Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Campaign

A hacking group with ties to Iran has been connected to a coordinated, multi-wave spear-phishing campaign that specifically targeted embassies and consulates in Europe and beyond.

The operation, identified by Israeli cybersecurity firm Dream, is linked to actors aligned with the group Homeland Justice, which has been associated with broader offensive cyber activities.

According to Dream, “emails were sent to multiple government recipients worldwide, disguising themselves as legitimate diplomatic communication.” The evidence suggests this was part of a regional espionage effort aimed at diplomatic and governmental entities during a period of escalating geopolitical tensions.

Attack Tactics

The campaign relied on spear-phishing emails exploiting sensitive themes related to Iran–Israel geopolitical conflicts. Victims were sent malicious Microsoft Word documents that instructed them to “Enable Content.” Doing so executed an embedded VBA macro, which deployed the malware payload.

The phishing emails were distributed to embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas. Reports indicate that European embassies and African institutions were the most heavily affected.

To enhance credibility, attackers sent messages from 104 compromised email accounts belonging to officials and government-like entities. Some of the malicious messages even originated from a hacked mailbox at the Oman Ministry of Foreign Affairs in Paris (@fm.gov.om).

The content of these lures consistently mimicked urgent Ministry of Foreign Affairs (MFA) communications, leveraging diplomatic authority while exploiting the routine practice of enabling macros. These hallmarks reflect a well-planned espionage operation designed to obscure attribution.
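A defender-side check for the attack vector described above: a gateway-style triage that flags Word attachments carrying a VBA project so the file is quarantined before a recipient ever sees the "Enable Content" prompt. This is an added example, not code from Dream, ClearSky or the article; `build_sample`, `macro_signals` and `triage_attachment` are hypothetical names, and the sample archives are constructed in the block rather than taken from the campaign.

```python
import io
import zipfile

MACRO_PART = "word/vbaproject.bin"   # VBA project storage inside an OOXML Word file
MACRO_CT = "macroenabled"            # marker in [Content_Types].xml for .docm documents


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal Word archive (not a real document) used only for this demo."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


def macro_signals(data: bytes):
    """Return (has_vba_part, declares_macro_enabled), or None if data is not an OOXML zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            has_part = MACRO_PART in [n.lower() for n in names]
            ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace") \
                if "[Content_Types].xml" in names else ""
            return has_part, MACRO_CT in ct_xml.lower()
    except zipfile.BadZipFile:
        return None


def triage_attachment(filename: str, data: bytes) -> dict:
    """Gateway verdict: quarantine any Word attachment that would prompt 'Enable Content'."""
    signals = macro_signals(data)
    if signals is None:
        # Legacy binary .doc (OLE2) or not a Word file: hand to an OLE-aware scanner
        # such as oletools' olevba instead of guessing here.
        return {"filename": filename, "macro": None, "quarantine": False,
                "reasons": ["not an OOXML archive; needs OLE macro scan"]}
    has_part, declares = signals
    reasons = []
    if has_part:
        reasons.append("word/vbaProject.bin present (VBA macro code)")
    if declares:
        reasons.append("[Content_Types].xml declares a macroEnabled document")
    if filename.lower().endswith(".docx") and (has_part or declares):
        reasons.append("macro content delivered under a .docx name")
    flagged = has_part or declares
    return {"filename": filename, "macro": flagged, "quarantine": flagged, "reasons": reasons}
```

Blocking at the gateway complements, rather than replaces, the Office policy that disables macros in files from the internet; the check above catches the attachment regardless of which sender mailbox, compromised or not, it arrived from.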

Objectives of the Operation

Once executed, the malicious macros installed an executable capable of:

  • Establishing persistence on the system
  • Connecting to a command-and-control (C2) server
  • Collecting and exfiltrating system information

Connections to Previous Campaigns

Cybersecurity firm ClearSky, which analyzed elements of the campaign in late August, confirmed that phishing emails were also sent to multiple foreign affairs ministries.

They noted that similar obfuscation techniques were used by Iranian threat actors in 2023, when targeting Mojahedin-e-Khalq in Albania. ClearSky added that it has “moderate confidence this activity is linked to the same Iranian threat actors.”

Source: https://thehackernews.com/2025/09/iranian-hackers-exploit-100-embassy.html