Iranian Cyber Group Targets Jewish Leader with New AnvilEcho Malware

Iranian state-backed hackers are using a novel intelligence-gathering tool called AnvilEcho to target a prominent Jewish leader.


Security firm Proofpoint discovered the campaign, which began in late July 2024 and is linked to a group known as TA453 (also tracked as APT42, Charming Kitten, and other names). TA453 is believed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) and targets individuals aligned with Iranian political and military adversaries.


Deceptive Tactics Lure Victim


The attack used elaborate social engineering tactics. Hackers impersonated a Research Director at the Institute for the Study of War (ISW) and contacted the target via email, inviting them to participate in a podcast.


The initial email likely contained a benign attachment to build trust, followed by a password-protected DocSend link leading to a text file with a legitimate ISW podcast URL. This elaborate setup was designed to condition the victim to click links and enter passwords without suspicion.

Later emails included a Google Drive link containing a ZIP archive ("Podcast Plan-2024.zip"). This archive, however, contained a malicious Windows shortcut (LNK) file that delivered the BlackSmith toolset. BlackSmith, in turn, deployed AnvilEcho.
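A mail gateway or sandbox check that a defender would want for this delivery pattern is a scan of every ZIP attachment for embedded Windows shortcut entries. The example below is added here and is not code from the original report or from Proofpoint; the archive contents are constructed for illustration. It goes slightly beyond the case in the text by matching on the Shell Link header bytes as well as the ".lnk" extension, so that a shortcut renamed to look like a document is still flagged.

```python
import io
import zipfile

# Shell Link (.lnk) files start with HeaderSize 0x4C followed by the LNK CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000" "000000000046")


def is_lnk(data: bytes) -> bool:
    """Heuristic: does this byte string begin with a Shell Link header?"""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def find_lnk_entries(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry that looks like a Windows shortcut.

    Each entry is inspected by name (extension) and by its first 20 bytes (magic),
    reading only that prefix so oversized entries cannot exhaust memory.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = is_lnk(head)
            if by_ext or by_magic:
                findings.append(
                    {"name": info.filename, "by_ext": by_ext, "by_magic": by_magic}
                )
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample ZIP (not the real 'Podcast Plan-2024.zip'): one benign
    text file, one obvious .lnk, and one shortcut renamed with a .pdf extension."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header prefix plus padding, not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Podcast Plan-2024/notes.txt", "Recording schedule for the episode.\n")
        zf.writestr("Podcast Plan-2024.lnk", fake_lnk)
        zf.writestr("agenda.pdf", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_lnk_entries(build_sample_archive()):
        print(f"flagged {hit['name']!r}: by_ext={hit['by_ext']} by_magic={hit['by_magic']}")
```

The magic-byte check is the part worth keeping: an attachment policy that only blocks "*.lnk" by name is trivially bypassed by renaming, while the 20-byte Shell Link header is what Windows itself uses to recognise the file.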


AnvilEcho: A Multifaceted Espionage Tool


AnvilEcho is a powerful PowerShell trojan designed for extensive intelligence gathering. It can:

  • Conduct system reconnaissance

  • Capture screenshots

  • Download remote files

  • Exfiltrate sensitive data through FTP and Dropbox


Iranian Targeting Priorities


Proofpoint researchers believe this attack aligns with TA453's history of targeting individuals critical of Iranian interests, including politicians, human rights defenders, and academics. The specific targeting of a Jewish leader suggests the attack may support broader Iranian cyber efforts against Israel.


The Importance of Vigilance


This incident highlights the sophisticated tactics employed by Iranian cyber actors. Organizations and individuals should remain vigilant against social engineering attempts, be cautious of unsolicited emails, and avoid clicking suspicious links or downloading unknown attachments.
