Cybertech Europe 2026-IT Industry Official Media Partner
Subscribe

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
Contact us

Iran-linked spear-phishing: attackers impersonate Oman's Ministry of Foreign Affairs to target government entities

– Iran-linked spear-phishing: attackers impersonate Oman's Ministry of Foreign Affairs to target government entities | IT Industry – Iran-linked spear-phishing: attackers impersonate Oman's Ministry of Foreign Affairs to target government entities | IT Industry
Iran-linked spear-phishing: attackers impersonate Oman's Ministry of Foreign Affairs to target government entities – Published by IT-Branschen

Cybersecurity researcher has uncovered a sophisticated Iran-linked spear-phishing campaign that exploited a compromised email account at Oman’s Ministry of Foreign Affairs (MFA) in Paris. The attackers used stolen diplomatic communications and malicious macros to deliver malware to governments and international organizations worldwide.

Diplomatic decoys with harmful macros

The attackers hijacked an official email account belonging to the Omani Foreign Ministry in Paris and sent messages that appeared to contain urgent updates on multi-factor authentication (MFA). Recipients – including embassies, consulates and international organizations – were urged to ”Enable content” to display supposedly legitimate Word documents.

Iran – Iran-linked spear-phishing: attackers impersonate Oman's Ministry of Foreign Affairs to target government entities | IT Industry

These documents contained a VBA macro dropper that recreated a binary payload from three-digit number sequences in a hidden form field. When the document was opened, it started a four-part chain:

  • The IT industry Nordic technology media platform covering cybersecurity, cloud, AI, digital transformation, channel, MSP and enterprise IT news
    The IT industry is a leading Nordic technology media platform covering cybersecurity news, artificial intelligence, cloud computing, enterprise IT, digital transformation, managed services, channel partners, software development, telecommunications, data centers, IT infrastructure, technology leadership, business innovation, and emerging technologies. Through executive interviews, industry analysis, event coverage, thought leadership, product launches, vendor updates, and market insights, the IT industry connects technology decision-makers, CIOs, CISOs, CTOs, IT managers, MSPs, resellers, distributors, technology vendors, startups, and enterprise organizations across Sweden, Norway, Denmark, Finland, and Europe. Coverage includes cybersecurity trends, AI adoption, cloud strategy, enterprise software, networking, digital infrastructure, sustainability, compliance, governance, risk management, automation, data analytics, and future technology developments.
    OWN CONTENT

  • Cybertech Europe 2026 cybersecurity conference in Rome with the IT industry as Official Media Partner
    Cybertech Europe 2026 is one of Europe's leading cybersecurity conferences, bringing together cybersecurity leaders, government officials, technology innovators, startups, investors, and enterprise decision-makers in Rome. The IT industry serves as an Official Media Partner, providing event coverage, executive interviews, industry insights, and cybersecurity news for Nordic and European audiences.
    ADVERTISEMENT

  • Maciek Szczesniak featured on IT-Branschen Wire Channel Magic Chats podcast banner
    Maciek Szczesniak appears on IT-Branschen Wire Channel Magic Chats, discussing leadership, innovation, digital transformation, and business services.
    SPONSORED

  • VORTIQ-X AI Governance helps companies transform AI into controllable and verifiable business value.
    VORTIQ-X is an AI Governance platform that helps organizations govern, verify, and create measurable business value from AI. The platform focuses on transparency, compliance, AI governance, and the effective use of AI in mission-critical processes.
    ADVERTISEMENT

  1. Delay and anti-analysis: A nested loop routine called laylay ran thousands of iterations to delay analysis and block sandbox environments.
  2. Payload decoding: The function dddd interpreted triplets of numbers into ASCII characters and built an executable binary file.
  3. Silent release and execution: The decoded payload was written to C:\Users\Public\Documents\ManagerProc.log and was run hidden via a Shell command.
  4. Persistence and cleanup: Delays and simple error handling hid any errors and ensured that the process was completed quietly.

This macro-based supply chain combined numerical encoding and time delays to bypass both email filters and dynamic analysis tools.

Iran – Iran-linked spear-phishing: attackers impersonate Oman's Ministry of Foreign Affairs to target government entities | IT Industry

Global espionage under diplomatic cover

A forensic analysis revealed that 270 spear-phishing emails were sent from 104 compromised addresses within Oman’s MFA network. The campaign used NordVPN nodes in Jordan to mask its origin, and targeted six regions:

  • Europe: 10 countries, 73 addresses
  • Africa: 12 countries, 30 addresses
  • Asia: 7 countries, 25 addresses
  • Middle East: 7 countries, 20 addresses
  • America: 11 countries, 35 addresses
  • International organizations: 10 bodies, 12 addresses

Europe appeared to be the primary target, but African missions were also hit hard. Attacks were directed at several international organizations, including UN, UNICEF and the World Bank, which indicates an interest in strategic diplomacy and humanitarian networks.

The timing of the campaign coincided with sensitive regional negotiations, suggesting that the aim was to gather intelligence and influence diplomatic outcomes.

Evasion, reconnaissance and next steps

The executable file that was dropped – called sysProcUpdate – demonstrated high technical sophistication. It used custom exception handlers and section packing to make reverse engineering difficult.

When the malware was activated, it collected system data such as username, computer name, and administrative status. The information was encrypted and sent via HTTPS POST to a command and control server on https://screenai.online/Home/.
A beaconing loop ensured repeated connection attempts even in the event of network outages.

