A coordinated and multi-phase spear-phishing campaign targeting embassies, consulates, and international organizations worldwide has been attributed to an Iran-aligned threat group associated with “Homeland Justice.” Israeli cybersecurity firm Dream uncovered the campaign, which leveraged compromised email accounts and diplomatic-themed lures to distribute malicious Microsoft Word documents embedded with malware.
The emails—crafted to appear as legitimate and urgent communications from ministries of foreign affairs—were sent from 104 unique compromised addresses, including one linked to the Oman Ministry of Foreign Affairs in Paris. This tactic helped the attackers gain credibility and bypass suspicion, increasing the likelihood that targets would enable macros and unknowingly execute malware.

[Figure] The Iran-Nexus spear-phishing attack path. Source: dreamgroup.com.
Once opened, the documents prompted recipients to enable content, triggering a VBA macro that deployed a payload designed to establish persistence, contact a command-and-control (C2) server, and extract system information. The attacks were geographically expansive, impacting government recipients across Europe, the Middle East, Africa, Asia, and the Americas—with European and African organizations reportedly among the most heavily hit.
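The infection chain above starts with a macro-enabled Word attachment and a recipient clicking "Enable Content". A mail gateway or incident-response triage script can flag such attachments before that prompt is ever shown, by checking the OOXML package itself for an embedded VBA project. The following is an added, hypothetical example written for this article; it is not tooling from Dream, ClearSky, or the campaign. The content-type strings and the `word/vbaProject.bin` part name are the real identifiers defined by ECMA-376 and MS-OVBA; the sample packages are constructed in memory so the script runs offline. It does not decompress the VBA source (that requires an MS-OVBA decompressor), so it answers "does this attachment carry macros at all?", which is the gating question for quarantine.

```python
"""Gateway-style check for macro-enabled Word attachments (added example).

Inspects an OOXML (.docx/.docm) package for the markers of an embedded VBA
project so a mail gateway or IR script can quarantine or flag the message
before a recipient is asked to "enable content".
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML / MS-OVBA identifiers, not invented for this example.
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_PART = "word/vbaProject.bin"


def inspect_word_attachment(filename: str, data: bytes) -> dict:
    """Return {'macro_enabled': bool, 'findings': [str, ...]} for one attachment."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML package (could be legacy .doc, RTF, or junk); handle elsewhere.
        return {"macro_enabled": False, "findings": ["not an OOXML zip package"]}

    names = set(zf.namelist())

    # Collect every declared content type from [Content_Types].xml.
    content_types = set()
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for el in root.iter():
            if el.tag in (CT_NS + "Default", CT_NS + "Override"):
                content_types.add(el.get("ContentType", ""))

    # Three independent signals; any one of them means a VBA project is present.
    if VBA_PART in names:
        findings.append(f"embedded VBA project part: {VBA_PART}")
    if MACRO_MAIN_CT in content_types:
        findings.append("main document part declares macroEnabled content type")
    if VBA_PROJECT_CT in content_types:
        findings.append("package declares a vbaProject content type")

    macro_enabled = bool(findings)
    # A .docx that actually carries macros is a mismatch worth its own finding.
    if macro_enabled and filename.lower().endswith(".docx"):
        findings.append("extension is .docx but package contains macros (mismatch)")
    return {"macro_enabled": macro_enabled, "findings": findings}


def build_sample_package(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed test data)."""
    main_ct = MACRO_MAIN_CT if with_macro else PLAIN_MAIN_CT
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    if with_macro:
        overrides.append(
            f'<Override PartName="/{VBA_PART}" ContentType="{VBA_PROJECT_CT}"/>')
    ct_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>'
              + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct_xml)
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Constructed placeholder; a real part is an OLE compound file.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("agenda.docm", True), ("agenda.docx", True), ("agenda.docx", False)):
        print(name, inspect_word_attachment(name, build_sample_package(macro)))
```

In a gateway, a `macro_enabled` result for mail from an external or newly seen sender is a reasonable quarantine trigger; the extension mismatch finding is a stronger signal, since a legitimate author saving a macro document gets `.docm` by default. Pair the check with the Office policy that blocks macros in files from the internet, so "Enable Content" is not available even if the attachment gets through.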
Dream emphasized that the attackers intentionally masked their origins using spoofed identities, carefully constructed lure content, and macro abuse—hallmarks of a high-level espionage operation. The timing of the campaign also aligns with heightened geopolitical tensions involving Iran, suggesting a broader regional intelligence-gathering agenda.
Cybersecurity firm ClearSky independently corroborated elements of the attack, linking it to similar Iranian threat actor tactics seen in 2023 targeting opposition groups in Albania. ClearSky assessed with moderate confidence that the same actors were behind both campaigns, based on reused obfuscation techniques and targeting patterns.
This operation underscores a continuing escalation in state-sponsored cyber espionage, particularly in the diplomatic sphere, where compromised trust and unauthorized access can have wide-reaching geopolitical ramifications.