Cybersecurity researchers have uncovered a sophisticated Iran-linked spear-phishing campaign that leveraged a compromised email account at Oman’s Ministry of Foreign Affairs (MFA) in Paris. Attackers used stolen diplomatic correspondence and malicious macros to deliver malware to government offices and international organizations around the world.
Diplomatic lures using malicious macros
The adversaries seized control of an official email account belonging to the Omani MFA in Paris and sent messages that appeared to contain urgent updates about multi-factor authentication (MFA). Recipients — including embassies, consulates and international organizations — were urged to “Enable Content” in order to view what looked like legitimate Word documents.
Inside those documents, a VBA macro dropper reconstructed a binary payload from three-digit numeric sequences hidden in a form field. When the document was opened, a four-stage chain executed:
- Delay and anti-analysis: A nested loop routine called laylay performed thousands of iterations to delay execution and frustrate sandbox analysis.
- Payload decoding: The function dddd translated numeric triplets into ASCII characters and assembled an executable binary.
- Stealthy drop and execution: The decoded payload was written to C:\Users\Public\Documents\ManagerProc.log and launched silently via a Shell command.
- Persistence and cleanup: Delays and minimal error handling masked failures and ensured the procedure completed quietly.
This macro-based delivery chain combined numeric encoding with timing delays to evade email filters and dynamic analysis tools.
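As an added illustration (not code from the report or from the campaign itself), the following Python triage helper decodes the three-digit numeric encoding described above and looks for the drop-and-launch artefacts that accompanied it in extracted macro text. The sample macro text, the byte values and the thresholds are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample (not from the campaign): a stripped-down macro body with the
# payload bytes stored as consecutive three-digit decimal values in a string.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"FakePeStubForTestingOnly"
SAMPLE_VBA = (
    "Sub AutoOpen()\n"
    "    Call laylay\n"
    '    blob = "' + "".join(f"{b:03d}" for b in FAKE_PE) + '"\n'
    '    p = "C:\\Users\\Public\\Documents\\ManagerProc.log"\n'
    "    Shell p, vbHide\n"
    "End Sub\n"
)

TRIPLET_RUN = re.compile(r"\d{48,}")                 # at least 16 three-digit groups
SHELL_CALL = re.compile(r"\bShell\b", re.IGNORECASE)
PUBLIC_DROP = re.compile(r"Users\\Public\\", re.IGNORECASE)

def decode_triplets(run: str) -> Optional[bytes]:
    """Turn '077090...' into bytes; None if any group exceeds 255 (misaligned or not byte data)."""
    vals = [int(run[i:i + 3]) for i in range(0, len(run) - len(run) % 3, 3)]
    return bytes(vals) if vals and all(v <= 255 for v in vals) else None

def find_encoded_payloads(text: str) -> List[bytes]:
    """Decode every long numeric run, trying all three digit alignments."""
    found = []
    for m in TRIPLET_RUN.finditer(text):
        for shift in range(3):
            data = decode_triplets(m.group()[shift:])
            if data is not None:
                found.append(data)
                break
    return found

def looks_like_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"          # DOS header magic of a Windows executable

def triage(text: str) -> dict:
    """Evidence summary an analyst wants before detonating the document."""
    payloads = find_encoded_payloads(text)
    return {
        "encoded_pe_blobs": sum(1 for d in payloads if looks_like_pe(d)),
        "largest_blob_bytes": max((len(d) for d in payloads), default=0),
        "shell_call": bool(SHELL_CALL.search(text)),
        "public_folder_drop": bool(PUBLIC_DROP.search(text)),
    }

def is_suspicious(text: str) -> bool:
    r = triage(text)
    return r["encoded_pe_blobs"] > 0 and (r["shell_call"] or r["public_folder_drop"])
```

Feed it the VBA source and form-field values extracted from a document (for example with an OLE/VBA extraction tool) rather than the raw .doc bytes.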
Global espionage under diplomatic cover
Forensic analysis found that 270 spear-phishing emails were sent from 104 compromised addresses within the Omani MFA network. The campaign used NordVPN exit nodes in Jordan to obscure origin, and targets spanned six regions:
- Europe: 10 countries, 73 addresses
- Africa: 12 countries, 30 addresses
- Asia: 7 countries, 25 addresses
- Middle East: 7 countries, 20 addresses
- Americas: 11 countries, 35 addresses
- International organizations: 10 bodies, 12 addresses
Europe appeared to be the primary focus, while African targets were also heavily affected. The campaign targeted several international organizations, including the UN, UNICEF and the World Bank, indicating interest in diplomatic and humanitarian networks.
The timing of the campaign coincided with sensitive regional negotiations, suggesting the attackers sought intelligence and influence over diplomatic outcomes.
Reconnaissance, evasion and next stages
The dropped executable, named sysProcUpdate, demonstrated advanced technical measures. It used custom exception handlers and section packing to hinder reverse engineering.
Once activated, the malware collected system information such as username, computer name and administrative status. The data was encrypted and exfiltrated via HTTPS POST to a command-and-control server at https://screenai.online/Home/. A beaconing loop ensured repeated connection attempts even when network conditions were unstable.
To maintain persistence, sysProcUpdate copied itself to C:\ProgramData\sysProcUpdate.exe and modified Windows registry entries related to DNS cache parameters — behavior consistent with potential lateral movement and preparation for follow-on attacks.
Analysts assess the campaign’s primary goal was reconnaissance and network mapping in preparation for more advanced intrusions.
Mitigation recommendations
To defend against this class of targeted attacks, organizations should implement the following measures:
- Indicator blocking: Block communications to screenai.online and quarantine documents that match known hashes for sysProcUpdate.
- Macro security: Enforce Office configurations that disable macros by default and require digital signatures for any allowed macro execution.
- Network monitoring: Inspect outbound POST traffic to unfamiliar domains and correlate it with user activity.
- Registry checks: Regularly audit DNS and TCP/IP registry keys for unauthorized changes.
- VPN analysis: Detect sudden spikes in VPN use or exit nodes that diverge from normal patterns.
By combining robust email filtering, proactive network defenses and user awareness training, organizations can greatly reduce the risk of similar attacks.
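An added example (not from the report) of the network-monitoring recommendation: a small beacon detector run over constructed proxy log lines, flagging repeated POSTs to a non-allowlisted host at a near-constant interval, the pattern the C2 beaconing loop described earlier would leave. The log format, the allowlist and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real campaign telemetry): UTC time, client, method, host, path.
# Client 10.1.4.22 shows a minute-by-minute POST beacon; 10.1.4.23 is ordinary webmail traffic.
SAMPLE_LOG = """\
2025-08-18T09:00:05Z 10.1.4.22 POST screenai.online /Home/
2025-08-18T09:00:20Z 10.1.4.22 GET www.example.com /index.html
2025-08-18T09:01:05Z 10.1.4.22 POST screenai.online /Home/
2025-08-18T09:02:06Z 10.1.4.22 POST screenai.online /Home/
2025-08-18T09:03:04Z 10.1.4.22 POST screenai.online /Home/
2025-08-18T09:04:05Z 10.1.4.22 POST screenai.online /Home/
2025-08-18T09:00:30Z 10.1.4.23 POST mail.example.com /owa/
2025-08-18T09:47:10Z 10.1.4.23 POST mail.example.com /owa/
"""
KNOWN_GOOD = {"www.example.com", "mail.example.com"}   # assumed corporate allowlist

def parse(log: str):
    """Yield (timestamp, client, method, host, path) for each log line."""
    for line in log.splitlines():
        ts, client, method, host, path = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, host, path

def find_beacons(log: str, min_posts: int = 4, max_jitter: float = 0.2) -> list:
    """Flag (client, host) pairs that POST repeatedly to a non-allowlisted host at a
    near-constant interval (std dev of gaps divided by mean gap <= max_jitter)."""
    posts = defaultdict(list)
    for ts, client, method, host, _path in parse(log):
        if method == "POST" and host not in KNOWN_GOOD:
            posts[(client, host)].append(ts)
    alerts = []
    for (client, host), times in posts.items():
        if len(times) < min_posts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append({"client": client, "host": host,
                           "posts": len(times), "interval_s": round(avg, 1)})
    return alerts
```

Correlate each alert with the user's activity on that host (logon session, documents opened around the first POST) before escalating, as the recommendation above suggests.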
Indicators of Compromise (IoCs)