
CTI Analysis: Malicious Email Campaign

Medium
Published: Tue Sep 02 2025 (09/02/2025, 08:58:29 UTC)
Source: AlienVault OTX General

Description

An Iran-nexus spear-phishing campaign masquerading as the Omani Ministry of Foreign Affairs targeted global governments in August 2025. Attributed to Iranian-aligned operators linked to the Homeland Justice group and MOIS, the campaign used compromised mailboxes to send emails with malicious Microsoft Word attachments. The documents contained VBA macros that decoded and deployed malware payloads. The multi-wave operation targeted diplomatic and governmental entities across multiple regions, including the Middle East, Africa, Europe, Asia, and the Americas. The campaign utilized social engineering lures, anti-analysis techniques, and a reconnaissance-focused malware called sysProcUpdate. The attackers aimed to gain initial access, map internal networks, and prepare for further exploitation in diplomatic and industrial organizations.

AI-Powered Analysis

AI Last updated: 09/02/2025, 09:33:02 UTC

Technical Analysis

This threat describes a sophisticated spear-phishing campaign attributed to Iranian-aligned threat actors linked to the Homeland Justice group and Iran's Ministry of Intelligence and Security (MOIS). The campaign, active in August 2025, impersonated the Omani Ministry of Foreign Affairs to target diplomatic and governmental entities worldwide, including Europe. Attackers leveraged compromised legitimate mailboxes to send malicious emails containing Microsoft Word documents with embedded VBA macros. When macros are enabled by the recipient, they decode and deploy a reconnaissance-focused malware named sysProcUpdate. This malware is designed to gather detailed information about the infected system and network environment, including internal network mapping and credential harvesting, to facilitate further exploitation. The campaign employed multiple waves and utilized social engineering lures tailored to diplomatic targets, anti-analysis techniques to evade detection, and a broad set of tactics, techniques, and procedures (TTPs) such as process injection, persistence mechanisms, credential dumping, and command and control communications. Indicators of compromise include multiple file hashes and a malicious domain (screenai.online). The operation's goal is initial access and reconnaissance within high-value diplomatic and industrial organizations, preparing for potential follow-on attacks or espionage activities.

Potential Impact

For European organizations, especially governmental and diplomatic entities, this campaign poses a significant threat to confidentiality and operational security. Successful exploitation could lead to unauthorized access to sensitive diplomatic communications, internal network structures, and credentials, enabling espionage, data exfiltration, or disruption of critical governmental functions. The use of compromised mailboxes and convincing social engineering increases the likelihood of successful infection. The reconnaissance malware sysProcUpdate can facilitate lateral movement and persistence, potentially leading to long-term infiltration. This undermines trust in official communications and may compromise national security interests. Additionally, industrial organizations linked to government operations could face intellectual property theft or sabotage. The medium severity rating reflects the targeted nature and complexity of the attack, which requires user interaction but does not rely on zero-day exploits or widespread vulnerabilities.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic advice:

1) Enforce strict email filtering and authentication protocols such as DMARC, DKIM, and SPF to detect and block spoofed emails impersonating trusted entities like the Omani Ministry of Foreign Affairs.
2) Deploy advanced sandboxing and macro analysis tools to detect malicious VBA macros in Office documents before delivery to end users.
3) Conduct focused user awareness training emphasizing the risks of enabling macros and recognizing spear-phishing attempts, especially those impersonating diplomatic sources.
4) Monitor for indicators of compromise including the provided file hashes and suspicious domain screenai.online, integrating these into SIEM and endpoint detection systems.
5) Implement network segmentation and least privilege access controls to limit lateral movement if initial compromise occurs.
6) Employ endpoint detection and response (EDR) solutions capable of detecting reconnaissance behaviors such as credential dumping, process injection, and unusual network scanning.
7) Regularly audit and secure mailboxes to prevent compromise and unauthorized use for phishing campaigns.
8) Collaborate with national cybersecurity centers and share threat intelligence to stay updated on evolving TTPs from Iranian-aligned actors.
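Recommendation 4 asks defenders to sweep SIEM and endpoint data for the pulse's indicators. The script below is an added example (not code from the page, the OTX pulse, or the referenced blog) showing one way to do that: it loads the hashes, domain and URL exactly as listed in the Indicators of Compromise section, then scans log lines for 64-hex-character hashes (treated here as SHA-256, an assumption) and for hostnames, matching the domain indicator against subdomains as well so that a lookup such as `cdn.screenai.online` is not missed. The log lines, hostnames, client IPs and paths in `SAMPLE_LOGS` are constructed for the example and are not from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators copied from the Indicators of Compromise section of this page.
IOC_HASHES = {
    "02ccc4271362b92a59e6851ac6d5d2c07182064a602906d7166fe2867cc662a5",
    "03828aebefde47bca0fcf0684ecae18aedde035c85f9d39edd2b7a147a1146fa",
    "05d8f686dcbb6078f91f49af779e4572ba1646a9c5629a1525e8499ab481dbf2",
    "1883db6de22d98ed00f8719b11de5bf1d02fc206b89fedd6dd0df0e8d40c4c56",
    "1c16b271c0c4e277eb3d1a7795d4746ce80152f04827a4f3c5798aaf4d51f6a1",
    "20e7b9dcf954660555d511a64a07996f6178f5819f8501611a521e19fbba74b0",
    "2c92c7bf2d6574f9240032ec6adee738edddc2ba8d3207eb102eddf4ab963db0",
    "3ac8283916547c50501eed8e7c3a77f0ae8b009c7b72275be8726a5b6ae255e3",
    "3d6f69cc0330b302ddf4701bbc956b8fca683d1c1b3146768dcbce4a1a3932ca",
    "76fa8dca768b64aefedd85f7d0a33c2693b94bdb55f40ced7830561e48e39c75",
    "80e9105233f9d93df753a43291c2ab1a010375357db9327f9fe40d184f078c6b",
    "b2c52fde1301a3624a9ceb995f2de4112d57fcbc6a4695799aec15af4fa0a122",
    "f0ba41ce46e566f83db1ba3fc762fd9b394d12a01a9cef4ac279135e4c1c67a9",
}
IOC_DOMAINS = {"screenai.online"}
IOC_URLS = {"https://screenai.online/Home/"}

# 64 hex characters: the length of a SHA-256 digest (assumption: the pulse hashes are SHA-256).
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Dotted hostname with an alphabetic top-level label; IPv4 literals do not match.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    line_no: int   # 1-based index into the scanned input
    ioc_type: str  # "hash" or "domain"
    value: str     # the indicator that matched, normalised to lowercase


def domain_matches(host: str) -> Optional[str]:
    """Return the matching domain indicator if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_lines(lines: List[str]) -> List[Match]:
    """Scan free-form log lines and return one Match per (line, indicator) hit."""
    matches: List[Match] = []
    for line_no, line in enumerate(lines, start=1):
        seen = set()  # avoid reporting the same indicator twice for one line
        for digest in SHA256_RE.findall(line):
            digest = digest.lower()
            if digest in IOC_HASHES and ("hash", digest) not in seen:
                seen.add(("hash", digest))
                matches.append(Match(line_no, "hash", digest))
        for host in HOST_RE.findall(line):
            hit = domain_matches(host)
            if hit and ("domain", hit) not in seen:
                seen.add(("domain", hit))
                matches.append(Match(line_no, "domain", hit))
    return matches


# Constructed sample log lines (proxy, EDR and DNS style); not taken from the report.
SAMPLE_LOGS = [
    '2025-08-14T09:12:03Z proxy client=10.20.5.17 host=screenai.online url="https://screenai.online/Home/" action=allow',
    "2025-08-14T09:12:40Z edr host=WS-0412 event=file_create sha256=02ccc4271362b92a59e6851ac6d5d2c07182064a602906d7166fe2867cc662a5 path=C:\\Users\\public\\report.docx",
    "2025-08-14T09:13:01Z proxy client=10.20.5.18 host=www.example.org action=allow",
    "2025-08-14T09:13:15Z edr host=WS-0413 event=file_create sha256=" + "ab" * 32 + " path=C:\\Users\\public\\notes.txt",
    "2025-08-14T09:14:00Z dns client=10.20.5.19 query=cdn.screenai.online type=A",
]

if __name__ == "__main__":
    for m in scan_lines(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.ioc_type} indicator {m.value}")
```

Running the block against `SAMPLE_LOGS` reports three hits: the proxy request to the listed URL (line 1), the file with a listed hash (line 2), and the DNS query for a subdomain of the listed domain (line 5); the benign proxy line and the non-matching hash produce nothing. In production the same functions would be fed from a SIEM export or an EDR file-event feed rather than the embedded sample.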


Technical Details

Author
AlienVault
TLP
white
References
https://dreamgroup.com/blog-cti/
Adversary
Homeland Justice
Pulse Id
68b6b1b5ba004947dbc00475
Threat Score
null

Indicators of Compromise

Hash

Value
02ccc4271362b92a59e6851ac6d5d2c07182064a602906d7166fe2867cc662a5
03828aebefde47bca0fcf0684ecae18aedde035c85f9d39edd2b7a147a1146fa
05d8f686dcbb6078f91f49af779e4572ba1646a9c5629a1525e8499ab481dbf2
1883db6de22d98ed00f8719b11de5bf1d02fc206b89fedd6dd0df0e8d40c4c56
1c16b271c0c4e277eb3d1a7795d4746ce80152f04827a4f3c5798aaf4d51f6a1
20e7b9dcf954660555d511a64a07996f6178f5819f8501611a521e19fbba74b0
2c92c7bf2d6574f9240032ec6adee738edddc2ba8d3207eb102eddf4ab963db0
3ac8283916547c50501eed8e7c3a77f0ae8b009c7b72275be8726a5b6ae255e3
3d6f69cc0330b302ddf4701bbc956b8fca683d1c1b3146768dcbce4a1a3932ca
76fa8dca768b64aefedd85f7d0a33c2693b94bdb55f40ced7830561e48e39c75
80e9105233f9d93df753a43291c2ab1a010375357db9327f9fe40d184f078c6b
b2c52fde1301a3624a9ceb995f2de4112d57fcbc6a4695799aec15af4fa0a122
f0ba41ce46e566f83db1ba3fc762fd9b394d12a01a9cef4ac279135e4c1c67a9

URL

Value
https://screenai.online/Home/

Domain

Value
screenai.online

Threat ID: 68b6b63cad5a09ad00dabf70

Added to database: 9/2/2025, 9:17:48 AM

Last enriched: 9/2/2025, 9:33:02 AM

Last updated: 9/3/2025, 9:47:07 AM
