Iranian cybergroup TA453 targets Jewish leader with new AnvilEcho malware

Iranian state-sponsored threat actors have been observed conducting spear-phishing campaigns against a prominent Jewish figure since late July 2024, with the goal of delivering a new intelligence-gathering tool called AnvilEcho.

Enterprise security firm Proofpoint is tracking the activity under the name TA453, which overlaps with activity tracked by the broader cybersecurity community under the names APT42 (Mandiant), Charming Kitten (CrowdStrike), Damselfly (Symantec), Mint Sandstorm (Microsoft), and Yellow Garuda (PwC).

“The initial interaction attempted to lure the target into sending an innocuous email to build conversation and trust, only to then click on a malicious follow-up link,” security researchers Joshua Miller, Georgi Mladenov, Andrew Northern, and Greg Lesnewich said in a report shared with The Hacker News.

“The attack chain attempted to spread a new malware toolkit called BlackSmith, which distributed a PowerShell trojan called AnvilEcho.”

TA453 is believed to have ties to Iran’s Islamic Revolutionary Guard Corps (IRGC) and conducts targeted phishing campaigns in support of the country’s political and military priorities.

Data shared last week by Google-owned Mandiant showed that the US and Israel accounted for about 60% of APT42’s known geographic targeting, followed by Iran and the UK.

The social engineering attempts are both persistent and convincing. The operators pose as legitimate entities and journalists to initiate conversations with potential victims and build rapport over time. Victims are then drawn into phishing traps via malware-laden documents or fake credential-harvesting pages.


“APT42 approached its target with a social engineering lure to set up a video meeting and then linked to a landing page where the target was asked to log in and sent to a phishing page,” Google said.

“Another APT42 campaign template sends legitimate PDF attachments as part of a social engineering scheme to build trust and encourage the target to communicate on other platforms, such as Signal, Telegram, or WhatsApp.”

The latest series of attacks, observed by Proofpoint starting on July 22, 2024, involved the attacker contacting multiple email addresses of an unnamed Jewish figure and inviting him to be a guest on a podcast, posing as the research director of the Institute for the Study of War (ISW).

In response to a message from the target, TA453 allegedly sent a password-protected DocSend URL that in turn led to a text file containing a URL to the legitimate podcast hosted by ISW. The fake messages were sent from the domain understandingthewar(.)org, an apparent attempt to mimic ISW’s website (“understandingwar(.)org”).

“It is likely that TA453 attempted to normalize clicking a link and entering a password so that the target would do the same when distributing malware,” Proofpoint said.

In follow-up messages, the attacker responded with a Google Drive URL pointing to a ZIP archive (“Podcast Plan-2024.zip”), which in turn contained a Windows shortcut (LNK) responsible for delivering the BlackSmith toolset.
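The two observable hooks in the chain above, a look-alike sender domain and a ZIP archive carrying a Windows shortcut, can both be screened at the mail gateway before a user ever sees the invitation. The script below is an added illustration, not code from Proofpoint or the report; it checks a sender domain against a small trusted-domain list using edit distance and scans a ZIP attachment for shortcut entries by extension and by the Shell Link file header (the 0x4C header size followed by the LinkCLSID 00021401-0000-0000-C000-000000000046 defined in MS-SHLLINK). The legitimate and mimicked ISW domains and the archive name come from the report; the entry names and bytes inside the sample archive are constructed for the demonstration.

```python
"""Gateway-side triage for the lures described above (added example, not from the report)."""
import io
import zipfile

# Shell Link (.LNK) header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID layout (MS-SHLLINK 2.1).
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")

# Legitimate ISW domain named in the report; a real deployment would load this list from config.
TRUSTED_DOMAINS = {"understandingwar.org"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 3):
    """Return the trusted domain the sender mimics, or None if it is exact or not close."""
    sender_domain = sender_domain.lower().strip(".")
    if sender_domain in trusted:
        return None
    for candidate in trusted:
        if levenshtein(sender_domain, candidate) <= max_distance:
            return candidate
    return None


def suspicious_archive_entries(zip_bytes: bytes) -> list:
    """Names of archive entries that are Windows shortcuts, by extension or by header bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if info.filename.lower().endswith(".lnk") or head == LNK_MAGIC:
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed archive: the outer name mirrors the report, the contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Podcast Plan-2024.pdf", b"%PDF-1.4 decoy")            # benign decoy
        zf.writestr("Podcast Plan-2024.pdf.lnk", LNK_MAGIC + b"\x00" * 56)  # double extension
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 56)                  # header without .lnk
    return buf.getvalue()


def triage(sender_domain: str, zip_bytes: bytes) -> list:
    """Combine both checks into a list of findings for the message."""
    findings = []
    mimicked = lookalike_domain(sender_domain)
    if mimicked:
        findings.append(f"sender domain {sender_domain} resembles trusted {mimicked}")
    for name in suspicious_archive_entries(zip_bytes):
        findings.append(f"archive entry {name!r} is a Windows shortcut")
    return findings


if __name__ == "__main__":
    for finding in triage("understandingthewar.org", build_sample_zip()):
        print(finding)
```

Checking the header rather than only the extension matters because the shortcut's file name is under the attacker's control; matching on the extension alone would miss a renamed entry, while the header check catches it regardless of name.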

AnvilEcho, which is delivered through BlackSmith, has been described as a likely successor to the PowerShell implants known as CharmPower, GorjolEcho, POWERSTAR, and PowerLess. BlackSmith is also designed to display a decoy document as a distraction mechanism.

Notably, the “BlackSmith” name also overlaps with a browser-stealing component that Volexity described earlier this year in connection with a campaign that saw BASICSTAR distributed in attacks targeting well-known individuals doing business in the Middle East.

“AnvilEcho is a PowerShell Trojan with extensive functionality,” Proofpoint said. “AnvilEcho’s capabilities indicate a clear focus on intelligence gathering and exfiltration.”

Key features include system exploration, screenshots, downloading remote files, and uploading confidential data via FTP and Dropbox.

“TA453 phishing campaigns (…) consistently reflect IRGC intelligence priorities,” Proofpoint researcher Joshua Miller said in a statement shared with The Hacker News.

“This malware deployment that attempts to target a prominent Jewish figure is likely supporting ongoing Iranian cyberattacks against Israeli interests. TA453 is persistently consistent as a persistent threat to politicians, human rights defenders, dissidents, and academics.”


The findings come days after HarfangLab revealed a new Go-based malware strain dubbed Cyclops, which may have been developed as a successor to another Charming Kitten backdoor codenamed BellaCiao, indicating that the adversary is actively restructuring its arsenal in response to public disclosures. Early samples of the malware date back to December 2023.

“The goal is to reverse-tunnel a REST API to its command-and-control (C2) server to control the target machines,” the French cybersecurity firm said. “This allows operators to execute arbitrary commands, manipulate the target’s file system, and use the infected machine to run on the network.”

It is believed that threat actors used Cyclops to target a non-profit organization that supports innovation and entrepreneurship in Lebanon, and a telecommunications company in Afghanistan. The exact entry route used for the attacks is currently unknown.

“The choice of Go for the Cyclops malware has a few implications,” HarfangLab said. “First, it confirms the popularity of this language among malware developers. Second, the initial low number of detections for this sample indicates that Go programs can still pose a challenge to security solutions.”

“And finally, it’s possible that macOS and Linux variants of Cyclops are also built on the same codebase and we have yet to find them.”
