A sophisticated and long-term cyber espionage campaign, attributed to an Iranian state-sponsored threat group, has compromised critical national infrastructure (CNI) across the Middle East, according to a recent incident response report by the FortiGuard Incident Response (FGIR) team.
The campaign, characterized by persistent access and advanced techniques, involved extensive network prepositioning, a hallmark of state-driven operations aiming for strategic advantage and potential future disruption.
Advanced Malware and Multi-Stage Attack Progression Uncovered
The intrusion campaign persisted from at least May 2023 through February 2025, with evidence suggesting initial compromise as early as May 2021.
Attackers exploited stolen VPN credentials to access victim networks, deploying a suite of backdoors and web shells, including Havoc, HanifNet, HXLibrary, and NeoExpressRAT, to entrench their presence.
For lateral movement and to bypass segmentation barriers within highly compartmentalized networks, the adversaries leveraged open-source proxy tools such as plink, Ngrok, glider proxy, and ReverseSocks5.
Custom loaders were used to execute Havoc and SystemBC in memory, enhancing stealth and persistence.
The adversary’s tactics evolved throughout the intrusion, staging multiple waves of attacks and frequently updating their toolset.

Notably, the attackers shifted infrastructure away from U.S.-based virtual private servers (VPS) to obscure their operations and evade international scrutiny.
Persistence mechanisms, including scheduled tasks camouflaged as legitimate Windows processes, allowed the attackers to blend into standard network activity while maintaining robust and covert access.
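Scheduled tasks that borrow the name of a Windows process are cheap to create and easy to overlook in a long task list. The script below is an added example for this article, not code from the FGIR report: it parses Task Scheduler XML definitions (on a live host these sit under C:\Windows\System32\Tasks) and flags tasks whose executable or arguments point outside the directories legitimate tasks run from, whose name imitates a core Windows process, or which are hidden while running elevated. The three task definitions, the trusted-directory list and the look-alike name list are constructed for the demonstration and should be replaced by a baseline taken from your own build.

```python
"""Audit Windows Task Scheduler XML definitions for tasks that imitate
legitimate Windows processes while launching something else.

Example written for this article; it is not code from the FGIR report.
On a live host task XML lives under C:\\Windows\\System32\\Tasks; the three
task definitions below are constructed samples, not artifacts from the case.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories from which legitimate Windows and vendor tasks normally run
# (assumed baseline for the example).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Process names attacker-created tasks commonly borrow (assumed list; no
# stock Windows scheduled task carries these names).
WINDOWS_LOOKALIKES = {"svchost", "lsass", "csrss", "winlogon", "wininit",
                      "services", "spoolsv", "dllhost"}

# Drive-letter paths inside an Arguments string.
WIN_PATH = re.compile(r"[a-z]:\\[^\s\"',]+", re.IGNORECASE)


def normalize(path: str) -> str:
    """Lower-case, strip quotes and expand the common system-root variables."""
    p = path.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p


def is_trusted(path: str) -> bool:
    return any(normalize(path).startswith(d) for d in TRUSTED_DIRS)


def audit_task(task_name: str, xml_text: str) -> list:
    """Return the reasons this task looks suspicious (empty list if clean)."""
    root = ET.fromstring(xml_text)
    reasons = []
    command, args = "", ""
    exec_node = root.find(".//t:Actions/t:Exec", NS)
    if exec_node is not None:
        command = exec_node.findtext("t:Command", default="", namespaces=NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)

    # 1. Executable outside the directories legitimate tasks run from.
    if command and not is_trusted(command):
        reasons.append(f"command outside trusted directories: {command}")

    # 2. A trusted host binary (rundll32, regsvr32, ...) pointed at a payload
    #    in a user-writable location via its arguments.
    for path in WIN_PATH.findall(args):
        if not is_trusted(path):
            reasons.append(f"argument references untrusted path: {path}")

    # 3. Task named after a core Windows process.
    leaf = task_name.rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    if leaf in WINDOWS_LOOKALIKES:
        reasons.append(f"task name imitates Windows process: {leaf}")

    # 4. Hidden from the Task Scheduler UI while running elevated.
    hidden = root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS)
    run_level = root.findtext(".//t:Principals/t:Principal/t:RunLevel",
                              default="", namespaces=NS)
    if hidden.lower() == "true" and run_level == "HighestAvailable":
        reasons.append("hidden task running with highest privileges")
    return reasons


def audit_tasks(tasks: dict) -> dict:
    """Audit a mapping of task path -> task XML; return only the suspicious ones."""
    return {name: r for name, xml in tasks.items() if (r := audit_task(name, xml))}


# Constructed sample task definitions (not from the incident).
TASK_XML = '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">{body}</Task>'
SAMPLE_TASKS = {
    # Stock-looking Windows task: System32 binary, not hidden.
    "\\Microsoft\\Windows\\SystemRestore\\SR": TASK_XML.format(body=(
        "<Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
        "<Settings><Hidden>false</Hidden></Settings>"
        "<Actions><Exec><Command>%windir%\\system32\\srtasks.exe</Command>"
        "<Arguments>ExecuteScheduledBackup</Arguments></Exec></Actions>")),
    # Task named like a system process, hidden, running from a public folder.
    "\\svchost": TASK_XML.format(body=(
        "<Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
        "<Settings><Hidden>true</Hidden></Settings>"
        "<Actions><Exec><Command>C:\\Users\\Public\\Libraries\\svchost.exe</Command>"
        "</Exec></Actions>")),
    # Trusted host binary loading a DLL from ProgramData.
    "\\Microsoft\\Windows\\Maintenance\\UpdateCheck": TASK_XML.format(body=(
        "<Settings><Hidden>false</Hidden></Settings>"
        "<Actions><Exec><Command>C:\\Windows\\System32\\rundll32.exe</Command>"
        "<Arguments>C:\\ProgramData\\cache\\loader.dll,Start</Arguments></Exec></Actions>")),
}

if __name__ == "__main__":
    for name, reasons in audit_tasks(SAMPLE_TASKS).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The path check deliberately looks at both the Command and the Arguments elements: a loader launched through rundll32.exe or regsvr32.exe has a perfectly trusted executable, and only the DLL path in the arguments gives it away. Run it over a directory tree exported from the Tasks folder, then feed anything it flags into an EDR or timeline review rather than treating a hit as a verdict on its own.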
Technical analysis revealed the deployment of novel malware families, with HanifNet functioning as a .NET-based backdoor, HXLibrary as a malicious IIS module granting extensive system control, and NeoExpressRAT, developed in Golang, using hardcoded command-and-control protocols.
Attackers also introduced RemoteInjector, a custom loader for injecting Havoc payloads via scheduled tasks.
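A malicious IIS module of the HXLibrary kind is registered in applicationHost.config like any other module, so the registration itself is the artifact to audit. The script below is an added example for this article, not code from the FGIR report or the malware analysis: it parses the native `<globalModules>` entries and the managed `<modules>` entries and reports any module whose image is loaded from outside the IIS install or whose managed type is not a Microsoft-shipped one. The config fragment is constructed, and the trusted image prefixes and type prefixes are an assumed baseline that a real deployment would extend with its own application namespaces.

```python
"""Audit an IIS applicationHost.config for modules loaded from outside the
IIS install, the registration an attacker's native IIS module needs to run.

Example written for this article, not code from the FGIR report. On a server
the file is %windir%\\System32\\inetsrv\\config\\applicationHost.config; the
fragment below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# Locations legitimate native IIS modules are loaded from (assumed baseline).
TRUSTED_IMAGE_PREFIXES = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\",
)
# Managed module type prefixes shipped with ASP.NET / Microsoft components
# (assumed allowlist; add your own application's namespaces before use).
TRUSTED_TYPE_PREFIXES = ("System.Web.", "Microsoft.")


def normalize(path: str) -> str:
    """Lower-case, strip quotes and expand the common system-root variables."""
    p = path.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p


def audit_iis_config(xml_text: str) -> dict:
    """Return {module name: reason} for every module outside the baseline."""
    root = ET.fromstring(xml_text)
    findings = {}

    # Native modules: <globalModules><add name=".." image=".."/>
    for global_modules in root.iter("globalModules"):
        for mod in global_modules.findall("add"):
            image = mod.get("image", "")
            if not any(normalize(image).startswith(p) for p in TRUSTED_IMAGE_PREFIXES):
                findings[mod.get("name")] = f"native module image outside IIS install: {image}"

    # Managed modules: <modules><add name=".." type=".."/>. Entries without a
    # type attribute only enable a native module by name, which the check
    # above already covers.
    for modules in root.iter("modules"):
        for mod in modules.findall("add"):
            type_name = mod.get("type")
            if type_name and not type_name.startswith(TRUSTED_TYPE_PREFIXES):
                findings[mod.get("name")] = f"managed module from non-Microsoft type: {type_name}"
    return findings


# Constructed configuration fragment (not from the incident). The rogue
# native entry borrows a real IIS module name but points at a DLL in inetpub.
SAMPLE_CONFIG = """
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="ManagedEngine64" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="HttpCompressionModule" image="C:\\inetpub\\temp\\iisc.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
      <add name="HttpCompressionModule" />
      <add name="IISHelper" type="Helper.Module, Helper" />
    </modules>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for name, reason in audit_iis_config(SAMPLE_CONFIG).items():
        print(f"{name}: {reason}")
```

Because IIS reads this file at service start, a diff of the `<globalModules>` section against a known-good copy, or a periodic run of a check like this from a scheduled job, catches a module registration that survives reboots and credential resets alike. Hashing each flagged image and checking its signer is the natural follow-up.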
Defensive Measures and Strategic Implications
During the initial containment efforts by the victim organization, which included credential resets and increased monitoring, the threat actors responded with intensified activity: deploying additional web shells, leveraging the legitimate MeshCentral remote management tool, and focusing on gaining deeper network access, particularly targeting sensitive virtualization infrastructure.
After significant containment, the adversaries attempted to regain access by exploiting previously unreported vulnerabilities in ZKTeco ZKBioTime software and launching targeted phishing campaigns using previously compromised email accounts.
While no direct disruption to operational technology (OT) networks was confirmed, the investigation documented deliberate reconnaissance and credential harvesting activities targeting OT environments, indicating a clear adversary intent to extend control into these critical domains.
The report underscores the necessity of stringent security practices, recommending the universal adoption of multi-factor authentication for remote access, rigorous credential management, enhanced segmentation, and layered access controls within critical infrastructure environments.
The use of behavioral analytics, endpoint detection and response (EDR) solutions, and regular third-party security assessments is also advocated as essential components of a proactive cyber defense strategy.
FGIR’s findings reinforce the need for constant vigilance and preparedness in the face of persistent, adaptive state-sponsored cyber threats.
As adversaries refine their methods and prioritize long-term access to CNI, organizations must continually evolve their own detection, response, and incident recovery practices to counter sophisticated and determined intrusions.