
Iranian Nexus Hackers Exploit Omani Mailbox to Target Governments Worldwide

A sophisticated spear-phishing campaign, orchestrated by Iranian-aligned operators, has been identified as targeting diplomatic missions worldwide through a compromised Ministry of Foreign Affairs of Oman mailbox. Discovered in August 2025, this attack continues the tactics associated with the Homeland Justice group, which is linked to Iran’s Ministry of Intelligence and Security (MOIS). The campaign employed social engineering techniques to distribute malicious Microsoft Word documents that masqueraded as urgent diplomatic communications. Attackers sent emails from a compromised @fm.gov.om address, routing traffic through a NordVPN exit node in Jordan (212.32.83.11) to obscure their true origin. Recipients across 270 email addresses, spanning embassies, consulates, and international organisations in multiple regions, received documents with subjects referencing “The Future of the Region After the Iran-Israel War and the Role of Arab Countries in the Middle East.”

Dreamgroup analysts revealed that the campaign extended beyond initial assessments, using 104 unique compromised addresses to mask the operation’s true scope. The malware embedded in the attached Word documents relies on an encoding scheme in which numerical sequences are converted back into ASCII characters by VBA macro code at run time.

The execution mechanism shows the attack’s technical sophistication: the malicious documents carry VBA macros hidden in the “ThisDocument” and “UserForm1” modules, implementing a multi-stage payload delivery chain. The primary decoder function, named “dddd”, processes encoded strings by reading them in three-digit segments and converting each segment to an ASCII character. A noteworthy evasion technique is the “laylay” function, which creates artificial delays through nested loops, significantly hampering dynamic analysis tools and automated sandbox detection.

The macro writes its payload to C:\Users\Public\Documents\ManagerProc[.]log, disguising the executable as a harmless log file before execution. Once deployed, the sysProcUpdate executable establishes persistence by copying itself to C:\ProgramData\sysProcUpdate[.]exe and modifying Windows registry DNS parameters. It collects system metadata, including username, computer name, and whether the account holds administrative privileges, and transmits this information via encrypted HTTPS POST requests to the command-and-control server at screenai.online/Home.
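The three-digit-to-ASCII scheme described above, reconstructed as a triage helper that an analyst can run over macro text extracted from a suspicious document. This is an added example, not the campaign’s macro or Dreamgroup’s code; the write-up does not give the exact string layout used by the real “dddd” function, so the digit-run format, the minimum run length, and the sample macro text below are assumptions.

```python
import re

# Assumed layout, following the description: a bare run of decimal digits in
# which every three-digit group is the ASCII code of one character
# ("072105" -> "Hi"). Reconstruction for triage, not the real macro's code.


def decode_triplets(encoded: str) -> str:
    """Decode a run of three-digit ASCII codes into text.

    Rejects lengths that are not a multiple of three and any group outside
    printable ASCII (plus tab/CR/LF), so ordinary numeric constants in macro
    code are not mistaken for an encoded payload.
    """
    if len(encoded) % 3 != 0:
        raise ValueError("length is not a multiple of three")
    chars = []
    for i in range(0, len(encoded), 3):
        code = int(encoded[i:i + 3])
        if not (code in (9, 10, 13) or 32 <= code <= 126):
            raise ValueError(f"non-ASCII group {encoded[i:i + 3]!r} at {i}")
        chars.append(chr(code))
    return "".join(chars)


def find_encoded_strings(vba_source: str, min_groups: int = 8):
    """Return (digit_run, decoded_text) for each digit run in the macro text
    that decodes cleanly. Runs shorter than min_groups groups are ignored to
    avoid false hits on constants such as loop bounds."""
    pattern = re.compile(r"(?<!\d)(?:\d{3}){%d,}(?!\d)" % min_groups)
    hits = []
    for match in pattern.finditer(vba_source):
        run = match.group(0)
        try:
            hits.append((run, decode_triplets(run)))
        except ValueError:
            continue  # a digit run that is not valid ASCII: skip it
    return hits


def encode_triplets(text: str) -> str:
    """Inverse of decode_triplets; used only to build the constructed sample."""
    return "".join(f"{ord(c):03d}" for c in text)


# Constructed sample macro text (not from the real document): one encoded
# literal passed to the decoder, plus a numeric constant that must not match.
SAMPLE_VBA = (
    "Sub Document_Open()\n"
    "    Dim p As String\n"
    '    p = dddd("' + encode_triplets("ManagerProc.log") + '")\n'
    "    Const delay = 50000\n"
    "End Sub\n"
)
```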

Categories: Cybersecurity Threats, Spear-Phishing Campaigns, Malware Analysis 

Tags: Spear-Phishing, Iranian-Aligned, Diplomatic Missions, Social Engineering, Malicious Documents, VBA Macros, Payload Delivery, Anti-Analysis, Command-and-Control, Threat Intelligence 
