Iran-Linked Hackers Target Israel with MURKYTOUR Malware via Fake Job Campaign
Briefly

In October 2024, the Iran-linked threat actor UNC2428 ran a social engineering campaign in which it posed as a recruiter for the Israeli defense contractor Rafael. The campaign delivered the MURKYTOUR backdoor through a deceptive installer named LONEFLEET, which prompted victims to enter personal data under the pretense of a job application. The attackers used graphical user interfaces (GUIs) to make the malware installation look like a legitimate application, lowering the suspicion of targeted individuals. The activity overlaps with that of another Iranian adversary, Black Shadow, which is known for targeting various sectors in Israel.
"UNC2428's social engineering campaign targeted individuals while posing as a recruitment opportunity from Israeli defense contractor, Rafael," Mandiant said in its annual M-Trends report for 2025.
"Iran-nexus threat actors incorporated graphical user interfaces (GUIs) to disguise malware execution and installation as legitimate applications or software," Mandiant said.
The intrusion set is said to have distributed the malware through a "complex chain of deception techniques."
Once the victim submitted the form, the LONEFLEET installer launched the MURKYTOUR backdoor as a background process, granting the attackers persistent access to the compromised machine.
Read at The Hacker News