Researchers warn that a cyberespionage actor that targets government entities in the Middle East and North Africa and is generally aligned with Palestinian interests has changed its infection chain tactics three times in recent months. The group is known for targeting a very small number of organizations in every campaign to deliver a custom malware implant dubbed IronWind. In previous campaigns observed during 2021 and 2022, the group’s phishing emails contained links that took users through a redirect script that checked their IP address location. In new campaigns seen in July, attackers included links in their emails that directed victims to download a malicious Microsoft PowerPoint add-in (PPAM) file from Dropbox. In October, the group shifted delivery tactics again and included malicious RAR attachments instead of XLL, while the lure was changed to “Report and Recommendations of the 110th Session on the War on Gaza.”
Source: The North Africa Journal November 16, 2023 22:27 UTC