An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.
The activity, which lasted from at least May 2023 to February 2025, entailed "extensive espionage operations and suspected network prepositioning – a tactic often used to maintain persistent access for future strategic advantage," the FortiGuard Incident Response (FGIR) team said in a report.
The network security company noted that the attack exhibits tradecraft overlaps with a known Iranian nation-state threat actor called Lemon Sandstorm (formerly Rubidium), which is also tracked as Parisite, Pioneer Kitten, and UNC757.
It's been assessed to be active since at least 2017, striking aerospace, oil and gas, water, and electric sectors across the United States, the Middle East, Europe, and Australia. According to industrial cybersecurity company Dragos, the adversary has leveraged known virtual private network (VPN) security flaws in Fortinet, Pulse Secure, and Palo Alto Networks to obtain initial access.
Last year, U.S. cybersecurity and intelligence agencies pointed fingers at Lemon Sandstorm for deploying ransomware against entities in the U.S., Israel, Azerbaijan, and the United Arab Emirates.
The attack analyzed by Fortinet against the CNI entity unfolded over four stages starting from May 2023, employing an evolving arsenal of tools as the victim enacted countermeasures -
- 15 May, 2023 – 29 April, 2024 - Establishing a foothold by using stolen login credentials to access the victim's SSL VPN system, drop web shells on public-facing servers, and deploy three backdoors, Havoc, HanifNet, and HXLibrary, for long-term access
- 30 April, 2024 – 22 November, 2024 - Consolidating the foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualization infrastructure
- 23 November, 2024 – 13 December, 2024 - Deploying more web shells and two more backdoors, MeshCentral Agent and SystemBC, in response to initial containment and remediation steps undertaken by the victim
- 14 December, 2024 – Present - Attempts to infiltrate the network again by exploiting known ZKTeco BioTime vulnerabilities (CVE-2023-38950, CVE-2023-38951, and CVE-2023-38952) and conducting spear-phishing attacks aimed at 11 of the employees to harvest Microsoft 365 credentials after the victim successfully removed adversary's access
It's worth noting that both Havoc and MeshCentral are open-source tools that function as a command-and-control (C2) framework and remote monitoring and management (RMM) software, respectively. On the other hand, SystemBC refers to a commodity malware that often acts as a precursor to ransomware deployment.
A brief description of the other custom malware families and open-source tools used in the attack is below -
- HanifNet - An unsigned .NET executable that can retrieve and execute commands from a C2 server (First deployed in August 2023)
- HXLibrary - A malicious IIS module written in .NET that's designed to retrieve three identical text files hosted on Google Docs to fetch the C2 server and send web requests to it (First deployed in October 2023)
- CredInterceptor - A DLL-based tool that can harvest credentials from the Windows Local Security Authority Subsystem Service (LSASS) process memory (First deployed in November 2023)
- RemoteInjector - A loader component that's used to execute a next-stage payload like Havoc (First deployed in April 2024)
- RecShell - A web shell used for initial reconnaissance (First deployed in April 2024)
- NeoExpressRAT - A backdoor that retrieves a configuration from the C2 server and likely uses Discord for follow-on communications (First deployed in August 2024)
- DropShell - A web shell with basic file upload capabilities (First deployed in November 2024)
- DarkLoadLibrary - An open-source loader that's used to launch SystemBC (First deployed in December 2024)
The links to Lemon Sandstorm come from C2 infrastructure – apps.gist.githubapp[.]net and gupdate[.]net – previously flagged as associated with the threat actor's operations conducted over the same period.
Fortinet said the victim's restricted Operational Technology (OT) network was a key target of the attack based on the threat actor's extensive reconnaissance activity and their breach of a network segment hosting OT-adjacent systems. That said, there is no evidence that the adversary penetrated the OT network.
A majority of the malicious activity has been assessed to be hands-on keyboard operations carried out by different individuals, given the command errors and the consistent work schedule. Furthermore, a deeper examination of the incident has revealed that the threat actor may have had access to the network as early as 15 May 2021.
"Throughout the intrusion, the attacker leveraged chained proxies and custom implants to bypass network segmentation and move laterally within the environment," the company said. "In later stages, they consistently chained four different proxy tools to access internal network segments, demonstrating a sophisticated approach to maintaining persistence and avoiding detection."
Update
In a follow-up analysis published on June 23, 2025, Fortinet detailed the Havoc post-exploitation C2 backdoor framework written in C++ and Golang, noting that it's decrypted from a DLL file ("conhost.dll") and injected into a newly created "cmd.exe" process.
Havoc is designed to support a variety of commands received from the C2 server, enabling remote control of the compromised hosts. It also makes use of HTTP, HTTPS, and SMB protocols to transport commands and results between the C2 server and the compromised devices.
"As long as the Havoc demon is running on the compromised device, it collects metadata about both the compromised Windows system and the Havoc process itself," Fortinet said. "This metadata is encrypted using the AES algorithm and then sent to the C2 server to register the compromised system on the C2 server."
"In addition to the command and sub-command approach, Havoc also supports the in-memory execution of object files, commonly known as BOFs (Beacon Object Files). The C2 server sends a compiled Object File containing a piece of binary shellcode, which is executed directly in the memory of the demon process on the compromised system."
Another aspect of Havoc is its ability to support several modules, each of which contain multiple commands -
- config - Configure the behavior of the demon session
- dll - DLL spawn and injection modules
- dotnet - Execute and manage dotnet assemblies
- job - Job manager
- jump-exec - Lateral movement
- net - Network and host enumeration
- pivot - Pivoting module
- proc - Process enumeration and management
- rportfwd - Reverse port forwarding
- shellcode - Shellcode injection
- task - Task management
- token - Token manipulation and impersonation
"The Havoc framework’s modular design, supporting commands, sub-commands, and in-memory execution of Beacon Object Files (BOFs), offers attackers a flexible method to control the remote demon process," Fortinet researchers said.
(The story was updated after publication on June 25, 2025, to include additional insights shared by Fortinet.)
