Threat Actors Target Critical National Infrastructure with New Malware and Tools

A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group.

Spanning from at least May 2023 to February 2025, with evidence of compromise dating back to May 2021, this espionage-driven campaign employed novel malware and advanced tactics, techniques, and procedures (TTPs) to achieve persistent access and potential network prepositioning for future strategic advantage.

The attack unfolded in multiple phases, beginning with the exploitation of stolen VPN credentials to infiltrate the victim’s SSL VPN.

From there, the adversaries deployed web shells on public-facing servers and installed custom backdoors such as HanifNet (a .NET-based implant), HXLibrary (a malicious IIS module for deep system control), and NeoExpressRAT (a Golang-based remote access trojan with hardcoded C2 communication).

They further leveraged loaders like RemoteInjector to execute Havoc and SystemBC in memory via scheduled tasks, blending malicious activity with legitimate Windows processes.

To bypass the victim’s highly segmented network, including restricted Operational Technology (OT) environments, the attackers chained open-source proxy tools like plink, Ngrok, glider proxy, and ReverseSocks5, enabling lateral movement from IT to sensitive segments.

While no direct OT disruption was confirmed, extensive reconnaissance and credential harvesting signaled a clear intent to target these critical systems.

Evolving Tactics and Persistent Threats Post-Containment

Over the course of the intrusion, the adversaries adapted their toolset and infrastructure, avoiding U.S.-based VPS providers and introducing new persistence mechanisms in waves.

Between April and November 2024, they exfiltrated targeted email data and probed virtualization infrastructure to map network configurations.

Following initial containment efforts by the victim in late 2024, the threat actors escalated their response, deploying additional web shells, SystemBC, and MeshCentral to retain access to deeper CNI segments.

Even after successful containment in December 2024, the group attempted re-entry by exploiting previously unreported vulnerabilities in ZKTeco ZKBioTime software and launching phishing campaigns using compromised third-party emails to steal administrator credentials.

This campaign underscores the relentless nature of state-backed cyber threats against Middle Eastern CNIs.

According to the Report, FGIR emphasizes the need for robust defensive measures, urging organizations to enforce multi-factor authentication (MFA) for VPN and privileged accounts, strengthen network segmentation with zero-trust architecture, and deploy behavioral analytics alongside endpoint detection and response (EDR) solutions for real-time anomaly detection.

Regular integrity checks on web-facing services, application allowlisting, and comprehensive incident response playbooks tailored for state-sponsored threats are also critical.

Despite containment, the adversaries’ repeated attempts to regain access highlight their long-term strategic interest, necessitating continuous vigilance and adaptive security strategies to counter such sophisticated campaigns.