Organizations in the Defense Industrial Base (DIB) sector are in the crosshairs of an Iranian threat actor as part of a campaign designed to deliver a never-before-seen backdoor called FalseFont.
The findings come from Microsoft, which is tracking the activity under its weather-themed moniker Peach Sandstorm (formerly Holmium), which is also known as APT33, Elfin, and Refined Kitten.
"FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its [command-and-control] servers," the Microsoft Threat Intelligence team said on X (previously Twitter).
The first recorded use of the implant was in early November 2023.
The tech giant further said that the latest development aligns with previous activity from Peach Sandstorm and demonstrates a continued evolution of the threat actor's tradecraft.
In a report published in September 2023, Microsoft linked the group to password spray attacks carried out against thousands of organizations globally between February and July 2023. The intrusions primarily singled out satellite, defense, and pharmaceutical sectors.
The end goal, the company said, is to facilitate intelligence collection in support of Iranian state interests. Peach Sandstorm is believed to have been active since at least 2013.
Google-owned Mandiant, in its own assessment of APT33 published in 2017, described the adversary as having "shown particular interest" in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
The disclosure comes as the Israel National Cyber Directorate (INCD) accused Iran and Hezbollah of attempting to unsuccessfully target Ziv Hospital through hacking crews named Agrius and Lebanese Cedar.
The agency also revealed details of a phishing campaign in which a fake advisory for a security flaw in F5 BIG-IP products is employed as a decoy to deliver wiper malware on Windows and Linux systems.
The lure for the targeted attack is a critical authentication bypass vulnerability (CVE-2023-46747, CVSS score: 9.8) that came to light in late October 2023. The scale of the campaign is currently unknown.
Intezer and Broadcom-owned Symantec, which are tracking the campaign under the name Operation HamsaUpdate, described the Windows and Linux wipers as variants of Hatef and Hamsa, respectively.
“During the wipe operation the malware continuously communicates with attackers via Telegram, providing updates on the status of the infected machines as well as progress of the running wiping tasks,” the cybersecurity company said.