{"id":54926,"date":"2023-12-23T15:46:34","date_gmt":"2023-12-23T15:46:34","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/"},"modified":"2023-12-23T15:46:34","modified_gmt":"2023-12-23T15:46:34","slug":"iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/","title":{"rendered":"Iranian cyberspies target US defense orgs with a brand new backdoor"},"content":{"rendered":"<p><span class=\"label\">Infosec in brief<\/span> Iranian cyberspies are targeting defense industrial base organizations with a new backdoor called FalseFont, according to Microsoft.<\/p>\n<p>In a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1737895710169628824\">series of Xeets<\/a> posted Thursday, Redmond&#8217;s threat intel team said it spotted a nation-state backed gang it calls Peach Sandstrom attempting to deliver the (presumably Windows) malware to defense-sector employees.<\/p>\n<p>&#8220;FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its C2 servers,&#8221; Microsoft said. &#8220;It was first observed being used against targets in early November 2023.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>Mandiant, which tracks the Iran-backed crew as APT33, says it targets organizations in the US, Saudi Arabia and South Korea for &#8220;strategic cyberespionage,&#8221; with a particular interest in both commercial and military aviation companies as well as those in the energy sector with ties to petrochemical production.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<\/p><\/div>\n<p>&#8220;We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries,&#8221; the threat hunters said in an alert <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.mandiant.com\/resources\/blog\/apt33-insights-into-iranian-cyber-espionage\">updated<\/a> in October.<\/p>\n<p>In research published a month earlier, <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/14\/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets\/#mitigations\">Microsoft said<\/a> it had seen the crew engaged in password spraying attempts against &#8220;thousands of organizations.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>When these brute-force attacks were successful, Peach Sandstorm then used a combination of publicly available and custom tools for to snoop around on the network, maintain persistence and move laterally through the victim&#8217;s IT systems, we&#8217;re told.&nbsp;<\/p>\n<p>&#8220;In a small number of intrusions,&#8221; Redmond added, &#8220;Peach Sandstorm was observed exfiltrating data from the compromised environment.&#8221;<\/p>\n<h3 class=\"crosshead\">Hundreds of e-commerce sites compromised by card stealers<\/h3>\n<p>Cyber crooks compromised 443 online shops, using JavaScript-sniffers to steal these e-merchants&#8217; customers&#8217; credit card or payment information, according to Europol.<\/p>\n<p>The coordinated effort to combat digital skimming attacks included cops from 17 countries, the European Union Agency for Cybersecurity (ENISA), and private-sector security shops Group-IB and Sansec.<\/p>\n<p>Over the course of two months, the law enforcement agencies notified the online retailers that their customers&#8217; payment details had been stolen as part of the crooks&#8217; online fraud scheme.<\/p>\n<p>In these attacks, thieves use snippets of JavaScript code to intercept customers&#8217; card data during the online checkout process without the retailers or customers realizing they&#8217;ve been compromised. They often go undetected for a long time \u2014 and by the time they are spotted, the crooks have already been on shopping sprees of their own, or put the financial info up for sale on illicit marketplaces.&nbsp;<\/p>\n<p>Countries participating in the Greece-led effort include Albania, Belgium, Bosnia and Herzegovina, Colombia, Croatia, Finland, Germany, Georgia, Hungary, Moldova, Netherlands, Poland, Romania, Spain, the United Kingdom and the United States.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" id=\"story_eagle_xsm_sm_md_xmd_lg_xlg\" data-pos=\"mid\" data-raptor=\"eagle\" data-xsm=\",mpu,dmpu,\" data-sm=\",mpu,dmpu,\" data-md=\",mpu,dmpu,\" data-xmd=\",mpu,dmpu,\" data-lg=\",mpu,dmpu,\" data-xlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>During the operation, Group-IB&#8217;s threat intelligence team identified 23 families of JS-sniffers, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter and R3nin, we&#8217;re told. The security firm says, as of the end of 2023, there&#8217;s 132 known JS-sniffer families that have been used to compromise websites across the globe.<\/p>\n<div class=\"boxout\" readability=\"42.059964726631\">\n<p><strong>Critical vulnerabilities of the week<\/strong><\/p>\n<p>We&#8217;ve got some end-of-the year critical vulnerabilities including at least one that&#8217;s already been found and exploited in the wild. So before you sign off for the holiday break, get to patching. And pray for a Christmas miracle: No more zero-days in 2023.<\/p>\n<p>Chrome bug under exploit \u2014 <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/chromereleases.googleblog.com\/2023\/12\/stable-channel-update-for-desktop_20.html\">CVE-2023-7024<\/a>: This one doesn&#8217;t yet have a CVSS rating, but Google classified it as high severity, and warns that an exploit for this heap buffer overflow vulnerability in WebRTC is making the rounds. Reported by Cl\u00e9ment Lecigne and Vlad Stolyarov of Google&#8217;s Threat Analysis Group on 2023-12-19<\/p>\n<p>Apple security updates \u2014 <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/support.apple.com\/en-us\/HT201222\">CVE-2023-42940 and more<\/a>: Apple released security updates to address vulnerabilities in Safari, iOS, iPadOS, and macOS Sonoma, but only released details and a CVE for one of these. It&#8217;s a session rendering issue in macOS Sonoma that could be exploited to steal sensitive information.<\/p>\n<p>CVSS 9.8 \u2014 <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/forums.ivanti.com\/s\/article\/Avalanche-6-4-2-Security-Hardening-and-CVEs-addressed?language=en_US\">Multiple CVEs<\/a>: Ivanti&#8217;s Avalanche enterprise mobile device management product contains 12 memory corruption bugs that could be exploited by sending specially crafted data packets to the Mobile Device Server, resulting in denial of service&nbsp; or remote&nbsp; code execution.