Threat Actors Attacking Critical National Infrastructure With New Malware and Infrastructure

A sophisticated cyber intrusion targeting critical national infrastructure (CNI) in the Middle East has been uncovered, revealing a long-term espionage operation attributed to an Iranian state-sponsored threat group.
Activity was observed from May 2023 to February 2025, and evidence points to an initial compromise as early as May 2021; a dwell time of that length shows how patiently state-backed actors work against essential services and infrastructure.
The attackers initially gained access with stolen VPN credentials and established persistence by planting multiple web shells and backdoors across the victim's network.
From there they moved laterally, tunnelling through network segmentation with open-source proxying tools to reach restricted systems, including ones potentially connected to operational technology (OT) environments.
Fortinet researchers identified an evolving arsenal of tools deployed throughout the intrusion, including both publicly available and custom-developed malware.
The attack unfolded in waves, with the adversary introducing new malware and infrastructure as they expanded their foothold within the targeted organization.
Of particular concern were the novel backdoors HanifNet, HXLibrary and NeoExpressRAT, which gave the operators command execution, file operations and system discovery on compromised hosts.
These custom tools let the threat actors keep persistent access while evading traditional, signature-based detection.
Even after initial containment efforts, the attackers kept trying to regain access, exploiting vulnerabilities in ZKTeco ZKBioTime software that the report describes as previously unreported, and running targeted phishing campaigns to steal administrator credentials.
Malware Analysis: NeoExpressRAT
The most sophisticated tool in the attackers' arsenal was NeoExpressRAT, a Go backdoor whose command and control (C2) endpoint is hardcoded in the binary.
The malware persists through scheduled tasks that are named to blend in with legitimate Windows processes and that launch files named after system utilities; a task whose action binary carries a system-utility name but lives outside System32 is the obvious hunting query here.
NeoExpressRAT talks to its C2 server over an encrypted channel wrapped in a custom obfuscation routine, so the traffic does not match standard protocol signatures and is harder to pick out in network monitoring.
When executed, it creates a staging directory nested under legitimate-looking Microsoft\Windows folder names in the user's profile, where it keeps configuration files and collected data prior to exfiltration. Note that nothing in the snippet sets the hidden attribute; the directory is "hidden" only by its unremarkable location:
package main

import (
	"os"
	"path/filepath"
)

// createHiddenPath creates the backdoor's staging directory under the user's
// profile, nested among real Microsoft\Windows folder names so it does not
// stand out. The 0700 mode is ignored on Windows; the directory simply
// inherits its parent's ACL.
func createHiddenPath() string {
	userProfile := os.Getenv("USERPROFILE")
	hiddenPath := filepath.Join(userProfile, "AppData", "Local", "Microsoft", "Windows", "SystemConfig")
	os.MkdirAll(hiddenPath, 0700) // error ignored: a failed create is silently tolerated
	return hiddenPath
}
The backdoor gives the operators full remote access while keeping a small on-disk footprint.
Staging data under the user's AppData\Local\Microsoft\Windows tree, a user-writable location crowded with legitimate files, makes the directory easy to overlook; a SystemConfig folder at that path is not something Windows creates on its own, though, so its presence across endpoints is a cheap indicator to sweep for in a campaign like this one.
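The two persistence traits described above (scheduled tasks that launch binaries named after system utilities, and a staging directory under the user's AppData tree) can both be checked from exported task definitions. The following is an added hunting example written for this article, not code from Fortinet or from the malware: it parses the Task Scheduler XML that schtasks /query /xml emits, and flags any Exec action whose binary borrows a System32 name but runs from elsewhere, or sits in a user-writable location. The task samples, the user name jdoe, the list of System32 names and the set of user-writable paths are all constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// taskXML is the subset of the Task Scheduler XML schema (schtasks /query /xml)
// needed here: the Exec actions, i.e. the binaries a task launches. Real exports
// declare UTF-16 and need a Decoder.CharsetReader; the samples below omit that.
type taskXML struct {
	Actions struct {
		Exec []struct {
			Command string `xml:"Command"`
		} `xml:"Exec"`
	} `xml:"Actions"`
}

// Finding is one reason a task action looks suspicious.
type Finding struct{ Task, Command, Reason string }

// Illustrative list of System32 binaries whose names a persistence task might
// borrow; the genuine copies only ever run from System32 or SysWOW64.
var system32Names = map[string]bool{
	"svchost.exe": true, "dllhost.exe": true, "taskhostw.exe": true,
	"conhost.exe": true, "runtimebroker.exe": true,
}

// Locations an unprivileged user can write to (constructed, extend as needed).
var userWritable = []string{`\appdata\`, `\users\public\`, `\programdata\`, `\temp\`}

// normalize lower-cases and unquotes the command and expands the variables Task
// Scheduler commonly sees; profile-relative variables expand to a placeholder
// profile, which is enough to classify them as user-writable.
func normalize(cmd string) string {
	c := strings.ToLower(strings.Trim(strings.TrimSpace(cmd), `"`))
	return strings.NewReplacer(
		"/", `\`,
		"%systemroot%", `c:\windows`,
		"%windir%", `c:\windows`,
		"%localappdata%", `c:\users\<user>\appdata\local`,
		"%appdata%", `c:\users\<user>\appdata\roaming`,
		"%temp%", `c:\users\<user>\appdata\local\temp`,
		"%userprofile%", `c:\users\<user>`,
	).Replace(c)
}

// splitPath separates directory and file name on the last backslash.
func splitPath(p string) (dir, base string) {
	if i := strings.LastIndex(p, `\`); i >= 0 {
		return p[:i], p[i+1:]
	}
	return "", p
}

// Inspect parses one task definition and returns every suspicious Exec action.
func Inspect(taskName, xmlDoc string) ([]Finding, error) {
	var t taskXML
	if err := xml.Unmarshal([]byte(xmlDoc), &t); err != nil {
		return nil, fmt.Errorf("%s: %w", taskName, err)
	}
	var findings []Finding
	for _, a := range t.Actions.Exec {
		dir, base := splitPath(normalize(a.Command))
		if system32Names[base] && dir != `c:\windows\system32` && dir != `c:\windows\syswow64` {
			findings = append(findings, Finding{taskName, a.Command,
				"system binary name " + base + " launched from outside System32"})
		}
		for _, w := range userWritable {
			if strings.Contains(dir+`\`, w) {
				findings = append(findings, Finding{taskName, a.Command,
					"executable lives in a user-writable location"})
				break
			}
		}
	}
	return findings, nil
}

// Constructed samples (not from the incident): a genuine service-host task and one
// that mimics svchost.exe from the SystemConfig directory named in the article.
const legitTask = `<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>%SystemRoot%\System32\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec></Actions>
</Task>`

const suspectTask = `<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>"C:\Users\jdoe\AppData\Local\Microsoft\Windows\SystemConfig\svchost.exe"</Command></Exec></Actions>
</Task>`

func main() {
	for _, s := range [][2]string{{"legit", legitTask}, {"suspect", suspectTask}} {
		findings, err := Inspect(s[0], s[1])
		fmt.Printf("%s: %d finding(s) %v err=%v\n", s[0], len(findings), findings, err)
	}
}
```

On a real fleet the input would be the XML for every task on every host (exported with schtasks /query /xml, which writes UTF-16 and therefore needs a CharsetReader on the xml.Decoder), and the two lists would be tuned to the environment; the structure of the check stays the same. The sample mimicking svchost.exe from the SystemConfig directory trips both rules, while the genuine service-host task trips neither.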
The post Threat Actors Attacking Critical National Infrastructure With New Malware and Infrastructure appeared first on Cyber Security News.