Suspected Iran-backed attackers targeting European aerospace sector with novel malware

Suspected Iranian government-backed online attackers have expanded their European cyber ops with fake job portals and new malware targeting organizations in the defense, manufacturing, telecommunications, and aviation sectors.

In a Monday report, Check Point Research says it's been tracking "waves" of this activity since early this year, and attributed the scam to a group it tracks as Nimbus Manticore – also known as UNC1549 (by Google), Smoke Sandstorm (Microsoft), and Imperial Kitten. Google's Mandiant threat hunters have also noted the crew's overlap with another gang that Facebook previously linked to Iran's Islamic Revolutionary Guard Corps (IRGC).

This new phishing expedition appears to be a continuation of the Iranian Dream Job campaign, named because it mimics the North Korean Lazarus Group's Operation Dream Job. It's possible the two nations shared tradecraft and tools.

The security shop's research team says the new campaign indicates a "heightened ...