To maintain its foothold, sysProcUpdate replicated itself to C:\ProgramData\sysProcUpdate.exe and modified Windows registry entries under DNS cache parameters – a sign of possible lateral movement and preparation for future attacks.

Analysts believe that the campaign primarily focused on reconnaissance and network mapping ahead of more advanced intrusions.

Recommendations for limitation

To protect businesses against this type of targeted attacks, the following measures are recommended:

  • Indicator blocking: Block communication to screenai.online and isolate documents that match known hash values for sysProcUpdate.
  • Macro security: Ensure that Office installations have macros disabled by default and require digital signing for activation.
  • Network monitoring: Review outbound POST traffic to unknown domains and correlate against user activity.
  • Registry review: Regularly check DNS and TCP/IP registry keys for unauthorized changes.
  • VPN analysis: Identify sudden spikes in VPN usage or exit nodes that deviate from normal patterns.

By combining strong email filtering, proactive network defenses, and user education, organizations can significantly reduce the risk of being affected by similar attacks. attacks.

Indicators of Compromise (IoCs)

TypeHash / Domain / URLFile / Resource Name
Domainscreenai[.]onlineC2 domain
URLhttps://screenai.online/Home/Main C2 path
DOCb2c52fde1301a3624a9ceb995f2de4112d57fcbc6a4695799aec15af4fa0a122Online Seminar.FM.gov.om.dnr.doc
DOC1c16b271c0c4e277eb3d1a7795d4746ce80152f04827a4f3c5798aaf4d51f6a11c16b271c0c4e277eb3d1a7795d4746ce80152f04827a4f3c5798aaf4d51f6a1.doc
DOC2c92c7bf2d6574f9240032ec6adee738edddc2ba8d3207eb102eddf4ab963db0DPR for dredging in FreeSpan_16082025.2.doc
DOC80e9105233f9d93df753a43291c2ab1a010375357db9327f9fe40d184f078c6bDPR for dredging in FreeSpan_16082025.2.doc
DOCf0ba41ce46e566f83db1ba3fc762fd9b394d12a01a9cef4ac279135e4c1c67a9Seminar.MFA.gov.ct.tr-1.doc
DOC02ccc4271362b92a59e6851ac6d5d2c07182064a602906d7166fe2867cc662a5Unknown DOC file
Email (EML)05d8f686dcbb6078f91f49af779e4572ba1646a9c5629a1525e8499ab481dbf2EML2_d3ea22143ada4154bf5ea6077d7938f8.eml
Email (EML)03828aebefde47bca0fcf0684ecae18aedde035c85f9d39edd2b7a147a1146faEML1_b83e249519684cd2ac40ad5fcfee687d.eml
EXE76fa8dca768b64aefedd85f7d0a33c2693b94bdb55f40ced7830561e48e39c75sysProcUpdate.exe
EXE1883db6de22d98ed00f8719b11de5bf1d02fc206b89fedd6dd0df0e8d40c4c56sysProcUpdate.exe
EXE3ac8283916547c50501eed8e7c3a77f0ae8b009c7b72275be8726a5b6ae255e3sysProcUpdate.exe
EXE3d6f69cc0330b302ddf4701bbc956b8fca683d1c1b3146768dcbce4a1a3932casysProcUpdate.exe
VBS script20e7b9dcf954660555d511a64a07996f6178f5819f8501611a521e19fbba74b0ThisDocument.cls

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
  • Cybertech Europe 2026 cybersecurity conference in Rome with the IT industry as Official Media Partner
    Cybertech Europe 2026 is one of Europe's leading cybersecurity conferences, bringing together cybersecurity leaders, government officials, technology innovators, startups, investors, and enterprise decision-makers in Rome. The IT industry serves as an Official Media Partner, providing event coverage, executive interviews, industry insights, and cybersecurity news for Nordic and European audiences.
    ADVERTISEMENT

  • The IT industry Nordic technology media platform covering cybersecurity, cloud, AI, digital transformation, channel, MSP and enterprise IT news
    The IT industry is a leading Nordic technology media platform covering cybersecurity news, artificial intelligence, cloud computing, enterprise IT, digital transformation, managed services, channel partners, software development, telecommunications, data centers, IT infrastructure, technology leadership, business innovation, and emerging technologies. Through executive interviews, industry analysis, event coverage, thought leadership, product launches, vendor updates, and market insights, the IT industry connects technology decision-makers, CIOs, CISOs, CTOs, IT managers, MSPs, resellers, distributors, technology vendors, startups, and enterprise organizations across Sweden, Norway, Denmark, Finland, and Europe. Coverage includes cybersecurity trends, AI adoption, cloud strategy, enterprise software, networking, digital infrastructure, sustainability, compliance, governance, risk management, automation, data analytics, and future technology developments.
    OWN CONTENT

  • VORTIQ-X AI Governance helps companies transform AI into controllable and verifiable business value.
    VORTIQ-X is an AI Governance platform that helps organizations govern, verify, and create measurable business value from AI. The platform focuses on transparency, compliance, AI governance, and the effective use of AI in mission-critical processes.
    ADVERTISEMENT

  • Maciek Szczesniak featured on IT-Branschen Wire Channel Magic Chats podcast banner
    Maciek Szczesniak appears on IT-Branschen Wire Channel Magic Chats, discussing leadership, innovation, digital transformation, and business services.
    SPONSORED