impersonate Oman's Ministry of Foreign Affairs to target government entities – Published by IT-Branschen

A cybersecurity researcher has uncovered a sophisticated Iran-linked spear-phishing campaign that exploited a compromised email account at Oman's Ministry of Foreign Affairs (MFA) in Paris. The attackers used stolen diplomatic communications and malicious macros to deliver malware to governments and international organizations worldwide.

Diplomatic decoys with harmful macros

The attackers hijacked an official email account belonging to the Omani Foreign Ministry in Paris and sent messages that appeared to contain urgent updates on multi-factor authentication (MFA). Recipients – including embassies, consulates and international organizations – were urged to "Enable content" to display supposedly legitimate Word documents.


These documents contained a VBA macro dropper that recreated a binary payload from three-digit number sequences in a hidden form field. When the document was opened, it started a four-part chain:


  1. Delay and anti-analysis: A nested loop routine called laylay ran thousands of iterations to delay analysis and evade sandbox environments.
  2. Payload decoding: The function dddd interpreted triplets of digits as ASCII characters and rebuilt an executable binary file.
  3. Silent drop and execution: The decoded payload was written to C:\Users\Public\Documents\ManagerProc.log and run hidden via a Shell command.
  4. Persistence and cleanup: Delays and simple error handling suppressed any errors and ensured that the process completed quietly.

This macro-based delivery chain combined numeric encoding and time delays to bypass both email filters and dynamic analysis tools.
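As an added example (not code from the article or from the researcher it cites), the following Python triage script looks for the four traits described above in an extracted VBA module: a nested delay loop, a long run of digit triplets that decodes to an MZ header, a drop into Public\Documents and a hidden Shell call. The VBA fragment, including the names laylay and dddd, is constructed to mirror the description; in practice the module text would come from a tool such as oletools' olevba (assumed available).

```python
import re

# Constructed VBA fragment (hypothetical, not the campaign's real macro) showing
# the traits the article describes: a nested delay loop, a digit-triplet encoded
# payload, a drop into Public\Documents and a hidden Shell call.
SAMPLE_VBA = r'''
Sub laylay()
    For i = 1 To 30000
        For j = 1 To 30000
        Next j
    Next i
End Sub
Sub Document_Open()
    laylay
    enc = "077090144000003000000000004000000000"
    Open "C:\Users\Public\Documents\ManagerProc.log" For Binary As #1
    Put #1, , dddd(enc)
    Close #1
    Shell "C:\Users\Public\Documents\ManagerProc.log", vbHide
End Sub
'''

def decode_triplets(digits):
    """'077090...' -> bytes, three decimal digits per byte; None if malformed."""
    if len(digits) % 3:
        return None
    values = [int(digits[i:i + 3]) for i in range(0, len(digits), 3)]
    return bytes(values) if max(values) <= 255 else None

def triage_macro(vba, min_digits=30):
    """Score a VBA module for the dropper traits described in the article."""
    findings = {
        "nested_long_loop": bool(re.search(
            r"For\s+\w+\s*=\s*1\s+To\s+\d{4,}[\s\S]*?For\s+\w+\s*=\s*1\s+To\s+\d{4,}", vba)),
        "hidden_shell": bool(re.search(r"\bShell\b.*vbHide", vba)),
        "public_docs_drop": "\\Users\\Public\\Documents\\" in vba,
        "encoded_pe": False,
        "decoded_blobs": [],  # first 8 bytes of each decodable digit run
    }
    for run in re.findall(r"\d{%d,}" % min_digits, vba):
        blob = decode_triplets(run)
        if blob is None:
            continue
        findings["decoded_blobs"].append(blob[:8])
        findings["encoded_pe"] |= blob.startswith(b"MZ")  # PE header check
    findings["score"] = sum(int(findings[k]) for k in
                            ("nested_long_loop", "hidden_shell", "public_docs_drop", "encoded_pe"))
    return findings
```

A score of 4 on the constructed sample means every trait matched; on real modules the digit-run threshold and loop bounds are tuning knobs.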


Global espionage under diplomatic cover

A forensic analysis revealed that 270 spear-phishing emails were sent from 104 compromised addresses within Oman’s MFA network. The campaign used NordVPN nodes in Jordan to mask its origin, and targeted six regions:

  • Europe: 10 countries, 73 addresses
  • Africa: 12 countries, 30 addresses
  • Asia: 7 countries, 25 addresses
  • Middle East: 7 countries, 20 addresses
  • America: 11 countries, 35 addresses
  • International organizations: 10 bodies, 12 addresses

Europe appeared to be the primary target, but African missions were also hit hard. Attacks were directed at several international organizations, including the UN, UNICEF and the World Bank, which indicates an interest in strategic diplomacy and humanitarian networks.

The timing of the campaign coincided with sensitive regional negotiations, suggesting that the aim was to gather intelligence and influence diplomatic outcomes.

Evasion, reconnaissance and next steps

The executable file that was dropped – called sysProcUpdate – demonstrated high technical sophistication. It used custom exception handlers and section packing to make reverse engineering difficult.

When the malware was activated, it collected system data such as username, computer name, and administrative status. The information was encrypted and sent via HTTPS POST to a command and control server at https://screenai.online/Home/. A beaconing loop ensured repeated connection attempts even in the event of network outages.

To maintain its foothold, sysProcUpdate replicated itself to C:\ProgramData\sysProcUpdate.exe and modified Windows registry entries under DNS cache parameters – a sign of possible lateral movement and preparation for future attacks.

Analysts believe that the campaign primarily focused on reconnaissance and network mapping ahead of more advanced intrusions.

Recommendations for mitigation

To protect organizations against this type of targeted attack, the following measures are recommended:

  • Indicator blocking: Block communication to screenai.online and isolate documents that match known hash values for sysProcUpdate.
  • Macro security: Ensure that Office installations have macros disabled by default and require digital signing for activation.
  • Network monitoring: Review outbound POST traffic to unknown domains and correlate against user activity.
  • Registry review: Regularly check DNS and TCP/IP registry keys for unauthorized changes.
  • VPN analysis: Identify sudden spikes in VPN usage or exit nodes that deviate from normal patterns.
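To make the indicator-blocking and network-monitoring items concrete, here is an added Python example (not from the article) that runs two of those checks over constructed proxy log lines: it counts outbound POSTs to domains outside an allowlist and flags client/host pairs that post at near-constant intervals, the beaconing pattern described above. The log lines, the allowlist and the 10.0.0.x clients are constructed; only the C2 domain comes from the article.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log (not from the article): time, client, method, URL, status.
# 10.0.0.5 posts to the C2 domain named in the article every five minutes.
SAMPLE_LOG = """\
2025-08-16T09:00:00Z 10.0.0.5 POST https://screenai.online/Home/ 200
2025-08-16T09:00:12Z 10.0.0.5 GET https://www.office.com/ 200
2025-08-16T09:05:00Z 10.0.0.5 POST https://screenai.online/Home/ 200
2025-08-16T09:10:01Z 10.0.0.5 POST https://screenai.online/Home/ 200
2025-08-16T09:15:00Z 10.0.0.5 POST https://screenai.online/Home/ 200
2025-08-16T09:03:30Z 10.0.0.7 POST https://login.microsoftonline.com/common/oauth2/token 200
2025-08-16T09:40:00Z 10.0.0.7 POST https://updates.example-vendor.test/report 200
"""

# Domains to which POST traffic is expected; anything else counts as "unknown".
ALLOWLIST = {"www.office.com", "login.microsoftonline.com"}

def parse(line):
    ts, client, method, url, _status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, client, method, urlsplit(url).hostname

def unknown_posts(log):
    """Count POSTs per (client, host) for hosts outside the allowlist."""
    counts = defaultdict(int)
    for _, client, method, host in map(parse, log.splitlines()):
        if method == "POST" and host not in ALLOWLIST:
            counts[(client, host)] += 1
    return dict(counts)

def beacon_candidates(log, min_hits=4, max_jitter=0.1):
    """Flag (client, host) pairs whose POSTs recur at near-constant intervals."""
    times = defaultdict(list)
    for when, client, method, host in map(parse, log.splitlines()):
        if method == "POST":
            times[(client, host)].append(when)
    found = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # low jitter = beacon-like
            found[key] = {"hits": len(stamps), "mean_interval_s": avg}
    return found
```

The jitter threshold and minimum hit count are starting points; real beacons often add randomised sleep, so widen max_jitter before trusting a clean result.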

By combining strong email filtering, proactive network defenses, and user education, organizations can significantly reduce the risk of being affected by similar attacks.

Indicators of Compromise (IoCs)

