Five Real APT Campaigns with One Detection Outcome

APT34, also known as OilRig, is a suspected Iranian state-linked threat group active for more than a decade. The group is known for targeted cyber-espionage campaigns against government, energy, and financial organizations across the Middle East, often relying on carefully crafted spear-phishing emails to gain initial access.

Threat intelligence reporting shows that APT34 frequently uses malicious documents to deliver custom malware and maintain long-term access to victim environments. These campaigns are designed to appear routine to the recipient while quietly deploying tools for surveillance and data collection.

In this case, attackers distributed a malicious Microsoft Word document through a spear-phishing email targeting government and maritime organizations. The file was titled in Arabic and themed around naval vessel readiness, suggesting it was crafted to appear relevant to regional military or diplomatic recipients.

When opened, the document prompted the user to enable macros. Once enabled, the macro created a directory disguised as a legitimate Google-related folder and dropped additional files onto the system. The macro then executed a small VBA script that used PowerShell and .NET reflection to load two DLL payloads belonging to the Karkoff malware family.

This attack highlights the continued use of document-based spear-phishing to infiltrate sensitive environments. Government agencies, diplomatic organizations, and maritime entities remain frequent targets because the information they hold can provide strategic intelligence value.

Security teams in these sectors should treat document-based threats as a primary intrusion vector. Even a single malicious file delivered through email can serve as the entry point for a larger espionage campaign.

To learn more about this attack and review the full analysis, visit the OPSWAT FileScan report.

APT-C-35, commonly known as Donot, is a long-running threat group known for targeted spear-phishing campaigns against government and strategic organizations. Security researchers have observed the group using document-based lures and custom malware frameworks to infiltrate specific victims rather than conducting large-scale attacks.

Recent reporting also highlights the group’s continued development of its tooling, including improvements to the Jaca framework, which supports espionage and data collection activities. These campaigns demonstrate how the group adapts techniques to evade automated analysis and maintain access inside targeted environments.

In this example, attackers delivered a malicious Microsoft Office document through a spear-phishing email targeting organizations connected to manufacturing and government sectors in South Asia. The document contained a password-protected macro, with the correct password conveniently provided in the email to encourage the victim to enable execution.

Once the correct password was entered, the macro executed hidden malicious logic designed to evade automated analysis. The code included meaningless loops intended to waste analysis resources, dynamically generated shellcode, and ultimately executed the payload through the Windows CryptEnumOIDInfo API callback mechanism, allowing the attack to bypass traditional detection techniques.

This attack demonstrates how highly targeted campaigns often use small technical tricks to evade automated defenses. Manufacturing organizations, government entities, and industrial sectors connected to regional supply chains are frequent targets because attackers expect employees to routinely exchange documents and technical files.

Security teams in these industries should treat password-protected documents and macro-enabled files with particular caution. Even seemingly legitimate files delivered through email can conceal sophisticated intrusion techniques designed to bypass traditional inspection tools.

To learn more about this attack and review the full analysis, visit the OPSWAT FileScan report.

Cyber-espionage campaigns frequently target organizations connected to government and critical infrastructure environments. Iranian-linked threat activity has repeatedly focused on targeted intrusions designed to collect credentials, internal documents, and intelligence from sensitive networks.

Threat intelligence reporting also shows that these campaigns often prioritize credential theft as an initial foothold. Stolen credentials allow attackers to quietly expand access and maintain persistence inside targeted environments over time.

In this example, attackers delivered a malicious Office document containing Persian-language content designed to target organizations in Iran. The document was built to collect sensitive information such as credentials and internal documents while also capturing screenshots from the infected system.

After establishing persistence, the malware performed a stealthy connectivity check against a trusted domain such as google.com before continuing its activity. This step ensured the system had a stable internet connection before initiating further communication or potential data exfiltration.

This example shows how credential-stealing threats are frequently used in targeted intrusions against critical infrastructure environments. These sectors often operate in controlled networks where attackers must verify connectivity before attempting data collection.

Organizations responsible for critical systems should closely monitor suspicious document behavior and unexpected network checks triggered by newly opened files. These early indicators can signal the beginning of a larger intrusion campaign.

To learn more about this attack and review the full analysis, visit the OPSWAT FileScan report.

MuddyWater is a widely reported threat group linked to Iranian cyber-espionage activity. Researchers have documented the group targeting diplomatic, telecommunications, financial, and government organizations across the Middle East using spear-phishing emails and malicious documents.

Recent reporting shows the group distributing a Rust-based implant known as RustyWater through phishing emails carrying macro-enabled Word documents disguised as cybersecurity guidance. The campaign targets organizations across the Middle East and relies on convincing lures to trigger macro execution.

In this example, attackers sent a spear-phishing email titled “Cybersecurity Guidelines” from a legitimate account associated with a regional mobile operator. The email delivered a malicious Word document designed to appear like a routine policy or security advisory.

Once macros were enabled, the document extracted a hex-encoded payload embedded inside the file and reconstructed it into a Windows executable. The malware was written to disk and launched using obfuscated logic that rebuilt key strings during execution to make the macro harder to analyze.

The dropped executable deployed a Rust-based implant that included anti-debug behavior, encrypted operational strings, and checks for installed security tools before establishing command-and-control communication.

This attack shows how targeted phishing campaigns often rely on realistic policy or security-related themes to increase the likelihood that recipients will open attachments. Diplomatic organizations, telecommunications providers, and financial institutions remain frequent targets of these campaigns.

Security teams in these sectors should treat macro-enabled documents with caution, particularly when delivered through unexpected emails. Even files that appear to contain routine cybersecurity guidance can conceal malware designed to establish long-term intrusion access.

To learn more about this attack and review the full analysis, visit the OPSWAT FileScan report.

Highly targeted campaigns against aviation and transportation organizations have increased as attackers look for ways to access sensitive operational environments. These sectors often manage complex systems and supply chains, making them attractive targets for espionage and long-term intrusions.

Recent reporting describes a campaign known as CraftyCamel, which used polyglot files capable of functioning as multiple file formats simultaneously. These files were designed to bypass traditional inspection tools while targeting aviation and operational technology environments.

In this example, attackers delivered a carefully crafted phishing email sent from a compromised legitimate company to increase credibility. The message included a ZIP archive containing files disguised as legitimate documents but designed to execute hidden code.

Inside the archive, the attackers used polyglot files, including a fake Excel document that was actually a Windows shortcut (LNK) and additional PDF/HTA and PDF/ZIP combinations. These files abused trusted Windows utilities such as mshta.exe to execute hidden scripts and ultimately load the final malware payload disguised as an image.

This attack demonstrates how modern intrusion campaigns increasingly rely on complex file structures to evade traditional detection tools. Aviation, satellite, telecommunications, and transportation organizations are particularly exposed because they regularly exchange technical documents and operational files.

Security teams in these sectors should be aware that files appearing to be harmless documents may conceal multiple embedded formats or hidden execution paths. Detecting these threats requires deep inspection capable of revealing malicious behavior hidden inside complex file structures.

To learn more about this attack and review the full analysis, visit the OPSWAT FileScan report.