<\/p>\n<p>CVSS 9.8 \u2014 <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-23-353-05\">Multiple CVEs<\/a>: EuroTel ETL3100 radio transmitters, versions v01c01 and v01x37, are vulnerable to three bugs that could allow an attacker to gain full access to the system, disclose sensitive information. or access hidden resources.<\/p>\n<p>CVSS 9.6 \u2014 <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-23-353-02\">Multiple CVEs<\/a>: EFACEC BCU 500 control and automation devices are susceptible to uncontrolled resource consumption and cross-site request forgery flaws that could allow a denial-of-service condition or compromise the web application.<\/p>\n<\/div>\n<h3 class=\"crosshead\">Russian infosec worker to be extradited to Moscow<\/h3>\n<p>Kazakhstan will reportedly extradite a network security specialist to Moscow, despite the US government&#8217;s demand to send him to Washington.<\/p>\n<p>The Eastern Bloc country <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/06\/29\/russian_facct_employee_extradiation\/\" rel=\"noopener\">detained Nikita Kislitsin<\/a>, an employee of Russian infosec shop FACCT, on June 22 at the request of the US, which accused him of committing cyber crimes, according to a statement by his employer.<\/p>\n<p>&#8220;According to the information we have, the claims against Kislitsin are not related to his work at FACCT, but are related to a case more than ten years ago when Nikita worked as a journalist and independent researcher,&#8221; the <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.facct.ru\/media-center\/press-releases\/zayavlenie-kompanii-otnositelno-zaderzhaniya-nikity-kislitsina\/\">statement<\/a> said, presumably referring to his work as former editor of Hacker magazine.<\/p>\n<p>The US extradition request seems to be related to earlier charges against Kislitsin, who is accused of breaking into the social networking service Formspring in 2012.&nbsp;<\/p>\n<p>A 2014 indictment [<a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/regmedia.co.uk\/2023\/06\/28\/kislitsin_indictment.pdf\">PDF<\/a>] alleges that, after breaking and entering, Kislitsin stole usernames, email addresses, and passwords, and then tried to sell the stolen database for 5,000 euros a pop.<\/p>\n<p>Shortly after the Feds demanded Kislitsin be extradited to America, Moscow came out with its own extradition request, which appears to have won the battle \u2014&nbsp;at least according to the the General Prosecutor&#8217;s Office of the Russian Federation.<\/p>\n<p>On Thursday, the government agency said Kislitsin will be sent back to Russia where he will face criminal charges related to hacking.&nbsp;<\/p>\n<p>&#8220;According to the investigation, in October 2022, Kislitsin, together with his accomplices, unlawfully gained access to the server data of one of the commercial organizations,&#8221; the general prosecutor&#8217;s statement <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/epp.genproc.gov.ru\/web\/gprf\/mass-media\/news?item=92227535\">said<\/a>. &#8220;After this, they were copied.&#8221;<\/p>\n<p>After allegedly stealing the org&#8217;s data, Kislitsin then tried to extort the firm for $550,000 rubles in cryptocurrency. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2023\/12\/23\/iranian_cyberspies_target_us_defense\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Also: International cops crackdown on credit card stealers and patch these critical vulns Infosec in brief\u00a0 Iranian cyberspies are targeting defense industrial base organizations with a new backdoor called FalseFont, according to Microsoft.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-54926","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Iranian cyberspies target US defense orgs with a brand new backdoor 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Iranian cyberspies target US defense orgs with a brand new backdoor 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-23T15:46:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Iranian cyberspies target US defense orgs with a brand new backdoor\",\"datePublished\":\"2023-12-23T15:46:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/\"},\"wordCount\":1054,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/\",\"name\":\"Iranian cyberspies target US defense orgs with a brand new backdoor 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2023-12-23T15:46:34+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Iranian cyberspies target US defense orgs with a brand new backdoor\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Iranian cyberspies target US defense orgs with a brand new backdoor 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/","og_locale":"en_US","og_type":"article","og_title":"Iranian cyberspies target US defense orgs with a brand new backdoor 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-12-23T15:46:34+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Iranian cyberspies target US defense orgs with a brand new backdoor","datePublished":"2023-12-23T15:46:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/"},"wordCount":1054,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/","url":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/","name":"Iranian cyberspies target US defense orgs with a brand new backdoor 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2023-12-23T15:46:34+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZYcVA8LTWWhLDV46OUQk4wAAAYo&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/iranian-cyberspies-target-us-defense-orgs-with-a-brand-new-backdoor\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Iranian cyberspies target US defense orgs with a brand new backdoor"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=54926"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54926\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=54926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=54926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=54926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}