
Cyber Espionage, new Iranian APT uses MSHTML RCE to steal Google-Instagram credentials

A new Iranian APT exploits an MSHTML RCE to steal Google and Instagram credentials. SafeBreach Labs security researchers: the threat actor infects victims via Farsi phishing emails carrying a PowerShell stealer.

A new Iranian threat actor is using a Microsoft MSHTML Remote Code Execution (RCE) exploit to infect Farsi-speaking victims with a new PowerShell stealer. The goal is to steal victims' Google and Instagram credentials. The campaign was discovered by SafeBreach Labs security researchers. The phishing attacks started in July 2021 and relied on a PowerShell stealer that the researchers dubbed PowerShortShell. It is a short PowerShell script with powerful collection capabilities: it gives the adversary a great deal of sensitive information, including screen captures, Telegram files, collected documents, and extensive data about the victim's environment. Almost half of the victims are located in the United States. Based on the Farsi content of the .doc lure, which blames Iran's leader for the "Corona massacre", and on the nature of the collected data, the researchers assess that the victims may be Iranians living abroad who could be seen as a threat to Tehran.
