On 14 November, Proofpoint released an analysis of recent TTPs observed in a TA402-attributed campaign targeting government organizations across the Middle East and North Africa. TA402 (a.k.a. Molerats) has historically employed Arabic-language, economic-themed documents as phishing lures for initial intrusion. Recently, in conjunction with the outbreak of military operations in the Middle East, the actor shifted towards war-related lures. The main innovation, however, concerns the attack chain, which maintains IP-based geofencing (to ensure targeted users are from the intended region) but employs a new customized downloader, dubbed "Iron Wind", as the stager.
Clipeus