Mayura Kathir
2025-09-02 07:14:00
gbhackers.com
A sophisticated spear-phishing campaign exploited a compromised mailbox belonging to the Ministry of Foreign Affairs of Oman.
The operation, attributed to an Iranian-aligned group known as Homeland Justice and linked to Iran’s Ministry of Intelligence and Security (MOIS), masqueraded as legitimate multi-factor authentication (MFA) communications to infiltrate governments and diplomatic missions around the world.
The campaign leveraged the hijacked Omani MFA mailbox to send malicious Microsoft Word attachments disguised as official registration forms.
The macro-based dropper wrote the reconstructed executable to a file named ManagerProc.log in the public documents folder, executed it invisibly via Windows Shell, and established beaconing to a command-and-control (C2) domain at screenai.online.
Forensic analysis linked the campaign’s tactics, techniques, and procedures (TTPs) to earlier operations conducted by Homeland Justice, suggesting a coordinated regional espionage effort targeting diplomatic and governmental entities amid heightened Middle East tensions.

Data from 270 spear-phishing emails revealed that attackers employed 104 unique compromised addresses to camouflage the origin of their messages.
This breadth demonstrates a multi-wave operation reaching embassies, consulates, and international organizations during sensitive ceasefire negotiations between certain nations and Hamas.
The lure emails consistently invoked urgent MFA updates, conveyed high-level authority, and exploited users’ familiarity with enabling macros—hallmarks of a well-orchestrated espionage drive.
Each document contained encoded numerical strings embedded within a VBA macro. When the document was opened and “Enable Content” was clicked, the macro decoded the numbers, reading three digits at a time and converting each triplet into an ASCII character, to reconstruct the malware payload.

The initial phase targeted the Omani Embassy in Paris. Attackers crafted emails referencing regional security topics—such as “The Future of the region after the Iran-Israel war and the role of Arab countries in the Middle East”—and instructed recipients to enable embedded macros. A NordVPN exit node in Jordan (IP 212.32.83.11) masked the emails’ true origin.
Technical Analysis
- Payload Decoder (dddd): Reads three-digit sequences from a hidden form control and converts them to binary executable content.
- Anti-Analysis Delay (laylay): Four nested loops each iterating 105 times to thwart sandbox analysis.
- Execution Wrapper (RRRR): Invokes laylay twice, then runs the dropped payload with vbHide, suppressing errors.
An AutoOpen macro orchestrated the dropper: decoding the payload, writing it as ManagerProc.log, and executing it invisibly.
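The three-digits-per-byte scheme described above is simple to reverse during triage. The following Python helper is an added example, not code from the report or the malware: it scans extracted VBA source (for example olevba output) for long digit runs, decodes them the way the dddd routine does, and flags any blob that starts with an MZ header. The macro text and payload bytes below are constructed samples, not the real dropper.

```python
import re

# Constructed sample of extracted VBA source, NOT the real macro: the payload
# bytes are stored as a run of zero-padded three-digit decimal values.
SAMPLE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_MACRO = (
    "Private Sub AutoOpen()\n"
    "    Dim s As String\n"
    '    s = "' + "".join(f"{b:03d}" for b in SAMPLE_PAYLOAD) + '"\n'
    "    Call RRRR(dddd(s))\n"
    "End Sub\n"
)


def decode_three_digit(encoded: str) -> bytes:
    """Rebuild bytes from a string of zero-padded three-digit decimal values."""
    digits = re.sub(r"\D", "", encoded)  # drop quotes, spaces, line continuations
    if not digits or len(digits) % 3:
        raise ValueError("digit run length is not a multiple of three")
    values = [int(digits[i:i + 3]) for i in range(0, len(digits), 3)]
    if max(values) > 255:
        raise ValueError("a value exceeds 0xFF; not a byte-per-triplet encoding")
    return bytes(values)


def has_mz_header(blob: bytes) -> bool:
    """Cheap check that the decoded blob starts like a Windows PE file."""
    return blob[:2] == b"MZ"


def triage_macro(macro_text: str, min_bytes: int = 16) -> list[dict]:
    """Report contiguous digit runs of at least min_bytes*3 digits that decode
    to bytes, noting whether each decoded blob carries an MZ header.
    Runs split across string concatenations are not joined here."""
    findings = []
    for match in re.finditer(r"\d{%d,}" % (min_bytes * 3), macro_text):
        try:
            blob = decode_three_digit(match.group(0))
        except ValueError:
            continue  # not a clean byte-per-triplet run; skip it
        findings.append({
            "offset": match.start(),
            "decoded_len": len(blob),
            "looks_like_pe": has_mz_header(blob),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_macro(SAMPLE_MACRO):
        print(finding)
```

Dropping every non-digit before decoding lets the helper cope with quoted or whitespace-separated values, which is why decoding is applied only after a contiguous run has been located.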
Upon execution, the malware—dubbed sysProcUpdate—collected host metadata (user name, computer name, privilege level), encrypted it, and posted it via HTTPS to the C2 server. Although sandbox tests failed to reach the server (GetLastError 0x2ee7), real-world victims likely transmitted sensitive footprint data.
Regional Targeting
- Africa: Twelve countries, 30 unique emails (15 primary, 17 secondary).
- Europe: Ten countries, 73 unique emails (39 primary, 57 secondary).
- Asia: Seven countries, 25 unique emails (14 primary, 12 secondary).
- Americas: Eleven countries, 35 unique emails (1 primary, 21 secondary).
- International Organizations: Ten bodies, 12 unique emails (6 primary, 6 secondary).
- Generic Domains: 103 unique emails across non-attributable domains (47 primary, 76 secondary).
The campaign’s use of an official government mailbox lent credibility, while VPN routing obscured attribution. The sysProcUpdate payload focused on reconnaissance, yet registry modifications and persistence across reboots indicate preparations for deeper network penetration. The uniform payload and regional lure themes underscore a high-stakes espionage undertaking.
Recommendations
- Block all identified IOCs, including the ManagerProc.log file name, sysProcUpdate binaries, and the screenai.online domain.
- Monitor outbound HTTPS POSTs to suspicious Home endpoints.
- Audit DNS and TCP/IP registry settings for unauthorized changes.
- Disable Office macros by default and enforce strict whitelist policies.
- Analyze VPN logs for traffic anomalies linked to Jordan-based exit nodes.
- Implement network segmentation and limit egress to approved domains.
By adopting these measures, governments and diplomatic missions can better detect and mitigate spear-phishing threats orchestrated by state-sponsored actors.