Context:
In late February 2026, escalating geopolitical tensions in the Middle East culminated in coordinated military actions involving the United States and Israel, followed by retaliatory missile and drone activity from Iran. In the weeks that followed, the CyberProof Threat Intelligence team observed a corresponding increase in Iranian-linked cyber activity, with several campaigns emerging in early March 2026.
One such campaign is attributed to the Iranian advanced persistent threat (APT) group commonly tracked as Seedworm. This blog details an intrusion investigated by CyberProof’s MDR and Advanced Threat Hunting teams, highlighting Seedworm’s continued reliance on targeted social engineering combined with custom malware tooling to gain and maintain access in enterprise environments.
The malware collects basic host data, such as operating system information, the logged-in username and the hostname, and exfiltrates it to its C2 infrastructure over web protocols.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Context |
|---|---|---|---|
| Initial Access | T1566.003 | Spearphishing via Service | The attacker initiated contact with the victim through Microsoft Teams while impersonating IT support to persuade the user to run a malicious MSI. |
| Defense Evasion | T1036 | Masquerading | The attacker used a deceptive Microsoft 365 tenant/domain resembling a helpdesk identity, and the payload update_ms.msi was disguised as a legitimate Windows update. |
| Execution | T1204 | User Execution | The victim was socially engineered into manually launching the malicious installer delivered during the Teams conversation. |
| Execution | T1204.002 | User Execution: Malicious File | The file update_ms.msi was executed by the user and functioned as the initial dropper for the Dindoor infection chain. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | The dropped script tango13.ps1 was used to retrieve additional payloads from attacker-controlled infrastructure. |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | A dropped component named Falcon_module63.vbs indicates VBScript usage in the execution chain, although its exact role was not specified. |
| Defense Evasion | T1027 | Obfuscated/Encoded Files and Information | The attacker used a highly obfuscated Base64-encoded payload executed via deno.exe, helping conceal malicious functionality. |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | Persistence was established through a Run key named Realtek HD Audio Universal Service to blend in as a legitimate software component. |
| Command and Control | T1105 | Ingress Tool Transfer | The PowerShell script downloaded additional payloads from attacker-controlled domains during the intrusion. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | The malware communicated over HTTP/S using GET and POST requests from deno.exe to interact with command-and-control infrastructure. |
| Discovery | T1033 | System Owner/User Discovery | The malware collected the logged-in username from the compromised host as part of host profiling. |
| Discovery | T1082 | System Information Discovery | The malware gathered host metadata including hostname and operating system details from the victim machine. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | The collected host information was sent back through the same command-and-control channel used by the malware. |
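As an added example (not code from the CyberProof write-up), the following Python script turns the mapping above into a few hunt checks and runs them over constructed process and registry telemetry; the file paths, parent processes and the base64 blob in the sample events are assumptions, only the filenames and the Run-key value name come from the mapping.

```python
import re

# Filenames and the Run-key value name the mapping above attributes to the chain.
IOC_FILES = ("update_ms.msi", "tango13.ps1", "falcon_module63.vbs")
IOC_RUN_VALUE = "realtek hd audio universal service"
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")  # long base64-looking token


def check_event(ev):
    """Return (technique_id, reason) findings for one telemetry event."""
    hits = []
    if ev["type"] == "process":
        cmd = ev["cmdline"]
        low = cmd.lower()
        for name in IOC_FILES:
            if name in low:
                hits.append(("T1204.002", f"known dropper/script filename: {name}"))
        if "deno.exe" in low and BASE64_BLOB.search(cmd):
            hits.append(("T1027", "deno.exe launched with a long base64 argument"))
        if low.startswith("powershell") and ev.get("parent", "").lower() == "msiexec.exe":
            hits.append(("T1059.001", "PowerShell spawned by msiexec.exe"))
    elif ev["type"] == "registry" and ev["key"].lower().endswith(r"\currentversion\run"):
        if ev["value"].lower() == IOC_RUN_VALUE:
            hits.append(("T1547.001", "Run-key value name used by the campaign"))
        if "deno.exe" in ev["data"].lower():
            hits.append(("T1547.001", "Run key autostarts deno.exe, an unusual runtime"))
    return hits


def hunt(events):
    """Keep only events that produced findings, with the findings attached."""
    results = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            results.append({"event": ev, "findings": hits})
    return results


# Constructed sample telemetry (not logs from the incident): paths, parents and
# the base64 blob are placeholders modelled on the chain in the mapping above.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "Teams.exe",
     "cmdline": r"msiexec.exe /i C:\Users\user\Downloads\update_ms.msi"},
    {"type": "process", "parent": "msiexec.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\tango13.ps1"},
    {"type": "process", "parent": "powershell.exe",
     "cmdline": "deno.exe run " + "QUFB" * 40},  # placeholder blob, not the real payload
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Realtek HD Audio Universal Service", "data": r"C:\Users\Public\deno.exe run <blob>"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process", "parent": "explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r["event"].get("cmdline") or r["event"]["value"], "->", r["findings"])
```

The benign OneDrive Run key and the notepad.exe launch produce no findings, which is the point of pairing the filename and value-name indicators with the behavioural checks rather than relying on either alone.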
References
https://www.cyberproof.com/blog/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams/