Since the beginning of the military conflict in the Middle East, Iran-nexus threat actors have been escalating their destructive and espionage operations against a variety of targets. A recent Microsoft Threat Intelligence report indicates the Iranian state-sponsored threat actor APT35 ("Charming Kitten" or "Mint Sandstorm" as Microsoft tracks it) - with known ties to the Iranian intelligence services - has been actively targeting high-profile geopolitics experts, researchers of the Middle East, and academicians across various countries, including Belgium, France, Israel, the United Kingdom, the United States, and the Gaza Strip. The campaign has apparent espionage objectives.
The campaign heavily relies on social engineering which culminates with malware delivery:
The actor impersonates journalists including high-profile ones in order to get into communication with the targets and establish trust which is then exploited to deliver a phishing email.
Emails were observed delivering RAR archives presenting decompressed content consistent with a double-extension file.
Upon launching the latter initiates communication with command-and-control servers from where the actor pushes onto the target's machine additional malware consistent with various Visual Basic Scripts responsible to carry out various functions within the infection chain, including execution of cmd.exe commands without displaying the prompt, logging activities and files for subsequent exfiltration, and persistence.
The attack chain involves delivery of a backdoor - MediaPl - masquerading as Windows Media Player.