This threat describes a sophisticated spear-phishing campaign attributed to an Iranian-aligned threat actor group known as Homeland Justice, linked to Iran's Ministry of Intelligence and Security. The campaign impersonates communications from the Omani Ministry of Foreign Affairs to target global government entities, with a particular focus on diplomatic assets. The attack vector involves the use of compromised legitimate mailboxes to distribute malicious Microsoft Word documents embedded with VBA macros. Upon execution, these macros decode and deploy a payload named sysProcUpdate. This payload is designed to collect detailed system metadata and establish communication with a command and control (C2) server, enabling ongoing espionage activities. The campaign employs advanced techniques including anti-analysis measures to evade detection, persistence mechanisms to maintain foothold on infected systems, and regional targeting that spans multiple countries. The use of legitimate compromised mailboxes increases the likelihood of successful delivery and reduces suspicion. The campaign leverages multiple MITRE ATT&CK techniques such as spear-phishing attachments (T1566.001), execution through VBA macros (T1204.002), system information discovery (T1082), obfuscated files or information (T1027), process injection (T1055), and command and control over standard application layer protocols (T1571). Indicators of compromise include multiple file hashes and a suspicious domain (screenai.online) used for C2 communications. The campaign coincides with heightened geopolitical tensions, suggesting a strategic espionage motive targeting diplomatic communications and government operations.

For European organizations, particularly government and diplomatic entities, this campaign poses a significant espionage risk. Successful compromise could lead to unauthorized disclosure of sensitive diplomatic communications, internal government strategies, and classified information, undermining national security and diplomatic relations. The persistence and anti-analysis capabilities of the malware increase the difficulty of detection and removal, potentially allowing long-term access to compromised networks. The use of spear-phishing and compromised legitimate mailboxes increases the attack's success probability, especially in environments where email security controls are not fully hardened. The campaign's targeting of multiple European countries indicates a broad interest in European diplomatic activities, which could result in intelligence gathering that affects policy decisions, international negotiations, and security postures. Additionally, the campaign could be a precursor to further disruptive or destructive operations if initial espionage objectives are met.

1. Implement advanced email filtering solutions that incorporate reputation-based and heuristic analysis to detect spear-phishing attempts, especially those impersonating trusted government entities. 2. Enforce strict macro policies in Microsoft Office applications, such as disabling macros by default and only allowing macros signed by trusted publishers. 3. Conduct targeted user awareness training focused on recognizing spear-phishing emails, especially those that appear to come from diplomatic or governmental sources. 4. Monitor network traffic for unusual outbound connections, particularly to suspicious domains like 'screenai.online', and implement DNS filtering to block known malicious domains. 5. Deploy endpoint detection and response (EDR) solutions capable of detecting process injection, persistence mechanisms, and other advanced malware behaviors. 6. Regularly audit and secure email infrastructure to prevent mailbox compromise, including enforcing multi-factor authentication (MFA) and monitoring for anomalous mailbox activity. 7. Establish incident response playbooks specifically for spear-phishing and espionage-related intrusions, including rapid containment and forensic analysis. 8. Collaborate with national cybersecurity agencies and international partners to share threat intelligence and indicators of compromise for timely detection and response.